Symantec ManHunt Smart Agent for NetScreen with ScreenOS 3.0.2 for Unix
Contents
1. ManHunt Smart Agent for NetScreen Installation Guide amp symantec ManHunt Smart Agent for Netscreen Installation Guide The software described in this book is furnished under a license agreement and may be used only in accordance with the terms of the agreement Copyright Notice Copyright 2002 Symantec Corporation All Rights Reserved Any technical documentation that is made available by Symantec Corporation is the copyrighted work of Symantec Corporation and is owned by Symantec Corporation NO WARRANTY Thetechnical documentation is being delivered to you AS IS and Symantec Corporation makes no warranty as to its accuracy or use Any use of the technical documentation or the information contained therein is at the risk of the user Documentation may include technical or other inaccuracies or typographical errors Symantec reserves the right to make changes without prior notice No part of this publication may be copied without the express written permission of Symantec Corporation 20330 Stevens Creek Blvd Cupertino CA 95014 Trademarks Symantec the Symantec logo and Norton AntiVirus are U S registered trademarks of Symantec Corporation LiveU pdate Symantec AntiVirus Symantec Enterprise Security Architecture and Symantec Security Response are trademarks of Symantec Corporation Other brands and product names mentioned in this manual may be trademarks or registered trademarks of their respective2. Enter 6 Enter the EDP port number used by this M anHunt node By default the M anHunt installation process sets this port to 1333 If you have not edited this port number for the M anHunt node accept the default port 1333 Press Enter 7 Enter the EDP passphrase Press Enter Note This is identical to the passphrase you enter when you create the external sensor node for the M SA for NetScreen See Changing the EDP Passphrase on page 7 8 Reenter the EDP passphrase Press Enter Installing the NetScreen Meta Data You must install the N etScreen meta data on the M anH unt node you log into from the administration console typically the primary master node Thisis done in order for you to be able to create the M SA for NetScreen external sensor node create response policies for N etScreen events and display N etScreen event data in the M anH unt administration console In addition you must install this meta data on the M anH unt node that will receive the N etScreen event data from the M SA for NetScreen if different from the master node You must be logged in as root to install the NetScreen meta data To install the NetScreen meta data 1 PlacetheCD in the CD ROM drive mount the drive if necessary 2 ChangetotheCDROM directory and enter 4 ManHunt Smart Agent for NetScreen install md sh 3 Ensurethe meta data file to be installed begins with netscreen If so press Enter when prompted to continue wit
3. companies and are hereby acknowledged Printed in the nited States of America 1098765 4 3 2 1 SYMANTEC SOFTWARE LICENSE AGREEMENT Smart Agent SYMANTEC CORPORATION AND ORITS SU BSI DIARIES SYMANTEC ISWILLING TO LICENSE THE SOFTWARE TO YOU ASAN INDIVIDUAL THE COMPANY OR THE LEGAL ENTITY THAT WILL BE UTILIZING THE SOFTWARE REFERENCED BELOW AS YOU OR YOUR ONLY ON THE CONDITION THAT YOU ACCEPT ALL OF THE TERMS OF THISLICENSE AGREEMENT READ THE TERMSAND CONDITIONS OF THISLICENSE AGREEMENT CAREFULLY BEFORE USING THE SOFTWARE THISISA LEGAL AND ENFORCEABLE CONTRACT BETWEEN YOU AND THE LICENSOR BY OPENING THIS PACKAGE BREAKING THE SEAL CLICKING ON THE AGREE OR YES BUTTON OR OTHERWISE INDICATING ASSENT ELECTRONICALLY OR LOADING THE SOFTWARE YOU AGREE TO THE TERMSAND CONDITIONS OF THISAGREEMENT IF YOU DO NOT AGREE TO THESE TERMS AND CONDITIONS CLICK ON THE I DO NOT AGREE NO BUTTON OR OTHERWISE INDICATE REFUSAL AND MAKE NO FURTHER USE OF THE SOFTWARE 1 License The software and documentation that accompanies this license collectively the Software isthe proprietary property of Symantec or its licensors and is protected by copyright law While Symantec continues to own the Software you will have certain rights to use the Software after your acceptance of this license This license governs any releases revisions or enhancements to the Software that the Licensor may furnish to you Except as may be modif
4. scripts They are installed in the root M SA install directory Simply run start or stop to start or stop the M SA Uninstalling the MSA To uninstall the M SA go to the lt msA_install_directory gt install directory and run the uninstall script
5. to i Symantec Customer Service 555 International Way Springfield OR 97477 U S A ii Symantec Customer Service Center PO BOX 5689 Dublin 15 Ireland or iii Symantec Customer Service 1 Julius Ave North Ryde NSW 2113 Australia Contents ManHunt Smart Agent for N e amp tScreen mmm sincer taia a t 1 Configuring NetScreen lll L n n nnnnnsnsnsa 2 Installing the M SA for NetScreen l ll l n nanus 2 Installing the NetScreen Meta Data ll n nanan 3 Configuring ManHunt nana 4 Configuring the M SA for NetScreen ll n n 5 MSA Configuration File _ l n nn 5 Changing the EDP Passphrase l l nn nn 7 Starting and Stopping the MSA l I n nn ansa 8 Uninstalling the MSA isi eee ae ac cazan S ua R aaa oala ata 8 ii Contents ManHunt Smart Agent for NetScreen TheManHunt Smart Agent M SA for N etScreen enables M anH unt to receive eventsin real timefrom a N etScreen appliance convert these eventsinto the ManHunt event format and then send the events to a ManHunt node for aggregation and correlation with all other M anH unt events The M SA also enables you to set response policies for N etScreen eventsin the M anHunt Policy Configuration interface Refer to the M anHunt Administration Guide for instructions on creating response policies NatScmen MSA For cil ManHuni Appliance NetScreen Note The M SA for NetScreen sends only malicious activity
6. work correctly Note The other permissions are optional using then will increase the load on the M SA host 6 TypeinthelP addresses of the M SA hosts to which the NetScreen appliance will send alerts via SNM P traps Installing the MSA for NetScreen TheM SA for NetScreen must be installed on ahost running Solaris 8 on SPARC or Intel You can deploy the M SA for NetScreen in either of two deployment modes m Install the MSA on the M anHunt node m Install the M SA on a dedicated host Note The M SA can not be installed on the NetScreen appliance In either deployment the M SA listens for NetScreen SN M P traps on port 162 by default The M SA converts the SNM P traps into the M anH unt event format and sends the events to M anH unt over EDP Event Dispatch Protocol EDP communication between M anH unt and the M SA is secure and encrypted You must be logged in as root to run the install script 3 ManHunt Smart Agent for NetScreen To install the MSA for NetScreen 1 PlacetheCD intheCD ROM drive mount the drive if necessary 2 ChangetotheCDROM directory and enter install sh 3 Enter adirectory where you want to install the M SA or accept the default directory usr msanetscreen Press Enter 4 Enter a directory to which the M SA will write log files or accept the default lt MSA_install_dir gt logs Press Enter 5 Enter the IP address of the M anH unt node that will accept the NetScreen event data Press
7. 1 1 MSA Configuration File P arameters ManHunt Host IPAddr ThelP address of the M anH unt node to which the NetScreen events are sent The format is IP address port Theport must bethe port on which M anHunt is configured to receive events The default port is 1333 If you change the EDP Port Number parameter on the M anHunt node be sure to change the value in the M SA configuration fileto match and vice versa This parameter is required EDPSecret Thevaluefor EDPSECRET istheencrypted form of the EDP passphrase and is set during MSA installation Do not attempt to edit this parameter from within the configuration file This parameter is required EventDefinitionFile Path to the event definition file The MSA conversion engine uses instructions contained in the event definition fileto convert NetScreen alerts into ManHunt events This parameter is required MSALogDir Thedirectory to which the M SA should writeitslog file The default valueis lt MSA_install_dir gt msanetscreen logs If you deletethis parameter from the configuration file then the default log directory becomes tmp MSALogLevel An integer specifying the level of logging that the M SA uses Possible values are from 1 to 35 with 35 being the most verbose The default value is 5 If you raise the log level above 5 the log files may become large enough to negatively impact M SA performance This parameter is optional 7 ManHunt Smart Agen
8. O USE THE SOFTWARE EVEN IF SYMANTEC HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES IN NO CASE SHALL SYMANTEC S LIABILITY EXCEED THE PURCHASE PRICE FOR THE SOFTWARE Thedisclaimersand limitations set forth above will apply regardless of whether you accept the Software 5 U S Government Restricted Rights RESTRICTED RIGHTS LEGEND All Symantec products and documentation are commercial in nature The software and software documentation are Commercial Items as that term is defined in 48 C F R section 2 101 consisting of Commercial Computer Software and Commercial Computer Software Documentation as such terms are defined in 48 C F R section 252 227 7014 a 5 and 48 C F R section 252 227 7014 a 1 and used in 48 C F R section 12 212 and 48 C F R section 227 7202 as applicable Consistent with 48 C F R section 12 212 48 C F R section 252 227 7015 48 C F R section 227 7202 through 227 7202 4 48 C F R section 52 227 14 and other relevant sections of the Code of Federal Regulations as applicable Symantec s computer software and computer software documentation are licensed to United States Government end users with only those rights as granted to all other end users according to theterms and conditions contained in this license agreement Manufacturer is Symantec Corporation 20330 Stevens Creek Blvd Cupertino CA 95014 United States of America 6 Export Regulation Export re export of this Software is
9. and attack events intrusion detection events received from a NetScreen appliance to the ManHunt node To usetheM SA for NetScreen perform the following steps 1 Ensure you have installed M anHunt 2 11 or later 2 Verify that the NetScreen appliance is running ScreenOS 3 0 2 or later The M SA will work with all NetScreen appliances from NetScreen 5XP through NetScreen 5000 3 Configure NetScreen See Configuring NetScreen on page 2 4 Install the M SA for NetScreen See Installing the M SA for NetScreen on page 2 5 Install the NetScreen meta data on the M anHunt node See Installing the NetScreen M eta Data on page 3 6 Configure M anHunt to receive events from the M SA for NetScreen See Configuring M anH unt on page 4 2 ManHunt Smart Agent for NetScreen 7 Start the M SA for NetScreen See Starting and Stopping the M SA on page 8 Configuring NetScreen Use the N etScreen web interface to configure the NetScreen appliance to send SN MP traps to the P address of the M SA host See the N etScreen documentation for more information To configure the NetScreen appliance to send SNMP traps 1 Click System gt Admin in the left frame of the NetScreen console 2 Click SNMP in theright frame and specify the SN M P ports the appliance will use Click New Community at the bottom of the frame 4 Enter the Community Namein theright frame Check Trap in Permissions for M SA NetScreen to
10. governed by the laws and regulations of the United States and import laws and regulations of certain other countries Export or re export of Software to any entity on the Denied Parties List and other lists promulgated by various agencies of the United States Federal Government is strictly prohibited 7 General If You are located in North America or Latin America this Agreement will be governed by the laws of theState of California United States of America Otherwise this Agreement will be governed by the laws of England This Agreement and any related License M oduleis the entire agreement between You and Symantec relating to the Software and i supersedes all prior or contemporaneous oral or written communications proposals and representations with respect to its subject matter and ii prevails over any conflicting or additional terms of any quote order acknowledgment or similar communications between the parties This Agreement shall terminate upon Your breach of any term contained herein and You shall cease use of and destroy all copies of the Software The disclaimers of warranties and damages and limitations on liability shall survivetermination This Agreement may only be modified by a License M odule which accompanies this license or by awritten document which has been signed by both You and Symantec Should You have any questions concerning this Agreement or if You desire to contact Symantec for any reason please write
11. h the installation Allow theinstallation process to complete and allow the installer to restart M anH unt If this is the M anH unt node used for administration quit and restart any administration consoles connected to the node to enable the consoles to incorporate the new meta data Configuring ManHunt To enable communication between M anH unt and theM SA for NetScreen and to be able to set M anH unt response policies for N etScreen events you must create an external sensor node in the M anH unt topology tree for the machine on which the M SA for NetScreen is installed To add an external sensor node 1 Open theManH unt administration console 2 Right click External Sensors in the topology tree and click Add External Sensor in the pop up menu 3 In Add External Sensor enter a name of up to 39 characters for the device This name will appear in the topology tree Enter a customer ID Enter the IP address for the machine on which you installed the M SA for NetScreen 6 Click NetScreen in Smart Agent Type Note The NetScreen Smart Agent type only appears in the drop down list if you have installed the NetScreen meta data 7 Select the M anH unt node that will receive event data from the M SA for NetScreen Note You must select the M anH unt node before setting the EDP passphrase M anHunt sets the EDP passphrase for the M anH unt node that is selected in the Event Receiver box at the time that you enter the EDP pass
12. ied by an applicable Symantec license certificate license coupon or license key each a License Module that accompanies precedes or follows this license your rights and obligations with respect to the use of this Software are as follows You may A use that number of copies of the Software as have been licensed to you by Symantec under a License M odulefor Your internal business purposes Your License M odule shall constitute proof of Your right to make such copies If no License M odule accompanies precedes or follows this license you may make one copy of the Software you are authorized to useon a single machine B make onecopy of the Software for archival purposes or copy the Software onto the hard disk of your computer and retain the original for archival purposes C use each licensed copy of the Software on asingle central processing unit and D after written consent from Symantec transfer the Software on a permanent basis to another person or entity provided that you retain no copies of the Software and the transferee agrees to the terms of this license You may not A copy the printed documentation which accompanies the Software B sublicense rent or lease any portion of the Software reverse engineer decompile disassemble modify translate make any attempt to discover the sourcecode of the Software or create derivative works from the Software C use a previous version or copy of the Softwa
13. istributed will be free from defects for a period of sixty 60 days from the date of delivery of the Software to you Your sole remedy in the event of a breach of this warranty will be that Symantec will at its option replace any defective media returned to Symantec within the warranty period or refund the money you paid for the Software Symantec does not warrant that the Software will meet your requirements or that operation of the Software will be uninterrupted or that the Software will be error free THE ABOVE WARRANTY ISEXCLUSIVE AND IN LIEU OF ALL OTHER WARRANTIES WHETHER EXPRESS OR IMPLIED INCLUDING THEIMPLIED WARRANTIES OF MERCHANTABILITY FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS THISWARRANTY GIVES YOU SPECIFIC LEGAL RIGHTS YOU MAY HAVE OTHER RIGHTS WHICH VARY FROM STATE TO STATE AND COUNTRY TO COUNTRY 4 Disclaimer of Damages SOME STATESAND COUNTRIES INCLUDING MEMBER COUNTRIES OF THE EUROPEAN ECONOMIC AREA DO NOT ALLOW THE LIMITATION OR EXCLUSION OF LIABILITY FOR INCIDENTAL OR CONSEQUENTIAL DAMAGESSO THE BELOW LIMITATION OR EXCLUSION MAY NOT APPLY TO YOU TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW AND REGARDLESS OF WHETHER ANY REMEDY SET FORTH HEREIN FAILS OF ITS ESSENTIAL PURPOSE IN NO EVENT WILL SYMANTEC BE LIABLE TO YOU FOR ANY SPECIAL CONSEQUENTIAL INDIRECT OR SIMILAR DAMAGES INCLUDING ANY LOST PROFITS OR LOST DATA ARISING OUT OF THE USE OR INABILITY T
14. phrase 8 Set theEDP passphrase This passphrase was also entered during step 6 of the M SA for NetScreen installation process ManHunt Smart Agent for NetScreen 9 Enteradescription for the M SA for N etScreen This description will be displayed on the main console screen when this external sensor node is selected in the topology tree 10 Click OK then click Save Changes to save your topology tree changes Configuring the MSA for NetScreen The M SA installation process creates a configuration file called netscreen2mh conf n the lt MSA_install_dir gt etc directory This file contains parameters for M SA operation and for connecting to the M anH unt node These parameters are described in Table 1 1 MSA Configuration File The configuration file is broken down into sections with section headers enclosed in brackets The first section is called M SA and contains most of the configuration parameters The second section is called SNM P The following is a sample configuration file MSA ManHuntHostIPAddr 10 0 0 34 1333 EDPSecret DokdYjNU732mnDuj MSALogDir usr msanetscreen logs MSALogLevel 5 EventDefinitionFile usr msanetscreen etc netscreen2mh evtdef SNMP 6 ManHunt Smart Agent for NetScreen Note Table 1 1 lists all editable parameters If you edit any of the configuration parameter values you must restart the M SA application See Starting and Stopping the M SA on page 8 Table
15. phrase enter the new passphrase the M anH unt node will use to communicate with the M SA for NetScreen The passphrase must be at least 8 characters long Re enter the passphrase for confirmation Click OK Click OK in the Edit External Sensor dialog on N ul Go to the Edit Topology menu and click Save C anges 8 ManHunt Smart Agent for NetScreen To change the EDP passphrase on the MSA for NetScreen machine 1 Gotothe lt MSsA_install_dir gt bin directory 2 Enterthefollowingcommand changesecret lt MSA_install_dir gt etc netscreen2mh conf Enter the old passphrase Enter the new passphrase The passphrase must be at least 8 characters long Re enter the new passphrase Restart the M SA application See Starting and Stopping the M SA on page 8 au Aa W Note If you have forgotten the old passphrase you can delete the EDP Secret line from the configuration file lt msA_install_dir gt etc netscreen2mh conf and then run changesecret again The script will not prompt for the old passphrase once the passphrase line is removed See Configuring the M SA for NetScreen on page 5 Starting and Stopping the MSA TheM SA installer creates startup scripts in the system startup directories etc init d and etc rc2 d to automatically start the M SA for NetScreen when the machine is rebooted In addition start and stop scripts are provided in the lt MSA_install_dir gt You must be logged in as root to run these
16. re after you have received a disk replacement set or an upgraded version Upon upgrading the Software all copies of the prior version must be destroyed D usea later version of the Software than is provided herewith unless you have purchased corresponding maintenance and or upgrade insurance or have otherwise separately acquired the right to use such later version E use if you received the software distributed on media containing multiple Symantec products any Symantec software on the media for which you have not received a permission in a License M odule nor F use the Softwarein any manner not authorized by this license 2 Content U pdates Certain Symantec software products utilize content that is updated from time to time antivirus products utilize updated virus definitions content filtering products utilize updated URL lists some firewall products utilize updated firewall rules vulnerability assessment products utilize updated vulnerability data etc collectively these are referred to as Content Updates You may obtain Content U pdates for any period for which you have purchased upgrade insurance for the product entered into a maintenance agreement that includes Content U pdates or otherwise separately acquired the right to obtain Content Updates This license does not otherwise permit you to obtain and use Content U pdates 3 Limited Warranty Symantec warrants that the media on which the Software is d
17. t for NetScreen Table 1 1 MSA Configuration File Parameters Event SendRate An integer specifying the maximum number of events per second that can be passed to the ManHunt node If this parameter is not specified in the configuration file the default value is 10 events per second If you add this parameter placeit in the MSA section MaxEvent sinCache An integer specifying the maximum number of events allowed in the cache before the oldest event is dropped If this parameter is not specified in the configuration file the default value is 3000 If you add this parameter place it in the Msa section SnmpTrapPort An optional argument that allows SNM P trapsto be collected on a port other than the default which is port 162 Changing the EDP Passphrase To changethe EDP passphrase on the ManHunt node edit the external sensor topology tree node The EDP passphrase on the M anH unt node must match the EDP passphraseon the M SA for NetScreen machine Therefore if you changethe passphrase on the M anH unt node you must also change the passphrase on the MSA for NetScreen machine by running the changesecret command located in the lt MSA_install_directory gt bin directory To change the EDP passphrase on the ManHunt node 1 Loginto the ManH unt administration console 2 Right click the appropriate M anH unt node and click Edit Devicein the popup menu 3 In Edit External Sensor click Set Passphrase 4 In Change Pass
Download Pdf Manuals
Related Search