Realsecure IDS messages
Hey everyone! This is my first posting in the forum. I am fairly new to enVision and have a lot to learn. The issue I am having difficulty with involves how I set up my views for ISS Realsecure IDS events. I set them up by alert level. There are 5 alert levels that have IDS events. Therefore I set up 5 views, one for each alert level. We recently went to a new hardware platform and an RSA tech came out and set everything up. But, some of the views couldn't be exported from the old system to the new system. Therefore, I am trying to put all my filters back into the views for ISS Realsecure IDS events. Most views contain several thousand messages each. Do to the large amount of messages, it takes me forever to apply a filter within the view. Has anyone had any experience setting up views for ISS realsecure? Should I import all the messages from ISS to each view and filter them as I am doing? Is there a more efficient way to do this? I am really having trouble understanding what the messages even mean. Any help is greatly appreciated. Thanks!
It doesn't make sense to alert on all events seen by ISS RealSecure IDS - or any device for that matter. Nor is it a sound strategy to create views alert levels. Not only will you flood yourself with thousands of alert, but you won't be taking advantage of the more advanced features of alerting.
A sound strategy for you would be to start investigating the use of correlation rules to provide the solid foundation for an effective alerting strategy.
Take a look at some of the pre-canned IDS correlation rules included within enVision. This will give you an idea as to how to start creating correlation rules.
Add some of these rules to a view and observe the behaviour.
Does this help you? If you need more info, let me know.
On a side note, you may want to consider some RSA training.
Thanks for your reply. I still need help with this. Something is not clicking. I understand the basics of correlated alerts, how to build them, and have customized a few of the canned ones. But, I don't really understand where to start on building my own. I believe you are definitely right. But, how do I even begin to define what I want to see from the IDS? There are 10,000 messages. How would I know what I want to choose to alert on? Each message from the IDS can alert me to a problem out there, if I don't have the messages, I may miss things that I should see (especially new signatures if I don't know to add them). I am in a situation where I have been told that I have to import all of these messages (because that is how it has been done in the past). I don't agree with that, so I have to figure out how to make the situation better. Just so you know, I have attended the RSA enVision Administration and Operations 3 day course. The instructor was very good but again, it was the basics. I have since then, inquired about more training from RSA but they haven't offered any new classes for what I need. If you can help me, I really would appreciate it. Thanks!
Yes, it does seem overwhelming, with over 10,000 messages, and each of them seeming critical. The important thing to note is that not all of these 10,000 messages are equally critical for your environment. So how do you start identifying what's critical to your environment?
Here's what I suggest you do.
Use the risk-based profile of the assets that you are monitoring with the IDS solution and map the requirements out of the risk profile to the enVision Event Categories provided within the RealSecureIDS parser for each event. This will allow you to prioritize the categories for each asset - or network the asset(s) are located in, and then you can create correlation rules for each of the general areas that are identified from the mapping.
For example, if you are using the IDS to protect perimeter devices (Firewall - in front and behind of -, web servers, etc.) These assets represent "The Perimeter." Based upon your risk-profile, you might already identified event types such as Denial of Service, Brute Force Attacks, Injection Attempts, Recon sweeps that may result in the highest risk to your perimeter.
You can then create customized rules for each Event Category to include the necessary events (all if necessary for each event category.) One example could be a rule called "Denial of Service attempts" in which events that relate to the event category "Denial of Service" are included, with possible customized IP addresses that pertain to your Perimeter.
These "Perimeter Rules" can then be enclosed within a Overall View called the "IDS Monitored - Perimeter" - in which now you will put the correlation rules themselves, instead of the thousands of events. These rules will be your starting point to understand what's happening in your environment, how to tune, and develop more advanced rules going forward.
One note about Recon Sweeps - these usually introduce many false positives, as it equates to someone knocking on the front door without actually getting in. Perhaps you can create a rule with a high threshold from the baseline (say 50%) to help reduce the amount of alerts and identify exceptions. hat covers Perimeter Devices.
Rinse and repeat for different subnets or device groupings. For an internal subnet, a few suggestions for correlation rules would be more access-control oriented rules, virus/worm/trojan activities, and injection attempts, and create the Views as necessary.
You are going to have to do your research to understand what many of these messages could mean potentially to your environment, but at least now you don't have to learn 10,000 events!
Does this help?
Great info! Thanks for the help. I think it gives me the starting point that I need to take this in the right direction. I will start to map the requirements out of the risk profile to the enVision Event Categories. If I run into trouble I may contact you again. Thanks so much. Newbies like me sometimes need a little jump start!
I would start by going back to the ISS Siteprotector Console and take a look at the messages being generated.
You can significantly reduce the amount of "noise" generated within enVision by tuning your ISS deployment.
Quite a few of the event messages generated by Realsecure are Windows informational events already captured by enVision if you are capturing Windows logs. Unless you have a compelling reason for such duplication - you could simply disable the Windows informational events.