Tivoli® Risk Manager User's Guide
Version 3 Release 8
GC88-8881-01 (English original: GC32-0703-01)

Source: publib.boulder.ibm.com/tividd/td/TRM/GC32-0703-01/ja_JA/PDF/GC32...
Uploaded by trannguyet on 23-Nov-2018.


Copyright notice

Copyright © 2000, 2001 IBM Corporation. All rights reserved. This document may be used only in accordance with the Tivoli Systems Software License Agreement, the IBM Program License Agreement or license contract terms, or the Tivoli product license information or special terms that apply to them. No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any computer language, in any form or by any means (electronic, mechanical, magnetic, optical, chemical, manual, or otherwise), without prior written permission of Tivoli Systems Inc. Tivoli Systems Inc. grants you limited permission to make hardcopy or other reproductions of machine-readable product documentation for your own use, provided that each such reproduction carries the Tivoli Systems Inc. copyright notice. No other rights under copyright are granted without prior written permission of Tivoli Systems Inc. This document is not intended for production use and is furnished "as is" without warranty of any kind; all warranties, including the implied warranties of merchantability, fitness for a particular purpose, and statutory warranty against defects, are disclaimed.

US Government Users Restricted Rights: Use, duplication, or disclosure restricted by GSA ADP Schedule Contract with IBM Corporation.

Trademarks

IBM, AIX, DB2, FirstSecure, OS/2, RS/6000, SecureWay, Tivoli, Tivoli Management Environment, TME 10 Enterprise Console, TME Framework, and TME 10 are trademarks of IBM Corporation.

Microsoft, Windows, Windows NT, and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries, or both.

UNIX is a registered trademark in the United States and other countries, licensed exclusively through The Open Group.

Java and all Java-based trademarks and logos are trademarks or registered trademarks of Sun Microsystems, Inc. in the United States and other countries.

Other company, product, and service names may be trademarks or service marks of others.

Notices

References in this publication to Tivoli Systems or IBM products, programs, or services do not imply that they will be available in all countries in which Tivoli Systems or IBM operates. Any reference to these products, programs, or services is not intended to imply that only Tivoli Systems or IBM products, programs, or services can be used. Subject to valid intellectual property or other legally protectable rights of Tivoli Systems or IBM, any functionally equivalent product, program, or service may be used instead. Except for products expressly designated by Tivoli Systems or IBM, evaluation and verification of operation in conjunction with other products are the responsibility of the user.

Tivoli Systems or IBM may have patents or pending patent applications covering subject matter in this document. The furnishing of this document does not give you any license to these patents. License inquiries should be sent, in writing, to:

IBM World Trade Asia Corporation
Intellectual Property Law & Licensing
Roppongi 3-chome 2-31, Minato-ku, Tokyo 106-0032, Japan

The following warranty does not apply where it is inconsistent with local law.

IBM and its direct or indirect subsidiaries provide this publication "as is" in its existing condition, without warranty of any kind, either express or implied, including but not limited to the implied warranties of merchantability, fitness for a particular purpose, and statutory warranty against defects. Where the mandatory provisions of local law prohibit limiting warranty liability, the limitation is subject to those provisions.

This publication is reviewed periodically; necessary changes (for example, technically inaccurate statements or typographical errors) are incorporated in the next edition.

IBM may make improvements or changes to the products or programs described in this publication at any time.

References in this publication to non-IBM Web sites are provided for convenience only and do not constitute an endorsement of those Web sites. The materials at those Web sites are not part of the materials for this IBM product, and use of those Web sites is at your own risk.

Comments and feedback on this manual can be sent through the following URL; they will be used for future reference:

http://www.ibm.com/jp/manuals/main/mail.html

Manuals published by IBM Japan can also be purchased over the Internet. For details, see the ordering information at http://www.ibm.com/jp/manuals/ (the URL is subject to change).

Original: GC32-0703-01

Tivoli®
Risk Manager User's Guide
Version 3 Release 8

Published by: IBM Japan, Ltd.
Prepared by: National Language Support
First printing: 2001.11

This document uses the Heisei Mincho W3, Heisei Mincho W9, Heisei Kaku Gothic W3, Heisei Kaku Gothic W5, and Heisei Kaku Gothic W7 typefaces. These typefaces are used under a license agreement with the Japanese Standards Association; reproducing them as fonts without permission is prohibited.

© Copyright International Business Machines Corporation 2001. All rights reserved.

© Copyright IBM Japan 2001


Contents

Tables . . . xv
Preface . . . xvii
Who should read this book . . . xvii
Prerequisite publications . . . xvii
Related publications . . . xvii
Risk Manager publications . . . xviii
Contents of this book . . . xviii
Contents of each chapter . . . xviii
Conventions used in this book . . . xix
Contacting customer support . . . xix
Risk Manager Web information . . . xx
Web information on other products . . . xx

Chapter 1. What's new in this release . . . 1
Operating system support summary . . . 1
Web server support summary . . . 2
Database support summary . . . 2
Tivoli Management Framework and Tivoli Enterprise Console . . . 2
New Web-based information . . . 3
Simplified new installation method . . . 3
New and enhanced adapters . . . 3
Operating systems . . . 4
TEC tasks . . . 4
Efficiency and performance enhancements . . . 4
Documentation reorganization . . . 5

Chapter 2. Overview of Tivoli Risk Manager . . . 7
Overview of Risk Manager . . . 7
Benefits of Risk Manager . . . 7
How Risk Manager handles security-related problems . . . 8
Types of intrusions . . . 8
How Risk Manager handles intrusion attempts . . . 10
Risk Manager components . . . 11
Required Tivoli products . . . 13
Risk Manager and Tivoli Enterprise Console . . . 14
Event database . . . 15
TEC event server . . . 16

TEC adapters . . . 16
BAROC files . . . 17
Class definition statement files . . . 18
Format files . . . 19

Chapter 3. Viewing information in Tivoli Enterprise Console . . . 23
Risk Manager Web Intrusion Detection System (IDS) scenario . . . 23
TEC event groups . . . 24
Event viewer . . . 25
Risk Manager state event group . . . 26
Adding more events to the scenario . . . 27
TEC event viewer . . . 28
Using Risk Manager Web-based information . . . 31

Chapter 4. Installing Risk Manager . . . 33
Installation overview . . . 33
Planning for multiple event servers . . . 33
Installation order . . . 34
Products to install before Risk Manager . . . 34
Risk Manager Event Integration Facility requirements . . . 36
Risk Manager installation components . . . 36
Server managed node package . . . 36
Risk Manager native installation packages . . . 37
Overview of installation and configuration methods . . . 37
Installing Risk Manager components with the Tivoli desktop . . . 39
Accessing the Risk Manager environment variables . . . 39
Installing Risk Manager components with native installation . . . 39
Installing adapters on AIX systems . . . 39
Installing adapters on Linux systems . . . 42
Installing adapters on Solaris systems . . . 42
Installing adapters on Windows systems . . . 44
Installing the event server . . . 45
Configuring the event server . . . 46
Merging Risk Manager and TME adapter format files . . . 47
Configuring and distributing Risk Manager adapters with ACF . . . 49
Adapters and sensors configurable with ACF . . . 50
Configuring adapters with ACF profiles . . . 50
Event groups . . . 51
Creating event groups . . . 52
Configuring Risk Manager for Web-based information . . . 52
Setting up database views for Web-based information . . . 52

TEC settings for displaying Web-based information . . . 54
Removing Risk Manager components . . . 54
Removing from managed nodes . . . 54
Uninstalling adapters with the native method . . . 55

Chapter 5. Risk Manager Server Correlation . . . 57
States . . . 57
Risk Manager Correlation components . . . 59
Configuring Risk Manager Correlation . . . 59
Changing configuration settings . . . 59
Risk Manager configuration script . . . 60
Prolog files . . . 61
Configuring Risk Manager Server Correlation . . . 62
Rule base processing . . . 63
Running the Risk Manager Server Correlation scripts . . . 64
Monitoring state events . . . 64
Defining network hosts . . . 64
Registering trusted hosts . . . 65
Specifying sensor instances . . . 66
Downgrading the severity of sensor instance events . . . 67
Suppressing the generation of sensor instance events . . . 67
Setting user-defined attributes of events . . . 67
Setting the allowed time-stamp skew . . . 68
Setting the elapsed time after which a state expires . . . 69
Setting the interval for cleaning up expired states . . . 70
Setting the refresh timer interval . . . 70
Adjusting state events from generic to specific . . . 71
Adjusting state events from specific to generic . . . 71
Setting decay values . . . 72
Removing non-secure events . . . 72
Forwarding state data . . . 73
Setting when state data is forwarded . . . 73
Forwarding state data to another event server . . . 73
Defining storm event thresholds . . . 74
Event linking . . . 75
Detecting duplicate events . . . 76
Specifying new categories . . . 77
Assigning superclass categories . . . 79
Assigning leaf classes to categories . . . 81
Disabling the correlation process for specific event classes . . . 81
Setting escalation thresholds . . . 82
Checking the event cache size . . . 84

Changing Risk Manager Server performance . . . 85

Chapter 6. Risk Manager Event Integration Facility . . . 87
Overview of the Risk Manager Event Integration Facility . . . 87
Comparing the Risk Manager Event Integration Facility with the Tivoli Event Integration Facility . . . 88
Risk Manager Observer . . . 89
Event Integration Facility library . . . 89
Perl support . . . 89
Adapter files . . . 90
Risk Manager EIF commands . . . 90
Installing the Risk Manager EIF . . . 92
Building format files and class definition statement files . . . 92
Installing Perl support . . . 93
Configuring the Risk Manager EIF for TME or non-TME environments . . . 93
rmeif_cfg command examples . . . 94
Risk Manager EIF configuration files . . . 94
Risk Manager EIF configuration file format . . . 94
rmad.conf configuration file keywords . . . 95
Event filters . . . 100
Event buffer filter operations . . . 101
The rmad_summary.rules file . . . 101
Working with the summary function example . . . 102
Creating new summary rules . . . 103
Using the check rules script . . . 104
Other Risk Manager EIF files . . . 105

Chapter 7. Risk Manager TEC tasks . . . 107
Specifying TEC tasks . . . 107
TEC tasks on UNIX systems . . . 107
TEC tasks on Windows systems . . . 108
TEC tasks for archiving events . . . 109
TEC tasks for starting Risk Manager adapters . . . 110
TEC tasks for stopping Risk Manager adapters . . . 111
TEC tasks for Check Point FireWall-1 . . . 111
TEC tasks for Cisco Secure PIX Firewall . . . 111
TEC tasks for Cisco Secure IDS . . . 112

Chapter 8. Web Intrusion Detection . . . 113
Overview of the Web Intrusion Detection System . . . 113
Supported Web servers . . . 115
Perl support . . . 116

CLF access log files . . . 116
The sig.nefarious signature file . . . 116
TEC correlation for Web IDS events . . . 120
Web IDS and the Risk Manager Event Integration Facility . . . 121
Specifying log file access for rollover support . . . 121
Installing Web IDS . . . 122
Configuring Web IDS for the Web server . . . 122
Configuring Web IDS for use with the Risk Manager EIF . . . 123
Configuring Web IDS for use with the TEC adapter . . . 123
Configuring the Web server access log file . . . 124
Validating the Web IDS installation . . . 127
Administrative tasks . . . 128
Editing the Web IDS configuration file . . . 128
Starting Web IDS . . . 130
Analyzing Web attack events . . . 131
Adding and removing signature classes . . . 132
Adding and removing Web attack signatures . . . 133
Combining and refining pattern tests . . . 133
Adding or removing suspicious hosts . . . 134
Specifying suspicious activity types . . . 135
Adding or removing trusted signatures . . . 135
Adjusting thresholds and decay values . . . 136

Chapter 9. Cisco Secure IDS adapter . . . 139
Overview . . . 139
Sensor overview . . . 140
TEC Correlation . . . 141
Installing and configuring the Cisco Secure IDS adapter . . . 141
Configuring the Cisco Secure IDS adapter for use with the Risk Manager EIF . . . 141
Configuring the Cisco Secure IDS adapter for use with the Cisco Secure IDS DataFeed component . . . 142
Administrator tasks . . . 143
Starting the Cisco Secure IDS adapter . . . 143
Stopping the Cisco Secure IDS adapter . . . 143
TEC tasks . . . 143
Starting the Cisco Secure IDS adapter . . . 143
Stopping the Cisco Secure IDS adapter . . . 144
Configuring Cisco Secure IDS DataFeed . . . 144
Resolving Cisco Secure IDS adapter bus errors . . . 144
Unix and Linux systems: . . . 144
Windows systems: . . . 144

ixRisk Manager f<6<:&,$I

Page 12: Risk Manager '[ U'[ Y'E K C hpublib.boulder.ibm.com/tividd/td/TRM/GC32-0703-01/ja_JA/PDF/GC32... · ... 16 BAROC U!$k ... 39 Risk Manager D-QtXN"/;9 ... Risk Manager EIF =.U!$k&U)

h10O ISS RealSecure Q"@W?< . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 147

5W . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 147

;s5<N5W . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 148

SNMP HiCW . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 149

TEC Correlation. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 149

ISS RealSecure Q"@W?<N$s9H<k*hS=. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 149

ISS RealSecure Q"@W?<N=. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 149

]j7<Nn.*hS,Q . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 150

$YsHQYNGg= . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 150

Configuring the TEC SNMP adapter . . . 150

Setting up a non-Tivoli SNMP adapter for UNIX . . . 151

Managing the ISS RealSecure adapter . . . 152

Starting the SNMP adapter . . . 152

Stopping the SNMP adapter . . . 153

Chapter 11. Cisco router adapter . . . 155

Overview of Cisco routers . . . 155

TEC Correlation . . . 156

Installing the Cisco router adapter . . . 157

Installation planning . . . 157

Installation steps . . . 157

Configuring the Cisco router adapter . . . 158

Configuring the TEC SNMP adapter . . . 158

Setting up Cisco routers . . . 159

Setting up a non-Tivoli SNMP adapter for UNIX . . . 159

Managing Cisco routers . . . 160

Starting the SNMP adapter . . . 160

Stopping the SNMP adapter . . . 160

Stopping the SNMP daemon . . . 161

Changing the event server . . . 161

Editing the UNIX services file . . . 161

Cisco router traps . . . 161

Cisco router-specific traps . . . 162

Various traps . . . 162

Generic SNMP authentication-failure trap . . . 162

Chapter 12. Cisco Secure PIX Firewall adapter . . . 163

Overview of Cisco Secure PIX Firewall . . . 163

Sensor overview . . . 164

TEC Correlation . . . 164

Firewall management events . . . 165


Decisions made by the TEC rule engine . . . 165

Installing and configuring the Cisco Secure PIX Firewall adapter . . . 167

Before installing the Cisco Secure PIX Firewall adapter . . . 167

Configuring the Cisco Secure PIX Firewall adapter . . . 167

Recommendations for configuring the Cisco Secure PIX Firewall adapter . . . 168

Configuring the Cisco Secure PIX Firewall . . . 168

TEC tasks . . . 169

Before running the Cisco Secure PIX Firewall TEC tasks . . . 169

Protecting passwords and task information . . . 169

Changing the sensor access configuration . . . 170

Displaying sensor configuration information . . . 172

Changing the sensor logging configuration . . . 172

Managing the Cisco Secure PIX Firewall . . . 173

Chapter 13. Check Point FireWall-1 adapter . . . 177

Overview of the Check Point FireWall-1 adapter . . . 177

Sensor overview . . . 178

Installing and configuring the Check Point FireWall-1 adapter . . . 179

Configuring Check Point FireWall-1 . . . 179

Configuring the Check Point FireWall-1 adapter for use with the Risk Manager EIF . . . 179

Configuration files . . . 180

Configuring Check Point FireWall-1 as an OPSEC server . . . 181

Configuring the Check Point adapter as an OPSEC client . . . 182

Configuring the SAM server . . . 183

Connecting the Check Point adapter to the OPSEC server . . . 183

Setting the Check Point FireWall-1 alarm-handling policy in the adapter . . . 184

Managing the Check Point FireWall-1 adapter . . . 185

TEC tasks . . . 185

Before running the TEC tasks . . . 186

Starting on Windows NT . . . 186

Starting on Solaris . . . 186

Starting on Linux . . . 186

Requesting IP address information . . . 186

Requesting source and destination information . . . 187

Stopping the adapter on Windows NT . . . 189

Stopping the adapter on Solaris . . . 189

Stopping the adapter on Linux . . . 189

Management operations . . . 190

Starting the Check Point FireWall-1 daemon . . . 190

Stopping the Check Point FireWall-1 daemon . . . 190

Error handling . . . 190


Check Point FireWall-1 log messages and attributes . . . 190

Intrusion-related log messages . . . 191

Log messages not related to intrusions . . . 191

Setting firewall attributes . . . 191

Chapter 14. Host Intrusion Detection adapter . . . 193

Overview of the Risk Manager adapter for Host IDS . . . 193

TEC Correlation . . . 193

Installing and configuring the Host IDS adapter . . . 194

Preparing for installation . . . 194

Installation steps . . . 194

Configuring Host IDS . . . 195

TEC tasks . . . 196

Chapter 15. McAfee Alert Manager adapter . . . 197

Overview of the McAfee Alert Manager adapter . . . 197

Sensor overview . . . 197

Adapter overview . . . 199

McAfee Alert Manager and McAfee NetShield alert messages . . . 200

TEC Correlation . . . 200

Installing and configuring the McAfee Alert Manager adapter . . . 201

Preparing for installation . . . 201

Considerations for configuring McAfee Alert Manager on Windows 2000 . . . 202

Chapter 16. Norton AntiVirus adapter . . . 203

Overview of the Norton AntiVirus adapter . . . 203

Sensor overview . . . 203

Adapter overview . . . 204

Norton AntiVirus events . . . 205

TEC Correlation . . . 205

Installing and configuring the Risk Manager adapter for Norton AntiVirus . . . 205

Preparing for installation . . . 206

Installing and configuring on a Tivoli endpoint . . . 206

Installing and configuring on a non-Tivoli node . . . 206

Considerations for configuring Norton AntiVirus on Windows 2000 . . . 206

Chapter 17. Network IDS . . . 209

Overview of Network IDS . . . 209

Network IDS TEC Correlation . . . 210

Network IDS alerts . . . 211

Installing and configuring the Network Intrusion Detection System . . . 212

Network Intrusion Detection Option installation packages . . . 212


Installation planning . . . 212

Configuring Network IDS . . . 213

Configuration steps . . . 213

Risk Manager TEC tasks . . . 213

Network IDS TEC tasks . . . 213

Managing Network IDS . . . 214

Starting Network IDS automatically with the nids command . . . 214

If Network IDS does not start automatically . . . 214

Updating the signature file . . . 214

Logging Network IDS alerts and information . . . 215

(?*Zl<7gsNF9H . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 215

IP "Il9NJ, . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 215

Obtaining host names . . . 215

nids command . . . 216

Network IDS attack signatures . . . 218

Built-in alerts . . . 218

Signature-based alerts . . . 218

Chapter 18. Tivoli Decision Support . . . 221

Overview of Tivoli Decision Support for Enterprise Risk Management . . . 221

Tivoli Decision Support for Enterprise Risk Management documentation . . . 222

Installing Tivoli Decision Support . . . 223

Configuring Tivoli Decision Support for Enterprise Risk Management . . . 223

Creating archive tables, views, and triggers in the Risk Manager TEC database . . . 223

Tivoli Decision Support for Enterprise Risk Management management tasks . . . 225

Appendix A. Risk Manager messages . . . 227

Risk Manager correlation messages . . . 227

Network Intrusion Detection System messages . . . 237

Installation messages . . . 253

Check Point FireWall-1 messages . . . 254

Check Point FireWall-1 task messages . . . 257

Cisco Secure IDS messages . . . 259

Risk Manager server messages . . . 263

Web-based information messages . . . 268

Risk Manager Event Integration Facility messages . . . 268

Risk Manager EIF Observer messages . . . 276

Web IDS messages . . . 277

Appendix B. Migration . . . 285

Reinstalling or upgrading adapters at version 3.8 or later . . . 285


Migrating from adapters installed with Risk Manager version 3.7 . . . 286

Migrating the Risk Manager Server . . . 288

Appendix C. Cisco Secure IDS attack signatures . . . 289

Appendix D. ISS RealSecure attack signatures . . . 297

Network attack signatures . . . 297

System attack signatures . . . 299

Appendix E. McAfee Alert Manager and McAfee NetShield alert messages . . . 301

Appendix F. Network IDS attack signatures . . . 307

Network IDS built-in alerts . . . 307

Authentication . . . 308

Back doors . . . 308

Configuration . . . 308

Denial of service . . . 308

LOKI . . . 308

Reconnaissance . . . 309

Stealth . . . 309

Signature-based alerts . . . 309

Generic alerts . . . 309

Authentication . . . 315

Back doors . . . 317

Configuration . . . 317

Denial of service . . . 319

Gopher . . . 320

LOKI . . . 320

Port . . . 320

Reconnaissance . . . 320

Glossary . . . 325

Index . . . 333


1. Risk Manager operating system support . . . 1

2. Web servers supported by Risk Manager Web IDS . . . 2

3. Risk Manager format files . . . 20

4. Overview of installation and configuration methods . . . 37

5. Risk Manager packages installable on AIX . . . 39

6. Risk Manager packages installable on Linux . . . 42

7. Risk Manager packages installable on Solaris . . . 43

8. Risk Manager packages for Windows systems . . . 44

9. Native commands for uninstalling Risk Manager adapters . . . 55

10. States defined by Risk Manager Server Correlation . . . 58

11. ~VVVrCKQ9 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68

12. Categories defined by Risk Manager . . . 78

13. Threshold token definitions . . . 83

14. uVN?$W*hS5k5lkz-t . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84

15. Original events received by sensors . . . 102

16. Events processed by the summarization function . . . 103

17. Web servers supported by Web IDS . . . 115

18. Tracks supported by Check Point FireWall-1 . . . 185

19. Alert categories . . . 307


Preface

This manual describes how to install, configure, and manage Tivoli® Risk Manager (referred to in this manual as Risk Manager). It also provides an overview of the Risk Manager components.

Who should read this manual

This manual is intended for administrators who are knowledgeable about Tivoli Management Framework and Tivoli Enterprise Console. They should also have hands-on experience with the following:

¶ Installing and using third-party intrusion detection applications.

¶ Installing products. Risk Manager uses the Tivoli desktop to install product images.

¶ Using the Tivoli Adapter Configuration Facility (ACF) and adapter configuration profiles (ACPs).

Risk Manager is a product for those responsible for network security policy and for implementing intrusion detection systems (IDS). They should have working knowledge of network security and a thorough understanding of Transmission Control Protocol/Internet Protocol (TCP/IP), basic networking concepts, and routed networks.

Prerequisite manuals

To use Tivoli Enterprise Console (TEC), they should be familiar with the following manuals:

¶ Tivoli Framework Planning and Installation Guide, Tivoli Framework User's Guide, and Tivoli Framework Reference Manual

These manuals describe in detail the desktop, managed nodes, administrators, policy regions, profiles, notices, tasks, scheduling, and command line interface (CLI) commands.

¶ Tivoli Enterprise Console User's Guide

This manual describes in detail how to use the Enterprise Console.

Related manuals

The following manuals supplement the information in the prerequisite manuals:

¶ Tivoli Enterprise Console Rule Builder's Guide

This manual describes in detail how to create and integrate new rules.

¶ Tivoli Event Integration Facility User's Guide

This manual describes how to use the Event Integration Facility (EIF) to develop your own event adapters. Those event adapters can be tailored to your network environment and to your specific requirements.

¶ Tivoli Enterprise Console Reference Manual

This manual describes the command line interface in detail.


¶ Tivoli Enterprise Console Adapters Guide

This manual describes in detail the Tivoli Enterprise Console adapters that are currently available.

Risk Manager documentation

The Risk Manager documentation consists of the following:

¶ The Tivoli Risk Manager Release Notes documents information about Risk Manager. This file is in the root directory of the product CD:

¥RM38relnotes.pdf

¶ This manual, the Tivoli Risk Manager User's Guide Version 3.8, is provided on the product CD as a file in PostScript Document Format (.pdf). The file is in the following directory:

¥books¥rm38user.pdf

¶ The Tivoli Risk Manager Developer's Guide Version 3.8 contains an overview of the Risk Manager Event Integration Facility, API and command line interface information, and information on how to create your own Risk Manager-compatible adapters. The file is in the following directory:

¥books¥rm38devgd.pdf

¶ The Tivoli Decision Support for Enterprise Risk Management Release Notes is in the following directory:

¥books¥tdserm11.pdf

For changes to the product and to this manual, see the Tivoli Risk Manager Release Notes.

What this manual contains

¶ "What's New in This Release" on page 1 lists the changes in this release. It also provides a roadmap to help you find the information you need.

¶ "Overview of Tivoli Risk Manager" on page 7 presents an overview of Risk Manager.

¶ "Installing Risk Manager" on page 33 describes how to install the Risk Manager components.

¶ "Risk Manager Server Correlation" on page 57 introduces Risk Manager TEC Correlation, including correlation terminology, processes, and management tasks.

¶ "Risk Manager Event Integration Facility" on page 87 describes the Risk Manager Event Integration Facility, the toolkit that Risk Manager provides for creating your own Risk Manager-compatible adapters.

¶ "Risk Manager TEC Tasks" on page 107 introduces the TEC tasks that Risk Manager provides.

¶ "Web Intrusion Detection" on page 113 describes the Web Intrusion Detection System (Web IDS), a sensor provided with Risk Manager.


¶ "Cisco Secure IDS Adapter" on page 139 introduces the adapter for Cisco Secure IDS (formerly NetRanger).

¶ "ISS RealSecure Adapter" on page 147 describes the adapter for ISS RealSecure.

¶ "Cisco Router Adapter" on page 155 describes the adapter for Cisco routers.

¶ "Cisco Secure PIX Firewall Adapter" on page 163 introduces the adapter for Cisco Secure PIX Firewall.

¶ "Check Point FireWall-1 Adapter" on page 177 introduces the adapter for Check Point FireWall-1.

¶ "Host Intrusion Detection Adapter" on page 193 describes the adapter for the Host Intrusion Detection System (IDS).

¶ "McAfee Alert Manager Adapter" on page 197 describes the adapter for McAfee Alert Manager.

¶ "Norton AntiVirus Adapter" on page 203 describes the adapter for Norton AntiVirus.

¶ "Network IDS" on page 209 describes the Network Intrusion Detection (Network IDS) option.

¶ "Tivoli Decision Support" on page 221 summarizes Tivoli Decision Support for Enterprise Risk Management.

This manual also includes a glossary of intrusion detection and security-related terms, and an index.

Conventions used in this manual

In this manual, Windows® system means a computer system running the Windows NT™ or Windows 2000™ operating system. UNIX system means a computer system running a UNIX™ operating system such as AIX™, Linux™,or Solaris™.

This manual uses several typeface conventions for special terminology and actions. These conventions have the following meanings:

Convention | Meaning

Bold | Commands, keywords, flags, and similar information are shown in bold.

Italics | Variables that the user must supply and new terms are shown in italics. Italics are also used for emphasis.

Monospace | Code examples, output, and file names are shown in monospace.

Customer support

For documentation and customer support, contact your sales representative.


Risk Manager Web information

Tivoli and IBM Tivoli customers can use online information about Tivoli security products and Risk Manager.

For the latest product updates and service information for Risk Manager, see the Web site (http://www.tivoli.com/support/secure_download_bridge.html).

For information about the Tivoli Risk Manager product, see the following Web site:

http://www.tivoli.com/products/index/risk_mgr/

For other Tivoli security management products, see the following Web site:

http://www.tivoli.com/products/solutions/security/

Web information on other products

The online information about other products and services referenced in this manual was current at the time this manual was published.


What's New in This Release

This section describes the changes from previous releases that were made in Risk Manager 3.8.

Supported operating systems

Table 1 lists the operating systems supported by the Risk Manager components in this release.

Table 1. Risk Manager operating system support

Columns: AIX 4.3.3 | Solaris 2.7 | Solaris 2.8 | Linux | Windows NT 4.0 | Windows 2000
(The X marks are listed in the order they appear; the column alignment of the original table was not preserved in this extraction.)

Risk Manager server: X X X X

Tivoli Decision Support: X

Check Point FireWall-1: X X X RedHat 6.2/7.0 X

Cisco Secure IDS adapter: X X Linux Kernel 2.2.16 X X

Norton AntiVirus: X X

McAfee Alert Manager: X X

Host IDS: X X X RedHat 6.2/7.0 X X

Network IDS: X X X RedHat 6.2/7.0

Web IDS: X X X RedHat 6.2/7.0 X X

Cisco Secure PIX Firewall adapter: X X X X

Cisco router: X X X X

ISS RealSecure: X X X X


Table 1. Risk Manager operating system support (continued)

Columns: AIX 4.3.3 | Solaris 2.7 | Solaris 2.8 | Linux | Windows NT 4.0 | Windows 2000

TEC SNMP adapter supporting ISS RealSecure and Cisco routers: X X X X

Risk Manager Event Integration Facility: X X X RedHat 6.2/7.0 X X

Supported Web servers

Table 2 lists the Web servers supported by Risk Manager Web IDS.

Table 2. Web servers supported by Risk Manager Web IDS

Web server | AIX 4.3.3 | Solaris 2.7 | Solaris 2.8 | Windows NT 4.0

Apache 1.3.17: X X

Apache 1.3.9: X X

Domino 5.0.6: X X

I-Planet 4.1: X X X X

Microsoft IIS 4.0: X

IBM HTTPD 1.3.12.2: X X

WebSeal 3.7: X X

Supported databases

Risk Manager 3.8 supports the following databases:

¶ Oracle Database version 8.1.x

¶ IBM DB2 versions 6.1 and 7.1

¶ Sybase Adaptive Server Enterprise (ASE) versions 11.5, 11.9x, and 12.0

Tivoli Management Framework and Tivoli Enterprise Console

The Risk Manager 3.8 components are certified on the following:

¶ Tivoli Management Framework V3.7, V3.7.1

¶ Tivoli Enterprise Console V3.7.1


New Web-based information

Risk Manager 3.8 includes Web-based information about Risk Manager state events. You can display additional information about the individual Risk Manager events that are related to a Risk Manager state. This information is available from the Tivoli Enterprise Console (TEC).

Installation

Risk Manager components and adapters can be installed with the following server-native installation programs:

¶ installp (for AIX)

¶ pkgadd (for Solaris)

¶ rpm (for Linux)

¶ InstallShield (for Windows systems)

You do not need to unpack the files and install them manually. Installation through Software Installation Services (SIS) is no longer supported.

Adapter updates

McAfee Alert Manager adapter

Risk Manager includes an adapter for McAfee Alert Manager version 4.5. For details on this adapter, see "McAfee Alert Manager Adapter" on page 197. The related McAfee Alert Manager events are picked up from the TEC Windows Event Log adapter.

Internet Security Systems RealSecure (ISS RealSecure) adapter

ISS RealSecure 6.0 supports the new or changed Simple Network Management Protocol (SNMP) traps generated by the ISS RealSecure 6.0 Network Engine and System Agent.

Check Point FireWall-1

Check Point FireWall-1 has updated the Operations Security (OPSEC) libraries. The Linux platform is supported.

Cisco Secure IDS adapter

The Cisco Secure IDS adapter is an implementation that updates the earlier NetRanger adapter using the Software Development Kit (SDK). This implementation supports the various Cisco IDS products.

Host IDS

The Windows 2000 platform, including Active Directory events from the event log, is supported by Risk Manager Host IDS.

The Host Intrusion Detection System (Host IDS) is supported on RedHat Linux 6.2 and 7.0.

Web IDS

Web IDS is supported on RedHat Linux and Windows 2000.

3Risk Manager f<6<:&,$I


Most Web servers can be scheduled to switch to a different log file after a given amount of time has elapsed (for example, once a day). Web IDS supports rolling log files, so it can switch to the new log file without terminating.

Norton AntiVirus Version 7.0 and 7.5 are supported.

Linux is now supported for Web IDS, Risk Manager Event Integration Facility, Risk Manager Perl, Host IDS, and Network IDS.

TEC tasks

The following TEC tasks have been added:

Archiving sensor events: You can use Tivoli Decision Support (TDS) to archive Risk Manager sensor events for data mining.

Scheduling event archiving: You can schedule Risk Manager sensor event data to be archived periodically for data mining.

The other TEC tasks have been functionally enhanced for specific operating system platforms.

The following enhancements have been made for efficiency, usability, and performance:

¶ The Risk Manager Event Integration Facility Observer lets you specify local processing of events, to further improve processing efficiency, reduce network traffic, and make correlation easier. In this release:

v The number of events sent from Risk Manager adapters to TEC has been reduced. A summary event can represent a relatively large number of duplicate or similar events.

v Events are saved in persistent storage, so data is not lost even when the TEC server is temporarily unavailable.

v Both Tivoli Management Enterprise (TME) endpoints and non-TME endpoints are supported.

¶ Installation efficiency has been improved by using the native installation methods.

¶ History reporting has been made more efficient: a very large number of individual events can be loaded directly into the TDS archive database while the impact on the primary TEC server is reduced.

¶ Using Tivoli Management Framework 3.7.1 functions, fewer ports need to pass through the firewall and SSL is used, improving security.


�"#$����%�����

Network Intrusion Detection (Network IDS) *W7gs\qGO Network IDS ;s5<KD$F8q=7F$^9#J0O"1;s5<N

m8H8q=OL9KTolF$^7?#

(i<&aC;<8

\qKO"Risk Manager 3s]<MsHKP9k(i<&aC;<8Nb@,^^l

F$^9# Risk Manager aC;<8KD$FO"227Z<8NXRisk Manager Na

C;<8Yr2H7F/@5$#

\qNI-easF<7gsNgt,,F=.5l^7?#ONgVrBSX("$s9H<

kpsO 1 DN$s9H<kNOK<akh&K7^7?#


Tivoli Risk Manager ���

%@"OC+<"Ku ] 3liO9YF e-business KP9kG7N5$P<6bG"j";

-ejF#<KP7F^kAYs@<Khk}g*J"Wm<Ar+/9k,W-r/49k

bNG9#77$A0N5$P<6bNP=Khj"e-business GO"3liN6b+i88

kS8M9&j9/Kj^Ph7J1lPJj^;s#

Tivoli Systems Inc. (Tivoli) O"e-business ,3liN5$P<6br'17FI_9k3Hr

D=K9k;-ejF#<I}*hS"/;9)f=je<7gsrs!9k@G"h3*J

rdrL?7F$^9# Tivoli Nl"N;-ejF#<=JO"e-business K;-ejF#

<&Ul<`o</rs!7^9#3NUl<`o</O"H%,H+N IT pWr]n9k

?aNo,KG@rvF?+/rT&NKr)A^9#

Tivoli O"*<WsG91<iSjF#<Nb$"#tNWiCHU)<`K&LNF/Nm

8<I}=je<7gsrs!7F*j"3liOMCHo</"79F`""Wj1<7g

s"*hSkHV (B2B) N e-commerce KZS^9#$&Nh,K)DkHO"Tivoli =U

H&'"*hS Tivoli Ready =JrHQ7F"MCHo</"79F`"G<?Y<9"*

hS"Wj1<7gsNI}N39HH#(5ro:9kNKr)FF$^9#Tivoli Ready

=JN}gQ<HJ<O"Tivoli I}=UH&'"H}g9kh&'Z5l?"*RM,~j

G-kO<I&'"*hS=UH&'"=JNOOrH%7F$^9#

Risk Manager ���kHr]n9kKO"H+N e-business N$sUi9Hi/Ac<KP9kCjN;-ejF

#<Wor~?9;-ejF#<=Jrw(F*+J1lPJj^;s#^?"kHKO"#

tN;-ejF#<&3s]<MsHr 1 DN3s=<kKH_~`?aK"I}3s]<

MsH@1GJ/G1NB)*hS]j7<r$sWjasH9kNrgu9k;-ejF#

<&5<S9s!Tb,WG9#

Risk Manager O"Gh<;QrHQ7?/~!NQNI}79F`G9#Risk Manager O"

5^6^Jb"*hS5<I&Q<F#<N;s5<&"Wj1<7gs+i/~!N"i<

Hru.9k!=rw(F$^9#/~!N79F`O"5<S9826b"k$O"9-c

s6bdUiCG#s06br\*H7?/~rj"k?$`G!P*hSbK?<7^9#

Risk Manager O"/~!N"i<HN+0h}Khj"\vN"i<HHVcC?"i<H

rhL9kNru1^9#3N+0h}O4/lL*JbNG"j";s5<+NKOX8J

/"#tN/~!N79F`+iN"i<Hrh}9k3H,G-^9#

Risk Manager ���Risk Manager O"J<N@+i"e-business N]nKr)A^9#

¶ 6b"<w"*hSx+NbK?<rl5I}7^9#/~!N79F`O?tN"i<

Hr8.7^9#"i<HO"j_K)\KX"7F$?j",\*KO18djKhC


Fz-/35l?j"^?O/~!N79F`+NKhCFz-/35l?j9k3H,

"j^9#1lN/~!N$YsH&3s=<kG"k Tivoli Enterprise Console O";

-ejF#<jX$YsHr}g7FI}7^9#

¶ /~!N79F`Nf<6<,",~-N"k;-ejF#<jJG~z7d9/7^

9#

¶ "Wj1<7gs"5<S9"G<?Y<9"MCHo</&GP$9"*hS*Zl<

F#s0&79F`Ne@KPh7^9#

¶ spJ7[o (false positive) JINT,WJpsro:9kl}G"B]N;-ejF#

<<Rr1L7^9#

¶ ;-ejF#<NlgHGJ$f<6<,";-ejF#<eNj9/rj"k?$`G

bK?<7F>AG-kh&K7^9#

Risk Manager �&"#���������������Risk Manager O"/~d;-ejF#<X"Ndj,/87?lgK""I_K9Hl<?

<,"i+8aWh5l?~zrFSP93H,G-kh&"MCHo</&^M<8c<^

?O"I_K9Hl<?<K"i<HrP7^9#GiK""I_K9Hl<?<O"JK+

,/87?3HrNk,W,"j^9#!K"JK,/87?N+"I3G/87?N+"=

7FJ</87?N+rNk,W,"j^9#GeK""I_K9Hl<?<O""i+8a

Wh5l?~zrFSP93H,G-^9#

Risk Manager O"F/~nTKX9kJ<NpsrM8K~l^9#

=<9 /~nT,/87?lj#3NpsO"[9H>^?O IP "Il9G"k3H,"

j^9#

?<2CH

/87?/~nTNP]#?<2CHO"[9H"Web 5<P<"Q9o<I&U!

$k"^?O=N>N"ifk79F`&j=<9G9#^?"PC/lYk&Wm

0i`^?O&#k9N$s9?s9NHQrnT7F$klgb"j^9#

/~st

=<9+i/~nT,Tol?st"*hSFAru1??<2CHNt#

+F4j<

/~nTN?$W#/~nTKO"5<S9826b"Web 6bJI,"j^9#

EgY Risk Manager N=.~K"/~nTNEgYrhj7^9#

There are many kinds of intrusions that occur on a network. Risk Manager provides protection against all of these many kinds of attacks.

Some intrusions occur in isolation; others are carefully executed security attacks. Figure 1 on page 9 shows intrusion attempts made from one source against one target. Intrusions from that source against that target may be attempted multiple times.

Intrusion attempts from multiple sources against one target can also occur. Imagine, for example, a group launching a coordinated attack that overwhelms a particular server. Figure 2 shows intrusion attempts from multiple sources against one target. Figure 2 shows only a few intrusion attempts; real intrusion attempts can be far more numerous.

As another example, one source may attempt to compromise the security of multiple targets. A group or an individual may attempt to access multiple targets on the network. Figure 3 shows intrusion attempts from one source against multiple targets. Figure 3 shows only a few intrusion attempts; real intrusion attempts can be far more numerous.

Finally, attacks from multiple sources against multiple targets are possible. Figure 4 on page 10 shows intrusion attempts from multiple sources against multiple targets. Figure 4 shows only a few of the intrusion attempts; real intrusion attempts can be far more numerous.

Figure 1. Intrusion attempts from one source against one target

Figure 2. Intrusion attempts from multiple sources against one target

Figure 3. Intrusion attempts from one source against multiple targets


The example in this section shows how Risk Manager processes intrusion attempts. In this example, and in Figure 5, 999 intrusion attempts occur. All of the intrusion attempts come from the same source, and the same target is affected by them. The important numbers are as follows:

1 Source of the intrusion attempts

2 Target of the intrusion attempts

3 Category of the intrusion attempts. This is the kind of intrusion attempt.

The severity is specified by the administrator. The administrator also specifies that the severity of the intrusion attempts increases as the number of events of this type grows. A single event from this source is not particularly severe. However, when 999 intrusion attempts occur from the same source against the same target, the matter becomes severe.

"How Risk Manager processes intrusion attempts" shows 999 intrusion attempts. The Risk Manager correlation server could send all 999 intrusion attempts to TEC for the administrator to handle, but this is not efficient. An administrator overwhelmed by too many meaningless events may lose sight of the severe intrusion attempts.

Correlation compares each component of the event, 1, 2, and 3, and its severity. Instead, Risk Manager can compare events and consolidate similar events. In this example, all 999 events are similar. Risk Manager consolidates the events into a single situation that contains the 999 similar events.

You can specify which events are consolidated, the severity assigned to each type of intrusion event, and the action the administrator takes when an event actually occurs.

Figure 4. Intrusion attempts from multiple sources against multiple targets

Figure 5. Intrusion attempts

Risk Manager includes the following components:

Single intrusion detection and management console

Risk Manager manages e-business security risks from the Tivoli Enterprise Console (TEC), a single centralized management console intended for both system management and intrusion detection. Because the intrusion detection events this console presents resemble the other events handled by the management framework, management becomes more efficient.

Server-side event correlation

Risk Manager collects input data from multiple sensors, correlates the output and alerts from each sensor, and determines whether an attack is actually taking place. Risk Manager then sends this information to the Tivoli administrator at the centralized management console.

Event Integration Facility (EIF) toolkit

Risk Manager incorporates its own event integration toolkit, the Risk Manager Event Integration Facility (EIF). Using the application programming interface, you can develop your own Risk Manager-compatible adapters.

Placing the Risk Manager EIF on the Risk Manager adapter or sensor, or on a system close to it, allows more efficient processing and reduced traffic.

Intrusion detection sensors

Risk Manager includes the set of intrusion detection sensors shown below.

Web-based intrusion detection sensor

Risk Manager incorporates the Web Intrusion Detection System (Web IDS) sensor, which detects attacks and suspicious activity against Web servers.

Host-based intrusion detection sensor

By deploying the Risk Manager adapter for the Host Intrusion Detection System (Host IDS) on secure operating systems, you can detect security problems or breaches.


Network-based intrusion detection sensor

The Risk Manager Network Intrusion Detection System (Network IDS) sensor detects network-based attacks and suspicious activity.

Intrusion detection adapters

Risk Manager provides an adapter for each sensor so that it can collect the events generated by that sensor.

Risk Manager provides the following adapters to collect data from particular third-party sensors:

¶ Adapter for ISS RealSecure. This adapter maps alarms generated by the relevant versions of ISS RealSecure to TEC events.

¶ Adapter for Cisco Secure IDS. This adapter maps alarms generated by the relevant versions of the Cisco Secure intrusion detection system (formerly NetRanger) to TEC events.

¶ Adapter for Cisco Routers. This adapter maps certain alarms generated by Cisco routers to TEC events, using the TEC SNMP adapter.

¶ Adapter for Cisco Secure PIX Firewall. This adapter maps alerts generated by the Cisco Secure PIX Firewall to TEC events.

¶ Adapter for Check Point FireWall-1. This adapter maps alerts generated by the Check Point™ Firewall-1® product to TEC events.

¶ Adapter for McAfee Alert Manager. This adapter maps alerts generated by the McAfee Alert Manager product to TEC events.

¶ Adapter for Norton AntiVirus. This adapter maps alerts generated by the Norton AntiVirus product to TEC events.

¶ Adapter for Host IDS. This adapter maps events detected and logged by the operating system to TEC events.

Tivoli Decision Support for Enterprise Risk Management

Tivoli Decision Support (TDS) for Enterprise Risk Management complements the Tivoli Risk Manager product. TDS provides a method for developing insight into the performance of network security systems such as firewalls, antivirus applications, and intrusion detection systems.

Figure 6 on page 13 depicts the high-level relationships among the Risk Manager components.


Risk Manager operates within the Tivoli Management Enterprise Framework. Several Tivoli products are needed to use Risk Manager. The Tivoli products required for use with Risk Manager are:

¶ Tivoli Management Enterprise Framework (formerly TME/10 Management Enterprise Framework), Version 3.7.1

¶ Tivoli Enterprise Console, Version 3.7.1

¶ Tivoli Management Agent, Version 3.7 or Version 3.7.1

¶ Tivoli Adapter Configuration Facility (ACF) Version 3.7.1 (optional)

¶ Tivoli Decision Support Version 2.1.1 (optional)

Risk Manager does not supply the prerequisite Tivoli products as part of the product. For installation procedures, see the Tivoli documentation for each product.

Figure 6. Diagram of the Risk Manager components


Support for these products is not provided as part of Risk Manager customer support.

If these required products are already installed at a supported level, they do not need to be reinstalled. Installation of these products must be completed before Risk Manager is installed.

Risk Manager and Tivoli Enterprise Console

TEC sits on top of the Tivoli Management Framework. TEC uses the framework's communication services and relational database interface together with the other components.

Risk Manager uses the following TEC components:

¶ TEC event server. This applies rules to incoming events.

¶ TEC event console server

¶ TEC event console

¶ Adapter Configuration Facility (ACF)

¶ Adapters

Risk Manager manages e-business security risks from the Tivoli Enterprise Console, a single intrusion detection system console. For complete information about TEC, see the Tivoli Enterprise Console documentation.

The TEC event console is a single event console that handles both system management and intrusion detection events. Events are displayed in the same way as the other events handled by the Tivoli Enterprise Console. Because events are displayed in the same way, TEC event console operators can handle them efficiently.

TEC provides the mechanisms for collecting, managing, and correlating Risk Manager-related events. Figure 7 on page 15 shows the relationship between the TEC server and consoles.


Risk Manager O"Tivoli "I_K9Hl<?<,h}G-kh&KJ<N$YsHr}8

7"=lir$YsH&3s=<kK>w7^9#J<N$YsHN+F4j<K$YsH&

0k<WrjA9kh&"TEC r+9?^$:9k3H,G-^9#

¶ uV$YsH

¶ ;s5<&$s9?s9

¶ Hi9FCI&[9H+iN"/F#SF#<

¶ Risk Manager KhCF!P5lkc0

¶ 9YFN Risk Manager ;s5<&$YsH

Risk Manager $YsH&3s=<kO"MCHo</bN;s5<+iu.7?$YsHN

#gSe<r=(7^9#Risk Manager O$YsH&3s=<kK$YsHr=(7^9

,"$YsH&3s=<kGO$YsH&"/F#SF#<N#tNSe<,=(5l^9#

Risk Manager O$YsH&3s=<keG$YsH&0k<W*hS$YsH&U#k?<

rn.9k?aN$s]<H&U!$krs!7^9#

����������TEC O"u.7? Risk Manager $YsHr"$YsH&G<?Y<9 HFPlkjl<7

gJk&G<?Y<9I}79F` (RDBMS) K]I7^9#

^ 7. TEC 5<P<H3s=<kNX8


TEC event server

The TEC event server manages the processing of all received events and all internally generated events. Incoming events are recorded in the event database and processed according to a rule set. Internally generated events are processed according to the same rule set and then stored in the event repository. While rules run, events may be sent back to the TEC event server for reprocessing. After reprocessing, the entries in the event repository are updated as needed. The TEC event server also updates all TEC event consoles with the current event information.

Risk Manager uses the TEC event server to receive, store, and operate on intrusion detection events. For details on the TEC event server, see the Tivoli Enterprise Console documentation.

TEC adapters

Tivoli provides generic TEC adapters for formatting events and sending them to the TEC server. In many cases, Risk Manager adapters and sensors rely on TEC adapters to format Risk Manager events and forward them to the Risk Manager server.

Adapters monitor resources so that the resources can be managed. When an adapter detects an event generated by a monitored resource, it formats the event and sends it to the Tivoli event server. An adapter can receive events from the monitored resource that is actually generating them, or it can examine an ASCII log file at a configurable interval, whenever the source updates the log file with a message.

Adapters can send events to the Tivoli event server using either a Tivoli interface or a non-Tivoli interface. The Tivoli interface establishes the connection using services provided by the Tivoli Management Framework. The non-Tivoli interface establishes the connection using standard interprocess communication mechanisms, such as a host name or an Internet Protocol (IP) address.

An adapter installed on an endpoint sends its events to the endpoint gateway. The endpoint gateway then bundles those events and forwards them to the Tivoli event server.

The TEC adapters that Risk Manager supports for endpoints are the Tivoli Logfile adapter on UNIX and the Windows Event Log adapter on Windows systems. The SNMP adapter is also supported.

Note: In this manual, rather than specifying whether an adapter is the Tivoli Logfile adapter, the Windows Event Log adapter, or the SNMP adapter, the generic term TEC adapter is used.

Sensors are designed to generate events and emit them to the appropriate logging facility. From that logging facility, the events are processed by the appropriate TEC adapter and sent to TEC. On the Tivoli event server, correlation is performed using the Risk Manager TEC Correlation rules. Risk Manager TEC Correlation analytically groups IDS events and presents a concise summary that shows the security situation of the network. See "Risk Manager Server Correlation" on page 57.

Each TEC adapter comes with an initial event library. This library provides immediately usable support for a predefined set of events. The following files make up the event library.

BAROC file

A BAROC file classifies events for the event server from within the rule set. An event class is a kind of event. Essentially, an event class is the agreement between the adapter and the Tivoli event server that determines which information the adapter sends to the event server. Risk Manager provides a BAROC file for each supported sensor and adapter. For details, see "BAROC files".

Format file

Changes to the event classes for these adapters are made in the format file, from which a new class definition statement (.cds) file is then generated. The format file defines the format of the messages collected from the event source. The format file is also used when generating the class definition statement (.cds) file for a TEC adapter. Risk Manager provides a format file (.fmt) for each supported sensor and adapter.

Class definition statement file (.cds)

A TEC adapter uses the CDS file (.cds) to map individual events to event classes and define their event attributes before forwarding them to the event server. Risk Manager provides .cds files for the adapters that use the SNMP adapter (the adapter for ISS RealSecure and the adapter for Cisco routers).

By modifying these files, you can add, change, and specify event classes. The initial event library shipped with an adapter supports the common events handled by that adapter. The event library also provides examples for creating new event definitions.

BAROC files

Each adapter comes with a BAROC file that describes the event classes the TEC adapter supports. This file is not used by the TEC adapter itself, but it serves as the required link between the adapter and the event server. The event server cannot interpret events received from an adapter until it has loaded this file. BAROC files usually have the extension .baroc.

The Risk Manager BAROC files describe the TEC class hierarchy. All classes inherit from the EVENT class. The top-level Risk Manager abstract classes and the component TEC event class definitions are in the BAROC files listed below.

BAROC file name: Class type

riskmgr.baroc: Risk Manager classes used for correlation.

sensor_abstract.baroc: Top-level abstract classes related to sensors. Do not send instances of these classes to TEC. The classes in this file depend on the classes in the riskmgr.baroc file.

sensor_generic.baroc: Generic classes used for the basic operation of adapters. The classes in this file depend on the classes in the sensor_abstract.baroc file.

realsecure.baroc: Host-based and network-based event classes for the ISS RealSecure adapter. The classes in this file depend on the classes in the sensor_abstract.baroc file.

csids.baroc: Event classes for the Cisco Secure IDS adapter. The classes in this file depend on the classes in the sensor_abstract.baroc file.

webids.baroc: Web IDS event classes. The classes in this file depend on the classes in the sensor_abstract.baroc file.

cpfw.baroc: Event classes for the Check Point FireWall 1 adapter. These event classes also define several generic firewall events. The classes in this file depend on the classes in the sensor_abstract.baroc file.

pix.baroc: Event classes for the Cisco Secure PIX Firewall adapter. These event classes also define several generic firewall events. The classes in this file depend on the classes in the sensor_abstract.baroc file.

os.baroc: Event classes for the Host IDS adapter. The classes in this file depend on the classes in the sensor_abstract.baroc file.

crouter_snmp.baroc: Event classes for the Cisco router adapter. These event classes also define generic router events. This file also contains the classes for Cisco routers. The classes in this file depend on the classes in the sensor_abstract.baroc file.

rmvirus.baroc: Event classes for the Norton AntiVirus adapter and the McAfee Alert Manager adapter. These event classes also define generic antivirus events. The classes in this file depend on the classes in the sensor_abstract.baroc file.

nids.baroc: Event classes for Risk Manager Network IDS. The classes in this file depend on the classes in the sensor_abstract.baroc file.

Class definition statement file

An adapter uses the .cds file to map each event it receives to a particular class and to define the event's attributes before forwarding the event to the event server. For each event class supported by the adapter that uses it, the .cds file specifies SELECT, FETCH, and MAP statements. Most adapters require this file. Therefore the format of this file is the same for every adapter that uses it. All of the event classes specified must derive properly from base classes that in turn derive from the classes in sensor_abstract.baroc.

If you change an event definition in the .cds file, you must also change the corresponding event class definition in the Basic Recorder of Objects in C (.baroc) file. The Tivoli Event Integration Facility User's Guide describes the content and syntax of event definitions.

In general, you do not need to change the .cds file to run an adapter, because this file is generated from the format file (see "Format files"). Tivoli provides the tecad_logfile.fmt, tecad_nt.fmt, and tecad_win.fmt files, which are used to create class definition statement files.

The Risk Manager format file is appended to the end of the default TEC format file. Alternatively, it can replace the default TEC format file.

Risk Manager provides a class definition statement file for use with the TEC SNMP adapter. Use the tecad_snmp.cds file to configure the SNMP adapter to collect events generated by Internet Security Systems RealSecure (ISS RealSecure) and Cisco routers.

Format files

If the adapter you are using requires a format file, do one of the following:

¶ Append the Risk Manager format file to the TEC adapter's format file, merging the two files.

¶ Replace the contents of the original TEC adapter format file with the contents of the Risk Manager format file. For the Host IDS adapter, this is a required step.

See the example on page 48.

The TEC SNMP adapter requires a .cds file.

TEC adapters extract information from system log messages. The format and meaning of these messages can vary. Messages must be matched against event classes. This kind of matching is performed in the format file. Format files usually have the extension .fmt. A format file is used for the following purposes:

¶ As the lookup file for matching messages to event classes. If nothing matches, the event is discarded.

¶ As input when generating the .cds file (see "Class definition statement files" on page 18).


The Risk Manager format files are the following.

Table 3. Risk Manager format files

Risk Manager format file | Risk Manager adapter | Adapter type | Platform

webids.fmt | Web IDS | Risk Manager EIF | Unix and Windows systems

webids.fmt | Web IDS | Logfile adapter | Unix systems

webids.nt.fmt | Web IDS | Windows Event Log adapter | Windows systems

pix.fmt | Adapter for Cisco Secure PIX Firewall | Tivoli Logfile adapter | UNIX systems

pix_nt.fmt | Adapter for Cisco Secure PIX Firewall | Windows Event Log adapter | Windows systems

csids.fmt | Adapter for Cisco Secure IDS | Risk Manager EIF | Unix and Windows systems

csids.fmt | Adapter for Cisco Secure IDS | Logfile adapter | Unix systems

csids.nt.fmt | Adapter for Cisco Secure IDS | Windows Event Log adapter | Windows systems

os_aix.fmt | Adapter for Host IDS | Logfile adapter | AIX systems

os_solaris.fmt | Adapter for Host IDS | Logfile adapter | Solaris systems

os_nt.fmt | Adapter for Host IDS | Windows Event Log adapter | Windows systems

os_linux.fmt | Adapter for Host IDS | Logfile adapter | Linux systems

rnmac.fmt | Adapter for McAfee Alert Manager | Windows Event Log adapter | Windows systems

rmnav.fmt | Adapter for Norton AntiVirus | Windows Event Log adapter | Windows systems

cpfw.fmt | Adapter for Check Point FireWall-1 | Risk Manager EIF | Unix and Windows systems

cpfw.fmt | Adapter for Check Point FireWall-1 | Logfile adapter | Unix systems

cpfw.nt.fmt | Adapter for Check Point FireWall-1 | Windows Event Log adapter | Windows systems

tecad_snmp.cds | Adapters for Cisco Router and ISS RealSecure | SNMP adapter | Unix and Windows systems

Note: The Cisco router and ISS RealSecure adapters use the Tivoli SNMP adapter. This adapter must be configured using the Risk Manager version of tecad_snmp.cds.

Format files must be kept in sync with their corresponding BAROC file. All format files have the same structure. The first few formats are generic definitions that do not match any message; they are used as templates for matching actual IDS product messages.

To view the contents of any of the Risk Manager format files, see the format files (.fmt) on the Tivoli event server, in the following directory for the platform in use:

$BINDIR/../generic_unix/RISKMGR/ACF_REP

BINDIR is the location where the event server binaries are installed.


Tivoli Enterprise Console

This chapter describes how Risk Manager situations are displayed in the Tivoli Enterprise Console (TEC). It also describes how to obtain information about a particular event.

Risk Manager Web Intrusion Detection System (IDS) scenario

This chapter describes a sample scenario. Risk Manager is assumed to be monitoring several Web servers that use Risk Manager Web IDS. The scenario gives a brief explanation of what happens when an attack occurs, and shows how TEC is used to display the intrusion detection events caused by the attack. Attacks detected by the other Risk Manager sensors and by particular third-party products can be displayed using the same approach.

What happens when an attack takes place? The Risk Manager Web IDS sensor analyzes the access log files generated by Web servers in order to detect Web server attacks. Using a rule-based approach, Web IDS detects suspicious behavior by defining generic signatures for Web server attacks. These signatures are used to detect such attacks. The Web IDS sensor generates a TEC event in response to the suspicious activity and sends it to the TEC server.

In this scenario, Web IDS detected attacks against an Apache Web server and notified the TEC server of multiple intrusion detection events. When TEC receives the IDS sensor events, the event correlation engine analyzes them and looks for attack patterns. The TEC correlation engine is implemented as a TEC rule set provided by Risk Manager.

Risk Manager correlation uses three keys when looking for attack patterns. The first key is the category of the event class. Risk Manager categorizes several types of suspicious activity, such as Web attacks, Trojan horses, service attacks, denial of service, and virus activity. In this scenario the first key, the category, is Web attack. The second key is the destination host name or IP address, and the third key is the source host name or IP address.

The correlation engine aggregates events based on these three data keys and their combinations, and generates alarms in TEC according to a threshold algorithm. The alarms are called situations. Each situation has an associated severity. The severity can rise over time while suspicious activity continues, and fall when the activity subsides. Risk Manager situations are defined from the following three generic examples.


Situation 1 events are the most restrictive; they are generated from events that match all three keys: category, destination host, and source host.

Situation 2 events are generated from events that match only two keys. The events match any two of the keys.

Situation 3 events are generated from events that match only one key.

Situation 1 events may indicate a very serious attack from one source against one destination. Situation 3 events indicate a particular attack type from multiple sources against multiple destinations. Apart from these two, the combination of category, destination host, and source host indicates additional attack types.

TEC event groups

Figure 8 is the TEC view that graphically displays the Risk Manager events grouped into TEC event groups.

The "RM Events" group contains all the individual Risk Manager sensor events received. The series of Web attacks in this scenario sends 27 individual events to the TEC server. The "RM Situations" group contains all situation events generated by the correlation engine based on suspicious activity. In this scenario, one situation is generated; its severity is critical.

Another event group contains "RM Trusted". This contains events received from sensors that are designated as trusted hosts. Designating trusted hosts minimizes the number of false positives. The "RM Sensor" group contains sensor instances, and the "RM Exceptions" group contains events indicating Risk Manager errors.

Figure 8. TEC view -- bar chart


Event viewer

Click the "RM Events" bar to launch the event viewer and display all the Risk Manager events received. Figure 9 shows an example of the events received.

Multiple Web attacks have occurred. These attacks were made from one source host against one destination host. All of the attacks are directed at the same adapter host, ApacheServer. The type of Web attack is indicated by the event class name WW_InsecureCgi. The sub-origin indicates that the attack was detected by Web IDS. Based on the earlier description of Risk Manager situations, this series of attacks generates a Situation 1 event, because the number of events exceeds the event threshold for this attack category, that is, attacks from the same source host against the same destination host.

The hostname attribute displayed on the TEC console contains the following useful information for understanding the attack:

¶ A short-form description of the attack category. In this example, the category is WEB.

¶ The host name or IP address of the sensor that generated the event. In this example, ApacheServer is the host name of the Web server on which the Web IDS adapter resides.

¶ The host name or IP address of the attack's source. In this scenario, the host name is SourceHost.

¶ The host name or IP address of the attack's destination. In this example, the host name is DestHost1.

The report also includes the following information:

Severity: The severity of the TEC event.

Class: The class name of the event.

Figure 9. TEC event viewer


Hostname: Contains the information about the hostname attribute described above.

Message: A short message describing the event, or the signature.

Origin: The IP address of the adapter.

Adapter Host: The host name of the adapter.

Suborigin: The name of the sensor or adapter. In this scenario, webids is given.

Status: The TEC status of the event. Risk Manager leaves sensor events in the open state.

Time Occurred: The time the event was generated.

Repeat_count: For a summary event generated by the Risk Manager Event Integration Facility, this is set to a nonzero value. The nonzero value indicates the number of individual sensor events represented by the summary event.

A value of zero indicates that the event is not a summary event. Each summary event has a value called rm_Level (this is set either by the adapter itself or, by default, from the adapter's baroc file). When a summary event is received by the Risk Manager server, the server adjusts this value so that the event's rm_Level becomes:

(1 + repeat_count) * (default rm_Level)

For example, a summary event with a repeat_count value of 299 and a default rm_Level of 0.5 has its rm_Level attribute set to 150.0.

The rm_Level attribute (which determines whether and when situation events are generated, and their severity level) determines whether the situation threshold has been reached.

Note: The repeat_count attribute holds the event count offset by -1. If two events are summarized into one summary event, its repeat_count value is 1.
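Added example, not part of this guide or of the Risk Manager product: a Python sketch of the two rules described above, the rm_Level adjustment of a summary event and the grouping of sensor events into Situation 1, 2 and 3 by the three correlation keys. The class and field names, the `min_events` threshold and the sample events are assumptions for illustration; the guide mentions a threshold algorithm but does not publish it.

```python
"""Constructed illustration of two rules from the Risk Manager guide:
1. rm_Level of a summary event = (1 + repeat_count) * default rm_Level,
   where repeat_count is the number of summarized events minus one.
2. Situation levels from the three correlation keys
   (attack category, destination host, source host):
   Situation 1 = all three keys match, Situation 2 = two keys,
   Situation 3 = one key.
The threshold handling and the data shapes are assumptions, not the
product's own algorithm.
"""
from collections import defaultdict
from dataclasses import dataclass
from itertools import combinations

KEYS = ("category", "dest", "source")


@dataclass(frozen=True)
class SensorEvent:
    """One IDS sensor event reduced to the three correlation keys."""
    category: str   # short-form category, e.g. "WEB"
    source: str     # source host name or IP address
    dest: str       # destination host name or IP address


@dataclass
class Situation:
    level: int      # 1, 2 or 3
    keys: dict      # the matching key fields and their values
    count: int      # number of sensor events behind the situation


def summary_repeat_count(n_events: int) -> int:
    """repeat_count carried by a summary event: the event count minus one
    (two events summarized into one give repeat_count == 1)."""
    if n_events < 1:
        raise ValueError("a summary event represents at least one event")
    return n_events - 1


def rm_level(repeat_count: int, default_rm_level: float) -> float:
    """rm_Level set by the Risk Manager server for a summary event."""
    return (1 + repeat_count) * default_rm_level


def correlate(events, min_events=1):
    """Group events by every combination of the three keys.

    A group sharing n keys becomes a Situation (4 - n) only if its events
    do NOT also agree on every remaining key; otherwise they already form
    a tighter situation.  `min_events` stands in for the threshold
    algorithm the guide mentions but does not specify (assumption).
    """
    situations = []
    for nkeys in (3, 2, 1):
        level = 4 - nkeys
        for fields in combinations(KEYS, nkeys):
            groups = defaultdict(list)
            for ev in events:
                groups[tuple(getattr(ev, f) for f in fields)].append(ev)
            others = [f for f in KEYS if f not in fields]
            for key, evs in groups.items():
                if len(evs) < min_events:
                    continue
                # every remaining key must take more than one value;
                # vacuously true for level 1, where no key remains
                spread = all(len({getattr(e, f) for e in evs}) > 1 for f in others)
                if spread:
                    situations.append(Situation(level, dict(zip(fields, key)), len(evs)))
    return situations


def scenario_events():
    """Constructed events mirroring the guide's scenario: 27 WEB attacks from
    SourceHost to DestHost1, then 10 more from the same source to DestHost2."""
    first = [SensorEvent("WEB", "SourceHost", "DestHost1")] * 27
    second = [SensorEvent("WEB", "SourceHost", "DestHost2")] * 10
    return first + second


if __name__ == "__main__":
    for s in correlate(scenario_events()):
        print(f"Situation {s.level}: {s.keys} ({s.count} events)")
    # 300 events summarized: repeat_count 299, default rm_Level 0.5 -> 150.0
    print(rm_level(summary_repeat_count(300), 0.5))
```

With the constructed events the grouping yields two Situation 1 entries (one per destination host) and one Situation 2 entry on category and source, matching the three situation events the scenario describes.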

Risk Manager situation view

In TEC, select the Risk Manager situation event group and display the event viewer, which shows all the Risk Manager situations.


Figure 10 shows that RM_Situation1, a Situation 1 event, has been generated. This event indicates that a large number of events have occurred. The event count exceeds the event threshold for a single attack category (Web attack) occurring from one source host (SourceHost) against one destination host (DestHost1). The severity of the Situation 1 event is critical, because the event indicates a concentrated attack against one destination.

What happens if the attacks increase?

By modifying this same scenario, a different outcome can be shown. Suppose that the Web IDS sensor detects that another set of Web attacks has occurred on a different Apache Web server. These Web attacks belong to the same attack category as the earlier set and originate from the same source host, but they are directed at a different destination host.

In response to this series of attacks, the correlation engine generates two additional situation events.

Because a large number of events occurred that exceed the event threshold for a single attack category (Web attack) originating from one source host (SourceHost) and targeting one destination host (SourceDest2), a second Situation 1 event is generated.

Because these events were directed at a destination host (DestHost2) that differs from the destination host (DestHost1) of the first set of attacks, a Situation 2 event is also generated. These events are in the same category (Web attack) as the first set of attacks and originate from the same source host (SourceHost).

Figure 10. TEC showing Situation 1 and RM Situation 1


Only two of the three correlation keys match these events (category and source). Figure 11 shows that the number of situation and sensor events has increased correspondingly.

TEC event viewer

Select the Risk Manager situation event group. The event viewer launches and displays all three situation events.

Figure 11. TEC showing the increase in RM situations


The "Hostname" of the RM_Situation1 event shows the specific source and destination of the attack.

The "Hostname" of the RM_Situation2 event shows one source host targeting multiple destination hosts; the message field indicates that the two matching correlation keys are category and source, and displays the type of attack.

Select the RM_Situation2 event to display the detail view with detailed information about the situation event, including the situation event's attributes (see the example in Figure 13 on page 30). The attributes show details common to situation events.

Figure 12. Three situation events displayed in the TEC event viewer


Figure 13. Details of event 1 displayed in the TEC event viewer


Risk Manager Web information

You may be interested in information about the specific sensor events associated with a particular situation event. For example, in this scenario you may want detailed information about the sensor events associated with the RM_Situation2 event. To display this information:

1. Return to the Risk Manager situation viewer and select the RM_Situation2 event.

2. Right-click the RM_Situation2 event to display the pop-up window shown in Figure 14. Alternatively, you can select the RM_Situation2 event and click "Information".

3. This loads the default Web browser and a Web page showing additional information about the situation event. The following information is displayed:

A definition of the RM_Situation2 event, that is, of a Situation 2 event.

Where additional information can be found: links to the online documentation.

The individual events associated with this situation: To display the set of events associated with this situation, select, for each sensor event, the specific attributes (see below) that you need to examine.

¶ Class

¶ Date_Event

¶ Severity

¶ SensorHostname

¶ SourceHostname

¶ SourceIPAddr

¶ SourcePort

¶ DestinationHostname

¶ DestinationIPAddr

Figure 14. Information about an attack displayed in the TEC event viewer


¶ DestinationPort

¶ ClassCategories

¶ Subsource

¶ Message

¶ Signature

Click Submit.

As shown in Figure 15, the Web page displays the individual sensor events related to the selected situation event.

Figure 15. Example of the individual sensor events related to the selected situation event

Installing Risk Manager

This chapter describes how to install the Risk Manager components. Before you begin the installation, read the Tivoli Risk Manager Release Notes for additional information about the software and hardware requirements and for any changes to the installation information for Risk Manager.

For installation messages, see "Installation messages" on page 253. For Risk Manager Server messages, see "Risk Manager server messages" on page 263.

This book does not cover the following installation procedures:

¶ Prerequisite Tivoli products

¶ Tivoli Management Enterprise (TME) adapters

¶ Tivoli Enterprise Console (TEC) format files and class definition files

¶ Third-party sensor applications

This chapter describes how to install the Risk Manager adapters for these third-party sensor applications.

Before you install

Before you begin the installation, consider which products you will install and the systems on which you will install them. Installation must follow a particular order. Usually you install the sensor before you install its adapter. Follow the installation order given for each component.

The Risk Manager product does not include the prerequisite Tivoli products. You must install these Tivoli products before you install Risk Manager. If the existing Tivoli products are at the correct level, you can use them.

Multiple event servers

Risk Manager supports multiple event servers. With multiple event servers, the many customers of an enterprise can set up multiple Tivoli Management Regions (TMRs). One event server is required for each TMR in a separate area of the network.

Arranging the event servers in a hierarchy lets you distribute the correlation processing across multiple event servers. It also makes possible a centralized display of the situation alerts generated by Risk Manager.

Each lower-level event server correlates the events it receives and forwards situation data to the upper-level event server. The upper-level event server receives the situation data and displays the situation events on the event console.

When multiple servers are used, scalability improves because the event processing is distributed.

To enable forwarding of information to another server, see "Forwarding situation data" on page 73.

Note: Each Tivoli Enterprise Console (TEC) event server must be a member of its own TMR, and each event server must have its own database instance.

The Risk Manager event correlation server component must be installed on each TEC server in the hierarchy.

Installation order

The installation order is summarized below.

Risk Manager prerequisites

If these products are already installed at the required level, you do not need to reinstall them. If they are not yet installed, install the following products in the order shown.

1. Tivoli Management Framework (formerly TME/10 Management Enterprise Framework), Version 3.7.1

Note: The TEC server must be installed on a system on which Tivoli Management Framework Version 3.7.1 has been installed.

Figure 16. Artwork: example of multiple event servers

2. Tivoli Management Agent endpoint software (formerly the LCF endpoint), Version 3.6.3 or later.

3. A relational database management system (RDBMS) to use as the event database.

The event database is installed separately from TEC. For TEC to function, the RDBMS client software must be installed on the same host as the event server. The database is accessed through the RDBMS Interface Module (RIM) component of Tivoli Management Framework. For details about the event database, see the Tivoli documentation. Risk Manager supports the following databases:

¶ IBM DB2 Version 6.1, 7.1

¶ Oracle database 8.1.x

¶ Sybase Adaptive Server Enterprise (ASE) Version 11.5, 11.9x, and 12.0

4. TEC Version 3.7.1

¶ TEC Version 3.7.1 event server

¶ TEC Version 3.7.1 user interface (UI) server

¶ TEC Version 3.7.1 event console

¶ Tivoli Adapter Configuration Facility (ACF) Version 3.7.1

With ACF you can edit an adapter's configuration file and send copies of it to multiple endpoints. ACF is effective when several sensor application instances with similar configurations exist on your systems. ACF provides gateway services to the endpoints on which TME adapters are installed. Do not install adapters on the TEC event server; instead, distribute the adapters from the TEC event server. To distribute adapters using profiles, the Adapter Configuration Facility (ACF) must be installed.

Note: ACF must be installed on the Tivoli Management Region (TMR) and on the endpoint gateways.

¶ The appropriate TME adapter (if the Risk Manager Event Integration Facility is not used):

- Tivoli Logfile adapter (syslogd) (for UNIX systems)

- Windows Event Log adapter

- SNMP adapter (for UNIX or Windows systems)

5. Sensor applications (one or more, as required).

6. Tivoli Decision Support Version 2.1.1 (if the Tivoli Decision Support for Enterprise Risk Management guide is used)

Risk Manager Event Integration Facility requirements

The Risk Manager Event Integration Facility (Risk Manager EIF) requires Java Runtime Environment (JRE) Version 1.3.

Windows systems:

The Windows installation package contains the components that must be installed to use the appropriate level of the JRE.

AIX systems:

On AIX, the Java130.rte package is a prerequisite of the Risk Manager EIF. This package is in the usr/sys/inst.images directory of the Risk Manager CD. Java 1.3 requires bos.rte Version 4.3.3.10 or later on the AIX operating system. Installing this package may require an upgrade of the AIX operating system. For the required updates, contact IBM Service or see the following Web site:

http://techsupport.services.ibm.com/eserver/fixes

Solaris systems:

On Solaris, the Risk Manager EIF requires the SUNWj3rt Java runtime package. The SUNWj3rt package can be obtained from the Sun Java Web site:

http://java.sun.com

Linux systems:

On Linux, the Risk Manager EIF requires the IBMJava2-JRE package, Version 1.3 or later. This package is in the linux_client directory of the Risk Manager CD.

Risk Manager installation components

The Tivoli Risk Manager 3.8 product contains several file packages in the top-level directory of its CD. "Summary of installation and configuration methods" on page 37 summarizes the Risk Manager components and their installation methods.

Packages installed from the Tivoli desktop

¶ Tivoli Risk Manager Server 3.8

The Risk Manager Server package contains the Risk Manager adapter configuration files. With ACF, you can configure and customize the event adapters and distribute them to managed endpoints. As an alternative to ACF for installing the adapters, these configuration files are also included in the Risk Manager native installation packages.

¶ Tivoli Risk Manager Perl Support 3.8

Install this package on Tivoli managed nodes, Tivoli endpoints, or non-Tivoli endpoints.

The Perl Support package is required to install and use the Web IDS, the TEC tasks shipped with Risk Manager (used by the Cisco Secure PIX Firewall adapter), or the Risk Manager Event Integration Facility Perl interface.

Packages installed with native installation methods

Tivoli Risk Manager Event Integration Facility 3.8: install this package on endpoints in Tivoli or non-Tivoli environments. Use on managed nodes is not supported.

Tivoli Risk Manager Web Intrusion Detection System 3.8: install this package on endpoints in Tivoli or non-Tivoli environments. Use on managed nodes is not supported.

Tivoli Risk Manager adapter for Cisco Secure IDS 3.8: install this package on endpoints in Tivoli or non-Tivoli environments. Use on managed nodes is not supported.

Tivoli Risk Manager adapter for Check Point FireWall-1 3.8: install this package on endpoints in Tivoli or non-Tivoli environments. Use on managed nodes is not supported.

Tivoli Risk Manager Network Intrusion Detection System 3.8: install this package on endpoints in a Tivoli environment. Use on managed nodes is not supported.

Summary of installation and configuration methods

Table 4 summarizes the available installation methods.

Table 4. Summary of installation and configuration methods

Risk Manager component | Tivoli desktop | Native install on endpoint | ACF on endpoint | TEC adapter or RM EIF type | Format or .cds file
Server | Yes | - | | |
Perl Support | Yes | Yes | - | |
Risk Manager EIF | | Yes | - | | rmad.fmt
Check Point FireWall-1 adapter | | Yes | | Risk Manager EIF / Logfile adapter or Windows Event Log adapter | cpfw.nt.fmt, cpfw.fmt
Cisco Secure IDS adapter | | Yes | | Risk Manager EIF / Logfile adapter or Windows Event Log adapter | csids.fmt, csids.nt.fmt
Host IDS | | Yes | Yes | Logfile adapter or Windows Event Log adapter | os_nt.fmt, os_aix.fmt, os_solaris.fmt, os_linux.fmt
McAfee Alert Manager adapter | | Yes | Yes | Windows Event Log adapter | rmmac.fmt
Norton AntiVirus adapter | | Yes | Yes | Windows Event Log adapter | rmnav.fmt
Web IDS | | Yes | | Risk Manager EIF / Logfile adapter or Windows Event Log adapter | webids.fmt or webids.nt.fmt
Cisco Secure PIX Firewall adapter | | Yes | Yes | Logfile adapter or Windows Event Log adapter | pix.fmt or pix_nt.fmt format file
ISS RealSecure and Cisco router adapters | | Yes | Yes | SNMP adapter | tecad_snmp.cds and tecad_snmp.oid files
Tivoli Decision Support | InstallShield | | | |
Network IDS | | Yes | Yes | Logfile adapter | nids.fmt

Native installation methods:

¶ installp (on AIX)

¶ pkgadd (on Solaris)

¶ RPM (on Linux)

¶ InstallShield program (on Windows systems)

Installing Risk Manager components from the Tivoli desktop

The following Risk Manager components can be installed from the Tivoli desktop:

¶ Risk Manager Server

¶ Risk Manager Perl Support

Follow the standard Tivoli desktop procedure described in the Tivoli Enterprise Console User's Guide.

Risk Manager environment variables

On UNIX systems, the following environment script installed with the Risk Manager EIF can be sourced:

/etc/Tivoli/rma_eif_env.sh

This script sets the Risk Manager environment variables and adds the Risk Manager bin directory to the path. When the Risk Manager EIF environment script is sourced:

¶ The RMADHOME variable points to the Risk Manager directory in which the files are installed.

¶ The RMJREHOME variable points to the directory used by Risk Manager as the location of the Java 1.3 runtime.

¶ The $RMADHOME/bin and $RMJREHOME/bin directories are added to PATH.

¶ Risk Manager executable files are located in the $RMADHOME/bin directory.

¶ Risk Manager configuration files are located in the $RMADHOME/etc directory.

On Windows systems, the RMADHOME and RMJREHOME environment variables are set at installation time and are added to the system PATH.

Installing Risk Manager components with native installation methods

The Risk Manager adapters can be installed with the native installation methods.

Installing on AIX

Table 5 lists the packages that can be installed on AIX.

Table 5. Risk Manager packages that can be installed on AIX

Risk Manager component | Package name | File set name | Required packages | Format (.fmt) or (.cds) file | Other configuration files
Event Integration Facility | rmgr.eif | rmgr.eif.rte | Java130.rte | | rmad.conf, rmad_summary.rules
Perl Support | rmgr.perl | rmgr.perl.rte | | |
Host IDS support | rmgr.support | rmgr.support.hostids | | os_aix.fmt (1) |
PIX Firewall support | rmgr.support | rmgr.support.pix | rmgr.eif.rte | pix.fmt (1) |
SNMP support | rmgr.support | rmgr.support.snmp | | tecad_snmp.cds (2), tecad_snmp.oid |
Web Intrusion Detection System | rmgr.web | rmgr.web.rte | rmgr.eif.rte, rmgr.web.sig | webids.fmt (1) | webids.cfg
Web IDS signatures | rmgr.web | rmgr.web.sig | rmgr.web.rte | | sig.nefarious
Network IDS | rmgr.nids | rmgr.nids.bff | bos.mp, bos.net, bos.up | nids.fmt |

1. Used by the Risk Manager EIF and the TEC Logfile adapter
2. Used by the TEC SNMP adapter

Installing Risk Manager from the command line

The Risk Manager components can be installed from the command line.

To install Risk Manager adapters on an AIX system, use installp.

Insert the Tivoli Risk Manager CD in the CD-ROM drive and mount it. For example, enter:

mount -v cdrfs -r /dev/cd0 /mnt

The installation images for AIX are in /mnt/usr/sys/inst.images.

The following commands show how to install the Risk Manager components from the command line. In these examples, the installp -g flag installs the prerequisite files automatically and the -X flag expands the file systems automatically. Replace dir in these examples with the directory that contains your AIX images.

Installing the Risk Manager Web IDS on AIX

Enter the following command:

installp -agXd dir rmgr.web

Installing Risk Manager SNMP support on AIX

Risk Manager SNMP support includes support for Cisco routers and ISS RealSecure.

Enter the following command:

installp -agXd dir rmgr.support.snmp

Installing Risk Manager Cisco Secure PIX Firewall support on AIX

Enter the following command:

installp -agXd dir rmgr.support.pix

Installing Risk Manager Host IDS support on AIX

Enter the following command:

installp -agXd dir rmgr.support.hostids

Installing the Risk Manager Network IDS on AIX

Enter the following command:

installp -agXd dir rmgr.nids

Installing with smit on AIX

To install Risk Manager components with smit or smitty:

1. Enter:

smitty install_latest

2. In the INPUT device / directory for software field, enter the CD device (for example, /dev/cd0) or the directory name.

3. Highlight the SOFTWARE to install input field.

4. Press the list key (F4) to install the Risk Manager components on the CD. The menu shows a list like the following:

rmgr.eif
+ 3.8.0.0 Risk Manager Event Integration Facility
rmgr.perl
+ 3.8.0.0 Risk Manager Perl Support
rmgr.support
+ 3.8.0.0 Risk Manager SNMP Support
+ 3.8.0.0 Risk Manager Support for Cisco Secure PIX Firewall
+ 3.8.0.0 Risk Manager Support for Host IDS
rmgr.web
+ 3.8.0.0 Risk Manager Web IDS Signatures
+ 3.8.0.0 Risk Manager Web Intrusion Detection System
rmgr.nids
+ 3.8.0.0 Network Intrusion Detection System

Use the select key (F7) to select the components to install.

5. Press Enter to return from the LATEST Available Software menu to Install and Update.

6. Press Enter to install the selected components.

7. At the ARE YOU SURE? prompt, press Enter again to continue the installation.

Installing on Linux

Table 6 lists the packages that can be installed on Linux.

Table 6. Risk Manager packages that can be installed on Linux

Risk Manager component | Package name | Required packages | Format (.fmt) or (.cds) file | Other configuration files
Event Integration Facility | rmgr-eif-3.8.0-0.i386.rpm | IBMJava2-JRE-1.3 | | rmad.conf, rmad.err, rmad_summary.rules
Perl support | rmgr-perl-3.8.0-0.i386.rpm | | |
Host IDS support | rmgr-shost-3.8.0-0.i386.rpm | | os_linux.fmt (1) |
PIX Firewall adapter | rmgr-spix-3.8.0-0.i386.rpm | | pix.fmt (1) |
CheckPoint FireWall-1 adapter | rmgr-cpfw-3.8.0-0.i386.rpm | rmgr-eif | cpfw.fmt (1) | rma_cpfw.conf
Cisco Secure IDS adapter | rmgr-csids-3.8.0-0.i386.rpm | rmgr-eif | csids.fmt (1) |
SNMP support | rmgr-ssnmp-3.8.0-0.i386.rpm | | tecad_snmp.cds (2), tecad_snmp.oid |
Web Intrusion Detection System | rmgr-web-3.8.0-0.i386.rpm | rmgr-eif, rmgr-perl | webids.fmt (1) | webids.cfg, sig.nefarious
Network IDS | rmgr-nids-3.8-0.i386.rpm | | nids.fmt |

1. Used by the Risk Manager EIF and the TEC Logfile adapter
2. Used by the TEC SNMP adapter

To install Risk Manager adapters on a Linux system, use rpm.

1. Insert the Tivoli Risk Manager CD in the CD-ROM drive.

2. Mount the CD-ROM drive:

mount -r /dev/cdrom /mnt

3. Enter the following command:

rpm -i /mnt/cd_drive_name/file_name

file_name is the name of the package to install.

4. Follow the program's instructions to complete the installation.

Installing on Solaris

Table 7 on page 43 lists the installation packages for Solaris.

Table 7. Risk Manager packages that can be installed on Solaris

Risk Manager component | Package name | Required packages | Format (.fmt) or (.cds) file | Other configuration files
Event Integration Facility | RMGReif | SUNWj3rt | | rmad.conf, rmad.err, rmad_summary.rules
Perl Support | RMGRperl | | |
Host IDS support | RMGRshost | | os_solaris.fmt (1) |
PIX Firewall support | RMGRspix | RMGReif | pix.fmt (1) |
SNMP support | RMGRssnmp | | tecad_snmp.cds (2), tecad_snmp.oid |
Web Intrusion Detection System | RMGRweb | RMGReif, RMGRperl | webids.fmt (1) | webids.cfg, sig.nefarious
CheckPoint FireWall-1 adapter | RMGRcpfw | RMGReif | cpfw.fmt (1) | rma_cpfw.conf
Cisco Secure IDS adapter | RMGRcsids | RMGReif | csids.fmt (1) |
Network IDS | RMGRnids | | nids.fmt |

1. Used by the Risk Manager EIF and the TEC Logfile adapter
2. Used by the TEC SNMP adapter

To install Risk Manager components from the command line, insert the CD in the CD drive. Most Solaris systems mount the CD automatically. For example, when the CD is inserted in CD drive 0, the CD image is mounted at /cdrom/cdrom0. In this example, the Risk Manager installation images are in the /cdrom/cdrom0/solaris directory.

Replace dir in the following examples with the directory that contains your Solaris images.

Installing the Risk Manager Web IDS on Solaris

Enter the following command:

pkgadd -d dir RMGReif RMGRperl RMGRweb

Installing the Risk Manager Network IDS on Solaris

Enter the following command:

pkgadd -d dir RMGRnids

Installing the Risk Manager adapter for Check Point FireWall-1 on Solaris

Enter the following command:

pkgadd -d dir RMGReif RMGRcpfw

Installing the Risk Manager adapter for Cisco Secure IDS on Solaris

Enter the following command:

pkgadd -d dir RMGReif RMGRcsids

Installing Risk Manager SNMP support on Solaris

Risk Manager SNMP support includes support for Cisco routers and ISS RealSecure.

Enter the following command:

pkgadd -d dir RMGRssnmp

Installing Risk Manager Cisco Secure PIX Firewall support on Solaris

Enter the following command:

pkgadd -d dir RMGReif RMGRspix

Installing Risk Manager Host IDS support on Solaris

Enter the following command:

pkgadd -d dir RMGRshost

Installing on Windows

Table 8 lists the installation packages for Windows systems.

Table 8. Risk Manager packages for Windows systems

Risk Manager installable option | Required options | Format (.fmt) or (.cds) file | Other configuration files
Web Intrusion Detection System | Risk Manager EIF; Java 1.3 runtime; Perl support; Web IDS signatures | webids.fmt (1), webids.nt.fmt (2) | webids.cfg
Web Intrusion Detection System attack signatures | | | sig.nefarious
Cisco Secure IDS adapter | Risk Manager EIF; Java 1.3 runtime | csids.fmt (1), csids.nt.fmt (2) |
CheckPoint FireWall-1 adapter | Risk Manager EIF; Java 1.3 runtime | cpfw.fmt (1), cpfw.nt.fmt (2) | rma_cpfw.conf
Risk Manager EIF; non-TME interface | Java 1.3 runtime | | rmad.conf, rmad.err, rmad.summary.rules
Risk Manager EIF; TME interface | Java 1.3 runtime | | rmad.conf, rmad.err, rmad.summary.rules
Event Log and SNMP support; Host IDS support | | os_nt.fmt (2) |
Event Log and SNMP support; PIX Firewall support | | pix_nt.fmt (2) |
Event Log and SNMP support; Norton Anti-Virus support | | rmnav.fmt (2) |

Table 8. Risk Manager packages for Windows systems (continued)

Risk Manager installable option | Required options | Format (.fmt) or (.cds) file | Other configuration files
Event Log and SNMP support; McAfee Alert Manager | | rmmac.fmt (2) |
Event Log and SNMP support; SNMP support | | tecad_snmp.cds (3), tecad_snmp.oid |
Java 1.3 runtime | | |

1. Used by the Risk Manager EIF
2. Used by the Windows Event Log adapter
3. Used by the TEC SNMP adapter

To install Risk Manager adapters on Windows systems, use InstallShield.

1. Insert the Tivoli Risk Manager CD in the CD-ROM drive.

2. Change to the directory that contains the installation packages:

cd x:\windows

x: is your CD-ROM drive.

3. To start the Windows InstallShield program, enter:

setup

4. Follow the instructions of the InstallShield program to complete the installation.

Server-related installation

This section describes the following server-related installation procedures:

¶ Installing the standard Tivoli adapters (called TME adapters)

¶ Installing the Tivoli Enterprise Console (TEC) format files and class definition statement (.cds) files

¶ Installing the event server files

TME adapters

Tivoli Management Enterprise (TME) adapters are software programs that collect information, perform local filtering, and convert the remaining events into a format that TEC can use. A TME adapter can be the Tivoli Logfile adapter (for UNIX operating systems), the Windows Event Log adapter, or the SNMP adapter. TME adapters generate TEC events by using the appropriate format files.

TME adapters are installed on endpoints or on non-Tivoli systems. The TME endpoint adapters are packaged together with the Adapter Configuration Facility.

TME adapters send their events to a TEC gateway. The TEC gateway bundles the events and forwards them to the event server. The TME interface is used for communication. By default, the TEC gateway uses a connection-oriented service to the server: a connection is established when the adapter is initialized, and the connection is kept open for sending events. The TEC gateway allows easier deployment of adapters and lets them be updated through adapter configuration profiles (ACPs) of the Tivoli ACF.

TME adapters are configured to send their events to a particular primary or secondary event server. TEC forwards the events. The TEC gateway runs on the same managed node that provides the endpoint gateway service. The TEC gateway and the adapter files required for each endpoint platform are installed on the managed node. So that adapters and adapter-related files can be distributed to endpoints, ACF must be installed on the same managed node as the endpoint gateway. It is therefore important to install ACF on every managed node configured as an endpoint gateway in the Tivoli Management Region (TMR).

This book does not describe how to install and configure the TME adapters. For instructions on installing the following adapters used with Risk Manager, see the Tivoli Enterprise Console Adapters Guide:

¶ Tivoli Logfile adapter (UNIX syslogd)

¶ Tivoli Windows Event Log adapter

¶ SNMP adapter

After you install a TME adapter, you must install the format and class definition statement files. For the procedure, see the Tivoli Enterprise Console User's Guide.

Format files and configuration files

The Risk Manager format and configuration files are shipped with the Risk Manager product in the installation package labeled Tivoli Risk Manager Server 3.8. The Risk Manager Server can be installed on the TEC event server with the Tivoli desktop installation method.

Configuring the event server

After the installation of the event server and correlation components is complete, perform the following tasks to configure the event server to receive, correlate, and display events:

¶ Configure the Tivoli event server to receive, correlate, and display Risk Manager events by doing the following:

- Create a new rule base, or update an existing rule base.

- Import the Risk Manager BAROC files into the rule base.

- Import the Risk Manager rule files into the rule base.

- Compile the rule base.

- Compile the Prolog configuration files.

- Load the compiled rule base.

- Stop and restart the Tivoli event server.

Risk Manager provides the TEC Correlation rmcorr_cfg configuration program to perform these tasks. For details, see "Running the Risk Manager Server Correlation script" on page 64.

¶ Update the format files for the TME adapters by appending the Risk Manager format files. For details, see "Merging the Risk Manager and TME adapter format files".

Merging the Risk Manager and TME adapter format files

For instructions on installing, uninstalling, and debugging TME adapters, see the Tivoli Enterprise Console Adapters Guide.

If you plan to use the Adapter Configuration Facility (ACF) to deploy the updated format files to the TME adapters, copy the client's format file and the Risk Manager format files to a location common to both sets of format files. Merge the two format files before you distribute them with ACF.

With the following procedure you can manually merge the required Risk Manager format files with the TME adapter format file on the client.

To merge the TEC and Risk Manager format files manually:

1. Transfer the format files from the event server to the endpoint on which the TME adapter is installed. Create a temporary directory for the Risk Manager format files (for example, \tmp\fmt) and transfer the format files from the event server to this directory.

2. Copy the Risk Manager format files from the temporary directory to the TME adapter's etc directory by entering:

Windows systems:

copy \tmp\fmt\*.fmt TecAdHome\etc

TecAdHome is the default installation location of the TME adapter:

C:\Program Files\Tivoli\lcf\bin\w32-ix86\TME\TEC\adapters\etc

UNIX systems:

cp /tmp/fmt/*.fmt TecAdHome/

TecAdHome is the default installation location of the TME adapter.

If the endpoint is a Solaris system, the default installation location is:

/opt/Tivoli/lcf/bin/solaris2/TME/TEC/adapters/

If the endpoint is an AIX system, the default installation location is:

/opt/Tivoli/lcf/bin/aixr4-r1/TME/TEC/adapters/

3. Change to the adapter's etc directory by entering:

Windows systems:

cd TecAdHome\etc

UNIX systems:

cd TecAdHome/etc

4. Create a backup copy of the original format file by entering:

Windows systems:

copy tecad_nt.fmt tecad_nt.fmt.bak

UNIX systems:

cp tecad_logfile.fmt tecad_logfile.fmt.bak

5. Append the required Risk Manager format files to the original format file (tecad_nt.fmt or tcad.win.fmt on Windows, or tecad_logfile.fmt on UNIX).

If you use the Risk Manager adapters for Host Intrusion Detection (os_nt.fmt, os_aix.fmt, or os_solaris.fmt), replace the original contents of the tecad_nt.fmt, tcad.win.fmt, or tecad_logfile.fmt file.

Concatenating the format files

Windows NT format file:

cat tecad_nt.fmt.bak > tecad_nt.fmt
cat webids.nt.fmt >> tecad_nt.fmt
cat pix_nt.fmt >> tecad_nt.fmt

AIX format file:

cat tecad_logfile.fmt.bak > tecad_logfile.fmt
cat webids.fmt >> tecad_logfile.fmt
cat csids.fmt >> tecad_logfile.fmt
cat rmnav.fmt >> tecad_logfile.fmt
cat pix.fmt >> tecad_logfile.fmt

Solaris format file:

cat tecad_logfile.fmt.bak > tecad_logfile.fmt
cat webids.fmt >> tecad_logfile.fmt
cat csids.fmt >> tecad_logfile.fmt
cat rmnav.fmt >> tecad_logfile.fmt
cat pix.fmt >> tecad_logfile.fmt

6. Regenerate the .cds file. The default location of the gencds program is:

Windows systems:

..\TME\TEC\adapters\bin\nt_gencds tecad_nt.fmt tecad_nt.cds

UNIX systems:

../opt/Tivoli/lcf/dat/1/cache/Solaris2/TME/TEC/adapters/bin/

7. Stop and restart the TME adapter, either with the Windows Control Panel or by entering:

Windows systems:

%LCFROOT%\..\tec\adapters\bin\net stop TECNTadapter
%LCFROOT%\..\tec\adapters\bin\net start TECNTadapter

UNIX systems:

../bin/init.tecad_logfile stop
../bin/init.tecad_logfile start
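The merge in steps 4 and 5 is a plain concatenation, so running it a second time appends the Risk Manager FORMAT definitions twice. The following POSIX shell function is an added example (not from the Tivoli manual) that performs the same backup-and-append but skips any Risk Manager format file whose first definition line is already present in the adapter file; the directory and file contents used in the demo are constructed.

```shell
#!/bin/sh
# Added example, not part of the Tivoli Risk Manager manual: idempotent version of
# steps 4-5 above (back up the TME adapter format file, append Risk Manager
# format files). Assumes POSIX sh and that every file is passed by name.

# rm_merge_fmt ETC_DIR BASE_FMT RM_FMT...
# Creates BASE_FMT.bak once (never overwrites an existing backup), then appends each
# RM_FMT whose first non-blank line is not already present in BASE_FMT.
# Prints the number of files appended; returns 1 if a file is missing.
rm_merge_fmt() {
    etc_dir=$1; base=$2; shift 2
    target="$etc_dir/$base"
    [ -f "$target" ] || { echo "rm_merge_fmt: missing $target" >&2; return 1; }
    # step 4: keep the original exactly once, so a re-run cannot back up a merged file
    [ -f "$target.bak" ] || cp "$target" "$target.bak"
    appended=0
    for f in "$@"; do
        src="$etc_dir/$f"
        [ -f "$src" ] || { echo "rm_merge_fmt: missing $src" >&2; return 1; }
        # fingerprint: first non-blank line (normally the FORMAT header of the file)
        fp=$(sed -n '/[^[:space:]]/{p;q;}' "$src")
        if [ -n "$fp" ] && grep -qxF -- "$fp" "$target"; then
            continue    # already merged: duplicating FORMAT entries would be wrong
        fi
        cat "$src" >> "$target"   # step 5: append this Risk Manager format file
        appended=$((appended + 1))
    done
    echo "$appended"
}

# rm_merge_demo: constructed three-line files standing in for tecad_logfile.fmt,
# webids.fmt and pix.fmt; runs the merge twice and prints
# "<appended on 1st run> <appended on 2nd run> <lines in merged file> <lines in backup>".
rm_merge_demo() {
    d=$(mktemp -d)
    printf 'FORMAT Logfile_Base\n%%s*\nEND\n' > "$d/tecad_logfile.fmt"
    printf 'FORMAT RM_Web_Constructed FOLLOWS Logfile_Base\n%%s*\nEND\n' > "$d/webids.fmt"
    printf 'FORMAT RM_Pix_Constructed FOLLOWS Logfile_Base\n%%s*\nEND\n' > "$d/pix.fmt"
    first=$(rm_merge_fmt "$d" tecad_logfile.fmt webids.fmt pix.fmt)
    second=$(rm_merge_fmt "$d" tecad_logfile.fmt webids.fmt pix.fmt)  # re-run: nothing added
    lines=$(wc -l < "$d/tecad_logfile.fmt" | tr -d ' ')
    baklines=$(wc -l < "$d/tecad_logfile.fmt.bak" | tr -d ' ')
    rm -rf "$d"
    echo "$first $second $lines $baklines"
}

rm_merge_demo   # prints "2 0 9 3"
```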

Installing Risk Manager adapters with ACF

With ACF, you can configure the format files, configuration files, .cds files, and signature files on endpoints in a Tivoli environment.

Install ACF on the same managed node as the endpoint gateway so that the Risk Manager adapters and adapter-related files can be distributed to the endpoints. It is important to install ACF on every managed node configured as an endpoint gateway in the TMR. Also install ACF on the TMR server itself. Installation with ACF is also described in the Tivoli Enterprise Console User's Guide; the configuration steps for Risk Manager components with ACF are outlined below.

1. To install from a central point, make sure the installation images have been imported from the Risk Manager CD.

2. First, log on to the Tivoli desktop as an administrator with the appropriate authorization roles.

3. On the administrator's TME desktop, double-click the TEC-Region icon.

4. Double-click the Profiles for Enterprise Risk Management profile icon to display the Profile Manager window.

5. Double-click a profile icon to edit the profile. After making the required changes, click Save & Close to return to the Adapter Configuration Profile window.

6. Select the profiles to distribute.

7. The Distribute Profiles window is displayed.

8. Click Profile Manager, then click Distribute.

9. Enter the information about the distribution method and subscribers, then click Distribute Now.

Risk Manager adapters and sensors configured with ACF

The following Risk Manager adapters and sensors are configured with ACF:

¶ Risk Manager adapter for Host IDS

¶ Risk Manager adapter for Norton AntiVirus

¶ Risk Manager adapter for Cisco Secure PIX Firewall

¶ Risk Manager adapter for Check Point FireWall-1

¶ Risk Manager adapter for Internet Security Systems RealSecure (ISS RealSecure)

¶ Risk Manager adapter for Cisco routers

¶ Risk Manager adapter for Cisco Secure IDS

¶ Risk Manager adapter for McAfee Alert Manager

¶ Risk Manager Web IDS sensor

¶ Risk Manager Network IDS sensor

Configuring Risk Manager adapters with ACF profiles

After a Risk Manager adapter is installed on an endpoint, additional configuration can usually be done with the Risk Manager ACF profiles. For these ACF profiles to work, a TME adapter must already be installed on the endpoint.

With the following Risk Manager profiles you can adjust the post-installation configuration and start the Risk Manager adapters automatically:

¶ Adapter for Web IDS

Use this Risk Manager profile to update the Web IDS configuration files (sig.nefarious and webids.cfg).

¶ Event Integration Facility adapter for Web IDS

Use this Risk Manager profile to update the Risk Manager Event Integration Facility. It uses the Web IDS format file (webids.fmt).

¶ Adapter for Check Point FireWall-1

Use this Risk Manager profile to update the adapter's configuration file (rma_cpfw.conf).

¶ Configuration file for the Risk Manager Event Integration Facility

Use this Risk Manager profile to update the Risk Manager Event Integration Facility configuration file (rmad.conf).

¶ Format file for the Risk Manager Event Integration Facility

Use this Risk Manager profile to update the Risk Manager Event Integration Facility format file (rmad.fmt).

¶ Task support for Host IDS

Use this Risk Manager profile to distribute the rmt_ntaudit.exe executable file to Windows NT endpoints.

Note: Do not install the Windows NT endpoint in a directory whose name contains blanks, for example Program Files.

¶ Adapter for Network IDS

Use this Risk Manager profile to update the Network Intrusion Detection System configuration files (ids.cfg and ids.rules).

The following profiles are provided to change the configuration of the TME adapters:

¶ Logfile for Web IDS

¶ Logfile for Host IDS

¶ Logfile adapter for Cisco Secure PIX Firewall

¶ Logfile adapter for Cisco Secure IDS

¶ Event log adapter for Symantec Norton AntiVirus

¶ SNMP adapter for Cisco routers

¶ SNMP adapter for ISS RealSecure

¶ Logfile for Network IDS

Event groups

You must create the Risk Manager event groups. In addition to creating the event groups, you must define filters for them. Risk Manager provides an exported event group definition file that contains the recommended event groups and filters. For how to create the groups and define the filters, see "Creating the event groups" on page 52.

Next, assign the Risk Manager event groups to the administrators. For details about administration roles, see the Tivoli Enterprise Console User's Guide.

The following table summarizes the recommended Risk Manager event groups.

Event container name | Predefined filter | Event group
RM_Reception | RM_SensorEvent | All Risk Manager events. Includes all events subclassed from RM_SensorEvent.
RM_Situations | RM_Situation | Suspicious activity detected by the correlation process. Includes all events of the classes RM_Situation1, RM_Situation2, and RM_Situation3.
RM_TrustedHosts | RM_TrustedHost | Includes all events of the class RM_TrustedHost.
RM_Exceptions | RM_Error | Includes all internal errors, such as RM_InputErr, RM_SituationErr, and RM_PrologErr.
RM_Sensors | RM_Sensor | Sensor instances.

After the initial installation and configuration, you can change the event groups or create other event groups and define filters. For details, see "Creating the event groups".

Creating the event groups

After installation and initial configuration, create the Risk Manager event groups for TEC and the associated filters as follows:

1. Start the Tivoli Enterprise Console.

2. Click the left mouse button, select the File menu, then select Import.

3. Click the Browse button and select the riskmgr_eventgroups.dat file in the following location on the TEC server:

Windows systems:

%BINDIR%\RISKMGR\corr

UNIX systems:

$BINDIR/RISKMGR/corr

BINDIR is the directory that contains the event server binaries.

4. Select the event groups displayed in the Event Groups window:

RM Events

RM Situations

RM Sensors

RM Trusted

RM Exceptions

5. Select the required conflict strategy option and click OK. Selecting the Change Names option is the safest, because it renames a group if it already exists.

6. Click OK in the Notice panel and restart the console.

7. Assign the event groups and operators to the appropriate consoles.

Web-based Risk Manager information

Risk Manager 3.8 includes Web-based information for Risk Manager situation events. You can display additional information about the individual Risk Manager events associated with a Risk Manager situation. This information is accessible from the TEC.

Setting up the database view for Web-based information

This section describes how to set up the database view before displaying the Web-based information about events. If the environment has already been set up for data mining as described in the Tivoli Decision Support for Enterprise Risk Management Release Notes, this view has already been created and the following steps are not required.

Note: The database name, user ID, and password are specific to the platform and environment. For details, contact your system administrator.

1. Locate the SQL procedure files in the $BINDIR/RISKMGR/corr/sql directory of the Risk Manager server.

2. Use the command for the installed database from the list below. Run the command on the system where the TEC database is installed.

Oracle systems:

sqlplus userid/password@service_name @tds_rm_tec_v_evt.ora.sql

where:

userid specifies the database user ID. The default value is tec.

password specifies the database user's password. The default value is tectec.

service_name specifies the net service name of the Oracle database defined with the Oracle client configuration program (Net8 Assistant, Net8 Configuration Assistant, or Net8 Easy Configuration), or the name that identifies the entry in the client's %ORACLE_HOME%\NETWORK\ADMIN\TNSNAMES.ORA file.

DB2 systems:

db2 connect to tec user userid using password
db2 -t -f tds_rm_tec_v_evt.DB2.sql

where:

userid specifies the database user ID. The default value on UNIX is db2inst1; the default value on Windows NT is db2admin.

password specifies the database user's password.

Sybase systems:

isql -U userid -P password -Dtec -Sservername -c/ -i tds_rm_v_evt.syb.sql

where:

userid specifies the database user ID. The default value is tec.

password specifies the database user's password. The default value is tectec.

servername specifies the server name of the Sybase database defined with the DSEDIT client configuration program, or the name that identifies the entry in the client's Sybase interface file %SYBASE%\INI\SQL.INI.

Configuring TEC for Web-based information

To display the Risk Manager Web-based information, TEC must be configured as follows:

1. In the TEC Configuration window, select Consoles.

2. Right-click and select Console Preferences.

3. Select Web Server, expand the category, and display Event Information.

4. Select Event Information.

5. Edit the program path field so that it reads /cgi-bin/rmtec_help.pl.

6. Click OK.

Note: The default statement heap size for DB2 is too small to support the complex SQL statements that are executed when events are retrieved from the database views. When you use the Web-based information function to access the details of an individual event, the error message SQL0101N "The statement is too long or too complex" may be displayed. To resolve this error, increase the statement heap size to 8000 or more. To update the heap size, open an IBM DB2 command prompt and enter:

db2 update db cfg for tec using stmtheap 8000

After updating the statement heap size, disconnect all applications from IBM DB2 so that the change takes effect. Once the change is in effect, the warning message SQL0437W "Performance of this complex query may be sub-optimal" may be displayed. This is only a warning and can be ignored.

For information about configuring and tuning IBM DB2, see the IBM DB2 UDB Administration Guide (volumes 1 to 3) and the IBM DB2 UDB Command Reference.

Uninstalling Risk Manager

Use the Tivoli wuninst command to remove the Risk Manager event server and Perl Support components from managed nodes. Use the native commands listed below to remove adapters.

Uninstalling the event server components

The Risk Manager event server and Perl Support components are installed on managed nodes. Use the Tivoli wuninst command to remove their files. Enter:

wuninst tag node_name -rmfiles

where tag is either RISKMGR_CORR or RISKMGR_PERL, and node_name is the managed node from which the product is removed.

Uninstalling adapters

Uninstall the Risk Manager adapters with the native commands shown in Table 9.

Table 9. Native commands for uninstalling Risk Manager adapters

Platform           Uninstall command
AIX                installp -u package_name
Linux              rpm -e package_name
Solaris            pkgrm package_name
Windows systems    install -u package_name

Risk Manager Server Correlation

Each installed sensor monitors a single resource (a host, a router, and so on) or the network traffic to a resource. Each sensor records information in events (also called alerts). These events represent an attack or security violation that the sensor has detected.

Correlation examines the events and classifies them according to a set of rules. You can use the default rules supplied with Risk Manager or change them. This chapter describes the tasks for defining how Risk Manager classifies events based on these rules. Most tasks require an administrator to edit a configuration file and then run a script that processes the configuration file.

The Risk Manager correlation process aggregates all received Risk Manager events and detects patterns. An attack or violation that is detected as a result of pattern detection is called a situation. Situations are displayed in the Tivoli Enterprise Console (TEC) as TEC events.

The correlation process combines the high volume of information coming from multiple sensors and presents the related information in a usable format, which helps analysts and operators focus their attention. Errors that occur during correlation, or while editing the configuration files, are described in "Risk Manager correlation messages" on page 227.

Situations

An attack or violation that is detected as a result of pattern detection is called a situation. Situations are classified by the following keys:

• The category of the event
• The destination host of the attack: the resource being accessed
• The source host of the attack: the origin of the attack

Risk Manager Server Correlation uses additional information (the number of attacks, the severity, and so on) to characterize a situation, but this information is not used to define the situation. When the severity of the aggregated events exceeds the threshold defined in the riskmgr_thresholds.pro configuration file, Risk Manager Server Correlation generates a situation event.

The RM_Situation class is the base class for situation events. Situation events are the result of the aggregation and correlation process, which can also update existing situation events. There are three generic types of situation, listed here from the least generic to the most generic:

RM_Situation1 event: all three keys are specified.
RM_Situation2 event: two keys are specified.
RM_Situation3 event: one key is specified.

Risk Manager Server Correlation defines the following situation types.

Table 10. Situations defined by Risk Manager Server Correlation

Situation type            Key 1        Key 2                 Key 3                 Description

1                         Category     Destination           Source                A specific attack of the specified category from one source host against one destination host.

2-1 Destination/Source    Destination  Source                List of categories    An attack of some kind from one host against another host.

2-2 Category/Destination  Category     Destination           List of sources       A pattern of attacks of the specified category from multiple sources against one host.

2-3 Category/Source       Category     Source                List of destinations  A pattern of attacks of the specified category from one source against multiple destinations.

3-1 Source                Source       List of categories    List of destinations  A pattern of attacks of some kind from one source.

3-2 Destination           Destination  List of categories    List of sources       A pattern of attacks of some kind from multiple sources against one destination host. This scenario typically applies to servers that are used publicly, such as Web servers.

3-3 Category              Category     List of destinations  List of sources       A pattern of attacks of a particular type (one category) involving multiple sources and multiple destinations. This scenario is rare, but it can occur when a new attack technique becomes widely known.

In general, the more generic a situation is, the more information it incorporates from more specific situations: a situation 2 summarizes the data of all the situation 1 facts it contains, and a situation 3 summarizes the data of all the situation 2 facts it contains. A more generic situation fact does not necessarily contain all of the information shown by the more specific situation facts. The severity level of a more generic situation reflects the summarized severity levels of the more specific situations.

Additional event information is displayed in specific attributes. An attribute can store and display at most 256 bytes; attribute information that exceeds this limit is truncated.

The triggering mechanism is the same for all situations. A situation has a severity and a threshold. The severity is computed with an exponential decay function from the time elapsed since the last update and from the severity of the new events. When the severity exceeds the threshold, Risk Manager generates a situation event.

Installing Risk Manager Correlation

The Tivoli Risk Manager Server 3.8 package is used to distribute the following Risk Manager Correlation and Tivoli event server components:

• Risk Manager .baroc files
• Risk Manager .pro files
• Risk Manager .rls files
• Risk Manager .fmt files
• Risk Manager .cds and .oid files
• Risk Manager configuration files

Use the Tivoli desktop to install the Risk Manager TEC Correlation and the Risk Manager server components from the Tivoli Risk Manager 3.8 installation package onto a Tivoli managed node.

After the installation of Risk Manager Correlation completes, configure Risk Manager Correlation.

Configuring Risk Manager Correlation

After installing the event server and correlation components, perform the following tasks so that the event server receives, correlates, and displays events:

1. Edit the Correlation configuration file settings as needed. See "Changing configuration settings" for details.

2. Run the TEC Correlation rmcorr_cfg configuration script. It compiles the Risk Manager rules, compiles and installs the Tasks for Enterprise Risk Management task library, and installs the Profiles for Enterprise Risk Management. See "Running the Risk Manager Server Correlation script" on page 64 for details.

3. Assign the Risk Manager specific event groups to the administrator. For details on administration roles, see the Tivoli Enterprise Console User's Guide.

4. Merge the Risk Manager and Tivoli Management Enterprise (TME) adapter format files. See "Merging the Risk Manager and TME adapter format files" on page 47 for details.

Changing configuration settings

To change the configuration settings, edit the configuration files listed below. The configuration files are located in:

Windows systems:

%BINDIR%\RISKMGR\corr\tec

UNIX systems:

$BINDIR/RISKMGR/corr/tec

BINDIR is the directory in which the event server binaries reside.

"Configuring Risk Manager Server Correlation" on page 62 lists the changes that can be made to the configuration files and how to make each of them.

After editing the configuration files, run the rmcorr_cfg script to apply the changes.

Risk Manager configuration script

The Risk Manager configuration script rmcorr_cfg configures the Tivoli event server to receive, correlate, and display Risk Manager events.

The rmcorr_cfg configuration shell program has the following options:

-delete     Removes the Risk Manager components from the current TEC event server, including deleting the current rule base and the rule base directory. The default TEC rule base is reloaded.

-dir        Specifies the directory in which the rule base is installed.

-exist      Specifies an existing rule base to use when installing Risk Manager.

-install    Installs the rule base.

-new        Specifies a new rule base to create when installing Risk Manager.

-reconfig   Applies the edited configuration files and restarts the event server. You must use this option after changing any .pro configuration file whose name begins with riskmgr_.

-status     Displays the status of the Risk Manager components.

-tasklib    Compiles the Risk Manager task library and creates the default job.

-uninstall  Removes the Risk Manager components from the current TEC event server, but does not delete the current rule base.

-update     Updates the current rule base. Use this option after changing or adding BAROC files.

For how to use each of these options, see "Processing the rule base" on page 63.

Run the setup_env configuration script to set up the Tivoli BINDIR environment.

Prolog facts

Risk Manager implements correlation as TEC rule sets and associated Prolog code. Risk Manager provides existing rules that can easily be used to detect new sets of events. Risk Manager expresses its configuration settings as specific Prolog facts.

The boot configuration file (boot.rls) loads the Prolog files. Processing takes place inside the TEC rules engine.

When TEC Correlation is installed and initially configured, Risk Manager sets default values in the configuration files. If Risk Manager TEC Correlation produces too many or too few alarms, you can adjust these values.

Do not edit the rule files. Instead, edit the Prolog files to configure TEC Correlation.

Prolog file name          Purpose

riskmgr_hosts.pro         Defines the host and sensor information used in rule processing. The following settings in this file can be changed:
                          • host machines
                          • trusted host machines
                          • sensor instances (including ignoring or downgrading instance creation)

riskmgr_parameters.pro    Defines the parameters that can be set for Server Correlation.

riskmgr_thresholds.pro    Defines the thresholds that govern the generation of situation events. See "Setting escalation thresholds" on page 82.

riskmgr_links.pro         Defines the relationships between specific RM_SensorEvent events.

riskmgr_categories.pro    Defines the Risk Manager categories. Risk Manager Server Correlation places each specific RM_SensorEvent into a category.

When changing configuration settings, observe the following rules:

• Strings must be enclosed in single quotation marks (' ').
• Numbers must not be enclosed in quotation marks.
• Each Prolog fact is terminated by a period (.).
• Lists are enclosed in square brackets.
• Each Prolog fact has the following form:

fact_name(arg1,arg2,...,argN).

After editing these files, you must rerun the rmcorr_cfg configuration shell program. To reconfigure Risk Manager, enter:

rmcorr_cfg -reconfig

Configuring Risk Manager Server Correlation

The Tivoli administrator performs the tasks described in this section to configure Risk Manager Server Correlation. The tasks are:

• "Processing the rule base" on page 63
• "Displaying the status of the Risk Manager components" on page 63
• "Removing the Risk Manager components from the event server" on page 64
• "Running the Risk Manager Server Correlation script" on page 64
• "Monitoring situation events" on page 64
• "Defining network hosts" on page 64
• "Excluding trusted hosts" on page 65
• "Specifying sensor instances" on page 66
• "Downgrading the severity of sensor instance events" on page 67
• "Ignoring the creation of sensor instance events" on page 67
• "Setting the allowed timestamp jitter" on page 68
• "Setting the elapsed time after which a situation expires" on page 69
• "Setting the interval for cleaning up expired situations" on page 70
• "Setting the refresh timer interval" on page 70
• "Controlling situation events from generic to specific" on page 71
• "Controlling situation events from specific to generic" on page 71
• "Setting the decay value" on page 72
• "Dropping insecure events" on page 72
• "Forwarding situation data" on page 73
• "Setting the interval for forwarding situation data" on page 73
• "Forwarding situation data to another event server" on page 73
• "Defining thresholds for storm events" on page 74
• "Linking events" on page 75
• "Detecting duplicate events" on page 76
• "Specifying new categories" on page 77
• "Assigning superclass categories" on page 79
• "Assigning leaf classes to categories" on page 81
• "Disabling correlation for specific event classes" on page 81
• "Setting escalation thresholds" on page 82

Processing the rule base

This section describes the event server administration tasks that relate to the Risk Manager rule base and that are performed with rmcorr_cfg. It also describes the other tasks that can be performed on the Risk Manager components:

• installing and loading the Risk Manager correlation components into an existing rule base
• creating a new rule base
• updating the current rule base
• displaying the status of the Risk Manager components
• removing the Risk Manager components from the event server

To check whether the rule base is installed on the server, use the following command:

rmcorr_cfg -status

Installing into an existing rule base

To install the Risk Manager correlation components into an existing rule base and load it, enter:

rmcorr_cfg -install -dir directory -exist existing_rulebase

where:

directory specifies the directory in which the new rule base files are stored.

existing_rulebase specifies the name of the existing rule base.

Creating a new rule base

To create a new rule base that contains the Risk Manager correlation components, enter:

rmcorr_cfg -install -dir directory -new new_rulebase

where:

directory specifies the directory in which the new rule base files are stored.

new_rulebase specifies the name of the rule base to create.

Updating the rule base

To update the current rule base with the Risk Manager BAROC and rule information, run rmcorr_cfg as follows:

rmcorr_cfg -update

Displaying the status of the Risk Manager components

To display the status of the Risk Manager components, run rmcorr_cfg as follows:

rmcorr_cfg -status

Removing the Risk Manager components from the event server

To remove the Risk Manager components from the current TEC event server, run rmcorr_cfg as follows:

rmcorr_cfg -uninstall

Alternatively, to remove the Risk Manager components from the current TEC event server and load the default rule base, run rmcorr_cfg as follows:

rmcorr_cfg -delete

Running the Risk Manager Server Correlation script

Note: Do not change the rule sets provided with Risk Manager. To install or update the Risk Manager correlation rule base, run the rmcorr_cfg program.

To configure TEC Correlation, either load the Risk Manager correlation components into an existing rule base or create a new rule base that contains them.

When creating a new rule base, you can use the rmcorr_cfg -exist option to specify an existing rule base (this is optional). If you do, Risk Manager bases the new rule base on that existing rule base rather than on the default rule base named Default.

For details of the configuration file settings, see "Risk Manager configuration script" on page 60.

After creating or loading the rule base, assign the Risk Manager specific event groups to the administrator. For details on administration roles, see the Tivoli Enterprise Console User's Guide.

Monitoring situation events

When a sensor detects an attack, it collects data and forwards it to TEC. Risk Manager processes these events, detects patterns, and generates situation events and alarms. Situation events can be displayed in TEC.

For details about situation events, see "Situations" on page 57.

Defining network hosts

When Risk Manager receives a specific sensor event, it automatically extracts and summarizes the host information. However, the information in a sensor event may be incomplete: some sensor events carry a host name but no IP address, and others an IP address but no host name.

The set_host entries in the riskmgr_hosts.pro file let you define complete host information (IP address and host name) for known machines on your network. Use set_host entries so that Risk Manager can correctly summarize incomplete host information, or to define the host information for machines that have multiple network interfaces or multiple names.

To specify the network host machines:

1. Edit the riskmgr_hosts.pro file and add one entry for each network host machine:

set_host('host_ipaddress','hostname').

where:

host_ipaddress specifies the IP address of the host machine, for example '1.2.111.23'.

hostname specifies the name used for the host machine, for example 'machine.company.com'.

Strings must be enclosed in single quotation marks, and the fact must end with a period (.).

2. If required, define multiple hosts that share the same token, as follows:

/* Multihomed: */
set_host ('1.1.111.11','my.machine1.com').
set_host ('10.10.10.11','my.machine1.com').

/* Aliases: */
set_host ('1.1.111.12','my.machine2.com').
set_host ('1.1.111.12','othermachine2com').

For a host with multiple entries, the name or IP address displayed in the graphical user interface (GUI) is the host name or IP address that was defined first.

3. To reconfigure and activate the changes, enter:

rmcorr_cfg -reconfig
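The fact-writing rules from "Prolog facts" and the set_host procedure above are easy to get wrong by hand, and rmcorr_cfg only reports the problem after it has restarted the event server. The following is an added example (not code from Tivoli Risk Manager) that parses facts written in the style of the riskmgr_*.pro files, rejects the mistakes the guide warns about (an unquoted IP address, a number ending in a bare period, a missing terminating period), and builds the host lookup that results from multihomed and aliased set_host entries, keeping the first definition as the one the GUI would display. The names parse_facts, is_valid and host_table, and the sample riskmgr_hosts.pro text, are this example's own; the parser implements only the subset of Prolog syntax the guide describes.

```python
"""Parser and checker for Risk Manager style Prolog configuration facts.

Added example, not Tivoli Risk Manager code. Supports exactly the syntax the guide
describes: single-quoted strings, unquoted numbers, lists in square brackets, one
fact per terminating period, and /* */ comments. SAMPLE_HOSTS_PRO is constructed.
"""
import re

_TOKEN = re.compile(r"""\s*(?:
    (?P<comment>/\*.*?\*/)             # /* ... */ comment, dropped
  | (?P<str>'(?:[^'\\]|\\.)*')         # single-quoted string
  | (?P<num>-?\d+(?:\.\d+)?)           # integer or decimal; a bare "5." is not a number
  | (?P<atom>[a-z][A-Za-z0-9_]*)       # fact name, or a bare atom such as off
  | (?P<punct>[()\[\],.])
  | (?P<bad>\S)                        # anything else is a syntax error
)""", re.VERBOSE | re.DOTALL)


class FactSyntaxError(ValueError):
    """Raised when text breaks the fact-writing rules given in the guide."""


def tokenize(text):
    """Return (kind, lexeme) pairs with comments removed; stray characters raise."""
    toks = [(m.lastgroup, m.group(m.lastgroup)) for m in _TOKEN.finditer(text)]
    for kind, lex in toks:
        if kind == "bad":
            raise FactSyntaxError("unexpected character %r" % lex)
    return [t for t in toks if t[0] != "comment"]


class _Parser:
    def __init__(self, text):
        self.toks, self.pos = tokenize(text), 0

    def _next(self):
        if self.pos >= len(self.toks):
            raise FactSyntaxError("unexpected end of input (missing period?)")
        self.pos += 1
        return self.toks[self.pos - 1]

    def _value(self):
        kind, lex = self._next()
        if kind == "str":
            return lex[1:-1]
        if kind == "num":
            return float(lex) if "." in lex else int(lex)
        if kind == "atom":
            return lex
        if (kind, lex) == ("punct", "["):
            return self._sequence("]")
        raise FactSyntaxError("unexpected %r where a value was expected" % lex)

    def _sequence(self, closer):
        """Comma-separated values up to closer: list items or fact arguments."""
        items = [self._value()]
        while True:
            tok = self._next()
            if tok == ("punct", closer):
                return items
            if tok != ("punct", ","):          # catches '5.' and unquoted 1.2.3.4
                raise FactSyntaxError("expected ',' or %r, found %r" % (closer, tok[1]))
            items.append(self._value())

    def facts(self):
        out = []
        while self.pos < len(self.toks):
            kind, name = self._next()
            if kind != "atom" or self._next() != ("punct", "("):
                raise FactSyntaxError("a fact must look like name(...), near %r" % name)
            args = self._sequence(")")
            if self._next() != ("punct", "."):  # every fact ends with a period
                raise FactSyntaxError("fact %s is not terminated by a period" % name)
            out.append((name, args))
        return out


def parse_facts(text):
    """Return [(fact_name, [args]), ...] for every fact in text."""
    return _Parser(text).facts()


def is_valid(text):
    """True if text follows the fact-writing rules, False otherwise."""
    try:
        parse_facts(text)
        return True
    except FactSyntaxError:
        return False


def host_table(facts):
    """ip->name and name->[ips] from set_host facts; first definition wins on conflicts."""
    ip_to_name, name_to_ips = {}, {}
    for name, args in facts:
        if name != "set_host":
            continue
        if len(args) != 2 or not all(isinstance(a, str) for a in args):
            raise FactSyntaxError("set_host needs two quoted strings, got %r" % (args,))
        ip, host = args
        ip_to_name.setdefault(ip, host)                  # alias: first name is displayed
        if ip not in name_to_ips.setdefault(host, []):
            name_to_ips[host].append(ip)                 # multihomed: every address kept
    return ip_to_name, name_to_ips


SAMPLE_HOSTS_PRO = """
/* Constructed sample in riskmgr_hosts.pro form, not the shipped file */
/* Multihomed: */
set_host('1.1.111.11','my.machine1.com').
set_host('10.10.10.11','my.machine1.com').
/* Aliases: */
set_host('1.1.111.12','my.machine2.com').
set_host('1.1.111.12','othermachine2.com').
set_trusted_host('1.2.111.23','scanner.company.com').
set_sensor('webids','1.2.133.23','www.company.com').
"""
```

Run is_valid over a riskmgr_*.pro file before rmcorr_cfg -reconfig and the event server is never restarted with a file that the rules engine would reject.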

Excluding trusted hosts

Risk Manager can be configured to ignore activity from specific trusted hosts. When TEC Correlation detects activity from a source host that is designated as trusted in the riskmgr_hosts.pro configuration file, it generates an RM_TrustedHost event. TEC Correlation keeps a record of the destination machine and the attack signature, but because the host is trusted it does not correlate the information. Because activity from these hosts is excluded from correlation, keep the list short and review it: an attacker who controls or spoofs the address of a trusted host (a vulnerability scanner, for example) is not reported.

To exclude trusted hosts:

1. Edit the riskmgr_hosts.pro file and add one entry for each trusted host, using the following syntax:

set_trusted_host('host_ipaddress','hostname').

where:

host_ipaddress specifies the IP address of the host machine, for example '1.2.111.23'.

hostname specifies the name used for the host machine, for example 'machine_name.company.com'.

Strings must be enclosed in single quotation marks, and the fact must end with a period (.).

2. To reconfigure and activate the changes, enter:

rmcorr_cfg -reconfig

The events are displayed in the RM_TrustedHosts container in TEC.

Specifying sensor instances

Risk Manager can be configured to define sensor instances. A sensor is an event monitoring application that uses a Risk Manager adapter. Risk Manager provides a set of adapters, and you can also create your own. To create your own adapter, see the Tivoli Risk Manager Developer's Guide.

To specify a sensor:

1. Edit the riskmgr_hosts.pro file and add one entry for each sensor, using the following syntax:

set_sensor('sensor_type','host_ipaddress','hostname').

where:

sensor_type specifies the type of the sensor, for example webids.

host_ipaddress specifies the IP address of the host machine, for example '1.2.133.23'.

hostname specifies the name used for the host machine, for example 'machine_name.company.com'.

Strings must be enclosed in single quotation marks, and the fact must end with a period (.). A set_sensor entry does not have to match a previous set_host entry.

2. To reconfigure and activate the changes, enter:

rmcorr_cfg -reconfig

The events are displayed in the RM_Sensors event group in the TEC event console.

Downgrading the severity of sensor instance events

Risk Manager classifies events to indicate their severity. The valid severity levels, from most to least severe, are FATAL, CRITICAL, MINOR, WARNING, HARMLESS, and UNKNOWN.

When the correlation process detects a sensor that is not configured in the riskmgr_hosts.pro file, TEC Correlation generates a sensor instance (RM_Sensor) event and automatically assigns the default severity, WARNING, to it. To define a sensor in the configuration file, use the set_sensor setting.

To downgrade the default severity of a sensor's events to HARMLESS:

1. Edit the riskmgr_hosts.pro file and add the following entry:

set_downgrade_sensor_creation('sensor_type').

sensor_type specifies the type of the sensor. A sensor is an event monitoring application that uses a Risk Manager adapter, for example 'webids'.

Strings must be enclosed in single quotation marks, and the fact must end with a period (.).

2. To reconfigure and activate the changes, enter:

rmcorr_cfg -reconfig

The events are displayed in the RM_Sensor event group in TEC.

Ignoring the creation of sensor instance events

Risk Manager can be configured to ignore the creation of sensor instance events for a specific sensor type. Normally, when the correlation process detects a sensor, TEC Correlation generates an RM_Sensor event.

To ignore the creation of sensor instance events:

1. Edit the riskmgr_hosts.pro file and add an entry of the following form:

set_ignore_sensor_creation('sensor_type').

sensor_type specifies the type of the sensor.

Strings must be enclosed in single quotation marks, and the fact must end with a period (.).

2. To reconfigure and activate the changes, enter:

rmcorr_cfg -reconfig

Setting attribute values

You can set an attribute to a specific value depending on the type of sensor that generated the event or on the destination host. You can also change the level of events that originate from, or are directed at, a specific host.

To define attributes, edit the riskmgr_parameters.pro file on the TEC or Risk Manager server.

The format is:

attribute_map(attrib_to_set,value_to_use,attrib_to_compare,compare_value,attrib_to_compare2,compare_value2).

For example:

attribute_map('severity','HARMLESS','rm_SourceIPAddr','9.3.32.1','rm_SensorType','webids').

This line sets the severity attribute to HARMLESS when rm_SourceIPAddr is 9.3.32.1 and rm_SensorType is webids.

attribute_map('severity','CRITICAL','rm_SensorType','CPFW','rm_Level','5').

This line sets the severity attribute to CRITICAL when rm_SensorType is CPFW and rm_Level is 5.

Attributes let you identify an event and map it to a custom ID. For example, suppose a machine generates events frequently and one of its users must be monitored more closely; for that user you can set the rm_Level attribute to a higher value.

To set or change event attributes, edit the riskmgr_parameters.pro file. The following examples show the default values:

• For Cisco routers:

attribute_map('severity','WARNING','rm_Level',1,'rm_SensorType','csids').
attribute_map('severity','WARNING','rm_Level',2,'rm_SensorType','csids').
attribute_map('severity','MINOR','rm_Level',3,'rm_SensorType','csids').
attribute_map('severity','MINOR','rm_Level',4,'rm_SensorType','csids').
attribute_map('severity','CRITICAL','rm_Level',5,'rm_SensorType','csids').

• For Internet Security Systems RealSecure (ISS RealSecure):

attribute_map('severity','WARNING','rm_Priority','Low','rm_SensorType','realsecure').
attribute_map('rm_Level',1.0,'rm_Priority','Low','rm_SensorType','realsecure').
attribute_map('severity','MINOR','rm_Priority','Medium','rm_SensorType','realsecure').
attribute_map('rm_Level',3.0,'rm_Priority','Medium','rm_SensorType','realsecure').
attribute_map('severity','CRITICAL','rm_Priority','High','rm_SensorType','realsecure').
attribute_map('rm_Level',5.0,'rm_Priority','High','rm_SensorType','realsecure').

To reconfigure and activate the changes, enter:

rmcorr_cfg -reconfig
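The attribute_map facts above are easier to reason about when you can see what they do to concrete events. The following is an added example, not the rule code that Risk Manager ships: the defaults and the two worked examples from this section are written as Python tuples in the same six positions as the fact, and apply_attribute_maps runs them over constructed RM_SensorEvent slot dictionaries. Two points are assumptions, not statements from the guide: rules are tried in file order with both comparisons required to hold, and for each attribute the first rule that matches wins, so a HARMLESS whitelist entry for one source address must appear before a broader rule for the same sensor type. The names apply_attribute_maps, summarize and SAMPLE_EVENTS are this example's own.

```python
"""Apply attribute_map facts to sensor events.

Added example, not Risk Manager code. Each tuple mirrors one attribute_map fact:
(attrib_to_set, value_to_use, attrib_to_compare, compare_value, attrib_to_compare2, compare_value2).
Assumed semantics: file order, both comparisons must hold, first match per attribute
wins, comparisons look at the original event (rules do not chain).
"""

# The guide's two worked examples followed by the defaults it quotes.
ATTRIBUTE_MAPS = [
    ("severity", "HARMLESS", "rm_SourceIPAddr", "9.3.32.1", "rm_SensorType", "webids"),
    ("severity", "CRITICAL", "rm_SensorType", "CPFW", "rm_Level", "5"),
    ("severity", "WARNING", "rm_Level", 1, "rm_SensorType", "csids"),
    ("severity", "WARNING", "rm_Level", 2, "rm_SensorType", "csids"),
    ("severity", "MINOR", "rm_Level", 3, "rm_SensorType", "csids"),
    ("severity", "MINOR", "rm_Level", 4, "rm_SensorType", "csids"),
    ("severity", "CRITICAL", "rm_Level", 5, "rm_SensorType", "csids"),
    ("severity", "WARNING", "rm_Priority", "Low", "rm_SensorType", "realsecure"),
    ("rm_Level", 1.0, "rm_Priority", "Low", "rm_SensorType", "realsecure"),
    ("severity", "MINOR", "rm_Priority", "Medium", "rm_SensorType", "realsecure"),
    ("rm_Level", 3.0, "rm_Priority", "Medium", "rm_SensorType", "realsecure"),
    ("severity", "CRITICAL", "rm_Priority", "High", "rm_SensorType", "realsecure"),
    ("rm_Level", 5.0, "rm_Priority", "High", "rm_SensorType", "realsecure"),
]


def _same(a, b):
    """Loose comparison: the guide writes rm_Level both as 5 and as '5'."""
    try:
        return float(a) == float(b)
    except (TypeError, ValueError):
        return str(a) == str(b)


def apply_attribute_maps(event, rules=ATTRIBUTE_MAPS):
    """Return a copy of event (a dict of slot name -> value) with the rules applied."""
    out = dict(event)
    decided = set()                      # attributes already set by an earlier rule
    for rule in rules:
        if len(rule) != 6:
            raise ValueError("attribute_map needs six arguments: %r" % (rule,))
        target, value, attr1, want1, attr2, want2 = rule
        if target in decided or attr1 not in event or attr2 not in event:
            continue
        if _same(event[attr1], want1) and _same(event[attr2], want2):
            out[target] = value
            decided.add(target)
    return out


# Constructed RM_SensorEvent slots for the demonstration, not captured events.
SAMPLE_EVENTS = [
    {"rm_SensorType": "csids", "rm_Level": 5, "severity": "WARNING"},
    {"rm_SensorType": "realsecure", "rm_Priority": "High", "severity": "WARNING"},
    {"rm_SensorType": "webids", "rm_SourceIPAddr": "9.3.32.1", "severity": "CRITICAL"},
    {"rm_SensorType": "CPFW", "rm_Level": "5", "severity": "MINOR"},
    {"rm_SensorType": "webids", "rm_SourceIPAddr": "10.0.0.7", "severity": "MINOR"},
]


def summarize(events=SAMPLE_EVENTS, rules=ATTRIBUTE_MAPS):
    """Return (severity, rm_Level) after mapping, one tuple per event."""
    mapped = (apply_attribute_maps(ev, rules) for ev in events)
    return [(e["severity"], e.get("rm_Level")) for e in mapped]
```

The RealSecure defaults show why first-match is tracked per attribute rather than per event: a High priority event is matched by two rules, one that sets severity and one that sets rm_Level, and both must fire.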

Setting time intervals

Several configuration options let you set a time interval in seconds. Use Table 11 to convert common time intervals into seconds.

Table 11. Converting time intervals to seconds

Interval             Seconds
1 minute             60
5 minutes            300
10 minutes           600
30 minutes           1800
1 hour               3600
2 hours              7200
12 hours             43200
1 day                86400
1 week               604800
1 month (4 weeks)    2419200

Setting the allowed timestamp jitter

Risk Manager can be configured to limit the timestamp jitter that is allowed when an event arrives at the event server. Determine the interval that is acceptable between events in the same data stream, and set that number of seconds in the riskmgr_parameters.pro file.

The correlation process uses the allowed timestamp jitter to check whether the timestamp field of an event received by the event server is consistent with the previous events in the same stream. When the correlation process detects that the timestamp interval between two events in the same data stream is too large, TEC Correlation generates an RM_InputErr exception, and Risk Manager resets its reference time to last_timestamp.

To specify the allowed timestamp jitter:

1. Edit the riskmgr_parameters.pro file and change the number of seconds using the following syntax:

set_timestamp_jitter(seconds).

The seconds argument is the time (in seconds) that is allowed between events in the same data stream.

The default setting is 1 day (86400 seconds).

The seconds value must be an integer greater than 0, and the fact must end with a period (.).

For common intervals in seconds, see Table 11.

2. To reconfigure and activate the changes, enter:

rmcorr_cfg -reconfig

The events are displayed in the RM_Exceptions event group in TEC.

Setting the elapsed time after which a situation expires

Risk Manager can be configured to specify the elapsed time after which a situation expires.

When the correlation process detects that a situation fact has not changed within the specified time, TEC Correlation removes that situation fact from the Prolog fact base. Risk Manager resets the status of the corresponding expired situation event to CLOSED and its severity to UNKNOWN.

To specify the elapsed time after which a situation expires:

1. Edit the riskmgr_parameters.pro file and change the number of seconds using the following syntax:

set_situation_expiration(seconds).

The seconds argument specifies the elapsed time after which a situation expires. The default setting is 86400 seconds.

The seconds value must be an integer of 60 or more, and the fact must end with a period (.).

For common intervals in seconds, see Table 11 on page 69.

2. To reconfigure and activate the changes, enter:

rmcorr_cfg -reconfig

Setting the interval for cleaning up expired situations

Risk Manager can be configured to limit the time (in seconds) that is allowed between checks for expired situation facts and their cleanup. Determine an acceptable interval and set it in the riskmgr_parameters.pro file.

When the correlation process detects that this interval has elapsed, TEC Correlation checks whether any situation facts have expired and starts cleaning them up.

To specify the interval for checking for expired situations:

1. Edit the riskmgr_parameters.pro file and change the number of seconds using the following syntax:

set_situation_cleanup_interval(seconds).

The seconds argument specifies the time (in seconds) between cleanups of expired situation events. The default setting is 3600 seconds.

The seconds value must be an integer of 60 or more, and the fact must end with a period (.).

For common intervals in seconds, see Table 11 on page 69.

2. To reconfigure and activate the changes, enter:

rmcorr_cfg -reconfig

Setting the refresh timer interval

Risk Manager can be configured to limit the time (in seconds) that is allowed between refresh timer triggers. This interval is specified in the riskmgr_parameters.pro file.

When the correlation process detects that this interval has elapsed, the situation events are updated and queued for display, and the events shown on the event console are refreshed.

To specify the interval for refreshing events:

1. Edit the riskmgr_parameters.pro file and change the number of seconds using the following syntax:

set_interface_refresh(seconds).

The seconds argument specifies the time (in seconds) between refreshes of the situation events displayed on the event console. The default setting is 60 seconds.

The seconds value must be an integer greater than 10, and the fact must end with a period (.).

For common intervals in seconds, see Table 11 on page 69.

2. To reconfigure and activate the changes, enter:

rmcorr_cfg -reconfig

Controlling situation events from generic to specific

Risk Manager can be configured to control the process by which more generic situation events are deleted in favor of more specific ones. The ratio_down threshold defines the ratio at which a situation 2 or situation 3 is deleted in favor of an existing situation 1 or situation 2. This threshold is normally a value close to 1.0, such as 0.90 or 0.95.

The deletion process is controlled in the riskmgr_parameters.pro file.

To specify how situation events are controlled from generic to specific:

1. Edit the riskmgr_parameters.pro file and change the number using the following syntax:

set_ratio_down(0.95).

The set_ratio_down value must be less than 1.0 and is limited to the range 0.0 to 1.0. Do not end the number with a bare period (for example, 1.). The default setting is 0.95.

The fact must end with a period (.).

2. To reconfigure and activate the changes, enter:

rmcorr_cfg -reconfig

Controlling situation events from specific to generic

Risk Manager can be configured to control the process by which more specific situation events are deleted in favor of more generic ones. The ratio_up threshold defines the ratio at which a situation 1 or situation 2 is deleted because all of the situations it contains are considerably smaller than those of the situation 2 and situation 3 (or situation 2) that contain it. This threshold is normally a value considerably less than 1.0, such as 0.25 or 0.5.

The deletion process is controlled in the riskmgr_parameters.pro file.

To specify how situation events are controlled from specific to generic:

1. Edit the riskmgr_parameters.pro file and change the number using the following syntax:

set_ratio_up(n.nn).

n.nn is the set_ratio_up value. It must be less than 1.0 and is limited to the range 0.0 to 1.0. Do not end the number with a bare period (for example, 1.). The default setting is 0.25.

The fact must end with a period (.).

2. To reconfigure and activate the changes, enter:

rmcorr_cfg -reconfig

Setting the decay value

Risk Manager can be configured to limit the rate at which the severity level of a situation declines when no new events arrive to update the situation.

For example, if the decay value is set to 600 seconds and the level of a situation event is 50.0, the severity level drops to 25.0 if no data belonging to the situation is received for 600 seconds. In other words, the decay value is the half-life used by the time decay function.

This time decay value (in seconds) is specified in the riskmgr_parameters.pro file.

To set the decay value:

1. Edit the riskmgr_parameters.pro file and change the decay value using the following syntax:

set_decay_value(seconds).

The seconds argument specifies the time (in seconds) over which the severity level halves when no new events arrive to update the situation. The default setting is 7200 seconds.

The seconds value must be an integer greater than 0, and the fact must end with a period (.).

2. To reconfigure and activate the changes, enter:

rmcorr_cfg -reconfig
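The decay value, the thresholds in riskmgr_thresholds.pro and the situation expiration interact, and the guide describes each one separately. The following is an added example, not Risk Manager code, that models a single situation the way the chapter describes it: the decay value is a half-life (the guide's 50.0 to 25.0 after one decay period is reproduced), a situation event is generated when the severity crosses the threshold, and a situation that is not updated within the expiration time is closed with severity UNKNOWN. Two details are assumptions rather than statements from the guide: a new event's severity is added to the decayed running severity, and a situation event is raised only on the upward crossing of the threshold, later events updating the existing one. The Situation class, its method names and the worked_example numbers are this example's own.

```python
"""Situation severity: exponential decay with a half-life, threshold trigger, expiration.

Added example, not Risk Manager code. decay_value plays the role of set_decay_value,
expiration of set_situation_expiration and threshold of a riskmgr_thresholds.pro
setting. Assumed: new severity is added after decaying the old value; a situation
event is raised only when the threshold is crossed from below.
"""


class Situation:
    def __init__(self, key, decay_value=7200, threshold=50.0, expiration=86400):
        if decay_value <= 0 or expiration < 60:            # limits stated in the guide
            raise ValueError("decay_value must be > 0 and expiration >= 60")
        self.key = key                                     # e.g. (category, destination, source)
        self.decay_value = float(decay_value)              # half-life in seconds
        self.threshold = threshold
        self.expiration = expiration
        self.severity = 0.0                                # running severity as of last_update
        self.last_update = None
        self.status = "NEW"
        self.raised = 0                                    # situation events generated so far

    def current_severity(self, now):
        """Severity decayed from the last update to time now (seconds)."""
        if self.last_update is None:
            return 0.0
        elapsed = max(0.0, now - self.last_update)
        return self.severity * 0.5 ** (elapsed / self.decay_value)

    def add_event(self, event_severity, now):
        """Fold an event in at time now; True when a situation event is raised."""
        before = self.current_severity(now)
        self.severity = before + float(event_severity)
        self.last_update, self.status = now, "OPEN"
        crossed = before < self.threshold <= self.severity
        self.raised += crossed
        return crossed

    def expire_if_due(self, now):
        """Close the situation when no update arrived within the expiration time."""
        if self.status == "OPEN" and now - self.last_update >= self.expiration:
            self.status = "CLOSED"
            return True
        return False

    @property
    def tec_severity(self):
        """What the TEC situation event would show: UNKNOWN once expired."""
        return "UNKNOWN" if self.status == "CLOSED" else self.severity


def worked_example():
    """Replay the guide's numbers (decay 600 s, 50.0 -> 25.0) plus a trigger and expiry run."""
    guide = Situation(("probe", "www.example.test", "10.0.0.9"),
                      decay_value=600, threshold=40.0, expiration=3600)
    guide.add_event(50.0, now=0)                   # 50.0 >= 40.0: situation event raised
    half_life_check = guide.current_severity(600)  # 25.0 after one decay period
    expired_early = guide.expire_if_due(3599)      # still inside the expiration window
    expired = guide.expire_if_due(3600)            # closed, displayed as UNKNOWN

    slow = Situation(("scan", "db.example.test", "10.0.0.9"),
                     decay_value=600, threshold=40.0, expiration=3600)
    first = slow.add_event(30.0, now=0)            # 30.0 < 40.0: nothing raised yet
    second = slow.add_event(30.0, now=300)         # 30*2**-0.5 + 30 = 51.2 >= 40: raised
    third = slow.add_event(30.0, now=400)          # already above threshold: update only
    return {"half_life_check": half_life_check, "expired_early": expired_early,
            "expired": expired, "tec_severity": guide.tec_severity,
            "raises": (first, second, third), "raised": slow.raised}
```

The slow case is the one worth tuning for: two WARNING-level events 300 seconds apart cross a threshold that neither reaches alone, and a longer decay value makes that easier, while a shorter one makes the situation forget sooner.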

Dropping insecure events

The drop_unsecure_events setting turns the processing of non-secure (non-Tivoli) RM_SensorEvent events on or off.

Risk Manager can be configured to control this processing in the riskmgr_parameters.pro file.

To specify whether insecure events are processed:

1. Edit the riskmgr_parameters.pro file and change the parameter from off to on, or from on to off, using the following syntax:

drop_unsecure_events(off).

The default setting is off. When the setting is on, non-secure (non-Tivoli) RM_SensorEvent events are deleted as soon as they are received.

Because these events do not arrive through the Tivoli delivery path, leaving the setting off means that events from senders the event server cannot vouch for take part in correlation and can drive situations. Set it to on unless you depend on non-Tivoli event sources.

The fact must end with a period (.).

2. To reconfigure and activate the changes, enter:

rmcorr_cfg -reconfig

Forwarding situation data

Risk Manager can be configured to forward situation data to another TEC event server. Situation forwarding is switched on or off in the riskmgr_parameters.pro file.

To switch situation forwarding on or off:

1. Edit the riskmgr_parameters.pro file and change the parameter from off to on, or from on to off, using the following syntax:

forward_situations(off).

The default setting is off. When the setting is on, situation data is forwarded to another TEC event server.

The fact must end with a period (.).

2. To reconfigure and activate the changes, enter:

rmcorr_cfg -reconfig

Setting the interval for forwarding situation data

Risk Manager can be configured to limit the time that is allowed between forwards of events to the TEC event server. This interval is specified in the riskmgr_parameters.pro file.

To specify the interval for forwarding situation data:

1. Edit the riskmgr_parameters.pro file and change the number of seconds using the following syntax:

set_forward_interval(seconds).

The seconds argument specifies the time (in seconds) between forwards of situation data. The default setting is 300 seconds.

The seconds value must be an integer of 10 or more, and the fact must end with a period (.).

2. To reconfigure and activate the changes, enter:

rmcorr_cfg -reconfig

Forwarding situation data to another event server

Risk Manager can be configured to specify the TEC event server to which local situation data is forwarded.

The name of the TEC event server to which situation data is forwarded is specified in a configuration file. In the configuration file templates, configuration files are referenced by file name only, without the .conf file name extension. Up to 50 configuration files can exist at the same time.

This event server is specified in the riskmgr_parameters.pro file.

To specify the event server to which situation data is forwarded:

1. Edit the riskmgr_parameters.pro file and add an entry using the following syntax:

set_forward_tec(config_file, sensor_type, tec_ipaddr, tec_hostname).

where:

config_file is the name of the configuration file that specifies the target TEC event server to which local situation data is forwarded.

sensor_type specifies the sensor type. The local TEC event server is displayed as a sensor instance on the target TEC event server. To prevent the sensor event from being displayed, use set_ignore_sensor_creation on the target TEC event server.

tec_ipaddr defines the IP address of the local TEC event server.

tec_hostname defines the host name of the local TEC event server.

Note: All parameters must be specified, and the parameter strings must be enclosed in single quotation marks.

For example:

set_forward_tec('tec_forward','riskmgr','10.10.40.23','my.tecserver.org').

The fact must end with a period (.).

2. To reconfigure and activate the changes, enter:

rmcorr_cfg -reconfig

Defining thresholds for storm events

A storm event is a condition in which a large number of events is emitted in a short time, for example a ping flood. Normally, Risk Manager performs minimal processing on these events.

Sensors themselves often apply special handling to a large number of identical events and emit a single event. Keep this in mind when setting the storm event values; the block threshold increments may need to be adjusted, or the storm entry removed altogether.

An event that is processed as a storm event cannot also be processed as a linked event or as a duplicate event.

Risk Manager can be configured to limit the block threshold increments for storm events. When a block threshold increment value is reached, the situation facts and events are updated. The block thresholds are specified in the riskmgr_links.pro file.

To specify the block thresholds:

1. Edit the riskmgr_links.pro file and specify the values using the following syntax:

set_storm_events(Classname, Attribute_List, Block_Threshold_List, Block_Threshold_Increment).

where:

Classname defines the name of the class. It must be enclosed in single quotation marks.

Attribute_List defines the list of attributes that must match for an event to be considered part of a storm. The list must contain strings, each enclosed in single quotation marks.

Block_Threshold_List defines the thresholds at which update processing is performed. The value must be a list of integers in ascending order. Do not end a number with a bare period (for example, 5.); a number with a fractional part must have a digit after the period (25.0, not 25.).

Block_Threshold_Increment defines the threshold increment that is used after the last value in the block threshold list has been reached. The value must be an integer; the same rule about periods applies.

The fact must end with a period (.).

2. To reconfigure and activate the changes, enter:

rmcorr_cfg -reconfig

Storm event entries are defined for the RM_SensorEvent class. The following example shows a storm event entry:

set_storm_events('RS_TearDrop',['rm_DestinationToken'],[10,50,100,250],250).

Linking events

Risk Manager can be configured to link two events from different classes that share specific values. For example, if a WW_SuspiciousCgi event is followed by a corresponding WW_Success event, the pair should be considered more severe than a WW_SuspiciousCgi event on its own.

Once a class is defined as a storm event, it is no longer processed as a linked event. An event that is processed as a linked event is not processed as a duplicate event.

Links between two events are specified in the riskmgr_links.pro file.

To link events:

1. Edit the riskmgr_links.pro file and specify the values using the following syntax:

set_linked_events(Classname1, Classname2, Attribute_List, Severity_Value).

where:

Classname1 defines the class name of the first event. The name must be enclosed in single quotation marks.

Classname2 defines the class name of the related subsequent event. The name must be enclosed in single quotation marks.

Attribute_List defines the list of attributes that must match for the events to be considered related. Each attribute must be enclosed in single quotation marks, and the attributes are separated by commas.

Severity_Value defines the severity value to use for the subsequent event instead of its normal severity value. It must be a number (floating point or integer). Do not end a number with a bare period (for example, 5.); a number with a fractional part must have a digit after the period (25.0, not 25.).

The fact must end with a period (.).

2. To reconfigure and activate the changes, enter:

rmcorr_cfg -reconfig

The following example shows entries that link RM_SensorEvent classes to a related subsequent event:

set_linked_events('WW_SuspiciousCgi','WW_Success',['rm_SensorToken','webids_requid'],25.0).

set_linked_events('WW_InsecureCgi','WW_Success',['rm_SensorToken','webids_requid'],20.0).

The first matching linked-event definition is used. In the example above, if matching events exist for both WW_SuspiciousCgi and WW_InsecureCgi, the WW_SuspiciousCgi value is used and the WW_InsecureCgi value is ignored.

Duplicate events

Duplicate events are events that are considered complete duplicates. Normally, the attribute list includes rm_Timestamp32, which indicates that the events must have occurred at almost the same time. When rm_Timestamp32 attributes are compared, a difference of plus or minus 2 seconds is tolerated.


If the severity level of the duplicate event is higher than that of the original event, the situation fact and the event are updated based on the difference in severity levels. If the severity level of the duplicate event is less than or equal to that of the original event, no processing is performed.

If an event is processed as a storm event or a linked event, it is not processed as a duplicate event.

In Risk Manager, you can configure the detection of duplicate events in the riskmgr_links.pro file.

To detect duplicate events, do the following:

1. Edit the riskmgr_links.pro file and specify the values using the following format:

set_duplicate_events(Classname1, Classname2, Attribute_List).

The items are as follows:

Classname1

Defines the class name of event 1. The name must be enclosed in single quotation marks.

Classname2

Defines the class name of event 2. The name must be enclosed in single quotation marks.

Attribute_List

Defines the list of attributes that must match for the events to be considered duplicates. Each attribute must be enclosed in single quotation marks and separated by commas.

A period (.) must be specified at the end of the fact.

2. To reconfigure and make the changes take effect, enter the following:

rmcorr_cfg -reconfig

The following example shows the entries needed to indicate that RM_SensorEvent classes are complete duplicates:

set_duplicate_events('NR_WWW_bat_File', 'RS_HTTP_IE_BAT',['rm_Timestamp32','rm_DestinationToken','rm_SourceToken','rm_Url']).

Specifying new categories

By assigning a new name and a unique token ID number, you can specify a new Risk Manager category. To simplify database searches, add a unique short name that identifies these types of situations.

To define a category name, do the following:

1. Edit the riskmgr_categories.pro file and, using the following format, add an entry like the following for each category name:

set_category_name(categ_nnnnn,'long_name','short_name').

The items are as follows:


categ_nnnnn

A string that specifies the unique token assigned to the category. This unique token identifies the type of intrusion detection system. For example, categ_00001 is a token, where 00001 is the category number assigned to Web-related alerts. Categories beginning with categ_ need not be enclosed in single quotation marks. For example: set_category_name (categ_00001, 'Web Attack', 'WEB').

long_name

A string that specifies the full name used for the category (for example, 'Network Management'). The long name is used in the rm_Key1Str, rm_Key2Str, and rm_key3Str attributes of situation events.

short_name

A string that specifies the unique short name used for the category. For example, 'NETMAN' is the shortened version of Network Management.

The long-name and short-name strings must be enclosed in single quotation marks, and a period (.) must be specified at the end of the fact.

2. To reconfigure and make the changes take effect, enter the following:

rmcorr_cfg -reconfig

By default, the following categories are defined.

Table 12. Categories defined by Risk Manager

Category      Long name                   Short name
categ_00001   Web Attack                  WEB
categ_00002   Network Mgmt Activity       NETMAN
categ_00003   EMail Activity              EMAIL
categ_00004   User-Level Activity         USER
categ_00005   Targeted DOS                TDOS
categ_00006   Service Compromise          SERVCMP
categ_00007   Trojan Horse                TROJ
categ_00008   Command-Level Activity      CMD
categ_00100   Service Attack              SERV
categ_00101   Denial of Service           DOS
categ_00200   Virus Activity              VIRUS
categ_05000   Network Level Attack        NETLVL
categ_05001   Host-Level Attack           HOSTLVL
categ_05002   Resource Alert              RESOURCE


Table 12. Categories defined by Risk Manager (continued)

Category      Long name                   Short name
categ_10000   IDS Level                   IDSLVL
categ_10001   Misc Level                  MISCLVL
categ_10100   Authentication Activity     SECAUTH
categ_10101   Access Control              SECACCESS
categ_10102   Security Policy             SECPOLICY
categ_10103   Security Admin              SECADMIN
categ_10110   Configuration Change        CONFIG
categ_10111   Installation                INSTALL
categ_10112   State Change                STATECHG
categ_10113   System Error                SYSERROR

Assigning super-class categories

By specifying super-class category assignments, you can assign RM_SensorEvent classes to categories. Specify them in order from the most specific. By assigning a new name and a unique token ID number, you can specify a new Risk Manager category. For the list of categories defined by Risk Manager, see "Specifying new categories" on page 77.

To assign super-class categories, do the following:

1. Edit the riskmgr_categories.pro file and, using the following format, add an entry like the following for each category name:

category_assign_super(categ_nnnnn, 'class_name').

The items are as follows:

categ_nnnnn

A string that specifies the unique token assigned to the category. This unique token identifies the type of intrusion detection system. For example, categ_00001 is a token, where 00001 is the category number assigned to Web-related alerts. Categories beginning with categ_ need not be enclosed in single quotation marks.

class_name

A string that specifies the name of the super class. Unless a more specific assignment has been made, the leaf classes derived from the category's super class are also assigned to the category.

The token or class-name strings must be enclosed in single quotation marks, and a period (.) must be specified at the end of the fact.

2. To reconfigure and make the changes take effect, enter the following:

rmcorr_cfg -reconfig


In Risk Manager, the following super-class categories are assigned by default.

category_assign_super(categ_00001, 'RM_WebServer').
category_assign_super(categ_00002, 'RM_SNMP').
category_assign_super(categ_00003, 'RM_Email').
category_assign_super(categ_00004, 'RM_User').
category_assign_super(categ_00005, 'RM_TDoS').
category_assign_super(categ_00006, 'RM_ServiceCompromise').
category_assign_super(categ_00007, 'RM_Trojan').
category_assign_super(categ_00008, 'RM_Command').
category_assign_super(categ_00100, 'RM_Service').
category_assign_super(categ_00100, 'RM_Scan').
category_assign_super(categ_00101, 'RM_Flood').
category_assign_super(categ_00200, 'RM_HostVirus').
category_assign_super(categ_05000, 'RM_IDSNetwork').
category_assign_super(categ_05001, 'RM_IDSHost').
category_assign_super(categ_05002, 'RM_HostResource').
category_assign_super(categ_10100, 'RM_SecAuth').
category_assign_super(categ_10101, 'RM_SecAccess').
category_assign_super(categ_10102, 'RM_SecPolicy').
category_assign_super(categ_10103, 'RM_SecAdmin').
category_assign_super(categ_10110, 'RM_Configuration').
category_assign_super(categ_10111, 'RM_Installation').
category_assign_super(categ_10112, 'RM_StateChange').
category_assign_super(categ_10113, 'RM_SysError').
/* Do NOT change the order of the following three facts.
 * These must be the last three assignments made.
 */
category_assign_super(categ_10000, 'RM_IDSEvent').
category_assign_super(categ_10001, 'RM_MiscEvent').
category_assign_super(categ_99999, 'RM_SensorEvent').

Note: Attention must be paid to the order of the category_assign_super facts. Each Risk Manager event class that is not explicitly assigned to a category by a category_assign fact is assigned a class category based on the category_assign_super facts. For an event class that has not been set by category_assign, the first matching category_assign_super fact is used. The category_assign_super facts must be ordered so that a super class that is a subclass of another super class appears first. The categories associated with RM_IDSEvent, RM_MiscEvent, and RM_SensorEvent must be the last three category_assign_super facts.


Note: Multiple class names can be assigned to the same category.

Assigning leaf-class categories

To assign leaf classes to a category, specify the unique token ID number and add the list of leaf classes assigned to the specified category.

To assign leaf-class categories, do the following:

1. Edit the riskmgr_categories.pro file and, following the format below, add an item like the following for each assignment:

category_assign(categ_nnnnn,'class_list').

The items are as follows:

categ_nnnnn

A string that specifies the unique token assigned to the category. This unique token identifies the type of intrusion detection system. For example, categ_00001 is a token, where 00001 is the category number assigned to Web-related alerts. Categories beginning with categ_ need not be enclosed in single quotation marks.

class_list

A list of strings that specify the leaf classes assigned to the category. Leaf classes are at the lowest level of the class hierarchy. A leaf class is a class that has never been used as the base class of another class. For example, enter the following:

category_assign(categ_00003, ['RS_Email_Expn','RS_Email_Decode','RS_Email_Debug','RS_Email_Wiz']).

The category or leaf-class strings must be enclosed in quotation marks, and a period (.) must be specified at the end of the fact.

2. To reconfigure and make the changes take effect, enter the following:

rmcorr_cfg -reconfig

Disabling correlation

Correlation can be disabled for any class that inherits from RM_SensorEvent.

To disable the correlation process, do the following:

1. Edit the BAROC file that contains the inheriting class.

2. In the rm_Correlate field, change the default value to no.

rm_Correlate : default=no;

To make the class usable for event generation, set the default value to yes.

rm_Correlate : default=yes;

3. To update TEC Correlation after editing and saving the BAROC file, enter the following:

rmcorr_cfg -update


This value can be set for specific adapters. See the documentation for each adapter being reconfigured.

Threshold settings

You can define thresholds that control when a series of events escalates to an alarm state. In TEC Correlation, threshold settings are used to control the frequency with which alarms occur. The settings affect all correlated events.

By adjusting the settings, you can raise or lower the frequency with which alarms related to a specific host or attack type occur. If TEC Correlation is not adjusted appropriately, too many or too few events will be displayed on the event console. Making these adjustments requires network security experience.

The rm_Level attribute is related to the threshold definitions. For example, if the event console receives 20 events in a short period, the event class has a severity level of rm_Level=1.0, and the threshold setting is as follows:

set_threshold('situation1',_,5,20,100,200,_,_,_).

then the correlation process generates an RM_Situation1 event with a severity level of WARNING.

Risk Manager Correlation defines the threshold settings in the configuration file riskmgr_thresholds.pro.

To change the configuration settings, edit the riskmgr_thresholds.pro file and change or add entries in the following format. Before editing, make a backup copy of the default riskmgr_thresholds.pro file.

Note: A period (.) must be included at the end of the fact.

The items are as follows:

set_threshold(situation,situation_type,thresh_closed,thresh_warning,thresh_minor,thresh_critical,arg1,arg2,arg3).

situation Situation name. This name must be one of the following:

¶ 'situation1'

¶ 'situation2'

¶ 'situation3'

situation_type Type of the situation.

¶ For 'situation1', this must be an underscore (_).

¶ For 'situation2', this is one of the following:

v underscore (_)

v 'Category/Destination'

v 'Category/Source'

v 'Destination/Source'


¶ For 'situation3', this is one of the following:

v underscore (_)

v 'Category'

v 'Destination'

v 'Source'

In TEC Correlation, single quotation marks (' ') are required.

thresh_closed CLOSED threshold.

thresh_warning WARNING threshold. When the level of the situation exceeds this value, Risk Manager changes the severity of the event to WARNING, or creates the event (if necessary).

thresh_minor MINOR threshold. When the level of the situation exceeds this value, Risk Manager changes the severity of the event to MINOR, or creates the event (if necessary).

thresh_critical CRITICAL threshold. When the level of the situation exceeds this value, Risk Manager changes the severity of the event to CRITICAL, or creates the event (if necessary).

arg1 See the token definitions in Table 13.

Table 13. Threshold token definitions

Situation  Type                    Token arg1                               Token arg2                    Token arg3
1          _                       attack category                          attack destination            attack source
2          _                       attack category or destination           attack destination or source  must be an underscore (_)
2          'Category/Destination'  attack category                          attack destination            must be an underscore (_)
2          'Category/Source'       attack category                          attack source                 must be an underscore (_)
2          'Destination/Source'    attack destination                       attack source                 must be an underscore (_)
3          _                       attack category, destination, or source  must be an underscore (_)     must be an underscore (_)
3          'Category'              attack category                          must be an underscore (_)     must be an underscore (_)
3          'Destination'           attack destination                       must be an underscore (_)     must be an underscore (_)
3          'Source'                attack source                            must be an underscore (_)     must be an underscore (_)

arg2 See the token definitions in Table 13.

arg3 See the token definitions in Table 13.

To reconfigure and make the changes take effect, enter the following:

rmcorr_cfg -reconfig


Table 14. Situation types and ignored arguments

Situation type   Ignored arguments
situation1       situation_type
situation2       arg3
situation2       arg2 and arg3

For the arguments that are not used, an underscore (_) must be used.

Threshold setting examples

1. The following entry sets relatively large thresholds for situation 1 events that are classified as Web-related events.

set_threshold('situation1',_,5,10,100,500,categ_00001,_,_).

2. With the following entry, situation 1 events are displayed relatively early when the specified host ('1.1.111.11') is involved.

set_threshold('situation1',_,0.5,5,10,15,_,'1.1.111.11',_).

3. With the following entry, situation 2 events are displayed relatively early when the specified host ('1.1.111.11') is involved.

set_threshold('situation2','Category/Destination',0.5,5,10,15,_,'1.1.111.11',_).

4. The following entry specifies that almost no warning is needed for situation 3 events sent from the source host ('1.1.111.13').

set_threshold('situation3','Source',5,100,1000,10000,'1.1.111.13',_,_).

5. The following entry specifies that all situation 2 events escalate very quickly (not recommended).

set_threshold('situation2',_,0.1,1.0,5.0,10.0,_,_,_).

Event cache size

Within TEC, rules are applied to the events stored in the event cache. When the cache becomes full, events are removed or are no longer processed by the rules. Because a full event cache affects the results of correlation, check the size of the event cache.

To check the size of the TEC event cache on the TEC or Risk Manager server, enter the following:

wlsesvrcfg

The recommended value for the TEC event cache size is 3000 entries. To change the event cache, enter the following:

wsetesvrcfg -c 3000

Note: If the event cache is not set correctly, the TEC server may clear the cache so that Risk Manager can process the events being received. In this case, when Risk Manager clears the cache, the TEC server issues a TEC_Notice event whose message field is set to "Rule Cache full: forced cleaning." When the cache is forcibly cleared, the following may occur for existing Risk Manager situation events:

¶ Processing by the rules stops. This occurs when an existing situation event does not receive the additional events used in its processing. Because the existing events are no longer in the cache, the rules are no longer applied to those events.

¶ Duplicates occur in the event repository. When an additional event to be used in a situation's fact base is received by the server, a duplicate occurs. Such a duplicate occurs because the original instance of the situation event has been removed from the cache and is no longer processed by the rules. The original situation event is not updated (see above).

Improving Risk Manager Server performance

The following methods may improve Risk Manager Server throughput and reduce the cycles needed to process each sensor event.

1. Remove unneeded .baroc files specified in the riskmgr_baroc.lst file. riskmgr_baroc.lst contains the set of .baroc files loaded by Risk Manager. For example, if the Netranger adapter or the ISS RealSecure adapter is not used, remove the following from the sensor_baroc.lst file:

netranger.baroc
realsecure.baroc

2. Place the adapter with the highest event volume before the .baroc files of the other adapters.

Note: The riskmgr.baroc and sensor_abstract.baroc files must be placed at the top of the .baroc file list.

For example, if Web IDS events have the highest volume and Network IDS has the next highest number of events, the elements in the riskmgr_baroc.lst file are as follows:

riskmgr.baroc
sensor_abstract.baroc
webids.baroc
nids.baroc

Following these files, the other .baroc files are placed in order of decreasing event count.

3. Delete or comment out unneeded category assignment statements in the riskmgr_categories.pro file.


Risk Manager Event Integration Facility

This chapter describes the Risk Manager Event Integration Facility (EIF). For Risk Manager Event Integration Facility messages, see "Risk Manager Event Integration Facility messages" on page 268. For Risk Manager Observer messages, see "Risk Manager EIF Observer messages" on page 276.

Risk Manager Event Integration Facility overview

This chapter describes how to install, configure, and manage the Risk Manager EIF.

The Risk Manager EIF provides an extended set of functions for sending events to the Risk Manager Tivoli Enterprise Console (TEC) event server. These functions include an API for C programs, a Perl interface for use from Perl scripts, and command-line functions.

The Risk Manager EIF also includes a summarization function that reduces high-volume duplicate or similar events to lower-volume summary events. This reduces the volume of events sent to the Risk Manager server and keeps any loss of information to a minimum.

When installed on an endpoint, the Risk Manager EIF sends secure Tivoli Management Enterprise (TME) events to the TEC Server. When installed on a non-TME system, the Risk Manager EIF sends non-TME events to the TEC Server.

The following Risk Manager adapters and sensors are configured by default to forward events to the Risk Manager Server using the Risk Manager EIF:

¶ Web IDS

¶ Adapter for Check Point FireWall-1

¶ Adapter for Cisco Secure IDS

The Risk Manager EIF can also be used as a local proxy to intercept TEC events created by existing TEC applications. Existing TEC applications include Tivoli's standard non-TME TEC adapters (such as the TEC SNMP adapter), the TEC Unix logfile adapter, the TEC Windows Event Log adapter, and the TEC Windows Event Log adapter (for Windows 2000 and Windows NT).

Therefore, the Risk Manager EIF summarization function can also be used by other non-TME TEC applications on the same system as the Risk Manager EIF client. Summarized events are forwarded to the TEC Server by the secure (TME) or non-secure (non-TME) TEC protocol. The summarization function is made available by supporting Risk Manager adapters that depend on non-TME TEC adapters. These adapters are:

¶ The adapter for the Cisco PIX firewall. It depends on the TEC logfile adapter and the event log adapter.

¶ The adapter for Internet Security Systems RealSecure (ISS RealSecure). It depends on the TEC SNMP adapter.

Figure 17 shows how the Risk Manager EIF takes in events from various sources and summarizes them. The summarization process is controlled by the rules defined in the rmad_summary.rules file.

Risk Manager Event Integration Facility and the Tivoli Event Integration Facility

The TEC Event Integration Facility (EIF) is a toolkit and library for building applications that can send events to TEC. The Risk Manager EIF provides more advanced functions for sending events to the TEC Server on which the Risk Manager Server resides.

Figure 17. Risk Manager Event Integration Facility processing


In addition to a simple API for sending events to the TEC Server, the Risk Manager EIF provides the following functions. These are available to both Risk Manager applications and third-party applications.

¶ By using the shared library interface, an application does not need to be aware of the TEC event protocol, TME or non-TME (or secure / non-secure). The Risk Manager EIF selects the appropriate TEC event protocol depending on whether it is installed on a TME or non-TME system. There is no need to build separate versions of the application for TME and non-TME environments.

¶ The Risk Manager EIF API accepts unformatted event strings. These strings can be mapped to TEC events using format (.fmt) and class definition statement (.cds) files. This is similar to the processing performed by the TEC logfile adapter. Fully formatted strings are also accepted.

¶ The Risk Manager EIF has a built-in event summarization function.

¶ The Risk Manager EIF supports calls from Perl scripts.

Risk Manager Observer

The Risk Manager EIF summarization engine, called the Risk Manager Observer or RMO, is a separate daemon. The RMO summarizes events locally, reducing network traffic and the load on the TEC Server. For the RMO commands, see "Risk Manager EIF commands" on page 90.

Event Integration Facility application programming interface

The Risk Manager EIF includes an event application programming interface (API) library for use with the C programming language. The Risk Manager EIF shared library provides the interface that Risk Manager adapters need in order to send events to the event server.

The Risk Manager-supplied adapters that use the Risk Manager EIF are already linked with this library. If you build your own adapter for Risk Manager, be sure to link it with the Risk Manager EIF shared library.

For details of these APIs, see the Tivoli Risk Manager Developer's Guide.

Perl module

Risk Manager includes the Perl module rmadpm.pm, which provides an interface to the Risk Manager EIF. To use the Perl module, the Risk Manager Perl Support package must be installed. With the Risk Manager EIF Perl module, any valid Perl script can be used.

The Risk Manager EIF Perl module conforms to the standards established by the Comprehensive Perl Archive Network (CPAN) for Perl modules. For information about CPAN, see the following Web site:

http://www.cpan.org


Adapter files

Adapters use various files for their operation. The types of files used by the Risk Manager EIF are as follows.

rmad_summary.rules

Defines the rules used for summarization. Each class event that is a target of summarization requires a rule. For details on defining and using rules, see "The rmad_summary.rules file" on page 101.

Format file

The Risk Manager EIF can be set up to use an application's .fmt file. Like the TEC logfile adapter, the Risk Manager EIF uses the .fmt file and its associated .cds file to convert unformatted event strings into appropriately formatted TEC events.

CDS file

A format file used by the Risk Manager EIF must be converted to a .cds file before use. Use the riskmgr_gencds command to perform the conversion.

Configuration file

The configuration information for the Risk Manager EIF is recorded in the rmad.conf file. For details of the configuration parameters, see "Risk Manager EIF configuration file format" on page 94.

Risk Manager EIF commands

The Risk Manager Event Integration Facility includes commands for doing the following:

¶ "Starting the Risk Manager Observer daemon"

¶ "Stopping the Risk Manager Observer daemon" on page 91

¶ "Sending events to the TEC Server" on page 91

¶ "Managing the Risk Manager EIF" on page 91

¶ "Creating the Risk Manager EIF CDS file" on page 91

Starting the Risk Manager Observer daemon

To start the Risk Manager Observer daemon, use the following command.

On UNIX systems:

rmo-init start

On Windows systems:

net start rmo

The Risk Manager EIF installation program sets up the Risk Manager Observer to start automatically. On UNIX systems, the Observer is set to start automatically using an /etc/inittab entry (AIX) or an entry in the init.d directories (other UNIX platforms). On Windows systems, the Risk Manager Observer is installed as an auto-start service.


Stopping the Risk Manager Observer daemon

To stop the Risk Manager Observer daemon, use the following command.

On UNIX systems:

rmo-init stop

On Windows systems:

net stop rmo

On all systems:

wrmadmin -kill

Sending events to the TEC Server

The wrmsendmsg command sends an event to the TEC event server. This command accepts event messages in the following two formats:

¶ A formatted string containing one or more attribute-name and value pairs.

¶ A raw-data string that must be formatted using the Risk Manager EIF .cds and .fmt files.

Before sending the event to the TEC event server, the Risk Manager EIF formats the string data into a set of attribute and value pairs.

An example of a formatted string is shown below. The -f flag indicates that the string is formatted and that the first value in the string is the TEC event object class name.

wrmsendmsg -f "NIDS_DOS;date='12:22:23';rm_SensorIPAddr=11.34.65.99;rm_Timestamp=0x39d8e8ff;rm_DestinationIPAddr=10.0.0.3"

An example of an unformatted string is shown below. The Risk Manager EIF .cds file parses the string, assigns the object's class name, assigns values to the appropriate attributes, and then sends the event to TEC.

wrmsendmsg "Oct 3 12:22:23 2000 syslog NIDS foo.tivoli.com 0x39d8e8ff 10.0.0.3"

Managing the Risk Manager EIF

The wrmadmin command controls the Risk Manager EIF and the Risk Manager Observer (RMO). This command has the following options:

-kill Terminates the Risk Manager EIF daemon. When an application calls this option, the Risk Manager EIF daemon restarts automatically.

-info Displays version information.

-restart Stops and restarts the Risk Manager EIF daemon and the RMO after a configuration change. This command must be run after the rmad.conf or rmad_summary.rules file has been changed.

Creating the Risk Manager EIF CDS file

Use the riskmgr_gencds command to add format file information to the rmad.cds file.


The command generates the .cds file used by the Risk Manager EIF. The Risk Manager EIF does not include a default .cds file. A .cds file is required when one or more Risk Manager EIF applications use unformatted event message strings. In that case, the required CDS file is built using the appropriate .fmt file.

Configuring the Risk Manager EIF

For how to install the Risk Manager EIF on the supported operating systems, see "Installing Risk Manager" on page 33. The Risk Manager EIF can be installed on Tivoli endpoints and on non-Tivoli nodes. A non-Tivoli node is a client that is not defined as an endpoint of a Tivoli Management Region (TMR).

After installing the Risk Manager EIF, configure it by doing the following:

¶ Edit the rmad.conf configuration file as needed.

For example, the default name of the Risk Manager EIF .cds file is rmad.cds unless it has been changed using the AdapterCdsFile parameter in the rmad.conf file. The base name of the format file must be the same as the base name of the .cds file (rmad.fmt and rmad.cds, respectively).

¶ Concatenate the format files and regenerate the .cds file. See "Building format files and class definition statement files".

In a non-Tivoli environment, you can edit the Risk Manager configuration files manually and create the .fmt file and its associated .cds file. In a Tivoli environment, you can distribute configuration updates using the ACF. For how to use the ACF, see "Configuring and distributing Risk Manager adapters using the ACF" on page 49.

Building format files and class definition statement files

Perform the following steps to build a new format file and a new .cds file for the Risk Manager EIF.

1. If an existing Risk Manager EIF rmad.fmt format file exists, append the application's format file to the end of that file. Otherwise, make a copy of the application format file and give it a similar name (for example, rmad.fmt02).

2. Run the riskmgr_gencds command with the rmad.fmt file as input to create the new .cds file:

riskmgr_gencds rmad.fmt > rmad.cds

The default name of the Risk Manager EIF .cds file is rmad.cds unless it has been changed using the AdapterCdsFile parameter in the rmad.conf file. The base name of the format file must be the same as the base name of the .cds file (rmad.fmt and rmad.cds, respectively).


Both of these files are located by default in the $RMADHOME\RISKMGR\adapters\etc directory.

Perl interface

The Risk Manager EIF provides an interface for sending events to the Risk Manager TEC Server from Perl scripts. To access the Risk Manager EIF from a Perl script, also install Risk Manager Perl support and run the script using the Risk Manager Perl distribution.

Risk Manager supports Perl on UNIX and Windows systems.

Configuring the Risk Manager EIF for TME or non-TME environments

The Risk Manager EIF uses a different version of the Risk Manager EIF daemon depending on whether it runs in a TME or a non-TME environment. On UNIX systems, Risk Manager uses the rmeif_cfg command to configure Risk Manager to run in a TME or non-TME environment.

If the TME endpoint environment script lcf_env.sh is found during the installation process, the TME environment is used. If multiple lcf_env.sh files are found, the last file found is used. To change the default configuration set at installation time, use the rmeif_cfg command.

To configure the Risk Manager EIF to run in either a TME or a non-TME environment, use the rmeif_cfg command. The syntax of the command is as follows:

rmeif_cfg { -n | -t [ -d directory ] }

-n Specifies a non-TME environment.

-t Specifies a TME environment.

-d directory

Specifies the directory in which the TME endpoint's lcf_env.sh environment script is located.

On exit, 0 indicates normal completion, and a value greater than 0 indicates an error.

Use the -n option to configure the Risk Manager EIF to run in a non-TME environment. This flag changes the $RMADHOME/bin/rmad_cad symbolic link to point to $RMADHOME/bin/nontme/rmad_cad (the non-TME version of the Risk Manager EIF daemon). In the Risk Manager environment script /etc/Tivoli/rma_eif_env.sh, the line that sources the TME endpoint's environment script is deleted.

Use the -t option to configure the Risk Manager EIF to run in a TME environment. This flag changes the $RMADHOME/bin/rmad_cad symbolic link to point to $RMADHOME/bin/tme/rmad_cad (the TME version of the Risk Manager EIF daemon). In the Risk Manager environment script /etc/Tivoli/rma_eif_env.sh, the line that sources the TME endpoint's environment script is added.


When the optional -d directory flag is used together with the -t flag, the rmeif_cfg command uses the directory/lcf_env.sh file, if it exists, as the TME endpoint's environment script. When the -d flag is not used with -t, the rmeif_cfg command searches all subdirectories of the /etc/Tivoli/lcf directory for an lcf_env.sh file. If multiple lcf_env.sh files are found, the last file found is used as the TME endpoint's environment script, but it may not be the correct environment script for that TME endpoint.

Note: If an endpoint is reinstalled without properly cleaning up the previous endpoint installation, multiple lcf_env.sh environment scripts may exist. If there are multiple lcf_env.sh files on the system (multiple numbered directories exist under /etc/Tivoli/lcf), the -d flag must be used together with -t so that the correct environment script for the TME endpoint in use is sourced by the Risk Manager script (/etc/Tivoli/rma_eif_env.sh).

To complete the configuration of the Risk Manager Event Integration Facility, the rmad.conf file must be configured. For configuring the rmad.conf file, see "Risk Manager EIF configuration file".

rmeif_cfg command examples

The following are examples of the rmeif_cfg command.

1. To configure the Risk Manager EIF for use in a non-TME environment, enter the following:

rmeif_cfg -n

2. To configure the Risk Manager EIF for use on a TME endpoint, enter the following:

rmeif_cfg -t -d /etc/Tivoli/lcf/1

In this example, the lcf_env.sh script is in the /etc/Tivoli/lcf/1 directory.

Risk Manager EIF configuration file

The Risk Manager EIF uses the rmad.conf file as the repository for configuration options and event filters. This file is read when the Risk Manager EIF daemon starts. By changing this file, the Risk Manager EIF can be reconfigured at any time. To make configuration changes take effect, stop and restart the Risk Manager Event Integration Facility.

The rmad.conf file is located in the following directory:

$RMADHOME/etc

Installation_dir is the installation location of the Risk Manager EIF.

Risk Manager EIF configuration file format

Comment lines begin with a pound sign (#). Blank lines may be used. An example is shown in "Configuration file example" on page 95.

¶ To specify a configuration option:

keyword=value


¶ To specify an event filter for events that are not to be sent to the event buffer:

Filter:CLASS=class_name;attribute=value;

Note: attribute=value was formerly slot=value.

¶ To specify a buffer filter for events that are not to be sent to the event buffer:

FilterCache:CLASS=class_name;attribute=value;

Configuration file example

#
# Communication Parameters
#
ServerLocation=ravel
ServerPort=5529
EventMaxSize=4096
ConnectionMode=CO
#
# Event Filters
#
Filter:Class=disk_event
Filter:Class=su_login; origin=126.32.2.14

rmad.conf configuration file keywords

Keywords have the form keyword=value. Unless enclosed in quotation marks, blanks must not be used in a keyword statement. Class names that are not defined in a .baroc file must not be used with a configuration option. If a keyword is misspelled, or a keyword is set to an invalid value, no error message is issued.

The Risk Manager EIF rmad.conf configuration file contains the following keywords. These keywords are common to most adapters, and each item appears on a separate line.

AdapterCdsFile=Path

Specifies the absolute path name of the .cds file. This keyword is required when the .cds file is not in the same directory as the configuration file.

AdapterErrorFile=Path

Specifies the absolute path name of the error file. This keyword is required when the error file is not in the same directory as the configuration file.

AdapterSpecificFile=Path

Specifies the absolute path name of the adapter-specific configuration file. This keyword is required when the adapter-specific file is not in the same directory as the configuration file.

AdapterTimeOut

Specifies the time-out of the Risk Manager Event Integration Facility daemon in seconds (UNIX only).

BufEvtMaxSize

Specifies the maximum size of the event adapter's buffer file in kilobytes. The default value is 64.

The BufEvtMaxSize keyword is optional.


BufEvtPath

Specifies the absolute path name of the event adapter's buffer file. The default on UNIX systems is /etc/Tivoli/tec/cache. The default on Windows systems is cache.dat.

The BufEvtPath keyword is optional.

BufEvtRdblkLen

Specifies the size, in kilobytes, of the event adapter buffer file block that is read. This size must be large enough to hold at least one event. The default value is 64.

The BufEvtRdblkLen keyword is optional.

BufEvtShrinkBlk

Specifies the block size, in kilobytes, used for copying data when the adapter's buffer file is shrunk.

The BufEvtShrinkBlk keyword is optional.

BufEvtShrinkSize

Specifies the amount, in kilobytes, by which the event adapter's buffer file is shrunk when BufEvtMaxSize is exceeded. The default value is 8.

The BufEvtShrinkSize keyword is optional.

BufferEvents

Specifies whether event buffering is enabled. The default value is YES. If BufferEvents is set to anything other than YES, events are not buffered. This value is not case sensitive.

The BufferEvents keyword is optional.

BufferFlushRate

Specifies the number of events sent per minute. When a broken connection is recovered by the adapter and there are events in the buffer, the events are sent in bursts at this rate per minute. The default value is 0, and events are sent in a single burst.

The BufferFlushRate keyword is optional.

BuffersEventsLimit=Limit

Specifies the maximum number of events held in the buffer when the event server is down. The default is unlimited (no value specified for Limit). This means that the maximum number of events held in the buffer is limited only by the amount of memory. When this memory limit is exceeded, the oldest events in the queue are discarded to make room for the newest events.

ConnectionMode

Specifies the connection mode used to connect to the event server. The valid values are as follows:

connection_oriented

The connection is established at adapter initialization and maintained for the events that are sent. A new connection is established only if the existing connection is lost. The connection is discarded when the adapter terminates.


When used with an adapter that generates a large volume of alarms, the connection_oriented, CO, or co mode can improve throughput efficiency.

connection_less

A new connection is established (and then discarded) for each event sent. This is the default value.

The ConnectionMode keyword is optional.

EnableTrace

Used by the Risk Manager Observer. Setting this value to YES enables tracing by the Observer. The default is NO. When EnableTrace=YES, data is written to the file specified by the TraceFile parameter if that parameter is set. If it is not set, data is written to standard output.

EventMaxSize

Specifies the maximum length of an event. The default value is 4096.

The EventMaxSize keyword is optional.

Filter

Specifies how events are filtered. Filter statements are used by FilterMode to select which events are sent to the event server and which are discarded. An event matches a Filter statement when each attribute=value pair in the Filter statement equals the corresponding attribute=value pair in the event. A Filter statement must contain the event class, and it can also contain any other attribute=value pairs defined for that event class. The format of a Filter statement is as follows:

Filter:Class=class_name;attribute=value;...;attribute=value

Each Filter statement must be a single line of at most 512 characters.

The Filter keyword is optional. If no filter is specified, events are sent to the event server.

FilterCache

Specifies how buffered events are filtered. When an event cannot be sent to the event server normally and BufferEvents=yes is specified or is in effect by default, the event is placed in the cache. An event matches a FilterCache statement when each attribute=value pair in the FilterCache statement equals the corresponding attribute=value pair in the event. A FilterCache statement must contain the event class, and it can also contain any other attribute=value pairs defined for that event class. The format of a FilterCache statement is as follows:

FilterCache:Class=class name;attribute=value;...;attribute=value

Each FilterCache statement must be a single line of at most 512 characters.

The FilterCache keyword is optional. If no buffer filter is specified, events are placed in the buffer.


FilterMode
Specifies whether events that match a Filter or FilterCache statement are sent (FilterMode=IN) or excluded (FilterMode=OUT). The default value is OUT.

The FilterMode keyword is optional. If FilterMode is not specified, only events that match none of the Filter or FilterCache statements are sent to the event server.

Note: If you set FilterMode=IN, be sure to define one or more Filter or FilterCache statements. If no such statement is defined, the event server receives no events from the adapter.

LocalEventPort
Used by the Risk Manager Observer. Defines the socket on which the Observer receives events. The default port number is 5529. It may be necessary to change the default LocalEventPort before starting the Risk Manager EIF: if a bind error occurs when the Risk Manager EIF starts, change LocalEventPort to an available port and restart.

Note: When running the RMO on a Windows NT Server, choose a port number different from the TEC server's port number.

LocalEventProcessing
Used by the Risk Manager Observer. Setting LocalEventProcessing=YES enables event summarization for Risk Manager EIF applications. A Risk Manager EIF application is one that uses the rmad_send_message API; examples are the Check Point FireWall-1 and Cisco Secure IDS adapters, whose rules are defined in rmad_summary.rules. Summarized (or aggregated) events are sent to the TEC Server. With LocalEventProcessing=NO, every individual event is sent directly to the TEC Server. LocalEventProcessing=NO can also be set when the adapters or sensors that use the Risk Manager EIF have no summarization rules. For example, the Web IDS has no summarization rules, so if the Web IDS is the only application using the Risk Manager EIF, LocalEventProcessing=NO can be set.

RetryInterval
When ConnectionMode=connection_oriented is specified and the connection to the event server is lost, the adapter waits the specified number of seconds before connecting to the secondary server or buffering the events. While the adapter is waiting for this period to elapse, it does not process new events.

Specifying this option lets the adapter keep sending events to the primary event server even while that server is stopped. This lets the server be restarted immediately, for example to load a new rule base.

If you use this option to wait for the event server to restart, set the value to a period longer than the time the event server needs to stop and restart.

The default is 120 seconds.

The RetryInterval keyword is optional.

RmadLogging
Enables execution logging for the Risk Manager EIF daemon. Set RmadLogging=YES or RmadLogging=Yes to trace the Risk Manager EIF's processing and write the trace to the rmad.log file.

Rmo_AcceptNonLocalEvents
When set to YES, the Risk Manager Observer daemon accepts connections from remote applications. The default is NO, because accepting connections from non-local applications can cause problems when the Risk Manager EIF is configured to send events to TEC using TME security.

Rmo_EnableTrace
To enable tracing by the Risk Manager Observer daemon, set Rmo_EnableTrace=YES.

Rmo_TraceFile
When Rmo_EnableTrace=YES, set this parameter to name the file to which trace data is written. If Rmo_TraceFile is not specified, the data is written to standard output.

Rmo_WorkingDir
Specifies the working directory of the Risk Manager Observer. By default, the Risk Manager Observer uses the following directory as its working directory for storage: /var/RISKMGR (on UNIX systems) and %TEMP% (on Windows systems).

ServerLocation
Specifies the name of the host on which the event server is installed. The value of this field must take one of the following forms, depending on where the Risk Manager EIF daemon is installed, whether the event adapter is secure or non-secure, and whether the event server is inside the Tivoli management region (TMR).

Location                       Format
TME                            @EventServer
TME in an interconnected TMR   @EventServer#RegionName
Non-TME, non-secure            host name or IP_address

IP_address is written in dotted format.

For a non-TME adapter, ServerLocation can hold up to eight comma-separated values. The first location is the primary event server; the second and subsequent locations are the secondary servers used when the primary server is down. For an endpoint adapter, which is a TME adapter, ServerLocation can name only the primary event server; secondary event servers are specified in the TEC gateway configuration file.

The ServerLocation keyword is required.

Note: When ServerLocation is used together with the TestMode keyword, it defines the path and name of a file to which events are logged instead of an event server.

ServerPort
Specifies the port number on which the event server listens for events. Leave this keyword at 0 (the default) unless the portmapper is not available on the event server. If the port number is 0 or is not specified, the port number is looked up through the portmapper.

ServerPort can hold up to eight comma-separated values. Regardless of the number of ServerLocation values, a single port number can be given; if several port numbers are given, there must be one for each ServerLocation value.

The default is 0.

The ServerPort keyword is optional when the event server runs on a UNIX system and required when it runs on a Windows system.

Note: The portmapper daemon, which lets adapters find the receive port at run time, does not exist in the Windows NT environment. For connections and adapter communication the event server listens on a fixed receive port (tec_recv_agent_port in .tec_config). Set ServerPort to the same value as tec_recv_agent_port in the .tec_config file in the $BINDIR/TME/TEC directory.

TestMode
Specifies whether test mode is on or off. When TestMode=Yes is specified, the ServerLocation keyword names a file to which events are logged instead of an event server. The permitted values are Yes and No (not case-sensitive). The default value is No.

The TestMode keyword is optional.

Event filters
Normally the Risk Manager EIF sends events to the event server. Optionally, you can specify that events are, or are not, sent to the event server. You do this by filtering events with tuples. A tuple contains information such as the event class, the origin, the severity, or other attribute=value pairs defined for the event class.

Specify each event filter entry on a single line of at most 512 characters in the rmad.conf configuration file. The configuration file can contain as many event filter entries as needed. The class name given in an event filter entry must match a defined class name.

The format of an event filter entry is as follows:

Filter:Class=ClassName;attribute=value;...;attribute=value

The configuration keyword FilterMode changes the filtering behavior of the Risk Manager EIF. By default FilterMode is set to OUT. Adding FilterMode=IN to the configuration file causes only the events that match a filter to be sent to the event server. For details of filtering behavior, see the Tivoli Enterprise Console Adapter Guide.

Event buffer filters
When the Risk Manager EIF cannot connect to the event server or to the TEC gateway and event buffering is enabled, events are written to the Risk Manager EIF buffer file. To enable event buffering, set BufferEvents=yes in the configuration file. The buffer file is defined with the BufEvtPath keyword.

Events sent to the buffer file can be filtered in the same way as events sent to the event server. Each event buffer filter entry must be on a single line of the adapter configuration file. The configuration file can contain as many event buffer filter entries as needed. The class name given in an event buffer filter entry must match a defined class name.

There is no default event buffer filter.

The format of an event buffer filter entry is as follows:

FilterCache:Class=ClassName;attribute=value;...;attribute=value

The rmad_summary.rules file
The rmad_summary.rules file specifies filters and event aggregation.

The rules that govern the summarization scheme are defined in the rmad_summary.rules file. Each rule specifies the following information:

• The name of the event class to summarize.
• The time interval during which information is collected for events matching the rule.
• For the specified event class, the names of the attributes whose values must match the event's values.
• Values that replace attributes that are not matched. These values can be given for each summary event.

For example, a rule can be built from the following information:

FW_connection_denied
Names the class of the event.

FW_source_IPAddr
Specifies the source IP address that must match the event's value.

FW_destination_IPAddr
Specifies the destination IP address that must match the event's value.


30000
The time, in milliseconds, to wait for further events matching the rule before the event is forwarded to TEC.

Set FW_source_port = *
Specifies the replacement value for the source port attribute used in the summary event.

Set FW_dest_port = *
Specifies the replacement value for the destination port attribute used in the summary event.

Set msg="Summarized port scan"
Specifies the replacement value for the msg attribute used in the summary event.

This summarization scheme detects sets of frequently occurring FW_connection_denied events, which indicate a port scan against a particular host. When the Risk Manager EIF receives an event of class FW_connection_denied, the rule fires, a summary event is created, and a timer starts. If the timer expires before any other event matches the summary event (by event class name and attribute values), a single event is sent to TEC. If several events share the same class name and attribute values, they are sent to TEC as a single summary event.

During the following 30 seconds, further FW_connection_denied events are collected according to the rule; their FW_source_IPAddr and FW_destination_IPAddr attributes must equal those of the original trigger event. The Risk Manager EIF discards every such matching event, counting it in the repeat_count value. When the timer expires after 30 seconds, the EIF builds the summary event and sends it to TEC. The summary event has the same class name as the original event. If replacement values were given for the FW_source_port, FW_dest_port, and msg attributes, the summary event carries those values.

Note: repeat_count holds the number of individual events represented by the summary event. It is included in the summary event forwarded to the TEC Server.

Summarization example
The following example uses the FW_connection_denied class. In this example the Risk Manager EIF receives ten individual events of class FW_connection_denied within 30 seconds.

Note: This example specifies 30 seconds, but any timer setting in milliseconds is possible.

In this example the Risk Manager EIF holds three summary events, because there are three unique combinations of event class, source IP address, and destination IP address. Two of them match the given criteria and therefore become summary events. The third does not match the criteria, so the EIF sends that event to TEC unchanged, as received.

Table 15 on page 103 shows an example of events received by the Risk Manager EIF. The last attribute, msg, indicates the destination port that was the target of the scan. The event class of every event shown is FW_connection_denied.


Table 15. Original events received by the sensor. The last attribute, the msg attribute in this example, must indicate that the event is a summary event. The event class of every event shown is FW_connection_denied.

Summary event  Source IP address  Destination IP address  Source port  Destination port
1              23.56.78.99        32.11.22.33             5432         389
2              44.55.66.77        66.77.88.99             6000         1000
1              23.56.78.99        32.11.22.33             5432         389
2              44.55.66.77        66.77.77.88             6000         1001
2              44.55.66.77        66.77.77.88             6000         1002
1              23.56.78.99        32.11.22.33             5432         389
3              11.11.11.11        22.22.22.22             10000        9999
1              23.56.78.99        32.11.22.33             5432         389
2              44.55.66.77        66.77.77.88             6000         1001
2              44.55.66.77        66.77.77.88             6000         1002

Table 16 shows the events after processing by the Risk Manager EIF.

Table 16. Events processed by the summarization scheme. The last attribute, msg, indicates the destination port that was the target of the scan. The event class of every event shown is FW_connection_denied.

Summary event ID  Source IP address  Destination IP address  Source port  Destination port  repeat_count
Summary 1         23.56.78.99        32.11.22.33             "*"          "*"               3
Summary 2         44.55.66.77        66.77.88.99             "*"          "*"               4
Original 3        11.11.11.11        22.22.22.22             10000        9999              0

Note: The repeat_count attribute takes a value of zero or more and gives the number of original events represented by the summary event. The repeat_count value is actually one less than the number of events summarized. For example, if ten events are summarized, repeat_count is set to 9. If an event is not summarized, repeat_count is zero.
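To make the timer and repeat_count behaviour concrete, here is an added simulation of the FW_connection_denied rule (example code written for this page, not code from the guide or from the Risk Manager EIF): events sharing class, source IP and destination IP that arrive within a 30000 ms window are collapsed into one summary event carrying the Set replacement values, and repeat_count ends up one less than the number of events folded in. The event stream is constructed, modelled on the three source/destination combinations of Table 15 (four, five and one events), with one extra late event added to show what happens after the window has expired; the msg text of the raw events is likewise constructed.

```python
WINDOW_MS = 30000                 # collection interval of the example rule
EVENT_CLASS = "FW_connection_denied"

# Constructed event stream (time in ms, source IP, destination IP, source port,
# destination port): four, five and one events for three combinations, plus
# one event that arrives after the first window has expired.
SAMPLE = [
    (0, "23.56.78.99", "32.11.22.33", 5432, 389),
    (1000, "44.55.66.77", "66.77.88.99", 6000, 1000),
    (2000, "23.56.78.99", "32.11.22.33", 5432, 389),
    (3000, "44.55.66.77", "66.77.88.99", 6000, 1001),
    (4000, "44.55.66.77", "66.77.88.99", 6000, 1002),
    (5000, "23.56.78.99", "32.11.22.33", 5432, 389),
    (6000, "11.11.11.11", "22.22.22.22", 10000, 9999),
    (7000, "23.56.78.99", "32.11.22.33", 5432, 389),
    (8000, "44.55.66.77", "66.77.88.99", 6000, 1001),
    (9000, "44.55.66.77", "66.77.88.99", 6000, 1002),
    (45000, "23.56.78.99", "32.11.22.33", 5432, 389),  # arrives after the window
]


def make_event(src, dst, sport, dport):
    """Build one event as a dict of attribute=value pairs (msg is constructed)."""
    return {"Class": EVENT_CLASS, "FW_source_IPAddr": src, "FW_destination_IPAddr": dst,
            "FW_source_port": sport, "FW_dest_port": dport, "msg": "Connection denied"}


def summarize(events, window_ms=WINDOW_MS):
    """Apply the guide's FW_connection_denied rule to a time-ordered event list.

    Events with the same class, FW_source_IPAddr and FW_destination_IPAddr that
    arrive within window_ms of the first one are folded into a single summary
    event; an event whose timer expires alone is forwarded unchanged with
    repeat_count 0. Returns the events in the order they would reach TEC.
    """
    pending = {}   # (class, src, dst) -> [start_time, first_event, count]
    out = []

    def flush(key):
        start, first, count = pending.pop(key)
        if count == 1:
            out.append(dict(first, repeat_count=0))   # sent as received
            return
        summary = dict(first)
        summary["FW_source_port"] = "*"             # Set FW_source_port = *
        summary["FW_dest_port"] = "*"               # Set FW_dest_port = *
        summary["msg"] = "Summarized port scan"     # Set msg="Summarized port scan"
        summary["repeat_count"] = count - 1         # one less than events folded in
        out.append(summary)

    for t, src, dst, sport, dport in events:
        for key in list(pending):                   # expire finished timers first
            if t - pending[key][0] >= window_ms:
                flush(key)
        key = (EVENT_CLASS, src, dst)
        if key in pending:
            pending[key][2] += 1                    # attributes match: fold it in
        else:
            pending[key] = [t, make_event(src, dst, sport, dport), 1]
    for key in list(pending):                       # end of input: all timers expire
        flush(key)
    return out


if __name__ == "__main__":
    for ev in summarize(SAMPLE):
        print(ev["FW_source_IPAddr"], ev["FW_destination_IPAddr"],
              ev["FW_source_port"], ev["FW_dest_port"], ev["repeat_count"])
```

The first three results reproduce the shape of Table 16 (repeat_count 3, 4 and 0); the late fourth event starts a fresh timer and, having no companions, is forwarded with its original ports and repeat_count 0.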

Creating summarization rules
The following example shows a template for creating a new summarization rule in the rmad_summary.rules file.

Each rule contains five kinds of element. In the example the five elements are numbered so that each element's position within the rule is easy to see.

1. This element is the name label of the rule. The label can be any value but cannot contain spaces. In this example the label used is PIX_Portscan_In, indicating an inbound port scan.

2. This element is the class name of the event to summarize. In this example the class name is PIX_TCP_in_conn_denied.

3. Attributes contained in the PIX_TCP_in_conn_denied class. For a subsequent event to be folded into the summary event, its values must match the values of these attributes. In this example there are six matching attributes (pix_sev, pix_code, pix_ifname, rm_SourceIPAddr, rm_DestinationIPAddr, and rm_SensorIPAddr).


4. The timeout value, set in milliseconds. In this example it is 30000 milliseconds.

5. This is the SET directive. It defines replacement values for attributes that are not used for summarization. A replacement value is given for the msg attribute, and it serves as an additional indicator that the event being created is a summary event. Neither the attribute nor the replacement string can contain spaces.

The following example brings the five element types together:

(PIX_PortScan_In # Element 1
{PIX_TCP_in_conn_denied} # Element 2
[cloneableattributeSet=&pix_sev, # Element 3
&pix_code,&pix_ifname,&rm_SourceIPAddr,&rm_DestinationIPAddr,&rm_SensorIPAddr
]statemachine.collector 30000 # Element 4
(true
)!(SummarySET:rm_SrcPort=*,rm_DstPort=*,
msg=SUMMARY_Multiple_TCPIP_Inbound_connections_denied_by_Cisco_PIX_firewall # Element 5
);

Note: This format requires the delimiters shown: parentheses ( ), brackets [ ], and braces { }. Strings in the SET directive cannot contain spaces. If no replacement values are needed, the SET directive and its values can be omitted. The following example shows the format without a SET directive:

(PIX_Generic_Minor_Evt{PIX_Generic_Minor}[cloneableattributeSet=&rm_SensorIPAddr,
&pixm_code,&msg
]statemachine.collector 30000(
true)
)!Summary);

Checking the format of the rules file
You can check the format of a rules file with the check-rules script (checkrules.cmd on Windows). By default the script checks the $RMADHOME/etc/rmad_summary.rules file. You can also pass the script the fully qualified name of another file to check the format of that file's rules.

Note: The check-rules script checks only the format of the rules. It does not check whether the attributes in the attribute set list or in a SET:attr=value statement match the attributes defined in the event's .baroc file. Make sure that the event attribute names match the values set in the baroc file; if they do not, the summarization results will be inaccurate and event parsing errors can occur on the event server. When adding or changing summarization rules for the events shipped with Risk Manager, note that the baroc files are installed in the $BINDIR/RISKMGR/corr/tec directory of the Risk Manager Server.

Other Risk Manager EIF files
The Risk Manager Event Integration Facility interfaces with the following files.

BAROC (.baroc) files: Most applications that use the Risk Manager EIF come with a .baroc file describing the event classes that the Risk Manager EIF supports. Unless the event server has loaded this file, it cannot process the events received from the Risk Manager EIF. The .baroc files are installed and loaded automatically when the event server is installed.

Class definition statement (.cds) files: The Risk Manager EIF uses the class definition statement file to map incoming raw events to a particular class and to define the event's attributes before forwarding the event to the event server.

Format files: An application that sends events to the Risk Manager EIF can supply strings of any length, so in some cases a message must be associated with an event class. This association is made with a format file. A format file normally has the extension .fmt.

Error file: The Risk Manager EIF error file (default name rmad.err) enables tracing at all levels. Debugging can be activated for selected Risk Manager EIF modules (parser, kernel, fetch, map, and so on) at any error or trace level, and a separate log file can be specified for each module and level pair. This form of debugging consumes a large amount of disk space. To collect the maximum information about a problem, change every /dev/null instance in rmad.err to /tmp/filename.err (\%TEMP%\filename.err on Windows).


Risk Manager TEC Tasks

Risk Manager provides a task library called Tasks for Enterprise Risk Management (referred to in this guide as Tivoli Enterprise Console (TEC) tasks). Risk Manager installs this task library in the default TEC policy region, TEC-Region.

This chapter is a quick reference to the tasks performed from TEC. Each task is also described in detail in the chapter for the adapter concerned.

TEC tasks
Tivoli Enterprise Console tasks are tasks run from TEC. On systems where a particular adapter is installed, other commands can also be run; the chapter for each adapter describes the commands specific to that adapter.

For every TEC task you must specify the following:

• Where the task output goes (the display, or the name of a file)
• The endpoint on which the task runs

TEC tasks for UNIX systems
To run an individual UNIX system task with a TEC task:

1. On the Tivoli desktop, click the TEC task library titled Tasks for Enterprise Risk Management.
2. From the following list, click the TEC task to run.

Deactivate_Unix_User_Account
This TEC task specifies the user ID whose account is to be deactivated.

List_Active_Unix_Processes
This TEC task specifies a search filter to use when the name of the required application process ID (PID) is known. If no filter is specified, the active processes are listed.

View_Component_Status_for_Unix
This TEC task displays the status of the Risk Manager server on a UNIX managed node.


Kill_Unix_Process
This TEC task specifies the process ID (pid) of the process to stop.

Run_Unix_Command
Enter the UNIX command to run.

TEC tasks for Windows systems
On Windows systems you can control whether the system captures security events when the administrative tool supplied with the operating system (User Manager) is used. With this task you can enable or disable auditing of security events on a Windows system endpoint.

The program rmt_ntaudit.exe must be available on the system being audited. To distribute this program, use the Task Support for Tivoli Host IDS for Windows profile supplied with Risk Manager.

To run an individual Windows system task with a TEC task:

1. On the Tivoli desktop, click the TEC task library titled Tasks for Enterprise Risk Management.
2. From the following list, click the TEC task to run.

Run_Windows_NT_Command
Enter the Windows system command to run. To run this task, Perl must be installed on the Windows system and the location of the Perl interpreter must be defined in the PATH.

Enable_Windows_NT_Event_Auditing
This TEC task enables event auditing on a Windows system.

Select the success or failure value:

• Success and failure
• Success
• Failure
• Neither success nor failure

Select the event types:

• Logon and logoff
• File and object access
• Use of user rights
• User and group management
• Security policy changes
• Restart, shutdown, and system
• Process tracking


Disable_Windows_NT_Event_Auditing
This TEC task disables event auditing on a Windows system.

Deactivate_Windows_NT_User_Account
This TEC task specifies the Windows system user ID whose account is to be deactivated.

List_Active_Windows_NT_Services
This TEC task lists the Windows system services that are active on a Windows system.

View_Component_Status_for_Windows NT
This TEC task displays the status of the Risk Manager server on a Windows system. The output looks like the following example:

rmcorr_cfg:Info: ---------------------------------------------
rmcorr_cfg:Info: Checking Status of Risk Manager Components...
rmcorr_cfg:Info: ---------------------------------------------
rmcorr_cfg:Info: TMR Host: myTMRserver
rmcorr_cfg:Info: TMR install dir: f:/Tivoli/bin/w32-ix86
rmcorr_cfg:Info: Region name: myTMRserver-region
rmcorr_cfg:Info: Risk Mgr install dir: f:/Tivoli/bin/w32-ix86/RISKMGR/corr
rmcorr_cfg:Info: Current rulebase: rm1002
rmcorr_cfg:Info: Current rulebase path: f:\myrulebase
rmcorr_cfg:Info: Event cache size: 2000
rmcorr_cfg:Info: Class RM_SensorEvent is defined
rmcorr_cfg:Info: Rules files in rulebase:
Rule Set files
--------------
normalization.rls
sensorevent.rls
situation.rls
timer.rls
boot.rls

Start_Windows_NT_Service
This TEC task specifies the name of the Windows system service to start. For example, to start the Apache Web server, specify apache as the service name; to start the Check Point FireWall-1 adapter, specify rma_cpfw as the service name.

Stop_Windows_NT_Service
This TEC task specifies the name of the Windows system service to stop.

TEC tasks for archiving events
Risk Manager TEC events can be archived using the TEC database. To retain events for historical analysis or for use with Tivoli Decision Support, use the following tasks. For Tivoli Decision Support, see Tivoli Decision Support for Enterprise Risk Management.


To create a snapshot of the Risk Manager events in the TEC database, select Archive_Sensor_Events.

To schedule archiving to run periodically, select Schedule_Event_Archiving.

Unless events have been archived, whether immediately or on a periodic schedule, TDS reports produce no data. If you do not use TDS, there is no need to archive events. If you use TDS reports to view the events, schedule periodic archiving. To archive events with a TEC task:

1. On the Tivoli desktop, click the TEC task library titled Tasks for Enterprise Risk Management.
2. From the following list, click the TEC task to run.

Archive_Sensor_Events
Select this task to archive Risk Manager sensor event data for data mining with Tivoli Decision Support. Each time the task runs, Risk Manager sensor events that have not yet been archived are copied from the TEC event repository to the Risk Manager archive tables. Not all event attributes are copied. Details are also given in the Decision Support Guide for Enterprise Risk Management.

Schedule_Event_Archiving
Select this task to schedule archiving to run periodically.

Specify, in minutes, the interval after which Archive_Sensor_Events starts; the task then repeats indefinitely at that interval.

Specify the frequency of the interval in minutes. The default is once an hour (every 60 minutes).

Each time this interval elapses, all Risk Manager sensor events that have not yet been archived are copied from the TEC event repository to the Risk Manager archive tables.

Not all event attributes are copied. Details are also given in the Decision Support Guide for Enterprise Risk Management.

TEC tasks for starting Risk Manager adapters
Risk Manager provides tasks for starting Risk Manager adapters from the Tivoli desktop. Before running a TEC task, make sure the adapter is installed on the endpoint.

Risk Manager provides the following TEC tasks for starting Risk Manager adapters:

Start_Cisco_Secure_IDS_Adapter

Start_CheckPoint_FW-1_Adapter_on_Windows_NT

Start_CheckPoint_FW-1_Adapter_on_Solaris


Start_NIDS_Adapter

TEC tasks for stopping Risk Manager adapters
TEC tasks can be used to stop Risk Manager adapters. Before running a TEC task, make sure the adapter is installed on the endpoint.

Risk Manager provides the following TEC tasks for stopping Risk Manager adapters:

Stop_Cisco_Secure_IDS_Adapter

Stop_CheckPoint_Firewall_Adapter_on_Windows_NT

Stop_CheckPoint_Firewall_Adapter_on_Solaris

Stop_NIDS_Adapter

TEC tasks for Check Point FireWall-1
In addition to the tasks for starting and stopping the Check Point FireWall-1 adapter on Windows systems and Solaris, Risk Manager provides the following TEC tasks specific to this adapter.

CheckPoint_FW-1_by_IP_Address
For a description, see "Summarizing IP address information" on page 186.

CheckPoint_FW-1_by_Source_and_Destination
For a description, see "Summarizing source and destination information" on page 187.

TEC tasks for the Cisco Secure PIX Firewall
The Risk Manager adapter for the Cisco Secure PIX Firewall comes with a set of TEC tasks that can be used to change the configuration of a Cisco Secure PIX Firewall sensor. Risk Manager provides the following TEC tasks for the Cisco Secure PIX Firewall.

Configure_PIX_Firewall_Access
This task changes the PIX Firewall configuration so that connections (existing and new) can be blocked or unblocked (restoring the previous settings).

Configure_PIX_Firewall_Logging
This task changes the PIX Firewall logging configuration so that the firewall can easily be incorporated as a new Risk Manager sensor. For a description, see "Changing the sensor logging configuration" on page 172.

Show_PIX_Firewall_Configuration
Displays the current configuration of the PIX firewall. This task lets you verify the implementation of the site's security policy. For a description, see "Displaying sensor configuration information" on page 172.


TEC tasks for Cisco Secure IDS
Risk Manager provides the Configure_Cisco_DataFeed TEC task, specific to the Cisco Secure IDS adapter. This task sets up communication between the sensor and the Risk Manager adapter for Cisco Secure IDS. For details, see "Adapter for Cisco Secure IDS" on page 139.


Web Intrusion Detection

This chapter covers the following topics:

• "Overview of the Web Intrusion Detection System"
• "Supported Web servers" on page 115
• "TEC correlation for Web IDS events" on page 120
• "Installing the Web IDS" on page 122
• "Administrative tasks" on page 128

For the messages of the Web Intrusion Detection System, see "Web IDS messages" on page 277.

Overview of the Web Intrusion Detection System
The Web Intrusion Detection System (Web IDS) analyzes the access log files generated by a Web server and detects attacks on the Web server from them.

The Web IDS uses a knowledge-based approach to detect known intrusions. It can detect a variety of attacks because a signature is defined for each known Web server attack. An attack signature can be written as a simple text string (such as phf) or as a Perl regular expression, for example:

(?i)count\.cgi

Risk Manager includes the sig.nefarious file, which contains signatures for Web server attacks.

Use the Web IDS when you want to protect a Web server. Install the Web IDS on each Web server.

Use the Web IDS to do the following:

• Run the analysis in real-time mode or batch mode.

Real-time mode
Every new log entry in the access log file is read. The analysis runs as new log entries are appended to the log file. In real-time mode the Web IDS must be deployed on each monitored Web server. The Web IDS supports rolled-over logs; "Specifying log file access for rollover support" on page 121 explains how to configure the Web IDS to schedule log file access.

Batch mode
The Web IDS does not need to run on the Web server. It runs periodically and reads the log file once.

• Capture the requests from a host whenever a request from that host raises an alarm. The captured information can then be analyzed and new signatures defined in the signature file. For automatic analysis of signatures, see "Analyzing Web attack events" on page 131; for how to define new Web attack signatures or exclude old ones, see "Adding and excluding Web attack signatures" on page 133.

• Limit the number of false alarms. A particular set of hosts can be defined as trusted. When the Web IDS receives requests from a trusted host, all alarms that those requests would generate are suppressed. This suppression is useful when a trusted network administrator uses port-scanning software, and it removes many false alarms. See "Adding or excluding trusted signatures" on page 135.

• Specify the types of suspicious activity (alerts, warnings, or other) to output for analysis. For details, see "Specifying the types of suspicious activity" on page 135.

• Enable the recording of suspicious hosts that have performed scans. For details, see "Adding or excluding suspicious hosts" on page 134.

The Web IDS can be configured so that the records collected decay over time. For details, see "Configuring thresholds and decay values" on page 136.

Figure 18 on page 115 shows the flow of data between the Web server, the Web IDS, and the Tivoli Enterprise Console (TEC) server.


Supported Web servers
The Web IDS can monitor for unauthorized events on the following Web servers.

Table 17. Web servers supported by the Web IDS (Web server, then the log file format it produces)

Apache Web server on Windows systems, AIX, and Linux
    CLF access log file format

Lotus Domino Server on Windows NT, AIX, Solaris, and Linux
    CLF access log file format

IBM HTTPD Server on Windows NT, AIX, Solaris, and Linux
    CLF access log file format

Tivoli Policy Director WebSeal Server on Windows NT, AIX, and Solaris
    CLF access log file format

iPlanet Web Server Enterprise Edition (formerly Netscape Enterprise Server) Version 4.1 for Windows NT, AIX, Solaris, and Linux
    CLF access log file format, or a customized access log file format

Microsoft Internet Information Server (IIS) for Windows NT
    The following formats:
    • W3C extended format (W3C)
    • Internet Information Server (IIS)
    • Open Database Connectivity (ODBC)
    • National Center for Supercomputing Applications (NCSA)

Where necessary, the particular Web server must be configured (see "Configuring Web server access log files" on page 124). For example, to use the W3C extended format with the Web IDS, particular options must be selected in the Extended Property window (for details, see "Configuring Microsoft Internet Information Server" on page 125).

Figure 18. Flow of data from the Web server through the Web IDS to the TEC server

Perl
To use the Web IDS, a binary Perl distribution for each supported platform is required. Risk Manager includes the necessary Perl distributions. The Risk Manager Perl distribution also includes a Perl module (rmadpm.pm) that provides the interface to the Risk Manager EIF. By default, this mechanism is used together with the Web IDS.

Events can also be sent to the event server for correlation using the log file adapter.

CLF and other log formats
A Web server tracks requests in its access log file: it writes each request to the access log file. The access log file created by a Web server contains the requests posted to the Web server together with the status information the Web server generates. The Web IDS reads the Web server's access log file.

Depending on the Web server, access log entries are formatted in a particular format. One of the most common is the Common Log Format (CLF) used by the Apache Server and the iPlanet Web Server (formerly Netscape Enterprise Server). The Web IDS supports these formats.

The Web IDS parses Common Log Format (CLF) log files. CLF parsing normally also works for formats that are not created strictly as CLF: if the first few fields of a log entry conform to CLF, the Web IDS ignores any additional fields on the line.

To specify the access log file format, the Web server must be configured for the correct format.

If the log format is embedded in the log file and the descriptor key is set in the configuration key, the Web IDS uses that information to build a new log file format.

If no descriptor or comment value is specified, every request that does not conform to the regular expression the Web IDS uses to parse log entries raises a warning event. For example, some Web servers write the log format as the first line of the log file during a batch-mode run. When this happens the log entry does not conform to CLF, so the Web IDS generates the following event:

ALERT :parser(readAccessLog)==><line1>:Malformed line in the logfile. the other tests skipped.

The sig.nefarious signature file
The Risk Manager sig.nefarious file stores Web attack signatures. The Web IDS uses this file to monitor a Web server and check for attacks.


After installation, the default sig.nefarious file is in the following location:

Windows systems:
Tivoli\lcf\bin\w32-ix86\RISKMGR\adapters\etc\

AIX systems:
/opt/Tivoli/lcf/bin/aix4-r1/RISKMGR/adapters/etc/

Solaris systems:
/opt/Tivoli/lcf/bin/solaris2/RISKMGR/adapters/etc/

Linux systems:
/opt/Tivoli/lcf/bin/linux/RISKMGR/adapters/etc/

To create a specific signature file, either copy the default signature file supplied when Risk Manager was installed, or download the latest version of the signature file from the following Tivoli Support Web site:

http://www.tivoli.com/support/secure_download_bridge.html

You must edit the webids.cfg configuration file to specify the new path and name of the signature file to load. The value to set is signatureFilePath_value=.

Creating signatures requires knowledge of Perl regular expressions. When creating or changing a signature file, follow these basic rules:

• For backup, copy the original default sig.nefarious file and rename the copy.

• Edit the webids.cfg configuration file so that it points to the fully qualified path of the new signature file, for example:

signatureFilePath_value = \Fully_Qualified_Path\new_filename

• A class must consist of a class header and a list of signatures.

• Put each signature on a single line.

• A signature line contains the following items:

1. The signature, expressed as a Perl regular expression
2. A text string naming the attack
3. The system vulnerability ID (if known)
4. The source of the system vulnerability information, such as CVE or Bugtraq

• The four items above are separated into four columns, for example:

(?i)showcode\.asp showcode.asp [CAN-1999-0737] [CVE]

• When defining a new signature, do not use the pound sign (#) as part of the signature name; text after a pound sign is ignored.

• A line that does not start with a pound sign (#), an [engine= directive, or a [class= directive is treated as a signature.

• The Web IDS ignores empty lines.


• The same class name can be used more than once only when the classes are in different engines; within each engine section, class names must be unique.

• Because the Web IDS recognizes only one class at a time, similar attack signatures are placed in a single class (for example, several vulnerable cgi programs go into one class).

• A [class= directive is read sequentially through the file until the next [engine= or [class= directive appears.

• Separate parameters with semicolons (;).

The sig.nefarious file has several sections, each containing signatures (defined as classes). The sections used in this file correspond to the main engines.
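The following added example (written for this page, not code from Risk Manager or from the Web IDS itself, which the guide says is built on Perl) shows the two behaviours described above in one place: a log line that does not parse as CLF produces the parser ALERT, and the url field of well-formed lines is matched against signature lines in the four-column sig.nefarious layout, honouring the rules that text after # is ignored and that empty lines are skipped. The showcode.asp signature is the guide's own example line; the count.cgi signature's name, ID and source columns, the CLF log lines, the client addresses and the timestamps are all constructed for the demo.

```python
import re

# Constructed signature text in the four-column layout (regex, attack name,
# vulnerability id, source). The showcode.asp line is the guide's example;
# the count.cgi line's last three columns are made up for this demo.
SIGNATURE_LINES = r"""
# lines starting with '#' are comments; blank lines are ignored
(?i)showcode\.asp showcode.asp [CAN-1999-0737] [CVE]
(?i)count\.cgi count.cgi [n/a] [n/a]   # constructed entry for this demo
"""

# Common Log Format: host ident authuser [date] "method url proto" status bytes
CLF_RE = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<date>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+)(?: (?P<proto>[^"]*))?" (?P<status>\d{3}) (?P<bytes>\S+)'
)

# Constructed access log: the first line is a format header of the kind the
# guide says some servers write, which is not a valid CLF record.
SAMPLE_LOG = """\
format=CLF
10.0.0.5 - - [01/Jan/2001:10:00:00 +0000] "GET /index.html HTTP/1.0" 200 1043
10.0.0.9 - - [01/Jan/2001:10:00:02 +0000] "GET /showcode.asp HTTP/1.0" 404 284
10.0.0.9 - - [01/Jan/2001:10:00:03 +0000] "GET /cgi-bin/Count.cgi?df=x HTTP/1.0" 500 0
"""


def load_signatures(text):
    """Parse signature lines: drop '#' comments and blank lines, split the four
    columns, and compile column 1 as a regular expression."""
    sigs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # text after '#' is ignored
        if not line:
            continue
        parts = line.split(None, 3)
        if len(parts) != 4:
            raise ValueError("signature line needs four columns: %r" % raw)
        pattern, name, vuln_id, source = parts
        sigs.append((re.compile(pattern), name, vuln_id, source))
    return sigs


def parse_clf(line):
    """Return the CLF fields of one line as a dict, or None if it is malformed."""
    m = CLF_RE.match(line)
    return m.groupdict() if m else None


def scan_log(log_text, signatures):
    """Scan a log; return a finding per malformed line (an ALERT string mirroring
    the guide's parser message) and a (line_no, attack, vuln_id) tuple for every
    signature that matches the url field of a well-formed line."""
    findings = []
    for n, line in enumerate(log_text.splitlines(), 1):
        if not line.strip():
            continue
        rec = parse_clf(line)
        if rec is None:
            findings.append("ALERT :parser(readAccessLog)==><line%d>:Malformed line in the logfile." % n)
            continue
        for rx, name, vuln_id, _source in signatures:
            if rx.search(rec["url"]):
                findings.append((n, name, vuln_id))
    return findings


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG, load_signatures(SIGNATURE_LINES)):
        print(finding)
```

Because the signatures start with the (?i) flag, the mixed-case Count.cgi request is still caught, which is the reason the guide recommends writing signatures as regular expressions rather than fixed strings.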

Parser engine
This engine controls how the log file is read and determines the type of analysis to run. An example of suspicious activity is the encoding of particular characters in hexadecimal.

The parser engine runs tests that examine the method, the string, and the protocol, and detects the following suspicious URL activity:

• Malformed log entries, such as a missing field in the log record
• Missing information or an invalid method
• Empty URL requests
• Incorrect URL format
• Invalid hexadecimal encoding used in a URL request
• Invalid hexadecimal encoding used in a query request
• Suspicious hexadecimal codes used in a URL request
• Suspicious hexadecimal codes used in a query request

These classes are predefined; classes cannot be added or removed.

The format of the class header is as follows:

[class=classname; level1=count1; level2=count2; k=decay_param]

Only the following class parameters can be changed:

• level1=count1;
• level2=count2;
• k=decay_param

For how to configure the class parameters of the parser engine, see "Configuring thresholds and decay values" on page 136.


�����9�0�

Q?<s&(s8sO"m0&U!$k`\NXj7?U#<kINfG6b70KAc<r

!w7^9#Q?<s&(s8s,!w9kU#<kIN?$WNcO"!NH*jG9#

¶ url

¶ status

¶ query

¶ method

/i9&XC@<NA0O"!NH*jG9#

[class=classname; field=fieldname ; level1=count1;level2=count2; k=decay_param]

3N(s8sO"Q<5<&(s8sH1MK"m0`\KP7FF9HrBT7^9#F9

HGYp,/;il?lg"J<N@rN+ak?aKICNF9HrBT9k3H,G-^

9#

¶ T3JWaNHqU#<kINfKT3J`\b"k+I&+

¶ T3JWa,.y7?+I&+

¶ T3JWaK 16 Jt(s3<I (16 J3<I) ,^^lF$k+I&+

kgF9HNlgN/i9&XC@<NA0O"!NH*jG9#

[class=classname; field=field; requires=class; level1=count1;level2=count2; k=decay_param]

G7N/~!NrT&KO"7?K/+5l?6b*hS79F`Ne@r"3NU!$kN

70KAc<&j9HKIC7F/@5$#?i+N;-ejF#<DNNG<?Y<9rH

Q7F"j|*K77$6br4YFIW7F/@5$#

Web IDS Q?<s&(s8sr=.9kKO" sig.nefarious U!$kNQ?<s&(s8

s&;/7gsrT87^9#=.?9/O"!NH*jG9#

¶ 133Z<8NXWeb 6b70KAc<NICH|nY

¶ 132Z<8NX70KAc<&/i9NICH|nY

¶ 136Z<8NX7-$MH:jMN40Y

¶ 133Z<8NXQ?<s&F9HNkgH\Y=Y

suspicion 9�0�suspicion (s8sO"T3G"kH+J5l?[9HrHiC/7^9# Web IDS ,Yp

^?O"i<Hr/9k6xHJkWar"k[9H,w.7?lgO"=N[9H>r

sig.nefarious U!$kKIC7F"3NCjN[9HNHiC/rQ39k3H,G-^

9#

/i9&XC@<NA0O"!NH*jG9#

[class=suspiciousHosts; printLvl=level]

Web IDS r=.9kKO"sig.nefarious U!$kN suspicion (s8s&;/7gsrT

87^9#=.?9/O"!NH*jG9#

¶ 134Z<8NXT3J[9HNIC^?O|nY


¶ 135Z<8NXT3J"/F#SF#<N?$WNXjY

*��9�0�

[9HNCjN;CHrHi9FCI H7FjAG-^9#Hi9FCI&[9H+iWa

ru1hC?H-K8.5lk"i<`O9YF^_5l^9#3N^_O"Hi9FCI&

MCHo</I}T,9-cs&=UH&'"rkHbGHQ9klgKr)A^9#?/N

6N"i<`O|n5l^9#

70KAc<NCjN;CHrHi9FCIH7FjA9k3H,G-^9#5^6^J6b

r!P9kKO"6b70KAc<NFQ-rD=JBjb/7^9#7+7"6b70KA

c<NFQ-NYg$rb/7a.kH"6"i<`,/05lk3H,"j^9#Hi9

H&(s8srHQ9kH"6"i<`Ntr:i93H,G-^9#^:""k70KAc

<rHi9FCIKG-kH=G7^9#!K"6"i<`Ntr:i9?aK3N70KA

c<rIC7^9#

/i9&XC@<NA0O"!NH*jG9#

[class=classname; field=fieldname; cancels=class]

J<Kcr(7^9#

[class=trustedSig; field=url; cancels=all]
/cgi-bin/fortune
/cgi-bin/here

Web IDS r=.9kKO"sig.nefarious U!$kNHi9H&(s8s&;/7gsrT

87^9#=.?9/O"135Z<8NXHi9FCI&70KAc<NIC^?O|nYG

9#

�"+��9�0�

9-CW&(s8sO"Hi9H&(s8sH`w7F$^9#9-CW9k70KAc<N

CjN;CHr (5,==H7F) jA7^9#Web IDS O"3NQ?<sKlW9kWaO

lZh}7^;s#9-CW&(s8sHHi9H&(s8sNc$Oo:+G9,"EWG

9#Hi9H&(s8sGO"lW7?H-K""i<HNCjN/i9rhjC970KA

c<rjA7^9#9-CW&(s8sGO"70KAc<,lW7Fb"WaKP7FO?

bBT5l^;s#GU)kHGO"Web IDS O"gif *hS jpg N$a<8KP9kWa

Oh}7^;s#3liNU!$kO6bN=<9KOJiJ$+iG9#J<Kcr(7^

9#

[class=pictures; field=url]
¥.gif$ gif
¥.jpg$ jpg

Web IDS ������� TEC ��6b,!P5lkH"Web IDS O$YsHr8.7"J<N$:l+rHQ7F=N$Ys

Hr TME "@W?<Kwj^9#

¶ ,ZJm.s0!= (UNIX syslog ^?O Windows NT Event Log "@W?<N$:l

+)

¶ Risk Manager EIF HN$s?<U'<9rs!7F$k Perl b8e<k

Tivoli $YsH&5<P<O=N$YsHrjXh}7"=lir0k<W=7F"MCHo

</N;-ejF#<u7r=9J1J^r=(7^9#jXWm;9O"79F`N;-e


jF#<KHCFEWJ$YsHrb$EgYlYkG=(7"=lKX"psrJiJA0

G^akh&K9kNKr)A^9#jXrBT9kH"k@rY}9kNK=,Jps,#

tN=<9+is;ilF$k3H,N'5lkNG"mC?"i<`N/8(bc<7^

9#Risk Manager $YsHjXN\YKD$FO"57Z<8NXRisk Manager Server

CorrelationYr2H7F/@5$#

Web IDS �� Risk Manager Event Integration FacilityWeb IDS NGU)kHN$s9H<k&79F`O"Risk Manager EIF rHQ7F Web

IDS N$YsHr Risk Manager 5<P<Kw.9kh&K"Web IDS r;CH"CW7^

9# Web IDS , Risk Manager EIF rHQ7F Risk Manager 5<P<K$YsHrw.9

kh&KXj9kKO"webids.cfg K librmad_value=1 r_j7^9#

^?"Web IDS N$YsHr*Zl<F#s0&79F`Nm0Kw.9kh&"Web IDS

r=.9k3HbG-^9# Web IDS ,=N$YsHr*Zl<F#s0&79F`Nm0

Kw.9kh&KXj9kKO"webids.cfg K librmad_value=0 r_j7^9#

UNIX 79F`$YsHO"syslog Kw.5l^9#79F`&m0+i Web IDS N$YsHrj

P7F"=lir Risk Manager 5<P<Kw.9kKO"TEC m0&U!$k&"

@W?<rHQ7^9#

Windows 79F`$YsHO"$YsH&m0Kwil^9#79F`&m0+i Web IDS N$Ys

HrjP7F"=lir Risk Manager 5<P<Kw.9kKO"TEC Windows N

$YsH&m0&"@W?<rHQ7^9#

1��������������1���)�����&����[HsIN Web 5<P<O"Xj7?~V,Pa9kHLNm0&U!$kKZjX(kh

&K918e<k9k3H,G-^9 (?H(P 1 |K 1 s)# Web IDS O"*;;:K7

,Nm0&U!$kKZjX(k3HbG-^9# webids.cfg bNQtrT87F"m0&

U!$krXj7F/@5$#

filePattern_value-zJm0&U!$kr+U1k?aKHQ9k5,==r Web IDS KXj7^

9# Web IDS O"3NQ?<sKlW9kG7NQ9U!$krHQ7^9#

filePath_valuem0&U!$k,8_7F$kG#l/Hj<rXj7^9#

fileMatch_value

1 m<k*<P<&m0&5]<HrHQD=K7^9#

0 m<k*<P<&m0&5]<HrHQTDK7^9# Web IDS O"

filePattern_value H filePath_value *hSEMr5k7^9#

?H(P"UNIX 79F`eN Apache Nlg"!Nh&KJj^9#

filePattern_value = access_log.*
filePath_value = /usr/local/apache/logs
fileMatch_value = 1


-i *W7gsrU1F3^sITGXj5l?U!$kO" webids.cfg GXj5l?Mr*

<P<i$I7^9#?@7"3Nps,=.U!$kGXj5lF$klgO"3^sIT

GU!$k>r@(*KXj9k,WO"j^;s#

Web IDS ������Web IDS H=N0sroN=JO"Tivoli N(sI]$sH^?O Tivoli J0N79F`K

$s9H<k9k3H,G-^9#*Zl<F#s0&79F`Nm0*hSX"9k TEC

"@W?<rHQ7F$YsHr TEC K>w9k=j,J$lgO"Web IDS H=N0s

ro (Risk Manager Perl H Risk Manager EIF r^`) N$s9H<kN\YKD$F"33Z

<8NXRisk Manager N$s9H<kYr2H7F/@5$#

Web �������� Web IDS ���Web IDS KO"Web IDS N*W7gsr_j*hS=.9k?aN=.U!$k

webids.cfg ,QU5lF$^9#3N=.U!$kKO"Risk Manager Web IDS ,5]<

H9k Web 5<P<4HK;/7gs,^^lF$^9#

m: =.9k Web 5<P<N?$WKgC?"=.U!$kN57$;/7gsrT89k

h&K7F/@5$#

GU)kHGO"&Lm0&U)<^CH (CLF) rHQ9k Web 5<P<QN=.KJC

F$^9#GU)kHNU)<^CHG"k CLF +iLNm0&U!$k&U)<^CHK

Q99kKO" CLF `\r3asH=7"=.9k Web 5<P<N?$WQN=.U!$

kN57$;/7gsr+U1F/@5$#^?"]sI-f (#) r|n7F"=N;/7g

sNTN3asH=rr|7F/@5$#

Web IDS =.U!$krT87F"J<N3HrT&3H,G-^9#

¶ Risk Manager "@W?<&i$Vij<&U!$kXN04$~Q9rXj9k#

¶ -p *W7gs,HQ5lF$klgO"$YsHr TME "@W?< (UNIX syslog +

Windows NT Event Log "@W?<NIAi+)"^?O Risk Manager EIF K>w9k}

!rXj9k#

¶ Web 5<P<Nm0&U!$k=8rXj9k#

¶ 70KAc<&U!$kN04$~Q9*hS>0rXj9k#

¶ Web IDS ,I_hk"/;9&m0&U!$kNU)<^CH"D^j"CLF +io&

9k+ CLF K>&+rXj9k#

¶ (i<P}9F<HasHrs!9k#

¶ u1~lD=J|UA0rXj9k#

¶ -q=.rjA9k#

¶ -<QtH Web 5<P<N-RQlrhZk?aKHQ9kF-9H8zrjA9k#

¶ |n9k0tF-9HrjA9k#

=.U!$krQ99k}!N\YKD$FO" 128Z<8NXWeb IDS =.U!$kNT

8Yr2H7F/@5$#


Risk Manager EIF �������� Web IDS ���Web IDS NGU)kHN=.GO"Web IDS N$YsHO Risk Manager EIF Kw.5l"

!K"Risk Manager EIF , Web IDS N$YsHr Risk Manager 5<P<Kw.7^9#

Web IDS N$YsHr Risk Manager TEC N$YsHK,ZK^CTs09kKO"Web

IDS U)<^CH&U!$krHQ9kh& Risk Manager EIF r+9?^$:9k,W,"

j^9#

m: Unix 79F`K WebIDS r=.9klgO=N0K"Risk Manager ND-9/jWH

K"J<NQ9rIC7F/@5$#

. /etc/Tivoli/rma_eif_env.sh

Web IDS N$YsHr^CW9kh&K Risk Manager EIF r=.9kKO"webids.fmt U

!$kr Risk Manager EIF rmad.fmt U)<^CH&U!$kNGeKIC7^9#ICe

N rmad.fmt U!$krHQ7F"/i9jA9F<HasH&U!$k (.cds) r=.7^

9# rmad.cds U!$kr=.9kKO"!Nh&K7^9#

1. !Nh&K7F"webids.fmt r rmad.fmt NGeKIC7^9#

Windows 79F`Nlg:

type webids.fmt >> rmad.fmt

UNIX 79F`Nlg:

cat webids.fmt >> rmad.fmt

Windows *hS Unix NIAiN79F`Nlgb"Risk Manager EIF O webids.fmt U

!$krHQ7^9#

2. riskmgr_gencds 3^sIrBT7F"/i9jA9F<HasH&U!$k (.cds) rF

n.7^9#

riskmgr_gencds rmad.fmt >rmad.cds

3. Web IDS ,$s9H<k5lF$k79F`K"975l? rmad.cds U!$krF[V

7^9#

Web IDS H;Q9k?aK"ACF rHQ7F rmad.cds r979k}!KD$FO"49Z<

8NXACF rHQ7? Risk Manager "@W?<N=.*hS[[Yr2H7F/@5$#

TEC ������������� Web IDS ���Web IDS N$YsHr*Zl<F#s0&79F`Nm0 (Unix NlgO syslog"Windows

NlgO Event Log) Kw.9kh& Web IDS r=.9k3H,G-^9#3Nb<IG

Web IDS r=.9kKO"J<N9FCWrBT7^9#

1. webids.cfg K librmad_value=0 r_j7^9#

2. TEC m0&U!$k&"@W?< (^?O Windows NlgO TEC $YsH&m0&"

@W?<) , Web IDS 79F`K$s9H<k5lF$k3HrN'7^9#

3. Web IDS U)<^CH&U!$kr TEC "@W?<NU)<^CH&U!$k

(tecad_logfile.fmt ^?O tecad_nt.fmt) NGeKIC7^9#

UNIX 79F`&m0&U!$k&"@W?<:

webids.fmt


Windows 79F`&$YsH&m0&"@W?<:

webids.nt.fmt

4. /i9jA9F<HasH&U!$k (.cds) rFn.7^9#!Nh&K~O7^9#

UNIX 79F`Nlg:

../bin/logfile_gencds ../etc/tecad_logfile.fmt >../etc/tecad_logfile.cds

Windows 79F`Nlg:

..¥bin¥nt_gencds ..¥etc¥tecad_nt.fmt > ..¥etc¥tecad_nt.cds

5. Web IDS *hS TEC "@W?<,$s9H<k5lF$k79F`K"975l?

tecad_logfile.cds ^?O tecad_nt.cds U!$krF[V7^9#

Web �������&��1���)�����Web IDS rHQ9k0K Web 5<P<N"/;9&m0&U!$kr=.7J1lPJj

^;s# Web 5<P<K~8F"=.?9/KO!NbN,^^l^9#

¶ J<N Web 5<P<r CLF G=.9k

v Windows NT"AIX"Solaris"^?O Linux K Apache Web Server r=.9k

v Windows NT"AIX"Solaris"^?O Linux 79F`K IBM Lotus Domino Server r=

.9k

v Windows NT"AIX"Solaris"^?O Linux 79F`K IBM HTTPD (WebSphere)

Server r=.9k

v Windows NT"AIX"Solaris"^?O Linux 79F`K Tivoli WebSeal (Policy

Director) r=.9k

¶ Windows NT"AIX"Solaris"^?O Linux 79F`K iPlanet Web Server (Netscape

Enterprise Server) r=.9k

¶ J<NU!$k&U)<^CHG Microsoft Internet Information Server r=.9k

v W3C

v IIS

v NCSA

v ODBC

��1��� �!+����� Web �������

CLF rHQ9k"/;9&m0&U!$krn.9k Web 5<P<O"!NH*jG9#

¶ Windows NT"AIX"^?O Solaris 79F`eN IBM Lotus Domino Server

¶ Windows NT"AIX"^?O Solaris 79F`eN"IBM WebSphere ,HQ9k IBM

HTTPD (WebSphere) Server

¶ Windows NT"AIX"^?O Solaris 79F`eN Tivoli WebSeal (Policy Director) Server

¶ Apache Web 5<P<

Netscape iPlanet Web Server GO"CLF rHQ7F"&Lm0&U)<^CHPOr8.9

k3H,G-^9#=.KX9k\YJb@KD$FO"125Z<8NXiPlanet Web Server

(Netscape Enterprise Server) N=.Yr2H7F/@5$#


Tivoli WebSeal (Policy Director) Server ���

WebSeal GO"Wa"jU!i< (js/5Z<8N URL)"*hS(<8'sHNm0&l

3<Ir1lNU!$kK]I9k3H,G-^9#?@7"Web IDS ,}r9kNO"W

am0&l3<IN_G9#WebSeal r=.7"Wam0&l3<Ir"jU!i<ps*h

S(<8'sHpsHOLNU!$kK]I9kH"U!$k&Q9"*hS 3 o`Nm0

psr]I9kljN>0r"WebSeal =.U!$kN wand ;/7gsGXj9k3H,

G-^9#

iPlanet Web Server (Netscape Enterprise Server) ���

iPlanet Web Server (0HO Netscape Enterprise Server) r=.9kKO"J<Nh&K7^

9#

1. /*/netscape/server4 G#l/Hj<K"k startconsole.sh 9/jWH&U!$krB

T7^9#3N9/jWH&U!$kKhj""I_K9Hl<?<ND<k, Netscape

Web Vi&6<G+O7^9#

2. =NZ<8NetK"k VServers (5<P<)W?VN VSelect a Server (5<P<N

*r)WaKe<+i"=.7?$ Web 5<P<r*r7^9#

3. VManage (I})Wr/jC/7F"77$ Web Z<8rm<I7^9#

4. VStatus (u7)Wr/jC/7^9#

5. VLogging Preferences (m.s0_j)Wr/jC/7F""/;9&m0=.Z<8r

=(7^9#

6. VDomain Names (Ia$s>)Wr*r7F"l3<IN?$Wr_j7^9#

7. VUse Common Logfile Format (&Lm0&U!$k&U)<^CHrHQ9k)Wr*

r7FU)<^CHN?$Wr_j7^9#

GU)kHN"/;9&m0&U!$k>H=NLVO"!NH*jG9#

/*/netscape/server4/https-hostname.domain.com/logs/access

Microsoft Internet Information Server ���

Microsoft Internet Information Server (IIS) G WebIDS rHQ9kKO"7,Nm0&U!$

krn.;:K 1 DNm0&U!$krHQ9kh&K IIS r=.9k,W,"j^9#J

<NjgO"1 DN"/;9&m0&U!$krHQ9kh&K IIS r=.9k}!r(7

?bNG9#

1. Microsoft I}3s=<kG Web 5<P<N>0r&/jC/7^9#

2. VProperties (WmQF#)Wr*r7"VWebSiteW?Vr*r7^9#

3. m.s0&;/7gsGVProperties (WmQF#)Wr*r7^9#

4. Vlog period (m0|V)WrVunlimited file size (U!$k&5$:r)B7J$)WKQ97^9#

J<NjgK>&H"IIS Om0r9oCW"&H;:K"18U!$kK]BJ/q-~_

^9#

IIS N W3C H%U)<^CHr=.9kKO" Windows NVExtended Property (H%Wm

QF#<)WN*W7gsNG.B,WJ;CHr*r9k,W,"j^9# (IIS ,s!9


k"National Center for Supercomputing Applications (NCSA) JIN>NU)<^CHKO

VExtended Property (H%WmQF#<)W*W7gsrs!9k,WO"j^;s#)

W3C U)<^CHQNVH%WmQF#W&#sI&+i"!N*W7gsN;CHr*r

7J1lPJj^;s#

¶ Date (|U)

¶ Time (~o)

¶ Client IP address (/i$"sH IP "Il9)

¶ Method (a=CI)

¶ URI stem (URI l4)

¶ URI query (URI Hq)

¶ Bytes sent (w.P$Ht)

¶ HTTP status (HTTP u7)

¶ Protocol version (WmH3kGVf)

Cookie d Server Port (5<P<&]<H) JINUC*J*W7gsr*r9kH"Web

IDS O"3liN*W7gsKX9kpsr Risk Manager EIF ^?O Windows Event Log

"@W?<Kw.9k0K|n7^9#3lir logPattern ^?O-qjAG ignore K_j

7F/@5$#

H%WmQF#<N04Jj9Hr=(9kKO"J<Nh&K7^9#

1. VMicrosoft Personal WebServerW→V$s?<MCH 5<S9 ^M<8cWNgK/

jC/7^9#

2. 3s=<k+i V{jN Web 5$HWr*r7^9#

3. ,WK~8F"3sTe<?<&[9HN"$3sr8+7^9#

4. VWmQF#W→V"/F#VJm0A0WNgK/jC/7^9#

5. V"/F#VJm0A0(Active Log Format)W+iVW3C Extended Logfile FormatWr*r7^9#

6. VWmQF# (Properties)W→VH%WmQF# (Extended Properties)W?0NgK/

jC/7^9#

*r7?*W7gsO"m0&U!$kK3asHTH7FPO5l^9#?H(P"!Nh

&KPO5l^9#

#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status sc-bytes cs-version

WmQF#<NG.B,WJ*W7gsr*r7J$H"Web IDS ,(i<NUi0r)F

^9#!K"Web IDS O"gn7F$k*W7gsHm0&U!$kbGNTVfrj9H

7F"!N$YsHr8.7^9#

ALERT :parser(readAccessLog)==>nnnn:Malformed line in the log file.the other tests skipped.

1MK"f<6<>NH%WmQF#<,*r5lF$J$lg"MO hyphen (-) K_j5

l^9#

IIS 5<P<,n.9km0&U!$kO"YYMMDD U)<^CH (?H(P ex000530.log)

GG#l/Hj<K]I5l^9#


c:¥winnt¥system¥logfiles¥w3svc1¥exYYMMDD.log

National Computer Security Association (NCSA) U)<^CHrHQ9klg"m0&U!$

kN>0O ncYYMMDD.log HJj^9#

Web IDS ������������Web 5<P<O""/;9&m0&U!$kKWaHu7psrw.7^9# Web IDS

O"Web 5<P<N"/;9&m0&U!$krI_hj^9#

J<K"04Jm0`\Ncr(7^9#

some.host.org - - [03/May/2001:03:42:23 +0000] "GET /cgi-bin/test-cgi HTTP/1.1" 500 345

"/;9&m0&U!$kN`\KO"J<NbN,^^l^9#

¶ WaN/.5HJC?[9HN>0 (?H(P"some.host.org)#

¶ f<6<KX9kps (~jD=Jlg)#

¶ m0&(sHj<,-?5l?|U#

¶ Waps#WaO"URL bN[9H>K3/psG9#?H(P"WapsO!Nh&K

Jj^9#

"GET /cgi-bin/test-cgi HTTP/1.1"

¶ u73<I#5oG"k3Hr(9u73<IO"2nn G9# 4nn ^?O 5nn H$&u

73<IO"(i<r=7^9#

¶ >w5l?P$Ht#

Risk Manager O"Web IDS NEv-!:QNU!$k&;CHrs!7F$^9#!:QN

U!$kOJ<NH*jG9#

¶ test.log

¶ test.result

¶ test.results.evt (Windows 79F`)

¶ test.syslog (UNIX 79F`)

Windows 79F`GO"kLr=(9kKO"$YsH&Se<"<rHQ7F/@5$#

3liNU!$krHQ7F!:rT&lg"=NkLr3s=<kK=(9k+"U!$k

> (?H(P"test.myresult) rXj7F=3KkLrwk3H,G-^9#

test.log U!$krBT9kKO"!N3^sIr~O7F"3s=<kK=(5lkkL

rN'7F/@5$#

webids.bat -i test.log

!:kLpsrU!$k (?H(P"test.myresult) Kq-~`KO"!N3^sIr~O7^

9#

webids -i test.log > test.myresult


J<K"test.results NbFNlcr(7^9#

# 956066584_1
some.host.org - - [03/May/2001:03:42:23 +0000] "GET /cgi-bin/test-cgi HTTP/1.1" 500 345
WARNING : pattern(serverError) ==> 5xx
WARNING : pattern(cgi) ==> test-cgi
ALERT : pattern(cgi) ==> class 'cgi': lvl=1.00 >= 1!
DECODED :
REQUEST : GET /cgi-bin/test-cgi HTTP/1.1
HOST/USR: some.host.org - -
STATUS : 500
BYTES : 345
METHOD : GET
URL : /cgi-bin/test-cgi
QUERY :
VERSION : 1.1
DATE : 03/May/2001:03:42:23 +0000
-------------------------------------------

�����3N;/7gsGO"Web IDS QN"@W?<N?9/KD$Fb@7^9#

Web IDS ���)�����=.U!$kNT8r+O9k0K"122Z<8NXWeb 5<P<KP9k Web IDS N=

.YK"k5Wr4w/@5$#

webids.cfg =.U!$kOT8D=JF-9H&U!$kG"j"Web IDS ,T/7F$k

D-r+9?^$:9k3H,G-^9#

3N=.U!$kKO"Risk Manager Web IDS ,5]<H9k Web 5<P<QN;/7g

s,^^lF$^9#

U!$kbNQtO$s9H<kfK_j5lkNG"LoO=lirQ99k,WO"j^

;s#J<N;/7gsGO"U!$kbNQtrj9H7^9#

m: =.9k Web 5<P<N?$WK:v9k;/7gsrT87F/@5$#

TEC $+&�0�������1�*�������

Web IDS O wbindmsg Wm0i`rHQ7F"Q95l?aC;<8rh@7^9#

webids.cfg U!$kbN path_value Qia<?<O"3NWm0i`NLVrXj7^9#

path_value Qia<?<O"Web IDS N$s9H<k*hS;CH"CWfK"+0*K!

Nh&K_j5l^9#

path_value = path

33G path O"wbindmsg Wm0i`XN04$~Q9LVG9# wbindmsg Wm0i`O"Risk Manager EIF H&K$s9H<k5l^9#

1/�������

FqQlJ0N@lU!$krHQ7F$klgO"National Language Service (NLS) NQ9

r_j7F"m1<kr_j9k,W,"j^9#GU)kHN NLS NQ9O"Web IDS

N$s9H<k*hS;CH"CW&Wm7<8c<KhCF+0*K_j5l^9#

nlsPath_value Qia<?<O"+0*K!Nh&K_j5l^9#

nlsPath_value = nlspath


33G nlspath O"Web IDS NaC;<8&+?m0&U!$k webids.cat XN04$~

Q9LVG9#?H(P"nlsPath_value O!Nh&K_j5l^9#

nlsPath_value = x:¥webids¥%L¥%N.cat

3NH-"x: OIi$V8zG9#@lQt (%L) *hSaC;<8&+?m0&U!$k

>Qt (%N.cat) OBT~Krh5l^9#

%L H %N O"g8zGJ1lPJj^;s#

*�;*������

Web IDS O"Risk Manager EIF Perl $s?<U'<9rHQ7F Risk Manager 5<P<K

$YsHw.9klg" webids.cfg bN librmadPath_value Qia<?<KX"U1ilF

$kMrHQ7Fi$Vij<r+U1^9#3NQia<?<O"Web IDS N$s9H<

k*hS;CH"CW&Wm7<8c<KhCF+0*K_j5l^9#?H(P"Web IDS

, Windows K$s9H<k5lF$klgO"J<NQia<?<,_j5l^9#

librmad_value=1
librmadPath_value=x:¥Program Files¥Tivoli¥RISKMGR¥bin

33G librmad_value=1 O"Web IDS ,=N$YsHr Risk Manager EIF Kwk3Hr

(7" librmadPath_value O"Risk Manager EIF H&K$s9H<k5l?,\Ni$V

ij<XNQ9rXj7F$^9#

sig.nefarious ��3<:���)��������

Risk Manager N sig.nefarious U!$kO"Web 6bN70KAc<r]I7^9#Web

IDS O"3NU!$krHQ7F Web 5<P<rbK?<7"6b,J$+I&+r4Y^

9#sig.nefarious U!$kN\YKD$FO" 116Z<8NXsig.nefarious 70KAc<&

U!$kYr2H7F/@5$#

m: Risk Manager H&Ks!5lF$k*j8JkN sig.nefarious U!$kOT87J$

G/@5$#3NU!$kr3T<7">0rQ97F"=N3T<rT87F/@5

$#

webids.cfg =.U!$krT87F"m<I9k70KAc<&U!$kNQ9H>0rX

j7^9#?H(P"!Nh&K7^9#

signatureFilePath_value = Path¥SignaturesFileName

Path¥SignaturesFileName OJ<N$:l+G9#

¶ GU)kHN sig.nefarious U!$kN04$~Q9>HU!$k>#

¶ Risk Manager H&Ks!5lF$k sig.nefarious U!$kr3T<7">0rQ97

F+i"=N3T<rT89k3HKhCFH+Kn.7?70KAc<&U!$kXN

04$~Q9#J<Kcr(7^9#

signatureFilePath_value = g:¥webids¥sig.mysignatures

sig.nefarious 70KAc<&U!$kNG7P<8gsr@&sm<I9kKO"J<N

Tivoli Risk Manager N Web 5$Hr4w/@5$#

http://www.tivoli.com/support/secure_download_bridge.html


�������

*;9k^GN(i<NtrXj7^9#(i<HO"=|7?U)<^CHHlW7F$J

$"/;9&m0&U!$kN(sHj<rU#7^9#

exit_value = n

(i<uV,/87?i$D*;9kN+rXj9kKO"J<NM+i*r7^9#

0 *;7^;s#

1 1 s\N(i<NeK*;7^9#

n Xj7?stN(i< (=|7?U)<^CHHlW7J$"/;9&m0&U!$

kN(sHj<) NeK*;7^9#"/;9&m0&U!$kN(i<tO"

(2**53)-1 (= 9007199254740991) r6(k3HOG-^;s#

Web IDS ���G<bs^?O Windows NT 5<S9H7F)Ae2ilk>N Risk Manager "@W?<

HO[Jj"Web IDS O Perl 9/jWH&U!$krBT9k3HKhCF)Ae2^9#

Web IDS , Apache Web 5<P<rbK?<9kH-KO"Apache Web 5<P<,+0*

K Web IDS r)Ae2^9#

Windows ������ Web IDS ���

Windows 79F`G Web IDS r+O9kKO"J<N=8rHQ7^9#

webids.bat [-etdvh -i input_file -c configuration_file]

*W7gsO=l>lJ<NH*jG9#

-e psr Windows Application Event Log ^?O Risk Manager EIF Kq-~_

^9#

-h Web IDS KX9kXkWpsr=(7^9#

-t "/;9&m0&U!$k+iN97rj"k?$`GT&3HrXj7^

9#

-d GPC0psrq-~_^9#Wm0i`O8`POK (STDOUT) q-~_

rT$^9,"=NeG3lrU!$kK>w9k3H,G-^9#

-v P<8gspsrPO7^9#

-i input_file "/;9&m0&U!$kN04$~Q9H>0rXj7^9#

-c configuration_file

=.U!$kN04$~Q9H>0rXj7^9#GU)kHOJ<NH*j

G9#

%RMADHOME%¥etc¥webids.cfg

?H(P"Windows 2000 G Web IDS r+O7"=lK Web 5<P<N"/;9&m0

(webserver.accesslog) rI_hi;"=NPOr TEC $YsH&m0&"@W?<Kw.9

kKO"J<NTr~O7^9#

webids.bat -e -i webserver.accesslog


UNIX ������ Web IDS ���

UNIX 79F`G Web IDS r+O9kKO"J<N=8rHQ7^9#

webids [-etdvh -i input_file -c configuration_file]

*W7gsO=l>lJ<NH*jG9#

-e psr syslog ^?O Risk Manager EIF Kq-~_^9#

-h Web IDS KX9kXkWpsr=(7^9#

-t "/;9&m0&U!$k+iN97rj"k?$`GT&3HrXj7^

9#

-d GPC0psrq-~_^9#Wm0i`O8`POK (STDOUT) q-~_

rT$^9,"=NeG3lrU!$kK>w9k3H,G-^9#

-v P<8gspsrPO7^9#

-i input_file "/;9&m0&U!$kN04$~Q9H>0rXj7^9#

-c configuration_file

=.U!$kN04$~Q9H>0rXj7^9#GU)kHOJ<NH*j

G9#

$RMADHOME/etc/webids.cfg

?H(P"UNIX G Web IDS r+O7"=lK Web 5<P<N"/;9&m0

(webserver.accesslog) rI_hi;"=NPOr TEC $YsH&m0&"@W?<Kw.9

kKO"J<NTr~O7^9#

webids -e -i webserver.accesslog

m: Unix 79F`G Web IDS rBT9k0K"Risk Manager ND-9/jWHK"J<N

Q9rIC7F/@5$#

. /etc/Tivoli/rma_eif_env.sh

Web �������Web IDS O"!:9k6b,h/NilF$kbN+I&+r(7^9#J<K"hj~^

l?psNcr(7^9#

956066584_1
some.host.org - - [03/May/2001:03:42:23 +0000] "GET /cgi-bin/test-cgi HTTP/1.1" 500 345
WARNING : pattern(serverError) ==> 5xx
WARNING : pattern(cgi) ==> test-cgi
ALERT : pattern(cgi) ==> class 'cgi': lvl=1.00 >= 1!
DECODED :
REQUEST : GET /cgi-bin/test-cgi HTTP/1.1
HOST/USR: some.host.org - -
STATUS : 500
BYTES : 345
METHOD : GET
URL : /cgi-bin/test-cgi
QUERY :
VERSION : 1.1
DATE : 03/May/2001:03:42:23 +0000
-------------------------------------------


Web IDS O""k[9H+iw.5l?Wa,6xHJCF"i<`,P5lkH"=N[

9H+iNWarhj~_^9#33Ghj~s@psreG,O7F"77$70KAc<

^?O70KAc<N/i9r70KAc<&G<?Y<9 (sig.nefarious U!$k) bG

jA9k+I&+hj9k3H,G-^9#

G<?Y<9bG!P5lJ$6bO"4/$U+lJ$^^KJCF7^&D=-,"j^

9#N1Y<9&79F`GO"G<?Y<9Nj|*J97,,WG9#

G7N/~!NrT&KO"7?K/+5l?6b*hS79F`Ne@r" sig.nefarious

U!$kbN70KAc<&j9HKIC7F/@5$#3N\*N?aK]}5lF$k;

-ejF#<DNNG<?Y<9rHQ7F"77$6brj|*K!$7"IW7F/@5

$#

J<K"=Nh&JG<?Y<9Ncr 2 D(7^9#

¶ Bugtraq Web 5$H: http://www.securityfocus.com

¶ Common Vulnerabilities Enumeration (CVE) N Web 5$H: http://www.cve.mitre.org

3Nhj~^l?psrjnHG,O7F"djrhN?aKHkY-"/7gsr=G7J

1lPJj^;s#

��3<:���*�������sig.nefarious U!$kN(s8s&Q?<s&;/7gsKO"70KAc<N0k<W

(/i9) ,"j"3liOm0&(sHj<NU#<kIbG6b70KAc<NQ?<sr

57^9#1l"/;9OYpH7Fsp5l^9#

77$/i9rn.9k]KO"U#<kI>r/i9jANltH7FXj9k,W,"j

^9#

Web 6b70KAc<N/i9rIC^?O|n9kKO"J<Nh&K7^9#

1. sig.nefarious N ENGINE PATTERN ;/7gsK\j^9#

2. /i9rIC9k?aK"J<r3NU!$kKIC7^9#

a. [class=classname; field=fieldname; level1=count1;level2=count2; k=decay_param]

Qia<?<O=l>lJ<NH*jG9#

class=classname

Q?<s&(s8sbGXj5lF$k70KAc<NG->G9#

field=fieldname 70KAc<rM-go;J1lPJiJ$U#<kIG9#Q?<

s&(s8sN-zU#<kIO"host"method"url"status"query G

9#

level1=count1 \YO"136Z<8NXlYk&+&s?<N40Yr2H7F/@5

$#

level2=count2 \YO"136Z<8NXlYk&+&s?<N40Yr2H7F/@5

$#

k=decay_param \YO"137Z<8NX:j+&s?<N40Yr2H7F/@5$#


,:77$70KAc<N/i9rb@9k3asHTrIC7F/@5$#F3as

HTO"]sI-f (#) G+O7J1lPJj^;s#

3. 70KAc<N{8N/i9r|n9kKO"|n9k70KAc<N/i9rjA7F

$kTro|7^9#

4. U!$kr]I7F/m<:7^9#

?H(P"!Nh&K7^9#

[class=directory; field=url; level1=2; level2=1; k=1000]
# Some servers are sensitive to directory tricks like specifying /./
# in the path name.
/\.\.//\.\

Web ����3<:�������Web 6b70KAc<rIC^?O|n9kKO"J<Nh&K7^9#

1. sig.nefarious U!$krT87^9#

2. 3NU!$kN ENGINE PATTERN ;/7gsK\j^9#

3. ,ZJ/i9&;/7gsr+U1^9 (?H(P"[class=cgi; field=url;)#

4. J<N$:l+ 1 DrBT7^9#

a. !Nh&J 4 sN70KAc<TrIC7F"77$70KAc<rIC7^9#

# CVE-1999-0067, Bugtraq ID 629, input validation error
phf phf [CVE-1999-0067] CVE

77$70KAc<rb@9k3asHT (]sI-f (#) GO^j^9) rIC7F

/@5$#Bugtraq ID Vf (,+CF$klg)"CVE ID Vf (,+CF$klg)"

*hS70KAc<NJ1Jb@r~O7^9#

b. {8N Web 6b70KAc<r|n9kKO"|n9k70KAc<rjA7F$k

Tro|7^9#

5. U!$kr]I7F/m<:7^9#

��������������sig.nefarious U!$kNQ?<s&(s8s&;/7gsKO"m0&(sHj<NU#<

kIbG6b70KAc<r5970KAc<N0k<W (/i9) ,^^lF$^9#

^?"3N(s8sOm0&U!$kN(sHj<&U#<kIN$:l+KP7FYpd"

i<H,P5l?~KTolkUC*JkgF9HrBT7^9#?H(P"Ypd"i<H

,P5l?eO"6bru1d9$ cgi Wm0i`KP9kWa,5oK0;7F$k+I

&+rN'9k?aK"UC*JF9HrBT9k3H,G-^9#

=N?aKO"requires=class 0-rQ$FF9Hrkg7"\Y=7^9#3N0-O"

Web IDS ,3liNF9HrBT9k0K""i<HrP7?/i9rdjP7^9#-z

J/i9O"sig.nefarious U!$kNQ<5<&(s8s"*hSQ?<s&(s8sN;

/7gsK09k/i9G9#J<O=NcG9#

requires=pattern(cgi)
requires=parser(suspiciousHexCodesUrl)
requires=parser(suspiciousHexCodesQuery)


requires=pattern(cgi)|pattern(directory)
requires=(pattern(cgi)|pattern(directory))&(parser(suspiciousHexCodesUrl)|parser(suspiciousHexCodesQuery))

classname O"/i9>NV<k0r(7^9#gLrHQ7FV<k0r0k<W=7^

9#requires=class 0-r~O9k]K-zJV<ki;RO!NH*jG9#

| := OR
& := AND
! := NOT

kgF9HrjA^?O\Y=9kKO"J<Nh&K7^9#

1. sig.nefarious U!$krT87^9#

2. 3NU!$kN ENGINE PATTERN ;/7gsK\j^9#

3. J<N$:l+ 1 DrBT7^9#

a. !NU)<^CHK>CF"77$F9HNH_go;r 1 TKIC9k#

[class=classname; field=fieldname ; requires=class; level1=count1;level2=count2; k=decay_param]

,:3N77$/i9KD$Fb@9k3asHTrIC7F/@5$#F3asHT

O"]sI-f (#) G+O7J1lPJj^;s#

b. level1="level2="k= NMrIC^?OQ99k#\YKD$FO"136Z<8NX7

-$MH:jMN40Yr2H7F/@5$#

c. |n7?${8N70KAc<N/i9KX"9kTro|9k3HKhCF"=N/

i9r|n9k#

4. U!$kr]I7F/m<:7^9#

���5������"��.jG-J$T3J[9Hr1L9k3H,G-^9#[9H,T3JWarw.7F$kH

=G7?i" Web 5<P<N[9H>^?O IP "Il9r sig.nefarious U!$kKI

C7F/@5$#

Web IDS O[9H>r.8zGfS7^9#T3J(s8sbNWa*hS/i9>NfN

[9H>O"fS,Tolk0K.8zKQ95l^9#

a A z ^GN8z"0 A 9 ^GNtz"Tj*I (.)"*hS@C7e (-) N_rHQ7F

/@5$#

T3J[9HNj9HK IP "Il9rIC9kKO"!Nh&JTrIC7^9#

9.37.47.192 # suspicious host

"k$O"=N[9H>KP~9kTr!Nh&K.8zGIC7^9#

possible.attack.org # suspicious host

3NTO/i9&XC@<N<KIC7^9#U)<^CHO!NH*jG9#

[class=suspiciousHosts; printLvl=level]

Qia<?<O=l>lJ<NH*jG9#


class= 3lO"suspicion (s8sGXj5l?T3J[9HNG->G9#

printLvl= u.9kWaN?$WrXj7^9#-zJWaN?$WO"

all"alerts"warnings G9#\YKD$FO"XT3J"/F#SF#<N?

$WNXjYr2H7F/@5$#

T3J[9Hr|n9kKO"sig.nefarious U!$krT87F"=N[9HN[9H>^

?O IP "Il9,^^lkTr|n7^9#

�������-����������-?*hS,O9kT3J"/F#SF#<N?$W ("i<H^?OYp"k$O=N>})

rXj9k3H,G-^9#

/i9&XC@<NA0O"!NH*jG9#

[class=suspiciousHosts; printLvl=level]

u.9kWaN?$WrQ99kKO"printLvl= KLNl]<H&lYkrXj7^9#-

zJl]<H&lYkO!NH*jG9#

all GiNYpNeN9YFNWa,sp5l^9#

warnings YpH"i<H,sp5l^9#

alerts "i<H@1,sp5l^9#

*��+����3<:������"��i|$s9H<kNe"iaF Web IDS r+O9kH-K"?tN$YsH,$YsH&3

s=<kK>w5lF$k3H,"j^9#3liN/~!N$YsHNJ+KO"6N"i

<`,^^lF$klg,"j^9#"k70KAc<,.jG-kbNG"kH=G7?l

gO"=N70KAc<rHi9H&(s8sKIC7F"6N"i<`Ntr:i93H,

G-^9#

/i9&XC@<NA0O"!NH*jG9#

[class=classname; field=fieldname; cancels=class]

Qia<?<O=l>lJ<NH*jG9#

class=classname

Hi9H&(s8sGXj5lF$k70KAc<&/i9NG->G9#

field=fieldname

70KAc<rM-go;J1lPJiJ$U#<kIG9#Hi9H&(s8sN

-zJU#<kIO"host" method" url" query G9#

cancels=class

Xj5l?/i9KlW9k70KAc<,!P5lkH"Yp^?O"i<HOs

p5l^;s (hjC5l^9)#hjC5lk/i9N-zJ-<o<IO"J<N

H*jG9#

all lW9k"i<HHYpr9YFhjC7^9#

engine_name(class_name)Xj5l?(s8s>*hS/i9>KlW9k"i<HHYprhjC7^

9#


engine_name(class_name),engine_name(class_name)(s8s>H/i9>r 1 D:D=l>l3s^ (,) GhZC?j9HNf

G"=l>lN>0KlW9k"i<HHYprhjC7^9#

$/D+Ncr(7^9#

[class=trustedHosts; field=host; cancels=all]
friendly\.computer\.org

[class=linuxDistr; field=url; cancels=pattern(cgi),pattern(file)]
|\xlinus/mirro/linux

�����������Risk Manager Web IDS O"YpH"i<HH$&"2 DN?$WN"i<`rhL7F$^

9#YpO"i<HhjbEgY,c$bNH+J5l"Lo TEC $YsH&3s=<kK

sp5l^;s#18?$WNYp,ljNstJeP5lkH"=NYpO"i<HKQo

j^9#?H(P""koN Web 5<P<6bO"1lN[9H+i/.5l?'ZWa,

+jV7:T9kJI"18T3JWa,ljNstJeFk5lFO8aF"i<HKJj

^9#

J<N/i9&Qia<?<r409k3HKhCF"Yp,"i<HKJk^GN.5rX

j9kh&K Web IDS r=.9k3H,G-^9#

¶ level1

¶ level2

¶ k

u.5lk"i<H,?9.?j/J9.?j9klgO"/i9&Qia<?<r409k

3HrM87F/@5$#/i9&Qia<?<r409kKO"sig.nefarious U!$kf

N Web IDS Q<5<HQ?<s&(s8sN;/7gsrT87^9#

Web 6b70KAc<Npsr409kKO"J<Nh&K7^9#

1. sig.nefarious U!$krPC/"CW7^9#

2. sig.nefarious U!$krT87^9#

3. U!$kN ENGINE PATTERN ;/7gsK\j^9#

4. level1="level2="k= NMr407F"lYk*hS:jpsr407^9#\YO"

XlYk&+&s?<N40Y^?O 137Z<8NX:j+&s?<N40Yr2H7F

/@5$#

5. 77$Mrb@9klgO"3asHTrIC7^9#F3asHTO"]sI-f (#)

GO^CF$J1lPJj^;s#

6. U!$kr]I7F/m<:7^9#

����76������

Risk Manager Web IDS O"1l?$WNT3JWaNtr"Xj7?7-$MlYkr6(

k^G+&sH7^9#7-$Mr6(kH"Web IDS O"i<Hr/T7^9#Xj*h

S40G-k7-$MlYkO"!NH*jG9#

level1=count1

1lNIa$sN1l$YsH&/i9&?$WNT3JWaNt# level1 MKO"

level2 NMJeNMrXj9k,W,"j^9#


level2=count2

1lN[9HN1l$YsH&/i9&?$WNT3JWaNt#

HQ9k7-$MO"1lIa$s+1l[9H+KhCF[Jj^9#33GO"

www.austin.tivoli.com H$&[9H>rHQ7^9#

¶ Ia$sO level1 N7-$M tivoli.com rHQ7^9#

¶ [9H>N=N>Nt,O level2 N7-$M www *hS austin rHQ7^9#

level1 ^?O level2 NQia<?<Mr409kKO"7-$MrjA9k?aN Web IDS

ASCII F-9H&U!$k sig.nefarious U!$krT87^9#U!$krQ99kK

O"F-9H&(G#?<rHQ7^9#iaF3NU!$krT89klgO"T8rOa

k0K"*j8JkNU!$kN3T<rhCF/@5$#

��76������

Web IDS O"!P7?T3J$YsHNtr+&sH9k@1GO"j^;s#3lO"G

eNT3J$YsHNeK!P5lk5oJWabM8K~l^9#3N?aK"+&s?<

,:jXtH7F$sWjasH5lF$^9#

(:jXtO Risk Manager TEC Correlation GbHQ5l^9#3lO"7-$MrQ99k

3HKhCFV\*K409k3H,G-^9#)

T3JWa,'15lkH"P~9k:jXt Q NM, 1 D}(kH1~K"=l,!N

x0K>CF>A5l^9#

Q(n+1) = Q(n) \cdot 2^{-\Delta r / k} + 1

F`*hSQia<?<O=l>lJ<NH*jG9#

Q(n) n s\NT3JWaNeN:jXtNM#

Q(n+1) 77$:jXtNM (n+1 s\NT3JWaNeNM)#

∆r GeNT3JWaNeKu.5l?5oJWaNt#

k :j(rXj7^9#

:jXtN0nKFA9kNO"2 DNQia<?< ∆r H k G9#

¶ 5oJWaNt (∆r) ,g-1lPg-$[I":jXtNMO.5/Jj^9#3N0

nO"1l[9H+i5oJWa,?tu.5lkH"?H(3N[9H,anKT3J

Warw.7F$?H7Fb"=N[9HrT3J[9HHO+J5J$h&K9k3H

r[j7F$^9#

¶ :jQia<?< (k) ,.51lP.5$[I"5oJ$YsH,u.5lk]N:jX

tNMOhj./:/7^9#3NQia<?<KhCF"anNT3J$YsHruC

9k.YrXjG-^9#

?H(P"k=100 G"klg"100 DN5oJWa,u.5lkH":jXt Q NMO

2 ,N 1 KJj^9#


:jXtN0nO"sig.nefarious U!$kbN/i9&XC@<TK"k k :jQia<

?<r4a9k3HKhCF40G-^9#
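As an added example (not code from the Risk Manager product or from this guide), the following Python reads a sig.nefarious-style pattern class like the ones shown above, matches it against Common Log Format lines, and keeps the per-host (level2) and per-domain (level1) decay counters using Q(n+1) = Q(n)·2^(−∆r/k) + 1 as reconstructed from the definitions in this section. The class header, thresholds, host names and log lines are constructed; Web IDS itself is a Perl program and its internals are not reproduced here.

```python
"""Decay-counter scoring for one sig.nefarious-style pattern class (added example)."""
import re
from dataclasses import dataclass, field

# Class header line as on the page, e.g. [class=cgi; field=url; level1=3; level2=2; k=100]
HEADER_RE = re.compile(r"^\[(?P<body>[^\]]*)\]\s*$")
# Common Log Format line as shown on the page: host - - [date] "METHOD url PROTO" status bytes
CLF_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<date>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+)(?: (?P<version>\S+))?" '
    r'(?P<status>\d{3}) (?P<bytes>\S+)$'
)


@dataclass
class SigClass:
    name: str
    log_field: str        # log field the patterns are matched against (url, host, ...)
    level1: float         # alert threshold for the whole domain
    level2: float         # alert threshold for a single host
    k: float              # decay parameter
    patterns: list = field(default_factory=list)  # (compiled regex, description)


def parse_signature_class(text):
    """Parse one class header plus its 'regex description' lines; '#' lines are comments."""
    cls = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = HEADER_RE.match(line)
        if m:
            kv = dict(p.split("=", 1) for p in m.group("body").replace(" ", "").split(";") if p)
            cls = SigClass(kv["class"], kv["field"], float(kv.get("level1", 1)),
                           float(kv.get("level2", 1)), float(kv.get("k", 1)))
            continue
        if cls is None:
            raise ValueError("pattern line before class header: " + line)
        regex, _, desc = line.partition(" ")
        cls.patterns.append((re.compile(regex), desc.strip() or regex))
    return cls


@dataclass
class DecayCounter:
    q: float = 0.0         # Q(n): value after the n-th suspicious request
    normal_since: int = 0  # delta r: normal requests seen since the last suspicious one

    def bump(self, k):
        """Q(n+1) = Q(n) * 2^(-delta_r/k) + 1 (reconstructed from the page's definitions)."""
        self.q = self.q * 2 ** (-self.normal_since / k) + 1
        self.normal_since = 0
        return self.q


def domain_of(host):
    """Domain part as in the page's example: www.austin.tivoli.com -> tivoli.com."""
    if host.replace(".", "").isdigit():  # bare IP address: no domain to aggregate on
        return host
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) > 2 else host


def analyze(cls, log_lines):
    """Run one pattern class over CLF lines; returns (findings, per-host counters)."""
    hosts, domains, findings = {}, {}, []
    for line in log_lines:
        m = CLF_RE.match(line)
        if m is None:  # the page shows Web IDS raising an ALERT on malformed lines
            findings.append(("ALERT", "parser(readAccessLog)", "Malformed line in the log file"))
            continue
        rec = m.groupdict()
        host = rec["host"]
        hc = hosts.setdefault(host, DecayCounter())
        dc = domains.setdefault(domain_of(host), DecayCounter())
        value = rec.get(cls.log_field) or ""
        hit = next((desc for rx, desc in cls.patterns if rx.search(value)), None)
        if hit is None:
            hc.normal_since += 1
            dc.normal_since += 1
            continue
        findings.append(("WARNING", host, f"pattern({cls.name}) ==> {hit}"))
        qh, qd = hc.bump(cls.k), dc.bump(cls.k)
        if qh >= cls.level2:
            findings.append(("ALERT", host, f"class '{cls.name}': host lvl={qh:.2f} >= {cls.level2:g}!"))
        if qd >= cls.level1:
            findings.append(("ALERT", domain_of(host),
                             f"class '{cls.name}': domain lvl={qd:.2f} >= {cls.level1:g}!"))
    return findings, hosts


# Constructed signature section and access log (not the product's own sig.nefarious).
SIG_TEXT = """\
[class=cgi; field=url; level1=3; level2=2; k=100]
# CVE-1999-0067, Bugtraq ID 629, input validation error
phf phf [CVE-1999-0067] CVE
test-cgi test-cgi
"""


def _clf(host, url, status="200"):
    return f'{host} - - [03/May/2001:03:42:23 +0000] "GET {url} HTTP/1.1" {status} 345'


SAMPLE_LOG = (
    [_clf("some.host.org", "/cgi-bin/test-cgi", "500")]  # suspicious: host Q = 1
    + [_clf("some.host.org", "/index.html")] * 100       # delta r = 100 normal requests
    + [_clf("some.host.org", "/cgi-bin/phf")]            # Q = 1 * 2^-1 + 1 = 1.5
    + [_clf("some.host.org", "/cgi-bin/phf")]            # Q = 1.5 + 1 = 2.5 >= level2
    + [_clf("other.host.org", "/cgi-bin/phf")]           # host Q = 1, domain Q = 3.5 >= level1
    + ["garbage line"]                                   # malformed entry
)

if __name__ == "__main__":
    for finding in analyze(parse_signature_class(SIG_TEXT), SAMPLE_LOG)[0]:
        print(" : ".join(finding))
```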


Cisco Secure IDS ������

3NOKO"J<Nps,^^lF$^9#

¶ X5WY

¶ 141Z<8NXTEC CorrelationY

¶ 33Z<8NXRisk Manager N$s9H<kY

¶ 143Z<8NXTEC ?9/Y

Cisco Secure IDS 6b70KAc<Nj9HKD$FO"289Z<8NXCisco Secure IDS 6

b70KAc<Yr2H7F/@5$#

Cisco Secure IDS aC;<8Nj9HKD$FO"259Z<8NXCisco Secure IDS NaC;

<8Yr2H7F/@5$#

��Risk Manager KO"Adapter for Cisco Secure IDS ,^^lF$^9#3lO"Cisco Secure

Intrusion Detection System (Cisco Secure IDS H7FbNilF$^9) KhCF8.5l?

$YsHr Tivoli Enterprise Console (TEC) N$YsHK^CW7^9#$YsHO"J<N

Cisco Secure IDS ;s5<+ihj~`3H,G-^9#

Cisco Secure IDS 4210 ;s5<

3N;s5<O"MCHo</r#G9k$5'N"/F#SF#<r!P9k"M

CHo</&;-ejF#<!oG9#3lO"45Mbps D-r5]<H7F$^

9#

Cisco Secure IDS 4230 ;s5<

3N;s5<O"MCHo</r#G9k$5'N"/F#SF#<r!P9k"M

CHo</&;-ejF#<!oG9#3lO"100Mbps D-r5]<H7F$^

9#

Cisco Catalyst 6000 U!_j<N/~!Nb8e<k

Cisco Catalyst 6000 IDS Module O"Cisco Catalyst 6000 b.ZjX(!oK$s9

H<k9k3HNG-k=UH&'"&3s]<MsHG9#3Nb8e<kO"Z

jX(!=H;-ejF#<!=r1lN!oK}g9k3HKhj"$5'N-U

r}C?"/F#SF#<N6b!PrT$^9#

Cisco Secure IDS QN Risk Manager "@W?<O"J<N*Zl<F#s0&79F`G5

]<H5lF$^9#

¶ 129 MB JeNabj<rk\7? Service Pack 6.0 rHQ9k Windows NT 4.0

¶ 128 MB JeNabj<rk\7? 500 MHz Wm;C5<rHQ9k Windows 2000

9

9. Cisco Secure IDS

¶ 128 MB JeNabj<rk\7? Sun Solaris 2.6"2.7"*hS 2.8

v Solaris libCrun QCA

v Solaris 2.6 QCA # 105591-09

v Solaris 2.7 QCA # 106327-08

v Solaris 2.8 QCA # 108434-01

m: QCAr$s9H<k7F+i"Cisco SDK r$s9H<k9k0K"^7srjV

<H9k,W,"j^9#

¶ Linux (Intel) Kernel 2.2.16"Libc 6"*hS 128 MB JeNabj<

¶ Cisco Secure IDS KO"m.s0*hSG<?Y<9&9Hl<8QK"1 GB NG#9

/&9Z<9rN]9k3Hr*+a7^9#

¶ QU)<^s9eN}3Khj";s5<H3s=<kO=l>lLN3sTe<?<K

$s9H<k9k,W,"j^9#

Cisco Secure IDS NI-easF<7gsO"!N Web 5$H+i~j9k3H,G-^

9#

http://www.cisco.com

&������Cisco Secure /~!N79F` (J0N NetRanger) O"MCHo</K*1k5vD"/F

#SF#<r!P7"sp7"*;5;kh&_W5l?"kH,ONj"k?$`/~!N

79F`G9# Cisco Secure IDS QN"@W?<O"+RNMCHo</,bt=<9^?

O0t=<9+iN6bru1F$k+I&+rNk,WN"kkHGHQ5l^9# Cisco

Secure IDS QN"@W?<KO"J<Nh&Jbe`3s]<MsH,^^lF$^9#

¶ ;s5< - MCHo</r5N7"IP MCHo</&HiU#C/rh}7F"EWJ

;-ejF#<&$YsHr Director K>w9kMCHo</uV#

Figure 19. Diagram of the adapter for Cisco Secure IDS


¶ G#l/?< - 1 D^?O#tN;s5<rbK?<7F",6MCHo</VN;-e

jF#<rI}9kf{3s=<k#

¶ ]j7<&^M<8c< - b& 1 DN3s=<k=.#

¶ ]9H&*U#9 - WmWi(?j<\3Y<9NWmH3krHQ9k Cisco Secure

IDS ^?O NetRanger 5<S9NL.eNr@#

TEC Correlation

Cisco Secure IDS O"MCHo</eN"/F#SF#<rbK?<7"=lr=[5lk6

bN{NNQ?<s&70KAc< HM-go;^9# Cisco Secure IDS ;s5<OlW9

kbNr+U1kH"79F`&m0KaC;<8rq-~_^9#Cisco Secure IDS QN

Risk Manager "@W?<O"=.U!$krHQ7F"=N$YsHr$YsH&5<P<

Kw.7^9#

Risk Manager O Cisco Secure IDS $YsHH">N?$WN;s5<+iu1hC?=N>

N$YsHNjXr4Y" Risk Manager "I_K9Hl<?<,/~!N$YsH4NrD

.G-kh&K7^9#

Cisco Secure IDS ����������������Cisco Secure IDS QN"@W?<O"HQ7F$k79F`NG-N$s9H<k}!rHQ

7F$s9H<k9k3H,G-^9#$s9H<kNjgKD$FO"39Z<8NXG-N

$s9H<kKhk Risk Manager 3s]<MsHN$s9H<kYr2H7F/@5$#

m: Unix 79F`K Cisco Secure IDS QN Risk Manager r=.9k0K"Risk Manager

ND-9/jWHK"J<NQ9rIC7F/@5$#

. /etc/Tivoli/rma_eif_env.sh

Unix *hS Linux G"Cisco Secure IDS QN"@W?<,HQ9k Cisco Secure IDS

DataFeed 3s]<MsHr$s9H<k9kH"79F`eK*<Ws&Q9o<Ir}D

″netrangr″ f<6<&"+&sH,n.5l^9# Cisco Secure IDS QN"@W?<r$s

9H<k7?eKO""I_K9Hl<?<NQ9o<IrHQ7F"3N"+&sHr]n

9k3Hr*+a7^9#

Risk Manager EIF ���������� Cisco Secure IDS ����������

Cisco Secure IDS QN"@W?<NGU)kHN=.GO"Cisco Secure IDS N$YsHO

Risk Manager EIF Kw.5l"!K"3N Risk Manager EIF , Cisco Secure IDS N$Ys

Hr Risk Manager 5<P<Kw.7^9# Cisco Secure IDS N$YsHr Risk Manager

TEC N$YsHK,ZK^CTs09kKO" Cisco Secure IDS QN"@W?<NU!$k

rHQ9kh& Risk Manager EIF r+9?^$:9k,W,"j^9#

Cisco Secure IDS N$YsHr^CW9kh&K Risk Manager EIF r=.9kKO"

csids.fmt U!$kr Risk Manager EIF N rmad.fmt U)<^CH&U!$kNGeKIC

7^9#ICeN rmad.fmt U!$krHQ7F"/i9jA9F<HasH&U!$k

(.cds) r=.7^9# rmad.cds U!$kr=.9kKO"J<N9FCWrBT7^9#

1. csids.fmt r rmad.fmt U!$kNGeKIC7^9#

On Windows systems:

cat csids.fmt >> rmad.fmt


On UNIX systems:

cat csids.fmt >> rmad.fmt

Windows *hS Unix NIAiN79F`Nlgb"Risk Manager EIF O csids.fmt U

!$krHQ7^9#

2. riskmgr_gencds 3^sIrBT7F".cds U!$krFn.7^9#

riskmgr_gencds rmad.fmt >rmad.cds

3. 975l? rmad.cds U!$kr"Cisco Secure IDS QN"@W?<,$s9H<k5l

F$k79F`KF[V7^9#

Cisco Secure IDS Q"@W?<GHQ9k?aK""@W?<=.!=rHQ7F rmad.cds

r979k}!N\YKD$FO" 49Z<8NXACF rHQ7? Risk Manager "@W?<

N=.*hS[[Yr2H7F/@5$#

Cisco Secure IDS DataFeed '���(�����������Cisco Secure IDS ���������

J<N9FCWrBT7F"Cisco Secure IDS QN"@W?<KP7F Cisco Secure IDS

DataFeed 3s]<MsHr=.7^9# csidsDataFeed 3s]<MsHO"Cisco Secure IDS

QN"@W?<H3N;s5<NVNL.$s?<U'<9G9#

Cisco Secure IDS ;s5<N=.O",:m<+k&3s]<MsHr=.9k0KToJ1

lPJj^;s#

1. csidsDataFeed 3^sIGHQ9k;s5<N IP HICpsrhj7^9#3NpsO

9GK;s5<K=.5lF$kO:G9#psO"Director ^?O Policy Manager N$

:l+N;s5<=.D<k+ih@9k3H,G-^9#

2. !Nh&K7F csidsDataFeed 3^sIrBT7";s5<N[9HKX9kpsrX

j7^9#

csidsDataFeed cfg_remote add -ip IP_Address [-po po_number] [-on orgname] [-oi orgnumber] [-hn host_name] [-hi n] [-hb nnn]

3. !Nh&K7F csidsDataFeed 3^sIrBT7"m<+k&"@W?<N[9HKX

9kpsrXj7^9#

csidsDataFeed cfg_local update [-po po_number] [-on orgname] [-oi orgnumber] [-hn host_name] [-hi n]

ACF rHQ9kH"Risk Manager 5<P<+iU!$kr=.9k3H,G-^9#=Nb

@KD$FO"49Z<8NXACF rHQ7? Risk Manager "@W?<N=.*hS[[Y

r2H7F/@5$#


��>3���������3N;/7gsGO Tivoli "I_K9Hl<?<,"Cisco Secure IDS QN Risk Manager

"@W?<KP7FBT9k?9/rb@7^9#

Cisco Secure IDS ��������=.,0;7?i"Risk Manager TEC ?9/rHQ7F Cisco Secure IDS QN"@W?<

r+O7^9#XCisco Secure IDS "@W?<N+OYNb@r2H9k+""k$Oj0G

"@W?<r+O9klgO"!NH*j~O7F/@5$#

On Linux systems:

/etc/rc.d/init.d/rma_csids-init start

On Solaris systems:

/etc/init.d/rma_csids-init start

On Windows systems:

net start rma_csids

Cisco Secure IDS ����������79F`,FO09kH"Risk Manager O"oK"Cisco Secure IDS QN"@W?<rG<

bsH7F+O9kh&K;CH"CW7^9# Cisco Secure IDS QN"@W?<rj0G

d_9kKO"!Nh&K~O7^9#

On Linux systems:

/etc/rc.d/init.d/rma_csids-init stop

On Solaris systems:

/etc/init.d/rma_csids-init stop

On Windows systems:

net stop rma_csids

TEC ���Risk Manager KO"Tasks for Enterprise Risk Management H$&H+N?9/&i$Vij

<,"j^9#Risk Manager O"3N?9/&i$Vij<r"TEC-Region H$&GU)k

HN TEC ]j7<&j<8gsK$s9H<k7^9#TEC ?9/rBT9k0K",

:""@W?<r(sI]$sHeK$s9H<k7F/@5$#

Risk Manager O"Cisco Secure IDS Q"@W?<KP7FJ<N TEC ?9/rs!7^

9#

¶ Start_Cisco_Secure_IDS_Adapter

¶ Stop_Cisco_Secure_IDS_Adapter

¶ Configure_Cisco_Datafeed

Cisco Secure IDS ��������Cisco Secure IDS QN"@W?<r+O9kKO"Risk Manager TEC ?9/rHQ9k3H

,G-^9#


TEC ?9/rHQ7F Cisco Secure IDS QN"@W?<r+O9kKO"J<Nh&K7^

9#

1. Tivoli G9/HCWG"Tasks for Enterprise Risk Management H$&iYkNU$

? TEC ?9/&i$Vij<r/jC/7^9#

2. Start_Cisco_Secure_IDS_Adapter TEC ?9/r/jC/7^9#

Cisco Secure IDS ��������Cisco Secure IDS QN"@W?<rd_9kKO"Risk Manager TEC ?9/rHQ9k3H

,G-^9#

TEC ?9/rHQ7F Cisco Secure IDS QN"@W?<rd_9kKO"J<Nh&K7^

9#

1. Tivoli G9/HCWG"Tasks for Enterprise Risk Management H$&iYkNU$

? TEC ?9/&i$Vij<r/jC/7^9#

2. Stop_Cisco_Secure_IDS_Adapter TEC ?9/r/jC/7^9#

Cisco Secure IDS DataFeed ���3N?9/O";s5<H Cisco Secure IDS QN Risk Manager "@W?<HNVNL.r

;CH"CW7^9#TEC ?9/rBT9k0K",:""@W?<r(sI]$sHeK

$s9H<k7F/@5$#

TEC ?9/rHQ7F Cisco Secure IDS QN"@W?<K DataFeed r=.9kKO"!N

h&K7^9#

1. Tivoli G9/HCWG"Tasks for Enterprise Risk Management H$&iYkNU$

? TEC ?9/&i$Vij<r/jC/7^9#

2. Configure_Cisco_DataFeed TEC ?9/r/jC/7^9#

Cisco Secure IDS ���������9*����"@W?<KVP9&(i<WaC;<8^?O\3X"N(i<,=(5l?lgO"J<

N3^sIrHQ7F"=N(i<r/j"7F/@5$#

On Unix and Linux systems:

% cd $NETRANGER/bin
% csidsDataFeed stop
% removeSemas

JeN3^sIrBT7?eG"J<N3^sIrHQ7F" %NETRANGER%/tmp *hS

%NETRANGER%/tmp/queues G#l/Hj<bNU!$kr9YFo|7^9#

% cd $NETRANGER/tmp
% rm *.*
% cd queues
% rm *.*

On Windows systems:

% cd %NETRANGER%\bin
% csidsDataFeed stop
% cd %NETRANGER%\tmp


JeN3^sIrBT7?eG"J<N3^sIrHQ7F" %NETRANGER%¥tmp *hS

%NETRANGER%¥tmp¥queues G#l/Hj<bNU!$kr9YFo|7^9#

% del *.*
% cd queues
% del *.*


ISS RealSecure ������

3NOGO"J<N@KD$Fb@7^9#

¶ X5WY

¶ 149Z<8NXTEC CorrelationY

¶ 149Z<8NXSNMP HiCWY

¶ 149Z<8NXISS RealSecure Q"@W?<N$s9H<k*hS=.Y

¶ 152Z<8NXISS RealSecure Q"@W?<NI}Y

Internet Security Systems RealSecure (ISS RealSecure) N6b70KAc<Nj9HKD$F

O"297Z<8NXISS RealSecure 6b70KAc<Yr2H7F/@5$#

SNMP "@W?<N\YKD$FO"VTivoli Enterprise Console "@W?<&,$IWN

10 Or2H7F/@5$#

ISS RealSecure =JKX9kpsO"!N Web 5$H+i~j9k3H,G-^9#

http://www.iss.net

��Internet Security Systems (ISS) O"}g5l?/~!NWiCHU)<`G"k ISS

RealSecure rs!7^9# ISS RealSecure O8`"Wm<ArHQ7F"MCHo</&H

iU#C/H[9H&m0&(sHj<r"{NN6ba=CI^?O=[5lk6ba=C

IHfS7^9# ISS RealSecure O"?/NMCHo</*hS79F`I}"Wj1<7

gsH}g9k3H,G-^9#

ISS RealSecure P<8gs 5.5 ^?O 6.0 ;s5<O"MCHo</&Y<9N6bd79

F`&(<8'sHN6br!P9kH"SNMP HiCWrw.7^9#3liN SNMP H

iCW, Windows 79F`^?O UNIX 79F`K>\w.5lkh&K"ISS RealSecure

r=.9k3H,G-^9#w.hN79F`OLo Tivoli ^?O Tivoli J0ND-N(s

I]$sHeK"j"=3G Tivoli SNMP "@W?<rBT7F$^9#

ISS RealSecure QN Risk Manager O"Tivoli SNMP "@W?<r=.9kU!$k+i.

j"3lKhj ISS RealSecure $YsHrhj~_$YsH&5<P<K>w7FjXrT

$^9#U!$kO!NH*jG9#

¶ tecad_snmp.cds

¶ tecad_snmp.oid


ISS RealSecure Q"@W?<NU!$kO"TEC SNMP "@W?<N"k(sI]$sHK

"j^9#

!N^O"ISS RealSecure QN Risk Manager "@W?<H$YsH&5<P<VNbe`N

X8r(7F$^9#

&������ISS RealSecure bK?<&Qia<?<O"?MJMCHo</uVdU#<Ac<&3s]

<MsHKgo;F409k3H,G-^9#3liNQia<?<rf{3s=<k+i=

.9k3H,G-^9#

ISS RealSecure =JKOJ<Nb8e<k,"j^9#

Figure 20. Diagram of the adapter for ISS RealSecure


¶ MCHo</&Q1CHr}89k(s8s

¶ 1 D^?O#tN(s8srbK?<9k^M<8c<

¶ 79F`&m0rbK?<9k79F`&(<8'sH

GbNQU)<^s9rB=9k?aKO"F(s8s4HKlQ3sTe<?<rHQ7"

1 fNf{3sTe<?<G^M<8c<rBT7F/@5$#

Tivoli Risk Manager 5<P< 3.8 $s9H<k&QC1<8KO" SNMP "@W?<r

=.7F ISS RealSecure "i<`r Tivoli Enterprise Console (TEC) $YsHK^CW9k

?aKHQ9k" Risk Manager .cds"*hS .oid =.U!$k,^^lF$^9#U!$k

O!NljK$s9H<k5l^9#

$BINDIR/../generic_unix/RISKMGR/ACF_REP/tecad_snmp.cds
$BINDIR/../generic_unix/RISKMGR/ACF_REP/tecad_snmp.oid

BINDIR O"$YsH&5<P<&P$Jj<,8_9kG#l/Hj<G9#

SNMP *+�Risk Manager N tecad_snmp.cds U!$krHQ7F SNMP "@W?<r=.9kH"

SNMP "@W?<O SNMP HiCWN!N 2 DN+F4j<r!P7^9#3liN6b

O"ISS RealSecure ;s5<NMCHo</&(<8'sH,bK?<7^9#

¶ MCHo</&Y<9N6b

MCHo</KP7FC(ilk6b#

297Z<8NXMCHo</6b70KAc<YO"=_ Risk Manager Khj5]<H5

lkMCHo</&Y<9N6bKD$FN ISS RealSecure SNMP $YsHr(7^

9#

¶ 5<P<&(<8'sH6b

MCHo</GOJ/"D9N[9HK~1FC(ilk6b#

299Z<8NX79F`6b70KAc<YO"=_ Risk Manager Khj5]<H5lk

79F`&(<8'sH6bKD$FN ISS RealSecure SNMP $YsHr(7^9#

TEC Correlation

TEC SNMP "@W?<O"Windows NT eGBT7F$k ISS RealSecure Management

Console +iw.5lk SNMP HiCWr'17^9#SNMP "@W?<,3liN SNMP

$YsHr TEC $YsHK^CW9kH" TEC $YsHO$YsH&5<P<Kw.5l

F"X"U1,Tol^9#

ISS RealSecure ����������������$s9H<kN}!KD$FO"33Z<8NXRisk Manager N$s9H<kYr2H7F/

@5$#

ISS RealSecure ���������/~!N$YsHr SNMP $YsHH7Fw.9kh&K ISS RealSecure ;s5<r=.

9k3H,G-^9#ISS RealSecure ;s5<r=.9kKO"]j7<&U!$kr+9?

^$:7"$YsHQYr_j7^9#


m: UNIX 79F`G ISS RealSecure QN Risk Manager "@W?<r=.9k0K" Risk

Manager D-9/jWHK!NQ9rXj7F/@5$#

. /etc/Tivoli/rma_eif_env.sh

ISS RealSecure r=N$s9H<kljG=.7?j"^?O=N=.U!$krT87"

Tivoli Adapter Configuration Facility (ACF) rHQ7F:v9kU)<^CH&U!$kr[

[*hS,Q9k3H,G-^9#\YO"49Z<8NXACF rHQ7? Risk Manager "

@W?<N=.*hS[[Yr2H7F/@5$#

1. ,WK~8F"ISS RealSecure Q"@W?<N/i9jA9F<HasH (.cds) U!$k

tecad_snmp.cds rT87^9# ISS RealSecure Q"@W?<O"3NU!$kbNTW

J(sHj<r*r7F3asH=9k3HKhCF409k3H,G-^9#

2. tecad_snmp.cds *hS tecad_snmp.oid U!$kr,Q7F"Tivoli Management

Enterprise (TME) "@W?<r=.7^9#

����������ISS RealSecure N+9?^$:D=J]j7<&U!$kKhj"HQD=J IDS 70KA

c<HHQT=J IDS 70KAc<rXj9k3H,G-^9#^?"F70KAc<Nl

WKP9k79F`N?~b1L7^9#ISS RealSecure ]j7<&(G#?<rHQ7F"

7,N]j7<Nn.^?O{8]j7<N97rT$^9#3lKhj"$YsH&G<?

Y<9 (logdb) K-?9k70KAc<rXj7^9#3s=<kN ISS RealSecure $Ys

H&G<?Y<9K]I5lk$YsHO"ISS RealSecure QN"@W?<,h}9k$Ys

HKBil^9#

!P!=rn.7"IP "Il9r ISS RealSecure Q"@W?<N IP "Il9K_j9k}

!KD$FO"ISS RealSecure qAr2H7F/@5$#^?"ISS RealSecure Q"@W?<

N tecad_snmp.cds U!$kKhCF5]<H5lkF$YsH4HK"~zr TEC SNMP

"@W?< (HiCWu.&) N IP "Il9K_j9k}!KD$FNb@b2H7F/@

5$#

���������F ISS RealSecure !P!=4HK"!P!=Nm0K]I5lk$YsH,3s=<kN$

YsH&G<?Y<9K>w5lkQYrGg=7F/@5$#QYrGg=9k3HKhC

F"TEC $YsH&3s=<kK*1k$YsHNj"k?$`-?,~15l^9#

QYrGg=9k}!KD$FO"ISS RealSecure NqAr2H7F/@5$#d)5lk_

jO"1 DNm0K]I5lkGg-?t, 5000"G<?Y<91|be`@, 1%"5i

K0*G<?Y<9&"CWm<IN*rG9#

TEC SNMP ��������Risk Manager KO"5]<H5lkWiCHU)<`NU!$krHQ7F" TEC SNMP

"@W?<&U!$k (tecad_snmp.cds *hS tecad_snmp.oid) r979k?aNWmU!

$k,s!5lF$^9#

ISS RealSecure Q SNMP WmU!$krBT9k0K"TEC SNMP "@W?<&U!$k

NPC/"CW&3T<rn.7F/@5$#3NWmU!$kO SNMP "@W?<rd_

7"(sI]$sHeN TEC U!$kr ISS RealSecure ,s!9kU!$kKV-9(

F" SNMP "@W?<rFO07^9#


J<N9FCWK>CF"TEC SNMP "@W?<, ISS RealSecure "i<`r Risk

Manager K>w9kh&K=.7^9#

1. "I_K9Hl<?<N TME G9/HCWG"GU)kHN TEC Nhr(9

VTEC-Region (TEC Nh)W"$3sr@Vk/jC/7^9#

2. VProfiles for Enterprise Risk Management (Enterprise Risk Management NWmU!$k)WWmU!$k&"$3sr@Vk/jC/7F"VProfile Manager (WmU!$

k&^M<8c<)W&#sI&r=(7^9#

3. VSNMP Adapter for ISS RealSecure (ISS RealSecure Q SNMP "@W?<)W"$3sr@Vk/jC/7F"VAdapter Configuration Profile ("@W?<=.WmU!$

k)W&#sI&r*<Ws7^9#

4. VAdd Entry ((sHj<NIC)Wr/jC/7^9#

5. "@W?<&?$WK:v9k tecad_snmp r*r7"VSelect & Close (*r & /m<:)Wr/jC/7^9#

6. VEdit Adapter Configuration ("@W?<=.NT8)W&#sI&G"VDistribution ([[)Wr/jC/7F"U!$kN[[j9Hr=(7^9#

GU)kHN[[Q9O"Risk Manager ,s!9k SNMP U!$kGOJ/"TEC

SNMP U!$krX7F$^9#[[=<9r Risk Manager P<8gsrX9h&KQ

99k}!"^? TEC P<8gsH Risk Manager P<8gsr^<89k}!KD$

FO"Tivoli qAr2H7F/@5$#

,:"[[j9HK"Risk Manager ,s!9k tecad_snmp.cds *hS tecad_snmp.oid

U!$k"^?O Risk Manager U!$kH^<85l?U!$kr~lF/@5$#

7. B]NU!$k*hSQ9rT89kKO"!Nh&K7^9#

¶ [[9kU!$kN>0r@Vk/jC/7^9#

¶ yf (=) N#K"kU)k@<&\?sr/jC/7FQ9r_j7^9#Q9O!

Nh&KJj^9#

$BINDIR/../generic_unix/RISKMGR/ACF_REP/

BINDIR O"$YsH&5<P<&P$Jj<,8_9kG#l/Hj<G9#

8. Q9N_jr]I9klgO"A'C/^</r*r7^9#

9. VSave & Close (]I & /m<:)Wr/jC/7^9#

UNIX �� Tivoli ��� SNMP ������&+�+�ISS RealSecure Q"@W?<H Cisco k<?<Q"@W?<OIAib Tivoli SNMP "@W

?<rHQ7^9#ISS RealSecure Q"@W?<r{K;CH"CW7F"klgO" Cisco

k<?<Q"@W?<KD$F3Njgr+jV9,WO"j^;s#

Tivoli SNMP "@W?<N$s9H<k}!N04Jb@O"VTivoli Enterprise Console "

@W?<&,$IWr2H7F/@5$#=NeG"4HQN*Zl<F#s0&79F`,

Q1CHr TEC $YsH&5<P<KP)XjG-k3HrN'7F/@5$#

Tivoli J0ND-G SNMP "@W?<r;CH"CW9kKO"J<Nh&K7^9#


1. SNMP "@W?<r$s9H<k7^9#?H(P"packadd rHQ7F" SNMP "@

W?<r Solaris 79F`N /test/riskmgr/snmp/ G#l/Hj<K$s9H<k7^

9# 42Z<8NXSolaris 79F`K*1k"@W?<N$s9H<kYr2H7F/@

5$#

2. SNMP "@W?<r$s9H<k7?G#l/Hj<K\07^9#

cd /test/riskmgr/snmp/etc

3. tecad_snmp.conf =.U!$krT87" ServerLocation r^`Tr57^9#

4. 3NTr!Nh&KQ97^9#

ServerLocation=1.2.3.4

1.2.3.4 O"TEC $YsH&5<P<N IP "Il9r(7^9#

5. $YsH&5<P<, Windows NT 79F`G"klgd" Tivoli J0N SNMP "@

W?<rHQ7F$klgO"!NTbIC7^9#

ServerPort=5529

6. SNMP HiCWru.9kh&K"/etc/services U!$kbN!N(sHj<rQ97

^9# /etc/services U!$kK!NTrIC7^9#

snmp-trap 162/tcp
snmp-trap 162/udp

7. TEC $YsH&5<P<N tecad_snmp.cds U!$k*hS tecad_snmp.oid U!$k

r"T8*hSF9H,Qs@ Risk Manager ,s!9kU!$kHV-9(^9#

ISS RealSecure ���������Tivoli "I_K9Hl<?<O"ISS RealSecure Q"@W?<KD$F"3N;/7gsGb

@9knHrBT7^9#

SNMP ��������ISS RealSecure Q"@W?<H Cisco k<?<Q"@W?<OIAib Tivoli SNMP "@W

?<rHQ7^9#ISS RealSecure Q SNMP "@W?<r+O9klgO" Cisco k<?<

QN SNMP "@W?<b+O9k3HKJj^9#

Tivoli SNMP "@W?<&=UH&'"r$s9H<k7?G#l/Hj<K\07^9#W

iCHU)<`LNGU)kHNLVO!NH*jG9#

Windows systems:

%LCFROOT%\bin\w32-ix86\tme\tec\adapters\bin\
net start tecsnmpadapter

Windows NT NlgO"V3sHm<k QMkWrHQ7F SNMP "@W?<r+O9k

3HbG-^9#

AIX:

$LCFROOT/bin/aix4-r1/TME/TEC/adapters/bin/init.tecad_snmp start

Solaris:

$LCFROOT/bin/solaris2/TME/TEC/adapters/bin/init.tecad_snmp start


SNMP ��������ISS RealSecure Q"@W?<H Cisco k<?<Q"@W?<OIAib Tivoli SNMP "@W

?<rHQ7^9# ISS RealSecure Q SNMP "@W?<rd_9klgO" Cisco k<?

<QN SNMP "@W?<bd_9k3HKJj^9#

Tivoli SNMP "@W?<&=UH&'"r$s9H<k7?G#l/Hj<K\07^9#W

iCHU)<`LNGU)kHNLVO!NH*jG9#

Windows systems:

%LCFROOT%\bin\w32-ix86\tme\tec\adapters\bin\
net stop tecsnmpadapter

AIX systems:

$LCFROOT/bin/aix4-r1/TME/TEC/adapters/bin/init.tecad_snmp stop

Solaris systems:

$LCFROOT/bin/solaris2/TME/TEC/adapters/bin/init.tecad_snmp stop


Cisco ����������

3NOGO"J<N@KD$Fb@7^9#

¶ XCisco k<?<N5WY

¶ 156Z<8NXTEC CorrelationY

¶ 157Z<8NXCisco k<?<Q"@W?<N$s9H<kY

¶ 160Z<8NXCisco k<?<NI}Y

¶ 161Z<8NXCisco k<?<NHiCWY

Cisco k<?<NHiCWKX9kqAO"Cisco N Web 5$HK"j^9# MIB"HiC

W"OID"*hS=N>NpsKD$FO"!N Cisco Web 5$Hr2H7F/@5$#

http://www.cisco.com

^?"VTivoli Enterprise Console "@W?<&,$IWN SNMP "@W?<KX9kOb2

H7F/@5$#

Cisco �������Cisco k<?<OHiCWr!P7F SNMP $YsHr8.7^9#SNMP $YsHO"

Windows 79F`^?O UNIX 79F`N$:l+K>\w.9k3H,G-^9#w.h

N79F`OLo Tivoli ^?O Tivoli J0ND-N(sI]$sHeK"j"=3G Tivoli

SNMP "@W?<rBT7F$^9#

Cisco k<?<QN Risk Manager O"Tivoli SNMP "@W?<r=.9kU!$k+i.

j"3lKhj Cisco k<?<&$YsHrhj~_$YsH&5<P<K>w7FjXr

T$^9#U!$kO!NH*jG9#

¶ tecad_snmp.cds

¶ tecad_snmp.oid

Cisco k<?<Q"@W?<NU!$kO"TEC SNMP "@W?<,"k(sI]$sHK

"j^9#


TEC Correlation

Tivoli Enterprise Console (TEC) SNMP "@W?<O Cisco k<?<KhCFw.5lk

SNMP HiCWr'17F"=liN SNMP $YsHr TEC $YsHK^CW7^9#

SNMP "@W?<O TEC $YsHr$YsH&5<P<Kw.7F"X"U1rT$^9#

Risk Manager O Cisco k<?<&$YsHr">N?$WN;s5<+iw.5lk=N>

N$YsHHX"U1"Risk Manager "I_K9Hl<?<,/~!N$YsH4NrD.

G-kh&K7^9#

SNMP X"/i9O" sensor_abstract.baroc U!$k*hS riskmgr.baroc U!$kN

/i9KhCF[Jj^9#crouter_snmp.baroc U!$kKO Cisco k<?<QN/i9N

I8*,^^lF$^9#

Figure 21. Diagram of the adapter for Cisco routers


Cisco ����������������Tivoli Risk Manager 3.8 $s9H<k&QC1<8KO" Cisco k<?<Q"@W?<G

"@W?<=.!= (ACF) rHQD=J$s9H<k&5]<H,^^lF$^9#3NQ

C1<8KO"Cisco k<?<Q"@W?<N crouter_snmp.baroc U!$k"jXk<k"

*hS prolog U!$kb^^lF$^9#5iK"TEC SNMP "@W?<r=.9k?a

N/i9jA9F<HasH (.cds) *hS .oid U!$kb^^lF$^9#$s9H<k

e"U!$kO!NG#l/Hj<KV+l^9#

$BINDIR/../generic_unix/RISKMGR/ACF_REP/tecad_snmp.cds
$BINDIR/../generic_unix/RISKMGR/ACF_REP/tecad_snmp.oid

BINDIR O"$YsH&5<P<&P$Jj<,8_9kG#l/Hj<G9#

HiCW+NKHiCWN8.5lk~oO^^l^;s#^?"SNMP "@W?<KO?

$`&9?sWrh@9k?aN$s?<U'<9,"j^;s#\7/O"VTivoli

Enterprise Console "@W?<&,$IWr2H7F/@5$#

��������$s9H<kN0K"VTivoli Risk Manager jj<9&N<HWr2H7F"=UH&'"

WoKX9kG7psHG7N$s9H<kpsrN'7F/@5$#

m: UNIX 79F`G Cisco k<?<QN Risk Manager "@W?<r=.9kKO" Risk

Manager D-9/jWHK!NQ9rXj7F/@5$#

. /etc/Tivoli/rma_eif_env.sh

4HQNWiCHU)<`QN Tivoli SNMP "@W?<r$s9H<k9k0K"Cisco k

<?<r$s9H<k7F*+J1lPJj^;s# SNMP "@W?<O"Windows 79F

`^?O UNIX 79F`K$s9H<k9k3H,G-^9#$s9H<k}!KD$F

O"VTivoli Enterprise Console "@W?<&,$IWr2H7F/@5$#

TEC $YsH&5<P<KO"@W?<r$s9H<k7J$G/@5$#=NeojK"

=liN"@W?<r$YsH&5<P<+i[[7F/@5$#

Risk Manager U0NWmU!$krHCF"@W?<r[[9klg" ACF r$s9H<

k7J1lPJj^;s#ACF N\YKD$FO"49Z<8NXACF rHQ7? Risk

Manager "@W?<N=.*hS[[Yr2H7F/@5$#

Risk Manager H&Ks!5lF$k Cisco k<?<Q"@W?<O" tecad_snmp.cds *h

S tecad_snmp.oid U!$kG=.5l^9#3liO"SNMP "@W?<, Cisco k<?

<N SNMP HiCWr TEC $YsHKQ99kh&=.9k?aK,WJU!$kG9#

Tivoli D-G Cisco k<?<Q"@W?<r$s9H<k7"=.9kKO"J<N?9/

rBT7^9#

��������+�79F`NG-J$s9H<k&Wm0i`rHQ7F" Cisco k<?<Q"@W?<r$

s9H<k9k3H,G-^9#\7/O"33Z<8NXRisk Manager N$s9H<kYr

2H7F/@5$#

!N$:l+rT$^9#


1. ,WK~8F"Cisco k<?<Q"@W?<N/i9jA9F<HasH (.cds) U!$k

tecad_snmp.cds rT87^9#Cisco k<?<Q"@W?<O"3NU!$kbN(sH

j<r*r7F3asH=9k3HKhCF409k3H,G-^9#

2. tecad_snmp.cds *hS tecad_snmp.oid U!$kr,Q7F"TME "@W?<r=.7

^9#

Cisco �������������i|$s9H<k=.,*oC?i"Cisco k<?<Q"@W?<r=.7^9#

1. ,WK~8F"Cisco k<?<&HiCWr SNMP $YsHH7F UNIX Kw.9kh

&K=.7^9# 159Z<8NXCisco k<?<N;CH"CWYr2H7F/@5$#

2. ,WK~8F"TEC SNMP "@W?<, Cisco k<?<&"i<`r Risk Manager K

>w9kh&K=.7^9#159Z<8NXUNIX QN Tivoli J0N SNMP "@W?<N

;CH"CWYr2H7F/@5$#

TEC SNMP ��������Risk Manager KO"TEC SNMP "@W?<&U!$k (tecad_snmp.cds *hS

tecad_snmp.oid) r979k?aNWmU!$k,s!5lF$^9#

Cisco k<?<Q SNMP "@W?<NWmU!$krBT9k0K"TEC SNMP "@W?

<&U!$kNPC/"CW&3T<rn.7F/@5$#3NWmU!$kO SNMP "@

W?<rd_7"(sI]$sHeN TEC U!$kr Risk Manager ,s!9kU!$kK

V-9(F" SNMP "@W?<rFO07^9#

J<N9FCWK>CF"TEC SNMP "@W?<, Cisco k<?<&"i<`r Risk

Manager K>w9kh&K=.7^9#

1. "I_K9Hl<?<N TME G9/HCWG"GU)kHN TEC Nhr(9

VTEC-Region (TEC Nh)W"$3sr@Vk/jC/7^9#

2. VProfiles for Enterprise Risk Management (Enterprise Risk Management NWmU!$k)WWmU!$k&"$3sr@Vk/jC/7F"VProfile Manager (WmU!$

k&^M<8c<)W&#sI&r=(7^9#

3. VSNMP Adapter for Cisco Router (Cisco k<?<Q SNMP "@W?<)WWmU!$k&"$3sr@Vk/jC/7F"VAdapter Configuration Profile ("@W?<=.W

mU!$k)W&#sI&r*<Ws7^9#

4. VAdd Entry ((sHj<NIC)Wr/jC/7^9#

5. "@W?<&?$WK:v9k tecad_snmp r*r7"VSelect & Close (*r & /m<:)Wr/jC/7^9#

6. VEdit Adapter Configuration ("@W?<=.NT8)W&#sI&G"VDistribution ([[)Wr/jC/7F"U!$kN[[j9Hr=(7^9#

GU)kHN[[Q9O"Risk Manager ,s!9k SNMP U!$kGOJ/"TEC

SNMP U!$krX7F$^9#[[=<9r Risk Manager P<8gsrX9h&KQ

99k}!"^? TEC P<8gsH Risk Manager P<8gsr^<89k}!KD$

FO" Tivoli qAr2H7F/@5$#

,:"[[j9HK"Risk Manager ,s!9k tecad_snmp.cds *hS tecad_snmp.oid

U!$k"^?O Risk Manager U!$kH^<85l?U!$kr~lF/@5$#


7. B]NU!$k*hSQ9rT89kKO"!Nh&K7^9#

¶ WmU!$krHQ7F[[9kj9HbNU!$kr@Vk/jC/7^9#

¶ yf (=) N#K"kU)k@<&\?sr/jC/7FQ9r_j7^9#Q9O!

Nh&KJj^9#

hostname/usr/local/Tivoli/bin/generic_unix/RISKMGR/ACF_REP/

¶ Q9N_jr]I9klgO"A'C/^</r*r7^9#

8. VSave & Close (]8 & /m<:)W\?sr/jC/7^9#

Cisco �����&+�+�;CH"CWrOak0K"Cisco k<?<K SNMP "@W?<,$s9H<k5lF$k

^7sXNP),"k+I&+rN'7F/@5$#

Cisco k<?<QK Risk Manager "@W?<rHQ9kh& Cisco k<?<r;CH"CW

9kKO"!Nh&K7^9#

1. Cisco k<?<r$s9H<k7?^7sK Telnet Gm0$s7F"secret 3^sIr/T7^9#

2. config 3^sIr/T7^9#

3. !Nh&K~O7^9#

snmp-server host 5.6.7.8

5.6.7.8 O"SNMP "@W?<r$s9H<k7?^7sN IP "Il9G9#

4. !Nh&K~O7^9#

snmp-server enable traps

5. SNMP "@W?<,$s9H<k5lF$k^7sKX"7? SNMP 3_eKF#<>

r MyCommun K_j9kKO"!Nh&K~O7^9#

snmp-server community MyCommun

6. exit 3^sIr 2 Y/T7F";C7gsrD8^9#

UNIX �� Tivoli ��� SNMP ������&+�+�Internet Security Systems RealSecure (ISS RealSecure) Q"@W?<H Cisco k<?<Q"@

W?<OIAib Tivoli SNMP "@W?<rHQ7^9#?H(P"ISS RealSecure Q"@

W?<r{K;CH"CW7F"klgO" Cisco k<?<Q"@W?<KD$F3Njg

r+jV9,WO"j^;s#

Tivoli SNMP "@W?<N$s9H<k}!Nb@O"VTivoli Enterprise Console "@W?

<&,$IWr2H7F/@5$#=NeG"4HQN*Zl<F#s0&79F`,Q1C

Hr TEC $YsH&5<P<KP)XjG-k3HrN'7F/@5$#

Tivoli J0ND-G SNMP "@W?<r;CH"CW9kKO"J<Nh&K7^9#

1. SNMP "@W?<r$s9H<k7^9#?H(P"SNMP "@W?<r AIX ^7sN

/test/riskmgr/snmp/ G#l/Hj<K$s9H<k9k3H,G-^9#

2. SNMP "@W?<r$s9H<k7?G#l/Hj<K\07^9#

cd /test/riskmgr/snmp/etc


3. tecad_snmp.conf =.U!$krT87" ServerLocation r^`Tr57^9#

4. 3NTr!Nh&KQ97^9#

ServerLocation=1.2.3.4

1.2.3.4 O"TEC $YsH&5<P<N IP "Il9r(7^9#

5. $YsH&5<P<, Windows NT 79F`G"klgd" Tivoli J0N SNMP "@

W?<rHQ7F$klgO"!NTbIC7^9#

ServerPort=5529

6. /etc/services U!$kK!NTrIC7^9#

snmp-trap 162/tcp
snmp-trap 162/udp

7. TEC $YsH&5<P<N tecad_snmp.cds U!$k*hS tecad_snmp.oid U!$k

r"T8*hSF9H,Qs@U!$kHV-9(^9#

Cisco �������3N;/7gsGO"Cisco k<?<Q"@W?<KD$FN?9/rb@7^9#

SNMP ��������Internet Security System (ISS) RealSecure Q"@W?<H Cisco k<?<Q"@W?<OIA

ib Tivoli SNMP "@W?<rHQ7^9# ISS RealSecure Q SNMP "@W?<r+O9

klgO" Cisco k<?<QN SNMP "@W?<b+O9k3HKJj^9#

SNMP "@W?<rj0G+O9kKO"Tivoli SNMP "@W?<&=UH&'"r$s9

H<k7?G#l/Hj<K\07^9#WiCHU)<`LNGU)kHNLVO!NH*

jG9#

Windows NT systems:

%LCFROOT%\bin\w32-ix86\tme\tec\adapters\bin\
net start tecsnmpadapter

Windows NT NlgO"V3sHm<k QMkWrHQ7F SNMP "@W?<r+O9k

3HbG-^9#

AIX systems:

$LCFROOT/bin/aix4-r1/TME/TEC/adapters/bin/init.tecad_snmp start

Solaris systems:

$LCFROOT/bin/solaris2/TME/TEC/adapters/bin/init.tecad_snmp start

SNMP ��������ISS RealSecure Q"@W?<H Cisco k<?<Q"@W?<OIAib Tivoli SNMP "@W

?<rHQ7^9#ISS RealSecure Q SNMP "@W?<rd_9klgO" Cisco k<?<

QN SNMP "@W?<bd_9k3HKJj^9#

SNMP "@W?<r+0*Kd_9kH"Cisco k<?<Q"@W?<bd_7^9#3l

O"2 DN"@W?<,&LNU!$k tecad_snmp.cds H tecad_snmp.oid r&Q7F$k

?aG9#


SNMP "@W?<rj0Gd_9kKO"Tivoli SNMP "@W?<&=UH&'"r$s9

H<k7?G#l/Hj<K\07^9#WiCHU)<`LNGU)kHNLVO!NH*

jG9#

Windows NT systems:

%LCFROOT%\bin\w32-ix86\tme\tec\adapters\bin\
net stop tecsnmpadapter

Windows NT NlgO"V3sHm<k QMkWrHQ7F SNMP "@W?<rd_9k

3HbG-^9#

AIX systems:

$LCFROOT/bin/aix4-r1/TME/TEC/adapters/bin/init.tecad_snmp stop

Solaris systems:

$LCFROOT/bin/solaris2/TME/TEC/adapters/bin/init.tecad_snmp stop

SNMP ��2����ISS RealSecure Q"@W?<H Cisco k<?<Q"@W?<OIAib Tivoli SNMP "@W

?<rHQ7^9#ISS RealSecure Q SNMP G<bsrd_9klgO" Cisco k<?<

QN SNMP G<bsbd_9k3HKJj^9#

SNMP G<bsrd_9kKO"J<Nh&K7^9#

1. SNMP G<bsN ID r+U1kKO"!Nh&K~O7^9#

ps -ef | grep snmpd

2. 33G"pid , SNMP G<bsN ID NlgO"!Nh&K~O7^9#

kill -9 pid

�����������Tivoli J0ND-GO"$YsHr$YsH&5<P<K>w9kh&K tecad_snmp.conf

=.U!$krT87^9#

3NU!$krT89kKO"J<Nh&K7^9#

1. TEC SNMP "@W?<r$s9H<k7? /etc G#l/Hj<K\07^9#

2. tecad_snmp.conf U!$krT87F"!N(sHj<rQ97^9#

ServerLocation=ip_address

ip_address O$YsH&5<P<N IP "Il9G9#

UNIX ��-���)�����SNMP HiCWru.9kh&K"UNIX /etc/services U!$kbN!N(sHj<rQ

97^9#

snmp-trap 162/tcp # snmp monitor trap port
snmp-trap 162/udp # snmp monitor trap port

Cisco �����*+�SNMP TEC "@W?<O SNMP P<8gs 1 NHiCWrh}7^9#


Cisco �������*+�J<Nj9HO"$YsH&5<P<K>w5lk Risk Manager $YsHr8.9k"Cisco

G-NHiCWr(7?bNG9#

Enterprise OID            Trap type
1.3.6.1.4.1.9.2.11.1      logonIntruder
1.3.6.1.4.1.437.1.1.3     logonIntruder
1.3.6.1.4.1.437.1.1.3     broadcastStorm
1.3.6.1.4.1.9             reload
1.3.6.1.4.1.9             tcpConnectionClose

���*+�J<Nj9HO"FoN+F4j< (=."H]m8<"]<H"k<HQ9JI) K09k

HiCWr(7?bNG9#

1.3.6.1.4.1.9.9.43.2 ciscoConfigManEvent

1.3.6.1.4.1.9.5 sysConfigChangeTrap

1.3.6.1.2.1.47.2 entConfigChange

1.3.6.1.2.1.17 newRoot

1.3.6.1.2.1.17 topologyChange

1.3.6.1.4.1.9.1.111.1.2.3 cat2600TsDmnNewRoot

1.3.6.1.4.1.9.1.111.1.2.3 cat2600TsDmnTopologyChange

1.3.6.1.4.1.9.2.11.1 ipAddressChange

1.3.6.1.4.1.437.1.1.3 ipAddressChange

1.3.6.1.4.1.9.5.14.1.1 ciscoEsStackCfgChange

1.3.6.1.4.1.9.5.14.4 ciscoEsPortStrNFwdEntry

1.3.6.1.4.1.9.5.14.8 ciscoEsVLANNewRoot

1.3.6.1.4.1.9.5.14.8 ciscoEsVLANTopologyChange

���� SNMP ����*+�J<Nj9HO"lL*J SNMP 'Zc2HiCWN+F4j<K09kHiCWr(7?

bNG9#

1.3.6.1.2.1.11 authenticationFailure


Cisco Secure PIX Firewall ������

3NOGO"J<N@KD$Fb@7^9#

¶ XCisco Secure PIX Firewall N5WY

¶ 165Z<8NXU!$"&)<kI}$YsHY

¶ 167Z<8NXCisco Secure PIX Firewall Q"@W?<N$s9H<k*hS=.Y

¶ 169Z<8NXTEC ?9/Y

Cisco Secure PIX Firewall NI-easF<7gsO"!N Web 5$H+i~j9k3H,

G-^9#

http://www.cisco.com

Cisco Secure PIX Firewall ���Cisco Private Internet Exchange (PIX) Firewall P<8gs 5.1.2 O";-ejF#<&]j7

<XNQ9*hS;-ejF#<&]j7<KP7Fn_il?6br!P7F-?9k"T

NNU!$"&)<kG9# Risk Manager KO Tivoli Logfile "@W?< (UNIX Q) *h

S Windows Event Log "@W?< (Windows NT Q) N?aNH%!=,"j^9#

\qGO"J<NQlrHQ7F$^9#

¶ Tivoli Logfile "@W?< (UNIX Q) *hS Windows Event Log "@W?< (Windows

NT Q) NH%!=HO" Cisco Secure PIX Firewall QN"@W?<N3Hr$$^9#

¶ Cisco Secure PIX Firewall O"Risk Manager ;s5<N3Hr$$^9#

Cisco Secure PIX Firewall Q"@W?<O" Tivoli Logfile "@W?<&U)<^CH&U!

$k*hS Windows Event Log "@W?<&U)<^CH&U!$k (=l>l"pix.fmt

*hS pix_nt.fmt) G=.5lF$^9# Risk Manager O3liNU)<^CH&U!$

krHQ7F"TME "@W?<r=.7^9#=N TME "@W?<O Cisco Secure PIX

Firewall ;s5<Kw.5l?$YsHrhj~sG"8.5lkm0&aC;<8r TEC

$YsHK^CW7^9#

Cisco Secure PIX Firewall Q"@W?<O" Cisco Secure PIX Firewall ;s5<,m0&a

C;<8rw.9kh&K=.5lF$k[9HKos7^9#3N[9HO"UNIX 79F

`^?O Windows 79F`&[9HN$:l+G9# Windows 79F`&[9HXNm.

s0KO Cisco PIX Firewall Syslog Server (PFSS) ,,WG9#

Risk Manager O";s5<Nm0&aC;<8EgYr TEC $YsHEgYK!Nh&K

^CW7^9#


Cisco Secure PIX Firewall log message severity    TEC event severity
7  Debugging                                      HARMLESS
6  Informational                                  HARMLESS
5  Notification                                   HARMLESS
4  Warning                                        WARNING
3  Error                                          MINOR
2  Critical                                       CRITICAL
1  Alert                                          FATAL
0  Emergency                                      FATAL

&������Cisco Secure PIX Firewall Model 506 ;s5<O"=Np\=UH&'"H7FNFQ*Zl

<F#s0&79F`r}?J$NG"MCHo</!o H+J93H,G-^9#3N;

s5<O"bK?<*hS"<+$VQKm0&aC;<8rjb<H&[9HKw.9kh

&K=.7J1lPJj^;s# Tivoli Management Enterprise (TME) "@W?<H%!=O

3Njb<H&[9HK$s9H<k7^9# Risk Manager H%!=rHQ9k3HKh

j"TME "@W?<Oe. Cisco Secure PIX Firewall m0&aC;<8rbK?<7^9#

UNIX 79F`GO"m0&aC;<8O Tivoli Logfile "@W?<G"k syslogd K]I5

l^9# Windows 79F`GO"3liNm0&aC;<8O Cisco PIX Firewall Syslog

Server K]I5l^9#

=Nm0&aC;<8, Risk Manager H%U)<^CH&U!$kNU)<^CH&9F<

HasHHlW9kH" TME "@W?<O=Nm0&aC;<8+iEWJpsr}87"

=lr Risk Manager $YsHH7F$YsH&5<P<K>w7^9#

PFSS O Cisco Secure PIX Firewall Model 506 KO07F$^;s#3lO Cisco Web 5$

H+i@&sm<I9k,W,"j^9# PFSS N@&sm<I"$s9H<k"*hS=

.N}!KD$FO"VInstallation Guide for the Cisco Secure PIX Firewall Version 5.1Wr

2H7F/@5$#

m: Cisco PIX Firewall Syslog Server (PFSS) rHQ9klgO"Windows NT Service Pack 6

r$s9H<k9k3Hr*+a7^9#

TEC Correlation

Cisco Secure PIX Firewall O"Tivoli Logfile "@W?< (*hS syslogd) (UNIX Q)"

Windows Event Log "@W?< (*hS PFSS) (Windows NT) rHQ7F$YsHr8.7

^9# TME "@W?<O"Windows NT"AIX"^?O Solaris eN Cisco Secure PIX

Firewall KhCFw.5lkU!$"&)<kX"N$YsHr'17^9# Cisco Secure

PIX Firewall Q"@W?<O"3liN$YsHr TEC $YsHX^CW7^9# Risk

Manager U)<^CH&U!$kOU!$"&)<k&$YsHr Risk Manager $YsHK

^CW7"$YsH&5<P<O3N Risk Manager $YsHHNX"U1rT$^9#

Risk Manager O"pix.baroc U!$kr$YsH&5<P<eK$s9H<k7^9#3N

BAROC U!$kKhCF"$YsH&5<P<O"u.9k Cisco Secure PIX Firewall $

YsHr'17Fh}9k3H,G-^9#Cisco Secure PIX Firewall $YsHO!N 2 D

N+F4j<K,1il^9#

¶ /~X"


• Non-intrusion-related

Risk Manager classifies intrusion-related events into the RM_IDSEvent class and non-intrusion-related events into the RM_MiscEvent class.

Firewall events

A firewall protects the internal network and raises alerts about intrusions. A firewall reports firewall-related events in several distinct categories. Firewall-related events include the following:

• Authentication failures
• Authorization failures
• Connection refusals
• Network Address Translation (NAT) and Port Address Translation (PAT) violations

TEC rule engine

The TEC rule engine bases its decisions on the following three attributes:

• Source IP address
• Destination IP address
• Attack signature

Firewalls generally do not write the firewall sensor's own host IP address into the log message, although the firewall's interface name sometimes appears in it. On UNIX, the Tivoli Logfile adapter (syslogd) automatically prefixes each message with the IP address of the host that sent the log message. On Windows, PFSS cannot be configured to do this.

For the Cisco Secure PIX Firewall adapter on Windows NT, the rm_SensorHostname and rm_SensorIPAddr attributes are therefore set not to the host name and IP address of the Cisco Secure PIX Firewall sensor, but to the host name and IP address of the host on which the Risk Manager adapter and PFSS run. Because the Cisco Secure PIX Firewall adapter on Windows NT cannot obtain these two important pieces of information from the sensor, it fills these attributes with the next most useful information available, the host name of the host running the Risk Manager adapter and PFSS. In other words, what reaches the event server as sensor information is actually the host information of the Risk Manager adapter.

PFSS can be configured to receive log messages from up to 10 Cisco Secure PIX Firewall sensors. In that configuration, all events from those 10 Cisco Secure PIX Firewall sensors are presented as events from a single sensor.

On UNIX systems, the rm_SensorIPAddr attribute is set to the IP address of the Cisco Secure PIX Firewall sensor, which is the second token of the syslogd string. Because the host name of the Cisco Secure PIX Firewall sensor is not available, the rm_SensorHostname attribute is set to the value N/A, so that these two related values remain consistent in the Cisco Secure PIX Firewall adapter for UNIX.
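The following Python script is an added example, not code from Risk Manager or from this guide. It applies the rules above: the severity digit of a %PIX-<severity>-<id> message is mapped to the TEC severity from the table, and the rm_Sensor* attributes are filled the UNIX way (sensor IP from the second syslogd token, host name N/A) or the Windows/PFSS way (the adapter's own host). The one-token timestamp layout, the sample lines, and the source/destination heuristic are assumptions.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Cisco Secure PIX Firewall log severity -> TEC event severity (the table above).
PIX_TO_TEC_SEVERITY = {
    7: "HARMLESS", 6: "HARMLESS",   # debug, informational
    5: "WARNING", 4: "WARNING",     # notification, warning
    3: "MINOR",                     # error
    2: "CRITICAL",                  # critical
    1: "FATAL", 0: "FATAL",         # alert, emergency
}

# PIX message identifiers look like %PIX-6-302010: <text>
PIX_MSG_RE = re.compile(r"%PIX-(?P<sev>[0-7])-(?P<msgid>\d{6}):\s*(?P<text>.*)$")
IPV4_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")


@dataclass
class RiskManagerEvent:
    tec_severity: str
    pix_message_id: str
    rm_SensorHostname: str
    rm_SensorIPAddr: str
    rm_SourceIPAddr: str = "N/A"
    rm_DestinationIPAddr: str = "N/A"
    # The firewall is an IP-layer filter and never resolves names, so the
    # source/destination host names always keep the default N/A.
    rm_SourceHostname: str = "N/A"
    rm_DestinationHostname: str = "N/A"


def _event_from_message(msg: str, sensor_host: str, sensor_ip: str) -> Optional[RiskManagerEvent]:
    m = PIX_MSG_RE.search(msg)
    if m is None:
        return None                       # not a PIX message: nothing to map
    ips = IPV4_RE.findall(m.group("text"))
    # Assumption (not stated on the page): the first two addresses in the
    # message body are source and destination; many messages carry only one.
    src = ips[0] if len(ips) > 0 else "N/A"
    dst = ips[1] if len(ips) > 1 else "N/A"
    return RiskManagerEvent(PIX_TO_TEC_SEVERITY[int(m.group("sev"))],
                            m.group("msgid"), sensor_host, sensor_ip, src, dst)


def parse_unix_syslog_line(line: str) -> Optional[RiskManagerEvent]:
    """UNIX host: syslogd prefixes the sender's IP, so the second token is the
    PIX sensor's IP address; the sensor host name is unknown and stays N/A.
    Assumed layout: '<timestamp> <sender-ip> <message>' with a one-token timestamp."""
    tokens = line.split(None, 2)
    if len(tokens) < 3 or IPV4_RE.fullmatch(tokens[1]) is None:
        return None
    return _event_from_message(tokens[2], "N/A", tokens[1])


def parse_pfss_line(line: str, adapter_host: str, adapter_ip: str) -> Optional[RiskManagerEvent]:
    """Windows NT host: PFSS does not record the sender, so the adapter reports
    its own host name and IP as the sensor (all PFSS-fed sensors look like one)."""
    return _event_from_message(line, adapter_host, adapter_ip)


# Constructed sample syslogd lines (not taken from the page).
SAMPLE_UNIX_LINES = [
    "2001-01-10T12:00:01 10.1.1.1 %PIX-3-106001: Inbound TCP connection denied "
    "from 192.0.2.10/4321 to 10.1.2.3/80 flags SYN on interface outside",
    "2001-01-10T12:00:02 10.1.1.1 %PIX-6-302010: 2 in use, 5 most used",
    "2001-01-10T12:00:03 10.1.1.1 sshd[123]: Accepted password for admin",  # not PIX
]

if __name__ == "__main__":
    for raw in SAMPLE_UNIX_LINES:
        print(parse_unix_syslog_line(raw))
```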


On both UNIX and Windows NT systems, the Cisco Secure PIX Firewall receives no information about the attacker's host name or about the target of the attack. Because the firewall is an IP-layer (packet) filter, IP addresses are the only data available. The filter does not attempt name lookups on the host IP addresses involved in the attack (nor does it spend the time to do so). For this reason the Cisco Secure PIX Firewall adapter sets neither rm_SourceHostname nor rm_DestinationHostname; these event attributes keep their default value, N/A. The PIX Firewall adapter does set rm_SourceIPAddr and rm_DestinationIPAddr (often only one of the two) when that data is available in the string.

Most Cisco Secure PIX Firewall log messages contain IP addresses, but they do not contain an explicit attack signature, because the firewall does not necessarily treat the occurrence of such a signature as an attack.

Intrusion-related Cisco Secure PIX Firewall event codes

Most Cisco Secure PIX Firewall log records contain IP addresses but no explicit attack signature. For intrusion-related Cisco Secure PIX Firewall log messages, Risk Manager supplies the following strings as signatures.

fw_conn_deny       A connection was refused.
fw_pkt_modified    The Cisco Secure PIX Firewall modified a packet for protection.
fw_xlate_deny      A packet was dropped because of a Network Address Translation (NAT) or Port Address Translation (PAT) failure.
fw_tunn_deny       Tunnel encryption or decryption was denied.
fw_acl_deny        A packet was dropped because of an access-group authorization failure.
fw_auth_deny       A packet was dropped because of an authentication failure.
fw_ipsec           An IPSEC VPN event inside a tunnel may have failed authentication.

Non-intrusion-related Cisco Secure PIX Firewall event codes

For Cisco Secure PIX Firewall events that do not identify an intrusion, the Cisco Secure PIX Firewall adapter sends the events to classes derived from RM_MiscEvent. The Cisco Secure PIX Firewall adapter codes non-intrusion-related log messages as follows.

fw_pixfw_signature   Cisco Secure PIX Firewall catchall signature.
fw_snmp              Simple Network Management Protocol (SNMP) event.
fw_conn_permit       A connection was permitted.
fw_xlate_permit      Network Address Translation (NAT) or Port Address Translation (PAT) succeeded.
fw_failover          A failover (high-availability mechanism) from one firewall to its backup occurred.
fw_authentication    Authentication event.
fw_routing           A routing problem on the firewall.
fw_configuration     A change to the firewall configuration, or a problem related to it.
fw_internal          An internal error on the firewall.


Installing and configuring the Cisco Secure PIX Firewall adapter

This section describes the requirements for installation and configuration.

Installing the Cisco Secure PIX Firewall adapter

Before installing, see the Tivoli Risk Manager Release Notes for the latest information on software requirements and installation.

The Cisco Secure PIX Firewall sensor must be installed before you install the Cisco Secure PIX Firewall adapter.

The TME adapter for your platform must also be installed. For installation instructions, see the Tivoli Enterprise Console Adapters Guide.

Do not install the adapter on the TEC event server. Instead, distribute the adapter from the TEC event server.

If you distribute the adapter with the profiles that Risk Manager provides, the Adapter Configuration Facility (ACF) must be installed. For details about ACF, see "Configuring and distributing Risk Manager adapters with ACF" on page 49.

Risk Manager Perl Support must be installed on the same system as the one on which the Cisco Secure PIX Firewall TEC tasks run.

The adapter can be installed on a Tivoli endpoint or on a Tivoli managed node in the Tivoli environment.

Note: To configure the Risk Manager adapter for Cisco Secure IDS on a UNIX system, specify the following path for the Risk Manager environment script:

. /etc/Tivoli/rma_eif_env.sh

Configuring the Cisco Secure PIX Firewall adapter

To configure the Cisco Secure PIX Firewall adapter in the Tivoli environment, perform the following tasks.

1. If necessary, edit the format file of the Cisco Secure PIX Firewall adapter. The adapter can be tuned by selectively commenting out entries in this format file.

   UNIX systems: pix.fmt
   Windows systems: pix_nt.fmt

2. Merge the Risk Manager adapter format file with the Tivoli format file and generate the class definition statement (.cds) file, following the procedure in "Merging the Risk Manager and TME adapter format files" on page 47.

   UNIX systems: append the pix.fmt file to the end of the existing tecad_logfile.fmt file.


   Windows systems: append the pix_nt.fmt file to the end of the existing tecad_nt.fmt file.

3. Apply the following file.

   UNIX systems: pix.fmt
   Windows systems: pix_nt.fmt

   If you use ACF, see "Configuring and distributing Risk Manager adapters with ACF" on page 49.

Configuring the Cisco Secure PIX Firewall adapter for the Risk Manager EIF

When you use the Cisco Secure PIX Firewall adapter, it is recommended that you configure the TEC Logfile adapter (or the Windows Event Log adapter) to route the PIX events to the local TCP/IP port provided by the Risk Manager Event Integration Facility. The PIX events are then processed by the Risk Manager EIF summarization engine.

Route the PIX events to the local TCP/IP port as follows.

1. Verify that the non-TME version of the UNIX Logfile adapter, or the non-TME version of the Windows Event Log adapter, is installed.

2. Verify that the Risk Manager EIF is installed.

3. Configure the UNIX Logfile adapter to use the PIX format file pix.fmt, or configure the Windows Event Log adapter to use the pix_nt.fmt format file.

4. Configure the UNIX Logfile adapter to access the Risk Manager EIF, which runs on the same system as the Logfile adapter (or Windows Event Log adapter). To do so, set the following two parameters in the adapter configuration file (tecad_logfile.conf or tecad_win.conf):

ServerLocation=localhost
ServerPort=5529

5. If you use the non-TME version of the Risk Manager EIF, set the following parameters in the EIF configuration file (rmad.conf):

ServerLocation=tecserver (where tecserver is the host name of the TEC server in your environment)
ServerPort=5529 (or 0 if the server is a Unix server)

Note: With the TME version of the Risk Manager EIF, these parameters do not need to be set.

Configuring the Cisco Secure PIX Firewall

After installation and ACF configuration, configure the Cisco Secure PIX Firewall with the following steps.

1. Use the Configure_PIX_Firewall_Logging TEC task to configure how the Cisco Secure PIX Firewall sensor records its events. For details, see "Changing the sensor logging configuration" on page 172.


2. Before using the Cisco Secure PIX Firewall adapter, log on to the sensor and configure the clock setting as follows:

clock set hh:mm:ss month day year

3. If you use the Windows Event Log adapter, edit the configuration file tecad_nt.conf. For details, see "Editing the configuration file" on page 174.

4. Stop and restart the TME adapter so that the configuration changes take effect.

TEC tasks

Note: The TEC tasks for the Cisco Secure PIX Firewall are available only on the AIX and Solaris platforms.

Risk Manager provides the following TEC tasks for the Cisco Secure PIX Firewall:

• Configure_PIX_Firewall_Access changes the sensor access configuration.
• Show_PIX_Firewall_Configuration displays the sensor's configuration information.
• Configure_PIX_Firewall_Logging changes the sensor's logging configuration.

Requirements for the Cisco Secure PIX Firewall TEC tasks

Before running the Cisco Secure PIX Firewall TEC tasks, confirm the following points.

• Risk Manager Perl Support must be installed on the same system as the one on which the Cisco Secure PIX Firewall TEC tasks run. The Risk Manager product CD contains the Perl support needed by the tasks that Risk Manager provides for the Cisco Secure PIX Firewall adapter on AIX and Solaris.

• The TEC administrator must know the sensor's IP address, the sensor's password, and the sensor's enable password. These are needed to obtain the authority to run commands on the sensor. In addition, permission to log in to the sensor's internal interface with telnet from the security network is required; this permission is granted beforehand by the firewall administrator.

• By being the one who discloses these two passwords to the TEC administrator, the firewall administrator keeps ultimate control over the TEC tasks: the firewall administrator can revoke the TEC administrator's firewall capability by changing the passwords. Before handing over the required passwords, the firewall administrator must verify that the TEC administrator fully understands the site's security policy. Ultimately, the firewall administrator retains the ability to log in to the firewall and undo any unwanted commands that the TEC administrator has run through the TEC tasks. The TEC administrator cannot lock out the firewall administrator by changing the passwords.

Security considerations

The configuration commands, including the passwords, travel in clear text from the host that runs the task to the Cisco Secure PIX Firewall sensor. Because the passwords are neither encrypted nor otherwise protected, establish a Virtual Private Network (VPN) tunnel between the host running the TEC tasks and the Cisco Secure PIX Firewall sensor and encrypt the traffic. For details on establishing and encrypting VPN tunnels, see the Configuration Guide for the Cisco Secure PIX Firewall Version 5.1.


Changing the sensor access configuration

This TEC task changes the sensor configuration to block or unblock connections. Before running the TEC task, be sure to install the adapter on the endpoint.

To change the sensor access configuration:

1. On the Tivoli desktop, click the TEC task library titled Tasks for Enterprise Risk Management.

2. Select the Configure_PIX_Firewall_Access TEC task.

3. Set the parameters for the task. The parameters you can set are as follows.

IP address
   Specifies the IP address of the Cisco Secure PIX Firewall sensor whose access configuration you want to change. This parameter is required.

Telnet password
   Specifies the telnet password that grants access to the Cisco Secure PIX Firewall sensor. This parameter is required.

Configuration (enable) password
   Specifies the enable password that grants permission to change the configuration of the Cisco Secure PIX Firewall sensor. This parameter is required.

Action
   This parameter is required. Specify one of the following sensor actions:

   • Add a new deny
   • Remove an existing deny
     The remaining parameters must exactly match the parameters of the deny that was added earlier.
   • Show the current Cisco Secure PIX Firewall access configuration
     This parameter displays the access lists, access groups, and crypto maps of the Cisco Secure PIX Firewall. These can be used to identify a valid access list for the actions above.

   The default is to add a new deny. This parameter is required.

Access list
   Specifies the access list of the Cisco Secure PIX Firewall sensor in which the deny is added or removed.
   If the access list already exists, specify Show access and use this parameter to select a valid access list.
   If the access list does not exist, a new access list is created, but it is not bound to an interface or crypto map. The binding must be done manually on the Cisco Secure PIX Firewall sensor; until the binding is complete, no traffic is denied.
   This parameter is required.


Protocol
   Specifies the IP protocol of the deny action. You can specify an IP protocol number supported by the Cisco Secure PIX Firewall sensor (for example, 6) or an IP protocol literal name (for example, tcp).
   If this parameter is left blank, the IP protocols (TCP, UDP, ICMP) are denied.
   This parameter is optional.

Source IP address
   Specifies the source IP address of the deny action.
   This parameter can be specified as a single host or, when the source IP address mask parameter is used, as a subnetwork.
   To deny packets sent in both directions for a particular IP address, run this task twice and add two separate deny rules to the access configuration of the Cisco Secure PIX Firewall sensor.
   If this parameter is left blank, packets from all source IP addresses to the destination IP address are denied.
   This parameter is optional.

Source IP address mask
   Specifies the source IP address mask of the deny action.
   To deny an entire subnetwork as a single source, specify the IP address mask of the subnetwork (for example, 255.255.255.240).
   If this parameter is left blank and the source IP address parameter is specified, the source IP address is treated as a single host.
   This parameter is optional.

Destination IP address
   Specifies the destination IP address of the deny action.
   The destination IP address can be specified as a single host or, when the destination IP address mask parameter is used, as a subnetwork.
   To deny packets sent in both directions for a particular IP address, run this task twice and add two separate deny rules to the access configuration of the Cisco Secure PIX Firewall sensor.
   If this parameter is left blank, packets from the source IP address to all destination IP addresses are denied. This parameter is optional.

Destination port
   Specifies the destination port of the deny action.
   The source port of a deny action cannot be specified.
   You can specify a port number supported by the Cisco Secure PIX Firewall sensor (for example, 80) or a port literal name (for example, www).
   This parameter is optional.


Showing the sensor configuration

Use this TEC task to display the current configuration of the sensor. With this task you can verify whether the site's security policy has been implemented correctly. Before running the TEC task, be sure to install the adapter on the endpoint.

1. On the Tivoli desktop, click the TEC task library titled Tasks for Enterprise Risk Management.

2. Click Show_PIX_Firewall_Configuration.

3. Set the parameters for the task. All of the following parameters are required.

IP address
   Specifies the IP address of the Cisco Secure PIX Firewall sensor whose configuration you want to display.

Telnet password
   The telnet password that grants access to the Cisco Secure PIX Firewall sensor.

Configuration (enable) password
   The enable password that grants permission to change the configuration of the Cisco Secure PIX Firewall sensor.

Show configuration
   Select Yes to display the current configuration of the Cisco Secure PIX Firewall sensor. The output includes the version, configuration, memory blocks, interfaces, processes, and failover.

Show connections
   Click Yes to display the current active connections on the Cisco Secure PIX Firewall sensor.

Show user authentications
   Select Yes to display the current user authentications and authorizations on the Cisco Secure PIX Firewall sensor.

Show telnets
   Select Yes to display the current telnet sessions to the Cisco Secure PIX Firewall sensor (not the sessions passing through the sensor). This list consists of the Cisco Secure PIX Firewall administrators who are logged in, and it includes the telnet session of this TEC task itself.

Changing the sensor logging configuration

With this TEC task you can change the sensor's logging configuration so that the firewall acts as a new Risk Manager sensor. Before running the TEC task, be sure to install the adapter on the endpoint.

To configure Cisco Secure PIX Firewall logging:

1. On the Tivoli desktop, click the TEC task library titled Tasks for Enterprise Risk Management.

2. Select Configure_PIX_Firewall_Logging.

3. Set the parameters for the task. The parameters are as follows.


IP address
   Specifies the IP address of the Cisco Secure PIX Firewall sensor whose logging configuration you want to change. This parameter is required.

Telnet password
   Specifies the telnet password that grants access to the Cisco Secure PIX Firewall sensor. This parameter is required.

Configuration (enable) password
   Specifies the enable password that grants permission to change the configuration of the Cisco Secure PIX Firewall sensor. This parameter is required.

Logging host interface name
   Specifies the name of the interface that the Cisco Secure PIX Firewall uses for the log server. The Cisco Secure PIX Firewall adapter monitors the log server's messages and forwards them to the event server. The default is inside. This parameter is optional.

Logging host IP address
   Specifies the IP address of the log server that the Cisco Secure PIX Firewall adapter monitors. This parameter is optional.

Logging trap level
   Specifies the level of the log messages that are sent to the log server and then forwarded by the Cisco Secure PIX Firewall adapter to the event server. The value is entered as a string (for example, errors) or as an integer (for example, 3). The default is errors. This parameter is optional.

Logging facility
   Specifies the syslog facility number sent with the log messages. The default is 20, which means that the level for sending log messages to the LOCAL4 facility is 20. This parameter is optional.

Logging enabled
   Selecting Yes enables logging on the Cisco Secure PIX Firewall sensor. Selecting No disables logging: no log messages are sent to the log server, and none are forwarded to the event server by the Cisco Secure PIX Firewall adapter. The default is Yes. This parameter is required.

Managing the Cisco Secure PIX Firewall

The Cisco Secure PIX Firewall adapter lets you perform the following tasks.


Configuring sensor logging manually

Instead of using the TEC task shipped with Risk Manager, you can configure the Cisco Secure PIX Firewall manually to send its log messages to the TME adapter. The TME adapter is either the Tivoli Logfile adapter (syslogd) running on a UNIX machine, or a Windows NT machine running the Cisco PIX Firewall Server (PFSS).

The Cisco Secure PIX Firewall must be configured so that logging can take place. Have the log messages sent to the host that runs the Tivoli Logfile adapter extended by Risk Manager.

The Cisco Secure PIX Firewall configuration commands and their descriptions are as follows.

logging on
   Starts sending log messages to the logging host.

logging host [if_name] ip_addr
   Specifies the host to which log messages are sent. Set it to the host on which the TME adapter or the Cisco Secure PIX Firewall adapter runs.

logging trap level
   To have the Cisco Secure PIX Firewall adapter forward events from severity 3 (error) down to severity 0 (emergency), set level to 3.

logging facility facility
   Specifies the syslog server facility that receives the log messages. To send log messages to the LOCAL4 facility, specify the level 20.

timestamp logging
   Specifies that each log message sent carries a timestamp value. If you issue this command, you must also issue the clock set command.

no logging message log_id
   Suppresses a particular log message on the Cisco Secure PIX Firewall. To suppress %PIX-6-302010, specify 302010 as log_id. This command is optional.

clock set hh:mm:ss month day year
   The clock setting of the Cisco Secure PIX Firewall accepts the month and the day in either order, but the Cisco Secure PIX Firewall adapter sets the month before the day.

Editing the configuration file

If you use the Windows Event Log adapter, edit the tecad_nt.conf file and add the following line. Enter all of the text on a single line in the file; it is split over several lines here only to fit the page width.

LogSources=pfss_install_dir\monday.log,pfss_install_dir\tuesday.log,pfss_install_dir\wednesday.log,pfss_install_dir\thursday.log,pfss_install_dir\friday.log,pfss_install_dir\saturday.log,pfss_install_dir\sunday.log

Then add the following line on a separate line:

PollInterval=1


Creating the task library

The task library should be created automatically when the Cisco Secure PIX Firewall adapter is installed. However, you can also create the task library in a Tivoli policy region with the Tivoli wtll command.

To create the task library manually, run the wtll command and specify the policy region in which the tasks are created.

Windows systems:

wtll -r -p TEC-Region -P $CPP_LOCATION%BINDIR$\RISKMGR\corr\tasks\rmt_tasks.tll -P

UNIX systems:

wtll -r -p TEC-Region -P $CPP_LOCATION$BINDIR/RISKMGR/corr/tasks/rmt_tasks.tll -P

Here CPP_LOCATION and BINDIR are variables holding the actual paths to the cpp preprocessor and to the directory that contains the respective event server binaries. In addition, the .dsl file must be in the same directory as the .tll file.

Install the cpp program at the following location (or provide a soft link to it):

/usr/ccs/lib/cpp

Alternatively, add the directory that contains the cpp command to the system PATH environment variable.


Check Point FireWall-1 adapter

This chapter covers the following topics:

• "Overview of the Check Point FireWall-1 adapter"
• "Installing and configuring the Check Point FireWall-1 adapter" on page 179
• "Managing the Check Point FireWall-1 adapter" on page 185

For the Check Point FireWall-1 messages, see "Check Point FireWall-1 messages" on page 254.

The terminology used in the description of the Check Point FireWall-1 adapter is the terminology of the Check Point FireWall-1 product.

For details about the Check Point Software Technologies OPSEC SDK, see the following web sites:

http://www.checkpoint.com/opsec/cp_products/opsec_sdk.html or
http://www.checkpoint.com/opsecsdk

Overview of the Check Point FireWall-1 adapter

Risk Manager includes an adapter for Check Point FireWall-1. This adapter maps the firewall intrusion alarms generated by the Check Point FireWall-1 product to events that are forwarded to the event server.

A firewall is designed not only to raise alerts about intrusions but also to help protect the internal network. A firewall reports firewall-related events in several distinct categories. Firewall-related events include the following:

• Authentication failures
• Authorization failures
• Connection refusals
• Network Address Translation (NAT)/Port Address Translation (PAT) violations

The Check Point FireWall-1 adapter uses the Check Point Open Platform for Secure Enterprise Connectivity (OPSEC) server and the Event Logging API (LEA) to generate the firewall alerts.

The Check Point FireWall-1 adapter uses the Risk Manager Event Integration Facility (EIF) either to forward events to the event server for correlation, or to forward them to the Tivoli Enterprise Console (TEC) system log adapter.


The Check Point FireWall-1 adapter sends the firewall events read by the sensor to the event console, where the Risk Manager administrator can view them.

Product overview

Thanks to the capabilities of Check Point FireWall-1, active connections that pass through Check Point FireWall-1 are not disrupted by the effects of network or gateway changes.

The Check Point FireWall-1 product does the following:

• Retrieves real-time and historical log information from VPN-1/FireWall-1 in a secure manner.
• Analyzes and reports security events.
• Integrates with enterprise event management systems such as Risk Manager.

Firewall LEA connections

The firewall security policy needs a rule that accepts the FW1_lea connection. You can connect to VPN-1/FireWall-1 with any of the following connection types:

• Clear connection
• Authenticated connection
• Connection encrypted with Secure Sockets Layer (SSL)

Firewall event classes

Risk Manager has its own classification of firewall events, which it loads into the event server automatically. This classification covers not only actual reports of firewall intrusions but also the other reports produced by the firewall software.

Risk Manager provides the generic firewall event classes in the cpfw.baroc file, which is installed together with the Tivoli Risk Manager Server package.

Other applications or firewall products can also use these Risk Manager firewall event classes to send alerts to Risk Manager.

Firewall events

Intrusion-related events are related to the security policy applied to the firewall. The firewall security policy contains what the firewall has been configured to permit or deny; the firewall administrator can change it. The Risk Manager adapter for Check Point FireWall-1 generates the following types of firewall events.

Control event: CPFW_Control


User authentication events:
CPFW_Auth_Deny
CPFW_Auth_Permit

Internet Control Message Protocol (ICMP) events:
CPFW_ICMP_Deny
CPFW_ICMP_Permit

Service events:
CPFW_Service_Deny
CPFW_Service_Permit
CPFW_FTP_Deny
CPFW_FTP_Permit
CPFW_HTTP_Deny
CPFW_HTTP_Permit
CPFW_Telnet_Deny
CPFW_Telnet_Permit
CPFW_Login_Deny
CPFW_Login_Permit

Mapping Check Point FireWall-1 alarms to Risk Manager events

By default, Risk Manager maps Check Point FireWall-1 alarms to Risk Manager events whose severity attribute is WARNING, and control information to Risk Manager events whose severity attribute is HARMLESS. This setting can be changed in the cpfw.baroc file.

Installing and configuring the Check Point FireWall-1 adapter

This section describes how to install and configure the Check Point FireWall-1 adapter.

Before installing the Check Point FireWall-1 adapter, install the Check Point FireWall-1 product. For the installation procedure of the Check Point FireWall-1 adapter, see "Installing Risk Manager" on page 33.

Configuring Check Point FireWall-1

This section describes the files you edit during configuration.

Note: To configure the Risk Manager adapter for Check Point FireWall-1 on a UNIX system, specify the following path for the Risk Manager environment script:

. /etc/Tivoli/rma_eif_env.sh

Configuring the Check Point FireWall-1 adapter for the Risk Manager EIF

In its default configuration, the Check Point FireWall-1 adapter sends events to the Risk Manager EIF. The Risk Manager EIF sends the adapter's events to the Risk Manager Server.


To map the adapter's events correctly to Risk Manager TEC events, you must customize the Risk Manager EIF to use the format file of the Check Point FireWall-1 adapter.

To configure the Risk Manager EIF to map Check Point FireWall-1 events, append the cpfw.fmt file to the end of the Risk Manager EIF rmad.fmt format file, then use the extended rmad.fmt file to build the class definition statement (.cds) file. To build the rmad.cds file:

1. Append csids.fmt to the end of the rmad.fmt file.

Windows systems:

cat cpfw.fmt >> rmad.fmt

UNIX systems:

cat cpfw.fmt >> rmad.fmt

The Risk Manager EIF uses cpfw.fmt on both Windows and Unix systems.

2. Run the riskmgr_gencds command to regenerate the .cds file.

riskmgr_gencds rmad.fmt >rmad.cds

3. Redistribute the generated rmad.cds file to the systems on which the Check Point FireWall-1 adapter is installed.

For how to configure the rmad.cds file for use with Check Point FireWall-1 through the Adapter Configuration Facility, see "Configuring and distributing Risk Manager adapters with ACF" on page 49.

Configuration files

The configuration files related to the Check Point FireWall-1 adapter are the following:

• Check Point FireWall-1 server configuration file
• Risk Manager adapter configuration file for Check Point FireWall-1

Check Point FireWall-1 server configuration file

The Check Point fwopsec.conf configuration file defines the firewall server configuration that determines how Check Point VPN-1/FireWall-1 communicates with other OPSEC applications.

The fwopsec.conf file is in the $FWDIR/conf/ directory of the machine that runs the firewall software. FWDIR is the directory in which the firewall software is installed.

Check Point FireWall-1 adapter configuration file

The rma_cpfw.conf configuration file of the Check Point FireWall-1 adapter specifies the following values by default:

lea_server ip 127.0.0.1
lea_server auth_port 18184
lea_server auth_type ssl_opsec
lea_server auth_type auth_opsec


This configuration file must be modified. How you modify it depends on how the fwopsec.conf firewall server configuration file is modified. For a detailed description of the configuration, see "Configuring Check Point FireWall-1" on page 179.

To configure Check Point FireWall-1 and the Check Point FireWall-1 adapter:

1. Configure Check Point FireWall-1 as an OPSEC server. See "Configuring Check Point FireWall-1 as an OPSEC server".

2. Configure the OPSEC client. See "Configuring the Check Point adapter as an OPSEC client" on page 182.

3. Configure the SAM server. See "Configuring the SAM server" on page 183.

4. Connect the Check Point FireWall-1 adapter to the OPSEC server. See "Connecting the Check Point adapter to the OPSEC server" on page 183.

5. Using the Check Point Policy Editor, do the following:

   • Include in the firewall security policy a rule that accepts the FW1_lea connection.
   • Enable Network Address Translation (NAT).

   For the procedure, see the security policy rule base and NAT sections of the Check Point VPN-1/Firewall-1 Administration Guide.

In a Tivoli managed environment, also follow the procedure in "Installing Risk Manager components by desktop installation" on page 39.

Configuring Check Point FireWall-1 as an OPSEC server

Before you begin, see the Check Point VPN-1/FireWall-1 Administration Guide.

To configure FireWall-1 as an OPSEC server, modify the fwopsec.conf configuration file.

After modifying the fwopsec.conf file, you must stop and start the OPSEC server for the change to take effect.

In the rma_cpfw file of the Risk Manager adapter for Check Point FireWall-1, the server name is lea_server.

For example, to communicate with the LEA client on port 18184 and to authenticate and encrypt the connection between the server and the client, enter the following:

lea_server auth_port 18184
lea_server auth_type ssl_opsec

To define the connection with the OPSEC client in fwopsec.conf, use one of the following formats, depending on the type of connection you want.

For a clear connection, enter:

lea_server port port_number


For an authenticated connection, enter:

lea_server auth_port port_number
lea_server auth_type auth_opsec

For an authenticated and encrypted connection, enter:

lea_server auth_port port_number
lea_server auth_type ssl_opsec

Configuring the Check Point adapter as an OPSEC client

To configure OPSEC as a client with the rma_cpfw.conf configuration file of the Risk Manager application:

1. Define the client connection to the OPSEC server in the configuration file, entered as follows.

Windows NT systems:

%RMADHOME%\RISKMGR\adapters\etc\rma_cpfw.conf

UNIX systems:

$RMADHOME/RISKMGR/adapters/etc/rma_cpfw.conf

2. If the server is on the same computer as the OPSEC server, specify the loopback interface, 127.0.0.1.

3. Enter one of the following commands.

For a clear connection, enter:

lea_server ip ip_address
lea_server port port_number

For an authenticated connection, enter:

lea_server ip ip_address
lea_server auth_port port_number
lea_server auth_type auth_opsec

For an encrypted connection, enter:

lea_server ip ip_address
lea_server auth_port port_number
lea_server auth_type ssl_opsec

Example:

To communicate with the LEA server at IP address 143.193.22.5 on port 18184 over a clear connection (neither authenticated nor encrypted), enter:

lea_server ip 143.193.22.5
lea_server port 18184

To communicate with the LEA server at IP address 143.193.22.5 on port 18184 over an authenticated connection that is not encrypted, enter:

lea_server ip 143.193.22.5
lea_server auth_port 18184
lea_server auth_type auth_opsec


To communicate with the LEA server at IP address 143.193.22.5 on port 18184 over an authenticated, SSL-encrypted connection, enter:

lea_server ip 143.193.22.5
lea_server auth_port 18184
lea_server auth_type ssl_opsec
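As an added example (not the adapter's own code), the following Python checker parses an rma_cpfw.conf fragment and decides which of the three lea_server connection forms described above it expresses, flagging the shipped default, which carries two conflicting auth_type lines. It assumes the file consists of whitespace-separated "<server> <key> <value>" lines and that "#" starts a comment.

```python
from typing import Dict, List, Tuple

VALID_AUTH_TYPES = {"auth_opsec", "ssl_opsec"}

# Default rma_cpfw.conf contents as shipped (quoted from the guide).
DEFAULT_RMA_CPFW_CONF = """\
lea_server ip 127.0.0.1
lea_server auth_port 18184
lea_server auth_type ssl_opsec
lea_server auth_type auth_opsec
"""

# The clear and SSL examples from the guide; SSL_CONF also carries the
# sam_server lines shown in the SAM server section.
CLEAR_CONF = "lea_server ip 143.193.22.5\nlea_server port 18184\n"
SSL_CONF = ("lea_server ip 143.193.22.5\nlea_server auth_port 18184\n"
            "lea_server auth_type ssl_opsec\n"
            "sam_server ip 127.0.0.1\nsam_server auth_port 18183\n"
            "sam_server auth_type auth_opsec\n")


def parse_rma_cpfw_conf(text: str) -> Dict[str, List[Tuple[str, str]]]:
    """Group '<server> <key> <value>' lines by server name, keeping every
    occurrence so that repeated keys can be reported."""
    entries: Dict[str, List[Tuple[str, str]]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # assumption: '#' begins a comment
        if not line:
            continue
        parts = line.split()
        if len(parts) != 3:
            raise ValueError(f"malformed line: {raw!r}")
        server, key, value = parts
        entries.setdefault(server, []).append((key, value))
    return entries


def classify_lea_connection(entries: Dict[str, List[Tuple[str, str]]]) -> Tuple[str, List[str]]:
    """Return (connection_type, problems) for the lea_server section.
    connection_type is 'clear', 'authenticated', 'ssl' or 'invalid'."""
    problems: List[str] = []
    values: Dict[str, List[str]] = {}
    for key, value in entries.get("lea_server", []):
        values.setdefault(key, []).append(value)

    for key, seen in values.items():
        if len(seen) > 1:
            problems.append(f"lea_server {key} is set {len(seen)} times: {seen}")
    if "ip" not in values:
        problems.append("lea_server ip is missing (127.0.0.1 when the OPSEC server is local)")
    auth_types = values.get("auth_type", [])
    for auth_type in auth_types:
        if auth_type not in VALID_AUTH_TYPES:
            problems.append(f"unknown auth_type {auth_type!r}")
    has_port, has_auth_port = "port" in values, "auth_port" in values
    if has_port and has_auth_port:
        problems.append("both port and auth_port are set; choose one connection form")

    # Exactly one of the three documented forms must be present:
    # clear = port only; authenticated = auth_port + auth_opsec; ssl = auth_port + ssl_opsec.
    if has_port and not has_auth_port and not auth_types:
        ctype = "clear"
    elif has_auth_port and not has_port and auth_types == ["auth_opsec"]:
        ctype = "authenticated"
    elif has_auth_port and not has_port and auth_types == ["ssl_opsec"]:
        ctype = "ssl"
    else:
        ctype = "invalid"
        if not problems:
            problems.append("keys do not match the clear, authenticated or ssl form")
    return ctype, problems


def check_conf(text: str) -> Tuple[str, List[str]]:
    return classify_lea_connection(parse_rma_cpfw_conf(text))


if __name__ == "__main__":
    for name, conf in (("default", DEFAULT_RMA_CPFW_CONF), ("clear", CLEAR_CONF), ("ssl", SSL_CONF)):
        print(name, check_conf(conf))
```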

Configuring the SAM server

To use the Check Point FireWall-1 tasks, the SAM server must be configured. The following TEC tasks are related to the Check Point FireWall-1 adapter and are included with Risk Manager:

• CheckPoint_FW-1_by_IP_Address
• CheckPoint_FW-1_by_Source_and_Destination

These tasks use the OPSEC Suspicious Activity Monitoring (SAM) API by sending client requests to the SAM server.

For details on configuring the SAM server, see the OPSEC documentation. After configuring the SAM server, copy the SAM server configuration information into the following file.

Windows NT systems:

%RMADHOME%\etc\rma_cpfw.conf

Solaris systems:

$RMADHOME/etc/rma_cpfw.conf

For example:

sam_server ip 127.0.0.1
sam_server auth_port 18183
sam_server auth_type auth_opsec

Connecting the Check Point adapter to the OPSEC server

To define the authentication key, the OPSEC application must be run first on the server and then on the client.

Risk Manager includes the opsec_putkey program, used with the Risk Manager adapter for the Check Point FireWall-1 distribution package. Risk Manager installs this file in the following location.

Windows systems:

%RMADHOME%\bin

UNIX systems:

$RMADHOME/bin

Suppose there are two machines, machine1 and machine2. The first machine (machine1) runs the firewall daemon. The other machine (machine2) runs the Risk Manager CheckPoint FireWall-1 adapter. The firewall daemon and the Risk Manager CheckPoint FireWall-1 adapter can also both run on the same machine.

1. On the Check Point FireWall-1 server, enter one of the following commands.


For an authenticated connection, enter:

fw putkey -opsec machine2

For an SSL connection, enter:

fw putkey -opsec -ssl machine2

2. When prompted for the authentication key information, enter it. The key is at least 6 characters long.

3. Enter one of the following commands to configure the second server or client (machine2).

For an authenticated connection, enter:

opsec_putkey machine1

For an encrypted connection, enter:

opsec_putkey -ssl machine1

4. When prompted for the authentication key information, enter the same information you entered in step 2. The same key that was used on the server or client machine1 must also be used on the server or client machine2.

The Check Point sensor stores the key information in the authkeys.C file, which is in the $OPSECDIR directory.

Windows systems:

%RMADHOME%\etc

UNIX systems:

$RMADHOME/etc

5. To configure three or more servers or clients (machine3...machineN), repeat the procedure used for machine2, but use a separate authentication key for each pair of connected machines.

For example, if machine1 communicates with both machine2 and machine3, use one key for the connection between machine1 and machine2 and a different key for the connection between machine1 and machine3.

When the configuration is complete, start the adapter with the Risk Manager TEC task. For details, see "Starting on Windows NT" on page 186 or "Starting on Solaris" on page 186.

Interception and processing of Check Point FireWall-1 alarms by Risk Manager

A defined Check Point FireWall-1 policy includes a setting that specifies the processing performed when the policy is triggered. This setting is called the track.

The supported tracks, and whether each is treated as an alarm, are as follows.


Table 18. Tracks supported by Check Point FireWall-1

Track      Intercepted and alerted
Long       No
Short      No
Account    No
Alert      Yes
Mail       Yes
SNMP       Yes
User       Yes

Alert"Mail"SNMP"^?O User K]j7<r_j9kH"3l, Risk Manager 5<P<

Khj$s?<;WH5lh}5l^9# Long"Short"*hS Account HiC/O"$s?

<;WH5l:h}OTol^;s#

?@7 Alert"Mail"SNMP"*hS User HiC/Om0Kq-~^l" Check Point m

0&Se<"<Khj=(9k3H,G-^9#

GU)kHrQ99kKO"!Nh&K7^9#

1. Check Point FireWall-1 Policy Editor rHQ7F"U!$"&)<k&k<k&Y<9NH

iC-s0psr Alert"Mail"SNMP Trap"^?O UserDefined KQ97^9#

Short"Long"^?O Account K_j9kH"5k5lh}5l^;s#

2. U!$"&)<k&^7sKk<k&Y<9rFBTMj7^9#

Operating the Check Point FireWall-1 adapter

This section describes the TEC tasks and the manual commands used to operate the adapter.

TEC tasks

TEC tasks let you respond to detected risks. Do not overreact to the risks detected when responding to an attack: in responding to an attack you might, for example, accidentally shut down all of the packet filter rules. Keep a response measured enough that an intruder cannot use it to make you defeat your own security policy. By monitoring the Risk Manager firewall events, you can refine the security policy over time.

You can manage firewall events with the tasks in the Risk Manager task library.

Risk Manager includes a task library called Tasks for Enterprise Risk Management. Risk Manager installs this task library in the default TEC policy region, TEC-Region.

Risk Manager provides the following TEC tasks for the Check Point FireWall-1 adapter:

- Start_CheckPoint_FW-1_Adapter_on_Windows_NT
- Start_CheckPoint_FW-1_Adapter_on_Solaris
- Start_CheckPoint_FW-1_Adapter_on_Linux
- CheckPoint_FW-1_by_IP_Address
- CheckPoint_FW-1_by_Source_and_Destination
- Stop_CheckPoint_FW-1_Adapter_on_Windows_NT
- Stop_CheckPoint_FW-1_Adapter_on_Solaris
- Stop_CheckPoint_FW-1_Adapter_on_Linux

TEC task prerequisites

Confirm that the Check Point FireWall-1 adapter is installed and that the endpoint on which the task will run has been configured.

Starting on Windows NT

To start the Check Point FireWall-1 adapter:

1. Before starting the Check Point FireWall-1 adapter, purge the existing Check Point FireWall-1 logfile entries. In the Check Point FireWall-1 Log Viewer, click File, then Purge.

2. On the Tivoli desktop, double-click the TEC task library titled Tasks for Enterprise Risk Management.

3. Click the Start_CheckPoint_FW-1_Adapter_on_Windows_NT TEC task to start the Risk Manager adapter.

Starting on Solaris

To start the Check Point FireWall-1 adapter:

1. Before starting the Check Point FireWall-1 adapter, purge the existing Check Point FireWall-1 logfile entries. In the Check Point FireWall-1 Log Viewer, click File, then Purge.

2. On the Tivoli desktop, double-click the TEC task library titled Tasks for Enterprise Risk Management.

3. Click Start_CheckPoint_FW-1_Adapter_on_Solaris to start the Risk Manager adapter.

Starting on Linux

To start the Check Point FireWall-1 adapter:

1. Before starting the Check Point FireWall-1 adapter, purge the existing Check Point FireWall-1 logfile entries. In the Check Point FireWall-1 Log Viewer, click File, then Purge.

2. On the Tivoli desktop, double-click the TEC task library titled Tasks for Enterprise Risk Management.

3. Click Start_CheckPoint_FW-1_Adapter_on_Linux to start the Risk Manager adapter.

By IP address

To send a SAM client request to the SAM server:

1. On the Tivoli desktop, double-click the TEC task library titled Tasks for Enterprise Risk Management.

2. Click CheckPoint_FW-1_by_IP_Address.

3. Select the action to run; each corresponds to an OPSEC SAM server action.

Note: To request the OPSEC SAM server NOTIFY action, use the "Watch" parameter.

Running the CheckPoint_FW-1_by_IP_Address task starts the selected SAM action for a particular IP address. You can specify whether that IP address is the source of the connection, its destination, or either the source or the destination.

The IP protocols are:

1: ICMP (Internet Control Message Protocol)
2: IGMP (Internet Group Management Protocol)
3: GGP (Gateway-to-Gateway Protocol; not in use)
6: TCP (Transmission Control Protocol)
12: PUP
17: UDP (User Datagram Protocol)
22: IDP (Internet Datagram Protocol)
77: Sun Net Disk Protocol
255: any IP packet

4. If required, select one of the following log options to specify whether the action is logged and whether it raises an alert:

Short log, alert
Short log, no alert
Long log, alert
Long log, no alert
No log, no alert

5. Set the following items for the firewall host machine:

Time until this action expires, in seconds: the default is 0. Zero means that the action never expires.

IP address type: one of Source, Destination, or Source or Destination.

IP address: the default is 0.0.0.0.

6. Click Set & Execute to start sending the SAM client request to the SAM server.

By source and destination

To send a SAM client request to the SAM server:

1. On the Tivoli desktop, double-click the TEC task library titled Tasks for Enterprise Risk Management.

2. Click CheckPoint_FW-1_by_Source_and_Destination.

3. Select the action to run; each corresponds to an OPSEC SAM server action.

Note: To request the OPSEC SAM server NOTIFY action, use the "Watch" parameter.

SAM server action   TEC task action name   Action
WATCH               Watch                  All connections involving IPaddr are logged at the specified log level.
INHIBIT             Inhibit                All connections involving IPaddr are blocked and logged at the specified log level.
INHIBITCLOSE        Inhibit and close      Same as "Inhibit", except that any existing connections involving IPaddr are closed. The parameters of this action/task must be identical to those of the task that later cancels it (timeout excepted).
CANCELWATCH         Cancel watch           Cancels the effect of a particular "Watch" or "Notify" action.
CANCELINHIBIT       Cancel inhibit         Cancels the effect of an "Inhibit" or "Inhibit and close" action. Connections closed by "Inhibit and close" are not reopened. The parameters of this task must be identical to those of the task being cancelled (timeout excepted).
CANCELALL           Cancel all             Cancels all previous actions.

4. Select one of the following log options to specify whether the action is logged and whether it raises an alert:

Short log, alert
Short log, no alert
Long log, alert
Long log, no alert
No log, no alert

5. If required, set the following items for the firewall host machine:

Time until this action expires: enter a value from 0 to 300 seconds. The default is 0; zero means that the action never expires.

Source IP address: the default is 0.0.0.0.

Destination IP address: the default is 0.0.0.0.

Destination port to which this TEC task applies: the default is 8080.

IP protocol: the default is TCP. You can select TCP, ICMP, IGMP, GGP, PUP, UDP, IDP, Net Disk Protocol, or any IP packet.

6. Click Set & Execute to start sending the SAM client request to the SAM server.
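The two tasks above share one set of rules that is easy to get wrong from the Tivoli desktop: the timeout range, the default 0.0.0.0 address, and the requirement that a cancel carries exactly the parameters of the request it cancels (timeout excepted). The following model of those rules is an added example, not Risk Manager or OPSEC code; the field names, the "either" address type, and the guard that refuses an Inhibit with no address at all are this example's own choices, and the SAM action names and defaults come from the task descriptions above.

```python
"""Model of the SAM requests issued by the CheckPoint_FW-1_by_IP_Address and
CheckPoint_FW-1_by_Source_and_Destination tasks (constructed, not product code)."""
from dataclasses import dataclass, replace
import ipaddress

# IP protocol numbers offered by the tasks (ND = Sun Net Disk Protocol, ANY = any IP packet).
IP_PROTOCOLS = {"ICMP": 1, "IGMP": 2, "GGP": 3, "TCP": 6, "PUP": 12,
                "UDP": 17, "IDP": 22, "ND": 77, "ANY": 255}
LOG_OPTIONS = {"short_alert", "short_noalert", "long_alert", "long_noalert", "nolog"}
MAX_TIMEOUT = 300                       # seconds; 0 means the action never expires
# Which active actions each cancel applies to, from the action table above.
CANCELS = {"CANCELWATCH": {"WATCH"}, "CANCELINHIBIT": {"INHIBIT", "INHIBITCLOSE"}}
ACTIONS = {"WATCH", "INHIBIT", "INHIBITCLOSE", "CANCELALL", *CANCELS}
UNSPECIFIED = "0.0.0.0"                 # the tasks' default for an address field


@dataclass(frozen=True)
class SamRequest:
    action: str
    src: str = UNSPECIFIED
    dst: str = UNSPECIFIED
    either_side: bool = False   # by_IP_Address "Source or Destination": src may match either end
    dport: int = 0              # 0 = any port (by_Source_and_Destination defaults to 8080)
    proto: str = "ANY"
    log: str = "short_alert"
    timeout: int = 0


def validate(req: SamRequest) -> list:
    """Return the problems that should stop this request from being sent."""
    problems = []
    if req.action not in ACTIONS:
        problems.append(f"unknown action {req.action!r}")
    if req.log not in LOG_OPTIONS:
        problems.append(f"unknown log option {req.log!r}")
    if not 0 <= req.timeout <= MAX_TIMEOUT:
        problems.append(f"timeout {req.timeout} outside 0..{MAX_TIMEOUT}")
    for name, addr in (("src", req.src), ("dst", req.dst)):
        try:
            ipaddress.IPv4Address(addr)
        except ValueError:
            problems.append(f"{name} {addr!r} is not an IPv4 address")
    if not 0 <= req.dport <= 65535:
        problems.append(f"port {req.dport} out of range")
    if req.proto not in IP_PROTOCOLS:
        problems.append(f"unknown protocol {req.proto!r}")
    # Added guard, not a task rule: an Inhibit with both addresses left at 0.0.0.0
    # would block every connection, the over-reaction the guide warns against.
    if req.action in ("INHIBIT", "INHIBITCLOSE") and req.src == req.dst == UNSPECIFIED:
        problems.append("inhibit without any address would block all traffic")
    return problems


def by_ip_address(action, ip, ip_type="source", log="short_alert", timeout=0):
    """Request as built by CheckPoint_FW-1_by_IP_Address (ip_type: source|destination|either)."""
    src = ip if ip_type in ("source", "either") else UNSPECIFIED
    dst = ip if ip_type == "destination" else UNSPECIFIED
    return SamRequest(action, src, dst, either_side=(ip_type == "either"), log=log, timeout=timeout)


def by_source_and_destination(action, src, dst, dport=8080, proto="TCP", log="short_alert", timeout=0):
    """Request as built by CheckPoint_FW-1_by_Source_and_Destination (defaults: port 8080, TCP)."""
    return SamRequest(action, src, dst, dport=dport, proto=proto, log=log, timeout=timeout)


def matching_cancel(active: SamRequest) -> SamRequest:
    """The cancel that undoes active: identical parameters, timeout not compared."""
    kind = {"WATCH": "CANCELWATCH", "INHIBIT": "CANCELINHIBIT",
            "INHIBITCLOSE": "CANCELINHIBIT"}[active.action]
    return replace(active, action=kind, timeout=0)


def cancels(cancel: SamRequest, active: SamRequest) -> bool:
    """True if cancel would remove active on the SAM server."""
    if cancel.action == "CANCELALL":
        return True
    if active.action not in CANCELS.get(cancel.action, ()):
        return False
    # Everything except action and timeout must equal the request being cancelled.
    return replace(cancel, action=active.action, timeout=active.timeout) == active


def still_active(req: SamRequest, issued_at: float, now: float) -> bool:
    """Whether req is still in force; a timeout of 0 never expires."""
    return req.timeout == 0 or now < issued_at + req.timeout
```

Run `validate()` on a request before issuing it and derive every cancel with `matching_cancel()` from the request you recorded when it was issued; a cancel typed by hand that differs in any field other than the timeout will be ignored by the server, which is the failure mode the table's "parameters must be identical" notes describe.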

Stopping on Windows NT

To stop the Check Point FireWall-1 adapter on Windows NT:

1. On the Tivoli desktop, double-click the TEC task library titled Tasks for Enterprise Risk Management.

2. Click Stop_CheckPoint_Firewall_Adapter_on_Windows_NT to stop the adapter.

3. Before restarting the Check Point FireWall-1 adapter, purge the existing Check Point FireWall-1 logfile entries. In the Check Point FireWall-1 Log Viewer, click File, then Purge.

Stopping on Solaris

To stop the Check Point FireWall-1 adapter on Solaris using the TEC tasks provided with Risk Manager:

1. On the Tivoli desktop, double-click the TEC task library titled Tasks for Enterprise Risk Management.

2. Click Stop_CheckPoint_Firewall_Adapter_on_Solaris to stop the adapter.

3. Before restarting the Check Point FireWall-1 adapter, purge the existing Check Point FireWall-1 logfile entries. In the Check Point FireWall-1 Log Viewer, click File, then Purge.

Stopping on Linux

To stop the Check Point FireWall-1 adapter on Linux using the TEC tasks provided with Risk Manager:

1. On the Tivoli desktop, double-click the TEC task library titled Tasks for Enterprise Risk Management.

2. Click Stop_CheckPoint_Firewall_Adapter_on_Linux to stop the adapter.

3. Before restarting the Check Point FireWall-1 adapter, purge the existing Check Point FireWall-1 logfile entries. In the Check Point FireWall-1 Log Viewer, click File, then Purge.

Commands

The following operations on the Check Point FireWall-1 adapter can also be performed manually.

Starting the Check Point FireWall-1 adapter

To start the Check Point FireWall-1 adapter daemon manually on Solaris, enter:

/etc/init.d/rma_cpfw-init start

To start the Check Point FireWall-1 adapter service manually on Windows NT, enter:

net start rma_cpfw

To start the Check Point FireWall-1 adapter daemon manually on Linux, enter:

/etc/rc.d/rma_cpfw-init start

Stopping the Check Point FireWall-1 adapter

To stop the Check Point FireWall-1 adapter daemon manually on Solaris, enter:

/etc/init.d/rma_cpfw-init stop

To stop the Check Point FireWall-1 adapter service manually on Windows NT, enter:

net stop rma_cpfw

To stop the Check Point FireWall-1 adapter daemon manually on Linux, enter:

/etc/rc.d/rma_cpfw-init stop

Error logging

On Windows NT, all errors that occur are written to the Windows NT Event Viewer. On Solaris, errors are sent to the SYSLOG daemon.

Check Point FireWall-1 alert signatures

The correlation rules require three attributes when processing a firewall event:

- Source IP address
- Destination IP address
- Attack type signature

In the Risk Manager firewall adapter starter set, the firewall sensor signatures are the same for both adapters. The Cisco Secure PIX Firewall adapter carries severity levels; the Check Point FireWall-1 adapter does not. Intrusion alerts are instead assigned by the rules of the policy.

Risk Manager maps Check Point FireWall-1 alerts to the Risk Manager severity WARNING and control messages to HARMLESS. This mapping can be changed in the cpfw.baroc file.

Alert signatures

Most Check Point FireWall-1 log records contain IP addresses but no explicit attack signature. For the intrusion-related Check Point FireWall-1 log messages, Risk Manager provides the following strings as signatures:

fw_conn_deny     A connection was denied.
fw_conn_permit   A connection was permitted.
fw_auth_deny     A user was denied a connection.
fw_auth_permit   A user was permitted a connection.

Control signatures

For the Check Point FireWall-1 log messages that are not intrusion-related, Risk Manager provides the following strings as signatures:

fw_control      A Check Point configuration change.
fw_log_switch   The Check Point log file was switched or changed.
fw_log_eof      The end of the Check Point log file was reached.

Event attributes

For the intrusion class RM_Service and its subclass RM_ICMP, and for the non-intrusion class RM_MiscEvent, the cpfw.baroc file lets you set the severity level and the firewall-specific fields.

The firewall-related data attributes are as follows:

Attribute              Description                                          Possible values
cpfw_action            Action taken by the firewall.                        The Check Point actions: drop, reject, accept, control (ctl), other
cpfw_additional_info   Other Check Point information not carried in an attribute.
cpfw_alert             Type of Check Point alert.                           alert, userauthalert
cpfw_ifdir             Direction of the interface.                          inbound, outbound
cpfw_ifname            Name of the interface.                               ether (Ethernet), token (Token Ring), fddi (Fiber Distributed Data Interface), ppp (Point-to-Point Protocol), atm (Asynchronous Transfer Mode)
cpfw_len               Packet size in bytes.
cpfw_lognum            Line number of the record in the firewall log file, that is, the Check Point log file line number.
cpfw_protocol          Protocol.                                            One of the connection protocols: TCP, UDP, ICMP, other
cpfw_reason            The Check Point reason for the security alert.
cpfw_rule              Number of the Check Point policy rule that raised the security alert.
cpfw_type              Type of Check Point event.                           control, alert, user
cpfw_user              User who triggered the security alert.

Risk Manager maps Check Point FireWall-1 alerts to the Risk Manager severity WARNING and control messages to HARMLESS.


Host Intrusion Detection adapter

This chapter covers the following topics:

- "Overview of the Host IDS Risk Manager adapter"
- "TEC Correlation"
- "Installing and configuring the Host IDS adapter" on page 194
- "TEC tasks" on page 196

Overview of the Host IDS Risk Manager adapter

Risk Manager includes a Host Intrusion Detection (Host IDS) adapter. It lets you strengthen the security of the underlying operating system by pointing the adapter at that operating system, without impairing the functions of the system being protected.

The Host IDS Risk Manager adapter maps the events detected and recorded by Windows and UNIX systems to Tivoli Enterprise Console (TEC) events. It sends the events to the TEC server through the Tivoli Logfile adapter (syslogd) on UNIX systems and through the Windows Event Log adapter on Windows systems.

The Host IDS Risk Manager adapter consists of platform-specific format files that configure the Tivoli Logfile adapter; through them, events recorded by the operating system are captured and forwarded to the event server for processing.

The Host IDS adapter resides on systems where the corresponding Tivoli Management Enterprise (TME) adapter is installed.

TEC Correlation

The Host IDS adapter monitors the operating system in order to capture the activity the operating system records. When an event occurs, the operating system writes a message to the system log. The Host IDS adapter converts the events detected and written to these system logs into Risk Manager events by way of the Tivoli Logfile adapter. The events are then sent to the event server and processed.

Configure the corresponding Tivoli adapter as follows:


Windows systems: Configure the Windows Event Log adapter so that it captures the events described in the Risk Manager format file os_nt.fmt.

AIX systems: Configure the Tivoli Logfile adapter (syslogd) so that it captures the events described in the Risk Manager format file os_aix.fmt.

Solaris systems: Configure the Tivoli Logfile adapter (syslogd) so that it captures the events described in the Risk Manager format file os_solaris.fmt.

RedHat systems: Configure the Tivoli Logfile adapter (syslogd) so that it captures the events described in the Risk Manager format file os_linux.fmt.

Risk Manager correlates operating system events with the events detected by the other Risk Manager adapters, so that administrators can track intrusion-related events effectively.

Installing and configuring the Host IDS adapter

Follow the steps in this section to install and configure the Host IDS adapter.

Before you install

The Tivoli Risk Manager Server 3.8 installation package contains the files required by the Host IDS adapter.

See the Tivoli Risk Manager Release Notes for information about supported platforms and installation.

The TME adapter for the platform must already be installed. For installation instructions, see the Tivoli Enterprise Console Adapters Guide.

Installation notes

Do not install the adapter on the TEC event server. Instead, distribute the adapter from the TEC event server. To distribute the adapter with the Risk Manager profile, the Adapter Configuration Facility (ACF) must be installed. The adapter can be installed on endpoints or on non-Tivoli nodes. A non-Tivoli node is a client that is not defined as an endpoint of the Tivoli Management Region (TMR).

The Host IDS adapter can be installed either on Tivoli endpoints within Tivoli or on nodes outside Tivoli.


Configuring the Host IDS adapter

After installation, the files are located in:

$BINDIR/../generic_unix/RISKMGR/ACF_REP/tecad_snmp.cds

BINDIR is the directory that holds the event server binaries. Make a backup copy of the original format file before changing it.

Note: On UNIX systems, before configuring the Risk Manager adapter for Host Intrusion Detection, set up the Risk Manager environment in your shell by sourcing:

. /etc/Tivoli/rma_eif_env.sh

To configure the Host IDS adapter within Tivoli:

1. Tailor the Host IDS adapter by selecting the entries of the format file you want to keep and commenting out the rest. Edit the Host IDS adapter format file.

2. Merge the Risk Manager adapter format file with the Tivoli format file and generate the class definition statement (.cds) file, following "Merging Risk Manager and TME adapter format files" on page 47.

AIX systems: Append the os_aix.fmt file to the end of the existing tecad_logfile.fmt file.

Solaris systems: Append the os_solaris.fmt file to the end of the existing tecad_logfile.fmt file.

Windows systems: Append the os_nt.fmt file to the end of the existing tecad_nt.fmt file.

Linux: Append the os_linux.fmt file to the end of the existing tecad_logfile.fmt file.

3. After merging or editing the format files on the event server, use the Tivoli Adapter Configuration Facility (ACF) to distribute and apply the required format files. For details, see "Configuring and distributing Risk Manager adapters with ACF" on page 49.

4. Depending on the TME adapter, do one of the following:

- On Windows systems, apply the os_nt.fmt file to configure the Windows Event Log adapter.
- Apply the os_aix.fmt file to configure the Tivoli Logfile adapter (syslogd) for AIX.
- Apply the os_solaris.fmt file to configure the Tivoli Logfile adapter (syslogd) for Solaris.
- On Linux, apply the os_linux.fmt file to configure the Tivoli Logfile adapter (syslogd).


When you install and configure the Host IDS adapter with ACF, the adapter starts automatically. No further configuration is required, but you can tailor the Host IDS adapter by commenting out the entries that do not apply to your environment. Make a backup copy of the original format file before making changes.

Risk Manager loads the event definitions on the event server automatically when Risk Manager is set up. The Host IDS adapter events are defined in the os.baroc file.

TEC tasks

TEC tasks let you enable and disable the auditing of security events on Windows system endpoints. For a list of the other TEC tasks provided with Risk Manager, see "Risk Manager TEC tasks" on page 107.

On Windows systems, you can use the operating system's administrative tool (User Manager) to check whether the system is capturing security events.

Before running these TEC tasks, the executable program rmt_ntaudit.exe must be distributed to the endpoints. To distribute the program, use the task profile in the Tivoli Windows Host IDS profile provided with Risk Manager.


McAfee Alert Manager adapter

This chapter covers the following topics:

- "Overview of the McAfee Alert Manager adapter"
- "Installing and configuring the McAfee Alert Manager adapter" on page 201

Overview of the McAfee Alert Manager adapter

Risk Manager includes an adapter for McAfee Alert Manager that maps the alarms generated by McAfee AntiVirus scanning products and collected by McAfee Alert Manager to TEC events.

This adapter can be installed when McAfee Alert Manager (shipped as part of the McAfee Active Virus Defense (AVD) suite of anti-virus scanning products) is used on the network.

Product overview

McAfee Alert Manager is the central collection point for the alert messages generated by McAfee AntiVirus scanning products in response to virus detections, virus definition file updates, and other important events. The Risk Manager Event Log adapter reads these alerts from the Windows Application event log and maps them to Tivoli Enterprise Console (TEC) events.

Alert Manager is bundled with McAfee NetShield (for Windows NT and Windows 2000) and McAfee WebShield SMTP (for Windows NT and Windows 2000).

McAfee Alert Manager collects the alert messages generated by the following McAfee AntiVirus entry-point scanners:

VirusScan: Provides desktop anti-virus scanning and cleaning. Supports desktop scanning of Java applets and ActiveX controls, e-mail scanning, download filtering, and Internet filtering.

VirusScan Wireless: Provides anti-virus scanning and cleaning for personal digital assistants.

NetShield: Provides server-level anti-virus scanning and cleaning.


GroupShield: Provides anti-virus scanning and cleaning for Lotus Domino and Microsoft Exchange groupware servers.

WebShield: Provides anti-virus scanning and cleaning for SMTP gateways.

McAfee Alert Manager offers several messaging methods for notifying administrators of the virus scan events carried by the alert messages it receives from the virus scan engines. By default, it records them in the Windows event log of the Alert Manager Server on which Alert Manager is installed. That system is called the dedicated Alert Manager Server.

McAfee Alert Manager is bundled with McAfee NetShield, and the two components are normally installed together on a single server. Examples of McAfee NetShield activity that is monitored are virus definition file updates and virus scan engine upgrades.

Details about McAfee Alert Manager and the McAfee Active Virus Defense suite are available from the Web site of Network Associates, Inc., which produces them: http://www.mcafeeb2b.com or http://www.nai.com.


Adapter components

The Risk Manager adapter for McAfee Alert Manager consists of the TEC Windows Event Log adapter and TEC adapter support files. It is supported on the following systems:

- Windows NT Server
- Windows 2000 Server
- Windows 2000 Advanced Server

The TEC Windows Event Log adapter captures the McAfee Alert Manager virus scan events written to the Windows Application event log. McAfee Alert Manager records the virus scan events it receives in the Windows event log by default.

Figure 22. Components of the McAfee Alert Manager adapter


Risk Manager "@W?<&U)<^CH&U!$k rmmac.fmt O"!N3HrT$^9#

¶ $YsH&m0+iI_hk McAfee Alert Manager aC;<8NU)<^CHrjA7

^9#

¶ FaC;<8H TEC $YsH&/i9N^CAs0rT$^9#

¶ aC;<8Npsr"TEC 5<P<,1LD=J$YsHKU)<^CH7^9#

Risk Manager KO BAROC U!$k rmvirus.baroc b^^lF$^9#3lO McAfee

Alert Manager "i<H&aC;<8+in.5lk&#k9I}$YsH&/i9rjA7

^9#3NU!$kO"Risk Manager 5<P< 3.8 $s9H<k&QC1<8NltH7F

$s9H<k5l" TEC k<k&Y<9NltH7F+0*Km<I5l^9#

3liN$YsH&/i9O"&#k9!Pd=N>N McAfee AntiVirus =JN`n$Ys

H (&#k9jAU!$kd&#k9&9-cs&(s8sN97JI) r=7^9#3li

N$YsH&/i9OFQ/i9G"j">N"sA&#k9=JKhk$YsHjAKHQ

9k3H,G-^9#

McAfee Alert Manager and McAfee NetShield alert signatures

Risk Manager captures the messages generated by McAfee Alert Manager and McAfee NetShield.

McAfee Alert Manager provides a common set of alert messages used by all McAfee AntiVirus entry-point scanners. You can view and change these messages with the McAfee Alert Manager message utility.

Caution: Change messages with care. A message reflects the state of the product itself, and changing it may obscure the condition that caused the message to be posted.

Risk Manager, which supports McAfee Alert Manager Version 4.5, supports the default set of Alert Manager messages. If you change the format of a message, you must also change the adapter format file rmmac.fmt so that it reflects the change.

With McAfee Alert Manager you can enable or disable individual messages and select which messages are recorded for each severity.

Risk Manager also supports a set of messages generated by McAfee NetShield 4.5. These messages represent important activity related to the McAfee NetShield virus scan component.

For a list of the messages, see "McAfee Alert Manager and McAfee NetShield alert messages" on page 301.

TEC Correlation

The TEC Event Log adapter detects the alert messages generated by the McAfee anti-virus scanning products and forwarded to the Alert Manager Server. The McAfee Alert Manager adapter maps these events to TEC events. The events are sent to the event server and processed.

All anti-virus events belong to the Risk Manager event classes defined in riskmgr.baroc and sensor_abstract.baroc.

Installing and configuring the McAfee Alert Manager adapter

The McAfee Alert Manager Risk Manager adapter is supported on Windows servers.

Before you install

Before installing the McAfee Alert Manager Risk Manager adapter, complete the following steps:

1. See the Tivoli Risk Manager Release Notes for information about supported platforms and installation.

2. Install the McAfee Alert Manager product before installing the McAfee Alert Manager adapter. McAfee Alert Manager is installed as part of the McAfee NetShield or WebShield product installation. For the installation procedure, see the documentation of those products.

3. Install the TME adapter before installing the McAfee Alert Manager adapter. For installation instructions, see the Tivoli Enterprise Console Adapters Guide.

Note: On UNIX systems, before configuring the Risk Manager adapter for McAfee Alert Manager, set up the Risk Manager environment in your shell by sourcing:

. /etc/Tivoli/rma_eif_env.sh

Installing and configuring within Tivoli

Before merging the Risk Manager adapter format file with the Windows Event Log adapter format file, you can choose which McAfee alert messages are captured from the Windows Application event log. Do this by selecting the individual message format definitions in the rmmac.fmt file and editing it. For the procedure, see the Tivoli Enterprise Console Adapters Guide.

To install and configure the McAfee Alert Manager adapter within Tivoli, perform the following tasks:

1. Merge the Risk Manager adapter format file with the TME adapter format file, following the procedure in "Merging Risk Manager and TME adapter format files" on page 47. When using the Tivoli Windows Event Log adapter, append the rmmac.fmt file to the end of the existing tecad_win.fmt file.

2. Use the Tivoli Adapter Configuration Facility (ACF) to configure the format, configuration, CDS, and signature files and distribute them to the Tivoli endpoints. See "Configuring and distributing Risk Manager adapters with ACF" on page 49.


Installing and configuring on non-Tivoli nodes

The McAfee Alert Manager adapter can also be installed and configured on non-Tivoli nodes. A non-Tivoli node is a client that is not defined as an endpoint of the Tivoli Management Region (TMR). See "Installing Risk Manager components with the native installation" on page 39 and the Tivoli Enterprise Console Adapters Guide.

Using McAfee Alert Manager on Windows 2000

When McAfee Alert Manager Version 4.5 runs on a Windows 2000 system, identical event records describing a single virus scan action or virus detection are written to several Windows event logs. By default, the Windows Event Log adapter captures events from every Windows event log, so several identical Risk Manager events reach the TEC server for each virus scan action or detection. To avoid this, configure the Windows Event Log adapter to monitor only the Application, Security, and System event logs, in one of the following ways:

- Add the following adapter-specific keyword to the adapter configuration file tecad_win.conf:

WINEVENTLOGS=ApplicationLog, SecurityLog, SystemLog

- Specify -L when starting the Event Log adapter from the command line:

tecad_win.exe -L ApplicationLog SecurityLog SystemLog

If the Windows Event Log adapter must also monitor the Directory Service, DNS Server, or File Replication Service event logs, run a second adapter alongside the one that supports Risk Manager. For instructions on running multiple Event Log adapters, see the Tivoli Enterprise Console Adapters Guide.


Norton AntiVirus adapter

This chapter covers the following topics:

- "Overview of the Norton AntiVirus adapter"
- "Installing and configuring the Norton AntiVirus Risk Manager adapter" on page 205

Overview of the Norton AntiVirus adapter

Risk Manager includes a Norton AntiVirus adapter that maps the alarms generated by the Norton AntiVirus product to TEC events.

Product overview

Symantec Norton AntiVirus Corporate Edition 7.0 and 7.5 protect users while they browse the Internet, including against malicious ActiveX code, Java applets, and Trojan horses. This gives real-time protection against known viruses on the supported platforms.

Norton AntiVirus events are documented on the Symantec Web site. See:

http://service1/symantec.com/SUPPORT/nav.nsf/

where you can find the information in "Norton AntiVirus Corporate Edition Event IDs Explained".


Adapter components

The Risk Manager adapter for Norton AntiVirus consists of the TEC Windows Event Log adapter and TEC adapter support files.

It is supported on the following systems:

- Windows NT
- Windows 2000

The TEC Windows Event Log adapter captures the Norton AntiVirus virus scan events written to the Windows Application event log. Norton AntiVirus records virus scan events in the event log by default.

Risk Manager "@W?<&U)<^CH&U!$k rmnav.fmt O"!N3HrT$^9#

^ 23. Norton AntiVirus Q"@W?<+iNG<?&Um<

204 P<8gs 3 jj<9 8

Page 227: Risk Manager '[ U'[ Y'E K C hpublib.boulder.ibm.com/tividd/td/TRM/GC32-0703-01/ja_JA/PDF/GC32... · ... 16 BAROC U!$k ... 39 Risk Manager D-QtXN"/;9 ... Risk Manager EIF =.U!$k&U)

¶ $YsH&m0+iI_hk Norton AntiVirus aC;<8NU)<^CHrjA7^9#

¶ FaC;<8H TEC $YsH&/i9N^CAs0rT$^9#

¶ aC;<8Npsr"TEC 5<P<,1LD=J$YsHKU)<^CH7^9#

This file is installed, together with the TEC adapter, on the same platform as the Norton AntiVirus server.

Risk Manager also includes the BAROC file rmvirus.baroc, which defines the virus management event classes created from Norton AntiVirus alert messages. This file is installed when the Risk Manager Server is installed and is loaded automatically as part of the TEC rule base.

These event classes represent virus detections and other operational events of the Norton AntiVirus product (such as updates of the virus definition files or the virus scan engine). The event classes are generic and can be used to define events for other anti-virus products as well.

Norton AntiVirus events

Risk Manager supports the event messages provided by Norton AntiVirus Version 7.0 and 7.5. The following Norton AntiVirus events, identified by event ID number, are captured by the Risk Manager rmnav.fmt format file:

Event ID   Severity        Event
2          Informational   A virus scan completed.
3          Informational   A virus scan started.
5          Warning         An infected file was found.
6          Warning         An error occurred while opening a particular file.
7          Informational   Virus definitions were loaded.
13         Informational   The Norton AntiVirus service is shutting down.
14         Informational   The Norton AntiVirus service is starting.
16         Informational   A definitions update was downloaded.
21         Error           A virus scan was aborted.

TEC Correlation

The Tivoli Event Log adapter detects the virus-related events generated by Norton AntiVirus. The Norton AntiVirus adapter maps these events to TEC events. The events are then sent to the event server and processed.

All anti-virus events belong to the Risk Manager event classes defined in riskmgr.baroc and sensor_abstract.baroc.

Installing and configuring the Norton AntiVirus Risk Manager adapter

This section describes how to install and configure the Norton AntiVirus Risk Manager adapter.


Before you install

Before installing the Norton AntiVirus Risk Manager adapter, complete the following steps:

1. See the Tivoli Risk Manager Release Notes for information about supported platforms and installation.

2. Install the Symantec Norton AntiVirus product before installing the Norton AntiVirus Risk Manager adapter. Follow the product's own documentation.

3. Install the TME adapter for the platform you are using before installing the Norton AntiVirus adapter. For installation procedures, see the Tivoli Enterprise Console Adapters Guide.

Note: On UNIX systems, before configuring the Risk Manager adapter for Norton AntiVirus, set up the Risk Manager environment in your shell by sourcing:

. /etc/Tivoli/rma_eif_env.sh

Installing and configuring within Tivoli

Before merging the Risk Manager adapter format file with the Windows Event Log adapter format file, you can choose which Norton AntiVirus events are captured from the Windows Application event log. Do this by selecting the individual message format definitions in the rmnav.fmt format file and editing it. For details, see the Tivoli Enterprise Console Adapters Guide.

To install and configure the Norton AntiVirus adapter within Tivoli, perform the following tasks:

1. Merge the Risk Manager adapter format file with the TME adapter format file. For details, see "Merging Risk Manager and TME adapter format files" on page 47. When using the Tivoli Windows Event Log adapter, merge the contents of the rmnav.fmt file into the existing tecad_win.fmt file.

2. Use the Tivoli Adapter Configuration Facility (ACF) to configure the format, configuration, CDS, and signature files and distribute them to the Tivoli endpoints. See "Configuring and distributing Risk Manager adapters with ACF" on page 49.
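The Host IDS, McAfee Alert Manager, and Norton AntiVirus procedures all contain the same step: append the Risk Manager format file to the end of the existing TME adapter format file. Done by hand with a text editor, the step is repeated on every reinstall and nothing checks the result. The following is an added example, not Tivoli's tooling, of performing that merge idempotently and checking it; the two .fmt texts are constructed stand-ins, and the only syntax assumed is the TEC format file structure of "FORMAT <class> [FOLLOWS <parent>]" ... "END" blocks with "//" comments between them.

```python
"""Merge a Risk Manager .fmt into an existing TME adapter .fmt: append the blocks that
are not already present, then check for clashing definitions and missing parents.
Added example, not Tivoli's tooling; the sample format files are constructed."""
import re

FORMAT_RE = re.compile(r"^FORMAT\s+(\S+)(?:\s+FOLLOWS\s+(\S+))?\s*$")

# Constructed stand-in for a shipped tecad_logfile.fmt.
TECAD_LOGFILE_FMT = """\
FORMAT Logfile_Base
%t %s %s*
hostname DEFAULT
origin DEFAULT
msg $3
END

FORMAT Su_Failure FOLLOWS Logfile_Base
%t %s su: %s+ failed for %s on %s
origin DEFAULT
sub_source SYSLOG
END
"""

# Constructed stand-in for a Risk Manager os_*.fmt.  The first block duplicates one
# already in the target; the last one FOLLOWS a parent that is defined nowhere.
OS_FMT = """\
// Risk Manager host IDS formats (constructed sample)
FORMAT Su_Failure FOLLOWS Logfile_Base
%t %s su: %s+ failed for %s on %s
origin DEFAULT
sub_source SYSLOG
END

FORMAT RM_Login_Failure FOLLOWS Logfile_Base
%t %s login: FAILED LOGIN %s FROM %s FOR %s, Authentication failure
sensor_hostname $2
END

FORMAT RM_Bad_Parent FOLLOWS Missing_Base
%t %s something %s*
END
"""


def parse_fmt(text):
    """Return (name, parent, body_lines) for every FORMAT ... END block, in file order."""
    blocks, current = [], None
    for raw in text.splitlines():
        line = raw.rstrip()
        if current is None:
            m = FORMAT_RE.match(line)
            if m:                           # comments and blank lines between blocks are dropped
                current = (m.group(1), m.group(2), [])
        elif line == "END":
            blocks.append(current)
            current = None
        else:
            current[2].append(line)
    if current is not None:
        raise ValueError(f"FORMAT {current[0]} has no END")
    return blocks


def render(block):
    name, parent, body = block
    head = f"FORMAT {name}" + (f" FOLLOWS {parent}" if parent else "")
    return "\n".join([head, *body, "END"])


def merge_fmt(tme_text, rm_text):
    """Append the Risk Manager blocks not already present; return (merged_text, report)."""
    existing = parse_fmt(tme_text)
    seen = {(n, tuple(b)) for n, _p, b in existing}      # identical definitions
    names = {n for n, _p, _b in existing}                 # defined class names
    added, skipped, conflicts = [], [], []
    for blk in parse_fmt(rm_text):
        name, _parent, body = blk
        if (name, tuple(body)) in seen:
            skipped.append(name)            # already merged: a second run changes nothing
            continue
        if name in names:
            conflicts.append(name)          # same class name, different definition
        added.append(blk)
        seen.add((name, tuple(body)))
        names.add(name)
    # A FOLLOWS target that no block defines will break the .cds generation.
    missing = sorted({p for _n, p, _b in existing + added if p and p not in names})
    merged = tme_text
    if added:
        merged = tme_text.rstrip("\n") + "\n\n" + "\n\n".join(render(b) for b in added) + "\n"
    return merged, {"added": [b[0] for b in added], "skipped": skipped,
                    "conflicts": conflicts, "missing_parents": missing}
```

Treat a non-empty "conflicts" or "missing_parents" list as a stop condition before running ACF: a clashing class name means the Risk Manager file and the TME file disagree about the same event class, and a missing parent means the merged file cannot be turned into a consistent class definition statement file.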

Installing and configuring on non-Tivoli nodes

The Norton AntiVirus adapter can also be installed and configured on non-Tivoli nodes. A non-Tivoli node is a client that is not defined as an endpoint of the Tivoli Management Region (TMR). See "Installing Risk Manager components with the native installation" on page 39 and the Tivoli Enterprise Console Adapters Guide.

Using Norton AntiVirus on Windows 2000

When Norton AntiVirus Version 7.5 runs on a Windows 2000 system, identical event records describing a single virus scan action or virus detection are written to several Windows event logs. By default, the Windows Event Log adapter captures events from every Windows event log, so several identical Risk Manager events reach the TEC server for each virus scan action or detection.

To avoid this, configure the Windows Event Log adapter to monitor only the Application, Security, and System event logs, in one of the following ways:

- Add the following adapter-specific keyword to the adapter configuration file tecad_win.conf:

WINEVENTLOGS=ApplicationLog, SecurityLog, SystemLog

- Specify -L when starting the Event Log adapter from the command line:

tecad_win.exe -L ApplicationLog SecurityLog SystemLog

If the Windows Event Log adapter must also monitor the Directory Service, DNS Server, or File Replication Service event logs, run a second adapter alongside the one that supports Risk Manager. For instructions on running multiple Event Log adapters, see the Tivoli Enterprise Console Adapters Guide.


Network IDS

This chapter describes the Network Intrusion Detection System. The Network Intrusion Detection System (Network IDS) is a network-based intrusion detection system. The chapter covers the following topics:

- "Network IDS overview"
- "Network IDS TEC Correlation" on page 210
- "Installing and configuring the Network Intrusion Detection System" on page 212
- "Risk Manager TEC tasks" on page 213
- "nids command" on page 216
- "Network IDS attack signatures" on page 218

The Network IDS attack signatures are listed in "Network IDS attack signatures" on page 307. The Network IDS messages are described in "Network Intrusion Detection System messages" on page 237.

Network IDS overview

Network IDS listens to network traffic and detects suspicious activity such as scans and known intrusion attacks. Network IDS typically runs on a dedicated machine on the external side of the firewall and monitors intrusion attempts arriving from the Internet. Network IDS runs on UNIX systems.

Network IDS generates alarms and posts them to a Tivoli Management Enterprise (TME) adapter: the Tivoli Logfile adapter (syslogd) for UNIX systems. The Network IDS format file (nids.fmt) configures the Tivoli Logfile adapter so that it can map these alarms to TEC events. Network IDS resides on the same endpoint as the Tivoli Logfile adapter.

Network IDS can run in promiscuous mode, monitoring the traffic to and from every node on the network. It can also run in non-promiscuous mode by running on a particular server, in which case it monitors only the traffic destined for that server. Non-promiscuous mode suits switched networks and heavily loaded networks, where monitoring the traffic of every node is impossible or impractical.


17. Network IDS


Network IDS TEC Correlation

Network IDS O"MCHo</eN"/F#SF#<rbK?<7"=lr=[5lk6bN

{NNQ?<s (70KAc<) HM-go;^9#Network IDS OlW9kbNr+U1k

H"79F`&m0KaC;<8rq-~_^9# Tivoli Logfile "@W?<O"$YsHr

$YsH&5<P<Kw.7^9#

Risk Manager O Network IDS $YsHr">N?$WN;s5<+iw.5lk=N>N$

YsHHX"U1" Risk Manager "I_K9Hl<?<,/~!N$YsH4NrD.G-

kh&K7^9#

^ 24. Network Intrusion Detection System N^


Network IDS �*�

Network IDS Gsp5lk"i<HKO"!Nps,^^l^9#

¶ G-N1LVf

¶ EgYlYk

¶ F-9H-R

Network IDS O1L (ID) VfrHQ7F"i<Hr1L7+,1^9# ID VfO"

Common Vulnerability Entry (CVE) VfKOP~7F$^;s#3lO"Network IDS OHe

-J0N;-ejF#<dj (=.(i<"PC/&I""9-csKs0JI) KD$Fb

F9H7"FQ-N"kAG6br'17h&H9k?aG9#

?H(P"Network IDS KO"lL*JPCU!<&*<P<Um<&G<?r!P9k?a

N 3 DN70KAc<,"j^9#3liN*<P<Um<&70KAc<O"t4KZV

CVE G-NPCU!<&*<P<Um<6br-cCA7^9# Network IDS O"iaF!

P7 CVE KOP?5lF$J$70KAc<G"CFbFQN70KAc<H7F7$"$

+JkPCU!<&*<P<Um<Gb-cCAG-kh&K7F$^9#70KAc<,F

Q*G"k3H+i"Network IDS GO6b5lF$kPCU!<&*<P<Um<NHe-

r5NKhL9k3HOG-^;s#

[HsINlg"X"9kHe-r5NK1L9khjO"6b,TolF$k3HrNBK

Nk3HN},EWG9#

CVE (sHj<K5NKP~7J$ Network IDS 70KAc<QK"Network IDS GO"

l]<H&9Hjs0Nh,K CVE 2H ID ,U$F$^9#=l>lN CVE ID N\Y

KD$FO"!r2H7F/@5$#

http://csrc.nist.gov/icat

Network IDS OEgYlYkr0tMH7FXj7^9#<m (0) Oj9/NEgY,c$

3Hr(7"M,}(kKDl"hjEgJu7r=7^9#

"i<HNF-9H-RO""i<Hr+F4j<=9k-<o<IG+O5l^9#"i<

HN+F4j<O!NH*jG9#

-<o<I b@

CVE CVE G<?Y<9Kj9H5lkG-NHe-#

ALERT CVE Kj9H5lF$J$FQN6b#

DOS {NN5<S9826b#

SCAN 6b0N4:r(9HiU#C/&Q?<s#

CONFIG ;-ejF#<X"N=.(i<rHQ7h&H9kn_#

AUTH 6br(9D=-,"k'ZN:T#

BACKDOOR {NNPC/&I"&Wm0i`VHNHiU#C/#

STEALTH {NN9Fk96bK*$FlL*JHiU#C/#

Network IDS GO"!N 2 DN+F4j<N!P,Tol^9#

H_~_"i<H

H_~_"i<HO"Network IDS KhCF;C7gs^?OQ1CH&G<?K*


1k1cJQ?<sr5w9k@1GO!PG-J$u7r7$^9#3liN"i

<HGO"WmH3kbN9F<HUkj_nQr4Y?j"#tN;C7gsKO

CF,OrT&,W,"j^9# Network IDS KO"3liNF9H,O<I3<

G#s05lF$^9#3lrQ99k3HOG-^;s#

Network IDS O"3liNH_~_"i<HNPO9Hjs0*hSEgYlYkr

ids.msg U!$kKXj7F$^9#

70KAc<&Y<9N"i<H

70KAc<&Y<9N"i<HNlg" Network IDS OjjNWmH3k&lY

kK*1kQ1CH^?O;C7gs&G<?&9Hj<`bNXjQ?<sr!P

7^9# Network IDS O"3li70KAc<NQ?<s""i<HN%hgL"

*hSPOaC;<8r ids.rules U!$kKXj7F$^9#

Risk Manager N ids.rules U!$kO Tivoli Support Web 5$HGj|*K975lF*

j"3NU!$krG7N70KAc<&U!$kKV-9(k3H,G-^9#\7/O"

214Z<8NX70KAc<&U!$kN97Yr2H7F/@5$#

Network Intrusion Detection System ����������

Network IDS r$s9H<k9kKO"$s9H<kK3$F"=.rT&,W,"j^9#

Network Intrusion Detection Option ��������+/�0

Network Intrusion Detection System =JKO"CD NeLG#l/Hj<K$s9H<k&Q

C1<8,^^lF$^9#3lKO!N$s9H<k&b8e<k,^^l^9#

¶ Network Intrusion Detection Option 3.8

3NQC1<8KO"Network IDS ,^^l^9#^?"!N Network IDS *hS Risk

Manager correlation $YsH&5<P<&U!$kb^^l^9#

v correlation k<k&U!$k"prolog U!$k"*hS=.U!$k

v Logfile "@W?<=.QNU)<^CH&U!$k

v GU)kHN=.U!$k

m: Network IDS BAROC U!$k (nids.baroc) O"Tivoli $s9H<k&QC1<8K^^

l^9#

3NQC1<8r"Tivoli D-N(sI]$sHK$s9H<k7^9#s Tivoli D-K$

s9H<k9klgO"79F`NM$F#VN$s9H<k&Wm0i`rHQ7^9#

s Tivoli D-XN Risk Manager N$s9H<k}!KD$FO"VTivoli Risk Manager f

<6<:&,$IWr2H7F/@5$#

��������$s9H<kN0K"VTivoli Risk Manager jj<9&N<HWr2H7F"=UH&'"

WoKX9kG7psHG7N$s9H<kpsrN'7F/@5$#

nids.fmt U!$kKhj TME "@W?<r=.9k0K"Network IDS ;s5<r$s9

H<k9k,W,"j^9#


Tivoli Logfile ,$s9H<kQ_G"k,W,"j^9#$s9H<kNX(KD$FO"

VTivoli Enterprise Console "@W?<&,$IWr2H7F/@5$#

Network IDS Q"@W?<O"Tivoli (sI]$sH^?Os Tivoli N<IK$s9H<k

9k3H,G-^9#

Network IDS ���

Network IDS r=.9kKO"!N9FCWrT$^9#

����+�Network IDS N=.O"m<+kK"^?O"@W?<=.!= (ACF) rHQ7FT&3H

,G-^9#

¶ ,WK~8F ids.cfg =.U!$krT87^9#f{Nm1<7gsG=.rT&lg

O"ACF rHQ7FU!$krF[[7F/@5$#

¶ 975l?70KAc<&U!$k,HQD=JlgO",WK~8F"70KAc<&

U!$k (ids.rules) rV-9(F977^9#b@KD$FO"214Z<8NX70K

Ac<&U!$kN97Yr2H7F/@5$#

¶ =.,0;7?e"Risk Manager Ks!5lk Tivoli Enterprise Console (TEC) ?9/r

HQ7F"Network IDS rO07^9# XNetwork IDS "@W?<N+OYr2H7F

/@5$#

Risk Manager TEC ���

Risk Manager KO"Tasks for Enterprise Risk Management H$&H+N?9/&i$Vij

<,"j^9#Risk Manager O"3N?9/&i$Vij<r"TEC-Region H$&GU)k

HN TEC ]j7<&j<8gsK$s9H<k7^9#

Network IDS TEC ���

Risk Manager KO"Network IDS rO0 / d_9k?aN TEC ?9/,^^lF$^9#

Network IDS ��������

Network IDS r+O9kKO"!Nh&K7^9#

1. MCHo</&$s?<U'<9+iQ1CHrI_hkKO"k<HH7F Network

IDS rBT9k,W,"j^9#@sW&U!$k+iI_hklgO"k<H"BO,

W"j^;s#

2. Tivoli G9/HCWG"Tasks for Enterprise Risk Management H$&?$HkNTEC ?9/&i$Vij<r/jC/7^9#

3. Start_NIDS_Adapter TEC ?9/r/jC/7^9#

Network IDS ��������

Network IDS rd_9kKO"!Nh&K7^9#

1. Tivoli G9/HCWG"Tasks for Enterprise Risk Management H$&?$HkNTEC ?9/&i$Vij<r/jC/7^9#

2. Stop_NIDS_Adapter TEC ?9/r/jC/7^9#


Network IDS ���

Tivoli "I_K9Hl<?<O"J<N?9/rT$^9#

nids '!����� Network IDS �����

Network IDS N$s9H<kKhj"Inittab U!$kKO"79F`N/0~K Network

IDS r+0*KO09k?aNT,IC5l^9#$s9H<k&Wm0i`O"Lo"!N

h&K rc V<H~9/jWH, Network IDS r+0*KO09kh&;CH"CWrT$

^9#

cd /usr/opt/Tivoli/nids; ./nids -q -d

F`\O"!NH*jG9#

-q E_b<IrXj7^9#8`POK"i<HOwil^;s#GU)kH&b<I

GO"8`POK"i<H,u~5l^9#

-d Wm;9rG<bsH7FBT7J$h&Xj7^9#G<bsH7FBT7J$3

HKhj"init G<bs, Network IDS Wm;9rbK?<7"Wm;9,:T7?

lgKOWm;9rFO07^9#

��������Network IDS N$s9H<kKhj"Inittab U!$kKO"Network IDS r+0*KO0

9k?aNT,IC5l^9#

Network IDS r+0*KO07J$h&K9kKO"Inittab U!$kfNTNh,K3ms

(:) rU1F"O0?ar3asH=7^9#

��3<:���)�����Risk Manager N Network IDS 70KAc<&U!$kO""/;9)f5l? Tivoli

Support Web 5$HGj|*K975lF$^9#

Tivoli D-N70KAc<&U!$krV-9(kKO"!Nh&K7^9#

1. ids.rules *hS=N>,WJU!$kr!N Tivoli Support Web 5$H+i@&sm<

I7^9#

http://www.tivoli.com/support/secure_download_bridge.html

2. ACF rHQ7F77$P<8gsN70KAc<&U!$kr[[7"lP<8gsNU

!$krV-9(^9#

s Tivoli D-G70KAc<&U!$krV-9(kKO"!Nh&K7^9#

1. !N9/jWH&U!$krBT7F"Network IDS G<bsrd_7^9#

stopnids

2. ids.rules *hS=N>,WJU!$kr!N Tivoli Support Web 5$H+i@&sm<

I7^9#

http://www.tivoli.com/support/secure_download_bridge.html

3. !N9/jWH&U!$krBT7F"Network IDS G<bsrFO07^9#

startnids


Network IDS �*������1?��

Network IDS GO""i<H*hSm.s0psr!N 3 DNLVKwk3H,G-^9#

¶ Syslog

¶ m<+k&U!$k

¶ 3s=<k (8`POrWm;9KHQ)

a$sN ids.cfg =.U!$kK"3^sITK*1k3li8hN*rrXj9k3H,

G-^9# ids.cfg U!$kO"GU)kHNm.s0&m1<7gsr_j7^9#GU

)kHGO"m0psO$YsH&3s=<kKN_wil^9#

Network IDS O ids.cfg U!$kKGU)kHrXj7^9,"GU)kHNXjrQ99

k3H,G-^9#3lKO"3^sITG nids -y *W7gsrXj7F syslog POr/

)"^?O nids -q *W7gsKhj3s=<kPOr*UK7^9# Risk Manager G

O"LoO3liN9$CArXj7FPOr syslog Kwkh&K7" Network IDS G

/usr G#l/Hj<Kn.5lkU!$kN5$:,}C9k3HNJ$h&K7F$^

9#

GU)kHGO"m0psO syslog KN_wil^9#

�� ���%����9YFNMCHo</&$s?<U'<9,(?b<IN*Zl<7gsr5]<H9ko1

GO"j^;s#CK"ltN ISA *hSl0N PCMCIA H</sjs0&+<IGO(

?b<IKhk5Nr5]<H7^;s#O<I&'",(?b<IN*Zl<7gsr5]

<H9k+I&+rF9H9kKO" tcpdump rBT7F"m<+k&[9HVGNdj

HjGOJ$Q1CH"^?^kA-c9H"k$OVm<I-c9HGOJ$Q1CHr!

P7^9#

IP ������

Network IDS ,QC7VlQN$s?<U'<9G listen 9kHXxJlg,"j^9#3

N$s?<U'<9O"Q1CHr>w7J$;0asHGODkHJiJ$$s?<U'<

9rU#7^9#QC7VlQN$s?<U'<9NcH7FO"$s?<U'<9,0t

(U!$"&)<k0) ;0asHKQC7VK\35lF*j"h 2 N$s?<U'<9,

bt;0asHG"/F#VJuVG Network IDS "i<HrU!$"&)<kbN Risk

Manager Kspr9ku7,"j^9#

Network IDS rQC7V&$s?<U'<9eGBT9kKO"$s?<U'<9r"CW&

b<IQK=.9k,W,"j^9,"$s?<MCH&WmH3k (IP) "Il9Odjv

F^;s#

ifconfig up 3^sIrHQ7F"IP "Il9NXjrJ,7F/@5$#$s?<U'<

9,"CW&b<IG"kVO"MCHo</GN IP "Il9ps,J$?a"Q1CH>

wOTol^;s# Network IDS O"@&suVN$s?<U'<9GO listen 7^;s#

5�����Network IDS O"Risk Manager Kwilk"i<HK";s5<&[9HN IP "Il9"

*hS04$~5l?[9H> (c"host.company.com) rH_~_^9#04$~5l?[

9H>O"Risk Manager K*$F"i<HN=<9>rG-NbNH9keGEWHJj^

9# Network IDS ,04$~[9H>rh@G-kh&K9kKO"m<+kNj>kP<


,04$~>r gethostbyaddr( ) HqKa9h&=.9k,W,"j^9#Lo

O"/etc/hosts U!$kbNm<+k&[9HKP7=.rT$^9 (eX*KIa$s&

M<`&79F` (DNS) ^?OMCHo</ps5<S9 (NIS) KhkbNG"klgG

b)#\YKD$FO"resolver man Z<8r2H7F/@5$#

nids '!��

Network IDS rj0GO0"^?O=N>*W7gsrHQ9kKO"!N=8G nids 3^

sIrHQ7^9#

nids [-a] [-c config_filename] [-d] [-f filename] [-i interface] [-m msgfile]
     [-o outfile] [-q] [-y] [-r sigfile] [-s char] [-v value] [-M size]
     [-K] [-P] [-S num_packets] [-R] [-T] [-V]

F`\O"!NH*jG9#

-a $<5MCH^?OH</sjs0&HiU#C/NaG#"&"/;9)f

(MAC) "Il9r=(7^9#GU)kHO OFF G9#Lo"Network IDS

O=<9H8hN$s?<MCH&WmH3k (IP) lYkN"Il9ru~

7^9#3N*W7gsKhj"MAC (*}lYkN"Il9) Nu~,IC

5l^9#

-c config_filename

eX=.U!$k>rXj7^9#GU)kH>O ./ids.cfg G9#

-d Wm;9rG<bsH7FBT7J$h&Xj7^9#G<bsH7FBT7

J$3HKhj"init G<bs, Network IDS Wm;9rbK?<7"Wm

;9,:T7?lgKOWm;9rFO07^9#

-f filename Network IDS ,"MCHo</N5NGOJ/"U!$k+iG<?rI_

hlkh&K7^9# Network IDS O"8`PON tcpdump U!$k"^

?O nids -o *W7gsG@sW7?Q1CHrI_hk3H,G-^9#

=NeG"3liNU!$kr/~70KAc<QKh}7^9#

-i interface HQ9k$s?<U'<9rXj7^9#GU)kHO"GiNsk<WPC


/&$s?<U'<9G9# Network IDS O"k<WPC/&$s?<U'

<9"*hS$<5MCH^?OH</sjs0&$s?<U'<9G listen

9k3H,G-^9#[9HK#tN$s?<U'<9,"klg"bK?<

P]NFMCHo</&$s?<U'<9KD- 1 D:D"#t3T<N

Network IDS rBT9k3H,G-^9#

-m msgfile eXN"i<H&aC;<8&U!$krXj7^9#GU)kHNaC;<

8&U!$kO ./ids.msg G9# ids.msg U!$kO"H_~_"i<HQ

NPOaC;<8&9Hjs0rs!7^9# Network IDS GO"70KA

c<&Y<9N"i<HQNaC;<8&9Hjs0, ids.rules U!$k

Ks!5l^9," ids.rules U!$krT89k3HOG-^;s#

-o outfile Q1CH&m0&U!$k>rXj7^9#GU)kHGO"Q1CHNm.

s0rT$^;s#e+i nids -f *W7gsrHQ7FQ1CH&m0&

U!$krh}9k3H,G-^9#

-q E_b<IrXj7^9#8`PO (stdout) K"i<HOwil^;s#G

U)kH&b<IGO"8`POK"i<H,u~5l^9#

-y syslog b<IrXj7^9#3Nb<IKhCF"i<HO syslog Kwil

^9#GU)kHGO""i<HO syslog Kwil^;s#Risk Manager N

LoNQ!GO" ids.cfg U!$kKhj""i<Hr syslog Kwkh&

Xj7^9# ids.cfg KXj5l?0nKhj"GU)kHN"/7gsr

Q97^9#"i<Hr syslog KwiJ$h&K9kKO"ids.cfg U!$

krQ99k,W,"j^9#

-r sigfile eXNk<k&U!$k>rXj7^9#GU)kHNk<k&U!$kO"

ids.rules"^?O ids.cfg U!$kGXj5l?U!$kG9#k<k&U

!$kO"DQN70KAc<&Y<9N"i<H&k<krXj7"POa

C;<8NXjbT$^9#

-s char "i<HNU#<kIhZj8zrXj7^9 (c"\n \t \0x0a JI)#G

U)kHNhZj8zO \n G9#

-v value 3s=<kK"i<Hr=(7^9 (>= value)#GU)kHO 0 G"Network

IDS O"i<Hr=(7^9#QKK9-csKs0,TolkMCHo<

/K*1k;s5<Nlg"3NMrb/_j7"cj9/N"i<HNLr

:i93H,G-^9#

-M size $s?<U'<9NGg>wfKCH (MTU) rXj7^9#GU)kHO

1500 MTU G9#

-K Network IDS r kill ^?OG<bs&Wm;9NBTrd_7"*;7^

9#

-P s(?b<IGBTr7^9#GU)kHO"(?b<IGNBTG9#Lo

O Network IDS rlQN^7sGBT7"MCHo</&HiU#C/r(

?b<IG9-cs7^9#^?"Network IDS rB05<P<eGs(?

b<IGBT9k3HbG-^9#3Nlg"Network IDS Om<+k&[

9HVHNQ1CHN_r!:7^9#s(?b<IGBT9k3HKhj"

Network IDS GOm<+k&[9HK++km<I,g}Ko:5l^9#

-S num_packets

BTfNGP$9}Wr=(7^9#GU)kHGO"}WOTol^;s#


-R Network IDS G<bs&Wm;9rFO07^9#Network IDS Wm;9,

G<bsH7FBT5lF$klg" nids -R 3^sIrFYBT9kH

Network IDS G<bs&Wm;9,FO05l" 2 V\N nids 3^sI,*;7^9#

-T GU)kHMGOH</sjs0&b<Ir/)7J$?a"H</sjs0

h}N/)KHQ7^9#Lo"Network IDS O$s?<U'<9,H</

sjs0G"k+I&+r+0*K=L7^9#lgKhCFO"3l,!P

5lJ$lg,"j^9#3NlgO"3N*W7gsrHQ7Fh}r/)

7^9#

-V Network IDS P<8gs*hS|UpsN=(KHQ7^9#

Network IDS ����3<:�

Network IDS O ID VfrHQ7F"i<HrlU*K1L7^9#3liNVfO"

Common Vulnerability Entry (CVE) VfKOP~7F$^;s#3lO"Network IDS OHe

-J0N;-ejF#<dj (=.(i<"PC/&I""^?O9-csKs0) KD$F

bF9H7"G-k@1FQ-N"kAG6br'17h&H9k?aG9# CVE (sHj

<K5NKP~7J$ Network IDS 70KAc<KD$F Network IDS GO"l]<H&

9Hjs0Nh,K CVE 2H ID ,U$F$^9#

=l>lN CVE ID N\YKD$FO"!r2H7F/@5$#

http://csrc.nist.gov/icat/vulnerabilities/CVE_IDnumber.

Network IDS OEgYlYkr0tMH7FXj7^9#<m (0) Oj9/NEgY,c$

3Hr(7"M,}(kKDl"hjEgJu7r=7^9#

Network IDS GO"H_~_"i<HH70KAc<&Y<9N 2 DN+F4j<N!P,

Tol^9#

�%%�*�H_~_"i<HO";C7gs^?OQ1CH&G<?K*1k1cJQ?<sN!Pr5

w9k3HGO!PG-J$u7r7$^9#3liN"i<HGO"WmH3kbN9F<

HUkj_nQr4Y?j"#tN;C7gsK*hS,OrT&,W,"j^9#3liN

F9HO"Q99k3HOG-^;s#

Network IDS O"3liNH_~_"i<HNPO9Hjs0*hSEgYlYkr ids.msg

U!$kKXj7F$^9#

H_~_"i<HNj9HKD$FO"307Z<8NXNetwork IDS H_~_"i<HYr2

H7F/@5$#

��3<:�������*�70KAc<&Y<9N"i<HNlg" Network IDS OjjNWmH3k&lYkK*1

kQ1CH^?O;C7gs&G<?&9Hj<`bNXjQ?<sr!P7^9# Network

IDS O"3li70KAc<NQ?<s""i<HN%hgL"*hSPOaC;<8r

ids.rules U!$kKXj7F$^9#


70KAc<&Y<9N"i<HNj9HKD$FO"309Z<8NX70KAc<&Y<9

N"i<HYr2H7F/@5$#


Tivoli Decision Support

3NOGO"J<N@KD$Fb@7^9#

¶ Tivoli Decision Support for Enterprise Risk Management N5W

¶ $s9H<k*hS=.ps

¶ BTG-kjgNj9H

Tivoli Decision Support for Enterprise Risk Management ���

Risk Manager N Tivoli Decision Support for Enterprise Risk Management 3s]<MsHO"

Tivoli $YsH&3s=<k (TEC) Ksp5l? Risk Manager $YsHKX9kzrps

r8s7Fs!7^9#

Tivoli Decision Support for Enterprise Risk Management rHQ7F"!NvArT&3H,G

-^9#

¶ $YsH&G<?Y<9+iN;-ejF#<&$YsH&G<?N}8N+0=

¶ zr$YsH("9~"T</&\je<`"$YsH&?$W"*hS$YsHN=<

9KX9kAdNsz

¶ #!5N^AA0GNzrpsN=(

Tivoli Decision Support for Enterprise Risk Management O"9YFN"@W?<G!=7^

9#

psO"@0iU^?OF-9H&l]<HrHQ7F=(5l^9#!NcO"Tivoli

Decision Support N@0iUr(7^9#


18. Tivoli Decision Support


Tivoli Decision Support for Enterprise Risk Management KD$FO"LNqAGb@7F$^

9#xQD=JqANU)<^CH*hSLVKD$FO"XTivoli Decision Support for

Enterprise Risk Management qAYr2H7F/@5$#VTivoli Decision Support for

Enterprise Risk Management jj<9&N<HWKO"J<NbF,-\5lF$^9#

¶ Tivoli Decision Support for Enterprise Risk Management N5W

¶ $s9H<kps ($s9H<kWo"$s9H<kjg"*hSF$s9H<kjgJ

I)

¶ TEC G<?Y<9XN"/;9}!d"l]<HN8.}!JIN`njg

¶ HiVk7e<F#s0ps*hSdjNsp}!

¶ T@J=UH&'"c2")B"*hSPh!Nb@

¶ G<?&=<9"Enterprise Risk Management "<+$V&F<Vk"*hS Tivoli

Decision Support =J$s?<U'<9N!=Nb@ (+F4j<"HTC/"*hSS

e<r^`)

Tivoli Decision Support for Enterprise Risk Management ��

Risk Manager CD K^^lkVTivoli Decision Support for Enterprise Risk ManagementWG

O"Tivoli Decision Support for Enterprise Risk Management KD$Fb@7F$^9#

Tivoli Decision Support P<8gs 2.1.1 KX9k04JpsO"!NqAK"j^9#

¶ Tivoli Decision Support Installation Guide"GC32-0438

¶ Tivoli Decision Support Administrator Guide"GC32-0437

¶ Tivoli Decision Support User’s Guide"GC32-0436

^ 25. Tivoli Decision Support @0iUNc


Tivoli Decision Support ������

$s9H<k9k0K"VTivoli Risk Manager jj<9&N<HWr2H7F"=UH&'

"Wo*hS Risk Manager KX9kG7ps (Tivoli Decision Support for Enterprise Risk

Management r^`) r4YF/@5$#

Tivoli Decision Support for Enterprise Risk Management r$s9H<k9kKO"J<Nh&

K7^9#

1. Tivoli Risk Manager CD r CD-ROM Ii$VK^~7^9#

2. Tivoli Decision Support $s9H<k&QC1<8r^`G#l/Hj<KQ97^9#

cd x:\tds_guide

x: O4HQN CD-ROM Ii$VG9#

3. Windows InstallShield Wm0i`r/09kKO"!NH*j~O7^9#

setup

4. InstallShield Wm0i`NX(K>CF"$s9H<kr0;7^9#

Tivoli Decision Support for Enterprise Risk Management ���

!N}!KX9k=.jgKD$FO"VTivoli Decision Support for Enterprise Risk

ManagementWr2H7F/@5$#

¶ *<Ws&G<?Y<9&3M/F#SF#< (ODBC) G<?&=<9\3N;CH"C

W"*hS ODBC Ii$P<&$s9H<kN!:

¶ TEC $YsH&G<?Y<9K*1k"<+$V&F<Vk"Se<"*hSHj,<N

n.#\7/O"XRISK Manager TEC G<?Y<9K*1k"<+$V&F<Vk"S

e<"*hSHj,<Nn.Yr2H7F/@5$#

¶ &Q=<9&U!$k&Q9N=.

¶ Enterprise Risk Management ,$IN$s9H<k*hS$s]<H

¶ G<?&=<9NdjvF*hS!:

¶ TEC ?9/rHQ7?$YsH&"<+$VN918e<k#?9/KD$FO"109Z

<8NX$YsHr"<+$V9k?aN TEC ?9/Yr2H7F/@5$#

RISK Manager TEC �����������7�;���;��-#���������

"<+$V&F<Vk"Se<"*hSHj,<rn.9k0K"G<?Y<9,}C9kG

<?&\je<`KP7=,J5$:G"k3HrN'7^9#=NeG"!N SQL Wm7

<8c<rT$" Oracle"DB2"*hS Sybase G<?Y<9QN"<+$V&F<Vk"S

e<"*hSHj,<rn.7^9#

1. SQL Wm7<8c<&U!$kr+U1^9#3liNU!$kO"

TDS_Share¥Util¥Tivoli Decision Support for Enterprise Risk Management (TDS_Share

O"Tivoli G#l/Hj<I}Wm0i`GjA5l?&QG<?&U!$k&Q9r=

9) K"j^9#^?"3liNU!$kO"Risk Manager Unix 5<P<&79F`N


$BINDIR/RISKMGR/corr/sql G#l/Hj<"^?O Risk Manager Windows 5<P<&

79F`N %BINDIR%¥RISKMGR¥corr¥sql G#l/Hj<Kb"j^9#

2. TEC G<?Y<9,"k79F`eG"SQL Wm7<8c<&U!$krBT7^9#

m: ,WK~8F"Wm7<8c<&U!$kr TEC 79F`K3T<7F+iBT7

^9#

3. Oracle Nlg"!Nh&K~O7^9#

sqlplus userid/password@service_name @tds_rm_tec_t_arc.ora.sql
sqlplus userid/password@service_name @tds_rm_tec_v_evt.ora.sql
sqlplus userid/password@service_name @tds_rm_upd_trigger.ora.sql

F`\O"!NH*jG9#

userid G<?Y<9&f<6< ID r=7^9#GU)kHMO tec G9#

password

G<?Y<9Nf<6<&Q9o<Ir=7^9#GU)kHMO tectec G9#

service_name

Oracle /i$"sH=.Wm0i`GjA5l? Oracle G<?Y<9NMCH&

5<S9> (″Net8 Assistant″"″Net8 Configuration Assistant″"^?O ″Net8 Easy

Configuration″)""k$O/i$"sHN

%ORACLE_HOME%¥NETWORK¥ADMIN¥TNSNAMES.ORA U!$kNF`\r1L9k>0r

=7^9#

DB2 Nlg"!Nh&K~O7^9#

db2 connect to tec user userid using password
db2 -t -f tds_rm_tec_t_arc.DB2.sql
db2 -t -f tds_rm_tec_v_evt.DB2.sql
db2 -t -f tds_rm_upd_trigger.DB2.sql

F`\O"!NH*jG9#

userid G<?Y<9&f<6< ID r=7^9# UNIX NlgNGU)kHMO"

db2inst1 G9# Windows NT NGU)kHMO" db2admin G9#

password

G<?Y<9Nf<6<&Q9o<Ir=7^9#

Sybase Nlg"!Nh&K~O7^9#

isql -Uuserid -Ppassword -Dtec -Sserver -c/ -i tds_rm_t_arc.syb.sql
isql -Uuserid -Ppassword -Dtec -Sserver -c/ -i tds_rm_v_evt.syb.sql
isql -Uuserid -Ppassword -Dtec -Sserver -c/ -i tds_rm_upd_trigger.syb.sql

F`\O"!NH*jG9#

userid G<?Y<9&f<6< ID r=7^9#GU)kHMO tec G9#

password

G<?Y<9Nf<6<&Q9o<Ir=7^9#GU)kHMO tectec G9#

server DSEDIT /i$"sH=.Wm0i`GjA5l? Sybase G<?Y<9N5<P

<>"^?O/i$"sHN Sybase $s?<U'<9&U!$k

%SYBASE%¥INI¥SQL.INI NF`\r1L9k>0r=7^9#


m: G<?Y<9>"f<6< ID"*hSQ9o<IO"WiCHU)<`*hSD-K

G-NbNG9#\YKD$FO"79F`&"I_K9Hl<?<K*d$go;

/@5$#

Tivoli Decision Support for Enterprise Risk Management ������

J<N}!KD$FO"Decision Support for Enterprise Risk Management NqAr2H7F/

@5$#

¶ Enterprise Risk Management ,$INHQ

¶ l]<HN8.

¶ l]<H8.N918e<k

¶ HiVk7e<F#s0

¶ (i<h}


Risk Manager �$+&�0

3NU?GO"Risk Manager G=(5lkaC;<8rj9H7^9#aC;<8KO"

HRMAAnnnnS H$&A0NVf,U1ilF$^9#

HRM Risk Manager NaC;<8G"k3Hr(7^9#

AA aC;<8r/T7? Risk Manager N3s]<MsHr(7^9#

CI Cisco Secure IDS

NI Network Intrusion Detection System (Network IDS)

nnnn CjNaC;<8Vfr(7^9#

S EgYlYkr(7^9#

Vf,U1ilF$J$aC;<8O"=lr/T7?3s]<MsH4HK"kU!YCH

gKBYF$^9#

Risk Manager ���$+&�0

Vf,U1ilF$J$J<N Risk Manager jXaC;<8,=(5lklg,"j^9#

=.U!$k riskmgr_hosts.pro Nh}fK(i<#

EgY: MINOR

b@:¶ rm_ErrFile = ’riskmgr_hosts.pro’

¶ rm_ErrLine = ’unknown’

¶ rm_ErrMethod = set_host()

riskmgr_hosts.pro U!$kbN set_host Rt,5zG9#

79F`NhV: [9H&U!/HO Risk Manager NjXh}KOH_~^l^;s#

f<6<NhV: riskmgr_hosts.pro U!$kbN:v9F<HasHr$57F/@5$#!K"

rmcorr.cfg -reconfig 3^sIrBT7F"=N$5r^aF$YsH&5<P<rFO07F/@5

$#

=.U!$k riskmgr_host.pro Nh}fK(i<#

EgY: MINOR

b@:¶ rm_ErrFile = ’riskmgr_hosts.pro’

¶ rm_ErrLine = ’unknown’


A. Risk Manager �$+&�0


¶ rm_ErrMethod = set_trusted_host( )

riskmgr_host.pro U!$kbN set_trusted_host Rt,5zG9#

79F`NhV: U!/HO Risk Manager NjXh}KOH_~^l^;s#

f<6<NhV: riskmgr_host.pro U!$kbN:v9F<HasHr$57F/@5$#!K"

rmcorr.cfg -reconfig 3^sIrBT7F"=N$5r^aF$YsH&5<P<rFO07F/@5

$#

=.U!$k riskmgr_host.pro Nh}fK(i<#

EgY: MINOR

b@:¶ rm_ErrFile = ’riskmgr_hosts.pro’

¶ rm_ErrLine = ’unknown’

¶ rm_ErrMethod = set_sensor( )

riskmgr_host.pro U!$kbN set_sensor Rt,5zG9#

79F`NhV: U!/HO Risk Manager NjXh}KOH_~^l^;s#

f<6<NhV: riskmgr_host.pro U!$kbN:v9F<HasHr$57F/@5$#!K"

rmcorr.cfg -reconfig 3^sIrBT7F"=N$5r^aF$YsH&5<P<rFO07F/@5

$#

=.U!$k riskmgr_host.pro Nh}fK(i<#

EgY: MINOR

b@:¶ rm_ErrFile = ’riskmgr_hosts.pro’

¶ rm_ErrLine = ’unknown’

¶ rm_ErrMethod = downgrade_sensor_creation( )

riskmgr_host.pro U!$kbN set_downgrade_sensor_creation Rt,5zG9#

79F`NhV: U!/HO Risk Manager NjXh}KOH_~^l^;s#

f<6<NhV: riskmgr_host.pro U!$kbN:v9F<HasHr$57F/@5$#!K"

rmcorr.cfg -reconfig 3^sIrBT7F"=N$5r^aF$YsH&5<P<rFO07F/@5

$#

=.U!$k riskmgr_host.pro Nh}fK(i<#

EgY: MINOR

b@:¶ rm_ErrFile = ’riskmgr_hosts.pro’

¶ rm_ErrLine = ’unknown’

¶ rm_ErrMethod = ignore_sensor_creation( )

riskmgr_host.pro U!$kbN set_ignore_sensor_creation Rt,5zG9#

79F`NhV: U!/HO Risk Manager NjXh}KOH_~^l^;s#


f<6<NhV: riskmgr_host.pro U!$kbN:v9F<HasHr$57F/@5$#!K"

rmcorr.cfg -reconfig 3^sIrBT7F"=N$5r^aF$YsH&5<P<rFO07F/@5

$#

=.U!$k riskmgr_parameters.pro Nh}fK(i<#

EgY: MINOR

b@:¶ rm_ErrFile = ’riskmgr_hosts.pro’

¶ rm_ErrLine = ’unknown’

¶ rm_ErrMethod = set_forward_tec( )

riskmgr_parameters.pro U!$kbN set_forward_tec Rt,5zG9#

79F`NhV: U!/HO Risk Manager NjXh}KOH_~^l^;s#

f<6<NhV: riskmgr_parameters.pro U!$kbN:v9F<HasHr$57F/@5$#!

K"rmcorr.cfg -reconfig 3^sIrBT7F"=N$5r^aF$YsH&5<P<rFO07F/

@5$#

=.U!$k riskmgr_thresholds.pro Nh}fK(i<#

EgY: MINOR

b@:¶ rm_ErrFile = ’riskmgr_thresholds.pro’

¶ rm_ErrLine = ’unknown’

¶ rm_ErrMethod = set_threshold( )

riskmgr_thresholds.pro U!$kbN set_threshold Rt,5zG9#

79F`NhV: U!/H_jO Risk Manager NjXh}KOH_~^l^;s#Risk Manager jX

O"%^7/J$FAru1klg,"j^9#

f<6<NhV: riskmgr_thresholds.pro U!$kbN:v9F<HasHr$57F/@5$#!

K"rmcorr.cfg -reconfig 3^sIrBT7F"=N$5r^aF$YsH&5<P<rFO07F/

@5$#

=.U!$k riskmgr_parameters.pro Nh}fK(i<#

EgY: MINOR

b@:¶ rm_ErrFile = ’riskmgr_parameters.pro’

¶ rm_ErrLine = ’unknown’

¶ rm_ErrMethod = set_timestamp_jitter( )

riskmgr_parameters.pro U!$kbN set_timestamp_jitter Rt,5zG9#

79F`NhV: U!/HO Risk Manager NjXh}KOH_~^l^;s#GU)kH,HQ5l

^9#

f<6<NhV: riskmgr_parameters.pro U!$kbN:v9F<HasHr$57F/@5$#!

K"rmcorr.cfg -reconfig 3^sIrBT7F"=N$5r^aF$YsH&5<P<rFO07F/

@5$#


=.U!$k riskmgr_parameters.pro Nh}fK(i<#

EgY: MINOR

b@:¶ rm_ErrFile = ’riskmgr_parameters.pro’

¶ rm_ErrLine = ’unknown’

¶ rm_ErrMethod = set_situation_expiration( )

riskmgr_parameters.pro U!$kbN set_situation_expiration Rt,5zG9#

79F`NhV: U!/HO Risk Manager NjXh}KOH_~^l^;s#

f<6<NhV: riskmgr_parameters.pro U!$kbN:v9F<HasHr$57F/@5$#!

K"rmcorr.cfg -reconfig 3^sIrBT7F"=N$5r^aF$YsH&5<P<rFO07F/

@5$#

=.U!$k riskmgr_parameters.pro Nh}fK(i<#

EgY: MINOR

b@:¶ rm_ErrFile = ’riskmgr_parameters.pro’

¶ rm_ErrLine = ’unknown’

¶ rm_ErrMethod = set_situation_cleanup_interval( )

riskmgr_parameters.pro U!$kbN set_situation_cleanup_interval Rt,5zG9#

79F`NhV: U!/HO Risk Manager NjXh}KOH_~^l^;s#

f<6<NhV: riskmgr_parameters.pro U!$kbN:v9F<HasHr$57F/@5$#!

K"rmcorr.cfg -reconfig 3^sIrBT7F"=N$5r^aF$YsH&5<P<rFO07F/

@5$#

=.U!$k riskmgr_parameters.pro Nh}fK(i<#

EgY: MINOR

b@:¶ rm_ErrFile = ’riskmgr_parameters.pro’

¶ rm_ErrLine = ’unknown’

¶ rm_ErrMethod = set_interface_refresh( )

riskmgr_parameters.pro U!$kbN set_interface_refresh Rt,5zG9#

79F`NhV: U!/HO Risk Manager NjXh}KOH_~^l^;s#

f<6<NhV: riskmgr_parameters.pro U!$kbN:v9F<HasHr$57F/@5$#!

K"rmcorr.cfg -reconfig 3^sIrBT7F"=N$5r^aF$YsH&5<P<rFO07F/

@5$#


=.U!$k riskmgr_parameters.pro Nh}fK(i<#

EgY: MINOR

b@:¶ rm_ErrFile = ’riskmgr_parameters.pro’

¶ rm_ErrLine = ’unknown’

¶ rm_ErrMethod = set_forward_interval( )

riskmgr_parameters.pro U!$kbN set_forward_interval Rt,5zG9#

79F`NhV: U!/HO Risk Manager NjXh}KOH_~^l^;s#

f<6<NhV: riskmgr_parameters.pro U!$kbN:v9F<HasHr$57F/@5$#!

K"rmcorr.cfg -reconfig 3^sIrBT7F"=N$5r^aF$YsH&5<P<rFO07F/

@5$#

=.U!$k riskmgr_parameters.pro Nh}fK(i<#

EgY: MINOR

b@:¶ rm_ErrFile = ’riskmgr_parameters.pro’

¶ rm_ErrLine = ’unknown’

¶ rm_ErrMethod = set_decay_value( )

riskmgr_parameters.pro U!$kbN set_decay_value Rt,5zG9#

79F`NhV: U!/HO Risk Manager NjXh}KOH_~^l^;s#

f<6<NhV: riskmgr_parameters.pro U!$kbN:v9F<HasHr$57F/@5$#!

K"rmcorr.cfg -reconfig 3^sIrBT7F"=N$5r^aF$YsH&5<P<rFO07F/

@5$#

=.U!$k riskmgr_parameters.pro Nh}fK(i<#

EgY: MINOR

b@:¶ rm_ErrFile = ’riskmgr_parameters.pro’

¶ rm_ErrLine = ’unknown’

¶ rm_ErrMethod = set_ratio_down( )

riskmgr_parameters.pro U!$kbN set_ratio_down Rt,5zG9#

79F`NhV: U!/HO Risk Manager NjXh}KOH_~^l^;s#

f<6<NhV: riskmgr_parameters.pro U!$kbN:v9F<HasHr$57F/@5$#!

K"rmcorr.cfg -reconfig 3^sIrBT7F"=N$5r^aF$YsH&5<P<rFO07F/

@5$#


=.U!$k riskmgr_parameters.pro Nh}fK(i<#

EgY: MINOR

b@:¶ rm_ErrFile = ’riskmgr_parameters.pro’

¶ rm_ErrLine = ’unknown’

¶ rm_ErrMethod = set_ratio_up( )

riskmgr_parameters.pro U!$kbN set_ratio_up Rt,5zG9#

79F`NhV: U!/HO Risk Manager NjXh}KOH_~^l^;s#

f<6<NhV: riskmgr_parameters.pro U!$kbN:v9F<HasHr$57F/@5$#!

K"rmcorr.cfg -reconfig 3^sIrBT7F"=N$5r^aF$YsH&5<P<rFO07F/

@5$#

=.U!$k riskmgr_parameters.pro Nh}fK(i<#

EgY: MINOR

b@:¶ rm_ErrFile = ’riskmgr_parameters.pro’

¶ rm_ErrLine = ’unknown’

¶ rm_ErrMethod = set_storm_events( )

riskmgr_parameters.pro U!$kbN set_storm_events Rt,5zG9#

79F`NhV: U!/HO Risk Manager NjXh}KOH_~^l^;s#

f<6<NhV: riskmgr_parameters.pro U!$kbN:v9F<HasHr$57F/@5$#!

K"rmcorr.cfg -reconfig 3^sIrBT7F"=N$5r^aF$YsH&5<P<rFO07F/

@5$#

=.U!$k riskmgr_parameters.pro Nh}fK(i<#

EgY: MINOR

b@:¶ rm_ErrFile = ’riskmgr_parameters.pro’

¶ rm_ErrLine = ’unknown’

¶ rm_ErrMethod = set_linked_events( )

riskmgr_parameters.pro U!$kbN set_linked_events Rt,5zG9#

79F`NhV: U!/HO Risk Manager NjXh}KOH_~^l^;s#

f<6<NhV: riskmgr_parameters.pro U!$kbN:v9F<HasHr$57F/@5$#!

K"rmcorr.cfg -reconfig 3^sIrBT7F"=N$5r^aF$YsH&5<P<rFO07F/

@5$#


=.U!$k riskmgr_parameters.pro Nh}fK(i<#

EgY: MINOR

b@:¶ rm_ErrFile = ’riskmgr_parameters.pro’

¶ rm_ErrLine = ’unknown’

¶ rm_ErrMethod = set_duplicate_events( )

riskmgr_parameters.pro U!$kbN set_duplicate_events Rt,5zG9#

79F`NhV: U!/HO Risk Manager NjXh}KOH_~^l^;s#

f<6<NhV: riskmgr_parameters.pro U!$kbN:v9F<HasHr$57F/@5$#!

K"rmcorr.cfg -reconfig 3^sIrBT7F"=N$5r^aF$YsH&5<P<rFO07F/

@5$#

=.U!$k riskmgr_parameters.pro Nh}fK(i<#

EgY: MINOR

b@:¶ rm_ErrFile = ’riskmgr_parameters.pro’

¶ rm_ErrLine = ’unknown’

¶ rm_ErrMethod = set_duplicate_events( )

riskmgr_parameters.pro U!$kbN set_duplicate_events Rt,5zG9#

79F`NhV: U!/HO Risk Manager NjXh}KOH_~^l^;s#

f<6<NhV: riskmgr_parameters.pro U!$kbN:v9F<HasHr$57F/@5$#!

K"rmcorr.cfg -reconfig 3^sIrBT7F"=N$5r^aF$YsH&5<P<rFO07F/

@5$#

=.U!$k riskmgr_categories.pro Nh}fK(i<#

EgY: MINOR

b@:¶ rm_ErrFile = ’riskmgr_categories.pro’

¶ rm_ErrLine = ’unknown’

¶ rm_ErrMethod = set_category_name( )

=.U!$kbN set_category_name Rt,5zG9#

79F`NhV: U!/HO Risk Manager NjXh}KOH_~^l^;s#

f<6<NhV: =.U!$kbN:v9F<HasHr$57F/@5$#!K"rmcorr.cfg-reconfig 3^sIrBT7F"=N$5r^aF$YsH&5<P<rFO07F/@5$#


=.U!$k riskmgr_categories.pro Nh}fK(i<#

EgY: MINOR

b@:¶ rm_ErrFile = ’riskmgr_categories.pro’

¶ rm_ErrLine = ’unknown’

¶ rm_ErrMethod = category_assign( )

=.U!$kbN category_assign Rt,5zG9#

79F`NhV: U!/HO Risk Manager NjXh}KOH_~^l^;s#

f<6<NhV: =.U!$kbN:v9F<HasHr$57F/@5$#!K"rmcorr.cfg-reconfig 3^sIrBT7F"=N$5r^aF$YsH&5<P<rFO07F/@5$#

=.U!$k riskmgr_categories.pro Nh}fK(i<#

EgY: MINOR

b@:¶ rm_ErrFile = ’riskmgr_categories.pro’

¶ rm_ErrLine = ’unknown’

¶ rm_ErrMethod = category_assign_super( )

=.U!$kbN category_assign_super Rt,5zG9#

79F`NhV: U!/HO Risk Manager NjXh}KOH_~^l^;s#

f<6<NhV: =.U!$kbN:v9F<HasHr$57F/@5$#!K"rmcorr.cfg-reconfig 3^sIrBT7F"=N$5r^aF$YsH&5<P<rFO07F/@5$#

=.U!$k riskmgr_categories.pro Nh}fK(i<#

EgY: MINOR

b@:¶ rm_ErrFile = ’riskmgr_categories.pro’

¶ rm_ErrLine = ’unknown’

¶ rm_ErrMethod = attribute_map ( )

=.U!$kbN attribute_map Rt,5zG9#

79F`NhV: U!/HO Risk Manager NjXh}KOH_~^l^;s#

f<6<NhV: =.U!$kbN:v9F<HasHr$57F/@5$#!K"rmcorr.cfg-reconfig 3^sIrBT7F"=N$5r^aF$YsH&5<P<rFO07F/@5$#

Prolog U!$k,m<I5l^;sG7?#*.wic U!$k,8_7F$k+N'7F/@5$#

EgY: FATAL

b@:¶ rm_ErrFile = ’boot.rls’

¶ rm_ErrLine = nnnn

¶ rm_ErrMethod = Rule start_RM_boot

Risk Manager k<k,5oKm<I5l^;sG7?#

79F`NhV: Risk Manager jX,:T7^7?#


User response: Verify that the Risk Manager server is installed correctly.

An unexpected fallback to date_reception occurred for the timestamp of class class_name.

Severity: FATAL

Explanation:
rm_ErrFile = ’normalization.rls’
rm_ErrMethod = Rule process_timestamp
Timestamp: value
TimestampFmt value
hostname = Sensor type type
hostname = Sensor token: host_token
IPaddr: ipaddr

The event from the sensor identified by the hostname attribute sent an invalid timestamp.

System action: The current time is assigned to the event for Risk Manager correlation.

User response: Check the adapter.

The sensor information for class class_name is invalid.

Severity: FATAL

Explanation:
rm_ErrFile = ’normalization.rls’
rm_ErrMethod = Rule process_sensor_info
hostname = Sensor type type
hostname = Sensor token: host_token
IPaddr: ipaddr

An event occurred on a sensor that Risk Manager correlation cannot process.

System action: This error message is generated. The event is not incorporated into correlation processing.

User response: Check the adapter.

The class categories of the event of class class_name could not be processed.

Severity: FATAL

Explanation:
rm_ErrFile = ’normalization.rls’
rm_ErrMethod = Rule process_class_categories
hostname = Sensor type type
hostname = Sensor token: host_token
IPaddr: ipaddr

The received event cannot be processed as part of Risk Manager correlation.

System action: This error message is generated. The event that caused it is not incorporated into correlation processing.

User response: Check the Risk Manager configuration files.


Error while processing RM_SensorEvent of class class_name.

Severity: FATAL

Explanation:
rm_ErrFile = ’normalization.rls’
rm_ErrMethod = Rule process__ids_srcdst
hostname = Sensor type type
hostname = Sensor token: host_token
IPaddr: ipaddr

The received event does not contain enough information to be incorporated into Risk Manager correlation.

System action: This error message is generated. The event that caused it is not incorporated into correlation processing.

User response: Check the Risk Manager configuration files.

Error while processing a raw event of class class_name.

Severity: FATAL

Explanation:
rm_ErrFile = ’sensorevent.rls’
rm_ErrMethod = Rule process__raw_events
hostname = Sensor type type
hostname = Sensor token: host_token

The event could not be processed as part of Risk Manager correlation.

System action: The event that caused it is not incorporated into correlation processing.

User response: Follow your local procedures for obtaining support.

Error while processing an external event. Sensor type: host_name IPaddr.

Severity: FATAL

Explanation:
rm_ErrFile = ’sensorevent.rls’
rm_ErrMethod = Rule process_external_situation
hostname = Sensor type type
hostname = Sensor token: host_token

An external event that occurred on another TEC or Risk Manager server could not be processed successfully.

System action: The external information is not incorporated into the correlation of the TEC or Risk Manager server.

User response: Follow your local procedures for obtaining support.


Network Intrusion Detection System messages

The following messages may occur during Network IDS operation.

HRMNI10002E Could not create a socket to the host: hostname.

Explanation: An error occurred while attempting to establish a socket to the remote host for alert logging.

User response: Ping the target host.

HRMNI10003E Could not connect to the remote host. Error code: error number.

Explanation: An error occurred while attempting to connect to the remote host in order to record alert processing.

User response: Check the route to the host. For details of the connection error code, refer to the documentation for the operating system you are using. Ping the target host.

HRMNI10004E Error while sending data to the host: hostname.

Explanation: An error occurred while attempting to send data to the remote host for alert logging.

User response: Check the route to the host. Ping the target host.

HRMNI10006E File - file name: line - line number: signature - signature text Start time is missing.

Explanation: The start time definition is missing from the NIDS startup configuration file ids.cfg.

User response: Reinstall the NIDS product to correct the problem.

System action: NIDS could not be initialized. The program stopped.

HRMNI10007E File - file name: line - line number: signature - signature text End time is missing.

User response: Reinstall the NIDS product to correct the problem.

System action: NIDS could not be initialized. The program stopped.

HRMNI10009E The separator is not specified.

Explanation: The system separator was not set or was not detected.

User response: Set the system default separator on the command line or in the NIDS startup configuration file ids.cfg.

System action: NIDS could not be initialized. The program stopped.


HRMNI10011E The error file is not specified.

Explanation: No file was specified as the default log file for NIDS alerts.

User response: Set the system default log file on the command line or in the NIDS startup configuration file ids.cfg.

System action: NIDS could not be initialized. The program stopped.

HRMNI10012E address is not a valid host address.

Explanation: An incorrect host address setting was detected.

User response: Check the host address setting in the NIDS startup configuration file ids.cfg.

System action: NIDS could not be initialized. The program stopped.

HRMNI10013E The address is not specified.

Explanation: No host address specification was detected.

User response: Check the host address setting in the NIDS startup configuration file ids.cfg.

System action: NIDS could not be initialized. The program stopped.

HRMNI10014E address is not a valid network address.

Explanation: No network address specification was detected.

User response: Check the network address setting in the NIDS startup configuration file ids.cfg.

System action: NIDS could not be initialized. The program stopped.

HRMNI10016E address mask is not a valid mask.

Explanation: An incorrect network mask setting was detected.

User response: Check the network mask setting in the NIDS startup configuration file ids.cfg.

System action: NIDS could not be initialized. The program stopped.

HRMNI10017E The mask is not specified.

Explanation: No network mask specification was detected.

User response: Check the network mask setting in the NIDS startup configuration file ids.cfg.

System action: NIDS could not be initialized. The program stopped.


HRMNI10018E The maxbyte_entropy value is not specified.

Explanation: No maxbyte_entropy value was detected for the NOCRYPT signature directive.

User response: Check the MAXBYTE_ENTROPY setting in the NIDS startup configuration file ids.cfg.

System action: NIDS could not be initialized. The program stopped.

HRMNI10019E The minbyte_entropy value is not specified.

Explanation: No minbyte_entropy value was detected for the CRYPT signature directive.

User response: Check the MINBYTE_ENTROPY setting in the NIDS startup configuration file ids.cfg.

System action: NIDS could not be initialized. The program stopped.

HRMNI10020E The maxbit_entropy value is not specified.

Explanation: No maxbit_entropy value was detected for the NOCRYPT signature directive.

User response: Check the MAXBIT_ENTROPY setting in the NIDS startup configuration file ids.cfg.

System action: NIDS could not be initialized. The program stopped.

HRMNI10021E The minbit_entropy value is not specified.

Explanation: No minbit_entropy value was detected for the CRYPT signature directive.

User response: Check the MINBIT_ENTROPY setting in the NIDS startup configuration file ids.cfg.

System action: NIDS could not be initialized. The program stopped.

HRMNI10023E A memory allocation error occurred.

Explanation: A memory allocation error occurred while loading the configuration.

System action: NIDS could not be initialized. The program stopped.

HRMNI10024E File - file name: line - line number: signature - signature text Value field is required.

Explanation: A parsing error occurred while loading the ids.msg file.

User response: Reinstall the NIDS product to correct the problem.

System action: NIDS could not be initialized. The program stopped.


HRMNI10025E File - file name: line - line number: signature - signature text MSG field is required.

Explanation: A parsing error occurred while initializing the configuration file.

User response: Reinstall the NIDS product to correct the problem.

System action: NIDS could not be initialized. The program stopped.

HRMNI10026E File - file name: line - line number: signature - signature text MSG is required.

Explanation: A parsing error occurred while initializing the configuration file.

User response: Reinstall the NIDS product to correct the problem.

System action: NIDS could not be initialized. The program stopped.

HRMNI10030E File - file name: line - line number: signature - signature text MAXPACKET value is required.

Explanation: An error occurred while loading the session signatures.

User response: Check the syntax of the session signatures in ids.rules.

System action: NIDS could not be initialized. The program stopped.

HRMNI10031E File - file name: line - line number: signature - signature text RPC service is required.

Explanation: An error occurred while loading the RPC signatures.

User response: Check the syntax of the RPC signatures in ids.rules.

System action: NIDS could not be initialized. The program stopped.

HRMNI10032E File - file name: line - line number: signature - signature text Unknown RPC service: service ID.

Explanation: An error occurred while loading the RPC signatures.

User response: Check the syntax of the RPC signatures in ids.rules.

System action: NIDS could not be initialized. The program stopped.

HRMNI10034E File - file name: line - line number: signature - signature text SECURITY value is required.

Explanation: An error occurred while loading the IP signatures.

User response: Check the syntax of the IP signatures in ids.rules.

System action: NIDS could not be initialized. The program stopped.

HRMNI10035E File - file name: line - line number: signature - signature text Unknown IP option: IP option.

Explanation: An error occurred while loading the IP signatures.

User response: Check the syntax of the IP signatures in ids.rules.

System action: NIDS could not be initialized. The program stopped.


HRMNI10037E File - file name: line - line number: signature - signature text MIN/MAX value is required.

Explanation: An error occurred while loading the IP signatures.

User response: Check the syntax of the IP signatures in ids.rules.

System action: NIDS could not be initialized. The program stopped.

HRMNI10039E File - file name: line - line number: signature - signature text Unknown FRAG option: fragmentation option.

Explanation: An error occurred while loading the IP signatures.

User response: Check the syntax of the IP signatures in ids.rules.

System action: NIDS could not be initialized. The program stopped.

HRMNI10042E File - file name: line - line number: signature - signature text FAIL value is required.

Explanation: An error occurred while loading the IP signatures.

User response: Check the syntax of the IP signatures in ids.rules.

System action: NIDS could not be initialized. The program stopped.

HRMNI10044E File - file name: line - line number: signature - signature text Unknown TCP option: TCP option.

Explanation: An error occurred while loading the TCP signatures.

User response: Check the syntax of the TCP signatures in ids.rules.

System action: NIDS could not be initialized. The program stopped.

HRMNI10046E File - file name: line - line number: signature - signature text Token is required.

Explanation: An error occurred while loading the ICMP signatures.

User response: Check the syntax of the ICMP signatures in ids.rules.

System action: NIDS could not be initialized. The program stopped.

HRMNI10047E File - file name: line - line number: signature - signature text Bad token: the token must be greater than number: actual: number.

Explanation: No valid token was detected while parsing the signature.

User response: Check the syntax of the ICMP signatures in ids.rules.

System action: NIDS could not be initialized. The program stopped.


HRMNI10050E File - file name: line - line number: signature - signature text Bad AUTH record.

Explanation: An error occurred while processing the authentication-related access control list (ACL).

User response: Check the syntax of the authentication-related ACLs in ids.rules.

System action: NIDS could not be initialized. The program stopped.

HRMNI10052E File - file name: line - line number: signature - signature text SRCDST field is required.

Explanation: An error occurred while processing the session signatures.

User response: Check the syntax of the session signatures in ids.rules.

System action: NIDS could not be initialized. The program stopped.

HRMNI10053E File - file name: line - line number: signature - signature text USER/PASSWD/AUTHFAIL token is required.

Explanation: An error occurred while processing the session signatures.

User response: Check the syntax of the session signatures in ids.rules.

System action: NIDS could not be initialized. The program stopped.

HRMNI10055E File - file name: line - line number: signature - signature text Token is required.

Explanation: A general error occurred while processing the signatures.

User response: Check the syntax of the signatures in ids.rules.

System action: NIDS could not be initialized. The program stopped.

HRMNI10056E File - file name: line - line number: signature - signature text Insufficient memory.

Explanation: An error occurred while processing the RPC service signatures.

User response: Check the usage of the RPC service signatures in ids.rules.

System action: NIDS could not be initialized. The program stopped.

HRMNI10059E File - file name: line - line number: signature - signature text PROC number is required.

Explanation: An error occurred while processing the RPC service signatures.

User response: Check the usage of the RPC service signatures in ids.rules.

System action: NIDS could not be initialized. The program stopped.


HRMNI10061E File - file name: line - line number: signature - signature text Error while allocating memory for the token.

Explanation: An error occurred while processing the RPC service signatures.

User response: Check the usage of the RPC service signatures in ids.rules.

System action: NIDS could not be initialized. The program stopped.

HRMNI10062E File - file name: line - line number: signature - signature text Mount signature is required.

Explanation: An error occurred while processing the RPC service signatures.

User response: Check the usage of the RPC service signatures in ids.rules.

System action: NIDS could not be initialized. The program stopped.

HRMNI10065E File - file name: line - line number: signature - signature text HOST or DIR token is required.

Explanation: An error occurred while processing the RPC service signatures.

User response: Check the usage of the RPC service signatures in ids.rules.

System action: NIDS could not be initialized. The program stopped.

HRMNI10066E File - file name: line - line number: signature - signature text FILE token is required.

Explanation: An error occurred while processing the RPC service signatures.

User response: Check the usage of the RPC service signatures in ids.rules.

System action: NIDS could not be initialized. The program stopped.

HRMNI10067E File - file name: line - line number: signature - signature text FILE is required.

Explanation: An error occurred while processing the RPC service signatures.

User response: Check the usage of the RPC service signatures in ids.rules.

System action: NIDS could not be initialized. The program stopped.

HRMNI10068E File - file name: line - line number: signature - signature text UID value is required.

Explanation: An error occurred while processing the RPC service signatures.

User response: Check the usage of the RPC service signatures in ids.rules.

System action: NIDS could not be initialized. The program stopped.


HRMNI10069E File - file name: line - line number: signature - signature text GID value is required.

Explanation: An error occurred while processing the RPC service signatures.

User response: Check the usage of the RPC service signatures in ids.rules.

System action: NIDS could not be initialized. The program stopped.

HRMNI10070E File - file name: line - line number: signature - signature text MODE value is required.

Explanation: An error occurred while processing the RPC service signatures.

User response: Check the usage of the RPC service signatures in ids.rules.

System action: NIDS could not be initialized. The program stopped.

HRMNI10071E File - file name: line - line number: signature - signature text sigfname is required.

Explanation: An error occurred while processing the RPC service signatures.

User response: Check the usage of the RPC service signatures in ids.rules.

System action: NIDS could not be initialized. The program stopped.

HRMNI10075E File - file name: line - line number: signature - signature text Value token is required.

Explanation: An error occurred while processing the RPC service signatures.

User response: Check the usage of the RPC service signatures in ids.rules.

System action: NIDS could not be initialized. The program stopped.

HRMNI10076E File - file name: line - line number: signature - signature text NFS name is required.

Explanation: An error occurred while processing the RPC service signatures.

User response: Check the usage of the RPC service signatures in ids.rules.

System action: NIDS could not be initialized. The program stopped.

HRMNI10077E File - file name: line - line number: signature - signature text NFS field is required.

Explanation: An error occurred while processing the RPC service signatures.

User response: Check the usage of the RPC service signatures in ids.rules.

System action: NIDS could not be initialized. The program stopped.

HRMNI10079E File - file name: line - line number: signature - signature text ALLOW/NOTIFY token is required.

Explanation: An error occurred while processing the supported signature ACLs.

User response: Check the usage of the supported ACLs.

System action: NIDS could not be initialized. The program stopped.


HRMNI10080E File - file name: line - line number: signature - signature text SRC/SRCDST token is required.

Explanation: An error occurred while processing the supported signature ACLs.

User response: Check the usage of the supported ACLs.

System action: NIDS could not be initialized. The program stopped.

HRMNI10081E File - file name: line - line number: signature - signature text TIME or HOST/NET field is required.

Explanation: An error occurred while processing the supported signature ACLs.

User response: Check the usage of the supported ACLs.

System action: NIDS could not be initialized. The program stopped.

HRMNI10082E File - file name: line - line number: signature - signature text TIME or HOST field is required.

Explanation: An error occurred while processing the supported signature ACLs.

User response: Check the usage of the supported ACLs.

System action: NIDS could not be initialized. The program stopped.

HRMNI10083E File - file name: line - line number: signature - signature text Address is required.

Explanation: An error occurred while processing the supported signature ACLs.

User response: Check the usage of the supported ACLs.

System action: NIDS could not be initialized. The program stopped.

HRMNI10084E IP address is undefined - check ids.cfg.

Explanation: An error occurred while processing the supported signature ACLs.

User response: Check the usage of the supported ACLs.

System action: NIDS could not be initialized. The program stopped.

HRMNI10085E File - file name: line - line number: signature - signature text Invalid host address IP address.

Explanation: An error occurred while processing the supported signature ACLs.

User response: Check the usage of the supported ACLs.

System action: NIDS could not be initialized. The program stopped.


HRMNI10086E File - file name: line - line number: signature - signature text Network address is required.

Explanation: An error occurred while processing the supported signature ACLs.

User response: Check the usage of the supported ACLs.

System action: NIDS could not be initialized. The program stopped.

HRMNI10087E IP address is not defined - check ids.cfg.

Explanation: An error occurred while processing the supported signature ACLs.

User response: Check the usage of the supported ACLs.

System action: NIDS could not be initialized. The program stopped.

HRMNI10088E File - file name: line - line number: signature - signature text Invalid network address Network address.

Explanation: An error occurred while processing the supported signature ACLs.

User response: Check the usage of the supported ACLs.

System action: NIDS could not be initialized. The program stopped.

HRMNI10089E File - file name: line - line number: signature - signature text Mask is required.

Explanation: An error occurred while processing the supported signature ACLs.

User response: Check the usage of the supported ACLs.

System action: NIDS could not be initialized. The program stopped.

HRMNI10090E File - file name: line - line number: signature - signature text Invalid network mask network mask.

Explanation: An error occurred while processing the supported signature ACLs.

User response: Check the usage of the supported ACLs.

System action: NIDS could not be initialized. The program stopped.

HRMNI10091E File - file name: line - line number: signature - signature text HOST/NET/PEAK/OFFPEAK/ANY/NEVER token is required.

Explanation: An error occurred while processing the supported signature ACLs.

User response: Check the usage of the supported ACLs.

System action: NIDS could not be initialized. The program stopped.


HRMNI10092E File - file name: line - line number: signature - signature text TOKEN field is required.

Explanation: An error occurred while processing the supported signature ACLs.

User response: Check the usage of the supported ACLs.

System action: NIDS could not be initialized. The program stopped.

HRMNI10093E File - file name: line - line number: signature - signature text Bad token: the token must be > number.

Explanation: An error occurred while processing the supported signature ACLs.

User response: Check the usage of the supported ACLs.

System action: NIDS could not be initialized. The program stopped.

HRMNI10095E File - file name: line - line number: signature - signature text Value is required.

Explanation: An error occurred while processing the EVENT or LOG configuration data.

User response: Check the syntax of the EVENT and LOG processing directives.

System action: NIDS could not be initialized. The program stopped.

HRMNI10096E File - file name: line - line number: signature - signature text VALUE|TOKEN token is required.

Explanation: An error occurred while processing the EVENT or LOG configuration data.

User response: Check the syntax of the EVENT and LOG processing directives.

System action: NIDS could not be initialized. The program stopped.

HRMNI10097E File - file name: line - line number: signature - signature text ASCII or TCPDUMP token is required.

Explanation: An error occurred while processing the EVENT or LOG configuration data.

User response: Check the syntax of the EVENT and LOG processing directives.

System action: NIDS could not be initialized. The program stopped.

HRMNI10098E File - file name: line - line number: signature - signature text RAW|SESSION|TCPDUMP token is required.

Explanation: An error occurred while processing the EVENT or LOG configuration data.

User response: Check the syntax of the EVENT and LOG processing directives.

System action: NIDS could not be initialized. The program stopped.


HRMNI10099E File - file name: line - line number: signature - signature text FILECHOST token is required.

Explanation: An error occurred while processing the EVENT or LOG configuration data.

User response: Check the syntax of the EVENT and LOG processing directives.

System action: NIDS could not be initialized. The program stopped.

HRMNI10100E Host address is required.

Explanation: An error occurred while processing the EVENT or LOG configuration data.

User response: Check the syntax of the EVENT and LOG processing directives.

System action: NIDS could not be initialized. The program stopped.

HRMNI10101E Port number is required.

Explanation: An error occurred while processing the EVENT or LOG configuration data.

User response: Check the syntax of the EVENT and LOG processing directives.

System action: NIDS could not be initialized. The program stopped.

HRMNI10106E CONSOLE|SYSLOG|PATH|HOST is required.

Explanation: An error occurred while processing the EVENT or LOG configuration data.

User response: Check the syntax of the EVENT and LOG processing directives.

System action: NIDS could not be initialized. The program stopped.

HRMNI10109E An unknown data link type hex device type, decimal device type was detected.

Explanation: The system detected an unknown device type.

System action: NIDS could not be initialized. The program stopped.

HRMNI10110E The system is not configured for FDDI.

Explanation: Your version of the software does not support FDDI adapters.

System action: NIDS could not be initialized. The program stopped.

HRMNI10111E Internal error in getIPFrag.

Explanation: An error occurred while processing an IP fragment.

System action: NIDS stops and restarts.


HRMNI10112E Total packets: packets received, packets dropped: ratio: current: ratio, total: overall ratio: seconds: interval in seconds, per second: dropped per second.

Explanation: Reports packet throughput statistics.

HRMNI10114E The system is not configured for PPP.

Explanation: Your version of the software does not support PPP.

System action: NIDS could not be initialized. The program stopped.

HRMNI10115E The system is not configured for RAW IP.

Explanation: Your version of the software does not support RAW IP processing.

System action: NIDS could not be initialized. The program stopped.

HRMNI10116E The system is not configured for SLIP.

Explanation: Your version of the software does not support SLIP.

System action: NIDS could not be initialized. The program stopped.

HRMNI10157E The option -option name is not supported.

Explanation: An incorrect command line option was detected.

User response: Check the correct usage in the product documentation, or specify the ’-h’ option.

System action: NIDS could not be initialized. The program stopped.

HRMNI10158E Cannot write to the PID file: file name.

Explanation: NIDS cannot create the process ID file.

User response: Check the file permissions on the installation directory.

System action: NIDS could not be initialized. The program stopped.

HRMNI10159E Error while loading the configuration file: file name.

Explanation: An error occurred while loading the startup configuration file.

User response: Check the file permissions, or reinstall the NIDS product to correct the problem.

System action: NIDS could not be initialized. The program stopped.


HRMNI10160E Error while loading the signature file: file name.

Explanation: An error occurred while loading the signature file.

User response: Check the file permissions, or reinstall the NIDS product to correct the problem.

System action: NIDS could not be initialized. The program stopped.

HRMNI10161E Error while loading the message file: file name.

Explanation: An error occurred while loading the message file.

User response: Check the file permissions, or reinstall the NIDS product to correct the problem.

System action: NIDS could not be initialized. The program stopped.

HRMNI10163E Process - must be run as root.

Explanation: An attempt was made to start NIDS processing, but the privileges are insufficient.

User response: Log on as root and restart the NIDS process.

System action: NIDS could not be initialized. The program stopped.

HRMNI10166E Cannot open the PID file: file name.

Explanation: An attempt was made to kill NIDS, but the process ID could not be determined.

HRMNI10167E Cannot read the PID file: file name.

Explanation: An attempt was made to kill NIDS, but the process ID could not be determined.

HRMNI10171E Failed: not a valid signal.

Explanation: An attempt was made to kill NIDS with an incorrect signal.

HRMNI10172E Failed: PID was not found.

Explanation: An attempt was made to kill NIDS with an incorrect PID.

HRMNI10173E Failed: access permission problem. Retry as ’root’.

Explanation: An attempt was made to kill NIDS with insufficient access permissions.

HRMNI10174E Failed: unknown failure.

Explanation: An error occurred while attempting to kill NIDS. The reason code cannot be determined.

User response: Retry.


HRMNI10175E The following NIDS PID is invalid: number.

Explanation: An attempt was made to kill NIDS with an incorrect PID.

HRMNI10176E An error occurred while opening the following file: file name.

Explanation: An error occurred while attempting to open the subject file.

User response: Check the access permissions and retry.

System action: NIDS could not be initialized. The program stopped.

HRMNI10177E An error occurred while reading the following file: file name.

Explanation: An error occurred while reading the target file.

User response: Check the access permissions and retry.

System action: NIDS could not be initialized. The program stopped.

HRMNI10179E File - file name: line - line number: signature - signature text SRCDST field is required.

Explanation: An error occurred while parsing the ACL.

User response: Verify the usage of the SRC and DST fields.

System action: NIDS could not be initialized. The program stopped.

HRMNI10180E File - file name: line - line number: signature - signature text SERVICE field is required.

Explanation: An error occurred while processing the SMB signatures.

User response: Verify that the SERVICE directive is used appropriately.

System action: NIDS could not be initialized. The program stopped.

HRMNI10181E File - file name: line - line number: signature - signature text ACL token is required.

Explanation: An error occurred while processing the supported signature ACLs.

User response: Check the usage of the supported ACLs.

System action: NIDS could not be initialized. The program stopped.

HRMNI10182E The specified adapter is unavailable.

Explanation: The adapter specified on the command line is unusable.

User response: Use ifconfig -a to verify the available adapters.

System action: NIDS could not be initialized. The program stopped.


HRMNI10184E Failed to update /etc/inittab during the installation activity.

Explanation: An attempt was made to update the /etc/inittab file to provide the automatic respawn function, but it failed.

User response: Verify that root is used for the NIDS installation. Check the access permissions for /etc/inittab.

System action: NIDS could not be initialized. The program stopped.

HRMNI10185E Failed to update /etc/inittab during the uninstallation activity.

Explanation: An attempt was made to update the /etc/inittab file to remove the entry added during the installation procedure, but it failed.

User response: Verify that root is used for the NIDS uninstallation. Check the access permissions for /etc/inittab.

System action: NIDS could not be initialized. The program stopped.

HRMNI10186E Recursive include file: file %1$s.

Explanation: Indicates an error in a file included from ids.rules.

User response: Reorganize the signature rules to remove the recursive include.

System action: NIDS could not be initialized. The program stopped.

HRMNI10187E Inappropriate expression: %1$s.

Explanation: The regular expression parser could not evaluate the expression.

User response: Check all REGEX entries in the ids.rules file.

System action: NIDS could not be initialized. The program stopped.

HRMNI10188E Error while processing the pattern.

Explanation: NIDS detected an error while processing a regular expression found in ids.rules.

User response: Check all REGEX entries in the ids.rules file.

System action: NIDS could not be initialized. The program stopped.

HRMNI10189E Cannot allocate %1$d bytes of memory.

Explanation: A memory allocation error occurred while processing an IP fragment.

System action: NIDS stops and restarts.


Installation messages

HRMIN0011E To run this command, an administrator login must be set up on the managed node, where a Tivoli environment is required.

Explanation: This error occurs when you attempt to uninstall the Risk Manager server (RISKMGR_CORR) or Risk Manager Perl support (RISKMGR_PERL) from a managed node without having set up the Tivoli environment, or without having the authority to run the uninstallation.

System action: Processing stops.

User response: Use the setup_env.sh script to configure the Tivoli environment. Be sure to run the uninstallation under a login ID that has Tivoli administrator authority.

HRMIN0012E Cannot update the configuration file filename with the value of parameter parameter_name.

Explanation: The configuration file could not be updated with the parameter value provided. The most likely causes of this problem are that the file system does not have enough space to update the file, or that there is a problem with the file permissions.

System action: Processing stops.

User response: Correct all problems and rerun the command.

HRMIN0013E Cannot create the following file: file_name

Explanation: A configuration file that is created during installation could not be created. The most likely causes of this problem are that the file system does not have enough space to create the file, or that there is a problem with the file permissions.

System action: Processing stops.

User response: Correct all file-system-related problems and retry the installation.

HRMIN0014E Cannot add an entry to /etc/inittab to start the following daemon: executable_name

Explanation: The entry to start the executable could not be added to inittab.

System action: Processing stops.

User response: Correct all problems and reinstall.

HRMIN0016E Cannot stop the following daemon: executable_name

Explanation: The daemon did not stop.

User response: If the daemon is still running, run the kill command to stop the process.


HRMIN0017E Cannot back up the configuration file: filename

Explanation: During reinstallation, the user's current copy of the indicated configuration file could not be preserved. The most likely causes of this problem are that the file system does not have enough space to create the file, or that there is a problem with the file permissions.

System action: Processing stops.

User response: Correct the problem and reinstall.

HRMIN0018E Cannot replace the configuration file filename with the saved version of the file.

Explanation: At the end of the Risk Manager Event Integration Facility reinstallation, an attempt was made to copy the saved versions of the rmad.conf and rmad_summary.rules configuration files to the RISKMGR/etc directory. This could not be done.

System action: Installation completes.

User response: View the specified file in the RISKMGR/etc directory and the copy of the file in the RISKMGR/etc/backup directory. If the files differ, or if you want to use the file in the backup directory, copy the file to be used (renaming it if necessary) to the RISKMGR/etc directory.

HRMIN0019E Cannot create the symbolic link filename to the TME version of the RMEIF daemon.

Explanation: The program could not create a symbolic link in RISKMGR/bin that points to the file in RISKMGR/bin/tme.

System action: Installation completes.

User response: Correct all of the problems, then run the rmeif_cfg command to set up the TME or non-TME RMEIF configuration.

HRMIN0020E Cannot create the symbolic link filename to the non-TME version of the RMEIF daemon.

Explanation: The program could not create a symbolic link in RISKMGR/bin that points to the file in RISKMGR/bin/nontme.

System action: Installation completes.

User response: Correct all of the problems, then run the rmeif_cfg command to set up the TME or non-TME RMEIF configuration.

Check Point FireWall-1 messages

HRMCP0001E Risk Manager Event Integration Facility could not process the event.

Explanation: Risk Manager Event Integration Facility may not be configured.

User response: Reconfigure Risk Manager Event Integration Facility.


HRMCP0002E Could not load the Risk Manager Event Integration Facility library.

Explanation: The Risk Manager Event Integration Facility shared library was not found.

User response: Reinstall Risk Manager Event Integration Facility.

HRMCP0003E message.

Explanation: An OPSEC-specific error message.

HRMCP0004E message1: message2.

Explanation: An OPSEC-specific error message.

HRMCP0005E Could not open the NT event log.

Explanation: An unknown and unexpected adapter error.

User response: Reinstall and reconfigure the adapter.

HRMCP0006E Setting variable name in the Windows NT registry.

Explanation: The adapter could not create a new entry in the Windows registry.

User response: Verify that the adapter has administrator authority.

HRMCP0007E message1 code: message2

Explanation: An unknown and unexpected adapter error.

User response: Reinstall and reconfigure the adapter.

HRMCP0009E Searched for the path to adapter name, but it was not found.

Explanation: The adapter could not find its own location.

User response: Reinstall the adapter.

HRMCP0010E Could not install the service: adapter name.

Explanation: The adapter could not install itself as a Windows service.

User response: Run rma_cpfw -r to remove it as a service.

HRMCP0014E Cannot remove the service: adapter name.

Explanation: The adapter could not remove itself as a Windows service. The adapter may not currently be installed as a Windows service.

User response: Check whether the adapter is listed in the Windows Services control panel.


HRMCP0026E The --debug or -d option was specified more than once.

Explanation: The --debug or -d option was specified more than once.

User response: Remove the second instance of the option.

HRMCP0027E The --event-output or -e option was specified more than once.

Explanation: The --event-output or -e option was specified more than once.

User response: Remove the second instance of the option.

HRMCP0028E The --warning-output or -w option was specified more than once.

Explanation: The --warning-output or -w option was specified more than once.

User response: Remove the second instance of the option.

HRMCP0029E The --install-service or -i option was specified more than once.

Explanation: The --install-service or -i option was specified more than once.

User response: Remove the second instance of the option.

HRMCP0030E The --remove-service or -r option was specified more than once.

Explanation: The --remove-service or -r option was specified more than once.

User response: Remove the second instance of the option.

HRMCP0031E Unknown option: option letter

Explanation: An unknown command line option was specified.

User response: Run rma_cpfw --help or -h to display the command line options.

HRMCP0034E Communication with the OPSEC server was lost. Retrying the connection...

Explanation: Communication with the OPSEC server was lost or has not been established.

User response: Verify that the OPSEC server is running and that the network connection is working.

HRMCP0035E Could not resolve the Risk Manager Event Integration Facility symbol.

Explanation: The Risk Manager Event Integration Facility shared library was not found.

User response: Reinstall Risk Manager Event Integration Facility.


Check Point FireWall-1 SAM messages

HRMSM0001E The SAM session failed. Cannot connect to the local SAM server.

Explanation: The task that uses the CheckPoint FireWall-1 SAM interface could not establish communication with the SAM server.

User response: Retry the task. If the failure occurs repeatedly, check the SAM server configuration.

System action: The task cannot run the requested command.

HRMSM0004E The SAM client process failed.

Explanation: The task that uses the CheckPoint FireWall-1 SAM interface failed.

User response: Retry the task. If the failure occurs repeatedly, check the SAM server configuration.

System action: The task cannot run the requested command.

HRMSM0006E Cannot resolve parameter.

Explanation: The task that uses the CheckPoint FireWall-1 SAM interface failed to run.

System action: The task cannot run the requested command.

User response: Retry the task. Check the CheckPoint FireWall-1 SAM server.

HRMSM0007E The OPSEC error is error code.

Explanation: Because an OPSEC error occurred, the task that uses the CheckPoint FireWall-1 SAM interface failed to run.

System action: The task cannot run the requested command.

User response: Retry the task. Check the CheckPoint FireWall-1 SAM server. Consult the CheckPoint FireWall-1 OPSEC documentation.

HRMSM0008E Unexpected SAM status.

Explanation: Because an error occurred, the task that uses the CheckPoint FireWall-1 SAM interface failed to run.

System action: The task cannot run the requested command.

User response: Retry the task. Check the CheckPoint FireWall-1 SAM server. Consult the CheckPoint FireWall-1 OPSEC documentation.


HRMSM0009E OPSEC i|=,:T7^7?#

b@: (i<,/87??aK"CheckPoint FireWall-1 N SAM $s?<U'<9rHQ9k?9/,

BTK:T7^7?#

79F`NhV: ?9/OWa5l?3^sIrBTG-^;s#

f<6<NhV: ?9/rdj>7F/@5$#CheckPoint FireWall-1 SAM 5<P<r!:7F/@

5$# CheckPoint FireWall-1 OPSEC NI-easF<7gsr4YF/@5$#

HRMSM0010E /i$"sH&(sF#F#<Nn.,:T7^7?#

b@: (i<,/87??aK"CheckPoint FireWall-1 N SAM $s?<U'<9rHQ9k?9/,

BTK:T7^7?#

79F`NhV: ?9/OWa5l?3^sIrBTG-^;s#

f<6<NhV: ?9/rdj>7F/@5$#CheckPoint FireWall-1 SAM 5<P<r!:7F/@

5$# CheckPoint FireWall-1 OPSEC NI-easF<7gsr4YF/@5$#

HRMSM0011E 5<P<&(sF#F#<Nn.,:T7^7?#

b@: (i<,/87??aK"CheckPoint FireWall-1 N SAM $s?<U'<9rHQ9k?9/,

BTK:T7^7?#

79F`NhV: ?9/OWa5l?3^sIrBTG-^;s#

f<6<NhV: ?9/rdj>7F/@5$#CheckPoint FireWall-1 SAM 5<P<r!:7F/@

5$# CheckPoint FireWall-1 OPSEC NI-easF<7gsr4YF/@5$#

HRMSM0012E SAM ;C7gsNi|=,:T7^7?#

b@: (i<,/87??aK"CheckPoint FireWall-1 N SAM $s?<U'<9rHQ9k?9/,

BTK:T7^7?#

79F`NhV: ?9/OWa5l?3^sIrBTG-^;s#

f<6<NhV: ?9/rdj>7F/@5$#CheckPoint FireWall-1 SAM 5<P<r!:7F/@

5$# CheckPoint FireWall-1 OPSEC NI-easF<7gsr4YF/@5$#

HRMSM0013E Wa (SAM request) ,:T7^7?#

b@: (i<,/87??aK"CheckPoint FireWall-1 N SAM $s?<U'<9rHQ9k?9/,

BTK:T7^7?#

79F`NhV: ?9/OWa5l?3^sIrBTG-^;s#

f<6<NhV: ?9/rdj>7F/@5$#CheckPoint FireWall-1 SAM 5<P<r!:7F/@

5$# CheckPoint FireWall-1 OPSEC NI-easF<7gsr4YF/@5$#


HRMSM0016E RMADHOME ,D-bK_j5lF$^;s#

b@: ,WJD-Qt,jA5lF$J$NG"?9/rBT9k3H,G-^;s#

79F`NhV: ?9/O:T7^9#

f<6<NhV: FAru1k^7seN Risk Manager $s9H<k&79F`r!:7F/@5

$#

HRMSM0017E rma_cpfw.conf K"/;9G-^;s#

b@: =.U!$kK"/;9G-J$NG"?9/rBT9k3H,G-^;s#

79F`NhV: ?9/O:T7^9#

f<6<NhV: FAru1k^7seN Risk Manager $s9H<k&79F`r!:7F/@5

$#

HRMSM0018E SAM 5<P<=.,0;7F$^;s#

b@: =.U!$kK"/;9G-J$NG"?9/rBT9k3H,G-^;s#

79F`NhV: ?9/O:T7^9#

f<6<NhV: FAru1k^7seN Risk Manager $s9H<k&79F`r!:7F/@5

$#

Cisco Secure IDS �$+&�0

HRMCI0001E Risk Manager Event Integration Facility ,$YsHrh}G-^;sG7?#

b@: Risk Manager Event Integration Facility O=.5lF$J$D=-,"j^9#

f<6<NhV: Risk Manager Event Integration Facility rF=.7F/@5$#

HRMCI0002E Risk Manager Event Integration Facility i$Vij<rm<IG-^;sG7?#

b@: Risk Manager Event Integration Facility N&Qi$Vij<,+U+j^;sG7?#

f<6<NhV: Risk Manager Event Integration Facility rF$s9H<k7F/@5$#

HRMCI0003E error number P??$`"&H#

b@: Cisco Datafeed 3s]<MsH,"f{N Cisco Secure IDS Communication Service +i~zr

u1hk3H,G-^;sG7?#

f<6<NhV: 3Njb<H&Wm;9HNL.Kdj,"klg,"j^9#


HRMCI0004E error number BT7F$^;s#

b@: Cisco IDS DataFeed 3s]<MsH,$s9H<k5lF$^;s#

f<6<NhV: Cisco DataFeed 3s]<MsHr$s9H<k7F/@5$#

HRMCI0005E error number i|=Q_G9#

b@: Cisco IDS DataFeed O9GKi|=5lF$^9#

f<6<NhV: "@W?<rFO07F/@5$#>KaC;<8,J$+"79F`&(i<&m

0r4YF/@5$#

HRMCI0006E error number i|=:T#

b@: "@W?<O Cisco IDS DataFeed 3s]<MsHNi|=K:T7F$^9#

f<6<NhV: "@W?<rFO07F/@5$#>KaC;<8,J$+"79F`&(i<&m

0r4YF/@5$#

HRMCI0007E error number LN"Wj1<7gs,BTfG9#

b@: 2 f\N"@W?<^?O?+>N Cisco IDS DataFeed "Wj1<7gs,BTfG9#

f<6<NhV: rma_csids-init stop rBT7"b&l}N"@W?<rd_7F/@5$#dj,

+jV7/89klgO"csidsDataFeed stop -f rBT7" DataFeed/var G#l/Hj<+i9YFN

U!$kr|n7F/@5$#

HRMCI0008E error number T@#

b@: T@N(i<&3<IG9#

HRMCI0010E i|=K:T7^7?#

b@: "@W?<O Cisco DataFeed 3s]<MsHNi|=K:T7F$^9#

f<6<NhV: "@W?<rFO07F/@5$#>KaC;<8,J$+"79F`&(i<&m

0r4YF/@5$#

HRMCI0021E --debug ^?O -d *W7gs, 2 sJeXj5l^7?#

b@: --debug ^?O -d *W7gs, 2 sJeXj5l^7?#

f<6<NhV: *W7gsN 2 V\N$s9?s9r|n7F/@5$#

HRMCI0022E --event-output ^?O -e *W7gs, 2 sJeXj5l^7?#

b@: --event-output ^?O -e *W7gs, 2 sJeXj5l^7?#

f<6<NhV: *W7gsN 2 V\N$s9?s9r|n7F/@5$#


HRMCI0023E --warning-output ^?O -w *W7gs, 2 sJeXj5l^7?#

b@: --warning-output ^?O -w *W7gs, 2 sJeXj5l^7?#

f<6<NhV: *W7gsN 2 V\N$s9?s9r|n7F/@5$#

HRMCI0024E *W7gsT@: option letter

b@: T@N3^sIT*W7gs,Xj5l^7?#

f<6<NhV: rma_csids --help ^?O -h rBT7F"3^sIT*W7gsNj9Hr=(7

F/@5$#

HRMCI0025E --install-service ^?O -i *W7gs, 2 sJeXj5l^7?#

b@: --install-service ^?O -i *W7gs, 2 sJeXj5l^7?#

f<6<NhV: *W7gsN 2 V\N$s9?s9r|n7F/@5$#

HRMCI0026E --remove-service ^?O -r *W7gs, 2 sJeXj5l^7?#

b@: --remove-service ^?O -r *W7gs, 2 sJeXj5l^7?#

f<6<NhV: *W7gsN 2 V\N$s9?s9r|n7F/@5$#

HRMCI0028E Windows NT l89Hj<bN variable name r_jf#

b@: "@W?<O"Windows l89Hj<K7,N`\rn.G-^;sG7?#

f<6<NhV: "@W?<,"I_K9Hl<?<"Br}CF$k3HrN'7F/@5$#

HRMCI0029E 5<S9r$s9H<kG-^;sG7?: adapter name

b@: "@W?<,"+,+Hr Windows 5<S9H7F$s9H<k9k3H,G-^;sG7

?#

f<6<NhV: rma_csids -r rBT7F"=lr5<S9H7F|n7F/@5$#

HRMCI0033E 5<S9r|nG-^;sG7?: adapter name

b@: "@W?<,"+,+Hr Windows 5<S9H7F|n9k3H,G-^;sG7?#"@W

?<O=_ Windows 5<S9H7F$s9H<k5lF$J$D=-,"j^9#

f<6<NhV: "@W?<, Windows 5<S9N3sHm<k&QMkKj9H5lF$k+N'

7F/@5$#

HRMCI0035E adapter name XNQ9r57^7?,+U+j^;sG7?#

b@: "@W?<O+,+HNLVr+U1k3H,G-^;sG7?#

f<6<NhV: "@W?<rF$s9H<k7F/@5$#


HRMCI0036E adapter name 3<I: error number

b@: T@G+D=|7J$"@W?<&(i<G9#

f<6<NhV: "@W?<rF$s9H<k7"F=.7F/@5$#

HRMCI0037E Risk Manager Event Integration Facility 7s\krrhG-^;sG7?#

b@: "@W?<, Risk Manager Event Integration Facility i$Vij<r+U1k3H,G-^;s

G7?#

f<6<NhV: Risk Manager Event Integration Facility r$s9H<k9k,W,"j^9#


Risk Manager �����$+&�0

HRMCO0053E $s9H<kK:T7^7?#

b@: rmcorr_cfg 3^sI,(i<r!P7"0;7?h}r9YFPC/"&H7^7?#

79F`NhV: rmcorr_cfg 3^sIOd_7^9#

f<6<NhV: Qia<?<r!:7"rmcorr_cfg 3^sIrFBT7F/@5$#

HRMCO0056E !N7,k<k&Y<9NQ9rn.G-^;s: path

b@: rmcorr_cfg 3^sI,"Xj5l?G#l/Hj<Kk<k&Y<9rn.G-^;sG7

?#

79F`NhV: rmcorr_cfg 3^sIO"0;7?h}r9YFPC/"&H7^9#

f<6<NhV: -zJG#l/Hj<rXj7F rmcorr_cfg 3^sIrFBT7F/@5$#

HRMCO0057E k<k&Y<9 %1$s NQ9O9GKHQfG9#

b@: rmcorr_cfg 3^sI,"Xj5l?G#l/Hj<Kk<k&Y<9rn.G-^;sG7

?#

79F`NhV: rmcorr_cfg 3^sIO"0;7?h}r9YFPC/"&H7^9#

f<6<NhV: -zJG#l/Hj<rXj7F"rmcorr_cfg 3^sIrFBT7F/@5$#

HRMCO0059E k<k&Y<9 rulebase O3sQ$k5l^;s#

b@: k<k&Y<9O3sQ$k5l^;s#

79F`NhV: rmcorr_cfg 3^sIO"0;7?h}r9YFPC/"&H7^9#

f<6<NhV: k<k&Y<9,8_7F$klgO"=lr$57F+i Risk Manager Nk<k

r$s9H<k7F/@5$#k<k&Y<9,8_7F$J$lgO"Tivoli 5]<HK"m7F/

@5$#

HRMCO0060E k<k&Y<9 rulebase Nn.K:T7^7?#

b@: rmcorr_cfg 3^sI,"k<k&Y<9rn.9k3H,G-^;sG7?#

79F`NhV: rmcorr_cfg 3^sIO"0;7?h}r9YFPC/"&H7^9#

f<6<NhV: rmcorr_cfg KO5l?Qia<?<r!:7F/@5$#

HRMCO0061E k<k&Y<9 rulebase_from Nk<k&Y<9 rulebase_to XN3T<K:T7^7?#

b@: rmcorr_cfg 3^sIOk<k&Y<9r3T<9k3H,G-^;s#

79F`NhV: rmcorr_cfg 3^sIO"0;7?h}r9YFPC/"&H7^9#

f<6<NhV: rmcorr_cfg KO5l?Qia<?<r!:7F/@5$#rmcorr_cfg 3^sIrF

BT7F/@5$#


HRMCO0062E class Nk<k&Y<9 rulebase XN$s]<HK:T7^7?#

b@: 3N/i9O"k<k&Y<9K5oK$s]<H5l^;sG7?#

79F`NhV: rmcorr_cfg 3^sIO"0;7?h}r9YFPC/"&H7^9#

f<6<NhV: rmcorr_cfg KO5l?Qia<?<r!:7F/@5$# Tivoli D-,57/$s

9H<k5l"T/7F$k3HrN'7F/@5$# rmcorr_cfg 3^sIrFBT7F/@5$#

HRMCO0063E k<k&U!$k rules Nk<k&Y<9 rulebase XN$s]<HK:T7^7?#

b@: k<k&U!$kO"k<k&Y<9K5oK$s]<H5l^;sG7?#

79F`NhV: rmcorr_cfg 3^sIO"0;7?h}r9YFPC/"&H7^9#

f<6<NhV: rmcorr_cfg KO5l?Qia<?<r!:7F/@5$# Tivoli D-,57/$s

9H<k5l"T/7F$k3HrN'7F/@5$# rmcorr_cfg 3^sIrFBT7F/@5$#

HRMCO0064E G#l/Hj< directory N!wK:T7^7?#

b@: rmcorr_cfg 3^sIO"G#l/Hj<r57P93H,G-^;sG7?#

79F`NhV: rmcorr_cfg 3^sIO"0;7?h}r9YFPC/"&H7"d_7^9#

f<6<NhV: Risk Manager ,5oK$s9H<k5lF$k+!:7F/@5$#3^sIrFB

T7F/@5$#

HRMCO0067E k<k&Y<9 rulebase Nm<IK:T7^7?#

b@: rmcorr_cfg 3^sIOk<k&Y<9rm<I9k3H,G-^;sG7?#

79F`NhV: k<k&Y<9Om<I5lF$^;s#k<k&Y<9XNQ9OPC/"&H5

l^9#

f<6<NhV: rmcorr_cfg KO5l?Qia<?<r!:7F/@5$#=8(i<,J$+"

Risk Manager N=.U!$kr!:7F/@5$#c2N\Y,J$+"$BINDIR/RISKMGR/corr G#l

/Hj<bN ptc* (* Otz) r!:7F/@5$#3^sIrFBT7F/@5$#

HRMCO0068E TEC $YsH&5<P<N+OK:T7^7?#

b@: TEC $YsH&5<P<,+O7^;sG7?#

79F`NhV: TEC $YsH&5<P<O"/F#VGO"j^;s#

f<6<NhV: wstartesvr 3^sIrBT7F"TEC $YsH&5<P<r+O7F/@5$#

HRMCO0069E TEC $YsH&5<P<Nd_K:T7^7?#

b@: TEC $YsH&5<P<Od_7^;sG7?#

79F`NhV: rmcorr_cfg 3^sIO TEC $YsH&5<P<rFO07^;s#

f<6<NhV: TEC $YsH&5<P<rd_7F+iO07F/@5$#


HRMCO0072E $YsH&=<9 eventsource Nn.K:T7^7?#

b@: rmcorr_cfg 3^sIO"$YsH&=<9rn.9k3H,G-^;sG7?#

79F`NhV: $YsH&=<9On.5l^;s#

f<6<NhV: ,WK~8F"3^sIrFBT7F/@5$#

HRMCO0073E ?9/&i$Vij< libraryname Nn.K:T7^7?#

b@: rmcorr_cfg 3^sIO"?9/&i$Vij<rn.9k3H,G-^;sG7?#

79F`NhV: ?9/&i$Vij<On.5l^;s#

f<6<NhV: Tivoli D-,$s9H<k5lF*j"5oKT/7F$k3HrN'7F/@5

$#79F`K c WjWm;C5< (cpp) ,$s9H<kQ_G"k3HrN'7F/@5$# Unix

79F`GO"rmcorr_cfg 3^sIO c WjWm;C5<H7F /usr/ccs/lib/cpp G#l/Hj<

rHQ7^9# Windows 79F`GO"c WjWm;C5< $BINDIR/tools/cpp.exe ,HQ5l^

9# ’rmcorr_cfg -tasklib’ rHQ7F?9/&i$Vij<rm<I9k3H,G-^9#

HRMCO0075E U!$kK filename "/;9G-^;s#

b@: rmcorr_cfg 3^sIO"(5l?U!$kK"/;99k3H,G-^;sG7?#

79F`NhV: rmcorr_cfg 3^sIOd_7^9#

f<6<NhV: Tivoli Risk Manager 5<P<,,ZK$s9H<k5lF$k3HrN'7F/@5

$#

HRMCO0076E $YsH&-cC7e&5$:rh@G-^;s#

b@: rmcorr_cfg 3^sIO"$YsH&-cC7e&5$:rhj9k3H,G-^;sG7?#

79F`NhV: rmcorr_cfg 3^sIO3NaC;<8r=(7^9#

f<6<NhV: Tivoli D-,57/$s9H<k5l"T/7F$k3HrN'7F/@5$#

wlsesvrcfg 3^sIrHQ7F"$YsH&5<P<N=.rj9H9k3H,G-^9#

HRMCO0077E =Tk<k&Y<9>rh@G-^;s#

b@: rmcorr_cfg ,=TNk<k&Y<9&Q9r=L9k3H,G-^;sG7?#

79F`NhV: rmcorr_cfg 3^sIOd_7^9#

f<6<NhV: Tivoli D-,57/$s9H<k5l"T/7F$k3HrN'7F/@5$# wrb-lscurrb 3^sIrHQ9kH"=TNk<k&Y<9rj9H9k3H,G-^9#

HRMCO0078E =Tk<k&Y<9&Q9r=LG-^;s#

b@: rmcorr_cfg ,=TNk<k&Y<9&Q9r=L9k3H,G-^;sG7?#

79F`NhV: rmcorr_cfg 3^sIOd_7^9#

f<6<NhV: Tivoli D-,57/$s9H<k5l"T/7F$k3HrN'7F/@5$# wrb-lscurrb 3^sIrHQ9kH"=TNk<k&Y<9rj9H9k3H,G-^9#


HRMCO0079E class Nk<k&Y<9 rulebase +iNo|K:T7^7?#

b@: 3N/i9r"k<k&Y<9+io|9k3H,G-^;sG7?#

79F`NhV: rmcorr_cfg 3^sIO"k<k&Y<9+ik<k&U!$kro|7^;s#

f<6<NhV: rmcorr_cfg KXj5l?3^sITQia<?<r!:7F/@5$# rmcorr_cfg3^sI,+jV7:T9klgKO" wrb -delrbclass -force 3^sIrHQ7F"k<k&Y<9

ro|9k3H,G-^9#

HRMCO0080E rulefile Nk<k&Y<9 rulebase +iNo|K:T7^7?#

b@: k<k&U!$kr"k<k&Y<9+io|9k3H,G-^;sG7?#

79F`NhV: rmcorr_cfg 3^sIO"k<k&Y<9+ik<k&U!$kro|7^;s#

f<6<NhV: rmcorr_cfg KXj5l?3^sITQia<?<r!:7F/@5$# rmcorr_cfg3^sI,+jV7:T9klgKO" wrb -delrbrule -force 3^sIrHQ7F"k<k&Y<9

ro|9k3H,G-^9#

HRMCO0081E k<k&Y<9 %1$s No|K:T7^7?#

b@: rmcorr_cfg 3^sI,"k<k&Y<9ro|9k3H,G-^;sG7?#

79F`NhV: rmcorr_cfg 3^sIO"k<k&Y<9ro|;:Kd_7^9#

f<6<NhV: rmcorr_cfg KXj5l?3^sITQia<?<r!:7F/@5$# wrb -delrb3^sI,+jV7:T9klgKO" rmcorr_cfg 3^sIrHQ7F"k<k&Y<9ro|9k

3H,G-^9#

HRMCO0082E k<k&Y<9 rulebase ro|G-^;s#k<k&Y<9,+U+j^;s#

b@: k<k&Y<9,+U+iJ+C?NG"rmcorr_cfg 3^sIO=lro|9k3H,G-^

;sG7?#

79F`NhV: rmcorr_cfg 3^sIO"k<k&Y<9ro|;:Kd_7^9#

f<6<NhV: {8Nk<k&Y<9rXj7F3^sIrFBT7F/@5$#

HRMCO0085E $YsH&=<9 event_source No|K:T7^7?#

b@: rmcorr_cfg 3^sIO"$YsH&=<9ro|9k3H,G-^;sG7?#

79F`NhV: rmcorr_cfg 3^sIO"$YsH&=<9ro|7^;s#

f<6<NhV: Tivoli D-r!:7",WK~8F3^sIrFBT7F/@5$#FY:T9kl

gKO"wdelsrc 3^sIrHQ7F=N$YsH&=<9r|n7F/@5$#

HRMCO0096E Prolog U!$kN3sQ$kG(i<,/87^7?: filename

b@: prolog U!$kO3sQ$k5l^;sG7?#GbD=-Nb$6xH7FO"=8(i<,

^^lF$k3H,M(il^9#

79F`NhV: rmcorr_cfg 3^sIO"0;7?3^sIr9YFPC/"&H7^9#

f<6<NhV: rmcorr_cfg KO5l?Qia<?<r!:7F/@5$#=8(i<,J$+"

Risk Manager N=.U!$kr!:7F/@5$#c2N\Y,J$+"$BINDIR/RISKMGR/corr G#l

/Hj<bN ptc* (* Otz) r!:7F/@5$#3^sIrFBT7F/@5$#


HRMAR0001E (script) ’-r seconds’ *W7gs,,WG9#

b@: ?9/^?O8gV&9/jWHK"-r z-t,"j^;s#9/jWHO"Xj5l?Cth

jbE$$YsH@1r"<+$V7^9#

79F`NhV: Risk Manager NG<?N"<+$VO5oKTol^;s#

f<6<NhV: 9/jWHK -r z-trXj7F/@5$#10 CJeNMrHQ9k,W,"j^

9#

HRMAR0002E (script) INTERP ,_j5lF$^;s#l~G#l/Hj<rhail^;sG7?#

b@: ?9/^?O8gV&9/jWHO"=_N*Zl<F#s0&79F`r=LG-J+C??

aK"l~G#l/Hj<H7FHQ9kG#l/Hj<r=L9k3H,G-^;sG7?#

INTERP D-Qt,*Zl<F#s0&79F`rjA7F$^9#

79F`NhV: Risk Manager NG<?N"<+$VO5oKTol^;s#

f<6<NhV: Tivoli D-,,ZK$s9H<k5l"=.5l"T/7F$k3HrN'7F/@

5$#

HRMAR0003E (script) l~G#l/Hj< dir ,8_7F$^;s#

b@: l~G#l/Hj<,U!$k&79F`K8_7F$J$+"G#l/Hj<GOJ/U!$

kH7F8_7F$^9#

79F`NhV: Risk Manager NG<?N"<+$VO5oKTol^;s#

f<6<NhV: u-G#9/&9Z<9,"k3HrN'7F/@5$#Xj5l?G#l/Hj<

,8_7F$J$lgO"=lrn.7F/@5$#?9/^?O8gVrFBT7F/@5$#

HRMAR0004E (script) ’wgetrim RIM_object’ ,:T7^7?#

b@: ?9/^?O8gV&9/jWH,"Tivoli RDBMS Interface Module (RIM) ^?OXj5l?

RIM *V8'/HK"/;9G-^;sG7?# wgetrim 3^sI+iNaC;<8K\7$b@,

^^lF$klg,"j^9#

79F`NhV: Risk Manager NG<?N"<+$VO5oKTol^;s#

f<6<NhV: Tivoli D-,T/7F*j"RIM N!=rBT9k?aN57$rdHvDr}CF

$k3HrN'7F/@5$#Xj5l? RIM *V8'/H,n.5lF$k3HrN'7F+i"?

9/^?O8gVrFBT7F/@5$#

HRMAR0005E (script) RIM 3^sI&U!$krn.G-^;s: file#

b@: 9/jWHO"(5lF$kU!$krn.9k3H,G-^;sG7?#

79F`NhV: Risk Manager NG<?N"<+$VO5oKTol^;s#

f<6<NhV: Tivoli D-,T/7F*j"u-G#9/&9Z<9,"j"79F`Nl~G#l

/Hj<KP9kq-~_vDr}CF$k3HrN'7F/@5$#?9/^?O8gVrFBT7

F/@5$#


Web ������$+&�0

HRMWN0001E *rKhk wrimsql XNFSP7K:T7^7?#*;7^9#

b@: G<?Y<9K"/;9G-J+C?+"select NQia<?<,mCF$^7?#

79F`NhV: G<?O"G<?Y<9+ihjP5l^;sG7?#

f<6<NhV: G<?Y<9r!:7"F/K+k&5]<HK"m7F/@5$#

HRMWN0003E l~G#l/Hj<,8_7^;s#*;7^9#

b@: Wm0i`KO"h}N?aNl~G#l/Hj<,,WG9#

79F`NhV: Wm0i`OBT7J$G*;7^7?#

f<6<NhV: Unix WiCHU)<`NlgO /tmp K"Windows WiCHU)<`NlgO

/temp Kl~G#l/Hj<rn.7F/@5$#

Risk Manager Event Integration Facility �$+&�0

HRMRM0008E `n(i<: aC;<8rw.G-^;s#

b@: $YsHr Risk Manager EIF G<bsKw.9k]KlLc2,/87^7?#

79F`NhV: $YsHO Risk Manager EIF G<bsKOw.5l^;sG7?#

f<6<NhV: Risk Manager EIF H TEC =.r!:7"F/K+k&5]<HK"m7F/@5

$#

HRMRM0009E 9Hl<8Ndj6jfKc2#

b@: Risk Manager EIF G<bsG9Hl<8rdj6k]KlLc2,/87^7?#

79F`NhV: Risk Manager EIF G<bsO"aj3<I -1 G*;7^9

f<6<NhV: O<I&'"H OS =UH&'"N=.rA'C/7F/@5$#

HRMRM0016E &L"@W?<NQ$Wh}K:T7^7?#rc = return code#

b@: Risk Manager EIF G<bsNL.Q$WNI_hj^?Oq-~_K:T7^7?#

79F`NhV: Risk Manager EIF G<bsO"aj3<I -1 G*;7^9#

f<6<NhV: Risk Manager EIF N=.r!:7"F/K+k&5]<HK"m7F/@5$#

HRMRM0017E &L"@W?<Ni|=K:T7^7?#rc = return code#

b@: Risk Manager EIF G<bsNi|=K:T7^7?#

79F`NhV: Risk Manager EIF G<bsO"aj3<I -1 G*;7^9#

f<6<NhV: Risk Manager EIF N=.r!:7"F/K+k&5]<HK"m7F/@5$#


HRMRM0018E &LG<bsXNQ9NhjK:T7^7?#

b@: Risk Manager EIF G<bsO"$s9H<k&Q9rrh9k3H,G-^;sG7?#

79F`NhV: Risk Manager EIF G<bsO"aj3<I -1 G*;7^9#

f<6<NhV: Risk Manager EIF N=.Hl89Hj<`\rA'C/7"F/K+k&5]<HK

"m7F/@5$#

HRMRM0019E D-Qt LCF_DATDIR ,_j5lF$^;s#

b@: Risk Manager EIF G<bs (TME P<8gs) ,"Xj5l?Q9r=L9k3H,G-^;

sG7?#

79F`NhV: Risk Manager EIF G<bsO"aj3<I -1 G*;7^9#

f<6<NhV: Risk Manager EIF N=.Hl89Hj<`\rA'C/7"F/K+k&5]<HK

"m7F/@5$#

HRMRM0020E D-Qt NSLPATH ,_j5lF$^;s#

b@: Risk Manager EIF G<bsO"Xj5l?Q9r=L9k3H,G-^;sG7?#

79F`NhV: Risk Manager EIF G<bsO"aj3<I -1 G*;7^9#

f<6<NhV: Risk Manager EIF N=.Hl89Hj<`\rA'C/7"F/K+k&5]<HK

"m7F/@5$#

HRMRM0021E uV;^U)<Nn.K:T7^7?#rc = return code#

b@: Risk Manager EIF G<bsO")f;^U)<rn.9k3H,G-^;sG7?#

79F`NhV: Risk Manager EIF G<bsO"aj3<I -1 G*;7^9#

f<6<NhV: Risk Manager EIF N=.r!:7"F/K+k&5]<HK"m7F/@5$#

HRMRM0022E uV;^U)<N|nK:T7^7?#ERRNO = errno#

b@: Risk Manager EIF G<bs,")f;^U)<r|n9k3H,G-^;sG7?#

79F`NhV: Risk Manager EIF G<bsO"aj3<I -1 G*;7^9#

f<6<NhV: Risk Manager EIF N=.r!:7"F/K+k&5]<HK"m7F/@5$#

HRMRM0023E uV;^U)<Nh@K:T7^7?#ERRNO = errno#

b@: Risk Manager EIF G<bs,")f;^U)<K"/;99k3H,G-^;sG7?#

79F`NhV: Risk Manager EIF G<bsO"aj3<I -1 G*;7^9#

f<6<NhV: Risk Manager EIF N=.r!:7"F/K+k&5]<HK"m7F/@5$#


HRMRM0024E uV;^U)<&H</sNh@K:T7^7?#ERRNO = errno#

b@: Risk Manager EIF G<bs,")f;^U)<&H</sK"/;99k3H,G-^;sG7

?#

79F`NhV: Risk Manager EIF G<bsO"aj3<I -1 G*;7^9#

f<6<NhV: Risk Manager EIF N=.r!:7"F/K+k&5]<HK"m7F/@5$#

HRMRM0025E ]<HVf port number r-zJMK_j9k,W,"j^9#

b@: 5zJm<+k&$YsHh}]<HVf,"Risk Manager EIF N=.U!$kKjA5lF$

^9#

79F`NhV: Risk Manager EIF G<bsO"aj3<I -1 G*;7^9#

f<6<NhV: =.U!$kK-zJ]<HVfrXj7F/@5$#

HRMRM0026E m<+k&$YsHh}rWa9k~KO]<HVfr_j9k,W,"j^9#

b@: m<+k&$YsHh}, Risk Manager EIF N=.U!$kKXj5lF$^9,"]<HV

f,jA5lF$^;s#

79F`NhV: Risk Manager EIF G<bsO"aj3<I -1 G*;7^9#

f<6<NhV: =.U!$kK-zJ]<HVfrXj7F/@5$#

HRMRM0027E CDS U!$k [CDS file name] (U!$k [] KjA5lF$k) ,8_7F$^;s#

b@: =.U!$kKjA5lF$k CDS U!$k,8_7F$^;s#

79F`NhV: Risk Manager EIF G<bsO"aj3<I -1 G*;7^9#

f<6<NhV: -zJ .cds U!$kr=.U!$kKXj7F/@5$#

HRMRM0028E CDS U!$krONi|=K:T7^7?#rc = return code#

b@: .cds U!$krOK:T7^7?#

79F`NhV: Risk Manager EIF G<bsO"aj3<I -1 G*;7^9#

f<6<NhV: .cds *hS .fmt U!$k,lW7F$k3HrN'7F/@5$#

HRMRM0029E ServerLocation , [configuration file] U!$kKjA5lF$^;s#

b@: 5<P<&m1<7gs, Risk Manager EIF N=.U!$kKjA5lF$^;s#

79F`NhV: Risk Manager EIF G<bsO"aj3<I -1 G*;7^9#

f<6<NhV: -zJ ServerLocation r Risk Manager EIF =.U!$kKXj7F/@5$#


HRMRM0030E &L"@W?<QN=.U!$kNh@K:T7^7?#

b@: Risk Manager EIF G<bs,"=N=.U!$kK"/;99k3H,G-^;sG7?#

79F`NhV: Risk Manager EIF G<bsO"aj3<I -1 G*;7^9#

f<6<NhV: =.U!$k,57$m1<7gsK8_7F$k3HrN'7F/@5$#

HRMRM0031E TEC EIF Ni|=K:T7^7?#aj3<I = return code#

b@: Risk Manager EIF G<bs,"TEC HNL.ri|=9k3H,G-^;sG7?#

79F`NhV: Risk Manager EIF G<bsO"aj3<I -1 G*;7^9#

f<6<NhV: Risk Manager EIF *hS TEC N=.r!:7"F/K+k&5]<HK"m7F/

@5$#

HRMRM0032E L.Q$WNn.K:T7^7?#

b@: Risk Manager EIF G<bs,"btNL.Q$Wrn.9k3H,G-^;sG7?#

79F`NhV: Risk Manager EIF G<bsO"aj3<I -1 G*;7^9#

f<6<NhV: Risk Manager EIF N=.r!:7"F/K+k&5]<HK"m7F/@5$#

HRMRM0033E TEC OsIkNn.K:T7^7?#tec_errno = return code.

b@: Risk Manager EIF G<bs,"TEC L.OsIkrn.9k3H,G-^;sG7?#

79F`NhV: Risk Manager EIF G<bsO"aj3<I -1 G*;7^9#

f<6<NhV: Risk Manager EIF *hS TEC N=.r!:7"F/K+k&5]<HK"m7F/

@5$#

HRMRM0034E I_hjQNL.Q$W pipe name r*<Ws7h&H7F:T7^7?"errno =#

b@: Risk Manager EIF G<bs,"I_hjQNbtL.Q$Wr*<Ws9k3H,G-^;sG

7?#

79F`NhV: Risk Manager EIF G<bsO"aj3<I -1 G*;7^9#

f<6<NhV: Risk Manager EIF N=.r!:7"F/K+k&5]<HK"m7F/@5$#

HRMRM0035E q-~_QNL.Q$W pipe name r*<Ws7h&H7F:T7^7?"errno =#

b@: Risk Manager EIF G<bs,"q-~_QNbtL.Q$Wr*<Ws9k3H,G-^;sG

7?#

79F`NhV: Risk Manager EIF G<bsO"aj3<I -1 G*;7^9#

f<6<NhV: Risk Manager EIF N=.r!:7"F/K+k&5]<HK"m7F/@5$#


HRMRM0036E L.Q$W pipe name r*<Ws7h&H7F:T7^7?"errno =#

b@: Risk Manager EIF G<bs,"L.Q$Wrn.9k3H,G-^;sG7?#

79F`NhV: Risk Manager EIF G<bsO"aj3<I -1 G*;7^9#

f<6<NhV: Risk Manager EIF N=.r!:7"F/K+k&5]<HK"m7F/@5$#

HRMRM0037E aC;<8&?$W*hSaC;<8&5$:NI_hjK:T7^7?#

b@: Risk Manager EIF G<bs,"btNL.Q$W+iaC;<8&?$WrI_hk3H,G-

^;sG7?#

79F`NhV: Risk Manager EIF G<bsO"aj3<I -1 G*;7^9#

f<6<NhV: Risk Manager EIF N=.r!:7"F/K+k&5]<HK"m7F/@5$#

HRMRM0038E &L"@W?<,aC;<8&G<?NI_hjK:T7^7?#

b@: Risk Manager EIF G<bs,"btNL.Q$W+iaC;<8&G<?rI_hk3H,G-

^;sG7?#

79F`NhV: Risk Manager EIF G<bsO"aj3<I -1 G*;7^9#

f<6<NhV: Risk Manager EIF G<bsrA'C/7"F/K+k&5]<HK"m7F/@5

$#

HRMRM0039E aC;<8NU)<^CH_jK:T7^7?#- aj3<I = return code#

b@: Risk Manager EIF G<bs,"w.5l?aC;<8&G<?rU)<^CH_j9k3H,G

-^;sG7?#

79F`NhV: Risk Manager EIF G<bsO"aj3<I -1 r Risk Manager EIF &Qi$Vij

<Ka7^9#

f<6<NhV: Risk Manager EIF N=.r!:7"F/K+k&5]<HK"m7F/@5$#

HRMRM0040E CDS U!$k,jA5lF$^;s#$YsHrU)<^CH_jG-^;s#

b@: Risk Manager EIF G<bs,U)<^CH9Y-$YsHru1hj^7?,".cds U!$k,

8_7F$^;s#

79F`NhV: Risk Manager EIF G<bsO"aj3<I -1 r Risk Manager EIF &Qi$Vij

<Ka7^9#

f<6<NhV: Risk Manager EIF =.rA'C/7".cds U!$k,8_7F$k3H"*hS=N

U!$k, Risk Manager EIF =.U!$kGjA5lF$k3HrN'7F/@5$#

HRMRM0041E *;aC;<8rm<+k&$YsHh}Wm0i`Kw.7h&H7F:T7^7?#

b@: Risk Manager EIF G<bs,"*;aC;<8rm<+k&$YsHh}Wm0i`Kw.9k

3H,G-^;sG7?#

79F`NhV: Risk Manager EIF G<bsO"aj3<I -1 r Risk Manager EIF &Qi$Vij

<Ka7^9#

f<6<NhV: Risk Manager EIF N=.r!:7"F/K+k&5]<HK"m7F/@5$#


HRMRM0042E aC;<8NU)<^CH_jK:T7^7?#

b@: Risk Manager EIF G<bs,"$YsHrU)<^CH_j9k3H,G-^;sG7?#

79F`NhV: Risk Manager EIF G<bsO"aj3<I -1 r Risk Manager EIF &Qi$Vij

<Ka7^9#

f<6<NhV: Risk Manager EIF N=.r!:7"F/K+k&5]<HK"m7F/@5$#

HRMRM0043E U)<^CH_j9ke.G<?,5zG9#

b@: Risk Manager EIF G<bs,"5zJ$YsH&G<?ru1hj^7?#

79F`NhV: Risk Manager EIF G<bsO"aj3<I -1 r Risk Manager EIF &Qi$Vij

<Ka7^9#

f<6<NhV: Risk Manager EIF N=.r!:7"F/K+k&5]<HK"m7F/@5$#

HRMRM0044E m<+k&$YsHh}Wm0i`N=1CHNn.K:T7^7?#

b@: Risk Manager EIF G<bs,"L.=1CHNn.K:T7^7?#

79F`NhV: Risk Manager EIF G<bsO"aj3<I -1 r Risk Manager EIF &Qi$Vij

<Ka7^9#

f<6<NhV: Risk Manager EIF N=.r!:7"F/K+k&5]<HK"m7F/@5$#

HRMRM0045E m<+k&$YsHh}Wm0i`XN\3K:T7^7?#

b@: Risk Manager EIF G<bs,"L.=1CHHN\3K:T7^7?#

79F`NhV: Risk Manager EIF G<bsO"aj3<I -1 r Risk Manager EIF &Qi$Vij

<Ka7^9#

f<6<NhV: Risk Manager EIF N=.r!:7"F/K+k&5]<HK"m7F/@5$#

HRMRM0046E $YsHrm<+k&$YsHh}Wm0i`Kq-~b&H7F:T7^7?#

b@: Risk Manager EIF G<bs,"L.=1CHXNq-~_K:T7^7?#

79F`NhV: Risk Manager EIF G<bsO"aj3<I -1 r Risk Manager EIF &Qi$Vij

<Ka7^9#

f<6<NhV: Risk Manager EIF N=.r!:7"F/K+k&5]<HK"m7F/@5$#

HRMRM0047E $YsHNw.K:T7^7?#rc = return code#

b@: Risk Manager EIF G<bs,"$YsHr TEC Kw.9kH-K(i<NajMru1hj^

7?#

79F`NhV: Risk Manager EIF G<bsO"aj3<I -1 r Risk Manager EIF &Qi$Vij

<Ka7^9#

f<6<NhV: Risk Manager EIF *hS TEC N=.r!:7"F/K+k&5]<HK"m7F/

@5$#


HRMRM0048E uV;^U)<Nn.K:T7^7?"errno = errno#

b@: Risk Manager EIF G<bsO")f;^U)<rn.9k3H,G-^;sG7?#

79F`NhV: Risk Manager EIF G<bsO"aj3<I -1 G*;7^9#

f<6<NhV: Risk Manager EIF N=.r!:7"F/K+k&5]<HK"m7F/@5$#

HRMRM0049E winsock.dll N+OfK retun code ,a5l^7?#

b@: Risk Manager EIF G<bsO"Windows N=1CHL.rO09k3H,G-^;sG7?#

79F`NhV: Risk Manager EIF G<bs,"WSAStartup +ia5l?aj3<IG*;7^7

?#

f<6<NhV: Risk Manager EIF H OS =.r!:7"F/K+k&5]<HK"m7F/@5

$#

HRMRM0050E GPC0 (s5<S9) b<IGBTfG9#

b@: Risk Manager Observer O"GPC0 (s5<S9) N<IGBTfG9#

HRMRM0051E 5<S9r$s9H<k7F/@5$#

b@: Risk Manager Observer NHQeNh^j8gG9#

HRMRM0052E RMO -r : 5<S9N|n#

b@: Risk Manager Observer NHQeNh^j8gG9#

HRMRM0053E 5<S9r$s9H<kG-^;s: Service name#

b@: Risk Manager Observer 5<S9,$s9H<kK:T7^7?#

79F`NhV: Risk Manager Observer 5<S9O":T7?"Wj1<7gsh}$s?<U'<9

(API) +iNaj3<IG*;7^9#

f<6<NhV: Risk Manager Observer N=.r!:7"F/K+k&5]<HK"m7F/@5$#

HRMRM0054E 5<S9&-<Mr_j7F/@5$#

b@: Risk Manager Observer 5<S9,$s9H<kK:T7^7?#

79F`NhV: Risk Manager Observer 5<S9,":T7? API +iNaj3<IG*;7^9#

f<6<NhV: Risk Manager Observer N=.rA'C/7"F/K+k&5]<HK"m7F/@5

$#


HRMRM0055E 5<S9&-<rn.7F/@5$#

b@: Risk Manager Observer 5<S9,"l89Hj<`\rn.9k3H,G-^;sG7?#

79F`NhV: Risk Manager Observer 5<S9O":T7? API +iNaj3<IG*;7^9#

f<6<NhV: Risk Manager Observer N=.r!:7"F/K+k&5]<HK"m7F/@5$#

HRMRM0056E !Ni$Vij<rm<IG-^;s: Library name#

b@: Risk Manager Observer 5<S9O"Java >[^7sN DLL rm<I9k3H,G-^;sG

7?#

79F`NhV: Risk Manager Observer 5<S9O"<mJ0NajMG*;7^9#

f<6<NhV: Risk Manager Observer N=.r!:7"F/K+k&5]<HK"m7F/@5$#

HRMRM0057E JVM rn.G-^;s#(i<&3<I: return code#

b@: Risk Manager Observer 5<S9O"Java >[^7sN$s9?s9rn.9k3H,G-^;

sG7?#

79F`NhV: Risk Manager Observer 5<S9O"<mJ0NajMG*;7^9#

f<6<NhV: Risk Manager Observer N=.r!:7"F/K+k&5]<HK"m7F/@5$#

HRMRM0058E /i9 return code ,+U+j^;s#

b@: Risk Manager Observer 5<S9O"RMO /i9r+U1k3H,G-^;sG7?#

79F`NhV: Risk Manager Observer 5<S9O"<mJ0NajMG*;7^9#

f<6<NhV: Risk Manager Observer =.r!:7"F/K+k&5]<HK"m7F/@5$#

HRMRM0059E Java a=CI ID ,+U+j^;s#

b@: Risk Manager Observer 5<S9O RMO /i9bN Main a=CIr+U1k3H,G-^;

sG7?#

79F`NhV: Risk Manager Observer 5<S9O"<mJ0NajMG*;7^9#

f<6<NhV: Risk Manager Observer N=.r!:7"F/K+k&5]<HK"m7F/@5$#

HRMRM0060E Service name - (i<:

b@: Risk Manager Observer N(i<&9Hjs0G9#

HRMRM0063E Risk Manager Observer r+OG-^;s#

b@: Risk Manager Observer O+O9k3H,G-^;sG7?#

79F`NhV: Risk Manager Observer 5<S9O"<mJ0NajMG*;7^9#

f<6<NhV: Risk Manager Observer N=.r!:7"F/K+k&5]<HK"m7F/@5$#


HRMRM0064E Risk Manager Observer rd_G-^;s#

b@: Risk Manager Observer Od_9k3H,G-^;sG7?#

79F`NhV: Risk Manager Observer 5<S9O"<mJ0NajMG*;7^9#

f<6<NhV: Risk Manager Observer N=.r!:7"F/K+k&5]<HK"m7F/@5$#

Risk Manager EIF Observer �$+&�0

HRMJR0003E TVf line number G*;9kk<kN(i<G9#

b@: =N=8,!:5lF$kk<k&U!$kK"k<k,5zKJk6xHJk(i<,^^l

F$^9#

79F`NhV: Risk Manager EIF Nm<+k&$YsHh}(s8sH;Q9kH"k<k&U!$

kO5oK0n7^;s#

f<6<NhV: k<k&U!$kbN(i<r{57F/@5$#

HRMJR0004E k<kN*ojK;_3ms,"j^;s#

b@: =N=8,!:5lF$kk<k&U!$kK";_3ms,^^lF$^;s#k<k&U!

$kO5zG9#

79F`NhV: Risk Manager EIF Nm<+k&$YsHh}(s8sH;Q9kH"k<k&U!$

kO5oK0n7^;s#

f<6<NhV: k<k&U!$kbN(i<r{57F/@5$#

HRMJR0005E k<kNc2: failing rule

b@: j9H5lF$kk<kK"=8(i<,^^lF$^9#

79F`NhV: Risk Manager EIF Nm<+k&$YsHh}(s8sH;Q9kH"k<k&U!$

kO5oK0n7^;s#

f<6<NhV: k<k&U!$kbN(i<r{57F/@5$#

HRMJR0006E U!$k file name ,+U+j^;s#

b@: Wm0i`OU!$kr*<Ws9k3H,G-^;sG7?#

79F`NhV: Risk Manager EIF m<+k&$YsHh}Wm0i`G3Ndj,/87?lg"=

NWm0i`O[o*;7^9#lgKhCFOh},Q39k3H,"j^9,"E#$YsHNo

:OBT5l^;s#

f<6<NhV: U!$k>,57/Wm0i`KO5lF$k3HrN'7F/@5$#


HRMJR0007E m<+k&$YsHh}G]<H port number rP$sIG-^;s#

b@: m<+k&$YsHh}Wm0i` (rmo) O"$RMADHOME/etc/rmad.conf =.U!$kG

LocalEventPort H7FXj5l?]<Hr*<Ws9k3H,G-^;s#

79F`NhV: m<+k&$YsHh}Wm0i`O:T7^9#

f<6<NhV: ]<Hr"79F`GHQD=J]<HKQ97F/@5$#

Web IDS �$+&�0

HRMWI0001E U!$k file_name rI_hj`nQK*<WsG-^;s#

b@: Xj5l? Web 5<P<Nm0,+U+j^;sG7?#

f<6<NhV: -zJU!$k>Gdj>7F/@5$#

79F`NhV: U!$k,+U+j^;s#Wm0i`Od_7^7?#

HRMWI0002E Webids N=.U!$kG Risk Manager Event Integration Facility i$Vij<NQ9,57/_

j5lF$^;s#

b@: TEC 5<P<Kpsrw.9k?aK,WJ Risk Manager Event Integeration Facility i$Vi

j<&U!$kr+U1il^;sG7?#

f<6<NhV: =.U!$kbN librmadPath Mr",ZJG#l/Hj<rX9h&KQ97^

9#

79F`NhV: i$Vij<,+U+j^;s#$YsHOw.5l^;s#

HRMWI0005E =.U!$kK variable_name ,,WG9#=.U!$kKIC7",WK~8F"Web 5<P<Nm

0&U!$kKbIC7F/@5$#

b@: Web IDS ,0n9k?aK,WJQt,"=.U!$kK"j^;s#

f<6<NhV: gn7F$kQtr=.U!$kKIC7"=lK,ZJMrdjvFF/@5$#

79F`NhV: Qt,+U+j^;s#Wm0i`Od_7^7?#

HRMWI0006E hZj8zNXj,J$NG|Ur57/rOG-^;s#hZj8zH"|U^?O|Upsr=.

U!$kG407F/@5$#

b@: Web IDS K"|UN57$,d}!r'15;k,W,"j^9#7?,CFhZj8z,,W

KJj^9#

f<6<NhV: date_delim NMr=.U!$kGXj7F/@5$#

79F`NhV: hZj8z,Xj5lF$^;s#|UO57/rO5l^;s#


HRMWI0007E file_name <line_number> key_name O-z-<GO"j^;s#

b@: -<,'15l^;sG7?#lLK"-zJ-<O ″value″ ^?O ″delim″ G9#

f<6<NhV: -<r-zJM (″value″ ^?O ″delim″) KQ97F/@5$#

79F`NhV: (i<,sp5l^7?,"BTrQ37^9#

HRMWI0008E =.U!$kK dictionary_value ,"j^;s#dictionary_value rIC9k+"G#/7gJj<

J0NbNrHQ9kh&K logPattern_value rQ97F/@5$#

b@: =.U!$kK"Qt dictionary_value ,"j^;s#

f<6<NhV: dictionary_value r=.U!$kKIC7"=lK,ZJMrdjvFF/@5$#

79F`NhV: Qt,+U+j^;s#Wm0i`Od_7^7?#

HRMWI0009E hZj8zrXj7J$H"G#/7gJj<r57/rOG-^;s#=.U!$kbNhZj8

z"G#/7gJj<ps"^?O=N>}r407F/@5$#

b@: =.U!$kGG#/7gJj<MrXj9klgO"G#/7gJj<NhZj8zbXj9

k,W,"j^9#

f<6<NhV: dictionary_delim NMr=.U!$kGXj7F/@5$#

79F`NhV: G#/7gJj<NhZj8z,+U+j^;s#Wm0i`Od_7^7?#

HRMWI0010E !NhZj8zj9HrHQ7FG#/7gJj<r57/rO9k3H,G-^;sG7?: user

specified valid delimiters

b@: Xj5l?hZj8zj9HrHQ7F"Web 5<P<Nm0bNG#/7gJj<`\r,d

9k3H,G-^;s#7?,CF"3NG#/7gJj<`\r}r9k3H,G-^;s#

f<6<NhV: -zJhZj8zj9Hr=.U!$kGXj7F/@5$#

79F`NhV: G#/7gJj<NhZj8z,5zG9#Wm0i`Od_7^7?#

HRMWI0011E CLF N=.U!$kN-<M,6 (false) K_j5lF$^9,"logPattern M,_j5lF$^;

s#=.U!$krT87F"Wm0i`rFO07F/@5$#

b@: m0&U!$k, CLF A0GJ$3H, Web IDS KLN5l^7?," Web IDS O=Nm

0&U!$kNI_hj}rX(5lF$^;s#

f<6<NhV: logPattern_value NMr=.U!$kGXj9k+"m0&U!$k,B]K CLF

A0G"klgO"clf_value r 1 KQ97F/@5$#

79F`NhV: m0&U!$kr}r9k3H,G-^;s#Wm0i`Od_7^7?#

HRMWI0012E hZj8zrXj7J$H"logPattern r57/rOG-^;s#hZj8zH logPattern ^?OlogPattern psr=.U!$kG407F/@5$#

b@: =.U!$kK logPattern MrXj9klgO"logPattern NhZj8zbXj9k,W,"j

^9#

f<6<NhV: logPattern_delim NMr=.U!$kGXj7F/@5$#

79F`NhV: logPattern NhZj8z,+U+j^;s#Wm0i`Od_7^7?#


HRMWI0013E !NhZj8zj9HrHQ7F logPattern r57/rO9k3H,G-^;sG7?: user specified

valid delimiters

b@: Xj5l? logPattern hZj8zj9HrHQ7F"logPattern Mr3s]<MsHK,d9k

3H,G-^;sG7?#

f<6<NhV: -zJhZj8zj9Hr=.U!$kGXj7F/@5$#

79F`NhV: logPattern NhZj8z,5zG9#Wm0i`Od_7^7?#

HRMWI0014E !NhZj8zj9HrHQ7F|Ur57/rO9k3H,G-^;sG7?: user specified valid

delimiters

b@: Xj5l?|UNhZj8zj9HrHQ7F"|UMr3s]<MsHK,d9k3H,G-

^;sG7?#

f<6<NhV: -zJhZj8zj9Hr=.U!$kGXj7F/@5$#

79F`NhV: |UNhZj8z,5zG9#Wm0i`Od_7^7?#

HRMWI0015E hZj8zrXj7J$H"~or57/rOG-^;s#hZj8z"~ops"^?O=N>}r

=.U!$kG407F/@5$#

b@: =.U!$kK~oMrXj9klgO"~oNhZj8zbXj9k,W,"j^9#

f<6<NhV: time_delim NMr=.U!$kGXj7F/@5$#

79F`NhV: ~oNhZj8z,+U+j^;sG7?#Wm0i`Od_7^7?#

HRMWI0016E !NhZj8zj9HrHQ7F~or57/rO9k3H,G-^;sG7?: user specified valid

delimiters

b@: Xj5l?~oNhZj8zj9HrHQ7F"~oMr3s]<MsHK,d9k3H,G-

^;sG7?#

f<6<NhV: -zJhZj8zj9Hr=.U!$kGXj7F/@5$#

79F`NhV: ~oNhZj8z,5zG9#Wm0i`Od_7^7?#

HRMWI0017E /i9 ’name’ O9GK ’engine_name’ (s8sKXj5lF$^9#

b@: ?(il?(s8sbNF/i9KO"G-N>0rU1k,W,"j^9#

f<6<NhV: 70KAc<&U!$kbNE#7F$k/i9N 1 DN>0rQ97F/@5$#

79F`NhV: /i9>rE#5;^9#

HRMWI0018E U!$k ’signature_file_name’ K5zJ70KAc< ’signature name’ ,"j^9#1 TKO"2 `\^

?O 4 `\rHQG-^9#

b@: 70KAc<O"Q?<sH>0"^?OQ?<s">0"79F`Ne@ ID *hS79F`

Ne@G<?Y<9N>0N$:l+G=.5lF$^9#7?,CF"Ag&I 2 D^?O 4 DN

U#<kIr}?J$70KAc<O"5zG9#

f<6<NhV: ,WJtNU#<kIr}Dh&K70KAc<rQ97F/@5$#

79F`NhV: 70KAc<,5zG9#Wm0i`Od_7^7?#


HRMWI0019E 70KAc<&U!$k ’signature_file_name’ K,\/i9 ’engine(class_name)’ ,"j^;s#

b@: Web IDS ,5oK0n9kKO"$/D+N/i9,,WG9#

f<6<NhV: sig.nefarious NPC/"CW&3T<+i",\N/i9r|57F/@5$#

79F`NhV: ,\N/i9,"j^;s#Wm0i`Od_7^7?#

HRMWI0020E (s8s ’engine_name’ N ’class_name’ /i9N70KAc<r>AG-^;s#

b@: 70KAc<&U!$kGjA5lF$k70KAc<NQ?<sO"5zJ5,==G9#

f<6<NhV: -zJ5,==KJkh&K70KAc<rQ97",ZK>AG-kh&K7F/

@5$#

79F`NhV: 70KAc<NQ?<s,5zG9#Wm0i`Od_7^7?#

HRMWI0021E /i9 ’class_name’ N,\Qia<?< ’parameter_name’ K5zJ=8,"j^9#

b@: CjN/i9NQia<?<,mCF$^9#

f<6<NhV: =N(s8s^?O/i9KG-N=8K`r9kh&"Qia<?<rQ97F/

@5$ (3asHrIsG/@5$)#

79F`NhV: Wm0i`Od_7^7?#

HRMWI0022E 70KAc<&U!$k ’signature_file_name’ K5zJ(s8s> ’engine_name’ ,+U+j^7?#

b@: (s8s>O"skip"parser"pattern"trust"*hS suspicion N$:lGb"j^;s#

f<6<NhV: 9YFN/i9H70KAc<r"s!5lF$k(s8sN 1 DKjA7F/@5

$#

79F`NhV: (s8s>,5zG9#Wm0i`Od_7^7?#

HRMWI0023E 70KAc<&U!$k ’signature_file_name’ G suspicion (s8sK5zJ printLvl ’print_level’ ,Xj5l^7?#

b@: printLvl O"all"warnings"^?O alerts N$:l+GJ1lPJj^;s#

f<6<NhV: printLvl r3li 3 DN-zJMNbN 1 DK_j7F/@5$#

79F`NhV: printLvl ,5zG9#Wm0i`Od_7^7?#

HRMWI0024E 70KAc<&U!$k ’%2$s’ G suspicion (s8sK5zJQia<?< ’%1$s’ ,Xj5l^

7?#

b@: suspicion (s8sNQia<?<,mCF$^9#=8,mCF$k+"Qia<?<,

printLvl (#lN-zJQia<?<) GO"j^;s#

f<6<NhV: Qia<?<H7F printLvl N_r}Dh&K(s8srXj7F/@5$#

79F`NhV: Wm0i`Od_7^7?#


HRMWI0025E (s8s ’engine_name’ O"70KAc<&U!$k ’ signature_file_name’ bN>,JQia<?<r

u1~l^;s#

b@: 3N(s8sjAOQia<?<ru1hj^;s#7?,CF"33GjA5lF$kbNO

9YFU#,"j^;s#Qia<?<ru1hkNO"suspicion (s8s@1G9#

f<6<NhV: 3N(s8sNQia<?<r|n7F/@5$#

79F`NhV: (s8sNQia<?<,5zG9#Wm0i`Od_7^7?#

HRMWI0026E 70KAc<&U!$k ’signature_file_name’.printLvl bG"suspicion (s8s ’suspicion’ KprintLvl ,Xj5lF$^;s#

b@: Qia<?< printLvl r suspicion (s8sKXj9k,W,"j^9#

f<6<NhV: (s8sKQia<?< printLvl rXj7F/@5$#

79F`NhV: Wm0i`Od_7^7?#

HRMWI0027E 70KAc<&U!$k ’signature_file_name’ G"(s8s ’engine_name’ N/i9 ’class_name’ Klevel1"level2"^?O k Qia<?<,Xj5lF$J$+""k$O5zG9#

b@: level1"level2"*hS k Qia<?<O"/i9jA4HK57/Xj9k,W,"j^9#3

Nlg"=liNQia<?<,Xj5lF$J$+"=NjA,mCF$^9#

f<6<NhV: T,ZJM,J$+"3NCjN/i9NQia<?<r,O7F/@5$#

79F`NhV: Qia<?<,T,ZG9#Wm0i`Od_7^7?#

HRMWI0028E 3N70KAc<&U!$k ’signature_file_name’ bN(s8s ’engine_name’ N/i9 ’class_name’ Nlevel1 O level2 hjg-/J1lPJj^;s#

b@: Level1 O"Level2 J<G9#D^j"V[9H4HWN"i<H,8.5lk?SK"i9J

VIa$s4HWN"i<Hb8.5lk3HrU#7^9#

f<6<NhV: Level1 r Level2 hjb$/i+g-/_j7F/@5$#

79F`NhV: Wm0i`Od_7^7?#

HRMWI0029E 70KAc<&U!$k ’signature_file_name’ G"(s8s ’engine_name’ N/i9 ’class_name’ K"5

zJ level1"level2"^?O k z-t,Xj5l^7?#

b@: level1"level2"*hS k Qia<?<O"/i9jA4HK57/Xj9k,W,"j^9#3

NlgO"=liNQia<?<NjA,mCF$^9#

f<6<NhV: T,ZJM,J$+"3NCjN/i9NQia<?<r,O7F/@5$#

79F`NhV: Qia<?<,T,ZG9#Wm0i`Od_7^7?#


HRMWI0030E 70KAc<&U!$k ’signature_file_name’ G"(s8s ’engine_name’ N/i9 ’class_name’ KU#<kI&Qia<?<,"j^;s#

b@: U#<kI&Qia<?<O"3N/i9bN70KAc<KM-go;kH-K"m0`\N

INt,r+k+rXj7^9#U#<kI&Qia<?<,J$lgKO"Web IDS OI3r+lP

h$N+,o+j^;s#

f<6<NhV: /i9NQia<?<H7FU#<kI>rXj7^9#

79F`NhV: Wm0i`Od_7^7?#

HRMWI0031E 70KAc<&U!$k ’signature_file_name’ G"(s8s ’engine_name’ N/i9 ’class_name’ K"5

zJU#<kI> ’field_name’ ,Xj5l^7?#

b@: U#<kI>Ou1~lD=JMN 1 DGO"j^;s#7?,CF"U#<kI>O Web

IDS KHCFO4/U#,"j^;s#

f<6<NhV: U#<kINMr"″url″ JINu1~lD=JMK_j7F/@5$#

79F`NhV: Wm0i`Od_7^7?#

HRMWI0032E 70KAc<&U!$k ’signature_file_name’ G"(s8s ’engine_name’ N/i9 ’class_name’ K"5

zJro ’operator’ ,Xj5l^7?#

b@: ’!’ ^?O ’=’ J0Nro,Xj5l^7?#

f<6<NhV: ror,O7"=lr,ZG-zJi;RKQ97F/@5$#

79F`NhV: Wm0i`Od_7^7?#

HRMWI0033E 70KAc<&U!$k ’signature_file_name’ G"(s8s ’engine_name’ N/i9 ’class_name’ Kcancel Qia<?<,Xj5lF$^;s#

b@: trust (s8sbN/i9KO"5zK9k$YsHN/i9rXj9k cancel Qia<?<,

,WG9#

f<6<NhV: Web IDS ,"3N/i9NM-go;NkL"IN$YsHr5zK9kN+,o+

kh&K" cancel Qia<?<rXj7F/@5$#

79F`NhV: Wm0i`Od_7^7?#

HRMWI0034E 70KAc<&U!$k ’signature_file_name’ G"(s8s ’engine_name’ N/i9 ’class_name’ Ncancel Qia<?<K"5zJ/i9> ’cancelled_class_name’ ,Xj5l^7?#

b@: cancel Qia<?<,U#r}DNO"=l,=_8_7F$k/i9rXj7F$klgN_

G9#D0J,i"3N/i9NQia<?<O8_7F$^;s#

f<6<NhV: cancel Qia<?<,"8_7F$k/i9rXj7F$k3HrN'7F/@5

$#

79F`NhV: Wm0i`Od_7^7?#


HRMWI0035E 70KAc<&U!$k ’signature_file_name’ G"(s8s ’engine_name’ N/i9 ’class_name’ N,\

Qia<?<K"5zJ/i9> ’required_class_name’ ,Xj5l^7?#

b@: require Qia<?<,U#r}DNO"=l,=_8_7F$k/i9rXj7F$klgN_

G9#D0J,i"3N/i9NQia<?<O8_7F$^;s#

f<6<NhV: require Qia<?<,"8_7F$k/i9rXj7F$k3HrN'7F/@5

$#

79F`NhV: Wm0i`Od_7^7?#

HRMWI0036E 5zJ"i<H&G<?=$G9#

b@: "i<H&G<?=$G"kbtN Web IDS =$,ulF$^9#

f<6<NhV: Web IDS rFO07F/@5$#

79F`NhV: Wm0i`Od_7^7?#

HRMWI0037E (s8s ’engine_name’ N/i9 ’class_name’ NlYk ’which_level’ ,=LG-^;s#

b@: btN Web IDS =$,ulF$^9#

f<6<NhV: Web IDS rFO07F/@5$#

79F`NhV: Wm0i`Od_7^7?#

HRMWI0038E (s8s ’engine_name’ N/i9 ’class_name’ N K M,=LG-^;s#

b@: btN Web IDS =$,ulF$^9#

f<6<NhV: Web IDS rFO07F/@5$#

79F`NhV: Wm0i`Od_7^7?#

HRMWI0039E "Wj1<7gs&$YsH&m0r*<WsG-^;s#

b@: NT $YsH&m0HNL.Kdj,"j^9#

f<6<NhV: Web IDS rFO07F/@5$#dj,+jV7/89klgKO"79F`rjV

<H7F/@5$#

79F`NhV: L.Kdj,"j^9#Wm0i`Od_7^7?#

HRMWI0040E Risk Manager Event Integration Facility K$YsHrw.G-^;s#

b@: Web IDS KO"RMEIF HNL.Kdj,"j^9#=.K?i+NVc$,"k+"l~*J

djK9.J$+NIAi+G9#

f<6<NhV: aC;<8,lY7+/87J$lgO"?b7J$G/@5$#=lJ0Nlg

O"Web IDS rd_7"3^sITG wrmadmin -restart r~O7F Web IDS rFO07F/@5

$#

79F`NhV: L.Kdj,"j^9#BTOQ37^9#


!�����%�

3NU?GO"Risk Manager N0NP<8gs+i^$0l<7gs9kf<6<Kpsr

s!7^9#

����� ��0%� 3.8 �����������"�+�����

Risk Manager "@W?< P<8gs 3.8 JeGHQ5lkU)<^CH&U!$k^?O=

N>N=.U!$kO""@W?<NF$s9H<k^?O"CW0l<IfK"PC/"C

W&G#l/Hj<K]I5l^9#=.U!$kO"!N $RMADHOME/etc/backup G#l/

Hj<K]I5l^9 (RMADHOME O$s9H<k&G#l/Hj<)#

¶ /usr/RISKMGR (AIX Nlg)

¶ /opt/RISKMGR (Solaris *hS Linux Nlg)

¶ %SystemDrive%¥Program Files¥Tivoli¥RISKMGR (Windows NlgNGU)kH)

J<N=.U!$k,]I5l^9#

¶ Risk Manager Event Integration Facility:

$RMADHOME/etc/rmad.conf

$RMADHOME/etc/rmad_summary.rules

¶ Web Intrusion Detection System:

$RMADHOME/etc/sig.nefarious

$RMADHOME/etc/webids.cfg

$RMADHOME/etc/webids.fmt

$RMADHOME/etc/webids.nt.fmt

¶ Cisco Secure IDS Q"@W?<:

$RMADHOME/etc/csids.fmt

$RMADHOME/etc/csids.nt.fmt

¶ Check Point FireWall-1 Q"@W?<

$RMADHOME/etc/cpfw.fmt

$RMADHOME/etc/cpfw.nt.fmt

$RMADHOME/etc/rma_cpfw.conf

¶ Risk Manager N5]<H&U!$k:

$RMADHOME/etc/os_aix.fmt

$RMADHOME/etc/os_solaris.fmt

$RMADHOME/etc/os_nt.fmt

$RMADHOME/etc/os_linux.fmt

$RMADHOME/etc/pix.fmt

$RMADHOME/etc/pix_nt.fmt


$RMADHOME/etc/rmnav.fmt

$RMADHOME/etc/rmmac.fmt

$RMADHOME/etc/tecad_snmp.cds

$RMADHOME/etc/tecad_snmp.oid

lLK"F$s9H<k^?O"CW0l<IN?aN$s9H<keNh}GO""@W?

<H&K$s9H<k5l?=.U!$kO=N^^D5l^9#=.U!$kN]IQ_P

<8gsrHQ9klgO"=lrPC/"CW&G#l/Hj<+i $RMADHOME/etc G#

l/Hj<K3T<9k3H,G-^9#

F$s9H<k^?O"CW0l<IfK$s9H<k&79F`,"=TP<8gsN

rmad.conf U!$kH rmad_summary.rules U!$kr|57^9,"$s9H<kQ_N

("k$O*j8JkN) P<8gsb]I7^9# Risk Manager OJ<N"/7gsrBT

7F"rmad.conf U!$kH rmad_summary.rules U!$krh}7^9#

¶ U!$k4HK $RMADHOME/etc/File r $RMADHOME/etc/backup/File.orig X\07^

9#

¶ U!$k4HK $RMADHOME/etc/backup/File r $RMADHOME/etc/File K\07^9#

33G"File O"rmad.conf ^?O rmad_summary.rules rX7^9#

Risk Manager ��0%� 3.7 ���� ����������������!�����%�

"@W?<, Risk Manager P<8gs 3.7 rHQ7F9GK (Tivoli QC1<8^?O

TME J0N tar QC1<8N$:l++i) $s9H<k5lF$klgO"P<8gs

3.8 N"@W?<NF$s9H<kh}fK"J<N^$0l<7gsnH,BT5l^9#

AIX *hS Solaris 79F`Nlg:

¶ rma_app_env.sh D-9/jWHbNpsKhCF" 3.7 N$s9H<kNm1<7gs

,h^j^9 (app O"CjN"@W?<r=7"eif"cpfw"nr"web"^?O perl N$

:l+HJj^9)#

¶ f<6<,=.D=JG<?r^`=.U!$k,"PC/"CW&G#l/Hj<

$RMADHOME/etc/backup bN7,N$s9H<k&m1<7gsK3T<5l^9#J<N

"@W?<N=.U!$k,]I5l^9#

v Risk Manager Event Integration Facility

v Web Intrusion Detection System

v Cisco Secure IDS Q"@W?< (J0O NetRanger H7FNilF$^7?)

v Check Point FireWall-1 Q"@W?<

m: J<N Risk Manager N5]<H&U!$kO"P<8gs 3.7 NU!$kNm1<

7gs+iO3T<5l^;s#^?"|nb5l^;s#=liNU!$kNm1

<7gsr=L9k}!,J$+iG9#

v Risk Manager Event Integration Facility:

$RMADHOME/etc/rmad.conf

$RMADHOME/etc/rmad_summary.rules

v Web Intrusion Detection System:


$RMADHOME/etc/sig.nefarious

$RMADHOME/etc/webids.cfg

$RMADHOME/etc/webids.fmt

$RMADHOME/etc/webids.nt.fmt

v Cisco Secure IDS QN"@W?<:

$RMADHOME/etc/csids.fmt

$RMADHOME/etc/csids.nt.fmt

v Check Point FireWall-1 Q"@W?<:

$RMADHOME/etc/cpfw.fmt

$RMADHOME/etc/cpfw.nt.fmt

$RMADHOME/etc/rma_cpfw.conf

v Risk Manager N5]<H&U!$k:

$RMADHOME/etc/os_aix.fmt

$RMADHOME/etc/os_solaris.fmt

$RMADHOME/etc/os_nt.fmt

$RMADHOME/etc/os_linux.fmt

$RMADHOME/etc/pix.fmt

$RMADHOME/etc/pix_nt.fmt

$RMADHOME/etc/rmnav.fmt

$RMADHOME/etc/rmmac.fmt

$RMADHOME/etc/tecad_snmp.cds

$RMADHOME/etc/tecad_snmp.oid

¶ Risk Manager P<8gs 3.7 $s9H<k&79F`O"3.7 N|n9/jWHrHQ7

F|n5l^9#!K"=N|n9/jWH,o|5l^9#

Windows 79F`Nlg:

Risk Manager 3.7 r|n7F+iP<8gs 3.8 r$s9H<k9k,W,"j^9#J<

K"Risk Manager P<8gs 3.7 N"@W?<r|n9kjgr(7^9#

1. CjND- 3^sIrBT7F"|n9k"@W?<K,WJ Risk Manager NQ9r_

j7^9#qN*J3^sI>O"J<NH*jG9#

¶ %SystemRoot%¥Tivoli¥rma_eif_env.cmd

¶ %SystemRoot%¥Tivoli¥rma_web_env.cmd

¶ %SystemRoot%¥Tivoli¥rma_cpfw_env.cmd

¶ %SystemRoot%¥Tivoli¥rma_nr_env.cmd

¶ %SystemRoot%¥Tivoli¥rma_perl_env.cmd

2. |n 3^sIrBT7^9#qN*J3^sI>O"J<NH*jG9#

¶ rma_eif-remove.cmd

¶ rma_web-remove.cmd

¶ rma_cpfw-remove.cmd

¶ rma_nr-remove.cmd

¶ rma_perl-remove.cmd

3. HQ7?|n3^sIr!Nh&K7Fo|7^9#

del %RMHOME%¥bin¥%INTERP%¥bin¥Command


33G"Command O|n9k3^sIN>0G9#

Risk Manager P<8gs 3.7 G$s9H<k5lF$?F"@W?<r|n7?eK"J<

NICN/j<s"CWrBT7^9#

1. %RMADHOME% G#l/Hj<,^@8_7F$klgO"=NG#l/Hj<H=NbFr

J<N3^sIrHQ7F|n7^9#

rmdir /s %RMADHOME%

2. TME *hS TME J0N>}KD$F"J<NU!$kr|n7^9#

del %RMHOME%¥bin¥%INTERP%¥bin¥wbindmsg.exe

del %RMHOME%¥bin¥%INTERP%¥bin¥rmenvcrt.exe

3. TME J0Nlg"J<NU!$kr|n7^9#

del %RMHOME%¥msg_cat¥*¥rminst.cat

4. TME Nlg"J<NU!$kr|n7^9#

del %RMHOME%¥generic¥msg_cat¥*¥rminst.cat

P<8gs 3.8 r$s9H<k7?eGO"e-NjgrHQ7F Risk Manager P<8gs

3.7 N$s9H<k&79F`r/j<s"CW7J$G/@5$#P<8gs 3.8 N$s9

H<keKe-NjgrBT9kH"3.8 N$s9H<k&79F`,;}ru1^9#

Risk Manager Server �!�����%�

Risk Manager Server N"CW0l<IfK"=.U!$k, $BINDIR/RISKMGR/backup G#

l/Hj<K]I5l^9#]I5lkU!$kO"J<NH*jG9#

¶ 9YFN .pro U!$k

¶ 9YFN .lst U!$k

¶ 9YFN .rls U!$k

¶ 9YFN .baroc U!$k

¶ rmt_tasks.tll U!$k

¶ RISKMGR/ACF_REP G#l/Hj<bK"k9YFN"@W?<N=.U!$k


Cisco Secure IDS ����3<:�

J<O"\qNPG~@GHQD=J Cisco Secure IDS $YsHNlwG9#3liO"

Cisco Secure IDS QN Risk Manager "@W?<KhCF@(*KHiCW5l":v9k"

@W?<&l3<IK^CW5l^9#

sig_1000 IP options-Bad Option List

sig_1001 IP options-Record Packet Route

sig_1002 IP options-Timestamp

sig_1003 IP options-Provide s,c,h,tcc

sig_1004 IP options-Loose Source Route

sig_1005 IP options-SATNET ID

sig_1006 IP options-Strict Source Route

sig_1100 IP Fragment Attack

sig_1101 Unknown IP Protocol

sig_1102 Impossible IP Packet

sig_1103 IP Fragments Overlap

sig_1104 IP Localhost Source Spoof

sig_1200 IP Fragmentation Buffer Full

sig_1201 IP Fragment Overlap

sig_1202 IP Fragment Overrun - Datagram Too Long

sig_1203 IP Fragment Overwrite - Data is Overwritten

sig_1204 IP Fragment Missing Initial Fragment

sig_1205 IP Fragment Too Many Datagrams

sig_1206 IP Fragment Too Small

sig_1207 IP Fragment Too Many Frags

sig_1208 IP Fragment Incomplete Datagram

sig_1220 Jolt2 Fragment Reassembly DoS attack NEW

sig_2000 ICMP Echo Reply

sig_2001 ICMP Host Unreachable

sig_2002 ICMP Source Quench

sig_2003 ICMP Redirect

sig_2004 ICMP Echo Request

sig_2005 ICMP Time Exceeded for a Datagram

sig_2006 ICMP Parameter Problem on Datagram

sig_2007 ICMP Timestamp Request

sig_2008 ICMP Timestamp Reply

sig_2009 ICMP Information Request

sig_2010 ICMP Information Reply

sig_2011 ICMP Address Mask Request


sig_2012 ICMP Address Mask Reply

sig_2100 ICMP Network Sweep w/Echo

sig_2101 ICMP Network Sweep w/Timestamp

sig_2102 ICMP Network Sweep w/Address Mask

sig_2150 Fragmented ICMP Traffic

sig_2151 Large ICMP Traffic

sig_2152 ICMP Flood

sig_2153 Smurf

sig_2154 Ping of Death Attack

sig_3000 TCP Ports

sig_3001 TCP Port Sweep

sig_3002 TCP SYN Port Sweep

sig_3003 TCP Frag SYN Port Sweep

sig_3005 TCP FIN Port Sweep

sig_3006 TCP Frag FIN Port Sweep

sig_3010 TCP High Port Sweep

sig_3011 TCP FIN High Port Sweep

sig_3012 TCP Frag FIN High Port Sweep

sig_3015 TCP Null Port Sweep

sig_3016 TCP Frag Null Port Sweep

sig_3020 TCP SYN FIN Port Sweep

sig_3021 TCP Frag SYN FIN Port Sweep

sig_3030 TCP SYN Host Sweep

sig_3031 TCP FRAG SYN Host Sweep

sig_3032 TCP FIN Host Sweep

sig_3033 TCP FRAG FIN Host Sweep

sig_3034 TCP NULL Host Sweep

sig_3035 TCP FRAG NULL Host Sweep

sig_3036 TCP SYN FIN Host Sweep

sig_3037 TCP FRAG SYN FIN Host Sweep

sig_3038 Fragmented NULL TCP Packet

sig_3039 Fragmented Orphaned FIN packet

sig_3040 NULL TCP Packet

sig_3041 SYN/FIN Packet

sig_3042 Orphaned Fin Packet

sig_3043 Fragmented SYN/FIN Packet

sig_3045 Queso Sweep

sig_3050 Half-open SYN Attack

sig_3100 Smail Attack

sig_3101 Sendmail Invalid Recipient

sig_3102 Sendmail Invalid Sender

sig_3103 Sendmail Reconnaissance

sig_3104 Archaic Sendmail Attacks

sig_3105 Sendmail Decode Alias

sig_3106 Mail Spam

sig_3107 Majordomo Execute Attack

sig_3108 MIME Overflow Bug

sig_3109 Q-Mail Length Crash


sig_3110 Suspicious Mail Attachment

sig_3150 FTP Remote Command Execution

sig_3151 FTP SYST Command Attempt

sig_3152 FTP CWD xroot

sig_3153 FTP Improper Address Specified

sig_3154 FTP Improper Port Specified

sig_3155 FTP RETR Pipe Filename Command Execution

sig_3156 FTP STOR Pipe Filename Command Execution

sig_3157 FTP PASV Port Spoof

sig_3200 WWW Phf Attack

sig_3201 WWW General cgi-bin Attack

sig_3202 WWW .url File Requested

sig_3203 WWW .lnk File Requested

sig_3204 WWW .bat File Requested

sig_3205 HTML File Has .url Link

sig_3206 HTML File Has .lnk Link

sig_3207 HTML File Has .bat Link

sig_3208 WWW campas Attack

sig_3209 WWW Glimpse Server Attack

sig_3210 WWW IIS View Source Attack

sig_3211 WWW IIS Hex View Source Attack

sig_3212 WWW NPH-TEST-CGI Attack

sig_3213 WWW TEST-CGI Attack

sig_3214 IIS DOT DOT VIEW Attack

sig_3215 IIS DOT DOT EXECUTE Attack

sig_3216 IIS Dot Dot Crash Attack

sig_3217 WWW php View File Attack

sig_3218 WWW SGI Wrap Attack

sig_3219 WWW PHP Buffer Overflow

sig_3220 IIS Long URL Crash Bug

sig_3221 WWW cgi-viewsource Attack

sig_3222 WWW PHP Log Scripts Read Attack

sig_3223 WWW IRIX cgi-handler Attack

sig_3224 HTTP WebGais

sig_3225 HTTP Gais Websendmail

sig_3226 WWW Webdist Bug

sig_3227 WWW Htmlscript Bug

sig_3228 WWW Performer Bug

sig_3229 Website Win-C-Sample Buffer Overflow

sig_3230 Website Uploader

sig_3231 Novell convert

sig_3232 WWW finger attempt

sig_3233 WWW count-cgi Overflow

sig_3250 TCP Hijack

sig_3251 TCP Hijacking Simplex Mode

sig_3300 NetBIOS OOB Data

sig_3301 NETBIOS Stat

sig_3302 NETBIOS Session Setup Failure


sig_3303 Windows Guest Login

sig_3304 Windows Null Account Name

sig_3305 Windows Password File Access

sig_3306 Windows Registry Access

sig_3307 Windows Redbutton Attack

sig_3308 Windows LSARPC Access

sig_3309 Windows SRVSVC Access

sig_3400 Sunkill

sig_3401 Telnet-IFS Match

sig_3450 Finger Bomb

sig_3500 Rlogin -froot Attack

sig_3525 IMAP Authenticate Buffer Overflow

sig_3526 Imap Login Buffer Overflow

sig_3530 Cisco Secure ACS Oversized TACACS+ Attack NEW

sig_3540 Cisco Secure ACS CSAdmin Attack NEW

sig_3550 POP Buffer Overflow

sig_3575 INN Buffer Overflow

sig_3576 INN Control Message Exploit

sig_3600 IOS Telnet Buffer Overflow

sig_3601 IOS Command History Exploit

sig_3602 Cisco IOS Identity

sig_3603 IOS Enable Bypass

sig_3650 SSH RSAREF2 Buffer Overflow

sig_3990 BackOrifice BO2K TCP Non Stealth

sig_3991 BackOrifice BO2K TCP Stealth 1

sig_3992 BackOrifice BO2K TCP Stealth 2

sig_4000 UDP Packet

sig_4001 UDP Port Sweep

sig_4002 UDP Flood

sig_4050 UDP Bomb

sig_4051 Snork

sig_4052 Chargen DoS

sig_4053 Back Orifice

sig_4054 RIP Trace

sig_4055 BackOrifice BO2K UDP

sig_4100 Tftp Passwd File

sig_4150 Ascend Denial of Service

sig_4500 Cisco IOS Embedded SNMP Community Names NEW

sig_4600 IOS UDP Bomb

sig_5034 WWW IIS newdsn attack

sig_5035 HTTP cgi HylaFAX Faxsurvey

sig_5036 WWW Windows Password File Access Attempt

sig_5037 WWW SGI MachineInfo Attack

sig_5038 WWW wwwsql file read Bug

sig_5039 WWW finger attempt

sig_5040 WWW Perl Interpreter Attack

sig_5041 WWW anyform attack

sig_5042 WWW CGI Valid Shell Access


sig_5043 WWW Cold Fusion Attack

sig_5044 WWW Webcom.se Guestbook attack

sig_5045 WWW xterm display attack

sig_5046 WWW dumpenv.pl recon

sig_5047 WWW Server Side Include POST attack

sig_5048 WWW IIS BAT EXE attack

sig_5049 WWW IIS showcode.asp access

sig_5050 WWW IIS .htr Overflow Attack

sig_5051 IIS Double Byte Code Page

sig_5052 FrontPage Extensions PWD Open Attempt

sig_5053 FrontPage _vti_bin Directory List Attempt

sig_5054 WWWBoard Password

sig_5055 HTTP Basic Authentication Overflow

sig_5056 WWW Cisco IOS %% DoS

sig_5057 WWW Sambar Samples

sig_5058 WWW info2www Attack

sig_5059 WWW Alibaba Attack

sig_5060 WWW Excite AT-generate.cgi Access

sig_5061 WWW catalog_type.asp Access

sig_5062 WWW classifieds.cgi Attack

sig_5063 WWW dmblparser.exe Access

sig_5064 WWW imagemap.cgi Attack

sig_5065 WWW IRIX infosrch.cgi Attack

sig_5066 WWW man.sh Access

sig_5067 WWW plusmail Attack

sig_5068 WWW formmail.pl Access

sig_5069 WWW whois_raw.cgi Attack

sig_5070 WWW msadcs.dll Access

sig_5071 WWW msacds.dll Attack

sig_5072 WWW bizdb1-search.cgi Attack

sig_5073 WWW EZshopper loadpage.cgi Attack

sig_5074 WWW EZshopper search.cgi Attack

sig_5075 WWW IIS Virtualized UNC Bug

sig_5076 WWW webplus bug

sig_5077 WWW Excite AT-admin.cgi Access

sig_5078 WWW Piranha passwd attack

sig_5079 WWW PCCS MySQL Admin Access

sig_5080 WWW IBM WebSphere Access NEW

sig_5081 WWW WinNT cmd.exe Access NEW

sig_5083 WWW Virtual Vision FTP Browser Access NEW

sig_5084 WWW Alibaba Attack 2 NEW

sig_5085 WWW IIS Source Fragment Access NEW

sig_5086 WWW WEBactive Logfile Access NEW

sig_5087 WWW Sun Java Server Access NEW

sig_5088 WWW Akopia MiniVend Access NEW

sig_5089 WWW Big Brother Directory Access NEW

sig_5090 WWW FrontPage htimage.exe Access NEW

sig_5091 WWW Cart32 Remote Admin Access NEW


sig_5092 WWW CGI-World Poll It Access NEW

sig_5093 WWW PHP-Nuke admin.php3 Access NEW

sig_5095 WWW CGI Script Center Account Manager Attack NEW

sig_5096 WWW CGI Script Center Subscribe Me Attack NEW

sig_5097 WWW FrontPage MS-DOS Device Attack NEW

sig_5099 WWW GWScripts News Publisher Access NEW

sig_5100 WWW CGI Center Auction Weaver File Access NEW

sig_5101 WWW CGI Center Auction Weaver Attack NEW

sig_5102 WWW phpPhotoAlbum explorer.php Access NEW

sig_5103 WWW SuSE Apache CGI Source Access NEW

sig_5104 WWW YaBB File Access NEW

sig_5105 WWW Ranson Johnson mailto.cgi Attack NEW

sig_5106 WWW Ranson Johnson mailform.pl Access NEW

sig_5107 WWW Mandrake Linux /perl Access NEW

sig_5108 WWW Netegrity Site Minder Access NEW

sig_5109 WWW Sambar Beta search.dll Access NEW

sig_5110 WWW SuSE Installed Packages Access NEW

sig_5111 WWW Solaris Answerbook 2 Access NEW

sig_5112 WWW Solaris Answerbook 2 Attack NEW

sig_5113 WWW CommuniGate Pro Access NEW

sig_5114 WWW IIS Unicode Attack NEW

sig_6001 Normal SATAN Probe

sig_6002 Heavy SATAN Probe

sig_6050 DNS HINFO Request

sig_6051 DNS Zone Transfer

sig_6052 DNS Zone Transfer from High Port

sig_6053 DNS Request for All Records

sig_6054 DNS Version Request

sig_6055 DNS Inverse Query Buffer Overflow

sig_6056 BIND NXT Buffer Overflow

sig_6057 BIND SIG Buffer Overflow

sig_6100 RPC Port Registration

sig_6101 RPC Port Unregistration

sig_6102 RPC Dump

sig_6103 Proxied RPC Request

sig_6104 RPC Set Spoof

sig_6105 RPC Unset Spoof

sig_6110 RPC RSTATD Sweep

sig_6111 RPC RUSERSD Sweep

sig_6112 RPC NFS Sweep

sig_6113 RPC MOUNTD Sweep

sig_6114 RPC YPPASSWDD Sweep

sig_6115 RPC SELECTION_SVC Sweep

sig_6116 RPC REXD Sweep

sig_6117 RPC STATUS Sweep

sig_6118 RPC ttdb Sweep

sig_6150 ypserv Portmap Request

sig_6151 ypbind Portmap Request


sig_6152 yppasswdd Portmap Request

sig_6153 ypupdated Portmap Request

sig_6154 ypxfrd Portmap Request

sig_6155 mountd Portmap Request

sig_6175 rexd Portmap Request

sig_6180 rexd Attempt

sig_6190 statd Buffer Overflow

sig_6191 RPC.tooltalk buffer overflow

sig_6192 RPC mountd Buffer Overflow

sig_6193 RPC CMSD Buffer Overflow

sig_6194 sadmind RPC Buffer Overflow

sig_6195 RPC amd Buffer Overflow

sig_6200 Ident Buffer Overflow

sig_6201 Ident Newline

sig_6202 Ident Improper Request

sig_6250 FTP Authorization Failure

sig_6251 Telnet Authorization Failure

sig_6252 Rlogin Authorization Failure

sig_6253 POP3 Authorization Failure

sig_6255 SMB Authorization Failure

sig_6300 Loki ICMP Tunnelling

sig_6302 General Loki ICMP Tunneling

sig_6500 RingZero Trojan

sig_6501 TFN Client Request

sig_6502 TFN Server Reply

sig_6503 Stacheldraht Client Request

sig_6504 Stacheldraht Server Reply

sig_6505 Trinoo Client Request

sig_6506 Trinoo Server Reply

sig_6507 TFN2K Control Traffic

sig_6508 Mstream Control Traffic

sig_8000/2101 FTP Retrieve Password File

sig_8000/2302 Telnet-/etc/shadow Match

sig_8000/2303 Telnet-+ +

sig_8000/51301 Rlogin-IFS Match

sig_8000/51302 Rlogin-/etc/shadow Match

sig_8000/51303 Rlogin-+ +

sig_10000/1000 IP-Spoof Interface 1

sig_10000/1001 IP-Spoof Interface 2


ISS RealSecure ����3<:�

J<Nj9HO"=~@G ISS RealSecure Khj SNMP $YsHH7F TEC SNMP "@

W?<Kw.5lk6br(7^9#3li,"=_ TEC SNMP "@W?<KhCF5]<

H5lF$k6b70KAc<G9#

Risk Manager ,5]<H7J$ ISS RealSecure 6bO9YF Catch All /i9K,`5l

^9#

(+4������3<:�HTTP..

HTTP Robots Txt

HTTP NCSA Buffer Overflow

HTTP NT8.3 Filename

HTTP Netscape Space View

HTTP Netscape Page Services

HTTP IE3 URL

HTTP IIS$DATA

HTTP PHF

HTTP UNIX Passwords

HTTP IE BAT

HTTP Nph Test Cgi

HTTP Shells

HTTP Test Cgi

HTTP WebSite Uploader

HTTP Sgi Handler

HTTP WebSite Sample

HTTP IISExAir DoS

HTTP Campas cgi-bin

HTTP HylaFax faxsurvey

HTTP Cold Fusion

HTTP IIS3 Asp Dot

HTTP IIS3 Asp 2e

HTTP WebFinger

HTTP Cachemgr

HTTP MachineInfo

HTTP Count

HTTP SiteCsc Access

HTTP Webgais


HTTP FormMail

HTTP Guestbook

HTTP Websendmail

HTTP Classifieds Post

HTTP Glimpse cgi-bin

HTTP HTMLScript

HTTP Novell Convert

HTTP Novell Files

HTTP PHP Overflow

HTTP Pfdisplay Read

HTTP Pfdisplay Execute

HTTP RegEcho

HTTP RpcNLog

HTTP SCO View-Source

HTTP SGI Wrap

HTTP SGI Webdist

HTTP Verity Search

HTTP Carbo Server

HTTP Info2WWW

HTTP JJ

HTTP Cdomain

ARP Host Down

Portmapper Program Dump Decode

IP HalfScan

Queso Scan

Rlogin -froot

Windows Access Error

Ftp SYST Command Decode

Ftp Root

FSP Detected

Finger User

Port Scan

UDP Port Scan

Kerberos User Snarf

DNS Length Overflow

Echo Denial of Service

Generic Intel Overflow

Mountd Export Decode

Mountd Mnt Decode

Nfs Mknod Check

Perl Fingerd Check

Email Expn

Email Vrfy

Email Vrfy Overflow

Email Helo Overflow

Email Ehlo

Email Pipe

Email Decode


Email Debug

Email Wiz

Email Qmail Length

Ident Error

Snmp Activity

Snmp Set

Sun SNMP Backdoor

HP OpenView SNMP Backdoor

Imap User

Imap Password

Imap Overflow

POP Overflow

TearDrop

Land_UDP

Land Denial of Service Attack

Ident User Decoding

Finger Bomb

FTP Bounce

FTP Privileged Bounce Attack

Ping Flood

Smurf

Win IGMP

Windows Out Of Band

Ping Of Death

SYNFlood

IP Protocol Violation

BackOrifice

TrinooDaemon

NetBus_Pro

IPUnknownProtocol

IPFrag

Satan

ISS Scan Check

��������3<:�

Login Successful

Logout

Guest

Use Of User Rights

Password change Failed

Password change Successful

Failed login - account locked out

Failed login - account expired

Failed login - bad username or password

Failed login - account disabled

Logon with Admin Privileges

Global group user added


Global group user removed

Local group changed

Local group created

Local group deleted

Local group user added

Local group user removed

Account policy change

User account changed

User account created

User account deleted

User right granted

User right revoked

Audit log cleared

Audit policy change

User added to local admin group

User admin right granted

Important programs

Privilege service called

Registry autorun changed

Program started

Program exited

Logon process registered

Brute Force login attack

Brute Force login attack Successful

Change password attack

Change password attack Successful

Registry eventlog settings changed

Registry NT security options changed

Failed change of important files

Config-log files deleted

Suspect port scan

Suspicious FTP connection

Suspicious IMAP connection

Suspicious Netstat connection

Suspicious POP3 connection

Suspicious POP2 connection

Suspicious SMTP connection

Suspicious Systat connection

Suspicious Telnet connection

Suspicious Whois connection

Suspicious WWW connection

Suspicious Finger connection

Suspicious Time connection

Suspicious SSH connection

Suspicious Sunrcp connection

Suspect Netbus


McAfee Alert Manager �� McAfee NetShield �*��$+&�0

J<N McAfee Alert Manager *hS NetShield aC;<8O"Risk Manager rmmac.fmt U

)<^CH&U!$kKhjhj~^l^9#

[HsINaC;<8O"Alert Manager $YsH&m0&"i<H G+O7^9#

Critical messages:

- File %FILENAME% is infected with %VIRUSNAME% %VIRUSTYPE%. Detected by scan engine %ENGINEVERSION%, DAT version %DATVERSION%.

- File %FILENAME% is infected with %VIRUSNAME% %VIRUSTYPE%. The file cannot be cleaned with the current scan engine version %ENGINEVERSION%, DAT version %DATVERSION%.

- File %FILENAME% is infected with %VIRUSNAME% %VIRUSTYPE%. The infected file cannot be deleted.

- %FILENAME% cannot be excluded from the scan.

- File %FILENAME% is infected with %VIRUSNAME% %VIRUSTYPE%. Access to the file was denied. Detected by scan engine version %ENGINEVERSION%, DAT version %DATVERSION%.

- File %FILENAME% is infected with %VIRUSNAME% %VIRUSTYPE%. The file cannot be moved to the quarantine area. Detected by scan engine version %ENGINEVERSION%, DAT version %DATVERSION%.

- System memory is infected with %VIRUSNAME% %VIRUSTYPE%. Detected by scan engine version %ENGINEVERSION%, DAT version %DATVERSION%.

- The boot record is infected with %VIRUSNAME% %VIRUSTYPE%. Detected by scan engine version %ENGINEVERSION%, DAT version %DATVERSION%.

- An infected file was detected. Scan engine version %ENGINEVERSION%, DAT version %DATVERSION%. Scan engine version %ENGINEVERSION%, DAT version %DATVERSION% detected and cleaned the infected file.

- A binder object is infected.


- File %FILENAME% is infected with %VIRUSNAME% %VIRUSTYPE%. Detected by heuristics, scan engine %ENGINEVERSION%, DAT version %DATVERSION%.

- Heuristics detected a %VIRUSNAME% %VIRUSTYPE% infection in file %FILENAME%. The infected file cannot be deleted.

- Heuristics detected a %VIRUSNAME% %VIRUSTYPE% infection in file %FILENAME%, and the file was moved to the quarantine area. Detected by scan engine version %ENGINEVERSION%, DAT version %DATVERSION%.

- Heuristics detected a %VIRUSNAME% %VIRUSTYPE% infection in file %FILENAME%. The file cannot be moved to the quarantine area. Detected by scan engine version %ENGINEVERSION%, DAT version %DATVERSION%.

- An error occurred while cleaning the boot record infected with %VIRUSNAME% %VIRUSTYPE%. Detected by scan engine version %ENGINEVERSION%, DAT version %DATVERSION%.

- The attachment %FILENAME% of the e-mail from %MAILFROMNAME% to %MAILTONAME% (subject %MAILSUBJECTLINE%) is infected with %VIRUSNAME%. The infected attachment cannot be cleaned with scan engine version %ENGINEVERSION%, DAT version %DATVERSION%. The file was deleted.

- The e-mail from %MAILFROMNAME% to %MAILTONAME% (CC: %MAILCCNAME%, subject %MAILSUBJECTLINE%) is infected with the virus %VIRUSNAME%. The e-mail was deleted.

- The attachment %FILENAME% of the e-mail from %MAILFROMNAME% to %MAILTONAME% (subject %MAILSUBJECTLINE%) is infected with %VIRUSNAME%. The infected attachment cannot be cleaned with scan engine version %ENGINEVERSION%, DAT version %DATVERSION%. The file was deleted and quarantined.

Major messages:

- File %FILENAME% is infected with %VIRUSNAME% %VIRUSTYPE%. The file was successfully cleaned by scan engine version %ENGINEVERSION%, DAT version %DATVERSION%.

- File %FILENAME% is infected with %VIRUSNAME% %VIRUSTYPE%. The file was successfully deleted.

- Heuristics detected a %VIRUSNAME% %VIRUSTYPE% infection in file %FILENAME%. The file was successfully deleted.

- The update failed. Check the event log.

- The upgrade failed. Check the event log.

- The e-mail from %MAILFROMNAME% to %MAILTONAME% (CC: %MAILCCNAME%, subject %MAILSUBJECTLINE%) is infected with the virus %VIRUSNAME%.

- A … condition has occurred.


Minor messages:

- A macro was detected in %FILENAME%.

- A macro was removed from %FILENAME%.

- The attachment %FILENAME% of the e-mail from %MAILFROMNAME% to %MAILTONAME% (subject %MAILSUBJECTLINE%) is infected with %VIRUSNAME%. The infected attachment was cleaned.

- The e-mail from %MAILFROMNAME% to %MAILTONAME% (CC: %MAILCCNAME%, subject %MAILSUBJECTLINE%) is infected with the virus %VIRUSNAME%. The e-mail was quarantined.

- Incoming e-mail is held until disk space becomes available.

- Warning - delivery terminated.

- The attachment %FILENAME% of the e-mail from %MAILFROMNAME% to %MAILTONAME% (subject %MAILSUBJECTLINE%) is infected with %VIRUSNAME%. The infected attachment was cleaned and quarantined.

Warning messages:

- File %FILENAME% is excluded from the scan.

- File %FILENAME% is infected with %VIRUSNAME% %VIRUSTYPE%. The infected file was moved to the quarantine area. Detected by scan engine version %SCANENGINE%, DAT version %DATVERSION%.

- The scan was cancelled. %GMTTIME%

- While scanning file %FILENAME%, an error was reported accessing the activity log file. The scan engine version is %ENGINEVERSION%, DAT version %DATVERSION%.

- While scanning file %FILENAME%, a memory allocation error was reported. The scan engine version is %ENGINEVERSION%, DAT version %DATVERSION%.

- The directory path is too long. Some items cannot be scanned at the specified location. An error occurred while scanning file %FILENAME%. The scan engine version is %ENGINEVERSION%, DAT version %DATVERSION%.

- While scanning file %FILENAME%, the file could not be accessed because it is write-protected. The scan engine version is %ENGINEVERSION%, DAT version %DATVERSION%.

- While scanning file %FILENAME%, the specified media was not found. The scan engine version is %ENGINEVERSION%, DAT version %DATVERSION%.

- While scanning file %FILENAME%, an invalid scan item was detected. The scan engine version is %ENGINEVERSION%, DAT version %DATVERSION%.


- While scanning file %FILENAME%, a file read error was reported. The scan engine version is %ENGINEVERSION%, DAT version %DATVERSION%.

- While scanning file %FILENAME%, a disk read error was reported. The scan engine version is %ENGINEVERSION%, DAT version %DATVERSION%.

- While scanning file %FILENAME%, a general system error was reported. The scan engine version is %ENGINEVERSION%, DAT version %DATVERSION%.

- While scanning file %FILENAME%, an internal application error was reported. The scan engine version is %ENGINEVERSION%, DAT version %DATVERSION%.

- An error was detected while processing the password-protected file %FILENAME%. The scan engine version is %ENGINEVERSION%, DAT version %DATVERSION%.

- The password-protected file %FILENAME% cannot be scanned. The scan engine version is %ENGINEVERSION%, DAT version %DATVERSION%.

- The scan of %FILENAME% was cancelled because it was taking too long. The scan engine version is %ENGINEVERSION%, DAT version %DATVERSION%.

- The boot record infected with %VIRUSNAME% %VIRUSTYPE% was cleaned. Detected by scan engine version %ENGINEVERSION%, DAT version %DATVERSION%.

- An error occurred while sending the alert.

- The specified option is invalid.

- The scheduled task cannot be started.

- A scheduled task stopped because of an error.

- The task was cancelled.

- An error occurred while writing to the log file %FILENAME%.

- A memory allocation error occurred.

- Scan processing error.

- The upgrade was cancelled.

- An old DAT version is in use. Scan version %ENGINEVERSION%, DAT version %DATVERSION%.

- The e-mail from %MAILFROMNAME% to %MAILTONAME% (subject %MAILSUBJECTLINE%) violates content filter rule %VIRUSNAME%. The e-mail has been blocked.

- The e-mail from %MAILFROMNAME% to %MAILTONAME% (CC: %MAILCCNAME%, subject %MAILSUBJECTLINE%) violates a content filter rule. The e-mail has been blocked.


- Disk space has become available, and processing of incoming e-mail has resumed.

Information messages:

- The scan completed. No infected files were detected. The scan engine version is %ENGINEVERSION%, DAT version %DATVERSION%.

- The service started.

- The service terminated.

- The task started successfully.

- The scheduled task stopped.

- The task completed successfully.

- The on-access scan started. %GMTTIME%. Scan version %ENGINEVERSION%, DAT version %DATVERSION%.

- The on-access scan stopped. Scan version %ENGINEVERSION%, DAT version %DATVERSION%.

- Scan summary %INFO. Scan version %ENGINEVERSION%, DAT version %DATVERSION%.

- EVENT_SCAN_ENDED

- The update completed successfully. Scan version %ENGINEVERSION%, DAT version %DATVERSION%.

- The update is in progress.

- The update was cancelled.

- The upgrade is in progress.

- The scan was cancelled because the DAT file changed. Scan version %ENGINEVERSION%, DAT version %DATVERSION%.

- The process started.

- The process terminated.

- The on-demand scan started.

- The on-demand scan completed. Viruses detected %NUMVIRS%, cleaned %NUMCLEANED%, deleted %NUMDELETED%, quarantined %NUMQUARANTINED%. Scan version %ENGINEVERSION%, DAT version %DATVERSION%.

- Running on %OS%. Processor serial number %PROCESSORSERIAL% (PIII only).

- The startup request was processed successfully.

- The shutdown request was processed successfully.

- The MIB file %FILENAME% is unavailable.

- Alert Manager service: the Alert Manager service started.

- Network Associates AutoUpdate started successfully.

- Network Associates AutoUpdate stopped successfully.


- The new version is the same as the installed product version.

- Updating the DAT files to version %DATVERSION%.

- The NetShield 2000 McShield service started. Scanning for %NUMVIRS% viruses. Engine version: %ENGINEVERSION%, driver version: %DATVERSION%, extra driver name: %DRIVERNAME%, number of virus signatures in the extra driver: %NUM%, virus names the extra driver can detect: %VIRUSNAMES%
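Each message above is a template whose %NAME% fields become the attributes of the resulting event. The Python below is an added example, not the rmmac.fmt format file (whose syntax this page does not show) and not McAfee or Tivoli code: it compiles a handful of the translated templates into regular expressions, extracts the field values from a message, and records which severity group the matching template belongs to. The template subset, the group names as dictionary keys, and the sample messages are constructed for the example; the one template that repeats %ENGINEVERSION% and %DATVERSION% shows why a repeated field has to become a backreference rather than a second capture group.

```python
import re

# A few of the translated templates, grouped by the severity class the page
# assigns them (constructed subset; the groups are the page's headings).
TEMPLATES = {
    "CRITICAL": [
        "File %FILENAME% is infected with %VIRUSNAME% %VIRUSTYPE%. "
        "Detected by scan engine %ENGINEVERSION%, DAT version %DATVERSION%.",
        "System memory is infected with %VIRUSNAME% %VIRUSTYPE%. "
        "Detected by scan engine version %ENGINEVERSION%, DAT version %DATVERSION%.",
        # Repeats two fields: the second occurrence must carry the same value.
        "An infected file was detected. Scan engine version %ENGINEVERSION%, "
        "DAT version %DATVERSION%. Scan engine version %ENGINEVERSION%, "
        "DAT version %DATVERSION% detected and cleaned the infected file.",
    ],
    "MAJOR": [
        "File %FILENAME% is infected with %VIRUSNAME% %VIRUSTYPE%. The file was "
        "successfully cleaned by scan engine version %ENGINEVERSION%, "
        "DAT version %DATVERSION%.",
    ],
    "WARNING": [
        "An old DAT version is in use. Scan version %ENGINEVERSION%, "
        "DAT version %DATVERSION%.",
    ],
    "INFORMATION": [
        "The on-demand scan completed. Viruses detected %NUMVIRS%, cleaned "
        "%NUMCLEANED%, deleted %NUMDELETED%, quarantined %NUMQUARANTINED%. "
        "Scan version %ENGINEVERSION%, DAT version %DATVERSION%.",
    ],
}

PLACEHOLDER = re.compile(r"%([A-Z]+)%")


def compile_template(template):
    """Turn a template with %NAME% fields into an anchored regular expression.

    The first occurrence of %NAME% becomes a named, non-greedy group; a repeat
    becomes a backreference, so a message has to carry the same value in both
    places or it does not match at all.
    """
    parts, pos, seen = ["^"], 0, set()
    for m in PLACEHOLDER.finditer(template):
        parts.append(re.escape(template[pos:m.start()]))  # literal text between fields
        name = m.group(1)
        if name in seen:
            parts.append(f"(?P={name})")
        else:
            seen.add(name)
            parts.append(f"(?P<{name}>.+?)")
        pos = m.end()
    parts.append(re.escape(template[pos:]) + "$")
    return re.compile("".join(parts))


# Compile once, keeping table order so the first matching template wins.
COMPILED = [(sev, compile_template(t)) for sev, ts in TEMPLATES.items() for t in ts]


def parse_alert(message):
    """Return (severity, {field: value}) for the first matching template, else None."""
    for severity, regex in COMPILED:
        m = regex.match(message.strip())
        if m:
            return severity, m.groupdict()
    return None


# Constructed sample alert text, not real McAfee output.
SAMPLE_CRITICAL = (r"File C:\temp\invoice.doc.exe is infected with W32/Klez.h Virus. "
                   "Detected by scan engine 4.1.60, DAT version 4185.")
SAMPLE_INFO = ("The on-demand scan completed. Viruses detected 3, cleaned 2, "
               "deleted 1, quarantined 0. Scan version 4.1.60, DAT version 4185.")

if __name__ == "__main__":
    for text in (SAMPLE_CRITICAL, SAMPLE_INFO, "unrelated text"):
        print(parse_alert(text))
```

Two things to keep in mind when matching this way: adjacent fields such as %VIRUSNAME% %VIRUSTYPE% are only separated by a single space, so a virus name containing spaces is split at the wrong place, and a message that matches no template at all is returned as None rather than being silently filed under some default class, which is the behaviour you want when an unexpected message shape reaches the adapter.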


Network IDS alerts

A Network Intrusion Detection System (IDS) reports attack alerts using ID numbers. These numbers do not correspond to Common Vulnerabilities and Exposures (CVE) identifiers, because the Network IDS also reports security problems that are not vulnerabilities (configuration errors, backdoors, scans, and so on), and because it tries to identify attacks as generically as possible. For Network IDS signatures that correspond directly to a CVE entry, the Network IDS puts the CVE reference ID at the start of the report string. Information on a given CVE ID can be obtained from http://csrc.nist.gov/icat/vulnerabilities/<CVE-ID>.

The Network IDS defines severity levels as integer values. Zero (0) indicates the most serious threat, and higher values indicate progressively less serious threats.

Every alert starts with a keyword that places the alert in a category. The alert categories are as follows.

Table 19. Alert categories

CVE       A specific vulnerability listed in the CVE database
ALERT     A generic attack not listed in the CVE database
DOS       A known denial-of-service attack
SCAN      A traffic pattern that indicates reconnaissance before an attack
CONFIG    An attempt to exploit a security-related configuration error
AUTH      An authentication failure that may indicate an attack
BACKDOOR  Traffic to a known backdoor program
STEALTH   Traffic typical of a known stealth attack

The Network IDS performs two categories of detection: built-in alerts and signature-based alerts.

Network IDS built-in alerts

Built-in alerts deal with conditions that cannot be detected simply by matching a pattern in session or packet data. Detecting them requires inspecting the behaviour of the protocol itself or analysing across several sessions. These tests are hard-coded in the Network IDS and cannot be changed. The Network IDS defines the report strings and severity levels of the built-in alerts in the ids.msg file.


The following are the Network IDS built-in alert events available at the time of writing. These events are trapped automatically by the Risk Manager Network IDS adapter and mapped to the corresponding UNIX syslog event log records.

Category  CVE            Alert string

AUTH      CVE-1999-0526  AUTH X11 client connected with NULL auth
          N/A            AUTH - BAD PASSWORD
          N/A            AUTH - LOGIN FAILURE
          N/A            AUTH - UNKNOWN USER
          N/A            AUTH - X11-Connection failed

BACKDOOR  N/A            BACKDOOR - Possible Back Orifice session detected

CONFIG    CVE-1999-0986  CONFIG - Record Route Packet
          N/A            CONFIG - Source Routed Packet

DOS       CVE-1999-0016  DOS - SRC address is equal to DST address
          CVE-1999-0103  DOS - UDP FLOOD
          CVE-1999-0116  DOS - SYN FLOOD
          CVE-1999-0128  DOS - Oversized Pa
          CVE-1999-016   DOS - IPFRAG overlay - possible teardrop
          CVE-1999-0153  DOS - OUT-OF-BAND Data.. possible WINNUKE
          CVE-1999-0513  DOS - ICMP Flood
          N/A            DOS - FIN FLOOD
          N/A            DOS - IP Fragment Length <= 0 - possible DOS
          N/A            DOS - Possible connection flood
          N/A            DOS - RST FLOOD

LOKI      N/A            BACKDOOR - LOKI packet - 2 way stealth channel


SCAN      N/A            SCAN - ICMP - Wide Scan Fast
          N/A            SCAN - TCP - FIN Scan Slow
          N/A            SCAN - TCP - FIN Scan
          N/A            SCAN - TCP - Port Scan Fast
          N/A            SCAN - TCP - Port Scan Slow
          N/A            SCAN - TCP - RST Scan Slow
          N/A            SCAN - TCP - RST Scan
          N/A            SCAN - TCP - Wide Scan Fast
          N/A            SCAN - UDP - Port Scan Fast
          N/A            SCAN - UDP - Port Scan Slow
          N/A            SCAN - UDP - Wide Scan Fast
          N/A            SCAN - UDP - Wide Scan Slow

STEALTH   CVE-2000-0305  STEALTH - Possible IP Frag attack
          N/A            STEALTH - FRAGMENTED packet in session
          N/A            STEALTH - Micro Frag detected - possible IDS evasion
          N/A            STEALTH - Time-To-Live: Changed - possible IDS evasion

Network IDS signature-based alerts

For signature-based alerts, the Network IDS detects specific patterns in packet or session data streams at a particular protocol level. The Network IDS defines these signature patterns, the priority of each alert, and the reporting message in the ids.rules file. The following are the Network IDS events available at the time of writing. They are trapped automatically by the Network IDS and mapped to the corresponding UNIX syslog event log records. The listing gives the type, the protocol, and the message.
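Both kinds of alert arrive at the adapter as a syslog record whose message text starts with an optional CVE reference ID followed by one of the Table 19 keywords. The Python below is an added example, not Risk Manager, ids.msg or ids.rules code: it parses constructed syslog lines, splits off the CVE ID and the category keyword, builds the ICAT lookup URL the page gives for CVE-prefixed alerts, and orders the alerts most-serious-first. The numeric ranks per category, the syslog program name "ids", and the sample log lines are assumptions made for the example; the page states only that 0 is the most serious level and that the real levels are defined in ids.msg and ids.rules.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Table 19 keywords with an ASSUMED rank (0 = most serious, the direction the
# page defines). The real levels live in ids.msg and ids.rules, not reproduced here.
ASSUMED_RANK = {
    "CVE": 0, "BACKDOOR": 1, "DOS": 2, "ALERT": 3,
    "STEALTH": 4, "AUTH": 5, "CONFIG": 6, "SCAN": 7,
}
UNKNOWN_RANK = 9  # anything that does not start with a Table 19 keyword

CVE_PREFIX = re.compile(r"^(CVE-\d{4}-\d{3,})\s+")
# Classic BSD syslog layout: "Mon dd hh:mm:ss host prog[pid]: message".
SYSLOG_LINE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<prog>[^\s:\[]+)(?:\[\d+\])?: (?P<msg>.*)$"
)
ICAT_BASE = "http://csrc.nist.gov/icat/vulnerabilities/"


@dataclass
class IdsAlert:
    host: str
    category: str
    rank: int
    cve: Optional[str]
    text: str

    @property
    def lookup_url(self) -> Optional[str]:
        """The ICAT reference the page gives; only CVE-prefixed alerts have one."""
        return ICAT_BASE + self.cve if self.cve else None


def classify(message: str):
    """Split an alert string into (cve, category, rank, text).

    The optional CVE ID comes first, then the category keyword from Table 19.
    A CVE-prefixed alert names a specific known vulnerability, so it is given
    rank 0 whatever keyword follows it (assumption for this example).
    """
    cve = None
    m = CVE_PREFIX.match(message)
    if m:
        cve = m.group(1)
        message = message[m.end():]
    keyword = message.split(None, 1)[0] if message.strip() else ""
    category = keyword if keyword in ASSUMED_RANK else "UNKNOWN"
    rank = 0 if cve else ASSUMED_RANK.get(category, UNKNOWN_RANK)
    return cve, category, rank, message


def parse_syslog(line: str, program: str = "ids") -> Optional[IdsAlert]:
    """Parse one syslog line; None if it is not from the assumed IDS program name."""
    m = SYSLOG_LINE.match(line)
    if not m or m.group("prog") != program:
        return None
    cve, category, rank, text = classify(m.group("msg"))
    return IdsAlert(m.group("host"), category, rank, cve, text)


def triage(lines: List[str]) -> List[IdsAlert]:
    """Keep only IDS alerts and order them most serious first."""
    alerts = [a for a in (parse_syslog(l) for l in lines) if a is not None]
    return sorted(alerts, key=lambda a: (a.rank, a.host))


# Constructed syslog lines; the program name "ids" and the pids are made up.
SAMPLE_LOG = [
    "Mar  3 10:15:02 sensor1 ids[412]: SCAN - TCP - Port Scan Fast",
    "Mar  3 10:15:07 sensor1 ids[412]: CVE-1999-0067 ALERT PHF attempt",
    "Mar  3 10:15:09 sensor2 ids[517]: BACKDOOR NetBus port",
    "Mar  3 10:15:11 sensor2 sshd[600]: Accepted publickey for ops",
    "Mar  3 10:15:12 sensor1 ids[412]: FOO not a Table 19 keyword",
]

if __name__ == "__main__":
    for a in triage(SAMPLE_LOG):
        print(a.rank, a.host, a.category, a.cve, a.lookup_url, a.text)
```

The UNKNOWN bucket is deliberate: a message whose first word is not one of the eight keywords is either a new rule someone added to ids.rules without following the convention, or a line that is not an IDS alert at all, and either way it should surface in review rather than be dropped or guessed into a category.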

Type: ALERT

Protocol: DNS

CVE-1999-0166 ALERT Bad request ../.. possible attack

N/A ALERT Attempt to crash mSQL server


N/A ALERT Bad request /bin/ possible attack

N/A ALERT DNS - Encrypted DATA

N/A ALERT Intel NOOP codes..Possible Buffer Overflow

N/A ALERT RS6K NOOP codes..Possible Buffer Overflow

N/A ALERT SPARC NOOP codes..Possible Buffer Overflow

N/A ALERT Slammer attack

N/A ALERT create file foo

N/A ALERT iChat Server vulnerability

N/A ALERT write file: .rhosts - data: +

Protocol: FTP

CVE-1999-0080 ALERT site exec bug

CVE-1999-0080 SITE ALERT command

CVE-1999-0095 ALERT DEBUG command attempted

CVE-1999-0095 ALERT Sendmail DEB

CVE-1999-0095 ALERT WIZ command attempted

CVE-1999-0166 ALERT ../.. file attempt

N/A ALERT Intel NOOP codes..Possible Buffer Overflow

N/A ALERT Mail Relay Attempted

N/A ALERT Mail being sent to file

N/A ALERT PIPE - bug 2

N/A ALERT PIPE - bug 3

N/A ALERT PIPE - bug

N/A ALERT RS6K NOOP codes..Possible Buffer Overflow

N/A ALERT SMTP help invoked

N/A ALERT SPARC NOOP codes..Possible Buffer Overflow

N/A ALERT access .rhost or .forward file

N/A ALERT access hosts.equiv file


N/A ALERT cannot mail directly to programs

N/A ALERT mail being sent to program

N/A ALERT mail being sent to system

N/A ALERT old sendmail version

N/A APPE (Append) command attempted

N/A Permission Denied Notice

N/A Unsafe CHMOD attempted

Protocol: IDENT

N/A ALERT possible IDENT attack

Protocol: IMAP

N/A ALERT Intel NOOP codes..Possible Buffer Overflow

N/A ALERT RS6K NOOP codes..Possible Buffer Overflow

N/A ALERT SPARC NOOP codes..Possible Buffer Overflow

N/A ALERT possible exploit attempt IMAP

Protocol: IP

N/A ALERT ICMP - Duplicate SEQ number

N/A ALERT ICMP - Encrypted PAYLOAD

N/A POLICY - Possible spoofed IP address

Protocol: NNTP

N/A ALERT NNTP signature

N/A ALERT shell command in news ctrl msg

Protocol: POP

N/A ALERT Intel NOOP codes..Possible Buffer Overflow

N/A ALERT RS6K NOOP codes..Possible Buffer Overflow

N/A ALERT SPARC NOOP codes..Possible Buffer Overflow

N/A ALERT possible exploit attempt POP

Protocol: Telnet

CVE-1999-0067 ALERT attack - PHF bug

CVE-1999-0067 ALERT attack - known phf bug


CVE-1999-0277 ALERT linux workman exploit

N/A ALERT expn - known sendmail problem

N/A ALERT possible AIX lquerypv exploit

N/A ALERT possible attack - gene

N/A ALERT possible chmod sgid file

N/A ALERT possible chmod suid file

N/A ALERT possible chmod uid/sgid file

N/A ALERT sendmail pipe bug

N/A ALERT tprof -x AIX

Protocol: TFTP

N/A ALERT TFTP - Attempt to grab system file

Protocol: WWW

CVE-1999-0039 ALERT SGI webdist.cgi attack

CVE-1999-0039 ALERT SGI webdist.cgi/wrap attack

CVE-1999-0058 ALERT php.cgi access. known security exposure

CVE-1999-0067 ALERT PHF attempt

CVE-1999-0146 ALERT CAMPAS SECURITY BUG

CVE-1999-0175 ALERT Novell convert.bas vulnerability

N/A ALERT ./UnlGG1.1 vulnerability

N/A ALERT /bin/filemail.pl vulnerability

N/A ALERT /cgi-bin/bnbform.cgi vulnerability

N/A ALERT /cgi-bin/cgimail.exe vulnerability

N/A ALERT /cgi-bin/mlog.phtml vulnerability

N/A ALERT /cgi-bin/mylog.phtm vulnerability

N/A ALERT AT-admin.cgi vulnerability

N/A ALERT Attempting to retrieve access file

N/A ALERT CGI_lite.pm, know security problem


N/A ALERT EWS (Excite for Web Servers) CGI hole

N/A ALERT Glimpse Server attack

N/A ALERT Hostile Servlet attempt

N/A ALERT IIS icat script vulnerable

N/A ALERT IIS perl script vulnerable

N/A ALERT Intel NOOP codes..Possible Buffer Overflow

N/A ALERT Link to BAK file

N/A ALERT Link to LNK file

N/A ALERT Link to URL file

N/A ALERT Lotus Notes system file attempt

N/A ALERT MAN-sh Possible Vulnerable program access

N/A ALERT MS Front Page vulnerable ext

N/A ALERT MS IIS CGI filename exploit

N/A ALERT MS Index Server Source Disclosure

N/A ALERT MS Personal Web Server listing bug

N/A ALERT MS frontpage vulnerability

N/A ALERT POST proxy attempted

N/A ALERT Page Services bug attempted

N/A ALERT Possible Code Red compromise

N/A ALERT Possible Code Red worm attack

N/A ALERT Possible Counter.cgi attack

N/A ALERT RS6K NOOP codes..Possible Buffer Overflow

N/A ALERT SGI - Vulnerable program access

N/A ALERT SGI handler attack

N/A ALERT SPARC NOOP codes..Possible Buffer Overflow

N/A ALERT Showcode vulnerability attempted


N/A ALERT Suspicious HTTP Request

N/A ALERT UNICODE

N/A ALERT Vulnerable CGI program detected

N/A ALERT Vulnerable CGI

N/A ALERT WINDOWS Teamtrack vulnerability

N/A ALERT WWW dumping system files

N/A ALERT WebGAIS Accessed - check logs

N/A ALERT WebGAIS Accessed via mail - check logs

N/A ALERT WebSite buffer Overflow

N/A ALERT Windmail vulnerability attempted

N/A ALERT accessing vulnerable script

N/A ALERT asapi/query vulnerability

N/A ALERT asapi/srch vulnerability

N/A ALERT attempt to break out of dir

N/A ALERT attempt to locate shell

N/A ALERT attempting to use date

N/A ALERT coldfusion display openfile vulnerability

N/A ALERT coldfusion exprcalc vulnerability

N/A ALERT coldfusion openfile vulnerability

N/A ALERT dumping .asp source code

N/A ALERT getmvs vulnerability

N/A ALERT htmlscript access attempt

N/A ALERT lyris vulnerability

N/A ALERT maillist.pl vulnerability

N/A ALERT proxy attempted

N/A ALERT survey.cgi vulnerability


N/A ALERT test-cgi access. known security exposure

N/A ALERT tools/getdrvrs.exe vulnerability

N/A ALERT tools/iisamin vulnerability

N/A ALERT tools/newdsn.exe vulnerability

N/A ALERT uploader.exe access. check logs

N/A ALERT web-store.cgi vulnerability

N/A ALERT webcom guestbook vulnerability

N/A ALERT websendmail vulnerability

Protocol: X11

CVE-1999-0067 ALERT attack - PHF bug

CVE-1999-0067 ALERT attack - known phf bug

N/A ALERT expn - known sendmail problem

N/A ALERT linux workman exploit

N/A ALERT possible AIX lquerypv exploit

N/A ALERT possible attack - newline problem in httpd

N/A ALERT possible chmod sgid file

N/A ALERT possible chmod suid file

N/A ALERT possible chmod uid/sgid file

N/A ALERT sendmail pipe bug

N/A ALERT tprof -x AIX

Protocol: XDMCP

N/A ALERT Intel NOOP codes..Possible Buffer Overflow

N/A ALERT RS6K NOOP codes..Possible Buffer Overflow

N/A ALERT SPARC NOOP codes..Possible Buffer Overflow

Type: AUTH

Protocol: DNS

N/A ALERT Intel NOOP codes..Possible Buffer Overflow

N/A ALERT RS6K NOOP codes..Possible Buffer Overflow


N/A ALERT SPARC NOOP codes..Possible Buffer Overflow

N/A ALERT Spawning ROOT shell

N/A ALERT write file foobar

N/A AUTH NULL or Bad Password

N/A AUTH Null or Bad user name

Protocol: FTP

N/A ALERT attempt to go to root directory

N/A AUTH Anon FTP login

N/A AUTH BOGUS login

N/A AUTH attempt to login as demos

N/A AUTH attempt to login as lp

N/A AUTH attempt to login as sync

N/A AUTH guest login banner

N/A AUTH guest login

N/A AUTH root login offpeak

Protocol: POP

N/A AUTH POP login failure

Protocol: Telnet

N/A ALERT rlogin -froot bug

N/A AUTH AS/400 Default accounts attempted

N/A AUTH DEC server default accounts attempted

N/A AUTH DEFAULT USER Account access attempted

N/A AUTH ROOT logging in

N/A AUTH ROOTKIT Default password

N/A AUTH login failure

N/A AUTH permission warning


Protocol: TFTP

N/A ALERT TFTP - Attempt to grab password file

N/A ALERT TFTP - password file contents in TFTP session

N/A ALERT TFTP - router password file in TFTP session

Protocol: WWW

N/A ALERT attempt to access password file

Protocol: X11

N/A ALERT rlogin -froot bug

N/A AUTH login failure

N/A AUTH permission warning

Type: BACKDOOR

Protocol: DNS

N/A BACKDOOR Back Orifice

N/A BACKDOOR Common Backdoor port

N/A BACKDOOR Deep Throat port

N/A BACKDOOR Deep Throat traffic

N/A BACKDOOR NetBus getinfo request

N/A BACKDOOR NetBus port

N/A BACKDOOR NetBus traffic

N/A BACKDOOR PC Anywhere port access

Type: CONFIG

Protocol: DNS

N/A CONFIG 3270 mapper - service

N/A CONFIG ALIS - service

N/A CONFIG DATABASE_SVC - service

N/A CONFIG ETHERSTATD - service

N/A CONFIG KEYSERVD - service

N/A CONFIG LLOCKMGR - service

N/A CONFIG NLOCKMGR - service


N/A CONFIG NSEMNTD - service

N/A CONFIG PCNFS - BAD SERVICE

N/A CONFIG REXD - vulnerable service

N/A CONFIG RJE MAPPER - service running

N/A CONFIG RQUOTAD - service

N/A CONFIG RSED - service

N/A CONFIG RSTATD - service

N/A CONFIG RUSERS - service

N/A CONFIG RWALLD - vulnerable service

N/A CONFIG SELECTION SVC - vulnerable service

N/A CONFIG SHOWFHD - vulnerable service

N/A CONFIG SNMP - service

N/A CONFIG SPRAYD - vulnerable service

N/A CONFIG STAT - vulnerable service

N/A CONFIG STATMON - vulnerable service

N/A CONFIG SUNLINK MAPPER - vulnerable service

N/A CONFIG TFSD - vulnerable service

N/A CONFIG TOOLTALK - vulnerable service

N/A CONFIG X25.inr - service

N/A CONFIG YPBIND - vulnerable service

N/A CONFIG YPPASSWD - vulnerable service

N/A CONFIG YPSERVE - vulnerable service

N/A CONFIG YPUPDATE - vulnerable service

N/A CONFIG YPXFRD - vulnerable service

N/A CONFIG bad resolve request

Protocol: FTP

N/A CONFIG deleting file/directory


Protocol: IP

N/A CONFIG - LSRR Loose Source Routing

N/A CONFIG - RR Record Route

N/A CONFIG - SSRR Strict Source Routing

Protocol: SSH

N/A CONFIG - Old SSH Server

N/A CONFIG - SSH protocol mismatch

Protocol: Telnet

CVE-1999-0291 CONFIG WinGate installed

N/A CONFIG . in PATH

Protocol: TFTP

N/A CONFIG - TFTP - Service attempt

Protocol: WWW

N/A CONFIG Directory Browsing Enabled

N/A CONFIG SERVER protocol ERROR

N/A CONFIG www-sql - can access protected files

Protocol: X11

N/A CONFIG . in PATH

Protocol: XDMCP

N/A CONFIG XDMCP traffic

Type: DOS

Protocol: DNS

N/A AUTH DOS Probe

N/A DOS - Traffic FROM trino master

N/A DOS - trino traffic

N/A DOS - trinoo traffic

N/A DOS CICSO router DOS

N/A DOS NT RAS PPTP DOS attempt


Protocol: FTP

N/A DOS Lotus Notes MTA DOS

N/A DOS Serve-U FTP DOS check

Protocol: Finger

N/A DOS recusrsive finger

Protocol: IP

N/A DOS - Fragment too small

N/A DOS - Huge fragment

N/A DOS - IP fragment out of order

N/A DOS - Out-Of-Band Packet- Possible WINNUKE attack

N/A DOS - fragmented packet overlap

Protocol: WWW

N/A ALERT cgi-dos/args.bat vulnerability

N/A DOS Possible Annex DOS

N/A DOS web oracle web server

Type: Gopher

Protocol: Gopher

CVE-1999-0124 ALERT GOPHER - known gopher attack

N/A CONFIG GOPHER traffic

N/A SCAN GOPHER - password file

Type: LOKI

Protocol: IP

N/A ALERT ICMP - LOKI Tag in ICMP packet

Type: Port

Protocol: FTP

N/A Bad PORT Command

Type: SCAN

Protocol: DNS

CVE-1999-0166 ALERT NFS attack: ../

CVE-1999-0166 ALERT NFS attack: ../.


N/A ALERT Bad requuest Buffer Overflow probe

N/A SCAN - Requested Service Dump

N/A SCAN .rhosts file lookup

N/A SCAN 3270 mapper - service

N/A SCAN ALIS - service

N/A SCAN Browsing

N/A SCAN DATABASE_SVC - service

N/A SCAN ETHERSTATD - service

N/A SCAN KEYSERVD - service

N/A SCAN LLOCKMGR - service

N/A SCAN NLOCKMGR - service

N/A SCAN NSEMNTD - service

N/A SCAN Nessus Scan - IMAil Test

N/A SCAN Nessus Scan

N/A SCAN PCNFS - BAD SERVICE

N/A SCAN REXD - vulnerable service

N/A SCAN RJE MAPPER - service running

N/A SCAN RPCinfo query

N/A SCAN RQUOTAD - service

N/A SCAN RSED - service

N/A SCAN RSTATD - service

N/A SCAN RUSERS - service

N/A SCAN RWALLD - vulnerable service

N/A SCAN Requesting Service IPC$

N/A SCAN Requesting Service ROOT

N/A SCAN Requesting Service WINNT$


N/A SCAN SELECTION SVC - vulnerable service

N/A SCAN SHOWFHD - vulnerable service

N/A SCAN SNMP - service

N/A SCAN SPRAYD - vulnerable service

N/A SCAN STAT - vulnerable service

N/A SCAN STATMON - vulnerable service

N/A SCAN SUNLINK MAPPER - vulnerable service

N/A SCAN TFSD - vulnerable service

N/A SCAN TOOLTALK - vulnerable service

N/A SCAN X25.inr - service

N/A SCAN YPBIND - vulnerable service

N/A SCAN YPPASSWD - vulnerable service

N/A SCAN YPSERVE - vulnerable service

N/A SCAN YPUPDATE - vulnerable service

N/A SCAN YPXFRD - vulnerable service

N/A SCAN password file lookup

N/A SCAN shadow file lookup

N/A SCAN ypcat password

N/A SCAN zonexfer request from outside network

Protocol: FTP

N/A ALERT Possible Buffer Overflow Probe

N/A SCAN Nessus FTP check writable directory

N/A SCAN expn - recon

N/A SCAN looking at passwd file

N/A SCAN possible mailed password file

N/A SCAN possible xfered password file

N/A SCAN verify - recon


Protocol: Finger

N/A ALERT Cfinger Search exploit

N/A ALERT compromised finger daemon

N/A ALERT finger pipe attempt

N/A ALERT finger to program

N/A SCAN finger dump

N/A SCAN finger traffic - RECON

N/A SCAN finger traffic - root

Protocol: Gopher

N/A SCAN router password file

Protocol: IDENT

N/A SCAN IDENT request

N/A SCAN possible password file

Protocol: IMAP

N/A SCAN possible mailed password file

Protocol: NNTP

N/A SCAN possible password file

Protocol: POP

N/A SCAN possible mailed password file

Protocol: Telnet

N/A ALERT attack - generic IFS probe

N/A SCAN - fingering root user

N/A SCAN - obtaining list of files

N/A SCAN - poking http

N/A SCAN - probe w/ finger

N/A SCAN - wildcard finger

N/A SCAN verfiy - recon

N/A SCAN zone xfer attempt via dig


Protocol: WWW

N/A ALERT Fax Survey cgi probed

N/A ALERT Possible Buffer Overflow Probe

N/A SCAN - using finger to get information

N/A SCAN Accessing WWW Admin Port

N/A SCAN Attempt to grab password file

N/A SCAN Attempting to retrieve passwd file

N/A SCAN Browsing Scripts Directory

N/A SCAN gathering file names

Protocol: X11

N/A ALERT attack - generic IFS probe

N/A SCAN - fingering root user

N/A SCAN - obtaining list of files

N/A SCAN - poking http

N/A SCAN - probe w/ finger

N/A SCAN - wildcard finger

N/A SCAN verify - recon

N/A SCAN zone xfer attempt via dig


Glossary

adapter: In Risk Manager, an adapter monitors a resource so that the resource can be managed. The adapter collects information (events) and converts the events into a form that the Tivoli Enterprise Console (TEC) can use. The adapter then sends the events to the TEC. See also event adapter and TME adapter.

Adapter Configuration Facility: In the Tivoli environment, the graphical user interface that lets a Tivoli administrator easily configure and customize event adapters using adapter configuration profiles.

Adapter Configuration Profile: A container for adapter configuration records. An adapter configuration profile can be distributed to adapter configuration endpoints. It holds information about one or more event adapters: the location of the configuration files, the adapter startup arguments (such as the server location), the event filter settings, and other file distribution instructions.

administrator: See ….

alarm: When a particular activity occurs, an administrator alarm and other configurable responses are triggered, and an audit record of the security management activity is written. The Risk Manager adapters convert the alarms generated by the supported versions of ISS RealSecure and Cisco Secure IDS (NetRanger) into TEC events. Examples of alarms reported to the Tivoli user are Web scans (lists of enumerations), port scans (lists of services), and enumeration of user logins (lists of user names). See also TEC event.

event: In the Tivoli environment, a significant change in the state of a system resource, network resource, or network application. Risk Manager can generate events for a problem, for the resolution of a problem, or for the successful completion of a task. Examples of events are the normal starting and stopping of a process, the abnormal termination of a process, and the malfunctioning of a server. In Risk Manager, events are intrusion detection events.

event adapter: In the Tivoli environment, software that converts events into a form that the Tivoli Enterprise Console can use. An event adapter sends events to the event server. With the Tivoli Event Integration Facility (EIF) or the Risk Manager Event Integration Facility you can develop your own event adapters, tailored to your network environment and to specific requirements. See also Adapter Configuration Facility and Adapter Configuration Profile.

event class: In the Tivoli environment, a classification of events. It indicates the type of information that the event adapter sends to the event server.

event group: In the Tivoli environment, a set of events that meet particular criteria. Each icon on the event console represents an event group. A Tivoli administrator can monitor the event groups of particular interest.

event group filter: In the Tivoli environment, an event group filter specifies the class, source, and severity of the events for each event group that is filtered at the adapter level.

event console: In the Tivoli environment, the graphical user interface (GUI) that lets a system administrator view and process the events dispatched from the event server.

event server: In the Tivoli environment, the central server that processes events. The event server creates an entry for each incoming event. It evaluates events against a rule base and decides whether to respond to an event automatically or to modify the event automatically. The event server also updates the event console with the latest event information. If the primary event server is unavailable, events are sent to a secondary event server.

end point node: 1) In a Tivoli Management Region (TMR), a Tivoli client configured solely as the target of management operations. 2) A node at the end of a branch; synonymous with peripheral node.

managed node: In the Tivoli environment, a managed resource on which the Tivoli Enterprise Framework is installed.

class: In object-oriented design or programming, a group of objects that, by sharing common attributes, share common operations, functions, and behaviour. A member of the group is called an instance of the class. See also event class.

graphical user interface: In the Tivoli environment, the graphical user interface (GUI) that a system administrator uses to manage a networked computing environment. The Risk Manager event console uses the Tivoli Desktop. See event console.

attack: An attempt by an unauthorized party to misuse the functions of a networked system. See also intrusion attempt.

Denial of Service attack: A kind of cyber attack.

vulnerability assessment products: Products that scan a system actively so that the system administrator receives information about vulnerable services that are running, or about misconfigurations.

intrusion detection system: 1) A security tool that an administrator uses to prevent the compromise of a network when other protection mechanisms, such as access control or a firewall, have been defeated by an intruder. 2) Detects attempted or successful attacks against a monitored resource. The monitored resource may be a network or a host system.

intrusion attempt: An attempt by an unauthorized party to access or break into a network resource.


9/jWH (script)l"N$YsHr=9@}=$#

;s5< (sensor)$YsH&bK?<#

jX(s8s (correlation engine)Risk Manager k<k&(s8s#k<k&(s8sr2H#

attribute: Information that resides in a managed object and that the object itself explicitly exposes. An attribute has a type, which indicates the range of information the attribute can represent, and a value, which lies within that range. In Risk Manager, every event attribute is predefined. Each event attribute has a name and a value; together they are the specific data that describe the characteristics of an attack. An attribute takes the form attribute_name=value. An adapter sorts information into event classes, formats the information as attributes, and sends it to the Tivoli event server.

[ta]

validation: Checking that data is correct, or that data conforms to the rules an application specifies.

knowledge-based system: A knowledge-based system uses a system engine that holds a database of information about known attacks and system weaknesses. When the system recognizes one of these patterns, the engine assumes the system is under attack and raises an alarm. Because the approach rests on a knowledge database, the rate of false alarms is very low.

behavior-based system: Uses a system engine that detects intruders by looking for deviations from a model of normal system behavior. That baseline behavior is defined by running a training period in which the expected user activity is carried out. In such a system an alarm is therefore raised whenever an action occurs that cannot be matched to a known pattern. Behavior-based systems generally produce a very high rate of false alarms, but they have the advantage of being able to discover unknown attacks. The engine of a behavior-based system must be tuned to its environment.

[na]

network-based system: Gathers information from the network packets received by the monitoring host. By analyzing these packets, user behavior can be reconstructed. With a network-based tool, a single monitor can obtain information about the whole network, which keeps management costs low. Network-based tools can detect attacks involving low-level packets that applications cannot see. Unsuccessful attacks that never reach the target application are also recorded by network-based tools.

[ha]

firewall: A host that separates the outside world from the internal network and lets only legitimate data pass through.

format file: A format file generates the CDS file of a TME adapter. Format files are used to change the event classes of those adapters and to generate a new CDS file from the format file. In Risk Manager, the TME adapter uses it to match data and reformat it so that it can be forwarded to the Tivoli Enterprise Console.

327 Risk Manager User's Guide

false negative: Occurs when an attack takes place but the product does not generate an alarm. This case is clearly a problem, because the intruder's actions may go entirely unnoticed. The IDS may thus give the Tivoli administrator the mistaken impression that all is well.

real positive: An instance where an attack occurs and the product correctly reports it. In an ideal IDS, every attack is a real positive (what is usually called a true positive).

false positive: Occurs when the product generates an alarm although no attack took place. This case can be a problem, because an administrator responding to the false positive may take unnecessary action. If the IDS is the administrator's only source of information, the administrator does not at first realize that the alarm is a false positive. After a while, the administrator may conclude that this particular alert is not caused by an attack and start ignoring the alarm; but then there is a risk that actual attacks are ignored in Risk Manager as well.

real negative: An instance where no attack occurs and the product raises no alarm. In an ideal IDS, normal or acceptable events are real negatives (true negatives). A real negative is not explicitly represented as an event; most audit events fall into this category.
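As an added illustration of the attribute form attribute_name=value and of the four detection outcomes defined above, the following Python script (added here; it is not code from the Risk Manager manual, and it uses Python rather than the manual's Perl or Prolog) parses sensor events and scores them against ground truth. It assumes the CLASS;attribute=value;...;END record form that the Tivoli Event Integration Facility uses on the wire; the event classes RM_PortScan, RM_WebAttack and RM_Heartbeat, the sample records, the host list and the list of real attackers are constructed for the example, while the attribute names severity and rm_SourceIPAddr are the ones the manual indexes. The script sorts the observed hosts into real positives, false positives, false negatives and real negatives, and computes the false-alarm rate whose consequences the glossary describes.

```python
"""Parse TEC-style sensor events and score them against ground truth.

Added example, not code from the Risk Manager manual. Assumptions:
the "CLASS;attr=value;...;END" record form (the Tivoli EIF wire format),
the hypothetical event classes RM_PortScan / RM_WebAttack / RM_Heartbeat,
and the constructed sample events, host list and ground truth below.
"""
from typing import Dict, List, Set, Tuple

# Constructed sample: four records as a LogFile adapter might forward them.
# Attribute names severity / rm_SourceIPAddr / rm_DestinationIPAddr are the
# ones the manual uses; the class names and addresses are made up.
SAMPLE_EVENTS = (
    "RM_PortScan;severity=WARNING;rm_SourceIPAddr=10.0.0.5;rm_DestinationIPAddr=10.0.1.20;END\n"
    "RM_WebAttack;severity=CRITICAL;rm_SourceIPAddr=10.0.0.7;rm_DestinationIPAddr=10.0.1.80;END\n"
    "RM_PortScan;severity=MINOR;rm_SourceIPAddr=10.0.0.9;rm_DestinationIPAddr=10.0.1.20;END\n"
    "RM_Heartbeat;severity=HARMLESS;rm_SourceIPAddr=10.0.1.1;END\n"
)

# Constructed ground truth for the same window: hosts that really attacked,
# and every host the sensor could have reported on.
ACTUAL_ATTACKERS: Set[str] = {"10.0.0.5", "10.0.0.7", "10.0.0.11"}
OBSERVED_HOSTS: Set[str] = {"10.0.0.5", "10.0.0.7", "10.0.0.9",
                            "10.0.0.11", "10.0.0.13", "10.0.1.1"}

# TEC severities that count as an alarm; HARMLESS does not.
ALARM_SEVERITIES = {"FATAL", "CRITICAL", "MINOR", "WARNING"}


def parse_event(record: str) -> Tuple[str, Dict[str, str]]:
    """Split one 'CLASS;name=value;...;END' record into (class, attributes).

    The first field is the event class the adapter assigned; each later field
    is one attribute in the attribute_name=value form the glossary describes.
    A record without the END terminator, or with a field lacking '=', is
    rejected rather than silently accepted, so a truncated record cannot pass.
    """
    record = record.strip()
    if not record.endswith(";END"):
        raise ValueError(f"malformed event (missing END): {record!r}")
    fields = record[: -len(";END")].split(";")
    event_class, attr_fields = fields[0], fields[1:]
    if not event_class:
        raise ValueError(f"malformed event (empty class): {record!r}")
    attrs: Dict[str, str] = {}
    for field in attr_fields:
        name, sep, value = field.partition("=")
        if not sep or not name:
            raise ValueError(f"attribute without '=' in {record!r}: {field!r}")
        attrs[name] = value
    return event_class, attrs


def parse_events(text: str) -> List[Tuple[str, Dict[str, str]]]:
    """Parse one record per line, skipping blank lines."""
    return [parse_event(line) for line in text.splitlines() if line.strip()]


def is_well_formed(record: str) -> bool:
    """True when parse_event accepts the record, False when it rejects it."""
    try:
        parse_event(record)
        return True
    except ValueError:
        return False


def alarmed_hosts(events: List[Tuple[str, Dict[str, str]]]) -> Set[str]:
    """Source hosts for which at least one alarm-level event was raised."""
    return {attrs["rm_SourceIPAddr"] for _, attrs in events
            if attrs.get("severity") in ALARM_SEVERITIES
            and "rm_SourceIPAddr" in attrs}


def classify(alarmed: Set[str], actual: Set[str],
             observed: Set[str]) -> Dict[str, Set[str]]:
    """Sort hosts into the glossary's four outcomes.

    real positive  = attacked and alarmed       (usually: true positive)
    false positive = alarmed but did not attack
    false negative = attacked but not alarmed
    real negative  = neither                    (usually: true negative)
    """
    return {
        "real_positive": alarmed & actual,
        "false_positive": alarmed - actual,
        "false_negative": actual - alarmed,
        "real_negative": observed - alarmed - actual,
    }


def false_alarm_rate(outcome: Dict[str, Set[str]]) -> float:
    """Share of alarms that were false: the figure the glossary warns about."""
    alarms = len(outcome["real_positive"]) + len(outcome["false_positive"])
    return len(outcome["false_positive"]) / alarms if alarms else 0.0


def score_sample() -> Tuple[Dict[str, Set[str]], float]:
    """Run the constructed sample through the parser and the classifier."""
    events = parse_events(SAMPLE_EVENTS)
    outcome = classify(alarmed_hosts(events), ACTUAL_ATTACKERS, OBSERVED_HOSTS)
    return outcome, false_alarm_rate(outcome)


if __name__ == "__main__":
    result, rate = score_sample()
    for name, hosts in result.items():
        print(f"{name:15s} {sorted(hosts)}")
    print(f"false-alarm rate: {rate:.2f}")
```

On the constructed sample, one of the three alarms is a false positive (10.0.0.9) and one real attacker (10.0.0.11) produced no alarm at all, so the sensor shows both failure modes the glossary describes; the heartbeat is HARMLESS and is correctly not counted as an alarm. Scoring per source host rather than per event is a design choice: a host that attacks several times but triggers only one alarm is still a real positive, while a host that is alarmed on without attacking is counted once however many alerts it caused.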

host: In a network, the processing unit on which data communication and access methods are concentrated.

host-based system: A host-based system uses the system's audit logs to look for attacks. Applications and the operating system can write entries to these files, so host-based systems are highly effective at tracing user sessions. The advantage of a host-based tool is that, by examining events that have already occurred, it can check whether an attack succeeded or failed. It also monitors particular system activity, such as file access or access to specific services.

[ya]

roles: The administrator roles are super, senior, admin, and user. These roles are sets of permissions that allow a user to run predefined tasks in response to an event.

priority: Risk Manager assigns a priority to alarms, for example high-priority alarms. The UNIX syslogd priority parameter, for instance, can be set. For this handling by the TME adapter, the parameter is used only when events are sent to a remote UNIX-based syslog daemon.



[ra]

cube: Also called a multidimensional model or a PowerPlay cube. A .mdc file produced by Cognos PowerPlay Transformer. It contains data organized along several dimensions and provides a view of the database. Every PowerPlay report file (.ppr) points to the view defined in a cube file.

rule: In a Tivoli environment, a set of one or more logic statements that let the event server recognize relationships between events (event correlation) and carry out automated responses.

rules engine: The rules engine is a component of the Tivoli Enterprise Console. It applies a group of rules and determines whether an action needs to be taken for an event.

rule base: In a Tivoli environment, a set of rules together with the set of event class definitions the rules apply to. The Tivoli Enterprise Console uses the rule base when it handles events. An organization can create many rule bases, so that each rule base meets the particular needs of one network computing environment.

A

ACF: See Adapter Configuration Facility.

ACP: See Adapter Configuration Profile.

B

BAROC file: A Basic Recorder of Objects in C (BAROC) file; the internal representation of the event class definitions defined for an event server. In Risk Manager, the BAROC files describe the event classes supported by each type of Risk Manager adapter.

E

EIF: See Tivoli Event Integration Facility. See also Risk Manager Event Integration Facility.

G

GUI: See graphical user interface.

I

IDS: See intrusion detection system.



IIS: See Internet Information Server.

Internet Information Server (IIS): The Microsoft Web server.

J

Java Virtual Machine: Software that provides a system-independent interface for Java software (including the Java runtime environment). The term is used when referring to an actual Java virtual machine; it does not refer to the Java runtime environment.

Java Runtime Environment: Provides the runtime environment for Java software. It runs on top of the Java Virtual Machine (JVM). Unless stated otherwise, the term refers to the Java runtime environment in general, as provided by a browser, a Web server, or some other context, and not to Sun's JRE product.

JRE: See Java Runtime Environment.

JVM: See Java Virtual Machine.

P

Perl: Practical Extraction and Report Language.

Prolog: Programming in Logic. One of the programming languages in the family of logic programming languages.

R

Risk Manager Event Integration Facility: A toolkit that provides a simple application programming interface (API) so that customers and Tivoli partners can develop new event adapters for Tivoli SecureWay Risk Manager and forward events to the Tivoli Enterprise Console. Customers can also convert events from third-party or in-house applications.

T

TEC: See Tivoli Enterprise Console.

TEC event: An event within the Tivoli Enterprise Console.

Tivoli Enterprise Console: A Tivoli product that collects, processes, and automatically initiates corrective actions for system, application, network, and database events. It is the central point for events from all sources. The Tivoli Enterprise Console provides a centralized and comprehensive network computing environment: a distributed event monitor collects information, a central event server processes it, and a distributed event console presents it to the system administrator.



Tivoli Event Integration Facility: A toolkit that provides a simple application programming interface (API) so that customers and Tivoli partners can develop new event adapters and forward events to the Tivoli Enterprise Console. Customers can also convert events from third-party or in-house applications.

Tivoli Management Environment: Tivoli applications based on the Tivoli Management Framework. They are installed at a particular customer location, span various platforms, and access network computing management information. In a Tivoli environment, system administrators can distribute software, manage user configurations, change access privileges, automate operations, monitor resources, and schedule jobs. The Tivoli Management Environment was formerly called TME 10.

Tivoli Management Framework: The basic software needed to run applications in the Tivoli Management Environment product suite. Once this software infrastructure is in place, Tivoli and Tivoli partner system management application programs can be integrated. The Framework includes the following:

¶ the object request broker (oserv)

¶ the distributed object database

¶ basic management facilities

¶ basic application services

¶ basic desktop services such as the graphical user interface (GUI)

In the Tivoli Management Environment, the Tivoli Management Framework is installed on every client and every server. The following cases are exceptions:

¶ the Tivoli Management Framework is not installed on a client's personal computer, but a PC agent is installed on that personal computer.

¶ a Tivoli Management Region (TMR) server is the only server that keeps the complete object database.

Tivoli Management Region: In the Tivoli Management Environment, a TMR server together with the clients it serves. One organization can have several TMRs. A TMR addresses the physical connectivity of resources, whereas a policy region addresses the logical organization of resources.

TME: See Tivoli Management Environment.

TME adapter: Generates TEC events using the appropriate format file provided. An adapter is a software program that collects information, performs local filtering, and converts relevant events into a format the TEC can use. In Risk Manager, a TME adapter (the LogFile adapter on UNIX, or the NT Event Log adapter on Windows NT) is required for the IDS sensors. See also adapter and event adapter.

TMR: See Tivoli Management Region.





Index

Entries are arranged in the order Japanese, numerals, letters, special characters. Voiced and semi-voiced kana are treated as equivalent to unvoiced kana.

[a]
access log file

5W 116

=. 124

Ev-!: 127

j"k?$`GN97 113, 130, 131

"@W?<

ACF Khk=. 50

ACF WmU!$kKhk=. 50

TEC 16

Windows 79F`GN$s9H<k 44

"@W?<"$s9H<k

Cisco Secure PIX Firewall 167

"@W?<"7,*hS!=/=5l?

jj<9 3.8 NQ9@ 3

"@W?<"Cisco Secure IDS QN

I} 143

d_ 143

f<6<&?9/ 143

TEC ?9/ 143

"@W?<"ISS RealSecure N

I} 152

f<6<&?9/ 152

"@W?<"Risk Manager

Check Point FireWall-1 177

Cisco Secure IDS 140

Cisco Secure PIX Firewall 163

Cisco k<?< 155

Host IDS 193

ISS RealSecure 147

McAfee Alert Manager 197

Norton AntiVirus 203

"@W?<=.!= (ACF) xvii

"@W?<=.WmU!$k (ACP) xvii

"@W?<N$s9H<k

G-N$s9H<k 39

AIX 39

AIX smit 41

AIX 3^sIT 40

Linux 42

"@W?<N$s9H<k (3-)

Solaris 42

Windows 79F` 44

"@W?<N+O

Check Point FireWall-1 186

"@W?<Nd_

Check Point FireWall-1 189

"I_K9Hl<?<

Web Y<9Nps 23

"I_K9Hl<?<"Tivoli

$YsHNbK?< 64

qA xvii

"i<H

Network IDS 211

Network IDS"H_~_ 218

"i<`&]j7<N_j

Check Point FireWall-1 184

$YsH

*j8Jk 102

EgYN@&s0l<I 67

8.N^) 67

0-N_j 67

E#N!P 77

Ws 103

js/ 76

$YsH (TEC event r2H) 330

$YsHh}"TEC $YsH&5<P<N 16

$YsH>w

Check Point FireWall-1 179

$YsHNbK?< 64

$YsHNm.s0

Cisco Secure PIX Firewall 174

$YsH&0k<W

n. 52

Ws 51

$YsH&3s=<k

5W 14

$YsH&5<P<

$s9H<k 33, 45

97 64

=. 46

Risk Manager 3s]<MsHN|n 64

TEC 16

$YsH&G<?Y<9 13, 15

$YsH&U#k?< 100

$YsH&aC;<8 51




$s9H<k

$YsH&5<P< 33, 45

{8Nk<k&Y<9 63

Wh 33

1c= 3

QC1<8 212

aC;<8 253

jj<9 3.8 Na=CINQ9@ 3

Check Point FireWall-1 179

Cisco Secure PIX Firewall 167

Host IDS 194

ISS RealSecure 149

Network IDS 212

Norton AntiVirus 205

Risk Manager QC1<8 36

TEC Correlation 59

Tivoli 0sro=J 34

Tivoli G9/HCW+iN 39

TME "@W?< 45

Web IDS 122

Web Intrusion Detection NEv-!: 127

$s9H<kN`w

Host IDS 194

$s?<U'<9

0iU#+k&f<6<&$s?<U'<9

(GUI) 325, 326

jl<7gJk&G<?Y<9 14

TEC $YsH&3s=<k 326

Tivoli ^?O Tivoli J0 16

&)</9k< 8

(i<h}

Check Point FireWall-1 190

(i<&aC;<8

TEC Correlation 227

(s8s

9-CW"sig.nefarious U!$k 120

Hi9H"sig.nefarious U!$k 120, 135

Q<5<"sig.nefarious U!$k 118, 133

Q?<s"sig.nefarious U!$kN 119, 132, 133

suspicion"sig.nefarious U!$k 119, 135

*W7gs

webids 130, 131

*Zl<F#s0&79F`

jj<9 3.8 NQ9@ 4

*Zl<F#s0&79F`N5]<HNWs

jj<9 3.8 NQ9@ 1

[ka]
starting

Network IDS 214

TME "@W?< 49

Web IDS 130

5W

Risk Manager 7

+&s?<

:j 137

lYk 136

H%WmQF#<"W3C U)<^CHQN 126

I}

"@W?<"ISS RealSecure N 152

Check Point FireWall-1 185

Cisco Secure IDS QN"@W?< 143

Cisco k<?<Q"@W?< 160

Web IDS 128

I}P]N<I

TEC Correlation N$s9H<k 59

I}?9/

TEC Correlation 63

,J"C 89

,' xix

&Lm0&U)<^CH (CLF r2H) 116

H_~_"i<H

Network IDS 218

/i9jA9F<HasH"Tivoli

H_)F 49

F8. 49

tecad_logfile.cds 49

tecad_nt.cds 49

/i9jA9F<HasH&U!$k 18

kg

Risk Manager H TME "@W?<NU)<^CH&U

!$k 47

sig.nefarious Q?<s&F9H 133

!P"E#$YsHN 77

:j

M 136

MN_j 72

+&s?< 137

6b$YsH",O 131

6b70KAc< 133

ISS RealSecure 297

Network IDS 218

6b70KAc<Nps

Cisco Secure IDS 140, 289

ISS RealSecure 147

Network IDS 218, 307

97

$YsH&5<P< 64

k<k&Y<9 63



=.

"/;9&m0&U!$k 124

$YsH&5<P< 46

Check Point FireWall-1 179

Cisco Secure PIX Firewall 168

Host IDS 195

iPlanet Web Server 125

Microsoft Internet Information Server 126

Risk Manager Correlation 59

Risk Manager Server Correlation 64

Risk Manager TEC Correlation 60

Web 5<P< 124

=.U!$k 59

Check Point FireWall-1 180

Cisco Secure PIX Firewall 174

Prolog =.U!$kb2H 61

riskmgr_thresholds.pro 57

rmcorr_cfg 60, 63, 64

z(

jj<9 3.8 NQ9@ 4

m~O(i<&aC;<8 51

3^sI

gencds 49

logfile_gencds ^?O nt_gencds 49

nids 216

riskmgr_gencds 91

rmeif_cfg 93

webids ^?O webids.bat 113, 130

wrmadmin 91

wrmsendmsg 91

G-N$s9H<k

"@W?< 39

Risk Manager QC1<8 37

3s]<MsH

|n 54

Risk Manager 11, 36

3s]<MsHN|n 54

[sa]
server, event (see event server) 46

5<P<"Web (Web 5<P<r2H) 11

5<P<=.U!$k

Check Point FireWall-1 180

F8."CDS U!$kN 49

n.

$YsH&0k<W 52

7,k<k&Y<9 63

(?*Zl<7gs

Network IDS "i<H 215

5^j<&$YsH 103

~VVV

uVG<?N>w 73

-z|B,Zl?uVNA'C/ 70

jUlC7e&?$^<N~VVVN_j 70, 74

7-$M

=.U!$k 82

40 136

jA 82

70KAc< 132

Cisco Secure PIX Firewall 166

70KAc<"/~

Cisco Secure PIX Firewall 166

70KAc<&U!$k

Network IDS 214

70KAc<&U!$k (sig.nefarious U!$kr2

H) 117

Xj

T3J"/F#SF#<N?$W 135

EgY 67

`w"$s9H<k

Cisco Secure PIX Firewall 167

Rp

5]<H5lk Web 5<P< 115

BAROC U!$k 17

CDS U!$k 19

Cisco Secure PIX Firewall 163

Host IDS 193

Network IDS 209

Network Intrusion Detection System 209

Perl 5]<H 116

Risk Manager Server Correlation 57

Web IDS sig.nefarious U!$k 117

c2"TEC Correlation N 227

\Y="refining sig.nefarious Q?<s&F9HN 133

uV

5W 57

Ws 58

uV$YsH

$YsHrlL*JbN+iqN*JbNX409k

71

$YsHrqN*JbN+ilL*JbNX409k

71

uVG<?">w 73

ps"Risk Manager N xviii

|n

70KAc<&/i9 132

Hi9FCI&70KAc< 135

T3J[9HNjA 134

Web 6b70KAc< 133

|n"s;-e"&$YsHN 72




h}

TEC Correlation (i<&aC;<8 227

qA

jj<9 3.8 NQ9@ 5

Cisco Secure IDS 140

ISS RealSecure 147

Risk Manager xviii, xix

TEC 0sro=J xvii

Tivoli ;-ejF#<=J xx

7!="\jj<9N 1

/~70KAc<

Cisco Secure PIX Firewall 166

/~nT

b@ 10

9-CW&(s8s 120

9/jWH&U!$k

rmcorr_cfg 47

9H<`&$YsH

7-$MNjA 75

_j

:jM 72

jUlC7e&?$^<N~VVV 70, 74

_jQ9

Web Y<9Nps 54

;s5<

Check Point FireWall-1 178

Cisco Secure IDS (NetRanger) =J 140

Cisco Secure PIX Firewall 164

ISS RealSecure =J 147

Network IDS 209

Web IDS 113

;s5<N5W

Check Point FireWall-1 178

;s5<&"/;9"Q9

Cisco Secure PIX Firewall 170

;s5<&?$W

jA 66

;s5<&m.s0"=(

Cisco Secure PIX Firewall 172

;s5<&m.s0"Q9

Cisco Secure PIX Firewall 172

0sro"$s9H<k 34

0sroHJk=J 13

=<9*hS8hpsNWa

Check Point FireWall-1 187

jX

"k4j:`c2N(i<&aC;<8 51

$s9H<k 59

(s8s"Rp 14

1c= 10

Risk Manager Correlation N=. 64

TEC Correlation N=. 60

jXaC;<8 263

0-

msg 102, 103

pix_code 103

pix_ifname 103

pix_sev 103

rm_DestinationIPAddr 103

rm_SensorIPAddr 103

rm_SourceIPAddr 103

[ta]
intended audience xvii

?$W"T3J"/F#SF#<N 135

?$`&9?sW

vF5lkQLNjA 69

uVN-z|BNjA 69

@&s0l<I"$YsHNEgYN 67

?9/

Check Point FireWall-1 190

Cisco Secure PIX Firewall 173

?9/"I}

I}?9/r2H 63

Cisco Secure IDS QN"@W?< 143

Cisco k<?<Q"@W?< 160

ISS RealSecure N"@W?< 152

Web IDS 128

?9/&i$Vij< 107

Cisco Secure PIX Firewall 175

Network IDS 213

Ev-!:"WebIDS $s9H<kN 127

mUv`"$s9H<kN

ISS RealSecure 150

40

:j+&s?< 137

7-$MH:jM 136

0nY<9/~!N79F` 327

lYk&+&s?< 136

40"$YsHN

lL*JbN+iqN*JbNX 71

qN*JbN+ilL*JbNXN 71

IC

70KAc<&/i9 132

Hi9FCI&70KAc< 135

T3J[9HNjA 134

Web 6b70KAc< 133

G<?Y<9"RDBMS 15

G<?Y<9N5]<HNWs

jj<9 3.8 NQ9@ 2



G<?Y<9&Se<NjA

Web Y<9Nps 52

jA

vF5lk?$`&9?sWQL 69

~VVV"-z|B,Zl?uV 70

7-$M 82

uVN-z|B 69

9H<`&$YsHN7-$M 75

;s5<&?$W 66

Hi9FCI&[9H 65

MCHo</&[9H&^7s 65, 77, 79, 81

sig.nefarious Q?<s&(s8s&F9H 133

d_

Cisco Secure IDS QN"@W?< 143

Network IDS 214

TME "@W?< 49

>w"uVG<?N 73

Aw)fWmH3k / $s?<MCH&WmH3k

(TCP/IP) xvii

H</sNjA 83

IT xvii

Hi9FCI&70KAc< 135

Hi9FCI&[9H

jA 65

Hi9H&(s8s 120, 135

HiCW

Cisco k<?< 161

Hj,< 58

[na]
network host machine 65, 77, 79, 81

[ha]
parser engine 118, 133

P<8gs 3.8

^$0l<7gs 285

[V

Web IDS 113, 114

Q9o<I]n

Cisco Secure PIX Firewall 169

Q?<s&(s8s 119, 132, 133

Q?<s&F9H"sig.nefarious 133

QC1<8"$s9H<k 212

QU)<^s9

jj<9 3.8 NQ9@ 4

s/~70KAc<

Cisco Secure PIX Firewall 166

s;-e"&$YsH"|n 72

U!$"&)<kI}$YsH

Check Point FireWall-1 178

U!$"&)<k&$YsH

Check Point FireWall-1 178

U!$k

"/;9&m0 116

/i9jA9F<HasH&U!$k 18

U)<^CH 19

CDS 18

cpfw.baroc 18

crouter_snmp.baroc 18

csids.fmt 20

fmt 19

netranger.baroc 18

nids.baroc 18

os.baroc 18

os_aix.fmt 20

os_nt.fmt 20

os_solaris.fmt 20

pix.baroc 18

pix.fmt 20

pix_nt.fmt 20

realsecure.baroc 18

riskmgr.baroc 17

rmad_summary.rules 103

rmcorr_cfg 60, 63, 64

rmcorr_cfg =.U!$k 47

rmnav.fmt 20

rmvirus.baroc 18

sensor_abstract.baroc 18

sensor_generic.baroc 18

sig.nefarious 117, 133

startconsole.sh iPlanet Web Server 9/jWH 125

webids 3^sI 130

webids.baroc 18

webids.nt,fmt 20

.cds 49

U)<^CH&U!$k 19

$s9H<k 46, 59

kg 47

Ws 20

TEC Nkg 47

U)<^CH&U!$k"Tivoli

tecad_logfile.fmt 20, 48, 49

tecad_nt.fmt 48, 49

#tN$YsH&5<P< 33

T3

$YsHNbK?< 64

T3J

"/F#SF#< 114, 134, 135

[9H 114




,O

j0Ghj~s@ps 132

MCHo</&Q1CH 327

Web 6b$YsH 131

Web 5<P<&"/;9&m0 113, 130, 131

Q9@"Risk Manager 3.8 N 1

[9H

jA 65, 77, 79, 81

[9H"T3J 134

[9H>Nh@

Network IDS "i<H 215

]j7<&j<8gs 107

\qKD$F xvii

\qN=. xviii

[ma]
migration

P<8gs 3.8 X 285

^(,-ps xvii

aC;<8

$s9H<k 253

jX 263

Check Point FireWall-1 254

Cisco Secure IDS 259

Event Integration Facility 268

Network IDS 237

Network Intrusion Detection System 237

Sam /i$"sH 257

Web IDS 277

[ya]
user tasks

Cisco Secure IDS QN"@W?< 143

Web IDS QN 128

f<6<&?9/

"@W?<"ISS RealSecure N 152

Cisco k<?<Q"@W?< 160

TEC Correlation 63

-z|BZl"uV 69

Ws

"@W?<&?9/ 143, 152

$YsH&0k<W 51

HQ5lk,' xix

uV 58

H</sNjA 83

U)<^CH&U!$k 20

BAROC U!$k 17

Ws (3-)

Prolog =.U!$k 61

TEC ?9/ 107

Web IDS N?9/ 128

Ws!=FsWl<H 103

^)"$YsH8.N 67

[ra]
changes in release 3.8 1

$s9H<k}! 3

*Zl<F#s0&79F` 4

*Zl<F#s0&79F`N5]<HNWs 1

z( 4

qA 5

7,*hS!=/=5l?"@W?< 3

G<?Y<9N5]<HNWs 2

QU)<^s9 4

TEC ?9/ 4

Web 5<P<N5]<HNWs 2

Web Y<9Nps 3

js/"$YsHN 76

k<k&U!$k

$s9H<k 59

Ws 143

k<k&Y<9

$s9H<k 63

97 63

n. 63

?9/&j9H 63

m<I 63

c

jX(9+l<7gs7-$MN_j 84

U)<^CH&U!$kN"k 48

LEA 5<P<N=. 182

wrmsendmsg 91

lYk&+&s?< 136

m<I

{8Nk<k&Y<9 63

Risk Manager 3s]<MsH 36

m<I^CW"$s9H<k 37

m.s0

Network IDSalerts 215

m0&U!$k

Web IDS 116

m0&U)<^CH (CLF r2H) 116



A
ACF

=. 49

=.D=J"@W?< 50

ACF ("@W?<=.!=) xvii

ACF Khk=. 49

ACP ("@W?<=.WmU!$k) xvii

AIX

$s9H<kD=J Risk Manager QC1<8 39

AIX 3^sIT

"@W?<N$s9H<k 40

Cisco Secure PIX Firewall N$s9H<k 41

Host IDS N$s9H<k 41

Network IDS N$s9H<k 41

SNMP 5]<HN$s9H<k 40

Web IDS N$s9H<k 40

B
BAROC file 17

$s9H<k 59

Ws 17

sensor_abstract.baroc 20

Bugtraq Web 5$H 132

C
CDS

U!$k 18

CDS U!$k

F8. 49

Check Point FireWall-1

"@W?<N+O 186

"@W?<Nd_ 189

"i<`&]j7<N_j 184

$YsHN>w 179

$s9H<k 179

(i<h} 190

I} 185

=. 179

=.U!$k 180

5<P<=.U!$k 180

Rp 177

;s5<N5W 178

=<9*hS8hpsNWa 187

?9/ 190

U!$"&)<k+i LEA 178

U!$"&)<kI}$YsH 178

U!$"&)<k&$YsH 178

Check Point FireWall-1 (3-)

IP "Il9NWa 186

OPSEC /i$"sH=. 182

OPSEC 5<P<=. 181

SAM 5<P<=. 183

Solaris 3^sIT$s9H<k 43

TEC ?9/ 185

Check Point FireWall-1 N$s9H<k

Solaris 3^sIT 43

Check Point FireWall-1 NaC;<8 254

Check Point FireWall-1 Q"@W?<

TEC ?9/ 185

Cisco Secure IDS

6b70KAc< 289

Rp 140

=JqA 140

=JN Web 5$H 140

Solaris 3^sIT$s9H<k 43

Cisco Secure IDS N$s9H<k

Solaris 3^sIT 43

Cisco Secure IDS NaC;<8 259

Cisco Secure PIX Firewall

"@W?<"$s9H<k 167

$YsHNm.s0 174

$s9H<k 167

$s9H<kN`w 167

=. 168

=.U!$k 174

70KAc< 166

70KAc<"/~ 166

Rp 163

/~70KAc< 166

;s5<N5W 164

;s5<&"/;9"Q9 170

;s5<&m.s0"=( 172

;s5<&m.s0"Q9 172

?9/ 173

?9/&i$Vij< 175

Q9o<I]n 169

s/~70KAc< 166

AIX 3^sIT$s9H<k 41

Solaris 3^sIT$s9H<k 44

TEC ?9/ 169

TEC k<k 165

Cisco Secure PIX Firewall N$s9H<k

AIX 3^sIT 41

Solaris 3^sIT 44

Cisco k<?<

5W 155

HiCW 161

AIX K*1k SNMP 5]<HN$s9H<k 40

Solaris K*1k SNMP 5]<HN$s9H<k 44




Cisco k<?<Q"@W?<

I} 160

CLF

Web 5<P<KhCFHQ5lk 116

Common Vulnerabilities Enumeration (CVE) 132

Comprehensive Perl Archive Network (CPAN r2H) 89

CPAN ,J 89

cpfw.baroc 18

CRITICAL 7-$M 83

crouter_snmp.baroc 18

csids.fmt U)<^CH&U!$k 20

CVE (sHj<

Web 5$H 211

CVE Vf

Network IDS 218

D
drop_unsecure_events 72

E
EIF 87

EIF (Event Integration Facility r2H) 325

EIF (Event Integration Facility) xvii

Event Integration Facilities 325

Event Integration Facility 87

Event Integration Facility (EIF) xvii

Event Integration Facility NaC;<8 268

Event Logging API (LEA) 177

G
gencds command 49

H
Host IDS

$s9H<k 194

$s9H<kN`w 194

$s9H<k&9FCW 194

=. 195

Rp 193

AIX 3^sIT$s9H<k 41

Solaris 3^sIT$s9H<k 44

TEC correlation 193

Host IDS (3-)

TEC ?9/ 196

Host IDS N$s9H<k

AIX 3^sIT 41

Solaris 3^sIT 44

Host Intrusion Detection (Host IDS) 193

I
Internet Security Systems (ISS) 147

IP "Il9NJ,

Network IDS "i<H 215

IP "Il9NWa

Check Point FireWall-1 186

iPlanet Web Server 125

ISS RealSecure

$s9H<k 149

6b70KAc< 297

Rp 147

qA 147

mUv`"$s9H<kN 150

AIX K*1k SNMP 5]<HN$s9H<k 40

Solaris K*1k SNMP 5]<HN$s9H<k 44

Web 5$H 147

L
LEA Event Logging API 177

LEA +iU!$"&)<kXN\3

Check Point FireWall-1 178

Linux

"@W?<N$s9H<k 42

Check Point FireWall-1 "@W?<N+O 186

logfile_gencds 3^sI 49

M
McAfee Alert Manager

5W 197

Microsoft Internet Information Server 126

MINOR 7-$M 83



N
NetRanger (see Cisco Secure IDS product) 140

netranger.baroc 18

Netscape Enterprise Server 125

Network IDS

"@W?<N+O 213

"@W?<Nd_ 213

"i<H 211

$s9H<k 212

+O 214

5W 209

I}?9/ 214

H_~_"i<H 218

6b70KAc< 218

(?*Zl<7gs 215

70KAc<&U!$k"97 214

70KAc<&Y<9N6b70KAc< 218, 307

d_ 214

[9H>Nh@ 215

aC;<8 237

m.s0 215

AIX 3^sIT$s9H<k 41

CVE Vf 218

IP "Il9NJ, 215

nids 3^sI 216

Solaris 3^sIT$s9H<k 43

TEC correlation 210

TEC ?9/ 213

Network IDS N$s9H<k

AIX 3^sIT 41

Solaris 3^sIT 43

Network IDS Q"@W?<

TEC ?9/ 213

Network Intrusion Detection System

$s9H<k&QC1<8 212

$s9H<k&m<I^CW 212

5W 209

I}?9/ 214

aC;<8 237

nids 3^sI

Network IDS 216

nids.baroc 18

Norton AntiVirus

$s9H<k 205

5W 203

TEC correlation 205

nt_gencds 3^sI 49

O
Observer

Risk Manager 89

Open Platform for Secure Enterprise Connectivity 177

OPSEC /i$"sH=.

Check Point FireWall-1 182

OPSEC 5<P< 177

OPSEC 5<P<=.

Check Point FireWall-1 181

os.baroc 18

os_aix.fmt U)<^CH&U!$k 20

os_nt.fmt U)<^CH&U!$k 20

os_solaris.fmt U)<^CH&U!$k 20

P
PAN 89

Perl 5]<H

5W 116

pix.baroc 18

pix.fmt U)<^CH&U!$k 20

pix_nt.fmt U)<^CH&U!$k 20

Prolog =.U!$k

Ws 61

riskmgr_thresholds.pro 82

Prolog c2N(i<&aC;<8 51

Prolog U!$k

$s9H<k 59

R
ratio_down 71

ratio_up 71

RDBMS G<?Y<9 15

realsecure.baroc 18

Risk Manager

"@W?< 12

$YsH&0k<WNWs 51

$s9H<kgx 34

$s9H<k&QC1<8 36

$s9H<k&m<I^CW 37

&)</9k< 8

5W 7

G-N$s9H<k&QC1<8 37

3s]<MsH 11

uV 57

uVNWs 58

qA xviii, xix

/~!N$YsHNbK?< 64




Risk Manager (3-)

?9/&i$Vij< 107

jA 7

U)<^CH&U!$kNWs 20

x@ 7

ACF rHQ7?$s9H<k 49

BAROC U!$kNWs 17

Event Integration Facility 325

iPlanet Web Server N=. 125

Risk Manager Correlation N=. 64

Risk Manager Server Correlation N5W 57

TEC Correlation N=. 60

Web IDS N5W 113

Web 5<P<N=. 124

Web ps xx

Risk Manager 3.8 N*Zl<F#s0&79F`NWs

1

Risk Manager 3.8 NQ9@ 1

Risk Manager Correlation

=. 64

Risk Manager EIF

s TME D-QN=. 93

TME D-QN=. 93

Risk Manager Event Integration Facility 87

Risk Manager Observer 89

Risk Manager Server Correlation

5W 57

Prolog =.U!$k 61

Risk Manager Web IDS N$s9H<k

AIX 3^sIT 40

Risk Manager "@W?<

Check Point FireWall-1 177

Cisco Secure IDS 140

Cisco Secure PIX Firewall 163

Cisco k<?< 155, 160

Host IDS 193

ISS RealSecure 147

McAfee Alert Manager 197

Norton AntiVirus 203

Risk Manager 3s]<MsH

$YsH&5<P<+iN|n 64

u7N=( 63

Risk Manager ;s5<

Network IDS 209

Network Intrusion Detection System 209

Risk Manager N$s9H<k 33

riskmgr.baroc 17

riskmgr_links.pro

9H<`&$YsHN7-$MNjA 75

E#$YsHN!P 77

js/"$YsHN 76

riskmgr_parameters.pro

lL*JbN+iqN*JbNXuV$YsHr409

k 71

vF5lk?$`&9?sWQLNjA 69

qN*JbN+ilL*JbNXuV$YsHr409

k 71

:jMN_j 72

uVG<?N>w 73

uVN-z|BNjA 69

|n"s;-e"&$YsHN 72

>w"uVG<?N 73

-z|B,Zl?uVN/j<s"CW 70

jUlC7e&?$^<N~VVVN_j 70, 74

RiskMgr_Reception 51

RiskMgr_Situations 51

riskmgr_thresholds.pro 82

riskmgr_thresholds.pro U!$k 57

rmad_summary.rules 103

rmcorr_cfg =.U!$k 60

rmcorr_cfg U!$k 47, 61, 63, 64

rmeif_cfg 3^sI 93

rmnav.fmt U)<^CH&U!$k 20

rmvirus.baroc 18

RM_Error 51

RM_InputErr 51

RM_PrologErr 51

RM_SituationErr 51

RM_TrustedHosts 51

S
Sam client messages 257

SAM 5<P<=.

Check Point FireWall-1 183

sensor_abstract.baroc 18

sensor_generic.baroc 18

SET G#l/F#V 104

set_decay_value 72

sig.nefarious

Q?<s&F9H 133

Web IDS 117

sig.nefarious U!$k

GU)kHN$s9H<klj 116

smit

"@W?<N$s9H<k 41

SNMP 5]<H

AIX 3^sIT$s9H<k 40

Solaris 3^sIT$s9H<k 44

SNMP 5]<HN$s9H<k

AIX 3^sIT 40



SNMP 5]<HN$s9H<k (3-)

Solaris 3^sIT 44

Solaris

"@W?<N$s9H<k 42

Check Point FireWall-1 "@W?<N+O 186

Solaris 3^sIT

Check Point FireWall-1 N$s9H<k 43

Cisco Secure IDS N$s9H<k 43

Cisco Secure PIX Firewall N$s9H<k 44

Host IDS N$s9H<k 44

Network IDS N$s9H<k 43

SNMP 5]<HN$s9H<k 44

Web IDS N$s9H<k 43

startconsole.sh iPlanet Web Server 9/jWH 125

status

Risk Manager 3s]<MsHN=( 63

suspicion (s8s 119, 135

T
Tasks for Enterprise Risk Management

Rp 107

TCP/IP (Aw)fWmH3k / $s?<MCH&WmH3

k) xvii

TEC

"@W?< 16

$YsH&3s=<k 14

$YsH&5<P< 16

qA xvii

Web Y<9Nps 23

TEC Correlation

$YsH8.N^) 67

$YsH0- 67

$YsHNEgYN@&s0l<I 67

$s9H<k 59

(i<Nh} 227

I}?9/ 63

=. 60

=.U!$k 59

7-$MNjA 82

;s5<&?$WNjA 66

H</sNjA 83

Hi9FCI&[9HNjA 65

MCHo</&[9H&^7sNjA 65, 77, 79, 81

riskmgr_thresholds.pro =.U!$k 57

Web IDS QN 120

TEC correlation

Host IDS 193

Network IDS 210

Norton AntiVirus 205

TEC event ($YsHr2H) 330

TEC "@W?<

5W 16

TEC $YsH

bK?< 64

TEC $YsH&3s=<k ($YsH&3s=<kr2

H) 14

TEC ?9/

Ws 107

Cisco Secure PIX Firewall 169

jj<9 3.8 NQ9@ 4

Check Point FireWall-1 185

Check Point FireWall-1 Q"@W?< 185

Cisco Secure IDS QN"@W?< 143

Cisco Secure PIX Firewall 169

Host IDS 196

Network IDS 213

Network IDS Q"@W?< 213

TEC k<k

Cisco Secure PIX Firewall 165

tecad_logfile.cds 49

tecad_logfile.fmt 19, 20, 48, 49

tecad_nt.fmt 19, 48, 49

TEC-Region ]j7<&j<8gs 107, 213

Tivoli

"@W?<=.!= (ACF) xvii

"@W?<=.WmU!$k (ACP) xvii

=JN Web 5$H xx

;-ejF#<I} Web ps xx

Event Integration Facility (EIF) xvii, 325

Risk Manager 7

Risk Manager 0sroN$s9H<k 34

Risk Manager K,WJ=J 13

TEC "@W?<N5W 16

Tivoli Enterprise Console NRp 14

Tivoli Decision Support 221

Tivoli Enterprise Console (TEC r2H) xvii, 330

TME "@W?<

$s9H<k 45

+O 49

jA 331

d_ 49

GU)kH&G#l/Hj<XN$s9H<k 47

Risk Manager U)<^CH&U!$kHNkg 47

Web IDS HNHQ 120

W
W3C format 126

WARNING 7-$M 83




Web IDS

"/;9&m0&U!$k 116

"/;9&m0&U!$kN=. 124

$s9H<k 122

+O 130

5W 113

I} 128

:j+&s?< 137

:j+&s?<N40 137

5]<H5lk Web 5<P< 115

7-$MH:jMN40 136

70KAc<&/i9N|n 132

70KAc<&/i9NIC 132

Hi9FCI&70KAc<NIC^?O|n 135

Q?<s&F9HNkgH\Y= 133

T3J"/F#SF#<N?$WNXj 135

T3J[9HNIC^?O|n 134

f<6<N?9/ 128

lYk&+&s?<N40 136

AIX 3^sIT$s9H<k 40

iPlanet Web Server N=. 125

Microsoft Internet Information Server N=. 126

Perl 0sro 116

sig.nefarious U!$kNRp 117

Solaris 3^sIT$s9H<k 43

TEC Correlation 120

Web 6b$YsHN,O 131

Web 6b70KAc<NIC^?O|n 133

Web IDS N$s9H<k

Solaris 3^sIT 43

Web IDS NaC;<8 277

Web Intrusion Detection

$s9H<kNEv-!: 127

Web 6b

$YsH 131

70KAc< 133

Web 5<P<

iPlanet Web Server N=. 125

Microsoft IIS N=. 126

Risk Manager Khk5]<H 115

Web 5<P<N5]<HNWs

jj<9 3.8 NQ9@ 2

Web 5$H

;-ejF#<I}ps xx

Bugtraq 132

Cisco Secure IDS =JqA 140

Common Vulnerabilities Enumeration (CVE) 132

CVE (sHj< 211

Internet Security Systems (ISS) 147

ISS RealSecure qA 147

ISS RealSecure =JqA 147

Tivoli Risk Manager xx

Web 5$H (3-)

Tivoli =J xx

Web qA

Cisco Secure IDS =J 140

ISS RealSecure=J 147

Risk Manager xviii

Web Y<9Nps

Rp 23

_jQ9 54

G<?Y<9&Se<NjA 52

=(9kps 33

jj<9 3.8 NQ9@ 3

webids 3^sI 130

webids.baroc 18

webids.bat 127, 130, 131

webids.nt.fmt U)<^CH&U!$k 20

Windows 79F`

"@W?<N$s9H<k 44

Check Point FireWall-1 "@W?<N+O 186

[special characters]
.baroc file (see BAROC file) 17

.cds (/i9jA9F<HasH&U!$kr2H) 19



Part number: CT0P8JA

Printed in Japan

GC88-8881-01

(1P)

P/N:

CT0P8JA