IDS/IPS monitoring and security using EventLog Analyzer

Intrusion detection systems and intrusion prevention systems (IDS/IPS) guard network traffic against malicious attacks. Their logs offer invaluable insight into attack tactics. ManageEngine EventLog Analyzer centralizes this data and provides comprehensive analysis and actionable reports to help protect against such attacks.

This tutorial elaborates on the different IDS/IPS monitoring and security use cases covered by EventLog Analyzer. Ensure that logging is enabled on your IDS/IPS so that its syslog messages are forwarded to EventLog Analyzer.

Threat detection using EventLog Analyzer: Use cases

EventLog Analyzer covers the IDS/IPS security use cases below with its security auditing reports and alerts. These reports are predefined and can be scheduled to be generated at specific times and distributed over email.

Use case: Detecting IP spoofing in SonicWall devices
Description: IP spoofing is a type of attack where a malicious actor disguises their IP address to appear as if they are coming from a different source. This allows them to bypass security measures that are based on IP address filtering.
Why implement?: Detecting IP spoofing can help prevent attackers from bypassing firewalls and other security measures that rely on IP address-based filtering.
Available reports: To detect IP spoof attacks, customize the Critical Attacks predefined alert profile by adding an additional filter criterion "Intrusion Name" containing "Spoof". This will enable accurate detection and notifications for such attacks. To analyze the attack incident, filter out IP Spoof from the Intrusion Name column in the Critical Attacks report.

Use case: Detecting land attacks in Cisco devices
Description: Land attacks are a type of denial of service (DoS) attack where a malicious actor sends a large number of packets to a target system with the same source and destination IP address and port. This can overwhelm the system and cause it to crash or become unresponsive.
Why implement?: Detecting land attacks enables organizations to proactively identify and mitigate threats such as DoS and network disruptions.
Available reports: To detect land attacks, customize the All Attacks predefined alert profile by adding an additional filter criterion "Attack Name" containing "Land". This will enable accurate detection and notifications for such attacks. To analyze the attack incident, filter out Land from the Attack Name column in the All Attacks report.

Use case: Detecting URL filtering log intrusions in PaloAlto devices
Description: URL filtering log intrusion attacks occur when malicious actors attempt to bypass URL filtering rules implemented on a Palo Alto firewall.
Why implement?: By detecting URL filtering logs, organizations can proactively identify and mitigate threats associated with unauthorized web access, malware downloads, and data exfiltration.
Available reports: To detect URL filtering log attacks, customize the Possible Attacks predefined alert profile by adding an additional filter criterion "Intrusion Name" containing "URL filtering log". This will enable accurate detection and notifications for such attacks. To analyze the attack incident, filter out URL Filtering Log from the Intrusion Name column in the Possible Attacks report.

Use case: Detecting IPv4 source route attacks in WatchGuard devices
Description: An IPv4 source route attack is a type of network attack where a malicious actor manipulates the source route field in an IP packet header to force the packet to follow a specific path through the network. This can be used to bypass security measures, launch DoS attacks, or intercept and modify network traffic.
Why implement?: By detecting IPv4 source route attacks, organizations can protect against DoS attacks launched using source route techniques.
Available reports: To detect IPv4 source route attacks, customize the All Attacks predefined alert profile by adding an additional filter criterion "Intrusion Name" containing "IPv4 source route". This will enable accurate detection and notifications for such attacks. To analyze the attack incident, filter out IPv4 source route from the Intrusion Name column in the All Attacks report.

Use case: Detecting spyware download detections in PaloAlto devices
Description: Spyware is malicious software that secretly monitors user activity and collects personal information without the user's knowledge or consent.
Why implement?: By effectively detecting spyware downloads, organizations can protect their devices, data, and users from the harmful effects of this type of malware.
Available reports: To detect spyware downloads, customize the Possible Attacks predefined alert profile by adding an additional filter criterion "Intrusion Name" containing "Spyware download detection". This will enable accurate detection and notifications for such attacks. To analyze the attack incident, filter out Spyware Download Detection from the Intrusion Name column in the Possible Attacks report.

Use case: Detecting port scanning attacks in NetScreen devices
Description: Port scanning is a technique used by attackers to identify open ports on a network device. By scanning a device's ports, attackers can determine which services are running and potentially exploit vulnerabilities in those services.
Why implement?: By detecting port scanning attempts, organizations can identify vulnerabilities in their network infrastructure and take steps to address them.
Available reports: To detect port scanning attacks, customize the Possible Attacks predefined alert profile by adding an additional filter criterion "Intrusion Name" containing "Port scan". This will enable accurate detection and notifications for such attacks. To analyze the attack incident, filter out Port Scan from the Intrusion Name column in the Possible Attacks report.

Use case: Detecting SSH brute force login attempts in FirePower devices
Description: An SSH brute force login attempt is a type of attack where a malicious actor tries to gain unauthorized access to a system by repeatedly guessing the correct username and password combination. This is done by using automated tools to test various combinations of usernames and passwords until the correct credentials are found.
Why implement?: Successful SSH brute force attacks can grant attackers unauthorized access to systems, allowing them to steal data, install malware, or launch further attacks. By detecting these attempts, organizations can protect their systems from unauthorized access and other security threats.
Available reports: To detect SSH brute force login attempts, customize the Possible Attacks predefined alert profile by adding an additional filter criterion "Attack" containing "SSH brute force login attempt". This will enable accurate detection and notifications for such attacks. To analyze the attack incident, filter out BAD-TRAFFIC SSH brute force login attempt from the Attack column in the Possible Attacks report.

Use case: Detecting SSL enforcement violations in CheckPoint devices
Description: An SSL enforcement violation occurs when a network device attempts to establish an SSL/TLS connection that violates the firewall's configured policies.
Why implement?: Detecting SSL enforcement violations can help organizations prevent unauthorized access, data breaches, and man-in-the-middle attacks.
Available reports: To detect SSL enforcement violations, customize the Critical Attacks predefined alert profile by adding an additional filter criterion "Attack" containing "SSL enforcement violation". This will enable accurate detection and notifications for such attacks. To analyze the attack incident, filter out SSL Enforcement Violation from the Attack column in the Critical Attacks report.

Use case: Detecting bad TCP checksums in F5 devices
Description: A bad transmission control protocol (TCP) checksum signals a transmission error, indicating that a packet's data has been corrupted during transit. Malicious actors may intentionally send packets with bad checksums to disrupt network traffic or launch attacks.
Why implement?: Detecting bad TCP checksums can help organizations detect and mitigate these threats.
Available reports: To detect bad TCP checksums, customize the All Attacks predefined alert profile by adding an additional filter criterion "Intrusion Name" containing "Bad TCP checksum". This will enable accurate detection and notifications for such attacks. To analyze the attack incident, filter out Bad TCP Checksum from the Intrusion Name column in the All Attacks report.
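
Every use case above follows the same pattern: a predefined alert profile plus a "field containing substring" filter. The script below is an added example, not EventLog Analyzer code, that replays those nine filters over constructed, already-normalised events so you can see which profile an event would land in before scheduling the alert; the field names mirror the report columns the page names, and the device names and events are made up.

```python
# Added example (not EventLog Analyzer code): replays the page's nine
# "filter criterion containing ..." rules over constructed IDS/IPS events
# to show which predefined alert profile each event would reach.
from typing import Dict, List, Tuple

# (alert profile, field to filter on, substring) exactly as the page lists them.
RULES: List[Tuple[str, str, str]] = [
    ("Critical Attacks", "Intrusion Name", "Spoof"),
    ("All Attacks",      "Attack Name",    "Land"),
    ("Possible Attacks", "Intrusion Name", "URL filtering log"),
    ("All Attacks",      "Intrusion Name", "IPv4 source route"),
    ("Possible Attacks", "Intrusion Name", "Spyware download detection"),
    ("Possible Attacks", "Intrusion Name", "Port scan"),
    ("Possible Attacks", "Attack",         "SSH brute force login attempt"),
    ("Critical Attacks", "Attack",         "SSL enforcement violation"),
    ("All Attacks",      "Intrusion Name", "Bad TCP checksum"),
]

def matching_rules(event: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (profile, substring) for every rule whose 'containing' filter
    the event satisfies. Matching is a case-insensitive substring test, so
    'BAD-TRAFFIC SSH brute force login attempt' still matches 'SSH brute
    force login attempt' and any name containing 'Spoof' matches that rule."""
    hits = []
    for profile, field, needle in RULES:
        value = event.get(field, "")
        if needle.lower() in value.lower():
            hits.append((profile, needle))
    return hits

# Constructed events in the normalised shape the reports expose; they are
# not real vendor syslog lines, and the device names are hypothetical.
EVENTS = [
    {"Device": "sonicwall-edge", "Intrusion Name": "IP Spoof", "Source": "198.51.100.7"},
    {"Device": "firepower-dc",   "Attack": "BAD-TRAFFIC SSH brute force login attempt"},
    {"Device": "paloalto-core",  "Intrusion Name": "Benign URL category lookup"},
    {"Device": "watchguard-br",  "Intrusion Name": "IPv4 Source Route", "Attack Name": "LAND"},
]

def triage(events: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Map each event's device to the sorted set of profiles it would alert in."""
    return {e["Device"]: sorted({p for p, _ in matching_rules(e)}) for e in events}

if __name__ == "__main__":
    for device, profiles in triage(EVENTS).items():
        print(f"{device:15} -> {profiles or ['no alert profile matched']}")
```

Because the filters are plain "containing" matches, the third event shows that an unrelated intrusion name is correctly ignored, while the fourth shows one event satisfying two rules that both feed the All Attacks profile.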

Supported IDS/IPS vendors:

  • Cisco
  • Sophos
  • Barracuda
  • SonicWall
  • Fortinet
  • Juniper
  • PaloAlto
  • WatchGuard
  • Huawei
  • NetScreen
  • CheckPoint
  • pfSense
  • F5
  • Cisco FirePower
  • H3C
  • Stormshield
  • ForcePoint

Compliance use cases

Compliance requirement to solution mapping

EventLog Analyzer reports and alerts:
  • Possible Attacks
  • Critical Attacks
  • All Attacks
  • Top Attacks based on Source
  • Top Attacks based on Destination
  • Top Traffic based on Severity
  • Attacks Trend

Regulations and requirements:

FISMA
  • Information System Monitoring (SI-4)
  • Access Enforcement (AC-3)
PCI-DSS
  • Securing applications and systems: PCI-DSS requirement 6.6
SOX
  • Establish safeguards to prevent data tampering: SEC 302.2
  • Periodically report the effectiveness of safeguards: SEC 302.4.D
  • Detect security breaches: SEC 302.5 (A & B)
  • Disclose security breaches to independent auditors: SEC 404.A.2
HIPAA
  • Security standards: General rules: 164.306 (a) (1)
  • Standard: Security management process: 164.306 (a) (1) (i)
  • Information system activity review: 164.308 (a) (1) (ii) (D)
GLBA
  • Transmission Security: Section 314.4(b)(3)
  • Response and Reporting: Section 314.4(c)
ISO 27001:2013
  • System and application access control: Control A 9.4
  • Network controls: Control A 13.1.1
GPG
  • Suspicious Activity at the Boundary (PMC Rule 3)
GDPR
  • Security of processing: Article 32(1)(d)
  • Attention to certain categories of risk: Article 32(2)
NRC
  • ACT B.1.6
  • ACT B.1.22
  • ACT B.2.6
  • ACT C.3.4
Cyber Essentials
  • Boundary firewalls and internet gateways
COCO
  • 1.D. Protective monitoring and intrusion detection
NERC
  • CIP 005-6 R1.5
  • CIP 007-6 R3.1
PDPA
  • RULE VI Section 25
  • RULE VII Section 30
NIST CSF
  • Risk Assessment (ID.RA)
CMMC
  • C013 - CM.2.061
  • C041 - SI.5.222
POPIA
  • Chapter 3 - Section 22 (5) (a)
QCF
  • 5.2.2 Network Access Control Management Service
  • 5.2.3 Network Monitoring Management Service
  • 6.2 Data Protection Service
  • 8.2.1 Security Monitoring
  • 8.2.2 Vulnerability Management and Penetration Testing
  • 8.2.4 Threat hunting
  • 10.2.1 Incident Handling and Response service
  • 12.2 Data Privacy Service
  • 13.2 Identity and Access Management Service
TISAX
  • To what extent is the network of the organization managed?: 5.2.7
SAMA
  • 3.2.1.1 Cyber Security Risk Identification
  • 3.2.1.2 Cyber Security Risk Analysis
  • 3.2.1.3 Cyber Security Risk Response
  • 3.2.1.4 Cyber Risk Monitoring and Review
  • 3.3.8 Infrastructure Security
  • 3.3.14 Cyber Security Event Management
  • 3.3.15 Cyber Security Incident Management
ECC
  • 2-2 Identity and Access Management
  • 2-5 Networks Security Management
  • 2-7 Data and Information Protection
PDPL
  • Article 19 - Information Security
  • Article 20 - Controls and Procedures for Dealing with Health Data
  • Article 21 - Controls and Procedures for Dealing with Credit Data
UAE-NESA
  • Access Control: T5.4
  • Reporting Information Security Events: T8.3.2
SOC 2
  • Configuration and policy monitoring, malware detection, compromise detection: 6.8.04
LGPD
  • Personal data processing: Art 7
  • Technical and organizational measures: Art 46
  • Structuring of data processing systems: Art 49