Symantec Event Collector for Internet Security Systems RealSecure SiteProtector for PC
Contents
Chapter 1 Introducing the Symantec Event Collector for Internet Security Systems (ISS) RealSecure SiteProtector
  About the Symantec Event Collector for ISS RealSecure SiteProtector ... 9
  About SESA ... 10
  Prior requirements for using the Symantec Event Collector for ISS RealSecure SiteProtector ... 10
  Components of the Symantec Event Collector for ISS RealSecure SiteProtector ... 11
    Server-side component ... 12
    Client-side components ... 12
  How the Symantec Event Collector for ISS RealSecure SiteProtector works ... 12
    How the Event Collector processes events ... 13
    About the Application Event category ... 14
  What you can do with the Symantec Event Collector for ISS RealSecure SiteProtector ... 15
Chapter 2 Installing the Symantec Event Collector for ISS RealSecure SiteProtector
  Before you install the Symant
Symantec Event Collector for Internet Security Systems RealSecure SiteProtector Integration Guide

The software described in this book is furnished under a license agreement and may be used only in accordance with the terms of the agreement.

Documentation version 1.0

Copyright notice
Copyright 1998-2003 Symantec Corporation. All Rights Reserved. Any technical documentation that is made available by Symantec Corporation is the copyrighted work of Symantec Corporation and is owned by Symantec Corporation.

NO WARRANTY. The technical documentation is being delivered to you AS-IS, and Symantec Corporation makes no warranty as to its accuracy or use. Any use of the technical documentation or the information contained therein is at the risk of the user. Documentation may include technical or other inaccuracies or typographical errors. Symantec reserves the right to make changes without prior notice. No part of this publication may be copied without the express written permission of Symantec Corporation, 20330 Stevens Creek Blvd., Cupertino, CA 95014.

Trademarks
Symantec and the Symantec logo are U.S. registered trademarks of Symantec Corporation. Symantec Enterprise Security Architecture, SESA, Symantec Incident Manager, and Symantec Security Response are trademarks of Symantec Corporation. Check Point is a tradema
Using Java LiveUpdate

This chapter includes the following topics:
- Viewing Java LiveUpdate events
- About Java LiveUpdate configurations
- Working with Java LiveUpdate configurations
- Editing Java LiveUpdate configuration properties
- Modifying a Java LiveUpdate configuration
- Distributing a Java LiveUpdate configuration

Viewing Java LiveUpdate events
When Java LiveUpdate is integrated with SESA, you can view events that report the status of LiveUpdate sessions on computers in your network environment. To see Java LiveUpdate events in the SESA Console, the SESA Agent (which is installed with Java LiveUpdate on each Java LiveUpdate client computer) must first establish a connection with the SESA Manager.

View Java LiveUpdate events
You can view the success or failure of this connection on the Events view tab of the SESA Console. Any Successful Agent Start-up Events or Failed Agent Start-up Events are listed in the left pane in the System Events folder's SESA System subfolder. All other Java LiveUpdate events appear in the left pane in the System Events folder's LiveUpdate subfolder.

To view SESA Agent startup events
1. On the Events view tab, in the left pane, expand SESA DataStore.
2. Under SESA DataStore, expand System Events > SESA System.
3. Select one of the following reports:
   - Successful Agent Start-up Events
   - Failed Agent Start-up Events
...type a specific computer name or a combination of letters and an asterisk, and then click Search. By default, the Computer name text box contains an asterisk, which serves as a wildcard character displaying all computers that have been defined.
- On the Found tab, select one or more computers, and then click OK.
- In the Computers dialog box, repeat steps 5 through 7 as necessary, and then click Next.
- In the Configuration Groups dialog box, do one of the following:
  - If your computer or computers belong to a configuration group, click Add, select the configuration group to which the computer or computers belong, click OK, and then, in the Configuration Groups dialog box, click Next.
  - If your computer or computers do not belong to a configuration group, click Next.
- In the Organizational Units dialog box, to associate an organizational unit with the selected computer, click Add.
- In the Browse for Organizational Units dialog box, on the Found tab, select the organizational unit to which the computer or computers belong, and then click OK.
- Repeat steps 10 and 11 as necessary.
- Click Next, and then click Next again.
- Review the Configuration summary, and then click Finish.
- Click Close.

Editing Java LiveUpdate configuration properties
You must add the computers that will use the Java LiveUpdate configuration before you can distribute the configurat
Uninstalling the Event Collector
During uninstallation of the collector component that is installed on Windows, the two Scheduled Tasks for running LiveUpdate on the Event Collector are not automatically removed. You must remove these manually.

To uninstall the collector component on Windows using the InstallShield uninstaller program
1. On the component computer, navigate to the folder containing the Symantec Event Collector for ISS RealSecure SiteProtector. The default location is the C:\Program Files\Symantec\SiteProtectorCollector\_uninst folder.
2. In the _uninst folder, double-click uninstaller.exe.
3. In the Welcome to the Symantec Event Collector for ISS RealSecure SiteProtector Uninstall Wizard dialog box, click Next.
4. In the "Symantec Event Collector for ISS RealSecure SiteProtector will be uninstalled from the following location" dialog box, verify the summary information, and then click Next.
5. In the "InstallShield Wizard has successfully uninstalled Symantec Event Collector for ISS RealSecure SiteProtector" dialog box, click Finish.

The Symantec Event Collector for ISS RealSecure SiteProtector, as well as the SESA Agent if it is no longer needed, are removed from the computer. Folders that contain logs and other files modified after the installation will remain in the installation directory. It is now safe to delete these files.

To remove the Scheduled Tasks manually
1. On the Windows taskbar, click S
The Symantec Event Collector for ISS RealSecure SiteProtector also assigns each event one of the following severities:
5 Informational: Events that represent expected behavior.
4 Warning: Events that represent suspicious behavior.
3 Minor: Events that could require attention.
2 Major: Events that require attention now.
1 Critical: Events that require attention now, with a broad range of application to the enterprise.

In the SESA environment, events that arrive from a SESA Agent are generally understood to be events that are generated by the system on which the SESA Agent is installed. However, because the Symantec Event Collector for ISS RealSecure SiteProtector is collecting events from a data source that may receive events from multiple computers, the event data is structured to preserve the identity of the originating computer. Events from the Symantec Event Collector for ISS RealSecure SiteProtector are logged as if they originated from the computer that originally logged the message. Therefore, collected events will display the machine name of the computer that logged the ISS RealSecure SiteProtector event, rather than the machine name of the computer on which the Event Collector resides.

About the Application Event category
In addition to the events that the Symantec Event Collector for ISS
...ISS RealSecure SiteProtector.
2. On the Events view tab, in the left pane, expand the appropriate SESA DataStore.
3. Expand Global Events > All Events.
4. Under the menu bar, click Refresh.
5. Verify that the Application Start event has been logged by the Symantec Event Collector for ISS RealSecure SiteProtector.

After you install the Symantec Event Collector for ISS RealSecure SiteProtector
After you have successfully installed the Symantec Event Collector for ISS RealSecure SiteProtector, you should perform the following tasks:
- Run LiveUpdate on the SESA Manager
- Configure the SESA Manager to increase event throughput

Running LiveUpdate on the SESA Manager
After installing the Symantec Event Collector for ISS RealSecure SiteProtector, you should run LiveUpdate on each SESA Manager and on each installation of Symantec Incident Manager, if installed. As updates become available, you can update the SESA Manager.

To run LiveUpdate on the SESA Manager
1. On the computer on which you installed the SESA Manager, at the command prompt, change directories to the following: Sesa\Bin
2. At the command prompt, type the following: sesa lulauncher

Configuring the SESA Manager to increase event throughput
The SESA Manager has many settings that affect the sp
Intrusion Detection Event Family

To view reports for the Event Collector
1. Log on to the SESA Console using a SESA user account with sufficient rights to view SESA configurations. The SESA user must belong to a role that has rights to the Symantec Event Collector for ISS RealSecure SiteProtector.
2. On the Events view tab, in the left pane, expand the top-level domain, and then expand SESA DataStore.
3. Do one of the following:
   - Expand Intrusion Detection
   - Expand Host Intrusion Detection
   - Expand Vulnerability Event Family
   - Expand Network Intrusion Detection
4. Expand Symantec Event Collector for ISS RealSecure SiteProtector.

Table 3-1 describes the reports that are specific to the Symantec Event Collector for ISS RealSecure SiteProtector.

Table 3-1 Symantec Event Collector for ISS RealSecure SiteProtector reports
Report | Event families | Type | Description
All Events | Intrusion Detection, Host Intrusion Detection, and Network Intrusion Detection | Table | Displays all events that are logged by the Event Collector.
Last 30 days | Intrusion Detection, Host Intrusion Detection, and Network Intrusion Detection | Table | Displays all events that are logged by the Event Collector in the last 30 days.
Last 24 hours | Intrusion Detection, Host Intrusion Detection, and Network Intrusion Detection | Table | Displays all events that are logged by the Event Collector in the last 24 hour
...RealSecure SiteProtector collects and forwards to the SESA Manager, the Event Collector generates two events of its own. These are categorized as Application Events. These events indicate that the Event Collector service is starting or stopping, so that this information might be available at the SESA Console. Table 1-1 describes the events that the Symantec Event Collector for ISS RealSecure SiteProtector generates.

Table 1-1 Symantec Event Collector for ISS RealSecure SiteProtector events
Event | Category | Severity | Description
Application Start | Application | Informational | The Event Collector is starting.
Application Stop | Application | Informational | The Event Collector is stopping.

What you can do with the Symantec Event Collector for ISS RealSecure SiteProtector
After the Symantec Event Collector for ISS RealSecure SiteProtector is installed, your ISS RealSecure SiteProtector events will be inserted into the SESA DataStore. From the SESA Console, you can then view, manage, and create reports based on the event data. With the Symantec Event Collector for ISS RealSecure SiteProtector, you can do the following:
- Collect events for insertion into the SESA DataStore. See "Installing the Symantec Event Collector for ISS RealSecure SiteProtector" on page 25.
- Vie
...RealSecure SiteProtector
The Symantec Event Collector for ISS RealSecure SiteProtector integrates your existing ISS RealSecure SiteProtector installation with SESA. You should have sufficient prior knowledge of your ISS RealSecure SiteProtector product and its configuration and administration. You should also be proficient in administering the operating system or systems on which you will install the Event Collector.

The supported operating systems for the collector component of the Symantec Event Collector for ISS RealSecure SiteProtector are as follows:
- Microsoft Windows 2000 Server with Service Pack 3
- Microsoft Windows 2000 Advanced Server with Service Pack 3

Components of the Symantec Event Collector for ISS RealSecure SiteProtector
The Symantec Event Collector for ISS RealSecure SiteProtector is comprised of server-side and client-side components, which you install separately. The server-side component is installed on the SESA Manager computer. Client-side components are either installed on the same computer as the security product or on another computer that has access to security product source data. Figure 1-1 shows an overview of the components.

Figure 1-1 Basic component overview
[Figure: Client-side components; Server-side component; ISS RealS
...be free from defects for a period of sixty (60) days from the date of delivery of the Software to You. Your sole remedy in the event of a breach of this warranty will be that Symantec will, at its option, replace any defective media returned to Symantec within the warranty period or refund the money You paid for the Software. Symantec does not warrant that the Software will meet Your requirements or that operation of the Software will be uninterrupted or that the Software will be error-free. TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, THE ABOVE WARRANTY IS EXCLUSIVE AND IN LIEU OF ALL OTHER WARRANTIES, WHETHER EXPRESS OR IMPLIED, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND NONINFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS. THIS WARRANTY GIVES YOU SPECIFIC LEGAL RIGHTS. YOU MAY HAVE OTHER RIGHTS, WHICH VARY FROM STATE TO STATE AND COUNTRY TO COUNTRY.

4. Disclaimer of Damages
SOME STATES AND COUNTRIES, INCLUDING MEMBER COUNTRIES OF THE EUROPEAN ECONOMIC AREA, DO NOT ALLOW THE LIMITATION OR EXCLUSION OF LIABILITY FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES, SO THE BELOW LIMITATION OR EXCLUSION MAY NOT APPLY TO YOU. TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW AND REGARDLESS OF WHETHER ANY REMEDY SET FORTH HEREIN FAILS OF ITS ESSENTIAL PURPOSE, IN NO EVENT WILL SYMANTEC BE LIABLE TO YOU FOR ANY SPECIAL, CONSEQUENTIAL, INDIRECT, OR SIMILAR DAMAGES, INCLUDING ANY LOST PROFITS OR LOST DATA A
...not authorized by this license.

2. Content Updates
Certain Software utilize content that is updated from time to time (including but not limited to the following Software: antivirus software utilize updated virus definitions; content filtering software utilize updated URL lists; some firewall software utilize updated firewall rules; and vulnerability assessment products utilize updated vulnerability data; these updates are collectively referred to as "Content Updates"). You shall have the right to obtain Content Updates for any period for which You have purchased maintenance, except for those Content Updates that Symantec elects to make available by separate paid subscription, or for any period for which You have otherwise separately acquired the right to obtain Content Updates. Symantec reserves the right to designate specified Content Updates as requiring purchase of a separate subscription at any time and without notice to You; provided, however, that if You purchase maintenance hereunder that includes particular Content Updates on the date of purchase, You will not have to pay an additional fee to continue receiving such Content Updates through the term of such maintenance, even if Symantec designates such Content Updates as requiring separate purchase. This License does not otherwise permit the licensee to obtain and use Content Updates.

3. Limited Warranty
Symantec warrants that the media on which the Software is distributed will
...successful reply messages and the request does not time out. This is only a test of connectivity. Your firewall may be configured to prevent ping traffic without impeding SESA Agent connectivity.

To run a test Telnet session
On the computer on which the collector component will be installed, at the command prompt, type the following test command:
  telnet <SESA IP ADDRESS> 443
where <SESA IP ADDRESS> is the IP address of the SESA Manager. The connection appears to stop responding, but it is not refused. After you type a few characters, a message appears indicating that the connection has been lost.

Configuring ISS RealSecure SiteProtector before installing the collector component
The Event Collector and SESA Agent can be installed remotely from the ISS RealSecure Enterprise database or on the same computer. When you install the collector component, the Symantec Event Collector for ISS RealSecure SiteProtector Install Wizard prompts you for a user name and password that the Event Collector can use to access the database. You can use an existing database account, or you can create an account specifically for the Event Collector. However, to ensure a secure JDBC connection between the Event Collector and the ISS RealSecure Enterprise database, you should use a read-only database user account.

In addition, to provide a JDBC connection between the Event Collector and the database, you must install the JDBC driver that you downloade
...the SESA Manager is installed. You install the SIP by running the SESA Integration Wizard on the SESA Manager computer. The additional components let you centrally view and manage reports for ISS RealSecure SiteProtector events in the SESA Console. You must install the SESA Integration Package on every SESA Manager that will receive events from the Event Collector. Before running the SESA Integration Wizard, you should run LiveUpdate on your SESA Manager, as well as any installed products, to ensure that you have the latest versions available.

Planning to install the Microsoft SQL Server 2000 Driver for JDBC
Regardless of physical location, the Event Collector must have access to the ISS RealSecure Enterprise database. To access the database, the Event Collector uses the Microsoft SQL Server 2000 Driver for JDBC. You can obtain this JDBC driver from the following Microsoft Web site:
  http://www.microsoft.com/sql/downloads
On the Web page, select SQL Server 2000 Driver for JDBC Service Pack 2 (SP2). The site provides instructions on registering and downloading Setup.exe, which is the driver file.

Planning to install the collector component and SESA Agent
The next phase of installing the Symantec Event Collector for ISS RealSecure SiteProtector is to install the collector component. Th
...to a server automatically for program updates. The connection is made through an HTTP or FTP site. Using LiveUpdate technology ensures that you always have the most recent version of your Symantec software installed.

Running LiveUpdate for the Event Collector manually
You can run LiveUpdate manually if necessary. If you have distributed a SESA configuration for Java LiveUpdate to the Event Collector computer, it will use those settings when LiveUpdate runs.

To run LiveUpdate for the Event Collector manually on Windows
1. On the Event Collector computer, at the command prompt, change directories to the ISS RealSecure SiteProtector installation directory. The default installation directory is C:\Program Files\Symantec\SiteProtector.
2. To update the Event Collector rules and knowledge base files, type the following command: runliveupdate.bat
3. To update the Event Collector code, type the following command: runliveupdatecode.bat

About scheduling LiveUpdate for the Event Collector
The Event Collector installation will schedule automatic LiveUpdate sessions to ensure that you regularly obtain the latest updates. Two LiveUpdate sessions are scheduled at the following times:
- Every Monday at 1 AM. This session updates the Event Collector rules and knowledge base files.
- Every Tuesday at 1 AM. This session updates the Event Collector code.
On Windows, the two new tasks are automatically added to the Scheduled Tasks list.

Appendix
...using the command prompt.
3. At the command prompt, navigate to the SESA1.1\SIPI folder on the CD.
4. At the command prompt, type the following: java -jar setup.jar uninstall
5. In the Welcome to the SESA Integration Wizard dialog box, click Next.
6. In the SESA Integration Requirements dialog box, do one of the following:
   - If the local SESA Manager is running, click Next.
   - If the local SESA Manager is not running, click Cancel.
7. In the SESA Domain Administrator Information dialog box, do the following:
   - In the SESA Domain Administrator Name text box, type the name of the SESA Domain Administrator account.
   - In the SESA Domain Administrator Password text box, type the password for the SESA Domain Administrator account.
   - In the Host Name or IP address of SESA Directory text box, type the IP address of the computer on which the SESA Directory is installed. If you are using authenticated SSL instead of the SESA default anonymous SSL, you must type the host name of the SESA Directory computer. For example: mycomputer.com
   - In the Secure Directory Port text box, type the number of the SESA Directory secure port. By default, the port number is 636.
8. Click Next.
9. In the Ready to proceed dialog box, do one of the following:
   - If you are ready to proceed, click Next.
   - If you want to change your settings, click Bac
...with the Agent. If you must change the IP address or port number for the Agent, you must do so through the SESA Console. After an Agent is installed, it is configured centrally by using the SESA Console, even though it is on the computer that is running the security product. For more information, see the Symantec Enterprise Security Architecture Administrator's Guide.

SESA Integration Package requirements
The SESA Integration Package (SIP) for the Symantec Event Collector for ISS RealSecure SiteProtector is installed on the SESA Manager computer. The SIP requires version 1.1 of SESA. If you have an earlier version of SESA installed, you must uninstall it before you can install version 1.1. You cannot install version 1.1 over an earlier version or migrate an earlier version to SESA 1.1.

SESA Manager requirements
Before installing any components on the SESA Manager, ensure that the SESA Manager is installed and operating properly and that it has a fixed IP address. For more information on installing the SESA Manager, see the Symantec Enterprise Security Architecture Administrator's Guide. You must install the SESA Integration Package for the Event Collector on the SESA Manager before you install the collector component.

SESA DataStore requirements
After you install the SESA Integration Package and the collector component, the collector component can forward events to SESA. The amount of disk space that you need to accommodate the e
A message is sent to the computers that are associated with the Java LiveUpdate configuration, instructing them to contact the SESA Manager for a new configuration.

Index

A
alerting, centralized 9
Application Event category 13, 14

C
categories of events 13
centralized: alerting 9; logging 9; reporting 9
collector application module 12
connectivity, ensuring 24
Critical event severity level 14

D
data: managing for events 15; preparing for collection 22; processing (Event Collector) 13; report generation 10
database: installation requirement 22; monitoring 10; reading 27
DE_CustomerRules rule 41
driver, JDBC 19, 21

E
events: categories 13; severities 14; throttling 34

H
Host Intrusion Detection Event Family 43

I
incidents 10
Informational event severity level 14
installation: Java LiveUpdate 38; planning for 18; SESA integration components 25; Symantec Event Collector for ISS RealSecure SiteProtector 25; verifying 30
Intrusion Detection Event Family 43
ISS RealSecure Enterprise database: installation requirement 22; monitoring 10; reading 27

J
Java LiveUpdate: installing 38; running 48; scheduling 48; using 48
JDBC driver 19, 21

L
log data, preparing for collection 22
logging, centralized 9

M
Major event severity level 14
Microsoft SQL Server 2000 Driver for JDBC 19, 21
Minor event severity level 14

N
Network Intrusion Detection Event Family 43
notifications, configuring for events 10

O
ov
...Agent listens

Parameter | Default | Description
Management servlet | EventLogger | The SESA Management servlet to which the SESA Agent sends messages. Note: This parameter should be changed with caution.
Disconnected mode retry interval | 30 minutes | The retry interval for sending events to the SESA Manager when the SESA Manager cannot be contacted.
Maximum queue size | 2000 kb | The maximum size of the queue in kilobytes. Any subsequent log requests are refused.
App flush size / App flush time / App flush count | 15 seconds / 50 kb / 35 | The triggers that, when tripped, send outbound SESA Agent data to the SESA Manager. Note: This applies only to batch events. Direct events are always sent as soon as possible.
App spool size | 100 kb | The size in kilobytes of the Event Collector queue that the SESA Agent holds in memory when not able to send the normal queue to the SESA Manager. If the queue exceeds this size and it still needs to grow, the queue is written to the hard disk.
Encrypt config file | false | If true, the configuration file that is located on the computer with the SESA Agent is encrypted.

You can adjust these parameters in the SESA Console on the Configurations view tab. For more information, see the Symantec Enterprise Security Architecture Administrator's Guide.

Using LiveUpdate technology
LiveUpdate technology lets installed Symantec products connect
...Event Collector to more than one computer that is being managed by the same SESA Manager, you only need to install the SIP once. See "Installing the SESA Integration Package" on page 25.
- Install the Symantec Event Collector for ISS RealSecure SiteProtector collector components. The Symantec Event Collector for ISS RealSecure SiteProtector and the SESA Agent must be installed on the same computer. See "Installing the collector component and SESA Agent" on page 27.
- Test the Event Collector installation to verify successful operation. See "Testing the Event Collector installation" on page 30.

Installing the SESA Integration Package
The SESA Integration Package (SIP) for the Event Collector extends the functionality of the SESA Manager to include information, such as tables, fields, and reports, that is specific to the Symantec Event Collector for ISS RealSecure SiteProtector.

Warning: Before you install the SESA Integration Package for the Event Collector, back up the SESA Directory and SESA DataStore. When installing more point products on the same SESA Manager, you may notice a decrease in performance.

You install the SESA Integration Package by running the SESA Integration Wizard. You must run the SESA Integration Wizard on every SESA Manager that will receive IS
How the Symantec Event Collector for ISS RealSecure SiteProtector works
The collector component reads the data from the ISS RealSecure Enterprise database and composes it into a SESA-compatible format. The collector component may also perform some event aggregation, analysis, and filtering, as well as assign a Standard Event Code to the event for correlation processing by Symantec Incident Manager, if installed. The collector component then passes the event to the SESA Agent for forwarding to the SESA Manager, which inserts the event into the SESA DataStore.

You specify the database to be read during the collector component installation. The computer on which the collector component and SESA Agent are installed must have access to the specified ISS RealSecure Enterprise database.

Warning: During the collector component installation, you are prompted to supply a user name and password for the ISS RealSecure Enterprise database that you want to use with SESA. To protect the ISS RealSecure SiteProtector environment, ensure that the database account that you specify has read-only privileges to the ISS RealSecure Enterprise database.

A SESA Agent must be installed on the same computer as the Symantec Event Collector for ISS RealSecure SiteProtector. When you install th
...RISING OUT OF THE USE OR INABILITY TO USE THE SOFTWARE, EVEN IF SYMANTEC HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. IN NO CASE SHALL SYMANTEC'S LIABILITY EXCEED THE PURCHASE PRICE FOR THE SOFTWARE. The disclaimers and limitations set forth above will apply regardless of whether or not You accept the Software.

5. U.S. Government Restricted Rights
RESTRICTED RIGHTS LEGEND. All Symantec products and documentation are commercial in nature. The software and software documentation are "Commercial Items," as that term is defined in 48 C.F.R. section 2.101, consisting of "Commercial Computer Software" and "Commercial Computer Software Documentation," as such terms are defined in 48 C.F.R. section 252.227-7014(a)(5) and 48 C.F.R. section 252.227-7014(a)(1), and used in 48 C.F.R. section 12.212 and 48 C.F.R. section 227.7202, as applicable. Consistent with 48 C.F.R. section 12.212, 48 C.F.R. section 252.227-7015, 48 C.F.R. section 227.7202 through 227.7202-4, 48 C.F.R. section 52.227-14, and other relevant sections of the Code of Federal Regulations, as applicable, Symantec's computer software and computer software documentation are licensed to United States Government end users with only those rights as granted to all other end users, according to the terms and conditions contained in this license agreement. Manufacturer is Symantec Corporation, 20330 Stevens Creek Blvd., Cupertino, CA 95014, United States of America.

6. Export R
...S RealSecure SiteProtector events. Immediately after you finish installing the Symantec Event Collector for ISS RealSecure SiteProtector on the SESA Manager computer, run LiveUpdate to ensure that you are using the latest event signatures.

To install the SESA Integration Package
1. On the SESA Manager computer, insert the Symantec Event Collector for Internet Security Systems RealSecure SiteProtector CD into the CD-ROM drive.
2. If you have AutoStart enabled and the SESA Integration Wizard window appears, cancel the SESA Integration Wizard. You must install the SESA Integration Package using the command prompt.
3. At the command prompt, navigate to the SESA1.1\SIPI folder on the CD.
4. At the command prompt, type the following: java -jar setup.jar
5. In the Welcome to the SESA Integration Wizard dialog box, click Next.
6. In the SESA Integration Requirements dialog box, do one of the following:
   - If the local SESA Manager is running, click Next.
   - If the local SESA Manager is not running, click Cancel. You must run the SESA Integration Wizard on the computer on which the SESA Manager is installed.
7. In the SESA Domain Administrator Information dialog box, do the following:
   - In the SESA Domain Administrator Name text box, type the name of the SESA Domain Administrator account.
   - In the SESA Domain Administrator Password text box, type the password for the SESA Domain Administrator account.
   - In the Host Name or IP address of SESA Directory t
The status bar in the lower left corner of the window indicates how many events are in the report and which events you are currently viewing.

To view all other Java LiveUpdate events
1. On the Events view tab, in the left pane, expand SESA DataStore.
2. Under SESA DataStore, expand System Events > LiveUpdate.
3. Select any of the reports.
The status bar in the lower left corner of the window indicates how many events are in the report and which events you are currently viewing.

About Java LiveUpdate configurations
Java LiveUpdate installs with a default configuration, as specified in the LiveUpdate.conf configuration file. However, you may want to modify a configuration or distribute additional configurations to Java LiveUpdate client computers. You can use the SESA Console to create and distribute additional LiveUpdate configurations to one or more computers on which Java LiveUpdate is installed. In addition, SESA provides a Default Java LiveUpdate configuration, which you can also configure for distribution to Java LiveUpdate computers.

When you create or modify a Java LiveUpdate configuration, you must specify the Java LiveUpdate computers to associate with the configuration. You can specify individual computers, organizational units, configuration units, or any combination that suits your network topology. You must also specify the SESA organizational unit to which the computer or computers belong. As an option, you can specify any config
alling the SESA Integration Package ... 36
Installing Java LiveUpdate on the SESA Manager ... 38

Using the Symantec Event Collector for ISS RealSecure SiteProtector
Configuring the Event Collector ... 41
Filtering events ... 41
Viewing reports for the Event Collector ... 43
Creating custom reports ... 45
Integrating with Symantec Incident Manager ... 46
Starting and stopping the Event Collector and SESA Agent services ... 46
Configuring the SESA Agent
Using LiveUpdate technology
Running LiveUpdate for the Event Collector manually ... 48
About scheduling LiveUpdate for the Event Collector ... 48
Using Java LiveUpdate
Viewing Java LiveUpdate events
About Java LiveUpdate configurations
Working with Java LiveUpdate configurations
Editing Java LiveUpdate configuration properties
Modifying a Java LiveUpdate configuration
Distributing a Java LiveUpdate configuration

Chapter Introducing the Symantec Event Collector for Interne
and java -jar setup.jar
8. In the Welcome to the SESA Integration dialog box, click Next.

Installing the Symantec Event Collector for ISS RealSecure SiteProtector 39
Installing Java LiveUpdate on the SESA Manager

9. In the SESA Integration Requirements dialog box, verify that you have the SESA Manager running on this computer, and then do one of the following:
   - If you have satisfied the requirements, click Next.
   - If you have not satisfied the requirements, click Cancel. The setup program closes so that you can install the necessary files.
10. In the SESA Domain Administrator Information dialog box, do the following:
   - In the SESA Domain Administrator Name text box, type the name of the SESA Domain Administrator account.
   - In the SESA Domain Administrator Password text box, type the password for the SESA Domain Administrator account.
   - In the IP address of SESA Directory text box, type the IP address of the computer on which the SESA Directory is installed (this may be the same as the SESA Manager IP address if both are installed on the same computer). If you are using authenticated SSL instead of the SESA default anonymous SSL, you must type the host name of the SESA Directory computer, for example, mycomputer.com. For more information on SESA default anonymous SSL and upgrading to authenticated SSL, see the Symantec Enterprise Security Architecture Installation Guide.
   - In the Secure Directory Port text bo
aws of the State of California, United States of America. Otherwise, this Agreement will be governed by the laws of England and Wales. This Agreement and any related License Module is the entire agreement between You and Symantec relating to the Software and: (i) supersedes all prior or contemporaneous oral or written communications, proposals and representations with respect to its subject matter; and (ii) prevails over any conflicting or additional terms of any quote, order, acknowledgment or similar communications between the parties. This Agreement shall terminate upon Your breach of any term contained herein and You shall cease use of and destroy all copies of the Software. The disclaimers of warranties and damages and limitations on liability shall survive termination. Software and documentation is delivered Ex Works California, U.S.A. or Dublin, Ireland, respectively (ICC INCOTERMS 2000). This Agreement may only be modified by a License Module that accompanies this license or by a written document that has been signed by both You and Symantec. Should You have any questions concerning this Agreement, or if You desire to contact Symantec for any reason, please write to: (i) Symantec Customer Service, 555 International Way, Springfield, OR 97477, U.S.A.; (ii) Symantec Authorized Service Center, PO BOX 5689, Dublin 15, Ireland; or (iii) Symantec Customer Service, 1 Julius Ave, North Ryde, NSW 2113, Australia.

Contents
Technical support
cure SiteProtector

Before you install the Symantec Event Collector for ISS RealSecure SiteProtector
The Symantec Event Collector for ISS RealSecure SiteProtector installs shared and product-specific components in order to send events to SESA. To enable the Event Collector to forward events to SESA, you must do the following:
- Install the server-side SESA Manager component using the SESA Integration Wizard.
- Install the Microsoft SQL Server 2000 Driver for JDBC, which is required to create a connection between the Event Collector and the ISS RealSecure Enterprise database.
- Install the collector component and SESA Agent.

Planning for the Event Collector installation
Before you install the Event Collector, you should plan for the following installation phases:
- Installing the SESA Integration Package
- Installing the Microsoft SQL Server 2000 Driver for JDBC
- Installing the collector component and SESA Agent
- Configuring ISS RealSecure SiteProtector before installing the collector component

Planning to install the SESA Integration Package
The first phase of installing the Symantec Event Collector for ISS RealSecure SiteProtector is to install the SESA Integration Package (SIP) using the SESA Integration Wizard. This package extends the tables and fields in the SESA DataStore so that they are prepared to accept Event Collector data. The SESA Integration Package for the Event Collector must be installed on the computer on which
d from the Microsoft Web site. See "Planning to install the Microsoft SQL Server 2000 Driver for JDBC" on page 19.

Installing the Symantec Event Collector for ISS RealSecure SiteProtector 21
Before you install the Symantec Event Collector for ISS RealSecure SiteProtector

Configure ISS RealSecure SiteProtector before installing the collector component
To configure ISS RealSecure SiteProtector before installing the collector component and SESA Agent, do the following as necessary:
- Add a read-only database user to the ISS RealSecure Enterprise database.
- Install the Microsoft SQL Server 2000 Driver for JDBC.

To add a read-only database user to the ISS RealSecure Enterprise database
1. In the SQL Server Enterprise Manager window, in the left pane, expand Console Root > Microsoft SQL Servers > SQL Server Group > PHL P7 (Windows NT) > Security.
2. Right-click Logins, and then in the context menu, click New Login.
3. In the SQL Server Login Properties dialog box, on the General tab, type the name of the read-only logon account. For example: read only.
4. Click SQL Server authentication.
5. Type the password for SQL Server authentication.
6. In the Database box, click RealSecureDB.
7. In the Language box, click <Default>.
8. On the Database Access tab, check RealSecureDB.
9. Under Permit in Database Role, check Public.
10. Click OK.
11. Close the SQL Server Enterprise Manager window.

To install the Microsof
ddress and port. You must verify that the SESA Manager information is correct.

Verify the SESA Manager IP address and port
Verify that you specified the correct SESA Manager IP address or host name and the correct number for the SESA Secure Directory port when you ran the SESA Integration Wizard.

To verify the SESA Manager IP address and port on Windows
1. On the Event Collector computer, log on as Administrator.
2. Change directories to the SESA Agent installation folder. The default location is C:\Program Files\Symantec\SESA Agent.
3. In a text editor, open the configprovider.cfg file.
4. Verify that the following options contain the correct settings for the SESA Manager to which you want to send ISS RealSecure SiteProtector events:
   - MgmtServer contains the correct SESA Manager IP address.
   - MgmtPort contains the correct SESA Agent port number (the default is 443).

To verify SESA Agent connectivity from the SESA Console
1. In the SESA Console, on the System view tab, in the left pane, expand Organizational Units > Default.
2. Verify that the name of the computer on which the Event Collector is installed is listed.
3. Right-click the computer name, and then click Properties.
4. In the Computer Properties dialog box, on the Services tab, in the Started column, verify that the SESA AgentStart Service displays Yes.

Verifying SESA Agent operation
You must verify that the SESA Agent is operating correctly.

To verify SESA Agent operat
e SESA Agent, you provide a small set of initial parameters, such as the SESA Manager IP address and port. After you install the SESA Agent, you can change its default parameters using the SESA Manager. See "Configuring the SESA Agent" on page 47.

The Symantec Event Collector for ISS RealSecure SiteProtector communicates with the installed SESA Agent. The SESA Agent securely logs the events that it receives from the Symantec Event Collector for ISS RealSecure SiteProtector to a SESA Manager. When the SESA Manager is unavailable, the SESA Agent queues messages for later delivery, up to a configurable maximum queue size. The default maximum queue size is 2 MB. You can change this queue size by using the SESA Console. See "Configuring the SESA Agent" on page 47.

How the Event Collector processes events
The Symantec Event Collector for ISS RealSecure SiteProtector selectively creates SESA events based on the event data that it finds within the specified ISS RealSecure Enterprise database. The Event Collector determines how to classify ISS RealSecure SiteProtector events by examining the contents of key fields. The Symantec Event Collector for ISS RealSecure SiteProtector assigns one of the following categories to each event:
- Security: messages that come from the ISS RealSecure Enterprise database.
- Application: events that are generated by the Symantec Event Collector for ISS RealSecure SiteProtector.

14 Introducing the Symantec Event
e collector component reads events from the ISS RealSecure Enterprise database, formats them, and sends them to the SESA Agent. The SESA Agent, which installs with the Event Collector if one is not already present, enables the communication and configuration of events between SESA and the ISS RealSecure SiteProtector product. Network connectivity must exist between the Event Collector computer and the SESA Manager computer. In addition, no firewall or device policy can block the connection between the Event Collector and the SESA Manager.

Ensuring network connectivity between the Event Collector computer and the SESA Manager
Appropriate routing must exist between the computer on which the collector component is installed and the SESA Manager for event messages to reach the SESA Manager.

Ensure network connectivity
You can verify the connectivity between two networked computers by executing a successful ping command from each computer or by running a test Telnet session.

20 Installing the Symantec Event Collector for ISS RealSecure SiteProtector
Before you install the Symantec Event Collector for ISS RealSecure SiteProtector

To execute the ping command
On the SESA Manager computer, at the command prompt, type the following command:
ping <AGENT IP ADDRESS>
where <AGENT IP ADDRESS> is the IP address of the computer on which you are installing the Event Collector. If the computers are properly connected, you receive several
e modified by an applicable Symantec license certificate, license coupon, or license key (each a "License Module") that accompanies, precedes or follows this license, and as may be further defined in the user documentation accompanying the Software. Your rights and obligations with respect to the use of this Software are as follows. You may: (A) use the number of copies of the Software as have been licensed to You by Symantec under a License Module. If the Software is part of a suite containing multiple Software titles, the number of copies You may use may not exceed the aggregate number of copies indicated in the License Module, as calculated by any combination of licensed Software titles. Your License Module shall constitute proof of Your right to make such copies. If no License Module accompanies, precedes or follows this license, You may make one copy of the Software You are authorized to use on a single computer; (B) make one copy of the Software for archival purposes, or copy the Software onto the hard disk of Your computer and retain the original for archival purposes; (C) use the Software on a network, provided that You have a licensed copy of the Software for each computer that can access the Software over that network; (D) use the Software in accordance with any written agreement between You and Symantec; and (E) after written consent from Symantec, transfer the Software on a permanent basis to another person or entity, provided t
ec Event Collector for ISS RealSecure SiteProtector ... 18
Planning for the Event Collector installation ... 18
System requirements ... 22
Event Collector system requirements ... 23
SESA Agent requirements ... 23
SESA Integration Package requirements ... 24
SESA Manager requirements
SESA DataStore requirements
Installing the Symantec Event Collector for ISS RealSecure SiteProtector ... 25
Installing the SESA Integration Package ... 25
Installing the collector component and SESA Agent ... 27
Testing the Event Collector installation ... 30

8 Contents

Chapter 3 Appendix A Index
After you install the Symantec Event Collector for ISS RealSecure SiteProtector ... 34
Running LiveUpdate on the SESA Manager ... 34
Configuring the SESA Manager to increase event throughput ... 34
Uninstalling the Event Collector
Uninstalling the collector component
Uninst
(Figure labels: ...ecure Manager, Enterprise database, SESA Agent)

12 Introducing the Symantec Event Collector for Internet Security Systems ISS RealSecure SiteProtector
How the Symantec Event Collector for ISS RealSecure SiteProtector works

Server-side component
The server side of the Symantec Event Collector for ISS RealSecure SiteProtector consists of a SESA Integration Package (SIP), which you install using the SESA Integration Wizard. This package extends the SESA DataStore tables and fields so that the DataStore can receive collected events from ISS RealSecure products. It also adds additional reports for viewing the collected events in the SESA Console.

Client-side components
The client side of the Symantec Event Collector for ISS RealSecure SiteProtector consists of the following components:
- Collector component: This component is the program that parses the ISS RealSecure Enterprise database. The collector component determines which events to forward, and then formats them for forwarding to the SESA Agent. The collector component can also be configured to perform event filtering tasks.
- SESA Agent: The SESA Agent is responsible for all communication with the SESA Manager. The collection component passes formatted events to the SESA Agent for forwarding to the SESA Manager.
The client computer must be able to connect to either a Symantec LiveUpdate server or a LiveUpdate server on your network to receive the latest event signatures.
eed at which events arrive at the SESA Manager for processing and insertion. If you anticipate more than 1,000 events per minute, you may want to lower the rate of event throttling or turn throttling off entirely.

Throttling the flow of events to the SESA Manager
The SESA Console has a throttling option available to regulate the flow of events between the SESA Manager and client computers on which SESA Agents reside. The Throttle desktop settings determine the delay, in seconds, of batched events sent by the SESA Agent on the SESA Manager computer to the SESA Agent on the client computers. The default value for Throttle desktop is 5 seconds, which instructs SESA to wait 5 seconds after an Agent sends a batch of events before sending the next batch. This severely limits the throughput of SESA Agents and therefore impedes unwanted intruders from overloading the SESA Manager with unwanted events.

Installing the Symantec Event Collector for ISS RealSecure SiteProtector 35
Uninstalling the Event Collector

However, the greater the throttle setting, the greater the risk of stagnating SESA-enabled security products that generate a large number of events. If you are not seeing events flow to the SESA Manager rapidly enough, you may want to first attempt lowering the value of the Throttle desktop setting to resolve the problem. You can set Throttle desktop to 0 to turn off throttling.

To throttle the flow of events to the SESA Manager
1. On the I
egulation. Certain Symantec products are subject to export controls by the U.S. Department of Commerce (DOC) under the Export Administration Regulations (EAR) (see www.bxa.doc.gov). Violation of U.S. law is strictly prohibited. Licensee agrees to comply with the requirements of the EAR and all applicable international, national, state, regional and local laws and regulations, including any applicable import and use restrictions. Symantec products are currently prohibited for export or re-export to Cuba, North Korea, Iran, Iraq, Libya, Syria and Sudan, or to any country subject to applicable trade sanctions. Licensee agrees not to export or re-export, directly or indirectly, any product to any country outlined in the EAR, nor to any person or entity on the DOC Denied Persons, Entities and Unverified Lists, the U.S. Department of State's Debarred List, or on the U.S. Department of Treasury's lists of Specially Designated Nationals, Specially Designated Narcotics Traffickers, or Specially Designated Terrorists. Furthermore, Licensee agrees not to export or re-export Symantec products to any military entity not approved under the EAR, or to any other entity for any military purpose, nor will it sell any Symantec product for use in connection with chemical, biological, or nuclear weapons or missiles capable of delivering such weapons.

7. General. If You are located in North America or Latin America, this Agreement will be governed by the l
erview SESA 10

P
preinstallation configuration 22
products supported 9

Q
queue size 13

R
reporting, centralized 9
reports
  All Events 44
  All Vulnerabilities Discovered By Severity 45
  All Vulnerabilities Discovered Last 30 days 45
  All Vulnerabilities Resolved By Severity 45
  All Vulnerability Audits 44
  By Generic Alert 44
  By Severity 44
  customizing 45
  Last 24 hours 44
  Last 30 days 44
  Last 8 hours 44
  Vulnerability Audit Errors 45
  Vulnerability Events 44

S
Security event category 13
SESA
  about 10
  events mapping 10
  integration components, installing 25
SESA Agent
  communication and configuration of events 19
  communication with SESA Manager 12
  events logged in 13, 14
  requirements 23
SESA Console
  accessing event information through 10
  and the Application Event category 14
  changing
    queue size 13
    the SESA Agent IP address and port number 24
  configuring Java LiveUpdate 38
SESA Console (continued)
  creating and distributing LiveUpdate configurations 50
  reports added to 12
  throttling the flow of events 34
  verifying
    event collection 33
    SESA Agent connectivity 32
    that the Event Collector appears in 10
  viewing
    events in 10
    Java LiveUpdate events in 49
SESA DataStore
  collected events 12, 15
  events stored in 10
  requirements 24
SESA Integration Package
  installing 25
  uninstalling 36
SESA Integration Wizard 12
SESA Manager
  requirements 24
  throttling the flow of events 34
  updating on demand 34
  verifying IP addres
ext box, type the IP address of the computer on which the SESA Directory is installed.

Installing the Symantec Event Collector for ISS RealSecure SiteProtector 27
Installing the Symantec Event Collector for ISS RealSecure SiteProtector

     If you are using authenticated SSL instead of the SESA default anonymous SSL, you must type the host name of the SESA Directory computer, for example, mycomputer.com. For more information on SESA default anonymous SSL and upgrading to authenticated SSL, see the Symantec Enterprise Security Architecture Installation Guide.
   - In the Secure Directory Port text box, type the number of the SESA Directory secure port. By default, the port number is 636.
8. Click Next.
9. In the Ready to proceed dialog box, do one of the following:
   - If you are ready to proceed, click Next.
   - If you want to change your settings, click Back.
10. In the Configuring Your System dialog box, after the process is completed, click Next.
11. In the SESA Integration Successful dialog box, click Finish.

Installing the collector component and SESA Agent
The collector component reads the data from the ISS RealSecure Enterprise database, formats the data, and forwards it to the SESA Agent. The computer on which you install the collector component must have access to the ISS RealSecure Enterprise database. You install the collector component on computers with the supported Windows operating systems. If the computer is already running the c
hat You retain no copies of the Software and the transferee agrees in writing to the terms of this license. You may not: (A) copy the printed documentation that accompanies the Software; (B) sublicense, rent or lease any portion of the Software; reverse engineer, decompile, disassemble, modify, translate, make any attempt to discover the source code of the Software, or create derivative works from the Software; (C) use the Software as part of a facility management, timesharing, service provider or service bureau arrangement; (D) use a previous version or copy of the Software after You have received and installed a disk replacement set or an upgraded version. Upon upgrading the Software, all copies of the prior version must be destroyed; (E) use a later version of the Software than is provided herewith unless You have purchased corresponding maintenance and/or upgrade insurance or have otherwise separately acquired the right to use such later version; (F) use, if You received the software distributed on media containing multiple Symantec products, any Symantec software on the media for which You have not received permission in a License Module; (G) use the Software to collect data from a type of technology other than when using a Symantec Event Manager product or another Symantec product designed for use with this Software that corresponds to that type of technology (i.e., antivirus, firewall, IDS, etc.); nor (H) use the Software in any manner
ion. At a minimum, you must specify the computer names and associated organizational units.

To edit Java LiveUpdate configuration properties
1. On the Configurations view tab, in the left pane, under the top-level SESA domain, expand LiveUpdate > Java LiveUpdate.
2. Under Java LiveUpdate, right-click the configuration that you want to modify, and then click Properties.
3. In the Configuration Properties dialog box, on the Computers tab, to add a computer, click Add.
4. In the Searching for Computers dialog box, in the Computer name text box, type a specific computer name or a combination of letters and an asterisk, and then click Search. By default, the Computer name text box contains an asterisk, which serves as a wildcard character displaying all computers that have been defined.
5. On the Found tab, select one or more computers, and then click OK.
6. If your computer is associated with a configuration group, on the Configuration Groups tab, click Add.
7. In the Find Configuration Groups dialog box, on the Found tab, select the configuration group to which the computer belongs, and then click OK.
8. On the Organizational Units tab, to associate an organizational unit with the selected computer, click Add.
9. In the Browse for Organizational Units dialog box, on the Found tab, select the organizational unit to which the computer belongs, and then click OK.
10. Repeat steps 4 through 9 as necessary.
11. In the Configuration Properties dialog b
ion on Windows
1. On the computer on which you installed the Event Collector, at the command prompt, navigate to the following directory (if the SESA Agent was installed to the default directory): C:\Program Files\Symantec\SESA Agent

Installing the Symantec Event Collector for ISS RealSecure SiteProtector
Installing the Symantec Event Collector for ISS RealSecure SiteProtector

2. To get statistics on the SESA Agent, type the following: java -jar agentcmd.jar status
The sample output, including the running status and the SESA Manager URL, is similar to the following:
SESA Agent status: running
Machine Id: **********
Listening on: 127.0.0.1:8086
SSL: On
SESA Manager URL: https://127.0.0.1:443/sesa/servlet
Total number of post failures: 0
Outbound Thread State: WAIT
Items in Outbound Queue: 0
Queue Status for ProdId 3000
Queue is stored in memory
Flush Size (KB): 50
Flush Time (sec): 300
Flush Count: 35
Spool Size (KB): 100
Max Queue Size (KB): 2000
Entries waiting in queue: 0
Total Events processed: 0
Total Queue Size (bytes): 0

Verifying event collection in the SESA Console
You must verify that the SESA Console is collecting events correctly.

To verify event collection in the SESA Console
1. Log on to the SESA Console using a SESA user account with sufficient rights to view SESA events. The SESA user must belong to a role that has rights to the SESA integrated Symantec Event Collector for
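The guide has you read the agentcmd status report by eye; the following is an added example (not Symantec's code) that parses a report of that shape and flags the conditions the surrounding sections tell you to check: agent running, SSL on, a Manager URL on the secure port, no failed posts, and a queue well below the 2 MB default maximum. It assumes the report uses a "Label: value" line layout; the guide's sample lost its punctuation in extraction, so that layout and the sample text below are constructed.

```python
"""Parse and sanity-check the output of `java -jar agentcmd.jar status`.

Added example, not part of the Symantec guide. Assumes each status line is
"Label: value"; adjust LINE_RE if your agent prints a different layout.
"""
import re
from urllib.parse import urlparse

# Constructed sample modelled on the guide's output (machine id obscured).
SAMPLE_STATUS = """\
SESA Agent status: running
Machine Id: **********
Listening on: 127.0.0.1:8086
SSL: On
SESA Manager URL: https://127.0.0.1:443/sesa/servlet
Total number of post failures: 0
Outbound Thread State: WAIT
Items in Outbound Queue: 0
Queue Status for ProdId 3000
Queue is stored in memory
Flush Size (KB): 50
Flush Time (sec): 300
Flush Count: 35
Spool Size (KB): 100
Max Queue Size (KB): 2000
Entries waiting in queue: 0
Total Events processed: 0
Total Queue Size (bytes): 0
"""

# Label up to the first colon, then the rest of the line as the value.
LINE_RE = re.compile(r"^\s*(?P<key>[^:]+?)\s*:\s*(?P<value>.*?)\s*$")


def parse_status(text):
    """Return a dict of label -> value; lines without a colon are skipped."""
    fields = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            fields[m.group("key")] = m.group("value")
    return fields


def _int(fields, key, default=0):
    """Integer view of a field; unparsable or missing values fall back."""
    try:
        return int(fields.get(key, default))
    except ValueError:
        return default


def check_agent(fields, expected_manager_port=443):
    """Return a list of problems; an empty list means the agent looks healthy.

    expected_manager_port is the MgmtPort value from configprovider.cfg
    (443 by default, per the guide).
    """
    problems = []
    if fields.get("SESA Agent status", "").lower() != "running":
        problems.append("agent is not running")
    if fields.get("SSL", "").lower() != "on":
        problems.append("SSL is off; events would leave the host in clear text")
    url = urlparse(fields.get("SESA Manager URL", ""))
    if url.scheme != "https":
        problems.append("Manager URL is not https")
    port = url.port or (443 if url.scheme == "https" else None)
    if port != expected_manager_port:
        problems.append(f"Manager port {port} differs from expected {expected_manager_port}")
    if _int(fields, "Total number of post failures") > 0:
        problems.append("agent reports failed posts to the SESA Manager")
    # The agent spools events while the Manager is unreachable, up to the
    # configured maximum; a queue near that limit means events will be lost.
    max_kb = _int(fields, "Max Queue Size (KB)")
    used_kb = _int(fields, "Total Queue Size (bytes)") // 1024
    if max_kb and used_kb >= 0.8 * max_kb:
        problems.append(f"queue at {used_kb} KB of {max_kb} KB; Manager may be unreachable")
    return problems


if __name__ == "__main__":
    for line in check_agent(parse_status(SAMPLE_STATUS)) or ["agent looks healthy"]:
        print(line)
```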
iteProtector retrieves new events from the ISS RealSecure Enterprise database. Each supported ISS RealSecure SiteProtector event is mapped to a corresponding SESA event. Each supported event is also assigned a Standard Event Code for use with Symantec Incident Manager. After you install Symantec Event Collector for ISS RealSecure SiteProtector, your ISS RealSecure SiteProtector product is integrated with SESA. When a product is integrated with SESA, you can use the SESA Console to view the events that it forwards to SESA. The SESA Console provides a central location in which to view and manage the reporting of event data across multiple SESA-integrated security products.

SESA is an event management system that collects data from events generated by security products. SESA categorizes events into classes, such as antivirus, content filtering, network security, and systems management. The range of events varies depending on the security products that integrate with SESA. The events conform to an extensible family of event classes and types, which are defined by sets of XML schema. Once collected, event information is stored in the SESA DataStore for access by SESA management functions through the SESA Console. For more information about SESA, see the Symantec Enterprise Security Architecture Installation Guide and the Symantec Enterprise Security Architecture Administrator's Guide.

Prior requirements for using the Symantec Event Collector for ISS
k
10. In the Configuring Your System dialog box, after the process is completed, click Next.
11. In the SESA Integration Successful dialog box, click Finish.

Installing Java LiveUpdate on the SESA Manager
Included with the Symantec Event Collector for ISS RealSecure SiteProtector is a SESA Integration Package that installs the Symantec Java LiveUpdate feature on the SESA Manager. This package can be installed to allow for the configuration of Java LiveUpdate through the SESA Console. After Java LiveUpdate is registered with the SESA Manager, you can create configurations to be distributed to any SESA-integrated product that uses Java LiveUpdate. The Java LiveUpdate configuration controls how Java LiveUpdate will execute, for example, which proxies and hosts to use. The configuration does not control the scheduling of LiveUpdate. See "Using LiveUpdate technology" on page 48.

To install Java LiveUpdate on the SESA Manager
1. On the SESA Manager computer, insert the Symantec Event Collector for Internet Security Systems RealSecure SiteProtector CD into the CD-ROM drive.
2. If the installation program starts automatically, click Cancel, and then click Exit to stop the automatic installation.
3. On the Windows taskbar, click Start > Run.
4. At the command prompt, type the following: cmd
5. Press Enter.
6. On the CD-ROM drive, change directories as follows: cd JLU20SIPI
7. To launch the installation, type the following comm
k program files
- 95 MB of hard disk space if the SESA Agent, JRE, and the Event Collector are on one computer.

Symantec software: One or both of the following installed:
- Symantec Event Manager for Intrusion Protection 1.0
- Symantec Incident Manager 2.0

Sun Java requirements: Java Runtime Environment (JRE) version 1.3.1_02. JRE is not required if the Event Collector is installed on the SESA Manager computer. Otherwise, it is installed along with the Event Collector.

Network connection: TCP/IP connection to a network with a fixed IP address.

Database connection: Microsoft SQL Server 2000 Driver for JDBC with Service Pack 2.

These requirements are in addition to resources or requirements of ISS RealSecure SiteProtector components that may be running on the same computer.

SESA Agent requirements
If you have more than one SESA-integrated product installed on a single computer, these products can share a SESA Agent. However, each product must register with the Agent. Consequently, even if an Agent has already been installed on the computer for another SESA-integrated security product, you must install the Event Collector to register it properly with the Agent. The SESA Agent is preconfigured to listen on IP address 127.0.0.1 and port number 8086. The Symantec Event Collector for ISS RealSecure SiteProtector

24 Installing the Symantec Event Collector for ISS RealSecure SiteProtector
System requirements

uses this information to communicate
(Report table, continued; columns: Report, Event family, Chart type, Description)
...lSecure SiteProtector vulnerabilities by SESA severity level
All Vulnerabilities Resolved By Severity | Vulnerability | Pie chart | Displays the distribution of resolved ISS RealSecure SiteProtector vulnerabilities by SESA severity level

Creating custom reports
In addition to the reports in the various Event Family folders, you can create customized event reports that display data that interests your organization. For example, to create a report that shows all connection attempts for a specific IP address, you can display the All Events report and add a filter that reports the IP address in which you are interested. For more information, see the Symantec Enterprise Security Architecture Administrator's Guide.

46 Using the Symantec Event Collector for ISS RealSecure SiteProtector
Integrating with Symantec Incident Manager

Integrating with Symantec Incident Manager
If you have Symantec Incident Manager installed, you can leverage many powerful event escalation and incident management features to do the following:
- Manually escalate an event or selection of events to an incident.
- Assign incidents to operational personnel and track status.
- Receive targeted information describing incidents with known signatures and the business impact.
For more information, see the Symantec Incident Manager Implementation Guide.

Starting and stopping the Event Collector and SESA Agent services
You can sta
me Page, select the Licensing and Registration link.

Contacting Technical Support

Customers with a current support agreement may contact the Technical Support group by phone or online at www.symantec.com/techsupp. Customers with Platinum support agreements may contact Platinum Technical Support via the Platinum Web site at www-secure.symantec.com/platinum.

When contacting the Technical Support group, please have the following:
- Product release level
- Hardware information
- Available memory, disk space, NIC information
- Operating system
- Version and patch level
- Network topology
- Router, gateway, and IP address information
- Problem description
- Error messages, log files
- Troubleshooting performed prior to contacting Symantec
- Recent software configuration changes and/or network changes

Customer Service

To contact Enterprise Customer Service online, go to www.symantec.com, select the appropriate Global Site for your country, then choose Service and Support. Customer Service is available to assist with the following types of issues:
- Questions regarding product licensing or serialization
- Product registration updates, such as address or name changes
- General product information (features, language availability, local dealers)
- Latest information on product updates and upgrades
- Information on upgrade insurance and maintenance contracts
- Information on the Symantec Value License Program
- Advice on Symantec's technical support options
- No
n Updates for virus outbreaks and security alerts.

Symantec technical support offerings include:
- A range of support options that give you the flexibility to select the right amount of service for any size organization
- Telephone and Web support components that provide rapid response and up-to-the-minute information
- Upgrade insurance that delivers automatic software upgrade protection
- Content Updates for virus definitions and security signatures that ensure the highest level of protection
- Global support from Symantec Security Response experts, which is available 24 hours a day, 7 days a week worldwide in a variety of languages for those customers enrolled in the Platinum Support Program
- Advanced features such as the Symantec Alerting Service and the Technical Account Manager role, which offer enhanced response and proactive security support

Please visit our Web site for current information on Support Programs. The specific features available may vary based on the level of support purchased and the specific product that you are using.

Licensing and registration

If the product that you are implementing requires registration and/or a license key, the fastest and easiest way to register your service is to access the Symantec licensing and registration site at www.symantec.com/certificate. Alternatively, you may go to www.symantec.com/techsupp/ent/enterprise.html, select the product that you wish to register, and from the Product Ho
new folder labeled Symantec Event Collector for ISS RealSecure SiteProtector and that it contains the following reports, depending on the type of data family that you expanded:

Intrusion Detection:
- All Events
- Last 30 days
- Last 24 hours
- Last 8 hours

Host Intrusion Detection and Network Intrusion Detection: all Intrusion Detection reports, plus the following:
- By Severity
- By Generic Alert

Vulnerability Event Family:
- Vulnerability Events
- All Vulnerability Audits
- Vulnerability Audit Errors
- All Vulnerabilities Discovered Last 30 Days
- All Vulnerabilities Discovered By Severity
- All Vulnerabilities Resolved By Severity

On the Configurations view tab, expand the top-level domain. Verify that the Symantec Event Collector for ISS RealSecure SiteProtector is listed.

For more information about reports and views, see the Symantec Enterprise Security Architecture Administrator's Guide.

To verify that the Event Collector was successfully installed
1. On the Event Collector computer, on the Windows taskbar, click Start > Settings > Control Panel.
2. In the Control Panel window, double-click Add/Remove Programs.
3. In the Add/Remove Programs dialog box, verify that Symantec Event Collector for ISS RealSecure SiteProtector is listed.

Verifying the SESA Manager IP a
ntechnical presales questions
- Missing or defective CD-ROMs or manuals

Symantec Software License Agreement
Event Collectors

SYMANTEC CORPORATION AND/OR ITS SUBSIDIARIES ("SYMANTEC") IS WILLING TO LICENSE THE SOFTWARE TO YOU AS AN INDIVIDUAL, THE COMPANY, OR THE LEGAL ENTITY THAT WILL BE UTILIZING THE SOFTWARE (REFERENCED BELOW AS "YOU" OR "YOUR") ONLY ON THE CONDITION THAT YOU ACCEPT ALL OF THE TERMS OF THIS LICENSE AGREEMENT. READ THE TERMS AND CONDITIONS OF THIS LICENSE AGREEMENT CAREFULLY BEFORE USING THE SOFTWARE. THIS IS A LEGAL AND ENFORCEABLE CONTRACT BETWEEN YOU AND THE LICENSOR. BY OPENING THIS PACKAGE, BREAKING THE SEAL, CLICKING THE "AGREE" OR "YES" BUTTON OR OTHERWISE INDICATING ASSENT ELECTRONICALLY, OR LOADING THE SOFTWARE, YOU AGREE TO THE TERMS AND CONDITIONS OF THIS AGREEMENT. IF YOU DO NOT AGREE TO THESE TERMS AND CONDITIONS, CLICK THE "I DO NOT AGREE" OR "NO" BUTTON OR OTHERWISE INDICATE REFUSAL AND MAKE NO FURTHER USE OF THE SOFTWARE.

1. License. The software and documentation that accompanies this license (collectively the "Software") is the proprietary property of Symantec or its licensors and is protected by copyright law. While Symantec continues to own the Software, You will have certain rights to use the Software after Your acceptance of this license. This license governs any releases, revisions, or enhancements to the Software that the Licensor may furnish to You. Except as may b
nternet, go to https://<IP address or FQDN of the SESA Manager computer>/sesa/ssmc.
2. Log on to the SESA Console using a SESA user account that has sufficient rights to modify SESA configurations. The SESA user must belong to a Manager role that has rights to the SESA-enabled security product.
3. In the SESA Console, on the Configurations view tab, expand <DomainName SES> > SESA > SESA Manager Configuration.
4. Select the configuration that you want to edit.
5. In the right pane, on the Throttle tab, set the desired value for Throttle desktop. This is the time, in seconds, that SESA waits between sending batched events from the SESA Agent queues on the SESA client computers to the SESA Manager. The minimum value is 0, which disables throttling.
6. Click Apply.

Uninstalling the Event Collector

You uninstall the Symantec Event Collector for ISS RealSecure SiteProtector by uninstalling the collector component on the client computer and removing the SESA Integration Package from the SESA Manager computer.

Uninstalling the collector component

Uninstall the collector component from computers that no longer have access to the ISS RealSecure Enterprise database. You use the uninstaller program to uninstall the collector component. If no other products on the collector component computer use the SESA Agent, the uninstaller also removes the SESA Agent.
ou can do this by modifying an existing configuration, such as the Default Java LiveUpdate configuration, or you can create a new Java LiveUpdate configuration. To create a new LiveUpdate configuration, you must use the Create a new Configuration wizard. After you have created or modified a configuration as appropriate, you can distribute it to Java LiveUpdate computers. See "Distributing a Java LiveUpdate configuration" on page 54.

To modify an existing Java LiveUpdate configuration
1. Edit the Java LiveUpdate configuration properties to add the computers that will use the Java LiveUpdate configuration. See "Editing Java LiveUpdate configuration properties" on page 53.
2. Modify the Java LiveUpdate configuration to specify configuration settings. See "Modifying a Java LiveUpdate configuration" on page 53.

To create a new Java LiveUpdate configuration
1. On the Configurations view tab, in the left pane, under the top-level SESA domain, expand LiveUpdate > Java LiveUpdate.
2. Right-click Java LiveUpdate, and then click New.
3. In the first dialog box of the Create a new Configuration wizard, click Next.
4. In the General dialog box, type a configuration name and, optionally, a description, and then click Next.
5. In the Computers dialog box, click Add.
6. In the Searching for Computers dialog box, in the Computer name text box
ox, click OK.

Modifying a Java LiveUpdate configuration

To change an existing Java LiveUpdate configuration, you modify one or more settings on the Java LiveUpdate tabs.

To modify a Java LiveUpdate configuration
1. On the Configurations view tab, in the left pane, under the top-level SESA domain, expand LiveUpdate > Java LiveUpdate.
2. Under Java LiveUpdate, select the configuration that you want to modify. The Java LiveUpdate configuration settings tabs appear in the right pane.
3. Modify the configuration using the following tabs as necessary:
- General configuration settings
- Java LiveUpdate configuration settings
- Hosts configuration settings

Distributing a Java LiveUpdate configuration

You can distribute a Java LiveUpdate configuration to any of the following computer platforms:
- Windows 32-bit
- Linux
- Solaris
- AIX
- HP-UX
- Macintosh

To successfully distribute a Java LiveUpdate configuration, you must have specified the target computers and organizational units when you created or modified the Java LiveUpdate configuration.

To distribute a Java LiveUpdate configuration
1. On the Configurations view tab, in the left pane, under the top-level SESA domain, expand LiveUpdate > Java LiveUpdate.
2. Under Java LiveUpdate, right-click a configuration, and then click Distribute.
3. When you are prompted to distribute the configuration, click Yes.
rk and FireWall-1 is a registered trademark of Check Point Software Technologies Ltd. Internet Security Systems and SiteProtector are trademarks, and RealSecure is a registered trademark, of Internet Security Systems, Inc. NetScreen is a trademark of NetScreen Technologies, Inc. Snort is a trademark of Sourcefire, Inc. Microsoft, Windows, and Windows NT are trademarks or registered trademarks of Microsoft Corporation. IBM, DB2, and SecureWay are registered trademarks of IBM Corporation. This product includes software that was developed by the Apache Software Foundation. Other brands and product names that are mentioned in this manual may be trademarks or registered trademarks of their respective companies and are hereby acknowledged.

Printed in the United States of America.

Technical support

As part of Symantec Security Response, the Symantec global Technical Support group maintains support centers throughout the world. The Technical Support group's primary role is to respond to specific questions on product feature/function, installation, and configuration, as well as to author content for our Web-accessible Knowledge Base. The Technical Support group works collaboratively with the other functional areas within Symantec to answer your questions in a timely fashion. For example, the Technical Support group works with Product Engineering as well as Symantec Security Response to provide Alerting Services and Virus Definitio
rt or stop the Event Collector or the SESA Agent service if necessary.

The Event Collector runs as a service on the host computer on which it is installed. To start and stop the Event Collector or the SESA Agent, you start and stop the corresponding service.

To start or stop the Event Collector service on Windows
1. On the computer on which you installed the Event Collector, on the Windows taskbar, click Start > Settings > Control Panel > Administrative Tools > Services.
2. Right-click the Symantec Event Collector for ISS RealSecure SiteProtector service.
3. Select one of the following:
- Start
- Stop

To start or stop the SESA Agent service on Windows
1. On the computer on which you installed the Event Collector, on the Windows taskbar, click Start > Settings > Control Panel > Administrative Tools > Services.
2. Right-click the SESA AgentStart service.
3. Select one of the following:
- Start
- Stop

Configuring the SESA Agent

The SESA Agent uses default logging parameters that are appropriate for most event collection circumstances. Table 3.2 lists the logging parameters.

Table 3.2 SESA Agent logging parameters
Listen IP: 127.0.0.1 (the IP address on which the SESA Agent listens)
Listen port: 8086 (the port on which the SESA
s Network Intrusion Detection

Last 8 hours (Intrusion Detection, Host Intrusion Detection, and Network Intrusion Detection; table): Displays all events that are logged by the Event Collector in the last 8 hours.

By Severity (Host Intrusion Detection and Network Intrusion Detection; pie chart): Displays the distribution of ISS RealSecure SiteProtector events by SESA severity level.

By Generic Alert (Host Intrusion Detection and Network Intrusion Detection; pie chart): Displays the most frequent Generic Alert codes reported by the Event Collector. The Generic Alert code is a Symantec-normalized code that uniquely identifies a security event.

Vulnerability Events (Vulnerability; table): Displays all vulnerabilities that are logged by the Event Collector.

All Vulnerability Audits (Vulnerability; table): Displays all vulnerability audits that are logged by the Event Collector.

Table 3.1 Symantec Event Collector for ISS RealSecure SiteProtector reports

Vulnerability Audit Errors (Vulnerability; table): Displays all vulnerability audit errors that are logged by the Event Collector.

All Vulnerabilities Discovered Last 30 days (Vulnerability; table): Displays all vulnerabilities that are logged by the Event Collector in the last 30 days.

All Vulnerabilities Discovered By Severity (Vulnerability; pie chart): Displays the distribution of ISS Rea
s and port 32
severities of events 14
Standard Event Code 12
supported products 9
Symantec Event Collector for ISS RealSecure SiteProtector
  about 9
  components of 19
  installing 25
  starting and stopping service 46
  system requirements for SESA integration 22
  uninstalling 35
  verifying operation 35
Symantec Incident Manager 12, 46
system requirements
  Event Collector 23
  SESA Agent 23
  SESA DataStore 24
  SESA Integration Package 24
  SESA Manager 24

T
throttling event flow 34

U
uninstallation of Event Collector 35
updates, SESA Manager 34

V
Vulnerability Event Family 43

W
Warning event severity level 14
stalled and operating properly on Microsoft SQL Server 2000 with Service Pack 3a. For more information, see the Internet Security Systems RealSecure SiteProtector documentation.

The Event Collector is capable of processing events forwarded to the ISS RealSecure SiteProtector product from any combination of the following ISS sensor products:
- Internet Security Systems RealSecure Gigabit Network Sensor 7.0
- Internet Security Systems RealSecure Network Sensor 6.5, 7.0
- Internet Security Systems RealSecure Server Sensor 6.0.1, 6.5, 7.0 on Windows 2000, Solaris, and Linux

The Symantec Event Collector for ISS RealSecure SiteProtector installs the SESA Agent and the collector component on the same computer. The Event Collector must have access to the ISS RealSecure Enterprise database.

Event Collector system requirements

The computer on which you install the SESA Agent must meet the following minimum system requirements.

Operating system
- Microsoft Windows 2000 Server with Service Pack 3
- Microsoft Windows 2000 Advanced Server with Service Pack 3

Processor: Intel Pentium-compatible 133 MHz processor, up to and including Xeon class

Memory
- 32 MB of memory for the SESA Agent
- 64 MB RAM for each ISS RealSecure SiteProtector product (128 MB or more recommended)

Hard disk space
- 35 MB of hard disk space for the Event Collector framewor
sword, type the password for the ISS RealSecure Enterprise database logon account.
14. Click Next.
15. In the "Symantec Event Collector for ISS RealSecure SiteProtector will be installed in the following location" dialog box, verify the summary information, and then click Next. The installation process may take several minutes. Do not close any windows that appear during the installation process.
16. In the "It is recommended that you run Java LiveUpdate to check for the most recent collector updates" dialog box, to run Java LiveUpdate, click Yes, and then click Next.
17. In the "InstallShield Wizard has successfully installed Symantec Event Collector for ISS RealSecure SiteProtector" dialog box, click Finish.

Testing the Event Collector installation

After the Event Collector is installed, you can verify that the appropriate components are installed and working properly by doing the following:
- Verifying the Event Collector installation
- Verifying the SESA Manager IP address and port
- Verifying SESA Agent operation
- Verifying event collection in the SESA Console

Verifying the Event Collector installation

You must verify that the Event Collector is installed correctly. To verify the installation, do the following:
- On the Event Collector computer, verif
t SQL Server 2000 Driver for JDBC
1. On a computer on which the collector component of the Symantec Event Collector for ISS RealSecure SiteProtector is to be installed, navigate to the directory in which you downloaded or copied the Microsoft SQL Server 2000 Driver for JDBC. The driver file name is Setup.exe.
2. Run Setup.exe.
3. Follow the on-screen instructions.

System requirements

Before you install the Symantec Event Collector for ISS RealSecure SiteProtector, ensure that the computer on which the SESA DataStore is installed has enough hard disk space to accommodate the additional security events that ISS RealSecure SiteProtector sends to it. In addition, ensure that the computer or computers on which you plan to install the Event Collector meet the necessary requirements and that the following conditions have been met:

SESA: SESA version 1.1 is installed and operating properly. If you have an earlier version of SESA, you must first uninstall it before you can install version 1.1. You cannot migrate earlier versions of SESA to version 1.1 or reinstall over earlier versions; version 1.1 is not backward compatible. For more information, see the Symantec Enterprise Security Architecture Installation Guide.

Third-party software: Internet Security Systems (ISS) RealSecure SiteProtector 2.0 with Service Pack 2 or later is in
t Security Systems (ISS) RealSecure SiteProtector

This chapter includes the following topics:
- About the Symantec Event Collector for ISS RealSecure SiteProtector
- Components of the Symantec Event Collector for ISS RealSecure SiteProtector
- How the Symantec Event Collector for ISS RealSecure SiteProtector works
- What you can do with the Symantec Event Collector for ISS RealSecure SiteProtector

About the Symantec Event Collector for ISS RealSecure SiteProtector

The Symantec Event Collector for ISS RealSecure SiteProtector enables centralized, cross-tier logging, alerting, and reporting between the Symantec Enterprise Security Architecture (SESA) event management system and ISS RealSecure SiteProtector. The Symantec Event Collector for ISS RealSecure SiteProtector retrieves events that are generated by ISS RealSecure SiteProtector and forwards these events to SESA.

About SESA

You can configure the Event Collector to selectively filter the events that you want to forward to SESA. These events are stored in the SESA DataStore, a database where you can view them in reports, use them as the basis for configuring alert notifications and incident creation, and configure them as raw data for report generation. The Symantec Event Collector for ISS RealSecure S
tabase computer, click Next.
- If the local SESA Manager is not running or the Microsoft SQL Server 2000 Driver for JDBC has not been installed on the ISS RealSecure Enterprise database computer, click Cancel. See "To install the Microsoft SQL Server 2000 Driver for JDBC" on page 21.
7. If a SESA Agent has not been installed, in the "Please enter the destination directory for installing the SESA Agent" dialog box, do one of the following:
- To use the default folder, click Next.
- To select another folder, click Browse, and then click Next.
Ensure NTFS-based ACL protection by selecting a folder on a volume that uses the NTFS file system. Do not select the root directory. This dialog box does not appear if a SESA Agent is already installed.
8. If a SESA Agent has not been installed, in the Symantec Security Architecture (SESA) Agent Information dialog box, do the following:
- In the Primary SESA Manager IP address box, type the IP address of the SESA Manager to which the SESA Agent regularly directs events.
- In the Primary SESA Management Port box, type the port number. The default is port 443.
- In the Secondary SESA Manager IP address box, type the IP address of the SESA Manager to which the SESA Agent directs events upon failure of the primary SESA Manager. If there is no secondary SESA Manager, leave this box blank.
- In the Secondary SESA Management Port box, type the port number of the secondary SESA Manager. If there is no secondary SESA Manager, leave
tart > Programs > Control Panel > Scheduled Tasks.
2. Right-click At1, and then click Delete.
3. Right-click At2, and then click Delete.

Uninstalling the SESA Integration Package

Uninstalling the SESA Integration Package for ISS RealSecure SiteProtector removes only the information (such as tables, fields, and reports) specific to the Symantec Event Collector for ISS RealSecure SiteProtector from the SESA Manager. You uninstall the SESA Integration Package (SIP) by running the SESA Integration Wizard. You must run the SESA Integration Wizard on every SESA Manager on which you installed the Symantec Event Collector for ISS RealSecure SiteProtector.

Warning: To protect the integrity of the SESA Directory, if you uninstall the SESA Integration Package from one SESA Manager, you must uninstall the SESA Integration Package from all of the SESA Managers on which it was installed. Do not uninstall the SESA Integration Package from more than one SESA Manager at a time.

To uninstall the SESA Integration Package
1. On the SESA Manager computer, insert the Symantec Event Collector for Internet Security Systems RealSecure SiteProtector CD into the CD-ROM drive.
2. If you have AutoStart enabled and the SESA Integration Wizard window appears, cancel the SESA Integration Wizard. You must uninstall the SESA Integration Package
teProtector events from being sent to the SESA Manager
1. On the Event Collector computer, log on as Administrator.
2. In a text editor, open the DE_CustomerRules rule file in the collector installation directory. The default directory is C:\Program Files\Symantec\SiteProtectorCollector\kb\2.0.
3. Copy and paste the indicated sample area in the file header to make a duplicate. This serves as a template, so you can replace the ExampleAlert value with the Standard Event Code that you want to filter. For example, the following lines filter out any events with the Standard Event Code of LiveUpdateSuccess:

   If GenericAlert is LiveUpdateSuccess then
       GoalState
   Endif

4. Delete the comment marker symbol from the duplicated lines to make them active.

Viewing reports for the Event Collector

The Symantec Event Collector for ISS RealSecure SiteProtector lets you use the SESA Console to view the events that it logs. The SESA Integration Package (SIP) that you installed on the SESA Manager includes predefined reports for Symantec Event Collector for ISS RealSecure SiteProtector events. The reports that are specific to ISS RealSecure SiteProtector events are stored within the following Event Families:
- Intrusion Detection Event Family
- Host Intrusion Detection Event Family
- Vulnerability Event Family
- Network
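The following Python is an added example, not code from this guide or from the Symantec product: it simulates what the two procedures in "Filtering events" set up, namely looking up an event's Standard Event Code (the value the rule compares against GenericAlert) and suppressing matching events with a GoalState rule in DE_CustomerRules. The rule file and events are constructed for the example. Three things the guide leaves unstated are assumed here and marked in the code: the comment marker is "#", a code matches by exact, case-sensitive string comparison, and a matched rule means the event is not forwarded to the SESA Manager.

```python
"""Simulation of the DE_CustomerRules filter described above.

This is an added example; it is not the Symantec collector's rule engine and
not code from the guide. It reproduces the rule shape the guide shows
(If GenericAlert is <code> then / GoalState / Endif) and applies it to a few
constructed events. Assumptions not stated in the guide: the comment marker is
'#', a code matches by exact, case-sensitive string comparison, and a matched
rule means the event is not forwarded to the SESA Manager.
"""
import re
from typing import Dict, Iterable, List, Tuple

COMMENT_MARKER = "#"  # assumption: the guide does not name the marker symbol

# First line of a rule; the next two lines must be GoalState and Endif.
RULE_RE = re.compile(r"^If\s+GenericAlert\s+is\s+(\S+)\s+then$", re.IGNORECASE)


def parse_rules(text: str) -> List[str]:
    """Return the Generic Alert codes that active rules filter out.

    Lines that start with the comment marker are templates and are ignored,
    so a rule whose marker was never removed (step 4 above) filters nothing;
    a rule that is not closed with GoalState/Endif is reported as an error
    instead of being silently skipped.
    """
    lines = [ln.strip() for ln in text.splitlines()]
    codes: List[str] = []
    i = 0
    while i < len(lines):
        line = lines[i]
        if not line or line.startswith(COMMENT_MARKER):
            i += 1
            continue
        m = RULE_RE.match(line)
        if m is None:
            raise ValueError(f"line {i + 1}: unrecognised rule text: {line!r}")
        body = lines[i + 1] if i + 1 < len(lines) else ""
        end = lines[i + 2] if i + 2 < len(lines) else ""
        if body.lower() != "goalstate" or end.lower() != "endif":
            raise ValueError(f"line {i + 1}: rule is not closed with GoalState/Endif")
        codes.append(m.group(1))
        i += 3
    return codes


def filter_events(events: Iterable[Dict[str, str]],
                  filtered_codes: Iterable[str]) -> Tuple[List[Dict[str, str]], List[Dict[str, str]]]:
    """Split events into (forwarded, dropped) according to the parsed rules."""
    drop = set(filtered_codes)
    forwarded: List[Dict[str, str]] = []
    dropped: List[Dict[str, str]] = []
    for event in events:
        (dropped if event.get("GenericAlert") in drop else forwarded).append(event)
    return forwarded, dropped


# Constructed rule file: a commented template like the one in the file header,
# plus one active rule that suppresses LiveUpdateSuccess, as in the guide's example.
SAMPLE_RULES = """\
# Template: copy these lines, replace ExampleAlert, remove the marker.
# If GenericAlert is ExampleAlert then
#     GoalState
# Endif

If GenericAlert is LiveUpdateSuccess then
    GoalState
Endif
"""

# Constructed events; only GenericAlert matters, the other field is illustrative.
SAMPLE_EVENTS = [
    {"GenericAlert": "LiveUpdateSuccess", "source": "collector-host"},
    {"GenericAlert": "ExampleAlert", "source": "sensor-1"},
    {"GenericAlert": "LiveUpdateSuccess", "source": "collector-host"},
    {"GenericAlert": "SomeOtherAlert", "source": "sensor-2"},
]


def run_sample() -> Tuple[int, int]:
    """Return (forwarded, dropped) counts for the constructed rules and events."""
    forwarded, dropped = filter_events(SAMPLE_EVENTS, parse_rules(SAMPLE_RULES))
    return len(forwarded), len(dropped)


if __name__ == "__main__":
    print(run_sample())  # (2, 2)
```

Two points worth checking against a real deployment: the still-commented ExampleAlert template filters nothing, so an edit that skips step 4 leaves every event flowing, and a matched rule stops the event before the SESA Manager, so a filtered event never reaches the SESA DataStore and cannot later be reported on or escalated to an incident. Filter only codes you are certain have no investigative value.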
this box blank.
This dialog box does not appear if a SESA Agent is already installed.
9. Click Next.
10. In the "Please enter the destination directory for installing the Symantec Event Collector for ISS RealSecure SiteProtector" dialog box, do one of the following:
- To use the default folder, click Next.
- To select another folder, click Browse, and then click Next.
Ensure NTFS-based ACL protection by selecting a folder on a volume that uses the NTFS file system. Do not select the root directory.
11. In the Symantec Event Collector for ISS RealSecure SiteProtector Information dialog box, if necessary, change the following settings:
- ISS SiteProtector Database Name
- ISS SiteProtector Database Hostname. The Installation Wizard automatically detects the host name of the local computer.
- ISS SiteProtector Database Port. The default setting is 1433.
- Location of the Microsoft SQL Server 2000 Driver for JDBC. The default location for the JDBC JAR files is C:\Program Files\Microsoft SQL Server Driver for JDBC\Lib.
12. Under ISS SiteProtector Database Username, type the user name for the ISS RealSecure Enterprise database logon account. This should be a read-only account. See "To add a read-only database user to the ISS RealSecure Enterprise database" on page 21.
13. Under ISS SiteProtector Database Pas
uration groups to which the computer or computers belong.

Java LiveUpdate configurations let you specify network proxy server settings that may be required for Java LiveUpdate sessions in your network environment. You can also specify additional LiveUpdate HTTP or FTP servers to use for downloading product updates. In addition, you can create a LiveUpdate configuration to specify that certain LiveUpdate computers use a LiveUpdate configuration file other than the default one. Similarly, you can specify that certain LiveUpdate computers use an internal LiveUpdate Administration host server. Java LiveUpdate configurations also let you specify the maximum size of LiveUpdate log files.

To create a new Java LiveUpdate configuration, you use the Create a new Configuration wizard. After the configuration is created, you can make additional changes by selecting Properties. You can also configure the Default Java LiveUpdate configuration.

See "Working with Java LiveUpdate configurations" on page 51.
See "Distributing a Java LiveUpdate configuration" on page 54.

Working with Java LiveUpdate configurations

You can create a new Java LiveUpdate configuration or modify an existing one, such as the Default configuration. Before you can distribute a Java LiveUpdate configuration, you must first configure it for distribution. Y
urrent version of the SESA Agent, the installation program installs only the collector component and registers it with the SESA Agent. If the SESA Agent is not already installed, the installation program prompts you to specify the information that is needed to install it.

To install the collector component on Windows
1. On the computer with access to the ISS RealSecure Enterprise database, insert the Symantec Event Collector for Internet Security Systems RealSecure SiteProtector CD into the CD-ROM drive.
2. If the installation program does not start automatically, navigate to the CD-ROM drive, and then double-click Install\setup_win32.exe.
3. In the Welcome to the Symantec Event Collector for ISS RealSecure SiteProtector Install Wizard dialog box, click Next.
4. In the Symantec Software License Agreement dialog box, click "I accept the terms of the license agreement", and then click Next.
5. In the "Please choose the option you wish to install" dialog box, click Install Symantec EC for ISS RealSecure SiteProtector, and then click Next.
6. In the Symantec Event Collector for ISS RealSecure SiteProtector Requirements dialog box, do one of the following:
- If the SESA Manager is running on the network and you have installed the Microsoft SQL Server 2000 Driver for JDBC on the ISS RealSecure Enterprise da
vent data depends on how many devices are logging events, how verbose they are, and how long you want to keep the event data in the database. 128 GB should be sufficient to store events from several SESA Agents for 30 days. This number is in addition to the disk space for other devices that may already be reporting to SESA. A 128 GB SESA DataStore can store 17-19 million events. You must ensure that the DataStore computer has a fixed IP address.

Table 2.1 describes the suggested minimum size of the SESA DataStore based on the anticipated number of events received in 30 days.

Table 2.1 Minimum size of the SESA DataStore based on data rate
Data rate | Events in 30 days | Minimum DataStore size
10 events per second | 25,920,000 | 172 GB
30 events per second | 77,760,000 | 518 GB
60 events per second | 155,520,000 | 1,036 GB
100 events per second | 259,200,000 | 1,728 GB

Installing the Symantec Event Collector for ISS RealSecure SiteProtector

The Event Collector gathers security information from the ISS RealSecure SiteProtector product. The Event Collector sends the information through the SESA Agent to the SESA Manager for insertion in the SESA DataStore. The Event Collector installation sequence is as follows:
- Install the SESA Integration Package (SIP) on the SESA Manager using the SESA Integration Wizard. If you are installing the
w raw data and reports in the SESA Console. See "Viewing reports for the Event Collector" on page 43.
- Create custom reports in the SESA Console. See "Creating custom reports" on page 45.
- Configure the Event Collector to filter events and perform some event analysis. See "Configuring the Event Collector" on page 41.
- Integrate your events for correlation within Symantec Incident Manager, if Symantec Incident Manager is installed on your SESA Manager. See "Integrating with Symantec Incident Manager" on page 46.
- Retrieve updated content and rules as they become available. See "Using LiveUpdate technology" on page 48.

Chapter 2
Installing the Symantec Event Collector for ISS RealSecure SiteProtector

This chapter includes the following topics:
- Before you install the Symantec Event Collector for ISS RealSecure SiteProtector
- System requirements
- Installing the Symantec Event Collector for ISS RealSecure SiteProtector
- After you install the Symantec Event Collector for ISS RealSecure SiteProtector
- Uninstalling the Event Collector
- Installing Java LiveUpdate on the SESA Manager

Before you install the Symantec Event Collector for ISS RealSe
x, type the number of the SESA Directory secure port. By default, the port number is 636. Click Next.

In the Ready to proceed dialog box, do one of the following:
- If you are ready to proceed, click Next.
- If you want to change your settings, click Back.

In the Configuring Your System dialog box, view the progress of the configuration of the SESA Console for the Symantec Event Collector for ISS RealSecure SiteProtector, and then click Next.

In the SESA Integration Successful dialog box, verify that your installation is complete, and then click Finish.

Chapter 3
Using the Symantec Event Collector for ISS RealSecure SiteProtector

This chapter includes the following topics:
- Configuring the Event Collector
- Viewing reports for the Event Collector
- Creating custom reports
- Integrating with Symantec Incident Manager
- Starting and stopping the Event Collector and SESA Agent services
- Configuring the SESA Agent
- Using LiveUpdate technology

Configuring the Event Collector

You can configure the Symantec Event Collector for ISS RealSecure SiteProtector to filter events that you do not want to forward to the SESA Manager.

Filtering events

You perform event filtering by modifying the DE_CustomerRules rule file in the SiteProtectorCollector\kb\2.0 directory. The DE_CustomerRules rule file is a special te
71. xt file that you can edit to determine how some events will be processed by the Event Collector 42 Using the Symantec Event Collector for ISS RealSecure SiteProtector Configuring the Event Collector Filter events Events are filtered based on their Generic Event Code You must know the Standard Event Code for an event before you can filter it You determine the Standard Event Code for a particular event by examining it in the SESA Console Then you can filter events so that they are not sent to the SESA Manager To determine the Standard Event Code for an event 1 Log on to the SESA Console using a SESA user account with sufficient rights to view SESA events On the Events view tab in the left pane expand the top level domain and then expand SESA DataStore Do one of the following m Expand Intrusion Detection m Expand Host Intrusion Detection m Expand Vulnerability Event Family m Expand Network Intrusion Detection Expand Symantec Event Collector for ISS RealSecure SiteProtector Do one of the following m Click All Events m Ifyou selected the Vulnerability Event Family select the appropriate vulnerabilities report In the right pane locate and double click the event of the type that you want to filter In the Event Details window locate the Intrusion Symantec Signature field The string value of this field such as LiveUpdateSuccess will be the value on which you will filter To filter ISS RealSecure Si
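The procedure above identifies the string in the Intrusion Symantec Signature field as the value a filter matches on. The following is an added example, not Symantec code and not the DE_CustomerRules syntax (which this page does not reproduce): it uses a hypothetical one-rule-per-line format ("drop <signature>", with "#" comments) and constructed sample events, and shows the three behaviours a practitioner wants from such a filter: exact, case-sensitive matching on the signature string, events that lack the field are forwarded rather than silently dropped, and a malformed rule line fails loudly instead of quietly matching nothing or everything.

```python
"""Illustrative event filter keyed on the Intrusion Symantec Signature field.

Added example, not Symantec code. The rule-file format parsed here
("drop <signature>" per line, '#' comments) is a hypothetical stand-in;
the real DE_CustomerRules syntax is not shown on this page.
"""
from dataclasses import dataclass, field

# Field name exactly as shown in the SESA Console Event Details window.
SIGNATURE_FIELD = "Intrusion Symantec Signature"


def parse_rules(text: str) -> set[str]:
    """Parse hypothetical rule text into the set of signature strings to drop.

    Blank lines and '#' comments are ignored. Any other line that is not
    'drop <signature>' raises, so a typo cannot silently become a no-op
    (or, worse, an over-broad) filter.
    """
    drops: set[str] = set()
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2 or parts[0].lower() != "drop" or not parts[1].strip():
            raise ValueError(f"rule line {lineno}: expected 'drop <signature>', got {raw!r}")
        drops.add(parts[1].strip())
    return drops


@dataclass
class FilterResult:
    forwarded: list[dict] = field(default_factory=list)  # sent on to the SESA Manager
    dropped: list[dict] = field(default_factory=list)    # discarded at the collector


def filter_events(events: list[dict], drops: set[str]) -> FilterResult:
    """Split events into forwarded and dropped by exact signature match."""
    result = FilterResult()
    for ev in events:
        sig = ev.get(SIGNATURE_FIELD)
        # Exact, case-sensitive comparison on the string value of the field.
        # An event with no signature field is never dropped: an unknown event
        # should reach the SESA Manager, not vanish because of a filter.
        if isinstance(sig, str) and sig in drops:
            result.dropped.append(ev)
        else:
            result.forwarded.append(ev)
    return result


# Constructed sample rule text (hypothetical format, see module docstring).
SAMPLE_RULES = """
# drop the informational LiveUpdate success event
drop LiveUpdateSuccess
"""

# Constructed sample events; "id" is only for labelling here.
SAMPLE_EVENTS = [
    {"id": 1, SIGNATURE_FIELD: "LiveUpdateSuccess"},   # matches: dropped
    {"id": 2, SIGNATURE_FIELD: "liveupdatesuccess"},   # case differs: forwarded
    {"id": 3, SIGNATURE_FIELD: "ConstructedSignature"},  # not in rules: forwarded
    {"id": 4},                                          # no signature field: forwarded
]


def run_sample() -> FilterResult:
    """Apply the constructed rules to the constructed events."""
    return filter_events(SAMPLE_EVENTS, parse_rules(SAMPLE_RULES))


if __name__ == "__main__":
    r = run_sample()
    print("dropped:  ", [e["id"] for e in r.dropped])
    print("forwarded:", [e["id"] for e in r.forwarded])
```

Because a dropped event is gone for good, keep the rule text under change control and review the dropped count after each rule change; a sudden jump in drops is the signature of an over-broad rule.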
Verify that the appropriate services are running.
■ Verify that the Symantec Event Collector for ISS RealSecure SiteProtector appears in the SESA Console.
■ On the SESA Manager, verify that the Event Collector was successfully installed.

To verify that the appropriate services have started on Windows
1 On the computer on which you installed the Event Collector, on the Windows taskbar, click Start > Settings > Control Panel > Administrative Tools > Services.
2 Verify that the SESA AgentStart Service is listed and has started.
3 Verify that the Symantec Event Collector for ISS RealSecure SiteProtector is listed and has started.

To verify that the Event Collector appears in the SESA Console
1 On the Windows taskbar, click Start > Programs > Symantec Enterprise Security > SESA Console.
2 Log on to the SESA Console using a SESA user account with sufficient rights to view SESA events. The SESA user must belong to a role that has rights to the Symantec Event Collector for ISS RealSecure SiteProtector.
3 On the Events view tab, in the left pane, expand the appropriate SESA DataStore.
4 Do one of the following:
  ■ Expand Intrusion Detection.
  ■ Expand Host Intrusion Detection.
  ■ Expand Vulnerability Event Family.
  ■ Expand Network Intrusion Detection.
5 Verify that you have a