Enterasys Intrusion Prevention System Reporting Manual

Analysis and reporting guide

Enterasys® Intrusion Prevention System Analysis and Reporting Guide, P/N 9034069-13

Summary of Contents for Enterasys Intrusion Prevention System

  • Page 1 Enterasys® Intrusion Prevention System Analysis and Reporting Guide, P/N 9034069-13...
  • Page 3 Enterasys Networks reserves the right to make changes in specifications and other information contained in this document and its web site without prior notice. The reader should in all cases consult Enterasys Networks to determine whether any such changes have been made.
  • Page 4 (2) copies of the Licensed Software in whole or in part, including the original media, in your possession for said purposes without Enterasys’ prior written consent, and in no event shall You operate more than one copy of the Licensed Software.
  • Page 5 Licensed Materials to ensure that no unauthorized personnel shall have access thereto and that no unauthorized copy, publication, disclosure, or distribution, in whole or in part, in any form shall be made, and You agree to notify Enterasys of any unauthorized use thereof.
  • Page 6 Enterasys in good faith determines that the media and proof of payment of the license fee are returned to Enterasys or the dealer from whom it was obtained within ninety (90) days of the date of payment of the license fee.
  • Page 7: Table Of Contents

    Version Support (ix); Related Documents (ix); Conventions (x); Getting Help (x); Chapter 1: Getting Started; Starting Enterasys IPS Reporting (1-1); Displaying Interactive Reports (1-4); 24 Hours Reports (1-4); Top N Reports (1-6); Trending Reports (1-8); Creating and Editing Report Filters ...
  • Page 8 Selecting the Top N Report Type (4-2); Event Breakdown of Data (4-4); Displaying Details for a Selected Event (4-5); Selecting a Chart Type (4-5); Chapter 5: Trending Reports; Daily Event Rate Report (5-1); Selecting a Display Type (5-2); Defining a Daily Event Rate Report ...
  • Page 9 SummaryByIP (11-11); EventSummary (11-11); SummaryByDirection (11-13); SummaryLast7Days (11-13); SummaryByGroup (11-13); Creating Custom Queries (11-14); Filter Management (11-16); Load Events (11-17); Realtime Status (11-18); Using the Forensics Console (11-18); Reviewing Forensics (11-18); Notes Option ...
  • Page 11: About This Guide

    Detection System (IDS), active response, and intrusion prevention. This guide describes the reports available with Enterasys IPS version 7.5 or higher using the web-based GUI. The first part of the book describes the current reporting tools. Legacy tools are described in the last chapter of the book.
  • Page 12: Conventions

    A description of any action(s) already taken to resolve the problem (for example, changing mode switches and rebooting the unit) • The serial and revision numbers of all involved Enterasys Networks products in the network • A description of your network environment (for example, layout and cable type) •...
  • Page 13: Chapter 1: Getting Started

    The reports use data from Network and Host Sensors. Enterasys IPS Reporting uses this data to generate customized reports that help you isolate attacks. The reports help you analyze IDS events in real time, spot long-term trends, and inspect individual event details and associated information.
  • Page 14 <IP address> is the IP address of the Reporting server. b. When the Launch page displays, click on the Dragon Reporting link. The Enterasys IPS Launch page also offers a link to the Legacy Dragon Reporting tools, which are described in Chapter 11, Legacy Reporting.
  • Page 15 “Creating and Viewing User Defined Reports” on page 1-11 • Schedule and manage user-defined reports • Display help and logout System Dashboard Provides several views of the Enterasys IPS “The Views Panel” on page 2-2 Views Panel system health information System Dashboard Provides detailed information about the “The Tabbed...
  • Page 16: Displaying Interactive Reports

    You can further filter the events displayed in the Event Summary tab by selecting an existing filter from the Filter drop down list or by configuring additional filter Parameters, as described in “Creating and Editing Report Filters” on page 1-10. 1-4 Enterasys IPS Analysis and Reporting Guide...
  • Page 17 The Event Log report table can be exported in CSV (comma separated values) format and opened immediately or saved as a file. To export, click on the CSV button at the top right of the pane.
  • Page 18: Top N Reports

    Event Group, Events by Score, and so on. You select the event data to display from a drop down list, shown in the following figure. You can interactively change the number of occurrences charted by increasing or decreasing the number in the Top field.
  • Page 19 Single-clicking on a section in the right hand chart causes those event details to be displayed in the Event Table pane.
  • Page 20: Trending Reports

    “Creating and Editing Report Filters” on page 1-10. The Event Growth Table shows all event counts for the two time periods, not just the Top and/or Bottom n events.
  • Page 21 The minimum and maximum daily event counts for the period are also displayed. The figure below displays the Column chart view for the time period of one week with a three-day moving average.
  • Page 22: Creating And Editing Report Filters

    To create or edit a filter: Click the Launch (...) button to the right of the Filter field. The Filter Parameters dialog window is displayed.
  • Page 23: Creating And Viewing User Defined Reports

    User Defined report templates are easily created from predefined templates. To create a new user defined report template and run the report: Select Schedule > Manage Report Templates from the main menu bar, then click the New Template button.
  • Page 24 Note that when you “run” the report, the output is not stored as a generated report. To generate the report and have it added to the list of generated reports, click the Generate icon (gray gear).
  • Page 25: Viewing Generated Reports

    Note: A warning that a script is running slowly will sometimes display when generating a report with a high event count. Workaround: For Firefox, select the checkbox to not see this warning again. For Internet Explorer, see http://support.microsoft.com/kb/175500.
  • Page 26: Viewing Database Restore Status

    During the restore process, a progress indicator showing the day currently being restored and the number of days remaining is displayed in the status bar at the bottom of the Dashboard, 24 Hours, Top N, and Find Events windows, as shown in the following figure.
  • Page 27: Chapter 2: System Dashboard

    Enterasys IPS deployment. This includes status information for the sensors and nodes within a deployment. The Dashboard lets you see at a glance both an overview of the status of your Enterasys IPS deployment and the status of each Enterasys IPS component in your network.
  • Page 28: The Views Panel

    The tooltip per bar displays the system name and the number of packets read per second by that system. Clicking on a system’s bar in the graph opens the Systems Tab in the left pane of the Dashboard, filtered on the specific system.
  • Page 29 Interfaces Status: The Interfaces Status pie chart displays the status of all known Enterasys IPS interfaces. Each currently present status category is a “slice” of the pie chart. Interfaces that are up, down, and unavailable are shown in the pie chart.
  • Page 30: The Tabbed Panel

    Systems Tab: By default, the Systems tab provides a table of system information for all the Enterasys IPS systems in your environment. An Enterasys IPS system is any system known to the EMS that contains an IPS component.
  • Page 31 • Down • Blank, for systems that do not have an Event Channel, such as an EMS that is not forwarding events to another server. Operating System: Type of operating system of the system.
  • Page 32 Status Message / Condition: No message (blank field): This sensor or system is up with no known issues. Sensor-name is not up: A system update occurred and one or more sensors on this system are down.
  • Page 33: Sensors Tab

    Interface is Down: The interface is link-down. Sensors Tab: The Sensors tab displays information about Network and Host Sensors in the Enterasys IPS environment. Table 2-2 on page 2-5 describes the type of data shown in the Sensors tab table columns.
  • Page 34 Packets that are read in successfully, but are filtered out by an application filter statement or because they are of a protocol type that Enterasys IPS does not know how to inspect. Expressed in packets per second. Packets Blocked (pps): In an in-line IPS deployment, the packets that are blocked due to either intrusion prevention rules or a black list rule.
  • Page 35: Interfaces Tab

    Interfaces Tab: The Interfaces tab displays information about the network interfaces of Enterasys IPS systems and sensors in the Enterasys IPS environment. By default, interface information is grouped in this table by system. Refer to “Sorting, Filtering, and Grouping In Columns”...
  • Page 36 Packets that are read in successfully, but are filtered out by an application filter statement or because they are of a protocol type that Enterasys IPS does not know how to inspect. Expressed in packets per second. Packets Blocked (pps): In an in-line IPS deployment, the packets that are blocked due to either intrusion prevention rules or a black list rule.
  • Page 37: EMS/Reporting Tab

    EMS/Reporting Tab: The EMS/Reporting tab displays Enterasys IPS-specific system information about EMS and Reporting servers in this Enterasys IPS environment. A graph of event cache traffic over time is also displayed, as shown in Figure 2-4 below.
  • Page 38: Customizing The Dashboard Interface

    To hide the entire Views panel, click the double left arrows icon as shown in Figure 2-6. Figure 2-6 Hide Views Panel. To show the Views panel, click the double right arrows icon as shown in Figure 2-7.
  • Page 39 Figure 2-9 Removing or Adding a View to the Views Panel. To reorganize the layout of views, click and drag the view’s title bar as shown in Figure 2-10.
  • Page 40: Customizing Tables In The Tabbed Panel

    To reorganize the layout of columns within tables, click and drag the column name to a new location. Figure 2-12 shows the Uptime column of the Systems table being repositioned to the right of the Status column. Figure 2-12 Moving Columns.
  • Page 41 Filters option for the Configuration Channel column lets you choose from the possible values that can be displayed in that column.
  • Page 42 Systems tab columns are described in Table 2-2 on page 2-5. Sensors tab columns are described in Table 2-5 on page 2-7. Interfaces tab columns are described in Table 2-6 on page 2-9.
  • Page 43 Use this feature to remove systems, sensors, or interfaces from the Dashboard that have stopped reporting statistics or no longer exist in the Enterasys IPS deployment environment. If the component starts reporting statistics again, it will again be displayed in the Dashboard.
  • Page 44 State / Description: Active: Filter on Enterasys IPS systems/sensors with a status of Active, meaning that they are operating normally (the Configuration Channel and Sensor are both up). Inactive: Filter on Enterasys IPS systems/sensors with a status of Inactive, meaning that...
  • Page 45: Resetting The Dashboard Interface To The Default Layout

    Enterasys IPS Reporting server cookies as follows. In the Web browser you use to view Enterasys IPS Reporting, view stored cookies. In Firefox, for example, select Tools > Options from the main menu, then click Privacy. Click Show Cookies to see the list of stored browser cookies.
  • Page 46: Platform-Specific Dashboard Details

    This section provides details about how the various Enterasys IPS statistics available in the Dashboard are gathered. In addition, differences between supported operating systems in how this data is collected are detailed.
  • Page 47 Dashboard uses Host Sensor heartbeat events on Windows to provide the following Host Sensor status information: • Host Sensor Uptime • Host Sensor Event Rate • Host Sensor CPU Usage • Host Sensor Memory Used • Total System Memory
  • Page 49: Chapter 3: 24 Hours Reports

    You can filter the data in the report by selecting an existing filter from the Filter drop down list, or by creating a new report filter, as described in “Creating and Editing Report Filters” on page 1-10.
  • Page 50: Event Log Report

    You can filter the data further by selecting an existing filter from the Filter drop down list, or by creating a new report filter, as described in “Creating and Editing Report Filters” on page 1-10.
  • Page 51 Refer to Chapter 8, Viewing a PCAP File for an Event, for more information. Mail Event: Opens your mail application with the URL for the event in the content field of the message.
  • Page 52: Setting Display Preferences

    All columns in the 24 Hours report tables have a drop down menu that allows you to sort, group, and filter the contents, as appropriate. Figure 3-5 shows the drop down menu that is displayed for the Score column in the 24 Hours reports.
  • Page 53 Filters option for the Score column lets you choose from the possible values that can be displayed in that column (Critical, High, Medium, Low).
  • Page 54: Exporting Tables In CSV Format

    When prompted, select Open or Save. If you selected Open, the file will be opened using the selected application (such as Microsoft Excel). If you selected Save, you will be prompted to specify the location.
  • Page 55: Chapter 4: Top N Reports

    Top field at the top of the chart. Filter the data further by selecting an existing filter from the Filter drop down list, or by creating a new filter, as described in “Creating and Editing Report Filters” on page 1-10.
  • Page 56: Selecting The Top N Report Type

    Figure 4-2 shows the drop down list of Top N report types that can be selected. Table 4-1 describes the Top N reports.
  • Page 57 Charts the top “N” sensors receiving the least events over the time period specified by the Filter value. The value of “N” is 10 by default, but can be changed in the Top field.
  • Page 58: Event Breakdown Of Data

    10 event breakdown of the data group, as shown in Figure 4-3 on page 4-5. Single-clicking on a section in the right hand chart causes those event details to be displayed in the lower event detail pane.
  • Page 59: Displaying Details For A Selected Event

    You can either hover over a pie slice to see what it represents in a tooltip or change the chart type to Bar or Column to obtain a chart with labeled data.
  • Page 61: Chapter 5: Trending Reports

    The minimum and maximum daily event counts for the period are also displayed. Figure 5-1 displays the Column chart view for the time period of one week with a three-day moving average.
  • Page 62: Selecting A Display Type

    On some charts you can select the Logarithmic button to display the data in logarithmic scale. The following graphic illustrates the different chart types.
  • Page 63 Pie charts show the event rate per time period. Hovering over a pie slice shows the date, number of events, and the percent of events for the time period occurring on that date.
  • Page 64 Table Report: The Daily Event Count Table report lists the time period segments/days, the event count per day, the difference in count from the previous day, and the moving average.
  • Page 65: Defining A Daily Event Rate Report

    Event Growth Report: The Event Growth report compares the number of occurrences of events between two time periods. By default, the time period is one day (comparing the last 24 hour period with the previous 24...
  • Page 66 The text boxes displaying this information are bordered in green if the event count increased and in red if the event count decreased. Figure 5-5 Event Growth Tab – Column Chart.
  • Page 67: Selecting A Chart Type

    Bar chart in logarithmic scale. Figure 5-6 Event Growth Tab – Bar Chart. Note: The axis labels in Bar charts may overlap, depending on the browser window size.
  • Page 68 Table reports show all the data, not just the Top n and Bottom n events, as shown in Figure 5-8 on page 5-9. In the Table report, you can right click on an event row to display a description of the event.
  • Page 69: Defining An Event Growth Report

    Filter drop down list range from 15 minutes to 4 weeks. For information on setting a date range or other filter parameters, see “Creating and Editing Report Filters” on page 1-10.
  • Page 71: Chapter 6: Event Table Pane

    The Event Table pane is located at the bottom of the interface window. Single-clicking on a data group in a chart or table causes the Event Table pane to display. Figure 6-1 Event Table Pane.
  • Page 72 Destination Address Lookup to display a new browser window that attempts to resolve the IP address using a DNS lookup. Additional publicly-available web sites that perform address resolution are provided as links on the browser page. Destination Port: The destination port.
  • Page 73: Customizing The Event Table Display

    Page field, as shown in Figure 6-3. You can interactively refresh the display by clicking the circular arrow icon next to the Page field.
  • Page 74: Resizing Columns

    Figure 6-6 are selectable for all columns, depending on what is appropriate for the data in the column. Clicking in the column header also reverses the sort order of the column.
  • Page 75 Figure 6-8 illustrates how to display a list of columns in the Event Detail table. Check or uncheck the appropriate check box to display or hide specific columns. Figure 6-8 Selecting Columns to Display.
  • Page 76: Exporting Tables In CSV Format

    When prompted, select Open or Save. If you selected Open, the file will be opened using the selected application (such as Microsoft Excel). If you selected Save, you will be prompted to specify the location.
  • Page 77: Chapter 7: Event Details

    Event Summary, Event Log, and the Event Table pane. To display the Event Details window for an event: Right click an event. Select Event Details... from the right click menu. Figure 7-1 Launching Event Details Window.
  • Page 78 Description — Includes a detailed description of the event. The Reference(s) hotlinks launch a web browser to Google to search for that reference. • Signature Definition — Shows the signature of the event.
  • Page 79 Applicable to any TCP event that supports the Dragon mktcpdump CLI tool. Refer to Chapter 8, Viewing a PCAP File for an Event, for more information.
  • Page 80 Any additional details about the event. If you launch the Event Details window from an event name, such as from Event Summary, the Event Details window contains only the Description and Signature Definition tabs.
  • Page 81: Chapter 8: Viewing A PCAP File For An Event

    Enterasys IPS Reporting lets you download the session data for a given event in the form of a PCAP file. This lets you view traffic data in an application such as Wireshark. To view captured session traffic data for an event: In the Event Table pane, right click and select Download PCAP.
  • Page 83: Chapter 9: User Defined Reporting

    Click on the desired template from the Predefined Templates list. The Template Details window is displayed. Note that, depending on the template chosen, certain fields in the Query Parameters area may be grayed out.
  • Page 84 Run the report manually by clicking on the Run Report icon (green arrow) on the right of the report’s row and view the output. Note that when you “run” the report, the output is not stored as a generated report.
  • Page 85: Viewing Generated Reports

    Each generated report provides the tools described in Table 9-2. Table 9-2 Generated Reports Tools, Icon/Description: Displays the selected generated report. Creates a new email message containing a link to the selected generated report.
  • Page 86 Table 9-2 Generated Reports Tools, Icon/Description: Prompts you to delete the selected generated report.
  • Page 87: Chapter 10: Preferences

    Table Page Max Rows: The maximum number of table rows displayed per page when displaying a list of generated reports or when displaying a list of report templates. By default this is 50 rows.
  • Page 88: Configuring Session Time-Out

    Generally, for Enterasys IPS appliances, this command should not be changed from the default. Configuring Session Time-out: The Enterasys IPS Reporting Web interface has a default session time-out of 30 minutes. You can change this interval by editing the <session-timeout>...
  • Page 89: Chapter 11: Legacy Reporting

    A high storage capacity is needed to store the significant number of events that can be in the buffer. Dedicating a machine to run only the Realtime Console agent can easily maintain several million events in the ring buffer.
  • Page 90: Dragon Forensics Console

    In general, the legacy tools should be used to report on IPv4 events. • Realtime Console reports will not include any IPv6 events. • Trending and Executive reports will include IPv6 events but will not display the address.
  • Page 91: Accessing The Legacy Reporting Tools

    The reporting tool interface is web-based and its appearance may vary slightly depending on your browser. The Main window provides navigation areas and a display area as well as the ability to select the desired reporting tool.
  • Page 92 There is a top right navigation area which allows you to select the desired tool. The top left navigation area provides tool-specific selection. The left navigation area provides tool-specific functionality. The bottom navigation area contains tool-specific actions. Navigation areas vary depending on the selected reporting tool.
  • Page 93 Display Area: The Display Area populates most of the right side of the window. It is in this area that the selected data is displayed and that you manipulate that data.
  • Page 94: Using The Realtime Console

    Click the Filters pulldown and select the desired filter. Although default filters exist, you can create custom filters. See Filter Management on page 11-16. Click Execute. The desired data is shown in the display area.
  • Page 95: AnalyzeEvent

    ChartGroups has several macros that enable certain recent time periods for analysis. For example, ChartGroups-6hr charts the various group activities for the last 6 hours. For each active...
  • Page 96: GraphEvents And GraphScores

    Clicking on any portion of the graph brings you to that area’s corresponding event summary. Figure 11-7 is an example graph of port 80 events over the last 48 hours.
  • Page 97: EventDetail

    For network-based events of either TCP or UDP protocols, clicking on the URL associated with the source and destination address results in a Dragon Forensics Console mksession query and displays the underlying network session. Clicking on the event type for any event (regardless if it...
  • Page 98: EventsByGroup

    A list of all active Dragon Network Sensors is output for event summary, as shown in Figure 11-10. Only Dragon sensors that have an active event are listed. Clicking on a Dragon sensor name lists an event summary of events only from that engine. Figure 11-10 Realtime EventsByNetworkSensor.
  • Page 99: EventsScoredByIP

    The strip chart shows a 48-hour time line that is slightly different than the 24-hour time line used in the Dragon Forensic Console’s sum_event tool. Figure 11-13 is an example output.
  • Page 100 Dragon Network Sensor. Notice the trailing events and also a much less dense occurrence of any one event. Figure 11-14 Realtime EventSummary (Well-Tuned). Figure 11-15 Realtime EventSummary (IPS Events).
  • Page 101: SummaryByDirection

    In some cases, this output can be easier to analyze than the raw event summary output because the list of events is broken into smaller groups.
  • Page 102: Creating Custom Queries

    Click Custom Query in the top left navigation area. Enter the desired criteria in the entry fields provided. Only those fields that pertain to your search need to be completed. There are no required fields.
  • Page 103 Time Mode field. • Time Start and Stop fields can contain date values in the following format: “YYMmmDD”, for example, “03Aug23”. These values are valid when a date or dates are selected for the Time Mode field.
  • Page 104: Filter Management

    For example, (1). Click Execute. The display area is populated with entry fields for the selected field. Enter the desired information in the fields.
  • Page 105: Load Events

    To load specific events: Click Load Events in the top left navigation area. Select the desired event from the pulldown menu. Click Execute. The display area is populated with information about the loaded events.
  • Page 106: Realtime Status

    To access the Forensics Console Main Window and tools: Click Forensics in the top right navigation area. The Forensics Console main window appears as shown in Figure 11-21. Navigation options are shown in the left navigation panel.
  • Page 107 Clicking on a source or destination port launches a mksession tool with the intent of reconstructing the session associated with the event. The maximum number of events listed can be selected from a pulldown menu in the output mode filter.
  • Page 108 The display area is populated with the requested data. The following figures provide two sample reports. Figure 11-22 is an example output of the sum_event tool. Figure 11-23 shows the sum_event tool options used to select the desired output format.
  • Page 109: Notes Option

    This allows you to write notes or messages for limited event tracking. To add notes: Click Notes in the left navigation panel. The display area is populated with any existing notes for the day.
  • Page 110: Using The Trending Console

    To manipulate event summary data: Click Event Summary in the top left navigation area. This is the default selection when entering the Trending Console. The display area is populated with Event Summary information.
  • Page 111 IP Filter menu. Multiple IP addresses or CIDR blocks can be specified by using the & character. For example, data can be entered as 10.100.100.125 & 10.10.10.0/24 & 10.10.20.0/24
  • Page 112: IP Address Summaries

    The top seven events are indexed in a legend to the left of the graph. Filtering certain events can cause this graph and table to regenerate. Select the desired information to view by clicking the navigation buttons and selecting the desired item in the pulldown menu.
  • Page 113: Event Details

    Select the desired information to view by clicking the navigation buttons and selecting the desired item in the pulldown menu. Table 11-7 Event Detail Buttons, Button/Description: Sensors: A list of available sensors.
  • Page 114: Creating Additional Reports

    Click Additional Reports in the top left navigation area. Enter the desired criteria in the entry fields provided. Only those fields that pertain to your search need be completed. There are no required fields.
  • Page 115 • Time Start and Stop fields can contain date values in the following format: “YYMmmDD”, for example, “03Aug23”. These values are valid when a date or dates are selected for the Time Mode field.
  • Page 116: Using Executive Reporting

    To access the Executive Reporting Main Window and generate new reports: Click Reporting in the top right navigation area. The Executive Reporting main window appears as shown in Figure 11-24. Selection options are shown in the left navigation panel.
  • Page 117: Managing Reports

    A new window appears allowing you to select the sensors for which to save the report. Reports that are created include the following: – Attacks Listed By Exploit – Listed By Priority – Attacks Listed By Destination IP – Top 10 Attacks – Total Events Over Time
  • Page 118: Viewing Saved Reports

    You can right-click on the link and select Save As to save the report to a new location. Report Examples: The following examples show some of the available reports. Figure 11-28 Event Ratios by Risk Level.
  • Page 119 Figure 11-29 Event Count by Classification. Figure 11-30 Event Count by Day.
  • Page 120 Figure 11-31 Event Ratios by Day.
  • Page 121 Index Numerics EventDetail 11-9 setting 10-1 events 24 Hours reports searching for 1-13 about Query Parameters EventsByGroup 11-10 CSV exporting EventsByNetworkSensor 11-10 customizing EventSummary 11-11 Event Log report realtime Executive Reporting 11-2 Event Summary report analyze event 11-7 Legacy 11-28 overview chart groups 11-7...
  • Page 122 EMS/Reporting tab 2-11 Interfaces tab Sensors tab status column values Systems tab table rows, deleting 2-17 Table Page Max Rows 10-1 Top N reports about CSV exporting defining event breakdown pane overview report filters 1-10 report types setting display preferences 3-4, trending custom queries 11-26...
