Enterasys Intrusion Prevention System User manual

P/N 9034069-13
Enterasys®
Intrusion Prevention System
Analysis and Reporting Guide


Notice
Enterasys Networks reserves the right to make changes in specifications and other information contained in this document and
its web site without prior notice. The reader should in all cases consult Enterasys Networks to determine whether any such
changes have been made.
The hardware, firmware, or software described in this document is subject to change without notice.
IN NO EVENT SHALL ENTERASYS NETWORKS BE LIABLE FOR ANY INCIDENTAL, INDIRECT, SPECIAL, OR
CONSEQUENTIAL DAMAGES WHATSOEVER (INCLUDING BUT NOT LIMITED TO LOST PROFITS) ARISING OUT OF
OR RELATED TO THIS DOCUMENT, WEB SITE, OR THE INFORMATION CONTAINED IN THEM, EVEN IF
ENTERASYS NETWORKS HAS BEEN ADVISED OF, KNEW OF, OR SHOULD HAVE KNOWN OF, THE POSSIBILITY OF
SUCH DAMAGES.
Enterasys Networks, Inc.
50 Minuteman Road
Andover, MA 01810
© 2011 Enterasys Networks, Inc. All rights reserved.
Part Number: 9034069-13 November 2011
ENTERASYS, ENTERASYS DRAGON, ENTERASYS NETSIGHT, ENTERASYS NETWORKS, and any logos associated
therewith, are trademarks or registered trademarks of Enterasys Networks, Inc. in the United States and other countries. For a
complete list of Enterasys trademarks, see http://www.enterasys.com/company/trademarks.aspx.
Adobe, Acrobat, and Acrobat Reader are registered trademarks of Adobe Systems Incorporated.
Intel, Intel Pentium, Xeon, Celeron, and Pentium II are trademarks or registered trademarks of Intel Corporation.
Cisco is a registered trademark of Cisco Systems, Inc.
FireWall-1, OPSEC and Check Point are trademarks or registered trademarks of Check Point Software Technologies Ltd.
Dell and PowerEdge are trademarks of Dell Inc.
IPX/SPX, Novell and NetWare are trademarks or registered trademarks of Novell, Inc.
Linux is a trademark of Linus Torvalds.
Microsoft, Windows, and Windows NT are trademarks or registered trademarks of Microsoft Corporation.
Netscape is a registered trademark of Netscape Communications Corporation.
Red Hat is a registered trademark of Red Hat, Inc.
Solaris is a trademark of Sun MicroSystems, Inc.
SPARC is a registered trademark of SPARC International, Inc.
Sun and Java are trademarks or registered trademarks of Sun Microsystems, Inc.
UNIX is a registered trademark of The Open Group.
Product Series Name includes software whose copyright is licensed from MySQL AB.
Product Series Name contains a proprietary operating system based on Linux.
GNU general public License Copyright (C) 1989, 1991 Free Software Foundation, Inc.
All other product names mentioned in this manual may be trademarks or registered trademarks of their respective companies.
Support Site URL: http://www.enterasys.com/support
Documentation URL: https://extranet.enterasys.com/downloads/

Enterasys Networks, Inc. Software License Agreement
This document is an agreement (“Agreement”) between You, the end user, and Enterasys Networks, Inc. on behalf of itself and
its Affiliates (“Enterasys”) that sets forth your rights and obligations with respect to the software contained in CD-ROM or
other media. “Affiliates” means any person, partnership, corporation, limited liability company, or other form of enterprise that
directly or indirectly through one or more intermediaries, controls, or is controlled by, or is under common control with the
party specified. BY INSTALLING THE ENCLOSED PRODUCT, YOU ARE AGREEING TO BECOME BOUND BY THE TERMS
OF THIS AGREEMENT, WHICH INCLUDES THE LICENSE AND THE LIMITATION OF WARRANTY AND DISCLAIMER
OF LIABILITY. IF YOU DO NOT AGREE TO THE TERMS OF THIS AGREEMENT, RETURN THE UNOPENED PRODUCT TO
ENTERASYS OR YOUR DEALER, IF ANY, WITHIN TEN (10) DAYS FOLLOWING THE DATE OF RECEIPT FOR A FULL
REFUND.
IF YOU HAVE ANY QUESTIONS ABOUT THIS AGREEMENT, CONTACT ENTERASYS NETWORKS, INC. (978) 684-1000.
Attn: Legal Department.
Enterasys will grant You a non-transferable, non-exclusive license to use the machine-readable form of software (the “Licensed
Software”) and the accompanying documentation (the Licensed Software, the media embodying the Licensed Software, and the
documentation are collectively referred to in this Agreement as the “Licensed Materials”) on one single computer if You agree
to the following terms and conditions:
1. TERM. This Agreement is effective from the date on which You open the package containing the Licensed Materials. You
may terminate the Agreement at any time by destroying the Licensed Materials, together with all copies, modifications and
merged portions in any form. The Agreement and your license to use the Licensed Materials will also terminate if You fail to
comply with any term or condition herein.
2. GRANT OF SOFTWARE LICENSE. The license granted to You by Enterasys when You open this sealed package
authorizes You to use the Licensed Software on any one, single computer only, or any replacement for that computer, for internal
use only. A separate license, under a separate Software License Agreement, is required for any other computer on which You or
another individual or employee intend to use the Licensed Software. YOU MAY NOT USE, COPY, OR MODIFY THE LICENSED
MATERIALS, IN WHOLE OR IN PART, EXCEPT AS EXPRESSLY PROVIDED IN THIS AGREEMENT.
3. RESTRICTION AGAINST COPYING OR MODIFYING LICENSED MATERIALS. Except as expressly permitted in this
Agreement, You may not copy or otherwise reproduce the Licensed Materials. In no event does the limited copying or
reproduction permitted under this Agreement include the right to decompile, disassemble, electronically transfer, or reverse
engineer the Licensed Software, or to translate the Licensed Software into another computer language.
The media embodying the Licensed Software may be copied by You, in whole or in part, into printed or machine readable
form, in sufficient numbers only for backup or archival purposes, or to replace a worn or defective copy. However, You agree
not to have more than two (2) copies of the Licensed Software in whole or in part, including the original media, in your
possession for said purposes without Enterasys’ prior written consent, and in no event shall You operate more than one copy of
the Licensed Software. You may not copy or reproduce the documentation. You agree to maintain appropriate records of the
location of the original media and all copies of the Licensed Software, in whole or in part, made by You. You may modify the
machine-readable form of the Licensed Software for (1) your own internal use or (2) to merge the Licensed Software into other
program material to form a modular work for your own use, provided that such work remains modular, but on termination of
this Agreement, You are required to completely remove the Licensed Software from any such modular work. Any portion of the
Licensed Software included in any such modular work shall be used only on a single computer for internal purposes and shall
remain subject to all the terms and conditions of this Agreement.
You agree to include any copyright or other proprietary notice set forth on the label of the media embodying the Licensed
Software on any copy of the Licensed Software in any form, in whole or in part, or on any modification of the Licensed Software
or any such modular work containing the Licensed Software or any part thereof.
4. TITLE AND PROPRIETARY RIGHTS.
(a) The Licensed Materials are copyrighted works and are the sole and exclusive property of Enterasys, any company or a
division thereof which Enterasys controls or is controlled by, or which may result from the merger or consolidation
with Enterasys (its “Affiliates”), and/or their suppliers. This Agreement conveys a limited right to operate the Licensed
Materials and shall not be construed to convey title to the Licensed Materials to You. There are no implied rights. You
shall not sell, lease, transfer, sublicense, dispose of, or otherwise make available the Licensed Materials or any portion
thereof, to any other party.
(b) You further acknowledge that in the event of a breach of this Agreement, Enterasys shall suffer severe and irreparable
damages for which monetary compensation alone will be inadequate. You therefore agree that in the event of a breach
of this Agreement, Enterasys shall be entitled to monetary damages and its reasonable attorney’s fees and costs in
enforcing this Agreement, as well as injunctive relief to restrain such breach, in addition to any other remedies available
to Enterasys.

5. PROTECTION AND SECURITY. In the performance of this Agreement or in contemplation thereof, You and your
employees and agents may have access to private or confidential information owned or controlled by Enterasys relating to the
Licensed Materials supplied hereunder including, but not limited to, product specifications and schematics, and such
information may contain proprietary details and disclosures. All information and data so acquired by You or your employees or
agents under this Agreement or in contemplation hereof shall be and shall remain Enterasys’ exclusive property, and You shall
use your best efforts (which in any event shall not be less than the efforts You take to ensure the confidentiality of your own
proprietary and other confidential information) to keep, and have your employees and agents keep, any and all such information
and data confidential, and shall not copy, publish, or disclose it to others, without Enterasys’ prior written approval, and shall
return such information and data to Enterasys at its request. Nothing herein shall limit your use or dissemination of information
not actually derived from Enterasys or of information which has been or subsequently is made public by Enterasys, or a third
party having authority to do so.
You agree not to deliver or otherwise make available the Licensed Materials or any part thereof, including without
limitation the object or source code (if provided) of the Licensed Software, to any party other than Enterasys or its employees,
except for purposes specifically related to your use of the Licensed Software on a single computer as expressly provided in this
Agreement, without the prior written consent of Enterasys. You agree to use your best efforts and take all reasonable steps to
safeguard the Licensed Materials to ensure that no unauthorized personnel shall have access thereto and that no unauthorized
copy, publication, disclosure, or distribution, in whole or in part, in any form shall be made, and You agree to notify Enterasys
of any unauthorized use thereof. You acknowledge that the Licensed Materials contain valuable confidential information and
trade secrets, and that unauthorized use, copying and/or disclosure thereof are harmful to Enterasys or its Affiliates and/or
its/their software suppliers.
6. MAINTENANCE AND UPDATES. Updates and certain maintenance and support services, if any, shall be provided to
You pursuant to the terms of an Enterasys Service and Maintenance Agreement, if Enterasys and You enter into such an
agreement. Except as specifically set forth in such agreement, Enterasys shall not be under any obligation to provide Software
Updates, modifications, or enhancements, or Software maintenance and support services to You.
7. DEFAULT AND TERMINATION. In the event that You shall fail to keep, observe, or perform any obligation under this
Agreement, including a failure to pay any sums due to Enterasys, or in the event that You become insolvent or seek protection,
voluntarily or involuntarily, under any bankruptcy law, Enterasys may, in addition to any other remedies it may have under
law, terminate the License and any other agreements between Enterasys and You.
(a) Immediately after any termination of the Agreement or if You have for any reason discontinued use of Software, You
shall return to Enterasys the original and any copies of the Licensed Materials and remove the Licensed Software from
any modular works made pursuant to Section 3, and certify in writing that through your best efforts and to the best of
your knowledge the original and all copies of the terminated or discontinued Licensed Materials have been returned
to Enterasys.
(b) Sections 4, 5, 7, 8, 9, 10, 11, and 12 shall survive termination of this Agreement for any reason.
8. EXPORT REQUIREMENTS. You understand that Enterasys and its Affiliates are subject to regulation by agencies of the
U.S. Government, including the U.S. Department of Commerce, which prohibit export or diversion of certain technical products
to certain countries, unless a license to export the product is obtained from the U.S. Government or an exception from obtaining
such license may be relied upon by the exporting party.
If the Licensed Materials are exported from the United States pursuant to the License Exception CIV under the U.S. Export
Administration Regulations, You agree that You are a civil end user of the Licensed Materials and agree that You will use the
Licensed Materials for civil end uses only and not for military purposes.
If the Licensed Materials are exported from the United States pursuant to the License Exception TSR under the U.S. Export
Administration Regulations, in addition to the restriction on transfer set forth in Section 4 of this Agreement, You agree not to
(i) reexport or release the Licensed Software, the source code for the Licensed Software or technology to a national of a country
in Country Groups D:1 or E:2 (Albania, Armenia, Azerbaijan, Belarus, Cambodia, Cuba, Georgia, Iraq, Kazakhstan, Kyrgyzstan,
Laos, Libya, Macau, Moldova, Mongolia, North Korea, the People’s Republic of China, Russia, Tajikistan, Turkmenistan,
Ukraine, Uzbekistan, Vietnam, or such other countries as may be designated by the United States Government), (ii) export to
Country Groups D:1 or E:2 (as defined herein) the direct product of the Licensed Software or the technology, if such foreign
produced direct product is subject to national security controls as identified on the U.S. Commerce Control List, or (iii) if the
direct product of the technology is a complete plant or any major component of a plant, export to Country Groups D:1 or E:2
the direct product of the plant or a major component thereof, if such foreign produced direct product is subject to national
security controls as identified on the U.S. Commerce Control List or is subject to State Department controls under the U.S.
Munitions List.

9. UNITED STATES GOVERNMENT RESTRICTED RIGHTS. The Licensed Materials (i) were developed solely at private
expense; (ii) contains “restricted computer software” submitted with restricted rights in accordance with section 52.227-19 (a)
through (d) of the Commercial Computer Software-Restricted Rights Clause and its successors, and (iii) in all respects is
proprietary data belonging to Enterasys and/or its suppliers. For Department of Defense units, the Licensed Materials are
considered commercial computer software in accordance with DFARS section 227.7202-3 and its successors, and use,
duplication, or disclosure by the U.S. Government is subject to restrictions set forth herein.
10. LIMITED WARRANTY AND LIMITATION OF LIABILITY. The only warranty Enterasys makes to You in connection
with this license of the Licensed Materials is that if the media on which the Licensed Software is recorded is defective, it will be
replaced without charge, if Enterasys in good faith determines that the media and proof of payment of the license fee are
returned to Enterasys or the dealer from whom it was obtained within ninety (90) days of the date of payment of the license fee.
NEITHER ENTERASYS NOR ITS AFFILIATES MAKE ANY OTHER WARRANTY OR REPRESENTATION, EXPRESS OR
IMPLIED, WITH RESPECT TO THE LICENSED MATERIALS, WHICH ARE LICENSED "AS IS". THE LIMITED WARRANTY
AND REMEDY PROVIDED ABOVE ARE EXCLUSIVE AND IN LIEU OF ALL OTHER WARRANTIES, INCLUDING
IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE, WHICH ARE EXPRESSLY
DISCLAIMED, AND STATEMENTS OR REPRESENTATIONS MADE BY ANY OTHER PERSON OR FIRM ARE VOID. ONLY
TO THE EXTENT SUCH EXCLUSION OF ANY IMPLIED WARRANTY IS NOT PERMITTED BY LAW, THE DURATION OF
SUCH IMPLIED WARRANTY IS LIMITED TO THE DURATION OF THE LIMITED WARRANTY SET FORTH ABOVE. YOU
ASSUME ALL RISK AS TO THE QUALITY, FUNCTION AND PERFORMANCE OF THE LICENSED MATERIALS. IN NO
EVENT WILL ENTERASYS OR ANY OTHER PARTY WHO HAS BEEN INVOLVED IN THE CREATION, PRODUCTION OR
DELIVERY OF THE LICENSED MATERIALS BE LIABLE FOR SPECIAL, DIRECT, INDIRECT, RELIANCE, INCIDENTAL OR
CONSEQUENTIAL DAMAGES, INCLUDING LOSS OF DATA OR PROFITS OR FOR INABILITY TO USE THE LICENSED
MATERIALS, TO ANY PARTY EVEN IF ENTERASYS OR SUCH OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY
OF SUCH DAMAGES. IN NO EVENT SHALL ENTERASYS OR SUCH OTHER PARTY'S LIABILITY FOR ANY DAMAGES
OR LOSS TO YOU OR ANY OTHER PARTY EXCEED THE LICENSE FEE YOU PAID FOR THE LICENSED MATERIALS.
Some states do not allow limitations on how long an implied warranty lasts and some states do not allow the exclusion or
limitation of incidental or consequential damages, so the above limitation and exclusion may not apply to You. This limited
warranty gives You specific legal rights, and You may also have other rights which vary from state to state.
11. JURISDICTION. The rights and obligations of the parties to this Agreement shall be governed and construed in
accordance with the laws and in the State and Federal courts of the Commonwealth of Massachusetts, without regard to its rules
with respect to choice of law. You waive any objections to the personal jurisdiction and venue of such courts. None of the 1980
United Nations Convention on the Limitation Period in the International Sale of Goods, and the Uniform Computer Information
Transactions Act shall apply to this Agreement.
12. GENERAL.
(a) This Agreement is the entire agreement between Enterasys and You regarding the Licensed Materials, and all prior
agreements, representations, statements, and undertakings, oral or written, are hereby expressly superseded and
canceled.
(b) This Agreement may not be changed or amended except in writing signed by both parties hereto.
(c) You represent that You have full right and/or authorization to enter into this Agreement.
(d) This Agreement shall not be assignable by You without the express written consent of Enterasys. The rights of
Enterasys and Your obligations under this Agreement shall inure to the benefit of Enterasys’ assignees, licensors, and
licensees.
(e) Section headings are for convenience only and shall not be considered in the interpretation of this Agreement.
(f) The provisions of the Agreement are severable and if any one or more of the provisions hereof are judicially determined
to be illegal or otherwise unenforceable, in whole or in part, the remaining provisions of this Agreement shall
nevertheless be binding on and enforceable by and between the parties hereto.
(g) Enterasys’ waiver of any right shall not constitute waiver of that right in future. This Agreement constitutes the entire
understanding between the parties with respect to the subject matter hereof, and all prior agreements, representations,
statements and undertakings, oral or written, are hereby expressly superseded and canceled. No purchase order shall
supersede this Agreement.
(h) Should You have any questions regarding this Agreement, You may contact Enterasys at the address set forth below.
Any notice or other communication to be sent to Enterasys must be mailed by certified mail to the following address:
ENTERASYS NETWORKS, INC., 50 Minuteman Road, Andover, MA 01810 Attn: Manager - Legal Department.

Contents
About This Guide
    Intended Audience  ix
    Version Support  ix
    Related Documents  ix
    Conventions  x
    Getting Help  x
Chapter 1: Getting Started
    Starting Enterasys IPS Reporting  1-1
    Displaying Interactive Reports  1-4
        24 Hours Reports  1-4
        Top N Reports  1-6
        Trending Reports  1-8
        Creating and Editing Report Filters  1-10
    Creating and Viewing User Defined Reports  1-11
        Creating a User Defined Report  1-11
        Viewing Generated Reports  1-13
    Finding Events  1-13
    Viewing Database Restore Status  1-14
Chapter 2: System Dashboard
    System Dashboard Overview  2-1
    The Views Panel  2-2
    The Tabbed Panel  2-4
        Systems Tab  2-4
        Sensors Tab  2-7
        Interfaces Tab  2-9
        EMS/Reporting Tab  2-11
    Customizing the Dashboard Interface  2-12
        Customizing the Views Panel  2-12
        Customizing Tables in the Tabbed Panel  2-14
        Resetting the Dashboard Interface to the Default Layout  2-19
    Platform-Specific Dashboard Details  2-20
        Unix and Linux Systems  2-20
        Windows Systems  2-20
Chapter 3: 24 Hours Reports
    Event Summary Report  3-1
    Event Log Report  3-2
    Setting Display Preferences  3-4
    Customizing 24 Hours Report Tables  3-4
        Resizing Columns  3-4
        Moving Columns  3-4
        Sorting, Filtering, and Grouping In Columns  3-4
        Exporting Tables in CSV Format  3-6
Chapter 4: Top N Reports
    Defining a Top N Report  4-1
    Selecting the Top N Report Type  4-2
    Event Breakdown of Data  4-4
        Displaying Details for a Selected Event  4-5
    Selecting a Chart Type  4-5
Chapter 5: Trending Reports
    Daily Event Rate Report  5-1
        Selecting a Display Type  5-2
        Defining a Daily Event Rate Report  5-5
        Displaying Details for a Selected Event  5-5
    Event Growth Report  5-5
        Selecting a Chart Type  5-7
        Defining an Event Growth Report  5-9
Chapter 6: Event Table Pane
    Displaying Data in the Event Table Pane  6-1
    Customizing the Event Table Display  6-3
        Setting Display Preferences  6-3
        Resizing Columns  6-4
        Moving Columns  6-4
        Sorting, Filtering, and Grouping In Columns  6-4
        Exporting Tables in CSV Format  6-6
Chapter 7: Event Details
Chapter 8: Viewing a PCAP File for an Event
Chapter 9: User Defined Reporting
    Creating a User Defined Report  9-1
    Viewing Generated Reports  9-3
Chapter 10: Preferences
    Schedule Preferences  10-1
    Configuring Session Time-out  10-2
Chapter 11: Legacy Reporting
    Legacy Reporting Tools  11-1
        Dragon Realtime Console  11-1
        Dragon Forensics Console  11-2
        Dragon Trending Console  11-2
        Dragon Executive Reporting  11-2
        IPv6 Support in Legacy Tools  11-2
    Accessing the Legacy Reporting Tools  11-3
        Main Window  11-3
    Using the Realtime Console  11-6
        Using the Console  11-6
        AnalyzeEvent  11-7
        ChartGroups  11-7
        GraphEvents and GraphScores  11-8
        EventDetail  11-9
        EventsByGroup  11-10
        EventsByNetworkSensor  11-10
        EventsScoredByIP  11-11
        SummaryByIP  11-11
        EventSummary  11-11
        SummaryByDirection  11-13
        SummaryLast7Days  11-13
        SummaryByGroup  11-13
        Creating Custom Queries  11-14
        Filter Management  11-16
        Load Events  11-17
        Realtime Status  11-18
    Using the Forensics Console  11-18
        Reviewing Forensics  11-18
        Notes Option  11-21
    Using the Trending Console  11-22
        Event Summaries  11-22
        IP Address Summaries  11-24
Event Details ........................................................................................................................................ 11-25
Creating Additional Reports ................................................................................................................. 11-26
Using Executive Reporting ......................................................................................................................... 11-28
Managing Reports ...................................................................................................................................... 11-29
Save All Reports .................................................................................................................................. 11-29
Viewing Saved Reports ........................................................................................................................ 11-30
Report Examples .................................................................................................................................. 11-30
Index

viii

Enterasys IPS Analysis and Reporting Guide ix
About This Guide
The Enterasys® Intrusion Prevention System (IPS) is a solution consisting of an Intrusion
Detection System (IDS), active response, and intrusion prevention. This guide describes the
reports available with Enterasys IPS version 7.5 or higher using the web-based GUI. The first part
of the book describes the current reporting tools. Legacy tools are described in the last chapter of
the book.
Reporting tools available using the command line are described in the Enterasys Intrusion
Prevention System Command Line Tools Reference.
Intended Audience
This document is intended for analysts who are responsible for generating reports about intrusive
attacks.
Version Support
This guide supports Enterasys Intrusion Prevention System Version 7.5, and higher.
Related Documents
The Enterasys IPS user documentation listed below is available from
https://extranet.enterasys.com/downloads.
Enterasys IPS Document Title: Description
Appliance Hardware Installation Guide: Describes how to set up the Enterasys IPS appliances.
Configuration Guide: Describes how to configure Enterasys IPS using GUI management tools. It also describes the placement of Enterasys IPS components within your network.
Creating Host Sensor Policies: Describes how to create custom Host Sensor policies.
Creating Network Sensor Policies and Signatures: Describes how to create custom Network Sensor policies and signatures.
Analysis and Reporting Guide: Describes the Enterasys IPS reporting tools. Reporting tools available from the command line are described in the Command Line Tools Reference.
Command Line Tools Reference: Describes the forensics command line tools you can use to analyze the events database or a single dragon.db file.

Conventions
The following conventions are used in this document.
<installdir>   Indicates to enter the path where you installed Dragon. The default directory is /usr/dragon.
bold type      Actual user input values or names of screens and commands.
blue type      Indicates a hypertext link. When reading this document online, click the text in blue to go to the referenced figure, table, or section.
italic type    User input value required.
courier        Used for command-level input or output.
Getting Help
For additional support, contact Enterasys Networks using one of the following methods:
World Wide Web   http://www.enterasys.com/support
Phone            1-800-872-8440 (toll-free in U.S. and Canada) or 1-978-684-1888
                 For the Enterasys Networks Support toll-free number in your country: http://www.enterasys.com/support
Email            [email protected]
                 To expedite your message, please type [dragon] in the subject line.
Before contacting Enterasys Networks for technical support, have the following information
ready:
• Your Enterasys Networks service contract number
• A description of the failure
• A description of any action(s) already taken to resolve the problem (for example, changing
mode switches, and rebooting the unit)
• The serial and revision numbers of all involved Enterasys Networks products in the network
• A description of your network environment (for example, layout, and cable type)
• Network load and frame size at the time of trouble (if known)
• The device history (for example, have you returned the device before, is this a recurring
problem)
• Any previous Return Material Authorization (RMA) numbers

1 Getting Started
The Enterasys IPS Enterprise Management Server (EMS) provides a Web-based interface for
reporting that lets you report on real-time data, perform forensics analysis, and spot trends. The
reports use data from Network and Host Sensors. Enterasys IPS Reporting uses this data to
generate customized reports that help you isolate attacks. The reports help you analyze IDS events
in real time, spot long-term trends, and inspect individual event details and associated
information.
Starting with v7.4, Enterasys IPS reporting supports IPv6 and IPv4.
For information about...                        Refer to page...
Starting Enterasys IPS Reporting                1-1
Displaying Interactive Reports                  1-4
Creating and Viewing User Defined Reports       1-11
Finding Events                                  1-13
Viewing Database Restore Status                 1-14

Starting Enterasys IPS Reporting
Use the following procedure to start using the Enterasys IPS reporting tools:
1. Access the analysis and reporting tools in one of three ways:
• Directly, by entering the following URL in your web browser:
https://<IP address>:9443/dragonreports
where <IP address> is the IP address of the Reporting server.
• From the EMS client GUI. Select Tools > Dragon Analysis & Reporting > Launch.
• By selecting Dragon Reporting from the Enterasys IPS Launch page.
a. Display the Launch page by entering either of the following URLs in your web
browser:
https://<IP address>:9443/
or
http://<IP address>:8080/
where <IP address> is the IP address of the Reporting server. The second URL is plain
HTTP; prefer the HTTPS URL on port 9443 so that the browser session, including the
login that follows, is encrypted.
b. When the Launch page displays, click on the Dragon Reporting link.
The Enterasys IPS Launch page also offers a link to the Legacy Dragon Reporting
tools, which are described in Chapter 11, Legacy Reporting.
2. When the Dragon Reporting Login screen displays, enter your User Name and Password, then
click login.
The default User Name is dragon and there is no default password. Because the dragon
account ships without a password, assign one before the Reporting server is reachable from
the rest of the network.
3. The System Dashboard and Reporting menu bar are displayed. The menu bar and Dashboard
areas are described in Table 1-1 below.

Table 1-1 System Dashboard and Menu Bar Descriptions

Menu Bar
Description: The items on the menu bar allow you to:
• Select the type of interactive reports to display
• Find information about specific events
• Schedule and manage user-defined reports
• Display help and logout
For more information: “Displaying Interactive Reports” on page 1-4; “Finding Events” on
page 1-13; “Creating and Viewing User Defined Reports” on page 1-11

System Dashboard Views Panel
Description: Provides several views of the Enterasys IPS system health information.
For more information: “The Views Panel” on page 2-2

System Dashboard Tabbed Panel
Description: Provides detailed information about the Enterasys IPS components and
sub-components present in your network environment.
For more information: “The Tabbed Panel” on page 2-4

Displaying Interactive Reports
You can display specific types of interactive reports by selecting from the menu bar. The
interactive reports include:
• 24 Hours Reports
• Top N Reports
• Trending Reports
24 Hours Reports
The 24 Hours reports are described in detail in Chapter 3, 24 Hours Reports.
Two types of 24 Hours interactive reports can be displayed:
• Event Summary
• Event Log
Event Summary
By default, the Event Summary report lists each distinct event that has occurred in the last 24
hours only once, together with the number of times it occurred during those 24 hours and the
hours in which it occurred.
Clicking on an event causes event details to be displayed in the Event Table pane located at the
bottom of the interface window, as shown in the following figure. Right-clicking on an event in the
Event Table pane displays a menu of further actions that can be applied to the event. For more
information about the Event Table pane, see Chapter 6, Event Table Pane.
You can further filter the events displayed in the Event Summary tab by selecting an existing filter
from the Filter drop down list or by configuring additional filter Parameters, as described in
“Creating and Editing Report Filters” on page 1-10.

For information about navigating through multiple pages and setting display parameters for the
24 Hours reports, see “Setting Display Preferences” on page 3-4.
Event Log
By default, the Event Log report lists all the events that have occurred in the last 24 hours, in
sequential order. You can filter the data further by selecting an existing filter from the Filter drop
down list, or by creating a new filter, as described in “Creating and Editing Report Filters” on
page 1-10.
Right-clicking on an event displays a menu of further actions that can be applied to the event, as
shown below.
The Event Log report table can be exported in CSV (comma separated values) format and opened
immediately or saved as a file. To export, click on the CSV button at the top right of the pane.

Top N Reports
The Top N reports are described in more detail in Chapter 4, Top N Reports.
By default, Top N reports chart the top 10 occurrences of the selected event data, such as Events by
Event Group, Events by Score, and so on. You select the event data to display from a drop down
list, shown in the following figure.
You can interactively change the number of occurrences charted by increasing or decreasing the
number in the Top field.

Filter the data further by selecting an existing filter from the Filter drop down list, or by creating a
new filter, as described in “Creating and Editing Report Filters” on page 1-10.
The default chart type for the main reports is Column, but you can interactively change the chart
type to Pie or Bar, and for some charts, you can display the data in Logarithmic scale.
Single clicking on a data group in the chart causes event details to be displayed in the Event Table
pane located at the bottom of the interface window, as shown in the following figure. Right-
clicking on an event in the Event Table pane displays a menu of further actions that can be applied
to the event. For more information about the Event Table pane, see Chapter 6, Event Table Pane.
Double clicking on a data group in the chart opens a pane on the right side of the main window
and displays a chart illustrating the event breakdown of the data group. Single clicking on a
section in the right hand chart causes those event details to be displayed in the Event Table pane.

Trending Reports
The Trending reports are described in detail in Chapter 5, Trending Reports.
The Trending reports can help you answer questions about long-term trends and activity. The
Trending reports query the MySQL database to display events. Two types of Trending interactive
reports can be displayed:
• Event Growth
• Daily Event Rates
Event Growth
The Event Growth tab compares the number of occurrences of events between two time periods.
By default, the time period is one day (comparing the last 24 hour period with the previous 24
hour period, as shown in the figure below).
Also by default, Event Growth charts (Column, Bar, Pie) show the Top 10 and Bottom 10 events —
the Top 10 events are those that showed the greatest positive growth over the time period, while
the Bottom 10 events showed the least (or negative) growth over the time period. You can select
the number of events to show, and you can choose to show only the Top n, only the Bottom n, or
both Top and Bottom.
You can interactively change the time periods displayed and other filter criteria, by changing the
time period value in the Filter drop-down list or by configuring a custom filter. For more
information about creating a custom filter, see “Creating and Editing Report Filters” on page 1-10.
The Event Growth Table shows all event counts for the two time periods, not just the Top and/or
Bottom n events.
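The two aggregations described above, the 24 Hours Event Summary (one row per event with its count and the hours in which it fired) and the Event Growth comparison between the last 24-hour period and the one before it, can be reproduced offline over exported event data. The following is an added example, not code from the product: the record layout (timestamp, event name), the event names and the reference time are constructed assumptions, because this page does not describe the events database schema. The window boundaries are half-open so that an event on the boundary is counted in exactly one period, and ties in growth are broken by name so the Top/Bottom selection is deterministic.

```python
"""Offline re-creation of two Enterasys IPS report aggregations:
the 24 Hours Event Summary and the Trending Event Growth comparison.

Added example, not product code. The (timestamp, event name) layout and
the event names below are constructed; the real schema is not on the page.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed reference time: the moment the report is generated.
NOW = datetime(2011, 11, 15, 12, 0, 0)
PERIOD = timedelta(days=1)

# Constructed events (timestamp, event name); not real sensor output.
EVENTS = [
    (datetime(2011, 11, 13, 10, 0), "ICMP:SWEEP"),        # older than both windows
    (datetime(2011, 11, 13, 15, 0), "WEB:SQL-INJECT"),    # previous window
    (datetime(2011, 11, 13, 23, 0), "SSH:BRUTE-FORCE"),
    (datetime(2011, 11, 14, 2, 0), "WEB:SQL-INJECT"),
    (datetime(2011, 11, 14, 6, 0), "ICMP:SWEEP"),
    (datetime(2011, 11, 14, 6, 30), "ICMP:SWEEP"),
    (datetime(2011, 11, 14, 12, 0), "WEB:SQL-INJECT"),    # exactly on the boundary
    (datetime(2011, 11, 14, 22, 10), "SSH:BRUTE-FORCE"),  # current window
    (datetime(2011, 11, 14, 22, 45), "SSH:BRUTE-FORCE"),
    (datetime(2011, 11, 15, 1, 5), "SSH:BRUTE-FORCE"),
    (datetime(2011, 11, 15, 3, 0), "WEB:SQL-INJECT"),
    (datetime(2011, 11, 15, 3, 20), "WEB:SQL-INJECT"),
    (datetime(2011, 11, 15, 9, 30), "SSH:BRUTE-FORCE"),
    (datetime(2011, 11, 15, 11, 59), "DNS:ZONE-XFER"),
]


def split_windows(events, now=NOW, period=PERIOD):
    """Return (current, previous). current covers (now - period, now],
    previous covers (now - 2*period, now - period]. Open on the left so a
    boundary event lands in exactly one period."""
    start = now - period
    current = [e for e in events if start < e[0] <= now]
    previous = [e for e in events if start - period < e[0] <= start]
    return current, previous


def event_summary(events):
    """24 Hours Event Summary: each event name once, with its total count
    and the sorted hours of day in which it occurred."""
    counts = Counter()
    hours = defaultdict(set)
    for ts, name in events:
        counts[name] += 1
        hours[name].add(ts.hour)
    return {name: (counts[name], sorted(hours[name])) for name in counts}


def event_growth(current, previous):
    """Event Growth table: every name seen in either period, mapped to
    (previous count, current count, growth)."""
    cur = Counter(name for _, name in current)
    prev = Counter(name for _, name in previous)
    return {name: (prev[name], cur[name], cur[name] - prev[name])
            for name in set(cur) | set(prev)}


def top_bottom(growth, n=10, show="both"):
    """Chart rows: the n names with the greatest growth (Top), the n with
    the least or most negative growth (Bottom), or both. Ties break by name."""
    top = sorted(growth, key=lambda k: (-growth[k][2], k))[:n]
    bottom = sorted(growth, key=lambda k: (growth[k][2], k))[:n]
    if show == "top":
        return top, []
    if show == "bottom":
        return [], bottom
    return top, bottom


def run_reports(events=EVENTS, now=NOW, n=10):
    """Summary for the current period plus the growth comparison."""
    current, previous = split_windows(events, now)
    growth = event_growth(current, previous)
    return {"summary": event_summary(current),
            "growth": growth,
            "chart": top_bottom(growth, n)}


if __name__ == "__main__":
    report = run_reports(n=2)
    for name, (count, hrs) in sorted(report["summary"].items()):
        print(f"{name:<16} count={count} hours={hrs}")
    top, bottom = report["chart"]
    print("Top growth:", top)
    print("Bottom growth:", bottom)
```

Run as-is to see the current-period summary and the Top 2 / Bottom 2 growth lists for the constructed data; the Event Growth table itself (`report["growth"]`) keeps every name from both periods, matching the behaviour described for the Event Growth Table.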