RSA enVision^® Discussions

RSAAdmin · ‎2008-10-02

Hi everyone. I need help with the NIC011 alert. I attempted to use the NIC011 template to create the same alert with only Checkpoint FW. But the value masks in NIC011 appear to be wrong for Checkpoint. The CheckPoint value for Firewall Failure in the template is 080080. When I look this up in Manage Messages it shows 080080 as a system.failure message. The value masks in the template for Firewall_Success are 020011 and 020010. Again, when I look in Manage Messages these two values are in the event category Auth.Failures.User Errors. How can the circuit Firewall_Success use messages that are in the category Auth.Failures.User Errors? So, I created my own alert using the messages in the categories Network.Connections.Successful and Network.Denied.Connections. Now, I am getting all kinds of false positives and when I actually have someone purposefully fail a login and then successfully login, it doesn't work. Bottom line, I am confused. The theory seems simple but I can't execute it. Any help is GREATLY appreciated. Thanks!

RSAAdmin · ‎2008-10-03

We haven't used that specific alert but let me offer a suggestion and what I use. I too have found that alerts looking for specific message numbers/id are prone to problems. I lean more heavily on the data normalization that a SEIM is built for. For instance, in your example you might look use Event Category and ALL in the Event Selection then Comparison In Value of Auth.Failures. Set a threshold that fits your needs. Then in the same circuit create a second statement and change the first statement to a Followed by of the second statement and a time frame that you are looking for. In the second statement use the same device selection, Event Category and ALL but this time in the Comparison In Value select Auth.Success. Apply these changes but on the first screen of the rule you need to setup Multi-Threading. Again in your example you want to Multi-Thread on User Name.

I'll leave it to you to set up the Alert level, Event Category etc.

Use of the system taxonomy will help eliminate the mess of each systems message id, etc. This puts it upon RSA engineering, who are charged with keeping this all up to date, to get it right. But of course you will want to keep an eye on this.

RSAAdmin · ‎2008-10-03

Kurta59,

Thanks. Your suggestion makes sense to me. I am having trouble with one thing. I have added the statements based off of auth.failures and auth.successful. When I try to use multithreading, I have only 3 options to choose from: envision Device IP Address, enVision Site, and enVision Collection node. I am not sure how to multithread based on username. It seems like when I use NIC Message ID's, it allows me to have more multithreading options. When I use Event Category, I only see the multithreading options I mentioned above. Can you explain how I can multithread with username? Thanks!

RSAAdmin · ‎2008-10-07

In the corr rule, edit a statement and add an Event Selection. From the Event Type pulldown choose Variable. The Comparison will be In and for the Value use the selection button and you should see all the variables. You can select username here. Apply the changes and return to the first screen. You should now see other selections in Multi-Threading.

One trick about selecting variables when you have more then one type of device in the correlation. For example, if one device uses the variable 'username' and the other device is 'userid', when you're in the Value selection window then select the radio button for 'Matching the following mask' and enter 'user*'. This will give you all variations of username, userid, etc. Remember to use the normalization of the SEIM for devices too. When using the Device Selection click the Device Class/Type. This will use all devices of that type for this rule. I use Security.Firewall and include all of our Cisco ASA and Checkpoints at once

RSA enVision® Discussions

NIC011 - Login Failure followed by Successful login on Firewall Devices ???

RSA enVision^® Discussions