Reviewing security alert logs

Monitoring the security alert log helps you manage the volume of system and event data. If a serious event occurs, you can find the relevant information, resolve the problem quickly, and immediately block the intruder with single-click blocking.

About this task

Navigating in the IPS Local Management Interface: Review Analysis and Diagnostics > Logs > Security Alerts

Note: If you use SiteProtector™ to manage the appliance, view security alerts (event alerts) through the SiteProtector console. See "Monitoring and Analyzing Events" in the SiteProtector Help for information about viewing, filtering, and searching security alerts in SiteProtector.

Tips
  • Block intruders directly from this page by using the single-click blocking feature on any option. The appliance writes a rule to the security policy, which you can view on the Quarantine Rules page.
  • Filter events by using the single-click blocking feature on any option.
  • Expand the event entry by using the Details column to see the alert specifics.
  • Click Event Name (Issue ID) and select X-Force Description for an explanation written by the IBM® X-Force team of threat researchers.
  • Click the Source or Target IP to run a Host name Lookup for the event.
  • Use Clear Alerts to delete the security alert log files. The option is in the upper right corner, under the appliance model.
Table 1. Risk levels

Level    Description
High     Security issues that allow immediate remote or local access, or immediate execution of code or commands, with unauthorized privileges.
         Examples: Most buffer overflows, back doors, default or no password, and bypassing security on firewalls or other network components.
Medium   Security issues that have the potential of granting access or allowing code execution with complex or lengthy exploit procedures, or low-risk issues applied to major Internet components.
         Examples: Cross-site scripting, man-in-the-middle attacks, SQL injection, denial of service of major applications, and denial of service resulting in system information disclosure (such as core files).
Low      Security issues that deny service or provide non-system information that could be used to formulate structured attacks on a target, but not directly gain unauthorized access.
         Examples: Brute force attacks, non-system information disclosure (such as configurations and paths), and denial of service attacks.
Procedure
  1. Expand the Alerts Filter area to display the Filter criteria settings and the Manage views area.
  2. Click Filter time range to limit the search to a specific time period.
  3. In the Search text field, select an option to filter the event list and type the keyword text strings. Options include the event name (for example, Smurf_Attack or SQL_SSRP_Slammer_Worm) and the event type (for example, OpenSignatures, SNORT, or Audit).
    Notes:

    For system and firewall logs, the appliance searches files using approximate string matching; keep this in mind when you type text in the Search text field. For security alerts, the appliance uses approximate string matching only for the Event Name option. You must use exact matches for all other Search text options.

    You can search for more than one keyword by clicking the Plus icon or you can delete keyword searches by clicking the Minus icon.

  4. To save a search, click Save Filter.
  5. In the Manage views area, type a name for the search in the Filter tag field and click Save. You can later Load or Delete saved searches.
  6. Use Oldest, Older, Newer, and Newest to navigate through lists of log files.
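As an added illustration (not the appliance's own code or search implementation), the following Python models the search rules described in the notes above: every keyword added with the Plus icon must match, approximate matching applies only to Event Name, every other option must match exactly, and the time range narrows the list first. The alert records, field names and the difflib-based approximate matcher are assumptions made for this example.

```python
import difflib
from dataclasses import dataclass
from datetime import datetime


@dataclass
class Alert:
    """One security alert record (field names are assumptions, not the appliance schema)."""
    time: datetime
    event_name: str
    event_type: str
    risk: str
    source_ip: str
    target_ip: str


# Constructed sample alerts for this example; not real appliance output.
ALERTS = [
    Alert(datetime(2024, 1, 10, 9, 0), "Smurf_Attack", "OpenSignatures", "Low", "10.0.0.5", "192.0.2.10"),
    Alert(datetime(2024, 1, 10, 9, 5), "SQL_SSRP_Slammer_Worm", "SNORT", "High", "10.0.0.7", "192.0.2.20"),
    Alert(datetime(2024, 1, 11, 12, 0), "Smurf_Attack", "Audit", "Low", "10.0.0.9", "192.0.2.10"),
]


def approx_match(needle: str, value: str, cutoff: float = 0.6) -> bool:
    """Approximate match, assumed here to be a case-insensitive substring test or a
    difflib similarity ratio at or above cutoff, so a small typo in the keyword still hits."""
    n, v = needle.lower(), value.lower()
    return n in v or difflib.SequenceMatcher(None, n, v).ratio() >= cutoff


def filter_alerts(alerts, criteria, start=None, end=None):
    """criteria is a list of (field, text) keywords; all must match (AND, as when
    keywords are added with the Plus icon). Only event_name is matched approximately;
    every other field must match exactly. start/end bound the alert time."""
    matched = []
    for alert in alerts:
        if (start is not None and alert.time < start) or (end is not None and alert.time > end):
            continue
        for field, text in criteria:
            value = getattr(alert, field)
            hit = approx_match(text, value) if field == "event_name" else value == text
            if not hit:
                break
        else:  # no keyword failed
            matched.append(alert)
    return matched


def risk_summary(alerts):
    """Count alerts per risk level (High/Medium/Low as in Table 1) to decide what to triage first."""
    counts = {"High": 0, "Medium": 0, "Low": 0}
    for alert in alerts:
        counts[alert.risk] = counts.get(alert.risk, 0) + 1
    return counts
```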