Reviewing security alert logs

Monitor the security alert log of the Network IPS appliance to manage the volume of system and event data it generates. If a serious event occurs, you can find the relevant information, resolve the problem quickly, and immediately block the intruder by using single-click blocking.

About this task

Navigating in the Network IPS Local Management Interface: Review Analysis and Diagnostics > Logs > Security Alerts

Note: If you use the SiteProtector™ system to manage the appliance, view security alerts (event alerts) through the SiteProtector Console. See Monitoring and Analyzing Events in the SiteProtector system online help for information about viewing, filtering, and searching security alerts in the SiteProtector system.
Tips
  • Block intruders by using the single-click blocking feature on any option. The appliance writes a rule to the security policy that you can view on the Quarantine Rules page.
  • Filter events by using the single-click blocking feature on any option.
  • Expand the event file by using the Details column for alert specifics.
  • Click Event Name (Issue ID) and select X-Force Description for an explanation that is written by the IBM® X-Force® team of threat researchers.
  • Click Source and Target IPs to find a Host name Lookup for the event.
  • Use Clear Alerts to delete security alert log files. The option is in the upper right corner under the appliance model.
Table 1. Risk levels

Level: High
  Description: Security issues that allow immediate remote or local access, or immediate execution of code or commands with unauthorized privileges.
  Examples: Most buffer overflows, back doors, default or no password, and bypassing security on firewalls or other network components.

Level: Medium
  Description: Security issues that have the potential of granting access or allowing code execution with complex or lengthy exploit procedures, or low-risk issues that apply to major Internet components.
  Examples: Cross-site scripting, man-in-the-middle attacks, SQL injection, denial of service of major applications, and denial of service that results in system information disclosure (such as core files).

Level: Low
  Description: Security issues that deny service or provide non-system information that might be used to formulate structured attacks on a target, but do not directly grant unauthorized access.
  Examples: Brute force attacks, non-system information disclosure (such as configurations and paths), and denial of service attacks.

Procedure

  1. Expand the Alerts Filter area to display the Filter criteria settings and the Manage views area.
  2. Click Filter time range to focus a search for a specific time period.
  3. In the Search text field, select an option to filter event lists and type keyword text strings. Choose from many options such as the event name, like Smurf_Attack and SQL_SSRP_Slammer_Worm, and event type, like OpenSignatures, SNORT, and Audit.
    Notes:

    For system and firewall logs, the appliance searches files by using approximate string matching. Use this syntax when you type text in the Search text field. For security alerts, the appliance searches files by using approximate string matching for only the Event Name option. You must use exact matches for all other Search text options.

    You can search for more than one keyword by clicking the Plus icon or you can delete keyword searches by clicking the Minus icon.

  4. If you want to save searches, click Save Filter.
  5. In the Manage views area, type a name for the search in the Filter tag field and click Save. You can Load or Delete searches.
  6. Use Oldest, Older, Newer, and Newest to browse through lists of log files.
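The notes in step 3 describe two different matching rules: approximate matching for the Event Name option and exact matching for every other Search text option, combined with the time range from step 2 and several keywords added with the Plus icon. The following Python is an added example written for this page, not the appliance's own code, that applies the same rules to a constructed set of exported alerts so the difference in behavior is visible. The alert records, field names, and the fuzzy-match threshold are assumptions; the page does not state how tolerant the appliance's approximate matching is.

```python
"""Filter constructed IPS security alerts using the matching rules the page
describes: approximate matching for Event Name, exact matching for every other
field, and an optional time range.  Added example, not the appliance's code."""
from dataclasses import dataclass
from datetime import datetime
from difflib import SequenceMatcher


@dataclass(frozen=True)
class Alert:
    timestamp: datetime
    event_name: str
    event_type: str
    risk: str
    source_ip: str
    target_ip: str


# Constructed sample records (RFC 5737 documentation addresses), not captured
# from a real appliance.  Event names and types are the ones the page lists.
SAMPLE_ALERTS = [
    Alert(datetime(2024, 5, 1, 9, 0), "Smurf_Attack", "OpenSignatures",
          "Medium", "203.0.113.5", "198.51.100.10"),
    Alert(datetime(2024, 5, 1, 9, 5), "SQL_SSRP_Slammer_Worm", "SNORT",
          "High", "203.0.113.7", "198.51.100.11"),
    Alert(datetime(2024, 5, 1, 9, 10), "HTTP_Login_Failed", "Audit",
          "Low", "192.0.2.9", "198.51.100.10"),
    Alert(datetime(2024, 5, 2, 14, 0), "SQL_Injection", "OpenSignatures",
          "Medium", "203.0.113.5", "198.51.100.12"),
]

# Assumption: the page does not give the appliance's tolerance, so this
# example accepts a similarity ratio of 0.6 or better as an approximate hit.
FUZZY_THRESHOLD = 0.6


def approx_match(needle, haystack):
    """Approximate match used only for Event Name: a case-insensitive
    substring hit, or an overall similarity high enough to absorb a typo
    such as 'Smurf_Atack' for 'Smurf_Attack'."""
    n, h = needle.lower(), haystack.lower()
    if n in h:
        return True
    return SequenceMatcher(None, n, h).ratio() >= FUZZY_THRESHOLD


def alert_matches(alert, criteria):
    """All keywords must match (the Plus icon adds criteria, it does not OR
    them).  event_name is matched approximately; every other field exactly,
    case included, as the page requires for the other Search text options."""
    for field, value in criteria.items():
        actual = getattr(alert, field)
        if field == "event_name":
            if not approx_match(value, actual):
                return False
        elif actual != value:
            return False
    return True


def filter_alerts(alerts, criteria, start=None, end=None):
    """Apply the optional time range first, then the keyword criteria."""
    return [
        a for a in alerts
        if (start is None or a.timestamp >= start)
        and (end is None or a.timestamp <= end)
        and alert_matches(a, criteria)
    ]


if __name__ == "__main__":
    # A misspelled event name still finds the Smurf alert ...
    for a in filter_alerts(SAMPLE_ALERTS, {"event_name": "Smurf_Atack"}):
        print("approximate hit:", a.event_name)
    # ... but a lowercase event type finds nothing, because that field is exact.
    print("exact-field misses:",
          len(filter_alerts(SAMPLE_ALERTS, {"event_type": "snort"})))
```

Running the block shows why the distinction matters when you build a saved filter: a partial or slightly misspelled Event Name still returns the alert, whereas an event type such as SNORT must be typed exactly as the appliance records it or the filter silently returns an empty list.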