Juniper SECURITY THREAT RESPONSE MANAGER 2008.2 - CONFIGURING DSMS REV 1 Manual page 202


Universal DSM

You can use a regular expression calculator to verify that a regular expression search pattern functions properly against the event string being parsed. You can download a commonly used freeware Windows-based regular expression calculator from: http://www.silveragesoftware.com/rxl.html.

Using Device Extensions

If you are running STRM 6.1.2 or above, we recommend that you use device extensions to associate a Universal DSM to devices. Device extensions allow you to immediately extend parsing routines. You can configure device extension information using the Sensor Devices window in the STRM Administration Console. For information about device extensions, see the Managing Sensor Devices Guide.

Note: If you are running STRM 6.1.1 or earlier, see the following sections for information on configuring your Universal DSM.

Universal DSM Example

This section provides an example of a Universal DSM. The example uses a simple software-based UNIX firewall. This UNIX firewall creates two critical syslog messages (firewall accept and firewall deny) that are suitable for STRM to parse. For example:

Firewall Accept example -> Jun 09 16:50:43.813005 rule 669/(match) user="john doe" pass in on em1: 172.16.11.240.1844 > 172.16.53.34.6080: S 2744116838:2744116838(0) win 16384 mss1460,nop,nop,sackOK> 00:01:23:45:67:89 > 01:22:33:44:55:66

Firewall Deny example -> Mar 26 22:06:16.057139 rule 0/0(match): block in on rl0: 172.16.165.146.53 > 172.16.169.126.1026: 1024 update
The Universal DSM supports the parsing of Event Name, Source IP Address, Destination IP Address, Source Port, Destination Port, and Protocol from within event messages. When building a Universal DSM, the first goal is to analyze the available event messages and isolate which of the data fields are actually contained within the messages. In this UNIX firewall example, the syslog messages contain data for all of the fields except for Protocol, as displayed in the table below:

Table 84-1 Example of Messages

Record                  Event Name  Source IP Address  Destination IP Address  Source Port
Firewall Accept Record  pass        172.16.11.240      172.16.53.34            1844
Firewall Deny Record    block       172.16.165.146     172.16.169.126          53
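The field isolation described above is what the regular expressions of a Universal DSM eventually have to express. The following Python script is an added example, not part of the Juniper manual or of STRM itself: it applies one search pattern to both example records, extracts the four fields shown in Table 84-1 (Event Name, Source IP Address, Destination IP Address, Source Port) plus the Destination Port, and returns None for any message the pattern does not recognise, so an unparsed record can be reviewed instead of being normalised with empty fields. The two sample messages are copied from the text; the interface name group and the port-range check are additions of this example.

```python
import re

# Sample messages, copied from the two example records in the text.
FIREWALL_ACCEPT = (
    'Jun 09 16:50:43.813005 rule 669/(match) user="john doe" pass in on em1: '
    "172.16.11.240.1844 > 172.16.53.34.6080: S 2744116838:2744116838(0) win 16384 "
    "mss1460,nop,nop,sackOK> 00:01:23:45:67:89 > 01:22:33:44:55:66"
)
FIREWALL_DENY = (
    "Mar 26 22:06:16.057139 rule 0/0(match): block in on rl0: "
    "172.16.165.146.53 > 172.16.169.126.1026: 1024 update"
)

# One pattern serves both records: the action word (pass/block) is the Event
# Name, and each endpoint is written as four IP octets followed by a fifth
# dotted component that carries the port (172.16.11.240.1844 = host:1844).
# Capturing the interface (em1, rl0) is an addition of this example.
EVENT_RE = re.compile(
    r"\b(?P<event>pass|block)\b"                               # Event Name
    r"\s+(?:in|out)\s+on\s+(?P<iface>\w+):\s+"                # direction, interface
    r"(?P<src_ip>\d{1,3}(?:\.\d{1,3}){3})\.(?P<src_port>\d{1,5})"   # Source IP.port
    r"\s+>\s+"
    r"(?P<dst_ip>\d{1,3}(?:\.\d{1,3}){3})\.(?P<dst_port>\d{1,5})"   # Destination IP.port
)


def _valid_ip(text):
    """True when every dotted octet is in 0..255 (the regex alone allows 999)."""
    return all(0 <= int(octet) <= 255 for octet in text.split("."))


def parse_firewall_event(line):
    """Return the parsed fields as a dict, or None when the line is not recognised.

    Ports are returned as integers. Protocol is deliberately absent: as the
    text notes, these messages do not carry it, so nothing is guessed.
    """
    match = EVENT_RE.search(line)
    if match is None:
        return None
    fields = match.groupdict()
    if not (_valid_ip(fields["src_ip"]) and _valid_ip(fields["dst_ip"])):
        return None
    for key in ("src_port", "dst_port"):
        port = int(fields[key])
        if not 0 <= port <= 65535:
            return None
        fields[key] = port
    return fields


def parse_all(lines):
    """Parse a batch of syslog lines, keeping unparsed ones in a separate list."""
    parsed, unparsed = [], []
    for line in lines:
        fields = parse_firewall_event(line)
        (parsed if fields is not None else unparsed).append(fields if fields else line)
    return parsed, unparsed


if __name__ == "__main__":
    ok, rejected = parse_all([FIREWALL_ACCEPT, FIREWALL_DENY, "Mar 26 22:06:17 rule 0/0(match): block in on rl0: malformed"])
    for record in ok:
        print(record)
    print("unparsed:", rejected)
```

Running the script prints one dict per recognised record, with the same values as the table rows, and lists the constructed malformed line as unparsed. The same pattern, entered as the event-parsing regular expression of a Universal DSM, would populate the corresponding fields; the regular expression calculator mentioned earlier is the place to confirm that before committing the DSM configuration.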
