XGS: Making use of Logs and Captures

Size: px

Start display at page:

Download "XGS: Making use of Logs and Captures"

Simon Caldwell
5 years ago
Views:

IBM Security Network Protection XGS Open Mic webcast #6 June 24, 2015 XGS: Making use of Logs and Captures Panelists Bill Klauke (Presenter) Product Lead L2 Support Maxime Turlot Product Lead L2

1 IBM Security Network Protection XGS Open Mic webcast #6 June 24, 2015 XGS: Making use of Logs and Captures Panelists Bill Klauke (Presenter) Product Lead L2 Support Maxime Turlot Product Lead L2 Support Eddie Leisure L2 Support Analyst Paul Ermerins Advisory Software Engineer Craig Knapik Technical Product Manager Moazzam Khan L3 Software Engineer Thomas Gray (Moderator) Escalations Manager L2 Support Reminder: You must dial-in to the phone conference to listen to the panelists. The web cast does not include audio. USA: USA toll: Participant passcode: Slides & additional dial-in numbers: NOTICE: By participating in this call, you give your irrevocable consent to IBM to record any statements that you may make during the call, as well as to IBM's use of such recording in any and all media, including for video postings on YouTube. If you object, please do not connect to this call IBM Corporation

2 Agenda Using the Logs feature added in Syntax Use with Updates log Use with System log Use with Analysis log Using the Capture feature added in 5.3 Working with the Protection Interfaces Working with the Management Interface 2

3 Making use of the Logs feature 3

1 firmware was released on May 8, 2015, and included a new feature that allows users to access the log files

4 New feature in the Firmware The firmware was released on May 8, 2015, and included a new feature that allows users to access the log files on the appliance via the command line. This new feature gives users the ability to tail a log file or to use the less program to view and search within a log file. Combined with the use of debugging parameters, these new tools give users much greater visibility into their appliances. 4

If left unspecified, the default number of lines displayed is 10.

5 Tail command syntax The tail command only has 2 syntax options available: The -n option allows a user to specify the number of lines to display. If left unspecified, the default number of lines displayed is 10. The -F option allows a user to run a continuous tail on the log file. To terminate the tail, use Ctrl-C. 5

Less command syntax The less command offers no options when launching the viewer. Unlike the tail command however, you have access to previous versions of logs that have been rotated.

6 Less command syntax The less command offers no options when launching the viewer. Unlike the tail command however, you have access to previous versions of logs that have been rotated. The system, analysis, & updates log will retain 14 previous versions while the webserver log will retain 4 previous versions. Once you launch the log viewer, you can use the following to navigate: /<regex>?<regex> &<regex> n N ENTER or j k SPACE b q h SHIFT+G search down from the present position search up from present position search and only show lines that match go down to the next search result go up to the next search result scroll down one line scroll up one line scroll down one page scroll up one page quit help go to bottom of file 6

Using less and tail on the Updates log This message indicates a problem accessing the update servers, but we can t tell anything specific about it.

7 Using less and tail on the Updates log This message indicates a problem accessing the update servers, but we can t tell anything specific about it. When we run a tail F on the Updates log and then force a refresh via the Available Updates page in the LMI, we can see an error code, but we still don t have enough. 7

8 Using less and tail on the Updates log, continued By adding the following parameter to the Advanced Tuning Parameters Policy, you expose more information on the error. In this case, the appliance simply can t connect to the configured update server. In the example above, the local SiteProtector Update Server was configured, but with port 443 instead of

9 Using less on the System log This System Alert above will appear if one of the policies deployed to the sensor has an error of some kind. For issues with processing policies, use the less feature to view the System log. Depending on how long ago the issue occurred, you may have to look in the previous versions of the logs 9

Using less on the System log, continued Once you launch less, you can locate the alert by searching for the alert code: /FNXPY0001E You can then use the n key to locate the correct instance of the

10 Using less on the System log, continued Once you launch less, you can locate the alert by searching for the alert code: /FNXPY0001E You can then use the n key to locate the correct instance of the error. In the case below, there is a host address object missing from the Network Access Policy which would require the policy be checked in either SiteProtector or the LMI for any missing policy objects. XGS Policy Names: 10

11 Using less on the System log, continued A user might see this error below if there is a problem with Agent Manager communication: By using less to access the System log, you can locate the error message by entering /GLGSP1001E and then use the n key to find the correct instance. In this case, the Agent Manager is configured to require a username and password to connect, so a 401 error code is generated. 11

Using less on the System log, continued If the logs don t provide the detail needed, the tuning parameters below can be used to provide debug output.

12 Using less on the System log, continued If the logs don t provide the detail needed, the tuning parameters below can be used to provide debug output. While the eventsd debug logging will show you information about events and responses, the spad logging will show information for SiteProtector related actions. You could then use the following filters in less to quickly locate the messages: &Debug: &mesa_eventsd &mesa_spad 12

13 Using less on the System log, continued Below is the debug output using the &mesa_spad filter in less. With debug enabled, we can see much more information about the communication process with configured Agent Managers. 13

14 Using less on the System log, continued When you want to get debugging information on events that are being triggered, you have to use the alpsd.debug.level=(0 1 2) parameter in the Advanced Tuning Parameters Policy. Please be aware that this parameter can negatively impact the appliance performance and will cause the links to reset when applied. Network Access Policy Rule Events In the image to the right, I ve triggered an event against a Network Access Policy rule that was configured to reject traffic that had a bad IP Reputation score. 14

15 Using less on the System log, continued Here is the log output for the previous event with alpsd.debug.level set to 1. Here you can see the event matching ACL rule #1. You can then see the packet capture response configured for the rule. 15

16 Using less on the System log, continued And here is the much more verbose logging with alpsd.debug.level set to 2. Here we can see the XGS recognize the connection, identify the protocol, and then match the ACL rule. 16

17 Using less on the System log, continued Intrusion Prevention Events Here I ve triggered an HTTP_Get IPS event accessing From the details below, you can see this particular event was triggered on a GET request for /favicon.ico. 17

18 Using less on the System log, continued Here is the output for the previous HTTP_Get event at alpsd.debug.level=1: In the logs above, you can see the event trigger, followed by messages about the packet capture response. In this case, I had no packet capture response configured on the IPS Policy object, so no capture was generated. We also see a message about any matching event filters for the reported issueid. 18

Using less on the System log for event debugging, continued Here is the alpsd.debug.level=2 output for the same traffic which provides much more information.

19 Using less on the System log for event debugging, continued Here is the alpsd.debug.level=2 output for the same traffic which provides much more information. In the entries above, you can see the connection being first identified, then the protocol. 19

20 Using less on the System log, continued Here you can see the traffic being checked against IP Reputation database and the URL database. You can also see checks for applications and protocols as well as the event report. This packet capture contained only 20 packets, yet generated 195 lines of messages. 20

Log. Once less is launched, enter &Info to filter on the informational messages and view the

21 Using less on the Analysis Log to view OpenSignature info Whenever the appliance reloads the analysis engine, it prints out information on the OpenSignature configuration to the Analysis Log. Once less is launched, enter &Info to filter on the informational messages and view the OpenSignatures reporting. Here you can see the configuration and rule summaries along with the variables. 21

22 Making use of the Capture feature 22

23 Making use of captures The 5.3 firmware introduced the command line packet capture feature that allows users to run tcpdump on the management or protection interfaces. It can be found under the Tools menu in the CLI. 23

the option to delete, download to USB, and list the capture files present on the appliance.

24 Making use of captures, continued Once you access the captures menu, you can select: Pinterface = Work with captures on the Protection Interfaces Minterface = Work with captures on the Management Interface You also have the option to delete, download to USB, and list the capture files present on the appliance. The limits command will show you the packet capture settings on the appliance, which can be changed via the Advanced Tuning Parameters policy. 24

In the example below, I added a single filter that specified the interface, the

25 Making use of captures, continued When you work with the Protection Interfaces, you can apply multiple filters when setting up your capture. In the example below, I added a single filter that specified the interface, the destination port, and the protocol. Once the capture is stopped, an id is provided which will help us to locate the capture in the LMI. 25

26 Making use of captures, continued In this example, I added 3 separate filters for the interface, the destination port, and the protocol. In the LMI below, you can see how splitting up the filters captured more traffic. 26

27 Working with captures, continued When you work with the Management Interface, you get a more traditional tcpdump command. 27

com, which is the default update server.

28 Working with captures, continued In this example, I ve setup a capture to run on ibmxpu.flexnetoperations.com, which is the default update server. I used CTRL-C to terminate the capture and then located the capture in the LMI using the name I provided. 28

29 Questions for the panel? Now is your opportunity to ask questions of our panelists. To ask a question now: Press *1 to ask a question over the phone or Type your question into the SmartCloud Meetings chat To ask a question after this presentation: You are encouraged to participate in our dw Answers XGS forum topic, Is there a way to generate packet captures and logs on the XGS? URL: 29

Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your

No IT system or product should be considered completely secure and no single product, service or security measure can be completely effective in preventing improper use or access.

systems, products or services to be most effective.

30 Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed, misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks on others. No IT system or product should be considered completely secure and no single product, service or security measure can be completely effective in preventing improper use or access. IBM systems, products and services are designed to be part of a lawful, comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM DOES NOT WARRANT THAT ANY SYSTEMS, PRODUCTS OR SERVICES ARE IMMUNE FROM, OR WILL MAKE YOUR ENTERPRISE IMMUNE FROM, THE MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY Copyright IBM Corporation All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and/or capabilities referenced in these materials may change at any time at IBM s sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.

IBM Security Network Protection Open Mic - Thursday, 31 March 2016

IBM Security Network Protection Open Mic - Thursday, 31 March 2016 Application Control and IP Reputation on the XGS Demystified Panelists Tanmay Shah, Presenter IPS/Network Protection Product Lead Bill