http://khika.com/wiki/api.php?action=feedcontributions&user=Dhanashree+kulkarni&feedformat=atom
khika - User contributions [en]
2024-03-29T10:05:24Z
User contributions
MediaWiki 1.32.1

http://khika.com/wiki/index.php?title=MediaWiki:Sidebar&diff=3098
MediaWiki:Sidebar
2021-03-05T06:08:37Z
<p>Dhanashree kulkarni: </p>
<hr />
<div><br />
** Getting_Started_with_KHIKA_SaaS | KHIKA as SaaS<br />
** KHIKA_Resources | KHIKA Resources<br />
** KHIKA_User_Guide | KHIKA User Guide<br />
** KHIKA Videos | KHIKA Videos<br />
* KHIKA Apps<br />
** KHIKA_App_for_Linux | KHIKA App for Linux<br />
** KHIKA_App_for_Windows | KHIKA App for Windows<br />
** KHIKA Apps | All Apps</div>

Dhanashree kulkarni
http://khika.com/wiki/index.php?title=MediaWiki:Sidebar&diff=3097
MediaWiki:Sidebar
2021-03-05T06:08:11Z
<p>Dhanashree kulkarni: </p>
<hr />
<div><br />
** Getting_Started_with_KHIKA_SaaS | KHIKA as SaaS<br />
** KHIKA_Resources | KHIKA Resources<br />
** KHIKA_User_Guide | KHIKA User Guide<br />
** KHIKA Videos | KHIKA Videos<br />
* KHIKA Apps<br />
** KHIKA_App_for_Linux | KHIKA App for Linux<br />
** KHIKA_App_for_Windows | KHIKA App for Windows<br />
** All Apps | KHIKA Apps</div>

Dhanashree kulkarni
http://khika.com/wiki/index.php?title=MediaWiki:Sidebar&diff=3096
MediaWiki:Sidebar
2021-03-05T06:05:58Z
<p>Dhanashree kulkarni: </p>
<hr />
<div><br />
** Getting_Started_with_KHIKA_SaaS | KHIKA as SaaS<br />
** KHIKA_Resources | KHIKA Resources<br />
** KHIKA_User_Guide | KHIKA User Guide<br />
** KHIKA Videos | KHIKA Videos<br />
* KHIKA Apps | KHIKA Apps<br />
** KHIKA_App_for_Linux | KHIKA App for Linux<br />
** KHIKA_App_for_Windows | KHIKA App for Windows</div>

Dhanashree kulkarni
http://khika.com/wiki/index.php?title=MediaWiki:Sidebar&diff=3095
MediaWiki:Sidebar
2021-03-05T06:04:00Z
<p>Dhanashree kulkarni: </p>
<hr />
<div><br />
** Getting_Started_with_KHIKA_SaaS | KHIKA as SaaS<br />
** KHIKA_Resources | KHIKA Resources<br />
** KHIKA_User_Guide | KHIKA User Guide<br />
** KHIKA Videos | KHIKA Videos<br />
* KHIKA_Apps | KHIKA Apps<br />
** KHIKA_App_for_Linux | KHIKA App for Linux<br />
** KHIKA_App_for_Windows | KHIKA App for Windows</div>

Dhanashree kulkarni
http://khika.com/wiki/index.php?title=MediaWiki:Sidebar&diff=3094
MediaWiki:Sidebar
2021-03-05T06:03:01Z
<p>Dhanashree kulkarni: </p>
<hr />
<div><br />
** Getting_Started_with_KHIKA_SaaS | KHIKA as SaaS<br />
** KHIKA_Resources | KHIKA Resources<br />
** KHIKA_User_Guide | KHIKA User Guide<br />
** KHIKA Videos | KHIKA Videos<br />
* KHIKA Apps | KHIKA Apps<br />
** KHIKA_App_for_Linux | KHIKA App for Linux<br />
** KHIKA_App_for_Windows | KHIKA App for Windows</div>

Dhanashree kulkarni
http://khika.com/wiki/index.php?title=KHIKA_Dashboards&diff=3093
KHIKA Dashboards
2020-12-09T10:43:30Z
<p>Dhanashree kulkarni: /* Introduction */</p>
<hr />
<div>== Introduction ==<br />
<br />
A dashboard displays a collection of visualizations and saved searches. Open the "Dashboards" menu from the left main menu panel in KHIKA; the list of standard dashboards that come with each installed KHIKA App appears here. Click on any dashboard name to open it and view the report.<br />
<br />
You can arrange, resize, and edit the dashboard content and then save the dashboard so you can share and reuse it. This means you can create different visualisations, say, one for Active Directory, one for Firewall, one for Anti Virus, and so on, and club them together in one dashboard so that you get a consolidated view of all your critical data in a single pane of glass.<br />
A collection of relevant visualizations is pinned to a dashboard. This serves as one live monitoring report that can be refreshed at a desired frequency.<br />
Below is a sample dashboard:<br />
<br />
<br />
[[File:Dash1.jpg|700px]]<br />
<br />
<br />
[https://youtu.be/hfySFLxlQAA See Video]<br />
<br />
== Creating a Dashboard ==<br />
<br />
From the left pane of the application screen, click on “Dashboard”. A list of existing Dashboards is displayed on the right. Click the “+” option to create a new Dashboard.<br />
<br />
<br />
[[File:Dash2.jpg|700px]]<br />
<br />
<br />
Click on “Add”.<br />
<br />
<br />
[[File:Dash3.jpg|700px]]<br />
<br />
<br />
This displays the list of Visualizations that were created in the previous section. From this list, you can click on one or more visualizations, and they get added to this Dashboard.<br />
Click “Add new visualization” to create one. If you have a large number of visualizations, you can search the list.<br />
<br />
<br />
[[File:Dash4.jpg|700px]]<br />
<br />
<br />
To add a saved search, click the Saved Search tab, and then select a name from the list (available in the Advanced version).<br />
When you’re finished adding and arranging the dashboard content, go to the menu bar, click Save, and enter a name. Optionally, you can store the time period specified in the time filter by selecting “Store time with dashboard”.<br />
<br />
<br />
[[File:Dash5.jpg|700px]]<br />
<br />
<br />
By default, our dashboards use a light color theme. To use a dark color theme, click the Edit option, then click Options and select “Use dark theme”. To set the dark theme as the default, go to Management > Advanced Settings and set dashboard:defaultDarkTheme to On.<br />
<br />
<br />
[[File:Dash6.jpg|700px]]<br />
<br />
<br />
<br />
== Editing Elements on a Dashboard ==<br />
<br />
The visualizations and searches in a dashboard are stored in panels that you can move, resize, and delete. To start editing, open the dashboard and click “Edit” among the options at the top right.<br />
<br />
<br />
[[File:Dash7.jpg|700px]]<br />
<br />
<br />
[[File:Dash8.jpg|700px]]<br />
<br />
<br />
'''To move a visualization panel''' - click and hold the header of the panel and drag and drop it to the new location.<br/><br />
'''To resize a visualization panel''' - click the resize control on the lower right and drag to the new dimensions.<br />
Additional commands for managing each visualization and its contents are in the gear menu in the upper right.<br />
<br />
<br />
== Viewing Visualization data on Dashboard ==<br />
<br />
You can see the precise raw data behind a visualization using the export link at the bottom of the visualization. There are options for exporting the data in “Raw” or “Formatted” form (i.e. the calculated values as shown on the dashboard).<br />
# Open the dashboard.<br />
# Hover over the visualization and click the Expand button in the upper right.<br />
# To export the visualization data as a comma-separated values (CSV) file, click Raw or Formatted at the bottom of the data table. Raw exports the response data as provided. Formatted exports the response data using the applicable field formatters.<br />
<br />
<br />
[[File:Dash9.jpg|700px]]<br />
<br />
<br />
To return to the visualization, click the Shrink button (the same button as Expand) in the top right corner.<br />
<br />
<br />
== Searching / Filtering data on the dashboard ==<br />
<br />
In the above sections we saw how to explore the inbuilt Dashboards. If we have added multiple APV devices in KHIKA, then we see data for all of them on each dashboard.<br />
To see data on the dashboard for only one device, you have to select the required APV on your Dashboard. There are a couple of ways to select a device on your dashboard:<br />
*Add a filter<br />
*Enter a search query<br />
The following procedure is applicable to all Dashboards.<br />
<br />
<br />
===<div id="Steps for Adding a Filter on a Dashboard"> Steps for Adding a Filter on a Dashboard </div> ===<br />
<br />
On each dashboard there is an option, “Add a filter”. Click on the “+” sign to add a new one. Use the simple dropdowns in combination to create your logical filter query.<br />
<br />
<br />
[[File:Dash10.jpg|700px]]<br />
<br />
<br />
[[File:Dash11.jpg|700px]]<br />
<br />
<br />
The first dropdown is the list of fields from our data; we have selected “server_ip” here. The second dropdown is a logical operator; we have selected “is”. The third dropdown lists the values of this field; we have selected one device, say 10.13.1.3. So our filter query is: “server_ip is 10.13.1.3”.<br />
Click on Save at the bottom of this filter pop-up.<br />
Your Dashboard now shows data for only the selected IP address in all the pie charts, bar graphs and the summary table – everywhere in the dashboard.<br />
The applied filter is shown at the top.<br />
<br />
<br />
[[File:Dash12.jpg|700px]]<br />
<br />
<br />
To remove the filter, hover over the filter icon at the top (highlighted in red in the figure above). Icons appear. Click on the bin icon to remove the filter. The Dashboard returns to its previous state.<br />
<br />
<br />
[[File:Dash13.jpg|700px]]<br />
<br />
<br />
Please note: if this is just a one-time search, do not follow the further steps. If you want to save this search for this particular device with the Dashboard, follow the steps given below to save the search.<br />
Click on the Edit link on the top right of the Dashboard – the Save link appears. Click on Save to save this search query with the dashboard.<br />
<br />
<br />
[[File:Dash14.jpg|700px]]<br />
<br />
<br />
The filter currently applied continues to be shown at the top of your Dashboard. You can remove this filter at any time later by clicking on the bin icon on your dashboard, as already explained.<br />
<br />
===<div id="Steps to Search and Save on a Dashboard"> Steps to Search and Save on a Dashboard </div> ===<br />
<br />
At the top of the Dashboard there is a text box for search. Enter your search query, for example for a particular device.<br />
<br />
<br />
[[File:Dash15.jpg|700px]]<br />
<br />
<br />
We have entered server_ip:"10.13.1.3". This is the syntax for server_ip equal to 10.13.1.3. Click on the rightmost search button in that textbox to search for this particular APV on the dashboard.<br />
All the elements on the Dashboard now reflect data for the selected device.<br />
<br />
<br />
[[File:Dash16.jpg|700px]]<br />
<br />
<br />
Please note: if this is just a one-time search, do not follow the further steps. If you want to save this search for this particular IP address with the Dashboard, follow the steps given below to save the search.<br />
Click on the Edit link above the search textbox – the Save link appears. Click on Save to save this search query with the dashboard.<br />
<br />
<br />
[[File:Dash17.jpg|700px]]<br />
<br />
<br />
This search stays with the Dashboard and is seen every time we open the Dashboard.<br />
To remove the search, select the search query in that textbox and delete it. Click on Edit and Save the Dashboard again. It changes back to its previous state.<br />
<br />
<br />
[[File:Dash18.jpg|700px]]<br />
<br />
<br />
Go to the next section for [[KHIKA Reports]].<br />
<br />
[[KHIKA Visualizations|<div style='text-align: left;'>Previous</div>]] [[KHIKA User Guide|<div style='text-align: right;'>Back to Index</div>]]</div>

Dhanashree kulkarni
http://khika.com/wiki/index.php?title=KHIKA_Dashboards&diff=3092
KHIKA Dashboards
2020-12-09T10:42:54Z
<p>Dhanashree kulkarni: /* Introduction */</p>
<hr />
<div>== Introduction ==<br />
<br />
A dashboard displays a collection of visualizations and saved searches. Open the "Dashboards" menu from the left main menu panel in KHIKA; the list of standard dashboards shipped with each installed KHIKA App appears here. Click on any dashboard name to open it and view the report.<br />
<br />
You can arrange, resize, and edit the dashboard content and then save the dashboard so you can share and reuse it. This means you can create different visualisations, say, one for Active Directory, one for Firewall, one for Anti Virus, and so on, and club them together in one dashboard so that you get a consolidated view of all your critical data in a single pane of glass.<br />
A collection of relevant visualizations is pinned to a dashboard. This serves as one live monitoring report that can be refreshed at a desired frequency.<br />
Below is a sample dashboard:<br />
<br />
<br />
[[File:Dash1.jpg|700px]]<br />
<br />
<br />
[https://youtu.be/hfySFLxlQAA See Video]<br />
<br />
== Creating a Dashboard ==<br />
<br />
From the left pane of the application screen, click on “Dashboard”. A list of existing Dashboards is displayed on the right. Click the “+” option to create a new Dashboard.<br />
<br />
<br />
[[File:Dash2.jpg|700px]]<br />
<br />
<br />
Click on “Add”.<br />
<br />
<br />
[[File:Dash3.jpg|700px]]<br />
<br />
<br />
This displays the list of Visualizations that were created in the previous section. From this list, you can click on one or more visualizations, and they get added to this Dashboard.<br />
Click “Add new visualization” to create one. If you have a large number of visualizations, you can search the list.<br />
<br />
<br />
[[File:Dash4.jpg|700px]]<br />
<br />
<br />
To add a saved search, click the Saved Search tab, and then select a name from the list (available in the Advanced version).<br />
When you’re finished adding and arranging the dashboard content, go to the menu bar, click Save, and enter a name. Optionally, you can store the time period specified in the time filter by selecting “Store time with dashboard”.<br />
<br />
<br />
[[File:Dash5.jpg|700px]]<br />
<br />
<br />
By default, our dashboards use a light color theme. To use a dark color theme, click the Edit option, then click Options and select “Use dark theme”. To set the dark theme as the default, go to Management > Advanced Settings and set dashboard:defaultDarkTheme to On.<br />
<br />
<br />
[[File:Dash6.jpg|700px]]<br />
<br />
<br />
<br />
== Editing Elements on a Dashboard ==<br />
<br />
The visualizations and searches in a dashboard are stored in panels that you can move, resize, and delete. To start editing, open the dashboard and click “Edit” among the options at the top right.<br />
<br />
<br />
[[File:Dash7.jpg|700px]]<br />
<br />
<br />
[[File:Dash8.jpg|700px]]<br />
<br />
<br />
'''To move a visualization panel''' - click and hold the header of the panel and drag and drop it to the new location.<br/><br />
'''To resize a visualization panel''' - click the resize control on the lower right and drag to the new dimensions.<br />
Additional commands for managing each visualization and its contents are in the gear menu in the upper right.<br />
<br />
<br />
== Viewing Visualization data on Dashboard ==<br />
<br />
You can see the precise raw data behind a visualization using the export link at the bottom of the visualization. There are options for exporting the data in “Raw” or “Formatted” form (i.e. the calculated values as shown on the dashboard).<br />
# Open the dashboard.<br />
# Hover over the visualization and click the Expand button in the upper right.<br />
# To export the visualization data as a comma-separated values (CSV) file, click Raw or Formatted at the bottom of the data table. Raw exports the response data as provided. Formatted exports the response data using the applicable field formatters.<br />
<br />
<br />
[[File:Dash9.jpg|700px]]<br />
<br />
<br />
To return to the visualization, click the Shrink button (the same button as Expand) in the top right corner.<br />
<br />
<br />
== Searching / Filtering data on the dashboard ==<br />
<br />
In the above sections we saw how to explore the inbuilt Dashboards. If we have added multiple APV devices in KHIKA, then we see data for all of them on each dashboard.<br />
To see data on the dashboard for only one device, you have to select the required APV on your Dashboard. There are a couple of ways to select a device on your dashboard:<br />
*Add a filter<br />
*Enter a search query<br />
The following procedure is applicable to all Dashboards.<br />
<br />
<br />
===<div id="Steps for Adding a Filter on a Dashboard"> Steps for Adding a Filter on a Dashboard </div> ===<br />
<br />
On each dashboard there is an option, “Add a filter”. Click on the “+” sign to add a new one. Use the simple dropdowns in combination to create your logical filter query.<br />
<br />
<br />
[[File:Dash10.jpg|700px]]<br />
<br />
<br />
[[File:Dash11.jpg|700px]]<br />
<br />
<br />
The first dropdown is the list of fields from our data; we have selected “server_ip” here. The second dropdown is a logical operator; we have selected “is”. The third dropdown lists the values of this field; we have selected one device, say 10.13.1.3. So our filter query is: “server_ip is 10.13.1.3”.<br />
Click on Save at the bottom of this filter pop-up.<br />
Your Dashboard now shows data for only the selected IP address in all the pie charts, bar graphs and the summary table – everywhere in the dashboard.<br />
The applied filter is shown at the top.<br />
<br />
<br />
[[File:Dash12.jpg|700px]]<br />
<br />
<br />
To remove the filter, hover over the filter icon at the top (highlighted in red in the figure above). Icons appear. Click on the bin icon to remove the filter. The Dashboard returns to its previous state.<br />
<br />
<br />
[[File:Dash13.jpg|700px]]<br />
<br />
<br />
Please note: if this is just a one-time search, do not follow the further steps. If you want to save this search for this particular device with the Dashboard, follow the steps given below to save the search.<br />
Click on the Edit link on the top right of the Dashboard – the Save link appears. Click on Save to save this search query with the dashboard.<br />
<br />
<br />
[[File:Dash14.jpg|700px]]<br />
<br />
<br />
The filter currently applied continues to be shown at the top of your Dashboard. You can remove this filter at any time later by clicking on the bin icon on your dashboard, as already explained.<br />
<br />
===<div id="Steps to Search and Save on a Dashboard"> Steps to Search and Save on a Dashboard </div> ===<br />
<br />
At the top of the Dashboard there is a text box for search. Enter your search query, for example for a particular device.<br />
<br />
<br />
[[File:Dash15.jpg|700px]]<br />
<br />
<br />
We have entered server_ip:"10.13.1.3". This is the syntax for server_ip equal to 10.13.1.3. Click on the rightmost search button in that textbox to search for this particular APV on the dashboard.<br />
All the elements on the Dashboard now reflect data for the selected device.<br />
<br />
<br />
[[File:Dash16.jpg|700px]]<br />
<br />
<br />
Please note: if this is just a one-time search, do not follow the further steps. If you want to save this search for this particular IP address with the Dashboard, follow the steps given below to save the search.<br />
Click on the Edit link above the search textbox – the Save link appears. Click on Save to save this search query with the dashboard.<br />
<br />
<br />
[[File:Dash17.jpg|700px]]<br />
<br />
<br />
This search stays with the Dashboard and is seen every time we open the Dashboard.<br />
To remove the search, select the search query in that textbox and delete it. Click on Edit and Save the Dashboard again. It changes back to its previous state.<br />
<br />
<br />
[[File:Dash18.jpg|700px]]<br />
<br />
<br />
Go to the next section for [[KHIKA Reports]].<br />
<br />
[[KHIKA Visualizations|<div style='text-align: left;'>Previous</div>]] [[KHIKA User Guide|<div style='text-align: right;'>Back to Index</div>]]</div>

Dhanashree kulkarni
http://khika.com/wiki/index.php?title=KHIKA_Resources&diff=3091
KHIKA Resources
2020-10-27T09:19:41Z
<p>Dhanashree kulkarni: </p>
<hr />
<div>Topics<br />
== [[Getting Started with KHIKA SaaS]] ==<br />
Quick start with KHIKA SaaS<br />
<br />
== [[KHIKA User Guide]] ==<br />
Detailed documentation of KHIKA SaaS<br />
<br />
== [[KHIKA Apps]] ==<br />
Documentation of all KHIKA Apps<br />
<br />
== [[KHIKA Videos]] ==<br />
Easy how-to Videos to get started quicker</div>

Dhanashree kulkarni
http://khika.com/wiki/index.php?title=MediaWiki:Sidebar&diff=3090
MediaWiki:Sidebar
2020-10-27T09:18:04Z
<p>Dhanashree kulkarni: </p>
<hr />
<div><br />
** Getting_Started_with_KHIKA_SaaS | KHIKA as SaaS<br />
** KHIKA_Resources | KHIKA Resources<br />
** KHIKA_User_Guide | KHIKA User Guide<br />
** KHIKA Videos | KHIKA Videos<br />
* KHIKA Apps<br />
** KHIKA_App_for_Linux | KHIKA App for Linux<br />
** KHIKA_App_for_Windows | KHIKA App for Windows</div>

Dhanashree kulkarni
http://khika.com/wiki/index.php?title=MediaWiki:Sidebar&diff=3089
MediaWiki:Sidebar
2020-10-27T09:17:41Z
<p>Dhanashree kulkarni: </p>
<hr />
<div><br />
** Getting_Started_with_KHIKA_SaaS | KHIKA as SaaS<br />
** KHIKA_Resources | KHIKA Resources<br />
** KHIKA_User_Guide | KHIKA User Guide<br />
** KHIKA Videos | Go to KHIKA Videos<br />
* KHIKA Apps<br />
** KHIKA_App_for_Linux | KHIKA App for Linux<br />
** KHIKA_App_for_Windows | KHIKA App for Windows</div>

Dhanashree kulkarni
http://khika.com/wiki/index.php?title=Building_a_KHIKA_App&diff=3088
Building a KHIKA App
2020-04-24T02:09:52Z
<p>Dhanashree kulkarni: </p>
<hr />
<div>When you decide to integrate a data source for which you do not have a ready-made KHIKA App, you will need to develop your own KHIKA App. A KHIKA App consists of the following components:<br />
* An Adapter, required for parsing the data and converting it into the KHIKA Data Format<br />
* Enrichment Rules (optional)<br />
* Alerts and Correlations (optional)<br />
* Visualizations and Dashboards (optional)<br />
* Custom Reports (optional)<br />
<br />
Except for the KHIKA Adapter, all the other components are optional when building an App. There are dedicated sections of the documentation explaining each component: how to create it, its significance, how to use it, and so on. We encourage you to read them before creating your own KHIKA App. Existing KHIKA Apps should be a great source of reference to start with. If you are stuck, you are welcome to write to us at info@khika.com and someone from our engineering team will surely help you out.</div>

Dhanashree kulkarni
http://khika.com/wiki/index.php?title=Building_a_KHIKA_App&diff=3087
Building a KHIKA App
2020-04-14T12:06:18Z
<p>Dhanashree kulkarni: Undo revision 3086 by Dhanashree kulkarni (talk)</p>
<hr />
<div>When you decide to integrate a data source for which you do not have a ready-made KHIKA App, you will need to develop your own KHIKA App. A KHIKA App consists of the following components:<br />
* An Adapter, required for parsing the data and converting it into the KHIKA Data Format<br />
* Enrichment Rules (optional)<br />
* Alerts and Correlations (optional)<br />
* Visualizations and Dashboards (optional)<br />
* Custom Reports (optional)<br />
<br />
Except for the KHIKA Adapter, all the other components are optional when building an App. There are dedicated sections of the documentation explaining each component: how to create it, its significance, how to use it, and so on. We encourage you to read them before creating your own KHIKA App. Existing KHIKA Apps should be a great source of reference to start with, as all KHIKA Apps are open source. If you are stuck, you are welcome to write to us at info@khika.com and someone from our engineering team will surely help you out.</div>

Dhanashree kulkarni
http://khika.com/wiki/index.php?title=Building_a_KHIKA_App&diff=3086
Building a KHIKA App
2020-04-14T11:09:34Z
<p>Dhanashree kulkarni: </p>
<hr />
<div>When you decide to integrate a data source for which you do not have a ready-made KHIKA App, you will need to develop your own KHIKA App. A KHIKA App consists of the following components:<br />
* An Adapter, required for parsing the data and converting it into the KHIKA Data Format<br />
* Enrichment Rules (optional)<br />
* Alerts and Correlations (optional)<br />
* Visualizations and Dashboards (optional)<br />
* Custom Reports (optional)<br />
<br />
Except for the KHIKA Adapter, all the other components are optional when building an App. There are dedicated sections of the documentation explaining each component: how to create it, its significance, how to use it, and so on. We encourage you to read them before creating your own KHIKA App. Existing KHIKA Apps should be a great source of reference to start with, as all KHIKA Apps use open source technology. If you are stuck, you are welcome to write to us at info@khika.com and someone from our engineering team will surely help you out.</div>

Dhanashree kulkarni
http://khika.com/wiki/index.php?title=KHIKA_Apps&diff=3085
KHIKA Apps
2020-04-07T10:27:07Z
<p>Dhanashree kulkarni: </p>
<hr />
<div>The following Apps are currently available in KHIKA. This list is updated periodically.<br />
<br />
Servers and OS<br><br />
[[KHIKA App for Linux|KHIKA App for Linux]]<br><br />
[[KHIKA App for Windows|KHIKA App for Windows]]<br><br />
[[KHIKA App for Windows AD]]<br><br />
<br />
<br />
Firewalls<br><br />
[[KHIKA App for Sophos Firewall|KHIKA App for Sophos Firewall]]<br><br />
[[KHIKA App for Checkpoint Firewall|KHIKA App for Checkpoint Firewall]]<br><br />
[[KHIKA App for Fortigate Firewall|KHIKA App for Fortigate Firewall]]<br><br />
[[KHIKA App for PaloAlto Firewall|KHIKA App for PaloAlto Firewall]]<br><br />
[[KHIKA App for Seqrite Utm Firewall|KHIKA App for Seqrite Utm Firewall]]<br><br />
<br />
<br />
Antivirus<br><br />
[[KHIKA App for Symantec Antivirus|KHIKA App for Symantec Antivirus]]<br><br />
<br />
<br />
Network Devices<br><br />
[[KHIKA App for Cisco Switch|KHIKA App for Cisco Switch]]<br><br />
<br />
<br />
Webservers<br><br />
[[KHIKA App for Apache WebServer|KHIKA App for Apache WebServer]]<br><br />
[[KHIKA App for IIS WebServer|KHIKA App for IIS WebServer]]<br><br />
<br />
<br><br />
<br />
[[Load KHIKA App|Previous]] <br />
<br />
Refer to the next section for [[Getting Data into KHIKA#Importing an Application|Importing newly available KHIKA Apps]].<br />
<br />
[[KHIKA User Guide|<div style='text-align: right;'>Back to Index</div>]]</div>

Dhanashree kulkarni
http://khika.com/wiki/index.php?title=KHIKA_App_for_Seqrite_Utm_Firewall&diff=3084
KHIKA App for Seqrite Utm Firewall
2020-04-07T10:21:54Z
<p>Dhanashree kulkarni: /* SEQRITE_UTM-Website Category Wise URL Access Dashboard */</p>
<hr />
<div>== Introduction ==<br />
Firewalls form an important part of organisations’ networks and hence monitoring your firewall is imperative.<br />
Seqrite UTM Firewall sends traffic and user activity related information in the form of logs over the syslog protocol. KHIKA Data Aggregator is pre-configured with syslog services on port 514.<br />
The key steps are:<br />
#Enable Syslog forwarding on the device.<br />
#Install the KHIKA App for SEQRITE UTM Firewall.<br />
#Get data from your SEQRITE UTM Firewall into the KHIKA Aggregator.<br />
<br />
== Enabling Syslog forwarding on the device ==<br />
Please refer to the [https://www.seqrite.com/documents/en/manuals/Seqrite_UTM_Admin_Guide_2.2.pdf#Configur Seqrite UTM Firewall documentation], page 199, for enabling syslogs on your Seqrite UTM Firewall.<br />
<br />
Example of steps to forward Syslog to the KHIKA Remote Syslog Server:<br />
<br />
Adding a remote syslog server<br />
# Navigate to Logs and Reports > Settings > Remote Syslog Server.<br />
# Click the + icon to add a new Syslog server. The Add server dialog box is displayed.<br />
# Enter the name and IP address of the server.<br />
# Enter the port number and select the protocol that will be used to send the log files to the Syslog server.<br />
# The KHIKA Syslog Server typically listens on UDP port 514. Please use the UDP protocol and port 514 for log forwarding.<br />
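As an added example, not part of the KHIKA documentation or the KHIKA product code, the following Python decoder shows what a collector listening on UDP 514 actually receives once forwarding is enabled: each datagram starts with a PRI field (facility * 8 + severity) followed by a timestamp, the sending hostname and the message. The sample datagrams are constructed, and generic RFC 3164 framing is assumed rather than the real Seqrite UTM log format; the per-host counts and the unparsed count are the two numbers a verification step wants to see, since a zero count for the expected host means nothing arrived and a non-zero unparsed count points at a framing mismatch.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample datagrams, as a collector on UDP 514 would receive them.
# Generic RFC 3164 framing is assumed; these are not real Seqrite UTM log lines.
SAMPLE_DATAGRAMS: List[bytes] = [
    b"<134>Apr  7 10:21:54 seqrite-utm utm: example traffic event src=10.13.1.3 dst=10.13.1.1 action=allow",
    b"<13>Apr  7 10:22:01 seqrite-utm utm: example user activity user=alice",
    b"this is not a syslog datagram",
]

# PRI = facility * 8 + severity (RFC 3164, section 4.1.1)
FACILITIES: Dict[int, str] = {
    0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth", 5: "syslog",
    6: "lpr", 7: "news", 8: "uucp", 9: "cron", 10: "authpriv", 11: "ftp",
    16: "local0", 17: "local1", 18: "local2", 19: "local3",
    20: "local4", 21: "local5", 22: "local6", 23: "local7",
}
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# <PRI>TIMESTAMP HOSTNAME MSG, with the BSD "Mmm dd hh:mm:ss" timestamp (day space-padded)
_RFC3164 = re.compile(
    rb"^<(?P<pri>\d{1,3})>"
    rb"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    rb"(?P<host>\S+) "
    rb"(?P<msg>.*)$",
    re.DOTALL,
)


@dataclass
class SyslogEvent:
    facility: str
    severity: str
    timestamp: str
    host: str
    message: str


def parse_datagram(data: bytes) -> Optional[SyslogEvent]:
    """Decode one RFC 3164 datagram; return None if it does not match the framing."""
    m = _RFC3164.match(data)
    if m is None:
        return None
    pri = int(m.group("pri"))
    if pri > 191:  # 23 * 8 + 7 is the largest legal PRI value
        return None
    facility, severity = divmod(pri, 8)
    return SyslogEvent(
        facility=FACILITIES.get(facility, f"facility{facility}"),
        severity=SEVERITIES[severity],
        timestamp=m.group("ts").decode("ascii"),
        host=m.group("host").decode("ascii", errors="replace"),
        message=m.group("msg").decode("utf-8", errors="replace"),
    )


def summarize(datagrams: List[bytes]) -> Tuple[Dict[str, int], int]:
    """Count parsed events per sending host, plus the datagrams that did not parse."""
    per_host: Dict[str, int] = {}
    unparsed = 0
    for d in datagrams:
        ev = parse_datagram(d)
        if ev is None:
            unparsed += 1
            continue
        per_host[ev.host] = per_host.get(ev.host, 0) + 1
    return per_host, unparsed


if __name__ == "__main__":
    for d in SAMPLE_DATAGRAMS:
        print(parse_datagram(d))
    print(summarize(SAMPLE_DATAGRAMS))
```

On a live collector the datagrams would come from a UDP socket bound to port 514 instead of the constructed list; the decoding and the counting stay the same. If the device forwards over TCP or uses RFC 5424 framing, the regular expression above will reject every line, which is exactly the signal the unparsed count is there to surface.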
<br />
== Verifying SYSLOG data collection ==<br />
<br />
After you enable syslog forwarding on the end device, you must verify that the logs are actually being received by the KHIKA Data Aggregator. Please refer [[Getting Data into KHIKA#Verifying syslog data collection|here]] to understand how to verify syslogs on the KHIKA Data Aggregator.<br />
<br />
== How to Install the KHIKA App for Seqrite UTM Firewall? ==<br />
<br />
It is assumed that you have already configured the KHIKA Data Aggregator in your environment. If not, please read [[Getting Started with KHIKA SaaS#Installing and configuring KHIKA Data Aggregator|how to configure KHIKA Data Aggregator]] and perform the prerequisite steps.<br />
<br />
This section explains how to pick and install the KHIKA application for Seqrite UTM Firewall. Installing the application puts together and activates the adapter (parser) that can handle the Seqrite UTM Firewall data format, along with the preconfigured dashboards and alert rules.<br />
<br />
Go to the “Applications” tab in the “Configure” menu.<br />
<br />
[[File:seqrite_applicationtab.JPG|700px]]<br />
<br />
Check whether the appropriate Workspace is selected.<br />
Note: An Application is always loaded into a Workspace. Read the section on Workspaces to know more about KHIKA Workspaces.<br />
Also select your KHIKA aggregator name in the Node dropdown.<br />
This ensures that we are collecting data from the desired source into the correct workspace, which is ready with the configured application and components.<br />
<br />
[[File:seqrite_selectapp.JPG|700px]]<br />
<br />
Click on the “+” button. A pop up appears.<br />
<br />
[[File:seqrite_app_installation.JPG|700px]]<br />
<br />
You can now select the contents of the application required. For example, click on the dropdown for “Reports” to expand it. A list of all reports is shown. Select the reports you need individually by checking the checkbox next to each, or check “Select All” to get all of them.<br />
Similarly, you can select contents from Alerts and Dashboards.<br />
<br />
Visit the sections on [[KHIKA Reports| KHIKA Reports]], [[KHIKA Dashboards| KHIKA Dashboards]], [[KHIKA Alerts & Correlations| KHIKA Alerts & Correlations]] to know more about these topics.<br />
<br />
Click “OK” to proceed with the installation of the selected Application.<br />
After successful installation, the following status should be displayed:<br />
<br />
[[File:seqrite_appinstallaton_successfull.JPG|700px]]<br />
<br />
This simple procedure to install a KHIKA App automatically configures the Adapter (required for parsing the data from raw syslogs), the calculated KHIKA reports on raw data, Visualizations, Dashboards and Alerts, all in one click.<br />
<br />
== Adding the device in the Adaptor ==<br />
After syslogs are enabled on the device and the App is installed into KHIKA, it is time to add the device to the App (in the Adapter section of the KHIKA Web GUI). Please refer [[Getting Data into KHIKA#Adding device details in the Adaptor|here]] to learn [[Getting Data into KHIKA#Adding device details in the Adaptor|how to add the device to an App]].<br />
<br />
After the configuration changes in KHIKA, you must apply these changes to the Workspace. Go to Configure, select the Workspace, and in the Workspace tab of the Configure menu press the Apply button as shown in the screenshot below.<br />
<br />
[[File:seqrite_apply_configuration.jpg|800px]]<br />
<br />
<br />
Wait a few minutes for the changes to apply and data to arrive in KHIKA. With all these steps done, we should now expect data to arrive in KHIKA. Let's discover some live data in KHIKA.<br />
<br />
== How to check the output of the KHIKA Seqrite UTM Firewall App? ==<br />
<br />
===Discovering the logs of Seqrite UTM Firewall===<br />
After completing all the steps above, we should start receiving live data into KHIKA. Go to the "Discover" section in the KHIKA GUI and select the index named "*raw-seqrite_utm_firewall*". Note that the index name has a prefix of the customer name and workspace name. After selecting this index, you should see the live data coming in. Spend some time understanding this data and its fields.<br />
<br />
=== SEQRITE UTM Bandwidth Usage Dashboard===<br />
<br />
This dashboard summarises bandwidth consumption by user.<br />
<br />
==== Elements in the Dashboard are explained below: ====<br />
<br />
{| class="wikitable"<br />
|+ style="caption-side:bottom; color:#e76700;"|''Elements in "Seqrite UTM Bandwidth Usage" Dashboard''<br />
|-<br />
|'''Visualization'''<br />
|'''Description'''<br />
|-<br />
|Contribution of User<br />
|Contribution of top users present in the events. <br />
|-<br />
|User wise Max Total Usage<br />
|X axis : User(s) <br/> Y axis : Max of Total Usage by the user.<br />
|-<br />
|User IP Address wise Max Daily Download<br />
|X axis : User IP(s) <br/> Y axis : Max of Daily Download by the User IP.<br />
|-<br />
|User IP Address wise Max Daily Upload<br />
|X axis : User IP(s) <br/> Y axis : Max of Daily Upload by the User IP.<br />
|-<br />
|Daily trend<br />
|Trend of bandwidth events over time. Useful to identify unusual spikes at a glance. <br/><br/>X axis : date & time <br/>Y axis : count of events<br />
|-<br />
|Summary Table<br />
|Detailed data with timestamp and count<br />
<br />
|}<br />
<br />
==== A suggestion for useful interaction with this dashboard could be : ====<br />
<br />
#Click on a user in the "Contribution of User" donut chart. The selection is applied to all visualizations on the dashboard. "User wise Max Total Usage" then shows the maximum total usage by that user, and "User IP Address wise Max Daily Download" shows the maximum daily download per IP address used by the selected user. Detailed records are in the "Summary Table".<br />
<br />
=== SEQRITE UTM Intrusion Prevention Dashboard===<br />
<br />
This dashboard summarises Intrusion Prevention events.<br />
<br />
==== Elements in the Dashboard are explained below : ====<br />
<br />
{| class="wikitable"<br />
|+ style="caption-side:bottom; color:#e76700;"|''Elements in "SEQRITE UTM Intrusion Prevention" Dashboard''<br />
|-<br />
|'''Visualization'''<br />
|'''Description'''<br />
|-<br />
|Contribution Of Intrusion Signature<br />
|Contribution of different Intrusion Signatures present in the events.<br />
|-<br />
|Contribution Of Destination IP<br />
|Contribution of different Destination IP(s)<br />
|-<br />
|Contribution Of Destination Port<br />
|Contribution of Destination Port(s), i.e. the ports on which the communication took place.<br />
|-<br />
|Contribution Of Source IP<br />
|Contribution of Source IP(s) from which the communication was initiated.<br />
|-<br />
|Daily trend<br />
|Trend of events related to Intrusion Prevention over time. Useful to identify unusual spikes at a glance. <br/><br/>X axis : date & time <br/>Y axis : count of events<br />
|-<br />
|Summary Table<br />
|Detailed data with timestamp and count<br />
<br />
|}<br />
<br />
==== A suggestion for useful interaction with this dashboard could be : ====<br />
<br />
#Click on a Source IP in "Contribution Of Source IP". The selection is applied to all visualizations on the dashboard: "Contribution Of Destination IP" shows the destinations contacted by the selected Source IP, and "Contribution Of Intrusion Signature" shows the signatures matched in those events. Detailed records are in the Summary Table.<br />
<br />
=== SEQRITE UTM Malicious Communication Dashboard===<br />
<br />
This dashboard gives a brief summary of malicious communication observed in the network.<br />
<br />
==== Elements in the Dashboard are explained below : ====<br />
<br />
{| class="wikitable"<br />
|+ style="caption-side:bottom; color:#e76700;"|''Elements in "SEQRITE UTM Malicious Communication" Dashboard''<br />
|-<br />
|'''Visualization'''<br />
|'''Description'''<br />
|-<br />
|Contribution of Action<br />
|Contribution of the different actions (accept or deny) taken on the communication.<br />
|-<br />
|Contribution of Malicious IP<br />
|Contribution of Top Malicious IP(s) present in the communication.<br />
|-<br />
|Contribution of Source IP<br />
|Contribution of Top Source IP(s) present in the communication.<br />
|-<br />
|Contribution Of Destination IP<br />
|Contribution of Top Destination IP(s) present in the communications.<br />
|-<br />
|Daily trend<br />
|Trend of Malicious Communication related events over time. Useful to identify unusual spikes at a glance. <br/><br/>X axis : date & time <br/>Y axis : count of events<br />
|-<br />
|Summary Table<br />
|Detailed data with timestamp and count<br />
<br />
|}<br />
<br />
==== A suggestion for useful interaction with this dashboard could be : ====<br />
<br />
#Click on a Malicious IP in the "Contribution of Malicious IP" donut chart. The selection is applied to all visualizations. "Contribution of Action" shows whether the connection was allowed or denied. To drill down further, compare the Malicious IP with the Source and Destination IPs to determine the direction of the connection.<br />
Example: if the Malicious IP is the Source IP, the connection is inbound; if the Malicious IP is the Destination IP, the connection is outbound.<br />
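The direction rule above, together with the three threat-intelligence correlations described in the Seqrite UTM Firewall Alerts section further down (accepted communication with a bad IP, one internal host reaching two or more bad IPs within an hour, and two or more internal hosts reaching the same bad IP), as an added Python example. This is not KHIKA's code: the key=value log layout, the field names, the sample events and the bad-IP list are all constructed for the example, and only accepted connections are counted as communication.<br />

```python
"""Added example, not KHIKA code: classify firewall events against a bad-IP list
and apply the threat-intelligence (TI) correlations described for the Seqrite
UTM Firewall alerts. Log layout, field names, sample events and the TI list are
all constructed for this example."""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

# Constructed TI list (assumption): ip -> (communities reporting it, confidence)
BAD_IPS = {
    "203.0.113.77": (4, 90),
    "198.51.100.9": (2, 60),
}

# Constructed events in an assumed "timestamp key=value ..." layout; the real
# Seqrite UTM syslog format is not shown on this page.
SAMPLE_LOGS = [
    "2021-03-05T10:00:01 src=10.1.1.20 dst=203.0.113.77 dport=443 action=accept sent=1200 rcvd=54000",
    "2021-03-05T10:05:10 src=203.0.113.77 dst=10.1.1.20 dport=22 action=deny sent=0 rcvd=0",
    "2021-03-05T10:20:00 src=10.1.1.20 dst=198.51.100.9 dport=8080 action=accept sent=400 rcvd=1500",
    "2021-03-05T10:30:00 src=10.1.1.31 dst=203.0.113.77 dport=443 action=accept sent=90 rcvd=3000",
    "2021-03-05T12:30:00 src=10.1.1.20 dst=192.0.2.10 dport=80 action=accept sent=10 rcvd=20",
]


def parse(line):
    """Split one constructed log line into a dict with a datetime 'ts'."""
    ts, _, rest = line.partition(" ")
    event = dict(kv.split("=", 1) for kv in rest.split())
    event["ts"] = datetime.fromisoformat(ts)
    return event


def direction(event):
    """Page rule: bad IP as source => inbound, bad IP as destination => outbound."""
    if event["src"] in BAD_IPS:
        return "inbound"
    if event["dst"] in BAD_IPS:
        return "outbound"
    return None


def ti_hits(events):
    """'Communication with possible IOC or bad IP': accepted traffic where one
    side is a bad IP and the other side is an internal (RFC 1918) address.
    Returns (ts, internal_ip, bad_ip, direction) tuples."""
    hits = []
    for event in events:
        side = direction(event)
        if side is None or event["action"] != "accept":
            continue
        internal, bad = (event["dst"], event["src"]) if side == "inbound" else (event["src"], event["dst"])
        if ipaddress.ip_address(internal).is_private:
            hits.append((event["ts"], internal, bad, side))
    return hits


def host_to_multiple_bad_ips(events, window=timedelta(hours=1), threshold=2):
    """'Host communicating with multiple malicious hosts within 1 hour': an internal
    host reaching >= threshold distinct bad IPs inside a sliding window.
    Returns {internal_ip: sorted bad IPs in the window that crossed the threshold}."""
    by_host = defaultdict(list)
    for ts, internal, bad, _ in ti_hits(events):
        by_host[internal].append((ts, bad))
    alerts = {}
    for host, seen in by_host.items():
        seen.sort()
        for i, (ts, _) in enumerate(seen):
            recent = {bad for t, bad in seen[: i + 1] if ts - t <= window}
            if len(recent) >= threshold:
                alerts[host] = sorted(recent)
                break
    return alerts


def multiple_hosts_to_single_bad_ip(events, threshold=2):
    """'Communication between multiple internal hosts and single malicious IP'.
    The page states no time window for this alert, so none is applied (assumption)."""
    by_bad = defaultdict(set)
    for _, internal, bad, _ in ti_hits(events):
        by_bad[bad].add(internal)
    return {bad: sorted(hosts) for bad, hosts in by_bad.items() if len(hosts) >= threshold}


EVENTS = [parse(line) for line in SAMPLE_LOGS]

if __name__ == "__main__":
    for ts, internal, bad, side in ti_hits(EVENTS):
        communities, confidence = BAD_IPS[bad]
        print(f"{ts} {side:8} {internal} <-> {bad} (reported by {communities}, confidence {confidence})")
    print("host -> multiple bad IPs:", host_to_multiple_bad_ips(EVENTS))
    print("multiple hosts -> one bad IP:", multiple_hosts_to_single_bad_ip(EVENTS))
```

In the constructed sample the denied inbound attempt from 203.0.113.77 is classified as inbound but produces no TI hit, because only accepted traffic counts as communication; 10.1.1.20 trips the one-hour rule by reaching two bad IPs twenty minutes apart, and 203.0.113.77 trips the multiple-hosts rule once 10.1.1.31 also connects to it.<br />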
<br />
=== SEQRITE UTM Policy Breach Attempts Dashboard===<br />
<br />
This dashboard summarises policy breach attempts.<br />
<br />
==== Elements in the Dashboard are explained below : ====<br />
<br />
{| class="wikitable"<br />
|+ style="caption-side:bottom; color:#e76700;"|''Elements in "SEQRITE UTM Policy Breach Attempts" Dashboard''<br />
|-<br />
|'''Visualization'''<br />
|'''Description'''<br />
|-<br />
|Contribution of User IP<br />
|Contribution of Top User IP(s) present in the events.<br />
|-<br />
|Category wise URL<br />
|X axis : Website categories <br/> Y axis : URL(s) accessed per category<br />
|-<br />
|Contribution of User Name<br />
|Contribution of top User Names present in the events. <br />
|-<br />
|Contribution of User Group<br />
|Contribution of different User Groups present.<br />
|-<br />
|Daily trend<br />
|Trend of Policy Breach Attempt related events over time. Useful to identify unusual spikes at a glance. <br/><br/>X axis : date & time <br/>Y axis : count of events<br />
|-<br />
|Summary Table<br />
|Detailed data with timestamp and count<br />
<br />
|}<br />
<br />
==== A suggestion for useful interaction with this dashboard could be : ====<br />
<br />
#This dashboard can be used to review user activity that may violate the organisation's policy. Click on any user in the "Contribution of User Name" visualization; the selection is applied across all visualizations. "Category wise URL" then shows the URLs, grouped by category, that the user attempted to visit but is not allowed to visit under the policy, and "Contribution of User IP" shows the IP address(es) used by that user. Detailed records of the communication are in the Summary Table.<br />
<br />
=== SEQRITE UTM Website Category Wise URL Access Dashboard===<br />
<br />
This dashboard shows the distribution of websites accessed, by category.<br />
<br />
==== Elements in the Dashboard are explained below : ====<br />
<br />
{| class="wikitable"<br />
|+ style="caption-side:bottom; color:#e76700;"|''Elements in SEQRITE UTM Website Category Wise URL Access Dashboard''<br />
|-<br />
|'''Visualization'''<br />
|'''Description'''<br />
|-<br />
|Contribution of User<br />
|Top User(s) present in the events.<br />
|-<br />
|Contribution of IP Address<br />
|Top IP Address present in the events.<br />
|-<br />
|Category wise URL<br />
|X axis : Website categories <br/> Y axis : URL(s) accessed per category<br />
|-<br />
|Daily trend<br />
|Trend of events over time. Useful to identify unusual spikes at a glance. <br/><br/>X axis : date & time <br/>Y axis : count of events<br />
|-<br />
|Summary Table<br />
|Detailed data with timestamp and count<br />
<br />
|}<br />
<br />
==== A suggestion for useful interaction with this dashboard could be : ====<br />
<br />
#This dashboard shows which URLs and categories users accessed. Click on a User or IP Address to investigate further; all visualizations on the dashboard are filtered accordingly, and "Category wise URL" shows the categories and the URLs visited in each category by the selected user or source IP. Detailed records are in the Summary Table.<br />
<br />
=== Seqrite UTM Firewall Alerts ===<br />
<br />
Alerts are generated when certain critical behaviour is observed in the system. Alerts can be monitored in real time on the Alerts Dashboard in KHIKA, and relevant stakeholders can also receive them by e-mail. The table below explains all the pre-canned alerts shipped with the KHIKA App for Seqrite UTM Firewall.<br />
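The sweep-scan and host-scan correlations listed in the table below, run over constructed events as an added Python example (not KHIKA's rule engine). The event field names, the sample traffic and the handling of the "successful" and "by malicious ip" variants are assumptions of this example; the thresholds themselves (more than 10 distinct targets, all within 1 minute) come from the alert descriptions.<br />

```python
"""Added example, not KHIKA's rule engine: the sweep-scan and host-scan
correlations from the alert table, run over constructed events. Field names,
the sample traffic and the event layout are assumptions for this example;
the thresholds (more than 10 distinct targets, within 1 minute) are the ones
stated in the alert descriptions."""
from collections import defaultdict

WINDOW = 60      # seconds: the alerts correlate "within 1 minute"
THRESHOLD = 10   # alerts fire on "more than 10" distinct destinations / ports


def ev(ts, src, dst, dport, action):
    """Constructed normalised firewall event (field names are assumptions)."""
    return {"ts": ts, "src": src, "dst": dst, "dport": dport, "action": action}


# Constructed sample: a denied sweep over 12 hosts followed by an accepted connection
# to a 13th host, a denied host scan over 12 ports of one host, and benign traffic.
EVENTS = (
    [ev(t, "198.51.100.23", f"10.1.1.{t + 1}", 22, "deny") for t in range(12)]
    + [ev(15, "198.51.100.23", "10.1.1.50", 22, "accept")]
    + [ev(30 + i, "203.0.113.5", "10.1.1.80", 20 + i, "deny") for i in range(12)]
    + [ev(t, "10.1.1.20", "10.1.1.5", 443, "accept") for t in range(0, 60, 7)]
)


def detect_scans(events, bad_ips=frozenset(), window=WINDOW, threshold=THRESHOLD):
    """Sliding-window correlation returning (alert_name, source_ip, ts) tuples.

    sweep scan attack   : one source denied on > threshold distinct destination IPs
                          within `window` seconds
    host scan activity  : one source denied on > threshold distinct ports of one
                          destination within `window` seconds
    successful ... scan : the same source then gets an accepted connection to a
                          destination (or port) it had not yet probed, inside the window
    A source listed in `bad_ips` raises the "by malicious ip" variant of each alert.
    """
    denied = defaultdict(list)  # src -> [(ts, dst, dport)] denied inside the window
    open_sweep = {}             # src -> ts at which the sweep threshold was crossed
    open_host = {}              # (src, dst) -> ts at which the host-scan threshold was crossed
    alerts = []

    def name(base, src):
        return base + (" by malicious ip" if src in bad_ips else "")

    for e in sorted(events, key=lambda x: x["ts"]):
        src, dst, ts = e["src"], e["dst"], e["ts"]
        # Drop state that has fallen out of the one-minute correlation window.
        denied[src] = [d for d in denied[src] if ts - d[0] <= window]
        if src in open_sweep and ts - open_sweep[src] > window:
            del open_sweep[src]
        for key in [k for k, t0 in open_host.items() if ts - t0 > window]:
            del open_host[key]

        if e["action"] == "deny":
            denied[src].append((ts, dst, e["dport"]))
            targets = {d[1] for d in denied[src]}
            if len(targets) > threshold and src not in open_sweep:
                open_sweep[src] = ts
                alerts.append((name("sweep scan attack", src), src, ts))
            ports = {d[2] for d in denied[src] if d[1] == dst}
            if len(ports) > threshold and (src, dst) not in open_host:
                open_host[(src, dst)] = ts
                alerts.append((name("host scan activity", src), src, ts))
        elif e["action"] == "accept":
            probed_dsts = {d[1] for d in denied[src]}
            if src in open_sweep and dst not in probed_dsts:
                alerts.append((name("successful sweep scan activity", src), src, ts))
                del open_sweep[src]
            probed_ports = {d[2] for d in denied[src] if d[1] == dst}
            if (src, dst) in open_host and e["dport"] not in probed_ports:
                alerts.append((name("successful host scan activity", src), src, ts))
                del open_host[(src, dst)]
    return alerts


if __name__ == "__main__":
    for alert in detect_scans(EVENTS, bad_ips={"203.0.113.5"}):
        print(alert)
```

Each alert fires once per source when the eleventh distinct target inside the window is seen, and the "successful" variant fires only for an accepted connection to a target the source had not already been denied on, which is what separates a real follow-up from a retry. Passing the TI list as `bad_ips` gives the "by malicious ip" row names without duplicating the logic.<br />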
<br />
==== Alerts Description ====<br />
<br />
{| class="wikitable"<br />
|+ style="caption-side:bottom; color:#e76700;"|''Alert Details Table''<br />
|-<br />
|'''Alert Name'''<br />
|'''Description'''<br />
|'''Suggested Resolution'''<br />
|-<br />
|Seqrite utm firewall sweep scan attack<br />
|Triggered when the same source IP generates traffic to more than 10 destination IPs within 1 minute and every request is denied.<br />
|An attacker sprays connection requests on one popular port (21, 22, 53, 80, 443 etc.) across many IP addresses to find which hosts have that port open. A scan is typically the first stage of reconnaissance in the attack life cycle.<br/><br/><br />
Unless the scan comes from a known, legitimate IP address, block the source IP. White-list known scanners (such as a designated vulnerability scanner or asset discovery tool) to suppress false positives.<br />
|-<br />
|Seqrite utm firewall host scan activity<br />
|Triggered when the same source IP generates traffic to more than 10 destination ports on the same destination IP within 1 minute and every request is denied.<br />
|An attacker sprays connection requests on many popular ports (21, 22, 53, 80, 443 etc.) of a single IP address to find which ports are open on that target. A scan is typically the first stage of reconnaissance in the attack life cycle.<br/><br/><br />
Unless the scan comes from a known, legitimate IP address, block the source IP. White-list known scanners (such as a designated vulnerability scanner or asset discovery tool) to suppress false positives.<br />
|-<br />
|Seqrite utm firewall communication with possible ioc or bad ip<br />
|Triggered when either the Source or the Destination IP is a known malicious IP and the action is accepted.<br />
|KHIKA shares community-based threat intelligence (TI) every 24 hours. The TI lists IP addresses with bad reputation; each entry carries the number of communities reporting it, the name of each community and a confidence score for the reputation. This alert fires when communication with a bad IP is let through.<br/><br/><br />
Communication with a bad IP must be blocked immediately, as it could be an attack or data exfiltration.<br />
Search the logs for the malicious IP to see how long the communication has been going on, which internal IP addresses are talking to it, and which real users are behind those internal addresses.<br />
Cross-check the reputation of the IP on sites such as ipvoid.com and virustotal.com.<br />
If an internal IP is repeatedly involved in malicious communication (with the same or several external IP addresses), install agents on the affected nodes to identify the user and process responsible.<br />
It is critical to block this rogue communication.<br />
|-<br />
|Seqrite utm firewall seqrite backdoor activity<br />
|Triggered when traffic is generated from an internal machine on the vulnerable ports 3127, 3198, 6129 and 7080.<br />
|Traffic from an internal machine on ports 3127, 3198, 6129 or 7080. These ports are typically used by attackers to reach vulnerable programs listening on them.<br/><br/><br />
Check whether these ports are open and on which servers. Do you really need them open?<br />
Check which programs listen on these ports and review the vulnerability reports for those applications.<br />
Block these ports for external traffic unless they must remain open.<br />
If any of these ports must stay open, restrict access to legitimate IPs.<br />
If a suspicious IP repeatedly tries to reach these ports, block it and check its reputation on sites such as ipvoid.com and virustotal.com.<br />
|-<br />
|Seqrite utm firewall host communicating with multiple malicious hosts within 1 hour<br />
|Triggered when one internal host communicates with two or more external hosts with bad reputation within 1 hour.<br />
|KHIKA shares community-based threat intelligence (TI) every 24 hours. The TI lists IP addresses with bad reputation; each entry carries the number of communities reporting it, the name of each community and a confidence score for the reputation. This alert fires when the same internal IP communicates with multiple malicious IPs.<br/><br/><br />
Communication with a bad IP must be blocked immediately, as it could be an attack or data exfiltration.<br />
Search the logs for the malicious IPs to see how long the communication has been going on and which real users are behind the internal IP address.<br />
Cross-check the reputation of the IPs on sites such as ipvoid.com and virustotal.com.<br />
If an internal IP is repeatedly involved in malicious communication with several external IP addresses, install agents on that node to identify the user and process responsible.<br />
It is critical to block this rogue communication.<br />
|-<br />
|Seqrite utm firewall policy breach attempts<br />
|Triggered when an internal host attempts to breach the organisation's policy.<br />
|Traffic from an internal host that may violate the organisation's policy. The category of the URL visited by the user is present in the event, and the firewall rules define which categories each user or user group may access.<br/><br/>If a user or IP address is repeatedly communicating with URLs in categories that the policy does not allow, take appropriate action on the user or, if required, quarantine the host.<br />
|-<br />
|Seqrite utm firewall communication between multiple Internal hosts and single malicious ip<br />
|Triggered when two or more internal hosts communicate with the same external host with bad reputation.<br />
|KHIKA shares community-based threat intelligence (TI) every 24 hours. The TI lists IP addresses with bad reputation; each entry carries the number of communities reporting it, the name of each community and a confidence score for the reputation. This alert fires when multiple internal hosts communicate with the same external malicious IP.<br/><br/><br />
Communication with a bad IP must be blocked immediately, as it could be an attack or data exfiltration.<br />
Search the logs for the malicious IP to see how long the communication has been going on, which internal IP addresses are talking to it, and which real users are behind them.<br />
Cross-check the reputation of the IP on sites such as ipvoid.com and virustotal.com.<br />
If internal IPs keep communicating with this external IP, install agents on the affected nodes to identify the user and process responsible.<br />
It is critical to block this rogue communication.<br />
|-<br />
|Seqrite utm firewall communication with suspicious ip<br />
|Triggered when bytes are both sent and received in communication with a malicious IP within 1 minute.<br />
|Communication with a bad IP must be blocked immediately, as it could be an attack or data exfiltration. Bytes counted in both directions indicate that data was actually exchanged, not merely attempted.<br />
Search the logs for the malicious IP to find the communication, the internal IP addresses involved and the real users behind them.<br/><br/><br />
If an internal IP is repeatedly involved in malicious communication (with the same or several external IP addresses), install agents on the affected nodes to identify the user and process responsible.<br />
If required, quarantine the affected internal servers until the issue is resolved.<br />
|-<br />
|Seqrite utm firewall host scan activity by malicious ip<br />
|Triggered when the same malicious IP generates denied traffic to one destination IP on more than 10 different ports within 1 minute.<br />
|A bad IP address sprays connection requests on many popular ports (21, 22, 53, 80, 443 etc.) of a single IP address to find which ports are open on that target. A scan is typically the first stage of reconnaissance in the attack life cycle.<br/><br/><br />
Check the reputation of the external IP address and block it if necessary.<br />
|-<br />
|Seqrite utm firewall successful host scan activity by malicious ip<br />
|Triggered when the same malicious IP generates denied traffic to one destination IP on more than 10 different ports and then successfully connects to the same destination IP on one more port, all within 1 minute.<br />
|A bad IP address sprays connection requests on many popular ports (21, 22, 53, 80, 443 etc.) of a single IP address to find open ports, and then establishes a connection on one of them. A scan is typically the first stage of reconnaissance in the attack life cycle; here it was followed by a successful connection.<br/><br/><br />
Check the reputation of the external IP address and block it if necessary.<br />
Also verify the integrity of the affected internal node: check for any unwarranted system policy change or software configuration change/update during the affected period. If required, quarantine the affected servers until the issue is resolved.<br />
|-<br />
|Seqrite utm firewall sweep scan attack by malicious ip<br />
|Triggered when the same malicious IP generates denied traffic to more than 10 destination IPs within 1 minute.<br />
|A bad IP address sprays connection requests on one popular port (21, 22, 53, 80, 443 etc.) across many IP addresses to find which hosts have that port open. A scan is typically the first stage of reconnaissance in the attack life cycle.<br/><br/><br />
Check the reputation of the external IP address and block it if necessary.<br />
|-<br />
|Seqrite utm firewall successful sweep scan activity by malicious ip<br />
|Triggered when the same malicious IP generates denied traffic to more than 10 destination IPs and then successfully connects to one more destination IP, all within 1 minute.<br />
|A bad IP address sprays connection requests on one popular port (21, 22, 53, 80, 443 etc.) across many IP addresses to find which hosts have that port open, finds one, and establishes a connection to it. A scan is typically the first stage of reconnaissance in the attack life cycle.<br/><br/><br />
Check the reputation of the external IP address and block it if necessary.<br />
Also verify the integrity of the affected internal nodes: check for any unwarranted system policy change or software configuration change/update during the affected period. If required, quarantine the affected servers until the issue is resolved.<br />
|-<br />
|Seqrite utm firewall successful sweep scan activity<br />
|Triggered when the same source IP generates denied traffic to more than 10 destination IPs and then successfully connects to one more destination IP, all within 1 minute.<br />
|An attacker sprays connection requests on one popular port (21, 22, 53, 80, 443 etc.) across many IP addresses to find which hosts have that port open, and here succeeds in connecting to one of them. A scan is typically the first stage of reconnaissance in the attack life cycle.<br/><br/><br />
Check the reputation of the suspected IP address.<br />
If the suspected IP address is external, consider blocking it.<br />
If the suspected IP address is internal, verify the integrity of the corresponding device.<br />
Also verify the integrity of the affected internal nodes: check for any unwarranted system policy change or software configuration change/update during the affected period. If required, quarantine the affected servers until the issue is resolved.<br />
This may also be a false positive, for example a legitimate scanner or monitoring host probing several systems.<br />
|}</div><br />
KHIKA App for Seqrite Utm Firewall, revision of 2020-04-07T10:18:31Z by Dhanashree kulkarni (edit summary: /* A suggestion for useful interaction with this dashboard could be : */), http://khika.com/wiki/index.php?title=KHIKA_App_for_Seqrite_Utm_Firewall&diff=3083<br />
<hr />
<div>== Introduction ==<br />
Firewalls form an important part of organisations’ networks and hence monitoring your firewall is imperative.<br />
Seqrite UTM Firewall sends traffic and user-activity information as logs over the syslog protocol. The KHIKA Data Aggregator is pre-configured with a syslog service on port 514.<br />
The key steps are:<br />
#Enable syslog forwarding on the device.<br />
#Install the KHIKA App for Seqrite UTM Firewall.<br />
#Get data from your Seqrite UTM Firewall into the KHIKA Aggregator.<br />
<br />
== Enabling Syslog forwarding on the device ==<br />
Please refer to the [https://www.seqrite.com/documents/en/manuals/Seqrite_UTM_Admin_Guide_2.2.pdf#Configur Seqrite UTM Admin Guide 2.2], page 199, for enabling syslog forwarding on your Seqrite UTM Firewall.<br />
<br />
Example of the steps to forward syslog to the KHIKA remote syslog server:<br />
<br />
Adding a remote syslog server<br/><br />
1. Navigate to Logs and Reports > Settings > Remote Syslog Server.<br/><br />
2. Click the + icon to add a new syslog server. The Add server dialog box is displayed.<br/><br />
3. Enter the name and IP address of the server (the KHIKA Data Aggregator).<br/><br />
4. Enter the port number and select the protocol over which the logs will be sent to the syslog server.<br/><br />
5. The KHIKA syslog server listens on UDP port 514, so select UDP and port 514 for log forwarding. Note that syslog over UDP is neither authenticated nor encrypted, so the path from the firewall to the Aggregator should stay within a trusted network segment.<br />
<br />
== Verifying SYSLOG data collection ==<br />
<br />
After you enable syslog forwarding on the device, verify that the logs are actually being received by the KHIKA Data Aggregator. Please refer [[Getting Data into KHIKA#Verifying syslog data collection|here]] for how to verify syslog reception on the KHIKA Data Aggregator.<br />
<br />
== How to Install the KHIKA App for Seqrite UTM Firewall ? ==<br />
<br />
It is assumed, that you have already configured KHIKA Data Aggregator in your environment. If not, please read [[Getting Started with KHIKA SaaS#Installing and configuring KHIKA Data Aggregator|how to configure KHIKA Data Aggregator]] and perform the pre-requisite steps.<br />
<br />
This section explains how to select and install the KHIKA application for Seqrite UTM Firewall. Installing the application sets up and activates the adapter (parser) for the Seqrite UTM Firewall log format, together with the preconfigured dashboards and alert rules.<br />
<br />
Go to “Applications” tab in the “Configure” menu. <br />
<br />
[[File:seqrite_applicationtab.JPG|700px]]<br />
<br />
Check that the appropriate Workspace is selected.<br />
Note: an Application is always loaded into a Workspace. Read the section on Workspaces to know more about KHIKA Workspaces.<br />
Also select your KHIKA Aggregator name in the Node dropdown.<br />
This ensures that data is collected from the desired source into the Workspace that holds the configured application and its components.<br />
<br />
[[File:seqrite_selectapp.JPG|700px]]<br />
<br />
Click on the “+” button. A pop up appears.<br />
<br />
[[File:seqrite_app_installation.JPG|700px]]<br />
<br />
You can now select the contents of the application to install. For example, expand the "Reports" dropdown to list all reports, then select the ones you need with the checkbox next to each, or check "Select All" to take all of them.<br />
Select contents from Alerts and Dashboards in the same way.<br />
<br />
Visit the sections on [[KHIKA Reports| KHIKA Reports]], [[KHIKA Dashboards| KHIKA Dashboards]], [[KHIKA Alerts & Correlations| KHIKA Alerts & Correlations]] to know more about these topics.<br />
<br />
Click “OK” to proceed with the installation of the selected Application. <br />
After successful installation, following status should be displayed :<br />
<br />
[[File:seqrite_appinstallaton_successfull.JPG|700px]]<br />
<br />
This simple procedure to install a KHIKA App, automatically configures the Adapter (required for parsing the data from raw syslogs), calculated KHIKA reports on raw data, Visualizations, Dashboards and Alerts – all in one click.<br />
<br />
== Adding the device in the Adaptor ==<br />
After syslogs are enabled on the device and the App is installed into KHIKA, it is time to add the device to the App (in Adapter section of KHIKA Web GUI). Please refer [[Getting Data into KHIKA#Adding device details in the Adaptor|here]] to know [[Getting Data into KHIKA#Adding device details in the Adaptor|how to add the device to an App]].<br />
<br />
After the configuration changes in KHIKA, you must apply these changes to the Workspace. Go to Configure, select the Workspace and in Workspace tab of configure menu press the Apply button as shown in the screenshot below.<br />
<br />
[[File:seqrite_apply_configuration.jpg|800px]]<br />
<br />
<br />
Wait for a few minutes for changes to apply and data to arrive in KHIKA. With all these steps, we should now expect the data to arrive in KHIKA. Lets discover some live data in KHIKA.<br />
<br />
== How to check the output of KHIKA Seqrite UTM Firewall App ? ==<br />
<br />
===Discovering the logs of Seqrite UTM Firewall===<br />
After doing all the steps given above, we should start receiving live data into KHIKA. Go to "Discover" section in KHIKA GUI and select the index with name "*raw-seqrite_utm_firewall*". Note that the index has a prefix of the customer name and workspace name. After selecting this index, you should see the live data coming in. Spend some time understanding this data and the fields of the data.<br />
<br />
=== SEQRITE UTM Bandwidth Usage Dashboard===<br />
<br />
This Dashboard briefly explains the bandwidth consumption by user.<br />
<br />
==== Elements in the Dashboard are explained below : ====<br />
<br />
{| class="wikitable"<br />
|+ style="caption-side:bottom; color:#e76700;"|''Elements in "Seqrite UTM Bandwidth Usage" Dashboard''<br />
|-<br />
|'''Visualization'''<br />
|'''Description'''<br />
|-<br />
|Contribution of User<br />
|Contribution of top users present in the events. <br />
|-<br />
|User wise Max Total Usage<br />
|X axis : User(s) </br> Y axis : Total usage by the user.<br />
|-<br />
|User IP Address wise Max Daily Download<br />
|X axis : User IP(s) </br> Y axis : Max of Daily Download by the User IP.<br />
|-<br />
|User IP Address wise Max Daily Upload<br />
|X axis : User IP(s) </br> Y axis : Max of Daily Upload by the user IP.<br />
|-<br />
|Daily trend<br />
|Trend of bandwidth events over time. Useful to identify unusual spikes at a glance. <br/><br/>X axis : date & time <br/>Y axis : count of events<br />
|-<br />
|Summary Table<br />
|Detailed data with timestamp and count<br />
<br />
|}<br />
<br />
==== A suggestion for useful interaction with this dashboard could be : ====<br />
<br />
#Click on "User" in Contribution of User donut chart.This selected change will be reflected in all the visualizations accordingly.In the "User wise Max Total Usage" visualization we can see maximum of Total Usage done by the user."User IP Address wise Max Daily Download" shall show user IP wise Max daily download which is related to the selected user.Detailed information can be seen in the detailed "Summary Table".<br />
<br />
=== SEQRITE UTM Intrusion Prevention Dashboard===<br />
<br />
This dashboard shows summary of Intrusion Prevention.<br />
<br />
==== Elements in the Dashboard are explained below : ====<br />
<br />
{| class="wikitable"<br />
|+ style="caption-side:bottom; color:#e76700;"|''Elements in "SEQRITE UTM Intrusion Prevention" Dashboard''<br />
|-<br />
|'''Visualization'''<br />
|'''Description'''<br />
|-<br />
|Contribution Of Intrusion Signature<br />
|Contribution of different Intrusion Signatures present in the events.<br />
|-<br />
|Contribution Of Destination IP<br />
|Contribution of different Destination IP(s)<br />
|-<br />
|Contribution Of Destination Port<br />
|Contribution of Destination Port(s) like on which port the communication took place.<br />
|-<br />
|Contribution Of Source IP<br />
|Contribution of Source IP(s) from where the communication initiated.<br />
|-<br />
|Daily trend<br />
|Trend of events related to Intrusion Prevention over time. Useful to identify unusual spikes at a glance. <br/><br/>X axis : date & time <br/>Y axis : count of events<br />
|-<br />
|Summary Table<br />
|Detailed data with timestamp and count<br />
<br />
|}<br />
<br />
==== A suggestion for useful interaction with this dashboard could be : ====<br />
<br />
#Click on Source IP from "Contribution Of Source IP".This selection will result into reflection of all the visualizations present in the dashboard accordingly.In "Contribution Of Destination IP" we can see the destination(s) in the communication with respect to the selected Source IP.Similarly, "Contribution Of Intrusion Signature" will display the Intrusion Signature for the selected fields captured in the events.Detailed information related to this dashboad can be seen in the Summary Table.<br />
<br />
=== SEQRITE UTM Malicious Communication Dashboard===<br />
<br />
This dashboard shows a brief summary of Malicious Communication happening in the network.<br />
<br />
==== Elements in the Dashboard are explained below : ====<br />
<br />
{| class="wikitable"<br />
|+ style="caption-side:bottom; color:#e76700;"|''Elements in "SEQRITE UTM Malicious Communication" Dashboard''<br />
|-<br />
|'''Visualization'''<br />
|'''Description'''<br />
|-<br />
|Contribution of Action<br />
|Contribution of Different Actions present in the Communication.<br />
|-<br />
|Contribution of Malicious IP<br />
|Contribution of Top Malicious IP(s) present in the communication.<br />
|-<br />
|Contribution of Source IP<br />
|Contribution of Top Source IP(s) present in the communication.<br />
|-<br />
|Contribution Of Destination IP<br />
|Contribution of Top Destination IP(s) present in the communications.<br />
|-<br />
|Daily trend<br />
|Trend of Malicious Communication related events over time. Useful to identify unusual spikes at a glance. <br/><br/>X axis : date & time <br/>Y axis : count of events<br />
|-<br />
|Summary Table<br />
|Detailed data with timestamp and count<br />
<br />
|}<br />
<br />
==== A suggestion for useful interaction with this dashboard could be : ====<br />
<br />
#Click on a "Malicious IP" in the Contribution of Malicious IP donut chart. This selection will be reflected in all the visualizations accordingly. The Contribution of Action visualization shows the action, i.e. whether the connection was successfully established or not. To drill down further, we can check the source and destination IP(s) in the communication and determine whether the connection was inbound or outbound.<br />
Example : If the Malicious IP and the Source IP are the same, the connection is inbound; if the Malicious IP and the Destination IP are the same, the connection is outbound.<br />
<br />
=== SEQRITE UTM Policy Breach Attempts Dashboard===<br />
<br />
This dashboard shows a summary of policy breach attempts.<br />
<br />
==== Elements in the Dashboard are explained below : ====<br />
<br />
{| class="wikitable"<br />
|+ style="caption-side:bottom; color:#e76700;"|''Elements in "SEQRITE UTM Policy Breach Attempts" Dashboard''<br />
|-<br />
|'''Visualization'''<br />
|'''Description'''<br />
|-<br />
|Contribution of User IP<br />
|Contribution of Top User IP(s) present in the events.<br />
|-<br />
|Category wise URL<br />
|X Axis : Different types of Categories. <br/> Y Axis : Category wise URL(s)<br />
|-<br />
|Contribution of User Name<br />
|Contribution of top User Names present in the events. <br />
|-<br />
|Contribution of User Group<br />
|Contribution of different User Groups present.<br />
|-<br />
|Daily trend<br />
|Trend of Policy Breach Attempt related events over time. Useful to identify unusual spikes at a glance. <br/><br/>X axis : date & time <br/>Y axis : count of events<br />
|-<br />
|Summary Table<br />
|Detailed data with timestamp and count<br />
<br />
|}<br />
<br />
==== A suggestion for useful interaction with this dashboard could be : ====<br />
<br />
#This dashboard can be used to check the attempts made by users which might be breaking the policies of the organization. Click on any User in the Contribution Of User Name visualization. This selection will be reflected across all the visualizations accordingly. In Category wise URL, we can check the Category wise URL(s) visited by the user which are not allowed as per the policy. Similarly, in Contribution of User IP we can see the IP used by the user. For detailed information related to the communication we can use the Summary Table.<br />
<br />
=== SEQRITE_UTM-Website Category Wise URL Access Dashboard===<br />
<br />
This dashboard shows the distribution of websites accessed, as per category.<br />
<br />
==== Elements in the Dashboard are explained below : ====<br />
<br />
{| class="wikitable"<br />
|+ style="caption-side:bottom; color:#e76700;"|''Elements in "SEQRITE_UTM-Website Category Wise URL Access" Dashboard''<br />
|-<br />
|'''Visualization'''<br />
|'''Description'''<br />
|-<br />
|Contribution of User<br />
|Top User(s) present in the events.<br />
|-<br />
|Contribution of IP Address<br />
|Top IP Address present in the events.<br />
|-<br />
|Category wise URL<br />
|X Axis : Types of Website Categories </br> Y Axis : Category wise URL<br />
|-<br />
|Daily trend<br />
|Trend of events over time. Useful to identify unusual spikes at a glance. <br/><br/>X axis : date & time <br/>Y axis : count of events<br />
|-<br />
|Summary Table<br />
|Detailed data with timestamp and count<br />
<br />
|}<br />
<br />
==== A suggestion for useful interaction with this dashboard could be : ====<br />
<br />
#This dashboard can be used to gain knowledge of the URLs and Categories accessed by Users. Click on a User or IP Address for deeper investigation. All the visualizations present in the dashboard will be reflected accordingly. The "Category wise URL" section will show the categories and the visited URLs in each category with respect to the selected User/Source IP. For detailed information we can use the Summary Table.<br />
<br />
=== Seqrite UTM Firewall Alerts ===<br />
<br />
Alerts are generated when certain critical behavior is observed in the system. Alerts can be monitored in real-time on Alerts Dashboard in KHIKA. Relevant stakeholders can also receive the alerts via emails. The table below explains all the pre-canned alerts shipped with KHIKA App for Seqrite UTM Firewall.<br />
<br />
==== Alerts Description ====<br />
<br />
{| class="wikitable"<br />
|+ style="caption-side:bottom; color:#e76700;"|''Alert Details Table''<br />
|-<br />
|'''Alert Name'''<br />
|'''Description'''<br />
|'''Suggested Resolution'''<br />
|-<br />
|Seqrite utm firewall sweep scan attack<br />
|This alert is triggered when the same source IP generates traffic to more than 10 destination IPs and every request is denied, all within 1 minute.<br />
|An attacker sprays connection requests on one of the popular ports (21, 22, 53, 80, 443 etc.) across multiple IP addresses with the intention of finding which ports are open on which IP addresses. Typically, a scan attempt is the first stage of reconnaissance in the attack life cycle.</br></br><br />
Unless it is a known and legitimate IP address performing the scan, it is important to block this IP. You may white-list known IP addresses (such as a designated Vulnerability Scanner, Asset Discovery Tools etc.) to suppress false positives.<br />
|-<br />
|Seqrite utm firewall host scan activity<br />
|This alert is triggered when the same source IP generates traffic to the same destination IP on more than 10 destination ports and every request is denied, all within 1 minute.<br />
|An attacker sprays connection requests on multiple popular ports (21, 22, 53, 80, 443 etc.) targeting a single IP address at a time with the intention of finding the open ports on the target IP address. Typically, a scan attempt is the first stage of reconnaissance in the attack life cycle.</br></br><br />
Unless it is a known and legitimate IP address performing the scan, it is important to block this IP. You may white-list known IP addresses (such as a designated Vulnerability Scanner, Asset Discovery Tools etc.) to suppress false positives.<br />
|-<br />
|Seqrite utm firewall communication with possible ioc or bad ip<br />
|This alert is triggered when either the Source or the Destination IP is found to be malicious and the action is accept.<br />
|KHIKA shares community based threat intelligence (TI) every 24 hours. The TI has a list of IP addresses with bad reputation. Every bad IP is marked with the number of communities reporting it, the name of each community and a confidence score indicating how confident we are about the reputation. This alert is generated when communication with a bad IP is let through.</br></br><br />
If communication with a bad IP is happening, it must be blocked immediately as it could be a possible attack or data exfiltration.<br />
You can check how long this communication has been happening by simply searching for the malicious IP in the logs. You can also check which internal IP addresses are communicating with this IP address and track the real users behind those internal IP addresses.<br />
Cross-check the reputation of the IP with popular websites such as ipvoid.com and virustotal.com.<br />
If you see an internal IP constantly getting involved in malicious communication (with the same or multiple external IP addresses), you may install agents on the internal nodes involved and check the real user and process responsible for this communication.<br />
It is critical to block this rogue communication.<br />
|-<br />
|Seqrite utm firewall seqrite backdoor activity<br />
|This alert is triggered when traffic is generated from an internal machine on vulnerable ports (3127, 3198, 6129, 7080).<br />
|This event indicates that traffic is generated from an internal machine on vulnerable ports (3127, 3198, 6129, 7080). Typically, these ports are used by attackers to exploit vulnerable programs listening on them.</br></br><br />
Check if these ports are open and on which servers. Do you really need these ports open?<br />
Check what programs are running on these ports. Check the vulnerability reports of those applications.<br />
Block these ports for external traffic, unless it is mandatory to keep them open.<br />
If you have to keep any of these ports open, try to restrict access to legitimate IPs.<br />
If a suspicious IP repeatedly tries to access these ports, block the IP. Check the reputation of the IP on popular websites such as ipvoid.com, virustotal.com etc.<br />
|-<br />
|Seqrite utm firewall host communicating with multiple malicious hosts within 1 hour<br />
|This alert is triggered when any one of the internal hosts communicates with two or more external hosts with bad reputation.<br />
|KHIKA shares community based threat intelligence (TI) every 24 hours. The TI has a list of IP addresses with bad reputation. Every bad IP is marked with the number of communities reporting it, the name of each community and a confidence score indicating how confident we are about the reputation. This alert is generated when the same internal IP communicates with multiple malicious IPs.</br></br><br />
If communication with a bad IP is happening, it must be blocked immediately as it could be a possible attack or data exfiltration.<br />
You can check how long this communication has been happening by simply searching for the malicious IP in the logs. You can also check which internal IP addresses are communicating with this IP address and track the real users behind those internal IP addresses.<br />
Cross-check the reputation of the IP with popular websites such as ipvoid.com and virustotal.com.<br />
If you see an internal IP constantly getting involved in malicious communication (with multiple external IP addresses), you may install agents on the internal nodes involved and check the real user and process responsible for this communication.<br />
It is critical to block this rogue communication.<br />
|-<br />
|Seqrite utm firewall policy breach attempts<br />
|This alert is triggered when there is an attempt at a policy breach from an internal host.<br />
|This event indicates that traffic is generated from an internal host which might violate the organization's policy. The category of the URLs visited by the user is present in the events. Depending on the category, predefined firewall rules in the organization state which categories should be accessible to which users/user groups.</br></br>If you see any User/IP address constantly communicating with URL(s) of a category that is not allowed as per the organization's policy, you may want to take appropriate action on the user or, if required, quarantine the host.<br />
|-<br />
|Seqrite utm firewall communication between multiple Internal hosts and single malicious ip<br />
|This alert is triggered when communication happens between two or more internal hosts and a single external host with bad reputation.<br />
|KHIKA shares community based threat intelligence (TI) every 24 hours. The TI has a list of IP addresses with bad reputation. Every bad IP is marked with the number of communities reporting it, the name of each community and a confidence score indicating how confident we are about the reputation. This alert is generated when communication happens between multiple internal hosts and the same external malicious IP.</br></br><br />
If communication with a bad IP is happening, it must be blocked immediately as it could be a possible attack or data exfiltration.<br />
You can check how long this communication has been happening by simply searching for the malicious IP in the logs. You can also check which internal IP addresses are communicating with this IP address and track the real users behind those internal IP addresses.<br />
Cross-check the reputation of the IP with popular websites such as ipvoid.com and virustotal.com.<br />
If you see an internal IP constantly getting involved in malicious communication (with the same external IP address), you may install agents on the internal nodes involved and check the real user and process responsible for this communication.<br />
It is critical to block this rogue communication.<br />
|-<br />
|Seqrite utm firewall communication with suspicious ip<br />
|This alert is triggered when bytes are both sent and received during communication with a malicious IP within 1 minute.<br />
|If communication with a bad IP is happening, it must be blocked immediately as it could be a possible attack or data exfiltration.<br />
You can check the logs for this communication by simply searching for the malicious IP. You can also check which internal IP addresses are communicating with this IP address and track the real users behind those internal IP addresses.</br></br><br />
If you see an internal IP constantly getting involved in malicious communication (with the same or multiple external IP addresses), you may install agents on the internal nodes involved and check the real user and process responsible for this communication.<br />
If required, quarantine the affected internal servers till the time the issues are resolved.<br />
|-<br />
|Seqrite utm firewall host scan activity by malicious ip<br />
|This alert is triggered when the same malicious IP generates traffic to one destination IP on more than 10 different ports within 1 minute and every request is denied.<br />
|A bad IP address sprays connection requests on multiple popular ports (21, 22, 53, 80, 443 etc.) targeting a single IP address at a time with the intention of finding the open ports on the target IP address. Typically, a scan attempt is the first stage of reconnaissance in the attack life cycle.</br></br><br />
It is important to check the reputation of the external IP address and block it if necessary.<br />
|-<br />
|Seqrite utm firewall successful host scan activity by malicious ip <br />
|This alert is triggered when the same malicious IP generates traffic to one destination IP on more than 10 different ports and every request is denied, and then the same malicious IP attempts to connect to the same destination IP on one more port and this time the connection succeeds. All of this happens within 1 minute.<br />
|A bad IP address sprays connection requests on multiple popular ports (21, 22, 53, 80, 443 etc.) targeting a single IP address at a time with the intention of finding the open ports on the target IP address. Typically, a scan attempt is the first stage of reconnaissance in the attack life cycle; here the attacker has also made a successful connection on an open port.</br></br> <br />
It is important to check the reputation of the external IP address and block it if necessary.<br />
It is also important to verify the sanity of affected internal nodes by checking if any unwarranted system policy change or software configuration/updates have occurred during the affected time period. If required, quarantine the affected servers till the time the issues are resolved.<br />
|-<br />
|Seqrite utm firewall sweep scan attack by malicious ip<br />
|This alert is triggered when the same malicious IP generates traffic to more than 10 destination IPs and every request is denied, all within 1 minute.<br />
|A bad IP address sprays connection requests on one of the popular ports (21, 22, 53, 80, 443 etc.) across multiple IP addresses with the intention of finding which ports are open on which IP addresses. Typically, a scan attempt is the first stage of reconnaissance in the attack life cycle.</br></br><br />
It is important to check the reputation of the external IP address and block it if necessary.<br />
|-<br />
|Seqrite utm firewall successful sweep scan activity by malicious ip<br />
|This alert is triggered when the same malicious IP generates traffic to more than 10 destination IPs and every request is denied, and then the same source IP attempts to connect to one more destination IP and this time the connection succeeds. All of this happens within 1 minute.<br />
|A bad IP address sprays connection requests on one of the popular ports (21, 22, 53, 80, 443 etc.) across multiple IP addresses with the intention of finding which ports are open on which IP addresses. Typically, a scan attempt is the first stage of reconnaissance in the attack life cycle; here the attacker has found an open port on one of the IP addresses and is able to establish a connection.</br></br><br />
It is important to check the reputation of the external IP address and block it if necessary.<br />
It is also important to verify the sanity of the affected internal nodes by checking whether any unwarranted system policy change or software configuration/updates have occurred during the affected time period. If required, quarantine the affected servers till the time the issues are resolved.<br />
|-<br />
|Seqrite utm firewall successful sweep scan activity<br />
|This alert is triggered when the same source IP generates traffic to more than 10 destination IPs and every request is denied, and then the same source IP attempts to connect to one more destination IP and this time the connection succeeds. All of this happens within 1 minute.<br />
|An attacker sprays connection requests on one of the popular ports (21, 22, 53, 80, 443 etc.) across multiple IP addresses with the intention of finding which ports are open on which IP addresses. Typically, a scan attempt is the first stage of reconnaissance in the attack life cycle; here the attacker has made a successful connection to one of the IP addresses.</br></br><br />
It is important to check the reputation of the suspected IP address.<br />
If the suspected IP address is external, you may consider blocking it.<br />
If the suspected IP address is internal, you may need to verify the sanity of the corresponding device.<br />
It is also important to verify the sanity of the affected internal nodes by checking whether any unwarranted system policy change or software configuration/updates have occurred during the affected time period. If required, quarantine the affected servers till the time the issues are resolved.<br />
This may be a false positive.<br />
<br />
<br />
<br />
<br />
|}</div>Dhanashree kulkarnihttp://khika.com/wiki/index.php?title=KHIKA_App_for_Seqrite_Utm_Firewall&diff=3082KHIKA App for Seqrite Utm Firewall2020-04-07T10:08:17Z<p>Dhanashree kulkarni: /* How to check the output of KHIKA Seqrite UTM Firewall App ? */</p>
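The scan alerts in the table above (sweep scan, host scan and their "successful" variants, plus the "by malicious ip" names for sources on the threat-intelligence list) amount to a sliding-window check over firewall events. The following Python is an added example of that check and is not KHIKA's rule implementation; the key=value log layout, the field names, the sample traffic and the bad-IP list are all constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Thresholds as stated in the alert table: more than 10 distinct targets, all within 1 minute.
WINDOW = timedelta(minutes=1)
THRESHOLD = 10

# Constructed key=value log layout for this example; it is NOT the real Seqrite UTM syslog format.
LINE_RE = re.compile(
    r"(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) action=(?P<action>\w+)"
)

# Alert names taken from the table above, keyed by (scan kind, successful?).
ALERT_NAMES = {
    ("sweep", False): "sweep scan attack",
    ("sweep", True): "successful sweep scan activity",
    ("host", False): "host scan activity",
    ("host", True): "successful host scan activity",
}


def parse_line(line):
    """Turn one constructed log line into an event dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return {"ts": datetime.fromisoformat(d["ts"]), "src": d["src"], "dst": d["dst"],
            "dport": int(d["dport"]), "action": d["action"]}


def build_sample_log():
    """Constructed sample traffic (not real data):
    - 203.0.113.5 is denied on port 22 by 11 internal hosts, then accepted by a 12th (successful sweep);
    - 198.51.100.7 is denied on 11 ports of 10.0.0.9, then accepted on 443 (successful host scan);
    - 192.0.2.20 is an ordinary accepted client;
    - 192.0.2.99 probes 11 hosts but only one per minute, so it never crosses the 1-minute window."""
    base = datetime(2021, 3, 5, 10, 0, 0)

    def line(sec, src, dst, dport, action):
        ts = (base + timedelta(seconds=sec)).isoformat()
        return f"{ts} src={src} dst={dst} dport={dport} action={action}"

    lines = [line(i, "203.0.113.5", f"10.0.0.{i + 1}", 22, "deny") for i in range(11)]
    lines.append(line(20, "203.0.113.5", "10.0.0.50", 22, "accept"))
    lines += [line(30 + i, "198.51.100.7", "10.0.0.9", 8000 + i, "deny") for i in range(11)]
    lines.append(line(45, "198.51.100.7", "10.0.0.9", 443, "accept"))
    lines.append(line(50, "192.0.2.20", "10.0.0.9", 443, "accept"))
    lines += [line(60 * i, "192.0.2.99", f"10.0.1.{i + 1}", 80, "deny") for i in range(11)]
    return lines


def detect_scans(events, bad_ips=frozenset(), threshold=THRESHOLD, window=WINDOW):
    """Sliding-window scan detection over events sorted by time.

    Two keys are tracked: ("sweep", src) collects distinct denied destination IPs, and
    ("host", (src, dst)) collects distinct denied destination ports on one destination.
    Once the distinct count exceeds the threshold within the window, the base alert fires
    (once per key). An accepted connection from the same source to a target not in the
    denied set then fires the 'successful' variant. Sources listed in bad_ips (standing in
    for the threat-intelligence feed described above) get the 'by malicious ip' names."""
    alerts, fired = [], set()
    denied = defaultdict(list)  # (kind, key) -> [(ts, target), ...] still inside the window
    for e in sorted(events, key=lambda ev: ev["ts"]):
        for kind, key, target in (("sweep", e["src"], e["dst"]),
                                  ("host", (e["src"], e["dst"]), e["dport"])):
            recent = [(ts, t) for ts, t in denied[(kind, key)] if e["ts"] - ts <= window]
            denied[(kind, key)] = recent
            if e["action"] == "deny":
                recent.append((e["ts"], target))
            distinct = {t for _, t in recent}
            if len(distinct) <= threshold:
                continue
            success = e["action"] == "accept" and target not in distinct
            if (e["action"] != "deny" and not success) or (kind, key, success) in fired:
                continue
            fired.add((kind, key, success))
            name = ALERT_NAMES[(kind, success)] + (" by malicious ip" if e["src"] in bad_ips else "")
            alerts.append({"alert": name, "src": e["src"], "dst": e["dst"], "dport": e["dport"],
                           "distinct_targets": len(distinct), "ts": e["ts"].isoformat()})
    return alerts


def run_example():
    """Parse the constructed log and run detection with a constructed bad-IP list."""
    events = [ev for ev in map(parse_line, build_sample_log()) if ev]
    return detect_scans(events, bad_ips={"198.51.100.7"})


if __name__ == "__main__":
    for alert in run_example():
        print(alert)
```

The slow probe from 192.0.2.99 shows why the 1-minute window matters: it touches 11 hosts, but never more than two inside any single window, so none of the four alerts fires for it.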
<hr />
<div>== Introduction ==<br />
Firewalls form an important part of organisations’ networks and hence monitoring your firewall is imperative.<br />
Seqrite UTM Firewall sends the traffic and user activity related information in the form of logs over syslog protocol. KHIKA Data Aggregator is pre-configured with syslog services on port 514.<br />
The key steps are :<br />
#Enabling Syslog forwarding on the device.<br />
#Installing the KHIKA App for SEQRITE UTM Firewall.<br />
#Getting data from your SEQRITE UTM Firewall into the KHIKA Aggregator.<br />
<br />
== Enabling Syslog forwarding on the device ==<br />
Please refer to the [https://www.seqrite.com/documents/en/manuals/Seqrite_UTM_Admin_Guide_2.2.pdf#Configur Seqrite UTM Firewall documentation], page no. 199, for enabling syslogs on your Seqrite UTM Firewall.<br />
<br />
Example of steps to forward Syslog to the KHIKA Remote Syslog Server:<br />
<br />
Adding a remote syslog server</br><br />
1. Navigate to Logs and Reports > Settings > Remote Syslog Server.</br><br />
2. Click the + icon to add a new Syslog server. The Add server dialog box is displayed.</br><br />
3. Enter the name and IP address of the server.</br><br />
4. Enter the port number and select the protocol over which the log files will be sent to the Syslog server.</br><br />
5. The KHIKA Syslog Server typically listens on UDP port 514. Please use the UDP protocol and port 514 for log forwarding.<br />
<br />
== Verifying SYSLOG data collection ==<br />
<br />
After you enable syslog forwarding on the end device, you must verify that the logs are actually being received by the KHIKA Data Aggregator. Please refer [[Getting Data into KHIKA#Verifying syslog data collection|here]] to understand how to verify syslogs on the KHIKA Data Aggregator.<br />
<br />
== How to Install the KHIKA App for Seqrite UTM Firewall ? ==<br />
<br />
It is assumed, that you have already configured KHIKA Data Aggregator in your environment. If not, please read [[Getting Started with KHIKA SaaS#Installing and configuring KHIKA Data Aggregator|how to configure KHIKA Data Aggregator]] and perform the pre-requisite steps.<br />
<br />
This section explains how to pick and install the KHIKA application for Seqrite UTM Firewall. Installing the application puts together and activates the adapter (parser) that handles the Seqrite UTM Firewall data format, along with the preconfigured dashboards and alert rules.<br />
<br />
Go to “Applications” tab in the “Configure” menu. <br />
<br />
[[File:seqrite_applicationtab.JPG|700px]]<br />
<br />
Check whether the appropriate Workspace is selected.<br />
Note: An application is always loaded into a Workspace. Read the section on Workspaces to know more about KHIKA Workspaces.<br />
Also select your KHIKA aggregator name in the Node dropdown.<br />
This ensures that we collect data from the desired source into the correct workspace, which is ready with the configured application and components.<br />
<br />
[[File:seqrite_selectapp.JPG|700px]]<br />
<br />
Click on the “+” button. A pop up appears.<br />
<br />
[[File:seqrite_app_installation.JPG|700px]]<br />
<br />
You can now select the contents of the application required. For example, click on the dropdown for “Reports” to expand it. A list of all reports can be seen. You can individually select the reports required by checking the checkbox next to each. Alternatively, check the “Select All” option to get all of them.<br />
Similarly, you can select contents from Alerts and Dashboards.<br />
<br />
Visit the sections on [[KHIKA Reports| KHIKA Reports]], [[KHIKA Dashboards| KHIKA Dashboards]], [[KHIKA Alerts & Correlations| KHIKA Alerts & Correlations]] to know more about these topics.<br />
<br />
Click “OK” to proceed with the installation of the selected Application. <br />
After successful installation, the following status should be displayed :<br />
<br />
[[File:seqrite_appinstallaton_successfull.JPG|700px]]<br />
<br />
This simple procedure to install a KHIKA App automatically configures the Adapter (required for parsing the data from raw syslogs), the KHIKA reports calculated on raw data, Visualizations, Dashboards and Alerts – all in one click.<br />
<br />
== Adding the device in the Adaptor ==<br />
After syslogs are enabled on the device and the App is installed into KHIKA, it is time to add the device to the App (in Adapter section of KHIKA Web GUI). Please refer [[Getting Data into KHIKA#Adding device details in the Adaptor|here]] to know [[Getting Data into KHIKA#Adding device details in the Adaptor|how to add the device to an App]].<br />
<br />
After the configuration changes in KHIKA, you must apply these changes to the Workspace. Go to Configure, select the Workspace and in Workspace tab of configure menu press the Apply button as shown in the screenshot below.<br />
<br />
[[File:seqrite_apply_configuration.jpg|800px]]<br />
<br />
<br />
Wait a few minutes for the changes to apply and data to arrive in KHIKA. With all these steps done, we should now expect data to arrive in KHIKA. Let's discover some live data in KHIKA.<br />
<br />
== How to check the output of KHIKA Seqrite UTM Firewall App ? ==<br />
<br />
===Discovering the logs of Seqrite UTM Firewall===<br />
After doing all the steps given above, we should start receiving live data into KHIKA. Go to "Discover" section in KHIKA GUI and select the index with name "*raw-seqrite_utm_firewall*". Note that the index has a prefix of the customer name and workspace name. After selecting this index, you should see the live data coming in. Spend some time understanding this data and the fields of the data.<br />
<br />
=== SEQRITE UTM Bandwidth Usage Dashboard===<br />
<br />
This Dashboard briefly explains the bandwidth consumption by user.<br />
<br />
==== Elements in the Dashboard are explained below : ====<br />
<br />
{| class="wikitable"<br />
|+ style="caption-side:bottom; color:#e76700;"|''Elements in "Seqrite UTM Bandwidth Usage" Dashboard''<br />
|-<br />
|'''Visualization'''<br />
|'''Description'''<br />
|-<br />
|Contribution of User<br />
|Contribution of top users present in the events. <br />
|-<br />
|User wise Max Total Usage<br />
|X axis : User(s) </br> Y axis : Total usage by the user.<br />
|-<br />
|User IP Address wise Max Daily Download<br />
|X axis : User IP(s) </br> Y axis : Max of Daily Download by the User IP.<br />
|-<br />
|User IP Address wise Max Daily Upload<br />
|X axis : User IP(s) </br> Y axis : Max of Daily Upload by the user IP.<br />
|-<br />
|Daily trend<br />
|Trend of bandwidth events over time. Useful to identify unusual spikes at a glance. <br/><br/>X axis : date & time <br/>Y axis : count of events<br />
|-<br />
|Summary Table<br />
|Detailed data with timestamp and count<br />
<br />
|}<br />
<br />
==== A suggestion for useful interaction with this dashboard could be : ====<br />
<br />
#Click on a "User" in the Contribution of User donut chart. This selection will be reflected in all the visualizations accordingly. In the "User wise Max Total Usage" visualization we can see the maximum Total Usage by that user. "User IP Address wise Max Daily Download" shows the user-IP-wise maximum daily download for the selected user. Detailed information can be seen in the "Summary Table".<br />
<br />
=== SEQRITE UTM Intrusion Prevention Dashboard===<br />
<br />
This dashboard shows a summary of Intrusion Prevention.<br />
<br />
==== Elements in the Dashboard are explained below : ====<br />
<br />
{| class="wikitable"<br />
|+ style="caption-side:bottom; color:#e76700;"|''Elements in "SEQRITE UTM Intrusion Prevention" Dashboard''<br />
|-<br />
|'''Visualization'''<br />
|'''Description'''<br />
|-<br />
|Contribution Of Intrusion Signature<br />
|Contribution of different Intrusion Signatures present in the events.<br />
|-<br />
|Contribution Of Destination IP<br />
|Contribution of different Destination IP(s).<br />
|-<br />
|Contribution Of Destination Port<br />
|Contribution of Destination Port(s), i.e. the ports on which the communication took place.<br />
|-<br />
|Contribution Of Source IP<br />
|Contribution of Source IP(s) from which the communication was initiated.<br />
|-<br />
|Daily trend<br />
|Trend of events related to Intrusion Prevention over time. Useful to identify unusual spikes at a glance. <br/><br/>X axis : date & time <br/>Y axis : count of events<br />
|-<br />
|Summary Table<br />
|Detailed data with timestamp and count<br />
<br />
|}<br />
<br />
==== A suggestion for useful interaction with this dashboard could be : ====<br />
<br />
#Click on a Source IP in "Contribution Of Source IP". This selection will be reflected in all the visualizations present in the dashboard. In "Contribution Of Destination IP" we can see the destination(s) in communication with the selected Source IP. Similarly, "Contribution Of Intrusion Signature" will display the Intrusion Signatures captured in the events for the selected fields. Detailed information related to this dashboard can be seen in the Summary Table.<br />
<br />
=== SEQRITE UTM Malicious Communication Dashboard===<br />
<br />
This dashboard shows a brief summary of Malicious Communication happening in the network.<br />
<br />
==== Elements in the Dashboard are explained below : ====<br />
<br />
{| class="wikitable"<br />
|+ style="caption-side:bottom; color:#e76700;"|''Elements in "SEQRITE UTM Malicious Communication" Dashboard''<br />
|-<br />
|'''Visualization'''<br />
|'''Description'''<br />
|-<br />
|Contribution of Action<br />
|Contribution of Different Actions present in the Communication.<br />
|-<br />
|Contribution of Malicious IP<br />
|Contribution of Top Malicious IP(s) present in the communication.<br />
|-<br />
|Contribution of Source IP<br />
|Contribution of Top Source IP(s) present in the communication.<br />
|-<br />
|Contribution Of Destination IP<br />
|Contribution of Top Destination IP(s) present in the communications.<br />
|-<br />
|Daily trend<br />
|Trend of Malicious Communication related events over time. Useful to identify unusual spikes at a glance. <br/><br/>X axis : date & time <br/>Y axis : count of events<br />
|-<br />
|Summary Table<br />
|Detailed data with timestamp and count<br />
<br />
|}<br />
<br />
==== A suggestion for useful interaction with this dashboard could be : ====<br />
<br />
#Click on a "Malicious IP" in the Contribution of Malicious IP donut chart. This selection will be reflected in all the visualizations accordingly. The Contribution of Action visualization shows the action, i.e. whether the connection was successfully established or not. To drill down further, we can check the source and destination IP(s) in the communication and determine whether the connection was inbound or outbound.<br />
Example : If the Malicious IP and the Source IP are the same, the connection is inbound; if the Malicious IP and the Destination IP are the same, the connection is outbound.<br />
<br />
=== SEQRITE UTM Policy Breach Attempts Dashboard===<br />
<br />
This dashboard shows a summary of policy breach attempts.<br />
<br />
==== Elements in the Dashboard are explained below : ====<br />
<br />
{| class="wikitable"<br />
|+ style="caption-side:bottom; color:#e76700;"|''Elements in "SEQRITE UTM Policy Breach Attempts" Dashboard''<br />
|-<br />
|'''Visualization'''<br />
|'''Description'''<br />
|-<br />
|Contribution of User IP<br />
|Contribution of Top User IP(s) present in the events.<br />
|-<br />
|Category wise URL<br />
|X Axis : Different types of Categories. <br/> Y Axis : Category wise URL(s)<br />
|-<br />
|Contribution of User Name<br />
|Contribution of top User Names present in the events. <br />
|-<br />
|Contribution of User Group<br />
|Contribution of different User Groups present.<br />
|-<br />
|Daily trend<br />
|Trend of Policy Breach Attempt related events over time. Useful to identify unusual spikes at a glance. <br/><br/>X axis : date & time <br/>Y axis : count of events<br />
|-<br />
|Summary Table<br />
|Detailed data with timestamp and count<br />
<br />
|}<br />
<br />
==== A suggestion for useful interaction with this dashboard could be : ====<br />
<br />
#This dashboard can be used to check the attempts made by users which might be breaking the policies of the organization. Click on any User in the Contribution Of User Name visualization. This selection will be reflected in all the visualizations accordingly. In Category wise URL, we can check the Category wise URL(s) visited by the user which are not allowed as per the policy. Similarly, in Contribution of User IP we can see the IP used by the user. For detailed information related to the communication we can use the Summary Table.<br />
<br />
=== SEQRITE_UTM-Website Category Wise URL Access Dashboard===<br />
<br />
This dashboard shows the distribution of websites accessed, by category.<br />
<br />
==== Elements in the Dashboard are explained below : ====<br />
<br />
{| class="wikitable"<br />
|+ style="caption-side:bottom; color:#e76700;"|''Elements in "SEQRITE_UTM-Website Category Wise URL Access" Dashboard''<br />
|-<br />
|'''Visualization'''<br />
|'''Description'''<br />
|-<br />
|Contribution of User<br />
|Top User(s) present in the events.<br />
|-<br />
|Contribution of IP Address<br />
|Top IP Address present in the events.<br />
|-<br />
|Category wise URL<br />
|X Axis : Types of Website Categories </br> Y Axis : Category wise URL<br />
|-<br />
|Daily trend<br />
|Trend of events over time. Useful to identify unusual spikes at a glance. <br/><br/>X axis : date & time <br/>Y axis : count of events<br />
|-<br />
|Summary Table<br />
|Detailed data with timestamp and count<br />
<br />
|}<br />
<br />
==== A suggestion for useful interaction with this dashboard could be : ====<br />
<br />
#This dashboard can be used to learn which URLs and categories are accessed by users. Click on a User or IP Address for deeper investigation; all the visualizations in the dashboard are updated accordingly. The "Category wise URL" section shows each category and the URLs visited in that category for the selected User/Source IP. For detailed information, use the Summary Table.<br />
<br />
=== Seqrite UTM Firewall Alerts ===<br />
<br />
Alerts are generated when certain critical behavior is observed in the system. Alerts can be monitored in real-time on Alerts Dashboard in KHIKA. Relevant stakeholders can also receive the alerts via emails. The table below explains all the pre-canned alerts shipped with KHIKA App for Seqrite UTM Firewall.<br />
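As an added example (not KHIKA's rule engine and not code from this page), the Python below reproduces the scan and bad-IP rules described in the table that follows, run over constructed log lines: the "sweep scan" and "host scan" alerts (more than 10 distinct destination IPs, or more than 10 distinct ports on one destination, all denied within one minute), their "successful" variants (one further accepted connection to a target or port that was not among the denied ones), their "by malicious ip" variants, and "communication with possible ioc or bad ip", labelled inbound or outbound with the rule from the Malicious Communication dashboard. The key=value line layout, the BAD_IPS set and the sample traffic are assumptions constructed for this example; they are not Seqrite's real log format or KHIKA's threat-intelligence feed.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=1)   # "all this happens within 1 minute"
THRESHOLD = 10                  # "more than 10" destination IPs / ports
# Constructed threat-intel entry standing in for KHIKA's daily TI feed.
BAD_IPS = {"203.0.113.7"}

def parse(line):
    """Parse one constructed line: 'ISO-timestamp k=v k=v ...'.
    The key=value layout is an assumption for this example, not Seqrite's format."""
    ts, _, rest = line.partition(" ")
    ev = dict(kv.split("=", 1) for kv in rest.split())
    ev["ts"] = datetime.fromisoformat(ts)
    ev["dport"] = int(ev["dport"])
    return ev

def detect(lines):
    """Return the alerts the rules would raise for these lines, each as a
    tuple (alert name, details...), in firing order and without duplicates."""
    events = sorted((parse(l) for l in lines), key=lambda e: e["ts"])
    recent, alerts, fired = [], [], set()

    def raise_alert(*alert):
        if alert not in fired:
            fired.add(alert)
            alerts.append(alert)

    for ev in events:
        recent.append(ev)
        # Keep only the sliding 1-minute window ending at this event.
        recent = [e for e in recent if ev["ts"] - e["ts"] <= WINDOW]
        src, dst, dport = ev["src"], ev["dst"], ev["dport"]
        denied = [e for e in recent if e["src"] == src and e["action"] == "deny"]
        swept = {e["dst"] for e in denied}                        # distinct targets
        probed = {e["dport"] for e in denied if e["dst"] == dst}  # distinct ports on dst
        tag = " by malicious ip" if src in BAD_IPS else ""
        if ev["action"] == "deny":
            if len(swept) > THRESHOLD:
                raise_alert("sweep scan attack" + tag, src)
            if len(probed) > THRESHOLD:
                raise_alert("host scan activity" + tag, src, dst)
        else:
            # An accepted connection right after the denied spray is the
            # "successful ..." variant: one more target / port not denied before.
            if len(swept) > THRESHOLD and dst not in swept:
                raise_alert("successful sweep scan activity" + tag, src, dst)
            if len(probed) > THRESHOLD and dport not in probed:
                raise_alert("successful host scan activity" + tag, src, dst, dport)
            if src in BAD_IPS or dst in BAD_IPS:
                # Direction rule from the Malicious Communication dashboard:
                # bad IP == source -> inbound, bad IP == destination -> outbound.
                direction = "inbound" if src in BAD_IPS else "outbound"
                raise_alert("communication with possible ioc or bad ip", direction, src, dst)
    return alerts

def sample_lines():
    """Constructed traffic for the example, not captured from a real device."""
    t0 = datetime(2020, 4, 7, 10, 1, 0)
    def line(sec, src, dst, dport, action):
        ts = (t0 + timedelta(seconds=sec)).isoformat()
        return f"{ts} src={src} dst={dst} dport={dport} action={action}"
    lines = []
    # 1) 198.51.100.9 sprays port 22 across 11 hosts (denied), then reaches a 12th.
    for i in range(11):
        lines.append(line(i, "198.51.100.9", f"10.0.0.{i + 1}", 22, "deny"))
    lines.append(line(12, "198.51.100.9", "10.0.0.12", 22, "accept"))
    # 2) A bad IP probes 11 ports on one host (denied), then connects on 443.
    for p in range(1, 12):
        lines.append(line(20 + p, "203.0.113.7", "10.0.0.5", p, "deny"))
    lines.append(line(33, "203.0.113.7", "10.0.0.5", 443, "accept"))
    # 3) An internal host talks out to the bad IP and the firewall lets it through.
    lines.append(line(40, "10.0.0.20", "203.0.113.7", 8080, "accept"))
    return lines

if __name__ == "__main__":
    for alert in detect(sample_lines()):
        print(alert)
```

The sample traffic raises six alerts: a sweep scan and its successful variant for 198.51.100.9, a host scan and successful host scan "by malicious ip" for 203.0.113.7, an inbound bad-IP communication from 203.0.113.7, and an outbound one from 10.0.0.20. Ten denied targets alone raise nothing, because the rule is "more than 10".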
<br />
==== Alerts Description ====<br />
<br />
{| class="wikitable"<br />
|+ style="caption-side:bottom; color:#e76700;"|''Alert Details Table''<br />
|-<br />
|'''Alert Name'''<br />
|'''Description'''<br />
|'''Suggested Resolution'''<br />
|-<br />
|Seqrite utm firewall sweep scan attack<br />
|This alert is triggered when the same source IP generates traffic to more than 10 destination IPs and every request is denied, all within 1 minute.<br />
|An attacker tries to spray connection requests on one of the popular ports (21,22,53,80,443 etc) on multiple IP addresses with an intention to find which ports are opened on what IP addresses. Typically, scan attempt is the first stage of reconnaissance in the attack life cycle.</br></br><br />
Unless it is a known and legitimate IP address performing scan, it is important to block this IP. You may white-list the known IP addresses (such as designated Vulnerability Scanner, Asset Discovery Tools etc), so as to suppress the false positives.<br />
|-<br />
|Seqrite utm firewall host scan activity<br />
|This alert is triggered when the same source IP generates traffic to the same destination IP on more than 10 destination ports and every request is denied, all within 1 minute.<br />
|An attacker sprays connection requests on multiple popular ports (21, 22, 53, 80, 443 etc.) against a single IP address at a time, with the intention of finding the open ports on that target. Typically, a scan attempt is the first stage of reconnaissance in the attack life cycle.</br></br><br />
Unless it is a known and legitimate IP address performing the scan, it is important to block this IP. You may white-list the known IP addresses (such as designated Vulnerability Scanner, Asset Discovery Tools etc), so as to suppress the false positives.<br />
|-<br />
|Seqrite utm firewall communication with possible ioc or bad ip<br />
|This alert is triggered when either the Source or the Destination IP is on the threat-intelligence list and the firewall action is accept (the connection was allowed).<br />
|KHIKA shares community based threat intelligence (TI) every 24 hours. TI has list of IP addresses with bad reputation. Every bad IP is marked with number of communities reporting it, name of each community and confidence indicating how confident are we about the reputation. This alert is generated when communication with a bad IP is let through.</br></br><br />
If communication with a bad IP is happening, it must be blocked immediately as it could be a possible attack or data exfiltration. <br />
You can check how long this communication has been happening by simply searching for the malicious IP in the logs. You can also check which internal IP addresses are communicating with this IP address and track the real users behind those internal IP addresses.<br />
Cross-check the reputation of the IP with popular websites such as ipvoid.com, virustotal.com<br />
If you see an internal IP constantly getting involved in malicious communication (with same or multiple external IP addresses), you may install agents on the internal nodes involved and check the real user and process responsible for this communication.<br />
It is critical to block this rogue communication.<br />
|-<br />
|Seqrite utm firewall seqrite backdoor activity<br />
|This alert is triggered when traffic is generated from an internal machine on one of the vulnerable ports 3127, 3198, 6129 or 7080.<br />
|This event indicates that traffic was generated from an internal machine on one of the vulnerable ports (3127, 3198, 6129, 7080). Typically, these ports are used by attackers to exploit vulnerable programs listening on them. </br></br><br />
Check whether these ports are open, and on which servers. Do you really need these ports open?<br />
Check what programs are running on these ports. Check vulnerability reports of the applications<br />
Block these ports for external traffic, unless mandatory to keep them opened.<br />
If you have to keep any of these ports opened, try to restrict the access to legitimate IPs.<br />
If you get a suspicious IP repetitively trying to access these port, block the IP. Check the reputation of the IP on popular website such as ipvoid.com, virustotal.com etc. <br />
|-<br />
|Seqrite utm firewall host communicating with multiple malicious hosts within 1 hour<br />
|This alert is triggered when any one of the internal hosts is communicating with two or more external hosts with bad reputation.<br />
|KHIKA shares community based threat intelligence (TI) every 24 hours. TI has list of IP addresses with bad reputation. Every bad IP is marked with number of communities reporting it, name of each community and confidence indicating how confident are we about the reputation. This alert is generated when same internal ip communicates with multiple malicious IPs.</br></br><br />
If communication with a bad IP is happening, it must be blocked immediately as it could be a possible attack or data exfiltration. <br />
You can check how long this communication has been happening by simply searching for the malicious IP in the logs. You can also check which internal IP addresses are communicating with this IP address and track the real users behind those internal IP addresses.<br />
Cross-check the reputation of the IP with popular websites such as ipvoid.com, virustotal.com<br />
If you see an internal IP constantly getting involved in malicious communication (multiple external IP addresses), you may install agents on the internal nodes involved and check the real user and process responsible for this communication.<br />
It is critical to block this rogue communication.<br />
|-<br />
|Seqrite utm firewall policy breach attempts<br />
|This alert is triggered when there is a attempt of policy breach from internal hosts.<br />
|This event indicates that traffic was generated from an internal host which might violate the organization's policy. The category of the URL visited by the user is present in the event. Based on the category, predefined firewall rules state which categories are accessible to which users or user groups.</br></br>If you see a user or IP address repeatedly communicating with URL(s) in a category that is not allowed by the organization's policy, take appropriate action on the user or, if required, quarantine the host.<br />
|-<br />
|Seqrite utm firewall communication between multiple Internal hosts and single malicious ip<br />
|This alert is triggered when two or more internal hosts communicate with the same external host with bad reputation.<br />
|KHIKA shares community based threat intelligence (TI) every 24 hours. TI has a list of IP addresses with bad reputation. Every bad IP is marked with the number of communities reporting it, the name of each community and a confidence score indicating how confident we are about the reputation. This alert is generated when multiple internal hosts communicate with the same external malicious IP.</br></br><br />
If communication with a bad IP is happening, it must be blocked immediately as it could be a possible attack or data exfiltration. <br />
You can check how long this communication has been happening by simply searching for the malicious IP in the logs. You can also check which internal IP addresses are communicating with this IP address and track the real users behind those internal IP addresses.<br />
Cross-check the reputation of the IP with popular websites such as ipvoid.com, virustotal.com<br />
If you see an internal IP constantly getting involved in malicious communication (with same external IP address), you may install agents on the internal nodes involved and check the real user and process responsible for this communication.<br />
It is critical to block this rogue communication.<br />
|-<br />
|Seqrite utm firewall communication with suspicious ip<br />
|This alert is triggered when bytes are both sent and received in a communication with a malicious IP within 1 minute (data was actually exchanged, not just a blocked attempt).<br />
|Communication with a bad IP is taking place; it must be blocked immediately as it could be a possible attack or data exfiltration. <br />
You can check the log for this communication by simply searching the malicious IP in the logs. You can also check which internal IP addresses are communicating with this IP address and track the real users behind those internal IP addresses.</br></br><br />
If you see an internal IP constantly getting involved in malicious communication (with same or multiple external IP addresses), you may install agents on the internal nodes involved and check the real user and process responsible for this communication.<br />
If required, quarantine the affected internal servers till the time the issues are resolved.<br />
|-<br />
|Seqrite utm firewall host scan activity by malicious ip<br />
|This alert is triggered when the same malicious IP generates traffic to one destination IP on more than 10 different ports within 1 minute and every request is denied.<br />
|Bad ip address tries to spray connection requests on multiple popular ports (21,22,53,80,443 etc) targeting one single IP address at a time with an intention to find the open ports on the target IP address. Typically, scan attempt is the first stage of reconnaissance in the attack life cycle.</br></br><br />
It is important to check the reputation of the external ip address and block the same if necessary. <br />
|-<br />
|Seqrite utm firewall successful host scan activity by malicious ip <br />
|This alert is triggered when the same malicious IP generates traffic to one destination IP on more than 10 different ports and every request is denied, and then the same malicious IP connects to the same destination IP on one more port and this time the connection succeeds. All of this happens within 1 minute.<br />
|A bad IP address sprays connection requests on multiple popular ports (21, 22, 53, 80, 443 etc.) against a single IP address at a time, with the intention of finding the open ports on the target. Typically, a scan attempt is the first stage of reconnaissance in the attack life cycle; here the attacker has also established a successful connection on an open port.</br></br> <br />
It is important to check the reputation of the external ip address and block the same if necessary.<br />
It is also important to verify the sanity of affected internal nodes by checking if any unwarranted system policy change or software configuration/updates have occurred during the affected time period. If required, quarantine the affected servers till the time the issues are resolved.<br />
|-<br />
|Seqrite utm firewall sweep scan attack by malicious ip<br />
|This alert is triggered when the same malicious IP generates traffic to more than 10 destination IPs and every request is denied, all within 1 minute.<br />
|Bad ip addresses tries to spray connection requests on one of the popular ports (21,22,53,80,443 etc) on multiple IP addresses with an intention to find which ports are opened on what IP addresses. Typically, scan attempt is the first stage of reconnaissance in the attack life cycle.</br></br><br />
It is important to check the reputation of the external ip address and block the same if necessary.<br />
|-<br />
|Seqrite utm firewall successful sweep scan activity by malicious ip<br />
|This alert is triggered when the same malicious IP generates traffic to more than 10 destination IPs and every request is denied, and then the same source IP connects to one more destination IP and this time the connection succeeds. All of this happens within 1 minute.<br />
|A bad IP address sprays connection requests on one of the popular ports (21, 22, 53, 80, 443 etc.) across multiple IP addresses, with the intention of finding which ports are open on which IP addresses. Typically, a scan attempt is the first stage of reconnaissance in the attack life cycle; here the attacker has found an open port on one of the IP addresses and was able to establish a connection.</br></br><br />
It is important to check the reputation of the external ip address and block the same if necessary.<br />
It is also important to verify the sanity of the affected internal nodes by checking whether any unwarranted system policy change or software configuration change/update occurred during the affected time period. If required, quarantine the affected servers until the issues are resolved.<br />
|-<br />
|Seqrite utm firewall successful sweep scan activity<br />
|This alert is triggered when the same source IP generates traffic to more than 10 destination IPs and every request is denied, and then the same source IP connects to one more destination IP and this time the connection succeeds. All of this happens within 1 minute.<br />
|An attacker sprays connection requests on one of the popular ports (21, 22, 53, 80, 443 etc.) across multiple IP addresses, with the intention of finding which ports are open on which IP addresses. Typically, a scan attempt is the first stage of reconnaissance in the attack life cycle; here the attacker has also established a successful connection to one of the IP addresses.</br></br><br />
It is important to check the reputation of the suspected IP address. <br />
If the suspected IP address is external, you may consider blocking it.<br />
If the suspected IP address is internal, you may need to verify the sanity of the corresponding device.<br />
It is also important to verify the sanity of the affected internal nodes by checking whether any unwarranted system policy change or software configuration change/update occurred during the affected time period. If required, quarantine the affected servers until the issues are resolved.<br />
This may be a false positive, for example a designated internal vulnerability scanner or asset discovery tool; white-list such known sources to suppress it. <br />
<br />
<br />
<br />
<br />
|}</div>Dhanashree kulkarnihttp://khika.com/wiki/index.php?title=KHIKA_App_for_Seqrite_Utm_Firewall&diff=3081KHIKA App for Seqrite Utm Firewall2020-04-07T10:01:53Z<p>Dhanashree kulkarni: /* Adding the device in the Adaptor */</p>
<hr />
<div>== Introduction ==<br />
Firewalls form an important part of organisations’ networks and hence monitoring your firewall is imperative.<br />
Seqrite UTM Firewall sends the traffic and user activity related information in the form of logs over syslog protocol. KHIKA Data Aggregator is pre-configured with syslog services on port 514.<br />
The key parts to get here are : <br />
#Enabling Syslog forwarding on the device.<br />
#Install the KHIKA App for SEQRITE UTM Firewall.<br />
#Get data from your SEQRITE UTM Firewall into KHIKA Aggregator.<br />
<br />
== Enabling Syslog forwarding on the device ==<br />
Please refer to the [https://www.seqrite.com/documents/en/manuals/Seqrite_UTM_Admin_Guide_2.2.pdf#Configur Seqrite UTM Firewall documentation], page no. 199, for enabling syslog on your Seqrite UTM Firewall.<br />
<br />
Example of Steps to forward Syslog to KHIKA Remote Syslog Server:<br />
<br />
Adding a remote syslog server</br><br />
1. Navigate to Logs and Reports > Settings > Remote Syslog Server.</br><br />
2. Click the + icon to add a new Syslog server. The Add server dialog box is displayed.</br><br />
3. Enter the name and IP address of the server.</br><br />
4. Enter the port number and select the type of protocol using which the log files would be<br />
sent to the Syslog server.</br><br />
5. The KHIKA Syslog Server typically listens on UDP port 514. Please use the UDP protocol and port 514 for log forwarding. Note that UDP syslog is neither encrypted nor authenticated and datagrams can be silently dropped under load, so keep the firewall-to-aggregator path on a trusted management network and, where possible, restrict the aggregator's listener to the firewall's source address.<br />
<br />
== Verifying SYSLOG data collection ==<br />
<br />
After you enable the syslog forwarding on the end device, you must verify if the logs are being really received by KHIKA Data Aggregator. Please refer [[Getting Data into KHIKA#Verifying syslog data collection|here]] to understand how to verify syslogs on KHIKA Data Aggregator.<br />
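A receiver-side check you can run on the aggregator host, added here as an example (it is not KHIKA's own verification tool): it listens on UDP 514 (an assumption matching the port configured above; binding it needs root), counts datagrams per source address, flags datagrams that do not start with a valid RFC 3164 <PRI> header, and reports any sender that is not one of the firewall addresses passed on the command line. That last check is what tells you the logs really come from your device and not from something else on the network.

```python
"""Check that syslog datagrams reach this host and come from the expected
firewall address(es).  Added example, not part of KHIKA.
Assumptions: the Seqrite UTM forwards RFC 3164-style lines over UDP 514, and
the expected source addresses are given on the command line."""
import socket
import sys
from collections import Counter

def parse_pri(data: bytes):
    """Return (facility, severity) from the leading <PRI> of a syslog datagram,
    or None if the datagram does not start with a well-formed PRI (<0>..<191>)."""
    if not data.startswith(b"<"):
        return None
    end = data.find(b">", 1, 5)          # PRI is 1 to 3 digits
    if end == -1 or not data[1:end].isdigit():
        return None
    pri = int(data[1:end])
    if pri > 191:
        return None
    return pri // 8, pri % 8

def collect(sock, count, timeout=5.0):
    """Receive up to `count` datagrams from `sock`.  Returns a Counter of
    datagrams per source host and a list of (host, first 40 bytes) for
    datagrams that are not valid syslog.  Stops early on timeout."""
    sock.settimeout(timeout)
    per_source = Counter()
    malformed = []
    for _ in range(count):
        try:
            data, (host, _port) = sock.recvfrom(65535)
        except (socket.timeout, TimeoutError):
            break
        per_source[host] += 1
        if parse_pri(data) is None:
            malformed.append((host, data[:40]))
    return per_source, malformed

def unexpected_sources(per_source, expected):
    """Hosts that sent syslog but are not on the allow-list: either a device
    that was pointed at the wrong collector, or something injecting log lines."""
    return sorted(set(per_source) - set(expected))

if __name__ == "__main__":
    expected = sys.argv[1:]              # e.g. python3 check_syslog.py 10.0.0.1
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.bind(("0.0.0.0", 514))         # needs root or CAP_NET_BIND_SERVICE
        counts, bad = collect(s, 20, timeout=30)
        print("datagrams per source:", dict(counts))
        print("malformed datagrams:", bad)
        print("unexpected sources:", unexpected_sources(counts, expected))
```

Run it only while the aggregator's own syslog service is stopped, or point a test forwarder at a spare port, since two processes cannot normally bind the same UDP port. A non-empty "unexpected sources" list is worth investigating before the data is trusted.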
<br />
== How to Install the KHIKA App for Seqrite UTM Firewall ? ==<br />
<br />
It is assumed, that you have already configured KHIKA Data Aggregator in your environment. If not, please read [[Getting Started with KHIKA SaaS#Installing and configuring KHIKA Data Aggregator|how to configure KHIKA Data Aggregator]] and perform the pre-requisite steps.<br />
<br />
This section explains how to pick and install the KHIKA application for Seqrite UTM Firewall. Installing the application puts together and activates the adapter (parser) that handles the Seqrite UTM Firewall data format, along with the preconfigured dashboards and alert rules.<br />
<br />
Go to “Applications” tab in the “Configure” menu. <br />
<br />
[[File:seqrite_applicationtab.JPG|700px]]<br />
<br />
Check whether the appropriate Workspace is selected.<br />
Note: Application is always loaded in a Workspace. Read the section on Workspaces to know more about KHIKA Workspaces.<br />
Also select your KHIKA aggregator name in the Node dropdown. <br />
This is to ensure that we are collecting data from the desired source and into the correct workspace which is ready with the configured application and components.<br />
<br />
[[File:seqrite_selectapp.JPG|700px]]<br />
<br />
Click on the “+” button. A pop up appears.<br />
<br />
[[File:seqrite_app_installation.JPG|700px]]<br />
<br />
User can now select the contents of the application required. For example, on the dropdown for “Reports”, click to expand it. List of all reports can be seen. User can individually select the reports required by checking on the checkbox next to each. Alternatively, check on “Select All” option to get all of them. <br />
Similarly you can select contents from Alerts and Dashboards. <br />
<br />
Visit the sections on [[KHIKA Reports| KHIKA Reports]], [[KHIKA Dashboards| KHIKA Dashboards]], [[KHIKA Alerts & Correlations| KHIKA Alerts & Correlations]] to know more about these topics.<br />
<br />
Click “OK” to proceed with the installation of the selected Application. <br />
After successful installation, following status should be displayed :<br />
<br />
[[File:seqrite_appinstallaton_successfull.JPG|700px]]<br />
<br />
This simple procedure to install a KHIKA App, automatically configures the Adapter (required for parsing the data from raw syslogs), calculated KHIKA reports on raw data, Visualizations, Dashboards and Alerts – all in one click.<br />
<br />
== Adding the device in the Adaptor ==<br />
After syslogs are enabled on the device and the App is installed into KHIKA, it is time to add the device to the App (in Adapter section of KHIKA Web GUI). Please refer [[Getting Data into KHIKA#Adding device details in the Adaptor|here]] to know [[Getting Data into KHIKA#Adding device details in the Adaptor|how to add the device to an App]].<br />
<br />
After the configuration changes in KHIKA, you must apply these changes to the Workspace. Go to Configure, select the Workspace and in Workspace tab of configure menu press the Apply button as shown in the screenshot below.<br />
<br />
[[File:seqrite_apply_configuration.jpg|800px]]<br />
<br />
<br />
Wait for a few minutes for the changes to apply and data to arrive in KHIKA. With all these steps done, we should now expect the data to arrive in KHIKA. Let's discover some live data in KHIKA.<br />
<br />
== How to check the output of KHIKA Seqrite UTM Firewall App ? ==<br />
<br />
===Discovering the logs of Seqrite UTM Firewall===<br />
After doing all the steps given above, we should start receiving live data into KHIKA. Go to "Discover" section in KHIKA GUI and select the index with name "*raw-seqrite_utm_firewall*". Note that the index has a prefix of the customer name and workspace name. After selecting this index, you should see the live data coming in. Spend some time understanding this data and the fields of the data.<br />
<br />
=== SEQRITE UTM Bandwidth Usage Dashboard===<br />
<br />
This Dashboard briefly explains the bandwidth consumption by user.<br />
<br />
==== Elements in the Dashboard are explained below : ====<br />
<br />
{| class="wikitable"<br />
|+ style="caption-side:bottom; color:#e76700;"|''Elements in "Seqrite UTM Bandwidth Usage" Dashboard''<br />
|-<br />
|'''Visualization'''<br />
|'''Description'''<br />
|-<br />
|Contribution of User<br />
|Contribution of top users present in the events. <br />
|-<br />
|User wise Max Total Usage<br />
|X axis : User(s) </br> Y axis : Total usage by the user.<br />
|-<br />
|User IP Address wise Max Daily Download<br />
|X axis : User IP(s) </br> Y axis : Max of Daily Download by the User IP.<br />
|-<br />
|User IP Address wise Max Daily Upload<br />
|X axis : User IP(s) </br> Y axis : Max of Daily Upload by the user IP.<br />
|-<br />
|Daily trend<br />
|Trend of bandwidth events over time. Useful to identify unusual spikes at a glance. <br/><br/>X axis : date & time <br/>Y axis : count of events<br />
|-<br />
|Summary Table<br />
|Detailed data with timestamp and count<br />
<br />
|}<br />
<br />
==== A suggestion for useful interaction with this dashboard could be : ====<br />
<br />
#Click on a "User" in the Contribution of User donut chart. This selection is reflected in all the visualizations. The next visualization, "User wise Max Total Usage", shows the maximum total usage by that user. "User IP Address wise Max Daily Download" shows the maximum daily download per user IP related to the selected user. Detailed information can be seen in the "Summary Table".<br />
<br />
=== SEQRITE UTM Intrusion Prevention Dashboard===<br />
<br />
This dashboard shows a summary of Intrusion Prevention events.<br />
<br />
==== Elements in the Dashboard are explained below : ====<br />
<br />
{| class="wikitable"<br />
|+ style="caption-side:bottom; color:#e76700;"|''Elements in "SEQRITE UTM Intrusion Prevention" Dashboard''<br />
|-<br />
|'''Visualization'''<br />
|'''Description'''<br />
|-<br />
|Contribution Of Intrusion Signature<br />
|Contribution of different Intrusion Signatures present in the events.<br />
|-<br />
|Contribution Of Destination IP<br />
|Contribution of different Destination IP(s)<br />
|-<br />
|Contribution Of Destination Port<br />
|Contribution of Destination Port(s) like on which port the communication took place.<br />
|-<br />
|Contribution Of Source IP<br />
|Contribution of Source IP(s) from where the communication initiated.<br />
|-<br />
|Daily trend<br />
|Trend of events related to Intrusion Prevention over time. Useful to identify unusual spikes at a glance. <br/><br/>X axis : date & time <br/>Y axis : count of events<br />
|-<br />
|Summary Table<br />
|Detailed data with timestamp and count<br />
<br />
|}<br />
<br />
==== A suggestion for useful interaction with this dashboard could be : ====<br />
<br />
#Click on a Source IP in "Contribution Of Source IP". This selection is reflected in all the visualizations present in the dashboard. In "Contribution Of Destination IP" we can see the destination(s) in communication with the selected Source IP. Similarly, "Contribution Of Intrusion Signature" displays the Intrusion Signatures captured in the events for the selected fields. Detailed information for this dashboard can be seen in the Summary Table.<br />
<br />
=== SEQRITE UTM Malicious Communication Dashboard===<br />
<br />
This dashboard shows a brief summary of the malicious communication happening in our network.<br />
<br />
==== Elements in the Dashboard are explained below : ====<br />
<br />
{| class="wikitable"<br />
|+ style="caption-side:bottom; color:#e76700;"|''Elements in "SEQRITE UTM Malicious Communication" Dashboard''<br />
|-<br />
|'''Visualization'''<br />
|'''Description'''<br />
|-<br />
|Contribution of Action<br />
|Contribution of Different Actions present in the Communication.<br />
|-<br />
|Contribution of Malicious IP<br />
|Contribution of Top Malicious IP(s) present in the communication.<br />
|-<br />
|Contribution of Source IP<br />
|Contribution of Top Source IP(s) present in the communication.<br />
|-<br />
|Contribution Of Destination IP<br />
|Contribution of Top Destination IP(s) present in the communications.<br />
|-<br />
|Daily trend<br />
|Trend of Malicious Communication related events over time. Useful to identify unusual spikes at a glance. <br/><br/>X axis : date & time <br/>Y axis : count of events<br />
|-<br />
|Summary Table<br />
|Detailed data with timestamp and count<br />
<br />
|}<br />
<br />
==== A suggestion for useful interaction with this dashboard could be : ====<br />
<br />
#Click on a "Malicious IP" in the Contribution of Malicious IP donut chart. This selection is reflected in all the visualizations. The Contribution of Action visualization then shows whether the connection was actually established (accepted) or denied. To drill down further, check the source and destination IP(s) of the communication to see whether the connection was inbound or outbound.<br />
Example : if the Malicious IP equals the Source IP, the connection is inbound; if the Malicious IP equals the Destination IP, the connection is outbound.<br />
<br />
=== SEQRITE UTM Policy Breach Attempts Dashboard===<br />
<br />
This dashboard shows a summary of policy breach attempts.<br />
<br />
==== Elements in the Dashboard are explained below : ====<br />
<br />
{| class="wikitable"<br />
|+ style="caption-side:bottom; color:#e76700;"|''Elements in "SEQRITE UTM Policy Breach Attempts" Dashboard''<br />
|-<br />
|'''Visualization'''<br />
|'''Description'''<br />
|-<br />
|Contribution of User IP<br />
|Contribution of Top User IP(s) present in the events.<br />
|-<br />
|Category wise URL<br />
|X Axis : Different types of Categories. <br/> Y Axis : Category wise URL(s)<br />
|-<br />
|Contribution of User Name<br />
|Contribution of top User Names present in the events. <br />
|-<br />
|Contribution of User Group<br />
|Contribution of different User Groups present.<br />
|-<br />
|Daily trend<br />
|Trend of Policy Breach Attempt related events over time. Useful to identify unusual spikes at a glance. <br/><br/>X axis : date & time <br/>Y axis : count of events<br />
|-<br />
|Summary Table<br />
|Detailed data with timestamp and count<br />
<br />
|}<br />
<br />
==== A suggestion for useful interaction with this dashboard could be : ====<br />
<br />
#This dashboard can be used to check attempts made by users that might break the organization's policies. Click on any User in the Contribution Of User Name visualization. This selection is reflected in all the visualizations. In Category wise URL, we can check the category-wise URL(s) visited by the user that are not allowed as per the policy. Similarly, in Contribution of User IP we can see the IP used by the user. For detailed information about the communication, use the Summary Table.<br />
<br />
=== SEQRITE_UTM-Website Category Wise URL Access Dashboard===<br />
<br />
This dashboard shows the distribution of websites accessed, by category.<br />
<br />
==== Elements in the Dashboard are explained below : ====<br />
<br />
{| class="wikitable"<br />
|+ style="caption-side:bottom; color:#e76700;"|''Elements in "SEQRITE_UTM-Website Category Wise URL Access" Dashboard''<br />
|-<br />
|'''Visualization'''<br />
|'''Description'''<br />
|-<br />
|Contribution of User<br />
|Top User(s) present in the events.<br />
|-<br />
|Contribution of IP Address<br />
|Top IP Address present in the events.<br />
|-<br />
|Category wise URL<br />
|X Axis : Types of Website Categories </br> Y Axis : Category wise URL<br />
|-<br />
|Daily trend<br />
|Trend of events over time. Useful to identify unusual spikes at a glance. <br/><br/>X axis : date & time <br/>Y axis : count of events<br />
|-<br />
|Summary Table<br />
|Detailed data with timestamp and count<br />
<br />
|}<br />
<br />
==== A suggestion for useful interaction with this dashboard could be : ====<br />
<br />
#This dashboard can be used to learn which URLs and categories are accessed by users. Click on a User or IP Address for deeper investigation; all the visualizations in the dashboard are updated accordingly. The "Category wise URL" section shows each category and the URLs visited in that category for the selected User/Source IP. For detailed information, use the Summary Table.<br />
<br />
=== Seqrite UTM Firewall Alerts ===<br />
<br />
Alerts are generated when certain critical behavior is observed in the system. Alerts can be monitored in real-time on Alerts Dashboard in KHIKA. Relevant stakeholders can also receive the alerts via emails. The table below explains all the pre-canned alerts shipped with KHIKA App for Seqrite UTM Firewall.<br />
<br />
==== Alerts Description ====<br />
<br />
{| class="wikitable"<br />
|+ style="caption-side:bottom; color:#e76700;"|''Alert Details Table''<br />
|-<br />
|'''Alert Name'''<br />
|'''Description'''<br />
|'''Suggested Resolution'''<br />
|-<br />
|Seqrite utm firewall sweep scan attack<br />
|This alert is triggered when the same source IP generates traffic to more than 10 destination IPs and every request is denied, all within 1 minute.<br />
|An attacker tries to spray connection requests on one of the popular ports (21,22,53,80,443 etc) on multiple IP addresses with an intention to find which ports are opened on what IP addresses. Typically, scan attempt is the first stage of reconnaissance in the attack life cycle.</br></br><br />
Unless it is a known and legitimate IP address performing scan, it is important to block this IP. You may white-list the known IP addresses (such as designated Vulnerability Scanner, Asset Discovery Tools etc), so as to suppress the false positives.<br />
|-<br />
|Seqrite utm firewall host scan activity<br />
|This alert is triggered when the same source IP generates traffic to the same destination IP on more than 10 destination ports and every request is denied, all within 1 minute.<br />
|An attacker sprays connection requests on multiple popular ports (21, 22, 53, 80, 443 etc.) against a single IP address at a time, with the intention of finding the open ports on that target. Typically, a scan attempt is the first stage of reconnaissance in the attack life cycle.</br></br><br />
Unless it is a known and legitimate IP address performing the scan, it is important to block this IP. You may white-list the known IP addresses (such as designated Vulnerability Scanner, Asset Discovery Tools etc), so as to suppress the false positives.<br />
|-<br />
|Seqrite utm firewall communication with possible ioc or bad ip<br />
|This alert is triggered when any one of the Source or Destination IP is found malicious with accepted action<br />
|KHIKA shares community based threat intelligence (TI) every 24 hours. TI has list of IP addresses with bad reputation. Every bad IP is marked with number of communities reporting it, name of each community and confidence indicating how confident are we about the reputation. This alert is generated when communication with a bad IP is let through.</br></br><br />
If communication with a bad IP is happening, it must be blocked immediately as it could be a possible attack or data exfiltration. <br />
You can check how log this communication is happening by simply searching the malicious IP in the logs. You can also check what internal IP addresses are communicating with this IP addresses and track the real users behind those internal IP addresses.<br />
Cross-check the reputation of the IP with popular websites such as ipvoid.com, virustotal.com<br />
If you see an internal IP constantly getting involved in malicious communication (with same or multiple external IP addresses), you may install agents on the internal nodes involved and check the real user and process responsible for this communication.<br />
It is critical to block this rogue communication.<br />
|-<br />
|Seqrite utm firewall seqrite backdoor activity<br />
|This alert is triggered when traffic is generated from internal machine on vulnerable ports(3127,3198,6129,7080).<br />
|This event indicates that a traffic is generated from internal machine on vulnerable ports(3127,3198,6129,7080). Typically, these ports are used by attacker to exploit vulnerable programs listening on these ports. </br></br><br />
Check is these ports are open and on what servers. Do you really need these ports opened?<br />
Check what programs are running on these ports. Check vulnerability reports of the applications<br />
Block these ports for external traffic, unless mandatory to keep them opened.<br />
If you have to keep any of these ports opened, try to restrict the access to legitimate IPs.<br />
If you get a suspicious IP repetitively trying to access these port, block the IP. Check the reputation of the IP on popular website such as ipvoid.com, virustotal.com etc. <br />
|-<br />
|Seqrite utm firewall host communicating with multiple malicious hosts within 1 hour<br />
|This alert is triggered when any one of the internal hosts is communicating with two or more external hosts with bad reputation.<br />
|KHIKA shares community based threat intelligence (TI) every 24 hours. TI has list of IP addresses with bad reputation. Every bad IP is marked with number of communities reporting it, name of each community and confidence indicating how confident are we about the reputation. This alert is generated when same internal ip communicates with multiple malicious IPs.</br></br><br />
If communication with a bad IP is happening, it must be blocked immediately as it could be a possible attack or data exfiltration. <br />
You can check how log this communication is happening by simply searching the malicious IP in the logs. You can also check what internal IP addresses are communicating with this IP addresses and track the real users behind those internal IP addresses.<br />
Cross-check the reputation of the IP with popular websites such as ipvoid.com, virustotal.com<br />
If you see an internal IP constantly getting involved in malicious communication (multiple external IP addresses), you may install agents on the internal nodes involved and check the real user and process responsible for this communication.<br />
It is critical to block this rogue communication.<br />
|-<br />
|Seqrite utm firewall policy breach attempts<br />
|This alert is triggered when there is a attempt of policy breach from internal hosts.<br />
|This event indicates that a traffic is generated from internal host which might violet the organization's policy.Category of the URLs visited by the user is present in the events.Depending on the category,Some firewall rules are predefined in the organization which states which categories should be accessible to the users/user groups.</br></br>If you see any User/IP_address constantly communicating with the URL(s) with category which are not allowed as per the organization's policy,You may want to take appropriate action on the user or if required quarantine the host.<br />
|-<br />
|Seqrite utm firewall communication between multiple Internal hosts and single malicious ip<br />
|This alert is triggered when communication happens between two or more internal hosts and distinct external host with bad reputation.<br />
|KHIKA shares community based threat intelligence (TI) every 24 hours. TI has list of IP addresses with bad reputation. Every bad IP is marked with number of communities reporting it, name of each community and confidence indicating how confident are we about the reputation. This alert is generated communication happens between multiple internal hosts and same external malicious ip.</br></br><br />
If communication with a bad IP is happening, it must be blocked immediately as it could be a possible attack or data exfiltration. <br />
You can check how log this communication is happening by simply searching the malicious IP in the logs. You can also check what internal IP addresses are communicating with this IP addresses and track the real users behind those internal IP addresses.<br />
Cross-check the reputation of the IP with popular websites such as ipvoid.com, virustotal.com<br />
If you see an internal IP constantly getting involved in malicious communication (with same external IP address), you may install agents on the internal nodes involved and check the real user and process responsible for this communication.<br />
It is critical to block this rogue communication.<br />
|-<br />
|Seqrite utm firewall communication with suspicious ip<br />
|This alert is triggered when bytes are sent and received during communication with malicious ip within 1 minute.<br />
|Communication with a bad IP is happening, it must be blocked immediately as it could be a possible attack or data exfiltration. <br />
You can check the log for this communication by simply searching the malicious IP in the logs. You can also check which internal IP addresses are communicating with this IP address and track the real users behind those internal IP addresses.</br></br><br />
If you see an internal IP constantly getting involved in malicious communication (with same or multiple external IP addresses), you may install agents on the internal nodes involved and check the real user and process responsible for this communication.<br />
If required, quarantine the affected internal servers till the time the issues are resolved.<br />
|-<br />
|Seqrite utm firewall host scan activity by malicious ip<br />
|This alert is triggered when same malicious ip is trying to generate traffic for one destination ip on more than 10 different ports within 1 minute and the request is denied.<br />
|Bad ip address tries to spray connection requests on multiple popular ports (21,22,53,80,443 etc) targeting one single IP address at a time with an intention to find the open ports on the target IP address. Typically, scan attempt is the first stage of reconnaissance in the attack life cycle.</br></br><br />
It is important to check the reputation of the external ip address and block the same if necessary. <br />
|-<br />
|Seqrite utm firewall successful host scan activity by malicious ip <br />
|This alert is triggered when same malicious ip is trying to generate traffic for one destination ip on more than 10 different ports, but all the time request is denied .After that same malicious ip attempt to connect to same destination ip on one more port and this time it successfully connected on that port. All this happen within 1 minute.<br />
|Bad ip address tries to spray connection requests on multiple popular ports (21,22,53,80,443 etc) targeting one single IP addresses at a time with an intention to find the open ports on the target IP address. Typically, scan attempt is the first stage of reconnaissance in the attack life cycle and attacker done successful connection on open ports.</br></br> <br />
It is important to check the reputation of the external ip address and block the same if necessary.<br />
It is also important to verify the sanity of affected internal nodes by checking if any unwarranted system policy change or software configuration/updates have occurred during the affected time period. If required, quarantine the affected servers till the time the issues are resolved.<br />
|-<br />
|Seqrite utm firewall sweep scan attack by malicious ip<br />
|This alert is triggered when same malicious ip is trying to generate traffic on more than 10 destination ip but all the time request is denied . All this happens within 1 minute.<br />
|Bad ip addresses tries to spray connection requests on one of the popular ports (21,22,53,80,443 etc) on multiple IP addresses with an intention to find which ports are opened on what IP addresses. Typically, scan attempt is the first stage of reconnaissance in the attack life cycle.</br></br><br />
It is important to check the reputation of the external ip address and block the same if necessary.<br />
|-<br />
|Seqrite utm firewall successful sweep scan activity by malicious ip<br />
|This alert is triggered when same malicious ip is trying to generate traffic on more than 10 destination ip but all the time request is denied .After that same source ip attempts to connect to one more destination ip and this time it successfully connects. All this happen within 1 minute.<br />
|Bad ip address tries to spray connection requests on one of the popular ports (21,22,53,80,443 etc) on multiple IP addresses with an intention to find which ports are opened on what IP addresses. Typically, scan attempt is the first stage of reconnaissance in the attack life cycle and attacker finds open port on one of ip addresses and is able to establish a connection.</br></br><br />
It is important to check the reputation of the external ip address and block the same if necessary.<br />
It is also important to verify the sanity of affected internal nodes by checking if any unwarranted system policy change or software configuration/updates have occured during the affected time period. If required, quarantine the affected servers till the time the issues are resolved.<br />
|-<br />
|Seqrite utm firewall successful sweep scan activity<br />
|This alert is triggered when same source ip is trying to generate traffic on more than 10 destination ip but all the time request is denied .After that same source ip attempts to connect one more destination ip and this time it successfully connects. All this happen within 1 minute.<br />
|Attacker tries to spray connection requests on one of the popular ports (21,22,53,80,443 etc) on multiple IP addresses with an intention to find which ports are opened on what IP addresses. Typically, scan attempt is the first stage of reconnaissance in the attack life cycle and attacker done successful connection on one of ip addresses </br></br><br />
It is important to check the reputation of the suspected ip address. <br />
If the suspected ip address is external, you may consider blocking it.<br />
If the suspected ip address is internal, you may need to verify the sanity of the corresponding device<br />
It is also important to verify the sanity of affected internal nodes by checking if any unwarranted system policy change or software configuration/updates have occured during the affected time period. If required, quarantine the affected servers till the time the issues are resolved.<br />
This may be a false positve. <br />
<br />
<br />
<br />
<br />
|}</div>Dhanashree kulkarnihttp://khika.com/wiki/index.php?title=KHIKA_App_for_Seqrite_Utm_Firewall&diff=3080KHIKA App for Seqrite Utm Firewall2020-04-07T10:00:00Z<p>Dhanashree kulkarni: /* Adding the device in the Adaptor */</p>
<hr />
<div>== Introduction ==<br />
Firewalls form an important part of an organisation's network, and hence monitoring your firewall is imperative.<br />
Seqrite UTM Firewall sends traffic and user activity information in the form of logs over the syslog protocol. KHIKA Data Aggregator is pre-configured with syslog services on port 514.<br />
The key steps are:<br />
#Enable syslog forwarding on the device.<br />
#Install the KHIKA App for SEQRITE UTM Firewall.<br />
#Get data from your SEQRITE UTM Firewall into the KHIKA Aggregator.<br />
<br />
== Enabling Syslog forwarding on the device ==<br />
Please refer to the [https://www.seqrite.com/documents/en/manuals/Seqrite_UTM_Admin_Guide_2.2.pdf#Configur Seqrite UTM Firewall documentation], page 199, for enabling syslog on your Seqrite UTM Firewall.<br />
<br />
Example of Steps to forward Syslog to KHIKA Remote Syslog Server:<br />
<br />
Adding a remote syslog server<br/><br />
1. Navigate to Logs and Reports > Settings > Remote Syslog Server.<br/><br />
2. Click the + icon to add a new Syslog server. The Add server dialog box is displayed.<br/><br />
3. Enter the name and IP address of the server.<br/><br />
4. Enter the port number and select the protocol over which the log files will be sent to the Syslog server.<br/><br />
5. KHIKA Syslog Server typically listens on UDP port 514. Please use the UDP protocol and port 514 for log forwarding.<br />
<br />
== Verifying SYSLOG data collection ==<br />
<br />
After you enable syslog forwarding on the end device, you must verify that the logs are actually being received by KHIKA Data Aggregator. Please refer [[Getting Data into KHIKA#Verifying syslog data collection|here]] to understand how to verify syslogs on KHIKA Data Aggregator.<br />
<br />
== How to Install the KHIKA App for Seqrite UTM Firewall ? ==<br />
<br />
It is assumed that you have already configured KHIKA Data Aggregator in your environment. If not, please read [[Getting Started with KHIKA SaaS#Installing and configuring KHIKA Data Aggregator|how to configure KHIKA Data Aggregator]] and perform the pre-requisite steps.<br />
<br />
This section explains how to pick and install the KHIKA application for Seqrite UTM Firewall. Installing the application puts together and activates the adapter (parser) that handles the Seqrite UTM Firewall data format, along with the preconfigured dashboards and alert rules.<br />
<br />
Go to “Applications” tab in the “Configure” menu. <br />
<br />
[[File:seqrite_applicationtab.JPG|700px]]<br />
<br />
Check whether the appropriate Workspace is selected.<br />
Note: An Application is always loaded in a Workspace. Read the section on Workspaces to know more about KHIKA Workspaces.<br />
Also select your KHIKA aggregator name in the Node dropdown.<br />
This ensures that data is collected from the desired source into the correct workspace, which is ready with the configured application and components.<br />
<br />
[[File:seqrite_selectapp.JPG|700px]]<br />
<br />
Click on the “+” button. A pop up appears.<br />
<br />
[[File:seqrite_app_installation.JPG|700px]]<br />
<br />
You can now select the contents of the application you require. For example, click the "Reports" dropdown to expand it; the list of all reports can be seen. Select the reports you need individually by checking the checkbox next to each, or check the "Select All" option to get all of them.<br />
Similarly, you can select contents from Alerts and Dashboards.<br />
<br />
Visit the sections on [[KHIKA Reports| KHIKA Reports]], [[KHIKA Dashboards| KHIKA Dashboards]], [[KHIKA Alerts & Correlations| KHIKA Alerts & Correlations]] to know more about these topics.<br />
<br />
Click “OK” to proceed with the installation of the selected Application. <br />
After successful installation, the following status should be displayed:<br />
<br />
[[File:seqrite_appinstallaton_successfull.JPG|700px]]<br />
<br />
This simple procedure to install a KHIKA App automatically configures the Adapter (required for parsing the data from raw syslogs), the KHIKA reports calculated on the raw data, the Visualizations, the Dashboards and the Alerts, all in one click.<br />
<br />
== Adding the device in the Adaptor ==<br />
After syslogs are enabled on the device and the App is installed into KHIKA, it is time to add the device to this App (in the Adapter section of the KHIKA Web GUI). Please refer [[Getting Data into KHIKA#Adding device details in the Adaptor|here]] to know [[Getting Data into KHIKA#Adding device details in the Adaptor|how to add the device to an App]].<br />
<br />
After making these configurations in KHIKA, you must apply the changes to the Workspace. Go to Configure, select the Workspace, and in the Workspace tab of the Configure menu press the Apply button as shown in the screenshot below.<br />
<br />
[[File:seqrite_apply_configuration.jpg|800px]]<br />
<br />
<br />
Wait a few minutes for the changes to apply and data to arrive in KHIKA. With all these steps done, data should now be arriving in KHIKA. Let's discover some live data in KHIKA.<br />
<br />
== How to check the output of KHIKA Seqrite UTM Firewall App ? ==<br />
<br />
===Discovering the logs of Seqrite UTM Firewall===<br />
After completing all the steps above, we should start receiving live data into KHIKA. Go to the "Discover" section in the KHIKA GUI and select the index named "*raw-seqrite_utm_firewall*". Note that the index name is prefixed with the customer name and workspace name. After selecting this index, you should see the live data coming in. Spend some time understanding this data and its fields.<br />
<br />
=== SEQRITE UTM Bandwidth Usage Dashboard===<br />
<br />
This Dashboard briefly explains the bandwidth consumption by user.<br />
<br />
==== Elements in the Dashboard are explained below : ====<br />
<br />
{| class="wikitable"<br />
|+ style="caption-side:bottom; color:#e76700;"|''Elements in "Seqrite UTM Bandwidth Usage" Dashboard''<br />
|-<br />
|'''Visualization'''<br />
|'''Description'''<br />
|-<br />
|Contribution of User<br />
|Contribution of top users present in the events. <br />
|-<br />
|User wise Max Total Usage<br />
|X axis : User(s) <br/> Y axis : Total usage by the user.<br />
|-<br />
|User IP Address wise Max Daily Download<br />
|X axis : User IP(s) <br/> Y axis : Max of Daily Download by the User IP.<br />
|-<br />
|User IP Address wise Max Daily Upload<br />
|X axis : User IP(s) <br/> Y axis : Max of Daily Upload by the User IP.<br />
|-<br />
|Daily trend<br />
|Trend of bandwidth events over time. Useful to identify unusual spikes at a glance. <br/><br/>X axis : date & time <br/>Y axis : count of events<br />
|-<br />
|Summary Table<br />
|Detailed data with timestamp and count<br />
<br />
|}<br />
<br />
==== A suggestion for useful interaction with this dashboard could be : ====<br />
<br />
#Click on a "User" in the Contribution of User donut chart. This selection will be reflected in all the visualizations accordingly. In the next visualization, "User wise Max Total Usage", we can see the max of total usage by that user. "User IP Address wise Max Daily Download" shows the user-IP-wise max daily download related to the selected user. Detailed information can be seen in the "Summary Table".<br />
<br />
=== SEQRITE UTM Intrusion Prevention Dashboard===<br />
<br />
This dashboard shows a summary of Intrusion Prevention events.<br />
<br />
==== Elements in the Dashboard are explained below : ====<br />
<br />
{| class="wikitable"<br />
|+ style="caption-side:bottom; color:#e76700;"|''Elements in "SEQRITE UTM Intrusion Prevention" Dashboard''<br />
|-<br />
|'''Visualization'''<br />
|'''Description'''<br />
|-<br />
|Contribution Of Intrusion Signature<br />
|Contribution of different Intrusion Signatures present in the events.<br />
|-<br />
|Contribution Of Destination IP<br />
|Contribution of different Destination IP(s)<br />
|-<br />
|Contribution Of Destination Port<br />
|Contribution of Destination Port(s), i.e. on which ports the communication took place.<br />
|-<br />
|Contribution Of Source IP<br />
|Contribution of Source IP(s) from which the communication was initiated.<br />
|-<br />
|Daily trend<br />
|Trend of events related to Intrusion Prevention over time. Useful to identify unusual spikes at a glance. <br/><br/>X axis : date & time <br/>Y axis : count of events<br />
|-<br />
|Summary Table<br />
|Detailed data with timestamp and count<br />
<br />
|}<br />
<br />
==== A suggestion for useful interaction with this dashboard could be : ====<br />
<br />
#Click on a Source IP in "Contribution Of Source IP". This selection will be reflected in all the visualizations present in the dashboard accordingly. In "Contribution Of Destination IP" we can see the destination(s) in communication with the selected Source IP. Similarly, "Contribution Of Intrusion Signature" will display the Intrusion Signatures captured in the events for the selected fields. Detailed information related to this dashboard can be seen in the Summary Table.<br />
<br />
=== SEQRITE UTM Malicious Communication Dashboard===<br />
<br />
This dashboard shows a brief summary of the malicious communication happening in our network.<br />
<br />
==== Elements in the Dashboard are explained below : ====<br />
<br />
{| class="wikitable"<br />
|+ style="caption-side:bottom; color:#e76700;"|''Elements in "SEQRITE UTM Malicious Communication" Dashboard''<br />
|-<br />
|'''Visualization'''<br />
|'''Description'''<br />
|-<br />
|Contribution of Action<br />
|Contribution of Different Actions present in the Communication.<br />
|-<br />
|Contribution of Malicious IP<br />
|Contribution of Top Malicious IP(s) present in the communication.<br />
|-<br />
|Contribution of Source IP<br />
|Contribution of Top Source IP(s) present in the communication.<br />
|-<br />
|Contribution Of Destination IP<br />
|Contribution of Top Destination IP(s) present in the communications.<br />
|-<br />
|Daily trend<br />
|Trend of Malicious Communication related events over time. Useful to identify unusual spikes at a glance. <br/><br/>X axis : date & time <br/>Y axis : count of events<br />
|-<br />
|Summary Table<br />
|Detailed data with timestamp and count<br />
<br />
|}<br />
<br />
==== A suggestion for useful interaction with this dashboard could be : ====<br />
<br />
#Click on a "Malicious IP" in the Contribution of Malicious IP donut chart. This selection will be reflected in all the visualizations accordingly. Check the action in the Contribution of Action visualization to see whether the connection was successfully established or not. To drill down further, check the source and destination IP(s) in the communication to determine whether the connection was inbound or outbound.<br />
Example: if the Malicious IP and the Source IP are the same, the connection is inbound; if the Malicious IP and the Destination IP are the same, the connection is outbound.<br />
<br />
=== SEQRITE UTM Policy Breach Attempts Dashboard===<br />
<br />
This dashboard shows a summary of policy breach attempts.<br />
<br />
==== Elements in the Dashboard are explained below : ====<br />
<br />
{| class="wikitable"<br />
|+ style="caption-side:bottom; color:#e76700;"|''Elements in "SEQRITE UTM Policy Breach Attempts" Dashboard''<br />
|-<br />
|'''Visualization'''<br />
|'''Description'''<br />
|-<br />
|Contribution of User IP<br />
|Contribution of Top User IP(s) present in the events.<br />
|-<br />
|Category wise URL<br />
|X Axis : Different types of Categories. <br/> Y Axis : Category wise URL(s)<br />
|-<br />
|Contribution of User Name<br />
|Contribution of top User Names present in the events. <br />
|-<br />
|Contribution of User Group<br />
|Contribution of different User Groups present.<br />
|-<br />
|Daily trend<br />
|Trend of Policy Breach Attempt related events over time. Useful to identify unusual spikes at a glance. <br/><br/>X axis : date & time <br/>Y axis : count of events<br />
|-<br />
|Summary Table<br />
|Detailed data with timestamp and count<br />
<br />
|}<br />
<br />
==== A suggestion for useful interaction with this dashboard could be : ====<br />
<br />
#This dashboard can be used to check attempts made by users which might break the policies of the organization. Click on any User in the Contribution Of User Name visualization. This selection will be reflected in all the visualizations accordingly. In Category wise URL, we can check the category-wise URL(s) visited by the user that are not allowed to be visited as per the policy. Similarly, in Contribution of User IP we can see the IP used by the user. For detailed information related to the communication, use the Summary Table.<br />
<br />
=== SEQRITE_UTM-Website Category Wise URL Access Dashboard===<br />
<br />
This dashboard shows the distribution of websites accessed, by category.<br />
<br />
==== Elements in the Dashboard are explained below : ====<br />
<br />
{| class="wikitable"<br />
|+ style="caption-side:bottom; color:#e76700;"|''Elements in "SEQRITE_UTM-Website Category Wise URL Access" Dashboard''<br />
|-<br />
|'''Visualization'''<br />
|'''Description'''<br />
|-<br />
|Contribution of User<br />
|Top User(s) present in the events.<br />
|-<br />
|Contribution of IP Address<br />
|Top IP Address present in the events.<br />
|-<br />
|Category wise URL<br />
|X Axis : Types of Website Categories <br/> Y Axis : Category wise URL<br />
|-<br />
|Daily trend<br />
|Trend of events over time. Useful to identify unusual spikes at a glance. <br/><br/>X axis : date & time <br/>Y axis : count of events<br />
|-<br />
|Summary Table<br />
|Detailed data with timestamp and count<br />
<br />
|}<br />
<br />
==== A suggestion for useful interaction with this dashboard could be : ====<br />
<br />
#This dashboard can be used to learn which URLs and categories are accessed by users. Click on a User or IP Address for deeper investigation; all the visualizations present in the dashboard will reflect the selection accordingly. The "Category wise URL" section will show the category and the URLs visited in that category for the selected User/Source IP. For detailed information, use the Summary Table.<br />
<br />
=== Seqrite UTM Firewall Alerts ===<br />
<br />
Alerts are generated when certain critical behavior is observed in the system. Alerts can be monitored in real-time on Alerts Dashboard in KHIKA. Relevant stakeholders can also receive the alerts via emails. The table below explains all the pre-canned alerts shipped with KHIKA App for Seqrite UTM Firewall.<br />
<br />
==== Alerts Description ====<br />
<br />
{| class="wikitable"<br />
|+ style="caption-side:bottom; color:#e76700;"|''Alert Details Table''<br />
|-<br />
|'''Alert Name'''<br />
|'''Description'''<br />
|'''Suggested Resolution'''<br />
|-<br />
|Seqrite utm firewall sweep scan attack<br />
|This alert is triggered when same source ip is trying to generate traffic on more than 10 destination ip but all the time request is denied .All this happen within 1 minute.<br />
|An attacker tries to spray connection requests on one of the popular ports (21,22,53,80,443 etc) on multiple IP addresses with an intention to find which ports are opened on what IP addresses. Typically, scan attempt is the first stage of reconnaissance in the attack life cycle.</br></br><br />
Unless it is a known and legitimate IP address performing scan, it is important to block this IP. You may white-list the known IP addresses (such as designated Vulnerability Scanner, Asset Discovery Tools etc), so as to suppress the false positives.<br />
|-<br />
|Seqrite utm firewall host scan activity<br />
|This alert is triggered when same source ip is trying to generate traffic on same destination ip on more than 10 destination port but all the time request is denied .All this happen within 1 minute.<br />
|An attacker tries to spray connection requests on multiple popular ports (21,22,53,80,443 etc) targeting one single IP addresses at a time with an intention to find the open ports on the target IP address. Typically, scan attempt is the first stage of reconnaissance in the attack life cycle.</br></br><br />
Unless it is a known and legitimate IP address performing the scan, it is important to block this IP. You may white-list the known IP addresses (such as designated Vulnerability Scanner, Asset Discovery Tools etc), so as to suppress the false positives.<br />
|-<br />
|Seqrite utm firewall communication with possible ioc or bad ip<br />
|This alert is triggered when any one of the Source or Destination IP is found malicious with accepted action<br />
|KHIKA shares community based threat intelligence (TI) every 24 hours. TI has list of IP addresses with bad reputation. Every bad IP is marked with number of communities reporting it, name of each community and confidence indicating how confident are we about the reputation. This alert is generated when communication with a bad IP is let through.</br></br><br />
If communication with a bad IP is happening, it must be blocked immediately as it could be a possible attack or data exfiltration. <br />
You can check how log this communication is happening by simply searching the malicious IP in the logs. You can also check what internal IP addresses are communicating with this IP addresses and track the real users behind those internal IP addresses.<br />
Cross-check the reputation of the IP with popular websites such as ipvoid.com, virustotal.com<br />
If you see an internal IP constantly getting involved in malicious communication (with same or multiple external IP addresses), you may install agents on the internal nodes involved and check the real user and process responsible for this communication.<br />
It is critical to block this rogue communication.<br />
|-<br />
|Seqrite utm firewall seqrite backdoor activity<br />
|This alert is triggered when traffic is generated from internal machine on vulnerable ports(3127,3198,6129,7080).<br />
|This event indicates that a traffic is generated from internal machine on vulnerable ports(3127,3198,6129,7080). Typically, these ports are used by attacker to exploit vulnerable programs listening on these ports. </br></br><br />
Check is these ports are open and on what servers. Do you really need these ports opened?<br />
Check what programs are running on these ports. Check vulnerability reports of the applications<br />
Block these ports for external traffic, unless mandatory to keep them opened.<br />
If you have to keep any of these ports opened, try to restrict the access to legitimate IPs.<br />
If you get a suspicious IP repetitively trying to access these port, block the IP. Check the reputation of the IP on popular website such as ipvoid.com, virustotal.com etc. <br />
|-<br />
|Seqrite utm firewall host communicating with multiple malicious hosts within 1 hour<br />
|This alert is triggered when any one of the internal hosts communicates with two or more external hosts with bad reputation within 1 hour.<br />
|KHIKA shares community-based threat intelligence (TI) every 24 hours. The TI feed is a list of IP addresses with bad reputation. Every bad IP is marked with the number of communities reporting it, the name of each community and a confidence score for the reputation. This alert is generated when the same internal IP communicates with multiple malicious IPs.</br></br><br />
If communication with a bad IP is happening, it must be blocked immediately as it could be a possible attack or data exfiltration. <br />
You can check how long this communication has been going on by searching the logs for the malicious IP. You can also check which internal IP addresses are communicating with it and track the real users behind those internal IP addresses.<br />
Cross-check the reputation of the IP with popular websites such as ipvoid.com and virustotal.com.<br />
If you see an internal IP constantly involved in malicious communication (with multiple external IP addresses), you may install agents on the internal nodes involved and check the real user and process responsible for this communication.<br />
It is critical to block this rogue communication.<br />
|-<br />
|Seqrite utm firewall policy breach attempts<br />
|This alert is triggered when there is an attempt at a policy breach from an internal host.<br />
|This event indicates that traffic was generated from an internal host which might violate the organization's policy. The category of the URLs visited by the user is present in the events. Some firewall rules are predefined in the organization stating which categories should be accessible to which users or user groups.</br></br>If you see any user or IP address constantly communicating with URL(s) in a category that is not allowed by the organization's policy, you may want to take appropriate action on the user or, if required, quarantine the host.<br />
|-<br />
|Seqrite utm firewall communication between multiple Internal hosts and single malicious ip<br />
|This alert is triggered when communication happens between two or more internal hosts and the same external host with bad reputation.<br />
|KHIKA shares community-based threat intelligence (TI) every 24 hours. The TI feed is a list of IP addresses with bad reputation. Every bad IP is marked with the number of communities reporting it, the name of each community and a confidence score for the reputation. This alert is generated when communication happens between multiple internal hosts and the same external malicious IP.</br></br><br />
If communication with a bad IP is happening, it must be blocked immediately as it could be a possible attack or data exfiltration. <br />
You can check how long this communication has been going on by searching the logs for the malicious IP. You can also check which internal IP addresses are communicating with it and track the real users behind those internal IP addresses.<br />
Cross-check the reputation of the IP with popular websites such as ipvoid.com and virustotal.com.<br />
If you see an internal IP constantly involved in malicious communication (with the same external IP address), you may install agents on the internal nodes involved and check the real user and process responsible for this communication.<br />
It is critical to block this rogue communication.<br />
|-<br />
|Seqrite utm firewall communication with suspicious ip<br />
|This alert is triggered when bytes are both sent and received during communication with a malicious IP within 1 minute.<br />
|Communication with a bad IP is happening, and it must be blocked immediately as it could be a possible attack or data exfiltration. <br />
You can find the log for this communication by searching the logs for the malicious IP. You can also check which internal IP addresses are communicating with this IP address and track the real users behind those internal IP addresses.</br></br><br />
If you see an internal IP constantly involved in malicious communication (with the same or multiple external IP addresses), you may install agents on the internal nodes involved and check the real user and process responsible for this communication.<br />
If required, quarantine the affected internal servers until the issues are resolved.<br />
|-<br />
|Seqrite utm firewall host scan activity by malicious ip<br />
|This alert is triggered when the same malicious IP tries to generate traffic to one destination IP on more than 10 different ports within 1 minute and every request is denied.<br />
|A bad IP address sprays connection requests on multiple popular ports (21, 22, 53, 80, 443 etc.) against one single IP address at a time, with the intention of finding the open ports on the target. Typically, a scan attempt is the first stage of reconnaissance in the attack life cycle.</br></br><br />
It is important to check the reputation of the external IP address and block it if necessary. <br />
|-<br />
|Seqrite utm firewall successful host scan activity by malicious ip <br />
|This alert is triggered when the same malicious IP tries to generate traffic to one destination IP on more than 10 different ports and every request is denied, after which the same malicious IP attempts to connect to the same destination IP on one more port and this time succeeds. All of this happens within 1 minute.<br />
|A bad IP address sprays connection requests on multiple popular ports (21, 22, 53, 80, 443 etc.) against one single IP address at a time, with the intention of finding the open ports on the target. Typically, a scan attempt is the first stage of reconnaissance in the attack life cycle, and here the attacker has also established a connection on an open port.</br></br> <br />
It is important to check the reputation of the external IP address and block it if necessary.<br />
It is also important to verify the sanity of the affected internal nodes by checking whether any unwarranted system policy change or software configuration change/update occurred during the affected time period. If required, quarantine the affected servers until the issues are resolved.<br />
|-<br />
|Seqrite utm firewall sweep scan attack by malicious ip<br />
|This alert is triggered when the same malicious IP tries to generate traffic to more than 10 destination IPs and every request is denied. All of this happens within 1 minute.<br />
|A bad IP address sprays connection requests on one of the popular ports (21, 22, 53, 80, 443 etc.) across multiple IP addresses, with the intention of finding which ports are open on which IP addresses. Typically, a scan attempt is the first stage of reconnaissance in the attack life cycle.</br></br><br />
It is important to check the reputation of the external IP address and block it if necessary.<br />
|-<br />
|Seqrite utm firewall successful sweep scan activity by malicious ip<br />
|This alert is triggered when the same malicious IP tries to generate traffic to more than 10 destination IPs and every request is denied, after which the same source IP attempts to connect to one more destination IP and this time succeeds. All of this happens within 1 minute.<br />
|A bad IP address sprays connection requests on one of the popular ports (21, 22, 53, 80, 443 etc.) across multiple IP addresses, with the intention of finding which ports are open on which IP addresses. Typically, a scan attempt is the first stage of reconnaissance in the attack life cycle, and here the attacker has found an open port on one of the IP addresses and established a connection.</br></br><br />
It is important to check the reputation of the external IP address and block it if necessary.<br />
It is also important to verify the sanity of the affected internal nodes by checking whether any unwarranted system policy change or software configuration change/update occurred during the affected time period. If required, quarantine the affected servers until the issues are resolved.<br />
|-<br />
|Seqrite utm firewall successful sweep scan activity<br />
|This alert is triggered when the same source IP tries to generate traffic to more than 10 destination IPs and every request is denied, after which the same source IP attempts to connect to one more destination IP and this time succeeds. All of this happens within 1 minute.<br />
|An attacker sprays connection requests on one of the popular ports (21, 22, 53, 80, 443 etc.) across multiple IP addresses, with the intention of finding which ports are open on which IP addresses. Typically, a scan attempt is the first stage of reconnaissance in the attack life cycle, and here the attacker has also established a connection to one of the IP addresses.</br></br><br />
It is important to check the reputation of the suspected IP address. <br />
If the suspected IP address is external, you may consider blocking it.<br />
If the suspected IP address is internal, you may need to verify the sanity of the corresponding device.<br />
It is also important to verify the sanity of the affected internal nodes by checking whether any unwarranted system policy change or software configuration change/update occurred during the affected time period. If required, quarantine the affected servers until the issues are resolved.<br />
This may be a false positive, for example a designated vulnerability scanner or asset discovery tool; whitelist such known IP addresses to suppress it. <br />
|}</div>Dhanashree kulkarnihttp://khika.com/wiki/index.php?title=KHIKA_App_for_Seqrite_Utm_Firewall&diff=3079KHIKA App for Seqrite Utm Firewall2020-04-07T09:54:00Z<p>Dhanashree kulkarni: /* Enabling Syslog forwarding on the device */</p>
<hr />
<div>== Introduction ==<br />
Firewalls form an important part of organisations’ networks and hence monitoring your firewall is imperative.<br />
Seqrite UTM Firewall sends the traffic and user activity related information in the form of logs over syslog protocol. KHIKA Data Aggregator is pre-configured with syslog services on port 514.<br />
The key steps are: <br />
#Enabling Syslog forwarding on the device.<br />
#Install the KHIKA App for SEQRITE UTM Firewall.<br />
#Get data from your SEQRITE UTM Firewall into KHIKA Aggregator.<br />
<br />
== Enabling Syslog forwarding on the device ==<br />
Please refer to the [https://www.seqrite.com/documents/en/manuals/Seqrite_UTM_Admin_Guide_2.2.pdf#Configur Seqrite UTM Firewall documentation], page 199, to enable syslog forwarding on your Seqrite UTM Firewall.<br />
<br />
Example of Steps to forward Syslog to KHIKA Remote Syslog Server:<br />
<br />
Adding a remote syslog server</br><br />
1. Navigate to Logs and Reports > Settings > Remote Syslog Server.</br><br />
2. Click the + icon to add a new Syslog server. The Add server dialog box is displayed.</br><br />
3. Enter the name and IP address of the server.</br><br />
4. Enter the port number and select the protocol to be used to send the logs to the Syslog server.</br><br />
5. The KHIKA syslog server listens on UDP port 514. Use the UDP protocol and port 514 for log forwarding. Syslog over UDP is neither acknowledged nor encrypted, so the firewall cannot tell whether the logs arrived; verify receipt on the KHIKA Data Aggregator as described in the next section.<br />
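The forwarding path can be exercised end to end before the data shows up in the KHIKA GUI. The following is an added example, not KHIKA's or Seqrite's own code: it builds an RFC 3164 syslog datagram, sends it over UDP, and parses the priority field of whatever a listener receives. The hostname, tag and facility are assumptions (the page does not state which facility the firewall uses). The self-test binds an ephemeral loopback port so it runs offline; on the aggregator you would instead send to its IP on port 514 and check the aggregator's own syslog service.<br />

```python
"""Added example, not KHIKA's or Seqrite's own code: verify a UDP syslog path.

build_message() produces an RFC 3164 line (<PRI>TIMESTAMP HOSTNAME TAG: MSG);
send_udp() pushes it to a collector; receive_one() reads one datagram from a
bound socket; parse_pri() splits PRI back into (facility, severity).
"""
import re
import socket
from datetime import datetime

LOCAL0 = 16           # facility (assumption: the firewall's facility is not stated on the page)
SEV_INFO = 6          # severity "informational"
PRI_RE = re.compile(r"^<(\d{1,3})>")


def build_message(facility, severity, hostname, tag, text, when=None):
    """RFC 3164 message; the day of month is space-padded as the RFC requires."""
    when = when or datetime.now()
    pri = facility * 8 + severity
    stamp = f"{when:%b} {when.day:2d} {when:%H:%M:%S}"
    return f"<{pri}>{stamp} {hostname} {tag}: {text}"


def parse_pri(datagram):
    """Return (facility, severity) from the leading <PRI>, or None if malformed."""
    m = PRI_RE.match(datagram)
    if not m or int(m.group(1)) > 191:      # 191 = facility 23, severity 7
        return None
    pri = int(m.group(1))
    return pri // 8, pri % 8


def send_udp(message, host, port=514):
    """Send one datagram; UDP gives no acknowledgement, so check the receiver side."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(message.encode("utf-8"), (host, port))


def receive_one(sock, timeout=2.0):
    """Read one datagram from an already-bound UDP socket; returns (text, sender ip)."""
    sock.settimeout(timeout)
    data, peer = sock.recvfrom(65535)
    return data.decode("utf-8", errors="replace"), peer[0]


def self_test():
    """Loopback round trip on an ephemeral port; returns (matched, (facility, severity), sender)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as listener:
        listener.bind(("127.0.0.1", 0))
        port = listener.getsockname()[1]
        sent = build_message(LOCAL0, SEV_INFO, "seqrite-utm", "firewall",
                             "constructed test event for the KHIKA syslog check")
        send_udp(sent, "127.0.0.1", port)
        got, sender = receive_one(listener)
    return got == sent, parse_pri(got), sender


if __name__ == "__main__":
    # Against a real aggregator: send_udp(build_message(...), "<aggregator ip>", 514)
    print(self_test())
```

Binding port 514 on the aggregator requires root, so in practice you run the sender from the firewall's network segment and confirm arrival with the aggregator's verification procedure rather than with a second listener on the same port.<br />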
<br />
== Verifying SYSLOG data collection ==<br />
<br />
After you enable syslog forwarding on the end device, verify that the logs are actually being received by the KHIKA Data Aggregator. Please refer [[Getting Data into KHIKA#Verifying syslog data collection|here]] to understand how to verify syslogs on the KHIKA Data Aggregator.<br />
<br />
== How to Install the KHIKA App for Seqrite UTM Firewall ? ==<br />
<br />
It is assumed, that you have already configured KHIKA Data Aggregator in your environment. If not, please read [[Getting Started with KHIKA SaaS#Installing and configuring KHIKA Data Aggregator|how to configure KHIKA Data Aggregator]] and perform the pre-requisite steps.<br />
<br />
This section explains how to pick and install the KHIKA application for Seqrite UTM Firewall. Installing the application sets up and activates the adapter (parser) that handles the Seqrite UTM Firewall log format, along with the preconfigured dashboards and alert rules.<br />
<br />
Go to “Applications” tab in the “Configure” menu. <br />
<br />
[[File:seqrite_applicationtab.JPG|700px]]<br />
<br />
Check whether the appropriate Workspace is selected.<br />
Note: An application is always loaded into a Workspace. Read the section on Workspaces to know more about KHIKA Workspaces.<br />
Also select your KHIKA aggregator name in the Node dropdown. <br />
This ensures that data is collected from the desired source into the correct workspace, which is ready with the configured application and components.<br />
<br />
[[File:seqrite_selectapp.JPG|700px]]<br />
<br />
Click on the “+” button. A pop up appears.<br />
<br />
[[File:seqrite_app_installation.JPG|700px]]<br />
<br />
User can now select the contents of the application required. For example, on the dropdown for “Reports”, click to expand it. List of all reports can be seen. User can individually select the reports required by checking on the checkbox next to each. Alternatively, check on “Select All” option to get all of them. <br />
Similarly you can select contents from Alerts and Dashboards. <br />
<br />
Visit the sections on [[KHIKA Reports| KHIKA Reports]], [[KHIKA Dashboards| KHIKA Dashboards]], [[KHIKA Alerts & Correlations| KHIKA Alerts & Correlations]] to know more about these topics.<br />
<br />
Click “OK” to proceed with the installation of the selected Application. <br />
After successful installation, following status should be displayed :<br />
<br />
[[File:seqrite_appinstallaton_successfull.JPG|700px]]<br />
<br />
This simple procedure to install a KHIKA App, automatically configures the Adapter (required for parsing the data from raw syslogs), calculated KHIKA reports on raw data, Visualizations, Dashboards and Alerts – all in one click.<br />
<br />
== Adding the device in the Adaptor ==<br />
After syslogs are enabled on the device and the App is installed into KHIKA, it is time to add the device to this App (in the Adapter section of the KHIKA Web GUI). Please refer [[Getting Data into KHIKA#Adding device details in the Adaptor|here]] to know [[Getting Data into KHIKA#Adding device details in the Adaptor|how to add the device to an App]].<br />
<br />
After making these configurations in KHIKA, you must apply the changes to the Workspace. Go to Configure, select the Workspace and, in the Workspace tab of the Configure menu, press the Apply button as shown in the screenshot below.<br />
<br />
[[File:seqrite_apply_configuration.jpg|800px]]<br />
<br />
<br />
Wait a few minutes for the changes to apply and data to arrive in KHIKA. With all these steps done, data should now be arriving in KHIKA. Let's discover some live data in KHIKA.<br />
<br />
== How to check the output of KHIKA Seqrite UTM Firewall App ? ==<br />
<br />
===Discovering the logs of Seqrite UTM Firewall===<br />
After doing all the steps given above, we should start receiving live data into KHIKA. Go to "Discover" section in KHIKA GUI and select the index with name "*raw-seqrite_utm_firewall*". Note that the index has a prefix of the customer name and workspace name. After selecting this index, you should see the live data coming in. Spend some time understanding this data and the fields of the data.<br />
<br />
=== SEQRITE UTM Bandwidth Usage Dashboard===<br />
<br />
This Dashboard briefly explains the bandwidth consumption by user.<br />
<br />
==== Elements in the Dashboard are explained below : ====<br />
<br />
{| class="wikitable"<br />
|+ style="caption-side:bottom; color:#e76700;"|''Elements in "Seqrite UTM Bandwidth Usage" Dashboard''<br />
|-<br />
|'''Visualization'''<br />
|'''Description'''<br />
|-<br />
|Contribution of User<br />
|Contribution of top users present in the events. <br />
|-<br />
|User wise Max Total Usage<br />
|X axis : User(s) </br> Y axis : Total usage by the user.<br />
|-<br />
|User IP Address wise Max Daily Download<br />
|X axis : User IP(s) </br> Y axis : Max of Daily Download by the User IP.<br />
|-<br />
|User IP Address wise Max Daily Upload<br />
|X axis : User IP(s) </br> Y axis : Max of Daily Upload by the user IP.<br />
|-<br />
|Daily trend<br />
|Trend of bandwidth events over time. Useful to identify unusual spikes at a glance. <br/><br/>X axis : date & time <br/>Y axis : count of events<br />
|-<br />
|Summary Table<br />
|Detailed data with timestamp and count<br />
<br />
|}<br />
<br />
==== A suggestion for useful interaction with this dashboard could be : ====<br />
<br />
#Click on a user in the "Contribution of User" donut chart. The selection is reflected in all the visualizations. "User wise Max Total Usage" then shows the maximum total usage by that user, and "User IP Address wise Max Daily Download" shows the maximum daily download for each user IP related to the selected user. Detailed information can be seen in the "Summary Table".<br />
<br />
=== SEQRITE UTM Intrusion Prevention Dashboard===<br />
<br />
This dashboard shows summary of Intrusion Prevention.<br />
<br />
==== Elements in the Dashboard are explained below : ====<br />
<br />
{| class="wikitable"<br />
|+ style="caption-side:bottom; color:#e76700;"|''Elements in "SEQRITE UTM Intrusion Prevention" Dashboard''<br />
|-<br />
|'''Visualization'''<br />
|'''Description'''<br />
|-<br />
|Contribution Of Intrusion Signature<br />
|Contribution of different Intrusion Signatures present in the events.<br />
|-<br />
|Contribution Of Destination IP<br />
|Contribution of different Destination IP(s)<br />
|-<br />
|Contribution Of Destination Port<br />
|Contribution of Destination Port(s) like on which port the communication took place.<br />
|-<br />
|Contribution Of Source IP<br />
|Contribution of Source IP(s) from where the communication initiated.<br />
|-<br />
|Daily trend<br />
|Trend of events related to Intrusion Prevention over time. Useful to identify unusual spikes at a glance. <br/><br/>X axis : date & time <br/>Y axis : count of events<br />
|-<br />
|Summary Table<br />
|Detailed data with timestamp and count<br />
<br />
|}<br />
<br />
==== A suggestion for useful interaction with this dashboard could be : ====<br />
<br />
#Click on a Source IP in "Contribution Of Source IP". The selection is reflected in all the visualizations in the dashboard. "Contribution Of Destination IP" then shows the destination(s) in communication with the selected Source IP, and "Contribution Of Intrusion Signature" shows the intrusion signatures captured in those events. Detailed information related to this dashboard can be seen in the Summary Table.<br />
<br />
=== SEQRITE UTM Malicious Communication Dashboard===<br />
<br />
This dashboard shows brief summary of Malicious Communication happening in our network<br />
<br />
==== Elements in the Dashboard are explained below : ====<br />
<br />
{| class="wikitable"<br />
|+ style="caption-side:bottom; color:#e76700;"|''Elements in "SEQRITE UTM Malicious Communication" Dashboard''<br />
|-<br />
|'''Visualization'''<br />
|'''Description'''<br />
|-<br />
|Contribution of Action<br />
|Contribution of Different Actions present in the Communication.<br />
|-<br />
|Contribution of Malicious IP<br />
|Contribution of Top Malicious IP(s) present in the communication.<br />
|-<br />
|Contribution of Source IP<br />
|Contribution of Top Source IP(s) present in the communication.<br />
|-<br />
|Contribution Of Destination IP<br />
|Contribution of Top Destination IP(s) present in the communications.<br />
|-<br />
|Daily trend<br />
|Trend of Malicious Communication related events over time. Useful to identify unusual spikes at a glance. <br/><br/>X axis : date & time <br/>Y axis : count of events<br />
|-<br />
|Summary Table<br />
|Detailed data with timestamp and count<br />
<br />
|}<br />
<br />
==== A suggestion for useful interaction with this dashboard could be : ====<br />
<br />
#Click on a Malicious IP in the "Contribution of Malicious IP" donut chart. The selection is reflected in all the visualizations. The "Contribution of Action" visualization shows whether the connection was actually established or dropped. To drill down further, check the source and destination IP(s) in the communication to see whether the connection was inbound or outbound.<br />
Example: if the Malicious IP equals the Source IP the connection is inbound, and if it equals the Destination IP the connection is outbound. This assumes the firewall logs the initiating side as the source; in the outbound case the internal source host is the one to investigate, since it initiated contact with the bad IP.<br />
<br />
=== SEQRITE UTM Policy Breach Attempts Dashboard===<br />
<br />
This dashboard shows summary of policy breach attempts<br />
<br />
==== Elements in the Dashboard are explained below : ====<br />
<br />
{| class="wikitable"<br />
|+ style="caption-side:bottom; color:#e76700;"|''Elements in "SEQRITE UTM Policy Breach Attempts" Dashboard''<br />
|-<br />
|'''Visualization'''<br />
|'''Description'''<br />
|-<br />
|Contribution of User IP<br />
|Contribution of Top User IP(s) present in the events.<br />
|-<br />
|Category wise URL<br />
|X Axis : Different types of Categories. </br> Y Axis : Category wise URL(s)<br />
|-<br />
|Contribution of User Name<br />
|Contribution of top User Names present in the events. <br />
|-<br />
|Contribution of User Group<br />
|Contribution of different User Groups present.<br />
|-<br />
|Daily trend<br />
|Trend of Policy Breach Attempt related events over time. Useful to identify unusual spikes at a glance. <br/><br/>X axis : date & time <br/>Y axis : count of events<br />
|-<br />
|Summary Table<br />
|Detailed data with timestamp and count<br />
<br />
|}<br />
<br />
==== A suggestion for useful interaction with this dashboard could be : ====<br />
<br />
#This dashboard can be used to check attempts made by users that might be breaking the organization's policies. Click on any user in the "Contribution of User Name" visualization. The selection is reflected in all the visualizations. In "Category wise URL" you can check the category-wise URL(s) visited by the user which are not allowed as per the policy. Similarly, "Contribution of User IP" shows the IP used by the user. For detailed information related to the communication, use the Summary Table.<br />
<br />
=== SEQRITE_UTM-Website Category Wise URL Access Dashboard===<br />
<br />
This dashboard shows distribution of websites accessed as per category<br />
<br />
==== Elements in the Dashboard are explained below : ====<br />
<br />
{| class="wikitable"<br />
|+ style="caption-side:bottom; color:#e76700;"|''Elements in "SEQRITE_UTM-Website Category Wise URL Access" Dashboard''<br />
|-<br />
|'''Visualization'''<br />
|'''Description'''<br />
|-<br />
|Contribution of User<br />
|Top User(s) present in the events.<br />
|-<br />
|Contribution of IP Address<br />
|Top IP Address present in the events.<br />
|-<br />
|Category wise URL<br />
|X Axis : Types of Website Categories </br> Y Axis : Category wise URL<br />
|-<br />
|Daily trend<br />
|Trend of events over time. Useful to identify unusual spikes at a glance. <br/><br/>X axis : date & time <br/>Y axis : count of events<br />
|-<br />
|Summary Table<br />
|Detailed data with timestamp and count<br />
<br />
|}<br />
<br />
==== A suggestion for useful interaction with this dashboard could be : ====<br />
<br />
#This dashboard can be used to learn which URLs and categories are accessed by users. Click on a User or IP Address for deeper investigation. All the visualizations in the dashboard are updated accordingly. The "Category wise URL" section shows the category and the visited URLs in that category for the selected User/Source IP. For detailed information, use the Summary Table.<br />
<br />
=== Seqrite UTM Firewall Alerts ===<br />
<br />
Alerts are generated when certain critical behavior is observed in the system. Alerts can be monitored in real-time on Alerts Dashboard in KHIKA. Relevant stakeholders can also receive the alerts via emails. The table below explains all the pre-canned alerts shipped with KHIKA App for Seqrite UTM Firewall.<br />
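To make the rule definitions in the table below concrete, here is an added example that re-implements the scan, threat-intelligence and backdoor-port rules in Python over constructed firewall records. It is not KHIKA's own detection engine, whose internals the page does not show. The record fields (ts, src, dst, dport, action), the internal address ranges, the threat-intel dictionary and the sample events are all assumptions; the scan rules use the table's "more than 10 within 1 minute" thresholds, the threat-intel aggregation only counts accepted connections, and the inbound/outbound label follows the heuristic given in the Malicious Communication dashboard section above.<br />

```python
"""Added example, not KHIKA's own code: Seqrite UTM alert rules over constructed records."""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import ipaddress

BACKDOOR_PORTS = {3127, 3198, 6129, 7080}   # from the "backdoor activity" rule
SCAN_THRESHOLD = 10                         # rule text: "more than 10"
SCAN_WINDOW = timedelta(minutes=1)
TI_WINDOW = timedelta(hours=1)              # "multiple malicious hosts within 1 hour"
# Assumptions: RFC 1918 ranges are "internal"; the TI feed is reduced to ip -> confidence.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
BAD_IPS = {"203.0.113.66": 0.9, "198.51.100.23": 0.7}

def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def scan_alerts(records, group_key, distinct_key, window=SCAN_WINDOW, threshold=SCAN_THRESHOLD):
    """Host scan: group_key=(src, dst), distinct_key=dport. Sweep scan: group_key=src, distinct_key=dst.
    A group is flagged 'scan' once more than `threshold` distinct values were denied inside `window`;
    an accepted connection for that group within `window` of the flag becomes 'successful scan'."""
    denied = defaultdict(deque)   # group -> (ts, distinct value) of denies still inside the window
    flagged = {}                  # group -> ts of the open 'scan' alert
    alerts = []
    for rec in sorted(records, key=lambda r: r["ts"]):
        g = group_key(rec)
        q = denied[g]
        while q and rec["ts"] - q[0][0] > window:   # slide the window forward
            q.popleft()
        if rec["action"] == "deny":
            q.append((rec["ts"], distinct_key(rec)))
            fresh = g not in flagged or rec["ts"] - flagged[g] > window
            if fresh and len({v for _, v in q}) > threshold:
                flagged[g] = rec["ts"]
                alerts.append(("scan", g))
        elif rec["action"] == "accept" and g in flagged and rec["ts"] - flagged[g] <= window:
            alerts.append(("successful scan", g, distinct_key(rec)))
            del flagged[g]        # one success alert per spray
    return alerts

def ti_alerts(records, bad_ips=BAD_IPS, window=TI_WINDOW):
    """Threat-intel rules over accepted connections only (assumption, matching the
    'communication with possible ioc or bad ip' rule, which fires on accepted action)."""
    by_internal = defaultdict(list)   # internal ip -> [(ts, bad ip)]
    by_bad = defaultdict(set)         # bad ip -> internal ips that talked to it
    alerts = []
    for rec in sorted(records, key=lambda r: r["ts"]):
        if rec["action"] != "accept":
            continue
        src, dst = rec["src"], rec["dst"]
        bad = src if src in bad_ips else dst if dst in bad_ips else None
        if bad is None:
            continue
        # Dashboard heuristic from the page: bad ip == source -> inbound, otherwise outbound
        direction, internal = ("inbound", dst) if bad == src else ("outbound", src)
        alerts.append(("communication with bad ip", internal, bad, direction, bad_ips[bad]))
        if not is_internal(internal):
            continue
        by_internal[internal].append((rec["ts"], bad))
        recent = {b for t, b in by_internal[internal] if rec["ts"] - t <= window}
        if len(recent) >= 2:
            alerts.append(("multiple malicious hosts", internal, tuple(sorted(recent))))
        by_bad[bad].add(internal)
        if len(by_bad[bad]) >= 2:
            alerts.append(("multiple internal hosts", bad, tuple(sorted(by_bad[bad]))))
    return list(dict.fromkeys(alerts))    # drop repeats, keep first-seen order

def backdoor_alerts(records):
    """Traffic from an internal machine on a backdoor port, whatever the action."""
    return sorted({("backdoor port", r["src"], r["dport"]) for r in records
                   if is_internal(r["src"]) and r["dport"] in BACKDOOR_PORTS})

def run_all(records):
    return {
        "host_scan": scan_alerts(records, lambda r: (r["src"], r["dst"]), lambda r: r["dport"]),
        "sweep_scan": scan_alerts(records, lambda r: r["src"], lambda r: r["dst"]),
        "threat_intel": ti_alerts(records),
        "backdoor": backdoor_alerts(records),
    }

def sample_records():
    """Constructed events, not real Seqrite UTM logs."""
    t0 = datetime(2024, 1, 1, 9, 0, 0)
    def rec(secs, src, dst, dport, action):
        return {"ts": t0 + timedelta(seconds=secs), "src": src, "dst": dst, "dport": dport, "action": action}
    recs = [rec(i, "203.0.113.66", "10.0.0.5", p, "deny")            # host scan: 11 ports denied
            for i, p in enumerate([21, 22, 23, 25, 53, 80, 110, 143, 443, 445, 3389])]
    recs.append(rec(20, "203.0.113.66", "10.0.0.5", 8080, "accept"))   # ... then one port open
    recs += [rec(100 + i, "198.51.100.23", f"10.0.1.{i}", 22, "deny") for i in range(1, 12)]  # sweep
    recs.append(rec(130, "198.51.100.23", "10.0.1.12", 22, "accept"))  # ... lands on a 12th host
    recs.append(rec(600, "10.0.0.7", "203.0.113.66", 443, "accept"))   # one workstation, two bad ips
    recs.append(rec(900, "10.0.0.7", "198.51.100.23", 80, "accept"))
    recs.append(rec(1200, "10.0.0.9", "10.0.0.5", 3127, "accept"))     # internal host on a backdoor port
    return recs

if __name__ == "__main__":
    for rule, found in run_all(sample_records()).items():
        print(rule, found)
```

The same sliding-window detector serves both the host-scan and the sweep-scan rules; only the grouping key and the enumerated attribute differ, which is also why a designated vulnerability scanner trips both unless its address is whitelisted before the records reach the detector.<br />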
<br />
==== Alerts Description ====<br />
<br />
{| class="wikitable"<br />
|+ style="caption-side:bottom; color:#e76700;"|''Alert Details Table''<br />
|-<br />
|'''Alert Name'''<br />
|'''Description'''<br />
|'''Suggested Resolution'''<br />
|-<br />
|Seqrite utm firewall sweep scan attack<br />
|This alert is triggered when the same source IP tries to generate traffic to more than 10 destination IPs and every request is denied. All of this happens within 1 minute.<br />
|An attacker sprays connection requests on one of the popular ports (21, 22, 53, 80, 443 etc.) across multiple IP addresses, with the intention of finding which ports are open on which IP addresses. Typically, a scan attempt is the first stage of reconnaissance in the attack life cycle.</br></br><br />
Unless it is a known and legitimate IP address performing the scan, it is important to block this IP. You may whitelist known IP addresses (such as a designated vulnerability scanner or asset discovery tool) to suppress false positives.<br />
|-<br />
|Seqrite utm firewall host scan activity<br />
|This alert is triggered when the same source IP tries to generate traffic to the same destination IP on more than 10 destination ports and every request is denied. All of this happens within 1 minute.<br />
|An attacker sprays connection requests on multiple popular ports (21, 22, 53, 80, 443 etc.) against one single IP address at a time, with the intention of finding the open ports on the target. Typically, a scan attempt is the first stage of reconnaissance in the attack life cycle.</br></br><br />
Unless it is a known and legitimate IP address performing the scan, it is important to block this IP. You may whitelist known IP addresses (such as a designated vulnerability scanner or asset discovery tool) to suppress false positives.<br />
|-<br />
|Seqrite utm firewall communication with possible ioc or bad ip<br />
|This alert is triggered when either the Source or the Destination IP is found to be malicious and the action is accepted.<br />
|KHIKA shares community-based threat intelligence (TI) every 24 hours. The TI feed is a list of IP addresses with bad reputation. Every bad IP is marked with the number of communities reporting it, the name of each community and a confidence score for the reputation. This alert is generated when communication with a bad IP is let through.</br></br><br />
If communication with a bad IP is happening, it must be blocked immediately as it could be a possible attack or data exfiltration. <br />
You can check how long this communication has been going on by searching the logs for the malicious IP. You can also check which internal IP addresses are communicating with it and track the real users behind those internal IP addresses.<br />
Cross-check the reputation of the IP with popular websites such as ipvoid.com and virustotal.com.<br />
If you see an internal IP constantly involved in malicious communication (with the same or multiple external IP addresses), you may install agents on the internal nodes involved and check the real user and process responsible for this communication.<br />
It is critical to block this rogue communication.<br />
|-<br />
|Seqrite utm firewall seqrite backdoor activity<br />
|This alert is triggered when traffic is generated from an internal machine on vulnerable ports (3127, 3198, 6129, 7080).<br />
|This event indicates that traffic was generated from an internal machine on vulnerable ports (3127, 3198, 6129, 7080). Typically, attackers use these ports to exploit vulnerable programs listening on them. </br></br><br />
Check if these ports are open and on which servers. Do you really need them open?<br />
Check which programs are listening on these ports, and check the vulnerability reports for those applications.<br />
Block these ports for external traffic unless it is mandatory to keep them open.<br />
If you have to keep any of these ports open, restrict access to legitimate IPs.<br />
If a suspicious IP repeatedly tries to access these ports, block it. Check the reputation of the IP on sites such as ipvoid.com or virustotal.com. <br />
|-<br />
|Seqrite utm firewall host communicating with multiple malicious hosts within 1 hour<br />
|This alert is triggered when any one of the internal hosts communicates with two or more external hosts with bad reputation within 1 hour.<br />
|KHIKA shares community-based threat intelligence (TI) every 24 hours. The TI feed is a list of IP addresses with bad reputation. Every bad IP is marked with the number of communities reporting it, the name of each community and a confidence score for the reputation. This alert is generated when the same internal IP communicates with multiple malicious IPs.</br></br><br />
If communication with a bad IP is happening, it must be blocked immediately as it could be a possible attack or data exfiltration. <br />
You can check how long this communication has been going on by searching the logs for the malicious IP. You can also check which internal IP addresses are communicating with it and track the real users behind those internal IP addresses.<br />
Cross-check the reputation of the IP with popular websites such as ipvoid.com and virustotal.com.<br />
If you see an internal IP constantly involved in malicious communication (with multiple external IP addresses), you may install agents on the internal nodes involved and check the real user and process responsible for this communication.<br />
It is critical to block this rogue communication.<br />
|-<br />
|Seqrite utm firewall policy breach attempts<br />
|This alert is triggered when there is an attempt at a policy breach from an internal host.<br />
|This event indicates that traffic was generated from an internal host which might violate the organization's policy. The category of the URLs visited by the user is present in the events. Some firewall rules are predefined in the organization stating which categories should be accessible to which users or user groups.</br></br>If you see any user or IP address constantly communicating with URL(s) in a category that is not allowed by the organization's policy, you may want to take appropriate action on the user or, if required, quarantine the host.<br />
|-<br />
|Seqrite utm firewall communication between multiple Internal hosts and single malicious ip<br />
|This alert is triggered when communication happens between two or more internal hosts and the same external host with bad reputation.<br />
|KHIKA shares community-based threat intelligence (TI) every 24 hours. The TI feed is a list of IP addresses with bad reputation. Every bad IP is marked with the number of communities reporting it, the name of each community and a confidence score for the reputation. This alert is generated when communication happens between multiple internal hosts and the same external malicious IP.</br></br><br />
If communication with a bad IP is happening, it must be blocked immediately as it could be a possible attack or data exfiltration. <br />
You can check how long this communication has been going on by searching the logs for the malicious IP. You can also check which internal IP addresses are communicating with it and track the real users behind those internal IP addresses.<br />
Cross-check the reputation of the IP with popular websites such as ipvoid.com and virustotal.com.<br />
If you see an internal IP constantly involved in malicious communication (with the same external IP address), you may install agents on the internal nodes involved and check the real user and process responsible for this communication.<br />
It is critical to block this rogue communication.<br />
|-<br />
|Seqrite utm firewall communication with suspicious ip<br />
|This alert is triggered when bytes are both sent and received during communication with a malicious IP within 1 minute.<br />
|Communication with a bad IP is happening, and it must be blocked immediately as it could be a possible attack or data exfiltration. <br />
You can find the log for this communication by searching the logs for the malicious IP. You can also check which internal IP addresses are communicating with this IP address and track the real users behind those internal IP addresses.</br></br><br />
If you see an internal IP constantly involved in malicious communication (with the same or multiple external IP addresses), you may install agents on the internal nodes involved and check the real user and process responsible for this communication.<br />
If required, quarantine the affected internal servers until the issues are resolved.<br />
|-<br />
|Seqrite utm firewall host scan activity by malicious ip<br />
|This alert is triggered when the same malicious IP generates traffic to one destination IP on more than 10 different ports within 1 minute and every request is denied.<br />
|A bad IP address sprays connection requests across multiple popular ports (21, 22, 53, 80, 443 etc.) at one target IP address at a time, with the intention of finding the open ports on that target. Typically, a scan attempt is the first stage of reconnaissance in the attack life cycle.</br></br><br />
It is important to check the reputation of the external IP address and block it if necessary. Because the source is already on the threat-intelligence list, treat this with higher priority than a scan from an unknown address, and check whether the targeted host exposes any service the scan could have found.<br />
|-<br />
|Seqrite utm firewall successful host scan activity by malicious ip <br />
|This alert is triggered when the same malicious IP generates traffic to one destination IP on more than 10 different ports and every request is denied, and then the same malicious IP connects to the same destination IP on one more port and this time the connection is accepted. All of this happens within 1 minute.<br />
|A bad IP address sprays connection requests across multiple popular ports (21, 22, 53, 80, 443 etc.) at one target IP address at a time, with the intention of finding the open ports on that target. Typically, a scan attempt is the first stage of reconnaissance in the attack life cycle; here the attacker has found an open port and established a connection to it.</br></br> <br />
It is important to check the reputation of the external IP address and block it if necessary. Note the port that was accepted: that is the exposed service the attacker now knows about.<br />
It is also important to verify the sanity of the affected internal node by checking whether any unwarranted system policy change or software configuration/update has occurred during the affected time period. If required, quarantine the affected servers till the issues are resolved.<br />
|-<br />
|Seqrite utm firewall sweep scan attack by malicious ip<br />
|This alert is triggered when the same malicious IP generates traffic to more than 10 destination IPs within 1 minute and every request is denied.<br />
|A bad IP address sprays connection requests on one of the popular ports (21, 22, 53, 80, 443 etc.) across multiple IP addresses, with the intention of finding which IP addresses have that port open. Typically, a scan attempt is the first stage of reconnaissance in the attack life cycle.</br></br><br />
It is important to check the reputation of the external IP address and block it if necessary.<br />
|-<br />
|Seqrite utm firewall successful sweep scan activity by malicious ip<br />
|This alert is triggered when the same malicious IP generates traffic to more than 10 destination IPs and every request is denied, and then the same source IP attempts to connect to one more destination IP and this time the connection is accepted. All of this happens within 1 minute.<br />
|A bad IP address sprays connection requests on one of the popular ports (21, 22, 53, 80, 443 etc.) across multiple IP addresses, with the intention of finding which IP addresses have that port open. Typically, a scan attempt is the first stage of reconnaissance in the attack life cycle; here the attacker has found an open port on one of the IP addresses and established a connection to it.</br></br><br />
It is important to check the reputation of the external IP address and block it if necessary.<br />
It is also important to verify the sanity of the affected internal node (the one that accepted the connection) by checking whether any unwarranted system policy change or software configuration/update has occurred during the affected time period. If required, quarantine the affected servers till the issues are resolved.<br />
|-<br />
|Seqrite utm firewall successful sweep scan activity<br />
|This alert is triggered when the same source IP generates traffic to more than 10 destination IPs and every request is denied, and then the same source IP attempts to connect to one more destination IP and this time the connection is accepted. All of this happens within 1 minute.<br />
|An attacker sprays connection requests on one of the popular ports (21, 22, 53, 80, 443 etc.) across multiple IP addresses, with the intention of finding which IP addresses have that port open. Typically, a scan attempt is the first stage of reconnaissance in the attack life cycle; here the attacker has established a connection to one of the IP addresses.</br></br><br />
It is important to check the reputation of the suspected IP address. <br />
If the suspected IP address is external, you may consider blocking it.<br />
If the suspected IP address is internal, you may need to verify the sanity of the corresponding device, since an internal host scanning its neighbours is a sign of compromise or of an unauthorised tool.<br />
It is also important to verify the sanity of the affected internal nodes by checking whether any unwarranted system policy change or software configuration/update has occurred during the affected time period. If required, quarantine the affected servers till the issues are resolved.<br />
This may be a false positive: a designated vulnerability scanner or asset-discovery tool produces exactly this pattern, so white-list such known sources to suppress it.<br />
<br />
<br />
<br />
<br />
|}</div>Dhanashree kulkarnihttp://khika.com/wiki/index.php?title=KHIKA_App_for_Seqrite_Utm_Firewall&diff=3078KHIKA App for Seqrite Utm Firewall2020-04-07T09:53:24Z<p>Dhanashree kulkarni: /* Enabling Syslog forwarding on the device */</p>
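The scan rules in the alert table above (sweep scan, host scan, their "successful" variants and the "by malicious ip" variants) all reduce to counting distinct denied targets per source per minute and then watching for an accepted connection from the same source. The following is an added example of that logic, not KHIKA's own rule engine: the events are constructed dicts with the fields ts, src, dst, dport and action (assumed names, not the adapter's field names), bad_ips stands in for the threat-intelligence list and whitelist for the known scanners the table says to white-list.<br />

```python
"""Minute-bucketed scan detection over firewall events, in the shape of the
sweep/host scan alerts described above.  Added example, not KHIKA code.
Field names ts/src/dst/dport/action are assumptions; the events are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

THRESHOLD = 10          # "more than 10" distinct targets, as in the alert text


def detect_scans(events, bad_ips=frozenset(), whitelist=frozenset(), threshold=THRESHOLD):
    """Return one alert dict per (source, minute) that matches a scan rule.

    sweep scan : >threshold distinct destination IPs denied from one source
    host scan  : >threshold distinct ports denied on one destination from one source
    'successful' variants: after the denied spray, the same source gets an
    accepted connection to a new destination (sweep) or a new port (host).
    Sources on the TI list get the 'by malicious ip' rule name; whitelisted
    scanners produce no alert at all."""
    buckets = defaultdict(list)
    for e in events:
        if e["src"] in whitelist:
            continue
        buckets[(e["src"], e["ts"].replace(second=0, microsecond=0))].append(e)

    alerts = []
    for (src, minute), evs in sorted(buckets.items()):
        evs.sort(key=lambda e: e["ts"])
        denied_dsts = set()               # distinct destinations denied so far
        denied_ports = defaultdict(set)   # dst -> distinct ports denied so far
        sweep_hit, host_hits = None, {}
        for e in evs:
            if e["action"] == "deny":
                denied_dsts.add(e["dst"])
                denied_ports[e["dst"]].add(e["dport"])
            elif e["action"] == "accept":
                # "After that ... successfully connects": the accept must follow
                # a spray that has already crossed the threshold.
                if (sweep_hit is None and len(denied_dsts) > threshold
                        and e["dst"] not in denied_dsts):
                    sweep_hit = e
                ports = denied_ports.get(e["dst"], set())
                if (e["dst"] not in host_hits and len(ports) > threshold
                        and e["dport"] not in ports):
                    host_hits[e["dst"]] = e
        suffix = " by malicious ip" if src in bad_ips else ""
        if len(denied_dsts) > threshold:
            name = "successful sweep scan activity" if sweep_hit else "sweep scan attack"
            alerts.append(_alert(name + suffix, src, minute, len(denied_dsts), sweep_hit))
        for dst, ports in denied_ports.items():
            if len(ports) > threshold:
                hit = host_hits.get(dst)
                name = "successful host scan activity" if hit else "host scan activity"
                alerts.append(_alert(name + suffix, src, minute, len(ports), hit, target=dst))
    return alerts


def _alert(rule, src, minute, count, hit, target=None):
    return {"rule": rule, "src": src, "minute": minute, "denied": count, "target": target,
            "connected_to": (hit["dst"], hit["dport"]) if hit else None}


# --- constructed sample traffic (not real Seqrite UTM logs) ------------------
T0 = datetime(2020, 4, 7, 9, 53, 0)


def _ev(sec, src, dst, dport, action):
    return {"ts": T0 + timedelta(seconds=sec), "src": src, "dst": dst,
            "dport": dport, "action": action}


SAMPLE_EVENTS = (
    # TI-listed host sweeps port 22 on 12 addresses, then reaches an open one
    [_ev(i, "203.0.113.9", f"192.0.2.{i + 1}", 22, "deny") for i in range(12)]
    + [_ev(20, "203.0.113.9", "192.0.2.50", 22, "accept")]
    # unknown host walks 12 ports on one server, then hits 443 which is open
    + [_ev(i, "198.51.100.7", "192.0.2.10", 21 + i, "deny") for i in range(12)]
    + [_ev(15, "198.51.100.7", "192.0.2.10", 443, "accept")]
    # the organisation's own vulnerability scanner does the same: suppressed
    + [_ev(i, "10.0.0.5", f"192.0.2.{i + 1}", 80, "deny") for i in range(12)]
)
BAD_IPS = frozenset({"203.0.113.9"})
WHITELIST = frozenset({"10.0.0.5"})


def sample_alerts():
    return detect_scans(SAMPLE_EVENTS, bad_ips=BAD_IPS, whitelist=WHITELIST)


if __name__ == "__main__":
    for a in sample_alerts():
        print(a["rule"], a["src"], a["target"] or "", a["denied"], a["connected_to"])
```

The minute bucket is a simplification of "within 1 minute" (a spray that straddles a minute boundary is split in two); a sliding window per source is the obvious refinement if you adapt this for production use.<br />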
<hr />
<div>== Introduction ==<br />
Firewalls form an important part of an organisation’s network and hence monitoring your firewall is imperative.<br />
Seqrite UTM Firewall sends traffic and user activity related information in the form of logs over the syslog protocol. KHIKA Data Aggregator is pre-configured with a syslog service listening on port 514.<br />
The key steps are: <br />
#Enable Syslog forwarding on the device.<br />
#Install the KHIKA App for SEQRITE UTM Firewall.<br />
#Get data from your SEQRITE UTM Firewall into the KHIKA Aggregator.<br />
<br />
== Enabling Syslog forwarding on the device ==<br />
Please refer to the [https://www.seqrite.com/documents/en/manuals/Seqrite_UTM_Admin_Guide_2.2.pdf#Configur Seqrite UTM Firewall documentation] from page no. 199 for enabling syslog on your Seqrite UTM Firewall.<br />
<br />
Example of steps to forward Syslog to the KHIKA Remote Syslog Server:<br />
<br />
Adding a remote syslog server</br><br />
1. Navigate to Logs and Reports > Settings > Remote Syslog Server.</br><br />
2. Click the + icon to add a new Syslog server. The Add server dialog box is displayed.</br><br />
3. Enter the name and IP address of the server.</br><br />
4. Enter the port number and select the protocol over which the log files will be sent to the Syslog server.</br><br />
5. The KHIKA Syslog Server typically listens on UDP port 514. Please use the UDP protocol and port 514 for log forwarding. Note that syslog over UDP is unencrypted and unauthenticated and has no delivery guarantee: restrict inbound UDP 514 on the aggregator host to the UTM's IP address so that other hosts cannot inject forged log lines, and expect occasional loss of events on a congested link.<br />
<br />
== Verifying SYSLOG data collection ==<br />
<br />
After you enable syslog forwarding on the end device, you must verify that the logs are really being received by the KHIKA Data Aggregator. Please refer [[Getting Data into KHIKA#Verifying syslog data collection|here]] to understand how to verify syslogs on the KHIKA Data Aggregator.<br />
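A quick way to see exactly what the UTM delivers to the aggregator host, independent of the KHIKA GUI, is a throwaway UDP listener. The following is an added example, not KHIKA or Seqrite code. It assumes RFC 3164 style lines (&lt;PRI&gt;TIMESTAMP HOST MSG), and the key=value body in the sample datagram is constructed for illustration, not the real Seqrite UTM message format. Run it on an unprivileged port such as 5514 while temporarily pointing the UTM at that port, or on 514 as root; pass the UTM's address as allowed_sources so that datagrams from any other sender are flagged, since UDP syslog carries no authentication.<br />

```python
"""Throwaway UDP syslog listener for checking what reaches the aggregator.
Added example, not KHIKA or Seqrite code.  Assumes RFC 3164 style lines
("<PRI>TIMESTAMP HOST MSG"); the key=value body is a constructed convention
for the sample below, not the real Seqrite UTM format."""
import re
import socket
import sys

# Severity names in PRI order (RFC 3164 / RFC 5424).
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# "<PRI>" then an optional "Mmm dd hh:mm:ss HOST " header, then the message.
# The host is only parsed together with the timestamp, so a bare "<PRI>msg"
# does not swallow the first word of the message as a hostname.
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?:(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (?P<host>[^\s:]+) )?"
    r"(?P<msg>.*)$",
    re.DOTALL,
)

# Constructed sample datagram (not real UTM output): local0.info from "utm01".
SAMPLE = ('<134>Apr  7 09:53:24 utm01 '
          'action=deny src=203.0.113.9 dst=192.0.2.10 dport=22 proto=tcp')


def parse_syslog(line: str) -> dict:
    """Split one datagram into facility, severity, host and message.
    Raises ValueError on a malformed PRI so that junk arriving on the syslog
    port is noticed instead of being silently counted as a log line."""
    m = SYSLOG_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a syslog line: {line[:40]!r}")
    pri = int(m.group("pri"))
    if pri > 191:  # facility 0..23 * 8 + severity 0..7
        raise ValueError(f"PRI {pri} out of range")
    msg = m.group("msg")
    return {
        "facility": pri // 8,
        "severity": SEVERITIES[pri % 8],
        "timestamp": m.group("ts"),
        "host": m.group("host"),
        "message": msg,
        # key=value pairs, quoted or bare; an assumption for the sample only.
        "fields": {k: v.strip('"') for k, v in
                   re.findall(r'(\w+)=("[^"]*"|\S+)', msg)},
    }


def receive(port: int = 514, allowed_sources=(), bind_addr: str = "0.0.0.0"):
    """Print every datagram on udp/<port>.  Senders not in allowed_sources are
    flagged: UDP syslog has no authentication, so anything that can reach the
    port can inject forged events into the aggregator."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind_addr, port))
    print(f"listening on udp/{port}, Ctrl-C to stop", file=sys.stderr)
    while True:
        data, (src, _) = sock.recvfrom(65535)
        flag = "" if not allowed_sources or src in allowed_sources else " [UNEXPECTED SENDER]"
        try:
            rec = parse_syslog(data.decode("utf-8", "replace"))
            print(f"{src}{flag} fac={rec['facility']} sev={rec['severity']} "
                  f"host={rec['host']} {rec['message'][:100]}")
        except ValueError as exc:
            print(f"{src}{flag} {exc}")


if __name__ == "__main__":
    if len(sys.argv) > 1:            # e.g. python3 listen.py 5514 10.0.0.1
        receive(int(sys.argv[1]), tuple(sys.argv[2:]))
    else:
        print(parse_syslog(SAMPLE))
```

If nothing arrives, check in this order: the UTM's remote syslog entry points at the aggregator's IP and the same port, the host firewall on the aggregator permits UDP from the UTM, and no other process is already bound to the port.<br />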
<br />
== How to Install the KHIKA App for Seqrite UTM Firewall ? ==<br />
<br />
It is assumed, that you have already configured KHIKA Data Aggregator in your environment. If not, please read [[Getting Started with KHIKA SaaS#Installing and configuring KHIKA Data Aggregator|how to configure KHIKA Data Aggregator]] and perform the pre-requisite steps.<br />
<br />
This section explains how to pick and install the KHIKA application for Seqrite UTM Firewall. Installing the application puts together and activates the adapter (parser) that handles the Seqrite UTM Firewall data format, along with the preconfigured dashboards and alert rules.<br />
<br />
Go to “Applications” tab in the “Configure” menu. <br />
<br />
[[File:seqrite_applicationtab.JPG|700px]]<br />
<br />
Check whether the appropriate Workspace is selected.<br />
Note: An Application is always loaded in a Workspace. Read the section on Workspaces to know more about KHIKA Workspaces.<br />
Also select your KHIKA aggregator name in the Node dropdown. <br />
This ensures that we collect data from the desired source into the correct workspace, which is then ready with the configured application and components.<br />
<br />
[[File:seqrite_selectapp.JPG|700px]]<br />
<br />
Click on the “+” button. A pop up appears.<br />
<br />
[[File:seqrite_app_installation.JPG|700px]]<br />
<br />
You can now select the contents of the application required. For example, click the dropdown for “Reports” to expand it; the list of all reports is shown. Select the reports you need individually by checking the checkbox next to each, or check the “Select All” option to get all of them. <br />
Similarly, you can select contents from Alerts and Dashboards. <br />
<br />
Visit the sections on [[KHIKA Reports| KHIKA Reports]], [[KHIKA Dashboards| KHIKA Dashboards]], [[KHIKA Alerts & Correlations| KHIKA Alerts & Correlations]] to know more about these topics.<br />
<br />
Click “OK” to proceed with the installation of the selected Application. <br />
After successful installation, the following status should be displayed:<br />
<br />
[[File:seqrite_appinstallaton_successfull.JPG|700px]]<br />
<br />
This simple procedure to install a KHIKA App automatically configures the Adapter (required for parsing the data from raw syslogs), the KHIKA reports calculated on the raw data, Visualizations, Dashboards and Alerts, all in one click.<br />
<br />
== Adding the device in the Adaptor ==<br />
After syslog is enabled on the device and the App is installed into KHIKA, it is time to add the device to this App (in the Adapter section of the KHIKA Web GUI). Please refer [[Getting Data into KHIKA#Adding device details in the Adaptor|here]] to know [[Getting Data into KHIKA#Adding device details in the Adaptor|how to add the device to an App]].<br />
<br />
After making these configurations in KHIKA, you must apply them to the Workspace. Go to Configure, select the Workspace and, in the Workspace tab of the Configure menu, press the Apply button as shown in the screenshot below.<br />
<br />
[[File:seqrite_apply_configuration.jpg|800px]]<br />
<br />
<br />
Wait a few minutes for the changes to apply and data to arrive in KHIKA. With all these steps done, we should now expect data to arrive in KHIKA. Let's discover some live data in KHIKA.<br />
<br />
== How to check the output of KHIKA Seqrite UTM Firewall App ? ==<br />
<br />
===Discovering the logs of Seqrite UTM Firewall===<br />
After completing all the steps given above, we should start receiving live data in KHIKA. Go to the "Discover" section in the KHIKA GUI and select the index with the name "*raw-seqrite_utm_firewall*". Note that the index has a prefix of the customer name and workspace name. After selecting this index, you should see the live data coming in. Spend some time understanding this data and its fields.<br />
<br />
=== SEQRITE UTM Bandwidth Usage Dashboard===<br />
<br />
This dashboard summarises bandwidth consumption by user.<br />
<br />
==== Elements in the Dashboard are explained below : ====<br />
<br />
{| class="wikitable"<br />
|+ style="caption-side:bottom; color:#e76700;"|''Elements in "Seqrite UTM Bandwidth Usage" Dashboard''<br />
|-<br />
|'''Visualization'''<br />
|'''Description'''<br />
|-<br />
|Contribution of User<br />
|Contribution of top users present in the events. <br />
|-<br />
|User wise Max Total Usage<br />
|X axis : User(s) </br> Y axis : Total usage by the user.<br />
|-<br />
|User IP Address wise Max Daily Download<br />
|X axis : User IP(s) </br> Y axis : Max of Daily Download by the User IP.<br />
|-<br />
|User IP Address wise Max Daily Upload<br />
|X axis : User IP(s) </br> Y axis : Max of Daily Upload by the user IP.<br />
|-<br />
|Daily trend<br />
|Trend of bandwidth events over time. Useful to identify unusual spikes at a glance. <br/><br/>X axis : date & time <br/>Y axis : count of events<br />
|-<br />
|Summary Table<br />
|Detailed data with timestamp and count<br />
<br />
|}<br />
<br />
==== A suggestion for useful interaction with this dashboard could be : ====<br />
<br />
#Click on a user in the "Contribution of User" donut chart. This selection is reflected in all the visualizations accordingly. In the next visualization, "User wise Max Total Usage", we can see the max of total usage by that user. "User IP Address wise Max Daily Download" shows the max daily download per user IP related to the selected user. Detailed information can be seen in the "Summary Table".<br />
<br />
=== SEQRITE UTM Intrusion Prevention Dashboard===<br />
<br />
This dashboard shows a summary of Intrusion Prevention events.<br />
<br />
==== Elements in the Dashboard are explained below : ====<br />
<br />
{| class="wikitable"<br />
|+ style="caption-side:bottom; color:#e76700;"|''Elements in "SEQRITE UTM Intrusion Prevention" Dashboard''<br />
|-<br />
|'''Visualization'''<br />
|'''Description'''<br />
|-<br />
|Contribution Of Intrusion Signature<br />
|Contribution of different Intrusion Signatures present in the events.<br />
|-<br />
|Contribution Of Destination IP<br />
|Contribution of different Destination IP(s)<br />
|-<br />
|Contribution Of Destination Port<br />
|Contribution of Destination Port(s), i.e. the ports on which the communication took place.<br />
|-<br />
|Contribution Of Source IP<br />
|Contribution of Source IP(s) from which the communication was initiated.<br />
|-<br />
|Daily trend<br />
|Trend of events related to Intrusion Prevention over time. Useful to identify unusual spikes at a glance. <br/><br/>X axis : date & time <br/>Y axis : count of events<br />
|-<br />
|Summary Table<br />
|Detailed data with timestamp and count<br />
<br />
|}<br />
<br />
==== A suggestion for useful interaction with this dashboard could be : ====<br />
<br />
#Click on a Source IP in "Contribution Of Source IP". This selection is reflected in all the visualizations present in the dashboard. In "Contribution Of Destination IP" we can see the destination(s) in communication with the selected Source IP. Similarly, "Contribution Of Intrusion Signature" displays the Intrusion Signatures captured in the events for the selected fields. Detailed information related to this dashboard can be seen in the Summary Table.<br />
<br />
=== SEQRITE UTM Malicious Communication Dashboard===<br />
<br />
This dashboard shows a brief summary of the malicious communication happening in your network.<br />
<br />
==== Elements in the Dashboard are explained below : ====<br />
<br />
{| class="wikitable"<br />
|+ style="caption-side:bottom; color:#e76700;"|''Elements in "SEQRITE UTM Malicious Communication" Dashboard''<br />
|-<br />
|'''Visualization'''<br />
|'''Description'''<br />
|-<br />
|Contribution of Action<br />
|Contribution of Different Actions present in the Communication.<br />
|-<br />
|Contribution of Malicious IP<br />
|Contribution of Top Malicious IP(s) present in the communication.<br />
|-<br />
|Contribution of Source IP<br />
|Contribution of Top Source IP(s) present in the communication.<br />
|-<br />
|Contribution Of Destination IP<br />
|Contribution of Top Destination IP(s) present in the communications.<br />
|-<br />
|Daily trend<br />
|Trend of Malicious Communication related events over time. Useful to identify unusual spikes at a glance. <br/><br/>X axis : date & time <br/>Y axis : count of events<br />
|-<br />
|Summary Table<br />
|Detailed data with timestamp and count<br />
<br />
|}<br />
<br />
==== A suggestion for useful interaction with this dashboard could be : ====<br />
<br />
#Click on a "Malicious IP" in the Contribution of Malicious IP donut chart. This selection is reflected in all the visualizations accordingly. In the Contribution of Action visualization we can see the action, to check whether the connection was successfully established or not. To drill down further, check the source and destination IP(s) in the communication to determine whether the connection was inbound or outbound.<br />
Example: if the Malicious IP and the Source IP are the same, the connection is inbound; if the Malicious IP and the Destination IP are the same, the connection is outbound. An accepted outbound connection is the more urgent case, as it means the internal host initiated the contact, which is typical of an infected machine beaconing out.<br />
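The inbound/outbound rule above, together with the threat-intelligence alerts listed later on this page (communication with a possible IOC, one host talking to multiple malicious IPs within an hour, multiple internal hosts talking to one malicious IP, and bytes exchanged with a suspicious IP), can be expressed as one correlation pass over the firewall events. The following is an added example, not KHIKA's TI feed or rule engine: the TI entries and events are constructed, the field names (ts, src, dst, action, sent, rcvd, confidence, communities) are assumptions, and internal hosts are recognised as RFC 1918 addresses.<br />

```python
"""Threat-intelligence correlation over firewall events, following the
malicious-communication alerts and the inbound/outbound rule described above.
Added example, not KHIKA code; TI entries, events and field names are constructed."""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

ONE_HOUR = timedelta(hours=1)


def is_internal(ip: str) -> bool:
    """RFC 1918 and other private ranges count as internal (assumption)."""
    return ipaddress.ip_address(ip).is_private


def correlate(events, ti, window=ONE_HOUR):
    """Return alert dicts.  ti maps bad IP -> {"confidence", "communities"}."""
    alerts = []
    contacts = defaultdict(list)      # internal host -> [(ts, bad_ip)]
    touched_by = defaultdict(set)     # bad_ip -> {internal hosts}
    for e in sorted(events, key=lambda e: e["ts"]):
        # Direction rule from the dashboard text: bad IP as source = inbound,
        # bad IP as destination = outbound.
        if e["src"] in ti:
            bad, internal, direction = e["src"], e["dst"], "inbound"
        elif e["dst"] in ti:
            bad, internal, direction = e["dst"], e["src"], "outbound"
        else:
            continue
        if not is_internal(internal):
            continue
        base = {"internal": internal, "malicious": bad, "direction": direction,
                "ts": e["ts"], "confidence": ti[bad]["confidence"],
                "reported_by": len(ti[bad]["communities"])}
        if e["action"] == "accept":
            alerts.append({"rule": "communication with possible ioc or bad ip", **base})
        if e.get("sent", 0) > 0 and e.get("rcvd", 0) > 0:
            # bytes in both directions: the session carried data, not a blocked SYN
            alerts.append({"rule": "communication with suspicious ip",
                           "sent": e["sent"], "rcvd": e["rcvd"], **base})
        # Denied attempts still count as "communicating" for the aggregate rules:
        # a host trying to reach several bad IPs is suspicious even when blocked.
        contacts[internal].append((e["ts"], bad))
        touched_by[bad].add(internal)

    for internal, hits in contacts.items():
        for i, (ts, _) in enumerate(hits):
            bads = {b for t, b in hits[i:] if t - ts <= window}
            if len(bads) >= 2:
                alerts.append({"rule": "host communicating with multiple malicious hosts within 1 hour",
                               "internal": internal, "malicious": sorted(bads), "from": ts})
                break
    for bad, internals in touched_by.items():
        if len(internals) >= 2:
            alerts.append({"rule": "communication between multiple internal hosts and single malicious ip",
                           "malicious": bad, "internal": sorted(internals)})
    return alerts


# --- constructed TI list and events (not KHIKA's feed, not real UTM logs) -----
TI = {
    "203.0.113.9":  {"confidence": 90, "communities": ["feed-a", "feed-b", "feed-c"]},
    "198.51.100.7": {"confidence": 60, "communities": ["feed-a"]},
}
T0 = datetime(2020, 4, 7, 9, 0, 0)


def _ev(minute, src, dst, action, sent=0, rcvd=0):
    return {"ts": T0 + timedelta(minutes=minute), "src": src, "dst": dst,
            "action": action, "sent": sent, "rcvd": rcvd}


SAMPLE_EVENTS = [
    _ev(0,  "10.0.0.5", "203.0.113.9", "accept", sent=1200, rcvd=3400),  # outbound, data both ways
    _ev(10, "10.0.0.5", "198.51.100.7", "deny"),                         # second bad IP, blocked
    _ev(20, "203.0.113.9", "10.0.0.8", "accept", sent=500),              # inbound from bad IP
    _ev(25, "10.0.0.9", "192.0.2.44", "accept", sent=80, rcvd=90),       # clean destination
]


def sample_alerts():
    return correlate(SAMPLE_EVENTS, TI)


if __name__ == "__main__":
    for a in sample_alerts():
        print(a["rule"], "|", a.get("internal"), a.get("direction", ""), a["malicious"])
```

The confidence and community count are carried into each alert so that triage can sort by them: a single-community, low-confidence hit on a shared-hosting address deserves the cross-check with ipvoid.com or virustotal.com that the alert table recommends before anything is blocked.<br />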
<br />
=== SEQRITE UTM Policy Breach Attempts Dashboard===<br />
<br />
This dashboard shows a summary of policy breach attempts.<br />
<br />
==== Elements in the Dashboard are explained below : ====<br />
<br />
{| class="wikitable"<br />
|+ style="caption-side:bottom; color:#e76700;"|''Elements in "SEQRITE UTM Policy Breach Attempts" Dashboard''<br />
|-<br />
|'''Visualization'''<br />
|'''Description'''<br />
|-<br />
|Contribution of User IP<br />
|Contribution of Top User IP(s) present in the events.<br />
|-<br />
|Category wise URL<br />
|X Axis : Different types of Categories. </br> Y Axis : Category wise URL(s)<br />
|-<br />
|Contribution of User Name<br />
|Contribution of top User Names present in the events. <br />
|-<br />
|Contribution of User Group<br />
|Contribution of different User Groups present.<br />
|-<br />
|Daily trend<br />
|Trend of Policy Breach Attempt related events over time. Useful to identify unusual spikes at a glance. <br/><br/>X axis : date & time <br/>Y axis : count of events<br />
|-<br />
|Summary Table<br />
|Detailed data with timestamp and count<br />
<br />
|}<br />
<br />
==== A suggestion for useful interaction with this dashboard could be : ====<br />
<br />
#This dashboard can be used to check the attempts made by users which might be breaking the policies of the organization. Click on any user in the Contribution Of User Name visualization. This selection is reflected in all the visualizations accordingly. In "Category wise URL" we can check the category-wise URL(s) visited by the user which are not allowed as per the policy. Similarly, in Contribution of User IP we can see the IP used by the user. For detailed information related to the communication we can use the Summary Table.<br />
<br />
=== SEQRITE_UTM-Website Category Wise URL Access Dashboard===<br />
<br />
This dashboard shows the distribution of websites accessed, per category.<br />
<br />
==== Elements in the Dashboard are explained below : ====<br />
<br />
{| class="wikitable"<br />
|+ style="caption-side:bottom; color:#e76700;"|''Elements in "SEQRITE_UTM-Website Category Wise URL Access" Dashboard''<br />
|-<br />
|'''Visualization'''<br />
|'''Description'''<br />
|-<br />
|Contribution of User<br />
|Top User(s) present in the events.<br />
|-<br />
|Contribution of IP Address<br />
|Top IP Address present in the events.<br />
|-<br />
|Category wise URL<br />
|X Axis : Types of Website Categories </br> Y Axis : Category wise URL<br />
|-<br />
|Daily trend<br />
|Trend of events over time. Useful to identify unusual spikes at a glance. <br/><br/>X axis : date & time <br/>Y axis : count of events<br />
|-<br />
|Summary Table<br />
|Detailed data with timestamp and count<br />
<br />
|}<br />
<br />
==== A suggestion for useful interaction with this dashboard could be : ====<br />
<br />
#This dashboard can be used to learn which URLs and categories are accessed by users. Click on a User or IP Address for deeper investigation. All the visualizations present in the dashboard are filtered accordingly. The "Category wise URL" section shows the category and the visited URLs in that category for the selected User/Source IP. For detailed information we can use the Summary Table.<br />
<br />
=== Seqrite UTM Firewall Alerts ===<br />
<br />
Alerts are generated when certain critical behavior is observed in the system. Alerts can be monitored in real-time on Alerts Dashboard in KHIKA. Relevant stakeholders can also receive the alerts via emails. The table below explains all the pre-canned alerts shipped with KHIKA App for Seqrite UTM Firewall.<br />
<br />
==== Alerts Description ====<br />
<br />
{| class="wikitable"<br />
|+ style="caption-side:bottom; color:#e76700;"|''Alert Details Table''<br />
|-<br />
|'''Alert Name'''<br />
|'''Description'''<br />
|'''Suggested Resolution'''<br />
|-<br />
|Seqrite utm firewall sweep scan attack<br />
|This alert is triggered when the same source IP generates traffic to more than 10 destination IPs within 1 minute and every request is denied.<br />
|An attacker sprays connection requests on one of the popular ports (21, 22, 53, 80, 443 etc.) across multiple IP addresses, with the intention of finding which IP addresses have that port open. Typically, a scan attempt is the first stage of reconnaissance in the attack life cycle.</br></br><br />
Unless it is a known and legitimate IP address performing the scan, it is important to block this IP. You may white-list the known IP addresses (such as a designated vulnerability scanner, asset discovery tools etc.) so as to suppress the false positives.<br />
|-<br />
|Seqrite utm firewall host scan activity<br />
|This alert is triggered when the same source IP generates traffic to the same destination IP on more than 10 destination ports within 1 minute and every request is denied.<br />
|An attacker sprays connection requests across multiple popular ports (21, 22, 53, 80, 443 etc.) at one target IP address at a time, with the intention of finding the open ports on that target. Typically, a scan attempt is the first stage of reconnaissance in the attack life cycle.</br></br><br />
Unless it is a known and legitimate IP address performing the scan, it is important to block this IP. You may white-list the known IP addresses (such as a designated vulnerability scanner, asset discovery tools etc.) so as to suppress the false positives.<br />
|-<br />
|Seqrite utm firewall communication with possible ioc or bad ip<br />
|This alert is triggered when either the source or the destination IP of an accepted connection is found in the threat-intelligence list.<br />
|KHIKA shares community based threat intelligence (TI) every 24 hours. The TI is a list of IP addresses with bad reputation. Every bad IP is marked with the number of communities reporting it, the name of each community and a confidence score indicating how confident we are about the reputation. This alert is generated when communication with a bad IP is let through by the firewall.</br></br><br />
If communication with a bad IP is happening, it must be blocked immediately as it could be a possible attack or data exfiltration. <br />
You can check how long this communication has been happening by simply searching for the malicious IP in the logs. You can also check which internal IP addresses are communicating with this IP address and track the real users behind those internal IP addresses. Whether the bad IP is the source or the destination tells you the direction: a bad source IP means an inbound connection was accepted, a bad destination IP means an internal host reached out to it.<br />
Cross-check the reputation of the IP with popular websites such as ipvoid.com and virustotal.com.<br />
If you see an internal IP constantly getting involved in malicious communication (with the same or multiple external IP addresses), you may install agents on the internal nodes involved and check the real user and process responsible for this communication.<br />
It is critical to block this rogue communication.<br />
|-<br />
|Seqrite utm firewall seqrite backdoor activity<br />
|This alert is triggered when traffic is generated from an internal machine to the vulnerable ports 3127, 3198, 6129 and 7080.<br />
|This event indicates that traffic was generated from an internal machine to the vulnerable ports 3127, 3198, 6129 and 7080. Typically, these ports are used by attackers to exploit vulnerable programs listening on them, or are the listening ports of known backdoors.</br></br><br />
Check whether these ports are open and on which servers. Do you really need these ports open?<br />
Check what programs are running on these ports and check the vulnerability reports of those applications.<br />
Block these ports for external traffic unless it is mandatory to keep them open.<br />
If you have to keep any of these ports open, restrict access to legitimate IPs.<br />
If you see a suspicious IP repeatedly trying to access these ports, block the IP. Check the reputation of the IP on popular websites such as ipvoid.com, virustotal.com etc. Since the alert fires on traffic originating from an internal machine, also examine that machine for the process that listens on or connects to these ports.<br />
|-<br />
|Seqrite utm firewall host communicating with multiple malicious hosts within 1 hour<br />
|This alert is triggered when one internal host communicates with two or more external hosts with bad reputation within 1 hour.<br />
|KHIKA shares community based threat intelligence (TI) every 24 hours. The TI is a list of IP addresses with bad reputation. Every bad IP is marked with the number of communities reporting it, the name of each community and a confidence score indicating how confident we are about the reputation. This alert is generated when the same internal IP communicates with multiple malicious IPs, which is a stronger sign of an infected host than a single contact.</br></br><br />
If communication with a bad IP is happening, it must be blocked immediately as it could be a possible attack or data exfiltration. <br />
You can check how long this communication has been happening by simply searching for the malicious IPs in the logs. You can also check which other internal IP addresses are communicating with these IP addresses and track the real users behind those internal IP addresses.<br />
Cross-check the reputation of the IPs with popular websites such as ipvoid.com and virustotal.com.<br />
If you see an internal IP constantly getting involved in malicious communication (with multiple external IP addresses), you may install agents on the internal node involved and check the real user and process responsible for this communication.<br />
It is critical to block this rogue communication.<br />
|-<br />
|Seqrite utm firewall policy breach attempts<br />
|This alert is triggered when there is an attempt at a policy breach from an internal host.<br />
|This event indicates that traffic was generated from an internal host which might violate the organization's policy. The category of the URL visited by the user is present in the event. Firewall rules predefined in the organization state which categories should be accessible to which users/user groups.</br></br>If you see any user or IP address constantly communicating with URLs in a category that is not allowed as per the organization's policy, you may want to take appropriate action on the user or, if required, quarantine the host.<br />
|-<br />
|Seqrite utm firewall communication between multiple Internal hosts and single malicious ip<br />
|This alert is triggered when two or more internal hosts communicate with the same external host that has a bad reputation.<br />
|KHIKA shares community based threat intelligence (TI) every 24 hours. The TI is a list of IP addresses with bad reputation. Every bad IP is marked with the number of communities reporting it, the name of each community and a confidence score indicating how confident we are about the reputation. This alert is generated when multiple internal hosts communicate with the same external malicious IP, a pattern that can indicate several hosts sharing one command-and-control server.</br></br><br />
If communication with a bad IP is happening, it must be blocked immediately as it could be a possible attack or data exfiltration. <br />
You can check how long this communication has been happening by simply searching for the malicious IP in the logs. You can also check which internal IP addresses are communicating with this IP address and track the real users behind those internal IP addresses.<br />
Cross-check the reputation of the IP with popular websites such as ipvoid.com and virustotal.com. A shared-hosting or CDN address can end up on a community list, so confirm the reputation before blocking an address that many internal hosts may legitimately use.<br />
If you see an internal IP constantly getting involved in malicious communication (with the same external IP address), you may install agents on the internal nodes involved and check the real user and process responsible for this communication.<br />
It is critical to block this rogue communication.<br />
|-<br />
|Seqrite utm firewall communication with suspicious ip<br />
|This alert is triggered when bytes are both sent and received within 1 minute during communication with a malicious IP, i.e. the session was established and exchanged data rather than being a blocked attempt.<br />
|Communication with a bad IP is happening and it must be blocked immediately, as it could be a possible attack or data exfiltration. The byte counts in the event tell you the direction and volume of the transfer: a large upload to the bad IP suggests exfiltration, a large download suggests payload delivery.<br />
You can check the log for this communication by simply searching for the malicious IP in the logs. You can also check which internal IP addresses are communicating with this IP address and track the real users behind those internal IP addresses.</br></br><br />
If you see an internal IP constantly getting involved in malicious communication (with the same or multiple external IP addresses), you may install agents on the internal nodes involved and check the real user and process responsible for this communication.<br />
If required, quarantine the affected internal servers till the issues are resolved.<br />
|-<br />
|Seqrite utm firewall host scan activity by malicious ip<br />
|This alert is triggered when the same malicious IP generates traffic to one destination IP on more than 10 different ports within 1 minute and every request is denied.<br />
|A bad IP address sprays connection requests across multiple popular ports (21, 22, 53, 80, 443 etc.) at one target IP address at a time, with the intention of finding the open ports on that target. Typically, a scan attempt is the first stage of reconnaissance in the attack life cycle.</br></br><br />
It is important to check the reputation of the external IP address and block it if necessary. Because the source is already on the threat-intelligence list, treat this with higher priority than a scan from an unknown address, and check whether the targeted host exposes any service the scan could have found.<br />
|-<br />
|Seqrite utm firewall successful host scan activity by malicious ip <br />
|This alert is triggered when the same malicious IP generates traffic to one destination IP on more than 10 different ports and every request is denied, and then the same malicious IP connects to the same destination IP on one more port and this time the connection is accepted. All of this happens within 1 minute.<br />
|A bad IP address sprays connection requests across multiple popular ports (21, 22, 53, 80, 443 etc.) at one target IP address at a time, with the intention of finding the open ports on that target. Typically, a scan attempt is the first stage of reconnaissance in the attack life cycle; here the attacker has found an open port and established a connection to it.</br></br> <br />
It is important to check the reputation of the external IP address and block it if necessary. Note the port that was accepted: that is the exposed service the attacker now knows about.<br />
It is also important to verify the sanity of the affected internal node by checking whether any unwarranted system policy change or software configuration/update has occurred during the affected time period. If required, quarantine the affected servers till the issues are resolved.<br />
|-<br />
|Seqrite utm firewall sweep scan attack by malicious ip<br />
|This alert is triggered when the same malicious IP generates traffic to more than 10 destination IPs within 1 minute and every request is denied.<br />
|A bad IP address sprays connection requests on one of the popular ports (21, 22, 53, 80, 443 etc.) across multiple IP addresses, with the intention of finding which IP addresses have that port open. Typically, a scan attempt is the first stage of reconnaissance in the attack life cycle.</br></br><br />
It is important to check the reputation of the external IP address and block it if necessary.<br />
|-<br />
|Seqrite utm firewall successful sweep scan activity by malicious ip<br />
|This alert is triggered when the same malicious IP generates traffic to more than 10 destination IPs and every request is denied, and then the same source IP attempts to connect to one more destination IP and this time the connection is accepted. All of this happens within 1 minute.<br />
|A bad IP address sprays connection requests on one of the popular ports (21, 22, 53, 80, 443 etc.) across multiple IP addresses, with the intention of finding which IP addresses have that port open. Typically, a scan attempt is the first stage of reconnaissance in the attack life cycle; here the attacker has found an open port on one of the IP addresses and established a connection to it.</br></br><br />
It is important to check the reputation of the external IP address and block it if necessary.<br />
It is also important to verify the sanity of the affected internal node (the one that accepted the connection) by checking whether any unwarranted system policy change or software configuration/update has occurred during the affected time period. If required, quarantine the affected servers till the issues are resolved.<br />
|-<br />
|Seqrite utm firewall successful sweep scan activity<br />
|This alert is triggered when the same source IP generates traffic to more than 10 destination IPs and every request is denied, after which the same source IP attempts to connect to one more destination IP and this time the connection succeeds. All of this happens within 1 minute.<br />
|An attacker sprays connection requests on one of the popular ports (21, 22, 53, 80, 443 etc.) across multiple IP addresses, with the intention of finding which ports are open on which IP addresses. Typically, a scan attempt is the first stage of reconnaissance in the attack life cycle; here the attacker has also established a successful connection to one of the IP addresses.</br></br><br />
It is important to check the reputation of the suspected IP address.<br />
If the suspected IP address is external, you may consider blocking it.<br />
If the suspected IP address is internal, you may need to verify the sanity of the corresponding device.<br />
It is also important to verify the sanity of the affected internal nodes by checking whether any unwarranted system policy change or software configuration change/update occurred during the affected time period. If required, quarantine the affected servers until the issues are resolved.<br />
This may be a false positive.<br />
<br />
<br />
<br />
<br />
|}</div>Dhanashree kulkarnihttp://khika.com/wiki/index.php?title=KHIKA_App_for_Seqrite_Utm_Firewall&diff=3077KHIKA App for Seqrite Utm Firewall2020-04-07T09:50:41Z<p>Dhanashree kulkarni: /* Enabling Syslog forwarding on the device */</p>
<hr />
<div>== Introduction ==<br />
Firewalls form an important part of organisations’ networks and hence monitoring your firewall is imperative.<br />
Seqrite UTM Firewall sends the traffic and user activity related information in the form of logs over syslog protocol. KHIKA Data Aggregator is pre-configured with syslog services on port 514.<br />
The key steps are:<br />
#Enable syslog forwarding on the device.<br />
#Install the KHIKA App for SEQRITE UTM Firewall.<br />
#Get data from your SEQRITE UTM Firewall into the KHIKA Aggregator.<br />
<br />
== Enabling Syslog forwarding on the device ==<br />
Please refer to the [https://www.seqrite.com/documents/en/manuals/Seqrite_UTM_Admin_Guide_2.2.pdf#Configur Seqrite UTM Admin Guide] from page 199 onwards for enabling syslog on your Seqrite UTM Firewall.<br />
<br />
Example steps to forward syslog to the KHIKA Remote Syslog Server:<br />
<br />
Adding a remote syslog server</br><br />
1. Navigate to Logs and Reports > Settings > Remote Syslog Server.</br><br />
2. Click the + icon to add a new Syslog server. The Add server dialog box is displayed.</br><br />
3. Enter the name and IP address of the server.</br><br />
4. Enter the port number and select the protocol over which the log files will be sent to the Syslog server.</br><br />
5. The KHIKA Syslog Server typically listens on UDP port 514. Use the UDP protocol and port 514 for log forwarding.<br />
<br />
== Verifying SYSLOG data collection ==<br />
<br />
After you enable syslog forwarding on the end device, you must verify that the logs are actually being received by the KHIKA Data Aggregator. Please refer [[Getting Data into KHIKA#Verifying syslog data collection|here]] to understand how to verify syslog reception on the KHIKA Data Aggregator.<br />
<br />
== How to Install the KHIKA App for Seqrite UTM Firewall? ==<br />
<br />
It is assumed that you have already configured the KHIKA Data Aggregator in your environment. If not, please read [[Getting Started with KHIKA SaaS#Installing and configuring KHIKA Data Aggregator|how to configure KHIKA Data Aggregator]] and perform the prerequisite steps.<br />
<br />
This section explains how to pick and install the KHIKA application for Seqrite UTM Firewall. Installing the application puts together and activates the adapter (parser) that can handle the Seqrite UTM Firewall data format, along with the preconfigured dashboards and alert rules.<br />
<br />
Go to “Applications” tab in the “Configure” menu. <br />
<br />
[[File:seqrite_applicationtab.JPG|700px]]<br />
<br />
Check whether the appropriate Workspace is selected.<br />
Note: An application is always loaded into a Workspace. Read the section on Workspaces to know more about KHIKA Workspaces.<br />
Also select your KHIKA aggregator name in the Node dropdown.<br />
This ensures that we collect data from the desired source into the correct workspace, which is ready with the configured application and components.<br />
<br />
[[File:seqrite_selectapp.JPG|700px]]<br />
<br />
Click on the “+” button. A pop up appears.<br />
<br />
[[File:seqrite_app_installation.JPG|700px]]<br />
<br />
You can now select the contents of the application you require. For example, click the “Reports” dropdown to expand it; the list of all reports is shown. Select the reports you require individually by ticking the checkbox next to each, or tick “Select All” to get all of them.<br />
Similarly, you can select contents from Alerts and Dashboards.<br />
<br />
Visit the sections on [[KHIKA Reports| KHIKA Reports]], [[KHIKA Dashboards| KHIKA Dashboards]], [[KHIKA Alerts & Correlations| KHIKA Alerts & Correlations]] to know more about these topics.<br />
<br />
Click “OK” to proceed with the installation of the selected Application.<br />
After successful installation, the following status should be displayed:<br />
<br />
[[File:seqrite_appinstallaton_successfull.JPG|700px]]<br />
<br />
This simple procedure to install a KHIKA App automatically configures the Adapter (required for parsing the data from raw syslogs), the KHIKA reports calculated on the raw data, Visualizations, Dashboards and Alerts, all in one click.<br />
<br />
== Adding the device in the Adaptor ==<br />
After syslog is enabled on the device and the App is installed into KHIKA, it is time to add the device to this App (in the Adapter section of the KHIKA Web GUI). Please refer [[Getting Data into KHIKA#Adding device details in the Adaptor|here]] to know [[Getting Data into KHIKA#Adding device details in the Adaptor|how to add the device to an App]].<br />
<br />
After making these configurations in KHIKA, you must apply the changes to the Workspace. Go to Configure, select the Workspace, and in the Workspace tab of the Configure menu press the Apply button as shown in the screenshot below.<br />
<br />
[[File:seqrite_apply_configuration.jpg|800px]]<br />
<br />
<br />
Wait a few minutes for the changes to apply and data to arrive in KHIKA. With all these steps done, we should now expect data to arrive in KHIKA. Let's discover some live data in KHIKA.<br />
<br />
== How to check the output of KHIKA Seqrite UTM Firewall App? ==<br />
<br />
===Discovering the logs of Seqrite UTM Firewall===<br />
After completing all the steps above, live data should start arriving in KHIKA. Go to the "Discover" section in the KHIKA GUI and select the index named "*raw-seqrite_utm_firewall*". Note that the index name carries a prefix of the customer name and workspace name. After selecting this index, you should see the live data coming in. Spend some time understanding this data and its fields.<br />
<br />
=== SEQRITE UTM Bandwidth Usage Dashboard===<br />
<br />
This Dashboard briefly explains the bandwidth consumption by user.<br />
<br />
==== Elements in the Dashboard are explained below : ====<br />
<br />
{| class="wikitable"<br />
|+ style="caption-side:bottom; color:#e76700;"|''Elements in "Seqrite UTM Bandwidth Usage" Dashboard''<br />
|-<br />
|'''Visualization'''<br />
|'''Description'''<br />
|-<br />
|Contribution of User<br />
|Contribution of top users present in the events. <br />
|-<br />
|User wise Max Total Usage<br />
|X axis : User(s) </br> Y axis : Total usage by the user.<br />
|-<br />
|User IP Address wise Max Daily Download<br />
|X axis : User IP(s) </br> Y axis : Max of Daily Download by the User IP.<br />
|-<br />
|User IP Address wise Max Daily Upload<br />
|X axis : User IP(s) </br> Y axis : Max of Daily Upload by the user IP.<br />
|-<br />
|Daily trend<br />
|Trend of bandwidth events over time. Useful to identify unusual spikes at a glance. <br/><br/>X axis : date & time <br/>Y axis : count of events<br />
|-<br />
|Summary Table<br />
|Detailed data with timestamp and count<br />
<br />
|}<br />
<br />
==== A suggestion for useful interaction with this dashboard could be : ====<br />
<br />
#Click on a "User" in the Contribution of User donut chart. This selection is reflected in all the visualizations accordingly. In the next visualization, "User wise Max Total Usage", we can see the max total usage by the selected user. "User IP Address wise Max Daily Download" shows, per user IP, the max daily download related to the selected user. Detailed information can be seen in the "Summary Table".<br />
<br />
=== SEQRITE UTM Intrusion Prevention Dashboard===<br />
<br />
This dashboard shows a summary of Intrusion Prevention.<br />
<br />
==== Elements in the Dashboard are explained below : ====<br />
<br />
{| class="wikitable"<br />
|+ style="caption-side:bottom; color:#e76700;"|''Elements in "SEQRITE UTM Intrusion Prevention" Dashboard''<br />
|-<br />
|'''Visualization'''<br />
|'''Description'''<br />
|-<br />
|Contribution Of Intrusion Signature<br />
|Contribution of different Intrusion Signatures present in the events.<br />
|-<br />
|Contribution Of Destination IP<br />
|Contribution of different Destination IP(s).<br />
|-<br />
|Contribution Of Destination Port<br />
|Contribution of Destination Port(s), i.e. the ports on which the communication took place.<br />
|-<br />
|Contribution Of Source IP<br />
|Contribution of Source IP(s) from which the communication was initiated.<br />
|-<br />
|Daily trend<br />
|Trend of events related to Intrusion Prevention over time. Useful to identify unusual spikes at a glance. <br/><br/>X axis : date & time <br/>Y axis : count of events<br />
|-<br />
|Summary Table<br />
|Detailed data with timestamp and count<br />
<br />
|}<br />
<br />
==== A suggestion for useful interaction with this dashboard could be : ====<br />
<br />
#Click on a Source IP in "Contribution Of Source IP". This selection is reflected in all the visualizations present in the dashboard accordingly. In "Contribution Of Destination IP" we can see the destination(s) in communication with the selected Source IP. Similarly, "Contribution Of Intrusion Signature" displays the Intrusion Signatures captured in the events for the selected fields. Detailed information related to this dashboard can be seen in the Summary Table.<br />
<br />
=== SEQRITE UTM Malicious Communication Dashboard===<br />
<br />
This dashboard shows a brief summary of the Malicious Communication happening in our network.<br />
<br />
==== Elements in the Dashboard are explained below : ====<br />
<br />
{| class="wikitable"<br />
|+ style="caption-side:bottom; color:#e76700;"|''Elements in "SEQRITE UTM Malicious Communication" Dashboard''<br />
|-<br />
|'''Visualization'''<br />
|'''Description'''<br />
|-<br />
|Contribution of Action<br />
|Contribution of Different Actions present in the Communication.<br />
|-<br />
|Contribution of Malicious IP<br />
|Contribution of Top Malicious IP(s) present in the communication.<br />
|-<br />
|Contribution of Source IP<br />
|Contribution of Top Source IP(s) present in the communication.<br />
|-<br />
|Contribution Of Destination IP<br />
|Contribution of Top Destination IP(s) present in the communications.<br />
|-<br />
|Daily trend<br />
|Trend of Malicious Communication related events over time. Useful to identify unusual spikes at a glance. <br/><br/>X axis : date & time <br/>Y axis : count of events<br />
|-<br />
|Summary Table<br />
|Detailed data with timestamp and count<br />
<br />
|}<br />
<br />
==== A suggestion for useful interaction with this dashboard could be : ====<br />
<br />
#Click on a "Malicious IP" in the Contribution of Malicious IP donut chart. This selection is reflected in all the visualizations accordingly. The Contribution of Action visualization shows the action, i.e. whether the connection was successfully established or not. To drill down further, check the source and destination IP(s) in the communication to see whether the connection was inbound or outbound.<br />
Example: if the Malicious IP and the Source IP are the same, the connection is inbound; if the Malicious IP and the Destination IP are the same, the connection is outbound.<br />
<br />
=== SEQRITE UTM Policy Breach Attempts Dashboard===<br />
<br />
This dashboard shows a summary of policy breach attempts.<br />
<br />
==== Elements in the Dashboard are explained below : ====<br />
<br />
{| class="wikitable"<br />
|+ style="caption-side:bottom; color:#e76700;"|''Elements in "SEQRITE UTM Policy Breach Attempts" Dashboard''<br />
|-<br />
|'''Visualization'''<br />
|'''Description'''<br />
|-<br />
|Contribution of User IP<br />
|Contribution of Top User IP(s) present in the events.<br />
|-<br />
|Category wise URL<br />
|X Axis : Different types of Categories. </br> Y Axis : Category wise URL(s)<br />
|-<br />
|Contribution of User Name<br />
|Contribution of top User Names present in the events. <br />
|-<br />
|Contribution of User Group<br />
|Contribution of different User Groups present.<br />
|-<br />
|Daily trend<br />
|Trend of Policy Breach Attempt related events over time. Useful to identify unusual spikes at a glance. <br/><br/>X axis : date & time <br/>Y axis : count of events<br />
|-<br />
|Summary Table<br />
|Detailed data with timestamp and count<br />
<br />
|}<br />
<br />
==== A suggestion for useful interaction with this dashboard could be : ====<br />
<br />
#This dashboard can be used to check attempts made by users which might be breaking the policies of the organization. Click on any User in the Contribution Of User Name visualization. This selection is reflected in all the visualizations accordingly. In Category wise URL, we can check the category wise URL(s) visited by the user which are not allowed to be visited as per the policy. Similarly, in Contribution of User IP we can see the IP used by the user. For detailed information related to the communication, use the Summary Table.<br />
<br />
=== SEQRITE_UTM-Website Category Wise URL Access Dashboard===<br />
<br />
This dashboard shows the distribution of websites accessed, per category.<br />
<br />
==== Elements in the Dashboard are explained below : ====<br />
<br />
{| class="wikitable"<br />
|+ style="caption-side:bottom; color:#e76700;"|''Elements in "SEQRITE_UTM-Website Category Wise URL Access" Dashboard''<br />
|-<br />
|'''Visualization'''<br />
|'''Description'''<br />
|-<br />
|Contribution of User<br />
|Top User(s) present in the events.<br />
|-<br />
|Contribution of IP Address<br />
|Top IP Address present in the events.<br />
|-<br />
|Category wise URL<br />
|X Axis : Types of Website Categories </br> Y Axis : Category wise URL<br />
|-<br />
|Daily trend<br />
|Trend of events over time. Useful to identify unusual spikes at a glance. <br/><br/>X axis : date & time <br/>Y axis : count of events<br />
|-<br />
|Summary Table<br />
|Detailed data with timestamp and count<br />
<br />
|}<br />
<br />
==== A suggestion for useful interaction with this dashboard could be : ====<br />
<br />
#This dashboard can be used to learn which URLs and Categories are accessed by Users. Click on a User or IP Address for deeper investigation; all the visualizations present in the dashboard will reflect the selection accordingly. The "Category wise URL" section shows the category and the visited URLs in that category with respect to the selected User/Source IP. For detailed information, use the Summary Table.<br />
<br />
=== Seqrite UTM Firewall Alerts ===<br />
<br />
Alerts are generated when certain critical behavior is observed in the system. Alerts can be monitored in real-time on Alerts Dashboard in KHIKA. Relevant stakeholders can also receive the alerts via emails. The table below explains all the pre-canned alerts shipped with KHIKA App for Seqrite UTM Firewall.<br />
<br />
==== Alerts Description ====<br />
<br />
{| class="wikitable"<br />
|+ style="caption-side:bottom; color:#e76700;"|''Alert Details Table''<br />
|-<br />
|'''Alert Name'''<br />
|'''Description'''<br />
|'''Suggested Resolution'''<br />
|-<br />
|Seqrite utm firewall sweep scan attack<br />
|This alert is triggered when the same source IP generates traffic to more than 10 destination IPs and every request is denied. All of this happens within 1 minute.<br />
|An attacker sprays connection requests on one of the popular ports (21, 22, 53, 80, 443 etc.) across multiple IP addresses, with the intention of finding which ports are open on which IP addresses. Typically, a scan attempt is the first stage of reconnaissance in the attack life cycle.</br></br><br />
Unless it is a known and legitimate IP address performing the scan, it is important to block this IP. You may white-list the known IP addresses (such as a designated Vulnerability Scanner, Asset Discovery Tools etc.) so as to suppress false positives.<br />
|-<br />
|Seqrite utm firewall host scan activity<br />
|This alert is triggered when the same source IP generates traffic to the same destination IP on more than 10 destination ports and every request is denied. All of this happens within 1 minute.<br />
|An attacker sprays connection requests on multiple popular ports (21, 22, 53, 80, 443 etc.) targeting one IP address at a time, with the intention of finding the open ports on the target IP address. Typically, a scan attempt is the first stage of reconnaissance in the attack life cycle.</br></br><br />
Unless it is a known and legitimate IP address performing the scan, it is important to block this IP. You may white-list the known IP addresses (such as a designated Vulnerability Scanner, Asset Discovery Tools etc.) so as to suppress false positives.<br />
|-<br />
|Seqrite utm firewall communication with possible ioc or bad ip<br />
|This alert is triggered when either the Source or the Destination IP is found to be malicious and the action is accepted.<br />
|KHIKA shares community-based threat intelligence (TI) every 24 hours. The TI feed is a list of IP addresses with bad reputation. Every bad IP is marked with the number of communities reporting it, the name of each community, and a confidence score indicating how confident we are about the reputation. This alert is generated when communication with a bad IP is let through.</br></br><br />
If communication with a bad IP is happening, it must be blocked immediately as it could be a possible attack or data exfiltration.<br />
You can check how long this communication has been happening by simply searching for the malicious IP in the logs. You can also check which internal IP addresses are communicating with this IP address and track the real users behind those internal IP addresses.<br />
Cross-check the reputation of the IP with popular websites such as ipvoid.com and virustotal.com.<br />
If you see an internal IP constantly getting involved in malicious communication (with the same or multiple external IP addresses), you may install agents on the internal nodes involved and check the real user and process responsible for this communication.<br />
It is critical to block this rogue communication.<br />
|-<br />
|Seqrite utm firewall seqrite backdoor activity<br />
|This alert is triggered when traffic is generated from an internal machine on vulnerable ports (3127, 3198, 6129, 7080).<br />
|This event indicates that traffic was generated from an internal machine on vulnerable ports (3127, 3198, 6129, 7080). Typically, these ports are used by attackers to exploit vulnerable programs listening on them.</br></br><br />
Check whether these ports are open and on which servers. Do you really need these ports open?<br />
Check what programs are running on these ports. Check the vulnerability reports of those applications.<br />
Block these ports for external traffic, unless it is mandatory to keep them open.<br />
If you have to keep any of these ports open, try to restrict access to legitimate IPs.<br />
If a suspicious IP repeatedly tries to access these ports, block the IP. Check the reputation of the IP on popular websites such as ipvoid.com and virustotal.com.<br />
|-<br />
|Seqrite utm firewall host communicating with multiple malicious hosts within 1 hour<br />
|This alert is triggered when any one of the internal hosts communicates with two or more external hosts with a bad reputation.<br />
|KHIKA shares community-based threat intelligence (TI) every 24 hours. The TI feed is a list of IP addresses with bad reputation. Every bad IP is marked with the number of communities reporting it, the name of each community, and a confidence score indicating how confident we are about the reputation. This alert is generated when the same internal IP communicates with multiple malicious IPs.</br></br><br />
If communication with a bad IP is happening, it must be blocked immediately as it could be a possible attack or data exfiltration.<br />
You can check how long this communication has been happening by simply searching for the malicious IP in the logs. You can also check which internal IP addresses are communicating with this IP address and track the real users behind those internal IP addresses.<br />
Cross-check the reputation of the IP with popular websites such as ipvoid.com and virustotal.com.<br />
If you see an internal IP constantly getting involved in malicious communication (with multiple external IP addresses), you may install agents on the internal nodes involved and check the real user and process responsible for this communication.<br />
It is critical to block this rogue communication.<br />
|-<br />
|Seqrite utm firewall policy breach attempts<br />
|This alert is triggered when there is an attempt at a policy breach from internal hosts.<br />
|This event indicates that traffic was generated from an internal host which might violate the organization's policy. The category of the URLs visited by the user is present in the events. Depending on the category, predefined firewall rules in the organization state which categories should be accessible to which users/user groups.</br></br>If you see any User/IP address constantly communicating with URL(s) in a category that is not allowed as per the organization's policy, you may want to take appropriate action on the user or, if required, quarantine the host.<br />
|-<br />
|Seqrite utm firewall communication between multiple Internal hosts and single malicious ip<br />
|This alert is triggered when two or more internal hosts communicate with the same external host with a bad reputation.<br />
|KHIKA shares community-based threat intelligence (TI) every 24 hours. The TI feed is a list of IP addresses with bad reputation. Every bad IP is marked with the number of communities reporting it, the name of each community, and a confidence score indicating how confident we are about the reputation. This alert is generated when communication happens between multiple internal hosts and the same external malicious IP.</br></br><br />
If communication with a bad IP is happening, it must be blocked immediately as it could be a possible attack or data exfiltration.<br />
You can check how long this communication has been happening by simply searching for the malicious IP in the logs. You can also check which internal IP addresses are communicating with this IP address and track the real users behind those internal IP addresses.<br />
Cross-check the reputation of the IP with popular websites such as ipvoid.com and virustotal.com.<br />
If you see an internal IP constantly getting involved in malicious communication (with the same external IP address), you may install agents on the internal nodes involved and check the real user and process responsible for this communication.<br />
It is critical to block this rogue communication.<br />
|-<br />
|Seqrite utm firewall communication with suspicious ip<br />
|This alert is triggered when bytes are both sent and received during communication with a malicious IP within 1 minute.<br />
|If communication with a bad IP is happening, it must be blocked immediately as it could be a possible attack or data exfiltration.<br />
You can check the logs for this communication by simply searching for the malicious IP. You can also check which internal IP addresses are communicating with this IP address and track the real users behind those internal IP addresses.</br></br><br />
If you see an internal IP constantly getting involved in malicious communication (with the same or multiple external IP addresses), you may install agents on the internal nodes involved and check the real user and process responsible for this communication.<br />
If required, quarantine the affected internal servers until the issues are resolved.<br />
|-<br />
|Seqrite utm firewall host scan activity by malicious ip<br />
|This alert is triggered when the same malicious IP generates traffic to one destination IP on more than 10 different ports within 1 minute and every request is denied.<br />
|A bad IP address sprays connection requests on multiple popular ports (21, 22, 53, 80, 443 etc.) targeting one IP address at a time, with the intention of finding the open ports on the target IP address. Typically, a scan attempt is the first stage of reconnaissance in the attack life cycle.</br></br><br />
It is important to check the reputation of the external IP address and block it if necessary.<br />
|-<br />
|Seqrite utm firewall successful host scan activity by malicious ip <br />
|This alert is triggered when the same malicious IP generates traffic to one destination IP on more than 10 different ports and every request is denied, after which the same malicious IP attempts to connect to the same destination IP on one more port and this time the connection succeeds. All of this happens within 1 minute.<br />
|A bad IP address sprays connection requests on multiple popular ports (21, 22, 53, 80, 443 etc.) targeting one IP address at a time, with the intention of finding the open ports on the target IP address. Typically, a scan attempt is the first stage of reconnaissance in the attack life cycle; here the attacker has also established a successful connection on an open port.</br></br><br />
It is important to check the reputation of the external IP address and block it if necessary.<br />
It is also important to verify the sanity of the affected internal nodes by checking whether any unwarranted system policy change or software configuration change/update occurred during the affected time period. If required, quarantine the affected servers until the issues are resolved.<br />
|-<br />
|Seqrite utm firewall sweep scan attack by malicious ip<br />
|This alert is triggered when the same malicious IP generates traffic to more than 10 destination IPs and every request is denied. All of this happens within 1 minute.<br />
|A bad IP address sprays connection requests on one of the popular ports (21, 22, 53, 80, 443 etc.) across multiple IP addresses, with the intention of finding which ports are open on which IP addresses. Typically, a scan attempt is the first stage of reconnaissance in the attack life cycle.</br></br><br />
It is important to check the reputation of the external IP address and block it if necessary.<br />
|-<br />
|Seqrite utm firewall successful sweep scan activity by malicious ip<br />
|This alert is triggered when the same malicious IP generates traffic to more than 10 destination IPs and every request is denied, after which the same source IP attempts to connect to one more destination IP and this time the connection succeeds. All of this happens within 1 minute.<br />
|A bad IP address sprays connection requests on one of the popular ports (21, 22, 53, 80, 443 etc.) across multiple IP addresses, with the intention of finding which ports are open on which IP addresses. Typically, a scan attempt is the first stage of reconnaissance in the attack life cycle; here the attacker has found an open port on one of the IP addresses and is able to establish a connection.</br></br><br />
It is important to check the reputation of the external IP address and block it if necessary.<br />
It is also important to verify the sanity of the affected internal nodes by checking whether any unwarranted system policy change or software configuration change/update occurred during the affected time period. If required, quarantine the affected servers until the issues are resolved.<br />
|-<br />
|Seqrite utm firewall successful sweep scan activity<br />
|This alert is triggered when the same source IP generates traffic to more than 10 destination IPs and every request is denied, after which the same source IP attempts to connect to one more destination IP and this time the connection succeeds. All of this happens within 1 minute.<br />
|An attacker sprays connection requests on one of the popular ports (21, 22, 53, 80, 443 etc.) across multiple IP addresses, with the intention of finding which ports are open on which IP addresses. Typically, a scan attempt is the first stage of reconnaissance in the attack life cycle; here the attacker has also established a successful connection to one of the IP addresses.</br></br><br />
It is important to check the reputation of the suspected IP address.<br />
If the suspected IP address is external, you may consider blocking it.<br />
If the suspected IP address is internal, you may need to verify the sanity of the corresponding device.<br />
It is also important to verify the sanity of the affected internal nodes by checking whether any unwarranted system policy change or software configuration change/update occurred during the affected time period. If required, quarantine the affected servers until the issues are resolved.<br />
This may be a false positive.<br />
<br />
<br />
<br />
<br />
|}</div>Dhanashree kulkarnihttp://khika.com/wiki/index.php?title=KHIKA_App_for_Seqrite_Utm_Firewall&diff=3076KHIKA App for Seqrite Utm Firewall2020-04-07T09:49:55Z<p>Dhanashree kulkarni: </p>
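The scan alerts in the table above (host scan, sweep scan and their "successful" variants) all share one shape: more than 10 distinct denied targets from one source within one minute, optionally followed by a single accepted connection to a target not yet probed. The Python below is an added example that replays that correlation over constructed sample events; it is not KHIKA's rule engine and does not parse the Seqrite log format. The event field names (src, dst, dport, action), the sample addresses and the allow-listed scanner IP are all assumptions. The allow-list covers the white-listing of designated scanners the table recommends, and direction() is the inbound/outbound rule from the Malicious Communication dashboard notes.

```python
"""Replay of the scan-correlation rules described in the alert table above
over constructed sample events. Added example; not KHIKA's rule engine."""
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=1)      # "all this happens within 1 minute"
THRESHOLD = 10                     # "more than 10" distinct ports / hosts
KNOWN_SCANNERS = {"198.51.100.9"}  # assumption: allow-listed vulnerability scanner


def _ev(secs, src, dst, port, action):
    """Build one constructed firewall event (field names are assumptions)."""
    return {"ts": datetime(2020, 4, 7, 9, 50, 0) + timedelta(seconds=secs),
            "src": src, "dst": dst, "dport": port, "action": action}


# Constructed sample events (not real Seqrite logs):
#  - 203.0.113.7 probes 11 ports on 10.0.0.5 (denied), then is accepted on 8080
#  - 192.0.2.44 probes port 22 on 11 hosts (denied), then is accepted on a 12th
#  - 203.0.113.200 probes 11 ports on 10.0.0.6 and is denied every time
#  - 198.51.100.9 sweeps 12 hosts but is an allow-listed scanner
SAMPLE_EVENTS = (
    [_ev(i, "203.0.113.7", "10.0.0.5", p, "deny")
     for i, p in enumerate([21, 22, 23, 25, 53, 80, 110, 143, 443, 445, 3389])]
    + [_ev(20, "203.0.113.7", "10.0.0.5", 8080, "accept")]
    + [_ev(30 + i, "192.0.2.44", f"10.0.1.{i}", 22, "deny") for i in range(11)]
    + [_ev(45, "192.0.2.44", "10.0.1.50", 22, "accept")]
    + [_ev(100 + i, "203.0.113.200", "10.0.0.6", 1000 + i, "deny") for i in range(11)]
    + [_ev(50 + i, "198.51.100.9", f"10.0.2.{i}", 22, "deny") for i in range(12)]
)


def _scan_alerts(events, key_fn, distinct_fn, rule):
    """Sliding-window rule shared by the host-scan and sweep-scan alerts.

    For each key (the scanning source, plus the target host for host scans)
    look for more than THRESHOLD distinct denied values of distinct_fn inside
    WINDOW; an accepted connection to a value that was not among the denied
    ones, arriving after the threshold was crossed, upgrades the alert to the
    'successful ...' variant. Each key is reported once per burst.
    """
    alerts = []
    groups = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["src"] not in KNOWN_SCANNERS:       # suppress known false positives
            groups[key_fn(e)].append(e)
    for key, evs in groups.items():
        for start, first in enumerate(evs):
            denied, crossed, success = set(), False, None
            for e in evs[start:]:
                if e["ts"] - first["ts"] > WINDOW:
                    break
                if e["action"] == "deny":
                    denied.add(distinct_fn(e))
                    crossed = crossed or len(denied) > THRESHOLD
                elif crossed and distinct_fn(e) not in denied:
                    success = e
                    break
            if crossed:
                alerts.append({"rule": ("successful " if success else "") + rule,
                               "key": key, "denied": len(denied), "success": success})
                break
    return alerts


def host_scan_alerts(events):
    """Same source -> same destination, >10 distinct destination ports denied."""
    return _scan_alerts(events, lambda e: (e["src"], e["dst"]),
                        lambda e: e["dport"], "host scan")


def sweep_scan_alerts(events):
    """Same source, >10 distinct destination hosts denied."""
    return _scan_alerts(events, lambda e: e["src"], lambda e: e["dst"], "sweep scan")


def direction(event, bad_ips):
    """Inbound if the bad IP is the source, outbound if it is the destination."""
    if event["src"] in bad_ips:
        return "inbound"
    return "outbound" if event["dst"] in bad_ips else None


if __name__ == "__main__":
    for a in host_scan_alerts(SAMPLE_EVENTS) + sweep_scan_alerts(SAMPLE_EVENTS):
        print(a["rule"], a["key"], "denied:", a["denied"],
              "then accepted" if a["success"] else "no accept")
```

Run as-is it reports a successful host scan for 203.0.113.7, a plain host scan for 203.0.113.200 and a successful sweep scan for 192.0.2.44, while the allow-listed scanner produces nothing. The threshold is applied on distinct ports or hosts rather than on raw event counts so that retransmissions to one denied port do not inflate the score, and the accept only counts once the threshold has been crossed, matching the "after that ... one more port/destination" wording of the alert descriptions.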
<hr />
<div>== Introduction ==<br />
Firewalls form an important part of organisations’ networks and hence monitoring your firewall is imperative.<br />
Seqrite UTM Firewall sends the traffic and user activity related information in the form of logs over syslog protocol. KHIKA Data Aggregator is pre-configured with syslog services on port 514.<br />
The key steps are:<br />
#Enable syslog forwarding on the device.<br />
#Install the KHIKA App for SEQRITE UTM Firewall.<br />
#Get data from your SEQRITE UTM Firewall into the KHIKA Aggregator.<br />
<br />
== Enabling Syslog forwarding on the device ==<br />
Please refer to the [https://www.seqrite.com/documents/en/manuals/Seqrite_UTM_Admin_Guide_2.2.pdf#Configur Seqrite UTM Admin Guide] from page 199 onwards for enabling syslog on your Seqrite UTM Firewall.<br />
<br />
Example of Steps to forward Syslog to Remote Syslog Server:<br />
<br />
Adding a remote syslog server</br><br />
1. Navigate to Logs and Reports > Settings > Remote Syslog Server.</br><br />
2. Click the + icon to add a new Syslog server. The Add server dialog box is displayed.</br><br />
3. Enter the name and IP address of the server.</br><br />
4. Enter the port number and select the type of protocol using which the log files would be<br />
sent to the Syslog server.</br><br />
5. The KHIKA Syslog Server typically listens on UDP port 514. Please use the UDP protocol and port 514 for log forwarding.<br />
<br />
== Verifying SYSLOG data collection ==<br />
<br />
After you enable syslog forwarding on the end device, you must verify that the logs are actually being received by the KHIKA Data Aggregator. Please refer [[Getting Data into KHIKA#Verifying syslog data collection|here]] to understand how to verify syslogs on the KHIKA Data Aggregator.<br />
<br />
== How to Install the KHIKA App for Seqrite UTM Firewall ? ==<br />
<br />
It is assumed that you have already configured the KHIKA Data Aggregator in your environment. If not, please read [[Getting Started with KHIKA SaaS#Installing and configuring KHIKA Data Aggregator|how to configure KHIKA Data Aggregator]] and perform the pre-requisite steps.<br />
<br />
This section explains how to pick and install the KHIKA application for Seqrite UTM Firewall. Installing the application puts together and activates the adapter (parser) that can handle the Seqrite UTM Firewall data format, along with the preconfigured dashboards and alert rules.<br />
<br />
Go to “Applications” tab in the “Configure” menu. <br />
<br />
[[File:seqrite_applicationtab.JPG|700px]]<br />
<br />
Check whether the appropriate Workspace is selected.<br />
Note: Application is always loaded in a Workspace. Read the section on Workspaces to know more about KHIKA Workspaces.<br />
Also select your KHIKA aggregator name in the Node dropdown. <br />
This is to ensure that we are collecting data from the desired source and into the correct workspace which is ready with the configured application and components.<br />
<br />
[[File:seqrite_selectapp.JPG|700px]]<br />
<br />
Click on the “+” button. A pop up appears.<br />
<br />
[[File:seqrite_app_installation.JPG|700px]]<br />
<br />
User can now select the contents of the application required. For example, on the dropdown for “Reports”, click to expand it. List of all reports can be seen. User can individually select the reports required by checking on the checkbox next to each. Alternatively, check on “Select All” option to get all of them. <br />
Similarly you can select contents from Alerts and Dashboards. <br />
<br />
Visit the sections on [[KHIKA Reports| KHIKA Reports]], [[KHIKA Dashboards| KHIKA Dashboards]], [[KHIKA Alerts & Correlations| KHIKA Alerts & Correlations]] to know more about these topics.<br />
<br />
Click “OK” to proceed with the installation of the selected Application. <br />
After successful installation, following status should be displayed :<br />
<br />
[[File:seqrite_appinstallaton_successfull.JPG|700px]]<br />
<br />
This simple procedure to install a KHIKA App automatically configures the Adapter (required for parsing the data from raw syslogs), the KHIKA reports calculated on raw data, Visualizations, Dashboards and Alerts – all in one click.<br />
<br />
== Adding the device in the Adaptor ==<br />
After syslogs are enabled on the device and the App is installed into KHIKA, it is time to add the device to this App (in the Adapter section of the KHIKA Web GUI). Please refer [[Getting Data into KHIKA#Adding device details in the Adaptor|here]] to know [[Getting Data into KHIKA#Adding device details in the Adaptor|how to add the device to an App]].<br />
<br />
After making these configuration changes in KHIKA, you must apply them to the Workspace. Go to Configure, select the Workspace, and in the Workspace tab of the Configure menu press the Apply button as shown in the screenshot below.<br />
<br />
[[File:seqrite_apply_configuration.jpg|800px]]<br />
<br />
<br />
Wait a few minutes for the changes to apply and data to arrive in KHIKA. With all these steps done, we should now expect the data to arrive in KHIKA. Let's discover some live data in KHIKA.<br />
<br />
== How to check the output of KHIKA Seqrite UTM Firewall App ? ==<br />
<br />
===Discovering the logs of Seqrite UTM Firewall===<br />
After doing all the steps given above, we should start receiving live data into KHIKA. Go to "Discover" section in KHIKA GUI and select the index with name "*raw-seqrite_utm_firewall*". Note that the index has a prefix of the customer name and workspace name. After selecting this index, you should see the live data coming in. Spend some time understanding this data and the fields of the data.<br />
<br />
=== SEQRITE UTM Bandwidth Usage Dashboard===<br />
<br />
This Dashboard briefly explains the bandwidth consumption by user.<br />
<br />
==== Elements in the Dashboard are explained below : ====<br />
<br />
{| class="wikitable"<br />
|+ style="caption-side:bottom; color:#e76700;"|''Elements in "Seqrite UTM Bandwidth Usage" Dashboard''<br />
|-<br />
|'''Visualization'''<br />
|'''Description'''<br />
|-<br />
|Contribution of User<br />
|Contribution of top users present in the events. <br />
|-<br />
|User wise Max Total Usage<br />
|X axis : User(s) </br> Y axis : Total usage by the user.<br />
|-<br />
|User IP Address wise Max Daily Download<br />
|X axis : User IP(s) </br> Y axis : Max of Daily Download by the User IP.<br />
|-<br />
|User IP Address wise Max Daily Upload<br />
|X axis : User IP(s) </br> Y axis : Max of Daily Upload by the user IP.<br />
|-<br />
|Daily trend<br />
|Trend of bandwidth events over time. Useful to identify unusual spikes at a glance. <br/><br/>X axis : date & time <br/>Y axis : count of events<br />
|-<br />
|Summary Table<br />
|Detailed data with timestamp and count<br />
<br />
|}<br />
<br />
==== A suggestion for useful interaction with this dashboard could be : ====<br />
<br />
#Click on a "User" in the Contribution of User donut chart. This selection will be reflected in all the visualizations accordingly. In the next "User wise Max Total Usage" visualization we can see the Max of Total Usage by that user. "User IP Address wise Max Daily Download" shall show the user-IP-wise Max Daily Download related to the selected user. Detailed information can be seen in the "Summary Table".<br />
<br />
=== SEQRITE UTM Intrusion Prevention Dashboard===<br />
<br />
This dashboard shows summary of Intrusion Prevention.<br />
<br />
==== Elements in the Dashboard are explained below : ====<br />
<br />
{| class="wikitable"<br />
|+ style="caption-side:bottom; color:#e76700;"|''Elements in "SEQRITE UTM Intrusion Prevention" Dashboard''<br />
|-<br />
|'''Visualization'''<br />
|'''Description'''<br />
|-<br />
|Contribution Of Intrusion Signature<br />
|Contribution of different Intrusion Signatures present in the events.<br />
|-<br />
|Contribution Of Destination IP<br />
|Contribution of different Destination IP(s)<br />
|-<br />
|Contribution Of Destination Port<br />
|Contribution of Destination Port(s) like on which port the communication took place.<br />
|-<br />
|Contribution Of Source IP<br />
|Contribution of Source IP(s) from where the communication initiated.<br />
|-<br />
|Daily trend<br />
|Trend of events related to Intrusion Prevention over time. Useful to identify unusual spikes at a glance. <br/><br/>X axis : date & time <br/>Y axis : count of events<br />
|-<br />
|Summary Table<br />
|Detailed data with timestamp and count<br />
<br />
|}<br />
<br />
==== A suggestion for useful interaction with this dashboard could be : ====<br />
<br />
#Click on a Source IP in "Contribution Of Source IP". This selection will be reflected in all the visualizations present in the dashboard accordingly. In "Contribution Of Destination IP" we can see the destination(s) in communication with the selected Source IP. Similarly, "Contribution Of Intrusion Signature" will display the Intrusion Signatures captured in the events for the selected fields. Detailed information related to this dashboard can be seen in the Summary Table.<br />
<br />
=== SEQRITE UTM Malicious Communication Dashboard===<br />
<br />
This dashboard shows brief summary of Malicious Communication happening in our network<br />
<br />
==== Elements in the Dashboard are explained below : ====<br />
<br />
{| class="wikitable"<br />
|+ style="caption-side:bottom; color:#e76700;"|''Elements in "SEQRITE UTM Malicious Communication" Dashboard''<br />
|-<br />
|'''Visualization'''<br />
|'''Description'''<br />
|-<br />
|Contribution of Action<br />
|Contribution of Different Actions present in the Communication.<br />
|-<br />
|Contribution of Malicious IP<br />
|Contribution of Top Malicious IP(s) present in the communication.<br />
|-<br />
|Contribution of Source IP<br />
|Contribution of Top Source IP(s) present in the communication.<br />
|-<br />
|Contribution Of Destination IP<br />
|Contribution of Top Destination IP(s) present in the communications.<br />
|-<br />
|Daily trend<br />
|Trend of Malicious Communication related events over time. Useful to identify unusual spikes at a glance. <br/><br/>X axis : date & time <br/>Y axis : count of events<br />
|-<br />
|Summary Table<br />
|Detailed data with timestamp and count<br />
<br />
|}<br />
<br />
==== A suggestion for useful interaction with this dashboard could be : ====<br />
<br />
#Click on a "Malicious IP" in the Contribution of Malicious IP donut chart. This selection will be reflected in all the visualizations accordingly. We can see the action in the Contribution of Action visualization to check whether the connection was successfully established or not. To drill down further, we can check the source and destination IP(s) in the communication and determine whether the connection was inbound or outbound.<br />
Example: if the Malicious IP and the Source IP are the same, the connection is inbound; if the Malicious IP and the Destination IP are the same, the connection is outbound.<br />
<br />
=== SEQRITE UTM Policy Breach Attempts Dashboard===<br />
<br />
This dashboard shows summary of policy breach attempts<br />
<br />
==== Elements in the Dashboard are explained below : ====<br />
<br />
{| class="wikitable"<br />
|+ style="caption-side:bottom; color:#e76700;"|''Elements in "SEQRITE UTM Policy Breach Attempts" Dashboard''<br />
|-<br />
|'''Visualization'''<br />
|'''Description'''<br />
|-<br />
|Contribution of User IP<br />
|Contribution of Top User IP(s) present in the events.<br />
|-<br />
|Category wise URL<br />
|X Axis : Different types of Categories. </br> Y Axis : Category wise URL(s)<br />
|-<br />
|Contribution of User Name<br />
|Contribution of top User Names present in the events. <br />
|-<br />
|Contribution of User Group<br />
|Contribution of different User Groups present.<br />
|-<br />
|Daily trend<br />
|Trend of Policy Breach Attempt related events over time. Useful to identify unusual spikes at a glance. <br/><br/>X axis : date & time <br/>Y axis : count of events<br />
|-<br />
|Summary Table<br />
|Detailed data with timestamp and count<br />
<br />
|}<br />
<br />
==== A suggestion for useful interaction with this dashboard could be : ====<br />
<br />
#This dashboard can be used to check attempts made by users that might be breaking the policies of the organization. Click on any User in the Contribution of User Name visualization. This selection will be reflected in all the visualizations accordingly. In Category wise URL, we can check the category-wise URL(s) visited by the user that are not allowed as per the policy. Similarly, in Contribution of User IP we can see the IP used by the user. For detailed information related to the communication we can use the Summary Table.<br />
<br />
=== SEQRITE_UTM-Website Category Wise URL Access Dashboard===<br />
<br />
This dashboard shows distribution of websites accessed as per category<br />
<br />
==== Elements in the Dashboard are explained below : ====<br />
<br />
{| class="wikitable"<br />
|+ style="caption-side:bottom; color:#e76700;"|''Elements in "SEQRITE_UTM-Website Category Wise URL Access" Dashboard''<br />
|-<br />
|'''Visualization'''<br />
|'''Description'''<br />
|-<br />
|Contribution of User<br />
|Top User(s) present in the events.<br />
|-<br />
|Contribution of IP Address<br />
|Top IP Address present in the events.<br />
|-<br />
|Category wise URL<br />
|X Axis : Types of Website Categories </br> Y Axis : Category wise URL<br />
|-<br />
|Daily trend<br />
|Trend of events over time. Useful to identify unusual spikes at a glance. <br/><br/>X axis : date & time <br/>Y axis : count of events<br />
|-<br />
|Summary Table<br />
|Detailed data with timestamp and count<br />
<br />
|}<br />
<br />
==== A suggestion for useful interaction with this dashboard could be : ====<br />
<br />
#This dashboard can be used to gain knowledge of the URLs and Categories accessed by Users. Click on a User or IP Address for deeper investigation. All the visualizations present in the dashboard will be reflected accordingly. The "Category wise URL" section will show the category and the visited URLs in that category for the selected User/Source IP. For detailed information we can use the Summary Table.<br />
<br />
=== Seqrite UTM Firewall Alerts ===<br />
<br />
Alerts are generated when certain critical behavior is observed in the system. Alerts can be monitored in real-time on Alerts Dashboard in KHIKA. Relevant stakeholders can also receive the alerts via emails. The table below explains all the pre-canned alerts shipped with KHIKA App for Seqrite UTM Firewall.<br />
<br />
==== Alerts Description ====<br />
<br />
{| class="wikitable"<br />
|+ style="caption-side:bottom; color:#e76700;"|''Alert Details Table''<br />
|-<br />
|'''Alert Name'''<br />
|'''Description'''<br />
|'''Suggested Resolution'''<br />
|-<br />
|Seqrite utm firewall sweep scan attack<br />
|This alert is triggered when the same source IP generates traffic to more than 10 destination IPs and every request is denied, all within 1 minute.<br />
|An attacker tries to spray connection requests on one of the popular ports (21, 22, 53, 80, 443, etc.) across multiple IP addresses with the intention of finding which ports are open on which IP addresses. Typically, a scan attempt is the first stage of reconnaissance in the attack life cycle.</br></br><br />
Unless it is a known and legitimate IP address performing the scan, it is important to block this IP. You may white-list the known IP addresses (such as a designated Vulnerability Scanner, Asset Discovery Tools, etc.) to suppress false positives.<br />
|-<br />
|Seqrite utm firewall host scan activity<br />
|This alert is triggered when the same source IP generates traffic to the same destination IP on more than 10 destination ports and every request is denied, all within 1 minute.<br />
|An attacker tries to spray connection requests on multiple popular ports (21, 22, 53, 80, 443, etc.) targeting a single IP address at a time with the intention of finding the open ports on the target IP address. Typically, a scan attempt is the first stage of reconnaissance in the attack life cycle.</br></br><br />
Unless it is a known and legitimate IP address performing the scan, it is important to block this IP. You may white-list the known IP addresses (such as a designated Vulnerability Scanner, Asset Discovery Tools, etc.) to suppress false positives.<br />
|-<br />
|Seqrite utm firewall communication with possible ioc or bad ip<br />
|This alert is triggered when either the Source or the Destination IP is found to be malicious and the action is accepted.<br />
|KHIKA shares community-based threat intelligence (TI) every 24 hours. The TI contains a list of IP addresses with bad reputation. Every bad IP is marked with the number of communities reporting it, the name of each community, and a confidence score indicating how confident we are about the reputation. This alert is generated when communication with a bad IP is let through.</br></br><br />
If communication with a bad IP is happening, it must be blocked immediately, as it could be a possible attack or data exfiltration. <br />
You can check how long this communication has been happening by simply searching for the malicious IP in the logs. You can also check which internal IP addresses are communicating with this IP address and track the real users behind those internal IP addresses.<br />
Cross-check the reputation of the IP with popular websites such as ipvoid.com and virustotal.com.<br />
If you see an internal IP constantly involved in malicious communication (with the same or multiple external IP addresses), you may install agents on the internal nodes involved and check the real user and process responsible for this communication.<br />
It is critical to block this rogue communication.<br />
|-<br />
|Seqrite utm firewall seqrite backdoor activity<br />
|This alert is triggered when traffic is generated from an internal machine on vulnerable ports (3127, 3198, 6129, 7080).<br />
|This event indicates that traffic was generated from an internal machine on vulnerable ports (3127, 3198, 6129, 7080). Typically, these ports are used by attackers to exploit vulnerable programs listening on them. </br></br><br />
Check whether these ports are open and on which servers. Do you really need these ports open?<br />
Check which programs are running on these ports, and check the vulnerability reports of those applications.<br />
Block these ports for external traffic unless it is mandatory to keep them open.<br />
If you have to keep any of these ports open, try to restrict access to legitimate IPs.<br />
If a suspicious IP repeatedly tries to access these ports, block the IP. Check the reputation of the IP on popular websites such as ipvoid.com, virustotal.com, etc. <br />
|-<br />
|Seqrite utm firewall host communicating with multiple malicious hosts within 1 hour<br />
|This alert is triggered when any one of the internal hosts communicates with two or more external hosts with bad reputation.<br />
|KHIKA shares community-based threat intelligence (TI) every 24 hours. The TI contains a list of IP addresses with bad reputation. Every bad IP is marked with the number of communities reporting it, the name of each community, and a confidence score indicating how confident we are about the reputation. This alert is generated when the same internal IP communicates with multiple malicious IPs.</br></br><br />
If communication with a bad IP is happening, it must be blocked immediately, as it could be a possible attack or data exfiltration. <br />
You can check how long this communication has been happening by simply searching for the malicious IP in the logs. You can also check which internal IP addresses are communicating with this IP address and track the real users behind those internal IP addresses.<br />
Cross-check the reputation of the IP with popular websites such as ipvoid.com and virustotal.com.<br />
If you see an internal IP constantly involved in malicious communication (with multiple external IP addresses), you may install agents on the internal nodes involved and check the real user and process responsible for this communication.<br />
It is critical to block this rogue communication.<br />
|-<br />
|Seqrite utm firewall policy breach attempts<br />
|This alert is triggered when there is an attempt at a policy breach from internal hosts.<br />
|This event indicates that traffic was generated from an internal host which might violate the organization's policy. The category of the URLs visited by the user is present in the events. Depending on the category, some firewall rules are predefined in the organization stating which categories should be accessible to which users/user groups.</br></br>If you see any User/IP address constantly communicating with URL(s) in a category that is not allowed as per the organization's policy, you may want to take appropriate action on the user or, if required, quarantine the host.<br />
|-<br />
|Seqrite utm firewall communication between multiple Internal hosts and single malicious ip<br />
|This alert is triggered when communication happens between two or more internal hosts and a single external host with bad reputation.<br />
|KHIKA shares community-based threat intelligence (TI) every 24 hours. The TI contains a list of IP addresses with bad reputation. Every bad IP is marked with the number of communities reporting it, the name of each community, and a confidence score indicating how confident we are about the reputation. This alert is generated when communication happens between multiple internal hosts and the same external malicious IP.</br></br><br />
If communication with a bad IP is happening, it must be blocked immediately, as it could be a possible attack or data exfiltration. <br />
You can check how long this communication has been happening by simply searching for the malicious IP in the logs. You can also check which internal IP addresses are communicating with this IP address and track the real users behind those internal IP addresses.<br />
Cross-check the reputation of the IP with popular websites such as ipvoid.com and virustotal.com.<br />
If you see an internal IP constantly involved in malicious communication (with the same external IP address), you may install agents on the internal nodes involved and check the real user and process responsible for this communication.<br />
It is critical to block this rogue communication.<br />
|-<br />
|Seqrite utm firewall communication with suspicious ip<br />
|This alert is triggered when bytes are both sent and received during communication with a malicious IP within 1 minute.<br />
|Communication with a bad IP is happening; it must be blocked immediately, as it could be a possible attack or data exfiltration. <br />
You can check the logs for this communication by simply searching for the malicious IP. You can also check which internal IP addresses are communicating with this IP address and track the real users behind those internal IP addresses.</br></br><br />
If you see an internal IP constantly involved in malicious communication (with the same or multiple external IP addresses), you may install agents on the internal nodes involved and check the real user and process responsible for this communication.<br />
If required, quarantine the affected internal servers until the issues are resolved.<br />
|-<br />
|Seqrite utm firewall host scan activity by malicious ip<br />
|This alert is triggered when the same malicious IP generates traffic to one destination IP on more than 10 different ports within 1 minute and every request is denied.<br />
|A bad IP address tries to spray connection requests on multiple popular ports (21, 22, 53, 80, 443, etc.) targeting a single IP address at a time with the intention of finding the open ports on the target IP address. Typically, a scan attempt is the first stage of reconnaissance in the attack life cycle.</br></br><br />
It is important to check the reputation of the external IP address and block it if necessary. <br />
|-<br />
|Seqrite utm firewall successful host scan activity by malicious ip <br />
|This alert is triggered when the same malicious IP generates traffic to one destination IP on more than 10 different ports and every request is denied, after which the same malicious IP attempts to connect to the same destination IP on one more port and this time connects successfully. All of this happens within 1 minute.<br />
|A bad IP address tries to spray connection requests on multiple popular ports (21, 22, 53, 80, 443, etc.) targeting a single IP address at a time with the intention of finding the open ports on the target IP address. Typically, a scan attempt is the first stage of reconnaissance in the attack life cycle; here the attacker has also successfully connected on an open port.</br></br> <br />
It is important to check the reputation of the external IP address and block it if necessary.<br />
It is also important to verify the sanity of affected internal nodes by checking whether any unwarranted system policy change or software configuration/updates have occurred during the affected time period. If required, quarantine the affected servers until the issues are resolved.<br />
|-<br />
|Seqrite utm firewall sweep scan attack by malicious ip<br />
|This alert is triggered when the same malicious IP generates traffic to more than 10 destination IPs and every request is denied, all within 1 minute.<br />
|A bad IP address tries to spray connection requests on one of the popular ports (21, 22, 53, 80, 443, etc.) across multiple IP addresses with the intention of finding which ports are open on which IP addresses. Typically, a scan attempt is the first stage of reconnaissance in the attack life cycle.</br></br><br />
It is important to check the reputation of the external IP address and block it if necessary.<br />
|-<br />
|Seqrite utm firewall successful sweep scan activity by malicious ip<br />
|This alert is triggered when the same malicious IP generates traffic to more than 10 destination IPs and every request is denied, after which the same source IP attempts to connect to one more destination IP and this time connects successfully. All of this happens within 1 minute.<br />
|A bad IP address tries to spray connection requests on one of the popular ports (21, 22, 53, 80, 443, etc.) across multiple IP addresses with the intention of finding which ports are open on which IP addresses. Typically, a scan attempt is the first stage of reconnaissance in the attack life cycle; here the attacker has found an open port on one of the IP addresses and was able to establish a connection.</br></br><br />
It is important to check the reputation of the external IP address and block it if necessary.<br />
It is also important to verify the sanity of affected internal nodes by checking whether any unwarranted system policy change or software configuration/updates have occurred during the affected time period. If required, quarantine the affected servers until the issues are resolved.<br />
|-<br />
|Seqrite utm firewall successful sweep scan activity<br />
|This alert is triggered when the same source IP generates traffic to more than 10 destination IPs and every request is denied, after which the same source IP attempts to connect to one more destination IP and this time connects successfully. All of this happens within 1 minute.<br />
|An attacker tries to spray connection requests on one of the popular ports (21, 22, 53, 80, 443, etc.) across multiple IP addresses with the intention of finding which ports are open on which IP addresses. Typically, a scan attempt is the first stage of reconnaissance in the attack life cycle; here the attacker has also successfully connected to one of the IP addresses.</br></br><br />
It is important to check the reputation of the suspected IP address. <br />
If the suspected IP address is external, you may consider blocking it.<br />
If the suspected IP address is internal, you may need to verify the sanity of the corresponding device.<br />
It is also important to verify the sanity of affected internal nodes by checking whether any unwarranted system policy change or software configuration/updates have occurred during the affected time period. If required, quarantine the affected servers until the issues are resolved.<br />
This may be a false positive. <br />
<br />
<br />
<br />
<br />
|}</div>Dhanashree kulkarnihttp://khika.com/wiki/index.php?title=KHIKA_Apps&diff=3075KHIKA Apps2020-04-07T07:44:13Z<p>Dhanashree kulkarni: </p>
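As an added example (not KHIKA's own code), the scan alert rules and the bad-IP direction rule from the Seqrite UTM alerts table above, re-implemented over constructed events. The event layout, the `BAD_IPS` set (a stand-in for the KHIKA threat-intelligence feed) and the sample lines are all assumptions made for this illustration.

```python
"""Added example, not KHIKA's own code: re-implements the scan and bad-IP alert rules
from the Seqrite UTM alerts table over constructed, simplified firewall events."""
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=1)  # every scan rule in the table says "within 1 minute"
THRESHOLD = 10                 # "more than 10 destination ip" / "more than 10 destination port"
BAD_IPS = {"203.0.113.9", "198.51.100.4"}  # constructed stand-in for the KHIKA TI feed


def parse_event(line):
    """Parse one constructed event: '<ISO time> <src> <dst> <dport> <deny|accept>'.
    This is an assumed, simplified layout, not the real Seqrite UTM syslog format."""
    ts, src, dst, dport, action = line.split()
    return {"ts": datetime.fromisoformat(ts), "src": src, "dst": dst,
            "dport": int(dport), "action": action}


def scan_alerts(events):
    """Evaluate the four scan rules per source IP over every 1-minute window.

    Returns {src: sorted list of alert names}. A rule that fires for a source
    listed in BAD_IPS gets the table's ' by malicious ip' suffix."""
    by_src = defaultdict(list)
    for e in sorted(events, key=lambda ev: ev["ts"]):
        by_src[e["src"]].append(e)
    alerts = defaultdict(set)
    for src, evs in by_src.items():
        suffix = " by malicious ip" if src in BAD_IPS else ""
        for i, first in enumerate(evs):
            window = [e for e in evs[i:] if e["ts"] - first["ts"] <= WINDOW]
            denied = [e for e in window if e["action"] == "deny"]
            accepted = [e for e in window if e["action"] == "accept"]
            if not denied:
                continue
            # sweep scan: one source, more than 10 distinct denied destinations
            if len({e["dst"] for e in denied}) > THRESHOLD:
                alerts[src].add("sweep scan attack" + suffix)
                # successful variant: a later accept from the same source to another destination
                last_deny = max(e["ts"] for e in denied)
                if any(e["ts"] >= last_deny for e in accepted):
                    alerts[src].add("successful sweep scan activity" + suffix)
            # host scan: one source, one destination, more than 10 distinct denied ports
            ports_by_dst = defaultdict(set)
            for e in denied:
                ports_by_dst[e["dst"]].add(e["dport"])
            for dst, ports in ports_by_dst.items():
                if len(ports) > THRESHOLD:
                    alerts[src].add("host scan activity" + suffix)
                    last_deny = max(e["ts"] for e in denied if e["dst"] == dst)
                    if any(e["dst"] == dst and e["ts"] >= last_deny for e in accepted):
                        alerts[src].add("successful host scan activity" + suffix)
    return {src: sorted(names) for src, names in alerts.items()}


def bad_ip_direction(event):
    """Direction rule from the Malicious Communication dashboard note: a bad IP as
    source means inbound, a bad IP as destination means outbound; None if neither."""
    if event["src"] in BAD_IPS:
        return "inbound"
    if event["dst"] in BAD_IPS:
        return "outbound"
    return None


def bad_ip_accepted(events):
    """'communication with possible ioc or bad ip': accepted traffic involving a bad IP."""
    return [(e["src"], e["dst"], bad_ip_direction(e))
            for e in events if e["action"] == "accept" and bad_ip_direction(e)]


def _line(sec, src, dst, dport, action):
    return f"2020-04-07T09:00:{sec:02d} {src} {dst} {dport} {action}"


# Constructed sample: a port-22 sweep that ends with one accept, a single-host port
# probe from a bad IP with no accept, and one internal host talking out to a bad IP.
SAMPLE_LINES = (
    [_line(i, "10.0.0.5", f"10.0.1.{i + 1}", 22, "deny") for i in range(11)]
    + [_line(15, "10.0.0.5", "10.0.1.50", 22, "accept")]
    + [_line(20 + i, "203.0.113.9", "10.0.1.20", 20 + i, "deny") for i in range(11)]
    + [_line(35, "10.0.0.7", "198.51.100.4", 443, "accept")]
)


def run(lines=SAMPLE_LINES):
    """Parse the lines and return (scan alerts per source, accepted bad-IP contacts)."""
    events = [parse_event(ln) for ln in lines]
    return scan_alerts(events), bad_ip_accepted(events)


if __name__ == "__main__":
    scans, bad = run()
    for src, names in scans.items():
        print(src, "->", ", ".join(names))
    for src, dst, direction in bad:
        print(f"accepted traffic with bad IP: {src} -> {dst} ({direction})")
```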
<hr />
<div>The following Apps are currently available in KHIKA. This list will be updated periodically.<br />
<br />
Servers and OS<br><br />
[[KHIKA App for Linux|KHIKA App for Linux]]<br><br />
[[KHIKA App for Windows|KHIKA App for Windows]]<br><br />
[[KHIKA App for Windows AD]]<br><br />
<br />
<br />
Firewalls<br><br />
[[KHIKA App for Sophos Firewall|KHIKA App for Sophos Firewall]]<br><br />
[[KHIKA App for Checkpoint Firewall|KHIKA App for Checkpoint Firewall]]<br><br />
[[KHIKA App for Fortigate Firewall|KHIKA App for Fortigate Firewall]]<br><br />
[[KHIKA App for PaloAlto Firewall|KHIKA App for PaloAlto Firewall]]<br><br />
<br />
<br />
Antivirus<br><br />
[[KHIKA App for Symantec Antivirus|KHIKA App for Symantec Antivirus]]<br><br />
<br />
<br />
Network Devices<br><br />
[[KHIKA App for Cisco Switch|KHIKA App for Cisco Switch]]<br><br />
<br />
<br />
Webservers<br><br />
[[KHIKA App for Apache WebServer|KHIKA App for Apache WebServer]]<br><br />
[[KHIKA App for IIS WebServer|KHIKA App for IIS WebServer]]<br><br />
<br />
<br><br />
<br />
[[Load KHIKA App|Previous]] <br />
<br />
Refer to the next section for [[Getting Data into KHIKA#Importing an Application|Importing newly available KHIKA Apps]]<br />
<br />
[[KHIKA User Guide|<div style='text-align: right;'>Back to Index</div>]]</div>Dhanashree kulkarnihttp://khika.com/wiki/index.php?title=KHIKA_App_for_IIS_WebServer&diff=3074KHIKA App for IIS WebServer2020-04-07T07:42:22Z<p>Dhanashree kulkarni: /* Some suggestions for useful interaction with this dashboard could be : */</p>
<hr />
<div>== Introduction ==<br />
<br />
IIS webserver logs contain valuable information such as each client's activity and communication. KHIKA visual analytics make it simpler to identify and pinpoint where risks are introduced so you can take preventive measures accordingly. The KHIKA App for IIS webserver aims to give you insights into behaviour, errors and traffic.<br />
<br />
With KHIKA App for IIS webserver, you can :<br />
*Monitor hundreds of IIS servers at a central place.<br />
*Monitor and see the http error trends.<br />
*Monitor top n URLs serviced / requested and their statistics.<br />
*See user wise request distribution on your servers<br />
<br />
Below we explain the steps to configure and interpret the output of the KHIKA App for IIS Webserver.<br />
<br />
The key parts to get here are: <br />
#Install the KHIKA App for IIS Webserver<br />
#Get data from your IIS Webserver into KHIKA Aggregator<br />
<br />
== How to Install the KHIKA App for IIS WebServer? ==<br />
<br />
The section assumes that you have already configured KHIKA Data Aggregator in your environment. If not, please read [[Getting Started with KHIKA SaaS#Installing and configuring KHIKA Data Aggregator|how to configure KHIKA Data Aggregator]] and perform the pre-requisite steps.<br />
<br />
This section explains how to pick and install the KHIKA application for IIS Webserver. Installing the application shall put together and activate the adapter (parser) that can handle Windows data format, the dashboards and the alert rules preconfigured. <br />
<br />
Go to “Applications” tab in the “Configure” menu. <br />
<br />
[[File:node.jpg|500px]]<br />
<br />
Check whether the appropriate Workspace is selected.<br />
Note: Application is always loaded in a Workspace. Read the section on [[Accessing the KHIKA Gui#Creating a Workspace|Workspaces]] to know more about KHIKA Workspaces.<br />
Also select your KHIKA aggregator name in the Node dropdown. <br />
This is to ensure that we are collecting data from the desired source and into the correct workspace which is ready with the configured application and components.<br />
<br />
[[File:install_app.jpg|500px]]<br />
<br />
Click on the “+” button next to the IIS WebServer App. A pop up appears.<br />
<br />
[[File:install_app1.jpg|500px]]<br />
<br />
You can now select the contents of the application that you require. For example, click on the dropdown for “Reports” to expand it; the list of all reports is shown. Select the reports you need individually by checking the checkbox next to each, or check the “Select All” option to get all of them. <br />
Similarly, you can select contents from Alerts and Dashboards.<br />
<br />
[[KHIKA Reports|What are KHIKA Reports]]<br />
<br />
[[KHIKA Dashboards|What are KHIKA Dashboards]]<br />
<br />
[[KHIKA Alerts & Correlations|What are KHIKA Alerts]]<br />
<br />
Click “Install” to proceed with the installation of the selected Application. <br />
If you have created multiple IIS webserver workspaces in KHIKA and installed the application previously, you will see the pop-up below. <br />
<br />
[[File:App_alredy.JPG|500px]]<br />
<br />
Click on OK to proceed. If this is not the case, ignore this step. <br />
After successful installation, the following status should be displayed. <br />
<br />
[[File:install_status.jpg|500px]]<br />
<br />
Click on the Close button.<br />
This simple procedure to install a KHIKA App automatically configures the Adapter (required to parse the raw syslog data), the KHIKA reports calculated on the raw data, the Visualizations, the Dashboards and the Alerts, all in one click.<br />
<br />
== How to get your IIS WebServer data into KHIKA? ==<br />
<br />
KHIKA recommends the popular open source OSSEC integration to monitor IIS Webservers. <br />
There are two components in the OSSEC integration with KHIKA: <br />
#OSSEC Agent – installed on each server which we wish to monitor<br />
#OSSEC Server – present on the KHIKA Data Aggregator (which you have installed before)<br />
<br />
The OSSEC agent and server communicate with each other using a unique per-device key for encryption. <br />
The main steps to start getting data from an IIS Webserver are:<br />
#Add the webserver details in KHIKA<br />
#Extract a unique key for this device from KHIKA<br />
#Install the OSSEC agent on the Webserver<br />
#Insert this key in the OSSEC agent (i.e. on the Webserver to be monitored)<br />
#Reload the configuration in KHIKA<br />
#Verify data collection in KHIKA<br />
<br />
Each of these steps is explained in detail in the further sections.<br />
<br />
== Adding the device in KHIKA ==<br />
<br />
Go to the Adapter tab in the “Configure” menu. Click on the “Manage Devices” icon. <br />
<br />
[[File:iis_manage_device_1.jpg|500px]]<br />
<br />
A pop-up appears for device details. <br />
<br />
[[File:Win7.jpg|500px]]<br />
<br />
Click on the “Add / Modify Device” tab. Another pop-up appears for device details.<br />
<br />
[[File:list_device_11.jpg|500px]]<br />
<br />
Enter the expected device name. In the IP address field, enter “any”. <br />
'''Please note: always enter the IP Address as “any”.''' This is the safe and reliable option for establishing the connection: it lets the OSSEC agent connect to the OSSEC Server from any of its configured IP addresses. The device may have multiple NIC cards/IP addresses, and unless we are sure which IP will be used for the connection, the connection will fail. Hence, use “any”. With “any”, the server does not bind the agent to a source IP, so the agent's key alone identifies it; keep that key private.<br />
<br />
Select the appropriate time zone of this device. In the “Node” dropdown, select the name of the Aggregator or local data collector for this device. <br />
Click on Submit. We get a success message and the device is added to this adapter. <br />
<br />
[[File:iis_adding_device.jpg|500px]]<br />
<br />
Finally, go to the Workspace tab and click on the “Apply Configuration” icon.<br />
<br />
[[File:iis_10_1.jpg|500px]]<br />
<br />
We get a confirmation message here too, saying “Changes Applied”.<br />
<br />
== Extract key from KHIKA OSSEC Server ==<br />
<br />
The server is now added to the relevant KHIKA Adapter (the parser for this data type). To see this device entry, click on the “Manage Devices” icon next to the adapter.<br />
<br />
[[File:iis_manage_device_1.jpg|500px]]<br />
<br />
A pop-up with the adapter's device details appears. Select the “List of Devices” tab.<br />
<br />
[[File:iis_12.jpg|500px]]<br />
<br />
Click on the “Get OSSEC Key” icon next to this device. <br />
<br />
[[File:get_ossec_key_1.jpg|500px]]<br />
<br />
[[File:iis_extract_key.jpg|500px]]<br />
<br />
This is the unique key for this device, created by the OSSEC server. Paste this key into the OSSEC agent installed on this Webserver.<br />
<br />
== Installing OSSEC Agent for IIS WebServer ==<br />
<br />
Download the [https://goo.gl/86gRQL Windows OSSEC Agent from here].<br><br />
For an IIS Webserver you will need the Windows installer with the filename '''ossec-win32-agent.zip'''. It works for both 32-bit and 64-bit Windows Server OS versions. Verify the integrity of the downloaded archive (for example against the publisher's checksum) before running it.<br />
<br />
Copy the downloaded installer to your Webserver (using WinSCP or your favourite scp client) and run the installer as the local "Admin" on the server. <br />
Please note: it is extremely important to install the OSSEC agent with admin privileges, as the agent reads the security logs and must be the local Admin to read them successfully.<br />
Select the installer file and press "Run".<br />
<br />
[[File:Win15.jpg|500px]]<br />
<br />
Click Next<br />
<br />
[[File:Win16.jpg|500px]]<br />
<br />
Select "I Agree" and proceed<br />
<br />
[[File:Win17.jpg|500px]]<br />
<br />
Keep the default selection in the next window and click Next<br />
<br />
[[File:Win18.jpg|500px]]<br />
<br />
Enter the location to install the OSSEC agent on the local drive and let the installation complete<br />
<br />
[[File:Win19.jpg|500px]]<br />
<br />
After the installation is complete, verify that the OSSEC HIDS Service is successfully installed on your WebServer (open the Services control panel and check for the OSSEC HIDS Service).<br />
<br />
[[File:Win20.jpg|500px]]<br />
<br />
NOTE: You will have to repeat these steps on each Webserver that you wish to monitor using KHIKA.<br />
<br />
== Insert unique OSSEC key in Windows OSSEC Agent ==<br />
<br />
Perform the following steps on the agent on your Webserver: <br />
In the OSSEC Agent installation directory, run win32ui.exe as Administrator to open the window shown below.<br />
<br />
[[File:Win21.jpg|500px]]<br />
<br />
In the “OSSEC Server IP” field, enter the IP Address of the KHIKA data aggregator or collector node. Paste the copied key (generated by the OSSEC server above) into the "Authentication key" box and click Save. <br />
From the "Manage" drop-down, select "Restart" to restart the OSSEC Agent. Then click on the Refresh button at the bottom, next to Save.<br />
<br />
[[File:Win22.jpg|500px]]<br />
<br />
Wait for a few minutes. Repeat the above steps for all the agents to be added.<br />
<br />
== Reload Configuration ==<br />
<br />
Log in to the KHIKA portal. <br />
*Go to Configure<br />
*Select the workspace, here IIS_WebServer (or whatever you have named your workspace)<br />
*Go to the Node tab<br />
*Click Reload Config<br />
<br />
[[File:reload_conf.jpg|500px]]<br />
<br />
This step restarts the OSSEC Server.<br />
Wait a few minutes for the server to restart.<br />
<br />
== Verifying OSSEC data collection ==<br />
<br />
Once the device is added successfully, we can check its data on the Discover screen. Go to “Discover” from the main menu. <br />
Select the appropriate index. The raw (KHIKA formatted) data of all the Webservers you have added is shown here. <br />
<br />
[[File:Win24.jpg|500px]]<br />
<br />
To see the data for the newly added device, enter the search string in lower case: <br />
tl_src_host : name_of_the_device_added_in_lower_case <br />
and click on the search icon.<br />
<br />
== How to check the output of the KHIKA IIS WebServer App? ==<br />
<br />
=== IIS Webserver Http Error Status Dashboard ===<br />
<br />
This dashboard shows the HTTP status codes for the accessed URLs. It also shows the top 10 most accessed URLs, the server IPs and the HTTP status codes. <br />
<br />
==== Elements in the Dashboard are explained below: ====<br />
<br />
{| class="wikitable"<br />
|+ style="caption-side:bottom; color:#e76700;"|''IIS Webserver Http Error Status Dashboard''<br />
|-<br />
|'''Visualization'''<br />
|'''Description'''<br />
|-<br />
|Server IP wise Status<br />
|X axis : Server IPs<br/>Y axis : HTTP status codes like 200, 400, 404, etc.<br />
|-<br />
|Client IP wise Status<br />
|X axis : Client IPs<br/>Y axis : HTTP status codes like 200, 400, 404, 504, etc.<br />
|-<br />
|Time trend<br />
|Trend of login events over time. Useful to identify unusual spikes at a glance.<br/><br/>X axis : date & time<br/>Y axis : count of events<br />
|-<br />
|Summary Table<br />
|Detailed data with timestamp and count<br />
<br />
|}<br />
<br />
==== Some suggestions for useful interaction with this dashboard could be: ====<br />
<br />
#In the graph "Server IP wise Status", click and select any one server IP. This isolates the status codes and URLs accessed for the selected server IP and is reflected across the dashboard, i.e. the other pie charts, time trends and summary table show filtered information for this server IP only.<br />
#Alternatively, in the graph "Client IP wise Status", click and select any one client IP. This isolates the status codes and URLs accessed for the selected client IP and is reflected across the dashboard.<br />
<br />
=== IIS Webserver Top N URL Dashboard ===<br />
<br />
This dashboard shows the top N requested URLs and their details, including the domain and the top hits on each server. <br />
<br />
==== Elements in the Dashboard are explained below: ====<br />
<br />
{| class="wikitable"<br />
|+ style="caption-side:bottom; color:#e76700;"|''IIS Webserver Top N URL Dashboard''<br />
|-<br />
|'''Visualization'''<br />
|'''Description'''<br />
|-<br />
|Contribution of URL<br />
|This pie chart shows the different URLs accessed, by server.<br />
|-<br />
|Server Name wise Hits<br />
|X axis : Server names<br/>Y axis : Count of request hits for each server.<br />
|-<br />
|Time trend<br />
|Trend of login events over time. Useful to identify unusual spikes at a glance.<br/><br/>X axis : date & time<br/>Y axis : count of events<br />
|-<br />
|Contribution of Domain<br />
|This pie chart shows the different domains requested.<br />
|-<br />
|Summary Table<br />
|Detailed data with timestamp and count<br />
<br />
|}<br />
<br />
==== Some suggestions for useful interaction with this dashboard could be: ====<br />
<br />
#In the pie chart "Contribution of URL", select any one URL. The dashboard then shows the number of hits, the server names and the domain for the selected URL, making it easier to drill down and analyse. <br />
#In the "Contribution of Domain" pie, click on any one domain. A filter is applied on the selected domain and the rest of the elements on the dashboard show data for that domain only, such as its URLs and server names.<br />
<br />
=== IIS Webserver Total Requests Per User Dashboard ===<br />
<br />
This dashboard shows detailed information about users and the URLs they requested.<br />
<br />
==== Elements in the Dashboard are explained below: ====<br />
<br />
{| class="wikitable"<br />
|+ style="caption-side:bottom; color:#e76700;"|''IIS Webserver Total Requests Per User Dashboard''<br />
|-<br />
|'''Visualization'''<br />
|'''Description'''<br />
|-<br />
|Contribution of Server Name<br />
|This pie chart shows the contribution of each server.<br />
|-<br />
|User wise Request<br />
|X axis : Users<br/>Y axis : Count of request hits for each user.<br />
|-<br />
|Time trend<br />
|Trend of login events over time. Useful to identify unusual spikes at a glance.<br/><br/>X axis : date & time<br/>Y axis : count of events<br />
|-<br />
|Summary Table<br />
|Detailed data with timestamp and count<br />
<br />
|}<br />
<br />
==== Some suggestions for useful interaction with this dashboard could be: ====<br />
<br />
#In the graph "User wise Request", click and select any one user. This isolates the request hits for the selected user and is reflected across the dashboard, i.e. the other pie charts, time trends and summary tables show filtered information for this user only.<br />
#In the pie "Contribution of Server Name", click and select any one server name. This isolates the users and request hits for that server name and is reflected across the dashboard.<br />
<br />
=== IIS Webserver Traffic Categorization Dashboard ===<br />
<br />
This dashboard shows the traffic categorization, such as DIRECT or REFERRED. It also shows the category per server IP, the top URLs and the servers.<br />
<br />
==== Elements in the Dashboard are explained below: ====<br />
<br />
{| class="wikitable"<br />
|+ style="caption-side:bottom; color:#e76700;"|''IIS Webserver Traffic Categorization Dashboard''<br />
|-<br />
|'''Visualization'''<br />
|'''Description'''<br />
|-<br />
|Server IP wise Category<br />
|X axis : Server IPs<br/>Y axis : Count per category.<br />
|-<br />
|Client IP wise Referrer<br />
|X axis : Client IPs<br/>Y axis : Count per referrer.<br />
|-<br />
|Contribution of URL<br />
|This pie chart shows the contribution of the different URLs.<br />
|-<br />
|Contribution of Category<br />
|This pie chart shows the contribution of each category.<br />
|-<br />
|Contribution of Referrer<br />
|This pie chart shows the contribution of each referrer.<br />
|-<br />
|Time trend<br />
|Trend of login events over time. Useful to identify unusual spikes at a glance.<br/><br/>X axis : date & time <br/>Y axis : count of events<br />
|-<br />
|Summary Table<br />
|Detailed data with timestamp and count<br />
<br />
|}<br />
<br />
==== Some suggestions for useful interaction with this dashboard could be: ====<br />
<br />
#In the bar graph "Server IP wise Category", select any one server IP. This isolates the category and its count for the selected server IP, as well as the domains and accessed URLs for that server IP, across the dashboard, i.e. the other pie charts, time trends and summary table show filtered information for this server IP only. <br />
#Conversely, in the bar graph "Client IP wise Referrer", click on any one client IP to select it; the rest of the elements on the dashboard then show data for that client IP only.<br />
<br />
=== IIS Webserver Top N Referrers Dashboard ===<br />
<br />
This dashboard shows the top referrers, along with the domain details and the top hits on each server.<br />
<br />
==== Elements in the Dashboard are explained below: ====<br />
<br />
{| class="wikitable"<br />
|+ style="caption-side:bottom; color:#e76700;"|''IIS Webserver Top N Referrers Dashboard''<br />
|-<br />
|'''Visualization'''<br />
|'''Description'''<br />
|-<br />
|Contribution of Domain<br />
|This pie chart shows the contribution of the different domains.<br />
|-<br />
|Server Name wise Hits<br />
|X axis : Server Names<br/>Y axis : Hits per server name.<br />
|-<br />
|Contribution of Referrer<br />
|This pie chart shows the contribution of the different referrers.<br />
|-<br />
|Time trend<br />
|Trend of login events over time. Useful to identify unusual spikes at a glance.<br/><br/>X axis : date & time<br/>Y axis : count of events<br />
|-<br />
|Summary Table<br />
|Detailed data with timestamp and count<br />
<br />
|}<br />
<br />
==== Some suggestions for useful interaction with this dashboard could be: ====<br />
<br />
#In the pie chart "Contribution of Referrer", select any one referrer. This isolates the count of request hits for the selected referrer and shows the domain and server name for it across the dashboard, i.e. the other pie charts, time trends and summary table show filtered information for this referrer only. <br />
#Conversely, in the "Contribution of Domain" pie, click on any one domain to select it; the rest of the elements on the dashboard then show data for that domain only.<br />
<br />
=== IIS Webserver Referrer Detail Dashboard ===<br />
<br />
This dashboard shows referrer details. It also shows the top URLs, referrers and client IPs for each requested URL and server IP.<br />
<br />
==== Elements in the Dashboard are explained below: ====<br />
<br />
{| class="wikitable"<br />
|+ style="caption-side:bottom; color:#e76700;"|''IIS Webserver Referrer Detail Dashboard''<br />
|-<br />
|'''Visualization'''<br />
|'''Description'''<br />
|-<br />
|Contribution of Referrer<br />
|This pie chart shows the contribution of the different referrers.<br />
|-<br />
|Contribution of URL<br />
|This pie chart shows the contribution of the different URLs.<br />
|-<br />
| Server IP wise Hits<br />
|X axis : Server IP<br/>Y axis : Count of request hits for that Server IP.<br />
|-<br />
| Client IP wise Hits<br />
|X axis : Client IP<br/>Y axis : Count of request hits for that Client IP.<br />
|-<br />
|Time trend<br />
|Trend of login events over time. Useful to identify unusual spikes at a glance.<br/><br/>X axis : date & time<br/>Y axis : count of events<br />
|-<br />
|Summary Table<br />
|Detailed data with timestamp and count<br />
<br />
|}<br />
<br />
==== Some suggestions for useful interaction with this dashboard could be: ====<br />
<br />
#In the pie chart "Contribution of Referrer", click and select any one referrer type. This isolates the count of hits for the selected type and shows the server IPs and accessed URLs for that referrer type across the dashboard, i.e. the other pie charts, time trends and summary table show filtered information for this referrer type only.<br />
#Alternatively, in the graph "Client IP wise Hits", click and select any one client IP. This isolates the request hits and shows the referrers and accessed URLs for that client IP across the dashboard.<br />
<br />
=== IIS webserver loading delays Dashboard ===<br />
<br />
This dashboard shows the total and average time taken per accessed URI and server IP.<br />
<br />
==== Elements in the Dashboard are explained below: ====<br />
<br />
{| class="wikitable"<br />
|+ style="caption-side:bottom; color:#e76700;"|''IIS webserver loading delays Dashboard''<br />
|-<br />
|'''Visualization'''<br />
|'''Description'''<br />
|-<br />
|URL wise Total Time<br />
|X axis : URLs<br/>Y axis : Total time taken and count of the most expensive requests for each URL.<br />
|-<br />
|Server IP Hits<br />
|X axis : Server IP<br/>Y axis : Count of request hits for that Server IP.<br />
|-<br />
| Contribution of Server IP<br />
|This pie chart shows the contribution of each server IP.<br />
|-<br />
|Time trend<br />
|Trend of login events over time. Useful to identify unusual spikes at a glance.<br/><br/>X axis : date & time<br/>Y axis : count of events<br />
|-<br />
|Summary Table<br />
|Detailed data with timestamp and count<br />
<br />
|}<br />
<br />
==== Some suggestions for useful interaction with this dashboard could be: ====<br />
<br />
#In the bar graph "URL wise Total Time", click and select any one URL. The rest of the dashboard then shows the total time taken and the count of the most expensive requests for the selected URL, i.e. the other pie charts, time trends and summary table show filtered information for this URL only.<br />
#Alternatively, in the bar graph "Server IP Hits", click and select any one server IP; the rest of the elements on the dashboard then show data for that server IP only.<br />
<br />
=== IIS Webserver Avg Qtime Dashboard ===<br />
<br />
This dashboard shows the average time taken by each accessed URL and its query. <br />
<br />
==== Elements in the Dashboard are explained below: ====<br />
<br />
{| class="wikitable"<br />
|+ style="caption-side:bottom; color:#e76700;"|''IIS Webserver Avg Qtime Dashboard''<br />
|-<br />
|'''Visualization'''<br />
|'''Description'''<br />
|-<br />
|URL wise Hits<br />
|X axis : URL names<br/>Y axis : Count of request hits for each URL.<br />
|-<br />
|Server IP Hits<br />
|X axis : Server IP<br/>Y axis : Count of request hits for that Server IP.<br />
|-<br />
| Contribution of Query<br />
|This pie chart shows the contribution of the different queries.<br />
|-<br />
|Time trend<br />
|Trend of login events over time. Useful to identify unusual spikes at a glance.<br/><br/>X axis : date & time<br/>Y axis : count of events<br />
|-<br />
|Summary Table<br />
|Detailed data with timestamp and count<br />
<br />
|}<br />
<br />
==== Some suggestions for useful interaction with this dashboard could be: ====<br />
<br />
#In the pie chart "Contribution of Query", select any one query. This isolates the count of hits and the server IPs for the selected query across the dashboard. <br />
#In the bar graph "URL wise Hits", select any one URL. This isolates the count of request hits, the queries and the server names for the selected URL across the dashboard, i.e. the other pie charts, time trends and summary table show filtered information for this URL only.<br />
<br />
=== KHIKA Alerts for IIS WebServer ===<br />
<br />
Alerts are generated in real time when certain critical behaviour is observed in the system. They are shown on the Alerts Dashboard in KHIKA and can also be sent by email to the relevant stakeholders. The details of KHIKA Alerts are mentioned here. <br />
Click on “Alert Dashboard” in the left menu.<br />
Certain alerts for Windows are pre-canned and shipped with KHIKA, keeping in mind the requirements of the users. They are listed in the table below:<br />
<br />
==== Alerts Description ====<br />
<br />
{| class="wikitable"<br />
|+ style="caption-side:bottom; color:#e76700;"|''Alert Details Table''<br />
|-<br />
|'''Alert Name'''<br />
|'''Description'''<br />
|'''Suggested Resolution'''<br />
|-<br />
|IIS communication with possible IOC or bad IP<br />
|This alert is triggered when malicious/bad IPs try to communicate with the IIS Webserver.<br />
|KHIKA shares community based threat intelligence (TI) every 24 hours. The TI has a list of IP addresses with bad reputation. Every bad IP is marked with the number of communities reporting it, the name of each community and a confidence score indicating how confident we are about the reputation. This alert is generated when communication with a bad IP is let through.<br />
If communication with a bad IP is happening, it must be blocked immediately as it could be a possible attack or data exfiltration. <br />
You can check how long this communication has been happening by simply searching for the malicious IP in the logs. You can also check which internal IP addresses are communicating with this IP address and track the real users behind those internal IP addresses.<br />
Cross-check the reputation of the IP with popular websites such as ipvoid.com and virustotal.com.<br />
If you see an internal IP constantly getting involved in malicious communication (with the same or multiple external IP addresses), you may install agents on the internal nodes involved and check the real user and process responsible for this communication.<br />
It is critical to block this rogue communication.<br />
|-<br />
|IIS dangerous content posted to webserver, files with executable extensions<br />
|This alert is triggered when a client posts dangerous files to the webserver within one minute.<br />
|Dangerous content has been posted to the webserver: a client has posted potentially dangerous files such as executables, scripts, shared objects, etc.<br />
Kindly check the upload activity of the user and verify the uploaded content for policy violation.<br />
|-<br />
|IIS multiple errors for same URL when it is not accessible<br />
|This alert is triggered when a client tries to access an invalid/unauthorized URL and gets multiple errors such as 404, 405, etc. within one minute.<br />
|Multiple errors are returned for the same URL.<br />
This kind of alert may occur due to an incorrect application URL, e.g. a user trying to access an invalid/non-authorized URL.<br />
Kindly check the legitimacy of the requesting users.<br />
|}</div>Dhanashree kulkarnihttp://khika.com/wiki/index.php?title=KHIKA_App_for_IIS_WebServer&diff=3073KHIKA App for IIS WebServer2020-04-07T07:38:51Z<p>Dhanashree kulkarni: /* IIS webserver loading delays Dashboard */</p>
<hr />
<div>== Introduction ==<br />
<br />
IIS webserver logs contain valuable information such as each client's activity and communication. KHIKA visual analytics make it simpler to identify and pinpoint where risks are introduced, so you can take preventive measures accordingly. The KHIKA app for IIS webserver aims to give you insights into behaviour, errors and traffic.<br />
<br />
With the KHIKA App for IIS webserver, you can:<br />
*Monitor hundreds of IIS servers from a central place.<br />
*Monitor HTTP error trends.<br />
*Monitor the top N URLs serviced/requested and their statistics.<br />
*See the user wise request distribution on your servers.<br />
<br />
We explain below, steps to configure and interpret the output of KHIKA App for IIS Webserver.<br />
<br />
The key parts to get here are: <br />
#Install the KHIKA App for IIS Webserver<br />
#Get data from your IIS Webserver into KHIKA Aggregator<br />
<br />
== How to Install the KHIKA App for IIS WebServer? ==<br />
<br />
The section assumes that you have already configured KHIKA Data Aggregator in your environment. If not, please read [[Getting Started with KHIKA SaaS#Installing and configuring KHIKA Data Aggregator|how to configure KHIKA Data Aggregator]] and perform the pre-requisite steps.<br />
<br />
This section explains how to pick and install the KHIKA application for IIS Webserver. Installing the application shall put together and activate the adapter (parser) that can handle Windows data format, the dashboards and the alert rules preconfigured. <br />
<br />
Go to “Applications” tab in the “Configure” menu. <br />
<br />
[[File:node.jpg|500px]]<br />
<br />
Check whether the appropriate Workspace is selected.<br />
Note: Application is always loaded in a Workspace. Read the section on [[Accessing the KHIKA Gui#Creating a Workspace|Workspaces]] to know more about KHIKA Workspaces.<br />
Also select your KHIKA aggregator name in the Node dropdown. <br />
This is to ensure that we are collecting data from the desired source and into the correct workspace which is ready with the configured application and components.<br />
<br />
[[File:install_app.jpg|500px]]<br />
<br />
Click on the “+” button next to the IIS WebServer App. A pop up appears.<br />
<br />
[[File:install_app1.jpg|500px]]<br />
<br />
Users can now select the contents of the application required. For example, on the dropdown for “Reports”, click to expand it. List of all reports can be seen. User can individually select the reports required by checking on the checkbox next to each. Alternatively, check on “Select All” option to get all of them. <br />
Similarly you can select contents from Alerts and Dashboards.</br><br />
<br />
[[KHIKA Reports|What are KHIKA Reports]]</br><br />
<br />
[[KHIKA Dashboards|What are KHIKA Dashboards]]</br><br />
<br />
[[KHIKA Alerts & Correlations|What are KHIKA Alerts]]</br><br />
<br />
Click “Install” to proceed with the installation of the selected Application. <br />
If you have created multiple IIS webserver workspaces in KHIKA, and installed the previously, you will get below pop up. <br />
<br />
[[File:App_alredy.JPG|500px]]<br />
<br />
Click on OK to proceed. If this is not the case, ignore this step. <br />
After successful installation, following status should be displayed. <br />
<br />
[[File:install_status.jpg|500px]]<br />
<br />
Click on Close button.<br />
This simple procedure to install a KHIKA App, automatically configures the Adapter (required for parsing the data from raw syslogs), calculated KHIKA reports on raw data, Visualizations, Dashboards and Alerts – all in one click.<br />
<br />
== How to get your IIS WebServer data into KHIKA ? ==<br />
<br />
KHIKA recommends, popular open source OSSEC integration to monitor the IIS Webservers. <br />
There are 2 components in OSSEC Integration with KHIKA. <br />
#OSSEC Agent – Installed on each server which we wish to monitor<br />
#OSSEC Server – Present on KHIKA Data Aggregator (which you have installed before)<br />
<br />
The OSSEC agent and server communicate with each other using a unique key for encryption. <br />
The main steps to start getting data from a IIS Webserver are :<br />
#Add the webserver details in KHIKA<br />
#Extract a unique key for this device from KHIKA<br />
#Installing Ossec Agent on Webserver<br />
#Insert this key in the Ossec agent (ie. on your Webserver to be monitored)<br />
#Reload Configuration in KHIKA<br />
#Verify data collection in KHIKA<br />
<br />
Each of these steps is explained in detail in the further sections.<br />
<br />
== Adding the device in the KHIKA ==<br />
<br />
Go to Adapter tab, from the “Configure” menu. Click on the “Manage Devices” icon. <br />
<br />
[[File:iis_manage_device_1.jpg|500px]]<br />
<br />
Pop up appears for device details <br />
<br />
[[File:Win7.jpg|500px]]<br />
<br />
Click on “Add / Modify Device” tab. Another pop up appears for device details.<br />
<br />
[[File:list_device_11.jpg|500px]]<br />
<br />
Enter the expected device name. Also, in the field for IP address, enter “any”. <br />
'''Please note : Always enter the IP Address as “any”.''' This is a safe and sure option to establish a connection with the server where we are suggesting ossec agent to use “any” of its configured IPs to be used to connect with the OSSEC Server. The device may have multiple NIC cards/IP addresses and unless we are sure of what IP will be used for connection, the connect will fail. Hence, use “any”<br />
<br />
Select appropriate time zone of this device. In the “Node” field dropdown, select the name of the Aggregator or local data collector for this device. <br />
Click on Submit. We get a success message and device is added successfully to this adaptor. <br />
<br />
[[File:iis_adding_device.jpg|500px]]<br />
<br />
Finally, go to Workspace tab and click on “Apply Configuration” icon.<br />
<br />
[[File:iis_10_1.jpg|500px]]<br />
<br />
We get a confirmation message here too, saying, “Changes Applied”<br />
<br />
== Extract key from KHIKA OSSEC Server ==<br />
<br />
Now the expected server is added in the relevant KHIKA Adapter or parser that will parse this data type. To see this device entry, click on “Manage Devices” icon next to the adaptor .<br />
<br />
[[File:iis_manage_device_1.jpg|500px]]<br />
<br />
A pop up with device details of the adaptor appears. Select “List of Devices” tab.<br />
<br />
[[File:iis_12.jpg|500px]]<br />
<br />
Click on the “Get OSSEC Key” icon next to this device. <br />
<br />
[[File:get_ossec_key_1.jpg|500px]]<br />
<br />
[[File:iis_extract_key.jpg|500px]]<br />
<br />
This is the unique key for this device created by the OSSEC server. Paste this key in the Ossec agent which is installed on this Webserver.<br />
<br />
== Installing OSSEC Agent for IIS WebServer ==<br />
<br />
Download [https://goo.gl/86gRQL Windows Ossec Agent from here].<br><br />
For IIS Webserver you will need to select the Windows installer with filename '''ossec-win32-agent.zip'''. This works for both 32-bit and 64-bit windows servers OS versions.<br />
<br />
Copy the downloaded installer on your Webserver (using winscp or your favourite scp client) and run installer with local "Admin" on the Server. <br />
Please Note : It is extremely important to install the OSSEC agent with admin privileges as this agent reads the security logs and in order to read it successfully, it has to be the local Admin.<br />
Select the installer file and Press "Run"<br />
<br />
[[File:Win15.jpg|500px]]<br />
<br />
Click Next<br />
<br />
[[File:Win16.jpg|500px]]<br />
<br />
Select "I Agree" and proceed<br />
<br />
[[File:Win17.jpg|500px]]<br />
<br />
Keep the default selection in the next window and click Next<br />
<br />
[[File:Win18.jpg|500px]]<br />
<br />
Enter the location to install the OSSEC agent on the local drive and let the installation complete<br />
<br />
[[File:Win19.jpg|500px]]<br />
<br />
After the installation is complete, verify that the OSSEC HIDS service is installed on your Webserver (open the Services control panel and look for "OSSEC HIDS").<br />
<br />
[[File:Win20.jpg|500px]]<br />
<br />
NOTE :- Repeat these steps on each Webserver that you wish to monitor using KHIKA.<br />
<br />
== Insert unique OSSEC key in Windows OSSEC Agent ==<br />
<br />
Perform the following steps on the agent on your Webserver:<br />
In the OSSEC Agent installation directory, run win32ui.exe as Administrator. A window as shown below opens.<br />
<br />
[[File:Win21.jpg|500px]]<br />
<br />
In the “OSSEC Server IP” field, enter the IP address of the KHIKA data aggregator or collector node, paste the key copied above (generated by the OSSEC server) into the "Authentication key" box and click Save.<br />
From the "Manage" drop-down, select "Restart" to restart the OSSEC agent, then click the Refresh button at the bottom, next to Save.<br />
<br />
[[File:Win22.jpg|500px]]<br />
<br />
Wait for a few minutes. Repeat the steps above for every agent to be added.<br />
<br />
== Reload Configuration ==<br />
<br />
Log in to the KHIKA portal.<br />
*Go to Configure<br />
*Select workspace, here IIS_WebServer (or whatever you have named your workspace)<br />
*Go to Node Tab <br />
*Click Reload Config<br />
<br />
[[File:reload_conf.jpg|500px]]<br />
<br />
This step restarts the OSSEC server.<br />
Wait a few minutes for the server to restart.<br />
<br />
== Verifying OSSEC data collection ==<br />
<br />
Once the device is added successfully, you can check its data on the Discover screen. Go to “Discover” from the main menu.<br />
Select the appropriate index. The raw (KHIKA-formatted) data of all the Webservers you added is shown here.<br />
<br />
[[File:Win24.jpg|500px]]<br />
<br />
To see the data for the newly added device, enter the search string in lower case –<br />
tl_src_host : name_of_the_device_added_in_lower_case <br />
and click on the search icon.<br />
<br />
== How to check the output of KHIKA IIS WebServer App ? ==<br />
<br />
<br />
=== IIS Webserver Http Error Status Dashboard ===<br />
<br />
This dashboard shows the HTTP status codes returned for accessed URLs. It also shows the top 10 most accessed URLs, the server IPs and the HTTP status codes.<br />
<br />
==== Elements in the Dashboard are explained below : ====<br />
<br />
{| class="wikitable"<br />
|+ style="caption-side:bottom; color:#e76700;"|''IIS Webserver Http Error Status Dashboard''<br />
|-<br />
|'''Visualization'''<br />
|'''Description'''<br />
|-<br />
|Server IP wise Status<br />
|X axis : Server IPs<br/> Y axis : Server IP status codes like 200,400,404, etc.<br />
|-<br />
|Client IP wise Status<br />
|X axis : Client IPs<br/> Y axis : Client IP status code like 200,400,404,504, etc.<br />
|-<br />
|Time trend<br />
|Trend of login events over time. Useful to identify unusual spikes at a glance.<br/><br/>X axis : date & time<br/>Y axis : count of events<br />
|-<br />
|Summary Table<br />
|Detailed data with timestamp and count<br />
<br />
|}<br />
<br />
==== Some suggestions for useful interaction with this dashboard could be : ====<br />
<br />
#In the graph "Server IP wise Status", click on any one server IP to select it. This isolates the status codes and URLs accessed for the selected server IP across the dashboard, i.e. the other pie charts, time trends and summary table show filtered information for this server IP only.<br />
#Alternatively, in the graph "Client IP wise Status", click on any one client IP to select it. This isolates the status codes and URLs accessed for the selected client IP across the dashboard.<br />
<br />
=== IIS Webserver Top N URL Dashboard ===<br />
<br />
This dashboard shows the top N requested URLs and their details, including the domains and the top hits per server.<br />
<br />
==== Elements in the Dashboard are explained below : ====<br />
<br />
{| class="wikitable"<br />
|+ style="caption-side:bottom; color:#e76700;"|''IIS Webserver Top N URL Dashboard''<br />
|-<br />
|'''Visualization'''<br />
|'''Description'''<br />
|-<br />
|Contribution of URL<br />
|This pie chart shows different URLs accessed by server.<br />
|-<br />
|Server Name wise Hits<br />
|X axis : Names of Server<br/>Y axis : Count of such request hits for each server.<br />
|-<br />
|Time trend<br />
|Trend of login events over time. Useful to identify unusual spikes at a glance.<br/><br/>X axis : date & time<br/>Y axis : count of events<br />
|-<br />
|Contribution of Domain<br />
|This pie chart shows different types of domain.<br />
|-<br />
|Summary Table<br />
|Detailed data with timestamp and count<br />
<br />
|}<br />
<br />
==== Some suggestions for useful interaction with this dashboard could be : ====<br />
<br />
#On the pie chart "Contribution of URL", select any one URL. The number of hits for that URL, and the server names and domain for it, are then shown across the dashboard, making it easier to drill down and analyse.<br />
#In the "Contribution of Domain" pie, click on any one domain. A filter is applied for the selected domain, and the rest of the elements on the dashboard then show data for that domain only, such as its URLs and server names.<br />
<br />
=== IIS Webserver Total Requests Per User Dashboard ===<br />
<br />
This dashboard shows detailed information about users and the URLs they requested.<br />
<br />
==== Elements in the Dashboard are explained below : ====<br />
<br />
{| class="wikitable"<br />
|+ style="caption-side:bottom; color:#e76700;"|''IIS Webserver Total Request Per User Dashboard''<br />
|-<br />
|'''Visualization'''<br />
|'''Description'''<br />
|-<br />
|Contribution of Server Name<br />
|This pie chart shows contribution of servers.<br />
|-<br />
|User wise Request<br />
|X axis : one or more user<br/>Y axis : Count of request hits for that user.<br />
|-<br />
|Time trend<br />
|Trend of login events over time. Useful to identify unusual spikes at a glance.<br/><br/>X axis : date & time<br/>Y axis : count of events<br />
|-<br />
|Summary Table<br />
|Detailed data with timestamp and count<br />
<br />
|}<br />
<br />
==== Some suggestions for useful interaction with this dashboard could be : ====<br />
<br />
#In the graph "User wise Request", click on any one user to select it. This isolates the request hits for the selected user across the dashboard, i.e. the other pie charts, time trends and summary tables show filtered information for this user only.<br />
#In the pie "Contribution of Server Name", click on any one server name to select it. This isolates the users and request hits for that server name across the dashboard.<br />
<br />
=== IIS Webserver Traffic Categorization Dashboard ===<br />
<br />
This dashboard categorizes traffic as DIRECT or REFERRED. It also shows the category per server IP, the top URLs and the servers.<br />
<br />
==== Elements in the Dashboard are explained below : ====<br />
<br />
{| class="wikitable"<br />
|+ style="caption-side:bottom; color:#e76700;"|''IIS Webserver Traffic Categorization Dashboard''<br />
|-<br />
|'''Visualization'''<br />
|'''Description'''<br />
|-<br />
|Server IP wise Category<br />
|X axis : Server IPs<br/> Y axis : count of Category.<br />
|-<br />
|Client IP wise Referrer<br />
|X axis : Client IPs<br/> Y axis : count of Referrer.<br />
|-<br />
|Contribution of URL<br />
|This pie chart shows contribution of different types of URL <br />
|-<br />
|Contribution of Category<br />
|This pie chart shows contribution of different types of Category.<br />
|-<br />
|Contribution of Referrer<br />
|This pie chart shows contribution of different types of Referrer.<br />
|-<br />
|Time trend<br />
|Trend of login events over time. Useful to identify unusual spikes at a glance.<br/><br/>X axis : date & time <br/>Y axis : count of events<br />
|-<br />
|Summary Table<br />
|Detailed data with timestamp and count<br />
<br />
|}<br />
<br />
==== Some suggestions for useful interaction with this dashboard could be : ====<br />
#On the bar graph "Server IP wise Category", select any one server IP. This isolates the categories and their counts for the selected server IP, as well as the domains and URLs accessed on it, across the dashboard, i.e. the other pie charts, time trends and summary table show filtered information for this server IP only.<br />
#Inversely, in the bar graph "Client IP wise Referrer", click on any one client IP to select it; the rest of the elements on the dashboard then show data for that client IP only.<br />
<br />
=== IIS Webserver Top N Referrers Dashboard ===<br />
<br />
This dashboard shows the top referrers, along with the domain details and the top hits per server.<br />
<br />
==== Elements in the Dashboard are explained below : ====<br />
<br />
{| class="wikitable"<br />
|+ style="caption-side:bottom; color:#e76700;"|''IIS Webserver Top N Referrers Dashboard''<br />
|-<br />
|'''Visualization'''<br />
|'''Description'''<br />
|-<br />
|Contribution of Domain<br />
|This pie chart shows contribution of different types of Domain.<br />
|-<br />
|Server Name wise Hits<br />
|X axis : Server Names<br/> Y axis :Server name wise hits.<br />
|-<br />
|Contribution of Referrer<br />
|This pie chart shows contribution of different types of Referrers.<br />
|-<br />
|Time trend<br />
|Trend of login events over time. Useful to identify unusual spikes at a glance.<br/><br/>X axis : date & time<br/>Y axis : count of events<br />
|-<br />
|Summary Table<br />
|Detailed data with timestamp and count<br />
<br />
|}<br />
<br />
==== Some suggestions for useful interaction with this dashboard could be : ====<br />
<br />
#In the "Contribution of Referrer" chart, select any one referrer. This isolates the count of request hits for the selected referrer and shows its domain and server name across the dashboard, i.e. the other pie charts, time trends and summary table show filtered information for this referrer only.<br />
#Inversely, in the "Contribution of Domain" pie, click on any one domain to select it; the rest of the elements on the dashboard then show data for that domain only.<br />
<br />
=== IIS Webserver Referrer Detail Dashboard ===<br />
<br />
This dashboard shows referrer details: the top URLs, referrers and client IPs involved in requests for any URL and server IP.<br />
<br />
==== Elements in the Dashboard are explained below : ====<br />
<br />
{| class="wikitable"<br />
|+ style="caption-side:bottom; color:#e76700;"|''IIS Webserver Referrer Detail Dashboard''<br />
|-<br />
|'''Visualization'''<br />
|'''Description'''<br />
|-<br />
|Contribution of Referrer<br />
|This pie chart shows contribution of different Referrers.<br />
|-<br />
|Contribution of URL<br />
|This pie chart shows contribution of different URLs .<br />
|-<br />
| Server IP wise Hits<br />
|X axis : Server IP<br/>Y axis : Count of request hits for that Server IP.<br />
|-<br />
| Client IP wise Hits<br />
|X axis : Client IP<br/>Y axis : Count of request hits for that Client IP.<br />
|-<br />
|Time trend<br />
|Trend of login events over time. Useful to identify unusual spikes at a glance.<br/><br/>X axis : date & time<br/>Y axis : count of events<br />
|-<br />
|Summary Table<br />
|Detailed data with timestamp and count<br />
<br />
|}<br />
<br />
==== Some suggestions for useful interaction with this dashboard could be : ====<br />
<br />
#In the pie chart "Contribution of Referrer", click on any one referrer type to select it. This isolates the count of hits for the selected type and shows the server IPs and accessed URLs for that referrer type across the dashboard, i.e. the other pie charts, time trends and summary table show filtered information for this referrer type only.<br />
#Alternatively, in the graph "Client IP wise Hits", click on any one client IP to select it. This isolates the request hits and shows the referrers and accessed URLs for that client IP across the dashboard.<br />
<br />
=== IIS webserver loading delays Dashboard ===<br />
<br />
This dashboard shows the total and average time taken for each accessed URI and server IP.<br />
<br />
==== Elements in the Dashboard are explained below : ====<br />
<br />
{| class="wikitable"<br />
|+ style="caption-side:bottom; color:#e76700;"|''IIS webserver loading delays Dashboard ''<br />
|-<br />
|'''Visualization'''<br />
|'''Description'''<br />
|-<br />
|URL wise Total Time<br />
|X axis : URL's<br/>Y axis : Total time required and count of most expensive request for particular URL.<br />
|-<br />
|Server IP Hits<br />
|X axis : Server IP<br/>Y axis : Count of request hits for that Server IP.<br />
|-<br />
| Contribution of Server IP<br />
|This pie chart shows contribution of different types of server IP.<br />
|-<br />
|Time trend<br />
|Trend of login events over time. Useful to identify unusual spikes at a glance.<br/><br/>X axis : date & time<br/>Y axis : count of events<br />
|-<br />
|Summary Table<br />
|Detailed data with timestamp and count<br />
<br />
|}<br />
<br />
==== Some suggestions for useful interaction with this dashboard could be : ====<br />
<br />
#In the bar graph "URL wise Total Time", click on any one URL to select it. The rest of the dashboard then shows the total time required for the selected URL and the count of its most expensive requests, i.e. the other pie charts, time trends and summary table show filtered information for this URL only.<br />
#Alternatively, in the bar graph "Server IP Hits", click on any one server IP to select it; the rest of the elements on the dashboard then show data for that server IP only.<br />
<br />
=== IIS Webserver Avg Qtime Dashboard ===<br />
<br />
This dashboard shows the average time taken by each accessed URL and its query.<br />
<br />
==== Elements in the Dashboard are explained below : ====<br />
<br />
{| class="wikitable"<br />
|+ style="caption-side:bottom; color:#e76700;"|''IIS Webserver Avg Qtime Dashboard ''<br />
|-<br />
|'''Visualization'''<br />
|'''Description'''<br />
|-<br />
|URL wise Hits<br />
|X axis :Name of URL's<br/>Y axis : Count of request hits for that URL.<br />
|-<br />
|Server IP Hits<br />
|X axis : ServerIP<br/>Y axis : Count of request hits for that Server IP.<br />
|-<br />
| Contribution of Query<br />
|This pie chart shows contribution of different types of Query.<br />
|-<br />
|Time trend<br />
|Trend of login events over time. Useful to identify unusual spikes at a glance.<br/><br/>X axis : date & time<br/>Y axis : count of events<br />
|-<br />
|Summary Table<br />
|Detailed data with timestamp and count<br />
<br />
|}<br />
<br />
==== Some suggestions for useful interaction with this dashboard could be : ====<br />
<br />
#In the pie chart "Contribution of Query", select any one top query. This isolates the count of hits for the selected query and the server IPs it was sent to across the dashboard.<br />
#In the bar graph "URL wise Hits", select any one URL. This isolates the count of request hits for the selected URL, along with its queries and server names, across the dashboard, i.e. the other pie charts, time trends and summary table show filtered information for this URL only.<br />
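The dashboards above and the pre-canned alerts in the next section are all derived from the same W3C extended log fields that IIS writes. The Python block below is an added example written for this page, not KHIKA's or OSSEC's code. It parses a small constructed IIS log (field names follow the standard W3C header; the IP addresses and the threat-intelligence entry are placeholders from documentation ranges), computes the dashboard aggregates (status per server IP, top N URLs, requests per user, DIRECT/REFERRED categorization, total time per URL) and evaluates the three alert conditions: communication with a listed bad IP, a POST of a file with an executable extension, and repeated 4xx errors for the same URL within one minute. The one-minute window, the threshold of three errors and the extension list are assumptions, not KHIKA's actual rule parameters.<br />

```python
"""Added example (not KHIKA's or OSSEC's code): IIS dashboard aggregates and
the three pre-canned alert conditions, computed from W3C extended log lines.
Sample log, IP addresses, threat-intel list and thresholds are constructed."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta
import posixpath

# Constructed IIS W3C log; the #Fields header gives the column order.
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-username c-ip cs(Referer) sc-status time-taken
2020-04-06 10:00:01 10.0.0.5 GET /index.html alice 192.0.2.10 - 200 35
2020-04-06 10:00:02 10.0.0.5 GET /reports/q1.pdf bob 192.0.2.11 http://intranet.example/ 200 120
2020-04-06 10:00:05 10.0.0.6 POST /upload/tool.exe - 198.51.100.7 - 200 400
2020-04-06 10:00:10 10.0.0.5 GET /admin/config alice 192.0.2.10 - 404 3
2020-04-06 10:00:20 10.0.0.5 GET /admin/config alice 192.0.2.10 - 404 2
2020-04-06 10:00:40 10.0.0.5 GET /admin/config alice 192.0.2.10 - 405 2
2020-04-06 10:02:00 10.0.0.5 GET /admin/config alice 192.0.2.10 - 404 2
2020-04-06 10:03:00 10.0.0.6 GET /index.html carol 203.0.113.9 http://search.example/?q=x 200 30
"""
# Constructed threat-intelligence entry (documentation range, not a real IOC).
BAD_IPS = {"198.51.100.7"}
# Assumed "executable extension" list for the dangerous-content rule.
EXECUTABLE_EXT = {".exe", ".dll", ".ps1", ".bat", ".cmd", ".vbs", ".js", ".so", ".sh"}


def parse_iis_log(text):
    """Return one dict per request, keyed by the names in the #Fields header."""
    fields, records = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            rec = dict(zip(fields, line.split()))
            rec["ts"] = datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
            rec["sc-status"] = int(rec["sc-status"])
            rec["time-taken"] = int(rec["time-taken"])  # milliseconds
            records.append(rec)
    return records


# --- dashboard aggregates ---------------------------------------------------
def status_by_server_ip(records):
    """'Server IP wise Status': count of each HTTP status code per server IP."""
    out = defaultdict(Counter)
    for r in records:
        out[r["s-ip"]][r["sc-status"]] += 1
    return {ip: dict(c) for ip, c in out.items()}

def top_n_urls(records, n=10):
    """'Top N URL': the most requested URL stems with their hit counts."""
    return Counter(r["cs-uri-stem"] for r in records).most_common(n)

def requests_per_user(records):
    """'Total Requests Per User': hits per cs-username ('-' is anonymous)."""
    return dict(Counter(r["cs-username"] for r in records))

def traffic_category(record):
    """'Traffic Categorization': no Referer header means DIRECT, else REFERRED."""
    return "DIRECT" if record["cs(Referer)"] == "-" else "REFERRED"

def total_time_by_url(records):
    """'loading delays': summed time-taken (ms) per URL stem."""
    out = Counter()
    for r in records:
        out[r["cs-uri-stem"]] += r["time-taken"]
    return dict(out)


# --- alert conditions -------------------------------------------------------
def alert_bad_ip(records, bad_ips=BAD_IPS):
    """'IIS communication with possible IOC or bad IP': client IP on the TI list."""
    return [(r["ts"], r["c-ip"], r["cs-uri-stem"]) for r in records if r["c-ip"] in bad_ips]

def alert_executable_upload(records):
    """'IIS dangerous content posted': POST/PUT whose path has an executable extension."""
    return [(r["ts"], r["c-ip"], r["cs-uri-stem"]) for r in records
            if r["cs-method"] in ("POST", "PUT")
            and posixpath.splitext(r["cs-uri-stem"])[1].lower() in EXECUTABLE_EXT]

def alert_repeated_errors(records, threshold=3, window=timedelta(minutes=1)):
    """'IIS multiple errors for same URL': at least `threshold` 4xx responses for
    one client/URL pair inside a sliding window (assumed: 3 errors in 1 minute)."""
    errors = defaultdict(list)
    for r in sorted(records, key=lambda r: r["ts"]):
        if 400 <= r["sc-status"] < 500:
            errors[(r["c-ip"], r["cs-uri-stem"])].append(r["ts"])
    hits = []
    for (client, url), times in errors.items():
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # slide the window forward
                start += 1
            if end - start + 1 >= threshold:
                hits.append((client, url, times[start], t))
                break  # one alert per client/URL pair is enough
    return hits


if __name__ == "__main__":
    recs = parse_iis_log(SAMPLE_LOG)
    print("status by server IP:", status_by_server_ip(recs))
    print("top URLs:", top_n_urls(recs, 3))
    print("bad IP:", alert_bad_ip(recs))
    print("executable upload:", alert_executable_upload(recs))
    print("repeated errors:", alert_repeated_errors(recs))
```

Run it directly to print the aggregates and alerts for the constructed sample. The sliding window in the repeated-error rule matters: a fixed calendar minute would miss three errors spread across a minute boundary, which is exactly the pattern an unauthorized-URL probe produces.<br />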
<br />
=== KHIKA Alerts for IIS WebServer ===<br />
<br />
Alerts are generated in real time when certain critical behaviour is observed in the system. They are shown on the Alerts Dashboard in KHIKA and can also be emailed to the relevant stakeholders. The details of KHIKA Alerts are given here.<br />
Click on “Alert Dashboard” in the left menu.<br />
Certain alerts for Windows are pre-canned and shipped with KHIKA, keeping in mind the requirements of users. They are listed in the table below:<br />
<br />
==== Alerts Description ====<br />
<br />
{| class="wikitable"<br />
|+ style="caption-side:bottom; color:#e76700;"|''Alert Details Table''<br />
|-<br />
|'''Alert Name'''<br />
|'''Description'''<br />
|'''Suggested Resolution'''<br />
|-<br />
|IIS communication with possible IOC or bad IP<br />
|This alert is triggered when malicious/bad IPs try to communicate with the IIS Webserver.<br />
|KHIKA shares community-based threat intelligence (TI) every 24 hours. The TI is a list of IP addresses with bad reputation. Every bad IP is marked with the number of communities reporting it, the name of each community and a confidence score indicating how confident we are about the reputation. This alert is generated when communication with a bad IP is let through.<br />
If communication with a bad IP is happening, it must be blocked immediately, as it could be an attack or data exfiltration.<br />
You can check how long this communication has been happening by simply searching for the malicious IP in the logs. You can also check which internal IP addresses are communicating with this IP address and track the real users behind those internal IP addresses.<br />
Cross-check the reputation of the IP with popular websites such as ipvoid.com and virustotal.com.<br />
If you see an internal IP constantly involved in malicious communication (with the same or multiple external IP addresses), you may install agents on the internal nodes involved and check the real user and process responsible for this communication.<br />
It is critical to block this rogue communication.<br />
|-<br />
|IIS dangerous content posted to webserver,files with executable extensions<br />
|This alert is triggered when a client posts potentially dangerous files to the webserver within one minute.<br />
|Dangerous content has been posted to the webserver: a user has posted potentially dangerous files such as executables, scripts or shared objects.<br />
Kindly check the upload activity of the user and verify the uploaded content for policy violations.<br />
|-<br />
|IIS multiple errors for same URL when it is not accessible<br />
|This alert is triggered when a client tries to access an invalid/unauthorized URL and gets multiple errors like 404, 405, etc. within one minute.<br />
|Multiple errors are being returned for the same URL.<br />
This alert may occur due to an incorrect application URL, e.g. a user trying to access an invalid/non-authorized URL.<br />
Kindly check the legitimacy of the requesting users.<br />
|}</div>Dhanashree kulkarnihttp://khika.com/wiki/index.php?title=KHIKA_App_for_IIS_WebServer&diff=3072KHIKA App for IIS WebServer2020-04-07T07:36:31Z<p>Dhanashree kulkarni: /* Some suggestions for useful interaction with this dashboard could be : */</p>
<hr />
<div>== Introduction ==<br />
<br />
IIS webserver logs contain valuable information such as each client's activity and communication. KHIKA visual analytics make it simpler to identify and pinpoint where risks are introduced, so that you can take preventive measures accordingly. The KHIKA App for IIS Webserver aims to give you insight into behaviour, errors and traffic.<br />
<br />
With the KHIKA App for IIS Webserver, you can:<br />
*Monitor hundreds of IIS servers from a central place.<br />
*Monitor HTTP error trends.<br />
*Monitor the top N URLs serviced / requested and their statistics.<br />
*See the user-wise request distribution on your servers.<br />
<br />
The steps to configure the KHIKA App for IIS Webserver and interpret its output are explained below.<br />
<br />
The key parts are:<br />
#Install the KHIKA App for IIS Webserver<br />
#Get data from your IIS Webserver into KHIKA Aggregator<br />
<br />
== How to Install the KHIKA App for IIS WebServer? ==<br />
<br />
This section assumes that you have already configured the KHIKA Data Aggregator in your environment. If not, please read [[Getting Started with KHIKA SaaS#Installing and configuring KHIKA Data Aggregator|how to configure KHIKA Data Aggregator]] and perform the prerequisite steps.<br />
<br />
This section explains how to pick and install the KHIKA application for IIS Webserver. Installing the application puts together and activates the preconfigured adapter (parser) that can handle the Windows data format, the dashboards and the alert rules.<br />
<br />
Go to the “Applications” tab in the “Configure” menu.<br />
<br />
[[File:node.jpg|500px]]<br />
<br />
Check that the appropriate Workspace is selected.<br />
Note: an Application is always loaded into a Workspace. Read the section on [[Accessing the KHIKA Gui#Creating a Workspace|Workspaces]] to know more about KHIKA Workspaces.<br />
Also select your KHIKA aggregator name in the Node dropdown.<br />
This ensures that data is collected from the desired source into the correct workspace, which is ready with the configured application and components.<br />
<br />
[[File:install_app.jpg|500px]]<br />
<br />
Click on the “+” button next to the IIS WebServer App. A pop-up appears.<br />
<br />
[[File:install_app1.jpg|500px]]<br />
<br />
You can now select the contents of the application you require. For example, click on the “Reports” dropdown to expand it and see the list of all reports. Select the reports you need individually by ticking the checkbox next to each, or tick “Select All” to get all of them.<br />
Similarly, you can select contents from Alerts and Dashboards.<br />
<br />
[[KHIKA Reports|What are KHIKA Reports]]<br />
<br />
[[KHIKA Dashboards|What are KHIKA Dashboards]]<br />
<br />
[[KHIKA Alerts & Correlations|What are KHIKA Alerts]]<br />
<br />
Click “Install” to proceed with the installation of the selected Application.<br />
If you have created multiple IIS webserver workspaces in KHIKA and installed the App previously, the pop-up below appears.<br />
<br />
[[File:App_alredy.JPG|500px]]<br />
<br />
Click OK to proceed. If this is not the case, ignore this step.<br />
After successful installation, the following status should be displayed.<br />
<br />
[[File:install_status.jpg|500px]]<br />
<br />
Click on the Close button.<br />
This simple procedure to install a KHIKA App automatically configures the Adapter (required for parsing the raw syslog data), the KHIKA reports calculated on the raw data, the Visualizations, Dashboards and Alerts – all in one click.<br />
<br />
== How to get your IIS WebServer data into KHIKA ? ==<br />
<br />
KHIKA recommends the popular open source OSSEC integration to monitor IIS Webservers.<br />
There are two components in the OSSEC integration with KHIKA:<br />
#OSSEC Agent – installed on each server that you wish to monitor<br />
#OSSEC Server – present on the KHIKA Data Aggregator (which you installed before)<br />
<br />
The OSSEC agent and server communicate with each other using a unique key for encryption.<br />
The main steps to start getting data from an IIS Webserver are:<br />
#Add the Webserver details in KHIKA<br />
#Extract a unique key for this device from KHIKA<br />
#Install the OSSEC agent on the Webserver<br />
#Insert this key in the OSSEC agent (i.e. on the Webserver to be monitored)<br />
#Reload the configuration in KHIKA<br />
#Verify data collection in KHIKA<br />
<br />
Each of these steps is explained in detail in the further sections.<br />
<br />
== Adding the device in the KHIKA ==<br />
<br />
Go to the Adapter tab from the “Configure” menu. Click on the “Manage Devices” icon.<br />
<br />
[[File:iis_manage_device_1.jpg|500px]]<br />
<br />
A pop-up appears for the device details.<br />
<br />
[[File:Win7.jpg|500px]]<br />
<br />
Click on the “Add / Modify Device” tab. Another pop-up appears for the device details.<br />
<br />
[[File:list_device_11.jpg|500px]]<br />
<br />
Enter the expected device name. In the IP address field, enter “any”.<br />
'''Please note: always enter the IP Address as “any”.''' This is the safe and sure option for establishing the connection: it tells the OSSEC server that the agent may connect from “any” of its configured IPs. The device may have multiple NIC cards/IP addresses, and unless we are sure which IP will be used for the connection, the connection will fail. Hence, use “any”.<br />
<br />
Select the appropriate time zone of this device. In the “Node” dropdown, select the name of the Aggregator or local data collector for this device.<br />
Click on Submit. A success message appears and the device is added to this adapter.<br />
<br />
[[File:iis_adding_device.jpg|500px]]<br />
<br />
Finally, go to the Workspace tab and click on the “Apply Configuration” icon.<br />
<br />
[[File:iis_10_1.jpg|500px]]<br />
<br />
We get a confirmation message here too, saying “Changes Applied”.<br />
<br />
== Extract key from KHIKA OSSEC Server ==<br />
<br />
The server is now added to the KHIKA Adapter (the parser that handles this data type). To see the device entry, click on the “Manage Devices” icon next to the adapter.<br />
<br />
[[File:iis_manage_device_1.jpg|500px]]<br />
<br />
A pop-up with the device details for the adapter appears. Select the “List of Devices” tab.<br />
<br />
[[File:iis_12.jpg|500px]]<br />
<br />
Click on the “Get OSSEC Key” icon next to this device.<br />
<br />
[[File:get_ossec_key_1.jpg|500px]]<br />
<br />
[[File:iis_extract_key.jpg|500px]]<br />
<br />
This is the unique key the OSSEC server created for this device. Paste this key into the OSSEC agent installed on the Webserver, as described in the following sections.<br />
<br />
== Installing OSSEC Agent for IIS WebServer ==<br />
<br />
Download the [https://goo.gl/86gRQL Windows OSSEC Agent from here].<br><br />
For an IIS Webserver, select the Windows installer with the filename '''ossec-win32-agent.zip'''. It works for both 32-bit and 64-bit Windows Server OS versions.<br />
<br />
Copy the downloaded installer to your Webserver (using WinSCP or your favourite SCP client) and run the installer as the local "Admin" on the server.<br />
Please note: it is extremely important to install the OSSEC agent with admin privileges, because the agent reads the security logs and can only do so successfully when it runs as the local Admin.<br />
Select the installer file and press "Run".<br />
<br />
[[File:Win15.jpg|500px]]<br />
<br />
Click Next<br />
<br />
[[File:Win16.jpg|500px]]<br />
<br />
Select "I Agree" and proceed<br />
<br />
[[File:Win17.jpg|500px]]<br />
<br />
Keep the default selection in the next window and click Next<br />
<br />
[[File:Win18.jpg|500px]]<br />
<br />
Enter the location on the local drive where the OSSEC agent should be installed and let the installation complete.<br />
<br />
[[File:Win19.jpg|500px]]<br />
<br />
After the installation is complete, verify that the OSSEC HIDS service is installed on your Webserver (open the Services control panel and look for "OSSEC HIDS").<br />
<br />
[[File:Win20.jpg|500px]]<br />
<br />
NOTE :- Repeat these steps on each Webserver that you wish to monitor using KHIKA.<br />
<br />
== Insert unique OSSEC key in Windows OSSEC Agent ==<br />
<br />
Perform the following steps on the agent on your Webserver:<br />
In the OSSEC Agent installation directory, run win32ui.exe as Administrator. A window as shown below opens.<br />
<br />
[[File:Win21.jpg|500px]]<br />
<br />
In the “OSSEC Server IP” field, enter the IP address of the KHIKA data aggregator or collector node, paste the key copied above (generated by the OSSEC server) into the "Authentication key" box and click Save.<br />
From the "Manage" drop-down, select "Restart" to restart the OSSEC agent, then click the Refresh button at the bottom, next to Save.<br />
<br />
[[File:Win22.jpg|500px]]<br />
<br />
Wait for a few minutes. Repeat the steps above for every agent to be added.<br />
<br />
== Reload Configuration ==<br />
<br />
Log in to the KHIKA portal.<br />
*Go to Configure<br />
*Select workspace, here IIS_WebServer (or whatever you have named your workspace)<br />
*Go to Node Tab <br />
*Click Reload Config<br />
<br />
[[File:reload_conf.jpg|500px]]<br />
<br />
This step restarts the OSSEC server.<br />
Wait a few minutes for the server to restart.<br />
<br />
== Verifying OSSEC data collection ==<br />
<br />
Once the device is added successfully, you can check its data on the Discover screen. Go to “Discover” from the main menu.<br />
Select the appropriate index. The raw (KHIKA-formatted) data of all the Webservers you added is shown here.<br />
<br />
[[File:Win24.jpg|500px]]<br />
<br />
To see the data for the newly added device, enter the search string in lower case –<br />
tl_src_host : name_of_the_device_added_in_lower_case <br />
and click on the search icon.<br />
<br />
== How to check the output of KHIKA IIS WebServer App ? ==<br />
<br />
<br />
=== IIS Webserver Http Error Status Dashboard ===<br />
<br />
This dashboard shows the HTTP status codes returned for accessed URLs. It also shows the top 10 most accessed URLs, the server IPs and the HTTP status codes.<br />
<br />
==== Elements in the Dashboard are explained below : ====<br />
<br />
{| class="wikitable"<br />
|+ style="caption-side:bottom; color:#e76700;"|''IIS Webserver Http Error Status Dashboard''<br />
|-<br />
|'''Visualization'''<br />
|'''Description'''<br />
|-<br />
|Server IP wise Status<br />
|X axis : Server IPs<br/> Y axis : Server IP status codes like 200,400,404, etc.<br />
|-<br />
|Client IP wise Status<br />
|X axis : Client IPs<br/> Y axis : Client IP status code like 200,400,404,504, etc.<br />
|-<br />
|Time trend<br />
|Trend of login events over time. Useful to identify unusual spikes at a glance.<br/><br/>X axis : date & time<br/>Y axis : count of events<br />
|-<br />
|Summary Table<br />
|Detailed data with timestamp and count<br />
<br />
|}<br />
<br />
==== Some suggestions for useful interaction with this dashboard could be : ====<br />
<br />
#In the graph "Server IP wise Status", click on any one server IP to select it. This isolates the status codes and URLs accessed for the selected server IP across the dashboard, i.e. the other pie charts, time trends and summary table show filtered information for this server IP only.<br />
#Alternatively, in the graph "Client IP wise Status", click on any one client IP to select it. This isolates the status codes and URLs accessed for the selected client IP across the dashboard.<br />
<br />
=== IIS Webserver Top N URL Dashboard ===<br />
<br />
This dashboard shows the top N requested URLs and their details, including the domains and the top hits per server.<br />
<br />
==== Elements in the Dashboard are explained below : ====<br />
<br />
{| class="wikitable"<br />
|+ style="caption-side:bottom; color:#e76700;"|''IIS Webserver Top N URL Dashboard''<br />
|-<br />
|'''Visualization'''<br />
|'''Description'''<br />
|-<br />
|Contribution of URL<br />
|This pie chart shows different URLs accessed by server.<br />
|-<br />
|Server Name wise Hits<br />
|X axis : Names of Server<br/>Y axis : Count of such request hits for each server.<br />
|-<br />
|Time trend<br />
|Trend of login events over time. Useful to identify unusual spikes at a glance.<br/><br/>X axis : date & time<br/>Y axis : count of events<br />
|-<br />
|Contribution of Domain<br />
|This pie chart shows different types of domain.<br />
|-<br />
|Summary Table<br />
|Detailed data with timestamp and count<br />
<br />
|}<br />
<br />
==== Some suggestions for useful interaction with this dashboard could be : ====<br />
<br />
#On the pie chart "Contribution of URL", select any one URL. The number of hits for that URL, and the server names and domain for it, are then shown across the dashboard, making it easier to drill down and analyse.<br />
#In the "Contribution of Domain" pie, click on any one domain. A filter is applied for the selected domain, and the rest of the elements on the dashboard then show data for that domain only, such as its URLs and server names.<br />
<br />
=== IIS Webserver Total Requests Per User Dashboard ===<br />
<br />
This dashboard shows detailed information about users and the URLs they requested.<br />
<br />
==== Elements in the Dashboard are explained below : ====<br />
<br />
{| class="wikitable"<br />
|+ style="caption-side:bottom; color:#e76700;"|''IIS Webserver Total Request Per User Dashboard''<br />
|-<br />
|'''Visualization'''<br />
|'''Description'''<br />
|-<br />
|Contribution of Server Name<br />
|This pie chart shows the contribution of each server.<br />
|-<br />
|User wise Request<br />
|X axis : Users<br/>Y axis : Count of request hits for each user.<br />
|-<br />
|Time trend<br />
|Trend of login events over time. Useful to identify unusual spikes at a glance.<br/><br/>X axis : date & time<br/>Y axis : count of events<br />
|-<br />
|Summary Table<br />
|Detailed data with timestamp and count<br />
<br />
|}<br />
<br />
==== Some suggestions for useful interaction with this dashboard could be : ====<br />
<br />
#In the graph "User wise Request", click and select any one user. This isolates the request hits for the selected user and is reflected across the dashboard, i.e. the other pie charts, time trends and summary tables show filtered information for this user only.<br />
#In the pie "Contribution of Server Name", click and select any one server name. This isolates the users and request hits for that server name and is reflected across the dashboard.<br />
<br />
=== IIS Webserver Traffic Categorization Dashboard ===<br />
<br />
This dashboard categorizes traffic as DIRECT or REFERRED. It also shows the category per server IP, the top URLs and the servers.<br />
<br />
==== Elements in the Dashboard are explained below : ====<br />
<br />
{| class="wikitable"<br />
|+ style="caption-side:bottom; color:#e76700;"|''IIS Webserver Traffic Categorization Dashboard''<br />
|-<br />
|'''Visualization'''<br />
|'''Description'''<br />
|-<br />
|Server IP wise Category<br />
|X axis : Server IPs<br/> Y axis : Count of requests per category.<br />
|-<br />
|Client IP wise Referrer<br />
|X axis : Client IPs<br/> Y axis : Count of requests per referrer.<br />
|-<br />
|Contribution of URL<br />
|This pie chart shows the contribution of each URL.<br />
|-<br />
|Contribution of Category<br />
|This pie chart shows the contribution of each category.<br />
|-<br />
|Contribution of Referrer<br />
|This pie chart shows the contribution of each referrer.<br />
|-<br />
|Time trend<br />
|Trend of login events over time. Useful to identify unusual spikes at a glance.<br/><br/>X axis : date & time <br/>Y axis : count of events<br />
|-<br />
|Summary Table<br />
|Detailed data with timestamp and count<br />
<br />
|}<br />
<br />
==== Some suggestions for useful interaction with this dashboard could be : ====<br />
#On the bar graph "Server IP wise Category", select any one server IP. This isolates the categories and their counts for the selected server IP, along with the domains and accessed URLs for that server IP, across the dashboard, i.e. the other pie charts, time trends and summary table show filtered information for this server IP only.<br />
#Inversely, in the bar graph "Client IP wise Referrer", click on any one client IP to select it; the rest of the elements on the dashboard then show data for that client IP only.<br />
<br />
=== IIS Webserver Top N Referrers Dashboard ===<br />
<br />
This dashboard shows the top referrers. It also gives the details of the domains and the top hits on each server.<br />
<br />
==== Elements in the Dashboard are explained below : ====<br />
<br />
{| class="wikitable"<br />
|+ style="caption-side:bottom; color:#e76700;"|''IIS Webserver Top N Referrers Dashboard''<br />
|-<br />
|'''Visualization'''<br />
|'''Description'''<br />
|-<br />
|Contribution of Domain<br />
|This pie chart shows the contribution of each domain.<br />
|-<br />
|Server Name wise Hits<br />
|X axis : Server names<br/> Y axis : Count of hits for each server name.<br />
|-<br />
|Contribution of Referrer<br />
|This pie chart shows the contribution of each referrer.<br />
|-<br />
|Time trend<br />
|Trend of login events over time. Useful to identify unusual spikes at a glance.<br/><br/>X axis : date & time<br/>Y axis : count of events<br />
|-<br />
|Summary Table<br />
|Detailed data with timestamp and count<br />
<br />
|}<br />
<br />
==== Some suggestions for useful interaction with this dashboard could be : ====<br />
<br />
#In the "Contribution of Referrer" chart, select any one referrer. This isolates the count of request hits for the selected referrer and shows the domain and server name for it across the dashboard, i.e. the other pie charts, time trends and summary table show filtered information for this referrer only.<br />
#Inversely, in the "Contribution of Domain" pie, click on any one domain to select it; the rest of the elements on the dashboard then show data for that domain only.<br />
<br />
=== IIS Webserver Referrer Detail Dashboard ===<br />
<br />
This dashboard shows referrer details. It also shows the top URLs, referrers and client IPs for any URL and server IP.<br />
<br />
==== Elements in the Dashboard are explained below : ====<br />
<br />
{| class="wikitable"<br />
|+ style="caption-side:bottom; color:#e76700;"|''IIS Webserver Referrer Detail Dashboard''<br />
|-<br />
|'''Visualization'''<br />
|'''Description'''<br />
|-<br />
|Contribution of Referrer<br />
|This pie chart shows the contribution of each referrer.<br />
|-<br />
|Contribution of URL<br />
|This pie chart shows the contribution of each URL.<br />
|-<br />
| Server IP wise Hits<br />
|X axis : Server IP<br/>Y axis : Count of request hits for that Server IP.<br />
|-<br />
| Client IP wise Hits<br />
|X axis : Client IP<br/>Y axis : Count of request hits for that Client IP.<br />
|-<br />
|Time trend<br />
|Trend of login events over time. Useful to identify unusual spikes at a glance.<br/><br/>X axis : date & time<br/>Y axis : count of events<br />
|-<br />
|Summary Table<br />
|Detailed data with timestamp and count<br />
<br />
|}<br />
<br />
==== Some suggestions for useful interaction with this dashboard could be : ====<br />
<br />
#In the pie chart "Contribution of Referrer", click and select any one referrer type. This isolates the count of hits for the selected type and shows the server IPs and accessed URLs for that referrer type across the dashboard, i.e. the other pie charts, time trends and summary table show filtered information for this referrer type only.<br />
#Alternatively, in the graph "Client IP wise Hits", click and select any one client IP. This isolates the request hits and shows the referrers and accessed URLs for that client IP across the dashboard.<br />
<br />
=== IIS webserver loading delays Dashboard ===<br />
<br />
This dashboard shows the total and average time taken for each accessed URI and server IP.<br />
<br />
==== Elements in the Dashboard are explained below : ====<br />
<br />
{| class="wikitable"<br />
|+ style="caption-side:bottom; color:#e76700;"|''IIS webserver loading delays Dashboard ''<br />
|-<br />
|'''Visualization'''<br />
|'''Description'''<br />
|-<br />
|URL wise Total Time<br />
|X axis : URLs<br/>Y axis : Total time taken and count of the most expensive requests for each URL.<br />
|-<br />
|Server IP Hits<br />
|X axis : Server IP<br/>Y axis : Count of request hits for that Server IP.<br />
|-<br />
| Contribution of Server IP<br />
|This pie chart shows the contribution of each server IP.<br />
|-<br />
|Time trend<br />
|Trend of login events over time. Useful to identify unusual spikes at a glance.<br/><br/>X axis : date & time<br/>Y axis : count of events<br />
|-<br />
|Summary Table<br />
|Detailed data with timestamp and count<br />
<br />
|}<br />
<br />
==== Some suggestions for useful interaction with this dashboard could be : ====<br />
<br />
#In the bar graph "URL wise Total Time", click and select any one URL. The dashboard shows the total time taken and the count of the most expensive requests for the selected URL, reflected across the dashboard, i.e. the other pie charts, time trends and summary table show filtered information for this URL only.<br />
#Alternatively, in the bar graph "Server IP Hits", click on any one server IP to select it; the rest of the elements on the dashboard then show data for that server IP only.<br />
<br />
=== IIS Webserver Avg Qtime Dashboard ===<br />
<br />
This dashboard shows the average time taken by each accessed URL and its query.<br />
<br />
==== Elements in the Dashboard are explained below : ====<br />
<br />
{| class="wikitable"<br />
|+ style="caption-side:bottom; color:#e76700;"|''IIS Webserver Avg Qtime Dashboard ''<br />
|-<br />
|'''Visualization'''<br />
|'''Description'''<br />
|-<br />
|URL wise Hits<br />
|X axis : URLs<br/>Y axis : Count of request hits for each URL.<br />
|-<br />
|Server IP Hits<br />
|X axis : Server IP<br/>Y axis : Count of request hits for each Server IP.<br />
|-<br />
| Contribution of Query<br />
|This pie chart shows the contribution of each query.<br />
|-<br />
|Time trend<br />
|Trend of login events over time. Useful to identify unusual spikes at a glance.<br/><br/>X axis : date & time<br/>Y axis : count of events<br />
|-<br />
|Summary Table<br />
|Detailed data with timestamp and count<br />
<br />
|}<br />
<br />
==== Some suggestions for useful interaction with this dashboard could be : ====<br />
<br />
#In the pie chart "Contribution of Query", select any one top query. This isolates the count of hits and the server IPs for the selected query across the dashboard.<br />
#In the bar graph "URL wise Hits", select any one URL. This isolates the count of request hits for the selected URL and shows the queries and server names for that URL across the dashboard, i.e. the other pie charts, time trends and summary table show filtered information for this URL only.<br />
<br />
=== KHIKA Alerts for IIS WebServer ===<br />
<br />
Alerts are generated in real time when certain critical behaviour is observed in the system. They are notified on the Alerts Dashboard in KHIKA and can also be received by email by the relevant stakeholders. The details of KHIKA Alerts are mentioned here.<br />
Click on “Alert Dashboard” in the left menu.<br />
Certain alerts for Windows are pre-canned and shipped with KHIKA, keeping in mind the requirements of the users. They are listed in the table below :<br />
<br />
==== Alerts Description ====<br />
<br />
{| class="wikitable"<br />
|+ style="caption-side:bottom; color:#e76700;"|''Alert Details Table''<br />
|-<br />
|'''Alert Name'''<br />
|'''Description'''<br />
|'''Suggested Resolution'''<br />
|-<br />
|IIS communication with possible IOC or bad IP<br />
|This alert is triggered when a malicious or bad-reputation IP communicates with the IIS Webserver.<br />
|KHIKA shares community-based threat intelligence (TI) every 24 hours. The TI is a list of IP addresses with bad reputation. Every bad IP is marked with the number of communities reporting it, the name of each community and a confidence score indicating how confident we are about the reputation. This alert is generated when communication with a bad IP is let through.<br />
If communication with a bad IP is happening, it must be blocked immediately as it could be a possible attack or data exfiltration.<br />
You can check how long this communication has been happening by simply searching the malicious IP in the logs. You can also check which internal IP addresses are communicating with this IP address and track the real users behind those internal IP addresses.<br />
Cross-check the reputation of the IP with popular websites such as ipvoid.com and virustotal.com.<br />
If you see an internal IP constantly getting involved in malicious communication (with the same or multiple external IP addresses), you may install agents on the internal nodes involved and check the real user and process responsible for this communication.<br />
It is critical to block this rogue communication.<br />
|-<br />
|IIS dangerous content posted to webserver, files with executable extensions<br />
|This alert is triggered when a client posts potentially dangerous files to the webserver within one minute.<br />
|Dangerous content has been posted to the webserver: a client has uploaded potentially dangerous files such as executables, scripts or shared objects.<br />
Kindly check the upload activity of the user and verify the uploaded content for policy violations.<br />
|-<br />
|IIS multiple errors for same URL when it is not accessible<br />
|This alert is triggered when a client tries to access an invalid/unauthorized URL and gets multiple errors such as 404 or 405 within one minute.<br />
|Multiple errors are being returned for the same URL.<br />
This kind of alert may occur due to an incorrect application URL, e.g. a user trying to access an invalid or non-authorized URL.<br />
Kindly check the legitimacy of the requesting users.<br />
|}</div>Dhanashree kulkarnihttp://khika.com/wiki/index.php?title=KHIKA_App_for_IIS_WebServer&diff=3071KHIKA App for IIS WebServer2020-04-07T07:33:05Z<p>Dhanashree kulkarni: /* IIS Webserver Referrer Detail Dashboard */</p>
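The alert conditions in the table above, and the per-URL, per-server and per-category aggregates that the dashboards in this section display, can all be derived from plain IIS W3C log lines. The Python below is an added example and is not KHIKA's own code: it parses a log excerpt by its #Fields header, computes dashboard-style aggregates, and evaluates the three alert conditions. The log lines, IP addresses and threat-intelligence list are constructed for the example; the one-minute window, the threshold of three errors and the executable-extension list are assumptions, not KHIKA's actual rule parameters.<br />

```python
"""Added example, not KHIKA's own code: parse IIS W3C log lines, derive the
kinds of aggregates the dashboards above display, and evaluate the three
alert conditions from the Alert Details table.  The log excerpt, the IP
addresses and the threat-intelligence (TI) list are all constructed here."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed IIS W3C log excerpt; the #Fields header drives the parser.
# Field values never contain spaces in this format (IIS encodes them as '+').
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2020-04-07 07:30:01 10.0.0.5 GET /index.html - 443 - 192.168.1.20 Mozilla/5.0 - 200 0 0 120
2020-04-07 07:30:02 10.0.0.5 GET /login - 443 alice 192.168.1.20 Mozilla/5.0 https://portal.example.test/ 200 0 0 340
2020-04-07 07:30:05 10.0.0.5 POST /upload/tool.exe - 443 bob 192.168.1.21 curl/7.68 - 201 0 0 900
2020-04-07 07:30:10 10.0.0.5 GET /admin/secret - 443 - 203.0.113.9 Mozilla/5.0 - 404 0 2 5
2020-04-07 07:30:20 10.0.0.5 GET /admin/secret - 443 - 203.0.113.9 Mozilla/5.0 - 404 0 2 5
2020-04-07 07:30:40 10.0.0.5 GET /admin/secret - 443 - 203.0.113.9 Mozilla/5.0 - 405 0 0 5
2020-04-07 07:32:00 10.0.0.6 GET /index.html - 443 - 198.51.100.7 Mozilla/5.0 - 200 0 0 80
"""

# Constructed TI list standing in for KHIKA's community feed: each bad IP
# carries the number of reporting communities and a confidence score.
BAD_IPS = {"198.51.100.7": {"communities": 3, "confidence": 80}}

# Assumed set of extensions treated as "dangerous content" (executables, scripts, shared objects).
EXECUTABLE_EXTENSIONS = (".exe", ".dll", ".ps1", ".bat", ".cmd", ".vbs", ".so", ".sh")


def parse_w3c(text):
    """Yield one dict per request line, keyed by the names in the #Fields header."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            yield dict(zip(fields, line.split()))

def status_by_server_ip(events):
    """'Server IP wise Status': status-code counts for each server IP."""
    out = defaultdict(Counter)
    for e in events:
        out[e["s-ip"]][e["sc-status"]] += 1
    return out

def top_n_urls(events, n=10):
    """'Top N URL': the most requested URI stems with their hit counts."""
    return Counter(e["cs-uri-stem"] for e in events).most_common(n)

def traffic_category(event):
    """'Traffic Categorization': DIRECT when no referrer was sent, else REFERRED."""
    return "DIRECT" if event["cs(Referer)"] == "-" else "REFERRED"

def time_taken_by_url(events):
    """'URL wise Total Time': (total ms, average ms) per URI stem."""
    totals, counts = Counter(), Counter()
    for e in events:
        totals[e["cs-uri-stem"]] += int(e["time-taken"])
        counts[e["cs-uri-stem"]] += 1
    return {url: (totals[url], totals[url] / counts[url]) for url in totals}

def alert_bad_ip(events):
    """'IIS communication with possible IOC or bad IP': client IPs on the TI list,
    returned with their TI record so the reputation can be cross-checked."""
    return [(e["c-ip"], e["cs-uri-stem"], BAD_IPS[e["c-ip"]])
            for e in events if e["c-ip"] in BAD_IPS]

def alert_dangerous_upload(events):
    """'dangerous content posted': POST/PUT to a path with an executable extension."""
    return [(e["c-ip"], e["cs-uri-stem"]) for e in events
            if e["cs-method"] in ("POST", "PUT")
            and e["cs-uri-stem"].lower().endswith(EXECUTABLE_EXTENSIONS)]

def alert_repeated_errors(events, threshold=3, window=timedelta(minutes=1)):
    """'multiple errors for same URL': at least `threshold` 4xx responses for one
    (client IP, URL) pair inside a sliding window (assumed one minute)."""
    recent = defaultdict(list)
    fired = set()
    for e in events:
        if not e["sc-status"].startswith("4"):
            continue
        key = (e["c-ip"], e["cs-uri-stem"])
        ts = datetime.strptime(f"{e['date']} {e['time']}", "%Y-%m-%d %H:%M:%S")
        # Drop timestamps that fell out of the window, then add the current one.
        recent[key] = [t for t in recent[key] if ts - t <= window] + [ts]
        if len(recent[key]) >= threshold:
            fired.add(key)
    return sorted(fired)

if __name__ == "__main__":
    evs = list(parse_w3c(SAMPLE_LOG))
    print("status by server IP:", dict(status_by_server_ip(evs)))
    print("top URLs:", top_n_urls(evs, 3))
    print("categories:", Counter(traffic_category(e) for e in evs))
    print("time taken:", time_taken_by_url(evs))
    print("bad IP:", alert_bad_ip(evs))
    print("dangerous upload:", alert_dangerous_upload(evs))
    print("repeated errors:", alert_repeated_errors(evs))
```

The repeated-errors check keeps a sliding window per (client IP, URL) pair rather than fixed clock minutes, so a burst that straddles a minute boundary is still caught; the bad-IP check carries the TI record (community count and confidence) along with the hit, which is what an analyst needs when cross-checking the reputation before blocking.<br />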
<hr />
<div>== Introduction ==<br />
<br />
IIS webserver logs contain valuable information such as each client's activity and communication. KHIKA visual analytics make it simpler to identify and pinpoint where risks are introduced, so you can take preventive measures accordingly. The KHIKA App for IIS Webserver aims to give you insights into behaviour, errors and traffic.<br />
<br />
With the KHIKA App for IIS Webserver, you can :<br />
*Monitor hundreds of IIS servers from a central place.<br />
*Monitor and see the HTTP error trends.<br />
*Monitor the top N URLs serviced / requested and their statistics.<br />
*See the user-wise request distribution on your servers.<br />
<br />
Below we explain the steps to configure and interpret the output of the KHIKA App for IIS Webserver.<br />
<br />
The key parts are: <br />
#Install the KHIKA App for IIS Webserver<br />
#Get data from your IIS Webserver into KHIKA Aggregator<br />
<br />
== How to Install the KHIKA App for IIS WebServer? ==<br />
<br />
The section assumes that you have already configured KHIKA Data Aggregator in your environment. If not, please read [[Getting Started with KHIKA SaaS#Installing and configuring KHIKA Data Aggregator|how to configure KHIKA Data Aggregator]] and perform the pre-requisite steps.<br />
<br />
This section explains how to pick and install the KHIKA application for IIS Webserver. Installing the application puts together and activates the preconfigured adapter (parser) that can handle the Windows data format, the dashboards and the alert rules.<br />
<br />
Go to “Applications” tab in the “Configure” menu. <br />
<br />
[[File:node.jpg|500px]]<br />
<br />
Check whether the appropriate Workspace is selected.<br />
Note: Application is always loaded in a Workspace. Read the section on [[Accessing the KHIKA Gui#Creating a Workspace|Workspaces]] to know more about KHIKA Workspaces.<br />
Also select your KHIKA aggregator name in the Node dropdown. <br />
This is to ensure that we are collecting data from the desired source and into the correct workspace which is ready with the configured application and components.<br />
<br />
[[File:install_app.jpg|500px]]<br />
<br />
Click on the “+” button next to the IIS WebServer App. A pop up appears.<br />
<br />
[[File:install_app1.jpg|500px]]<br />
<br />
Users can now select the required contents of the application. For example, click on the dropdown for “Reports” to expand it; the list of all reports can be seen. Users can individually select the required reports by checking the checkbox next to each, or check the “Select All” option to get all of them.<br />
Similarly, you can select contents from Alerts and Dashboards.<br />
<br />
[[KHIKA Reports|What are KHIKA Reports]]<br />
<br />
[[KHIKA Dashboards|What are KHIKA Dashboards]]<br />
<br />
[[KHIKA Alerts & Correlations|What are KHIKA Alerts]]<br />
<br />
Click “Install” to proceed with the installation of the selected Application.<br />
If you have created multiple IIS Webserver workspaces in KHIKA and installed the App previously, you will get the pop up below.<br />
<br />
[[File:App_alredy.JPG|500px]]<br />
<br />
Click on OK to proceed. If this is not the case, ignore this step. <br />
After successful installation, following status should be displayed. <br />
<br />
[[File:install_status.jpg|500px]]<br />
<br />
Click on Close button.<br />
This simple procedure to install a KHIKA App automatically configures the Adapter (required for parsing the data from raw syslogs), the KHIKA reports calculated on raw data, Visualizations, Dashboards and Alerts – all in one click.<br />
<br />
== How to get your IIS WebServer data into KHIKA ? ==<br />
<br />
KHIKA recommends the popular open source OSSEC integration to monitor IIS Webservers.<br />
There are 2 components in the OSSEC integration with KHIKA.<br />
#OSSEC Agent – Installed on each server which we wish to monitor<br />
#OSSEC Server – Present on KHIKA Data Aggregator (which you have installed before)<br />
<br />
The OSSEC agent and server communicate with each other using a unique key for encryption.<br />
The main steps to start getting data from an IIS Webserver are :<br />
#Add the Webserver details in KHIKA<br />
#Extract a unique key for this device from KHIKA<br />
#Install the OSSEC agent on the Webserver<br />
#Insert this key in the OSSEC agent (i.e. on the Webserver to be monitored)<br />
#Reload the configuration in KHIKA<br />
#Verify data collection in KHIKA<br />
<br />
Each of these steps is explained in detail in the further sections.<br />
<br />
== Adding the device in KHIKA ==<br />
<br />
Go to Adapter tab, from the “Configure” menu. Click on the “Manage Devices” icon. <br />
<br />
[[File:iis_manage_device_1.jpg|500px]]<br />
<br />
Pop up appears for device details <br />
<br />
[[File:Win7.jpg|500px]]<br />
<br />
Click on “Add / Modify Device” tab. Another pop up appears for device details.<br />
<br />
[[File:list_device_11.jpg|500px]]<br />
<br />
Enter the expected device name. In the field for IP address, enter “any”.<br />
'''Please note : Always enter the IP Address as “any”.''' This is the safe and sure option for establishing a connection: it allows the OSSEC agent to connect to the OSSEC Server from any of its configured IPs. The device may have multiple NIC cards/IP addresses, and unless we are sure which IP will be used for the connection, the connection will fail. Hence, use “any”.<br />
<br />
Select the appropriate time zone for this device. In the “Node” dropdown, select the name of the Aggregator or local data collector for this device.<br />
Click on Submit. We get a success message and the device is added successfully to this adapter.<br />
<br />
[[File:iis_adding_device.jpg|500px]]<br />
<br />
Finally, go to Workspace tab and click on “Apply Configuration” icon.<br />
<br />
[[File:iis_10_1.jpg|500px]]<br />
<br />
We get a confirmation message here too, saying, “Changes Applied”<br />
<br />
== Extract key from KHIKA OSSEC Server ==<br />
<br />
The expected server is now added in the relevant KHIKA Adapter (parser) that will parse this data type. To see this device entry, click on the “Manage Devices” icon next to the adapter.<br />
<br />
[[File:iis_manage_device_1.jpg|500px]]<br />
<br />
A pop up with device details of the adaptor appears. Select “List of Devices” tab.<br />
<br />
[[File:iis_12.jpg|500px]]<br />
<br />
Click on the “Get OSSEC Key” icon next to this device. <br />
<br />
[[File:get_ossec_key_1.jpg|500px]]<br />
<br />
[[File:iis_extract_key.jpg|500px]]<br />
<br />
This is the unique key for this device created by the OSSEC server. Paste this key in the Ossec agent which is installed on this Webserver.<br />
<br />
== Installing OSSEC Agent for IIS WebServer ==<br />
<br />
Download [https://goo.gl/86gRQL Windows Ossec Agent from here].<br><br />
For IIS Webserver you will need to select the Windows installer with filename '''ossec-win32-agent.zip'''. This works for both 32-bit and 64-bit Windows Server OS versions.<br />
<br />
Copy the downloaded installer to your Webserver (using WinSCP or your favourite SCP client) and run the installer as the local "Admin" on the Server.<br />
Please Note : It is extremely important to install the OSSEC agent with admin privileges, as the agent reads the security logs and must run as the local Admin to read them successfully.<br />
Select the installer file and press "Run".<br />
<br />
[[File:Win15.jpg|500px]]<br />
<br />
Click Next<br />
<br />
[[File:Win16.jpg|500px]]<br />
<br />
Select "I Agree" and proceed<br />
<br />
[[File:Win17.jpg|500px]]<br />
<br />
Keep the default selection in the next window and click Next<br />
<br />
[[File:Win18.jpg|500px]]<br />
<br />
Enter the location to install the OSSEC agent on the local drive and let the installation complete<br />
<br />
[[File:Win19.jpg|500px]]<br />
<br />
After the installation is complete, verify that the OSSEC HIDS Service is successfully installed on your WebServer. (Go to your Service Control Panel and check for OSSEC HIDS Service)<br />
<br />
[[File:Win20.jpg|500px]]<br />
<br />
NOTE :- You will have to repeat these steps on each Webserver that you wish to monitor using KHIKA.<br />
<br />
== Insert unique OSSEC key in Windows OSSEC Agent ==<br />
<br />
Perform the following simple steps on the Agent on your Webserver :<br />
In the OSSEC Agent installation directory, run win32ui.exe (Run as Administrator) to open a window as shown below.<br />
<br />
[[File:Win21.jpg|500px]]<br />
<br />
In the field “OSSEC Server IP”, enter the IP Address of the KHIKA data aggregator or collector node, paste the copied key (generated by the OSSEC server above) into the box against "Authentication key" and click Save.<br />
From the "Manage" drop-down, select "Restart" to restart the OSSEC Agent. Click on the Refresh button at the bottom, next to Save.<br />
<br />
[[File:Win22.jpg|500px]]<br />
<br />
Wait for a few minutes. Repeat above steps for all the agents to be added.<br />
<br />
== Reload Configuration ==<br />
<br />
Login into the KHIKA portal. <br />
*Go to Configure<br />
*Select workspace, here IIS_WebServer (or whatever you have named your workspace)<br />
*Go to Node Tab <br />
*Click Reload Config<br />
<br />
[[File:reload_conf.jpg|500px]]<br />
<br />
This step restarts OSSEC Server.<br />
Wait for a few minutes for server to restart.<br />
<br />
== Verifying OSSEC data collection ==<br />
<br />
Once the device is added successfully, we can check the data for this device on the Discover screen. Go to “Discover” from the main menu.<br />
Select the appropriate index. Raw (KHIKA-formatted) data of all the Webservers you have added is seen here.<br />
<br />
[[File:Win24.jpg|500px]]<br />
<br />
To see the data for our newly added device, enter the search string in lower case –<br />
tl_src_host : name_of_the_device_added_in_lower_case<br />
and click on the search icon.<br />
<br />
== How to check the output of KHIKA IIS WebServer App ? ==<br />
<br />
<br />
=== IIS Webserver Http Error Status Dashboard ===<br />
<br />
This Dashboard shows the information about HTTP status code for accessed URL's.This dashboard also shows top 10 URL's which are accessed most,Server IP and HTTP status code. <br />
<br />
==== Elements in the Dashboard are explained below : ====<br />
<br />
{| class="wikitable"<br />
|+ style="caption-side:bottom; color:#e76700;"|''IIS Webserver Http Error Status Dashboard''<br />
|-<br />
|'''Visualization'''<br />
|'''Description'''<br />
|-<br />
|Server IP wise Status<br />
|X axis : Server IPs<br/> Y axis : Server IP status codes like 200,400,404, etc.<br />
|-<br />
|Client IP wise Status<br />
|X axis : Client IPs<br/> Y axis : Client IP status code like 200,400,404,504, etc.<br />
|-<br />
|Time trend<br />
|Trend of login events over time. Useful to identify unusual spikes at a glance.<br/><br/>X axis : date & time<br/>Y axis : count of events<br />
|-<br />
|Summary Table<br />
|Detailed data with timestamp and count<br />
<br />
|}<br />
<br />
==== Some suggestions for useful interaction with this dashboard could be : ====<br />
<br />
#In the graph "Server IP wise Status", click and select any one server IP. This shall isolate respective status codes and URLs accessed for the selected server IP and get reflected across the dashboard. i.e the other pie charts, time trends and summary table shall show filtered information for this server IP only.<br />
#Alternatively, in the graph "Client IP wise Status " click and select any one client IP. This shall isolate respective status code and URL accessed for that selected client IP and get reflected across the dashboard.<br />
<br />
=== IIS Webserver Top N URL Dashboard ===<br />
<br />
This dashboard shows top n URLs requested and their information. It includes details about domain and top hits on server. <br />
<br />
==== Elements in the Dashboard are explained below : ====<br />
<br />
{| class="wikitable"<br />
|+ style="caption-side:bottom; color:#e76700;"|''IIS Webserver Top N URL Dashboard''<br />
|-<br />
|'''Visualization'''<br />
|'''Description'''<br />
|-<br />
|Contribution of URL<br />
|This pie chart shows different URLs accessed by server.<br />
|-<br />
|Server Name wise Hits<br />
|X axis : Names of Server<br/>Y axis : Count of such request hits for each server.<br />
|-<br />
|Time trend<br />
|Trend of login events over time. Useful to identify unusual spikes at a glance.<br/><br/>X axis : date & time<br/>Y axis : count of events<br />
|-<br />
|Contribution of Domain<br />
|This pie chart shows different types of domain.<br />
|-<br />
|Summary Table<br />
|Detailed data with timestamp and count<br />
<br />
|}<br />
<br />
==== Some suggestions for useful interaction with this dashboard could be : ====<br />
<br />
#On the pie chart "Contribution of URL" select any one URL. This shall show the number of hits for the requested URL, server names, domain for selected URL across the dashboard making it easier to drill down and analyse. <br />
#In the "Contribution of Domain" pie, click on any one domain, filter gets applied on this selected domain, rest of the elements on the dashboard then show data for that domain only like URLs for this domain, server name, etc.<br />
<br />
=== IIS Webserver Total Requests Per User Dashboard ===<br />
<br />
This dashboard shows detailed information of users and requested URLs which are accessed by users.<br />
<br />
==== Elements in the Dashboard are explained below : ====<br />
<br />
{| class="wikitable"<br />
|+ style="caption-side:bottom; color:#e76700;"|''IIS Webserver Total Request Per User Dashboard''<br />
|-<br />
|'''Visualization'''<br />
|'''Description'''<br />
|-<br />
|Contribution of Server Name<br />
|This pie chart shows contribution of servers.<br />
|-<br />
|User wise Request<br />
|X axis : one or more user<br/>Y axis : Count of request hits for that user.<br />
|-<br />
|Time trend<br />
|Trend of login events over time. Useful to identify unusual spikes at a glance.<br/><br/>X axis : date & time<br/>Y axis : count of events<br />
|-<br />
|Summary Table<br />
|Detailed data with timestamp and count<br />
<br />
|}<br />
<br />
==== Some suggestions for useful interaction with this dashboard could be : ====<br />
<br />
#In the graph "User wise Request ", click and select any one user. This shall isolate the requested hits for that selected user and get reflected across the dashboard. i.e the other pie charts, time trends and summary tables shall show filtered information for this user only.<br />
#In the pie "Contribution of Server Name " click and select any one server name. This shall isolate the respective user and requested hits for that server name and get reflected across the dashboard.<br />
<br />
=== IIS Webserver Traffic Categorization Dashboard ===<br />
<br />
This dashboard shows traffic categorization like DIRECT or REFERRED. Also it shows server IP wise category , top URLs and Servers.<br />
<br />
==== Elements in the Dashboard are explained below : ====<br />
<br />
{| class="wikitable"<br />
|+ style="caption-side:bottom; color:#e76700;"|''IIS Webserver Traffic Categorization Dashboard''<br />
|-<br />
|'''Visualization'''<br />
|'''Description'''<br />
|-<br />
|Server IP wise Category<br />
|X axis : Server IPs<br/> Y axis : count of Category.<br />
|-<br />
|Client IP wise Referrer<br />
|X axis : Client IPs<br/> Y axis : count of Referrer.<br />
|-<br />
|Contribution of URL<br />
|This pie chart shows contribution of different types of URL <br />
|-<br />
|Contribution of Category<br />
|This pie chart shows contribution of different types of Category.<br />
|-<br />
|Contribution of Referrer<br />
|This pie chart shows contribution of different types of Referrer.<br />
|-<br />
|Time trend<br />
|Trend of login events over time. Useful to identify unusual spikes at a glance.<br/><br/>X axis : date & time <br/>Y axis : count of events<br />
|-<br />
|Summary Table<br />
|Detailed data with timestamp and count<br />
<br />
|}<br />
<br />
==== Some suggestions for useful interaction with this dashboard could be : ====<br />
#On the bar graph "Server IP wise Category" select any one server IP. This isolates respective category and its count for selected server IP and also domain and accessed URL for that server IP across the dashboard. i.e the other pie charts, time trends and summary table shall show filtered information for this server IP only. <br />
#Inversely, in the bar graph "Client IP wise Referrer", click on any one client IP to select and rest of the elements on the dashboard then show data for that client IP only.<br />
<br />
=== IIS Webserver Top N Referrers Dashboard ===<br />
<br />
This Dashboard shows the top referrers. Also gives the details of domain and top hits on server.<br />
<br />
==== Elements in the Dashboard are explained below : ====<br />
<br />
{| class="wikitable"<br />
|+ style="caption-side:bottom; color:#e76700;"|''IIS Webserver Top N Referrers Dashboard''<br />
|-<br />
|'''Visualization'''<br />
|'''Description'''<br />
|-<br />
|Contribution of Domain<br />
|This pie chart shows contribution of different types of Domain.<br />
|-<br />
|Server Name wise Hits<br />
|X axis : Server Names<br/> Y axis :Server name wise hits.<br />
|-<br />
|Contribution of Referrer<br />
|This pie chart shows contribution of different types of Referrers.<br />
|-<br />
|Time trend<br />
|Trend of login events over time. Useful to identify unusual spikes at a glance.<br/><br/>X axis : date & time<br/>Y axis : count of events<br />
|-<br />
|Summary Table<br />
|Detailed data with timestamp and count<br />
<br />
|}<br />
<br />
==== Some suggestions for useful interaction with this dashboard could be : ====<br />
<br />
#On the bar graph "Contribution of Referrer" select any one. This shall isolate count of requested hits for selected referrer and also shows domain and server name for selected referrer across the dashboard. i.e the other pie charts, time trends and summary table shall show filtered information for this referrer only. <br />
#Inversely, in the "Contribution of Domain" pie, click on any one domain to select and rest of the elements on the dashboard then show data for that domain only.<br />
<br />
=== IIS Webserver Referrer Detail Dashboard ===<br />
<br />
This dashboard shows referrer details: for each referrer, the top URLs requested, the client IPs making the requests and the server IPs that served them.<br />
<br />
==== Elements in the Dashboard are explained below : ====<br />
<br />
{| class="wikitable"<br />
|+ style="caption-side:bottom; color:#e76700;"|''IIS Webserver Referrer Detail Dashboard''<br />
|-<br />
|'''Visualization'''<br />
|'''Description'''<br />
|-<br />
|Contribution of Referrer<br />
|This pie chart shows contribution of different Referrers.<br />
|-<br />
|Contribution of URL<br />
|This pie chart shows contribution of different URLs.<br />
|-<br />
| Server IP wise Hits<br />
|X axis : Server IP<br/>Y axis : Count of request hits for that Server IP.<br />
|-<br />
| Client IP wise Hits<br />
|X axis : Client IP<br/>Y axis : Count of request hits for that Client IP.<br />
|-<br />
|Time trend<br />
|Trend of request events over time. Useful to identify unusual spikes at a glance.<br/><br/>X axis : date & time<br/>Y axis : count of events<br />
|-<br />
|Summary Table<br />
|Detailed data with timestamp and count<br />
<br />
|}<br />
<br />
==== Some suggestions for useful interaction with this dashboard could be : ====<br />
<br />
#In the pie chart "Contribution of Referrer", click and select any one referrer. This isolates the count of hits for the selected referrer and also shows the server IPs and accessed URLs for it across the dashboard, i.e. the other pie charts, time trend and summary table show filtered information for this referrer only.<br />
#Alternatively, in the graph "Client IP wise Hits", click and select any one client IP. This isolates the request hits for that client IP and also shows the referrers and accessed URLs for it across the dashboard.<br />
<br />
=== IIS webserver loading delays Dashboard ===<br />
<br />
This dashboard shows the total time taken and the average time taken per accessed URI and per server IP, so slow or expensive requests can be spotted.<br />
<br />
==== Elements in the Dashboard are explained below : ====<br />
<br />
{| class="wikitable"<br />
|+ style="caption-side:bottom; color:#e76700;"|''IIS webserver loading delays Dashboard ''<br />
|-<br />
|'''Visualization'''<br />
|'''Description'''<br />
|-<br />
|URL wise Total Time<br />
|X axis : URLs<br/>Y axis : total time taken for each URL and the count of its most expensive requests.<br />
|-<br />
|Server IP Hits<br />
|X axis : Server IP<br/>Y axis : Count of request hits for that Server IP.<br />
|-<br />
| Contribution of Server IP<br />
|Pie chart of the share of requests by server IP.<br />
|-<br />
|Time trend<br />
|Trend of request events over time. Useful to identify unusual spikes at a glance.<br/><br/>X axis : date & time<br/>Y axis : count of events<br />
|-<br />
|Summary Table<br />
|Detailed data with timestamp and count<br />
<br />
|}<br />
<br />
==== Some suggestions for useful interaction with this dashboard could be : ====<br />
<br />
#In the bar graph "URL wise Total Time", click and select any one URL. The dashboard then shows the total time taken for the selected URL and the count of its most expensive requests, reflected across the dashboard, i.e. the other pie charts, time trend and summary table show filtered information for this URL only.<br />
#Alternatively, in the bar graph "Server IP Hits", click and select any one server IP; the rest of the elements on the dashboard then show data for that server IP only.<br />
<br />
=== IIS Webserver Avg Qtime Dashboard ===<br />
<br />
This dashboard shows the average time taken per accessed URL and per query string. <br />
<br />
==== Elements in the Dashboard are explained below : ====<br />
<br />
{| class="wikitable"<br />
|+ style="caption-side:bottom; color:#e76700;"|''IIS Webserver Avg Qtime Dashboard ''<br />
|-<br />
|'''Visualization'''<br />
|'''Description'''<br />
|-<br />
|URL wise Hits<br />
|X axis :Name of URL's<br/>Y axis : Count of request hits for that URL.<br />
|-<br />
|Server IP Hits<br />
|X axis : ServerIP<br/>Y axis : Count of request hits for that Server IP.<br />
|-<br />
| Contribution of Query<br />
|Pie chart of the share of requests by query string.<br />
|-<br />
|Time trend<br />
|Trend of request events over time. Useful to identify unusual spikes at a glance.<br/><br/>X axis : date & time<br/>Y axis : count of events<br />
|-<br />
|Summary Table<br />
|Detailed data with timestamp and count<br />
<br />
|}<br />
<br />
==== Some suggestions for useful interaction with this dashboard could be : ====<br />
<br />
#In the pie chart "Contribution of Query", select any one top query. This isolates the count of hits for the selected query and also the server IPs serving it, across the dashboard. <br />
#In the bar graph "URL wise Hits", select any one URL. This isolates the count of request hits for the selected URL and also the queries and server names for that URL across the dashboard, i.e. the other pie charts, time trend and summary table show filtered information for this URL only.<br />
<br />
=== KHIKA Alerts for IIS WebServer ===<br />
<br />
Alerts are generated in real time when certain critical behaviour is observed in the system. They are shown on the Alerts Dashboard in KHIKA and can also be sent by email to the relevant stakeholders. The details of KHIKA Alerts are described in [[KHIKA Alerts & Correlations|What are KHIKA Alerts]]. <br />
Click on “Alert Dashboard” on the left menu.<br />
Certain alerts for IIS Webserver are pre-canned and shipped with KHIKA, keeping in mind the requirements of the users. They are listed in the table below :<br />
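The three pre-canned alerts listed in the table below can be reproduced outside KHIKA to understand exactly what each one keys on. The Python script that follows is an added example, not KHIKA's own rule engine or code: it parses IIS W3C-format log lines, matches client IPs against a threat-intelligence list, flags POST/PUT requests whose target path has an executable extension, and flags a client that collects repeated 4xx errors for the same URL inside a one-minute window. The field layout, the extension list, the thresholds, the TI entries and the log lines are all assumptions constructed for the example.<br />

```python
"""Added example (not KHIKA code): the three pre-canned IIS alerts as plain
Python over W3C-format IIS log lines. Field layout, thresholds, extension
list, TI entries and log lines are assumptions made for illustration."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log in the default IIS W3C layout (not real traffic).
# IIS writes '+' for spaces inside a field, so whitespace splitting is safe.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2020-04-07 07:00:01 10.0.0.5 GET /index.html - 80 - 203.0.113.7 Mozilla/5.0 - 200 0 0 12
2020-04-07 07:00:05 10.0.0.5 GET /admin/ - 80 - 198.51.100.9 curl/7.68 - 404 0 2 3
2020-04-07 07:00:07 10.0.0.5 GET /admin/ - 80 - 198.51.100.9 curl/7.68 - 404 0 2 3
2020-04-07 07:00:09 10.0.0.5 GET /admin/ - 80 - 198.51.100.9 curl/7.68 - 404 0 2 3
2020-04-07 07:00:11 10.0.0.5 GET /admin/ - 80 - 198.51.100.9 curl/7.68 - 404 0 2 3
2020-04-07 07:00:30 10.0.0.5 POST /upload/shell.aspx - 80 alice 203.0.113.7 Mozilla/5.0 - 201 0 0 40
2020-04-07 07:03:00 10.0.0.5 GET /products.aspx id=5 80 - 192.0.2.44 Mozilla/5.0 http://example.com/ 200 0 0 25
2020-04-07 07:10:00 10.0.0.5 GET /admin/ - 80 - 198.51.100.9 curl/7.68 - 404 0 2 3
"""

# Constructed threat-intelligence entries in the shape the alert text
# describes: reporting communities plus a confidence score per bad IP.
SAMPLE_TI = {"192.0.2.44": {"communities": ["feedA", "feedB"], "confidence": 85}}

# Assumed list of "executable extensions"; KHIKA's actual list is not on the page.
EXECUTABLE_EXTS = (".exe", ".dll", ".so", ".asp", ".aspx", ".ashx", ".php",
                   ".jsp", ".ps1", ".bat", ".cmd", ".vbs", ".js", ".sh")


def parse_iis_w3c(text):
    """Map each data line onto the names from the most recent '#Fields:' header."""
    fields, records = [], []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            values = line.split()
            if len(values) != len(fields):
                continue  # drop truncated lines instead of mis-assigning columns
            rec = dict(zip(fields, values))
            rec["ts"] = datetime.strptime(rec["date"] + " " + rec["time"],
                                          "%Y-%m-%d %H:%M:%S")
            records.append(rec)
    return records


def bad_ip_contacts(records, ti):
    """Alert 1: count requests whose client IP appears on the TI list."""
    hits = defaultdict(int)
    for r in records:
        if r["c-ip"] in ti:
            hits[r["c-ip"]] += 1
    return dict(hits)


def _burst_keys(records, key_fn, threshold, window):
    """Keys (from key_fn) that collect `threshold` events inside a sliding window."""
    seen, flagged = defaultdict(deque), set()
    for r in sorted(records, key=lambda x: x["ts"]):
        k = key_fn(r)
        if k is None:
            continue
        q = seen[k]
        q.append(r["ts"])
        while r["ts"] - q[0] > window:  # evict events older than the window
            q.popleft()
        if len(q) >= threshold:
            flagged.add(k)
    return flagged


def dangerous_uploads(records, threshold=1, window=timedelta(minutes=1)):
    """Alert 2: POST/PUT whose target path ends in an executable extension.
    Only the request path is visible here, so a renamed upload is not caught."""
    def key(r):
        if (r["cs-method"] in ("POST", "PUT")
                and r["cs-uri-stem"].lower().endswith(EXECUTABLE_EXTS)):
            return (r["c-ip"], r["cs-uri-stem"])
        return None
    return _burst_keys(records, key, threshold, window)


def repeated_errors(records, threshold=3, window=timedelta(minutes=1)):
    """Alert 3: one client getting `threshold` 4xx responses for the same URL
    within the window (404, 405, ... all count)."""
    def key(r):
        if r["sc-status"].startswith("4"):
            return (r["c-ip"], r["cs-uri-stem"])
        return None
    return _burst_keys(records, key, threshold, window)


if __name__ == "__main__":
    recs = parse_iis_w3c(SAMPLE_LOG)
    print("bad IP contacts:  ", bad_ip_contacts(recs, SAMPLE_TI))
    print("dangerous uploads:", dangerous_uploads(recs))
    print("repeated errors:  ", repeated_errors(recs))
```

Run it with python3 to print the three result sets for the constructed sample. Two design points carry over to tuning the real alerts: the upload rule only sees the request path, so a renamed file slips past it and the uploaded content still needs inspection, and the error rule keys on (client IP, URL), so a scanner walking many different paths will not trip it unless errors are also counted per client across all URLs.<br />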
<br />
==== Alerts Description ====<br />
<br />
{| class="wikitable"<br />
|+ style="caption-side:bottom; color:#e76700;"|''Alert Details Table''<br />
|-<br />
|'''Alert Name'''<br />
|'''Description'''<br />
|'''Suggested Resolution'''<br />
|-<br />
|IIS communication with possible IOC or bad IP<br />
|This alert is triggered when a client IP with a bad reputation (a known indicator of compromise) communicates with the IIS Webserver.<br />
|KHIKA shares community based threat intelligence (TI) every 24 hours. The TI is a list of IP addresses with bad reputation. Every bad IP is marked with the number of communities reporting it, the name of each community, and a confidence score indicating how confident we are about the reputation. This alert is generated when communication with a bad IP is let through.<br />
If communication with a bad IP is happening, it must be blocked immediately as it could be a possible attack or data exfiltration. <br />
You can check how long this communication has been happening by simply searching for the malicious IP in the logs. You can also check which internal IP addresses are communicating with this IP address and track the real users behind those internal IP addresses.<br />
Cross-check the reputation of the IP with popular websites such as ipvoid.com and virustotal.com; TI entries with low confidence or few reporting communities are more likely to be false positives.<br />
If you see an internal IP constantly getting involved in malicious communication (with the same or multiple external IP addresses), you may install agents on the internal nodes involved and check the real user and process responsible for this communication.<br />
It is critical to block this rogue communication.<br />
|-<br />
|IIS dangerous content posted to webserver, files with executable extensions<br />
|This alert is triggered when a client posts files with executable extensions (executables, scripts, shared objects, etc.) to the webserver within a one-minute window.<br />
|Dangerous content has been posted to the webserver: a client has uploaded potentially dangerous files such as executables, scripts or shared objects.<br />
Kindly check the upload activity of the client, verify the uploaded content for policy violation, and confirm that the file cannot be executed from a web-accessible path. Note that the alert matches on the file extension only, so also inspect the content of uploads with innocuous names.<br />
|-<br />
|IIS multiple errors for same URL when it is not accessible<br />
|This alert is triggered when a client requests an invalid or unauthorized URL and gets multiple errors (such as 404, 405) for it within one minute.<br />
|Multiple errors are being returned for the same URL.<br />
This kind of alert may occur due to an incorrect application URL, e.g. a user trying to access an invalid or non-authorized URL. A burst of errors for many different URLs from the same client IP is more typical of a scanner or directory enumeration tool.<br />
Kindly check the legitimacy of the requesting users.<br />
|}</div>Dhanashree kulkarnihttp://khika.com/wiki/index.php?title=KHIKA_App_for_IIS_WebServer&diff=3070KHIKA App for IIS WebServer2020-04-07T07:29:06Z<p>Dhanashree kulkarni: /* Some suggestions for useful interaction with this dashboard could be : */</p>
<hr />
<div>== Introduction ==<br />
<br />
IIS webserver logs hold valuable information about each client's activity and communication with your servers. KHIKA visual analytics make it simpler to identify and pinpoint where risks are introduced so you can take preventive measures accordingly. The KHIKA App for IIS Webserver is aimed at giving you insights into behaviour, errors and traffic.<br />
<br />
With KHIKA App for IIS webserver, you can :<br />
*Monitor hundreds of IIS servers at a central place.<br />
*Monitor and see the http error trends.<br />
*Monitor top n URLs serviced / requested and their statistics.<br />
*See user wise request distribution on your servers<br />
<br />
Below, we explain the steps to configure the KHIKA App for IIS Webserver and interpret its output.<br />
<br />
The key steps are: <br />
#Install the KHIKA App for IIS Webserver<br />
#Get data from your IIS Webserver into the KHIKA Aggregator<br />
<br />
== How to Install the KHIKA App for IIS WebServer? ==<br />
<br />
The section assumes that you have already configured KHIKA Data Aggregator in your environment. If not, please read [[Getting Started with KHIKA SaaS#Installing and configuring KHIKA Data Aggregator|how to configure KHIKA Data Aggregator]] and perform the pre-requisite steps.<br />
<br />
This section explains how to pick and install the KHIKA application for IIS Webserver. Installing the application puts together and activates the adapter (parser) that handles the IIS webserver log format, along with the preconfigured dashboards and alert rules. <br />
<br />
Go to “Applications” tab in the “Configure” menu. <br />
<br />
[[File:node.jpg|500px]]<br />
<br />
Check whether the appropriate Workspace is selected.<br />
Note: Application is always loaded in a Workspace. Read the section on [[Accessing the KHIKA Gui#Creating a Workspace|Workspaces]] to know more about KHIKA Workspaces.<br />
Also select your KHIKA aggregator name in the Node dropdown. <br />
This is to ensure that we are collecting data from the desired source and into the correct workspace which is ready with the configured application and components.<br />
<br />
[[File:install_app.jpg|500px]]<br />
<br />
Click on the “+” button next to the IIS WebServer App. A pop up appears.<br />
<br />
[[File:install_app1.jpg|500px]]<br />
<br />
Users can now select the contents of the application required. For example, on the dropdown for “Reports”, click to expand it. List of all reports can be seen. User can individually select the reports required by checking on the checkbox next to each. Alternatively, check on “Select All” option to get all of them. <br />
Similarly you can select contents from Alerts and Dashboards.<br />
<br />
[[KHIKA Reports|What are KHIKA Reports]]<br />
<br />
[[KHIKA Dashboards|What are KHIKA Dashboards]]<br />
<br />
[[KHIKA Alerts & Correlations|What are KHIKA Alerts]]<br />
<br />
Click “Install” to proceed with the installation of the selected Application. <br />
If you have created multiple IIS webserver workspaces in KHIKA and installed the app in one of them previously, you will see the pop up below. <br />
<br />
[[File:App_alredy.JPG|500px]]<br />
<br />
Click on OK to proceed. If this is not the case, ignore this step. <br />
After successful installation, following status should be displayed. <br />
<br />
[[File:install_status.jpg|500px]]<br />
<br />
Click on Close button.<br />
This simple procedure to install a KHIKA App automatically configures the Adapter (required for parsing the raw log data), the KHIKA reports calculated on the raw data, the Visualizations, Dashboards and Alerts – all in one click.<br />
<br />
== How to get your IIS WebServer data into KHIKA ? ==<br />
<br />
KHIKA recommends the popular open source OSSEC integration to monitor IIS Webservers. <br />
There are 2 components in the OSSEC integration with KHIKA: <br />
#OSSEC Agent – installed on each server which we wish to monitor<br />
#OSSEC Server – present on the KHIKA Data Aggregator (which you have installed before)<br />
<br />
The OSSEC agent and server communicate with each other using a unique per-agent key that encrypts and authenticates the traffic. Treat this key as a credential: anyone holding it can inject log data as that agent, so hand it over only through a secure channel. <br />
The main steps to start getting data from an IIS Webserver are :<br />
#Add the webserver details in KHIKA<br />
#Extract a unique key for this device from KHIKA<br />
#Install the OSSEC agent on the webserver<br />
#Insert this key in the OSSEC agent (i.e. on your webserver to be monitored)<br />
#Reload the configuration in KHIKA<br />
#Verify data collection in KHIKA<br />
<br />
Each of these steps is explained in detail in the further sections.<br />
<br />
== Adding the device in the KHIKA ==<br />
<br />
Go to Adapter tab, from the “Configure” menu. Click on the “Manage Devices” icon. <br />
<br />
[[File:iis_manage_device_1.jpg|500px]]<br />
<br />
Pop up appears for device details <br />
<br />
[[File:Win7.jpg|500px]]<br />
<br />
Click on “Add / Modify Device” tab. Another pop up appears for device details.<br />
<br />
[[File:list_device_11.jpg|500px]]<br />
<br />
Enter the expected device name. Also, in the field for IP address, enter “any”. <br />
'''Please note : Always enter the IP Address as “any”.''' This is the safe and sure option for establishing the connection: it tells the OSSEC server to accept this agent from “any” of its configured IPs. The device may have multiple NIC cards/IP addresses, and unless we are sure which IP will be used for the connection, the connection will fail. Hence, use “any”. With “any”, the agent key is the only thing binding the connection to this device, which is another reason to keep the key confidential.<br />
<br />
Select appropriate time zone of this device. In the “Node” field dropdown, select the name of the Aggregator or local data collector for this device. <br />
Click on Submit. We get a success message and device is added successfully to this adaptor. <br />
<br />
[[File:iis_adding_device.jpg|500px]]<br />
<br />
Finally, go to Workspace tab and click on “Apply Configuration” icon.<br />
<br />
[[File:iis_10_1.jpg|500px]]<br />
<br />
We get a confirmation message here too, saying, “Changes Applied”<br />
<br />
== Extract key from KHIKA OSSEC Server ==<br />
<br />
Now the expected server is added in the relevant KHIKA Adapter (the parser that will handle this data type). To see this device entry, click on the “Manage Devices” icon next to the adapter.<br />
<br />
[[File:iis_manage_device_1.jpg|500px]]<br />
<br />
A pop up with device details of the adaptor appears. Select “List of Devices” tab.<br />
<br />
[[File:iis_12.jpg|500px]]<br />
<br />
Click on the “Get OSSEC Key” icon next to this device. <br />
<br />
[[File:get_ossec_key_1.jpg|500px]]<br />
<br />
[[File:iis_extract_key.jpg|500px]]<br />
<br />
This is the unique key for this device, created by the OSSEC server. Paste this key into the OSSEC agent installed on this webserver.<br />
<br />
== Installing OSSEC Agent for IIS WebServer ==<br />
<br />
Download [https://goo.gl/86gRQL Windows Ossec Agent from here].<br><br />
For IIS Webserver you will need to select the Windows installer with filename '''ossec-win32-agent.zip'''. This works for both 32-bit and 64-bit Windows server OS versions. Verify the downloaded archive against the checksum published by the OSSEC project before running it on a production server.<br />
<br />
Copy the downloaded installer to your webserver (using WinSCP or your favourite SCP client) and run the installer as a local "Administrator" on the server. <br />
Please note : It is extremely important to install the OSSEC agent with admin privileges, as the agent reads the security logs and needs local Administrator rights to do so.<br />
Select the installer file and press "Run".<br />
<br />
[[File:Win15.jpg|500px]]<br />
<br />
Click Next<br />
<br />
[[File:Win16.jpg|500px]]<br />
<br />
Select "I Agree" and proceed<br />
<br />
[[File:Win17.jpg|500px]]<br />
<br />
Keep the default selection in the next window and click Next<br />
<br />
[[File:Win18.jpg|500px]]<br />
<br />
Enter the location to install the OSSEC agent on the local drive and let the installation complete<br />
<br />
[[File:Win19.jpg|500px]]<br />
<br />
After the installation is complete, verify that the OSSEC HIDS Service is successfully installed on your WebServer. (Go to your Service Control Panel and check for OSSEC HIDS Service)<br />
<br />
[[File:Win20.jpg|500px]]<br />
<br />
NOTE :- You will have to repeat these steps on each Webserver that you wish to monitor using KHIKA.<br />
<br />
== Insert unique OSSEC key in Windows OSSEC Agent ==<br />
<br />
Perform the following simple steps on the agent on your webserver : <br />
In the OSSEC Agent installation directory, run win32ui.exe (Run as Administrator) to open the window shown below.<br />
<br />
[[File:Win21.jpg|500px]]<br />
<br />
In the field “OSSEC Server IP”, enter the IP address of the KHIKA data aggregator or collector node, paste the copied key (generated by the OSSEC server above) into the box against "Authentication key" and click Save. <br />
From the "Manage" drop-down, select "Restart" to restart the OSSEC agent, then click the Refresh button at the bottom next to Save.<br />
<br />
[[File:Win22.jpg|500px]]<br />
<br />
Wait for a few minutes. Repeat above steps for all the agents to be added.<br />
<br />
== Reload Configuration ==<br />
<br />
Log in to the KHIKA portal. <br />
*Go to Configure<br />
*Select workspace, here IIS_WebServer (or whatever you have named your workspace)<br />
*Go to Node Tab <br />
*Click Reload Config<br />
<br />
[[File:reload_conf.jpg|500px]]<br />
<br />
This step restarts the OSSEC Server.<br />
Wait a few minutes for the server to restart.<br />
<br />
== Verifying OSSEC data collection ==<br />
<br />
Once the device is added successfully, we can check the data for this device on the Discover screen. Go to “Discover” from the main menu. <br />
Select the appropriate index. Raw (KHIKA formatted) data from all the webservers you have added is seen here. <br />
<br />
[[File:Win24.jpg|500px]]<br />
<br />
To see the data for our newly added device, enter the search string in lower case – <br />
tl_src_host : name_of_the_device_added_in_lower_case <br />
and click on the search icon. If no events appear after a few minutes, confirm that the OSSEC HIDS service is running on the webserver, that the key was pasted exactly (no trailing whitespace), and that the webserver can reach the aggregator on the OSSEC agent port (UDP 1514 by default).<br />
<br />
== How to check the output of KHIKA IIS WebServer App ? ==<br />
<br />
<br />
=== IIS Webserver Http Error Status Dashboard ===<br />
<br />
This dashboard shows the HTTP status codes returned for accessed URLs. It also shows the top 10 most accessed URLs, the server IPs and their HTTP status codes. <br />
<br />
==== Elements in the Dashboard are explained below : ====<br />
<br />
{| class="wikitable"<br />
|+ style="caption-side:bottom; color:#e76700;"|''IIS Webserver Http Error Status Dashboard''<br />
|-<br />
|'''Visualization'''<br />
|'''Description'''<br />
|-<br />
|Server IP wise Status<br />
|X axis : Server IPs<br/> Y axis : count of requests, split by HTTP status code (200, 400, 404, etc.), for each server IP.<br />
|-<br />
|Client IP wise Status<br />
|X axis : Client IPs<br/> Y axis : count of requests, split by HTTP status code (200, 400, 404, 504, etc.), for each client IP.<br />
|-<br />
|Time trend<br />
|Trend of request events over time. Useful to identify unusual spikes at a glance.<br/><br/>X axis : date & time<br/>Y axis : count of events<br />
|-<br />
|Summary Table<br />
|Detailed data with timestamp and count<br />
<br />
|}<br />
<br />
==== Some suggestions for useful interaction with this dashboard could be : ====<br />
<br />
#In the graph "Server IP wise Status", click and select any one server IP. This isolates the status codes and URLs accessed for the selected server IP and is reflected across the dashboard, i.e. the other pie charts, time trend and summary table show filtered information for this server IP only.<br />
#Alternatively, in the graph "Client IP wise Status", click and select any one client IP. This isolates the status codes and URLs accessed for that client IP and is reflected across the dashboard.<br />
<br />
=== IIS Webserver Top N URL Dashboard ===<br />
<br />
This dashboard shows the top n requested URLs and their details, including the domain and the servers receiving the most hits. <br />
<br />
==== Elements in the Dashboard are explained below : ====<br />
<br />
{| class="wikitable"<br />
|+ style="caption-side:bottom; color:#e76700;"|''IIS Webserver Top N URL Dashboard''<br />
|-<br />
|'''Visualization'''<br />
|'''Description'''<br />
|-<br />
|Contribution of URL<br />
|Pie chart of the share of requests for the different URLs served.<br />
|-<br />
|Server Name wise Hits<br />
|X axis : Server names<br/>Y axis : count of request hits for each server.<br />
|-<br />
|Time trend<br />
|Trend of request events over time. Useful to identify unusual spikes at a glance.<br/><br/>X axis : date & time<br/>Y axis : count of events<br />
|-<br />
|Contribution of Domain<br />
|Pie chart of the share of requests by domain.<br />
|-<br />
|Summary Table<br />
|Detailed data with timestamp and count<br />
<br />
|}<br />
<br />
==== Some suggestions for useful interaction with this dashboard could be : ====<br />
<br />
#On the pie chart "Contribution of URL", select any one URL. This shows the number of hits for the selected URL, and the server names and domains for it, across the dashboard, making it easier to drill down and analyse. <br />
#In the "Contribution of Domain" pie, click any one domain; a filter is applied on the selected domain and the rest of the elements on the dashboard then show data for that domain only, such as the URLs for this domain, the server name, etc.<br />
<br />
=== IIS Webserver Total Requests Per User Dashboard ===<br />
<br />
This dashboard shows per-user detail: which users made requests and which URLs they accessed.<br />
<br />
==== Elements in the Dashboard are explained below : ====<br />
<br />
{| class="wikitable"<br />
|+ style="caption-side:bottom; color:#e76700;"|''IIS Webserver Total Request Per User Dashboard''<br />
|-<br />
|'''Visualization'''<br />
|'''Description'''<br />
|-<br />
|Contribution of Server Name<br />
|Pie chart of the share of requests by server name.<br />
|-<br />
|User wise Request<br />
|X axis : users<br/>Y axis : count of request hits for each user.<br />
|-<br />
|Time trend<br />
|Trend of request events over time. Useful to identify unusual spikes at a glance.<br/><br/>X axis : date & time<br/>Y axis : count of events<br />
|-<br />
|Summary Table<br />
|Detailed data with timestamp and count<br />
<br />
|}<br />
<br />
==== Some suggestions for useful interaction with this dashboard could be : ====<br />
<br />
#In the graph "User wise Request", click and select any one user. This isolates the request hits for the selected user and is reflected across the dashboard, i.e. the other pie charts, time trend and summary table show filtered information for this user only.<br />
#In the pie "Contribution of Server Name", click and select any one server name. This isolates the users and request hits for that server name and is reflected across the dashboard.<br />
<br />
=== IIS Webserver Traffic Categorization Dashboard ===<br />
<br />
This dashboard categorizes traffic as DIRECT or REFERRED (i.e. whether the request carried a referrer). It also shows the category per server IP, the top URLs and the servers.<br />
<br />
==== Elements in the Dashboard are explained below : ====<br />
<br />
{| class="wikitable"<br />
|+ style="caption-side:bottom; color:#e76700;"|''IIS Webserver Traffic Categorization Dashboard''<br />
|-<br />
|'''Visualization'''<br />
|'''Description'''<br />
|-<br />
|Server IP wise Category<br />
|X axis : Server IPs<br/> Y axis : count of requests per category.<br />
|-<br />
|Client IP wise Referrer<br />
|X axis : Client IPs<br/> Y axis : count of requests per referrer.<br />
|-<br />
|Contribution of URL<br />
|Pie chart of the share of requests by URL.<br />
|-<br />
|Contribution of Category<br />
|Pie chart of the share of requests by category (DIRECT or REFERRED).<br />
|-<br />
|Contribution of Referrer<br />
|Pie chart of the share of requests by referrer.<br />
|-<br />
|Time trend<br />
|Trend of request events over time. Useful to identify unusual spikes at a glance.<br/><br/>X axis : date & time <br/>Y axis : count of events<br />
|-<br />
|Summary Table<br />
|Detailed data with timestamp and count<br />
<br />
|}<br />
<br />
==== Some suggestions for useful interaction with this dashboard could be : ====<br />
#On the bar graph "Server IP wise Category", select any one server IP. This isolates the category and its count for the selected server IP, together with the domain and accessed URLs for that server IP, across the dashboard, i.e. the other pie charts, time trend and summary table show filtered information for this server IP only. <br />
#Conversely, on the bar graph "Client IP wise Referrer", click any one client IP to select it; the rest of the elements on the dashboard then show data for that client IP only.<br />
<br />
=== IIS Webserver Top N Referrers Dashboard ===<br />
<br />
This Dashboard shows the top referrers. Also gives the details of domain and top hits on server.<br />
<br />
==== Elements in the Dashboard are explained below : ====<br />
<br />
{| class="wikitable"<br />
|+ style="caption-side:bottom; color:#e76700;"|''IIS Webserver Top N Referrers Dashboard''<br />
|-<br />
|'''Visualization'''<br />
|'''Description'''<br />
|-<br />
|Contribution of Domain<br />
|This pie chart shows contribution of different types of Domain.<br />
|-<br />
|Server Name wise Hits<br />
|X axis : Server Names<br/> Y axis :Server name wise hits.<br />
|-<br />
|Contribution of Referrer<br />
|This pie chart shows contribution of different types of Referrers.<br />
|-<br />
|Time trend<br />
|Trend of login events over time. Useful to identify unusual spikes at a glance.<br/><br/>X axis : date & time<br/>Y axis : count of events<br />
|-<br />
|Summary Table<br />
|Detailed data with timestamp and count<br />
<br />
|}<br />
<br />
==== Some suggestions for useful interaction with this dashboard could be : ====<br />
<br />
#On the bar graph "Contribution of Referrer" select any one. This shall isolate count of requested hits for selected referrer and also shows domain and server name for selected referrer across the dashboard. i.e the other pie charts, time trends and summary table shall show filtered information for this referrer only. <br />
#Inversely, in the "Contribution of Domain" pie, click on any one domain to select and rest of the elements on the dashboard then show data for that domain only.<br />
<br />
=== IIS Webserver Referrer Detail Dashboard ===<br />
<br />
This dashboard shows referrer details. Also it shows top URL's, Referrer, client IP, which are requested for URL and server IP.<br />
<br />
==== Elements in the Dashboard are explained below : ====<br />
<br />
{| class="wikitable"<br />
|+ style="caption-side:bottom; color:#e76700;"|''IIS Webserver Referrer Detail Dashboard''<br />
|-<br />
|'''Visualization'''<br />
|'''Description'''<br />
|-<br />
|Contribution of Referrer<br />
|This pie chart shows contribution of different Referrers.<br />
|-<br />
|Contribution of URL<br />
|This pie chart shows contribution of different URLs .<br />
|-<br />
| Server IP wise Hits<br />
|X axis : Server IP<br/>Y axis : Count of request hits for that Server IP.<br />
|-<br />
| Client IP wise Hits<br />
|X axis : Client IP<br/>Y axis : Count of request hits for that Client IP.<br />
|-<br />
|Time trend<br />
|Trend of login events over time. Useful to identify unusual spikes at a glance.<br/><br/>X axis : date & time<br/>Y axis : count of events<br />
|-<br />
|Summary Table<br />
|Detailed data with timestamp and count<br />
<br />
|}<br />
<br />
==== Some suggestions for useful interaction with this dashboard could be : ====<br />
<br />
#In the pie chart "Contribution of Referrer" click and select any one referrer type.This shall isolate count of hits for that selected type and also shows server IP and accessed URL for that referrer type reflected across the dashboard. i.e the other pie charts, time trends and summary table shall show filtered information for this referrer type only.<br />
#Alternatively, in the graph "Client IP wise Hits" click and select any one client IP. This shall isolate request hits and also shows referrer and accessed URL for that client IP reflected across the dashboard.<br />
<br />
=== IIS webserver loading delays Dashboard ===<br />
<br />
This dashboard shows the information about total time taken ,average time taken for accessed URI ,server IP.<br />
<br />
==== Elements in the Dashboard are explained below : ====<br />
<br />
{| class="wikitable"<br />
|+ style="caption-side:bottom; color:#e76700;"|''IIS webserver loading delays Dashboard ''<br />
|-<br />
|'''Visualization'''<br />
|'''Description'''<br />
|-<br />
|URL wise Total Time<br />
|X axis : URL's<br/>Y axis : Total time required and count of most expensive request for particular URL.<br />
|-<br />
|Server IP Hits<br />
|X axis : Server IP<br/>Y axis : Count of request hits for that Server IP.<br />
|-<br />
| Contribution of Server IP<br />
|This pie chart shows contribution of different types of server IP.<br />
|-<br />
|Time trend<br />
|Trend of login events over time. Useful to identify unusual spikes at a glance.<br/><br/>X axis : date & time<br/>Y axis : count of events<br />
|-<br />
|Summary Table<br />
|Detailed data with timestamp and count<br />
<br />
|}<br />
<br />
==== Some suggestions for useful interaction with this dashboard could be : ====<br />
<br />
#In the bar graph "URL wise Total Time" click and select any one URL. The dashboard shall show total time required for that selected URL, count of most expensive request for that URL and reflected across the dashboard. i.e the other pie charts, time trends and summary table shall show filtered information for this URL only.<br />
#Alternatively, in the bar graph "Server IP Hits" click and select any one server IP. Click on the any one server IP to select and rest of the elements on the dashboard then show data for that server IP only.<br />
<br />
=== IIS Webserver Avg Qtime Dashboard ===<br />
<br />
This Dashboard shows the average time taken by accessed URL and it's query. <br />
<br />
==== Elements in the Dashboard are explained below : ====<br />
<br />
{| class="wikitable"<br />
|+ style="caption-side:bottom; color:#e76700;"|''IIS Webserver Avg Qtime Dashboard ''<br />
|-<br />
|'''Visualization'''<br />
|'''Description'''<br />
|-<br />
|URL wise Hits<br />
|X axis :Name of URL's<br/>Y axis : Count of request hits for that URL.<br />
|-<br />
|Server IP Hits<br />
|X axis : ServerIP<br/>Y axis : Count of request hits for that Server IP.<br />
|-<br />
| Contribution of Query<br />
|This pie chart shows contribution of different types of Query.<br />
|-<br />
|Time trend<br />
|Trend of login events over time. Useful to identify unusual spikes at a glance.<br/><br/>X axis : date & time<br/>Y axis : count of events<br />
|-<br />
|Summary Table<br />
|Detailed data with timestamp and count<br />
<br />
|}<br />
<br />
==== Some suggestions for useful interaction with this dashboard could be : ====<br />
<br />
#In the pie chart "Contribution of Query" select any one top Query. This shall isolate the count of hits for selected query and also server IP for selected query across the dashboard. <br />
#In the bar graph "URL wise Hits" select any one URL. This shall isolate the count of request hits for selected URL and also query and server name for that URL across the dashboard. i.e the other pie charts, time trends and summary table shall show filtered information for this URL only.<br />
<br />
=== KHIKA Alerts for IIS WebServer ===<br />
<br />
Alerts are generated in real time when certain critical behaviour is observed in the system. They are notified on the Alerts Dashboard in KHIKA and can also be received by email by the relevant stakeholders. The details of KHIKA Alerts are described on the KHIKA Alerts page.<br />
Click on “Alert Dashboard” in the left menu.<br />
Certain alerts for Windows are pre-canned and shipped with KHIKA, keeping in mind the requirements of users. They are listed in the table below:<br />
<br />
==== Alerts Description ====<br />
<br />
{| class="wikitable"<br />
|+ style="caption-side:bottom; color:#e76700;"|''Alert Details Table''<br />
|-<br />
|'''Alert Name'''<br />
|'''Description'''<br />
|'''Suggested Resolution'''<br />
|-<br />
|IIS communication with possible IOC or bad IP<br />
|This alert is triggered when malicious/bad IPs try to communicate with the IIS Webserver.<br />
|KHIKA shares community based threat intelligence (TI) every 24 hours. The TI has a list of IP addresses with bad reputation. Every bad IP is marked with the number of communities reporting it, the name of each community and a confidence value indicating how confident we are about the reputation. This alert is generated when communication with a bad IP is let through.<br />
If communication with a bad IP is happening, it must be blocked immediately, as it could be a possible attack or data exfiltration.<br />
You can check how long this communication has been happening by simply searching for the malicious IP in the logs. You can also check which internal IP addresses are communicating with this IP address and track the real users behind those internal IP addresses.<br />
Cross-check the reputation of the IP with popular websites such as ipvoid.com and virustotal.com.<br />
If you see an internal IP constantly involved in malicious communication (with the same or multiple external IP addresses), you may install agents on the internal nodes involved and check the real user and process responsible for this communication.<br />
It is critical to block this rogue communication.<br />
|-<br />
|IIS dangerous content posted to webserver, files with executable extensions<br />
|This alert is triggered when a client posts dangerous files to the webserver within one minute.<br />
|Dangerous content has been posted to the webserver: a client has posted potentially dangerous files such as executables, scripts, shared objects, etc.<br />
Kindly check the upload activity of the user and verify the uploaded content for policy violations.<br />
|-<br />
|IIS multiple errors for same URL when it is not accessible<br />
|This alert is triggered when a client tries to access an invalid/unauthorized URL and receives multiple errors such as 404 or 405 within one minute.<br />
|Multiple errors are being returned for the same URL.<br />
This kind of alert may occur due to an incorrect application URL, e.g. a user trying to access an invalid/non-authorized URL.<br />
Kindly check the legitimacy of the requesting users.<br />
|}</div>Dhanashree kulkarnihttp://khika.com/wiki/index.php?title=KHIKA_App_for_IIS_WebServer&diff=3069KHIKA App for IIS WebServer2020-04-07T07:27:03Z<p>Dhanashree kulkarni: /* IIS Webserver Traffic Categorization Dashboard */</p>
<hr />
<div>== Introduction ==<br />
<br />
IIS webserver logs contain valuable information about each client's activity and communication. KHIKA visual analytics make it simpler to identify and pinpoint where risks are introduced, so you can take preventive measures accordingly. The KHIKA App for IIS webserver aims to give you insights into behaviour, errors and traffic.<br />
<br />
With the KHIKA App for IIS webserver, you can:<br />
*Monitor hundreds of IIS servers from a central place.<br />
*Monitor HTTP error trends.<br />
*Monitor the top N URLs serviced / requested and their statistics.<br />
*See the user-wise request distribution on your servers.<br />
<br />
Below we explain the steps to configure the KHIKA App for IIS Webserver and interpret its output.<br />
<br />
The key steps are:<br />
#Install the KHIKA App for IIS Webserver<br />
#Get data from your IIS Webserver into the KHIKA Aggregator<br />
<br />
== How to Install the KHIKA App for IIS WebServer? ==<br />
<br />
This section assumes that you have already configured the KHIKA Data Aggregator in your environment. If not, please read [[Getting Started with KHIKA SaaS#Installing and configuring KHIKA Data Aggregator|how to configure KHIKA Data Aggregator]] and perform the prerequisite steps.<br />
<br />
This section explains how to pick and install the KHIKA application for IIS Webserver. Installing the application assembles and activates the adapter (parser) that handles the Windows data format, together with the preconfigured dashboards and alert rules.<br />
<br />
Go to “Applications” tab in the “Configure” menu. <br />
<br />
[[File:node.jpg|500px]]<br />
<br />
Check that the appropriate Workspace is selected.<br />
Note: an application is always loaded into a Workspace. Read the section on [[Accessing the KHIKA Gui#Creating a Workspace|Workspaces]] to learn more about KHIKA Workspaces.<br />
Also select your KHIKA aggregator name in the Node dropdown.<br />
This ensures that data is collected from the desired source into the correct workspace, which is ready with the configured application and its components.<br />
<br />
[[File:install_app.jpg|500px]]<br />
<br />
Click on the “+” button next to the IIS WebServer App. A pop up appears.<br />
<br />
[[File:install_app1.jpg|500px]]<br />
<br />
You can now select the required contents of the application. For example, click the dropdown for “Reports” to expand it and see the list of all reports. Select the reports you need individually by ticking the checkbox next to each, or tick “Select All” to get all of them.<br />
Similarly, you can select contents from Alerts and Dashboards.<br /><br />
<br />
[[KHIKA Reports|What are KHIKA Reports]]<br /><br />
<br />
[[KHIKA Dashboards|What are KHIKA Dashboards]]<br /><br />
<br />
[[KHIKA Alerts & Correlations|What are KHIKA Alerts]]<br /><br />
<br />
Click “Install” to proceed with the installation of the selected Application.<br />
If you have created multiple IIS webserver workspaces in KHIKA and installed the app previously, you will see the pop-up below.<br />
<br />
[[File:App_alredy.JPG|500px]]<br />
<br />
Click on OK to proceed. If this is not the case, ignore this step.<br />
After successful installation, the following status is displayed.<br />
<br />
[[File:install_status.jpg|500px]]<br />
<br />
Click on the Close button.<br />
This simple procedure to install a KHIKA App automatically configures the Adapter (required for parsing the data from raw syslogs), the calculated KHIKA reports on raw data, Visualizations, Dashboards and Alerts – all in one click.<br />
<br />
== How to get your IIS WebServer data into KHIKA ? ==<br />
<br />
KHIKA recommends the popular open source OSSEC integration to monitor IIS Webservers.<br />
There are two components in the OSSEC integration with KHIKA:<br />
#OSSEC Agent – Installed on each server which we wish to monitor<br />
#OSSEC Server – Present on KHIKA Data Aggregator (which you have installed before)<br />
<br />
The OSSEC agent and server communicate with each other using a unique key for encryption.<br />
The main steps to start getting data from an IIS Webserver are:<br />
#Add the webserver details in KHIKA<br />
#Extract a unique key for this device from KHIKA<br />
#Install the OSSEC agent on the Webserver<br />
#Insert this key in the OSSEC agent (i.e. on the Webserver to be monitored)<br />
#Reload the configuration in KHIKA<br />
#Verify data collection in KHIKA<br />
<br />
Each of these steps is explained in detail in the further sections.<br />
<br />
== Adding the device in the KHIKA ==<br />
<br />
Go to the Adapter tab from the “Configure” menu and click on the “Manage Devices” icon.<br />
<br />
[[File:iis_manage_device_1.jpg|500px]]<br />
<br />
A pop-up appears for device details.<br />
<br />
[[File:Win7.jpg|500px]]<br />
<br />
Click on the “Add / Modify Device” tab. Another pop-up appears for the device details.<br />
<br />
[[File:list_device_11.jpg|500px]]<br />
<br />
Enter the expected device name. In the field for IP address, enter “any”.<br />
'''Please note: always enter the IP Address as “any”.''' This is the safe and sure way to establish a connection with the server: it tells the OSSEC agent to use any of its configured IPs to connect to the OSSEC Server. The device may have multiple NICs/IP addresses, and unless we are sure which IP will be used for the connection, the connection will fail. Hence, use “any”.<br />
<br />
Select the appropriate time zone for this device. In the “Node” dropdown, select the name of the Aggregator or local data collector for this device.<br />
Click on Submit. A success message confirms that the device has been added to this adapter.<br />
<br />
[[File:iis_adding_device.jpg|500px]]<br />
<br />
Finally, go to the Workspace tab and click on the “Apply Configuration” icon.<br />
<br />
[[File:iis_10_1.jpg|500px]]<br />
<br />
We get a confirmation message here too, saying “Changes Applied”.<br />
<br />
== Extract key from KHIKA OSSEC Server ==<br />
<br />
The server is now added to the relevant KHIKA Adapter, the parser that will handle this data type. To see this device entry, click on the “Manage Devices” icon next to the adapter.<br />
<br />
[[File:iis_manage_device_1.jpg|500px]]<br />
<br />
A pop-up with the device details of the adapter appears. Select the “List of Devices” tab.<br />
<br />
[[File:iis_12.jpg|500px]]<br />
<br />
Click on the “Get OSSEC Key” icon next to this device. <br />
<br />
[[File:get_ossec_key_1.jpg|500px]]<br />
<br />
[[File:iis_extract_key.jpg|500px]]<br />
<br />
This is the unique key for this device, created by the OSSEC server. Paste this key into the OSSEC agent installed on this Webserver.<br />
<br />
== Installing OSSEC Agent for IIS WebServer ==<br />
<br />
Download the [https://goo.gl/86gRQL Windows OSSEC Agent from here].<br /><br />
For an IIS Webserver you will need to select the Windows installer with filename '''ossec-win32-agent.zip'''. This works for both 32-bit and 64-bit Windows Server OS versions.<br />
<br />
Copy the downloaded installer to your Webserver (using WinSCP or your favourite SCP client) and run the installer as the local "Admin" on the server.<br />
Please note: it is extremely important to install the OSSEC agent with admin privileges, because the agent reads the security logs and can only read them successfully as the local Admin.<br />
Select the installer file and press "Run".<br />
<br />
[[File:Win15.jpg|500px]]<br />
<br />
Click Next<br />
<br />
[[File:Win16.jpg|500px]]<br />
<br />
Select "I Agree" and proceed<br />
<br />
[[File:Win17.jpg|500px]]<br />
<br />
Keep the default selection in the next window and click Next<br />
<br />
[[File:Win18.jpg|500px]]<br />
<br />
Enter the location to install the OSSEC agent on the local drive and let the installation complete.<br />
<br />
[[File:Win19.jpg|500px]]<br />
<br />
After the installation is complete, verify that the OSSEC HIDS Service is successfully installed on your WebServer. (Go to your Service Control Panel and check for OSSEC HIDS Service)<br />
<br />
[[File:Win20.jpg|500px]]<br />
<br />
NOTE: You will have to repeat these steps on each Webserver that you wish to monitor using KHIKA.<br />
<br />
== Insert unique OSSEC key in Windows OSSEC Agent ==<br />
<br />
Perform the following simple steps on the agent on your Webserver:<br />
In the OSSEC Agent installation directory, run win32ui.exe as Administrator to open the window shown below.<br />
<br />
[[File:Win21.jpg|500px]]<br />
<br />
In the field “OSSEC Server IP”, enter the IP address of the KHIKA data aggregator or collector node, paste the copied key (generated by the OSSEC server above) into the box against "Authentication key" and click Save.<br />
From the "Manage" drop-down, select "Restart" to restart the OSSEC Agent. Then click the Refresh button at the bottom, next to Save.<br />
<br />
[[File:Win22.jpg|500px]]<br />
<br />
Wait for a few minutes. Repeat the above steps for all the agents to be added.<br />
<br />
== Reload Configuration ==<br />
<br />
Log in to the KHIKA portal.<br />
*Go to Configure<br />
*Select workspace, here IIS_WebServer (or whatever you have named your workspace)<br />
*Go to Node Tab <br />
*Click Reload Config<br />
<br />
[[File:reload_conf.jpg|500px]]<br />
<br />
This step restarts the OSSEC Server.<br />
Wait a few minutes for the server to restart.<br />
<br />
== Verifying OSSEC data collection ==<br />
<br />
Once the device is added successfully, we can check the data for this device on the Discover screen. Go to “Discover” from the main menu.<br />
Select the appropriate index. The raw (KHIKA formatted) data of all the Webservers you have added is shown here.<br />
<br />
[[File:Win24.jpg|500px]]<br />
<br />
To see the data for the newly added device, enter the search string in lower case:<br />
tl_src_host : name_of_the_device_added_in_lower_case<br />
and click on the search icon.<br />
<br />
== How to check the output of KHIKA IIS WebServer App ? ==<br />
<br />
<br />
=== IIS Webserver Http Error Status Dashboard ===<br />
<br />
This dashboard shows the HTTP status codes for accessed URLs. It also shows the top 10 most accessed URLs, server IPs and HTTP status codes.<br />
<br />
==== Elements in the Dashboard are explained below : ====<br />
<br />
{| class="wikitable"<br />
|+ style="caption-side:bottom; color:#e76700;"|''IIS Webserver Http Error Status Dashboard''<br />
|-<br />
|'''Visualization'''<br />
|'''Description'''<br />
|-<br />
|Server IP wise Status<br />
|X axis : Server IPs<br/> Y axis : Server IP status codes like 200,400,404, etc.<br />
|-<br />
|Client IP wise Status<br />
|X axis : Client IPs<br/> Y axis : Client IP status code like 200,400,404,504, etc.<br />
|-<br />
|Time trend<br />
|Trend of login events over time. Useful to identify unusual spikes at a glance.<br/><br/>X axis : date & time<br/>Y axis : count of events<br />
|-<br />
|Summary Table<br />
|Detailed data with timestamp and count<br />
<br />
|}<br />
<br />
==== Some suggestions for useful interaction with this dashboard could be : ====<br />
<br />
#In the graph "Server IP wise Status", click and select any one server IP. This isolates the status codes and URLs accessed for the selected server IP and is reflected across the dashboard, i.e. the other pie charts, time trends and summary table show filtered information for this server IP only.<br />
#Alternatively, in the graph "Client IP wise Status", click and select any one client IP. This isolates the status codes and URLs accessed for the selected client IP and is reflected across the dashboard.<br />
<br />
=== IIS Webserver Top N URL Dashboard ===<br />
<br />
This dashboard shows the top N requested URLs and their details, including the domain and the top hits on each server.<br />
<br />
==== Elements in the Dashboard are explained below : ====<br />
<br />
{| class="wikitable"<br />
|+ style="caption-side:bottom; color:#e76700;"|''IIS Webserver Top N URL Dashboard''<br />
|-<br />
|'''Visualization'''<br />
|'''Description'''<br />
|-<br />
|Contribution of URL<br />
|This pie chart shows different URLs accessed by server.<br />
|-<br />
|Server Name wise Hits<br />
|X axis : Names of Server<br/>Y axis : Count of such request hits for each server.<br />
|-<br />
|Time trend<br />
|Trend of login events over time. Useful to identify unusual spikes at a glance.<br/><br/>X axis : date & time<br/>Y axis : count of events<br />
|-<br />
|Contribution of Domain<br />
|This pie chart shows different types of domain.<br />
|-<br />
|Summary Table<br />
|Detailed data with timestamp and count<br />
<br />
|}<br />
<br />
==== Some suggestions for useful interaction with this dashboard could be : ====<br />
<br />
#In the pie chart "Contribution of URL", select any one URL. This shows the number of hits for the requested URL, plus the server names and domain for the selected URL, across the dashboard, making it easier to drill down and analyse.<br />
#In the "Contribution of Domain" pie, click on any one domain. A filter is applied on the selected domain and the rest of the elements on the dashboard then show data for that domain only, such as the URLs for this domain and the server names.<br />
<br />
=== IIS Webserver Total Requests Per User Dashboard ===<br />
<br />
This dashboard shows detailed information about users and the URLs they requested.<br />
<br />
==== Elements in the Dashboard are explained below : ====<br />
<br />
{| class="wikitable"<br />
|+ style="caption-side:bottom; color:#e76700;"|''IIS Webserver Total Request Per User Dashboard''<br />
|-<br />
|'''Visualization'''<br />
|'''Description'''<br />
|-<br />
|Contribution of Server Name<br />
|This pie chart shows contribution of servers.<br />
|-<br />
|User wise Request<br />
|X axis : one or more user<br/>Y axis : Count of request hits for that user.<br />
|-<br />
|Time trend<br />
|Trend of login events over time. Useful to identify unusual spikes at a glance.<br/><br/>X axis : date & time<br/>Y axis : count of events<br />
|-<br />
|Summary Table<br />
|Detailed data with timestamp and count<br />
<br />
|}<br />
<br />
==== Some suggestions for useful interaction with this dashboard could be : ====<br />
<br />
#In the graph "User wise Request", click and select any one user. This isolates the request hits for the selected user and is reflected across the dashboard, i.e. the other pie charts, time trends and summary tables show filtered information for this user only.<br />
#In the pie "Contribution of Server Name", click and select any one server name. This isolates the users and request hits for that server name and is reflected across the dashboard.<br />
<br />
=== IIS Webserver Traffic Categorization Dashboard ===<br />
<br />
This dashboard shows the traffic categorization, such as DIRECT or REFERRED. It also shows the server IP wise category, top URLs and servers.<br />
<br />
==== Elements in the Dashboard are explained below : ====<br />
<br />
{| class="wikitable"<br />
|+ style="caption-side:bottom; color:#e76700;"|''IIS Webserver Traffic Categorization Dashboard''<br />
|-<br />
|'''Visualization'''<br />
|'''Description'''<br />
|-<br />
|Server IP wise Category<br />
|X axis : Server IPs<br/> Y axis : count of Category.<br />
|-<br />
|Client IP wise Referrer<br />
|X axis : Client IPs<br/> Y axis : count of Referrer.<br />
|-<br />
|Contribution of URL<br />
|This pie chart shows contribution of different types of URL <br />
|-<br />
|Contribution of Category<br />
|This pie chart shows contribution of different types of Category.<br />
|-<br />
|Contribution of Referrer<br />
|This pie chart shows contribution of different types of Referrer.<br />
|-<br />
|Time trend<br />
|Trend of login events over time. Useful to identify unusual spikes at a glance.<br/><br/>X axis : date & time <br/>Y axis : count of events<br />
|-<br />
|Summary Table<br />
|Detailed data with timestamp and count<br />
<br />
|}<br />
<br />
==== Some suggestions for useful interaction with this dashboard could be : ====<br />
<br />
#In the bar graph "Server IP wise Category", select any one server IP. This isolates the categories and their counts for the selected server IP, plus the domains and accessed URLs for that server IP, across the dashboard, i.e. the other pie charts, time trends and summary table show filtered information for this server IP only.<br />
#Inversely, in the bar graph "Client IP wise Referrer", click on any one client IP to select it; the rest of the elements on the dashboard then show data for that client IP only.<br />
<br />
=== IIS Webserver Top N Referrers Dashboard ===<br />
<br />
This dashboard shows the top referrers. It also gives the details of the domains and the top hits on each server.<br />
<br />
==== Elements in the Dashboard are explained below : ====<br />
<br />
{| class="wikitable"<br />
|+ style="caption-side:bottom; color:#e76700;"|''IIS Webserver Top N Referrers Dashboard''<br />
|-<br />
|'''Visualization'''<br />
|'''Description'''<br />
|-<br />
|Contribution of Domain<br />
|This pie chart shows contribution of different types of Domain.<br />
|-<br />
|Server Name wise Hits<br />
|X axis : Server Names<br/> Y axis :Server name wise hits.<br />
|-<br />
|Contribution of Referrer<br />
|This pie chart shows contribution of different types of Referrers.<br />
|-<br />
|Time trend<br />
|Trend of login events over time. Useful to identify unusual spikes at a glance.<br/><br/>X axis : date & time<br/>Y axis : count of events<br />
|-<br />
|Summary Table<br />
|Detailed data with timestamp and count<br />
<br />
|}<br />
<br />
==== Some suggestions for useful interaction with this dashboard could be : ====<br />
<br />
#In the "Contribution of Referrer" chart, select any one referrer. This isolates the count of request hits for the selected referrer and also shows the domains and server names for that referrer across the dashboard, i.e. the other pie charts, time trends and summary table show filtered information for this referrer only.<br />
#Inversely, in the "Contribution of Domain" pie, click on any one domain to select it; the rest of the elements on the dashboard then show data for that domain only.<br />
<br />
=== IIS Webserver Referrer Detail Dashboard ===<br />
<br />
This dashboard shows referrer details, along with the top URLs, referrers, client IPs and server IPs for the requested URLs.<br />
<br />
==== Elements in the Dashboard are explained below : ====<br />
<br />
{| class="wikitable"<br />
|+ style="caption-side:bottom; color:#e76700;"|''IIS Webserver Referrer Detail Dashboard''<br />
|-<br />
|'''Visualization'''<br />
|'''Description'''<br />
|-<br />
|Contribution of Referrer<br />
|This pie chart shows contribution of different Referrers.<br />
|-<br />
|Contribution of URL<br />
|This pie chart shows contribution of different URLs .<br />
|-<br />
| Server IP wise Hits<br />
|X axis : Server IP<br/>Y axis : Count of request hits for that Server IP.<br />
|-<br />
| Client IP wise Hits<br />
|X axis : Client IP<br/>Y axis : Count of request hits for that Client IP.<br />
|-<br />
|Time trend<br />
|Trend of login events over time. Useful to identify unusual spikes at a glance.<br/><br/>X axis : date & time<br/>Y axis : count of events<br />
|-<br />
|Summary Table<br />
|Detailed data with timestamp and count<br />
<br />
|}<br />
<br />
==== Some suggestions for useful interaction with this dashboard could be : ====<br />
<br />
#In the pie chart "Contribution of Referrer", click and select any one referrer type. This isolates the count of hits for the selected type and also shows the server IPs and accessed URLs for that referrer type, reflected across the dashboard, i.e. the other pie charts, time trends and summary table show filtered information for this referrer type only.<br />
#Alternatively, in the graph "Client IP wise Hits", click and select any one client IP. This isolates the request hits and also shows the referrers and accessed URLs for that client IP, reflected across the dashboard.<br />
<br />
=== IIS webserver loading delays Dashboard ===<br />
<br />
This dashboard shows the total and average time taken for each accessed URI and server IP.<br />
<br />
==== Elements in the Dashboard are explained below : ====<br />
<br />
{| class="wikitable"<br />
|+ style="caption-side:bottom; color:#e76700;"|''IIS webserver loading delays Dashboard ''<br />
|-<br />
|'''Visualization'''<br />
|'''Description'''<br />
|-<br />
|URL wise Total Time<br />
|X axis : URL's<br/>Y axis : Total time required and count of most expensive request for particular URL.<br />
|-<br />
|Server IP Hits<br />
|X axis : Server IP<br/>Y axis : Count of request hits for that Server IP.<br />
|-<br />
| Contribution of Server IP<br />
|This pie chart shows contribution of different types of server IP.<br />
|-<br />
|Time trend<br />
|Trend of login events over time. Useful to identify unusual spikes at a glance.<br/><br/>X axis : date & time<br/>Y axis : count of events<br />
|-<br />
|Summary Table<br />
|Detailed data with timestamp and count<br />
<br />
|}<br />
<br />
==== Some suggestions for useful interaction with this dashboard could be : ====<br />
<br />
#In the bar graph "URL wise Total Time", click and select any one URL. The dashboard shows the total time required for the selected URL and the count of the most expensive requests for that URL, reflected across the dashboard, i.e. the other pie charts, time trends and summary table show filtered information for this URL only.<br />
#Alternatively, in the bar graph "Server IP Hits", click and select any one server IP; the rest of the elements on the dashboard then show data for that server IP only.<br />
<br />
=== IIS Webserver Avg Qtime Dashboard ===<br />
<br />
This dashboard shows the average time taken by each accessed URL and its query.<br />
<br />
==== Elements in the Dashboard are explained below : ====<br />
<br />
{| class="wikitable"<br />
|+ style="caption-side:bottom; color:#e76700;"|''IIS Webserver Avg Qtime Dashboard ''<br />
|-<br />
|'''Visualization'''<br />
|'''Description'''<br />
|-<br />
|URL wise Hits<br />
|X axis :Name of URL's<br/>Y axis : Count of request hits for that URL.<br />
|-<br />
|Server IP Hits<br />
|X axis : ServerIP<br/>Y axis : Count of request hits for that Server IP.<br />
|-<br />
| Contribution of Query<br />
|This pie chart shows contribution of different types of Query.<br />
|-<br />
|Time trend<br />
|Trend of login events over time. Useful to identify unusual spikes at a glance.<br/><br/>X axis : date & time<br/>Y axis : count of events<br />
|-<br />
|Summary Table<br />
|Detailed data with timestamp and count<br />
<br />
|}<br />
<br />
==== Some suggestions for useful interaction with this dashboard could be : ====<br />
<br />
#In the pie chart "Contribution of Query", select any one top query. This isolates the count of hits for the selected query and the server IPs for that query across the dashboard.<br />
#In the bar graph "URL wise Hits", select any one URL. This isolates the count of request hits for the selected URL, plus the queries and server names for that URL, across the dashboard, i.e. the other pie charts, time trends and summary table show filtered information for this URL only.<br />
<br />
=== KHIKA Alerts for IIS WebServer ===<br />
<br />
Alerts are generated in real time when certain critical behaviour is observed in the system. They are notified on the Alerts Dashboard in KHIKA and can also be received by email by the relevant stakeholders. The details of KHIKA Alerts are described on the KHIKA Alerts page.<br />
Click on “Alert Dashboard” in the left menu.<br />
Certain alerts for Windows are pre-canned and shipped with KHIKA, keeping in mind the requirements of users. They are listed in the table below:<br />
<br />
==== Alerts Description ====<br />
<br />
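The three pre-canned alerts listed in the table below, re-implemented here as plain detection logic over a few constructed IIS W3C log lines. This is an added example and not KHIKA's own rule engine or field names; the threat-intel list, the executable-extension list and the one-minute / three-error thresholds are assumptions standing in for the KHIKA TI feed and rule settings.<br />
<br />
```python
"""Illustrative re-implementation of the three pre-canned IIS alerts described
on this page, run over constructed IIS W3C log lines. Example code only: KHIKA's
real rule engine, field names and TI feed are not used here."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: IIS W3C extended log with an explicit #Fields directive.
# One POST of an executable, four 4xx errors for the same URL from one client
# (three of them inside one minute), and one request from a listed bad IP.
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip sc-status time-taken
2020-04-07 07:00:01 10.0.0.5 GET /index.html - 80 - 192.0.2.10 200 120
2020-04-07 07:00:05 10.0.0.5 POST /upload/report.exe - 80 - 192.0.2.10 201 340
2020-04-07 07:00:09 10.0.0.5 GET /admin/config - 80 - 192.0.2.20 404 15
2020-04-07 07:00:21 10.0.0.5 GET /admin/config - 80 - 192.0.2.20 404 12
2020-04-07 07:00:40 10.0.0.5 GET /admin/config - 80 - 192.0.2.20 405 11
2020-04-07 07:02:30 10.0.0.5 GET /admin/config - 80 - 192.0.2.20 404 10
2020-04-07 07:03:00 10.0.0.5 GET /index.html - 80 - 198.51.100.7 200 98
"""

# Constructed stand-in for the daily community threat-intelligence (TI) list.
BAD_IPS = {"198.51.100.7"}

# Assumed list of extensions treated as "executable content" for alert 2.
DANGEROUS_EXTENSIONS = (".exe", ".dll", ".so", ".ps1", ".bat", ".cmd",
                        ".vbs", ".sh", ".asp", ".aspx", ".php")


def parse_w3c(text):
    """Yield one dict per request line, naming columns from the #Fields directive."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split()
        if fields is None or len(values) != len(fields):
            continue  # skip malformed lines rather than guess at columns
        rec = dict(zip(fields, values))
        rec["ts"] = datetime.strptime(rec["date"] + " " + rec["time"],
                                      "%Y-%m-%d %H:%M:%S")
        rec["sc-status"] = int(rec["sc-status"])
        rec["time-taken"] = int(rec["time-taken"])
        yield rec


def bad_ip_alerts(records, bad_ips):
    """Alert 1: any request whose client IP appears on the TI bad-IP list."""
    return [(r["ts"], r["c-ip"], r["cs-uri-stem"])
            for r in records if r["c-ip"] in bad_ips]


def dangerous_upload_alerts(records, extensions=DANGEROUS_EXTENSIONS):
    """Alert 2: POST/PUT to a path whose extension marks executable content."""
    hits = []
    for r in records:
        if r["cs-method"] in ("POST", "PUT") and \
                r["cs-uri-stem"].lower().endswith(extensions):
            hits.append((r["ts"], r["c-ip"], r["cs-uri-stem"]))
    return hits


def repeated_error_alerts(records, threshold=3, window=timedelta(minutes=1)):
    """Alert 3: `threshold` or more 4xx responses for the same (client, URL)
    pair inside a sliding `window`. Returns (client, url, first_ts, last_ts)."""
    by_key = defaultdict(list)
    for r in records:
        if 400 <= r["sc-status"] < 500:
            by_key[(r["c-ip"], r["cs-uri-stem"])].append(r["ts"])
    alerts = []
    for (client, url), times in by_key.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1  # slide the window forward until it fits
            if end - start + 1 >= threshold:
                alerts.append((client, url, times[start], times[end]))
                break  # one alert per (client, url) is enough
    return alerts


def run(text=SAMPLE_LOG, bad_ips=BAD_IPS):
    """Evaluate all three alerts over one log and return them by name."""
    records = list(parse_w3c(text))
    return {
        "bad_ip": bad_ip_alerts(records, bad_ips),
        "dangerous_upload": dangerous_upload_alerts(records),
        "repeated_errors": repeated_error_alerts(records),
    }


if __name__ == "__main__":
    for name, value in run().items():
        print(name, value)
```
<br />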
{| class="wikitable"<br />
|+ style="caption-side:bottom; color:#e76700;"|''Alert Details Table''<br />
|-<br />
|'''Alert Name'''<br />
|'''Description'''<br />
|'''Suggested Resolution'''<br />
|-<br />
|IIS communication with possible IOC or bad IP<br />
|This alert is triggered when malicious/bad IPs try to communicate with the IIS Webserver.<br />
|KHIKA shares community based threat intelligence (TI) every 24 hours. The TI has a list of IP addresses with bad reputation. Every bad IP is marked with the number of communities reporting it, the name of each community and a confidence value indicating how confident we are about the reputation. This alert is generated when communication with a bad IP is let through.<br />
If communication with a bad IP is happening, it must be blocked immediately, as it could be a possible attack or data exfiltration.<br />
You can check how long this communication has been happening by simply searching for the malicious IP in the logs. You can also check which internal IP addresses are communicating with this IP address and track the real users behind those internal IP addresses.<br />
Cross-check the reputation of the IP with popular websites such as ipvoid.com and virustotal.com.<br />
If you see an internal IP constantly involved in malicious communication (with the same or multiple external IP addresses), you may install agents on the internal nodes involved and check the real user and process responsible for this communication.<br />
It is critical to block this rogue communication.<br />
|-<br />
|IIS dangerous content posted to webserver, files with executable extensions<br />
|This alert is triggered when a client posts dangerous files to the webserver within one minute.<br />
|Dangerous content has been posted to the webserver: a client has posted potentially dangerous files such as executables, scripts, shared objects, etc.<br />
Kindly check the upload activity of the user and verify the uploaded content for policy violations.<br />
|-<br />
|IIS multiple errors for same URL when it is not accessible<br />
|This alert is triggered when a client tries to access an invalid/unauthorized URL and receives multiple errors such as 404 or 405 within one minute.<br />
|Multiple errors are being returned for the same URL.<br />
This kind of alert may occur due to an incorrect application URL, e.g. a user trying to access an invalid/non-authorized URL.<br />
Kindly check the legitimacy of the requesting users.<br />
|}</div>Dhanashree kulkarnihttp://khika.com/wiki/index.php?title=KHIKA_App_for_IIS_WebServer&diff=3068KHIKA App for IIS WebServer2020-04-07T07:11:59Z<p>Dhanashree kulkarni: /* IIS Webserver Total Request Per User Dashboard */</p>
<hr />
<div>== Introduction ==<br />
<br />
IIS webserver logs contain valuable information about each client's activity and communication. KHIKA visual analytics make it simpler to identify and pinpoint where risks are introduced, so you can take preventive measures accordingly. The KHIKA App for IIS webserver aims to give you insights into behaviour, errors and traffic.<br />
<br />
With the KHIKA App for IIS webserver, you can:<br />
*Monitor hundreds of IIS servers from a central place.<br />
*Monitor HTTP error trends.<br />
*Monitor the top N URLs serviced / requested and their statistics.<br />
*See the user-wise request distribution on your servers.<br />
<br />
Below we explain the steps to configure the KHIKA App for IIS Webserver and interpret its output.<br />
<br />
The key steps are:<br />
#Install the KHIKA App for IIS Webserver<br />
#Get data from your IIS Webserver into the KHIKA Aggregator<br />
<br />
== How to Install the KHIKA App for IIS WebServer? ==<br />
<br />
This section assumes that you have already configured the KHIKA Data Aggregator in your environment. If not, please read [[Getting Started with KHIKA SaaS#Installing and configuring KHIKA Data Aggregator|how to configure KHIKA Data Aggregator]] and perform the prerequisite steps.<br />
<br />
This section explains how to pick and install the KHIKA application for IIS Webserver. Installing the application assembles and activates the adapter (parser) that handles the Windows data format, together with the preconfigured dashboards and alert rules.<br />
<br />
Go to “Applications” tab in the “Configure” menu. <br />
<br />
[[File:node.jpg|500px]]<br />
<br />
Check that the appropriate Workspace is selected.<br />
Note: an application is always loaded into a Workspace. Read the section on [[Accessing the KHIKA Gui#Creating a Workspace|Workspaces]] to learn more about KHIKA Workspaces.<br />
Also select your KHIKA aggregator name in the Node dropdown.<br />
This ensures that data is collected from the desired source into the correct workspace, which is ready with the configured application and its components.<br />
<br />
[[File:install_app.jpg|500px]]<br />
<br />
Click on the “+” button next to the IIS WebServer App. A pop up appears.<br />
<br />
[[File:install_app1.jpg|500px]]<br />
<br />
You can now select the contents of the application required. For example, click the dropdown for “Reports” to expand it; the list of all reports is shown. Select the reports required individually by ticking the checkbox next to each, or tick “Select All” to get all of them.<br />
Similarly, you can select contents from Alerts and Dashboards.<br />
<br />
[[KHIKA Reports|What are KHIKA Reports]]<br />
<br />
[[KHIKA Dashboards|What are KHIKA Dashboards]]<br />
<br />
[[KHIKA Alerts & Correlations|What are KHIKA Alerts]]<br />
<br />
Click “Install” to proceed with the installation of the selected Application.<br />
If you have created multiple IIS webserver workspaces in KHIKA and installed the app previously, you will get the pop-up below.<br />
<br />
[[File:App_alredy.JPG|500px]]<br />
<br />
Click OK to proceed. If this is not the case, ignore this step.<br />
After successful installation, the following status should be displayed.<br />
<br />
[[File:install_status.jpg|500px]]<br />
<br />
Click the Close button.<br />
This simple procedure to install a KHIKA App automatically configures the Adapter (required for parsing the data from raw syslogs), the calculated KHIKA reports on raw data, Visualizations, Dashboards and Alerts – all in one click.<br />
<br />
== How to get your IIS WebServer data into KHIKA ? ==<br />
<br />
KHIKA recommends the popular open source OSSEC integration to monitor IIS Webservers.<br />
There are two components in the OSSEC integration with KHIKA:<br />
#OSSEC Agent – installed on each server that you wish to monitor<br />
#OSSEC Server – present on the KHIKA Data Aggregator (which you have installed before)<br />
<br />
The OSSEC agent and server communicate with each other using a unique key for encryption.<br />
The main steps to start getting data from an IIS Webserver are:<br />
#Add the webserver details in KHIKA<br />
#Extract a unique key for this device from KHIKA<br />
#Install the OSSEC Agent on the Webserver<br />
#Insert this key in the OSSEC agent (i.e. on the Webserver to be monitored)<br />
#Reload the configuration in KHIKA<br />
#Verify data collection in KHIKA<br />
<br />
Each of these steps is explained in detail in the further sections.<br />
<br />
== Adding the device in the KHIKA ==<br />
<br />
Go to Adapter tab, from the “Configure” menu. Click on the “Manage Devices” icon. <br />
<br />
[[File:iis_manage_device_1.jpg|500px]]<br />
<br />
A pop-up for device details appears.<br />
<br />
[[File:Win7.jpg|500px]]<br />
<br />
Click on “Add / Modify Device” tab. Another pop up appears for device details.<br />
<br />
[[File:list_device_11.jpg|500px]]<br />
<br />
Enter the expected device name. In the field for IP address, enter “any”.<br />
'''Please note : Always enter the IP Address as “any”.''' This is the safe and sure option for establishing the connection: it allows the OSSEC agent to connect to the OSSEC Server from “any” of its configured IPs. The device may have multiple NIC cards/IP addresses, and unless we are sure which IP will be used for the connection, the connection will fail. Hence, use “any”.<br />
<br />
Select the appropriate time zone of this device. In the “Node” dropdown, select the name of the Aggregator or local data collector for this device.<br />
Click Submit. A success message is shown and the device is added to this adapter.<br />
<br />
[[File:iis_adding_device.jpg|500px]]<br />
<br />
Finally, go to Workspace tab and click on “Apply Configuration” icon.<br />
<br />
[[File:iis_10_1.jpg|500px]]<br />
<br />
We get a confirmation message here too, saying “Changes Applied”.<br />
<br />
== Extract key from KHIKA OSSEC Server ==<br />
<br />
The expected server is now added to the relevant KHIKA Adapter (parser) that will parse this data type. To see this device entry, click the “Manage Devices” icon next to the adapter.<br />
<br />
[[File:iis_manage_device_1.jpg|500px]]<br />
<br />
A pop-up with the device details of the adapter appears. Select the “List of Devices” tab.<br />
<br />
[[File:iis_12.jpg|500px]]<br />
<br />
Click on the “Get OSSEC Key” icon next to this device. <br />
<br />
[[File:get_ossec_key_1.jpg|500px]]<br />
<br />
[[File:iis_extract_key.jpg|500px]]<br />
<br />
This is the unique key for this device, created by the OSSEC server. Paste this key into the OSSEC agent installed on this Webserver.<br />
<br />
== Installing OSSEC Agent for IIS WebServer ==<br />
<br />
Download the [https://goo.gl/86gRQL Windows OSSEC Agent from here].<br />
For an IIS Webserver you will need the Windows installer with the filename '''ossec-win32-agent.zip'''. This works for both 32-bit and 64-bit Windows Server OS versions.<br />
<br />
Copy the downloaded installer to your Webserver (using WinSCP or your favourite scp client) and run the installer as the local "Admin" on the server.<br />
Please Note : It is extremely important to install the OSSEC agent with admin privileges, as this agent reads the security logs and, in order to read them successfully, it has to run as the local Admin.<br />
Select the installer file and press "Run".<br />
<br />
[[File:Win15.jpg|500px]]<br />
<br />
Click Next<br />
<br />
[[File:Win16.jpg|500px]]<br />
<br />
Select "I Agree" and proceed<br />
<br />
[[File:Win17.jpg|500px]]<br />
<br />
Keep the default selection in the next window and click Next<br />
<br />
[[File:Win18.jpg|500px]]<br />
<br />
Enter the location to install the OSSEC agent on the local drive and let the installation complete<br />
<br />
[[File:Win19.jpg|500px]]<br />
<br />
After the installation is complete, verify that the OSSEC HIDS Service is successfully installed on your WebServer. (Go to your Service Control Panel and check for the OSSEC HIDS Service.)<br />
<br />
[[File:Win20.jpg|500px]]<br />
<br />
NOTE :- You will have to repeat these steps on each Webserver that you wish to monitor using KHIKA.<br />
<br />
== Insert unique OSSEC key in Windows OSSEC Agent ==<br />
<br />
Perform the following simple steps on the agent on your Webserver:<br />
In the OSSEC Agent installation directory, run win32ui.exe as Administrator to open the window shown below.<br />
<br />
[[File:Win21.jpg|500px]]<br />
<br />
In the field “OSSEC Server IP”, enter the IP address of the KHIKA data aggregator or collector node, paste the copied key (generated by the OSSEC server above) in the box against "Authentication key" and click Save.<br />
From the "Manage" drop-down, select "Restart" to restart the OSSEC Agent. Click the Refresh button at the bottom, next to Save.<br />
<br />
[[File:Win22.jpg|500px]]<br />
<br />
Wait for a few minutes. Repeat above steps for all the agents to be added.<br />
<br />
== Reload Configuration ==<br />
<br />
Login into the KHIKA portal. <br />
*Go to Configure<br />
*Select workspace, here IIS_WebServer (or whatever you have named your workspace)<br />
*Go to Node Tab <br />
*Click Reload Config<br />
<br />
[[File:reload_conf.jpg|500px]]<br />
<br />
This step restarts OSSEC Server.<br />
Wait for a few minutes for server to restart.<br />
<br />
== Verifying OSSEC data collection ==<br />
<br />
Once the device is added successfully, we can check the data for this device on the Discover screen. Go to “Discover” from the main menu.<br />
Select the appropriate index. The raw (KHIKA formatted) data of all the Webservers you have added is seen here.<br />
<br />
[[File:Win24.jpg|500px]]<br />
<br />
To see the data for the newly added device, enter the search string in lower case –<br />
tl_src_host : name_of_the_device_added_in_lower_case<br />
and click the search icon.<br />
<br />
== How to check the output of KHIKA IIS WebServer App ? ==<br />
<br />
<br />
=== IIS Webserver Http Error Status Dashboard ===<br />
<br />
This dashboard shows the HTTP status codes for accessed URLs. It also shows the top 10 most accessed URLs, the server IP and the HTTP status code.<br />
<br />
==== Elements in the Dashboard are explained below : ====<br />
<br />
{| class="wikitable"<br />
|+ style="caption-side:bottom; color:#e76700;"|''IIS Webserver Http Error Status Dashboard''<br />
|-<br />
|'''Visualization'''<br />
|'''Description'''<br />
|-<br />
|Server IP wise Status<br />
|X axis : Server IPs<br/> Y axis : Server IP status codes like 200,400,404, etc.<br />
|-<br />
|Client IP wise Status<br />
|X axis : Client IPs<br/> Y axis : Client IP status code like 200,400,404,504, etc.<br />
|-<br />
|Time trend<br />
|Trend of login events over time. Useful to identify unusual spikes at a glance.<br/><br/>X axis : date & time<br/>Y axis : count of events<br />
|-<br />
|Summary Table<br />
|Detailed data with timestamp and count<br />
<br />
|}<br />
<br />
==== Some suggestions for useful interaction with this dashboard could be : ====<br />
<br />
#In the graph "Server IP wise Status", click and select any one server IP. This isolates the status codes and URLs accessed for the selected server IP and is reflected across the dashboard, i.e. the other pie charts, time trends and summary table show filtered information for this server IP only.<br />
#Alternatively, in the graph "Client IP wise Status", click and select any one client IP. This isolates the status codes and URLs accessed for the selected client IP and is reflected across the dashboard.<br />
<br />
=== IIS Webserver Top N URL Dashboard ===<br />
<br />
This dashboard shows top n URLs requested and their information. It includes details about domain and top hits on server. <br />
<br />
==== Elements in the Dashboard are explained below : ====<br />
<br />
{| class="wikitable"<br />
|+ style="caption-side:bottom; color:#e76700;"|''IIS Webserver Top N URL Dashboard''<br />
|-<br />
|'''Visualization'''<br />
|'''Description'''<br />
|-<br />
|Contribution of URL<br />
|This pie chart shows different URLs accessed by server.<br />
|-<br />
|Server Name wise Hits<br />
|X axis : Names of Server<br/>Y axis : Count of such request hits for each server.<br />
|-<br />
|Time trend<br />
|Trend of login events over time. Useful to identify unusual spikes at a glance.<br/><br/>X axis : date & time<br/>Y axis : count of events<br />
|-<br />
|Contribution of Domain<br />
|This pie chart shows different types of domain.<br />
|-<br />
|Summary Table<br />
|Detailed data with timestamp and count<br />
<br />
|}<br />
<br />
==== Some suggestions for useful interaction with this dashboard could be : ====<br />
<br />
#On the pie chart "Contribution of URL" select any one URL. This shall show the number of hits for the requested URL, server names, domain for selected URL across the dashboard making it easier to drill down and analyse. <br />
#In the "Contribution of Domain" pie, click on any one domain, filter gets applied on this selected domain, rest of the elements on the dashboard then show data for that domain only like URLs for this domain, server name, etc.<br />
<br />
=== IIS Webserver Total Requests Per User Dashboard ===<br />
<br />
This dashboard shows detailed information of users and requested URLs which are accessed by users.<br />
<br />
==== Elements in the Dashboard are explained below : ====<br />
<br />
{| class="wikitable"<br />
|+ style="caption-side:bottom; color:#e76700;"|''IIS Webserver Total Request Per User Dashboard''<br />
|-<br />
|'''Visualization'''<br />
|'''Description'''<br />
|-<br />
|Contribution of Server Name<br />
|This pie chart shows contribution of servers.<br />
|-<br />
|User wise Request<br />
|X axis : one or more users<br/>Y axis : Count of request hits for that user.<br />
|-<br />
|Time trend<br />
|Trend of login events over time. Useful to identify unusual spikes at a glance.<br/><br/>X axis : date & time<br/>Y axis : count of events<br />
|-<br />
|Summary Table<br />
|Detailed data with timestamp and count<br />
<br />
|}<br />
<br />
==== Some suggestions for useful interaction with this dashboard could be : ====<br />
<br />
#In the graph "User wise Request", click and select any one user. This isolates the request hits for the selected user and is reflected across the dashboard, i.e. the other pie charts, time trends and summary tables show filtered information for this user only.<br />
#In the pie "Contribution of Server Name", click and select any one server name. This isolates the users and request hits for that server name and is reflected across the dashboard.<br />
<br />
=== IIS Webserver Traffic Categorization Dashboard ===<br />
<br />
This dashboard shows traffic categorization, i.e. DIRECT or REFERRED. It also shows the server IP wise category, top URLs and servers.<br />
<br />
==== Elements in the Dashboard are explained below : ====<br />
<br />
{| class="wikitable"<br />
|+ style="caption-side:bottom; color:#e76700;"|''IIS Webserver Traffic Categorization Dashboard''<br />
|-<br />
|'''Visualization'''<br />
|'''Description'''<br />
|-<br />
|Server IP wise Category<br />
|X axis : Server IPs<br/> Y axis : count of Category.<br />
|-<br />
|Client IP wise Referrer<br />
|X axis : Client IPs<br/> Y axis : count of Referrer.<br />
|-<br />
|Contribution of URL<br />
|This pie chart shows the contribution of different URLs.<br />
|-<br />
|Contribution of Category<br />
|This pie chart shows contribution of different types of Category.<br />
|-<br />
|Contribution of Referrer<br />
|This pie chart shows contribution of different types of Referrer.<br />
|-<br />
|Time trend<br />
|Trend of login events over time. Useful to identify unusual spikes at a glance.<br/><br/>X axis : date & time <br/>Y axis : count of events<br />
|-<br />
|Summary Table<br />
|Detailed data with timestamp and count<br />
<br />
|}<br />
<br />
==== Some suggestions for useful interaction with this dashboard could be : ====<br />
#On the bar graph "Server IP wise Category", select any one server IP. This isolates the category and its count for the selected server IP, as well as the domain and accessed URLs for that server IP, across the dashboard, i.e. the other pie charts, time trends and summary table show filtered information for this server IP only.<br />
#Inversely, in the bar graph "Client IP wise Referrer", click any one client IP to select it; the rest of the elements on the dashboard then show data for that client IP only.<br />
<br />
=== IIS Webserver Top N Referrers Dashboard ===<br />
<br />
This Dashboard shows the top referrers. Also gives the details of domain and top hits on server.<br />
<br />
==== Elements in the Dashboard are explained below : ====<br />
<br />
{| class="wikitable"<br />
|+ style="caption-side:bottom; color:#e76700;"|''IIS Webserver Top N Referrers Dashboard''<br />
|-<br />
|'''Visualization'''<br />
|'''Description'''<br />
|-<br />
|Contribution of Domain<br />
|This pie chart shows contribution of different types of Domain.<br />
|-<br />
|Server Name wise Hits<br />
|X axis : Server Names<br/> Y axis : Server name wise hits.<br />
|-<br />
|Contribution of Referrer<br />
|This pie chart shows contribution of different types of Referrers.<br />
|-<br />
|Time trend<br />
|Trend of login events over time. Useful to identify unusual spikes at a glance.<br/><br/>X axis : date & time<br/>Y axis : count of events<br />
|-<br />
|Summary Table<br />
|Detailed data with timestamp and count<br />
<br />
|}<br />
<br />
==== Some suggestions for useful interaction with this dashboard could be : ====<br />
<br />
#In the chart "Contribution of Referrer", select any one referrer. This isolates the count of request hits for the selected referrer and also shows the domain and server name for that referrer across the dashboard, i.e. the other pie charts, time trends and summary table show filtered information for this referrer only.<br />
#Inversely, in the "Contribution of Domain" pie, click any one domain to select it; the rest of the elements on the dashboard then show data for that domain only.<br />
<br />
=== IIS Webserver Referrer Detail Dashboard ===<br />
<br />
This dashboard shows referrer details. It also shows the top URLs, the referrers, the client IPs requesting each URL, and the server IPs.<br />
<br />
==== Elements in the Dashboard are explained below : ====<br />
<br />
{| class="wikitable"<br />
|+ style="caption-side:bottom; color:#e76700;"|''IIS Webserver Referrer Detail Dashboard''<br />
|-<br />
|'''Visualization'''<br />
|'''Description'''<br />
|-<br />
|Contribution of Referrer<br />
|This pie chart shows contribution of different Referrers.<br />
|-<br />
|Contribution of URL<br />
|This pie chart shows contribution of different URLs .<br />
|-<br />
| Server IP wise Hits<br />
|X axis : Server IP<br/>Y axis : Count of request hits for that Server IP.<br />
|-<br />
| Client IP wise Hits<br />
|X axis : Client IP<br/>Y axis : Count of request hits for that Client IP.<br />
|-<br />
|Time trend<br />
|Trend of login events over time. Useful to identify unusual spikes at a glance.<br/><br/>X axis : date & time<br/>Y axis : count of events<br />
|-<br />
|Summary Table<br />
|Detailed data with timestamp and count<br />
<br />
|}<br />
<br />
==== Some suggestions for useful interaction with this dashboard could be : ====<br />
<br />
#In the pie chart "Contribution of Referrer", click and select any one referrer type. This isolates the count of hits for the selected type and also shows the server IP and accessed URLs for that referrer type across the dashboard, i.e. the other pie charts, time trends and summary table show filtered information for this referrer type only.<br />
#Alternatively, in the graph "Client IP wise Hits", click and select any one client IP. This isolates the request hits and also shows the referrer and accessed URLs for that client IP across the dashboard.<br />
<br />
=== IIS Webserver Loading Delays Dashboard ===<br />
<br />
This dashboard shows the total and average time taken for each accessed URI, and the server IP.<br />
<br />
==== Elements in the Dashboard are explained below : ====<br />
<br />
{| class="wikitable"<br />
|+ style="caption-side:bottom; color:#e76700;"|''IIS Webserver Loading Delays Dashboard''<br />
|-<br />
|'''Visualization'''<br />
|'''Description'''<br />
|-<br />
|URL wise Total Time<br />
|X axis : URLs<br/>Y axis : Total time required and count of the most expensive requests for the particular URL.<br />
|-<br />
|Server IP Hits<br />
|X axis : Server IP<br/>Y axis : Count of request hits for that Server IP.<br />
|-<br />
| Contribution of Server IP<br />
|This pie chart shows contribution of different types of server IP.<br />
|-<br />
|Time trend<br />
|Trend of login events over time. Useful to identify unusual spikes at a glance.<br/><br/>X axis : date & time<br/>Y axis : count of events<br />
|-<br />
|Summary Table<br />
|Detailed data with timestamp and count<br />
<br />
|}<br />
<br />
==== Some suggestions for useful interaction with this dashboard could be : ====<br />
<br />
#In the bar graph "URL wise Total Time", click and select any one URL. The dashboard shows the total time required for the selected URL and the count of the most expensive requests for that URL, reflected across the dashboard, i.e. the other pie charts, time trends and summary table show filtered information for this URL only.<br />
#Alternatively, in the bar graph "Server IP Hits", click and select any one server IP; the rest of the elements on the dashboard then show data for that server IP only.<br />
<br />
=== IIS Webserver Avg Qtime Dashboard ===<br />
<br />
This dashboard shows the average time taken by each accessed URL and its query.<br />
<br />
==== Elements in the Dashboard are explained below : ====<br />
<br />
{| class="wikitable"<br />
|+ style="caption-side:bottom; color:#e76700;"|''IIS Webserver Avg Qtime Dashboard ''<br />
|-<br />
|'''Visualization'''<br />
|'''Description'''<br />
|-<br />
|URL wise Hits<br />
|X axis : Names of URLs<br/>Y axis : Count of request hits for that URL.<br />
|-<br />
|Server IP Hits<br />
|X axis : ServerIP<br/>Y axis : Count of request hits for that Server IP.<br />
|-<br />
| Contribution of Query<br />
|This pie chart shows contribution of different types of Query.<br />
|-<br />
|Time trend<br />
|Trend of login events over time. Useful to identify unusual spikes at a glance.<br/><br/>X axis : date & time<br/>Y axis : count of events<br />
|-<br />
|Summary Table<br />
|Detailed data with timestamp and count<br />
<br />
|}<br />
<br />
==== Some suggestions for useful interaction with this dashboard could be : ====<br />
<br />
#In the pie chart "Contribution of Query" select any one top Query. This shall isolate the count of hits for selected query and also server IP for selected query across the dashboard. <br />
#In the bar graph "URL wise Hits" select any one URL. This shall isolate the count of request hits for selected URL and also query and server name for that URL across the dashboard. i.e the other pie charts, time trends and summary table shall show filtered information for this URL only.<br />
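All of the dashboards above, and the alert rules in the next section, are built on the same fields of the IIS W3C log once the adapter has parsed it. As an added example (not KHIKA's own code; the log lines, IP addresses and bad-IP list are constructed, and the error threshold and extension list are assumed values), the following Python script parses such log lines, derives the DIRECT/REFERRED category used by the Traffic Categorization dashboard, computes the per-URL average time-taken behind the loading-delays dashboard, and evaluates the three alert conditions from the Alerts table: communication with a bad IP, posting of files with executable extensions, and repeated 4xx errors for the same URL within one minute.

```python
"""Added example (not KHIKA's code): the log fields behind the IIS dashboards
and a toy evaluation of the three alert conditions from the Alerts table.
All log lines, IP addresses and the bad-IP list are constructed sample data;
the error threshold and the extension list are assumed values.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed IIS W3C extended log excerpt using the default IIS field set.
# IIS replaces spaces inside a field with '+', so a plain split on spaces is safe.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2020-04-07 07:00:01 10.0.0.5 GET /index.html - 80 - 192.0.2.10 Mozilla/5.0 - 200 0 0 15
2020-04-07 07:00:02 10.0.0.5 GET /admin/config - 80 CORP\\alice 192.0.2.10 Mozilla/5.0 http://intranet.example/ 404 0 2 3
2020-04-07 07:00:09 10.0.0.5 GET /admin/config - 80 CORP\\alice 192.0.2.10 Mozilla/5.0 - 404 0 2 3
2020-04-07 07:00:20 10.0.0.5 GET /admin/config - 80 - 192.0.2.10 Mozilla/5.0 - 405 0 0 2
2020-04-07 07:02:00 10.0.0.5 GET /admin/config - 80 - 192.0.2.10 Mozilla/5.0 - 404 0 2 3
2020-04-07 07:03:00 10.0.0.5 POST /uploads/report.pdf - 80 CORP\\bob 198.51.100.7 curl/7.68.0 - 201 0 0 120
2020-04-07 07:03:05 10.0.0.5 POST /uploads/installer.exe - 80 - 203.0.113.9 curl/7.68.0 - 201 0 0 90
2020-04-07 07:04:00 10.0.0.5 GET /index.html - 80 - 203.0.113.9 Mozilla/5.0 - 200 0 0 10
"""

BAD_IPS = {"203.0.113.9"}  # constructed threat-intelligence (bad IP) entry

# Assumed list of "executable extensions" for the dangerous-content alert.
DANGEROUS_EXTENSIONS = (".exe", ".dll", ".ps1", ".bat", ".cmd", ".vbs", ".js",
                        ".asp", ".aspx", ".php", ".jsp", ".sh", ".so")


def parse_iis_log(text):
    """Return one dict per request line, keyed by the names in the #Fields: header."""
    fields, records = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]   # header defines the column order
            continue
        if not line or line.startswith("#"):
            continue                    # other directives (#Software, #Date, ...)
        values = line.split()
        if fields is None or len(values) != len(fields):
            continue                    # malformed line: skip rather than guess
        rec = dict(zip(fields, values))
        rec["timestamp"] = datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
        rec["sc-status"] = int(rec["sc-status"])
        rec["time-taken"] = int(rec["time-taken"])      # milliseconds
        # Traffic Categorization dashboard: no Referer header means a DIRECT request.
        rec["category"] = "DIRECT" if rec["cs(Referer)"] == "-" else "REFERRED"
        records.append(rec)
    return records


def bad_ip_communications(records, bad_ips):
    """Alert 1: requests whose client IP is on the threat-intelligence list."""
    return [r for r in records if r["c-ip"] in bad_ips]


def dangerous_uploads(records):
    """Alert 2: POST/PUT of a file whose extension marks it as executable or script."""
    return [r for r in records
            if r["cs-method"] in ("POST", "PUT")
            and r["cs-uri-stem"].lower().endswith(DANGEROUS_EXTENSIONS)]


def repeated_url_errors(records, threshold=3, window=timedelta(minutes=1)):
    """Alert 3: one client gets >= threshold 4xx errors for the same URL within `window`.
    Returns {(client_ip, url): errors in the densest one-minute window}."""
    by_key = defaultdict(list)
    for r in records:
        if 400 <= r["sc-status"] < 500:
            by_key[(r["c-ip"], r["cs-uri-stem"])].append(r["timestamp"])
    hits = {}
    for key, times in by_key.items():
        times.sort()
        start = 0
        for end in range(len(times)):           # sliding window over sorted timestamps
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                hits[key] = max(hits.get(key, 0), count)
    return hits


def avg_time_per_url(records):
    """Loading-delays style aggregate: average time-taken (ms) per URL."""
    totals = defaultdict(lambda: [0, 0])
    for r in records:
        totals[r["cs-uri-stem"]][0] += r["time-taken"]
        totals[r["cs-uri-stem"]][1] += 1
    return {url: total / n for url, (total, n) in totals.items()}


def run_checks(text, bad_ips):
    """Parse the log once and evaluate every dashboard aggregate and alert rule."""
    records = parse_iis_log(text)
    return {
        "records": len(records),
        "direct": sum(r["category"] == "DIRECT" for r in records),
        "bad_ip": [(r["c-ip"], r["cs-uri-stem"]) for r in bad_ip_communications(records, bad_ips)],
        "dangerous_upload": [r["cs-uri-stem"] for r in dangerous_uploads(records)],
        "repeated_errors": repeated_url_errors(records),
        "avg_time": avg_time_per_url(records),
    }


if __name__ == "__main__":
    for name, value in run_checks(SAMPLE_LOG, BAD_IPS).items():
        print(f"{name}: {value}")
```

On the sample data the third rule fires only for the 404/405 burst between 07:00:02 and 07:00:20; the lone 404 at 07:02:00 falls outside the one-minute window and does not raise the count.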
<br />
=== KHIKA Alerts for IIS WebServer ===<br />
<br />
Alerts are generated in real time when certain critical behaviour is observed in the system. They are shown on the Alerts Dashboard in KHIKA and can also be received by email by the relevant stakeholders. The details of KHIKA Alerts are mentioned here.<br />
Click “Alert Dashboard” in the left menu.<br />
Certain alerts for Windows are pre-canned and shipped with KHIKA, keeping in mind the requirements of users. They are listed in the table below:<br />
<br />
==== Alerts Description ====<br />
<br />
{| class="wikitable"<br />
|+ style="caption-side:bottom; color:#e76700;"|''Alert Details Table''<br />
|-<br />
|'''Alert Name'''<br />
|'''Description'''<br />
|'''Suggested Resolution'''<br />
|-<br />
|IIS communication with possible IOC or bad IP<br />
|This alert is triggered when malicious/bad IPs are trying to communicate with the IIS Webserver.<br />
|KHIKA shares community based threat intelligence (TI) every 24 hours. The TI has a list of IP addresses with bad reputation. Every bad IP is marked with the number of communities reporting it, the name of each community, and a confidence score indicating how confident we are about the reputation. This alert is generated when communication with a bad IP is let through.<br />
If communication with a bad IP is happening, it must be blocked immediately, as it could be a possible attack or data exfiltration.<br />
You can check how long this communication has been happening by simply searching for the malicious IP in the logs. You can also check which internal IP addresses are communicating with this IP address and track the real users behind those internal IP addresses.<br />
Cross-check the reputation of the IP with popular websites such as ipvoid.com and virustotal.com.<br />
If you see an internal IP constantly involved in malicious communication (with the same or multiple external IP addresses), you may install agents on the internal nodes involved and check the real user and process responsible for this communication.<br />
It is critical to block this rogue communication.<br />
|-<br />
|IIS dangerous content posted to webserver, files with executable extensions<br />
|This alert is triggered when any client tries to post potentially dangerous files to the webserver within one minute.<br />
|Dangerous content has been posted to the webserver: the victim has posted potentially dangerous files such as executables, scripts, shared objects, etc.<br />
Kindly check the upload activity done by the user and verify the uploaded content for policy violations.<br />
|-<br />
|IIS multiple errors for same URL when it is not accessible<br />
|This alert is triggered when a client tries to access an invalid/unauthorized URL and gets multiple errors such as 404, 405, etc. within one minute.<br />
|Multiple errors are being returned for the same URL.<br />
This kind of alert may occur due to an incorrect application URL, e.g. a user trying to access an invalid/non-authorized URL.<br />
Kindly check the legitimacy of the requesting users.<br />
|}</div>Dhanashree kulkarnihttp://khika.com/wiki/index.php?title=KHIKA_App_for_IIS_WebServer&diff=3067KHIKA App for IIS WebServer2020-04-07T07:11:11Z<p>Dhanashree kulkarni: /* IIS Webserver Total Request Per User Dashboard */</p>
<hr />
<div>== Introduction ==<br />
<br />
IIS webserver logs hold valuable information about each client's activity and its communication with the server. KHIKA visual analytics make it simpler to identify and pinpoint where risks are introduced, so you can take preventive measures accordingly. The KHIKA App for IIS webserver is aimed at giving you insights into behaviour, errors and traffic.<br />
<br />
With the KHIKA App for IIS webserver, you can:<br />
*Monitor hundreds of IIS servers from a central place.<br />
*Monitor and see HTTP error trends.<br />
*Monitor the top n URLs serviced / requested and their statistics.<br />
*See the user-wise request distribution on your servers.<br />
<br />
The steps to configure the KHIKA App for IIS Webserver and interpret its output are explained below.<br />
<br />
The key parts are:<br />
#Install the KHIKA App for IIS Webserver<br />
#Get data from your IIS Webserver into KHIKA Aggregator<br />
<br />
== How to Install the KHIKA App for IIS WebServer? ==<br />
<br />
This section assumes that you have already configured the KHIKA Data Aggregator in your environment. If not, please read [[Getting Started with KHIKA SaaS#Installing and configuring KHIKA Data Aggregator|how to configure KHIKA Data Aggregator]] and perform the pre-requisite steps.<br />
<br />
This section explains how to pick and install the KHIKA application for IIS Webserver. Installing the application puts together and activates the adapter (parser) that handles the Windows data format, along with the preconfigured dashboards and alert rules.<br />
<br />
Go to “Applications” tab in the “Configure” menu. <br />
<br />
[[File:node.jpg|500px]]<br />
<br />
Check whether the appropriate Workspace is selected.<br />
Note: An application is always loaded into a Workspace. Read the section on [[Accessing the KHIKA Gui#Creating a Workspace|Workspaces]] to know more about KHIKA Workspaces.<br />
Also select your KHIKA aggregator name in the Node dropdown.<br />
This ensures that data is collected from the desired source into the correct workspace, which is ready with the configured application and components.<br />
<br />
[[File:install_app.jpg|500px]]<br />
<br />
Click on the “+” button next to the IIS WebServer App. A pop up appears.<br />
<br />
[[File:install_app1.jpg|500px]]<br />
<br />
You can now select the contents of the application required. For example, click the dropdown for “Reports” to expand it; the list of all reports is shown. Select the reports required individually by ticking the checkbox next to each, or tick “Select All” to get all of them.<br />
Similarly, you can select contents from Alerts and Dashboards.<br />
<br />
[[KHIKA Reports|What are KHIKA Reports]]<br />
<br />
[[KHIKA Dashboards|What are KHIKA Dashboards]]<br />
<br />
[[KHIKA Alerts & Correlations|What are KHIKA Alerts]]<br />
<br />
Click “Install” to proceed with the installation of the selected Application.<br />
If you have created multiple IIS webserver workspaces in KHIKA and installed the app previously, you will get the pop-up below.<br />
<br />
[[File:App_alredy.JPG|500px]]<br />
<br />
Click OK to proceed. If this is not the case, ignore this step.<br />
After successful installation, the following status should be displayed.<br />
<br />
[[File:install_status.jpg|500px]]<br />
<br />
Click the Close button.<br />
This simple procedure to install a KHIKA App automatically configures the Adapter (required for parsing the data from raw syslogs), the calculated KHIKA reports on raw data, Visualizations, Dashboards and Alerts – all in one click.<br />
<br />
== How to get your IIS WebServer data into KHIKA ? ==<br />
<br />
KHIKA recommends the popular open source OSSEC integration to monitor IIS Webservers.<br />
There are two components in the OSSEC integration with KHIKA:<br />
#OSSEC Agent – installed on each server that you wish to monitor<br />
#OSSEC Server – present on the KHIKA Data Aggregator (which you have installed before)<br />
<br />
The OSSEC agent and server communicate with each other using a unique key for encryption.<br />
The main steps to start getting data from an IIS Webserver are:<br />
#Add the webserver details in KHIKA<br />
#Extract a unique key for this device from KHIKA<br />
#Install the OSSEC Agent on the Webserver<br />
#Insert this key in the OSSEC agent (i.e. on the Webserver to be monitored)<br />
#Reload the configuration in KHIKA<br />
#Verify data collection in KHIKA<br />
<br />
Each of these steps is explained in detail in the further sections.<br />
<br />
== Adding the device in the KHIKA ==<br />
<br />
Go to Adapter tab, from the “Configure” menu. Click on the “Manage Devices” icon. <br />
<br />
[[File:iis_manage_device_1.jpg|500px]]<br />
<br />
A pop-up for device details appears.<br />
<br />
[[File:Win7.jpg|500px]]<br />
<br />
Click on “Add / Modify Device” tab. Another pop up appears for device details.<br />
<br />
[[File:list_device_11.jpg|500px]]<br />
<br />
Enter the expected device name. In the field for IP address, enter “any”.<br />
'''Please note : Always enter the IP Address as “any”.''' This is the safe and sure option for establishing the connection: it allows the OSSEC agent to connect to the OSSEC Server from “any” of its configured IPs. The device may have multiple NIC cards/IP addresses, and unless we are sure which IP will be used for the connection, the connection will fail. Hence, use “any”.<br />
<br />
Select the appropriate time zone of this device. In the “Node” dropdown, select the name of the Aggregator or local data collector for this device.<br />
Click Submit. A success message is shown and the device is added to this adapter.<br />
<br />
[[File:iis_adding_device.jpg|500px]]<br />
<br />
Finally, go to Workspace tab and click on “Apply Configuration” icon.<br />
<br />
[[File:iis_10_1.jpg|500px]]<br />
<br />
We get a confirmation message here too, saying “Changes Applied”.<br />
<br />
== Extract key from KHIKA OSSEC Server ==<br />
<br />
The expected server is now added to the relevant KHIKA Adapter (parser) that will parse this data type. To see this device entry, click the “Manage Devices” icon next to the adapter.<br />
<br />
[[File:iis_manage_device_1.jpg|500px]]<br />
<br />
A pop-up with the device details of the adapter appears. Select the “List of Devices” tab.<br />
<br />
[[File:iis_12.jpg|500px]]<br />
<br />
Click on the “Get OSSEC Key” icon next to this device. <br />
<br />
[[File:get_ossec_key_1.jpg|500px]]<br />
<br />
[[File:iis_extract_key.jpg|500px]]<br />
<br />
This is the unique key for this device, created by the OSSEC server. Paste this key into the OSSEC agent installed on this Webserver.<br />
<br />
== Installing OSSEC Agent for IIS WebServer ==<br />
<br />
Download [https://goo.gl/86gRQL Windows Ossec Agent from here].<br><br />
For IIS Webserver you will need to select the Windows installer with filename '''ossec-win32-agent.zip'''. This works for both 32-bit and 64-bit windows servers OS versions.<br />
<br />
Copy the downloaded installer to your Webserver (using WinSCP or your favourite scp client) and run the installer as the local "Admin" on the Server. <br />
Please Note : It is extremely important to install the OSSEC agent with admin privileges, as this agent reads the security logs and, in order to read them successfully, it has to run as the local Admin.<br />
Select the installer file and press "Run".<br />
<br />
[[File:Win15.jpg|500px]]<br />
<br />
Click Next<br />
<br />
[[File:Win16.jpg|500px]]<br />
<br />
Select "I Agree" and proceed<br />
<br />
[[File:Win17.jpg|500px]]<br />
<br />
Keep the default selection in the next window and click Next<br />
<br />
[[File:Win18.jpg|500px]]<br />
<br />
Enter the location to install the OSSEC agent on the local drive and let the installation complete<br />
<br />
[[File:Win19.jpg|500px]]<br />
<br />
After the installation is complete, verify that the OSSEC HIDS Service is successfully installed on your WebServer. (Go to your Service Control Panel and check for OSSEC HIDS Service)<br />
<br />
[[File:Win20.jpg|500px]]<br />
<br />
NOTE :- You will have to repeat these steps on each Webserver that you wish to monitor using KHIKA.<br />
<br />
== Insert unique OSSEC key in Windows OSSEC Agent ==<br />
<br />
Perform the following simple steps on the Agent on your Webserver : <br />
In the OSSEC Agent installation directory, run win32ui.exe (Run as Administrator) to open up a window as shown below.<br />
<br />
[[File:Win21.jpg|500px]]<br />
<br />
In the field “OSSEC Server IP”, enter the IP Address of the KHIKA data aggregator or collector node, paste the copied key (generated by the OSSEC server above) in the box against "Authentication key" and click Save. <br />
From the "Manage" drop-down, select "Restart" to restart the OSSEC Agent. Click on the Refresh button at the bottom, next to Save.<br />
<br />
[[File:Win22.jpg|500px]]<br />
<br />
Wait for a few minutes. Repeat the above steps for all the agents to be added.<br />
<br />
== Reload Configuration ==<br />
<br />
Log in to the KHIKA portal. <br />
*Go to Configure<br />
*Select workspace, here IIS_WebServer (or whatever you have named your workspace)<br />
*Go to Node Tab <br />
*Click Reload Config<br />
<br />
[[File:reload_conf.jpg|500px]]<br />
<br />
This step restarts the OSSEC Server.<br />
Wait for a few minutes for the server to restart.<br />
<br />
== Verifying OSSEC data collection ==<br />
<br />
Once the device is added successfully, we can check the data for this device on the Discover screen. Go to “Discover” from the main menu. <br />
Select the appropriate index. Raw (KHIKA formatted) data of all the Webservers you added is seen here. <br />
<br />
[[File:Win24.jpg|500px]]<br />
<br />
To see the data for our newly added device, enter the search string in lower case – <br />
tl_src_host : name_of_the_device_added_in_lower_case <br />
and click on the search icon.<br />
<br />
== How to check the output of KHIKA IIS WebServer App ? ==<br />
<br />
<br />
=== IIS Webserver Http Error Status Dashboard ===<br />
<br />
This dashboard shows the HTTP status codes for accessed URLs. It also shows the top 10 most accessed URLs, the server IP and the HTTP status code. <br />
<br />
==== Elements in the Dashboard are explained below : ====<br />
<br />
{| class="wikitable"<br />
|+ style="caption-side:bottom; color:#e76700;"|''IIS Webserver Http Error Status Dashboard''<br />
|-<br />
|'''Visualization'''<br />
|'''Description'''<br />
|-<br />
|Server IP wise Status<br />
|X axis : Server IPs<br/> Y axis : Server IP status codes like 200,400,404, etc.<br />
|-<br />
|Client IP wise Status<br />
|X axis : Client IPs<br/> Y axis : Client IP status code like 200,400,404,504, etc.<br />
|-<br />
|Time trend<br />
|Trend of login events over time. Useful to identify unusual spikes at a glance.<br/><br/>X axis : date & time<br/>Y axis : count of events<br />
|-<br />
|Summary Table<br />
|Detailed data with timestamp and count<br />
<br />
|}<br />
<br />
==== Some suggestions for useful interaction with this dashboard could be : ====<br />
<br />
#In the graph "Server IP wise Status", click and select any one server IP. This shall isolate the respective status codes and URLs accessed for the selected server IP and get reflected across the dashboard, i.e. the other pie charts, time trends and summary table shall show filtered information for this server IP only.<br />
#Alternatively, in the graph "Client IP wise Status", click and select any one client IP. This shall isolate the respective status codes and URLs accessed for that selected client IP and get reflected across the dashboard.<br />
<br />
=== IIS Webserver Top N URL Dashboard ===<br />
<br />
This dashboard shows the top n URLs requested and their information. It includes details about the domain and the top hits on the server. <br />
<br />
==== Elements in the Dashboard are explained below : ====<br />
<br />
{| class="wikitable"<br />
|+ style="caption-side:bottom; color:#e76700;"|''IIS Webserver Top N URL Dashboard''<br />
|-<br />
|'''Visualization'''<br />
|'''Description'''<br />
|-<br />
|Contribution of URL<br />
|This pie chart shows the different URLs accessed on the server.<br />
|-<br />
|Server Name wise Hits<br />
|X axis : Names of Server<br/>Y axis : Count of such request hits for each server.<br />
|-<br />
|Time trend<br />
|Trend of login events over time. Useful to identify unusual spikes at a glance.<br/><br/>X axis : date & time<br/>Y axis : count of events<br />
|-<br />
|Contribution of Domain<br />
|This pie chart shows different types of domain.<br />
|-<br />
|Summary Table<br />
|Detailed data with timestamp and count<br />
<br />
|}<br />
<br />
==== Some suggestions for useful interaction with this dashboard could be : ====<br />
<br />
#On the pie chart "Contribution of URL", select any one URL. This shall show the number of hits for the requested URL, the server names and the domain for the selected URL across the dashboard, making it easier to drill down and analyse. <br />
#In the "Contribution of Domain" pie, click on any one domain. A filter gets applied on the selected domain, and the rest of the elements on the dashboard then show data for that domain only, like the URLs for this domain, server name, etc.<br />
<br />
=== IIS Webserver Total Request Per User Dashboard ===<br />
<br />
This dashboard shows detailed information about users and the URLs requested by them.<br />
<br />
==== Elements in the Dashboard are explained below : ====<br />
<br />
{| class="wikitable"<br />
|+ style="caption-side:bottom; color:#e76700;"|''IIS Webserver Total Request Per User Dashboard''<br />
|-<br />
|'''Visualization'''<br />
|'''Description'''<br />
|-<br />
|Contribution of Server Name<br />
|This pie chart shows contribution of servers.<br />
|-<br />
|User wise Request<br />
|X axis : one or more user<br/>Y axis : Count of request hits for that user.<br />
|-<br />
|Time trend<br />
|Trend of login events over time. Useful to identify unusual spikes at a glance.<br/><br/>X axis : date & time<br/>Y axis : count of events<br />
|-<br />
|Summary Table<br />
|Detailed data with timestamp and count<br />
<br />
|}<br />
<br />
==== Some suggestions for useful interaction with this dashboard could be : ====<br />
<br />
#In the graph "User wise Request", click and select any one user. This shall isolate the request hits for that selected user and get reflected across the dashboard, i.e. the other pie charts, time trends and summary tables shall show filtered information for this user only.<br />
#In the pie "Contribution of Server Name", click and select any one server name. This shall isolate the respective users and request hits for that server name and get reflected across the dashboard.<br />
<br />
=== IIS Webserver Traffic Categorization Dashboard ===<br />
<br />
This dashboard shows traffic categorization, like DIRECT or REFERRED. It also shows the server IP wise category, top URLs and servers.<br />
<br />
==== Elements in the Dashboard are explained below : ====<br />
<br />
{| class="wikitable"<br />
|+ style="caption-side:bottom; color:#e76700;"|''IIS Webserver Traffic Categorization Dashboard''<br />
|-<br />
|'''Visualization'''<br />
|'''Description'''<br />
|-<br />
|Server IP wise Category<br />
|X axis : Server IPs<br/> Y axis : count of Category.<br />
|-<br />
|Client IP wise Referrer<br />
|X axis : Client IPs<br/> Y axis : count of Referrer.<br />
|-<br />
|Contribution of URL<br />
|This pie chart shows contribution of different types of URL <br />
|-<br />
|Contribution of Category<br />
|This pie chart shows contribution of different types of Category.<br />
|-<br />
|Contribution of Referrer<br />
|This pie chart shows contribution of different types of Referrer.<br />
|-<br />
|Time trend<br />
|Trend of login events over time. Useful to identify unusual spikes at a glance.<br/><br/>X axis : date & time <br/>Y axis : count of events<br />
|-<br />
|Summary Table<br />
|Detailed data with timestamp and count<br />
<br />
|}<br />
<br />
==== Some suggestions for useful interaction with this dashboard could be : ====<br />
#On the bar graph "Server IP wise Category", select any one server IP. This shall isolate the respective category and its count for the selected server IP, and also the domain and accessed URLs for that server IP, across the dashboard, i.e. the other pie charts, time trends and summary table shall show filtered information for this server IP only. <br />
#Inversely, in the bar graph "Client IP wise Referrer", click on any one client IP to select it, and the rest of the elements on the dashboard then show data for that client IP only.<br />
<br />
=== IIS Webserver Top N Referrers Dashboard ===<br />
<br />
This dashboard shows the top referrers. It also gives the details of the domain and the top hits on the server.<br />
<br />
==== Elements in the Dashboard are explained below : ====<br />
<br />
{| class="wikitable"<br />
|+ style="caption-side:bottom; color:#e76700;"|''IIS Webserver Top N Referrers Dashboard''<br />
|-<br />
|'''Visualization'''<br />
|'''Description'''<br />
|-<br />
|Contribution of Domain<br />
|This pie chart shows contribution of different types of Domain.<br />
|-<br />
|Server Name wise Hits<br />
|X axis : Server Names<br/> Y axis : Server name wise hits.<br />
|-<br />
|Contribution of Referrer<br />
|This pie chart shows contribution of different types of Referrers.<br />
|-<br />
|Time trend<br />
|Trend of login events over time. Useful to identify unusual spikes at a glance.<br/><br/>X axis : date & time<br/>Y axis : count of events<br />
|-<br />
|Summary Table<br />
|Detailed data with timestamp and count<br />
<br />
|}<br />
<br />
==== Some suggestions for useful interaction with this dashboard could be : ====<br />
<br />
#On the chart "Contribution of Referrer", select any one referrer. This shall isolate the count of request hits for the selected referrer and also show the domain and server name for the selected referrer across the dashboard, i.e. the other pie charts, time trends and summary table shall show filtered information for this referrer only. <br />
#Inversely, in the "Contribution of Domain" pie, click on any one domain to select it, and the rest of the elements on the dashboard then show data for that domain only.<br />
<br />
=== IIS Webserver Referrer Detail Dashboard ===<br />
<br />
This dashboard shows referrer details. It also shows the top URLs, the referrers, the client IPs that requested each URL, and the server IPs.<br />
<br />
==== Elements in the Dashboard are explained below : ====<br />
<br />
{| class="wikitable"<br />
|+ style="caption-side:bottom; color:#e76700;"|''IIS Webserver Referrer Detail Dashboard''<br />
|-<br />
|'''Visualization'''<br />
|'''Description'''<br />
|-<br />
|Contribution of Referrer<br />
|This pie chart shows contribution of different Referrers.<br />
|-<br />
|Contribution of URL<br />
|This pie chart shows contribution of different URLs.<br />
|-<br />
| Server IP wise Hits<br />
|X axis : Server IP<br/>Y axis : Count of request hits for that Server IP.<br />
|-<br />
| Client IP wise Hits<br />
|X axis : Client IP<br/>Y axis : Count of request hits for that Client IP.<br />
|-<br />
|Time trend<br />
|Trend of login events over time. Useful to identify unusual spikes at a glance.<br/><br/>X axis : date & time<br/>Y axis : count of events<br />
|-<br />
|Summary Table<br />
|Detailed data with timestamp and count<br />
<br />
|}<br />
<br />
==== Some suggestions for useful interaction with this dashboard could be : ====<br />
<br />
#In the pie chart "Contribution of Referrer", click and select any one referrer type. This shall isolate the count of hits for that selected type and also show the server IP and accessed URLs for that referrer type across the dashboard, i.e. the other pie charts, time trends and summary table shall show filtered information for this referrer type only.<br />
#Alternatively, in the graph "Client IP wise Hits", click and select any one client IP. This shall isolate the request hits and also show the referrer and accessed URLs for that client IP across the dashboard.<br />
<br />
=== IIS webserver loading delays Dashboard ===<br />
<br />
This dashboard shows information about the total time taken and the average time taken for each accessed URI, and the server IP.<br />
<br />
==== Elements in the Dashboard are explained below : ====<br />
<br />
{| class="wikitable"<br />
|+ style="caption-side:bottom; color:#e76700;"|''IIS webserver loading delays Dashboard ''<br />
|-<br />
|'''Visualization'''<br />
|'''Description'''<br />
|-<br />
|URL wise Total Time<br />
|X axis : URLs<br/>Y axis : Total time required and count of the most expensive requests for a particular URL.<br />
|-<br />
|Server IP Hits<br />
|X axis : Server IP<br/>Y axis : Count of request hits for that Server IP.<br />
|-<br />
| Contribution of Server IP<br />
|This pie chart shows contribution of different types of server IP.<br />
|-<br />
|Time trend<br />
|Trend of login events over time. Useful to identify unusual spikes at a glance.<br/><br/>X axis : date & time<br/>Y axis : count of events<br />
|-<br />
|Summary Table<br />
|Detailed data with timestamp and count<br />
<br />
|}<br />
<br />
==== Some suggestions for useful interaction with this dashboard could be : ====<br />
<br />
#In the bar graph "URL wise Total Time", click and select any one URL. The dashboard shall show the total time required for that selected URL and the count of the most expensive requests for that URL, reflected across the dashboard, i.e. the other pie charts, time trends and summary table shall show filtered information for this URL only.<br />
#Alternatively, in the bar graph "Server IP Hits", click on any one server IP to select it, and the rest of the elements on the dashboard then show data for that server IP only.<br />
<br />
=== IIS Webserver Avg Qtime Dashboard ===<br />
<br />
This dashboard shows the average time taken by each accessed URL and its query. <br />
<br />
==== Elements in the Dashboard are explained below : ====<br />
<br />
{| class="wikitable"<br />
|+ style="caption-side:bottom; color:#e76700;"|''IIS Webserver Avg Qtime Dashboard ''<br />
|-<br />
|'''Visualization'''<br />
|'''Description'''<br />
|-<br />
|URL wise Hits<br />
|X axis : Names of URLs<br/>Y axis : Count of request hits for that URL.<br />
|-<br />
|Server IP Hits<br />
|X axis : Server IP<br/>Y axis : Count of request hits for that Server IP.<br />
|-<br />
| Contribution of Query<br />
|This pie chart shows contribution of different types of Query.<br />
|-<br />
|Time trend<br />
|Trend of login events over time. Useful to identify unusual spikes at a glance.<br/><br/>X axis : date & time<br/>Y axis : count of events<br />
|-<br />
|Summary Table<br />
|Detailed data with timestamp and count<br />
<br />
|}<br />
<br />
==== Some suggestions for useful interaction with this dashboard could be : ====<br />
<br />
#In the pie chart "Contribution of Query", select any one top query. This shall isolate the count of hits for the selected query and also the server IP for the selected query across the dashboard. <br />
#In the bar graph "URL wise Hits", select any one URL. This shall isolate the count of request hits for the selected URL and also the query and server name for that URL across the dashboard, i.e. the other pie charts, time trends and summary table shall show filtered information for this URL only.<br />
<br />
=== KHIKA Alerts for IIS WebServer ===<br />
<br />
Alerts are generated in real time when certain critical behaviour is observed in the system. They are notified on the Alerts Dashboard in KHIKA and can also be received by email by the relevant stakeholders. The details of KHIKA Alerts are mentioned here. <br />
Click on “Alert Dashboard” on the left menu.<br />
Certain alerts for Windows are pre-canned and shipped with KHIKA, keeping in mind the requirements of the users. They are mentioned in the table below :<br />
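As an added illustration (example code written for this guide, not KHIKA's rule engine or OSSEC code), the three alert conditions described in the table that follows can be expressed as checks run over IIS W3C log lines. The sample log, the threat intelligence entries, the list of "executable" extensions and the threshold of 3 errors per minute are all constructed for the demo.

```python
"""Detection logic for the three pre-canned IIS alerts described in this guide.

Added example written for this page; it is not KHIKA's rule engine or OSSEC code.
It reads the IIS W3C extended log format. The sample log lines, the threat
intelligence (TI) entries and the error threshold are constructed for the demo.
"""
import os
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Optional, Tuple

# Constructed IIS W3C log excerpt; the #Fields line defines the column order.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2020-04-07 07:00:01 10.0.0.5 GET /index.html - 80 - 198.51.100.7 Mozilla/5.0 - 200 0 0 15
2020-04-07 07:00:05 10.0.0.5 POST /upload/tool.exe - 80 alice 203.0.113.9 Mozilla/5.0 - 200 0 0 120
2020-04-07 07:00:10 10.0.0.5 GET /admin/config - 80 - 203.0.113.9 curl/7.68 - 404 0 2 3
2020-04-07 07:00:20 10.0.0.5 GET /admin/config - 80 - 203.0.113.9 curl/7.68 - 404 0 2 3
2020-04-07 07:00:40 10.0.0.5 GET /admin/config - 80 - 203.0.113.9 curl/7.68 - 405 0 0 3
2020-04-07 07:03:00 10.0.0.5 GET /admin/config - 80 - 203.0.113.9 curl/7.68 - 404 0 2 3
2020-04-07 07:03:10 10.0.0.5 GET /about.html - 80 - 192.0.2.44 Mozilla/5.0 - 200 0 0 8
"""

# Constructed TI list: bad IP -> (number of communities reporting it, confidence).
BAD_IPS: Dict[str, Tuple[int, float]] = {"192.0.2.44": (3, 0.9)}

# Extensions treated as "executable" for the dangerous-upload alert (constructed list).
EXECUTABLE_EXTENSIONS = {".exe", ".dll", ".ps1", ".bat", ".cmd", ".vbs", ".js", ".sh", ".so"}
ERROR_THRESHOLD = 3                  # errors for the same URL from the same client ...
ERROR_WINDOW = timedelta(minutes=1)  # ... within one minute, as the alert text says


def parse_iis_log(text: str) -> List[Dict[str, str]]:
    """Turn W3C extended log lines into dicts keyed by the names in the #Fields line."""
    fields: List[str] = []
    records: List[Dict[str, str]] = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line.strip() or line.startswith("#"):
            continue
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed line: skip it rather than mis-assign columns
        records.append(dict(zip(fields, values)))
    return records


def detect(records: List[Dict[str, str]],
           bad_ips: Optional[Dict[str, Tuple[int, float]]] = None) -> List[Dict[str, str]]:
    """Run the three alert checks over parsed records, in log order."""
    bad_ips = BAD_IPS if bad_ips is None else bad_ips
    alerts: List[Dict[str, str]] = []
    # (client IP, URL) -> timestamps of its recent 4xx responses, oldest first
    recent_errors: Dict[Tuple[str, str], Deque[datetime]] = defaultdict(deque)

    for r in records:
        ts = datetime.strptime(f"{r['date']} {r['time']}", "%Y-%m-%d %H:%M:%S")
        client, uri, status = r["c-ip"], r["cs-uri-stem"], int(r["sc-status"])

        # 1. Communication with a possible IOC / bad IP: match the client against the TI list.
        if client in bad_ips:
            communities, confidence = bad_ips[client]
            alerts.append({"alert": "bad_ip", "client": client, "uri": uri,
                           "detail": f"{communities} communities, confidence {confidence}"})

        # 2. Dangerous content posted: a POST whose target path has an executable extension.
        if r["cs-method"] == "POST" and os.path.splitext(uri)[1].lower() in EXECUTABLE_EXTENSIONS:
            alerts.append({"alert": "dangerous_upload", "client": client, "uri": uri,
                           "detail": f"user {r['cs-username']}"})

        # 3. Multiple errors for the same URL: count 4xx responses in a sliding one-minute window.
        if 400 <= status < 500:
            window = recent_errors[(client, uri)]
            window.append(ts)
            while ts - window[0] > ERROR_WINDOW:
                window.popleft()  # drop errors older than the window
            if len(window) == ERROR_THRESHOLD:  # fire once, when the threshold is first reached
                alerts.append({"alert": "multiple_errors", "client": client, "uri": uri,
                               "detail": f"{ERROR_THRESHOLD} errors within {ERROR_WINDOW}"})
    return alerts


def run_sample() -> List[Dict[str, str]]:
    """Parse the constructed log and return the alerts it raises."""
    return detect(parse_iis_log(SAMPLE_LOG))


if __name__ == "__main__":
    for a in run_sample():
        print(a)
```

The fourth 404 at 07:03:00 does not re-fire because the three earlier errors have aged out of the one-minute window; this is the behaviour the "within one minute" wording in the table implies.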
<br />
==== Alerts Description ====<br />
<br />
{| class="wikitable"<br />
|+ style="caption-side:bottom; color:#e76700;"|''Alert Details Table''<br />
|-<br />
|'''Alert Name'''<br />
|'''Description'''<br />
|'''Suggested Resolution'''<br />
|-<br />
|IIS communication with possible IOC or bad IP<br />
|This alert is triggered when malicious/bad IPs are trying to communicate with the IIS Webserver.<br />
|KHIKA shares community based threat intelligence (TI) every 24 hours. The TI has a list of IP addresses with bad reputation. Every bad IP is marked with the number of communities reporting it, the name of each community and a confidence indicating how confident we are about the reputation. This alert is generated when communication with a bad IP is let through.<br />
If communication with a bad IP is happening, it must be blocked immediately as it could be a possible attack or data exfiltration. <br />
You can check how long this communication has been happening by simply searching for the malicious IP in the logs. You can also check which internal IP addresses are communicating with this IP address and track the real users behind those internal IP addresses.<br />
Cross-check the reputation of the IP with popular websites such as ipvoid.com, virustotal.com.<br />
If you see an internal IP constantly getting involved in malicious communication (with the same or multiple external IP addresses), you may install agents on the internal nodes involved and check the real user and process responsible for this communication.<br />
It is critical to block this rogue communication.<br />
|-<br />
|IIS dangerous content posted to webserver,files with executable extensions<br />
|This alert is triggered when any client tries to post dangerous files to the webserver within one minute.<br />
|Dangerous content has been posted to the webserver. The user has posted some potentially dangerous files like executables, scripts, shared objects, etc. to the webserver.<br />
Kindly check the upload activity done by the user and verify the uploaded content for policy violation.<br />
|-<br />
|IIS multiple errors for same URL when it is not accessible<br />
|This alert is triggered when a client tries to access an invalid/unauthorized URL and gets multiple errors like 404, 405, etc. within one minute.<br />
|Multiple errors are being received for the same URL.<br />
This kind of alert may occur due to an incorrect application URL, e.g. a user trying to access an invalid/non-authorized URL.<br />
Kindly check the legitimacy of the requesting users.<br />
|}</div>Dhanashree kulkarnihttp://khika.com/wiki/index.php?title=KHIKA_App_for_IIS_WebServer&diff=3066KHIKA App for IIS WebServer2020-04-07T07:09:37Z<p>Dhanashree kulkarni: /* Some suggestions for useful interaction with this dashboard could be : */</p>
<hr />
<div>== Introduction ==<br />
<br />
IIS webserver logs have valuable information like each client's activity and communication. KHIKA visual analytics make it simpler to identify and pinpoint where risks are introduced, so you can exercise preventive measures accordingly. The KHIKA app for IIS webserver aims to give you insights into the behaviour, errors as well as traffic.<br />
<br />
With KHIKA App for IIS webserver, you can :<br />
*Monitor hundreds of IIS servers at a central place.<br />
*Monitor and see the http error trends.<br />
*Monitor top n URLs serviced / requested and their statistics.<br />
*See user wise request distribution on your servers<br />
<br />
We explain below the steps to configure and interpret the output of the KHIKA App for IIS Webserver.<br />
<br />
The key parts to get here are: <br />
#Install the KHIKA App for IIS Webserver<br />
#Get data from your IIS Webserver into KHIKA Aggregator<br />
<br />
== How to Install the KHIKA App for IIS WebServer? ==<br />
<br />
The section assumes that you have already configured KHIKA Data Aggregator in your environment. If not, please read [[Getting Started with KHIKA SaaS#Installing and configuring KHIKA Data Aggregator|how to configure KHIKA Data Aggregator]] and perform the pre-requisite steps.<br />
<br />
This section explains how to pick and install the KHIKA application for IIS Webserver. Installing the application shall put together and activate the adapter (parser) that can handle the Windows data format, the dashboards and the preconfigured alert rules. <br />
<br />
Go to “Applications” tab in the “Configure” menu. <br />
<br />
[[File:node.jpg|500px]]<br />
<br />
Check whether the appropriate Workspace is selected.<br />
Note: Application is always loaded in a Workspace. Read the section on [[Accessing the KHIKA Gui#Creating a Workspace|Workspaces]] to know more about KHIKA Workspaces.<br />
Also select your KHIKA aggregator name in the Node dropdown. <br />
This is to ensure that we are collecting data from the desired source and into the correct workspace which is ready with the configured application and components.<br />
<br />
[[File:install_app.jpg|500px]]<br />
<br />
Click on the “+” button next to the IIS WebServer App. A pop up appears.<br />
<br />
[[File:install_app1.jpg|500px]]<br />
<br />
Users can now select the contents of the application required. For example, click on the dropdown for “Reports” to expand it. The list of all reports can be seen. The user can individually select the reports required by checking the checkbox next to each. Alternatively, check the “Select All” option to get all of them. <br />
Similarly, you can select contents from Alerts and Dashboards.<br><br />
<br />
[[KHIKA Reports|What are KHIKA Reports]]<br><br />
<br />
[[KHIKA Dashboards|What are KHIKA Dashboards]]<br><br />
<br />
[[KHIKA Alerts & Correlations|What are KHIKA Alerts]]<br><br />
<br />
Click “Install” to proceed with the installation of the selected Application. <br />
If you have created multiple IIS webserver workspaces in KHIKA and installed the App previously, you will get the below pop up. <br />
<br />
[[File:App_alredy.JPG|500px]]<br />
<br />
Click on OK to proceed. If this is not the case, ignore this step. <br />
After successful installation, the following status should be displayed. <br />
<br />
[[File:install_status.jpg|500px]]<br />
<br />
Click on the Close button.<br />
This simple procedure to install a KHIKA App automatically configures the Adapter (required for parsing the data from raw syslogs), calculated KHIKA reports on raw data, Visualizations, Dashboards and Alerts – all in one click.<br />
<br />
== How to get your IIS WebServer data into KHIKA ? ==<br />
<br />
KHIKA recommends the popular open source OSSEC integration to monitor IIS Webservers. <br />
There are 2 components in the OSSEC Integration with KHIKA. <br />
#OSSEC Agent – installed on each server which we wish to monitor<br />
#OSSEC Server – present on the KHIKA Data Aggregator (which you have installed before)<br />
<br />
The OSSEC agent and server communicate with each other using a unique key for encryption. <br />
The main steps to start getting data from an IIS Webserver are :<br />
#Add the webserver details in KHIKA<br />
#Extract a unique key for this device from KHIKA<br />
#Install the OSSEC Agent on the Webserver<br />
#Insert this key in the OSSEC agent (i.e. on your Webserver to be monitored)<br />
#Reload Configuration in KHIKA<br />
#Verify data collection in KHIKA<br />
<br />
Each of these steps is explained in detail in the further sections.<br />
<br />
== Adding the device in the KHIKA ==<br />
<br />
Go to the Adapter tab from the “Configure” menu. Click on the “Manage Devices” icon. <br />
<br />
[[File:iis_manage_device_1.jpg|500px]]<br />
<br />
A pop up appears for device details. <br />
<br />
[[File:Win7.jpg|500px]]<br />
<br />
Click on “Add / Modify Device” tab. Another pop up appears for device details.<br />
<br />
[[File:list_device_11.jpg|500px]]<br />
<br />
Enter the expected device name. Also, in the field for IP address, enter “any”. <br />
'''Please note : Always enter the IP Address as “any”.''' This is a safe and sure option to establish a connection with the server: it tells the OSSEC agent that “any” of its configured IPs may be used to connect to the OSSEC Server. The device may have multiple NIC cards/IP addresses, and unless we are sure which IP will be used for the connection, the connection will fail. Hence, use “any”.<br />
<br />
Select the appropriate time zone of this device. In the “Node” field dropdown, select the name of the Aggregator or local data collector for this device. <br />
Click on Submit. We get a success message and the device is added successfully to this adaptor. <br />
<br />
[[File:iis_adding_device.jpg|500px]]<br />
<br />
Finally, go to Workspace tab and click on “Apply Configuration” icon.<br />
<br />
[[File:iis_10_1.jpg|500px]]<br />
<br />
We get a confirmation message here too, saying, “Changes Applied”.<br />
<br />
== Extract key from KHIKA OSSEC Server ==<br />
<br />
Now the expected server is added in the relevant KHIKA Adapter (the parser that will parse this data type). To see this device entry, click on the “Manage Devices” icon next to the adaptor.<br />
<br />
[[File:iis_manage_device_1.jpg|500px]]<br />
<br />
A pop up with device details of the adaptor appears. Select the “List of Devices” tab.<br />
<br />
[[File:iis_12.jpg|500px]]<br />
<br />
Click on the “Get OSSEC Key” icon next to this device. <br />
<br />
[[File:get_ossec_key_1.jpg|500px]]<br />
<br />
[[File:iis_extract_key.jpg|500px]]<br />
<br />
This is the unique key for this device, created by the OSSEC server. Paste this key in the OSSEC agent installed on this Webserver.<br />
<br />
== Installing OSSEC Agent for IIS WebServer ==<br />
<br />
Download [https://goo.gl/86gRQL Windows Ossec Agent from here].<br><br />
For IIS Webserver you will need to select the Windows installer with filename '''ossec-win32-agent.zip'''. This works for both 32-bit and 64-bit Windows Server OS versions.<br />
<br />
Copy the downloaded installer to your Webserver (using WinSCP or your favourite scp client) and run the installer as the local "Admin" on the Server. <br />
Please Note : It is extremely important to install the OSSEC agent with admin privileges, as this agent reads the security logs and, in order to read them successfully, it has to run as the local Admin.<br />
Select the installer file and press "Run".<br />
<br />
[[File:Win15.jpg|500px]]<br />
<br />
Click Next<br />
<br />
[[File:Win16.jpg|500px]]<br />
<br />
Select "I Agree" and proceed<br />
<br />
[[File:Win17.jpg|500px]]<br />
<br />
Keep the default selection in the next window and click Next<br />
<br />
[[File:Win18.jpg|500px]]<br />
<br />
Enter the location to install the OSSEC agent on the local drive and let the installation complete<br />
<br />
[[File:Win19.jpg|500px]]<br />
<br />
After the installation is complete, verify that the OSSEC HIDS Service is successfully installed on your WebServer. (Go to your Service Control Panel and check for OSSEC HIDS Service)<br />
<br />
[[File:Win20.jpg|500px]]<br />
<br />
NOTE :- You will have to repeat these steps on each Webserver that you wish to monitor using KHIKA.<br />
<br />
== Insert unique OSSEC key in Windows OSSEC Agent ==<br />
<br />
Perform the following simple steps on the Agent on your Webserver : <br />
In the OSSEC Agent installation directory, run win32ui.exe (Run as Administrator) to open up a window as shown below.<br />
<br />
[[File:Win21.jpg|500px]]<br />
<br />
In the field “OSSEC Server IP”, enter the IP Address of the KHIKA data aggregator or collector node, paste the copied key (generated by the OSSEC server above) in the box against "Authentication key" and click Save. <br />
From the "Manage" drop-down, select "Restart" to restart the OSSEC Agent. Click on the Refresh button at the bottom, next to Save.<br />
<br />
[[File:Win22.jpg|500px]]<br />
<br />
Wait for a few minutes. Repeat the above steps for all the agents to be added.<br />
<br />
== Reload Configuration ==<br />
<br />
Log in to the KHIKA portal. <br />
*Go to Configure<br />
*Select workspace, here IIS_WebServer (or whatever you have named your workspace)<br />
*Go to Node Tab <br />
*Click Reload Config<br />
<br />
[[File:reload_conf.jpg|500px]]<br />
<br />
This step restarts the OSSEC Server.<br />
Wait for a few minutes for the server to restart.<br />
<br />
== Verifying OSSEC data collection ==<br />
<br />
Once the device is added successfully, we can check the data for this device on the Discover screen. Go to “Discover” from the main menu. <br />
Select the appropriate index. Raw (KHIKA formatted) data of all the Webservers you added is seen here. <br />
<br />
[[File:Win24.jpg|500px]]<br />
<br />
To see the data for our newly added device, enter the search string in lower case – <br />
tl_src_host : name_of_the_device_added_in_lower_case <br />
and click on the search icon.<br />
<br />
== How to check the output of KHIKA IIS WebServer App ? ==<br />
<br />
<br />
=== IIS Webserver Http Error Status Dashboard ===<br />
<br />
This dashboard shows the HTTP status codes for accessed URLs. It also shows the top 10 most accessed URLs, the server IP and the HTTP status code. <br />
<br />
==== Elements in the Dashboard are explained below : ====<br />
<br />
{| class="wikitable"<br />
|+ style="caption-side:bottom; color:#e76700;"|''IIS Webserver Http Error Status Dashboard''<br />
|-<br />
|'''Visualization'''<br />
|'''Description'''<br />
|-<br />
|Server IP wise Status<br />
|X axis : Server IPs<br/> Y axis : Server IP status codes like 200,400,404, etc.<br />
|-<br />
|Client IP wise Status<br />
|X axis : Client IPs<br/> Y axis : Client IP status code like 200,400,404,504, etc.<br />
|-<br />
|Time trend<br />
|Trend of login events over time. Useful to identify unusual spikes at a glance.<br/><br/>X axis : date & time<br/>Y axis : count of events<br />
|-<br />
|Summary Table<br />
|Detailed data with timestamp and count<br />
<br />
|}<br />
<br />
==== Some suggestions for useful interaction with this dashboard could be : ====<br />
<br />
#In the graph "Server IP wise Status", click and select any one server IP. This shall isolate the respective status codes and URLs accessed for the selected server IP and get reflected across the dashboard, i.e. the other pie charts, time trends and summary table shall show filtered information for this server IP only.<br />
#Alternatively, in the graph "Client IP wise Status", click and select any one client IP. This shall isolate the respective status codes and URLs accessed for that selected client IP and get reflected across the dashboard.<br />
<br />
=== IIS Webserver Top N URL Dashboard ===<br />
<br />
This dashboard shows the top n URLs requested and their information. It includes details about the domain and the top hits on the server. <br />
<br />
==== Elements in the Dashboard are explained below : ====<br />
<br />
{| class="wikitable"<br />
|+ style="caption-side:bottom; color:#e76700;"|''IIS Webserver Top N URL Dashboard''<br />
|-<br />
|'''Visualization'''<br />
|'''Description'''<br />
|-<br />
|Contribution of URL<br />
|This pie chart shows the share of the different URLs accessed on the server.<br />
|-<br />
|Server Name wise Hits<br />
|X axis: Server names<br/>Y axis: Count of request hits for each server.<br />
|-<br />
|Time trend<br />
|Trend of login events over time. Useful to identify unusual spikes at a glance.<br/><br/>X axis: date & time<br/>Y axis: count of events<br />
|-<br />
|Contribution of Domain<br />
|This pie chart shows the share of the different domains.<br />
|-<br />
|Summary Table<br />
|Detailed data with timestamp and count<br />
<br />
|}<br />
<br />
==== Some suggestions for useful interaction with this dashboard could be: ====<br />
<br />
#On the pie chart "Contribution of URL", select any one URL. This shall show the number of hits, server names and domain for the selected URL across the dashboard, making it easier to drill down and analyse.<br />
#In the "Contribution of Domain" pie, click on any one domain. A filter is applied on the selected domain and the rest of the elements on the dashboard then show data for that domain only, such as the URLs for this domain, server name, etc.<br />
<br />
=== IIS Webserver Total Request Per User Dashboard ===<br />
<br />
This dashboard shows detailed information about users and the URLs they requested.<br />
<br />
==== Elements in the Dashboard are explained below: ====<br />
<br />
{| class="wikitable"<br />
|+ style="caption-side:bottom; color:#e76700;"|''IIS Webserver Total Request Per User Dashboard''<br />
|-<br />
|'''Visualization'''<br />
|'''Description'''<br />
|-<br />
|Contribution of Server Name<br />
|This pie chart shows the share of each server.<br />
|-<br />
|User wise Request<br />
|X axis: Users<br/>Y axis: Count of request hits for each user.<br />
|-<br />
|Time trend<br />
|Trend of login events over time. Useful to identify unusual spikes at a glance.<br/><br/>X axis: date & time<br/>Y axis: count of events<br />
|-<br />
|Summary Table<br />
|Detailed data with timestamp and count<br />
<br />
|}<br />
<br />
==== Some suggestions for useful interaction with this dashboard could be: ====<br />
<br />
#In the graph "User wise Request", click and select any one user. This shall isolate the request hits for the selected user and reflect them across the dashboard, i.e. the other pie charts, time trends and summary table shall show filtered information for this user only.<br />
#In the pie "Contribution of Server Name", click and select any one server name. This shall isolate the users and request hits for that server name and reflect them across the dashboard.<br />
<br />
=== IIS Webserver Traffic Categorization Dashboard ===<br />
<br />
This dashboard shows the traffic categorization (DIRECT or REFERRED). It also shows the category per server IP, the top URLs and the servers.<br />
<br />
==== Elements in the Dashboard are explained below: ====<br />
<br />
{| class="wikitable"<br />
|+ style="caption-side:bottom; color:#e76700;"|''IIS Webserver Traffic Categorization Dashboard''<br />
|-<br />
|'''Visualization'''<br />
|'''Description'''<br />
|-<br />
|Server IP wise Category<br />
|X axis: Server IPs<br/>Y axis: count of requests per category.<br />
|-<br />
|Client IP wise Referrer<br />
|X axis: Client IPs<br/>Y axis: count of requests per referrer.<br />
|-<br />
|Contribution of URL<br />
|This pie chart shows the share of the different URLs.<br />
|-<br />
|Contribution of Category<br />
|This pie chart shows the share of each category.<br />
|-<br />
|Contribution of Referrer<br />
|This pie chart shows the share of each referrer.<br />
|-<br />
|Time trend<br />
|Trend of login events over time. Useful to identify unusual spikes at a glance.<br/><br/>X axis: date & time<br/>Y axis: count of events<br />
|-<br />
|Summary Table<br />
|Detailed data with timestamp and count<br />
<br />
|}<br />
<br />
==== Some suggestions for useful interaction with this dashboard could be: ====<br />
#On the bar graph "Server IP wise Category", select any one server IP. This shall isolate the categories and their counts for the selected server IP, along with the domain and accessed URLs for that server IP, across the dashboard, i.e. the other pie charts, time trends and summary table shall show filtered information for this server IP only.<br />
#Inversely, in the bar graph "Client IP wise Referrer", click on any one client IP to select it; the rest of the elements on the dashboard then show data for that client IP only.<br />
<br />
=== IIS Webserver Top N Referrers Dashboard ===<br />
<br />
This dashboard shows the top referrers. It also gives details of the domain and the top hits per server.<br />
<br />
==== Elements in the Dashboard are explained below: ====<br />
<br />
{| class="wikitable"<br />
|+ style="caption-side:bottom; color:#e76700;"|''IIS Webserver Top N Referrers Dashboard''<br />
|-<br />
|'''Visualization'''<br />
|'''Description'''<br />
|-<br />
|Contribution of Domain<br />
|This pie chart shows the share of each domain.<br />
|-<br />
|Server Name wise Hits<br />
|X axis: Server names<br/>Y axis: Count of hits per server name.<br />
|-<br />
|Contribution of Referrer<br />
|This pie chart shows the share of each referrer.<br />
|-<br />
|Time trend<br />
|Trend of login events over time. Useful to identify unusual spikes at a glance.<br/><br/>X axis: date & time<br/>Y axis: count of events<br />
|-<br />
|Summary Table<br />
|Detailed data with timestamp and count<br />
<br />
|}<br />
<br />
==== Some suggestions for useful interaction with this dashboard could be: ====<br />
<br />
#In the "Contribution of Referrer" chart, select any one referrer. This shall isolate the count of request hits for the selected referrer and show the domain and server name for it across the dashboard, i.e. the other pie charts, time trends and summary table shall show filtered information for this referrer only.<br />
#Inversely, in the "Contribution of Domain" pie, click on any one domain to select it; the rest of the elements on the dashboard then show data for that domain only.<br />
<br />
=== IIS Webserver Referrer Detail Dashboard ===<br />
<br />
This dashboard shows referrer details. It also shows the top URLs, the referrers, the client IPs requesting each URL and the server IP.<br />
<br />
==== Elements in the Dashboard are explained below: ====<br />
<br />
{| class="wikitable"<br />
|+ style="caption-side:bottom; color:#e76700;"|''IIS Webserver Referrer Detail Dashboard''<br />
|-<br />
|'''Visualization'''<br />
|'''Description'''<br />
|-<br />
|Contribution of Referrer<br />
|This pie chart shows the share of each referrer.<br />
|-<br />
|Contribution of URL<br />
|This pie chart shows the share of each URL.<br />
|-<br />
|Server IP wise Hits<br />
|X axis: Server IPs<br/>Y axis: Count of request hits for each server IP.<br />
|-<br />
|Client IP wise Hits<br />
|X axis: Client IPs<br/>Y axis: Count of request hits for each client IP.<br />
|-<br />
|Time trend<br />
|Trend of login events over time. Useful to identify unusual spikes at a glance.<br/><br/>X axis: date & time<br/>Y axis: count of events<br />
|-<br />
|Summary Table<br />
|Detailed data with timestamp and count<br />
<br />
|}<br />
<br />
==== Some suggestions for useful interaction with this dashboard could be: ====<br />
<br />
#In the pie chart "Contribution of Referrer", click and select any one referrer type. This shall isolate the count of hits for the selected type and show the server IP and accessed URLs for that referrer type across the dashboard, i.e. the other pie charts, time trends and summary table shall show filtered information for this referrer type only.<br />
#Alternatively, in the graph "Client IP wise Hits", click and select any one client IP. This shall isolate the request hits and show the referrer and accessed URLs for that client IP across the dashboard.<br />
<br />
=== IIS webserver loading delays Dashboard ===<br />
<br />
This dashboard shows the total and average time taken for each accessed URI and server IP.<br />
<br />
==== Elements in the Dashboard are explained below: ====<br />
<br />
{| class="wikitable"<br />
|+ style="caption-side:bottom; color:#e76700;"|''IIS webserver loading delays Dashboard ''<br />
|-<br />
|'''Visualization'''<br />
|'''Description'''<br />
|-<br />
|URL wise Total Time<br />
|X axis: URLs<br/>Y axis: Total time taken and count of the most expensive requests for each URL.<br />
|-<br />
|Server IP Hits<br />
|X axis: Server IPs<br/>Y axis: Count of request hits for each server IP.<br />
|-<br />
|Contribution of Server IP<br />
|This pie chart shows the share of each server IP.<br />
|-<br />
|Time trend<br />
|Trend of login events over time. Useful to identify unusual spikes at a glance.<br/><br/>X axis: date & time<br/>Y axis: count of events<br />
|-<br />
|Summary Table<br />
|Detailed data with timestamp and count<br />
<br />
|}<br />
<br />
==== Some suggestions for useful interaction with this dashboard could be: ====<br />
<br />
#In the bar graph "URL wise Total Time", click and select any one URL. The dashboard shall show the total time taken for the selected URL and the count of its most expensive requests, reflected across the dashboard, i.e. the other pie charts, time trends and summary table shall show filtered information for this URL only.<br />
#Alternatively, in the bar graph "Server IP Hits", click on any one server IP to select it; the rest of the elements on the dashboard then show data for that server IP only.<br />
<br />
=== IIS Webserver Avg Qtime Dashboard ===<br />
<br />
This dashboard shows the average time taken by each accessed URL and its query.<br />
<br />
==== Elements in the Dashboard are explained below: ====<br />
<br />
{| class="wikitable"<br />
|+ style="caption-side:bottom; color:#e76700;"|''IIS Webserver Avg Qtime Dashboard ''<br />
|-<br />
|'''Visualization'''<br />
|'''Description'''<br />
|-<br />
|URL wise Hits<br />
|X axis: URL names<br/>Y axis: Count of request hits for each URL.<br />
|-<br />
|Server IP Hits<br />
|X axis: Server IPs<br/>Y axis: Count of request hits for each server IP.<br />
|-<br />
|Contribution of Query<br />
|This pie chart shows the share of each query.<br />
|-<br />
|Time trend<br />
|Trend of login events over time. Useful to identify unusual spikes at a glance.<br/><br/>X axis: date & time<br/>Y axis: count of events<br />
|-<br />
|Summary Table<br />
|Detailed data with timestamp and count<br />
<br />
|}<br />
<br />
==== Some suggestions for useful interaction with this dashboard could be: ====<br />
<br />
#In the pie chart "Contribution of Query", select any one top query. This shall isolate the count of hits and the server IP for the selected query across the dashboard.<br />
#In the bar graph "URL wise Hits", select any one URL. This shall isolate the count of request hits for the selected URL and the query and server name for that URL across the dashboard, i.e. the other pie charts, time trends and summary table shall show filtered information for this URL only.<br />
<br />
=== KHIKA Alerts for IIS WebServer ===<br />
<br />
Alerts are generated in real time when certain critical behaviour is observed in the system. They are notified on the Alerts Dashboard in KHIKA and can also be received by email by the relevant stakeholders. The details of KHIKA Alerts are mentioned here.<br />
Click on “Alert Dashboard” in the left menu.<br />
Certain alerts for Windows are pre-canned and shipped with KHIKA, keeping in mind the requirements of the users. They are mentioned in the table below:<br />
<br />
==== Alerts Description ====<br />
<br />
{| class="wikitable"<br />
|+ style="caption-side:bottom; color:#e76700;"|''Alert Details Table''<br />
|-<br />
|'''Alert Name'''<br />
|'''Description'''<br />
|'''Suggested Resolution'''<br />
|-<br />
|IIS communication with possible IOC or bad IP<br />
|This alert is triggered when malicious/bad IPs try to communicate with the IIS Webserver.<br />
|KHIKA shares community based threat intelligence (TI) every 24 hours. The TI is a list of IP addresses with bad reputation. Every bad IP is marked with the number of communities reporting it, the name of each community and a confidence value indicating how confident we are about the reputation. This alert is generated when communication with a bad IP is let through.<br />
If communication with a bad IP is happening, it must be blocked immediately as it could be a possible attack or data exfiltration.<br />
You can check how long this communication has been happening by simply searching for the malicious IP in the logs. You can also check which internal IP addresses are communicating with this IP address and track the real users behind those internal IP addresses.<br />
Cross-check the reputation of the IP with popular websites such as ipvoid.com and virustotal.com.<br />
If you see an internal IP constantly getting involved in malicious communication (with the same or multiple external IP addresses), you may install agents on the internal nodes involved and check the real user and process responsible for this communication.<br />
It is critical to block this rogue communication.<br />
|-<br />
|IIS dangerous content posted to webserver, files with executable extensions<br />
|This alert is triggered when any client tries to post dangerous files to the webserver within one minute.<br />
|Dangerous content has been posted to the webserver. The user has posted potentially dangerous files such as executables, scripts, shared objects, etc. to the webserver.<br />
Kindly check the upload activity done by the user and verify the uploaded content for policy violation.<br />
|-<br />
|IIS multiple errors for same URL when it is not accessible<br />
|This alert is triggered when a client tries to access an invalid/unauthorized URL and gets multiple errors such as 404, 405, etc. within one minute.<br />
|Multiple errors are received for the same URL.<br />
This kind of alert may occur due to an incorrect application URL, e.g. a user trying to access an invalid/non-authorized URL.<br />
Kindly check the legitimacy of the requesting users.<br />
|}</div>Dhanashree kulkarnihttp://khika.com/wiki/index.php?title=KHIKA_App_for_IIS_WebServer&diff=3065KHIKA App for IIS WebServer2020-04-07T07:07:45Z<p>Dhanashree kulkarni: /* IIS Webserver Top N URL Dashboard */</p>
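The three pre-canned alerts in the table above, as added detection logic that is not KHIKA's own code: it parses IIS W3C extended log lines and applies each rule (client address on a threat-intelligence list, executable content posted, repeated errors for one URL within a minute). The sample log, the TI address, the extension list and the three-error threshold are constructed assumptions.

```python
import posixpath
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed threat-intelligence list standing in for the community TI feed
# KHIKA refreshes every 24 hours (documentation-range address, made up here).
BAD_IPS = {"203.0.113.66"}

# Extensions the "dangerous content posted" rule treats as executable content
# (assumed list; the page names executables, scripts and shared objects).
EXECUTABLE_EXTENSIONS = {".exe", ".dll", ".ps1", ".bat", ".cmd", ".vbs", ".js", ".sh", ".so"}

# Assumed threshold: this many 4xx/5xx responses for one URL inside one minute.
ERROR_THRESHOLD = 3
ERROR_WINDOW = timedelta(minutes=1)

# Constructed IIS W3C extended log excerpt (not a real server's log).
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip sc-status
2024-03-01 10:00:01 10.0.0.5 GET /index.html - 443 198.51.100.7 200
2024-03-01 10:00:05 10.0.0.5 GET /admin/config.php - 443 198.51.100.9 404
2024-03-01 10:00:20 10.0.0.5 GET /admin/config.php - 443 198.51.100.9 404
2024-03-01 10:00:40 10.0.0.5 GET /admin/config.php - 443 198.51.100.9 405
2024-03-01 10:01:10 10.0.0.5 POST /uploads/report.pdf - 443 198.51.100.7 201
2024-03-01 10:01:15 10.0.0.5 POST /uploads/tool.exe - 443 203.0.113.66 201
2024-03-01 10:03:00 10.0.0.5 GET /old/page.aspx - 443 198.51.100.7 404
2024-03-01 10:05:00 10.0.0.5 GET /old/page.aspx - 443 198.51.100.7 404
2024-03-01 10:07:00 10.0.0.5 GET /old/page.aspx - 443 198.51.100.7 404
"""


def parse_iis_log(text):
    """Parse W3C extended format into dicts keyed by the names in the #Fields directive."""
    fields, records = [], []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]   # field names follow the directive
            continue
        if line.startswith("#"):        # #Software, #Version, #Date directives
            continue
        values = line.split(" ")
        if len(values) != len(fields):  # malformed line: skip rather than misattribute fields
            continue
        rec = dict(zip(fields, values))
        rec["when"] = rec["date"] + " " + rec["time"]
        rec["ts"] = datetime.strptime(rec["when"], "%Y-%m-%d %H:%M:%S")
        rec["status"] = int(rec["sc-status"])
        records.append(rec)
    return records


def bad_ip_alerts(records):
    """Rule 1: any request whose client address is on the TI list."""
    return [("IIS communication with possible IOC or bad IP", r["c-ip"], r["when"])
            for r in records if r["c-ip"] in BAD_IPS]


def executable_upload_alerts(records):
    """Rule 2: a POST or PUT whose target path carries an executable extension."""
    alerts = []
    for r in records:
        if r["cs-method"] not in ("POST", "PUT"):
            continue
        ext = posixpath.splitext(r["cs-uri-stem"])[1].lower()
        if ext in EXECUTABLE_EXTENSIONS:
            alerts.append(("IIS dangerous content posted to webserver", r["c-ip"], r["cs-uri-stem"]))
    return alerts


def repeated_error_alerts(records):
    """Rule 3: ERROR_THRESHOLD or more 4xx/5xx responses for one URL within ERROR_WINDOW.

    A sliding window of error timestamps is kept per URL; one alert fires per URL
    the first time the window reaches the threshold, so spaced-out 404s do not alert.
    """
    windows = defaultdict(list)
    fired, alerts = set(), []
    for r in sorted(records, key=lambda x: x["ts"]):
        if r["status"] < 400:
            continue
        url = r["cs-uri-stem"]
        win = windows[url]
        win.append(r["ts"])
        while r["ts"] - win[0] > ERROR_WINDOW:   # expire errors older than the window
            win.pop(0)
        if len(win) >= ERROR_THRESHOLD and url not in fired:
            fired.add(url)
            alerts.append(("IIS multiple errors for same URL", url, r["when"]))
    return alerts


def detect(records):
    """Run all three rules and return the combined alert list."""
    return bad_ip_alerts(records) + executable_upload_alerts(records) + repeated_error_alerts(records)
```

Running `detect(parse_iis_log(SAMPLE_LOG))` yields one alert per rule; the `/old/page.aspx` errors, two minutes apart, stay below the one-minute window and do not alert.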
<hr />
<div>== Introduction ==<br />
<br />
IIS webserver logs hold valuable information such as each client's activity and communication. KHIKA visual analytics make it simpler to identify and pinpoint where risks are introduced so you can take preventive measures accordingly. The KHIKA App for IIS webserver aims to give you insights into behaviour, errors and traffic.<br />
<br />
With the KHIKA App for IIS webserver, you can:<br />
*Monitor hundreds of IIS servers from a central place.<br />
*Monitor and see the HTTP error trends.<br />
*Monitor the top N URLs serviced / requested and their statistics.<br />
*See the user wise request distribution on your servers.<br />
<br />
Below we explain the steps to configure and interpret the output of the KHIKA App for IIS Webserver.<br />
<br />
The key parts to get here are: <br />
#Install the KHIKA App for IIS Webserver<br />
#Get data from your IIS Webserver into KHIKA Aggregator<br />
<br />
== How to Install the KHIKA App for IIS WebServer? ==<br />
<br />
This section assumes that you have already configured the KHIKA Data Aggregator in your environment. If not, please read [[Getting Started with KHIKA SaaS#Installing and configuring KHIKA Data Aggregator|how to configure KHIKA Data Aggregator]] and perform the pre-requisite steps.<br />
<br />
This section explains how to pick and install the KHIKA application for IIS Webserver. Installing the application assembles and activates the preconfigured adapter (parser) that handles the Windows data format, along with the dashboards and the alert rules.<br />
<br />
Go to the “Applications” tab in the “Configure” menu.<br />
<br />
[[File:node.jpg|500px]]<br />
<br />
Check whether the appropriate Workspace is selected.<br />
Note: an Application is always loaded in a Workspace. Read the section on [[Accessing the KHIKA Gui#Creating a Workspace|Workspaces]] to know more about KHIKA Workspaces.<br />
Also select your KHIKA aggregator name in the Node dropdown.<br />
This ensures that we collect data from the desired source into the correct workspace, which is ready with the configured application and components.<br />
<br />
[[File:install_app.jpg|500px]]<br />
<br />
Click on the “+” button next to the IIS WebServer App. A pop-up appears.<br />
<br />
[[File:install_app1.jpg|500px]]<br />
<br />
Users can now select the required contents of the application. For example, click on the “Reports” dropdown to expand it; the list of all reports can be seen. Users can individually select the reports required by checking the checkbox next to each. Alternatively, check the “Select All” option to get all of them.<br />
Similarly, you can select contents from Alerts and Dashboards.<br />
<br />
[[KHIKA Reports|What are KHIKA Reports]]<br />
<br />
[[KHIKA Dashboards|What are KHIKA Dashboards]]<br />
<br />
[[KHIKA Alerts & Correlations|What are KHIKA Alerts]]<br />
<br />
Click “Install” to proceed with the installation of the selected Application.<br />
If you have created multiple IIS webserver workspaces in KHIKA and installed the App previously, you will get the pop-up below.<br />
<br />
[[File:App_alredy.JPG|500px]]<br />
<br />
Click on OK to proceed. If this is not the case, ignore this step.<br />
After successful installation, the following status should be displayed.<br />
<br />
[[File:install_status.jpg|500px]]<br />
<br />
Click on the Close button.<br />
This simple procedure to install a KHIKA App automatically configures the Adapter (required for parsing the raw syslog data), the KHIKA reports calculated on the raw data, Visualizations, Dashboards and Alerts, all in one click.<br />
<br />
== How to get your IIS WebServer data into KHIKA? ==<br />
<br />
KHIKA recommends the popular open source OSSEC integration to monitor IIS Webservers.<br />
There are 2 components in the OSSEC integration with KHIKA:<br />
#OSSEC Agent – installed on each server which we wish to monitor<br />
#OSSEC Server – present on the KHIKA Data Aggregator (which you have installed before)<br />
<br />
The OSSEC agent and server communicate with each other using a unique key for encryption.<br />
The main steps to start getting data from an IIS Webserver are:<br />
#Add the webserver details in KHIKA<br />
#Extract a unique key for this device from KHIKA<br />
#Install the OSSEC Agent on the Webserver<br />
#Insert this key in the OSSEC agent (i.e. on the Webserver to be monitored)<br />
#Reload the Configuration in KHIKA<br />
#Verify data collection in KHIKA<br />
<br />
Each of these steps is explained in detail in the further sections.<br />
<br />
== Adding the device in KHIKA ==<br />
<br />
Go to the Adapter tab from the “Configure” menu. Click on the “Manage Devices” icon.<br />
<br />
[[File:iis_manage_device_1.jpg|500px]]<br />
<br />
A pop-up appears for the device details.<br />
<br />
[[File:Win7.jpg|500px]]<br />
<br />
Click on the “Add / Modify Device” tab. Another pop-up appears for the device details.<br />
<br />
[[File:list_device_11.jpg|500px]]<br />
<br />
Enter the expected device name. Also, in the field for IP address, enter “any”.<br />
'''Please note: Always enter the IP Address as “any”.''' This is the safe and sure option for establishing the connection, as it allows the OSSEC agent to connect to the OSSEC Server from any of its configured IPs. The device may have multiple NICs/IP addresses, and unless we are sure which IP will be used for the connection, the connection will fail. Hence, use “any”.<br />
<br />
Select the appropriate time zone of this device. In the “Node” dropdown, select the name of the Aggregator or local data collector for this device.<br />
Click on Submit. We get a success message and the device is added to this adapter.<br />
<br />
[[File:iis_adding_device.jpg|500px]]<br />
<br />
Finally, go to the Workspace tab and click on the “Apply Configuration” icon.<br />
<br />
[[File:iis_10_1.jpg|500px]]<br />
<br />
We get a confirmation message here too, saying “Changes Applied”.<br />
<br />
== Extract key from KHIKA OSSEC Server ==<br />
<br />
The server is now added to the relevant KHIKA Adapter (parser) that will parse this data type. To see this device entry, click on the “Manage Devices” icon next to the adapter.<br />
<br />
[[File:iis_manage_device_1.jpg|500px]]<br />
<br />
A pop-up with the device details of the adapter appears. Select the “List of Devices” tab.<br />
<br />
[[File:iis_12.jpg|500px]]<br />
<br />
Click on the “Get OSSEC Key” icon next to this device. <br />
<br />
[[File:get_ossec_key_1.jpg|500px]]<br />
<br />
[[File:iis_extract_key.jpg|500px]]<br />
<br />
This is the unique key for this device, created by the OSSEC server. Paste this key into the OSSEC agent installed on this Webserver.<br />
<br />
== Installing OSSEC Agent for IIS WebServer ==<br />
<br />
Download the [https://goo.gl/86gRQL Windows OSSEC Agent from here].<br><br />
For an IIS Webserver you will need to select the Windows installer with the filename '''ossec-win32-agent.zip'''. This works for both 32-bit and 64-bit Windows Server OS versions.<br />
<br />
Copy the downloaded installer to your Webserver (using WinSCP or your favourite scp client) and run the installer as the local "Admin" on the server.<br />
Please note: it is extremely important to install the OSSEC agent with admin privileges, as the agent reads the security logs and needs local Admin rights to read them successfully.<br />
Select the installer file and press "Run".<br />
<br />
[[File:Win15.jpg|500px]]<br />
<br />
Click Next<br />
<br />
[[File:Win16.jpg|500px]]<br />
<br />
Select "I Agree" and proceed<br />
<br />
[[File:Win17.jpg|500px]]<br />
<br />
Keep the default selection in the next window and click Next<br />
<br />
[[File:Win18.jpg|500px]]<br />
<br />
Enter the location to install the OSSEC agent on the local drive and let the installation complete<br />
<br />
[[File:Win19.jpg|500px]]<br />
<br />
After the installation is complete, verify that the OSSEC HIDS Service is successfully installed on your WebServer (go to your Service Control Panel and check for the OSSEC HIDS Service).<br />
<br />
[[File:Win20.jpg|500px]]<br />
<br />
NOTE: You will have to repeat these steps on each Webserver that you wish to monitor using KHIKA.<br />
<br />
== Insert unique OSSEC key in Windows OSSEC Agent ==<br />
<br />
Perform the following simple steps on the Agent on your Webserver:<br />
In the OSSEC Agent installation directory, run win32ui.exe (Run as Administrator) to open a window as shown below.<br />
<br />
[[File:Win21.jpg|500px]]<br />
<br />
In the field “OSSEC Server IP”, enter the IP address of the KHIKA data aggregator or collector node, paste the copied key (generated by the OSSEC server above) in the box against "Authentication key" and click Save.<br />
From the "Manage" drop-down, select "Restart" to restart the OSSEC Agent. Click on the Refresh button at the bottom, next to Save.<br />
<br />
[[File:Win22.jpg|500px]]<br />
<br />
Wait for a few minutes. Repeat the above steps for all the agents to be added.<br />
<br />
== Reload Configuration ==<br />
<br />
Log in to the KHIKA portal.<br />
*Go to Configure<br />
*Select the workspace, here IIS_WebServer (or whatever you have named your workspace)<br />
*Go to the Node tab<br />
*Click Reload Config<br />
<br />
[[File:reload_conf.jpg|500px]]<br />
<br />
This step restarts the OSSEC Server.<br />
Wait a few minutes for the server to restart.<br />
<br />
== Verifying OSSEC data collection ==<br />
<br />
Once the device is added successfully, we can check the data for this device on the Discover screen. Go to “Discover” from the main menu.<br />
Select the appropriate index. The raw (KHIKA formatted) data of all the Webservers you added is seen here.<br />
<br />
[[File:Win24.jpg|500px]]<br />
<br />
To see the data for the newly added device, enter the search string in lower case:<br />
tl_src_host : name_of_the_device_added_in_lower_case<br />
and click on the search icon.<br />
<br />
== How to check the output of the KHIKA IIS WebServer App? ==<br />
<br />
<br />
=== IIS Webserver Http Error Status Dashboard ===<br />
<br />
This dashboard shows the HTTP status codes returned for accessed URLs. It also shows the 10 most accessed URLs, the server IP and the HTTP status code.<br />
<br />
==== Elements in the Dashboard are explained below: ====<br />
<br />
{| class="wikitable"<br />
|+ style="caption-side:bottom; color:#e76700;"|''IIS Webserver Http Error Status Dashboard''<br />
|-<br />
|'''Visualization'''<br />
|'''Description'''<br />
|-<br />
|Server IP wise Status<br />
|X axis: Server IPs<br/>Y axis: HTTP status codes (200, 400, 404, etc.) returned by each server IP.<br />
|-<br />
|Client IP wise Status<br />
|X axis: Client IPs<br/>Y axis: HTTP status codes (200, 400, 404, 504, etc.) received by each client IP.<br />
|-<br />
|Time trend<br />
|Trend of login events over time. Useful to identify unusual spikes at a glance.<br/><br/>X axis: date & time<br/>Y axis: count of events<br />
|-<br />
|Summary Table<br />
|Detailed data with timestamp and count<br />
<br />
|}<br />
<br />
==== Some suggestions for useful interaction with this dashboard could be: ====<br />
<br />
#In the graph "Server IP wise Status", click and select any one server IP. This shall isolate the status codes and URLs accessed for the selected server IP and reflect them across the dashboard, i.e. the other pie charts, time trends and summary table shall show filtered information for this server IP only.<br />
#Alternatively, in the graph "Client IP wise Status", click and select any one client IP. This shall isolate the status codes and URLs accessed for the selected client IP and reflect them across the dashboard.<br />
<br />
=== IIS Webserver Top N URL Dashboard ===<br />
<br />
This dashboard shows the top N requested URLs and their details, including the domain and the top hits per server.<br />
<br />
==== Elements in the Dashboard are explained below: ====<br />
<br />
{| class="wikitable"<br />
|+ style="caption-side:bottom; color:#e76700;"|''IIS Webserver Top N URL Dashboard''<br />
|-<br />
|'''Visualization'''<br />
|'''Description'''<br />
|-<br />
|Contribution of URL<br />
|This pie chart shows the share of the different URLs accessed on the server.<br />
|-<br />
|Server Name wise Hits<br />
|X axis: Server names<br/>Y axis: Count of request hits for each server.<br />
|-<br />
|Time trend<br />
|Trend of login events over time. Useful to identify unusual spikes at a glance.<br/><br/>X axis: date & time<br/>Y axis: count of events<br />
|-<br />
|Contribution of Domain<br />
|This pie chart shows the share of the different domains.<br />
|-<br />
|Summary Table<br />
|Detailed data with timestamp and count<br />
<br />
|}<br />
<br />
==== Some suggestions for useful interaction with this dashboard could be: ====<br />
<br />
#On the pie chart "Contribution of URL", select any one URL. This shall show the number of hits, server names and domain for the selected URL across the dashboard, making it easier to analyse.<br />
#In the "Contribution of Domain" pie, click on any one domain. A filter is applied on the selected domain and the rest of the elements on the dashboard then show data for that domain only, such as the URLs for this domain, server name, etc.<br />
<br />
=== IIS Webserver Total Request Per User Dashboard ===<br />
<br />
This dashboard shows detailed information about users and the URLs they requested.<br />
<br />
==== Elements in the Dashboard are explained below: ====<br />
<br />
{| class="wikitable"<br />
|+ style="caption-side:bottom; color:#e76700;"|''IIS Webserver Total Request Per User Dashboard''<br />
|-<br />
|'''Visualization'''<br />
|'''Description'''<br />
|-<br />
|Contribution of Server Name<br />
|This pie chart shows the share of each server.<br />
|-<br />
|User wise Request<br />
|X axis: Users<br/>Y axis: Count of request hits for each user.<br />
|-<br />
|Time trend<br />
|Trend of login events over time. Useful to identify unusual spikes at a glance.<br/><br/>X axis: date & time<br/>Y axis: count of events<br />
|-<br />
|Summary Table<br />
|Detailed data with timestamp and count<br />
<br />
|}<br />
<br />
==== Some suggestions for useful interaction with this dashboard could be: ====<br />
<br />
#In the graph "User wise Request", click and select any one user. This shall isolate the request hits for the selected user and reflect them across the dashboard, i.e. the other pie charts, time trends and summary table shall show filtered information for this user only.<br />
#In the pie "Contribution of Server Name", click and select any one server name. This shall isolate the users and request hits for that server name and reflect them across the dashboard.<br />
<br />
=== IIS Webserver Traffic Categorization Dashboard ===<br />
<br />
This dashboard shows the traffic categorization (DIRECT or REFERRED). It also shows the category per server IP, the top URLs and the servers.<br />
<br />
==== Elements in the Dashboard are explained below: ====<br />
<br />
{| class="wikitable"<br />
|+ style="caption-side:bottom; color:#e76700;"|''IIS Webserver Traffic Categorization Dashboard''<br />
|-<br />
|'''Visualization'''<br />
|'''Description'''<br />
|-<br />
|Server IP wise Category<br />
|X axis: Server IPs<br/>Y axis: count of requests per category.<br />
|-<br />
|Client IP wise Referrer<br />
|X axis: Client IPs<br/>Y axis: count of requests per referrer.<br />
|-<br />
|Contribution of URL<br />
|This pie chart shows the share of the different URLs.<br />
|-<br />
|Contribution of Category<br />
|This pie chart shows the share of each category.<br />
|-<br />
|Contribution of Referrer<br />
|This pie chart shows the share of each referrer.<br />
|-<br />
|Time trend<br />
|Trend of login events over time. Useful to identify unusual spikes at a glance.<br/><br/>X axis: date & time<br/>Y axis: count of events<br />
|-<br />
|Summary Table<br />
|Detailed data with timestamp and count<br />
<br />
|}<br />
<br />
==== Some suggestions for useful interaction with this dashboard could be: ====<br />
#On the bar graph "Server IP wise Category", select any one server IP. This shall isolate the categories and their counts for the selected server IP, along with the domain and accessed URLs for that server IP, across the dashboard, i.e. the other pie charts, time trends and summary table shall show filtered information for this server IP only.<br />
#Inversely, in the bar graph "Client IP wise Referrer", click on any one client IP to select it; the rest of the elements on the dashboard then show data for that client IP only.<br />
<br />
=== IIS Webserver Top N Referrers Dashboard ===<br />
<br />
This dashboard shows the top referrers. It also gives details of the domain and the top hits per server.<br />
<br />
==== Elements in the Dashboard are explained below: ====<br />
<br />
{| class="wikitable"<br />
|+ style="caption-side:bottom; color:#e76700;"|''IIS Webserver Top N Referrers Dashboard''<br />
|-<br />
|'''Visualization'''<br />
|'''Description'''<br />
|-<br />
|Contribution of Domain<br />
|This pie chart shows contribution of different types of Domain.<br />
|-<br />
|Server Name wise Hits<br />
|X axis : Server Names<br/>Y axis : count of hits per server name.<br />
|-<br />
|Contribution of Referrer<br />
|This pie chart shows contribution of different types of Referrers.<br />
|-<br />
|Time trend<br />
|Trend of login events over time. Useful to identify unusual spikes at a glance.<br/><br/>X axis : date & time<br/>Y axis : count of events<br />
|-<br />
|Summary Table<br />
|Detailed data with timestamp and count<br />
<br />
|}<br />
<br />
==== Some suggestions for useful interaction with this dashboard could be : ====<br />
<br />
#In the pie chart "Contribution of Referrer", select any one referrer. This isolates the count of requested hits for the selected referrer and also shows the domain and server name for it across the dashboard, i.e. the other pie charts, time trend and summary table show filtered information for this referrer only.<br />
#Inversely, in the "Contribution of Domain" pie, click on any one domain to select it; the rest of the elements on the dashboard then show data for that domain only.<br />
<br />
=== IIS Webserver Referrer Detail Dashboard ===<br />
<br />
This dashboard shows referrer details. It also shows the top URLs, the referrers, the client IPs that requested each URL, and the server IP.<br />
<br />
==== Elements in the Dashboard are explained below : ====<br />
<br />
{| class="wikitable"<br />
|+ style="caption-side:bottom; color:#e76700;"|''IIS Webserver Referrer Detail Dashboard''<br />
|-<br />
|'''Visualization'''<br />
|'''Description'''<br />
|-<br />
|Contribution of Referrer<br />
|This pie chart shows contribution of different Referrers.<br />
|-<br />
|Contribution of URL<br />
|This pie chart shows contribution of different URLs.<br />
|-<br />
| Server IP wise Hits<br />
|X axis : Server IP<br/>Y axis : Count of request hits for that Server IP.<br />
|-<br />
| Client IP wise Hits<br />
|X axis : Client IP<br/>Y axis : Count of request hits for that Client IP.<br />
|-<br />
|Time trend<br />
|Trend of login events over time. Useful to identify unusual spikes at a glance.<br/><br/>X axis : date & time<br/>Y axis : count of events<br />
|-<br />
|Summary Table<br />
|Detailed data with timestamp and count<br />
<br />
|}<br />
<br />
==== Some suggestions for useful interaction with this dashboard could be : ====<br />
<br />
#In the pie chart "Contribution of Referrer", click and select any one referrer type. This isolates the count of hits for the selected type and also shows the server IP and accessed URL for that referrer type, reflected across the dashboard, i.e. the other pie charts, time trend and summary table show filtered information for this referrer type only.<br />
#Alternatively, in the graph "Client IP wise Hits", click and select any one client IP. This isolates the request hits and also shows the referrer and accessed URL for that client IP, reflected across the dashboard.<br />
<br />
=== IIS webserver loading delays Dashboard ===<br />
<br />
This dashboard shows the total time taken and the average time taken for each accessed URI and server IP.<br />
<br />
==== Elements in the Dashboard are explained below : ====<br />
<br />
{| class="wikitable"<br />
|+ style="caption-side:bottom; color:#e76700;"|''IIS webserver loading delays Dashboard ''<br />
|-<br />
|'''Visualization'''<br />
|'''Description'''<br />
|-<br />
|URL wise Total Time<br />
|X axis : URLs<br/>Y axis : total time taken and count of the most expensive requests for each URL.<br />
|-<br />
|Server IP Hits<br />
|X axis : Server IP<br/>Y axis : Count of request hits for that Server IP.<br />
|-<br />
| Contribution of Server IP<br />
|This pie chart shows contribution of each server IP.<br />
|-<br />
|Time trend<br />
|Trend of login events over time. Useful to identify unusual spikes at a glance.<br/><br/>X axis : date & time<br/>Y axis : count of events<br />
|-<br />
|Summary Table<br />
|Detailed data with timestamp and count<br />
<br />
|}<br />
<br />
==== Some suggestions for useful interaction with this dashboard could be : ====<br />
<br />
#In the bar graph "URL wise Total Time", click and select any one URL. The dashboard then shows the total time taken for the selected URL and the count of its most expensive requests, reflected across the dashboard, i.e. the other pie charts, time trend and summary table show filtered information for this URL only.<br />
#Alternatively, in the bar graph "Server IP Hits", click and select any one server IP; the rest of the elements on the dashboard then show data for that server IP only.<br />
<br />
=== IIS Webserver Avg Qtime Dashboard ===<br />
<br />
This dashboard shows the average time taken by each accessed URL and its query.<br />
<br />
==== Elements in the Dashboard are explained below : ====<br />
<br />
{| class="wikitable"<br />
|+ style="caption-side:bottom; color:#e76700;"|''IIS Webserver Avg Qtime Dashboard ''<br />
|-<br />
|'''Visualization'''<br />
|'''Description'''<br />
|-<br />
|URL wise Hits<br />
|X axis : URL names<br/>Y axis : Count of request hits for that URL.<br />
|-<br />
|Server IP Hits<br />
|X axis : Server IP<br/>Y axis : Count of request hits for that Server IP.<br />
|-<br />
| Contribution of Query<br />
|This pie chart shows contribution of different types of Query.<br />
|-<br />
|Time trend<br />
|Trend of login events over time. Useful to identify unusual spikes at a glance.<br/><br/>X axis : date & time<br/>Y axis : count of events<br />
|-<br />
|Summary Table<br />
|Detailed data with timestamp and count<br />
<br />
|}<br />
<br />
==== Some suggestions for useful interaction with this dashboard could be : ====<br />
<br />
#In the pie chart "Contribution of Query", select any one top query. This isolates the count of hits for the selected query and also the server IP for it across the dashboard.<br />
#In the bar graph "URL wise Hits", select any one URL. This isolates the count of request hits for the selected URL and also the query and server name for that URL across the dashboard, i.e. the other pie charts, time trend and summary table show filtered information for this URL only.<br />
<br />
=== KHIKA Alerts for IIS WebServer ===<br />
<br />
Alerts are generated in real time when certain critical behaviour is observed in the system. They are notified on the Alerts Dashboard in KHIKA and can also be received by email by the relevant stakeholders. The details of KHIKA Alerts are mentioned here <br />
Click on “Alert Dashboard” on the left menu.<br />
Certain alerts for Windows are pre-canned and shipped with KHIKA, keeping in mind the requirements of the users. They are listed in the table below :<br />
<br />
==== Alerts Description ====<br />
<br />
{| class="wikitable"<br />
|+ style="caption-side:bottom; color:#e76700;"|''Alert Details Table''<br />
|-<br />
|'''Alert Name'''<br />
|'''Description'''<br />
|'''Suggested Resolution'''<br />
|-<br />
|IIS communication with possible IOC or bad IP<br />
|This alert is triggered when malicious/bad IPs try to communicate with the IIS Webserver.<br />
|KHIKA shares community based threat intelligence (TI) every 24 hours. The TI has a list of IP addresses with bad reputation. Every bad IP is marked with the number of communities reporting it, the name of each community and a confidence value indicating how confident we are about the reputation. This alert is generated when communication with a bad IP is let through.<br />
If communication with a bad IP is happening, it must be blocked immediately as it could be a possible attack or data exfiltration. <br />
You can check how long this communication has been happening by simply searching for the malicious IP in the logs. You can also check which internal IP addresses are communicating with this IP address and track the real users behind those internal IP addresses.<br />
Cross-check the reputation of the IP with popular websites such as ipvoid.com and virustotal.com.<br />
If you see an internal IP constantly getting involved in malicious communication (with the same or multiple external IP addresses), you may install agents on the internal nodes involved and check the real user and process responsible for this communication.<br />
It is critical to block this rogue communication.<br />
|-<br />
|IIS dangerous content posted to webserver, files with executable extensions<br />
|This alert is triggered when any client tries to post dangerous files (files with executable extensions) to the webserver within one minute.<br />
|Dangerous content has been posted to the webserver: a client has posted potentially dangerous files such as executables, scripts, shared objects, etc.<br />
Kindly check the upload activity done by the user and verify the uploaded content for policy violation.<br />
|-<br />
|IIS multiple errors for same URL when it is not accessible<br />
|This alert is triggered when a client tries to access an invalid/unauthorized URL and gets multiple errors like 404, 405 etc. within one minute.<br />
|Multiple errors are being returned for the same URL.<br />
This kind of alert may occur due to an incorrect application URL, e.g. a user trying to access an invalid/non-authorized URL.<br />
Kindly check the legitimacy of the requesting users.<br />
|}</div>Dhanashree kulkarnihttp://khika.com/wiki/index.php?title=KHIKA_App_for_IIS_WebServer&diff=3064KHIKA App for IIS WebServer2020-04-07T07:03:09Z<p>Dhanashree kulkarni: /* Some suggestions for useful interaction with this dashboard could be : */</p>
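The three alert conditions in the table above (communication with a bad IP, executable files posted to the webserver, repeated errors for one URL within a minute), as an added worked example that is not KHIKA's own detection code: it parses constructed IIS W3C log lines and applies each rule. The threat-intelligence dict, the executable-extension set and the threshold of three errors per one-minute window are assumptions, not values from the page.

```python
"""Added example: the three KHIKA IIS alert rules over constructed IIS W3C log lines."""
import os
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log in IIS W3C extended format (not a real capture).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2020-04-07 07:00:01 10.0.0.5 GET /index.html - 80 - 203.0.113.7 Mozilla/5.0 - 200 0 0 12
2020-04-07 07:00:03 10.0.0.5 POST /upload/tool.exe - 80 alice 198.51.100.9 curl/7.64 - 201 0 0 40
2020-04-07 07:00:10 10.0.0.5 GET /admin/config.php - 80 - 192.0.2.44 python-requests/2.22 - 404 0 2 3
2020-04-07 07:00:11 10.0.0.5 GET /admin/config.php - 80 - 192.0.2.44 python-requests/2.22 - 404 0 2 3
2020-04-07 07:00:12 10.0.0.5 GET /admin/config.php - 80 - 192.0.2.44 python-requests/2.22 - 404 0 2 3
2020-04-07 07:00:13 10.0.0.5 PUT /admin/config.php - 80 - 192.0.2.44 python-requests/2.22 - 405 0 0 3
2020-04-07 07:02:30 10.0.0.5 GET /admin/config.php - 80 - 192.0.2.44 python-requests/2.22 - 404 0 2 3
2020-04-07 07:05:00 10.0.0.5 GET /index.html - 80 - 203.0.113.7 Mozilla/5.0 http://example.com/ 200 0 0 9
"""

# Constructed threat-intelligence feed (assumption): ip -> (communities reporting it, confidence %).
SAMPLE_TI = {"203.0.113.7": (3, 90)}

# Illustrative "executable extension" set (assumption, not KHIKA's list).
EXEC_EXTENSIONS = {".exe", ".dll", ".so", ".msi", ".scr", ".ps1", ".bat", ".cmd", ".vbs", ".sh"}


def parse_iis_w3c(text):
    """Parse IIS W3C extended log text into dicts keyed by the names in the #Fields directive."""
    fields, events = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # column layout can change mid-file; honour the latest
            continue
        if not line or line.startswith("#"):
            continue                           # #Software, #Version, #Date carry no events
        values = line.split()
        if fields is None or len(values) != len(fields):
            continue                           # skip malformed rows instead of mis-assigning columns
        ev = dict(zip(fields, values))
        ev["ts"] = datetime.strptime(ev["date"] + " " + ev["time"], "%Y-%m-%d %H:%M:%S")
        events.append(ev)
    return events


def detect_bad_ip(events, ti):
    """Alert 1: a request whose client IP is on the TI list, with the TI evidence attached."""
    hits = []
    for ev in events:
        if ev["c-ip"] in ti:
            communities, confidence = ti[ev["c-ip"]]
            hits.append({"ts": ev["ts"], "c-ip": ev["c-ip"], "uri": ev["cs-uri-stem"],
                         "communities": communities, "confidence": confidence})
    return hits


def detect_dangerous_upload(events):
    """Alert 2: a POST/PUT whose target file name carries an executable extension."""
    hits = []
    for ev in events:
        ext = os.path.splitext(ev["cs-uri-stem"].lower())[1]
        if ev["cs-method"] in ("POST", "PUT") and ext in EXEC_EXTENSIONS:
            hits.append({"ts": ev["ts"], "c-ip": ev["c-ip"], "user": ev["cs-username"],
                         "uri": ev["cs-uri-stem"], "status": ev["sc-status"]})
    return hits


def detect_repeated_errors(events, threshold=3, window=timedelta(minutes=1)):
    """Alert 3: at least `threshold` 4xx responses for the same client/URL pair inside
    any sliding one-minute window. The threshold of 3 is an assumption."""
    by_key = defaultdict(list)
    for ev in events:
        if ev["sc-status"].startswith("4"):
            by_key[(ev["c-ip"], ev["cs-uri-stem"])].append(ev["ts"])
    hits = []
    for (cip, uri), times in by_key.items():
        times.sort()
        best, start = 0, 0
        for end in range(len(times)):
            while times[end] - times[start] > window:   # shrink the window from the left
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            hits.append({"c-ip": cip, "uri": uri, "errors_in_window": best})
    return hits


def run_alerts(text, ti):
    """Parse once and evaluate all three alert rules; returns a dict keyed by alert name."""
    events = parse_iis_w3c(text)
    return {"bad_ip": detect_bad_ip(events, ti),
            "dangerous_upload": detect_dangerous_upload(events),
            "repeated_errors": detect_repeated_errors(events)}


if __name__ == "__main__":
    for name, hits in run_alerts(SAMPLE_LOG, SAMPLE_TI).items():
        print(name, hits)
```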
<hr />
<div>== Introduction ==<br />
<br />
IIS webserver logs hold valuable information such as each client's activity and communication. KHIKA visual analytics make it simpler to identify and pinpoint where risks are introduced, so you can take preventive measures accordingly. The KHIKA App for IIS webserver aims to give you insights into behaviour, errors and traffic.<br />
<br />
With KHIKA App for IIS webserver, you can :<br />
*Monitor hundreds of IIS servers at a central place.<br />
*Monitor and see the http error trends.<br />
*Monitor top n URLs serviced / requested and their statistics.<br />
*See user wise request distribution on your servers.<br />
<br />
Below we explain the steps to configure KHIKA App for IIS Webserver and interpret its output.<br />
<br />
The key steps are: <br />
#Install the KHIKA App for IIS Webserver<br />
#Get data from your IIS Webserver into KHIKA Aggregator<br />
<br />
== How to Install the KHIKA App for IIS WebServer? ==<br />
<br />
The section assumes that you have already configured KHIKA Data Aggregator in your environment. If not, please read [[Getting Started with KHIKA SaaS#Installing and configuring KHIKA Data Aggregator|how to configure KHIKA Data Aggregator]] and perform the pre-requisite steps.<br />
<br />
This section explains how to pick and install the KHIKA application for IIS Webserver. Installing the application puts together and activates the adapter (parser) that handles the Windows data format, along with the preconfigured dashboards and alert rules. <br />
<br />
Go to “Applications” tab in the “Configure” menu. <br />
<br />
[[File:node.jpg|500px]]<br />
<br />
Check whether the appropriate Workspace is selected.<br />
Note: An Application is always loaded in a Workspace. Read the section on [[Accessing the KHIKA Gui#Creating a Workspace|Workspaces]] to know more about KHIKA Workspaces.<br />
Also select your KHIKA aggregator name in the Node dropdown. <br />
This ensures that we collect data from the desired source into the correct workspace, which is ready with the configured application and components.<br />
<br />
[[File:install_app.jpg|500px]]<br />
<br />
Click on the “+” button next to the IIS WebServer App. A pop up appears.<br />
<br />
[[File:install_app1.jpg|500px]]<br />
<br />
You can now select the contents of the application required. For example, click on the dropdown for “Reports” to expand it; the list of all reports can be seen. Select the reports required individually by ticking the checkbox next to each, or tick the “Select All” option to get all of them. <br />
Similarly you can select contents from Alerts and Dashboards.<br/><br />
<br />
[[KHIKA Reports|What are KHIKA Reports]]<br/><br />
<br />
[[KHIKA Dashboards|What are KHIKA Dashboards]]<br/><br />
<br />
[[KHIKA Alerts & Correlations|What are KHIKA Alerts]]<br/><br />
<br />
Click “Install” to proceed with the installation of the selected Application. <br />
If you have created multiple IIS webserver workspaces in KHIKA and installed the app previously, you will get the pop up below. <br />
<br />
[[File:App_alredy.JPG|500px]]<br />
<br />
Click on OK to proceed. If this is not the case, ignore this step. <br />
After successful installation, following status should be displayed. <br />
<br />
[[File:install_status.jpg|500px]]<br />
<br />
Click on the Close button.<br />
This simple procedure to install a KHIKA App automatically configures the Adapter (required for parsing the data from raw syslogs), the calculated KHIKA reports on raw data, Visualizations, Dashboards and Alerts – all in one click.<br />
<br />
== How to get your IIS WebServer data into KHIKA ? ==<br />
<br />
KHIKA recommends the popular open source OSSEC integration to monitor IIS Webservers. <br />
There are 2 components in the OSSEC integration with KHIKA. <br />
#OSSEC Agent – installed on each server which we wish to monitor<br />
#OSSEC Server – present on the KHIKA Data Aggregator (which you have installed before)<br />
<br />
The OSSEC agent and server communicate with each other using a unique key for encryption. <br />
The main steps to start getting data from an IIS Webserver are :<br />
#Add the webserver details in KHIKA<br />
#Extract a unique key for this device from KHIKA<br />
#Install the OSSEC Agent on the Webserver<br />
#Insert this key in the OSSEC agent (i.e. on your Webserver to be monitored)<br />
#Reload Configuration in KHIKA<br />
#Verify data collection in KHIKA<br />
<br />
Each of these steps is explained in detail in the further sections.<br />
<br />
== Adding the device in the KHIKA ==<br />
<br />
Go to Adapter tab, from the “Configure” menu. Click on the “Manage Devices” icon. <br />
<br />
[[File:iis_manage_device_1.jpg|500px]]<br />
<br />
A pop up appears for device details. <br />
<br />
[[File:Win7.jpg|500px]]<br />
<br />
Click on “Add / Modify Device” tab. Another pop up appears for device details.<br />
<br />
[[File:list_device_11.jpg|500px]]<br />
<br />
Enter the expected device name. Also, in the field for IP address, enter “any”. <br />
'''Please note : Always enter the IP Address as “any”.''' This is a safe and sure option to establish a connection with the server: we are telling the OSSEC agent to use “any” of its configured IPs to connect with the OSSEC Server. The device may have multiple NIC cards/IP addresses, and unless we are sure which IP will be used for the connection, the connection will fail. Hence, use “any”.<br />
<br />
Select the appropriate time zone of this device. In the “Node” field dropdown, select the name of the Aggregator or local data collector for this device. <br />
Click on Submit. We get a success message and the device is added successfully to this adaptor. <br />
<br />
[[File:iis_adding_device.jpg|500px]]<br />
<br />
Finally, go to Workspace tab and click on “Apply Configuration” icon.<br />
<br />
[[File:iis_10_1.jpg|500px]]<br />
<br />
We get a confirmation message here too, saying, “Changes Applied”<br />
<br />
== Extract key from KHIKA OSSEC Server ==<br />
<br />
Now the expected server is added in the relevant KHIKA Adapter, the parser that will parse this data type. To see this device entry, click on the “Manage Devices” icon next to the adaptor.<br />
<br />
[[File:iis_manage_device_1.jpg|500px]]<br />
<br />
A pop up with device details of the adaptor appears. Select “List of Devices” tab.<br />
<br />
[[File:iis_12.jpg|500px]]<br />
<br />
Click on the “Get OSSEC Key” icon next to this device. <br />
<br />
[[File:get_ossec_key_1.jpg|500px]]<br />
<br />
[[File:iis_extract_key.jpg|500px]]<br />
<br />
This is the unique key for this device created by the OSSEC server. Paste this key in the Ossec agent which is installed on this Webserver.<br />
<br />
== Installing OSSEC Agent for IIS WebServer ==<br />
<br />
Download [https://goo.gl/86gRQL Windows Ossec Agent from here].<br><br />
For IIS Webserver you will need to select the Windows installer with filename '''ossec-win32-agent.zip'''. This works for both 32-bit and 64-bit Windows Server OS versions.<br />
<br />
Copy the downloaded installer to your Webserver (using WinSCP or your favourite scp client) and run the installer as the local "Admin" on the Server. <br />
Please Note : It is extremely important to install the OSSEC agent with admin privileges, as this agent reads the security logs and, in order to read them successfully, it has to run as the local Admin.<br />
Select the installer file and press "Run"<br />
<br />
[[File:Win15.jpg|500px]]<br />
<br />
Click Next<br />
<br />
[[File:Win16.jpg|500px]]<br />
<br />
Select "I Agree" and proceed<br />
<br />
[[File:Win17.jpg|500px]]<br />
<br />
Keep the default selection in the next window and click Next<br />
<br />
[[File:Win18.jpg|500px]]<br />
<br />
Enter the location to install the OSSEC agent on the local drive and let the installation complete<br />
<br />
[[File:Win19.jpg|500px]]<br />
<br />
After the installation is complete, verify that the OSSEC HIDS Service is successfully installed on your WebServer. (Go to your Service Control Panel and check for OSSEC HIDS Service)<br />
<br />
[[File:Win20.jpg|500px]]<br />
<br />
NOTE :- You will have to repeat these steps on each Webserver that you wish to monitor using KHIKA.<br />
<br />
== Insert unique OSSEC key in Windows OSSEC Agent ==<br />
<br />
Perform following simple steps on the Agent on your Webserver : <br />
In the OSSEC Agent installation directory, run win32ui.exe as Administrator to open up a window as shown below.<br />
<br />
[[File:Win21.jpg|500px]]<br />
<br />
In the field “OSSEC Server IP”, enter the IP Address of the KHIKA data aggregator or collector node, paste the copied key (generated by the OSSEC server above) in the box against "Authentication key" and click Save. <br />
From the "Manage" drop-down, select "Restart" to restart the OSSEC Agent. Click on the Refresh button at the bottom next to Save.<br />
<br />
[[File:Win22.jpg|500px]]<br />
<br />
Wait for a few minutes. Repeat above steps for all the agents to be added.<br />
<br />
== Reload Configuration ==<br />
<br />
Login into the KHIKA portal. <br />
*Go to Configure<br />
*Select workspace, here IIS_WebServer (or whatever you have named your workspace)<br />
*Go to Node Tab <br />
*Click Reload Config<br />
<br />
[[File:reload_conf.jpg|500px]]<br />
<br />
This step restarts the OSSEC Server.<br />
Wait for a few minutes for the server to restart.<br />
<br />
== Verifying OSSEC data collection ==<br />
<br />
Once the device is added successfully, we can check the data for this device on Discover screen. Go to “Discover” from the main menu. <br />
Select the appropriate index for the same. Raw (khika formatted) data of all your Webservers added is seen here. <br />
<br />
[[File:Win24.jpg|500px]]<br />
<br />
To see the data for our newly added device, enter the search string in lower case – <br />
tl_src_host : name_of_the_device_added_in_lower_case <br />
and click on the search icon.<br />
<br />
== How to check the output of KHIKA IIS WebServer App ? ==<br />
<br />
<br />
=== IIS Webserver Http Error Status Dashboard ===<br />
<br />
This dashboard shows information about the HTTP status codes for accessed URLs. It also shows the top 10 most accessed URLs, the server IP and the HTTP status code. <br />
<br />
==== Elements in the Dashboard are explained below : ====<br />
<br />
{| class="wikitable"<br />
|+ style="caption-side:bottom; color:#e76700;"|''IIS Webserver Http Error Status Dashboard''<br />
|-<br />
|'''Visualization'''<br />
|'''Description'''<br />
|-<br />
|Server IP wise Status<br />
|X axis : Server IPs<br/>Y axis : HTTP status codes (200, 400, 404, etc.) returned by each server IP.<br />
|-<br />
|Client IP wise Status<br />
|X axis : Client IPs<br/>Y axis : HTTP status codes (200, 400, 404, 504, etc.) received by each client IP.<br />
|-<br />
|Time trend<br />
|Trend of login events over time. Useful to identify unusual spikes at a glance.<br/><br/>X axis : date & time<br/>Y axis : count of events<br />
|-<br />
|Summary Table<br />
|Detailed data with timestamp and count<br />
<br />
|}<br />
<br />
==== Some suggestions for useful interaction with this dashboard could be : ====<br />
<br />
#In the graph "Server IP wise Status", click and select any one server IP. This isolates the respective status codes and URLs accessed for the selected server IP and is reflected across the dashboard, i.e. the other pie charts, time trend and summary table show filtered information for this server IP only.<br />
#Alternatively, in the graph "Client IP wise Status", click and select any one client IP. This isolates the respective status codes and URLs accessed for the selected client IP and is reflected across the dashboard.<br />
<br />
=== IIS Webserver Top N URL Dashboard ===<br />
<br />
This dashboard shows the top n requested URLs and their information. It also gives details about the domain and the top hits on each server. <br />
<br />
==== Elements in the Dashboard are explained below : ====<br />
<br />
{| class="wikitable"<br />
|+ style="caption-side:bottom; color:#e76700;"|''IIS Webserver Top N URL Dashboard''<br />
|-<br />
|'''Visualization'''<br />
|'''Description'''<br />
|-<br />
|Contribution of URL<br />
|This pie chart shows the different URLs accessed on the server.<br />
|-<br />
|Server Name wise Hits<br />
|X axis : Names of Server<br/>Y axis : Count of such request hits for each server.<br />
|-<br />
|Time trend<br />
|Trend of login events over time. Useful to identify unusual spikes at a glance.<br/><br/>X axis : date & time<br/>Y axis : count of events<br />
|-<br />
|Contribution of Domain<br />
|This pie chart shows different types of domain.<br />
|-<br />
|Summary Table<br />
|Detailed data with timestamp and count<br />
<br />
|}<br />
<br />
==== Some suggestions for useful interaction with this dashboard could be : ====<br />
<br />
#On the pie chart "Contribution of URL", select any one URL. This shows the number of hits for the requested URL, along with the server names and domain for the selected URL, across the dashboard for that URL only, making it easier to analyse. <br />
#In the "Contribution of Domain" pie, click on any one domain; a filter is applied on the selected domain, and the rest of the elements on the dashboard then show data for that domain only, such as the URLs for this domain, the server name, etc.<br />
<br />
=== IIS Webserver Total Request Per User Dashboard ===<br />
<br />
This dashboard shows detailed information on users and the URLs requested by them.<br />
<br />
==== Elements in the Dashboard are explained below : ====<br />
<br />
{| class="wikitable"<br />
|+ style="caption-side:bottom; color:#e76700;"|''IIS Webserver Total Request Per User Dashboard''<br />
|-<br />
|'''Visualization'''<br />
|'''Description'''<br />
|-<br />
|Contribution of Server Name<br />
|This pie chart shows contribution of servers.<br />
|-<br />
|User wise Request<br />
|X axis : one or more user<br/>Y axis : Count of request hits for that user.<br />
|-<br />
|Time trend<br />
|Trend of login events over time. Useful to identify unusual spikes at a glance.<br/><br/>X axis : date & time<br/>Y axis : count of events<br />
|-<br />
|Summary Table<br />
|Detailed data with timestamp and count<br />
<br />
|}<br />
<br />
==== Some suggestions for useful interaction with this dashboard could be : ====<br />
<br />
#In the graph "User wise Request", click and select any one user. This isolates the requested hits for the selected user and is reflected across the dashboard, i.e. the other pie charts, time trend and summary table show filtered information for this user only.<br />
#In the pie "Contribution of Server Name", click and select any one server name. This isolates the respective users and requested hits for that server name and is reflected across the dashboard.<br />
<br />
=== IIS Webserver Traffic Categorization Dashboard ===<br />
<br />
This dashboard shows traffic categorization such as DIRECT or REFERRED. It also shows the category per server IP, the top URLs and the servers.<br />
<br />
==== Elements in the Dashboard are explained below : ====<br />
<br />
{| class="wikitable"<br />
|+ style="caption-side:bottom; color:#e76700;"|''IIS Webserver Traffic Categorization Dashboard''<br />
|-<br />
|'''Visualization'''<br />
|'''Description'''<br />
|-<br />
|Server IP wise Category<br />
|X axis : Server IPs<br/>Y axis : count of events per Category.<br />
|-<br />
|Client IP wise Referrer<br />
|X axis : Client IPs<br/>Y axis : count of events per Referrer.<br />
|-<br />
|Contribution of URL<br />
|This pie chart shows contribution of different types of URL.<br />
|-<br />
|Contribution of Category<br />
|This pie chart shows contribution of different types of Category.<br />
|-<br />
|Contribution of Referrer<br />
|This pie chart shows contribution of different types of Referrer.<br />
|-<br />
|Time trend<br />
|Trend of login events over time. Useful to identify unusual spikes at a glance.<br/><br/>X axis : date & time <br/>Y axis : count of events<br />
|-<br />
|Summary Table<br />
|Detailed data with timestamp and count<br />
<br />
|}<br />
<br />
==== Some suggestions for useful interaction with this dashboard could be : ====<br />
#On the bar graph "Server IP wise Category" select any one server IP. This shall isolate respective category and its count for selected server IP and also domain and accessed URL for that server IP across the dashboard. i.e the other pie charts, time trends and summary table shall show filtered information for this server IP only. <br />
#Inversely, In the bar graph "Client IP wise Referrer", click on the any one client IP to select and rest of the elements on the dashboard then show data for that client IP only.<br />
<br />
=== IIS Webserver Top N Referrers Dashboard ===<br />
<br />
This Dashboard shows the top referrers. Also gives the details of domain and top hits on server.<br />
<br />
==== Elements in the Dashboard are explained below : ====<br />
<br />
{| class="wikitable"<br />
|+ style="caption-side:bottom; color:#e76700;"|''IIS Webserver Top N Referrers Dashboard''<br />
|-<br />
|'''Visualization'''<br />
|'''Description'''<br />
|-<br />
|Contribution of Domain<br />
|This pie chart shows contribution of different types of Domain.<br />
|-<br />
|Server Name wise Hits<br />
|X axis : Server Names<br/> Y axis :Server name wise hits.<br />
|-<br />
|Contribution of Referrer<br />
|This pie chart shows contribution of different types of Referrers.<br />
|-<br />
|Time trend<br />
|Trend of login events over time. Useful to identify unusual spikes at a glance.<br/><br/>X axis : date & time<br/>Y axis : count of events<br />
|-<br />
|Summary Table<br />
|Detailed data with timestamp and count<br />
<br />
|}<br />
<br />
==== Some suggestions for useful interaction with this dashboard could be : ====<br />
<br />
#On the bar graph "Contribution of referrer" select any one. This shall isolate count of requested hits for selected referrer and also shows domain and server name for selected referrer across the dashboard. i.e the other pie charts, time trends and summary table shall show filtered information for this referrer only. <br />
#Inversely, In the "Contribution of Domain" pie, click on the any one domain to select and rest of the elements on the dashboard then show data for that domain only.<br />
<br />
=== IIS Webserver Referrer Detail Dashboard ===<br />
<br />
This dashboard shows referrer details. Also it shows top URL's, Referrer, client IP, which are requested for URL and server IP.<br />
<br />
==== Elements in the Dashboard are explained below : ====<br />
<br />
{| class="wikitable"<br />
|+ style="caption-side:bottom; color:#e76700;"|''IIS Webserver Referrer Detail Dashboard''<br />
|-<br />
|'''Visualization'''<br />
|'''Description'''<br />
|-<br />
|Contribution of Referrer<br />
|This pie chart shows contribution of different Referrers.<br />
|-<br />
|Contribution of URL<br />
|This pie chart shows contribution of different URLs .<br />
|-<br />
| Server IP wise Hits<br />
|X axis : Server IP<br/>Y axis : Count of request hits for that Server IP.<br />
|-<br />
| Client IP wise Hits<br />
|X axis : Client IP<br/>Y axis : Count of request hits for that Client IP.<br />
|-<br />
|Time trend<br />
|Trend of login events over time. Useful to identify unusual spikes at a glance.<br/><br/>X axis : date & time<br/>Y axis : count of events<br />
|-<br />
|Summary Table<br />
|Detailed data with timestamp and count<br />
<br />
|}<br />
<br />
==== Some suggestions for useful interaction with this dashboard could be : ====<br />
<br />
#In the pie chart "Contribution of Referrer" click and select any one referrer type.This shall isolate count of hits for that selected type and also shows server IP and accessed URL for that referrer type reflected across the dashboard. i.e the other pie charts, time trends and summary table shall show filtered information for this referrer type only.<br />
#Alternatively, in the graph "Client IP wise Hits" click and select any one client IP. This shall isolate request hits and also shows referrer and accessed URL for that client IP reflected across the dashboard.<br />
<br />
=== IIS webserver loading delays Dashboard ===<br />
<br />
This dashboard shows the information about total time taken ,average time taken for accessed URI ,server IP.<br />
<br />
==== Elements in the Dashboard are explained below : ====<br />
<br />
{| class="wikitable"<br />
|+ style="caption-side:bottom; color:#e76700;"|''IIS webserver loading delays Dashboard ''<br />
|-<br />
|'''Visualization'''<br />
|'''Description'''<br />
|-<br />
|URL wise Total Time<br />
|X axis : URL's<br/>Y axis : Total time required and count of most expensive request for particular URL.<br />
|-<br />
|Server IP Hits<br />
|X axis : Server IP<br/>Y axis : Count of request hits for that Server IP.<br />
|-<br />
| Contribution of Server IP<br />
|This pie chart shows contribution of different types of server IP.<br />
|-<br />
|Time trend<br />
|Trend of login events over time. Useful to identify unusual spikes at a glance.<br/><br/>X axis : date & time<br/>Y axis : count of events<br />
|-<br />
|Summary Table<br />
|Detailed data with timestamp and count<br />
<br />
|}<br />
<br />
==== Some suggestions for useful interaction with this dashboard could be : ====<br />
<br />
#In the bar graph "URL wise Total Time" click and select any one URL. The dashboard shall show total time required for that selected URL, count of most expensive request for that URL and reflected across the dashboard. i.e the other pie charts, time trends and summary table shall show filtered information for this URL only.<br />
#Alternatively, in the bar graph "Server IP Hits" click and select any one server IP. Click on the any one server IP to select and rest of the elements on the dashboard then show data for that server IP only.<br />
<br />
=== IIS Webserver Avg Qtime Dashboard ===<br />
<br />
This Dashboard shows the average time taken by accessed URL and it's query. <br />
<br />
==== Elements in the Dashboard are explained below : ====<br />
<br />
{| class="wikitable"<br />
|+ style="caption-side:bottom; color:#e76700;"|''IIS Webserver Avg Qtime Dashboard ''<br />
|-<br />
|'''Visualization'''<br />
|'''Description'''<br />
|-<br />
|URL wise Hits<br />
|X axis : URL names<br/>Y axis : Count of request hits for that URL.<br />
|-<br />
|Server IP Hits<br />
|X axis : Server IP<br/>Y axis : Count of request hits for that Server IP.<br />
|-<br />
| Contribution of Query<br />
|This pie chart shows contribution of different types of Query.<br />
|-<br />
|Time trend<br />
|Trend of events over time. Useful to identify unusual spikes at a glance.<br/><br/>X axis : date & time<br/>Y axis : count of events<br />
|-<br />
|Summary Table<br />
|Detailed data with timestamp and count<br />
<br />
|}<br />
<br />
==== Some suggestions for useful interaction with this dashboard could be : ====<br />
<br />
#In the pie chart "Contribution of Query" select any one top query. This isolates the count of hits and the server IPs for the selected query across the dashboard.<br />
#In the bar graph "URL wise Hits" select any one URL. This isolates the count of request hits, the queries and the server names for the selected URL across the dashboard, i.e. the other pie charts, time trends and summary table show filtered information for this URL only.<br />
<br />
=== KHIKA Alerts for IIS WebServer ===<br />
<br />
Alerts are generated when certain critical behaviour is observed in the system in real time. They are notified on the Alerts Dashboard in KHIKA and can also be received by email by the relevant stakeholders. The details of KHIKA Alerts are mentioned here.<br />
Click on “Alert Dashboard” on the left menu.<br />
Certain alerts for Windows are pre-canned and shipped with KHIKA, keeping in mind the requirements of the users. They are mentioned in the table below :<br />
<br />
==== Alerts Description ====<br />
<br />
{| class="wikitable"<br />
|+ style="caption-side:bottom; color:#e76700;"|''Alert Details Table''<br />
|-<br />
|'''Alert Name'''<br />
|'''Description'''<br />
|'''Suggested Resolution'''<br />
|-<br />
|IIS communication with possible IOC or bad IP<br />
|This alert is triggered when malicious (bad) IPs try to communicate with the IIS Webserver.<br />
|KHIKA shares community based threat intelligence (TI) every 24 hours. The TI is a list of IP addresses with bad reputation. Every bad IP is marked with the number of communities reporting it, the name of each community and a confidence score indicating how confident we are about the reputation. This alert is generated when communication with a bad IP is let through.<br />
If communication with a bad IP is happening, it must be blocked immediately as it could be a possible attack or data exfiltration.<br />
You can check how long this communication has been happening by simply searching for the malicious IP in the logs. You can also check which internal IP addresses are communicating with this IP address and track the real users behind those internal IP addresses.<br />
Cross-check the reputation of the IP with popular websites such as ipvoid.com, virustotal.com.<br />
If you see an internal IP constantly getting involved in malicious communication (with the same or multiple external IP addresses), you may install agents on the internal nodes involved and check the real user and process responsible for this communication.<br />
It is critical to block this rogue communication.<br />
|-<br />
|IIS dangerous content posted to webserver, files with executable extensions<br />
|This alert is triggered when any client posts potentially dangerous files to the webserver within one minute.<br />
|Dangerous content has been posted to the webserver. The user has posted potentially dangerous files such as executables, scripts, shared objects, etc. to the webserver.<br />
Kindly check the upload activity of the user and verify the uploaded content for policy violation.<br />
|-<br />
|IIS multiple errors for same URL when it is not accessible<br />
|This alert is triggered when a client tries to access an invalid/unauthorized URL and gets multiple errors such as 404, 405, etc. within one minute.<br />
|Multiple errors are being returned for the same URL.<br />
This kind of alert may occur due to an incorrect application URL, e.g. a user trying to access an invalid/non-authorized URL.<br />
Kindly check the legitimacy of the requesting users.<br />
|}</div>Dhanashree kulkarnihttp://khika.com/wiki/index.php?title=KHIKA_App_for_IIS_WebServer&diff=3063KHIKA App for IIS WebServer2020-04-07T06:59:23Z<p>Dhanashree kulkarni: /* Reload Configuration */</p>
<hr />
<div>== Introduction ==<br />
<br />
IIS webserver logs contain valuable information such as each client's activity and communication. KHIKA visual analytics make it simpler to identify and pinpoint where risks are introduced, so you can take preventive measures accordingly. The KHIKA app for IIS webserver aims to give you insights into behaviour, errors and traffic.<br />
<br />
With KHIKA App for IIS webserver, you can :<br />
*Monitor hundreds of IIS servers at a central place.<br />
*Monitor and see the HTTP error trends.<br />
*Monitor the top N URLs serviced / requested and their statistics.<br />
*See the user wise request distribution on your servers.<br />
<br />
We explain below the steps to configure and interpret the output of the KHIKA App for IIS Webserver.<br />
<br />
The key steps are:<br />
#Install the KHIKA App for IIS Webserver<br />
#Get data from your IIS Webserver into KHIKA Aggregator<br />
<br />
== How to Install the KHIKA App for IIS WebServer? ==<br />
<br />
This section assumes that you have already configured the KHIKA Data Aggregator in your environment. If not, please read [[Getting Started with KHIKA SaaS#Installing and configuring KHIKA Data Aggregator|how to configure KHIKA Data Aggregator]] and perform the pre-requisite steps.<br />
<br />
This section explains how to pick and install the KHIKA application for IIS Webserver. Installing the application assembles and activates the adapter (parser) that can handle the Windows data format, together with the preconfigured dashboards and alert rules.<br />
<br />
Go to “Applications” tab in the “Configure” menu. <br />
<br />
[[File:node.jpg|500px]]<br />
<br />
Check whether the appropriate Workspace is selected.<br />
Note: An application is always loaded into a Workspace. Read the section on [[Accessing the KHIKA Gui#Creating a Workspace|Workspaces]] to know more about KHIKA Workspaces.<br />
Also select your KHIKA aggregator name in the Node dropdown.<br />
This ensures that we collect data from the desired source into the correct workspace, which is ready with the configured application and components.<br />
<br />
[[File:install_app.jpg|500px]]<br />
<br />
Click on the “+” button next to the IIS WebServer App. A pop up appears.<br />
<br />
[[File:install_app1.jpg|500px]]<br />
<br />
You can now select the contents of the application required. For example, click on the dropdown for “Reports” to expand it; a list of all reports is shown. Select the reports required individually by checking the checkbox next to each, or check the “Select All” option to get all of them.<br />
Similarly you can select contents from Alerts and Dashboards.</br><br />
<br />
[[KHIKA Reports|What are KHIKA Reports]]</br><br />
<br />
[[KHIKA Dashboards|What are KHIKA Dashboards]]</br><br />
<br />
[[KHIKA Alerts & Correlations|What are KHIKA Alerts]]</br><br />
<br />
Click “Install” to proceed with the installation of the selected Application.<br />
If you have created multiple IIS webserver workspaces in KHIKA and installed the app previously, you will get the pop up below.<br />
<br />
[[File:App_alredy.JPG|500px]]<br />
<br />
Click on OK to proceed. If this is not the case, ignore this step.<br />
After successful installation, the following status should be displayed.<br />
<br />
[[File:install_status.jpg|500px]]<br />
<br />
Click on Close button.<br />
This simple procedure to install a KHIKA App automatically configures the Adapter (required for parsing the data from raw syslogs), the KHIKA reports calculated on raw data, Visualizations, Dashboards and Alerts – all in one click.<br />
<br />
== How to get your IIS WebServer data into KHIKA ? ==<br />
<br />
KHIKA recommends the popular open source OSSEC integration to monitor IIS Webservers.<br />
There are 2 components in the OSSEC integration with KHIKA.<br />
#OSSEC Agent – installed on each server which we wish to monitor<br />
#OSSEC Server – present on the KHIKA Data Aggregator (which you have installed before)<br />
<br />
The OSSEC agent and server communicate with each other using a unique key for encryption.<br />
The main steps to start getting data from an IIS Webserver are :<br />
#Add the webserver details in KHIKA<br />
#Extract a unique key for this device from KHIKA<br />
#Install the OSSEC Agent on the Webserver<br />
#Insert this key in the OSSEC agent (i.e. on the Webserver to be monitored)<br />
#Reload Configuration in KHIKA<br />
#Verify data collection in KHIKA<br />
<br />
Each of these steps is explained in detail in the further sections.<br />
<br />
== Adding the device in the KHIKA ==<br />
<br />
Go to the Adapter tab from the “Configure” menu. Click on the “Manage Devices” icon.<br />
<br />
[[File:iis_manage_device_1.jpg|500px]]<br />
<br />
A pop up appears for device details.<br />
<br />
[[File:Win7.jpg|500px]]<br />
<br />
Click on “Add / Modify Device” tab. Another pop up appears for device details.<br />
<br />
[[File:list_device_11.jpg|500px]]<br />
<br />
Enter the expected device name. Also, in the field for IP address, enter “any”.<br />
'''Please note : Always enter the IP Address as “any”.''' This is the safe and sure option to establish a connection with the server: it tells the OSSEC agent to use “any” of its configured IPs to connect with the OSSEC Server. The device may have multiple NIC cards/IP addresses, and unless we are sure which IP will be used for the connection, the connection will fail. Hence, use “any”.<br />
<br />
Select the appropriate time zone of this device. In the “Node” field dropdown, select the name of the Aggregator or local data collector for this device.<br />
Click on Submit. A success message confirms that the device has been added to this adapter.<br />
<br />
[[File:iis_adding_device.jpg|500px]]<br />
<br />
Finally, go to Workspace tab and click on “Apply Configuration” icon.<br />
<br />
[[File:iis_10_1.jpg|500px]]<br />
<br />
We get a confirmation message here too, saying “Changes Applied”.<br />
<br />
== Extract key from KHIKA OSSEC Server ==<br />
<br />
Now the expected server is added in the relevant KHIKA Adapter, i.e. the parser that will parse this data type. To see this device entry, click on the “Manage Devices” icon next to the adapter.<br />
<br />
[[File:iis_manage_device_1.jpg|500px]]<br />
<br />
A pop up with the device details of the adapter appears. Select the “List of Devices” tab.<br />
<br />
[[File:iis_12.jpg|500px]]<br />
<br />
Click on the “Get OSSEC Key” icon next to this device. <br />
<br />
[[File:get_ossec_key_1.jpg|500px]]<br />
<br />
[[File:iis_extract_key.jpg|500px]]<br />
<br />
This is the unique key for this device created by the OSSEC server. Paste this key into the OSSEC agent installed on this Webserver.<br />
<br />
== Installing OSSEC Agent for IIS WebServer ==<br />
<br />
Download [https://goo.gl/86gRQL Windows Ossec Agent from here].<br><br />
For the IIS Webserver you will need to select the Windows installer with filename '''ossec-win32-agent.zip'''. This works for both 32-bit and 64-bit Windows Server OS versions.<br />
<br />
Copy the downloaded installer to your Webserver (using WinSCP or your favourite scp client) and run the installer as the local "Admin" on the Server.<br />
Please Note : It is extremely important to install the OSSEC agent with admin privileges, as this agent reads the security logs and has to be the local Admin in order to read them successfully.<br />
Select the installer file and press "Run".<br />
<br />
[[File:Win15.jpg|500px]]<br />
<br />
Click Next<br />
<br />
[[File:Win16.jpg|500px]]<br />
<br />
Select "I Agree" and proceed<br />
<br />
[[File:Win17.jpg|500px]]<br />
<br />
Keep the default selection in the next window and click Next<br />
<br />
[[File:Win18.jpg|500px]]<br />
<br />
Enter the location to install the OSSEC agent on the local drive and let the installation complete.<br />
<br />
[[File:Win19.jpg|500px]]<br />
<br />
After the installation is complete, verify that the OSSEC HIDS Service is successfully installed on your WebServer (go to the Services control panel and check for the OSSEC HIDS Service).<br />
<br />
[[File:Win20.jpg|500px]]<br />
<br />
NOTE :- You will have to repeat these steps on each Webserver that you wish to monitor using KHIKA.<br />
<br />
== Insert unique OSSEC key in Windows OSSEC Agent ==<br />
<br />
Perform the following simple steps on the Agent on your Webserver :<br />
In the OSSEC Agent installation directory, run win32ui.exe as Administrator to open the window shown below.<br />
<br />
[[File:Win21.jpg|500px]]<br />
<br />
In the field “OSSEC Server IP”, enter the IP Address of the KHIKA data aggregator or collector node, paste the copied key (generated by the OSSEC server above) in the box against "Authentication key" and click Save.<br />
From the "Manage" drop-down, select "Restart" to restart the OSSEC Agent. Click on the Refresh button at the bottom next to Save.<br />
<br />
[[File:Win22.jpg|500px]]<br />
<br />
Wait for a few minutes. Repeat the above steps for all the agents to be added.<br />
<br />
== Reload Configuration ==<br />
<br />
Log in to the KHIKA portal.<br />
*Go to Configure<br />
*Select workspace, here IIS_WebServer (or whatever you have named your workspace)<br />
*Go to Node Tab <br />
*Click Reload Config<br />
<br />
[[File:reload_conf.jpg|500px]]<br />
<br />
This step restarts the OSSEC Server.<br />
Wait for a few minutes for the server to restart.<br />
<br />
== Verifying OSSEC data collection ==<br />
<br />
Once the device is added successfully, we can check the data for this device on the Discover screen. Go to “Discover” from the main menu.<br />
Select the appropriate index. Raw (KHIKA formatted) data from all the Webservers you have added is shown here.<br />
<br />
[[File:Win24.jpg|500px]]<br />
<br />
To see the data for our newly added device, enter the search string in lower case –<br />
tl_src_host : name_of_the_device_added_in_lower_case<br />
and click on the search icon.<br />
<br />
== How to check the output of KHIKA IIS WebServer App ? ==<br />
<br />
<br />
=== IIS Webserver Http Error Status Dashboard ===<br />
<br />
This Dashboard shows the HTTP status codes for accessed URLs. It also shows the top 10 most accessed URLs, server IPs and HTTP status codes.<br />
<br />
==== Elements in the Dashboard are explained below : ====<br />
<br />
{| class="wikitable"<br />
|+ style="caption-side:bottom; color:#e76700;"|''IIS Webserver Http Error Status Dashboard''<br />
|-<br />
|'''Visualization'''<br />
|'''Description'''<br />
|-<br />
|Server IP wise Status<br />
|X axis : Server IPs<br/> Y axis : Server IP status codes like 200,400,404, etc.<br />
|-<br />
|Client IP wise Status<br />
|X axis : Client IPs<br/> Y axis : Client IP status code like 200,400,404,504, etc.<br />
|-<br />
|Time trend<br />
|Trend of events over time. Useful to identify unusual spikes at a glance.<br/><br/>X axis : date & time<br/>Y axis : count of events<br />
|-<br />
|Summary Table<br />
|Detailed data with timestamp and count<br />
<br />
|}<br />
<br />
==== Some suggestions for useful interaction with this dashboard could be : ====<br />
<br />
#In the graph "Server IP wise Status", click and select any one server IP. This isolates the status codes and URLs accessed for the selected server IP and is reflected across the dashboard, i.e. the other pie charts, time trends and summary table show filtered information for this server IP only.<br />
#Alternatively, in the graph "Client IP wise Status", click and select any one client IP. This isolates the status codes and URLs accessed for the selected client IP and is reflected across the dashboard.<br />
<br />
=== IIS Webserver Top N URL Dashboard ===<br />
<br />
This dashboard shows the top N URLs requested and their information. It also gives details about domains and top hits on servers.<br />
<br />
==== Elements in the Dashboard are explained below : ====<br />
<br />
{| class="wikitable"<br />
|+ style="caption-side:bottom; color:#e76700;"|''IIS Webserver Top N URL Dashboard''<br />
|-<br />
|'''Visualization'''<br />
|'''Description'''<br />
|-<br />
|Contribution of URL<br />
|This pie chart shows the share of the different URLs accessed on the server.<br />
|-<br />
|Server Name wise Hits<br />
|X axis : Server names<br/>Y axis : Count of request hits for each server.<br />
|-<br />
|Time trend<br />
|Trend of events over time. Useful to identify unusual spikes at a glance.<br/><br/>X axis : date & time<br/>Y axis : count of events<br />
|-<br />
|Contribution of Domain<br />
|This pie chart shows the share of the different domains.<br />
|-<br />
|Summary Table<br />
|Detailed data with timestamp and count<br />
<br />
|}<br />
<br />
==== Some suggestions for useful interaction with this dashboard could be : ====<br />
<br />
#In the pie chart "Contribution of URL", select any one URL. This shows the number of hits, the server names and the domains for the selected URL only across the dashboard, making it easier to analyse.<br />
#In the "Contribution of Domain" pie, click on any one domain. A filter is applied on the selected domain and the rest of the elements on the dashboard then show data for that domain only, such as the URLs for this domain, server names, etc.<br />
<br />
=== IIS Webserver Total Request Per User Dashboard ===<br />
<br />
This dashboard shows detailed information about users and the URLs they requested.<br />
<br />
==== Elements in the Dashboard are explained below : ====<br />
<br />
{| class="wikitable"<br />
|+ style="caption-side:bottom; color:#e76700;"|''IIS Webserver Total Request Per User Dashboard''<br />
|-<br />
|'''Visualization'''<br />
|'''Description'''<br />
|-<br />
|Contribution of Server Name<br />
|This pie chart shows the contribution of each server.<br />
|-<br />
|User wise Request<br />
|X axis : Users<br/>Y axis : Count of request hits for that user.<br />
|-<br />
|Time trend<br />
|Trend of events over time. Useful to identify unusual spikes at a glance.<br/><br/>X axis : date & time<br/>Y axis : count of events<br />
|-<br />
|Summary Table<br />
|Detailed data with timestamp and count<br />
<br />
|}<br />
<br />
==== Some suggestions for useful interaction with this dashboard could be : ====<br />
<br />
#In the graph "User wise Request", click and select any one user. This isolates the request hits for the selected user and is reflected across the dashboard, i.e. the other pie charts, time trends and summary table show filtered information for this user only.<br />
#In the pie "Contribution of Server Name", click and select any one server name. This isolates the users and request hits for that server name and is reflected across the dashboard.<br />
<br />
=== IIS Webserver Traffic Categorization Dashboard ===<br />
<br />
This dashboard shows the traffic categorization (DIRECT or REFERRED). It also shows the server IP wise category, top URLs and servers.<br />
<br />
==== Elements in the Dashboard are explained below : ====<br />
<br />
{| class="wikitable"<br />
|+ style="caption-side:bottom; color:#e76700;"|''IIS Webserver Traffic Categorization Dashboard''<br />
|-<br />
|'''Visualization'''<br />
|'''Description'''<br />
|-<br />
|Server IP wise Category<br />
|X axis : Server IPs<br/>Y axis : Count of requests per category.<br />
|-<br />
|Client IP wise Referrer<br />
|X axis : Client IPs<br/>Y axis : Count of requests per referrer.<br />
|-<br />
|Contribution of URL<br />
|This pie chart shows contribution of different types of URL <br />
|-<br />
|Contribution of Category<br />
|This pie chart shows contribution of different types of Category.<br />
|-<br />
|Contribution of Referrer<br />
|This pie chart shows contribution of different types of Referrer.<br />
|-<br />
|Time trend<br />
|Trend of events over time. Useful to identify unusual spikes at a glance.<br/><br/>X axis : date & time<br/>Y axis : count of events<br />
|-<br />
|Summary Table<br />
|Detailed data with timestamp and count<br />
<br />
|}<br />
<br />
==== Some suggestions for useful interaction with this dashboard could be : ====<br />
<br />
#In the bar graph "Server IP wise Category", select any one server IP. This isolates the categories and their counts, the domains and the accessed URLs for the selected server IP across the dashboard, i.e. the other pie charts, time trends and summary table show filtered information for this server IP only.<br />
#Conversely, in the bar graph "Client IP wise Referrer", click on any one client IP to select it; the rest of the elements on the dashboard then show data for that client IP only.<br />
<br />
=== IIS Webserver Top N Referrers Dashboard ===<br />
<br />
This Dashboard shows the top referrers. It also gives details about domains and top hits on servers.<br />
<br />
==== Elements in the Dashboard are explained below : ====<br />
<br />
{| class="wikitable"<br />
|+ style="caption-side:bottom; color:#e76700;"|''IIS Webserver Top N Referrers Dashboard''<br />
|-<br />
|'''Visualization'''<br />
|'''Description'''<br />
|-<br />
|Contribution of Domain<br />
|This pie chart shows contribution of different types of Domain.<br />
|-<br />
|Server Name wise Hits<br />
|X axis : Server Names<br/>Y axis : Count of request hits for each server name.<br />
|-<br />
|Contribution of Referrer<br />
|This pie chart shows contribution of different types of Referrers.<br />
|-<br />
|Time trend<br />
|Trend of events over time. Useful to identify unusual spikes at a glance.<br/><br/>X axis : date & time<br/>Y axis : count of events<br />
|-<br />
|Summary Table<br />
|Detailed data with timestamp and count<br />
<br />
|}<br />
<br />
==== Some suggestions for useful interaction with this dashboard could be : ====<br />
<br />
#In the pie chart "Contribution of Referrer", select any one referrer. This isolates the count of request hits, the domains and the server names for the selected referrer across the dashboard, i.e. the other pie charts, time trends and summary table show filtered information for this referrer only.<br />
#Conversely, in the "Contribution of Domain" pie, click on any one domain to select it; the rest of the elements on the dashboard then show data for that domain only.<br />
<br />
=== IIS Webserver Referrer Detail Dashboard ===<br />
<br />
This dashboard shows referrer details. It also shows the top URLs, the referrers and client IPs requesting each URL, and the server IPs.<br />
<br />
==== Elements in the Dashboard are explained below : ====<br />
<br />
{| class="wikitable"<br />
|+ style="caption-side:bottom; color:#e76700;"|''IIS Webserver Referrer Detail Dashboard''<br />
|-<br />
|'''Visualization'''<br />
|'''Description'''<br />
|-<br />
|Contribution of Referrer<br />
|This pie chart shows contribution of different Referrers.<br />
|-<br />
|Contribution of URL<br />
|This pie chart shows the contribution of the different URLs.<br />
|-<br />
| Server IP wise Hits<br />
|X axis : Server IP<br/>Y axis : Count of request hits for that Server IP.<br />
|-<br />
| Client IP wise Hits<br />
|X axis : Client IP<br/>Y axis : Count of request hits for that Client IP.<br />
|-<br />
|Time trend<br />
|Trend of events over time. Useful to identify unusual spikes at a glance.<br/><br/>X axis : date & time<br/>Y axis : count of events<br />
|-<br />
|Summary Table<br />
|Detailed data with timestamp and count<br />
<br />
|}<br />
<br />
==== Some suggestions for useful interaction with this dashboard could be : ====<br />
<br />
#In the pie chart "Contribution of Referrer", click and select any one referrer type. This isolates the count of hits, the server IPs and the accessed URLs for the selected referrer type, reflected across the dashboard, i.e. the other pie charts, time trends and summary table show filtered information for this referrer type only.<br />
#Alternatively, in the graph "Client IP wise Hits", click and select any one client IP. This isolates the request hits, referrers and accessed URLs for that client IP, reflected across the dashboard.<br />
<br />
=== IIS webserver loading delays Dashboard ===<br />
<br />
This dashboard shows the total time taken and the average time taken for each accessed URI, and the server IP.<br />
<br />
==== Elements in the Dashboard are explained below : ====<br />
<br />
{| class="wikitable"<br />
|+ style="caption-side:bottom; color:#e76700;"|''IIS webserver loading delays Dashboard ''<br />
|-<br />
|'''Visualization'''<br />
|'''Description'''<br />
|-<br />
|URL wise Total Time<br />
|X axis : URLs<br/>Y axis : Total time required and count of the most expensive requests for each URL.<br />
|-<br />
|Server IP Hits<br />
|X axis : Server IP<br/>Y axis : Count of request hits for that Server IP.<br />
|-<br />
| Contribution of Server IP<br />
|This pie chart shows contribution of different types of server IP.<br />
|-<br />
|Time trend<br />
|Trend of events over time. Useful to identify unusual spikes at a glance.<br/><br/>X axis : date & time<br/>Y axis : count of events<br />
|-<br />
|Summary Table<br />
|Detailed data with timestamp and count<br />
<br />
|}<br />
<br />
==== Some suggestions for useful interaction with this dashboard could be : ====<br />
<br />
#In the bar graph "URL wise Total Time" click and select any one URL. The dashboard then shows the total time required for that URL and the count of its most expensive requests, and the filter is reflected across the dashboard, i.e. the other pie charts, time trends and summary table show filtered information for this URL only.<br />
#Alternatively, in the bar graph "Server IP Hits" click and select any one server IP; the rest of the elements on the dashboard then show data for that server IP only.<br />
<br />
=== IIS Webserver Avg Qtime Dashboard ===<br />
<br />
This Dashboard shows the average time taken by each accessed URL and its query.<br />
<br />
==== Elements in the Dashboard are explained below : ====<br />
<br />
{| class="wikitable"<br />
|+ style="caption-side:bottom; color:#e76700;"|''IIS Webserver Avg Qtime Dashboard ''<br />
|-<br />
|'''Visualization'''<br />
|'''Description'''<br />
|-<br />
|URL wise Hits<br />
|X axis : URL names<br/>Y axis : Count of request hits for that URL.<br />
|-<br />
|Server IP Hits<br />
|X axis : Server IP<br/>Y axis : Count of request hits for that Server IP.<br />
|-<br />
| Contribution of Query<br />
|This pie chart shows contribution of different types of Query.<br />
|-<br />
|Time trend<br />
|Trend of events over time. Useful to identify unusual spikes at a glance.<br/><br/>X axis : date & time<br/>Y axis : count of events<br />
|-<br />
|Summary Table<br />
|Detailed data with timestamp and count<br />
<br />
|}<br />
<br />
==== Some suggestions for useful interaction with this dashboard could be : ====<br />
<br />
#In the pie chart "Contribution of Query" select any one top query. This isolates the count of hits and the server IPs for the selected query across the dashboard.<br />
#In the bar graph "URL wise Hits" select any one URL. This isolates the count of request hits, the queries and the server names for the selected URL across the dashboard, i.e. the other pie charts, time trends and summary table show filtered information for this URL only.<br />
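
The dashboards described above are all aggregations over the same raw IIS W3C log fields. The script below is an added example, not KHIKA's own code, showing which field each visualization is derived from: sc-status per s-ip for the Http Error Status dashboard, cs-uri-stem counts for Top N URL, cs-username for Total Request Per User, cs(Referer) for the DIRECT/REFERRED split in Traffic Categorization, and time-taken for the loading delays and Avg Qtime dashboards. The log lines are constructed, the field order follows the default IIS W3C `#Fields:` directive, and the function names are assumptions of this example.

```python
"""Deriving the KHIKA IIS dashboard views from raw IIS W3C log fields.

Added example, not KHIKA's code: it shows which IIS field each dashboard
visualization is built from. The log lines are constructed; the field
order follows the default IIS W3C "#Fields:" directive."""
from collections import Counter, defaultdict

# Constructed sample: five requests against two IIS server IPs.
# time-taken is in milliseconds, "-" means the field is empty.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2020-04-07 06:00:01 10.0.0.5 GET /index.html - 80 - 192.0.2.10 Mozilla/5.0 - 200 0 0 15
2020-04-07 06:00:02 10.0.0.5 GET /api/items id=7 80 alice 192.0.2.11 Mozilla/5.0 https://intranet.example/portal 200 0 0 340
2020-04-07 06:00:03 10.0.0.6 GET /missing.aspx - 80 - 192.0.2.12 curl/7.68 - 404 0 2 3
2020-04-07 06:00:04 10.0.0.5 GET /api/items id=9 80 alice 192.0.2.11 Mozilla/5.0 https://intranet.example/portal 200 0 0 120
2020-04-07 06:00:05 10.0.0.6 POST /upload - 80 bob 192.0.2.13 Mozilla/5.0 - 500 0 0 900
"""


def parse_w3c(text):
    """One dict per request; keys come from the #Fields: directive, so a
    customised IIS logging field set still parses."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            yield dict(zip(fields, line.split()))


def status_by_server_ip(rows):
    """'Server IP wise Status': status-code counts per s-ip (Http Error Status dashboard)."""
    out = defaultdict(Counter)
    for r in rows:
        out[r["s-ip"]][r["sc-status"]] += 1
    return out


def top_urls(rows, n):
    """'Contribution of URL' / Top N URL: most requested cs-uri-stem values."""
    return Counter(r["cs-uri-stem"] for r in rows).most_common(n)


def requests_per_user(rows):
    """'User wise Request': IIS logs '-' when no user was authenticated."""
    return Counter(r["cs-username"] if r["cs-username"] != "-" else "(anonymous)" for r in rows)


def traffic_category(rows):
    """'Contribution of Category': no Referer header means DIRECT, otherwise REFERRED."""
    return Counter("DIRECT" if r["cs(Referer)"] == "-" else "REFERRED" for r in rows)


def url_time(rows):
    """'URL wise Total Time': total time-taken (ms) and the most expensive request per URL."""
    out = defaultdict(lambda: {"total_ms": 0, "max_ms": 0})
    for r in rows:
        t = int(r["time-taken"])
        entry = out[r["cs-uri-stem"]]
        entry["total_ms"] += t
        entry["max_ms"] = max(entry["max_ms"], t)
    return out


def avg_time_by_url_query(rows):
    """'Avg Qtime': mean time-taken (ms) per (URL, query string) pair."""
    samples = defaultdict(list)
    for r in rows:
        samples[(r["cs-uri-stem"], r["cs-uri-query"])].append(int(r["time-taken"]))
    return {k: sum(v) / len(v) for k, v in samples.items()}


if __name__ == "__main__":
    rows = list(parse_w3c(SAMPLE_LOG))
    print(dict(status_by_server_ip(rows)))
    print(top_urls(rows, 3))
    print(requests_per_user(rows))
    print(traffic_category(rows))
    print(dict(url_time(rows)))
    print(avg_time_by_url_query(rows))
```

Two details matter when comparing this with what KHIKA shows: IIS writes `-` for an empty field, so an unauthenticated request has no username and a request with no Referer header is the DIRECT category; and `time-taken` is reported in milliseconds and includes network transfer time, so a slow client can inflate the URL-wise totals as much as a slow handler can.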
<br />
=== KHIKA Alerts for IIS WebServer ===<br />
<br />
Alerts are generated when certain critical behaviour is observed in the system in real time. They are notified on the Alerts Dashboard in KHIKA and can also be received by email by the relevant stakeholders. The details of KHIKA Alerts are mentioned here.<br />
Click on “Alert Dashboard” on the left menu.<br />
Certain alerts for Windows are pre-canned and shipped with KHIKA, keeping in mind the requirements of the users. They are mentioned in the table below :<br />
<br />
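The three pre-canned alerts in the table that follows can be expressed as small detections over the parsed IIS log fields. The script below is an added example, not KHIKA's rule engine: the threat-intelligence entries, the set of file extensions treated as executable, the threshold of three 4xx errors per URL per minute and the sample log lines are all constructed assumptions; the page names the conditions but not the exact thresholds.

```python
"""Detection logic behind the three pre-canned KHIKA IIS alerts, run over sample log lines.

Added example, not KHIKA's rule engine. It reproduces the conditions the
alert table describes: a client IP on a threat-intelligence list, a POST
of a file with an executable extension, and several 4xx errors for one
URL within one minute. All data and thresholds below are constructed."""
from collections import defaultdict
from pathlib import PurePosixPath

# Constructed stand-in for the community TI feed KHIKA shares every 24 hours
# (RFC 5737 documentation address, not a real indicator).
THREAT_INTEL = {
    "203.0.113.9": {"communities": ["feed-a", "feed-b"], "confidence": 80},
}

# The page says "executables, scripts, shared objects, etc."; the exact set is an assumption.
EXECUTABLE_EXTENSIONS = {".exe", ".dll", ".so", ".bat", ".cmd", ".ps1", ".vbs", ".sh", ".js"}

ERROR_THRESHOLD = 3  # "multiple errors" per URL per minute; the number is an assumption

# Constructed IIS W3C lines: a burst of 4xx for one URL, one executable upload,
# one request from the TI-listed address, and one 404 in a later minute.
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2020-04-07 06:00:01 10.0.0.5 GET /index.html - 80 - 192.0.2.10 Mozilla/5.0 - 200 0 0 15
2020-04-07 06:00:05 10.0.0.5 GET /reports/old.aspx - 80 - 198.51.100.7 curl/7.68 - 404 0 2 2
2020-04-07 06:00:09 10.0.0.5 GET /reports/old.aspx - 80 - 198.51.100.7 curl/7.68 - 404 0 2 2
2020-04-07 06:00:14 10.0.0.5 GET /reports/old.aspx - 80 - 198.51.100.7 curl/7.68 - 405 0 0 2
2020-04-07 06:00:20 10.0.0.5 POST /uploads/tool.exe - 80 bob 192.0.2.13 Mozilla/5.0 - 201 0 0 210
2020-04-07 06:00:21 10.0.0.5 POST /uploads/photo.jpg - 80 bob 192.0.2.13 Mozilla/5.0 - 201 0 0 180
2020-04-07 06:01:30 10.0.0.5 GET /index.html - 80 - 203.0.113.9 Mozilla/5.0 - 200 0 0 12
2020-04-07 06:01:40 10.0.0.5 GET /reports/old.aspx - 80 - 198.51.100.7 curl/7.68 - 404 0 2 2
"""


def parse_w3c(text):
    """One dict per request, keyed by the names in the #Fields: directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            yield dict(zip(fields, line.split()))


def minute_bucket(row):
    """The one-minute window the alerts are evaluated over (date + HH:MM)."""
    return f"{row['date']} {row['time'][:5]}"


def detect_bad_ip(rows, threat_intel):
    """Alert: IIS communication with possible IOC or bad IP (client IP on the TI list)."""
    alerts = []
    for r in rows:
        ti = threat_intel.get(r["c-ip"])
        if ti:
            alerts.append({"alert": "IIS communication with possible IOC or bad IP",
                           "client_ip": r["c-ip"], "uri": r["cs-uri-stem"],
                           "communities": ti["communities"], "confidence": ti["confidence"]})
    return alerts


def detect_dangerous_upload(rows):
    """Alert: dangerous content posted; one alert per client, user and minute."""
    posted = defaultdict(list)
    for r in rows:
        ext = PurePosixPath(r["cs-uri-stem"]).suffix.lower()
        if r["cs-method"] == "POST" and ext in EXECUTABLE_EXTENSIONS:
            posted[(r["c-ip"], r["cs-username"], minute_bucket(r))].append(r["cs-uri-stem"])
    return [{"alert": "IIS dangerous content posted to webserver", "client_ip": ip,
             "user": user, "minute": minute, "files": files}
            for (ip, user, minute), files in posted.items()]


def detect_repeated_errors(rows, threshold=ERROR_THRESHOLD):
    """Alert: at least `threshold` 4xx responses for the same URL within one minute."""
    errors = defaultdict(list)
    for r in rows:
        if r["sc-status"].startswith("4"):
            errors[(r["cs-uri-stem"], minute_bucket(r))].append(r["sc-status"])
    return [{"alert": "IIS multiple errors for same URL", "uri": uri,
             "minute": minute, "status_codes": codes}
            for (uri, minute), codes in errors.items() if len(codes) >= threshold]


def run_alerts(text, threat_intel=THREAT_INTEL):
    """Evaluate all three detections over a W3C log and return the alerts raised."""
    rows = list(parse_w3c(text))
    return detect_bad_ip(rows, threat_intel) + detect_dangerous_upload(rows) + detect_repeated_errors(rows)


if __name__ == "__main__":
    for alert in run_alerts(SAMPLE_LOG):
        print(alert)
```

Two caveats for anyone tuning these rules: the IIS log records the URI a POST was sent to, not the file name inside a multipart upload, so the extension check only sees uploads whose destination path carries the extension, and a form handler such as an `.aspx` page receiving POSTs must not be in the extension set or every form submission will alert; and the fixed calendar-minute bucket splits a burst that straddles a minute boundary (the 06:01 request above is counted separately), which a sliding window would catch at the cost of keeping per-URL state.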
==== Alerts Description ====<br />
<br />
{| class="wikitable"<br />
|+ style="caption-side:bottom; color:#e76700;"|''Alert Details Table''<br />
|-<br />
|'''Alert Name'''<br />
|'''Description'''<br />
|'''Suggested Resolution'''<br />
|-<br />
|IIS communication with possible IOC or bad IP<br />
|This alert is triggered when malicious (bad) IPs try to communicate with the IIS Webserver.<br />
|KHIKA shares community based threat intelligence (TI) every 24 hours. The TI is a list of IP addresses with bad reputation. Every bad IP is marked with the number of communities reporting it, the name of each community and a confidence score indicating how confident we are about the reputation. This alert is generated when communication with a bad IP is let through.<br />
If communication with a bad IP is happening, it must be blocked immediately as it could be a possible attack or data exfiltration.<br />
You can check how long this communication has been happening by simply searching for the malicious IP in the logs. You can also check which internal IP addresses are communicating with this IP address and track the real users behind those internal IP addresses.<br />
Cross-check the reputation of the IP with popular websites such as ipvoid.com, virustotal.com.<br />
If you see an internal IP constantly getting involved in malicious communication (with the same or multiple external IP addresses), you may install agents on the internal nodes involved and check the real user and process responsible for this communication.<br />
It is critical to block this rogue communication.<br />
|-<br />
|IIS dangerous content posted to webserver, files with executable extensions<br />
|This alert is triggered when any client posts potentially dangerous files to the webserver within one minute.<br />
|Dangerous content has been posted to the webserver. The user has posted potentially dangerous files such as executables, scripts, shared objects, etc. to the webserver.<br />
Kindly check the upload activity of the user and verify the uploaded content for policy violation.<br />
|-<br />
|IIS multiple errors for same URL when it is not accessible<br />
|This alert is triggered when a client tries to access an invalid/unauthorized URL and gets multiple errors such as 404, 405, etc. within one minute.<br />
|Multiple errors are being returned for the same URL.<br />
This kind of alert may occur due to an incorrect application URL, e.g. a user trying to access an invalid/non-authorized URL.<br />
Kindly check the legitimacy of the requesting users.<br />
|}</div>Dhanashree kulkarnihttp://khika.com/wiki/index.php?title=KHIKA_App_for_IIS_WebServer&diff=3062KHIKA App for IIS WebServer2020-04-07T06:37:31Z<p>Dhanashree kulkarni: /* Introduction */</p>
<hr />
<div>== Introduction ==<br />
<br />
IIS webserver logs contain valuable information such as each client's activity and communication. KHIKA visual analytics make it simpler to identify and pinpoint where risks are introduced, so you can take preventive measures accordingly. The KHIKA app for IIS webserver aims to give you insights into behaviour, errors and traffic.<br />
<br />
With KHIKA App for IIS webserver, you can :<br />
*Monitor hundreds of IIS servers at a central place.<br />
*Monitor and see the HTTP error trends.<br />
*Monitor the top N URLs serviced / requested and their statistics.<br />
*See the user wise request distribution on your servers.<br />
<br />
We explain below the steps to configure and interpret the output of the KHIKA App for IIS Webserver.<br />
<br />
The key parts to get here are: <br />
#Install the KHIKA App for IIS Webserver<br />
#Get data from your IIS Webserver into KHIKA Aggregator<br />
<br />
== How to Install the KHIKA App for IIS WebServer? ==<br />
<br />
The section assumes that you have already configured KHIKA Data Aggregator in your environment. If not, please read [[Getting Started with KHIKA SaaS#Installing and configuring KHIKA Data Aggregator|how to configure KHIKA Data Aggregator]] and perform the pre-requisite steps.<br />
<br />
This section explains how to pick and install the KHIKA application for IIS Webserver. Installing the application puts together and activates the adapter (parser) that can handle the IIS log format, together with the preconfigured dashboards and alert rules. <br />
<br />
Go to “Applications” tab in the “Configure” menu. <br />
<br />
[[File:node.jpg|500px]]<br />
<br />
Check whether the appropriate Workspace is selected.<br />
Note: Application is always loaded in a Workspace. Read the section on [[Accessing the KHIKA Gui#Creating a Workspace|Workspaces]] to know more about KHIKA Workspaces.<br />
Also select your KHIKA aggregator name in the Node dropdown. <br />
This is to ensure that we are collecting data from the desired source and into the correct workspace which is ready with the configured application and components.<br />
<br />
[[File:install_app.jpg|500px]]<br />
<br />
Click on the “+” button next to the IIS WebServer App. A pop up appears.<br />
<br />
[[File:install_app1.jpg|500px]]<br />
<br />
Users can now select the contents of the application required. For example, on the dropdown for “Reports”, click to expand it. List of all reports can be seen. User can individually select the reports required by checking on the checkbox next to each. Alternatively, check on “Select All” option to get all of them. <br />
Similarly you can select contents from Alerts and Dashboards.</br><br />
<br />
[[KHIKA Reports|What are KHIKA Reports]]</br><br />
<br />
[[KHIKA Dashboards|What are KHIKA Dashboards]]</br><br />
<br />
[[KHIKA Alerts & Correlations|What are KHIKA Alerts]]</br><br />
<br />
Click “Install” to proceed with the installation of the selected Application. <br />
If you have created multiple IIS webserver workspaces in KHIKA and installed the app previously, you will get the pop up below. <br />
<br />
[[File:App_alredy.JPG|500px]]<br />
<br />
Click on OK to proceed. If this is not the case, ignore this step. <br />
After successful installation, following status should be displayed. <br />
<br />
[[File:install_status.jpg|500px]]<br />
<br />
Click on Close button.<br />
This simple procedure to install a KHIKA App automatically configures the Adapter (required for parsing the raw logs), the KHIKA reports calculated on raw data, Visualizations, Dashboards and Alerts – all in one click.<br />
<br />
== How to get your IIS WebServer data into KHIKA ? ==<br />
<br />
KHIKA recommends the popular open source OSSEC integration to monitor IIS Webservers. <br />
There are two components in the OSSEC integration with KHIKA. <br />
#OSSEC Agent – Installed on each server which we wish to monitor<br />
#OSSEC Server – Present on KHIKA Data Aggregator (which you have installed before)<br />
<br />
The OSSEC agent and server communicate with each other using a unique per-agent key, which authenticates the agent to the server and encrypts the traffic between them. <br />
The main steps to start getting data from an IIS Webserver are :<br />
#Add the webserver details in KHIKA<br />
#Extract a unique key for this device from KHIKA<br />
#Install the OSSEC agent on the Webserver<br />
#Insert this key in the Ossec agent (ie. on your Webserver to be monitored)<br />
#Reload Configuration in KHIKA<br />
#Verify data collection in KHIKA<br />
<br />
Each of these steps is explained in detail in the further sections.<br />
<br />
== Adding the device in the KHIKA ==<br />
<br />
Go to Adapter tab, from the “Configure” menu. Click on the “Manage Devices” icon. <br />
<br />
[[File:iis_manage_device_1.jpg|500px]]<br />
<br />
Pop up appears for device details <br />
<br />
[[File:Win7.jpg|500px]]<br />
<br />
Click on “Add / Modify Device” tab. Another pop up appears for device details.<br />
<br />
[[File:list_device_11.jpg|500px]]<br />
<br />
Enter the expected device name. Also, in the field for IP address, enter “any”. <br />
'''Please note : Always enter the IP Address as “any”.''' This is the safe and sure option: the OSSEC server then accepts the agent from whichever of its configured IPs it connects with. The device may have multiple NICs/IP addresses, and unless you are certain which IP will be used for the connection, a specific address will cause the connection to fail. With “any”, the agent key alone identifies the agent to the OSSEC server, so treat the extracted key as a secret.<br />
<br />
Select appropriate time zone of this device. In the “Node” field dropdown, select the name of the Aggregator or local data collector for this device. <br />
Click on Submit. We get a success message and device is added successfully to this adaptor. <br />
<br />
[[File:iis_adding_device.jpg|500px]]<br />
<br />
Finally, go to Workspace tab and click on “Apply Configuration” icon.<br />
<br />
[[File:iis_10_1.jpg|500px]]<br />
<br />
We get a confirmation message here too, saying, “Changes Applied”<br />
<br />
== Extract key from KHIKA OSSEC Server ==<br />
<br />
Now the expected server is added in the relevant KHIKA Adapter or parser that will parse this data type. To see this device entry, click on “Manage Devices” icon next to the adaptor .<br />
<br />
[[File:iis_manage_device_1.jpg|500px]]<br />
<br />
A pop up with device details of the adaptor appears. Select “List of Devices” tab.<br />
<br />
[[File:iis_12.jpg|500px]]<br />
<br />
Click on the “Get OSSEC Key” icon next to this device. <br />
<br />
[[File:get_ossec_key_1.jpg|500px]]<br />
<br />
[[File:iis_extract_key.jpg|500px]]<br />
<br />
This is the unique key for this device created by the OSSEC server. Paste this key in the Ossec agent which is installed on this Webserver.<br />
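Before pasting the key, it is worth confirming that it really is the key for the device you just added (the device name) and that it was generated with the IP “any”, as required above. The following script is an added example and is not part of the KHIKA page or of OSSEC itself; it assumes the standard OSSEC export format, i.e. the key string is base64 of "&lt;id&gt; &lt;name&gt; &lt;ip&gt; &lt;key&gt;", the same line the agent stores in client.keys. The sample keys, the device name iis-web01 and the fixed address 10.0.0.5 are constructed for the example.<br />

```python
"""Sanity-check an exported OSSEC agent key before pasting it into the Windows agent.

Added example; not part of the KHIKA page or of OSSEC. It assumes the standard
OSSEC export format: base64 of "<id> <name> <ip> <key>", the line the agent
writes to client.keys. SAMPLE_KEY / SAMPLE_KEY_FIXED_IP are constructed here.
"""
import base64
import binascii
import re

# Constructed samples: what the "Get OSSEC Key" dialog would show for a device
# named iis-web01 (assumed name). The 64 hex key characters are dummy values.
SAMPLE_KEY = base64.b64encode(b"001 iis-web01 any " + b"ab" * 32).decode("ascii")
SAMPLE_KEY_FIXED_IP = base64.b64encode(b"002 iis-web01 10.0.0.5 " + b"cd" * 32).decode("ascii")


def decode_agent_key(exported):
    """Return (agent_id, name, ip, key) from an exported key; raise ValueError if malformed."""
    try:
        raw = base64.b64decode(exported.strip(), validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError) as exc:
        raise ValueError("not a base64-encoded OSSEC key: %s" % exc)
    parts = raw.split()
    if len(parts) != 4:
        raise ValueError("expected '<id> <name> <ip> <key>', got %r" % raw)
    agent_id, name, ip, key = parts
    if not re.fullmatch(r"[0-9a-fA-F]{32,}", key):
        raise ValueError("key field is not a hex string: %r" % key)
    return agent_id, name, ip, key


def check_key_for_device(exported, device_name):
    """List mismatches between the key and the device added in KHIKA; [] means it matches."""
    _agent_id, name, ip, _key = decode_agent_key(exported)
    problems = []
    if name.lower() != device_name.lower():
        problems.append("key belongs to agent %r, not %r" % (name, device_name))
    if ip != "any":
        # With a fixed IP the server rejects the agent when it connects from another NIC.
        problems.append("agent IP is %r, but the device must be added with IP 'any'" % ip)
    return problems


if __name__ == "__main__":
    print(decode_agent_key(SAMPLE_KEY)[:3])
    print(check_key_for_device(SAMPLE_KEY, "IIS-WEB01") or "key matches device")
    print(check_key_for_device(SAMPLE_KEY_FIXED_IP, "iis-web01"))
```

Run it with the string copied from the “Get OSSEC Key” dialog in place of SAMPLE_KEY. The decoded key field is printed only in part on purpose: the key is the only credential the agent presents when the IP is “any”, so keep it out of tickets and chat logs.<br />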
<br />
== Installing OSSEC Agent for IIS WebServer ==<br />
<br />
Download [https://goo.gl/86gRQL Windows Ossec Agent from here].<br><br />
For IIS Webserver you will need to select the Windows installer with filename '''ossec-win32-agent.zip'''. This works for both 32-bit and 64-bit Windows Server OS versions.<br />
<br />
Copy the downloaded installer to your Webserver (using WinSCP or your favourite SCP client) and run the installer as a local "Admin" on the server. <br />
Please Note : It is extremely important to install the OSSEC agent with admin privileges, as the agent reads the IIS log files and the Windows security event log, which only a local Administrator can read.<br />
Select the installer file and Press "Run"<br />
<br />
[[File:Win15.jpg|500px]]<br />
<br />
Click Next<br />
<br />
[[File:Win16.jpg|500px]]<br />
<br />
Select "I Agree" and proceed<br />
<br />
[[File:Win17.jpg|500px]]<br />
<br />
Keep the default selection in the next window and click Next<br />
<br />
[[File:Win18.jpg|500px]]<br />
<br />
Enter the location to install the OSSEC agent on the local drive and let the installation complete<br />
<br />
[[File:Win19.jpg|500px]]<br />
<br />
After the installation is complete, verify that the OSSEC HIDS Service is successfully installed on your WebServer. (Go to your Service Control Panel and check for OSSEC HIDS Service)<br />
<br />
[[File:Win20.jpg|500px]]<br />
<br />
NOTE :- You will have to repeat these steps on each Webserver that you wish to monitor using KHIKA.<br />
<br />
== Insert unique OSSEC key in Windows OSSEC Agent ==<br />
<br />
Perform following simple steps on the Agent on your Webserver : <br />
In the OSSEC Agent installation directory, run win32ui.exe (Run as Administrator) to open the window shown below.<br />
<br />
[[File:Win21.jpg|500px]]<br />
<br />
In the field “OSSEC Server IP” - Enter the IP Address of the KHIKA data aggregator or collector node and paste the copied key (generated by OSSEC server above) in the box against "Authentication key" and click Save. <br />
From "Manage" drop-down, select "Restart" to restart the OSSEC Agent. Click on the Refresh button in the bottom next to Save.<br />
<br />
[[File:Win22.jpg|500px]]<br />
<br />
Wait for a few minutes. Repeat above steps for all the agents to be added.<br />
<br />
== Reload Configuration ==<br />
<br />
Login into the KHIKA portal. <br />
*Go to Configure<br />
*Select the workspace in which the IIS WebServer app was installed <br />
*Go to Node Tab <br />
*Click Reload Config<br />
<br />
[[File:reload_conf.jpg|500px]]<br />
<br />
This step restarts OSSEC Server.<br />
Wait for a few minutes for server to restart.<br />
<br />
== Verifying OSSEC data collection ==<br />
<br />
Once the device is added successfully, we can check the data for this device on Discover screen. Go to “Discover” from the main menu. <br />
Select the appropriate index for the same. Raw (khika formatted) data of all your Webservers added is seen here. <br />
<br />
[[File:Win24.jpg|500px]]<br />
<br />
To see the data for our newly added device, enter search string in lower case – <br />
tl_src_host : name_of_the_device_added_in_lower_case <br />
and click on the search icon.<br />
<br />
== How to check the output of KHIKA IIS WebServer App ? ==<br />
<br />
<br />
=== IIS Webserver Http Error Status Dashboard ===<br />
<br />
This dashboard shows the HTTP status codes returned for accessed URLs. It also shows the top 10 most accessed URLs, the server IPs and their HTTP status codes. <br />
<br />
==== Elements in the Dashboard are explained below : ====<br />
<br />
{| class="wikitable"<br />
|+ style="caption-side:bottom; color:#e76700;"|''IIS Webserver Http Error Status Dashboard''<br />
|-<br />
|'''Visualization'''<br />
|'''Description'''<br />
|-<br />
|Server IP wise Status<br />
|X axis : Server IPs<br/> Y axis : count of responses per server, split by HTTP status code (200, 400, 404, etc.)<br />
|-<br />
|Client IP wise Status<br />
|X axis : Client IPs<br/> Y axis : count of responses per client, split by HTTP status code (200, 400, 404, 504, etc.)<br />
|-<br />
|Time trend<br />
|Trend of request events over time. Useful to identify unusual spikes at a glance.<br/><br/>X axis : date & time<br/>Y axis : count of events<br />
|-<br />
|Summary Table<br />
|Detailed data with timestamp and count<br />
<br />
|}<br />
<br />
==== Some suggestions for useful interaction with this dashboard could be : ====<br />
<br />
#In the graph "Server IP wise Status", click and select any one server IP. This shall isolate respective status codes and URLs accessed for that selected server IP and reflected across the dashboard. i.e the other pie charts, time trends and summary table shall show filtered information for this server IP only.<br />
#Alternatively, in the graph "Client IP wise Status " click and select any one client IP. This shall isolate respective status code and URL accessed for that selected client IP and reflects across the dashboard.<br />
<br />
=== IIS Webserver Top N URL Dashboard ===<br />
<br />
This dashboard shows the top n URLs requested and their details. It also gives details about the domains and the top hits per server. <br />
<br />
==== Elements in the Dashboard are explained below : ====<br />
<br />
{| class="wikitable"<br />
|+ style="caption-side:bottom; color:#e76700;"|''IIS Webserver Top N URL Dashboard''<br />
|-<br />
|'''Visualization'''<br />
|'''Description'''<br />
|-<br />
|Contribution of URL<br />
|This pie chart shows the share of requests for each URL served by the server.<br />
|-<br />
|Server Name wise Hits<br />
|X axis : Names of Server<br/>Y axis : Count of such request hits for each server.<br />
|-<br />
|Time trend<br />
|Trend of request events over time. Useful to identify unusual spikes at a glance.<br/><br/>X axis : date & time<br/>Y axis : count of events<br />
|-<br />
|Contribution of Domain<br />
|This pie chart shows the share of requests per domain.<br />
|-<br />
|Summary Table<br />
|Detailed data with timestamp and count<br />
<br />
|}<br />
<br />
==== Some suggestions for useful interaction with this dashboard could be : ====<br />
<br />
#On the pie chart "Contribution of URL" select any one URL. The rest of the dashboard then shows the number of hits, the server names and the domains for that URL only, making it easier to analyse. <br />
#In the "Contribution of Domain" pie, click on any one domain. A filter is applied for the selected domain, and the other elements of the dashboard then show only that domain's data, such as its URLs and server names.<br />
<br />
=== IIS Webserver Total Request Per User Dashboard ===<br />
<br />
This dashboard shows detailed information on users and the URLs they requested.<br />
<br />
==== Elements in the Dashboard are explained below : ====<br />
<br />
{| class="wikitable"<br />
|+ style="caption-side:bottom; color:#e76700;"|''IIS Webserver Total Request Per User Dashboard''<br />
|-<br />
|'''Visualization'''<br />
|'''Description'''<br />
|-<br />
|Contribution of Server Name<br />
|This pie chart shows contribution of servers.<br />
|-<br />
|User wise Request<br />
|X axis : one or more user<br/>Y axis : Count of request hits for that user.<br />
|-<br />
|Time trend<br />
|Trend of request events over time. Useful to identify unusual spikes at a glance.<br/><br/>X axis : date & time<br/>Y axis : count of events<br />
|-<br />
|Summary Table<br />
|Detailed data with timestamp and count<br />
<br />
|}<br />
<br />
==== Some suggestions for useful interaction with this dashboard could be : ====<br />
<br />
#In the graph "User wise Request ", click and select any one user. This shall isolate the requested hits for that selected user and reflected across the dashboard. i.e the other pie charts, time trends and summary table shall show filtered information for this user only.<br />
#In the pie "Contribution of Server Name " click and select any one server name. This shall isolate the respective user and requested hits for that server name and reflected across the dashboard.<br />
<br />
=== IIS Webserver Traffic Categorization Dashboard ===<br />
<br />
This dashboard shows traffic categorization (DIRECT or REFERRED). It also shows the category per server IP, the top URLs and the servers.<br />
<br />
==== Elements in the Dashboard are explained below : ====<br />
<br />
{| class="wikitable"<br />
|+ style="caption-side:bottom; color:#e76700;"|''IIS Webserver Traffic Categorization Dashboard''<br />
|-<br />
|'''Visualization'''<br />
|'''Description'''<br />
|-<br />
|Server IP wise Category<br />
|X axis : Server IPs<br/> Y axis : count of requests per server, split by category (DIRECT or REFERRED).<br />
|-<br />
|Client IP wise Referrer<br />
|X axis : Client IPs<br/> Y axis : count of requests per client, split by referrer.<br />
|-<br />
|Contribution of URL<br />
|This pie chart shows contribution of different types of URL <br />
|-<br />
|Contribution of Category<br />
|This pie chart shows contribution of different types of Category.<br />
|-<br />
|Contribution of Referrer<br />
|This pie chart shows contribution of different types of Referrer.<br />
|-<br />
|Time trend<br />
|Trend of request events over time. Useful to identify unusual spikes at a glance.<br/><br/>X axis : date & time <br/>Y axis : count of events<br />
|-<br />
|Summary Table<br />
|Detailed data with timestamp and count<br />
<br />
|}<br />
<br />
==== Some suggestions for useful interaction with this dashboard could be : ====<br />
#On the bar graph "Server IP wise Category" select any one server IP. This shall isolate respective category and its count for selected server IP and also domain and accessed URL for that server IP across the dashboard. i.e the other pie charts, time trends and summary table shall show filtered information for this server IP only. <br />
#Inversely, In the bar graph "Client IP wise Referrer", click on the any one client IP to select and rest of the elements on the dashboard then show data for that client IP only.<br />
<br />
=== IIS Webserver Top N Referrers Dashboard ===<br />
<br />
This Dashboard shows the top referrers. Also gives the details of domain and top hits on server.<br />
<br />
==== Elements in the Dashboard are explained below : ====<br />
<br />
{| class="wikitable"<br />
|+ style="caption-side:bottom; color:#e76700;"|''IIS Webserver Top N Referrers Dashboard''<br />
|-<br />
|'''Visualization'''<br />
|'''Description'''<br />
|-<br />
|Contribution of Domain<br />
|This pie chart shows contribution of different types of Domain.<br />
|-<br />
|Server Name wise Hits<br />
|X axis : Server Names<br/> Y axis :Server name wise hits.<br />
|-<br />
|Contribution of Referrer<br />
|This pie chart shows contribution of different types of Referrers.<br />
|-<br />
|Time trend<br />
|Trend of request events over time. Useful to identify unusual spikes at a glance.<br/><br/>X axis : date & time<br/>Y axis : count of events<br />
|-<br />
|Summary Table<br />
|Detailed data with timestamp and count<br />
<br />
|}<br />
<br />
==== Some suggestions for useful interaction with this dashboard could be : ====<br />
<br />
#In the pie chart "Contribution of Referrer" select any one referrer. This isolates the count of hits for that referrer and shows the domains and server names for it across the dashboard, i.e. the other pie charts, time trends and summary table show filtered information for this referrer only. <br />
#Inversely, in the "Contribution of Domain" pie, click on any one domain; the rest of the elements on the dashboard then show data for that domain only.<br />
<br />
=== IIS Webserver Referrer Detail Dashboard ===<br />
<br />
This dashboard shows referrer details. It also shows the top URLs, the referrers, the client IPs making the requests and the server IPs.<br />
<br />
==== Elements in the Dashboard are explained below : ====<br />
<br />
{| class="wikitable"<br />
|+ style="caption-side:bottom; color:#e76700;"|''IIS Webserver Referrer Detail Dashboard''<br />
|-<br />
|'''Visualization'''<br />
|'''Description'''<br />
|-<br />
|Contribution of Referrer<br />
|This pie chart shows contribution of different Referrers.<br />
|-<br />
|Contribution of URL<br />
|This pie chart shows contribution of different URLs .<br />
|-<br />
| Server IP wise Hits<br />
|X axis : Server IP<br/>Y axis : Count of request hits for that Server IP.<br />
|-<br />
| Client IP wise Hits<br />
|X axis : Client IP<br/>Y axis : Count of request hits for that Client IP.<br />
|-<br />
|Time trend<br />
|Trend of request events over time. Useful to identify unusual spikes at a glance.<br/><br/>X axis : date & time<br/>Y axis : count of events<br />
|-<br />
|Summary Table<br />
|Detailed data with timestamp and count<br />
<br />
|}<br />
<br />
==== Some suggestions for useful interaction with this dashboard could be : ====<br />
<br />
#In the pie chart "Contribution of Referrer" click and select any one referrer type.This shall isolate count of hits for that selected type and also shows server IP and accessed URL for that referrer type reflected across the dashboard. i.e the other pie charts, time trends and summary table shall show filtered information for this referrer type only.<br />
#Alternatively, in the graph "Client IP wise Hits" click and select any one client IP. This shall isolate request hits and also shows referrer and accessed URL for that client IP reflected across the dashboard.<br />
<br />
=== IIS webserver loading delays Dashboard ===<br />
<br />
This dashboard shows the total and average time taken for each accessed URI and server IP.<br />
<br />
==== Elements in the Dashboard are explained below : ====<br />
<br />
{| class="wikitable"<br />
|+ style="caption-side:bottom; color:#e76700;"|''IIS webserver loading delays Dashboard ''<br />
|-<br />
|'''Visualization'''<br />
|'''Description'''<br />
|-<br />
|URL wise Total Time<br />
|X axis : URL's<br/>Y axis : Total time required and count of most expensive request for particular URL.<br />
|-<br />
|Server IP Hits<br />
|X axis : Server IP<br/>Y axis : Count of request hits for that Server IP.<br />
|-<br />
| Contribution of Server IP<br />
|This pie chart shows contribution of different types of server IP.<br />
|-<br />
|Time trend<br />
|Trend of request events over time. Useful to identify unusual spikes at a glance.<br/><br/>X axis : date & time<br/>Y axis : count of events<br />
|-<br />
|Summary Table<br />
|Detailed data with timestamp and count<br />
<br />
|}<br />
<br />
==== Some suggestions for useful interaction with this dashboard could be : ====<br />
<br />
#In the bar graph "URL wise Total Time" click and select any one URL. The dashboard shall show total time required for that selected URL, count of most expensive request for that URL and reflected across the dashboard. i.e the other pie charts, time trends and summary table shall show filtered information for this URL only.<br />
#Alternatively, in the bar graph "Server IP Hits" click on any one server IP; the rest of the elements on the dashboard then show data for that server IP only.<br />
<br />
=== IIS Webserver Avg Qtime Dashboard ===<br />
<br />
This dashboard shows the average time taken by each accessed URL and its query string. <br />
<br />
==== Elements in the Dashboard are explained below : ====<br />
<br />
{| class="wikitable"<br />
|+ style="caption-side:bottom; color:#e76700;"|''IIS Webserver Avg Qtime Dashboard ''<br />
|-<br />
|'''Visualization'''<br />
|'''Description'''<br />
|-<br />
|URL wise Hits<br />
|X axis :Name of URL's<br/>Y axis : Count of request hits for that URL.<br />
|-<br />
|Server IP Hits<br />
|X axis : ServerIP<br/>Y axis : Count of request hits for that Server IP.<br />
|-<br />
| Contribution of Query<br />
|This pie chart shows contribution of different types of Query.<br />
|-<br />
|Time trend<br />
|Trend of request events over time. Useful to identify unusual spikes at a glance.<br/><br/>X axis : date & time<br/>Y axis : count of events<br />
|-<br />
|Summary Table<br />
|Detailed data with timestamp and count<br />
<br />
|}<br />
<br />
==== Some suggestions for useful interaction with this dashboard could be : ====<br />
<br />
#In the pie chart "Contribution of Query" select any one top Query. This shall isolate the count of hits for selected query and also server IP for selected query across the dashboard. <br />
#In the bar graph "URL wise Hits" select any one URL. This shall isolate the count of request hits for selected URL and also query and server name for that URL across the dashboard. i.e the other pie charts, time trends and summary table shall show filtered information for this URL only.<br />
<br />
=== KHIKA Alerts for IIS WebServer ===<br />
<br />
Alerts are generated in real time when certain critical behaviour is observed in the system. They are shown on the Alerts Dashboard in KHIKA and can also be sent by email to the relevant stakeholders. <br />
Click on “Alert Dashboard” on the left menu.<br />
Certain alerts for IIS are pre-canned and shipped with KHIKA, keeping in mind the requirements of the users. They are listed in the table below :<br />
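<br />
To make the three alert conditions concrete, the script below re-implements them over raw IIS W3C extended log lines. It is an added example and is not KHIKA's rule engine or its rule definitions: it assumes the default IIS W3C field set (IIS writes timestamps in UTC), and the log excerpt, the threat-intelligence set BAD_IPS, the extension list and the thresholds (3 errors within one minute) are constructed for the example.<br />

```python
"""Reproduce the three IIS alert conditions from the table over raw IIS W3C log lines.

Added example, not KHIKA's rule engine or its rule definitions. It assumes the
default IIS W3C extended log fields (timestamps are UTC in IIS logs). The log
lines, the threat-intel set and the thresholds are constructed for this example.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import posixpath

# Extensions treated as "dangerous content" when uploaded (assumed list).
EXECUTABLE_EXTS = {".exe", ".dll", ".ps1", ".bat", ".cmd", ".vbs", ".js",
                   ".asp", ".aspx", ".ashx", ".php", ".jsp", ".so", ".sh"}

# Constructed threat-intel list standing in for the KHIKA TI feed.
BAD_IPS = {"198.51.100.9"}

# Constructed IIS log excerpt (user agents contain no spaces; IIS writes them with '+').
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2020-04-07 06:00:01 10.0.0.5 GET /index.html - 80 - 203.0.113.7 Mozilla/5.0 200 0 0 12
2020-04-07 06:00:05 10.0.0.5 POST /uploads/shell.aspx - 80 - 203.0.113.7 Mozilla/5.0 201 0 0 40
2020-04-07 06:00:10 10.0.0.5 GET /admin/config.php - 80 - 198.51.100.9 curl/7.68.0 404 0 2 3
2020-04-07 06:00:20 10.0.0.5 GET /admin/config.php - 80 - 198.51.100.9 curl/7.68.0 404 0 2 3
2020-04-07 06:00:45 10.0.0.5 GET /admin/config.php - 80 - 198.51.100.9 curl/7.68.0 404 0 2 3
2020-04-07 06:03:00 10.0.0.5 GET /admin/config.php - 80 - 203.0.113.7 Mozilla/5.0 404 0 2 3
2020-04-07 06:03:10 10.0.0.5 GET /login.aspx - 80 - 192.0.2.44 Mozilla/5.0 200 0 0 15
"""


def parse_w3c(text):
    """Parse W3C extended log text into dicts keyed by the names in the #Fields line."""
    fields, events = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # a new log file may change the field list
        elif line.startswith("#") or not line.strip() or fields is None:
            continue
        else:
            values = line.split()
            if len(values) != len(fields):
                continue                       # truncated or malformed line: skip it
            ev = dict(zip(fields, values))
            ev["ts"] = datetime.strptime(ev["date"] + " " + ev["time"], "%Y-%m-%d %H:%M:%S")
            events.append(ev)
    return events


def bad_ip_contacts(events, bad_ips=BAD_IPS):
    """Alert 1: client addresses on the threat-intel list that reached the server."""
    return sorted({ev["c-ip"] for ev in events if ev["c-ip"] in bad_ips})


def dangerous_uploads(events):
    """Alert 2: POST/PUT requests whose target path has an executable extension."""
    hits = []
    for ev in events:
        ext = posixpath.splitext(ev["cs-uri-stem"].lower())[1]
        if ev["cs-method"] in ("POST", "PUT") and ext in EXECUTABLE_EXTS:
            hits.append((ev["c-ip"], ev["cs-uri-stem"]))
    return hits


def repeated_errors(events, threshold=3, window=timedelta(minutes=1)):
    """Alert 3: one client receiving >= threshold 4xx errors for the same URL inside window."""
    stamps_by_key = defaultdict(list)
    for ev in events:
        if ev["sc-status"].startswith("4"):
            stamps_by_key[(ev["c-ip"], ev["cs-uri-stem"])].append(ev["ts"])
    alerts = []
    for key, stamps in stamps_by_key.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):         # sliding window over sorted timestamps
            while stamps[end] - stamps[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts.append(key)
                break
    return alerts


def run_all(text=SAMPLE_LOG):
    """Evaluate all three alert conditions over one log excerpt."""
    events = parse_w3c(text)
    return {
        "bad_ip": bad_ip_contacts(events),
        "dangerous_upload": dangerous_uploads(events),
        "repeated_errors": repeated_errors(events),
    }


if __name__ == "__main__":
    for name, hits in run_all().items():
        print(name, hits)
```

On the constructed excerpt, the POST of shell.aspx from 203.0.113.7 fires the upload alert, the three 404s for /admin/config.php from 198.51.100.9 within 35 seconds fire the repeated-error alert, and the same address is also on the constructed threat list. The single 404 from 203.0.113.7 three minutes later does not fire, which is the point of the one-minute window: an isolated broken link is noise, a burst from one client is not.<br />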
<br />
==== Alerts Description ====<br />
<br />
{| class="wikitable"<br />
|+ style="caption-side:bottom; color:#e76700;"|''Alert Details Table''<br />
|-<br />
|'''Alert Name'''<br />
|'''Description'''<br />
|'''Suggested Resolution'''<br />
|-<br />
|IIS communication with possible IOC or bad IP<br />
|This alert is triggered when an IP address with a bad reputation communicates with the IIS Webserver.<br />
|KHIKA shares community based threat intelligence (TI) every 24 hours. The TI has a list of IP addresses with bad reputation. Every bad IP is marked with the number of communities reporting it, the name of each community and a confidence score indicating how confident we are about the reputation. This alert is generated when communication with a bad IP is let through.<br />
If communication with a bad IP is happening, it must be blocked immediately as it could be an attack or data exfiltration. <br />
You can check how long this communication has been happening by simply searching for the malicious IP in the logs. You can also check which internal IP addresses are communicating with this IP address and track the real users behind those internal IP addresses.<br />
Cross-check the reputation of the IP with popular websites such as ipvoid.com and virustotal.com.<br />
If you see an internal IP repeatedly involved in malicious communication (with the same or multiple external IP addresses), you may install agents on the internal nodes involved and check the real user and process responsible for this communication.<br />
It is critical to block this rogue communication.<br />
|-<br />
|IIS dangerous content posted to webserver, files with executable extensions<br />
|This alert is triggered when a client posts a file with a dangerous extension to the webserver; the rule is evaluated over a one-minute window.<br />
|A client has posted potentially dangerous content (executables, scripts, shared objects, etc.) to the webserver.<br />
Check the upload activity of that client, inspect the uploaded content for policy violation, and confirm whether the upload location is web-accessible or executable by the application.<br />
|-<br />
|IIS multiple errors for same URL when it is not accessible<br />
|This alert is triggered when a client requests an invalid or unauthorized URL and receives multiple errors (404, 405, etc.) for it within one minute.<br />
|Multiple errors are being returned for the same URL.<br />
This can be caused by an incorrect application URL, e.g. a user trying to access an invalid or non-authorized URL, but repeated errors from one client can also indicate path guessing or scanning.<br />
Check the legitimacy of the requesting users.<br />
|}</div>Dhanashree kulkarnihttp://khika.com/wiki/index.php?title=KHIKA_Apps&diff=3061KHIKA Apps2020-04-02T13:01:04Z<p>Dhanashree kulkarni: </p>
<hr />
<div>Following Apps are available in KHIKA currently. This list shall be updated periodically<br />
<br />
Servers and OS<br><br />
[[KHIKA App for Linux|KHIKA App for Linux]]<br><br />
[[KHIKA App for Windows|KHIKA App for Windows]]<br><br />
[[KHIKA App for Windows AD]]<br><br />
<br />
<br />
Firewalls<br><br />
[[KHIKA App for Sophos Firewall|KHIKA App for Sophos Firewall]]<br><br />
[[KHIKA App for Checkpoint Firewall|KHIKA App for Checkpoint Firewall]]<br><br />
[[KHIKA App for Fortigate Firewall|KHIKA App for Fortigate Firewall]]<br><br />
[[KHIKA App for PaloAlto Firewall|KHIKA App for PaloAlto Firewall]]<br><br />
<br />
<br />
Antivirus<br><br />
[[KHIKA App for Symantec Antivirus|KHIKA App for Symantec Antivirus]]<br><br />
<br />
<br />
Network Devices<br><br />
[[KHIKA App for Cisco Switch|KHIKA App for Cisco Switch]]<br><br />
<br />
<br />
Webservers<br><br />
[[KHIKA App for Apache WebServer|KHIKA App for Apache WebServer]]<br><br />
<br />
<br><br />
<br />
[[Load KHIKA App|Previous]] <br />
<br />
Refer the next section for [[Getting Data into KHIKA#Importing an Application|Importing newly available KHIKA Apps]]<br />
<br />
[[KHIKA User Guide|<div style='text-align: right;'>Back to Index</div>]]</div>Dhanashree kulkarnihttp://khika.com/wiki/index.php?title=KHIKA_App_for_Apache_WebServer&diff=3060KHIKA App for Apache WebServer2020-04-02T12:59:26Z<p>Dhanashree kulkarni: /* Report_Webserver_Referrer_Detail Dashboard */</p>
<hr />
<div>== Introduction ==<br />
Apache Webserver runs critical business applications in organisations. Monitoring them is important, from both security and operational standpoint.<br />
<br />
With KHIKA App for Apache Webserver, you can :<br />
*Monitor hundreds of servers at one central place.<br />
*Analyse http error status for accessed URLs on your server.<br />
*See information like the top accessed URLs and the count of hits on your server.<br />
*Monitor client IP wise total requests on your servers.<br />
<br />
We explain below the steps to configure and interpret the output of KHIKA App for Apache Webserver.<br />
The key steps are : <br />
#Install the KHIKA App for Apache Webserver<br />
#Get data from your Apache Webserver into KHIKA Aggregator<br />
<br />
== How to Install the KHIKA App for Apache WebServer? ==<br />
<br />
It is assumed, that you have already configured KHIKA Data Aggregator in your environment. If not, please read [[Getting Started with KHIKA SaaS#Installing and configuring KHIKA Data Aggregator|how to configure KHIKA Data Aggregator]] and perform the pre-requisite steps.<br />
<br />
This section explains how to pick and install the KHIKA application for Apache WebServer. Installing the application shall put together and activate the adapter (parser) that can handle the webserver data format, the dashboards and the alert rules which are preconfigured. <br />
<br />
Go to “Applications” tab in the “Configure” menu. <br />
<br />
[[File:Apache_1.JPG|700px]]<br />
<br />
Check whether the appropriate Workspace is selected.<br />
Note: Application is always loaded in a Workspace. Read the section on [[Accessing the KHIKA Gui#Creating a Workspace|Workspaces]] to know more about KHIKA Workspaces.<br />
Also select your KHIKA aggregator name in the Node dropdown. <br />
This is to ensure that we are collecting data from the desired source and into the correct workspace which is ready with the configured application and components.<br />
<br />
[[File:Apache_2.jpg|700px]]<br />
<br />
Click on the “+” button. A pop up appears.<br />
<br />
[[File:Apache_install_full.JPG|700px]]<br />
<br />
Users can now select the contents of the application required. For example, on the dropdown for “Reports”, click to expand it. List of all reports can be seen. User can individually select the reports required by checking on the checkbox next to each. Alternatively, check on “Select All” option to get all of them. <br />
Similarly you can select contents from Alerts and Dashboards.<br />
<br />
[[KHIKA Reports|What are KHIKA Reports]]<br />
<br />
[[KHIKA Dashboards|What are KHIKA Dashboards]]<br />
<br />
[[KHIKA Alerts & Correlations|What are KHIKA Alerts]]<br />
<br />
Click “OK” to proceed with the installation of the selected Application. <br />
After successful installation, following status should be displayed :<br />
<br />
[[File:Full_app_install.JPG|700px]]<br />
<br />
This simple procedure to install a KHIKA App, automatically configures the Adapter (required for parsing the data from raw syslogs), calculated KHIKA reports on raw data, Visualizations, Dashboards and Alerts – all in one click.<br />
<br />
== How to get your Apache Webserver data into KHIKA ? ==<br />
<br />
KHIKA recommends the popular open source OSSEC integration to monitor Apache webservers. <br />
There are 2 components in OSSEC Integration with KHIKA. <br />
#OSSEC Agent – Installed on each webserver which we wish to monitor<br />
#OSSEC Server – Present on KHIKA Data Aggregator <br />
<br />
The OSSEC agent and server communicate with each other using a unique key pairing mechanism. <br />
The main steps to start getting data from an Apache webserver are :<br />
#Install Ossec agent on the webserver (for Linux)<br />
#Add the webserver details in KHIKA<br />
#Extract a unique key for this device from KHIKA<br />
#Insert this key in the Ossec agent (ie. on respective webserver to be monitored)<br />
#Reload Configuration<br />
#Verify data collection<br />
<br />
Each of these steps is explained in detail in the further sections.<br />
<br />
== Installing OSSEC Agent for Apache Server ==<br />
<br />
Download [https://goo.gl/86gRQL Linux Ossec Agent from here].<br><br />
For Linux Agent, Please check your OS version and select appropriate downloader file.<br><br />
Version 5: '''ossec_TL_Agent_5.11.tar.gz'''<br><br />
Version 6: '''ossec_TL_Agent_6.x.tar.gz'''<br><br />
Version 7: '''ossec_TL_Agent.tar.gz'''<br><br />
<br />
Copy the downloaded installer to the server that you wish to monitor using KHIKA and run the installer with "root" credentials on that server.<br />
Please note: it is extremely important to install the OSSEC agent with "root" privileges, as the agent reads '''/var/log/secure, /var/log/messages''' and other important files. To read them successfully, the ossec-agent process must be installed with "root" privileges.<br />
<br />
Run the following commands as the "root" user to install the OSSEC agent.<br />
Remove or rename the ossec directory if it already exists on the agent, i.e. our Linux server:<br />
'''mv /opt/ossec /opt/ossec_bak'''<br />
Go to the location where you copied the OSSEC agent installer mentioned above and extract it with the following command:<br />
'''tar -zxvf ossec_TL_Agent.tar.gz'''<br />
<br />
Then change into the extracted directory using the cd command. You will see a script named install.sh.<br />
<br />
Then run the following command:<br />
'''sudo ./install.sh''' (sudo is not needed if you are already logged in as root)<br />
<br />
[[File:Linux5.jpg|700px]]<br />
<br />
Now, add KHIKA Data Aggregator IP address (OSSEC server IP address) to point the OSSEC agent to the OSSEC server.<br />
<br />
[[File:Linux6.jpg|700px]]<br />
<br />
NOTE: You will have to repeat these steps on each of the Servers that you wish to monitor using KHIKA.<br />
<br />
To collect the Apache logs, add the following section to agent.conf:<br />
<localfile><br />
<log_format>apache</log_format><br />
<location>/var/log/httpd/access_log</location><br />
</localfile><br />
<br />
== Adding the device in the Adapter ==<br />
<br />
Go to the Adapter tab in the “Configure” menu.<br />
Next to our “apache_webserver_adapter”, click the “Manage Devices” icon.<br />
<br />
[[File:Apache_manage_device.jpg|700px]]<br />
<br />
A pop-up appears for the device details.<br />
<br />
[[File:Linux8.jpg|700px]]<br />
<br />
Click the “Add / Modify Device” tab. Another pop-up appears for the device details.<br />
<br />
[[File:Apache_device_name.JPG|700px]]<br />
<br />
Enter the expected device name. In the field for IP address, enter “any”.<br />
'''Please note: always enter the IP address as “any”.''' This is the safe and sure option for establishing a connection, because it allows the OSSEC agent to connect to the OSSEC server from “any” of its configured IPs. The device may have multiple NICs or IP addresses, and unless we are sure which IP will be used for the connection, the connection will fail. Hence, use “any”.<br />
<br />
Select the appropriate time zone for this device. In the “Node” dropdown, select the name of the Aggregator or local data collector for this device.<br />
Click Submit. A success message appears and the device is added to this adapter.<br />
<br />
[[File:Apache_device_add.JPG|500px]]<br />
<br />
== Extract key from KHIKA OSSEC Server ==<br />
<br />
Now the Apache webserver is added to the relevant KHIKA Adapter, i.e. the parser that will parse this data type. To see this device entry, click the “Manage Devices” icon next to the adapter.<br />
<br />
[[File:Apache_manage_device.jpg|500px]]<br />
<br />
A pop-up with the device details of the adapter appears. Select the “List of Devices” tab.<br />
<br />
[[File:Apache_list_device.JPG|500px]]<br />
<br />
Click the “Get OSSEC Key” icon next to this device.<br />
<br />
[[File:Apache_key.jpg|500px]]<br />
<br />
[[File:Apache_extracted_key.JPG|500px]]<br />
<br />
This is the unique key for this device, created by the OSSEC server. Paste this key into the OSSEC agent installed on the Apache webserver.<br />
<br />
== Insert unique OSSEC key in OSSEC Agent on the Linux Server ==<br />
<br />
Perform the following simple steps on the Apache server agent:<br />
*Log in as "root" on the agent server.<br />
*Please note: the OSSEC server listens on UDP port 1514, so any firewall between the OSSEC agent and the OSSEC server must allow UDP traffic on port 1514.<br />
*In the OSSEC agent installation directory, run the manage_agents script:<br />
'''sudo /opt/ossec/bin/manage_agents'''<br />
*You'll be presented with these options:<br />
<br />
[[File:Linux14.jpg|700px]]<br />
<br />
*Select "I" to import the key (which we created in the section above, on the OSSEC server).<br />
*Copy and paste the key generated on the server.<br />
*Restart the agent using the command '''/opt/ossec/bin/ossec-control restart'''<br />
*Repeat these steps for each server to be monitored.<br />
*Finally, go to the Workspace tab and click the “Apply Configuration” icon.<br />
<br />
[[File:Apache_workspace.jpg|700px]]<br />
<br />
== Reload Configuration ==<br />
<br />
Log in to the KHIKA portal.<br />
*Go to Configure<br />
*Select the workspace, e.g. Apache_WebServer<br />
*Go to the Node tab<br />
*Click Reload Config<br />
<br />
[[File:Apache_reload.jpg|700px]]<br />
<br />
This step restarts the OSSEC server.<br />
Wait a few minutes for the server to restart.<br />
<br />
== Verifying OSSEC data collection ==<br />
<br />
Once the device is added successfully, we can check the data for this device on the Discover screen. Go to “Discover” from the main menu.<br />
Select the appropriate index. The raw (KHIKA formatted) data of all the Apache webservers added to KHIKA so far is shown here.<br />
<br />
[[File:Linux17.jpg|700px]]<br />
<br />
To see the data for our newly added device, enter the search string in lower case:<br />
'''tl_src_host : name_of_the_device_added_in_lower_case'''<br />
and click the search icon.<br />
<br />
== How to check the output of KHIKA Apache WebServer App? ==<br />
<br />
=== Webserver Http Error Status Dashboard ===<br />
<br />
This dashboard shows the HTTP status codes for accessed URLs: the top 10 most accessed URLs, with related details such as server IP and HTTP status code.<br />
<br />
==== Elements in the Dashboard are explained below: ====<br />
<br />
{| class="wikitable"<br />
|+ style="caption-side:bottom; color:#e76700;"|''Webserver Http Error Status Dashboard''<br />
|-<br />
|'''Visualization'''<br />
|'''Description'''<br />
|-<br />
|Contribution of Status<br />
|This pie chart shows the share of each HTTP status code, such as 403 or 503.<br />
|-<br />
|Contribution of Server IP<br />
|This pie chart shows the share of each server IP.<br />
|-<br />
|Contribution of URL<br />
|This pie chart shows the share of each URL.<br />
|-<br />
|Time trend<br />
|Trend of events over time. Useful to identify unusual spikes at a glance.<br/><br/>X axis: date & time<br/>Y axis: count of events<br />
|-<br />
|Summary Table<br />
|Detailed data with timestamp and count<br />
|}<br />
<br />
==== Some suggestions for useful interaction with this dashboard could be: ====<br />
<br />
#In the "Contribution of Status" pie, click and select any one status code. This isolates that status code and the URLs accessed with it, and the filter is reflected across the dashboard, i.e. the other pie charts, time trend and summary table show filtered information for this status code only.<br />
#Alternatively, in the "Contribution of Server IP" pie, click and select any one server IP. This isolates that server IP and the URLs accessed on it, and the filter is reflected across the dashboard.<br />
<br />
=== Webserver Top N URLs Dashboard ===<br />
<br />
As the name suggests, this dashboard shows the top URLs, with details about the domain and the top hits on each server.<br />
<br />
==== Elements in the Dashboard are explained below: ====<br />
<br />
{| class="wikitable"<br />
|+ style="caption-side:bottom; color:#e76700;"|''Webserver Top N URLs Dashboard''<br />
|-<br />
|'''Visualization'''<br />
|'''Description'''<br />
|-<br />
|Contribution of URL<br />
|This pie chart shows the share of each URL accessed on the server.<br />
|-<br />
|Server Name wise Request Hits<br />
|X axis: server names<br/>Y axis: count of request hits for each server.<br />
|-<br />
|Time trend<br />
|Trend of events over time. Useful to identify unusual spikes at a glance.<br/><br/>X axis: date & time<br/>Y axis: count of events<br />
|-<br />
|Contribution of Domain<br />
|This pie chart shows the share of each domain.<br />
|-<br />
|Summary Table<br />
|Detailed data with timestamp and count<br />
|}<br />
<br />
==== Some suggestions for useful interaction with this dashboard could be: ====<br />
<br />
#On the pie chart "Contribution of URL", select any one URL. This isolates the number of hits for that URL and also shows the server names and domain for it across the dashboard, i.e. the other pie charts, time trend and summary table show filtered information for this URL only.<br />
#In the "Contribution of Domain" pie, click on any one domain. A filter is applied on the selected domain, and the rest of the elements on the dashboard then show data for that domain only, such as the URLs and server names for this domain.<br />
<br />
=== Webserver Total Request Per Client IP Dashboard ===<br />
<br />
This dashboard shows the top client IPs and the total requests from a selected client IP.<br />
<br />
==== Elements in the Dashboard are explained below: ====<br />
<br />
{| class="wikitable"<br />
|+ style="caption-side:bottom; color:#e76700;"|''Webserver Total Request Per ClientIP Dashboard''<br />
|-<br />
|'''Visualization'''<br />
|'''Description'''<br />
|-<br />
|Contribution of Server Name<br />
|This pie chart shows the share of each server name.<br />
|-<br />
|Client IP wise Request<br />
|X axis: client IP(s)<br/>Y axis: count of request hits for that client IP.<br />
|-<br />
|Time trend<br />
|Trend of events over time. Useful to identify unusual spikes at a glance.<br/><br/>X axis: date & time<br/>Y axis: count of events<br />
|-<br />
|Summary Table<br />
|Detailed data with timestamp and count<br />
|}<br />
<br />
==== Some suggestions for useful interaction with this dashboard could be: ====<br />
<br />
#In the graph "Client IP wise Request", click and select any one client IP. This isolates the request hits for that client IP and is reflected across the dashboard, i.e. the other pie charts, time trend and summary table show filtered information for this client IP only.<br />
#In the pie "Contribution of Server Name", click and select any one server name. This isolates that server name and the request hits for it, and is reflected across the dashboard.<br />
<br />
=== Webserver Traffic Categorization Dashboard ===<br />
<br />
This dashboard shows the traffic categorization, e.g. DIRECT or REFERRED. It also shows the referrer per client IP, the top URLs and the servers.<br />
<br />
==== Elements in the Dashboard are explained below: ====<br />
<br />
{| class="wikitable"<br />
|+ style="caption-side:bottom; color:#e76700;"|''Webserver Traffic Categorization Dashboard''<br />
|-<br />
|'''Visualization'''<br />
|'''Description'''<br />
|-<br />
|Server IP wise Category<br />
|X axis: server IP<br/>Y axis: count per category.<br />
|-<br />
|Client IP wise Referrer<br />
|X axis: client IP<br/>Y axis: count per referrer.<br />
|-<br />
|Contribution of URL<br />
|This pie chart shows the share of each URL.<br />
|-<br />
|Contribution of Server Name<br />
|This pie chart shows the share of each server name.<br />
|-<br />
|Contribution of Referrer<br />
|This pie chart shows the share of each referrer.<br />
|-<br />
|Time trend<br />
|Trend of events over time. Useful to identify unusual spikes at a glance.<br/><br/>X axis: date & time<br/>Y axis: count of events<br />
|-<br />
|Summary Table<br />
|Detailed data with timestamp and count<br />
|}<br />
<br />
==== Some suggestions for useful interaction with this dashboard could be: ====<br />
<br />
#On the bar graph "Server IP wise Category", select any one server IP. This isolates the categories and their counts for that server IP, along with the domains and URLs accessed on it, across the dashboard, i.e. the other pie charts, time trend and summary table show filtered information for this server IP only.<br />
#Inversely, in the bar graph "Client IP wise Referrer", click on any one client IP to select it; the rest of the elements on the dashboard then show data for that client IP only.<br />
<br />
=== Webserver Top N Referrers Dashboard ===<br />
<br />
This dashboard shows the top referrers. It also gives details of the domain and the top hits on each server.<br />
<br />
==== Elements in the Dashboard are explained below: ====<br />
<br />
{| class="wikitable"<br />
|+ style="caption-side:bottom; color:#e76700;"|''Webserver Top N Referrers Dashboard''<br />
|-<br />
|'''Visualization'''<br />
|'''Description'''<br />
|-<br />
|Contribution of Domain<br />
|This pie chart shows the share of each domain.<br />
|-<br />
|Server Name wise Hits<br />
|X axis: server name(s)<br/>Y axis: hits per server name.<br />
|-<br />
|Contribution of Referrer<br />
|This pie chart shows the share of each referrer.<br />
|-<br />
|Time trend<br />
|Trend of events over time. Useful to identify unusual spikes at a glance.<br/><br/>X axis: date & time<br/>Y axis: count of events<br />
|-<br />
|Summary Table<br />
|Detailed data with timestamp and count<br />
|}<br />
<br />
==== Some suggestions for useful interaction with this dashboard could be: ====<br />
<br />
#In the pie "Contribution of Referrer", select any one referrer. This isolates the count of request hits for that referrer and also shows its domain and server name across the dashboard, i.e. the other pie charts, time trend and summary table show filtered information for this referrer only.<br />
#Inversely, in the "Contribution of Domain" pie, click on any one domain to select it; the rest of the elements on the dashboard then show data for that domain only.<br />
<br />
=== Webserver Referrer Detail Dashboard ===<br />
<br />
This dashboard shows referrer details, the top URLs, and the client IPs that requested those URLs, along with the server names.<br />
<br />
==== Elements in the Dashboard are explained below: ====<br />
<br />
{| class="wikitable"<br />
|+ style="caption-side:bottom; color:#e76700;"|''Webserver Referrer Detail Dashboard''<br />
|-<br />
|'''Visualization'''<br />
|'''Description'''<br />
|-<br />
|Contribution of Referrer<br />
|This pie chart shows the share of each referrer.<br />
|-<br />
|Contribution of URL<br />
|This pie chart shows the share of each URL.<br />
|-<br />
|Server Name wise Hits<br />
|X axis: server name<br/>Y axis: count of request hits for that server name.<br />
|-<br />
|Client IP wise Hits<br />
|X axis: client IP<br/>Y axis: count of request hits for that client IP.<br />
|-<br />
|Time trend<br />
|Trend of events over time. Useful to identify unusual spikes at a glance.<br/><br/>X axis: date & time<br/>Y axis: count of events<br />
|-<br />
|Summary Table<br />
|Detailed data with timestamp and count<br />
|}<br />
<br />
==== Some suggestions for useful interaction with this dashboard could be: ====<br />
<br />
#In the pie chart "Contribution of Referrer", click and select any one referrer type. This isolates the count of hits for that type and also shows the server names and accessed URLs for it, reflected across the dashboard, i.e. the other pie charts, time trend and summary table show filtered information for this referrer type only.<br />
#Alternatively, in the graph "Client IP wise Hits", click and select any one client IP. This isolates its request hits and also shows the referrer and accessed URLs for that client IP.<br />
<br />
=== KHIKA Alerts for Apache WebServer ===<br />
<br />
Alerts are generated in real time when certain critical behaviour is observed in the system. They are shown on the Alerts Dashboard in KHIKA and can also be sent by email to the relevant stakeholders. The details of KHIKA Alerts are described here.<br />
Click “Alert Dashboard” in the left menu.<br />
Certain alerts for the Apache WebServer are pre-canned and shipped with KHIKA, keeping in mind the requirements of users. They are listed in the table below:<br />
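As an added example that is not part of KHIKA's rule engine, the following Python script re-implements the three pre-canned alerts from the table below over constructed Apache combined-format access log lines, so you can see what each rule actually keys on: a sliding one-minute window of 4xx/5xx responses per client IP, POST/PUT requests whose target has an executable, script or shared-object extension, and a client IP match against a threat-intelligence list. The error threshold, the extension list, the sample log lines and the threat-intelligence entries are assumptions made for the illustration.<br />

```python
"""Toy re-implementation of the three pre-canned KHIKA Apache alerts over
constructed Apache combined-format log lines. Added example, not KHIKA's
rule engine: thresholds, the extension list and the TI entries are assumed."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Apache "combined" LogFormat: %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
LOG_RE = re.compile(
    r'(?P<client_ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)

# Constructed sample log: 203.0.113.7 collects five errors inside one minute,
# 198.51.100.9 uploads an executable and a script, 192.0.2.66 is on the TI list.
SAMPLE_LOG = """\
203.0.113.7 - - [02/Apr/2020:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [02/Apr/2020:10:00:02 +0000] "GET /private/report.html HTTP/1.1" 403 12 "-" "curl/7.68.0"
203.0.113.7 - - [02/Apr/2020:10:00:05 +0000] "GET /old/page1.html HTTP/1.1" 404 196 "-" "curl/7.68.0"
198.51.100.9 - - [02/Apr/2020:10:00:20 +0000] "POST /uploads/report.pdf HTTP/1.1" 201 0 "http://example.org/form" "Mozilla/5.0"
203.0.113.7 - - [02/Apr/2020:10:00:15 +0000] "GET /old/page2.html HTTP/1.1" 404 196 "-" "curl/7.68.0"
198.51.100.9 - - [02/Apr/2020:10:00:21 +0000] "POST /uploads/tool.exe HTTP/1.1" 201 0 "http://example.org/form" "Mozilla/5.0"
198.51.100.9 - - [02/Apr/2020:10:00:22 +0000] "PUT /uploads/hook.sh?x=1 HTTP/1.1" 201 0 "-" "Mozilla/5.0"
203.0.113.7 - - [02/Apr/2020:10:00:30 +0000] "GET /old/page3.html HTTP/1.1" 404 196 "-" "curl/7.68.0"
203.0.113.7 - - [02/Apr/2020:10:00:50 +0000] "GET /private/report.html HTTP/1.1" 403 12 "-" "curl/7.68.0"
192.0.2.66 - - [02/Apr/2020:10:01:00 +0000] "GET / HTTP/1.1" 200 100 "-" "python-requests/2.23.0"
203.0.113.7 - - [02/Apr/2020:10:02:00 +0000] "GET /old/page4.html HTTP/1.1" 404 196 "-" "curl/7.68.0"
this line is deliberately malformed and must be skipped by the parser
"""

# Constructed threat-intel entries: IP -> confidence reported by the community feed
BAD_IPS = {"192.0.2.66": 0.9}

# Assumed tuning knobs for the alert rules
ERROR_THRESHOLD = 5                      # errors from one client IP inside WINDOW
WINDOW = timedelta(minutes=1)
DANGEROUS_EXT = (".exe", ".dll", ".so", ".sh", ".bat", ".ps1", ".php", ".jsp")


def parse_line(line):
    """Parse one combined-log line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def excessive_errors(records, threshold=ERROR_THRESHOLD, window=WINDOW):
    """Alert 1: the same client IP receives >= threshold 4xx/5xx responses inside
    one sliding window. Returns {client_ip: time the threshold was first reached}."""
    alerts, recent = {}, defaultdict(deque)
    for r in sorted(records, key=lambda r: r["time"]):
        if r["status"] < 400:
            continue
        q = recent[r["client_ip"]]
        q.append(r["time"])
        while q and r["time"] - q[0] > window:   # expire errors older than the window
            q.popleft()
        if len(q) >= threshold and r["client_ip"] not in alerts:
            alerts[r["client_ip"]] = r["time"]
    return alerts


def dangerous_uploads(records, exts=DANGEROUS_EXT):
    """Alert 2: POST/PUT whose target path (query string stripped) ends with an
    executable, script or shared-object extension."""
    return [(r["client_ip"], r["path"]) for r in records
            if r["method"] in ("POST", "PUT")
            and r["path"].split("?", 1)[0].lower().endswith(exts)]


def ioc_communication(records, bad_ips):
    """Alert 3: client IP matches the threat-intel list; returns (ip, confidence) pairs."""
    return sorted({(r["client_ip"], bad_ips[r["client_ip"]])
                   for r in records if r["client_ip"] in bad_ips})


def run_all(log_text=SAMPLE_LOG, bad_ips=BAD_IPS):
    """Parse the log and evaluate all three rules; malformed lines are dropped."""
    records = [r for r in map(parse_line, log_text.splitlines()) if r]
    return {
        "parsed": len(records),
        "excessive_errors": excessive_errors(records),
        "dangerous_uploads": dangerous_uploads(records),
        "ioc_communication": ioc_communication(records, bad_ips),
    }


if __name__ == "__main__":
    for name, result in run_all().items():
        print(f"{name}: {result}")
```

Feeding the same rules with your own access log and your own TI feed is a quick way to sanity-check thresholds before relying on the dashboard: a legitimate crawler can trip the error rule, and the upload rule only sees the URL path, not the request body, so treat both as triage signals that call for the verification steps in the table rather than as verdicts.<br />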
<br />
==== Alerts Description ====<br />
<br />
{| class="wikitable"<br />
|+ style="caption-side:bottom; color:#e76700;"|''Alert Details Table''<br />
|-<br />
|'''Alert Name'''<br />
|'''Description'''<br />
|'''Suggested Resolution'''<br />
|-<br />
|Apache excessive web server errors from same source ip<br />
|This alert is triggered when the same source IP communicates with the Apache webserver and receives multiple error responses within one minute.<br />
|Multiple errors are coming from the same source_ip. Possible DDoS attack.<br />
A denial of service (DoS) attack is one in which the server is prevented from serving legitimate users with a response to their requests. DoS attacks from anonymous sources can be prevented by deploying a web server firewall that inspects all HTTP traffic and drops any packet that appears malicious or comes from an unauthorised source.<br />
Check the reputation of the client IP address and block it if necessary.<br />
|-<br />
|Apache dangerous content posted to webserver<br />
|This alert is triggered when any source posts potentially dangerous files to the webserver within one minute.<br />
|Dangerous content was posted to the Apache webserver: potentially dangerous files such as executables, scripts or shared objects were uploaded to it.<br />
Check the upload activity of the user and verify the uploaded content for policy violations.<br />
|-<br />
|Apache communication with possible IOC or bad IP<br />
|This alert is triggered when malicious or bad IPs communicate with the Apache webserver.<br />
|KHIKA shares community-based threat intelligence (TI) every 24 hours. The TI contains a list of IP addresses with bad reputation. Every bad IP is marked with the number of communities reporting it, the name of each community, and a confidence value indicating how confident we are about the reputation. This alert is generated when communication with a bad IP is let through.<br />
<br />
If communication with a bad IP is happening, it must be blocked immediately, as it could be an attack or data exfiltration.<br />
You can check how long this communication has been happening by simply searching for the malicious IP in the logs. You can also check which internal IP addresses are communicating with this IP address and track the real users behind those internal IP addresses.<br />
Cross-check the reputation of the IP with popular websites such as ipvoid.com or virustotal.com.<br />
If you see an internal IP constantly involved in malicious communication (with the same or multiple external IP addresses), you may install agents on the internal nodes involved and check the real user and process responsible for this communication.<br />
It is critical to block this rogue communication.<br />
|}</div>Dhanashree kulkarni
http://khika.com/wiki/index.php?title=KHIKA_App_for_Apache_WebServer&diff=3059 KHIKA App for Apache WebServer 2020-04-02T12:56:59Z
<p>Dhanashree kulkarni: /* Report_Webserver_Top_N_Referers Dashboard */</p>
<hr />
<div>== Introduction ==<br />
Apache Webserver runs critical business applications in organisations. Monitoring them is important from both a security and an operational standpoint.<br />
<br />
With the KHIKA App for Apache Webserver, you can:<br />
*Monitor hundreds of servers from one central place.<br />
*Analyse the HTTP error status for URLs accessed on your server.<br />
*See information such as the top accessed URLs and the count of hits on your server.<br />
*Monitor the total requests per client IP on your servers.<br />
<br />
Below we explain the steps to configure and interpret the output of the KHIKA App for Apache Webserver.<br />
The key parts are:<br />
#Install the KHIKA App for Apache Webserver<br />
#Get data from your Apache Webserver into the KHIKA Aggregator<br />
<br />
== How to Install the KHIKA App for Apache WebServer? ==<br />
<br />
It is assumed that you have already configured the KHIKA Data Aggregator in your environment. If not, please read [[Getting Started with KHIKA SaaS#Installing and configuring KHIKA Data Aggregator|how to configure KHIKA Data Aggregator]] and perform the prerequisite steps.<br />
<br />
This section explains how to pick and install the KHIKA application for Apache WebServer. Installing the application puts together and activates the preconfigured adapter (parser) that handles the webserver data format, the dashboards and the alert rules.<br />
<br />
Go to the “Applications” tab in the “Configure” menu.<br />
<br />
[[File:Apache_1.JPG|700px]]<br />
<br />
Check whether the appropriate Workspace is selected.<br />
Note: an application is always loaded in a Workspace. Read the section on [[Accessing the KHIKA Gui#Creating a Workspace|Workspaces]] to learn more about KHIKA Workspaces.<br />
Also select your KHIKA aggregator name in the Node dropdown.<br />
This ensures that we collect data from the desired source into the correct workspace, which is ready with the configured application and components.<br />
<br />
[[File:Apache_2.jpg|700px]]<br />
<br />
Click the “+” button. A pop-up appears.<br />
<br />
[[File:Apache_install_full.JPG|700px]]<br />
<br />
You can now select the contents of the application you require. For example, click the dropdown for “Reports” to expand it; the list of all reports is shown. Select the reports you need individually by checking the checkbox next to each, or check the “Select All” option to get all of them.<br />
Similarly, you can select contents from Alerts and Dashboards.<br />
<br />
[[KHIKA Reports|What are KHIKA Reports]]<br />
<br />
[[KHIKA Dashboards|What are KHIKA Dashboards]]<br />
<br />
[[KHIKA Alerts & Correlations|What are KHIKA Alerts]]<br />
<br />
Click “OK” to proceed with the installation of the selected application.<br />
After successful installation, the following status should be displayed:<br />
<br />
[[File:Full_app_install.JPG|700px]]<br />
<br />
This simple procedure to install a KHIKA App automatically configures the Adapter (required for parsing the data from raw syslogs), the KHIKA reports calculated on the raw data, Visualizations, Dashboards and Alerts, all in one click.<br />
<br />
== How to get your Apache Webserver data into KHIKA? ==<br />
<br />
KHIKA recommends the popular open source OSSEC integration to monitor Apache webservers.<br />
There are two components in the OSSEC integration with KHIKA:<br />
#OSSEC Agent – installed on each webserver we wish to monitor<br />
#OSSEC Server – present on the KHIKA Data Aggregator<br />
<br />
The OSSEC agent and server communicate with each other using a unique key pairing mechanism.<br />
The main steps to start getting data from a Linux webserver are:<br />
#Install the OSSEC agent on the webserver (for Linux)<br />
#Add the webserver details in KHIKA<br />
#Extract a unique key for this device from KHIKA<br />
#Insert this key in the OSSEC agent (i.e. on the respective webserver to be monitored)<br />
#Reload the configuration<br />
#Verify data collection<br />
<br />
Each of these steps is explained in detail in the following sections.<br />
<br />
== Installing OSSEC Agent for Apache Server ==<br />
<br />
Download the [https://goo.gl/86gRQL Linux OSSEC Agent from here].<br><br />
For the Linux agent, check your OS version and select the appropriate installer file.<br><br />
Version 5: '''ossec_TL_Agent_5.11.tar.gz'''<br><br />
Version 6: '''ossec_TL_Agent_6.x.tar.gz'''<br><br />
Version 7: '''ossec_TL_Agent.tar.gz'''<br><br />
<br />
Copy the downloaded installer to the server that you wish to monitor using KHIKA and run the installer with "root" credentials on that server.<br />
Please note: it is extremely important to install the OSSEC agent with "root" privileges, as the agent reads '''/var/log/secure, /var/log/messages''' and other important files. To read them successfully, the ossec-agent process must be installed with "root" privileges.<br />
<br />
Run the following commands as the "root" user to install the OSSEC agent.<br />
Remove or rename the ossec directory if it already exists on the agent, i.e. our Linux server:<br />
'''mv /opt/ossec /opt/ossec_bak'''<br />
Go to the location where you copied the OSSEC agent installer mentioned above and extract it with the following command:<br />
'''tar -zxvf ossec_TL_Agent.tar.gz'''<br />
<br />
Then change into the extracted directory using the cd command. You will see a script named install.sh.<br />
<br />
Then run the following command:<br />
'''sudo ./install.sh''' (sudo is not needed if you are already logged in as root)<br />
<br />
[[File:Linux5.jpg|700px]]<br />
<br />
Now, add KHIKA Data Aggregator IP address (OSSEC server IP address) to point the OSSEC agent to the OSSEC server.<br />
<br />
[[File:Linux6.jpg|700px]]<br />
<br />
NOTE: You will have to repeat these steps on each of the Servers that you wish to monitor using KHIKA.<br />
<br />
To collect the Apache logs, add the following section to agent.conf:<br />
<localfile><br />
<log_format>apache</log_format><br />
<location>/var/log/httpd/access_log</location><br />
</localfile><br />
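As an added example, not KHIKA's or OSSEC's own tooling, the following Python script applies the agent.conf change above without creating duplicates: it first parses the file to see whether the access log location is already monitored, and it wraps the content in a synthetic root element because an agent.conf may contain more than one <agent_config> block, which is not a single-root XML document. The sample configuration, the helper names and the default path /var/log/httpd/access_log (taken from the section above) are assumptions made for the illustration.<br />

```python
"""Idempotently add an OSSEC <localfile> entry for the Apache access log to an
agent.conf. Added example, not KHIKA's or OSSEC's tooling: the sample
configuration, the helper names and the default path are assumptions."""
import xml.etree.ElementTree as ET

# Constructed agent.conf as it might look before the Apache entry is added.
SAMPLE_AGENT_CONF = """<agent_config>
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/messages</location>
  </localfile>
</agent_config>
"""


def _parse(conf_text):
    # agent.conf may hold several <agent_config> blocks (one per agent group),
    # which is not a single-root XML document, so wrap it before parsing.
    # A malformed file raises ET.ParseError instead of being silently edited.
    return ET.fromstring("<wrap>" + conf_text + "</wrap>")


def monitored_locations(conf_text):
    """Return every <location> already configured under a <localfile>."""
    return [(lf.findtext("location") or "").strip()
            for lf in _parse(conf_text).iter("localfile")]


def ensure_localfile(conf_text, location="/var/log/httpd/access_log",
                     log_format="apache"):
    """Return (new_text, added). The entry is inserted as text before the last
    </agent_config> so comments and formatting elsewhere in the file survive."""
    if not location.startswith("/"):
        raise ValueError("location must be an absolute path")
    if location in monitored_locations(conf_text):
        return conf_text, False           # already collected; do not duplicate
    block = (
        "  <localfile>\n"
        f"    <log_format>{log_format}</log_format>\n"
        f"    <location>{location}</location>\n"
        "  </localfile>\n"
    )
    idx = conf_text.rfind("</agent_config>")
    if idx < 0:
        raise ValueError("no <agent_config> block found in agent.conf")
    new_text = conf_text[:idx] + block + conf_text[idx:]
    _parse(new_text)                      # re-validate the result before returning
    return new_text, True


if __name__ == "__main__":
    text, added = ensure_localfile(SAMPLE_AGENT_CONF)
    print("added" if added else "already present")
    print(text)
```

Run it against a copy of the real agent.conf first and diff the result; the agent still has to be restarted with ossec-control, as described in the key-insertion section below, before the new entry takes effect.<br />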
<br />
== Adding the device in the Adapter ==<br />
<br />
Go to the Adapter tab in the “Configure” menu.<br />
Next to our “apache_webserver_adapter”, click the “Manage Devices” icon.<br />
<br />
[[File:Apache_manage_device.jpg|700px]]<br />
<br />
A pop-up appears for the device details.<br />
<br />
[[File:Linux8.jpg|700px]]<br />
<br />
Click the “Add / Modify Device” tab. Another pop-up appears for the device details.<br />
<br />
[[File:Apache_device_name.JPG|700px]]<br />
<br />
Enter the expected device name. In the field for IP address, enter “any”.<br />
'''Please note: always enter the IP address as “any”.''' This is the safe and sure option for establishing a connection, because it allows the OSSEC agent to connect to the OSSEC server from “any” of its configured IPs. The device may have multiple NICs or IP addresses, and unless we are sure which IP will be used for the connection, the connection will fail. Hence, use “any”.<br />
<br />
Select the appropriate time zone for this device. In the “Node” dropdown, select the name of the Aggregator or local data collector for this device.<br />
Click Submit. A success message appears and the device is added to this adapter.<br />
<br />
[[File:Apache_device_add.JPG|500px]]<br />
<br />
== Extract key from KHIKA OSSEC Server ==<br />
<br />
Now the Apache webserver is added to the relevant KHIKA Adapter, i.e. the parser that will parse this data type. To see this device entry, click the “Manage Devices” icon next to the adapter.<br />
<br />
[[File:Apache_manage_device.jpg|500px]]<br />
<br />
A pop-up with the device details of the adapter appears. Select the “List of Devices” tab.<br />
<br />
[[File:Apache_list_device.JPG|500px]]<br />
<br />
Click the “Get OSSEC Key” icon next to this device.<br />
<br />
[[File:Apache_key.jpg|500px]]<br />
<br />
[[File:Apache_extracted_key.JPG|500px]]<br />
<br />
This is the unique key for this device, created by the OSSEC server. Paste this key into the OSSEC agent installed on the Apache webserver.<br />
<br />
== Insert unique OSSEC key in OSSEC Agent on the Linux Server ==<br />
<br />
Perform the following simple steps on the Apache server agent:<br />
*Log in as "root" on the agent server.<br />
*Please note: the OSSEC server listens on UDP port 1514, so any firewall between the OSSEC agent and the OSSEC server must allow UDP traffic on port 1514.<br />
*In the OSSEC agent installation directory, run the manage_agents script:<br />
'''sudo /opt/ossec/bin/manage_agents'''<br />
*You'll be presented with these options:<br />
<br />
[[File:Linux14.jpg|700px]]<br />
<br />
*Select "I" to import the key (which we created in the section above, on the OSSEC server).<br />
*Copy and paste the key generated on the server.<br />
*Restart the agent using the command '''/opt/ossec/bin/ossec-control restart'''<br />
*Repeat these steps for each server to be monitored.<br />
*Finally, go to the Workspace tab and click the “Apply Configuration” icon.<br />
<br />
[[File:Apache_workspace.jpg|700px]]<br />
<br />
== Reload Configuration ==<br />
<br />
Log in to the KHIKA portal.<br />
*Go to Configure<br />
*Select the workspace, e.g. Apache_WebServer<br />
*Go to the Node tab<br />
*Click Reload Config<br />
<br />
[[File:Apache_reload.jpg|700px]]<br />
<br />
This step restarts the OSSEC server.<br />
Wait a few minutes for the server to restart.<br />
<br />
== Verifying OSSEC data collection ==<br />
<br />
Once the device is added successfully, we can check the data for this device on the Discover screen. Go to “Discover” from the main menu.<br />
Select the appropriate index. The raw (KHIKA formatted) data of all the Apache webservers added to KHIKA so far is shown here.<br />
<br />
[[File:Linux17.jpg|700px]]<br />
<br />
To see the data for our newly added device, enter the search string in lower case:<br />
'''tl_src_host : name_of_the_device_added_in_lower_case'''<br />
and click the search icon.<br />
<br />
== How to check the output of KHIKA Apache WebServer App? ==<br />
<br />
=== Webserver Http Error Status Dashboard ===<br />
<br />
This dashboard shows the HTTP status codes for accessed URLs: the top 10 most accessed URLs, with related details such as server IP and HTTP status code.<br />
<br />
==== Elements in the Dashboard are explained below: ====<br />
<br />
{| class="wikitable"<br />
|+ style="caption-side:bottom; color:#e76700;"|''Webserver Http Error Status Dashboard''<br />
|-<br />
|'''Visualization'''<br />
|'''Description'''<br />
|-<br />
|Contribution of Status<br />
|This pie chart shows the share of each HTTP status code, such as 403 or 503.<br />
|-<br />
|Contribution of Server IP<br />
|This pie chart shows the share of each server IP.<br />
|-<br />
|Contribution of URL<br />
|This pie chart shows the share of each URL.<br />
|-<br />
|Time trend<br />
|Trend of events over time. Useful to identify unusual spikes at a glance.<br/><br/>X axis: date & time<br/>Y axis: count of events<br />
|-<br />
|Summary Table<br />
|Detailed data with timestamp and count<br />
|}<br />
<br />
==== Some suggestions for useful interaction with this dashboard could be: ====<br />
<br />
#In the "Contribution of Status" pie, click and select any one status code. This isolates that status code and the URLs accessed with it, and the filter is reflected across the dashboard, i.e. the other pie charts, time trend and summary table show filtered information for this status code only.<br />
#Alternatively, in the "Contribution of Server IP" pie, click and select any one server IP. This isolates that server IP and the URLs accessed on it, and the filter is reflected across the dashboard.<br />
<br />
=== Webserver Top N URLs Dashboard ===<br />
<br />
As the name suggests, this dashboard shows the top URLs, with details about the domain and the top hits on each server.<br />
<br />
==== Elements in the Dashboard are explained below : ====<br />
<br />
{| class="wikitable"<br />
|+ style="caption-side:bottom; color:#e76700;"|''Webserver Top N URLs Dashboard''<br />
|-<br />
|'''Visualization'''<br />
|'''Description'''<br />
|-<br />
|Contribution of URL<br />
|This pie chart shows different types of URL accessed by server.<br />
|-<br />
|Server Name wise Request Hits<br />
|X axis : Name of Servers<br/>Y axis : Count of such request hits for each server.<br />
|-<br />
|Time trend<br />
|Trend of login events over time. Useful to identify unusual spikes at a glance.<br/><br/>X axis : date & time<br/>Y axis : count of events<br />
|-<br />
|Contribution of Domain<br />
|This pie chart shows the share of each domain.<br />
|-<br />
|Summary Table<br />
|Detailed data with timestamp and count<br />
<br />
|}<br />
<br />
==== Some suggestions for useful interaction with this dashboard could be : ====<br />
<br />
#On the pie chart "Contribution of URL", select any one URL. This isolates the number of hits for the selected URL and shows the server names and domain for it across the dashboard, i.e. the other pie charts, time trend and summary table show filtered information for this URL only.<br />
#In the "Contribution of Domain" pie, click on any one domain. A filter is applied on the selected domain and the rest of the elements on the dashboard then show data for that domain only, such as the URLs and server names for this domain.<br />
<br />
=== Webserver Total Request Per Client IP Dashboard ===<br />
<br />
This dashboard shows the top client IPs and the total requests from a selected client IP.<br />
<br />
==== Elements in the Dashboard are explained below : ====<br />
<br />
{| class="wikitable"<br />
|+ style="caption-side:bottom; color:#e76700;"|''Webserver Total Request Per ClientIP Dashboard''<br />
|-<br />
|'''Visualization'''<br />
|'''Description'''<br />
|-<br />
|Contribution of Server Name<br />
|This pie chart shows the share of each server name.<br />
|-<br />
|Client IP wise Request<br />
|X axis : ClientIP(s)<br/>Y axis : Count of request hits for that clientIP.<br />
|-<br />
|Time trend<br />
|Trend of events over time. Useful to identify unusual spikes at a glance.<br/><br/>X axis : date & time<br/>Y axis : count of events<br />
|-<br />
|Summary Table<br />
|Detailed data with timestamp and count<br />
<br />
|}<br />
<br />
==== Some suggestions for useful interaction with this dashboard could be : ====<br />
<br />
#In the graph "Client IP wise Request", click and select any one client IP. This isolates the request hits for the selected client IP and the filter is reflected across the dashboard, i.e. the other pie charts, time trend and summary table show filtered information for this client IP only.<br />
#In the pie "Contribution of Server Name", click and select any one server name. This isolates the client IPs and request hits for that server name and the filter is reflected across the dashboard.<br />
<br />
=== Webserver Traffic Categorization Dashboard ===<br />
<br />
This dashboard shows the traffic categorization, e.g. DIRECT or REFERRED. It also shows the referrer per client IP, the top URLs and the servers.<br />
<br />
==== Elements in the Dashboard are explained below : ====<br />
<br />
{| class="wikitable"<br />
|+ style="caption-side:bottom; color:#e76700;"|''Webserver Traffic Categorization Dashboard''<br />
|-<br />
|'''Visualization'''<br />
|'''Description'''<br />
|-<br />
|Server IP wise Category<br />
|X axis : ServerIP<br/>Y axis : count of requests in each category.<br />
|-<br />
|Client IP wise Referrer<br />
|X axis : ClientIP<br/>Y axis : count of requests per referrer.<br />
|-<br />
|Contribution of URL<br />
|This pie chart shows the share of each URL.<br />
|-<br />
|Contribution of Server Name<br />
|This pie chart shows the share of each server name.<br />
|-<br />
|Contribution of Referrer<br />
|This pie chart shows the share of each referrer.<br />
|-<br />
|Time trend<br />
|Trend of events over time. Useful to identify unusual spikes at a glance.<br/><br/>X axis : date & time<br/>Y axis : count of events<br />
|-<br />
|Summary Table<br />
|Detailed data with timestamp and count<br />
<br />
|}<br />
<br />
==== Some suggestions for useful interaction with this dashboard could be : ====<br />
#On the bar graph "Server IP wise Category", select any one server IP. This isolates the categories and their counts for the selected server IP, along with the domain and accessed URLs for that server IP, across the dashboard, i.e. the other pie charts, time trend and summary table show filtered information for this server IP only.<br />
#Inversely, in the bar graph "Client IP wise Referrer", click on any one client IP to select it; the rest of the elements on the dashboard then show data for that client IP only.<br />
<br />
=== Webserver Top N Referrers Dashboard ===<br />
<br />
This dashboard shows the top referrers. It also gives the details of the domain and the top hits on the server.<br />
<br />
==== Elements in the Dashboard are explained below : ====<br />
<br />
<br />
{| class="wikitable"<br />
|+ style="caption-side:bottom; color:#e76700;"|''Webserver Top N Referrers Dashboard''<br />
|-<br />
|'''Visualization'''<br />
|'''Description'''<br />
|-<br />
|Contribution of Domain<br />
|This pie chart shows the share of each domain.<br />
|-<br />
|Server Name wise Hits<br />
|X axis : ServerName(s)<br/>Y axis : count of hits per server name.<br />
|-<br />
|Contribution of Referrer<br />
|This pie chart shows the share of each referrer.<br />
|-<br />
|Time trend<br />
|Trend of events over time. Useful to identify unusual spikes at a glance.<br/><br/>X axis : date & time<br/>Y axis : count of events<br />
|-<br />
|Summary Table<br />
|Detailed data with timestamp and count<br />
<br />
|}<br />
<br />
==== Some suggestions for useful interaction with this dashboard could be : ====<br />
<br />
#In the pie chart "Contribution of Referrer", select any one referrer. This isolates the count of request hits for the selected referrer and shows the domain and server name for it across the dashboard, i.e. the other pie charts, time trend and summary table show filtered information for this referrer only.<br />
#Inversely, in the "Contribution of Domain" pie, click on any one domain to select it; the rest of the elements on the dashboard then show data for that domain only.<br />
<br />
=== Report_Webserver_Referrer_Detail Dashboard ===<br />
<br />
This dashboard shows referrer details. It also shows the top URLs, the client IPs that requested each URL and the server name.<br />
<br />
==== Elements in the Dashboard are explained below : ====<br />
<br />
{| class="wikitable"<br />
|+ style="caption-side:bottom; color:#e76700;"|''Report_Webserver_Referrer_Detail Dashboard''<br />
|-<br />
|'''Visualization'''<br />
|'''Description'''<br />
|-<br />
|Contribution of Referrer<br />
|This pie chart shows the share of each referrer.<br />
|-<br />
|Contribution of URL<br />
|This pie chart shows the share of each URL.<br />
|-<br />
| Server Name wise Hits<br />
|X axis : Servername<br/>Y axis : Count of request hits for that Servername.<br />
|-<br />
| Client IP wise Hits<br />
|X axis : ClientIP<br/>Y axis : Count of request hits for that Client IP.<br />
|-<br />
|Time trend<br />
|Trend of events over time. Useful to identify unusual spikes at a glance.<br/><br/>X axis : date & time<br/>Y axis : count of events<br />
|-<br />
|Summary Table<br />
|Detailed data with timestamp and count<br />
<br />
|}<br />
<br />
==== Some suggestions for useful interaction with this dashboard could be : ====<br />
<br />
#In the pie chart "Contribution of Referrer", click and select any one referrer type. This isolates the count of hits for the selected type and shows the server name and accessed URLs for that referrer type across the dashboard, i.e. the other pie charts, time trend and summary table show filtered information for this referrer type only.<br />
#Alternatively, in the graph "Client IP wise Hits", click and select any one client IP. This isolates its request hits and shows the referrer and accessed URLs for that client IP across the dashboard.<br />
<br />
=== KHIKA Alerts for Apache WebServer ===<br />
<br />
Alerts are generated in real time when certain critical behaviour is observed in the system. They are shown on the Alerts Dashboard in KHIKA and can also be sent by email to the relevant stakeholders. The details of KHIKA Alerts are mentioned here.<br />
Click on “Alert Dashboard” in the left menu.<br />
Certain alerts for Apache WebServer are pre-canned and shipped with KHIKA, keeping in mind the requirements of the users. They are listed in the table below :<br />
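The counts that the dashboards above display (status, URL, server and client IP, DIRECT versus REFERRED, referrer domain) and the three alert conditions in the table below, worked through in Python over a constructed Apache access log. This is an added example and not KHIKA's code: the threshold (five error responses from one client IP within a minute), the extension list, the threat-intelligence feed and the reading of "domain" as the referrer's host are assumptions, since the page does not state KHIKA's rule definitions.<br />

```python
"""Added example (not KHIKA's code): parse Apache "combined" access-log lines,
reproduce the dashboard counts and check the three alert conditions.
Thresholds, extension list, TI feed and log lines are constructed assumptions."""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Apache LogFormat "combined": %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
LOG_RE = re.compile(
    r'(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referrer>[^"]*)" "[^"]*"'
)

# Constructed sample access log (RFC 5737 documentation addresses).
SAMPLE_LOG = """\
192.0.2.10 - - [05/Mar/2021:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.10 - - [05/Mar/2021:10:00:05 +0000] "GET /about HTTP/1.1" 200 2048 "https://www.example.org/links" "Mozilla/5.0"
198.51.100.9 - - [05/Mar/2021:10:00:10 +0000] "GET /admin HTTP/1.1" 403 512 "-" "curl/7.68.0"
198.51.100.9 - - [05/Mar/2021:10:00:12 +0000] "GET /admin/ HTTP/1.1" 403 512 "-" "curl/7.68.0"
198.51.100.9 - - [05/Mar/2021:10:00:20 +0000] "GET /old-page HTTP/1.1" 404 220 "-" "curl/7.68.0"
198.51.100.9 - - [05/Mar/2021:10:00:31 +0000] "GET /missing-1 HTTP/1.1" 404 220 "-" "curl/7.68.0"
198.51.100.9 - - [05/Mar/2021:10:00:45 +0000] "GET /missing-2 HTTP/1.1" 404 220 "-" "curl/7.68.0"
203.0.113.77 - - [05/Mar/2021:10:01:00 +0000] "PUT /uploads/update.php HTTP/1.1" 201 0 "-" "python-requests/2.25"
203.0.113.77 - - [05/Mar/2021:10:01:30 +0000] "GET /index.html HTTP/1.1" 200 5120 "http://blog.example.net/post" "Mozilla/5.0"
192.0.2.11 - - [05/Mar/2021:10:02:00 +0000] "GET /index.html HTTP/1.1" 503 0 "-" "Mozilla/5.0"
"""

# Constructed TI feed in the shape the alert table describes: bad IP -> reporting communities, confidence.
THREAT_INTEL = {
    "203.0.113.77": {"communities": ["feed-a", "feed-b"], "confidence": 90},
    "198.51.100.9": {"communities": ["feed-c"], "confidence": 40},
}
DANGEROUS_EXT = (".exe", ".dll", ".sh", ".so", ".php", ".jsp")  # assumed list


def parse_line(line):
    """Return one parsed record, or None for a line that is not in combined format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    # Traffic categorization: a request without a Referer header is DIRECT.
    rec["category"] = "DIRECT" if rec["referrer"] in ("", "-") else "REFERRED"
    # "Domain" is read here as the referrer's host (assumption).
    rec["domain"] = urlsplit(rec["referrer"]).netloc if rec["category"] == "REFERRED" else "-"
    return rec


def parse_log(text):
    """Parse every line of an access log, skipping lines that do not match."""
    return [r for r in map(parse_line, text.splitlines()) if r]


def top_n(records, field, n=10):
    """Top-N values of one field with their hit counts: the pie charts and bar graphs."""
    return Counter(r[field] for r in records).most_common(n)


def excessive_errors(records, threshold=5, window=timedelta(minutes=1)):
    """Alert 1: one client IP receives >= threshold 4xx/5xx responses inside a
    sliding one-minute window (threshold of 5 is an assumed value)."""
    by_client = defaultdict(list)
    for r in sorted(records, key=lambda r: r["ts"]):
        if r["status"] >= 400:
            by_client[r["client"]].append(r["ts"])
    flagged = []
    for client, times in by_client.items():
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged.append(client)
                break
    return sorted(flagged)


def dangerous_uploads(records):
    """Alert 2: POST/PUT requests whose target path has an executable, script or
    shared-object extension. The access log exposes only the request target, so
    a file carried inside a POST body to a neutral endpoint is not visible here."""
    return [(r["client"], r["url"]) for r in records
            if r["method"] in ("POST", "PUT")
            and urlsplit(r["url"]).path.lower().endswith(DANGEROUS_EXT)]


def bad_ip_communication(records, min_confidence=50):
    """Alert 3: client IPs listed in the TI feed with enough confidence; the hit
    count shows how much communication was let through."""
    found = {}
    for r in records:
        ti = THREAT_INTEL.get(r["client"])
        if ti and ti["confidence"] >= min_confidence:
            found.setdefault(r["client"], {"hits": 0, **ti})["hits"] += 1
    return found


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print(top_n(recs, "status"), excessive_errors(recs), dangerous_uploads(recs), bad_ip_communication(recs))
```

To run it against a real access log, replace SAMPLE_LOG with the file's contents; lines that are not in the combined format are skipped rather than aborting the run, and the TI match ignores low-confidence entries so that a single community's report does not flag traffic on its own.<br />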
<br />
==== Alerts Description ====<br />
<br />
{| class="wikitable"<br />
|+ style="caption-side:bottom; color:#e76700;"|''Alert Details Table''<br />
|-<br />
|'''Alert Name'''<br />
|'''Description'''<br />
|'''Suggested Resolution'''<br />
|-<br />
|Apache excessive web server errors from same source ip<br />
|This alert is triggered when the same source IP, communicating with the Apache Webserver, receives repeated error responses within one minute.<br />
|Multiple errors from the same source_ip. Possible DDOS attack.<br />
A denial of service (DOS) attack is an attack where the server is prevented from serving legitimate users with a response to their request. DOS attacks from anonymous sources can be prevented by implementing a web application firewall that inspects the entire HTTP traffic and stops any data packet that appears malicious or is generated from a source that is not authorized.<br />
Check the reputation of the client IP address and block it if necessary.<br />
|-<br />
|Apache dangerous content posted to webserver<br />
|This alert is triggered when any source tries to post dangerous files to the webserver within one minute.<br />
|Apache dangerous content posted to webserver. A client has posted potentially dangerous files such as executables, scripts, shared objects, etc. to the webserver.<br />
Kindly check the upload activity done by the user and verify the uploaded content for policy violation.<br />
|-<br />
|Apache communication with possible IOC or bad IP<br />
|This alert is triggered when malicious/bad IPs are communicating with the Apache Webserver.<br />
|KHIKA shares community based threat intelligence (TI) every 24 hours. The TI has a list of IP addresses with bad reputation. Every bad IP is marked with the number of communities reporting it, the name of each community and a confidence value indicating how confident we are about the reputation. This alert is generated when communication with a bad IP is let through.<br />
<br />
If communication with a bad IP is happening, it must be blocked immediately as it could be a possible attack or data exfiltration.<br />
You can check how long this communication has been happening by simply searching for the malicious IP in the logs. You can also check which internal IP addresses are communicating with this IP address and track the real users behind those internal IP addresses.<br />
Cross-check the reputation of the IP with popular websites such as ipvoid.com, virustotal.com<br />
If you see an internal IP constantly getting involved in malicious communication (with the same or multiple external IP addresses), you may install agents on the internal nodes involved and check the real user and process responsible for this communication.<br />
It is critical to block this rogue communication.<br />
|}</div>Dhanashree kulkarnihttp://khika.com/wiki/index.php?title=KHIKA_App_for_Apache_WebServer&diff=3058KHIKA App for Apache WebServer2020-04-02T12:55:46Z<p>Dhanashree kulkarni: /* Report_Webserver_Traffic_Categorization Dashboard */</p>
<hr />
<div>== Introduction ==<br />
Apache Webserver runs critical business applications in organisations. Monitoring these servers is important from both a security and an operational standpoint.<br />
<br />
With KHIKA App for Apache Webserver, you can :<br />
*Monitor hundreds of servers in one central place.<br />
*Analyse HTTP error status codes for the URLs accessed on your server.<br />
*See information such as the top accessed URLs and the count of hits on your server.<br />
*Monitor total requests per client IP on your servers.<br />
<br />
We explain below the steps to configure KHIKA App for Apache Webserver and to interpret its output.<br />
The key parts are :<br />
#Install the KHIKA App for Apache Webserver<br />
#Get data from your Apache Webserver into KHIKA Aggregator<br />
<br />
== How to Install the KHIKA App for Apache WebServer? ==<br />
<br />
It is assumed, that you have already configured KHIKA Data Aggregator in your environment. If not, please read [[Getting Started with KHIKA SaaS#Installing and configuring KHIKA Data Aggregator|how to configure KHIKA Data Aggregator]] and perform the pre-requisite steps.<br />
<br />
This section explains how to pick and install the KHIKA application for Apache WebServer. Installing the application puts together and activates the adapter (parser) that handles the webserver data format, along with the preconfigured dashboards and alert rules.<br />
<br />
Go to “Applications” tab in the “Configure” menu. <br />
<br />
[[File:Apache_1.JPG|700px]]<br />
<br />
Check whether the appropriate Workspace is selected.<br />
Note: An Application is always loaded in a Workspace. Read the section on [[Accessing the KHIKA Gui#Creating a Workspace|Workspaces]] to know more about KHIKA Workspaces.<br />
Also select your KHIKA aggregator name in the Node dropdown.<br />
This ensures that data is collected from the desired source into the correct workspace, which is ready with the configured application and components.<br />
<br />
[[File:Apache_2.jpg|700px]]<br />
<br />
Click on the “+” button. A pop up appears.<br />
<br />
[[File:Apache_install_full.JPG|700px]]<br />
<br />
You can now select the contents of the application required. For example, click the dropdown for “Reports” to expand it; the list of all reports appears. Select the reports required individually by ticking the checkbox next to each, or tick “Select All” to get all of them.<br />
Similarly, you can select contents from Alerts and Dashboards.<br />
<br />
[[KHIKA Reports|What are KHIKA Reports]]<br />
<br />
[[KHIKA Dashboards|What are KHIKA Dashboards]]<br />
<br />
[[KHIKA Alerts & Correlations|What are KHIKA Alerts]]<br />
<br />
Click “OK” to proceed with the installation of the selected Application.<br />
After successful installation, the following status should be displayed :<br />
<br />
[[File:Full_app_install.JPG|700px]]<br />
<br />
This simple procedure to install a KHIKA App automatically configures the Adapter (required for parsing the data from raw syslogs), the KHIKA reports calculated on the raw data, Visualizations, Dashboards and Alerts – all in one click.<br />
<br />
== How to get your Apache Webserver data into KHIKA ? ==<br />
<br />
KHIKA recommends the popular open source OSSEC integration to monitor Apache webservers.<br />
There are 2 components in the OSSEC integration with KHIKA :<br />
#OSSEC Agent – installed on each webserver we wish to monitor<br />
#OSSEC Server – present on the KHIKA Data Aggregator<br />
<br />
The OSSEC agent and server communicate with each other using a unique key pairing mechanism.<br />
The main steps to start getting data from a Linux server are :<br />
#Install the OSSEC agent on the webserver (Linux)<br />
#Add the webserver details in KHIKA<br />
#Extract a unique key for this device from KHIKA<br />
#Insert this key in the OSSEC agent (i.e. on the respective webserver to be monitored)<br />
#Reload Configuration<br />
#Verify data collection<br />
<br />
Each of these steps is explained in detail in the further sections.<br />
<br />
== Installing OSSEC Agent for Apache Server ==<br />
<br />
Download the [https://goo.gl/86gRQL Linux OSSEC Agent from here].<br><br />
For the Linux agent, check your OS version and select the appropriate installer file.<br><br />
Version 5: '''ossec_TL_Agent_5.11.tar.gz'''<br><br />
Version 6: '''ossec_TL_Agent_6.x.tar.gz'''<br><br />
Version 7: '''ossec_TL_Agent.tar.gz'''<br><br />
<br />
Copy the downloaded installer to the server you wish to monitor using KHIKA and run it with "root" credentials on that server.<br />
Please Note : It is extremely important to install the OSSEC agent with "root" privileges, as the agent reads '''/var/log/secure, /var/log/messages''' and other important files. To read them successfully, the ossec-agent process must be installed with "root" privileges.<br />
<br />
Run the following commands as the "root" user to install the OSSEC agent.<br />
Remove or rename the ossec directory if it already exists on the agent, i.e. our Linux server :<br />
'''mv /opt/ossec /opt/ossec_bak'''<br />
Go to the location where you copied the OSSEC agent installer mentioned above and extract it with the following command :<br />
'''tar -zxvf ossec_TL_Agent.tar.gz'''<br />
<br />
Then change into the extracted directory using the cd command. You will see a script named install.sh<br />
<br />
Then run the following command :<br />
'''"sudo ./install.sh"''' (sudo is not needed if you are already logged in as root)<br />
<br />
[[File:Linux5.jpg|700px]]<br />
<br />
Now, add KHIKA Data Aggregator IP address (OSSEC server IP address) to point the OSSEC agent to the OSSEC server.<br />
<br />
[[File:Linux6.jpg|700px]]<br />
<br />
NOTE: You will have to repeat these steps on each of the Servers that you wish to monitor using KHIKA.<br />
<br />
To collect Apache access logs, add the following section to agent.conf (adjust the path if your distribution writes the access log elsewhere, e.g. /var/log/apache2/access.log on Debian/Ubuntu) :<br />
<localfile><br />
<log_format>apache</log_format><br />
<location>/var/log/httpd/access_log</location><br />
</localfile><br />
<br />
== Adding the device in the Adaptor ==<br />
<br />
Go to the Adapter tab in the “Configure” menu.<br />
Next to our “apache_webserver_adapter”, click on the “Manage Devices” icon.<br />
<br />
[[File:Apache_manage_device.jpg|700px]]<br />
<br />
A pop up appears for the device details.<br />
<br />
[[File:Linux8.jpg|700px]]<br />
<br />
Click on the “Add / Modify Device” tab. Another pop up appears for the device details.<br />
<br />
[[File:Apache_device_name.JPG|700px]]<br />
<br />
Enter the expected device name. Also, in the field for IP address, enter “any”.<br />
'''Please note : Always enter the IP Address as “any”.''' This is a safe and sure option to establish a connection with the server: it tells the OSSEC server to accept the agent from “any” of its configured IPs. The device may have multiple NIC cards/IP addresses, and unless we are sure which IP will be used for the connection, the connect will fail. Hence, use “any”.<br />
<br />
Select the appropriate time zone of this device. In the “Node” dropdown, select the name of the Aggregator or local data collector for this device.<br />
Click on Submit. A success message appears and the device is added to this adaptor.<br />
<br />
[[File:Apache_device_add.JPG|500px]]<br />
<br />
== Extract key from KHIKA OSSEC Server ==<br />
<br />
Now the Apache webserver is added in the relevant KHIKA Adapter, the parser that will parse this data type. To see this device entry, click on the “Manage Devices” icon next to the adaptor.<br />
<br />
[[File:Apache_manage_device.jpg|500px]]<br />
<br />
A pop up with device details of the adaptor appears. Select “List of Devices” tab.<br />
<br />
[[File:Apache_list_device.JPG|500px]]<br />
<br />
Click on the “Get OSSEC Key” icon next to this device. <br />
<br />
[[File:Apache_key.jpg|500px]]<br />
<br />
[[File:Apache_extracted_key.JPG|500px]]<br />
<br />
This is the unique key for this device, created by the OSSEC server. Paste this key into the OSSEC agent installed on this Apache server.<br />
<br />
== Insert unique OSSEC key in OSSEC Agent on the Linux Server ==<br />
<br />
Perform the following simple steps on the Apache server agent :<br />
*Login as "root" on the agent server<br />
*Please note the OSSEC Server listens on UDP port 1514, and the firewall between the OSSEC agent and OSSEC server must allow UDP traffic on port 1514.<br />
*In the OSSEC Agent installation directory, run the manage_agents script :<br />
sudo /opt/ossec/bin/manage_agents<br />
*You'll be presented with these options<br />
<br />
[[File:Linux14.jpg|700px]]<br />
<br />
Select "I" to import the key (which we created in the section above, on the OSSEC server)<br />
*Copy and paste the key generated on the server<br />
*Restart the agent using the command /opt/ossec/bin/ossec-control restart<br />
*Repeat these steps for each server to be monitored.<br />
*Finally, go to the Workspace tab and click on the “Apply Configuration” icon.<br />
<br />
[[File:Apache_workspace.jpg|700px]]<br />
<br />
== Reload Configuration ==<br />
<br />
Login into the KHIKA portal. <br />
*Go to Configure<br />
*Select workspace, eg. Apache_WebServer <br />
*Go to Node Tab <br />
*Click Reload Config<br />
<br />
[[File:Apache_reload.jpg|700px]]<br />
<br />
This step restarts the OSSEC Server.<br />
Wait a few minutes for the server to restart.<br />
<br />
== Verifying OSSEC data collection ==<br />
<br />
Once the device is added successfully, we can check the data for this device on the Discover screen. Go to “Discover” from the main menu.<br />
Select the appropriate index. The raw (KHIKA formatted) data of all the Apache webservers added in KHIKA so far is seen here.<br />
<br />
[[File:Linux17.jpg|700px]]<br />
<br />
To see the data for our newly added device, enter the search string in lower case –<br />
tl_src_host : name_of_the_device_added_in_lower_case<br />
and click on the search icon.<br />
<br />
== How to check the output of KHIKA Apache WebServer App ? ==<br />
<br />
<br />
=== Webserver Http Error Status Dashboard ===<br />
<br />
This dashboard shows the HTTP status codes for accessed URLs: the top 10 most accessed URLs, with related details such as server IP and HTTP status code.<br />
<br />
==== Elements in the Dashboard are explained below : ====<br />
<br />
{| class="wikitable"<br />
|+ style="caption-side:bottom; color:#e76700;"|''Webserver Http Error Status Dashboard''<br />
|-<br />
|'''Visualization'''<br />
|'''Description'''<br />
|-<br />
|Contribution of Status<br />
|This pie chart shows the share of each HTTP status code, e.g. 403, 503.<br />
|-<br />
|Contribution of Server IP<br />
|This pie chart shows the share of each server IP.<br />
|-<br />
|Contribution of URL<br />
|This pie chart shows the share of each accessed URL.<br />
|-<br />
|Time trend<br />
|Trend of events over time. Useful to identify unusual spikes at a glance.<br/><br/>X axis : date & time<br/>Y axis : count of events<br />
|-<br />
|Summary Table<br />
|Detailed data with timestamp and count<br />
<br />
|}<br />
<br />
==== Some suggestions for useful interaction with this dashboard could be : ====<br />
<br />
#In the "Contribution of Status" pie, click and select any one status code. This isolates the selected status code and the URLs that returned it, and the filter is reflected across the dashboard, i.e. the other pie charts, time trend and summary table show filtered information for this status code only.<br />
#Alternatively, in the "Contribution of Server IP" pie, click and select any one server IP. This isolates that server IP and the URLs accessed on it, and the filter is reflected across the dashboard.<br />
<br />
=== Webserver Top N URLs Dashboard ===<br />
<br />
As the name suggests, this dashboard shows the top URLs, with details of the domain and the top hits on the server.<br />
<br />
==== Elements in the Dashboard are explained below : ====<br />
<br />
{| class="wikitable"<br />
|+ style="caption-side:bottom; color:#e76700;"|''Webserver Top N URLs Dashboard''<br />
|-<br />
|'''Visualization'''<br />
|'''Description'''<br />
|-<br />
|Contribution of URL<br />
|This pie chart shows the share of each URL accessed on the server.<br />
|-<br />
|Server Name wise Request Hits<br />
|X axis : Name of Servers<br/>Y axis : Count of such request hits for each server.<br />
|-<br />
|Time trend<br />
|Trend of events over time. Useful to identify unusual spikes at a glance.<br/><br/>X axis : date & time<br/>Y axis : count of events<br />
|-<br />
|Contribution of Domain<br />
|This pie chart shows the share of each domain.<br />
|-<br />
|Summary Table<br />
|Detailed data with timestamp and count<br />
<br />
|}<br />
<br />
==== Some suggestions for useful interaction with this dashboard could be : ====<br />
<br />
#On the pie chart "Contribution of URL", select any one URL. This isolates the number of hits for the selected URL and shows the server names and domain for it across the dashboard, i.e. the other pie charts, time trend and summary table show filtered information for this URL only.<br />
#In the "Contribution of Domain" pie, click on any one domain. A filter is applied on the selected domain and the rest of the elements on the dashboard then show data for that domain only, such as the URLs and server names for this domain.<br />
<br />
=== Webserver Total Request Per Client IP Dashboard ===<br />
<br />
This dashboard shows the top client IPs and the total requests from a selected client IP.<br />
<br />
==== Elements in the Dashboard are explained below : ====<br />
<br />
{| class="wikitable"<br />
|+ style="caption-side:bottom; color:#e76700;"|''Webserver Total Request Per ClientIP Dashboard''<br />
|-<br />
|'''Visualization'''<br />
|'''Description'''<br />
|-<br />
|Contribution of Server Name<br />
|This pie chart shows the share of each server name.<br />
|-<br />
|Client IP wise Request<br />
|X axis : ClientIP(s)<br/>Y axis : Count of request hits for that clientIP.<br />
|-<br />
|Time trend<br />
|Trend of events over time. Useful to identify unusual spikes at a glance.<br/><br/>X axis : date & time<br/>Y axis : count of events<br />
|-<br />
|Summary Table<br />
|Detailed data with timestamp and count<br />
<br />
|}<br />
<br />
==== Some suggestions for useful interaction with this dashboard could be : ====<br />
<br />
#In the graph "Client IP wise Request", click and select any one client IP. This isolates the request hits for the selected client IP and the filter is reflected across the dashboard, i.e. the other pie charts, time trend and summary table show filtered information for this client IP only.<br />
#In the pie "Contribution of Server Name", click and select any one server name. This isolates the client IPs and request hits for that server name and the filter is reflected across the dashboard.<br />
<br />
=== Webserver Traffic Categorization Dashboard ===<br />
<br />
This dashboard shows the traffic categorization, e.g. DIRECT or REFERRED. It also shows the referrer per client IP, the top URLs and the servers.<br />
<br />
==== Elements in the Dashboard are explained below : ====<br />
<br />
{| class="wikitable"<br />
|+ style="caption-side:bottom; color:#e76700;"|''Webserver Traffic Categorization Dashboard''<br />
|-<br />
|'''Visualization'''<br />
|'''Description'''<br />
|-<br />
|Server IP wise Category<br />
|X axis : ServerIP<br/>Y axis : count of requests in each category.<br />
|-<br />
|Client IP wise Referrer<br />
|X axis : ClientIP<br/>Y axis : count of requests per referrer.<br />
|-<br />
|Contribution of URL<br />
|This pie chart shows the share of each URL.<br />
|-<br />
|Contribution of Server Name<br />
|This pie chart shows the share of each server name.<br />
|-<br />
|Contribution of Referrer<br />
|This pie chart shows the share of each referrer.<br />
|-<br />
|Time trend<br />
|Trend of events over time. Useful to identify unusual spikes at a glance.<br/><br/>X axis : date & time<br/>Y axis : count of events<br />
|-<br />
|Summary Table<br />
|Detailed data with timestamp and count<br />
<br />
|}<br />
<br />
==== Some suggestions for useful interaction with this dashboard could be : ====<br />
#On the bar graph "Server IP wise Category", select any one server IP. This isolates the categories and their counts for the selected server IP, along with the domain and accessed URLs for that server IP, across the dashboard, i.e. the other pie charts, time trend and summary table show filtered information for this server IP only.<br />
#Inversely, in the bar graph "Client IP wise Referrer", click on any one client IP to select it; the rest of the elements on the dashboard then show data for that client IP only.<br />
<br />
=== Report_Webserver_Top_N_Referers Dashboard ===<br />
<br />
This dashboard shows the top referrers. It also gives the details of the domain and the top hits on the server.<br />
<br />
==== Elements in the Dashboard are explained below : ====<br />
<br />
<br />
{| class="wikitable"<br />
|+ style="caption-side:bottom; color:#e76700;"|''Report_Webserver_Top_N_Referers Dashboard''<br />
|-<br />
|'''Visualization'''<br />
|'''Description'''<br />
|-<br />
|Contribution of Domain<br />
|This pie chart shows the share of each domain.<br />
|-<br />
|Server Name wise Hits<br />
|X axis : ServerName(s)<br/>Y axis : count of hits per server name.<br />
|-<br />
|Contribution of Referrer<br />
|This pie chart shows the share of each referrer.<br />
|-<br />
|Time trend<br />
|Trend of events over time. Useful to identify unusual spikes at a glance.<br/><br/>X axis : date & time<br/>Y axis : count of events<br />
|-<br />
|Summary Table<br />
|Detailed data with timestamp and count<br />
<br />
|}<br />
<br />
==== Some suggestions for useful interaction with this dashboard could be : ====<br />
<br />
#In the pie chart "Contribution of Referrer", select any one referrer. This isolates the count of request hits for the selected referrer and shows the domain and server name for it across the dashboard, i.e. the other pie charts, time trend and summary table show filtered information for this referrer only.<br />
#Inversely, in the "Contribution of Domain" pie, click on any one domain to select it; the rest of the elements on the dashboard then show data for that domain only.<br />
<br />
=== Report_Webserver_Referrer_Detail Dashboard ===<br />
<br />
This dashboard shows referrer details. It also shows the top URLs, the client IPs that requested each URL and the server name.<br />
<br />
==== Elements in the Dashboard are explained below : ====<br />
<br />
{| class="wikitable"<br />
|+ style="caption-side:bottom; color:#e76700;"|''Report_Webserver_Referrer_Detail Dashboard''<br />
|-<br />
|'''Visualization'''<br />
|'''Description'''<br />
|-<br />
|Contribution of Referrer<br />
|This pie chart shows the share of each referrer.<br />
|-<br />
|Contribution of URL<br />
|This pie chart shows the share of each URL.<br />
|-<br />
| Server Name wise Hits<br />
|X axis : Servername<br/>Y axis : Count of request hits for that Servername.<br />
|-<br />
| Client IP wise Hits<br />
|X axis : ClientIP<br/>Y axis : Count of request hits for that Client IP.<br />
|-<br />
|Time trend<br />
|Trend of events over time. Useful to identify unusual spikes at a glance.<br/><br/>X axis : date & time<br/>Y axis : count of events<br />
|-<br />
|Summary Table<br />
|Detailed data with timestamp and count<br />
<br />
|}<br />
<br />
==== Some suggestions for useful interaction with this dashboard could be : ====<br />
<br />
#In the pie chart "Contribution of Referrer", click and select any one referrer type. This isolates the count of hits for the selected type and shows the server name and accessed URLs for that referrer type across the dashboard, i.e. the other pie charts, time trend and summary table show filtered information for this referrer type only.<br />
#Alternatively, in the graph "Client IP wise Hits", click and select any one client IP. This isolates its request hits and shows the referrer and accessed URLs for that client IP across the dashboard.<br />
<br />
=== KHIKA Alerts for Apache WebServer ===<br />
<br />
Alerts are generated in real time when certain critical behaviour is observed in the system. They are shown on the Alerts Dashboard in KHIKA and can also be sent by email to the relevant stakeholders. The details of KHIKA Alerts are mentioned here.<br />
Click on “Alert Dashboard” in the left menu.<br />
Certain alerts for Apache WebServer are pre-canned and shipped with KHIKA, keeping in mind the requirements of the users. They are listed in the table below :<br />
<br />
==== Alerts Description ====<br />
<br />
{| class="wikitable"<br />
|+ style="caption-side:bottom; color:#e76700;"|''Alert Details Table''<br />
|-<br />
|'''Alert Name'''<br />
|'''Description'''<br />
|'''Suggested Resolution'''<br />
|-<br />
|Apache excessive web server errors from same source ip<br />
|This alert is triggered when the same source IP communicates with the Apache Webserver and receives multiple error responses within one minute.<br />
|Multiple errors from the same source_ip. Possible DDoS attack.<br />
A denial of service (DoS) attack is an attack in which the server is prevented from serving legitimate users with a response to their requests. DoS attacks from anonymous sources can be prevented by implementing a web server firewall that inspects the entire HTTP traffic and stops any data packet that appears malicious or is generated from a source that is not authorized.<br />
Check the reputation of the client IP address and block it if necessary.<br />
|-<br />
|Apache dangerous content posted to webserver<br />
|This alert is triggered when any source attempts to post potentially dangerous files to the webserver within one minute.<br />
|Apache dangerous content posted to webserver. The source has posted potentially dangerous files such as executables, scripts, shared objects, etc. to the webserver.<br />
Kindly check the upload activity done by the user and verify the uploaded content for policy violation.<br />
|-<br />
|Apache communication with possible IOC or bad IP<br />
|This alert is triggered when malicious/bad IPs are trying to communicate with the Apache Webserver.<br />
|KHIKA shares community based threat intelligence (TI) every 24 hours. The TI has a list of IP addresses with bad reputation. Every bad IP is marked with the number of communities reporting it, the name of each community and a confidence score indicating how confident we are about the reputation. This alert is generated when communication with a bad IP is let through.<br />
<br />
If communication with a bad IP is happening, it must be blocked immediately as it could be a possible attack or data exfiltration. <br />
You can check how long this communication has been happening by simply searching for the malicious IP in the logs. You can also check which internal IP addresses are communicating with this IP address and track the real users behind those internal IP addresses.<br />
Cross-check the reputation of the IP with popular websites such as ipvoid.com, virustotal.com.<br />
If you see an internal IP constantly involved in malicious communication (with the same or multiple external IP addresses), you may install agents on the internal nodes involved and check the real user and process responsible for this communication.<br />
It is critical to block this rogue communication.<br />
|}</div>Dhanashree kulkarnihttp://khika.com/wiki/index.php?title=KHIKA_App_for_Apache_WebServer&diff=3057KHIKA App for Apache WebServer2020-04-02T12:49:32Z<p>Dhanashree kulkarni: /* Report_Webserver_Total_Request_Per_ClientIP Dashboard */</p>
<hr />
<div>== Introduction ==<br />
Apache Webserver runs critical business applications in organisations. Monitoring these servers is important from both a security and an operational standpoint.<br />
<br />
With KHIKA App for Apache Webserver, you can :<br />
*Monitor hundreds of servers from one central place.<br />
*Analyse the HTTP error status codes returned for accessed URLs on your server.<br />
*See information such as the top accessed URLs and the count of hits on your server.<br />
*Monitor the total requests per client IP on your servers.<br />
<br />
Below we explain the steps to configure KHIKA App for Apache Webserver and to interpret its output.<br />
The key parts are : <br />
#Install the KHIKA App for Apache Webserver<br />
#Get data from your Apache Webserver into KHIKA Aggregator<br />
<br />
== How to Install the KHIKA App for Apache WebServer? ==<br />
<br />
It is assumed that you have already configured the KHIKA Data Aggregator in your environment. If not, please read [[Getting Started with KHIKA SaaS#Installing and configuring KHIKA Data Aggregator|how to configure KHIKA Data Aggregator]] and perform the pre-requisite steps.<br />
<br />
This section explains how to pick and install the KHIKA application for Apache WebServer. Installing the application assembles and activates the preconfigured adapter (parser) that handles the webserver data format, together with the dashboards and the alert rules. <br />
<br />
Go to “Applications” tab in the “Configure” menu. <br />
<br />
[[File:Apache_1.JPG|700px]]<br />
<br />
Check whether the appropriate Workspace is selected.<br />
Note: An application is always loaded into a Workspace. Read the section on [[Accessing the KHIKA Gui#Creating a Workspace|Workspaces]] to know more about KHIKA Workspaces.<br />
Also select your KHIKA aggregator name in the Node dropdown. <br />
This ensures that data is collected from the desired source into the correct workspace, which is ready with the configured application and its components.<br />
<br />
[[File:Apache_2.jpg|700px]]<br />
<br />
Click on the “+” button. A pop up appears.<br />
<br />
[[File:Apache_install_full.JPG|700px]]<br />
<br />
Users can now select the contents of the application they require. For example, click the “Reports” dropdown to expand it; the list of all reports appears. Select the reports you need individually by ticking the checkbox next to each, or tick “Select All” to get all of them. <br />
Similarly, you can select contents from Alerts and Dashboards.<br />
<br />
[[KHIKA Reports|What are KHIKA Reports]]<br />
<br />
[[KHIKA Dashboards|What are KHIKA Dashboards]]<br />
<br />
[[KHIKA Alerts & Correlations|What are KHIKA Alerts]]<br />
<br />
Click “OK” to proceed with the installation of the selected Application. <br />
After successful installation, the following status should be displayed :<br />
<br />
[[File:Full_app_install.JPG|700px]]<br />
<br />
This simple procedure to install a KHIKA App automatically configures the Adapter (required for parsing the raw syslog data), the KHIKA reports calculated on the raw data, the Visualizations, Dashboards and Alerts, all in one click.<br />
<br />
== How to get your Apache Webserver data into KHIKA ? ==<br />
<br />
KHIKA recommends the popular open source OSSEC integration to monitor Apache webservers. <br />
There are two components in the OSSEC integration with KHIKA: <br />
#OSSEC Agent – Installed on each webserver which we wish to monitor<br />
#OSSEC Server – Present on KHIKA Data Aggregator <br />
<br />
The OSSEC agent and server communicate with each other using a unique key pairing mechanism. <br />
The main steps to start getting data from a Linux server are :<br />
#Install Ossec agent on the webserver (for Linux)<br />
#Add the webserver details in KHIKA<br />
#Extract a unique key for this device from KHIKA<br />
#Insert this key in the Ossec agent (i.e. on the respective webserver to be monitored)<br />
#Reload Configuration<br />
#Verify data collection<br />
<br />
Each of these steps is explained in detail in the further sections.<br />
<br />
== Installing OSSEC Agent for Apache Server ==<br />
<br />
Download the [https://goo.gl/86gRQL Linux OSSEC Agent from here].<br><br />
For the Linux agent, check your OS version and select the appropriate installer file.<br><br />
Version 5: '''ossec_TL_Agent_5.11.tar.gz'''<br><br />
Version 6: '''ossec_TL_Agent_6.x.tar.gz'''<br><br />
Version 7: '''ossec_TL_Agent.tar.gz'''<br><br />
<br />
Copy the downloaded installer to the server that you wish to monitor using KHIKA and run it with "root" credentials on that server. <br />
Please note : It is extremely important to install the OSSEC agent with "root" privileges, as the agent reads '''/var/log/secure, /var/log/messages''' and other protected files. To read them successfully, the ossec-agent process must be installed and run with "root" privileges.<br />
<br />
Run the following commands as the "root" user to install the OSSEC agent.<br />
If an ossec directory already exists on the agent (i.e. the Linux server), remove or rename it:<br />
'''mv /opt/ossec /opt/ossec_bak'''<br />
Go to the location where you copied the OSSEC agent installer mentioned above and extract it with the following command:<br />
'''tar -zxvf ossec_TL_Agent.tar.gz'''<br />
<br />
Then change into the extracted directory using the cd command. You will see a script named install.sh.<br />
<br />
Then run the following command (sudo is not needed if you are already logged in as root):<br />
'''sudo ./install.sh'''<br />
<br />
[[File:Linux5.jpg|700px]]<br />
<br />
Now, add the KHIKA Data Aggregator IP address (the OSSEC server IP address) so that the OSSEC agent points to the OSSEC server.<br />
<br />
[[File:Linux6.jpg|700px]]<br />
<br />
NOTE: You will have to repeat these steps on each of the Servers that you wish to monitor using KHIKA.<br />
<br />
To collect Apache access logs, add the following section to agent.conf. The location shown is the default for Red Hat style layouts; on Debian/Ubuntu the access log is usually /var/log/apache2/access.log, so adjust the path to your installation.<br />
 <localfile><br />
   <log_format>apache</log_format><br />
   <location>/var/log/httpd/access_log</location><br />
 </localfile><br />
<br />
== Adding the device in the Adaptor ==<br />
<br />
Go to Adapter tab in the “Configure” menu.<br />
Next to our “apache_webserver_adapter”, click on the “Manage Devices” icon. <br />
<br />
[[File:Apache_manage_device.jpg|700px]]<br />
<br />
A pop up appears for device details. <br />
<br />
[[File:Linux8.jpg|700px]]<br />
<br />
Click on “Add / Modify Device” tab. Another pop up appears for device details.<br />
<br />
[[File:Apache_device_name.JPG|700px]]<br />
<br />
Enter the expected device name. Also, in the field for IP address, enter “any”. <br />
'''Please note : Always enter the IP Address as “any”.''' This is the safe and sure way to establish the connection: it allows the OSSEC agent to connect to the OSSEC server from “any” of its configured IPs. The device may have multiple NIC cards/IP addresses, and unless we are sure which IP will be used for the connection, the connection will fail. Hence, use “any”.<br />
<br />
Select the appropriate time zone of this device. In the “Node” dropdown, select the name of the Aggregator or local data collector for this device. <br />
Click on Submit. A success message appears and the device is added to this adapter. <br />
<br />
[[File:Apache_device_add.JPG|500px]]<br />
<br />
== Extract key from KHIKA OSSEC Server ==<br />
<br />
Now the webserver is added in the relevant KHIKA Adapter, i.e. the parser that will parse this data type. To see this device entry, click on the “Manage Devices” icon next to the adapter.<br />
<br />
[[File:Apache_manage_device.jpg|500px]]<br />
<br />
A pop up with device details of the adaptor appears. Select “List of Devices” tab.<br />
<br />
[[File:Apache_list_device.JPG|500px]]<br />
<br />
Click on the “Get OSSEC Key” icon next to this device. <br />
<br />
[[File:Apache_key.jpg|500px]]<br />
<br />
[[File:Apache_extracted_key.JPG|500px]]<br />
<br />
This is the unique key for this device, created by the OSSEC server. Paste this key into the OSSEC agent installed on this Apache server.<br />
<br />
== Insert unique OSSEC key in OSSEC Agent on the Linux Server ==<br />
<br />
Perform the following simple steps on the Apache server agent: <br />
*Log in as "root" on the agent server.<br />
*Please note that the OSSEC server listens on UDP port 1514, so any firewall between the OSSEC agent and the OSSEC server must allow UDP traffic to port 1514.<br />
*Run the manage_agents script from the OSSEC agent installation directory: <br />
'''sudo /opt/ossec/bin/manage_agents'''<br />
*You will be presented with these options:<br />
<br />
[[File:Linux14.jpg|700px]]<br />
<br />
*Select "I" to import the key (which we extracted from the OSSEC server in the section above).<br />
*Copy and paste the key generated on the server. <br />
*Restart the agent using the command '''/opt/ossec/bin/ossec-control restart'''.<br />
*Repeat these steps for each server to be monitored.<br />
*Finally, go to the Workspace tab and click on the “Apply Configuration” icon.<br />
<br />
[[File:Apache_workspace.jpg|700px]]<br />
<br />
== Reload Configuration ==<br />
<br />
Log in to the KHIKA portal. <br />
*Go to Configure<br />
*Select workspace, eg. Apache_WebServer <br />
*Go to Node Tab <br />
*Click Reload Config<br />
<br />
[[File:Apache_reload.jpg|700px]]<br />
<br />
This step restarts the OSSEC server.<br />
Wait a few minutes for the server to restart.<br />
<br />
== Verifying OSSEC data collection ==<br />
<br />
Once the device is added successfully, we can check the data for this device on the Discover screen. Go to “Discover” from the main menu. <br />
Select the appropriate index. The raw (KHIKA formatted) data of all the Apache webservers added to KHIKA so far is shown here. <br />
<br />
[[File:Linux17.jpg|700px]]<br />
<br />
To see the data for the newly added device, enter the following search string in lower case: <br />
tl_src_host : name_of_the_device_added_in_lower_case <br />
and click on the search icon.<br />
<br />
== How to check the output of KHIKA Apache WebServer App ? ==<br />
<br />
=== Webserver Http Error Status Dashboard ===<br />
<br />
This dashboard shows the HTTP status codes for accessed URLs: the 10 most accessed URLs, with related details such as the server IP and HTTP status code. <br />
<br />
==== Elements in the Dashboard are explained below : ====<br />
<br />
{| class="wikitable"<br />
|+ style="caption-side:bottom; color:#e76700;"|''Webserver Http Error Status Dashboard''<br />
|-<br />
|'''Visualization'''<br />
|'''Description'''<br />
|-<br />
|Contribution of Status<br />
|This pie chart shows the share of each HTTP status code, e.g. 403, 503.<br />
|-<br />
|Contribution of Server IP<br />
|This pie chart shows the share of each server IP.<br />
|-<br />
|Contribution of URL<br />
|This pie chart shows the share of each accessed URL.<br />
|-<br />
|Time trend<br />
|Trend of events over time. Useful to identify unusual spikes at a glance.<br/><br/>X axis : date & time<br/>Y axis : count of events<br />
|-<br />
|Summary Table<br />
|Detailed data with timestamp and count<br />
|}<br />
<br />
==== Some suggestions for useful interaction with this dashboard could be : ====<br />
<br />
#In the "Contribution of Status" pie, click and select any one status code. This isolates that status code and the URLs that returned it, and the selection is reflected across the dashboard, i.e. the other pie charts, time trend and summary table show filtered information for this status code only.<br />
#Alternatively, in the "Contribution of Server IP" pie, click and select any one server IP. This isolates that server IP and the URLs accessed on it, reflected across the dashboard.<br />
<br />
=== Webserver Top N URLs Dashboard ===<br />
<br />
As the name suggests, this dashboard shows the top URLs, with details of the domain and the top hits per server. <br />
<br />
==== Elements in the Dashboard are explained below : ====<br />
<br />
{| class="wikitable"<br />
|+ style="caption-side:bottom; color:#e76700;"|''Webserver Top N URLs Dashboard''<br />
|-<br />
|'''Visualization'''<br />
|'''Description'''<br />
|-<br />
|Contribution of URL<br />
|This pie chart shows the share of each URL accessed on the server.<br />
|-<br />
|Server Name wise Request Hits<br />
|X axis : Name of Servers<br/>Y axis : Count of request hits for each server.<br />
|-<br />
|Time trend<br />
|Trend of events over time. Useful to identify unusual spikes at a glance.<br/><br/>X axis : date & time<br/>Y axis : count of events<br />
|-<br />
|Contribution of Domain<br />
|This pie chart shows the share of each domain.<br />
|-<br />
|Summary Table<br />
|Detailed data with timestamp and count<br />
|}<br />
<br />
==== Some suggestions for useful interaction with this dashboard could be : ====<br />
<br />
#In the "Contribution of URL" pie chart, select any one URL. This isolates the number of hits for the requested URL and also shows the server names and domain for the selected URL across the dashboard, i.e. the other pie charts, time trend and summary table show filtered information for this URL only. <br />
#In the "Contribution of Domain" pie, click on any one domain. A filter is applied for the selected domain, and the rest of the elements on the dashboard then show data for that domain only, such as the URLs and server names for this domain.<br />
<br />
=== Webserver Total Request Per Client IP Dashboard ===<br />
<br />
This dashboard shows the top client IPs and the total requests from a selected client IP.<br />
<br />
==== Elements in the Dashboard are explained below : ====<br />
<br />
{| class="wikitable"<br />
|+ style="caption-side:bottom; color:#e76700;"|''Webserver Total Request Per ClientIP Dashboard''<br />
|-<br />
|'''Visualization'''<br />
|'''Description'''<br />
|-<br />
|Contribution of Server Name<br />
|This pie chart shows the share of each server name.<br />
|-<br />
|Client IP wise Request<br />
|X axis : ClientIP(s)<br/>Y axis : Count of request hits for that client IP.<br />
|-<br />
|Time trend<br />
|Trend of events over time. Useful to identify unusual spikes at a glance.<br/><br/>X axis : date & time<br/>Y axis : count of events<br />
|-<br />
|Summary Table<br />
|Detailed data with timestamp and count<br />
|}<br />
<br />
==== Some suggestions for useful interaction with this dashboard could be : ====<br />
<br />
#In the graph "Client IP wise Request", click and select any one client IP. This isolates the request hits for the selected client IP and is reflected across the dashboard, i.e. the other pie charts, time trend and summary table show filtered information for this client IP only.<br />
#In the "Contribution of Server Name" pie, click and select any one server name. This isolates the client IPs and request hits for that server name and is reflected across the dashboard.<br />
<br />
=== Report_Webserver_Traffic_Categorization Dashboard ===<br />
<br />
This dashboard categorizes traffic as DIRECT or REFERRED. It also shows the referrer per client IP, the top URLs and the servers.<br />
<br />
==== Elements in the Dashboard are explained below : ====<br />
<br />
{| class="wikitable"<br />
|+ style="caption-side:bottom; color:#e76700;"|''Report_Webserver_Traffic_Categorization Dashboard''<br />
|-<br />
|'''Visualization'''<br />
|'''Description'''<br />
|-<br />
|Server IP wise Category<br />
|X axis : ServerIP<br/>Y axis : count of requests per category (DIRECT or REFERRED).<br />
|-<br />
|Client IP wise Referrer<br />
|X axis : ClientIP<br/>Y axis : count of requests per referrer.<br />
|-<br />
|Contribution of URL<br />
|This pie chart shows the share of each URL.<br />
|-<br />
|Contribution of Server Name<br />
|This pie chart shows the share of each server name.<br />
|-<br />
|Contribution of Referrer<br />
|This pie chart shows the share of each referrer.<br />
|-<br />
|Time trend<br />
|Trend of events over time. Useful to identify unusual spikes at a glance.<br/><br/>X axis : date & time<br/>Y axis : count of events<br />
|-<br />
|Summary Table<br />
|Detailed data with timestamp and count<br />
|}<br />
<br />
==== Some suggestions for useful interaction with this dashboard could be : ====<br />
<br />
#In the bar graph "Server IP wise Category", select any one server IP. This isolates the categories and their counts for the selected server IP, and also the domain and accessed URLs for that server IP across the dashboard, i.e. the other pie charts, time trend and summary table show filtered information for this server IP only. <br />
#Inversely, in the bar graph "Client IP wise Referrer", click on any one client IP to select it; the rest of the elements on the dashboard then show data for that client IP only.<br />
<br />
=== Report_Webserver_Top_N_Referers Dashboard ===<br />
<br />
This dashboard shows the top referrers, with details of the domain and the top hits per server.<br />
<br />
==== Elements in the Dashboard are explained below : ====<br />
<br />
{| class="wikitable"<br />
|+ style="caption-side:bottom; color:#e76700;"|''Report_Webserver_Top_N_Referers Dashboard''<br />
|-<br />
|'''Visualization'''<br />
|'''Description'''<br />
|-<br />
|Contribution of Domain<br />
|This pie chart shows the share of each domain.<br />
|-<br />
|Server Name wise Hits<br />
|X axis : ServerName(s)<br/>Y axis : count of hits for that server name.<br />
|-<br />
|Contribution of Referrer<br />
|This pie chart shows the share of each referrer.<br />
|-<br />
|Time trend<br />
|Trend of events over time. Useful to identify unusual spikes at a glance.<br/><br/>X axis : date & time<br/>Y axis : count of events<br />
|-<br />
|Summary Table<br />
|Detailed data with timestamp and count<br />
|}<br />
<br />
==== Some suggestions for useful interaction with this dashboard could be : ====<br />
<br />
#In the "Contribution of Referrer" pie chart, select any one referrer. This isolates the count of request hits for the selected referrer and also shows the domain and server name for it across the dashboard, i.e. the other pie charts, time trend and summary table show filtered information for this referrer only. <br />
#Inversely, in the "Contribution of Domain" pie, click on any one domain to select it; the rest of the elements on the dashboard then show data for that domain only.<br />
<br />
=== Report_Webserver_Referrer_Detail Dashboard ===<br />
<br />
This dashboard shows referrer details, together with the top URLs and the client IPs that requested each URL and server name.<br />
<br />
==== Elements in the Dashboard are explained below : ====<br />
<br />
{| class="wikitable"<br />
|+ style="caption-side:bottom; color:#e76700;"|''Report_Webserver_Referrer_Detail Dashboard''<br />
|-<br />
|'''Visualization'''<br />
|'''Description'''<br />
|-<br />
|Contribution of Referrer<br />
|This pie chart shows the share of each referrer.<br />
|-<br />
|Contribution of URL<br />
|This pie chart shows the share of each URL.<br />
|-<br />
|Server Name wise Hits<br />
|X axis : Servername<br/>Y axis : Count of request hits for that server name.<br />
|-<br />
|Client IP wise Hits<br />
|X axis : ClientIP<br/>Y axis : Count of request hits for that client IP.<br />
|-<br />
|Time trend<br />
|Trend of events over time. Useful to identify unusual spikes at a glance.<br/><br/>X axis : date & time<br/>Y axis : count of events<br />
|-<br />
|Summary Table<br />
|Detailed data with timestamp and count<br />
|}<br />
<br />
==== Some suggestions for useful interaction with this dashboard could be : ====<br />
<br />
#In the pie chart "Contribution of Referrer", click and select any one referrer type. This isolates the count of hits for the selected type and also shows the server name and accessed URLs for that referrer type across the dashboard, i.e. the other pie charts, time trend and summary table show filtered information for this referrer type only.<br />
#Alternatively, in the graph "Client IP wise Hits", click and select any one client IP. This isolates the request hits and also shows the referrer and accessed URLs for that client IP across the dashboard.<br />
<br />
=== KHIKA Alerts for Apache WebServer ===<br />
<br />
Alerts are generated in real time when certain critical behaviour is observed in the system. They are shown on the Alerts Dashboard in KHIKA and can also be sent by email to the relevant stakeholders. The details of KHIKA Alerts are mentioned here. <br />
Click on “Alert Dashboard” in the left menu.<br />
Certain alerts for Apache Webserver are pre-canned and shipped with KHIKA, keeping in mind the requirements of the users. They are listed in the table below :<br />
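As an added illustration (not KHIKA's own code or alert rules), the Python below parses Apache combined-format access log lines and implements the DIRECT/REFERRED categorization and top-N counts behind the dashboards above, plus the three alert conditions listed in the table below: repeated error responses from one source IP within a minute, POST/PUT of executable or script files, and requests from an IP on a threat intelligence list with a confidence score. The sample log lines, the five-errors-per-minute threshold, the extension list and the TI table are constructed assumptions.<br />

```python
"""Added example, not KHIKA's code: the kind of logic behind the Apache
dashboards (DIRECT/REFERRED categorization, top-N URLs) and the three alerts
described on this page, run over constructed sample access-log lines.
Thresholds, the dangerous-extension list and the TI table are assumptions."""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Apache "combined" log format:
# %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-agent}i"
COMBINED_RE = re.compile(
    r'(?P<client_ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) \S+" (?P<status>\d{3}) \S+ '
    r'"(?P<referrer>[^"]*)" "[^"]*"'
)

# Constructed sample lines (RFC 5737 documentation addresses, not real clients).
SAMPLE_LOG = """\
203.0.113.7 - - [02/Apr/2020:12:00:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.9 - - [02/Apr/2020:12:00:01 +0000] "GET /index.html HTTP/1.1" 200 512 "https://search.example/" "Mozilla/5.0"
203.0.113.7 - - [02/Apr/2020:12:00:02 +0000] "GET /admin HTTP/1.1" 403 0 "-" "curl/7.68.0"
203.0.113.7 - - [02/Apr/2020:12:00:10 +0000] "GET /admin HTTP/1.1" 403 0 "-" "curl/7.68.0"
198.51.100.9 - - [02/Apr/2020:12:00:05 +0000] "GET /missing HTTP/1.1" 404 0 "https://search.example/" "Mozilla/5.0"
203.0.113.7 - - [02/Apr/2020:12:00:20 +0000] "GET /admin HTTP/1.1" 403 0 "-" "curl/7.68.0"
203.0.113.7 - - [02/Apr/2020:12:00:30 +0000] "GET /admin HTTP/1.1" 403 0 "-" "curl/7.68.0"
203.0.113.7 - - [02/Apr/2020:12:00:40 +0000] "GET /admin HTTP/1.1" 403 0 "-" "curl/7.68.0"
192.0.2.23 - - [02/Apr/2020:12:01:10 +0000] "POST /uploads/tool.exe HTTP/1.1" 200 30 "-" "python-requests/2.23"
198.51.100.9 - - [02/Apr/2020:12:01:15 +0000] "PUT /docs/report.pdf HTTP/1.1" 201 30 "https://search.example/" "Mozilla/5.0"
"""

# Constructed threat-intelligence table, shaped as the page describes:
# number of reporting communities and a confidence score per bad IP.
THREAT_INTEL = {
    "192.0.2.23": {"communities": 3, "confidence": 85},
    "198.51.100.9": {"communities": 1, "confidence": 20},
}

DANGEROUS_EXT = (".exe", ".dll", ".so", ".sh", ".ps1", ".php", ".jsp")  # assumed list

def parse_line(line):
    """Parse one combined-format line into a dict; return None if it does not match."""
    m = COMBINED_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    return rec

def load_records(text):
    """Parse every non-empty line, skipping lines that do not match the format."""
    recs = (parse_line(l) for l in text.splitlines() if l.strip())
    return [r for r in recs if r is not None]

def categorize(rec):
    """Traffic categorization as on the dashboard: DIRECT when no Referer was
    sent (Apache logs "-"), REFERRED otherwise."""
    return "DIRECT" if rec["referrer"] in ("", "-") else "REFERRED"

def top_n(records, field, n=3):
    """Top-N values of a field with their hit counts, e.g. the top URLs pie chart."""
    return Counter(r[field] for r in records).most_common(n)

def excessive_errors(records, threshold=5, window=timedelta(minutes=1)):
    """Alert 1: client IPs with at least `threshold` 4xx/5xx responses inside any
    one-minute window (sliding window over that IP's sorted error timestamps)."""
    by_ip = defaultdict(list)
    for r in records:
        if r["status"] >= 400:
            by_ip[r["client_ip"]].append(r["time"])
    flagged = set()
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged.add(ip)
                break
    return flagged

def dangerous_uploads(records):
    """Alert 2: POST/PUT requests whose path ends in an executable or script extension."""
    return [(r["client_ip"], r["url"]) for r in records
            if r["method"] in ("POST", "PUT")
            and r["url"].split("?")[0].lower().endswith(DANGEROUS_EXT)]

def bad_ip_hits(records, threat_intel=THREAT_INTEL, min_confidence=50):
    """Alert 3: requests from IPs on the TI list whose confidence meets the floor;
    each hit carries the number of communities that reported the IP."""
    return [(r["client_ip"], threat_intel[r["client_ip"]]["communities"])
            for r in records
            if r["client_ip"] in threat_intel
            and threat_intel[r["client_ip"]]["confidence"] >= min_confidence]
```

Call load_records(SAMPLE_LOG) and pass the result to each function. The error check keeps a sliding one-minute window over each IP's sorted error timestamps, so it fires on a burst regardless of where the minute boundary falls; the confidence floor on the TI lookup is what keeps a low-confidence, single-community listing from paging anyone.<br />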
<br />
==== Alerts Description ====<br />
<br />
{| class="wikitable"<br />
|+ style="caption-side:bottom; color:#e76700;"|''Alert Details Table''<br />
|-<br />
|'''Alert Name'''<br />
|'''Description'''<br />
|'''Suggested Resolution'''<br />
|-<br />
|Apache excessive web server errors from same source ip<br />
|This alert is triggered when the same source IP communicates with the Apache Webserver and receives multiple error responses within one minute.<br />
|Multiple errors from the same source_ip. Possible DDoS attack.<br />
A denial of service (DoS) attack is an attack in which the server is prevented from serving legitimate users with a response to their requests. DoS attacks from anonymous sources can be prevented by implementing a web server firewall that inspects the entire HTTP traffic and stops any data packet that appears malicious or is generated from a source that is not authorized.<br />
Check the reputation of the client IP address and block it if necessary.<br />
|-<br />
|Apache dangerous content posted to webserver<br />
|This alert is triggered when any source attempts to post potentially dangerous files to the webserver within one minute.<br />
|Apache dangerous content posted to webserver. The source has posted potentially dangerous files such as executables, scripts, shared objects, etc. to the webserver.<br />
Kindly check the upload activity done by the user and verify the uploaded content for policy violation.<br />
|-<br />
|Apache communication with possible IOC or bad IP<br />
|This alert is triggered when malicious/bad IPs are trying to communicate with the Apache Webserver.<br />
|KHIKA shares community based threat intelligence (TI) every 24 hours. The TI has a list of IP addresses with bad reputation. Every bad IP is marked with the number of communities reporting it, the name of each community and a confidence score indicating how confident we are about the reputation. This alert is generated when communication with a bad IP is let through.<br />
<br />
If communication with a bad IP is happening, it must be blocked immediately as it could be a possible attack or data exfiltration. <br />
You can check how long this communication has been happening by simply searching for the malicious IP in the logs. You can also check which internal IP addresses are communicating with this IP address and track the real users behind those internal IP addresses.<br />
Cross-check the reputation of the IP with popular websites such as ipvoid.com, virustotal.com.<br />
If you see an internal IP constantly involved in malicious communication (with the same or multiple external IP addresses), you may install agents on the internal nodes involved and check the real user and process responsible for this communication.<br />
It is critical to block this rogue communication.<br />
|}</div>Dhanashree kulkarnihttp://khika.com/wiki/index.php?title=KHIKA_App_for_Apache_WebServer&diff=3056KHIKA App for Apache WebServer2020-04-02T12:46:35Z<p>Dhanashree kulkarni: /* Report_Webserver_Top_N_URLs Dashboard */</p>
<hr />
<div>== Introduction ==<br />
Apache Webserver runs critical business applications in organisations. Monitoring these servers is important from both a security and an operational standpoint.<br />
<br />
With KHIKA App for Apache Webserver, you can :<br />
*Monitor hundreds of servers from one central place.<br />
*Analyse the HTTP error status codes returned for accessed URLs on your server.<br />
*See information such as the top accessed URLs and the count of hits on your server.<br />
*Monitor the total requests per client IP on your servers.<br />
<br />
Below we explain the steps to configure KHIKA App for Apache Webserver and to interpret its output.<br />
The key parts are : <br />
#Install the KHIKA App for Apache Webserver<br />
#Get data from your Apache Webserver into KHIKA Aggregator<br />
<br />
== How to Install the KHIKA App for Apache WebServer? ==<br />
<br />
It is assumed that you have already configured the KHIKA Data Aggregator in your environment. If not, please read [[Getting Started with KHIKA SaaS#Installing and configuring KHIKA Data Aggregator|how to configure KHIKA Data Aggregator]] and perform the pre-requisite steps.<br />
<br />
This section explains how to pick and install the KHIKA application for Apache WebServer. Installing the application assembles and activates the preconfigured adapter (parser) that handles the webserver data format, together with the dashboards and the alert rules. <br />
<br />
Go to “Applications” tab in the “Configure” menu. <br />
<br />
[[File:Apache_1.JPG|700px]]<br />
<br />
Check whether the appropriate Workspace is selected.<br />
Note: An application is always loaded into a Workspace. Read the section on [[Accessing the KHIKA Gui#Creating a Workspace|Workspaces]] to know more about KHIKA Workspaces.<br />
Also select your KHIKA aggregator name in the Node dropdown. <br />
This ensures that data is collected from the desired source into the correct workspace, which is ready with the configured application and its components.<br />
<br />
[[File:Apache_2.jpg|700px]]<br />
<br />
Click on the “+” button. A pop up appears.<br />
<br />
[[File:Apache_install_full.JPG|700px]]<br />
<br />
Users can now select the contents of the application they require. For example, click the “Reports” dropdown to expand it; the list of all reports appears. Select the reports you need individually by ticking the checkbox next to each, or tick “Select All” to get all of them. <br />
Similarly, you can select contents from Alerts and Dashboards.<br />
<br />
[[KHIKA Reports|What are KHIKA Reports]]<br />
<br />
[[KHIKA Dashboards|What are KHIKA Dashboards]]<br />
<br />
[[KHIKA Alerts & Correlations|What are KHIKA Alerts]]<br />
<br />
Click “OK” to proceed with the installation of the selected Application. <br />
After successful installation, the following status should be displayed :<br />
<br />
[[File:Full_app_install.JPG|700px]]<br />
<br />
This simple procedure to install a KHIKA App automatically configures the Adapter (required for parsing the raw syslog data), the KHIKA reports calculated on the raw data, the Visualizations, Dashboards and Alerts, all in one click.<br />
<br />
== How to get your Apache Webserver data into KHIKA ? ==<br />
<br />
KHIKA recommends the popular open source OSSEC integration to monitor Apache webservers. <br />
There are two components in the OSSEC integration with KHIKA: <br />
#OSSEC Agent – Installed on each webserver which we wish to monitor<br />
#OSSEC Server – Present on KHIKA Data Aggregator <br />
<br />
The OSSEC agent and server communicate with each other using a unique key pairing mechanism. <br />
The main steps to start getting data from a Linux server are :<br />
#Install Ossec agent on the webserver (for Linux)<br />
#Add the webserver details in KHIKA<br />
#Extract a unique key for this device from KHIKA<br />
#Insert this key in the Ossec agent (i.e. on the respective webserver to be monitored)<br />
#Reload Configuration<br />
#Verify data collection<br />
<br />
Each of these steps is explained in detail in the further sections.<br />
<br />
== Installing OSSEC Agent for Apache Server ==<br />
<br />
Download the [https://goo.gl/86gRQL Linux OSSEC Agent from here].<br><br />
For the Linux agent, check your OS version and select the appropriate installer file.<br><br />
Version 5: '''ossec_TL_Agent_5.11.tar.gz'''<br><br />
Version 6: '''ossec_TL_Agent_6.x.tar.gz'''<br><br />
Version 7: '''ossec_TL_Agent.tar.gz'''<br><br />
<br />
Copy the downloaded installer to the server that you wish to monitor using KHIKA and run it with "root" credentials on that server. <br />
Please note : It is extremely important to install the OSSEC agent with "root" privileges, as the agent reads '''/var/log/secure, /var/log/messages''' and other protected files. To read them successfully, the ossec-agent process must be installed and run with "root" privileges.<br />
<br />
Run the following commands as the "root" user to install the OSSEC agent.<br />
If an OSSEC directory already exists on the agent (i.e. our Linux server), remove or rename it first:<br />
'''mv /opt/ossec /opt/ossec_bak'''<br />
Go to the location where you copied the OSSEC agent installer and extract it (use the file name matching your OS version):<br />
'''tar -zxvf ossec_TL_Agent.tar.gz'''<br />
<br />
Then change into the extracted directory with cd. You will see a script named install.sh.<br />
<br />
Run it with the following command:<br />
'''sudo ./install.sh''' (sudo is not needed if you are already logged in as root)<br />
<br />
[[File:Linux5.jpg|700px]]<br />
<br />
Now enter the KHIKA Data Aggregator IP address (the OSSEC server IP address) so that the OSSEC agent points to the OSSEC server.<br />
<br />
[[File:Linux6.jpg|700px]]<br />
<br />
NOTE: You will have to repeat these steps on each of the Servers that you wish to monitor using KHIKA.<br />
<br />
To collect the Apache logs, add the following section to agent.conf:<br />
<localfile><br />
<log_format>apache</log_format><br />
<location>/var/log/httpd/access_log</location><br />
</localfile><br />
Adjust the path to your distribution (Debian and Ubuntu write to /var/log/apache2/access.log) and add a second <localfile> entry for the Apache error log if you want error events as well. Note that in stock OSSEC, agent.conf is the centralised configuration distributed from the server's shared directory and is overwritten on the agent; settings made locally on the agent belong in its ossec.conf.<br />
<br />
== Adding the device in the Adaptor ==<br />
<br />
Go to Adapter tab in the “Configure” menu.<br />
Next to our “apache_webserver_adapter”, click on the “Manage Devices” icon. <br />
<br />
[[File:Apache_manage_device.jpg|700px]]<br />
<br />
A pop-up with the device details appears.<br />
<br />
[[File:Linux8.jpg|700px]]<br />
<br />
Click on “Add / Modify Device” tab. Another pop up appears for device details.<br />
<br />
[[File:Apache_device_name.JPG|700px]]<br />
<br />
Enter the expected device name. In the field for IP address, enter “any”.<br />
'''Please note : Always enter the IP Address as “any”.''' With “any”, the OSSEC server accepts this agent's key from whichever of the device's configured IP addresses it connects from. The device may have multiple NICs/IP addresses, and if a specific IP is registered but the agent connects from a different one, the connection fails. Hence, use “any”. The consequence is that the pre-shared key alone authenticates the agent, so treat the extracted key as a secret.<br />
<br />
Select appropriate time zone of this device. In the “Node” field dropdown, select the name of the Aggregator or local data collector for this device. <br />
Click on Submit. We get a success message and device is added successfully to this adaptor. <br />
<br />
[[File:Apache_device_add.JPG|500px]]<br />
<br />
== Extract key from KHIKA OSSEC Server ==<br />
<br />
Now the Apache webserver is added in the KHIKA Adapter (parser) that handles this data type. To see this device entry, click on the “Manage Devices” icon next to the adaptor.<br />
<br />
[[File:Apache_manage_device.jpg|500px]]<br />
<br />
A pop up with device details of the adaptor appears. Select “List of Devices” tab.<br />
<br />
[[File:Apache_list_device.JPG|500px]]<br />
<br />
Click on the “Get OSSEC Key” icon next to this device. <br />
<br />
[[File:Apache_key.jpg|500px]]<br />
<br />
[[File:Apache_extracted_key.JPG|500px]]<br />
<br />
This is the unique key for this device, created by the OSSEC server. Paste this key into the OSSEC agent installed on this Apache server, as described in the next section.<br />
<br />
== Insert unique OSSEC key in OSSEC Agent on the Linux Server ==<br />
<br />
Perform the following steps on the Apache server where the agent is installed:<br />
*Log in as "root" on the agent server<br />
*Please note: the OSSEC server listens on UDP port 1514, and any firewall between the OSSEC agent and the OSSEC server must allow UDP port 1514 from the agent to the server.<br />
*From the OSSEC agent installation directory, run the manage_agents script:<br />
sudo /opt/ossec/bin/manage_agents<br />
*You'll be presented with these options<br />
<br />
[[File:Linux14.jpg|700px]]<br />
<br />
*Select "I" to import the key (which we created in the section above, on the OSSEC server)<br />
*Copy and paste the key generated on the server<br />
*Restart the agent using the command /opt/ossec/bin/ossec-control restart<br />
*After the restart, the agent's log (/opt/ossec/logs/ossec.log) should report that it connected to the server; if it keeps retrying, check the key and the UDP 1514 path first.<br />
*Repeat these steps for each server to be monitored.<br />
*Finally, go to the Workspace tab and click on the “Apply Configuration” icon.<br />
<br />
[[File:Apache_workspace.jpg|700px]]<br />
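The agent-side steps above (install, the <localfile> entry, key import, restart) are easy to get half right, and a half-configured agent fails silently: nothing reaches the aggregator and KHIKA shows no error. Below is an added preflight script, written for this page rather than taken from KHIKA or OSSEC, that checks the things those steps depend on and can append the Apache <localfile> entries idempotently. It assumes a stock OSSEC agent layout under /opt/ossec (the prefix used on this page) with its local configuration in /opt/ossec/etc/ossec.conf and the imported key in /opt/ossec/etc/client.keys; the log paths are the RHEL/CentOS defaults used on this page plus the error log.<br />
<br />
```python
"""Preflight for an OSSEC agent that ships Apache logs to the KHIKA aggregator.

Added example for this page, not KHIKA's or OSSEC's own tooling.
Assumptions: stock OSSEC agent layout under /opt/ossec (the prefix used on
this page), local configuration in etc/ossec.conf, imported key in
etc/client.keys, RHEL/CentOS Apache log paths.
"""
import os
import re
import sys

OSSEC_DIR = "/opt/ossec"  # install prefix used on this page (assumption)
APACHE_LOGS = ["/var/log/httpd/access_log", "/var/log/httpd/error_log"]

LOCATION_RE = re.compile(r"<location>\s*(.*?)\s*</location>")
SERVER_IP_RE = re.compile(r"<server-ip>\s*([^<\s]+)\s*</server-ip>")


def localfile_block(location, log_format="apache"):
    """Render one <localfile> entry in the form OSSEC expects."""
    return (
        "  <localfile>\n"
        f"    <log_format>{log_format}</log_format>\n"
        f"    <location>{location}</location>\n"
        "  </localfile>\n"
    )


def configured_locations(conf_text):
    """All <location> values already present in the configuration text."""
    return set(LOCATION_RE.findall(conf_text))


def ensure_localfiles(conf_text, locations, log_format="apache"):
    """Return (new_text, added): append the <localfile> entries that are missing.

    OSSEC accepts several top-level <ossec_config> elements in one file, so
    missing entries are appended as a new block instead of re-serialising the
    XML; existing comments and formatting stay untouched. Entries already
    present (matched by <location>) are left alone, so the call is idempotent.
    """
    present = configured_locations(conf_text)
    added = [loc for loc in locations if loc not in present]
    if not added:
        return conf_text, []
    block = "".join(localfile_block(loc, log_format) for loc in added)
    if conf_text and not conf_text.endswith("\n"):
        conf_text += "\n"
    return conf_text + "<ossec_config>\n" + block + "</ossec_config>\n", added


def server_ip(conf_text):
    """The OSSEC server (KHIKA aggregator) IP the agent will talk to, or None."""
    m = SERVER_IP_RE.search(conf_text)
    return m.group(1) if m else None


def preflight(conf_text, locations, key_imported, readable):
    """List the agent-side problems that stop Apache events reaching KHIKA.

    `readable` is injected (os.access in production) so the checks can run
    against constructed input as well as the live host.
    """
    problems = []
    if server_ip(conf_text) is None:
        problems.append("no <server-ip> configured: the agent has nowhere to send events")
    if not key_imported:
        problems.append("client.keys missing or empty: import the key with manage_agents")
    present = configured_locations(conf_text)
    for loc in locations:
        if loc not in present:
            problems.append(f"no <localfile> entry for {loc}")
        if not readable(loc):
            problems.append(f"{loc} is not readable (the agent must run as root)")
    return problems


def main(argv):
    conf_path = os.path.join(OSSEC_DIR, "etc", "ossec.conf")
    keys_path = os.path.join(OSSEC_DIR, "etc", "client.keys")
    with open(conf_path) as fh:
        conf = fh.read()
    if "--fix" in argv:
        conf, added = ensure_localfiles(conf, APACHE_LOGS)
        if added:
            with open(conf_path, "w") as fh:
                fh.write(conf)
            print("appended <localfile> entries for: " + ", ".join(added))
    key_ok = os.path.isfile(keys_path) and os.path.getsize(keys_path) > 0
    problems = preflight(conf, APACHE_LOGS, key_ok, lambda p: os.access(p, os.R_OK))
    for problem in problems:
        print("PROBLEM: " + problem)
    print("ok" if not problems else f"{len(problems)} problem(s) found")
    return 1 if problems else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```
<br />
Save it under any name (the file name is not fixed by anything on this page) and run it as root after install.sh: with no arguments it only reports problems; with --fix it appends the missing <localfile> entries as a new <ossec_config> block, which OSSEC merges with the existing ones, after which /opt/ossec/bin/ossec-control restart applies the change. It deliberately does not write server-ip or the key: those come from install.sh and manage_agents as described above.<br />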
<br />
== Reload Configuration ==<br />
<br />
Log in to the KHIKA portal.<br />
*Go to Configure<br />
*Select workspace, eg. Apache_WebServer <br />
*Go to Node Tab <br />
*Click Reload Config<br />
<br />
[[File:Apache_reload.jpg|700px]]<br />
<br />
This step restarts the OSSEC server on the aggregator.<br />
Wait a few minutes for the server to come back up before checking for data.<br />
<br />
== Verifying OSSEC data collection ==<br />
<br />
Once the device is added successfully, we can check its data on the Discover screen. Go to “Discover” from the main menu.<br />
Select the appropriate index. The raw (KHIKA formatted) data of all the Apache webservers added to KHIKA so far is shown here.<br />
<br />
[[File:Linux17.jpg|700px]]<br />
<br />
To see only the data for our newly added device, enter the search string in lower case:<br />
tl_src_host : name_of_the_device_added_in_lower_case<br />
and click on the search icon. If nothing appears after a few minutes, check that the Apache access log is actually being written to and that the agent is connected to the server.<br />
<br />
== How to check the output of KHIKA Apache WebServer App ? ==<br />
<br />
<br />
=== Webserver Http Error Status Dashboard ===<br />
<br />
This dashboard shows the HTTP status codes returned for accessed URLs: the top 10 most accessed URLs and related details such as server IP and HTTP status code.<br />
<br />
==== Elements in the Dashboard are explained below : ====<br />
<br />
{| class="wikitable"<br />
|+ style="caption-side:bottom; color:#e76700;"|''Webserver Http Error Status Dashboard''<br />
|-<br />
|'''Visualization'''<br />
|'''Description'''<br />
|-<br />
|Contribution of Status<br />
|This pie chart shows the distribution of HTTP status codes, e.g. 403, 503.<br />
|-<br />
|Contribution of Server IP<br />
|This pie chart shows the contribution of each server IP.<br />
|-<br />
|Contribution of URL<br />
|This pie chart shows the contribution of each accessed URL.<br />
|-<br />
|Time trend<br />
|Trend of error events over time. Useful to identify unusual spikes at a glance.<br/><br/>X axis : date & time<br/>Y axis : count of events<br />
|-<br />
|Summary Table<br />
|Detailed data with timestamp and count<br />
<br />
|}<br />
<br />
==== Some suggestions for useful interaction with this dashboard could be : ====<br />
<br />
#In the "Contribution of Status" pie, click and select any one status code. This isolates that status code across the dashboard, i.e. the other pie charts, time trend and summary table then show only the server IPs and URLs of requests that returned the selected status.<br />
#Alternatively, in the "Contribution of Server IP" pie, click and select any one server IP. This isolates that server IP, and the status codes and URLs accessed on it, across the dashboard.<br />
<br />
=== Webserver Top N URLs Dashboard ===<br />
<br />
As the name suggests, this dashboard shows the top URLs, with details of the domain and the top hits per server.<br />
<br />
==== Elements in the Dashboard are explained below : ====<br />
<br />
{| class="wikitable"<br />
|+ style="caption-side:bottom; color:#e76700;"|''Webserver Top N URLs Dashboard''<br />
|-<br />
|'''Visualization'''<br />
|'''Description'''<br />
|-<br />
|Contribution of URL<br />
|This pie chart shows the URLs accessed on the servers.<br />
|-<br />
|Server Name wise Request Hits<br />
|X axis : Name of Servers<br/>Y axis : Count of request hits for each server.<br />
|-<br />
|Time trend<br />
|Trend of request events over time. Useful to identify unusual spikes at a glance.<br/><br/>X axis : date & time<br/>Y axis : count of events<br />
|-<br />
|Contribution of Domain<br />
|This pie chart shows the contribution of each domain.<br />
|-<br />
|Summary Table<br />
|Detailed data with timestamp and count<br />
<br />
|}<br />
<br />
==== Some suggestions for useful interaction with this dashboard could be : ====<br />
<br />
#On the pie chart "Contribution of URL" select any one URL. This isolates the number of hits for that URL and also shows the server names and domains for it across the dashboard, i.e. the other pie charts, time trend and summary table then show filtered information for this URL only.<br />
#In the "Contribution of Domain" pie, click on any one domain. A filter on the selected domain is applied, and the rest of the elements on the dashboard then show data for that domain only, such as the URLs and server names for this domain.<br />
<br />
=== Report_Webserver_Total_Request_Per_ClientIP Dashboard ===<br />
<br />
This dashboard shows the top client IPs and the total requests from each client IP.<br />
<br />
==== Elements in the Dashboard are explained below : ====<br />
<br />
{| class="wikitable"<br />
|+ style="caption-side:bottom; color:#e76700;"|''Report_Webserver_Total_Request_Per_ClientIP Dashboard''<br />
|-<br />
|'''Visualization'''<br />
|'''Description'''<br />
|-<br />
|Contribution of Server Name<br />
|This pie chart shows the contribution of each server.<br />
|-<br />
|Client IP wise Request<br />
|X axis : ClientIP(s)<br/>Y axis : Count of request hits for that clientIP.<br />
|-<br />
|Time trend<br />
|Trend of request events over time. Useful to identify unusual spikes at a glance.<br/><br/>X axis : date & time<br/>Y axis : count of events<br />
|-<br />
|Summary Table<br />
|Detailed data with timestamp and count<br />
<br />
|}<br />
<br />
==== Some suggestions for useful interaction with this dashboard could be : ====<br />
<br />
#In the graph "Client IP wise Request", click and select any one clientIP. This isolates the request hits for that client IP across the dashboard, i.e. the other pie charts, time trend and summary table then show filtered information for this client IP only.<br />
#In the pie "Contribution of Server Name", click and select any one server name. This isolates the client IPs and request hits for that server name across the dashboard.<br />
<br />
=== Report_Webserver_Traffic_Categorization Dashboard ===<br />
<br />
This dashboard categorises traffic as DIRECT or REFERRED. It also shows the referrer per client IP, the top URLs and the servers.<br />
<br />
==== Elements in the Dashboard are explained below : ====<br />
<br />
{| class="wikitable"<br />
|+ style="caption-side:bottom; color:#e76700;"|''Report_Webserver_Traffic_Categorization Dashboard''<br />
|-<br />
|'''Visualization'''<br />
|'''Description'''<br />
|-<br />
|Server IP wise Category<br />
|X axis : ServerIP<br/> Y axis : count of requests per traffic category (DIRECT / REFERRED).<br />
|-<br />
|Client IP wise Referrer<br />
|X axis : ClientIP<br/> Y axis : count of requests per referrer.<br />
|-<br />
|Contribution of URL<br />
|This pie chart shows the contribution of each accessed URL.<br />
|-<br />
| Contribution of Server Name<br />
|This pie chart shows the contribution of each server name.<br />
|-<br />
|Contribution of Referrer<br />
|This pie chart shows the contribution of each referrer.<br />
|-<br />
|Time trend<br />
|Trend of request events over time. Useful to identify unusual spikes at a glance.<br/><br/>X axis : date & time <br/>Y axis : count of events<br />
|-<br />
|Summary Table<br />
|Detailed data with timestamp and count<br />
<br />
|}<br />
<br />
==== Some suggestions for useful interaction with this dashboard could be : ====<br />
#On the bar graph "Server IP wise Category" select any one serverIP. This isolates the categories and their counts for that server IP, together with the domains and accessed URLs for it, across the dashboard, i.e. the other pie charts, time trend and summary table then show filtered information for this server IP only.<br />
#Conversely, in the bar graph "Client IP wise Referrer", click on any one clientIP to select it; the rest of the elements on the dashboard then show data for that client IP only.<br />
<br />
=== Report_Webserver_Top_N_Referers Dashboard ===<br />
<br />
This dashboard shows the top referrers. It also gives details of the domain and the top hits per server.<br />
==== Elements in the Dashboard are explained below : ====<br />
<br />
<br />
{| class="wikitable"<br />
|+ style="caption-side:bottom; color:#e76700;"|''Report_Webserver_Top_N_Referers Dashboard''<br />
|-<br />
|'''Visualization'''<br />
|'''Description'''<br />
|-<br />
|Contribution of Domain<br />
|This pie chart shows the contribution of each domain.<br />
|-<br />
|Server Name wise Hits<br />
|X axis : ServerName(s)<br/> Y axis : count of hits for each server name.<br />
|-<br />
|Contribution of Referrer<br />
|This pie chart shows the contribution of each referrer.<br />
|-<br />
|Time trend<br />
|Trend of request events over time. Useful to identify unusual spikes at a glance.<br/><br/>X axis : date & time<br/>Y axis : count of events<br />
|-<br />
|Summary Table<br />
|Detailed data with timestamp and count<br />
<br />
|}<br />
<br />
==== Some suggestions for useful interaction with this dashboard could be : ====<br />
<br />
#In the "Contribution of Referrer" pie select any one referrer. This isolates the count of request hits for that referrer and also shows the domains and server names for it across the dashboard, i.e. the other pie charts, time trend and summary table then show filtered information for this referrer only.<br />
#Conversely, in the "Contribution of Domain" pie, click on any one domain to select it; the rest of the elements on the dashboard then show data for that domain only.<br />
<br />
=== Report_Webserver_Referrer_Detail Dashboard ===<br />
<br />
This dashboard shows referrer details, together with the top URLs, the client IPs that requested them and the server names.<br />
<br />
==== Elements in the Dashboard are explained below : ====<br />
<br />
{| class="wikitable"<br />
|+ style="caption-side:bottom; color:#e76700;"|''Report_Webserver_Referrer_Detail Dashboard''<br />
|-<br />
|'''Visualization'''<br />
|'''Description'''<br />
|-<br />
|Contribution of Referrer<br />
|This pie chart shows the contribution of each referrer.<br />
|-<br />
|Contribution of URL<br />
|This pie chart shows the contribution of each accessed URL.<br />
|-<br />
| Server Name wise Hits<br />
|X axis : Servername<br/>Y axis : Count of request hits for that Servername.<br />
|-<br />
| Client IP wise Hits<br />
|X axis : ClientIP<br/>Y axis : Count of request hits for that Client IP.<br />
|-<br />
|Time trend<br />
|Trend of request events over time. Useful to identify unusual spikes at a glance.<br/><br/>X axis : date & time<br/>Y axis : count of events<br />
|-<br />
|Summary Table<br />
|Detailed data with timestamp and count<br />
<br />
|}<br />
<br />
==== Some suggestions for useful interaction with this dashboard could be : ====<br />
<br />
#In the pie chart "Contribution of Referrer", click and select any one referrer. This isolates the count of hits for that referrer and also shows the server names and accessed URLs for it across the dashboard, i.e. the other pie charts, time trend and summary table then show filtered information for this referrer only.<br />
#Alternatively, in the graph "Client IP wise Hits", click and select any one clientIP. This isolates the request hits for that client IP and also shows its referrers and accessed URLs across the dashboard.<br />
<br />
=== KHIKA Alerts for Apache WebServer ===<br />
<br />
Alerts are generated in real time when certain critical behaviour is observed in the system; they are shown on the Alerts Dashboard in KHIKA and can also be emailed to the relevant stakeholders. The details of KHIKA Alerts are described in [[KHIKA Alerts & Correlations|KHIKA Alerts]].<br />
Click on “Alert Dashboard” on the left menu.<br />
Certain alerts for Apache webservers are pre-canned and shipped with KHIKA, keeping in mind the requirements of the users. They are listed in the table below:<br />
<br />
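The three pre-canned alerts in the table that follows are, in effect, rules evaluated over the parsed access-log events: a per-client error count inside a one-minute window, a POST of a file with a risky extension, and a client IP that appears in the threat-intelligence list. The Python below is an added example written for this page, not KHIKA's rule engine or its thresholds; it parses Apache combined-format lines (the format Apache writes to access_log by default) and fires the same three conditions over a few constructed log lines. The threshold of 5 errors per minute, the extension list and the one-entry IOC set are assumptions for the example, and the client addresses are documentation ranges.<br />
<br />
```python
"""Detection logic for the three pre-canned Apache alerts, run over sample lines.

Added example for this page, not KHIKA's rule engine. Threshold, window,
extension list and the IOC set are assumptions; the log lines are constructed.
"""
import os
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Apache "combined" access-log format, as written to access_log by default
COMBINED = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"

# Rule parameters: assumptions for this example, tune them to the environment
ERROR_THRESHOLD = 5                      # this many 4xx/5xx responses ...
ERROR_WINDOW = timedelta(minutes=1)      # ... to one client inside one minute
DANGEROUS_EXT = {".exe", ".dll", ".so", ".sh", ".php", ".jsp", ".pl", ".py", ".war"}
IOC_IPS = {"203.0.113.99"}               # constructed threat-intel entry

# Constructed sample: a scanner hitting missing paths, a PHP upload, an IOC visit
SAMPLE_LOG = """\
198.51.100.10 - - [02/Apr/2020:12:00:01 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.10 - - [02/Apr/2020:12:00:02 +0000] "GET /admin HTTP/1.1" 404 210 "-" "Mozilla/5.0"
198.51.100.10 - - [02/Apr/2020:12:00:03 +0000] "GET /wp-login.php HTTP/1.1" 404 210 "-" "Mozilla/5.0"
198.51.100.10 - - [02/Apr/2020:12:00:04 +0000] "GET /.env HTTP/1.1" 403 199 "-" "Mozilla/5.0"
198.51.100.10 - - [02/Apr/2020:12:00:05 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 210 "-" "Mozilla/5.0"
198.51.100.10 - - [02/Apr/2020:12:00:06 +0000] "GET /backup.zip HTTP/1.1" 404 210 "-" "Mozilla/5.0"
192.0.2.7 - - [02/Apr/2020:12:01:10 +0000] "POST /uploads/shell.php HTTP/1.1" 200 44 "http://www.example.com/upload" "curl/7.68.0"
203.0.113.99 - - [02/Apr/2020:12:02:00 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "python-requests/2.23"
""".splitlines()


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = COMBINED.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], TS_FORMAT)
    ev["status"] = int(ev["status"])
    return ev


def detect(lines):
    """Evaluate the three rules over lines in arrival order; return alert tuples."""
    alerts = []
    recent_errors = defaultdict(deque)   # client -> timestamps of recent errors
    last_fired = {}                      # client -> when the error rule last fired
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue                     # unparsable line: skipped, not an alert
        client, ts = ev["client"], ev["ts"]

        # Rule 1: excessive errors from the same source IP within one minute
        if ev["status"] >= 400:
            window = recent_errors[client]
            window.append(ts)
            while ts - window[0] > ERROR_WINDOW:
                window.popleft()         # drop errors older than the window
            last = last_fired.get(client)
            if len(window) >= ERROR_THRESHOLD and (last is None or ts - last >= ERROR_WINDOW):
                last_fired[client] = ts  # one alert per client per window
                alerts.append(("excessive_errors", client, len(window)))

        # Rule 2: dangerous content posted to the webserver (by target extension)
        if ev["method"] in ("POST", "PUT"):
            ext = os.path.splitext(urlsplit(ev["target"]).path.lower())[1]
            if ext in DANGEROUS_EXT:
                alerts.append(("dangerous_upload", client, ev["target"]))

        # Rule 3: communication with an IP on the threat-intelligence list
        if client in IOC_IPS:
            alerts.append(("ioc_communication", client, ev["target"]))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```
<br />
Over the sample, rule 1 fires once for 198.51.100.10 on its fifth error inside the minute (and a cooldown stops it re-firing on every later error), rule 2 flags the POST of shell.php, and rule 3 flags the visit from the listed IP. Rule 2 keys on the requested path only; a production rule would also want the response status, since a 200 on a script upload into a web-served directory is far more urgent than a 403.<br />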
==== Alerts Description ====<br />
<br />
{| class="wikitable"<br />
|+ style="caption-side:bottom; color:#e76700;"|''Alert Details Table''<br />
|-<br />
|'''Alert Name'''<br />
|'''Description'''<br />
|'''Suggested Resolution'''<br />
|-<br />
|Apache excessive web server errors from same source ip<br />
|This alert is triggered when the same source IP receives multiple error responses (4xx/5xx) from the Apache webserver within one minute.<br />
|Multiple errors from the same source_ip within a minute typically indicate vulnerability scanning, directory brute forcing or a denial-of-service attempt.<br />
A denial-of-service (DoS) attack prevents the server from serving legitimate users with a response to their requests. DoS attacks from anonymous sources can be mitigated with a web application firewall that inspects the HTTP traffic and stops requests that appear malicious or come from unauthorised sources.<br />
Check the reputation of the client IP address and block it if necessary. Rule out benign causes first, such as a broken link, a crawler or a misconfigured monitoring probe, before blocking.<br />
|-<br />
|Apache dangerous content posted to webserver<br />
|This alert is triggered when a client POSTs potentially dangerous files to the webserver within one minute.<br />
|A client has posted potentially dangerous files such as executables, scripts or shared objects to the webserver.<br />
Check the upload activity of that client and verify the uploaded content for policy violations. An upload that succeeded (2xx response) into a web-served directory should be treated as a possible web shell until verified.<br />
|-<br />
|Apache communication with possible IOC or bad IP<br />
|This alert is triggered when a malicious or bad-reputation IP communicates with the Apache webserver.<br />
|KHIKA shares community based threat intelligence (TI) every 24 hours. The TI is a list of IP addresses with bad reputation. Every bad IP is marked with the number of communities reporting it, the name of each community and a confidence score indicating how confident we are about the reputation. This alert is generated when communication with a bad IP is let through.<br />
<br />
If communication with a bad IP is happening, it must be blocked immediately as it could be a possible attack or data exfiltration.<br />
You can check how long this communication has been happening by simply searching for the malicious IP in the logs. You can also check which internal IP addresses are communicating with this IP address and track the real users behind those internal IP addresses.<br />
Cross-check the reputation of the IP with popular websites such as ipvoid.com and virustotal.com.<br />
If you see an internal IP constantly involved in malicious communication (with the same or multiple external IP addresses), you may install agents on the internal nodes involved and check the real user and process responsible for this communication.<br />
It is critical to block this rogue communication.<br />
|}</div>Dhanashree kulkarnihttp://khika.com/wiki/index.php?title=KHIKA_App_for_Apache_WebServer&diff=3055KHIKA App for Apache WebServer2020-04-02T12:44:04Z<p>Dhanashree kulkarni: /* Some suggestions for useful interaction with this dashboard could be : */</p>
<hr />
<div>== Introduction ==<br />
Apache webservers run critical business applications in organisations. Monitoring them is important from both a security and an operational standpoint.<br />
<br />
With KHIKA App for Apache Webserver, you can :<br />
*Monitor hundreds of servers in one central place.<br />
*Analyse the HTTP error statuses returned for accessed URLs on your servers.<br />
*See the top accessed URLs and the count of hits on your servers.<br />
*Monitor the total requests per client IP on your servers.<br />
<br />
We explain below the steps to configure KHIKA App for Apache Webserver and to interpret its output.<br />
The key parts are :<br />
#Install the KHIKA App for Apache Webserver<br />
#Get data from your Apache Webserver into KHIKA Aggregator<br />
<br />
== How to Install the KHIKA App for Apache WebServer? ==<br />
<br />
It is assumed, that you have already configured KHIKA Data Aggregator in your environment. If not, please read [[Getting Started with KHIKA SaaS#Installing and configuring KHIKA Data Aggregator|how to configure KHIKA Data Aggregator]] and perform the pre-requisite steps.<br />
<br />
This section explains how to pick and install the KHIKA application for Apache WebServer. Installing the application shall put together and activate the adapter (parser) that can handle the webserver data format, the dashboards and the alert rules which are preconfigured. <br />
<br />
Go to “Applications” tab in the “Configure” menu. <br />
<br />
[[File:Apache_1.JPG|700px]]<br />
<br />
Check whether the appropriate Workspace is selected.<br />
Note: Application is always loaded in a Workspace. Read the section on [[Accessing the KHIKA Gui#Creating a Workspace|Workspaces]] to know more about KHIKA Workspaces.<br />
Also select your KHIKA aggregator name in the Node dropdown. <br />
This is to ensure that we are collecting data from the desired source and into the correct workspace which is ready with the configured application and components.<br />
<br />
[[File:Apache_2.jpg|700px]]<br />
<br />
Click on the “+” button. A pop up appears.<br />
<br />
[[File:Apache_install_full.JPG|700px]]<br />
<br />
Users can now select the contents of the application required. For example, on the dropdown for “Reports”, click to expand it. List of all reports can be seen. User can individually select the reports required by checking on the checkbox next to each. Alternatively, check on “Select All” option to get all of them. <br />
Similarly you can select contents from Alerts and Dashboards.<br />
<br />
[[KHIKA Reports|What are KHIKA Reports]]<br />
<br />
[[KHIKA Dashboards|What are KHIKA Dashboards]]<br />
<br />
[[KHIKA Alerts & Correlations|What are KHIKA Alerts]]<br />
<br />
Click “OK” to proceed with the installation of the selected Application. <br />
After successful installation, following status should be displayed :<br />
<br />
[[File:Full_app_install.JPG|700px]]<br />
<br />
This simple procedure to install a KHIKA App, automatically configures the Adapter (required for parsing the data from raw syslogs), calculated KHIKA reports on raw data, Visualizations, Dashboards and Alerts – all in one click.<br />
<br />
== How to get your Apache Webserver data into KHIKA ? ==<br />
<br />
KHIKA recommends, popular open source OSSEC integration to monitor the Apache webservers. <br />
There are 2 components in OSSEC Integration with KHIKA. <br />
#OSSEC Agent – Installed on each webserver which we wish to monitor<br />
#OSSEC Server – Present on KHIKA Data Aggregator <br />
<br />
The OSSEC agent and server communicate with each other using a unique key pairing mechanism. <br />
The main steps to start getting data from a Linux server are :<br />
#Install Ossec agent on the webserver (for Linux)<br />
#Add the webserver details in KHIKA<br />
#Extract a unique key for this device from KHIKA<br />
#Insert this key in the Ossec agent (ie. on respective webserver to be monitored)<br />
#Reload Configuration<br />
#Verify data collection<br />
<br />
Each of these steps is explained in detail in the further sections.<br />
<br />
== Installing OSSEC Agent for Apache Server ==<br />
<br />
Download [https://goo.gl/86gRQL Linux Ossec Agent from here].<br><br />
For Linux Agent, Please check your OS version and select appropriate downloader file.<br><br />
Version 5: '''ossec_TL_Agent_5.11.tar.gz'''<br><br />
Version 6: '''ossec_TL_Agent_6.x.tar.gz'''<br><br />
Version 7: '''ossec_TL_Agent.tar.gz'''<br><br />
<br />
Copy the downloaded installer on your server that you wish to monitor using KHIKA and run the installer with "root" credentials on the Server. <br />
Please Note : It is extremely important to install the OSSEC agent with "root" privileges as this agent reads the '''/var/log/secure, /var/log/messages''' and some other important files. In order to read it successfully the ossec-agent process must be installed with "root" privileges.<br />
<br />
You will have to run the following command as "root" user to install the Ossec Agent:-<br />
Remove/rename ossec directory if already exists on the agent. ie. our Linux server.<br />
'''mv /opt/ossec /opt/ossec_bak'''<br />
Go to the location where you have copied the Ossec agent installer mentioned above. Extract it using the following command<br />
'''tar –zxvf ossec_TL_Agent.tar.gz'''<br />
<br />
Then go to that directory using the cd command. You shall see a script by the name install.sh<br />
<br />
Then Run following command.<br />
'''"sudo ./install.sh"''' (you need not do sudo if you have already logged in as root)<br />
<br />
[[File:Linux5.jpg|700px]]<br />
<br />
Now, add KHIKA Data Aggregator IP address (OSSEC server IP address) to point the OSSEC agent to the OSSEC server.<br />
<br />
[[File:Linux6.jpg|700px]]<br />
<br />
NOTE: You will have to repeat these steps on each of the Servers that you wish to monitor using KHIKA.<br />
<br />
For getting apache logs we need to add the following section in agent.conf<br />
<localfile><br />
<log_format>apache</log_format><br />
<location>/var/log/httpd/access_log</location><br />
</localfile><br />
<br />
== Adding the device in the Adaptor ==<br />
<br />
Go to Adapter tab in the “Configure” menu.<br />
Next to our “apache_webserver_adapter”, click on the “Manage Devices” icon. <br />
<br />
[[File:Apache_manage_device.jpg|700px]]<br />
<br />
Pop up appears for device details <br />
<br />
[[File:Linux8.jpg|700px]]<br />
<br />
Click on “Add / Modify Device” tab. Another pop up appears for device details.<br />
<br />
[[File:Apache_device_name.JPG|700px]]<br />
<br />
Enter the expected device name. Also, in the field for IP address, enter “any”. <br />
'''Please note : Always enter the IP Address as “any”.''' This is a safe and sure option to establish a connection with the server where we are suggesting ossec agent to use “any” of its configured IPs to be used to connect with the OSSEC Server. The device may have multiple NIC cards/IP addresses and unless we are sure of what IP will be used for connection, the connect will fail. Hence, use “any”<br />
<br />
Select appropriate time zone of this device. In the “Node” field dropdown, select the name of the Aggregator or local data collector for this device. <br />
Click on Submit. We get a success message and device is added successfully to this adaptor. <br />
<br />
[[File:Apache_device_add.JPG|500px]]<br />
<br />
== Extract key from KHIKA OSSEC Server ==<br />
<br />
Now the expected Windows server is added in the relevant KHIKA Adapter or parser that will parse this data type. To see this device entry, click on “Manage Devices” icon next to the adaptor .<br />
<br />
[[File:Apache_manage_device.jpg|500px]]<br />
<br />
A pop up with device details of the adaptor appears. Select “List of Devices” tab.<br />
<br />
[[File:Apache_list_device.JPG|500px]]<br />
<br />
Click on the “Get OSSEC Key” icon next to this device. <br />
<br />
[[File:Apache_key.jpg|500px]]<br />
<br />
[[File:Apache_extracted_key.JPG|500px]]<br />
<br />
This is the unique key for this device created by the OSSEC server. Paste this key in the Ossec agent which is installed on this Windows server.<br />
<br />
== Insert unique OSSEC key in OSSEC Agent on the Linux Server ==<br />
<br />
Perform following simple steps on the Apache server Agent <br />
*Login as "root" on the agent server<br />
*Please note OSSEC Server listens on UDP port 1514 and the firewall between the ossec agent and ossec server must be open for UDP protocol and 1514 port.<br />
*In the OSSEC Agent installation directory, run manage-agent script from <br />
sudo /opt/ossec/bin/manage_agents<br />
*You'll be presented with these options<br />
<br />
[[File:Linux14.jpg|700px]]<br />
<br />
Select "I" to import the key (which we created in above section, on the Ossec server)<br />
*Copy and paste the key generated on the server <br />
*Restart the agent using command /opt/ossec/bin/ossec-control restart<br />
*Repeat these steps for each server to be monitored.<br />
*Finally, go to Workspace tab and click on “Apply Configuration” icon.<br />
<br />
[[File:Apache_workspace.jpg|700px]]<br />
<br />
== Reload Configuration ==<br />
<br />
Login into the KHIKA portal. <br />
*Go to Configure<br />
*Select workspace, eg. Apache_WebServer <br />
*Go to Node Tab <br />
*Click Reload Config<br />
<br />
[[File:Apache_reload.jpg|700px]]<br />
<br />
This step restarts OSSEC Server.<br />
Wait for a few minutes for server to restart.<br />
<br />
== Verifying OSSEC data collection ==<br />
<br />
Once the device is added successfully, we can check the data for this device on Discover screen. Go to “Discover” from the main menu. <br />
Select the appropriate index for the same. Raw (khika formatted) data of all your Apache webservers added in KHIKA so far, is seen here. <br />
<br />
[[File:Linux17.jpg|700px]]<br />
<br />
To see the data for our newly added device, enter search string in lower case – <br />
tl_src_host : name_of_the_device_added_in_lower_case <br />
and click on the search icon.<br />
<br />
== How to check the output of KHIKA Apache WebServer App ? ==<br />
<br />
<br />
=== Webserver Http Error Status Dashboard ===<br />
<br />
This dashboard shows HTTP status codes for accessed URLs. This dashboard shows top 10 URLs which are accessed most, and related details like server IP and HTTP status code. <br />
<br />
==== Elements in the Dashboard are explained below : ====<br />
<br />
{| class="wikitable"<br />
|+ style="caption-side:bottom; color:#e76700;"|''Webserver Http Error Status Dashboard''<br />
|-<br />
|'''Visualization'''<br />
|'''Description'''<br />
|-<br />
|Contribution of Status<br />
|This pie chart shows different types of status like 403,503.<br />
|-<br />
|Contribution of Server IP<br />
|This pie chart shows contribution of serverIP.<br />
|-<br />
|Contribution of URL<br />
|This pie chart shows different types of URL.<br />
|-<br />
|Time trend<br />
|Trend of login events over time. Useful to identify unusual spikes at a glance.<br/><br/>X axis : date & time<br/>Y axis : count of events<br />
|-<br />
|Summary Table<br />
|Detailed data with timestamp and count<br />
<br />
|}<br />
<br />
==== Some suggestions for useful interaction with this dashboard could be : ====<br />
<br />
#In the "Contribution of Status" pie, click and select any one status code. This shall isolate respective status code and URLs accessed for that selected serverIP and is reflected across the dashboard. i.e the other pie charts, time trends and summary table shall show filtered information for this serverIP only.<br />
#Alternatively, in the "Contribution of Server IP" pie, click and select any one server IP. This shall isolate respective server IP and URL accessed for that selected Server IP and reflected across the dashboard.<br />
<br />
=== Report_Webserver_Top_N_URLs Dashboard ===<br />
<br />
This dashboard shows top URL's. Also gives the detail about domain and top hits on server. <br />
<br />
==== Elements in the Dashboard are explained below : ====<br />
<br />
{| class="wikitable"<br />
|+ style="caption-side:bottom; color:#e76700;"|''Report_Webserver_Top_N_URLs Dashboard''<br />
|-<br />
|'''Visualization'''<br />
|'''Description'''<br />
|-<br />
|Contribution of URL<br />
|This pie chart shows different types of URL accessed by server.<br />
|-<br />
|Server Name wise Request Hits<br />
|X axis : Name of Servers<br/>Y axis : Count of such request hits for each server.<br />
|-<br />
|Time trend<br />
|Trend of login events over time. Useful to identify unusual spikes at a glance.<br/><br/>X axis : date & time<br/>Y axis : count of events<br />
|-<br />
|Contribution of Domain<br />
|This pie chart shows different types of domain.<br />
|-<br />
|Summary Table<br />
|Detailed data with timestamp and count<br />
<br />
|}<br />
<br />
==== Some suggestions for useful interaction with this dashboard could be : ====<br />
<br />
#On the pie chart "Contribution of URL", select any one URL. This isolates the number of hits for the selected URL and also shows the server names and domain for it across the dashboard, i.e. the other pie charts, time trends and summary table show filtered information for this selection only. <br />
#In the "Contribution of Domain" pie, click on any one domain. A filter is applied for the selected domain, and the rest of the elements on the dashboard then show data for that domain only, such as the URLs and server names for this domain.<br />
<br />
=== Report_Webserver_Total_Request_Per_ClientIP Dashboard ===<br />
<br />
This dashboard shows the top client IPs and the total requests from a selected client IP.<br />
<br />
==== Elements in the Dashboard are explained below : ====<br />
<br />
{| class="wikitable"<br />
|+ style="caption-side:bottom; color:#e76700;"|''Report_Webserver_Total_Request_Per_ClientIP Dashboard''<br />
|-<br />
|'''Visualization'''<br />
|'''Description'''<br />
|-<br />
|Contribution of Server Name<br />
|This pie chart shows Contribution of servers.<br />
|-<br />
|Client IP wise Request<br />
|X axis : ClientIP(s)<br/>Y axis : Count of request hits for that clientIP.<br />
|-<br />
|Time trend<br />
|Trend of login events over time. Useful to identify unusual spikes at a glance.<br/><br/>X axis : date & time<br/>Y axis : count of events<br />
|-<br />
|Summary Table<br />
|Detailed data with timestamp and count<br />
<br />
|}<br />
<br />
==== Some suggestions for useful interaction with this dashboard could be : ====<br />
<br />
#In the graph "Client IP wise Request", click and select any one client IP. This isolates the request hits for the selected client IP, and the filter is reflected across the dashboard, i.e. the other pie charts, time trends and summary table show filtered information for this client IP only.<br />
#In the pie "Contribution of Server Name", click and select any one server name. This isolates the client IPs and request hits for that server name, and the filter is reflected across the dashboard.<br />
<br />
=== Report_Webserver_Traffic_Categorization Dashboard ===<br />
<br />
This dashboard categorizes traffic as DIRECT or REFERRED. It also shows the referrer per client IP, the top URLs and the servers.<br />
<br />
==== Elements in the Dashboard are explained below : ====<br />
<br />
{| class="wikitable"<br />
|+ style="caption-side:bottom; color:#e76700;"|''Report_Webserver_Traffic_Categorization Dashboard''<br />
|-<br />
|'''Visualization'''<br />
|'''Description'''<br />
|-<br />
|Server IP wise Category<br />
|X axis : ServerIP<br/> Y axis : count of Category.<br />
|-<br />
|Client IP wise Referrer<br />
|X axis : ClientIP<br/> Y axis : count of Referrer.<br />
|-<br />
|Contribution of URL<br />
|This pie chart shows Contribution of different types of URL.<br />
|-<br />
| Contribution of Server Name<br />
|This pie chart shows Contribution of server name.<br />
|-<br />
|Contribution of Referrer<br />
|This pie chart shows Contribution of different types of Referrer.<br />
|-<br />
|Time trend<br />
|Trend of login events over time. Useful to identify unusual spikes at a glance.<br/><br/>X axis : date & time <br/>Y axis : count of events<br />
|-<br />
|Summary Table<br />
|Detailed data with timestamp and count<br />
<br />
|}<br />
<br />
==== Some suggestions for useful interaction with this dashboard could be : ====<br />
<br />
#On the bar graph "Server IP wise Category", select any one server IP. This isolates the category and its count for the selected server IP, as well as the domain and accessed URLs for that server IP, across the dashboard, i.e. the other pie charts, time trends and summary table show filtered information for this server IP only. <br />
#Inversely, in the bar graph "Client IP wise Referrer", click on any one client IP to select it; the rest of the elements on the dashboard then show data for that client IP only.<br />
<br />
=== Report_Webserver_Top_N_Referers Dashboard ===<br />
<br />
This dashboard shows the top referrers, along with details of the domain and the top hits per server.<br />
<br />
==== Elements in the Dashboard are explained below : ====<br />
<br />
{| class="wikitable"<br />
|+ style="caption-side:bottom; color:#e76700;"|''Report_Webserver_Top_N_Referers Dashboard''<br />
|-<br />
|'''Visualization'''<br />
|'''Description'''<br />
|-<br />
|Contribution of Domain<br />
|This pie chart shows contribution of different types of Domain.<br />
|-<br />
|Server Name wise Hits<br />
|X axis : ServerName(s)<br/> Y axis :servername wise hits.<br />
|-<br />
|Contribution of Referrer<br />
|This pie chart shows contribution of different types of Referrer.<br />
|-<br />
|Time trend<br />
|Trend of login events over time. Useful to identify unusual spikes at a glance.<br/><br/>X axis : date & time<br/>Y axis : count of events<br />
|-<br />
|Summary Table<br />
|Detailed data with timestamp and count<br />
<br />
|}<br />
<br />
==== Some suggestions for useful interaction with this dashboard could be : ====<br />
<br />
#On the bar graph "Contribution of Referrer", select any one referrer. This isolates the count of request hits for the selected referrer and also shows the domain and server name for it across the dashboard, i.e. the other pie charts, time trends and summary table show filtered information for this referrer only. <br />
#Inversely, in the "Contribution of Domain" pie, click on any one domain to select it; the rest of the elements on the dashboard then show data for that domain only.<br />
<br />
=== Report_Webserver_Referrer_Detail Dashboard ===<br />
<br />
This dashboard shows referrer details. It also shows the top URLs, the client IPs that requested each URL, and the server name.<br />
<br />
==== Elements in the Dashboard are explained below : ====<br />
<br />
{| class="wikitable"<br />
|+ style="caption-side:bottom; color:#e76700;"|''Report_Webserver_Referrer_Detail Dashboard''<br />
|-<br />
|'''Visualization'''<br />
|'''Description'''<br />
|-<br />
|Contribution of Referrer<br />
|This pie chart shows contribution of different types of Referrer.<br />
|-<br />
|Contribution of URL<br />
|This pie chart shows contribution of different types of URL .<br />
|-<br />
| Server Name wise Hits<br />
|X axis : Servername<br/>Y axis : Count of request hits for that Servername.<br />
|-<br />
| Client IP wise Hits<br />
|X axis : ClientIP<br/>Y axis : Count of request hits for that Client IP.<br />
|-<br />
|Time trend<br />
|Trend of login events over time. Useful to identify unusual spikes at a glance.<br/><br/>X axis : date & time<br/>Y axis : count of events<br />
|-<br />
|Summary Table<br />
|Detailed data with timestamp and count<br />
<br />
|}<br />
<br />
==== Some suggestions for useful interaction with this dashboard could be : ====<br />
<br />
#In the pie chart "Contribution of Referrer", click and select any one referrer type. This isolates the count of hits for the selected type and also shows the server name and accessed URLs for that referrer type, reflected across the dashboard, i.e. the other pie charts, time trends and summary table show filtered information for this referrer type only.<br />
#Alternatively, in the graph "Client IP wise Hits", click and select any one client IP. This isolates the request hits and also shows the referrer and accessed URLs for that client IP, reflected across the dashboard.<br />
<br />
=== KHIKA Alerts for Apache WebServer ===<br />
<br />
Alerts are generated in real time when certain critical behavior is observed in the system. They are shown on the Alerts Dashboard in KHIKA and can also be sent by email to the relevant stakeholders. The details of KHIKA Alerts are mentioned here. <br />
Click on “Alert Dashboard” in the left menu.<br />
Certain alerts for Windows are pre-canned and shipped with KHIKA, keeping in mind the requirements of the users. They are listed in the table below :<br />
<br />
==== Alerts Description ====<br />
<br />
{| class="wikitable"<br />
|+ style="caption-side:bottom; color:#e76700;"|''Alert Details Table''<br />
|-<br />
|'''Alert Name'''<br />
|'''Description'''<br />
|'''Suggested Resolution'''<br />
|-<br />
|Apache excessive web server errors from same source ip<br />
|This alert is triggered when the same source IP repeatedly communicates with the Apache web server and receives error responses within one minute.<br />
|Multiple errors are being received from the same source_ip. Possible DDoS attack.<br />
A denial of service (DoS) attack is an attack where the server is prevented from serving legitimate users with a response to their requests. DoS attacks from anonymous sources can be prevented by implementing a web server firewall that inspects the entire HTTP traffic and stops any packet that appears malicious or originates from a source that is not authorized.<br />
Check the reputation of the client IP address and block it if necessary.<br />
|-<br />
|Apache dangerous content posted to webserver<br />
|This alert is triggered when any source attempts to post potentially dangerous files to the web server within one minute.<br />
|Apache dangerous content posted to webserver. Victim has posted some potentially dangerous files such as executables, scripts, shared objects, etc. on the web server.<br />
Check the upload activity done by the user and verify the uploaded content for policy violations.<br />
|-<br />
|Apache communication with possible IOC or bad IP<br />
|This alert is triggered when malicious/bad IPs attempt to communicate with the Apache web server.<br />
|KHIKA shares community based threat intelligence (TI) every 24 hours. The TI has a list of IP addresses with bad reputation. Every bad IP is marked with the number of communities reporting it, the name of each community and a confidence value indicating how confident we are about the reputation. This alert is generated when communication with a bad IP is let through.<br />
<br />
If communication with a bad IP is happening, it must be blocked immediately, as it could be a possible attack or data exfiltration. <br />
You can check how long this communication has been happening by simply searching for the malicious IP in the logs. You can also check which internal IP addresses are communicating with this IP address and track the real users behind those internal IP addresses.<br />
Cross-check the reputation of the IP with popular websites such as ipvoid.com and virustotal.com.<br />
If you see an internal IP constantly getting involved in malicious communication (with the same or multiple external IP addresses), you may install agents on the internal nodes involved and check the real user and process responsible for this communication.<br />
It is critical to block this rogue communication.<br />
|}</div>Dhanashree kulkarnihttp://khika.com/wiki/index.php?title=KHIKA_App_for_Apache_WebServer&diff=3054KHIKA App for Apache WebServer2020-04-02T12:42:47Z<p>Dhanashree kulkarni: /* Webserver Http Error Status Dashboard */</p>
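The dashboards described above (contribution of status, top URLs, requests per client IP, DIRECT/REFERRED categorization) and the three alerts in the Alert Details Table are all derived from fields of the Apache access log. The following Python block is an added illustration of that logic over constructed sample log lines; it is not KHIKA's own parser or alert rules, and the error threshold, the list of "dangerous" file extensions and the threat-intelligence list are assumptions made for the example.

```python
"""Apache combined-format access log analysis for the dashboards and alerts on
this page.  Added example, not KHIKA's own parser or alert rules; thresholds,
extension list and threat-intelligence list are assumptions."""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Apache "combined" LogFormat: %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
LOG_RE = re.compile(
    r'(?P<client_ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) \S+" (?P<status>\d{3}) \S+ '
    r'"(?P<referrer>[^"]*)" "(?P<user_agent>[^"]*)"')
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"

# Assumed tuning (not from the page): 5 error responses from one client inside a
# one-minute window, and the file extensions that count as "dangerous content".
ERROR_THRESHOLD = 5
ERROR_WINDOW = timedelta(minutes=1)
DANGEROUS_EXT = (".exe", ".dll", ".so", ".sh", ".php", ".py", ".pl", ".bat")

# Constructed sample log (documentation IP ranges); the last line is deliberately malformed.
SAMPLE_LOG = """\
203.0.113.7 - - [02/Apr/2020:12:00:01 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
203.0.113.7 - - [02/Apr/2020:12:00:05 +0000] "GET /admin HTTP/1.1" 403 512 "http://example.com/" "Mozilla/5.0"
203.0.113.7 - - [02/Apr/2020:12:00:10 +0000] "GET /admin HTTP/1.1" 403 512 "http://example.com/" "Mozilla/5.0"
203.0.113.7 - - [02/Apr/2020:12:00:20 +0000] "GET /wp-login.php HTTP/1.1" 404 300 "-" "curl/7.64.1"
203.0.113.7 - - [02/Apr/2020:12:00:30 +0000] "GET /backup HTTP/1.1" 404 300 "-" "curl/7.64.1"
203.0.113.7 - - [02/Apr/2020:12:00:40 +0000] "GET /config HTTP/1.1" 404 300 "-" "curl/7.64.1"
198.51.100.9 - - [02/Apr/2020:12:01:00 +0000] "POST /upload/tool.exe HTTP/1.1" 201 0 "-" "python-requests/2.22.0"
198.51.100.9 - - [02/Apr/2020:12:01:05 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "python-requests/2.22.0"
192.0.2.50 - - [02/Apr/2020:12:02:00 +0000] "GET /index.html HTTP/1.1" 200 1024 "https://search.example/" "Mozilla/5.0"
192.0.2.50 - - [02/Apr/2020:12:03:00 +0000] "GET /index.html HTTP/1.1" 500 0 "-" "Mozilla/5.0"
not a log line at all
"""
# Constructed stand-in for KHIKA's community threat-intelligence (TI) list.
BAD_IPS = {"198.51.100.9", "203.0.113.250"}

def parse_line(line):
    """Return a dict for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FORMAT)
    rec["status"] = int(rec["status"])
    return rec

def load_records(text):
    """Parse a whole log text, skipping blank and malformed lines."""
    return [r for r in map(parse_line, text.splitlines()) if r]

# --- dashboard aggregations ---
def status_contribution(records):
    """'Contribution of Status' pie: events per HTTP status code."""
    return Counter(r["status"] for r in records)

def top_n_urls(records, n=10):
    """'Report_Webserver_Top_N_URLs': most requested URLs with hit counts."""
    return Counter(r["url"] for r in records).most_common(n)

def requests_per_client(records):
    """'Report_Webserver_Total_Request_Per_ClientIP': hits per client IP."""
    return Counter(r["client_ip"] for r in records)

def traffic_categorization(records):
    """'Report_Webserver_Traffic_Categorization': DIRECT (no referrer) vs REFERRED."""
    return Counter("DIRECT" if r["referrer"] in ("", "-") else "REFERRED" for r in records)

# --- alert conditions ---
def excessive_errors(records, threshold=ERROR_THRESHOLD, window=ERROR_WINDOW):
    """'Apache excessive web server errors from same source ip': client IPs with at
    least `threshold` 4xx/5xx responses inside one sliding `window` (peak count)."""
    times_by_ip = defaultdict(list)
    for r in records:
        if r["status"] >= 400:
            times_by_ip[r["client_ip"]].append(r["ts"])
    flagged = {}
    for ip, times in times_by_ip.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # drop timestamps older than the window
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[ip] = max(count, flagged.get(ip, 0))
    return flagged

def dangerous_content_posted(records, extensions=DANGEROUS_EXT):
    """'Apache dangerous content posted to webserver': POSTs whose target path ends
    in an executable, script or shared-object extension (query string ignored)."""
    return [r for r in records if r["method"] == "POST"
            and r["url"].split("?", 1)[0].lower().endswith(extensions)]

def bad_ip_communication(records, bad_ips):
    """'Apache communication with possible IOC or bad IP': client IPs from the log
    that appear in the threat-intelligence list."""
    return sorted({r["client_ip"] for r in records if r["client_ip"] in bad_ips})
```

Running `load_records(SAMPLE_LOG)` and passing the result to each function reproduces the dashboard counts and fires all three alerts on the constructed data: 203.0.113.7 accumulates five error responses inside 35 seconds, 198.51.100.9 posts a `.exe` and is also on the constructed TI list. The sliding window in `excessive_errors` is the part worth copying: a naive per-calendar-minute bucket misses a burst that straddles a minute boundary, whereas the window here is anchored on each event.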
<hr />
<div>== Introduction ==<br />
Apache Webserver runs critical business applications in organisations. Monitoring them is important, from both a security and an operational standpoint.<br />
<br />
With KHIKA App for Apache Webserver, you can :<br />
*Monitor hundreds of servers at one central place.<br />
*Analyse http error status for accessed URLs on your server.<br />
*See information such as the top accessed URLs and the count of hits on your server.<br />
*Monitor client IP wise total requests on your servers.<br />
<br />
We explain below steps to configure and interpret the output of KHIKA App for Apache Webserver.<br />
The key parts to get here are : <br />
#Install the KHIKA App for Apache Webserver<br />
#Get data from your Apache Webserver into KHIKA Aggregator<br />
<br />
== How to Install the KHIKA App for Apache WebServer? ==<br />
<br />
It is assumed, that you have already configured KHIKA Data Aggregator in your environment. If not, please read [[Getting Started with KHIKA SaaS#Installing and configuring KHIKA Data Aggregator|how to configure KHIKA Data Aggregator]] and perform the pre-requisite steps.<br />
<br />
This section explains how to pick and install the KHIKA application for Apache WebServer. Installing the application shall put together and activate the adapter (parser) that can handle the webserver data format, the dashboards and the alert rules which are preconfigured. <br />
<br />
Go to “Applications” tab in the “Configure” menu. <br />
<br />
[[File:Apache_1.JPG|700px]]<br />
<br />
Check whether the appropriate Workspace is selected.<br />
Note: Application is always loaded in a Workspace. Read the section on [[Accessing the KHIKA Gui#Creating a Workspace|Workspaces]] to know more about KHIKA Workspaces.<br />
Also select your KHIKA aggregator name in the Node dropdown. <br />
This is to ensure that we are collecting data from the desired source and into the correct workspace which is ready with the configured application and components.<br />
<br />
[[File:Apache_2.jpg|700px]]<br />
<br />
Click on the “+” button. A pop up appears.<br />
<br />
[[File:Apache_install_full.JPG|700px]]<br />
<br />
Users can now select the contents of the application required. For example, on the dropdown for “Reports”, click to expand it. List of all reports can be seen. User can individually select the reports required by checking on the checkbox next to each. Alternatively, check on “Select All” option to get all of them. <br />
Similarly you can select contents from Alerts and Dashboards.<br />
<br />
[[KHIKA Reports|What are KHIKA Reports]]<br />
<br />
[[KHIKA Dashboards|What are KHIKA Dashboards]]<br />
<br />
[[KHIKA Alerts & Correlations|What are KHIKA Alerts]]<br />
<br />
Click “OK” to proceed with the installation of the selected Application. <br />
After successful installation, following status should be displayed :<br />
<br />
[[File:Full_app_install.JPG|700px]]<br />
<br />
This simple procedure to install a KHIKA App, automatically configures the Adapter (required for parsing the data from raw syslogs), calculated KHIKA reports on raw data, Visualizations, Dashboards and Alerts – all in one click.<br />
<br />
== How to get your Apache Webserver data into KHIKA ? ==<br />
<br />
KHIKA recommends the popular open source OSSEC integration to monitor Apache webservers. <br />
There are 2 components in OSSEC Integration with KHIKA. <br />
#OSSEC Agent – Installed on each webserver which we wish to monitor<br />
#OSSEC Server – Present on KHIKA Data Aggregator <br />
<br />
The OSSEC agent and server communicate with each other using a unique key pairing mechanism. <br />
The main steps to start getting data from a Linux server are :<br />
#Install Ossec agent on the webserver (for Linux)<br />
#Add the webserver details in KHIKA<br />
#Extract a unique key for this device from KHIKA<br />
#Insert this key in the Ossec agent (ie. on respective webserver to be monitored)<br />
#Reload Configuration<br />
#Verify data collection<br />
<br />
Each of these steps is explained in detail in the further sections.<br />
<br />
== Installing OSSEC Agent for Apache Server ==<br />
<br />
Download [https://goo.gl/86gRQL Linux Ossec Agent from here].<br><br />
For the Linux agent, check your OS version and select the appropriate installer file.<br><br />
Version 5: '''ossec_TL_Agent_5.11.tar.gz'''<br><br />
Version 6: '''ossec_TL_Agent_6.x.tar.gz'''<br><br />
Version 7: '''ossec_TL_Agent.tar.gz'''<br><br />
<br />
Copy the downloaded installer on your server that you wish to monitor using KHIKA and run the installer with "root" credentials on the Server. <br />
Please Note : It is extremely important to install the OSSEC agent with "root" privileges as this agent reads the '''/var/log/secure, /var/log/messages''' and some other important files. In order to read it successfully the ossec-agent process must be installed with "root" privileges.<br />
<br />
Run the following commands as the "root" user to install the OSSEC agent.<br />
Remove or rename the ossec directory if it already exists on the agent, i.e. our Linux server:<br />
'''mv /opt/ossec /opt/ossec_bak'''<br />
Go to the location where you copied the OSSEC agent installer mentioned above and extract it using the following command (use the file name you downloaded for your OS version):<br />
'''tar -zxvf ossec_TL_Agent.tar.gz'''<br />
<br />
Then go to that directory using the cd command. You shall see a script by the name install.sh<br />
<br />
Then Run following command.<br />
'''"sudo ./install.sh"''' (you need not do sudo if you have already logged in as root)<br />
<br />
[[File:Linux5.jpg|700px]]<br />
<br />
Now, add KHIKA Data Aggregator IP address (OSSEC server IP address) to point the OSSEC agent to the OSSEC server.<br />
<br />
[[File:Linux6.jpg|700px]]<br />
<br />
NOTE: You will have to repeat these steps on each of the Servers that you wish to monitor using KHIKA.<br />
<br />
To collect Apache access logs, add the following section to agent.conf:<br />
<localfile><br />
<log_format>apache</log_format><br />
<location>/var/log/httpd/access_log</location><br />
</localfile><br />
<br />
== Adding the device in the Adaptor ==<br />
<br />
Go to Adapter tab in the “Configure” menu.<br />
Next to our “apache_webserver_adapter”, click on the “Manage Devices” icon. <br />
<br />
[[File:Apache_manage_device.jpg|700px]]<br />
<br />
Pop up appears for device details <br />
<br />
[[File:Linux8.jpg|700px]]<br />
<br />
Click on “Add / Modify Device” tab. Another pop up appears for device details.<br />
<br />
[[File:Apache_device_name.JPG|700px]]<br />
<br />
Enter the expected device name. Also, in the field for IP address, enter “any”. <br />
'''Please note : Always enter the IP Address as “any”.''' This is a safe and sure option to establish a connection with the server, as it tells the OSSEC agent to use “any” of its configured IPs to connect with the OSSEC Server. The device may have multiple NIC cards/IP addresses, and unless we are sure which IP will be used for the connection, the connection will fail. Hence, use “any”.<br />
<br />
Select appropriate time zone of this device. In the “Node” field dropdown, select the name of the Aggregator or local data collector for this device. <br />
Click on Submit. We get a success message and device is added successfully to this adaptor. <br />
<br />
[[File:Apache_device_add.JPG|500px]]<br />
<br />
== Extract key from KHIKA OSSEC Server ==<br />
<br />
Now the expected Windows server is added in the relevant KHIKA Adapter or parser that will parse this data type. To see this device entry, click on “Manage Devices” icon next to the adaptor .<br />
<br />
[[File:Apache_manage_device.jpg|500px]]<br />
<br />
A pop up with device details of the adaptor appears. Select “List of Devices” tab.<br />
<br />
[[File:Apache_list_device.JPG|500px]]<br />
<br />
Click on the “Get OSSEC Key” icon next to this device. <br />
<br />
[[File:Apache_key.jpg|500px]]<br />
<br />
[[File:Apache_extracted_key.JPG|500px]]<br />
<br />
This is the unique key for this device created by the OSSEC server. Paste this key in the Ossec agent which is installed on this Windows server.<br />
<br />
== Insert unique OSSEC key in OSSEC Agent on the Linux Server ==<br />
<br />
Perform the following steps on the Apache server agent: <br />
*Login as "root" on the agent server.<br />
*Please note that the OSSEC Server listens on UDP port 1514, so the firewall between the OSSEC agent and OSSEC server must allow UDP traffic on port 1514.<br />
*In the OSSEC Agent installation directory, run the manage_agents script: <br />
 sudo /opt/ossec/bin/manage_agents<br />
*You'll be presented with these options<br />
<br />
[[File:Linux14.jpg|700px]]<br />
<br />
*Select "I" to import the key (which we created in the section above, on the OSSEC server).<br />
*Copy and paste the key generated on the server <br />
*Restart the agent using command /opt/ossec/bin/ossec-control restart<br />
*Repeat these steps for each server to be monitored.<br />
*Finally, go to Workspace tab and click on “Apply Configuration” icon.<br />
<br />
[[File:Apache_workspace.jpg|700px]]<br />
<br />
== Reload Configuration ==<br />
<br />
Login into the KHIKA portal. <br />
*Go to Configure<br />
*Select workspace, eg. Apache_WebServer <br />
*Go to Node Tab <br />
*Click Reload Config<br />
<br />
[[File:Apache_reload.jpg|700px]]<br />
<br />
This step restarts OSSEC Server.<br />
Wait for a few minutes for server to restart.<br />
<br />
== Verifying OSSEC data collection ==<br />
<br />
Once the device is added successfully, we can check the data for this device on the Discover screen. Go to “Discover” from the main menu. <br />
Select the appropriate index. The raw (KHIKA formatted) data of all the Apache webservers added in KHIKA so far is seen here. <br />
<br />
[[File:Linux17.jpg|700px]]<br />
<br />
To see the data for our newly added device, enter search string in lower case – <br />
tl_src_host : name_of_the_device_added_in_lower_case <br />
and click on the search icon.<br />
<br />
== How to check the output of KHIKA Apache WebServer App ? ==<br />
<br />
<br />
=== Webserver Http Error Status Dashboard ===<br />
<br />
This dashboard shows HTTP status codes for accessed URLs: the top 10 most accessed URLs, along with related details such as server IP and HTTP status code. <br />
<br />
==== Elements in the Dashboard are explained below : ====<br />
<br />
{| class="wikitable"<br />
|+ style="caption-side:bottom; color:#e76700;"|''Webserver Http Error Status Dashboard''<br />
|-<br />
|'''Visualization'''<br />
|'''Description'''<br />
|-<br />
|Contribution of Status<br />
|This pie chart shows the different types of status codes, such as 403 and 503.<br />
|-<br />
|Contribution of Server IP<br />
|This pie chart shows contribution of serverIP.<br />
|-<br />
|Contribution of URL<br />
|This pie chart shows different types of URL.<br />
|-<br />
|Time trend<br />
|Trend of login events over time. Useful to identify unusual spikes at a glance.<br/><br/>X axis : date & time<br/>Y axis : count of events<br />
|-<br />
|Summary Table<br />
|Detailed data with timestamp and count<br />
<br />
|}<br />
<br />
==== Some suggestions for useful interaction with this dashboard could be : ====<br />
<br />
#In the "Contribution of Status" pie, click and select any one status code. This isolates the selected status code and the URLs accessed with it, and the filter is reflected across the dashboard, i.e. the other pie charts, time trends and summary table show filtered information for this selection only.<br />
#Alternatively, in the "Contribution of Server IP" pie, click and select any one server IP. This isolates the selected server IP and the URLs accessed on it, and the filter is reflected across the dashboard.<br />
<br />
=== Report_Webserver_Top_N_URLs Dashboard ===<br />
<br />
This dashboard shows the top URLs, along with details of the domain and the top hits per server. <br />
<br />
==== Elements in the Dashboard are explained below : ====<br />
<br />
{| class="wikitable"<br />
|+ style="caption-side:bottom; color:#e76700;"|''Report_Webserver_Top_N_URLs Dashboard''<br />
|-<br />
|'''Visualization'''<br />
|'''Description'''<br />
|-<br />
|Contribution of URL<br />
|This pie chart shows different types of URL accessed by server.<br />
|-<br />
|Server Name wise Request Hits<br />
|X axis : Name of Servers<br/>Y axis : Count of such request hits for each server.<br />
|-<br />
|Time trend<br />
|Trend of login events over time. Useful to identify unusual spikes at a glance.<br/><br/>X axis : date & time<br/>Y axis : count of events<br />
|-<br />
|Contribution of Domain<br />
|This pie chart shows different types of domain.<br />
|-<br />
|Summary Table<br />
|Detailed data with timestamp and count<br />
<br />
|}<br />
<br />
==== Some suggestions for useful interaction with this dashboard could be : ====<br />
<br />
#On the pie chart "Contribution of URL", select any one URL. This isolates the number of hits for the selected URL and also shows the server names and domain for it across the dashboard, i.e. the other pie charts, time trends and summary table show filtered information for this selection only. <br />
#In the "Contribution of Domain" pie, click on any one domain. A filter is applied for the selected domain, and the rest of the elements on the dashboard then show data for that domain only, such as the URLs and server names for this domain.<br />
<br />
=== Report_Webserver_Total_Request_Per_ClientIP Dashboard ===<br />
<br />
This dashboard shows the top client IPs and the total requests from a selected client IP.<br />
<br />
==== Elements in the Dashboard are explained below : ====<br />
<br />
{| class="wikitable"<br />
|+ style="caption-side:bottom; color:#e76700;"|''Report_Webserver_Total_Request_Per_ClientIP Dashboard''<br />
|-<br />
|'''Visualization'''<br />
|'''Description'''<br />
|-<br />
|Contribution of Server Name<br />
|This pie chart shows Contribution of servers.<br />
|-<br />
|Client IP wise Request<br />
|X axis : ClientIP(s)<br/>Y axis : Count of request hits for that clientIP.<br />
|-<br />
|Time trend<br />
|Trend of login events over time. Useful to identify unusual spikes at a glance.<br/><br/>X axis : date & time<br/>Y axis : count of events<br />
|-<br />
|Summary Table<br />
|Detailed data with timestamp and count<br />
<br />
|}<br />
<br />
==== Some suggestions for useful interaction with this dashboard could be : ====<br />
<br />
#In the graph "Client IP wise Request", click and select any one client IP. This isolates the request hits for the selected client IP, and the filter is reflected across the dashboard, i.e. the other pie charts, time trends and summary table show filtered information for this client IP only.<br />
#In the pie "Contribution of Server Name", click and select any one server name. This isolates the client IPs and request hits for that server name, and the filter is reflected across the dashboard.<br />
<br />
=== Report_Webserver_Traffic_Categorization Dashboard ===<br />
<br />
This dashboard categorizes traffic as DIRECT or REFERRED. It also shows the referrer per client IP, the top URLs and the servers.<br />
<br />
==== Elements in the Dashboard are explained below : ====<br />
<br />
{| class="wikitable"<br />
|+ style="caption-side:bottom; color:#e76700;"|''Report_Webserver_Traffic_Categorization Dashboard''<br />
|-<br />
|'''Visualization'''<br />
|'''Description'''<br />
|-<br />
|Server IP wise Category<br />
|X axis : ServerIP<br/> Y axis : count of Category.<br />
|-<br />
|Client IP wise Referrer<br />
|X axis : ClientIP<br/> Y axis : count of Referrer.<br />
|-<br />
|Contribution of URL<br />
|This pie chart shows Contribution of different types of URL.<br />
|-<br />
| Contribution of Server Name<br />
|This pie chart shows Contribution of server name.<br />
|-<br />
|Contribution of Referrer<br />
|This pie chart shows Contribution of different types of Referrer.<br />
|-<br />
|Time trend<br />
|Trend of login events over time. Useful to identify unusual spikes at a glance.<br/><br/>X axis : date & time <br/>Y axis : count of events<br />
|-<br />
|Summary Table<br />
|Detailed data with timestamp and count<br />
<br />
|}<br />
<br />
==== Some suggestions for useful interaction with this dashboard could be : ====<br />
<br />
#On the bar graph "Server IP wise Category", select any one server IP. This isolates the category and its count for the selected server IP, as well as the domain and accessed URLs for that server IP, across the dashboard, i.e. the other pie charts, time trends and summary table show filtered information for this server IP only. <br />
#Inversely, in the bar graph "Client IP wise Referrer", click on any one client IP to select it; the rest of the elements on the dashboard then show data for that client IP only.<br />
<br />
=== Report_Webserver_Top_N_Referers Dashboard ===<br />
<br />
This dashboard shows the top referrers, along with details of the domain and the top hits per server.<br />
<br />
==== Elements in the Dashboard are explained below : ====<br />
<br />
{| class="wikitable"<br />
|+ style="caption-side:bottom; color:#e76700;"|''Report_Webserver_Top_N_Referers Dashboard''<br />
|-<br />
|'''Visualization'''<br />
|'''Description'''<br />
|-<br />
|Contribution of Domain<br />
|This pie chart shows contribution of different types of Domain.<br />
|-<br />
|Server Name wise Hits<br />
|X axis : ServerName(s)<br/> Y axis :servername wise hits.<br />
|-<br />
|Contribution of Referrer<br />
|This pie chart shows contribution of different types of Referrer.<br />
|-<br />
|Time trend<br />
|Trend of login events over time. Useful to identify unusual spikes at a glance.<br/><br/>X axis : date & time<br/>Y axis : count of events<br />
|-<br />
|Summary Table<br />
|Detailed data with timestamp and count<br />
<br />
|}<br />
<br />
==== Some suggestions for useful interaction with this dashboard could be : ====<br />
<br />
#On the bar graph "Contribution of Referrer", select any one referrer. This isolates the count of request hits for the selected referrer and also shows the domain and server name for it across the dashboard, i.e. the other pie charts, time trends and summary table show filtered information for this referrer only. <br />
#Inversely, in the "Contribution of Domain" pie, click on any one domain to select it; the rest of the elements on the dashboard then show data for that domain only.<br />
<br />
=== Report_Webserver_Referrer_Detail Dashboard ===<br />
<br />
This dashboard shows referrer details. It also shows the top URLs, the client IPs that requested each URL, and the server name.<br />
<br />
==== Elements in the Dashboard are explained below : ====<br />
<br />
{| class="wikitable"<br />
|+ style="caption-side:bottom; color:#e76700;"|''Report_Webserver_Referrer_Detail Dashboard''<br />
|-<br />
|'''Visualization'''<br />
|'''Description'''<br />
|-<br />
|Contribution of Referrer<br />
|This pie chart shows contribution of different types of Referrer.<br />
|-<br />
|Contribution of URL<br />
|This pie chart shows contribution of different types of URL .<br />
|-<br />
| Server Name wise Hits<br />
|X axis : Servername<br/>Y axis : Count of request hits for that Servername.<br />
|-<br />
| Client IP wise Hits<br />
|X axis : ClientIP<br/>Y axis : Count of request hits for that Client IP.<br />
|-<br />
|Time trend<br />
|Trend of login events over time. Useful to identify unusual spikes at a glance.<br/><br/>X axis : date & time<br/>Y axis : count of events<br />
|-<br />
|Summary Table<br />
|Detailed data with timestamp and count<br />
<br />
|}<br />
<br />
==== Some suggestions for useful interaction with this dashboard could be : ====<br />
<br />
#In the pie chart "Contribution of Referrer", click and select any one referrer type. This isolates the count of hits for the selected type and also shows the server name and accessed URLs for that referrer type, reflected across the dashboard, i.e. the other pie charts, time trends and summary table show filtered information for this referrer type only.<br />
#Alternatively, in the graph "Client IP wise Hits", click and select any one client IP. This isolates the request hits and also shows the referrer and accessed URLs for that client IP, reflected across the dashboard.<br />
<br />
=== KHIKA Alerts for Apache WebServer ===<br />
<br />
Alerts are generated in real time when certain critical behavior is observed in the system. They are shown on the Alerts Dashboard in KHIKA and can also be sent by email to the relevant stakeholders. The details of KHIKA Alerts are mentioned here. <br />
Click on “Alert Dashboard” in the left menu.<br />
Certain alerts for Windows are pre-canned and shipped with KHIKA, keeping in mind the requirements of the users. They are listed in the table below :<br />
<br />
==== Alerts Description ====<br />
<br />
{| class="wikitable"<br />
|+ style="caption-side:bottom; color:#e76700;"|''Alert Details Table''<br />
|-<br />
|'''Alert Name'''<br />
|'''Description'''<br />
|'''Suggested Resolution'''<br />
|-<br />
|Apache excessive web server errors from same source ip<br />
|This alert is triggered when the same source IP makes repeated requests to the Apache Webserver and receives error responses within one minute.<br />
|Multiple errors are being received from the same source_ip. Possible DDoS attack.<br />
A denial of service (DoS) attack prevents the server from serving legitimate users with a response to their requests. DoS attacks from anonymous sources can be prevented by deploying a web server firewall that inspects all HTTP traffic and drops any request that appears malicious or comes from an unauthorised source.<br />
Check the reputation of the client IP address and block it if necessary.<br />
|-<br />
|Apache dangerous content posted to webserver<br />
|This alert is triggered when any source posts potentially dangerous files to the webserver within one minute.<br />
|Apache dangerous content posted to webserver. A client has posted potentially dangerous files, such as executables, scripts or shared objects, to the webserver.<br />
Check the upload activity of the user and verify the uploaded content for policy violations.<br />
|-<br />
|Apache communication with possible IOC or bad IP<br />
|This alert is triggered when malicious/bad IPs communicate with the Apache Webserver.<br />
|KHIKA shares community-based threat intelligence (TI) every 24 hours. The TI contains a list of IP addresses with a bad reputation. Every bad IP is marked with the number of communities reporting it, the name of each community, and a confidence score indicating how confident we are about the reputation. This alert is generated when communication with a bad IP is let through.<br />
<br />
If communication with a bad IP is happening, it must be blocked immediately, as it could be an attack or data exfiltration.<br />
You can check how long this communication has been happening by simply searching for the malicious IP in the logs. You can also check which internal IP addresses are communicating with this IP address and track the real users behind those internal IP addresses.<br />
Cross-check the reputation of the IP with popular websites such as ipvoid.com and virustotal.com.<br />
If you see an internal IP constantly involved in malicious communication (with the same or multiple external IP addresses), you may install agents on the internal nodes involved and identify the real user and process responsible for this communication.<br />
It is critical to block this rogue communication.<br />
|}</div>Dhanashree kulkarnihttp://khika.com/wiki/index.php?title=KHIKA_App_for_Apache_WebServer&diff=3053KHIKA App for Apache WebServer2020-04-02T12:01:50Z<p>Dhanashree kulkarni: /* How to check the output of KHIKA Apache WebServer App ? */</p>
<hr />
<div>== Introduction ==<br />
Apache Webserver runs critical business applications in organisations. Monitoring these servers is important from both a security and an operational standpoint.<br />
<br />
With the KHIKA App for Apache Webserver, you can:<br />
*Monitor hundreds of servers from one central place.<br />
*Analyse the HTTP error status of URLs accessed on your server.<br />
*See information such as the top accessed URLs and the count of hits on your server.<br />
*Monitor total requests per client IP on your servers.<br />
<br />
The steps to configure and interpret the output of the KHIKA App for Apache Webserver are explained below.<br />
The key parts are:<br />
#Install the KHIKA App for Apache Webserver<br />
#Get data from your Apache Webserver into the KHIKA Aggregator<br />
<br />
== How to Install the KHIKA App for Apache WebServer? ==<br />
<br />
It is assumed that you have already configured the KHIKA Data Aggregator in your environment. If not, please read [[Getting Started with KHIKA SaaS#Installing and configuring KHIKA Data Aggregator|how to configure KHIKA Data Aggregator]] and perform the prerequisite steps.<br />
<br />
This section explains how to pick and install the KHIKA application for Apache WebServer. Installing the application sets up and activates the preconfigured adapter (parser) that handles the webserver data format, together with the preconfigured dashboards and alert rules.<br />
<br />
Go to the “Applications” tab in the “Configure” menu.<br />
<br />
[[File:Apache_1.JPG|700px]]<br />
<br />
Check that the appropriate Workspace is selected.<br />
Note: an application is always loaded in a Workspace. Read the section on [[Accessing the KHIKA Gui#Creating a Workspace|Workspaces]] to learn more about KHIKA Workspaces.<br />
Also select your KHIKA aggregator name in the Node dropdown.<br />
This ensures that data is collected from the desired source into the correct workspace, which is ready with the configured application and its components.<br />
<br />
[[File:Apache_2.jpg|700px]]<br />
<br />
Click on the “+” button. A pop-up appears.<br />
<br />
[[File:Apache_install_full.JPG|700px]]<br />
<br />
You can now select the contents of the application that you require. For example, click the “Reports” dropdown to expand it; the list of all reports is shown. Select the reports you need individually by ticking the checkbox next to each, or tick “Select All” to get all of them.<br />
Similarly, you can select contents from Alerts and Dashboards.<br />
<br />
[[KHIKA Reports|What are KHIKA Reports]]<br />
<br />
[[KHIKA Dashboards|What are KHIKA Dashboards]]<br />
<br />
[[KHIKA Alerts & Correlations|What are KHIKA Alerts]]<br />
<br />
Click “OK” to proceed with the installation of the selected Application.<br />
After successful installation, the following status should be displayed:<br />
<br />
[[File:Full_app_install.JPG|700px]]<br />
<br />
This simple procedure to install a KHIKA App automatically configures the Adapter (required for parsing the raw syslog data), the KHIKA reports calculated on the raw data, Visualizations, Dashboards and Alerts, all in one click.<br />
<br />
== How to get your Apache Webserver data into KHIKA ? ==<br />
<br />
KHIKA recommends the popular open source OSSEC integration to monitor Apache webservers.<br />
There are two components in the OSSEC integration with KHIKA:<br />
#OSSEC Agent – installed on each webserver that we wish to monitor<br />
#OSSEC Server – present on the KHIKA Data Aggregator<br />
<br />
The OSSEC agent and server authenticate each other using a unique key pairing mechanism.<br />
The main steps to start getting data from a Linux server are:<br />
#Install the OSSEC agent on the webserver (for Linux)<br />
#Add the webserver details in KHIKA<br />
#Extract a unique key for this device from KHIKA<br />
#Insert this key in the OSSEC agent (i.e. on the respective webserver to be monitored)<br />
#Reload the configuration<br />
#Verify data collection<br />
<br />
Each of these steps is explained in detail in the further sections.<br />
<br />
== Installing OSSEC Agent for Apache Server ==<br />
<br />
Download the [https://goo.gl/86gRQL Linux OSSEC Agent from here].<br><br />
For the Linux agent, check your OS version and select the appropriate installer file.<br><br />
Version 5: '''ossec_TL_Agent_5.11.tar.gz'''<br><br />
Version 6: '''ossec_TL_Agent_6.x.tar.gz'''<br><br />
Version 7: '''ossec_TL_Agent.tar.gz'''<br><br />
<br />
Copy the downloaded installer to the server that you wish to monitor using KHIKA and run the installer with "root" credentials on that server.<br />
Please note: it is extremely important to install the OSSEC agent with "root" privileges, because the agent reads '''/var/log/secure, /var/log/messages''' and other important files that only root can read. The ossec-agent process must therefore be installed with "root" privileges.<br />
<br />
Run the following commands as the "root" user to install the OSSEC agent.<br />
Remove or rename the ossec directory if it already exists on the agent (i.e. on the Linux server):<br />
'''mv /opt/ossec /opt/ossec_bak'''<br />
Go to the location where you copied the OSSEC agent installer and extract it using the following command (use the file name matching your OS version):<br />
'''tar -zxvf ossec_TL_Agent.tar.gz'''<br />
<br />
Then change into the extracted directory using the cd command. You should see a script named install.sh.<br />
<br />
Then run the following command:<br />
'''sudo ./install.sh''' (sudo is not needed if you are already logged in as root)<br />
<br />
[[File:Linux5.jpg|700px]]<br />
<br />
Now, enter the KHIKA Data Aggregator IP address (the OSSEC server IP address) so that the OSSEC agent points to the OSSEC server.<br />
<br />
[[File:Linux6.jpg|700px]]<br />
<br />
NOTE: you will have to repeat these steps on each of the servers that you wish to monitor using KHIKA.<br />
<br />
To collect Apache access logs, add the following section to agent.conf (adjust the location if your distribution writes the access log to a different path):<br />
<localfile><br />
<log_format>apache</log_format><br />
<location>/var/log/httpd/access_log</location><br />
</localfile><br />
<br />
== Adding the device in the Adapter ==<br />
<br />
Go to the Adapter tab in the “Configure” menu.<br />
Next to our “apache_webserver_adapter”, click on the “Manage Devices” icon.<br />
<br />
[[File:Apache_manage_device.jpg|700px]]<br />
<br />
A pop-up with device details appears.<br />
<br />
[[File:Linux8.jpg|700px]]<br />
<br />
Click on the “Add / Modify Device” tab. Another pop-up appears for the device details.<br />
<br />
[[File:Apache_device_name.JPG|700px]]<br />
<br />
Enter the expected device name. In the field for IP address, enter “any”.<br />
'''Please note: always enter the IP Address as “any”.''' This is the safe and sure option for establishing the connection: it allows the OSSEC agent to connect to the OSSEC server from “any” of its configured IPs. The device may have multiple NICs/IP addresses, and unless we are sure which IP will be used for the connection, the connection will fail. Hence, use “any”.<br />
<br />
Select the appropriate time zone of this device. In the “Node” field dropdown, select the name of the Aggregator or local data collector for this device.<br />
Click on Submit. A success message appears and the device is added to this adapter.<br />
<br />
[[File:Apache_device_add.JPG|500px]]<br />
<br />
== Extract key from KHIKA OSSEC Server ==<br />
<br />
The Apache server is now added in the relevant KHIKA Adapter, i.e. the parser that will parse this data type. To see this device entry, click on the “Manage Devices” icon next to the adapter.<br />
<br />
[[File:Apache_manage_device.jpg|500px]]<br />
<br />
A pop-up with the device details of the adapter appears. Select the “List of Devices” tab.<br />
<br />
[[File:Apache_list_device.JPG|500px]]<br />
<br />
Click on the “Get OSSEC Key” icon next to this device.<br />
<br />
[[File:Apache_key.jpg|500px]]<br />
<br />
[[File:Apache_extracted_key.JPG|500px]]<br />
<br />
This is the unique key for this device, created by the OSSEC server. Paste this key into the OSSEC agent installed on this Apache server.<br />
<br />
== Insert unique OSSEC key in OSSEC Agent on the Linux Server ==<br />
<br />
Perform the following simple steps on the Apache server agent:<br />
*Log in as "root" on the agent server.<br />
*Please note that the OSSEC server listens on UDP port 1514, so any firewall between the OSSEC agent and the OSSEC server must allow UDP traffic to port 1514.<br />
*In the OSSEC agent installation directory, run the manage_agents script:<br />
sudo /opt/ossec/bin/manage_agents<br />
*You will be presented with these options:<br />
<br />
[[File:Linux14.jpg|700px]]<br />
<br />
*Select "I" to import the key (which we extracted in the section above, from the OSSEC server).<br />
*Copy and paste the key generated on the server.<br />
*Restart the agent using the command /opt/ossec/bin/ossec-control restart<br />
*Repeat these steps for each server to be monitored.<br />
*Finally, go to the Workspace tab and click on the “Apply Configuration” icon.<br />
<br />
[[File:Apache_workspace.jpg|700px]]<br />
<br />
== Reload Configuration ==<br />
<br />
Log in to the KHIKA portal.<br />
*Go to Configure<br />
*Select the workspace, e.g. Apache_WebServer<br />
*Go to the Node tab<br />
*Click Reload Config<br />
<br />
[[File:Apache_reload.jpg|700px]]<br />
<br />
This step restarts the OSSEC server.<br />
Wait a few minutes for the server to restart.<br />
<br />
== Verifying OSSEC data collection ==<br />
<br />
Once the device is added successfully, we can check the data for this device on the Discover screen. Go to “Discover” from the main menu.<br />
Select the appropriate index. The raw (KHIKA-formatted) data of all the Apache webservers added to KHIKA so far is shown here.<br />
<br />
[[File:Linux17.jpg|700px]]<br />
<br />
To see the data for the newly added device, enter the search string in lower case –<br />
tl_src_host : name_of_the_device_added_in_lower_case<br />
and click on the search icon.<br />
<br />
== How to check the output of KHIKA Apache WebServer App ? ==<br />
<br />
=== Webserver Http Error Status Dashboard ===<br />
<br />
This dashboard shows the HTTP status codes returned for accessed URLs: the top 10 most accessed URLs, the server IP and the HTTP status code.<br />
<br />
==== Elements in the Dashboard are explained below : ====<br />
<br />
{| class="wikitable"<br />
|+ style="caption-side:bottom; color:#e76700;"|''Webserver Http Error Status Dashboard''<br />
|-<br />
|'''Visualization'''<br />
|'''Description'''<br />
|-<br />
|Contribution of Status<br />
|This pie chart shows the share of each HTTP status code, such as 403 and 503.<br />
|-<br />
|Contribution of Server IP<br />
|This pie chart shows the share of each server IP.<br />
|-<br />
|Contribution of URL<br />
|This pie chart shows the share of each URL.<br />
|-<br />
|Time trend<br />
|Trend of events over time. Useful to identify unusual spikes at a glance.<br/><br/>X axis : date & time<br/>Y axis : count of events<br />
|-<br />
|Summary Table<br />
|Detailed data with timestamp and count<br />
<br />
|}<br />
<br />
==== Some suggestions for useful interaction with this dashboard could be : ====<br />
<br />
#In the "Contribution of Status" pie, click and select any one status code. This filters the dashboard to that status code: the other pie charts, time trend and summary table then show only the server IPs and URLs for that status code.<br />
#Alternatively, in the "Contribution of Server IP" pie, click and select any one server IP. This filters the dashboard to that server IP: the status codes and URLs accessed on that server are reflected across the dashboard.<br />
<br />
=== Report_Webserver_Top_N_URLs Dashboard ===<br />
<br />
This dashboard shows the top URLs. It also gives details of the domains and the top hits per server.<br />
<br />
==== Elements in the Dashboard are explained below : ====<br />
<br />
{| class="wikitable"<br />
|+ style="caption-side:bottom; color:#e76700;"|''Report_Webserver_Top_N_URLs Dashboard''<br />
|-<br />
|'''Visualization'''<br />
|'''Description'''<br />
|-<br />
|Contribution of URL<br />
|This pie chart shows the share of each URL accessed on the servers.<br />
|-<br />
|Server Name wise Request Hits<br />
|X axis : Name of Servers<br/>Y axis : Count of request hits for each server.<br />
|-<br />
|Time trend<br />
|Trend of events over time. Useful to identify unusual spikes at a glance.<br/><br/>X axis : date & time<br/>Y axis : count of events<br />
|-<br />
|Contribution of Domain<br />
|This pie chart shows the share of each domain.<br />
|-<br />
|Summary Table<br />
|Detailed data with timestamp and count<br />
<br />
|}<br />
<br />
==== Some suggestions for useful interaction with this dashboard could be : ====<br />
<br />
#On the "Contribution of URL" pie chart, select any one URL. This filters the dashboard to that URL: the number of hits for the requested URL, and the server names and domain for it, are reflected across the dashboard, i.e. the other pie charts, time trend and summary table show filtered information for this URL only.<br />
#In the "Contribution of Domain" pie, click on any one domain. A filter for the selected domain is applied, and the rest of the elements on the dashboard then show data for that domain only, such as the URLs and server names for this domain.<br />
<br />
=== Report_Webserver_Total_Request_Per_ClientIP Dashboard ===<br />
<br />
This dashboard shows the top client IPs and the total requests from the selected client IP.<br />
<br />
==== Elements in the Dashboard are explained below : ====<br />
<br />
{| class="wikitable"<br />
|+ style="caption-side:bottom; color:#e76700;"|''Report_Webserver_Total_Request_Per_ClientIP Dashboard''<br />
|-<br />
|'''Visualization'''<br />
|'''Description'''<br />
|-<br />
|Contribution of Server Name<br />
|This pie chart shows the share of each server.<br />
|-<br />
|Client IP wise Request<br />
|X axis : ClientIP(s)<br/>Y axis : Count of request hits for that clientIP.<br />
|-<br />
|Time trend<br />
|Trend of events over time. Useful to identify unusual spikes at a glance.<br/><br/>X axis : date & time<br/>Y axis : count of events<br />
|-<br />
|Summary Table<br />
|Detailed data with timestamp and count<br />
<br />
|}<br />
<br />
==== Some suggestions for useful interaction with this dashboard could be : ====<br />
<br />
#In the graph "Client IP wise Request", click and select any one client IP. This filters the dashboard to that client IP: the request hits for it are reflected across the dashboard, i.e. the other pie charts, time trend and summary table show filtered information for this client IP only.<br />
#In the "Contribution of Server Name" pie, click and select any one server name. This filters the dashboard to that server name: the client IPs and request hits for that server are reflected across the dashboard.<br />
<br />
=== Report_Webserver_Traffic_Categorization Dashboard ===<br />
<br />
This dashboard shows the traffic categorization (e.g. DIRECT or REFERRED). It also shows the referrer per client IP, the top URLs and the servers.<br />
<br />
==== Elements in the Dashboard are explained below : ====<br />
<br />
{| class="wikitable"<br />
|+ style="caption-side:bottom; color:#e76700;"|''Report_Webserver_Traffic_Categorization Dashboard''<br />
|-<br />
|'''Visualization'''<br />
|'''Description'''<br />
|-<br />
|Server IP wise Category<br />
|X axis : ServerIP<br/>Y axis : count per Category.<br />
|-<br />
|Client IP wise Referrer<br />
|X axis : ClientIP<br/>Y axis : count per Referrer.<br />
|-<br />
|Contribution of URL<br />
|This pie chart shows the share of each URL.<br />
|-<br />
|Contribution of Server Name<br />
|This pie chart shows the share of each server name.<br />
|-<br />
|Contribution of Referrer<br />
|This pie chart shows the share of each Referrer.<br />
|-<br />
|Time trend<br />
|Trend of events over time. Useful to identify unusual spikes at a glance.<br/><br/>X axis : date & time<br/>Y axis : count of events<br />
|-<br />
|Summary Table<br />
|Detailed data with timestamp and count<br />
<br />
|}<br />
<br />
==== Some suggestions for useful interaction with this dashboard could be : ====<br />
<br />
#On the bar graph "Server IP wise Category", select any one server IP. This filters the dashboard to that server IP: the categories and their counts, and the domains and URLs accessed for that server IP, are reflected across the dashboard, i.e. the other pie charts, time trend and summary table show filtered information for this server IP only.<br />
#Inversely, in the bar graph "Client IP wise Referrer", click on any one client IP to select it; the rest of the elements on the dashboard then show data for that client IP only.<br />
<br />
=== Report_Webserver_Top_N_Referers Dashboard ===<br />
<br />
This dashboard shows the top referrers. It also gives details of the domains and the top hits per server.<br />
<br />
==== Elements in the Dashboard are explained below : ====<br />
<br />
{| class="wikitable"<br />
|+ style="caption-side:bottom; color:#e76700;"|''Report_Webserver_Top_N_Referers Dashboard''<br />
|-<br />
|'''Visualization'''<br />
|'''Description'''<br />
|-<br />
|Contribution of Domain<br />
|This pie chart shows the share of each Domain.<br />
|-<br />
|Server Name wise Hits<br />
|X axis : ServerName(s)<br/>Y axis : Count of hits for each server name.<br />
|-<br />
|Contribution of Referrer<br />
|This pie chart shows the share of each Referrer.<br />
|-<br />
|Time trend<br />
|Trend of events over time. Useful to identify unusual spikes at a glance.<br/><br/>X axis : date & time<br/>Y axis : count of events<br />
|-<br />
|Summary Table<br />
|Detailed data with timestamp and count<br />
<br />
|}<br />
<br />
==== Some suggestions for useful interaction with this dashboard could be : ====<br />
<br />
#On the "Contribution of Referrer" pie chart, select any one referrer. This filters the dashboard to that referrer: the count of request hits, and the domain and server name for it, are reflected across the dashboard, i.e. the other pie charts, time trend and summary table show filtered information for this referrer only.<br />
#Inversely, in the "Contribution of Domain" pie, click on any one domain to select it; the rest of the elements on the dashboard then show data for that domain only.<br />
<br />
=== Report_Webserver_Referrer_Detail Dashboard ===<br />
<br />
This dashboard shows referrer details. It also shows the top URLs, the client IPs that requested them and the server name.<br />
<br />
==== Elements in the Dashboard are explained below : ====<br />
<br />
{| class="wikitable"<br />
|+ style="caption-side:bottom; color:#e76700;"|''Report_Webserver_Referrer_Detail Dashboard''<br />
|-<br />
|'''Visualization'''<br />
|'''Description'''<br />
|-<br />
|Contribution of Referrer<br />
|This pie chart shows the share of each Referrer.<br />
|-<br />
|Contribution of URL<br />
|This pie chart shows the share of each URL.<br />
|-<br />
|Server Name wise Hits<br />
|X axis : Servername<br/>Y axis : Count of request hits for that Servername.<br />
|-<br />
|Client IP wise Hits<br />
|X axis : ClientIP<br/>Y axis : Count of request hits for that Client IP.<br />
|-<br />
|Time trend<br />
|Trend of events over time. Useful to identify unusual spikes at a glance.<br/><br/>X axis : date & time<br/>Y axis : count of events<br />
|-<br />
|Summary Table<br />
|Detailed data with timestamp and count<br />
<br />
|}<br />
<br />
==== Some suggestions for useful interaction with this dashboard could be : ====<br />
<br />
#In the pie chart "Contribution of Referrer", click and select any one referrer type. This filters the dashboard to that referrer type: the count of hits, and the server names and URLs accessed for it, are reflected across the dashboard, i.e. the other pie charts, time trend and summary table show filtered information for this referrer type only.<br />
#Alternatively, in the graph "Client IP wise Hits", click and select any one client IP. This filters the dashboard to that client IP: the request hits, and the referrers and URLs accessed for it, are reflected across the dashboard.<br />
<br />
=== KHIKA Alerts for Apache WebServer ===<br />
<br />
Alerts are generated in real time when certain critical behaviour is observed in the system. They are shown on the Alerts Dashboard in KHIKA and can also be sent by email to the relevant stakeholders. The details of KHIKA Alerts are described in [[KHIKA Alerts & Correlations|KHIKA Alerts]].<br />
Click on “Alert Dashboard” in the left menu.<br />
Certain alerts for Apache WebServer are pre-canned and shipped with KHIKA, keeping in mind the requirements of the users. They are listed in the table below:<br />
<br />
==== Alerts Description ====<br />
<br />
{| class="wikitable"<br />
|+ style="caption-side:bottom; color:#e76700;"|''Alert Details Table''<br />
|-<br />
|'''Alert Name'''<br />
|'''Description'''<br />
|'''Suggested Resolution'''<br />
|-<br />
|Apache excessive web server errors from same source ip<br />
|This alert is triggered when the same source IP makes repeated requests to the Apache Webserver and receives error responses within one minute.<br />
|Multiple errors are being received from the same source_ip. Possible DDoS attack.<br />
A denial of service (DoS) attack prevents the server from serving legitimate users with a response to their requests. DoS attacks from anonymous sources can be prevented by deploying a web server firewall that inspects all HTTP traffic and drops any request that appears malicious or comes from an unauthorised source.<br />
Check the reputation of the client IP address and block it if necessary.<br />
|-<br />
|Apache dangerous content posted to webserver<br />
|This alert is triggered when any source posts potentially dangerous files to the webserver within one minute.<br />
|Apache dangerous content posted to webserver. A client has posted potentially dangerous files, such as executables, scripts or shared objects, to the webserver.<br />
Check the upload activity of the user and verify the uploaded content for policy violations.<br />
|-<br />
|Apache communication with possible IOC or bad IP<br />
|This alert is triggered when malicious/bad IPs communicate with the Apache Webserver.<br />
|KHIKA shares community-based threat intelligence (TI) every 24 hours. The TI contains a list of IP addresses with a bad reputation. Every bad IP is marked with the number of communities reporting it, the name of each community, and a confidence score indicating how confident we are about the reputation. This alert is generated when communication with a bad IP is let through.<br />
<br />
If communication with a bad IP is happening, it must be blocked immediately, as it could be an attack or data exfiltration.<br />
You can check how long this communication has been happening by simply searching for the malicious IP in the logs. You can also check which internal IP addresses are communicating with this IP address and track the real users behind those internal IP addresses.<br />
Cross-check the reputation of the IP with popular websites such as ipvoid.com and virustotal.com.<br />
If you see an internal IP constantly involved in malicious communication (with the same or multiple external IP addresses), you may install agents on the internal nodes involved and identify the real user and process responsible for this communication.<br />
It is critical to block this rogue communication.<br />
|}</div>Dhanashree kulkarnihttp://khika.com/wiki/index.php?title=KHIKA_App_for_Apache_WebServer&diff=3052KHIKA App for Apache WebServer2020-04-02T12:00:32Z<p>Dhanashree kulkarni: /* Verifying OSSEC data collection */</p>
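The three alert rules in the Alert Details Table above, carried through as an added worked example over a few constructed Apache access-log lines. This is illustrative code written for this page, not KHIKA's alert engine or adapter: the error threshold, the one-minute sliding window, the list of "dangerous" upload extensions, the threat-intel entries and the confidence cut-off are all assumptions, and the client IPs come from documentation address ranges.

```python
"""Toy versions of the three KHIKA Apache alert rules (added example, not KHIKA code).
Thresholds, window size, the dangerous-extension list and the threat-intel sample are assumptions."""
import os
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache "combined" access-log line, e.g.
# 203.0.113.5 - - [02/Apr/2020:11:59:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample log (documentation IP ranges only).
SAMPLE_LOG = """\
203.0.113.5 - - [02/Apr/2020:11:59:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [02/Apr/2020:11:59:02 +0000] "GET /admin HTTP/1.1" 403 210 "-" "Mozilla/5.0"
203.0.113.5 - - [02/Apr/2020:11:59:05 +0000] "GET /old/page.html HTTP/1.1" 404 210 "-" "Mozilla/5.0"
203.0.113.5 - - [02/Apr/2020:11:59:09 +0000] "GET /backup/ HTTP/1.1" 404 210 "-" "Mozilla/5.0"
203.0.113.5 - - [02/Apr/2020:11:59:20 +0000] "GET /private/ HTTP/1.1" 403 210 "-" "Mozilla/5.0"
203.0.113.5 - - [02/Apr/2020:11:59:41 +0000] "GET /missing.html HTTP/1.1" 404 210 "-" "Mozilla/5.0"
198.51.100.7 - - [02/Apr/2020:12:00:10 +0000] "POST /uploads/update.exe HTTP/1.1" 200 120 "-" "curl/7.58"
192.0.2.44 - - [02/Apr/2020:12:00:15 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.0.2.44 - - [02/Apr/2020:12:05:00 +0000] "GET /about.html HTTP/1.1" 404 210 "-" "Mozilla/5.0"
"""

# Constructed threat-intel sample: communities reporting the IP and a 0-100 confidence score.
THREAT_INTEL = {
    "198.51.100.7": {"communities": ["feed-a", "feed-b"], "confidence": 90},
    "203.0.113.99": {"communities": ["feed-c"], "confidence": 40},
}

# Assumed set of upload extensions treated as dangerous (executables, scripts, shared objects).
DANGEROUS_EXT = {".exe", ".dll", ".sh", ".so", ".bin", ".ps1"}


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%d/%b/%Y:%H:%M:%S %z")
    ev["status"] = int(ev["status"])
    return ev


def parse_log(text):
    return [ev for ev in map(parse_line, text.splitlines()) if ev]


def excessive_errors(events, threshold=5, window=timedelta(minutes=1)):
    """Rule 1: at least `threshold` error responses (status >= 400) from one client IP
    inside a sliding window of length `window`. One alert per IP."""
    recent = defaultdict(list)  # ip -> timestamps of recent error responses
    alerted, alerts = set(), []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["status"] < 400:
            continue
        q = recent[ev["ip"]]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window:  # expire errors older than the window
            q.pop(0)
        if len(q) >= threshold and ev["ip"] not in alerted:
            alerted.add(ev["ip"])
            alerts.append({"rule": "excessive_errors", "ip": ev["ip"],
                           "count": len(q), "window_end": ev["ts"]})
    return alerts


def dangerous_uploads(events):
    """Rule 2: POST/PUT whose request path ends in a dangerous extension. The access log
    does not record the uploaded file name, so the request path is used as a stand-in."""
    alerts = []
    for ev in events:
        if ev["method"] not in ("POST", "PUT"):
            continue
        ext = os.path.splitext(ev["path"].split("?", 1)[0])[1].lower()
        if ext in DANGEROUS_EXT:
            alerts.append({"rule": "dangerous_upload", "ip": ev["ip"], "path": ev["path"]})
    return alerts


def bad_ip_communication(events, min_confidence=50):
    """Rule 3: client IP listed in the threat intel with confidence >= min_confidence."""
    seen, alerts = set(), []
    for ev in events:
        ti = THREAT_INTEL.get(ev["ip"])
        if ti and ti["confidence"] >= min_confidence and ev["ip"] not in seen:
            seen.add(ev["ip"])
            alerts.append({"rule": "bad_ip", "ip": ev["ip"], **ti})
    return alerts


def run_rules(text):
    """Run all three rules over a log text and return the combined alert list."""
    events = parse_log(text)
    return excessive_errors(events) + dangerous_uploads(events) + bad_ip_communication(events)


if __name__ == "__main__":
    for alert in run_rules(SAMPLE_LOG):
        print(alert)
```

On the sample, 203.0.113.5 produces five error responses within 39 seconds and trips rule 1, the POST of an .exe from 198.51.100.7 trips rule 2, and the same address is in the threat-intel sample with confidence 90, so rule 3 fires once for it as well. The single 404 from 192.0.2.44 stays below the threshold, which is the point of windowing per source IP rather than alerting on every error.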
<hr />
<div>== Introduction ==<br />
Apache Webserver runs critical business applications in organisations. Monitoring these servers is important from both a security and an operational standpoint.<br />
<br />
With the KHIKA App for Apache Webserver, you can:<br />
*Monitor hundreds of servers from one central place.<br />
*Analyse the HTTP error status of URLs accessed on your server.<br />
*See information such as the top accessed URLs and the count of hits on your server.<br />
*Monitor total requests per client IP on your servers.<br />
<br />
The steps to configure and interpret the output of the KHIKA App for Apache Webserver are explained below.<br />
The key parts are:<br />
#Install the KHIKA App for Apache Webserver<br />
#Get data from your Apache Webserver into the KHIKA Aggregator<br />
<br />
== How to Install the KHIKA App for Apache WebServer? ==<br />
<br />
It is assumed that you have already configured the KHIKA Data Aggregator in your environment. If not, please read [[Getting Started with KHIKA SaaS#Installing and configuring KHIKA Data Aggregator|how to configure KHIKA Data Aggregator]] and perform the prerequisite steps.<br />
<br />
This section explains how to pick and install the KHIKA application for Apache WebServer. Installing the application sets up and activates the preconfigured adapter (parser) that handles the webserver data format, together with the preconfigured dashboards and alert rules.<br />
<br />
Go to the “Applications” tab in the “Configure” menu.<br />
<br />
[[File:Apache_1.JPG|700px]]<br />
<br />
Check that the appropriate Workspace is selected.<br />
Note: an application is always loaded in a Workspace. Read the section on [[Accessing the KHIKA Gui#Creating a Workspace|Workspaces]] to learn more about KHIKA Workspaces.<br />
Also select your KHIKA aggregator name in the Node dropdown.<br />
This ensures that data is collected from the desired source into the correct workspace, which is ready with the configured application and its components.<br />
<br />
[[File:Apache_2.jpg|700px]]<br />
<br />
Click on the “+” button. A pop-up appears.<br />
<br />
[[File:Apache_install_full.JPG|700px]]<br />
<br />
You can now select the contents of the application that you require. For example, click the “Reports” dropdown to expand it; the list of all reports is shown. Select the reports you need individually by ticking the checkbox next to each, or tick “Select All” to get all of them.<br />
Similarly, you can select contents from Alerts and Dashboards.<br />
<br />
[[KHIKA Reports|What are KHIKA Reports]]<br />
<br />
[[KHIKA Dashboards|What are KHIKA Dashboards]]<br />
<br />
[[KHIKA Alerts & Correlations|What are KHIKA Alerts]]<br />
<br />
Click “OK” to proceed with the installation of the selected Application.<br />
After successful installation, the following status should be displayed:<br />
<br />
[[File:Full_app_install.JPG|700px]]<br />
<br />
This simple procedure to install a KHIKA App automatically configures the Adapter (required for parsing the raw syslog data), the KHIKA reports calculated on the raw data, Visualizations, Dashboards and Alerts, all in one click.<br />
<br />
== How to get your Apache Webserver data into KHIKA ? ==<br />
<br />
KHIKA recommends the popular open source OSSEC integration to monitor Apache webservers.<br />
There are two components in the OSSEC integration with KHIKA:<br />
#OSSEC Agent – installed on each webserver that we wish to monitor<br />
#OSSEC Server – present on the KHIKA Data Aggregator<br />
<br />
The OSSEC agent and server authenticate each other using a unique key pairing mechanism.<br />
The main steps to start getting data from a Linux server are:<br />
#Install the OSSEC agent on the webserver (for Linux)<br />
#Add the webserver details in KHIKA<br />
#Extract a unique key for this device from KHIKA<br />
#Insert this key in the OSSEC agent (i.e. on the respective webserver to be monitored)<br />
#Reload the configuration<br />
#Verify data collection<br />
<br />
Each of these steps is explained in detail in the further sections.<br />
<br />
== Installing OSSEC Agent for Apache Server ==<br />
<br />
Download the [https://goo.gl/86gRQL Linux OSSEC Agent from here].<br><br />
For the Linux agent, check your OS version and select the appropriate installer file.<br><br />
Version 5: '''ossec_TL_Agent_5.11.tar.gz'''<br><br />
Version 6: '''ossec_TL_Agent_6.x.tar.gz'''<br><br />
Version 7: '''ossec_TL_Agent.tar.gz'''<br><br />
<br />
Copy the downloaded installer to the server that you wish to monitor using KHIKA and run the installer with "root" credentials on that server.<br />
Please note: it is extremely important to install the OSSEC agent with "root" privileges, because the agent reads '''/var/log/secure, /var/log/messages''' and other important files that only root can read. The ossec-agent process must therefore be installed with "root" privileges.<br />
<br />
Run the following commands as the "root" user to install the OSSEC agent.<br />
Remove or rename the ossec directory if it already exists on the agent (i.e. on the Linux server):<br />
'''mv /opt/ossec /opt/ossec_bak'''<br />
Go to the location where you copied the OSSEC agent installer and extract it using the following command (use the file name matching your OS version):<br />
'''tar -zxvf ossec_TL_Agent.tar.gz'''<br />
<br />
Then change into the extracted directory using the cd command. You should see a script named install.sh.<br />
<br />
Then run the following command:<br />
'''sudo ./install.sh''' (sudo is not needed if you are already logged in as root)<br />
<br />
[[File:Linux5.jpg|700px]]<br />
<br />
Now, set the KHIKA Data Aggregator IP address (the OSSEC server IP address) as the server the OSSEC agent reports to, so that the agent points at the OSSEC server.<br />
<br />
[[File:Linux6.jpg|700px]]<br />
<br />
NOTE: You will have to repeat these steps on each of the Servers that you wish to monitor using KHIKA.<br />
<br />
To collect Apache logs, add the following <localfile> section to the agent configuration (agent.conf). Note that in OSSEC, agent.conf is the centrally managed configuration distributed from the OSSEC server to its agents; if you edit the agent's local configuration instead, the same block goes into ossec.conf in the agent installation directory (/opt/ossec/etc/ossec.conf here). Adjust the path if your distribution writes the access log elsewhere (for example /var/log/apache2/access.log on Debian and Ubuntu), and make sure the file exists, since OSSEC cannot monitor a path that is not there.<br />
<localfile><br />
<log_format>apache</log_format><br />
<location>/var/log/httpd/access_log</location><br />
</localfile><br />
<br />
== Adding the device in the Adaptor ==<br />
<br />
Go to Adapter tab in the “Configure” menu.<br />
Next to our “apache_webserver_adapter”, click on the “Manage Devices” icon. <br />
<br />
[[File:Apache_manage_device.jpg|700px]]<br />
<br />
A pop up with the device details appears. <br />
<br />
[[File:Linux8.jpg|700px]]<br />
<br />
Click on “Add / Modify Device” tab. Another pop up appears for device details.<br />
<br />
[[File:Apache_device_name.JPG|700px]]<br />
<br />
Enter the expected device name. In the field for IP address, enter “any”. <br />
'''Please note : Always enter the IP Address as “any”.''' This tells the OSSEC server to accept this agent from whichever of its configured IP addresses it connects from. The device may have multiple NIC cards/IP addresses, or sit behind NAT, and unless we are sure which IP the connection will come from, pinning the key to one IP will make the connection fail. Hence, use “any”. With “any”, the only thing that identifies the agent to the server is its key, so keep the key confidential (see the key import section below).<br />
<br />
Select the appropriate time zone of this device. In the “Node” dropdown, select the name of the Aggregator or local data collector for this device. <br />
Click on Submit. A success message confirms that the device has been added to this adaptor. <br />
<br />
[[File:Apache_device_add.JPG|500px]]<br />
<br />
== Extract key from KHIKA OSSEC Server ==<br />
<br />
The Apache server is now added to the KHIKA Adapter (parser) that handles this data type. To see this device entry, click on the “Manage Devices” icon next to the adaptor.<br />
<br />
[[File:Apache_manage_device.jpg|500px]]<br />
<br />
A pop up with device details of the adaptor appears. Select “List of Devices” tab.<br />
<br />
[[File:Apache_list_device.JPG|500px]]<br />
<br />
Click on the “Get OSSEC Key” icon next to this device. <br />
<br />
[[File:Apache_key.jpg|500px]]<br />
<br />
[[File:Apache_extracted_key.JPG|500px]]<br />
<br />
This is the unique key for this device created by the OSSEC server. Paste this key into the OSSEC agent installed on this Apache server.<br />
<br />
== Insert unique OSSEC key in OSSEC Agent on the Linux Server ==<br />
<br />
Perform the following steps on the Apache server where the agent is installed: <br />
*Login as "root" on the agent server<br />
*Please note the OSSEC Server listens on UDP port 1514, so any firewall between the OSSEC agent and the OSSEC server must allow UDP traffic to port 1514.<br />
*In the OSSEC Agent installation directory, run the manage_agents script: <br />
sudo /opt/ossec/bin/manage_agents<br />
*You'll be presented with these options<br />
<br />
[[File:Linux14.jpg|700px]]<br />
<br />
*Select "I" to import the key (which we extracted from the OSSEC server in the section above)<br />
*Copy and paste the key generated on the server. The key is the shared secret that authenticates this agent to the server, so handle it like a credential: paste it only on the server it was generated for and do not reuse it on another host.<br />
*Restart the agent using the command /opt/ossec/bin/ossec-control restart<br />
*Repeat these steps for each server to be monitored.<br />
*Finally, go to the Workspace tab and click on the “Apply Configuration” icon.<br />
<br />
[[File:Apache_workspace.jpg|700px]]<br />
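Before importing, it is worth checking that the key you copied really is the one for this device. This added example (not from KHIKA or OSSEC) decodes the key, which in OSSEC is the base64 encoding of a client.keys line of the form "<id> <name> <ip> <secret>", and confirms that the agent name matches the device name registered in KHIKA and that the IP field is "any" as instructed above. The -i option of manage_agents is upstream OSSEC's non-interactive import; whether the KHIKA-bundled agent supports it is not stated on this page, so the interactive "I" option remains the documented route. The function names and the paths are assumptions of this example.<br />

```shell
#!/bin/sh
# Added example (not part of KHIKA or OSSEC): sanity-check an OSSEC agent key
# before pasting it into manage_agents. Assumptions: the key is the base64
# encoding of an OSSEC client.keys line, "<id> <name> <ip> <secret>", the
# secret is a hex string, and the device was registered in KHIKA with IP "any".

# Decode a key to its client.keys line; fails if it is not valid base64.
decode_ossec_key() {
    printf '%s' "$1" | base64 -d 2>/dev/null
}

# Check that a key was generated for the expected agent name and that its
# IP field is "any". Prints the id/name/ip on success.
# Returns 0 if fine, 1 if undecodable or malformed, 2 if the name does not
# match, 3 if the IP is pinned to something other than "any".
check_ossec_key() {
    key="$1"; expected_name="$2"
    line=$(decode_ossec_key "$key") || return 1
    set -- $line
    [ $# -eq 4 ] || return 1
    id="$1"; name="$2"; ip="$3"; secret="$4"
    # A mangled paste (missing characters, line breaks) shows up here.
    printf '%s' "$secret" | grep -Eq '^[0-9a-fA-F]{32,}$' || return 1
    [ "$name" = "$expected_name" ] || return 2
    [ "$ip" = "any" ] || return 3
    printf 'agent id %s name %s ip %s\n' "$id" "$name" "$ip"
    return 0
}

# Validate, then import non-interactively and restart the agent.
# "manage_agents -i <key>" is upstream OSSEC's import option (agent side);
# it is assumed, not documented on this page, for the KHIKA-bundled agent.
import_ossec_key() {
    check_ossec_key "$1" "$2" >/dev/null || return $?
    /opt/ossec/bin/manage_agents -i "$1" && /opt/ossec/bin/ossec-control restart
}

# Usage (hypothetical key and device name):
#   import_ossec_key "MDAxIHdlYnNlcnZlcjAxIGFueSAuLi4=" webserver01
```

A non-zero return from check_ossec_key means the key should not be imported: 2 means you copied the key of a different device, and 3 means the device was registered with a fixed IP instead of "any", which is the situation the note above warns against.<br />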
<br />
== Reload Configuration ==<br />
<br />
Login into the KHIKA portal. <br />
*Go to Configure<br />
*Select workspace, eg. Apache_WebServer <br />
*Go to Node Tab <br />
*Click Reload Config<br />
<br />
[[File:Apache_reload.jpg|700px]]<br />
<br />
This step restarts the OSSEC Server.<br />
Wait a few minutes for the server to come back up.<br />
<br />
== Verifying OSSEC data collection ==<br />
<br />
Once the device is added successfully, we can check the data for this device on the Discover screen. Go to “Discover” from the main menu. <br />
Select the appropriate index. The raw (KHIKA formatted) data of all the Apache webservers added to KHIKA so far is shown here. <br />
<br />
[[File:Linux17.jpg|700px]]<br />
<br />
To see the data for our newly added device, enter the search string in lower case – <br />
tl_src_host : name_of_the_device_added_in_lower_case <br />
and click on the search icon. If no events appear after a few minutes, check /opt/ossec/logs/ossec.log on the agent for connection errors, confirm that the key was imported and the agent restarted, and verify that UDP port 1514 to the aggregator is open.<br />
<br />
== How to check the output of KHIKA Apache WebServer App ? ==<br />
<br />
<br />
=== Report_Webserver_Http_Error_Status Dashboard ===<br />
<br />
This dashboard shows the HTTP status codes returned for accessed URLs: the top 10 most-accessed URLs, the server IP and the HTTP status code. <br />
<br />
==== Elements in the Dashboard are explained below : ====<br />
<br />
{| class="wikitable"<br />
|+ style="caption-side:bottom; color:#e76700;"|''Report_Webserver_Http_Error_Status Dashboard''<br />
|-<br />
|'''Visualization'''<br />
|'''Description'''<br />
|-<br />
|Contribution of Status<br />
|This pie chart shows the distribution of HTTP status codes, e.g. 403, 503.<br />
|-<br />
|Contribution of Server IP<br />
|This pie chart shows the share of requests per server IP.<br />
|-<br />
|Contribution of URL<br />
|This pie chart shows the share of requests per accessed URL.<br />
|-<br />
|Time trend<br />
|Trend of request events over time. Useful to identify unusual spikes at a glance.<br/><br/>X axis : date & time<br/>Y axis : count of events<br />
|-<br />
|Summary Table<br />
|Detailed data with timestamp and count<br />
<br />
|}<br />
<br />
==== Some suggestions for useful interaction with this dashboard could be : ====<br />
<br />
#In the "Contribution of Status" pie, click and select any one status code. This isolates that status code, and the filter is reflected across the dashboard: the other pie charts, time trend and summary table show only the server IPs and URLs that returned the selected status code.<br />
#Alternatively, in the "Contribution of Server IP" pie, click and select any one server IP. This isolates that server IP, and the other elements then show only the status codes and URLs accessed on the selected server IP.<br />
<br />
=== Report_Webserver_Top_N_URLs Dashboard ===<br />
<br />
This dashboard shows the top URLs, along with the domains requested and the servers receiving the most hits. <br />
<br />
==== Elements in the Dashboard are explained below : ====<br />
<br />
{| class="wikitable"<br />
|+ style="caption-side:bottom; color:#e76700;"|''Report_Webserver_Top_N_URLs Dashboard''<br />
|-<br />
|'''Visualization'''<br />
|'''Description'''<br />
|-<br />
|Contribution of URL<br />
|This pie chart shows the share of requests per URL accessed on the servers.<br />
|-<br />
|Server Name wise Request Hits<br />
|X axis : Name of Servers<br/>Y axis : Count of request hits for each server.<br />
|-<br />
|Time trend<br />
|Trend of request events over time. Useful to identify unusual spikes at a glance.<br/><br/>X axis : date & time<br/>Y axis : count of events<br />
|-<br />
|Contribution of Domain<br />
|This pie chart shows the share of requests per domain.<br />
|-<br />
|Summary Table<br />
|Detailed data with timestamp and count<br />
<br />
|}<br />
<br />
==== Some suggestions for useful interaction with this dashboard could be : ====<br />
<br />
#In the "Contribution of URL" pie chart, select any one URL. This isolates the number of hits for the selected URL and shows the server names and domains for that URL across the dashboard, i.e. the other pie charts, time trend and summary table show filtered information for this URL only. <br />
#In the "Contribution of Domain" pie, click on any one domain. A filter on the selected domain is applied and the remaining elements on the dashboard then show data for that domain only, such as the URLs under this domain and the server names.<br />
<br />
=== Report_Webserver_Total_Request_Per_ClientIP Dashboard ===<br />
<br />
This dashboard shows the top client IPs and the total number of requests from each client IP.<br />
<br />
==== Elements in the Dashboard are explained below : ====<br />
<br />
{| class="wikitable"<br />
|+ style="caption-side:bottom; color:#e76700;"|''Report_Webserver_Total_Request_Per_ClientIP Dashboard''<br />
|-<br />
|'''Visualization'''<br />
|'''Description'''<br />
|-<br />
|Contribution of Server Name<br />
|This pie chart shows the share of requests per server name.<br />
|-<br />
|Client IP wise Request<br />
|X axis : ClientIP(s)<br/>Y axis : Count of request hits for that client IP.<br />
|-<br />
|Time trend<br />
|Trend of request events over time. Useful to identify unusual spikes at a glance.<br/><br/>X axis : date & time<br/>Y axis : count of events<br />
|-<br />
|Summary Table<br />
|Detailed data with timestamp and count<br />
<br />
|}<br />
<br />
==== Some suggestions for useful interaction with this dashboard could be : ====<br />
<br />
#In the "Client IP wise Request" graph, click and select any one client IP. This isolates the request hits for the selected client IP, reflected across the dashboard, i.e. the other pie charts, time trend and summary table show filtered information for this client IP only.<br />
#In the "Contribution of Server Name" pie, click and select any one server name. This isolates the client IPs and request hits for that server name, reflected across the dashboard.<br />
<br />
=== Report_Webserver_Traffic_Categorization Dashboard ===<br />
<br />
This dashboard categorizes traffic as DIRECT or REFERRED, i.e. whether or not the request arrived with a referrer. It also shows the referrers per client IP, the top URLs and the servers.<br />
<br />
==== Elements in the Dashboard are explained below : ====<br />
<br />
{| class="wikitable"<br />
|+ style="caption-side:bottom; color:#e76700;"|''Report_Webserver_Traffic_Categorization Dashboard''<br />
|-<br />
|'''Visualization'''<br />
|'''Description'''<br />
|-<br />
|Server IP wise Category<br />
|X axis : ServerIP<br/> Y axis : count of requests per category (DIRECT/REFERRED).<br />
|-<br />
|Client IP wise Referrer<br />
|X axis : ClientIP<br/> Y axis : count of requests per referrer.<br />
|-<br />
|Contribution of URL<br />
|This pie chart shows the share of requests per URL.<br />
|-<br />
| Contribution of Server Name<br />
|This pie chart shows the share of requests per server name.<br />
|-<br />
|Contribution of Referrer<br />
|This pie chart shows the share of requests per referrer.<br />
|-<br />
|Time trend<br />
|Trend of request events over time. Useful to identify unusual spikes at a glance.<br/><br/>X axis : date & time <br/>Y axis : count of events<br />
|-<br />
|Summary Table<br />
|Detailed data with timestamp and count<br />
<br />
|}<br />
<br />
==== Some suggestions for useful interaction with this dashboard could be : ====<br />
#In the "Server IP wise Category" bar graph, select any one server IP. This isolates the categories and their counts for the selected server IP, together with the referrers and accessed URLs for that server IP, across the dashboard, i.e. the other pie charts, time trend and summary table show filtered information for this server IP only. <br />
#Inversely, in the "Client IP wise Referrer" bar graph, click on any one client IP to select it; the rest of the elements on the dashboard then show data for that client IP only.<br />
<br />
=== Report_Webserver_Top_N_Referers Dashboard ===<br />
<br />
This dashboard shows the top referrers, along with the domains and the servers receiving the most hits.<br />
==== Elements in the Dashboard are explained below : ====<br />
<br />
<br />
{| class="wikitable"<br />
|+ style="caption-side:bottom; color:#e76700;"|''Report_Webserver_Top_N_Referers Dashboard''<br />
|-<br />
|'''Visualization'''<br />
|'''Description'''<br />
|-<br />
|Contribution of Domain<br />
|This pie chart shows the share of requests per domain.<br />
|-<br />
|Server Name wise Hits<br />
|X axis : ServerName(s)<br/> Y axis : count of hits per server name.<br />
|-<br />
|Contribution of Referrer<br />
|This pie chart shows the share of requests per referrer.<br />
|-<br />
|Time trend<br />
|Trend of request events over time. Useful to identify unusual spikes at a glance.<br/><br/>X axis : date & time<br/>Y axis : count of events<br />
|-<br />
|Summary Table<br />
|Detailed data with timestamp and count<br />
<br />
|}<br />
<br />
==== Some suggestions for useful interaction with this dashboard could be : ====<br />
<br />
#In the "Contribution of Referrer" pie, select any one referrer. This isolates the count of request hits for the selected referrer and shows the domains and server names for that referrer across the dashboard, i.e. the other pie charts, time trend and summary table show filtered information for this referrer only. <br />
#Inversely, in the "Contribution of Domain" pie, click on any one domain to select it; the rest of the elements on the dashboard then show data for that domain only.<br />
<br />
=== Report_Webserver_Referrer_Detail Dashboard ===<br />
<br />
This dashboard shows referrer details, together with the top URLs, the client IPs requesting each URL and the server names.<br />
<br />
==== Elements in the Dashboard are explained below : ====<br />
<br />
{| class="wikitable"<br />
|+ style="caption-side:bottom; color:#e76700;"|''Report_Webserver_Referrer_Detail Dashboard''<br />
|-<br />
|'''Visualization'''<br />
|'''Description'''<br />
|-<br />
|Contribution of Referrer<br />
|This pie chart shows the share of requests per referrer.<br />
|-<br />
|Contribution of URL<br />
|This pie chart shows the share of requests per URL.<br />
|-<br />
| Server Name wise Hits<br />
|X axis : Servername<br/>Y axis : Count of request hits for that server name.<br />
|-<br />
| Client IP wise Hits<br />
|X axis : ClientIP<br/>Y axis : Count of request hits for that client IP.<br />
|-<br />
|Time trend<br />
|Trend of request events over time. Useful to identify unusual spikes at a glance.<br/><br/>X axis : date & time<br/>Y axis : count of events<br />
|-<br />
|Summary Table<br />
|Detailed data with timestamp and count<br />
<br />
|}<br />
<br />
==== Some suggestions for useful interaction with this dashboard could be : ====<br />
<br />
#In the "Contribution of Referrer" pie chart, click and select any one referrer. This isolates the count of hits for the selected referrer and shows the server names and accessed URLs for that referrer, reflected across the dashboard, i.e. the other pie charts, time trend and summary table show filtered information for this referrer only.<br />
#Alternatively, in the "Client IP wise Hits" graph, click and select any one client IP. This isolates the request hits and shows the referrers and accessed URLs for that client IP, reflected across the dashboard.<br />
<br />
=== KHIKA Alerts for Apache WebServer ===<br />
<br />
Alerts are generated in real time when certain critical behaviour is observed in the system. They are shown on the Alerts Dashboard in KHIKA and can also be sent by email to the relevant stakeholders. The details of KHIKA Alerts are described here. <br />
Click on “Alert Dashboard” in the left menu.<br />
Certain alerts for Apache Webserver are pre-canned and shipped with KHIKA, keeping in mind the requirements of the users. They are listed in the table below :<br />
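To make the first two alerts in the table below concrete, here is an added example (not KHIKA's alert engine) that applies the same logic to raw Apache combined-format access-log lines with awk: it counts 4xx/5xx responses per client IP per calendar minute and raises an alert when a threshold is reached, and it flags POST/PUT requests whose path ends in an executable or script extension. The threshold of 5, the extension list and the sample log lines are constructed assumptions; KHIKA's own thresholds and rules are not stated on this page.<br />

```shell
#!/bin/sh
# Added example (not KHIKA's alert engine): reproduce two of the Apache alerts
# over raw access-log lines. Assumptions: Apache "combined" log format,
# ERROR_THRESHOLD errors per client IP per calendar minute, and the list of
# "dangerous" upload extensions below.

ERROR_THRESHOLD=5

# Constructed sample log lines (not from a real server).
sample_access_log() {
cat <<'EOF'
203.0.113.7 - - [02/Apr/2020:11:57:01 +0000] "GET /wp-login.php HTTP/1.1" 404 209 "-" "curl/7.64.0"
203.0.113.7 - - [02/Apr/2020:11:57:02 +0000] "GET /admin HTTP/1.1" 403 199 "-" "curl/7.64.0"
203.0.113.7 - - [02/Apr/2020:11:57:03 +0000] "GET /.env HTTP/1.1" 404 209 "-" "curl/7.64.0"
203.0.113.7 - - [02/Apr/2020:11:57:04 +0000] "GET /backup.zip HTTP/1.1" 404 209 "-" "curl/7.64.0"
203.0.113.7 - - [02/Apr/2020:11:57:05 +0000] "GET /phpmyadmin HTTP/1.1" 404 209 "-" "curl/7.64.0"
203.0.113.7 - - [02/Apr/2020:11:57:06 +0000] "GET /config.bak HTTP/1.1" 404 209 "-" "curl/7.64.0"
203.0.113.7 - - [02/Apr/2020:11:58:10 +0000] "GET /old HTTP/1.1" 404 209 "-" "curl/7.64.0"
192.0.2.3 - - [02/Apr/2020:11:57:30 +0000] "GET /index.html HTTP/1.1" 200 4521 "-" "Mozilla/5.0"
192.0.2.3 - - [02/Apr/2020:11:57:31 +0000] "GET /missing.png HTTP/1.1" 404 209 "http://example.com/" "Mozilla/5.0"
192.0.2.3 - - [02/Apr/2020:11:59:02 +0000] "GET /missing.css HTTP/1.1" 404 209 "http://example.com/" "Mozilla/5.0"
198.51.100.9 - - [02/Apr/2020:12:00:00 +0000] "POST /uploads/run.sh HTTP/1.1" 200 31 "-" "python-requests/2.23"
198.51.100.9 - - [02/Apr/2020:12:00:01 +0000] "POST /uploads/photo.jpg HTTP/1.1" 200 31 "-" "python-requests/2.23"
EOF
}

# Read an access log from file $1 and print one line per alert.
# $2 overrides the error threshold. Each (ip, minute) pair alerts once.
detect_apache_alerts() {
    awk -v thr="${2:-$ERROR_THRESHOLD}" '
    {
        # Fields are split on whitespace, which holds for the combined format
        # as long as the ident/user fields contain no spaces.
        ip = $1
        ts = substr($4, 2)                      # 02/Apr/2020:11:57:01
        minute = substr(ts, 1, length(ts) - 3)  # drop :SS -> one-minute bucket
        method = substr($6, 2)                  # strip the opening quote
        path = $7; sub(/\?.*/, "", path)        # ignore the query string
        status = $9

        # Alert 1: too many 4xx/5xx responses to one client IP in one minute.
        if (status ~ /^[45][0-9][0-9]$/) {
            k = ip " " minute
            errs[k]++
            if (errs[k] == thr)
                print "ALERT excessive_errors ip=" ip " minute=" minute " count>=" thr
        }

        # Alert 2: upload of an executable, script or shared object.
        if ((method == "POST" || method == "PUT") &&
            path ~ /\.(exe|dll|so|sh|bash|php|pl|py|jsp|war|bat|ps1)$/)
            print "ALERT dangerous_upload ip=" ip " path=" path
    }' "$1"
}

# With --demo, run the detector over the constructed sample.
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp); sample_access_log > "$tmp"
    detect_apache_alerts "$tmp"; rm -f "$tmp"
fi
```

On the sample, 203.0.113.7 trips the error alert once (six 4xx responses in the 11:57 minute, with the single 11:58 error not reaching the threshold), 192.0.2.3 stays quiet because its two 404s fall in different minutes, and only the POST of run.sh, not photo.jpg, is reported as a dangerous upload. Calendar-minute buckets are a simplification; a burst straddling a minute boundary can slip under a threshold that a sliding window would catch.<br />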
<br />
==== Alerts Description ====<br />
<br />
{| class="wikitable"<br />
|+ style="caption-side:bottom; color:#e76700;"|''Alert Details Table''<br />
|-<br />
|'''Alert Name'''<br />
|'''Description'''<br />
|'''Suggested Resolution'''<br />
|-<br />
|Apache excessive web server errors from same source ip<br />
|This alert is triggered when the same source IP receives multiple HTTP error responses from the Apache Webserver within one minute.<br />
|Multiple errors are being returned to the same source IP. This is typical of automated scanning, forced browsing or brute forcing, and may also indicate a denial of service (DoS) attempt.<br />
A denial of service attack (DoS) is an attack where the server is prevented from serving legitimate users with a response to their request. DoS attacks from anonymous sources can be mitigated by placing a web application firewall in front of the server that inspects the HTTP traffic and drops requests that appear malicious or originate from unauthorized sources.<br />
Check the reputation of the client IP address and block it if necessary. Also review which URLs returned the errors: a run of 404s against admin paths or backup files is reconnaissance, while a run of 401/403s against a login page points to credential guessing.<br />
|-<br />
|Apache dangerous content posted to webserver<br />
|This alert is triggered when a source posts potentially dangerous files to the webserver within one minute.<br />
|A client has posted potentially dangerous files such as executables, scripts or shared objects to the webserver.<br />
Check the upload activity of the user and verify the uploaded content for policy violation. If the application was not meant to accept such uploads, treat the file as a possible web shell: confirm whether it is reachable and executable under the document root, and remove it.<br />
|-<br />
|Apache communication with possible IOC or bad IP<br />
|This alert is triggered when malicious/bad IPs are communicating with the Apache Webserver.<br />
|KHIKA shares community based threat intelligence (TI) every 24 hours. The TI has a list of IP addresses with bad reputation. Every bad IP is marked with the number of communities reporting it, the name of each community and a confidence score indicating how confident we are about the reputation. This alert is generated when communication with a bad IP is let through.<br />
<br />
If communication with a bad IP is happening, it must be blocked immediately as it could be a possible attack or data exfiltration. <br />
You can check how long this communication has been happening by simply searching for the malicious IP in the logs. You can also check which internal IP addresses are communicating with this IP address and track the real users behind those internal IP addresses.<br />
Cross-check the reputation of the IP with popular websites such as ipvoid.com or virustotal.com.<br />
If you see an internal IP constantly getting involved in malicious communication (with the same or multiple external IP addresses), you may install agents on the internal nodes involved and check the real user and process responsible for this communication.<br />
It is critical to block this rogue communication.<br />
|}</div>Dhanashree kulkarnihttp://khika.com/wiki/index.php?title=KHIKA_App_for_Apache_WebServer&diff=3051KHIKA App for Apache WebServer2020-04-02T11:57:00Z<p>Dhanashree kulkarni: /* Insert unique OSSEC key in OSSEC Agent on the Linux Server */</p>
<hr />
<div>== Introduction ==<br />
Apache Webserver runs critical business applications in organisations. Monitoring them is important, from both security and operational standpoint.<br />
<br />
With KHIKA App for Apache Webserver, you can :<br />
*Monitor hundreds of servers in one central place.<br />
*Analyse the HTTP error status for accessed URLs on your server.<br />
*See information such as the top accessed URLs and the count of hits on your server.<br />
*Monitor the total requests per client IP on your servers.<br />
<br />
Below we explain the steps to configure the KHIKA App for Apache Webserver and to interpret its output.<br />
The key parts to get there are : <br />
#Install the KHIKA App for Apache Webserver<br />
#Get data from your Apache Webserver into the KHIKA Aggregator<br />
<br />
== How to Install the KHIKA App for Apache WebServer? ==<br />
<br />
It is assumed, that you have already configured KHIKA Data Aggregator in your environment. If not, please read [[Getting Started with KHIKA SaaS#Installing and configuring KHIKA Data Aggregator|how to configure KHIKA Data Aggregator]] and perform the pre-requisite steps.<br />
<br />
This section explains how to pick and install the KHIKA application for Apache WebServer. Installing the application shall put together and activate the adapter (parser) that can handle the webserver data format, the dashboards and the alert rules which are preconfigured. <br />
<br />
Go to “Applications” tab in the “Configure” menu. <br />
<br />
[[File:Apache_1.JPG|700px]]<br />
<br />
Check whether the appropriate Workspace is selected.<br />
Note: Application is always loaded in a Workspace. Read the section on [[Accessing the KHIKA Gui#Creating a Workspace|Workspaces]] to know more about KHIKA Workspaces.<br />
Also select your KHIKA aggregator name in the Node dropdown. <br />
This is to ensure that we are collecting data from the desired source and into the correct workspace which is ready with the configured application and components.<br />
<br />
[[File:Apache_2.jpg|700px]]<br />
<br />
Click on the “+” button. A pop up appears.<br />
<br />
[[File:Apache_install_full.JPG|700px]]<br />
<br />
You can now select which contents of the application to install. For example, expand the “Reports” dropdown to see the list of all reports and tick the checkbox next to each report required, or tick “Select All” to get all of them. <br />
Similarly, select contents from Alerts and Dashboards.<br />
<br />
[[KHIKA Reports|What are KHIKA Reports]]<br />
<br />
[[KHIKA Dashboards|What are KHIKA Dashboards]]<br />
<br />
[[KHIKA Alerts & Correlations|What are KHIKA Alerts]]<br />
<br />
Click “OK” to proceed with the installation of the selected Application. <br />
After successful installation, following status should be displayed :<br />
<br />
[[File:Full_app_install.JPG|700px]]<br />
<br />
This simple procedure to install a KHIKA App automatically configures the Adapter (required for parsing the raw syslog data), the KHIKA reports calculated on the raw data, the Visualizations, Dashboards and Alerts, all in one click.<br />
<br />
== How to get your Apache Webserver data into KHIKA ? ==<br />
<br />
KHIKA recommends, popular open source OSSEC integration to monitor the Apache webservers. <br />
There are 2 components in OSSEC Integration with KHIKA. <br />
#OSSEC Agent – Installed on each webserver which we wish to monitor<br />
#OSSEC Server – Present on KHIKA Data Aggregator <br />
<br />
The OSSEC agent and server communicate with each other using a unique key pairing mechanism. <br />
The main steps to start getting data from a Linux server are :<br />
#Install Ossec agent on the webserver (for Linux)<br />
#Add the webserver details in KHIKA<br />
#Extract a unique key for this device from KHIKA<br />
#Insert this key in the Ossec agent (ie. on respective webserver to be monitored)<br />
#Reload Configuration<br />
#Verify data collection<br />
<br />
Each of these steps is explained in detail in the further sections.<br />
<br />
== Installing OSSEC Agent for Apache Server ==<br />
<br />
Download [https://goo.gl/86gRQL Linux Ossec Agent from here].<br><br />
For Linux Agent, Please check your OS version and select appropriate downloader file.<br><br />
Version 5: '''ossec_TL_Agent_5.11.tar.gz'''<br><br />
Version 6: '''ossec_TL_Agent_6.x.tar.gz'''<br><br />
Version 7: '''ossec_TL_Agent.tar.gz'''<br><br />
<br />
Copy the downloaded installer on your server that you wish to monitor using KHIKA and run the installer with "root" credentials on the Server. <br />
Please Note : It is extremely important to install the OSSEC agent with "root" privileges as this agent reads the '''/var/log/secure, /var/log/messages''' and some other important files. In order to read it successfully the ossec-agent process must be installed with "root" privileges.<br />
<br />
You will have to run the following command as "root" user to install the Ossec Agent:-<br />
Remove/rename ossec directory if already exists on the agent. ie. our Linux server.<br />
'''mv /opt/ossec /opt/ossec_bak'''<br />
Go to the location where you have copied the Ossec agent installer mentioned above. Extract it using the following command<br />
'''tar –zxvf ossec_TL_Agent.tar.gz'''<br />
<br />
Then go to that directory using the cd command. You shall see a script by the name install.sh<br />
<br />
Then Run following command.<br />
'''"sudo ./install.sh"''' (you need not do sudo if you have already logged in as root)<br />
<br />
[[File:Linux5.jpg|700px]]<br />
<br />
Now, add KHIKA Data Aggregator IP address (OSSEC server IP address) to point the OSSEC agent to the OSSEC server.<br />
<br />
[[File:Linux6.jpg|700px]]<br />
<br />
NOTE: You will have to repeat these steps on each of the Servers that you wish to monitor using KHIKA.<br />
<br />
For getting apache logs we need to add the following section in agent.conf<br />
<localfile><br />
<log_format>apache</log_format><br />
<location>/var/log/httpd/access_log</location><br />
</localfile><br />
<br />
== Adding the device in the Adaptor ==<br />
<br />
Go to Adapter tab in the “Configure” menu.<br />
Next to our “apache_webserver_adapter”, click on the “Manage Devices” icon. <br />
<br />
[[File:Apache_manage_device.jpg|700px]]<br />
<br />
Pop up appears for device details <br />
<br />
[[File:Linux8.jpg|700px]]<br />
<br />
Click on “Add / Modify Device” tab. Another pop up appears for device details.<br />
<br />
[[File:Apache_device_name.JPG|700px]]<br />
<br />
Enter the expected device name. Also, in the field for IP address, enter “any”. <br />
'''Please note : Always enter the IP Address as “any”.''' This is a safe and sure option to establish a connection with the server where we are suggesting ossec agent to use “any” of its configured IPs to be used to connect with the OSSEC Server. The device may have multiple NIC cards/IP addresses and unless we are sure of what IP will be used for connection, the connect will fail. Hence, use “any”<br />
<br />
Select appropriate time zone of this device. In the “Node” field dropdown, select the name of the Aggregator or local data collector for this device. <br />
Click on Submit. We get a success message and device is added successfully to this adaptor. <br />
<br />
[[File:Apache_device_add.JPG|500px]]<br />
<br />
== Extract key from KHIKA OSSEC Server ==<br />
<br />
Now the expected Windows server is added in the relevant KHIKA Adapter or parser that will parse this data type. To see this device entry, click on “Manage Devices” icon next to the adaptor .<br />
<br />
[[File:Apache_manage_device.jpg|500px]]<br />
<br />
A pop up with device details of the adaptor appears. Select “List of Devices” tab.<br />
<br />
[[File:Apache_list_device.JPG|500px]]<br />
<br />
Click on the “Get OSSEC Key” icon next to this device. <br />
<br />
[[File:Apache_key.jpg|500px]]<br />
<br />
[[File:Apache_extracted_key.JPG|500px]]<br />
<br />
This is the unique key for this device created by the OSSEC server. Paste this key in the Ossec agent which is installed on this Windows server.<br />
<br />
== Insert unique OSSEC key in OSSEC Agent on the Linux Server ==<br />
<br />
Perform following simple steps on the Apache server Agent <br />
*Login as "root" on the agent server<br />
*Please note OSSEC Server listens on UDP port 1514 and the firewall between the ossec agent and ossec server must be open for UDP protocol and 1514 port.<br />
*In the OSSEC Agent installation directory, run manage-agent script from <br />
sudo /opt/ossec/bin/manage_agents<br />
*You'll be presented with these options<br />
<br />
[[File:Linux14.jpg|700px]]<br />
<br />
Select "I" to import the key (which we created in above section, on the Ossec server)<br />
*Copy and paste the key generated on the server <br />
*Restart the agent using command /opt/ossec/bin/ossec-control restart<br />
*Repeat these steps for each server to be monitored.<br />
*Finally, go to Workspace tab and click on “Apply Configuration” icon.<br />
<br />
[[File:Apache_workspace.jpg|700px]]<br />
<br />
== Reload Configuration ==<br />
<br />
Login into the KHIKA portal. <br />
*Go to Configure<br />
*Select workspace, eg. Apache_WebServer <br />
*Go to Node Tab <br />
*Click Reload Config<br />
<br />
[[File:Apache_reload.jpg|700px]]<br />
<br />
This step restarts OSSEC Server.<br />
Wait for a few minutes for server to restart.<br />
<br />
== Verifying OSSEC data collection ==<br />
<br />
Once the device is added successfully, we can check the data for this device on Discover screen. Go to “Discover” from the main menu. <br />
Select the appropriate index for the same. Raw (khika formatted) data of all your Linux servers added in KHIKA so far, is seen here. <br />
<br />
[[File:Linux17.jpg|700px]]<br />
<br />
To see the data for our newly added device, enter search string in lower case – <br />
tl_src_host : name_of_the_device_added_in_lower_case <br />
and click on the search icon.<br />
<br />
== How to check the output of KHIKA Apache WebServer App ? ==<br />
<br />
<br />
=== Report_Webserver_Http_Error_Status Dashboard ===<br />
<br />
This dashboard shows the information about HTTP status code for accessed URL's.This dashboard shows top 10 URL's which are accessed most,Server IP and HTTP status code. <br />
<br />
==== Elements in the Dashboard are explained below : ====<br />
<br />
{| class="wikitable"<br />
|+ style="caption-side:bottom; color:#e76700;"|''Report_Webserver_Http_Error_Status Dashboard''<br />
|-<br />
|'''Visualization'''<br />
|'''Description'''<br />
|-<br />
|Contribution of Status<br />
|This pie chart shows different types of status like 403,503.<br />
|-<br />
|Contribution of Server IP<br />
|This pie chart shows contribution of serverIP.<br />
|-<br />
|Contribution of URL<br />
|This pie chart shows different types of URL.<br />
|-<br />
|Time trend<br />
|Trend of login events over time. Useful to identify unusual spikes at a glance.<br/><br/>X axis : date & time<br/>Y axis : count of events<br />
|-<br />
|Summary Table<br />
|Detailed data with timestamp and count<br />
<br />
|}<br />
<br />
==== Some suggestions for useful interaction with this dashboard could be : ====<br />
<br />
#In the "Contribution of Status" pie, click and select any one status code. This shall isolate respective status code and URL accessed for that selected serverIP and reflected across the dashboard. i.e the other pie charts, time trends and summary table shall show filtered information for this serverIP only.<br />
#alternatively,In the "Contribution of Server IP" pie, click and select any one serverIP. This shall isolate respective serverIP and URL accessed for that selected ServerIP and reflected across the dashboard.<br />
<br />
=== Report_Webserver_Top_N_URLs Dashboard ===<br />
<br />
This dashboard shows top URL's. Also gives the detail about domain and top hits on server. <br />
<br />
==== Elements in the Dashboard are explained below : ====<br />
<br />
{| class="wikitable"<br />
|+ style="caption-side:bottom; color:#e76700;"|''Report_Webserver_Top_N_URLs Dashboard''<br />
|-<br />
|'''Visualization'''<br />
|'''Description'''<br />
|-<br />
|Contribution of URL<br />
|This pie chart shows different types of URL accessed by server.<br />
|-<br />
|Server Name wise Request Hits<br />
|X axis : Name of Servers<br/>Y axis : Count of such request hits for each server.<br />
|-<br />
|Time trend<br />
|Trend of login events over time. Useful to identify unusual spikes at a glance.<br/><br/>X axis : date & time<br/>Y axis : count of events<br />
|-<br />
|Contribution of Domain<br />
|This pie chart shows different types of domain.<br />
|-<br />
|Summary Table<br />
|Detailed data with timestamp and count<br />
<br />
|}<br />
<br />
==== Some suggestions for useful interaction with this dashboard could be : ====<br />
<br />
#On the pie chart "Contribution of URL", select any one URL. This isolates the number of hits for the requested URL and also shows the server names and domains for the selected URL across the dashboard, i.e. the other pie charts, time trend and summary table show filtered information for this URL only.<br />
#In the "Contribution of Domain" pie, click on any one domain. A filter is applied on the selected domain, and the rest of the elements on the dashboard then show data for that domain only, such as the URLs and server names for this domain.<br />
<br />
=== Report_Webserver_Total_Request_Per_ClientIP Dashboard ===<br />
<br />
This dashboard shows the top client IPs and the total requests from a selected client IP.<br />
<br />
==== Elements in the Dashboard are explained below : ====<br />
<br />
{| class="wikitable"<br />
|+ style="caption-side:bottom; color:#e76700;"|''Report_Webserver_Total_Request_Per_ClientIP Dashboard''<br />
|-<br />
|'''Visualization'''<br />
|'''Description'''<br />
|-<br />
|Contribution of Server Name<br />
|This pie chart shows Contribution of servers.<br />
|-<br />
|Client IP wise Request<br />
|X axis : ClientIP(s)<br/>Y axis : Count of request hits for that clientIP.<br />
|-<br />
|Time trend<br />
|Trend of login events over time. Useful to identify unusual spikes at a glance.<br/><br/>X axis : date & time<br/>Y axis : count of events<br />
|-<br />
|Summary Table<br />
|Detailed data with timestamp and count<br />
<br />
|}<br />
<br />
==== Some suggestions for useful interaction with this dashboard could be : ====<br />
<br />
#In the graph "Client IP wise Request", click and select any one clientIP. This isolates the request hits for the selected clientIP, and the selection is reflected across the dashboard, i.e. the other pie charts, time trend and summary table show filtered information for this clientIP only.<br />
#In the pie "Contribution of Server Name", click and select any one servername. This isolates the respective client IPs and request hits for that servername, and the selection is reflected across the dashboard.<br />
<br />
=== Report_Webserver_Traffic_Categorization Dashboard ===<br />
<br />
This dashboard categorizes traffic as DIRECT or REFERRED. It also shows the referrer per client IP, the top URLs and the servers.<br />
<br />
==== Elements in the Dashboard are explained below : ====<br />
<br />
{| class="wikitable"<br />
|+ style="caption-side:bottom; color:#e76700;"|''Report_Webserver_Traffic_Categorization Dashboard''<br />
|-<br />
|'''Visualization'''<br />
|'''Description'''<br />
|-<br />
|Server IP wise Category<br />
|X axis : ServerIP<br/> Y axis : count of Category.<br />
|-<br />
|Client IP wise Referrer<br />
|X axis : ClientIP<br/> Y axis : count of Referrer.<br />
|-<br />
|Contribution of URL<br />
|This pie chart shows Contribution of different types of URL.<br />
|-<br />
| Contribution of Server Name<br />
|This pie chart shows Contribution of server name.<br />
|-<br />
|Contribution of Referrer<br />
|This pie chart shows Contribution of different types of Referrer.<br />
|-<br />
|Time trend<br />
|Trend of login events over time. Useful to identify unusual spikes at a glance.<br/><br/>X axis : date & time <br/>Y axis : count of events<br />
|-<br />
|Summary Table<br />
|Detailed data with timestamp and count<br />
<br />
|}<br />
<br />
==== Some suggestions for useful interaction with this dashboard could be : ====<br />
<br />
#On the bar graph "Server IP wise Category", select any one serverIP. This isolates the respective categories and their counts for the selected serverIP, and also the domains and accessed URLs for that serverIP across the dashboard, i.e. the other pie charts, time trend and summary table show filtered information for this serverIP only.<br />
#Inversely, in the bar graph "Client IP wise Referrer", click on any one clientIP to select it; the rest of the elements on the dashboard then show data for that clientIP only.<br />
<br />
=== Report_Webserver_Top_N_Referers Dashboard ===<br />
<br />
This dashboard shows the top referrers. It also gives details of the domains and the top hits on each server.<br />
<br />
==== Elements in the Dashboard are explained below : ====<br />
<br />
{| class="wikitable"<br />
|+ style="caption-side:bottom; color:#e76700;"|''Report_Webserver_Top_N_Referers Dashboard''<br />
|-<br />
|'''Visualization'''<br />
|'''Description'''<br />
|-<br />
|Contribution of Domain<br />
|This pie chart shows contribution of different types of Domain.<br />
|-<br />
|Server Name wise Hits<br />
|X axis : ServerName(s)<br/>Y axis : hits for each servername.<br />
|-<br />
|Contribution of Referrer<br />
|This pie chart shows contribution of different types of Referrer.<br />
|-<br />
|Time trend<br />
|Trend of login events over time. Useful to identify unusual spikes at a glance.<br/><br/>X axis : date & time<br/>Y axis : count of events<br />
|-<br />
|Summary Table<br />
|Detailed data with timestamp and count<br />
<br />
|}<br />
<br />
==== Some suggestions for useful interaction with this dashboard could be : ====<br />
<br />
#In the "Contribution of Referrer" pie, select any one referrer. This isolates the count of request hits for the selected referrer and also shows the domain and server name for it across the dashboard, i.e. the other pie charts, time trend and summary table show filtered information for this referrer only.<br />
#Inversely, in the "Contribution of Domain" pie, click on any one domain to select it; the rest of the elements on the dashboard then show data for that domain only.<br />
<br />
=== Report_Webserver_Referrer_Detail Dashboard ===<br />
<br />
This dashboard shows referrer details. It also shows the top URLs, the client IPs that requested them, and the server names.<br />
<br />
==== Elements in the Dashboard are explained below : ====<br />
<br />
{| class="wikitable"<br />
|+ style="caption-side:bottom; color:#e76700;"|''Report_Webserver_Referrer_Detail Dashboard''<br />
|-<br />
|'''Visualization'''<br />
|'''Description'''<br />
|-<br />
|Contribution of Referrer<br />
|This pie chart shows contribution of different types of Referrer.<br />
|-<br />
|Contribution of URL<br />
|This pie chart shows contribution of different types of URL.<br />
|-<br />
| Server Name wise Hits<br />
|X axis : Servername<br/>Y axis : Count of request hits for that Servername.<br />
|-<br />
| Client IP wise Hits<br />
|X axis : ClientIP<br/>Y axis : Count of request hits for that Client IP.<br />
|-<br />
|Time trend<br />
|Trend of login events over time. Useful to identify unusual spikes at a glance.<br/><br/>X axis : date & time<br/>Y axis : count of events<br />
|-<br />
|Summary Table<br />
|Detailed data with timestamp and count<br />
<br />
|}<br />
<br />
==== Some suggestions for useful interaction with this dashboard could be : ====<br />
<br />
#In the pie chart "Contribution of Referrer", click and select any one referrer type. This isolates the count of hits for the selected type and also shows the servername and accessed URLs for that referrer type, reflected across the dashboard, i.e. the other pie charts, time trend and summary table show filtered information for this referrer type only.<br />
#Alternatively, in the graph "Client IP wise Hits", click and select any one clientIP. This isolates its request hits and also shows the referrer and accessed URLs for that clientIP, reflected across the dashboard.<br />
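The following Python script is an added example (not KHIKA's adapter or alert-rule code) showing how the fields behind the dashboards above are derived from Apache access-log lines, and how the first two alert conditions in the KHIKA Alerts section below can be evaluated over them. It assumes Apache's vhost_combined LogFormat; the sample log lines, the 5-errors-per-60-seconds threshold and the list of risky file extensions are constructed values, not taken from the page.<br />
<br />
```python
"""Parse Apache access-log lines and derive the per-field counts the KHIKA
webserver dashboards chart, plus the two alert conditions described on this page.

Constructed example, not KHIKA's adapter or rule code. The log lines below are
made up; the format assumed is Apache's vhost_combined LogFormat
("%v:%p %h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"").
The error threshold (5 errors / 60 s) is an assumed value: the page states the
one-minute window but not a count.
"""
import re
from collections import Counter, defaultdict, deque
from datetime import datetime
from urllib.parse import urlsplit

# %v:%p %h %l %u %t "%r" %>s %O "%{Referer}i" "%{User-Agent}i"
LOG_RE = re.compile(
    r'^(?P<server>[^:\s]+):(?P<port>\d+) (?P<client>\S+) \S+ \S+ '
    r'\[(?P<time>[^\]]+)\] "(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referrer>[^"]*)" "(?P<agent>[^"]*)"$'
)
# File types the "dangerous content posted" alert looks for (page: executables,
# scripts, shared objects); the concrete extension list is an assumption.
DANGEROUS_EXT = (".exe", ".dll", ".sh", ".php", ".pl", ".py", ".so")
ERROR_THRESHOLD, ERROR_WINDOW_SEC = 5, 60


def parse_line(line):
    """Return a dict of the fields the dashboards use, or None if not parseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["ts"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    # Traffic categorization: no Referer header ("-") means a DIRECT request.
    rec["category"] = "DIRECT" if rec["referrer"] in ("-", "") else "REFERRED"
    # Referrer domain, as assumed for the "Contribution of Domain" pie.
    rec["ref_domain"] = urlsplit(rec["referrer"]).hostname if rec["category"] == "REFERRED" else None
    return rec


def dashboard_counts(records):
    """Aggregates behind the Status / URL / ClientIP / Server / Category / Referrer charts."""
    counts = {k: Counter() for k in ("status", "url", "client", "server", "category", "ref_domain")}
    for r in records:
        for k in counts:
            if r[k] is not None:
                counts[k][r[k]] += 1
    return counts


def excessive_errors(records, threshold=ERROR_THRESHOLD, window=ERROR_WINDOW_SEC):
    """Alert 'excessive web server errors from same source ip': sliding
    one-minute window of 4xx/5xx responses per client; returns offending IPs."""
    windows = defaultdict(deque)
    flagged = set()
    for r in sorted(records, key=lambda r: r["ts"]):
        if r["status"] < 400:
            continue
        q = windows[r["client"]]
        q.append(r["ts"])
        while (q[-1] - q[0]).total_seconds() > window:   # drop errors outside the window
            q.popleft()
        if len(q) >= threshold:
            flagged.add(r["client"])
    return flagged


def dangerous_uploads(records):
    """Alert 'dangerous content posted': POST/PUT whose path ends in a risky extension."""
    return [(r["client"], r["url"]) for r in records
            if r["method"] in ("POST", "PUT") and r["url"].lower().endswith(DANGEROUS_EXT)]


# Constructed sample log (not real traffic); addresses are from documentation ranges.
SAMPLE_LOG = """\
www.example.com:443 203.0.113.5 - - [02/Apr/2020:11:47:01 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
www.example.com:443 203.0.113.5 - - [02/Apr/2020:11:47:02 +0000] "GET /login HTTP/1.1" 200 812 "https://search.example.net/q" "Mozilla/5.0"
www.example.com:443 198.51.100.9 - - [02/Apr/2020:11:47:10 +0000] "GET /admin HTTP/1.1" 403 211 "-" "curl/7.64"
www.example.com:443 198.51.100.9 - - [02/Apr/2020:11:47:11 +0000] "GET /admin/ HTTP/1.1" 403 211 "-" "curl/7.64"
www.example.com:443 198.51.100.9 - - [02/Apr/2020:11:47:12 +0000] "GET /backup HTTP/1.1" 404 196 "-" "curl/7.64"
www.example.com:443 198.51.100.9 - - [02/Apr/2020:11:47:13 +0000] "GET /old HTTP/1.1" 404 196 "-" "curl/7.64"
www.example.com:443 198.51.100.9 - - [02/Apr/2020:11:47:14 +0000] "GET /test HTTP/1.1" 404 196 "-" "curl/7.64"
www.example.com:443 192.0.2.77 - - [02/Apr/2020:11:48:30 +0000] "POST /uploads/tool.exe HTTP/1.1" 201 0 "https://www.example.com/upload" "Mozilla/5.0"
"""


def analyse(text):
    """Run the dashboard aggregation and both alert checks over raw log text."""
    records = [r for r in map(parse_line, text.splitlines()) if r]
    return {
        "counts": dashboard_counts(records),
        "excessive_errors": excessive_errors(records),
        "dangerous_uploads": dangerous_uploads(records),
    }


if __name__ == "__main__":
    result = analyse(SAMPLE_LOG)
    print("status:", dict(result["counts"]["status"]))
    print("category:", dict(result["counts"]["category"]))
    print("excessive errors from:", sorted(result["excessive_errors"]))
    print("dangerous uploads:", result["dangerous_uploads"])
```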
<br />
=== KHIKA Alerts for Apache WebServer ===<br />
<br />
Alerts are generated in real time when certain critical behavior is observed in the system. They are shown on the Alerts Dashboard in KHIKA and can also be received by email by the relevant stakeholders. The details of KHIKA Alerts are mentioned here.<br />
Click on “Alert Dashboard” on the left menu.<br />
Certain alerts for Apache WebServer are pre-canned and shipped with KHIKA, keeping in mind the requirements of the users. They are mentioned in the table below :<br />
<br />
==== Alerts Description ====<br />
<br />
{| class="wikitable"<br />
|+ style="caption-side:bottom; color:#e76700;"|''Alert Details Table''<br />
|-<br />
|'''Alert Name'''<br />
|'''Description'''<br />
|'''Suggested Resolution'''<br />
|-<br />
|Apache excessive web server errors from same source ip<br />
|This alert is triggered when the same source IP repeatedly communicates with the Apache Webserver and receives error responses within one minute.<br />
|Multiple errors are being received from the same source_ip. Possible DDOS attack.<br />
A denial of service (DOS) attack is an attack where the server is prevented from serving legitimate users with a response to their request. Prevention of DOS attacks from anonymous sources can be ensured by implementing a web server firewall that inspects the entire HTTP traffic and stops any data packet that appears malicious or is generated from a source that is not authorized.<br />
Check the reputation of the client IP address and block it if necessary.<br />
|-<br />
|Apache dangerous content posted to webserver<br />
|This alert is triggered when any source attempts to post potentially dangerous files to the webserver within one minute.<br />
|Apache dangerous content posted to webserver. Some client has posted potentially dangerous files such as executables, scripts, shared objects, etc. to the webserver.<br />
Kindly check the upload activity done by the user and verify the uploaded content for policy violations.<br />
|-<br />
|Apache communication with possible IOC or bad IP<br />
|This alert is triggered when malicious/bad IPs are trying to communicate with the Apache Webserver.<br />
|KHIKA shares community based threat intelligence (TI) every 24 hours. The TI has a list of IP addresses with bad reputation. Every bad IP is marked with the number of communities reporting it, the name of each community and a confidence score indicating how confident we are about the reputation. This alert is generated when communication with a bad IP is let through.<br />
<br />
If communication with a bad IP is happening, it must be blocked immediately as it could be a possible attack or data exfiltration.<br />
You can check how long this communication has been happening by simply searching the malicious IP in the logs. You can also check which internal IP addresses are communicating with this IP address and track the real users behind those internal IP addresses.<br />
Cross-check the reputation of the IP with popular websites such as ipvoid.com, virustotal.com.<br />
If you see an internal IP constantly getting involved in malicious communication (with the same or multiple external IP addresses), you may install agents on the internal nodes involved and check the real user and process responsible for this communication.<br />
It is critical to block this rogue communication.<br />
|}</div>Dhanashree kulkarnihttp://khika.com/wiki/index.php?title=KHIKA_App_for_Apache_WebServer&diff=3050KHIKA App for Apache WebServer2020-04-02T11:47:16Z<p>Dhanashree kulkarni: /* Installing OSSEC Agent for Apache Server */</p>
<hr />
<div>== Introduction ==<br />
Apache Webserver runs critical business applications in organisations. Monitoring them is important from both a security and an operational standpoint.<br />
<br />
With KHIKA App for Apache Webserver, you can :<br />
*Monitor hundreds of servers at one central place.<br />
*Analyse HTTP error status for accessed URLs on your server.<br />
*See information such as the top accessed URLs and the count of hits on your server.<br />
*Monitor client IP wise total requests on your servers.<br />
<br />
Below we explain the steps to configure and interpret the output of KHIKA App for Apache Webserver.<br />
The key parts are :<br />
#Install the KHIKA App for Apache Webserver<br />
#Get data from your Apache Webserver into KHIKA Aggregator<br />
<br />
== How to Install the KHIKA App for Apache WebServer? ==<br />
<br />
It is assumed that you have already configured KHIKA Data Aggregator in your environment. If not, please read [[Getting Started with KHIKA SaaS#Installing and configuring KHIKA Data Aggregator|how to configure KHIKA Data Aggregator]] and perform the pre-requisite steps.<br />
<br />
This section explains how to pick and install the KHIKA application for Apache WebServer. Installing the application puts together and activates the preconfigured adapter (parser) that handles the webserver data format, along with the dashboards and the alert rules.<br />
<br />
Go to “Applications” tab in the “Configure” menu. <br />
<br />
[[File:Apache_1.JPG|700px]]<br />
<br />
Check whether the appropriate Workspace is selected.<br />
Note: An application is always loaded in a Workspace. Read the section on [[Accessing the KHIKA Gui#Creating a Workspace|Workspaces]] to know more about KHIKA Workspaces.<br />
Also select your KHIKA aggregator name in the Node dropdown.<br />
This ensures that we collect data from the desired source into the correct workspace, which is ready with the configured application and components.<br />
<br />
[[File:Apache_2.jpg|700px]]<br />
<br />
Click on the “+” button. A pop up appears.<br />
<br />
[[File:Apache_install_full.JPG|700px]]<br />
<br />
Users can now select the required contents of the application. For example, click on the dropdown for “Reports” to expand it and see the list of all reports. Select the required reports individually by checking the checkbox next to each, or check the “Select All” option to get all of them.<br />
Similarly, you can select contents from Alerts and Dashboards.<br />
<br />
[[KHIKA Reports|What are KHIKA Reports]]<br />
<br />
[[KHIKA Dashboards|What are KHIKA Dashboards]]<br />
<br />
[[KHIKA Alerts & Correlations|What are KHIKA Alerts]]<br />
<br />
Click “OK” to proceed with the installation of the selected Application.<br />
After successful installation, the following status should be displayed :<br />
<br />
[[File:Full_app_install.JPG|700px]]<br />
<br />
This simple procedure to install a KHIKA App automatically configures the Adapter (required for parsing the data from raw syslogs), the KHIKA reports calculated on raw data, Visualizations, Dashboards and Alerts – all in one click.<br />
<br />
== How to get your Apache Webserver data into KHIKA ? ==<br />
<br />
KHIKA recommends the popular open source OSSEC integration to monitor Apache webservers.<br />
There are 2 components in the OSSEC integration with KHIKA :<br />
#OSSEC Agent – installed on each webserver which we wish to monitor<br />
#OSSEC Server – present on KHIKA Data Aggregator<br />
<br />
The OSSEC agent and server communicate with each other using a unique key pairing mechanism. <br />
The main steps to start getting data from a Linux server are :<br />
#Install Ossec agent on the webserver (for Linux)<br />
#Add the webserver details in KHIKA<br />
#Extract a unique key for this device from KHIKA<br />
#Insert this key in the Ossec agent (i.e. on the respective webserver to be monitored)<br />
#Reload Configuration<br />
#Verify data collection<br />
<br />
Each of these steps is explained in detail in the further sections.<br />
<br />
== Installing OSSEC Agent for Apache Server ==<br />
<br />
Download [https://goo.gl/86gRQL Linux Ossec Agent from here].<br><br />
For the Linux agent, check your OS version and select the appropriate installer file.<br><br />
Version 5: '''ossec_TL_Agent_5.11.tar.gz'''<br><br />
Version 6: '''ossec_TL_Agent_6.x.tar.gz'''<br><br />
Version 7: '''ossec_TL_Agent.tar.gz'''<br><br />
<br />
Copy the downloaded installer to the server that you wish to monitor using KHIKA and run the installer with "root" credentials on that server.<br />
Please Note : It is extremely important to install the OSSEC agent with "root" privileges, as this agent reads '''/var/log/secure, /var/log/messages''' and some other important files. In order to read them successfully, the ossec-agent process must be installed with "root" privileges.<br />
<br />
Run the following commands as the "root" user to install the Ossec Agent.<br />
Remove or rename the ossec directory if it already exists on the agent, i.e. our Linux server :<br />
'''mv /opt/ossec /opt/ossec_bak'''<br />
Go to the location where you copied the Ossec agent installer mentioned above and extract it using the following command :<br />
'''tar -zxvf ossec_TL_Agent.tar.gz'''<br />
<br />
Then go to the extracted directory using the cd command. You shall see a script by the name install.sh<br />
<br />
Then run the following command :<br />
'''sudo ./install.sh''' (you need not use sudo if you are already logged in as root)<br />
<br />
[[File:Linux5.jpg|700px]]<br />
<br />
Now, add KHIKA Data Aggregator IP address (OSSEC server IP address) to point the OSSEC agent to the OSSEC server.<br />
<br />
[[File:Linux6.jpg|700px]]<br />
<br />
NOTE: You will have to repeat these steps on each of the Servers that you wish to monitor using KHIKA.<br />
<br />
To collect Apache logs, add the following section to agent.conf :<br />
<localfile><br />
<log_format>apache</log_format><br />
<location>/var/log/httpd/access_log</location><br />
</localfile><br />
<br />
== Adding the device in the Adaptor ==<br />
<br />
Go to Adapter tab in the “Configure” menu.<br />
Next to our “apache_webserver_adapter”, click on the “Manage Devices” icon. <br />
<br />
[[File:Apache_manage_device.jpg|700px]]<br />
<br />
A pop up appears for device details.<br />
<br />
[[File:Linux8.jpg|700px]]<br />
<br />
Click on “Add / Modify Device” tab. Another pop up appears for device details.<br />
<br />
[[File:Apache_device_name.JPG|700px]]<br />
<br />
Enter the expected device name. Also, in the field for IP address, enter “any”.<br />
'''Please note : Always enter the IP Address as “any”.''' This is a safe and sure option to establish a connection with the server: it lets the OSSEC agent use “any” of its configured IPs to connect to the OSSEC Server. The device may have multiple NIC cards/IP addresses, and unless we are sure which IP will be used for the connection, the connection will fail. Hence, use “any”.<br />
<br />
Select the appropriate time zone of this device. In the “Node” field dropdown, select the name of the Aggregator or local data collector for this device.<br />
Click on Submit. We get a success message and the device is added to this adaptor.<br />
<br />
[[File:Apache_device_add.JPG|500px]]<br />
<br />
== Extract key from KHIKA OSSEC Server ==<br />
<br />
Now the Apache webserver is added in the relevant KHIKA Adapter, i.e. the parser that will handle this data type. To see this device entry, click on the “Manage Devices” icon next to the adaptor.<br />
<br />
[[File:Apache_manage_device.jpg|500px]]<br />
<br />
A pop up with device details of the adaptor appears. Select “List of Devices” tab.<br />
<br />
[[File:Apache_list_device.JPG|500px]]<br />
<br />
Click on the “Get OSSEC Key” icon next to this device. <br />
<br />
[[File:Apache_key.jpg|500px]]<br />
<br />
[[File:Apache_extracted_key.JPG|500px]]<br />
<br />
This is the unique key for this device created by the OSSEC server. Paste this key in the Ossec agent which is installed on this Apache server.<br />
<br />
== Insert unique OSSEC key in OSSEC Agent on the Linux Server ==<br />
<br />
Perform the following simple steps on the Apache server agent :<br />
*Login as "root" on the agent server.<br />
*Please note the OSSEC Server listens on UDP port 1514, and the firewall between the OSSEC agent and OSSEC server must allow UDP traffic on port 1514.<br />
*In the OSSEC Agent installation directory, run the manage_agents script :<br />
'''sudo /opt/ossec/bin/manage_agents'''<br />
*You'll be presented with these options<br />
<br />
[[File:Linux14.jpg|700px]]<br />
<br />
*Select "i" to import the key (which we created in the above section, on the Ossec server).<br />
*Copy and paste the key generated on the server.<br />
*Restart the agent using the command '''/opt/ossec/bin/ossec-control restart'''<br />
*Repeat these steps for all the servers to be monitored.<br />
*Finally, go to the Workspace tab and click on the “Apply Configuration” icon.<br />
<br />
[[File:Apache_workspace.jpg|700px]]<br />
<br />
== Reload Configuration ==<br />
<br />
Log in to the KHIKA portal.<br />
*Go to Configure<br />
*Select workspace, eg. Apache_WebServer <br />
*Go to Node Tab <br />
*Click Reload Config<br />
<br />
[[File:Apache_reload.jpg|700px]]<br />
<br />
This step restarts OSSEC Server.<br />
Wait for a few minutes for server to restart.<br />
<br />
== Verifying OSSEC data collection ==<br />
<br />
Once the device is added successfully, we can check the data for this device on the Discover screen. Go to “Discover” from the main menu.<br />
Select the appropriate index. Raw (KHIKA formatted) data of all your servers added in KHIKA so far is seen here.<br />
<br />
[[File:Linux17.jpg|700px]]<br />
<br />
To see the data for our newly added device, enter search string in lower case – <br />
tl_src_host : name_of_the_device_added_in_lower_case <br />
and click on the search icon.<br />
<br />
== How to check the output of KHIKA Apache WebServer App ? ==<br />
<br />
<br />
=== Report_Webserver_Http_Error_Status Dashboard ===<br />
<br />
This dashboard shows the HTTP status codes for accessed URLs. It shows the top 10 most accessed URLs, the server IP and the HTTP status code.<br />
<br />
==== Elements in the Dashboard are explained below : ====<br />
<br />
{| class="wikitable"<br />
|+ style="caption-side:bottom; color:#e76700;"|''Report_Webserver_Http_Error_Status Dashboard''<br />
|-<br />
|'''Visualization'''<br />
|'''Description'''<br />
|-<br />
|Contribution of Status<br />
|This pie chart shows different types of status like 403, 503.<br />
|-<br />
|Contribution of Server IP<br />
|This pie chart shows contribution of serverIP.<br />
|-<br />
|Contribution of URL<br />
|This pie chart shows different types of URL.<br />
|-<br />
|Time trend<br />
|Trend of login events over time. Useful to identify unusual spikes at a glance.<br/><br/>X axis : date & time<br/>Y axis : count of events<br />
|-<br />
|Summary Table<br />
|Detailed data with timestamp and count<br />
<br />
|}<br />
<br />
=== KHIKA Alerts for Apache WebServer ===<br />
<br />
Alerts are generated in real time when certain critical behavior is observed in the system. They are shown on the Alerts Dashboard in KHIKA and can also be received by email by the relevant stakeholders. The details of KHIKA Alerts are mentioned here.<br />
Click on “Alert Dashboard” on the left menu.<br />
Certain alerts for Apache WebServer are pre-canned and shipped with KHIKA, keeping in mind the requirements of the users. They are mentioned in the table below :<br />
<br />
==== Alerts Description ====<br />
<br />
{| class="wikitable"<br />
|+ style="caption-side:bottom; color:#e76700;"|''Alert Details Table''<br />
|-<br />
|'''Alert Name'''<br />
|'''Description'''<br />
|'''Suggested Resolution'''<br />
|-<br />
|Apache excessive web server errors from same source ip<br />
|This alert is triggered when the same source IP communicates with the Apache Webserver and receives error responses repeatedly within one minute.<br />
|Multiple errors are being received from the same source_ip. Possible DDOS attack.<br />
A denial of service (DOS) attack is an attack where the server is prevented from serving legitimate users with a response to their request. Prevention of DOS attacks from anonymous sources can be ensured by implementing a web server firewall that inspects the entire HTTP traffic and stops any data packet that appears malicious or is generated from a source that is not authorized.<br />
Check the reputation of the client IP address and block it if necessary.<br />
|-<br />
|Apache dangerous content posted to webserver<br />
|This alert is triggered when any source posts potentially dangerous files to the webserver within one minute.<br />
|Apache dangerous content posted to webserver. The victim has posted some potentially dangerous files like executables, scripts, shared objects, etc. on the webserver.<br />
Kindly check the upload activity done by the user and verify the uploaded content for policy violations.<br />
|-<br />
|Apache communication with possible IOC or bad IP<br />
|This alert is triggered when Malicious/bad IPs are trying to communicate with apache Webserver.<br />
|KHIKA shares community based threat intelligence (TI) every 24 hours. TI has a list of IP addresses with bad reputation. Every bad IP is marked with the number of communities reporting it, the name of each community and a confidence value indicating how confident we are about the reputation. This alert is generated when communication with a bad IP is let through.<br />
<br />
If communication with a bad IP is happening, it must be blocked immediately as it could be a possible attack or data exfiltration. <br />
You can check how long this communication has been happening by simply searching for the malicious IP in the logs. You can also check which internal IP addresses are communicating with these IP addresses and track the real users behind those internal IP addresses.<br />
Cross-check the reputation of the IP with popular websites such as ipvoid.com and virustotal.com.<br />
If you see an internal IP constantly getting involved in malicious communication (with the same or multiple external IP addresses), you may install agents on the internal nodes involved and check the real user and process responsible for this communication.<br />
It is critical to block this rogue communication.<br />
|}</div>Dhanashree kulkarnihttp://khika.com/wiki/index.php?title=KHIKA_App_for_Apache_WebServer&diff=3049KHIKA App for Apache WebServer2020-04-02T11:44:27Z<p>Dhanashree kulkarni: /* Installing OSSEC Agent for Apache Server */</p>
<hr />
<div>== Introduction ==<br />
Apache Webserver runs critical business applications in organisations. Monitoring them is important from both a security and an operational standpoint.<br />
<br />
With KHIKA App for Apache Webserver, you can :<br />
*Monitor hundreds of servers from one central place.<br />
*Analyse HTTP error statuses for accessed URLs on your server.<br />
*See information such as the top accessed URLs and the count of hits on your server.<br />
*Monitor client IP wise total requests on your servers.<br />
<br />
Below we explain the steps to configure and interpret the output of KHIKA App for Apache Webserver.<br />
The key steps are : <br />
#Install the KHIKA App for Apache Webserver<br />
#Get data from your Apache Webserver into KHIKA Aggregator<br />
<br />
== How to Install the KHIKA App for Apache WebServer? ==<br />
<br />
It is assumed that you have already configured KHIKA Data Aggregator in your environment. If not, please read [[Getting Started with KHIKA SaaS#Installing and configuring KHIKA Data Aggregator|how to configure KHIKA Data Aggregator]] and perform the pre-requisite steps.<br />
<br />
This section explains how to pick and install the KHIKA application for Apache WebServer. Installing the application shall put together and activate the adapter (parser) that can handle the webserver data format, the dashboards and the alert rules which are preconfigured. <br />
<br />
Go to “Applications” tab in the “Configure” menu. <br />
<br />
[[File:Apache_1.JPG|700px]]<br />
<br />
Check whether the appropriate Workspace is selected.<br />
Note: Application is always loaded in a Workspace. Read the section on [[Accessing the KHIKA Gui#Creating a Workspace|Workspaces]] to know more about KHIKA Workspaces.<br />
Also select your KHIKA aggregator name in the Node dropdown. <br />
This is to ensure that we are collecting data from the desired source and into the correct workspace which is ready with the configured application and components.<br />
<br />
[[File:Apache_2.jpg|700px]]<br />
<br />
Click on the “+” button. A pop up appears.<br />
<br />
[[File:Apache_install_full.JPG|700px]]<br />
<br />
Users can now select the contents of the application required. For example, click on the dropdown for “Reports” to expand it. A list of all reports can be seen. Users can individually select the reports required by checking the checkbox next to each. Alternatively, check the “Select All” option to get all of them. <br />
Similarly, you can select contents from Alerts and Dashboards.<br />
<br />
[[KHIKA Reports|What are KHIKA Reports]]<br />
<br />
[[KHIKA Dashboards|What are KHIKA Dashboards]]<br />
<br />
[[KHIKA Alerts & Correlations|What are KHIKA Alerts]]<br />
<br />
Click “OK” to proceed with the installation of the selected Application. <br />
After successful installation, following status should be displayed :<br />
<br />
[[File:Full_app_install.JPG|700px]]<br />
<br />
This simple procedure to install a KHIKA App automatically configures the Adapter (required for parsing the data from raw syslogs), the calculated KHIKA reports on raw data, Visualizations, Dashboards and Alerts – all in one click.<br />
<br />
== How to get your Apache Webserver data into KHIKA ? ==<br />
<br />
KHIKA recommends the popular open source OSSEC integration to monitor the Apache webservers. <br />
There are 2 components in the OSSEC integration with KHIKA. <br />
#OSSEC Agent – installed on each webserver which we wish to monitor<br />
#OSSEC Server – present on the KHIKA Data Aggregator <br />
<br />
The OSSEC agent and server communicate with each other using a unique key pairing mechanism. <br />
The main steps to start getting data from a Linux server are :<br />
#Install Ossec agent on the webserver (for Linux)<br />
#Add the webserver details in KHIKA<br />
#Extract a unique key for this device from KHIKA<br />
#Insert this key in the Ossec agent (ie. on respective webserver to be monitored)<br />
#Reload Configuration<br />
#Verify data collection<br />
<br />
Each of these steps is explained in detail in the further sections.<br />
<br />
== Installing OSSEC Agent for Apache Server ==<br />
<br />
Download [https://goo.gl/86gRQL Linux Ossec Agent from here].<br><br />
For the Linux Agent, please check your OS version and select the appropriate installer file.<br><br />
Version 5: '''ossec_TL_Agent_5.11.tar.gz'''<br><br />
Version 6: '''ossec_TL_Agent_6.x.tar.gz'''<br><br />
Version 7: '''ossec_TL_Agent.tar.gz'''<br><br />
<br />
Copy the downloaded installer to the server that you wish to monitor using KHIKA and run the installer with "root" credentials on the server. <br />
Please Note : It is extremely important to install the OSSEC agent with "root" privileges as this agent reads '''/var/log/secure, /var/log/messages''' and some other important files. In order to read them successfully the ossec-agent process must be installed with "root" privileges.<br />
<br />
Run the following commands as the "root" user to install the Ossec Agent:-<br />
Remove/rename the ossec directory if it already exists on the agent, i.e. our Linux server.<br />
'''mv /opt/ossec /opt/ossec_bak'''<br />
Go to the location where you have copied the Ossec agent installer mentioned above. Extract it using the following command:<br />
'''tar -zxvf ossec_TL_Agent.tar.gz'''<br />
<br />
Then go to that directory using the cd command. You shall see a script by the name install.sh<br />
<br />
Then run the following command.<br />
'''sudo ./install.sh''' (you need not use sudo if you are already logged in as root)<br />
<br />
[[File:Linux5.jpg|700px]]<br />
<br />
Now, add KHIKA Data Aggregator IP address (OSSEC server IP address) to point the OSSEC agent to the OSSEC server.<br />
<br />
[[File:Linux6.jpg|700px]]<br />
<br />
NOTE: You will have to repeat these steps on each of the Linux Servers that you wish to monitor using KHIKA.<br />
<br />
To collect Apache logs, add the following section to agent.conf:<br />
<localfile><br />
<log_format>apache</log_format><br />
<location>/var/log/httpd/access_log</location><br />
</localfile><br />
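The agent.conf addition above, as an added example that is not part of the KHIKA installer: a small Python helper that inserts the Apache <localfile> stanza only once (so re-running it never duplicates the entry) and picks the access-log path for the host. Assumptions, not from the page: the Debian-style /var/log/apache2/access.log fallback, the closing root tags <agent_config> (agent.conf) and <ossec_config> (ossec.conf), and the config path used in main.<br />

```python
"""Idempotently add the Apache access-log <localfile> entry to an OSSEC agent config."""
import os
import re
import shutil

# Common Apache access-log locations (assumed defaults: RHEL-style first, Debian-style second).
CANDIDATE_LOGS = ("/var/log/httpd/access_log", "/var/log/apache2/access.log")
# agent.conf closes with </agent_config>, ossec.conf with </ossec_config> (assumed, standard OSSEC).
ROOT_TAGS = ("agent_config", "ossec_config")


def localfile_block(log_path):
    """The <localfile> stanza from the page, for the given access-log path."""
    return ("  <localfile>\n"
            "    <log_format>apache</log_format>\n"
            f"    <location>{log_path}</location>\n"
            "  </localfile>\n")


def has_localfile(config_text, log_path):
    """True if a <location> for this exact path is already present (whitespace-tolerant)."""
    pattern = r"<location>\s*" + re.escape(log_path) + r"\s*</location>"
    return re.search(pattern, config_text) is not None


def ensure_localfile(config_text, log_path):
    """Return (new_text, changed): the stanza is inserted once, just before the last
    closing root tag, so re-running the helper never duplicates it."""
    if has_localfile(config_text, log_path):
        return config_text, False
    for tag in ROOT_TAGS:
        idx = config_text.rfind(f"</{tag}>")
        if idx != -1:
            return config_text[:idx] + localfile_block(log_path) + config_text[idx:], True
    raise ValueError("no </agent_config> or </ossec_config> found; refusing to guess")


def pick_access_log(candidates=CANDIDATE_LOGS):
    """First candidate that exists and is readable by the current user (root, per the page)."""
    for path in candidates:
        if os.path.isfile(path) and os.access(path, os.R_OK):
            return path
    return None


def update_config_file(config_path, log_path):
    """Back up the config and rewrite it only if something changed; returns True if modified."""
    with open(config_path, encoding="utf-8") as fh:
        text = fh.read()
    new_text, changed = ensure_localfile(text, log_path)
    if changed:
        shutil.copy2(config_path, config_path + ".bak")
        with open(config_path, "w", encoding="utf-8") as fh:
            fh.write(new_text)
    return changed


if __name__ == "__main__":
    # Hypothetical config path under the page's /opt/ossec install directory.
    access_log = pick_access_log() or CANDIDATE_LOGS[0]
    print("modified:", update_config_file("/opt/ossec/etc/ossec.conf", access_log))
```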
<br />
== Adding the device in the Adaptor ==<br />
<br />
Go to Adapter tab in the “Configure” menu.<br />
Next to our “apache_webserver_adapter”, click on the “Manage Devices” icon. <br />
<br />
[[File:Apache_manage_device.jpg|700px]]<br />
<br />
A pop up appears for device details. <br />
<br />
[[File:Linux8.jpg|700px]]<br />
<br />
Click on “Add / Modify Device” tab. Another pop up appears for device details.<br />
<br />
[[File:Apache_device_name.JPG|700px]]<br />
<br />
Enter the expected device name. Also, in the field for IP address, enter “any”. <br />
'''Please note : Always enter the IP Address as “any”.''' This is a safe and sure option to establish a connection with the server: it allows the ossec agent to connect to the OSSEC Server from “any” of its configured IPs. The device may have multiple NIC cards/IP addresses, and unless we are sure which IP will be used for the connection, the connection will fail. Hence, use “any”.<br />
<br />
Select appropriate time zone of this device. In the “Node” field dropdown, select the name of the Aggregator or local data collector for this device. <br />
Click on Submit. We get a success message and device is added successfully to this adaptor. <br />
<br />
[[File:Apache_device_add.JPG|500px]]<br />
<br />
== Extract key from KHIKA OSSEC Server ==<br />
<br />
Now the expected server is added in the relevant KHIKA Adapter or parser that will parse this data type. To see this device entry, click on the “Manage Devices” icon next to the adaptor.<br />
<br />
[[File:Apache_manage_device.jpg|500px]]<br />
<br />
A pop up with device details of the adaptor appears. Select “List of Devices” tab.<br />
<br />
[[File:Apache_list_device.JPG|500px]]<br />
<br />
Click on the “Get OSSEC Key” icon next to this device. <br />
<br />
[[File:Apache_key.jpg|500px]]<br />
<br />
[[File:Apache_extracted_key.JPG|500px]]<br />
<br />
This is the unique key for this device created by the OSSEC server. Paste this key in the Ossec agent which is installed on this server.<br />
<br />
== Insert unique OSSEC key in OSSEC Agent on the Linux Server ==<br />
<br />
Perform the following simple steps on the Apache server agent: <br />
*Login as "root" on the agent server<br />
*Please note the OSSEC Server listens on UDP port 1514, and the firewall between the ossec agent and ossec server must allow UDP traffic on port 1514.<br />
*In the OSSEC Agent installation directory, run the manage_agents script: <br />
sudo /opt/ossec/bin/manage_agents<br />
*You'll be presented with these options<br />
<br />
[[File:Linux14.jpg|700px]]<br />
<br />
*Select "i" to import the key (which we created in the above section, on the Ossec server)<br />
*Copy and paste the key generated on the server <br />
*Restart the agent using the command /opt/ossec/bin/ossec-control restart<br />
*Repeat these steps for all the servers to be monitored.<br />
*Finally, go to Workspace tab and click on “Apply Configuration” icon.<br />
<br />
[[File:Apache_workspace.jpg|700px]]<br />
<br />
== Reload Configuration ==<br />
<br />
Log in to the KHIKA portal. <br />
*Go to Configure<br />
*Select workspace, eg. Apache_WebServer <br />
*Go to Node Tab <br />
*Click Reload Config<br />
<br />
[[File:Apache_reload.jpg|700px]]<br />
<br />
This step restarts OSSEC Server.<br />
Wait for a few minutes for server to restart.<br />
<br />
== Verifying OSSEC data collection ==<br />
<br />
Once the device is added successfully, we can check the data for this device on the Discover screen. Go to “Discover” from the main menu. <br />
Select the appropriate index for the same. Raw (KHIKA formatted) data of all your Linux servers added in KHIKA so far is seen here. <br />
<br />
[[File:Linux17.jpg|700px]]<br />
<br />
To see the data for our newly added device, enter search string in lower case – <br />
tl_src_host : name_of_the_device_added_in_lower_case <br />
and click on the search icon.<br />
<br />
== How to check the output of KHIKA Apache WebServer App ? ==<br />
<br />
<br />
=== Report_Webserver_Http_Error_Status Dashboard ===<br />
<br />
This dashboard shows information about the HTTP status codes for accessed URLs. It shows the top 10 most accessed URLs, the server IP and the HTTP status code. <br />
<br />
==== Elements in the Dashboard are explained below : ====<br />
<br />
{| class="wikitable"<br />
|+ style="caption-side:bottom; color:#e76700;"|''Report_Webserver_Http_Error_Status Dashboard''<br />
|-<br />
|'''Visualization'''<br />
|'''Description'''<br />
|-<br />
|Contribution of Status<br />
|This pie chart shows the different status codes, such as 403 and 503.<br />
|-<br />
|Contribution of Server IP<br />
|This pie chart shows contribution of serverIP.<br />
|-<br />
|Contribution of URL<br />
|This pie chart shows different types of URL.<br />
|-<br />
|Time trend<br />
|Trend of login events over time. Useful to identify unusual spikes at a glance.<br/><br/>X axis : date & time<br/>Y axis : count of events<br />
|-<br />
|Summary Table<br />
|Detailed data with timestamp and count<br />
<br />
|}<br />
<br />
==== Some suggestions for useful interaction with this dashboard could be : ====<br />
<br />
#In the "Contribution of Status" pie, click and select any one status code. This shall isolate the respective status code and the URLs accessed with that status code, reflected across the dashboard, i.e. the other pie charts, time trends and summary table shall show filtered information for this status code only.<br />
#Alternatively, in the "Contribution of Server IP" pie, click and select any one serverIP. This shall isolate the respective serverIP and the URLs accessed on that selected serverIP, reflected across the dashboard.<br />
<br />
=== Report_Webserver_Top_N_URLs Dashboard ===<br />
<br />
This dashboard shows the top URLs. It also gives details about the domain and the top hits on the server. <br />
<br />
==== Elements in the Dashboard are explained below : ====<br />
<br />
{| class="wikitable"<br />
|+ style="caption-side:bottom; color:#e76700;"|''Report_Webserver_Top_N_URLs Dashboard''<br />
|-<br />
|'''Visualization'''<br />
|'''Description'''<br />
|-<br />
|Contribution of URL<br />
|This pie chart shows different types of URL accessed by server.<br />
|-<br />
|Server Name wise Request Hits<br />
|X axis : Name of Servers<br/>Y axis : Count of such request hits for each server.<br />
|-<br />
|Time trend<br />
|Trend of login events over time. Useful to identify unusual spikes at a glance.<br/><br/>X axis : date & time<br/>Y axis : count of events<br />
|-<br />
|Contribution of Domain<br />
|This pie chart shows different types of domain.<br />
|-<br />
|Summary Table<br />
|Detailed data with timestamp and count<br />
<br />
|}<br />
<br />
==== Some suggestions for useful interaction with this dashboard could be : ====<br />
<br />
#On the pie chart "Contribution of URL", select any one URL. This shall isolate the number of hits for the requested URL and also show the server names and domain for the selected URL across the dashboard, i.e. the other pie charts, time trends and summary table shall show filtered information for this URL only. <br />
#In the "Contribution of Domain" pie, click on any one domain. A filter is applied on the selected domain, and the rest of the elements on the dashboard then show data for that domain only, such as the URLs for this domain, server name, etc.<br />
<br />
=== Report_Webserver_Total_Request_Per_ClientIP Dashboard ===<br />
<br />
This dashboard shows the top client IPs and the total requests from the selected client IP.<br />
<br />
==== Elements in the Dashboard are explained below : ====<br />
<br />
{| class="wikitable"<br />
|+ style="caption-side:bottom; color:#e76700;"|''Report_Webserver_Total_Request_Per_ClientIP Dashboard''<br />
|-<br />
|'''Visualization'''<br />
|'''Description'''<br />
|-<br />
|Contribution of Server Name<br />
|This pie chart shows Contribution of servers.<br />
|-<br />
|Client IP wise Request<br />
|X axis : ClientIP(s)<br/>Y axis : Count of request hits for that clientIP.<br />
|-<br />
|Time trend<br />
|Trend of login events over time. Useful to identify unusual spikes at a glance.<br/><br/>X axis : date & time<br/>Y axis : count of events<br />
|-<br />
|Summary Table<br />
|Detailed data with timestamp and count<br />
<br />
|}<br />
<br />
==== Some suggestions for useful interaction with this dashboard could be : ====<br />
<br />
#In the graph "Client IP wise Request", click and select any one clientIP. This shall isolate the request hits for the selected clientIP, reflected across the dashboard, i.e. the other pie charts, time trends and summary table shall show filtered information for this clientIP only.<br />
#In the pie "Contribution of Server Name", click and select any one servername. This shall isolate the respective client IPs and request hits for that servername, reflected across the dashboard.<br />
<br />
=== Report_Webserver_Traffic_Categorization Dashboard ===<br />
<br />
This dashboard shows the traffic categorization, like DIRECT or REFERRED. It also shows the client IP wise referrer, top URLs and servers.<br />
<br />
==== Elements in the Dashboard are explained below : ====<br />
<br />
{| class="wikitable"<br />
|+ style="caption-side:bottom; color:#e76700;"|''Report_Webserver_Traffic_Categorization Dashboard''<br />
|-<br />
|'''Visualization'''<br />
|'''Description'''<br />
|-<br />
|Server IP wise Category<br />
|X axis : ServerIP<br/> Y axis : count of Category.<br />
|-<br />
|Client IP wise Referrer<br />
|X axis : ClientIP<br/> Y axis : count of Referrer.<br />
|-<br />
|Contribution of URL<br />
|This pie chart shows Contribution of different types of URL.<br />
|-<br />
| Contribution of Server Name<br />
|This pie chart shows Contribution of server name.<br />
|-<br />
|Contribution of Referrer<br />
|This pie chart shows Contribution of different types of Referrer.<br />
|-<br />
|Time trend<br />
|Trend of login events over time. Useful to identify unusual spikes at a glance.<br/><br/>X axis : date & time <br/>Y axis : count of events<br />
|-<br />
|Summary Table<br />
|Detailed data with timestamp and count<br />
<br />
|}<br />
<br />
==== Some suggestions for useful interaction with this dashboard could be : ====<br />
#On the bar graph "Server IP wise Category", select any one serverIP. This shall isolate the respective category and its count for the selected serverIP, and also the domain and accessed URLs for that serverIP across the dashboard, i.e. the other pie charts, time trends and summary table shall show filtered information for this serverIP only. <br />
#Inversely, in the bar graph "Client IP wise Referrer", click on any one clientIP to select it, and the rest of the elements on the dashboard then show data for that clientIP only.<br />
<br />
=== Report_Webserver_Top_N_Referers Dashboard ===<br />
<br />
This dashboard shows the top referrers. It also gives details of the domain and the top hits on the server.<br />
<br />
==== Elements in the Dashboard are explained below : ====<br />
<br />
{| class="wikitable"<br />
|+ style="caption-side:bottom; color:#e76700;"|''Report_Webserver_Top_N_Referers Dashboard''<br />
|-<br />
|'''Visualization'''<br />
|'''Description'''<br />
|-<br />
|Contribution of Domain<br />
|This pie chart shows contribution of different types of Domain.<br />
|-<br />
|Server Name wise Hits<br />
|X axis : ServerName(s)<br/>Y axis : Count of hits for each servername.<br />
|-<br />
|Contribution of Referrer<br />
|This pie chart shows contribution of different types of Referrer.<br />
|-<br />
|Time trend<br />
|Trend of login events over time. Useful to identify unusual spikes at a glance.<br/><br/>X axis : date & time<br/>Y axis : count of events<br />
|-<br />
|Summary Table<br />
|Detailed data with timestamp and count<br />
<br />
|}<br />
<br />
==== Some suggestions for useful interaction with this dashboard could be : ====<br />
<br />
#On the pie chart "Contribution of Referrer", select any one referrer. This shall isolate the count of request hits for the selected referrer and also show the domain and server name for the selected referrer across the dashboard, i.e. the other pie charts, time trends and summary table shall show filtered information for this referrer only. <br />
#Inversely, in the "Contribution of Domain" pie, click on any one domain to select it, and the rest of the elements on the dashboard then show data for that domain only.<br />
<br />
=== Report_Webserver_Referrer_Detail Dashboard ===<br />
<br />
This dashboard shows referrer details. It also shows the top URLs, the client IPs that requested those URLs, and the server name.<br />
<br />
==== Elements in the Dashboard are explained below : ====<br />
<br />
{| class="wikitable"<br />
|+ style="caption-side:bottom; color:#e76700;"|''Report_Webserver_Referrer_Detail Dashboard''<br />
|-<br />
|'''Visualization'''<br />
|'''Description'''<br />
|-<br />
|Contribution of Referrer<br />
|This pie chart shows contribution of different types of Referrer.<br />
|-<br />
|Contribution of URL<br />
|This pie chart shows contribution of different types of URL .<br />
|-<br />
| Server Name wise Hits<br />
|X axis : Servername<br/>Y axis : Count of request hits for that Servername.<br />
|-<br />
| Client IP wise Hits<br />
|X axis : ClientIP<br/>Y axis : Count of request hits for that Client IP.<br />
|-<br />
|Time trend<br />
|Trend of login events over time. Useful to identify unusual spikes at a glance.<br/><br/>X axis : date & time<br/>Y axis : count of events<br />
|-<br />
|Summary Table<br />
|Detailed data with timestamp and count<br />
<br />
|}<br />
<br />
==== Some suggestions for useful interaction with this dashboard could be : ====<br />
<br />
#In the pie chart "Contribution of Referrer", click and select any one referrer type. This shall isolate the count of hits for the selected type and also show the server name and accessed URL for that referrer type across the dashboard, i.e. the other pie charts, time trends and summary table shall show filtered information for this referrer type only.<br />
#Alternatively, in the graph "Client IP wise Hits", click and select any one client IP. This shall isolate the request hits and also show the referrer and accessed URL for that client IP across the dashboard.<br />
<br />
=== KHIKA Alerts for Apache WebServer ===<br />
<br />
Alerts are generated in real time when certain critical behavior is observed in the system. They are shown on the Alerts Dashboard in KHIKA and can also be sent by email to the relevant stakeholders. The details of KHIKA Alerts are mentioned here <br />
Click on “Alert Dashboard” in the left menu.<br />
Certain alerts are pre-canned and shipped with KHIKA, keeping in mind the requirements of the users. They are mentioned in the table below :<br />
<br />
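The three pre-canned alerts in the table below, as an added example that is not KHIKA's own rule engine: Python detection logic run over a handful of constructed Apache access-log lines. The "combined" log format, the one-minute bucket with a threshold of 5 errors, the list of dangerous file extensions and the threat-intelligence entries (communities plus a confidence value, mirroring the TI description in the table) are all assumptions made here.<br />

```python
"""Detection logic for the three alerts in the table below, over sample access-log lines."""
import re
from collections import Counter
from datetime import datetime

# Apache "combined" log format; only client IP, timestamp, method, path and status are used.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)
# Constructed list of upload targets treated as "dangerous content" (executables, scripts, shared objects).
DANGEROUS_EXT = (".exe", ".dll", ".bat", ".sh", ".so")


def parse_line(line):
    """Return a dict for one access-log line, or None when the line does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def excessive_errors(records, threshold=5):
    """Alert 1: the same client IP receiving at least `threshold` 4xx/5xx responses
    within one minute. Returns {(ip, minute_bucket): error_count} for offending buckets."""
    errors = Counter()
    for r in records:
        if r["status"] >= 400:
            errors[(r["ip"], r["ts"].replace(second=0))] += 1
    return {key: n for key, n in errors.items() if n >= threshold}


def dangerous_uploads(records):
    """Alert 2: POST/PUT requests whose target path ends in a dangerous extension."""
    hits = []
    for r in records:
        path = r["path"].split("?", 1)[0].lower()
        if r["method"] in ("POST", "PUT") and path.endswith(DANGEROUS_EXT):
            hits.append((r["ip"], r["path"]))
    return hits


def bad_ip_contacts(records, threat_intel, min_confidence=50):
    """Alert 3: requests from IPs on the TI list whose confidence meets the cut-off.
    threat_intel maps ip -> {"communities": [...], "confidence": int}."""
    out = {}
    for r in records:
        ti = threat_intel.get(r["ip"])
        if ti and ti["confidence"] >= min_confidence:
            entry = out.setdefault(r["ip"], {"count": 0, **ti})
            entry["count"] += 1
    return out


# Constructed sample data using RFC 5737 documentation addresses.
SAMPLE_LOG = [
    '203.0.113.7 - - [02/Apr/2020:11:44:0%d +0000] "GET /admin/%d HTTP/1.1" 404 210 "-" "curl/7.58"'
    % (i, i) for i in range(6)
] + [
    '198.51.100.9 - - [02/Apr/2020:11:45:10 +0000] "POST /upload/tool.exe HTTP/1.1" 200 512 "-" "Mozilla"',
    '198.51.100.9 - - [02/Apr/2020:11:45:11 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla"',
    "not an access-log line at all",
]
SAMPLE_TI = {"198.51.100.9": {"communities": ["feed-a", "feed-b"], "confidence": 80}}


def run_detections(lines=SAMPLE_LOG, threat_intel=SAMPLE_TI):
    """Parse the lines (skipping unparsable ones) and run all three detections."""
    records = [r for r in map(parse_line, lines) if r is not None]
    return {
        "excessive_errors": excessive_errors(records),
        "dangerous_uploads": dangerous_uploads(records),
        "bad_ip_contacts": bad_ip_contacts(records, threat_intel),
    }


if __name__ == "__main__":
    for name, result in run_detections().items():
        print(name, result)
```

With the sample data, 203.0.113.7 trips the error alert (six 404s in the same minute), and 198.51.100.9 trips both the upload alert and the bad-IP alert; the unparsable line is skipped rather than aborting the run.<br />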
==== Alerts Description ====<br />
<br />
{| class="wikitable"<br />
|+ style="caption-side:bottom; color:#e76700;"|''Alert Details Table''<br />
|-<br />
|'''Alert Name'''<br />
|'''Description'''<br />
|'''Suggested Resolution'''<br />
|-<br />
|Apache excessive web server errors from same source ip<br />
|This alert is triggered when the same source IP communicates with the Apache Webserver and receives error responses repeatedly within one minute.<br />
|Multiple errors are being received from the same source_ip. Possible DDOS attack.<br />
A denial of service (DOS) attack is an attack where the server is prevented from serving legitimate users with a response to their request. Prevention of DOS attacks from anonymous sources can be ensured by implementing a web server firewall that inspects the entire HTTP traffic and stops any data packet that appears malicious or is generated from a source that is not authorized.<br />
Check the reputation of the client IP address and block it if necessary.<br />
|-<br />
|Apache dangerous content posted to webserver<br />
|This alert is triggered when any source posts potentially dangerous files to the webserver within one minute.<br />
|Apache dangerous content posted to webserver. The victim has posted some potentially dangerous files like executables, scripts, shared objects, etc. on the webserver.<br />
Kindly check the upload activity done by the user and verify the uploaded content for policy violations.<br />
|-<br />
|Apache communication with possible IOC or bad IP<br />
|This alert is triggered when Malicious/bad IPs are trying to communicate with apache Webserver.<br />
|KHIKA shares community based threat intelligence (TI) every 24 hours. TI has a list of IP addresses with bad reputation. Every bad IP is marked with the number of communities reporting it, the name of each community and a confidence value indicating how confident we are about the reputation. This alert is generated when communication with a bad IP is let through.<br />
<br />
If communication with a bad IP is happening, it must be blocked immediately as it could be a possible attack or data exfiltration. <br />
You can check how long this communication has been happening by simply searching for the malicious IP in the logs. You can also check which internal IP addresses are communicating with these IP addresses and track the real users behind those internal IP addresses.<br />
Cross-check the reputation of the IP with popular websites such as ipvoid.com and virustotal.com.<br />
If you see an internal IP constantly getting involved in malicious communication (with the same or multiple external IP addresses), you may install agents on the internal nodes involved and check the real user and process responsible for this communication.<br />
It is critical to block this rogue communication.<br />
|}</div>Dhanashree kulkarni