+-----------------INTOUCH INSA - Network Security Agent V1.5-------------------+ | Security Status Reports Maintenance General Advanced Exit | +---------------------------------+---------Maintenance----------+-------------+ | Alerts | | Rules | | E-mail Distribution Lists | | Page | | Page Distribution Lists | | Purge and Archive Records | +------------------------------+

Alerts	Performs maintenance on alert file records. The alert maintenance options allow you to: add new records to the alert file change or update data in the alert records delete alert records from the file review or inquire on alert information
Rules	Allows you to add, change and delete text in the rules file by using the INTOUCH INSA editor. The rules text file contains alert names and alert rules and rule patterns. Basically, the rules describe what incidents (patterns) INTOUCH INSA should scan for. Each rule is associated with a specific alert name. There can be one or more rules for an alert name. The alert name must exist in the alert file. The rules file contains: alert rules and rule patterns that describe alert situations alert rules that apply or are identified with specific locations specify locations --- IP and LAT addresses --- to exclude
E-mail Distribution Lists	Allows you to create and edit E-mail distribution lists. An E-mail distribution list is used to send a message to several users when an alert incident occurs.
Page	Performs maintenance on page file records. The page maintenance options allow you to: add new records to the page file change or update data in the page records delete page records from the file review or inquire on page information
Page Distribution Lists	Allows you to create and edit page distribution lists. A page distribution list is used to page multiple users when an alert incident occurs.
Purge and Archive Records	Allows you to purge and/or archive records from the incident, recordings and/or audit files. You select which records in the files to purge/archive. You can select records by date, user name, location and alert name.

A.1.5 General Menu Options

+-----------------INTOUCH INSA - Network Security Agent V1.5-------------------+ 
|  Security    Status    Reports    Maintenance    General    Advanced    Exit | 
+------------------------------------------------+--General--+-----------------+ 
                                                 |  E-mail   | 
                                                 +-----------+ 

E-mail

You are placed in the E-mail utility. The screen clears and the MAIL> prompt is displayed. You can read or send mail messages. You can get help on using the mail utility by entering HELP at the MAIL> prompt. When you have finished and want to return to the General menu, enter EXIT at the MAIL> prompt and the menu will be displayed.

A.1.6 Advanced Menu Options

+-----------------INTOUCH INSA - Network Security Agent V1.5-------------------+ 
|  Security    Status    Reports    Maintenance    General    Advanced    Exit | 
+------------------------------------------------------------------------------+ 
                 +--------Advanced---------+ 
                 |  Configure            [>| +----Configure----+ 
                 |  Control INTOUCH INSA [>| |  TCP/IP Ports   | 
                 |  Software Upgrade       | |  TCP/IP         | 
                 |  System               [>| +-----------------+ 
                 +------------------------+ 
                                             +---Control INTOUCH INSA----+ 
                                             |  Shut down INTOUCH INSA   | 
                                             |  Restart INTOUCH INSA     | 
                                             +---------------------------+ 
 
                                             +---------System----------+ 
                                             |  Change Date and Time   | 
                                             |  System Shutdown        | 
                                             +-------------------------+ 

TCP/IP Ports	Allows you to set up HTTP and/or FTP proxy port numbers and SMTP and/or DUMP port numbers.
TCP/IP	Allows you to shut down, start up and/or configure TCP/IP services.
Shut down INTOUCH INSA	This is a special procedure that shuts down INTOUCH INSA. This procedure should be run only when instructed to do so by TTI technical support.
Restart INTOUCH INSA	This is a special procedure that restarts INTOUCH INSA. This procedure should be run only when instructed to do so by TTI technical support.
Software Upgrade	Upgrades the INTOUCH INSA box with a new version of the INTOUCH INSA software. This procedure performs the software upgrade installation.
Change Date and Time	Allows you to change the system date and time. The current system date and time are displayed and you are asked to enter a new system date and a new time.
System Shutdown	If you select YES, the system is shut down in an orderly manner. If NO, the system is not shut down and you are returned to the System menu.

The following provides information on the INTOUCH Network Security Agent features/procedures. This list can be used as a guide when working with INTOUCH INSA.

Sessions

Once the current active sessions are listed, any session's data can be reviewed and session actions taken. The following session procedures can be performed:

• Display all current active sessions
• Display detail information for a session
• Watch a session's keystroke activity in real-time
• Get a snapshot of a session's current activity
• Record a session's current activity
• Play back a current session that has been recorded
• Disconnect a session having an IP address
• Show summary and detail incident data for a current session

Alerts and Rules

A sample set of alerts and rule patterns has been provided for testing purposes. The Alert Report shows the alerts that have been set up. The incident rule patterns associated with the alerts are contained in the rules file which can be reviewed and updated.

• Alerts can be set up to take the following actions when incidents occur:
  • send E-mail
  • page a user
  • watch the session
  • record the session
  • disconnect an IP session
• Rule patterns can be set up to:
  • scan for specific or generalized text
  • scan for IP, LAT and domain addresses
  • scan for E-mail addresses
  • exclude addresses

INTOUCH INSA Reports

Customized incident, alert and other reports can be created as well as various network activity and E-mail reports.

• Incident Report - shows detected incidents
• Alert Report - shows alert counts, alert data
• Recordings Report - shows recorded sessions
• Active Browsers - browser activity for last thirty minutes
• URL Accesses - URL accesses by browsers since a specified date
• Browser Accesses - browser activity since a specified date
• Audit Report - internal activities of INTOUCH INSA system
• Page Report - shows page counts, page data
• Top Browser Accesses - most active browsers by WWW pages accessed
• Top IP Connections - most active network connections in K bytes
• Top URL Connections - most active IP address and URL connections
• Top IP Address - most active IP addressed systems on network by K bytes
• Top URL Accesses - most accessed URLs
• Top E-mail Reports - most active E-mail addresses by count and volume
• Top E-mail Correspondence Reports - most active sources, destinations by count and volume
• Archive Reports - reports on archived incident, recordings, audit data

TCP/IP Services and Ports

TCP/IP services can be started and configured so that INTOUCH INSA can:

• resolve IP addresses --- get and use domain names
• receive packet data from Transport Agents
• send E-mail from the INTOUCH INSA box to some other CPU
• access the INTOUCH INSA box from another CPU

The following TCP/IP ports can be configured:

• SMTP --- enabling this port allows surveillance of all incoming and outgoing E-mail
• HTTP and FTP --- proxy port numbers can be set up for non-normal port numbers
• DUMP --- set up to dump data for a given service port

Other Features

• Play back previously recorded sessions.
• Create and edit E-mail distribution lists which are used to send messages when an alert incident occurs.
• Create and edit page distribution lists which are used to page users when an alert incident occurs.
• Purge and/or archive records from the incident, recordings and audit files.
• Display INTOUCH INSA status information such as packet counts.
• Status report of ethernet and TCP/IP statistics.
• Access to the E-mail utility without exiting out of INTOUCH INSA.

This appendix contains examples of incident, alert and recordings reports.

C.1 Incident Reports

The following is an example of a Summary Incident Report.

23-Jan-1997 INTOUCH INSA - Network Security Agent 03:16:00 PM Summary Incident Report File: ----- current Selection criteria: ------------------- Begin date : 10-Jan-1997 End date : 20-Jan-1997 Alert names: INVALID_LOGIN Priorities : ALL User names : ALLEN,DAN,JEANNIE Locations : ALL Sort order: ----------- 1) Incident date 2) User name 3) Incident time 4) Alert priority 5) Alert name 6) Location 23-Jan-1997 INTOUCH INSA - Network Security Agent Page 1 Summary Incident Report Date Count Percent ----------- ----------- ------- 15-Jan-1997 1 14.29 17-Jan-1997 1 14.29 18-Jan-1997 1 14.29 20-Jan-1997 4 57.14 =========== ======= =========== ======= 7 100.00

C.1.2 Detail Incident Report

The following is an example of a Detail Incident Report.

23-Jan-1997 INTOUCH INSA - Network Security Agent 03:20:04 PM Detail Incident Report File: ----- current Selection criteria: ------------------- Begin date : 10-Jan-1997 End date : 20-Jan-1997 Alert names: INVALID_LOGIN Priorities : ALL User names : ALLEN,DAN,JEANNIE Locations : ALL Sort order: ----------- 1) Incident date 2) User name 3) Incident time 4) Alert priority 5) Alert name 6) Location 23-Jan-1997 INTOUCH INSA - Network Security Agent Page 1 Detail Incident Report Date User Time P Alert Name Location Count ----------- --------------- -------- - ------------------- --------------- ----- 15-Jan-1997 DAN 10:54:18 5 INVALID_LOGIN TTITEST.COM ===== 1 17-Jan-1997 DAN 14:39:38 5 INVALID_LOGIN TTITEST.COM ===== 1 18-Jan-1997 DAN 23:38:23 5 INVALID_LOGIN TTITEST.COM ===== 1 20-Jan-1997 DAN 00:34:11 5 INVALID_LOGIN TTITEST.COM DAN 00:39:04 5 INVALID_LOGIN TTITEST.COM DAN 00:41:32 5 INVALID_LOGIN TTITEST.COM DAN 00:46:33 5 INVALID_LOGIN TTITEST.COM ===== 4 ===== ===== 7

C.1.3 Session Text Incident Report

The following is an example of a Session Text Incident Report. This report includes text from sessions where incidents were reported. Each text session starts on a new page and the actual incident is flagged with "-->" characters.

23-Jan-1997 INTOUCH INSA - Network Security Agent 03:42:02 PM File: ----- current Selection criteria: ------------------- Begin date : 18-Jan-1997 End date : 18-Jan-1997 Alert names: INVALID_LOGIN Priorities : ALL User names : ALLEN,DAN,JEANNIE Locations : ALL Sort order: ----------- 1) Incident date 2) User name 3) Incident time 4) Alert priority 5) Alert name 6) Location 23-Jan-1997 INTOUCH INSA - Network Security Agent 03:42:02 PM ***************** Session Incident on January 18, 1997 23:38:23 **************** Alert type : INVALID_LOGIN Description: Invalid login attempt Location : IP 204.182.52.233 --> IP 204.214.151.3 Username : Probably DAN ******************************************************************************** . . . Username: DAN Password: -->User authorization failure Username: DAN Password: Last interactive login on Thursday, 18-JAN-1997 23:23 Last non-interactive login on Thursday, 18-JAN-1997 21:13 {bel}{bel}{bel} 1 failure since last successful login . . . ********************************************************************************

C.2 Alert Report

The Alert Report provides information on alert names. The following is an example of an Alert Report.

23-Jan-1997 INTOUCH INSA - Network Security Agent 04:04:58 PM Alert Report Selection criteria: ------------------- Begin date : Earliest End date : Latest Alert names : INVALID_LOGIN,MGMT,PAYROLL,PRIV,URGENT Priorities : ALL Minimum incidents: 0 Sort order: ----------- 1) Alert name 2) Last incident date 3) Last incident time 4) Alert priority 5) Incidents 16-Dec-1995 INTOUCH INSA - Network Security Agent Page 1 Alert Report Alert name Alert description ---------------------------- --------------------------------------------------- INVALID_LOGIN Invalid login attempt Priority : 5 Action : email Incidents: 318 Last incident: 23-Jan-1997 15:53:56 MGMT System management function (authorize, sysgen, ...) Priority : 2 Action : email Incidents: 568 Last incident: 23-Jan-1997 10:19:10 PAYROLL Audit corp salary maintenance Priority : 2 Action : Incidents: 39 Last incident: 23-Jan-1997 11:52:12 PRIV Privilege setting Priority : 1 Action : Incidents: 166 Last incident: 23-Jan-1997 15:49:38 URGENT Urgent action to monitor in realtime Priority : 9 Action : email Incidents: 194 Last incident: 23-Jan-1997 11:17:50

C.3 Recordings Reports

The Recordings Reports provides information on incident recordings. There are several report type options. The options are:

	Summary Report	Shows the count of incidents and percent of total, within your selection criteria, for the first sort field specified.
	Detail Report	Prints one line per incident. The detail report level breaks on the first sort field specified. The report shows incident date and time, user name, alert priority code, alert name, location and count.

C.3.1 Summary Recordings Report

The following is an example of a Summary Recordings Report.

23-Feb-1997 INTOUCH INSA - Network Security Agent 04:24:07 PM Summary Recordings Report File: ----- current Selection criteria: ------------------- Begin date: Earliest End date : Latest User names: ALL Locations : ALL Sort order: ----------- 1) Recording start date 2) Recording start time 3) User name 4) Alert name 5) Location 23-Feb-1997 INTOUCH INSA - Network Security Agent Page 1 Summary Recordings Report Date Count Percent ----------- ----------- ------- 06-Jan-1997 2 50.00 02-Feb-1997 1 25.00 15-Feb-1997 1 25.00 =========== ======= =========== ======= 4 100.00

C.3.2 Detail Recordings Report

The following is an example of a Detail Recordings Report.

23-Feb-1997 INTOUCH INSA - Network Security Agent 04:26:25 PM Detail Recordings Report File: ----- current Selection criteria: ------------------- Begin date: Earliest End date : Latest User names: ALL Locations : ALL Sort order: ----------- 1) Recording start date 2) Recording start time 3) User name 4) Alert name 5) Location 23-Feb-1997 INTOUCH INSA - Network Security Agent Page 1 Detail Recordings Report Date Time User Alert Location Size Count ----------- -------- ------------- -------------- ----------------- ------ ----- 06-Jan-1997 08:07:26 ALLEN URGENT LAT 1.240:1 151 KB 10:03:19 JEANNIE URGENT LAT 1.117:1 4 KB ===== 2 02-Feb-1997 11:23:47 ALLEN PRIV LAT 1.16:1 10 KB ===== 1 15-Feb-1997 14:43:43 ALLEN URGENT LAT 1.8:1 21 KB ===== 1 ===== ===== 4