Finger User Enumeration Event

From SCADApedia


The Finger User Enumeration Event identifies any Finger traffic occurring on the network. The event uses the IPFlow interface to determine if a system is generating any Finger traffic.

When a system generates Finger traffic, Portaledge will generate a Finger User Enumeration Event. This event is part of the Portaledge Enumeration Event Class.


ACE Module Description

The ACE Module for the Finger User Enumeration Event monitors all systems on a network monitored by the IPFlow interface. The PI Interface Node running the IPFlow interface collects network flow information and returns it to the PI server. The collected data is then passed to ACE for the Finger User Enumeration Event. Each system that generated Finger traffic produces an event, which is written to the Portaledge_EnumerationAlert tag, creating a Portaledge Event.

The Finger User Enumeration Event package includes:

  • EnumerationFingerBeta1.vb
  • EnumerationEventHelpers.vb
  • Finger User Enumeration Excel templates

Analysis or Impact

The Finger User Enumeration Event will identify a system generating Finger traffic. The Finger traffic may be the result of an attacker scanning the network.

Interfaces

The Finger User Enumeration Event gathers data from workstations and servers with the following PI Interfaces:

  • IP Flow: Used to monitor network traffic.

Triggers

A Finger User Enumeration Event is generated when the following condition occurs:

  • Finger: This trigger will raise an alarm if a system generates Finger traffic.

The thresholds for the triggers can be modified in the ACE modules.

The trigger is stored as part of the Event and is available for display or analysis.
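The trigger logic above, written out as an added Python example (not the Portaledge VB ACE module): it walks IP Flow records whose fields are named after the Flow module aliases, treats any TCP flow to port 79 (the Finger port, RFC 1288) within one EnumerationSessionInfo_Time window as Finger traffic, and emits one alert per source system. The flow record layout, the sample flows and the alert string format are assumptions.

```python
# Added example: a stand-in for the Finger trigger in Python, not the
# Portaledge VB ACE module. Record layout and alert text are assumptions.
from dataclasses import dataclass

FINGER_PORT = 79                      # Finger uses TCP port 79 (RFC 1288)
TCP = 6                               # IP protocol number for TCP
ENUMERATION_SESSION_INFO_TIME = 300   # seconds, per the module database property
ENUMERATION_FINGER_SEVERITY = 4       # per the module database property


@dataclass
class Flow:
    """One IP Flow record; field names follow the Flow module aliases."""
    time: int        # epoch seconds when the flow was observed
    src: str
    srcPort: int
    dst: str
    dstPort: int
    protocol: int
    octet: int


def is_finger(flow: Flow) -> bool:
    """The Finger trigger: any TCP flow to port 79 counts as Finger traffic."""
    return flow.protocol == TCP and flow.dstPort == FINGER_PORT


def finger_events(flows: list[Flow], now: int,
                  window: int = ENUMERATION_SESSION_INFO_TIME) -> list[str]:
    """Return one alert string per source that generated Finger traffic
    within the last `window` seconds (one ACE run interval)."""
    sources: dict[str, set[str]] = {}
    for f in flows:
        if now - f.time > window or not is_finger(f):
            continue        # stale flow, or not Finger traffic
        sources.setdefault(f.src, set()).add(f.dst)
    # Text that would be written to Portaledge_EnumerationAlert (format assumed)
    return [f"Finger User Enumeration|severity={ENUMERATION_FINGER_SEVERITY}"
            f"|src={src}|targets={len(dsts)}"
            for src, dsts in sorted(sources.items())]


# Constructed sample flows: one host fingering three targets, one SSH
# session, and a Finger flow that is older than the 300 s window.
SAMPLE_FLOWS = [
    Flow(1000, "10.0.0.5", 40001, "10.0.0.20", 79, TCP, 120),
    Flow(1010, "10.0.0.5", 40002, "10.0.0.21", 79, TCP, 118),
    Flow(1020, "10.0.0.5", 40003, "10.0.0.22", 79, TCP, 121),
    Flow(1030, "10.0.0.7", 50100, "10.0.0.20", 22, TCP, 4096),
    Flow(500, "10.0.0.9", 40500, "10.0.0.20", 79, TCP, 90),
]
```

Calling `finger_events(SAMPLE_FLOWS, now=1200)` yields a single alert for 10.0.0.5; the SSH flow and the stale Finger flow from 10.0.0.9 are ignored.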

Installation

This section provides specific installation information for the Finger User Enumeration Event. General installation information that applies to all Events is available on the Portaledge Installation page.

PI Tags

Create the PI IP Flow tag for the network being monitored.

  • PI IP Flow Interface
    • Create a PI IP Flow tag for the network being monitored. Refer to the OSIsoft PI IP Flow Interface documentation for creating and configuring the IP Flow tag (see External Links below).

Module Database

Create the modules, their associated properties and aliases, and the aliases' references for the systems to be scanned in the module database. Use either the SMT Module Database interface or the provided Excel templates.

If it does not already exist, create a Portaledge module in the module database. This module contains the sub-modules and other information relevant to this and other Portaledge modules. Create the modules manually through the SMT interface, or use the provided templates to add them through the Excel SMT tool.

  • Modules:
    • Alerts
      • The Alerts module will contain the following alias:
        • Alias Name: EnumerationAlert with the following settings:
        • PI Server: The PI Server where the tag analogous to this system exists.
        • Tag Name: Portaledge_EnumerationAlert (see the Output Tags below).
    • Enumeration: An Enumeration Module needs to be created if it does not already exist.
      • Properties
        • EnumerationSessionInfo_Time = 300: Amount of time, in seconds, the system will scan for new network sessions.
        • EnumerationFinger_Severity = 4: The severity level of the alert. This will be used to calculate the severity levels in the Enumeration Event Class Event and the Meta Event.
    • Flow: The Flow Module will contain aliases for the IP Flow tags. Each of the following aliases has its Tag Name set to the name of the tag created to reference the IP Flow tag created in the PI ACE Points/Tags step above.
      • Aliases
        • Alias Name: dst
        • Alias Name: dstIP
        • Alias Name: dstPort
        • Alias Name: octet
        • Alias Name: protocol
        • Alias Name: src
        • Alias Name: srcIP
        • Alias Name: srcPort

Output Tag

Create the Output Tag for reporting this Event Module.

Create a Portaledge_EnumerationAlert Point if it does not already exist. The Portaledge_EnumerationAlert Point will have the following settings:

  • Name: Portaledge_EnumerationAlert
  • Descriptor: Portaledge Enumeration Alert
  • Point Type: String
  • The Data Owner, Data Group, Point Owner, and Point Group users in the Security Settings tab should be modified to represent the correct users.

The remainder of the settings can be left as the defaults.

A script creating this point is available for the Alias Template Excel SMT tool.

Output Alias

Create an Alert Alias referencing the Output tag. The Alias should be named EnumerationAlert. It may already exist, having been created during the installation of another event in this Event Class.

Create an alias under the Portaledge Alerts Module that references the Portaledge_EnumerationAlert tag and is named Portaledge_EnumerationAlert.

ACE Modules

Install the event module VB code and register the module. Configure the module with the ACE Manager to run on an interval of the same length as the EnumerationSessionInfo_Time property. Choose an offset between 1 and 59 seconds so that this event does not fire at the same time as other events.

The Finger User Enumeration Event uses the Finger User Enumeration ACE module, which is composed of two files:

  • EnumerationFingerBeta1.vb
  • EnumerationEventHelpers.vb

Follow the PI ACE User Guide to install and register the module. It is recommended that this module be set to run every 5 minutes on a different offset than the Enumeration Event Class Event.

External Links

PI IP Flow Interface User Manual

PI ACE User Guide
