
Symantec Intruder Alert 3.6 (10007266)


Contents

1. Figure E-1 Sample SNMP for Intruder Alert implementation (figure: SNMP Manager, ITA Event Viewer, IA Query, ITA Manager, NetProwler, ITA Agent, snmptrap, snmptrap.log; image not reproduced)

Adding IAQuery to the ITA User Manager

In the ITA Administrator program, you must add an account to the ITA User Manager to allow IA Query to read events from the ITA database. The ITA user account that IA Query uses can only have the View Event Information privilege enabled. If additional privileges are enabled for this account, IA Query will not function, and this will be logged in the iaquery.log.

To add IAQuery to the ITA User Manager
   1 In the Intruder Alert tree, click the desired Manager.
   2 On the menu bar, click Manager > Security > User Manager.
   3 In the User Manager dialog box, click Add.
   4 Under User Configuration, check the View Event Information check box.
   5 In the User Name box, type the user name as specified in the config.iaq file.
   6 In the Full Name box, type iaquery.
   7 In the Password box, type the password as specified in the config.iaq file.
   8 In the Confirm Password box, retype the password.
   9 Click Commit.

Sending SNMP traps

Using the snmpsendtrap.exe executable and the IA Query Event Management Service, you can send SNMP traps of Intruder Alert events as they occur or
2. See "Understand and manage the event database" on page 261.

Raise Flag

The Raise Flag action can be used to:
   - Create an electronic marker indicating that an event occurred. Rules located within the same policy can select the raised flag to trigger other actions.
   - Notify other Agents reporting to the same Manager that an event occurred. Flags can be raised globally on all Agents reporting to the same Manager. Global flags allow Agents to work together to detect complex, multiple-system events. Global flags are useful for detecting events occurring on different systems throughout the enterprise. Events occurring on a single system may not be indicative of a larger attack; however, when combined together, each piece completes the profile of the attack, such as an attacker attempting by brute force to gain access to various systems on the network, detected through multiple failed logins.
   - Perform event context capturing. The Raise Flag action has the ability to capture and store events. This feature is called event context capturing. With event context capturing, you can configure a Select criteria or Ignore criteria flag to trigger when certain conditions on a raised flag exist. See "Configuring the Raise Flag action to use event context capturing" on page 165.

Note: Use global flags judiciously. Raising flags globally increases network traffic. With global flags it is poss
3. ... 177
   Query Builder wizard screen two ... 182
   Query Builder wizard screen three ... 183
   Working in the Event Viewer ... 185
   Creating a new view ... 185
   Modifying a view's query definition ... 186
   Sorting the text view ... 187
   Loading a predefined view ... 187
   Modifying a chart view ... 188
   Saving a view ... 190
   Sending an Intruder Alert command to an Agent ... 191
   Defining advanced queries
   Building blocks of a query
   Building complex queries
   Generating and viewing reports
   About reports ... 199
   Integrating Crystal Reports ... 201
   Understanding security reports ... 201
   Why generate reports ... 201
   What reports are available out of
4. Figure 6-2 Rule definition fields (figure: Label, Description and Rule Value boxes with the Indirect, Filter and Disable Rule Usage check boxes; callouts "Enter a rule name and description" and "Enter a rule value"; image not reproduced)

The first two elements include the Label and Description. The Label text box contains the rule name. Rule names may be up to 31 characters long. The Description text box briefly defines the rule and is limited to 256 characters.

Rule value

The rule value defines the severity level of the event. Values range between 0 and 100, with 100 being the most severe. Policies in the product have the following values:
   0   Administrative (does not detect system events)
   20  FYI
   50  Alert
   90  Emergency

The following table is a guide for rule values.

Table 6-1 Rule value and security
   0-33    Low     For Your Information (FYI)    Events within this range pose a minimal threat.
   34-66   Medium  Alert (Moderate Concern)      Events within this range pose a moderate threat.
   67-100  High    Emergency (Serious Concern)   Events within this range pose a high threat.

Rule type

Adjacent to the Rule Value field are three check boxes. These check boxes define how the rule functions. The following table defines each option.

Table 6-2 Rule usage
   Indirect   Indirect rules are referenced within other rules. For example, select criteria could be specified in a
5. Note: If the raised flag has any events or contexts saved, all contexts will be deleted when the flag is lowered.

To configure the Lower Flag action, drag the desired flags from the Available box and drop them in the Flags to Lower box, as illustrated below.

Figure 6-17 Lower Flag action (figure: Available box with flag objects and the Flags to Lower box; callout "Drag flag objects from the Available box and drop them in the Flags to Lower box"; image not reproduced)

Send Email

The Send Email action emails the event message to a specified user or group of users. Emails can only be sent by Agents configured with the ability to send email. Each Agent that has a policy containing a Send Email action should be configured with email capabilities. See "Configuring the Agent for email notification" on page 83.

To configure the email action, list the email recipient's email address or addresses in the Addresses To Mail To box, as illustrated below.

Figure 6-18 Send Email action (figure: ACTION Send Email dialog with a New Entry box, an Add to List button, the Addresses to Mail to list, and Edit List, Remove and Clear List buttons; callouts "Type the e-mail addresses" and "Click to add the e-mail address to the list"; image not reproduced)

Use the standard email address syntax <name>@<domain name> when configuring the action criteria. For example, john
6. Chapter 7 Administering policies
   This chapter provides instructions on how to administer policies in Intruder Alert. Administration tasks include activating, deactivating, exporting, importing, modifying and removing policies.

   Chapter 8 Creating and modifying policies
   In this chapter you will learn the policy development process. The chapter's examples and step-by-step tutorials will help you learn how to create your own policies in Intruder Alert.

   Chapter 9 File and directory security
   This chapter teaches you how to monitor mission-critical files for any changes or movements, and how to secure the files and directories on your network.

   Chapter 10 Configuring event context capturing
   This chapter describes event context capturing, a feature that allows the Agent to remember certain events and use them for selective intrusion detection.

   Section 4 Monitoring events
   The Monitoring events section of this guide contains:

   Appendices

   Chapter 11 Using Intruder Alert Event Viewer
   This chapter teaches you the basics of using Intruder Alert Event Viewer to define queries and generate online views.

   Chapter 12 Generating and viewing reports
   This chapter describes Intruder Alert's report generation and viewing capabilities. You will learn about the various security and status reports and how to generate them.
7. "Connecting to a Manager" on page 64.
   In the Intruder Alert tree, expand the Manager's branch to display the Policies branch.
   Right-click Policies, and then click New in the drop-down list. Intruder Alert adds a new policy to the tree as New Policy1.
   In the right pane, in the Label text box, type a name for the new policy.
   In the Description text box, type a description of the new policy.
   In the Intruder Alert tree, click New Policy1 to update the name. The new name replaces New Policy1 in the Policies branch.
   To save the policy, right-click the policy in the Intruder Alert tree, and then click Save in the drop-down list. Intruder Alert adds a pencil to the policy icon in the tree when the policy needs to be saved.
   The next step is to add one or more rules to the new policy. See "Adding and deleting a rule" on page 139.

Adding and deleting a rule

The following procedures describe the processes of adding a rule to, and deleting a rule from, a policy.

To add a rule
   1 In the Intruder Alert tree, expand the Manager's branch to display the Policies branch.
   2 Expand Policies, and then expand the desired policy's branch. The Rules branch should be visible.
   3 Right-click Rules, and then click New in the drop-down list. Intruder Alert adds a new rule to the Intruder Alert tree as New Rule.
   4 In the right pane, in the Label text box, type a name for the new rule.
8. Figure 6-22 Example notification message on Windows (figure: Messenger Service message box reading "Message from <SYSTEM A> to <SYSTEM B> on 3/18/2000 12:30PM. This is where you can add user-defined instructions, messages or warnings."; image not reproduced)

Note: If the user is not logged on or the system is not turned on, the notification will be lost. Therefore, a Notify action should not be the only action taken.

Supported formats for notifying a user include:
   - <User Name>: Specifying a user name instructs Intruder Alert to notify a specific user. The user must be logged in to receive the notification. Examples include johnd and alincoln.
   - {user}: The variable user instructs Intruder Alert to send the notification message to the user who generated the system message. For example, you can send a message to a user who attempts to change a user account. However, note that in some situations the user name may not be known. If the user name can be determined via the operating system collector, this variable will notify the user. If it cannot, no message will be sent. Remember to use braces, not brackets.

Note: In UNIX environments where syslog has been centralized on a single UNIX system, the notification message may be lost. If the user is logged on to multiple Windows systems residing on the same Domain Controller, the notification message may appear on any one of those systems, but it will not display on all the systems the use
9. Identifies a blank line.
   8 On Solaris systems, check Include Delim. The line containing the delimiter is part of the message.
   9 Optionally, click in the text box and type the event string or strings to parse. Parsing allows you to gather specific information from an event message and use that information for reporting in the Intruder Alert Event Viewer. Use the following guidelines for parsing events.

Table B-2 Parsing guidelines
   {Name of Field}   Parsed fields. Intruder Alert captures whatever information appears in braces and stores it for Intruder Alert Event Viewer reporting. The user-defined label identifies the data. Use braces, not square brackets.
   (space)           Represents spaces. Press the spacebar.
   \n                Represents carriage returns (line endings).
                     Represents single missing characters.
                     Represents multiple missing characters or words.

The following is an example event message:
   event chanc logged on to Juggler at 14:05 on 03/18/01

The following parsed string captures the relevant information contained in that event:
   event {User} {Action} to {System} at {Time} on {Date}

If no additional parsing rules are defined, Intruder Alert applies standard parsing rules to each message, for example Date, Time, Value, Agent, Policy, Rule, User and Message Text.
   10 Click OK. The Agent is now configured to monitor the selected C2 audit log.
10. Index
   NetProwler: importing integration policies, 285; receiving SNMP traps, 283
   NetWare: killing processes on, 123
   network traffic: understanding Intruder Alert traffic, 270
   NIS: updating on Agent on UNIX, 58
   notification: by email, 83; by pager, 84
   Notify action, 115; introduction to, 36
   nslookup, 65, 79, 186
   ntcrit file: watch lists, 151
   number of Agents, 20
   O
   online help: button, 30; using in Administrator, 72
   operators: equality in simple queries, 194; logical in complex queries, 197; Select statement equality, 160; wildcard, 95, 96, 97, 104, 195
   optimizing: bandwidth usage, 263, 267; disk space, 261; ITA error logs, 264
   options: C2 audit daemon, 225; custom log file collector, 231; file watch list, 149; itasetup, 73; single exe, 72; snmp commands (various), 282; snmpsendtrap, 277; snmptrap, 281
   organizing Agents in domains, 22
   OSF/1 C2 audit pipe monitoring, 224
   overview of the manual, 15
   P
   pager: configuring Agent for, 84; Send Page action, 36; send page to, 113; with email, 112
   parsing: audit log files, 86; event messages, guidelines for, 227; example with event message, 228; MIBs, 278; user-defined audit logs, 194; usernames in audit log, 104
   passwords: assigning on command line, 72, 73; case sensitive, 65; changing user, 69
   paste button, 30
   performance: effect on by event log collectors, 228; optimizing, 261
   pie chart view, 179
   policies: and rules, 91; applying from Policy Library, 127; applying multiple, 128; applying to domain, 127; available on Web, 133; circular, 134, 136; c
11. Launch Symantec Intruder Alert Administrator.
   Connect to a Manager.
   In the left pane, click the plus sign to the left of the Manager to expand the view.
   Right-click Policies, and then click New in the drop-down list.
   In the right pane, in the Label text box, type Test.
   Press Tab.
   In the Description text box, type Test Policy.
   You have created a policy on your system. It has no rules, and it has not been applied to any domains or computers.

To create a custom filter rule within your policy
   1 In the left pane, click the plus sign to the left of your new policy to expand the view.
   2 Right-click Rules, and then click New in the drop-down list.
   3 In the right pane, in the Label text box, type Path Filter.
   4 Press Tab.
   5 In the Description text box, type: This rule will inform you if anyone attempts to change or changes the PATH settings.
   6 In the Rule Value text box, type 0.
   7 Click Indirect.
   8 In the left pane, click the plus sign to the left of your new rule to expand the view.
   9 Right-click Select, and then click New > Windows Registry Key in the drop-down list.
   10 In the Process Name text box, type *. This will let you monitor all processes accessing the registry value.
   11 In the Key Name field, type HKEY_LOCAL_MACHINE\SYSTEM\*ControlSet*\Control\Session Manager\Environment\Path. The asterisk on either side of the ControlSet wor
12. Record to Event Viewer

The Record to Event Viewer action records events in an event database located on the Manager's system. Intruder Alert's Event Viewer queries the event database to generate online and printed reports. When adding the Record to Event Viewer action to a rule, no configuration is required. The action need only be present to log events in the Manager's event database. However, you can tag additional data to the event by specifying a label/data pair in the Enter Record Information box. The added text only appears in the Event Viewer's text view. Use the following format for label/data pairs:
   <Desired Label Name> <Desired Data Text>

See the following examples:
   - Computer_Name adminbox
   - threat_type network
   - Description Agent detected 3 failed administrator logins

Note: For multiple-word labels, use an underscore character (_) between words. Spaces between words are not allowed. The data portion allows up to 256 characters.

To append additional text to an event message, add the desired data label statement to the Additional Text to Record box, as illustrated below.

Figure 6-15 Record to Event Viewer action fields (figure: ACTION Record to Event Viewer dialog with an Additional Text to Record list containing "Description Detects user account changes on Windows", a New Entry box, and Add to List, Edit List, Remove and Clear List buttons; callouts "Type the label/data text" and "Click to add the text to the list"; image not reproduced)
13. For example:
   - On UNIX: /axent/ita/system/<hostname>/collect.log sharkie
   - On Windows: c:\logs\logname.log minnow

Note: Each record in the log file represents a single message. Records are separated by a line of equal signs.

Use the Append to File action sparingly. If a rule's selection criteria is too general, meaning a large number of events trigger the rule, the log file will fill up. A prolonged implementation, which may be seconds or days depending on the selection criteria, may yield undesired results, including slowed performance by the Agent, diminishing disk space (i.e., the log file grows, consuming valuable disk space) and diminished network performance if the log file is on a remote system.

To configure the Append to File action, add the desired path and file name to the Files To Append To box, as illustrated below.

Figure 6-21 Append to File action (figure: ACTION Append to File dialog with a Files to Append to list containing /axent/ita/collect.log, a New Entry box, and Add to List, Edit List, Remove and Clear List buttons; callouts "Type the path and file name" and "Click to add the entry to the list"; image not reproduced)

Notify

The Notify action sends an on-screen message to a specified user or system. It can include user-defined instructions, messages, event descriptions or warnings. The following graphic illustrates an on-screen message generated on Windows.
14. For more information about how to generate reports and set query parameters, see "Creating a new view" on page 185.
   In the Generate Report dialog box, in the Report Title text box, optionally type a title for the report.
   Do one of the following:
      - Under Standard Reports, click Audience/Detail, and click a choice under Audience and under Detail. The Audience setting indicates for whom the report is intended, and the Detail setting indicates the type of information in the report.
      - Under Standard Reports, click Generic Listing of Security Events to get a list of all events matching the query definition, sorted by level of severity. This report does not contain summary graphs or charts.
      - Under Custom Reports, click Custom Report Template, and click Browse to select a report in the custom reports directory. Intruder Alert comes with three Crystal Reports templates: the Agent Report, Security Report and User Report. These templates reside in the directory ita\bin. User-defined report templates are stored in the predefined directory ita\bin\Custom_Reports.
   10 Click OK.
   11 If you selected an option under Standard Reports, the report is generated and displayed in the Report Viewer screen. If you selected an option under Custom Report Template, the Select Report to View dialog box appears. In the Select Report to View dialog box, sel
15. Table A-1 Required Administrator or Event Viewer information
   Machine Type: Get from the Windows System Properties dialog.
   OS Level: Get from the Windows System Properties dialog.
   Version: Get from the Help menu's About Intruder Alert dialog.
   Date: Get from the Help menu's About Intruder Alert dialog.

Table A-2 Required Manager information
   Machine Type: Get from uname -a if UNIX, or System Properties if Windows.
   OS Level: Get from uname -a if UNIX, or System Properties if Windows.
   Version & Date: Get from the file /axent/ita/bin/Revision.txt if UNIX, or \Program Files\Symantec\ITA\bin\Revision.txt if Windows. Also check the Manager Properties dialog in the security product console.

Table A-3 Required Agent information
   Machine Type: Get from uname -a if UNIX, or System Properties if Windows.
   OS Level: Get from uname -a if UNIX, or System Properties if Windows.
   Version & Date: Get from the file /axent/ita/bin/Revision.txt if UNIX, or \Program Files\Symantec\ITA\bin\Revision.txt if Windows. Also check the Agent Properties item in the Agent context menu in the security product console.
   International version: Check the Agent log file for the message "Initializing international level encryption".

Table A-4 Re
16. Note: If you do not click Save, the agent will continue to monitor the deleted audit log, but it will not show up in the list of Audit Logs.

Windows Registry collector

Windows stores all configuration information in a database called the Registry. The Registry is a hierarchical database that controls all of the information related to the Windows operating system. The Windows system configuration, hardware configuration, configuration information about Win32-based applications, user preferences and group policies are all stored in the Registry. For example, any Windows computer access changes or user changes on the computer are immediately reflected in the Registry. Because of these characteristics, the Registry serves as the foundation for user, system and network management in Windows.

How Intruder Alert uses the Registry

Though Registry auditing has always been available through the Windows program regedt32, there are many audits that generate false positives. This is because when a program opens a key for access, the program has to inform the Registry what kind of access to the key is needed. Software developers typically select full access to keep things simple. The auditing feature in the Registry is tied to how the key was opened, not necessarily how it was accessed, resulting in false positives. The Intruder Alert Registry monitoring capabilities are based on a device driver that monitors access to the Windows registry by reg
17. Save a custom generic view: This option allows the query to be saved without Manager-specific information. It is only available after a view has been created and is open on the viewer desktop.
   Print: Output information to a default printer.
   Print Setup: Specify a default printer.
   Exit: Exit from the viewer.

View menu

The View menu allows you to activate and deactivate the following features of the Intruder Alert Event Viewer.

Table 2-8 Event Viewer View menu options
   Toolbar: Display or remove the toolbar.
   Status Bar: Display or remove the status bar.

ITA menu

The ITA menu contains a single command.

Table 2-9 Event Viewer ITA menu command
   Send Intruder Alert Command: Trigger a user-defined rule.

Window menu

The Window menu allows you to activate several task display options on the Event Viewer desktop.

Table 2-10 Event Viewer Window menu display options
   Cascade: Create a cascading display of all open task windows in order of activation.
   Tile: Create a tiled display of all open task windows.
   Arrange Icons: Arrange minimized report windows in order of most recent report. It also rearranges the minimized windows after you have resized the general Event Viewer desktop.

Help menu

Through the Help menu you can access several sources of information.

Table 2-11 Event Viewer Help menu options
18. Symantec Intruder Alert 3.6.1 Administration Guide

The software described in this book is furnished under a license agreement and may be used only in accordance with the terms of the agreement.

Documentation version 3.6.1

Copyright Notice
Copyright 2005 Symantec Corporation. All Rights Reserved. Any technical documentation that is made available by Symantec Corporation is the copyrighted work of Symantec Corporation and is owned by Symantec Corporation.

NO WARRANTY. The technical documentation is being delivered to you AS-IS, and Symantec Corporation makes no warranty as to its accuracy or use. Any use of the technical documentation or the information contained therein is at the risk of the user. Documentation may include technical or other inaccuracies or typographical errors. Symantec reserves the right to make changes without prior notice.

No part of this publication may be copied without the express written permission of Symantec Corporation, 20330 Stevens Creek Blvd., Cupertino, CA 95014.

Trademarks
Symantec, the Symantec logo and LiveUpdate are U.S. registered trademarks of Symantec Corporation. Symantec Intruder Alert and Symantec Security Response are trademarks of Symantec Corporation. Windows is a registered trademark of Microsoft Corporation. HP, HP-UX, HP 9000, HP Integrity Servers and HP OpenView are trademarks or registered trademarks
19. ... expression on the left and the expression on the right. The event message must match both sets of criteria.
   Or (|, pipe): Selects events for the expression on the left or the expression on the right. Either expression will satisfy the selection criteria.

Examples include:
   - user=smitty & value>60
   - policy=System Messages & value>50

Note: The order of precedence is first inside parentheses and second from left to right.

Generating and viewing reports

This chapter includes the following topics:
   - About reports
   - Integrating Crystal Reports
   - Understanding security reports
   - Generating security reports
   - Using the Intruder Alert Report Viewer
   - Generating Agent status reports

About reports

Intruder Alert's report generator is designed to present information in a meaningful format. Reports offer a published look and feel, and allow mixed content of text, charts and graphs. With this tool you can generate easy-to-read security reports tailored for different audiences. Intruder Alert's report generator allows you to use your own Crystal Reports templates to display security information in any format. You may export report data to other standard database formats, including CSV, TSV, XLS, WKS, RPT and many more. Security reports generated from Intruder Alert Event Viewer have the following reporting capabilities: Dat
20. - Default All Agents
    - Default UNIX
    - Default Windows
    - Default Netware

During installation, you can select the UNIX and Windows Drop & Detect policies to be applied to these default domains. After installation, you can use Intruder Alert Administrator to create additional domains and activate additional policies as needed. For Windows systems, copy any Windows policies that you want to apply in a domain from either the Drop & Detect, Misc or Configure to Detect branch in the Policy Library.

Note: The total number of Agents capable of registering to a single Manager varies by number of events, operating system, memory and disk space.

Agents are organized into domains and may belong to more than one domain if directed. Once a policy has been applied to a domain, the Manager delivers it to the specified Agents. In turn, Managers receive event data from Agents and store it in an event database. The event database consists of two types of files: an extent (.ext) file and a .rex file. For events to be written to the event database, they must be recorded to the Event Viewer.

Rex Files: Rex files contain the most recent events. When the .rex file reaches its maximum size (2 MB), the system converts the file from a .rex file to an extent file.

Extent Files: Extent files are archived .rex files. Only one .rex file exists on the Manager at any one time. For examp
21. ... Select, Ignore and Action criteria.

Suggestions for policy development

Keep in mind the following tips when developing policies:
   - Keep the size of your policy files below 64K. The maximum size of a policy file is 64K. If you have multiple rules within the policy, group related rules together into multiple smaller policy files.
   - Avoid circular policies. A circular policy runs many times consecutively. This policy configuration error can create unnecessary peaks in CPU utilization and consumes unwarranted disk space. If you experience either of these problems, examine your customized policies for circular logic. See "Circular policies" on page 136.

The following graphic illustrates the main steps for creating a new policy.

Figure 8-1 Steps for creating a policy (figure: Step 1 Build a Collector Policy; Step 2 Generate and Collect Events; Step 3 Analyze the Events; Step 4 Create the Policy; Step 5 Test and Debug the Policy; image not reproduced)

Building a collector policy

A collector policy gathers all system messages and appends them to a user-defined log file. Security administrators analyze the events captured by the collector and identify events that make up an event signature. These selected events become the building blocks for rules and policies. See C
22. ... name as the selection criterion. The Agent's name is determined internally by the Agent; it does not search event messages to determine the Agent's name.

Note: Because the Agent's name is determined internally, the System criteria may be the only Ignore criteria, but it should not be the rule's only Select criteria. Another type of Select criteria must be used in conjunction with a System criteria.

When configuring this criteria, the available systems include only those registered to a Manager. Thus, the list of available systems will vary from Manager to Manager. When adding the System criteria to a policy, you should configure it when the policy resides on the Manager, not when it resides in the Policy Library. The policy is located in the Manager's Policies branch, and the available Agent systems are displayed in the Available box. If you are creating your policy in the Policy Library, no systems will be displayed, and you will need to finish the configuration of any System clauses when the policy has been copied to a Manager's Policies branch. If the criteria exists with no Agent systems selected, it will be inactive and unable to detect anything.

To configure the System criteria, drag the desired system icons from the Available box and drop them in the Systems to Monitor box, as illustrated below.

Figure 6-14 System criteria: Systems to Monitor, Avai
23.   5 In the Description text box, type a description for the new rule.
   6 Optionally, in the Rule Value boxes, set the rule values. Possible values range between 0 and 100. For more information about rule values and how to use them, see "Rule value" on page 93.
   7 Optionally, to set the rule type, check Indirect, Filter or Disable Rule Usage. For more information about these Rule Usage check boxes, see "Rule type" on page 94.
   8 To save changes to the policy, right-click the policy, and then click Save in the drop-down list. Intruder Alert adds the new rule to the policy.
   The next step is to add criteria to the rule. See "Adding and deleting rule criteria" on page 140.

To delete a rule
   1 Expand the tree to view the rule.
   2 Right-click the rule, and then click Delete in the drop-down list.
   3 In the dialog box, click Yes to confirm the deletion.

Adding and deleting rule criteria

Each rule must contain one or more Select criteria and one or more actions. A rule can optionally contain Ignore criteria. This section describes how to add criteria or actions to, and delete criteria or actions from, a rule. Intruder Alert's out-of-box policies can be configured with additional actions, such as email capabilities and paging. See "Policies, rules and criteria" on page 91.

To add criteria or actions to a rule
   1
24.   # ITA IP Bind setting
   ITA_BIND_ADDRESS=192.168.0.49

   ##############################################
   # Agent
   ##############################################

   # Filewatch configuration files
   # These contain the list of files that filewatch is monitoring
   filewatch=ita/system/system/uxcrit_L.lst uxcrit_L
   filewatch=ita/system/system/uxcrit_S.lst uxcrit_S
   filewatch=ita/system/system/grabcore.lst grabcore

   # Turns on address caching (ON or OFF)
   ADDR_CACHE=OFF

   # Specifies how long the agent will use a cached address before trying to
   # look up again, in minutes. The minimum is 15 minutes; the maximum is 48 hours.
   ADDR_CACHE_TIMEOUT=60

   # Communications timeout in seconds. The default is 30 seconds.
   ITA_TIMEOUT=30

   # How long before the agent negotiates a new encryption key, in seconds.
   # The default is 24 hours.
   ENCRYPTION_KEY_LIFETIME=86400

   # How often the agent checks for expired keys, in seconds.
   # The default is 60 minutes.
   ENCRYPTION_KEY_CHECK_INTERVAL=600

   # Configure agent command restrictions
   # This file contains all commands that the ITA agent is allowed to execute
   # via an Execute Command Action.
   # NOTE: If no file is specified or the file
25. In the tree, under the new rule, click Ignore to display the Ignore toolbar above the right pane.
In the Ignore toolbar, click Ignore Flag.
In the right pane, drag the raised flag from the Available box and drop it in the Flags to Monitor box.
Double-click the flag's icon in the Flags to Monitor box.
In the Ignore Flag Criteria dialog box, in the edit box, type the desired ignore statement or statements. Each statement must reside on its own line in the edit box. The relationship each statement has to the others is determined by the And and Or radio buttons located near the Ignore criteria's Label field. See "Select statement syntax" on page 159.
When you have finished defining the desired ignore statements, click OK. The changes are automatically saved.
9 Optionally, add and configure the desired Select criteria and action.
10 Activate and test the policy to ensure that it is working as desired.

Detecting four failed logins by the same user
Failed logins occur all the time. In fact, one or two failed logins by the same user is common. However, several failed logins by the same user may indicate an intruder attempting to gain unauthorized access to a system's resources. To illustrate event context capturing, in this section we will build an Intruder Alert policy that detects four failed logins by the same user within a two-minute p
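The counting logic the policy above expresses, written out as an added example in plain Python (not Intruder Alert or Symantec code): failed logins are keyed by user, each user gets a two-minute sliding window, and an alert is produced once four failures fall inside it. The log line format, host names and user names are constructed for the example.

```python
"""Sliding-window detection of repeated failed logins by one user.

Added example (not Intruder Alert code): models the policy described above,
four failed logins by the same user within two minutes, as a per-user
window over constructed log lines, so the counting logic can be checked
offline. The log format below is constructed for the example, not the
event format Intruder Alert uses.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: "date time host message". alice trips the rule;
# bob has four failures but spread over 14 minutes, so he must not.
SAMPLE_LOG = """\
2024-03-01 09:00:05 host1 login failed for user alice
2024-03-01 09:00:40 host1 login failed for user alice
2024-03-01 09:01:10 host1 login failed for user bob
2024-03-01 09:01:30 host2 login failed for user alice
2024-03-01 09:01:55 host1 login failed for user alice
2024-03-01 09:05:00 host1 login failed for user bob
2024-03-01 09:10:00 host1 login failed for user bob
2024-03-01 09:15:00 host1 login failed for user bob
2024-03-01 09:15:30 host1 login succeeded for user bob
"""

FAILED_PREFIX = "login failed for user "


def parse_log(text):
    """Return (timestamp, host, user) for each failed-login line, in file order.

    Lines that are not failed logins (successes, blanks, unrelated messages)
    are skipped, which is the equivalent of the policy's Select criteria.
    """
    events = []
    for line in text.splitlines():
        parts = line.split(None, 3)          # date, time, host, rest of message
        if len(parts) < 4 or not parts[3].startswith(FAILED_PREFIX):
            continue
        stamp = datetime.strptime(parts[0] + " " + parts[1], "%Y-%m-%d %H:%M:%S")
        user = parts[3][len(FAILED_PREFIX):].strip()
        events.append((stamp, parts[2], user))
    return events


def detect_failed_login_bursts(events, threshold=4, window_seconds=120):
    """Return one alert per burst: (user, time of the triggering event, captured events).

    Each user has its own window (the "context"): events older than the
    window are dropped before counting, so four failures spread over an
    hour never add up. When the threshold is reached the captured events
    are reported and the window is cleared, so the next burst starts fresh.
    """
    window = timedelta(seconds=window_seconds)
    alerts = []
    recent = defaultdict(deque)               # user -> deque of (stamp, host)
    for stamp, host, user in sorted(events):  # sort so out-of-order lines still work
        window_events = recent[user]
        window_events.append((stamp, host))
        while stamp - window_events[0][0] > window:
            window_events.popleft()
        if len(window_events) >= threshold:
            alerts.append((user, stamp, list(window_events)))
            window_events.clear()
    return alerts


if __name__ == "__main__":
    for user, when, captured in detect_failed_login_bursts(parse_log(SAMPLE_LOG)):
        hosts = sorted({h for _, h in captured})
        print(f"{when} {user}: {len(captured)} failed logins within 2 minutes from {hosts}")
```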
26. TOKEN> Turn on debugging output for the specified TOKENs.

Table E-4 General options for snmpsendtrap

-o <FILENAME>  Write output to FILENAME. The default output file is snmp.log. Use "-o stdout" to print to screen.
-m all|<MIBS>  Use MIBS list instead of the default MIB list.
-M <MIBDIRS>  Use MIBDIRS as the location to look for MIBs.
-P <MIBOPTS>  Toggle various defaults controlling MIB parsing. MIBOPTS can have the following values:
  u  Allow the usage of underlines in MIB symbols
  c  Disallow the usage of "--" to terminate comments
  d  Save MIB object descriptions
  e  Disable MIB errors of MIB symbol conflicts
  w  Enable MIB warnings of MIB symbol conflicts
  W  Enable detailed warnings of MIB symbol conflicts
  R  Replace MIB symbols from latest module
-O <OUTOPTS>  Toggle various defaults controlling output display. OUTOPTS can have the following values:
  n  Print object IDs numerically
  e  Print enumerations numerically (labels associated with enumerations are not printed)
  b  Do not break down object ID indexes
  q  Quick print for easier parsing
  f  Print full object IDs on output
  s  Print only the last symbolic element of an object ID
  S  Print MIB module ID plus the last element
-I <INOPTS>  Toggle various defaults controlling input parsing. INOPTS can have the following
27. The IP address.
time  The time the event occurred.
Using these variables, event information can be passed from Intruder Alert to another process. This could be an application, such as HP OpenView or MS Access, or an operating system command. Data is written to a temp file, parsed by an external program, then passed on to the command.
For example, you could write a command that copies the user names associated with a particular event to a text file. HP OpenView or some other program would then read the file and use that information.
The following examples show ways in which these variables may be used:
- kill process ID
- echo host name >> /tmp/myfile
- load event file
Note: On Windows, for Intruder Alert Agents to execute the commands in the Execute Command action, these commands must also be listed in the commands.txt file located in the directory <system disk>\Program Files\Symantec\ITA\system\<System Name>. See "Securing the Execute Command action" on page 131.
To configure an Execute Command action, add the desired commands or the path and file name of the executable files you want Intruder Alert to execute.
Figure 6-25 Execute Command action (screenshot of the Run Command action: a Commands to Execute list, a box to type the command or filename to execute, and an Add to List button)
28. The actions append the event to a log file and raise a flag, completing the first cycle. The second cycle begins when the system detects the raised flag, appends another event to the log file, and raises the flag again. Additional cycles continue as fast as the system can process the events. These cycles cause peak CPU utilization while the Append to File action keeps writing events to the text file, consuming disk space.

Suggestions for managing policies
The following suggestions may help you to manage your policies:
- Upgrade Intruder Alert from earlier versions to version 3.6.1.
- Apply tune-up packs as they become available.
- To customize a policy, copy it and modify the copied version.
- When applying a policy, verify that you are not applying both an original and a modified version of the same policy.

Policy development tasks
To develop policies, there are a number of tasks you need to perform. This section describes the following tasks:
- Creating a policy
- Adding and deleting a rule
- Adding and deleting rule criteria
- Saving policy changes
- Modify the ITA Shared Actions policy
- Creating and configuring a collector policy
- Creating a new folder in the Policy Library

Creating a policy
The following instructions describe the process of creating a new policy.
To create a policy in Intruder Alert
1 If you have not already done so, connect to the Manager. See
29. The number specifies the lowest level for which you want to see diagnostic information. Thus, setting it to level 3 will also include levels 1 and 2.
# Main program loop
MOD_MAIN=1
# Communications
MOD_COMM=1
# Authentication
MOD_AUTH=1
# Encryption
MOD_ENCRYPT=1
# Manager Event Database
MOD_DB=1
# Manager event cache
MOD_CACHE=1
# Configuration Database
MOD_ISAM=1
# Collectors
MOD_COLLECT=1
# Event processing
MOD_EVENT=1
# Event actions
MOD_ACTION=1
# Dot format
MOD_DOT=1
# Callback engine
MOD_CALLBACK=1
# Memory manager
MOD_MEM=1
# Policy updates
MOD_POLICY=1

# ITA Host Name Resolution behavior
# ITA_NAME_RESOLUTION=DNSONLY will force traditional hostname resolution and will reference the hosts file (DEFAULT).
# ITA_NAME_RESOLUTION=USEWINS will allow WINS information via a Win32 name resolution method.
# ITA_NAME_RESOLUTION=USEALL will first try traditional hostname resolution and, if it fails to resolve the name, will attempt to resolve it via a Win32 name resolution method.

UNIX
ITA_NAME_RESOLUTION=DNSONLY
30. export it, or delete it from the Manager.

To keep the policy, store it in a folder in the Policy Library or export it to an archive before deleting it from the Manager. If you delete it without storing it in a folder in the Policy Library or exporting it to an archive, the policy will be permanently deleted.

To move a policy to the Policy Library
1 In the tree, in the Policies branch, click the policy.
2 On the menu bar, do one of the following:
- Click Edit > Cut
- Click Edit > Copy
3 In the Policy Library branch, click the folder where you want to store the policy.
4 On the menu bar, click Edit > Paste.

Deleting policies from a Manager
To delete a policy from a Manager
1 In the Policies branch under the Manager, click the policy.
2 On the toolbar, click Delete.
3 In the confirmation dialog box, click Yes.

Exporting policies
You should export your customized policies before upgrading to a new release or before transferring them to another installation of Intruder Alert Administrator. Intruder Alert policy files can be exported from the Manager or Policy Library and saved.
Note: Before uninstalling Intruder Alert, export any policies you wish to keep, including user-defined, modified, or otherwise valuable policies, to a storage location outside of the Symantec ITA directory. Otherwise, during the uninstallation process these files will be delete
31. > arguments are replaced by your actual manager name or IP address, username, password, and port number.

To troubleshoot Agent registration on UNIX
1 Verify that the Manager and Agent are running.
2 Make sure the Manager and Agent can ping each other.
3 Verify that the hostnames of both the Manager and the Agent are known by the DNS server, using tools like nslookup.
4 Repeat the registration process, being careful to avoid any typographical errors.

Registering an Agent on Windows
You can register an Agent by using ITA Mgr/Agt Setup via the Start menu or by using single.exe on the Windows command line. Both procedures are provided in this section.
To register an Agent on Windows using ITA Mgr/Agt Setup
1 From the Start menu, click Programs > Symantec > Intruder Alert > ITA Mgr/Agt Setup.
2 In the Manager/Agent Setup dialog box, click Register to new Manager.
3 In the Register Local Agent to Manager dialog box, in the Manager text box, type the name of the Manager.
4 In the User Name text box, type the user name for the Manager system.
5 In the Password text box, type the password for the Manager.
6 In the Protocol group text box, select the protocol and service number used by the Manager.
7 Click OK.
The Manager establishes communication with the Agent. Intruder Alert supports Manager reconnects to unavailable Agents. The Manager will periodically retry any failed attempts to connect to an Agent. If the atte
32. - Telephone and Web support components that provide rapid response and up-to-the-minute information
- Upgrade insurance that delivers automatic software upgrade protection
- Content Updates for virus definitions and security signatures that ensure the highest level of protection
- Global support from Symantec Security Response experts, which is available 24 hours a day, 7 days a week, worldwide, in a variety of languages
- Advanced features, such as the Symantec Alerting Service and Technical Account Manager role, offer enhanced response and proactive security support
Please visit our Web site for current information on Support Programs. The specific features available may vary based on the level of support purchased and the specific product that you are using.

Licensing and registration
If the product that you are implementing requires registration and/or a license key, the fastest and easiest way to register your service is to access the Symantec licensing and registration site at www.symantec.com/certificate. Alternatively, you may go to www.symantec.com/techsupp/ent/enterprise.html, select the product that you wish to register, and from the Product Home Page select the Licensing and Registration link.

Contacting Technical Support
Customers with a current support agreement may contact the Technical Support group via phone or online at www.symantec.com/techsupp. Customers with Platinum support agreements may contact Platinum Technic
33. message to send.

Start Timer
The Start Timer action starts a timer that counts down to either a specified date or for a specified amount of time. The Start Timer action works with a Select Timer criterion located in a separate rule; the Select Timer criterion detects when the timer expires. Like flags, timers are used internally by the Agent. There is no graphical representation indicating they have started or how much time is remaining on them. Timers can be set to repeat on a specified frequency once they have expired. Timers expire or are cancelled by the Cancel Timer action.
Figure 6-24 Start Timer action (screenshot: Timer Options with Specified Date and Stop Watch radio buttons, Date/Time fields, a Weeks/Days/Hours/Minutes/Seconds countdown, and a Repeat interval; callouts read "Set the timer to start after the specified amount of time has elapsed", "Select the specific expiration date of the timer", and "Select how often the timer should repeat")
With the Specified Date radio button selected, the timer will expire on a specific month, day, and time. With the Stop Watch radio button selected, the timer will count down the specified amount of time.

Execute Command
The Execute Command action executes an operating system command, script file, or executable file. On UNIX systems, the Execute
34. the Kill Process action cannot stop all processes.
On UNIX systems, this action kills a specific process when the event contains a process identification (PID) number ("PID"). If a PID does not exist in the event, the process cannot be killed. Not all variants of UNIX use the PID.
Windows does not provide the specific process that generated the event. As a result, Intruder Alert cannot kill a Windows-specific process. Rather, Intruder Alert has been designed to terminate all processes belonging to the user associated with the event. Therefore, the selection criteria must contain the user name. If the user name is not available, processes will not be stopped. However, under no circumstances can this action kill a process associated with an administrator account.
Because NetWare does not allow one process to kill another, this action cannot operate on NetWare systems, but there is an alternative solution. See "Disconnect Session" on page 124.

Disconnect Session
The Disconnect Session action stops all processes that have the same user name or session ID as the process that generated the event. On UNIX systems, this action can terminate a specific session if the event contains a session identification (SID) number ("Session ID XXXXX"). If the event does not contain a session ID, sessions cannot be disconnected. On Windows systems, the Disconnect Sessio
35. when storing and comparing file attributes, such as the creation, access, or modification times of monitored files. Filewatch events shown in the text view portion of the Event Viewer are displayed in local time. File modification and creation times are shown in GMT in the message text portion of the Event Viewer.
The monitoring feature can be configured to monitor a number of individual file attributes. The following table lists the file attributes that the process can monitor.
Table 9-1 File monitoring capabilities
- Checksum (WROT, BROT, MD5)
- Group (gid)
- Deletion
- Owner (uid)
- File size
- Permissions (rwx)
- Modified time
- Driver description
- Read only
- Access time
- Creation time
- Permissions (r)
- File location
- Links (hard and symbolic)
- File type
The UNIX File Tampering and Windows File Tampering policies detect and respond to changes in the monitored attributes of the default file watch lists. If you create additional file watch lists, you must also create and activate a new policy to detect and respond to changes in those lists.
The following sections describe how to create a file watch list. You can also modify an existing file watch list. See "Modifying a file watch list" on page 154.

Configuring Intruder Alert file monitoring
Configuring Intruder Alert to monitor a list of files consists of the
36. ... 147
Configuring Intruder Alert file monitoring 149
Creating a file watch list 149
Adding the filewatch command to ita.ini 152
Modifying a file watch list 154
Chapter 11 Event context capturing
Understanding and using event contexts 155
Event context configuration 155
Event context capturing 156
Event context selection criteria 159
Notes and known issues 164
Creating policies that use event context capturing 165
Configuring the Raise Flag action to use event context capturing 165
Configuring Select/Ignore Flag to use event context capturing 166
Detecting four failed logins by the same user 168
Section 4 Monitoring events
Chapter 12 Using Intruder Alert Event Viewer
Launching Intruder Alert Event Viewer 175
Using the Query Builder wizard 176
Query Builder wizard screen one
37. 3 User privileges
- View Configuration: Allows the user to view configuration information.
- Modify Policies/Domains: Allows the user to organize domains and apply/remove policies.
- View Event Information: Allows the user to view event information.
- Change Manager Configuration: Not applicable.
- Change Agent Configuration: Allows the user to configure email, paging, and the Agent to monitor additional external audit logs. Note: The View Configuration privilege must be checked.
- Register New Agent: Allows the user to register an Agent to a Manager or additional Managers.
- User Account Information: Allows the user to add new users and define user privileges.

Creating a new user account
Refer to Figure 4-2 when creating a new user account.
Figure 4-2 User Manager window (screenshot of the User Manager dialog; callouts read "Click Add", "Type user and password information", and "Select user privileges")

To create a new user account
1 In the Intruder Alert tree, click the Manager to select it.
2 Do one of the following:
- In the menu bar, click Manager > Security > User Manager
- In the Intruder Alert tree, right-click the Manager and then click User Manager in the drop-down list
3 In the User Manager window, click Add.
4 Under User Configuration, assign privileges to the
38. 31
Send Email action 111; introduction 36
Send Intruder Alert Command 191; report command 213
Send Page action 113; introduction to 36
session, disconnect 124; Disconnect Session action 37
shared action 121; rules in policy 122; Run Shared Action 37
sharing actions among policies 141
simple expressions 192
single.exe command 72
size: error log files, default size 264; managing size of UNIX collectors 265; of rex and ext files 262; policies 134
SMTP throttle, configuring 268
SNMP: about, in Intruder Alert 273; IA Query, configuration for 285; IA Query, installation for 274; IA Query sample configuration file 274; IA Query, about configuring 274; importing NetProwler policies 285; installed files 284; installing 273; NetProwler traps from 283; options for snmpsendtrap 277; receiving traps 279; sample configurations 283; sending traps 276; sending traps to SNMP Manager 283; snmpget 282; snmpgetnext 282; snmpset 282; snmptrap options 281; snmptrap, install and start 280; trap syntax 276; traps, configuring audit log for 280; troubleshooting 285; utilities 282
Solaris: btmp event logging 168; C2 audit pipe monitoring 224
Start menu, using for Manager/Agent 67
Start Timer action 117; introduction to 37
starting: a Manager on Windows 60; a UNIX Manager or Agent 56, 66; a Windows Manager or Agent 66; Administrator 63; an Agent on Windows 60; ITA Manager/Agent Setup on Windows 59
Status Message collector 144
stopping
39. 38; Managers branch in 39; Policies branch in 40; Policy Library branch in 41; printing 71; Registered Agents branch in 40
troubleshooting: Agent registration on UNIX 79; Agent registration on Windows 80
tune-up: Manager status during 270; packs 138, 217; remote agent 271; requirements 270
U
uninstalling, exporting policies before 130
UNIX: btmp, btmps 222; C2 security 224; collectors 222; collectors, managing the size of 265; event logs 21; ita.ini file, default 252; itarc command 56; itasetup command 56, 57, 58, 73; modem 85; post-installation options on 55; process accounting 222; registering an Agent 56; registering an Agent on 77; starting a Manager or Agent 56, 66; stopping a Manager or Agent 56, 66; syslog 222; wtmp, wtmps 222
unregistering: a UNIX Agent from a Manager 57; an Agent from a Manager 80; an Agent on Windows 61
updates, policy 133
upgrading: exporting policies before 130; importing policies 131; to 3.6.1 138
user accounts 67: creating account 68; disable 124; Disable User action 37; disconnect session of 124; modifying privileges 69; notification of 116; passwords, changing 69; privileges 67; removing account 70
User criteria 103; introduction to 35
User Manager 67; dialog box 28
UTC 148
uxcrit file watch lists 151
V
variables: event 161; file watch list 151
versions, finding information on Web 219
view menu, Administrator 28
views: about 176; bar chart 178; creating new 185; generic 187; line graph 178; loading generic 187; loa
40. Agent with an additional Manager.
At the Intruder Alert Manager prompt, type the IP address or name of the Manager and then press Enter.
At the TCP port or service name prompt, do one of the following:
- To use the default Manager port number of 5051, press Enter (recommended).
- To specify a different TCP port, type the port number or service name and then press Enter. To use a service name, first associate it with a specific port.
At the Authorized Administrator Name prompt, type the username for the administrator and then press Enter.
At the Manager Password prompt, type the administrator password and then press Enter.
The Agent attempts to register with the specified Manager. If the attempt was successful, a message will appear indicating the registration was complete. If the attempt was unsuccessful, be sure you can ping the Manager's system and then repeat these instructions, avoiding any typographical errors.

Unregistering an Agent from a Manager
To unregister an Agent from a Manager
1 Change to the Intruder Alert setup directory. Type the following command and then press Enter:
cd /axent/ita/bin/<platform_type>
where platform_type indicates the type of computer you are using.
2 Start Intruder Alert setup. Type the following command and then press Enter:
itasetup
3 When prompted with the Intruder Alert setup options, type 2 and then press Enter to display the post-installation options.
4 Type 3 and then pre
41. Alert file monitoring

Table 9-2 File watch list commands and options
TIME <integer>  The TIME command defines the number of seconds between scans. Use the TIME command only once in a list.
RESCAN  The RESCAN command directs Intruder Alert to re-scan directories and files that contain wildcards. An asterisk (*) directs the process to list all files and subdirectories. A question mark (?) can replace single variable characters.
MESSAGE <text>  The MESSAGE command defines a character string that will be appended to the event message. The message will be used in the selection criteria of a policy rule.
BROT  This command enables and disables Byte Rotary (BROT) checksums. The command functions like a toggle switch. Each time the monitoring process encounters the command in the list, the BROT checksum will be switched on or off. An additional toggle, BROT, can be placed on individual files and directories. This parameter should be added to the end of the directory or file command, for example: c:\security\bin\syntech.exe BROT
WROT  This switch functions the same as BROT, to start, skip, or stop Word Rotary (WROT) checksums. Like BROT, WROT has an additional toggle that can be placed on individual files and directories. This switch is WROT. Use it in the same way as the BROT switch.
MD5  This switch functions the same as BROT, to start, skip, and stop MD5 checksums. Like BROT, MD5 has an add
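A parser for the list syntax Table 9-2 describes, added here as an example rather than taken from Intruder Alert: it applies the TIME, RESCAN and MESSAGE commands and tracks the BROT, WROT and MD5 toggles so that each entry ends up with the checksums that apply to it. Assumed, because the page only shows it by example: a line that is not a command is a file or directory path, and a trailing BROT/WROT/MD5 token on a path line is the per-file toggle; the paths in the sample list are constructed.

```python
"""Parser for a file watch list of the kind described in Table 9-2.

Added example, not Symantec code. Commands handled: TIME <seconds>,
RESCAN, MESSAGE <text>, and the BROT / WROT / MD5 global toggles.
Assumed syntax (the page shows it only by example): any other line is a
file or directory path, and a trailing BROT/WROT/MD5 token on a path line
is the per-file toggle that flips that checksum for that entry only.
"""
CHECKSUMS = ("BROT", "WROT", "MD5")

# Constructed sample list; the paths are placeholders, not a real default list.
SAMPLE_LIST = """\
TIME 300
MESSAGE critical system binaries
RESCAN
MD5
/usr/bin/login
/usr/bin/passwd BROT
BROT
/etc/passwd
/etc/shadow MD5
/etc/init.d/*
"""


class WatchListError(ValueError):
    """Raised for a list the monitor would reject (for example, TIME used twice)."""


def parse_watch_list(text):
    """Return {"time": int|None, "rescan": bool, "message": str|None, "entries": [...]}.

    Each entry is {"path", "wildcard", "checksums"}. "checksums" lists the
    checksums in force for that path: the global toggles seen so far, with the
    entry's own trailing toggle applied on top (a toggle flips, it does not set).
    """
    result = {"time": None, "rescan": False, "message": None, "entries": []}
    active = set()  # checksums currently switched on by the global toggles
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        word, _, rest = line.partition(" ")
        rest = rest.strip()
        if word == "TIME":
            if result["time"] is not None:
                raise WatchListError(f"line {lineno}: TIME may be used only once")
            if not rest.isdigit():
                raise WatchListError(f"line {lineno}: TIME needs an integer")
            result["time"] = int(rest)
        elif word == "RESCAN" and not rest:
            result["rescan"] = True
        elif word == "MESSAGE":
            result["message"] = rest
        elif word in CHECKSUMS and not rest:
            active ^= {word}                  # global toggle: on -> off, off -> on
        else:
            path, per_file = line, set()
            head, _, tail = line.rpartition(" ")
            if head and tail in CHECKSUMS:    # per-file toggle at the end of the line
                path, per_file = head.strip(), {tail}
            result["entries"].append({
                "path": path,
                "wildcard": any(ch in path for ch in "*?"),
                "checksums": sorted(active ^ per_file),
            })
    return result


def entries_needing_rescan(parsed):
    """Paths with wildcards that RESCAN will re-expand on each scan."""
    if not parsed["rescan"]:
        return []
    return [e["path"] for e in parsed["entries"] if e["wildcard"]]


if __name__ == "__main__":
    parsed = parse_watch_list(SAMPLE_LIST)
    print(f"scan every {parsed['time']}s, message={parsed['message']!r}")
    for entry in parsed["entries"]:
        print(f"{entry['path']:<20} checksums={entry['checksums']}")
    print("re-expanded on each scan:", entries_needing_rescan(parsed))
```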
42. A rule is comprised of three parts:
- Select criteria
- Ignore criteria
- Action criteria
All three parts do not have to exist to have a valid rule. The Select criteria defines the event to detect. The conditions set in the Ignore criteria define exceptions to the rule; if these conditions are present, no actions will be taken. The Action criteria specifies the action to be executed when the Select criteria is met.
Rules can be linked together to detect sequential events. They can be assigned one of the following threat level values:
- Emergency: These rules indicate the highest threat level.
- Alert: These rules indicate a moderate threat level.
- For Your Information (FYI): These rules indicate the lowest threat level.
See "Policies, rules, and criteria" on page 91. See "Administering policies" on page 127.

Touring Intruder Alert
This chapter includes the following topics:
- Intruder Alert Administrator
- Intruder Alert tree
- Intruder Alert Event Viewer
- Event Viewer task features
- Managers and Agents

Intruder Alert Administrator
The administration tasks of Intruder Alert have been simplified by using a Graphical User Interface (GUI) for the Intruder Alert Administrator. This section discusses the various tools, objects, and features available in the GUI. The Intruder Alert Administrator serves as Intruder Alert's command center. It is used to:
- O
43. # Specifies if the log file is to be kept open while the Manager is running (0 = False, 1 = True).
LogFileKeepOpen=1
# Enables or disables diagnostic reporting.
Enable=0
# Specifies how large the manager log file will get, in KB.
MaxLogSize=50
# Specifies how many old log files the manager will keep.
MaxLogFiles=2
# Includes the time with each diagnostic message logged (0 = OFF, 1 = ON).
LogTimeStamp=1
# Includes the date with each diagnostic message logged (0 = OFF, 1 = ON).
LogDateStamp=1
# Includes the name of the diagnostic group with each diagnostic message logged (0 = OFF, 1 = ON).
LogGroupName=0
# Includes the name of the diagnostic level with each diagnostic message logged (0 = OFF, 1 = ON).
LogLevel=0
# Will log diagnostic messages to standard out if not run as a daemon (0 = OFF, 1 = ON).
LogStdout=0

# Diagnostic group names and levels. The number specifies the lowest level for which you want to see diagnostic information. Thus, setting it to level 3 will also include levels 1 and 2.
# Main program loop
MOD_MAIN=1
# Communications
MOD_COMM=1
# Authentication
MOD_AUTH=1
# Encryption
MOD_ENCRYPT=1
# Manager Event Database
MOD_DB=1
# Manager event cache
MOD_CACHE=1
# Configuration Database
MOD_ISAM=1
# Collectors
MOD_COLLECT=1
# Event processing
MOD_EVENT=1
# Event actions
MOD_A
44. # Admin Diagnostics
# Specifies if the log file is to be kept open while the Admin is running (0 = False, 1 = True).
LogFileKeepOpen=1
# Enables or disables diagnostic reporting.
Enable=0
# Specifies how large the admin log file will get, in KB.
MaxLogSize=50
# Specifies how many old log files admin will keep.
MaxLogFiles=2
# Includes the time with each diagnostic message logged (0 = OFF, 1 = ON).
LogTimeStamp=1
# Includes the date with each diagnostic message logged (0 = OFF, 1 = ON).
LogDateStamp=1
# Includes the name of the diagnostic group with each diagnostic message logged (0 = OFF, 1 = ON).
LogGroupName=0
# Includes the name of the diagnostic level with each diagnostic message logged (0 = OFF, 1 = ON).
LogLevel=0
# Will log diagnostic messages to standard out if not run as a daemon (0 = OFF, 1 = ON).
LogStdout=0

# Diagnostic group names and levels. The number specifies the lowest level for which you want to see diagnostic information. Thus, setting it to level 3 will also include levels 1 and 2.
# Main program loop
MOD_MAIN=1
# Communications
MOD_COMM=1
# Authentication
MOD_AUTH=1
# Encryption
MOD_ENCRYPT=1
# Manager Event Database
MOD_DB=1
# Manager event cache
MOD_CACHE=1
# Configur
45. - Help topics: Assistance with Intruder Alert features.
- Go to Homepage: Support on the Web.
- About Intruder Alert Event Viewer: Display the Event Viewer version and build date.
The toolbar allows you to launch routine tasks with a single click of the button.
Figure 2-19 Intruder Alert Event Viewer toolbar (buttons: New Query, Send Command, Help Topics, Symantec Homepage)
The tasks available on the toolbar include:
- Define a new query
- Send an Intruder Alert command
In addition, the toolbar provides access to Symantec's Web site and online help.

Event Viewer task features
Defining a query
Defining a new query in the Intruder Alert Event Viewer is a three-step process involving the three screens of the Query Builder wizard.
Screen one
The following graphic illustrates the first of three screens contained in the Query Builder wizard. In this screen you will select a Manager and a report view type.
Figure 2-20 Query Builder screen one (screenshot of the Intruder Alert Event Viewer: Select Manager and Type, Select View Type, View Type, and Axis Properties boxes, with an Edit Manager List button)
Note: Several options are available in the Axis Properties box depending on the
46. Registry key you specify. The enumeration retrieves information about one subkey each time it is called. If the Registry key you specify has several subkeys, each alert on the Enumerate Value function will be displaying a different piece of information to the user.
- Flush Key: This function monitors the writing of the attributes of the Registry key you specify into the registry. Flushing is an explicit command and writes all the attributes of the Registry key you have specified to the Registry immediately.
- Open Key: This function monitors the opening of the Registry key you specify. Opening a specific key would be preparatory to performing some other action on the key, a subkey, or a value within the key.
- Query Key: This function monitors the retrieval of information about the Registry key you specify. Before the key can be queried it must be opened, so you can monitor the opening with the Open Key function as well.
- Query Value: This function monitors the retrieval of information about a specified value name associated with the Registry key you specify. Before the value can be queried its associated key must be opened, so you can monitor the opening with the Open Key function as well.
- Set Value: This function lets you specify a particular service or application to which the rule you are creating will apply. For example, many applications create temporary share services. For examp
47. Security logs
- Intruder Alert for UNIX and Windows can also be configured to monitor any ASCII audit log. See "Configuring external audit log monitoring" on page 85.
More information about how events are logged on UNIX and Windows operating systems is available. See "Operating system collectors" on page 221.

Agent Domains
Agents are grouped in domains by operating system, location, workgroup, or access restrictions. A domain may contain one or more Agents. In addition, Agents may belong to more than one domain, as illustrated below.
Figure 1-2 Shared Agent Diagram (Domain 1 and Domain 2 under Manager 1)
A Manager may have one or several domains. If desired, each registered Agent may reside in its own domain. The Manager stores the policy and domain information. Once a policy has been applied to a domain, the Manager delivers that policy to all the Agents in that domain. Agents run the policies 24 hours a day, 7 days a week. See "Managing Agents" on page 75.

Intruder Alert policies
Policies define which system events to select, which to ignore, and which actions to perform. Intruder Alert comes with pre-configured policies that can be applied during installation.
Rules
Policies contain rules and rule criteria that Intruder Alert uses to detect and respond to information security threats
48. System  Other sources not used by Intruder Alert
Figure: Event collection on UNIX (audit sources: C2 audit log, binary file; btmp, binary file; wtmp, binary file; process accounting, binary file; syslog, /var/adm/messages; daemons: C2 daemon C2atd and collector collogd; Intruder Alert Agent)
Intruder Alert Agent: Located in the /axent/ita/system/<hostname> directory.
The audit source files (as an example, syslog, wtmp, and so forth) will continue to grow until those files are truncated. The size of these files can be managed manually, or Intruder Alert's collogd daemon can be configured to manage their growth automatically via settings in the ita.ini file. See "Manage the size of UNIX collectors" on page 265.
Note: The ability to audit these sources depends on the type of platform and installed platform options.

Configure Intruder Alert to monitor C2 collector
The United States Department of Defense (DOD) established a set of standards for different levels of information security. These standards are published in the Trusted Computer System Evaluation Criteria document, also known as the Orange Book. The DOD organized these standards in four groups, called A, B, C, and D, with seven l
49. Text View screen

Section 5: Appendices
This section discusses the following:
- Appendix A: Contacting customer support
- Appendix B: Operating system collectors
- Appendix C: ita.ini file documentation
- Appendix D: Optimization and problem solving techniques
- Appendix E: SNMP for Intruder Alert
- Appendix F: Destination ports for Intruder Alert

Appendix A: Contacting customer support
Customer support: Symantec's technical support group of skilled technical engineers provides platform-specific information about Symantec products. Our staff has in-depth expertise in both client/server computing and information security technology.

Before contacting technical support: See the online help, the relevant portion of the administration guide, or the release notes for the version of the Symantec product. If you are not able to find a solution, access Symantec's Web site at http://www.symantec.com/techsupp. If you are unable to find a solution, complete the following steps before calling Technical Support:
- Become an authorized contact with your security manager.
- Check on the Web for tune-up packs or updates for your product and review the technical FAQs.
- Be at the computer so our technical engineers can talk you through the steps needed to correct the problem.
- Gather the relevant information described in the tables on the following pages.

Table A-1: Required Administrator or Event Viewer information
50. The Intruder Alert Event Viewer offers five different view types from which to choose:
- Bar chart
- Line graph
- Pie chart
- Report
- Text

Several options are available in the Axis Properties box, depending on the type of report view you choose. These allow you to define the display parameters for your report.

Note: The pie chart and other graphic views available in the Intruder Alert Event Viewer may display with multicolored shading to the side of the graphic. This is a Crystal Reports issue and is easily overcome by setting the monitor to a higher resolution or changing the color setting to display true color.

Modifying a graphic view
In the Event Viewer it is possible to right-click on the graphic and select a tool from the graph edit menu to modify the chart view. See "Modifying a chart view" on page 188.

Report view
The report and text views provide more in-depth information about the security events. The details of the security event are clearly visible in the report view. The first page is a summary of the query which was used to generate the report, while subsequent report pages contain the detailed summaries of the security events that occurred during the period specified in the report query.

Report options
- The basic reports may be customized to present a certain level of detail for specific audiences.
- The data may be presented in a predefi
51. The file watch collector is covered elsewhere. See "File and directory security" on page 147.

Custom log file collector
This feature of Intruder Alert lets you monitor any text file on the system, whether it is created by you or by some application program. Once you have configured Intruder Alert, it will read the file as one of its own audit logs and report events based on the information in the file.

The custom log file collector gives you two file watch options: single line and multiple line. The single line collector works with a carriage return, while the multiple line collector requires that you enter some type of delimiter. Whether single line or multiple line, the custom log file collector must be configured from an active Agent and will only work on that Agent.

To create a single line collector:
1. In Intruder Alert Administrator, connect to an Agent.
2. In the right pane, under Audit Logs, click New.
3. In the Audit Log window, click Single Line.
4. In the Description text box, type a description of the file you will monitor.
5. In the File Name text box, type a fully qualified path to the file you wish to monitor.
6. In the Strings to Parse text box, type the desired pattern to audit.
7. Click OK.
8. In the Audit Logs box, click the name of the new audit log and then click Save. The audit log collector is not complete until you save it.

The audit log is configured b
52. after gathering the selected data.

Modifying a chart view
After creating a chart view, you can modify the view's appearance by right-clicking anywhere in the graph view screen and selecting an editing tool from the pop-up Graph Editing menu.

[Figure 11-9: Graph Editing menu. Graph View: right-click in this screen to access the Graph Editing menu.]

Use the tools on the Graph Editing menu to modify aspects of the chart. For example, by clicking Wizard, the Chart Wizard appears. The Chart Wizard walks you through the process of modifying the chart's type, style, layout, and axis.

[Figure 11-10: Chart Wizard. Select an option and click Next until finished; click Help for online assistance.]

Saving a view
After defining a query, you can save the view that is generated for future use. Saving a view saves you from having to redefine it each time you want to examine the results of that query.

To save a view:
1. If you do not already have a view open, create a view. See "Creating a new view" on page 185.
2. In the Event Viewer menu bar, click Edit > Query. This brings up the Query Builder wizard and adds the save option to the available menus.
3. In the menu bar, click File > Save View.
4. In the Save As dialog box, specify a directory and file name a
53. and name it. See "Adding and deleting a rule" on page 139.
3. In the tree, under the new rule, click Select to display the Select toolbar above the right pane.
4. In the Select toolbar, click Select Flag.
5. In the right pane, drag the raised flag from the Available box and drop it in the Flags to Monitor box.
6. Double-click the flag's icon in the Flags to Monitor box.
7. In the Select Flag Criteria dialog box, in the edit box, type the desired select statement or statements. Each statement must reside on its own line in the edit box. The relationship each statement has to the others is determined by the And and Or radio buttons located near the Select criteria's Label field. See "Select statement syntax" on page 159.
8. When you have finished defining the desired select statements, click OK. The changes are automatically saved.
9. Optionally, add and configure the desired Ignore criteria and action using the procedure below.
10. Activate and test the policy to ensure that it is working as desired.

To configure the Ignore Flag:
1. Complete the steps for configuring the Raise Flag action to capture event context information. See "Configuring the Raise Flag action to use event context capturing" on page 165.
2. In the Intruder Alert tree, in the desired policy branch, create a new rule and name it. See "Adding and deleting a rule" on page 139.
54. branches.
5. Expand Actions. The configured actions are displayed.
6. Do one of the following:
- To reconfigure an existing action, click the action to view the configuration fields in the right pane of Intruder Alert Administrator and configure as necessary. For more information about a particular action, see the desired heading in the section "Actions" on page 106.
- To add a new action, right-click Actions and then click New and the desired action in the drop-down list. Configure the action as necessary.
- To delete an action, right-click the particular action and then click Delete in the drop-down list. In the Delete dialog box, click Yes.
The changes are automatically saved.
7. Copy the policy to the desired Manager's branch and then apply it to the All Agents domain. See "Applying policies to a domain" on page 127.

To add a new shared rule:
1. In the Intruder Alert tree, expand Policy Library and then expand Configure to Detect.
2. In the Configure to Detect branch, expand Generic and then expand ITA Shared Actions.
3. In the ITA Shared Actions branch, right-click Rules and then click New in the drop-down list. The new rule is added to the Rules branch as New Rule.
4. In the right pane, in the Label text box, type "Shared:" (be sure to add the colon) and then whatever name you desire. For example:
- Shared: Priority 1 Alert
- Shared: Email Admin
55. chose to export the data in an HTML format, in the Export to Directory dialog box specify the desired directory and then click OK.
- If you chose to export the data in a different format, in the Choose Export File dialog specify the desired directory and file name and then click OK.

Note: HTML exporting can produce multiple output files. In the Export To Directory dialog box, the directory name is not used to name an output file; it is used to create the directory where the HTML files will be created. By default, the base output file in this directory is named default.htm. Point your browser at this file to view the report contents.

Enlarge the view area
The Zoom feature allows you to enlarge and shrink the size of the Report Viewer screen. With this feature you can shrink the report to 25 percent or enlarge it to 400 percent of its original size.

To zoom in or out of a report:
1. Generate a report.
2. On the Report Viewer toolbar, in the resize drop-down list, click the desired size. The report changes to the selected size.

Locate information in a report
To locate information in a report:
1. Generate a report.
2. On the Report Viewer toolbar, in the Search text box, type the desired text and then click Search.
3. To locate the next instance, click Search again.

Exit the report
To exit the report: In the Report Viewer window, click the X
56. configure the Shared: Emergency rule to send email to an administrator.

The following table describes the intended use for each rule.

Table 8-1: ITA Shared Actions policy
- Shared: Append to Agt. This rule appends captured events to a file located on the Agent's system. You can specify any directory and file name you wish. Be sure to modify the path and file name according to the Agent's operating system.
- Shared: Append to Mgr. This rule appends captured events to a file located on the Manager's system. Use the format <path and file name> <Manager's name>; for example, on Windows, c:\Program Files\Symantec\ITA\bin\logfile Mars.
- Shared: Email. This rule sends an email to one or more people. Configure the Send Email action with the desired email addresses. Note: The Agent must be configured with email capabilities. See "Configuring the Agent for email notification" on page 83.
- Shared: Exec Command. This rule executes a command. For instructions on how to configure the Execute Command action, see "Execute Command" on page 118.
- Shared: Notify System. This rule notifies a system. For help on how to configure the Notify action, see "Notify" on page 115.
- Shared: Record Alert. This rule records events having a moderate security threat in the Manager's event database by using the Record to Event V
57. contained in the rex files. Only one rex file exists at a time on the Manager system. The default size of rex files is 2 MB. Extent (ext) files contain archived event data. The size of these files is 2 MB.

Both the rex files and ext files are named with a number, using the format <number>.rex. When a <number>.rex file reaches the maximum size, Intruder Alert writes final data to it, renames it to <number>.ext, and creates a new file in the format <number+1>.rex to hold new events. For example, when the Manager is installed, Intruder Alert creates a 1.rex file and populates it with events. New Intruder Alert events are initially stored in the 1.rex file. When 1.rex reaches the maximum size, Intruder Alert writes final data to 1.rex, renames the file to 1.ext, and then creates the 2.rex file to hold new events. When 2.rex becomes full, the Manager writes final data to 2.rex, renames it as 2.ext, and creates 3.rex to hold new events.

To display events, Intruder Alert opens the rex file, reads the events in that file, looks at the number in the file name, and reads backwards through the ext files that have a smaller number. For instance, if the current rex file is 18.rex, Intruder Alert reads the events from 18.rex, from 17.ext, from 16.ext, and so on, in that order. Extent files increment starting with 1.ext and continue to the maximum number of 99999999.ext. With up to 99,999,999 possible extent files there is no limi
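The rotation and read-back order described above, as an added example that is not part of the guide or of the Intruder Alert product: an in-memory Python model of the Manager's <number>.rex / <number>.ext naming. The extent size, the byte counts and the directory listing used below are constructed for illustration; the real on-disk record format is not modelled.

```python
"""Added example: an in-memory model of the Intruder Alert Manager's .rex/.ext
extent rotation and of the order in which events are read back.  This is not
Intruder Alert code; sizes and file names below are constructed for illustration."""
import re

DEFAULT_EXTENT_BYTES = 2 * 1024 * 1024   # the guide's default extent size (2 MB)
MAX_EXTENT_NUMBER = 99_999_999           # highest extent the guide mentions (99999999.ext)
_EXTENT_RE = re.compile(r"^(\d+)\.(rex|ext)$")


class ExtentStore:
    """Models one Manager event database: a single open <n>.rex plus archived <k>.ext."""

    def __init__(self, max_size=DEFAULT_EXTENT_BYTES):
        self.max_size = max_size
        self.current = 1                  # the Manager starts out with 1.rex
        self.files = {"1.rex": 0}         # file name -> bytes written so far (model only)

    def write(self, nbytes):
        """Append nbytes of event data; roll over once the open .rex reaches max_size."""
        name = f"{self.current}.rex"
        self.files[name] += nbytes
        if self.files[name] >= self.max_size:
            self._rotate()

    def _rotate(self):
        """<n>.rex is finalized, renamed to <n>.ext, and <n+1>.rex is created."""
        if self.current >= MAX_EXTENT_NUMBER:
            raise RuntimeError("extent numbering exhausted")
        size = self.files.pop(f"{self.current}.rex")
        self.files[f"{self.current}.ext"] = size
        self.current += 1
        self.files[f"{self.current}.rex"] = 0

    def read_order(self):
        return read_order(self.files)


def read_order(names):
    """Given a directory listing (any iterable of file names), return the files in
    the order the guide describes: the single .rex first, then every .ext with a
    smaller number in descending order.  Names that are not extents are ignored."""
    rex, exts = [], {}
    for name in names:
        m = _EXTENT_RE.match(name)
        if not m:
            continue
        num, kind = int(m.group(1)), m.group(2)
        if kind == "rex":
            rex.append(num)
        else:
            exts[num] = name
    if len(rex) != 1:
        raise ValueError(f"expected exactly one .rex file, found {len(rex)}")
    current = rex[0]
    order = [f"{current}.rex"]
    order += [exts[n] for n in sorted(exts, reverse=True) if n < current]
    return order


if __name__ == "__main__":
    store = ExtentStore(max_size=100)      # tiny constructed extent size
    for chunk in (60, 60, 100):
        store.write(chunk)
    print(store.read_order())              # 3.rex, then 2.ext, then 1.ext
    print(read_order(["16.ext", "18.rex", "17.ext", "1.ext", "ita.ini"]))
```

`read_order` deliberately refuses a listing with zero or several `.rex` files: the guide states that exactly one exists at a time, so anything else indicates a damaged or tampered database directory and is worth an alert rather than a guess.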
58. data to a format the Agent can read.

[Figure: C2 audit collection. C2atd reads the C2 audit pipe (every 1 second by default), converts the data, and writes the converted data to the collector log for the Agent.]

Configure the C2 audit daemon
Two settings added to the ita.ini file initialize and configure Symantec's C2 audit trail daemon. The first is required and starts the daemon. The second is optional; it allows the user to specify options when using the daemon, including the frequency, in seconds, at which the C2 binary audit pipe is read. There are three options available when configuring C2:
- -p x: wait x seconds between polls
- -i y: use alternate audit file interpreter y
- -b: read from the beginning of the audit file

To initialize and configure the C2 audit daemon:
1. Open the ita.ini file in a UNIX text editor. The ita.ini file is located in the /axent/ita/system/<hostname> directory, where <hostname> represents the name of the system being configured.
2. At the end of the Agent section, create a new line and enter the following command:
   C2ATD_START=1
The setting 1 starts (enables) the daemon, and the setting 0 disables or prevents the daemon from starting.
3. Optionally, add another line and enter the following command:
   C2ATD_OPTIONS=-px
where x represents how often, in seconds, the daemon reads the C2 audit pipe. The default is every second. In the following example, the daemon would read the pipe e
59. does not exist, then no commands will be allowed.
   ITA_COMMAND_LIST=ita/system/system/commands.txt
Specifies how large, in bytes, the Agent cache files are allowed to be. Default and maximum are 10000000.
   MAX_CACHE_SIZE=10000000

UNIX collector truncation. Turning these on will let ITA manage the size of the SYSTEM files. NOTE: ITA will always control the size of its own files. The MAX_SIZE entries are in KB. The minimum size is 64 KB, the maximum size is 8192 KB, and the default is 256 KB.
   Process accounting: ACCT_TRUNC=1, ACCT_LOG_MAX_SIZE=512
   Syslog: SLOG_TRUNC=1, SLOG_LOG_MAX_SIZE=1024
   WTMP: WTMP_TRUNC=1, WTMP_LOG_MAX_SIZE=512
   BTMP (where available): BTMP_TRUNC=1, BTMP_LOG_MAX_SIZE=512

How many events to process before checking for other work. The default is 20. For each event source this number is multiplied by a per-source factor (process accounting, syslog, WTMP and BTMP; single line external file; multi line external file) [multiplier values illegible].
   MAX_EVENTS_PER=20
Specifies the maximum amount of time, in seconds, spent reading a single line or multi line external file. The default is 2, the minimum is 1, and the maximum is 10.
   LOG_MAX_SECONDS_PER=2
Indicates if the C2 Audit Trail Daemon should start when the Agent starts.
   C2ATD_START=0
Options to be passed to the C2 Audit Trail D
60. exit Intruder Alert Administrator, you will be prompted to save. You may save all or discard all changes to the policies.

To save changes to a policy:
1. Expand the tree to view the policy. If a pencil appears on the policy icon, then there are changes that need to be saved.
2. Do one of the following:
- Right-click the policy and then click Save in the drop-down list.
- On the toolbar, click Save.

Modify the ITA Shared Actions policy
The ITA Shared Actions policy administers actions from a central location. You can modify one rule in the ITA Shared Actions policy and have it affect every policy configured to use it. The ITA Shared Actions policy resides in the Configure to Detect > Generic branch in the Policy Library branch. This section describes its purpose and how to modify it for your organization's needs.

Note: All out-of-box policies in versions 3.0 and 3.01 were configured to use the ITA Shared Actions policy. However, if that policy was mistakenly removed or is not configured to detect, then all policies configured to use it would be rendered ineffective. Therefore, to avoid this type of mistake, all out-of-box policies in version 3.6.1 are configured with their own actions. However, the ITA Shared Actions policy is still included and activated automatically, so all version 3.0 policies will function in version 3.6.1.

The ITA Shared Actions policy includes rules defining a different type of response. For example, you could
61. > 50
- System: for example, Baddog
- Policy: for example, NT User Account or NW Help Desk
- Rule: for example, Account Changed
- User: for example, jdoe
- TXT: type specific text to query. Examples include PID 123456789 and Failed Logon.

Building complex queries
Complex queries contain two or more simple expressions linked by a logical operator. Simple and complex expressions can be linked in various forms to make complex queries. Use parentheses to group expressions together. See the examples under "Logical operators" on the next page. The following illustration depicts the various forms of a complex query.

[Figure 11-12: Complex expressions. A complex expression takes one of these forms: complex expression, logical operator, simple expression; simple expression, logical operator, data element; complex expression, logical operator, data element; simple expression, logical operator, simple expression; complex expression, logical operator, complex expression.]

Logical operators
Logical operators are used between simple and complex expressions. The actual operator must be used, NOT the value that it represents. Intruder Alert Event Viewer uses two logical operators.

Table 11-4: Logical operators
- & (ampersand): And. Selects events that satisfy the criteria contained in both the
62. in the doc directory on the ITA program CD.

Configuring the IA Query Event Management Service
You must configure the Intruder Alert IA Query Event Management Service to allow you to send SNMP traps to a management framework such as HP OpenView, IBM's Tivoli Enterprise Manager, or Micromuse's Netcool. Refer to the "Creating the Configuration File" topic in the IA Query Event Management Service Implementation Guide for instructions. This document is in the doc directory on the ITA program CD.

Sample IA Query configuration file
The following file is an example of how to set up the IA Query Event Management Service configuration file. This configuration file shows how IA Query can call a program to send each event as an SNMP trap to an SNMP management station.

   query_port 3836
   output command
   command c:\progra~1\symantec\ita\bin\snmpsendtrap localhost public enterprises.axent localhost 6 11 99999 intruderalertagentlabel s $agent S intruderalerteventtime $eventtime intruderalerttrapmessage s $text intruderalerttrapseverity i $severity agenthostip s $agent_ip policy s $policy rule s $rule
   poll_interval 1
   managers Manager One
   mgr_port 5051
   user iaquery
   password iaquery
   query mode real_time

Figure E-1 is an example of how SNMP messages are sent to an SNMP Manager and how SNMP messages are received from NetProwler
63. in the upper right-hand corner.

Generating Agent status reports
Intruder Alert offers three reports that provide valuable information about an Agent system. Agent reports include:
- Agent Policy report
- Agent Active Datastream report
- Agent Load report

These reports are generated from and viewed in Intruder Alert Event Viewer. This requires that the Intruder Alert Reports policy is activated on the Agent system. The Intruder Alert Reports policy is automatically installed and activated on the Agent during installation; however, it may have been deactivated by an administrator. Prior to generating the Agent reports, verify that the Intruder Alert Reports policy is activated on the Agent. The following sections describe each Agent report.

Agent Policy report
The Agent Policy report contains information about each activated policy since the Agent started or the policy was last modified. Report contents include:
- Agent name
- When the Agent started
- Policies activated on the Agent
- Date and time the policy was last modified
- Number of times each rule was executed

Agent Active Datastream report
The Agent Active Datastream report lists the status of each event source. Intruder Alert has different event sources for each supported operating system. The event sources on UNIX include syslog, wtmp, process accounting, and, where available, btmp and C2 audit l
64. items are selected, the default is to gather all events captured by the policies, rules, and Agents listed in the Manager Objects box.

Note: Limiting the number of selected objects to five or less will reduce complexity and make your reports and views easier to understand.

Advanced Query box
Clicking the Advanced button displays the Query text box in screen three. In the Query text box you can define a query string that pinpoints specific data of interest. For example, you can direct Intruder Alert Event Viewer to display a specific type of event for a specific person. There is a specific language and syntax used to define query strings. See "Defining advanced queries" on page 192.

GO button
This button is available at any stage of the Query Builder wizard and can be used to launch the report based solely on the information that has been supplied to that point.

Working in the Event Viewer
This section provides instructions for performing the tasks available in Intruder Alert Event Viewer. These tasks include:
- Creating a new view
- Modifying a view's query definition
- Sorting the text view
- Loading a predefined view
- Modifying a chart view
- Saving a view
- Sending an Intruder Alert command to an Agent

Creating a new view
The steps below outline the process for creating a new view using the Query Builder wizard. If you need he
65. - Shared: Page Admin
5. In the tree, click New Rule. This updates the rule name and expands the branch.
6. Add and configure the desired actions to the new rule. Rules with shared actions do not require Select and Ignore criteria. The rule is automatically saved.
7. Copy the policy to the desired Manager's branch and then apply it to the All Agents domain. See "Applying policies to a domain" on page 127.

Creating and configuring a collector policy
The following instructions describe how to create and configure a collector policy. A collector policy captures all event messages. There are three different types of collector policies you can create. The following table describes each collector.

Table 8-2: Collector types
- System Message: The System Message collector uses operating system log files to capture all system events.
- Status Message: The Status Message collector uses Intruder Alert status messages from Manager and Agent log files to capture all Intruder Alert status events.
- ITA Error Message: The ITA Error Message collector uses Intruder Alert error messages from Manager and Agent log files to capture all Intruder Alert error events.

Note: Because collectors gather all events, carefully select where the policy is activated and for how long. If activated on a busy domain, the collector will gather large amounts of data, making analysis difficult.

To c
66. management station.
- ita\bin\snmptrap.exe: Installs a service that receives SNMP traps from managed nodes.

Note: The ita\bin directory is created when the Intruder Alert Agent is installed. However, installing SNMP for Intruder Alert adds the files listed in Table E-9 to that directory.

Importing NetProwler policies
The NetProwler/Intruder Alert integration policies are included with the Intruder Alert 3.6 Policy Library. They are also included on the NetProwler 3.5 CD-ROM and are available for download from the Symantec Web site. If you do not have Intruder Alert version 3.6 or above, you must import these policies into the Intruder Alert Manager and apply them to the Agent where the Intruder Alert SNMP Collector resides. Integration policies are saved with a .pol file extension. They can be imported into the Policy Library or a Manager's Policies branch.

To import an integration policy:
1. In the Intruder Alert Administrator, connect to the Intruder Alert Manager.
2. Do one of the following:
- Click Policy Library.
- In the Manager's branch, click Policies.
3. On the menu bar, click File > Import Policy.
4. In the Importing Policies dialog box, select the path and filename.
5. Click Open.
6. Repeat steps 2-4 for the other integration policies.
The integration policies are imported and stored under the selected branch.

Troubleshooting SNMP fo
67. new user by selecting the check box for that privilege.
- In the User Name text box, type a username for the new user.
- In the Full Name text box, type the user's full name.
- In the Password text box, type the password for the new user.
- In the Confirm Password text box, retype the password.
- Click Commit.
- When finished, click OK.
The new user is added with the specified privileges.

Modifying user privileges
User privileges can be changed after the user account has been created. In order to change account information, you must have User Account Information privileges.

To modify user privileges:
1. In the Intruder Alert tree, right-click the desired Manager and then click User Manager in the drop-down list.
2. In the User Manager window, in the User Name text box, select the user and then click Edit.
3. Make the desired modifications and then click Commit.
4. When finished, click OK.
User Manager changes the user's privileges.

Changing user passwords
To maintain security and protect the use of Intruder Alert, the administrator should periodically change user passwords. In order to change account information, you must have User Account Information privileges.

Note: If an Admin User account was used during installation to register the Agents with the Manager, communication between the Agent and Manager will disconnect if the password is changed.

To change user
68. of Hewlett-Packard Development Company, L.P. Intel, Itanium, and Pentium are registered trademarks of Intel Corporation. Sun is a registered trademark, and Java, Solaris, Ultra Enterprise, and SPARC are trademarks of Sun Microsystems. UNIX is a registered trademark of UNIX System Laboratories, Inc. Crystal Reports is a trademark of BusinessObjects Corporation. Other brands and product names mentioned in this manual may be trademarks or registered trademarks of their respective companies and are hereby acknowledged. Printed in the United States of America. 10 9 8 7 6 5 4 3 2 1

Technical support
As part of Symantec Security Response, the Symantec global Technical Support group maintains support centers throughout the world. The Technical Support group's primary role is to respond to specific questions on product feature/function, installation, and configuration, as well as to author content for our Web-accessible Knowledge Base. The Technical Support group works collaboratively with the other functional areas within Symantec to answer your questions in a timely fashion. For example, the Technical Support group works with Product Engineering as well as Symantec Security Response to provide Alerting Services and Virus Definition Updates for virus outbreaks and security alerts. Symantec technical support offerings include:
- A range of support options that give you the flexibility to select the right amount of service for any size organization
69. of the following:
- In the Manager box, select a Manager.
- Type the name of a Manager and then press Enter.
In the Connect to Manager dialog box, specify a Manager, enter its User Name and Password, and then click OK.
In Query Builder screen one, click Next.
In Query Builder screen two, click Next.
In Query Builder screen three, in the Manager Objects box, expand Policies. The 4 Failed Logins policy should be visible.
Drag the 4 Failed Logins policy from the Manager Objects box to the Query List box and then click GO. The text view appears with the 4 Failed Logins event.

If the event does not appear in the text view, verify that the policy was configured properly and that it resides on the targeted Agent system. Repeat the steps for triggering and viewing the event.

Section 4: Monitoring events
This section discusses the following:
- Chapter 11: Using Intruder Alert Event Viewer
- Chapter 12: Generating and viewing reports

Chapter 11: Using Intruder Alert Event Viewer
This chapter includes the following topics:
- Launching Intruder Alert Event Viewer
- Using the Query Builder wizard
- Working in the Event Viewer
- Defining advanced queries

Launching Intruder Alert Event Viewer
Intruder Alert Event Viewer is a graphical user interface used to
70. the Agent must be shut down and restarted. A partial list of affected files follows:
- ita.ini
- commands.txt
- uxcrit_L .fio & .lst database file
- uxcrit_S .fio & .lst database file
- itaobj.dat

Configuring the maximum record count
In Windows, the maximum record count is preset to a default of 15000. In UNIX it is preset to 1000. This setting prevents the files from consuming disk space and memory. It may be necessary to adjust the setting to suit a particular system. The maximum record setting that triggers the pop-up notification "Maximum record count reached" in Intruder Alert View is configurable in the ita.ini file.

To change the setting parameters:
1. For Windows, open ita.ini in Notepad or a similar text editor and locate the following setting:
   [GUI]
   (Specifies the maximum records that each text view can have)
   VIEWRECORDS=15000
2. Adjust the view record setting to suit the system.
3. Shut down and restart the Agent.
4. For UNIX, open ita.ini in a text editor and locate the following setting:
   [GUI]
   VIEWRECORDS=1000

Understanding Intruder Alert network traffic
Intruder Alert packets are relatively small. Most policies are less than 1 KB in size, so from the Manager to the Agent there is not much traffic. However, there are some exceptions. If a particular policy is large, the packet will be bigger. The information
71. the provided values.
- -u: Unregister the local Agent from a Manager.
Use of the single exe command is detailed in the following sections. See "Registering an Agent on Windows" on page 79, "Unregistering an Agent from a Manager" on page 80, and "Determining Agent registration information" on page 82.

Using the itasetup command on UNIX
You can use the itasetup command on UNIX to do various tasks, including registering and unregistering local Agents to a Manager. The command also provides options to list all Managers to which a local Agent is registered, to stop Agent or Manager processes, and to print out the usage information for the command itself. The itasetup command resides in the folder /axent/ita/bin/<platform type>. The complete syntax for itasetup is:
   itasetup -h -d -a -m -l -r <manager> <user> <password> <port> -u <manager>
where the angle-bracketed (< >) arguments are replaced by your actual manager name or IP address, username, password, and port number, and where the options are as follows:
- -h: Print this usage message
- -d: Verbose output
- -a: Stop the Agent process
- -m: Stop the Manager process
- -l: List all the Managers to which the local Agent is registered
- -r: Register the local Agent to a Manager using the provided values
- -u: Unregister the local Agent from a Manager
Use of ita
72. through a list of allowed commands in the commands.txt file. That file is secured from access by anyone other than Intruder Alert Agents and a highly trusted security administrator. The commands.txt file is installed with each Intruder Alert Agent and appears in the following directory for each operating system:
- UNIX: /axent/ita/system/<hostname>
- Windows: <system disk>\Program Files\Symantec\ITA\system\<hostname>

Each line in the file lists a separate command. For each command you must use the full path and file name, including file extensions such as .exe, .bat, and .nlm. Do not include comments in front of the path name. Type only the absolute path name. On UNIX, if you create a script file to be executed by Intruder Alert, begin the file with #!/bin/sh on the first line of the script so that Intruder Alert will be able to execute the command. You may need to change the file permissions to make the script executable.

To add entries to the commands.txt file:
1. On each Agent host where the commands will be executed, open the commands.txt file in a text editor capable of standard ASCII output. The commands.txt file is located in the following directories:
- On Windows: <system disk>\Program Files\Symantec\ITA\system\<hostname>
- On UNIX: /axent/ita/system/<hostname>
2. Add a line to the end of the file and type the
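The allow-list rules stated above (one absolute path per line, full file name with extension, no comments, UNIX scripts starting with #!/bin/sh and marked executable) lend themselves to a pre-deployment check. The following Python checker is an added example, not Intruder Alert code and not the Agent's own parser; it treats the guide's rules as the specification, and the commands.txt contents, paths and permission bits it uses are constructed for illustration.

```python
"""Added example: a consistency check for an Intruder Alert commands.txt allow-list,
applying the rules the guide states (one absolute path per line, full file name with
extension, no comments; UNIX scripts start with #!/bin/sh and must be executable).
Not Intruder Alert code; the file contents and paths below are constructed."""
import re
import stat

_WIN_ABS = re.compile(r"^[A-Za-z]:\\")               # drive-letter absolute path, e.g. C:\...
_COMMENT_PREFIXES = ("#", ";", "//", "rem ", "REM ")  # anything that reads as a comment


def check_commands_txt(text, platform):
    """Return [(line_number, problem)] for every line that breaks the guide's rules.
    platform is 'windows' or 'unix'.  An empty list means the file is clean."""
    problems = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue                                   # a blank line lists no command
        if line.startswith(_COMMENT_PREFIXES):
            problems.append((lineno, "comments are not allowed in front of a path"))
            continue
        if platform == "windows":
            if not _WIN_ABS.match(line):
                problems.append((lineno, "not an absolute Windows path"))
            base = line.rsplit("\\", 1)[-1]
            if "." not in base:                        # .exe, .bat, .nlm, ... is required
                problems.append((lineno, "file name lacks an extension"))
        else:
            if not line.startswith("/"):
                problems.append((lineno, "not an absolute UNIX path"))
    return problems


def check_unix_script(first_line, mode):
    """Check a script the allow-list points at: the guide requires '#!/bin/sh' as its
    first line and execute permission.  mode is an st_mode value (e.g. from os.stat)."""
    problems = []
    if first_line.rstrip("\r\n") != "#!/bin/sh":
        problems.append("first line must be #!/bin/sh")
    if not mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH):
        problems.append("script is not executable")
    return problems


# Constructed sample allow-list for a Windows Agent (names are hypothetical).
SAMPLE_WINDOWS = "\n".join([
    r"C:\Program Files\Symantec\ITA\bin\respond.exe",   # acceptable
    r"C:\tools\block_ip.bat",                          # acceptable
    r"# C:\tools\old_respond.exe",                     # comment in front of the path
    r"tools\relative.bat",                             # relative path
    r"C:\tools\noext",                                 # no file extension
])

if __name__ == "__main__":
    for lineno, problem in check_commands_txt(SAMPLE_WINDOWS, "windows"):
        print(f"line {lineno}: {problem}")
    print(check_unix_script("#!/bin/bash\n", 0o644))
```

Run this against each Agent's copy of the file before activating a policy that uses the Execute Command action; every entry the checker accepts is a command the Agent can be made to run, so the list should be reviewed line by line, not just validated.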
73. to the axes on the bar chart, line graph and pie chart view types. Available values on the X Axis and the Z Axis are as follows:
  X Axis: Agent, Rule, Time, User, Value
  Z Axis: Agent, Policy, Rule, User, Value
Intruder Alert Event Viewer allows you to define the values for both the X Axis and Z Axis of the bar chart and line graph. There is no Y axis. When defining a pie chart, X Axis defines the category used for creating the pie.
Note: Axes are not used with the report or text views.
Intervals
Intervals refers to the number of divisions within a time period. The following graph illustrates the time intervals on a bar chart.
Figure 11.6 Time intervals (Graph View: Intervals)
Query Builder wizard screen two
Access the Query Builder wizard from the Intruder Alert Event Viewer menu bar or toolbar. See Working in the Event Viewer on page 185.
Figure 11.7 Query Builder wizard screen two (screenshot; callouts: Offset from Current Time, Time Span, Settings)
The following sections describe the fields in screen two of the Query Builder wizard.
Offset from Current Time
Real Time Stats
Intr
74. two settings for each file. Values are entered in kilobytes. Valid entries range between 64 and 8192. If no value is entered, the default is 256 kilobytes. Do not use zeros or the letter K at the end of the number.
The first setting enables the first command. The following table lists the activation settings for each collector.
Table D.1 Collector size enabling command
  Collector            Enabling command
  Process Accounting   ACCT_TRUNC
  syslog               SLOG_TRUNC
  wtmp                 WTMP_TRUNC
  btmp                 BTMP_TRUNC
The second setting defines the maximum size of the file. The following table defines this setting for each file.
Table D.2 Collector size commands
  Collector              Size command
  Process Accounting     ACCT_LOG_MAX_SIZE
  syslog (in ITA dir)    SLOG_LOG_MAX_SIZE
  wtmp                   WTMP_LOG_MAX_SIZE
  btmp                   BTMP_LOG_MAX_SIZE
  C2                     C2ATD_START, C2ATD_OPTIONS
The value 1 enables file truncation, while 0 or a non-existent entry disables file truncation. Because a missing entry counts as disabled, the key names must be spelled exactly as shown in Table D.1: a misspelled key such as WTPM_TRUNC is treated as a non-existent entry and silently leaves that collector's truncation off. In the following example, file truncation has been enabled for each collector.
Figure D.1 Modified ita.ini file (commands added to the end of the [Agent] section)
  [Agent]
  filewatch=/ita/system/system/crit_20s.lst crit_20s
  filewatch=/ita/system/system/crit_2h.lst crit_2h
  ERROR_LOG_MAX_SIZE=50000
  ACCT_LOG_MAX_SIZE=512
  ACCT_TRUNC=1
  SLOG_LOG_MAX_SIZE=1024
  SLOG_TRUNC=1
  WTMP_LOG_MAX_SIZE=512
  WTMP_TRUNC=1
  BTMP_LOG_MAX_SIZE=512
  BTMP_TRUNC=1
  [Mana
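Because a misspelled or malformed entry is ignored rather than rejected, it is worth checking an edited [Agent] section mechanically before restarting the Agent. The checker below is an added example, not Symantec code; it applies only the rules stated in this appendix (1 enables, 0 or absent disables, sizes are plain digits from 64 to 8192 KB with 256 as the default) and flags keys that are within two edits of a documented key, which catches the WTPM_TRUNC typo. It parses the section itself because ita.ini repeats keys such as filewatch, which a standard ini reader would merge. The sample section is constructed from Figure D.1 with three deliberate mistakes.

```python
"""Check Intruder Alert collector truncation settings (added example, not Symantec code)."""
import re

# Collector -> (enabling key from Table D.1, size key from Table D.2)
COLLECTORS = {
    "Process Accounting": ("ACCT_TRUNC", "ACCT_LOG_MAX_SIZE"),
    "syslog": ("SLOG_TRUNC", "SLOG_LOG_MAX_SIZE"),
    "wtmp": ("WTMP_TRUNC", "WTMP_LOG_MAX_SIZE"),
    "btmp": ("BTMP_TRUNC", "BTMP_LOG_MAX_SIZE"),
}
DEFAULT_MAX_KB = 256
SIZE_VALUE = re.compile(r"[1-9][0-9]*")   # digits only: no "K" suffix, no zero

# Constructed sample: Figure D.1 with a K suffix, a misspelled key and a zero size.
SAMPLE = """[Agent]
filewatch=/ita/system/system/crit_20s.lst crit_20s
filewatch=/ita/system/system/crit_2h.lst crit_2h
ERROR_LOG_MAX_SIZE=50000
ACCT_LOG_MAX_SIZE=512
ACCT_TRUNC=1
SLOG_LOG_MAX_SIZE=1024K
SLOG_TRUNC=1
WTMP_LOG_MAX_SIZE=512
WTPM_TRUNC=1
BTMP_LOG_MAX_SIZE=0
BTMP_TRUNC=1
[Manager]
"""


def agent_section(text):
    """(key, value) pairs of the [Agent] section, in file order, duplicates kept."""
    pairs, in_agent = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_agent = line[1:-1].strip().lower() == "agent"
        elif in_agent and "=" in line:
            key, value = line.split("=", 1)
            pairs.append((key.strip(), value.strip()))
    return pairs


def check_truncation(text):
    """collector -> (enabled, max_kb or None if the size is invalid, warnings)."""
    values = {}
    for key, value in agent_section(text):
        values[key] = value        # last assignment wins, as an ini reader would do
    report = {}
    for collector, (trunc_key, size_key) in COLLECTORS.items():
        warnings = []
        flag = values.get(trunc_key)
        if flag is None:
            warnings.append(f"{trunc_key} missing: truncation disabled")
        elif flag not in ("0", "1"):
            warnings.append(f"{trunc_key}={flag} is not 0 or 1")
        size = values.get(size_key)
        if size is None:
            max_kb = DEFAULT_MAX_KB
        elif not SIZE_VALUE.fullmatch(size):
            max_kb = None
            warnings.append(f"{size_key}={size}: digits only, no K suffix, not zero")
        else:
            max_kb = int(size)
            if not 64 <= max_kb <= 8192:
                warnings.append(f"{size_key}={max_kb} is outside 64..8192 KB")
        report[collector] = (flag == "1", max_kb, warnings)
    return report


def edit_distance(a, b):
    """Plain Levenshtein distance; small and deterministic, no difflib heuristics."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def misspelled_keys(text, max_distance=2):
    """(key, closest documented key) for keys that look like a collector setting but
    are not one. A misspelled *_TRUNC key counts as absent, so this check matters most."""
    known = sorted({k for pair in COLLECTORS.values() for k in pair})
    found = []
    for key, _ in agent_section(text):
        if key in known or not key.endswith(("_TRUNC", "_LOG_MAX_SIZE")):
            continue
        suffix = "_TRUNC" if key.endswith("_TRUNC") else "_LOG_MAX_SIZE"
        candidates = [k for k in known if k.endswith(suffix)]
        best = min(candidates, key=lambda k: edit_distance(key, k))
        if edit_distance(key, best) <= max_distance:
            found.append((key, best))
    return found


if __name__ == "__main__":
    for collector, (enabled, max_kb, warnings) in check_truncation(SAMPLE).items():
        print(f"{collector}: enabled={enabled} max_kb={max_kb} {warnings}")
    print("misspelled:", misspelled_keys(SAMPLE))
```

ERROR_LOG_MAX_SIZE from the figure is deliberately left alone: it shares the suffix but is four edits from any documented key, so only near-misses are reported.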
75. type> and then press Enter.
2. Type the following command and then press Enter:
  itasetup -u <manager>
where <manager> is replaced by your actual Manager name or IP address.

Performing Agent management t}asks
This section describes the following Agent management tasks:
  Determining Agent registration information
  Renaming an Agent on Windows
  Configuring the Agent for email notification
  Configuring the Agent for pager notification
  Configuring external audit log monitoring

Determining Agent registration information
On either a Windows or a UNIX command line you can list all the Managers to which an Agent is registered. The commands are:
  Windows: single.exe
  UNIX: itasetup
To list Agent registration information on Windows:
1. To open a command line window, click Start > Run and in the Run dialog box type cmd. In the Run dialog box click OK.
2. To change to the correct directory, type cd <system disk>:\Program Files\Symantec\ITA\bin, where <system disk> is replaced by the drive letter where your Program Files folder resides.
3. Type the following and then press Enter:
  single.exe -l
To list Agent registration information on UNIX:
1. At the system console, type the following command and then press Enter:
  cd /axent/ita/bin/<platform type>
2. Type the following command and then press Enter:
  itasetup -l

Renaming an Agen
76. values:
  R  Randomly access object ID labels.
  b  Perform best regex matching to find a MIB node.
The other options are described below.
  <hostname>   The name of the host the trap is being sent from. This can be in the form of a machine name or an IP address.
  <community>  The SNMP community name. A community is a relationship between an SNMP Agent and a set of Managers that defines authentication, access control and proxy characteristics. Each community has a unique name.
  Note: SNMPv1 carries the community name in cleartext in every packet, so it identifies the sender but does not authenticate it. Anyone who can observe a trap on the network learns the community name, and anyone who knows it can forge traps, so restrict which hosts may reach the SNMP Manager's trap port.
  trap parameters  The various parameters required to send the trap to the SNMP Manager. The parameters are described in the following table.
Table E.5 Trap parameters for snmpsendtrap
  enterprise oid     The enterprise object ID.
  agent              The name of the SNMP Agent sending the trap.
  trap type          The trap type number. This will always be set to 6 (the SNMPv1 enterpriseSpecific generic trap type).
  specific type      The specific type number. This will always be set to 11.
  uptime             A numeric value which indicates to the SNMP Manager how long the Agent has been up.
  variable bindings  Variables which can be described to be sent to the Manager. Those variable bindings are: intruderalertagentlabel, intruderalerteventtime, intruderalerttrapmessage, intruderalerttrapseverity, agenthostip, policy, policydescr, rule, ruledescr.
Receiving SNMP traps
You can use SNMP for Intruder Alert to receive SNMP
77. window. When you select this option you will be prompted to select a predefined report template. The report template defines what data to include in the report and how to format it. Intruder Alert Event Viewer comes with five predefined templates. In addition, if you have Crystal Reports, you can define your own custom templates and use them instead. See Generating and viewing reports on page 199.
Text view
The text view shows the types of events being gathered. It is useful for verifying what events make up the bar chart, line graph and pie chart views. The text view screen has a top half and a bottom half. The top half of the view displays the policy rules that have triggered. The bottom half of the view depicts the actual event message and any defined labels added via the Record to Intruder Alert Event Viewer action clause or parsed event message data.
Figure 11.5 Text view (screenshot; callouts: Text View, Event Message)
You can resize the Message Text window to see additional event information or more text as desired. This is good for viewing several open text views at one time.
For more information about adding a text message event, see Record to Event Viewer on page 106. For more information about parsing event data, see Configuring external audit log monitoring on page 85.
Axis properties
Variables are assigned
78. within a user-specified time period to any SNMP Manager, or write the events to a file. An example of an IA Query configuration file that will enable sending of SNMP traps is provided in the section See Sample IA Query configuration file on page 274.
Note: You must install and configure the IA Query Event Management Service to send SNMP traps of Intruder Alert events to an SNMP Manager. Refer to Installing the IA Query Event Management Service and Creating the Configuration File in the IA Query Event Management Service Implementation Guide for instructions. This document is in the doc directory on the ITA program CD.
The syntax for sending SNMP traps is as follows:
  snmpsendtrap.exe [options] <hostname> <community> <trap parameters>
Command line options
The command line options for snmpsendtrap.exe are described in the following tables.
Table E.1 Options for snmpsendtrap
  -h  Display startup options.
  -H  Display configuration directives.
  -V  Display version of SNMP supported.
Table E.2 General communication options for snmpsendtrap
  -p <P>      Use port P instead of the default port.
  -T <LAYER>  Use LAYER for the network layer (UDP or TCP).
  -t <T>      Set the request timeout to T.
  -r <R>      Set the number of retries to R.
Table E.3 Debugging options for snmpsendtrap
  -d             Dump input/output packets.
  -D all|<TOKEN
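To see what snmpsendtrap actually puts on the wire with the parameters from Table E.5 (generic trap type 6, specific type 11, the enterprise OID, the agent address, the uptime, and the named bindings sent as strings), the following added example builds a complete SNMPv1 Trap message with hand-written BER encoding and can send it over UDP port 162. It is not Symantec code and does not use the snmpsendtrap binary. Intruder Alert's real enterprise OID and the numeric OIDs of the bindings are not printed in this manual, so the values under 1.3.6.1.4.1.99999 are placeholders; the sample trap content is constructed. The encoding itself follows RFC 1157, and the layout makes the cleartext community name visible as the second field of the message.

```python
"""Build (and optionally send) an SNMPv1 Trap as snmpsendtrap would.
Added example with hand-rolled BER; not Symantec code. OIDs below are placeholders."""
import socket


def ber_length(n):
    """BER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, content):
    return bytes([tag]) + ber_length(len(content)) + content


def _int_content(value):
    """Minimal two's-complement encoding of an INTEGER value."""
    n = 1
    while not -(1 << (8 * n - 1)) <= value < (1 << (8 * n - 1)):
        n += 1
    return value.to_bytes(n, "big", signed=True)


def ber_integer(value):
    return _tlv(0x02, _int_content(value))


def ber_octet_string(data):
    return _tlv(0x04, data)


def ber_timeticks(ticks):
    return _tlv(0x43, _int_content(ticks))           # [APPLICATION 3] TimeTicks


def ber_ipaddress(dotted):
    return _tlv(0x40, socket.inet_aton(dotted))      # [APPLICATION 0] IpAddress


def ber_oid(dotted):
    """OBJECT IDENTIFIER: first two arcs packed into one octet, the rest base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    if len(arcs) < 2 or arcs[0] > 2 or arcs[1] > 39:
        raise ValueError(f"bad OID {dotted}")
    content = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        group = [arc & 0x7F]
        arc >>= 7
        while arc:
            group.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        content.extend(group)
    return _tlv(0x06, bytes(content))


def ber_sequence(items, tag=0x30):
    return _tlv(tag, b"".join(items))


def snmpv1_trap(community, enterprise_oid, agent_ip, uptime_ticks, varbinds,
                generic=6, specific=11):
    """Message ::= SEQUENCE { version INTEGER(0), community OCTET STRING, Trap-PDU [4] }.
    varbinds is a list of (oid, text) pairs; each value is sent as an OCTET STRING."""
    pdu = ber_sequence([
        ber_oid(enterprise_oid),
        ber_ipaddress(agent_ip),
        ber_integer(generic),      # 6 = enterpriseSpecific, as Table E.5 states
        ber_integer(specific),     # 11, as Table E.5 states
        ber_timeticks(uptime_ticks),
        ber_sequence([ber_sequence([ber_oid(oid), ber_octet_string(text.encode("utf-8"))])
                      for oid, text in varbinds]),
    ], tag=0xA4)                   # Trap-PDU is context tag [4], constructed
    return ber_sequence([ber_integer(0), ber_octet_string(community.encode("utf-8")), pdu])


def send_trap(packet, manager, port=162):
    """Fire-and-forget over UDP, the default transport in Table E.2."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.sendto(packet, (manager, port))


# Placeholder numbering: the manual names these bindings but does not print their OIDs.
ITA_ENTERPRISE = "1.3.6.1.4.1.99999"                 # hypothetical enterprise OID
ITA_BINDINGS = {name: f"{ITA_ENTERPRISE}.1.{i}" for i, name in enumerate([
    "intruderalertagentlabel", "intruderalerteventtime", "intruderalerttrapmessage",
    "intruderalerttrapseverity", "agenthostip", "policy", "policydescr", "rule", "ruledescr",
], 1)}


def example_trap():
    """A constructed trap for a failed-login event on agent01."""
    return snmpv1_trap("public", ITA_ENTERPRISE, "10.1.1.1", 123456, [
        (ITA_BINDINGS["intruderalertagentlabel"], "agent01"),
        (ITA_BINDINGS["intruderalerttrapmessage"], "Failed login for root from 10.0.0.5"),
        (ITA_BINDINGS["intruderalerttrapseverity"], "high"),
    ])


if __name__ == "__main__":
    print(example_trap().hex())
    # send_trap(example_trap(), "10.1.1.1")   # uncomment to deliver to a manager
```

Compare the hex dump with the -d (dump packets) output of snmpsendtrap to confirm the two agree field by field.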
79. Raise Flag action, event context capturing 165
  Record to Event Viewer throttle 267
  Registry monitoring 233
  Select/Ignore Flag, event context capturing 166
  Send Email throttle 268
  SNMP 273
  SNMP traps from NetProwler 283
connect button 29
connecting to a Manager 64
console interface
  windows 38
  Intruder Alert Administrator 19, 25
  UNIX system 78, 81, 82
copy button 30
corrupted event data 263
creating
  before creating a policy 133
  collector policy 144
  custom policy 236
  domains 75
  event context capturing policies 165
  file watch list 149
  folder in Policy Library 146
  policies 138
  policy, steps for 135
  user account 68
  view 185
criteria
  adding to rules 140
  Date 35, 100
  deleting from rules 140
  Flag 35, 98
  Flag, configuring for event context capturing 166
  Flag, flag counters in 162
  Ignore criteria list 34
  ITA Command 35, 97
  ITA Error 34, 96
  ITA Rule 103
  ITA Status 34, 95
  Registry Key 35, 105
  Rule 35
  Select and Ignore 94
  Select criteria list 34
  System 35, 104
  System Message 34, 95
  Timer 35, 100
  User 35, 103
  Windows Registry Key 105
Crystal Reports
  about 201
  creating Microsoft Database file for 206
  customizing 205
  Report View with 180
  templates 50, 199
  using Report Viewer to display 208
  Web site 50
custom log file collector 230
  creating a multiple line collector 231
  creating a single line collector 231
  deleting 232
customer support, see technical support
cut button 30
daemons, Ag
80. 36, 115
  Raise Flag 36, 108
  Record to Event Viewer 36, 106, 239
  Record to Event Viewer, effect on database 261
  Run Shared Action 37, 121
  Send Email 36, 111
  Send Page 36, 113
  Start Timer 37, 117
adding
  actions to rules 140
  criteria to rules 140
  entries to cols_nt.cfg 230
  entries to commands.txt file 132
  files to file watch list 154
  filewatch command to ita.ini 152
  filewatch to ita.ini file 153
  rules 139
Administrator
  accessing User Manager 67
  configuration frame in right pane 38
  connecting to a Manager 64
  deleting folder from tree 71
  deleting Manager from tree 65
  disconnecting from a Manager 65
  fields in console 38
  GUI console 25
  introduction and tour 25
  label field 38
  Managers branch in tree 39
  menu bar 26
  monitoring C2 audit pipe 226
  parsing event messages 227
  parsing example 228
  Policy Library branch in tree 41
  printing tree view information 71
  starting 63
  tasks in Intruder Alert 19
  toolbar 29
  tree view 38
  using help 72
Administrator console
  Action toolbar 33
  Domains branch 40
  edit menu 27
  file menu 27
  help menu 29
  Ignore toolbar 32
  Index list toolbar 31
  Manager menu 28
  Policies branch 40
  Registered Agents branch 40
  Select toolbar 31
  view menu 28
advanced queries
  building blocks of 192
  complex 196
  data in expressions 195
  defining in Event Viewer 192
  equality operators in expressions 194
  labels in expressions 193
Agent
  about 21, 52
  adding to a domain 76
  applying policies to 127
  ch
81. 4. Expand Registered Agents and then click the desired Agent.
5. In the Agent configuration fields in the right pane, under Audit Logs, click New.
6. In the Audit Log dialog box, in the Description text box, type a description of the log file.
7. In the File Name text box, type the path and filename of the log file to monitor.
8. Do one of the following:
  Click Single Line for single-line log files.
  Click Multiple Line and in the Delim String text box specify a record delimiter for multiple-line log files. Determine if the log file is a single or multiple line file and what the record delimiter is by opening the log using a text editor such as Notepad on Windows or vi on UNIX.
9. Optionally, click in the Strings to Parse text box and type the event string or strings to parse. Parsing allows you to gather specific information from an event message and use that information for reporting in the Intruder Alert Event Viewer. Use the guidelines in the table below for parsing events.
Table 5.2 Parsing guidelines
  To                                   Use
  Label parsed fields                  The name of the field in braces { } (not square brackets). Intruder Alert captures whatever information appears in braces and stores it for Intruder Alert Event Viewer reporting.
  Represent spaces                     Press the spacebar.
  Represent hard carriage returns      \n
  Represent single missing characters
  Represent mul
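The parsing guidelines describe a small template language: literal text, fields named in braces that capture whatever appears in their place, spaces typed as spaces, and \n for a hard carriage return. The following added example, not Symantec code, implements that language as a translation to a regular expression and runs it over a few constructed sshd log lines, which makes visible what a field actually captures (for example, that {user} against "Failed password for invalid user admin from ..." yields "invalid user admin", because the field takes everything between the literals around it). The single- and multi-character wildcard symbols are not legible in this copy of Table 5.2; the example assumes ? and * for them, and this assumption is marked in the code.

```python
"""Intruder Alert style 'Strings to Parse' templates as regular expressions.
Added example, not Symantec code; wildcard symbols are assumptions."""
import re

SINGLE_WILDCARD = "?"   # assumption: stands for exactly one character
MULTI_WILDCARD = "*"    # assumption: stands for any run of characters

# Constructed sample audit log lines (not from the manual).
LOG_LINES = [
    "Mar 3 10:14:02 db01 sshd[4711]: Failed password for invalid user admin from 10.0.0.5 port 51022 ssh2",
    "Mar 3 10:14:05 db01 sshd[4711]: Failed password for root from 10.0.0.5 port 51023 ssh2",
    "Mar 3 10:14:09 db01 sshd[4712]: Accepted publickey for deploy from 10.0.0.9 port 51030 ssh2",
]
TEMPLATE = "sshd[*]: {result} for {user} from {host} port {port} ssh2"


def tokenize(template):
    """Split a parse string into ('lit', char) / ('cap', name) / ('nl'|'one'|'many', None)."""
    tokens, i = [], 0
    while i < len(template):
        if template.startswith("\\n", i):            # hard carriage return
            tokens.append(("nl", None)); i += 2
        elif template[i] == "{":
            end = template.find("}", i)
            if end < 0:
                raise ValueError("unterminated { in parse string")
            tokens.append(("cap", template[i + 1:end].strip())); i = end + 1
        elif template[i] == SINGLE_WILDCARD:
            tokens.append(("one", None)); i += 1
        elif template[i] == MULTI_WILDCARD:
            tokens.append(("many", None)); i += 1
        else:
            tokens.append(("lit", template[i])); i += 1
    return tokens


def template_to_regex(template):
    """Compile a parse string. Captures are lazy so they stop at the next literal;
    a capture that ends the template takes the rest of the line."""
    parts, seen = [], set()
    tokens = tokenize(template)
    for idx, (kind, value) in enumerate(tokens):
        last = idx == len(tokens) - 1
        if kind == "lit":
            parts.append(re.escape(value))
        elif kind == "nl":
            parts.append(r"\r?\n")
        elif kind == "one":
            parts.append(".")
        elif kind == "many":
            parts.append(".*" if last else ".*?")
        else:
            if not re.fullmatch(r"[A-Za-z_]\w*", value) or value in seen:
                raise ValueError(f"bad or duplicate field label {value!r}")
            seen.add(value)
            parts.append(f"(?P<{value}>.+)" if last else f"(?P<{value}>.+?)")
    return re.compile("".join(parts))


def parse_events(template, lines):
    """One dict of captured fields per line, or None where the template does not match."""
    regex = template_to_regex(template)
    return [m.groupdict() if (m := regex.search(line)) else None for line in lines]


if __name__ == "__main__":
    for line, fields in zip(LOG_LINES, parse_events(TEMPLATE, LOG_LINES)):
        print(fields)
```

Use it to dry-run a parse string before typing it into the Strings to Parse box: a None in the output means the literal text around the fields does not occur in that event, and an over-wide capture means a field needs a tighter literal on either side.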
82. 81
  Determining Agent registration information 82
  Renaming an Agent on Windows 82
  Configuring the Agent for email notification 83
  Configuring the Agent for pager notification 84
  Configuring external audit log monitoring 85
Securing systems
Policies, rules and criteria
  Policies and …
  Policy …
  Rule definition
  Select and Ignore criteria
  System Message criteria
  ITA Status criteria
  ITA Error criteria
  ITA Command criteria
  Flag criteria
  Timer criteria
  Date criteria
  ITA Rule criteria
  User criteria
  System criteria
  Windows Registry Key criteria
  Actions
  Record to Event Viewer
  Raise Flag
  Lower Flag
  Send Email
  Send Page
  Append to File
Chapter 7, Chapter 8, Chapter 9, Chapter 10
  Not…
  Start Timer
  Execute Command
  Run Shared
83. Destination ports for Intruder Alert
Ports used by Intruder Alert
In addition, an Agent can change its destination port during re-registration with a Manager when using one of the following utilities:
  UNIX: itasetup
  Windows: ITA Mgr/Agt Setup
The following table lists the default TCP destination ports that are used by each component of Intruder Alert.
Table F.1 Intruder Alert destination ports
  Component                        Destination port
  Intruder Alert Manager           5051
  Intruder Alert Agent             5052
  Intruder Alert Administrator     3833
  Intruder Alert Event Viewer      3834
  Intruder Alert Tuneup            3835
  IA Query                         3836
  Intruder Alert re-registration   2840 (see Note below)
Note: Intruder Alert versions 3.6.1.600 and earlier use destination port 3840 for itasetup and ITA Mgr/Agt Setup. More recent versions of Intruder Alert use port 2840.
The following diagram shows the various Intruder Alert components and the ports used for passing traffic between them.
Figure F.1 Intruder Alert ports and traffic flow (Intruder Alert communications)
  ITA Agent talking to the ITA Manager: source port TCP 1024-65535, destination port TCP 5051
  ITA Manager talking to the ITA Agent: source port TCP 1024-65535, destination port TCP 5052
  ITA Manager talking to IA Query: source port TCP 1024-65535
  IA Query talking to the ITA Manager: source port TCP 1024-65535
  Destination
84. … Action action
  Cancel Timer
  Kill Process
  Disconnect Session
  Disable User
Administering policies
  Applying policies to a domain
  Removing policies from a domain
  Moving policies to the Policy Library
  Deleting policies from a Manager
  Exporting policies
  Importing a policy
  Securing the Execute Command action
Creating and modifying policies
  The policy development process
  Suggestions for policy development
  Suggestions for managing policies
  Policy development tasks
    Creating a policy
    Adding and deleting a rule
    Adding and deleting rule criteria
    Saving policy changes
    Modify the ITA Shared Actions Policy 141
  Creating and configuring a collector policy 144
  Creating a new folder in the Policy Library 146
File and directory security
  Intruder Alert file monitoring
85. Attribute Database, do not specify a file extension. The process gives the File Attribute Database file a .fio file extension by default.
To add the filewatch command:
1. Open the ita.ini file in a text editor.
2. Locate the [Agent] section and add the filewatch command.
3. Save changes to the ita.ini file.
The filewatch command is now added to the ita.ini file. You must stop and restart the Manager and Agent to initiate the monitoring process for the selected files. See Starting and stopping Managers/Agents on page 66. In addition, you must create a policy that detects and responds to the file watch message. See Creating a policy on page 138.
Modifying a file watch list
You can modify an existing file watch list by adding or deleting files to check, changing the type of checks Intruder Alert performs, or changing the frequency with which Intruder Alert checks the files.
Note: Do not modify the ntcrit_S.lst or uxcrit_S.lst lists.
To modify a file watch list:
1. Stop the Intruder Alert Manager and Agent.
2. Open the file watch list in a text editor.
3. Make the desired changes to the list. See Table 9.2 File watch list commands and options on page 149.
4. Save the file.
5. Restart the Intruder Alert Manager and Agent.
Event context capturing
This chapter includes the following topics:
  Understanding and using event contexts
  Cr
86. -O <OUTOPTS>  Toggle various defaults controlling output display. OUTOPTS values:
  n  Print object IDs numerically.
  e  Print enumerations numerically (labels associated with enumerations are not printed).
  b  Don't break down object ID indexes.
  q  Quick print for easier parsing.
  f  Print full object IDs on output.
  s  Print only the last symbolic element of an object ID.
  S  Print MIB module ID plus the last element.
Additional utilities
There are several utilities that allow you to manage Intruder Alert's SNMP communication. These utilities are:
  snmpset: an SNMP application that uses the SET request to set information on a network entity.
  snmpget: an SNMP application that uses the GET request to query for information on a network entity.
  snmpgetnext: an SNMP application that uses the GET NEXT request to query for information on a network entity.
Note: To see the available command line parameters for these utilities, run the respective utility with the -h startup option. To see the available configuration file directives, run the respective utility with the -H startup option (the same meaning the two options have in Table E.1).
Sample configurations
This section describes two specific ways SNMP for Intruder Alert can be used:
  Using SNMP for Intruder Alert to receive SNMP traps from Symantec NetProwler
  Using SNMP for Intruder Alert to send SNMP traps to an SNMP-capable entity
Receiving SNMP t
87. CTION=1
  # Dot format
  MOD_DOT=1
  # Callback engine
  MOD_CALLBACK=1
  # Memory manager
  MOD_MEM=1
  # Policy updates
  MOD_POLICY=1
  ##########################################################
  # GUI
  ##########################################################
  # Specifies if TCP/IP or IPX/SPX or both will be used.
  # 1 specifies TCP/IP only, 2 specifies IPX/SPX only. Any other value specifies both.
  PROTOCOL=0
  # Communications timeout in seconds. This setting will only affect the Mgr/Agt Setup
  # program and the Administrator. The default is 60 seconds.
  ITA_TIMEOUT=30
  # Specifies the port to listen on. This setting will affect the Administrator program.
  # The default is 3833.
  ADMIN_SERVER_PORT=3833
  # The maximum number of records to show in the event viewer. Default is 15000.
  VIEWRECORDS=15000
  ##########################################################
  # ADMIN
  ##########################################################
  # Specifies the port to listen on. This setting will only affect the Mgr/Agt Setup
  # program. The default is 2840.
  SERVER_PORT=2840
  ##########################################################
88. Choose the Or radio button when one of the selected rules alone is sufficient to satisfy this criteria.
User criteria
The User criteria selects or ignores events generated by specified users and must be used in conjunction with other selection criteria. To configure the User criteria, add the desired user names to the Users to Monitor box as illustrated below.
Figure 6.13 Select User criteria (screenshot; callouts: Case Sensitive check box, select to specify case-sensitive text matching; Users to Monitor list with New Entry, Edit List, Remove and Clear List buttons; type the user names and click to add them to the selection criteria)
The User criteria supports case-sensitive text matching and wildcard operators. Select the check box if you want the event text search to be case sensitive. Use the multiple-character wildcard in place of multiple characters or names and the single-character wildcard in place of single characters.
Note: The availability of the user name depends on the event. If the event contains the user name, you can select and ignore based on user name. If the event does not contain the user name, this criteria should not be used. Windows does not always provide user name information. Be aware that parsing information with the audit log will not produce user names even if it is parsed with that field.
System criteria
The System criteria selects or ignores specific Agent systems. System uses the Agent
89. (Execute Command action screenshot; callouts: click to add the entry to the list; Remove; Clear List)
Note: The configured commands may not execute in the desired order. Therefore, when the order of execution is important, you should consider placing the commands in multiple rules that use flags and timers to execute the commands in the desired sequence. Also make sure the policy is activated on the operating system that supports the specified commands. For example, it will do no good to activate an Execute Command action containing UNIX commands on a Windows system.
Temporary event file cleanup
In an Execute Command action, if the user has the event file variable in the command to execute, a temporary file in the OS-specific temp directory is created to hold the event information. A new temporary file is created for each event. The event file contains a copy of the event text. The file name is then passed to the script or executable program, which uses it to read the event. The Agent has no way of knowing when the script or executable has finished with the file, so the Agent does not own the task of cleaning up. Intruder Alert was designed so that the script or executable becomes responsible for post-process cleanup once it has finished with the file.
Securing the Execute Command action
The Execute Command action has an enhanced security feature. It allows you to control which commands may be executed by Intruder Alert Agents. The Execute Command action i
90. Command action can execute any command, program or shell script. Scripts must not require user interaction. Specify the full path name to the command or script file, for example /usr/bin/myscript.
On Windows, the Execute Command action can execute the following types of executable files:
  .cmd
  .bat
  .exe
  .com
They must not require user interaction. Use the full path name to the executable file, for example c:\scripts\ita\security.bat.
The following table lists and defines the available variables.
Table 6.4 Execute Command variables
  user         The user name from the triggering event. If the user name is included in the event, this information can be used.
  event file   The name of a temporary file in the TEMP directory that contains the text of the triggering event. Using the event file variable you can pass the entire event message into another process. In that process the data can be parsed and used in a wide range of applications. The temp file itself must be manually deleted.
  process ID   The process identification number (PID) of the process that generated the event.
  session ID   The session identification number (SID) of the session that generated the event.
  agent label  The name of the Agent as it is known by Intruder Alert. This may or may not be the system name.
  host name    The name of the system or host on which the event occurred.
  system softid
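The table above and the "Temporary event file cleanup" note together define the contract for a command launched with the event file variable: the Agent writes the event text to a fresh temporary file, hands the name to the command, and leaves deletion to the command. The handler below is an added example of a command written to that contract; it is not Symantec code. It reads the event, appends a one-line summary to its own log, and removes the temporary file in a finally block so that a failure halfway through still cleans up. Two defensive choices that the manual does not prescribe are marked as assumptions: it refuses to delete anything that is not directly inside the temp directory, since the path arrives as an argument, and it reads at most 64 KB. On UNIX the commands.txt entry would be a #!/bin/sh wrapper that calls this script with the event file, user and agent label variables; the argument order and log path are assumptions.

```python
"""Execute Command handler that consumes and deletes the Agent's event file.
Added example, not Symantec code."""
import os
import sys
import tempfile

MAX_EVENT_BYTES = 64 * 1024   # assumption: cap how much of the event file is read


def process_event(event_path, user, agent_label, log_path, temp_dir=None):
    """Read the event text, append a one-line summary to log_path and delete the
    temporary file. Returns the summary, or None if the file was not there.
    Deletion happens in finally so an error in the middle does not leave the file
    behind; only paths directly inside the temp directory are ever removed."""
    temp_dir = os.path.realpath(temp_dir or tempfile.gettempdir())
    real = os.path.realpath(event_path)
    if os.path.dirname(real) != temp_dir:           # assumption: Agent writes there
        raise ValueError(f"refusing to touch {event_path}: not inside {temp_dir}")
    try:
        try:
            with open(real, "rb") as fh:
                body = fh.read(MAX_EVENT_BYTES)
        except FileNotFoundError:
            return None
        text = body.decode("utf-8", errors="replace")
        first_line = text.splitlines()[0].strip() if text.strip() else "(empty event)"
        summary = f"agent={agent_label} user={user} bytes={len(body)} event={first_line}"
        with open(log_path, "a", encoding="utf-8") as log:
            log.write(summary + "\n")
        return summary
    finally:
        try:
            os.remove(real)                         # the cleanup the Agent leaves to us
        except FileNotFoundError:
            pass


if __name__ == "__main__":
    # Assumed invocation from the allow-listed #!/bin/sh wrapper:
    #   /usr/local/ita/handle_event.py "$1" "$2" "$3"   (event file, user, agent label)
    event_file, user, agent_label = sys.argv[1:4]
    print(process_event(event_file, user, agent_label, "/var/log/ita_handler.log"))
```

Because the Agent creates one file per event, a handler that skips the delete on its error path fills the temp directory under a flood of events; the finally block is what makes that path safe.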
91. ##########################################################
  # Manager Diagnostics
  ##########################################################
  # Specifies if the log file is to be kept open while the Manager is running (0 = False, 1 = True).
  LogFileKeepOpen=1
  # Enables or disables diagnostic reporting.
  Enable=0
  # Specifies how large the manager log file will get, in KB.
  MaxLogSize=50
  # Specifies how many old log files the manager will keep.
  MaxLogFiles=2
  # Includes the time with each diagnostic message logged (0 = OFF, 1 = ON).
  LogTimeStamp=1
  # Includes the date with each diagnostic message logged (0 = OFF, 1 = ON).
  LogDateStamp=1
  # Includes the name of the diagnostic group with each diagnostic message logged (0 = OFF, 1 = ON).
  LogGroupName=0
  # Includes the name of the diagnostic level with each diagnostic message logged (0 = OFF, 1 = ON).
  LogLevel=0
  # Will log diagnostic messages to standard out if not run as a daemon (0 = OFF, 1 = ON).
  LogStdout=0
  # Diagnostic group names and levels. The number specifies the lowest level for which
  # you want to see diagnostic information. Thus setting it to level 3 will also include
  # levels 1 and 2.
  # Main program loop
  MOD_MAIN=1
  # Communications
  MOD_COMM=1
  # Authentication
  MOD_AUTH=1
  # Encryption
  MOD_ENCRYPT=1
  # Event Database Manager
  M
92. IX they reside in the directory /axent/ita/system/<hostname>. You can use these files as a reference when creating your own file watch lists. The following table describes these files.
Table 9.3 Installed watch list files
  File           Operating system   Check interval   Description
  ntcrit_S.lst   Windows            60 seconds       Contains mission critical files
  uxcrit_S.lst   UNIX               30 seconds       Contains mission critical files
  ntcrit_L.lst   Windows            8 hours          Contains a list of important files to monitor
  uxcrit_L.lst   UNIX               8 hours          Contains a list of important files to monitor
Note: The ntcrit_S.lst and uxcrit_S.lst files have been optimized. Do not add files to these lists. You may add files to the ntcrit_L.lst and uxcrit_L.lst files.
Configuring Intruder Alert file monitoring
To create a file watch list:
1. Create a new document in a UNIX or Windows text editor.
2. Enter any text comments. Precede text comments with a percent symbol (%).
3. Enter the TIME command and specify a value in seconds.
4. Optionally, if wildcards are going to be used when specifying the list of files, enter the RESCAN command.
5. Specify the desired check summing or access function commands. The monitoring process must access the file in order to calculate checksums. Therefore, do not enable both checksum and access functions at the same time.
6. List the files to be checked. List one file or directory per line.
7. Optionally, disable check summing.
8. Optionally, enable access time monitoring.
9. Optionally, list the files to be checked.
10. Optionally, disable ac
93. 1. In the Intruder Alert tree, in the Policies branch, expand the policy and then expand Rules.
2. Expand the desired rule to display the Select, Ignore and Actions branches.
3. Do one of the following:
  Right-click Select and then click New and the desired Select criteria in the drop-down list.
  Right-click Ignore and then click New and the desired Ignore criteria in the drop-down list.
  Right-click Actions and then click New and the desired Action in the drop-down list.
4. In the right pane, configure the criteria or action as needed.
5. Repeat the above steps until all desired criteria and actions are added.
6. To save changes to the policy, right-click the specific policy and then click Save in the drop-down list.
To delete criteria or actions from a rule:
1. Expand the tree to view the specific criteria or action.
2. Right-click the criteria or action and then click Delete in the drop-down list.
3. In the dialog box, click Yes to confirm the deletion.
Saving policy changes
After creating or modifying a policy from the Policies branch on the Manager, you must save the changes; otherwise the changes will be lost. If the policy is already activated on a domain, saving the changes activates those changes on the policies that reside on the Agent. You know that changes need to be saved when a pencil appears on the policy's icon. If the policy has not been saved before you
94. In the drop-down list, click the name or IP address of the Manager.
3. In the Agent text box, do one of the following:
  Type the name or IP address of the Agent.
  In the drop-down list, click the name or IP address of the Agent.
4. In the Command text box, type the command. If the Case Sensitive check box is selected in the policy, the command is case sensitive, so use the exact case when specifying a command.
5. Click Send Command.
6. Optionally, to send a command to another Agent on a different Manager, click New Manager.
7. In the Connect to Manager dialog box, enter the connection criteria for the new Manager and then click OK. Then complete steps 3 to 5 above.
Defining advanced queries
In the Event Viewer you can define advanced queries on screen three of the Query Builder wizard. This screen contains a button labeled Advanced. Clicking the Advanced button displays the Query text box to the right of the button. In the Query text box you can define a query string to specify data of interest. For example, you can direct Intruder Alert View to display a specific type of event for a specific person. This section describes the query language and syntax used to define query strings. Section topics include:
  Building blocks of a query
  Building complex queries
Building blocks of a query
There are three basic building blocks of a query: label, equality operator and d
95. (Report view screenshot: Security Events Severity Breakdown; status bar: For Help, press F1; buttons: Report, Refresh)
How do I create and use my own Crystal Reports templates?
Intruder Alert's report generation feature allows you to control how security information appears in a report. This is done using customized report templates created in Crystal Reports. Crystal Reports is a popular third-party report design and report generation tool. If your organization has specific reporting requirements, you will need to create your own template in Crystal Reports and use that template in Intruder Alert.
To create a template in Crystal Reports you will need:
  A database file in Microsoft Database (.mdb) format containing 100 to 200 events captured by Intruder Alert.
  The database map or table definition. The table definition describes the type, location and size of the various fields in the database.
  A fully licensed version of Microsoft Access.
Note: For help with creating a Crystal Reports template, consult Crystal Reports documentation and help.
To create a Microsoft Database (.mdb) file:
1. Export a generated report from the Report Viewer in comma-delimited format. For instructions on how to export Intruder Alert data from the Report Viewer, see Export and save the report contents on page 210.
2. Import that data file into Microso
96. Manager
  Registering the Agent with additional Managers
  Configuring Agent service properties
Starting ITA Manager/Agent Setup
To start Intruder Alert Setup:
From the Windows Start menu, click Programs > Symantec > Intruder Alert > ITA Mgr/Agt Setup. If the Intruder Alert programs were placed in another program group, access ITA Mgr/Agt Setup from that group. The Manager/Agent Setup dialog box appears.
Stopping or starting the Agent
To stop or start the Agent:
1. Start ITA Mgr/Agt Setup. See Starting ITA Manager/Agent Setup on page 59.
2. In the Manager/Agent Setup dialog box, if the Agent is running and you want to stop it, click Stop Local Agent. If the Agent is stopped and you want to start it, click Start Local Agent.
Stopping or starting the Manager
To stop or start the Manager:
1. Start ITA Mgr/Agt Setup. See Starting ITA Manager/Agent Setup on page 59.
2. In the Manager/Agent Setup dialog box, if the Manager is running and you want to stop it, click Stop Local Manager. If the Manager is stopped and you want to start it, click Start Local Manager.
Registering the Agent with additional Managers
To register the Agent with additional Managers:
1. Start ITA Mgr/Agt Setup. See Starting ITA Manager/Agent Setup on page 59.
2. Click Register to new Manager.
3. In the R
97. NMP traps.

Installing SNMP for Intruder Alert

SNMP for Intruder Alert is installed by running the setup.exe file in the microsft\winnt\intel\snmp directory on the ITA program CD.

To install SNMP for Intruder Alert on Windows:
1. In the microsft\winnt\intel\snmp directory on the ITA program CD, double-click the setup.exe file.
2. Follow the instructions to complete the installation. The process installs a number of files. See "SNMP for Intruder Alert installed files" on page 284.

To uninstall SNMP for Intruder Alert, remove SNMP for Intruder Alert through the Add/Remove Programs option in the Windows Control Panel.

Installing the IA Query Event Management Service

The IA Query Event Management Service, which is also referred to as IA Query, is a Windows service that filters, forwards and stores security events detected by Intruder Alert. IA Query can forward Intruder Alert events that occur during a user-specified time period, or it can forward events continuously as they occur, in real time. You can configure IA Query to store security event information in a file to be used by third-party report applications. You can also use IA Query from the command prompt to generate a static report. Refer to the "Installing the IA Query Event Management Service" topic in the IA Query Event Management Service Implementation Guide for instructions. This document is
98. OD_DB 1
Manager event cache: MOD_CACHE 1
Configuration Database: MOD_ISAM 1
Collectors: MOD_COLLECT 1
Event processing: MOD_EVENT 1
Event actions: MOD_ACTION 1
Dot format: MOD_DOT 1
Callback engine: MOD_CALLBACK 1
Memory manager: MOD_MEM 1
Policy updates: MOD_POLICY 1

[GUI section]
Communications timeout in seconds. This setting will only affect the Mgr/Agt Setup program and the Administrator. The default is 60 seconds.
ITA_TIMEOUT 30

[ADMIN section]
Specifies the port to listen on. This setting will only affect the Mgr/Agt Setup program. The default is 2840.
SERVER_PORT 2840

[UPC section]
ITA IP Bind setting I
99. Path Changed. Press Tab.
In the Description text box, type: This rule will inform you if anyone attempts to change or changes the PATH settings.
In the Rule Value field, type 50.
In the left pane, click the plus sign to the left of your new rule to expand the view.
Right-click Select and then click New > System Message in the drop-down list.
In the New Entry text box, type HKEY_LOCAL_MACHINE\SYSTEM\ControlSet\Control\Session Manager\Environment\Path.
Right-click Actions and then click New > Record to Event Viewer in the drop-down list. You could select any of the fourteen valid choices for the action your rule will perform. Each choice has different properties. See "Actions" on page 106.
Click Add to List.
You have selected the Registry keys you are going to monitor. This policy will notify you whenever a user changes the system PATH variable or attempts to change it.

Appendix: ita.ini file documentation

This appendix contains the current default settings for files specified in the program .ini files.

Windows

[Agent section]
Filewatch configuration files. These contain the list of files that filewatch is monitoring.
filewatch ita system system ntcrit_L.lst ntcrit_L fil
100. Port TCP 3836; Destination Port TCP 5051.
ITA Admin talking to the ITA Manager: Source Port TCP 1024-65535; Destination Port TCP 5051.
ITA Manager talking to the ITA Admin Station: Source Port TCP 1024-65535; Destination Port TCP 3833.
ITA Manager talking to the ITA ViewStation: Source Port TCP 1024-65535; Destination Port TCP 3834.
ITA View talking to the ITA Manager: Source Port TCP 1024-65535; Destination Port TCP 5051.
ITA Tuneup talking to the ITA Manager: Source Port TCP 1024-65535; Destination Port TCP 5051.
ITA Manager talking to the ITA Tuneup: Source Port TCP 1024-65535; Destination Port TCP 3835.
(ITA Admin, ITA View, ITA Tuneup Pack.)

Index

Numerics
4 Failed Logins policy: creating 168; testing 170; viewing events captured 170.

A
about: actions 106; Administrator 19; byte rotary (BROT) 150; default domains 20; Event Viewer 19; extent (.ext) files 20; Intruder Alert Agent 21; Intruder Alert architecture 18; Intruder Alert Manager 20; rex (.rex) files 20; rules 23.
accounts: removing 70; user 67.
Action toolbar 33.
actions: about 106; adding to rules 140; Append to File 36, 114; Cancel Timer 37, 122; deleting from rules 140; Disable User 37, 124; Disconnect Session 37, 124; Execute Command 37, 118, 131; ITA Shared Actions policy, modifying 141; Kill Process 37, 123; list of 36; Lower Flag 36, 110; Notify
101. [Figure: Event Viewer; Web Server Agent; Firewall Agent]

The Intruder Alert Administrator

Intruder Alert Administrator provides a Windows graphical user interface (GUI) that serves as Intruder Alert's administrative console. Using Intruder Alert Administrator you will:
- Connect to and disconnect from Managers
- Organize and configure Agents
- Create and manage domains
- Create and administer policies
- Manage Intruder Alert users and user privileges

Intruder Alert Administrator contains the master list of Drop & Detect and Configure to Detect policies. Drop & Detect Install policies are applied during installation with no configuration required. Drop & Detect Miscellaneous and Configure to Detect policies require either system or policy configuration. All Intruder Alert out-of-box policies reside in the Policy Library.

Intruder Alert Administrator supports an unlimited number of Managers. Depending on your network architecture and the geographic diversity of your organization, you may need to install only one or two Intruder Alert Administrators. See "Introducing Intruder Alert" on page 15.

The Intruder Alert Event Viewer

Intruder Alert Event Viewer is a separate Windows GUI for viewing event data captured by Agents. When directed via the Record to Event Viewer action, Agents record events in an event database located
102. TA_BIND_ADDRESS 192.168.0.49

Appendix: Optimization and problem solving techniques

This appendix includes the following topics:
- Optimizing system performance
- Known issues and resolutions

Optimizing system performance

This section describes how to configure and optimize certain aspects of Intruder Alert's performance. The included topics are:
- Understand and manage the event database
- Delete old data
- Manage the size of Intruder Alert error logs
- Debug logging
- Configure the Record to Event Viewer action throttle
- Configure the email (SMTP) action throttle

Understand and manage the event database

The Record to Event Viewer action directs the Agent to record event (attack) data in an event database located on the Manager's system. The Intruder Alert Event Viewer queries the database to generate online and printed reports. Over time, event data accumulates on the Manager's system, consuming valuable disk space. This section describes how to control the amount of disk space being used.

The event database is comprised of two types of files: Rex (.rex) and Extent (.ext) files. These files reside in the following directory for each system type:
- Windows: <system disk>\Program Files\Symantec\ITA\system\<hostname>
- UNIX: axent/ita/system/<hostname>

The most recent event data is
103. This guide contains the following appendices:
- Appendix A, Contacting customer support. This appendix describes where users can turn for help when using Intruder Alert.
- Appendix B, Operating system collectors. This appendix discusses how Intruder Alert collects events on UNIX and Windows operating systems.
- Appendix C, ita.ini file documentation. This appendix discusses the ita.ini file.
- Appendix D, Optimization and problem solving techniques. This appendix describes how to optimize various aspects of your system's performance, such as managing Intruder Alert's bandwidth and disk space usage.
- Appendix E, SNMP for Intruder Alert. This appendix describes how to install and use SNMP services. The SNMP services allow Intruder Alert to send and receive SNMP traps.
- Appendix F, Destination ports for Intruder Alert. This appendix describes the destination ports used by each component of Intruder Alert.

Understanding Intruder Alert's architecture

The architectural components of Intruder Alert include:
- Administrator
- Event Viewer
- Manager
- Agent

The following graphic illustrates Intruder Alert's architecture.

Figure 1-1 Intruder Alert Architecture [figure: UNIX Agent; Windows Agent; Intruder Alert Manager and Agent; Netware Agent; Administrator and/or S]
104. Windows collectors

Intruder Alert uses the following event collectors to monitor Windows activities:
- Event log collector
- File watch collector
- Custom log file collector
- Windows Registry collector

Event log collector

Intruder Alert captures events through the system audit logs and the Windows Registry. Intruder Alert can filter any audit, security or other type of log on a real-time basis. Intruder Alert can monitor as many logs as necessary. However, care should be taken to target policies and their rules to capture only important events. Otherwise, performance will suffer and numerous nonvital events will be captured by Intruder Alert.

Numerous options are available to the Windows system administrator to monitor events of interest for the server. Intruder Alert provides stock policies for typical Windows audit functions. The Intruder Alert security administrator may add further auditing with Custom Log collectors.

In Intruder Alert versions 3.6 and above, there are three new Windows Server event collection capabilities for advanced intrusion detection system administrators looking for further policy customization capabilities. The three event collectors (Directory Service, DNS Server and File Replication) enable the collection, via custom policy creation, of events that occur in the directory service, the DNS server, and from server to server, respectively.

Windows has t
105. a Manager on Windows 60; a UNIX Manager or Agent 56, 66; a Windows Manager or Agent 66; an Agent on Windows 60.
storing policies in Policy Library 130.
summary selections 200.
support: See technical support.
Symantec: button for Web site 30; policy updates on Web 133; technical support Web site 217.
syntax: cols_nt.cfg file 230; commands.txt file 132; email address 112; filewatch 153; itasetup 73; query, complex 196; query, simple expression in 192; Select statement 159; single.exe 72; snmpsendtrap 276.
syslog 21, 116: as an event source 222; file location 222; managing the size of 265.
System criteria 104: introduction to 35.
System Message collector 144.
System Message criteria 95: introduction to 34.

T
technical support 217: contacting 220; information needed for 217; problem information 219; Web site 217.
templates, customizing Crystal Reports 205.
testing policies 136.
text view 180: in Event Viewer 51; sorting 187.
threat levels 23.
throttles: configuring Record to Event Viewer action throttle 267; email, configuring 268; for bandwidth optimization 267.
time offset in Event Viewer 183.
time span in Event Viewer 183.
time zones 102, 148.
timer: cancel 122; Cancel Timer action 37; start 117; Start Timer action 37.
Timer criteria 100: introduction to 35.
toolbars: Action 33; Administrator 29; Event Viewer 45; Ignore criteria 32; list 31; Select 31.
tree: deleting folder from 71; Domains branch in 40; in Administrator console
106. a export. The product provides a feature that allows the user to define an export filter in Event Viewer and export the matching data to an MS Access database. The export filter allows a user to select data for export based on event date and other data attributes. When data is exported into the default MS Access database, it is protected with the appropriate MS Access security features.

Commercial report writer. Users are able to modify the default report templates and design their own reports, provided they have purchased the tools separately. They are also able to run and view these reports from within the product environment. A set of pre-defined, easily modifiable reports has been included. Report media includes printable electronic HTML, RTF and ASCII formats.

Content. Since the reports are one of the most visible elements of the product, pre-defined reports have undergone testing to verify the accuracy, relevancy, presentation and usability of the product.

Graphs and trends. Charts provide a graphical trend analysis that displays relative history over a definable period of time against a definable set of threats. Graphs are used for real-time reporting in control centers and allow customization of graph properties like title, color, sticky notes, etc.

Selectable summary/detail. All reports and trend analysis are designed to report events in terms of the following selectabl
107. abase on the Manager system for Intruder Alert Event Viewer reporting. This is the default action for all Drop & Detect policies.

Table 2-6 Actions (continued)
- Raise Flag: Raises a flag for a specified period of time. The flag can be selected by another rule.
- Lower Flag: Cancels a raised flag.
- Send Email: Emails the event message to a specified recipient.
- Send Page: Notifies an administrator via pager that an event occurred.
- Append to File: Notifies an administrator via pager that an event occurred.
- Notify: Sends the event message and, if desired, a user-defined message to a user or host.
- Start Timer: Initiates a timer to count down to a specified date or for a specified amount of time.
- Execute Command: Executes a system command, batch file, executable file or shell script, depending on the type of operating system.
- Run Shared Action: Executes an action defined in another policy rule residing on the Agent system.
- Cancel Timer: Terminates a timer.
- Kill Process: Stops the process referenced in the event.
- Disconnect Session: Disconnects the user's session.
- Disable User: Disables a user's account, except for an account having root, administrator or supervisor privileges.

Intruder Alert tree

Intruder Al
108. acters. The following are examples of ITA Error criteria:
- stat'ing the multiline extra file: No such file or directory
- Socket Read Error
- Errors reported by ITA Manager on production Failure
- Remote client has disconnected

To configure ITA Error criteria, add the desired text in the Intruder Alert Errors to Monitor box, as illustrated below.

Figure 6-5 ITA Error criteria [figure: SELECT Intruder Alert Errors dialog, with the Intruder Alert Errors to Monitor list, a Case Sensitive check box (select to specify case-sensitive text matching), a New Entry box (type error message text), an Add button (click to add the entry to the selection criteria), and Edit List, Remove and Clear List buttons]

ITA Command criteria

The ITA Command criteria uses commands sent from Intruder Alert Event Viewer using the Send Intruder Alert Command function. An Intruder Alert command is a user-defined word or phrase. This criteria is used to test and debug policies. However, it may be used to perform a certain action, such as lowering a raised flag or cancelling a timer.

To configure the ITA Command criteria, add the desired text in the Intruder Alert Commands to Monitor box, as illustrated below.

Figure 6-6 Select Intruder Alert command criteria [figure: SELECT Intruder Alert Commands dialog, with the Intruder Alert Commands to Monitor list and a Case Sensitive check box (select to specify case-sensitive text m
109. action, enabling 131; filewatch 149; filewatch in ita.ini file 152; iaquery from command prompt 274; ITA Command criteria 97; itarc 66; itasetup 56, 57, 58, 73, 78, 79, 81, 82; itasetup syntax 73; Manager, to start 56; Manager, to stop 56; nslookup 186; order of execution 120; ps -ef 271; Registry Key 232, 235; report 213; security feature of 121; Send Intruder Alert Command 191; sending from Event Viewer 51; single.exe 72, 80, 81, 82; single.exe syntax 72; snmpget.exe 284; snmpgetnext.exe 284; snmpsendtrap 277; snmpsendtrap.exe 276, 284; snmpset, snmpget, snmpgetnext 282; snmpset.exe 284; snmptrap options 281; snmptrap.exe 284; Windows command prompt 66, 81.
commands.txt file 131: adding entries to 132; syntax of 132.
complex queries 196: logical operators in 197.
components: Administrator 25; Agent 52; Event Viewer; Manager 52; of Intruder Alert 18.
configuration frame in Administrator 31, 38.
Configure to Detect 41.
configuring: actions 106; Agent for email notification 83; Agent for pager notification 84; C2 audit daemon 225; C2 audit logs, monitoring 224; collector file size 265; collector policy 144; Configure to Detect policies 42; criteria 94; custom log file collector 230; error log size 264; event context capturing 155; event sources 230; external audit log monitoring 85; file monitoring 149; firewall 287; IA Query 274, 285; Intruder Alert configuration files 269; ITA Shared Actions policy 141; maximum record count 269; modems 85; policies 14
110. aemon
-p x: wait x seconds between polls
-i y: use alternate audit file interpreter y
-b: read from beginning of the audit file
C2ATD_OPTIONS

Allow ITA to collect events from the process accounting file. Set to 1 to enable the process accounting collector; set to 0 to disable the process accounting collector.
PROCESS_ACCOUNTING_ENABLED 0

On HP-UX 11.23 there are some system processes that still write useful information into the older /var/adm/wtmp and /var/adm/btmp databases. ITA's Collogd daemon monitors both the old databases and the newer /var/adm/wtmps and /var/adm/btmps databases if the version of HP-UX is 11.23 or greater. Uncomment the following 2 lines to instruct ITA not to monitor the older versions of the databases:
ENABLE_OLD_WTMP 0
ENABLE_OLD_BTMP 0

[Manager section]
Turns on address caching (ON or OFF).
ADDR_CACHE OFF

Specifies how long the manager will use a cached address before trying to look it up again, in minutes. The minimum is 15 minutes; the maximum is 48 hours.
ADDR_CACHE_TIMEOUT 60

Specifies a group of ports that will be used fo
111. ag the timer object from the Available box and drop it in the Timers to Monitor box.

Figure 6-9 Select Timer criteria [figure: Timers to Monitor and Available boxes; callout: Drag the timer objects from the Available box and drop them in the Timers to Monitor box]

If more than one timer is being monitored, use the And and Or radio buttons to define the relationship between each of the selected timers. Choose the And radio button when all the selected timers must expire to satisfy the requirements of this clause. Choose the Or radio button when one of the selected timers alone is sufficient to satisfy this criteria.

Date criteria

The Date criteria selects or ignores events occurring within a range of time and must be used in conjunction with other selection criteria. It cannot be the sole selection criteria. The range of time may span seconds, minutes, hours, days, months and even years.

The Date criteria is often used to build "working hours", "weekend only" and "after hours" policies. For example, using the Date criteria with login policy rules, you can monitor all remote logins that occur from 6:00 pm on Friday to 8:00 am on Monday morning. Any remote logins that occur within that time would be detected. Remote logins during the work week would be ignored by that same policy.

To configure the date, select the desired years, months and days, then select the
112. ager.bk1 264; manager.log 96, 264; MIBs 284; Microsoft Database (.mdb), creating 206; monitoring, about 147; monitoring, steps to configure 149; ntcrit 151; predefined view files 187; Revision.txt 218; SecurityReport.rpt 203; SNMP files on Windows 284; SNMP installed files 284; snmp.log 278; snmpsendtrap options 277; snmpsendtrap.exe 276; snmptrap 280; syslog 222; UsersReport.rpt 203; uxcrit 151; uxcrit, restart system when changed 269; wtmp/wtmps 222.
filewatch command 149: adding to ita.ini 153; syntax of 152.
filter rule criteria 94.
firewall, configuration of Intruder Alert with 287.
flag counters 162: Flag Context Count 164; Flag Count 164; Flag Instance Count 163; three types of 162.
Flag criteria 98: introduction to 35.
flags: Flag criteria 35, 98; global 108, 165; Lower Flag action 36; Raise Flag action 36.
folder, deleting in tree 71.
four failed logins policy 168.

G
global flags 165.
GMT 148.
graph editing menu 188.
graphs: in reports 200; Security Events Severity Breakdown 204.
GUI: Administrator 25; Event Viewer.

H
help: button 30; menu, Administrator 29; using in Administrator 72.
HP modems 85.
HP OpenView: with Execute Command 119; with SNMP 274, 283.
HP-UX: allowing Tuneup 271; btmp event logging 168; C2 audit pipe monitoring 224; delimiters in C2 audit pipe 227.

I
IA Query: configuration for SNMP 285; configuring 274; installing 274; mode parameter in configuration file 286; sample configuration file 274.
Ignore crite
113. al Support via the Platinum Web site at www.secure.symantec.com/platinum.

When contacting the Technical Support group, please have the following:
- Customer Service
- Product release level
- Hardware information
- Available memory, disk space, NIC information
- Operating system
- Version and patch level
- Network topology
- Router, gateway and IP address information
- Problem description
- Error messages, log files
- Troubleshooting performed prior to contacting Symantec
- Recent software configuration changes and/or network changes

To contact Enterprise Customer Service online, go to www.symantec.com, select the appropriate Global Site for your country, and then choose Service and Support. Customer Service is available to assist with the following types of issues:
- Questions regarding product licensing or serialization
- Product registration updates, such as address or name changes
- General product information (features, language availability, local dealers)
- Latest information on product updates and upgrades
- Information on upgrade insurance and maintenance contracts
- Information on the Symantec Value License Program
- Advice on Symantec's technical support options
- Nontechnical presales questions
- Missing or defective CD-ROMs or manuals

Contents

Section 1 Getting Started
Chapter 1 Introducing Intruder Alert
Contents and organization of this guide ... 15
Section 1 Getting sta
114. al audit logs for Agents to monitor
- Throttle the rate Agents record events in the Manager's event database

The Policy Library is the second primary branch in the Intruder Alert Administrator tree. It contains all the out-of-box policies and serves as the repository for any user-defined policies. Intruder Alert's out-of-box policies are grouped into three categories:
- Drop & Detect Install
- Drop & Detect Misc
- Configure to Detect

Most Drop & Detect policies are selected and applied at the time of installation. They require no configuration and only need to be applied to a domain. Drop & Detect Misc policies are not selectable during installation and can only be installed after everything is configured. Drop & Detect Misc policies are used for debugging, diagnostics, troubleshooting and protecting the system.

Configure to Detect policies require system or policy configuration to function. Contact a Symantec consultant for assistance in configuring and activating these policies.

You can also create and store your own policies in the Policy Library. The following graphic illustrates how these policies are organized.

Figure 2-17 The Policy Library [figure: Symantec Intruder Alert Administrator window (File, Edit, Manager, View, Help menus) showing the tree: Managers; Policy Library; Configure To Detect; Generic; Integration; Netwar
115. anging label on UNIX 58; email configuration on 83; in domain 40; NIS information on UNIX 58; organizing Agents in domains 22; pager notification on 84; registering on UNIX 77; registering on Windows 79; removing from domain 76; removing policies from 129; renaming on Windows 82; starting or stopping on UNIX 66; starting or stopping on Windows 66; status reports in Event Viewer 212; system limits 20; unregistering from a Manager 57, 80.
Agent Active Datastream report 213.
Agent Load report 213.
Agent Policy report 212.
analyzing: complex events 157; data from collector 222; events 136.
API 265.
Append to File action 114: introduction to 36.
Applied Domains branch 40.
architecture: Intruder Alert 18; network 19.
archiving: .ext files 21, 262, 263; error log files, about 264; policies 130; unwanted data 263; viewing archived events 183.
audit log: C2 security 224; external log monitoring 85; parsing guidelines 86; UNIX logs 222.
audit log sources: application log 229; security log 229; system log 229.
audit policy, about 229.
audit trail 224.
axis properties 181.

B
bandwidth: during tuneup 270; optimizing usage of 267.
bandwidth usage, optimizing 263.
bar chart view 178.
btmp: as an event source 222; event capturing 21; managing the size 265.
build versions, finding information on Web 219.
buttons: connect 29; copy 30; cut 30; delete 30; import 29; LiveUpdate 30; online help 30; paste 30; print 30; save 30; Symantec home page 30.
byte rotary (BROT) 149: abo
116. applying shared to 143; applying policies to 127; creating 75; default, introduction to 20; defined 22; deleting 76; policies in 40; removing an Agent from 76; removing policies from 129.
Domains branch 40.
Drop & Detect Install 41.
Drop & Detect Misc 41.

E
edit menu, Administrator 27.
email: allowing user to configure 68; configuring Agent for 83; in ITA Shared Actions policy 142; paging with 112; Send Email action 36, 111; throttle, configuring 268.
enabling: Collector size 265; commands 131; Execute Command 131.
enforcing policies 127.
equality operators: in queries 194; Select statement 160; spaces around 169.
error logs: configuring size of in ita.ini 264; managing 264; optimizing 264.
event context capturing: about 155; about policies with 165; configuration overview 155; configuring Ignore Flag 167; configuring Raise Flag action 165; configuring Select Flag 166; criteria 159; event variables 161; example policy 168; example scenario 157; flag count variables 162; global flags with 165; known issues 164; overview 156; saving events 165; Select statements in 159; separate rules in 166; with Flag criteria 98; with Raise Flag action 108.
event database 20: corrupted files in 263; files in 262; managing 261; most recent data 262; understanding 261.
event log collector, audit log sources: application log 229; security log 229; system log 229.
event logs on UNIX 21.
event logs on Windows 21.
Event Viewer: about 19, 175; about Query Builder wizard 176; a
117. apturing.
10. In the Tag drop-down list, select the criteria by which saved events will be sorted.
Optionally, under Flag Lifetime, check Flag has a Lifetime.
If you checked Flag has a Lifetime, in the Days, Hours, Minutes and Seconds boxes configure the duration of the flag. Intruder Alert will raise the flag for the period of time defined in the time configuration fields.
Optionally, to have the flag lifetime reset with each new trigger, check Reset Flag Lifetime with Each Trigger. Each new trigger will reset the flag lifetime to the time specified in the time configuration fields.
In the Intruder Alert tree, right-click the policy name and click Save in the drop-down list.
You can create another rule to select or ignore the events captured by the raised flag. See "Configuring Select/Ignore Flag to use event context capturing" on page 166.

Configuring Select/Ignore Flag to use event context capturing

This section describes how to configure Select Flag and Ignore Flag to use event context capturing.

Note: The Select/Ignore Flag and the Raise Flag action cannot reside in the same rule. They must reside in separate rules.

To configure the Select Flag:
1. Complete the steps for configuring the Raise Flag action to capture event context information. See "Configuring the Raise Flag action to use event context capturing" on page 165.
2. In the Intruder Alert tree, in the desired policy branch, create a new rule
118. ata. The three together constitute a simple expression. See below.

Figure 11-11 Simple expressions [figure: Simple Expression = Label, Equality Operator, Data]

The following is an example of a simple expression: User = Guest

This simple expression tells Intruder Alert View to collect and display only the data corresponding to the user Guest.

Users can combine simple expressions. More than one simple expression joined by a logical operator constitutes a compound, or complex, expression. Complex queries are discussed later in this chapter.

The sections below describe the fundamental building blocks of a simple expression and how to use them to build expressions or queries.

Labels

A label is the first element in a simple expression. Labels identify classes of information. The following table describes each label.

Table 11-1 Query labels
- Value: Each rule has an associated value. The values range from 0 to 100, 0 being the least severe and 100 being the most severe. When Intruder Alert detects a security event, it stamps the event with additional data. One of those elements is the rule value. Thus you can query the event database based on the rule value. Use this label when you want to include or exclude events having a particular rule value. For example: Value > 50
- System: System refers to the name of the Agent on which the event was captured. T
119. atching; a New Entry box (type the command text); an Add button (click to add the command to the selection criteria); and Edit List, Remove and Clear List buttons]

Enter one or more code words or phrases to be selected or ignored. The following are example commands:
- cancel timer
- test
- page admin

Flag criteria

The Flag criteria selects or ignores flags raised by another rule. Intruder Alert lists the available flags in the Available box. Flags can be used at two levels of selection. The first level is the flag itself: if the flag is raised, the selection criterion is met and, barring any ignore clauses, the rule's actions will be executed. The second level uses a feature called Event Context Capturing. This feature works with a raised flag to trigger only when certain conditions on the raised flag exist.

For event context capturing to work, the Raise Flag action must be configured to capture events. Then you must configure the Select/Ignore flag with the desired selection criteria. The Raise Flag action and the Select/Ignore Flag criteria must reside in two separate rules.

To configure the Flag criteria at the basic level (event context capturing is not used), drag the desired flag from the Available box to the Flags to Monitor box, as illustrated below.

Figure 6-7 Flag criteria [figure: Flags to Monitor and Available boxes, showing the Raise Flag example; callout: Drag flag objects from the Available box and drop them i
120. ated in one of three ways:
- Contents
- Index
- Find

2. When the Help Topics dialog box appears, to select the desired search method, do one of the following:
- Click Contents
- Click Index
- Click Find

Table 4-4 Online help search methods
- Contents: A hierarchical listing of topics organized in a table of contents.
- Index: A list of indexed words or phrases designed to help find topics in the online help.
- Find: A tool that searches for any word or combination of words found in the online help.

Using the single.exe command on Windows

You can use the single.exe command on the Windows command line to register and unregister local Agents to a Manager. The command also provides options to list all Managers to which a local Agent is registered and to print out the usage information for the command itself. The single.exe command resides in the folder <system disk>\Program Files\Symantec\ITA\bin.

The complete syntax for single.exe is:
single.exe -h -l -r <manager> <user> <password> <port> -u <manager>

where the angle-bracketed (<>) arguments are replaced by your actual manager name or IP address, username, password and port number, and where the options are as follows:
- -h: Print this usage message
- -l: List all the Managers to which the local Agent is registered
- -r: Register the local Agent to a Manager using
    # ...ation Database
    MOD_ISAM=1
    # Collectors
    MOD_COLLECT=1
    # Event processing
    MOD_EVENT=1
    # Event actions
    MOD_ACTION=1
    # Dot format
    MOD_DOT=1
    # Callback engine
    MOD_CALLBACK=1
    # Memory manager
    MOD_MEM=1
    # Policy updates
    MOD_POLICY=1

    ############################################################
    # View Diagnostics
    ############################################################
    # Specifies if log file to be kept open while the Event Viewer is running (0=False, 1=True)
    LogFileKeepOpen=1
    # Enables or disables diagnostic reporting
    Enable=0
    # Specifies how large the view log file will get, in KB
    MaxLogSize=50
    # Specifies how many old log files the viewer will keep
    MaxLogFiles=2
    # Includes the time with each diagnostic message logged (0=OFF, 1=ON)
    LogTimeStamp=1
    # Includes the date with each diagnostic message logged (0=OFF, 1=ON)
    LogDateStamp=1
    # Includes the name of the diagnostic group with each diagnostic message logged (0=OFF, 1=ON)
    LogGroupName=0
    # Includes the name of the diagnostic level with each diagnostic message logged (0=OFF, 1=ON)
    LogLevel=0
    # Will log diagnostic messages to standard out if not run as a daemon (0=OFF, 1=ON)
    LogStdout=0
    # Diagnostic group names and levels
...ator. Place the pointer over each button to learn its name.

Figure 2-3 Intruder Alert Administrator toolbar (buttons, left to right: Connect, Import Policy, Save, Cut, Copy, Paste, Delete, Print, Symantec Homepage, LiveUpdate, Help Topics)

The following list provides the name and function of each button:

Connect            Displays the Intruder Alert Connect to Manager dialog box, allowing you to establish a connection between the Administrator and the Manager.
Import Policy      Displays the Import dialog box, allowing you to import a policy.
Save               Saves changes made in the Intruder Alert Administrator. The Save button is activated when changes need to be saved.
Cut                Removes the selected object from the tree.
Copy               Makes a duplicate copy of the selected object.
Paste              Inserts the cut or copied object beneath the selected node.
Delete             Deletes the selected item from the tree.
Print              Prints information about a policy, rule or rule criteria.
Symantec Homepage  Connects you to the Symantec Web site.
LiveUpdate         LiveUpdate is no longer used to provide Intruder Alert patches. Instead, go to the Symantec Web site to download updated versions: http://www.symantec.com/techsupp/enterprise
Help Topics        Accesses online help. In online help the user can browse or search by keywords.

Intruder Al...
...ble out of the box. Intruder Alert comes with six standard reports, described in the table below.

Table 12-1 Standard report types

Management Report
    The Management Report targets business executives who may not have technical backgrounds or a lot of time. Use this report to give upper management an illustration of detected attacks by severity, Agent and user. The Management Report presents summary information using charts and graphs.

Technician Report
    The Technician Report targets information security and system administrators. The Technician Report provides the greatest level of detail. Not only does it present information in tables and charts, but it also lists each attack by severity, Agent or user. Use the Technician Report when you want to give security and system administrators a comprehensive view of detected attacks.

Security Events Report Sorted by Severity
    The Security Events Report simply lists detected events in a report. The report is sorted by severity level first, then by Agent system in alphabetical order second. Use this report to get a list of all attacks matching the desired criteria.

Agent Report
    The Agent Report views events from the Agent's point of view. It compares events on selected Agents, plus it reveals events detected for each user on the selected Agents. Use this report when you want to compare Agent systems and view user activity on each Agent. The Agent Report uses a default Crystal Reports te...
...branches:

- Policies in Domain. The Policies in Domain branch lists the policies applied to the Agent domain.
- Agents in Domain. The Agents in Domain branch lists the Agents assigned to the selected domain.

Policies

The Policies branch lists all policies applied to a Manager. The policies that were applied at the time of installation are located in this branch. You can copy policies from the Policy Library into this branch and apply them to a domain. When a policy is removed from a domain, it still resides in the Policies branch. The Applied Domains and Rules branches appear beneath each policy.

Figure 2-15 Applied Domains and Rules branches (tree: NT System Tampering, with Applied Domains and Rules beneath it)

The branches are described as follows:

- Applied Domains. The Applied Domains branch lists the domains on which the policy is applied.
- Rules. The Rules branch lists the rules for the selected policy. Rules specify which events to detect and actions to perform.

Registered Agents

The Registered Agents branch lists all Agents registered to a selected Manager. When an Agent is selected, the Agent configuration fields appear in the configuration frame in the right pane of the Administrator window.

Policy Library

Figure 2-16 Agent configuration fields

The Agent configuration fields are used to:

- Set up the Agent with email and paging capabilities
- Configure addition...
...cess time monitoring. Save the file in standard ASCII file format with a .lst file extension.

The file watch list may reside in any directory on the system. However, Symantec recommends storing it in the following locations:

- On UNIX, in the directory /axent/ita/system/<hostname>
- On Windows, in the folder <system disk>\Program Files\Symantec\ITA\system\<hostname>

Once you have created the file watch list, you must direct the Agent to begin monitoring the selected files by adding a setting in the ita.ini file. See "Adding the filewatch command to ita.ini" on page 152.

Adding the filewatch command to ita.ini

The file watch list is enabled via a command located in the Agent's ita.ini file. The following diagram illustrates the command's syntax.

Figure 9-1 File watch command syntax

    filewatch=<Location of List>,<Name of Database File>

(Callouts: File Watch command; path and file name of the File Watch list; comma, no spaces; file name of the File Attribute Database.)

Examples include:

- filewatch=c:\security\ita\filewatch\chk1hr.lst,chk1hr
- filewatch=/security/ita/filewatch/filechk.fil,filechk
- filewatch=c:\security\ita\filewatch\test.lst,test

The process allows multiple file watch lists to be activated at the same time. Each file watch list should have its own line in the ita.ini file.

Note: When naming the File...
Connecting to a Manager

To connect to a Manager from the Administrator, follow the procedure below and refer to Figure 4-1.

Figure 4-1 Connect to Manager dialog box (fields: Manager; Account Information: User Name and Password; Protocol: TCP/IP or IPX/SPX; Service: 5051. Callouts: Type the Manager's name; Type the User Name and Password; Optional: select the protocol and port used by the Manager.)

To connect to a Manager:

1. In the Administrator window, in the Intruder Alert tree, click Managers.
2. Do one of the following:
   - On the toolbar, click Connect.
   - In the tree, expand Managers and then right-click the Manager that you want to connect to. In the drop-down list, click Connect to Manager.
   - In the tree, right-click Managers and then click Connect to Manager in the drop-down list.
3. In the Connect to Manager dialog box, in the Manager text box, type the name of the Manager.
4. In the User Name text box, type the Manager username.
5. In the Password text box, type the Manager password.
6. Under Protocol, do one of the following, according to the Manager configuration:
   - Click TCP/IP.
   - Click IPX/SPX.
7. If the Manager is configured to communicate using a port number other than 5051, enter that port number in the Service text box. The Service text box specif...
...d.

To export a policy:

1. In the Policy Library branch or a Manager's Policies branch, click the policy.
2. On the menu bar, click File > Export Policy.
3. In the Exporting Policies dialog box, browse to the folder in which to save the policy.
4. In the File Name text box, type the policy name.
5. In the Save as Type text box, type or select .pol.
6. Click Save.

Importing a policy

You may upgrade or expand the monitoring capability of Intruder Alert by importing new or custom policies. Policies can be imported into a folder in the Policy Library branch or a Manager's Policies branch. Policies must have a .pol file extension to import successfully.

To import a policy:

1. In the Intruder Alert tree, do one of the following:
   - In the Policy Library branch, click one of the folders.
   - In the Managers branch, under the desired Manager, click Policies.
2. On the menu bar, click File > Import Policy.
3. In the Importing Policies dialog box, browse to the location of the policy to import and click the policy.
4. Click Open. The policy is imported and stored in the selected branch.

Securing the Execute Command action

The Execute Command action has an enhanced security feature to prevent Intruder Alert from being used incorrectly. This feature allows you to control which commands may be executed by Intruder Alert Agents. The Execute Command action is disabled by default and is enabled only...
  ...d (for example, press 1 to page, press 2 to speak with an attendant, etc.). In addition, some paging services accept numbers immediately following each other without having to wait for options to be presented; however, many do not. Some services do not require that you wait for an option to be presented before being able to choose it. In these circumstances, you must configure pauses in the sequence. Pauses are configured using commas. The length of the pause depends on the modem; however, as a rule of thumb, use one comma for every second.
- Always test the policy to verify that the Send Page action is configured properly.

Append to File

The Append to File action writes events in a user-specified text file. The location of the file may be on a local or remote host configured with an Intruder Alert Agent.

Note: For security reasons, the directory or folder where the file will reside must already exist. Intruder Alert will create the file, but it will not create the directory.

To append events in a file located on the local system, specify the desired path and file name, for example:

- On UNIX: /axent/ita/system/<hostname>/collect.log
- On Windows: <system disk>\Program Files\Symantec\ITA\system\<hostname>\collect.log

To append events to a file on a remote Agent system, use the following format:

    <path and file name> <Agent label>
...d allows the filter to monitor the CurrentControlSet, ControlSet001 and ControlSet002 at the same time. You have selected the Registry keys you are going to monitor.

To define information passed to the collector

Now define the information your filter will pass to the collector. The information on this computer is very important, and you want to know immediately if someone has attempted to modify the PATH settings.

- In the Actions area, click Delete Value. Check Success. Check Failure.
- In the Actions area, click Set Value. Check Success. Check Failure.

You have created the filter that the collector needs to monitor the Registry. Your filter will monitor any change or attempted change to the PATH settings. When monitoring a Registry key (as opposed to a Registry value), use the Create Key and Delete Key options. These four options will cover most of what you will monitor.

You have created a policy and a filter, and defined the information to be passed to the collector. Now create the second rule and select the actions to be performed when your rule causes a response in Intruder Alert.

To create a second custom rule for actions

1. In the left pane, click the plus sign to the left of your new policy to expand the view.
2. Right-click Rules and then click New in the drop-down list.
3. In the right pane, in the Label text box, type System...
...de an alert.

- You monitor the actions of new Registry keys.
- You monitor attempts to affect the results of actions of Registry keys.
- You provide near real-time alerts.

The Registry Key Command gives you the capability to monitor the following:

- Close Key. This function monitors the release of the Registry key you specify. Closing a Registry key does not necessarily write information to the Registry before ending; it can take as much as several seconds for the cache to be flushed to the hard disk. If an application or service must explicitly write Registry information to the hard disk, it may use the flush function. If the Close Key function does not return the information you are looking for, you may want to try the Flush Key function.
- Create Key. This function monitors the creation of subkeys or values within the Registry key you specify. Unless you specify a particular type of service or application, this function could register too many alerts to be of practical value.
- Delete Key. This function monitors the deletion of the Registry key you specify. The entire key, including all of its values, is removed.
- Delete Value. This function monitors the deletion of a named value from the Registry key you specify.
- Enumerate Key. This function monitors the enumeration of subkeys of the Registry key you specify. The specified key must have been opened first.
- Enumerate Value. This function monitors the enumeration of the values for the...
...desired hours, minutes and seconds. When you select Date, the date calendar appears.

Figure 6-10 Select Date criteria (callouts: Use the arrow buttons to select the desired month and year; Click on a date to define the range of time.)

When you click on a date in the calendar, the following time definition dialog box appears.

Figure 6-11 Time Definition dialog box (fields: From and To, each with Hours, Minutes and Seconds; Repeat. Callouts: Select the time range; Select the repeat frequency, for example Daily.)

Event date and time stamps

The Agent reports events using its own local time. The events display in the Event Viewer with the Agent's local time converted to the time zone of the Event Viewer. This allows the Event Viewer to report all events simultaneously, as they happen, regardless of the time zone of the individual Agent. This feature is rendered useless if the Agent is not set to its local time zone. The event report results become confusing when an Agent, or multiple Agents, with incorrect time zone settings report to the Event Viewer. The Windows system default calendar for the United States is the Gregorian calendar.

To select a range of time and frequency:

1. In the Date criteria configuration calendar, select the starting year and month, and then click the desired day. Use the double arrow...
...doe@symantec.com

Note: The Send Email action can also be used to send email to alphanumeric paging devices in lieu of a modem for paging, provided the email server supports this feature and is properly configured to do so.

The following graphic depicts an example email message sent by Intruder Alert.

Figure 6-19 Example email message

    Event type: System Message
    Rule: NT User Changed
    Policy: Account Changed
    Importance: Yellow 50
    Agent name: voyager
    Agent hostname: voyager
    ################
    Time: Tue Mar 26 13:48:24 2000
    Time: Tue Mar 26 13:48:24 2000
    User: jdoe
    Agent: voyager
    Source: Security
    ID: 642
    Type: Success Audit
    User Account Changed
    Target Account Name: jdoe
    Target Domain: VOYAGER
    Target Account ID: 444
    Caller User Name: JDoe
    Caller Domain: Ds9
    Caller Logon ID: 0x0 0x618A
    Privileges:

Note: Use this action sparingly. If a rule's selection criteria is too broad, meaning that a large number of events trigger the rule, then large numbers of email messages will be sent. A prolonged implementation, which may be seconds or days depending on the selection criteria, may yield undesired results, including slowed performance by the Agent, diminishing performance by the email server, and diminished network performance due to a large volume of email messages. Limit your use of this action to prevent system problems.

Send Page

...
Figure: Policy Library tree (folders Configure to Detect policies, Drop & Detect Install policies and Drop & Detect Misc policies, each containing Generic, NetWare, Unix and Windows NT subfolders; status bar: For Help, press F1)

Intruder Alert Event Viewer

The reporting features of Intruder Alert have been simplified by using a Graphical User Interface (GUI) for the Intruder Alert Event Viewer. This section discusses the various tools, objects and features available in the GUI.

The Intruder Alert Event Viewer is used to view event data captured by Agents. When directed via the Record to Event Viewer action, Agents record events in an event database located on the Manager's system. The Intruder Alert Event Viewer runs only on Windows.

Using the Intruder Alert Event Viewer, you can:

- Query a Manager's event database and view selected events as they happen, or view historical snapshots of the data.
- Send Intruder Alert commands to Agents.
- Generate and view various reports.

To begin using the Intruder Alert Event Viewer:

1. Launch the Event Viewer by doing one of the following:
   - Launch the Event Viewer from the Windows Start menu.
   - Click the application icon on the Windows desktop.

The Event Viewer consists of a viewer window bordered on the bottom by a general i...
...e Raise Flag action, the Select and Ignore Flag can be used to monitor the event and respond as soon as the event is identified.

To illustrate how event context capturing works, suppose you want to detect three failed logins by the same user within a two-minute period. In the following illustration, Sam, John and Mike perform a total of seven failed logins within a four-minute period, between 9:59 am and 10:03 am.

Figure 10-2 Failed logins diagram (callouts: The first failed login raises the flag; One flag with multiple contexts; Additional failed logins; users John, Mike, John; Network Server; Intruder Alert Agent)

The policy states that, among the many failed logins that occur, we want to identify the user that fails three or more logins within a two-minute period. Now let's take a closer look at the flag to better understand how event context capturing works. The following graphic is used for illustrative purposes only; events stored with the flag cannot be seen or accessed by users.

Figure 10-3 Intruder Alert flag diagram (callouts: Raised Flag; Events are sorted by User Name; Event contexts get saved with the raised flag; Flag Context Count; Flag Count; Flag Counters)

In the above diagram, notice that the first failed login event raises the flag. Subsequent failed logins are stored with the flag for the period of time specified on the flag. Event conte...
  ...e, press Enter.
- To reject the choice and display the list again, type n and then press Enter.

Updating NIS Master information on the Agent

To update NIS Master information on the Agent:

1. Change to the Intruder Alert setup directory. Type the following command and then press Enter:
       cd /axent/ita/bin/<platform_type>
   where platform_type indicates the type of computer you are using.
2. Start Intruder Alert setup. Type the following command and then press Enter:
       itasetup
3. When prompted with the Intruder Alert setup options, type 2 and then press Enter to display the post-installation options.
4. Type 6 and then press Enter to change the NIS Master information.
5. At the NIS Master prompt, do one of the following:
   - If the Agent will not be an NIS master or slave master, press Enter.
   - If the Agent will be an NIS master or slave master, type y and then press Enter. Answer the questions that are displayed.

Exiting the post-installation procedure

To exit the post-installation procedure, when the post-installation procedure option list is displayed, type 7 and then press Enter to quit the procedure.

Post-installation options on Windows

This section contains instructions for performing each Windows post-installation option. Post-installation options include:

- Starting ITA Manager/Agent Setup
- Stopping or starting the Agent
- Stopping or starting the...
...e Manager and/or Agent:

1. Change to the Intruder Alert bin directory. Type the following command and then press Enter:
       cd /axent/ita/bin
2. Type the following command and then press Enter:
       itarc start

Stopping the Manager and Agent

The stop option stops whatever Intruder Alert components reside on that system. If the Manager and Agent reside on the same system, both will be stopped. If only the Agent resides on that system, only the Agent will be stopped.

To stop the Manager and/or Agent:

1. Change to the Intruder Alert bin directory. Type the following command and then press Enter:
       cd /axent/ita/bin
2. Type the following command and then press Enter:
       itarc stop

Registering an Agent with additional Managers

If desired, Agents can be registered with multiple Managers. The following instructions describe how to register an Agent with an additional Manager.

To register an Agent with additional Managers:

1. Change to the Intruder Alert setup directory. Type the following command and then press Enter:
       cd /axent/ita/bin/<platform_type>
   where platform_type indicates the type of computer you are using.
2. Start Intruder Alert setup. Type the following command and then press Enter:
       itasetup
3. When prompted with the Intruder Alert setup options, type 2 and then press Enter to display the post-installation options.
4. Type 4 and then press Enter to register the...
...e criteria:

- Scope
- Time window
- Audience: management or technician

  Management. This report is intended for senior management. It provides the highest level of summary information and the least amount of specific detail. It uses charts and graphs largely to communicate status measured in terms of company-wide business objectives.

  Technician. This report is intended for the systems administrator or security practitioner. It is a detailed report showing events on specific systems. The user may use this report to identify what precautions may be taken to eliminate risk.

- Type of detail: security events, agents or users

  Security events. This report sorts data by event type across one or more systems.

  Agents. This report sorts data by system and the events occurring on that system.

  Users. This report sorts data by user, date and severity level.

Integrating Crystal Reports

You must own a fully licensed version of Crystal Reports to take complete advantage of Crystal Reports capabilities, including the option to customize your report page with custom logos. Crystal Reports integration with Intruder Alert provides the following benefits:

- Choice of a variety of report types. Choose from sub-reports, conditional reports, summary reports, form reports, drill-down, OLAP, Top N, multiple detail reports, mailing labels and more.
- Easy access to Intruder Alert...
...e critical system files with Trojan horse versions, or alter system files in an effort to create a back door for future intrusions. They may also try to replace Web files with slanderous versions to defame or sabotage an organization's credibility.

Intruder Alert is preconfigured to detect changes to mission-critical files on UNIX and Windows systems. Additional configuration steps are usually not necessary. Symantec security experts have defined a set of mission-critical files that are automatically monitored via the UNIX File Tampering and Windows File Tampering policies. These policies are automatically activated during Agent installation. If you have other important files that you want Intruder Alert to monitor, you can create additional file watch lists and configure Intruder Alert to monitor those lists. Intruder Alert supports multiple file watch lists.

Intruder Alert can determine if a file (text file, program, configuration file, etc.) or directory has disappeared, reappeared or changed (been accessed or modified). This security process works by comparing the attributes of files and directories with the file attribute database. If an actual file or directory structure differs from the database, the process sends a message to the Agent to indicate the file has changed.

Intruder Alert uses Coordinated Universal Time (UTC), also known as Greenwich Mean Time (GMT)...
...e made available in the text view. Clicking on an event entry will reveal a detailed report about the event.

Text view options

- Click or double-click on a column header to sort all the information in either ascending or descending order.
- Resize or hide columns by dragging the borders of the column heads with a click and hold of the left mouse button.

Below is an example of the alert text view.

Figure 2-24 Text view (callouts: Re-sizable columns; Sortable data; Detailed Event Reports. The sample event shown is from a Microsoft Windows NT Agent and reports that a file's size, modification time and creation time have changed, giving the old and new values of each.)

Sending Intruder Alert commands

In the Intruder Alert Event Viewer, you can send an Intruder Alert command. Intruder Alert commands are user-defined.

Figure 2-25 Send Intruder Alert command (Event Viewer window with the File, View, ITA, Window and Help menus, an Enter a Command box and a Send Command button)

See "ITA Command criteria" on page 97. See "Sending an Intruder Alert command to an Agent" on page 191.

Managers and Agents

Intruder Alert Managers and Agents are UNIX daemons or Windows services and do not require a user in...
    # ...e will get, in KB
    MaxLogSize=50
    # Specifies how many old log files the agent will keep
    MaxLogFiles=2
    # Includes the time with each diagnostic message logged (0=OFF, 1=ON)
    LogTimeStamp=1
    # Includes the date with each diagnostic message logged (0=OFF, 1=ON)
    LogDateStamp=1
    # Includes the name of the diagnostic group with each diagnostic message logged (0=OFF, 1=ON)
    LogGroupName=0
    # Includes the name of the diagnostic level with each diagnostic message logged (0=OFF, 1=ON)
    LogLevel=0
    # Will log diagnostic messages to standard out if not run as a daemon (0=OFF, 1=ON)
    LogStdout=0
    # Diagnostic group names and levels
    # The number specifies the lowest level for which you want to see diagnostic
    # information. Thus setting it to level 3 will also include levels 1 and 2.
    # Main program loop
    MOD_MAIN=1
    # Communications
    MOD_COMM=1
    # Authentication
    MOD_AUTH=1
    # Encryption
    MOD_ENCRYPT=1
    # Manager Event Database
    MOD_DB=1
    # Manager event cache
    MOD_CACHE=1
    # Configuration Database
    MOD_ISAM=1
    # Collectors
    MOD_COLLECT=1
    # Event processing
    MOD_EVENT=1
    # Event actions
    MOD_ACTION=1
    # Dot format
    MOD_DOT=1
    # Callback engine
    MOD_CALLBACK=1
    # Memory manager
    MOD_MEM=1
    # Policy updates
    MOD_POLICY=1
    ############################################################
145. eating policies that use event context capturing

Understanding and using event contexts

Event context capturing enables Intruder Alert to remember certain events and distinguish between them for more refined selection and response. This feature is especially useful when a high volume of the same type of events occurs within a short period of time. For example, Intruder Alert can identify an attacker's five failed logins from among 30 that occur within a three-minute period.

Before you begin creating or modifying policies to use event context capturing, you should thoroughly understand how it works. The next sections will teach you the principles of event context capturing:
- Event context configuration
- Event context capturing
- Event context selection criteria
- Notes and known issues

Event context configuration

Using event context capturing requires three configuration phases, or steps, as illustrated in the following graphic.

Figure 10-1 Steps to configuring event context capturing (Phase 1: Configure a Raise Flag Action Clause to Capture Selected Events; Phase 2: Configure a Select/Ignore Flag with Selection Criteria and Action to be taken; Phase 3: Activate and Test the Policy)

The following list provides an overview of the process of configuring event context capturing:
- In a policy, create a rule with a Raise Flag action.
- Configure the rule t
146. ect the path and file name of the desired report template and then click Open. This dialog is used to select the desired Crystal Reports template.

The report is generated in the Intruder Alert Report Viewer window. This window is a Crystal Reports viewing screen. If you have defined a general or complex query, or if there is a large amount of data in the event database, it may take a little longer to generate the report. In such cases the message "Generating Report" will appear. Wait for the report to appear.

In the Report Viewer you can print the report, export the report contents, and save the report.

Using the Intruder Alert Report Viewer

The Report Viewer is a Windows graphical interface used to display Crystal Reports templates. The following graphic depicts the Report Viewer toolbar.

Figure 12-3 Report Viewer toolbar (callouts: Cancel reading records, Magnification Factor, Total records found by query, Go to first page, Go to previous page, Go to next page, Go to last page, Search, Records read, Percent of records read, Current page, Printer Setup, Print, Close)

This section describes how to use the Report Viewer. Section topics include:
- Refresh the report contents
- Suspend and resume automatic refresh
- Set up the printer
- Print the report
- Export and save the report contents
- Enlarge the view area
- Locate
147. ed in the policy.

To remove a policy
1. Connect to a Manager. See "Connecting to a Manager" on page 64.
2. In the Intruder Alert tree, in the Domains branch of the connected Manager, expand the domain.
3. In the domain branch, expand Policies in Domain to view policies applied to that domain.
4. Right-click the policy and then click Remove from Domain in the drop-down list.
The policy is removed from the domain, but it still resides on the Manager in the Policies branch. You can also delete the policy from the Manager. See "Deleting policies from a Manager" on page 130.

To simultaneously remove multiple policies from a domain
1. In the Intruder Alert tree, in the desired domain under the Domains branch of the connected Manager, click Policies in Domain. The configuration frame in the right pane displays all of the policies applied to the domain.
2. In the right pane, do one of the following:
   - Press Shift and select the first and last of a group of policies to remove.
   - Press Ctrl and select multiple policies to remove.
3. On the keyboard, press Delete.
4. In the confirmation dialog box, click OK.
Although you are asked to confirm the deletion of the policies, the policies themselves are not deleted from the Policies branch under the Manager. They are removed only from the domain.

Moving policies to the Policy Library

When a policy is no longer used, you can store it in the Policy Library if it does not already reside there
148. Rule Actions
Intruder Alert Administrator fields
Intruder Alert tree
Managers branch
Policy Library
Intruder Alert Event Viewer
Menu bar
Toolbar
Event Viewer task features
Defining a query
View types ... 49
Sending Intruder Alert commands ... 51
Managers and Agents ... 52
Section 2 Administering security
Chapter 3 Post installation options
Post installation options on UNIX ... 55
Starting the Manager and Agent ... 56
Stopping the Manager and Agent ... 56
Registering an Agent with additional Managers ... 56
Unregistering an Agent from a Manager ... 57
Changing the Agent label ... 58
Updating NIS Master information on the Agent ... 58
Exiting the post install
149. egister Local Agent to Manager dialog box, in the Manager field, type the Manager's name.
4. In the Username field, type the Manager's username.
5. In the Password field, type the Manager's password.
6. Under Protocol, do one of the following to select the protocol:
   - Click TCP/IP
   - Click IPX/SPX
7. Click OK.
8. Repeat Steps 3-7 for each Manager.
The Agent is registered with the listed Managers.

Note: The user attempting to register the Agent with a Manager must have Register New Agent privileges to register new Agents. User privileges are managed in Intruder Alert Administrator's User Manager.

Unregistering an Agent from a Manager

Use the Intruder Alert Administrator to unregister an Agent from a Manager.

To unregister an Agent from a Manager
1. In the Administrator tree, expand Managers. The Managers branch displays all Managers connected to the Intruder Alert Administrator. See "Connecting to a Manager" on page 64.
2. Expand the branch of the Manager to which the Agent is registered.
3. In the Registered Agents branch, right-click the Agent and then click Unregister from Manager in the drop-down list.
4. In the confirmation dialog box, click Yes.

Although the recommended method of unregistering an Agent is through the Intruder Alert Administrator, it may be necessary to force the unregistration process of an Agent from a Manager.

To force
150. ent 21; C2 audit 225; collector 222; Manager 52, 65; snapdragon for snmptrap 281; syslog 222
data: C2 security protection of 224; collected by collector 222; deleting 263; encrypted by Agent 21; event data, storing 20; event data, viewing 19; filtering by Event Viewer 175; final data 262; in Crystal Reports format 50; in event database 261; in expressions 195; in query 192; in Select statement 160; label/data pair 107; large amounts of 145; parsing 85; pinpoint specific 184; real-time viewing 186; throttling data transfer 267; transferred over network by Intruder Alert 270
databases: event 20; event, managing 261; event, Record to Event Viewer 36; event, types of files in 262; event, used by Event Viewer 175; file attribute 147
Date criteria 100; introduction to 35
date stamp 102
debug logging 265
delete button 30
deleting: actions from rules 140; criteria from rules 140; domains 76; folder in tree 71; Manager 65; old data 263; policies from Manager 130; policies permanently 130; rules 139
delimiters: in Append to File log file 115; in C2 audit pipe file 227; in external audit log files 85; in multiple line collector 231; variable 159
Disable User action 124; introduction to 37
Disconnect Session action 124; introduction to 37
disconnecting: Disconnect Session action 124; from a Manager 65; if password is changed 70
disk space, optimizing 261
DNS 65, 79, 186, 228
domains: adding an Agent to 76; Agents in 40; All Agents domain
151. eport and User Report. These templates reside in the ITA bin directory. Under Custom Reports you can also use your own custom report template. The dialog has a browse feature to allow you to select the template. User-defined report templates should be stored in the predefined ita\bin\Custom_Reports directory.

After making your selections, the report appears in the Report Viewer as illustrated below.

Figure 12-1 Report Viewer (screenshot of a Security Report in the Intruder Alert Event Viewer Report window; callouts: Report Title Page, Query parameters as defined in the Query Builder)

The body of the report contains various report elements, such as charts, graphs, and listings of individual events. The following graphic illustrates the Security Events Severity Breakdown chart and graph.

Figure 12-2 Security Events Severity Breakdown chart (screenshot of the Intruder Alert Event Viewer Report window)
152. eriod. This policy is designed for a UNIX system equipped with btmp event logging, such as HP-UX or Solaris. To simulate this event we will use a telnet client to log in to the UNIX host remotely.

To create the 4 Failed Logins policy
1. Start Intruder Alert Administrator, connect to a Manager, and expand the branch for that Manager.
2. In the tree under the connected Manager, right-click Policies and then click New in the drop-down list.
3. In the right pane, in the Label text box, type the name of the policy as 4 Failed Logins.
4. In the Description text box, type: Detects 4 failed logins by the same user within a 2 minute period on UNIX systems.
5. In the tree, expand the new policy. The Applied Domains and Rules branches are visible.
6. In the tree, right-click Rules and then click New in the drop-down list. A new rule is added as New Rule.
7. In the right pane, in the Label text box, type the following name for the rule: Rule 1.
8. In the tree, click New Rule to update the name.
9. In the tree, expand Rule 1.
10. In the Rule 1 branch, right-click Select and then click New > System Message in the drop-down list.
11. In the right pane, in the New Entry text box, type the message the Agent sends to the Manager and then click Add to List. Example responses include
153. ert Administrator

List toolbar

The List toolbar allows you to control the size and placement of the icons in the configuration frame. It appears above the Label field and may be selected and deselected through the View menu.

Figure 2-4 List toolbar (callouts: Large Icons, Small Icons, List View, Delete)

The functions this bar represents may also be accessed by right-clicking in the configuration frame and using the shortcut menu.

Figure 2-5 Click access to the List toolbar options (screenshot; to access the available options in the List toolbar, right-click in the configuration window)

Select toolbar

The Select toolbar lets you add Select criteria to a rule with a click of the mouse. The bar is available when creating or editing the Select criteria of a policy rule and may be selected through the View menu.

Figure 2-6 Select toolbar

Select criteria may also be added to rules by right-clicking on the Select node in the tree view, as illustrated below.

Figure 2-7 Click access to the Select toolbar (screenshot; to access the available options in the Select toolbar, right-click on the Select node in the tree view)

Ignore toolbar

The Ignore toolbar lets you add Ignore criteria to the rule with a click
154. ert Administrator fields

Figure 2-12 Intruder Alert Administrator fields (screenshot; callouts: Label Window, Configuration Window, Tree View)

The different fields are described as follows.

Label field: Located in the right pane, in the top section of the Administrator, the label field provides information to identify the name of the application item that is selected in the Configuration frame. It may also display an input field or activation check box for certain selected items.

Configuration frame: This frame contains configuration dialogs for various Intruder Alert elements.

Intruder Alert tree: Located in the left pane, the Intruder Alert tree simplifies the process of administering Intruder Alert.

Intruder Alert tree

The following graphic illustrates the main branches of the Intruder Alert tree.

Figure 2-13 Intruder Alert tree (screenshot of the Intruder Alert Administrator showing the tree branches: Intruder Alert, Managers, Domains, Policies, Registered Agents, Policy Library, Configure To Detect, Drop & Detect Install, Drop & Detect Misc)

The Manager
155. es ... 284
Importing NetProwler policies ... 285
Troubleshooting SNMP for Intruder Alert ... 285
SNMP Manager address in IA Query configuration file ... 285
Mode parameter in IA Query configuration file ... 286
Intruder Alert events are not sent as specified ... 286
Destination ports for Intruder Alert
Overview ... 287
Ports used by Intruder Alert ... 287

Section 1 Getting Started

This section introduces you to Intruder Alert as follows:
- Chapter 1 Introducing Intruder Alert
- Chapter 2 Touring Intruder Alert

Introducing Intruder Alert

This chapter includes the following topics:
- Contents and organization of this guide
- Understanding Intruder Alert's architecture
- The Intruder Alert Administrator
- The Intruder Alert Event Viewer
- The Intruder Alert Manager
- The Intruder Alert Agent
- Intruder Alert policies

Contents and organization of this guide

Section 1 Getting started. The Getting started section of the guide contains:
Chapter 1 Introducing Intruder Alert. This chapter defines Intruder Alert, including each component in its architecture, and briefly describes how each component
156. ... 68
Modifying user privileges ... 69
Changing user passwords ... 69
Removing a user account ... 70
General administrative tasks ... 70
Printing tree view information ... 71
Deleting a folder ... 71
Using online Help ... 72
Using the single exe command on Windows
Using the itasetup command on UNIX ... 73
Chapter 5 Managing Agents
Creating and deleting a domain
Creating a domain
Deleting a domain
Adding an Agent to a domain
Removing an Agent from a domain
Registering an Agent to a Manager
Registering an Agent on UNIX
Registering an Agent on Windows ... 79
Unregistering an Agent from a Manager ... 80
Performing Agent management tasks
157. esired view file and then click Open. If the Open dialog defaults to your desktop, it will be necessary to drill down to the following file location: <system disk>\Program Files\Symantec\ITA\bin
3. In the Connect to Manager dialog box, type a Manager's name, User name, and Password into the corresponding fields, and then click OK.
4. In the Query Builder screen, click GO to generate the view using the generic view settings. Depending on the amount of data in the event database, it may take a few seconds to generate the view. The message "Generating View" may appear. The view will appear after gathering the selected data.

There are no predefined .ivw files. Views with Manager information that are created and saved by users will default to the .ivw extension.

To load a regular view
1. Start Intruder Alert Event Viewer.
2. Click File > Load View.
3. In the Open dialog box, specify the desired view (.ivw) file and then click Load. If you are not already connected to the Manager, the Connect to Manager dialog box appears with the name of the Manager, the user name, the protocol, and the service number already loaded.
4. In the Connect to Manager dialog box, type the Password and then click OK. Depending on the amount of data in the event database, it may take a few seconds to generate the view. The message "Generating View" may appear. The view will appear
158. evels. From highest to lowest, these levels are A1, B3, B2, B1, C2, C1, and D. At the C2 level, data must be protected so that it is available to only single users. In addition, C2 requires that an audit trail track access and attempted access to objects in the environment. Many operating system vendors now offer C2 auditing to their customers as a configurable option.

After C2 has been configured in the operating system, Intruder Alert can be configured to monitor the C2 audit log created by the operating system. Intruder Alert can monitor C2 audit pipes on HP-UX, Solaris, and OSF/1.

The process for configuring C2 auditing consists of three main steps, or phases. They include:
- Configuring the UNIX system to utilize C2 audit logging. For instructions, refer to the UNIX documentation that shipped with the operating system.
- Initializing and configuring the C2 auditing daemon in the ita.ini file.
- Configuring the Agent to watch the C2atd pipe.

The UNIX operating system writes C2 data to a binary C2 auditor. The C2 audit trail daemon translates the binary data into a format the Agent can read. The Agent then reads the information and processes it. The following graphic illustrates this process.

Figure B-2 C2 audit processing (diagram; labels: UNIX Operating System, Writes to File, C2 Audit security file, Binary Format, C2 Audit Daemon, Reads File 1 sec, Daemon converts binary
159. To configure the Agent service properties
1. In the Windows Control Panel, open Services. (Screenshot of the Windows Services window listing the Intruder Alert services with their Status, Startup type, and Log On As columns.)
2. In the Windows Services window, double-click Intruder Alert Agent v3.6.1 to launch the Agent Properties dialog box.
3. In the Agent Properties dialog box, in the Startup type text box, select Automatic in the drop-down list to ensure that Intruder Alert protection is available at all times.

Administering Intruder Alert

This chapter includes the following topics:
- Starting Intruder Alert Administrator
- Connecting to a Manager
- Disconnecting from a Manager
- Deleting a Manager from the Intruder Alert tree
- Starting and stopping Managers/Agents
- Managing user accounts and privileges
- General administrative tasks

Starting Intruder Alert Administrator

Intruder Alert Administrator runs only on Windows.

To start Intruder Alert Administrator
Do one of the following:
- Click the Windows Start menu and click Programs > Symantec > Intruder Alert > ITA Administrator.
- Double-click the application icon on the Windows desktop.
160. event logs.
- Connect to over 30 different types of OLAP, SQL, and PC databases, including Microsoft SQL Server, Lotus Domino, and Oracle, using supported native/ODBC connectivity.
- Ability to customize the look of your report.
- Address complex reporting requirements with advanced features, including grouping, sorting, sub-reports, and cross-tabs.

To learn more about Crystal Reports, visit the following Web site: http://www.businessobjects.com

Understanding security reports

The information in this section answers the following common questions about reports:
- Why generate reports?
- What reports are available out of the box?
- How do I create and use my own Crystal Reports templates?

Why generate reports

Intruder Alert reports help you see:
- What attacks occurred on your enterprise
- Where those attacks occurred (i.e., the hosts on which they occurred)
- How many attacks occurred
- Who the attackers were

Having this information presented in a clear, concise format helps you prevent the misuse of information resources. With this information you can take preventative measures as necessary, including disabling a user's account, restricting file and directory access, and disabling vulnerable services. Also, reports can be printed and distributed to management and technicians, or they can be exported and used in another application.

What reports are availa
161. ew will update the open views with those events; this may take a few seconds.

To set up the printer
1. On the Report Viewer toolbar, click Printer Setup.
2. Select the desired printer, paper, and orientation settings.
3. Click OK.

Print the report

To print the report
1. Generate/open a report.
2. On the Report Viewer toolbar, click Print.
3. Select the print range and number of copies.
4. Click OK. The report is sent to the printer.

Export and save the report contents

You can export the report contents in a number of different file formats, including CSV, TSV, Excel, RTF, HTML, Microsoft Word, and plain text.

Note: Due to limitations of the Export utility, you may receive an error saying it cannot export the report contents.

To export and save a report
1. Generate a report.
2. On the Report Viewer toolbar, click Export.
3. In the Export dialog box, in the Format drop-down list, click the desired format.
4. In the Destination drop-down list, click the desired destination. For example, if you choose the file format HTML 3.2 Standard and the destination Application, the Report Viewer will start the default browser with the report data loaded.
5. Click OK.
6. For some file formats, in the Number and Date Format dialog box, select the desired number and date formats and then click OK.
7. Do one of the following:
   - If you
162. ewatch ita\system\system\ntcrit_S.lst ntcrit_S

Turns on address caching (ON or OFF): ADDR_CACHE OFF
Specifies how long the agent will use a cached address before trying to look up again, in minutes. The minimum is 15 minutes, the maximum is 48 hours: ADDR_CACHE_TIMEOUT 60
Communications timeout, in seconds. The default is 30 seconds: ITA_TIMEOUT 30
How long before the agent negotiates a new encryption key, in seconds. The default is 24 hours: ENCRYPTION_KEY_LIFETIME 86400
How often the agent checks for expired keys, in seconds. The default is 60 minutes: ENCRYPTION_KEY_CHECK_INTERVAL 600
Configure agent command restrictions. This file contains all commands that the ITA agent is allowed to execute via an Execute Command Action. NOTE: If no file is specified or the file does not exist, then no commands will be allowed: ITA_COMMAND_LIST ita\system\system\commands.txt
Specifies how large, in bytes, the agent cache files are allowed to be. Default and maximum are 10000000: MAX_CACHE_SIZE 10000000
How often the agent checks for changes to the cols_nt.cfg file, in seconds. The default is 60 seconds: NT_EVENT_TIMER 60
How many events to process before checking for other work. The default is 20. For each event source this number is multiplied by the followi
163. Q
queries: complex 196; defining 46; labels in 193
Query Builder wizard: about 176; about generating reports 203; advanced queries 184; advanced queries, building blocks 192; advanced queries, defining 192; axis properties in charts 181; bar chart view 178; GO button 185; introduction to 46; launch view 185; line graph view 178; Manager selection in 177; pie chart view 179; query list 184; report view 180; screen one 177; screen three 183; screen two 182; text view 180; time offset 183; time span 183; view types 177
R
Raise Flag action 108; configuring for event context capturing 165; event variables used with 161; introduction to 36
record delimiters 115
Record to Event Viewer action 106; introduction to 36
Registered Agents branch 40
registering: an Agent on UNIX 56, 77; an Agent on Windows 60, 79
Registry: about 232; auditing with regedt32 232; location of auditing sources 233; monitoring by Intruder Alert 232; Windows Audit Tampering policy 233
Registry Key Command: creating a custom filter rule 237; creating a custom policy 236; creating a custom standard rule 238; defining information passed to the collector 238; overview 235
Registry Key criteria 105; introduction to 35
removing: Agent from a domain 76; policies 129; policies from Manager 130; user account 70
renaming Agent on Windows 82
report view 49, 180; using Crystal Report templates 50
Report Viewer 203; about 208; automatic refresh 210; exit 212; exporting t
164. four steps that are outlined below:
- Creating a file watch list
- Adding the filewatch command to ita.ini. Examples include:
   - filewatch c:\security\ita\filewatch\chk1hr.st chk1hr
   - filewatch /security/ita/filewatch/filechk.fil filechk
   - filewatch c:\security\ita\filewatch\test.lst test
- Restarting the Manager and Agent to activate the new command added to the ita.ini. See "Starting and stopping Managers/Agents" on page 66.
- Creating and activating a policy to detect the new event messages and to perform desired actions. See "Creating a policy" on page 138.

Creating a file watch list

The file watch list defines:
- The files to check
- The types of checks to perform
- The frequency with which to check the files
- Text messages sent to the Agent

Byte Rotary (BROT), Word Rotary (WROT), MD5 checksums, and file access time are configurable. Do not use checksums and access times together, because checksums regularly access the file. The check time and the number of files to check will impact CPU usage. Shorter times and longer file lists will have the greatest impact.

The following table describes the commands and options used in the file watch list.

Table 9-2 File watch list commands and options
<text>: This command adds a text comment to the list. Text comments can be added anywhere in the list. They must be preceded by a percent symbol.
165. ft Access.
3. Save or export the data in Microsoft Database (MDB) format. These events will be used to design the tables and charts in Crystal Reports Report Designer.

The following table describes the events database. Use this information when creating the report template in Crystal Reports.

Table 12-2 Database definition table
Field    Type        Size   Notes
Date     Text        13
Time     Text        13
Value    Text        13
System   Text        255    Must be static size of 255 for queries, sorts, and indexing. System can be 256.
Policy   Text        35
Rule     Text        35
User     Text        35
Event    Text/Memo   256

Generating security reports

To generate a security report
1. Open the Event Viewer.
2. Click File > New Query.
3. In Screen One of the Query Builder wizard, in the Managers box, do one of the following:
   - Type the name or IP address of the Manager.
   - In the drop-down list, click the name or IP address of the Manager.
   If the Event Viewer is not connected to the selected Manager, the Connect to Manager dialog box appears. In this case you must connect to the Manager before continuing. See "Connecting to a Manager" on page 64.
4. In the View Type box, click Report and then click Next.
5. In Screen Two, set desired time parameters and then click Next.
6. In Screen Three, select the desired Manager Objects and set any advanced query strings, and then click GO.
166. fully qualified path and filename of the command, batch file, or script on that line. Command line parameters or switches are not required. Include file extensions such as .exe, .bat, and .nlm. For example:
   /opt/security/disable
   c:\winnt\security.bat
   SYS setpass event file
3. Repeat step 2 for each command.
4. Save the commands.txt file.
5. Do one of the following to restart the Intruder Alert Agent:
   - On Unix, type the commands:
     /axent/ita/bin/itarc stop
     /axent/ita/bin/itarc start
   - On Windows, use Windows Services to restart the Agent. See "Configuring Agent service properties" on page 61.

Creating and modifying policies

This chapter includes the following topics:
- The policy development process
- Policy development tasks

The policy development process

Policies should be created by individuals who have a technical background and a thorough understanding of how Intruder Alert works.

Note: Before creating a new policy, make sure that Intruder Alert does not already have a solution for the security problem you are trying to detect. Visit the Symantec Web site for the latest policy developments. Access the web site at http://securityresponse.symantec.com. Under Updates, click Symantec Intruder Alert.

Before creating policies, you should:
- Be familiar with how Intruder Alert collects events on each supported operating system
- Have a good understanding of rule functionality
- Be familiar with Intruder Alert
167. g size in 264; filewatch command in 152; filewatch examples 149; on UNIX 252; on Windows 241
itarc command 56, 66
itasetup command 56, 57, 58, 77; syntax of 73
K
Kill Process action 123; introduction to 37
L
label: changing on Agent on UNIX 58; field in Administrator 38
labels in expressions 193
launching: Event Viewer 43, 176; queries 49
limits, number of Agents 20
line graph view 178
list toolbar 31
LiveUpdate 30
log files: agent log 96; external audit log 85; manager log 96; records in 115
logical operators 197
Lower Flag action 110; introduction to 36
M
Manager: about 20, 52; branch in tree 39; connecting to 64; default port 57, 65; deleting from Intruder Alert tree 65; deleting policies from 130; disconnecting from 65; event database stored on 20; event database, managing 261; menu in Administrator 28; number of registered agents 40; starting or stopping on UNIX 66; starting or stopping on Windows 66
managing: the size of UNIX collectors 265; user accounts and privileges 67
manual: contents 15; overview 15
MD5 149, 150
menu bar: Administrator GUI 26; Event Viewer 43
MIBs 284
modem: on UNIX 85; Windows 85
modifying: passwords 69; user privileges 69
monitoring: effect on performance 228; event sources 230, 234; external audit log files 85; of Registry 232
moving policies 129
MS Access: creating a mdb file 206; exporting to 199; with Execute Command 119
multiple policies, applying simultaneously 128
N
NAT 287
168. g topics:
- Applying policies to a domain
- Removing policies from a domain
- Moving policies to the Policy Library
- Deleting policies from a Manager
- Exporting policies
- Importing a policy
- Securing the Execute Command action

Applying policies to a domain

Policies are applied to all Agents in a domain. Once a policy is applied to an Agent, the Agent begins monitoring for the defined Select and Ignore criteria.

Note: A policy is not enforced until it is applied.

The following instructions describe the process for applying a policy from the Policy Library. However, if the policy already exists on the Manager, it can be applied from the Policies branch. To apply a policy that already exists on the Manager from the Policies branch, begin at Step 4 in the procedure below.

To apply a policy to one or more domains
1. Connect to a Manager. See "Connecting to a Manager" on page 64.
2. In the Intruder Alert tree, in the Policy Library branch, click the desired policy.
3. Do one of the following:
   - Drag the policy from the Policy Library and drop it on the Policies branch under the desired Manager.
   - Copy and paste the policy from the Policy Library to the Policies branch of the desired Manager.
   The policy now resides on the Manager, but it has not yet been applied.
4. In the Policies branch, right-click the desired policy and then click Apply to Domain in the drop-down lis
169. gents or less at a time.
Tuneup utility requirements for update functionality
Symantec has provided the Tuneup utility to update old agents up to the current release. In order for the Tuneup utility to update the Agent on an NT 4.0 machine, the machine must be using Service Pack 5.
Service control error: unable to start service
If you get this error after installing Intruder Alert, you may correct the error by reinstalling the current Service Pack that is running on your Windows system.
TUNEUP fails to upgrade a remote agent
On some systems, Tuneup will not execute a batch job to execute the tune-up file. It creates the transfer directory and the launch script but fails to execute. This is most likely an end-user configuration problem. Tuneup requires that the agent being upgraded have permission to submit the batch job to the operating system. This means that the username of the agent process must be listed in the at.allow file, or not listed in the at.deny file, on the Agent system. On most systems the username will be root. However, to ensure the correct username, you can run the following command:
ps -ef | grep itaagtd
If the username of the itaagtd process is not listed in the at.allow file, if the at.allow file does not exist, or if the username is listed in the at.deny file, the agent will not be able to start the upgrade process. Either add the userna
170. ger ERROR_LOG_MAX_SIZE=50000
To configure automatic file truncation on UNIX
1. Open the Agent's ita.ini file in a UNIX text editor. If Intruder Alert was installed in the default location, the ita.ini file would be located in the /axent/ita/system/<hostname> directory.
2. The desired commands are in the Agent section. See Modified ita.ini file on page 266. Commands are in the ita.ini file but commented out.
3. When finished, save the file.
4. Stop and restart the Agent. See Starting and stopping Managers/Agents on page 66.
The specified files will automatically be truncated when they reach the specified size.
Optimizing bandwidth usage
Intruder Alert sends packets across the network when:
- Managers update an Agent's configuration (e.g., new policies get added, the Agent is configured with paging or emailing capabilities, etc.)
- Agents send email
- Agents raise global flags
- Agents record event/attack data in the Manager's event database via the Record to Event Viewer action
Excessive data crossing the network at one time can hinder data flow. To prevent this problem, Intruder Alert allows you to throttle how much data the Agent sends. However, if you throttle the transfer rate too much, events will accumulate in cache files on the Agent. If these cache files become full, event data may be lost due to a lack of me
171. his allows you to select or exclude events stemming from specific systems. For example: system = Spartan
Policy: Policy refers to the name of the policy that detected the event. Add policy names to the query or add policy names using the Manager Objects/Query List boxes. With either method, the results are the same. For example: policy = NT User Changed
Rule (not available on UNIX): Rule refers to the name of the rule that detected the event. Add rule names to the query or add rule names using the Manager Objects/Query List boxes. With either method, the results are the same. For example: rule = Account Changed
User: User refers to the user name of the person that generated the event. If, for example, on a UNIX system you have multiple users logged in at once, you can select events generated by specific users. For example: user = jdoe
Table 11.1 Query labels
TXT: The TXT (all in caps) label allows you to define specific text on which to query. This label can only be used with the equals (=) equality operator. For example: TXT = Source Security
Note: Use the Offset fields in screen two of the Query Builder wizard to define the time period parameters.
Note: Labels created when parsing user-defined audit logs are also available for query definition.
Equality operators
Equality operators are used within simple expressio
172. hostname>\<number>.rex is encrypted with a different algorithm. This entry indicates that some or all of the data in the .rex file is corrupted. There is no way to recover data from a corrupted event file. To continue to record current events, use one of the following methods:
- Delete the .ext and .rex files from the <hostname> directory. Restore older .ext and .rex files from the most recent backup. All event data that was recorded since the latest backup will be lost.
- Delete the .ext and .rex files from the <hostname> directory. All event data will be lost.
Because Intruder Alert saves final data to each .rex file before renaming it to an .ext file, .ext files cannot be used to substitute for a corrupted .rex file.
Corrupted .ext files
If Intruder Alert cannot read an .ext file, all events in that file and previous .ext files are lost.
Manage the size of Intruder Alert error logs
Intruder Alert's Manager and Agent record various errors that occur during their operation. Symantec's customer support representatives use these files to diagnose problems. The name of the Manager's error log is manager.log and the name of the Agent's log is agent.log. The default location for these files is in the directory <system disk>\Program Files\Symantec\ITA\system\<hostname>. A setting in the ita.ini file contro
173. hree basic system audit log sources:
- Security
- Application
- System
About auditing
The Windows audit policy in Event Viewer defines the security-related events to monitor and log in the Windows Security event log. The Security event log is viewable from the Windows Event Viewer. Intruder Alert turns on Windows event logging, but not all security-related events are required for Intruder Alert to successfully operate. The following are the default audit events for Windows.
Table B.3 Windows recommended audit policy
Audit account logon events: X X
Audit account management: X X
Audit directory service access: X
Audit logon events: X X
Audit object access: X X
Audit policy change: X X
Audit privilege use: X
Audit process tracking: X
Audit system events: X X
Additional functionality in the event log collector
In Intruder Alert version 3.6.1, the event log collector is enhanced to provide finer granularity in the processing of event log records. This is done with two additions in functionality:
- First, the Event Record selection criteria is expanded to allow optional selection based upon Event ID and Event DOMAIN\USER.
- Second, you can now exclude events.
To support these new features, there are some changes to the syntax of the file cols_nt.cfg. The cols_nt.cfg file contains a complete list of the even
174. ible to flood the network and all the Agents that report to the configured Manager with large numbers of TCP/IP packets.
Flags can be raised for finite or infinite periods of time. If the flag is raised indefinitely, the only thing that can lower the flag is a Lower Flag action. See Lower Flag on page 110. If the raised flag is given a lifetime, then the flag will remain raised until the lifetime expires. Flags configured with lifetimes can also be canceled by a Lower Flag action.
The following graphic illustrates the raise flag configuration fields.
Figure 6.16 Raise Flag action (dialog screenshot: Global to all Agents on all domains; Flag Environment: Save Event Environment with Flag, Tag: User Name; Flag Lifetime: Flag has a Lifetime, Days/Hours/Minutes/Seconds, Reset Flag Lifetime with each trigger)
The following table describes each field.
Table 6.3 Raise Flag configuration options
Global to all Agents on all domains: This setting directs the Agent to raise the same flag globally on all Agents registered to the same Manager. Note: Global flags and event context capturing (enabled via the Save Event Environment with Flag check box) cannot be enabled at the same time.
Save Event Environment with Flag: This check box d
175. ick Delete in the drop-down list.
2. In the Delete dialog box, click Yes.
Starting and stopping Managers/Agents
The following instructions describe how to start and stop Managers and Agents manually for each operating system.
Note: If the Manager and Agent reside on the same machine, Intruder Alert starts both the Manager and Agent automatically during system startup.
Starting and stopping a UNIX Manager/Agent
To start and stop a UNIX Manager/Agent
1. At the UNIX prompt, type the command: cd /axent/ita/bin
2. Type one of the following commands and then press Enter.
Table 4.1 UNIX commands
Stop the Manager and Agent: itarc stop
Start the Manager and Agent: itarc start
Stop the Manager only: itarc stopMgr
Stop the Agent only: itarc stopAgt
Starting and stopping a Windows Manager/Agent
You can stop and start Intruder Alert components from the Windows command prompt, from the Windows Start menu, or via the Services utility located in the Control Panel.
To start and stop a Windows Manager/Agent from the Windows command prompt
1. At the Windows command prompt, go to the following directory: <system disk>\Program Files\Symantec\ITA\bin
2. Enter one of the following commands.
Table 4.2 Windows commands
Stop the Manager: mgrnt stop
Tab
176. ies the port number on the Manager system. The default port number is 5051.
8. Click OK. Intruder Alert Administrator attempts to connect to the Manager. If the connection is successful, the expansion box appears next to the name underneath the Managers branch. If the connection is not successful, an error message will appear.
Intruder Alert supports Manager reconnects to unavailable Agents. The Manager will periodically retry any failed attempts to connect to an Agent.
If the attempt to connect fails, repeat the process, watching for typographical errors. For example, passwords are case sensitive. Also verify that you are able to perform a successful nslookup on the Manager system to confirm that the Domain Name Service (DNS) server can resolve the hostname to its IP address. If the Manager will not connect, make sure the Manager daemon or service is running.
Disconnecting from a Manager
To disconnect the Administrator from a Manager, follow the procedure below.
To disconnect from a Manager
1. In the Intruder Alert tree, expand Managers.
2. Right-click the Manager and then click Disconnect from Manager in the drop-down list.
3. In the Administrator dialog box, click Yes.
Deleting a Manager from the Intruder Alert tree
To delete a Manager from the Intruder Alert tree in the Administrator, follow the procedure below.
To delete a Manager from the Intruder Alert tree
1. In the Intruder Alert tree, right-click the Manager and then cl
177. iewer action. The rule value is set at 50.
Shared Record Emergency: This policy records events posing a high security threat in the Manager's event database by using the Record to Event Viewer action. The rule value is set at 90.
Shared Record FYI: This policy records events posing a low security threat in the Manager's event database by using the Record to Event Viewer action. The rule value is set at 20.
Instead of creating your own shared rules, you should modify and use existing rules according to your needs. You can modify shared rules within the Policy Library and then copy them to the desired Managers.
Note: Intruder Alert Administrator automatically saves all changes that you make within the Policy Library. However, once you copy a policy to a Manager's branch, you must explicitly save it and any changes to it. Administrator sends policy updates to the Manager only after you save.
To ensure that the ITA Shared Actions policy is available to all Agents, apply it in the All Agents domain.
To configure a shared rule
1. In the Intruder Alert tree, expand Policy Library and then expand Configure to Detect.
2. In the Configure to Detect branch, expand Generic and then expand ITA Shared Actions.
3. In the ITA Shared Actions branch, expand Rules. The shared rules should be visible.
4. Expand the desired rule to display the Select, Ignore, and Actions
178. ile
Appendix: Destination ports for Intruder Alert
Overview
Ports used
Intruder Alert components such as Administrator, Event Viewer, Agents, IA Query, and Tuneup communicate over the network with the Intruder Alert Manager. When a firewall device is positioned between the components and the Manager, the components must connect to the Manager through the firewall. You must configure the firewall to allow connections initiated from the component systems to reach the Manager on certain ports. This appendix documents the ports to enable to allow Intruder Alert to pass traffic through your firewall. You must make the required ports known to the firewall by creating protocols and rules and configuring Network Address Translation (NAT). For more information about configuring Intruder Alert with a firewall, see the Intruder Alert 3.6.1 Installation Guide.
Note: In all situations the Agents must have the ability to communicate directly with the Managers. This means that TCP/IP connectivity and routing must be configured to allow this communication. This is especially important when the Agent computer is outside of a firewall, in a DMZ network, and may not otherwise have a route to the IP address of the Manager assigned by Intruder Alert.
Normally, source ports are allocated dynamically within the range of 1024-65535. Destination ports have default values in Intruder Alert, but these ports can be changed during installation.
179. information in a report
- Exit the report
Refresh the report contents
Use the refresh feature to verify that the report contains the most recent events.
To update the report contents
1. In the Event Viewer, the desired Report View window must be active.
2. Click Edit > Refresh Report. The report is updated with the latest events.
Note: Reports that include current information only need to be updated if you select the time setting Time Span in the query. If you select Offset from current time (real time stats), the report will automatically refresh.
Suspend and resume automatic refresh
In Offset From Current Time (real time stats) mode, the report view automatically refreshes itself in real time, meaning that events get posted on the report immediately after they occur. The Suspend Automatic Refresh feature allows you to disable Intruder Alert Event Viewer's real-time updating temporarily. If you have multiple report views open, the Suspend Automatic Refresh feature will suspend all automatic refreshing on all reports and views.
To suspend and resume automatic refreshing
1. Set up the printer.
Click Edit > Suspend Refresh. The automatic refresh function is suspended.
Click Edit > Resume Refresh. Automatic refreshing is resumed.
If events occurred while automatic refreshing on all open report views was suspended, Intruder Alert Vi
180. ing policies to a domain on page 127.
Deleting a domain
When you delete a domain, Agents belonging to that domain are still registered to the Manager, and policies continue to reside in the Policies branch on the Manager.
To delete a domain
1. In the tree, right-click the domain and then click Delete in the drop-down list.
2. In the dialog box, click Yes to confirm the deletion.
Adding an Agent to a domain
To add an Agent to a domain
1. In the tree, expand Managers and then expand the desired Manager. See Connecting to a Manager on page 64.
2. In the Registered Agents branch, right-click the Agent and then click Add to Domain in the drop-down list.
3. In the Add <Agent> to Domain dialog box, select the desired domain and then click OK. For multiple domains, do one of the following:
   - Press Shift and select the first and last of a group of desired domains, and then click OK.
   - Press Ctrl and select each desired domain, and then click OK.
   The Agent is added to each selected domain.
Removing an Agent from a domain
To remove an Agent from a domain
1. In the tree, expand Managers and then expand the desired Manager. See Connecting to a Manager on page 64.
2. In the Domains branch, expand the desired domain and then expand Agents in Domain.
Figure 5.1 Removing an Agent (tree screenshot: Example Domain with Activated Policies; callout: Right-click on the ... Age
181. ion Throttle text box, type the desired throttling value. The default is 5 KB/sec.
6. When finished, click Save. The Record to Event Viewer action is throttled.
Configure the email (SMTP) action throttle
Administrators can reduce the risk of slowing the network by throttling the number of email notification messages the Agent can send per minute. The default limit is 10 emails per minute.
Note: If the number of email messages exceeds the throttle in a given minute, the Agent discards the excessive messages.
To throttle the Send Email action
1. In Intruder Alert Administrator, connect to the desired Manager. See Connecting to a Manager on page 64.
2. In the Intruder Alert tree, expand the connected Manager's branch.
3. In the Manager's branch, expand Registered Agents.
4. In the Registered Agents branch, click the desired Agent. The Agent configuration boxes appear in the right pane.
5. Click in the SMTP Throttle text box and enter the desired throttling value. The default value is set to 10 emails per minute.
6. When finished, click Save.
Known issues and resolutions
commands.txt changes require system to be restarted
Any time any Intruder Alert configuration file is changed, the Manager must be shut down and restarted in order for the configuration file to get re-read and implemented. Likewise, if changes are made to an Agent configuration file
182. irects the Agent to save event contexts with the raised flag. It is used to enable the event context capturing feature. See Configuring the Raise Flag action to use event context capturing on page 165.
Tag: This box allows you to select the criteria by which events will be sorted on the raised flag. For example, if you select User Name, events captured during the flag's lifetime will be sorted by user name.
Flag has a Lifetime: This check box enables/disables the flag's lifetime. Check this option to configure the flag with a lifetime. After checking this box, specify the flag's lifetime in the Days, Hours, Minutes, and Seconds fields.
Days, Hours, Minutes, Seconds: These fields define the flag's lifetime.
Reset Flag Lifetime with Each Trigger: This option directs the flag to reset its lifetime with each new trigger that occurs while the flag is raised. For example, if the flag has a lifetime of two minutes and two events occur one minute apart that trigger the flag, the first event raises the flag and the second resets the flag's timer back to two minutes. Thus the flag's total lifetime is three minutes. Use this option when you want the flag's lifetime to reset with each new trigger that occurs during its lifetime.
Lower Flag
The Lower Flag action lowers or cancels a raised flag
183. ister Agents on UNIX or Windows from Managers installed on UNIX or Windows. You can use single.exe on the Windows command line or itasetup on UNIX to unregister local Agents from a Manager. All three procedures are provided in this section.
To unregister an Agent from a Manager using Administrator
1. In Intruder Alert Administrator, connect to the desired Manager. See Connecting to a Manager on page 64.
2. In the Intruder Alert tree, expand Managers and the desired Manager, and then expand Registered Agents. The list of registered Agents should be visible.
3. Right-click the Agent and then click Unregister from Manager in the drop-down list.
4. In the Unregister Agent dialog box, click Yes.
To unregister a local Agent using single.exe on Windows
1. To open a command line window, click Start > Run and, in the Run dialog box, type cmd. In the Run dialog box, click OK.
2. To change to the correct directory, type cd <system disk>\Program Files\Symantec\ITA\bin, where <system disk> is replaced by the drive letter where your Program Files folder resides.
3. Type the following command and then press Enter: single.exe -u <manager>, where <manager> is replaced by your actual manager name or IP address.
To unregister a local Agent using itasetup on UNIX
1. At the system console, type the following command: cd /axent/ita/bin/<platform
184. istry key. Intruder Alert, with its Registry Auditing capabilities and its Registry Key command, lets you safely monitor the Registry. False positives are reduced to a minimum because only the key or value needed is audited, and Intruder Alert audits how it is accessed.
Implementing Registry auditing in an Intruder Alert policy lets you create a rule that uses the Select Windows Registry Key criteria. In the rule, you can add the desired Action so that Intruder Alert can respond to any suspicious Windows Registry activity. All events are sent to the Event Viewer by default. Other than configuring the policy and rule, the Registry monitoring capabilities require no additional configuration by the user.
Using these features of Intruder Alert makes Registry monitoring much easier. Otherwise, the user would have to figure out how to find the Registry keys, then turn on the auditing, and then create a rule in Intruder Alert.
The load of the auditing is virtually undetectable. The Intruder Alert registry auditing takes very few CPU cycles and no disk access. This keeps the auditing load to the absolute minimum.
Intruder Alert 3.6 enhancements
We can look at the Windows Audit Tampering policy in Intruder Alert 3.6 as an example of added capability and protection available through use of the Registry monitoring. The Windows Audit Tampering policy checks for seven events:
- Changing the audit policy
- C
185. itional toggle that can be placed on individual files and directories. This switch is MD5. Use it in the same way as the BROT switch.
ACCESS: This command enables and disables the function that detects when files were last accessed. If enabled, access times on the files following the command are compared.
Note: The monitoring process must access the file in order to calculate checksums. Therefore, do not enable both checksum and access functions at the same time.
Table 9.2 File watch list commands and options
<path>\<filename>: Use the following guidelines:
- On UNIX, the root directory can be defined differently for each user. Use rootdir as a variable location.
- On UNIX, you can use to indicate the root directory.
- Use the variable windir to identify the correct location and name of the main Windows directory.
- Use ita to locate the ita directory dynamically.
- If the system name is part of the path, use the variable system to represent the host name.
- If the platform is part of the path, use the variable platform in place of the platform name.
- Wildcards are supported.
Two file watch lists are automatically installed with every UNIX and Windows Agent. On Windows, these lists reside in the folder <system disk>\Program Files\Symantec\ITA\system\<hostname>. On UN
186. lable box. Drag system objects (Sharkie, Snowball) from the Available box and drop them in the Systems to Monitor box. If more than one Agent system is being monitored, the And/Or radio buttons define the relationship between the selected systems. Choose the And radio button when all selected systems must be present to satisfy the requirements of this selection criteria. Choose the Or radio button when one of the selected systems alone is sufficient.
Windows Registry Key criteria
The Windows Registry Key criteria selects or ignores events generated in the registry by key. With these criteria, the system can act on signatures that indicate unauthorized access to the system. The Windows Registry Key criteria can apply any action and report to the Intruder Alert Event Viewer.
Actions
Actions execute when the Select criteria are true and the Ignore criteria are false. Intruder Alert offers 14 different actions. This section describes the purpose of each action and how to configure it. The actions are:
- Record to Event Viewer
- Raise Flag
- Lower Flag
- Send Email
- Send Page
- Append to File
- Notify
- Start Timer
- Execute Command
- Run Shared Action
- Cancel Timer
- Kill Process
- Disconnect Session
- Disable User
Note: The ITA Shared Actions policy allows you to administer actions from a central location. See Modify the ITA Shared Actions policy on page 141.
187. lag, the saved events, and the event currently being evaluated by the Agent. The braces are used to specify the current event, and the dollar symbol is used to specify the saved events.
(Select statement format: Variable | Equality Operator | Variable or Data)
Table 10.1 describes the supported Select statement equality operators.
Table 10.1 Select statement equality operators
= (Equal To): Selects events in which the event variable contains the specified variable or text.
!= (Not Equal To): Selects all events except those in which the event variable contains the specified variable or text.
< (Less Than): Selects events in which the event variable contains a value lower than the stated value.
> (Greater Than): Selects events in which the event variable contains a value greater than the stated value.
<= (Less Than Or Equal To): Selects events in which the event variable contains a value less than or equal to the stated value.
>= (Greater Than Or Equal To): Selects events in which the event variable contains a value greater than or equal to the stated value.
The data portion of the Select statement may list another variable or specific text. The following are examples of valid Select statements:
- User Name = Courtney
- Flag Context Count > 5
- Minute = Minute
- Process ID = 1145370
Note: The Select/Ignore Flag support
188. lag count variables
Flag count variables, or flag counters, are variables that count event occurrences during the lifetime of the flag. Flag count variables allow you to trigger an action when a certain number of events have occurred. Flag count variables are used with the Select Flag option. There are three flag counters:
- Flag Instance Count
- Flag Count
- Flag Context Count
To understand the difference between these variables, return to the example where Sam, John, and Mike caused seven failed logins within a two-minute period. In the following diagram, note the three flag counters and how they are used.
Figure 10.5 Flag counter diagram (raised flag with a 2-minute window, old contexts deleted; per-user columns "Flag Counters" and "Distinguishing Characteristic": first user Flag Context Count 3, Flag Count value illegible; John Flag Context Count 2, Flag Count 2; Mike Flag Context Count 1, Flag Count 1)
The following sections describe each variable in more detail.
Flag Instance Count
The Flag Instance Count variable refers to the number of unique instances created during the flag's lifetime. When an event is saved with a flag, it is sorted by a user-defined criterion in the Raise Flag action. For example, if User Name is the criterion, the Flag Instance Count increments each time a new user name is created. Use this counter to select when a certain number of instances have occurred. For exam
189. le at install, the system begins with 1.rex. When this file reaches 2 MB, the Manager saves the file as 1.ext and creates 2.rex. When 2.rex becomes full, it saves the file as 2.ext and creates 3.rex. The Manager can have up to 99,999,999 extent files (i.e., 1.ext through 99999999.ext). The Intruder Alert Event Viewer queries these files for selected data. You can archive this data and delete it from your system if desired. More information on archiving and managing these files is available. See Understand and manage the event database on page 261.
The Intruder Alert Agent
The Agent is a UNIX daemon or Windows service. Every supported UNIX and Windows system in the network should have an installed Agent. Agents perform the following services:
- Monitor event collectors
- Perform actions (e.g., notify user, send email, page administrator, etc.)
- Receive policy updates from the Manager
- Establish secured communication with the Manager and encrypt data for transmission across the network
Security events are captured differently on each operating system:
- On UNIX systems, by default, the Agent captures events from syslog, wtmp, process accounting, and, where available, btmp, btmps, wtmps, and C2 audit logs. Intruder Alert must be configured manually to monitor C2 audit logs. See Configure Intruder Alert to monitor C2 collector on page 224.
- On Windows systems, the Agent captures events from the System, Application, and
190. le, if you are monitoring the Shares key, you will receive many alerts that you do not necessarily want.
Intruder Alert uses the Registry through a runtime loading collector. The collector operates through the agent. When the agent is stopped, the collector unloads.
Creating a custom policy
There are two parts to auditing a Registry key. The first part generates a Registry filter rule that gets passed to the collector. This means the collector monitors only the keys needed. This reduces CPU overhead on the system and Intruder Alert. The second half requires creating a standard rule that watches for the access to the Registry key.
Use the following scenario to create a custom policy in which you will store your custom rules. You have a system configured for certain critical operations and want to know if any user attempts to change the PATH settings.
The procedures in this section explain how:
- To create a custom policy
- To create a custom filter rule within your policy
- To define information passed to the collector
- To create a second custom rule for actions
You must also define the action to be taken when the rule is activated. See Actions on page 106.
The scenario for creating your custom policy is that you are monitoring the computer and want to design a custom rule that will alert you if anyone tries to change the PATH settings.
To create a custom policy
191. le 4.2 Windows commands
Start the Manager: mgrnt start
Stop the Agent: agtnt stop
Start the Agent: agtnt start
To start and stop a Windows Manager/Agent from the Windows Start menu
1. Click Start > Programs > Symantec > Intruder Alert > ITA Mgr/Agt Setup. The Manager/Agent Setup dialog box appears.
2. To stop the Agent, click Stop Agent.
3. To stop the Manager, click Stop Manager.
To start and stop the Windows Manager/Agent with the Windows service utility
1. Under the Windows Control Panel, open Services.
2. In the Services window, do one of the following:
   - Right-click Intruder Alert Agent v3.6.1
   - Right-click Intruder Alert Manager v3.6.1
3. To stop the Manager or Agent, click Stop in the drop-down list.
4. To start the Manager or Agent, click Start in the drop-down list. The Status column indicates whether the service is stopped or started.
Note: Intruder Alert Agent services should be configured so that Startup Type is Automatic, so that protection can be started at boot time. See Configuring Agent service properties on page 61.
Managing user accounts and privileges
The User Manager controls who can access the Intruder Alert Administrator and Intruder Alert Event Viewer and what privileges they have when installing and administering it. The following table lists the privileges that can be assigned to a user.
Table 4
192. learing the event log
- Turning auditing off
- Turning auditing on
- System, Security, and Application log file size changes
- System, Security, and Application log file location changes
- System, Security, and Application event message expiration changes
The last three checks would not be possible without Registry monitoring.
Default Registry auditing
The sources for the default Registry auditing are located in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog. The event source Registry keys are all below this starting point. On a typical Windows system, you could easily have over 400 possible audit sources under your starting point. However, not all the possible event sources are monitored by Intruder Alert.
You can configure Intruder Alert to capture events from additional event sources by adding entries to the cols_nt.cfg file. Viewing this file also gives you a complete list of the event sources that Intruder Alert automatically monitors. The default event sources will vary depending on which version of Windows you are using. The following is a partial list of the standard audit sources Intruder Alert automatically monitors:
- system Application Popup
- system system
- system RemoteAccess
- system BROWSER
- system Service Control Manager
- system Rdr
- system EventLog
- system NETLOGON
The first column in the list represents the l
193. collectors
About collectors ... 222
UNIX collectors ... 222
Configure Intruder Alert to monitor C2 collectors ... 224
Configure the C2 audit daemon ... 225
Configure Intruder Alert to monitor the C2 audit pipe ... 226
Windows collectors ... 228
Event log collectors ... 228
File watch collector ... 230
Custom log file collector ... 230
Windows Registry collector ... 232
ita.ini file documentation
Optimization and problem solving techniques
Optimizing system performance ... 261
Understand and manage the event database ... 261
Delete old data ... 263
Corrupted .rex files ... 263
Corrupted .ext files ... 263
Manage the size of Intruder Alert error logs ... 264
Debug logging ... 265
Manage the size of UNIX collectors ... 265
Optimizing bandwidth usage ... 267
Config
194. list. In the Apply Policy to Domain(s) dialog box, select the domain in which the target UNIX system resides, and then click OK. Complete the steps below for triggering the 4 Failed Logins event.
To trigger the 4 Failed Logins event:
1. Start the telnet client software.
2. Specify the target telnet server. This server should be in the domain to which the 4 Failed Logins policy is applied.
3. When prompted for the Login and Password, enter pseudo values and then press Enter. The pseudo values will reflect different user names with phony passwords. Be sure to use the same user name at least four times, as well as trying other user names.
4. Repeat Step 3 three more times within a two minute period. The 4 Failed Logins event should appear in the Manager's event database and in Intruder Alert Event Viewer. See the instructions below for viewing the event in Intruder Alert Event Viewer. If the events do not display in the Event Viewer, add the Record to Event Viewer action to each rule of the policy as a troubleshooting measure. After adding the Record to Event Viewer action to each rule of the policy, repeat steps 3 and 4 and watch the Event Viewer to confirm that each rule is working.
To view the event results in Intruder Alert Event Viewer:
1. Start Intruder Alert Event Viewer.
2. Click File > New Query.
3. In the Query Builder window, do one
195. installation, but if it has been removed you must reapply it. See "Applying policies to a domain" on page 127.
Generating Agent status reports (continued):
10. On the Event Viewer menu bar, click ITA > Send Intruder Alert Command. See "Sending an Intruder Alert command to an Agent" on page 191.
11. In the Send ITA Command dialog box, in the Commands text box, type report. Make selections for the Manager and Agent fields in the dialog box, and then click Send Command.
12. On the Event Viewer menu bar, click File > New Query. See "Creating a new view" on page 185.
13. In Query Builder wizard screen one, in the View Type drop-down list, click Text. Fill in the other fields in screen one and then click Next.
14. In Query Builder wizard screen two, click Next.
15. In Query Builder wizard screen three, in the Manager Objects box, click ITA Reports and then click the right arrow to move it to the Query List box.
16. In the Manager Objects box, click the Agent system object and then click the right arrow to move it to the Query List box.
17. Click GO. The Text View screen appears with the Agent report events listed. The Agent report events are the three Agent reports as described above.
18. Click on the first event to view the Agent Load report, the second event to view the Agent Policy report, and the third event to view the Agent Active Datastream report. The contents of the report are viewable in the lower half of the
196. help using the Query Builder wizard, click Help or refer to the section "Using the Query Builder wizard" on page 176.
To create a new view:
1. Start Intruder Alert Event Viewer.
2. Click File > New Query.
3. In screen one of the Query Builder wizard, in the Managers box, do one of the following:
  - Type the name or IP address of the Manager.
  - In the drop-down list, click the name or IP address of the Manager.
4. In the Connect to Manager dialog box, enter the User Name and Password, and then click OK. An asterisk should appear next to the Manager's name in the Query Builder screen, indicating a successful connection. If the asterisk does not appear after a few seconds, the connection process was unsuccessful. Repeat the process, avoiding any typographical errors. If Intruder Alert Event Viewer still cannot connect to the Manager, make sure the Manager is installed and running. You can use the nslookup command on the Manager's system to determine if the system is known to DNS. Also note that Intruder Alert Event Viewer and the Manager must be the same version.
5. In the Query Builder wizard screen, in the View Type drop-down list, click the desired view type. Because the Report view type is significantly different than the other types of views, instructions for generating this type of view are discussed separately. See Chapter 12, "Generating and viewi
197. controls the size of these files. The setting is named MaxLogSize. This setting should be adjusted to control the size of each log file (agent, manager, admin, and iview). The default size is set to 50,000 bytes. When the error log reaches the maximum size specified in the ita.ini file, Intruder Alert saves the file with a .old file extension and builds a new log file with the original file name. By default, Intruder Alert keeps two archived log files. If a .old error log file already exists, Intruder Alert renames the file to agent/manager.bk1 and creates a new agent/manager.log file. You can manage the number of log files written to the system via the ita.ini file. The default for MaxLogFiles is 2. You can set this amount to a maximum of 9,999,999. However, it is not recommended to save more than 10. The size of these logs should depend on how much data you want to keep.
To configure the size of the Intruder Alert error log:
1. Open the Agent's ita.ini file in a text editor. The file is located in the directory <system disk>\Program Files\Symantec\ITA\system\<hostname>.
2. To modify the size of the Agent's error log, locate the MaxLogSize command under the Agent section and specify the new size in KB.
3. If the Manager resides on the same system as the Agent and you want to modify the size of the Manager's error log, locate the MaxLogSize command under the Manager Diagnostics section and specify the new size in KB. Do no
198. Default is 15 seconds.
ITA_TIMEOUT 15
Maximum number of delayed connects. Default is 20. Minimum is 500.
MAX_DELAYED_CONNECTS 20
Maximum number of pending delayed connects. Default is 10000. Minimum is 5.
MAX_PENDING_CONNECTS 10000
Specifies the maximum number of records per batch to send to a query. The default is 500.
FILTER_BLOCK_SIZE 500
Specifies how large the .rex file will get before it rolls to a .ext file, in bytes. The default is 2MB.
RCACHE_EXTENT_SIZE 2000000
Specifies how large, in bytes, the manager cache files are allowed to be. Default and maximum are 10000000.
MAX_CACHE_SIZE 10000000
Allow old agents to connect to this manager.
OLD_AGENTS_ALLOWED 1
Specifies if manager will advertise SAP via IPX/SPX.
SAP_ENABLE OFF
Agent Diagnostics section:
Specifies if the log file is to be kept open while the Agent is running (0 = False, 1 = True).
LogFileKeepOpen 1
Enables or disables diagnostic reporting.
Enable 0
Specifies how large the agent log file will get, in KB.
MaxLogSize 50
Specifies how many old log files the agent will keep.
MaxLogFiles 2
Incl
199. name to the at.allow file or remove it from the at.deny file. The following is the location list of the at.allow and/or at.deny files on supported operating systems. The list is not comprehensive and cannot anticipate a change in location on a new release of a given operating system. See the batch man page for further details.
AIX: /var/adm/cron
HP-UX 10.20: /var/adm/cron
HP-UX 11i v1 (B.11.11): /usr/lib/cron
HP-UX 11i v1.5 (B.11.20): /usr/lib/cron
HP-UX 11i v1.6 (B.11.22): /usr/lib/cron
HP-UX 11i v2 (B.11.23): /usr/lib/cron
IRIX: /usr/lib/cron
NCR: /etc/cron.d
OSF1: /usr/lib/cron
Sequent: /usr/lib/cron
Solaris: /usr/lib/cron
Appendix: SNMP for Intruder Alert
Overview: The SNMP feature in Intruder Alert allows you to configure Intruder Alert to send and receive SNMP messages. You can configure SNMP to forward security events to network management systems, as well as monitor external applications. This capability significantly extends Intruder Alert's ability to manage an enterprise system's security environment. SNMP for Intruder Alert can be installed and configured to run on Windows. To send SNMP messages, you must install SNMP, install and configure the IA Query Event Management System, and set up an iaquery user account in Intruder Alert. To receive SNMP messages, you must configure snmptrap and configure Intruder Alert to receive S
200. memory to store them. Intruder Alert offers two throttles to help optimize network bandwidth usage:
- The Record to Event Viewer throttle
- The Send Email throttle
The Record to Event Viewer and Send Email throttles can be configured from within Intruder Alert Administrator. The following sections describe how to configure these throttles.
Configure the Record to Event Viewer action throttle: The Record to Event Viewer throttle defines the rate at which data transfers across the network to the Manager. If the cache file becomes full, Intruder Alert discards low priority events first, replacing them with higher priority events. A low priority event is an event with a low rule value. New events with a lower priority get deleted. The default throttling speed is set at 5 KB/sec. Set the throttle higher to send more data across the network. If there is a shortage of bandwidth, set the throttle lower to transfer the data at a slower rate.
To throttle the Record to Event Viewer action:
1. From within Intruder Alert Administrator, connect to the desired Manager. See "Connecting to a Manager" on page 64.
2. In the Intruder Alert tree, expand the connected Manager's branch.
3. In the Manager's branch, expand Registered Agents.
4. In the Registered Agents branch, click the desired Agent. The Agent's configuration boxes appear in the right pane.
5. In the Record Act
201. template AgentsReport.rpt, located in the ITA\bin directory.
Table 12.1 Standard report types
Security Report: The Security Report views events from a security point of view. It compares the severity of events by Agent, user, and date. In addition, it lists events by severity level. The Security Report uses a custom Crystal Reports template, SecurityReport.rpt, located in the ITA\bin directory.
User Report: The User Report views events from a user perspective. It compares the severity of events by user, users on an Agent, and date. In addition, it lists events sorted by user and severity level. The User Report uses a custom Crystal Reports template, UsersReport.rpt, located in the ITA\bin directory.
Reports are generated through the Query Builder wizard by selecting the Report view type and defining the parameters of the query, as with any other view type. The Generate Report dialog box appears, allowing you to select the audience and level of detail for a comprehensive report. Or you can select a Security Events Report that simply provides a list of all events matching the query definition, sorted by level of severity. This report does not contain summary graphs or charts. Alternatively, you can select a Custom Report that can use a Crystal Reports template for generating the report. Intruder Alert comes with three such templates: the Agent Report, Security R
202. comprised of up to three parts:
- Select criteria (If)
- Ignore criteria (And)
- Actions (Then)
These criteria relate together to provide functional logic for the policy rule. Select items define selection, while Ignore items define exceptions. Therefore, if the event contains the selection criteria but does not contain the exception criteria, the rule action will trigger. For example:
If <Select> is true AND <Ignore> is not true THEN perform <Action>
Note: Valid rules typically contain one or more Select criteria, an optional Ignore criteria, and one or more Actions. All criteria do not need to be present for the rule to be valid. The following graphic illustrates the If/And/Then logic of policy rules.
Figure 6.1 Rule Logic (flowchart: Select conditions met? No: no action. Yes: Ignore conditions met? Yes: no action. No: perform/execute action(s).)
A single policy may contain several rules, and a rule may contain several criteria. While there is no practical limit to the number of criteria contained in a rule or the number of rules contained in a policy, there is a 64k limit on the size of a policy file, which is roughly 25 rules.
Rule definition: When you create a rule in Intruder Alert, you are presented with the following boxes in the right pane of the Intruder Alert Administrator window.
203. attempt is unsuccessful, troubleshoot the situation with the following procedure.
To register an Agent using the Windows command line:
1. To open a command line window, click Start > Run, and in the Run dialog box type cmd.
2. In the Run dialog box, click OK.
3. To change to the correct directory, type cd <system disk>\Program Files\Symantec\ITA\bin, where <system disk> is replaced by the drive letter where your Program Files folder resides.
4. Type the following command and then press Enter: single.exe -r <manager> <user> <password> <port>, where the angle-bracketed <> arguments are replaced by your actual manager name or IP address, username, password, and port number.
To troubleshoot Agent registration on Windows:
1. Verify that the Manager and Agent are running.
2. Make sure the Manager and Agent can ping each other.
3. Verify that the hostnames of both the Manager and the Agent are known by the DNS server, using tools like nslookup.
4. Repeat the registration process, being careful to avoid any typographical errors.
Unregistering an Agent from a Manager: Unregistering an Agent from a Manager terminates the Manager/Agent relationship; the Agent will no longer report to the Manager. The only way to restore the Manager/Agent relationship is to reregister the Agent with the Manager. From Intruder Alert Administrator, you can unreg
204. Then, if you need more shared action rules, you can add them to the ITA Shared Actions policy. This way all shared rules will be located in the same policy. To ensure the ITA Shared Actions policy is active on all Agents, activate it on the All Agents domain. See "Modify the ITA Shared Actions policy" on page 141. To configure this action, type the name of the rule containing the desired action in the Shared Actions to Run box, as illustrated below.
Figure 6.26 Run Shared Actions (dialog box: Shared Actions to Run entry box with Add to List, Edit List, Remove, and Clear List buttons)
Cancel Timer: The Cancel Timer action cancels or deletes an active timer.
Note: Canceling timers and flags after the event allows Intruder Alert to start with a clean slate. If you do not cancel active timers after an attack, subsequent events may yield false positive results.
To configure the Cancel Timer action, drag the desired timer objects from the Available box and drop them in the Timers to Cancel box.
Figure 6.27 Cancel Timer action (dialog box: Timers to Cancel box and Available box; drag timer objects from the Available box and drop them in the Timers to Cancel box)
Kill Process: The Kill Process action stops the process that triggered the event. However
205. The Disconnect Session action kills all processes associated with the user name contained in the event; therefore the selection criteria must contain the user name. If the user name is not available, no processes will be stopped. On Windows systems, the Disconnect Session action cannot kill a process associated with an administrator account.
Note: On Windows systems, the user will be able to log in again. If you want to prevent the user from logging in, combine a Disable User account action with a Disconnect Session action. See "Disable User" on page 124.
On NetWare, this action disconnects the session if the event contains the connection number. Therefore, the selection criteria must be triggered by events containing a connection number.
Disable User: The Disable User action disables a user's account, other than an account having root (UNIX) or administrator (Windows) privileges. On Windows systems, this action disables the account of the user associated with the event, so the user will not be able to log in again until the account is reactivated by a system administrator.
Note: This action does not immediately log the attacker off the system. If you want to log them off the system, add a Disconnect Session action clause with the Disable User account action. See "Disconnect Session" on page 124.
Administering policies: This chapter includes the followin
206. an indirect rule, and other rules could select or ignore the indirect rule. This makes it possible to centralize select criteria changes for all system messages into one rule.
Filter: If the filter rule criteria are met, all rules in the policy will be ignored. The filter rule contains only select criteria. If the select criteria matches an event, all other rules in the policy are ignored.
Disable: The Disable check box disables the rule. It allows you to retain the rule and its configuration without deleting it.
Select and Ignore criteria: The same criteria exist for both Select and Ignore, with one exception, the Select Timer. There is no Ignore Timer option. This section provides information about the following: System Message criteria, ITA Status criteria, ITA Error criteria, ITA Command criteria, Flag criteria, Timer criteria, Date criteria, ITA Rule criteria, User criteria, System criteria, and Windows Registry Key criteria.
System Message criteria: The System Message criteria contains the event text for which to search. System Message criteria can be used to select or ignore an event. If a Select system message matches an event and does not match an Ignore system message, the actions specified in the rule will trigger. System Message criteria support case sensitive text matching and wildcard operators. Select the check box if you want the event tex
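The If/And/Then rule logic of item 202 together with the filter rule and the case-sensitive, wildcard System Message criteria of item 206, modelled as an added Python example (not Symantec's code); the rule names, event messages, actions, and the translation of the '*' and '?' wildcards into a regular expression are assumptions made for the example.

```python
"""Model of Intruder Alert policy-rule evaluation (added example, not product code).

A rule fires when its Select criteria match the event message AND none of its
Ignore criteria match: "If <Select> is true AND <Ignore> is not true THEN <Action>".
A filter rule carries only Select criteria; when it matches, every other rule in the
policy is ignored for that event.  System Message matching is case sensitive and
supports '*' (any run of characters) and '?' (one character); treating the wildcards
exactly this way is an assumption.
"""
import re
from dataclasses import dataclass, field
from typing import List, Tuple


def wildcard_to_regex(pattern: str) -> "re.Pattern[str]":
    """Translate a '*' / '?' wildcard pattern into an anchored, case-sensitive regex."""
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))   # every other character is literal
    return re.compile("^" + "".join(parts) + "$", re.DOTALL)


def message_matches(patterns: List[str], text: str) -> bool:
    """True if any pattern in the list matches the whole event text (case sensitive)."""
    return any(wildcard_to_regex(p).search(text) for p in patterns)


@dataclass
class Rule:
    name: str
    select: List[str]                                   # Select criteria ("If")
    ignore: List[str] = field(default_factory=list)     # Ignore criteria ("And ... is not true")
    actions: List[str] = field(default_factory=list)    # Actions ("Then")
    is_filter: bool = False                             # filter rule: suppresses the policy
    disabled: bool = False                              # the Disable check box


def rule_fires(rule: Rule, text: str) -> bool:
    """Select matched and Ignore not matched; a disabled rule never fires."""
    if rule.disabled:
        return False
    return message_matches(rule.select, text) and not message_matches(rule.ignore, text)


def evaluate_policy(rules: List[Rule], text: str) -> List[Tuple[str, str]]:
    """Return (rule name, action) pairs triggered by one event message.

    If any filter rule's Select criteria match, all other rules are ignored.
    """
    for rule in rules:
        if rule.is_filter and rule_fires(rule, text):
            return []
    fired: List[Tuple[str, str]] = []
    for rule in rules:
        if rule.is_filter or not rule_fires(rule, text):
            continue
        fired.extend((rule.name, action) for action in rule.actions)
    return fired


# Constructed sample policy: names, patterns and actions are illustrative only.
POLICY = [
    Rule("Maintenance window", select=["*maintenance mode*"], is_filter=True),
    Rule("Failed Logon",
         select=["*Failed Logon*", "*login failed*"],
         ignore=["*user=svc_backup*"],          # known noisy service account
         actions=["Raise Flag", "Record to Event Viewer"]),
    Rule("Audit cleared", select=["*audit log was cleared*"], actions=["Send Email"]),
    Rule("Old catch-all", select=["*"], actions=["Kill Process"], disabled=True),
]

# Constructed sample event messages (not real product output).
SAMPLE_EVENTS = [
    "Failed Logon for user=jdoe from 10.0.0.5",            # fires: Failed Logon
    "Failed Logon for user=svc_backup from 10.0.0.9",      # Ignore criteria match: no action
    "FAILED LOGON for user=jdoe from 10.0.0.5",            # case sensitive: no match
    "The audit log was cleared by user=jdoe",              # fires: Audit cleared
    "System entering maintenance mode; Failed Logon for user=jdoe",  # filter rule: all ignored
]

if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print(f"{event!r} -> {evaluate_policy(POLICY, event)}")
```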
207. in the Flags to Monitor box. If more than one flag is being monitored, use the And and Or radio buttons located near the flag's Label field to define the relationship between each of the selected flags. Choose the And radio button when all the selected flags must be raised to satisfy the requirements. Choose the Or radio button when any one of the selected flags alone is sufficient. To configure the Flag criteria for event context capturing, drag the desired flag from the Available box and drop it in the Flags to Monitor box. Then double-click on the flag's icon. When you double-click on the icon, the Select Flag Criteria dialog box appears.
Figure 6.8 Select Flag criteria dialog box (example criteria shown: Hour > 10, Flag Context Count > 4)
The Select Flag criteria dialog box is used to define the flag's selection criteria. In the above example, the selection criteria for that flag will be met when four or more events occur after 10:00 am. When the hour is stored from a Select Flag criteria, it displays in GMT time. Defining the flag criteria allows event context capturing to work. See "Event context configuration" on page 155.
Timer criteria: The Timer criteria selects one or more active timers. When the selected timer expires, the actions defined in the rule will execute. Timer criteria applies only to Select criteria. To configure the timer, dr
208. and then click Save. Save user defined files with a .ivw file extension. Save modified generic views with a .ivg file extension.
Sending an Intruder Alert command to an Agent: The Send Intruder Alert Command feature allows you to send an Intruder Alert command to an Agent system from Event Viewer. This feature works in conjunction with an Intruder Alert command located in a policy activated on the Agent. Commands are user defined and can be any alphanumeric combination you wish. The following are example commands:
- page administrator
- cancel timer
If you send the command page administrator to an Agent, a policy on the Agent system must have a Select Intruder Alert Command containing the words page administrator. In addition to sending user defined commands, the Send Intruder Alert Command program has one hard-coded command called report. The report command generates three reports containing information about the Agent. See "Generate an Agent report" on page 213.
To send an Intruder Alert command to an Agent:
1. Do one of the following:
  - On the Intruder Alert Event Viewer toolbar, click Send Command. This is the ITA icon on the toolbar.
  - On the Event Viewer menu bar, click ITA > Send Intruder Alert Command.
2. In the Send ITA Command dialog box, in the Manager text box, do one of the following:
  - Type the name or IP address of the Manager.
209. defined Crystal Reports format.
- Several Crystal Reports formats are included with Intruder Alert at the time of installation.
Figure 2.23 Crystal Report templates (file dialog listing AgentsReport.rpt, basic.rpt, SecurityReport.rpt, and UsersReport.rpt; Files of type: Crystal Reports (*.rpt))
In order to take full advantage of the Crystal Reports capabilities in Intruder Alert, including the option to customize your report page with custom logos, you must own a fully licensed version of Crystal Reports. Crystal Reports integration with Intruder Alert provides you with the following benefits:
- Choice of a variety of report types. Choose from sub-reports, conditional reports, summary reports, cross-tabs, form reports, drill-down, OLAP, Top N, multiple detail reports, mailing labels, and more.
- Easy access to Intruder Alert event logs. Connect to over 30 different types of OLAP, SQL, and PC databases, including Microsoft SQL Server, Lotus Domino, and Oracle, using supported native ODBC connectivity.
- Ability to customize the look of your report. Address complex reporting requirements with advanced features including grouping, sorting, sub-reports, and cross-tabs.
To learn more about Crystal Reports, visit the following Web site: http://www.businessobjects.com
Event Viewer task features
Text view: Details of the security event ar
210. information status bar, and headed by two general command elements: the menu bar and toolbar.
Figure 2.18 Intruder Alert Event Viewer (window with menu bar: File, View, ITA, Window, Help; toolbar; viewer window; status bar)
Note: If you maximize the task window, you must choose a cascade or tile view in order to view additional task windows that may be open in the background.
The Event Viewer menu bar contains five menus: File, View, ITA, Window, and Help.
Note: With the exception of the Help menu, the availability of all menu items depends upon your location in the program, the selected tree item, and what you are trying to accomplish.
File menu: Depending on the context, the File menu may contain any of the following commands.
Table 2.7 Event Viewer File menu commands
New Query: Create a new query and define the view type.
Load View: Open a custom view that is linked to a particular Manager.
Save View: Save a custom view. This option allows the query to be saved with Manager-specific information. It is only available after a view has been created and is open on the viewer desktop.
Load Generic View: Open a generic view that can be applied to any Manager.
Save Generic View
211. ng NT Event Log and Registry 1, single line external file 2, multi-line external file 2.
MAX_EVENTS_PER 20
Specifies if agent will advertise SAP via IPX/SPX (ON or OFF).
SAP_ENABLE OFF
Specifies the maximum amount of time reading a single line or multi-line external file, in seconds. The default is 2, the minimum is 1, and the maximum is 10.
LOG_MAX_SECONDS_PER 2
Windows Manager section:
Turns on address caching (ON or OFF).
ADDR_CACHE OFF
Specifies how long the manager will use a cached address before trying to look up again, in minutes. The minimum is 15 minutes; the maximum is 48 hours.
ADDR_CACHE_TIMEOUT 60
Specifies a group of ports that will be used for communication with agents, using the format <PORT_NUM> <PORT_RANGE_BEGIN> <PORT_RANGE_END> <PORT_NUM> <PORT_RANGE_BEGIN> <PORT_RANGE_END>. Maximum value for a port number is 65535. For example: TCP_PORTS 10 20 30
TCP_PORTS
Specifies a group of sockets that will be used for communication with agents.
SPX_SOCKETS
Communications timeout in seconds. Defau
212. Optionally, select the Axis and Interval settings, and then click Next. You are finished with the Query Builder wizard screen one.
In the Query Builder wizard screen two, do one of the following:
- To view events as they occur (data will be added to the view in real time), click Offset from current time (realtime stats) and define the offset amount.
- To view events that occurred within a period of time, click Time Span and then define the time span in the Beginning Event Capture and Ending Event Capture boxes.
Click Next. You are finished with the Query Builder wizard screen two.
In the Query Builder wizard screen three, in the Manager Objects box, click the desired Manager objects and then click the right arrow button to move them into the Query List box. The query will be generated on the objects in the Query List box.
When you have finished defining the query, click GO. If you have defined a broad or complex query, or if there is a large amount of data in the event database, it may take a few seconds longer to generate the view. In such cases the message "Generating View" will appear. Wait for a few seconds until the view appears.
Modifying a view's query definition: After a view has been created, you can modify the query and recreate the view without entirely redefining the view.
To modify a view's query definition:
1. If you have more than one view open, select the desired view.
213. Technical Support section at the beginning of this guide.
Appendix B Operating system collectors: This appendix contains information on the following topics:
- About collectors
- UNIX collectors
- Windows collectors
About collectors: A collector collects data to be analyzed by Intruder Alert. This appendix describes the collectors for each of the supported operating systems, UNIX and Windows. Where applicable, it contains instructions for configuring Intruder Alert to monitor additional sources.
UNIX collectors: Intruder Alert automatically monitors the following UNIX audit logs, unless otherwise noted:
- syslog: syslog contains operating system messages.
- wtmp/wtmps: wtmp and wtmps collect login and accounting information.
- btmp/btmps: btmp and btmps collect failed login information. btmp is not available on all UNIX platforms.
- Process accounting: Process Accounting collects user process information and numerous other processing activities.
A syslog file is located in the /axent/ita/system/<hostname> directory and receives event data from the syslog daemon. A collector daemon, collogd, reads the collector files and pipes event data to the Agent. The Agent then processes the event according to its activated policies. The following diagram illustrates how Intruder Alert captures and processes events on UNIX systems.
Figure B.1 UNIX Operating
214. Actions
Send Page: The Send Page action calls a pager via a modem set up on an Agent system. For the pager action to function, one or more Agents connected to a Manager must be configured with a modem capable of paging, plus the Agent must be configured to interface with the modem device. See "Configuring the Agent for pager notification" on page 84. To configure the Send Page action, type the numbers required to reach your paging service in the Pager Number field. Be sure to include any prefacing numbers required for dialing outside the organization. The number nine (9) is often used in many organizations to get an outside line. Then, in the Sequence To Send field, type the dialing sequence required for sending the page to the desired administrator.
Figure 6.20 Send Page action (dialog box with a Pager Number field for the paging service's phone number, a Sequence to Send field for the numbers dialed upon answering, and a Show Agents that Page button)
Configuration Guidelines: Paging action configuration guidelines are as follows:
- In the Pager Number field, add any prefacing numbers necessary to obtain an outside phone line.
- In the Sequence to Send field, enter the numbers necessary, separated by commas, to select options and send messages through the paging service. Commas act as one second delays. Most paging services have options that must be entered after the call has been answere
215. expressions. Logical operators, discussed under Complex Queries later in this chapter, are used between simple and complex expressions. Intruder Alert View uses the following equality operators:
Table 11.2 Equality operators
= Equal to
Not equal to (operator symbol not legible in this copy)
< Less than
> Greater than
<= Less than or equal to
>= Greater than or equal to
Examples include:
- User=jdoe
- Policy=Collector
- Value>60
Note: Do not add spaces before or after the operator.
Data: The data element in a simple expression contains a specific instance of the label. The data element need not be surrounded by quotation marks unless a space or special character exists in the segment. For example: rule="Failed Logon". The data element may also contain wildcard operators. Use the asterisk (*) wildcard character in place of multiple missing characters or words, and the question mark (?) wildcard operator in place of single missing characters. For example: system=acct
Note: The data element is case sensitive, allowing for more discriminating selection. Be deliberate when using upper and lower case to define the data segment. Use the following guidelines when inputting the data element. Use quotes around multiple word data elements, such as multiple word policy and rule names.
Table 11.3 Data element guidelines
216. Agent and choose
(Figure: Agents in Domain context menu showing Remove from Domain)
3. Right-click the Agent, and then click Remove from Domain in the drop-down list.
4. In the confirmation dialog box, click Yes. The Agent is removed from the selected domain. However, the Agent remains registered to the Manager and still resides in the Registered Agents branch.
Registering an Agent to a Manager: Intruder Alert Agents can be registered to one or more Managers at the same time. The following table lists the corresponding setup utility executable for each supported operating system.
Table 5.1 Setup executables
UNIX: itasetup
Windows: single.exe
Note: You cannot register an Agent to a Manager by dragging and dropping from one Manager to another.
Registering an Agent on UNIX: You can register a local Agent to a Manager by using the itasetup utility in one of two modes:
- Interactive
- Command line option
Procedures for both modes are provided in this section.
To register an Agent on UNIX using interactive mode:
1. At the system console, type the following command: cd /axent/ita/bin/<platform type>, and then press Enter.
2. Type the command itasetup and then press Enter.
3. When prompted with the Intruder Alert setup options, type 4 and then press Enter. The post-installation options are listed.
4. To register the Agent with a Manager, type 3 and then p
Intruder Alert Administrator stores the Manager's name in the Manager's branch of the Intruder Alert tree, allowing you to view the domains, policies, and registered Agents associated with that Manager.

Menu bar
The menu bar contains five menus: File, Edit, Manager, View, and Help.

Note: With the exception of the Help menu, the availability of all menu items depends upon your location in the program, the selected tree item, and what you are trying to accomplish.

File menu
The File menu contains the following commands.

Table 2-1 File menu commands
New                 Create new items.
Save                Save any changes you make.
Print               Output information to a network printer.
Printer Setup       Specify a default printer.
Print to File       Output information to a text file.
Connect to Manager  Connect to a Manager.
Import Policy       Import a policy from your backup directory.
Export Policy       Export a policy file to your backup directory.

Edit menu
The Edit menu contains the following commands.

Table 2-2 Edit menu commands
Copy    Copy available items.
Cut     Cut available items.
Paste   Paste items into appropriate areas.
Delete  Delete available items.
Reload  Reset any changes made to a policy, or restore a policy to its original, unedited version.

Manager menu
The Manager menu lets you acce
o remember event contexts
- Add Select criteria to the rule for an event that will trigger the Raise Flag action.
- In the same policy, create a second rule with a Select/Ignore Flag criteria.
- Configure it with the desired selection criteria and the action to be taken once the rule is triggered.
- Save, activate, and test the policy to make sure it is detecting and responding to the event.

Event context capturing
It is important to understand that events occur within a context. Intruder Alert event messages describe much of the context in which they occur, such as:
- What type of event occurred
- When it happened
- The process that generated the event
- The user that generated the event
- The system on which the event occurred

Simply stated, an event context answers the who, what, when, where, why, and how of an event. However, single events do not always comprise the event. More complex events generate multiple event messages, and only when analyzed together do they identify the event.

Intruder Alert has the ability to filter user-specified events by associating event contexts with a flag, as well as the ability to create multiple instances of a flag, save a flag count, and specify the lifetime of a flag. Intruder Alert's Raise Flag action has the ability to capture events of interest and remember them to identify an event. When the events are saved with th
o various formats 210
print report 210
printer setup 210
refresh contents 209
saving contents 210
search feature 212
zoom feature 211
reporting capabilities 200
data export 199
graphs 200
templates 200
reports
  about 199
  about generating 203
  Agent Active Datastream report 213
  Agent Load report 213
  Agent Policy report 212
  Agent status reports, about 212
  attack information in 201
  Crystal Reports 201
  Crystal Reports, customizing 205
  generating an Agent report 213
  Report Viewer 208
  Security Events Severity graph 204
  security report, generating 207
  standard types 202
restarting after config file changes 269
rex (.rex) file 262
  about 20
Rule criteria, introduction to 35
rules
  actions in 36
  adding 139
  adding actions to 140
  adding criteria to 140
  adding shared 143
  configuring shared 143
  defining 92
  deleting 139
  deleting actions from 140
  deleting criteria from 140
  filter 94
  in ITA Shared Actions policy 142
  indirect 94
  logic of 91
  modifying shared 142
  severity value 93
  understanding 23
Rules branch 40
Run Shared Action action 121
  introduction to 37

S
save button 30
saving
  automatic, in Policy Library 143
  policies 130
  policy changes 140
  reports 210
  views 190
security classifications 23
  in Execute Command action 131
  of command 121
security report, generating 207
Select and Ignore criteria 94
Select criteria 34
  See also criteria
Select statement
  data examples 160
  equality operators 160
  syntax 159
Select toolbar
of the mouse. The bar is available when creating or editing the Ignore criteria of a policy rule and may be selected in the View menu.

Figure 2-8 Ignore toolbar

Ignore criteria may also be added to rules by right-clicking on the Ignore node in the tree view, as illustrated below.

Figure 2-9 Click access to the Ignore toolbar
(Callout: To access the available options in the Ignore toolbar, right-click on the Ignore node in the tree view.)

Action toolbar
The Action toolbar lets you add an action to the rule with a click of the mouse. The bar is available when creating or editing a policy rule action and may be selected in the View menu.

Figure 2-10 Action toolbar

An Action may also be added to rules by right-clicking on the Action node in the tree view, as illustrated below.

Figure 2-11 Click access to the Action toolbar
(Callout: To access the available options in the Action toolbar, right-click on the Action node in the tree view.)

Select and Ignore criteria
The following is a list and description of the Select and Igno
logging service that handles the reporting application, and the second column specifies the application name as it appears in the Source column of the Event Viewer.

Intruder Alert can monitor additional sources specific to your environment, such as third-party applications that register themselves as event sources. In an application log, the application source is listed in the Source column. Intruder Alert can be configured to monitor any of these sources by adding the source to the cols_nt.cfg file.

To configure Intruder Alert to monitor additional sources
1 Open cols_nt.cfg using any text editor (for example NotePad, WordPerfect, and so forth). The file is located in the following directory: <system drive>\Program Files\Symantec\ITA\system\<hostname>
2 Scroll to the bottom of the file and insert the path to the audit source registry. For example: application Java VM
3 Save the file.
4 Stop and restart the Agent for the changes to go into effect. See Starting and stopping a Windows Manager/Agent on page 66.

The Registry key command
In addition to the file and Registry auditing capabilities that Intruder Alert provides, you now have the ability to write custom rules to monitor any Registry key. This feature is new with Intruder Alert 3.6 and provides you with extensive customization capabilities:
- You decide which Registry keys and values to monitor and provi
ogs. Event sources for Windows systems include System, Application, and Security logs. The Agent Active Datastream report lists active event sources on the selected Agent. If the Agent reports were generated on a UNIX Agent, the report will list each datastream (event source) and whether the datastream is active or inactive.

Note: If a data stream is inactive, perform necessary troubleshooting to determine why, and reestablish it as a source of events.

Agent Load report
The Agent Load report lists statistics describing the activity, or load, on the Agent. These statistics include the number of times a Manager has connected to the Agent and the total events processed. Total events processed encompass Intruder Alert Status events, Intruder Alert Error events, and System Message events from each event source, including those from user-defined audit logs.

Generate an Agent report
The Agent reports are generated by sending the Agent an Intruder Alert command called report. The report command generates three events on the Agent system that correspond to the three Agent reports described above. To view the report data, generate a new text view in Intruder Alert Event Viewer with only the Intruder Alert Reports policy and the Agent system selected.

To generate and view the Agent reports
1 Verify that the Intruder Alert Reports policy is active on the Agent system. The Reports policy is automatically activated on each Agent during insta
  collector, about 135
  collector, creating 145
  collector, types of 144
  Configure to Detect 41
  creating 138
  creating custom for collector 237
  customizing a copy of 138
  deleting from Manager 130
  development process, about 133
  development tips 134
  diagnosing errors in 265
  Drop & Detect 41
  enforcing 127
  exporting 130
  four failed logins example 168
  importing 131
  importing NetProwler integration 285
  in domain 40
  ITA Shared Actions, modifying 141
  managing 138
  moving to Policy Library 129
  removing from Agent 129
  removing from domain 129
  saving 130
  saving changes to 140
  size of 134
  storing before deleting 130
  testing 136
  understanding and applying 22
  UNIX File Tampering 147
  Windows Audit Tampering 233
  Windows File Tampering 147
Policies branch 40
  Applied Domains in 40
  Rules in 40
Policy Library
  adding shared rules in 143
  collector policies in 145
  configuring shared rules in 143
  folders in, creating 146
  moving policies to 129
  policy categories in 41
  saving changes in 143
  storing policies in before deleting 130
Policy Library branch 41
ports
  communication 57
  default port on Manager 65
  Manager 57
  snmptrap 281
  used by Intruder Alert components 287
post-installation options
  on UNIX 55
  on Windows 59
print button 30
printing tree view 71
privileges
  modifying 69
  to register new Agents on Windows 61
  user 67
process
  kill 123
  Kill Process action 37
process accounting
  as an event source 21, 222
  managing the size 265
Ind
on ambrosia is updating
- Agent configuration modified
- ITA agent active datastream report

To configure an ITA Status criteria, add the desired text in the Intruder Alert Status Messages to Monitor box, as illustrated below.

Figure 6-4 Intruder Alert status criteria
(Dialog: SELECT Intruder Alert Status; Intruder Alert Status messages to Monitor; Case Sensitive check box; example entry "Intruder Alert Manager status report"; buttons Add to List, Edit List, Remove, Clear List. Callouts: Select to specify case-sensitive text matching; Type status message text; Click to add the entry to the selection criteria.)

ITA Error criteria
The ITA Error criteria selects or ignores Intruder Alert error messages. Intruder Alert generates various error messages and logs them in the manager.log or agent.log files, located in the directory <system disk>\Program Files\Symantec\ITA\system\<system name>. View the contents of this log file by opening it in a text editor.

Note: The manager.log and agent.log files are created during run time. If no errors have occurred, these files will not exist.

ITA Error criteria supports case-sensitive text matching and wildcard operators. Select the check box if you want the event text search to be case sensitive. Use the asterisk (*) wildcard operator in place of multiple characters and the question mark (?) wildcard operator in place of single char
on page 61.

Creating policies that use event context capturing
For event context capturing to work, there must be a minimum of two rules. The first rule selects the desired events and stores all or part of the event information on the raised flag. The second rule selects when conditions on the raised flag exist. It is also configured to perform another type of action, such as email an administrator. This section describes how to configure the first rule.

Configuring the Raise Flag action to use event context capturing

Note: Global flags cannot be set at the same time as the Save Events with Flag feature. To trigger global flags from the same selection criteria, add two Raise Flag actions to the same rule. Configure one to raise global flags and the other to save events.

To configure the Raise Flag action to save events
1 Do one of the following:
  - Create a new policy.
  - Open an existing policy.
  See Creating a policy on page 138.
2 Do one of the following:
  - Create a new rule.
  - Expand an existing rule.
  See Adding and deleting a rule on page 139.
3 Create the desired Select and Ignore criteria, such as failed or unsuccessful login. See Adding and deleting rule criteria on page 140.
4 Add a Raise Flag action. The Raise Flag configuration screen appears in the right pane.
5 In the right pane, check Save Event Environment with Flag.
on the Manager system. Using Intruder Alert Event Viewer, you will:
- Query a Manager's event database to view selected events, as they happen or as a historical snapshot
- Send Intruder Alert commands to Agents
- Generate and view various types of online and printed reports

The Query Builder wizard makes it easy to define a query or generate online and printed reports. See Using the Query Builder wizard on page 176.

The Intruder Alert Manager
The Manager is a software application that runs on UNIX or Windows. The Manager does not have a graphical user interface. Managers perform the following functions:
- Maintain secure communications with all registered Agents
- Maintain the master list of domains and policies applied to each Agent
- Communicate domain and policy changes to Agents
- Receive and store event data from Agents via the Record to Event Viewer action
- Serve as the communication link between Intruder Alert Administrator, Intruder Alert Event Viewer, and Agents
- Maintain the list of policies and the domains to which they are applied

The Manager does not require a dedicated machine or server. However, it should reside on a fast, stable, secure machine.

During installation, Intruder Alert creates platform-specific domains based on the selected policies. Intruder Alert automatically places a new Agent in one of the following default domains
or Enter. The Intruder Alert Connect dialog appears. See Connecting to a Manager on page 64.

View Type
Intruder Alert Event Viewer offers the following view types:
- Bar chart
- Line graph
- Pie chart
- Report view
- Text view

Bar chart
The following graphic illustrates the Intruder Alert Event Viewer bar chart.

Figure 11-2 Bar chart view
(Graph View: Time from 12/23/97 12:36:26 to 01/04/98 12:36:26; series techwrite, jaguar, leopard)

Line graph
The line graph depicts the same data as the bar chart, except that the data points are connected in a linear format. The following graphic illustrates the Intruder Alert Event Viewer line graph.

Figure 11-3 Line graph view
(Graph View)

Pie chart
Select the pie chart view when you want to see what percentage each event contributes to the whole. The following graphic illustrates the Intruder Alert Event Viewer pie chart.

Figure 11-4 Pie chart view
(Graph View: Time from 12/22/97 21:43:13 to 12/30/97 02:31:13; categories Error Messages, Reports, Status Messages)

Choose the category for the pie chart in the X Axis drop-down list.

Report view
The report view type displays event data in a Crystal Report viewing
passed from Agent to Manager is mostly event data. Most events are less than 500 bytes, but some events can be bigger. Larger packet sizes will also occur at Agent registration.

From GUI to Manager, packets are usually small (less than 500 bytes) and consist mainly of policy configuration changes. However, from the Manager to the GUI, packets tend to run larger. For example, when the GUI first connects, the Manager transfers the entire configuration database, consisting on average of about 250KB to 1MB of data. This data is transferred in 500-byte blocks.

An Intruder Alert Event Viewer query can generate a high volume of data across the network. It is not unusual for transfers at 10K to 75K a second to occur as the Manager queries historical data. Normal real-time event data is usually closer to 2K to 5K a second, but once again the file transfer rate varies greatly based on the amount of traffic at a particular installation.

Manager status during tune-up process
Depending upon your network configuration, network traffic, the number of Agents in a domain connected to a single Manager, and available bandwidth, the tune-up process may take 15 minutes to 24 hours or more. During this time the Manager's attention is consumed by the task at hand (the Tuneup application), and it is generally unavailable for other Intruder Alert tasks. Symantec recommends applying the tune-up pack to no more than 10 Agents, or a domain comprised of 10 A
passwords
1 In the Intruder Alert tree, right-click the desired Manager, and then click User Manager in the drop-down list.
2 In the User Manager window, in the User Name text box, select the user, and then click Edit.
3 In the Password text box, type the new password.
4 In the Confirm Password text box, retype the new password, and then click Commit.
5 When finished, click OK.
The User Manager changes the user's password.

Removing a user account
A Security Administrator may use a generic user account to register Agents to Managers. If this account is subsequently deleted, or the password is changed, all communications between the Agents and Managers that were established using the account will be broken. Symantec recommends that you do not use a temporary user account to set up Agent/Manager communication. If you do use such an account, make it a generic account, ensure that it is limited to trusted users only, and do not delete it.

To remove a user account
1 In the Administrator window, in the tree, right-click the Manager, and then click User Manager in the drop-down list.
2 In the User Manager window, in the User Name text box, select the user.
3 Click Remove.
4 Click OK.

General administrative tasks
The following tasks are discussed in this section:
- Printing tree view information
- Deleting a folder
- Using online help

Printing tree view information
Intr
phasis on the time frame during which a number of events occur. In other words, it is significant that they occurred within the given period of time. Use the Flag Context Count variable when it is important that a certain number of events occur within a given period of time. Thus, our example of detecting three failed logins by the same user within a two-minute period would use this counter. For example: Flag Context Count >= 3

Notes and known issues
- Intruder Alert is limited by the collection systems on which it resides. If the event collector provides the information, Intruder Alert can use it. The collector on Windows does not provide the user name of the person who generated a failed logon. All events are given the user name System, which is the process that generated the event, not the actual user.
- Certain variants of UNIX generate only one failed login message for every three failed attempts. Other varieties of UNIX generate an event message for every failed login. Thus, you will need to adjust your selection criteria accordingly. Furthermore, you will need to activate the policy on only those systems for which it was designed to work.
- For the Intruder Alert Agent service to interact with the Windows desktop, you must configure Control Panel > Services for the Intruder Alert Agent. See Configuring Agent service properties
ple, you can select when five different users have caused the same event within a given period of time. The rule's select statement would read: Flag Instance Count >= 5

Flag Count
The Flag Count variable refers to the number of event contexts associated with a flag instance during the flag's lifetime. Use this variable when similar events occur numerous times within a given period of time. This counter places emphasis on the number of similar events rather than the amount of time in which they occur (compare with Flag Context Count below). For example, this flag can be used to select four failed logins from the same user within a two-minute period. The rule's select statement would read: Flag Count >= 4

In this example the flag will execute when the same or similar event has occurred 4 times during the flag's lifetime.

Flag Context Count
The Flag Context Count variable refers to the number of events currently saved with a flag category. Events saved on a flag instance expire after they have lived for the period of time configured on the raised flag. More recent events will maintain the existence of the raised flag. When an event's time to live has expired, the event is deleted, but the Flag Context Count remembers that the event occurred during the lifetime of the flag. In contrast with the Flag Count variable, this counter places em
pturing
- Unsuccessful login
- Repeated Login Failures on
In the tree, under Rule 1, right-click Actions, and then click New > Raise Flag in the drop-down list.
In the right pane, in the Label text box, type User Name Flag.
Check Save Event Environment with Flag.
In the Tag drop-down list, click User Name.
Check Flag has a Lifetime. Set the Minutes to 2.
In the tree, to add a second new rule, right-click Rules, and then click New in the drop-down list.
In the right pane, in the Label text box, type the following name for the rule: Rule 2
In the tree, click New Rule to update the name.
Expand Rule 2, right-click Select, and then click New > Flag in the drop-down list.
In the right pane, in the Label text box, type 4 Failed Logins Flag.
Drag User Name Flag from the Available box to the Flags to Monitor box.
Double-click User Name Flag.
In the Select Flag Criteria dialog box, in the edit box, type the following select statement, and then click OK: Flag Context Count >= 4
Be sure to include spaces between Flag, Context, and Count and around the equality operator.
In the tree, under Rule 2, right-click Actions, and then click New > Record to Event Viewer in the drop-down list. There is no need to configure this action with additional text to record.
In the tree, right-click 4 Failed Logins, and then click Save in the drop-down list.
Right-click 4 Failed Logins again, and then click Apply to Domain in the drop-down
query and view events or attacks captured by Agents. Intruder Alert Event Viewer gathers its data from events recorded by Agents in the event database located on a Manager system. Intruder Alert Event Viewer has advanced data filtering capabilities, allowing you to select and display specific data of interest in several formats, including:
- Bar chart
- Line graph
- Pie chart
- Text view
- Report view

Intruder Alert Event Viewer runs on Windows operating systems. Managers and Agents should be installed and running prior to running Intruder Alert Event Viewer, and policies should be applied.

To launch Intruder Alert Event Viewer
From the Windows Start menu, click Programs > Symantec > Intruder Alert > ITA Event Viewer. The Intruder Alert Event Viewer launch screen appears. You can create a new view, open a predefined view, or send an Intruder Alert command to an Agent system.

Using the Query Builder wizard
The Query Builder wizard guides you through the process of defining a query and generating a view. The wizard presents three consecutive screens. This section describes the elements in each screen and how to use the Query Builder wizard to select and view desired events. See the following sections for information about the wizard:
- Query Builder wizard screen one
- Query Builder wizard screen two
- Query Builder wizard screen three

A view allows yo
quired network information
- Find out the network protocol used
- Vendor
- Version

Table A-5 Required problem information
- List all the steps needed to reproduce the problem.
- Describe the symptoms of the problem.
- Note the exact wording of any error messages; every character counts.
- Print, fax, or email copies of the system log files.
- Provide any other relevant information about the problem.

Finding version and platform information on the Web
For a complete list of recent Intruder Alert build versions and associated platforms, use the following procedure.

To find version and platform information on the Web
1 Go to the Symantec Web site: http://www.symantec.com/techsupp/enterprise
2 Under the heading Technical Support, click knowledge base.
3 On the next Web page, under the heading Intrusion Protection, expand Symantec Intruder Alert.
4 Click the version that matches yours. If you click Inactive versions, then on the next Web page you must click Knowledge Base under the specific version.
5 On the next Web page, on the Search tab, in the text box, type latest build.
6 Click search.
7 On the next Web page, click the link to the article whose title and description match the desired information. The latest build and platform information should be in the first article.

Contacting technical support
To contact Symantec's technical support, see the Tech
r Intruder Alert

Intruder Alert events are not sent to the specified SNMP Manager

SNMP Manager address in IA Query configuration file
You must configure the IA Query Event Management Service to be able to send SNMP messages to an external SNMP Manager. In the IA Query configuration file, you must specify the IP address of the SNMP Manager to which you want to send Intruder Alert events. Ensure that the IP address you want to send events to is specified in the command parameter. See Sample IA Query configuration file on page 274.

Mode parameter in IA Query configuration file
You may not see the Intruder Alert events you expect on the specified SNMP Manager if the Manager-specific mode parameter is set to history. When mode is real_time, the Manager selects messages that occur from the current time and forwards them indefinitely. When mode is history, only events that occur between the specified times are forwarded. You must specify a beginning time and an ending time using the begin and end parameters. This format uses 24-hour time designations:
begin mmddyyyyhhmm
end mmddyyyyhhmm

Intruder Alert events are not sent as specified
When the output command in the IA Query configuration file is used, ensure that the path for the system command is correct. If the path is incorrect, snmpsendtrap will not run, and no events will be forwarded as specified in the configuration f
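The three troubleshooting points above come down to a few checks on the IA Query configuration: which window of events the mode parameter selects, that history mode has both a begin and an end in mmddyyyyhhmm form, and that the command parameter points at an executable that actually exists. The following is an added example that applies those checks, not the IA Query service's own code; the parameter names mode, begin, end and command, the values real_time and history, and the 24-hour mmddyyyyhhmm format come from the text, while the "name value" line layout of the configuration text, the event record shape, the placeholder command path and the sample events are assumptions constructed for the example.

```python
"""Apply the IA Query mode/begin/end parameters to Intruder Alert events.

Added example, not the IA Query service itself. Parameter names (mode,
begin, end, command), the values real_time and history, and the 24-hour
mmddyyyyhhmm time format come from the manual; the 'name value' line
layout, the event record shape and the command-path check are assumptions.
"""
import os
import re
from datetime import datetime

TIME_FORMAT = "%m%d%Y%H%M"      # mmddyyyyhhmm, 24-hour clock
_LINE_RE = re.compile(r"^\s*([A-Za-z_]+)\s*[= ]\s*(.*?)\s*$")


def parse_config(text):
    """Parse 'name value' (or 'name=value') lines; '#' lines are comments."""
    cfg = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = _LINE_RE.match(line)
        if m is None:
            raise ValueError(f"unparseable configuration line: {line!r}")
        cfg[m.group(1).lower()] = m.group(2)
    return cfg


def forwarding_window(cfg, now):
    """Return (begin, end) for the configured mode; end is None for real_time."""
    mode = cfg.get("mode", "real_time")
    if mode == "real_time":
        return now, None                  # from the current time on, indefinitely
    if mode == "history":
        missing = [k for k in ("begin", "end") if k not in cfg]
        if missing:
            raise ValueError(f"mode history requires begin and end; missing {missing}")
        begin = datetime.strptime(cfg["begin"], TIME_FORMAT)
        end = datetime.strptime(cfg["end"], TIME_FORMAT)
        if end < begin:
            raise ValueError("end is earlier than begin")
        return begin, end
    raise ValueError(f"unknown mode {mode!r}")


def select_events(cfg, events, now):
    """Events that would be forwarded under this configuration."""
    begin, end = forwarding_window(cfg, now)
    return [e for e in events
            if e["time"] >= begin and (end is None or e["time"] <= end)]


def command_path_exists(cfg):
    """The executable named first in the command parameter must exist."""
    words = cfg.get("command", "").split()
    return bool(words) and os.path.isfile(words[0])


# Constructed configuration and events, not taken from the manual.
HISTORY_CONFIG = """
# forward only events from a fixed window (placeholder path and address)
mode history
begin 010420030900
end 010420031700
command /placeholder/path/snmpsendtrap 192.0.2.10
"""

REALTIME_CONFIG = "mode real_time\n"

SAMPLE_EVENTS = [
    {"time": datetime(2003, 1, 4, 8, 59), "message": "ITA Agent status report"},
    {"time": datetime(2003, 1, 4, 12, 36), "message": "Unsuccessful login jdoe"},
    {"time": datetime(2003, 1, 4, 17, 1), "message": "Agent configuration modified"},
]

if __name__ == "__main__":
    cfg = parse_config(HISTORY_CONFIG)
    for e in select_events(cfg, SAMPLE_EVENTS, datetime(2003, 1, 4, 12, 0)):
        print(e["time"], e["message"])
    print("command path exists:", command_path_exists(cfg))
```

With the history window 09:00 to 17:00 only the 12:36 event is forwarded; the 08:59 and 17:01 events fall outside it, which is the symptom the text describes when a practitioner expects real-time behaviour but the file says history. The missing-begin case raises instead of silently forwarding nothing.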
r communication with agents.
TCP_PORTS

Specifies a group of sockets that will be used for communication with agents.
SPX_SOCKETS

Communications timeout in seconds. Default is 15 seconds.
ITA_TIMEOUT 15

Maximum number of delayed connects. Default is 20. Minimum is 500.
MAX_DELAYED_CONNECTS 20

Maximum number of pending delayed connects. Default is 10000. Minimum is 5.
MAX_PENDING_CONNECTS 10000

Specifies the maximum number of records per batch to send to a query. The default is 500.
FILTER_BLOCK_SIZE 500

Specifies how large the rex file will get before it rolls to a .ext file, in bytes. The default is 2MB.
RCACHE_EXTENT_SIZE 2000000

Specifies how large, in bytes, the manager cache files are allowed to be. Default and maximum are 10000000.
MAX_CACHE_SIZE 10000000

Allow old agents to connect to this manager.
OLD_AGENTS_ALLOWED 1

Agent Diagnostics

Specifies if the log file is to be kept open while the Agent is running. 0 = False, 1 = True.
LogFileKeepOpen 1

Enables or disables diagnostic reporting.
Enable 0

Specifies how large the agent log fil
r configuration fields in the right pane, click in the New Entry box, type an asterisk (*), and then click Add to List. An asterisk is an Intruder Alert wildcard operator. By itself it tells the Agent to select, or capture, all messages.
10 In the tree, in the Collector rule branch, click Actions.
11 In the Action toolbar above the right pane, click Record to Event Viewer.
The changes are automatically saved. When activated, the policy records events to the Event Viewer.

Creating a new folder in the Policy Library
Create new folders in the Policy Library branch to organize user-defined policies or reorganize Intruder Alert's out-of-box policies.

To create a new folder in the Policy Library
1 In the Policy Library branch, do one of the following:
  - Right-click Policy Library, and then click New Folder in the drop-down list.
  - Right-click an existing folder under Policy Library, and then click New Folder in the drop-down list.
2 In the right pane, in the Label text box, name the new folder.
3 In the tree, right-click New Folder to update the name and save the change.
Policies can be created in or pasted to this folder.

File and directory security
This chapter includes the following topics:
- Intruder Alert file monitoring
- Configuring Intruder Alert file monitoring
- Modifying a file watch list

Intruder Alert file monitoring
Intruders often attempt to replac
r is logged into.

<User Name> <Agent Label>
The <User Name> <Agent Label> command instructs Intruder Alert to notify a specific logged-on user on a remote system on which an Agent is running. If the user is not logged on, the message will be lost. Do not make this the only source of notification for important messages.

The Agent label must be the actual name of the Agent as it appears in Intruder Alert. The IP address or email domain name will not work. Examples include:
- jdoe musicbox (Generic Use)
- jondoe rcbl accntg novell enterprise (NDS Format)
- alincoln accounts utah globalco (Long Agent Name)

<User Name> Agent Label
This option directs Intruder Alert to send notification to a specific user logged on to the system where the event was read by an Agent. If the user is not logged in, the notification message will be lost. Examples include:
- johnd Agent Label (Generic Use)
- davber rcvbl accntg novell agent label (NDS format)

To configure a Notify action, add the user and system names to the Users/Systems to Notify box, and then type additional text in the Additional Info box, as illustrated below.

Figure 6-23 Notify action
(Dialog: ACTION Notify; Users/Systems to Notify; New Entry; buttons Add to List, Edit List, Remove, Clear List; Additional Info (Optional). Callouts: Type the Agent or user name; Click to add the entry to the list; Type the
raps from NetProwler
Integrating NetProwler with Intruder Alert provides a multi-tiered intrusion defense strategy. NetProwler's network-based intrusion detection approach and Intruder Alert's multi-platform, host-based detection approach complement each other. Deploying both solutions together mitigates risk and provides the best possible security for your enterprise.

NetProwler/Intruder Alert integration is made possible via Simple Network Management Protocol (SNMP) traps. The NetProwler Agent detects an attack and sends an SNMP trap to an Intruder Alert system. The Intruder Alert SNMP Collector, a service you must install on the Intruder Alert system, receives the trap and translates it into a format the Intruder Alert Agent can read. The Agent then processes the trap and performs the configured actions.

To configure Intruder Alert to receive SNMP traps from NetProwler
1 Configure snmptrap to allow Intruder Alert to receive SNMP traps. See Receiving SNMP traps on page 279.
2 If you are using an earlier version of Intruder Alert than 3.5, import the NetProwler Integration Policies into the Intruder Alert Policy Library. See Importing NetProwler policies on page 285.
3 Apply the NetProwler Policies to a NetProwler Domain.

Sending SNMP traps to an SNMP Manager
Using SNMP for Intruder Alert and IA Query, you can send Intruder Alert events from any Intruder Alert Agent to an SNMP Manager. This includes management framework
240. re criteria available in Intruder Alert.
Table 2-5 Select and Ignore criteria (screenshot of rule names omitted)
- System Message: Selects or ignores specific text in event messages generated by an application or operating system.
- ITA Status Message: Selects or ignores specific text in Intruder Alert status messages.
- ITA Error: Selects or ignores specific text in Intruder Alert error messages.
- ITA Command: Selects or ignores Intruder Alert commands sent to the Agent from Intruder Alert Event Viewer.
- Selects or ignores flags raised by other rules.
- Timer (Select only): Selects timers started by another rule's action.
- Date: Selects or ignores events occurring within a range of time.
- Rule: Selects or ignores a specified rule.
- User: Selects or ignores events generated by specific users.
- System: Selects or ignores events generated on specific Agent systems.
- Registry Key: Selects or ignores events generated by the Windows registry.
Rule Actions
The following table defines the actions available for use in policy rules.
Table 2-6 Actions
- Record to Event Viewer: Records the event in an event dat
241. reate a collector policy
1. In Intruder Alert Administrator, in the tree, do one of the following:
   - In the Policy Library branch, right-click an existing folder and then click New Policy in the drop-down list.
   - In a connected Manager branch, right-click Policies and then click New in the drop-down list.
2. In the right pane, in the Label text box, name the policy. Symantec suggests naming the System Message Collector "Collector", the Status Collector "Status Collector", and the ITA Error Collector "ITA Errors Collector".
3. Optionally, in the Description text box, type a description of the policy. Adding a description causes the policy name to be updated in the tree.
4. In the tree, if necessary, click New Policy to update it with the new name, and then expand the branch.
5. Under the new policy, right-click Rules and then click New in the drop-down list.
6. In the right pane, in the Label text box for the rule name, type Collector.
7. In the tree, click New Rule to update it with the name Collector.
8. Under the Collector rule, do one of the following:
   - To create a System Message collector, right-click Select and then click New > System Message in the drop-down list.
   - To create a Status Message collector, right-click Select and then click New > ITA Status Message in the drop-down list.
   - To create an ITA Error Message collector, right-click Select and then click New > ITA Error in the drop-down list.
9. In the collecto
242. reating and configuring a collector policy on page 144.
Generating and collecting events
Collect events by activating the policy on a domain and performing the actions that generate the events. Try to isolate the events by minimizing the number of Agents in the domain and minimizing the time that the collector policy is activated. Otherwise the Event Viewer or Append to File log will be flooded with events.
Analyzing the events
You can use the following questions to help analyze events:
- What events were generated by your actions?
- When did the events occur in relation to each other? If more than one event was captured, did those events occur in a specific sequence? If so, how far apart?
- Where, and on what systems, did they occur?
During the analysis phase you should identify all the relevant information needed to create the policy.
Creating the policy
After analyzing the events and learning what events identify the performed action, the next step is to create the policy in Intruder Alert. However, before creating a policy you must know the logic behind Intruder Alert rules and the various building blocks for creating rules. See Policies, rules and criteria on page 91.
Testing and debugging the policy
After the policy has been created, activate it on a domain, perform the same actions as before, and verify that it captures the desired e
243. ress Enter.
At the Manager name prompt, do one of the following:
- Type the name of the Manager and then press Enter.
- Type the IP address of the Manager and then press Enter.
At the Manager service port prompt, do one of the following:
- To accept the default service port of 5051 for the Manager, press Enter (recommended).
- To specify a different service port, type the port number and then press Enter.
At the user name prompt, type the username for the Manager system and then press Enter.
At the password prompt, type the password for the Manager and then press Enter.
At the Agent service port prompt, do one of the following:
- To accept the default service port for the Agent, press Enter (recommended).
- To specify a different service port for the Agent, type the port number and then press Enter.
The Agent attempts to register with the specified Manager. If the attempt was successful, a message will appear indicating that the registration was complete. If the attempt is unsuccessful, troubleshoot the situation with the following procedure.
To register an Agent on UNIX using command line mode:
1. At the system console, type the following command and then press Enter:
   cd /axent/ita/bin/<platform type>
2. Type the following command and then press Enter:
   itasetup -r <manager> <user> <password> <port>
   where the angle-bracketed <
244. rganize Agents in domains
- Create and apply policies to domains
- Import policies from the Symantec Web site
- Export policies
- Configure Agents for email and paging notification
- Configure Intruder Alert to monitor additional audit logs
- Manage user privileges
Figure 2-1 depicts the Intruder Alert Administrator.
Figure 2-1 Intruder Alert Administrator (screenshot: menu bar with File, Edit, Manager, View and Help menus; toolbar; Intruder Alert tree with Managers and Policy Library branches; View toolbar; Label field; Configuration box)
See Starting Intruder Alert Administrator on page 63. See Connecting to a Manager on page 64.
Once connected to a Manager, you can use the various views and tools available to enable security policies on your network. You can also create and manage reports generated by the Intruder Alert Event Viewer. After connecting I
245. ria 34. See also criteria
Ignore Flag, configuring for event context capturing 167
Ignore toolbar 32
import button 29
importing: NetProwler integration policies 285; policies 131
indirect rules 94
installing: Administrators, number of 19; file watch lists, auto-installed 151; IA Query 274; policies automatically installed on Agent 147; policies during installation 41; Reports policy, auto-installed 212; snapdragon 281; SNMP 273; snmptrap 280
Intruder Alert: Administrator 25; components of 18; default Manager port 57; policies 22; rules 23; understanding architecture 18; understanding network traffic 270
Intruder Alert Administrator. See Administrator
Intruder Alert Event Viewer. See Event Viewer
Intruder Alert tree. See tree
issues: changing commands.txt file 269; during tuneup 270; max record count, adjusting 269; service control error 270; tuneup and remote agent 271
ITA Command criteria 97; introduction to 35
ITA Error criteria 96; introduction to 34
ITA Error Message collector 144
ITA Rule criteria 103
ITA Shared Actions policy: adding shared rules to 143; applying to All Agents domain 143; configuring shared rules in 143; modifying 141; modifying rules in 142; rules in 122, 142
ITA Status criteria 95; introduction to 34
ita.ini file: adding filewatch to 153; C2 auditing in 224; collector size commands 266; collector size, enabling 265; configuring automatic file truncation 266; configuring C2 auditing 225; configuring error log file size 264; error lo
246. risk wildcard operator.
5. Click Save.
Configuring external audit log monitoring
Operating systems and applications generate events and store them in log files. Intruder Alert can be configured to monitor these files for security-related events. An external audit log is a log file that Intruder Alert does not automatically monitor.
Figure 5-3 Audit Log dialog box (screenshot: Description, File Name, Single Line or Multiple Line with Delim String, and Strings to Parse fields)
Intruder Alert can be configured to parse, or extract, specific data out of an event message. Parsing makes specific event content more accessible when viewing the event message in Intruder Alert Event Viewer. Events need a record delimiter to separate events. Parsing rules are optional. Define parsing rules for only the desired event types. See Operating system collectors on page 221.
To configure Intruder Alert to monitor an external audit log:
1. In the Intruder Alert tree, connect to a Manager and expand its branch. See Connecting to a Manager on page 6
247. rse text box, type an open double quote and close double quote. Click OK. Intruder Alert is configured to receive SNMP traps.
Command line options for snmptrap
The command line options for snmptrap are described in the following tables.
Table E-6 Help options for snmptrap
- Display startup options
- Display configuration directives
- Display version of SNMP supported
Table E-7 Service control options for snmptrap
- install: Install the snapdragon daemon as a service
- start: Start the snapdragon daemon
- stop: Stop the snapdragon daemon
- remove: Remove the snapdragon service
Table E-8 Startup options for snmptrap
- -p port: Local port to listen from
- -P <filename>: Print received traps to the specified file
- -u <PIDFILE>: Create PIDFILE with process id
- -S: Log to syslog (not supported on Windows)
- -l D|0-7: Set syslog facility to log to the daemon log or to local0 <default> through local7
- -d: Dump input/output packets
- -a: Ignore authentication failure traps
- -c CONFFILE: Read CONFFILE as a configuration file
- -C: Don't read the default configuration files
- -m <MIBS>: Use MIBS list instead of default MIB list
- -M <MIBDIRS>: Use MIBDIRS as the location to look for MI
248. rt Event Viewer
2. On the menu bar, click Edit > Query. The Query Builder wizard appears with the current query settings defined.
3. Make the desired modifications to the query and then click GO. Intruder Alert Event Viewer reads the event database on the selected Manager and recreates the view.
Sorting the text view
Sorting rearranges event records (rows) in the text view based on the selected criteria, such as date, time and policy. You can sort rows by column heading in ascending (1 to 9, A to Z) or descending (9 to 1, Z to A) order.
To sort the text view:
1. Create a text view.
2. In the text view, do one of the following:
   - To sort the text view in ascending order, click the desired column heading once.
   - To sort the text view in descending order, click the desired column heading twice.
Loading a predefined view
Intruder Alert Event Viewer allows you to save queries with or without Manager connection information. A query saved without Manager connection information is called a generic view. Generic files are saved with an .ivg file extension. Queries saved with Manager-specific information are given an .ivw file extension. This section describes how to load both view types.
Note: You can save the view as a shortcut to the desktop. To activate, double-click on the shortcut icon.
To load a generic view:
1. Click File > Load Generic View.
2. In the Open dialog box, click the d
249. rted 15
Section 2 Administering security 16
Section 3 Securing systems 16
Section 4 Monitoring events 17
Appendices 17
Understanding Intruder Alert's architecture 18
The Intruder Alert Administrator 19
The Intruder Alert Event Viewer 19
The Intruder Alert Manager 20
Rex files 21
Extent files 21
The Intruder Alert Agent 21
Agent domains
Intruder Alert policies
Rules
Touring Intruder Alert
Intruder Alert Administrator
Menu bar
Toolbar
Select and Ignore criteria
250. s << or >> to change the year, and the single arrows < or > to change the month.
2. In the Time Definition dialog box, in the From boxes, select the starting time. Specify the time based on a 24-hour clock (military time).
3. In the To boxes, select the ending time. You cannot specify a range that overlaps another day. The range must be within 0 to 23 hours, 59 min and 59 sec on a specified day.
4. In the Repeat drop-down list, select the range of time.
5. Click OK. A red box appears on the calendar for the selected day. The red box indicates the selection for that day.
ITA Rule criteria
The Rule criteria selects or ignores another rule. In other words, the Select and Ignore criteria for another rule are referenced. To configure, drag the desired rule from the Available box and drop it in the Rules to Monitor box, as illustrated below.
Figure 6-12 ITA Rule criteria (screenshot: Rules to Monitor and Available boxes; drag a rule object from the Available box and drop it in the Rules to Monitor box)
You can add more than one rule in the Rules to Monitor box. The And and Or radio buttons located near the rule's Label field define the functional relationship between multiple selected rules. Choose the And radio button when all the selected rules must be triggered to satisfy the requirements of this clause
251. s Branch (figure callouts: A Connected Manager; The Policy Library)
In the Intruder Alert tree there are two main branches: the Managers branch and the Policy Library branch (hereafter referred to as the Policy Library). The Managers branch lists the available Managers and all domains, policies and registered Agents belonging to each Manager. The Policy Library contains all the policies that ship with Intruder Alert, as well as user-defined policies.
Managers branch
The Managers branch lists all connected Managers. The name of the Manager appears in the tree once the Administrator has established a connection to that Manager. The Administrator allows you to connect to multiple Managers at the same time. Managers not currently connected to the Administrator appear with a red mark across the Manager icon. Listed beneath each Manager are a number of domains, policies and registered Agents, as shown in the following illustration.
Figure 2-14 Managers branch (screenshot: Manager techwrite with Domains, Policies and Registered Agents sub-branches)
Managers can have as many as 100 registered Agents reporting to them, although this varies by operating system type.
Domains
When Agents are installed, they are initially organized into default domains. The Domains branch lists the Agent domains available on a given Manager. Each domain contains two sub
252. s configured to send email. If it is, it will send the email message. If it cannot, it will send the request to the Manager, which will then pass the request to a registered Agent that can send the email.
Note: Symantec recommends that all Agents be configured to send email.
To configure an Agent to send email:
1. Configure an SMTP server in your enterprise.
2. In the Intruder Alert tree, connect to a Manager and expand its branch. See Connecting to a Manager on page 64.
3. Expand Registered Agents and then click the desired Agent.
4. In the Agent configuration fields in the right pane, under Capabilities, check Can Email.
5. In the SMTP Server text box, type the SMTP server name or IP address.
6. In the SMTP Port text box, if the port configured for email is different than the default, type the port number.
7. In the Sender Address text box, type the sender's email address.
8. In the SMTP Timeout text box, type the number of seconds before the SMTP server will time out.
9. In the SMTP Throttle text box, optionally modify the default SMTP throttle value. The SMTP throttle value defines the maximum number of emails that can be sent per minute. This throttle protects the network from excess traffic.
10. Click Save.
Configuring the Agent for pager notification
An Intruder Alert Agent can be configured to page a security administrator when an attack has been detected. In addi
253. s multiple Select statements. The relationship between multiple statements is determined by the And/Or radio buttons located near the rule's Label field.
Event variables
Event variables can be selected with the Raise Flag action only. The following table lists the event variables supported in Intruder Alert.
Table 10-2 Event variables (variable, type, whether it is saved only or both saved and selectable, description)
- User Name (String, Saved only): The name of the user that generated the event. For example, User Name jdoe.
- Process ID (Numeric, Saved only): The name of the process that generated the event. For example, Process ID 517.
- Year (Numeric, Both): The year in which the event occurs. For example, Year 2001.
- Month (Numeric, Both): The numeric month in which the event occurs. Valid values range between 1 and 12. For example, to select events in the month of July, type Month 7.
- Day (Numeric, Both): The day of the month in which the event occurs. Valid values range between 1 and 31. For example, Day > 15.
- Hour (Numeric, Both): The hour in which the event occurs. Valid values range between 0 and 23. For example, Hour > 18.
- Minute (Numeric, Both): The minute in which the event occurs. Valid values range between 0 and 59. For example, Minute > 30.
F
254. s secured by listing the allowed commands in the commands.txt file, then securing that file's access from anyone other than Intruder Alert Agents and a highly trusted security administrator. The commands.txt file is installed with each Intruder Alert Agent and on Windows appears in the directory <system disk>\Program Files\Symantec\ITA\system\<System Name>. See Securing the Execute Command action on page 131.
Run Shared Action action
The Run Shared Action action executes an action contained in another rule or policy residing on the Agent system. Having a shared action makes a group of policies' actions easier to maintain, because content is changed in only one location.
Configuration guidelines
When creating shared actions, the following criteria must be met:
- The rule with the shared action must begin with the word "Shared:". The colon must be included. For example, Shared: Priority One Alert.
- The Run Shared action must reference the shared rule. Specifically, the Run Shared action must list the shared rule's name exactly as it appears in the tree view.
- The policy containing the shared action must reside on the Agent system.
Note: The ITA Shared Actions policy contains ten rules. Each rule is designed for different types of notification. Rather than creating your own shared rules, you can modify and use these rules according to your needs. In additio
255. s such as HP OpenView, IBM's Tivoli Enterprise and Micromuse's Netcool.
To send a trap to an SNMP Manager:
1. Install SNMP for Intruder Alert.
2. Configure the config.iaq file to send traps to the specified SNMP Manager.
3. Set up a user account for IA Query in the Intruder Alert Administrator. See Sending SNMP traps on page 276.
SNMP for Intruder Alert installed files
The following table lists the files and directories created when SNMP for Intruder Alert is installed on Windows.
Table E-9 Installed files on Windows systems
- ita\mibs: Directory for MIB files
- ita\mibs\IntruderAlertMIB.txt: Intruder Alert Trap Definitions
- ita\mibs\itinasd.mib: NetProwler Trap Definitions
- ita\mibs\RFC1155-SMI.mib: Standard MIB declaration
- ita\mibs\RFC-1212.mib: Standard MIB declaration
- ita\mibs\RFC1213-MIB.mib: Standard MIB declaration
- ita\mibs\RFC-1215.mib: Standard MIB declaration
- ita\mibs\SNMPV2-SMI.mib: Standard MIB declaration
- ita\bin: Directory for Intruder Alert executables
- ita\bin\snmpget.exe: Performs an SNMP GET request from an SNMP managed node
- ita\bin\snmpgetnext.exe: Performs an SNMP GET NEXT request from an SNMP managed node
- ita\bin\snmpset.exe: Performs an SNMP SET request on an SNMP managed node
- ita\bin\snmpsendtrap.exe: Sends an SNMP trap to an SNMP
256. setup command line options is detailed in the following sections. See Registering an Agent on UNIX on page 77. See Unregistering an Agent from a Manager on page 80. See Determining Agent registration information on page 82.
Managing Agents
This chapter includes the following topics:
- Creating and deleting a domain
- Adding an Agent to a domain
- Removing an Agent from a domain
- Registering an Agent to a Manager
- Unregistering an Agent from a Manager
- Performing Agent management tasks
Creating and deleting a domain
In Intruder Alert, Agents are grouped in domains, and policies are applied to all Agents in the domain. Domains are organized according to common criteria, such as operating system, location or workgroup.
Creating a domain
To create a domain:
1. In Intruder Alert Administrator, connect to a Manager and expand the Manager's branch.
2. In the Intruder Alert tree, right-click Domains and then click New in the drop-down list. The new domain appears in the Intruder Alert tree as New Domain.
3. In the right pane, in the Label text box, type a name for the new domain.
4. Optionally, in the Description text box, type a description of the domain.
5. In the tree, click New Domain to update the name.
The new domain is created. Your next steps are to add Agents and apply policies to the new domain. See Adding an Agent to a domain on page 76. See Apply
257. ss Enter to unregister the Agent with a Manager. Do one of the following:
- To unregister from the default Manager (indicated in square brackets), press Enter.
- To unregister from one or more other Managers, type the name of each Manager, separated by a space, and then press Enter.
For example, to unregister from the Managers global and enterprise, type the following at the command prompt and then press Enter:
global enterprise
Changing the Agent label
The Agent label is the name that is used to identify the Agent.
To change the Agent label:
1. Change to the Intruder Alert setup directory. Type the following command and then press Enter:
   cd /axent/ita/bin/<platform_type>
   where platform_type indicates the type of computer you are using.
2. Start Intruder Alert setup. Type the following command and then press Enter:
   itasetup
3. When prompted with the Intruder Alert setup options, type 2 and then press Enter to display the post-installation options.
4. Type 5 and then press Enter to change the Agent label. The post-installation software displays a numbered list of possible choices for the Agent label.
5. At the prompt, type the number for your choice and then press Enter.
6. If you chose to enter a custom label for this agent, type it in at the prompt and then press Enter.
7. At the confirmation prompt, do one of the following:
   - To confirm the choic
258. ss the configuration dialog box for the following functions:
- Security: Access the User Manager dialog box.
- Paging: Display a list of Agents that are configured to allow paged notifications.
- Licensing: Enter updates to your license key.
Figure 2-2 Intruder Alert Administrator User Manager (screenshot of the User Manager dialog box: User Name, Full Name and password fields, and User Configuration privilege check boxes such as View Event Information)
View menu
The View menu allows you to activate the following options.
Table 2-3 View menu options
- Toolbar: Application menu items displayed graphically
- List Toolbar: Control the configuration frame display
- Select Toolbar: Rule editing tools
- Ignore Toolbar: Rule editing tools
- Action Toolbar: Rule editing tools
Help menu
Access the following information through the Help menu.
Table 2-4 Help menu topics
- Contents & Index: Access to online help
- Go to Homepage: Access to Symantec's home page on the World Wide Web
- About Intruder Alert Administrator: Displays the Intruder Alert Administrator version number and build date
Toolbar
The toolbar contains the most common functions of the Intruder Alert Administr
259. t.
In the Apply Policy to Domain dialog box, do one of the following:
- Click the desired domain and then click OK.
- Press Ctrl and select multiple domains, and then click OK.
You can apply the policy to one or more domains on the connected Manager.
To simultaneously apply multiple policies:
1. If you have not already connected to a Manager, complete the steps shown in the section Connecting to a Manager on page 64.
2. In the Intruder Alert tree, in the Policy Library branch, do one of the following:
   - Press Shift and select the first and last of a group of desired policies.
   - Press Ctrl and select multiple policies.
3. Do one of the following:
   - Drag the policies from the Policy Library and drop them on the Policies branch under the desired Manager.
   - Copy and paste the policies from the Policy Library to the Policies branch of the desired Manager.
   The policies now reside on the Manager but have not yet been applied.
4. In the Intruder Alert tree, right-click the desired domain and then click Apply Policies in the drop-down list.
5. Do one of the following:
   - Press Shift and select the first and last of a group of policies to apply.
   - Press Ctrl and select multiple policies to apply.
6. Click OK.
Removing policies from a domain
Removing a policy removes it from all Agents in the selected domain. Once removed, the Agent no longer monitors for the conditions specifi
260. t on Windows
To rename an Agent on Windows:
1. From the Start menu, click Programs > Symantec > Intruder Alert > ITA Mgr Agt Setup.
2. In the Manager Agent Setup dialog box, click Edit Label. The Caption text box becomes active.
3. In the Caption text box, rename the Agent as desired.
4. Click Commit.
5. Exit the Intruder Alert Mgr Agt Setup utility by clicking the X in the top right corner of the window.
The Agent's label is changed. You can view the change in Intruder Alert Administrator.
Configuring the Agent for email notification
Before an Agent can send email notification messages, it must be configured to use the SMTP server. The Agent can only send email, not receive it.
Figure 5-2 Agent configuration fields (screenshot: Description, Audit Logs, Agent Name, Software ID, Service Name, Platform Type and Revision Date; Capabilities: Can Email with SMTP Server, SMTP Port, Sender Address, SMTP Timeout and SMTP Throttle; Can Page with Modem Description and Record Action Throttle)
In addition to configuring the Agent, a Send Email action must be added to a policy, specifying the email addresses of the people to be notified. When a Send Email action is executed, the Agent checks to see if it i
261. t search to be case sensitive. Use the * wildcard operator for multiple characters or words and the ? wildcard operator for single characters. Following are examples of text contained in a system message:
- ftpd connection
- Successful login guest
- Failed dmin login
To configure a system message, add the desired search string to the System Messages to Monitor box.
Figure 6-3 System message box (screenshot: System Messages to Monitor list with Case Sensitive check box, New Entry box, Edit List, Remove and Clear List controls)
ITA Status criteria
The ITA Status criteria selects or ignores text associated with Intruder Alert status messages. Intruder Alert generates various messages regarding the Manager's and Agent's status. Intruder Alert Managers and Agents handle all status messages internally. The Status criteria supports case-sensitive text matching and wildcard operators. Select the check box if you want the event text search to be case sensitive. Use an asterisk wildcard operator in place of multiple characters and the question mark wildcard operator in place of single characters. The following are examples of status messages:
- ITA manager
262. t sources that Intruder Alert automatically monitors. You can configure Intruder Alert to capture events from additional event sources by adding entries to cols_nt.cfg. See Default Registry auditing on page 233.
The new syntax is as follows:
<log name> <event source> <event id> <event domain/user>
where
- <event id> is the numerical category ID that is associated with each event record. The wildcard characters can be used in the criteria.
- <event domain/user> is the user name qualified with the domain name. It is important that the domain name be specified first and the forward slash character be used to separate the domain and user name. The wildcard characters can be used in this criteria.
To specify that a selection criteria entry be used to exclude event records, prepend the line with a minus sign. For example, to filter out all of the successful logout events for the domain MYDOMAIN, use the following:
-security security 538 MYDOMAIN
To filter out all of the successful logon events for the user john_doe in the domain MYDOMAIN, use:
-security security 528 MYDOMAIN/john_doe
In addition, the above changes to the collector entries have been made to cols_nt.cfg to filter out the Object Access auditing events. If this is undesired, simply comment out the last few event exclusion lines in cols_nt.cfg.
File watch collector
263. t to the amount of data Intruder Alert can handle. The oldest extent files have the lowest number. For example, 1.ext will contain the oldest data, 2.ext will contain the next most recent data, and so on. To control the size of .ext files stored in the directory, adjust the following setting found in the ita.ini file:
RCACHE_EXTENT_SIZE
As Intruder Alert's administrator, you must decide how much and how far back data should be kept. Unneeded extent files should be archived and deleted from the Manager's system.
Note: When archiving the old files, it is crucial that the most recent .ext and .rex files not be removed. If the file is removed, Intruder Alert will create a new empty file, beginning again with number 1.rex, then 1.ext. The result will be discontinuity of event reporting and conflicting file names.
Delete old data
To delete unwanted data:
1. Optionally, archive the desired extent files.
2. Delete the desired files.
Note: If you delete old data, you may limit your view in Intruder Alert Event Viewer. This will occur if you specify a date that references data in an .ext file that was deleted or removed.
Corrupted .rex files
If Intruder Alert cannot read the .rex file, all event data is lost. The Intruder Alert Manager will not start, and Intruder Alert records the following entry in the manager log file <path> ita system <
264. t use commas or periods For example MaxLogSize 100000 MaxLogSize 25000 4 When finished save the file 5 Stop and restart the Agent and or Manager as necessary See Starting and stopping Managers Agents on page 66 Optimization and problem solving techniques 265 Optimizing system performance Debug logging Intruder Alert features an API to control debug logging It is enabled in the production code and controls how information is logged in specified modules All callbacks are identified in the Debug logging code so the operation of the Manager and Agent can be tracked This helps in identifying and diagnosing policy errors Manage the size of UNIX collectors Process Accounting syslog btmp and wtmp security files will grow indefinitely unless managed System administrators typically manage the size of these collectors manually However Intruder Alert can be configured to automatically truncate these collectors once they reach a certain size In order for Intruder Alert Administrator to read the new INI file the Agent and Manager must be restarted Because the Agent Manager log file is deleted when the Agent Manager is shut down the Agent Manager Log file resets to zero 0 More information on how Intruder Alert collects events on UNIX systems is available in Appendix B See UNIX collectors on page 222 The automatic truncation feature is configured by adding settings to the Agent s ita ini file There are
265. terface 1109910 0 Administering security This section discusses the following m Chapter 3 Post installation options m Chapter 4 Administering Intruder Alert m Chapter 5 Managing Agents 54 Post installation options This chapter includes the following topics m Post installation options on UNIX m Post installation options on Windows Note The instructions in this chapter pertain to immediate post installation options only Information regarding connecting Managers and Agents starting and stopping Managers and Agents and performing additional administrative tasks using Intruder Alert Administrator is discussed later in the guide Post installation options on UNIX This section contains instructions for performing each UNIX post installation option UNIX post installation options include m Starting the Manager and Agent m Stopping the Manager and Agent m Registering an Agent with additional Managers m Unregistering an Agent from a Manager m Changing the Agent label m Updating NIS Master information on the Agent m Exiting the post installation procedure 56 Post installation options Post installation options on UNIX Starting the Manager and Agent The start option starts whatever Intruder Alert components reside on that system If the Manager and Agent reside on the same system both will be started If only the Agent resides on that system only the Agent will be started To start th
266. ...the box 202
How do I create and use my own Crystal Reports templates? 205
Generating security reports 207
Using the Intruder Alert Report Viewer 208
Refresh the report contents 209
Suspend and resume automatic refresh 210
Set up the printer
Print the report
Export and save the report contents
Enlarge the View area 211
Locate information in a report 212
Exit the report
Generating Agent status reports
Agent Policy report
Agent Active Datastream report
Agent Load report
Generate an Agent report
Section 5 Appendices (Appendix A, Appendix B, Appendix C, Appendix D)
Contacting customer support
Customer support 217
Before contacting technical support 217
Finding version and platform information on the Web 219
Contacting technical support 220
Operating system col...
267. tion to configuring the Agent a Send Page action must be added to a policy specifying the pager number to be dialed and the numeric sequence to be sent When a Send Page action is executed the Agent checks to see if it is configured to page If it is it will send the pager notification message If it cannot it will send the request to the Manager The Manager will then pass the request to a registered Agent that can send the page Note Every Agent does not need to be capable of paging To learn which Agents are capable click a connected Manager in the Intruder Alert tree and then select Paging from the Manager menu To configure an Agent to send a page 1 Install a modem device on the Agent system 2 Inthe Intruder Alert tree in the Registered Agents branch click the desired Agent 3 Inthe Agent configuration fields check Can Page Managing Agents 85 Performing Agent management tasks 4 Inthe Modem Description text box type the modem description for the Agent platform See the guidelines below m On UNIX type dev lt port name gt For example dev pty9 Note Hewlett Packard recommends HP modems when configuring modem devices under HP UX Non HP modems may cause unpredictable behavior m On Windows type the name of the modem Check in the Control Panel under Modems to identify the modem or modems available on the Agent system If the exact name of the modem is not known type what is known and use an aste
268. tiple missing characters or words Example The following is an example event message event jdoe logged on to Jaguar at 14 05 on 09 18 2001 The following parsed string would capture the relevant information contained in that event message event User Action to System at Time on Date To parse additional messages press Enter and type the parsed event message When finished click OK Intruder Alert monitors the specified audit log and parses the specified event messages 88 Managing Agents Performing Agent management tasks Section 3 securing systems This section discusses the following m Chapter 6 Policies rules and criteria m Chapter 7 Administering policies m Chapter 8 Creating and modifying policies m Chapter 9 File and directory security m Chapter 10 Event context capturing 90 Policies rules and criteria This chapter includes the following topics m Policies and rules m Select and Ignore criteria m Actions Policies and rules Policy rules Intruder Alert policies describe how to detect specific events and what actions to take once they are identified When intruders attack a host they leave a trail of audit log messages These messages are to information security experts what fingerprints are to criminal investigators Policies contain rules and rules contain criteria There are three types of criteria Select Ignore and Action A rule is a logical statement co
269. ...traps and respond to them like any other security event in Intruder Alert. To enable Intruder Alert to receive SNMP traps, you must perform the following tasks:
- Install and configure snmptrap
- Configure Intruder Alert to receive SNMP traps
This section also describes applicable command line and configuration file options for snmptrap.

Starting snmptrap
To install and start snmptrap:
1. At a command prompt, go to the symantec ITA bin directory and type:
snmptrap install
This will install snmptrap as a Windows service.
2. To start snmptrap, do one of the following:
- At the command prompt, type snmptrap start
- In the Windows Services window, click the ITA SNMP Trap Collector Service.

Configuring Intruder Alert to receive SNMP traps
To enable Intruder Alert to receive SNMP traps that are collected on an Agent, set up an audit log in the Agent configuration.
To set up an audit log to collect SNMP events:
1. In the tree view of Intruder Alert Administrator, expand the desired Manager branch.
2. In the Manager's branch, expand Registered Agents.
3. In the Registered Agents branch, click the desired Agent.
4. In the right pane, under Audit Logs, click New.
5. In the Audit Log dialog box, in the Description text box, type a description for the audit log, such as SNMP Audits.
6. In the File Name text box, type n n
7. Click Multiple Line.
8. In the Strings to Pa...
270. ...type of report view that you have chosen. These allow you to define the display parameters for your report.

Screen two
The following graphic illustrates the second of three screens contained in the Query Builder wizard. In this screen you define an effective time or time span.

Figure 2-21 Query Builder screen two (screenshot: Offset from Current Time; Query Start and Stop Date)

Screen three
In the third screen of the wizard you specify policies and Agents.

Figure 2-22 Query Builder screen three (screenshot of the Intruder Alert Event Viewer policy and rule selection list, with view types)

You may click GO to run the query and access the report, or you may choose to save the query for later. If you save the query, you may choose from two different formats, ivw and ivg. See "Loading a predefined view" on page 187. Once a query and view have been defined in the Intruder Alert Event Viewer window, you can click GO to launch the query. Any information obtained by Event Viewer will be displayed in a preselected format.
271. u to see events that have occurred or are occurring on your enterprise Intruder Alert Event Viewer also allows you to filter these events by selecting one or more of the following criteria m Agents m User m Policies m Rules m Rule value m Date m Time m Specified text Note Intruder Alert Event Viewer allows you to create multiple views and have them open at the same time This is useful for monitoring activity concurrently across multiple managers Using Intruder Alert Event Viewer 177 Using the Query Builder wizard Query Builder wizard screen one Access the Query Builder wizard from the Intruder Alert Event Viewer menu bar or toolbar by starting a new query See Working in the Event Viewer on page 185 Figure 11 1 Query Builder wizard screen one Manager box View type selector Display Properties Axis values The following sections describe the fields in screen one of the Query Builder wizard Manager box Intruder Alert Event Viewer gathers data from a specific Manager and only one Manager at a time may be selected The Manager drop down list allows the user to specify the Manager from which to gather data The first time a user attempts to use the Event Viewer the list will be empty After the first connection Intruder Alert Event Viewer stores the name of the Manager in the drop down list If the Manager s name does not appear in the list type it in and press Tab
272. uder Alert Administrator allows you to select an object in the Intruder Alert tree and print information about that object and all objects beneath it To print tree view information 1 2 3 4 Connect to a Manager In the Intruder Alert tree click the desired object On the menu bar click File gt Print In the Print dialog box click OK Information about the object is sent to the printer To print tree view information to a file 1 2 3 4 5 Deleting a folder Connect to a Manager In the Intruder Alert tree click the desired object On the menu bar click File gt Print To File In the Print to File dialog box specify the destination folder and filename Click OK The information is saved in the specified file The following instructions describe the process for deleting a folder item in the Intruder Alert tree Branches created by Intruder Alert Administrator during installation e g Managers Policies Registered Agents etc cannot be deleted To delete a folder 1 2 In Intruder Alert Administrator do one of the following m Inthe tree click the folder and then in the toolbar click Delete m Inthe tree right click the folder and then click Delete in the drop down list Click Yes to confirm the deletion 72 Administering Intruder Alert General administrative tasks Using online help To use online help 1 On the menu bar click Help gt Contents amp Index Help topics can be loc
273. ...uder Alert Event Viewer allows you to specify how far back in time you want to view events. The default is to display events from the last two days.

Time Span
By selecting a starting and ending date and time, you can use the Time Span settings to frame an event window. The window would allow you to view events that occurred within a specified time parameter, which does not necessarily include current events. This option is great for viewing historical events that may have been archived.

Query Builder wizard screen three
Access the Query Builder wizard from the Intruder Alert Event Viewer menu bar or toolbar. See "Working in the Event Viewer" on page 185.

Figure 11-8 Query Builder wizard screen three (screenshot; callouts: "Expand folders to view objects" and "Add objects to the query by moving them from the Manager Objects box to the Query List box")

The following sections describe the fields in screen three of the Query Builder wizard.

Manager Objects and Query List boxes
The Manager Objects box lists the policies, rules and Agents you may select. To add an object to a query, drag it from the Manager Objects box and drop it in the Query List box. The Query List box displays all policies, rules and Agents on which the query will be generated. If no...
274. ...udes the time with each diagnostic message logged. 0 = OFF, 1 = ON.
LogTimeStamp 1

Includes the date with each diagnostic message logged. 0 = OFF, 1 = ON.
LogDateStamp 1

Includes the name of the diagnostic group with each diagnostic message logged. 0 = OFF, 1 = ON.
LogGroupName 0

Includes the name of the diagnostic level with each diagnostic message logged. 0 = OFF, 1 = ON.
LogLevel 0

Will log diagnostic messages to standard out if not run as a Windows daemon. 0 = OFF, 1 = ON.
LogStdout 0

Diagnostic group names and levels
The number specifies the lowest level for which you want to see diagnostic information. Thus setting it to level 3 will also include levels 1 and 2.

Main program loop: MOD_MAIN 1
Communications: MOD_COMM 1
Authentication: MOD_AUTH 1
Encryption: MOD_ENCRYPT 1
Manager Event Database: MOD_DB 1
Manager event cache: MOD_CACHE 1
Configuration Database: MOD_ISAM 1
Collectors: MOD_COLLECT 1
Event processing: MOD_EVENT 1
Event actions: MOD_ACTION 1
Dot format: MOD_DOT 1
Callback engine: MOD_CALLBACK 1
Memory manager: MOD_MEM 1
Policy updates: MOD_POLICY 1

Windows Manager Diagnostics
275. ...unregistration of the Agent from a Manager:
1. Start ITA Mgr/Agt Setup. See "Starting ITA Manager/Agent Setup" on page 59.
2. In the Manager/Agent Setup dialog box, in the Agent Registration box, click the desired Manager and then click Unregister. A dialog box appears warning you that this option should only be used if the Agent cannot be unregistered using the Intruder Alert Administrator.
3. In the warning dialog box, click OK.
4. Repeat step 2 for each Manager that you want to unregister.
5. When finished, click OK.
The Agent is unregistered from the selected Managers.

Configuring Agent service properties
From the Windows Services window you can configure the Intruder Alert Agent service properties to automatically start the Agent at system boot time. You can also start, stop and restart the Agent from the Windows Services window by right-clicking the Agent and selecting the desired action in the drop-down list.

Figure 3-1 Windows Services window (screenshot of the service list with the columns Name, Description, Status, Startup Type and Log On As)
276. ...ure the Record to Event Viewer action throttle 267
Configure the email (SMTP) action throttle 268
Known issues and resolutions 269
SNMP for Intruder Alert 273
Installing SNMP for Intruder Alert 273
Installing the IA Query Event Management Service 274
Configuring the IA Query Event Management Service 274
Sample IA Query configuration file 274
Adding IAQuery to the ITA User Manager 276
Sending SNMP traps 276
Command line options 277
Receiving SNMP traps 279
Starting snmptrap 280
Configuring Intruder Alert to receive SNMP traps 280
Command line options for snmptrap 281
Additional utilities 282
Sample configurations 283
Receiving SNMP traps from NetProwler 283
Sending SNMP traps to an SNMP Manager 283
SNMP for Intruder Alert installed fil...
277. ...ut 150

C
C2 audit logs 224
  as an event source 21
C2 audit pipe
  configure monitoring of 226
  delimiters, various OS 227
  frequency of reading 225
C2 security 224
  audit daemon, configuring 225
  audit processing 225
  audit trail 224
  audit trail daemon 224
  audit trail daemon options 225
Cancel Timer action 122
  introduction to 37
case-sensitive matching 95, 96, 97, 104
chart wizard 189
circular policies 134
  about 136
collector policies
  about 135
  avoiding event flooding 135
  creating 145
  creating a custom policy 237
  types of 144
collectors
  about 222
  audit log sources in Windows 229
  C2, about 224
  creating filter for Registry Key command 237
  creating multiple line collector 231
  creating rule for actions 239
  creating single line collector 231
  custom log file collector 230
  daemon on UNIX 222
  defining filter information 238
  deleting custom 232
  Directory Service 228
  DNS Server 228
  event log collector enhancements 229
  event log collector on Windows 228
  File Replication 228
  size commands 266
  truncating UNIX collector files 265
  UNIX, about 222
  Windows, about 228
  Windows, three new collectors 228
cols_nt.cfg file 230
  configuring to monitor new sources 234
  example entry in 230
  syntax enhanced 230
commands
  Agent command restrictions 242, 252
  Agent, to start 56
  Agent, to stop 56
  C2 audit daemon, initializing 225
  Collector size 265
  Execute Command action 37, 118
  Execute Command action restrictions 242, 252
  Execute Command...
278. ut will not generate events until you create a rule that will trigger events based on the contents of the log See Adding and deleting a rule on page 139 To create a multiple line collector 1 In Intruder Alert Administrator connect to an Agent 2 Inthe right pane under Audit Logs click New 3 Inthe Audit Log window click Multiple Line 4 Inthe Description text box type a description of the file you will monitor 5 In the File Name text box type a fully qualified path to the file you wish to monitor 6 Inthe Delim String text box type your delimiter string The text entered as the delimiter string replaces the carriage return as the EOL marker If you check Include Delim the text delimiter is included in the information passed to the Intruder Alert Event Viewer 7 Inthe Strings to Parse text box type the desired pattern to audit 8 Click OK 232 Operating system collectors Windows collectors 9 Inthe Audit Logs box click the name of the new audit log and then click Save The audit log is not complete until you save it The audit log is configured but will not generate events until you create a rule that will trigger events based on the contents of the log See Adding and deleting a rule on page 139 To delete a custom log file collector 1 In Intruder Alert Administrator connect to an Agent 2 Inthe right pane under Audit Logs click the audit log you want to delete 3 Click Delete 4 Click Save
279. ...vents. Resolve any problems that might arise.

Circular policies
A circular policy runs many times consecutively, which can cause peak CPU utilization and consume excessive disk space. If you experience either of these problems, examine your customized policies for circular logic. The following is an example of a circular policy:

Select criteria:
  Select system message for event A
  Select raised flag 1
Action:
  Append event to file and raise flag 1

The following diagram illustrates what this policy looks like in the Intruder Alert tree.

Figure 8-2 Intruder Alert tree: circular policy (Policy Name > Rules > Rule 1; Select Clauses: Select Raised Circular Flag, Select System Message; Ignore Clauses; Action Clauses: Append to File, Raise Circular Flag)

The following diagram illustrates how this policy operates.

Figure 8-3 Circular policy diagram (An event occurs, initiating the process. The Selection Clause selects Event A and selects Flag 1. The Action Clause raises Flag 1 and appends to file. The raised flag triggers the Select Clause again and the process repeats; cycles continue as fast as the CPU can process them. Each cycle, the message gets appended to the text file and Flag 1 is raised, so disk space gets consumed as the file grows.)

In this example the policy selects an event...
280. ...very 3 seconds:
C2ATD_OPTIONS p3
Save the changes to the ita.ini file. Stop and restart the Agent. See "Starting and stopping Managers/Agents" on page 66. This phase of configuring Intruder Alert to monitor a C2 audit pipe is complete. The Agent must be configured to monitor the output file created by the daemon.

Configure Intruder Alert to monitor the C2 audit pipe
To configure Intruder Alert to monitor the C2 audit pipe:
1. Start Intruder Alert Administrator and connect to a Manager.
2. Expand the Manager's branch.
3. In the Registered Agents branch, click the desired Agent.
4. In the right pane, in the Agent configuration fields, right-click in the Audit Logs box and then click New in the drop-down list.
5. In the Audit Pipe dialog box, type a description in the Description field and then press Tab.
6. In the File Name text box, type axent ita system <hostname> C2atd pipe, where <hostname> represents the name of the system being configured. For example: axent ita system juggler C2atd pipe
7. Click Multiple Line and specify a record delimiter for the type of operating system being configured. Refer to the following table.

Table B-1 C2 audit pipe record delimiters
Operating system | Delimiter | Notes
HP-UX | (five or six tildes) | Five or six tildes is sufficient to identify a new record
Solaris | return | The word "return" serves as the record delimiter
Digital UNIX (OSF/1) | n...
281. works together to secure your network Chapter 2 Touring Intruder Alert This chapter takes you on a screen by screen tour of the Intruder Alert Administrator and Event Viewer 16 Introducing Intruder Alert Contents and organization of this guide Section 2 Administering security The Administering security section of the guide contains Chapter 3 Post installation options This chapter provides an in depth tutorial of basic post installation configuration options available for UNIX and Windows Chapter 4 Administering Intruder Alert This chapter contains the advanced concepts and instructions for administering Intruder Alert on your network Administration information includes an overview of user management post installation options and basic tasks associated with Manager administration Chapter 5 Managing Agents This chapter contains advanced concepts and instructions for managing Agents on your network Administration information includes practical tutorials on basic tasks associated with Agent management and policy administration Section 3 Securing systems The Securing systems section of this guide contains Chapter 6 Policies rules and criteria This chapter teaches you how policies rules and rule criteria function It describes Intruder Alert s select ignore and action criteria Reading this chapter is required for those who plan to create or modify Intruder Alert policies
282. ...xt capturing

Understanding and using event contexts
When an event has resided on the flag for the specified period of time, the Agent deletes the event context. In this example, the oldest event (Sam's first failed logon) gets deleted after two minutes. As events accumulate on the flag, they are sorted by a user-defined event variable. In this example, events are sorted by user name. Each user has its own category. These categories are also called Flag Instances. Intruder Alert allows you to select the criterion by which events will be categorized. Using the proper selection criteria, you can determine when flag and event context conditions should trigger an action. In the next section you will learn how to define that selection criteria.

Event context selection criteria
The Select/Ignore Flag selection criteria is defined using event variables in logical statements. In this section you will learn how to build these statements to select the desired events. More specifically, you will learn:
- The select statement syntax
- The available event variables
- The available flag count variables

Select statement syntax
Select statements must use the following syntax.

Figure 10-4 Select statement syntax (Current event syntax: Variable, Equality Operator; Saved event syntax: Variable)

The brace and dollar symbols are used as variable delimiters. Intruder Alert differentiates between events saved on the raised f...