Symantec™ Event Collector 4.3 for Cisco PIX® Quick Reference
The software described in this book is furnished under a license agreement and may be used only in accordance with the terms of the agreement.
Legal Notice
Copyright © 2008 Symantec Corporation. All rights reserved.
Symantec, the Symantec Logo, LiveUpdate, Symantec AntiVirus, Symantec Mail Security, Symantec Backup Exec, Symantec NetBackup, Symantec Endpoint Protection, Symantec Scan Engine, Symantec Control Compliance Suite, Symantec Critical System Protection, Symantec Enterprise Security Manager, Symantec Intruder Alert, Symantec Sygate Enterprise Protection, Symantec Mail Security, and Symantec Security Response are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.
The product described in this document is distributed under licenses restricting its use, copying, distribution, and decompilation/reverse engineering. No part of this document may be reproduced in any form by any means without prior written authorization of Symantec Corporation and its licensors, if any.
THE DOCUMENTATION IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. SYMANTEC CORPORATION SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE.
Technical Support
Symantec Technical Support maintains support centers globally. Technical Support’s primary role is to respond to specific queries about product feature and function, installation, and configuration. The Technical Support group also authors content for our online Knowledge Base. The Technical Support group works collaboratively with the other functional areas within Symantec to answer your questions in a timely fashion. For example, the Technical Support group works with Product Engineering and Symantec Security Response to provide alerting services and virus definition updates.
Symantec’s maintenance offerings include the following:
■ A range of support options that give you the flexibility to select the right amount of service for any size organization
■ A telephone and web-based support that provides rapid response and up-to-the-minute information
■ Upgrade insurance that delivers automatic software upgrade protection
■ Global support that is available 24 hours a day, 7 days a week worldwide. Support is provided in a variety of languages for those customers that are enrolled in the Platinum Support program
■ Advanced features, including Technical Account Management
For information about Symantec’s Maintenance Programs, you can visit our Web site at the following URL:
www.symantec.com/techsupp/
Contacting Technical Support
Customers with a current maintenance agreement may access Technical Support information at the following URL:
www.symantec.com/techsupp/
Before contacting Technical Support, make sure you have satisfied the system requirements that are listed in your product documentation. Also, you should be at the computer on which the problem occurred, in case it is necessary to recreate the problem.
When you contact Technical Support, please have the following information available:
■ Available memory, disk space, and NIC information
■ Operating system
■ Version and patch level
■ Network topology
■ Router, gateway, and IP address information
■ Problem description:
■ Error messages and log files
■ Troubleshooting that was performed before contacting Symantec
■ Recent software configuration changes and network changes
Licensing and registration
If your Symantec product requires registration or a license key, access our technical support Web page at the following URL:
www.symantec.com/techsupp/
Customer service
Customer service information is available at the following URL:
www.symantec.com/techsupp/
Customer Service is available to assist with the following types of issues:
■ Questions regarding product licensing or serialization
■ Product registration updates such as address or name changes
■ General product information (features, language availability, local dealers)
■ Latest information about product updates and upgrades
■ Information about upgrade insurance and maintenance contracts
■ Information about the Symantec Value License Program
■ Advice about Symantec's technical support options
■ Nontechnical presales questions
Maintenance agreement resources
If you want to contact Symantec regarding an existing maintenance agreement, please contact the maintenance agreement administration team for your region as follows:
■ Asia-Pacific and Japan:[email protected]
■ Europe, Middle-East, and Africa:[email protected]
■ North America and Latin America:[email protected]
Additional Enterprise services
Symantec offers a comprehensive set of services that allow you to maximize your investment in Symantec products and to develop your knowledge, expertise, and global insight, which enable you to manage your business risks proactively. Enterprise services that are available include the following:
Symantec Early Warning Solutions: These solutions provide early warning of cyber attacks, comprehensive threat analysis, and countermeasures to prevent attacks before they occur.
Managed Security Services: These services remove the burden of managing and monitoring security devices and events, ensuring rapid response to real threats.
Consulting Services: Symantec Consulting Services provide on-site technical expertise from Symantec and its trusted partners. Symantec Consulting Services offer a variety of prepackaged and customizable options that include assessment, design, implementation, monitoring and management capabilities, each focused on establishing and maintaining the integrity and availability of your IT resources.
Educational Services: Educational Services provide a full array of technical training, security education, security certification, and awareness communication programs.
To access more information about Enterprise services, please visit our Web site at the following URL:
www.symantec.com
Contents
Technical Support ... 4
Chapter 1 Introducing Symantec Event Collector for Cisco PIX ... 9
About this quick reference ... 9
Compatibility requirements for Cisco PIX Event Collector ... 10
System requirements for the Cisco PIX Event Collector computer ... 10
About the installation sequence for Cisco PIX Event Collector ... 11
About configuring Cisco PIX to work with the collector ... 12
Setting the Cisco PIX severity level ... 12
Disabling the timestamp option ... 13
Enabling Cisco PIX syslog event forwarding ... 13
Disabling the Cisco PIX EMBLEM format logging ... 14
Sensor properties for Cisco PIX Event Collector ... 14
About syslog event forwarding ... 15
About Syslog Director ... 16
Running LiveUpdate for collectors ... 16
Chapter 2 Implementation notes ... 21
Product ID for Cisco PIX Event Collector ... 21
Event example ... 21
Schema packages ... 22
Event mapping for Information Manager ... 22
Chapter 3 Event filtering and aggregation ... 25
Event filtering and aggregation for Cisco PIX Event Collector ... 25
Introducing Symantec Event Collector for Cisco PIX
This chapter includes the following topics:
■ About this quick reference
■ Compatibility requirements for Cisco PIX Event Collector
■ System requirements for the Cisco PIX Event Collector computer
■ About the installation sequence for Cisco PIX Event Collector
■ About configuring Cisco PIX to work with the collector
■ Sensor properties for Cisco PIX Event Collector
■ About syslog event forwarding
■ About Syslog Director
■ Running LiveUpdate for collectors
About this quick reference
This quick reference includes information that is specific to Symantec™ Event Collector for Cisco PIX®. General knowledge about installing and configuring collectors is assumed, as well as basic knowledge of Cisco PIX.
For detailed information on how to install and configure event collectors, please see the Symantec Event Collectors Integration Guide.
For information on Cisco PIX, see your product documentation.
Compatibility requirements for Cisco PIX Event Collector
The collector is compatible with the following Cisco PIX products:
■ Cisco PIX Security Appliance Software 6.34, 7.0.1, or 8.0
■ Cisco PIX Firewall Software 6.2
The collector runs on the following operating systems:
■ Microsoft Windows 2000 with Service Pack 4 or later
■ Microsoft Windows Advanced Server 2000 with Service Pack 4 or later
■ Microsoft Windows Server 2003 Enterprise Edition with Service Pack 1 or later
You can install version 4.3 collectors on both 32-bit and 64-bit versions of Windows Server 2003.
■ Microsoft Windows Server 2003 Standard Edition with Service Pack 1 or later
■ Windows XP with Service Pack 2 or later
■ Red Hat Enterprise Linux AS 3.0
■ Red Hat Enterprise Linux AS 4.0
■ Red Hat Enterprise Linux AS 5.0
Note: You can install version 4.3 collectors on both 32-bit and 64-bit versions of Windows Server 2000/2003.
System requirements for the Cisco PIX Event Collector computer
Minimum system requirements for a remote collector installation are as follows:
■ Intel Pentium-compatible 133-MHz processor (up to and including Xeon-class)
■ 512 MB minimum, 1 GB of memory recommended for the Symantec Event Agent
■ 35 MB of hard disk space for collector program files
■ 95 MB of hard disk space to accommodate the Symantec Event Agent, the JRE, and the collector
■ TCP/IP connection to a network from a static IP address
About the installation sequence for Cisco PIX Event Collector
The collector is preinstalled on the Information Manager 4.6 appliance. You can also install this collector on a remote computer or on an Information Manager 4.5 appliance.
The collector installation sequence is as follows:
■ Configure Cisco PIX to work with the collector.
■ Close the Symantec Security Information Manager Client console.
■ Register the collector for all off-appliance collector installations. If you use Information Manager 4.6, the collector has been pre-registered. You do not have to register it.
■ Install the Symantec Event Agent on the collector computer. You must install the agent for all remote installations. Symantec Event Agent 4.5.0 build 12 or later is required.
■ Run LiveUpdate on earlier collectors. If you install a 4.3 collector on a computer that has an earlier collector on it, you must first run LiveUpdate on all components of the earlier version of the collector. You must update the earlier collector before you install the 4.3 collector. See “Running LiveUpdate for collectors” on page 16.
■ Install the collector component. The collector is preinstalled on the Information Manager 4.6 appliance. If you want to use the collector on a remote computer, you must install it on the remote computer. You can install the collector on the Information Manager 4.5 appliance. However, you must first apply the Information Manager 4.5.1 with Maintenance Release 1 (or later) upgrade package on the appliance.
■ Configure the sensor.
■ Configure Syslog Director (optional). See “About Syslog Director” on page 16.
■ Run LiveUpdate. See “Running LiveUpdate for collectors” on page 16.
For all procedures that are not covered in the quick reference, see the Symantec Event Collectors Integration Guide.
About configuring Cisco PIX to work with the collector
Use the configuration tools that are provided with Cisco PIX to complete the following steps:
■ Set the Cisco PIX severity level. See “Setting the Cisco PIX severity level” on page 12.
■ Disable the Cisco PIX timestamp option. See “Disabling the timestamp option” on page 13.
■ Enable Cisco PIX syslog event forwarding. See “Enabling Cisco PIX syslog event forwarding” on page 13.
■ Disable Cisco PIX EMBLEM format logging, if it is enabled. The EMBLEM format is not supported by the collector. See “To disable Cisco PIX EMBLEM format logging” on page 14.
■ You can use Syslog Director along with your on-appliance collector. You must configure Cisco PIX to send syslog event data to port 514 with the UDP protocol. Syslog Director is preconfigured to listen for all syslog events through port 514. See the Symantec Event Collectors Integration Guide.
Setting the Cisco PIX severity level
Severity levels range from 0 (for emergency messages only) to 7 (the highest severity level, used primarily for debugging). Each level includes the levels below it. For example, severity level 4 includes all log messages of severity 0-4.
When you select the appropriate severity level, you must balance the need for detailed log information against additional network traffic and disk space that is used by the log data.
The collector functions regardless of the severity level that is selected. However, a high severity level provides the collector with more data to analyze and report to Information Manager.
A severity level of 6 or 7 detects successful connection activity. If the severity level is set to 5 or lower, the collector does not process and report successful connection activity.
Severity level 5 or higher detects more firewall management events, such as remote management connections and changes to the firewall's saved configuration.
Severity level 4 or higher detects most denied connections and dropped packets. These events are often important indicators of an attack or scan. For this reason, do not set the severity level lower than 4.
To set the Cisco PIX severity level
◆ At the Cisco PIX command prompt, type the following command:
logging trap severity_level
Disabling the timestamp option
You must disable the Cisco PIX timestamp option in order for Cisco PIX to work with the collector.
To disable the Cisco PIX timestamp option
◆ At the Cisco PIX command prompt, type the following command:
no logging timestamp
Enabling Cisco PIX syslog event forwarding
You must enable Cisco PIX syslog event forwarding in order for Cisco PIX to work with the collector.
To enable Cisco PIX syslog event forwarding
◆ At the Cisco PIX command prompt, type the following command:
logging host interface_name IP_address udp/port_number
where:
interface_name is the Cisco PIX network interface that is used to send the syslog messages
IP_address is the IP address of the computer that receives the syslog messages (the collector computer in most cases)
udp is the default protocol. This parameter needs to be entered only if the port_number is not 514.
[/port_number] is the syslog port number preceded by a /
An example command that uses UDP as the syslog protocol and port 514 is as follows:
logging host dmz1 192.168.1.5
An example command that uses a port other than 514 is as follows:
logging host dmz1 192.168.1.5 udp/516
Disabling the Cisco PIX EMBLEM format logging
You must disable the Cisco PIX EMBLEM format logging in order for Cisco PIX to work with the collector.
To disable Cisco PIX EMBLEM format logging
◆ At the Cisco PIX command prompt, type the following command:
no logging emblem
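The four settings above (trap severity, no timestamps, a logging host, no EMBLEM) can be checked against a copy of the PIX configuration before the collector is pointed at the device. The following Python script is an added example written for this page; it is not a Symantec or Cisco tool. It assumes the relevant lines have been copied out of the device configuration as plain text and that logging trap was entered with a numeric level, as in the procedure above. The sample configuration is constructed and deliberately breaks three of the four requirements.

```python
import re

# Constructed sample of a PIX configuration fragment (not from a real device);
# it violates three of the four collector requirements on purpose.
SAMPLE_CONFIG = """\
hostname pix-edge
logging on
logging timestamp
logging trap 3
logging emblem
logging host dmz1 192.168.1.5 udp/516
"""

# What each trap severity level adds, as stated in the quick reference.
SEVERITY_NOTES = {
    4: "most denied connections and dropped packets",
    5: "firewall management events such as remote management connections and saved-configuration changes",
    6: "successful connection activity",
}

def parse_logging_settings(config_text):
    """Extract the logging settings the collector depends on from a PIX config text."""
    settings = {"trap": None, "timestamp": False, "emblem": False, "hosts": []}
    host_re = re.compile(r"^logging host (\S+) (\S+)(?: (udp|tcp)/(\d+))?$")
    for raw in config_text.splitlines():
        line = raw.strip()
        trap = re.fullmatch(r"logging trap (\d)", line)   # assumes a numeric level
        host = host_re.match(line)
        if trap:
            settings["trap"] = int(trap.group(1))
        elif line == "logging timestamp":
            settings["timestamp"] = True
        elif line == "logging emblem":
            settings["emblem"] = True
        elif host:
            iface, ip, proto, port = host.groups()
            # PIX defaults to UDP/514 when no protocol/port suffix is given.
            settings["hosts"].append({"interface": iface, "ip": ip,
                                      "protocol": proto or "udp",
                                      "port": int(port) if port else 514})
    return settings

def check_collector_readiness(config_text):
    """Return (errors, notes): errors block the collector; notes describe what the
    chosen trap level will not send to Information Manager."""
    s = parse_logging_settings(config_text)
    errors, notes = [], []
    if s["trap"] is None:
        errors.append("no 'logging trap' level set; nothing is forwarded")
    elif s["trap"] < 4:
        errors.append(f"logging trap {s['trap']} is below 4; denied connections and "
                      "dropped packets would be missed")
    else:
        for level, gained in SEVERITY_NOTES.items():
            if s["trap"] < level:
                notes.append(f"trap level {s['trap']} does not include {gained} "
                             f"(needs {level} or higher)")
    if s["timestamp"]:
        errors.append("'logging timestamp' is enabled; run 'no logging timestamp'")
    if s["emblem"]:
        errors.append("'logging emblem' is enabled; run 'no logging emblem'")
    if not s["hosts"]:
        errors.append("no 'logging host' entry; the collector address is not configured")
    return errors, notes

if __name__ == "__main__":
    errors, notes = check_collector_readiness(SAMPLE_CONFIG)
    for line in errors:
        print("ERROR:", line)
    for line in notes:
        print("NOTE: ", line)
```

Run against the sample, the script reports the low trap level, the enabled timestamp and the enabled EMBLEM format as errors; once those are fixed and the trap level is 4, it only notes that management events (level 5) and successful connections (level 6) will not be forwarded, which is the trade-off the severity section describes.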
Sensor properties for Cisco PIX Event Collector
Table 1-1 shows the sensor properties for the syslog sensor.
Table 1-1 Syslog sensor properties
Protocol: Specify UDP or TCP. UDP is the syslog standard protocol and is faster than TCP; however, UDP provides few error recovery services, and there is no guarantee that events are delivered. TCP is slower than UDP, but it guarantees event delivery by establishing a connection.
Host Names: Specify the IP addresses or names of the host computers that the collector monitors. Specify * (or any) to allow any host to send events to the collector, or specify multiple host names. Separate multiple host names with commas or semicolons.
Port Number: Specify the port number to which you have configured Cisco PIX to send syslog messages. The default port number is 10515.
Time Offset: Specify a time offset to convert timestamps of all logged events to the time zone of the collector computer.
You can use a time offset value if both the following statements are true:
■ The time zone of the collector computer and the point product are different
■ The timestamps in the point product data are not Coordinated Universal Time (UTC)
You do not need to use this property if the collector and the point product computers are in the same time zone.
Acceptable formats are: +HH, -HH, +HH:MM, -HH:MM, where HH is the number of hours (-99 to +99), and MM is the number of minutes (0 to 59). The default value is +00:00. For example, if Pacific Standard Time (PST) is the time zone of the collector computer, you can specify -3 to convert incoming events with an Eastern Standard Time (EST) to Pacific Standard Time. You can specify +3 to convert incoming events with a Hawaii-Aleutian Standard Time (HST) standard to Pacific Standard Time.
If you enter and distribute an erroneous time zone offset, the collector automatically resets the offset value to the default value of +00:00. An error message is posted in the collector’s log.
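The Time Offset property's format rules and its reset-to-+00:00 behaviour on a bad value are easy to get wrong when scripting sensor configuration, so the following Python code, an added example for this page rather than the collector's own implementation, validates an offset string exactly as the property describes it (+HH, -HH, +HH:MM, -HH:MM), applies it to a timestamp, and falls back to +00:00 with a logged error when the value is malformed. The event times and the list standing in for the collector log are constructed.

```python
import re
from datetime import datetime, timedelta

# Documented formats: +HH, -HH, +HH:MM, -HH:MM with HH in -99..+99 and MM in 0..59.
# The sign is required because every documented format carries one.
OFFSET_RE = re.compile(r"^([+-])(\d{1,2})(?::([0-5]\d))?$")
DEFAULT_OFFSET = "+00:00"

class TimeOffsetError(ValueError):
    """Raised for an offset string that does not match the documented formats."""

def parse_offset(text):
    """Return the signed offset in minutes, e.g. '-3' -> -180, '+05:30' -> 330."""
    m = OFFSET_RE.match(text.strip())
    if m is None:
        raise TimeOffsetError(f"invalid time offset {text!r}")
    sign, hours, minutes = m.group(1), int(m.group(2)), int(m.group(3) or 0)
    total = hours * 60 + minutes
    return -total if sign == "-" else total

def load_offset(text, log):
    """Mirror the documented collector behaviour: an erroneous offset is reset to
    +00:00 and an error is written to the log (here a list stands in for the log)."""
    try:
        return parse_offset(text)
    except TimeOffsetError as err:
        log.append(f"ERROR {err}; Time Offset reset to {DEFAULT_OFFSET}")
        return parse_offset(DEFAULT_OFFSET)

def to_collector_time(event_time, offset_minutes):
    """Shift a point-product timestamp into the collector computer's time zone."""
    return event_time + timedelta(minutes=offset_minutes)

def convert_timestamp(iso_text, offset_text, log):
    """Parse an ISO-8601 timestamp, apply a validated offset, return ISO-8601 text."""
    return to_collector_time(datetime.fromisoformat(iso_text),
                             load_offset(offset_text, log)).isoformat()

if __name__ == "__main__":
    log = []
    # Constructed event time, read as Eastern Standard Time from a PIX syslog header;
    # a collector in Pacific Standard Time uses -3 to turn 16:21 EST into 13:21 PST.
    print(convert_timestamp("2008-09-04T16:21:33", "-3", log))
    # A malformed value falls back to +00:00 and leaves an error in the log.
    print(convert_timestamp("2008-09-04T16:21:33", "3 hours", log), log)
```

The conversion is a plain addition of the offset to the event time, which is why -3 moves an EST timestamp back to PST and +3 moves an HST timestamp forward to PST, matching the two examples in the table.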
About syslog event forwarding
If you forward events to a standard syslog server, you can use a syslog forwarder on that server rather than change the settings on your security device. A syslog forwarder can receive and forward events to both Information Manager and your existing syslog server.
About Syslog Director
If you use the collector on the Information Manager appliance, you can set up this collector to use Syslog Director. Syslog Director accepts syslog events from any device or application that sends events to the standard port for syslog messages, UDP port 514. (You can also configure Syslog Director to listen on other UDP or TCP ports.) Syslog Director identifies the incoming events by their signatures (specific patterns that identify each collector) and redirects the events that are received to the appropriate collector. All events that are not identified by a signature are sent to the Generic Syslog Collector.
You can upgrade Syslog Director 4.2 to Syslog Director 4.3 on your Symantec Security Information Manager 4.5 appliance.
For a detailed procedure, see the Symantec Event Collectors Integration Guide.
Note: In all deployments, you must list the Generic Syslog Collector last, and you must leave its Collector Signature empty.
The default Syslog Director settings for this collector are as follows:
Collector name: Cisco(R) PIX(R) Event Collector
Collector signature: %PIX, %ASA
Default port: 10515
For detailed procedures on Syslog Director, see the Symantec Event Collectors Integration Guide.
Running LiveUpdate for collectors
You can run LiveUpdate to receive collector updates such as support for new events and query updates.
If you install a collector on Information Manager 4.5, you must complete the following procedures in the order presented:
■ Run LiveUpdate for collectors added to the Information Manager 4.5 appliance. See “To run LiveUpdate for collectors added to the Information Manager 4.5 appliance” on page 17.
■ Verify that LiveUpdate ran successfully on Information Manager 4.5. See “To verify that LiveUpdate ran successfully on Information Manager 4.5” on page 18.
If you install a collector on Information Manager 4.6, or if you use a collector that is preinstalled on Information Manager 4.6, you must complete the following procedures in the order presented:
■ Use the Administrator Web page to run LiveUpdate.
■ Use the Administrator Web page to verify that LiveUpdate ran successfully. See “To run LiveUpdate from the Administrator Web page” on page 17.
If you installed the collector on a separate computer, you must complete the following tasks in the order presented:
■ Run LiveUpdate for a collector installed on a separate computer. See “To run LiveUpdate for a collector installed on a separate computer” on page 18.
■ Verify that LiveUpdate ran successfully for a collector installed on a separate computer. See “To verify that LiveUpdate ran successfully for a collector installed on a separate computer” on page 19.
For information on running LiveUpdate on internal LiveUpdate servers, see the Symantec LiveUpdate Administrator User's Guide.
To run LiveUpdate from the Administrator Web page
1. From a Web browser, navigate to the Information Manager Administrator Web page, and then log in with administrator credentials.
2. From the list on the left, click LiveUpdate.
3. In the list of products, to select the items to update, in the corresponding check box, check Update. At the bottom of the page, you can also click Check All.
4. At the bottom of the page, click Update. If LiveUpdate runs successfully, the status column in the Summary page displays Success.
5. To troubleshoot a problem with LiveUpdate, under Session Log, click View Log File.
To run LiveUpdate for collectors added to the Information Manager 4.5 appliance
1. Connect to the Information Manager 4.5 appliance, and log in as root.
2. Navigate to the collectors directory. The default directory is /opt/Symantec/sesa/Agent/collectors/pix
3. At the command prompt, type the following command:
sh ./runliveupdate.sh
4. To stop the Symantec Event Agent, type the following command:
service sesagentd stop
5. To change the ownership of the updated collector files, type the following command:
chown -R sesuser.ses *
6. Navigate to the Symantec Event Agent directory. The default directory is /opt/Symantec/sesa/Agent/
7. To restart the Symantec Event Agent, type the following command:
service sesagentd start
To verify that LiveUpdate ran successfully on Information Manager 4.5
1. Connect to the Information Manager 4.5 appliance, and log in as root.
2. Navigate to the collectors subdirectory of the Symantec Event Agent directory. The default directory is as follows: /opt/Symantec/sesa/Agent/collectors/pix
3. Verify that a file named LiveUpdate-Collector.txt exists. This text file shows the date of the last LiveUpdate and contains information about any defects that were addressed and any enhancements that were added.
4. Navigate to the LiveUpdate directory. The default directory is as follows: /opt/Symantec/LiveUpdate
5. To view the last 100 lines of the liveupdt.log file, type the following command:
tail -100 liveupdt.log | more
The first part of the log is in text format; the second part of the log repeats the information in XML format.
If LiveUpdate was unsuccessful, a status message that notes the failure appears at the end of the log file. For example, Status = Failed (return code - 2001).
To run LiveUpdate for a collector installed on a separate computer
1. On the collector computer, navigate to the collector directory as follows:
■ On Windows, the default directory is as follows: C:\Program Files\Symantec\Event Agent\collectors\pix
■ On UNIX, the default directory is as follows: /opt/Symantec/sesa/Agent/collectors/pix
2. At a command prompt, do one of the following tasks:
■ On Windows, type the following command: runliveupdate.bat
■ On UNIX, as the root user, type the following command: runliveupdate.sh
To verify that LiveUpdate ran successfully for a collector installed on a separate computer
1. On the collector computer, navigate to the collector directory as follows:
■ On Windows, the default directory is as follows: C:\Program Files\Symantec\sesa\Event Agent\collectors\pix
■ On UNIX, the default directory is as follows: /opt/Symantec/sesa/Agent/collectors/pix
2. Verify that a file named LiveUpdate-Collector.txt exists. This text file shows the date of the last LiveUpdate and contains information about any defects that were addressed and any enhancements that were added.
3. Navigate to the LiveUpdate directory as follows:
■ On Windows, the default LiveUpdate directory is as follows: C:\Documents and Settings\All Users\Application Data\Symantec\Java LiveUpdate
■ On UNIX, the default LiveUpdate directory is as follows: /opt/Symantec/LiveUpdate
4. To view the liveupdt.log file, do one of the following tasks:
■ On Windows, use a text editor such as Notepad to view the liveupdt.log file.
■ On UNIX, to view the last 100 lines of the liveupdt.log file, type the following command: tail -100 liveupdt.log | more
The first part of the log is in text format; the second part of the log repeats the information in XML format.
If LiveUpdate was unsuccessful, a status message that notes the failure appears at the end of the log file. For example, Status = Failed (return code - 2001).
Implementation notes
This chapter includes the following topics:
■ Product ID for Cisco PIX Event Collector
■ Event example
■ Schema packages
■ Event mapping for Information Manager
Product ID for Cisco PIX Event Collector
The product ID of the collector is 3119.
Event example
Sep 04 16:21:33 10.193.111.244 %PIX-2-106001: Inbound TCP connection denied from 10.193.111.40/8181 to 10.0.1.3/21 flags ACK on interface outside
Sep 04 16:21:33 10.193.111.244 %PIX-6-106002: protocol Connection denied by outbound list Moe src 10.0.1.3/21 dest 10.193.111.25/ 9898dest faddr
Sep 04 16:21:33 10.193.111.244 %PIX-2-108002: SMTP replaced |: out 213.76.104.173 in 10.0.0.10 data:mail from: |root
Event structure:
Syslog time, followed by proxy machine, followed by vendor code. "from"/"for" is followed by source IP and source port, or by user name. "to" is followed by destination IP and destination port. Additional information is described in the mapping tables.
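The event structure above and the Syslog Director signature table in chapter 1 together describe how a raw PIX syslog line reaches the collector and is broken into fields. The following Python code is an added example for this page, not the collector's own parser: it routes lines the way Syslog Director's dispatch table does (%PIX or %ASA to the PIX collector, everything else to the Generic Syslog Collector) and maps the header and the from/src and to/dest pairs onto the Information Manager field names used in Table 2-2. The sample lines are constructed after the three event examples (with a fourth, non-PIX line added); Severity, Message ID and Interface are working keys chosen here, not field names from the mapping table.

```python
import re

# Constructed syslog lines modelled on the three event examples above (the
# 106001, 106002 and 108002 message forms) plus one non-PIX line that Syslog
# Director would hand to the Generic Syslog Collector. None are real captures.
SAMPLE_LINES = [
    "Sep 04 16:21:33 10.193.111.244 %PIX-2-106001: Inbound TCP connection denied "
    "from 10.193.111.40/8181 to 10.0.1.3/21 flags ACK on interface outside",
    "Sep 04 16:21:33 10.193.111.244 %PIX-6-106002: protocol Connection denied by "
    "outbound list Moe src 10.0.1.3/21 dest 10.193.111.25/9898",
    "Sep 04 16:21:33 10.193.111.244 %PIX-2-108002: SMTP replaced |: out "
    "213.76.104.173 in 10.0.0.10 data:mail from: |root",
    "Sep 04 16:21:34 10.193.111.9 sshd[1234]: Accepted password for admin from 10.0.0.5 port 51234",
]

# Syslog Director dispatch order from the quick reference: the PIX collector with
# its %PIX/%ASA signatures first, the Generic Syslog Collector last with no signature.
DIRECTOR_TABLE = [
    ("Cisco(R) PIX(R) Event Collector", ("%PIX", "%ASA")),
    ("Generic Syslog Collector", ()),
]

def route_event(line, table=DIRECTOR_TABLE):
    """Return the collector that Syslog Director would forward this line to."""
    for collector, signatures in table:
        if not signatures or any(sig in line for sig in signatures):
            return collector
    raise ValueError("dispatch table must end with the empty-signature generic collector")

# Syslog time, proxy machine (the PIX), vendor signature %PIX-<severity>-<message id>.
HEADER_RE = re.compile(
    r"^(?P<date>[A-Z][a-z]{2} \d\d \d\d:\d\d:\d\d) (?P<proxy>\S+) "
    r"(?P<sig>%(?:PIX|ASA)-(?P<sev>\d)-(?P<msgid>\d+)): (?P<body>.*)$"
)
IP_PORT = r"(\d{1,3}(?:\.\d{1,3}){3})/(\d+)"

def parse_pix_event(line):
    """Map one PIX syslog line onto Information Manager field names (Table 2-2).
    Returns None for a line without a PIX header."""
    m = HEADER_RE.match(line)
    if m is None:
        return None
    body = m.group("body")
    event = {
        "Event Date": m.group("date"),
        "Proxy Machine": m.group("proxy"),
        "Vendor Signature": m.group("sig"),
        "Severity": int(m.group("sev")),        # working key, taken from the signature
        "Message ID": int(m.group("msgid")),    # working key, taken from the signature
        "Description": body,
    }
    # "from"/"src" precede the source IP/port, "to"/"dest" the destination IP/port.
    src = re.search(r"\b(?:from|src) " + IP_PORT, body)
    dst = re.search(r"\b(?:to|dest) " + IP_PORT, body)
    if src:
        event["IP Source Address"], event["IP Source Port"] = src.group(1), int(src.group(2))
    if dst:
        event["IP Destination Address"], event["IP Destination Port"] = dst.group(1), int(dst.group(2))
    proto = re.search(r"\b(TCP|UDP|ICMP)\b", body)
    if proto:
        event["Network Protocol"] = proto.group(1)
    flags = re.search(r"\bflags (.+?)(?: on interface|$)", body)
    if flags:
        event["TCP Flags"] = flags.group(1)
    iface = re.search(r"\bon interface (\S+)", body)
    if iface:
        # The page does not say whether this is the source or destination interface
        # field, so it is kept under a neutral working key here.
        event["Interface"] = iface.group(1)
    return event

def process_lines(lines):
    """Route each line as Syslog Director would; parse those that reach the PIX collector."""
    parsed, generic = [], []
    for line in lines:
        if route_event(line) == "Cisco(R) PIX(R) Event Collector":
            parsed.append(parse_pix_event(line))
        else:
            generic.append(line)
    return parsed, generic

if __name__ == "__main__":
    pix_events, other = process_lines(SAMPLE_LINES)
    for e in pix_events:
        print(e)
    print("to Generic Syslog Collector:", other)
```

The 108002 (SMTP) line shows the limit of the from/to rule: it carries no IP/port pair in that form, so only the header fields are filled, which is why the mapping table qualifies most fields with "if available".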
Schema packages
Table 2-1 shows the schema event class packages that are used by the collector.
Table 2-1 Schema packages
symc_fw_conn_stats: Events that contain information about PIX firewall bytes sent and received are sent as firewall statistics class events.
symc_firewall_network: Most of the events belong to the firewall class; the event ID is selected depending on their type.
symc_network: Included as a parent class for the previous class; no events from the network class are sent.
Event mapping for Information Manager
Table 2-2 shows the event mapping.
Table 2-2 Event mapping (Information Manager field name: relationship to the Cisco PIX event)
Category ID: “Application” or “Security”
Description: Description of the event that is captured
Destination Host Name: Destination host name if it exists; otherwise the destination IP address
Destination Interface Name: Interface of the destination that is used
Event Date: Date and time of the event
Elapsed Time (seconds): Duration of the connection, in seconds
Event Count: REPETITION
Event Type ID: Event ID that is associated to each event. Indicates whether the event is a firewall, VPN, connection statistics, or Base or Configuration event
Host MAC: MAC address of the client computer, if necessary
ICMP Code: Code number that provides more information about the ICMP operation
ICMP Type: ICMP protocol operation type number. Stores the actual ICMP Type number
IP Destination Address: Destination IP address of the event
IP Destination Port: Destination port of the event, if available
IP Source Address: Source IP address of the event
IP Source Port: Source port of the event, if available
Network Protocol: Protocol that is associated with the event
Proxy Machine: PIX information
Rule: Name of the rule that is associated with the event that is logged, if it exists
Source Host Name: Source host name if it exists; otherwise, the source IP address
Source Interface Name: Interface of the source that is used
Target Resource: The target of the intended event. Any URL, user name, or file server’s IP address, if available in the event
TCP Flags: Standard string abbreviations that indicate the TCP flags that are set in the packet header
Translated Destination IP Address: Translated destination IP address, if it exists
Translated Destination Port: Translated destination port, if it exists
Translated Source IP Address: Translated source IP address, if it exists
Translated Source Port: Translated source port, if it exists
User Name: User name. The user name may exist after the key phrase User: or at the end of the event (USER_NAME)
Vendor Signature: Signature to identify and distinguish various PIX events (%PIX-n-XXX)
Event filtering and aggregation
This chapter includes the following topics:
■ Event filtering and aggregation for Cisco PIX Event Collector
Event filtering and aggregation for Cisco PIX Event Collector
VPNs and firewalls generate many events that may not be required for correlating events. Depending on your environment, these events may be considered excess events. You can filter or aggregate similar events, provided that the role of Symantec Security Information Manager is not the retention of all events. Possible filters and aggregators include the following examples:
■ Connection rejected
Connection rejected events indicate that the firewall is operating as it is configured. These events do not ordinarily pose security threats and can be filtered at the collector.
This filter removes ICMP traffic that was rejected at the firewall. Filter or aggregator properties are set as follows:
■ Network Protocol ID = 167104
■ Event Type ID = 512001
■ Connection accepted
Connection accepted events are generated by legitimate network traffic. You can filter or aggregate these events by IP address. If an individual event from an unwanted connection is accepted, and defense-in-depth theories are properly applied, the intrusion detection system identifies and reports the attack. This aggregation consolidates successful ICMP Echo Request connections from a single source.
Filter or aggregator properties are set as follows:
■ ICMP Type ID = 8
■ Event Type ID = 912001
■ IP Source Address as the similar property
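To make the difference between a filter and an aggregator concrete, the following Python code is an added example for this page, not the collector's own filtering engine. It applies the two rules exactly as listed: the filter drops every event whose Network Protocol ID and Event Type ID both match, and the aggregator collapses matching ICMP Echo Request events that share the similar property (IP Source Address) into one event whose Event Count is the sum. The property values 167104, 512001, 912001 and 8 are the ones given above; the normalized sample events are constructed, and the non-ICMP protocol ID 6 in them is a placeholder rather than a documented Information Manager value.

```python
# Property values as given in the quick reference's two examples.
NETWORK_PROTOCOL_ICMP = 167104        # Network Protocol ID in the "Connection rejected" filter
EVENT_TYPE_CONNECTION_REJECTED = 512001
EVENT_TYPE_CONNECTION_ACCEPTED = 912001
ICMP_TYPE_ECHO_REQUEST = 8

# Filter: drop rejected ICMP traffic. Aggregator: merge accepted ICMP Echo Requests
# per source address, using IP Source Address as the similar property.
REJECTED_ICMP_FILTER = {
    "Network Protocol ID": NETWORK_PROTOCOL_ICMP,
    "Event Type ID": EVENT_TYPE_CONNECTION_REJECTED,
}
ACCEPTED_ECHO_AGGREGATOR = (
    {"ICMP Type ID": ICMP_TYPE_ECHO_REQUEST, "Event Type ID": EVENT_TYPE_CONNECTION_ACCEPTED},
    "IP Source Address",
)

# Constructed normalized events using the field names from the mapping table; not real
# data. The value 6 for a non-ICMP Network Protocol ID is a placeholder, not a documented ID.
SAMPLE_EVENTS = [
    {"Event Type ID": 512001, "Network Protocol ID": 167104, "IP Source Address": "10.0.0.7", "Event Count": 1},
    {"Event Type ID": 512001, "Network Protocol ID": 6, "IP Source Address": "10.0.0.7", "Event Count": 1},
    {"Event Type ID": 912001, "ICMP Type ID": 8, "IP Source Address": "10.0.0.9", "Event Count": 1},
    {"Event Type ID": 912001, "ICMP Type ID": 8, "IP Source Address": "10.0.0.9", "Event Count": 1},
    {"Event Type ID": 912001, "ICMP Type ID": 8, "IP Source Address": "10.0.0.11", "Event Count": 1},
    {"Event Type ID": 912001, "ICMP Type ID": 0, "IP Source Address": "10.0.0.9", "Event Count": 1},
]

def matches(event, properties):
    """True when every property in the rule equals the event's value for that field."""
    return all(event.get(field) == value for field, value in properties.items())

def apply_filter(events, properties):
    """Drop events that match all of the filter's properties; keep the rest in order."""
    return [e for e in events if not matches(e, properties)]

def apply_aggregator(events, properties, similar_property):
    """Collapse matching events that share similar_property into one event whose
    Event Count is the sum; non-matching events pass through unchanged."""
    merged = {}
    output = []
    for e in events:
        if not matches(e, properties):
            output.append(e)
            continue
        key = e.get(similar_property)
        if key in merged:
            merged[key]["Event Count"] += e.get("Event Count", 1)
        else:
            first = dict(e)                       # copy so the input list is not mutated
            first["Event Count"] = first.get("Event Count", 1)
            merged[key] = first
            output.append(first)
    return output

def process(events):
    """Apply the page's two examples in sequence: filter first, then aggregate."""
    filtered = apply_filter(events, REJECTED_ICMP_FILTER)
    return apply_aggregator(filtered, *ACCEPTED_ECHO_AGGREGATOR)

if __name__ == "__main__":
    for e in process(SAMPLE_EVENTS):
        print(e)
```

On the six sample events the rejected ICMP event disappears, the rejected TCP event is kept, the two Echo Requests from 10.0.0.9 become one event with Event Count 2, and the Echo Reply (ICMP type 0) passes untouched because the aggregator's properties require type 8.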