Security Analytics Platform: 7.1.x Administration Guide

Transcription

Blue Coat Security Analytics Platform 7.1.x
Administration Guide
4 April 2016
Copyrights, Trademarks, and Intellectual Property
A trademark symbol (™) or a registered trademark symbol (®) denotes a Blue Coat Systems, Inc. trademark. A degree sign (°)
denotes a third-party trademark. All third-party trademarks are the property of their respective owners. All other trademarks
mentioned in this document are the property of their respective owners.
Copyright © 2016 Blue Coat Systems, Inc. All rights reserved worldwide. No part of this document may be reproduced by any
means nor translated to any electronic medium without the written consent of Blue Coat Systems, Inc. Specifications are subject
to change without notice. Information contained in this document is believed to be accurate and reliable, however, Blue Coat
Systems, Inc. assumes no responsibility for its use. Blue Coat, ProxySG, PacketShaper, CacheFlow, IntelligenceCenter
BlueTouch, DeepSee, Solera, and Security Analytics Platform are trademarks or registered trademarks of Blue Coat Systems, Inc.
in the U.S. and worldwide.
These help files are intended to help you use the web browser and console interfaces for the Security Analytics Platform to
perform network traffic capture, filtering, and playback, as well as general administration. It is not intended as a guide to policies or
procedures for network security or network forensics.
GNU General Public License Source Code Requests
Blue Coat will provide a machine-readable copy of the GPL open-source code on a CD. To obtain a copy, send a written request,
along with a certified check or money order in the amount of US $25.00, payable to Blue Coat Systems, Inc., to:
ATTN: Customer Support
GPL Source Code Request, Security Analytics
Blue Coat Systems
Suite 400
25 E Scenic Pointe Drive
Draper, UT 84020
USA
For technical assistance:
•
Blue Coat Support: bluecoat.com/support/technical-support/contact-service-support
•
BlueTouch Online: bto.bluecoat.com
© 2016 Blue Coat Systems, Inc.
1 of 206
Updated 4 Apr 2016
Table of Contents
Initial Settings ............................................................... 5
Network Settings ................................................................................ 5
Install the License ............................................................................... 6
How the Security Analytics Platform Works ......................... 7
Implementation .................................................................................. 7
Drive Configuration ............................................................................. 7
Packet Capture .................................................................................. 8
Writing the Slots ................................................................................. 9
Data Overwriting .............................................................................. 10
Overwriting Imported PCAPs ............................................................... 11
Data-Enrichment Process ................................................................... 12
Interface Icons ................................................................................. 13
Appliance Ports ................................................................................ 15
2G Appliance ........................................................................... 15
10G Appliance ......................................................................... 15
Central Manager....................................................................... 16
Storage Module ........................................................................ 16
Interface Screens ......................................................... 17
Analyze > Summary .......................................................................... 17
Capture > Summary .......................................................................... 18
Capture Interfaces ............................................................................ 19
Analyze > Summary > Reports ............................................................. 20
Analyze > Summary > Extractions......................................................... 21
Analyze > Summary > Geolocation ....................................................... 22
Data Capture............................................................... 23
Capture Summary Graph .................................................................... 23
Total Traffic per Interface and Uptime ............................................ 23
View Menu .............................................................................. 23
Actions Menu........................................................................... 24
Initiate or Stop Capture ...................................................................... 25
Apply a Capture Filter ................................................................ 25
Capture-Interface Aggregation ............................................................. 26
Reprocessing .................................................................................. 27
PCAP Files ................................................................. 28
Download PCAPs of Captured Data ...................................................... 28
Other PCAP Downloads ............................................................. 29
Automatic PCAP Downloads........................................................ 29
Import PCAP Files ............................................................................ 29
PCAP File Analysis ........................................................................... 30
Analyze PCAPs on the Security Analytics Platform ............................ 30
Storage System Page ................................................................ 31
Capture Summary Page ............................................................. 31
Analyze PCAP Files in Wireshark ................................................. 31
Automatically Import PCAP Files .......................................................... 32
Automatically Export PCAP Files .......................................................... 32
Playback .................................................................... 33
Create a Playback Session ................................................................. 34
Many-to-Many Sessions ..................................................................... 35
CLI Commands for Many-to-Many Session...................................... 35
2 of 206
Data Availability .......................................................... 36
Calendar Display.............................................................................. 36
Capture Summary Graph ................................................................... 37
Data Analysis.............................................................. 38
Summary Views............................................................................... 38
Report Widgets ........................................................................ 38
Create a Summary View ............................................................ 38
Reindexing ..................................................................................... 39
Report Widget Controls...................................................................... 40
Application Group Widgets.......................................................... 41
Apply Filters to Summary Views ........................................................... 41
Save the Output of a Report View......................................................... 41
Session Resolution ........................................................................... 41
Adjust Session Resolution .......................................................... 42
GRE Encapsulation ...................................................... 43
Filtering ..................................................................... 44
Primary Filters ................................................................................. 44
Using the Filter Bar ........................................................................... 44
Preconfigured Filters ................................................................. 45
Timespan Filters ...................................................................... 46
Advanced Filters .............................................................................. 46
Create an Advanced Filter .......................................................... 46
Create Filters from Graphical Screen Elements ................................ 47
Capture Filters................................................................................. 48
Apply a Capture Filter to an Interface............................................. 48
Apply a Capture Filter to a PCAP Download .................................... 48
Primary Filter Attributes ................................................ 49
Advanced-Filter Attributes ............................................. 54
Alerts ............................................................................................ 54
Reports ......................................................................................... 54
Extractions ..................................................................................... 55
Geolocation .................................................................................... 56
Audit Log ....................................................................................... 57
Wildcards and Logical Operators ..................................... 58
Wildcard Usage ............................................................................... 58
Logical Operators in Primary Filters ...................................................... 59
Logical Operators in Advanced Filters............................................ 60
Universal Connector ..................................................... 61
Add an IP Address with the Universal Connector ...................................... 61
Favorites ................................................................... 62
Preloaded Favorites .......................................................................... 62
Create a New Favorite ....................................................................... 62
Create a Favorite from the Filter Bar.............................................. 63
Import Favorites ....................................................................... 63
Export Favorites....................................................................... 63
Delete Favorites............................................................................... 64
Updated 4 Apr 2016
Format a List of Favorites ................................................................... 65
JSON Formatting for Favorites ............................................................. 66
Nested JSON Favorites .............................................................. 66
Reports ..................................................................... 67
Report Results List............................................................................ 68
Active Reports Counter .............................................................. 68
Compare Report Results ............................................................ 68
Save Report Results.................................................................. 69
Export Reports ......................................................................... 69
Available Reports and Report Widgets ................................................... 70
Scheduled Reports ........................................................................... 74
Summary Views........................................................... 75
Media Panel ................................................................................... 95
Artifact Preview ............................................................................... 96
Image.................................................................................... 96
Email .................................................................................... 96
Web Page .............................................................................. 97
Text ...................................................................................... 97
Hex ...................................................................................... 99
HTTP Headers ....................................................................... 99
Strings................................................................................. 100
File Info ............................................................................... 100
Audio .................................................................................. 101
EXIF ................................................................................... 101
jsunpack-n ............................................................................ 102
Report Widgets ................................................................................ 75
Create a Summary View ............................................................. 76
Report Widget Controls .............................................................. 76
Application Group Widgets .......................................................... 77
Apply Filters to Summary Views ................................................... 77
Save the Output of a Report View ................................................. 78
Session Resolution ........................................................................... 79
Adjust Session Resolution........................................................... 79
Data Enrichment ........................................................ 103
Reindexing ................................................................. 80
Actions ................................................................... 108
Geolocation ................................................................ 81
Alerts .......................................................................................... 108
Create a New Alert ................................................................. 108
Activate and Deactivate Alerts ................................................... 109
Viewing Alerts ....................................................................... 109
PCAP Export................................................................................. 110
IPFIX Export ................................................................................. 111
Map Navigation ................................................................................ 81
Results List ..................................................................................... 82
Saving Geolocation Results................................................................. 83
Geolocation Settings ................................................................. 83
Specify Geographic Locations for Internal Subnets ............................ 84
Geolocation Filters .................................................................... 84
MaxMind City Databases ............................................................ 85
Google Earth ........................................................................... 85
Packet Analyzer........................................................... 86
Packet Analyzer Filters ...................................................................... 86
Packet List .............................................................................. 87
Packet Details.......................................................................... 87
Packet Bytes ........................................................................... 87
BlackBox Recorder ...................................................... 88
Extractions ................................................................. 89
MIME-Type Display ........................................................................... 90
Artifacts ......................................................................................... 90
SMB Artifacts........................................................................... 91
HTTP POST Payloads ............................................................... 92
VoIP Extractions ....................................................................... 92
Save Extractions and Artifacts...................................................... 93
Save Multiple Extraction Items ..................................................... 93
Cancel an Extraction ................................................................. 93
Artifact Preview ........................................................................ 93
Root Cause Explorer ................................................................. 94
Artifacts Timeline .............................................................................. 94
Email Extractions.............................................................................. 94
IM Conversations.............................................................................. 95
IM Conversation Preview ............................................................ 95
2 of 206
Query Types ................................................................................. 103
Activate a Data-Enrichment Resource ......................................... 103
Create a New Data-Enrichment Action ......................................... 103
Exclude from Lookup............................................................... 104
Data Enrichment Mode .................................................................... 105
Data Enrichment File Types ...................................................... 105
Data Enrichment Alerts .................................................................... 106
Blue Coat ThreatBLADES ............................................ 112
WebThreat BLADE ......................................................................... 113
WebPulse Database Updates .................................................... 113
FileThreat BLADE .......................................................................... 114
Malware Analysis Appliance.............................................................. 115
Install the Blue Coat Malware Analysis Appliance ........................... 115
Integrate the MAA with the Security Analytics Platform..................... 115
Malware Analysis Alerts ................................................................... 117
Manually Send Samples .................................................................. 118
Integration Providers .................................................. 118
Configure Integration Providers.......................................................... 119
Activate Integration Providers ............................................................ 119
Reputation Providers .................................................. 120
Local File Analysis .......................................................................... 121
Viewing Reputation Information.................................................. 121
Pivot-Only Reputation Providers................................................. 121
YARA Rules ................................................................................. 122
Activate YARA Rules............................................................... 122
Customize YARA Rules ........................................................... 122
YARA Tuning Options ............................................................. 123
Endpoint Providers .................................................... 124
Login Correlation Service ............................................ 125
How the LCS Works........................................................................ 125
Updated 4 Apr 2016
Requirements ........................................................................ 125
Configure the DC ............................................................................ 126
Configure the Advanced Audit Policy Setting.................................. 126
Configure the Group Policy to Enable WMI Access to a Remote
Machine ......................................................................... 126
Update the Group Policy Settings ............................................... 127
Verify That the Audit Policy Settings Were Applied Correctly .............. 127
Install the LCS Agent ....................................................................... 127
Configure the LCS Agent .......................................................... 128
Import DCs and Appliances from a CSV File .................................. 129
Enable LCS on the Appliance ............................................................ 129
View LCS Activity ........................................................................... 130
On the CLI ............................................................................ 130
In the Log File ........................................................................ 130
On the Web Interface............................................................... 130
Appliance Security ..................................................... 131
LDAP Authentication ....................................................................... 131
Enable LDAP ......................................................................... 131
Modify LDAP Server Settings ..................................................... 132
Limiting LDAP User Searches .................................................... 132
Identifying the LDAP Schema Configuration .................................. 133
Specify Mapped LDAP Schema .................................................. 134
Define a New LDAP Schema ..................................................... 134
Kerberos° Authentication ................................................................. 135
LDAP Server Setup ................................................................. 135
Security Analytics Platform Setup ............................................... 135
Single Sign-On Setup .............................................................. 135
RADIUS Authentication .................................................................... 136
Two-Factor Authentication ................................................................ 137
2FA Logins ........................................................................... 137
Troubleshooting LDAP ..................................................................... 138
Passwords ............................................................... 139
Password-Complexity Rules .............................................................. 139
SSL Certificates and Keys ............................................ 140
Install from the Web Interface ............................................................ 140
Certificates for CMCs and Sensors .............................................. 140
Generate a New Certificate and Key .................................................... 141
Disallow Connections That Use Low-Bit Encryption ................................. 143
Authenticated Proxies ...................................................................... 143
User Accounts and Groups .......................................... 144
Local Users ................................................................................... 144
Add a User............................................................................ 144
Modify User Accounts .............................................................. 145
Enabling and Disabling User Accounts ......................................... 145
Shell-Only Users ............................................................................ 146
Account Profile Settings ................................................................... 147
Settings................................................................................ 147
Preferences .......................................................................... 148
User Groups ............................................................. 149
Create or Modify a Group ................................................................. 149
Group Permissions ......................................................................... 150
Default Group Permissions........................................................ 150
3 of 206
Data Access Control ............................................................... 151
Remote Authentication Users .................................................... 151
Account Settings ............................................................................ 152
Remote Access ......................................................... 153
Firewall........................................................................................ 153
Web Access ................................................................................. 153
Web Access Ports .................................................................. 154
SSH Access.......................................................................... 155
Ping (ICMP) .......................................................................... 155
Web Interface Settings ............................................................ 155
Disable SSH Root Logins ................................................................. 156
Security Analytics Platform Ports and Protocols ............... 157
MD5-Encrypted Password for Bootloader ............................................. 159
Federal Information Processing Standards............................................ 159
All Settings .............................................................. 160
Logging and Communication ........................................ 162
Audit Log ............................................................................. 162
System Logs ......................................................................... 162
Email Alerts .................................................................................. 162
SNMP Settings .............................................................................. 163
Syslog Settings.............................................................................. 164
Communication Settings .................................................................. 165
Import Settings ...................................................................... 165
Export Settings ...................................................................... 165
Export Log Entries .................................................................. 165
MIB Files ..................................................................................... 166
Resetting System Logs .................................................................... 166
Remote Notifications ....................................................................... 167
Create a template ................................................................... 167
Default Template Output .......................................................... 168
Enable Remote Notifications for the ThreatBLADES ........................ 168
Software Upgrades ..................................................... 169
Add an Upgrade Server ................................................................... 169
Upgrade the Security Analytics Platform............................................... 169
Licensing ................................................................. 170
License Expiration .......................................................................... 170
Network Settings ....................................................... 171
System Date and Time ................................................ 172
Statistics ................................................................. 173
Network System..................................................................... 173
Size on Disk.......................................................................... 174
Storage System ..................................................................... 174
Disk Space Record ID ............................................................. 174
Active Slot Chains .................................................................. 175
Total Captured....................................................................... 175
Total Filtered ......................................................................... 175
Drive-Space Management ............................................ 176
Capture and Index Drives ................................................................. 176
Updated 4 Apr 2016
System Drive ................................................................................. 176
Delete Controls for Data Types .................................................. 177
Home Drive ................................................................................... 177
Time-Based Data Deletion ................................................................ 178
Reboot or Shut Down.................................................. 179
From the Web Interface .................................................................... 179
From the CLI ................................................................................. 179
Using the IPMI Interface ................................................................... 179
Central Manager ........................................................ 180
CMC Initial Settings......................................................................... 181
Connect Your First Sensor to the CMC................................................. 182
Generate the Authorization Key for the Sensor ............................... 182
Link the Sensor to the CMC....................................................... 182
Grant Yourself Access to the Sensor ........................................... 183
Disconnect Sensors from a CMC ........................................................ 184
Interrupt the Connection ........................................................... 184
Delete the Connection.............................................................. 184
Manage One Sensor with Multiple CMCs ...................................... 185
User Accounts and Groups on the CMC ............................................... 185
Sensor Access ............................................................................... 185
Authorizations ........................................................................ 185
Remote Groups...................................................................... 185
Remote Groups: Example Setup ........................................................ 186
Network Setup ....................................................................... 186
Requirements ........................................................................ 186
Design ................................................................................. 187
Create the Remote Groups ....................................................... 188
Create the Users .................................................................... 189
Assign Sensor Authorizations .................................................... 190
Results ................................................................................ 191
Multi-Sensor Environment ................................................................. 193
View Multiple Sensors .............................................................. 193
Data Aggregation.................................................................... 194
Multi-Sensor Summary Views .................................................... 194
Multi-Sensor Reports ............................................................... 195
Multi-Sensor Extractions ........................................................... 195
Multi-Sensor Favorites ............................................................. 196
Multi-Sensor Actions................................................................ 197
Multi-Sensor Alerts .................................................................. 197
Multi-Sensor PCAP Files .......................................................... 197
PCAP Import ......................................................................... 197
Multi-Sensor Geolocation and Google Earth .................................. 198
Multi-Sensor Data Enrichment.................................................... 198
Upgrading Sensors ......................................................................... 199
CMC Upgrade Repository ......................................................... 199
Add an Upgrade Image to the CMC Repository .............................. 200
Upgrade Sensors from the CMC Repository .................................. 200
CMC Local Management .................................................................. 202
CMC Dashboard..................................................................... 202
Your Sensors list .................................................................... 203
Other Sensors List .................................................................. 203
Control Buttons ...................................................................... 204
Upgrading the CMC................................................................. 204
4 of 206
Updated 4 Apr 2016
Initial Settings: Network Settings
I NITIAL S ETTINGS
This page contains instructions for configuring the Blue Coat Security Analytics Platform for the first time. To see how
to configure other settings, see Settings.
Network Settings
1. After you have logged in to the web interface (admin | Solera), accept the End User License Agreement.
2. The Initial Configuration page is displayed. If you cannot see the Initial Configuration page, append
/settings/initial_config to the appliance's IP address in the address line of your browser.
3. Optional — Specify a Hostname (system name) for the Security Analytics Platform appliance. The name typed
here is displayed as part of the prompt when anyone logs in to the command line on this appliance. You must
register this hostname with your DNS servers if you intend to refer to this appliance by its hostname.
4. Set the IP address, mask, and default gateway for the management gateway (eth0) using one of the following
methods:
•
Select the Use DHCP check box to automatically retrieve network settings. If you choose to enable DHCP, it
is recommended that you use the DHCP reservation feature of your DHCP server to statically map the MAC
address of the management interface to an IP address.
•
Specify the network settings manually.
If you set a temporary IP address on the CLI using sudo ifconfig, you must re-specify the IP
address, netmask, and gateway on this page; otherwise, the IP address will revert to the default
(192.168.20.20) next time you attempt to connect to the web interface.
5. Optional — Specify the IPv6 unicast address. For secondary addresses, separate the addresses with a space.
6. Optional — If your appliance accesses the Internet through a proxy, type the IP address of the proxy in the
following format: <ip_address>:<port>.
If your appliance accesses the Internet through an authenticated proxy, edit /etc/environment:
http_proxy="http://<username>:<password>@<IP_address>:<port>"
https_proxy="http://<username>:<password>@<IP_address>:<port>"
Also see how to install the proxy's SSL certificate.
7. Specify up to three DNS servers. If you will be using hostnames for other settings on this appliance, you must
specify the primary DNS.
8. Set the correct date and time for the appliance (MM/DD/YYYY hh:ii:ss). You can enable NTP later.
Because time is an essential parameter for both PCAP generation and playback, you must set the
correct time on the appliance before you begin to capture data.
9. If available — For Language, select a display language for the web interface.
10. Recommended — Change the root password for the appliance and specify its lifespan.
5 of 206
Updated 04 Apr 2016
Initial Settings
11. For Password, change any of the requirements, as desired.
12. Click Save.
•
If you changed the hostname, HTTP proxy settings, or time zone, the appliance will
automatically reboot.
•
If you changed the IP address, a message is displayed to confirm that the IP address is being
changed. You may need to log out and back in to re-establish a connection to the appliance.
Install the License
13. The License Details dialog is displayed.
14. Locate the license key that Blue Coat gave to you. Does your appliance have access to the Internet
(license.soleranetworks.com; port 443)?
Yes — Under Retrieve License,
input the License Key and click
Send Request.
• If applicable, select the
desired license type.
• The appliance sends the
license key and the license
seed file to the Solera
Networks license server,
which generates the
appropriate license file
(license.tgz) and returns it to
the appliance, which then
automatically reboots.
No — Click Download DS Seed to download the seed
file (dsseed.tgz) to your workstation.
• On a workstation that has Internet access, go to
license.soleranetworks.com.
• Type your license key, upload dsseed.tgz, click
Update.
• If applicable, select the desired license type and click
Update.
• Save the license file (license.tgz) to your workstation.
• Return to the License Details dialog.
• Click Browse and select license.tgz.
• The license is uploaded and the appliance
If you save a TGZ file for another Security Analytics Platform appliance to your workstation, and
your OS names it [filename](x).tgz, the appliance will still accept the file.
15. Once the system has rebooted, select Settings > About > License Details to verify that the items are correct.
16. Click Download to create an archive copy of the license file (solera-license.dat). Store this file in a safe location that
is not on the appliance.
17. Consult All Settings to further configure your system. If you are setting up a Central Manager Console, continue to
these instructions.
6 of 206
Updated 4 Apr 2016
How the Security Analytics Platform Works
H OW THE S ECURITY A NALYTICS P LATFORM W ORKS
Implementation
In a typical deployment, the Security Analytics Platform receives mirrored traffic from a SPAN port or network tap.
The traffic enters the appliance through one or more Ethernet ports, also known as "capture interfaces."
Drive Configuration
All Security Analytics Platform devices (except the CMC) comprise three logical drives or arrays:
•
Capture — Where raw packet data is written
•
Indexing — Indexed metadata (Indexing DB)
•
System — A Red Hat° Fedora°-based operating system
The actual size and composition of the drives vary according to the hardware and the specific configuration of the
Security Analytics Platform deployment. For example, in a Security Analytics 10G Appliance, all three drives are RAID
arrays, whereas in a virtual machine, the drives may be logically separate entities on a conventional hard drive.
7 of 206
Updated 4 Apr 2016
Packet Capture
The figure below shows how incoming packets are processed and analyzed by the Security Analytics Platform.
1
Mirrored packets arrive from the LAN through one or more NICs.
2
When traffic begins to arrive, the NIC requests a "slot," a 65-MB RAM "container” into which the
NIC loads incoming packets. Each packet receives a time-of-capture stamp and a sourceinterface indicator.
3
When the slot is full, the slot is written to the capture drive, and the NIC requests another slot.
4
The metadata (packet headers, capture timestamps, and interface identifiers) for the packets are
written to the index drive. Flows or "conversations" between hosts are identified during indexing.
Also see Data-Enrichment Process.
5
Artifacts (files), email messages, and IM conversations are extracted from the capture drive.
6
When PCAPs are downloaded, the packets are retrieved from the capture drive.
7
Reports, report widgets, the capture summary graph, and geolocation are generated from the
metadata on the index drive.
8 of 206
Updated 4 Apr 2016
Writing the Slots
The capture drive is logically organized into "slots." As each packet is captured, it is written to a slot. Slots are
allocated to the interfaces in sequential order (0–N).
The figure above shows four NICs: eth2 through eth5.
colored
Packet written from that NIC
gray
Nothing written because another NIC has that slot
white
Capture inactive on that NIC
>
Start capture session
X
End capture session
eth2 starts its capture session first, so it is allocated slot 0. eth5 is allocated slot 1, eth3 is allocated slot 2, and eth4
receives slot 3. The faster or busier NICs are allocated slots more frequently than slower or less-busy NICs. In this
example, eth2 and eth5 are allocated more slots because they fill their slots more quickly than eth3 and eth4.
•
Each capture session creates a "slot chain" — a list of the slots that were used for that capture
session in the order in which they were filled.
•
In the figure above, eth2 created the slot chain 0-4-8-12-14-18-21-24-28, whereas eth3 created
slot chains 2-6-10 and 16-19-22-25.
•
Slots are interface-agnostic. After slot N is allocated, slot 0 will be allocated to the next NIC that
requests a slot, regardless of which NIC was allocated slot 0 in the previous cycle.
Select Statistics > Storage System to see slot and slot-chain data.
9 of 206
Updated 4 Apr 2016
Data Overwriting
The figure below shows how packets are logically written to the capture and index drives. The full packets and their
corresponding index entries (metadata) are written simultaneously to the two drives: the red circles represent a
particular set of packets with its corresponding metadata.
1
Packets are written to the capture drive in slot order from 0–N.
2
The corresponding metadata is simultaneously written to the index.
The write process always starts at the first slot and runs continually to the last, which prevents the hard-drive heads
from engaging in excessive motion. It also enables extremely fast packet capture: up to 10 Gbps with the appropriate
system RAM and RAID arrays.
After the last slot is filled, the next captured packet is written to slot 0. When the capture drive overwrites the first slot,
the capture drive has "recycled." Select Statistics > Storage System to see the recycle count for your capture drive.
The interval between cycles depends on the amount of data being captured, the size of the packets being captured,
and the size of the capture drive.
3
The indicated packet data is overwritten as the capture drive recycles the first time.
4
The corresponding metadata is still available for reports.
In the figure above, the recycle count has been incremented by one because the capture drive has begun to
overwrite the first set of packets. Notice that the metadata for the first packets has not yet been overwritten, because
the index drive typically does not recycle as quickly as the capture drive. For this reason, report and geolocation data
is often available after the original packets have been overwritten.
10 of 206
Updated 4 Apr 2016
5
The original packet data’s location is overwritten a second time.
6
The corresponding metadata has now been overwritten.
As the second cycle begins, the metadata for the original packets begins to be overwritten.
The web interface indicates whether the packets or metadata have been overwritten: View Data
Availability.
Overwriting Imported PCAPs
When you import a PCAP, the PCAP is first uploaded to system RAM and queued into slots in the same manner as the
data from the capture interfaces. The interface for an imported PCAP is designated as impt[x].
It is then written to the capture drive alongside the live data.
Because the capture drive overwrites slots according to slot order, not according to timestamps,
imported PCAPs will be overwritten according to their location on the capture drive, not according to
the "age" of the packets.
For example, if you are actively capturing data in 2014 and you import PCAPs from 2013 (and retain
the original timestamps), the capture drive will not overwrite all of the PCAPs from 2013 before
starting to overwrite the data from 2014; instead, it will overwrite the slots in numerical order, 0–N,
as usual.
11 of 206
Updated 4 Apr 2016
Data-Enrichment Process
1
Captured packets and imported PCAPs are written to the capture and index drives.
2
Some flows match rules that are configured via data-enrichment actions and ThreatBLADE activation.
3
Files (artifacts) in the matching flows are reconstructed.
4
The files that are specified by the data enrichment file-types filter are forwarded to data enrichment.
5
The files are analyzed by the ThreatBLADES, Local File Analysis, and reputation, integration, and analysis
providers.
6
The results of the analyses are displayed in alerts and in ThreatBLADE-related reports and report widgets.
12 of 206
Updated 4 Apr 2016
Interface Icons
The following icons appear throughout the web interface as controls and indicators.
Icon
Function
Settings — Click to open the Settings menu
Analyze > [Summary | Reports | Extractions | Geolocation] — Stop Report(s)/Extraction
— Click to stop the data processing on that page.
Active/Inactive — Toggle to activate or deactivate the entry
Delete — Click to delete this record
Download — Click to download the file to the local workstation
Edit — Click to edit this record
Not Shared/Shared. Shared = Visible to all users on this appliance
Help — Click for context-specific help
Analyze > Alerts > List — View Report Summary — Click to see the artifact in the Analyze
Summary page
Analyze > Favorites — Add to Filter Bar — Click to add the favorite to the filter bar
Analyze > Saved Results — View Report — Click to view the saved result as a report
Capture > Import PCAP — View This Import — Click to load the PCAP into the Analyze
Summary page
Settings > Users and Groups — Remote/Local User. Local = Created on this appliance;
remote = created on another authentication server, e.g., LDAP
Settings > Upgrade — Upgrade from Server — Click to initiate a software upgrade from the
corresponding server
Analyze > Alerts > List — View Artifacts — Click to view the artifact on the Extractions page
Analyze > Summary > Extractions — Preview — Click to preview the artifact
Analyze > Alerts > List — Reputation Report — Click to view details from the dataenrichment providers
Analyze > Alerts > List — From cache — The reputation report for this item was retrieved
from the report cache.
Analyze > Alerts > List — URL — The item that triggered this alert is a URL
Analyze > Alerts > List — File — The item that triggered this alert is a file.
Analyze > Alerts > List — Malware — The reputation report for this item was generated
by a Malware Analysis Appliance.
Analyze > Alerts > List — Go to [MAA/profile] — Click to open the report page for
the detonation.
Capture > Import PCAP — Manage Connections — Click to configure/edit a watch folder
Analyze > Actions > Create/Edit PCAP Export — Manage Connections — Click to
configure/edit an external mount point
13 of 206
Updated 4 Apr 2016
Icon
Function
Analyze > Summary — More Information — Click to see more information or to download the
displayed data as a PCAP(NG)
Analyze > Alerts > List — Action Details — Click to display information about the rule that
triggered the alert.
Capture > Import PCAP — Import Information — Click to see information on the imported
PCAP(NG)
Analyze > Summary — Unindexed Flows — Click to see how many of the flows in the current
view are not yet indexed
Capture > Summary — Hidden/Showing — Click to hide or show lines on the capture summary
graph
Capture > Summary — Capture Filter — Click to apply or remove a capture filter on an
interface
Analyze > Alerts > List — Critical Alert
Analyze > Alerts > List — Warning
Analyze > Alerts > List — Notice
Capture > Import PCAP — View Alerts of This Import — Click to view the alerts that were
generated by this PCAP only.
Analyze > Summary > Extractions — Explore Root Cause — Click to view the root cause of
the artifact.
Analyze > Summary > Extractions — Reputation — Click to view available reputation information
for the artifact
Analyze > Summary > Extractions — Analyze PCAP — Click to open the artifact in the Packet
Analyzer
Analyze > Summary > Extractions — Show Payload — For HTTP Method POST artifacts,
display the payload.
14 of 206
Updated 4 Apr 2016
Appliance Ports
Consult the following diagrams to see how ports are designated on a Blue Coat Security Analytics Appliance. For
instructions on cabling and configuration for head unit plus storage module combinations see the Security Analytics
Software Installation Guide for Dell Hardware on BlueTouch Online.
Go to Security Analytics Platform hardware documentation on BlueTouch Online to see the bill of
materials for each model.
The location of the management port in the figures below is valid only after Security Analytics
Software has been installed on the hardware.
2G Appliance
DSA-2G-10T
Dell R620 PowerEdge Server
10G Appliance
SA-10G-26T
Dell R720xd PowerEdge Server
15 of 206
Updated 4 Apr 2016
Central Manager
DSA-CM-4T
Dell R620 PowerEdge Server
Storage Module
DSA-SM-24T and DSA-SM-48T
Dell MD1200 PowerVault Storage Module
16 of 206
Updated 4 Apr 2016
Interface Screens
I NTERFACE S CREENS
Analyze > Summary
See Summary Views for further information.
1
Filter Bar
12 System Utilization and Notifications
2
Analyze Pages: Summary, Reports,
Extractions, Geolocation
13 Application Groups Widget
3
View Selector
14 Reindexing Control
4
Status Bar
15 Session Resolution Control
5
Navigation Bar
16 Information
6
Save and Delete Favorite Controls
17 Application Groups over Time Widget
7
Alerts
18 Actions Menu
8
Update and Stop Reports Buttons
19 Pie Chart Display
9
Timespan Filter
20 Column Display
10 Account Settings
21 Table Display
11 Settings Menu
22 Bar Chart Display
17 of 206
Updated 4 Apr 2016
Interface Screens
Capture > Summary
See Capture for more information.
1 Analyze Menu: Summary, Reports, Extractions, Geolocation
2 Capture Menu
9
3 Statistics Menu
10 View Menu
4 Alerts
11 Actions Menu
5 User Settings
12 Data Availability Histogram
6 Settings Menu
13 Capture Totals
14 Enable/Disable PCAP Import in Graph
8 Status Bar
15 Interfaces
18 of 206
Graph Scales
Updated 4 Apr 2016
Interface Screens
Capture Interfaces
Each capture interface on a Security Analytics Platform appliance has a graphical box.
1
Line color on the graph
2
Interface name: eth — Ethernet; agg — aggregated interfaces. Click to edit the name.
3
Interface speed
4
Toggle to start/stop playback
5
Toggle to enable/disable data representation on the graph
6
Click to apply a capture filter; during playback, click
7
Toggle to start/stop data capture
to see playback information
Each active interface box shows a table with the following columns:
•
Type — Current, maximum, and total
•
Captured — Total amount of data captured by this interface
•
Filtered — Amount of filtered data captured by this interface
19 of 206
Updated 4 Apr 2016
Interface Screens
Analyze > Summary > Reports
See Reports for more information.
1
Filter Bar
11 Settings Menu
2
Analyze Pages: Summary, Reports, Extractions,
3
View Selector
13 Report Summary Chart
4
Status Bar
14 Session Resolution Control
5
Navigation Bar
15 Information
6
16 Total Sessions over Time Histogram. Not
available for packet-based (non-flow) reports.
7
Alerts
17 Actions Menu
8
Update and Stop Report Buttons
18 Report Comparison Control
9
Timespan Filter
19 Advanced Filter
10 Account Settings
20 Results Table
Geolocation
20 of 206
Updated 4 Apr 2016
Interface Screens
Analyze > Summary > Extractions
See Extractions for more information.
1
Filter Bar
11 Account Settings
2
Analyze Menu: Summary, Reports,
12 Settings Menu
3
View Selector: Artifacts, Artifacts Timeline,
Email, IM Conversations, Media Panel
4
Status Bar
14 Actions Menu
5
Navigation Bar
15 Histogram
6
Information
16 Advanced Filter
7
17 Results List
8
Alerts
18 Expanded Artifact Entry
9
Update and Stop Extraction Buttons
19 Artifact Actions: Preview, Download,
Analyze, Explore Root Cause, Reputation
10 Timespan Filter
21 of 206
Updated 4 Apr 2016
Interface Screens
Analyze > Summary > Geolocation
See Geolocation for more information.
1 Filter Bar
10 Account Settings
2 Analyze Pages: Summary, Reports,
11 Settings Menu
3 View Selector
4 Status Bar
13 Map Controls
5 Navigation Bar
14 Geolocation Map
6 Save and Delete Favorite Controls
15 Information
7 Alerts
16 Actions Menu
8 Update and Stop Extraction Buttons
17 Advanced Filter
9 Timespan Filter
18 Results List
22 of 206
Updated 4 Apr 2016
Data Capture
D ATA C APTURE
The Capture > Summary page has two sections: the interactive graph at the top of the page and a set of summary
boxes (one per interface).
Capture Summary Graph
The capture summary graph provides a graphic view of the capture statistics for each network interface so that you can see
patterns in network data over time. Click and drag the cursor to highlight a section to enlarge.
The graph polls the system regularly to get information on interface captures. By default, the graph will display up to
six months of historical data. (This interval can be changed by selecting Settings > About > Data-Retention
Settings.)
Total Traffic per Interface and Uptime
At the upper-left of the graph you can see System Uptime as well as total traffic per interface and PCAP imports.
•
To show or hide each interface, click its Hide/Show Line on Graph
•
To hide or show PCAP import, select View > PCAP Import on the upper-right side of the graph.
•
To view all capture interfaces in aggregate, select View > Aggregated Statistics.
icon.
View Menu
Use this menu to display information about system performance. You can select as many or as few of these values
as you want.
Process
Definition
Unit of Measurement
CPU Usage
Amount of CPU capacity currently used
Percentage of Capacity
RAM Usage
Amount of RAM currently used
Percentage of Capacity
Flow Table Size
Cumulative size of the flow table since last reboot
Cumulative (Kilo)bytes
DPI Threads
Cumulative number of deep-packet inspection (DPI)
threads
Cumulative Number
Slot Overflow
The number of slots that exceed the DPI slot capacity Current Number
Cumulative Flow Maximum
The highest number of flows since last reboot
Cumulative Number
Flows in Progress
The number of flows that are currently being
processed
Current Number
Classification Discards
The number of packets that have not yet been indexed
Current Number
Slots in Use
The number of slots that are currently being
processed
Current Number
23 of 206
Updated 4 Apr 2016
Data Capture
Process
Definition
Unit of Measurement
Packets in Progress
The number of packets that are currently being
processed
Current Number
Flows Initiated
The number of new flows that have begun processing Current Number
Flow-Table Overflow
The number of flows that exceed the flow-table
capacity
Current Number
PCAP Import
Toggle to show/hide PCAP imports in the graph
Network traffic unit of measure
Aggregated Statistics
Toggle to aggregate all interface statistics in one line
Network traffic unit of measure
File Analysis Jobs in Progress
The number of file-analysis jobs that are in the queue
Current Number
Processed File Analysis
The number of file-analysis jobs that have been
processed
Current Number
File Analysis Queue Discards
The number of file-analysis jobs that were dropped
because the extractor's queue limit was exceeded
Current Number
File Analysis Range Discards
The number of file-analysis jobs that were dropped
because the maximum slot range limit was exceeded
Current Number
File Analysis Slot Discards
The number of data-enrichment jobs that were
dropped because the slot was not in memory (not
live)
Current Number
File Analysis ThreatBLADES
Requests
The number of file-analysis requests to the
ThreatBLADES
Current Number
ThreatBLADES Jobs in Progress
The number of ThreatBLADES jobs in the queue
Current Number
ThreatBLADES Discards
The number of ThreatBLADES jobs that were
dropped because the queue limit was reached
Current Number
Actions Menu
Click the Actions menu to access the following options:
•
Download PCAP — Save the data in the selected timespan as a PCAP file. See PCAP Files for more
information.
•
Start Playback — Create a playback session based on the selected timespan. See Playback for more
information.
•
Reprocess — Resend packets through the actions engine. See Reprocessing for more information.
•
Reset Zoom — Reset the graph to the default view.
•
Analyze Data — View the selected timespan on the Summary page.
24 of 206
Updated 4 Apr 2016
Data Capture
Initiate or Stop Capture
You can also use the dscapture command in the CLI for some of these actions. (Consult the Security Analytics
Platform Reference Guide on bto.bluecoat.com.)
1. Select Capture > Summary and identify the graphical box for the interface.
2. Click Start Capture. The green Start Capture button becomes a red Stop Capture button.
3. If there is traffic on that interface, the Current, Max, and Total rows in the Captured column will begin to
populate.
4. To view the interface's traffic in the graph, click the Hidden
icon.
5. The color of the left margin of the graphical box is the same color as the interface's line in the graph.
Apply a Capture Filter
See Capture Filters.
25 of 206
Updated 4 Apr 2016
Data Capture
Capture-Interface Aggregation
In some cases it is advantageous to aggregate two or more physical interfaces into one virtual interface, e.g., if you
have separate physical interfaces for Rx and Tx traffic, an aggregated interface permits the system to match initiator
traffic with its corresponding responder traffic.
The following rules apply to interface aggregation:
•
You can aggregate as many interfaces as are on a single appliance.
•
You can add only one interface to the aggregate at a time.
•
If any of the component interfaces have a capture filter, that filter will be ignored in the aggregate.
•
You can apply a capture filter to the aggregated interface.
•
When you separate an aggregated interface, you separate all of the component interfaces; you cannot delete
only one or two interfaces from the aggregate.
•
After separating an aggregated interface, any filters that were on the individual interfaces will be reapplied,
whereas any filters on the aggregated interface will be removed.
To aggregate interfaces, follow these steps:
1. Stop capture and playback on all of the interfaces that you want to aggregate.
2. Click and drag one interface box onto another interface box.
3. Verify that you have selected the correct interfaces, make a note of the new interface name, and click Combine.
4. Click Start Capture to start capturing on the aggregated interface.
5. To separate the aggregated interface into its component interfaces, stop the capture or playback on the
interface.
6. Click the chain icon at the top-right of the interface box and click Separate.
26 of 206
Updated 4 Apr 2016
Data Capture
Reprocessing
In some cases, when a data-enrichment action sends a query to an external source, or when a ThreatBLADE sends
a query to the Global Intelligence Network, there is no immediate response. In other cases, you may have altered
your favorites or actions, or report attributes may have been included in a newer version of the Security Analytics
Platform.
You can select data to be examined again by the data-enrichment process as well as reindexed.
•
Prior to version 7.1.3, reprocessing did not include reindexing. You might want to reprocess
data that was captured prior to version 7.1.3 so that any new report attributes can be indexed. It
is highly recommended that you reprocess pre-7.1.3 data for the new Heartbleed-detection
attributes.
•
For certain encrypted protocols such as SSH, IPSEC, and ISAKMP, the
tls_heartbeat_attack_attempt attribute will not be indexed during reprocessing. Heartbleed
detection is therefore dependent on the tls_heartbeat_mismatch attribute.
1. On Capture > Summary, select a timespan to reprocess.
2. Select Actions > Reprocess. The Reprocessing Jobs page is displayed.
3. Click New. The Time Range shows the same start and end times as you selected on the Capture Summary
page. You may change the time range, as desired.
4. Click Save. The selected data is sent back through the actions engine and is also indexed again.
5. The columns on the Reprocessing Jobs page are as follows:
•
Start Time — The starting time of the data to be reprocessed.
•
End time — The ending time of the data to be reprocessed.
•
Processing Start — The time that the reprocessing job starts.
•
Processing End — The time that the reprocessing job ends.
•
Command — The type of reprocessing job:
•
o
1 = Reindexing — Packets that were not indexed at time of capture are indexed.
o
2 = Reprocessing — Packets are run again through the indexing and data-enrichment processes.
Source — The origin of the job:
o
1 = Auto — When system resources prevent indexing at time of capture, resulting in classification
discards, the system uses its idle time to index that data.
o
2 = Manual — The reprocessing or reindexing job was initiated by the user:

Reprocessing is manually initiated as described in steps 1–4.

Reindexing is manually initiated on the Summary page status bar.
•
Percent Complete — Percentage of the job that is completed.
•
Actions — Click
to cancel the unfinished portion of the job. If the job is 100% complete, this will delete
the entry from the list.
27 of 206
Updated 4 Apr 2016
PCAP Files
PCAP F ILES
PCAP files contain copies of all captured packets for a given timespan. The Blue Coat Security Analytics Platform
supports PCAP and PCAPNG formats, both Ethernet encapsulated and PPP encapsulated.
PCAP files can be very large. If you are accessing the Security Analytics Platform web interface on
Microsoft IE 8–9 or another browser that cannot send files in chunks, you cannot support PCAP files
larger than 2 GB without using the Web Services API. (Consult the Security Analytics Platform
Reference Guide on bto.bluecoat.com.)
Download PCAPs of Captured Data
1. Do one of the following:
•
On any Analyze page, select Actions > Download PCAP — Any filters in the filter bar are applied to the
downloaded file.
•
On any Analyze page, click the info icon on the Status bar.
2. The Download PCAP dialog is displayed.
3. For Filter click View Path to see the timespan information.
4. Click Calculate Size to see the amount of data that is displayed.
5. For Type, select one of the following:
•
PCAP — File is downloaded in PCAP format.
•
PCAPNG — File is downloaded in PCAPNG format.
•
PCAP without Filters — All primary filters are cleared from the data.
o
To apply a different filter, click the Filter list.
o
Select a preconfigured filter or select Create New Filter, type a name for the filter, and specify the BPF
Expression in the space provided.
6. For Download Options, select one of the following:
•
Browser — Download the PCAP file using your browser's file-download feature.
•
Offline — Send the PCAP download job to the queue, to run in the background.
o
A message indicates that the generation of the PCAP has begun.
o
Click the notification indicator at the upper-right corner of the web interface.
o
The entry shows PCAP generation in progress.
o
When the process has completed, the status changes from Processing to Download. Click the entry and
follow the prompts to save the PCAP file.
28 of 206
Updated 4 Apr 2016
PCAP Files
•
NFS Save — Save to an NFS server.
o
For Server, click the Manage Connections icon.
o
The Manage Connections dialog is displayed. As needed, configure an NFS mount point.
The apache user (on the Security Analytics Apache instance) must have both read and write
permissions to copy the PCAP to the mounted NFS server.
7. Click Download to save data.pcap or data.pcapng.
Other PCAP Downloads
Download PCAPs using your browser's save function:
•
On any Analyze page, select Actions > Analyze Packets, and then click Download PCAP — Any packetanalysis filters are applied to the downloaded file.
•
Select Analyze > Summary > Extractions, then expand an artifact entry.
•
o
Click Download and select Download PCAP or Download PCAPNG.
o
Click Analyze PCAP, and then click Download PCAP — Any packet-analysis filters are applied to the
downloaded file.
Select Capture > Summary, then select Actions > Download PCAP — Any filters on the capture interfaces
are applied to the downloaded file.
Automatic PCAP Downloads
To export PCAPs automatically, create a PCAP Export action.
Import PCAP Files
You can import PCAP files from your workstation, a USB drive, or a remote server. If you will be importing from a
USB drive, insert the drive into the Security Analytics Platform appliance before performing the next steps; do not
remove the USB drive until the import is complete.
Prior to importing a PCAP, it is recommended that you enable PCAP import in the Capture
Summary Graph (Capture > Summary).
You can also use the dspcapimport command in the CLI for this function. (Consult the
Security Analytics Platform Reference Guide on bto.bluecoat.com.)
1. Select Capture > Import PCAP.
2. Click New.
3. For Import from, specify the import device.
•
My Computer — Click Browse, locate the PCAP file, and open. (Not available from the CMC.)
•
Appliance USB Drive — Select the PCAP file to import. (Not available from the CMC.)
29 of 206
Updated 4 Apr 2016
PCAP Files
•
Remote Server — Select an existing server or specify a new one, select the Schedule, and then select the
PCAP file to import.
4. Indicate whether to share the imported PCAP.
5. Clear the Retain original packet timestamps check box to use the importation begin and end times as the
timestamps.
6. Click Import.
•
PCAP import always processes packets as fast as possible; therefore, timestamps will not
necessarily be in PCAP order.
•
PCAP data can be imported on a maximum of ten virtual interfaces.
The Imports table displays the number of Extraction and Data Enrichment jobs that are in progress during the PCAP file's
importation.
•
Extraction Jobs — Number of files that have been reconstructed by the extraction process, which is activated
any time the traffic matches a data-enrichment action or a ThreatBLADES rule.
•
Data Enrichment Jobs — Number of verdicts that have been returned to the Alerts page from the
ThreatBLADES, and reputation, analysis, and integration providers.
PCAP File Analysis
Analyze PCAPs on the Security Analytics Platform
After you have imported a PCAP file, use the following Web interface pages to further analyze the data.
PCAP Imports List
Select Capture > Import PCAP. On the Imports list, the following information is available:
•
Name — Name of the imported PCAP file.
•
Status — Import state such as running, queued, completed, or canceled. To filter the list by status, click All
at the top-left of the list and select the desired criteria.
•
Import Source — The method of importing the PCAP, such as Browser Upload or Remote Server.
•
Interface — The interface on which the PCAP was imported, e.g., impt0.
•
Import ID — Sequential number assigned to the import. Use this number in filters as import_id=[x].
30 of 206
Updated 4 Apr 2016
PCAP Files
•
Extraction Jobs — Number of files that have been reconstructed by the extraction process, which is
activated any time the traffic matches a data-enrichment action or a ThreatBLADES rule.
•
Data Enrichment Jobs — Number of verdicts that have been returned to the Alerts page from the
ThreatBLADES, and reputation, analysis, and integration providers.
•
Created Time — The time at which the PCAP import began.
•
First Packet Time — The timestamp on the first packet in the PCAP file. If you selected Retain original
packet timestamps for the import, this date will be earlier than the Created Time; otherwise, it will be a few
seconds later.
•
Actions — Click an icon:
o
View Import Information — See more information about the import, including error messages.
o
View Alerts of This Import — Open the Alerts page to see only the alerts that this PCAP generated.
o
View This Import — Loads the PCAP into the Analyze > Summary view with import_id=[x] in the
filter bar.
Storage System Page
On the Statistics > Storage System page, an entry for the imported PCAP is displayed under Active Slot Chain for
Interface impt [X].
•
Because PCAPs are imported to the capture drive along with the live captures, imported PCAPs will be
overwritten as the capture process cycles.
•
As a PCAP is overwritten, the values that indicate size and location gradually decrease. The entry for the
PCAP disappears when the PCAP data in the capture drive is completely overwritten.
•
When you import multiple PCAPs via the same virtual interface, the system shows the combined statistics for
the PCAPs in a single entry.
Capture Summary Page
On the Capture > Summary page, click select View > PCAP Import to see the histogram for the PCAP.
•
If you selected the Retain original packet timestamps check box during import, the PCAP data will be
displayed in its original capture timeframe at the far left of the chart.
•
Any activity that the PCAP import generates — such as ThreatBLADE requests or classification discards —
is displayed using the actual timestamps. For example, if the original packet timestamps are in February and
the PCAP is imported two months later, the histogram for the PCAP import will be in February and the
ThreatBLADE requests it generates will be shown as occurring in April.
Analyze PCAP Files in Wireshark
•
To view PCAP files in Wireshark°, you must have downloaded and installed that third-party application.
•
Follow the Wireshark instructions to import and read PCAP(NG) files.
•
Alternatively, open any Analyze page and then select Actions > Analyze Packets. The PCAP is displayed in
the packet analyzer, which has an interface similar to Wireshark's.
31 of 206
Updated 4 Apr 2016
PCAP Files
Automatically Import PCAP Files
Use watch folders to automatically import PCAP files from a remote server.
1. Select Capture > Import PCAP and click the Watch Folders tab.
2. Click New.
3. Do you need to configure a new server?
Yes — Click New and provide the requested
information for the server.
•
No — Select an existing server and continue
the procedure.
Click Save and continue the procedure.
4. For Check for Files, specify the interval to check for new PCAP files.
5. For Select folders, specify which folder(s) to monitor for new PCAP files.
6. Optional — Clear the Retain original packet timestamps check box to ignore the PCAP timestamps and use
the import begin time instead.
7. Click Create. The system will check the specified folder(s) and automatically upload any new PCAP files that it
finds.
8. Click Manage Connections to edit the information for the watch folder servers.
Automatically Export PCAP Files
To automatically export PCAP files, use the PCAP Export action.
32 of 206
Updated 4 Apr 2016
Playback
P LAYBACK
Use the dsregen command in the CLI for these functions. (Consult the
Use the playback feature to reconstruct and transmit captured data flows to a physical network interface for analysis.
Depending on which data is selected for replay, the data is lifted from the capture drives or regenerated directly from
the input interface(s). Play back live data to forward data flows to a physical network interface for analysis. The Blue
Coat Security Analytics Appliance can regenerate traffic with less than 1 ms latency, even at high network speeds (up
to 10 Gbps).
33 of 206
Updated 4 Apr 2016
Playback
Create a Playback Session
1. Select Capture > Summary.
2. For the output interface, click Start Playback.
3. Select the input interface(s) whose data you want to include.
4. Select the Output Interface to be used.
Interfaces that are in use for capture cannot be used as the output interfaces for playback;
otherwise, the existing capture sessions will be stopped.
5. For Time Span, select one of the following:
•
All Captured Data — Select to replay all of the data that is currently on the capture drives.
•
Live Data — Select to send the data that is currently being captured.
•
Custom Time Range — Select to specify the beginning and end.
o
For Start Time, expand the list to select a fixed timespan or specify manually the date and time.
o
Select Never End so that the data continues to play back until you stop it.
o
For End Time, expand the list to select a fixed timespan or specify manually the date and time.
6. For Speed, select the speed at which the data will exit the output interface.
When sending data from multiple input interfaces to a single output, take into consideration the
interface speeds. For example, if you have two 100-Mbps input interfaces and your output interface
is also 100 Mbps, you might experience problems with throughput.
7. To apply a filter to the output interface, expand the Filter list and do one of the following:
•
Select or edit an existing filter.
•
Select Create New Filter and specify a Name and the BPF Expression for the filter.
8. Click Save.
9. The message Playback in Progress is displayed on the interface box if the playback session is successful.
Click to see the parameters of the playback.
34 of 206
Updated 4 Apr 2016
Playback
Many-to-Many Sessions
When a playback session is created, the system merges the input from the physical interfaces and maps it to a virtual
interface (imfX), which then forwards the traffic to another physical output interface.
The web interface permits you to specify many-to-one sessions, i.e., multiple input interfaces to a single output
interface. To create the equivalent of a many-to-many session, you must create one session per output interface.
example
In the example above, there are two output interfaces — eth6 and eth7 — so the following two sessions must be
created:
Session
Input
Filter
Output
1
eth2, eth3
[as desired]
eth6
2
eth2, eth3
[as desired]
eth7
CLI Commands for Many-to-Many Session
To set up the session for the mappings in the example, type the following commands. (For more information, see
dscapture map and dsregen in the Security Analytics Platform Reference Guide on bto.bluecoat.com):
dscapture --map ifm0 eth2
dsregen start ifm0 eth6
To limit the session to a particular timespan — from 8:00 a.m. to 5:30 p.m. on April 25, 2013 — type the following
commands:
dscapture --settime ifm0 04.25.2013.08.00.00 04.25.2013.17.30.00.00
dscapture --settime ifm1 04.25.2013.08.00.00 04.25.2013.17.30.00.00
35 of 206
Updated 4 Apr 2016
Data Availability
D ATA A VAILABILITY
Data availability is a function of the rate at which the capture and indexing drives overwrite existing data.
You can see data availability by expanding the timespan selector.
Data availability information is displayed:
•
[no message] — All metadata and packet data are available.
•
Limited packet data — Full metadata is available as well as some packet data.
•
No packet data — Full metadata is available but no packet data.
•
Limited data — Some metadata and packet data is available.
•
No data — All packets and metadata have been overwritten, or no data was captured during that time.
In some cases, just after packets have been captured but indexing has not been completed, the
data is temporarily not available for searches or reports.
Calendar Display
Click a date to see color-coded information for packet and metadata availability.
•
White background — All metadata and packet data are available. Reports, artifacts, and PCAP downloads
are available for this data.
•
Light pink background — Metadata is available but the corresponding packets have been overwritten. Only
reports are available for this data.
•
Dark pink background — All packet data and metadata have been overwritten, or no data was captured on
those days.
36 of 206
Updated 4 Apr 2016
Data Availability
The capture summary graph (Capture > Summary) indicates overwritten data with the light pink Packet data
overwritten (metadata only) area and dark pink No data available area.
Capture summary data can remain available after the corresponding packets and metadata have
been overwritten because it is not stored on the capture or index drives. See Drive Space
Management for information on retaining and deleting capture summary data.
37 of 206
Updated 4 Apr 2016
Data Analysis
D ATA A NALYSIS
Summary Views
The Security Analytics Platform Summary views are collections of report widgets on a single page. Report widgets
are discrete graphical elements that summarize data according to selected criteria. A collection of widgets can then
be run against a user-selected time period and a user-defined set of filters.
See Summary Page for a description of all its elements.
Report Widgets
Included on the Security Analytics Platform are report widgets that correspond to the Available Reports.
Select a summary view from the view selector.
Use the edit
control to change the name, share the view, or specify a new view as the default.
Create a Summary View
You can create a new summary view from a blank view, or you can modify an existing view.
1. Select Analyze > Summary.
2. Click the view selector and select Add New View.
3. Type a name for your new view.
4. Optional — Select Use flow-based columns to permit the report widgets to adjust to the available width of the
window. Clearing this check box forces the report widgets to stay in a fixed-grid location.
5. Optional — Select Shared to share the view.
6. Optional — Select Duplicate Existing View? to select a view to duplicate for the new view.
7. Optional — Select Set as default to make this the default view.
8. Click Save. You get a blank summary screen and the Add/Edit Widgets dialog box is displayed.
9. In the dialog box, select one or more report widgets from the Available Reports list and add them to the
Selected Reports list.
38 of 206
Updated 4 Apr 2016
Data Analysis
•
The more report widgets in a view, the longer it takes to load the view.
•
Application Group includes the Application Group and the Application Group over Time
widgets.
10. Click Add/Edit Widgets.
Reindexing
During periods of heavy network activity, the system may not be able to index every packet as it is written to the capture
drive. During periods of lower activity, the system returns to the unindexed packets on the capture drive and
attempts to finish indexing them.
On the Status bar, the total amount of data in the flows is indicated. If the system has not been able to finish indexing
all of the packets, the
icon is displayed. Click the icon to see how many flows remain to be indexed.
Click Give Priority to This Timespan to move the unindexed flows in the current view to the top of the reindexing
queue.
In some cases the warning
finished.
icon is still visible for several minutes after the reindexing job has
On Capture > Summary, select Processes > Classification Discards to see the rate at which packets are not
immediately indexed.
As soon as a flow has been indexed, it is examined by the actions engine. If the flow matches an
action, the flow will be processed according to the action.
To see reindexing jobs, select Capture > Summary > Actions > Reprocess. Reindexing jobs show 1 in the
Command column. Also see Reprocessing.
39 of 206
Updated 4 Apr 2016
Data Analysis
Report Widget Controls
To reveal the report widget controls, place your cursor over the widget header.
1
Move Widget
2
Widget Settings
3
Delete Widget
1
Field — Sort-by Field. Select from the widget name or bytes, packets,
sessions, IP fragments, or bad checksums.
2
Order — Ascending, Descending
3
View — Table, Pie, Column, Bar
4
Resolution — Select the check box and slide the selector to the
desired resolution.
The settings affect only this report widget in this view. If this report widget is present in other views,
the settings for those views will be not changed.
40 of 206
Updated 4 Apr 2016
Data Analysis
Application Group Widgets
Two widgets — Application Group and Application Group over Time — are different from the other widgets; user
configuration is limited to session-resolution settings. The Application Group widget has Bytes, Packets, and
Sessions columns. The Application Group over Time widget is a histogram of the Application Group widget. Place
your cursor over a data point to see the details.
When adding widgets to a view, selecting Application Group adds both the Application Group and
the Application Group over Time widget to the view.
Apply Filters to Summary Views
To apply a filter to a summary view, see Primary Filters or Favorites.
Save the Output of a Report View
The output of a summary view can be saved on the appliance and is accessed by selecting Analyze > Saved
Results.
1. Select Analyze > Summary and select the desired view.
2. Add, delete, and modify the report widgets as desired. Add any filters that you want.
3. Click Actions > Save in the upper-right corner of the interface.
4. Type a name for the saved output (max 300 characters).
5. If you click Save before the system has finished processing the data, you have the option to:
•
Save and Stop — Save only the data that was processed before you clicked Save and Stop.
•
Save and Continue — The save operation will continue until all data is processed.
6. If you click Save after Status shows Finished (100%), all of the results are saved.
7. Retrieve the saved results by selecting Analyze > Saved Results. There is a separate report entry for each
widget.
8. Click View Report
to see the report in the Reports (not Summary) view.
Session Resolution
In the Summary, Reports, and Geolocation views, the session resolution indicator is located on the status bar. The
purpose of this feature is to limit reports to a subset of data, which allows quicker display of data.
If you cannot see the session-resolution indicator, select [Account Name] > Preferences and clear the Use packetbased reports and filters check box.
41 of 206
Updated 4 Apr 2016
Data Analysis
Adjust Session Resolution
1. Click the session resolution value for the view.
2. Slide the indicator to the percentage of data that you want to view.
42 of 206
Updated 4 Apr 2016
GRE Encapsulation
GRE E NCAPSULATION
The Blue Coat Security Analytics Platform can identify the endpoints and reconstruct the content of GREencapsulated IPv4, IPv6, and WCCP flows. The following figure shows how GRE-encapsulated traffic appears on the
Summary page in a customized view.
The endpoints of the GRE tunnel are displayed in the Tunnel Initiator and Tunnel Responder report widgets. The IPv4
Conversation report widget shows the IPv4 sessions that were encapsulated in the GRE tunnel. The IPv6
Conversation report widget would show any GRE-encapsulated IPv6 sessions.
Capture filters can be configured to find GRE-encapsulated IPs using offsets. See BPF Syntax in
the Security Analytics Platform Reference Guide on bto.bluecoat.com.
The Extractions page displays the artifacts that passed through the GRE tunnel.
43 of 206
Updated 4 Apr 2016
Filtering
F ILTERING
The Blue Coat Security Analytics Platform employs the following types of filters:
•
Primary Filters — Applied to Summary, Reports, Extractions, and Geolocation pages.
•
Timespan — Applied in the same contexts as the primary filter.
•
Advanced — Applied to the results that are generated on Reports, Extractions, Geolocation, Alerts, and
Audit Log pages.
•
Capture — Applied to capture interfaces and PCAP downloads.
Primary Filters
•
Valid parameters for the filter bar
•
Favorites
The filter bar — present on all Analyze pages — is at the heart of security analytics. With these filters, you can display
specific time frames or attributes of the captured data.
1 Filter bar
2 Timespan filter selector
Using the Filter Bar
Type directly in the filter bar to create a new filter.
1. Select any Analyze page: Summary, Reports, Extractions, Geolocation.
2. Click in the filter bar and begin typing a filter attribute.
3. The system will begin suggesting attributes or favorites based on your typing. You can select the desired
attribute by clicking it or by using the arrow keys.
4. Type the operator.
44 of 206
Updated 4 Apr 2016
Filtering
5. Type the desired value after the operator. You can use wildcard expressions. For CIDR notation, use one of the
following formats:
•
•
•
10.5.*.*
10.5.0.0_16
10.5.0.0/16
6. Press Enter. The system completes the filter by enclosing it in a gray box. Click the green Update button to
apply the filter.
Whenever you change a filter, you must always click Update to regenerate the results. This permits
you to change multiple aspects of the filter before regenerating the results.
7. All applied filters appear as white text against a blue background.
8. To modify a filter, click the blue field and edit as desired. Press Enter or click outside the blue field; the box will
become gray again. Click Update to apply the modified filter.
Preconfigured Filters
The Security Analytics Platform is preloaded with favorites such as non-standard protocols, common MIME types, and
known malware passwords. You can use these favorites as primary filters by expanding the filter bar or by selecting
Analyze > Favorites.
1. Select any Analyze page: Summary, Reports, Extractions, Geolocation.
2. Expand the filter bar to see a list of favorites. Select the desired favorite.
•
Alternatively, select Analyze > Favorites. Under Actions for the desired favorite, click Add to Filter Bar
The Summary view will be displayed with that favorite in the filter bar.
.
3. The favorite appears in the filter bar and is applied to the operation (report, extraction, geolocation).
4. For instructions on creating and editing favorites, see Favorites.
45 of 206
Updated 4 Apr 2016
Filtering
Timespan Filters
By default, the system displays the last 15 minutes of data captured.
Expand the control to select another predefined timespan or click the date/time fields to specify a particular time.
Advanced Filters
•
Valid parameters for advanced filters
With the advanced filters, you can easily and rapidly apply additional filters to the report data. When an advanced
filter is applied, the charts and tables change automatically to reflect the new criteria.
•
Advanced filters are applied directly to the data in the view, whereas applying a primary filter
causes the operation, e.g., extraction, to be performed again.
•
Advanced filters affect only what is shown in the current view; they do not affect what is shown
in other views (Summary, Reports, Extractions, Geolocation).
Create an Advanced Filter
1. Select Analyze > [Reports | Extractions | Geolocation | Alerts] or Settings > Audit Log.
2. Select the desired view from the view selector.
3. Click Add a Filter to select a list of valid attributes for this view.
4. Select an operator.
5. Type or select the desired value and press Enter. The system applies the filter to the displayed data.
46 of 206
Updated 4 Apr 2016
Filtering
Create Filters from Graphical Screen Elements
You can instantly create a primary, advanced, or timespan filter from many of the graphical elements on the Web
interface. The example below shows what happens when you click the value in the URI Host field of an extracted
artifact:
Depending on the attribute, you have the options of:
•
adding the value to the filter bar or advanced filter
•
adding the value as one of multiple attributes
•
using one of up to four logical operators
Other graphical elements with this feature include:
•
Report and widget charts and graphs
•
Items in results lists, e.g., locations, IP addresses, applications
•
The Application Group over Time widget, as shown below:
47 of 206
Updated 4 Apr 2016
Filtering
Capture Filters
With capture filters, you can select the packets to be captured by a given network interface. The Security Analytics
Platform leverages the standard Berkeley Packet Filter language to define traffic filters. Once created, the filter
definition can be saved and reused. Capture filters can also be applied to PCAP downloads and playback.
Traffic that is excluded by a capture filter is not available for analysis.
Apply a Capture Filter to an Interface
1. Select Capture > Summary.
2. For the desired interface, click the filter icon
.
3. For Filter, do one of the following:
•
Select an existing filter.
•
Select Create New Filter.
o
Provide the Name and BPF Expression for the filter.
4. Click Save. The interface will now capture only the traffic specified by the filter.
5. To remove the filter click
again, select No Filter, and click Save.
Apply a Capture Filter to a PCAP Download
Follow the steps in Download PCAP Files of Captured Data and select PCAP without Filters for Type, and then specify a
new filter in the space provided.
48 of 206
Updated 4 Apr 2016
Primary Filter Attributes
P RIMARY F ILTER A TTRIBUTES
Valid primary filter attributes are as follows. Consult Report Attributes in the Security Analytics Platform Reference
Guide on bto.bluecoat.com to see which data is the source for each attribute. Also see Advanced-Filter Attributes.
•
Initiator/Responder Fields — During session-based filtering, the field that provides the value for these
attributes depends on the host’s role in a TCP conversation: the host that sends the first SYN packet is the
initiator and the host that sends the corresponding SYN+ACK packet is the responder. During packet-based
filtering, the initiator value is always from the source field and the responder value is always from the destination
field.
•
Length and Number Parameters — For some attributes, you can specify number or length. num(<attribute>)
returns the flows that contain the specified number of the attribute; len(<attribute>) returns the attribute with the
specified length. For example, len(filename)=6 returns all of the flows that contain a six-character filename,
whereas num(filename)=6 returns all of the flows that contain six instances of the filename attribute.
•
•
When the system detects matching traffic for a filter, it returns the entire flow that contains
matching data, which may include data that do not match the favorite. For example, if the filter
is len(filename)=10, the system will return all of the data from every flow that contains a file
name with 10 characters. Some of those flows may include filenames that do not have exactly
10 characters.
•
Regular expressions are not valid for the len(<attribute>) and num(<attribute>) parameters.
Hash Searches — When using the md5_hash and sha1_hash attributes, the match must be exact to produce
a result, but for fuzzy_hash you can specify how much of the hash must match.
o
Command Line Interface — /fuzzy_hash/_ge_abc123eae%2570/ will find fuzzy hashes that have a
70% or higher match. To specify a range — for example, between 70–80% — type
/fuzzy_hash/_ge_abc123eae%2570_and_le_abc123eae%2580/. Note that the percent sign must be
URL-encoded as %25.
•
Encrypted Heartbleed Attacks — If a "Heartbleed" attack is contained within an encrypted heartbeat
message, the tls_heartbeat_attack_attempt attribute cannot detect it; however, a successful attempt will be
detected by tls_heartbeat_mismatch.
•
Namespaces — The Namespace column indicates the namespace to which the attribute belongs.
o
A Summary view that contains report widgets from different namespaces will take longer to complete.
o
When creating advanced queries for an API, attributes from different namespaces cannot be placed in
the same advanced-query array.
49 of 206
Updated 4 Apr 2016
Attribute
Description
Valid Format
len(x)
num(x)
application_group
Any recognized application group
text
application_id
Any recognized application
text
bytes
Total number of bytes in the flow ("Size
in Bytes" in the Reports menu)
integer
country
Any country
text
country_initiator
Country of the sender
text
country_responder
Country of the responder
text
database_query
Query string sent to any database
text
X
X
dns_query
Any query to a DNS server
9.9.9.9IN-ADDR-ARPA
domain.tld
X
X
email_address
Any email address
[email protected]
X
X
email_recipient
Email address of the recipient
[email protected]
X
X
email_sender
Email address of the sender
[email protected]
X
X
ethernet_address
Any MAC address
a9:a9:a9:a9:a9:a9
ethernet_address_packet
Any MAC address in packet-based
ɸ
indexing
a9:a9:a9:a9:a9:a9
ethernet_address_vendors
Vendor-augmented MAC address
text:a9:a9:a9
ethernet_address_vendors_packet
Vendor augmented MAC address in
ɸ
packet-based indexing
text:a9:a9:a9
ethernet_destination
MAC address of recipient
a9:a9:a9:a9:a9:a9
ethernet_destination_vendors
Vendor-augmented MAC address of
ɸ
recipient
text:a9:a9:a9
ethernet_initiator
MAC address of initiator
a9:a9:a9:a9:a9:a9
ethernet_initiator_vendors
initiator
text:a9:a9:a9
ethernet_protocol
Layer-3 protocol
text
ethernet_responder
MAC address of responder
a9:a9:a9:a9:a9:a9
ethernet_responder_vendors
responder
text:a9:a9:a9
ethernet_source
MAC address of sender
ethernet_source_vendors
ɸ
sender
text:a9:a9:a9
filename
File name or extension
filename.ext, .ext
X
X
file_blade_verdict
Generated by the FileThreat BLADE
integer
file_blade_malware_verdict
Returned by the Malware Analysis
Appliance
ɸ
ɸ
50 of 206
a9:a9:a9:a9:a9:a9
Updated 4 Apr 2016
Attribute
Description
Valid Format
len(x)
num(x)
file_type
Pattern-based detection to approximate
the file type transmitted.
text
X
X
flow_id
Identifier for the data flow. Produced
when viewing the artifacts associated with an
alert.
integer
fuzzy_hash
Fuzzy hash of artifact‡
hex
http_code
HTTP status codes: 404 (not found), 500 integer
(internal server error)
X
X
http_content_disposition
Presentation method of the file; URLencoded
inline%3Bfilename%3D%22%22
attachment%3Bfilename%3Dp.txt
X
X
http_forward_addr
Originating IP address of a host that
uses a proxy
9.9.9.9
X
http_method
HTTP command: GET, SET, PUT
text
X
X
http_server
Host name of server
domain.tld
X
X
http_uri
All URIs
domain.tld/[filepath]
import_id
Identifier for imported PCAPs
integer
interface
Appliance interface of captured data
eth[integer] impt[integer]
ifb[integer]
ip_protocol
TCP, UDP, ICMP, OSPFGP
text
ip_bad_csums
Number of bad checksums; best used
with !=0
integer
ip_fragments
Number of IP fragments; best used
with !=0
integer
ipv4_address
Any IPv4 address
9.9.9.9
§
ipv4_initiator
IPv4 address of the sender
9.9.9.9
§
ipv4_responder
IPv4 address of the receiver/responder
9.9.9.9
§
ipv6_address
Any IPv6 address
a9a9::a9a9:a9a9§
ipv6_initiator
IPv6 address of the sender
a9a9::a9a9:a9a9§
ipv6_responder
IPv6 address of the receiver
a9a9::a9a9:a9a9§
machine_id
Combination of NetBIOS Caller and LLMNR
text
X
X
mail_blade_file_verdict
Generated by the MailThreat BLADE
integer
mail_blade_malware_verdict
Appliance
integer
md5_hash
MD5 hash of artifact
hex
mime_type
The MIME type of the artifact
X
X
X
X
ɸ
text/text
packet_length
Length of a packet in bytes
password
Cleartext passwords
text
port
Any port (TCP or UDP)
integer
51 of 206
X
integer
Updated 4 Apr 2016
Attribute
Description
Valid Format
len(x)
num(x)
port_initiator
TCP or UDP port of the sender
integer
port_responder
TCP or UDP port of the receiver
integer
referer
Referring server
domain.tld
X
X
sha1_hash
SHA1 hash of artifact
hex
social_persona
User name of social networking account
text
X
X
ssl_common_name
CN of host, used to request SSL/X.509
certificates
domain.tld
X
X
ssl_serial_number
SSL serial number
hex
standard_blade_verdict
Generated by Local File Analysis
5 = unknown, 10 = known bad
subject
Text in subject line of email message
text
X
X
tcp_initiator
TCP port of the sender
integer
tcp_port
Any TCP port
integer
tcp_responder
TCP port of the receiver
integer
tls_heartbeat_mismatch
Number of sessions in which the
heartbeat_request and hearbeat_response
payloads are not equal in length.
found <sessions>
not found <sessions>
tls_heartbeat_attack_attempt
Number of sessions in which the
payload_length field of the heartbeat_request
does not match the
(D)TLSPlaintext.length field
found <sessions>
not found <sessions>
tunnel_initiator_ip
IPv4 or IPv6 of the GRE tunnel initiator
9.9.9.9§
a9a9::a9a9:a9a9§
tunnel_responder_ip
IPv4 or IPv6 of the GRE tunnel
responder
9.9.9.9§
a9a9::a9a9:a9a9§
udp_initiator
UDP port of the sender
integer
udp_port
Any UDP port
integer
udp_responder
UDP port of the receiver
integer
user_agent
Product tokens: browser, OS, language,
version
text
X
X
user_name
Username as identified by the LCS
text
uri_category
Generated locally by the WebPulse
database
text; WebThreat BLADE Categories
uri_threat_score
Generated locally by the WebPulse
database
integer
vlan_id
Any VLAN identifier
integer
voip_id
Identifier for a VoIP conversation
integer
X
X
web_blade_file_verdict
Generated by the WebThreat BLADE
integer
web_blade_malware_verdict
Appliance
integer
52 of 206
Updated 4 Apr 2016
Attribute
Description
Valid Format
web_blade_web_category
Returned by the Global Intelligence
Network
text; WebThreat BLADE Categories
web_blade_web_verdict
Returned by the Global Intelligence
Network
integer
web_query
Any search term sent to an Internet
search engine
web_server
Type of web server, e.g., Apache, IIS,
nginx
ɸ
§
len(x)
num(x)
text
X
X
text
X
X
This attribute is available only for data captured previous to version 7.1.5.
For IPv4 and IPv6 networks you can use CIDR notation as follows:
•
10.63.*.*
•
10.63.0.0/16
•
10.63.0.0_16
•
2001::/31
‡
By default, the fuzzy hash is not calculated for microextractions. To enable fuzzy-hash calculation, edit the following value in
/etc/solera/extractor/extractord.conf:
# Flag to calculate the fuzzy hash
calc_fuzzy_hash=1
Remove the # in front of calc_fuzzy_hash and set the value to one. Save and exit. Restart the extractor service:
service solera-extractord restart
53 of 206
Updated 4 Apr 2016
Advanced-Filter Attributes
A DVANCED -F ILTER A TTRIBUTES
The values for the advanced filter are different for each page. Also see Primary Filter Attributes.
Alerts
The Alerts pages offer the following options:
•
action — Name of action that triggered the alert
•
artifact_identifier — Add the identifier from the Alerts List page, as shown above.
•
description — CustomAnalytics BLADE attribute
•
destination_ip — Destination IP address
•
destination_mac — Destination MAC address
•
destination_port — Destination port number
•
favorite — Name of favorite that triggered the alert
•
importance — Notification, Warning, Critical
•
integration_provider — Derived from the values in the Action's Send to field
•
match_criteria — CustomAnalytics BLADE attribute
•
name — CustomAnalytics BLADE attribute
•
score — Score returned by the Integration Provider
•
source_ip — Source IP address
•
source_mac — Source MAC address
•
source_port — Source port number
•
type — For Malware Analysis reports, specify file for verdicts that came from locally cached results and
malware for verdicts that were produced by Malware Analysis Appliance detonation
Reports
For all reports, the advanced filter offers the following options:
•
<report_attribute> — See Primary Filter Attributes for the list.
•
bad_checksums§ — Number of erroneous checksums
•
bytes — Number of bytes
•
fragments — Number of IP fragments
•
packets — Number of packets
•
sessions — Number of sessions
54 of 206
Updated 4 Apr 2016
Extractions
Consult the table below to see which advanced-filter attributes are available in the various Extractions views. Artifacts
and Artifacts Timeline provide identical attributes.
Field
Description
Artifacts
Email
email_bcc
Email addresses in the Blind Carbon-Copy field
X
X
email_cc
Email addresses in the Carbon-Copy field
X
X
email_from
Email addresses in the From field
X
X
email_messageid
Email message ID
X
X
email_priority
Email priority
X
X
email_replyto
Email addresses in the Reply To field
X
X
email_subject
Email subject line
X
X
email_to
Email addresses in the To field
X
X
file_extension
Extension of file (DOCX, COM, EXE, JPG)
X
X
file_size
Size of file in kilobytes (KB)
X
X
file_type
Type of file
X
X
file_type_mismatch
All entries where the presented MIME type is
different from the detected MIME type.
X
fuzzy‡
Fuzzy hash of artifact
X
hex
Hexadecimal value
X
http_header
String in HTTP header
X
http_method
post or get
X
http_request_header
String in HTTP Request headers only
X
http_response_code
Three-digit HTTP response code, e.g., 404, 302
X
http_response_header
String in HTTP Response headers only
X
image_height
Image height (x-value) in pixels
X
X
image_width
Image width (y-value) in pixels
X
X
ip_address
Any IP address (IPv4 or IPv6)
X
X
X
X
ip_initiator
Source IP address (IPv4 or IPv6)
X
X
X
X
ip_responder
Destination IP address (IPv4 or IPv6)
X
X
X
X
keyword
Text string inside an artifact
X
X
X
keyword_arabic
Keyword in Arabic alphabet (UTF-8, ISO 8859-6)
X
keyword_european
Keyword in Roman alphabet (UTF-8, ISO 88591, Windows 1252)
X
keyword_japanese
Keyword in Japanese characters (UTF-8,
Japanese Shift-JIS, ISO-2022-JP, EUC-JP)
X
55 of 206
IM
Media
X
Updated 4 Apr 2016
Field
Description
Artifacts
Email
IM
Media
keyword_korean
Keyword in Korean characters (UTF-8, EUC-KR)
X
keyword_utf8
Keyword in UTF-8 encoded characters
X
md5
MD5 hash of artifact
X
X
port
Any port number
X
X
X
X
port_initiator
Destination port number of artifact
X
X
X
X
port_responder
Source port number of artifact
X
X
X
X
protocol
Protocol
referer
Referrer of artifact
X
sha1
SHA1 hash of artifact
X
url
URL of artifact
X
user
Username of participant in IM conversation
X
X
X
X
X
X
X
‡
By default, the fuzzy hash is not calculated for microextractions. To enable fuzzy-hash calculation, edit the following value
in /etc/solera/extractor/extractord.conf:
calc_fuzzy_hash=1
Geolocation
The Geolocation advanced filter offers the following options:
•
bytes — Number of bytes
•
ip_count — Number if IP addresses at a location
•
location — Name of location
56 of 206
Updated 4 Apr 2016
Audit Log
•
category — Alerts, Capture, Hardware, Misc, Playback, Solera Events, System Events, User
•
event — As follows:
•
•
Alerts Cleared
•
PCAP Download
•
Report Schedule Created
•
Audit
•
PCAP Exported
•
Report Schedule Deleted
•
Break-Glass Mode
Activated
•
PCAP Import Started
•
Report Schedule Edited
•
PCAP Import Stats
•
Report Viewed
•
CSV Generation
•
PCAP Import Stopped
•
Reprocessing Job Added
•
Capture Start
•
PCAP Import Timestamps
•
Reprocessing Job Done
•
Capture Stop
•
PDF Download
•
•
Viewed
•
PDF Generation
Reprocessing Job
Initialized
Packet Analyzer Viewed
Reputation
Change Gateway
•
•
•
Rules Engine Notification
Change IP Address
Packet Loss
•
•
•
Saved Results Viewed
Change Netmask
Playback Start
•
•
•
Playback Stop
Storage Failure
Change Time
•
•
•
Template Created
Disk Status
Power Supply 1 Status
•
•
•
Template Deleted
Extraction Created
•
•
•
User Added
Extraction Viewed
•
•
•
User Deleted
Favorite Import
Program Halted
•
•
•
Query
User Group Added
Filter Added
•
•
•
User Group Deleted
Filter Removed
Query Results
•
•
•
User Group Modified
Google Earth Viewed
Query Results Exported
•
•
•
Reindexing Job Added
User Login
Information
•
•
•
User Login Failed
Interface Down
Reindexing Job Done
•
•
•
Reindexing Job Initialized
User Logout
Interface Up
•
•
•
User Modified
JSON Favorite
Report Created
•
•
•
•
User SU
•
Log Cleared
priority — Critical, Debug, Emergency, Error, Informational, Notice, Warning
57 of 206
Updated 4 Apr 2016
Wildcards and Logical Operators
W ILDCARDS AND L OGICAL O PERATORS
Wildcard Usage
Favorites and filters support two regular-expression characters: the question mark (?) and the asterisk (*):
? = single character
* = zero or more characters
These wildcard expressions may be used in the filter bar and for favorites. (The advanced filters use other conventions.)
Expression
Description
Returns
Excludes
filename=*solera*
All file names that contain the string solera.
solera
mysolerastuff
solerastuff
mysolera
sol123era
sollera
filename=*solera
All file names that end with solera.
solera
mysolera
solerastuff
filename=solera*
All file names that begin with solera.
solera
solerastuff
mysolera
filename=sole*ra
All file names that begin with sole and end with ra.
solera
solenoid
solemncapybara mordedura
filename=sol?ra
All file names that start with sol and end with ra and that have
a single character between sol and ra.
solera
sol1ra
sol123ra
*solera*
solera
mysolera
filename="*solera*" All file names that are exactly *solera*. The double quotes
disable the character expansion.
filename="sol?ra"
All file names that are exactly sol?ra.
sol?ra
solera
filename=\*solera*
All file names that begin with *solera. The backslash disables
the character expansion for the first wildcard only.
*solera
*solerastuff
solerastuff
mysolerastuff
filename!=*
The file name does not exist.
All entries
without
filenames
All entries that
have
filenames
To include a hyphen in a filter value, use a backslash, e.g., http_uri=wp\-admin
58 of 206
Updated 4 Apr 2016
Logical Operators in Primary Filters
Complex filters can be created by combining multiple filters in the filter path. Filters are applied from left to right, such
that the first value on the left is filtered first and each filter is applied afterward, in order. For example, for the filter
the data is filtered first on the application_id value and then on the ipv4_initator value, which results in all entries where
the application is HTTP and the initiator IP is not 10.10.2.123.
Operation
Syntax
Example
Result
AND
<attribute>=<value1,value2>
ipv4_address=1.1.1.1,2.2.2.2
Returns entries with both 1.1.1.1 and
2.2.2.2 as host addresses.
<attribute1>=<value>
<attribute2>=<value>
ipv4_address=1.1.1.1
application_id=http
Returns HTTP entries with host address
1.1.1.1.
OR
<attribute>=<value1>
<attribute>=<value2>
Returns entries with either 1.1.1.1 or
2.2.2.2 as host addresses.
RANGE
<attribute>=<value1-value2>
ipv4_address=1.1.1.1-1.1.1.254
Returns entries with any host address
between 1.1.1.1 and 1.1.1.254.
NOT
<attribute>!=<value>
application_id!=http
Returns all applications except HTTP.
!<favorite>
!MIME Type BIN
Returns everything that does not match
mime_type="application/bin",
"application/binary", "application/xmsdownload"
contains
<attribute>~<value>
http_uri~yahoo
Returns all URIs that contain yahoo.
does not
contain
<attribute>!~<value>
http_uri!~twitter
Returns all URIs except those that
contain twitter.
is null
<attribute>!=*
referer!=*
Returns all entries where the referer field
is empty or non-existent.
greater than
<attribute>><value>
vlan_id>45
Returns all entries that have VLAN ID
numbers larger than 45.
greater than or
equals
<attribute>>=<value>
packet_length>=1024
Returns all entries that have packet
lengths of 1024 bytes or larger
less than
<attribute><<value>
interface<3
Returns all entries from interfaces with
an ID less than 3.
less than or
equals
<attribute><=<value>
port_initiator<=35000
Returns all entries that have port
initiator number of 35000 or lower
59 of 206
Updated 4 Apr 2016
•
OR is operational only with the same attribute types, e.g., two application_id filters or multiple port filters. If the
attribute types are different, the operation is always AND.
•
To apply a primary filter to a different view (Summary, Reports, Extractions, Geolocation), select the view
while the filter is still present in the filter bar.
•
To save a primary filter, click the star
•
To delete an individual filter, click its white
•
To delete everything in the filter bar, click
•
To modify an attribute/value pair, click it to enter edit mode, type the new value, and press Enter.
•
Applying a primary filter causes an operation, e.g., extraction, to be performed again, whereas advanced filters
are applied only to the data already in the view.
to add it to the favorites list.
and click Update or press Enter.
and click Update or press Enter.
Logical Operators in Advanced Filters
•
NOT (does not equal) is treated as a negative AND. When there are multiple NOTs in the filter, they are treated
as a single AND operator.
•
Any special character between double quotes is treated as plain text, e.g., the asterisk in "A*C" is treated
as plain text, whereas in A*C it is a wildcard.
•
The term null is valid for the = and != operators, e.g., referer!=null will return all entries where the referer
field contains a value.
60 of 206
Updated 4 Apr 2016
Universal Connector
U NIVERSAL C ONNECTOR
With the Universal Connector, you can directly add IP addresses to the filter bar from a Web browser.
To install the Universal Connector, select Settings > About > Universal Connector.
Under Browser Bookmarklet, do one of the following:
1. Right-click the Bookmark button and select Add to favorites, Bookmark this link, or Add link to bookmarks
(depending on your browser).
2. Drag the Bookmark button onto your bookmarks bar.
Add an IP Address with the Universal Connector
3. Browse to a page with one or more IP addresses on it. (The IP addresses must be in dotted-decimal notation:
111.222.33.44, not domain.tld.)
4. Launch the Universal Connector by opening Bookmarks and double-clicking Universal Connector.
5. The Universal Connector underlines all IP addresses (linked and plain text). Place your cursor over an IP address
to invoke the Add control and click.
6. The IP address is added to the list; alternatively, you can click the IP Address field and type the address
manually.
7. Optional — For Endpoint, select Either, Source, or Destination.
8. Optional — For Port, type a port number and select the Type and Endpoint values.
9. Optional — Select a new date or time (default: last 15 minutes).
10. For Appliance, type the hostname or IP address of your appliance.
11. Click Investigate in DeepSee.
12. The filter is added to the filter bar in the Analyze Summary view.
61 of 206
Updated 4 Apr 2016
Favorites
F AVORITES
Use favorites to combine and save commonly used primary filters.
Preloaded Favorites
The Blue Coat Security Analytics Platform is preloaded with a variety of favorites, including but not limited to the
following:
•
ThreatBLADE Defaults
•
Non-Standard Protocols
•
Common MIME Types
•
Content Mismatches
•
Watchlist Countries
•
Known Malware Passwords
•
Cleartext Passwords
•
Dynamic DNS Domains
•
G01PACK URI Wordlist
•
Inexplicitly Labeled File Types
•
TLD/Country Mismatches
•
Known Bad User-Agent
Strings
To use these favorites, do one of the following:
•
Select Analyze > Favorites. For the favorite, click Add to Filter Bar
on the Summary page.
•
Select Analyze > [Summary | Reports | Extractions | Geolocation] and
•
Expand the filter bar to select the desired favorite.
•
Begin to type the name of a favorite and select it from the options that the system presents. You can choose
to include or exclude the favorite, i.e., favorite or !favorite.
•
Select Analyze > Actions and enable the corresponding preloaded action, e.g., click
. The favorite is added to the filter bar
Activate/Deactivate
for Known Malware Password Usage. These favorites contain all of the filters of a
single type, e.g., Non-Standard Network Communications contains all of the favorites that begin with
"Non-Standard."
Create a New Favorite
1. Select Analyze > Favorites.
2. Select Tools > New. The Create a Favorite dialog box is displayed.
3. Specify a Name for the favorite.
4. For Filter, type one or more filter attributes or the names of existing favorites. Begin typing to get suggestions. You
can use wildcard expressions and logical operators.
5. Optional — Select the Shared check box.
6. Click Save.
62 of 206
Updated 4 Apr 2016
Favorites
Create a Favorite from the Filter Bar
1. In the filter bar, type the desired filter attributes. You can use wildcard expressions and logical operators.
2. Click the star
to save the favorite.
3. Provide a name for the favorite and indicate whether it is to be shared.
4. Click Save. You can view the new favorite on Analyze > Favorites or in the filter bar drop-down list.
Import Favorites
1. Select Analyze > Favorites and select Tools > Import.
2. For File Type, select one of the following:
•
DShield — Access the rules at feeds.dshield.org/block.txt.
•
List — Import a text file that contains one or more values for a single filter attribute. Delimiters determine the
boolean.
•
Snort° — Access the rules at rules.emergingthreats.net/blockrules/.
•
JSON — Favorites formatted as JSON arrays, such as favorites that have been exported from the system.
3. Specify a Name for the favorite.
4. Optional, for Snort favorites — Select the Honor rule directionality check box.
5. Location — Select one of the following:
•
Browser Upload — Click Browse and select a file to upload.
•
Remote — Specify the URI where the file is located, then set the schedule for how often the file is to be
uploaded. Each time the file is uploaded, all additions, deletions, and edits will be written to the Favorites list.
This scheduler is similar to the scheduler for reports.
6. Select the Shared check box to share the favorite.
7. Click Save.
Export Favorites
You can export JSON favorites to import to another Security Analytics Platform appliance.
1. Select the check box for the favorite(s) that you want to export.
2. Select Tools > Export.
3. Follow the prompts to save favorites.json to your workstation.
63 of 206
Updated 4 Apr 2016
Favorites
Delete Favorites
When you delete a favorite, you also delete every favorite, alert, and action that contains that favorite (unless the
action contains a favorite that is not deleted).
example
The following items contain FAVORITE1:
•
FAVORITE3 contains FAVORITE1 and application_group=web.
•
AlertABC contains FAVORITE1 and another favorite called Email.
•
AlertXYZ contains ChinaWeb and FAVORITE3.
The alerts that are triggered by FAVORITE1 are as follows:
When FAVORITE1 is deleted, these are the results:
•
FAVORITE3 is deleted.
•
AlertXYZ is deleted.
•
AlertABC has a remaining favorite, so it is not deleted.
•
All alerts triggered by FAVORITE1 and FAVORITE3 are deleted.
•
The alerts that were triggered by Email in AlertABC still remain.
64 of 206
Updated 4 Apr 2016
Favorites
Format a List of Favorites
You can import a list of values for a single filter attribute. Importing a list of values in this manner automatically creates
the favorite as attribute=value. The list delimiter determines the boolean operator.
Delimiter
Example Text File
Favorite(s) Created
network service
attribute="network management, file server, file transfer,
network service"
192.168.*.*, 10.0.0.0_8, 172.16.0.0/12
attribute="192.168.*.*, 10.0.0.0_8, 172.16.0.0/12"
22
33
44
55
attribute="22"
attribute="33"
attribute="44"
attribute="55"
*solera*
sol?ra
"solera"
attribute="*solera*"
attribute="sol?ra"
attribute="\"solera\""
Comma (AND) network management, file server, file transfer,
Line Break
(OR)
•
The system will automatically escape double quotation marks, backslashes, and other nonwildcard characters.
•
For other operators, nesting, or multiple attributes, use JSON formatting and import as a JSON
favorite.
65 of 206
Updated 4 Apr 2016
Favorites
JSON Formatting for Favorites
•
Define the favorites to import using JSON. The file should be UTF-8 encoded without BOM.
•
Imported favorites that have the name of an existing favorite will be renamed <Favorite> 2.
•
Valid values for attribute and value come from the primary filter.
•
Valid values for <operator> are equals (=), not equals (!=), less than (<), less than or equals (<=), greater than
(>), greater than or equals (=>), contains (~), not contains (!~). Format single-level favorites as follows:
{
"favorite_name_1":
[
"attribute_1<operator>value_1",
"attribute_2<operator>value_2"
],
"favorite_name_2":
[
"attribute_3<operator>value_3",
]
}
Nested JSON Favorites
To nest favorites, the lowest-level favorites must be defined first in the file, followed by the "container" favorite. The
container cannot reference favorites that already exist on the appliance. The following example creates four favorites:
three "subfavorites" and one "container" that includes the subfavorites.
{
"subfavorite_1":
[
],
"subfavorite_2":
[
],
"subfavorite_3":
[
]
"CONTAINER_FAVORITE":
[
"favorite=subfavorite_1", "favorite=subfavorite_2",
"favorite=subfavorite_3"
]
}
66 of 206
Updated 4 Apr 2016
Reports
R EPORTS
The Reports page present a detailed, filterable view of every kind of report. On the Summary page, double-click the
heading of a widget to open the report in the Reports screen.
•
Reports Screen Details
•
List of Available Reports
1 Report Summary Chart
2 Total [Unit] over Time histogram. Not available for packet-based (non-flow) reports.
3 Report comparison controls and advanced filter
4 Report results list
67 of 206
Updated 4 Apr 2016
Reports
Report Results List
The report results list is a table of the individual records as well as the bytes, packets, sessions, IP fragments, and
bad checksums associated with that record. (You can display the IP fragments and bad checksums by clicking the
column selector control.) The column values are shown as both an absolute number and as a percentage. Click on
any of the column headers to sort on the column value; click a second time to invert the sort order. To specify how
many rows to display at a time use the Results Per Page control at the bottom of the page. (Permanently set this
value by selecting [Account Name] > Preferences.)
Reports are limited to 100,000 rows.
When you change the sort topic or the sort order, the Report Summary and Total Sessions over Time charts are
updated to reflect the changed topic or order.
Active Reports Counter
Click the System Utilization icon in the upper-right corner of the UI to see how many reports are active.
This tally displays the total of the reports on this Reports page and of the report widgets on the Summary pages. PDF
and CSV reports are not included.
Compare Report Results
On the Reports page, you can compare the amount of change over time.
1. Select Analyze > Summary > Reports.
2. Select the desired view from the view selector.
3. Select Enable Report Comparison.
4. Optional — Select the unit of measurement to compare: Bytes, Packets, or Sessions.
5. Optional — The Comparison Time Range box displays the From and To times in the main timespan selector.
Expand the timespan control to select a timespan (last 15 minutes, last 60 minutes, etc.) or click the date/time to
specify another time.
6. The change over time is displayed both as the amount (Change column) and the percentage (Change %
column). The default sort order is Change in absolute values, with the greatest value first.
68 of 206
Updated 4 Apr 2016
Reports
7. The Total [Unit] over Time chart displays a line that represents the older timespan.
8. In the Selected Totals chart, change the display settings to Bar Chart or Column Chart to see the comparison
line.
Save Report Results
You can save report results to view later.
2. From the view selector, select the view to save.
3. Optional — Use the primary filter, timespan filter, and advanced filter, as desired.
4. Select Actions > Save.
5. Type a name for saved output (max. 300 characters).
6. Click Save.
7. Retrieve the saved results by selecting Analyze > Saved Results and clicking View Report
for that entry.
Export Reports
You can export basic reports in CSV or PDF format. (Compared results cannot be exported.)
2. From the view selector, select the view to export. Filter and modify the results as desired.
3. Select Actions > Download [PDF | CSV].
•
CSV file:
o
•
Follow the prompts to save deepsee-report.csv.
PDF file:
o
A message indicates that the generation of the report has begun.
o
Click the notification indicator at the upper-right corner of the web interface. The entry shows PDF
generation in progress.
o
When the process has completed, the status changes from Processing to Download. Click the entry and
follow the prompts to save deepsee-report.pdf.
69 of 206
Updated 4 Apr 2016
Reports
Available Reports and Report Widgets
The following reports and report widgets are available on the Blue Coat Security Analytics Platform. To see which
attributes are included in each report, see Report Attributes in the Security Analytics Platform Reference Guide on
bto.bluecoat.com.
Report Category
(Reports Page)
Report Name
Contents
Application
Application
Any one of the recognized applications
Application Group
Any one of the recognized application families
Email Recipient
Recipient email addresses
Email Sender
Sender email addresses
Email Subject
Email subject lines
Encrypt
SSL Common Name
Domain name of host, used to request SSL certificates
File Reports
File Name
File names
File Type
Pattern-based detection to approximate the file type transmitted
Email
‡
Geographical
Network Layer
Fuzzy Hash
Fuzzy hash of artifacts; data available only when hash-related data-enrichment
actions are active
MD5 Hash
MD5 hash of artifacts; data available only when hash-related data-enrichment
actions are active
MIME Type
MIME types of files transferred by mail and file-server applications
SHA1 Hash
SHA1 hash of artifacts; data available only when hash-related data-enrichment
actions are active
VoIP ID
Caller or call-recipient identifiers
Country Initiator
Country of sending device
Country Responder
Country of responding device
DNS Query
DNS queries
Ethernet Address Vendors
Vendor name of the MAC address NICs
ɸ
Ethernet Destination
MAC address of packet recipient
ɸ
Ethernet Destination Vendors Vendor names of the destination NICs
Ethernet Initiator
MAC address of session initiator
Ethernet Initiator Vendors
Vendor name of initiator NICs
Ethernet Protocol
Layer 3 protocol (IPv4 or IPv6)
Ethernet Responder
MAC address of session responder
Ethernet Responder Vendors
Vendor name of the responder NICs
ɸ
Ethernet Source
MAC address of packet sender
ɸ
Ethernet Source Vendors
Vendor names of the source NICs
Interface
Interface the data was captured on
70 of 206
Updated 4 Apr 2016
Reports
Report Category
(Reports Page)
Persona
Report Name
Contents
IP Bad Checksums
Bad IP checksums in the sessions
IP Fragments
Fragmented IP packets in the sessions
IP Protocol
IP protocols used
IPv4 Conversation
IPv4 addresses of both hosts in a session; includes complete session
IPv4 Initiator
IPv4 addresses of hosts that initiated a session
IPv4 Port Conversation
IPv4 addresses and ports of both hosts in a session; includes complete session
IPv4 Responder
IPv4 addresses of hosts that answered a session request
IPv6 Conversation
IPv6 addresses of both hosts in a session; includes complete session
IPv6 Initiator
IPv6 addresses of hosts that initiated a session
IPv6 Port Conversation
IPv6 addresses and ports of both hosts in a session; includes complete session
IPv6 Responder
IPv6 addresses of hosts that answered a session request
Machine ID
The combination of two values: NetBIOS Caller and LLMNR
ɸ
The length of the packets captured
Port Initiator
Port of sending application
Port Responder
Port of responding application
Size in Bytes
Number of bytes in the session
Size in Packets
Number of packets in the session
TCP Initiator
TCP port of initiating application
TCP Responder
TCP port of responding application
Tunnel Initiator
IPv4 or IPv6 of the GRE tunnel initiator
Tunnel Responder
IPv4 or IPv6 of the GRE tunnel responder
UDP Initiator
UDP port of initiating application
UDP Responder
UDP port of responding application
VLAN ID
Virtual LAN ID
Password
Cleartext passwords
Social Persona
Nicknames, logins, or account names for social networking applications and
sites

Threat Intel
Packet Length
User Name
User names that are identified by the Login Correlation Service
* FileThreat BLADE — File
Analysis
Degree of risk (very low to very high) or unknown for files extracted from the FTP,
SMB, and TFTP protocols.
§
FileThreat BLADE —
Malware Analysis
Verdicts returned by the Malware Analysis Appliance.
Local File Analysis
Unknown or Known Bad verdicts from local resources
* Local URL Analysis
Verdicts assigned by a local copy of the WebPulse database
71 of 206
Updated 4 Apr 2016
Reports
Report Category
(Reports Page)
Web
Report Name
Contents
* Local URL Categories
Categories assigned by a local copy of the WebPulse database
* MailThreat BLADE — File
Analysis
Degree of risk (very low to very high) or unknown for files extracted from the SMTP,
IMAP, and POP3 protocols.
§
MailThreat BLADE —
Malware Analysis
* WebThreat BLADE — URL
Analysis
Verdicts generated by the live Global Intelligence Network
* WebThreat BLADE — URL
Categories
Categories assigned by the live Global Intelligence Network
* WebThreat BLADE — File
Analysis
Degree of risk (very low to very high) or unknown for files extracted from the HTTP
protocol.
§
WebThreat BLADE —
Malware Analysis
Database Query
Raw queries submitted to database applications
HTTP Code
HTTP status codes, e.g., 404 (not found), 500 (internal server error)
HTTP Content Disposition
For MIME entries, specifies the presentation method of the file: inline or
attachment. The values for this report will always be URL-encoded.
HTTP Forward Address
Originating IP address of a client that connects to the Internet through a proxy or
load-balancer
HTTP Method
Such as GET, PUT, POST
HTTP Server
Server names such as google.com, apple.com
HTTP URI
The full HTTP request, e.g., http://www.google.com/search?q=Solera+Networks
Referrer
The web page that referred the current web page
SSL Certificate Serial Number
The serial number of an SSL certificate, displayed as 0x123456789abcde
TLS Heartbeat Mismatch
Whether a session contains a heartbeat reply message that is not equal in length
to a heartbeat request message
TLS Heartbeat Attack Attempt Whether a session contains an unencrypted heartbeat request message-length
field that does not match the TLS record length field
User Agent
Client applications that implement a network protocol
Web Query
Raw queries submitted to search engines
Web Server
Type of web server, e.g., Apache, IIS, nginx
* Data for this report is available only if you have a subscription for the corresponding ThreatBLADE.
§
Data for this report is available only if you have a Malware Analysis Appliance as well as the ThreatBLADE subscription.

Data for this report is available only if you are running the Login Correlation Service.
ɸ
Data for this packet-based report is available only for data captured previous to version 7.1.5.
‡
By default, the fuzzy hash is not calculated for microextractions. To enable fuzzy-hash calculation, edit the following value in /etc/solera/extractor/extractord.conf:
calc_fuzzy_hash=1
72 of 206
Updated 4 Apr 2016
Reports
73 of 206
Updated 4 Apr 2016
Reports
Scheduled Reports
You can set up reports to be run at predetermined times on a regular basis. These reports are sent to specified email
accounts.
Prior to receiving scheduled reports, you must configure SMTP settings.
1. Select Analyze > Scheduled Reports.
2. Click New.
3. For Name, specify a unique name for the schedule. This name will be the filename of the report.
4. For Recipients, type one or more email addresses to receive the reports.
5. For Output Format, select PDF or CSV.
6. Specify whether the scheduled report is to be shared. (A shared report can be edited by all of the authorized
users on the appliance; however, the reports will be sent only to the accounts that are specified in the Recipients
field.)
How often will the report run?
7. Select the tab that represents the frequency of the report to be run and set the parameters.
•
In the Hour fields, 00 = midnight.
•
For Custom, you can select multiple values for Months, Weeks, and Days.
•
The value in [x] Week of the Month is defined according to ISO 8601 conventions, which means that the
week in which the first day of the month appears is the first week, even when the first day falls on a
weekend.
What is on the report?
8. For Report Type, select one of the available report types. Begin typing to skip to the report name.
9. Optional — For Filter, type filter attributes and values to apply. Begin typing to get suggestions.
The attributes for imported PCAPs — interface=imptX and import_id=Y — are not valid for this field
unless you selected Once Only for the timespan.
10. For the report timespan, select whichever option is available:
•
Standard Range — Select the amount of time to be included in the report. The time is calculated
backwards from the time the report will run. For example, if you schedule a report to run daily at 13:00 and
you specify a range of 2 hours, the report will contain data from the two hours previous to 13:00, i.e., 11:00 to
13:00.
•
Custom Range — Specify the timespan.
11. Click Save. The scheduled report is displayed in the Scheduled Reports list.
74 of 206
Updated 4 Apr 2016
Summary Views
S UMMARY V IEWS
The Security Analytics Platform Summary views are collections of report widgets on a single page. Report widgets
are discrete graphical elements that summarize data according to selected criteria. A collection of widgets can then
be run against a user-selected time period and a user-defined set of filters.
See Summary Page for a description of all its elements.
Report Widgets
While the data is still loading for the Summary page, you may click the red Stop Reports button
from processing.
to stop the data
Included on the Security Analytics Platform are report widgets that correspond to the Available Reports.
Select a summary view from the view selector.
Use the edit
control to change the name, share the view, or specify a new view as the default.
75 of 206
Updated 4 Apr 2016
Summary Views
Create a Summary View
You can create a new summary view from a blank view, or you can modify an existing view.
1. Select Analyze > Summary.
2. Click the view selector and select Add New View.
3. Type a name for your new view.
4. Optional — Select Use flow-based columns to permit the report widgets to adjust to the available width of the
window. Clearing this check box forces the report widgets to stay in a fixed-grid location.
5. Optional — Select Shared to share the view.
6. Optional — Select Duplicate Existing View? to select a view to duplicate for the new view.
7. Optional — Select Set as default to make this the default view.
8. Click Save. You get a blank summary screen and the Add/Edit Widgets dialog box is displayed.
9. Select one or more report widgets from the Available Reports list and add them to the Selected Reports list.
•
The more report widgets in a view, the longer it takes to load the view.
•
Application Group includes the Application Group and the Application Group over Time
widgets.
10. Click Add/Edit Widgets.
Report Widget Controls
To reveal the report widget controls, place your cursor over the widget header.
1
Move Widget
2
Widget Settings
3
Delete Widget
76 of 206
Updated 4 Apr 2016
Summary Views
1
Field — Sort-by field and unit of measure Bytes, Packets, Sessions, IP
Fragments, Bad Checksums.
2
Order — Ascending, Descending
3
View — Table, Pie, Column, Bar
4
Resolution — Slide the selector
The settings affect only this report widget in this view. If this report widget is present in other views,
the settings for those views will be not changed.
Application Group Widgets
Two widgets — Application Group and Application Group over Time — are different from the other widgets; user
configuration is limited to session-resolution settings. The Application Group widget has Bytes, Packets, and
Sessions columns. The Application Group over Time widget is a histogram of the Application Group widget. Place
your cursor over a data point to see the details.
When adding widgets to a view, selecting Application Group adds both the Application Group and
the Application Group over Time widget to the view.
Apply Filters to Summary Views
To apply a filter to a summary view, see Primary Filters or Favorites.
77 of 206
Updated 4 Apr 2016
Summary Views
Save the Output of a Report View
The output of a summary view can be saved on the appliance and is accessed by selecting Analyze > Saved
Results.
1. Select Analyze > Summary and select the desired view.
2. Add, delete, and modify the report widgets as desired. Add any filters that you want.
3. Click Save in the upper-right corner of the interface.
4. Type a name for the saved output (max 300 characters).
5. If you click Save before the system has finished processing the data, you have the option to:
•
Save and Stop — Save only the data that was processed before you clicked Save and Stop.
•
Save and Continue — The save operation will continue until all data is processed.
6. If you click Save after Status shows Finished (100%), all of the results are saved.
7. Retrieve the saved results by selecting Analyze > Saved Results. There is a separate report entry for each
widget.
8. Click View Report
to see the report in the Reports (not Summary) view.
78 of 206
Updated 4 Apr 2016
Summary Views
Session Resolution
In the Summary, Reports, and Geolocation views, the session resolution indicator is located on the status bar. The
purpose of this feature is to limit reports to a subset of data, which allows quicker display of data.
If you cannot see the session-resolution indicator, select [Account Name] > Preferences and clear the Use packetbased reports and filters check box.
Adjust Session Resolution
1. Click the session resolution value for the view.
2. Slide the indicator to the percentage of data that you want to view.
79 of 206
Updated 4 Apr 2016
Reindexing
R EINDEXING
During periods of heavy network activity, the system may not be able to index every packet as it is written to the capture
drive. During periods of lower activity, the system returns to the unindexed packets on the capture drive and
attempts to finish indexing them.
On the Status bar, the total amount of data in the flows is indicated. If the system has not been able to finish indexing
all of the packets, the
icon is displayed. Click the icon to see how many flows remain to be indexed.
Click Give Priority to This Timespan to move the unindexed flows in the current view to the top of the reindexing
queue.
On Capture > Summary, select View > Classification Discards to see the rate at which packets are not immediately
indexed.
As soon as a flow has been indexed, it is examined by the actions engine. If the flow matches an
action, the flow will be processed according to the action.
To see reindexing jobs, select Capture > Summary > Actions > Reprocess. Reindexing jobs show 1 in the
Command column.
Also see Reprocessing.
80 of 206
Updated 4 Apr 2016
Geolocation
G EOLOCATION
The Blue Coat Security Analytics Platform provides "geolocation," which is a representation of a host location on a
world map.
Select Analyze > Summary > Geolocation to view the geolocation report.
The Report Summary panel displays a geographic representation of the filtered data. By default, the map is centered
on the Greenwich meridian at the equator (0 lat, 0 long).
The geographic location of every IP address is identified by a dot on the map. The size of the dot indicates amount of
data transferred to or from that geographical area, and the saturation of the color indicates the concentration of
markers, i.e., darker dots indicate that, upon zooming in on that location, you will see multiple markers.
A large dot in the ocean beside Western Africa (0 lat, 0 long) is the marker for those IP addresses whose geographic
location cannot be determined.
Geolocation can locate only IP addresses that have location information in the MaxMind databases.
Map Navigation
Use the controls in the upper-left corner to zoom and center the map.
Press Shift and drag your cursor to select
a specific area of the map to enlarge. The
results will change to list only the results
that are in the view.
To return to the full view, click the globe
icon.
81 of 206
Updated 4 Apr 2016
Geolocation
Place your cursor over a dot to see how
many IP addresses and how much traffic is
associated with that location.
To save the view (the magnification and
area), select Save Current Map as View.
Fill in the fields as desired and click Save.
The view is now available from the view
selector.
Results List
Click a location to see all of the IP addresses that
are associated with that location.
The locations in the list will be as specific as
possible. A general item such as “United States”
contains all of the IP addresses in the U.S. for
which a more specific location could not be
found. It is not the total of all U.S. IP addresses.
82 of 206
Updated 4 Apr 2016
Geolocation
Saving Geolocation Results
1. To save the results, click Actions > Save.
2. Give the results a name and click Save.
3. Retrieve the results from Analyze > Saved Results. Click View Report
Conversation report.
to open the results as an IPv4
Notes on the Accuracy of Geolocation Data
•
Geolocation can identify only the server location, not a specific device.
•
Routing randomization with services such as Tor° or Onion may produce unreliable geolocation data.
•
IP addresses can be spoofed with readily available technology.
Geolocation Settings
Select Settings > Geolocation to open the Geolocation page. On this page you can view and specify values used
when examining the geographic location of connections. These include internal subnets, Google Earth country
colors, and MaxMind city databases.
Internal Subnets
Use the Internal Subnets controls to specify the geographic location of an internal subnet (or multiple subnets). This
marks all the traffic on that subnet as occurring at a single location.
By definition, internal subnets do not have an externally knowable geographic location and by default are located at
0 latitude, 0 longitude (this places them in the Atlantic Ocean, slightly south and west of Nigeria). Use the Internal
Subnets feature to specify where your subnets are located on the world map.
example
A company has offices in New York, Vancouver, and Tokyo. Their network IPs are 10.1.0.0/16 for New York, 10.2.0.0/16
for Vancouver, and 10.3.0.0/16 for Tokyo. Without setting the internal subnet values, they would all appear at 0,0 on the
map. With the Internal Subnets feature, the subnets appear in their proper locations.
83 of 206
Updated 4 Apr 2016
Geolocation
Specify Geographic Locations for Internal Subnets
1. Select Settings > Geolocation.
2. Under Internal Subnets, select the Enable Internal Subnets check box.
3. Type the IP address for the subnet using a CIDR notation that includes zeroes, e.g., 192.168.0.0/16.
4. Type the latitude and longitude for the subnet.
5. Type a label for the subnet.
The label that you specify can be anything you want; it will be displayed in the data table and when
users place their cursors over the dot on the map.
6. To specify additional internal subnets, click add a new subnet.
Geolocation Filters
The Advanced Filter control in the Results panel allows you to easily and rapidly apply additional filtering to the report
data.
To apply an advanced filter, click the Add a Filter box and select the filter term you want to use. To apply a primary
filter, follow these steps:
1. Select Analyze > Summary > Geolocation.
2. In the Results panel, under Location, click the city name that you want to look at. The item expands, displaying a
list of the IP addresses associated with that geographic location.
3. Click the IP address to examine.
4. For each IP address to add as a filter, click Add to Filter Bar > As [attribute] > [Equals | Not Equals]. The filter
is added to the filter bar.
•
If you click Add to Filter Bar only, the filter ipv4_address="x.x.x.x" is added to the filter bar.
5. When you have finished adding filters, click Update.
84 of 206
Updated 4 Apr 2016
Geolocation
MaxMind City Databases
The system can use either the free (GeoLite° City) or paid (GeoIP° City) versions of the MaxMind City Databases. For
more information on these databases, visit www.maxmind.com.
•
Once a MaxMind City database is uploaded, it cannot be removed.
•
Download the database from the MaxMind site in GZ (GZIP) format.
•
MaxMind releases a new free database every month and a new paid database every week. You must upload
these updated versions manually.
2. Under Upload MaxMind City Database, click Browse.
3. Locate and select the database file.
4. Click Upload. This uploads the database to the Security Analytics Platform, and it is immediately available for
geolocation.
Google Earth
Use the Google Earth settings to control the default color used for markers and routes in Google Earth, enable and
disable the display of routes, and set the color used for transactions that start or end in a country.
Google Earth can color the routes to captured IP addresses differently from the defaults or those of a different
country.
2. Under Google Earth Country Colors, do the following:
•
Click the color swatch for Default Color to change the pin color.
•
Select Enable Routes.
•
Select Enable Country Colors.
3. If you selected Enable Country Colors, select a country.
4. Click the Color swatch to open the color picker.
5. Specify the color and click Select.
6. To specify colors for additional countries, click add a new color.
7. Click Save.
Google Earth Files (KML, KMZ)
KMZ files are compressed KML files.
1. On any Analyze page, select Actions > Google Earth.
2. Select Save File and click OK.
3. The KMZ file is saved to your downloads directory.
4. To display KMZ and KML files, open them in the Google Earth application.
85 of 206
Updated 4 Apr 2016
Packet Analyzer
P ACKET A NALYZER
Select Actions > Analyze Packets from any Analyze view (Summary, Reports, Extractions, Geolocation) to see the
data in an interface similar to Wireshark’s.
By default, the Packet Analyzer will load only the first 1000 packets of the specified PCAP. As you scroll down to
packet number 1001, Packet Analyzer will automatically load the next 1000 packets onto the screen. (For reference,
the PCAP path is displayed at the top of the window.) It is recommended that you not load more than 10,000
packets to avoid performance degradation.
Packet Analyzer Filters
The Packet Analyzer filter uses the same syntax as Wireshark° display filters. Type the desired filter string in the space
provided and click Apply Filter. For more examples and information, see wiki.wireshark.org/DisplayFilters.
Action
Filter Syntax
Show only SMTP (port 25) and ICMP traffic.
tcp.port eq 25 or icmp
Show packets originating from 192.168.0.0 and destined for 172.16.0.0.
ip.src == 192.168.0.0/16 and ip.dst ==
172.16.0.0/12
TCP buffer full — Source is instructing Destination to stop sending
data.
tcp.window_size == 0 &&tcp.flags.reset != 1
Filter on Windows — Filter out noise, while watching Windows
Client/DC exchanges.
smb || nbns || dcerpc || nbss || dns
Match packets that contain the 3-byte sequence 0x81 0x60 0x03
anywhere in the UDP header or payload.
udp contains 81:60:03
Match HTTP requests where the last characters in the URI are the
characters gl=se.
http.request.uri matches "gl=se$"
The $ character is a PCRE punctuation character that matches the
end of a string, in this case the end of the http.request.uri field.
86 of 206
Updated 4 Apr 2016
Packet Analyzer
Packet List
The Packet List pane has 8 columns and as many rows as needed to show the data being analyzed. You cannot
change the columns, the sort order, or the colors. The default columns show the following data:
No. The number of the packet in the capture file. This number will not change even when a filter is used.
Time The timestamp of the packet. The presentation format of this timestamp cannot be changed.
Source The IP address of the packet’s origin
Src Port The port of the packet’s origin
Destination The IP address of the packet’s destination
Dst Port The port of the packet’s destination
Protocol The protocol name in a short (perhaps abbreviated) version
Info Additional information about the packet content
Packet Details
The Packet Details pane shows the selected packet in a detailed form that explicitly identifies the packet’s protocols.
Click a protocol to see details.
The following two protocol fields are displayed in a particular manner:
•
Generated fields — The packet analyzer generates additional protocol fields that are enclosed
by brackets. The information in these fields is derived from the known context to other packets
in the capture file. For example, if the Packet Analyzer is doing a sequence/acknowledge
analysis of a TCP stream, these will be displayed in the [SEQ/ACK analysis] fields of the TCP
protocol.
•
Links — If the Packet Analyzer detects a relationship to another packet in the capture file, it will
generate a link to that packet. Links are blue and underlined.
Packet Bytes
The Packet Bytes pane shows the data of the selected packet in a standard hex-dump style. As is usual for a hex
dump, the left column shows the offset, the middle columns show the data in hexadecimal, and the right column
shows the corresponding ASCII characters.
87 of 206
Updated 4 Apr 2016
BlackBox Recorder
B LACK B OX R ECORDER
This feature is available in preview mode only. Contact Security Analytics Support for more
information.
The BlackBox Recorder is a Blue Coat Security Analytics Appliance that functions similarly to a black-box recorder on
an airliner: it quietly captures all network events until a security incident requires that you "break the glass" to view its
contents.
When the BlackBox Recorder is in "lights-out" mode, you have access only to the controls that permit capture and
appliance security. When the BlackBox Recorder is activated, the full range of analytical tools is made available for a
limited time, as specified by your custom license.
88 of 206
Updated 4 Apr 2016
Extractions
E XTRACTIONS
The Blue Coat Security Analytics Platform extracts and reconstructs many file types so that you can see accurate
copies of the images, web pages, and documents that have been transported across your LAN.
•
Prior versions of the Security Analytics Platform used signature-based extraction to produce
artifacts. Beginning in version 7.1, extraction is protocol-based.
•
With version 7.1.6, Security Analytics Platform can extract artifacts from unknown protocols
(application_id=unknown) but only as long as signature-based extraction is enabled to run in
parallel with protocol-based extraction. As a result, signature-based extraction (on Settings >
System) is now enabled by default.
Artifacts are now extracted from the following protocols:
•
HTTP
•
TCP
o
SIP
o
Jabber
•
TFTP
o
MGCP
o
MSN
•
Telnet
o
RTP
o
PalTalk
•
SMB
o
RTCP
o
QQ Transfer
•
FTP
o
AIM
o
Second Life
•
FTP-Data
o
AIM Express
o
Teamspeak v2
•
Email Protocols
o
AIM Transfer
o
Yahoo Messenger
o
POP3
o
Badoo
o
o
IMAP
o
eBuddy
Yahoo Web
Messenger
o
SMTP
o
Facebook
VoIP Protocols
o
Google Chat
o
IRC
•
o
SIP
o
MGCP
o
RTP
o
RTCP
•
IM Protocols
•
IM Protocols (cont.)
For a list of artifact types that are extracted from these protocols, see "Identifiable File and MIME
Types" in the Security Analytics Platform Reference Guide on bto.bluecoat.com.
89 of 206
Updated 4 Apr 2016
Extractions
MIME-Type Display
You can specify which method determines the file type of an artifact: Select [Account Name] > Preferences:
•
Artifact MIME-Type Display — Specify the method for the extractor to determine the file type:
o
MIME — Use the value in the Content-Type field of the HTTP or email header, else return unknown.
o
Magic — Use the embedded magic number or file signature, else return unknown.
o
Derived — If both MIME and magic values are present, use internal logic to determine the most likely file
type.
Artifacts
Artifacts are objects such as Microsoft Word files, executables, and web pages. Extraction is performed automatically
as part of the capture operation, and the results are visible on the Extractions pages.
When an artifact is transferred via HTTP or email, the MIME type is specified in the header ("presented" in system
nomenclature). If it differs from the file type that the system "detects," using the magic number or file signature, the
value in the Type column is shown in red text. You can also use the file_type_mismatch attribute in the advanced filter to
find all such artifacts.
90 of 206
Updated 4 Apr 2016
Extractions
Click an entry in the Results list to see additional information about the artifact.
1 HTTP response code
4 Actions
2 MD5 and SHA1 hash values
5 HTTP method
3 Fuzzy hash value
6 MIME type
A set of actions along the bottom provides the following functionality:
Preview
See Artifact Preview
Download
Download the artifact in its native format, as a ZIP file,
or as PCAP(NG)
Analyze PCAP
View all artifact packets in the packet analyzer
Explore Root Cause
See Root Cause Explorer
Reputation
View reputation-service information
SMB Artifacts
For artifacts transmitted over SMB, an extra field is displayed.
SMB Fragment displays whether the artifact is a known SMB fragment (true). To display SMB fragments, go to
Settings > System and select the Display SMB fragments check box.
91 of 206
Updated 4 Apr 2016
Extractions
HTTP POST Payloads
For HTTP POSTs, the payload has a separate entry from the original POST and is displayed below it.
The payload artifact does not display an HTTP method or the HTTP response icon.
Click Show Payload to see a separate artifact entry for the payload.
VoIP Extractions
VoIP artifacts are presented slightly differently than other artifacts. Each side of the conversation is extracted
separately as an RTP media stream (MIME type: audio/x-raw). It is then merged into a new VoIP call entry (MIME type:
audio/x-voip). The SIP call entry is displayed by itself and then with the two separate streams in different entries.
92 of 206
Updated 4 Apr 2016
Extractions
When previewing the call, you can select the OGG or WAV format, you can download the separate streams as RAW
files, or download the merged call as OGG, WAV, PCAP, or PCAPNG.
Save Extractions and Artifacts
You may save the extraction results at any time, even if the extraction process for that view is not complete.
1. Open an Extractions page and apply any desired filters.
2. Select Actions > Save.
3. Type a name for the results.
4. If you click Save before the extraction process is finished, you are provided with two options:
•
Save and Stop — Everything that was extracted until you click Save and Stop will be saved.
•
Save and Continue — The save operation will continue until the extraction process is completed.
5. If you click Save after Status shows Finished (100%), all of the results in the view will be saved.
6. Click Save.
7. Go to Analyze > Saved Results to retrieve the extraction.
Save Multiple Extraction Items
1. Open an Extractions page and apply any desired filters.
2. Select the check boxes for the artifacts to save.
3. In the left panel, under Selected Actions (X), click Download Artifacts and follow the prompts to save the
artifacts to your workstation in a ZIP file.
Cancel an Extraction
While an extraction is running, you can cancel it without saving the results.
1. Select Actions > Stop Extraction. A few minutes may elapse before the extraction stops completely.
2. When the extraction has fully stopped, the status will show Canceled 100% regardless of how much data was
processed.
3. Optional — Select Actions > Save to save the data that was extracted before the process was canceled. After
you have saved the data, you may restart the extraction by selecting Actions > Rerun.
Artifact Preview
See Artifact Preview.
93 of 206
Updated 4 Apr 2016
Extractions
Root Cause Explorer
The root cause explorer presents the chain of referrers for a given artifact.
1. To view referrer URL information, select Analyze > Summary > Extractions.
2. Click an artifact.
3. If there is a value in the Referrer field, click Explore Root Cause. The system will display the referring artifact. If
that artifact also has a referrer, that artifact will be displayed as well, until no more referrers are found. All of the
referrers must be in the same extraction session (same timespan and filters) for the referrer to be included.
Artifacts Timeline
The Artifacts Timeline view displays the distribution of artifacts across time.
•
You can view the timeline by initiator/responder IP or port or by file type.
•
Click the artifact or [X] Artifacts to see more information.
•
Once you have selected an individual artifact, you can view it the same way as a single artifact.
Email Extractions
The Email view provides information about email messages (EML) and their attachments. If an attachment is included
in an email, it can be exported.
The Security Analytics Platform extracts only non-encrypted email messages.
•
Click View Preview to see the email.
•
Click the attachment to select the file-type for download.
•
Click View Attachment Details to see more information.
94 of 206
Updated 4 Apr 2016
Extractions
IM Conversations
The IM Conversations view displays a list of IM conversations.
The Security Analytics Platform extracts only non-encrypted IM conversations.
IM Conversation Preview
1
Participant list, including avatars
2
Click to view more about each participant
3
Conversation details
4
Date of capture, e.g., date the PCAP file was imported or the conversation was
captured
5
Click to hide or show status changes
6
Conversation date
Media Panel
The media panel displays thumbnails of captured image, audio, and multimedia files. By default, images that are
smaller than 2 Kb are not displayed.
1. Under Filter Results, you can select one or more image or audio file types.
2. Use the Advanced Filter to narrow the search.
3. Preview small, medium, or large thumbnails.
4. Place your cursor over a thumbnail to see a summary of its attributes (URL, source/destination IP, file size, MIME
type). Click the thumbnail to see the image's actual size.
5. For audio files, click to launch an audio player for the file.
95 of 206
Updated 4 Apr 2016
Extractions
Artifact Preview
The Preview function provides the following views, according to the artifact type:
•
Image — The actual image: GIF, BMP, PNG, etc.
•
HTTP Headers — Request and response headers
for the artifact
•
Email — The actual email message
•
Web Page — The HTML document, with or
without graphics, style sheets, and JavaScript°
•
Strings — Output of the strings command
•
File Info — Output of the file command
•
Text — The plain text or formatted code,
including FTP and Telnet sessions
•
Audio — Audio player for VoIP calls.
•
•
Hex — Hex dump of the plain text
EXIF — The Exchangeable Image File data for
JPG/JPEG files
•
jsunpack-n — The jsunpack-n results
Image
The Image preview shows the actual image.
Email
The Email preview displays the email message in HTML format.
96 of 206
Updated 4 Apr 2016
Extractions
Web Page
Preview for text/html displays the stripped-down web page.
Click View Options to add other elements (images, cascading style sheets, scripts) to the view.
•
Captured Data — Retrieve elements from data on your capture drive.
•
External — Retrieve elements from the Internet.
•
When you view scripts (captured or external), you risk infecting your system with any malware
in the scripts.
•
To prevent the importation of external images, stylesheets, and scripts during HTML preview,
select Settings > Web Interface and clear the Enable External HTML Elements Preview check
box.
•
Click View Page Elements to see a list of images, CSSs, and scripts that are included in the web page.
•
Click Download Artifact to save the HTML page (but not the page elements).
Text
The text view presents the artifact in plain text. If the text consists of code, you can select one of the Syntax
Highlighting options to produce an easy-to-read version.
Syntax Highlighting Options
ActionScript°3
CSS
HTML
JavaFX°
Ruby
Bash/Shell
Delphi
HTML Formatted
Perl°
Scala
ColdFusion
Diff
JavaScript
PHP
SQL
C#
Erlang
JS Formatted
Plain Text
Visual Basic°
C/C++
Groovy
Java
Python
XML
97 of 206
Updated 4 Apr 2016
Extractions
When the text consists of obfuscation-encoded characters such as BASE-64 or URL, you can decode the text by
copying the text and selecting [Account Name] > Encoder/Decoder Tool.
For FTP sessions, the Text preview shows the sequence of events .
For Telnet sessions, the Text preview (HTML Formatted) displays the messages with <server> and <client> tags.
98 of 206
Updated 4 Apr 2016
Extractions
Hex
The Hex view displays a conventional hex dump of the text.
HTTP Headers
The HTTP Headers view presents the HTTP request and response headers for the artifact, e.g., GET, POST, error
codes, cookies.
In the results list, place your cursor over the icon to see the HTTP response code, if any.
99 of 206
Updated 4 Apr 2016
Extractions
Strings
Results from the Strings command.
File Info
Results from the File command, such as the artifact filename, file modification date/time, application version, flags,
and so on.
The filename of an artifact consists of the following underscore-delimited values:
•
Hostname of the appliance that captured the artifact.
•
Time of capture, expressed as <YYYY-MM-DD>T<hh:ii:ss>-<timezone>
•
Source and destination IP addresses and ports
•
MD5 hash of the artifact
100 of 206
Updated 4 Apr 2016
Extractions
Audio
For VoIP extractions, an Audio view is presented. Click to play the full conversation.
The filename of an artifact consists of the following underscore-delimited values:
•
Hostname of the appliance that captured the artifact.
•
Time of capture, expressed as <YYYY-MM-DD>T<hh:ii:ss>-<timezone>
•
Source and destination IP addresses and ports
•
MD5 hash of the artifact
EXIF
For JPG/JPEG files, you can view the embedded EXIF information.
101 of 206
Updated 4 Apr 2016
Extractions
jsunpack-n
On the jsunpack-n view, you can see the results from jsunpack-n. In most cases, there is no JavaScript inside the
artifact, so it will return [nothing detected] and info: [0] no JavaScript.
For JS, PDF, HTML, and SWF files, the process will usually return more details. The phrase [nothing detected] means that
no malicious code was found. The error messages shown in the figure above are generated by the script as it
attempts to access data and variables in other files; they are not an indication that the file has been corrupted.
A corrupted file will designate elements as "malicious" or "suspicious":
102 of 206
Updated 4 Apr 2016
Data Enrichment
D ATA E NRICHMENT
Use data enrichment (also called "real-time extraction" or "micro-extraction") to send selected artifacts and data flows
to external sources for analysis. Among the external resources are:
•
Blue Coat ThreatBLADES
•
Analysis Providers
•
Reputation Providers
•
Integration Providers
Also see Data-Enrichment Process.
Query Types
The Security Analytics Platform supports two kinds of reputation query:
•
On Demand — On-demand queries are performed when the user views information from the reputation providers.
•
Data-Enrichment Action — The user creates a data-enrichment action, wherein matching traffic is
automatically sent to one or more enrichment providers.
Activate a Data-Enrichment Resource
Data-enrichment resources must be licensed before they can be activated. Contact Security Analytics Support to
purchase a Blue Coat ThreatBLADE or Malware Analysis Appliance subscription. The Third Party On-Demand
Reputation Providers are licensed by default; licenses for the Third Party On-Demand Integration Providers are the
responsibility of the user.
1. Select Settings > Data Enrichment.
2. In the Actions column, click a deactivated icon
to activate that resource.
Create a New Data-Enrichment Action
1. Select Analyze > Actions.
2. Click New. The New Action dialog box is displayed.
•
Name — Type a name for the data-enrichment action.
•
Favorites — Type the name of one or more existing favorites, or create a new favorite.
•
Type — Select Data Enrichment.
•
Send to — Select one or more data-enrichment resources. The options for this field are derived from the
items on the Data Enrichment Settings page.
•
You can select a resource that is not active or licensed, but the action will not produce a result
until the resource is activated.
•
For data-enrichment actions, the importance level (critical, warning, notice) will be determined
by the score that the resource provides.
103 of 206
Updated 4 Apr 2016
Data Enrichment
•
Shared — Select to make the action available to everyone who has access to this appliance.
•
Remote Notifications — Select one or more remote-notification types. You may select the default template
or configure a template on Settings > Communication > Templates. If you have not already done so,
configure the appropriate server(s).
o
•
SMTP — Optional — Specify email accounts to receive the alert notifications.
Endpoint Providers — Select to send endpoint data to endpoint analysis providers.
3. Click Save.
•
When using data enrichment, it is recommended that you create capture filters for all capture
interfaces to exclude traffic to or from eth0, i.e., (!ifname eth0); otherwise, you will capture
duplicate traffic as the artifact is exported from the Security Analytics Platform appliance to the
external resource.
•
Consult Security Analytics Platform Ports and Protocols to configure your network firewalls for
data-enrichment traffic.
Exclude from Lookup
You can specify IP addresses and domains to exclude from lookup under Settings > Data Enrichment > Exclude
from Lookup.
This setting applies only to providers that evaluate URLs, such as WebThreat BLADE URL and
VirusTotal URL.
•
For IP Subnets, type those IP addresses that you want to exclude. Use CIDR notation without zeros, e.g.,
specify 127.0.0.0/8 as 127/8.
•
For Internal Domains, type domain names to exclude. Use the asterisk (*) as a wildcard, as needed.
•
Type each entry on its own line.
104 of 206
Updated 4 Apr 2016
Data Enrichment
Data Enrichment Mode
Under Settings > Data Enrichment > Data Enrichment Mode, indicate the method by which this appliance is to
connect to the Blue Coat Global Intelligence Network.
•
Query Local Database — The appliance does not connect to the Internet; resources such as Local File
Analysis and the WebPulse database may still be used.
•
Query Global Intelligence Network — The appliance has a connection to the Internet. If the appliance
connects to the Internet via a proxy, configure the proxy on Settings > Network.
The ThreatBLADES require the Query Global Intelligence Network setting.
•
Also see Local File Analysis.
Data Enrichment File Types
To prevent data enrichment from being overloaded, you can select which MIME types to send through or exclude
from the process under Settings > Data Enrichment > Data Enrichment File Types.
Select the check boxes of the file types to send to data enrichment. To see which XFTYPEs are included in each category,
click More Information.
The Data Enrichment File Types settings do not affect Local File Analysis or FTP File Mover. To
control file types that are sent to those two providers, create actions.
105 of 206
Updated 4 Apr 2016
Data Enrichment
Data Enrichment Alerts
When an artifact matches the favorite(s) that is specified by the action, the artifact is subjected to the selected
action(s), and an entry appears in the Analyze > Alerts list.
example
The following example demonstrates data-enrichment alerts from the WebThreat BLADE.
1. On Settings > Data Enrichment, activate the WebThreat BLADE by clicking its activation icon.
2. When a response is returned from the WebThreat BLADE, a "parent entry" is displayed on Analyze > Alerts >
List. The scores are displayed as child entries to the parent. The scores are displayed next to the favorite that
triggered the alert.
to open the Summary page in a new tab with the artifact's unique flow_id in
•
Click View Report Summary
the filter bar.
•
Click View Artifacts
same flow_id.
to open the Extractions page in a new tab that displays the artifacts from in the
•
Click the minus icon
to hide the child entries.
•
Malware
•
From cache
indicates that the verdict came from the cache instead of being produced directly by the
data-enrichment resource.
•
Click Go to [ MAA/profile]
•
Click Reputation Report
, File
, and URL
indicate which type of item triggered the alert.
to open the report page for the detonation.
to view more about the verdict.
106 of 206
Updated 4 Apr 2016
Data Enrichment
•
The Reputation Report displays any information that the data-enrichment provider returned.
•
If a query does not return a result, a parent entry is not displayed in the Alerts List.
•
Alerts appear in reverse-chronological order according to the newest child entry.
•
After you add or edit actions, you can run data enrichment again on selected timespans.
107 of 206
Updated 4 Apr 2016
Actions
A CTIONS
Use actions to trigger a process on any packet flow that matches one or more favorites. The action types are:
•
Alerts — Matching traffic triggers a conventional alert.
•
Data Enrichment — Matching traffic is submitted to external resources for analysis.
•
PCAP Export — Matching traffic is saved as a PCAP to an external server.
•
IPFIX Export — Matching traffic is sent to an external IPFIX collector.
Alerts
An alert is a type of action that generates a notification whenever captured traffic matches one or more favorites. If you
want to send alerts to one or more email addresses, first set up the email server.
Create a New Alert
•
Name — Type a name for the alert.
•
Type — Select Alert.
•
Recipients (Optional) — Type email addresses to receive alerts. If you specify email addresses here, you
must also configure an email server. If no email address is specified here, the default email address will be used
(Settings > Communication > Server Settings).
•
Email Frequency — Specify how often email alerts are sent (15 minutes, hour, day, and week).
•
Importance — Select the importance level.
•
Shared — Select to make the action viewable by everyone who has access to this appliance.
•
o
•
Endpoint Providers — Select to send endpoint data to endpoint analysis providers.
3. Click Save.
108 of 206
Updated 4 Apr 2016
Actions
Activate and Deactivate Alerts
1. The alert is shown in the Actions list. The green icon
2. Click the green icon to deactivate the alert
indicates that the alert is active.
.
3. View the instances when the alert is triggered on the Analyze > Alerts pages.
After 100,000 of these alerts, the oldest alerts will begin to be overwritten; however, because of the
way the system counts different types of alerts, the alert count in the upper-right corner of the web
interface can exceed 100,000.
Viewing Alerts
Summary
The Summary page organizes alerts by attributes such as importance, favorite, and IP addresses. Use the Advanced
Filter and the time range to narrow the results, or click the table entries to view them on the List page.
List
The List page displays all alerts in reverse chronological order. Use the Advanced Filter and the time range to narrow
the results. See Data Enrichment Alerts for an explanation of the icons and results.
109 of 206
Updated 4 Apr 2016
Actions
PCAP Export
Before you set up a PCAP export action, you must specify a directory (mount point) on an external server where the
PCAPs will be sent. You may configure a mount point by clicking Capture > Import PCAP and clicking Manage
Connections or by configuring the mount point at the same time as the PCAP Export action.
•
Name — Type a name for the PCAP export.
•
Favorites — Do one of the following:
o
Type the name of one or more existing favorites
o
Click Create New Favorite. The Create a Favorite dialog box is displayed:

Specify a Name for the favorite.

For Filter, type one or more filter attributes or the names of existing favorites. Begin typing to get
suggestions. You can use wildcard expressions and logical operators.

Shared — Select to make the favorite viewable by everyone who has access to this appliance.

Click Save.

Type the first few letters of the new favorite name, and then select the favorite.
•
Type — Select PCAP Export.
•
Server — Select an existing mount point on an external server or click the Manage Connections icon
configure a new mount point.
•
PCAPNG — Select to export in the PCAPNG format.
•
Shared — Select to make the action viewable by everyone who has access to this appliance.
•
o
to
3. Click Save. When network traffic matches the favorite(s), the entire flow is exported to the specified directory as a
PCAP(NG) file.
110 of 206
Updated 4 Apr 2016
Actions
IPFIX Export
Create an IPFIX Export action if you have an IPFIX collector on your network. The IPFIX files that the Security
Analytics Platform produces are IPFIX (NetFlow) v.10-formatted.
•
Name — Type a name for the IPFIX export.
•
Favorites — Do one of the following:
o
Type the name of one or more existing favorites
o
Click Create New Favorite. The Create a Favorite dialog box is displayed:

Specify a Name for the favorite.

For Filter, type one or more filter attributes or the names of existing favorites. Begin typing to get
suggestions. You can use wildcard expressions and logical operators.

Shared — Select to make the favorite viewable by everyone who has access to this appliance.

Click Save.

Type the first few letters of the new favorite name, and then select the favorite.
•
Type — Select IPFIX Export.
•
Server IP — Specify the IP address or hostname of the IPFIX collector.
•
Server Port — Specify the port number that the IPFIX collector uses.
•
Shared — Select to make the action viewable to everyone who has access to this appliance.
•
o
3. Click Save. When network traffic matches the favorite(s), the entire flow is exported to the external IPFIX
collector.
111 of 206
Updated 4 Apr 2016
B LUE C OAT T HREAT BLADES
The Blue Coat Advanced Threat Protection Suite provides a unified, cost-effective security solution to detect
advanced malware as well as threats from common protocols. Each ThreatBLADE contains a proprietary blend of
on-box, and off-box, and cloud technologies. For more information visit the web site or contact Security Analytics
Support to subscribe to one or more ThreatBLADES.
•
WebThreat BLADE — Examines files that are transported over HTTP and sends URLs to the Blue Coat Global
Intelligence Network powered by WebPulse, which calculates a verdict based on domain and URL reputation
as well as provides site categorization.
•
MailThreat BLADE — Examines files that are transported via common email protocols such as SMTP,
IMAP, POP3.
•
FileThreat BLADE — Examines files that are transported via file protocols such as FTP, SMB, TFTP.
•
Malware Analysis Appliance — Selected flows are "detonated" by the Blue Coat Malware Analysis Appliance in
a sandbox or virtual environment to evaluate their behavior. A verdict that indicates the level of maliciousness
is returned.
•
CustomAnalytics BLADE — Preview Only: Advanced rules for complex events, a customizable open parser,
and customizable metadata.
•
SCADAThreat BLADE — Preview Only: Provides reports and report widgets for MODBUS and DNP3
attributes.
•
Local File Analysis — A feature that is included by default, Local File Analysis automatically checks files
against ClamAV°, jsunpack-n, a portable executable scanner, and a proprietary hash database. The Solera
Hash DB accumulates "known bad" hashes as published by services such as Mandiant°, Malware.lu°, and
the National Software Reference Library. Local File Analysis also returns the name of any virus that is provided by
ClamAV.
112 of 206
Updated 4 Apr 2016
WebThreat BLADE
Leveraging the Blue Coat Global Intelligence Network powered by WebPulse, the Blue Coat
WebThreat BLADE provides real-time, comprehensive protection against web-based threats such as
phishing, proxy, bots, denial of service, scanners, spam, and Windows exploits.
The following features are available only with the WebThreat BLADE. To obtain a subscription,
contact Security Analytics Support.
The WebThreat BLADE includes the following reports and report widgets:
•
•
•
§
Local URL Analysis — URL threat level as
calculated by a local copy of the WebPulse
database.
URL Analysis — URL threat level as calculated
by the live Global Intelligence Network.
File Analysis — HTTP-transported files are
extracted and evaluated for known threats.
•
Local URL Categories — URL category returned
from a local copy of the WebPulse database.
•
URL Categories — URL category returned from
the live Global Intelligence Network.
•
Malware Analysis§ — Files for which the
WebThreat BLADE has no information are sent to
the Malware Analysis Appliance for evaluation.
Data for this report is available only with the Blue Coat Malware Analysis Appliance.
To enable the WebThreat BLADE, select Settings > Data Enrichment. For additional instructions, see Data
Enrichment.
WebPulse Database Updates
To configure the updates for the local copy of the Global Intelligence Network, i.e. the WebPulse database, select
Settings > Data Enrichment and scroll down to WebPulse Update Location.
•
WebPulse Version — Displays the current WebPulse version and when it was last updated.
•
Initiate Web Pulse Update — Click Update to force a local WebPulse update.
•
Update Interval in Seconds — Specify how many seconds between automatic WebPulse updates.
•
Enable Custom Update Location — Select the check box to configure an alternate location from which to
update the WebPulse database.
o
URL — Specify the location. If the database is controlled by Basic HTTP Auth, also specify the
Username and Password.
113 of 206
Updated 4 Apr 2016
FileThreat BLADE
The Blue Coat FileThreat BLADE works exclusively with the Security Analytics Platform and is
powered by the Blue Coat WebPulse Collaborative Defense Cloud, which maintains the latest
data on all known files, good and bad. The Cloud also provides background processes that hunt
for evidence of malware and malicious content — based on intelligence aggregated from
75 million endpoints.
The following features are available only with the FileThreat BLADE. To obtain a subscription,
contact Blue Coat Support.
The FileThreat BLADE includes the following reports and report widgets:
§
•
File Analysis — Files transported over protocols such as FTP, SMB, and TFTP are extracted and evaluated
for known threats.
•
Malware Analysis§ — Files for which the FileThreat BLADE has no information are sent to the Malware
Analysis Appliance for evaluation.
Data for this report is available only with the Blue Coat Malware Analysis Appliance.
To enable the FileThreat BLADE:
2. Click the activation icon
for the FileThreat BLADE.
3. Optional — Click the Edit icon
and select one or more of the following:
•
Remote Notifications — To send ThreatBLADE alerts as remote notifications via SNMP, syslog, or SMTP,
select the respective check boxes.
•
Endpoint Providers — Select to make endpoint information from FileThreat BLADE alerts available to
endpoint-analysis providers.
•
Unknown Protocols — Select to send artifacts from unknown protocols to the FileThreat BLADE.
For additional information, see Data Enrichment.
114 of 206
Updated 4 Apr 2016
Malware Analysis Appliance
The Blue Coat Malware Analysis Appliance provides comprehensive, cost-effective protection against unknown and
advanced malware, malicious files, and zero-day threats. As part of the Blue Coat Security Analytics Platform for
Advanced Threat Protection, the Malware Analysis Appliance is the key to enhanced malware-detection accuracy
and faster, more complete protection for your workforce and your business.
The latest MAA documentation is located at Blue Touch Online.
If you would like to send details about EXE and DLL detonation to the Blue Coat Global Intelligence
Network to share with other WebPulse users, select Settings > Web Interface and select Enable
WebPulse Feedback.
Install the Blue Coat Malware Analysis Appliance
You can install one or more Malware Analysis Appliances (MAAs) on your network. The MAAs provide the SandBox
and virtual emulation environments that are necessary to detonate and evaluate potential malware.
To set up an MAA, follow these steps:
1. Follow the steps in the Quick Start Guide that was included with your Blue Coat Malware Analysis Appliance to
install the appliance and to set the IP address for the management interface.
2. Access the browser interface and follow the instructions in the wizard to install the requisite license keys.
3. Follow the instructions in the Blue Coat Malware Analysis Appliance: Integration Guide for the Blue Coat Security
Analytics Platform to configure one or more VM profiles.
For Blue Coat Malware Analysis Appliance 4.2.x and later, you can configure default task settings
for each environment (IntelliVM, SandBox, MobileVM). These settings will be automatically applied
to samples that Security Analytics sends to the MAA. Consult the latest Malware Analysis Appliance
Administration Guide on bto.bluecoat.com for instructions.
Integrate the MAA with the Security Analytics Platform
Follow these steps to integrate an MAA with Security Analytics.
1. Log on to the MAA with administrator credentials.
2. Select System Settings > Users. Click the UID of an admin-level account, or create a new admin-level user for
the Security Analytics Appliance.
a.
Under Add New API Key, specify an API key label (recommended: something related to the Security
Analytics Appliance).
b. Select administrator for API Key Access Level.
c.
Click Add New Key.
d. Copy the key from the popup and save temporarily to a text file. You cannot access this key again after you
click away from the MAA.
115 of 206
Updated 4 Apr 2016
3. Log on to the Security Analytics Platform with administrator credentials.
4. Select Settings > Data Enrichment. Under Blue Coat Analysis Providers click the Edit
Analysis Appliance.
icon for the Malware
5. For Name, provide a name for the MAA.
6. For Address, type the IP address of the MAA. Do not include http:// or https://.
7. For Username, type the user account name for which you created the API key.
8. For API Key paste the key that you copied from the MAA. It must correspond with the MAA Username provided
in the previous field.
9. Click Save. An MAA/profile pair is displayed.
It is recommended that you click the name of the MAA and then click the Test the Connection
icon to verify connectivity.
10. For that entry, select a profile. The values in the list are the profiles that are configured on the MAA, e.g.,
SandBox, Windows 7 SP1.
11. Optional — Click Add a new Malware Analysis Appliance/profile pair. A duplicate of the first entry is displayed.
Do one of the following:
•
Select a different profile for the MAA.
•
Click the name of the MAA, select Connect to a new Malware Analysis Appliance, and repeat the
procedure to add the new MAA.
12. If you have more than one MAA/profile pairs configure How should the profiles be queried?:
•
In Parallel — Queries are sent to all of the MAA/profile pairs at the same time.
•
Sequentially — Queries are sent to the MAA/profile pairs one at a time, beginning with the first pair.
o
When you have added two or more MAA/profile pairs, you can set the conditions for sending the query
to the next MAA/profile pair: If the result is [operator] [value] continue to [MAA/profile pair] .
o
You can drag and drop the MAA/profile pairs to change their order in the sequence.
13. When you are ready to begin sending samples to the MAA from the Security Analytics Platform, click the
(inactive) control to activate
the Malware Analysis Appliance entry.
116 of 206
Updated 4 Apr 2016
Samples that are submitted to multiple MAA/profile pairs are processed according to the following
rules:
•
A sample is sent one time to the MAA, where it is processed in a separate task for each profile.
•
For samples sent in parallel, Security Analytics sends the sample to the SandBox first (provided
that the SandBox supports the file type); if the results indicate a suspicious sample, the sample
is sent to the iVM profile(s). This measure prevents filling the iVM queues with innocuous
samples.
•
As soon as one profile returns a significant result, that result is returned to Security Analytics
instead of waiting for all profiles to complete before sending a verdict.
•
The MAA automatically routes mobile samples (Android APK) to the MobileVM, regardless of
which profiles are configured on Security Analytics.
•
To see the health of the MAA connection, open the System Utilization window.
Green means that the connection is active.
Malware Analysis Alerts
Any results will be displayed as follows:
•
In the [ThreatBLADE] — Malware Analysis reports and report widgets for which you have a subscription.
•
On the Analyze > Alerts pages.
o
When the MAA returns a verdict, the Malware
Report
o
Click the
icon is displayed with the alert. Click Reputation
for an overview of the detonation results.
icon to view the full detonation results on the MAA.
A known-bad file — as determined by the ThreatBLADE's file analysis — is not sent to the MAA.
Only files that are Unknown/Unrated are sent to the MAA for detonation.
117 of 206
Updated 4 Apr 2016
Manually Send Samples
You can send individual artifacts to the MAA from the Security Analytics interface.
1. Select Analyze > Extractions. Select the timespan and apply any filters to display the artifact to send.
2. Expand the artifact entry.
3. Click the File Name field and select View Reputation Information > Malware Analysis Appliance. The file is
sent to the MAA profiles that you configured on Settings > Data Enrichment.
I NTEGRATION P ROVIDERS
The Blue Coat Security Analytics Platform supports the following third-party integration providers in data-enrichment
actions.
Provider Type
Service
Bit9°§
MD5 and SHA1 file hashes are sent to Bit9 to check against a list of known trusted files and malware.
Cuckoo°§
Extracted files are sent to a Cuckoo sandbox for detonation.
Only version 0.6 and later is supported by the Blue Coat Security Analytics Platform, version 7.0. If you
used an earlier version of Cuckoo with an earlier version of Solera, you will need to upgrade your
Cuckoo server.
The file api.py must be run on the server side. See the Cuckoo documentation for more information.
The Cuckoo response is written to /var/log/messages, where you can find the link to the Cuckoo report.
FireEye°§
Extracted files are sent to FireEye for malware detonation.
FTP File Mover
Extracted files are sent to your own FTP server.
Lastline° File
Extracted files are sent to Lastline for malware detonation.
§
Lastline Hash
MD5 and SHA1 file hashes are sent to Lastline to check against known bad files.
§
VirusTotal° File
VirusTotal Hash
VirusTotal URL
§
Extracted files are sent to VirusTotal for malware detonation.
§
§
§
MD5 and SHA1 file hashes are sent to VirusTotal to check against known bad files.
URLs are sent to VirusTotal to check against known bad URLs.
Licensing and installation of these services is the responsibility of the user.
118 of 206
Updated 4 Apr 2016
Configure Integration Providers
You may configure as many entries for each provider type as you wish. For example, if you have three FTP servers,
you may configure three FTP entries and then specify which servers will receive the extracted data in the dataenrichment action.
2. Under Integration Providers, click edit
for the desired entry or click New.
3. Specify or edit the Name and add a Description, as desired.
4. Select the Type of provider.
5. Select the Category, if an option is provided — File, Hash, or URL.
6. Supply the information for the provider type:
•
Bit9 — Provide the account credentials.
•
Cuckoo — Provide the Location (hostname or IP address)
•
FireEye — Provide the Location (hostname or IP address) and account credentials.
•
FTP File Mover — Provide the Location (hostname or IP address), account credentials, target directory, and
mode.
o
Before sending files to the FTP server, Security Analytics renames the files to avoid conflicts. The new
filename is the MD5 hash of the artifact time, source IP address/port, destination IP address/port and
the MD5 hash of the file itself, followed by the original filename, when available, for example:
<md5_of_original_filename>_<original_attachment_filename>
o
Optional — Select the Attachment Only check box to send email attachments but not email messages
(EML files) to the FTP server.
•
Lastline — Provide the Key and Token for your account.
•
NormanShark — Provide the Location, Username, Key, and Profile. (Profiles are configured on the
NormanShark appliance.)
•
VirusTotal — Provide the account Key.
7. The new Integration Provider is displayed in the list.
Activate Integration Providers
•
When you create a new Integration Provider, it is automatically activated, as shown by the green
icon.
•
To activate an inactive Integration Provider, click the red
•
Go to Data Enrichment to see how to use the Integration Providers.
119 of 206
active
inactive icon.
Updated 4 Apr 2016
R EPUTATION P ROVIDERS
Third Party On-Demand Reputation Providers supply information on web sites, IP addresses, file hashes, and
artifacts. Reputation Providers are supplied by default on the Blue Coat Security Analytics Platform and are available
for on-demand queries.
On-demand reputation provides responses from the following sources:
Reputation Provider
Service Provided
Blue Coat File Reputation Service
File lookups against multiple antivirus engines and a whitelist lookup.
Blue Coat Web Reputation Service
Hash lookups against Blue Coat's own blacklist
Domain Age Reporter
The amount of time elapsed since the domain was first registered
Google Safe Browsing°
URL validation
Google° Search
Google search results for the item
Local File Analysis
Results from ClamAV, Solera HashDB, Static Analysis, and jsunpack-n
RobTex° Host
Hostname-based reputation
RobTex IP
IP-based reputation
SANS ISC° Hash
File hash lookups against a database of known original installation files.
SANS ISC Host
Hostname lookups against known bad hostnames
SANS ISC IP
IP lookups against known bad IPs
SORBS DNSBL° Host
DNS reputation
SORBS DNSBL IP
IP address reputation
WHOIS Host
Domain registration information
WHOIS IP
IP address information
120 of 206
Updated 4 Apr 2016
Local File Analysis
Local File Analysis is operational in both Data Enrichment Modes: Query Local Database and Query Global
Intelligence Network.
You may include or exclude some of the reputation providers for Local File Analysis. Click Save after changing your
selections.
•
ClamAV — Selected by default
•
Solera HashDB — Whitelist check (returns true or false)
•
Static Analysis — Portable executable scanning
•
YARA — Helps detect live exploits before the URI is known to the Blue Coat Global Intelligence Network.
See YARA Rules.
•
jsunpack-n — JavaScript unpacker and analyzer
After you click Save, approximately two minutes will elapse before the changes take effect in the
data-enrichment process.
Viewing Reputation Information
You can view reputation information in one of several ways:
•
Click an entry in any selected results lists (Reports, Extractions, Geolocation) and select View Reputation
Information > [reputation service provider].
•
Click a field in the artifact details and select View Reputation Information > [reputation service provider].
•
Click an item in the Extractions list to expand the view, and then click Reputation to show all reputation
information for all fields.
Pivot-Only Reputation Providers
See scm_pivot_only_provider in the Security Analytics Platform Reference Guide on bto.bluecoat.com.
121 of 206
Updated 4 Apr 2016
YARA Rules
YARA rules (version 3.2.0) can help detect live exploits before the URI is known to the Blue Coat Global Intelligence
Network. YARA rule hits are displayed as alerts on the Analyze > Alerts pages (when the score is 6 or higher) and in
the reputation information for individual artifacts.
Activate YARA Rules
Follow these steps:
2. Activate the WebThreat BLADE and Local File Analysis.
3. Under Data Enrichment Mode, select the YARA check box.
4. Select Analyze > Actions and enable the Local File Analysis - Live Exploits action.
The Live Exploits Favorite
The Local File Analysis - Live Exploits favorite, which is used by the Local File Analysis - Live Exploits action,
specifies multiple mime_type=[x] values and then specifies uri_category="Unrated". That uri_category filter is included to
prevent overloading the YARA rules. With the WebThreat BLADE activated, files from known-malicious web sites are
tagged with uri_category=[WebPulse Category] and so are excluded by the Local File Analysis - Live Exploits favorite. In
this way the YARA rules are applied only to files from unknown web sites.
Customize YARA Rules
You can customize your YARA rules by following these steps:
1. Open the YARA rules file: /usr/lib64/python3.3/site-packages/derp/providers/third_party/yara_rules/rules.yar
2. Add, delete, or modify YARA rules, as desired. Keep in mind that YARA-rule analysis can be resource-intensive. If
a rule takes longer than two seconds to process, the analysis will be terminated. Consult YARA Tuning Options,
below, to change this interval.
3. Save the file. The new rules are available immediately. To test the new rule(s), open the Extractions page, expand
an artifact entry, and then click Reputation.
122 of 206
Updated 4 Apr 2016
YARA Tuning Options
Tuning options are available in /etc/solera/config/derp.conf.
"standard_analysis_process": {
"abbr_name": "std_anlys",
"dependents": [
"submission"
],
"max_tasks": 100,
"queue_size": 10000,
"weight": 0.3
},
queue_size (Default: 10000) determines how many YARA
requests are stored before Local File Analysis begins to drop
requests. If you find that too many tasks are being dropped, you
can increase the queue size to store more tasks. Keep in mind
that a larger queue size requires additional memory.
"derpd": {
"yara_max_size": 31457280,
"yara_max_wait": 2,
},
These two attributes are not present in derp.conf by default. Add
them to the derpd section to override the embedded default
values, which are shown here.
•
yara_max_size — Maximum size in bytes (default: 30 MB)
of a file that YARA will process. Any file larger than this limit
will not be processed by YARA.
•
yara_max_wait — Time in seconds (default: 2) to allow a
YARA rule to process. Any process that exceeds this limit
will be terminated.
123 of 206
Updated 4 Apr 2016
Endpoint Providers
E NDPOINT P ROVIDERS
The Security Analytics Platform can provide endpoint information to external endpoint-analysis providers such as
EnCase° Cybersecurity by Guidance° Software. Using a Security Analytics Web API, endpoint analysis providers
retrieve source and destination IPs, source and destination ports, and the timespan for selected alerts. With this
information, the provider can conduct its own endpoint investigations.
It is the responsibility of the user to license and install third-party endpoint analysis solutions.
Endpoint analysis support can be enabled as follows:
•
For alerts and data-enrichment actions, select the Endpoint Providers check box on the Create/Edit Action
dialog.
•
For the ThreatBLADES, click the Edit icon
the Endpoint Providers check box.
for the ThreatBLADE (Settings > Data Enrichment) and select
124 of 206
Updated 4 Apr 2016
Login Correlation Service
L OGIN C ORRELATION S ERVICE
If you have already installed the Login Correlation Service prior to version 7.1, go to Settings > Data
Enrichment to download and install the latest version.
The Login Correlation Service for Microsoft° Active Directory° associates network activity with Microsoft AD domain
users. The LCS sends the following information to the Security Analytics Platform:
•
Username
•
IP address (as found in the domain server's DHCP log)
•
Login time
•
Authentication method
How the LCS Works
The LCS has two components:
•
LCS agent — Detects user logons and logoffs and creates an IP-to-username correlation. Resides on a DC,
server, or a workstation.
•
adlistener-d — A Linux daemon that adds the correlation information to the Indexing DB, from which the
User Name report is generated. Resides on the Security Analytics Platform.
The LCS agent parses the logon/logoff events of a DC's security logs. Specifically, it monitors the logs for these event
IDs:
•
4624 — An account was successfully logged on.
•
4634 — An account was logged off. After detecting this event ID, the LCS agent sends a WMI query to the
workstation to verify whether the user has actually logged off.
The LCS agent extracts the following information from those events:
•
User Name
•
Logon Type
•
Source Port
•
Domain
•
Workstation Name
•
Time
•
Logon ID
•
Source Network Address
•
Date
The LCS agent correlates User Name with Source Network Address and sends the pairings to adlistener-d over port 8843,
which adds the information to the Indexing DB.
Requirements
•
.NET Framework 3.5 or later
•
Windows Server 2008 DC (Windows Server 2012 is not supported)
125 of 206
Updated 4 Apr 2016
Configure the DC
For every Active Directory DC, that you want to monitor for logon events, perform these steps:
Configure the Advanced Audit Policy Setting
User logon information is stored in security logs on the DC. The LCS derives its information from these logs. To
capture logon events, the DC’s advanced audit policy must be configured to audit successful logon and logoff
events.
To configure an advanced domain login audit policy setting, follow these steps:
1. Log on to the DC as a member of the local administrators group.
2. Select Start > Administrative Tools > Group Policy Management.
3. In the console tree, double-click your forest, e.g., Forest: soleranetworks.com.
4. Double-click Domains, and then double-click the DC, e.g., solera.com.
5. Right-click Default Domain Policy, and then click Edit.
6. Open the following items in this order:
a.
Computer Configuration
f.
Configuration
b. Policies
g. System Audit Policies
c.
h. Logon/Logoff
Windows Settings
d. Security Settings
e.
i.
Logon
Advanced Audit Policy
7. Select the Configure the following audit events check box, select the Success check box, and then click OK.
8. Set Logoff to Success as well.
Configure the Group Policy to Enable WMI Access to a Remote Machine
•
The LCS uses remote WMI queries to verify whether a domain user is logged off. If a domain
workstation does not respond to a WMI query, then the LCS regards the user as not logged off.
•
If the user does not log off gracefully, Windows does not generate an event log; therefore, the
LCS does not detect the event. This missed event can sometimes be inferred when a user logs
on later to a workstation with the same IP address.
1. Select Administrative Tools > Group Policy Management > Group Policy Objects > Default Domain Policy.
2. In both the standard and domain profiles, select Computer Configuration > Administrative Templates >
Network > Network Connections > Windows Firewall and enable the Allow inbound remote administration
exception.
126 of 206
Updated 4 Apr 2016
Update the Group Policy Settings
1. Select Start > All Programs > Accessories, right-click Command Prompt, and click Run as administrator.
2. If the User Account Control dialog box is displayed, confirm that the action it shows is what you want, and then
click Yes.
3. Type gpupdate and press Enter.
Verify That the Audit Policy Settings Were Applied Correctly
1. Type auditpol.exe /get /category:"Logon/Logoff" and press Enter.
C:\Windows\system32>auditpol /get /category: "Logon/Logoff"
System audit policy
Category/Subcategory
Logon/Logoff
Logon
Logoff
Account Lockout
IPsec Main Mode
IPsec Quick Mode
IPsec Extended Mode
Special Logon
Other Logon/Logoff Events
Network Policy Server
Setting
Success
Success
Success
No Auditing
No Auditing
No Auditing
Success
No Auditing
Success and Failure
2. Verify that the setting for both Logon and Logoff is Success.
Install the LCS Agent
2. Click Download Version [x] of the Login Correlation Service Installation File and save DSLoginCorrelation.exe to
your workstation.
•
Only one LCS agent is required per domain.
•
You may install the LCS agent on the DC, on a Windows workstation in the domain, on a server
that is not in the domain, or on a server that is in the domain. The last option is recommended.
•
If you install the LCS agent on a Windows workstation, the workstation must be in the same
domain as the controller that you want to monitor, and it must always be connected to the
network. It is not recommended that the LCS agent be installed on a portable workstation.
127 of 206
Updated 4 Apr 2016
3. Run DSLoginCorrelation.exe on the target machine and follow the prompts to install it. DSLoginCorrelation.exe installs
the following:
•
The LCS agent
•
A GUI application to configure the LCS
The installation process requires a system restart to complete.
4. Launch SOLERA NETWORKS > Login Correlation Service.
5. On the welcome page click Next.
6. On the Select Installation Folder page, specify the folder and click Next. The LCS agent begins to install.
7. When the Set Service Login dialog is displayed, specify credentials to authenticate to the LCS agent. Use the
following format:
•
Local user — <PC_name>\<username>
•
Domain user — <domain_name>\<domain_username>
<domain_username> must be a domain administrator account or an account that has permission to
read DC security event logs and execute WMI queries.
8. On the Installation Complete page, click Close.
Configure the LCS Agent
1. Launch Login Correlation Service and click Connect.
2. No DCs are detected. Click Add.
3. Click Add again.
4. In the Domain Controllers section:
•
For Domain Name, type the name of a DC, e.g., ad.solera.com.
•
For Domain IP, type the IP of the DC.
•
For Login Name and Password, type the name and password of the administrator account for the DC.
•
Click Apply.
5. In the DeepSee Appliances section:
•
Click Add.
•
For Appliance IP, type the IP address of the Security Analytics Platform appliance.
•
For Login Name and Password, type the name and password of the root account.
•
Click Apply.
6. Optional — If the Security Analytics Platform appliance requires a client certificate, select the Use Client
Certificate check box.
128 of 206
Updated 4 Apr 2016
Client authentication occurs when the adlistener-d service on the appliance requests a certificate
from the LCS agent during the SSL handshake; an LCS agent cannot initiate a request to be
authenticated.
7. Click Import SSL Certificate and upload a PEM-format certificate that will permit the LCS agent to access the
appliance.
8. Select File > View > Read-Only Tree View to see a hierarchical view of the DCs and appliances.
Import DCs and Appliances from a CSV File
You can import multiple DCs and Security Analytics Platform appliances from a CSV file.
Syntax for DCs
DomainController-IP,username,password
example
192.168.5.55,administrator,<password>
Syntax for Security Analytics Platform Appliances
Appliance-IP,username,password,SSL_agent_certificate_path
example
192.168.1.20,root,<password>
192.168.2.219,root,<password>,F:\shares\certificates\adl-cacert.pem
192.168.2.25,root,<password>
Enable LCS on the Appliance
1. Select Settings > Data Enrichment on the web interface.
2. Scroll down to Login Correlation Service. Do one of the following:
•
Select the Allow All Agent IPs check box. With this setting enabled, the login events from all LCS agents will
be accepted by this Security Analytics Platform appliance.
•
To specify which LCS agent events to accept, clear the Allow All Agent IPs check box.
o
For Server, type the address of an LCS agent.
o
Optional — Click add another agent IP for additional LCS agents.
3. Click Save.
4. Select Settings > Security and click Configure Firewall.
5. The default setting permits all LCS traffic (port 8843) from all IPs. Create more rules as desired.
129 of 206
Updated 4 Apr 2016
View LCS Activity
On the CLI
1. Log on to the appliance via the CLI with root credentials and execute the following command:
ps -aux | grep adl
2. You should see a display similar to the following:
In the Log File
The log file DomainLogonWatcher.log is created in the application data folder on the machine where the LCS agent
resides, e.g., C:\Users\<username>\AppData\Roaming\Solera Networks\. The file has a maximum size of 100 Mb.
The \AppData\ directory is hidden by default.
Login Correlation Service activity appears similar to the following:
Domain Admin Account
4/12/2013
4/23/2013
4/23/2013
4/23/2013
4/23/2013
4/23/2013
4/23/2013
8:02:33
8:02:33
8:02:33
8:02:33
8:02:33
8:02:33
8:02:33
PM
PM
PM
PM
PM
PM
PM
Updated configuration will be applied to domain : <domain_name>
Certificate error: RemoteCertificateNameMismatch, RemoteCertificateChainErrors
Trying to authenticate at appliance 10.1.1.149
AcknowledgeReceiverThread started for ip 10.1.1.149
Authenticated to ADListner 10.1.1.149
Adding domain controller <domain_name> : 10.1.1.150
Adding domain controller <domain_name> : 10.1.1.151
Non-Admin Account
4/23/2013 6:11:06
4/23/2013 6:11:08
4/23/2013 6:11:08
Access is denied.
4/23/2013 6:11:11
Access denied
4/23/2013 6:11:18
4/23/2013 6:11:18
Access is denied.
4/23/2013 6:11:21
PM Updated configuration will be applied to domain : <domain_name>
PM trying to connect to domain controller <domain_name> [ 10.1.1.151 ]
PM Exception received while connecting to Domain Controller <domain_name> :
(Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))
(Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))
On the Web Interface
To see LCS activity on the web interface, do one of the following:
•
On the default page of the web interface, add the User Name widget to a Summary page.
•
On the Analyze > Report page, select the User Name report.
130 of 206
Updated 4 Apr 2016
Appliance Security
A PPLIANCE S ECURITY
LDAP Authentication
Because each network is unique, we cannot make specific recommendations as to how you should
integrate LDAP with your Blue Coat Security Analytics Platform.
When a user attempts to authenticate via LDAP, the process is as follows:
1. The user logs in via HTTP or SSH.
2. The appliance sends a BIND request containing the BIND DN credentials to the LDAP server.
3. The LDAP server returns success or failure.
4. The appliance sends the LDAP user credentials and search base criteria to the LDAP server.
5. The LDAP server returns success or failure.
6. The appliance allows authentication; if successful, the user is added to the user list on the Users and Groups
settings page.
With the LDAP authentication service, users can log on to the Security Analytics Platform using a
username/password combination stored on an external LDAP server. These credentials are valid for both the web
interface and the CLI.
Enable LDAP
1. Select Settings > Authentication.
2. Select the Enable LDAP Authentication check box. The system will automatically attempt to discover an LDAP
server.
3. If the auto-discover is unsuccessful, the LDAP Auto-Discover dialog box is displayed. Do one of two things:
•
Click Cancel and manually specify the LDAP settings.
•
Supply the BIND domain FQDN and click Save. Follow any other prompts to provide the LDAP BIND
authentication credentials for the domain controller. The system then discovers the configuration information
from Active Directory or the LDAP server and populates the LDAP Service page.
At any time during LDAP configuration, you can click the Test LDAP button to see if the settings are
valid.
131 of 206
Updated 4 Apr 2016
Appliance Security
Modify LDAP Server Settings
If there is more than one domain controller on the system, by default the system discovers the primary server
configured. You can change the settings to use another domain controller by following these steps:
2. For Server, type the LDAP server’s hostname or IP address.
3. For Port, type one of the following:
•
389 for LDAP
•
3268 for Active Directory°
4. Select the Encryption Type.
•
For TLS or SSL, you should select the Verify Server Certificate check box only if your LDAP server has a
certificate from a valid certificate authority.
•
If the LDAP server certificates are self-signed, clear the Verify Server Certificate check box.
5. Enter the BIND DN and BIND Password for an account that has rights to search the containers where the LDAP
users are located. If your LDAP server does not require an authorized login, then you may leave the
Authenticated BIND fields blank.
6. Click Save. The appliance will immediately try to connect to the LDAP server.
Limiting LDAP User Searches
To improve LDAP login performance, you can constrain the range of containers to be searched when looking for an
LDAP user.
Search base
The starting container where the LDAP server will begin searching for LDAP users. Only one search base is allowed.
Specify using LDIF, e.g., DC=<subdomain>,DC=<domain>.
Scope
How the LDAP server will search within that container.
•
base — Queries only the search base but nothing below it
•
one — Queries only the first level under the search base but not the search base itself
•
sub — Queries the search base and every level under it
132 of 206
Updated 4 Apr 2016
Appliance Security
Group DN
The group that is authorized to authenticate to the Security Analytics Platform. Only members of the specified group
will be able to authenticate to the appliance. Examples of the group members that are included in the search
parameters are displayed. The Group DNs are valid entries for the LDAP Groups field when creating a user group.
If the Group DN field is left blank, all users in the search scope will be able to authenticate, which
may pose a security risk.
You must correctly set the group membership attribute under Schema Configuration, because this
attribute’s syntax varies depending on the LDAP implementation used. If the attribute is incorrect, it
will not return the proper group membership information for authentication.
Identifying the LDAP Schema Configuration
Because LDAP schema mappings vary between LDAP implementations, you can select an appropriate schema
mapping such as InetOrgPerson, Microsoft° Active Directory°, and Microsoft Services for Unix°. Select the LDAP schema that
your server uses from the list. Most Open LDAP implementations will work with the InetOrgPerson configuration. If your
server’s schema is not in the list, select User Defined and fill out the resulting fields.
Note on Server-Side Changes to LDAP
Depending on the LDAP server being used, schema may need to be extended to allow for certain attributes such as
Unix attributes to be added to the user objects themselves. This may require elevated rights to make the necessary
modifications to either the LDAP schema or the LDAP users. The attributes that must be present on the LDAP users
are uidnumber, gidnumber, and homeDirectory.
133 of 206
Updated 4 Apr 2016
Appliance Security
Specify Mapped LDAP Schema
1. Select Settings > Authentication and scroll down to Schema Configuration.
2. For LDAP Schema select one of the following options:
•
InetOrgPerson — Standard LDAP configurations
•
Microsoft Active Directory — Microsoft Active Directory configurations
•
Microsoft Active Directory (RFC 2307) — MS Active Directory configurations compliant with the ITEF RFC
2307 standard
•
Microsoft Services for Unix 2.0 — MS Active Directory configurations compliant with the Unix 2.0 standard
•
Microsoft Services for Unix 3.5 — MS Active Directory configurations compliant with the Unix 3.5 standard
•
RFC 2307 Network Information Service — Network Information Service compliant with the ITEF RFC 2307
standard
•
RFC 2307bis Network Information Service — Network Information Service compliant with the ITEF RFC
2307bis standard
•
User Defined — All other LDAP configurations. If you select this option, go to Define a new LDAP schema.
3. Click Save. The appliance will now use these values when searching for LDAP users.
Define a New LDAP Schema
2. Select the Enable LDAP Authentication check box. When the LDAP Auto-Discover dialog is displayed, click
Cancel.
3. Scroll down to the Schema Configuration section.
4. For LDAP Schema, select User Defined.
5. Specify the User Object Class.
6. For Login Name Attribute, type the LDAP distinguished name.
7. For Full Name (GECOS) Attribute, type the full name of the user (or application name, if the account is for a
program). You can also append the following (separated by commas):
•
Building and room number or contact person
•
Office telephone number
•
Any other contact information (pager number, fax, etc.)
8. For User Password Attribute, type the account password.
9. Select the Password Change Method:
•
•
•
•
•
Active Directory (ASDI)
Cleartext
Cleartext (remove old password first)
Crypt
IBM° RACF
•
•
•
•
134 of 206
MD5
Novell° NDS
RFC 6032
RFC 6032 (send old and new passwords)
Updated 4 Apr 2016
Appliance Security
10. Specify the User ID Number Attribute and Home Directory Attribute.
11. For User Shell Attribute, type the name of the shell that the user will use to log in.
12. Specify the Group Object Class and Group ID Number Attribute for nested and dynamic groups.
13. For Group Membership Attribute, type the name(s) of the group(s) this account is in.
14. Select Distinguished Name or UID for Group Membership Type.
15. Click Save. The appliance will now use these mapping values when searching for LDAP users.
Kerberos° Authentication
If Kerberos is implemented on your network, you can provide single sign-on (SSO) access to the Security Analytics
Platform.
Kerberos SSO and Active Directory authentication via an LDAP group DN are mutually exclusive. If
Kerberos is enabled, anyone in the domain can authenticate to the Security Analytics Platform
appliance successfully. If you specify a group DN in the Searches section, Kerberos authentication
will be automatically disabled.
LDAP Server Setup
Install and configure the Active Directory or LDAP server. Consult the LDAP vendor's documentation for instructions.
Security Analytics Platform Setup
1. Select Settings > Date/Time and select the Use Network Time Protodocol (NTP) check box.
2. For Primary NTP, type the FQDN of the LDAP server and click Save.
3. Select Settings > Network. Make a note of the Hostname.
4. On all of the DNS servers that are listed in the Domain Name Servers section, add forward and reverse lookup
entries for the Security Analytics Appliance hostname, e.g., <ip_address> = <hostname>
5. Follow the steps in Enable LDAP to configure LDAP authentication.
6. For Group DN, verify that nothing is selected.
7. Select the Enable Kerberos check box. The Domain Controller, Realm, and Domain fields should be autopopulated with the LDAP configuration settings
8. Specify the Username and Password to bind the appliance to the Kerberos domain.
9. Click Save.
Single Sign-On Setup
For every device that is to authenticate to the Security Analytics Appliance using single sign-on, peform these steps:
1. Verify that the device is in the same Kerberos domain as the Security Analytics Appliance.
2. The FQDN of the Security Analytics Appliance must be specified as a trusted site, according to browser settings:
135 of 206
Updated 4 Apr 2016
Appliance Security
•
For Firefox°, go to the about:config page and modify the network.negotiate-auth.trusted-uris setting to include the
FQDN of the appliance.
•
For IE, go to Internet Options > Local Intranet, and add the FQDN of the Security Analytics Appliance as a
local intranet site. (If you are using the Windows short name, you do not need to perform this step.)
3. Configure the browser to negotiate with Kerberos instead of NTLM (NT LAN Manager).
4. Users must navigate to the domain name of the Security Analytics Appliance instead of its IP address. This
domain name can be the Windows short name or the FQDN. (The FQDN is recommended, because that is the
name in the certificate for HTTPS management.)
RADIUS Authentication
You can configure the Security Analytics Platform to accept RADIUS authentication.
2. Select the Enable RADIUS Authentication check box.
3. Fill in the fields as follows:
•
Server — The IP address or hostname of the RADIUS server
•
Port — The port number (default: 1812)
•
Shared Secret — Type the string
•
Timeout (Seconds) — Type the number of seconds before an idle RADIUS session times out.
4. Click Save.
136 of 206
Updated 4 Apr 2016
Appliance Security
Two-Factor Authentication
2FA requires a token in addition to the username and password to access the web interface. The authentication
token is created by the Google Authenticator° mobile app, which is available for the following smart phones:
•
Android° 2.1 or later
•
BlackBerry° OS 4.5–6.0
•
iPhone° iOS 3.1.3 or later
Do not enable 2FA until after you have verified the following; otherwise, you may be locked out of
the web interface*:
• Google Authenticator is installed on your smart phone and is working.
•
The time on the Security Analytics appliance is correct and coordinated with NTP. Because the
2FA token is valid for only 30 seconds, the appliance will reject a token that appears to be
outside the validity timespan.
*Use the scm tally command to restore access.
1. Go to Install Google Authenticator at the Google° Accounts Help Center web page and follow the instructions to
install the application on your smart phone.
2. On the web interface, select [Account Name] > Preferences.
3. Select the Enable Google Authenticator check box.
4. Enter the secret key to Google Authenticator in one of two ways:
•
Scan the QR code.
•
Type the case-sensitive secret key into the space provided.
5. Click Save. 2FA is now enabled for this user account.
2FA is enabled per user account, not per appliance; therefore, some user accounts on the same
appliance can require 2FA to log in while others do not.
2FA Logins
When logging in to the web interface with a 2FA-enabled account, follow these steps:
1. Type the username and password as usual and click Log In.
2. A second login prompt is displayed. Type the authentication token as provided by Google Authenticator and click
Log In.
The authentication token changes about every 30 seconds, so you must consult Google
Authenticator for each login instance.
137 of 206
Updated 4 Apr 2016
Appliance Security
Troubleshooting LDAP
Consult this page to solve common problems. For further assistance, contact Security Analytics Support.
problem
The system returns the error message: Your LDAP settings were not discoverable. Please enter the BIND Domain FQDN and
another attempt will be made.
solution
Verify that the name servers are configured properly. The search base and domain should not be pointing to
the wrong domain in /etc/resolv.conf.
problem
The system returns the error message: Your LDAP settings were not discoverable. Please check the username and password. If
that still does not fix the problem, cancel this dialog and manually enter your settings.
solution
Select Settings > Network and verify that DNS is configured correctly and is pointing to a Windows domain
controller. Verify that the username and password are correct for the domain controller.
138 of 206
Updated 4 Apr 2016
Passwords
P ASSWORDS
The passwords to access features on the Blue Coat Security Analytics Platform are as follows:
•
Local Users
•
Remote Users
•
Root
•
Boot Loader
•
Administrator
•
Two-Factor Authentication
•
SNMPv3
•
SMTP
•
syslog
Password-Complexity Rules
The password-complexity rules affect the local and remote users (including the admin account) and root (SSH). To alter
the password-complexity rules, follow these steps:
1. Select Settings > Security and scroll down to Password.
2. Adjust the Length as desired.
3. Select or clear the check boxes to require digits (numerals), other characters (non-alphanumeric), or upper-case
letters.
4. Click Restore Defaults to reset as follows:
•
Length — 14
•
Require Digits — Enabled
•
Require Other Characters — Enabled
•
Require Uppercase — Enabled
139 of 206
Updated 4 Apr 2016
SSL Certificates and Keys
SSL C ERTIFICATES AND K EYS
You may install a certificate for the Blue Coat Security Analytics Platform or require that browsers have a certificate to
access the web interface. A self-signed certificate and key is automatically included on the appliance with the
Security Analytics Platform installation.
Install from the Web Interface
1. Select Settings > Security and scroll down to PKI and SSL.
2. The default certificate for the appliance, its common name, fingerprint, and date modified are displayed. The
name of the default private key is also displayed. Click edit
to upload a new certificate or key.
To generate a new certificate and key for the appliance, go to Generate a New Certificate and Key.
3. To require that browsers have a certificate to access the web interface, select the Require Client Certificate to
Access Web Interface check box.
When you enable this feature, all web browsers that do not have a valid certificate from the Issuing
Authority — including yours — will be prevented from accessing the web interface.
•
Upload the certificate that validates client certificates to Issuing Authority's Certificate.
•
Specify the URL of the certificate revocation list.
Certificates for CMCs and Sensors
If you have a CMC, you may set up one of the following scenarios:
•
All sensors present a certificate to the CMCs
•
All CMCs present a certificate to the sensors
•
Both the CMCs and the sensors present certificates to each other
1. On the appliance that requires the certificate (server role), do the following:
•
Select Require Client Certificate to Access Web Interface.
•
Upload the certificate that validates client certificates to Issuing Authority's Certificate.
•
Specify the URL of the certificate revocation list (PEM, DER, or CRL format).
140 of 206
Updated 4 Apr 2016
2. On the appliance that is required to present a certificate (client role), do the following:
•
Select Use Appliance Certificate and Key to use the credentials that you uploaded in Step 2. This option is
valid only if the appliance certificate can function for both server and client roles.
When you select the Use Appliance Certificate and Key check box and click Save, the web
interface will be refreshed and the check box will be cleared. The client table will also not display the
Common Name and Fingerprint information from the appliance. However, the client is using the
appliance certificate as designed.
•
Upload the client certificate and key to authenticate to the other appliance.
3. Click Save.
Generate a New Certificate and Key
Follow these steps to generate a new SSL certificate and key for your Security Analytics Platform appliance.
1. Initiate an SSH session with the appliance and log in as root.
2. Using OpenSSL, generate a private key. You will need to specify the encryption type and bit value:
openssl genrsa [-<encryption_type>] -out localhost.key <key_size_in_bits>
If you create a private key with a passphrase (by specifying an encryption type), then, users must
enter the passphrase every time the system is rebooted. You may use an external program in place
of the built-in passphrase to bypass this security measure; however, omitting a passphrase (not
passing the encryption type) allows anyone who has the private key to impersonate the appliance or
to decrypt its data.
The following encryption types are available:
•
DES — Key encrypted with DES in CBC mode
•
DES3 — Key encrypted with DES in EDE CBC mode with a 168-bit key
•
IDEA — Key encrypted with IDEA in CBC mode
•
AES[128|192|256] — PEM output encrypted with AES in CBC mode
•
Camellia[128|192|256] — PEM output encrypted with Camellia in CBC mode
141 of 206
Updated 4 Apr 2016
example
Encryption type AES256 with a 2048-bit key. (It is recommended that you specify 2048 bits or stronger):
openssl genrsa -aes256 -out localhost.key 2048
1. Generate a certificate-signing request (CSR) (not to be confused with CSR):
openssl req -new -key localhost.key -out localhost.csr
If you generate a CSR using a different method, you must upload the key that was used to generate
the CSR along with the signed certificate in step 5, below.
2. Export localhost.csr via SCP (or the equivalent) to your workstation.
3. Send the CSR to a CA to be signed. You will need to provide the country name, state, locality name,
organization name, organizational unit name, common name, email address, challenge password, and optional
company name.
4. The CA returns the signed certificate (localhost.crt).
5. You have these options to load the certificate and key to the appliance:
•
Upload both the certificate and the key to the appliance through the web interface.
If you use this method, you must move the key and certificate off the appliance before uploading
them, which may present a significant security risk.
•
Copy both files from the root directory to overwrite the current files:
mv localhost.key /etc/pki/tls/private/
mv localhost.crt /etc/pki/tls/certs/
service httpd restart
If you use this method, you bypass audit and record-keeping controls, which might be in violation of
your organization's security policy.
•
RECOMMENDED — Copy the key from the root directory to overwrite the current key, and then upload the
certificate through the web interface.
o
Copy the key to overwrite the old key:
mv localhost.key /etc/pki/tls/private/
o
On the web interface, select Settings > Security.
If you upload a key or certificate using the web interface and click Save, the internal HTTP server
automatically restarts. If you attempt to restart the HTTP server manually before both the key and its
corresponding certificate have been loaded, the HTTP server will not restart.
142 of 206
Updated 4 Apr 2016
•
Go to Install from the Web Interface and follow the instructions to upload the certificate.
Disallow Connections That Use Low-Bit Encryption
1. Edit the ssl.conf file to allow only HIGH or HIGH and MEDIUM encryption ciphers, according to your preference:
vi /etc/httpd/conf.d/ssl.conf
2. Navigate to line 100:
100G
3. Remove :!LOW or :!MEDIUM and :!LOW from the default cipher suite:
Before: SSLCipherSuite RC4-SHA:AES128SHA:ALL:!ADH:!EXP:!MEDIUM:!LOW:!MD5:!SSLV2:!NULL
After1: SSLCipherSuite RC4-SHA:AES128-SHA:ALL:!ADH:!EXP:!MEDIUM:!MD5:!SSLV2:!NULL
After2: SSLCipherSuite RC4-SHA:AES128-SHA:ALL:!ADH:!EXP:!MD5:!SSLV2:!NULL
4. Press Esc and type :wq to save your changes.
5. Restart the internal HTTP server:
service httpd restart
Authenticated Proxies
If your appliance connects to the Internet via an authenticated proxy, and the proxy has a certificate handshake for
SSL traffic, add the CA certificate (PEM format) as follows:
cp /etc/pki/tls/certs/ca-bundle.crt /etc/pki/tls/certs/ca-bundle.crt.bak
openssl x509 -text -in <new_cacert>.crt >> /etc/pki/tls/certs/ca-bundle.crt
openssl verify -CAfile /etc/pki/tls/certsca-bundle.crt <new_cacert>.crt
Reboot to apply changes.
How to set the proxy's network settings.
143 of 206
Updated 4 Apr 2016
User Accounts and Groups
U SER A CCOUNTS AND G ROUPS
Select Settings > Users and Groups to configure local user accounts and their groups. With these groups you can
exercise RBAC. RBAC gives administrators the ability to assign specific view or modify permissions to "roles" (which
are represented by "groups" on the Blue Coat Security Analytics Platform), and then to assign the users to one or
more groups. In this way, administrators can impose a granular level of control over what users are permitted to do
or see on the Security Analytics Platform.
Local Users
•
You can create up to 256 local users on the Security Analytics Platform appliance.
•
User names and passwords support the UTF-8 character set.
•
Password strength can be configured on Settings > Security.
•
To enable two-factor authentication on an account, see Two-Factor Authentication.
Also see dsadduser in the Security Analytics Platform Reference Guide on bto.bluecoat.com.
Add a User
1. Select Settings > Users and Groups > Users.
2. Select Tools > New.
3. Under Login Details, specify the username and type the password twice. The username cannot contain spaces.
4. Optional — For User Groups, the default user group is present. You can delete this group and add other user
groups, as desired.
A user account that does not belong to any groups does not have access to the appliance.
5. Optional — Under Account Details specify the user's real name and email address.
6. Click Save.
If you lose access to all of the admin-level accounts on the web interface, log on to the CLI with root
permissions and run the following:
/gui/dsweb/Console/cake --app /gui/dsweb solera_acl elevate
<username>
where <username> is the name of an existing user account. The command places the user in a new
group with administrator privileges called elevated-admin-<YYYY-MM-DD>T<hh:ii:ss>. Log on with
this account using its original password, and then edit the account and the group in Settings >
Users and Groups.
144 of 206
Updated 4 Apr 2016
Modify User Accounts
Use the controls on the Users and Groups page to modify or delete user accounts.
Local User — This user account was created directly on the appliance. When
you delete this user, the user’s group membership and login data are deleted, so
the user cannot log in to the appliance again.
Edit Account — Click to change the user’s password, enable or disable the
account, or change group membership.
Delete User — If a user is logged in when its account is deleted, the user’s next
action will fail.
Non-Local Account — This user has logged in to the appliance using remoteserver credentials such as LDAP or RADIUS. When you delete a non-local user
from the appliance, the user is deleted from all groups, but the account on the
remote server is unaffected. When the user logs in to the appliance again using
those remote credentials, the user account appears again on the Users and
Groups page in the default group, and the Admin must manually add it to any
other group.
To prevent remote users from automatically logging on to the appliance, do one
of the following:
•
Create a group that has no access privileges and designate it as the default
group.
•
In the LDAP search settings, select a Group DN that excludes unwanted users.
Enabling and Disabling User Accounts
•
User accounts are disabled automatically after a specified number of failed login attempts. (See Session
Controls.) You can re-enable the user account by clicking its Edit icon
•
and clearing Account Disabled.
Likewise, you can manually disable a user account by selecting the Account Disabled check box.
145 of 206
Updated 4 Apr 2016
Shell-Only Users
Shell-only user accounts can access the appliance through an SSH session only. They do not appear on and cannot
be modified in the web interface. The password for a shell-only user expires after 60 days.
To create a shell-only user, log in to the CLI with root credentials.
syntax
scm solera_acl shell_only [<parameters>]
parameters
<username> User name for the shell account; this account must already exist on the appliance, created either on
the web interface or with the dsadduser command.
-r Remove the shell-only flag from the account.
examples
scm solera_acl shell_only
Displays a list of shell-only users.
scm solera_acl shell_only <username>
Converts the user account to shell only.
scm solera_acl shell_only -r <username>
Removes the shell-only flag from the user account.
146 of 206
Updated 4 Apr 2016
Account Profile Settings
Click the name of the current account to change user name, email, password, display, and authentication
preferences.
Settings
[Account Name] > Account Settings
1. For Name, type a display name for your account.
2. For Email, type the email address to associate with the account.
3. Optional — Click Change Password.
The default rules for password strength are:
•
•
•
•
14 characters
numeral
non-alphanumeric (#, &, %)
upper-case letter
To change these rules, go to Settings > Security.
•
Type the current (old) password.
•
Type and then retype the new password.
4. API Key — The API key is used for web services APIs.
5. Time Prefix, Time Suffix — See "Single Time-Value Configuration" in the Security Analytics Platform Reference
Guide on bto.bluecoat.com.
147 of 206
Updated 4 Apr 2016
Preferences
[Account Name] > Preferences
•
Number of Entries per Page — Select the number of rows to display for the data tables.
•
Network Traffic — Select the unit of measurement to display: bits, bytes, packets.
•
Use packet-based reports and filters — Select to disable session-based reports.
•
Language — Select the language for the interface.
•
Enable Google Authenticator — Select to enable 2FA.
the web interface*:
•
•
Artifact MIME-Type Display — Specify the method for the extractor to determine the file type:
o
o
o
Derived — If both MIME and magic values are present, use internal logic to determine the most likely file
type.
148 of 206
Updated 4 Apr 2016
User Groups
U SER G ROUPS
The Security Analytics Platform has three preconfigured user groups:
•
admin — Full modification rights via the web interface and the CLI
•
auditor — View and download logs
•
user — View and modify permissions for capture and analysis; all new users are assigned to this group by
default.
Create or Modify a Group
1. Select Settings > Users and Groups > Groups.
•
Click the Edit icon for an existing group.
•
Click Tools > New and specify a unique Name.
3. Optional — Select Default to make this the default group. All new users will placed into this group by default.
4. Optional — For Description, describe the group characteristics.
5. Specify the group's access rights. See Group Permissions.
6. Optional — For Filter, specify which data this group can access. See Data Access Control for more information.
7. Optional — For Users, type the names of the group's members. You can also leave this field blank and return
later to add names.
8. Is LDAP authentication enabled on this appliance?
Yes — Optional: For LDAP Groups, type any value that
exists in the Group DN field on the Authentication Settings
page. See LDAP Authentication for more information.
No — Continue the
procedure.
9. Click Save.
149 of 206
Updated 4 Apr 2016
User Groups
Group Permissions
When assigning group permissions, you can select a parent permission to include all of its children permissions, or
you can select each permission separately. When you select the Capture check box, for example, you assign all
capture-related permissions to the group. You can also clear any of the child check boxes as desired.
Default Group Permissions
Permission
Admin Auditor User
Full modify permissions
X
Modify all settings pages — All pages on the Settings menu
X
Authentication — Remote login services (LDAP, RADIUS, Kerberos)
X
Central Manager — Add and remove CMC control
X
Data Enrichment and Reputation — Data-enrichment server setup; reputation providers
X
Data Retention — Time-based data deletion; summary graph data purge
X
Date/Time — Time zone, NTP
X
Geolocation — Google Earth, MaxMind databases, internal subnets
X
License — Install and modify
X
Logging — SNMP, syslog, notifications
X
Network — IP address, hostname, DNS, proxy
X
Security — Firewall, access control, session control
X
System
X
CSR — Download
X
Reboot
X
Shutdown
X
Upgrades — Initiate upgrades
X
Users and Groups — Create, edit, delete
X
Web Interface — Session timeouts, referrers, and message of the day
X
Statistics — View only
X
Logs — View and download
X
150 of 206
X
X
X
Updated 4 Apr 2016
User Groups
Permission
Admin Auditor User
Capture
X
Capture Summary Graph — View only
X
Import PCAP
X
Import Remote PCAP — From remote servers
X
Import Local PCAP — From local directories and USB drives
X
X
X
X
X
Analyze — All analytical functions
X
X
CLI — Full modify permissions on the CLI via SSH (not root access)
X
Capture, PCAP, Playback, Filters
Data Access Control
•
Use data access control to specify which data types a group can access. All primary filter attributes are valid
for this field (see Primary Filter Attributes).
•
For example, if you specify application_group=web, the users in the group can access only the data that is
related to the web application group. Leave the field blank to grant access to all data types.
Remote Authentication Users
•
When remote authentication is enabled (LDAP, Kerberos, RADIUS), users can log on to the appliance without
the Admin creating the user on the appliance.
•
When a user logs on to the appliance with remote credentials, the user automatically appears on the Settings
> Users and Groups page and is placed in the default group.
•
Remote users are designated by this icon
•
If remote authentication is enabled, you cannot create a local username that is identical to a username on a
remote authentication server.
, whereas local users are designated thus:
151 of 206
Updated 4 Apr 2016
User Groups
Account Settings
The settings in this menu affect only the account with which you are logged in.
•
Account Settings — Change the display name, associated email, and password; set the time prefix and
suffix for APIs, and view the account's API key.
•
Preferences
o
Number of Entries per Page — Select the default number of rows to show in results tables.
o
Network Traffic — Select the unit of measurement: bits, bytes, or packets.
o
Language — Select the display language for the web interface. This setting does not affect text that is
drawn from outside sources, e.g., MaxMind databases on the Geolocation page or the verdicts from the
reputation providers.
o
Enable Google Authenticator — Select to enable Two-Factor Authentication (2FA).
the web interface*:
•
o
•
Artifact MIME-Type Display — Specify which method the extractor uses to determine the file type of an
artifact:



Derived — If both MIME and magic values are present, use internal logic to determine the most
likely file type.
Encoder/Decoder Tool — Convert to and from encoding algorithms such as URL and Base 64.
152 of 206
Updated 4 Apr 2016
Remote Access
R EMOTE A CCESS
Control how users and other network devices connect to and interact with the appliance.
Firewall
Settings > Security
•
Enable Firewall — Select to enable the firewall. The default setting is to accept HTTP, HTTPS, SSH, ICMP,
Central Management, and Login Correlation Service connections.
•
Configure Firewall — Click to add more firewall rules.
1. Click New
2. For Rule, type an IPv4 address, MAC address, or IPv4 network in CIDR format.
3. For Type, select accept or reject.
4. Select one or more services:
•
HTTP, HTTPS, SSH, ICMP, SNMP — Well-known ports
•
Central Management — VPN port; default is 1194 or as specified on the CMC
•
Login Correlation — Port 8843
5. Click Save.
Web Access
Settings > Security
These settings affect how users access the appliance via the web interface.
You can also use the scm_tally command in the CLI for some of these settings.
(Consult the Security Analytics Platform Reference Guide on bto.bluecoat.com.)
•
Maximum Login Attempts — Specify the number of login failures before an account is disabled. Default: 3
•
Unsuccessful Login Timeout (Seconds) — Specify the number of seconds that elapse before a disabled
account is automatically enabled. To prevent accounts from being automatically enabled, enter 0 (zero) or
leave the field blank. Default: 1200
•
Maximum Concurrent Sessions — Specify the number of sessions that can access the appliance at the
same time. Default: 10
•
Require HTTPS — Select to require that users access the appliance via HTTPS.
153 of 206
Updated 4 Apr 2016
Remote Access
•
When an account is disabled by failed login attempts, you can re-enable it in one of these ways:
°
Wait for the interval in Unsuccessful Login Timeout to expire.
°
Access the user account on Settings > Users and Groups and clear the Account Disabled
check box.
°
With root access on the CLI, run scm tally.
•
Users are not notified that their accounts have been disabled by unsuccessful login attempts.
•
The root account for the CLI is not disabled after reaching the maximum number of
unsuccessful logins.
Web Access Ports
If you intend to manage this appliance with a CMC, do not change the port numbers for HTTP (80)
and HTTPS (443), or the CMC cannot connect to this appliance.
•
HTTP Port — Type an integer for the new HTTP port number.
•
HTTPS Port — Type an integer for the new HTTPS port number.
Click Restore Defaults to reset as follows:
•
Maximum Login Attempts — 3
•
Unsuccessful Login Timeout — 1200
•
Maximum Concurrent Sessions — 10
•
Require HTTPS — Enabled
•
HTTP Port — 80
•
HTTPS Port — 443
154 of 206
Updated 4 Apr 2016
Remote Access
SSH Access
Settings > Security
•
Allow SSH Access — Select to permit access to this appliance via SSH.
•
SSH Port — Type an integer for the new SSH port number.
•
Restore Defaults — Click to restore the SSH port to 22.
Also see Disable SSH Root Logins.
Ping (ICMP)
Settings > Security
•
Respond to Pings (ICMP) — Select to permit this appliance to respond to ICMP (ping) requests on the
management interface (eth0).
Because the capture interfaces do not have an IP stack, they cannot be assigned an IP address and
therefore cannot be pinged.
Web Interface Settings
Inactivity Timeout
•
Inactivity Timeout — Select the desired interval. The timeout value for the current browser session is
updated immediately. The timeout value for other active browser sessions will not be updated until the page
is changed or refreshed.
HTML Preview
• Enable External HTML Elements Preview — Select to permit the Web page preview function to retrieve
external images, style sheets, and scripts from the Internet. When this feature is disabled, you can view
images and CSSs that are only on the capture drive.
Anonymous User Tracking
• Enable Anonymous Usage Tracking — Select to permit your appliance to send the following data to Solera
Networks:
•
Randomly unique identifier that is not tied to
any known information
•
Time in use
•
Pages accessed and actions taken
•
Public IP address of the appliance
•
Time to generate reports and extractions
•
Country and city of the appliance
•
Query attributes used (not values)
•
Version, build, and model number
•
Widgets in use
•
User ID (and role, pre-DeepSee 6.6)
•
•
Browser type and version
Number of favorites, actions, PCAPs,
replays, filters
155 of 206
Updated 4 Apr 2016
Remote Access
WebPulse Feedback
• Enable WebPulse Feedback — Select to send details about EXE and DLL detonation to the Blue Coat
Global Intelligence Network to share with other WebPulse users. This setting is valid only in conjunction with
the Malware Analysis Appliance.
Message of the Day
Add custom text to the system login screen and the CLI.
•
Message of the Day — Type the text in the space available:
o
Limit of 5000 characters (including formatting).
o
The only supported HTML tags are B and U.
Allowed Referrers
• Allowed Referrers — Type the hostname or IP address of a host that is allowed to link back to this
appliance.
Disable SSH Root Logins
Follow these steps to prevent users from logging in to the Security Analytics Platform as root using SSH.
1. Edit the sshd_config file:
[prompt]# vi /etc/ssh/sshd_config
2. Uncomment the line #PermitRootLogin yes and set the value to no:
PermitRootLogin no
3. Save and exit sshd_config.
4. Restart the ssh daemon to apply the changes:
service sshd restart
156 of 206
Updated 4 Apr 2016
Security Analytics Platform Ports and Protocols
S ECURITY A NALYTICS P LATFORM P ORTS AND P ROTOCOLS
Consult this table to configure your firewalls, according to the services that you have activated on your Security
Analytics Platform appliance.
During the licensing and license update procedures, the appliance will communicate with
license.soleranetworks.com over TCP 443.
Service
URL/IP
Ports
Active Directory°
[none]
TCP/UDP 3268
Central Management
[none]
TCP/UDP 443
If this port number is changed, CMCs cannot
communicate with their sensors.
Central Management VPN
10.x.x.x/x
TCP/UDP 1194
or specified
These defaults can be changed on the Central Manager
Console.
ClamAV° 1
database.clamav.net
UDP 53
TCP 80
Requires a DNS query to database.clamav.net, then add the
mirrors (obtainable through freshclam --list-mirrors)
Cuckoo
[as needed]
TCP/UDP 9420
[none]
TCP/UDP 8843
DNS2
[as needed]
TCP/UDP 53
[same as WHOIS]
[same as
WHOIS]
FireEye° 3
[as needed]
[as needed]
FTP
[none]
TCP 21
Google Safe Browsing°
sb-ssl.google.com
TCP 443
Uses Internet connection from workstation
Google° Search
google.com
TCP 80
HTTP
[none]
TCP/UDP 80
This default can be changed on Settings > Security.
HTTPS 2
[none]
TCP/UDP 443
This default can be changed on Settings > Security. (Do
not change if your appliance is or is being managed by a
CMC.)
Lastline° 1,3
analysis.lastline.com
TCP 443
LDAP authentication
[none]
TCP/UDP 389
Malware Analysis
Appliance
[as needed]
TCP/UDP 80,
443
NormanShark°3
[as needed]
TCP/UDP 80,
443
NTP
[as needed]
UDP 123
RADIUS
[as needed]
UDP 1812, 1813
Domain Age Reporter
1
2
Comment
157 of 206
This port is used to communicate between the LCS and
the agent's UI application. The Security Analytics Platform
firewall has a setting to permit this traffic.
The WHOIS settings also permit Domain Age Reporter
traffic
Consult this site:
support.ntp.org/bin/view/Servers/NTPPoolServers
Updated 4 Apr 2016
Service
URL/IP
Ports
Comment
robtex.com
TCP 80
SANS ISC° 1
isc.sans.edu
TCP 80, 443
Host and IP queries are transmitted over SSL but hash
queries are unencrypted.
SMTP
[as needed]
TCP 25
[as needed]
TCP 161 (polling)
TCP/UDP 162
(trap)
SORBS DNSBL° 1
dnsbl.sorbs.net
UDP 53
SSH 2
[none]
TCP/UDP 22
syslog 2
[as needed]
UDP 514
ThreatBLADES 1,3
ti.soleranetworks.com
TCP 443
VirusTotal° 1,3
api.vtapi.net
TCP 80
WebPulse Updates
[none]
TCP 443
To be used with the MailThreat BLADE
WHOIS 1
[as needed]
TCP 43
The WHOIS lookup service will query different WHOIS
servers based on the registry associated with the top-level
domain of the target. Consult this authoritative list of WHOIS
servers.
RobTex°
SNMP
1
2
This default can be changed on Settings > Security.
Service requires Internet access.
Service is always used by the Security Analytics Platform.
3
Licensing for this service is the responsibility of the user.
1
2
158 of 206
Updated 4 Apr 2016
MD5-Encrypted Password for Bootloader
1. Generate an MD5-encrypted password using any valid method, for example:
python -c 'import crypt; print crypt.crypt("<password>", "$1$<salt>$")'
2. Edit the grub.conf file:
[prompt]# vi /boot/grub/grub.conf
default=0
timeout=5
password --md5 <password_hash>
<== Insert this line here.
splashimage=(hd0,0)/grub/solera-bootsplash.xpm.gz
3. For <password_hash>, paste the MD5-hashed password.
4. Save and exit grub.conf.
Federal Information Processing Standards
The FIPS certificate for the Security Analytics Platform was issued on 12 Nov 2013 and can be viewed at
http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/1401val2013.htm#2025.
When upgrading your Security Analytics Platform, to ensure that the Apache° server is compliant, the following
directive must be added to /etc/httpd/conf.d/ssl.conf:
SSLFIPS on
To confirm that Apache is running in FIPS mode, look for the following message in /var/log/httpd/error_log:
[notice] Operating in SSL FIPS mode
159 of 206
Updated 4 Apr 2016
All Settings
A LL S ETTINGS
Consult the table below to see where to configure all settings on the Blue Coat Security Analytics Platform. The
Settings menu is available only to users with administrative privileges for the appliance. The settings in the [Account
Name] menu affect only the account with which you are logged in.
Setting
Interface Location
CLI
Account name and email
dsadduser
Anonymous usage tracking
Settings > Web Interface
API settings
Capture summary graph data
Settings > About > Data-Retention Settings
Central Manager linkage
Settings > Central Management
Certificates
Settings > Security
Data Enrichment mode
Settings > Data Enrichment
CSR
Settings > System
DHCP
Settings > Network
DNS
Settings > Network
Email logs, server setup
Settings > Communication > Server Settings
Enable external HTML elements preview
Entries per page
Firewall
Settings > Security
Google Authenticator
Google Earth° settings
Settings > Geolocation
Hostname
Settings > Network
HTTP proxy
Settings > Network
HTTPS access
Settings > Security
ICMP response
Settings > Security
Inactivity timeout
Internal subnets for geolocation
IPs to exclude from reputation lookup
IPv4 and IPv6 addresses
Settings > Network
Kerberos single sign-on
Settings > Authentication
LDAP authentication
Licensing
Settings > About > License Details
Log file export
Settings > Communication > Advanced
dslc
Log file purge
dslc
Log notifications
dslc
160 of 206
csr.sh
dslc
dsfirewall
Updated 4 Apr 2016
All Settings
Setting
Interface Location
CLI
Log settings import
dslc
Logging (syslog, SNMP)
Settings > Communication
dslc
Malware Analysis Appliance setup
MaxMind° uploads
Message of the day
MIB
NTP
Settings > Date/Time
Packet-based vs. session-based reports
Passwords
Various, click link
Ping response
Settings > Security
RADIUS authentication
Reboot appliance
Settings > System
Referrers
Reputation providers
Root password
https://<appliance>/settings/initial_config
Session controls
Settings > Security
Shut down appliance
Settings > System
SNMP
SSH access
Settings > Security
syslog
ThreatBLADE setup
Time/date/zone settings
Settings > Date/Time
Time-based data deletion
Settings > Data Retention
Two-factor authentication
Units of measurement
Upgrade system software
Settings > Upgrade
User accounts and groups
Settings > Users and Groups
WebPulse Updates
WebPulse Feedback
161 of 206
dslc
dslc
dsadduser
scm solera_acl_elevate
scm solera_acl_shell_only
Updated 4 Apr 2016
Logging and Communication
L OGGING AND C OMMUNICATION
Communication consists of logging, alerts, SNMP, and remote notifications.
For each event, the logs record the date and time of the event as well as the priority and the category.
You can also use the dslogdump command in the CLI for these settings. (Consult the
Audit Log
Select Settings > Audit Log. Use the advanced filter to search the logs by priority, category, or event.
System Logs
From the CLI, you can access two different logs:
•
/var/log/audit/audit.log — User-initiated events written by auditd
•
/var/log/messages — System events from all components
Email Alerts
You can also use the dslc command in the CLI for many of these settings. (Consult the
The Security Analytics Platform can send email alerts to any standard email address, either directly or through an
SMTP server gateway. Configuring the email settings will automatically send outbound emails for log entries to one or
more email addresses. You can specify any email address you prefer in the From field.
The Security Analytics Platform appliance uses the sendmail application and must therefore have
Internet access to send a message to an external email address. You can also configure the
appliance to point to an internal SMTP server; however, that SMTP server must be set up to relay
email from the Security Analytics Platform appliance.
1. Select Settings > Communication > Server Settings.
2. For To, type at least one valid email address. Separate multiple email addresses with a comma.
3. For From, type the email address to be displayed in the From field. Leave the field blank to use the system
name.
4. For SMTP Server and SMTP Port, type the server IP address or hostname and its port number.
162 of 206
Updated 4 Apr 2016
5. Does the SMTP server require authentication?
Yes — For Username and Password, type the
credentials for SMTP server access.
No — Select the No authentication required
check box.
6. Select the Use STARTTLS check box if the SMTP server requires it.
7. For Default Email Address, type the email address that will be used whenever no email address is specified for an
Alert.
8. Click the Advanced tab.
9. Under Remote Notifications, enable the Email check box in the System Events row and click Save.
SNMP Settings
By default, the appliance will respond to incoming public queries from external SNMP devices. The Blue Coat
Security Analytics Platform can be configured to send SNMP traps and inform messages to external SNMP servers.
SNMP traps are error messages that do not require acknowledgement of receipt; SNMP informs require that the
receiving server send back an acknowledgement.
•
You can specify the same server to receive both trap and inform messages.
•
The Security Analytics Platform supports only SHA for authentication and AES for privacy.
Any special characters — including a space — that are entered in these SNMP fields will be
converted to an underscore (_). The exception is the @ character, which will be left as-is.
1. Select Settings > Communication > Server Settings and scroll down to SNMP Settings.
2. Under Polling, configure these settings:
•
Optional —Select Enable Polling.
o
•
Type the read-only username and read-only community name in the spaces provided, or accept the
default (public).
Optional —Select Enable Authentication.
o
Specify the authentication and privacy-encryption passwords.
3. Under Trap, configure these settings:
•
Specify the name for the trap community.
•
Specify the inform and trap server settings.
•
Optional —Select Enable Authentication.
o
Specify the read-only username and the authentication and privacy-encryption passwords.
4. Optional — Select Enable Authtrap.
163 of 206
Updated 4 Apr 2016
5. Click Save.
7. Under Remote Notifications, enable the SNMP check box in the System Events or Solera Events row and
click Save.
•
System Events — Login, logoff, events (misc, users, system, capture/playback) Log in as root on the CLI
and type dslc show categories to see the current list.
•
Solera Events — Alerts, reports
Syslog Settings
Syslogs record information about the operation of a computer or computer-related device. Syslog messages can be
sent to an external syslog server.
1. Select Settings > Communication > Server Settings and scroll down to Syslog Settings.
2. Optional — If multiple syslog messages are issued simultaneously, select the Enable Coalescing check box to
group the messages before they are sent. This setting applies to all syslog servers.
3. For Syslog facility, select one of the following:
Kernel
User
Mail
Daemon
Auth
syslog
News
UUCP
Cron
AuthPriv
FTP
Local Use 0–7
LPR
4. For Syslog Servers, type the hostname or IP address and port number.
5. Click add a new host for multiple syslog servers to use the same facility.
To set up a many-to-many relationship among syslog servers and facilities, use dslc add syslog
server <server> <port> <facility>. Each server entry will be visible on the web interface but the
facility that is associated with each entry will not be visible at this time.
6. Click Save.
8. Under Remote Notifications, enable the Remote Syslog check box in the System Events and/or Solera Events
row and click Save.
164 of 206
Updated 4 Apr 2016
Communication Settings
Import Settings
Use the dslc import command in the CLI for these same settings. (Consult the Security
Analytics Platform Reference Guide on bto.bluecoat.com.)
Select an existing communication configuration file and apply those settings to your Security Analytics Platform
appliance.
Importing settings is valid only for transferring configurations between the same model of hardware,
e.g., from one Dell 720xd to another Dell 720xd.
1. Select Settings > Communication > Advanced.
2. Under Import Communication Settings, click Browse.
3. Locate and select a settings file, e.g., logging_config.dat, and click Open.
4. The New Settings File box shows the path to the selected file.
5. Click Import Communication Settings.
Your existing settings will immediately be overwritten, and — unless you had previously exported
them — will not be recoverable.
Export Settings
You can export your current communication settings to view them or to import to an identical hardware model of
appliance.
Do not modify the text file in an attempt to modify the settings.
2. Under Import/Export Communication Settings, click Export Settings. This saves your settings file as
logging_config.dat in your local downloads directory.
Export Log Entries
Click Download to save the log as a CSV file.
165 of 206
Updated 4 Apr 2016
MIB Files
The Security Analytics Platform supports remote logging via SNMP and syslog. To use SNMP logging, you must
export the MIB and install it on your SNMP system.
Do not modify the MIB text in an attempt to modify the settings.
2. Under Download SNMP MIB click Download MIB to save mibfiles.zip in your local downloads directory. This
archive contains three files:
•
ENTITY-MIB.mib
•
SOLERA-AGENT-MIB.mib
•
SOLERA-SMI-MIB.mib
Resetting System Logs
Once the log files have been cleared, the information that was in them cannot be recovered.
2. Under Reset Log, click Clear Log Entries. This deletes all audit log entries.
Use the dslc factory command in the CLI to restore the logging system to its default settings.
(Consult the Security Analytics Platform Reference Guide on bto.bluecoat.com.)
166 of 206
Updated 4 Apr 2016
Remote Notifications
With the remote notifications feature, you can customize the alert notifications that the system sends to configured
SNMP, SMTP, and syslog servers.
Create a template
Create one or more templates and customize the format.
1. Select Settings > Communication > Templates.
•
Three preconfigured templates are already present on this page (CEF, SMTP, SNMP). They cannot be edited
or deleted.
2. Click New. The New Template dialog is displayed.
3. For Template Name, specify a name.
4. For Type, select SNMP, SMTP, or syslog.
•
If you selected SMTP, type the Subject Line for the email message.
5. For Available Fields, select the fields to include in the template. The fields correspond to the primary filter
attributes plus Flow Timestamp, which is start_time="".
6. Use the up and down arrows to put the fields in the desired order.
7. For Delimiter, select which character to put between the fields.
8. The Template Output Characters field displays the template and counts the characters. This field is not
editable.
9. Click Save. These templates are available in the Actions dialog boxes (Create, Edit) under Remote Notifications.
When you select a remote notification type, a drop-down list is displayed with the available templates.
167 of 206
Updated 4 Apr 2016
Default Template Output
The default templates output the following data, formatted as shown:
CEF
CEF messages conform to ArcSight CEF version 17.
CEF:0|<OB_CEF_DEVICE_VENDOR>|<OB_CEF_DEVICE_PRODUCT>|<VERSION>|<OB_CEF_EVENT_ID_ALERT>|<OB_
CEF_EVENT_NAME_ALERT>|<alert importance>|src=<ipv4_initiator> spt=<port_initiator>
dst=<ipv4_responder> dpt=<port_responder> start=<UNIX timestamp> end=<UNIX timestamp>
smac=<ethernet_initiator> dmac=<ethernet_responder> msg="Action: '<action name>' was
triggered by Favorite: '<favorite name>'"
SMTP
SMTP messages are tab-delimited.
ipv4_initiator=<ipv4_initiator>→port_initiator=<port_initiator>→ipv4_responder=<ipv4_respo
nder>→port_responder=<port_responder>→start_time=<UNIX timestamp>
SNMP
SNMP messages are pipe-delimited.
ipv4_initiator=<ipv4_initiator>|port_initiator=<port_initiator>|ipv4_responder=<ipv4_respon
der>|port_responder=<port_responder>|start_time=<UNIX timestamp>
Enable Remote Notifications for the ThreatBLADES
To send ThreatBLADE alerts as remote notifications, follow these steps:
2. Under Blue Coat ThreatBLADES, click the Edit icon
for the ThreatBLADE.
3. Select one or more of the following:
•
SNMP
•
Syslog
•
SMTP
4. Click Save.
168 of 206
Updated 4 Apr 2016
Software Upgrades
S OFTWARE U PGRADES
To upgrade the Blue Coat Security Analytics Platform, you must have a link to an upgrade server, then you must
download the new image from the upgrade server, initiate the upgrade, and reboot.
Add an Upgrade Server
During the licensing procedure for the appliance, the upgrade server upgrade.soleranetworks.com should have been added to
the Upgrade Servers list. If there is no entry in the Upgrade Servers list, follow these steps to add the upgrade server
manually.
1. Select Settings > Upgrade. The Upgrade Servers page is displayed.
2. Click New. The Add Upgrade Server dialog box is displayed.
3. For Protocol, select https.
4. To add the upgrade server, follow these steps:
•
For Host, type upgrade.soleranetworks.com
•
For Path, type /upgrades/
•
Under Login Information, type the credentials to access the upgrade server. Contact Security Analytics
Support if you do not know your credentials.
5. To add a different upgrade server, specify the hostname and file path for the manifest.xml file on that server. Add
login credentials, as necessary.
6. Click Save. The server is added to the list of available upgrade servers.
Upgrade the Security Analytics Platform
1. Select Settings > Upgrade. The Upgrade Servers page is displayed.
2. For the desired upgrade server, click Upgrade from Server
.
3. Select the upgrade version and click Download Upgrade.
4. When the download is complete, click Initiate Upgrade. The new image is downloaded, verified, and unpacked.
5. When prompted click Reboot. The system restarts, and the new image is installed.
•
The system will continue to operate normally until you click Reboot. During the reboot/upgrade,
all capture and logging are suspended.
•
The upgrade may take as long as 30 to 45 minutes, depending on your configuration.
•
When the upgrade is complete, the system will automatically resume capture and logging.
6. When you log in again, verify that you are using the upgraded version by placing your cursor over the logo for
Blue Coat Systems, Inc.. The version number is displayed in a pop-up.
169 of 206
Updated 4 Apr 2016
Licensing
L ICENSING
During initial configuration, you are presented with the license dialog, where you must install a license before you can
continue. To update or change a license, follow these steps:
1. Contact Security Analytics Support to obtain the new license key.
2. Select Settings > About and then click License Details.
3. Does your appliance have access to the Internet (license.soleranetworks.com; port 443)?
Yes — Under Retrieve License,
input the License Key and click
Send Request.
•
If applicable, select the desired
license type.
•
The appliance sends the
license key and the license
seed file to the license server,
which generates the
appropriate license file
(license.tgz) and returns it to the
appliance, which then
No — Click Download DS Seed to download the seed file
(dsseed.tgz) to your workstation.
•
On a workstation that has Internet access, go to
license.soleranetworks.com.
•
Type your license key, upload dsseed.tgz, and click Update.
•
If applicable, select the desired license type and click Update.
•
Save the license file (license.tgz) to your workstation.
•
Return to the License Details dialog.
•
Click Browse and select license.tgz.
•
The license is uploaded and the appliance automatically
reboots.
License Expiration
The expiration for each license type results in the following conditions and behavior:
•
For the WebThreat BLADE and the FileThreat BLADE, users are permitted to initiate 1000 queries per blade
per month after the ThreatBLADE subscription expires. These lookups (View Reputation Information) must
be initiated from the Extractions page.
170 of 206
Updated 4 Apr 2016
Network Settings
N ETWORK S ETTINGS
Settings > Network
•
Hostname — The name typed here is displayed as part of the prompt when anyone logs in to the command
line on this appliance. If you add this appliance to your domain name service, input the host name here.
•
Use DHCP — If you select this check box, it is recommended that you use the DHCP reservation feature of
your DHCP server to statically map the MAC address of the management interface to an IP address.
•
IP Address, Netmask, Default Gateway — Enter these values in dotted-decimal format.
•
IPv6 Address — Input the appliance's unicast address.
•
IPv6 Secondaries — Separate each address with a single space.
•
HTTP Proxy — If your appliance accesses the Internet through a proxy, type the IP address of the proxy in
the following format: <IP_address>:<port>
o
If your appliance accesses the Internet through an authenticated proxy, edit /etc/environment as follows:
http_proxy="http://<username>:<password>@<ip_address>:<port>"
https_proxy="http://<username>:<password>@<ip_address>:<port>"
•
Primary DNS, Secondary DNS, Tertiary DNS — Specify up to three DNS servers. If you intend to add this
appliance to your domain name service, or if you will be specifying hostnames for other devices in this
appliance's settings, then you must specify at least one DNS server.
•
When you change the hostname, HTTP proxy setting, or time zone, the appliance will
automatically reboot.
•
When you change the IP address, you may need to wait for 10 seconds before attempting to
connect to the new IP address.
171 of 206
Updated 4 Apr 2016
System Date and Time
S YSTEM D ATE AND T IME
Time is an important parameter for both PCAP file generation and playback; therefore, it is recommended that you
use NTP to synchronize time between the management workstation and the appliance whenever possible.
1. Select Settings > Date/Time.
2. For Date, type the date as MM/DD/YYYY.
3. For Time, type the time as hh:ii:ss.
4. For Time Zone, select the appropriate time zone for your location.
You must manually input the time and date even if you intend to enable NTP.
5. Optional — Select the Use Network Time Protocol (NTP) check box. You may use the default NTP servers or
specify others.
6. Optional — To enable NTP encryption:
•
For each NTP server:
o
Select the Use Autokey check box to enable encryption.
o
Click Browse to upload the group key that was generated by the NTP server. When the key has been
accepted, the Current Group field will be populated with the following: ntpkey_iff_[<ntp_server_name>|<IP>]
•
Optional — Type the Group Key Password if a password was generated for the group key. This password
must be the same for all of the servers' group keys.
•
Select the Generate NTP Host Keys check box to generate a certificate and a host key for the appliance.
These files will expire after one year.
If you change the name of an NTP server, you will have to upload a new group key. If you change
the hostname of the appliance on the Network Settings page, you will have to generate new NTP
host keys.
7. Click Save. If you changed the time zone, the appliance will automatically reboot.
172 of 206
Updated 4 Apr 2016
Statistics
S TATISTICS
Network System
The Network System page displays network interface statistics for the Blue Coat Security Analytics Platform. Select a
specific network interface to view the statistics for that interface. Select Automatically Refresh Statistics to
continuously update the displayed information.
Some of the "total" statistics will be reset after an upgrade or a reboot.
Statistic
Description
Current Packets Captured per
Second
The number of packets per second currently being captured. This is a snapshot statistic.
Current Packets Filtered per Second
The number of packets per second currently being filtered. This is a snapshot statistic.
Current Bytes Captured per Second
The current number of bytes per second currently being captured. This is a snapshot
statistic.
Max Packets Captured per Second
The maximum number of packets received in a second.
Max Packets Filtered per Second
The maximum number of packets filtered in a second.
Max Bytes Captured per Second
The maximum number of bytes received in a second.
Total Packets Captured
The total number of packets captured. Depending on the storage size, these packets may
have already been overwritten.
Total Bytes Captured
The total number of bytes captured. Depending on the storage size, these packets may
have already been overwritten.
Total Packets Filtered
The total number of filtered packets matching the filter.
Total Bytes Filtered
The total number of bytes recorded from the filtered packets received.
Slot Allocation Misses
The number of packets dropped due to no available memory slots.
Space Map Errors
The number of packets dropped due to no available allocation for network interface.
DSR Read Misses
The Disk Space Record was not found.
Active Slot
The memory slot currently receiving packets.
Address of Active Slot
The memory address of the active slot.
Packets Captured in Active Slot
The number of packets stored in the current memory slot.
Ring Buffers in Active Slot
The total number of ring buffers (on the network capture card) used to capture packets.
Bytes Captured in Active Slot
The total number of bytes stored in the active memory slot.
Metadata in Active Slot (Bytes)
The total metadata bytes in the active memory slot.
173 of 206
Updated 4 Apr 2016
Statistics
Size on Disk
The Size on Disk page displays a pie chart that depicts the total bytes of storage used by capture operations on each
Ethernet interface. This data is a representation of disk space used to store the data and not necessarily the exact
amount of data stored. For example, a pie slice showing 25 GB may be a combination of 23 GB of actual payload
data and 2 GB of overhead. Place the cursor over a segment of the graphic to see how large the segment is.
Storage System
The Storage System page displays a list of storage device statistics. Select Automatically Refresh Statistics to
continuously update the displayed information.
Disk Space Record ID
Statistic
Description
Disk Space Type
The identified purpose of the storage.
Disk Space Active
Identifies if the storage space is in use.
Disk Space Date/Time
Time stamp of the disk space creation.
Member Count
The number of logical storage devices.
Disk ID
The kernel reported drive type (e.g., 20 = SATA).
Partition ID
The name of the logical disk partition.
Slot Size (bytes)
The number of bytes allocated for each slot.
Total Slots
The total number of memory slots available for storage.
Cluster Size (bytes)
The cluster size in bytes.
Total Clusters
The total number of clusters available for storage.
Total 4K Blocks
The total number of 4K blocks available for storage.
Disk Record Blocks
The total number of disk record blocks.
Logical Data Area Start
The start address for the logical data area.
Start of Slot Data
The start address of slot data.
Space Table Size (bytes)
The total size of the space table, in bytes.
Recycle Count
The number of times the capture drive has filled to capacity.
174 of 206
Updated 4 Apr 2016
Statistics
Active Slot Chains
For each interface, the Storage System page shows the following data:
Statistic
Description
Start Cluster
Address of the start cluster
End Cluster
Address of the end cluster
Start Time
Start time and date
End Time
End time and date
Slot Count
Number of slots occupied
Elements
Number of elements
Size (bytes)
Bytes in the chain
Active Slot
Active slot number
Active Slot Address
Address of active slot
Packets
Number of packets in the chain
Ring Buffers
Number of ring buffers
Total Bytes
Total bytes in the chain
Total Metadata Bytes
Total bytes that contain metadata
Total Captured
The Total Captured page displays a pie chart that depicts the total bytes captured by each Ethernet interface. Place
your cursor over a segment to display the actual amount captured by that interface.
Total Filtered
The Total Bytes page displays a pie chart depicts the total bytes for each filtered interface. Place your cursor over a
segment to display the amount of filtered data captured by that interface.
175 of 206
Updated 4 Apr 2016
Drive-Space Management
D RIVE -S PACE M ANAGEMENT
It is important to be aware of how the Blue Coat Security Analytics Platform organizes data so that you can delete the
appropriate data sets if you need to free up space for new data.
Capture and Index Drives
The data in both the capture and index drives are automatically overwritten according to the method described in
Data Overwriting. To purge all data from the capture and index drives, log in as root on the CLI and type dszap.
You cannot retrieve data that you erase with the dszap command.
System Drive
The Security Analytics Platform saves the following data on the system drive, so the data is not affected by the
overwrite cycles on the capture and index drives:
†
•
Favorites and actions†
•
Capture filters†
•
Logs
•
Statistics
•
Saved reports†
•
Saved extractions†
•
Capture summary graph data
•
Packet analysis data
Save operation initiated by user
Some of the data is deleted with a special button; other data is deleted through settings and other controls. The
following table shows how to delete each data type.
176 of 206
Updated 4 Apr 2016
Delete Controls for Data Types
Data Type
UI
CLI
Favorites
Analyze > Favorites >
n/a
Actions
Analyze > Actions >
n/a
Saved Reports
Analyze > Saved Results >
Included in the dszap deletion
Saved Extractions
Analyze > Saved Results >
Included in the dszap deletion
Audit Logs
Settings > Communication > Advanced >
Clear Log Entries
dslogdump --clear
Statistics
n/a
dsstats --reset
Packet Analyzer
n/a
rm -fr /home/apache/hammerhead
Captured Packets and
n/a
dszap
Capture Summary Drive
Data
Settings > About > Data-Retention Settings >
Delete ALL Capture Summary Data
Metadata
You cannot retrieve data that you erase with the dszap command.
Home Drive
Select Analyze > Saved Results. The text at the bottom of the page indicates how much space is available on the
home drive.
The following data types are stored on the home drive.
§
•
Saved reports
•
Saved artifacts
•
Packet analysis data§
Data from the last 10 invocations of the packet analyzer are automatically stored.
You can delete data from the home drive in the following ways:
•
On Analyze > Saved Results, delete one or more entries.
•
On Settings > About > Data-Retention Policies, enable time-based data deletion.
177 of 206
Updated 4 Apr 2016
Time-Based Data Deletion
You can specify the amount of time that the system retains your data before automatically deleting it.
1. Select Settings > About > Data-Retention Settings.
2. Select the Enable Time-Based Data Deletion check box.
3. For Delete data older than, specify the number of days or hours to keep data before deletion.
4. Optional — Select Delete Saved Reports and Artifacts.
5. Click Save.
Applying data-retention rules does not overwrite the captured packets or the metadata, but the
saved reports and artifacts that are derived from them are deleted.
If you have time-based data deletion enabled for saved reports and extractions, then the following behaviors may
occur:
1
A saved item with a start time after the deletion time and an end time before deletion will display
the data that is still present but not the data that has been deleted.
2
A saved item with a start and end time that is after deletion will continue to appear in the Saved
Results list but with Time Deletion in the Status column. When you attempt to view the saved
item, you will be prompted to delete the item from the list.
3
A saved item that is being viewed during the deletion operation will be visible until the data is
deleted. A message will then be displayed to inform you that the data has been deleted.
178 of 206
Updated 4 Apr 2016
Reboot or Shut Down
R EBOOT OR S HUT D OWN
Never power off a Security Analytics Platform appliance manually.
From the Web Interface
1. Select Settings > System.
•
Under Reboot Appliance, click Reboot.
•
Under Shut Down Appliance, click Shut Down. The appliance immediately shuts down. You must have
physical access to the appliance to reboot it.
3. If you are unsuccessful and you have physical access to the appliance, press Ctrl+Alt+Delete on the console
keyboard to initiate a clean system restart, then power down the appliance using the power button on the
appliance — after the system POST (power-on self-test) but before system begins to boot.
From the CLI
1. Open an SSH session and navigate to the management interface's IP address.
2. Log in using an account with administrator or root privileges.
3. Type the command shutdown -r and press Enter. The appliance will shut down and then reboot itself. You
should then be able to log in normally.
Using the IPMI Interface
1. Connect to the IP address of the IPMI port from a web browser.
If the Blue Coat Security Analytics Platform is installed on a Dell OEM server, consult Dell iDRAC
user documentation to obtain this same functionality.
2. Click Remote Control.
3. Click the Remote Control tab and then click Launch Console to open a hardware-level console connection to
the appliance. (Java° software is required for this operation.)
4. To remotely power on, power down, or reset the appliance, click the Power Control button and select the
desired option.
Selecting any of the following IPMI menu options — Power Off Server – Immediate, Reset Server,
or Power Cycle Server — will not perform a graceful shutdown of the appliance. Select one of
these options only if you are unable to power down the appliance using the interfaces (web
and CLI).
179 of 206
Updated 4 Apr 2016
Central Manager
C ENTRAL M ANAGER
The Blue Coat Security Analytics Platform CMC is a dedicated appliance that is licensed as a CMC. With the CMC,
you can manage multiple sensors (formerly "managed appliances") and analyze data from the sensors. Specifically,
the CMC provides:
•
An aggregated view of data across multiple sensors
•
An interface for sensor management
•
Centralized sensor software upgrades
This illustration shows one possible configuration: three sensors being managed by a CMC. Notice that all
connections between the sensors and the CMC are conducted over VPN connections. The browser for the CMC’s
web interface uses an HTTPS connection.
All communications between sensors and CMCs are conducted over a dedicated VPN, with each link between a
sensor and the CMC having its own connection. Communications over the VPN subnet are protected by industrystandard SSL/TLS encryption that uses 1024-bit RSA-encrypted keys.
•
Because each of these connections is a separate tunnel, no sensor can "see" or communicate
with another sensor through the VPN.
•
The VPN may cross network boundaries.
•
CMC-to-sensor traffic that is captured by the system is classified as udp > openvpn or tcp >
openvpn in the Tunneling application group.
180 of 206
Updated 4 Apr 2016
Central Manager
CMC Initial Settings
1. Complete the steps to configure a standalone appliance.
2. The Central Management Settings page should be the next display on the CMC interface, after the Initial Settings
page. If you are not on this page, select Settings > Central Management > Settings.
3. Select TCP or UDP as the VPN connection protocol.
4. Specify the following:
•
Subnet — Specify the IP addresses to be used for the VPN connections between the sensors and the CMC.
The default is 10.8.0.0/16. This subnet must be different from any other subnet on your network.
•
Netmask — Specify the netmask for the VPN subnet. The address space should be large enough to provide
4 IP addresses for each sensor that the CMC controls.
•
Port — Specify the port for the VPN connection on the sensors: Default is 1194. It is strongly recommended
that you not use ports 22, 80, or 443, because they are reserved for other applications and protocols.
•
If you have more than one CMC on your network, the VPN subnets must be unique for each
CMC.
•
The CMC is always xx.xx.xx.1 on the VPN subnet, and it assigns subnet addresses to the
sensors automatically (xx.xx.xx.2–254).
•
Your corporate firewalls and routers must permit the traffic between the CMC and the sensors
that you want to manage through the CMC. Verify that the VPN, port, and protocol settings
(including HTTPS) permit the connections.
5. Click Save. Registration and configuration may take several minutes, depending on your network conditions. The
VPN network settings are being established during this time.
Do not change the port numbers for HTTP (80) and HTTPS (443) on the Security Settings page, or
the CMC will not connect to the sensors.
181 of 206
Updated 4 Apr 2016
Central Manager
Connect Your First Sensor to the CMC
This page explains how to connect one sensor to the Blue Coat Security Analytics Platform CMC and to grant
yourself (the Administrator on the CMC) access to the sensor.
Generate the Authorization Key for the Sensor
1. On the CMC, select CMC > Dashboard.
2. Click Manage Sensors.
3. Click Tools > New.
4. Type a unique, descriptive name for the sensor.
•
The sensor's hostname and IP address do not appear on the CMC dashboard, so the sensor
name should be as specific as possible.
•
In the sensor selector, only the first 15–20 characters of the sensor name are visible; you may
want to put the more distinguishing part of the name first.
5. For now, leave the Authorizations and Remote Groups fields blank.
6. Click Save. A one-time field is displayed above the Sensors table.
7. Click Download Key to save the authorization key file as <sensor_name>_auth_key.tar.gz.
To download the authorization key file at a later time, you can return to the Manage Sensors page
and click Download for the sensor.
Link the Sensor to the CMC
1. Log in directly to the sensor with administrator credentials and select Settings > Central Management.
2. Click New.
3. For Authorization Key File click Browse.
4. Locate the key file for this sensor (<sensor_name>_auth_key.tar.gz) and click Open.
5. For Central Manager Host, type the IP address for the CMC that generated the key. Use the IP address for the
CMC's management port (eth0), not the CMC's VPN address.
6. Click Save. When the authorization is complete, an entry for the CMC appears in the Central Manager Settings
list.
7. On the CMC, go to the dashboard.
8. The sensor appears in the Other Sensors list.
If you cannot see the sensor, verify with your network administrators that the CMC and the sensor
have HTTPS connectivity through ports 443 and 80.
182 of 206
Updated 4 Apr 2016
Central Manager
Grant Yourself Access to the Sensor
1. On the CMC, select Settings > Users and Groups and click the Remote Groups tab.
2. Verify that the admin (Default) remote group is present.
3. Click the Edit
icon for the admin remote group; under Group Members, type adm and select admin when it is
displayed. Click Save.
4. Select Settings > Central Management and click the Sensors tab.
5. The Sensors list displays the following information:
Name Name of the sensor, as created on the CMC
Host IP address of the sensor on the VPN network
Authorized Users Users who are authorized to access the sensor through the CMC, according to
their remote-group permissions. Users in this field have access to the sensor
even when the other remote-group members do not.
Authorized Remote User groups that are authorized to access the sensor through the CMC.
Groups
Model Hardware type
Version Current software version of the sensor
Actions Controls to perform the following tasks:
Download the sensor's authorization key
Edit the sensor entry
Delete the sensor entry
Upgrade the software on the sensor
6. Click Edit
for the sensor and do one or both of the following:
•
For Authorizations, type adm and then select admin when it is displayed. This setting provides the admin
account with admin-level access to the sensor without giving it to other users who are members of the admin
remote group.
•
For Remote Groups, type adm and then select admin when it is displayed. This setting provides admin-level
access to the sensor to all members of the remote group.
On the CMC, the groups grant access to the CMC itself, whereas the remote groups grant access to
the sensors through the CMC.
7. Click Save and return to the dashboard. The sensor should be in the Your Sensors list. You can click the sensor
icon to access it or select it from the sensor selector (CMC button).
183 of 206
Updated 4 Apr 2016
Central Manager
Disconnect Sensors from a CMC
To disconnect sensors from a CMC, you have these options:
•
Interrupt the connection
•
Delete the connection
Interrupt the Connection
Method 1
•
On the CMC, click CMC to open the sensor selector.
•
Click
Method 2
•
to remove the sensor from the Selected column.
Log on directly to the sensor.
•
Select Settings > Central Management.
•
For the CMC, click
to deactivate it
.
Delete the Connection
Method 1
•
Log on directly to the sensor.
•
Select Settings > Central Management.
•
For the CMC, click
to remove it.
When you disconnect the sensor in this manner, the sensor's entry in the CMC's
Sensors table is not deleted. To reconnect to that CMC, you can repeat the connection
process with the original authorization key.
Method 2
•
•
On the CMC, select Settings > Central Management.
Click Reset Settings to reset the communication settings to default values.
When you click Reset Settings, you de-authorize all currently authorized sensors,
delete all connections to them, and remove their entries from the Sensors table. To
reconnect the sensors, you must create new sensor entries, download new
authorization keys, and create new CMC entries on each sensor.
184 of 206
Updated 4 Apr 2016
Central Manager
Manage One Sensor with Multiple CMCs
You may set up a many-to-one relationship among multiple CMCs and one sensor. Follow these steps:
1. Verify that each CMC is on a different subnet.
2. On each CMC that will manage the sensor, generate a key for the sensor.
3. Add the authorization key file to the sensor on Settings > Central Manager.
Do not attempt to push-upgrade the same sensor from different CMCs at the same time.
User Accounts and Groups on the CMC
As with standalone appliances, access to a Blue Coat Security Analytics Platform CMC is granted by membership in a
group. To these groups, you can assign permissions at a granular level; any user in the group has those permissions
on the appliance.
Likewise, users who access a sensor through the CMC must be assigned to a group that specifies which
permissions the user has on the sensor. On the CMC, these are called "Remote Groups."
For instructions on assigning local permissions to groups — including LDAP groups — consult User
Accounts and Groups for standalone appliances.
Sensor Access
There are two methods for granting sensor-access privileges to a user:
•
Authorizations — Individual access to the sensor, according to remote-group permissions
•
Remote Groups — Provides RBAC for groups of users
You may use one or both of these methods, i.e., a user may be present in both the Authorizations field and in a
remote group that is present in the Remote Groups field.
Authorizations
1. On the CMC dashboard, click Manage Sensors.
2. Click Edit
for the sensor.
3. For Authorizations, type the first few letters of the username and then select it when it becomes visible.
4. Click Save.
Remote Groups
•
See Create or Modify a Group for instructions on creating a remote group. This process is identical to creating
user groups on a standalone appliance.
•
See Remote Groups: Example Setup for a scenario in which granular access controls to individual sensors are
granted to a variety of users.
185 of 206
Updated 4 Apr 2016
Central Manager
Remote Groups: Example Setup
The following example describes how to assign specific sensor permissions to different users using the CMC's
remote groups. This example does not include instructions on assigning permissions to the CMC itself.
Network Setup
The example network has three sensors that are controlled exclusively through one CMC.
•
Sensor 1 monitors general workstation traffic in the organization.
•
Sensor 2 monitors traffic that includes a public-facing web site, hosted on a cluster of HTTP servers that are
on VLAN 7. Other file servers are on different VLANs that the sensor also monitors.
•
Sensor 3 monitors traffic that includes VLAN 12, which contains executive workstations, devices, and servers
that contain sensitive corporate, accounting, and human-resources data.
Requirements
The organization needs the following sensor functions to be performed by different users:
•
Full administrative access to modify all settings and accounts
•
Log auditing to check for conformity to network policy as well as the archiving of logs
o
Only one user is to be entrusted with auditing the traffic on VLAN 12
•
Security enforcement, which ensures that all devices and user accounts conform to security policies
•
General analysis of all LAN traffic to check for malware, breaches, and usage violations
o
•
Only one user is to be entrusted with analyzing the traffic on VLAN 12
Monitoring and analysis of all incoming traffic to the public web site, but no access to other LAN traffic
186 of 206
Updated 4 Apr 2016
Central Manager
Design
The requirements are best fulfilled with five remote groups:
•
admin — All permissions. This remote group is already present on the CMC.
•
auditor — View and download the audit log. This remote group is already present on the CMC.
•
Security — Modify all sensor-access settings such as authentication, certificates, and the firewall.
•
Analyst — View and modify all Analyze pages, import PCAPs from local and remote sources, view and
download audit logs, view the capture summary graph, modify data-enrichment settings.
•
Website — View and modify all Analyze pages, import PCAPs from local sources, only view web-related
traffic on VLAN 7.
The groups will be assigned permissions on the sensors as follows:
•
Sensor 1 — admin, Analyst, Auditor, Security
•
Sensor 2 — admin, Auditor, Security, Website
•
Sensor 3 — admin, Security
In this example, eight users have access to the sensors:
•
admin — Senior system administrator
•
Analyzer1 — Senior analyst
•
Analyzer2 — Associate analyst
•
Auditor1 — Senior auditor
•
Auditor2 — Associate auditor
•
Watchman — Security compliance administrator
•
WebMaster1 — Web site administrator
•
WebMaster2 — Web site administrator
The order in which the remote groups, users, and sensor permissions are created is flexible. A simple sequence is
presented here:
•
Create the remote groups
•
Create the users
•
Assign sensor authorizations (the example assumes that the sensors are already connected to the CMC)
187 of 206
Updated 4 Apr 2016
Central Manager
Create the Remote Groups
Create the remote groups shown in the table (except admin and auditor, which are included by default):
Remote Group
Permissions
Analyst
All Analyze pages, local and remote PCAP import, view and download audit log,
view capture summary, modify data-enrichment settings
Security
Modify authentication, sensor-access, SSL certificates, and web-interface
settings
Website
All Analyze pages, PCAP import, web-related traffic only, traffic on VLAN 7 only
1. Log on to the CMC with admin permissions.
2. Select Settings > Users and Groups. Click the Remote Groups tab.
4. For Name, type Analyst.
5. For Description, type All Analyze pages, capture summary, PCAP import, data enrichment.
6. Select the following check boxes:
•
•
Capture > Capture Summary
•
Capture > Import PCAP
•
Analyze
7. For now, leave the Data Access Control and Group Members sections blank and click Save.
9. For Name, type Security.
10. For Description, type Settings: authentication, security, and web interface.
11. Select the following check boxes:
•
•
Settings > Security
•
12. Click Save.
14. For Name, type Website.
15. For Description, type application_group=web, vlan_id!=4,5,6; all Analyze pages, view and
download audit log, local PCAP import
188 of 206
Updated 4 Apr 2016
Central Manager
16. Select the following check boxes
•
Logs
•
Capture > Import PCAP
•
Analyze
17. Under Data Access Control do the following:
•
Type application_group=web and press Enter.
•
Type the following and press Enter:
•
o
vlan_id!=4
o
vlan_id!=5
o
vlan_id!=6
Optional — Type vlan_id=7 and press Enter.
18. Click Save.
Create the Users
Create the users and assign them their remote groups, as shown in this diagram.
1. Click the Users tab.
2. Verify that for the admin account, admin is shown under Remote Groups. If it is not:
for the admin account.
•
Click the Edit icon
•
For Remote Groups, type adm and select admin when it is displayed.
•
Click Save.
4. For Username type Auditor1. This name cannot be changed later.
189 of 206
Updated 4 Apr 2016
Central Manager
5. For Password and Confirm Password, type a password.
6. Under Group Memberships, do the following:
•
For User Groups, accept the default: user. This setting determines the permissions that the user has on the
CMC itself.
•
For Remote Groups, delete admin, then type aud and select Auditor when it is displayed.
7. Click Save.
8. Create the remaining users with the values shown in the following table:
Username User Groups Remote Groups
Analyzer1
user
Analyst
Analyzer2
user
Analyst
Auditor2
user
Auditor
Watchman
user
Security, Auditor
WebMaster1 user
Website
WebMaster2 user
Website
Assign Sensor Authorizations
1. Select Settings > Central Management and click the Sensors tab.
2. Click the Edit icon
for Sensor 1.
3. For Remote Groups, add the following:
•
admin
•
Analyst
•
auditor
•
Security
4. Click Save.
5. Add the authorizations and remote groups to Sensor 2 and Sensor 3 according to the following information:
Sensor
Authorizations
Sensor 1
Remote Groups
admin, Analyst, auditor, Security
Sensor 2
Analyzer2
admin, auditor, Security, Website
Sensor 3
Auditor1, Analyzer1
admin, Security
190 of 206
Updated 4 Apr 2016
Central Manager
Results
To verify the inputs, go to Settings > Users and Groups > Remote Groups. The Remote Groups table should have
the following data:
Name
Description
Users
admin (Default)
Analyst
admin
All Analyze pages, capture summary, PCAP import, data
enrichment.
auditor
Security
Analyzer1,
Analyzer2
Auditor1,
Auditor2,
Watchman
Settings: authentication, security, and web interface
Watchman
user
Website
application_group=web, vlan_id!=4,5,6; all Analyze pages, view WebMaster1,
and download audit log, local PCAP import
WebMaster2
Given the preceding setup, the resulting sensor-access permissions are as follows:
Sensor 1
•
All users that belong to the remote groups admin, Analyst,
auditor, and Security are able to access Sensor 1 with their
respective permissions.
•
Watchman has both Security and auditor permissions on
Sensor 1.
•
All users that belong to the remote groups admin, auditor,
Security, and Website are able to access Sensor 2 with their
respective permissions.
•
Analyzer2 can access Sensor 2 with Analyzer permissions.
Analyzer1 does not have permissions on Sensor 2.
•
WebMaster1 and WebMaster2 can access web-related
traffic on VLAN 7 only.
•
The admin, Auditor1, Auditor2, and Watchman accounts have
no data-specific restrictions on their access.
•
Watchman has both Security and auditor permissions on
Sensor 2.
Sensor 2
191 of 206
Updated 4 Apr 2016
Central Manager
Sensor 3
•
Auditor1 is the only user with auditor permissions on
Sensor 3.
•
Analyzer1 is the only user with Analyzer permissions on
Sensor 3.
•
All users that belong to the remote groups admin and
Security are able to access Sensor 3 with their respective
permissions.
192 of 206
Updated 4 Apr 2016
Central Manager
Multi-Sensor Environment
The Blue Coat Security Analytics Platform CMC does not perform data capture but rather aggregates reports that the
sensors send.
View Multiple Sensors
On the CMC dashboard, click CMC to expand the
sensor selector.
•
Click each sensor to move it under Selected, and then
click Update with Selected.
To return to the CMC dashboard, expand the sensor selector and click Dashboard.
193 of 206
Updated 4 Apr 2016
Central Manager
Data Aggregation
With two or more sensors selected, the summary screen displays aggregated data from the sensors. The Reports,
Extractions, and Geolocation views have a drop-down arrow at the left of the status bar. Expand to see the status for
each individual sensor.
Aggregation is not available for the following:
•
Capture pages
•
Statistics pages
•
Settings pages
For these pages, select a sensor from the selector in the upper-right corner of the interface to view each sensor's
page separately.
Multi-Sensor Summary Views
On all of the Summary pages (Default, Social, Web, IP Layer, Ethernet Layer, Threat Intel) the data is aggregated from
all selected sensors. When you create or edit a view on the CMC (by deleting or adding widgets, for example), the
changes are not propagated to the individual sensors.
194 of 206
Updated 4 Apr 2016
Central Manager
Multi-Sensor Reports
The reports that are available on the CMC are the same as for a standalone appliance.
The CMC does not generate reports for the sensors — each individual sensor generates its own
report and passes the data to the CMC. However, the saved, aggregated report views are stored on
the CMC.
If you are viewing the data from more than one sensor, click on a row to show the breakout per sensor.
In the Application report, above, DNS data has been captured by four sensors.
Multi-Sensor Extractions
•
On the Extractions page, the display in the Distribution panel is aggregated, whereas the items listed in the
Results panel are not.
•
In a multi-sensor environment, the Sensor column shows which sensor captured the artifact.
•
In the expanded view, the sensor name is also visible.
195 of 206
Updated 4 Apr 2016
Central Manager
Multi-Sensor Favorites
On the Favorites and Actions pages, a Sensors column shows the where the item is present, or for the Alerts page,
which sensor generated the alert.
•
•
If the same favorite is present on multiple sensors, click the [N] more link to see the full list of sensors.
When creating a favorite, you can apply it to one or multiple sensors. In the Sensors field, all sensors appear by
default. Delete any sensors to which you do not want to apply the favorite.
•
Any favorite that you add to the Filter field must already be present on the sensor(s) where the
new favorite is to be created.
•
When you create an unshared favorite through the CMC, it will be visible only through the CMC
to the user who created it. If the favorite is shared, it is visible on the sensors and to other CMC
users.
•
You can use the Remove from list on the delete dialog to delete a shared favorite from your
account only or from all accounts.
•
When you delete a favorite, you also delete other favorites, actions, and alerts that contain the
favorite. See Delete Favorites.
196 of 206
Updated 4 Apr 2016
Central Manager
Multi-Sensor Actions
•
When creating an action, you must select the sensor on which the action is to be created.
•
When creating an action, the favorite(s) in the Favorites/First Event field must already be
present on the sensor(s) where the action is to be created.
•
When you create an unshared action through the CMC, it will be visible only through the CMC
to the user who created it. If the action is shared, it is visible on the sensors.
•
If the action is shared, you can use the Remove from list on the delete dialog to delete it from
only your account or from all accounts.
Multi-Sensor Alerts
•
On Analyze > Alerts, you can see each instance of a triggered alert. The sensor that registered the hit is
displayed in the Sensors column.
Multi-Sensor PCAP Files
•
You can download PCAP files from the CMC from any Analyze page (Summary, Reports, Extractions,
Geolocation).
•
The CMC creates a single ZIP file that contains a separate PCAP for each sensor.
PCAP Import
•
PCAP imports cannot be aggregated.
•
When importing a PCAP to a sensor via the CMC, only the Remote Server option is supported for Import
from.
197 of 206
Updated 4 Apr 2016
Central Manager
Multi-Sensor Geolocation and Google Earth
Although the Geolocation and the Google Earth tools can show maps with both aggregated data and individual
sensor data, the Geolocation tool in the CMC does not identify the sensor that the data came from. With the Google
Earth tool, you can choose to display either aggregated data or data from any individual sensor.
When you download a Google Earth file with multiple sensors selected, you can choose whether to view the
aggregated data or to view sensor data separately.
There are two methods to link the source sensor to a geographic location:
•
Select the IP address, filter on that and view reports.
•
Deselect all but one sensor and regenerate the Geolocation image; you may need to repeat this
for each sensor until you find the desired data.
Multi-Sensor Data Enrichment
For every sensor that is to use the data-enrichment resources, you must install a license. If the data-enrichment results
are to be viewed through the CMC, the CMC must also have a license for each data-enrichment resource.
Sensors may access the data-enrichment resources either through their CMCs or through their own Internet
connections. Go to Settings > Data Enrichment on each sensor and configure the settings accordingly.
Multi-Sensor Communication Settings
For settings that are related to remote notifications, scheduled reports, and other communication settings, the CMC
will not synchronize its SNMP, SMTP, or syslog server information with that of the sensors.
This non-synchronization permits you to specify separate servers for the CMC and for each sensor.
198 of 206
Updated 4 Apr 2016
Central Manager
Upgrading Sensors
You can use a Blue Coat Security Analytics Platform CMC as a software repository for the sensors so that you
download the upgrade from the Internet only once. (Alternatively, the sensors can be upgraded from their own
interfaces in the same way as standalone appliances.)
CMC Upgrade Repository
For the CMC to act as an upgrade repository for its sensors, it must have at least one upgrade server configured on
the CMC repository as well as an upgrade image in the CMC repository.
An upgrade image in the CMC repository is available to the sensors for upgrade but it is not
available for the CMC itself to upgrade. Select Settings > Upgrade to perform an upgrade of the
CMC.
On the dashboard, click Upgrade Repository. During the licensing procedure for the CMC, the upgrade server
upgrade.soleranetworks.com should have been added to the CMC's External Repository list.
If no upgrade server is listed, follow these instructions to add the upgrade server:
1. On the CMC, do one of the following:
•
Select Settings > Central Management > Upgrades.
•
On the dashboard, click Upgrade Repository.
2. Click New.
3. For Protocol, select https.
4. For Host, type upgrade.soleranetworks.com
5. For Path, type /upgrades/
6. For Username and Password, contact Security Analytics Support.
7. Click Save. The upgrade server is saved under External Repository.
This same server will also be listed on the CMC's Settings > Upgrade page.
199 of 206
Updated 4 Apr 2016
Central Manager
Add an Upgrade Image to the CMC Repository
Before you can upgrade the sensors, the upgrade image must be present on the CMC repository.
•
Select Settings > Central Management > Upgrades.
•
On the dashboard, click Upgrade Repository.
2. For the upgrade server, click Download from Server
.
3. Select the desired version and click Download.
4. The latest version is now in the Local Repository list. The list shows which upgrade version is appropriate for
each version to be upgraded.
Upgrade Sensors from the CMC Repository
To upgrade sensors from a CMC repository, you have two options:
•
"Push" the upgrade from the CMC to the sensor
•
"Pull" the upgrade from the CMC to the sensor
Push Upgrades
A push upgrade is initiated on the CMC.
Sensors that are running version 6.5.x or earlier cannot receive push upgrades; you must upgrade
them to 6.6.x or later manually.
Do not attempt to push-upgrade the same sensor from multiple CMCs at the same time.
•
On the dashboard, click Manage Sensors.
•
Select Settings > Central Management > Sensors.
2. Select the check boxes for the sensors to be upgraded.
3. Alternatively, you can click Upgrade
for each individual sensor.
4. Select Tools > Upgrade.
5. Select the upgrade file to use and click Upgrade.
6. On the dashboard, you can view the progress of the upgrade for each sensor. To see the whole upgrade
message, place your cursor over the bottom line of the sensor's box.
7. While the upgrade image is loading onto the sensor, you can monitor its progress on the sensor's Settings >
Upgrade page.
200 of 206
Updated 4 Apr 2016
Central Manager
Do not click Initiate Upgrade on the sensor during a push upgrade; the process is automatic.
8. After the sensor has finished upgrading (including reboot), you can see that the CMC repository has been
automatically added to the sensor's Upgrade Servers list on the Settings > Upgrade page.
•
The IP address under Host is the CMC's VPN address, which is always xxx.xxx.xxx.1.
•
You now have the option of clicking Upgrade from Server on the sensor to upgrade the software.
Pull Upgrades
A pull upgrade is initiated on the sensor.
1. Access a sensor by doing one of the following:
•
Log on directly to the sensor with admin-level permissions.
•
Access the sensor through the CMC with a remote group account that has admin-level permissions.
2. Select Settings > Upgrade. Is there an entry for the CMC's repository in the Upgrade Servers list?
Yes — Verify that the latest
upgrade image is on the
CMC.
•
Continue the
procedure.
No — Select New.
•
For Protocol, select https.
•
For Host, type the VPN IP address of the CMC, which is
xxx.xxx.xxx.1
•
For Path, type /upgrades/
•
Under Login Information, provide admin-level credentials
for the CMC.
•
Click Save and continue the procedure.
3. On the sensor, click Upgrade from Server.
4. When the download is complete, click Initiate Upgrade.
201 of 206
Updated 4 Apr 2016
Central Manager
CMC Local Management
This page describes how to manage the Blue Coat Security Analytics Platform CMC itself. When managing the
sensors through the CMC, the process is similar to single-appliance management, with the exceptions described in
Multi-Sensor Environment.
CMC Dashboard
1
Sensor selector — Use this control to select one or more sensors to view or
manage
2
Settings menu
3
Your Sensors list
4
Other Sensors list
5
Control buttons
202 of 206
Updated 4 Apr 2016
Central Manager
Your Sensors list
The Your Sensors list shows all of the sensors for which you have a role (remote group or authorization). Each individual
sensor is represented on the dashboard page by a graphical box.
1
Connection indicator (blue = connected; gray = not connected)
2
Sensor name
3
Connection status
4
Software compatibility status
5
Capture status
6
Software version
7
Model number and upgrade status
The capture status is available only when the sensor is connected to the CMC and the user has
access to the sensor.
Software Compatibility Status
When a sensor has a different software version than the CMC, an information icon
is displayed in the upper-right
corner of the sensor's box. It is highly recommended that you upgrade the software; otherwise, some functionality is lost
when selecting the sensor with outdated software.
Other Sensors List
The Other Sensors list is visible only to CMC admin accounts and shows two types of appliances:
•
Sensors for which you have begun but not finished the authorization process.
•
Sensors for which your account does not have a role.
Software version number and capture status are not visible in the Other Sensors list.
203 of 206
Updated 4 Apr 2016
Central Manager
Control Buttons
Manage Sensors button
•
Click to go to the Settings > Central Management > Sensors page.
o
Add and delete sensors.
o
Generate authorization key files.
Upgrade Repository button
•
Click to go to the Settings > Central Management > Upgrades page.
o
Configure upgrade servers.
o
View the software versions that have been uploaded to the repository.
Upgrading the CMC
During the licensing procedure for the CMC, the upgrade server license.soleranetworks.com should have been added to
the CMC's Upgrade Servers list. If it has not, add the upgrade server and return to these instructions.
The upgrade image that you download here is available to the CMC for upgrade but it is not
available for sensor upgrade. Click Upgrade Repository on the dashboard to upgrade sensors.
1. On the CMC, select Settings > Upgrade.
2. For the upgrade server, click Upgrade from Server
. A status bar is displayed.
3. When the upgrade file has finished downloading, click Initiate Upgrade. After the CMC has upgraded, you are
prompted to reboot the CMC.
4. When you log back in, you can verify that you are using the updated software by placing your cursor over the
Blue Coat logo.
204 of 206
Updated 4 Apr 2016

Security Analytics Platform: 7.1.x Administration Guide

Transcription

Similar documents

I`m helping to end MS by participating in the 2016 Jayman BUILT MS

The Board of Directors of Qatar Fuel (WOQOD) is pleased to invite

5 `S` Training Program at ABV-IIITM, Gwalior on 21.07.2016

2016 MW Alliance Raffle - Manitowish Waters Alliance LTD

HERE - Perfect Shots Photography

2016 Sponsorship Prospectus

Annonce S1

CREATEng

Print PDF - TheBayNet.com

conference presenter - The Ohio Association of Elementary School