Network Security Monitoring Settings

For all settings related to Network Security Monitoring, you need to apply changes on the probe once you are happy with your change set.

To do so, click on Apply change(s) under the Pending modification(s) sub menu in the left hand side panel. Choose whether to schedule the change or apply it immediately, then click the Apply button. The task list presented shows the details of the task execution: status, duration, start time, retries, etc.

Change NSM settings for a probe

Click on the Appliances major menu and select the desired probe, as listed by name in the Stamus Probes list. Click on the View button to the right of the probe listing. On the right hand side, under NSM settings, you can click a particular output for Basic (enable/disable) or Advanced editing.

Enable or disable protocols for a probe

Click on the Appliances major menu and select the desired probe, as listed by name in the Stamus Probes list. Click on the three dots to the right of the probe listing and click Edit probe. Click on the Protocols subsection. Select (or deselect) the desired protocols for the remote probe and then click on Submit. You can verify the change in the NSM settings sub menu in the right hand side panel view.

Click on Apply change(s) under the Pending modification(s) sub menu in the left hand side panel. Choose whether to schedule the change or apply it immediately, then click the Apply button. The task list presented shows the details of the task execution: status, duration, start time, retries, etc.

Common settings for protocols

Click on the Appliances major menu and select the desired probe, as listed by name in the Stamus Probes list. Click on the View button to the right of the probe listing. On the right hand side, under NSM settings, click on the protocol name.

A protocol has four different possible states:

  • Disable: No analysis of the protocol is done; all detections using keywords dedicated to this protocol are skipped.

  • No logging: Analysis of the protocol is done and all detections with dedicated keywords are performed, but no log is generated.

  • Conditional logging: Same analysis and detection as the previous state, but transaction logs are generated for this protocol for flows that have alerted.

  • Full logging: Same analysis and detection as the previous state, but all transaction logs are generated for this protocol.

In the edit page of the protocol, a menu allows you to select the value you want for this protocol.

It is recommended to select at least Conditional logging, as it provides context around IDS alerts that is very useful during an investigation.

Add custom or extended HTTP information

Click on the Appliances major menu and select the desired probe, as listed by name in the Stamus Probes list. Click on the View button to the right of the probe listing. On the right hand side, under NSM settings, click on the HTTP icon. If you would like to add custom fields, make sure Custom logging is selected and add the desired fields in the List of fields section.

Custom fields can be any of the following:

  • accept

  • accept-charset

  • accept-datetime

  • accept-encoding

  • accept-language

  • accept-range

  • age

  • allow

  • authorization

  • cache-control

  • connection

  • content-encoding

  • content-language

  • content-length

  • content-location

  • content-md5

  • content-range

  • content-type

  • cookie

  • date

  • dnt

  • etags

  • from

  • last-modified

  • link

  • location

  • max-forwards

  • origin

  • pragma

  • proxy-authenticate

  • proxy-authorization

  • range

  • referrer

  • refresh

  • retry-after

  • server

  • set-cookie

  • te

  • trailer

  • transfer-encoding

  • upgrade

  • vary

  • via

  • warning

  • www-authenticate

  • x-forwarded-proto

  • x-requested-with

Click on the Submit button.

Click on Apply change(s) under the Pending modification(s) sub menu in the left hand side panel. Choose whether to schedule the change or apply it immediately, then click the Apply button. The task list presented shows the details of the task execution: status, duration, start time, retries, etc.
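As an added example (not Stamus Networks code), the following script shows what the four protocol logging states and the custom HTTP fields described above should produce in a probe's output, so you can verify an applied change. It assumes the probe emits Suricata-style EVE JSON lines with an "event_type" of "alert" or "http" and a "flow_id" shared by all events of a flow, and that custom HTTP headers are logged inside the "http" object under the header name lower-cased with "-" replaced by "_"; the sample lines are constructed.

```python
"""Added example: expected probe output for a protocol logging state and
a set of custom HTTP fields. Assumptions (see lead-in): EVE JSON lines,
event_type alert/http, shared flow_id, custom header keys lower-cased
with '-' replaced by '_'."""
import json

# Constructed sample EVE lines: two flows, only flow 1 raised an alert.
SAMPLE_EVE = """\
{"event_type":"alert","flow_id":1,"alert":{"signature_id":2100498}}
{"event_type":"http","flow_id":1,"http":{"hostname":"a.example","user_agent":"curl/8.0","cookie":"sid=1"}}
{"event_type":"http","flow_id":2,"http":{"hostname":"b.example","user_agent":"Mozilla/5.0"}}
"""


def expected_transactions(eve_text, proto, mode):
    """Return the transaction events the probe should emit for PROTO under
    MODE: 'disable' / 'no_logging' (none), 'conditional' (only flows that
    alerted) or 'full' (every transaction)."""
    events = [json.loads(line) for line in eve_text.splitlines() if line.strip()]
    if mode in ("disable", "no_logging"):
        return []
    alerted = {e["flow_id"] for e in events if e["event_type"] == "alert"}
    txs = [e for e in events if e["event_type"] == proto]
    if mode == "conditional":
        return [e for e in txs if e["flow_id"] in alerted]
    if mode == "full":
        return txs
    raise ValueError(f"unknown logging mode: {mode}")


def missing_custom_fields(tx_events, proto, custom_fields):
    """List configured custom fields absent from every transaction record,
    to check that an applied change took effect. A field that never appears
    (e.g. a response-only header in request-only traffic) is reported."""
    missing = []
    for name in custom_fields:
        key = name.lower().replace("-", "_")  # assumed EVE key derivation
        if not any(key in e.get(proto, {}) for e in tx_events):
            missing.append(name)
    return missing


if __name__ == "__main__":
    for mode in ("disable", "conditional", "full"):
        txs = expected_transactions(SAMPLE_EVE, "http", mode)
        print(mode, [e["flow_id"] for e in txs])
    full = expected_transactions(SAMPLE_EVE, "http", "full")
    print(missing_custom_fields(full, "http", ["cookie", "set-cookie"]))
```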

Add custom or extended SMTP information

Click on the Appliances major menu and select the desired probe, as listed by name in the Stamus Probes list. Click on the View button to the right of the probe listing. On the right hand side, under NSM settings, click on the SMTP icon. If you would like to add custom fields, make sure Custom logging is selected and add the desired fields in the List of fields section.

Custom fields can be any of the following:

  • bcc

  • content_md5

  • date

  • importance

  • in_reply_to

  • message_id

  • organization

  • priority

  • received

  • references

  • reply_to

  • sensitivity

  • subject

  • user_agent

  • x_mailer

  • x_originating_ip

Click on the Submit button.

Click on Apply change(s) under the Pending modification(s) sub menu in the left hand side panel. Choose whether to schedule the change or apply it immediately, then click the Apply button. The task list presented shows the details of the task execution: status, duration, start time, retries, etc.

Add custom DNS information

Click on the Appliances major menu and select the desired probe, as listed by name in the Stamus Probes list. Click on the View button to the right of the probe listing. On the right hand side, under NSM settings, click on the DNS icon. If you would like to add custom fields, make sure Custom logging is selected and add the desired fields in the List of fields section.

Custom fields can be any of the following:

  • A

  • AAAA

  • CNAME

  • MX

  • NS

  • PTR

  • TXT

Click on the Submit button.

Click on Apply change(s) under the Pending modification(s) sub menu in the left hand side panel. Choose whether to schedule the change or apply it immediately, then click the Apply button. The task list presented shows the details of the task execution: status, duration, start time, retries, etc.

Add packet data or payload to the alerts information

Click on the Appliances major menu and select the desired probe, as listed by name in the Stamus Probes list. Click on the View button to the right of the probe listing. On the right hand side, under NSM settings, click on the ALERT icon and select the desired option. Click on the Submit button.

To apply it, click on Apply change(s) under the Pending modification(s) sub menu in the left hand side panel. Choose whether to schedule the change or apply it immediately, then click the Apply button. The task list presented shows the details of the task execution: status, duration, start time, retries, etc.

File handling capabilities

For all settings related to file handling, you need to apply changes on the probe once you are happy with your change set.

To do so, click on Apply change(s) under the Pending modification(s) sub menu in the left hand side panel. Choose whether to schedule the change or apply it immediately, then click the Apply button. The task list presented shows the details of the task execution: status, duration, start time, retries, etc.

Enable or disable file extraction for a probe

Click on the Appliances major menu and select the desired probe, as listed by name in the Stamus Probes list. Click on the three dots to the right of the probe listing and click Edit probe. Click on the Settings subsection. Select (or deselect) Activate file extraction for the remote probe and enter the maximum file size (a bare number is interpreted as MB). Click on Submit.

To apply it, click on Apply change(s) under the Pending modification(s) sub menu in the left hand side panel. Choose whether to schedule the change or apply it immediately, then click the Apply button. The task list presented shows the details of the task execution: status, duration, start time, retries, etc.

Add hashsum, file magic or mimetype information

Click on the Appliances major menu and select the desired probe, as listed by name in the Stamus Probes list. Click on the View button to the right of the probe listing. On the right hand side, under NSM settings, click on the File Info icon and select the desired option. Click on the Submit button.

To apply it, click on Apply change(s) under the Pending modification(s) sub menu in the left hand side panel. Choose whether to schedule the change or apply it immediately, then click the Apply button. The task list presented shows the details of the task execution: status, duration, start time, retries, etc.

Rule Activity for a probe

Review rules activity for a probe

Click on the Appliances major menu and select the desired probe, as listed by name in the Stamus Probes list. Click on the View button to the right of the probe listing.

You are presented with an overview of the rules activity for that particular probe over a period of time. You can click on the settings icon to the top right to select or change the timespan shown.

Under the Rule Activity section you will find a summary aggregation of the different rules, subdivided by Sid, Msg, Category, Hits and the alerts each rule has generated for that particular probe. You can click on the sid number of the rule in question under Sid.

Alerts generated by a rule on a particular probe can be deleted as well. Click on Delete generated alerts under sub menu Action from the left hand side panel. Confirm by clicking on the Delete alerts button.

If you would like to see the rule itself, you can click on the Msg for that particular rule. To see, for one particular rule, its:

  • rule definition

  • activity (including on other probes)

  • status in the ruleset

you can click on the sid number for that rule under Sid in the Rule Activity sub section. You can subsequently enable or disable that rule, or delete the alerts generated by that rule.