Network Security Monitoring Settings¶
For all settings related to Network Security Monitoring, you need to apply changes on the probe once you are happy with your change set.
To do so click on Apply change(s)
under the sub menu
Pending modification(s)
from the left hand side panel. Choose if you would like to schedule the change or apply it immediately. Click on the Apply
button. In the task
list presented - you will be informed about the details of the task execution - status, duration, started, retries, etc.
Change NSM settings for a probe¶
Click on Appliances
major menu -> Select the desired probe - as available under name
the Stamus Probes
list. Click on the View
button to the right side of the probe listing.
On the right hand side under NSM settings
you can choose/click a particular output for further Basic
(enable/disable) or Advanced
editing.
Enable or disable protocols for a probe¶
Click on Appliances
major menu -> Select the desired probe - as available under name
the Stamus Probes
list. Click on the three dots
to the right side of the probe listing and click Edit probe
.
Click on subsection Protocols
. Select (or deselect) the desired protocols for the remote probe and then click on Submit
.You should be able to
verify the change as displayed in the NSM settings
sub menu on the right hand side panel view.
Click on Apply change(s)
under the sub menu Pending modification(s)
from
the left hand side panel. Choose if you would like to schedule the change or apply it immediately. Click on the Apply
button. In the task list presented - you will be
informed about the details of the task execution - status, duration, started, retries, etc.
Common settings for protocols¶
Click on Appliances
major menu -> Select the desired probe - as available under name
the Stamus Probes
list. Click on the View
button to the right side of the probe listing.
On the right hand side under NSM settings
click on the Protocol name.
A protocol has four different possible states:
Disable: No analysis on the protocol is done, all detections using keywords dedicated to this protocol will be skipped.
No logging: Analysis on the protocol is done and all detection with dedicated keywords will be done. But no log will be generated.
Conditional logging: As previous stage for analysis and detection but transaction logs will be generated for this protocol for flows that have alerted
Full logging: As previous stage for analysis and detection but all transaction logs will be generated for this protocol
In the edit page of the protocol, a menu allows you to select the value you want for this protocol.
It is recommended to select at least Conditional logging
as it will provide context around IDS alerts that is really beneficial when doing investigation.
Add custom or extended HTTP information¶
Click on Appliances
major menu -> Select the desired probe - as available under name
the Stamus Probes
list. Click on the View
button to the right side of the probe listing.
On the right hand side under NSM settings
click on the HTTP
icon.
If you would like to add custom fields make sure Custom logging
is selected and add the desired fields in the List of fields
section.
Custom fields can be any of these below:
accept
accept-charset
accept-datetime
accept-encoding
accept-language
accept-range
age
allow
authorization
cache-control
connection
content-encoding
content-language
content-length
content-location
content-md5
content-range
content-type
cookie
date
dnt
etags
from
last-modified
link
location
max-forwards
origin
pragma
proxy-authenticate
proxy-authorization
range
referrer
refresh
retry-after
server
set-cookie
te
trailer
transfer-encoding
upgrade
vary
via
warning
www-authenticate
x-forwarded-proto
x-requested-with
Click on the Submit
button.
Click on Apply change(s)
under the sub menu
Pending modification(s)
from the left hand side panel. Choose if you would like to schedule the change or apply it immediately. Click on the Apply
button. In the task list presented -
you will be informed about the details of the task execution - status, duration, started, retries, etc.
Add custom or extended SMTP information¶
Click on Appliances
major menu -> Select the desired probe - as available under name
the Stamus Probes
list. Click on the View
button to the right side of the probe listing.
On the right hand side under NSM settings
click on the SMTP
icon.
If you would like to add custom fields make sure Custom logging
is selected and add the desired fields in the List of fields
section.
Custom fields can be any of these below:
bcc
content_md5
date
importance
in_reply_to
message_id
organization
priority
received
references
reply_to
sensitivity
subject
user_agent
x_mailer
x_originating_ip
Click on the Submit
button.
Click on Apply change(s)
under the sub menu
Pending modification(s)
from the left hand side panel. Choose if you would like to schedule the change or apply it immediately. Click on the Apply
button. In the task list presented -
you will be informed about the details of the task execution - status, duration, started, retries, etc.
Add custom DNS information¶
Click on Appliances
major menu -> Select the desired probe - as available under name
the Stamus Probes
list. Click on the View
button to the right side of the probe listing.
On the right hand side under NSM settings
click on the DNS
icon.
If you would like to add custom fields make sure Custom logging
is selected and add the desired fields in the List of fields
section.
Custom fields can be any of these below:
A
AAAA
CNAME
MX
NS
PTR
TXT
Click on the Submit
button.
Click on Apply change(s)
under the sub menu
Pending modification(s)
from the left hand side panel. Choose if you would like to schedule the change or apply it immediately. Click on the Apply
button. In the task list presented -
you will be informed about the details of the task execution - status, duration, started, retries, etc.
Add packet data or payload to the alerts information¶
Click on Appliances
major menu -> Select the desired probe - as available under name
the Stamus Probes
list. Click on the View
button to the right side of the probe listing.
On the right hand side under NSM settings
click on the ALERT
icon and select the desired option. Click on the Submit
button.
To apply it immediately, click on Apply change(s)
under the sub menu
Pending modification(s)
from the left hand side panel. Choose if you would like to schedule the change or apply it immediately. Click on the Apply
button. In the task list presented -
you will be informed about the details of the task execution - status, duration, started, retries, etc.
File handling capabilities¶
For all settings related to file handling, you need to apply changes on the probe once you are happy with your change set.
To do so click on Apply change(s)
under the sub menu
Pending modification(s)
from the left hand side panel. Choose if you would like to schedule the change or apply it immediately. Click on the Apply
button. In the task
list presented - you will be informed about the details of the task execution - status, duration, started, retries, etc.
Enable or disable file extraction for a probe¶
Click on Appliances
major menu -> Select the desired probe - as available under name
the Stamus Probes
list. Click on the three dots
to the right side of the probe listing and click Edit probe
.
Click on subsection Settings
. Select (or deselect) the Activate file extraction
for the remote probe and enter maximum file size (just a number indicates MB).
Click on Submit
.
To apply it immediately, click on Apply change(s)
under the sub menu Pending modification(s)
from the left hand side panel. Choose if you would like to schedule the change or apply it immediately.
Click on the Apply
button. In the task list presented - you will be informed about the details of the task execution - status, duration, started, retries, etc.
Add Hahsum, file magic or mimetype information¶
Click on Appliances
major menu -> Select the desired probe - as available under name
the Stamus Probes
list. Click on the View
button to the right side of the probe listing.
On the right hand side under NSM settings
click on the File Info
icon and select the desired option. Click on the Submit
button.
To apply it immediately, click on Apply change(s)
under the sub menu Pending modification(s)
from the left hand side panel. Choose if you would like to schedule the change or apply it immediately.
Click on the Apply
button. In the task list presented - you will be informed about the details of the task execution - status, duration, started, retries, etc.
Rule Activity for a probe¶
Review rules activity for a probe¶
Click on Appliances
major menu -> Select the desired probe - as available under name
the Stamus Probes
list. Click on the View
button to the right side of the probe listing.
You are presented with an overview of the rules activity for that particular probe over a period of time. You can click on the settings icon to the top right to select or change the timespan shown.
Under the Rule Activity
section you will have a summary aggregation of the different rules subdivided by - Sid, Msg, Category Hits and the alerts each rules has generated for that
particular probe. You can click on the sid number for the rule in question under Sid
row.
Alerts generated by a rule on a particular probe can be deleted as well.
Click on Delete generated alerts
under sub menu Action
from the left hand side panel.
Confirm by clicking on the Delete alerts
button.
If you would like to see the rule itself yo can click on the Msg
for that particular rule.
To see one particular rule activity’s:
rule definition
activity (including) on other probes
Status in the ruleset
you can click on the sid number for that rule under Sid
row under Rule Activity
sub section. You can subsequently enable, disable that rule or delete the generated alerts by that rule.