Guardian Digital Internet Defense and Detection System

IDDS Guide
Copyright 2000-2003 Guardian Digital, Inc.

Contents

1 INTRODUCTION
2 CONTACTING GUARDIAN DIGITAL
3 TECHNICAL SUPPORT
4 INTERNET DEFENSE AND DETECTION SYSTEM
  4.1 Installing IDDS
  4.2 Configuring IDDS
    4.2.1 General Operation
    4.2.2 Rule Configuration
  4.3 Graphs and Reports
    4.3.1 Active Reports
    4.3.2 IDDS Report Archives
  4.4 Real Time Attack Listing
  4.5 Export Attack Data

1 INTRODUCTION

Welcome to the Guardian Digital Internet Defense and Detection System (IDDS). This guide describes the steps necessary to install and configure the IDDS on an EnGarde Secure Professional server. For more detailed information about how to use EnGarde Secure Professional itself, refer to the complete EnGarde Secure Professional User's Guide.

2 CONTACTING GUARDIAN DIGITAL

Guardian Digital welcomes your input and feedback. You may direct all questions, comments or requests concerning the software you purchased, your registration status or similar issues to the Guardian Digital Customer Service department at the following address:

Guardian Digital Customer Service
165 Chestnut Street
Allendale, New Jersey 07401
United States
Phone: 1-201-934-9230
E-Mail: customer-service@guardiandigital.com
World Wide Web: http://www.guardiandigital.com
Online Store: http://store.guardiandigital.com

The department's hours of operation are 9:00 AM to 7:00 PM Eastern Time, Monday through Friday.

3 TECHNICAL SUPPORT

Guardian Digital provides comprehensive support for your enterprise. Guardian Digital can help bridge the gap between the fast-paced nature of Internet security and the latest open source technologies available in EnGarde, and can provide the information necessary to develop unique customizations of EnGarde products to achieve the fastest time to market with the most cost-effective solutions.

Included with your purchase is 60 days of e-mail, telephone and Web installation and configuration support, beginning at the time of purchase. This includes up to four incidents of installation and configuration support within that 60-day period.

Guardian Digital encourages you to visit us on the Web for answers to many commonly asked questions and for system documentation. Contact Guardian Digital Technical Support between the hours of 9:00 AM and 7:00 PM Eastern Time.

To provide the answers you need quickly and efficiently, the Guardian Digital Technical Support staff needs some information about your computer and software. Please include this information in your correspondence:

- Program name and version number
- Product registration number
- Any additional hardware or peripherals connected to your computer
- How to reproduce your problem when it occurs, whether you can reproduce it regularly, and under what conditions
- Information needed to contact you by voice, fax or e-mail
- Steps you have taken thus far to try to resolve the problem
- Any additional software installed

Please contact us using one of the following methods:

Phone: 1-201-934-9230
E-Mail: support@guardiandigital.com
World Wide Web: http://www.guardiandigital.com

To avoid delay in processing your request, be sure to include your account number in the subject of the e-mail.

4 INTERNET DEFENSE AND DETECTION SYSTEM

The Guardian Digital Internet Defense and Detection System (IDDS) tracks incoming and outgoing traffic on your network. Using a predefined set of rules, the IDDS determines whether the traffic is malicious. The IDDS searches for attacks against servers and services, such as Denial of Service (DoS) attacks; it also tracks the use of an array of protocols which may be against company policy, and tracks possible misuse of the network. Additionally, the IDDS keeps detailed reports and graphs, both in real time and over time, and archives all reports for a given day, week or month.

4.1 Installing IDDS

The Guardian Digital Internet Defense and Detection System is installed via the Guardian Digital Secure Network (GDSN). To install the IDDS, insert the CD-ROM that was included with your Guardian Digital IDDS purchase into the CD-ROM drive of the EnGarde server you will be installing the IDDS on. Selecting Install from Local Media in the GDSN will perform the installation.

Instructions on how to use the GDSN can be found in Section 5 (page 171) of the EnGarde Secure Professional User Manual; the Install from Local Media procedure is in Section 5.1.2, Install from Local Media (page 173).

4.2 Configuring IDDS

After installation you can find the IDDS modules in the Security section of the WebTool main menu. To configure the Intrusion Detection System on your EnGarde server, select the IDDS Management option from the Security menu, then select Edit Configuration to begin configuring the IDDS.

4.2.1 General Operation

Configuring the IDDS is a relatively painless task. Leaving all the configuration options at their default settings will allow the IDDS to scan the local internal network(s) that the IDDS is located on. To limit the IDDS to monitoring specific subnets on the internal network, they must be specified separately by selecting the Specify Network(s) option and then entering the network(s). A description of each option and how to use it is below.

[Screenshot: IDS Configuration form. "These settings affect the operation of the intrusion detection system." Fields: Device To Monitor (drop-down), Internal Network(s), DNS Server(s), Web Server(s).]

Device To Monitor: To be effective, the IDDS needs to be told which interface it should monitor for malicious activity. If your machine has only one interface, select it from the drop-down. If your machine has multiple interfaces, select the external one. If you are unsure, select eth0. Only traffic on the selected interface is inspected, so on a multi-homed machine the choice determines what the IDDS can see.

Internal Network(s): This is a listing of networks which are deemed local to the IDDS subsystem. These networks are used when matching destination addresses in the attack patterns. Enter one network in the form 1.2.3.4/5, where 1.2.3.4 is a network address and 5 is the netmask in CIDR notation (see "What is CIDR Notation?" at the end of this section). To add multiple networks, specify one per line. Keep these entries as narrow as your addressing allows; a catch-all entry makes every destination count as local.

DNS Server(s): This is a listing of the IP addresses of the machines you use as DNS servers. This helps limit the number of false positives on DNS-related attacks. Multiple entries are handled as above.

Web Server(s): This is a listing of the IP addresses of the machines you use as web servers. This helps limit the number of false positives on WWW-related attacks. Multiple entries are handled as above.

What is CIDR Notation?

Classless Inter-Domain Routing (CIDR) is a method for assigning IP addresses without using the standard IP address classes (Class A, Class B or Class C). In CIDR notation an IP address is represented as A.B.C.D/n, where n is called the IP prefix or network prefix. The IP prefix identifies the number of significant bits used to identify a network. For example, 192.9.205.22/18 means the first 18 bits are used to represent the network and the remaining 14 bits are used to identify hosts. Common prefixes are 8, 16, 24 and 32.

CIDR to Netmask Translation Table

CIDR   Netmask
/1     128.0.0.0
/2     192.0.0.0
/3     224.0.0.0
/4     240.0.0.0
/5     248.0.0.0
/6     252.0.0.0
/7     254.0.0.0
/8     255.0.0.0
/9     255.128.0.0
/10    255.192.0.0
/11    255.224.0.0
/12    255.240.0.0
/13    255.248.0.0
/14    255.252.0.0
/15    255.254.0.0
/16    255.255.0.0
/17    255.255.128.0
/18    255.255.192.0
/19    255.255.224.0
/20    255.255.240.0
/21    255.255.248.0
/22    255.255.252.0
/23    255.255.254.0
/24    255.255.255.0
/25    255.255.255.128
/26    255.255.255.192
/27    255.255.255.224
/28    255.255.255.240
/29    255.255.255.248
/30    255.255.255.252
/31    255.255.255.254
/32    255.255.255.255

4.2.2 Rule Configuration

The Intrusion Detection System works from a given set of rules: it checks the data it sees on the network against these rules, and if a piece of data matches a rule it takes the action the rule specifies. The rule defines the type of traffic, the priority of the traffic, and the class it is sorted into. The IDDS then keeps track of all matched data in detailed logs. These logs are used to create the detailed graphs and reports that are generated on a daily, weekly and monthly basis. More information concerning these reports can be found in Section 4.3.

[Screenshot: Rule Configuration. "Below are groups of rules for the IDS. The IDS will use whichever ones are checked." Groups: attack-responses, backdoor, bad-traffic, chat, ddos, deleted, dns, dos, experimental, exploit, finger, ftp, icmp, icmp-info, imap, info, local, misc, multimedia, mysql, netbios, nntp, oracle, other-ids, p2p, policy, pop3, porn, rpc, rservices, scan, shellcode, smtp, snmp, sql, telnet, tftp, virus, web-attacks, web-cgi, web-client, web-coldfusion, web-frontpage, web-iis, web-misc, web-php, x11. Button: Save Changes.]

To enable a rule group, check its associated box; uncheck the box to disable it. To get an explanation of a group, click on the group name itself: a smaller window will appear with a description of the rules and what they do. When changes have been completed, click the Save Changes button.

The IDDS is now ready to be started. Clicking the Start IDDS option at the bottom of the IDDS Management page starts the IDDS. The screen will refresh and a second option to stop the IDDS will appear. The Intrusion Detection System is now running.

4.3 Graphs and Reports

The Intrusion Detection System logs all the data it collects from the network. That data is then used to compile numerous graphs and charts. These graphs and charts are created daily, weekly and monthly and are archived accordingly. Additionally, there are real-time graphs that display live information for your network.

To access the Graphs and Reports, select the Graphs and Reports option from the IDDS Management screen. The Graphs and Reports section is broken down into two smaller sections: the Active Reports and the Report Archives.

4.3.1 Active Reports

The Active Reports section allows you to choose a report type and how you would like the graph contained within the report displayed, as a pie chart or a bar graph. View the report by clicking on the icon of a pie chart or a bar graph; the associated report will be displayed.

Graph Report Type           Graph Chart Type
Attacks By Protocol         Display current activity for TCP, UDP and ICMP
Attacks By Alert Class      Total number of attacks of each classification
Ten Least Common Attacks    View least frequently occurring attacks
Ten Most Common Attacks     View most frequently occurring attacks
Ten Most Ports Attacked     View most frequently attacked destination ports

The report may take a few moments to be displayed, since these numbers are gathered and the report generated when you click on the icon.

[Screenshot: "Attacks by Alert Class for 00:00:00 through 10:20:18", bar graph with legend: 1374 Attempted Information Leak; 335 Information Leak; Misc Attack (count illegible in the screenshot); 652 Misc activity; 896 Not Suspicious Traffic; 7 Potentially Bad Traffic; 141 Successful Administrator Privilege Gain; 254 Web Application Attack.]

Once the report is displayed you will see the report type along with the time period the report covers, followed by the graph and a breakdown of each item in the graph. Each highlighted item in the graph can be clicked on to view details concerning that item. For example, if Attacks by Alert Class was chosen, a graph displaying the different alert classes will be displayed. In the example above, if Information Leak was chosen, all the source hosts attempting exploits in the Information Leak alert class will be displayed in detail.

[Screenshot: "Details Regarding Information Leak Attacks from 00:00:00 through 13:32:12". Columns: Time Stamp, Protocol, Source IP, Source Port, Destination IP, Destination Port. Excerpt of rows: 2002-08-06 18:26:11 209.10.240.68:1317 -> 63.109.214.85:8080; 2002-08-06 18:32:05 209.11.107.25:80 -> 66.150.40.71:4753; 2002-08-06 18:40:47 128.38.31.22:35461 -> 209.11.107.14:80; 2002-08-06 18:47:11 209.10.240.68:1555 -> 63.109.214.85:8080.]

This works for all the graphs in this section.

4.3.2 IDDS Report Archives

The Intrusion Detection System uses its logs to produce reports. All the reports created are stored on the server for future reference. Daily, weekly and monthly reports are created and stored. Daily reports are created at midnight for the previous day and are kept for 30 days before the system removes them. Weekly reports cover the previous week (7 days) and are removed after 3 months (90 days). Monthly reports cover the prior month (30 days) and are removed after one year.

[Screenshot: IDS Report Archives. "Below you can select to view reports from previous days, weeks and months. Daily reports are archived for up to 30 days, weekly reports for 3 months and monthly reports for a year." Pull-down menus: Daily Reports, Weekly Reports, Monthly Reports.]

To access a report, select it from the daily, weekly or monthly pull-down menu.

4.4 Real Time Attack Listing

The Real Time Attack Listing opens a new window that displays the 20 most recent attacks, refreshing in 5-second increments.

[Screenshot: "20 Most Recent Attacks, 2003-06-12 15:45:42". Columns: Time Stamp, Protocol, Source IP, Source Port, Destination IP, Destination Port, Class, Name. Excerpt of rows (some columns illegible in the screenshot): 2003-06-12 15:45:35 192.168.1.1 -> 192.168.1.168, bad-unknown, ICMP redirect host; 2003-06-12 15:45:35 192.168.1.151:33870 -> 192.168.50.11, attempted-recon, SCAN Squid Proxy attempt; 2003-06-12 15:45:35 192.168.1.151 -> 192.168.50.11, attempted-recon, ICMP PING NMAP; 2003-06-12 15:45:30 192.168.1.151 -> 192.168.50.11, attempted-recon, SNMP AgentX/tcp request; 2003-06-12 15:45:30 192.168.1.151 -> 192.168.50.11:8080, attempted-recon, SCAN Proxy (8080) attempt; 2003-06-12 15:45:24 192.168.1.151:7604 -> 192.168.50.11:1080, attempted-recon, SCAN SOCKS Proxy attempt; 2003-06-12 15:45:14 192.168.1.1 -> 192.168.1.165, bad-unknown, ICMP redirect host.]

The attacks are sorted by time. Clicking on the time stamp of an attack displays the packet information for that attack.

[Screenshot: "Packet information for attack. Packet is in hexadecimal format." The dump shown is the body of an HTTP multipart/form-data submission: it decodes to Content-Disposition: form-data headers for the fields "group" (value 50001), "default" (value 0) and "create" (value create), separated by a boundary line of dashes followed by the digits 41184676334.]

Because the full payload is stored, the packet view shows whatever the connection carried, including form submissions, so access to this part of the WebTool should be limited to the people who need it.

4.5 Export Attack Data

Aside from creating the daily, weekly and monthly reports, the IDDS system also creates CSV files of this data.

Predefined Time Specifications

The IDDS system generates CSV files for the previous day, week and month that are available for immediate download.

[Screenshot: Predefined Time Specifications. "Choose to download reports for a single day, from a chosen week, or for the entire month." Pull-down menus for daily, weekly and monthly, each with a Download CSV button.]

There are pull-down menus for daily, weekly and monthly. Select the CSV to download and click the corresponding Download CSV button to retrieve the CSV for the specified time period.

NOTE: All CSVs are compressed due to their large size.

Custom Defined Time Specifications

In addition to the predefined time periods available for download as CSV, there is also the Custom Defined Time Specifications section. This allows a CSV for a time period of your choosing to be generated and downloaded.

[Screenshot: Custom Defined Time Specifications. Starting Time and Ending Time, each with a month pull-down and a day pull-down, and a Download CSV button.]

To make a date selection, choose a month from the first pull-down menu and a day from the second. Do the same for the ending date and then click the Download CSV button. Unlike the Predefined Time Specifications, the data is gathered and the CSV generated at the time the dates are selected; on slower machines with a good deal of data this can be time consuming. Once the report has been generated you will be prompted to save the CSV file. As with the Predefined Time Specifications CSVs, these are compressed.
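The Internal Network(s) entries of Section 4.2.1 and the CIDR-to-netmask table of Section 4.2 are easy to get wrong by hand, so here is an added example, not code from the Guardian Digital guide, that builds the same table from the prefix length, parses a one-network-per-line list the way the form describes it, and tests whether an alert's destination address is "local". The networks and addresses in SAMPLE_NETWORKS are constructed for illustration; the guide's own 192.9.205.22/18 is shown being normalised to its network address.

```python
"""Added example (not from the Guardian Digital guide): interpreting the
Internal Network(s) box from Section 4.2.1 and the CIDR-to-netmask table
from Section 4.2.  The configuration text and addresses below are
constructed for illustration."""
import ipaddress
from typing import Dict, List


def cidr_to_netmask(prefix: int) -> str:
    """Dotted-quad netmask for a prefix length, e.g. 18 -> 255.255.192.0."""
    if not 0 <= prefix <= 32:
        raise ValueError(f"prefix length must be 0..32, got {prefix}")
    mask = (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF
    return ".".join(str((mask >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def netmask_table() -> Dict[int, str]:
    """The guide's CIDR-to-netmask translation table (/1 through /32)."""
    return {n: cidr_to_netmask(n) for n in range(1, 33)}


def host_bits(prefix: int) -> int:
    """Bits left for host addresses: 32 - prefix (14 for /18)."""
    return 32 - prefix


def parse_network_list(text: str) -> List[ipaddress.IPv4Network]:
    """Parse the one-network-per-line box.  A bare address (no /n) is a
    single host (/32).  Host bits set in the address are cleared, so the
    guide's 192.9.205.22/18 becomes the network 192.9.192.0/18."""
    nets = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        nets.append(ipaddress.IPv4Network(line, strict=False))
    return nets


def is_internal(addr: str, nets: List[ipaddress.IPv4Network]) -> bool:
    """True when the destination address falls inside a configured network,
    which is how the IDDS decides an alert targets a local host."""
    ip = ipaddress.IPv4Address(addr)
    return any(ip in net for net in nets)


# Constructed sample for the Internal Network(s) box (one entry per line).
SAMPLE_NETWORKS = """\
192.168.1.0/24
192.168.50.0/24
10.20.30.40
"""

if __name__ == "__main__":
    for n, mask in netmask_table().items():
        print(f"/{n:<3} {mask}")
    nets = parse_network_list(SAMPLE_NETWORKS)
    for dst in ("192.168.50.11", "10.20.30.40", "209.10.240.68"):
        print(dst, "internal" if is_internal(dst, nets) else "external")
```

A bare address in the box is treated as a /32, and an entry with host bits set is silently widened to its network, which is usually what was meant but is worth checking before saving the configuration.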
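Sections 4.3.1 and 4.5 describe the reports (Attacks by Protocol, Attacks by Alert Class, Ten Most/Least Common Attacks, Ten Most Ports Attacked, and the per-class drill-down) and the compressed CSV export, but not how the numbers are derived. The following added example, not code from the Guardian Digital guide, computes those aggregations over a constructed export. The column order and the gzip container are assumptions; the guide does not document the CSV layout or the compression format. The sample rows are modelled on the Real Time Attack Listing of Section 4.4, with destination ports added for the TCP and UDP rows.

```python
"""Added example (not from the Guardian Digital guide): the aggregations
behind the Active Reports of Section 4.3.1 and the per-class drill-down,
run over a constructed export in the style of Section 4.5.  The guide
does not document the CSV column layout or the compression container;
both are assumptions made here."""
import csv
import gzip
import io
from collections import Counter
from typing import Dict, List, Tuple

# Assumed column order; the guide does not specify it.
FIELDS = ["timestamp", "protocol", "src_ip", "src_port",
          "dst_ip", "dst_port", "alert_class", "name"]

# Constructed sample rows modelled on the Real Time Attack Listing of
# Section 4.4 (signature names and classes as shown there; ports added).
SAMPLE_CSV = """\
2003-06-12 15:45:35,icmp,192.168.1.1,,192.168.1.168,,bad-unknown,ICMP redirect host
2003-06-12 15:45:35,tcp,192.168.1.151,33870,192.168.50.11,3128,attempted-recon,SCAN Squid Proxy attempt
2003-06-12 15:45:35,icmp,192.168.1.151,,192.168.50.11,,attempted-recon,ICMP PING NMAP
2003-06-12 15:45:30,tcp,192.168.1.151,33871,192.168.50.11,705,attempted-recon,SNMP AgentX/tcp request
2003-06-12 15:45:30,tcp,192.168.1.151,33872,192.168.50.11,8080,attempted-recon,SCAN Proxy (8080) attempt
2003-06-12 15:45:24,tcp,192.168.1.151,7604,192.168.50.11,1080,attempted-recon,SCAN SOCKS Proxy attempt
2003-06-12 15:45:23,icmp,192.168.1.151,,192.168.50.11,,attempted-recon,ICMP PING NMAP
2003-06-12 15:45:14,icmp,192.168.1.1,,192.168.1.165,,bad-unknown,ICMP redirect host
2003-06-12 15:45:10,udp,192.168.1.151,40001,192.168.50.11,161,attempted-recon,SNMP request udp
"""
# The guide says every export is compressed; gzip is assumed here.
SAMPLE_CSV_GZ = gzip.compress(SAMPLE_CSV.encode())


def decode_export(data: bytes) -> str:
    """Return CSV text from a download, gunzipping when the gzip magic
    bytes (1f 8b) are present; plain text passes through unchanged."""
    if data[:2] == b"\x1f\x8b":
        data = gzip.decompress(data)
    return data.decode("utf-8")


def parse_alerts(text: str) -> List[Dict[str, str]]:
    """Parse CSV text into one dict per alert using the assumed columns."""
    reader = csv.DictReader(io.StringIO(text), fieldnames=FIELDS)
    return [row for row in reader if row["timestamp"]]


def attacks_by_protocol(alerts) -> Counter:
    """Attacks by Protocol: TCP / UDP / ICMP counts."""
    return Counter(a["protocol"].upper() for a in alerts)


def attacks_by_class(alerts) -> Counter:
    """Attacks by Alert Class: total alerts per classification."""
    return Counter(a["alert_class"] for a in alerts)


def most_common_attacks(alerts, n: int = 10) -> List[Tuple[str, int]]:
    """Ten Most Common Attacks: signature names by descending frequency;
    ties broken by name so the report is stable between runs."""
    counts = Counter(a["name"] for a in alerts)
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))[:n]


def least_common_attacks(alerts, n: int = 10) -> List[Tuple[str, int]]:
    """Ten Least Common Attacks: rarest signatures first."""
    counts = Counter(a["name"] for a in alerts)
    return sorted(counts.items(), key=lambda kv: (kv[1], kv[0]))[:n]


def most_attacked_ports(alerts, n: int = 10) -> List[Tuple[int, int]]:
    """Ten Most Ports Attacked: destination ports by frequency.  ICMP
    alerts carry no port and are skipped rather than counted as port 0."""
    counts = Counter(int(a["dst_port"]) for a in alerts if a["dst_port"])
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))[:n]


def class_details(alerts, alert_class: str) -> List[Dict[str, str]]:
    """The drill-down shown when a class is clicked in the graph:
    every alert of that class with its source and destination."""
    return [a for a in alerts if a["alert_class"] == alert_class]


if __name__ == "__main__":
    alerts = parse_alerts(decode_export(SAMPLE_CSV_GZ))
    print("by protocol: ", dict(attacks_by_protocol(alerts)))
    print("by class:    ", dict(attacks_by_class(alerts)))
    print("most common: ", most_common_attacks(alerts, 3))
    print("least common:", least_common_attacks(alerts, 3))
    print("ports:       ", most_attacked_ports(alerts, 3))
    for a in class_details(alerts, "bad-unknown"):
        print(a["timestamp"], a["src_ip"], "->", a["dst_ip"], a["name"])
```

Two details matter when reproducing the product's numbers: ICMP alerts have no destination port and must be excluded from the port report rather than counted as port 0, and ties in the "ten most/least" lists need a deterministic order or the report changes from run to run.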
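The packet view in Section 4.4 shows the captured packet only as hexadecimal. The following added example, not code from the Guardian Digital guide, turns such a display back into bytes, renders it as a conventional hex/ASCII dump, and recovers the form fields from the multipart body. PACKET_HEX is reconstructed from the screenshot in the guide with OCR errors corrected (the letters O and G standing in for the digits 0 and 6); the number of dashes in the boundary line was not legible and is chosen here.

```python
"""Added example (not from the Guardian Digital guide): making the
hexadecimal packet display of Section 4.4 readable.  PACKET_HEX is
reconstructed from the guide's screenshot (OCR errors corrected,
boundary length chosen here); it is the body of an HTTP multipart
form submission, which is what that example alert captured."""
import re
from typing import Dict

PACKET_HEX = """
43 6F 6E 74 65 6E 74 2D 44 69 73 70 6F 73 69 74 69 6F 6E 3A 20 66 6F 72 6D 2D 64 61 74 61 3B 20
6E 61 6D 65 3D 22 67 72 6F 75 70 22 0D 0A 0D 0A 35 30 30 30 31 0D 0A
2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D
34 31 31 38 34 36 37 36 33 33 34 0D 0A
43 6F 6E 74 65 6E 74 2D 44 69 73 70 6F 73 69 74 69 6F 6E 3A 20 66 6F 72 6D 2D 64 61 74 61 3B 20
6E 61 6D 65 3D 22 64 65 66 61 75 6C 74 22 0D 0A 0D 0A 30 0D 0A
2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D
34 31 31 38 34 36 37 36 33 33 34 0D 0A
43 6F 6E 74 65 6E 74 2D 44 69 73 70 6F 73 69 74 69 6F 6E 3A 20 66 6F 72 6D 2D 64 61 74 61 3B 20
6E 61 6D 65 3D 22 63 72 65 61 74 65 22 0D 0A 0D 0A 63 72 65 61 74 65 0D 0A
2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D 2D
34 31 31 38 34 36 37 36 33 33 34 2D 2D 0D 0A
"""

HEX_BYTE = re.compile(r"^[0-9A-Fa-f]{2}$")


def hex_to_bytes(text: str) -> bytes:
    """Turn a whitespace-separated hex display back into raw bytes,
    rejecting anything that is not a two-digit hex byte (a copied or
    OCR'd dump often contains 'O' for '0' or 'G' for '6')."""
    out = bytearray()
    for tok in text.split():
        if not HEX_BYTE.match(tok):
            raise ValueError(f"not a hex byte: {tok!r}")
        out.append(int(tok, 16))
    return bytes(out)


def hexdump(data: bytes, width: int = 16) -> str:
    """Classic offset / hex / ASCII rendering, non-printables as '.'."""
    lines = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hexpart = " ".join(f"{b:02x}" for b in chunk)
        text = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{off:08x}  {hexpart:<{width * 3 - 1}}  |{text}|")
    return "\n".join(lines)


# One form-data part: header, blank line, value, up to the next boundary.
PART = re.compile(rb'Content-Disposition: form-data; name="([^"]+)"\r\n\r\n'
                  rb'(.*?)\r\n--', re.S)


def multipart_fields(body: bytes) -> Dict[str, str]:
    """Recover the submitted form fields from a captured multipart body.
    The capture may start mid-body (as the screenshot does), so parts
    are located by their headers rather than by a leading boundary."""
    return {m.group(1).decode("latin-1"): m.group(2).decode("latin-1")
            for m in PART.finditer(body)}


if __name__ == "__main__":
    packet = hex_to_bytes(PACKET_HEX)
    print(hexdump(packet))
    print(multipart_fields(packet))
```

The decoded fields (group=50001, default=0, create=create) show why the packet view deserves restricted access: whatever the client submitted in that request is stored verbatim with the alert.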
