Using Buffer Usage Monitor Report & Sniffer must_gather for troubleshooting

Transcription

1 Using Buffer Usage Monitor Report & Sniffer must_gather for troubleshooting IBM SECURITY SUPPORT OPEN MIC To hear the WebEx audio, select an option in the Audio Connection dialog or by access the Communicate > Audio Connection menu option. To ask a question by voice, you must either Call In or have a microphone on your device. You will not hear sound until the host opens the audio line. For more information, visit: 08-February-2018 NOTICE: BY PARTICIPATING IN THIS CALL, YOU GIVE YOUR IRREVOCABLE CONSENT TO IBM TO RECORD ANY STATEMENTS THAT YOU MAY MAKE DURING THE CALL, AS WELL AS TO IBM S USE OF SUCH RECORDING IN ANY AND ALL MEDIA, INCLUDING FOR VIDEO POSTINGS ON YOUTUBE. IF YOU OBJECT, PLEASE DO NOT CONNECT TO THIS CALL.

2 Panelists Sachin Marawar IBM Security Guardium L2 Technical Support Jack Kerbert AGS Greg Holmes Guardium Support Chris Beaney Manager, Guardium Support Andrew McCarl Moderator Knowledge Manager, IBM Security 2 IBM Security

3 Agenda Sniffer introduction Frequent scenarios while working with sniffer Reading sniffer logs Buffer Usage Monitor Known cases and immediate resolutions to try before opening a case with IBM Support Open an effective case for support to work 3 IBM Security

4 Sniffer Introduction

5 Sniffer ORA, DB2, MySQL, Aster, Sybase, MSSQL Sniffer COLLECTOR Analyzing and parsing the traffic Logging in progress ORA, DB2, MySQL, Aster, Sybase, MSSQL Internal MySQL DB 5 IBM Security

6 Sniffer Frequently Faced Scenario STAP is green but traffic is not seen on the collector. Sniffer crashing with segfault DB_USER missing OR blank and? SOURCE_PROGRAM missing OR blank and? Collector stopped collecting traffic after resolving space crunch issue How can I be sure that I am not missing the traffic? snif.log file growing suddenly STAPs are flickering red/green 6 IBM Security

7 What do we need? support must_gather sniffer_issues Export Of Policy Definition Snif-debug Sessions List SLON Trace Depending on scenario a slon looper that we build for you Lot of WebEx sessions in some cases. 7 IBM Security

8 Sniffer must_gather

9 System_output.txt 9 IBM Security

10 System_output.txt 10 IBM Security

11 System_output.txt 11 IBM Security

12 System_output.txt 12 IBM Security

13 System_output.txt 13 IBM Security

14 db_output.txt 14 IBM Security

15 db_output.txt 15 IBM Security

16 db_output.txt 16 IBM Security

17 db_output.txt 17 IBM Security

18 sniffer_output.txt 18 IBM Security

19 sniffer_output.txt 19 IBM Security

20 sniffer_output.txt 20 IBM Security

21 sniffer_output.txt 21 IBM Security

22 iptraf_output.txt 22 IBM Security

23 iptraf_output.txt 23 IBM Security

24 GDM_SNIFFER_PERFORMANCE.csv 24 IBM Security

25 snif_nanny_messages.txt 25 IBM Security

26 snif_nanny_messages.txt 26 IBM Security

27 Buff Usage Monitor Report

28 Buff Usage Monitor 28 IBM Security

29 Buff Usage Monitor 29 IBM Security

30 Buff Usage Monitor restart sniffer_buffer_usage 30 IBM Security

31 Buff Usage Monitor 31 IBM Security

32 Buff Usage Monitor How much traffic is queued for analyzer to process. 32 IBM Security

33 Buff Usage Monitor 33 IBM Security

34 Buff Usage Monitor 34 IBM Security

35 Just B4 Opening a Case

36 STAP is green but traffic is not seen on the collector. Is this happening for all the STAPs on this particular collector? Is the inspection engine configured? If the inspection engine is configured, is the configuration correct? Is the policy disallowing the traffic specifically from this particular STAP? Is the result the same after pointing this STAP to a different collector? Did you check network ports connectivity issues? 36 IBM Security

37 DB_USER / SOURCE_PROGRAM is blank /? Is the sniffer restarting? Encrypted traffic and configurations for capturing normal traffic? If it is just the DB_USER being blank, do those entries belong to the local Oracle sessions where the OS User Authentication was used? MSSQL with Kerberos Authentication change the STAP configuration to be async Oracle DB : check DB_INSTALL_DIR and Process Name in the IE If consistently missing Oracle DB_USER, restart Oracle Listener If it is intermittent behavior, check sniffer performance IBM Security

38 Space crunch issue resolved and still no traffic! Check if the policy is installed? Sniffer / inspection-core running? restart stopped_services command run was missed out after resolving disk full issue How can I be sure that I am not missing the traffic? Frame OR Use the needed reports Check sniffer health Allow the environment to be the latest with regular maintenance Use of alerts 38 IBM Security

39 Sniffer Crashing With Segfaults Appliance s /var filling up due to growing snif.log Patching issue Mostly seen happening on a test collector where STAPs keep moving in and out Older Snif Patch? The nanny process killed the sniffer Check buffer usage monitor report Control the traffic as snif memory goes over 90% causing nanny process to do as designed 39 IBM Security

40 Quick Links For Ready Reference: Identifying and resolving common sniffer problems using Buffer Usage Monitor Report. alert when the flat log requests are increasing on a Guardium IBM Security Guardium Open Mic: Configuring your policy to prevent appliance problems Sniffer cannot connect to UNIX S-TAP Nanny process is killing sniffer Inspection Engine CLI commands 01.ibm.com/support/docview.wss?uid=swg ibm.com/support/docview.wss?uid=swg ibm.com/support/docview.wss?uid=swg PHH_10.1.0/com.ibm.guardium.doc.admin/tshoot/sta p_sniffer_cannot_connect_to_stap.html PHH_10.1.0/com.ibm.guardium.doc.admin/tshoot/sni f_nanny.html PHH_10.1.0/com.ibm.guardium.doc.reference/cli_api /inspection_engine_cli_commands.html 40 IBM Security

41 Quick Links For Ready Reference: My Guardium reports have blank database user for certain sessions Missing OS User or DB User in Guardium reports from Windows STAP 'DB User Name', 'OS User' and 'Source Program' fields are empty in my IBM Security Guardium reports when using SPAN port on MS SQL SERVERS Guardium DB User? for sessions with Oracle errors ORA or ORA DB USER NAME shows "?" and SOURCE PROGRAM information appears blank (missing) on Infosphere Guardium reports for ORACLE databases ibm.com/support/docview.wss?uid=swg ibm.com/support/docview.wss?uid=swg ibm.com/support/docview.wss?uid=swg ibm.com/support/docview.wss?uid=swg ibm.com/support/docview.wss?uid=swg IBM Security

42 Questions for the panel Now is your opportunity to ask questions of our panelists. To ask a question now: Raise your hand by clicking Raise Hand. The Raise Hand icon appears next to your name in the Attendees panel on the right in the WebEx Event. The host will announce your name and unmute your line. or Type a question in the box below the Ask drop-down menu in the Q&A panel. Select All Panelists from the Ask drop-down-menu. Click Send. Your message is sent and appears in the Q&A panel. To ask a question after this presentation: You are encouraged to participate in the dw Answers forum: < 42 IBM Security

43 IBM Security Learning Academy New content published daily! Learning at no cost! Learning Videos Hands-on Labs Live Events 43 IBM Security

44 Where do you get more information? Questions on this or other topics can be directed to the dw Answers forum: Useful links: Get started with IBM Security Support IBM My Support Sign up for My Notifications FREE learning resources on the Security Learning Academy Follow us: 44 IBM Security

45 THANK YOU FOLLOW US ON: facebook.com/ibmsecuritysupport SecurityLearningAcademy.com securityintelligence.com xforce.ibmcloud.com Copyright IBM Corporation All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. Any statement of direction represents IBM's current intent, is subject to change or withdrawal, and represent only goals and objectives. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others. Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed, misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks on others. No IT system or product should be considered completely secure and no single product, service or security measure can be completely effective in preventing improper use or access. IBM systems, products and services are designed to be part of a lawful, comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM does not warrant that any systems, products or services are immune from, or will make your enterprise immune from, the malicious or illegal conduct of any party.

46 Using Buffer Usage Monitor Report & Sniffer must_gather for troubleshooting 46 IBM Security