Attack Reports
This chapter describes the attack reports that the Detector module produces and includes the following topics:
• Report Layout
• Report Parameters
• Viewing Attack Reports
• Exporting Attack Reports
Report Layout
The Detector provides an attack report for each zone to help form a clearer picture of the attack. An attack begins when the first dynamic filter is produced and ends when no new dynamic filters are added. Reports include details of the attacks organized into sections. Each section describes different aspects of the traffic flow during an attack. You can view reports for past attacks and ongoing attacks and can export reports to an ftp server.
Reports include the following sections:
• General Details
• Attack Statistics
• Detected Anomalies
General Details
This section of the attack report includes general information about an attack. Table 9-1 describes the fields in this section of the report.
Table 9-1 Field Descriptions in General Details Section of Attack Report
Field | Description
Report ID | The identification number of the report.
Attack Start | Displays the date and time that the attack started.
Attack End | Displays the date and time that the attack ended. Attack in progress indicates that the attack is ongoing.
Attack Duration | Displays the duration of the attack.
Attack Statistics
The Attack Statistics provide a general analysis of the received traffic flow.
Detected Anomalies
The Detected Anomalies section of the attack report provides details of the traffic anomalies the Detector module detected in the zone's traffic. A flow is classified as an anomaly when it requires the production of a dynamic filter. These anomalies can occur infrequently or can turn into systematic DDoS attacks. The Detector clusters anomalies with the same type and flow parameters (such as source IP address and destination port) under one anomaly type. Table 9-2 describes the different types of detected anomalies.
Table 9-2 Types of Detected Anomalies
Type | Description
tcp_connections | A detected flow with an unusual number of concurrent TCP connections, with or without data.
http | An unusual HTTP traffic flow.
tcp_incoming | A detected flow attacking a TCP service.
tcp_outgoing | A detected flow consisting of a SYN-ACK flood or other packet attacks on connections initiated by the zone when the zone is the client.
unauthenticated_tcp | A detected flow that the Detector anti-spoofing mechanisms have not succeeded in authenticating, for example, an ACK flood, a FIN flood, or any other flood of unauthenticated packets.
dns (udp) | An attacking DNS-UDP protocol flow.
dns (tcp) | An attacking DNS-TCP protocol flow.
udp | An attacking UDP protocol flow.
other_protocols | An attacking protocol flow that is neither TCP nor UDP.
fragments | A detected flow with an unusual amount of fragmented traffic.
tcp_ratio | A detected flow with an unusual ratio between different types of TCP packets, for example, SYN packets versus FIN/RST packets.
ip_scan | A detected flow initiated from a source IP address that tried to access many zone destination IP addresses.
port_scan | A detected flow initiated from a source IP address that tried to access many zone ports.
user | An anomaly flow detected by user definitions.
Report Parameters
The different sections of the report describe different aspects of the traffic flow.
Table 9-4 describes the fields for Attack Statistics.
Table 9-4 Field Descriptions for Attack Statistics
Field | Description
Total Packets | The total number of attack packets.
Average pps | The average traffic rate in packets-per-second units.
Average bps | The average traffic rate in bits-per-second units.
Max. pps | The maximum traffic rate measured in packets-per-second units.
Max. bps | The maximum traffic rate measured in bits-per-second units.
Table 9-5 describes the flow statistics for detected anomalies.
Table 9-5 Field Descriptions for Flow Statistics
Field | Description
ID | Indicates the identification number (ID) of the detected anomaly.
Start time | Indicates the date and time the anomaly was detected.
Duration | Indicates the duration of the anomaly in hours, minutes, and seconds.
Type | Indicates the type of anomaly.
Triggering rate | Indicates the anomaly traffic rate that violated a policy threshold.
% Threshold | Indicates the percentage by which the triggering rate is above the policy threshold.
Flow | Indicates the anomaly flow. The characteristics include the protocol number, source IP, source port, destination IP, and destination port, and indicate whether the traffic is fragmented or not. Any indicates that there is both fragmented and non-fragmented traffic.
A value of * for any of the parameters indicates one of the following:
• The value is undetermined.
• More than one value was measured for the anomaly's parameter.
A value of #, followed by a number, for any of the parameters, indicates the number of values measured for that parameter.
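The following added example (not code from the Detector or its documentation) shows how the Flow field notation and the % Threshold value described above can be derived from a set of measured flows. It assumes the reading that * marks an undetermined parameter, #N marks N distinct measured values, and Any marks mixed fragmentation; the sample flows and addresses are constructed.

```python
from typing import Optional

# Constructed sample records for one detected anomaly, shaped after the Flow
# field described above (protocol number, source IP/port, destination IP/port,
# fragmentation). None marks a parameter the detector could not determine.
# Addresses are documentation-range values, not real hosts.
SAMPLE_FLOWS = [
    {"protocol": 17, "src_ip": "198.51.100.7", "src_port": None,
     "dst_ip": "192.0.2.10", "dst_port": 53, "fragmented": False},
    {"protocol": 17, "src_ip": "198.51.100.9", "src_port": None,
     "dst_ip": "192.0.2.10", "dst_port": 53, "fragmented": True},
]
FLOW_FIELDS = ("protocol", "src_ip", "src_port", "dst_ip", "dst_port", "fragmented")


def percent_threshold(triggering_rate: float, policy_threshold: float) -> float:
    """'% Threshold': percentage by which the triggering rate exceeds the policy threshold."""
    if policy_threshold <= 0:
        raise ValueError("policy threshold must be positive")
    return (triggering_rate - policy_threshold) / policy_threshold * 100.0


def summarize_parameter(name: str, values: list) -> str:
    """Render one flow parameter in the report's notation.

    Assumed reading of the notes above: '*' when the value is undetermined,
    '#N' when N distinct values were measured, and 'Any' for mixed fragmentation.
    """
    measured = {v for v in values if v is not None}
    if not measured:
        return "*"
    if name == "fragmented":
        if len(measured) == 2:
            return "Any"
        return "fragmented" if measured.pop() else "non-fragmented"
    if len(measured) == 1:
        return str(measured.pop())
    return f"#{len(measured)}"


def render_flow(flows: list) -> str:
    """Collapse the measured flows of one anomaly into a single Flow field string."""
    return " ".join(
        summarize_parameter(f, [flow[f] for flow in flows]) for f in FLOW_FIELDS
    )


if __name__ == "__main__":
    print(render_flow(SAMPLE_FLOWS))                # 17 #2 * 192.0.2.10 53 Any
    print(f"{percent_threshold(12000, 8000):.1f}")  # 50.0
```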
Viewing Attack Reports
Use the show command to display a list of attack reports for any specific zone or a more detailed report for a specific attack. The syntax for the command is as follows:
show reports [current | report-id] [details]
Table 9-6 describes the keywords and arguments for the show reports command.
Table 9-6 Arguments and Keywords for the show reports Command
Parameter | Description
current | An attack that is in progress. The number of bits and packets is not displayed for an ongoing attack; in reports of an attack in progress, the packets and bits fields have a value of zero (0).
report-id | The identification number of the report.
details | (Optional) Displays details of the flows.
For example, to view a list of all attacks on the zone, enter:
admin@DETECTOR-conf-zone-scannet# show reports
The report displays the following output, with information about the duration of each attack, when it started, and when it ended.
To view the report for the current attack on the zone, enter:
admin@DETECTOR-conf-zone-scannet# show reports current
The report displays the following output. For more information about the different sections, see the "Report Layout" section.
To view a more detailed report on the flows of detected anomalies, use the details option.
Table 9-7 provides a list of the flow fields described in the detailed report.
Table 9-7 Field Descriptions of Flows in Detailed Report
Field | Description
Detected Flow | This row represents the flow that caused the production of the dynamic filter.
Action Flow | This row represents the flow that was addressed by the dynamic filter. The action flow can have a wider range than the detected flow. For example, the detected flow could indicate a specific source port for a specific source IP, whereas the action flow could indicate all source ports for the specified source IP.
Exporting Attack Reports
You can export attack reports to an ftp server for monitoring and diagnostics. You can export attack reports in text format or in Extensible Markup Language (XML) format.
Note
The user name and password of the ftp server appear in the show running-config output. We recommend that you use an anonymous ftp account.
Use the export command to automatically export reports in XML format to an ftp server at the end of an attack. See the xsd file released with the version for a description of the XML schema. The syntax for this command is as follows:
export reports ftp server full-file-name [login] [password]
Table 9-8 describes the arguments for the export reports command.
Table 9-8 Arguments for the export reports Command
Parameter | Description
server | The IP address of the ftp server.
full-file-name | The full file name for the report list. If a path is not specified, the default is the login user's home directory.
login | (Optional) The ftp server login name. When you do not insert a login name, the ftp server assumes an anonymous login and does not prompt for a password.
password | (Optional) The password for the remote ftp server.
Use the copy command to copy reports to an ftp server manually. You can copy attack reports for attacks on all zones or you can copy a report for a specific zone.
The syntax for the command is as follows:
copy reports [xml] [details] ftp server full-file-name [login] [password]
Table 9-9 describes the arguments and keywords for the copy reports command.
Table 9-9 Keywords and Arguments for the copy reports Command
Parameter | Description
xml | (Optional) Export the report in XML format. See the xsd file released with the version for a description of the XML schema. By default, reports are exported in text format. Reports in XML format include all details; if you include the xml option, it is not necessary to include the details option.
details | (Optional) Export details of flows and attacking source IPs.
server | The IP address of the ftp server.
full-file-name | The full file name for the report list. If a path is not specified, the default is the login user's home directory.
login | (Optional) The ftp server login name. The ftp server assumes an anonymous login when you do not insert a login name and will not prompt you for a password.
password | (Optional) The password for the remote ftp server.
For example, to copy a list of all attacks handled by the Detector module, in text format, to an ftp server at IP address 10.0.0.191 using login name user1 and password password1, enter:
admin@DETECTOR# copy reports ftp 10.0.0.191 Guard-reports.txt user1 password1
To copy the attack reports for a specific zone to an ftp server, enter the following at the Global command group level:
copy zone zone-name reports [current | report-id] [xml] [details] ftp server full-file-name [login] [password]
Table 9-10 describes the keywords and arguments for the copy zone reports command.
Table 9-10 Keywords and Arguments for the copy zone reports Command
Parameter | Description
zone-name | The name of an existing zone.
current | (Optional) Export an ongoing attack report (if applicable). By default, all zone reports are exported.
report-id | (Optional) The ID of an existing report. The Guard exports the report with the specified ID number. Use the show zone reports command to view the details of the zone attack reports. By default, all zone reports are exported.
xml | (Optional) Export the report in XML format. See the xsd file released with the version for a description of the XML schema. By default, reports are exported in text format. Reports in XML format include all details; if you include the xml option, it is not necessary to include the details option.
details | (Optional) Export details of flows and attacking source IPs.
server | The ftp server IP address.
full-file-name | The full file name for the report list. If a path is not specified, the default is the login user's home directory.
login | (Optional) The ftp server login name. When you do not insert a login name, the ftp server assumes an anonymous login and does not prompt for a password.
password | (Optional) The password for the remote ftp server.
For example, to copy all attack reports on the zone to an ftp server at IP address 10.0.0.191 using login name user1 and password password1, enter:
admin@DETECTOR# copy zone scannet reports ftp 10.0.0.191 ScannetCurrentReport.txt user1 password1