Table Of Contents
Monitoring Detector Module and Zone Operations
Viewing the Detector Module Summary Screen
Using the Detector Module Global Diagnostic Tools
Viewing the Global Counters
Viewing the Global Received Counter in Real Time
Viewing the Event Log
Viewing the Zone Status Screen
Zone Status Bar
Zone Traffic Rate Graph
Zone Status Table
Zone Recent Events Table
Using the Zone Diagnostic Tools
Viewing the Zone Counters
Using Zone Counters to Analyze Traffic Flow
Viewing the Zone Counters in Real Time
Viewing the Zone Event Log
Viewing the Attacks Summary Report
Viewing Details of an Attack Report
Viewing Report Details of a Past Attack
Viewing Details of a Current Attack
Understanding Attack Report Details
General Attack Information
Attack Statistics
Detected Anomalies
Viewing Details of Detected Anomalies
Exporting an Attack Report
Deleting an Attack Report
Viewing the Policy Statistics Table
Monitoring Detector Module and Zone Operations
This chapter describes how to perform tasks used for monitoring the status of the Cisco Traffic Anomaly Detector Module and its zones. Also described in this chapter are the WBM statistical tools that enable you to diagnose problems related to zone traffic flow.
This chapter includes the following sections:
• Viewing the Detector Module Summary Screen
• Using the Detector Module Global Diagnostic Tools
• Viewing the Zone Status Screen
• Using the Zone Diagnostic Tools
Viewing the Detector Module Summary Screen
The Detector Module Summary screen (see Figure 10-1) provides a summary of the current Detector module activity. It is the first screen to appear when connecting to the Detector module WBM. You can access the Detector Module Summary screen from the following locations within the interface:
• Click Detector Module Summary from the navigation pane.
• Click Home from the information area.
Figure 10-1 Detector Module Summary Screen
The Detector Module Summary screen includes the following two areas:
• Detector Summary—Graphical summary of the received traffic rate the Detector handled over the last two hours in bits per second (bps).
Table 10-1 describes the information that appears below the graph.
Table 10-1 Field Descriptions for Detector Module Summary Graph
Field | Description
Min. | Minimum traffic rate measured during the last two hours in bits per second (bps).
Max. | Maximum traffic rate measured during the last two hours in bits per second (bps).
Avg. | Average traffic rate measured during the last two hours in bits per second (bps).
Cur. | Current traffic rate in bits per second (bps).
• Zones Under Detection—Status information of the zones the Detector module is currently monitoring for traffic anomalies. The zone information the Detector module displays here varies depending on which of the following anomaly detection modes you activate:
– Detect—The Detector module displays the zone information whether or not the zone is under attack.
– Detect and Learn—The Detector module displays zone information only when the zone is under attack.
The Detector module lists the zones in the order in which they encountered attacks, with the most recently attacked zone appearing at the top of the list. You can click the information the Detector module displays in each row to view the associated zone summary screen.
Table 10-2 describes the fields for zones under detection.
Table 10-2 Field Descriptions for Zones Under Anomaly Detection
Field | Description
Zone | Zone name. The zone name also provides a link to the status screen of the specific zone.
Activation Time | Date and time that zone protection was activated.
Attack Start Time | Date and time the most recent attack on the zone was detected.
#DF | Number of Dynamic filters. Because the Detector module only creates a Dynamic filter when it detects an anomaly, a #DF value greater than zero indicates an attack on the zone.
#PF | Number of Pending Dynamic filters. The display is N/A if the zone is operating in automatic protect mode (not interactive protect mode).
Receive Rate | Current rate of traffic destined to the zone, measured in bits per second (bps).
Thumbnail of the zone traffic summary | Graph displaying a summary of the traffic to the zone in the last half hour. The traffic rate appears in bits per second (bps). Legitimate traffic rate appears in green. Malicious traffic rate appears in red.
Using the Detector Module Global Diagnostic Tools
The Detector module provides diagnostic information to assist you in monitoring and troubleshooting global events. The following diagnostics tools are available from the Detector module Summary menu:
• Viewing the Global Counters
• Viewing the Global Received Counter in Real Time
• Viewing the Event Log
Viewing the Global Counters
The Counters screen provides an in-depth analysis of the counter information the Detector module displays in the Detector module summary screen. From the Counters screen, you can manipulate the information the Detector module displays in the traffic rates graph.
To view the Detector module counters:
Step 1
Click Detector module Summary from the navigation pane. The Detector module summary menu appears.
Step 2
Choose Diagnostics > Counters from the Detector module summary menu. The Detector module Counters screen appears (see Figure 10-2).
Step 3
(Optional) To modify the time period of the displayed information, select a graph time period from the Graph Period drop-down list, then click Update Graph. The Detector module updates the graph.
By default, the traffic rate graph displays counter information recorded in the last two hours.
Step 4
(Optional) To modify the unit of measurement the Detector module uses in the traffic rate graph, select a unit of measurement from the Graph Type drop-down list, then click Update Graph. The Detector module updates the graph.
Units of measurement:
• pps—Packets per second
• bps—Bits per second
Figure 10-2 Detector Module Global Counters/Rates
The Received packets counter provides information on the total number of packets received and analyzed by the Detector.
Table 10-3 describes the fields for the received packets counter.
Table 10-3 Field Descriptions for Received Packets Counter
Field | Description
Packets | Total number of packets received since the Detector was reloaded.
Bits | Total number of bits received since the Detector was reloaded.
pps | Current traffic rate measured in packets per second.
bps | Current traffic rate measured in bits per second.
Viewing the Global Received Counter in Real Time
The Detector module allows you to view the received packets counter information in real time. The received packets counter provides information on the total number of packets received and analyzed by the Detector.
Note
You must have JRE installed on the client to view the counter information in real time (see the "Installing Java 2 Runtime Environment" section in "Introduction").
To view the rate counter in real time:
Step 1
Click Detector module Summary from the navigation pane. The Detector module summary menu appears.
Step 2
Choose Diagnostics > Real time counters from the Detector module summary menu. The Real time counters screen appears.
Step 3
(Optional) To change the unit of measurement the Detector module uses in the traffic rate graph, click one of the following Graph Type options. The Detector module updates the traffic rates graph.
• bps—bits per second
• pps—packets per second
See Table 10-4 for a description of the information in the Real Time Global Counter/Rates table.
Viewing the Event Log
The Event log displays monitoring and troubleshooting information for events that relate to the zones under detection and to Detector module operation.
To view the contents of the event log:
Step 1
Click Detector module Summary from the navigation pane. The Detector module summary menu appears.
Step 2
Choose Diagnostics > Event log from the Detector module summary menu. The Events screen appears (see Figure 10-3). Use the navigation tool provided above the events table to scroll through the events listed.
Step 3
(Optional) To control which events display in the events table, select one of the following options, then click Filter Events. The Detector module updates the events table.
• Show all Events—Displays the events of every severity level.
• Show events with severity level—Displays only the events of the severity levels you select. Select the desired severity levels:
– Emergency
– Alert
– Critical
– Error
– Warning
– Notify
Figure 10-3 Event Log
Table 10-4 shows the possible event severity levels.
Table 10-4 Event Severity Levels
Event Level | Description
Emergencies | System is unusable
Alerts | Immediate action required
Critical | Critical condition
Errors | Error condition
Warnings | Warning condition
Notifications | Normal but significant condition
Informational | Informational messages
Debugging | Debugging messages
Note
The event logs only display zone-related events with a severity level of Emergency, Alert, Critical, Error, Warning, and Notification. See the "Viewing the Zone Event Log" section for further details on zone event logs.
Viewing the Zone Status Screen
The zone status screen (see Figure 10-4) provides a summary of the zone operating status. You can navigate to this screen in the following ways:
• Select the zone from the All Zones list in the navigation pane.
• If the zone is currently in detect mode, select the zone from the Under detection list in the navigation pane.
• From the navigation path of any zone-specific screen, click Zone.
• Select the zone from the zone list (Detector Module Summary > Zones > Zone list).
The zone status screen is divided into four sections:
• Zone status bar (see the "Zone Status Bar" section)
• Zone traffic rate graph (see the "Zone Traffic Rate Graph" section)
• Zone status table (see the "Zone Status Table" section)
• Zone recent events table (see the "Zone Recent Events Table" section)
The zone status screen contains function buttons that display just above the traffic rates graph. The WBM displays different function buttons depending on the current operating mode of the zone.
If the zone is in standby mode, the following function buttons appear:
• Detect & Learn—Switches the zone to detect and learn operating mode. This allows you to detect zone traffic anomalies while performing the threshold tuning phase of the learning process.
• Detect—Switches the zone to detect operating mode. This is equivalent to selecting Detection > Detect from the zone main menu.
If the zone is currently in Detect or Detect and Learn mode, the following function buttons appear:
• Deactivate—Deactivates the anomaly detect operating mode. This is equivalent to selecting Detection > Deactivate from the zone main menu. If the zone is operating in Detect and Learn mode and you click Deactivate, you have the option of deactivating anomaly detection, learning, or both operations.
• Report—Provides a link to the current attack report. This is equivalent to selecting Diagnostics > Attack reports from the zone main menu and clicking the current attack (the attack with an end time of "attack in progress"). The Report button is only available if there is an attack in progress. See the "Viewing Details of a Current Attack" section for further details.
Figure 10-4 Zone Status Screen
Zone Status Bar
The zone status bar runs across the top of the zone status screen and provides a quick reference to the current operating status of the zone. The zone status bar provides the following information:
• The name of the zone.
• The zone operation mode—Setting of zone operation mode that dictates whether the Detector module operates in automatic or interactive operation mode for the zone. See the "Automatic and Interactive Operation Modes" and "Changing Zone Operation Modes" sections in "Activating Anomaly Detection" for details on zone operation mode settings.
• The zone operating status—Zone operating state. The operating status can be: Under Detection, Under Detection/Tuning Thresholds, Inactive, Constructing Policy, or Tuning Thresholds.
• Indication of new recommendations—Indicates that new Dynamic filter recommendations are available. This indication is available only if the zone operation mode is set to interactive.
Zone Traffic Rate Graph
The zone traffic rate graph displays the received traffic rate over the last two hours in bits per second (bps).
Table 10-5 describes the fields that appear below the zone traffic rate graph.
Table 10-5 Field Descriptions for Fields below Zone Traffic Rate Graph
Field | Description
Min | Minimum traffic rate measured over the last two hours in bits per second (bps).
Max | Maximum traffic rate measured over the last two hours in bits per second (bps).
Avg | Average traffic rate measured over the last two hours in bits per second (bps).
Cur | Current traffic rate in bits per second (bps).
Zone Status Table
The zone status table provides the following information:
• Active Dynamic filters—Number of active Dynamic filters. Click Active Dynamic filters to view the Dynamic filters screen. See the "Managing Dynamic Filters" section in "Activating Anomaly Detection" for detailed information on Dynamic filters.
• Pending Dynamic filters—Number of pending Dynamic filters. The number of pending Dynamic filters is greater than 1 when the zone is in interactive protect mode and there are new recommendations. Click Pending Dynamic filters to view the Recommendations screen. See the "Managing Dynamic Filters" section in "Activating Anomaly Detection" for detailed information on Dynamic filters. See the "Managing Detector Module Recommendations for Dynamic Filters" section in "Activating Anomaly Detection" for details on Detector module recommendations.
• Last attack time—Date and time of the last attack on the zone.
• Activation time—Date and time that zone anomaly detection was activated.
Zone Recent Events Table
The recent events table displays the reported zone events with a minimum severity level of notify. The Detector module also records the events in the zone event log and the Detector module event log.
Using the Zone Diagnostic Tools
The Detector module provides diagnostic information to assist you in monitoring and troubleshooting zone events. The following diagnostics tools are described in this section:
• Viewing the Zone Counters
• Viewing the Zone Counters in Real Time
• Viewing the Zone Event Log
• Viewing the Attacks Summary Report
• Viewing Details of an Attack Report
• Understanding Attack Report Details
• Exporting an Attack Report
• Deleting an Attack Report
• Viewing the Policy Statistics Table
Viewing the Zone Counters
The zone counters (see Figure 10-5) enable you to analyze zone-specific traffic information in order to verify the zone status and determine whether or not zone anomaly protection is functioning properly. You can adjust the time period of the zone counters graph view to see how zone anomaly detection is evolving.
To view the zone counter information:
Step 1
Select a zone from the navigation pane. The zone main menu appears.
Step 2
Choose Diagnostics > Counters from the zone main menu. The zone Counters screen appears.
Step 3
(Optional) To modify the time period of the information the Detector module displays, select the desired time period from the Graph Period drop-down list, then click Update Graph. The Detector module updates the screen.
By default, the traffic rates graph displays counter information recorded for the past two hours.
Step 4
(Optional) To change the unit of measurement the Detector module uses, select the desired unit of measurement from the Graph Type drop-down list, then click Update Graph. The Detector module updates the screen.
Units of measurement:
• pps—Packets per second
• bps—Bits per second
Figure 10-5 Zone Counters
The Zone Current Counters/Rates table displays the following information:
• Packets—Total number of packets destined to the zone since last activation.
• Bits—Total number of bits destined to the zone since last reload.
• pps—Current traffic rate destined to the zone, measured in packets per second.
• bps—Current traffic rate destined to the zone, measured in bits per second.
A legend identifying the counters appears below the traffic rates graph. The minimum, maximum, and average rates for each counter display for the time period you select.
Using Zone Counters to Analyze Traffic Flow
It is important that you analyze the traffic flow in order to determine whether or not traffic is flowing properly to an active zone. The following information describes how to analyze traffic flow, recognize possible problems, and provide solutions:
• If the number of Received packets is greater than zero, traffic is flowing properly to the zone.
• If the number of Received packets equals zero, this could indicate one of the following situations:
– If the current rate (pps or bps) of received packets for the Detector module or for zones on the same switch also equals zero, there may be a problem with the configuration of traffic capturing, or traffic destined to the zone or zones is being blocked before it reaches the switch to which the Detector module is connected.
– If the Received packets current rate (pps or bps) of the Detector module or of other zones connected to the same switch is greater than zero, verify that a Bypass filter is not defined for the zone.
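The decision rules above can be applied mechanically to counter snapshots taken from the Counters screens. The following is an added example, not Cisco code or part of this guide: it encodes the three outcomes (traffic flowing, nothing reaching the switch, traffic at the switch but not at the zone) as a small triage function. The counter snapshots are constructed, and the `bypass_filter` flag is a hypothetical stand-in for checking the zone's Bypass filter configuration in the WBM.

```python
"""Zone receive-counter triage following the decision rules in
"Using Zone Counters to Analyze Traffic Flow".

Added example, not Cisco code. Snapshots are constructed; the
`bypass_filter` flag is a hypothetical placeholder for the zone's
Bypass filter configuration."""
from dataclasses import dataclass
from typing import Iterable, Tuple


@dataclass(frozen=True)
class Counters:
    """One row of a Received packets counter (Packets, pps, bps)."""
    name: str
    packets: int                  # cumulative Received packets
    pps: float                    # current rate, packets per second
    bps: float                    # current rate, bits per second
    bypass_filter: bool = False   # hypothetical: a Bypass filter is defined for this zone


def _has_rate(c: Counters) -> bool:
    """True when the current rate (pps or bps) is non-zero."""
    return c.pps > 0 or c.bps > 0


def triage_zone(zone: Counters, detector: Counters,
                same_switch_zones: Iterable[Counters] = ()) -> Tuple[str, str]:
    """Return (finding, recommended check) for `zone`.

    detector          -- the Detector module's global Received packets counter
    same_switch_zones -- counters of other zones connected to the same switch
    """
    # Rule 1: any received packets means traffic is reaching the zone.
    if zone.packets > 0:
        return ("TRAFFIC_OK", "traffic is flowing to the zone; no action needed")

    # Rule 2a: neither the Detector nor sibling zones see traffic, so the
    # problem is in traffic capturing or upstream of the switch.
    if not _has_rate(detector) and not any(_has_rate(z) for z in same_switch_zones):
        return ("NO_TRAFFIC_AT_SWITCH",
                "check the traffic-capturing configuration, or whether traffic to the "
                "zone(s) is blocked before it reaches the switch the Detector is connected to")

    # Rule 2b: the switch does see traffic, so a Bypass filter on this zone is the suspect.
    if zone.bypass_filter:
        return ("BYPASS_FILTER_DEFINED",
                "a Bypass filter is defined for the zone and diverts its traffic; review it")
    return ("CHECK_BYPASS_FILTER",
            "traffic reaches the switch but not the zone; verify that no Bypass filter "
            "is defined for the zone")


if __name__ == "__main__":
    # Constructed snapshots (not captured from a real Detector).
    detector = Counters("detector", packets=9_812_331, pps=42_000, bps=310_000_000)
    web = Counters("zone-web", packets=0, pps=0, bps=0)
    dns = Counters("zone-dns", packets=51_200, pps=900, bps=1_200_000)
    for z in (web, dns):
        others = [x for x in (web, dns) if x is not z]
        finding, action = triage_zone(z, detector, same_switch_zones=others)
        print(f"{z.name}: {finding} -> {action}")
```

Feed it the Packets/pps/bps values from the Detector module Counters screen and from each zone's Counters screen; the sibling-zone list matters only when the Detector's own rate is zero.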
Viewing the Zone Counters in Real Time
Note
You must have JRE installed on the client to view the counter information in real time (see the "Installing Java 2 Runtime Environment" section in "Introduction").
To view the zone counter information in real time:
Step 1
Select a zone from the navigation pane. The zone main menu appears.
Step 2
Choose Diagnostics > Real time counters from the zone main menu. The zone Real time counters screen appears.
Step 3
(Optional) To change the unit of measurement the Detector module uses, select the desired unit of measurement from the Graph Type drop-down list, then click Update Graph. The Detector module updates the screen.
Units of measurement:
• pps—Packets per second
• bps—Bits per second
The Zone Real Time Counters/Rates table displays the following information:
• Packets—Total number of packets destined to the zone since last activation.
• Bits—Total number of bits destined to the zone.
• pps—Current traffic rate destined to the zone, measured in packets per second.
• bps—Current traffic rate destined to the zone, measured in bits per second.
For information on using the counter information to analyze zone traffic, refer to the "Using Zone Counters to Analyze Traffic Flow" section.
Viewing the Zone Event Log
The zone event log provides useful monitoring and troubleshooting information.
To view the contents of the zone event log:
Step 1
Select a zone from the navigation pane. The zone main menu appears.
Step 2
Choose Diagnostics > Event log from the zone main menu. The zone Events screen appears (see Figure 10-6).
Step 3
(Optional) To manage which events display, select one of the following options, then click Filter Events to update the display:
• Show all Events—Displays the events of every severity level.
• Show events with severity level—Displays only the events of the severity levels you select. Select the desired severity levels:
– Emergency
– Alert
– Critical
– Error
– Warning
– Notify
Figure 10-6 Zone Event Log
Table 10-6 describes the different event severity levels.
Table 10-6 Event Log Severity Levels
Event Level | Description
Emergencies | System is unusable
Alerts | Immediate action required
Critical | Critical condition
Errors | Error condition
Warnings | Warning condition
Notifications | Normal but significant condition
Informational | Informational messages
Debugging | Debugging messages
Viewing the Attacks Summary Report
The Detector module provides a high-level attacks summary report for each zone to help form a clearer picture of the attacks on the zone that the Detector module detects. The report summarizes the DDoS attacks made on the zone during a user-defined period of time. The Detector module records the relevant details during an attack and organizes the data into different categories. The report provides details of the total number and intensity of the attacks along with a short summary of each attack. The Detector module also presents the attack data in a graph format.
To view the zone attacks summary report:
Step 1
Select a zone from the navigation pane. The zone main menu appears.
Step 2
Choose Diagnostics > Attack Reports from the zone main menu. The Attacks summary screen appears. By default, the report displays attack information for the last month.
Step 3
(Optional) To change the time period of the attack report, enter the desired Period from and to dates, then click Get Reports. You can enter the dates manually or click on the calendar icon at the right of each date field and select a date from the calendar pop-up.
The Attack Summary Report screen consists of the following areas:
• Detection Graph—Provides a graphical summary of the attacks during the user-defined period of time.
Figure 10-7 Zone Detection Summary Report—Detection Graph
The X-axis displays the time over which the attack occurred. The Y-axis displays the average attack rate in packets per second (pps). Each attack is represented by a bar. If you hold your mouse over any of the attack bars for a few seconds, the average attack rate is displayed.
To view attack details, click the attack bar in the graph to open the attack report (see the "Viewing Details of an Attack Report" section).
• Total Attack Statistics Table—Provides information on the number of attacks on the zone and the aggregated attack details during the period of time you defined.
Figure 10-8 Zone Detection Summary Report—Total Attack Statistics
Table 10-7 describes the fields in the report.
Table 10-7 Field Descriptions for Total Attack Statistics Table
Field | Description
Attacks Detected | Number of attacks detected.
Attacks Duration | Aggregated duration of the detected attacks.
Max. Traffic Rate | Maximum rate of malicious traffic destined to the zone.
Total Rx | Total amount of traffic destined to the zone.
• Per Attack Summary Table—Provides a table with a list of the DDoS attacks on the zone during the time period you defined (see Figure 10-9). You can delete the information currently displayed in the Per Attack Summary table (see the "Deleting an Attack Report" section) or export the contents of an attack report (see the "Exporting an Attack Report" section).
Figure 10-9 Zone Detection Summary Report—Per Attack Summary
Table 10-8 describes the fields in the columns of the Per Attack Summary table.
Table 10-8 Field Descriptions for Summary Report
Field | Description
# | Identification number (ID) of the detected attack.
Start time | Date and time of the detected attack.
Duration | Duration of the detected attack in hours, minutes, and seconds.
Type | Type of detected attack. Possible values are:
• Tcp connections—Detected flow with unusual number of TCP concurrent connections with or without data.
• HTTP—Unusual HTTP traffic flow.
• Tcp incoming—Detected flow attacking a TCP service.
• Tcp outgoing—Detected attack flow in which the client seems to be the Zone, such as SYN-ACK attacks on connections initiated by the Zone when the Zone is the client.
• Unauthenticated tcp—Detected flow that the Detector anti-spoofing mechanisms have not succeeded in authenticating. For example, ACK flood, FIN flood or any other flood of unauthenticated packets.
• DNS (Udp)—Attacking DNS-UDP protocol flow.
• DNS (Tcp)—Attacking DNS-TCP protocol flow.
• Udp—Attacking UDP protocol flow.
• Non tcp/udp protocols—Non TCP/UDP attacking protocol flow.
• Fragments—Detected flow with an unusual quantity of fragmented traffic.
• Hybrid—Attack composed of several attacks with different characteristics.
• IP scan—Detected flow initiated from a source IP address that tried to access many zone destination IP addresses.
• port scan—Detected flow initiated from a source IP address that tried to access many zone ports.
• user detected—Anomaly flow detected by user definitions.
• worm_tcp—A worm attack over the TCP/IP protocol.
Peak (pps) | Maximum attack rate measured in packets per second.
Received Pkts | Total number of packets destined to the zone that were handled by the Detector module during the attack.
Note
To view attack details, click any of the rows of the Per Attack Summary table (see the "Viewing Details of an Attack Report" section).
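The Total Attack Statistics table is an aggregate of the Per Attack Summary rows over the period you select. The following added example (not Cisco code and not part of this guide) rebuilds that aggregate offline: it parses per-attack rows, restricts them to the Period from/to dates, and computes Attacks Detected, Attacks Duration, Max. Traffic Rate and Total Rx. The rows and their semicolon-separated layout are constructed; taking the Peak (pps) and Received Pkts columns as the inputs to Max. Traffic Rate and Total Rx is an assumption.

```python
"""Rebuild the Total Attack Statistics table (Table 10-7) from Per Attack
Summary rows (Table 10-8) for a user-defined period.

Added example, not Cisco code. The rows and the 'id;start;duration;type;
peak_pps;received_pkts' layout are constructed (the format the Detector
exports to FTP is not described on this page)."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Iterable, List

# Constructed sample of a Per Attack Summary table; not real Detector output.
SAMPLE_ROWS = """\
# id;start;duration;type;peak_pps;received_pkts
1;2006-03-02 14:05:10;00:12:30;Tcp incoming;180000;91000000
2;2006-03-09 02:41:55;01:03:05;Udp;95000;402000000
3;2006-03-21 19:20:00;00:04:15;port scan;12000;3100000
4;2006-04-03 08:00:00;00:30:00;Hybrid;240000;310000000
"""


@dataclass(frozen=True)
class AttackRow:
    attack_id: int
    start: datetime
    duration: timedelta
    attack_type: str
    peak_pps: int
    received_pkts: int


def parse_duration(text: str) -> timedelta:
    """Parse the hh:mm:ss form used by the Duration column."""
    hours, minutes, seconds = (int(part) for part in text.split(":"))
    return timedelta(hours=hours, minutes=minutes, seconds=seconds)


def format_duration(delta: timedelta) -> str:
    """Render a timedelta back as hh:mm:ss."""
    total = int(delta.total_seconds())
    return f"{total // 3600:02d}:{total % 3600 // 60:02d}:{total % 60:02d}"


def parse_rows(lines: Iterable[str]) -> List[AttackRow]:
    """Parse the constructed row layout; blank and '#' comment lines are skipped."""
    rows = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        aid, start, dur, atype, peak, rx = line.split(";")
        rows.append(AttackRow(int(aid), datetime.strptime(start, "%Y-%m-%d %H:%M:%S"),
                              parse_duration(dur), atype, int(peak), int(rx)))
    return rows


def total_attack_statistics(rows: List[AttackRow], period_from: str, period_to: str) -> dict:
    """Aggregate the attacks that started within the period (both dates inclusive)."""
    start = datetime.strptime(period_from, "%Y-%m-%d")
    end = datetime.strptime(period_to, "%Y-%m-%d") + timedelta(days=1)
    selected = [r for r in rows if start <= r.start < end]
    if not selected:
        return {"Attacks Detected": 0, "Attacks Duration": "00:00:00",
                "Max. Traffic Rate (pps)": 0, "Total Rx (pkts)": 0}
    return {
        "Attacks Detected": len(selected),
        "Attacks Duration": format_duration(sum((r.duration for r in selected), timedelta())),
        "Max. Traffic Rate (pps)": max(r.peak_pps for r in selected),
        "Total Rx (pkts)": sum(r.received_pkts for r in selected),
    }


if __name__ == "__main__":
    attacks = parse_rows(SAMPLE_ROWS.splitlines())
    for field, value in total_attack_statistics(attacks, "2006-03-01", "2006-03-31").items():
        print(f"{field}: {value}")
```

The period filter mirrors the Period from/to fields of the Attacks summary screen; an attack that started before the period but ran into it is not counted, which is the simplest reading of "attacks during the period".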
Viewing Details of an Attack Report
The Detector module allows you to display details of an attack report listed in the Attacks Summary screen. The attack report gives details of the attack, starting with the production of the first Dynamic filter, and ending either by a user decision or after a defined period of time that no new Dynamic filters were added.
The Detector module records the relevant details during an attack and organizes the data into categories. You can view the details of past and current attacks.
Viewing Report Details of a Past Attack
To view the report details of a past zone attack:
Step 1
Select a zone from the navigation pane. The zone status screen and the zone main menu appear.
Step 2
Choose Diagnostics > Attack Reports from the zone main menu. The Attacks summary screen appears, displaying attack information for the past month.
Step 3
(Optional) To change the time period of the attack report, enter the desired Period from and to dates, then click Get Reports. You can enter the dates manually or click on the calendar icon at the right of each date field and select a date from the calendar pop-up.
Step 4
Select one of the following methods to view details of the attack report:
• Click the attack bar in the Detection Graph.
• Click any of the fields for the attack in the Per Attack Summary table.
The Attack report screen appears.
Viewing Details of a Current Attack
When an attack on a zone is in progress, the Detector module displays a Report button on the status screen of the zone under attack. This button allows you to access the detailed information the Detector module is gathering on the current attack.
To view the current attack report of a zone:
Step 1
Select a zone from the navigation pane. The zone status screen and the zone main menu appear.
Step 2
Use one of the following methods to display the zone current attack report:
• Click Report on the zone status screen.
• Choose Diagnostics > Attack Reports from the zone main menu and click any of the fields for the attack in progress in the Per Attack Summary table.
Understanding Attack Report Details
The attack report includes data fields and tables, grouped together in the following sections:
• General Attack Information
• Attack Statistics
• Detected Anomalies
General Attack Information
The first section of the attack report provides information related to the timing of the attack, including when the attack started, when it ended, and how long it lasted.
To view more details of the report, click i or Show details for all events.
All counters are integers except for rate. You can select the statistics unit of measurement from the general attack information area of the screen.
To change the statistic unit of measurement:
Step 1
Select the desired units to use from the Statistics units drop-down list.
Step 2
Click Set units. The Detector module updates the display.
Attack Statistics
The attack statistics provide information on Received packets. Table 10-9 describes the information provided:
Table 10-9 Attack Statistics
Field | Description
Total | Total number of packets in the category.
Max Rate | Maximum packet rate that was measured.
Average Rate | Average packet rate.
The traffic rate is displayed in the units that were selected from the drop-down list in the General Attack area (see the "General Attack Information" section).
Detected Anomalies
The Detected Anomalies table (see Figure 10-10) provides details of the anomalies the Detector module detected in the zone traffic. A traffic flow is classified as being an anomaly when it requires the production of a Dynamic filter. Traffic anomalies can occur infrequently or can turn into systematic DDoS attacks. The Detector module clusters anomalies with the same type and flow parameters (such as source IP address or destination port) under one anomaly type.
Figure 10-10 Attack Report—Detected Anomalies
The following information is provided for each anomaly:
Table 10-10 Field Descriptions for Detected Anomalies
Field | Description
# | Identification number (ID) of the detected anomaly.
Start time | Date and time the anomaly was detected.
Duration | Duration of the anomaly in hours, minutes, and seconds.
Type | The type of the detected anomaly. Possible values are:
• Tcp_connections—Detected flow with an unusual number of TCP concurrent connections, with or without data.
• HTTP—Unusual HTTP traffic flow.
• Tcp incoming—Detected flow attacking a TCP service when the zone is a server.
• Tcp outgoing—Detected attack flow in which the client appears to be the zone, such as SYN-ACK attacks on connections initiated by the zone when the zone is the client.
• Unauthenticated tcp—Detected flow that the Detector module anti-spoofing mechanisms have not succeeded in authenticating. For example, ACK flood, FIN flood or any other flood of unauthenticated packets.
• DNS (Udp)—Attacking DNS-UDP protocol flow.
• DNS (Tcp)—Attacking DNS-TCP protocol flow.
• Udp—Attacking UDP protocol flow.
• Non tcp/udp protocols—Non TCP/UDP attacking protocol flow.
• Fragments—Detected flow with an unusual amount of fragmented traffic.
• TCP ratio—Detected flow with an unusual ratio between different types of TCP packets (for example, SYN packets versus FIN/RST packets).
• IP scan—Detected flow initiated from a source IP address that tried to access many zone destination IP addresses.
• port scan—Detected flow initiated from a source IP address that tried to access many zone ports.
• user detected—Anomaly flow detected by user definitions.
• Worm Tcp—Worm attack over the TCP/IP protocol.
Triggering rate | Anomaly traffic rate that violated a policy threshold.
% Threshold | Percentage by which the triggering rate is above the policy threshold.
Anomaly Flow | Anomaly traffic flow. The parameters of the common flow characteristics are displayed. The information includes parameters such as the anomaly protocol number, the destination IP address of the traffic flow, and the flow packet type. If the anomaly flow is on a specific port, it is displayed as: dst=ip address:port
Details | Indicates whether additional information can be viewed for this filter. Click i for additional information (see the "Viewing Details of Detected Anomalies" section).
A value of * for any of the parameters indicates one of the following:
• The value is undetermined.
• More than one value was measured for the anomaly parameter.
A value of # for any of the parameters indicates the number of values measured for that anomaly parameter.
Viewing Details of Detected Anomalies
The detected anomalies details table provides additional information on the Dynamic filters that constitute the detected anomaly.
To display the detected anomalies details table, click i in the details column for the filter in the detected anomalies table.
Table 10-11 describes the detailed anomaly information the Detector module provides.
Table 10-11 Field Descriptions for Detected Anomalies Details
Field
|
Description
|
Start time
|
Date and time the anomaly was detected.
|
End time
|
Expiration date and time of the Dynamic filter.
|
Rate (pps)
|
Rate measured in packets per second.
• Thresh—Indicates the policy threshold that was violated by the detected anomaly.
• Triggered—Indicates the anomaly traffic rate that violated a policy threshold.
|
Count
|
Number of packets that were handled by the Dynamic filter.
|
Detected flow
|
Provides the following information on the detected attack flow that caused the production of the Dynamic filter:
• Prot.—Protocol number.
• Src IP—Source IP address.
• Src Port—Source port number.
• Dst IP—Destination IP address.
• Dst Port—Destination port number.
• frag.—Indicates the fragmentation characteristics of the detected traffic flow.
• Type—Detected anomaly type.
|
Action flow
|
Provides information on the action flow that was addressed by the Dynamic filter. The action flow can have a wider range than the detected flow. For example, the detected flow could indicate a specific source port for a specific source IP whereas the action flow could indicate all source ports for the specific source IP. The columns represent the dynamic filter traffic data.
• Prot.—Protocol number.
• Src IP—Source IP address.
• Src Port—Source port number.
• Dst IP—Destination IP address.
• Dst Port—Destination port number.
• frag.—Indicates the fragmentation characteristics of the action flow.
|
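The relationship between the detected flow, the wider action flow, the Count column, and the * and # markers is easier to see in code. The following Python is an added example, not Cisco's code; the packet records, the two flows, the thresholds, and the field names are all constructed for illustration.

```python
"""Added example (not Cisco's code): how the detected flow, the widened action
flow, the Count column and the '*' wildcard of Tables 10-10 and 10-11 relate.
The packet records, flows and thresholds below are constructed for illustration."""
from collections import namedtuple

# One packet seen by the Detector: protocol number, 5-tuple, TCP flags.
Packet = namedtuple("Packet", "proto src_ip src_port dst_ip dst_port flags")

# The five flow parameters the report shows; "*" means undetermined / more
# than one value measured, exactly as the Detector prints it.
FIELDS = ("proto", "src_ip", "src_port", "dst_ip", "dst_port")


def matches(flow, pkt):
    """A packet matches a flow when every non-wildcard field is equal."""
    return all(flow[f] == "*" or flow[f] == getattr(pkt, f) for f in FIELDS)


def widen(detected, wildcard_fields):
    """Build an action flow from a detected flow by wildcarding some fields.
    This mirrors an action flow that is wider than the detected flow, e.g.
    'all source ports of this source IP' instead of one source port."""
    return {f: ("*" if f in wildcard_fields else detected[f]) for f in FIELDS}


def filter_count(flow, packets):
    """The Count column: packets the Dynamic filter handled."""
    return sum(1 for p in packets if matches(flow, p))


def percent_over_threshold(triggered_pps, thresh_pps):
    """The % Threshold column: how far the Triggered rate is above Thresh."""
    return 100.0 * (triggered_pps - thresh_pps) / thresh_pps


def display_value(values):
    """How one parameter is shown across several measurements: the value itself
    when all agree, otherwise '*' (use measured_count() for the '#' figure)."""
    distinct = set(values)
    return next(iter(distinct)) if len(distinct) == 1 else "*"


def measured_count(values):
    """The '#' figure: number of distinct values measured for a parameter."""
    return len(set(values))


# Constructed sample: a SYN flood from one source (five source ports) to the
# zone web server, one stray SYN to 443, and one legitimate client.
SAMPLE = (
    [Packet(6, "203.0.113.7", 40000 + i, "198.51.100.10", 80, "S") for i in range(5)]
    + [Packet(6, "203.0.113.7", 40000, "198.51.100.10", 443, "S"),
       Packet(6, "192.0.2.44", 51515, "198.51.100.10", 80, "S"),
       Packet(6, "192.0.2.44", 51515, "198.51.100.10", 80, "A")]
)

# Detected flow as the report would list it (protocol 6 = TCP) and the wider
# action flow covering every source port of the attacking host.
DETECTED = {"proto": 6, "src_ip": "203.0.113.7", "src_port": 40000,
            "dst_ip": "198.51.100.10", "dst_port": 80}
ACTION = widen(DETECTED, {"src_port"})

if __name__ == "__main__":
    print("detected flow count:", filter_count(DETECTED, SAMPLE))   # 1
    print("action flow count:  ", filter_count(ACTION, SAMPLE))     # 5
    print("src port shown as:  ", display_value([p.src_port for p in SAMPLE
                                                 if matches(ACTION, p)]))  # *
    print("% over threshold:   ", percent_over_threshold(1500, 1000))  # 50.0
```

The detected flow pins one source port and therefore accounts for a single packet, while the action flow with src_port wildcarded to * covers all five flood packets; that difference is what the Count column of Table 10-11 reports, and why the Src Port column of the action flow shows * with a # figure of 5.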
Exporting an Attack Report
To export an attack report to an FTP server:
Step 1
Select a zone from the navigation pane. The zone main menu appears.
Step 2
Choose Diagnostics > Attack Reports from the zone main menu. The Attacks summary screen appears.
Step 3
(Optional) To change the time period of the attack report, enter the desired Period from and to dates, then click Get Reports. You can enter the dates manually or click on the calendar icon (at the right of each field) and select a date.
Step 4
From the Per Attack Summary table, click the check box next to the attack report to export. To select all of the reports listed in the table, click the check box in the table header next to the number symbol (#).
Step 5
Click Export. The Export FTP Server Parameters window opens.
Step 6
From the Select FTP Server Parameters form, select the FTP method to use:
–
FTP—File Transfer Protocol. FTP sends the login credentials and the exported report in cleartext.
–
SFTP—SSH File Transfer Protocol. SFTP encrypts both the session and the report; use it whenever the server supports it.
Step 7
From the Select FTP Server Parameters form, select and define the FTP server to use:
•
Use default FTP definitions—Exports the attack report to the FTP server you defined in the Detector module configuration using the CLI.
•
Use temporary FTP server—Exports the attack report to an FTP server not defined in the Detector module configuration. Enter the following FTP server information:
–
Address—IP address of the FTP server.
–
Path—Full path name. If you do not specify a path, the server will save the file or files in your home directory.
–
Username—(Optional) FTP server login name. If you do not enter a user name, the Detector module logs in anonymously and no password is required.
–
Password—(Optional) Password for the remote FTP server. If you enter a user name but do not enter a password, the Detector module prompts you for the password.
Step 8
Choose one of the following options:
•
OK—Saves the attack report to the FTP server.
•
Clear—Clears the Select FTP Server Parameters form of any information you added.
•
Cancel—Closes the Export FTP Server Parameters window without saving the attack report.
Deleting an Attack Report
To delete an attack report:
Step 1
Select a zone from the navigation pane. The zone main menu appears.
Step 2
Choose Diagnostics > Attack Reports from the zone main menu. The Attacks summary screen appears.
Step 3
(Optional) To change the time period of the attack report, enter the desired Period from and to dates, then click Get Reports. You can enter the dates manually or click on the calendar icon (at the right of each field) and select a date.
Step 4
From the Per Attack Summary table, click the check box next to the attack report to delete. To select all of the reports listed in the table, click the check box in the table header next to the number symbol (#).
Step 5
Click Delete. The Detector module deletes the attack summary report.
Viewing the Policy Statistics Table
The policy statistics table enables you to view the rate of the traffic flowing through each policy for a specific zone. Use it to determine whether only legitimate traffic is passed to the zone and to tune policy thresholds manually.
To view the policy statistics table:
Step 1
Select a zone from the navigation pane. The zone main menu appears.
Step 2
Choose Diagnostics > Policy Statistics from the zone main menu. The Policies statistics screen appears.
Step 3
(Optional) To set a filter on the screen:
a.
Click Set Screen Filter. The Policy Filter window opens.
b.
Select the values of the parameters from the drop-down lists in the Policy Filter window.
c.
Click OK. The Policy statistics screen is updated and displays only the selected parameters. Details of the selected path and the maximum keys per policy appear in the Screen Filter frame.
The policy statistics table displays the information in four sections. The information in each section is sorted by value, with the highest values appearing at the top:
•
Rate—The rate of traffic flowing through the policy.
•
Ratio—The ratio between the number of SYN flagged packets and the number of FIN/RST flagged packets. This information is available only for syn_by_fin policies.
•
Connections—The number of concurrent connections or source IP addresses. This information is available for tcp_connections policies and for the in_nodata_conns policies of the Analysis protection module.
•
Dst IPs—Number of zone destination IP addresses that were scanned. This information is available for worm_tcp policies.
For easier management of the information displayed, you can set screen filters to display only a partial list of the statistics available.
Note
When you change one of the display parameters, the Detector module automatically clears all the parameters listed below the one you changed. You must enter new values for the cleared parameters.
Table 10-12 describes the policy statistics fields.
Table 10-12 Policy Statistics
Field
|
Description
|
Policy template
|
The policy template that was used to construct the policy.
|
Service
|
The services the policy relates to.
|
Level
|
The level used to process the traffic flow.
|
Type
|
The packet type. Possible values are:
• auth_pkts—Packets that underwent either TCP handshake or UDP authentication.
• in_nodata_conns—Zone incoming connections that have no data transfer on the connection (packets without a data payload).
• in_pkts—Zone incoming DNS query packets.
• in_unauth_pkts—Zone incoming unauthenticated DNS queries.
• non_estb_conns—Non-established connections. Zone incoming failed connections. TCP connection requests (SYN packets) for which no reply was received.
• out_pkts—Zone incoming DNS reply packets.
• reqs—Request packets with data payload.
• syns—Synchronization packets—TCP SYN flagged packets.
• syn_by_fin—SYN and FIN flagged packets. Verifies the ratio between the number of SYN flagged packets and the number of FIN flagged packets.
• unauth_pkts—Packets that did not undergo TCP handshake.
• pkts—All packet types that do not fall under any other category in the same protection level.
|
Policy
|
The policy.
|
Key
|
The key (the traffic characteristic) by which the policy aggregates traffic.
In policies that relate to worms, the key is the scanning source IP address, a colon, and the destination port being scanned (for example, 192.128.100.3:70).
Possible values are:
• dst_ip—Traffic destined to a zone IP address.
• dst_ip_ratio—The ratio of SYN and FIN flagged packets destined to a specific IP address.
• dst_port_ratio—The ratio of SYN and FIN flagged packets destined to a specific port.
• global—A summation of all traffic flow as defined by the other policy sections.
• src_ip—Traffic destined to the zone aggregated according to source IP address.
• src_net—Traffic destined to the zone aggregated according to source subnet IP address.
• dst_port—Traffic destined to a specific zone port.
• protocol—Traffic destined to the zone aggregated according to protocol.
• src_ip_many_dst_ips—This is the key used for IP scanning. Traffic from a single IP address destined to many zone IP addresses.
• src_ip_many_port—Key used for port scanning. Traffic from one IP address destined to many zone ports.
• scanners—Histogram of the number of source IP addresses that scan zone destination IP addresses on a specific destination port.
|
Value
|
The rate, ratio, or number of connections depending on the section of the table. The information in each section is sorted by value, with the highest value appearing first.
|
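To make the key and section semantics of Table 10-12 concrete, the following Python aggregates a constructed packet sample by several of the keys listed above and computes the Rate, Ratio, and Dst IPs sections as the screen describes them. This is an added example, not Cisco's code: the zone addresses, the hosts, the one-second measurement window, the /24 aggregation used for src_net, and the function names are all assumptions.

```python
"""Added example (not Cisco's code): aggregate a constructed packet sample by
the Policy Statistics keys of Table 10-12 and compute the Rate, Ratio, and
Dst IPs sections the way the screen describes them. The zone, hosts, the
one-second window and the /24 source-net aggregation are assumptions."""
from collections import Counter, defaultdict, namedtuple

Packet = namedtuple("Packet", "proto src_ip src_port dst_ip dst_port flags")
WINDOW_S = 1.0  # assumed measurement window for the constructed sample


def key_of(key_name, pkt):
    """Value of one Table 10-12 aggregation key for a packet."""
    if key_name == "global":
        return "global"            # one bucket summing all traffic
    if key_name == "dst_ip":
        return pkt.dst_ip
    if key_name == "dst_port":
        return pkt.dst_port
    if key_name == "src_ip":
        return pkt.src_ip
    if key_name == "src_net":      # assumed: aggregate sources per /24
        return ".".join(pkt.src_ip.split(".")[:3]) + ".0/24"
    if key_name == "protocol":
        return pkt.proto
    raise ValueError("unknown key: %s" % key_name)


def by_value(rows):
    """The screen sorts every section by value, highest first."""
    return sorted(rows, key=lambda r: r[1], reverse=True)


def rate_section(packets, key_name):
    """Rate section: packets per second per key value."""
    counts = Counter(key_of(key_name, p) for p in packets)
    return by_value([(k, n / WINDOW_S) for k, n in counts.items()])


def ratio_section(packets, key_name):
    """Ratio section (syn_by_fin policies): SYN count over FIN/RST count per key.
    A key with SYNs but no FIN/RST at all yields inf, which is what a SYN
    flood looks like in this section."""
    syn, finrst = Counter(), Counter()
    for p in packets:
        if p.proto != 6:
            continue
        k = key_of(key_name, p)
        if "S" in p.flags and "A" not in p.flags:
            syn[k] += 1
        if "F" in p.flags or "R" in p.flags:
            finrst[k] += 1
    return by_value([(k, syn[k] / finrst[k] if finrst[k] else float("inf"))
                     for k in syn])


def scan_keys(packets):
    """src_ip_many_dst_ips and src_ip_many_port: distinct zone IPs and ports
    each source touched (IP scan vs. port scan), highest first."""
    ips, ports = defaultdict(set), defaultdict(set)
    for p in packets:
        ips[p.src_ip].add(p.dst_ip)
        ports[p.src_ip].add(p.dst_port)
    return (by_value([(s, len(v)) for s, v in ips.items()]),
            by_value([(s, len(v)) for s, v in ports.items()]))


def worm_dst_ips(packets):
    """Dst IPs section for worm_tcp policies, keyed 'src_ip:dst_port' as the
    document describes: zone destination IPs scanned per source on that port."""
    seen = defaultdict(set)
    for p in packets:
        if p.proto == 6 and "S" in p.flags and "A" not in p.flags:
            seen["%s:%d" % (p.src_ip, p.dst_port)].add(p.dst_ip)
    return by_value([(k, len(v)) for k, v in seen.items()])


# Constructed one-second sample (not a capture from a real zone).
SAMPLE = (
    # worm-style IP scan: one source SYNs six zone hosts on port 445
    [Packet(6, "203.0.113.9", 3333, "198.51.100.%d" % i, 445, "S") for i in range(1, 7)]
    # port scan: one source SYNs eight ports on one zone host
    + [Packet(6, "203.0.113.50", 4444, "198.51.100.10", pt, "S")
       for pt in (21, 22, 23, 25, 80, 110, 143, 443)]
    # SYN flood: ten SYNs to the web server, never a FIN or RST
    + [Packet(6, "203.0.113.7", 40000 + i, "198.51.100.10", 80, "S") for i in range(10)]
    # legitimate client: SYN, data, FIN
    + [Packet(6, "192.0.2.44", 51515, "198.51.100.10", 80, fl) for fl in ("S", "A", "FA")]
)

if __name__ == "__main__":
    for section, rows in (("rate/global", rate_section(SAMPLE, "global")),
                          ("rate/dst_port", rate_section(SAMPLE, "dst_port")),
                          ("ratio/src_ip", ratio_section(SAMPLE, "src_ip")),
                          ("dst_ips/worm_tcp", worm_dst_ips(SAMPLE))):
        print(section)
        for key, value in rows[:3]:
            print("  %-22s %s" % (key, value))
```

Each section surfaces a different attacker in the same sample: the rate section by dst_port puts port 80 on top, the syn_by_fin ratio isolates the flood source (SYNs with no FIN/RST ever), the src_ip_many_dst_ips and src_ip_many_port keys separate the IP scanner from the port scanner, and the worm_tcp key 203.0.113.9:445 reports six scanned zone addresses. Comparing those per-key values against the policy thresholds is the manual tuning step the section above describes.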