Network Security Monitoring Settings¶
For all settings related to Network Security Monitoring, you need to apply the changes on the probe once you are happy with your change set. To do so, click on Apply change(s) under the sub menu Pending modification(s) in the left hand side panel. Choose whether you would like to schedule the change or apply it immediately, then click on the Apply button. The task list presented informs you about the details of the task execution: status, duration, start time, retries, etc.
Change NSM settings for a probe¶
Click on the Appliances major menu and select the desired probe, as listed by name in the Stamus Probes list. Click on the View button on the right side of the probe listing.
On the right hand side, under NSM settings, you can click a particular output for Basic (enable/disable) or Advanced editing.
Enable or disable protocols for a probe¶
Click on the Appliances major menu and select the desired probe, as listed by name in the Stamus Probes list. Click on the three dots on the right side of the probe listing and click Edit probe.
Click on the Protocols subsection. Select (or deselect) the desired protocols for the remote probe and then click on Submit. You can verify the change in the NSM settings sub menu in the right hand side panel view.
Click on Apply change(s) under the sub menu Pending modification(s) in the left hand side panel. Choose whether you would like to schedule the change or apply it immediately, then click on the Apply button. The task list presented informs you about the details of the task execution: status, duration, start time, retries, etc.
Common settings for protocols¶
Click on the Appliances major menu and select the desired probe, as listed by name in the Stamus Probes list. Click on the View button on the right side of the probe listing.
On the right hand side, under NSM settings, click on the protocol name.
A protocol has four different possible states:
Disable: No analysis of the protocol is done, and all detections using keywords dedicated to this protocol are skipped.
No logging: Analysis of the protocol is done and all detections with dedicated keywords run, but no log is generated.
Conditional logging: Same analysis and detection as the previous state, but transaction logs are generated for this protocol for flows that have alerted.
Full logging: Same analysis and detection as the previous state, but all transaction logs are generated for this protocol.
In the edit page of the protocol, a menu allows you to select the value you want for this protocol.
It is recommended to select at least Conditional logging as it will provide context around IDS alerts that is really beneficial when doing investigation.
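The following is an added example, not code from the Stamus documentation or the probe itself. It models the four protocol states above over a handful of constructed NSM events, so the effect of each state on what the probe emits can be compared side by side; in particular it shows why Conditional logging keeps the transaction records of alerted flows while dropping the rest. The event shape (flow_id, event_type, app_proto, uses_proto_keywords) is an assumption made for this example and is not the probe's actual log format.

```python
# Added example (not part of the Stamus documentation): a model of the
# per-protocol logging states run over constructed NSM events.
# The event shape below is assumed for this example, not the real log format.
from enum import Enum


class ProtoState(Enum):
    DISABLE = "disable"                  # no analysis, protocol keyword detections skipped
    NO_LOGGING = "no_logging"            # analysis and detection, no transaction logs
    CONDITIONAL = "conditional_logging"  # transaction logs only for flows that alerted
    FULL = "full_logging"                # every transaction logged


# Constructed sample events (not captured data). "uses_proto_keywords" marks
# alerts whose signature relies on keywords dedicated to app_proto.
EVENTS = [
    {"flow_id": 1, "event_type": "http", "app_proto": "http", "hostname": "update.example.test", "url": "/a"},
    {"flow_id": 1, "event_type": "alert", "app_proto": "http", "signature_id": 2000001, "uses_proto_keywords": True},
    {"flow_id": 2, "event_type": "http", "app_proto": "http", "hostname": "cdn.example.test", "url": "/b"},
    {"flow_id": 3, "event_type": "smtp", "app_proto": "smtp", "subject": "invoice"},
    {"flow_id": 3, "event_type": "alert", "app_proto": "smtp", "signature_id": 2000002, "uses_proto_keywords": False},
    {"flow_id": 4, "event_type": "dns", "app_proto": "dns", "rrname": "ns.example.test", "rrtype": "A"},
]


def apply_protocol_states(events, states):
    """Return the events that would be emitted under the given per-protocol states.

    states maps app_proto -> ProtoState; protocols not listed default to FULL.
    Input order is preserved.
    """
    def state_of(proto):
        return states.get(proto, ProtoState.FULL)

    # Pass 1: decide which alerts survive. Under DISABLE the detections that
    # rely on the protocol's keywords are skipped; other alerts still fire.
    kept_alert_ids = {
        id(e) for e in events
        if e["event_type"] == "alert"
        and not (state_of(e["app_proto"]) is ProtoState.DISABLE and e["uses_proto_keywords"])
    }
    alerted_flows = {e["flow_id"] for e in events if id(e) in kept_alert_ids}

    # Pass 2: transaction logs follow the protocol's logging state.
    out = []
    for e in events:
        if e["event_type"] == "alert":
            if id(e) in kept_alert_ids:
                out.append(e)
            continue
        st = state_of(e["app_proto"])
        if st is ProtoState.FULL:
            out.append(e)
        elif st is ProtoState.CONDITIONAL and e["flow_id"] in alerted_flows:
            out.append(e)
        # NO_LOGGING and DISABLE emit no transaction logs for this protocol
    return out


def summarize(events):
    """Count emitted events per event_type for a quick comparison."""
    counts = {}
    for e in events:
        counts[e["event_type"]] = counts.get(e["event_type"], 0) + 1
    return counts


if __name__ == "__main__":
    # Vary the HTTP state while keeping SMTP on conditional logging.
    for http_state in ProtoState:
        emitted = apply_protocol_states(EVENTS, {"http": http_state, "smtp": ProtoState.CONDITIONAL})
        print(f"http={http_state.value:20} smtp=conditional_logging -> {summarize(emitted)}")
```

Running the block prints one line per HTTP state: with Full logging both HTTP transactions appear, with Conditional logging only the transaction of flow 1 (the flow that alerted) remains, with No logging the alert survives without its transaction context, and with Disable the keyword-based HTTP alert itself disappears. That last row is the reason the recommendation above is at least Conditional logging: it is the cheapest state that still gives the investigator the transaction behind every alert.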
Add custom or extended HTTP information¶
Click on the Appliances major menu and select the desired probe, as listed by name in the Stamus Probes list. Click on the View button on the right side of the probe listing.
On the right hand side, under NSM settings, click on the HTTP icon.
If you would like to add custom fields, make sure Custom logging is selected and add the desired fields in the List of fields section.
Custom fields can be any of the following:
accept
accept-charset
accept-datetime
accept-encoding
accept-language
accept-range
age
allow
authorization
cache-control
connection
content-encoding
content-language
content-length
content-location
content-md5
content-range
content-type
cookie
date
dnt
etags
from
last-modified
link
location
max-forwards
origin
pragma
proxy-authenticate
proxy-authorization
range
referrer
refresh
retry-after
server
set-cookie
te
trailer
transfer-encoding
upgrade
vary
via
warning
www-authenticate
x-forwarded-proto
x-requested-with
Click on the Submit button.
Click on Apply change(s) under the sub menu Pending modification(s) in the left hand side panel. Choose whether you would like to schedule the change or apply it immediately, then click on the Apply button. The task list presented informs you about the details of the task execution: status, duration, start time, retries, etc.
Add custom or extended SMTP information¶
Click on the Appliances major menu and select the desired probe, as listed by name in the Stamus Probes list. Click on the View button on the right side of the probe listing.
On the right hand side, under NSM settings, click on the SMTP icon.
If you would like to add custom fields, make sure Custom logging is selected and add the desired fields in the List of fields section.
Custom fields can be any of the following:
bcc
content_md5
date
importance
in_reply_to
message_id
organization
priority
received
references
reply_to
sensitivity
subject
user_agent
x_mailer
x_originating_ip
Click on the Submit button.
Click on Apply change(s) under the sub menu Pending modification(s) in the left hand side panel. Choose whether you would like to schedule the change or apply it immediately, then click on the Apply button. The task list presented informs you about the details of the task execution: status, duration, start time, retries, etc.
Add custom DNS information¶
Click on the Appliances major menu and select the desired probe, as listed by name in the Stamus Probes list. Click on the View button on the right side of the probe listing.
On the right hand side, under NSM settings, click on the DNS icon.
If you would like to add custom fields, make sure Custom logging is selected and add the desired fields in the List of fields section.
Custom fields can be any of the following record types:
A
AAAA
CNAME
MX
NS
PTR
TXT
Click on the Submit button.
Click on Apply change(s) under the sub menu Pending modification(s) in the left hand side panel. Choose whether you would like to schedule the change or apply it immediately, then click on the Apply button. The task list presented informs you about the details of the task execution: status, duration, start time, retries, etc.
Add packet data or payload to the alerts information¶
Click on the Appliances major menu and select the desired probe, as listed by name in the Stamus Probes list. Click on the View button on the right side of the probe listing.
On the right hand side, under NSM settings, click on the ALERT icon and select the desired option. Click on the Submit button.
To apply the change, click on Apply change(s) under the sub menu Pending modification(s) in the left hand side panel. Choose whether you would like to schedule the change or apply it immediately, then click on the Apply button. The task list presented informs you about the details of the task execution: status, duration, start time, retries, etc.
File handling capabilities¶
For all settings related to file handling, you need to apply the changes on the probe once you are happy with your change set. To do so, click on Apply change(s) under the sub menu Pending modification(s) in the left hand side panel. Choose whether you would like to schedule the change or apply it immediately, then click on the Apply button. The task list presented informs you about the details of the task execution: status, duration, start time, retries, etc.
Enable or disable file extraction for a probe¶
Click on the Appliances major menu and select the desired probe, as listed by name in the Stamus Probes list. Click on the three dots on the right side of the probe listing and click Edit probe.
Click on the Settings subsection. Select (or deselect) Activate file extraction for the remote probe and enter the maximum file size (a plain number is interpreted as MB).
Click on Submit.
To apply the change, click on Apply change(s) under the sub menu Pending modification(s) in the left hand side panel. Choose whether you would like to schedule the change or apply it immediately, then click on the Apply button. The task list presented informs you about the details of the task execution: status, duration, start time, retries, etc.
Add hashsum, file magic or mimetype information¶
Click on the Appliances major menu and select the desired probe, as listed by name in the Stamus Probes list. Click on the View button on the right side of the probe listing.
On the right hand side, under NSM settings, click on the File Info icon and select the desired option. Click on the Submit button.
To apply the change, click on Apply change(s) under the sub menu Pending modification(s) in the left hand side panel. Choose whether you would like to schedule the change or apply it immediately, then click on the Apply button. The task list presented informs you about the details of the task execution: status, duration, start time, retries, etc.
Rule Activity for a probe¶
Review rules activity for a probe¶
Click on the Appliances major menu and select the desired probe, as listed by name in the Stamus Probes list. Click on the View button on the right side of the probe listing.
You are presented with an overview of the rule activity for that particular probe over a period of time. Click on the settings icon at the top right to select or change the timespan shown.
Under the Rule Activity section you get a summary aggregation of the different rules, subdivided by Sid, Msg, Category and Hits, together with the alerts each rule has generated for that particular probe. You can click on the sid number of the rule in question under the Sid heading.
Alerts generated by a rule on a particular probe can be deleted as well:
Click on Delete generated alerts under the sub menu Action in the left hand side panel.
Confirm by clicking on the Delete alerts button.
If you would like to see the rule itself, you can click on the Msg for that particular rule.
To see, for one particular rule:
its rule definition
its activity (including on other probes)
its status in the ruleset
click on the sid number for that rule under the Sid heading in the Rule Activity sub section. You can subsequently enable or disable that rule, or delete the alerts it has generated.
