Home » Symantec Manuals » Networking » Symantec 10268947 » Manual Viewer

Symantec 10268947 User Guide - Page 77

About event types, About severity levels, Intrinsic severity of the type of event, Level of traffic

UPC - 037648243766

Add to My Manuals
Save this manual to your list of manuals

Page 77 highlights

Response Rules 77 About automated responses segments, and network border interfaces defined in the network topology database. About event types The event type parameter specifies the base event or events for which the response rule is defined. Event types are grouped into several larger protocol and service attack categories. When Symantec Network Security detects a suspicious event, it analyzes the event to match it to an event type. About severity levels The severity parameter describes the relationship between the action to take in response to an incident and the severity of that incident. Before the analysis process assigns a severity level to an incident, it analyzes the various events that make up the incident according to the following factors: ■ Intrinsic severity of the type of event: An event might consist of an FTP packet transmitted on port 80. Because port 80 is used for HTTP traffic, this event might represent an attack on a Web server. By itself, this example might represent a medium level of intrinsic severity. ■ Level of traffic, if it is a counter event: If Symantec Network Security determines that a series of packets make up a flood attack, the height of the severity level depends on the number and frequency of packets received. ■ Severity of other events in the same incident: Symantec Network Security correlates severity levels from all events in the same incident. By using these variables to perform statistical analysis, Symantec Network Security assigns different severity levels as they apply to an incident. As the system gains information about the network, it integrates characteristics that influence the levels to reflect the current state of the network security. Because the traffic on every network is different, the severity levels specified in the response rule parameters are relative values and contain no inherent absolute definition. The creation of response rules in general and the selection of severity levels for the specific response rules requires fine-tuning to existing security response rules, as well as to the network traffic and ambient conditions. If the severity assigned during analysis equals the severity level defined in the response rule, as well as all other parameters defined in the response rule, then Symantec Network Security responds to the incident by performing the action associated with the response rule. SuperUsers and Administrators can also specify that the action execute only if the incident priority level falls above or below that of a particular severity level. Possible severity parameter values include informational, low, medium, high, and critical.

Section	Page
Symantec™ Network Security User Guide	1
Introduction	9
About the Symantec Network Security foundation	9
About the Symantec Network Security 7100 Series	9
About other Symantec Network Security features	11
Finding information	14
About 7100 Series appliance documentation	14
About software documentation	15
About the Web sites	16
About the Knowledge Base	16
About the Hardware Compatibility Reference	16
About the Product Updates site	16
About this guide	17
Architecture	19
About Symantec Network Security	19
About the core architecture	19
About detection	20
About protocol anomaly detection	21
About Symantec signatures	22
About user-defined signatures	22
Monitoring traffic rate	23
About DoS detection	23
About external EDP	23
About analysis	24
About refinement	24
About correlation	24
About cross-node correlation	25
About response	25
About protection policies	25
About response rules	25
About management and detection architecture	26
About the Network Security console	26
About role-based administration	27
About the node architecture	28
About the alert manager	29
About the sensor manager	29
About the administration service	29
About analysis	29
About the databases	29
About Event Stream Provider	30
About sensor processes	30
About Smart Agents	31
About FlowChaser	31
About the 7100 Series appliance node	31
About detection on the 7100 Series	32
About interface grouping	32
About response on the 7100 Series	32
About in-line monitoring mode	32
About blocking or alerting mode	32
About fail-open	33
Getting Started	35
Getting started	35
About the management interfaces	35
About the Network Security console	36
Launching the Network Security console	36
Viewing the Network Security console	37
Adjusting the Devices view	37
Adjusting the Incidents view	38
Adjusting the Policies view	38
Viewing node status	38
About management of 7100 Series appliances	38
About the LCD panel	38
About the serial console	39
About user permissions	39
About user passphrases	39
About deployment	40
About deploying single nodes	41
About deploying single Network Security software nodes	41
About deploying single 7100 Series appliance nodes	42
About interface grouping	42
About in-line mode	42
About fail-open	43
About deploying node clusters	43
Monitoring groups within a cluster	44
Selecting a monitoring group	44
Topology Database	47
About the network topology	47
Viewing the topology tree	48
Types of objects	48
Viewing node status	49
Viewing node details	50
Viewing object details	50
Viewing objects in the topology tree	51
Viewing auto-generated objects	51
About location objects	51
About Symantec Network Security objects	52
About software nodes	52
Viewing software nodes	52
About monitoring interfaces	53
Viewing monitoring interface objects	54
About appliance nodes	54
Viewing 7100 Series nodes	55
About 7100 Series interfaces	56
Viewing a monitoring interface on a 7100 Series node	57
Viewing interface groups	57
Viewing in-line pairs	58
About router objects	59
Viewing router objects	59
About router interfaces	60
About Smart Agents	60
About Smart Agent interfaces	61
About managed network segments	62
Launching Symantec Decoy Server	63
Launching from a new location	63
Launching from a known location	63
Protection Policies	65
About protection policies	65
Viewing protection policies	66
Understanding the protection policy view	67
Adjusting the view of event types	68
Adjusting the view by searching	68
Adjusting the view by columns	69
Viewing logging and blocking rule details	70
Viewing event detailed descriptions	70
Viewing policy automatic update	70
Annotating policies or events	71
Viewing policy annotations	71
Viewing event type annotations	71
Annotating event instances	72
Response Rules	73
About response rules	73
About automated responses	74
Viewing response rules	75
Interpreting color coding	75
Searching event types	76
About response parameters	76
About event targets	76
About event types	77
About severity levels	77
About confidence levels	78
About event sources	78
About response actions	78
About next actions	79
About response actions	79
About no response action	80
About email notification	80
About SNMP notification	80
About TrackBack response action	80
About custom response action	81
About TCP reset response action	81
About traffic record response action	81
About console response action	82
Enabling console response actions	82
About export flow response action	82
About flow alert rules	83
Viewing flow alert rules	83
Playing recorded traffic	83
Replaying recorded traffic flow data	84
Detection Methods	85
About detection	85
About sensor detection	86
Viewing sensor parameters	87
About port mapping	87
Viewing port mappings	87
About signature detection	87
About Symantec signatures	88
About user-defined signatures	88
Viewing signatures	89
About signature variables	89
About refinement rules	89
Incidents and Events	91
About incidents and events	91
About the Devices tab	92
Viewing device details	92
Viewing interface details	93
About the Incidents tab	94
Viewing priority color codes	95
Annotating incidents and events	95
Marking incidents as viewed	95
Monitoring incidents	96
Viewing incident data	96
Selecting incident columns	96
Filtering the view of incidents	98
Monitoring events	99
Viewing event data	99
Selecting event columns	100
Filtering the view of events	101
Viewing event notices	102
Managing the incident/event data	103
Loading cross-node correlated events	104
Saving, printing, or emailing incidents	104
Viewing incident details	104
Saving incident data	105
Printing incident data	106
Configuring Network Security to email	106
Emailing incident data	107
Pasting incident data	107
Reports and Queries	109
About reports	109
Reporting via the Network Security console	109
About report formats	110
About top-level report types	110
Reports of top events	111
Reports per incident schedule	112
Reports per event schedule	113
Reports by event characteristics	113
Reports per Network Security device	115
Drill-down-only reports	116
About querying flows	117
Viewing current flows	117
Viewing exported flows	119
Log Files	121
About the log files	121
About the install log	121
About the operational log	122
About log files	122
Viewing log files	122
Viewing live log files	123
Refreshing the list of log files	123

Match case Limit results 1 per page

Response Rules

About automated responses

segments, and network border interfaces defined in the network topology

database.

About event types

The event type parameter specifies the base event or events for which the

response rule is defined. Event types are grouped into several larger protocol

and service attack categories. When Symantec Network Security detects a

suspicious event, it analyzes the event to match it to an event type.

About severity levels

The severity parameter describes the relationship between the action to take in

response to an incident and the severity of that incident. Before the analysis

process assigns a severity level to an incident, it analyzes the various events

that make up the incident according to the following factors:

■

Intrinsic severity of the type of event

: An event might consist of an FTP

packet transmitted on port 80. Because port 80 is used for HTTP traffic, this

event might represent an attack on a Web server. By itself, this example

might represent a medium level of intrinsic severity.

■

Level of traffic, if it is a counter event

: If Symantec Network Security

determines that a series of packets make up a flood attack, the height of the

severity level depends on the number and frequency of packets received.

■

Severity of other events in the same incident

: Symantec Network Security

correlates severity levels from all events in the same incident.

By using these variables to perform statistical analysis, Symantec Network

Security assigns different severity levels as they apply to an incident. As the

system gains information about the network, it integrates characteristics that

influence the levels to reflect the current state of the network security.

Because the traffic on every network is different, the severity levels specified in

the response rule parameters are relative values and contain no inherent

absolute definition. The creation of response rules in general and the selection

of severity levels for the specific response rules requires fine-tuning to existing

security response rules, as well as to the network traffic and ambient conditions.

If the severity assigned during analysis equals the severity level defined in the

response rule, as well as all other parameters defined in the response rule, then

Symantec Network Security responds to the incident by performing the action

associated with the response rule. SuperUsers and Administrators can also

specify that the action execute only if the incident priority level falls above or

below that of a particular severity level. Possible severity parameter values

include informational, low, medium, high, and critical.