
Usefulness of these Internal Rules fired from LEM Appliance


I just wanted to question the usefulness of some of the internal rules which are setup to fire.  These come from the LEM appliance and do not have any useful information other than the fact that these rules show up.  I can't really gather any information from the Extraneous Info, as with some, because these only have "Inferred [...]" in that field.

Here are the ones that are like this for me:

  • The 'UDPTrafficAudit with Unusual UDP Traffic Inference' rule fired
  • The 'TCPTrafficAudit with possible Unusual TCP Traffic Inference' rule fired
  • The 'UDPTrafficAudit with UDP PortScan Inference' rule fired
  • The 'UDPTrafficAudit with UDP PortScan Inference' rule fired
  • The 'TCPTrafficAudit Missing SYN Bit with possible Inference' rule fired

I know I can turn these off, so that is not my question.  I'd like to know what these are useful for in my monitoring.  I know what a port scan is and to what the SYN bit is referring, but the information presented in the event is not useful, as far as I can tell.  Thanks!

  • You're looking at the result of a rule firing, which is to create an inference, which shows up in a filter.  If you look at the rule that creates these inferences, you'll see the LEM is basically looking for specific events and then drawing attention to them.  You might want to look at the rule, figure out what's triggering it, and then look for the original event/events that caused the inference.  In the case below, it takes 10 events in 10 seconds to trigger that inference.


    So in this case, I'd go back to nDepth in the EXPLORE tab, and I'd look for those TCPTrafficAudit.AlertActivityType = TCP missing SYN Flag events from around the detection time (17:56:35 Mon Mar 03 2014 ±10 minutes in this case) and see if maybe something suspicious was going on.

    You could also use the "Explore Event" option on the Rule result that you're seeing, and it should show you all the events that triggered the rule at that time (though I've heard there are some issues with this feature at the moment).


  • I agree with the issue with the Explore-Event feature. I have had hit-and-miss results backtracking the inference rule that was fired.

    For extremely large amounts of inference rule firing, I would capture that information and turn off the inference.   I have seen cases where several of the default inference rules fired more than 10,000 times per minute and really slowed LEM down to a crawl.

  • To add to what's already been said, the purpose of these out-of-the-box rules is to detect common patterns within network traffic, e.g. many SYN packets = SYN scan type stuff. They also provide some insight into how events are normalized, if you look at those plus the authentication default rules which are similar.

    That said, the default thresholds are likely low in many cases, and they may not be useful for you depending on what you want to monitor. You can tweak the thresholds pretty easily to make them fire less frequently, or just disable them if they aren't interesting. If they fire too often or you have a lot of network traffic, you could be impacting load on the appliance (or require more resources than you actually need).
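    The threshold logic described in the first reply (10 events in 10 seconds), the backtracking to the raw events around the detection time, and the threshold tweaking suggested just above, as an added example in Python that is not part of this thread or of LEM itself; the event tuples and the 10.0.0.x addresses are constructed sample data, and the field name AlertActivityType is taken from the nDepth query quoted earlier.

```python
from collections import deque
from datetime import datetime, timedelta

# Constructed sample events, shaped like LEM's normalized TCPTrafficAudit fields
# (detection time, AlertActivityType, source IP). Not real appliance output.
BASE = datetime(2014, 3, 3, 17, 56, 25)
SAMPLE_EVENTS = [
    (BASE + timedelta(seconds=i), "TCP missing SYN Flag", "10.0.0.5") for i in range(12)
] + [
    (BASE + timedelta(seconds=3), "TCP Connection", "10.0.0.9"),
    (BASE + timedelta(minutes=30), "TCP missing SYN Flag", "10.0.0.5"),  # isolated, outside the burst
]

def find_inferences(events, activity_type, threshold=10, window=timedelta(seconds=10)):
    """Sliding-window correlation: an inference fires when at least `threshold`
    events of `activity_type` fall inside `window`. Returns a list of
    (fire_time, contributing_events) so every inference can be traced back."""
    recent = deque()
    fired = []
    for ev in sorted(events):
        ts, atype, _src = ev
        if atype != activity_type:
            continue
        recent.append(ev)
        # Drop events that have slid out of the window (the current event stays).
        while ts - recent[0][0] > window:
            recent.popleft()
        if len(recent) >= threshold:
            fired.append((ts, list(recent)))
            recent.clear()  # one burst yields one inference, not one per extra event
    return fired

def events_around(events, when, minutes=10):
    """The manual backtracking step: every raw event within +/- `minutes`
    of an inference's detection time, as one would pull from nDepth."""
    delta = timedelta(minutes=minutes)
    return [ev for ev in sorted(events) if abs(ev[0] - when) <= delta]

if __name__ == "__main__":
    for fire_time, contributing in find_inferences(SAMPLE_EVENTS, "TCP missing SYN Flag"):
        print(f"inference fired at {fire_time:%H:%M:%S} from {len(contributing)} events")
        for ts, atype, src in events_around(SAMPLE_EVENTS, fire_time):
            print(f"  {ts:%H:%M:%S} {atype} from {src}")
    # Raising the threshold makes the same data produce no inference at all.
    print(len(find_inferences(SAMPLE_EVENTS, "TCP missing SYN Flag", threshold=20)))
```

With the default threshold the twelve-event burst yields exactly one inference at 17:56:34 built from the first ten events, and raising the threshold to 20 yields none, which is the tuning lever described above.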

  • Ok, now I see how these are used.  I believe I will reduce the threshold and check some of these out to see if there needs to be any action taken.  I just didn't know what they were useful for initially, but now I see the purpose.  Thanks!