Friday, February 8, 2013

Mcafee Nitro SIEM "Out of hours activity" rule customization in ADM

Monitoring out of office hours activity is important to identify malicious activities in your network. However it is important to not leave this ADM rule on its default settings but optimize it according to your environment. With default settings, the rule might trigger hundreds of thousands of events that shouldn't actually be triggering under this category. Moreover there are many correlation rules that will trigger based on out of hours activity rule events. Not optimizing this rule properly will also result in many false positives of different correlation rules events.

Optimization Steps
The first step is to make sure the time settings is correct. All time values should be set to GMT 0 time zone. Even setting up the correct time values will significantly reduce number of events in out of hours activity rule.

Once correct time settings are applied, the next step is to identify top source IP addresses generating these events. By analyzing events from these IP addresses you should be able to identify and separate events that should be triggering from those that shouldn't. For example you might have network monitoring servers in your environment that send probes to all network devices on port 161 and these probes are sent 24 hours a day. This activity can cause huge number of events in the out of hours activity rule. So you know that network monitoring servers sending probes on port 161 is not a malicious traffic and it should be excluded from these events. Similarly you can analyze events of all top IP sources and identify if the activity is legitimate or not based upon which you can exclude that specific traffic from out of hours activity rule.

Now comes the most important point in optimizing the rule. Below screen shot shows that IP address 10.255.222.16 is sending SNMP packets to different network devices on port 161.

By looking at the events it seems obvious to add following statement in the out of hours activity rule to exclude this IP address:

any "object source ip" NEQ [10.255.222.16]
AND
any "object destination port" NEQ [161]

However above condition will never work. If you open the session details of this event you will notice a difference which is the IP addresses and ports are reversed in the session detail. So in above case, the source IP will be written as the destination IP and destination port will become source port. So now the correct statement to include in the rule will be following:

any "object destination ip" NEQ [10.255.222.16]
AND
any "object source port" NEQ [161]






1 comments:

great post.......really informative :))

Post a Comment

Share

Twitter Delicious Facebook Digg Stumbleupon Favorites More