DeepSight Analyzer 4.0 Announcement

From: Oliver Friedrichs (oliver_friedrichsat_private)
Date: Mon Nov 18 2002 - 16:40:05 PST

    Hi everyone, I wanted to let you know that we have completed the rollout of
    DeepSight Analyzer 4.0.  As always, the service is available at:
    
    http://analyzer.securityfocus.com
    
    This release includes a number of significant improvements and features
    that we hope you'll find useful.  A partial list of new features follows.
    
    One feature that we added to the system a few months ago now was the
    ability to receive a daily summary report (via email) of the top events and
    activity being observed on your network.  This feature has been extremely
    popular, and provides an easy way to receive daily reports on your event
    activity.
    
    Second, we've added support for a number of additional devices, including
    Firewalls, which many of you have been asking for.  The DeepSight Analyzer
    service now supports the following devices:
    
    
      Security Device               Versions
    
      BlackIce                      2.0-3.x
      Cisco IOS                     12.x
      Cisco PIX                     4.2-5.1
      Cisco Secure IDS (Netranger)  2.5-3.0
      Enterasys Dragon              4.2.2
      Firewall-1                    Next Generation, NG
      IP Chains                     OS Independent
      IPF                           OS Independent
      NetProwler                    3.5x
      NetScreen                     200, 100, 50, 25, 5XP appliance
      RealSecure                    3.1-5.5, 6.00-6.5
      Snort                         1.6-1.8.x
      Snort Portscan                1.6-1.8.x
      ZoneAlarm                     2.6.0
    
    A number of improvements have been made to the DeepSight Analyzer website
    to facilitate the addition of Firewall data, and to improve the system
    based on your feedback.  These include the following:
    
    NEW - User statistics page
    
      The statistics page summarizes the event activity being observed by your
    sensors by a number of different categories on a single screen. These
    categories include:
    
      - Top increasing IDS events - A set of graphs depicting the events that
    are seeing the most significant increase on your network
    
      - Top increasing Port activity - A set of graphs depicting the ports that
    are seeing the most significant increase on your network
    
      - Top attacked products - The top products being targeted on your
    network
    
      - Top offending ISPs - The top ISPs from which events targeting your
    network originate
    
      - Top ports - The top ports your sensors are observing activity on
    
      - Top source IPs - The top source IP addresses from which your sensors
    are observing activity
    
      - Top countries - The top source countries from which your sensors are
    observing activity
    
      The majority of these items will also allow you to drill down to view
    specific events associated with these items.
    
    NEW - Events Screen
    
      The "Events" screen has replaced the previous "Incidents" screen. This
    screen contains a series of sub-options, designed to allow you to view your
    Intrusion Detection System and Firewall Events rolled up by a number of
    different categories. These categories are:
    
      - By Event Type - This will allow viewing of events rolled up by unique
    event type
      - By Destination Port - This will allow viewing of events rolled up by
    unique destination port
      - By Source Address - This will allow viewing of events rolled up by
    unique source address
      - By Source Domain - This will allow viewing of events rolled up by
    unique source domain
      - By Source Country - This will allow viewing of events rolled up by
    unique source country
      - By Source ISP - This will allow viewing of events rolled up by unique
    source ISP
      - By Logs - This will allow viewing of events rolled up by the log in
    which they were uploaded. This will replace the existing upper level "Logs"
    tab
    
    NEW - Report Overhaul
    
      We have overhauled the previous reports to consist of a series of 6
    summary reports.  These 6 reports provide the same information that was
    previously available, in a more compact fashion.  The following six reports
    are available:
    
      - Event Summary
    
      This report provides a breakdown of event and port activity observed by
    your network intrusion detection and firewall systems. It is helpful in
    determining which attacks are targeting your network, and determining the
    trend of this activity. This report consists of multiple pages if both IDS
    and Firewall events were provided and selected, or a single page if only
    one of these event types has been provided or selected.
    
      - Origin Summary
    
      This report provides a breakdown of where events targeting your network
    are originating. It is helpful in determining who is attacking you, and
    determining the trend of attack activity from each source. This report
    depicts both IDS and Firewall activity if both event types were provided
    and selected, or only one of them if only one of these event types has been
    provided or selected.  This report includes:
    
          Top IP(s) targeting your network
          Top ISP(s) from which attacks originate
          Top Country(s) from which attacks originate
    
      - Category Summary
    
      This report provides a breakdown of event activity by the category or
    class of events that are targeting your network. This report is useful in
    determining the type of activity that is most frequently observed targeting
    your network.
    
      - Target Products
    
      This report provides a breakdown of the products and applications that
    are being targeted on your network. This knowledge provides you with
    insight into the possible intent of these events, and precautions that
    should be taken in protecting these services.
    
      - Event Time
    
      This report provides a breakdown of the timeframe when network security
    events most commonly occur on your network. Knowledge of when these events
    occur allows for the tracking of historical activity and the allocation of
    resources for future planning.
    
      - IP Analysis
    
      This report provides insight into the activity of a single IP address
    that is targeting your network. This report consists of a number of
    components that reflect the activity, habits, and applications that the IP
    address is targeting. In correlating a number of these data points, this
    report presents the origin of the attacker, and the vulnerabilities and
    services targeted by the attacker.
    
    NEW - Report Configuration Wizard
    
      A new Report Configuration Wizard has replaced the previous report
    configuration screen in the "Reports" section.  This wizard is intended to
    simplify the generation of reports by allowing more flexible selection of
    reporting criteria. The wizard consists of a series of 6 screens, each
    allowing entry of reporting criteria. It contains the same functionality
    as the previous report configuration screen, with the following
    additions:
    
      - The ability to specify which IDS sensors you would like to include data
    from in your report
      - The specification of multiple source addresses and source countries to
    report on
      - The specification of multiple destination addresses to report on
      - The specification of multiple event categories to report on
      - The specification of multiple product categories to report on
    
    We hope you like these changes, and continue to use the DeepSight Analyzer
    service.  Please feel free to send any feedback to:
    
    oliver_friedrichsat_private
    
    Thank you!
    
    - Oliver
    
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    



    This archive was generated by hypermail 2b30 : Tue Nov 19 2002 - 19:44:00 PST