Configuring Remediations
When a correlation policy violation occurs, you can configure the FireSIGHT System to initiate one or multiple responses, which include remediations (such as running an Nmap scan) and various types of alerts.
The most basic kind of response you can launch is an alert. Alerts notify you, via email, an SNMP trap server, or syslog, of a policy violation. For information on creating alerts, see Configuring External Alerting.
Another kind of response you can launch is a remediation. A remediation is a program that the Defense Center runs when your network traffic violates a correlation policy. The FireSIGHT System ships with predefined remediations, which perform actions such as blocking a host at the firewall or router when it violates a policy or scanning the host.
When the Defense Center launches a remediation, it generates a remediation status event. You can search, view, and delete remediation status events, as you would any other event.
The FireSIGHT System also provides a flexible API that allows you to create custom remediation modules to respond to correlation policy violations. For example, if you are running a Linux-based firewall, you could write and upload a remediation module that dynamically updates the iptables file on the Linux server so that traffic violating a correlation policy is blocked. For more information about writing your own remediation modules, refer to the Cisco Remediation API Guide.
Note You must use a Defense Center to configure and use remediations.
Creating Remediations
In addition to alerts, which are simple notifications of a correlation policy violation, you can also configure responses called remediations. Remediations are programs that the Defense Center runs when a correlation policy is violated. These programs use information provided in the event that triggered the violation to perform a specific action.
The FireSIGHT System ships with several predefined remediation modules:
- The Cisco IOS Null Route module, which, if you are running Cisco routers that use Cisco IOS® Version 12.0 or higher, allows you to dynamically block traffic sent to an IP address or network that violates a correlation policy. See Configuring Remediations for Cisco IOS Routers for more information.
- The Cisco PIX Shun module, which, if you are running Cisco PIX® Firewall Version 6.0 or higher, allows you to dynamically block traffic sent from an IP address that violates a correlation policy. See Configuring Remediations for Cisco PIX Firewalls for more information.
- The Nmap Scanning module, which allows you to actively scan specific targets to determine operating systems and servers running on those hosts. See Configuring Nmap Remediations for more information.
- The Set Attribute Value module, which allows you to set a host attribute on a host where a correlation event occurs. See Configuring Set Attribute Remediations.
You can create multiple instances for each remediation module, where each instance represents a connection to a specific appliance. For example, if you have four Cisco IOS routers where you want to send remediations, you should configure four instances of the Cisco IOS remediation module.
When you create an instance, you specify the configuration information necessary for the Defense Center to establish a connection with the appliance. Then, for each configured instance, you add remediations that describe the actions you want the appliance to perform when a policy is violated.
After they are configured, you can add remediations to what are called response groups, or you can assign the remediations specifically to rules within correlation policies. When the system executes these remediations, it generates a remediation status event, which includes details such as the remediation name, the policy and rule that triggered it, and the exit status message. For more information on these events, see Working with Remediation Status Events.
In addition to the default modules that Cisco provides, you can write custom remediation modules that perform other specific tasks when policy violations trigger. Refer to the Remediation API Guide for more information about writing your own remediation modules and installing them on the Defense Center. If you are installing a custom module, you can use the Modules page to install, view, and delete new modules.
To install a new module on the Defense Center:
Step 1 Select Policies > Actions > Modules.
Step 2 Click Browse to navigate to the location where you saved the file that contains the custom remediation module (refer to the Remediation API Guide for more information).
The custom remediation module installs.
To view or delete a module from the Defense Center:
Step 1 Select Policies > Actions > Modules.
Step 2 Perform one of the following actions:
The Module Detail page appears.
The remediation module is deleted.
Configuring Remediations for Cisco IOS Routers
Cisco provides a Cisco IOS Null Route remediation module that allows you to block a single IP address or an entire block of addresses using Cisco’s “null route” command when a correlation policy is violated. This forwards all traffic sent to the host or network listed as the source or destination host in the event that violated the correlation policy to the router’s NULL interface, causing it to be dropped (note that this will not block traffic sent from the violating host or network).
The Cisco IOS Null Route remediation module supports Cisco routers running Cisco IOS 12.0 and higher. You must have level 15 administrative access to the router to execute Cisco IOS remediations.
Note A destination-based remediation only works if you configure it to launch when a correlation rule that is based on a connection event or intrusion event triggers. Discovery events only transmit source hosts.
To create remediations for routers running Cisco IOS:
Step 1 Enable Telnet on the Cisco router.
Refer to the documentation provided with your Cisco router or IOS software for more information about enabling Telnet.
Step 2 On the Defense Center, add a Cisco IOS Null Route instance for each Cisco IOS router you plan to use with the Defense Center.
See Adding a Cisco IOS Instance for the procedures.
Step 3 Create specific remediations for each instance, based on the type of response you want to elicit on the router when correlation policies are violated.
Each available remediation type is described in the following sections:
Step 4 Begin assigning Cisco IOS remediations to specific correlation policy rules.
Adding a Cisco IOS Instance
After you configure Telnet access on the Cisco IOS router (refer to the documentation provided with your Cisco router or IOS software for more information about enabling Telnet access), you can add an instance to the Defense Center. If you have multiple routers where you want to send remediations, you must create a separate instance for each router.
Step 1 Select Policies > Actions > Instances.
Step 2 From the Add a New Instance list, select Cisco IOS Null Route (v1.0) and click Add.
The Edit Instance page appears.
Step 3 In the Instance Name field, enter a name for the instance.
The name you choose should contain no spaces or special characters and should be descriptive. For example, if you intend to connect more than one Cisco IOS router, you will have multiple instances, so you may want to choose a name such as IOS_01 and IOS_02.
Step 4 In the Router IP field, enter the IP address of the Cisco IOS router you want to use for the remediation.
Step 5 In the Username field, enter the Telnet user name for the router. This user must have level 15 administrative access on the router.
Step 6 In the Connection Password fields, enter the Telnet user’s user password. The password entered in both fields must match.
Step 7 In the Enable Password fields, enter the Telnet user’s enable password. This is the password used to enter privileged mode on the router. The password entered in both fields must match.
Step 8 In the White List field, enter IP addresses that you want to exempt from the remediation, one per line. You can also use CIDR notation or a specific IP address. For example, the following white list would be accepted by the system:
Note that this white list is not associated with any compliance white lists you have created. For information on using CIDR notation in the FireSIGHT System, see IP Address Conventions.
The instance is created and remediations appear in the Configured Remediations section of the page. You must add specific remediations for them to be used by correlation policies. See the following sections for more information:
Cisco IOS Block Destination Remediations
The Cisco IOS Block Destination remediation allows you to block traffic sent from the router to the destination host in a correlation event.
Note Do not use this remediation as a response to a correlation rule that is based on a discovery event; discovery events only transmit a source host and not a destination host. You can use this remediation in response to correlation rules that are based on connection events or intrusion events.
Step 1 Select Policies > Actions > Instances.
Step 2 Next to the instance where you want to add the remediation, click the view icon.
If you have not yet added an instance, see Adding a Cisco IOS Instance.
The Edit Instance page appears.
Step 3 In the Configured Remediations section, select Block Destination and click Add.
The Edit Remediation page appears.
Step 4 In the Remediation Name field, enter a name for the remediation.
The name you choose cannot contain spaces or special characters and should be descriptive. For example, if you have multiple Cisco IOS router instances and multiple remediations for each instance, you may want to specify a name such as IOS_01_BlockDest.
Step 5 Optionally, in the Description field, enter a description of the remediation.
Step 6 Click Create, then click Done.
Cisco IOS Block Destination Network Remediations
The Cisco IOS Block Destination Network remediation allows you to block any traffic sent from the router to the network of the destination host in a correlation event.
Note Do not use this remediation as a response to a correlation rule that is based on a discovery event; discovery events only transmit a source host and not a destination host. You can use this remediation in response to correlation rules that are based on connection events or intrusion events.
Step 1 Select Policies > Actions > Instances.
Step 2 Next to the instance where you want to add the remediation, click View.
If you have not yet added an instance, see Adding a Cisco IOS Instance.
The Edit Instance page appears.
Step 3 In the Configured Remediations section, select Block Destination Network and click Add.
The Edit Remediation page appears.
Step 4 In the Remediation Name field, enter a name for the remediation.
The name you choose cannot contain spaces or special characters and should be descriptive. For example, if you have multiple Cisco IOS router instances and multiple remediations for each instance, you may want to specify a name such as IOS_01_BlockDestNet.
Step 5 Optionally, in the Description field, enter a description of the remediation.
Step 6 In the Netmask field, enter the subnet mask or use CIDR notation to describe the network that you want to block traffic to.
For example, to block traffic to an entire Class C network when a single host triggered a rule (this is not recommended), use 255.255.255.0 or 24 as the netmask.
As another example, to block traffic to 30 addresses that include the triggering IP address, specify 255.255.255.224 or 27 as the netmask. In this case, if the IP address 10.1.1.15 triggers the remediation, all IP addresses between 10.1.1.1 and 10.1.1.30 are blocked. To block only the triggering IP address, leave the field blank, enter 32, or enter 255.255.255.255.
Step 7 Click Create, then click Done.
Cisco IOS Block Source Remediations
The Cisco IOS Block Source remediation allows you to block any traffic sent from the router to the source host included in a correlation event that violates a correlation policy. The source host is the source IP address in the connection event or intrusion event upon which the correlation rule is based, or the host IP address in a discovery event.
Step 1 Select Policies > Actions > Instances.
Step 2 Next to the instance where you want to add the remediation, click View.
If you have not yet added an instance, see Adding a Cisco IOS Instance.
The Edit Instance page appears.
Step 3 In the Configured Remediations section, select Block Source and click Add.
The Edit Remediation page appears.
Step 4 In the Remediation Name field, enter a name for the remediation.
The name you choose cannot contain spaces or special characters and should be descriptive. For example, if you have multiple Cisco IOS router instances and multiple remediations for each instance, you may want to specify a name such as IOS_01_BlockSrc.
Step 5 Optionally, in the Description field, enter a description of the remediation.
Step 6 Click Create, then click Done.
Cisco IOS Block Source Network Remediations
The Cisco IOS Block Source Network remediation allows you to block any traffic sent from the router to the network of the source host in a correlation event. The source host is the source IP address in the connection event or intrusion event upon which the correlation rule is based, or the host IP address in a discovery event.
Step 1 Select Policies > Actions > Instances.
Step 2 Next to the instance where you want to add the remediation, click View.
If you have not yet added an instance, see Adding a Cisco IOS Instance.
The Edit Instance page appears.
Step 3 In the Configured Remediations section, select Block Source Network and click Add.
The Edit Remediation page appears.
Step 4 In the Remediation Name field, enter a name for the remediation.
The name you choose should contain no spaces or special characters and should be descriptive. For example, if you have multiple Cisco IOS router instances and multiple remediations for each instance, you may want to specify a name such as IOS_01_BlockSourceNet.
Step 5 Optionally, in the Description field, enter a description of the remediation.
Step 6 In the Netmask field, enter the subnet mask or CIDR notation that describes the network that you want to block traffic to.
For example, to block traffic to an entire Class C network when a single host triggered a rule (this is not recommended), use 255.255.255.0 or 24 as the netmask.
As another example, to block traffic to 30 addresses that include the triggering IP address, specify 255.255.255.224 or 27 as the netmask. In this case, if the IP address 10.1.1.15 triggers the remediation, all IP addresses between 10.1.1.1 and 10.1.1.30 are blocked. To block only the triggering IP address, leave the field blank, enter 32, or enter 255.255.255.255.
Step 7 Click Create, then click Done.
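The Netmask examples in the Block Destination Network and Block Source Network procedures, and the instance White List, can be checked before a remediation is assigned to a rule. The following Python is an added example, not part of the FireSIGHT product or Cisco's documentation: it computes the network a Cisco IOS Null Route remediation would send to the null interface for a triggering address and Netmask value, and applies an instance white list, assuming the white list is matched against the triggering host address.

```python
import ipaddress
from typing import NamedTuple, Optional, Sequence


class NullRoute(NamedTuple):
    """What a Cisco IOS Block ... Network remediation would null-route."""
    network: str      # prefix handed to the router, e.g. "10.1.1.0/27"
    first_host: str   # first blocked host address
    last_host: str    # last blocked host address
    host_count: int   # number of host addresses in that range


def netmask_to_prefix(netmask: Optional[str]) -> int:
    """Accept the three forms the Netmask field takes: blank, a prefix
    length such as "27", or a dotted mask such as "255.255.255.224"."""
    if netmask is None or not netmask.strip():
        return 32                       # blank: block only the triggering host
    netmask = netmask.strip().lstrip("/")
    if "." in netmask:
        # ipaddress rejects non-contiguous masks such as 255.0.255.0
        return ipaddress.IPv4Network(f"0.0.0.0/{netmask}").prefixlen
    prefix = int(netmask)
    if not 0 <= prefix <= 32:
        raise ValueError(f"prefix length out of range: {netmask}")
    return prefix


def blocked_range(trigger_ip: str, netmask: Optional[str] = None) -> NullRoute:
    """Compute the network the remediation would null-route for a triggering
    address, and the usable host range inside it (the page's "30 addresses")."""
    prefix = netmask_to_prefix(netmask)
    net = ipaddress.IPv4Network(f"{trigger_ip}/{prefix}", strict=False)
    if prefix >= 31:
        # /31 and /32 have no separate network and broadcast addresses
        first, last = net.network_address, net.broadcast_address
    else:
        first, last = net.network_address + 1, net.broadcast_address - 1
    return NullRoute(str(net), str(first), str(last), int(last) - int(first) + 1)


def is_whitelisted(ip: str, whitelist: Sequence[str]) -> bool:
    """True if ip matches any White List entry (a single IP or a CIDR block)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(entry.strip(), strict=False)
               for entry in whitelist if entry.strip())


def plan_null_route(trigger_ip: str, netmask: Optional[str],
                    whitelist: Sequence[str]) -> Optional[NullRoute]:
    """Return the route the remediation would install, or None when the
    triggering host is exempted by the instance white list (assumption:
    the white list is matched against the triggering address)."""
    if is_whitelisted(trigger_ip, whitelist):
        return None
    return blocked_range(trigger_ip, netmask)


if __name__ == "__main__":
    # Constructed input: the page's /27 example plus a sample white list.
    print(blocked_range("10.1.1.15", "27"))
    print(plan_null_route("10.1.1.15", "27", ["10.1.1.0/28", "192.0.2.7"]))
```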
Configuring Remediations for Cisco PIX Firewalls
Cisco provides a Cisco PIX Shun remediation module that allows you to block an IP address or network using Cisco’s “shun” command. This blocks all traffic sent from either the source or destination host that violated the correlation policy and closes all current connections (note that this will not block traffic sent through the firewall to the host).
The Cisco PIX Shun remediation module supports Cisco PIX Firewall 6.0 and higher. You must have level 15 administrative access or higher to launch Cisco PIX remediations.
Note A destination-based remediation only works if you configure it to launch when a correlation rule that is based on a connection event or intrusion event triggers. Discovery events only transmit source hosts.
To create remediations for Cisco PIX firewalls:
Step 1 Enable Telnet or SSH (Cisco recommends SSH) on the firewall.
Refer to the documentation provided with your Cisco PIX firewall for more information about enabling SSH or Telnet.
Step 2 On the Defense Center, add a Cisco PIX Shun instance for each Cisco PIX firewall you plan to use with the Defense Center.
See Adding a Cisco PIX Instance for the procedures.
Step 3 Create specific remediations for each instance, based on the type of response you want to elicit on the firewall when correlation policies are violated.
The available remediation types are described in the following sections:
Step 4 Begin assigning Cisco PIX remediations to specific correlation policy rules.
Adding a Cisco PIX Instance
After you configure SSH or Telnet on the Cisco PIX firewall, you can add an instance to the Defense Center. If you have multiple firewalls you want to send remediations to, you must create a separate instance for each firewall.
Note Cisco recommends that you use an SSH connection instead of a Telnet connection. Data transmitted using SSH is encrypted, making it much more secure than Telnet.
Step 1 Select Policies > Actions > Instances.
Step 2 From the Add a New Instance list, select Cisco PIX Shun and click Add.
The Edit Instance page appears.
Step 3 In the Instance Name field, type a name for the instance.
The name you choose cannot contain spaces or special characters and should be descriptive. For example, if you intend to connect more than one Cisco firewall, you will have multiple instances, so you may want to choose a name such as PIX_01, PIX_02, and so on.
Step 4 Optionally, type a description for the instance in the Description field.
Step 5 In the PIX IP field, enter the IP address of the Cisco PIX firewall you want to use for the remediation.
Step 6 If you require a specific username other than the default (pix), type it in the Username field.
Step 7 In the Connection Password fields, enter the password required to connect to the firewall using SSH or Telnet. The password entered in both fields must match.
Step 8 In the Enable Password fields, enter the SSH or Telnet enable password. This is the password used to enter privileged mode on the firewall. The password entered in both fields must match.
Step 9 In the White List field, enter IP addresses that you want to exempt from the remediation, one on each line. You can also use CIDR notation or a specific IP address. For example, the following white list is accepted by the system:
Note that this white list is not associated with any compliance white lists you have created. For information on using CIDR notation in the FireSIGHT System, see IP Address Conventions.
Step 10 From the Protocol list, select the method you want to use to connect to the firewall.
The instance is created and remediations appear in the Configured Remediations section of the page. You must add specific remediations for them to be used in correlation policies. See the following sections for more information:
Cisco PIX Block Destination Remediations
The Cisco PIX Block Destination remediation allows you to block traffic sent from the destination host in a correlation event.
Note Do not use this remediation as a response to a correlation rule that is based on a discovery event; discovery events only transmit a source host and not a destination host. You can use this remediation in response to correlation rules that are based on connection events or intrusion events.
Step 1 Select Policies > Actions > Instances.
Step 2 Next to the instance where you want to add the remediation, click View.
If you have not yet added an instance, see Adding a Cisco PIX Instance.
The Edit Instance page appears.
Step 3 In the Configured Remediations section, select Block Destination and click Add.
The Edit Remediation page appears.
Step 4 In the Remediation Name field, enter a name for the remediation.
The name you choose cannot contain spaces or special characters and should be descriptive. For example, if you have multiple Cisco PIX firewall instances and multiple remediations for each instance, you may want to specify a name such as PIX_01_BlockDest.
Step 5 Optionally, in the Description field, enter a description of the remediation.
Step 6 Click Create, then click Done.
Cisco PIX Block Source Remediations
The Cisco PIX Block Source remediation allows you to block any traffic sent from the source host included in the event that violates a correlation policy. The source host is the source IP address in the connection event or intrusion event upon which the correlation rule is based, or the host IP address in a discovery event.
Step 1 Select Policies > Actions > Instances.
Step 2 Next to the instance where you want to add the remediation, click View.
If you have not yet added an instance, see Adding a Cisco PIX Instance.
The Edit Instance page appears.
Step 3 In the Configured Remediations section, select Block Source and click Add.
The Edit Remediation page appears.
Step 4 In the Remediation Name field, enter a name for the remediation.
The name you choose cannot contain spaces or special characters and should be descriptive. For example, if you have multiple Cisco PIX firewall instances and multiple remediations for each instance, you may want to specify a name such as PIX_01_BlockSrc.
Step 5 Optionally, in the Description field, enter a description of the remediation.
Configuring Nmap Remediations
You can respond to a correlation event by scanning the host where the triggering event occurred. You can choose to scan only the port from the event that triggered the correlation event.
To set up Nmap scanning in response to a correlation event, you must first create an Nmap scan instance, then add an Nmap scan remediation. You can then configure Nmap scanning as responses to violations of rules within the policy.
Adding an Nmap Scan Instance
You can set up a separate scan instance for each Nmap module that you want to use to scan hosts on your network for operating system and server information. You can set up scan instances for the local Nmap module on your Defense Center and for any managed devices you want to use to run scans remotely. The results of each scan are always stored on the Defense Center where you configure the scan, even if you run the scan from a remote managed device. To prevent accidental or malicious scanning of mission-critical hosts, you can create a blacklist for the instance to indicate the hosts that should never be scanned with the instance.
Note that you cannot add a scan instance with the same name as any existing scan instance.
Step 1 Select Policies > Actions > Instances.
Step 2 Select Nmap Remediation (v1.0) from the Add a module type drop-down list and click Add.
The Edit Instance page appears.
Step 3 In the Instance Name field, enter a name that includes 1 to 63 alphanumeric characters, with no spaces and no special characters other than underscore (_) and dash (-).
Step 4 In the Description field, specify a description that includes 0 to 255 alphanumeric characters, including spaces and special characters.
Step 5 Optionally, in the Black Listed Scan hosts field, specify any hosts or networks that should never be scanned with this scan instance, using the following syntax:
If you specifically target a scan to a host that is in a blacklisted network, that scan will not run. For information on using CIDR notation in the FireSIGHT System, see IP Address Conventions.
Step 6 Optionally, to run the scan from a remote managed device instead of the Defense Center, specify the name or IP address of the managed device in the Remote Device Name field.
Nmap Scan Remediations
You can define the settings for an Nmap scan by creating an Nmap remediation. An Nmap remediation can be used as a response in a correlation policy, run on demand, or scheduled to run at a specific time. In order for the results of an Nmap scan to appear in the network map, the scanned host must already exist in the network map. Note that NetFlow, the host input feature, and the system itself can add hosts to the network map.
For more information on the specific settings in an Nmap remediation, see Understanding Nmap Remediations.
Note that Nmap-supplied server and operating system data remains static until you run another Nmap scan. If you plan to scan a host for operating system and server data using Nmap, you may want to set up regularly scheduled scans to keep any Nmap-supplied operating system and server data up-to-date. For more information, see Automating Nmap Scans. Also note that if the host is deleted from the network map, any Nmap scan results for that host are discarded.
For general information about Nmap functionality, refer to the Nmap documentation at http://insecure.org.
Step 1 Select Policies > Actions > Scanners.
Step 2 Click Add Remediation next to the scan instance where you want to add a remediation.
The Edit Remediation page appears.
Step 3 In the Remediation Name field, type a name for the remediation that includes 1 to 63 alphanumeric characters, with no spaces and no special characters other than underscore (_) and dash (-).
Step 4 In the Description field, type a description for the remediation that includes 0 to 255 alphanumeric characters, including spaces and special characters.
Step 5 If you plan to use this remediation in response to a correlation rule that triggers on an intrusion event, a connection event, or a user event, configure the Scan Which Address(es) From Event? option.
- Select Scan Source and Destination Addresses to scan the hosts represented by the source IP address and the destination IP address in the event.
- Select Scan Source Address Only to scan the host represented by the event’s source IP address.
- Select Scan Destination Address Only to scan the host represented by the event’s destination IP address.
If you plan to use this remediation in response to a correlation rule that triggers on a discovery event or a host input event, by default the remediation scans the IP address of the host involved in the event; you do not need to configure this option.
Note Do not assign an Nmap remediation as a response to a correlation rule that triggers on a traffic profile change.
Step 6 Configure the Scan Type option:
- To scan quickly in stealth mode on hosts where the admin account has raw packet access or where IPv6 is not running, by initiating TCP connections but not completing them, select TCP Syn Scan.
- To scan by using a system connect() call, which can be used on hosts where the admin account on your Defense Center does not have raw packet access or where IPv6 is running, select TCP Connect Scan.
- To send an ACK packet to check whether ports are filtered or unfiltered, select TCP ACK Scan.
- To send an ACK packet to check whether ports are filtered or unfiltered but also determine whether a port is open or closed, select TCP Window Scan.
- To identify BSD-derived systems using a FIN/ACK probe, select TCP Maimon Scan.
Step 7 Optionally, to scan UDP ports in addition to TCP ports, select On for the Scan for UDP ports option.
Tip A UDP port scan takes more time than a TCP port scan. To speed up your scans, leave this option disabled.
Step 8 If you plan to use this remediation in response to correlation policy violations, configure the Use Port From Event option:
- Select On to scan the port in the correlation event, rather than the ports you specify in step 12.
If you scan the port in the correlation event, note that the remediation scans the port on the IP addresses that you specified in step 8. These ports are also added to the remediation’s dynamic scan target.
- Select Off to scan only the ports you will specify in step 12.
Step 9 If you plan to use this remediation in response to correlation policy violations and want to run the scan using the appliance running the detection engine that detected the event, configure the Scan from reporting detection engine option:
Step 10 Configure the Fast Port Scan option:
Step 11 In the Port Ranges and Scan Order field, type the ports you want to scan by default, using Nmap syntax, in the order you want to scan those ports.
Specify values from 1 to 65535. Separate ports using commas or spaces. You can also use a hyphen to indicate a port range. When scanning for both TCP and UDP ports, preface the list of TCP ports you want to scan with a T and the list of UDP ports with a U. For example, to scan ports 53 and 111 for UDP traffic, then scan ports 21-25 for TCP traffic, enter U:53,111,T:21-25.
Note that the Use Port From Event option overrides this setting when the remediation is launched in response to a correlation policy violation, as described in step 8.
Step 12 To probe open ports for server vendor and version information, configure Probe open ports for vendor and version information:
Step 13 If you choose to probe open ports, set the number of probes used by selecting a number from the Service Version Intensity drop-down list:
Step 14 To scan for operating system information, configure Detect Operating System settings:
Step 15 To determine whether or not host discovery occurs and whether port scans are only run against available hosts, configure Treat All Hosts As Online:
Step 16 Select the method to be used when Nmap tests to see if a host is present and available:
- TCP SYN: note that this option scans port 80 by default and that TCP SYN scans are less likely to be blocked by a firewall with stateful firewall rules.
- TCP ACK: note that this option scans port 80 by default and that TCP ACK scans are less likely to be blocked by a firewall with stateless firewall rules.
Step 17 If you want to scan a custom list of ports during host discovery, type a list of ports appropriate for the host discovery method you selected, separated by commas, in Host Discovery Port List.
Step 18 Configure the Default NSE Scripts option to control whether to use the default set of Nmap scripts for host discovery and server, operating system, and vulnerability discovery:
See http://nmap.org/nsedoc/categories/default.html for the list of default scripts.
Step 19 To set the timing of the scan process, select a timing template number; select a higher number for a faster, less comprehensive scan and a lower number for a slower, more comprehensive scan.
Step 20 Click Save, then click Done.
Configuring Set Attribute Remediations
You can respond to a correlation event by setting a host attribute value on the host where the triggering event occurred. For text host attributes, you can choose to use the description from the event as the attribute value. For more information on host attributes, see Working with the Predefined Host Attributes and Working with User-Defined Host Attributes.
To configure setting an attribute value in response to a correlation event, you must first create a set attribute instance, then add a set attribute remediation. You can then configure attribute value updates as responses to violations of rules within the policy.
Adding a Set Attribute Value Instance
You can set up an instance to set attribute values in response to correlation rule violations.
To create a set attribute instance:
Step 1 Select Policies > Actions > Instances.
Step 2 Select Set Attribute Value (v1.0) from the Add a module type drop-down list and click Add.
The Edit Instance page appears.
Step 3 In the Instance Name field, enter a name that includes 1 to 63 alphanumeric characters, with no spaces and no special characters other than underscore (_) and dash (-).
Step 4 In the Description field, specify a description that includes 0 to 255 alphanumeric characters, including spaces and special characters.
Set Attribute Value Remediations
You can create a set attribute value remediation for each attribute value you want to be able to set in response to a correlation rule violation. If the attribute you want to set is a text attribute, you can set the remediation to use the description from the event as the attribute value.
To create a set attribute value remediation:
Step 1 Select Policies > Actions > Instances.
Step 2 Click View next to the set attribute instance where you want to add a remediation.
The Edit Instance page appears.
Step 3 Select Set Attribute Value from the Add a new remediation of type drop-down list.
The Edit Remediation page appears.
Step 4 In the Remediation Name field, type a name for the remediation that includes 1 to 63 alphanumeric characters, with no spaces and no special characters other than underscore (_) and dash (-).
Step 5 In the Description field, type a description for the remediation that includes 0 to 255 alphanumeric characters, including spaces and special characters.
Step 6 If you plan to use this remediation in response to a correlation rule that triggers on an intrusion event, user event, or a connection event, configure the Update Which Host(s) From Event option.
- Select Update Source and Destination Hosts to update the attribute value on the hosts represented by the source IP address and the destination IP address in the event.
- Select Update Source Host Only to update the attribute value on the host represented by the event’s source IP address.
- Select Update Destination Host Only to update the attribute value on the host represented by the event’s destination IP address.
If you plan to use this remediation in response to a correlation rule that triggers on a discovery event or host input event, by default the remediation sets the attribute value on the host involved in the event; you do not need to configure this option.
Step 7 Configure the Use Description From Event For Attribute Value (text attributes only) option:
Step 8 If you are not planning to use the event description, type the attribute value you want to set in the Attribute Value field.
Step 9 Click Save, then click Done.
Working with Remediation Status Events
When a remediation triggers, a remediation status event is generated. These events are logged to the database and can be viewed on the Remediation Status page. You can search, view, and delete remediation status events.
Viewing Remediation Status Events
The page you see when you access remediation status events differs depending on the workflow you use. You can use the predefined workflow, which includes a table view of remediations. The table view contains a row for each remediation status event. You can also create a custom workflow that displays only the information that matches your specific needs. For information on creating a custom workflow, see Creating Custom Workflows.
The following list describes some of the specific actions you can perform on a remediation status events workflow page.
- To learn more about the columns that appear, see Understanding the Remediation Status Table.
- To modify the time and date range for displayed events, see Setting Event Time Constraints. Note that events that were generated outside the appliance's configured time window (whether global or event-specific) may appear in an event view if you constrain the event view by time. This can occur even if you configured a sliding time window for the appliance.
- To constrain or sort the events in the view, see Constraining Events and Sorting Drill-Down Workflow Pages.
- To use a different workflow, click (switch workflow) by the workflow title. For more information, see Selecting Workflows.
- To navigate to the correlation events view to see associated events, click Correlation Events. For more information, see Navigating Between Workflows.
- To bookmark the current page so that you can quickly return to it, click Bookmark This Page. For more information, see Using Bookmarks.
- To navigate to the bookmark management page, click View Bookmarks. For more information, see Using Bookmarks.
- To generate a report based on the data in the current view, click Report Designer. For more information, see Creating a Report Template from an Event View.
- To drill down to the next page in the workflow, constraining on a specific value, use one of the methods described in Constraining Events.
- To search for remediation status events, click Search. For more information, see Searching for Remediation Status Events.
To view remediation status events:
Step 1 Select Analysis > Correlation > Status.
The first page of the default remediations workflow appears. To use a different workflow, including a custom workflow, click (switch workflow) by the workflow title. For information on specifying a different default workflow, see Configuring Event View Settings. If no events appear, you may need to adjust the time range; see Setting Event Time Constraints.
Tip If you are using a custom workflow that does not include the table view of remediations, click (switch workflow) menu by the workflow title, then select Remediation Status.
Working with Remediation Status Events
You can change the layout of the event view or constrain the events in the view by a field value.
When you disable a column, it is disabled for the duration of your session (unless you add it back later). Note that when you disable the first column, the Count column is added.
Clicking a value within a row in a table view constrains the table view and does not drill down to the next page.
Tip Table views always include “Table View” in the page name.
Understanding the Remediation Status Table
You can configure the Defense Center to launch a variety of responses to policy violations and to discovery events. These responses include remediations, such as blocking a host at the firewall or router when it violates a policy. When a remediation triggers, a remediation status event is generated and logged to the database. For more information on remediations, see Configuring Remediations.
The fields in the remediation status table are described in the following table.
To display the table view of remediation status events:
Step 1 Select Analysis > Correlation > Status.
The table view appears. For information on working with remediation status events, see Working with Remediation Status Events.
Tip If you are using a custom workflow that does not include the table view of remediation status events, click (switch workflow) by the workflow title, then click Remediation Status.
Searching for Remediation Status Events
You can search for remediation status events to determine when and if a particular remediation was launched. You may want to create searches customized for your network environment, then save them to reuse later. The search criteria you can use are described in the following table.
- Result Message: Enter the exact name of the result message (a message that describes what happened when the remediation was launched) you want to match. Valid status messages are:
Note If you installed custom remediation modules, you may be able to enter additional status messages implemented by the custom module.
- Time: Specify the date and time the Defense Center launched the remediation. See Specifying Time Constraints in Searches for the syntax for entering time.
- Remediation Name: Enter the exact name of the remediation that was launched. This is the name you specified when you created the remediation.
- Policy: Enter the name of the correlation policy that triggered the remediation.
- Rule: Enter the name of the correlation rule that triggered the remediation.
For more information on searching, including how to load and delete saved searches, see Searching for Events.
To search for remediation status events:
Step 1 Select Analysis > Search.
Step 2 From the table drop-down menu, select Remediation Status.
Tip To search the database for a different kind of event, select it from the table drop-down list.
Step 3 Enter your search criteria in the appropriate fields, as described in the Remediation Status Search Criteria table.
If you enter criteria for multiple fields, the search returns only the records that match search criteria specified for all fields.
Step 4 Optionally, if you plan to save the search, you can select the Private check box to save the search as private so only you can access it. Otherwise, leave the check box clear to save the search for all users.
Tip If you want to save a search as a restriction for restricted event analyst users, you must save it as a private search.
Step 5 Optionally, you can save the search to be used again in the future. You have the following options:
- For a new search, a dialog box appears prompting for the name of the search; enter a unique search name and click Save. If you save new criteria for a previously-existing search, no prompt appears. The search is saved (and visible only to your account if you selected Private) so that you can run it at a later time.
- A dialog box appears prompting for the name of the search; enter a unique search name and click Save. The search is saved (and visible only to your account if you selected Private) so that you can run it at a later time.
Step 6 Click Search to start the search.
Your search results appear in the default remediation status workflow, constrained by the current time range. To use a different workflow, including a custom workflow, click (switch workflow) by the workflow title. For information on specifying a different default workflow, see Configuring Event View Settings.