INTOUCH® INSA
Network Security Agent



8.2.4 Inquiring On Alert Information

Select Inquire On Alert Information if you want to review data in the alert file.



   +-------------Option--------------+ 
   |  Add Alert Information          | 
   |  Change Alert Information       | 
   |  Delete Alert Information       | 
   |  Inquire on Alert Information   | 
   |---------------------------------| 
   |  Exit                           | 
   +---------------------------------+ 

After you select the Inquire option, a menu of alert names is displayed. You can use the mouse to select the alert name you want to review.



                +Display Alert Name+ 
                |  INVALID_LOGIN   | 
                |  MGMT            | 
                |  PAYROLL         | 
                |  PRIV            | 
                |  URGENT          | 
                |------------------| 
                |  Exit            | 
                +------------------+ 

If, for example, "PRIV" is selected, the current information for this alert is displayed.



 Alert name   : PRIV 
 Description  : Privilege setting 
 Action       : email, record 
 Priority     : 1 
 Incidents    : 112 
 Last incident: 23-Jan-1997  02:47:04 PM 

After you review the alert information and press [Return], the alert names menu is displayed and you can select another alert name.

After you have finished inquiring on alert information, select the Exit option to return to the alert file maintenance menu options.

8.3 Rules Maintenance

You can add, change and delete text in the rules file. You can also review the current text information in the file.

To perform maintenance or inquire on information in the rules file, select the Rules option from the Maintenance menu.



                        +---------Maintenance----------+ 
                        |  Alerts                      | 
                        |  Rules                       | 
                        |  E-mail Distribution Lists   | 
                        |  Page                        | 
                        |  Page Distribution Lists     | 
                        |  Purge and Archive Records   | 
                        +------------------------------+ 

After you select Rules, you are placed into the INTOUCH INSA editor. The beginning of the current text is displayed and you use the INTOUCH INSA editor to add, change or delete rules.

When you exit from the editor (by entering Ctrl/Z and then typing EXIT at the prompt), you are returned to the Maintenance menu.

8.3.1 About the Rules File

The rules text file contains alert names and alert instructions or rules. Basically, the rules describe what situations or incidents INTOUCH INSA should look for. For example, in Section 4.4, Example: Setting Up an Alert, the text that INTOUCH INSA was to look for was, "Corp Internal - Salary Maintenance".

When INTOUCH INSA finds an incident that matches a rule or rule pattern, the incident is noted and some action is taken if specified.

Each rule is associated with a specific alert name. There can be one or more rules for an alert name. The alert name must exist in the alert file. When you edit the rules file, one of the following messages will be displayed if rules exist for alerts with no alert records or alert records exist with no rules:



 
Checking rules file... 
 
  The following alert names exist in the Rules file 
  but do NOT exist in the Alert master file: 
    xxxxxxx     xxxxxxxx 
 
 
  The following alert names exist in the Alert 
  master file but do NOT exist in the Rules file: 
    xxxxxxx     xxxxxxxx 
 

The rules file contains:

A rules file is shown in Example 8-3, Example of a Rules File.

Comments can be included in the alert rules file. Comments are identified with an exclamation mark (!). There are comments in the rules file example.

You can end the alert rules file with the END command. The rules file example ends with this command.

When rules are added or changed in the alert rules file, they are checked for correct format. If an error is found, it is reported and the rule must be corrected before you can exit the rules maintenance procedure. The following shows the information that is displayed when the word "alert" is misspelled:



Checking rules file... 
 
  The following lines in the Rules file are NOT valid: 
 
  Line Rule text 
  ---- ----------------------------------------------------------------------- 
    26 aert urgent "SYSGEN>" 

After you press [Return], you are placed at the top of the rules file. You can then go to the mentioned error line and correct the invalid rule.

Example 8-3 Example of a Rules File

! Rules for alert generation 
! 
! Format: 
! 
!    ALERT      alert_name  "rule pattern" 
!    EXCLUDE    "xxx"  (IP address or LAT location) 
! 
! Example: 
! 
!    ALERT authorize "uaf>" 
!    ALERT sysgen    "sysgen>" 
!    ALERT priv      "set ?*/priv" 
! 
! The alert names need to be entered into the ALERT datafile using the 
! maintenance menu. 
 
alert payroll "Corp Internal - Salary Maintenance" 
 
alert priv "set ?*/priv" 
 
! Unix hacker patterns 
alert urgent "passwd" 
alert urgent "/etc/" 
alert urgent "root:?*:0:"  ! password file (looking at it) 
alert urgent "root=" 
alert urgent "chown" 
alert urgent "chmod" 
alert urgent "rhost" 
 
alert mgmt "UAF>" 
alert mgmt "SYSGEN>" 
 
alert urgent  "{|nocase|}{(sylogin)}" 
 
alert invalid_login "User authorization failure" 
alert invalid_login "Login incorrect" 
 
end 

8.3.2 Alert Rules and Patterns

The format of an alert rule is:

ALERT + alert_name + "incident_pattern"

The following are examples of alert rules:

Example 8-4 Alert Rule Examples

 (1)     (2)      (3)
alert priv "set ?*/priv" 
 
alert payroll "Corp Internal - Salary Maintenance" 

  1. alert identifies the beginning of the alert rule
  2. in this example, priv is the alert name associated with this rule
    Note: alert names used in alert rules must exist in the alert file
  3. "set ?*/priv" is the rule pattern that INTOUCH INSA will look for
    Note: all rule patterns must be enclosed in double quotation marks ("rule_pattern")

Line Continuation

Rules can be continued across text lines --- that is, a rule text line can be broken into several text lines. To continue a rule, end the rule line with a space and an ampersand (&). For example, the following rule line:


telnet alert payroll "{|bol|}{<Admin|Officer>} Payroll for ?* Page {0-9}*{|eol|}" 

can be broken into two or more lines:


telnet alert payroll & 
"{|bol|}{<Admin|Officer>} Payroll for ?* Page {0-9}*{|eol|}" 
 
telnet alert & 
payroll & 
"{|bol|}{<Admin|Officer>} Payroll for ?* Page {0-9}*{|eol|}" 
 
telnet alert payroll "{|bol|}{<Admin|Officer>} Payroll for ?* & 
Page {0-9}*{|eol|}" 

Rule lines should be broken on a line "element" as shown above.

Location Patterns

Alerts can be set up for specific locations (addresses). For example, you can set up an alert which will send a mail message to the INSA Manager if a certain IP or LAT location or domain name is noticed. To do this, you would set up an alert name (e.g., mgmt) with the action of "email", and in the rules file you would have:


alert mgmt "NSA_LOCATION: IP 204.213.121.1:" 
 
alert mgmt "NSA_DOMAIN: ttitest.com" 

These are the valid location rule patterns that can be used:

"NSA_LOCATION: IP nnn.nnn.nnn.nnn:pppp"

"NSA_LOCATION: LAT nnn.nnn:ppppp"

"NSA_DOMAIN: xxx.yyy.zzz"

NSA_DOMAIN: only works if INTOUCH INSA is running with a TCP/IP stack enabled. INTOUCH INSA needs a running TCP/IP stack in order to do DNS resolution (the process of changing an IP address to a domain name, which is performed by a Domain Name Server).

The "NSA_LOCATION: IP nnn.nnn.nnn.nnn:pppp" and "NSA_DOMAIN: xxx.yyy.zzz" patterns are checked once --- when a new session starts.

E-mail Patterns

Alerts can be set up for E-mail surveillance. For example, you can set up an alert which will log an incident if E-mail is received or sent by a specific E-mail address. For example, this alert rule:


alert mgmt "NSA_EMAIL_FROM: [email protected]" 

would generate an alert when E-mail is sent FROM E-mail address "[email protected]".

This alert rule:


alert mgmt "{<NSA_EMAIL_TO: [email protected]|NSA_EMAIL_TO: [email protected]>}" 

would generate an alert when E-mail is sent TO either "[email protected]" or "[email protected]".

These are the valid E-mail rule patterns that can be used:

"NSA_EMAIL_TO: [email protected]"

"NSA_EMAIL_FROM: [email protected]"

E-mail addresses must be in lowercase because INTOUCH INSA processes them in that form.

For additional information on E-mail surveillance, see Chapter 13, E-mail Surveillance.

Alert Rules and Service Types

The alert rules tell the INTOUCH INSA scanner what to look for when it scans the data. You can specify which data to scan by providing a service type --- type of protocol or port access. For example, if you want to check for a certain pattern only in E-mail messages, you would create the following alert rule:


email alert "pattern" 

Prefixing "email" to the above alert rule, would cause alert incidents to be generated only if the "pattern" is found in E-mail messages.

The valid service type prefixes that can be used with ALERTs are:

   ALL           same as not having a prefix --- all data is checked
   TELNET        only TELNET (and LAT) sessions are checked
   INTERACTIVE   same as TELNET
   EMAIL         only E-mail is checked
   FTP           only FTP sessions are checked
   URL           only URL names are checked

FTP Alerts and Patterns

FTP sessions are not like other types of sessions which are based on what is seen on the screen. FTP commands are translated (by FTP) from what the user enters to what FTP needs. For example, if a user entered:

GET PAYROLL.TMP

FTP would translate the entered text and the INTOUCH INSA scanner would see:

RETR PAYROLL.TMP

Also, only the commands are scanned --- none of the feedback from the server is scanned.

The following is a snapshot of an FTP session as it is seen by the INTOUCH INSA scanner:


        USER tester 
        PASS (hidden by INSA) 
        SITE +VMS+ 
        PORT 205,213,151,3,15,94 
        NLST 
        PORT 205,213,151,3,15,95 
        RETR cloud.ra 
        PORT 205,213,151,3,15,96 
        RETR cloud.ra 
        PORT 205,213,151,3,15,97 
        STOR login.com 

When alert rule patterns are set up for FTP sessions, the patterns need to be based on the FTP translated text and not what the user would enter.

Example 8-5 FTP Rule Example

 (1)    (2)         (3)
alert ftp "{|bol|}{<{(STOR)}|{(RETR)}>}" 

  1. alert identifies the beginning of the alert rule
  2. in this example, ftp is the alert name associated with this rule
  3. "{|bol|}{<{(STOR)}|{(RETR)}>}" is the rule pattern that INTOUCH INSA will look for. In this case, the scanner will look for "STOR" or "RETR" at the beginning of a text line.

8.3.3 EXCLUDE Rules

You can tell INTOUCH INSA to ignore incidents for a specific location/address.

The format of the exclusion rule is:

EXCLUDE "address"

The following is an example of an exclude rule:

Example 8-6 Exclude Rule Example

  (1)          (2)
exclude "199.4.39.233" 

  1. exclude identifies the beginning of the exclusion rule
  2. in this example, "199.4.39.233" is the address to be excluded; the address can be an IP or LAT location; the address must be enclosed in double quotation marks ("address")
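The rules file checks described in Section 8.3.1 (alert names present in only one of the two files, lines that are NOT valid), together with the line continuation rule, the service type prefixes and the EXCLUDE rule above, worked through as an added Python example; this is not INSA's own checker. It assumes only the syntax shown on this page: an optional service type, then ALERT, an alert name and a quoted pattern; EXCLUDE "address"; "!" comments outside quoted patterns; a trailing " &" continuation; and END as terminator. The sample rules file and alert master list are constructed.

```python
import re
SERVICE_TYPES = {"ALL", "TELNET", "INTERACTIVE", "EMAIL", "FTP", "URL"}
RULE_RE = re.compile(r'^(?:(\w+)\s+)?ALERT\s+(\w+)\s+"(.*)"$', re.I)
SAMPLE_RULES = """\
! constructed example, not a real INSA rules file
alert payroll "Corp Internal - Salary Maintenance"
telnet alert payroll &
"{|bol|}{<Admin|Officer>} Payroll for ?* &
Page {0-9}*{|eol|}"
aert urgent "SYSGEN>"          ! misspelled keyword (the manual's example)
alert sysgen "SYSGEN>"         ! alert name missing from the alert file
xyz alert urgent "passwd"      ! unknown service type
exclude "199.4.39.233"
end
alert mgmt "UAF>"              ! after END: ignored
"""
SAMPLE_MASTER = ["PAYROLL", "PRIV", "URGENT", "MGMT"]   # constructed alert master file

def _strip_comment(line):  # '!' starts a comment unless it sits inside a quoted pattern
    return re.sub(r'("[^"]*")|!.*', lambda m: m.group(1) or "", line)

def logical_lines(text):
    """Yield (first_physical_line, rule_text); a trailing ' &' joins lines, END stops."""
    buf, start = "", None
    for num, raw in enumerate(text.splitlines(), 1):
        line = _strip_comment(raw).strip()
        if not line: continue
        start = start or num
        if line.endswith(" &"):                  # continuation: drop '&', keep the space
            buf += line[:-1]
        elif (buf + line).upper() == "END":      # END terminates the rules file
            return
        else:
            yield start, buf + line
            buf, start = "", None

def check_rules(text, master_alerts):
    """Parse rules, flag invalid lines, cross-check alert names with the alert master file."""
    rules, excludes, invalid = [], [], []
    for num, line in logical_lines(text):
        m, x = RULE_RE.match(line), re.match(r'^EXCLUDE\s+"([^"]+)"$', line, re.I)
        if m and (m.group(1) or "ALL").upper() in SERVICE_TYPES:
            rules.append(((m.group(1) or "ALL").upper(), m.group(2).upper(), m.group(3)))
        elif x:
            excludes.append(x.group(1))
        else:
            invalid.append((num, line))          # what INSA reports as "NOT valid"
    used, master = {n for _, n, _ in rules}, {n.upper() for n in master_alerts}
    return {"rules": rules, "excludes": excludes, "invalid": invalid,
            "unknown_alerts": sorted(used - master), "unused_alerts": sorted(master - used)}
```

Run against the constructed file, the report flags lines 6 and 8 as invalid, SYSGEN as a rule with no alert record, and PRIV, URGENT and MGMT as alert records with no valid rule.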

8.3.4 Creating Rule Patterns

As INTOUCH INSA constantly scans the network packets, it is looking for text that matches the rule patterns. When it finds text that matches a rule pattern, it logs an incident.

Rule patterns can be simple or complex, depending on what text is to be scanned for. Patterns can consist of text, special characters and/or directives. This section explains how to create rule patterns using the various pattern options.

Pattern Options

The following table contains a list of the pattern options --- these are special characters and directives that can be used in patterns.

Table 8-2 Pattern Options

Character
or Directive   Examples and Description
------------   ---------------------------------------------------------------
?              F?X  matches: FIX, FAX, FOX
               any single character or space

*              D*12  matches: D12, DD12, DDD12
               one or more occurrences of the character or group preceding *

**             D**12  matches: 12, D12, DD12
               zero or more occurrences of the character or group preceding **

~              ~|  ~?
               the tilde (~) denotes that the following character is to be
               treated as text and not as a command or part of a command; in
               the examples ~| and ~?, the | and ? would be treated as text
               characters

{chars}        {123}{ABC}{D-Gd-g}{4-6}  matches: 1CE4, 2Bf5, 3AD6
               characters or range of characters; range is x-y format

{^chars}       {^ABC}{D-Gd-g}{4-6}  matches: DE4, Kf5, TD6
               not these characters or range of characters

{<ccc|ccc>}    th{<is|ere>}
               area code: {<619|203|714>}
               list of optional items

{(word)}       {(computer)}
               {(Password)}
               must be the exact word or set of characters; a word is
               surrounded by white space or at the beginning of a line or at
               the end of a line

{|case|}       {|case|}passwd
               directive - case is checked; must match case exactly

{|nocase|}     {|nocase|}password
               directive - case is ignored; can be upper, lower or mixed case

{|bol|}        {|bol|}To start
               directive - starts at beginning of the line

{|eol|}        the end{|eol|}
               directive - at end of the line

Using the Pattern Options

The following examples show in detail how the different pattern options can be used.

NOTE: Patterns are placed inside of double quotation marks and are processed from left to right.

?

Allows any single character or space in this position in the pattern.

Pattern: "Credit Memo: CM?SP"

Result: Will find a match (i.e. log an incident) if the scanned text is:

"Credit Memo: CM"
followed by any single character or space
followed by "SP"

Examples of text that would match:

Credit Memo: CM1SP
Credit Memo: CMzSP
Credit Memo: CMTSP
Credit Memo: CM SP

Examples of text that would NOT match:

Credit Memo: CMSP
Credit Memo: CM
Credit Memo: CM24SP

* and **

* allows one or more occurrences of the character or group preceding the * in this position in the pattern. For example, "H*" matches on one or more "H"s.

** allows zero or more occurrences of the character or group preceding the ** in this position in the pattern. For example, "H**" matches on zero or more "H"s.

Pattern: "Memo Y*{2-5}Z**"

Result: Will match if the scanned text is:

"Memo "
followed by one or more "Y"s
followed by 2, 3, 4 or 5
followed by zero or more "Z"s

Text examples that match:

Memo YYY3Z was sent to France.
Memo YY4ZZ69 was sent to Spain.
Memo Y469 was sent to New York.

?* and ?**

? followed by * allows one or more of any characters to be in this position. ? followed by ** allows zero or more of any characters to be in this position. These combinations work like "wildcards".

Pattern: "set ?*/priv"

Result: Matches if the scanned text is:

"set "
followed by one or more characters
followed by "/priv"

Text that matches:

set process/priv=all

To allow ANY case, you could change the pattern to:

"{|nocase|}set ?*/priv"

{chars}

Designates specific characters or a range of characters.

Pattern: "{A-Da-d}{0-9}{E-H}{0-9}{3-6}{x-z}"

Result: Will match if the scanned text is:

an upper or lowercase A, B, C or D
followed by a number from 0 - 9
followed by an uppercase E, F, G or H
followed by a number from 0 - 9
followed by a number from 3 - 6
followed by a lowercase x, y or z

Some matches: B4G75x, c0F04y, D7H86z, abcd6H66xz

{^chars}

Cannot be these characters or range of characters. Is the opposite of {chars}.

Pattern: "{A-Da-d}{^5-7}{^E-H}{0-9}"

Result: Will match if the scanned text is:

an upper or lowercase A, B, C or D
followed by any character except 5, 6 or 7
followed by any character except E, F, G or H
followed by a number from 0 - 9

Some matches: A1A1, a1a1, TC3Z92

{<ccc|ccc|ccc>}

Provide a list of optional items. You can list two or more items.

Pattern: "{<system|operator|user>} password"

Result: Will match if scanned text is:

"system", "operator" or "user"
followed by " password"

Matches will be found in the following:

Now is the time to change system passwords.
Now is the time to change user passwords.

{(word)}

Specifies an exact word and case to match on. For example, if the pattern is "{(password)}", there would be no match on "passwords". A word is surrounded by white space or at the beginning of a line or at the end of a line.

Pattern: "{(urgent)}"

Result: Only the single text word of "urgent" will match. "Urgent", "URGENT" and "urgently" will not match.

To allow any case of the word "urgent", you would use this pattern:

"{|nocase|}{(urgent)}"

Then, "Urgent" and "URGENT" would match.
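The pattern options in Table 8-2 and the examples above, as an added Python example that is not INSA's own code: a translator from INSA rule patterns to Python regular expressions, so that the matches and non-matches listed in this section can be checked mechanically. The regex semantics are my reading of the table (a {(word)} is delimited by white space or a line boundary; a case directive applies from its position onward; ** is checked before *), and a quantifier placed directly after a directive, which the page does not define, is not handled.

```python
import re

def _close(pat, i):
    """Index of the '}' matching the '{' at pat[i]; braces nest, e.g. {<{(STOR)}|{(RETR)}>}."""
    depth = 0
    for j in range(i, len(pat)):
        depth += (pat[j] == "{") - (pat[j] == "}")
        if depth == 0:
            return j
    raise ValueError("unbalanced braces: " + pat)

def _alternatives(body):
    """Split the inside of {<a|b|c>} on top-level '|' only."""
    parts, depth = [""], 0
    for ch in body:
        depth += (ch == "{") - (ch == "}")
        if ch == "|" and depth == 0:
            parts.append(""); continue
        parts[-1] += ch
    return parts

def insa_to_regex(pat):
    """Translate an INSA rule pattern into a Python regular expression (my reading of Table 8-2)."""
    out, i, nocase = [], 0, False
    while i < len(pat):
        ch = pat[i]
        if ch == "~" and i + 1 < len(pat):            # ~x: next character is literal text
            out.append(re.escape(pat[i + 1])); i += 2
        elif ch in "?*":                               # ? any single char; * one or more; ** zero or more
            tok = "**" if pat.startswith("**", i) else ch
            out.append({"?": ".", "*": "+", "**": "*"}[tok]); i += len(tok)
        elif ch == "{":
            end = _close(pat, i); body = pat[i + 1:end]; i = end + 1
            if body in ("|bol|", "|eol|"):              # start / end of line directives
                out.append("^" if body == "|bol|" else "$")
            elif body in ("|nocase|", "|case|"):        # case directives apply from here on
                want = body == "|nocase|"
                if want != nocase:
                    out.append("(?i:" if want else ")")
                nocase = want
            elif body.startswith("<") and body.endswith(">"):   # {<a|b>}: list of optional items
                out.append("(?:" + "|".join(map(insa_to_regex, _alternatives(body[1:-1]))) + ")")
            elif body.startswith("(") and body.endswith(")"):   # {(word)}: whole word, whitespace-delimited
                out.append("(?:(?<!\\S)" + re.escape(body[1:-1]) + "(?!\\S))")
            else:                                       # {chars} or {^chars}: set/range, ^ negates
                out.append("[" + body.replace("\\", "\\\\").replace("]", "\\]") + "]")
        else:
            out.append(re.escape(ch)); i += 1
    return "".join(out) + (")" if nocase else "")

def matches(pattern, text):  # True when the scanned text contains the pattern, i.e. an incident is logged
    return re.search(insa_to_regex(pattern), text, re.MULTILINE) is not None
```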

