Vertical Scan Dashboard for Firewall Logs
Overview
The Vertical Scan Dashboard for Firewall Logs shows vertical scan activity conducted against any firewall-class device on the Internet perimeter. This set of dashlets displays the top 10 port probing/scanning activity over the last 24 hours, broken down into the following categories:
- Unique port count of individual IP addresses probing/scanning the network and displayed by IP address.
- Unique port count of countries probing/scanning the network and displayed by country.
- Unique IP address count of individual countries probing/scanning the network, displayed by country.
- Top 10 most denied destination ports, displayed by port.
The Dashlets
Top 10 Denied IP High Unique Port Count
It looks at the inbound traffic and, every hour, counts the number of unique ports for each source IP address it sees, then displays the results in a Timeline and a Summary format by IP address. In short, it shows which IP addresses are using the most ports to scan your network on an hourly basis: a vertical scan, meaning a single IP probing multiple ports.
Top 10 Denied High Unique Port Count by Country
It looks at the inbound traffic and, every hour, counts the number of unique ports for each source IP address it sees, then displays the results in a Timeline and a Summary format by country. In short, it is a unique port count grouped and displayed by country.
Top 10 Denied Countries by Unique IP Count
It looks at the inbound traffic and, every hour, counts the number of unique IP addresses for each source country it sees, then displays the results in a Timeline and a Summary format by country. In short, it is a count of the unique IP addresses used to probe your network, displayed by country.
Top 10 Denied Destination Ports
It looks at the inbound traffic and, every hour, finds the distinct destination ports and counts how many times each was denied, then displays the results in a Timeline and a Summary format. In short, it shows the top ten ports that are being probed and denied.
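To make the counting behind the four dashlets concrete, here is an added Python example (not NetWitness code and not the dashboard's own report rules) that buckets a constructed set of already-parsed firewall deny records by hour and produces the same four top-N tables: unique ports per source IP (the vertical scan signal), unique ports per country, unique IPs per country, and most denied destination ports. The record layout and sample values are assumptions for illustration.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample of normalised firewall deny records (not real logs), as
# (timestamp, source ip, source country, destination port) tuples.
SAMPLE_DENIES = [
    ("2023-01-01 10:02:11", "203.0.113.5", "XX", 22),
    ("2023-01-01 10:02:12", "203.0.113.5", "XX", 23),
    ("2023-01-01 10:02:13", "203.0.113.5", "XX", 80),
    ("2023-01-01 10:02:14", "203.0.113.5", "XX", 443),
    ("2023-01-01 10:02:15", "203.0.113.5", "XX", 3389),
    ("2023-01-01 10:15:00", "198.51.100.7", "YY", 22),
    ("2023-01-01 10:16:00", "198.51.100.7", "YY", 22),
    ("2023-01-01 10:30:00", "192.0.2.1", "XX", 22),
    ("2023-01-01 11:05:00", "203.0.113.5", "XX", 8080),
]

def hourly_buckets(records):
    """Group deny records into one-hour buckets holding the sets/counts each dashlet uses."""
    by_hour = defaultdict(lambda: {
        "ports_by_ip": defaultdict(set),       # vertical scan: ports per source IP
        "ports_by_country": defaultdict(set),
        "ips_by_country": defaultdict(set),
        "denies_by_port": defaultdict(int),
    })
    for ts, src_ip, country, dport in records:
        hour = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S").strftime("%Y-%m-%d %H:00")
        b = by_hour[hour]
        b["ports_by_ip"][src_ip].add(dport)
        b["ports_by_country"][country].add(dport)
        b["ips_by_country"][country].add(src_ip)
        b["denies_by_port"][dport] += 1
    return by_hour

def top_n(table, n=10):
    """(key, count) pairs, highest count first; a set counts as its size (distinct count)."""
    items = [(k, len(v) if isinstance(v, set) else v) for k, v in table.items()]
    return sorted(items, key=lambda kv: (-kv[1], str(kv[0])))[:n]

def vertical_scan_report(records, n=10):
    """Per hour, the four top-N tables the dashboard's dashlets display."""
    report = {}
    for hour, b in sorted(hourly_buckets(records).items()):
        report[hour] = {
            "ip_unique_ports": top_n(b["ports_by_ip"], n),
            "country_unique_ports": top_n(b["ports_by_country"], n),
            "country_unique_ips": top_n(b["ips_by_country"], n),
            "denied_dest_ports": top_n(b["denies_by_port"], n),
        }
    return report
```

In the sample, 203.0.113.5 touching five distinct ports within one hour is what the first dashlet surfaces, while the port 22 count in the last table shows that a single heavily probed port can come from several unrelated sources.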
Prerequisites
You must have the items listed below installed and configured for this dashboard to work properly.
Security Analytics/Netwitness
- Versions 10.5 or higher
- Log Decoder and Concentrator
- Firewall Logs
Versions prior to 10.5 do not have the “distinct” and “countdistinct” functions available in the Report Engine.
Lua Parser
- Traffic Flow (RSA Live)
- lua (RSA Live)
Directions for installation and configuration of this parser are located in the link below:
https://community.rsa.com/docs/DOC-44948
If you already have a parser that defines Internet source IP addresses, you can modify the rules and swap out “netname='other src'” for your own meta key and value.
This does not work straight out of the box on 10.6. Tips on how to fix it below:
If the chart says some error message due to permissions etc
- Go to the dashboard, click on the options (spinning cog) on the actual chart.
- Click on the Browse option next to the Chart field and then reselect the chart that has the same title as what is defined in the title field, then click Apply, and the charts should work.
You will probably have to do this to make sure all the other charts work as well.
This is because the initial chart configuration points to another path that does not exist in SA.
Jay