DeepSight Analyzer 4.0 Announcement



TseTse
24-11-2002, 16:03
Hi everyone, I wanted to let you know that we have completed the rollout of
DeepSight Analyzer 4.0. As always, the service is available at:

http://analyzer.securityfocus.com

This release includes a number of significant improvements and features
that we hope you'll find useful. A partial list of new features follows.

One feature that we added to the system a few months ago is the ability
to receive a daily summary report (via email) of the top events and
activity being observed on your network. This feature has been extremely
popular, and provides an easy way to receive daily reports on your event
activity.

Second, we've added support for a number of additional devices, including
Firewalls, which many of you have been asking for. The DeepSight Analyzer
service now supports the following devices:


Security Device                  Versions

BlackIce                         2.0-3.x
Cisco IOS                        12.x
Cisco PIX                        4.2-5.1
Cisco Secure IDS (Netranger)     2.5-3.0
Enterasys Dragon                 4.2.2
Firewall-1                       Next Generation (NG)
IP Chains                        OS independent
IPF                              OS independent
NetProwler                       3.5x
NetScreen                        200, 100, 50, 25, 5XP appliances
RealSecure                       3.1-5.5, 6.00-6.5
Snort                            1.6-1.8.x
Snort Portscan                   1.6-1.8.x
ZoneAlarm                        2.6.0

A number of improvements have been made to the DeepSight Analyzer website
to facilitate the addition of Firewall data, and to improve the system
based on your feedback. These include the following:

NEW - User statistics page

The statistics page summarizes the event activity being observed by your
sensors by a number of different categories on a single screen. These
categories include:

- Top increasing IDS events - A set of graphs depicting the events that
are seeing the most significant increase on your network

- Top increasing Port activity - A set of graphs depicting the ports that
are seeing the most significant increase on your network

- Top attacked products - The top products being targeted on your
network

- Top offending ISPs - The top ISPs from which events targeting your
network originate

- Top ports - The top ports your sensors are observing activity on

- Top source IPs - The top source IP addresses from which your sensors
are observing activity

- Top countries - The top source countries from which your sensors are
observing activity

The majority of these items will also allow you to drill down to view
specific events associated with these items.

NEW - Events Screen

The "Events" screen has replaced the previous "Incidents" screen. This
screen contains a series of sub-options, designed to allow you to view your
Intrusion Detection System and Firewall Events rolled up by a number of
different categories. These categories are:

- By Event Type - This will allow viewing of events rolled up by unique
event type
- By Destination Port - This will allow viewing of events rolled up by
unique destination port
- By Source Address - This will allow viewing of events rolled up by
unique source address
- By Source Domain - This will allow viewing of events rolled up by
unique source domain
- By Source Country - This will allow viewing of events rolled up by
unique source country
- By Source ISP - This will allow viewing of events rolled up by unique
source ISP
- By Logs - This will allow viewing of events rolled up by the log in
which they were uploaded. This will replace the existing upper level "Logs"
tab

NEW - Report Overhaul

We have overhauled the previous reports to consist of a series of 6
summary reports. These 6 reports provide the same information that was
previously available, in a more compact fashion. The following six reports
are available:

- Event Summary

This report provides a breakdown of event and port activity observed by
your network intrusion detection and firewall systems. It is helpful in
determining which attacks are targeting your network, and determining the
trend of this activity. This report consists of multiple pages if both IDS
and Firewall events were provided and selected, or a single page if only
one of these event types has been provided or selected.

- Origin Summary

This report provides a breakdown of where events targeting your network
are originating. It is helpful in determining who is attacking you, and
determining the trend of attack activity from each source. This report
depicts both IDS and Firewall activity if events of both types were
provided and selected, or only one of these if only one of these event
types has been provided or selected. This report includes:

Top IP(s) targeting your network
Top ISP(s) from which attacks originate
Top Country(s) from which attacks originate

- Category Summary

This report provides a breakdown of event activity by the category or
class of events that are targeting your network. This report is useful in
determining the type of activity that is most frequently observed targeting
your network.

- Target Products

This report provides a breakdown of the products and applications that
are being targeted on your network. This knowledge provides you with
insight into the possible intent of these events, and precautions that
should be taken in protecting these services.

- Event Time

This report provides a breakdown of the timeframe when network security
events most commonly occur on your network. Knowledge of when these events
occur allows for the tracking of historical activity and the allocation of
resources for future planning.

- IP Analysis

This report provides insight into the activity of a single IP address
that is targeting your network. This report consists of a number of
components that reflect the activity, habits, and applications that the IP
address is targeting. In correlating a number of these data points, this
report presents the origin of the attacker, and the vulnerabilities and
services targeted by the attacker.

NEW - Report Configuration Wizard

A new Report Configuration Wizard has replaced the previous report
configuration screen in the "Reports" section. This wizard is intended to
simplify the generation of reports, by allowing more flexible selection of
reporting criteria. The wizard consists of a series of 6 screens, each
allowing entry of reporting criteria. It contains the same functionality
as the previous report configuration screen, with the following
additions:

- The ability to specify which IDS sensors you would like to include data
from in your report
- The specification of multiple source addresses and source countries to
report on
- The specification of multiple destination addresses to report on
- The specification of multiple event categories to report on
- The specification of multiple product categories to report on

We hope you like these changes, and continue to use the DeepSight Analyzer
service. Please feel free to send any feedback to:

oliver_friedrichs@symantec.com

Thank you!

- Oliver



----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
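The "Events" screen and the statistics page above describe IDS and firewall events being rolled up by event type, destination port and source address, and ranked by which ones are increasing. The following is an added example, written for this page and not code from DeepSight Analyzer or SecurityFocus, of doing that roll-up over a mixed feed of Snort "fast" alerts and ipchains kernel log lines. The log lines are constructed for the example, and the two line layouts the regexes expect are an assumption (approximated from the Snort 1.x fast alert and ipchains "Packet log:" formats), not taken from the service's own parsers.

```python
"""Roll up IDS and firewall events by the categories the announcement lists.

Added example, not DeepSight Analyzer code. The Snort "fast" alert and
ipchains kernel-log line layouts below are approximated (an assumption,
not taken from the vendor's parsers), and every log line is constructed.
"""
import re
from collections import Counter
from dataclasses import dataclass

MONTHS = {m: i for i, m in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), start=1)}

# Snort 1.x "fast" alert line (assumed layout); ports are absent for ICMP.
SNORT_RE = re.compile(
    r"^(?P<day>\d\d/\d\d)-\S+\s+\[\*\*\]\s+\[(?P<sid>[\d:]+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r".*?\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+):?(?P<sport>\d+)?"
    r"\s+->\s+(?P<dst>[\d.]+):?(?P<dport>\d+)?")

# ipchains "Packet log:" line as syslog writes it (assumed layout).
IPCHAINS_RE = re.compile(
    r"^(?P<mon>\w{3})\s+(?P<d>\d+) .*?Packet log: \S+ (?P<action>\w+) \S+ "
    r"PROTO=(?P<proto>\d+) (?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+)")

@dataclass(frozen=True)
class Event:
    day: str          # "MM/DD", normalised across both log formats
    source: str       # "ids" or "fw"
    event_type: str   # signature message, or firewall action + protocol
    src: str
    dst: str
    dport: int        # 0 when the protocol carries no port (ICMP)

def parse_snort(line):
    m = SNORT_RE.match(line)
    if not m:
        return None
    return Event(m["day"], "ids", m["msg"], m["src"], m["dst"],
                 int(m["dport"]) if m["dport"] else 0)

def parse_ipchains(line):
    m = IPCHAINS_RE.match(line)
    if not m:
        return None
    day = f"{MONTHS[m['mon']]:02d}/{int(m['d']):02d}"
    return Event(day, "fw", f"ipchains {m['action']} proto {m['proto']}",
                 m["src"], m["dst"], int(m["dport"]))

def parse_all(lines):
    """Parse mixed IDS and firewall lines; lines matching neither are skipped."""
    events = []
    for line in lines:
        ev = parse_snort(line) or parse_ipchains(line)
        if ev:
            events.append(ev)
    return events

def rollup(events, key, source=None):
    """Count events by one Event field ("event_type", "dport", "src", ...).
    source="ids" or "fw" restricts the roll-up to one sensor class."""
    return Counter(getattr(e, key) for e in events
                   if source is None or e.source == source)

def top_increasing(events, key, prev_day, cur_day, n=5):
    """Keys whose count grew most from prev_day to cur_day (the "top
    increasing" idea from the statistics page). A key seen only on
    cur_day counts as growth from zero, which is what a new scan looks like."""
    prev = rollup([e for e in events if e.day == prev_day], key)
    cur = rollup([e for e in events if e.day == cur_day], key)
    deltas = {k: cur[k] - prev.get(k, 0) for k in cur}
    return sorted(deltas.items(), key=lambda kv: (-kv[1], str(kv[0])))[:n]

# Constructed sample input covering two days; not real traffic.
SAMPLE_LOGS = [
    "11/23-10:12:01.000001  [**] [1:1243:1] WEB-IIS ISAPI .ida attempt [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 10.0.0.5:3421 -> 192.168.1.10:80",
    "11/24-09:01:11.000001  [**] [1:1243:1] WEB-IIS ISAPI .ida attempt [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 10.0.0.5:3422 -> 192.168.1.10:80",
    "11/24-09:05:11.000001  [**] [1:1243:1] WEB-IIS ISAPI .ida attempt [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 10.0.0.7:1100 -> 192.168.1.10:80",
    "11/24-09:07:11.000001  [**] [1:1243:1] WEB-IIS ISAPI .ida attempt [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 10.0.0.7:1101 -> 192.168.1.11:80",
    "11/24-11:30:00.000001  [**] [1:469:1] ICMP PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 10.0.0.9 -> 192.168.1.10",
    "Nov 23 22:14:01 gw kernel: Packet log: input DENY eth0 PROTO=6 10.0.0.5:3500 192.168.1.10:139 L=48 S=0x00 I=1 F=0x4000 T=128 SYN (#5)",
    "Nov 24 01:14:01 gw kernel: Packet log: input DENY eth0 PROTO=6 10.0.0.5:3501 192.168.1.10:1433 L=48 S=0x00 I=2 F=0x4000 T=128 SYN (#5)",
    "Nov 24 01:14:02 gw kernel: Packet log: input DENY eth0 PROTO=6 10.0.0.5:3502 192.168.1.11:1433 L=48 S=0x00 I=3 F=0x4000 T=128 SYN (#5)",
    "Nov 24 01:14:03 gw kernel: Packet log: input DENY eth0 PROTO=6 10.0.0.8:4000 192.168.1.12:1433 L=48 S=0x00 I=4 F=0x4000 T=128 SYN (#5)",
    "garbage line that matches neither format",
]

if __name__ == "__main__":
    evs = parse_all(SAMPLE_LOGS)
    for key in ("event_type", "dport", "src"):
        print(f"by {key}:", rollup(evs, key).most_common(3))
    print("fw by dport:", rollup(evs, "dport", source="fw"))
    print("top increasing ports 11/23 -> 11/24:",
          top_increasing(evs, "dport", "11/23", "11/24"))
```

With the constructed lines, the roll-up by destination port puts 80 first overall (4 events across both days), but the "top increasing" ranking for 11/24 puts 1433 first: it was never seen on 11/23 and shows up three times the next day, which is the kind of shift a count-only view hides. Normalising both feeds into one Event record is what lets the IDS and firewall data be rolled up together or separated with the source filter, as the "Events" screen does.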