Log Correlation Engine 3.4 Log Normalization Guide July 29, 2010 (Revision 3)
|
|
- Angel Perry
- 5 years ago
- Views:
Transcription
1 Log Correlation Engine 3.4 Log Normalization Guide July 29, 2010 (Revision 3) The newest version of this document is available at the following URL:
2 Table of Contents TABLE OF CONTENTS... 2 INTRODUCTION... 3 LOG PARSING AND NORMALIZATION... 3 SEARCHING LOG DATA FROM THE COMMAND-LINE WRITING LOG CORRELATION ENGINE PLUGINS FOR MORE INFORMATION ABOUT TENABLE NETWORK SECURITY Copyright , Tenable Network Security, Inc. 2
3 Introduction This document discusses writing plugins for Tenable Network Security s Log Correlation Engine 3.4. Please share your comments and suggestions with us by ing them to support@tenable.com. It is assumed that the reader has the following prerequisite skills: A working knowledge of Secure Shell (SSH) and key exchange. Experience with the Unix Operating System, including Unix regular expressions. Familiarity with Tenable s Log Correlation Engine (LCE) operation and architecture as described in the Log Correlation Engine Administration and User Guide. Knowledge of general log formats from various operating systems, network devices and applications. This document is intended to be used with LCE installations for version 3.4 and higher. Standards and Conventions Throughout the documentation, filenames, daemons and executables are indicated with a courier bold font such as gunzip, httpd and /etc/passwd. Command line options and keywords will also be printed with the courier bold font. Command line options may or may not include the command line prompt and output text from the results of the command. Often, the command being run will be boldfaced to indicate what the user typed. Below is an example running of the Unix pwd command. # pwd /opt/lce/ # Important notes and considerations are highlighted with this symbol and grey text boxes. Log Parsing and Normalization Architecture The LCE daemon, lced, receives entire log messages from SYSLOG messages or LCE clients. For example, the following log message could arrive at the LCE through one of the LCE s log parsing clients or have been sent via SYSLOG across the network directly: Jun 22 01:02:34 godzilla kernel: eth1: Setting promiscuous mode. Normalization When the LCE receives these logs, it uses libraries (known as.prm files) to analyze the message. The first part of analysis is to recognize the message type with unique keywords. Copyright , Tenable Network Security, Inc. 3
4 Once a message type is recognized, it is normalized and relevant data is populated into an event schema. Type abuse access-denied application backdoor blacklist compliance compromise connection correlated database data-leak detected-change dhcp dns Description Events and logs dealing with access to pornography, illegal content and other types of network usage against policy. Events from devices that indicate that access was prevented, but did not necessarily require a login. For example, many web sites have content that might deny access to a non-logged in users. Generic logs from applications not specifically given their own types like ftp, database, web or mail. Any type of IDS or system log that indicates the presence of or probing for a known backdoor or Trojan. Logs generated by TASL correlation scripts that compare connection event types as well as network sessions with known lists of hostile IP networks. Events that track compliance standards such as PCI DSS and SOX. Logs that indicate IDS and system logs showing sever attacks. These are high-priority attacks that have been detected. For example, a Snort administrator access attempt or a system log that indicated that a known attack had occurred would both be normalized to this type. Any log from a web proxy, firewall, load balancer or other type of network device that logs a successful network connection event. There are a variety of TASL scripts that look for common types of network abuse, successful attacks and compromised systems. These alerts are categorized under the correlated type. Examples include successful password guessing and detection of systems that have had a worm outbreak. Logs from MySQL, MS-SQL, Oracle and other types of databases. Any event that indicates data leakage. These events originate from commercial data leakage vendors. Logs that indicate the network, system or users have somehow changed. Examples include changing a user s access rights as well as new hosts being added to the network. These logs originate from a variety of DHCP servers. These logs originate from a variety of DNS servers. Copyright , Tenable Network Security, Inc. 4
5 dos error firewall ftp games hids honeypot intrusion lce login login-failure logout mail nbad nbs All network IDS logs that indicate a denial of service attack are normalized with this type. Logs from a variety of applications, network devices and communications logs that also indicate some sort of resource attack are also normalized as dos type events. Any log from a system, application or log that indicates some sort of error condition is logged to this type. This can include errors from user input, hardware errors and many other types of logs. Any firewall log that has occurred from preventing access is tagged as a firewall event. For example, if an internal host was prevented from connecting to the outside world, it would be normalized as a firewall event. If a firewall allowed the connection, it would be logged as a connection event. Any logs from FTP servers that are not actual login or login-failure events. These include files and directories accessed as well as file transfers. Any logs from network monitoring applications such as NIDS that indicate the occurrence or presence of Internet and LAN games. Any logs from host based IDS systems that are distinct from antivirus systems. Any logs from commercial or open source honeypots that indicate connections from other networks. Logs from network IDS and systems that indicate intrusion events that are probes or likely non-compromise types of events. Any logs from the Log Correlation Engine clients about their status and overall CPU, storage and memory information about the systems they are connected to. For Windows systems, this also includes USB inserts and deletes. Any successful login event. These can come from servers, network events and applications. Any unsuccessful login event. These can come from servers, network events and applications. Some applications and systems also log when a user logs out of a system. Logs from Sendmail, Exchange, Postfix and many other types of servers that indicate receptions of and sending of . Logs from commercial network based anomaly systems. Any type of log that has never been seen before. There is a TASL script that keeps track of every local system and every log that has Copyright , Tenable Network Security, Inc. 5
6 ever occurred for it. If a new event occurs on a host, the LCE will alert if this has never occurred in the past. nessus network p2p-activity phishing process Any log from the Nessus vulnerability scanner except for remote connection events that are normalized to login or login-failure events. Any log from the Tenable Network Monitor or Tenable NetFlow Monitor or their post-processed events. Both of these LCE clients log network sessions and multiple TASL scripts further analyze these logs to generate logs for large bandwidth connections as well as connections lasting longer than 15 minutes. Any network monitoring application such as a NIDS that indicates the occurrence of P2P traffic such as LimeWire or Bittorrent. Any logs, such as those from an SPAM appliance, that indicates phishing activity. Any Windows or Unix program execution event. It includes hourly and daily summaries of program executions. This information comes from the process accounting logs in Unix and Audit process tracking on Windows. This category is supplemented by a TASL script (program_accounting.tasl), which generates a list of all programs being run on an hourly and daily per-system basis and also a daily list of programs per user. pup-activity radius reboot router SC3 scanning shutdown Any logs from system or network applications that indicate the presence of potentially unwanted software. Any authentication logs from Radius servers. Any type of log from a system, application or network device that indicates it has restarted. Any log from a variety of routers that indicates something has been done to the current system. For example, a router that logs changes to the OSPF routing table would be classified under this type. Any logs from the Security Center such as scan launches, additions of new users, deletion of reports and much more. Any type of log that indicates port scanning or port sweeping events. These logs can originate from many different sources including the Passive Vulnerability Scanner, network IDSes, firewalls and host-based applications. Any log that indicates a network device, operating system or application has been turned off. Copyright , Tenable Network Security, Inc. 6
7 spam startup stats switch system usb user-activity version virus vmware vpn vulnerability web web-error wireless Any logs, such as those from an SPAM appliance, that indicates the attempt to send a SPAM . Any log that indicates a network device, operating system or application has been started. Any logs generated by the LCE stats daemon that indicate large spikes in activity on a per-type basis. For example, the stats daemon will automatically alert when there has been a spike in login-failures. Any log from a variety of switches that indicates something has been done to the current system. For example, a switch that logs changes to its local configuration would be classified under this type. Any log from a router, switch or operating system that indicates some sort of activity. For example, a Red Hat Linux server running the up2date command would have the logs from that activity classified as a system type. Tracks the insert and remove events generated by LCE Windows agents when they detect drive insertion and removal. Any log from a router, switch or operating system that indicates some sort of activity. Any log from any device, application or system that can help identify the actual running version. Any log from host based anti-virus applications or network based IDS systems that indicate the occurrence or presence of virus activity. Any logs from VMware based applications. Logs from operating system, appliance based and firewall based VPNs. Any log that indicates the presence of a vulnerability. All web server logs, as well as web proxy logs that indicate some form of successful web access. All web server logs that indicate some form of web access that has resulted in an error such as 400 and 500 style HTTP codes. Any logs from wireless access devices. Below is an example screen capture of events as shown in a Security Center for a 24 hour period: Copyright , Tenable Network Security, Inc. 7
8 This portion of events (the screen image only shows SC3 types through lce types for 24 hours) offers some interesting patterns. The dark areas represent 6:00 PM through 6:00 AM. The activity graph shows that some types of events occur all the time, such as the intrusion types and lce types. If a Security Center user where to mouse over the graphs, they would be shown a pop up image of the total amount of events at that point and the exact times. Clicking on any of the event counts would bring the user to a list of unique events. For example, clicking on the 23 next to the SC3 type would show: This similar display displays the specific different set of normalized events that are part of the SC3 type. Event Schema Copyright , Tenable Network Security, Inc. 8
9 Every normalized event will attempt to populate as much of the following schema as possible: Source and destination IP addresses IP Protocol Source and Destination Ports Unique Event Name Unique Event Type Sensor name Time of Event User Name For example, the above promiscuous mode message is parsed by the LCE rule number The rule is shown below: id=1316 name=promiscuous mode enabled. match= kernel: match=: Promiscuous mode enabled. log=event:linux-promiscuous_mode_enabled type:system If this rule matches an event, it will populate the schema with the source IP of either the original SYSLOG message or the LCE client. It will also set an event name of Linux- Promiscuous_Mode_Enabled and an event type of system. This is an extremely simple normalization rule. This document will provide several examples that normalize similar log messages as well as more complex log messages such as firewall and intrusion detection logs. Libraries The LCE daemon references the.prm libraries located in the /opt/lce/daemons/plugins directory. The location of the directory used by LCE is controlled in the lce.conf file and may be located in other places if configured as such by the LCE administrator. Each library contains one or more LCE plugins that are designed to parse specific types of log files. The libraries may also contain specific information about the devices they support. For example, the library that parses certain types of Windows security events may contain information on how the Windows LCE Client should be configured. Missing Events It is quite likely that the LCE will receive logs for events but not have a rule designed to parse those events. The LCE is designed to only normalize what it has been told how to normalize. If configured to do so, through a setting in the lce.conf file, the LCE daemon will log any missing event to a file named notmatched.txt. This can be configured to keep the last 10,000 log events (which can be configured to be much higher if desired) and is useful for an immediate listing of what types of log events are being missed by the LCE. Copyright , Tenable Network Security, Inc. 9
10 Through analysis of the contents of this log, users can see what the actual log messages look like and modify their.prm libraries accordingly. Matching Multiple Events The LCE can also be configured (via the lce.conf file) to continue to parse each log message across the entire.prm library of plugins. This is useful if more than one plugin is destined for a specific type of log file. For example, for a firewall that performs network address translation, each log may have three IP addresses. One IP address will be the internal address, another would be the public address and the third would be an Internet address. A university may have their students on a private network such as , translate them to a public university IP address and finally log the fact that they downloaded their from Google s web site. By allowing the LCE to parse the same log multiple times, multiple events can be logged. More examples for the reason why multiple log hits would be required could be: Separate rules to parse web logs for valid/invalid web hits as well as performing IDS analysis of the URLs for suspicious attacks Separate rules for generic firewall accept/deny as well as matching on specific denied ports Separate rules for valid/invalid logins as well as alerting on specific user names such as root and administrator Force Sensor Name for Events In many cases, by the time syslog data reaches the LCE, the true source of the UDP packet is lost because of packet modification by intermediary forwarding systems. Because of this, LCE may inadvertently normalize data with a sensor name that does not truly match the originating system. To remediate this, a sensor named can be assigned to each IP address sending data to the LCE. This sensor name will be associated with all logs from the designated source, regardless of whether or not another sensor name is extracted from the log text. The configuration option is syslog-sensors-file and uses the following format: syslog-sensors-file /opt/lce/admin/syslog_sensors.txt The format of the syslog_sensors.txt file would be similar to the format below: CiscoPIX Corporate FW# CiscoPIX Corporate FW# CiscoPIX Corporate FW#3 Column one indicates the IP address obtained from the syslog packet, while column two indicates the desired sensor name. Searching Log Data from the Command-line Starting in LCE 3.2, LCE data may now be searched quickly and efficiently from the command-line. This functionality allows for programmatic searches of data and extends the power of LCE beyond the Security Center graphical user interface. Copyright , Tenable Network Security, Inc. 10
11 In order to search the compressed log archive data, a command-line search utility is provided: /opt/lce/search_logs The command-line format for a search is: # /opt/lce/search_logs <max results> <start date> <end date> <boolean expression> The <start date> and <end date> parameters must be in the form YYYY-MM-DD. The <max results> parameter indicates the maximum number of results to display. The search will terminate when this many results have been found, or when all logs within the provided date range have been searched (whichever comes first). Boolean expressions are described in the note below. For example, the following command provides the first 25 logs stored between January 1, 2001 and January 1, 2010 that contain the term illegal : # /opt/lce/search_logs illegal The output of the utility is in the form: <matching log event 1>... <matching log event N> When no results are found, the output is blank. A search with no matching results is expected to complete very quickly (the lazy evaluation is most efficient when negation is not used), while the time required for a search with results is a function of the amount of data being searched. For example, in order to complete a search for a month of data, all compressed logs from the month, perhaps several gigabytes, must potentially be read from disk. The only other possibility is that the archive data contains at least <max results> results, allowing the search to terminate when this number is reached. Writing Log Correlation Engine Plugins Log Correlation Engine Database Events Tenable s LCE is designed to receive log messages, parse out relevant fields of those log messages and then store the results in a proprietary database. Each entry stored in the database is known as a LCE event and contains the following fields: srcip - the source IP address of the event dstip - the destination IP address of the event srcport - the source port of the event dstport - the destination port of the event proto - the protocol of the event sensor - the name of the sensor that sent the event event - the actual event name type - the type of sensor that sent the event (IDS, firewall, etc.) Copyright , Tenable Network Security, Inc. 11
12 message - the full log message that triggered the storing of this event user name the actual login name used for the matching user An event stored in the database may not have all of these fields set. The number of the fields that are set depends on how much information was parsed and recorded by the LCE when receiving each log message. At a minimum, the event name and message fields should always be set. Log Correlation Engine Plugin Keywords There are several keywords available for writing plugins for the LCE. Some of these keywords are mandatory and some are optional. Keyword name=<plugin name> match=<match> Description This keyword specifies the name of the plugin. The name of the plugin generally describes what sort of log event this plugin is designed to trigger on. Multiple LCE plugins may have the same name. Match strings have the following format: [!]string! : Means that the packet must NOT match <string> A plugin may have multiple match statements. Here is a full example for a Snort ICMP event: match=snort: match=-> match={icmp} regex=<regex> This keyword specifies a complex regular expression search rule that will be applied to the log message. A regex is applied only after a log message has matched all of the match= patterns. For example: match=snort: match=-> match={icmp} regex=snort:.+\] ([a-za-z0-9_ \.]+) \[.*\{ICMP\} ([0-9]+(\.[0-9]+){3}) -> ([0-9]+(\.[0-9]+){3}) Parentheses are used in this regular expression to allow the LCE to remember and save matched patterns in a received log message. These matched patterns are generally the fields of the log message that you want to save in an event structure. If the above regex was applied against the following Snort ICMP alert, then the following fields of the log message would be saved Copyright , Tenable Network Security, Inc. 12
13 because of the presence of parenthesis in the regex rule: SYSLOG alert: <33>Mar 24 08:01:33 fwall snort: [1:483:2] ICMP PING CyberKit 2.2 Windows [Classification: Misc activity] [Priority: 3]: {ICMP} > Saved patterns: "ICMP PING CyberKit 2.2 Windows", " ", " " These matched patterns may be recalled using dollar sign notation to indicate which match we are referring to. These are of the forms $[0-9] where the digit 0-9 specifies which pattern (in the order each pattern was matched) to recall. So for the above example, each pattern could be recalled resulting in these matches: $1 - which recalls "ICMP PING CyberKit 2.2 Windows" $2 - which recalls " " $4 - which recalls " " Notice that the destination IP address is recalled using $4 and not $3. This is because each IP address regex pattern actually contains two sets of parenthesis: ([0-9]+(\.[0-9]+){3}) The first set of parenthesis, which are the outer parenthesis, match on the IP address as a whole. The second set of parenthesis, which are the inner parenthesis match on the last three octets of the IP address. Thus, this IP address regular expression results in two saved patterns. It just happens that in this case, we are only interested in the first of these saved patterns (the IP address as a whole). A match statement OR a regex is required. A plugin may contain multiple match statements but only one regex statement. log=<log options> The log keyword provides a way to specify what information to store in the LCE database if this plugin matches a received log message. As stated earlier, each entry stored in the LCE database is stored as a LCE event structure. The log keyword enables one to set each field of a stored event to either a value extracted from the received log message (using the saved patterns from the regex rule) or to a hard coded value written explicitly in the log statement. In this way a person can Copyright , Tenable Network Security, Inc. 13
14 save only those pieces of a log message that are useful. For example, the regex rule may specify a search rule for an IP address pattern. If this search rule matches an IP address in a received log message, then the log keyword allows one to specify whether the IP address should map to the source IP or the destination IP when storing the event for this message. Mapping may be done for each field in an event structure using the following keywords: srcip, dstip, proto, event, type,user and sensor. The syntax for each mapping is as follows: keyword:<value> Where keyword is one of srcip, dstip, proto, event, type, user or sensor and <value> is either written explicitly or is a reference to a saved match pattern from the regex rule. For example, suppose we had the following set of match patterns and regex rules designed to match a Snort ICMP event: match=snort: match=-> match={icmp} regex=snort:.+\] ([a-za-z0-9_ \.]+) \[.*\{ICMP\} ([0-9]+(\.[0-9]+){3}) -> ([0-9]+(\.[0-9]+){3}) An example Snort event that we would match on in this case is: <33>Mar 24 08:01:33 fwall snort: [1:483:2] ICMP PING CyberKit 2.2 Windows [Classification: Misc activity] [Priority: 3]: {ICMP} > Here the regex contains parenthesis so as to save the event name and source and destination IP addresses from this field. In order to store this event to the LCE database, we could set up the following log options: log=srcip:$2 dstip:$4 proto:1 event:snort_icmp_event type:ids Here the event name and protocol are hard-coded and the rest of fields are based on extracted patterns from the received log message as specified by the regex rule. Note that if a value is hard coded it may NOT contain spaces. So in the above log rule, event:snort_icmp_event could NOT have been written as event:snort ICMP event. Only the event mapping must be specified when writing a plugin. The rest of the mappings are optional. If no dstip mapping is specified, then by default the LCE will set the destination IP Copyright , Tenable Network Security, Inc. 14
15 address of an event to the address of the machine it received the log message from. All other mappings are zero-valued if not specified in the log rule. The log keyword is always required and within the log statement, the event keyword (e.g.: event:snort_tcp_event ) is required as well. User Tracking The LCE can be used to track the IP addresses a network user is originating from and then tag any other events from that IP address as belonging to that user. To make use of this, the LCE needs to know which types of logs in your organization contain the username you wish to correlate and track IP addresses from. Please refer to the LCE Administraion and User Guide to learn how to configure this. When the LCE is configured, it will only use PRM IDs that have been configured to process user to IP address relationships. Consider the following PRM from the auth_bluesocket.prm file: id=1032 name=the BlueSocket device had a network user start their network session. match=user_tracking: match=event=user_l match=event=user_login_successful match=obj=user regex=&ipaddr=([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)&name=(.*)&msg= log= type:login event:bluesocket-user_login srcip:$1 user:$2 An actual user authentication message for BlueSocket looks like this: <181>user_tracking: event=user_login_successful&loglevel=notice&obj=user&ipaddr= &name=user1@nessus.org&msg=login RADIUS user user1@nessus.org on Primary RADIUS server at [00:13:02:89:d1:f5]/ as role Authenticated, login time = :39:29, sessionid = 00:0E:0C:73:A4:E0: & The regex and log statements in the PRM extracts the string and assigns it to srcip, and the username is assigned user1@nessus.org. If the LCE has not been configured to process ID 1032 as a source of user to IP address tracking, the event is normalized and logged as any other event. However, if ID 1032 were enabled for user to IP tracking, the LCE would perform the following steps: It would check the current table of usernames. If this were a new user, an additional new user event would be generated. It would also check the current table of usernames and IP address matches. If this were a new IP address for an existing user, then a new user to IP address message would be generated. Copyright , Tenable Network Security, Inc. 15
16 Lastly, for any other events originating from the IP address of this login (in this case ) they would all be automatically assigned a username of user1@nessus.org. Log Correlation Engine Plugin Management The LCE is distributed with a large number of plugins, but they may not all be of interest in a particular environment. To improve performance and facilitate log analysis, configure the LCE server with only the plugins desired for analysis. To disable a plugin, edit the file /opt/lce/admin/disabled-prms.txt and add in the full name of the PRM you wish to be ignored and then restart the LCE. Desired libraries, modified libraries and custom plugins should be placed in a separate plugins directory and the lce.conf file can be configured to direct the lced process to pull its events from this new directory. Modifying Tenable PRM files is not recommended, as any update process will overwrite them with subsequent changes made by Tenable. Log Correlation Engine Clients There are a number of LCE clients available for a variety of events and operating systems. They are all roughly configured the same way in that they are pointed to a data source, and they are connected to the LCE server by specifying the IP addresses and shared secret. Each LCE client must have the corresponding shared secret key specified in the LCE server s lce.conf file. Each of the available LCE clients are covered in a separate document entitled LCE Client Guide. For More Information Tenable has produced a variety of other documents detailing the LCE s deployment, configuration, user operation and overall testing. These are listed here: Log Correlation Engine Administration and User Guide additional information for installing, configuring and operating the LCE Log Correlation Engine Client Guide how to configure, operate and manage the various Unix, Windows, netflow, OPSEC and other clients TASL Reference Guide explanation of the Tenable Application Scripting Language with extensive examples of a variety of correlation rules Log Correlation Engine Statistics Daemon Guide configuration, operation and theory of the LCE s statistic daemon used to discover behavioral anomalies Documentation is also available for Nessus, the Passive Vulnerability Scanner and the Security Center. Please feel free to contact us at support@tenable.com, sales@tenable.com or visit our web site at Copyright , Tenable Network Security, Inc. 16
17 About Tenable Network Security Tenable, headquartered in Columbia, Md., USA, is the world leader in Unified Security Monitoring. Tenable provides agent-less solutions for continuous monitoring of vulnerabilities, configurations, data leakage, log analysis and compromise detection. For more information, please visit us at TENABLE Network Security, Inc Columbia Gateway Drive Suite 100 Columbia, MD TEL: Copyright , Tenable Network Security, Inc. 17
Log Correlation Engine 3.2 Log Normalization Guide May 19, 2009 (Revision 1)
Log Correlation Engine 3.2 Log Normalization Guide May 19, 2009 (Revision 1) The newest version of this document is available at the following URL: http://cgi.tenablesecurity.com/lce_3.2_log_analysis.pdf
More informationLog Correlation Engine 3.0 Log Normalization Guide October 29, 2008 (Revision 1)
Log Correlation Engine 3.0 Log Normalization Guide October 29, 2008 (Revision 1) The ne west version of this document is available at the following URL: http://cgi.tenablesecurity.com/lce_3.0_log_analysis.pdf
More informationLog Correlation Engine 3.4 Statistics Daemon Guide July 29, 2010 (Revision 3)
Log Correlation Engine 3.4 Statistics Daemon Guide July 29, 2010 (Revision 3) The newest version of this document is available at the following URL: http://cgi.tenablesecurity.com/lce_3.4_stats.pdf Table
More informationLog Correlation Engine 4.0 Statistics Daemon Guide. August 13, 2012 (Revision 1)
Log Correlation Engine 4.0 Statistics Daemon Guide August 1, 2012 (Revision 1) Table of Contents Introduction... Standards and Conventions... Basic Operation... Configuring the Statistics Daemon... 6 File
More informationLog Correlation Engine 4.4 Statistics Daemon Guide. February 26, 2015 (Revision 1)
Log Correlation Engine 4.4 Statistics Daemon Guide February 26, 2015 (Revision 1) Table of Contents Introduction... Standards and Conventions... Basic Operation... Configuring the Statistics Daemon...
More informationLog Correlation Engine 4.0 Log Normalization Guide
Log Correlation Engine 4.0 Log Normalization Guide September 21, 2012 (Revision 1) The newest version of this document is available at the following URL: http://static.tenable.com/prod_docs/lce_4.0_log_analysis.pdf
More informationLog Correlation Engine 4.0 High Performance Configuration Guide
Log Correlation Engine 4.0 High Performance Configuration Guide July 10, 2012 (Revision 2) Copyright 2002-2012 Tenable Network Security, Inc. Tenable Network Security, Nessus and ProfessionalFeed are registered
More informationJuly 18, (Revision 3)
3D Tool 2.0 User Guide July 18, 2011 (Revision 3) Copyright 2011. Tenable Network Security, Inc. All rights reserved. Tenable Network Security and Nessus are registered trademarks of Tenable Network Security,
More informationLog Correlation Engine 4.2 Quick Start Guide. September 4, 2014 (Revision 3)
Log Correlation Engine 4.2 Quick Start Guide September 4, 2014 (Revision 3) Table of Contents Introduction... 3 Standards and Conventions... 3 Product Overview... 3 Prerequisites... 3 LCE Quick Start...
More informationLCE Splunk Client 4.6 User Manual. Last Revised: March 27, 2018
LCE Splunk Client 4.6 User Manual Last Revised: March 27, 2018 Table of Contents Getting Started with the LCE Splunk Client 3 Standards and Conventions 4 Install, Configure, and Remove 5 Download an LCE
More informationTenable Event Correlation
Tenable Event Correlation March 1, 2012 (Revision 1) Ron Gula, CEO Tenable Network Security Copyright 2002-2012 Tenable Network Security, Inc. Tenable Network Security, Nessus and ProfessionalFeed are
More informationVenusense UTM Introduction
Venusense UTM Introduction Featuring comprehensive security capabilities, Venusense Unified Threat Management (UTM) products adopt the industry's most advanced multi-core, multi-thread computing architecture,
More informationHost Identity Sources
The following topics provide information on host identity sources: Overview: Host Data Collection, on page 1 Determining Which Host Operating Systems the System Can Detect, on page 2 Identifying Host Operating
More informationTenable Common Criteria Evaluated Configuration Guide. October 29, 2009 (Revision 4)
Tenable Common Criteria Evaluated Configuration Guide October 29, 2009 (Revision 4) Table of Contents TABLE OF CONTENTS... 2 OVERVIEW... 3 SECURITY CENTER COMPONENTS... 3 NESSUS VULNERABILITY SCANNER...
More informationIT Services IT LOGGING POLICY
IT LOGGING POLICY UoW IT Logging Policy -Restricted- 1 Contents 1. Overview... 3 2. Purpose... 3 3. Scope... 3 4. General Requirements... 3 5. Activities to be logged... 4 6. Formatting, Transmission and
More informationTenable Hardware Appliance Upgrade Guide
Tenable Hardware Appliance Upgrade Guide June 4, 2012 (Revision 3) The newest version of this document is available at the following URL: http://static.tenable.com/prod_docs/tenable_hardware_appliance_upgrade.pdf
More informationTenable Network Security Support Portal. November 9, 2010 (Revision 8)
Tenable Network Security Support Portal November 9, 2010 (Revision 8) Table of Contents TABLE OF CONTENTS... 2 INTRODUCTION... 3 OBTAINING ACCESS TO THE TENABLE SUPPORT PORTAL... 3 MANAGING YOUR NESSUS
More informationTraining UNIFIED SECURITY. Signature based packet analysis
Training UNIFIED SECURITY Signature based packet analysis At the core of its scanning technology, Kerio Control integrates a packet analyzer based on Snort. Snort is an open source IDS/IPS system that
More informationBest practices with Snare Enterprise Agents
Best practices with Snare Enterprise Agents Snare Solutions About this document The Payment Card Industry Data Security Standard (PCI/DSS) documentation provides guidance on a set of baseline security
More informationCorrelating IDS Alerts with Vulnerability Information
Correlating IDS Alerts with Vulnerability Information December 2002 (Updated January 2009) Ron Gula Chief Technology Officer Table of Contents TABLE OF CONTENTS... 2 INTRODUCTION... 3 INTRUSION DETECTION
More informationCIS Controls Measures and Metrics for Version 7
Level One Level Two Level Three Level Four Level Five Level Six 1.1 Utilize an Active Discovery Tool Utilize an active discovery tool to identify devices connected to the organization's network and update
More informationCIS Controls Measures and Metrics for Version 7
Level 1.1 Utilize an Active Discovery Tool 1.2 Use a Passive Asset Discovery Tool 1.3 Use DHCP Logging to Update Asset Inventory 1.4 Maintain Detailed Asset Inventory 1.5 Maintain Asset Inventory Information
More informationSecurityCenter Upgrade Guide. July 21, 2015 (Revision 1)
SecurityCenter 5.0.1 Upgrade Guide July 21, 2015 (Revision 1) Table of Contents Introduction... 3 Standards and Conventions... 3 Software Requirements... 4 Supported Operating Systems... 4 Dependencies...
More informationDoS Attacks Malicious Code Attacks Device Hardening Social Engineering The Network Security Wheel
CCNA4 Chapter 4 * DoS Attacks DoS attacks are the most publicized form of attack and also among the most difficult to eliminate. DoS attacks prevent authorized people from using a service by consuming
More informationSecurityCenter 5.1 Upgrade Guide. November 12, 2015 (Revision 2)
SecurityCenter 5.1 Upgrade Guide November 12, 2015 (Revision 2) Table of Contents Introduction... 3 Standards and Conventions... 3 Software Requirements... 4 Supported Operating Systems... 4 Dependencies...
More informationn Learn about the Security+ exam n Learn basic terminology and the basic approaches n Implement security configuration parameters on network
Always Remember Chapter #1: Network Device Configuration There is no 100 percent secure system, and there is nothing that is foolproof! 2 Outline Learn about the Security+ exam Learn basic terminology
More informationSystrome Next Gen Firewalls
N E T K S Systrome Next Gen Firewalls Systrome s Next Generation Firewalls provides comprehensive security protection from layer 2 to layer 7 for the mobile Internet era. The new next generation security
More informationCompTIA Security+(2008 Edition) Exam
http://www.51- pass.com Exam : SY0-201 Title : CompTIA Security+(2008 Edition) Exam Version : Demo 1 / 7 1.An administrator is explaining the conditions under which penetration testing is preferred over
More informationComputer Network Vulnerabilities
Computer Network Vulnerabilities Objectives Explain how routers are used to protect networks Describe firewall technology Describe intrusion detection systems Describe honeypots Routers Routers are like
More informationLogging. About Logging. This chapter describes how to log system messages and use them for troubleshooting.
This chapter describes how to log system messages and use them for troubleshooting. About, page 1 Guidelines for, page 7 Configure, page 8 Monitoring the Logs, page 26 History for, page 29 About System
More informationACS / Computer Security And Privacy. Fall 2018 Mid-Term Review
ACS-3921-001/4921-001 Computer Security And Privacy Fall 2018 Mid-Term Review ACS-3921/4921-001 Slides Used In The Course A note on the use of these slides: These slides has been adopted and/or modified
More informationConfiguring Anomaly Detection
CHAPTER 12 This chapter describes how to create multiple security policies and apply them to individual virtual sensors. It contains the following sections: Understanding Policies, page 12-1 Anomaly Detection
More information90% 191 Security Best Practices. Blades. 52 Regulatory Requirements. Compliance Report PCI DSS 2.0. related to this regulation
Compliance Report PCI DSS 2.0 Generated by Check Point Compliance Blade, on April 16, 2018 15:41 PM O verview 1 90% Compliance About PCI DSS 2.0 PCI-DSS is a legal obligation mandated not by government
More informationPass4sure q. Cisco Securing Cisco Networks with Sourcefire IPS
Pass4sure.500-285.42q Number: 500-285 Passing Score: 800 Time Limit: 120 min File Version: 6.1 Cisco 500-285 Securing Cisco Networks with Sourcefire IPS I'm quite happy to announce that I passed 500-285
More informationSecurityCenter 5.0 SCAP Assessments. May 28, 2015 (Revision 2)
SecurityCenter 5.0 SCAP Assessments May 28, 2015 (Revision 2) Table of Contents Overview... 3 Standards and Conventions... 3 Abbreviations... 3 Simple Assessment Procedure... 4 XCCDF Certified vs. Lower-Tier
More informationSecurityCenter 4.6 Administration Guide. April 11, 2013 (Revision 5)
SecurityCenter 4.6 Administration Guide April 11, 2013 (Revision 5) Table of Contents Introduction... 5 Standards and Conventions... 5 Abbreviations... 6 SecurityCenter Administrator Functions... 6 Starting/Halting
More informationInstallation of RHEL 5 for Tenable SecurityCenter Evaluation
Installation of RHEL 5 for Tenable SecurityCenter Evaluation These instructions are for the installation of Red Hat Enterprise Linux (RHEL) 5 in preparation for installing Tenable SecurityCenter 4.4 for
More informationStep-by-Step Configuration
Step-by-Step Configuration Kerio Technologies C 2001-2004 Kerio Technologies. All Rights Reserved. Printing Date: April 25, 2004 This guide provides detailed description on configuration of the local network
More informationLog Correlation Engine 3.6 Administration and User Guide
Log Correlation Engine 3.6 Administration and User Guide May 7, 2012 (Revision 7) The newest version of this document is available at the following URL: http://cgi.tenable.com/lce_3.6_admin_user.pdf Copyright
More informationAccessEnforcer Version 4.0 Features List
AccessEnforcer Version 4.0 Features List AccessEnforcer UTM Firewall is the simple way to secure and manage your small business network. You can choose from six hardware models, each designed to protect
More informationThe following topics describe how to configure correlation policies and rules.
The following topics describe how to configure correlation policies and rules. Introduction to and Rules, page 1 Configuring, page 2 Configuring Correlation Rules, page 5 Configuring Correlation Response
More informationNessus Enterprise for Amazon Web Services (AWS) Installation and Configuration Guide
Due to technical issues with AWS, Nessus Enterprise for AWS is currently not available for purchase. To protect your AWS cloud infrastructure, please purchase Nessus Cloud http://www.tenable.com/products/
More informationSecuring CS-MARS C H A P T E R
C H A P T E R 4 Securing CS-MARS A Security Information Management (SIM) system can contain a tremendous amount of sensitive information. This is because it receives event logs from security systems throughout
More informationSecurityCenter 4.8.x Upgrade Guide. December 16, 2014 (Revision 1)
SecurityCenter 4.8.x Upgrade Guide December 16, 2014 (Revision 1) Table of Contents Introduction... 3 Standards and Conventions... 3 Software Requirements... 4 Supported Operating Systems... 4 Dependencies...
More informationPrepAwayExam. High-efficient Exam Materials are the best high pass-rate Exam Dumps
PrepAwayExam http://www.prepawayexam.com/ High-efficient Exam Materials are the best high pass-rate Exam Dumps Exam : 250-530 Title : Administration of Symantec Network Access Control 12.1 Vendors : Symantec
More informationBeyond a sensor. Towards the Globalization of SURFids. FIRST 20 th Annual Conference Vancouver, Canada
Beyond a sensor Towards the Globalization of SURFids Wim.Biemolt@surfnet.nl FIRST 20 th Annual Conference Vancouver, Canada 1 SURFnet6 2 SURFcert 3 18 th Annual FIRST Conference Goals - Understanding:
More informationSecurity Assessment Checklist
Security Assessment Checklist Westcon Security Checklist - Instructions The first step to protecting your business includes a careful and complete assessment of your security posture. Our Security Assessment
More informationSecurityCenter 5.1 Administration Guide. November 12, 2015 (Revision 2)
SecurityCenter 5.1 Administration Guide November 12, 2015 (Revision 2) Table of Contents Introduction... 6 Standards and Conventions... 6 Abbreviations... 7 SecurityCenter Administrator Functions... 7
More informationSOURCEFIRE 3D SYSTEM RELEASE NOTES
SOURCEFIRE 3D SYSTEM RELEASE NOTES Version 5.3.0.2 Original Publication: April 21, 2014 Last Updated: April 25, 2016 These release notes are valid for Version 5.3.0.2 of the Sourcefire 3D System. Even
More informationModular Policy Framework. Class Maps SECTION 4. Advanced Configuration
[ 59 ] Section 4: We have now covered the basic configuration and delved into AAA services on the ASA. In this section, we cover some of the more advanced features of the ASA that break it away from a
More informationForeScout Extended Module for Symantec Endpoint Protection
ForeScout Extended Module for Symantec Endpoint Protection Version 1.0.0 Table of Contents About the Symantec Endpoint Protection Integration... 4 Use Cases... 4 Additional Symantec Endpoint Protection
More informationIntrusion Detection System (IDS) IT443 Network Security Administration Slides courtesy of Bo Sheng
Intrusion Detection System (IDS) IT443 Network Security Administration Slides courtesy of Bo Sheng 1 Internet Security Mechanisms Prevent: Firewall, IPsec, SSL Detect: Intrusion Detection Survive/ Response:
More informationNetwork Security. Chapter 0. Attacks and Attack Detection
Network Security Chapter 0 Attacks and Attack Detection 1 Attacks and Attack Detection Have you ever been attacked (in the IT security sense)? What kind of attacks do you know? 2 What can happen? Part
More informationSnort Rules Classification and Interpretation
Snort Rules Classification and Interpretation Pop2 Rules: Class Type Attempted Admin(SID: 1934, 284,285) GEN:SID 1:1934 Message POP2 FOLD overflow attempt Summary This event is generated when an attempt
More informationIntrusion Detection. Comp Sci 3600 Security. Introduction. Analysis. Host-based. Network-based. Distributed or hybrid. ID data standards.
or Detection Comp Sci 3600 Security Outline or 1 2 3 4 5 or 6 7 8 Classes of or Individuals or members of an organized crime group with a goal of financial reward Their activities may include: Identity
More informationSonicWALL / Toshiba General Installation Guide
SonicWALL / Toshiba General Installation Guide SonicWALL currently maintains two operating systems for its Unified Threat Management (UTM) platform, StandardOS and EnhancedOS. When a SonicWALL is implemented
More informationCompare Security Analytics Solutions
Compare Security Analytics Solutions Learn how Cisco Stealthwatch compares with other security analytics products. This solution scales easily, giving you visibility across the entire network. Stealthwatch
More informationLog Correlation Engine 5.1 User Guide. Last Updated: August 28, 2018
Log Correlation Engine 5.1 User Guide Last Updated: August 28, 2018 Table of Contents Welcome to Log Correlation Engine 9 Standards and Conventions 10 Components of the Log Correlation Engine 11 Hardware
More informationForescout. Configuration Guide. Version 3.5
Forescout Version 3.5 Contact Information Forescout Technologies, Inc. 190 West Tasman Drive San Jose, CA 95134 USA https://www.forescout.com/support/ Toll-Free (US): 1.866.377.8771 Tel (Intl): 1.408.213.3191
More informationNetwork Security: Firewall, VPN, IDS/IPS, SIEM
Security: Firewall, VPN, IDS/IPS, SIEM Ahmet Burak Can Hacettepe University abc@hacettepe.edu.tr What is a Firewall? A firewall is hardware, software, or a combination of both that is used to prevent unauthorized
More informationConfiguring the Cisco NAM 2220 Appliance
CHAPTER 5 This section describes how to configure the Cisco NAM 2220 appliance to establish network connectivity, configure IP parameters, and how to perform other required administrative tasks using the
More informationASA Access Control. Section 3
[ 39 ] CCNP Security Firewall 642-617 Quick Reference Section 3 ASA Access Control Now that you have connectivity to the ASA and have configured basic networking settings on the ASA, you can start to look
More informationPort Mirroring in CounterACT. CounterACT Technical Note
Table of Contents About Port Mirroring and the Packet Engine... 3 Information Based on Specific Protocols... 4 ARP... 4 DHCP... 5 HTTP... 6 NetBIOS... 7 TCP/UDP... 7 Endpoint Lifecycle... 8 Active Endpoint
More informationLog Correlation Engine 3.6 Architecture Guide
Log Correlation Engine 3.6 Architecture Guide August 19, 2011 (Revision 5) The newest version of this document is available at the following URL: http://cgi.tenable.com/lce_3.6_architecture.pdf Copyright
More informationCompTIA Security+ CompTIA SY0-401 Dumps Available Here at: https://www.certification-questions.com/comptia-exam/sy0-401-dumps.html
CompTIA Security+ CompTIA SY0-401 Dumps Available Here at: /comptia-exam/sy0-401-dumps.html Enrolling now you will get access to 1776 questions in a unique set of SY0-401 dumps Question 1 Sara, the security
More informationObjectives. Classes of threats to networks. Network Security. Common types of network attack. Mitigation techniques to protect against threats
ITE I Chapter 6 2006 Cisco Systems, Inc. All rights reserved. Cisco Public 1 Objectives Enterprise Network Security Describe the general methods used to mitigate security threats to Enterprise networks
More informationReal-Time PCI Compliance Monitoring
Real-Time PCI Compliance Monitoring Leveraging Asset-Based Configuration and Vulnerability Analysis with Real-Time Event Management January 28, 2010 (Revision 6) Ron Gula Chief Technology Officer Table
More informationCisco IOS Classic Firewall/IPS: Configuring Context Based Access Control (CBAC) for Denial of Service Protection
Cisco IOS Classic Firewall/IPS: Configuring Context Based Access Control (CBAC) for Denial of Service Protection Document ID: 98705 Contents Introduction Prerequisites Requirements Components Used Conventions
More informationCIH
mitigating at host level, 23 25 at network level, 25 26 Morris worm, characteristics of, 18 Nimda worm, characteristics of, 20 22 replacement login, example of, 17 signatures. See signatures SQL Slammer
More informationIntegrate Clavister Firewall
Integrate Clavister Firewall EventTracker v7.x Publication Date: July 7, 2014 EventTracker 8815 Centre Park Drive Columbia MD 21045 www.eventtracker.com Abstract The highly acclaimed Clavister cos offers
More informationTenable for Palo Alto Networks
How-To Guide Tenable for Palo Alto Networks Introduction This document describes how to deploy Tenable SecurityCenter and Nessus for integration with Palo Alto Networks next-generation firewalls (NGFW).
More informationSyslog Logging Descriptions and Formatting for SonicWALL Firewalls
Syslog Logging Descriptions and Formatting for SonicWALL Firewalls Introduction The purpose of this paper is to describe how the SonicWALL firewall uses syslog. This includes required settings for the
More informationAvailable Commands CHAPTER
CHAPTER 2 This chapter contains the Cisco IPS 6.2 commands listed in alphabetical order. It contains the following sections:. anomaly-detection load, page 2-4 anomaly-detection save, page 2-5 banner login,
More informationProCurve Network Immunity
ProCurve Network Immunity Hans-Jörg Elias Key Account Manager hans-joerg.elias@hp.com 2007 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
More informationIncorporating Network Flows in Intrusion Incident Handling and Analysis
Regional Visualization and Analytics Center Incorporating Network Flows in Intrusion Incident Handling and Analysis John Gerth Stanford University gerth@stanford.edu FloCon 2008 1 EE/CS Network Infrastructure
More informationNortel TPS Remediation Module for Nortel VPN Gateway Installation and Configuration
Nortel TPS Remediation Module for Nortel VPN Gateway Installation and Configuration Nortel TPS Remediation Module for NVG Installation and Configuration Release 4.7.0.2 Part No. NN47240-103 (324602-A)
More informationForeScout CounterACT. (AWS) Plugin. Configuration Guide. Version 1.3
ForeScout CounterACT Hybrid Cloud Module: Amazon Web Services (AWS) Plugin Version 1.3 Table of Contents Amazon Web Services Plugin Overview... 4 Use Cases... 5 Providing Consolidated Visibility... 5 Dynamic
More informationBehavior-Based IDS: StealthWatch Overview and Deployment Methodology
Behavior-Based IDS: Overview and Deployment Methodology Lancope 3155 Royal Drive, Building 100 Alpharetta, Georgia 30022 Phone: 770.225.6500 Fax: 770.225.6501 www.lancope.com techinfo@lancope.com Overview
More informationAgent and Agent Browser. Updated Friday, January 26, Autotask Corporation
Agent and Agent Browser Updated Friday, January 26, 2018 2018 Autotask Corporation Table of Contents Table of Contents 2 The AEM Agent and Agent Browser 3 AEM Agent 5 Privacy Mode 9 Agent Browser 11 Agent
More informationUser Management: Configuring User Roles and Local Users
6 CHAPTER User Management: Configuring User Roles and Local Users This chapter describes the following topics: Overview, page 6-1 Create User Roles, page 6-2 Create Local User Accounts, page 6-15 For details
More informationStep-by-Step Configuration
Step-by-Step Configuration Kerio Technologies C 2001-2006 Kerio Technologies. All Rights Reserved. Printing Date: May 3, 2006 This guide provides detailed description on configuration of the local network
More informationMsActivator (VSOC 8.2) Administration Guide
MsActivator (VSOC 8.2) Administration Guide 18-20 rue Henri Barbusse B.P. 2501 38035 GRENOBLE cedex 2 FRANCE Phone : +33 (0) 438 498 360 Fax : +33 (0) 438 498 361 support@ubiqube.com Copyright 2009 UBIqube
More informationHow-to Guide: Tenable Nessus for Microsoft Azure. Last Updated: April 03, 2018
How-to Guide: Tenable Nessus for Microsoft Azure Last Updated: April 03, 2018 Table of Contents How-to Guide: Tenable Nessus for Microsoft Azure 1 Introduction 3 Auditing the Microsoft Azure Cloud Environment
More informationLOGmanager and PCI Data Security Standard v3.2 compliance
LOGmanager and PCI Data Security Standard v3.2 compliance Whitepaper how deploying LOGmanager helps to maintain PCI DSS regulation requirements Many organizations struggle to understand what and where
More informationCSTNET Security Considerations
CSTNET Security Considerations Ling Wang wangling@cstnet.cn Computer Network Information Center Chinese Academy of Sciences Agenda CSTNET topology and applications Current CSTNET Security State The Threaten
More informationIntrusion Detection and Prevention IDP 4.1r4 Release Notes
Intrusion Detection and Prevention IDP 4.1r4 Release Notes Build 4.1.134028 September 22, 2009 Revision 02 Contents Overview...2 Supported Hardware...2 Changed Features...2 IDP OS Directory Structure...2
More informationSYMANTEC ENTERPRISE SECURITY. Symantec Internet Security Threat Report September 2005 Power and Energy Industry Data Sheet
SYMANTEC ENTERPRISE SECURITY Symantec Internet Security Threat Report September 00 Power and Energy Industry Data Sheet An important note about these statistics The statistics discussed in this document
More informationCyberoam Virtual Security Appliance - Installation Guide for VMware Player. Version 10
Cyberoam Virtual Security Appliance - Installation Guide for VMware Player Version 10 Document Version 10.6.1-26/05/2014 Contents Preface... 4 Base Configuration... 4 Installation Procedure... 4 Cyberoam
More informationNessus 4.4 User Guide
Nessus 4.4 User Guide January 12, 2012 (Revision 18) The newest version of this document is available at the following URL: http://static.tenable.com/documentation/nessus_4.4_user_guide.pdf Copyright 2002-2012
More informationConfiguring Network-based IDS and IPS Devices
CHAPTER 7 Revised: November 30, 2007 Network intrusion detection and intrusion preventions systems are a critical source for identifying active attacks to MARS. This chapter explains how to bootstrap and
More informationVideoscape Distribution Suite Software Installation Guide
First Published: August 06, 2012 Last Modified: September 03, 2012 Americas Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA http://www.cisco.com Tel: 408 526-4000 800
More informationReviewer s guide. PureMessage for Windows/Exchange Product tour
Reviewer s guide PureMessage for Windows/Exchange Product tour reviewer s guide: sophos nac advanced 2 welcome WELCOME Welcome to the reviewer s guide for NAC Advanced. The guide provides a review of the
More informationKERIO TECHNOLOGIES KERIO WINROUTE FIREWALL 6.3 REVIEWER S GUIDE
KERIO TECHNOLOGIES KERIO WINROUTE FIREWALL 6.3 REVIEWER S GUIDE (4/20/07) WHO IS KERIO? Kerio Technologies provides Internet messaging and firewall software solutions for small to medium sized networks,
More informationHacker Academy Ltd COURSES CATALOGUE. Hacker Academy Ltd. LONDON UK
Hacker Academy Ltd COURSES CATALOGUE Hacker Academy Ltd. LONDON UK TABLE OF CONTENTS Basic Level Courses... 3 1. Information Security Awareness for End Users... 3 2. Information Security Awareness for
More informationManual Ftp Windows Server 2008 Firewall Rule Priority
Manual Ftp Windows Server 2008 Firewall Rule Priority However, if you're looking to setup your own FTP server in Windows using IIS, you can of IIS and was included with Windows Server 2008 and Windows
More information2. INTRUDER DETECTION SYSTEMS
1. INTRODUCTION It is apparent that information technology is the backbone of many organizations, small or big. Since they depend on information technology to drive their business forward, issues regarding
More informationLogging. Steven M. Bellovin December 6,
Logging Steven M. Bellovin December 6, 2009 1 Shadow Hawk Shadow Hawk Busted Again As many of you know, Shadow Hawk (a/k/a Shadow Hawk 1) had his home searched by agents of the FBI... When he was tagged
More informationHands-On Ethical Hacking and Network Defense 3 rd Edition
Hands-On Ethical Hacking and Network Defense 3 rd Edition Chapter 13 Network Protection Systems Last modified 1-11-17 Objectives Explain how routers are used to protect networks Describe firewall technology
More informationSecurity+ Practice Questions Exam Cram 2 (Exam SYO-101) Copyright 2004 by Que Publishing. International Standard Book Number:
Security+ Practice Questions Exam Cram 2 (Exam SYO-101) Copyright 2004 by Que Publishing International Standard Book Number: 0789731517 Warning and Disclaimer Every effort has been made to make this book
More informationAnnexure E Technical Bid Format
Annexure E Technical Bid Format ANTIVIRUS SOLUTION FOR MAIL SERVER SECURITY AND SERVER SECURITY FOR DESKTOP,LAPTOP Sr. No Description Compliance (Y/N) Remark 01 Must offer comprehensive client/server security
More information