INTOUCH^® INSA
Network Security Agent

Chapter 4
Getting Started Examples

Once you get familiar with the INTOUCH INSA menu items, what they do and when to use them, you will have no problem using INTOUCH INSA.

To get you started and familiar with INTOUCH INSA, this chapter provides step by step examples of how to use many of the menu items and features. You will learn how to display session information, watch sessions, set up alerts and rules, and play back a recorded session.

As you proceed through the examples, you will see references to various sections of this manual. For example, at some step you might be told to select "ALL" as the sort option and there will be a reference to Section 6.2 xxx. If you look at Section 6.2 xxx, you will see other available sort options that you can try later.

4.1 The INTOUCH INSA Main Menu

Once INSA Manager is initialized, the INTOUCH INSA main menu is displayed. This is the main menu:

Example 4-1 INTOUCH INSA Main Menu

+-----------------INTOUCH INSA - Network Security Agent V1.5-------------------+ | Security Status Reports Maintenance General Advanced Exit | ++------Security-------+-------------------------------------------------------+ | Sessions | | Playback | | Archive Playback | +---------------------+ EXIT = Exit INTOUCH INSA \ = Back HELP = Help

INTOUCH INSA is now ready for you to select menu items and proceed.

Using the Mouse to Execute Menu Items

Use the mouse to locate the menu item you want to run, and then click once to execute that menu item.

Using the Help System

If you want to see what each of the main menu items does, use the arrow keys to highlight the menu item or type the menu item name and press [Return] to move the cursor to that item, and then press the [Help] key. For example, to see what Reports does, highlight this menu item and press [Help]. There is on-line help for all menu items and prompts (see Section 6.5, On-line Help System).

4.2 Example: Displaying Active Sessions

This example shows you how to display a list of the active sessions on your network.

Here are the steps:

Use the mouse to select the Security option on the INTOUCH INSA main menu. The Security submenu is displayed and looks like this:

Use the mouse to select Sessions on the Security menu.

The Select Sessions menu is displayed. Select All to display all active sessions.

+------Select Sessions-------+ | All | | Sessions with incidents | | User names | | Locations | |----------------------------| | Exit | +----------------------------+

INSA Manager displays a list of the active sessions on your network. The display looks like this:

+-----------------------------------Security-----------------------------------+ | Sessions Clear Exit | +------------------------------------------------------------------------------+ +----------------28 active sessions as of 23-Jan-1997 09:32:55-----------------+ | Refresh | | | | Source Location Destination Loc Type User Last Cnct Ins Status | | LAT 2.22:17 LAT 17.3 INTER ALLEN 09:29 1:24 | | TTITEST.COM TTITEST.COM INTER DAN 09:31 11:13 | | LAT 2.22:97 LAT 97.1 INTER DEBBIE 09:23 1:30 | | IP 204.212.151.105:1634 CAST.TTINET.COM INTER SYSTEM 09:31 15:55 | | LAT 31.144:7 LAT 7.2 INTER HENRY 09:31 1:28 | | LAT 1.182:1 LAT 1.1 INTER JEANNIE 09:31 0:40 | | ASA.COMNET.COM TR.TTINET.COM INTER JODI 09:31 1:04 | | LAT 1.80:1 LAT 1.1 INTER JODI 09:25 1:04 | | LAT 2.22:49 LAT 49.4 INTER MSR 09:31 1:13 | | LAT 1.80:2 LAT 2.2 INTER SUE 09:31 2:46 | | CRL25.CRL.COM TR.TTINET.COM INTER SUE 09:29 2:45 | | . . . | +------------------------------------------------------------------------------+ Sessions watched: 0 EXIT = Exit INTOUCH INSA \ = Back HELP = Help

Each line is an active session and shows: the source and destination locations, login type, user name, time of last activity (keystroke), elapsed connect time, number of incidents during this session, watch and/or recording status.
If there are more active sessions than can be displayed on the screen, select Next... to display the next screen. Previous... displays the previous screen.

Select Refresh to get updated session information. The screen clears and an updated active sessions list is displayed.
When you have finished reviewing the active sessions list, you can exit by selecting the Exit option at the top of the screen. This takes you back to the Select Sessions menu where you can again select Exit and get back to the Security menu.

You now know how to display a list of all the active sessions. Section 9.1, Sessions Option, describes how to use the other Select Sessions menu options and shows the results.

The next example shows how to select and watch individual sessions.

4.3 Example: Watching an Active Session

This example shows how to display more information about an active session and how to watch that session.

Here are the steps:

Before you can select an active session to watch, you must first display a list of the active sessions --- as was done in the previous example. Display All active sessions or use one of the other Select Sessions menu options.

To get more information and watch a session, use the mouse to select one of the active sessions on the list. (The sessions list is actually a menu of active sessions.) In the following example, ALLEN is selected.

The screen clears and more detailed information about the selected session is displayed. For example:

+-------------------------------Session Security-------------------------------+ | Refresh Actions Incidents Exit | +------------------------------------------------------------------------------+ +-------------------Session as of 23-Jan-1997 09:57:54-------------------+ | | | LAT 2.22:17 --> LAT 17.3 | | | | Type : INTER | | User name : probably ALLEN | | Incidents : 0 | | Last login : 23-Jan-1997 08:09:18 | | Last activity : 23-Jan-1997 09:46:49 | | Watch status : none | +------------------------------------------------------------------------+ EXIT = Exit INTOUCH INSA \ = Back HELP = Help

Depending on the selected session, additional information might be displayed.

To watch this session, use the mouse to select the Actions option from the menu at the top of the screen and then, select the Watch option from the submenu.

+-------------------------------Session Security-------------------------------+ | Refresh Actions Incidents Exit | +-----------+------Actions------+----------------------------------------------+ | Watch | | Unwatch | | Snapshot | | Playback | | Start Recording | | Stop Recording | | Disconnect | +-------------------+

A pop-up window appears and you can watch the user's keystroke activity and see what they see on their screen. For example, if the user was entering data, you would see what they were entering.
If the user is not typing anything when you start watching the session, the pop-up window remains blank until there is keystroke activity.

When you are finished watching the session, use the mouse to select the Unwatch option from the Actions submenu.

+-------------------------------Session Security-------------------------------+ | Refresh Actions Incidents Exit | +-----------+------Actions------+----------------------------------------------+ | Watch | | Unwatch | | Snapshot | | Playback | | Start Recording | | Stop Recording | | Disconnect | +-------------------+

When Unwatch is selected, the pop-up window disappears.
There are several other menu options at the top of the session window. All of the options are described in Section 9.1.2, Selecting Sessions to Review and Watch. You can also get information on the options by using the [Help] key.

When you are ready to return to the active sessions list, use the mouse to select the Exit option from the menu at the top of the screen.

+-------------------------------Session Security-------------------------------+ | Refresh Actions Incidents Exit | +------------------------------------------------------------------------------+

The active sessions list is displayed and you can select another session to review and watch if you wish.

You now know how to get a list of the active sessions, and watch individual sessions.

Next, you will learn how to set up an alert and then see how INTOUCH INSA looks for it.

4.4 Example: Setting Up an Alert

Before INTOUCH INSA can alert you to intrusions or policy violations, you need to define the situations you want to be alerted to.

This example will show you how to set up and identify an alert so INTOUCH INSA can start looking for incidents. When you set up alerts for your network, you will go through these same steps each time you set up an alert.

For each alert, you must:

Define the alert. INTOUCH INSA needs some information about the alert situation so it knows what to scan for. You must determine what information identifies this alert situation.
Provide INTOUCH INSA with a name for the alert and what action (if any) you want to take when an alert incident occurs. (NOTE: all incidents are logged regardless of whether any alert action is specified.)
Provide INTOUCH INSA with information on how to identify an incident.

The following is a generic example that can be used on any system.

4.4.1 Defining the Alert

This is the sample alert situation that you can define and set up:

You have a payroll system and you want to know when someone runs the maintenance program that changes corporate management salary data.

The name of this alert is PAYROLL and INTOUCH INSA will be instructed to send a mail message when an alert incident occurs and also record the remainder of the session which caused the incident.

To identify this alert, INTOUCH INSA will be instructed to scan for the following text:

Corp Internal - Salary Maintenance

This text is used as identification because these exact words are displayed in a heading on the first input screen when the payroll program is run.

After this alert information is set up, INTOUCH INSA will know what to scan for and what immediate action to take if an incident is detected.

4.4.2 Adding Alert Information

Now that the alert situation is defined, you need to give the information to INTOUCH INSA by adding the information to the alert and rules files.

Here are the steps to actually set up the alert:

Use the mouse to select Maintenance from the main menu. The Maintenance submenu is displayed:

Use the mouse to select Alerts from the Maintenance menu.

The Alert File Maintenance screen is displayed and you are asked to select a maintenance option. Since you are going to add alert data, select the Add Alert Information item from the "Option" menu.

INTOUCH INSA Alert File Maintenance 23-Jan-1997 Alert name : Description : Action : Priority : Incidents : Last incident: +-------------Option--------------+ | Add Alert Information | | Change Alert Information | | Delete Alert Information | | Inquire on Alert Information | |---------------------------------| | Exit | +---------------------------------+

You are asked to enter the alert name. Type in the word PAYROLL in upper or lowercase letters and then press [Return]. For example:
ADD: Alert name? payroll_________________________
You are asked for the alert description.
Type in Audit corp salary maintenance and then press [Return].
ADD: Alert description? Audit corp salary maintenance_______________________
Next, you are asked for the action(s) you want to take when an incident occurs. You want INTOUCH INSA to send a mail message and record the session when an incident occurs. (Note: INTOUCH INSA automatically logs the incident regardless of whether any other actions are specified.)
Type in email,record and then press [Return].
ADD: Action(s)? email,record____________________________
You are asked for a priority code. Type in 2 and then press [Return].
ADD: Priority (1-9)? 2
You have entered all of the alert data and a record is added to the alert file.

You are going to add the information that identifies this alert to the rules file so use the mouse to select Edit Rules File.

+PAYROLL not found in Rules file+ | Edit Rules File | | Continue | +-------------------------------+

The screen clears and you are placed in the rules file where you can add the rule --- the information that identifies this alert --- to the rules text file.
You see some comments in the top portion of the screen which identify the file as the rules file and provide some examples.

! Rules for alert generation ! ! Format: ! ! ALERT alert_name "rule pattern" ! EXCLUDE "xxx" (IP address or LAT location) ! ! Example: ! ! ALERT authorize "uaf>" ! ALERT sysgen "sysgen>" ! ALERT priv "set ?*/priv" ! ! The alert names need to be entered into the ALERT datafile using the ! maintenance menu. alert priv "set ?*/priv" ! Unix hacker patterns . . .

Use the keypad 0 key to space down below the comments (and above: alert priv ...). Type in the following line exactly as shown:

alert payroll "Corp Internal - Salary Maintenance"
and then press [Return]. After you have typed in the line, it should look like this:

! . . . ! ALERT authorize "uaf>" ! ALERT sysgen "sysgen>" ! ALERT priv "set ?*/priv" ! ! The alert names need to be entered into the ALERT datafile using the ! maintenance menu. alert payroll "Corp Internal - Salary Maintenance" <-- line you add alert priv "set ?*/priv" ! Unix hacker patterns . . .

When you are editing the text in the rules file, you are in the INTOUCH INSA editor. Chapter 16, Using the INTOUCH INSA Editor, explains how to use the editor.
In the line you added:

alert --- identifies this as an alert rule entry
payroll --- is the alert name associated with this rule
"Corp Internal - Salary Maintenance"
--- is the text pattern that INTOUCH INSA will scan for

To exit out of the rules file and the editor, hold down the Ctrl key and press Z. At the "Command:" prompt, type EXIT and then press [Return].

You are asked for the next alert name. You are not going to enter any more alert data right now so you can either press the "\" (backslash) key or type in EXIT to return to the maintenance "Option" menu. Then select Exit to return to the "Maintenance" menu.

You have now set up the alert and INTOUCH INSA knows about it and is scanning for incidents. If an incident occurs, INTOUCH INSA will send a mail message to INSA Manager and record the session.
Section 8.2, Alert File Maintenance, describes in detail how to add, change, delete and inquire on alert data. It also describes the different actions that can be set up.
Section 8.3, Rules Maintenance, describes how to edit the rules file and add, change and delete text. It also tells about the different types of rules and how to set them up.
In the next example you will create an incident.

Previous Next Contents Index

INTOUCH® INSA Network Security Agent

Chapter 4Getting Started Examples