4 Replies Latest reply on Mar 4, 2014 4:27 PM by HMote

    Usefulness of these Internal Rules fired from LEM Appliance

    HMote

      Capture.JPG

      I just wanted to question the usefulness of some of the internal rules which are setup to fire.  These come from the LEM appliance and do not have any useful information other than the fact that these rules show up.  I can't really gather any information from the Extraneous Info, as with some, because these only have "Inferred [...]" in that field.

       

      Here are the ones that are like this for me:

       

      • The 'UDPTrafficAudit with Unusual UDP Traffic Inference' rule fired
      • The 'TCPTrafficAudit with possible Unusual TCP Traffic Inference' rule fired
      • The 'UDPTrafficAudit with UDP PortScan Inference' rule fired
      • The 'UDPTrafficAudit with UDP PortScan Inference' rule fired
      • The 'TCPTrafficAudit Missing SYN Bit with possible Inference' rule fired

       

      I know I can turn these off, so that is not my question.  I'd like to know what these are useful for in my monitoring.  I know what a port scan is and to what the SYN bit is referring, but the information presented in the event is not useful, as far as I can tell.  Thanks!

        • Re: Usefulness of these Internal Rules fired from LEM Appliance
          curtisi

          You're looking at the result of a rule firing, which is to create an inference, which shows up in a filter.  If you look at the rule that creates these inferences, you'll see the LEM is basically looking for specific events and then drawing attention to them.  You might want to look at the rule, figure out what's triggering it, and then look for the original event/events that caused the inference.  In the case below, it takes 10 events in 10 seconds to trigger that inference.

           

          2014-03-04 07_12_48-SolarWinds Log and Event Manager Console.png

           

          So in this case, I'd go back to nDepth in the EXPLORE tab, and I'd look for those TCPTrafficAudit.AlertActivityType = TCP missing SYN Flag events from around the detection time (17:56:35 Mon Mar 03 2014±10 minutes in this case) and see if maybe something suspicious was going on.

           

          You could also use the "Explore Event" option on the Rule result that you're seeing, and it should show you all the events that triggered the rule at that time (though I've heard there are some issues with this feature at the moment)

           

          2014-03-04 07_25_31-SolarWinds Log and Event Manager Console.png

            • Re: Usefulness of these Internal Rules fired from LEM Appliance
              cscoengineer

              I agree with the issue with the Explore-Event feature. I had hit and miss with backtracking the inference rule that was fired.

               

              For extremely large amounts of inference rule firing, I would capture that information and turn off the inference.   I have seen cases there several of the default inference rules fired more than 10,000 per minute and  really slowed down LEM to a crawl. 

              1 of 1 people found this helpful
            • Re: Usefulness of these Internal Rules fired from LEM Appliance
              nicole pauls

              To add to what's already been said, the purpose of these out of the box rules is to detect common patterns within network traffic, e.g. many SYN packets = SYN scan type stuff. They also provide some insight into how events are normalized, if you look at those plus the authentication default rules which are similar.

               

              That said, the default thresholds are likely low in many cases, and they may not be useful for you depending on what you want to monitor. You can tweak the thresholds pretty easily to make them fire less frequently, or just disable them if they aren't interesting. If they fire too often or you have a lot of network traffic, you could be impacting load on the appliance (or require more resources than you actually need).

              1 of 1 people found this helpful
              • Re: Usefulness of these Internal Rules fired from LEM Appliance
                HMote

                Ok, now I see how these are used.  I believe I will reduce the threshold and check some of these out to see if there needs to be any action taken.  I just didn't know what they were useful for initially, but now I see the purpose.  Thanks!