Risk Manager User's Guide - ibmpublib.boulder.ibm.com/tividd/td/trm/gc32-0703-01/...
Tivoli Risk Manager User's Guide (October 2001)
Copyright © 2000, 2001 IBM Corporation. All rights reserved.
Trademarks
AIX, DB2, FirstSecure, IBM, OS/2, RS/6000, SecureWay, Tivoli, Tivoli Management Environment, TME 10 Enterprise Console, TME Framework, and TME 10 are trademarks of IBM Corporation.
Microsoft, Internet Explorer, Windows, Windows NT, and the Windows logo are trademarks of Microsoft Corporation in the United States and other countries.
UNIX is a registered trademark of The Open Group in the United States and other countries.
Java and all Java-based trademarks and logos are trademarks of Sun Microsystems, Inc. in the United States and other countries.
Other company, product, and service names may be trademarks or service marks of others.
iiiRisk Manager ��� ���
��
� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xvii
�� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xix� �� ��� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xix
�� ��� � . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xix
�� �� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xix
Risk Manager �� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xx
� �� �� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xx
� �. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xx
� �� �� �� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxi
�� �� �� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxi
Risk Manager � �� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxii
�� ��� �� � ��. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxii
�1� � ��� � �� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1� �� �� �� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
� � �� �� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2
����� �� �� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2
Tivoli Management Framework � Tivoli Enterprise Console . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
� � � ��. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
�� �� � �� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
�� ��� � �� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
� �� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
TEC ���. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
��� � �� �� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
��� �� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
�2� Tivoli Risk Manager �� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7Risk Manager �� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
Risk Manager� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
Risk Manager� � �� �� ���� �� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
�� ��. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
Risk Manager� �� ��� ���� �� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
Risk Manager ��� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
�� Tivoli �� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
Risk Manager � Tivoli Enterprise Console. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
vRisk Manager ��� ���
��� ����� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
TEC ��� � . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
TEC ��. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
BAROC �� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
��� �� �� ��. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
�� ��. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
�3� Tivoli Enterprise Console�� �� �� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21Risk Manager Web Intrusion Detection System(IDS) ���� . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
TEC ��� ��. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
��� ��. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
Risk Manager �� ��� �� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
����� ��� �� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
TEC ��� �� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
Risk Manager � � �� �� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
�4� Risk Manager �� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31� ��. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
�� ��� � �� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
� �� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32
Risk Manager ��� �� �� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32
Risk Manager Event Integration Facility ��� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
Risk Manager � ��� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34
� �� �� ��� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34
Risk Manager Native � ��� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34
� � � �� �� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
Tivoli ��� ��� Risk Manager ��� � . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36
Risk Manager �� � ��� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36
Native �� ��� Risk Manager ��� � . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
AIX ���� �� � . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
Linux ���� �� � . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39
Solaris ���� �� � . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40
Windows ���� �� � . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41
��� � � . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42
��� � � . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43
Risk Manager � TME �� �� �� �� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44
ACF� ��� Risk Manager �� � � �� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46
ACF� � ��� �� � �� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46
vi �� 3 ��� 8
ACF ���� ��� �� � . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47
��� �� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48
��� �� � . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48
� � ��� � Risk Manager � . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49
� � ��� � ����� �� �. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49
� � ��� ��� �� TEC �� � . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50
Risk Manager ��� �� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51
�� ���� �� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51
Native ��� ��� �� ���. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51
�5� Risk Manager �� �� �� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53��. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53
Risk Manager �� �� ��� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55
Risk Manager �� �� � . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55
� � � . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55
Risk Manager � ���� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56
���� �� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56
Risk Manager � �� �� � . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57
�� �. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58
Risk Manager � �� �� ���� �� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59
�� ��� ���� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60
���� ��� �� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60
Trusted Host �� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61
�� ��� ��. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61
�� ��� ��� �� ��� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62
�� ��� ��� �� �� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62
���� ��� �� � �. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62
���� �� � � . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64
�� �� �� �� � . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64
� �� ��� �� �� � . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65
�� �� ���� �� �� � . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65
��� ���� �� ��� � . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66
���� ��� �� ��� � . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66
��� � . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67
�� ��� �� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67
�� ��� �� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68
�� ��� ��� �� � . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68
�� ��� � � �� ��� �� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68
��(Storm) ��� ��� �� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69
viiRisk Manager ��� ���
��� �� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70
�� ��� �� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71
� �� � �� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72
���� �� �� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73
��� �� ��� �� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75
�� ��� ���� � �� �� ���� �� � . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75
�� ��� �. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76
��� � �� � . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78
Risk Manager � �� �� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79
�6� Risk Manager Event Integration Facility. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81Risk Manager Event Integration Facility �� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81
Risk Manager Event Integration Facility Tivoli Event Integration Facility ��. . . . . . . . . 82
Risk Manager Observer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83
The Event Integration Facility �� �����. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83
Perl �� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83
�� �� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83
Risk Manager EIF � . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84
Risk Manager EIF � . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85
�� � ��� �� �� �� �� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86
Perl �� � . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86
TME � � TME ��� �� Risk Manager EIF � . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86
rmeif_cfg �� � . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87
Risk Manager EIF � �� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 88
Risk Manager EIF � �� �� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 88
rmad.conf � �� ��� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 88
��� ���. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93
��� ���. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 94
rmad_summary.rules �� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 94
�� �� �� � . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 95
� �� �. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 96
Checkrules ���� �� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97
�� Risk Manager EIF �� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 98
�7� Risk Manager TEC ��� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 99TEC ��� �� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 99
UNIX ���� TEC ��� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 99
Windows ���� TEC ��� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 100
���� ������ �� TEC ��� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 102
viii �� 3 ��� 8
Risk Manager ��� ��� �� TEC ��� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 102
Risk Manager ��� ���� �� TEC ��� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 103
Check Point FireWall-1� �� TEC ��� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 103
Cisco Secure PIX Firewall� TEC ��� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 103
Cisco Secure IDS� TEC ��� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 104
�8� �� �� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 105Web Intrusion Detection System �� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 105
���� � � . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 107
Perl �� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 107
CLF ��� �� �� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 107
sig.nefarious �� �� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 108
Web IDS ���� TEC �� �� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 112
Web IDS � Risk Manager Event Integration Facility. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 112
�� �� � �� �� ��� �� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 112
Web IDS � . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 113
���� � � � Web IDS � . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 113
Risk Manager EIF �� ��� � ��� Web IDS � . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 114
TEC �� �� ��� � ��� Web IDS � . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 114
� � ��� �� �� � . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 115
Web IDS � ��� �� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 117
�� ��� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 118
Web IDS � �� �� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 119
Web IDS � . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 120
� �� ��� �� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 122
�� ��� �� �� �� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 122
� �� �� �� �� �� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 123
� ��� �� � � . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 123
��� ��� �� �� �� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 124
��� � �� �� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 125
trusted �� �� �� �� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 125
��� � ��� � . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 126
�9� Cisco Secure IDS� ��� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 129��. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 129
�� �� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 130
TEC �� �� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 131
Cisco Secure IDS� �� � � � . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 131
Risk Manager EIF �� ��� � ��� Cisco Secure IDS� �� � . . . . . . . . . . . 131
ixRisk Manager ��� ���
Cisco Secure IDS DataFeed ��� �� ��� � ��� Cisco Secure IDS� ��� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 132
��� ���. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 132
Cisco Secure IDS �� � . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 132
Cisco Secure IDS� �� �� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 133
TEC ��� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 133
Cisco Secure IDS �� � . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 133
Cisco Secure IDS �� �� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 133
Cisco Secure IDS DataFeed � . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 134
Cisco Secure IDS �� � �� �� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 134
Unix � Linux ��� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 134
Windows ��� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 134
�10� ISS RealSecure� ��� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 135��. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 135
�� �� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 136
SNMP �� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 137
TEC �� �� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 137
ISS RealSecure� �� � � � . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 137
ISS RealSecure� �� � . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 137
Policy � � ��. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 138
��� � ���. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 138
TEC SNMP �� � . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 138
UNIX� � Tivoli SNMP �� � . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 139
ISS RealSecure� �� �� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 140
SNMP �� � . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 140
SNMP �� �� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 140
�11� Cisco ���� ���. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 143Cisco ��� �� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 143
TEC �� �� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 144
Cisco ���� �� � . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 145
� �� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 145
� � . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 145
Cisco ���� �� � . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 146
TEC SNMP �� � . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 146
Cisco ��� � . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 147
UNIX� � Tivoli SNMP �� � . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 147
Cisco ��� �� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 148
x �� 3 ��� 8
SNMP �� � . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 148
SNMP �� �� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 148
SNMP �� �� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 149
��� � � . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 149
UNIX ��� �� �� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 149
Cisco ��� �� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 149
Cisco ��� �� �� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 149
�� �� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 150
� SNMP �� �� �� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 150
�12� Cisco Secure PIX Firewall� ��� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 151Cisco Secure PIX Firewall �� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 151
�� �� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 152
TEC �� �� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 152
��� �� ���. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 153
TEC �� � �� �� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 153
Cisco Secure PIX Firewall� �� � � � . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 154
Cisco Secure PIX Firewall� ��� ��� �� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 155
Cisco Secure PIX Firewall� �� � . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 155
Cisco Secure PIX Firewall� ��� �� � ��� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 156
Cisco Secure PIX Firewall � . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 156
TEC ��� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 157
Cisco Secure PIX Firewall TEC ���� ���� �� . . . . . . . . . . . . . . . . . . . . . . . . . . . 157
� �� � ��� �� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 157
�� ��� � �� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 157
�� � �� � . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 159
�� �� � �� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 160
Cisco Secure PIX Firewall �� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 161
�13� Check Point FireWall-1� ��� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 165
Check Point FireWall-1� �� �� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 165
�� �� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 166
Check Point FireWall-1� �� � � � . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 167
Check Point FireWall-1 � . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 167
Risk Manager EIF �� ��� � ��� Check Point FireWall-1� �� � . . . . . . . 167
� �� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 168
OPSEC � � Check Point FireWall-1 � . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 169
OPSEC ������ Check Point �� � . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 170
SAM � � . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 171
xiRisk Manager ��� ���
OPSEC � � Check Point �� ��. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 171
���� Check Point FireWall-1 �� ����� Policy � . . . . . . . . . . . . . . . . . . . . . . . . 172
Check Point FireWall-1 �� �� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 173
TEC ��� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 173
TEC ���� ���� �� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 173
Windows NT�� � . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 174
Solaris�� �. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 174
Linux�� � . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 174
IP �� �� �� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 174
�� � ��� �� �� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 175
Windows NT�� �� �� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 176
Solaris�� �� �� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 177
Linux�� �� �� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 177
� ��. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 177
Check Point FireWall-1 �� � . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 177
Check Point FireWall-1 �� �� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 178
�� ��. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 178
Check Point FireWall-1 �� �� � � . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 178
�� �� �� �� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 178
��� �� �� �� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 178
��� � � . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 179
�14� ��� �� ��� ��� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 181
Host IDS� �� Risk Manager �� �� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 181
TEC �� �� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 181
Host IDS� �� � � � . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 182
� � . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 182
� � . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 182
Host IDS � . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 183
TEC ��� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 184
�15� McAfee Alert Manager� ��� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 185
McAfee Alert Manager� �� �� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 185
�� �� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 185
�� �� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 187
McAfee Alert Manager � McAfee NetShield �� ��. . . . . . . . . . . . . . . . . . . . . . . . . . 188
TEC �� �� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 188
McAfee Alert Manager� �� � � � . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 189
� � . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 189
xii �� 3 ��� 8
Windows 2000�� McAfee Alert Manager� �� � ���� . . . . . . . . . . . . . . . . . . . . 189
�16� Norton AntiVirus� ��� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 191
Norton AntiVirus� �� �� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 191
�� �� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 191
�� �� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 192
Norton AntiVirus ��� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 193
TEC �� �� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 193
Norton AntiVirus� Risk Manager �� � � � . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 193
� � . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 193
Tivoli ����� � � � . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 194
� Tivoli �� � � � . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 194
Windows 2000�� Norton AntiVirus� �� � ���� . . . . . . . . . . . . . . . . . . . . . . . . . 194
�17� Network IDS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 197
Network IDS �� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 197
Network IDS TEC �� �� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 198
Network IDS �� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 198
���� �� �� ��� � � � . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 200
���� �� �� �� � ��� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 200
� �� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 200
Network IDS � . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 200
� �. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 201
Risk Manager TEC ��� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 201
Network IDS TEC ���. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 201
Network IDS �� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 201
nids � ���� ���� Network IDS � . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 201
�� � �. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 202
�� �� �� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 202
Network IDS �� � �� �� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 202
��� ���. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 203
IP �� �� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 203
��� � �� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 203
nids � . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 203
Network IDS �� ��. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 205
�� �� �� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 206
�� � �� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 206
�18� Tivoli Decision Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 207
Tivoli Decision Support for Enterprise Risk Management �� . . . . . . . . . . . . . . . . . . . . . . . . . . 207
Tivoli Decision Support for Enterprise Risk Management �� . . . . . . . . . . . . . . . . . . . . . . . . . . 208
Tivoli Decision Support � . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 209
Tivoli Decision Support for Enterprise Risk Management � . . . . . . . . . . . . . . . . . . . . . . . . . . 209
Risk Manager TEC ������� ���� , �� � ��� � . . . . . . . . . . . . . . . . . . . . 209
Tivoli Decision Support for Enterprise Risk Management� ��� �� . . . . . . . . . . . . . . . . . . . 211
��A. Risk Manager ��� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 213
Risk Manager �� �� �� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 213
Network Intrusion Detection System �� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 222
� �� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 236
Check Point FireWall-1 �� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 238
Check Point FireWall-1 ��� �� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 240
Cisco Secure IDS �� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 242
Risk Manager � �� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 245
� � �� �� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 250
Risk Manager Event Integration Facility �� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 250
Risk Manager EIF Observer �� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 258
Web IDS �� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 259
��B. ������ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 267
�� � 3.8 �� �� �� ����� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 267
Risk Manager � 3.7 ���� � ������ ������ . . . . . . . . . . . . . . . . . . . . . 268
Risk Manager � ������ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 270
��C. Cisco Secure IDS �� �� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 271
��D. ISS RealSecure �� �� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 279
���� �� �� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 279
��� �� �� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 281
��E. McAfee Alert Manager � McAfee NetShield ��� . . . . . . . . . . . 285
��F. Network IDS �� �� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 291
Network IDS �� �� �� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 291
��. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 292
��� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 292
� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 292
��� �� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 292
LOKI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 292
�� �. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 293
�� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 293
�� � �� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 293
� �� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 293
��. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 300
��� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 301
� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 302
��� �� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 304
� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 304
LOKI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 305
Port. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 305
�� �. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 305
��. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 311
��. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 319
�
1. Risk Manager � �� �� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
2. Risk Manager Web IDS� � ���� � � . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2
3. Risk Manager �� �� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
4. � � � �� �� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
5. AIX� �� Risk Manager ��� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
6. Linux� �� Risk Manager ��� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39
7. Solaris� �� Risk Manager ��� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40
8. Windows ���� Risk Manager ��� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41
9. Risk Manager ��� ����� �� native � . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51
10. Risk Manager � �� ��� � �� �� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54
11. �� �� � � . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64
12. Risk Manager� � �� �� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72
13. ��� � �� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77
14. �� �� � �� �� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77
15. ��� � �� ��� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 95
16. �� ��� ��� ��� ��� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 96
17. Web IDS� � ���� � � . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 107
18. Check Point FireWall-1� � ���� �� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 172
19. �� �� . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 291
��
� ���� Tivoli® Risk Manager(� Risk Manager�� ��)� �, � � ���� �
� ���. �� � ��� � Risk Manager ���� �� ��� �����.
� �� ������� Tivoli Management Framework � Tivoli Enterprise Console� �� �� ��
� �� �� ���. ���� ��� �� ���� ��� �� ���.
¶ ��� �� �� ������ � � ��
¶ Risk Manager� Tivoli ��� ���� �� ���� ��� �� �� �
¶ Tivoli Adapter Configuration Facility(ACF) � �� � ����(ACP) ��
Risk Manager� ���� � policy(��, �� �� ���(IDS))� ��� �� ��
���. ���� ���� �� �� �� �� TCP/IP(Transmission Control Protocol/Internet Protocol), ���� ���� �� � ��� ����� �� ��� �
� �� ���.
�� ���� �Tivoli Enterprise Console(TEC) ���� �� ���� � ���.
¶ Tivoli Framework �� � � ��, Tivoli Framework ��� ��, Tivoli Framework��
��� ��� ���, �� ��, ���, policy region, ����, ��, ���, ���
�, �� ����(CLI) �� � ��� ��� �����.
¶ Tivoli Enterprise Console ��� ��
� ���� Enterprise Console ��� � ��� ��� �����.
�� ���� ��� �� ��� �� �� ��� ����.
¶ Tivoli Enterprise Console �� ��
� ���� � ��� ���� ��� � ��� ��� �����.
¶ Tivoli Event Integration Facility User’s Guide
� ���� Event Integration Facility(EIF)� ���� ��� ��� ��� ��� �
��� ��� � �����. �� ��� ��� ���� �� � ���� �� �
� �� �� ����.
¶ Tivoli Enterprise Console ��
� ���� �� �� � ��� ��� �����.
¶ Tivoli Enterprise Console �� ��
� ���� �� �� ��� Tivoli Enterprise Console ��� � ��� �
����.
Risk Manager ��
Risk Manager�� �� ��� ���� ����.
¶ Tivoli Risk Manager ��� �� �� Risk Manager� �� �����. � ��� �
� CD� �� �� ��� ��� � ����.
\RM38relnotes.pdf
¶ Tivoli Risk Manager ��� �� � 3.8� �� CD�� PostScript Document Format(.pdf) �� ��� �����. � ��� �� �� �� ����.
\books\rm38user.pdf
¶ Tivoli Risk Manager ��� �� � 3.8�� Risk Manager Event Integration Facility��, API � �� ���� ��, ��� Risk Manager �� �� � ��� �
� ��� ���� ����. � ��� �� �� �� ����.
\books\rm38devgd.pdf
¶ Tivoli Decision Support for Enterprise Risk Management Release Notes� �� ��
�� ����.
\books\tdserm11.pdf
� �� ���� � � ��� ���� ��� Tivoli Risk Manager ��� ��� �����.
�� ��
¶ 1 ��� �� ���� � ���� � ������ ���� � ���. ��, �
�� �� ��� �� � ��� � �� �����.
¶ 7 ��� �Tivoli Risk Manager ���� Risk Manager ��� �����.
¶ 31 ��� �Risk Manager ��� Risk Manager ���� ��� ��� � �
����.
¶ 53 ��� �Risk Manager � �� ���� �� ��, ����, �� ���� ��
�� Risk Manager TEC �� ��� �����.
¶ 81 ��� �Risk Manager Event Integration Facility�� ��� Risk Manager �� �
�� ���� ���� � Risk Manager� ���� ��� Risk Manager Event Integration Facility� ���.
¶ 99 ��� �Risk Manager TEC ����� Risk Manager� ���� TEC ���� �
����.
¶ 105 ��� �� �� ���� Risk Manager� ���� ��� Web Intrusion Detection System(Web IDS)� � ���.
¶ 129 ��� �Cisco Secure IDS� ���� Cisco Secure IDS(���� NetRanger)���� �����.
¶ 135 ��� �ISS RealSecure� ���� ISS RealSecure� ��� �����.
¶ 143 ��� �Cisco ���� ���� Cisco ���� ��� ���.
¶ 151 ��� �Cisco Secure PIX Firewall� ���� Cisco Secure PIX Firewall� �
�� �����.
¶ 165 ��� �Check Point FireWall-1� ���� Check Point FireWall-1� ���
�����.
¶ 181 ��� ���� �� ��� ���� Host Intrusion Detection System(IDS)� �
�� ���.
¶ 185 ��� �McAfee Alert Manager� ���� McAfee Alert Manager� ���
���.
¶ 191 ��� �Norton AntiVirus� ���� Norton AntiVirus� ��� ���.
¶ 197 ��� �Network IDS�� Network Intrusion Detection (Network IDS) ��
���.
¶ 207 ��� �Tivoli Decision Support�� Tivoli Decision Support for Enterprise Risk Management� �����.
� ���� �� �� � � �� �� ��� �� ���� ����.
� �� ��� ��� ��� Windows® ���� Windows NT™ �� Windows 2000™ � ��� ����
��� ������. UNIX ���� AIX™, Linux™ �� Solaris™ � �� �� UNIX™
� ��� ���� ��� ������.
� �� �� �� �� �� �� ��� �� �����. ��� �� ����.
�� �
�� �� �� �� ��� �� �� �� ��� �� ����.
������ � � �, ���� � ��, � � �� ����� ��
��.
������ � ��, ��, �� �� ������ ��� ����.
�� �� ������ � Tivoli �� �� �� �� Tivoli ��� � �� ��� �� �� ��
�� ������.
¶ ����: [email protected]
¶ �� ��.�. �� ����: 080-023-8080, 02-3781-7114
¶ � ���: http://www.support.tivoli.com
Tivoli �� ��� ���� ��� �� ��� � �� ��� � ��� ��� ���
�� ����.
Risk Manager � ��
Tivoli � IBM Tivoli ��� Tivoli � �� Risk Manager� �� ��� ��� �
� ����.
�� �� ����� �� �� � Risk Manager� �� ��� ��� � � ����
http://www.tivoli.com/support/secure_download_bridge.html ������.
Tivoli Risk Manager ��� �� ��� �� � ���� ������.
http://www.tivoli.com/products/index/risk_mgr/
�� Tivoli security management ��� �� ��� �� � ���� ������.
http://www.tivoli.com/products/solutions/security/
�� ��� �� � ��� ��� �� �� ���� �� �� � ���� �� ��� ��� � ��� ��
� ��� �� �����.
� ���� � ��
� ���� �� ��� ��� Risk Manager 3.8 ���� � ���.
�� �� �� ��1� � ����� Risk Manager ���� ���� � �����.
1. Risk Manager � �� ��
AIX 4.3.3 | Solaris 2.7 | Solaris 2.8 | Linux | Windows NT 4.0 | Windows 2000
Risk Manager �: X X X X
Tivoli Decision Support: X
Check Point FireWall-1: X X X RedHat 6.2/7.0 X
Cisco Secure IDS ��: X X Linux Kernel 2.2.16 X X
Norton AntiVirus: X X
McAfee Alert Manager: X X
Host IDS: X X X RedHat 6.2/7.0 X X
Network IDS: X X X RedHat 6.2/7.0
Web IDS: X X X RedHat 6.2/7.0 X X
Cisco Secure PIX Firewall ��: X X X X
Cisco ���: X X X X
1. Risk Manager � �� �� (� )
AIX 4.3.3 | Solaris 2.7 | Solaris 2.8 | Linux | Windows NT 4.0 | Windows 2000
ISS RealSecure: X X X X
ISS RealSecure � Cisco ��� ��� TEC SNMP ��: X X X X
Risk Manager Event Integration Facility: X X X RedHat 6.2/7.0 X X
� �� �� ��2� Risk Manager Web IDS� � ���� � � ���.
2. Risk Manager Web IDS� � ���� � �
�� AIX 4.3.3 Solaris 2.7 Solaris 2.8 Windows NT 4.0
Apache 1.3.17 X X
Apache 1.3.9 X X
Domino 5.0.6 X X
I-Planet 4.1 X X X X
Microsoft IIS 4.0 X
IBM HTTPD 1.3.12.2 X X
WebSeal 3.7 X X
������ �� ��
Risk Manager 3.8� �� ������ �����.
¶ Oracle Database � 8.1.x
¶ IBM DB2 � 6.1 � 7.1
¶ Sybase Adaptive Server Enterprise (ASE) � 11.5, 11.9x � 12.0
Tivoli Management Framework � Tivoli Enterprise Console
Risk Manager 3.8 ���� �� ��� � �������.
¶ Tivoli Management Framework V3.7, V3.7.1
¶ Tivoli Enterprise Console V3.7.1
� � �� ��
Risk Manager 3.8� Risk Manager �� ���� �� � � ��� �����. Risk Manager ��� �� ��� ��� Risk Manager ���� �� �� ��� � � ��
��. ��� Tivoli Enterprise Console(TEC)�� �� �����.
��� ��� �� ��� � �� � ���� ���� Risk Manager ��� ��� �� � ����.
¶ AIX� installp
¶ Solaris� pkgadd
¶ Linux� rpm
¶ Windows ���� InstallShield
�� unzip �� untar�� ���� ��� ��� ���. SIS(Software Installation Services)� ��� ��� ���� ����.
�� ���� ��� ���
McAfee Alert Manager ���
Risk Manager�� McAfee Alert Manager � 4.5� ��� ����. ��� �
��� ��� 185 ��� �McAfee Alert Manager� ���� �����. �
� McAfee Alert Manager ���� TEC Windows ��� �� ���� ���
��.
Internet Security Systems RealSecure (ISS RealSecure) ���
ISS RealSecure 6.0� ISS RealSecure 6.0 Network Engine � System Agent�� �
�� � SNMP(Simple Network Management Protocol) �� ���� ��
�� �����.
Check Point FireWall-1
Check Point FireWall-1� OPSEC(Operations Security) ������ �������. Linux ���� �����.
Cisco Secure IDS ���
Cisco Secure IDS ��� Cisco� SDK(Software Development Kit)� ���� �
� NetRanger ��� �� ����. � �� Cisco IDS ��� ��� ��
���.
Host IDS
Windows 2000 ���� ��� ��� � �� � ��� �� Risk Manager Host IDS� � �����.
Host Intrusion Detection System(Host IDS)� RedHat Linux 6.2 � 7.0�� ���
��.
Web IDS
Web IDS� RedHat Linux � Windows 2000�� �����.
��� ��� � �� �� ��� ��� � ��� ���� � � ���
�� � ����(�� ��, ��� ��). Web IDS� ��� �� � �� ���
��� �� �� �� �� �� �����.
Norton AntiVirus � 7.0 � 7.5� �����.
�� ��
Web IDS, Risk Manager Event Integration Facility, Risk Manager Perl, Host IDS � Network IDS� � Linux ��� �������.
TEC ����� TEC ���� �����.
���� �� ���
TDS(Tivoli Decision Support)� ���� ��� ���� �� Risk Manager ��
���� ����� � ����.
��� ��� ����
��� ���� �� ��� Risk Manager �� ��� ��� ����� ���
�� � ����.
�� TEC ���� �� � �� ����� ����.
�� � �� ������ � ��� � �� ��� �������.
¶ Risk Manager Event Integration Facility Observer� � ���� �� �� �� ��
�� ���, � �� �� ��� � ���� �� ��� ��� � ��� ���. �
������
v Risk Manager ���� TEC � � ���� ���� ����. �� ���� �
��� ��� �� �� �� �� �� ���� �� � ����.
v ���� � �� ���� ��� ���� TEC � � � �� ���� ��
���� ���� ����.
v Tivoli Management Enterprise(TME) � � TME ������ �� �����.
¶ Native � ��� �� ����� �� � �� ���.
¶ � ���� �� � �� �� ���� 1� TEC � � �� �� ������ TDS���� ������ �� �� ���� �� � ����.
¶ Tivoli Management Framework 3.7.1� �� � ��� � � �� ��� SSL �
��� �� ������ �� �������.
��� ��
Network Intrusion Detection(Network IDS) ��
Network IDS ��� � ���� ������. ���� ��� �� � ����
� �����.
�� ���
� ���� Risk Manager ���� �� �� ��� ����. Risk Manager ��� ��� 213 ��� �Risk Manager ���� �����.
� ���� ���� ��� �������. � �� �� ���� � ��� ���
� � ���� ����.
Tivoli Risk Manager ��
�� ... ... ��- e-business� �� ��� �� �� ��� �� �� �� �
�� ���� ��� ������. � ��� �� ��� ���� �� e-business� �
�� ���� �� ���� ��� � � �� ���.
Tivoli Systems, Inc.(Tivoli)� ��� �� �� ���� ��� � �� � �� � �
�� �� ��� ���� ������. Tivoli � ��� e-business� �� � �
����� �����. ��� ������ �� ��� IT ��� � �� � ��
��� � ��� ����.
Tivoli��� ����, ���, ������, ����� e-business� ��� ��� ����
� ��� �� �� �� ��� �����. ������ �� ���� Tivoli ����
� Tivoli Ready �� ���� ����, ���, �����, ������ �� ��
��� ����. Tivoli Ready �� �� ��� Tivoli �� ������ �� ��
� ���� �� ��� ���� ������ ��� ����.
Risk Manager ���� ��� ��� �� � e-business ���� �� � �� �� � �� ��
� �� ���. �� �� ���� � � �� �� ��� ���� �� ���
� ��� �� policy� ���� �� � ��� ����� �����.
Risk Manager� �� �� �� ��� �� ������. Risk Manager� �� ��� �
� �� ������ �� �� ���������� �� �� ��� � �� ��
���. �� �� ���� ����� ��� �� �� �� ��� � �� ��� ��
���� ������. Risk Manager� �� �� �� ��� ��� � ��� �� �
� ��� �� ��� �����. ��� �� ��� �� ����� �� �� �� ��
������ �� ��� �� �� ������.
Risk Manager� ��
Risk Manager� ��� � ���� e-business� �����.
¶ ��, ��, ��� �� ���� ���� ��� � �� ���. �� �� ����
��� ��� �����. �� ��� �� ��� � �� �� �� ��� ��� �
�� ��� ���� �����. � �� �� ��� ��� Tivoli Enterprise Console� � �� �� ���� ���� �����.
¶ �� �� ��� ���� �� � � ���� �����.
¶ ������, ���, �����, ���� ����, � ��� � ����.
¶ �� � ���� ���� � �� �� �� �� � ����.
¶ � ���� �� ���� ����� � ��� ����� ��� � �� ���.
Risk Manager� �� �� ���� ���� ��
Risk Manager� ���� �� �� ��� � ��� �� �� � �� ��� �
� ���� ���� ����� �����. ��, ���� ��� ����� �� ���.�� �� ��� ��, �� �� � �� ��� � �� ���. �����, �� �
� ��� � ����.
Risk Manager� � �� ��� � �� ��� �����.
�� �� �� �. � ��� ��� � �� IP ��� �� ����.
�� �� ��� ��. ��� ���, � � , � �� �� �� ��� ��� � �
����. �� ��� ������ ���� ���� ����� � �� ����.
�� ��
������ �� �� �� � �� �
�� �� ��� ��. �� ���� ��� �� ��, � �� �� � � ����.
��� Risk Manager� �� � �� ��� ��� �����.
�� �������� � �� ��� ��� ��� � ����. Risk Manager� ��� �� ���
������ �����.
�� ��� ��� ���� �, �� ��� ���� � ��� � ����. ��1� �
�� ���� ��� ����� �� ��� �����. ���� ���� ��� ��� �
� ����.
�� ��� �� ���� ��� ���� ��� �� ����. �� � � ����� �
��� ��� �� �� ����� �� ����. 9 ��� ��2� �� ���� �
�� ����� �� ��� �����. 9 ��� ��2�� �� ��� ����� ��
�, ���� � ���� ��� � � ����.
�� 1. ��� ���� ��� ����� �� ��
�� ����, ��� ��� �� ��� �� ����� � �� ����. �� �� �
�� ������ ���� �� ��� ������ � � ����. ��3� ��� ��
�� �� ����� �� ��� �����. ��3�� �� ��� ����� ���, ��
�� � ���� ��� � � ����.
�����, ��� �� ���� �� ���� ��� � ����. ��4� �� ���� �
� ����� �� ��� �����. ��4��� � ��� ��� ����� ���� �
���� ��� � � ����.
Risk Manager� �� ��� ���� ��� �� �� ��� Risk Manager� �� ��� ���� �� �����. � �� 10��� ��5��� 999�� �� ��� ������. �� ��� �� ���� ����
�� �� ��� �� �� ����. �� � ��� �� �����.
�� 2. �� ���� ��� ����� �� ��
�� 3. ��� ���� �� ����� �� ��
�� 4. �� ���� �� ����� �� ��
1 �� ��
2 �� ��
3 �� ��. �� �� �����.
��� ���� � �����. ���� �� � ��� ��� ��� ��� �� �
�� ����� �������. � ����� �� ���� � �� �� � ����.��� �� ���� �� ���� 999� ��� � �����.
��� �� �� ��
9 ��� �Risk Manager� �� ��� ���� ���� 999��� �� ��� ���
�. Risk Manager �� �� � � ���� ����� 999�� �� ��� TEC� �� �
���, �� ����� ����. ���� � ���� ���� �� ���� � ���
��, �� ��� �� � ����.
�� ��� ���� � ���(1, 2, 3 � ��� ��)� �����.
��, Risk Manager� ���� ���� ��� ���� � � ����. ����, 999�
� ���� �� �����. Risk Manager� 999�� �� ���� ���� ��� ���
� ���� ����.
� ��� �� ��� ��� ��� ��� ���� ��� �� � ���� ��
�� ��� � ����.
Risk Manager ����
Risk Manager� �� ���� �����.
�� 5. �� ��
�� �� �� � �� �
Risk Manager� ��� �� � �� �� � ��� ��� Tivoli Enterprise Console�� e-business� � ��� �����. � ��� � �� �� �� �
� ��� �� ������ � �� �� ��� � ��� �� �� ���
�� �����.
��� ��� �� ��
Risk Manager� �� ����� �� ����, ��� ��� ��� ���� �
� ������ �� ��� �� ������. �� �� Risk Manager� �
��� �� ��� ���� Tivoli ����� �����.
Event Integration Facility (EIF) ��
Risk Manager� ��� ��� �� �� ��� Risk Manager Event Integration Facility(EIF)� �����. API(Application Programming Interface)� ���� ��
� Risk Manager �� ��� ��� � ����.
���� �� ��� ��� � Risk Manager �� �� �� �� ���� �
� ����� Risk Manager EIF� ��� � ����.
�� �� ��
Risk Manager� �� �� ��� � �����.
�� �� �� ��
Risk Manager�� � � �� �� �� � ���� Web Intrusion Detection System(Web IDS) ��� ����.
��� �� �� �� ��
� ���� � � ���� � � � ���� Host Intrusion Detection System(Host IDS)� Risk Manager ��� ��� � ����.
��� �� �� �� ��
Risk Manager Network Intrusion Detection System(Network IDS) ��� �
��� � �� �� �� � �����.
�� �� ���
Risk Manager� � ��� ��� ���� ��� �� ��� ���� �� �
��� �����.
Risk Manager� ��� �� ���� ���� ���� � �� �� ���
�����.
¶ ISS RealSecure� ��� ISS RealSecure �� ��� �� �� TEC �
��� ������.
¶ Cisco Secure IDS� ��� Cisco Secure Intrusion Detection System(���
� NetRanger) �� ��� �� �� TEC ���� ������.
¶ Cisco ���� ��� TEC SNMP ��� ���� Cisco ���� ���
� �� TEC ���� ������.
¶ Cisco Secure PIX Firewall� ��� Cisco Secure PIX Firewall� ��� �
�� TEC ���� ������.
¶ Check Point FireWall-1� ��� Check Point™ Firewall-1® ��� ��� �
�� TEC ���� ������.
¶ McAfee Alert Manager� ��� McAfee Alert Manager ��� ��� ��
� TEC ���� ������.
¶ Norton AntiVirus� ��� Norton AntiVirus ��� ��� ��� TEC ��
�� ������.
¶ Host IDS� ��� � ��� ���� ��� ���� TEC ���� ���
���.
Tivoli Decision Support for Enterprise Risk Management
Tivoli Decision Support(TDS) for Enterprise Risk Management� Tivoli Risk Manager�� ������. TDS� ���, ���� ������ � �� �� ���
�� ���� � ���� ��� �� �� ���� ��� � ���.
��6� Risk Manager ��� �� �� �� ��� �����.
�� 6. Risk Manager ��� ��
�� Tivoli ��
Risk Manager� Tivoli Management Enterprise Framework�� ����. Risk Manager� ����� �� Tivoli ��� �����. Risk Manager �� �� �� �� Tivoli��� �� ����.
¶ Tivoli Management Enterprise Framework(��� TME/10 Management Enterprise Framework), � 3.7.1
¶ Tivoli Enterprise Console, � 3.7.1
¶ Tivoli Management Agent, � 3.7 �� � 3.7.1
¶ Tivoli Adapter Configuration Facility(ACF), � 3.7.1(��)
¶ Tivoli Decision Support, � 2.1.1(��)
Risk Manager��� ��� ���� �� Tivoli �� ���� ����.
� ��� �� � ��� � Tivoli ��� �����.
��� ���� �� ��� Risk Manager �� ��� ���� ���� ����.
��� �� ��� �� �� ��� ��� �� ��, �� ��� ��� ���. Risk Manager� ��� �� �� �� � ���.
Risk Manager � Tivoli Enterprise Console
TEC� Tivoli Management Framework� � �� �����. TEC� ������ �� �
�� ��� ����� ����� �� ��� �� �����.
Risk Manager� �� TEC ���� �����.
¶ � ���� ���� TEC ��� �
¶ TEC ��� �� �
¶ TEC ��� ��
¶ �� � ��(ACF)
¶ ��
Risk Manager� � �� �� ��� ��� Tivoli Enterprise Console�� e-business� �
��� �����. TEC� �� ��� ��� ��� Tivoli Enterprise Console ���
�����.
TEC ��� ��� � ��� ���� ��� �� � �� �� � ���� ����
�. ���� Tivoli Enterprise Console� ���� �� ���� ��� ��� ��
�� ���� ����. ���� ���� ��� TEC ��� �� ��� ��� ��
�� �� ���.
TEC� Risk Manager �� ���� ��� ���� �� ���� � �� �� ��
���. ��7� TEC � ��� ��� ����.
Risk Manager� Tivoli ���� ��� � ��� �� ���� ���� ��� ��� �
����. TEC� ���� �� ���� �� ��� ��� �� ��� �� ��� � �
���.
¶ �� ���
¶ �� ���
¶ trusted host� �
¶ Risk Manager ����
¶ �� Risk Manager �� ���
Risk Manager ��� ��� ����� ���� �� ���� �� �� �����. Risk Manager� ���� ��� � �� ���� ��� ��� ���� ����. Risk Manager� ��� ���� ��� �� ��� ��� �� � �� � �� ���
��.
�� 7. TEC � ��� ��
��� ������
TEC� � Risk Manager ���� ��� ������� �� RDBMS(Relational Database Management System)� ����.
TEC ��� ��
TEC ��� � � ���� �� ��� ���� ���� ���� ��� �����. �
��� ���� ��� ������ ���� ��� �� �����. ���� ��
���� ��� ��� �� ���� ��� ��� ����. �� �� ����
���� � TEC ��� � � ��� � ����. ��� � ��� �� ��� ��
� ��� �����. �� TEC ��� � � TEC ��� �� �� �� ��� ���
�����.
Risk Manager� TEC ��� � � ���� �� �� ���� ��, �, ����. TEC��� � � �� ��� ��� ��� Tivoli Enterprise Console ��� �����.
TEC ���
Tivoli� ���� ����� TEC � � ��� � �� �� TEC ��� �����. Risk Manager �� � ��� ���� ��� TEC ��� ���� Risk Manager ����
���� �� Risk Manager � � �����.
��� �� ��� � ��� �� ������. ��� ��� ���� �� �
��� ���� ���� ����� Tivoli ��� � � � ��. ��� ����� ��
�� ���� ��� ������ ���� ��� � �� ��� ��� �� �� �
�� ��� � ��� ���� ASCII �� �� �� � ����.
��� Tivoli ���� �� � Tivoli ����� ���� ���� Tivoli ��� �
� �� � ����. Tivoli ����� Tivoli Management Framework� ���� ���
� ���� �� �����. � Tivoli ����� ��� � �� ��� �� �(IP)�� �� ����� �� �� �� ���� �� �����.
������ � ��� ���� ����� ������ ���, ����� �����
� ��� ���� ��� Tivoli ��� � � �����.
������ � Risk Manager�� ���� TEC ��� UNIX� Tivoli �� �� �
� �� Windows ���� Windows ��� �� �����. SNMP ��� �����.
�: � ���� ��� Tivoli �� �� ��, Windows ��� �� �� �� SNMP���� ��� ���� �� � ��� TEC ��� �����.
��� ���� ���� ���� TEC� ����� ��� TEC ��� � ���� �
�� �� �� � ���� ������. �� ��� Risk Manager TEC �� ��
���� Tivoli ��� � �� �����. Risk Manager TEC �� ��� ���� IDS���� ���� ���� � ��� � �� �� �� �����. 53 ��� �Risk Manager � �� ���� �����.
� TEC ��� �� �� ��� ��� �� �� �� ���� � ��� ����
� �� �����. �� ���� ��� ������ ����.
BAROC ��
BAROC ��� ��� � � � ��� ���� �����. ��� ���
� ��� �����. ����� ��� ���� ��� ��� � � ��� ��
� �� �� Tivoli ��� � � �����. Risk Manager� ���� � ��
���� BAROC �� �����. ��� ��� ��� �BAROC ���
�����.
�� ��
��� ��� �� �� ��� ��� ��� �� ���� ���� ��� � �
�� �� ��(.cds) ��� �� ���� �����. �� ��� ��� ����
��� �� �� �����. �� ��� TEC ��� ��� �� ��(.cds)�� ����� �����. Risk Manager� ���� � �� ���� ��(.fmt)�� �����.
��� � ���(.cds) ��
TEC ��� .cds �� ���� �� ���� ��� ���� ����� ���
� ��� � � ���� �� ��� � �����. Risk Manager� SNMP �
�� ���� ��(ISS RealSecure� �� Cisco ���� ��)� .cds �
� �����.
��� ��� ���� ��� ���� ��, ��, ���� � ����. ��� ���
� � ��� ������ ��� ��� ���� �� ���� �����. �� ���
������ � ��� ��� ���� ��� �����.
BAROC ��� ��� TEC ��� ���� ��� ���� �� BAROC �� �� ����
�. � ��� TEC ��� �� ���� �� �� ��� � � �� ��� ����
�. ��� � � ���� ��� ���� ��� �� � �� �� ���. ��
BAROC ��� .baroc ��� ����.
Risk Manager BAROC ��� TEC ��� �� � ���. �� ���� EVENT����� �����. Risk Manager ��� ��, �� ��� � ��� TEC ��� ��
� ��� �� � BAROC ��� � � ����.
BAROC �� �� ��� ��
riskmgr.baroc �� ��� ��� Risk Manager ���
sensor_abstract.baroc ��� ��, �� �� �� ���. ��� ���� ���� TEC� ��� ����. � ��� ����� riskmgr.baroc ��� ��� �� ���.
sensor_generic.baroc �� �� �� ���� ��� ���� � �� ���. � ��� ���� sensor_abstract.baroc ��� ���� �� �����.
realsecure.baroc ISS RealSecure� �� ��� � � ���� � ��� ���. � ��� ���� sensor_abstract.baroc ��� ���� �� �����.
csids.baroc Cisco Secure IDS� �� ��� ���. � ��� ���� sensor_abstract.baroc ��� ���� �� �����.
webids.baroc Web IDS ��� ���. � ��� ���� sensor_abstract.baroc ��� ���� �� �����.
cpfw.baroc Check Point FireWall 1� �� ��� ���. �� ��� ��� ���� � �� � ��� ���� �����. � ��� ���� sensor_abstract.baroc ��� ���� �� �����.
pix.baroc Cisco Secure PIX Firewall� �� ��� ���. �� ��� ��� ���� ��� � ��� ���� �����. � ��� ���� sensor_abstract.baroc ��� ���� �� �����.
os.baroc Host IDS� �� ��� ���. � ��� ���� sensor_abstract.baroc ��� ���� �� �����.
crouter_snmp.baroc Cisco ���� �� ��� ���. �� ��� ��� ���� � ��� ���� �����. � ��� Cisco ��� ��� �� �����. � ��� ���� sensor_abstract.baroc ��� ���� �� �����.
rmvirus.baroc Norton AntiVirus� �� ��� ��� � McAfee Alert Manager� ��. �� ��� ��� ���� � ���� ���� �����. � ��� ���� sensor_abstract.baroc ��� ���� �� �����.
nids.baroc Risk Manager Network IDS ��� ���. � ��� ���� sensor_abstract.baroc ��� ���� �� �����.
��� �� ��� ��
.cds ��� ���� �� ���� �� ���� ����� ���� ��� � � ���
� �� ��� � ���� � ��� �����. .cds ��� .cds �� ����
��� ���� ��� ���� SELECT, FETCH, MAP �� �����. � ���
���� ��� ����� �� ���� ��� � ��� �� ��� ����. �
�� �� ��� ���� sensor_abstract.baroc� ������ �� �� ����� �
��� �� ���.
.cds ���� ��� ��� ��� ��, C(.baroc) ��� BAROC(Basic Recorder of Objects in C)��� ��� ��� ��� ��� � ���. Tivoli Event Integration Facility User’s Guide��� ��� �� �� � �����.
.cds ��� �� ���� ���� ��� ���� ��� ���� � � �� �
�� ��� ����(18 ��� ��� ��� �). Tivoli� ��� �� �� �� ��
��� ���� tecad_logfile.fmt, tecad_nt.fmt � tecad_win.fmt �� �����. Risk Manager �� ��� �� TEC �� ��� �� ����� �� TEC �� �� �
� � ����.
Risk Manager� TEC SNMP �� �� ��� ��� �� �� �� �����. tecad_snmp.cds �� ���� Internet Security Systems RealSecure(ISS RealSecure) �
Cisco ���� ���� ���� ��� � �� SNMP ��� �����.
�� ������ ��� �� ��� ����, �� � ��� ������.
¶ Risk Manager �� �� TEC ��� �� ��� ���� � �� ������.
¶ �� TEC �� �� �� �� Risk Manager �� ��� ���� �����. �
� Host IDS� ��� �� �� ����.
��� ��� 45��� �����.
TEC SNMP ���� .cds ��� �����.
TEC ��� ��� �� ���� ��� ��� � �� � �� � ��� �� ���
� ����.
��� ��� ���� ����� ���. ��� �� ��� �� �� ���� ���
��. �� �� ��� .fmt ��� ����. �� ��� �� ��� �����.
¶ ��� ���� ��� ����� �� �� ��. ���� � ��� ���� �
���.
¶ .cds �� ��� � ��(17 ��� ���� �� �� ��� �)
Risk Manager �� ��� �� ����.
3. Risk Manager �� ��
Risk Manager �� �� | Risk Manager ��� ��� �� ���
webids.fmt | Web IDS | Risk Manager EIF | Unix � Windows ���
webids.fmt | Web IDS | �� �� �� | Unix ���
webids.nt.fmt | Web IDS | Windows ��� �� �� | Windows ���
pix.fmt | Cisco Secure PIX Firewall� �� | Tivoli �� �� �� | UNIX ���
pix_nt.fmt | Cisco Secure PIX Firewall� �� | Windows ��� �� �� | Windows ���
csids.fmt | Cisco Secure IDS� �� | Risk Manager EIF | Unix � Windows ���
csids.fmt | Cisco Secure IDS� �� | �� �� �� | Unix ���
csids.nt.fmt | Cisco Secure IDS� �� | Windows ��� �� �� | Windows ���
os_aix.fmt | Host IDS� �� | �� �� �� | AIX ���
os_solaris.fmt | Host IDS� �� | �� �� �� | Solaris ���
os_nt.fmt | Host IDS� �� | Windows ��� �� �� | Windows ���
os_linux.fmt | Host IDS� �� | �� �� �� | Linux ���
rmmac.fmt | McAfee Alert Manager� �� | Windows ��� �� �� | Windows ���
rmnav.fmt | Norton AntiVirus� �� | Windows ��� �� �� | Windows ���
cpfw.fmt | Check Point FireWall-1� �� | Risk Manager EIF | Unix � Windows ���
cpfw.fmt | Check Point FireWall-1� �� | �� �� �� | Unix ���
cpfw.nt.fmt | Check Point FireWall-1� �� | Windows ��� �� �� | Windows ���
tecad_snmp.cds | Cisco ���� ��, ISS RealSecure | SNMP �� | Unix � Windows ���
�: Cisco ��� � ISS RealSecure� ��� Tivoli SNMP ��� �����. tecad_snmp.cds� Risk Manager � ���� � ��� �� ���.
�� �� � BAROC �� �� ������. �� ��� ��� � ��� ��
��. �� � �� ��� � ���� ��� ��� �� IDS �� �� ���� ��
��� ���� ��� �� ��� ���� ����.
Risk Manager �� �� �� ��� � ���� �� �� ��� Tivoli ��� �
� �� ��(.fmt) �� �����.
$BINDIR/../generic_unix/RISKMGR/ACF_REP
��� BINDIR� ��� � ���� � �����.
Tivoli Enterprise Console�� �� ��
� ��� Tivoli Enterprise Console(TEC)�� Risk Manager ��� ��� ��
���. �� �� ���� �� ��� � �� ��� � �����.
Risk Manager Web Intrusion Detection System(IDS) ����� ��� ��� ����� �����. Risk Manager� Risk Manager Web IDS� ��
�� �� � � � ������ ��� �����. ����� ��� ��� � ���� �
�� �� �� ���� TEC� ���� ���� ���� �� �� ���� �
� �� �����. �� �� �� ���� �� Risk Manager �� �� �� ��
�� ���� �� � � ����.
��� ��� �� �� �� �����? Risk Manager Web IDS ��� � � � ���
��� �� �� ���� � � �� �����. Web IDS� � � ��� ���
�� ���� �� � �� ���� �� �� � �����. ��� ��� ���
� �� ���� � �����. Web IDS ��� �� �� �� �� ���� TEC���� ��� �� �� TEC � � � ��.
� ������ Web IDS� Apache � � �� �� ���� �� �� �� ���� TEC� � ������. TEC� IDS �� ���� ��, ��� �� �� ���� � ���
� ���� �� � �����. TEC �� �� ��� Risk Manager�� ���� ��
� TEC � ����.
Risk Manager �� ��� �� � ��� � � ��� �� �����. � �� ��
��� ��� �����. Risk Manager� � ��, ��� ��, ��� ��, ��� �� �
���� � �� �� ��� �� �� �� � �� ��� ��� ����. �
������� � �� � �� ��� � �����. � �� �� �� ��� � �� IP����, � �� �� �� ��� � �� IP �����.
�� �� ��� ��� � ��� ��� � � � �� ���� ��� ��� �
��� ��� TEC�� �� �����. �� ����� ���. � ���� �� �
� �� � � � ���� ����� �� ��� � ���� ��� ���� ���
�. Risk Manager ��� ��� ���� ��� �������.
�� 1 ���� � ��� �� ��, �� ��� � �� ��� �� � �� ���
�� ���� ����� �����.
�� 2 ���� � �� �� ���� ����� �����. ���� �� ��� � ��
��� � ����.
3
21 Risk Manager ��� ���
3. TEC �� �� ��
�� 3 ���� ��� �� ���� ����� �����.
�� 1 ���� � ��� � � ����� �� �� ��� � � �� ��
��. �� 3-3 ���� �� ��� � �� ����� ��� �� ��� � ��
�. ��� � �� ���, ��, �� ��� � �� ���� �� � ��� �� ��
��� � ���.
TEC ��� ��
��8� Risk Manager ���� ��� �� TEC ��� ���� ���� TEC ����
�.
“RM ���” ���� ���� �� Risk Manager �� �� ���� �����. � ��
������� ��� � ���� 27�� �� ���� TEC � � ������. “RM �
�” ���� �� �� � �� �� �� ��� � ���� �� �� ����
�����. � �� ������� ��� ��� �������. � ��� ��� �� �
����.
�� ��� ����� trusted host� �� ���� ���� ���� ���� “RMTrusted”� ����. trusted host� ���� �� �� ��� �� ������. “RM �
�” ���� �� ���� ���� “RM ��” ���� Risk Manager ��� ����
���� �����.
��� ������� �� Risk Manager ���� ��� ��� ��� ����� “RM ���” ��� �����. 23 ��� ��9� ���� ���� ��� �����.
�� 8. TEC �� -- �� �.
�� � ��� ������. � ��� � �� ���� � � �� ������ ��
����. �� ���� ApacheServer� �� ��� � �����. � �� ��� ��
� ��� � WW_InsecureCgi� ����. ����� ��� ��� Web IDS� � �
���� �����. Risk Manager ��� �� ��� � �, ��� �� � ��
��� ��� ��� �� �� �� ���� � �� ����� ����� � ��
� ��� �� 1 ���� �����.
TEC ��� ��� hostname ��� �� �� � ��� ��� ��� ��� �
���.
¶ �� ��� �� �� . � ����, ��� WEB���.
¶ ����� �� ��� � �� IP ��. � ���� ApacheServer� Web IDS �
�� ���� � � � ��� ����.
¶ �� ��� ��� � �� IP ��. ������, ��� �� SourceHost���.
¶ �� ��� ��� � �� IP ��. � ����, ��� �� DestHost1���.
���� �� �� ��� ���� ����.
��� TEC ��� ��
��� ���� ��� �
��� ��
��� hostname �� � � ��� ����.
��� ���� �� �� �� �� ��
��� ��� IP ��
�� 9. TEC ��� ��
��� ���
��� ��� �
�����
�� �� ��� �. ������, webids� �����.
�� ���� TEC ��. Risk Manager� �� ���� �� ��� ���.
� �
���� �� ��
Repeat_count
���� Risk Manager Event Integration Facility� � ���� �� �� ���
� �� 0� �� ��� �����. 0� �� �� �� ���� � ��� �
� �� ��� �� �� ��.
0 �� ���� �� ���� �� �� ��. � �� ����� rm_Level �
(�� ���� ���� ��� baroc ���� ����� ���)� ����. Risk Manager Server�� �� ���� ��, ���� rm_Level �� ��
����.
(1 + repeat_count) * (initial value of rm_Level)
�� ��, repeat_count �� 299�� �� rm_Level� 0.5� �� ���� rm_Level �� 150.0�� ����.
rm_Level �� �� ���� ������ �����(�� �� ��� �� �
� � � �� �����).
�: repeat_count ��� -1� � �� ���� ����. � �� ���� �
�� �� ���� ��� ��, repeat_count �� 1� ���.
Risk Manager �� ��� ��
TEC� ��� �� Risk Manager �� ��� ��� ��� �� Risk Manager�� ��� �� �����.
��10� �� 1 ���� RM_Situation1� ����� �����. � ���� �� ��
�� ���� �� ��. ��� �� � �� ���(DestHost1)� � � �� ��
�(SourceHost)��� ���� �� �� ��(� ��)� ��� ��� ���. �� 1���� ��� � ��� � �� ����� �� �����.
����� ��� ��� �� ��� ��� �� �� �� �����?
����� ���� �� �� � � ����. Web IDS ��� �� Apache � � ��
� �� ��� � ��� ���� ����� �����. ��� � ��� �� ��� �
�� �� �� ����� �� �� ����� ����� �� ���� ����.
��� ��� ��� �� ���� �� �� ���� � ��� �� �� ���� ���
��.
� �� �� 1 ���� ��� �� � �� ���(DestHost2)� � � �� ���
(SourceHost)��� ���� �� �� ��(� ��)� ��� ��� �� ��� ��
���.
�� 2 ���� �� �� ���(DestHost2)� � �� �� ��� �� ���(DestHost1)��� ��� �����. ����� � �� �� �� ��� ����(� ��) �� ��
���(SourceHost)�� �����.
� ��� �� �� � ��� � ��(�� � ��)� ���� � �������. 26
��� ��11� �� � ��� �� �� ��� �����.
�� 10. �� 1, RM-Situation 1 ��� TEC
TEC ��� ���
Risk Manager �� ��� �� �����. ��� ��� � ��� �� �� ���
� ���� ����.
RM_Situation1 ���� �� ��� �� ��� ��� �� �� ����.
RM_Situation2 ���� �� ��� �� �� �� ���� �� �� � �� ��
�� ���, ���� � �� �� �� �� �� � ���� ����, �� ��
����.
�� 11. RM ����� ��� ��� TEC
�� 12. � ��� �� ���� ��� TEC ��� ��
�� ��� � ���� �� ���� �� ��� ��� ���� ��� ��� ���
RM_Situation2 ���� �����(��� ��� ��13 �����). �� �� �
��� ���� ���� �� ��.
Risk Manager � �� �� ���� �� ���� �� ���� �� �� ���� �� ��� �� � �� ���
�. �� ��, � �� ������� RM_Situation2 ���� �� ��� �� ����
�� ��� ��� �� � �� ����. � ��� ��� �� ������.
1. Risk Manager �� ��� ���� RM_Situation2 ���� �����.
�� 13. ��� 1� �� ���� ��� TEC ��� ��
2. RM_Situation2 ����� ��� ��� �� ��� ��14� � �� � �
����. �� RM_Situation2 ���� �� �� ��� �� �� ����.
3. �� �� ���� �� �� ��� ���� � ��� �� �� � ����� �
����. �� ��� ����.
RM_Situation2 ��� ��
Situation2 ���� ��� ����.
�� �� �� � �� �
��� ��� �� ��
� ��� �� ���� �� ���
��� �� ��� ��� ���� ���, � �� ���� � ��� �
� � �����.
¶ Class
¶ Date_Event
¶ Severity
¶ SensorHostname
¶ SourceHostname
¶ SourceIPAddr
¶ SourcePort
¶ DestinationHostname
¶ DestinationIPAddr
¶ DestinationPort
¶ ClassCategories
¶ Subsource
¶ Message
¶ Signature
�� 14. ��� �� ��� ��� TEC ��� ��
�� �����.
��15� � ��, � ��� �� �� ���� �� ��� �� �
� ���� ����.
�� 15. �� �� ���� �� ��� �� �� ���� �� ��
Risk Manager ��
� ��� Risk Manager ��� � ��� � ���. �� ��� �� ��
��� � ���� ���� �� �� �� � Risk Manager� �� � �� ���
��� Tivoli Risk Manager ��� �� � �����.
� ��� 236 ��� �� ���� �����. Risk Manager � ��� �
�� 245 ��� �Risk Manager � ���� �����.
� ��� �� �� �� � ��� ���� ����.
¶ Tivoli �� � ��
¶ TME(Tivoli Management Enterprise) ��
¶ Tivoli Enterprise Console (TEC) �� � ��� �� ��
¶ �� �� ������
� � �� �� ������� Risk Manager ��� � �� �����.
�� ���� ��� �� �� �� � �� �� ���� � �� ���. � �
�� �����. ���� ��� ��� �� ��� � ���. � ���� �
�� � ��� �����.
Risk Manager ��� �� Tivoli �� ���� �� ����. Risk Manager� ���
�� ��� Tivoli �� � ���. ��� ��� �� ��� � Tivoli ��
��� � ����.
�� ��� �� ��
Risk Manager� �� ��� � � �����. �� ��� � � ��� ������ �
� ��� �� Tivoli Management Regions(TMR) �� � ����. ����� �
� region� TMR� � ��� � � �� ���.
�� �� ��� ��� � � ���� �� ��� � � �� �� ��� ��� �
����. ��� Risk Manager� ��� �� �� ��� �� � �� ����.
� �� �� ��� � � ��� ����� �� ��� ���� �� ���� ����
��� � � �����. ���� ��� � � �� ���� � ��� ���� ���
� �� ���� ����.
4
31 Risk Manager ��� ���
4. Risk Manager ��
�� � � ��� ��� ���� �� �� �����.
�� � � ��� ����� ��� 68 ��� ��� ��� ��� �����.
�: � TEC ��� � � �� TMR� ���� � ��� � � ��� ����� �
��� ��� ��� �� ���.
Risk Manager ��� �� �� � ���� �� �� ���� � TEC � � �
�� �� ���.
�� ����� � ��� �����.
Risk Manager ��� ��� ��� ��� ��� ��� �� �����, �� �� ��� ����.
�� ��� �� �� �� �� ���� �� ��� �����.
1. Tivoli Management Framework(��� TME/10 Management Enterprise Framework),
� 3.7.1.
�: Tivoli Management Framework, � 3.7.1� �� ���� TEC � � � �
��.
2. Tivoli Management Agent ����� �����(��� LCF �����), � 3.6.3 �
�
3. ��� ������ ���� �� �� ��� ����� �� ���(RDBMS)
TEC ��� ��� ������ ����. RDBMS ����� ������ TEC� ��� � � ���� ��� ���� � ���. Tivoli Management Framework� RDBMS Interface Module(RIM) ���� ������ ����� ������. ��� ������ �� ��� ��� Tivoli ��� �����. Risk Manager� �� ������ �����.
¶ IBM DB2, � 6.1, 7.1
¶ Oracle Database, � 8.1.x
¶ Sybase Adaptive Server Enterprise (ASE), � 11.5, 11.9x � 12.0
�� 16. ��: �� ��� � ��
4. TEC, � 3.7.1
¶ TEC ��� � , � 3.7.1
¶ TEC ��� ����(UI) � , � 3.7.1
¶ TEC ��� ��, � 3.7.1
¶ Tivoli Adapter Configuration Facility(ACF), � 3.7.1
ACF� ���� ��� � �� ��� �� � �� �� �� �����
� ����� ���. ACF� ���� ���� � ���� �� �������
���� �� �� ��� ���� � ����.
ACF� TME ��� ��� ������ ����� ���� �����. TEC �
�� � � ��� ��� � � �� �� TEC ��� � � ������
�. ���� ���� ��� ����� ��, �� � ��(ACF) �
���.
�: Tivoli Management Region(TMR) � ����� ������ ACF� � �
��.
¶ ��� TME �� - Risk Manager Event Integration Facility� ���� �� �
�
v UNIX ���� Tivoli �� �� ��(syslogd)
v Windows ��� �� ��
v UNIX ��� �� Windows ���� SNMP ��
5. ��� ��, �� ������ �� ������
6. Tivoli Decision Support, � 2.1.1 - Tivoli Decision Support for Enterprise Risk Management guide� ����� ��
Risk Manager Event Integration Facility ���
Risk Manager Event Integration Facility(Risk Manager EIF)� Java Runtime Environment(JRE), � 1.3 ��� ���.
Windows ���
� � ����� ��� JRE ��� � � �� ���� ����.
AIX ���
AIX� ��, Risk Manager EIF�� Java130.rte�� �� �� ���� ����. � ���
� Risk Manager CD� usr/sys/inst.images �� �� �����. Java 1.3��� AIX� ��� bos.rte �� 4.3.3.10 ���� ���. � ���� ����, AIX � �
�� ����� � �� ����. ��� ���� ����, �� ��� �� IBM �
�� � �� � ���� ������.
http://techsupport.services.ibm.com/eserver/fixes
Solaris ���
Solaris� ��, Risk Manager EIF� SUNWj3rt Java Runtime ���� ����. SUNWj3rt ���� ���, �� ��� �� Sun� Java � ���� ������.
http://java.sun.com
Linux ���
Linux� ��, Risk Manager EIF� IBMJava2-JRE ��� � 1.3 �� ����. �
���� Risk Manager CD� linux_client �� �� �����.
Risk Manager �� ����
Tivoli Risk Manager 3.8 ��� CD� �� �� �� �� � �� Tivoli �� ����
���� ����. 35 ��� �� � � �� ���� Risk Manager ��� �
� �� �����.
�� �� �� ���
¶ Tivoli Risk Manager �� 3.8
Risk Manager � ���� Risk Manager �� � �� �����. ACF� ��
�� ��� ��� � � ��� ���� �� ������ ��� � ����. �
� ��� � ���� Risk Manager native � ���� �����. �� ��
�� �� ACF �� �����.
¶ Tivoli Risk Manager Perl � 3.8
� ���� Tivoli �� ��, Tivoli ����� �� � Tivoli ������ ����
�.
Web IDS, Cisco Secure PIX Firewall� ��� � Risk Manager�� ���� TEC��� �� Risk Manager Event Integration Facility Perl ����� ��� ���
����, Perl �� ���� �����.
Risk Manager Native �� ���
Tivoli Risk Manager Event Integration Facility 3.8� ���� Tivoli �� �� � Tivoli ��� ������ �����. �� ��
��� ��� ���� ����.
Tivoli Risk Manager Web Intrusion Detection System 3.8� ���� Tivoli �� �� � Tivoli ��� ������ �����. �� ��
��� ��� ���� ����.
Cisco Secure IDS� Tivoli Risk Manager ��� 3.8� ���� Tivoli �� �� � Tivoli ��� ������ �����. �� ��
��� ��� ���� ����.
Check Point FireWall-1� Tivoli Risk Manager ��� 3.8� ���� Tivoli �� �� � Tivoli ��� ������ �����. �� ��
��� ��� ���� ����.
Tivoli Risk Manager Network Intrusion Detection System 3.8� ���� Tivoli ��� ������ �����. �� ����� ��� ���
� ����.
�� � �� ��� ��4� ��� � �� � ��� �����.
4. � � � �� ��
Risk Manager ���� �� � TEC ����� � Risk Manager EIF �� �� �� �� .cds �� Tivoli ����������� Native �� ������� ACF
� � -
Perl �� � � -
Risk Manager EIF � - rmad.fmt
Check Point FireWall 1� �� � Risk Manager EIF �� �� � � �� �� Windows ��� �� �� cpfw.nt.fmt cpfw.fmt
Cisco Secure IDS � �� � Risk Manager EIF �� �� � � �� �� Windows ��� �� �� csids.fmt csids.nt.fmt
Host IDS � � �� �� �� �� Windows � �� �� �� os_nt.fmt, os_aix.fmt, os_solaris.fmt, os_linux.fmt
McAfee Alert Manager� �� � � Windows ��� �� �� rmmac.fmt
Norton AntiVirus � �� � � Windows ��� �� �� rmnav.fmt
Web IDS � Risk Manager EIF �� �� � � � � � � Windows ��� �� �� webids.fmt �� webids.nt.fmt
Cisco Secure PIX Firewall� �� � � �� �� �� �� Windows � �� �� �� pix.fmt �� pix_nt.fmt �� ��
ISS RealSecure � Cisco ���� �� � � SNMP �� tecad_snmp.cds � tecad_snmp.oid ��
Tivoli Decision Support InstallShield
Network IDS � � �� �� �� nids.fmt
Native � ��
¶ AIX� installp
¶ Solaris� pkgadd
¶ Linux� RPM
¶ Windows ���� InstallShield ����
Tivoli ����� ��� Risk Manager ���� ��
Tivoli ��� ���� �� Risk Manager ���� �� � ����.
¶ Risk Manager �
¶ Risk Manager Perl ��
Tivoli Enterprise Console ��� ��� Tivoli ��� ��� �����.
Risk Manager �� �� ���
Unix ������ Risk Manager EIF �� � ��� �� ����� ��� ���
� ����.
/etc/Tivoli/rma_eif_env.sh
� ����� Risk Manager �� �� ��� Risk Manager bin �� �� ���� �
�� �����. Risk Manager EIF �� ���� ��� ��� �� �� ����.
¶ RMADHOME �� ��� � Risk Manager �� �� �����.
¶ RMJREHOME �� Risk Manager�� Java 1.3 ��� �� ����.
¶ $RMADHOME/bin � $RMJREHOME/bin �� �� PATH� �����.
¶ Risk Manager �� ��� $RMADHOME/bin �� �� �����.
¶ Risk Manager � ��� $RMADHOME/etc �� �� ����.
Windows ������ � � RMADHOME � RMJREHOME �� �� ��� �
�� ��� PATH� �����.
Native ��� ��� Risk Manager ���� ��
native � �� ���� Risk Manager� ��� �� � ����.
AIX ���� ���
��5� AIX� �� ���� �����.
5. AIX� �� Risk Manager ���
Risk Manager����� �� �� �� �� �� � �� �� (.fmt) �� (.cds) �� �� �� ��
Event Integration Facility | rmgr.eif | rmgr.eif.rte | Java130.rte | - | rmad.conf, rmad_summary.rules
Perl �� | rmgr.perl | rmgr.perl.rte | - | - | -
Host IDS �� | rmgr.support | rmgr.support.hostids | - | os_aix.fmt (1) | -
PIX Firewall� �� | rmgr.support | rmgr.support.pix | rmgr.eif.rte | pix.fmt (1) | -
SNMP �� | rmgr.support | rmgr.support.snmp | - | tecad_snmp.cds (2), tecad_snmp.oid | -
Web Intrusion Detection System | rmgr.web | rmgr.web.rte | rmgr.eif.rte, rmgr.web.sig | webids.fmt (1) | webids.cfg
Web IDS �� | rmgr.web | rmgr.web.sig | rmgr.web.rte | - | sig.nefarious
Network IDS | rmgr.nids | rmgr.nids.bff | bos.mp, bos.net, bos.up | nids.fmt | -
1. Risk Manager EIF � TEC �� �� �� ��
2. TEC SNMP �� ��
����� Risk Manager ������ Risk Manager ���� �� � ����.
AIX ���� Risk Manager ��� ���� installp� ������.
CD-ROM ����� Tivoli Risk Manager CD� ���� ������. �� �� ��
��� � ����.
mount -v cdrfs -r /dev/cd0 /mnt
AIX � ���� �� � /mnt/usr/sys/inst.images� ����.
�� �� ���� Risk Manager � ��� �� �����. ����� installp ��� -g� ���� ���� � �� ��� -X� ���� �� ��� ���� �
���. �� ���� dir� AIX ���� ���� �� �� �����.
AIX� Risk Manager Web IDS ���� � ������.
installp -agXd dir rmgr.web
AIX� Risk Manager SNMP �� ��
Risk Manager SNMP ���� Cisco ��� � ISS RealSecure� �� ��� �����.
�� � ������.
installp -agXd dir rmgr.support.snmp
AIX� Cisco Secure PIX Firewall� Risk Manager �� ���� � ������.
installp -agXd dir rmgr.support.pix
AIX� Host IDS� Risk Manager �� ���� � ������.
installp -agXd dir rmgr.support.hostids
AIX� Risk Manager Network IDS ���� � ������.
installp -agXd dir rmgr.nids
AIX�� smit� ���� ��� ��
smit �� smitty� ���� Risk Manager ���� ���� �� ������.
1. �� ������.
smitty install_latest
2. ����� �� INPUT ���� / ��� ��� CD ����(�: /dev/cd0) �� �
� � � ������.
3. ��� SOFTWARE �� ��� ������.
4. �� �(F4)� ��� CD� �� Risk Manager ���� ������. �� ��
��� �� �����.
rmgr.eif
  + 3.8.0.0 Risk Manager Event Integration Facility
rmgr.perl
  + 3.8.0.0 Risk Manager Perl ��
rmgr.support
  + 3.8.0.0 Risk Manager SNMP ��
  + 3.8.0.0 Cisco Secure PIX Firewall� Risk Manager ��
  + 3.8.0.0 Host IDS� Risk Manager ��
rmgr.web
  + 3.8.0.0 Risk Manager Web IDS ��
  + 3.8.0.0 Risk Manager Web Intrusion Detection System
rmgr.nids
  + 3.8.0.0 Network Intrusion Detection System
�� ���� ���� � �(F7)� ������.
5. LATEST �� ��� ����� ��� � � ���� ���� Enter� ���
��.
6. Enter� �� � ���� �����.
7. �� � ��� ARE YOU SURE? ������ Enter� �� �����.
Linux ���� ���
��6� Linux� �� ������.
6. Linux� �� Risk Manager ���
Risk Manager ���� �� �� � �� �� (.fmt) �� (.cds) �� �� �� ��
Event Integration Facility | rmgr-eif-3.8.0-0.i386.rpm | IBMJava2-JRE-1.3 | - | rmad.conf, rmad.err, rmad_summary.rules
Perl �� | rmgr-perl-3.8.0-0.i386.rpm | - | - | -
Host IDS �� | rmgr-shost-3.8.0-0.i386.rpm | - | os_linux.fmt (1) | -
PIX Firewall� �� | rmgr-spix-3.8.0-0.i386.rpm | - | pix.fmt (1) | -
Check Point FireWall-1� �� | rmgr-cpfw-3.8.0-0.i386.rpm | rmgr-eif | cpfw.fmt (1) | rma_cpfw.conf
Cisco Secure IDS� �� | rmgr-csids-3.8.0-0.i386.rpm | rmgr-eif | csids.fmt (1) | -
SNMP �� | rmgr-ssnmp-3.8.0-0.i386.rpm | - | tecad_snmp.cds (2), tecad_snmp.oid | -
Web Intrusion Detection System | rmgr-web-3.8.0-0.i386.rpm | rmgr-eif, rmgr-perl | webids.fmt (1) | webids.cfg, sig.nefarious
Network IDS | rmgr-nids-3.8-0.i386.rpm | - | nids.fmt | -
1. Risk Manager EIF � TEC �� �� �� ��
2. TEC SNMP �� ��
rpm ���� Linux ���� Risk Manager ��� �����.
1. CD-ROM ����� Tivoli Risk Manager CD� ������.
2. CD-ROM ����� ������.
mount -r /dev/cdrom /xmnt
3. �� � ������.
rpm -i /mnt/cd_drive_name/file_name
���, file_name� �� ���� ����.
4. ���� ��� �� �� �����.
Solaris ���� ���
��7� Solaris� � ������.
7. Solaris� �� Risk Manager ���
Risk Manager ���� �� �� � �� �� (.fmt) �� (.cds) �� �� �� ��
Event Integration Facility | RMGReif | SUNWj3rt | - | rmad.conf, rmad.err, rmad_summary.rules
Perl �� | RMGRperl | - | - | -
Host IDS �� | RMGRshost | - | os_solaris.fmt (1) | -
PIX Firewall� �� | RMGRspix | RMGReif | pix.fmt (1) | -
SNMP �� | RMGRssnmp | - | tecad_snmp.cds (2), tecad_snmp.oid | -
Web Intrusion Detection System | RMGRweb | RMGReif, RMGRperl | webids.fmt (1) | webids.cfg, sig.nefarious
Check Point FireWall-1� �� | RMGRcpfw | RMGReif | cpfw.fmt (1) | rma_cpfw.conf
Cisco Secure IDS� �� | RMGRcsids | RMGReif | csids.fmt (1) | -
Network IDS | RMGRnids | - | nids.fmt | -
1. Risk Manager EIF � TEC �� �� �� ��
2. TEC SNMP �� ��
���� Risk Manager ���� ����, CD� CD ����� �����. ����
Solaris ���� ���� CD� �����. �� ��, CD� CD ���� 0� � ��
CD ���� /cdrom/cdrom0�� ��� � ����. � ���, Risk Manager � ��
�� /cdrom/cdrom0/solaris �� �� ����.
�� ���� dir� Solaris ���� ���� �� �� �����.
Solaris� Risk Manager Web IDS ���� � ������.
pkgadd -d dir RMGReif RMGRperl RMGRweb
Solaris� Risk Manager Network IDS ���� � ������.
pkgadd -d dir RMGRnids
Solaris� Check Point FireWall-1� Risk Manager ��� ���� � ������.
pkgadd -d dir RMGReif RMGRcpfw
Solaris� Cisco Secure IDS� Risk Manager ��� ���� � ������.
pkgadd -d dir RMGReif RMGRcsids
Solaris� Risk Manager SNMP �� ��
Risk Manager SNMP ���� Cisco ��� � ISS RealSecure� �� ��� �����.
�� � ������.
pkgadd -d dir RMGRssnmp
Solaris� Cisco Secure PIX Firewall� Risk Manager �� ���� � ������.
pkgadd -d dir RMGReif RMGRspix
Solaris� Host IDS� Risk Manager �� ���� � ������.
pkgadd -d dir RMGRshost
Windows ���� ���
��8� Windows ���� � ������.
8. Windows ���� Risk Manager ���
Risk Manager �� �� � �� �� (.fmt) �� (.cds) �� �� �� ��
Web Intrusion Detection System | Risk Manager EIF, Java 1.3 Runtime, Perl ��, Web IDS �� | webids.fmt (1), webids.nt.fmt (2) | webids.cfg
Web Intrusion Detection System �� �� | - | - | sig.nefarious
Cisco Secure IDS� �� | Risk Manager EIF, Java 1.3 Runtime | csids.fmt (1), csids.nt.fmt (2) | -
CheckPoint FireWall-1� �� | Risk Manager EIF, Java 1.3 Runtime | cpfw.fmt (1), cpfw.nt.fmt (2) | rma_cpfw.conf
Risk Manager EIF � TME ���� | Java 1.3 Runtime | - | rmad.conf, rmad.err, rmad.summary.rules
��� �� � SNMP �� (Host IDS ��) | - | os_nt.fmt (2) | -
��� �� � SNMP �� (PIX Firewall ��) | - | pix_nt.fmt (2) | -
��� �� � SNMP �� (Norton Anti-Virus ��) | - | rmnav.fmt (2) | -
��� �� � SNMP �� (McAfee Alert ���) | - | rmmac.fmt (2) | -
��� �� � SNMP �� (SNMP ��) | Java 1.3 Runtime | tecad_snmp.cds (3), tecad_snmp.oid | -
1. Risk Manager EIF ��
2. Windows ��� �� �� ��
3. TEC SNMP �� ��
InstallShield� ���� Windows ���� Risk Manager ��� �����.
1. CD-ROM ����� Tivoli Risk Manager CD� ������.
2. � ���� ���� �� �� ����.
cd x:\windows
��� x:� ���� CD-ROM �������.
3. Windows InstallShield ���� ����� �� ������.
setup
4. InstallShield ���� ��� �� �� �����.
��� �� ��� ���� �� �� � �� � ��� ���.
¶ Tivoli ��(TME ��� ��) �
¶ Tivoli Enterprise Console(TEC) �� � ��� �� ��(.cds) �� �
¶ ��� � �� �
TME ���
TME(Tivoli Management Enterprise) ��� ��� ���� �� ��� ���� ��
���� TEC� ��� � �� ���� ��� ����� �������. TME ���
UNIX � ��� Tivoli �� �� ��, Windows ��� �� �� �� SNMP �
�� � ����. TME ��� ��� �� �� ���� TEC ���� �����.
TME ��� ����� �� � Tivoli ����� ����. TME ����� ���
�� � �� �� ��������.
TME ��� ���� TEC ������ ��� TEC ������ ��� ���� ���
��� � � �����. TME ����� ��� �����. TEC ������ ����
� � � �� �� � ���� �����. �� � ���� ��� ���� �
��� ���� �� ���� � ��� ���� �����. TEC ������
��� �� ��� � ���� Tivoli ACF� �� �� � ����(ACP) �
��� ��� �����.
TME ��� ��� ���� �� 1� �� 2� ��� � � � ��. TEC� ��
���� �����. TEC ������ ����� ����� ���� ���� ��� ��
���� �����. TEC ����� � � ����� ���� ��� �� ��� ��
��� ����. �� �� �� �� ������ ���� � ��� ACF� ��
��� ����� ��� �� ��� � ���. ��� Tivoli Management Region(TMR) � ����� ������ � �� �� ��� ACF� ��� �
�����.
TME ��� � � �� � ���� ��� ����. Risk Manager� ���� �
� �� �� �� �� ��� Tivoli Enterprise Console �� ��� ����
�.
¶ Tivoli �� �� ��(UNIX syslogd)
¶ Tivoli Windows ��� �� ��
¶ SNMP ��
TME ��� �� �� � ��� �� �� �� � ���. ��� Tivoli Enterprise Console ��� ��� �����.
��� �� �� ��Risk Manager �� � � ��� Tivoli Risk Manager �� 3.8 � ���� �� Risk Manager �� �� �����.
Tivoli ��� � �� ���� TEC ��� � � Risk Manager � � �� � �
���.
��� �� ����� � � �� �� ��� �� �� , �� ���� ��� ��� � �
���� ��, �� ��, ���� �����.
¶ �� ���� Risk Manager ���� ��, �� ��, ���� Tivoli ��� �
� �����.
v � �� � �� �� �� ��
v ��� Risk Manager BAROC �� �
v ��� Risk Manager �� �
v �� ���
v ���� � �� ���
v ��� �� ��
v Tivoli ��� � �� � �� �
Risk Manager� ��� ���� ��� � �� TEC �� �� rmcorr_cfg � ��
�� �����. ��� 59 ��� �Risk Manager � �� �� ���� ���
�����.
¶ Risk Manager �� �� ���� TME ��� �� �� �� ������. ��
� �Risk Manager � TME �� �� �� ��� �����.
Risk Manager � TME ��� �� �� ��TME ��� �, � ��, � � ��� �� ��� Tivoli Enterprise Console ��
��� �����.
�� � ��(ACF) ���� �� �� �� TME ��� ���� ��, ���
�� �� �� Risk Manager �� �� � �� ��� ���� ��� ������. ACF� ���� ���� �� � �� �� �� ������.
�� ��� ���� ��� Risk Manager �� �� TME ��� �� �� ����
��� � ����.
TEC Risk Manager �� �� ���� ����� �� ������.
1. ��� � �� TME ��� �� ������ �� �� ������. Risk Manager�� ��� �� �� �(�: \tmp\fmt)� ��� ��� � �� � �� �� ��
�� ������.
2. �� ���� �� �� �� �� Risk Manager �� �� TME ��� etc �
� �� ������.
Windows ���
copy \tmp\fmt\*.fmt TecAdHome\etc
��� TecAdHome� TME ��� �� � �����.
C:\Program Files\Tivoli\lcf\bin\w32-ix86\TME\TEC\adapters\etc
UNIX ���
cp /tmp/fmt/*.fmt TecAdHome/
��� TecAdHome� TME ��� �� � �����.
������ Solaris ���� ��, �� � ��� �� ����.
/opt/Tivoli/lcf/bin/solaris2/TME/TEC/adapters/
������ AIX ���� ��, �� � ��� �� ����.
/opt/Tivoli/lcf/bin/aixr4-r1/TME/TEC/adapters/
3. �� ���� �� �� ��� etc �� �� �����.
Windows ���
cd TecAdHome\etc
UNIX ���
cd TecAdHome/etc
4. �� ���� �� �� ��� �� �� �����.
Windows ���
copy tecad_nt.fmt tecad_nt.fmt.bak
UNIX ���
cp tecad_logfile.fmt tecad_logfile.fmt.bak
5. ��� �� Risk Manager �� ��(Windows� �� tecad_nt.fmt �� tcad.win.fmt,UNIX� �� tecad_logfile.fmt)� �� �� ��� ������.
��� �� ��� � Risk Manager ��� �� ���, os_nt.fmt, os_aix.fmt� � os_solaris.fmt� �� � � � tecad_nt.fmt , tcad.win.fmt � �
tecad_logfile.fmt ��� �� �� �����.
�� �� �
Windows NT �� ��
cat tecad_nt.fmt.bak > tecad_nt.fmt
cat webids.nt.fmt >> tecad_nt.fmt
cat pix_nt.fmt >> tecad_nt.fmt
AIX �� ��
cat tecad_logfile.fmt.bak >tecad_logfile.fmt
cat webids.fmt >>tecad_logfile.fmt
cat csids.fmt >>tecad_logfile.fmt
cat rmnav.fmt >>tecad_logfile.fmt
cat pix.fmt >>tecad_logfile.fmt
Solaris �� ��
cat tecad_logfile.fmt.bak >tecad_logfile.fmt
cat webids.fmt >>tecad_logfile.fmt
cat csids.fmt >>tecad_logfile.fmt
cat rmnav.fmt >>tecad_logfile.fmt
cat pix.fmt >>tecad_logfile.fmt
6. .cds �� �������. gencds ����� �� ��� �� ����.
Windows ���
..\TME\TEC\adapters\bin\nt_gencds tecad_nt.fmt tecad_nt.cds
UNIX ���
../opt/Tivoli/lcf/dat/1/cache/Solaris2/TME/TEC/adapters/bin/
7. Windows ��� ��� ����� �� ���� TME ��� ���� �� �
����.
Windows ���
%LCFROOT%\..\tec\adapters\bin\net stop TECNTadapter
%LCFROOT%\..\tec\adapters\bin\net start TECNTadapter
UNIX ���
../bin/init.tecad_logfile stop
../bin/init.tecad_logfile start
ACF� ��� Risk Manager ��� �� � ��ACF� ���� Tivoli ��� ������ ��, �, .cds, �� �� ��� ����
��.
Risk Manager �� �� �� �� ������ ���� � ��� ����� ��
��� �� �� ��� ACF� �����. TMR � ����� ������ �
�� �� ���� ACF� ��� � �����. ��, TMR � � �� ACF� ��
���. Tivoli Enterprise Console ��� ��� ACF �����. ��� ��
� Risk Manager ���� ��� � ACF� ���� �� �����.
1. �� ��� �� ��, �� Risk Manager CD�� � ���� ����� ���
���.
2. ��� �� �� �� ��� �� ���� Tivoli ���� ������ ������.
3. ���� TME ����� TEC Region ��� � � �����.
4. Profiles for Enterprise Risk Management ���� ��� � � ��� ���� �
�� � �����.
5. ���� ��� ���� � � �����. ��� �� � ��� �� �� �
�� �� ��� �� � ���� ��� ������.
6. ��� ���� �����.
7. �� �� �� ����.
8. �� ��� �� �� ��� �����.
9. �� �� ���� �� ��� ���� �� �� �� �����.
ACF� �� ��� ��� � ��ACF� ���� �� Risk Manager �� �� ��� �����.
¶ Risk Manager Host IDS� ��
¶ Risk Manager Norton AntiVirus� ��
¶ Risk Manager Cisco Secure PIX Firewall� ��
¶ Risk Manager Check Point FireWall-1� ��
¶ Risk Manager Internet Security Systems RealSecure(ISS RealSecure)� ��
¶ Risk Manager Cisco ���� ��
¶ Risk Manager Cisco Secure IDS� ��
¶ Risk Manager McAfee Alert Manager� ��
¶ Risk Manager Web IDS ��
¶ Risk Manager Network IDS ��
ACF ��� ��� ��� ��������� Risk Manager ��� ��� ��, ���� Risk Manager ACF ��
�� ���� �� � ��� � ����. �� ��� ACF ����� �� ���
��� TME ��� ��� �� ���.
�� Risk Manager ���� ���� � � �� ���� Risk Manager ��
� �� � ����.
¶ Web IDS� ��
� Risk Manager ���� ���� Web IDS � ��(sig.nefarious � webids.cfg) ������.
¶ Event Integration Facility Web IDS� ��
� Risk Manager ���� ���� Web IDS �� ��(webids.fmt)� Risk Manager Event Integration Facility� ������.
¶ Check Point FireWall-1� ��
� Risk Manager ���� ���� ��� � ��(rma_cpfw.conf) �����
�.
¶ Risk Manager Event Integration Facility� � ��
� Risk Manager ���� ���� Risk Manager Event Integration Facility � ��(rmad.conf) ������.
¶ Risk Manager Event Integration Facility� �� ��
� Risk Manager ���� ���� Risk Manager Event Integration Facility �� ��(rmad.fmt) ������.
¶ Host IDS� ��� ��
� Risk Manager ���� ���� rmt_ntaudit.exe �� �� Windows NT ������� ������.
�: �� ���� �� � ���� Windows NT ������ ��� ����. �� ��, Program Files���.
¶ Network IDS� ��
� Risk Manager ���� ���� ���� �� �� ��� � ��(ids.cfg �
ids.rules) ������.
�� ������ TME �� � �� � �����.
¶ Web IDS� �� ��
¶ Host IDS� �� ��
¶ Cisco Secure PIX Firewall� �� �� ��
¶ Cisco Secure IDS� �� �� ��
¶ Symantec Norton AntiVirus� ��� �� ��
¶ Cisco ���� SNMP ��
¶ ISS RealSecure� SNMP ��
¶ Network IDS� �� ��
��� ��Risk Manager ��� �� � ���. ��� �� � ��� ��� ��� ���
��� �� ���. Risk Manager� ��� �� � ��� �� ���� � �
�� �� �� �� �����. �� � �� �� ��� �� ��� ���� ��
�� �����.
��� Risk Manager �� ��� �� ����� ������. �� ��� �� ���
��� Tivoli Enterprise Console ��� ��� �����.
� � � ��� �� Risk Manager ��� �� ��� �����.
��� ���� �� �� � ��� �
RM_Reception RM_SensorEvent �� Risk Manager ���. RM_SensorEvent�� ���� �� �� ���� �����.
RM_Situations RM_Situation �� �� ����� ��� ��� �. ��
� RM_Situation1, RM_Situation2 �
RM_Situation3� �� ���� �����.
RM_TrustedHosts RM_TrustedHost ��� RM_TrustedHost� �� ���� ���
��.
RM_Exceptions RM_Error �� �� �� �� ��� �����.
¶ RM_InputErr
¶ RM_SituationErr
¶ RM_PrologErr
RM_Sensors RM_Sensor �� ���
�� � � � � ��� �� ����� ��� ��� �� ��� ��� ��
� � ����. ��� ���� �� �� �����.
��� �� �� � �� � � �� �� ��� TEC� Risk Manager ��� �� � �� ��
� �����.
1. Tivoli Enterprise Console �����.
2. �� ��� �� �� �� �� �� ��� �� �����.
3. ���� �� �� ��� TEC � � �� riskmgr_eventgroups.dat �� �
� ����.
Windows ���
%BINDIR%\RISKMGR\corr
UNIX ���
$BINDIR/RISKMGR/corr
��� BINDIR� ��� � ���� �� �� ����.
4. ��� �� �� � ��� � �����.
RM ���
RM ��
RM ��
RM TrustedRM ��
5. � ��� �� ��� �� ��� �� �����. ��� �� ���� �� �
�� ��� ��� �� � �� ��� � � ����.
6. �� ���� �� ��� �� �� �����.
7. ��� ��� ��� �� � ��� ������.
� �� ��� � Risk Manager ��Risk Manager 3.8� Risk Manager �� ���� �� � � ��� �����. Risk Manager ��� �� ��� ��� Risk Manager ���� �� �� ��� � � ��
��. ��� TEC�� �� �����.
� �� ��� � ������ �� ��� ���� ���� �� � � ��� ��� �� ����� ��� ��� ���
� �����. Tivoli Decision Support for Enterprise Risk Management Release Notes� �� ��� ���� �� �� �� ��, �� � ��� �� ��� ��
�� ���� ��� ���.
�: ����� �, ��� ID � �� ��� ��� � ��� �����. �� ���
��� ��� ����� ������.
1. Risk Manager � �� $BINDIR/RISKMGR/corr/sql �� �� �� SQL �� ��
�����.
2. �� ������ � �� ���� � ������. TEC ������ �
����� � ������.
Oracle ���
sqlplus userid/password@service_name @tds_rm_tec_v_evt.ora.sql
userid ����� ��� ID� �� ��. ���� tec���.
password����� ��� �� �� ��. ���� tectec���.
service_nameOracle ����� � ����(″Net8 Assistant″, ″Net8 Configuration Assistant″�� ″Net8 Easy Configuration″)� �� Oracle ������ �� ��� �
�� ������ %ORACLE_HOME%\NETWORK\ADMIN\TNSNAMES.ORA ���� �
�� ���� � ���� � �� ��.
DB2 ���
db2 connect to tec user userid using password
db2 -t -f tds_rm_tec_v_evt.DB2.sql
userid ����� ��� ID� �� ��. UNIX®� �� ���� db2inst1���.Windows NT®� �� ���� db2admin���.
password����� ��� �� �� ��.
Sybase ���
isql -U userid -P password -Dtec -Sservername -c/ -i tds_rm_v_evt.syb.sql
userid ����� ��� ID� �� ��. ���� tec���.
password����� ��� �� �� ��. ���� tectec���.
server DSEDIT ����� � ����� � �� Sybase ������ �� � �
�� ������� Sybase ���� ��� %SYBASE%\INI\SQL.INI�� � �
� ���� � ���� � �� ��.
� �� ��� ���� �� TEC �� ��Risk Manager � � ��� ���� TEC �� � � ���. �� ����
��.
1. TEC � ���, � �����.
2. ���� ��� � ��� � �� �� �����.
3. ��� �� �� ��� ��� ��� ��� �����.
4. ��� ��� �����.
5. ���� �� ��� /cgi-bin/rmtec_help.pl� ������.
6. �� �����.
�:
DB2®� �� �� �� � ��� ����� ���� ���� �� � ���
� ��� SQL� ������ � ���. � � �� �� � �� ��� �
���� ���� � SQL0101N ���� �� ��� �� ������� ��
��� �� � ����. � ��� ����, �� � ��� 8000 ���� ���
���.
� ��� ����� IBM DB2 � ����� � , �� ������.
> db2 update db cfg for tec using stmtheap 8000
�� � ��� ��� , ���� ����� IBM DB2 � �� �� ������
� �� �����. ���� �� , SQL0437W � ��� ��� ��� ��
���� ��� ��� � ������ �� ��� �� � ����. � �
�� � �����, �� ��� � ����.
IBM DB2 �, �� � �� �� ��� ��� IBM® DB2 UDB �� ��, ��
1 - 3 IBM DB2 UDB � ��� �����.
Risk Manager ���� ��Tivoli wuninst � ���� �� ���� Risk Manager ��� � Perl �� �
��� ������. ��� ����� native � ������.
�� ���� ��Risk Manager ��� � � Perl �� ���� �� ��� ����. Tivoli wuninst� ���� �� ������.
�� ������.
wuninst tag node_name -rmfiles
��� tag� RISKMGR_CORR �� RISKMGR_PERL�� node_name� �� ����� �� �
����.
Native ���� ��� ��� ����Risk Manager ��� ������ 9� ���� �����.
9. Risk Manager ��� ����� �� native �

Platform        Command
AIX             installp -u package_name
Linux           rpm -e package_name
Solaris         pkgrm package_name
Windows ���     install -u package_name
Risk Manager �� �� �
� � ��� � ��(�: ��� �� ���) �� �� ����� ������. ��
� � ��� ��� ���� ��� �����(����� ��). ��� ���� ��� �
�� ��� � �� � �� ��� �� ��.
�� ��� ���� ��� �� ��� �� ����. Risk Manager �� �
� �� ����� ��� � ����. � ��� Risk Manager� �
� ��� �� ���� � ��� � �� ���� � ���. ���� ���
��� ���� � �� ��� �� � �� ���� ����� �� ���.
Risk Manager �� �� ����� ���� �� Risk Manager ���� ���� �
�����. � ��� �� �� ��� � �� ��� ����� ���. ���
TEC ��� ��(TEC)� TEC ���� ����.
�� �� ����� �� ������ �� �� ��� ��� �� ��� � ���
� ���� �� �� � ��� ���� ����.
�� �� �� � �� �� �� ��� � �� ��� ��� 213 ��� �Risk Manager �� �� ���� �� ����.
��� ��� �� �� ��� � �� ��� ����� ���. ��� ��� ��
�� �� �����.
¶ ��� ��
¶ �� �� �� �� ���(��� �� ��)
¶ �� �� �� �� ���(���� ���)
Risk Manager � �� ��� �� ��� � �� ��(�: ��� �� � ��, ��)� �����. Risk Manager � �� ��� �� ����� ��� ��� ���� �
���. ���� ���� riskmgr_thresholds.pro � ��� �� ��� ��
�� �� ��� Risk Manager � �� ��� �� ��� � ������.
RM_Situation ���� �� ���� �� ������. �� ���� �� � �� ��
����� ����. �� �� � �� �� ����� � �� �� ���� ��� �
����. �� ��� � ��� ��� ���� ��� �������.
5
53Risk Manager ��� ���
5.R
iskM
anag
er�
��
��
RM_Situation1 ��� �� � �� �� �����.
RM_Situation2 ��� � �� �� �����.
RM_Situation3 ��� � �� �� �����.
Risk Manager � �� ��� �� �� �� �����.
10. Risk Manager � �� ��� � �� ��
�� �� 1 2 3 ��
1 �� ��� �� � �� ����� �� ��� �
��� ���� ���� �� �� �
�� ��.
2-1 ���/ �� ��� �� �� �� � ����� �� ���� ���� �
� ���� � � �� ��.
2-2 ��/ ��� �� ��� �� �� �� ��� �� �� ��� � �
��� ���� �� �� � ��
� �� ��.
2-3 ��/ �� �� �� ��� �� � ���� � �� ��� ��
���� ���� �� � �� �
�� ��.
3-1 �� �� �� �� ��� �� � ���� �� ���� � �
�� ��.
3-2 ��� ��� �� �� �� �� � ��� ���� ���� �� �
� ��� ���� � � �� �
�. � ����� � � �� ���
� � � �� ��� ���� � �
����.
3-3 �� �� ��� �� �� �� �� �� �� ���� �� �� �
��(� ��� ��) � � �
�� ��. � ����� �����
��� � �� �� ���� �� �
�� � ����.
���� ��� ��� �� ���� ��� ��� �����. �, �� 2� �� �� �
� 1 ���� ���� ��� ��, �� 3� �� �� �� 2 ���� ���� ���
� ���. �� ��� �� ��� �� ���� �� ��� ���� �� ��� ��
�� � �� ����. �� ��� ��� �� ��� �� ���� ��� ��
�� �� ����.
� ���� �� ��� ��� ���� ����. � ���� 256���� ��� ���
� ����. � ��� � �� ��� ���, � ��� ����.
���� �� ���� �����. ��� �� � ��� ����. �� �� ��
�, �� �� � ��, � ���� �� ��� �� �� ���� �����. ��
�� ��� �� Risk Manager� �� ���� ����.
Risk Manager �� � ������ �� Risk Manager �� �� � Tivoli ��� � ���� ����� Tivoli Risk Manager �� 3.8 ���� ������.
¶ Risk Manager .baroc ��
¶ Risk Manager .pro ��
¶ Risk Manager .rls ��
¶ Risk Manager .fmt ��
¶ Risk Manager .cds � .oid ��
¶ Risk Manager � ��
Tivoli ���� �� ��� Tivoli Risk Manager 3.8 � ���� Risk Manager TEC�� �� � Risk Manager �� � ���� ���� Tivoli ��� �� ����
��.
Risk Manager �� �� �� �� Risk Manager �� ��� �����.
Risk Manager �� � ����� � � �� �� ��� �� �� �� ���� ��� ��� � � �
��� ��, �� ��, ���� �����.
1. ��� ��, �� �� � �� � ������. ��� �� � �� ��
���.
2. TEC �� �� rmcorr_cfg � ���� �� ���� Risk Manager ��� �
����, Tasks for Enterprise Risk Management ��� ������ ��� � ��
� Profiles for Enterprise Risk Management� �����. ��� 59 ��� �Risk Manager � �� �� ���� ��� �����.
3. Risk Manager �� ��� �� ���� ������. �� ��� �� ��� ���
Tivoli Enterprise Console ��� ��� �����.
4. Risk Manager � TME(Tivoli Management Enterprise) �� �� ��� �����
�. ��� 44 ��� �Risk Manager � TME �� �� �� ��� �����.
�� �� ���� ��� � �� ���� � � �� � ����.
� ��� �� ��� ����.
Windows ���
%BINDIR%\RISKMGR\corr\tec
UNIX ���
$BINDIR/RISKMGR/corr/tec
��� BINDIR� ��� � ���� �� �� ����.
57 ��� �Risk Manager � �� �� ��� � ��� � ��� � �� ���
� � ���� ���� �� �����.
� �� ���� ��, rmcorr_cfg ����� ���� �����.
Risk Manager �� ����Risk Manager � ���� ��� rmcorr_cfg� Tivoli ��� � � Risk Manager ��
�� ��, �� �� � ���� ����.
rmcorr_cfg � � ����� �� �� �����.
-delete �� �� � �� �� �� ���� �� TEC ��� � ��
Risk Manager ���� �����. �� TEC ��� �� �����.
-dir ��� ���� �� �� �����.
-exist Risk Manager �� ��� �� ��� �����.
-install ��� ����.
-new Risk Manager �� ��� � ��� �����.
-reconfig � �� ��� ���� ��� � � �� ����. � �� ��
�� riskmgr_� ��� .pro � �� �� ��� �� ���.
-status Risk Manager ��� ��� ����.
-tasklib Risk Manager ��� ������ ���� �� � ����.
-uninstall �� TEC ��� � �� Risk Manager ���� ����� ��
��� ���� ����.
-update �� ��� �����. BAROC �� � �� ��� �����
�.
��� � �� ��� �� ��� 58 ��� � �� �� �����.
setup_env � ����� ���� Tivoli BINDIR �� �� �����.
��� ��Risk Manager� �� �� ��� TEC �� � �� ���� �� ����. Risk Manager� � ��� ��� �� ������ �� ��� � �� �� �����. Risk Manager� � � ��� ��� ���� ��� ����.
�� ��(boot.rls)� ���� �� �����. ��� TEC �� ��� �����.
TEC �� ��� ��� ���� ��� Risk Manager� � ��� ��� ���
�. Risk Manager TEC �� ��� ���� ��� � ��� � �� �� ��� ��
�� �� � �� � ����.
�� ���� ����. �� �� ���� �� ���� TEC �� ��� ���
��.
� �� �� ��
riskmgr_hosts.pro ��� ��� � �� ��� �����. � ��� �� ��
� � �� � ����.
¶ ��� ��
¶ Trusted host ��
¶ �� ���(�� ��� ��� � �� ��)
riskmgr_parameters.pro � �� ��� �� � �� ���� �����.
riskmgr_thresholds.pro �� ��� � �� ��� �����.
76 ��� ��� ��� �� �����.
riskmgr_links.pro �� RM_SensorEvent ����� ��� �����.
riskmgr_categories.pro Risk Manager ��� �����. Risk Manager � �� ���
� �� RM_SensorEvent� ��� �����.
� � �� � �� ��� ����.
¶ �� ���� � � (' ')� �� ���.
¶ ���� � � � ���� ����.
¶ �� ��(.)� � ���� �� ����.
¶ �� � �� �� �� ���.
¶ � ���� ��� �� �� ����.
fact_name (arg1,arg2,...,argN).
�� �� ��� , rmcorr_cfg � � ���� �� �� ���. Risk Manager� �� ���� �� ������.
rmcorr_cfg -reconfig
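The syntax rules above apply to every fact in the riskmgr_*.pro files, and rmcorr_cfg -reconfig only picks the file up once it is well formed. The script below is an added illustration, not part of this guide and not IBM's code: it parses facts of the documented shape (quoted atoms, integers, decimals including the bare "5." form the guide allows, nested lists, a terminating period) and reports the line number of any fact that breaks a rule, so a file can be checked before reconfiguring. The sample file content is constructed; the parser assumes one fact per line and /* ... */ comments, as in the guide's own examples.

```python
"""Illustrative parser/validator for Risk Manager .pro fact files (not IBM's code)."""
import re
from typing import Any, List, Tuple

# Constructed sample in the style of riskmgr_hosts.pro / riskmgr_links.pro; the fact
# names are the ones the guide documents, the addresses and hostnames are made up.
SAMPLE_PRO = """\
/* Multihomed host: */
set_host('1.1.111.11','my.machine1.com').
set_host('10.10.10.11','my.machine1.com').
set_trusted_host('1.2.111.23','machine_name.company.com').
set_sensor('webids','1.2.133.23','sensor.company.com').
attribute_map('severity','WARNING','rm_Level',1,'rm_SensorType','csids').
set_linked_events('WW_SuspiciousCgi','WW_Success',['rm_SensorToken','webids_requid'],25.0).
"""

# One token at a time, skipping leading blanks: a quoted atom, a number (the guide
# allows the bare "5." form, which is read as 5.0), or a bracket/parenthesis/comma.
_TOKEN = re.compile(r"""\s*(?:
      (?P<str>'(?:[^'\\]|\\.)*')
    | (?P<num>-?\d+(?:\.\d*)?)
    | (?P<sym>[\[\](),])
)""", re.VERBOSE)

Fact = Tuple[str, List[Any]]


def _next(text: str, pos: int) -> "re.Match[str]":
    m = _TOKEN.match(text, pos)
    if m is None:
        raise ValueError(f"unexpected text at column {pos + 1}: {text[pos:pos + 15]!r}")
    return m


def _parse_args(text: str, pos: int, closer: str) -> Tuple[List[Any], int]:
    """Parse comma-separated arguments up to `closer` (')' or ']'); lists may nest."""
    args: List[Any] = []
    m = _next(text, pos)
    if m.group("sym") == closer:          # empty argument list
        return args, m.end()
    while True:
        if m.group("str") is not None:
            args.append(m.group("str")[1:-1])
            pos = m.end()
        elif m.group("num") is not None:
            tok = m.group("num")
            args.append(float(tok) if "." in tok else int(tok))
            pos = m.end()
        elif m.group("sym") == "[":
            inner, pos = _parse_args(text, m.end(), "]")
            args.append(inner)
        else:
            raise ValueError(f"unexpected {m.group('sym')!r} at column {m.end()}")
        sep = _next(text, pos)
        if sep.group("sym") == closer:
            return args, sep.end()
        if sep.group("sym") != ",":
            raise ValueError(f"expected ',' or {closer!r} at column {sep.end()}")
        m = _next(text, sep.end())


def parse_fact(line: str) -> Fact:
    """Parse one fact such as set_host('1.2.111.23','machine.company.com'). into (name, args)."""
    head = re.match(r"\s*([a-z]\w*)\s*\(", line)
    if head is None:
        raise ValueError("a fact starts with a lowercase name followed by '('")
    args, pos = _parse_args(line, head.end(), ")")
    if line[pos:].strip() != ".":
        raise ValueError("a fact must end with a period")
    return head.group(1), args


def _strip_comments(text: str) -> str:
    # Replace /* ... */ comments with newlines so reported line numbers stay meaningful.
    return re.sub(r"/\*.*?\*/", lambda m: "\n" * m.group(0).count("\n"), text, flags=re.DOTALL)


def parse_pro(text: str) -> List[Fact]:
    """Parse every fact in a .pro file body (one fact per line); comments and blank lines are skipped."""
    return [parse_fact(ln) for ln in _strip_comments(text).splitlines() if ln.strip()]


def validate_pro(text: str) -> List[Tuple[int, str]]:
    """Return (line number, problem) pairs, for checking a file before rmcorr_cfg -reconfig."""
    problems = []
    for n, ln in enumerate(_strip_comments(text).splitlines(), 1):
        if not ln.strip():
            continue
        try:
            parse_fact(ln)
        except ValueError as exc:
            problems.append((n, str(exc)))
    return problems


if __name__ == "__main__":
    for name, args in parse_pro(SAMPLE_PRO):
        print(name, args)
    print(validate_pro("set_host('1.2.3.4','h')\nset_host(1.2.3.4,'h').\n"))
```

A missing period and an unquoted IP address are the two mistakes the guide warns about most often, and both are reported with a line number rather than silently accepted.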
Risk Manager �� �� � ��Tivoli ���� Risk Manager � �� ��� �� ���(� ��� �)� �����.���� �� ����.
¶ 58 ��� � �� ��
¶ 59 ��� �Risk Manager ��� �� ��
¶ 59 ��� ���� � �� Risk Manager ��� ���
¶ 59 ��� �Risk Manager � �� �� ���� ���
¶ 60 ��� ��� ��� �����
¶ 60 ��� ����� ��� ���
¶ 61 ��� �Trusted Host ���
¶ 61 ��� ��� ��� ���
¶ 62 ��� ��� ��� ��� �� ����
¶ 62 ��� ��� ��� ��� �� ���
¶ 64 ��� ����� �� � ��
¶ 64 ��� ��� �� �� �� ��
¶ 65 ��� �� �� ��� �� �� ��
¶ 65 ��� ��� �� ���� �� �� ��
¶ 66 ��� ���� ���� �� ��� ��
¶ 66 ��� ����� ��� �� ��� ��
¶ 67 ��� ���� ��
¶ 67 ��� ��� ��� ���
¶ 68 ��� ��� ��� ���
¶ 68 ��� ��� ��� ��� �� ��
¶ 68 ��� ��� ��� � � �� ��� ���
¶ 69 ��� ���(Storm) ��� ��� ���
¶ 70 ��� ���� ���
¶ 71 ��� ��� ��� ���
¶ 72 ��� �� �� � ���
¶ 73 ��� ����� �� ���
¶ 75 ��� ���� �� ��� ���
¶ 75 ��� ��� ��� ���� � �� �� ���� �� ��
¶ 76 ��� ��� ��� ��
� ��� �� ���� Risk Manager ��� �� rmcorr_cfg� ���� ��� � �� ��
� � �� �� ���� ���. Risk Manager ���� � ��� � �� ��
���� �� �� ����.
¶ �� �� � � ��
¶ � �� �
¶ �� �� ��
¶ Risk Manager ��� �� �
¶ ��� � �� Risk Manager ��� ��
��� � � ��� ��� �����, �� � ������.
rmcorr_cfg -status
�� � ��� �� � ��Risk Manager �� �� ���� �� ��� ��� ����� �� �����
�.
rmcorr_cfg -install -dir directory -exist existing_rulebase
directory� �� �� � �� �� �����.
existing_rulebase�� �� � �����.
� � ��� �Risk Manager �� �� ���� ���� � ��� ���� �� ������.
rmcorr_cfg -install -dir directory -new new_rulebase
directory� �� �� � �� �� �����.
new_rulebase�� � �� � �����.
� � ��� ��Risk Manager BAROC � ��� ���� �� ��� ����� rmcorr_cfg �
��� ������.
rmcorr_cfg -update
Risk Manager ���� �� ��Risk Manager ��� ��� ����, rmcorr_cfg ���� ������.
rmcorr_cfg -status
��� ���� Risk Manager ���� ���� TEC ��� � ��� Risk Manager ���� �����, rmcorr_cfg ����
������.
rmcorr_cfg -uninstall
��,
�� TEC ��� � ��� Risk Manager ���� ���� �� ��� ���
��, rmcorr_cfg ���� ������.
rmcorr_cfg -delete
Risk Manager �� �� �� ���� ��
�: Risk Manager� ���� ��� ��� ����. Risk Manager �� �� �
�� ���� ����� rmcorr_cfg ���� ������.TEC �� ��� ��� Risk Manager �� �� ���� �� ��� �����
Risk Manager �� �� ���� ���� � ��� �� � ����.
� ��� ��� ��, rmcorr_cfg -exist �� ���� ��� �� ���
��� � ����. � �� Risk Manager� Risk Manager �� ��� ��� �� �
� ��� ��� � ��� ����.
� �� �� �� ��� � 56 ��� �Risk Manager � ������ ���
��.
��� � �� ��� , Risk Manager �� ��� �� ����� ������.�� ��� �� ��� ��� Tivoli Enterprise Console ��� ��� �����.
�� ��� ������� ��� � ���� ���� ���� ���� TEC�� �����. Risk Manager� ��� ���� ���� � ���� �� ��� ���� �� �����. TEC�� �� ���� � � ����.
�� ���� ��� 53 ��� ���� �����.
���� ��� ��Risk Manager� �� �� ���� ��� � ��� ��� ���� ���� �����.��� ��� �� ���� ��� ������. �� ���� IP ��� �� ��� �
�� ��� �� �� IP ��� ��� � ����. riskmgr_hosts.pro ��� set_host�� ���� ����� �� ��� ��� ��� ��� ��(IP �� � ��� �)���� � ����.
set_host �� ���� Risk Manager� ��� ��� ��� ��� ��� ���� ��
���� ���� �� �� �� �� ��� ��� ��� ������.
���� ��� ��� ����� �� ������.
1. riskmgr_hosts.pro �� ���� � ���� ��� ��� � �� ������.
set_host('host_ipaddress','hostname').
host_ipaddress��� ��� IP ��� �����. �: '1.2.111.23'
hostname ��� ��� �� � �����. �: 'machine.company.com'
�� � � � ��� �� ��� � ��� ��( . )� �� ���.
2. ��� �� �� �� ��� � ���� �� ���� ������.
/* Multihomed: */
set_host ('1.1.111.11','my.machine1.com').
set_host ('10.10.10.11','my.machine1.com').
/* Aliases: */
set_host ('1.1.111.12','my.machine2.com').
set_host ('1.1.111.12','othermachine2com').
�� ��� �� ���� �� ��� ��� ����(GUI)� ��� � �� IP��� ��� �� ��� � �� IP �����.
3. ���� ��� ����� �� ������.
rmcorr_cfg -reconfig
Trusted Host ��Risk Manager� ��� �� trusted host� � ��� � ����. TEC �� ��
� riskmgr_hosts.pro � ��� trusted� �� �� ���� � ����
RM_TrustedHost ���� �����. TEC �� ��� ��� �� � ��� ��� �
���� ���� trusted��� ��� �� ������ ����.
trusted host� ����� �� ������.
1. �� �� ���� riskmgr_hosts.pro �� ���� � trusted host� � ��
������.
set_trusted_host('host_ipaddress','hostname').
host_ipaddress��� ��� IP ��� �����. �: '1.2.111.23'
hostname��� ��� �� � �����. �: 'machine_name.company.com'
�� � � � ��� �� ��� � ��� ��( . )� �� ���.
2. ���� ��� ����� �� ������.
rmcorr_cfg -reconfig
���� TEC RM_TrustedHosts ���� �����.
�� ���� ��Risk Manager� ��� �� ���� ��� � ����. ��� Risk Manager �� �
�� ���� ��� ���� ���������. Risk Manager� �� �� ��� �
��� ���� ��� ��� �� �� ����. ��� ��� ���� �� Tivoli Risk Manager ��� ��� �����.
��� ����� �� ������.
1. �� �� ���� riskmgr_hosts.pro �� ���� � ��� � �� ����
��.
set_sensor('sensor_type','host_ipaddress','hostname').
sensor_type�� �� �����. �: webids
host_ipaddress��� ��� IP ��� �����. �: '1.2.133.23'
hostname��� ��� �� � �����. �: 'machine_name.company.com'
�� � � � ��� �� ��� � ��� ��( . )� �� ���.set_sensor �� set_host ��� ��� ��� ����.
2. ���� ��� ����� �� ������.
rmcorr_cfg -reconfig
���� TEC ��� �� RM_Sensors ��� ��� �����.
�� ���� ��� �� ���Risk Manager� �� ��� ���� ���� �����. �� �� �� ���
FATAL, CRITICAL, MINOR, WARNING, HARMLESS, UNKNOWN(��� ���
� ����)���.
�� �� ����� riskmgr_hosts.pro ��� ��� �� ��� ��� �� TEC �
� ��� �� ���(RM_Sensor) ���� ���� ���� �� �� WARNING
���� �����. set_sensor � ���� � ��� ��� �����.
��� �� ��� ��� HARMLESS� ���� �� ������.
1. riskmgr_hosts.pro �� ���� �� �� ������.
set_downgrade_sensor_creation('sensor_type').
��� sensor_type� �� �� �����. ��� Risk Manager �� ��� ���
� ��� ���� ���������(�: 'webids').
�� � � � ��� �� ��� � ��� ��( . )� �� ���.
2. ���� ��� ����� �� ������.
rmcorr_cfg -reconfig
���� TEC RM_Sensor ��� ��� �����.
�� ���� ��� �� ��Risk Manager� ��� �� �� ��� �� ��� ��� �� ��� � ���
�. ���� �� �� ����� ��� ��� �� TEC �� ��� RM_Sensor ��
�� �����.
�� ��� ��� �� ����� �� ������.
1. riskmgr_hosts.pro �� ���� �� �� ��� �� ������.
set_ignore_sensor_creation('sensor_type').
��� sensor_type� �� �� �����.
�� � � � ��� �� ��� � ��� ��( . )� �� ���.
2. ���� ��� ����� �� ������.
rmcorr_cfg -reconfig
���� ��� ��� �� ������ ���� �� ���� �� ���� �� � �� ��� �� � ���
�.
�� ����� ����� �� ���� ��� � ���� �� �� �� ����.
TEC �� Risk Manager � �� riskmgr_parameters.pro �� ���� ���� �
�����.
�� ��� �� ����.
attribute_map(attrib_to_set,value_to_use,attrib_to_compare1,compare_value1,attrib_to_compare2,compare_value2).
�� �� ��� �� ����.
attribute_map('severity','HARMLESS','rm_SourceIPAddr','9.3.32.1','rm_SensorType','webids').
rm_SourceIPAddr� 9.3.32.1�� rm_SensorType� webids� � �� � HARMLESS� ����.
��� �� ����.
attribute_map('severity','CRITICAL','rm_SensorType','CPFW','rm_Level','5').
rm_SensorType� CPFW�� rm_Level� 5� � �� � CRITICAL� ����.
� ���� ���� ���� �� �� ID� ��� � ����. �� ��, �� ��
�� ���� ��� � �, �� ���� ��� �� ���� ���� ��� ��
���. � rm_Level � ���� � � �� � ����.
�� ������.
��� � � �� �����, riskmgr_parameters.pro �� ��� �� � �
�����. �� ��� ������.
¶ Cisco ���� ��
attribute_map('severity','WARNING','rm_Level',1,'rm_SensorType','csids').
attribute_map('severity','WARNING','rm_Level',2,'rm_SensorType','csids').
attribute_map('severity','MINOR','rm_Level',3,'rm_SensorType','csids').
attribute_map('severity','MINOR','rm_Level',4,'rm_SensorType','csids').
attribute_map('severity','CRITICAL','rm_Level',5,'rm_SensorType','csids').
¶ Internet Security Systems RealSecure(ISS RealSecure)� ��
attribute_map('severity','WARNING','rm_Priority','Low','rm_SensorType','realsecure').
attribute_map('rm_Level',1.0,'rm_Priority','Low','rm_SensorType','realsecure').
attribute_map('severity','MINOR','rm_Priority','Medium','rm_SensorType','realsecure').
attribute_map('rm_Level',3.0,'rm_Priority','Medium','rm_SensorType','realsecure').
attribute_map('severity','CRITICAL','rm_Priority','High','rm_SensorType','realsecure').
attribute_map('rm_Level',5.0,'rm_Priority','High','rm_SensorType','realsecure').
���� ��� ����� �� ������.
rmcorr_cfg -reconfig
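To make the effect of the attribute_map facts above concrete, here is an added Python model of how such rules rewrite an event. It is not IBM's rule code and not taken from the guide; it transcribes the guide's own examples as tuples and applies every matching rule to a constructed set of RM_SensorEvent-like records. Comparison is exact, so the quoted '5' in the CPFW example and the unquoted 5 in the csids examples are different values; the page does not say how strictly the product's rule base compares, so that strictness, and the choice to match against the incoming attributes rather than values set by earlier rules, are this example's assumptions.

```python
"""Illustrative model of how attribute_map(...) facts rewrite an event (not IBM's rule code)."""
from typing import Any, Dict, List, Tuple

# The guide's attribute_map examples, transcribed as
# (attribute to set, value to use, [(attribute to compare, value to compare), ...]).
# The guide compares rm_Level as an integer (1..5) for csids but as the quoted
# atom '5' for CPFW; the comparison below is exact, so the type matters.
ATTRIBUTE_MAPS: List[Tuple[str, Any, List[Tuple[str, Any]]]] = [
    ("severity", "HARMLESS", [("rm_SourceIPAddr", "9.3.32.1"), ("rm_SensorType", "webids")]),
    ("severity", "CRITICAL", [("rm_SensorType", "CPFW"), ("rm_Level", "5")]),
    ("severity", "WARNING",  [("rm_Level", 1), ("rm_SensorType", "csids")]),
    ("severity", "WARNING",  [("rm_Level", 2), ("rm_SensorType", "csids")]),
    ("severity", "MINOR",    [("rm_Level", 3), ("rm_SensorType", "csids")]),
    ("severity", "MINOR",    [("rm_Level", 4), ("rm_SensorType", "csids")]),
    ("severity", "CRITICAL", [("rm_Level", 5), ("rm_SensorType", "csids")]),
    ("severity", "WARNING",  [("rm_Priority", "Low"), ("rm_SensorType", "realsecure")]),
    ("rm_Level", 1.0,        [("rm_Priority", "Low"), ("rm_SensorType", "realsecure")]),
    ("severity", "MINOR",    [("rm_Priority", "Medium"), ("rm_SensorType", "realsecure")]),
    ("rm_Level", 3.0,        [("rm_Priority", "Medium"), ("rm_SensorType", "realsecure")]),
    ("severity", "CRITICAL", [("rm_Priority", "High"), ("rm_SensorType", "realsecure")]),
    ("rm_Level", 5.0,        [("rm_Priority", "High"), ("rm_SensorType", "realsecure")]),
]


def apply_attribute_maps(event: Dict[str, Any], rules=ATTRIBUTE_MAPS) -> Dict[str, Any]:
    """Return a copy of `event` with every matching rule applied, in file order.

    A rule matches only when each compared attribute is present in the incoming
    event and equal to the rule's value (exact comparison). Matching is done
    against the incoming attributes, so a rule cannot fire on a value that an
    earlier rule in the same pass has just set. Both choices are this example's
    assumptions, not a description of the product's rule engine.
    """
    result = dict(event)
    for attr_to_set, value, conditions in rules:
        if all(name in event and event[name] == expected for name, expected in conditions):
            result[attr_to_set] = value
    return result


# Constructed RM_SensorEvent-like records; the attribute names are the ones the guide uses.
SAMPLE_EVENTS = [
    {"rm_SensorType": "webids", "rm_SourceIPAddr": "9.3.32.1", "severity": "WARNING"},
    {"rm_SensorType": "CPFW", "rm_Level": "5", "severity": "WARNING"},
    {"rm_SensorType": "CPFW", "rm_Level": 5, "severity": "WARNING"},   # integer, not the atom '5'
    {"rm_SensorType": "csids", "rm_Level": 3, "severity": "WARNING"},
    {"rm_SensorType": "realsecure", "rm_Priority": "High", "severity": "WARNING"},
]


def severities(events=SAMPLE_EVENTS) -> List[str]:
    """Severity of each sample event after the maps have been applied."""
    return [apply_attribute_maps(e)["severity"] for e in events]


if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        print(apply_attribute_maps(e))
```

The third sample event shows the failure mode to check for when writing these facts: the CPFW rule is written with '5', so an event carrying the integer 5 keeps its original severity. The RealSecure rules also show one incoming attribute (rm_Priority) driving two outputs, a severity and a numeric rm_Level.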
���� ��� �� ���� � ��� �� �� �� �� � �� ���. ��� �� �� �
���� 11 ������.
11. Time periods expressed in seconds

Period               Seconds
1 minute             60
5 minutes            300
10 minutes           600
30 minutes           1800
1 hour               3600
2 hours              7200
12 hours             43200
1 day                86400
1 week               604800
1 month (4 weeks)    2419200
Risk Manager� ��� ���� ��� � � ��� � � ���� �� ���
� ����. ��� ��� ����� ���� �� ��� �� ���� � ���
riskmgr_parameters.pro ��� �� � ����.
� ���� �� ���� �� �� ����� ��� � � ��� ���� ��
� ���� �� ��� �� �� ���� ��� �� ����. �� �� ����
� ��� ���� � ���� ���� ��� � �� ����� ���� TEC �
� ��� RM_InputErr ��� �����. Risk Manager� ��� last_timestamp� �
����.
���� �� � ����� �� ������.
1. riskmgr_parameters.pro �� ���� �� �� ���� �� �����.
set_timestamp_jitter(seconds).
seconds �� ��� ��� ���� ���� � ��() �����.
�� �� 1��� �� 86400 � �����.
seconds �� ��� �� 0�� ���. ��� � ��� �� ���.
�� � ��� ��� 11 �����.
2. ���� ��� ����� �� ������.
rmcorr_cfg -reconfig
���� TEC RM_Exceptions ��� ��� �����.
�� ��� �� � ��Risk Manager� ��� ��� ��� �� �� ��� � ����.
�� ��� �� �� �� � ���� ���� �� �� ����� ���� TEC�� ��� ���� �� ���� �� �� �����. Risk Manager� � ��
�� ��� ��� CLOSED� ���� ��� UNKNOWN�� ����.
�� �� �� �� ����� �� ������.
1. riskmgr_parameters.pro �� ���� �� �� ���� �� �����.
set_situation_expiration(seconds).
seconds �� ��� ��� �� �� �����. �� �� 86400 ���.
seconds �� ��� �� 60�� ��� �� ���. ��� � ��� ��(.)� �
� ���.
�� � ��� ��� 64 ��� 11 �����.
2. ���� ��� ����� �� ������.
rmcorr_cfg -reconfig
��� �� ��� �� � ��Risk Manager� ��� � � � �� �� �� ��� � �� ��()
��� � ����. riskmgr_parameters.pro ��� � �()� �� � ����.
�� �� ����� �� ��� ���� ���� TEC �� ��� � ��
�� ��� ��� ����.
� �� �� �� �� ����� �� ������.
1. riskmgr_parameters.pro �� ���� �� �� ���� �� �����.
set_situation_cleanup_interval(seconds).
��� seconds �� � �� ��� ��� ����� �� � ��() ��
���. �� �� 3600 ���.
seconds �� ��� �� 60�� ��� �� ���. ��� � ��� ��(.)��� ���.
�� � ��� ��� 64 ��� 11 �����.
2. ���� ��� ����� �� ������.
rmcorr_cfg -reconfig
� �� ��� �� � ��Risk Manager� ��� �� �� ��� ��� ��� ��� � ��() ���
� ����. riskmgr_parameters.pro ��� � �� ��() ��� � ����.
�� �� ����� �� ��� ���� ���� �� ���� ���� ���
� �� ���� ��� ��� � ���� �� �����.
��� �� ��� �� �� ����� �� ������.
1. riskmgr_parameters.pro �� ���� �� �� ���� �� �����.
set_interface_refresh(seconds).
��� seconds �� � �� ��� ��� ����� �� � ��() ��
���. �� �� 60���.
seconds �� 10�� � ��� ���. ��� � ��� ��(.)� �� ���.
�� � ��� ��� 64 ��� 11 �����.
2. ���� ��� ����� �� ������.
rmcorr_cfg -reconfig
���� ���� �� ��� ��Risk Manager� ��� �� ���� �� ���� � �� ��� �� ���� �
� ����� �� � ����. ratio_down ��� �� 2 �� 3� �� �� 1 �� 2�� ��� ��� �����. � ��� ���� 0.90 �� 0.95 �� 1.0� ��
����.
riskmgr_parameters.pro ���� �� ����� �� � ����.
�� ���� ��� ���� ���� ����� �� ������.
1. riskmgr_parameters.pro �� ���� �� �� ���� �� �����.
set_ratio_down(0.95).
set_ratio_down �� 1.0�� �� �� �� 0.0 - 1.0 ��� ��� �����. �
�� ��� �� � ����(�: 1.). �� �� 0.95���.
��� � ��� ��(.)� �� ���.
2. ���� ��� ����� �� ������.
rmcorr_cfg -reconfig
���� ���� �� ��� ��Risk Manager� ��� �� ��� �� ���� � �� ���� �� ���� �
� ����� �� � ����. �� 1 �� 2� �� �� �� 2 �� 3(�� ��
2)�� �� � ��� ratio_up ��� �� 1 �� 2� ��� ��� �����. �
��� �� 0.25 �� 0.5 �� 1.0�� �� � ����.
riskmgr_parameters.pro ���� �� ����� �� � ����.
�� ���� ���� ��� ���� ����� �� ������.
1. riskmgr_parameters.pro �� ���� �� �� ���� �� �����.
set_ratio_up(n.nn).
��� n.nn� set_ratio_up� �� � �����. � ��� 1.0�� �� �� �
� 0.0 - 1.0 ��� �����. ��� ��� �� � ����(�: 1.). �� �� 0.25���.
��� � ��� ��(.)� �� ���.
2. ���� ��� ����� �� ������.
rmcorr_cfg -reconfig
��� ��Risk Manager� ��� �� ���� � � ���� ���� � � ��� ��
��� ���� �� �� ��� ��� � ����.
�� ��, ���� 600� ��� 50.0 ��� �� ���� ��, 600 � �� ��
�� ���� ��� �� ��� 25.0�� �����. � �� �� �� ��� ����
����.
riskmgr_parameters.pro ��� � �� ���() ��� � ����.
��� ���� �� ������.
1. riskmgr_parameters.pro �� ���� �� �� ���� ��� �����.
set_decay_value(seconds).
seconds �� �� ���� � � ���� ���� � � �� ��� ���
� �� ��� ��() �����. �� �� 7200 ���.
seconds �� ��� �� 0�� ���. ��� � ��� ��(.)� ��
���.
2. ���� ��� ����� �� ������.
rmcorr_cfg -reconfig
��� ��� ��drop_unsecure_event� ���� ��(� Tivoli) RM_SensorEvent ��� ��� ��
�� �� � ����.
Risk Manager� ��� riskmgr_parameters.pro ��� � ��� ��� � ����.
�� ��� �� ��� ����� �� ������.
1. riskmgr_parameters.pro �� ���� �� �� ���� ���� off�� on�� �� on�� off� �����.
drop_unsecure_events(off).
�� �� off���. ��� ��(� Tivoli) RM_SensorEvent ���� ��� �
� ���� �� �� �����.
��� � ��� ��(.)� �� ���.
2. ���� ��� ����� �� ������.
rmcorr_cfg -reconfig
�� ��� ��Risk Manager� ��� �� ���� �� TEC ��� � � ��� � ����.riskmgr_parameters.pro ��� �� �� ��� ��� ��� ��� � ����.
�� �� ���� ���� �� ������.
1. riskmgr_parameters.pro �� ���� �� �� ���� ���� off�� on�� �� on�� off� �����.
forward_situations(off).
�� �� off���. ��� �� ���� �� TEC ��� � � �����.
��� � ��� ��(.)� �� ���.
2. ���� ��� ����� �� ������.
rmcorr_cfg -reconfig
�� ��� ��� �� ��Risk Manager� ��� ���� TEC ��� � � ���� �� ��� ��� ��
��� � ����. riskmgr_parameters.pro ��� � �� ��() ��� � ���
�.
�� ��� ��� �� �� ����� �� ������.
1. riskmgr_parameters.pro �� ���� �� �� ���� �� �����.
set_forward_interval(300).
seconds �� �� ���� ���� �� ��� ��() �����. �� ��
300 ���.
seconds �� 10�� � ��� ���. ��� � ��� ��(.)� �� ���.
2. ���� ��� ����� �� ������.
rmcorr_cfg -reconfig
�� ��� ��� �� ��� ��Risk Manager� ��� �� �� ���� ���� TEC ��� � � ��� � ���
�.
�� ���� ���� TEC ��� � �� � ��� �����. � �� ����
� �� ���� � �� ��� .conf �� � ��� ���� ����. ���
�� 50�� � ��� ����.
riskmgr_parameters.pro ��� � ��� � � ��� � ����.
��� �� ��� �� �� ����� �� ������.
1. riskmgr_parameters.pro �� ���� �� �� ���� �� �����.
set_forward_tec(config_file, sensor_type, tec_ipaddr,tec_hostname).
config_file�� �� ���� ���� �� TEC ��� � � ����� ���� � �
� �
sensor_type�� �� ��. �� TEC ��� � � �� TEC ��� � � �� ���
� ����. �� ���� ���� ���, �� TEC ��� � ��
ignore_sensor_creation ������.
tec_ipaddr�� TEC ��� � IP �� ��
tec_hostname�� TEC ��� � � ��� � ��
�: �� ���� �� ���. ��, � � � ��� ��� �� ��
�.
�:
set_forward_tec('tec_forward','riskmgr','10.10.40.23','my.tecserver.org').
��� � ��� ��(.)� �� ���.
2. ���� ��� ����� �� ������.
rmcorr_cfg -reconfig
��(Storm) ��� ��� ���� ���� ping �� �� �� �� �� � ��� ���� ���� �����. �
��� Risk Manager� ��� ����� �� ��� �����.
�� �� ��� ��� ��� ���� �� �� ���� � ���� �����. �
�� �� ��� � �� ��� ������. �� ��� ��� �� �� �����
��� ���� ���.
���� �� ���� ���� �� ��� �� �� ���� ��� � ����.
Risk Manager� ��� �� ���� �� ��� �� ��� � ����. �� ���
�� �� ���� �� �� ���� �� ��� �����. riskmgr_links.pro ��
� � �� ��� ��� � ����.
�� ��� ����� �� ������.
1. riskmgr_links.pro �� ���� �� �� ���� � ������.
set_storm_events(Classname, Attribute_List,Block_Threshold_List, Block_Threshold_Increment).
Classname��� � ��. �� � � � �� ����� ���.
Attribute_List��� ��� ���� ���� ���� � �� ��. � ��� � �
� �� � ���� �� ��� �� �� ���.
Block_Threshold_List�� �� ��� � ���� ��� ��. �� ����� �� ����
���. ��� ��� �� � ����(�: 5.). ��� 0�� �� ���
(�: 25� 25.0�� � ���).
Block_Threshold_Increment�� ��� ��� ��� �� ��� ��� ��� �� � ��. �� ��
� ���. ��� ��� �� � ����(�: 5.). ��� 0�� �� ��
�. (�: 25� 25.0�� � ���.)
��� � ��� ��(.)� �� ���.
2. ���� ��� ����� �� ������.
rmcorr_cfg -reconfig
�� ��� ��� RM_SensorEvent ���� ���� ����. �� �� �� ��� �
� �����.
set_storm_events('RS_TearDrop',['rm_DestinationToken'], [10,50,100,250],250).
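The following Python model is an added illustration of the storm thresholds that the set_storm_events fact above declares; it is not IBM's rule code and not from the guide. Its reading of the parameters is an assumption: events of the named class are counted per distinct combination of the listed attribute values, a storm notification is raised when that count reaches each value in Block_Threshold_List, and after the last listed value a further notification is raised every Block_Threshold_Increment events. The event records are constructed.

```python
"""Illustrative model of set_storm_events(...) thresholds (not IBM's rule code)."""
from collections import defaultdict
from typing import Any, Dict, List, Optional, Tuple

# The guide's fact set_storm_events('RS_TearDrop',['rm_DestinationToken'],[10,50,100,250],250).
# as a Python mapping: class name -> (Attribute_List, Block_Threshold_List, Block_Threshold_Increment).
STORM_RULES: Dict[str, Tuple[List[str], List[int], int]] = {
    "RS_TearDrop": (["rm_DestinationToken"], [10, 50, 100, 250], 250),
}


class StormTracker:
    """Counts events per (class, attribute values) and reports threshold crossings.

    Assumed semantics (this example's reading of the guide, not a product statement):
    a notification at each value of Block_Threshold_List, then one every
    Block_Threshold_Increment events once the last listed value has been passed.
    """

    def __init__(self, rules=STORM_RULES):
        self.rules = rules
        self.counts: Dict[Tuple[str, Tuple[Any, ...]], int] = defaultdict(int)

    def observe(self, event: Dict[str, Any]) -> Optional[int]:
        """Record the event; return the running count if it hit a block threshold, else None."""
        rule = self.rules.get(event.get("class"))
        if rule is None:
            return None
        attrs, thresholds, increment = rule
        key = (event["class"], tuple(event.get(a) for a in attrs))
        self.counts[key] += 1
        n = self.counts[key]
        if n in thresholds:
            return n
        last = thresholds[-1]
        if n > last and (n - last) % increment == 0:
            return n
        return None


def storm_points(n_events: int, dest: str = "10.0.0.5") -> List[int]:
    """Feed n_events constructed RS_TearDrop events aimed at one destination and
    return the counts at which the tracker raised a storm notification."""
    tracker = StormTracker()
    hits: List[int] = []
    for _ in range(n_events):
        hit = tracker.observe({"class": "RS_TearDrop", "rm_DestinationToken": dest,
                               "rm_SourceToken": "198.51.100.7"})
        if hit is not None:
            hits.append(hit)
    return hits


def two_destinations(per_dest: int) -> List[int]:
    """Interleave events for two destinations to show that counts are kept per key."""
    tracker = StormTracker()
    hits: List[int] = []
    for _ in range(per_dest):
        for dest in ("10.0.0.5", "10.0.0.6"):
            hit = tracker.observe({"class": "RS_TearDrop", "rm_DestinationToken": dest})
            if hit is not None:
                hits.append(hit)
    return hits


if __name__ == "__main__":
    print(storm_points(600))        # thresholds crossed for a single destination
    print(two_destinations(9))      # 18 events, but neither key reaches 10
```

With the guide's values, 600 events against one destination produce notifications at 10, 50, 100 and 250 and then again at 500 (250 plus one increment), while 18 events split evenly across two destinations produce none, because the attribute list makes the destination part of the counting key.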
��� ��Risk Manager� ��� ��� ��� �� �� �� ���� ��� ���� ��� �
����. �� ��, ���� WW_Success ���� ��� �� WW_SuspiciousCgi ���
� WW_SuspiciousCgi ����� ��� ���� ���.
���� �� ���� ���� �� ���� ���� � � ����. ���� �
� ���� ���� �� ���� ���� ����.
riskmgr_links.pro ��� � ���� ��� ��� � ����.
���� ������ �� ������.
1. riskmgr_links.pro �� ���� �� �� ���� � ������.
set_linked_events(Classname1, Classname2, Attribute_List, Severity_Value).
Classname1� ���� ��� � ��. �� � � � �� ���.
Classname2�� ���� ��� � ��. �� � � � �� ���.
Attribute_List���� ���� ���� ���� � �� �����. � �� � �
� �� �� �� �� �����.
Severity_Value ���� �� �� � �� ��� �� � �����. �� �� �
�� ���(�� �� ��). ��� ��� �� � ����(�: 5.). ���
0�� �� ���(�: 25� 25.0�� � ���).
��� � ��� ��(.)� �� ���.
2. ���� ��� ����� �� ������.
rmcorr_cfg -reconfig
�� �� follow-on ��� �� RM_SensorEvent ���� ���� �� ����
�.
set_linked_events('WW_SuspiciousCgi','WW_Success',['rm_SensorToken','webids_requid'],25.0).
set_linked_events('WW_InsecureCgi','WW_Success',['rm_SensorToken','webids_requid'],20.0).
� �� ���� � ���� �����. ��� ���� WW_SuspiciousCgi �
WW_InsecureCgi � ���� ���� WW_SuspiciousCgi �� ���� WW_InsecureCgi�� �����.
�� ��� ���� ���� ��� ���� �� ���� ������. ���� rm_Timestamp32�
� ��� ���� ��� ���� �� ��� ���� �� ��. rm_Timestamp32 �� ��� �� + �� - 2� �� ����.
�� ���� �� ��� �� ����� ���, �� ��� ��� ���� �� �
� ���� �����. �� ���� �� ��� �� ����� ��� ��� ���
���� ����.
���� �� ��� �� �� ���� ����, �� ���� ���� ����.
Risk Manager� ��� riskmgr_links.pro ���� �� ���� � � ����.
�� ���� ���� �� ������.
1. riskmgr_links.pro �� ���� �� �� ���� � ������.
set_duplicate_events(Classname1, Classname2, Attribute_List).
Classname1��� 1� ��� � ��. �� � � � �� ���.
Classname2��� 2� ��� � ��. �� � � � �� ���.
Attribute_List���� ���� ���� ���� � �� ��. � �� � � � �
� �� �� �� �����.
��� � ��� ��(.)� �� ���.
2. ���� ��� ����� �� ������.
rmcorr_cfg -reconfig
�� ��� RM_SensorEvent ���� ��� ���� ���� ��� � ��� �
� �����.
set_duplicate_events('NR_WWW_bat_File', 'RS_HTTP_IE_BAT',['rm_Timestamp32','rm_DestinationToken','rm_SourceToken','rm_Url']).
� �� �� ��� � ��� � ID ��� ���� � Risk Manager ��� ��� � ����. ��
��� �� ����� ��� �� � ���� ��� �� �� ������.
�� � ����� �� ������.
1. riskmgr_categories.pro �� ���� �� �� ��� � �� �� �� ��
������.
set_category_name(categ_nnnnn,'long_name','short_name').
categ_nnnnn��� �� ��� � ���� ���. � �� ��� �� �� ���
��� �����. �� ��, categ_00001� ��� 00001� � �� ���
�� �� ����. categ_� ��� ��� � � � � ��� �
���. �: set_category_name(categ_00001, 'Web Attack', 'WEB').
long_name��� ���� �� � ���� ���(�: 'Network Management'). ��
� �� �� ���� rm_Key1Str, rm_Key2Str, rm_key3Str �� ���
��.
short_name��� ���� ��� �� � ���� ���. �� ��, 'NETMAN'�
Network Management� �� ����.
�� � � � ��� � �� � ��� �� ��� � ��� ��(.)��� ���.
2. ���� ��� ����� �� ������.
rmcorr_cfg -reconfig
����� �� ��� �����.
12. Risk Manager� � �� ��
�� ��� �� �� ��
categ_00001 � �� WEB
categ_00002 ���� Mgmt � NETMAN
categ_00003 �� �� � EMAIL
categ_00004 ��� �� � USER
categ_00005 �� DOS TDOS
categ_00006 ��� � SERVCMP
categ_00007 ��� �� TROJ
categ_00008 � �� � CMD
categ_00100 ��� �� SERV
categ_00101 ��� �� DOS
categ_00200 ���� � VIRUS
categ_05000 ���� �� �� NETLVL
categ_05001 ��� �� �� HOSTLVL
categ_05002 �� �� RESOURCE
categ_10000 IDS �� IDSLVL
categ_10001 Misc �� MISCLVL
categ_10100 �� � SECAUTH
categ_10101 ��� �� SECACCESS
categ_10102 � Policy SECPOLICY
categ_10103 � Admin SECADMIN
categ_10110 � � CONFIG
categ_10111 � INSTALL
categ_10112 �� � STATECHG
categ_10113 ��� �� SYSERROR
���� �� ����� �� �� ���� RM_SensorEvent ���� ��� ��� � ����. �
� ���� �� � ���� �� ������. � � ��� � ID ��� ���
� � Risk Manager ��� ��� � ����. Risk Manager� ���� �� �� ��
� 72 ��� �� �� � ��� �����.
���� ��� ����� �� ������.
1. riskmgr_categories.pro �� ���� �� �� ��� � �� �� �� ��
������.
category_assign_super(categ_nnnnn, 'class_name').
categ_nnnnn��� �� ��� � ���� ���. � �� ��� �� �� ���
��� �����. �� ��, categ_00001� ��� 00001� � �� ���
�� �� ����. categ_� ��� ��� � � � � ��� �
���.
class_name���� � ���� ���. �� �� ���� ��� ���� ��� �
�� ������ �� �� ���� ��� �����.
�� � � � � �� ��� � ��� �� ��� � ��� ��(. )� �
� ���.
2. ���� ��� ����� �� ������.
rmcorr_cfg -reconfig
����� Risk Manager� �� ���� ��� �����.
category_assign_super(categ_00001, 'RM_WebServer').
category_assign_super(categ_00002, 'RM_SNMP').
category_assign_super(categ_00003, 'RM_Email').
category_assign_super(categ_00004, 'RM_User').
category_assign_super(categ_00005, 'RM_TDoS').
category_assign_super(categ_00006, 'RM_ServiceCompromise').
category_assign_super(categ_00007, 'RM_Trojan').
category_assign_super(categ_00008, 'RM_Command').
category_assign_super(categ_00100, 'RM_Service').
category_assign_super(categ_00100, 'RM_Scan').
category_assign_super(categ_00101, 'RM_Flood').
category_assign_super(categ_00200, 'RM_HostVirus').
category_assign_super(categ_05000, 'RM_IDSNetwork').
category_assign_super(categ_05001, 'RM_IDSHost').
category_assign_super(categ_05002, 'RM_HostResource').
category_assign_super(categ_10100, 'RM_SecAuth').
category_assign_super(categ_10101, 'RM_SecAccess').
category_assign_super(categ_10102, 'RM_SecPolicy').
category_assign_super(categ_10103, 'RM_SecAdmin').
category_assign_super(categ_10110, 'RM_Configuration').
category_assign_super(categ_10111, 'RM_Installation').
category_assign_super(categ_10112, 'RM_StateChange').
category_assign_super(categ_10113, 'RM_SysError').
/* Do NOT change the order of the following three facts.
 * These must be the last three assignments made.
 */
category_assign_super(categ_10000, 'RM_IDSEvent').
category_assign_super(categ_10001, 'RM_MiscEvent').
category_assign_super(categ_99999, 'RM_SensorEvent').
�: category_assign_super ��� ��� �����. ��� category_assign ���� �
��� ���� �� � Risk Manager ��� ���� category_assign_super ���
�� ��� ��� �����. � �� ���� category_assign_super ���
category_assign � ��� ��� �� ��� ���� � �����.
category_assign_super ��� �� ����� ������ ����� �� �����
��� ���. RM_IDSEvent, RM_MiscEvent � RM_SensorEvent ���� ���
��� � �� category_assign_super ���� ���.
�: ��� ��� �� �� ��� � �� � ����.
��� � �� ���� � ID ��� ��� �� � �� ��� �� �� ��� �� ����
��� �� ���� ��� � ����.
�� ��� ��� ����� �� ������.
1. riskmgr_categories.pro �� ���� �� �� ��� � ��� �� �� �
�����.
category_assign(categ_nnnnn,'class_list').
categ_nnnnn��� �� ��� � ���� ���. � �� ��� �� �� ���
��� �����. �� ��, categ_00001� ��� 00001� � �� ���
�� �� ����. categ_� ��� ��� � � � � ��� �
���.
class_list��� �� �� ���� ���� ��� ��. �� ���� ��� ��
� � ��� ����. �� ���� �� ���� � ���� ���� �
� ������. �� ��, �� ������.
category_assign(categ_00003, ['RS_Email_Expn','RS_Email_Decode','RS_Email_Debug','RS_Email_Wiz']).
�� � � � �� �� �� ��� ��� �� ��� � ��� ��(.)� �
� ���.
2. ���� ��� ����� �� ������.
rmcorr_cfg -reconfig
�� ��� ��� � �� �� ��� �� � RM_SensorEvent�� �� �� ���� �� ��� �� ����� � � ����.
�� �� ����� �� ����� ��� �� ������.
1. ����� ���� �� BAROC �� ������.
2. rm_Correlate ����, �� ��� ���� ���� ��� no� �����.
rm_Correlate : default=no;
���� ����� ���, ��� yes� �����.
rm_Correlate : default=yes;
3. BAROC �� ���� �� TEC �� ��� ����� �� ������.
rmcorr_cfg -update
� � �� ��� �� �� �� ����. ��� ��� �� ��� ����
�.
��� ��� ����� ���� ���� ��� ��� �� ���� ��� ��� � ����. TEC �
� ��� ��� � ���� ��� ���� �� �����. �� �� ��� �
� �� ���� �� ���.
�� ��� �� ��� �� �� �� �� �� �� ��� �� ��� �
��� � ����. ���� TEC �� ��� ��� ��� ��� ��� � ���
� �� ���� ����. ��� ���� � ��� �����.
rm_Level �� ��� �� �����. �: ��� ��� �� �� � � 20�� �
��� ���� ��� ���� rm_Level=1.0� �� �� � �� �� ��� �
�� ��,
set_threshold('situation1',_,5,20,100,200,_,_,_).
�� �� ����� WARNING �� ��� �� RM_Situation1 ���� �����.
Risk Manager �� ��� riskmgr_thresholds.pro � ��� ��� � �����
� � ���� riskmgr_thresholds.pro �� ���� �� ���� �� �
���� ������. �� ��� �� �� riskmgr_thresholds.pro ��� �� �
� �����.
�: ��� � ��� ��(.)� ���� ���.
set_threshold(situation,situation_type,thresh_closed,thresh_warning,thresh_minor,thresh_critical,arg1,arg2,arg3).
situation �� �. �� �� � ��� ���.
¶ 'situation1'
¶ 'situation2'
¶ 'situation3'
situation_type �� ��
¶ 'situation1'� �� ��(_)�� ���.
¶ 'situation2'� �� �� � ��� ���.
v ��(_)
v '��/���'
v '��/��'
v '���/��'
¶ 'situation3'� �� �� � ��� ���.
v ��(_)
v '��'
v '���'
v '��'
TEC �� ���� � � (' ')� �����.
thresh_closed CLOSED ���
thresh_warning WARNING ���. �� ��� � � ��, Risk Manager� ���
��� WARNING�� ���� ���� ���� ����.
thresh_minor MINOR ���. �� ��� � � ��, Risk Manager� ��� �
�� MINOR� ���� ���� ���� ����.
thresh_critical CRITICAL ���. �� ��� � � ��, Risk Manager� ���
��� CRITICAL� ���� ���� ���� ����.
arg1 13� � ��� �����.
13. ��� � ��
�� �� arg1 arg2 arg3
1 -- �� �� �� ��� �� ��
2--
�� �� �� ��� �� ��� �� �
�
��(_)�� �
‘��/���’ �� �� �� ��� ��(_)�� �
‘��/��’ �� �� �� �� ��(_)�� �
‘���/��’ �� ��� �� �� ��(_)�� �
3--
�� ��, ��� ��
��
��(_)�� � ��(_)�� �
‘��’ �� �� ��(_)�� � ��(_)�� �
‘���’ �� ��� ��(_)�� � ��(_)�� �
‘��’ �� �� ��(_)�� � ��(_)�� �
arg2 13� � ��� �����.
arg3 13� � ��� �����.
���� ��� ����� �� ������.
rmcorr_cfg -reconfig
14. �� �� � �� ��
�� �� ��� ��
��1 situation_type
��2 arg3
��2 arg2 � arg3
���� �� ���� ��(_) �� ���.
�� �� ����� ��� �� ��
1. ��� � �� ���� ��� �� 1 ���� ����� � ��� ����.
set_threshold('situation1',_,5,10,100,500,categ_00001,_,_).
2. ��� �� ���(‘1.1.111.11’)� ��� � ����� � �� 1 ���� ���
��.
set_threshold('situation1',_,0.5,5,10,15,_,'1.1.111.11',_).
3. ��� �� ���(‘1.1.111.11’)� ��� � ����� � �� 2 ���� ���
��.
set_threshold('situation2','Category/Destination',0.5,5,10,15,_,'1.1.111.11',_).
4. ��� �� ���(‘1.1.111.13’)�� �� �� 3 ���� � ���� �� �� ��
���.
set_threshold('situation3','Source',5,100,1000,10000,'1.1.111.13',_,_).
5. ��� �� �� 2 ���� �� � ������ �� �����.(��� ��)
set_threshold('situation2',_,0.1,1.0,5.0,10.0,_,_,_).
��� �� �� �TEC ���� � ��� �� � ���� �����. �� �� ���� ����
� � �� � �� ���� ����. ��� �� � �� �� �� �� �� �
��� ��� � ��� �����.
TEC �� Risk Manager � �� TEC ��� �� ��� ���� �� �����
�.
wlsesvrcfg
TEC ��� � ��� ��� �� 3000 �����. ��� � ��� ���� ��
������.
wsetesvrcfg -c 3000
�: ��� � ��� ���� ��� �� ��, TEC � � Risk Manager� � ��
�� ��� � ��� �� ��� � ����. Risk Manager� ��� ���� �
� ��� ��, TEC � � �� ��� ″ � � �: ��� ���″�� ���
TEC_Notice ���� �����. �� � ��� ����, ��� Risk Manager ��
���� �� �� ���.
¶ � � ��� ���� �� ��� � ����. �� ��� �� ���� �
���� �� ���� �� ���� � � ��� �����. �� ����
��� �� ����, �� � ���� ���� ����.
¶ ��� ���� ��� � ����. ��� �� �� ��� �� ���� �
� ���� � � ��� ��� �����. � ��� ��� �� ��� ���
� ��� ���� ��� � � ���� ���� �����. �� �� ��
�� ���� ����(�� ��� �).
Risk Manager �� �� ���� ��� Risk Manager � � ���� ���� �� � � ��� � �� ����
����� ��� ��� ���� � ����.
1. riskmgr_baroc.lst ��� �� ���� .baroc ��� ������. riskmgr_baroc.lst�� Risk Manager� � ���� ��� .baroc ��� ����. �� ��, �� Netranger ��� ISS RealSecure ��� ���� � ��, sensor_baroc.lst ���� �� �� ���.
netranger.baroc
realsecure.baroc
2. � �� ��� �� ��� �� ��� �� �� .baroc ��� �� ����
�.
�: riskmgr.baroc � sensor_abstract.baroc ��� .baroc �� ���� � ��
�� ���.
�� ��, Web IDS ���� �� ���� ��� ���� �� Network IDS� ��
�� �� ���� � ��, riskmgr_baroc.lst ��� �� ��� �� ����.
riskmgr.baroc
sensor_abstract.baroc
webids.baroc
nids.baroc
��� �� ��� � � �� ���� �� �� .baroc ��� ���.
3. riskmgr_categories.pro ���� ���� �� �� �� ����� ���� �
����.
Risk Manager Event Integration Facility
� ��� Risk Manager Event Integration Facility(EIF)� ���
Risk Manager Event Integration Facility ��� ��� 250 ��� �Risk Manager Event Integration Facility ���� �����. Risk Manager Observer ��� ��� 258 ��� �Risk Manager EIF Observer ���� �����.
Risk Manager Event Integration Facility ��� ��� Risk Manager EIF� �, � � ���� �� �����.
Risk Manager EIF� ���� Risk Manager Tivoli Enterprise Console(TEC) ��� �
� �� � �� � �� ��� �����. � ���� C ���� �� API(Application Programming Interface), Perl ������ ��� Perl ����, ��� �� ��� �
��� ����.
Risk Manager EIF�� �� �� ���� ��� ���� ����� � �� ��� �
�� ��� �� ��� ����. ��� ���� �� ��� ������ Risk Manager� � ���� ��� ��� �����.
Risk Manager EIF� ������ Risk Manager EIF� �� � � TME(Tivoli Management Enterprise) ���� TEC � � � ��. � TME ���� �� ��, Risk Manager EIF� � TME ���� TEC � � � ��.
�� Risk Manager �� � ��� ����� Risk Manager EIF� ���� ���� Risk Manager � � ���� ����.
¶ Web IDS
¶ Check Point FireWall-1� ��
¶ Cisco Secure IDS� ��
Risk Manager EIF� TEC SNMP ��, TEC Unix �� �� ��, TEC Windows �
�� �� ��, Windows 2000 � Windows NT� TEC Windows ��� �� ��
�� Tivoli� � TME TEC ��� ����, ��� TEC �������� ����
TEC ���� ������ � �� ���� ��� �� ����.
����, Risk Manager EIF �� ��� Risk Manager EIF ����� �� ����
���� ��� � TME TEC ������ ��� �� ����. �� �� �� ����
81Risk Manager ��� ���
6. Risk Manager Event Integration Facility
�(TME) �� ��(� TME) TEC �� � � TEC � � ��� � ����. �� ��� �� �� � TME TEC ��� ���� Risk Manager ��� ��� �
��� � ����.
¶ TEC �� �� � ��� �� ��� ���� Cisco PIX ���� ��
¶ TEC SNMP ��� ���� ISS RealSecure(Internet Security Systems RealSecure)� ��
��17� Risk Manager EIF� ��� ���� ���� ���� � ���� ���� �
� �����. �� ����� rmad_summary.rules ��� �� � � �����.
Risk Manager Event Integration Facility Tivoli Event Integration Facility ��
TEC EIF(Event Integration Facility)� ���� TEC� �� � �� ������ ���
� �� �� � ��������. Risk Manager EIF� Risk Manager � � ���� TEC� � ���� ��� �� � ��� �����.
���� TEC � � ��� �� �� API ���, Risk Manager EIF� Risk Manager������ �� ������� ��� � �� �� �� �� �����.
¶ �� ����� ����� TEC ��� �� �, TME �� � TME(�� � � �
�)� �� ���� ������ �����. Risk Manager EIF� TME �� � TME���� ��� ��� ��� �� ��� TEC ��� �� � ����. TME �
� TME ��� �� ��� ������ � ��� ��� ����.
�� 17. Risk Manager Event Integration Facility ��
¶ Risk Manager EIF API� ��(.fmt) � ��� �� ��(.cds) �� ���� TEC���� ��� � �� ����� �� ��� ��� �����. �� TEC ��
�� ���� ���� �� �����. ��� ��� ���� �� �����.
¶ Risk Manager EIF� ��� �� ��� �����.
¶ Risk Manager EIF� Perl �������� ��� �� �� �����.
Risk Manager Observer
Risk Manager Observer �� RMO�� �� Risk Manager EIF �� ��� ��� ���
��. RMO� ���� ���� �� TEC � ��� ��� ��� � ��� ���� �
����. RMO �� ��� 84 ��� �Risk Manager EIF �� �����.
The Event Integration Facility � ���
Risk Manager EIF� C ����� �� �� ���� �� API(Application Programming Interface) ������ ���� ����. Risk Manager EIF �� ������ ��� �
� ���� ��� � Risk Manager ��� �� ���� ��� ��� �����
�����.
Risk Manager �� ����, Risk Manager EIF� ���� ��� �� � �����
���� ����. ��� Risk Manager� ��� �� �, Risk Manager EIF ��
������ ������ ������.
��� API� �� ��� ��� Tivoli Risk Manager ��� ��� �����.
Perl ��
Risk Manager� Risk Manager EIF ������ �� Perl �� rmadpm.pm ����
�. Perl �� ����� Risk Manager Perl �� ���� � ���. Risk Manager EIF Perl �� �� ��� �� Perl ����� ��� � ����.
Risk Manager EIF Perl ��� Perl ��� CPAN(Comprehensive Perl Archive Network)�
�� ����. CPAN� �� ��� ��� �� � ���� �����.
http://www.cpan.org
��� ����� � ���� �� �����. Risk Manager EIF� ���� ��� ��
� �� ����.
rmad_summary.rules��� ���� �����. �� �� � ��� ���� �� ��� �
��. �� � ��� �� ��� 94 ��� �rmad_summary.rules ��� �
����.
�� ��
������� .fmt �� ����� Risk Manager EIF� �� � ����. TEC�� �� ������, Risk Manager EIF� .fmt �� � �� .cds �� ��
�� ����� �� ��� ��� ���� ��� TEC ���� ����.
CDS ��
Risk Manager EIF�� ���� �� ��� ���� �� .cds ��� � �
��. riskmgr_gencds � ���� � ������.
�� ��
Risk Manager EIF� �� � ��� rmad.conf ��� ����. � ����
��� ��� 88 ��� �Risk Manager EIF � �� ��� �����.
Risk Manager EIF ��
Risk Manager Event Integration Facility�� �� ���� �� � ��� ����.
¶ �Risk Manager Observer �� ��
¶ �Risk Manager Observer �� ���
¶ �TEC � � ��� ���
¶ 85 ��� �Risk Manager EIF ���
¶ 85 ��� �Risk Manager EIF CDS �� ��
Risk Manager Observer � ��� � ���� Risk Manager Observer �� �� � ����.
UNIX ���
rmo-init start
Windows ���
net start rmo
Risk Manager EIF� � ����� Risk Manager Observer� ���� ���� ��
��. UNIX �����, Observer� AIX� ���� /etc/inittab ���� �� ���
� ��� �� UNIX ���� ���� init.d �� �� ���� �� ���� ��
��. Windows ������ Risk Manager Observer� �� � ���� ����.
Risk Manager Observer � ���� � ���� Risk Manager Observer �� ��� � ����.
UNIX ���
rmo-init stop
Windows ���
net stop rmo
�� ���
wradmin -kill
TEC ��� ��� �
wrmsendmsg � ���� TEC ��� � � ���� ��� � ����. � �� �
� � �� ���� ��� �� ��� �����.
¶ �� ��� � � � ���� �� ���
¶ Risk Manager EIF .cds � .fmt �� ���� ��� �� �� ��� ���
Risk Manager EIF� TEC ��� � � ���� ��� �� ���� �� ���� �
�� � � �� ������.
��� � � � � ��� ����. -f ���� ���� ����� �� ���� � �
� �� TEC ��� ���� ��� ���� �� ��.
wrmsendmsg -f "NIDS_DOS;date='12:22:23';rm_SensorIPAddr=11.34.65.99;rm_Timestamp=0x39d8e8ff;rm_DestinationIPAddr=10.0.0.3"
��� ����� �� ���� ����. Risk Manager EIF .cds ��� TEC� ����
��� �� ���� � ����, ���� ��� � ��� �� ��� �� �
�����.
wrmsendmsg "Oct 3 12:22:23 2000 syslog NIDS foo.tivoli.com 0x39d8e8ff 10.0.0.3"
Risk Manager EIF ��
Risk Manager EIF � RMO(Risk Manager Observer)� ����� wrmadmin � ��
����. � ��� �� ��� ����.
-kill Risk Manager EIF �� ������. ������� � ��� ��� RiskManager EIF ��� ���� �� ����.
-info �� �� ��� ����.
-restart� � Risk Manager EIF �� � RMO� ���� �� ����. rmad.conf�� rmad_summary.rules �� �� � � �� ���.
Risk Manager EIF CDS �� �
riskmgr_gencds � ���� rmad.cds ��� �� �� ��� ������.
� �� Risk Manager EIF�� ��� .cds �� �����. Risk Manager EIF� ��
.cds �� ��� � ����. .cds ��� �� ��� Risk Manager EIF �������
����� �� ��� �� ��� ��� � �����.
� ��, ��� .fmt ��� ��� .cds �� ���� �����.
Risk Manager EIF ������ � � ��� Risk Manager EIF� ��� �� �� ��� ��� 31 ��
� �Risk Manager ��� �����. Risk Manager EIF� TMR(Tivoli Management Region)�� ������ ���� �� ������ � Tivoli �� Tivoli ������
�� � ����.
Risk Manager EIF� ��� ��, �� ���� Risk Manager EIF� �����.
¶ ��� �� rmad.conf � �� ������.
�� ��, rmad.conf ��� AdapterCdsFile ���� ��� ���� Risk Manager EIF .cds ��� �� �� rmad.cds���. �� ��� .cds �� ��� ����
��� �� ���(�� rmad.fmt � rmad.cds).
¶ �� �� ���� .cds �� �������. ��� � ��� �� �� �� ���
� �����.
� Tivoli ����� ���� Risk Manager � �� ���� .fmt � �� .cds ��
�� � ����. Tivoli ����� ACF� ���� � ���� ��� � ���
�. ACF ��� �� ��� ��� 46 ��� �ACF� ��� Risk Manager �� �
� ���� �����.
�� � �� �� ��� �� ��� �� ��� Risk Manager EIF� �� � �� �� � .cds �� ������.
1. ���� �� ������� �� �� �� Risk Manager EIF rmad.fmt �� ���
�� ������. ��� ��� ������ �� ��� �� ��� ��� ��
� � ������(�: rmad.fmt02).
2. ���� ���� rmad.fmt �� �� �� riskmgr_gencds � ���� � .cds�� �����.
riskmgr_gencds rmad.fmt >rmad.cds
rmad.conf ��� AdapterCdsFile ���� ��� ���� Risk Manager EIF .cds��� �� �� rmad.cds���. �� ��� .cds �� ��� ���� ��� ��
���(�� rmad.fmt � rmad.cds).
����� � �� �� $RMADHOME\RISKMGR\adapters\etc �� �� �����.
Perl �� ��
Risk Manager EIF� Perl ����� ���� Risk Manager TEC � � ���� �� �
���� �����. Perl ������ Risk Manager EIF� ������, Risk Manager Perl ��� � ��� Risk Manager Perl ��� ���� ����� �� ���.
Risk Manager� UNIX � Windows ���� Perl �� �����.
TME � � TME ��� �� Risk Manager EIF ��
Risk Manager EIF� TME� � TME ���� ��� �� �� Risk Manager EIF ��
� �����. Risk Manager� UNIX ����� rmeif_cfg � ���� TME ��
� TME ���� ����� Risk Manager� ����.
� ����� TME ������ � �� ���� lcf_env.sh� � ��, TME ��
�����. �� lcf_env.sh ��� ����, ����� �� ��� �����. �
� � �� � ���� rmeif_cfg � ������.
TME �� � TME ���� ����� Risk Manager EIF� ���� rmeif_cfg �
������. � �� �� ����.
rmeif_cfg { -n | -t [ -d directory ] }
-n � TME �� ������.
-t TME �� ������.
-d �� �
TME ����� lcf_env.sh �� ����� �� �� �� �����.
� �, 0� ���� �� ����, �� �� ��� �� ��.
� TME ������� ����� Risk Manager EIF� ���� -n �� ������.� ���� ���� $RMADHOME/bin/rmad_cad �� ��� Risk Manager EIF ��� �
TME �� $RMADHOME/bin/nontme/rmad_cad� ����� ����. Risk Manager �
� ����� /etc/Tivoli/rma_eif_env.sh� TME ����� �� ����� ��� �
��� �� ���� ����.
TME ���� ����� Risk Manager EIF� ���� -t �� ������. � ���
� ���� $RMADHOME/bin/rmad_cad �� ��� Risk Manager EIF ��� TME ��
$RMADHOME/bin/tme/rmad_cad� ����� ����. Risk Manager �� �����
/etc/Tivoli/rma_eif_env.sh� TME ����� �� ����� ��� ���� �� �
���� ����.
� � -d directory ���� -t ��� � � ��� �� , rmeif_cfg ��
directory/lcf_env.sh �� TME ����� �� ����� �����(� ��� �
��). -t ��� �� -d ���� ���� � ��, rmeif_cfg �� /etc/Tivoli/lcf�� �� �� ���� ��� lcf_env.sh �� �����. �� lcf_env.sh ��� �
�� ��, �� TME ������ �� ������ ����� �� �� �����.� ��� ���� TME ������ ��� �� ����� �� �� ����.
�: �� ����� ���� ���� ���� �� ������ �� �� ���� �
� lcf_env.sh �� ����� ��� � ����. ���� �� lcf_env.sh ��
(/etc/Tivoli/lcf ���� �� �� �� ��� �� �� � ���)� � �
�, -d ���� -t �� ���� TME ������ ��� �� ����� Risk Manager ����, /etc/Tivoli/rma_eif_env.sh� ��� ����� ���.
Risk Manager Event Integration Facility� � ���� rmad.conf �� � �
��. rmad.conf �� �� �� ��� 88 ��� �Risk Manager EIF � ��� �
����.
rmeif_cfg ��� ���� rmeif_cfg � �� ����.
1. � TME ���� ����� Risk Manager EIF� ����, �� ������.
rmeif_cfg -n
2. TME ���� ����� Risk Manager EIF� ����, �� ������.
rmeif_cfg -t -d /etc/Tivoli/lcf/1
� ���� lcf_env.sh ����� /etc/Tivoli/lcf/1 �� �� ����.
Risk Manager EIF �� ��
Risk Manager EIF� � �� � ��� ��� ��� rmad.conf �� �����. �
��� �� Risk Manager EIF ��� � �����. � �� ��� ���� Risk Manager EIF� ��� � ����. � ��� ����� Risk Manager Event Integration Facility� ���� �� �����.
rmad.conf ��� �� �� �� ����.
$RMADHOME/etc
Installation_dir� Risk Manager EIF� �� ����.
Risk Manager EIF �� �� ���� ��� �� ��(#)� ����. �� ����. �� ��� ��� �� ���
����.
¶ � �� ����� �� ������.
keyword=value
¶ ��� � ��� ���� ���� ��� ��� ����� �� ������.
Filter:CLASS=class_name;attribute=value;
�: attribute=value� ��� slot=value����
¶ ��� � ��� ���� ���� ��� ����� �� ������.
FilterCache:CLASS=class_name;attribute=value;
�� ��� �
#
# Communication Parameters
#
ServerLocation=ravel
ServerPort=5529
EventMaxSize=4096
ConnectionMode=CO
# Event Filters
#
Filter:Class=disk_event
Filter:Class=su_login; origin=126.32.2.14
rmad.conf �� �� ������� �� �� �����. keyword=value
� � �� �� � ��� �� �� ���� ����. � ���� .baroc ���
���� �� ��� � ���� ����. �� ��� �� ��� ��� �� ��
�� �� ��� � ���� � ���� ����.
Risk Manager EIF rmad.conf � ���� �� ���� �����. ��� ���� �
��� ��� ���� �� ��� � �� �� ����.
AdapterCdsFile=Path
.cds ��� �� �� � �����. .cds ��� � �� ��� �� ��
�� �� �� � ���� �����.
AdapterErrorFile=Path
�� ��� �� �� � �����. �� ��� � �� ��� �� ��
�� �� �� � ���� �����.
AdapterSpecificFile=Path
�� �� � ��� �� �� � �����. �� �� ��� � ��
��� �� �� �� �� �� � ���� �����.
AdapterTimeOut
UNIX� �� Risk Manager Event Integration Facility �� ��� �� �
����.
BufEvtMaxSize
��� �� ��� �� ��(KB)� �����. ���� 64���.
BufEvtMaxSize ���� �����.
BufEvtPath
��� �� ��� �� �� � �����. UNIX ��� ����
/etc/Tivoli/tec/cache���. Windows ��� ���� cache.dat���.
BufEvtPath ���� �����.
BufEvtRdblkLen
� ��� �� �� �� ��(KB)� �����. � ��� ��� ���
���� �� ��� ���. ���� 64���.
BufEvtRdblkLen ���� �����.
BufEvtShrinkBlk
�� �� ��� ���� ���� � ��� �� ��(KB)� ����
�.
BufEvtShrinkBlk ���� �����.
BufEvtShrinkSize
BufEvtMaxSize� �� � ��� �� �� ��� �� �(KB) �
����. ���� 8���.
BufEvtShrinkSize ���� �����.
BufferEvents
��� �� �� ������� ��� �����. ���� YES���. BufferEvents� YES�� �� ��� � �� ���� �� ����. ��
����� ��� ����.
BufferEvents ���� �����.
BufferFlushRate
�� �� ��� �� �����. � ��� ��� �� ��� � �
��� ��� �� � ��� ��� ���� �����. ���� 0�� ����
� ��� �����.
BufferFlushRate ���� �����.
BuffersEventsLimit=Limit
��� � � � ���� � �� ��� �� �����. ���� ��
��(Limit� �� ���� ��)���. �� �� ��� �� ���� �
�� ���� �����. � �� ��� �� �� � �� ���
� �� �� ���� �� �� ����.
ConnectionMode
��� � � ����� ��� �� ��� �����. ���� �� ����.
connection_oriented
�� ��� ��� ���� �� ���� � ��� �����.
� ��� ��� ���� � ��� �����. ��� ���� ��� �
����.
�� �� �� ���� ���� ��� ��, connection_oriented, CO�� co ��� � ���� ��� ��� � ����.
connection_less
���� � ����� � ��� �����. (�� �����.) �� ��
����.
ConnectionMode ���� �����.
EnableTrace
Risk Manager Observer�� �����. Observer� ��� � ��� ��� � �
YES� �����. ���� NO���. EnableTrace=YES��, ���� TraceFile���� �� ��� �����(� ��). ��� ��� �� ����
��� �����.
EventMaxSize
���� �� ��� �����. ���� 4096���.
EventMaxSize ���� �����.
Filter ���� ���� �� �����. Filter �� �� ���� ��� � � ��
�� �� ���� ��� ��� � FilterMode� � �����. ���� Filter�� � attribute=value � ���� � attribute=value ��� � Filter� �����. Filter �� ��� ���� �� �� ��� ���� ��
�� attribute=value ��� � ����. Filter � ��� �� ���
�.
Filter:Class=class_name;attribute=value;...;attribute=value
� Filter �� ��� 512 ��(���) ��� �� ���.
Filter ���� �����. ��� ���� ��� ���� ��� � � ����
�.
FilterCache ���� ���� �� �����. ���� ��� � � ��� � ��
BufferEvents=yes� ������ ����� �� �� ���� �� ����.���� FilterCache �� � attribute=value � ���� � attribute=value
��� � FilterCache � �����. FilterCache �� ��� ����
�� �� ��� ���� �� �� attribute=value ��� � ����.FilterCache � ��� �� ����.
FilterCache:Class=class name;attribute=value;...;attribute=value
� FilterCache �� ��� 512 ��(���) ��� �� ���.
FilterCache ���� �����. ��� ���� ��� ���� � �
���.
FilterMode
Filter �� FilterCache � ���� ���� ������(FilterMode=IN)
�����(FilterMode=OUT) ��� �����. ���� OUT���.
FilterMode ���� �����. FilterMode� ���� �� �� Filter ��
FilterCache � ���� �� ���� ��� � � �����.
�: FilterMode=IN �� ��, �� ��� Filter �� FilterCache �� ��
���� �� ��� � � ����� ���� ���� ��� ������.
LocalEventPort
Risk Manager Observer�� �����. ���� � � observer�� ���� �
� �����. �� �� ��� 5529���. Risk Manager EIF� ��� �� �
� LocalEventPort� � � �� ����. Risk Manager EIF� �� � �
�� ��� ����, LocalEventPort� �� ��� ��� �� �� �� �
����.
�: Windows NT � �� RMO� �� ���, TEC � � �� �� �� ��
��� �����.
LocalEventProcessing
Risk Manager Observer�� �����. Risk Manager EIF ������� � �
�� ��� ����� LocalEventProcessing=YES� �����. Risk Manager EIF ������� rmad_send_message API� ���� ���������. ���
� Check Point FireWall-1 � Cisco Secure IDS �� �� ������� ��
���, ���� rmad_summary.rules� �� � ����. ��(�� ���) �
��� TEC � � �����. LocalEventProcessing=NO��, �� �� ����
�� TEC � � �����. �� Risk Manager EIF� ���� ��� ��� �
� � ��� LocalEventProcessing=NO� �� � ����. �� ��, Web IDS�� �� � ����. � ��, Web IDS� Risk Manager EIF� ���� ���
������� �� LocalEventProcessing=NO� �� � ����.
RetryInterval
ConnectionMode=connection_oriented� �� ��� � � ��� ���� �
�� 2� � � ����� ���� ��� �� �� ��() � ����
�. ��� � ��� ��� ���� � ��� � ���� ���� ����.
� ���� ��� 1� ��� � � �� �� ���� ���� 1� ��� �
� �� � ����. �� � ��� ��� � �� � � � �� �
����.
� �� ���� ��� � �� � ���� ��, ��� � � ���� �
� ���� ��� �� � ���� � � ���.
���� 120���.
RetryInterval ���� �����.
RmadLogging
Risk Manager EIF �� �� ��� �� ���� ���. RmadLogging=YES �
� RmadLogging=Yes� ��� Risk Manager EIF ��� rmad.log ��� ��
����.
Rmo_AcceptNonLocalEvents
Risk Manager Observer ��� �� ����������� �� ����� ��
� YES� ������. ���� NO���. ��� �� ����������� �
� ���� Risk Manager EIF� TME � ���� ���� TEC� ����
� ��� �� ���� �����.
Rmo_EnableTrace
Risk Manager Observer ��� ��� � ��� ���, Rmo_EnableTrace=YES� �����.
Rmo_TraceFile
Rmo_EnableTrace=YES��, � ���� ��� �� ���� ��� �� �
�����. Rmo_TraceFile ���� ���, ���� ��� �����.
Rmo_WorkingDir
Risk Manager Observer� � � �� �� �� ������. ����� Risk Manager Observer ��� � �� ���� � � �� �� ��, UNIX �
��� ���� /var/RISKMGR , Windows ���� ���� %TEMP%� �����.
ServerLocation
��� � � � ��� � �����. Risk Manager EIF ��� �
�, ��� ��� � �� ���� ��, ��� � � Tivoli Management Region (TMR)� ���� ��� �� � �� �� �� �� � ��� ���.
�� ��
TME @EventServer
���� TMR� TME @EventServer#RegionName
� TME, �� host name �� IP_address
IP_address�� �� �� ������.
� TME ��� �� ServerLocation� �� �� �� 8�� � �� � �
���. � �� ��� 1� ��� � �� ���� 1� � � � ���� �
��� 2� � ���.
����� ��(TME ��)� �� ServerLocation� 1� ��� � � ���
� ����. TEC ����� � ��� �� 2� ��� � � �����.
ServerLocation ���� �����.
�: ServerLocation� TestMode ��� �� ��� � ��� � �� ���
� ��� ��� �� � � �����.
ServerPort
��� � � ���� ���� �� ��� �����. portmapper� ��� � �
� �� ���� ��� � ��� � 0(���)�� � ���. �� ��� 0�� ������ ���� �� ��, portmapper� ���� �� ��� �����.
ServerPort� � � �� � � 8� � � � � � � � � � � . � �
ServerLocation �� ���� ��� �� ��� ������. �� ��� �� �
�� ���� � ServerLocation �� � �� ��� �� ���.
���� 0���.
��� � � UNIX ����� ���� ��� ServerPort ���� �����
Windows ����� ���� ������.
�: ��� ���� �� ��� �� � �� Windows NT ���� portmapper��� ����. ��� � � �� � �� �� � �� �� ��
(.tec_config� tec_recv_agent_port)� �����. ServerPort� $BINDIR/TME/TEC�� �� �� .tec_config��� tec_recv_agent_port �� ��� �����.
TestMode
��� ��� � �� ��� ��� �����. TestMode=Yes� ��, ServerLocation ���� ��� � � ��� �� ���� ���� �� ��
���. ���� ����� ��� �� Yes � No���. ���� No���.
TestMode ���� �����.
��� ������� Risk Manager EIF� ���� ��� � � � ��. ���� ��� � �
�� ��� ��� ���� ���� ��� � ����. ���� ���� tuple ���
�� �� ��� � ����. tuple� ��� ��� ��� ���� �� ��, ��
�� �� attribute=value �� ��� �����.
� ��� �� ��� rmad.conf � ��� 512 ��(���)� ��� � ��� ��
���. � ��� ��� �� ��� �� �� ��� � ����. ��� �� ��
� �� ��� �� �� ��� � �� ���.
��� �� ��� �� �� �� ����.
Filter:Class=ClassName;attribute=value;...;attribute=value
FilterMode �� �� ���� Risk Manager EIF� ��� � �� � ����. �
���� FilterMode� OUT�� ����. FilterMode=IN � ��� ���� ��
���� ���� ��� � � �����. ���� �� ��� ��� Tivoli Enterprise Console �� ��� �����.
��� �� ���
Risk Manager EIF� ��� � �� TEC ����� ��� � � � ��� ��
�� ��� ��� Risk Manager EIF ��� ���� � ��. � ���
BufferEvents=yes� ��� ��� � �� ���� ���. ��� BufEvtPath��� �� �����.
��� � � �� ��� ��� ���� ��� ���� ���� ��� � ���
�. � ��� �� ��� �� � ��� �� ��� �� ���. � ��� �
�� �� ��� �� �� ��� � ����. ��� �� ��� �� ���
�� �� ��� � �� ���.
�� ��� ��� ����.
��� �� ��� �� �� �����.
FilterCache:Class=ClassName;attribute=value;...;attribute=value
rmad_summary.rules ��
rmad_summary.rules �� ���� ��� � ��� �� ��� � ����.
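The Filter, FilterCache and FilterMode handling described above, as an added example in Python; this is not code from Risk Manager or the rmad.conf adapter. It reads a constructed rmad.conf modelled on the sample file shown earlier on the page (ServerLocation=ravel and the two Filter lines come from that sample), enforces the 512-byte limit the page states for one filter statement, and applies the usual TEC adapter meaning of FilterMode: OUT (the default) discards events that match any Filter tuple, IN forwards only events that match one. The event dicts and the names parse_conf, matches and forwarded are assumptions of this example.

```python
# Added example: an rmad.conf filter reader and FilterMode decision, written for
# this page; not code from Risk Manager or the TEC adapter. Event dicts, the
# helper names and the SAMPLE_CONF text are this example's own constructions.

MAX_FILTER_LEN = 512  # the page states one Filter/FilterCache statement is limited to 512 bytes

# Constructed rmad.conf, modelled on the sample file shown earlier on the page.
SAMPLE_CONF = """\
#
# Communication Parameters
#
ServerLocation=ravel
ServerPort=5529
EventMaxSize=4096
ConnectionMode=CO
# Event Filters
#
Filter:Class=disk_event
Filter:Class=su_login; origin=126.32.2.14
"""


def _parse_tuple(body):
    """Turn 'Class=su_login; origin=1.2.3.4;' into {'Class': ..., 'origin': ...}."""
    pairs = {}
    for item in body.split(";"):
        if item.strip():
            attr, _, value = item.partition("=")
            pairs[attr.strip()] = value.strip()
    if "Class" not in pairs:
        raise ValueError("filter tuple must start with Class=: %r" % body)
    return pairs


def parse_conf(text):
    """Split rmad.conf into keyword settings, Filter tuples and FilterCache tuples.

    Comment lines (#) and blank lines are ignored; any other line is either a
    Filter:/FilterCache: statement or a keyword=value setting.
    """
    settings, filters, cache_filters = {}, [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        for prefix, target in (("Filter:", filters), ("FilterCache:", cache_filters)):
            if line.startswith(prefix):
                if len(line.encode("utf-8")) > MAX_FILTER_LEN:
                    raise ValueError("filter statement exceeds %d bytes" % MAX_FILTER_LEN)
                target.append(_parse_tuple(line[len(prefix):]))
                break
        else:  # no filter prefix matched: plain keyword=value
            key, _, value = line.partition("=")
            settings[key.strip()] = value.strip()
    return settings, filters, cache_filters


def matches(event, flt):
    """A filter tuple matches when every attribute=value it lists is present in the event."""
    return all(str(event.get(attr)) == value for attr, value in flt.items())


def forwarded(event, filters, mode="OUT"):
    """Apply FilterMode: OUT (the default) drops events that match any Filter tuple,
    IN forwards only events that match one."""
    hit = any(matches(event, f) for f in filters)
    return hit if mode.upper() == "IN" else not hit


if __name__ == "__main__":
    settings, filters, _ = parse_conf(SAMPLE_CONF)
    print("server:", settings["ServerLocation"], settings["ServerPort"])
    for ev in ({"Class": "su_login", "origin": "126.32.2.14"},
               {"Class": "su_login", "origin": "10.0.0.1"},
               {"Class": "disk_event"}):
        print(ev, "->", "forwarded" if forwarded(ev, filters) else "dropped")
```

With the sample file and the default FilterMode=OUT, every disk_event and the su_login events from origin 126.32.2.14 are dropped before they reach the event server, while su_login events from any other origin are forwarded; switching the mode to IN inverts the decision.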
�� �� ���� � rmad_summary.rules ��� ���� ����. � � �� �
�� �����.
¶ ��� ��� ���� �
¶ �� � ���� ���� �� ��� ���� � ���� �� ��
¶ � �� ��� � �� �� �� � �(�� ��� ���� �)
¶ ��� ����� �� �� �� ���. � �� � �� ����� �� � ���
�.
�� ��, �� ��� ���� �� � ����.
FW_connection_denied���� ��� � ��
FW_source_IPAddr���� � �� �� �� IP �� ��
FW_destination_IPAddr���� � �� �� �� IP �� ��
30000 TEC� ���� ���� �� �� ��� � ���� �� ���� �� � �
��� �� �� �� �
Set FW_source_port = *�� ����� ���� �� ��� �� ��� ��
Set FW_dest_port = *�� ����� ���� �� ��� �� ��� ��
Set msg=″Summarized port scan″�� ����� ���� msg �� �� ��� ��
� �� ��� �� ���� FW_connection_denied ��� ��� �����. � ���
�� �� ���� � �� �� �� � ����.
Risk Manager EIF� FW_connection_denied ���� ���� ��, � ����, �
� �� ���� ���, ���� ����. �� �� ���� �� ���� (��� �
�� � � ��� ���) ���� �� ���� � ��, � ���� TEC� �
����. ��� �� ���� �� ��� ��� � � �� ���, ���� � �
� ���� TEC� �����.
�� 30 ��, � FW_source_IPAddr � FW_destination_IPAddr ��� ��� �
�� ��� ��� �� FW_connection_denied ���� �����. Risk Manager EIF�
repeat_count �� ����� � � ����� ���� �����. 30� ��� �
, EIF� �� ���� ��� �� ���� TEC� � ��. �� ���� ��� �
� ��� � ��� �����. FW_source_port, FW_dest_port � msg �� ��
��� ���� ��, �� ����� � �� ����.
�: repeat_count ����� �� ���� � ��� �� ��� �� ����. � �
��� TEC � � ���� �� ���� �����.
�� �� �� ���� FW_connection_denied ���� �� �� �����. � ����, Risk Manager EIF� 30 �� FW_connection_denied ���� � 10�� � ���� �����.
�: � ����� 30� ������ �� �� �� ��� � � � ����.� ����, ��� ���, �� IP ��, ��� IP ��� � �� �� ��� �����,� ��� �� �� �� �� ���� Risk Manager EIF�� �������. � ��� �
�� � � ���� � ��� �� ���� ���. � �� ���� �� � � ����
���� EIF� � ���� � ���� TEC� �����.
15� Risk Manager EIF� � ���� ���� �� �����. � �� ���
�, msg �� ��� �� �� ��� ����� ���. � �� ���� �� �
�� ���� fw_connection_denied���.
15. ��� � �� ���. � �� ����, � ���� msg �� ������ ���� � ���. � �� ���� �� ��� ����
fw_connection_denied���.
Event  Source IP    Destination IP  Source port  Destination port
1      23.56.78.99  32.11.22.33     5432         389
2      44.55.66.77  66.77.88.99     6000         1000
95 Risk Manager User's Guide
6. Risk Manager Event Integration Facility
15. ��� � �� ��� (� ). � �� ����, � ���� msg �� ���� �� ���� � ���. � �� ���� �� ��� ����
fw_connection_denied���.
Event  Source IP    Destination IP  Source port  Destination port
1      23.56.78.99  32.11.22.33     5432         389
2      44.55.66.77  66.77.77.88     6000         1001
2      44.55.66.77  66.77.77.88     6000         1002
1      23.56.78.99  32.11.22.33     5432         389
3      11.11.11.11  22.22.22.22     10000        9999
1      23.56.78.99  32.11.22.33     5432         389
2      44.55.66.77  66.77.77.88     6000         1001
2      44.55.66.77  66.77.77.88     6000         1002
16� Risk Manager EIF� ��� ���� ���� �� �����
16. �� ��� ��� ��� ���. � �� ����, msg �� ��� ���� ��� ����� ���. � �� ���� �� ��� ����
fw_connection_denied���.
Event ID  Source IP    Destination IP  Source port  Destination port  repeat_count
Event 1   23.56.78.99  32.11.22.33     ″*″          ″*″               3
Event 2   44.55.66.77  66.77.88.99     ″*″          ″*″               4
Event 3   11.11.11.11  22.22.22.22     10000        9999              0
�: repeat_count �� 0� �� ��� ��� �� ����� ��� �� ��� �
� ����. repeat_count �� ��� �� ���� ��� 1� ���. �� ��,10�� ���� �� ��, repeat_count �� 9� ����. ���� ���� ��
��, repeat_count� 0�� ����.
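The summarization behaviour described above (one summary event per distinct source/destination IP pair inside the 30000 ms collector window, repeat_count one less than the number of occurrences, and the SET attributes applied only when something was actually summarized), as an added Python model that is not part of the manual or of the Risk Manager EIF; the ten input rows are constructed to mirror Tables 15 and 16, and the attribute names are shortened versions of FW_source_IPAddr, FW_destination_IPAddr, FW_source_port and FW_dest_port.

```python
from dataclasses import dataclass, replace
from typing import Dict, List, Optional, Tuple

WINDOW_MS = 30000   # the collector interval in the rule: statemachine.collector 30000


@dataclass
class Event:
    """The subset of FW_connection_denied attributes the summary rule looks at."""
    event_class: str
    source_ip: str        # FW_source_IPAddr (cloneable attribute)
    dest_ip: str          # FW_destination_IPAddr (cloneable attribute)
    source_port: str      # FW_source_port
    dest_port: str        # FW_dest_port
    msg: str = ""
    ts_ms: int = 0        # arrival time in milliseconds (constructed)
    repeat_count: int = 0


class SummaryRule:
    """Collect events of one class that agree on the cloneable attributes and
    emit the first one with repeat_count = occurrences - 1 when the window closes."""

    def __init__(self, event_class: str, cloneable: Tuple[str, ...],
                 window_ms: int, set_attrs: Dict[str, str]):
        self.event_class = event_class
        self.cloneable = cloneable
        self.window_ms = window_ms
        self.set_attrs = set_attrs
        # group key -> (first event of the group, window start, occurrences so far)
        self._open: Dict[Tuple[str, ...], Tuple[Event, int, int]] = {}

    def _key(self, ev: Event) -> Tuple[str, ...]:
        return tuple(getattr(ev, name) for name in self.cloneable)

    def feed(self, ev: Event) -> List[Event]:
        """Offer one event; return whatever is ready to be sent on to TEC."""
        out = self.flush(ev.ts_ms)
        if ev.event_class != self.event_class:
            out.append(ev)                 # not covered by this rule: pass it through
            return out
        key = self._key(ev)
        if key in self._open:
            first, start, n = self._open[key]
            self._open[key] = (first, start, n + 1)   # duplicate inside the window
        else:
            self._open[key] = (ev, ev.ts_ms, 1)       # first occurrence opens a window
        return out

    def flush(self, now_ms: Optional[int] = None) -> List[Event]:
        """Emit groups whose window has expired (every group when now_ms is None)."""
        out: List[Event] = []
        for key, (first, start, n) in list(self._open.items()):
            if now_ms is None or now_ms - start >= self.window_ms:
                summary = replace(first, repeat_count=n - 1)
                if n > 1:       # the SET clause only applies when a summary was made
                    for attr, value in self.set_attrs.items():
                        setattr(summary, attr, value)
                out.append(summary)
                del self._open[key]
        return out


def port_scan_rule() -> SummaryRule:
    """The rule from the text: 30 s window keyed on source and destination IP."""
    return SummaryRule("FW_connection_denied", ("source_ip", "dest_ip"), WINDOW_MS,
                       {"source_port": "*", "dest_port": "*",
                        "msg": "Summarized port scan"})


def demo() -> List[Event]:
    """Feed ten constructed events (modelled on Table 15) one second apart."""
    rows = [
        ("23.56.78.99", "32.11.22.33", "5432", "389"),
        ("44.55.66.77", "66.77.88.99", "6000", "1000"),
        ("44.55.66.77", "66.77.88.99", "6000", "1001"),
        ("44.55.66.77", "66.77.88.99", "6000", "1002"),
        ("23.56.78.99", "32.11.22.33", "5432", "389"),
        ("11.11.11.11", "22.22.22.22", "10000", "9999"),
        ("23.56.78.99", "32.11.22.33", "5432", "389"),
        ("44.55.66.77", "66.77.88.99", "6000", "1001"),
        ("44.55.66.77", "66.77.88.99", "6000", "1002"),
        ("23.56.78.99", "32.11.22.33", "5432", "389"),
    ]
    rule = port_scan_rule()
    sent: List[Event] = []
    for i, (src, dst, sport, dport) in enumerate(rows):
        sent += rule.feed(Event("FW_connection_denied", src, dst, sport, dport,
                                ts_ms=i * 1000))
    sent += rule.flush()        # end of input: close the remaining windows
    return sent


if __name__ == "__main__":
    for ev in demo():
        print(ev.source_ip, ev.dest_ip, ev.source_port, ev.dest_port,
              ev.repeat_count, ev.msg)
```

The three events returned by demo() carry repeat_count 3, 4 and 0, and only the first two have their ports replaced by "*" and the summary msg, as in Table 16.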
� �� � ��� ��� rmad_summary.rules ��� � �� ��� � ��� � �� ���
����.
� � 5�� ��� ��� �����. �� �� �� ���� �� �� � ���
����� ��� ��� �� ����.
1. � ��� � �� �� ������. � ���� �� �� � � ��� ���
��� � ����. � ���� �� ���� PIX_Portscan_In�� ��� ���
� �� ��.
2. � ��� ��� ���� ��� ����. � ���� ��� ��
PIX_TCP_in_conn_denied���.
3. �� PIX_TCP_in_conn_denied ���� �� ����. ���� ���� �� �
� �� ���� ��� � �� � �� ���. � ���� �� �� �
� �� �� ����. pix_sev, pix_code, pix_ifname, rm_SourceIPAddr,rm_DestinationIPAddr, rm_SensorIPAddr� � �����.
4. �� �� �� ��� �� ����. � ����, 30000 ��� ����
�.
5. �� SET �����, ��� ���� �� �� �� ��� �����. ����
� ���� �� ���� �� ��� ���� � msg �� � �����. �� �� �� ����� ��� �� ���.
�� ��� �� 5�� �� �� �����.
(PIX_PortScan_In                                                   # Element 1
{PIX_TCP_in_conn_denied}                                           # Element 2
[cloneableattributeSet=&pix_sev,                                   # Element 3
&pix_code,&pix_ifname,&rm_SourceIPAddr,&rm_DestinationIPAddr,&rm_SensorIPAddr]
statemachine.collector 30000                                       # Element 4
(true)
!(SummarySET:rm_SrcPort=*,rm_DstPort=*,
msg=SUMMARY_Multiple_TCPIP_Inbound_connections_denied_by_Cisco_PIX_firewall   # Element 5
);
�: � �� �� �� ��( ), ��� [ ] � ��� { }� �� ��� ����
�� ���. SET ��� �� �� ������ ��� ��� ����. ���
�� ��� ��� �� ��, SET ��� � ��� � ����. �� ��� SET���� �� � ����.
(PIX_Generic_Minor_Evt{PIX_Generic_Minor}[cloneableattributeSet=&rm_SensorIPAddr,
&pixm_code,&msg]
statemachine.collector 30000(true)
)!Summary);
Checkrules ���� ��
Checkrules(Windows�� checkrules.cmd) ����� ��� � ���� ���.
�����, � ����� $RMADHOME/etc/rmad_summary.rules �� ����. �� �
�� �� � � ���� ��� �� � ����� ��� ���.
�: checkrules ����� � �� ����. � �� �� �� SET:attr=value ��� �� �� ���� .baroc ��� �� � ������ ���� ����.��� � �� BAROC ��� � ��� ���� ����� �� ���. ��
� ���, �� �� ���� � ��� ��� � �� ��� ��� ��� �
�� � ����. Risk Manager �� �� ���� �� �� �� �� �
�� ��, BAROC ��� Risk Manager � � $BINDIR/RISKMGR/corr/tec �� �
� ����.
�� Risk Manager EIF ��
Risk Manager Event Integration Facility� � ��� ������.
BAROC (.baroc) ��: Risk Manager EIF� ���� ���� ������� Risk ManagerEIF� ���� ��� ���� �� .baroc �� �����. ��� � � RiskManager EIF��� ���� ���� ��� �� � �� �� ���. .baroc �
�� ��� � � �� � ���� ��� �����.
��� � ���(.cds) ��: ��� �� �� ��� ���� ��� � � ���� �
� ���� �� ���� �� ���� ���� ��� � ���� � Risk ManagerEIF� �����.
�� ��: ���� Risk Manager EIF� ��� ������� ����� �� ��� �
�� � ����. ���� �� ��� ���� ���� ���. ��� �� ���
�� �� ���� �����. �� �� ��� .fmt ��� ����.
�� ��: rmad.err�� �� Risk Manager EIF �� ��� ����� �� ��� ��
��� � �� �� �����. � ���, �, �, � � � �� RiskManager EIF� ��� �� �� �� �� ��� �� � � ���� ��� �
����. � �� � �� � � ��� �� �� ��� � ����. ��� � � �
�� ��� ��� �� �� ��� � ����. ��� � ��� ��� ����
rmad.err ��� �� /dev/null� �� ���� /tmp/fileneame.err(Windows ���
��� %TEMP%\filename.err)� �����.
Risk Manager TEC ���
� ���� Risk Manager� Tivoli Enterprise Console(TEC) ����� �� ��� ��
���, Tasks for Enterprise Risk Management� �����. Risk Manager� �� TEC policyregion� TEC Region� ��� ������ ����.
� � TEC�� ���� ����� �� �� � �����. � ���� �� ��� �
�� �� ��� �� � ����.
TEC ��� ��
Tivoli Enterprise Console ���� TEC�� ���� ������. �� ��� � �
���� ��� � �� �� �� ����. � �� �� �� �� �� ��
� ����.
� TEC ���� � �� �� ���.
¶ ��� �� �� �(�� �� �� �)
¶ ���� ��� �����
UNIX ���� TEC ��� UNIX ��� ���� ���� � TEC ���� ����� �� �� ����.
1. Tivoli ����� Tasks for Enterprise Risk Management�� TEC ��� ���
��� �����.
2. �� ���� ����� TEC ���� �����.
Deactivate_Unix_User_Account
� TEC ���� ���� ��� ID� ���� ���� �� ������
�.
List_Active_Unix_Processes
� TEC ���� ���� ��� ������ ���� ID(PID) � �� �
� ��� �� ��� ������. ��� ���� ��� � ����� ��
���.
View_Component_Status_for_Unix
� TEC ���� ���� UNIX �� ��� Risk Manager � ��� ��
���.
7. Risk Manager TEC Tasks
Kill_Unix_Process
� TEC ���� ���� ����� ����� ���� ID(pid)� �����
�.
Run_Unix_Command
����� UNIX � ������.
Windows ���� TEC ���
Windows ���� ��, � �� �� ���� �� �(��� ���)� ��� � �
��� � ���� ����� ��� ��� � ����. ���� Windows ��� ��
����� � ��� ��� ����� ��� � �� ���.
��� ����� rmt_ntaudit.exe ���� ��� � �� ���. Risk Manager �
� �� Windows� Tivoli Host IDS ����� ��� �� ���� � ���� �
������.
Windows ��� ���� ���� � TEC ���� ����� �� �� ���
�.
1. Tivoli ����� Tasks for Enterprise Risk Management�� TEC ��� ���
��� �����.
2. �� ���� ����� TEC ���� �����.
Run_Windows_NT_Command
����� Windows ��� � ������. ��� � ���� ��, Windows����� PATH� �� Perl �� ��� Perl� ��� �� ���.
Enable_Windows_NT_Event_Auditing
� TEC ���� ���� Windows ����� ��� ��� �� ���� �
���.
�� �� �� � �����.
¶ �� � ��
¶ ��
¶ ��
¶ ��� ��� ��
��� �� �����.
¶ ��� � ����
¶ �� � ���� ���
¶ ��� �� ��
¶ ��� � �� ��
¶ � Policy �
¶ �� �, � � ���
¶ ���� ��
Disable_Windows_NT_Event_Auditing
� TEC ���� ���� Windows ����� ��� ��� �� ����� �
���.
Deactivate_Windows_NT_User_Account
� TEC ���� ���� ��� �� ������ Windows ��� ���
ID� ������.
List_Active_Windows_NT_Services
� TEC ���� ���� Windows ����� �� Windows ��� ��
�� ������.
View_Component_Status_for_Windows NT
� TEC ���� ���� Windows ��� ��� � � Risk Manager � �
�� �����.
��� �� � �����.
rmcorr_cfg:Info: ---------------------------------------------
rmcorr_cfg:Info: Checking Status of Risk Manager Components...
rmcorr_cfg:Info: ---------------------------------------------
rmcorr_cfg:Info: TMR Host: myTMRserver
rmcorr_cfg:Info: TMR install dir: f:/Tivoli/bin/w32-ix86
rmcorr_cfg:Info: Region name: myTMRserver-region
rmcorr_cfg:Info: Risk Mgr install dir: f:/Tivoli/bin/w32-ix86/RISKMGR/corr
rmcorr_cfg:Info: Current rulebase: rm1002
rmcorr_cfg:Info: Current rulebase path: f:\myrulebase
rmcorr_cfg:Info: Event cache size: 2000
rmcorr_cfg:Info: Class RM_SensorEvent is defined
rmcorr_cfg:Info: Rules files in rulebase:
Rule Set files
--------------
normalization.rls
sensorevent.rls
situation.rls
timer.rls
boot.rls
Start_Windows_NT_Service
� TEC ���� ���� ���� Windows ��� ��� � �����
�.
�� ��, Apache � � � ���� �� ��� ��� apache� ����
��. �� Check Point FireWall-1� ��� ���� �� ��� ���
rma_cpfw� ������.
Stop_Windows_NT_Service
� TEC ���� ���� ����� Windows ��� ��� � �����
�.
���� ������ � TEC ���
Risk Manager TEC ���� TEC ������ ���� ����� ��� � ����.
�� ��� Tivoli Decision Support� �� � ���� ����, �� ���� �
�� � ����. Tivoli Decision Support� �� ��� Tivoli Decision Support for EnterpriseRisk Management� �����.
TEC ������� Risk Manager ���� � � ����� Archive_Sensor_Events� �����.
����� �� ��� ���� Schedule_Event_Archiving �����.
���� ������ ���(���� ���� ����), TDS ���� ���� ���� �
���. TDS� ��� ��� ���, ���� ����� ��� ����. TDS ���� �
��� ���, ���� ���� ��� �� ���. ���� ������ � TEC���� ����� �� ������.
1. Tivoli ����� Tasks for Enterprise Risk Management�� TEC ��� ���
��� �����.
2. �� ���� ����� TEC ���� �����.
���� �� ���
Tivoli Decision Support��� ��� ���� � Risk Manager �� ���
���� ������� � ���� �����. ���� ��� ���, � �
��� ��� ������ �� Risk Manager �� ���� TEC ��� �
��� Risk Manager ���� � �����. �� ��� �� ����� �
���. ��� ��� Decision Support Guide for Enterprise Risk Management� �����.
Schedule_Event_Archiving
����� ����� ���� ��� ���� � ���� �����.
Archive_Sensor_Events
� � � �� � �� �����. ���� �
�� ����� ����.
�� �� ��� �����. ���� ��� 1�(60���)���. ��� ��
���, ��� ������ �� �� Risk Manager �� ���� TEC ���
���� Risk Manager ���� � �����.
�� ��� �� ����� ����. ��� ��� Decision Support Guidefor Enterprise Risk Management� �����.
Risk Manager ���� ���� � TEC ���
Risk Manager� Tivoli ����� Risk Manager ��� ��� �� ���� ���
��. TEC ���� ���� �� ������ ��� ���� ������.
Risk Manager� Risk Manager ��� ��� �� �� �� TEC ���� ����
�.
Start_Cisco_Secure_IDS_Adapter
Start_CheckPoint_FW-1_Adapter_on_Windows_NT
Start_CheckPoint_FW-1_Adapter_on_Solaris
Start_NIDS_Adapter
Risk Manager ���� ���� � TEC ���
Risk Manager ��� ���� � TEC ���� ��� � ����. TEC ���� �
��� �� ������ ��� ���� ������.
Risk Manager� Risk Manager ��� ���� �� �� �� TEC ���� ����
�.
Stop_Cisco_Secure_IDS_Adapter
Stop_CheckPoint_Firewall_Adapter_on_Windows_NT
Stop_CheckPoint_Firewall_Adapter_on_Solaris
Stop_NIDS_Adapter
Check Point FireWall-1� �� TEC ���
Windows ��� � Solaris�� Check Point FireWall-1� ��� ��� ���� ��
� ��� Risk Manager� ��� � ��� � �� TEC ���� �����.
CheckPoint_FW-1_by_IP_Address
��� 174 ��� �IP �� �� ��� �����.
CheckPoint_FW-1_by_Source_and_Destination
��� 175 ��� ��� � ��� �� ��� �����.
Cisco Secure PIX Firewall� TEC ���
Risk Manager Cisco Secure PIX Firewall� ��� Cisco Secure PIX Firewall �� �
� �� ��� �� ��� � �� TEC ��� �� �� �����.
Risk Manager� Cisco Secure PIX Firewall� ��� �� �� TEC ���� ����
�.
Configure_PIX_Firewall_Access
� ���� �� �����(�� � � ��) �� ���(�� �� �)� �
��� PIX Firewall � �����.
Configure_PIX_Firewall_Logging
� ���� ���� �� � Risk Manager ��� ��� � ��� PIX Firewall�� � �����. ��� 160 ��� ��� �� � ��� �����.
Show_PIX_Firewall_Configuration
PIX Firewall� �� � ����. �� ���� ���� � policy� �
��� � ����. ��� 159 ��� ��� � �� ��� �����.
Cisco Secure IDS� TEC ���
Risk Manager� Cisco Secure IDS� ��� � ��� Configure_Cisco_DataFeed TEC���� �����. ���� Cisco Secure IDS� Risk Manager �� � �� ��� �
� ����. ��� 129 ��� �Cisco Secure IDS� ���� �����.
� �� �
� ��� �� ��� �����.
¶ �Web Intrusion Detection System ���
¶ 107 ��� ����� � � �
¶ 112 ��� �Web IDS ���� TEC �� ���
¶ 113 ��� �Web IDS ��
¶ 118 ��� ��� ����
Web Intrusion Detection System ��� ��� 259 ��� �Web IDS ���� �
����.
Web Intrusion Detection System ��
Web Intrusion Detection System(Web IDS)� � � �� ���� ��� �� �� ��
���. � ���� � �� ���� � � �� �����.
Web IDS� �� � ��� ���� ��� �� � �����. � � ��� �
�� �� ���� Web IDS� ���� �� ��� � ����. �� ��� �� �
�� ���(�: phf) �� Perl � ���� �� � ����. �� �� �� ���
�.
(?i)count\.cgi
Risk Manager� � � ��� �� �� ���� sig.nefarious �� �����.
� � � ��� ��� Web IDS� ������. � � � � �����.
Web IDS� ���� �� ������.
¶ ��� �� �� �� ���� ��
�� ��
��� �� ��� � �� �� ��� �����. � �� ��� �� ���
���� ��� �����. ��� ��� �� ����� � � � �� WebIDS� ���� ���. Web IDS� �� �� �� �����. 112 �
�� ��� �� � �� �� ��� ���� �� �� ���� ���
���� � Web IDS� ��� ��� � �����.
�� ��
Web IDS� � � �� ��� ��� ����. Web IDS� ���� ���
� �� �� �� ����.
¶ � ���� ��� �� ��� ��� �� ����� ��. � �� ��� ��
�� �� ��� � �� ��� � ����. �� �� ��� �� ��� 122 ��
� �� �� ��� ��� �����. �� � � �� �� �� �� �� � ��
�� ��� �� ��� 123 ��� �� �� �� �� �� ���� �����.
¶ �� �� �� ����� ��. �� ��� ��� trusted� ��� � ����. WebIDS� trusted host�� �� ����, ��� ��� �� �� ��� �����.��� ��� trusted ���� ���� ������ ��� ��� ������ ���
� ��� � ����. � ��� �� �� �� �����. 125 ��� �trusted�� �� �� ���� �����.
¶ �� � ����� ��� � ��(��, �� �� ��) ����� ��. ��
� 125 ��� ���� � �� ��� �����.
¶ ����� �� ��� ��� �� ����� ��. ��� 124 ��� ����
��� �� �� ���� �����.
Web IDS� ��� ��� ��� ��� � ����. ��� 126 ��� ���� � �
�� �� �����.
��18� � � , Web IDS � Tivoli Enterprise Console(TEC) � ��� ��� �
�����.
�� 18. Web IDS� �� � � �� TEC � �� ��� �
���� � ��
Web IDS� �� � � �� �� �� ���� ���� � ����.
17. Web IDS� � ���� � �
Web IDS� � ��� �� � �� ��
Windows ���, AIX, Linux� Apache � � CLF ��� �� �� ��
Windows NT, AIX, Solaris � Linux�� Lotus
Domino �
CLF ��� �� �� ��
Windows NT, AIX, Solaris � Linux�� IBM
HTTPD �
CLF ��� �� �� ��
Windows NT, AIX � Solaris�� Tivoli Policy
Director WebSeal �
CLF ��� �� �� ��
Windows NT, AIX, Solaris � Linux� iPlanet �
� , Enterprise Edition(���� Netscape
Enterprise � ), � 4.1
CLF ��� �� �� �� �� ���� �� �
� ��� �� �� ��
Windows NT� Microsoft Internet Information �
(IIS)
�� ��
¶ W3C Extended Format(W3C)
¶ Internet Information Server(IIS)
¶ Open Database Connectivity(ODBC)
¶ National Center for Supercomputing
Applications(NCSA)
��� �� � � � � ���(115 ��� �� � ��� �� �� �� �).�� ��, Web IDS �� W3C � �� ���� �� � �� ��� � �� ��
�� � ���(�� ��� 116 ��� �Microsoft Internet Information �
�� �).
Perl ��
Web IDS� ����� ���� � ���� �� Perl ��� ��� ��� �� ��
�. Risk Manager� ��� Perl ��� �����.
�� Risk Manager Perl ��� Risk Manager EIF ������ �� Perl �� rmadpm.pm �����. ���� Web IDS �� � �� ���� ���.
�� �� ��� ���� �� �� ����� � ���� ��� � � �� �� �
���.
CLF ��� �� ��� � � ��� �� ���� �� �����. � � � ��� �� ��� �� �
��. � � � �� ��� �� ��� � � � �� ��� �� ���� ��� � �
� �� �� �����. Web IDS� � � � ��� �� �� ����.
� � � �� ��� �� ��� �� �� ���� ������. Apache � � iPlanet� � (���� Netscape Enterprise � )� ���� CLF� �� ��� �� � ���
��. Web IDS� �� �� �����.
Web IDS� �� �� ��(CLF) �� �� � �����. CLF� ��� CLF� ��
� �� ��� ��� ���� ����. �� ��� � ��� CLF� ��� ��,Web IDS� � ��� �� ��� �����.
��� �� �� �� ����� ��� ��� � � � � ���.
�� ��� �� ��� �� � �� �� � �� ��� ��, Web IDS� � �� ��
�� ��� � ��� �����.
�� � �� �� � ���� �� ��, �� �� ���� � Web IDS� ����
� �� ��� �� � ��� warning ���� ����. �� ��, �� � � �
�� ���� ���� � � �� ��� � �� ��� �� �� ����. ��
��� ��� �� ��� CLF �� ��� �� ��� Web IDS� �� ���� ���
��.
ALERT :parser(readAccessLog)==><line1>:Malformed line in the logfile. the other tests skipped.
sig.nefarious �� ��
Risk Manager sig.nefarious ��� � ��� �� �� ����. Web IDS� � �
� ���� ��� � � � � ������.
� , �� sig.nefarious ��� �� �� �� ����.
Windows ���
Tivoli\lcf\bin\w32-ix86\RISKMGR\adapters\etc\
AIX ���
/opt/Tivoli/lcf/bin/aix4-r1/RISKMGR/adapters/etc/
Solaris ���
/opt/Tivoli/lcf/bin/solaris2/RISKMGR/adapters/etc/
Linux ���
/opt/Tivoli/lcf/bin/linux/RISKMGR/adapters/etc/
��� �� �� ��� � Risk Manager� �� � �� �� �� �� ��
��� �� Tivoli �� � ����� �� �� �� �� ���� � ����.
http://www.tivoli.com/support/secure_download_bridge.html.
webids.cfg � �� ���� ����� �� ��� � �� � � �� ���.��� �� �� signatureFilePath_value=���.
�� ���� Perl � ��� �� ��� �����. �� �� ���� ��
� �� �� �� �����.
¶ �� �� �� sig.nefarious ��� �� ���� � �����.
¶ webids.cfg � �� ���� � �� ��� �� �� ������.�:
signatureFilePath_value = \Fully_Qualified_Path\new_filename
¶ ���� ��� �� �� ���� ��� ���.
¶ � ��� � �� �����.
¶ �� ���� � �� ��� ����.
1. Perl � �� ��� ��� ��
2. �� � ���� ��� ���
3. � ID(��� �� ��)
4. CVE �� Bugtraq�� ��� ���� �� �� ��
¶ 4�� ��� 4�� ��� �����. �:
(?i)showcode\.asp showcode.asp [CAN-1999-0737] [CVE]
¶ � �� ��� � �� ��(#)� �� �� ��� ���� ����. �� ��
�� ���� �����.
¶ �� �� ��(#), [engine= ��� �� [class= ����� ��� ��� ���
� �����.
¶ Web IDS� ���� �� �����.
¶ ���� �� ��� �� ���� ��� ��� � ��� � ����. ��� �
� � �� �� ��� �� ���.
¶ Web IDS� �� ��� ���� ���� ��� ��� ���� ��� �� �� �
����. (�� ��, ��� ���� ��� cgi ����� �����.)
¶ ��� �� [class= ���� �� [engine= �� [class= ���� ��� ��� �
� ���� �����.
¶ ����(;)� ���� �����.
sig.nefarious ���� � ��� ��(���� ���) ���� �� �� ����. �
���� ���� �� �� ��� �����.
����� �� ��� �� �� �� ��� �� �� ���� ���� �� �� �� ���
��. ��� �� �� �� ��� 16�� �� � � ����.
� ��� ��� �� �� ��� URL(Uniform Resource Locator) � ����
� ��, ���, �� � ���� ��� ���� �����.
¶ �� ��� �� ��(�: �� ��� �� ��)
¶ �� � �� ��� �� � ��
¶ ���� URL ��
¶ �� URL ��
¶ URL ��� �� ���� �� 16�� �
¶ � ��� �� ���� �� 16�� �
¶ URL ��� �� ��� 16�� �
¶ � ��� �� ��� 16�� �
�� ���� �� ���� ����. ���� ����� ��� � ����.
��� ��� �� �� ����.
[class=classname; level1=count1; level2=count2; k=decay_param]
�� ���� �� � ����.
¶ level1=count1;
¶ level2=count2;
¶ k=decay_param
���� ��� ��� ���� ��� ��� �� ��� 126 ��� ���� � �
�� �� �����.
�� �� ��� �� �� ��� �� ���� �� �� ����. � ��� ���� �
� ��� �� �� ����.
¶ url
¶ ��
¶ �
¶ ��
��� ��� �� �� ����.
[class=classname; field=fieldname; level1=count1;level2=count2; k=decay_param]
���� ���� � ��� �� ��� � ���� �����. ���� ��� ���
� �� ��� ���� � �� ���� ��� � ����.
¶ ��� ��� � ��� ��� ��� ���� ��� ��
¶ ��� ��� ����� ��
¶ ��� ��� 16�� �(16�� �) ���� ��� ��
�� ���� �� ��� ��� �� �� ����.
[class=classname; field=field; requires=class; level1=count1;level2=count2; k=decay_param]
��� �� ��� ��, �� �� �� �� � ��� �� ��� ���� ���.�� � �� ������ ���� � �� ����� � �� ������.
Web IDS � �� ���� sig.nefarious ��� � �� � ������. �
����� ��� �����.
¶ 123 ��� �� �� �� �� �� ���
¶ 122 ��� ��� ��� �� �� ���
¶ 126 ��� ���� � ��� ��
¶ 123 ��� �� ��� �� � ��
�� �� ��� ��� �� ���� ���� �����. ����� Web IDS� �� ��
��� ���� �� �� ��, sig.nefarious ��� ��� � ���� � �� �
��� � �� ��� � ����.
��� ��� �� �� ����.
[class=suspiciousHosts; printLvl=level]
Web IDS� ���� sig.nefarious ��� � �� � ������. � �����
��� �����.
¶ 124 ��� ���� ��� �� �� ���
¶ 125 ��� ���� � �� ���
� ��� ��� ��� trusted� ��� � ����. trusted host�� �� ����, �� �
�� �����. ��� ��� trusted ���� ���� ������ ��� ��� ���
��� ��� � ��� � ����. �� �� ��� �����.
�� �� ��� trusted� ��� � ����. ��� �� ���� � �� �� ��
�� ���� �����. ��� �� �� � ���� ��� �� ��� �
�� � ����. � ���� �� �� �� ���� � ����. �� ��� trusted�� ��� �����. � �� � �� ���� �� �� �� �����.
��� ��� �� �� ����.
[class=classname; field=fieldname; cancels=class]
�:
[class=trustedSig; field=url; cancels=all]
/cgi-bin/fortune
/cgi-bin/here
Web IDS� ���� sig.nefarious ��� � �� � ������. � ���� 125��� �trusted �� �� �� ���� ����.
���� ��� ��� � �� �����. � ��� �� ��� (�� ����) ���
� ����. � � ���� ��� Web IDS�� ���� ����. �� �� �
�� ��� ��� ����� �����. � �� ��� ��, ��� � ��� ��
���� ���� �� �����. ��� �� �� ���� ��� ��� �� �
�� � �� � ���� ����. �����, Web IDS� gif �� jpg ���� ��
�� �� �� �� ���� ����. � ���� ��� ��� �� �� ����
�. �:
[class=pictures; field=url]
\.gif$ gif
\.jpg$ jpg
Web IDS ���� TEC �� ����� ���� Web IDS� ���� ���� �� � ��� ���� �� TME ��
� ������.
¶ ��� �� ��(UNIX syslog �� Windows ��� �� ��)
¶ Risk Manager EIF ������ Perl ��
Tivoli ��� � � ���� ��� �� ���� �� ����� � ��� �� ��
���� ����. �� �� ����� ��� �� ��� ���� �� �� ��
� ���� �� ���� ��� � �� �� ��� ���� ��� �����. �� ��
��� �� ��� � �� �� ������ �� ��� �� ��� ���� ��
�� �� ����. Risk Manager ��� �� ��� �� ��� ��� 53 ��� �RiskManager � �� ���� �����.
Web IDS � Risk Manager Event Integration Facility
Web IDS� �� �� �� Risk Manager EIF� ���� Web IDS ���� Risk Manager� � ���� Web IDS� ����. Web IDS� Risk Manager EIF� ���� ���
� Risk Manager � � ���� �����, webids.cfg�� librmad_value=1 ���
��.
Web IDS ���� � �� ��� ���� Web IDS� �� �� ����. Web IDS� ���� � ��� ��� ������ �����, webids.cfg�� librmad_value=0 �����.
UNIX ���
���� syslog� �����. TEC �� �� ��� ���� ��� ���� WebIDS ���� ��� �� Risk Manager � � ������.
Windows ���
���� ��� ��� �����. TEC Windows ��� �� ��� ���� �
�� ���� Web IDS ���� ��� �� Risk Manager � � ������.
��� �� � �� �� ��� ����� ��� � (�: ��) �� �� ��� ��� � ��� ���� � � ���
�� � ����. Web IDS� ��� �� � �� ��� ��� �� ����. webids.cfg�� �� �� ��� � ��� �� ������.
filePattern_value
��� �� �� ���� � Web IDS� �� �� �� �����. Web IDS� � � ���� �� �� � ��� �� �� �����.
filePath_value
�� ��� ���� �� �� �����.
fileMatch_value
1 �� �� �� �����.
0 �� �� �� ���� ����. Web IDS� filePattern_value �
filePath_value �� �����.
�� ��, UNIX ����� Apache� �� ����.
filePattern_value = access_log.*
filePath_value = /usr/local/apache/logs
fileMatch_value = 1
-i �� �� ��� ��� ��� webids.cfg� ��� � �����. ��� � ��
� � ��� ����, ��� ���� �� � ��� ��� ����.
Web IDS ��
Tivoli ����� �� � Tivoli ���� Web IDS ��� � �� �� � ��
��. ���� TEC� ���� � ��� �� �� ���� TEC ��� ��� ��
� ��� 31 ��� �Risk Manager ���� Web IDS � � ��(Risk Manager Perl� Risk Manager EIF� ����) �� �� ��� ��� �����.
���� � ��� Web IDS ��
Web IDS� �� ��� �� � �� � �� webids.cfg � �����. � �
���� Risk Manager Web IDS� ���� � � � � �� �� ����.
�: ���� � � ��� �� � ��� ��� � ���� ��� ������.
�� �� �� �� �� ���� � � � �� ���. CLF� �� ���� ��
�� �� ���� ���� CLF �� �� ���� �� � � ��� �� � �
�� ��� � ����. ��, �� ��(#)� ���� �� �� �����.
Web IDS � �� ���� �� ��� � ����.
¶ Risk Manager �� ����� ��� �� ��� ��� �����.
¶ -p ��� ���� ��, ���� TME ��(UNIX syslog �� Windows ��� �
� ��) �� Risk Manager EIF� ���� �� �����.
¶ � � � �� �� � �����.
¶ �� ��� ��� �� �� � �����.
¶ ���� ��� �� ��� ��(CLF�� ����� CLF� ��) �����.
¶ �� � � �����.
¶ �� ��� ��� �� �����.
¶ �� � �����.
¶ � � � � � ���� ��� ����� ���� ��� ��� �����.
¶ ��� �� ���� �����.
� �� � ��� �� ��� ��� 119 ��� �Web IDS � �� ��� ��
���.
Risk Manager EIF� �� ��� � ��� Web IDS ��
Web IDS� �� �� �� Web IDS ���� Risk Manager � � ��� Risk Manager EIF� Web IDS ���� � ��. Web IDS �� �� ���� Web IDS ����� Risk Manager TEC ����� ��� �� ����� Risk Manager EIF� ���� �� ��
���.
�: Unix ���� WebIDS� ��� �� Risk Manager �� ����� �� ��� �
�����.
. /etc/Tivoli/rma_eif_env.sh
Web IDS ���� ����� Risk Manager EIF� ����, webids.fmt �� RiskManager EIF rmad.fmt �� ��� �� ������. �� ���� rmad.fmt �� �
��� ��� �� ��(.cds) �� �����. rmad.cds �� ��� �, ��
�� ������.
1. rmad.fmt ��� �� webids.fmt� ������.
Windows ���
type webids.fmt >> rmad.fmt
UNIX ���
cat webids.fmt >> rmad.fmt
Risk Manager EIF� Windows � Unix ��� ���� webids.fmt �� �����.
2. ��� �� ��(.cds) �� � �� � riskmgr_gencds � ������.
riskmgr_gencds rmad.fmt >rmad.cds
3. Web IDS� � ���� �� rmad.cds �� �� ������.
ACF� ���� Web IDS�� ��� � ��� rmad.cds� ���� ��� ��� 46��� �ACF� ��� Risk Manager �� � � ���� �����.
TEC ��� � ��� � ��� Web IDS ����� ���� � ��� ��(UNIX� syslog, Windows� ��� ��)� ���� WebIDS� �� � ����. � ���� Web IDS� ���� �� �� ������.
1. webids.cfg�� librmad_value=0 �����.
2. TEC �� �� ��(�� Windows� TEC ��� �� ��)� Web IDS ����
��� ��� ������.
3. Web IDS �� �� TEC ��� �� ��(tecad_logfile.fmt �� tecad_nt.fmt)�� ������.
UNIX ��� �� �� ��
webids.fmt
Windows ��� ��� �� ��
webids.nt.fmt
4. ��� �� ��(.cds) �� �������. �� ������.
UNIX ���
../bin/logfile_gencds ../etc/tecad_logfile.fmt >../etc/tecad_logfile.cds
Windows ���
..\bin\nt_gencds ..\etc\tecad_nt.fmt > ..\etc\tecad_nt.cds
5. Web IDS � TEC ��� � ���� �� tecad_logfile.cds �� tecad_nt.cds�� �� ������.
� �� ��� �� �� ��
Web IDS� ���� �� � � ��� �� �� � ���. � � � �� �
���� �� �����.
¶ CLF� �� �� � � �
v Windows NT, AIX, Solaris �� Linux ����� Apache � � �
v Windows NT, AIX, Solaris �� Linux ����� IBM Lotus Domino � �
v Windows NT, AIX, Solaris �� Linux ����� IBM HTTPD (WebSphere) �
�
v Windows NT, AIX, Solaris �� Linux ����� Tivoli WebSeal(Policy Director)�
¶ Windows NT, AIX, Solaris �� Linux ����� iPlanet � � (Netscape Enterprise� ) �
¶ �� �� �� �� ���� Microsoft Internet Information � �
v W3C
v IIS
v NCSA
v ODBC
�� �� ���� � �� ��
CLF ���� ��� �� �� ��� � � �� ��� �����.
¶ Windows NT, AIX �� Solaris ����� IBM Lotus Domino �
¶ Windows NT, AIX �� Solaris ����� IBM WebSphere� ���� IBMHTTPD(WebSphere) �
¶ Windows NT, AIX �� Solaris ����� Tivoli WebSeal(Policy Director) �
¶ Apache � �
Netscape iPlanet � � � �� �� �� �� ���� CLF� �� � �� �� �
����. �� � ��� 116 ��� �iPlanet � � (Netscape Enterprise � ) ��
�����.
Tivoli WebSeal(Policy Director) �� ��
Tivoli WebSeal� ��, �� � ���� �� ��� �� ��� �� � �� ��
�. ��� Web IDS� �� �� ��� ����. WebSeal �� �, �� � ��
�� �� ��� ��� �� �� ��� �����. WebSeal � ��� wand �
�� � �� ��� �� ��� �� �� �� � � ��� � ����.
iPlanet � ��(Netscape Enterprise ��) ��
iPlanet � � (���� Netscape Enterprise � )� ���� �� ������.
1. /*/netscape/server4 �� �� �� startconsole.sh ���� �� ������. �
���� ��� Netscape � ������ ��� �� ����.
2. �� ��� �� �� �� �� � ��� �� � � � �����.
3. ��� ��� � � ��� ������.
4. ��� �����.
5. � �� �� ��� ��� �� � ��� �����.
6. ��� �� ��� �� �� �����.
7. �� � �� �� �� ��� �� �� �����.
�� ��� �� �� � � ��� �� ����.
/*/netscape/server4/https-hostname.domain.com/logs/access
Microsoft Internet Information �� ��
Web IDS �� ��� ��, IIS(Internet Information Server)� � �� �� ��� �
� � �� �� ����� � ���. �� ��� � ��� �� �� ���
�� IIS� ��� �� �����.
1. Microsoft �� ���, � � � � ��� ��� �� �����.
2. � ��� ��� ��� � �����.
3. �� ���� �� �����.
4. � � ��� �� ��� �����.
� �� ��� ��, IIS� ��� �!�� �� �� �� ��� ��� �����.
IIS W3C � ��� �� Windows� � �� ��� �� ��� � ���. IIS�
���� �� ��(�: National Center for Supercomputing Applications(NCSA))� ��
� �� ��� � �� �� ��� ��� ����.
W3C ��� � �� ��� �� �� ��� � ���.
¶ ��
¶ ��
¶ ����� IP ��
¶ ��
¶ URI ��
¶ URI �
¶ �� ��� �
¶ HTTP ��
¶ �� � �
�� ��(�: Cookie �� Server Port) ��� ��, Web IDS� Risk Manager EIF�� Windows ��� �� ��� ��� �� �� ��� �� ��� �����. logPattern�� �� ���� �� ignore� �����.
� ��� �� �� ��� �� ������.
1. Microsoft Personal WebServer → Internet Service Manager� �����.
2. ���� Default Web Site� �����.
3. ��� �� ��� ���� ��� �����.
4. � �� → �� � �� �����.
5. � �� ���� W3C �� � �� �� �����.
6. � �� → �� �� � �����.
�� ��� �� ��� �� ���� �����. �� ��, �� ��� � ����.
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status sc-bytes cs-version
��� �� �� ��� �� �� Web IDS� ��� ������. ��� Web IDS�
�� �� �� ��� �� ��� ���� �� ���� �����.
ALERT :parser(readAccessLog)==>nnnn:Malformed line in the log file.the other tests skipped.
�� ��� �� � ��� ��� �� ��, �� ��� (-)�� �����.
IIS � � ��� �� ��� �� �� YYMMDD ��(�: ex000530.log) ���� �
���.
c:\winnt\system\logfiles\w3svc1\exYYMMDD.log
NCSA(National Computer Security Association) ��� ���� �� �� ��� ��
ncYYMMDD.log ���.
Web IDS �� ��� �� � � �� � �� ��� ��� �� ��� � ��. Web IDS� � � � ��� �
� �� ����.
��� �� �� ��� �� ����.
some.host.org - - [03/May/2001:03:42:23 +0000] "GET /cgi-bin/test-cgi HTTP/1.1" 500 345
�� �� �� ���� �� �����.
¶ ��� �� ��� �(�: some.host.org)
¶ ��� ��(�� ��� ��)
¶ �� ��� �� ��
¶ �� ��. ��� URL�� ��� � �� ��� �����. �� ��, �� ���
�� �����.
"GET /cgi-bin/test-cgi HTTP/1.1"
¶ �� �. �� �� 2nn���. 4nn �� 5nn� �� �� ��� �� ��.
¶ �� ��� �
Risk Manager� Web IDS� ����� �� �� ��� �����. ��� ��� ���
�����.
¶ test.log
¶ test.result
¶ Windows ���� test.results.evt
¶ UNIX ���� test.syslog
Windows ������ ��� ��� ���� �� �����.
���� � ��� ��� ��� � ��� � �� ��� �� ������ �
� �(�: test.myresult) ��� � ����.
test.log �� ����� �� ���� ��� ���� � �� ����.
webids.bat -i test.log
��� � ��� ��(�: test.myresult)� ��� �� ������.
webids -i test.log > test.myresult
��� test.results� ��� ��� �� �����.
# 956066584_1
some.host.org - - [03/May/2001:03:42:23 +0000] "GET /cgi-bin/test-cgi HTTP/1.1" 500 345
WARNING : pattern(serverError) ==> 5xx
WARNING : pattern(cgi) ==> test-cgi
ALERT : pattern(cgi) ==> class 'cgi': lvl=1.00 >= 1!
DECODED :
REQUEST : GET /cgi-bin/test-cgi HTTP/1.1
HOST/USR: some.host.org - -
STATUS : 500
BYTES : 345
METHOD : GET
URL : /cgi-bin/test-cgi
QUERY :
VERSION : 1.1
DATE : 03/May/2001:03:42:23 +0000
-------------------------------------------
�� ���� ���� Web IDS� ��� �� ���� ���.
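The CLF fields listed above and the signature layout described earlier in this chapter (four-field signature lines, '#' comment lines, [class=...] headers), as an added Python checker that is not part of the manual or of the Web IDS code. It decodes a CLF line into the fields shown under DECODED in test.results, matches the request against a constructed signature set in the sig.nefarious layout, and reports WARNING/ALERT lines in the same style, including the malformed-line alert. The scoring is an assumption: a class level is the number of hits per client host in that class and level1 is the ALERT threshold; the decay parameter k is read but not applied.

```python
import re
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# Constructed signature set in the sig.nefarious layout (not the shipped file):
# a [class=...] header, '#' comment lines, then one signature per line as
#   <perl-style regex> <description> <id> <source>
SIGNATURES = r"""
[class=cgi; field=url; level1=1; level2=3; k=1000]
# CVE-1999-0067, Bugtraq ID 629, input validation error
phf phf [CVE-1999-0067] CVE
(?i)test-cgi test-cgi [test-cgi] none
(?i)showcode\.asp showcode.asp [CAN-1999-0737] [CVE]
[class=directory; field=url; level1=2; level2=1; k=1000]
# Some servers are sensitive to directory tricks like specifying /./
/\.\./ dotdot [dotdot] none
"""

# Common Log Format: host ident authuser [date] "request" status bytes
CLF_RE = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<date>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\d+|-)$')


def load_signatures(text: str) -> List[dict]:
    """Return one dict per signature with its class header fields attached."""
    header: Dict[str, str] = {}
    sigs: List[dict] = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue                                    # blank or comment line
        if line.startswith('[') and line.endswith(']'):
            header = {}                                 # new class header
            for item in line[1:-1].split(';'):
                key, _, value = item.partition('=')
                header[key.strip()] = value.strip()
            continue
        regex, name, sig_id, source = line.split(None, 3)
        sigs.append({'re': re.compile(regex), 'name': name, 'id': sig_id,
                     'source': source, **header})
    return sigs


def decode_clf(line: str) -> Optional[dict]:
    """Split a CLF line into the fields printed under DECODED; None if malformed."""
    m = CLF_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = rec['request'].split()
    if len(parts) != 3:                                 # expect METHOD URL HTTP/x.y
        return None
    method, target, version = parts
    url, _, query = target.partition('?')
    rec.update(method=method, url=url, query=query,
               version=version.replace('HTTP/', ''))
    return rec


class WebIds:
    """Run every signature against each decoded line and track class levels."""

    def __init__(self, sig_text: str):
        self.sigs = load_signatures(sig_text)
        self.lineno = 0
        # (client host, class name) -> accumulated level (assumed: one per hit)
        self.levels: Dict[Tuple[str, str], float] = defaultdict(float)

    def check_line(self, line: str) -> List[str]:
        self.lineno += 1
        rec = decode_clf(line)
        if rec is None:
            return [f'ALERT :parser(readAccessLog)==>{self.lineno}:'
                    'Malformed line in the log file. the other tests skipped.']
        out: List[str] = []
        if rec['status'].startswith('5'):
            out.append('WARNING : pattern(serverError) ==> 5xx')
        for sig in self.sigs:
            cls = sig['class']
            if not sig['re'].search(rec[sig['field']]):
                continue
            out.append(f"WARNING : pattern({cls}) ==> {sig['name']}")
            key = (rec['host'], cls)
            self.levels[key] += 1.0
            lvl = self.levels[key]
            if lvl >= float(sig['level1']):
                out.append(f"ALERT : pattern({cls}) ==> class '{cls}': "
                           f"lvl={lvl:.2f} >= {sig['level1']}!")
        return out


if __name__ == "__main__":
    ids = WebIds(SIGNATURES)
    sample = ('some.host.org - - [03/May/2001:03:42:23 +0000] '
              '"GET /cgi-bin/test-cgi HTTP/1.1" 500 345')
    print("\n".join(ids.check_line(sample)))
```

For the test.log line from this section the checker reports the same three WARNING/ALERT lines as test.results; a second directory-trick request from the same host is needed before the directory class (level1=2) raises an ALERT.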
Web IDS �� �� �� �� ���� �� 113 ��� ����� � � � Web IDS ��� �� ���
�����.
webids.cfg � ��� Web IDS� ���� �� �� ���� �� ��� � �� �
� �� ��� ��� �����.
� � ��� Risk Manager Web IDS� ���� � � � �� � �����.
���� � ��� �� � � ���� �� ��� ����. ��� �� ���
�� ���� ����.
�: ���� � � ��� �� ��� � ���� ��� ������.
TEC ��� ��� ��� �� ��
Web IDS� wbindmsg ���� ���� � ��� �����. webids.cfg ���
path_value ���� � ����� ��� �����. path_value ���� �� �� WebIDS � � � � ���� ����.
path_value = path
��� path� wbindmsg ����� �� ��� �� �����. wbindmsg ����� RiskManager EIF �� ����.
��� �� ���� �� �� �� �� ���� ��, ��� ��� ����� NLS(NationalLanguage Service) ��� � ���. �� NLS ��� Web IDS � � � ���
� ���� ����. nlsPath_value ���� ���� �� �� ����.
nls_Path_value = nlspath
��� nlspath� Web IDS �� ���� �� webids.cat� �� ��� �� ����
�. �� ��, nlsPath_value� �� �� ����.
nlsPath_value = x:\webids\%L\%N.cat
x:� ���� �� �(%L) �� ���� �� � �(%N.cat)� ��� ����
�����.
%L � %N� ���� ���.
��� �� ��
Web IDS� Risk Manager EIF Perl ����� ���� ���� Risk Manager � �
�� ��, webids.cfg ��� �� librmadPath_value ��� ���� � ���� �
����� ����. � ���� Web IDS � � � ��� ���� ���� ��
��. �� ��, Web IDS� Windows� �� ��, �� ���� ����.
librmad_value=1
librmadPath_value=x:\Program Files\Tivoli\RISKMGR\bin
��� librmad_value=1� Web IDS� ���� Risk Manager EIF� ����� �
�� librmadPath_value� Risk Manager EIF�� �� ��� �� ������ �� �
�� �����.
sig.nefarious �� ��� �� ��
Risk Manager sig.nefarious ��� � ��� �� �� ����. Web IDS� � �
� ���� ��� � � � � ������. sig.nefarious ��� �� ��� ��
� 108 ��� �sig.nefarious �� ��� �����.
�: Risk Manager� ���� �� sig.nefarious �� ���� ����. � ��� �
� ��� � ��� �� ������.
webids.cfg � �� ���� ����� �� ��� �� � �������:
signatureFilePath_value = Path\SignaturesFileName
Path\SignaturesFileName� �� � �����.
¶ �� sig.nefarious ��� ��� �� � �� �
¶ Risk Manager� ��� sig.nefarious �� ��, �� � ��, ��� �� �
�� ��� �� ��� �� �� ��. �:
signatureFilePath_value = g:\webids\sig.mysignatures
�� �� sig.nefarious �� �� ������ Tivoli Risk Manager � ���� �
����.
http://www.tivoli.com/support/secure_download_bridge.html
�� �� ��� �� ��� �� ���� �� ��� �� �� �� �� ���� �� �� ���
��.
exit_value = n
�� ��� ��� ��� ����� �� � ��� �����.
0 ��� ����.
1 � �� �� �� ����.
n �� �� �(��� �� ���� �� ��� �� �� �� �)�� ���
�. ��� �� �� �� �� (2**53)-1(�, 9007199254740991) � � ��
��.
Web IDS ��� �� Windows NT ���� ���� �� �� Risk Manager ��� �� Perl���� �� ���� Web IDS� ������. Web IDS� Apache � � � ����
� Apache � � � ���� Web IDS� �����.
Windows ����� Web IDS ��� � ���� Windows ����� Web IDS� �����.
webids.bat [-etdvh -i input_file -c configuration_file]
-e Windows ������ ��� �� �� Risk Manager EIF� ��� ���
��.
-h Web IDS� �� �� ��� ����.
-t ����� ��� �� ��� ��� ��� �����.
-d � � ��� �����. ����� ��(STDOUT)�� ���� �
� ��� ���� � ����.
-v � ��� �����.
-i input_file ��� �� ��� ��� �� � �����.
-c configuration_file� ��� ��� �� � �����. ���� �� ����.
%RMADHOME%\etc\webids.cfg
�� ��, Windows 2000�� Web IDS� ��� � � � ��� ��(webserver.accesslog)�� �� �� �� TEC ��� �� ��� ���� �� ������.
webids.bat -e -i webserver.accesslog
UNIX ����� Web IDS ��� � ���� UNIX ����� Web IDS� �����.
webids [-etdvh -i input_file -c configuration_file]
-e syslog �� Risk Manager EIF� ��� �����.
-h Web IDS� �� �� ��� ����.
-t ����� ��� �� ��� ��� ��� �����.
-d � � ��� �����. ����� ��(STDOUT)�� ���� �
� ��� ���� � ����.
-v � ��� �����.
-i input_file ��� �� ��� ��� �� � �����.
-c configuration_file� ��� ��� �� � �����. ���� �� ����.
$RMADHOME/etc/webids.cfg
�� ��, UNIX ����� Web IDS� ��� � � � ��� ��(webserver.accesslog)�� �� �� �� TEC ��� �� ��� � ��.
webids -e -i webserver.accesslog
�: Unix ���� Web IDS� ���� ��, Risk Manager �� ����� �� ��� �
�����.
. /etc/Tivoli/rma_eif_env.sh
� ��� ��
Web IDS� �� ��� � ��� �� ��� �����. ��� �� ��� ����.
956066584_1
some.host.org - - [03/May/2001:03:42:23 +0000] "GET /cgi-bin/test-cgi HTTP/1.1" 500 345
WARNING : pattern(serverError) ==> 5xx
WARNING : pattern(cgi) ==> test-cgi
ALERT : pattern(cgi) ==> class 'cgi': lvl=1.00 >= 1!
DECODED :
REQUEST : GET /cgi-bin/test-cgi HTTP/1.1
HOST/USR: some.host.org - -
STATUS : 500
BYTES : 345
METHOD : GET
URL : /cgi-bin/test-cgi
QUERY :
VERSION : 1.1
DATE : 03/May/2001:03:42:23 +0000
-------------------------------------------
Adding signatures
Web IDS recognizes attacks by matching signatures (patterns) against each request it reads. The signatures are kept in the sig.nefarious file, where they are grouped into classes, and you can add patterns of your own for attacks that Web IDS does not yet recognize.
A signature is a regular expression that is matched against one field of the request. Test a new signature against a sample of your own log before relying on it, because a pattern that is too broad reports legitimate requests as attacks.
Before you change sig.nefarious, back up the file. Record what you changed and why, so that the change can be reapplied after an upgrade or undone if it causes false alarms.
The following sources are useful when you write new signatures:
¶ Bugtraq, at http://www.securityfocus.com
¶ Common Vulnerabilities and Exposures (CVE), at http://www.cve.mitre.org
Both describe the attacks, and often the request strings, that a new signature should match.
Adding a pattern class
A pattern class in sig.nefarious groups the patterns (signatures) for one kind of attack together with the thresholds that control when Web IDS reports a match. A class consists of a header line followed by its patterns, one per line.
To add a pattern class:
1. Open sig.nefarious and find the ENGINE PATTERN section.
2. Add the class header:
a. The header has this form:
[class=classname; field=fieldname; level1=count1; level2=count2; k=decay_param]
class=classname The name of the class.
field=fieldname The request field that the patterns are matched against. Valid values are host, method, url, status and query.
level1=count1 The alert threshold; see 'Understanding levels' on page 127.
level2=count2 The warning threshold; see 'Understanding levels' on page 127.
k=decay_param The decay parameter; see 'Understanding decay' on page 127.
The header may be preceded by comment lines that describe the class. Comment lines begin with a number sign (#).
3. After the header, add the patterns, one regular expression per line.
4. Save the file.
Example:
[class=directory; field=url; level1=2; level2=1; k=1000]
# Some servers are sensitive to directory tricks like specifying /./
# in the path name.
/\.\./
/\.\
To add a pattern to an existing class, for example the cgi class:
1. Open sig.nefarious.
2. Find the ENGINE PATTERN section.
3. Find the class header, which begins [class=cgi; field=url; ....
4. Add the pattern:
a. Precede it with a comment line (beginning with #) that gives the CVE ID (if any), the Bugtraq ID (if any) and a short description, for example:
# CVE-1999-0067, Bugtraq ID 629, input validation error
phf
b. Put the pattern itself, a regular expression matched against the field named in the header, on the line after the comment.
5. Save the file.
Using the requires= keyword
The requires= keyword in a class header makes Web IDS evaluate the class only when other classes, or the built-in parsers, have already matched the same request. This lets you build a specific class on top of a general one: for example, a class that looks for hex-encoded characters is only interesting when the request also targets a CGI program, so the class can be made to depend on the cgi class instead of repeating its patterns.
requires=class names the classes that must have matched. Each class is written as engine(classname): classes of the pattern engine are written pattern(classname) and the built-in parsers parser(name). Every class named in a requires= expression must exist in sig.nefarious. The following are examples of valid expressions:
requires=pattern(cgi)
requires=parser(suspiciousHexCodesUrl)
requires=parser(suspiciousHexCodesQuery)
requires=pattern(cgi)|pattern(directory)
requires=(pattern(cgi)|pattern(directory))&(parser(suspiciousHexCodesUrl)|parser(suspiciousHexCodesQuery))
Where classname is the name of a class defined in sig.nefarious. Classes can be combined with parentheses and the following operators:
| OR
& AND
! NOT
To add a class that uses requires=:
1. Open sig.nefarious.
2. Find the ENGINE PATTERN section.
3. Add the class:
a. Add the header, with the requires= expression after the field= keyword:
[class=classname; field=fieldname; requires=class; level1=count1; level2=count2; k=decay_param]
The header may be preceded by comment lines that describe the class. Comment lines begin with a number sign (#).
b. level1=, level2= and k= are optional. If you omit them, the default values described on page 126 are used.
c. After the header, add the patterns, one regular expression per line.
4. Save the file.
Identifying suspicious hosts
You can make Web IDS report every request from hosts that you regard as suspicious, for example hosts from which attacks have been seen before. Suspicious hosts are listed in sig.nefarious by IP address or by host name.
Web IDS compares the listed entries with the host field of each request. Host names may contain the letters a to z, the digits 0 to 9, the dot (.) and the hyphen (-).
To list a host by IP address, add an entry of this form:
9.37.47.192 # suspicious host
To list a host by name, add an entry of this form:
possible.attack.org # suspicious host
The entries follow a class header of this form:
[class=suspiciousHosts; printLvl=level]
class= The class name; the class for suspicious hosts is suspiciousHosts.
printLvl= How much Web IDS reports about requests from the listed hosts. Valid values are all, alerts and warnings; they are described below.
To add suspicious hosts to sig.nefarious:
1. Open sig.nefarious and find the suspiciousHosts class.
2. Add one line per host, giving its IP address or host name. Text after a number sign (#) is a comment.
3. Set the printLvl= value in the class header to the level of output you want:
all Every request from the host is reported, whether or not it matches any pattern.
warnings Requests that produce a warning or an alert are reported.
alerts Only requests that produce an alert are reported.
4. Save the file.
Trusted classes
A trusted class tells Web IDS that a request matching it is not to be reported, either at all or for particular classes. Use trusted classes to stop known legitimate traffic, for example downloads from a friendly mirror host, from being reported as attacks. Be careful: a request that a trusted class cancels is not reported even when it is a real attack, so an attacker who comes from a trusted host, or requests a trusted URL, goes unnoticed.
The class header has this form:
[class=classname; field=fieldname; cancels=class]
class=classname The name of the trusted class.
field=fieldname The request field that the patterns are matched against. Valid values are host, method, url and query.
cancels=class The classes whose reports are cancelled when a pattern of this class matches. Valid values are:
all Cancels all classes: the request is not reported at all.
engine_name(class_name) Cancels only the named class of the named engine, for example pattern(cgi).
engine_name(class_name),engine_name(class_name) A list of classes separated by commas (,) cancels each class in the list.
Examples:
[class=trustedHosts; field=host; cancels=all]
friendly\.computer\.org
[class=linuxDistr; field=url; cancels=pattern(cgi),pattern(file)]
|\xlinus/mirro/linux
Tuning the thresholds
Risk Manager Web IDS reports warnings and alerts according to thresholds. If a class reports too many events for the normal traffic of your server, or too few for an attack that you know it matches, adjust the thresholds of that class rather than removing its patterns. For example, a CGI pattern that is matched legitimately by an application on your server can be given a higher threshold so that it is reported only when it is matched repeatedly.
The parameters that control reporting are set in the class header in sig.nefarious:
¶ level1
¶ level2
¶ k
Read 'Understanding levels' and 'Understanding decay' before you change them. Keep a backup of sig.nefarious so that you can return to the previous settings.
To change the thresholds of a class:
1. Back up sig.nefarious.
2. Open sig.nefarious.
3. Find the ENGINE PATTERN section.
4. Change the level1=, level2= and k= values of the class. Levels are explained in 'Understanding levels' on page 127 and decay in 'Understanding decay' on page 127.
5. Add a comment that describes the change. Comment lines begin with a number sign (#).
6. Save the file.
Understanding levels
Risk Manager Web IDS reports a class in two stages, controlled by two thresholds in the class header. Each class keeps a level that rises when its patterns match and falls again afterwards (see 'Understanding decay'); the thresholds are compared against that level.
level1=count1 The alert threshold. When the level of the class reaches count1, Web IDS reports an ALERT (the sample output above shows class 'cgi': lvl=1.00 >= 1). level1 must not be lower than level2.
level2=count2 The warning threshold. When the level reaches count2 but is still below count1, Web IDS reports a WARNING.
The source illustrates the two levels with the host name www.austin.tivoli.com:
¶ level1 is described at the domain part (for example, tivoli.com).
¶ level2 is described at the host-name components (for example, www and austin).
To change level1 or level2 for a class, edit the Web IDS ASCII file sig.nefarious as described in 'Tuning the thresholds'. Lower thresholds report sooner and produce more events; higher thresholds produce fewer events but may miss a short attack.
Understanding decay
Web IDS does not report a class on the strength of a single matching request alone. Each class keeps a level that is raised by every request that matches one of its patterns and lowered, step by step, by every request that follows; the thresholds level1 and level2 are compared against this level. The level is the value that appears in the Risk Manager TEC event (lvl= in the sample output).
For iteration n (the n-th request the class has seen), the level Q for the next iteration is computed as

Q(n+1) = Q(n) + Δr - Q(n) / k

Q(n) The level of the class at iteration n.
Q(n+1) The new level, that is, the level at iteration n+1.
Δr The amount by which a matching request raises the level.
k The decay parameter of the class.
Δr and k have the following effects:
¶ The increment Δr raises the level immediately whenever a request matches the class. Several matching requests in quick succession therefore push the level up faster than decay brings it down, which is what carries the level across the level2 and level1 thresholds.
¶ The decay parameter k sets how quickly the level falls between matches. Each request removes the fraction 1/k of the current level, so a large k keeps the level high for a long time and a small k lets it drop quickly.
For example, with k=100 the level loses one percent per request; after 100 requests without a match it has fallen to about 37 percent ((1 - 1/100)^100) of its value.
Choose the k value of each class in sig.nefarious to suit how long a burst of matching requests should remain significant on your server.
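The following Python program is an added example, not part of the Tivoli Risk Manager product or of this guide. It puts together the pieces described on the preceding pages: it parses a sig.nefarious-style signature file (class headers with level1=, level2=, k=, requires= and cancels=, '#' comment lines and one regular expression per line), runs constructed Apache access-log lines through the classes in file order, evaluates requires= expressions with the |, & and ! operators, lets a cancels= class suppress reports, and applies the level update Q(n+1) = Q(n) + Δr - Q(n)/k before comparing against level1 and level2. Everything the page does not specify is an assumption and is marked as such in the code: Δr is taken as 1 per matching request, the built-in parser(suspiciousHexCodesUrl) engine is replaced by a check for %XX escapes, and the signatures and log lines are constructed for the example.

```python
"""Toy version of the Web IDS scoring model described on this page. Added example, not
Tivoli's code: the signature syntax mirrors sig.nefarious, but the level update rule,
the value of delta-r and the stand-in 'parser' engine are assumptions."""
import re

# Constructed sig.nefarious-style signatures (not a file shipped with Risk Manager).
SIGNATURES = r"""
[class=cgi; field=url; level1=1; level2=0.5; k=1000]
# CVE-1999-0067, Bugtraq ID 629, input validation error
phf
test-cgi
[class=directory; field=url; level1=2; level2=1; k=1000]
/\.\./
[class=cgiHex; field=url; requires=pattern(cgi)&parser(suspiciousHexCodesUrl); level1=1; level2=1; k=100]
.
[class=trustedHosts; field=host; cancels=all]
friendly\.computer\.org
"""
# Constructed common-log-format lines, not captured from a real server.
ACCESS_LOG = """\
some.host.org - - [03/May/2001:03:42:23 +0000] "GET /cgi-bin/test-cgi HTTP/1.1" 500 345
some.host.org - - [03/May/2001:03:42:24 +0000] "GET /cgi-bin/phf/%2e%2e/etc/passwd HTTP/1.0" 404 210
friendly.computer.org - - [03/May/2001:03:42:25 +0000] "GET /cgi-bin/phf HTTP/1.1" 404 210
other.host.org - - [03/May/2001:03:42:27 +0000] "GET /a/../../etc/passwd HTTP/1.1" 403 0
"""
LOG_RE = re.compile(r'^(?P<host>\S+) \S+ \S+ \[(?P<date>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) '
                    r'HTTP/(?P<version>[\d.]+)" (?P<status>\d{3}) (?P<bytes>\d+|-)$')


def parse_log_line(line):
    """Split an access-log line into the fields a class may match on, or None if it does not parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec['url'], _, rec['query'] = rec.pop('target').partition('?')   # split URL from query string
    return rec


def load_signatures(text):
    """Parse '[class=...; field=...; ...]' headers, each followed by its regex pattern lines."""
    classes, cur = [], None
    for line in (l.strip() for l in text.splitlines()):
        if not line or line.startswith('#'):          # '#' lines are comments
            continue
        if line.startswith('[class=') and line.endswith(']'):
            cur = dict(kv.strip().split('=', 1) for kv in line[1:-1].split(';'))
            cur.update(patterns=[], q=0.0); classes.append(cur)   # q is the running level Q(n)
        else:
            cur['patterns'].append(re.compile(line))
    return classes


def requires_met(expr, hits):
    """Evaluate a requires= expression (| OR, & AND, ! NOT, parentheses) against the set of
    engine(class) names that already fired for the current request."""
    toks = re.findall(r'\w+\(\w+\)|[()|&!]', expr) + [None]   # None marks the end of input
    def neg():
        t = toks.pop(0)
        if t == '!':
            return not neg()
        if t == '(':
            v = disj(); toks.pop(0); return v           # consume the closing ')'
        return t in hits
    def conj():
        v = neg()
        while toks[0] == '&':
            toks.pop(0); v = neg() and v
        return v
    def disj():
        v = conj()
        while toks[0] == '|':
            toks.pop(0); v = conj() or v
        return v
    return disj()


def update_level(q, k, matched):
    """Q(n+1) = Q(n) + delta_r - Q(n)/k, with delta_r = 1 on a match and 0 otherwise (assumption)."""
    return q + (1.0 if matched else 0.0) - q / k


def analyze(log_text, classes):
    """Score each request against every class in file order; return (level, class, url) findings."""
    findings = []
    for rec in filter(None, map(parse_log_line, log_text.splitlines())):
        # Stand-in for the built-in 'parser' engine (assumption): flag %XX escapes in the URL.
        hits = {'parser(suspiciousHexCodesUrl)'} if re.search(r'%[0-9A-Fa-f]{2}', rec['url']) else set()
        # cancels= (trusted) classes are applied first; they suppress the classes they name.
        cancelled = set()
        for c in classes:
            if 'cancels' in c and any(p.search(rec[c['field']]) for p in c['patterns']):
                cancelled |= set(c['cancels'].split(','))
        for c in classes:
            if 'cancels' in c:
                continue
            name = 'pattern(%s)' % c['class']
            matched = (any(p.search(rec[c['field']]) for p in c['patterns'])
                       and not ({'all', name} & cancelled)
                       and ('requires' not in c or requires_met(c['requires'], hits)))
            if matched:
                hits.add(name)
            c['q'] = update_level(c['q'], float(c['k']), matched)
            if matched and c['q'] >= float(c['level1']):
                findings.append(('ALERT', c['class'], rec['url']))
            elif matched and c['q'] >= float(c['level2']):
                findings.append(('WARNING', c['class'], rec['url']))
    return findings
```

Calling analyze(ACCESS_LOG, load_signatures(SIGNATURES)) yields one finding per reported request, in the ALERT/WARNING form of the Web IDS output shown earlier. Two details worth noticing when you compare this with your own sig.nefarious: a class named in requires= must be evaluated before the class that depends on it, which in this model means it must come first in the file, and a cancels= match from the trusted host friendly.computer.org suppresses the phf hit entirely even though the pattern matched.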
9. Integrating Cisco Secure IDS
This chapter contains the following sections:
¶ Overview
¶ TEC adapter installation (page 131)
¶ Risk Manager components (page 31)
¶ TEC tasks (page 133)
The Cisco Secure IDS event classes are described in 'Cisco Secure IDS event classes' on page 271.
The Cisco Secure IDS rules are described in 'Cisco Secure IDS rules' on page 242.
Overview
Risk Manager integrates Cisco Secure IDS by collecting the alarms that Cisco Secure IDS sensors report and forwarding them as events to the Tivoli Enterprise Console (TEC) server. The following Cisco Secure IDS sensors are supported:
Cisco Secure IDS 4210 sensor
A network sensor appliance that monitors the traffic on its segment at up to 45 Mbps.
Cisco Secure IDS 4230 sensor
A network sensor appliance that monitors the traffic on its segment at up to 100 Mbps.
Cisco Catalyst 6000 IDS module
The Cisco Catalyst 6000 IDS module is a line card for the Cisco Catalyst 6000 switch family. It monitors the traffic that passes through the switch, so it sees traffic between switch ports that an external sensor on a single segment cannot.
The Risk Manager adapter for Cisco Secure IDS runs on the following platforms:
¶ Windows NT 4.0 with Service Pack 6 and at least 128 MB of memory
¶ Windows 2000 on a 500 MHz or faster processor with at least 128 MB of memory
¶ Sun Solaris 2.6, 2.7 and 2.8 with at least 128 MB of memory, plus:
v The Solaris libCrun library
v Solaris 2.6 patch 105591-09
v Solaris 2.7 patch 106327-08
v Solaris 2.8 patch 108434-01
Note: These patches are required by the Cisco SDK on which the adapter is built.
¶ Linux (Intel) with kernel 2.2.16, libc 6 and at least 128 MB of memory
¶ At least 1 GB of disk space on the system where Cisco Secure IDS and the adapter are installed
¶ (A further requirement in the source did not survive extraction.)
For more information about Cisco Secure IDS, see the Cisco web site:
http://www.cisco.com
Cisco Secure IDS
The Cisco Secure Intrusion Detection System (formerly NetRanger) is a network-based intrusion detection system: sensors placed on network segments examine the traffic in real time, compare it with Cisco's attack signatures and report suspicious activity to a central management station, from which operators can also respond, for example by blocking the offending address. Cisco Secure IDS consists of the following components:
¶ Sensor: monitors the packets on its network segment, detects unauthorized activity and sends alarms to the Director
¶ Director: the management console that receives the alarms from the sensors and presents them to operators
¶ Policy Manager: manages the sensor configurations
¶ Post Office: the communication service through which the Cisco Secure IDS (NetRanger) components exchange alarms and commands
Figure 19. Cisco Secure IDS integration
Installing the TEC adapter
The Cisco Secure IDS adapter collects alarms from Cisco Secure IDS and sends them to the TEC server as Risk Manager events. The adapter is installed on the host that runs the Cisco Secure IDS Director, and its events are described by the Cisco Secure IDS classes in the Risk Manager event hierarchy.
Risk Manager delivers the events through the Risk Manager EIF (Event Integration Facility), so the Risk Manager EIF must be installed on the adapter host before the adapter is configured.
Cisco Secure IDS can also be integrated on a host that is not a Tivoli endpoint, using the native (non-TME) Risk Manager installation described in 'Installing Risk Manager on native hosts' on page 37.
Note: On UNIX, before you configure Cisco Secure IDS for Risk Manager, set the Risk Manager environment variables by sourcing the environment file:
. /etc/Tivoli/rma_eif_env.sh
The adapter reads alarms through the Cisco Secure IDS DataFeed. On UNIX and Linux the DataFeed runs under the user ID "netrangr", the user ID under which Cisco Secure IDS is installed; if your Cisco Secure IDS installation uses a different user ID, use that one.
Configuring the Risk Manager EIF format file for Cisco Secure IDS
Cisco Secure IDS alarms are converted into Risk Manager events by the Risk Manager EIF, which matches each alarm against the formats in its format file. The Cisco Secure IDS formats are delivered in csids.fmt and must be appended to the Risk Manager EIF format file rmad.fmt, which is then compiled into the class definition statement (.cds) file rmad.cds. To create rmad.cds:
1. Append csids.fmt to rmad.fmt.
On Windows:
type csids.fmt >> rmad.fmt
On UNIX:
cat csids.fmt >> rmad.fmt
Do this once only: appending csids.fmt a second time leaves duplicate format definitions in rmad.fmt. The Risk Manager EIF installs csids.fmt on both Windows and UNIX.
2. Generate the .cds file with the riskmgr_gencds command:
riskmgr_gencds rmad.fmt >rmad.cds
3. Copy rmad.cds to the configuration directory of the Cisco Secure IDS adapter.
Alternatively, distribute rmad.cds to the Cisco Secure IDS adapter host with the Adapter Configuration Facility (ACF), as described in 'Configuring Risk Manager with the ACF' on page 46.
Configuring the Cisco Secure IDS DataFeed
The Cisco Secure IDS DataFeed delivers the alarms from the Cisco Secure IDS Post Office to the adapter. The csidsDataFeed program is part of the Cisco Secure IDS software; it must be told which remote Cisco Secure IDS host to receive alarms from and what the local Post Office identity of the adapter host is.
Configure the DataFeed as follows:
1. Note the IP address, host ID and organization name and ID of the remote Cisco Secure IDS host whose alarms csidsDataFeed is to receive. These values are part of that host's Post Office configuration (on the Director or Policy Manager).
2. Register the remote host with the DataFeed:
csidsDataFeed cfg_remote add -ip IP_Address [-po po_number] [-on orgname] [-oi orgnumber] [-hn host_name] [-hi n] [-hb nnn]
3. Set the local Post Office identity of the adapter host:
csidsDataFeed cfg_local update [-po po_number] [-on orgname] [-oi orgnumber] [-hn host_name] [-hi n]
The Risk Manager side of the adapter is configured with the ACF; see 'Configuring Risk Manager with the ACF' on page 46.
Starting and stopping the adapter
On a Tivoli host you can start and stop the Cisco Secure IDS adapter with the TEC tasks described in 'TEC tasks' on page 133, or from the command line as follows.
To start the Cisco Secure IDS adapter, which makes Risk Manager begin receiving Cisco Secure IDS events:
On Linux:
/etc/rc.d/init.d/rma_csids-init start
On Solaris:
/etc/init.d/rma_csids-init start
On Windows:
net start rma_csids
Stopping the adapter
Stopping the Cisco Secure IDS adapter stops Risk Manager from receiving Cisco Secure IDS events until the adapter is started again. To stop the adapter:
On Linux:
/etc/rc.d/init.d/rma_csids-init stop
On Solaris:
/etc/init.d/rma_csids-init stop
On Windows:
net stop rma_csids
TEC tasks
Risk Manager installs a task library named Tasks for Enterprise Risk Management in the TEC policy region (TEC Region) on the Tivoli desktop. The TEC tasks are run from the Tivoli desktop.
Risk Manager provides the following TEC tasks for Cisco Secure IDS:
¶ Start_Cisco_Secure_IDS_Adapter
¶ Stop_Cisco_Secure_IDS_Adapter
¶ Configure_Cisco_Datafeed
Starting the Cisco Secure IDS adapter
You can start the Cisco Secure IDS adapter with a Risk Manager TEC task. To do so:
1. On the Tivoli desktop, open the TEC task library Tasks for Enterprise Risk Management.
2. Run the Start_Cisco_Secure_IDS_Adapter task.
Stopping the Cisco Secure IDS adapter
You can stop the Cisco Secure IDS adapter with a Risk Manager TEC task. To do so:
1. On the Tivoli desktop, open the TEC task library Tasks for Enterprise Risk Management.
2. Run the Stop_Cisco_Secure_IDS_Adapter task.
Configuring the Cisco Secure IDS DataFeed
The Cisco Secure IDS DataFeed must be configured before Risk Manager can receive Cisco Secure IDS alarms. You can configure it with a TEC task instead of entering the csidsDataFeed commands by hand. To do so:
1. On the Tivoli desktop, open the TEC task library Tasks for Enterprise Risk Management.
2. Run the Configure_Cisco_DataFeed task.
Cleaning up after an abnormal termination
If the Cisco Secure IDS adapter or the DataFeed stops with a fatal error, semaphores and queued messages can be left behind that prevent a clean restart. Stop the DataFeed and remove them as follows.
On UNIX and Linux:
% cd $NETRANGER/bin
% csidsDataFeed stop
% removeSemas
If messages are still left in the $NETRANGER/tmp and $NETRANGER/tmp/queues directories after the DataFeed has stopped, delete them:
% cd $NETRANGER/tmp
% rm *.*
% cd queues
% rm *.*
On Windows:
% cd %NETRANGER%\bin
% csidsDataFeed stop
% cd %NETRANGER%\tmp
If messages are still left in the %NETRANGER%\tmp and %NETRANGER%\tmp\queues directories after the DataFeed has stopped, delete them:
% del *.*
% cd queues
% del *.*
Make sure that the DataFeed has really stopped before you delete anything, and delete files only in these two directories.
10. Integrating ISS RealSecure
This chapter contains the following sections:
¶ Overview
¶ TEC adapter installation (page 137)
¶ The SNMP adapter (page 137)
¶ Installing and configuring ISS RealSecure (page 137)
¶ Starting ISS RealSecure (page 140)
The Internet Security Systems RealSecure (ISS RealSecure) event classes are described in 'ISS RealSecure event classes' on page 279.
For more information about the SNMP adapter, see the Tivoli Enterprise Console Adapters Guide, Chapter 10.
For more information about ISS RealSecure, see the ISS web site:
http://www.iss.net
Overview
Internet Security Systems (ISS) produces the RealSecure intrusion detection system. ISS RealSecure network sensors examine the traffic on a network segment and server sensors examine the activity on a host; both raise events when they recognize an attack or a policy violation, and the events are managed from a central console.
ISS RealSecure versions 5.5 and 6.0 can be configured to send SNMP traps for the events they detect. Risk Manager receives these traps through the Tivoli SNMP adapter, which runs on Tivoli endpoints and managed nodes on Windows and UNIX.
So that the SNMP adapter can turn ISS RealSecure traps into Risk Manager events, Risk Manager supplies the following Tivoli SNMP adapter configuration files for ISS RealSecure:
¶ tecad_snmp.cds
¶ tecad_snmp.oid
ISS RealSecure is integrated through the TEC SNMP adapter, as shown in Figure 20.
The figure shows the flow of events from the ISS RealSecure sensors to Risk Manager.
ISS RealSecure
ISS RealSecure sensors detect attacks and policy violations and report them to the ISS RealSecure console. The console and the sensors can also be configured to respond to an event, for example by sending an SNMP trap.
ISS RealSecure consists of the following components:
¶ Network sensors that monitor the traffic on a network segment
Figure 20. ISS RealSecure integration
¶ Server sensors that monitor the activity on individual hosts
¶ A console that manages the sensors and collects their events
Which events a sensor reports, and what response is taken for each, is controlled by the policy applied to that sensor.
Tivoli Risk Manager 3.8 supports ISS RealSecure through the TEC SNMP adapter, using the Risk Manager .cds and .oid files for the SNMP adapter. These files are installed in:
$BINDIR/../generic_unix/RISKMGR/ACF_REP/tecad_snmp.cds
$BINDIR/../generic_unix/RISKMGR/ACF_REP/tecad_snmp.oid
where BINDIR is the Tivoli binaries directory.
When the SNMP adapter uses the Risk Manager tecad_snmp.cds file, it converts the SNMP traps it receives into TEC events. ISS RealSecure sends two kinds of traps, and both are mapped to Risk Manager event classes:
¶ Intrusion (attack) traps
The Risk Manager classes into which ISS RealSecure intrusion traps are mapped are listed on page 279.
¶ Other event traps
The Risk Manager classes into which the remaining ISS RealSecure traps are mapped are listed on page 281.
TEC adapter installation
The TEC SNMP adapter receives the SNMP traps that ISS RealSecure sends and converts them into TEC events. It runs on Windows NT and on UNIX. For details of the adapter itself, see the Tivoli Enterprise Console Adapters Guide.
For the Risk Manager components to install for ISS RealSecure, see 'Risk Manager components' on page 31.
Installing and configuring ISS RealSecure
ISS RealSecure must be configured to send its SNMP traps to the host on which the Tivoli SNMP adapter runs. This is done in the ISS RealSecure policy, where an SNMP trap is one of the responses that can be attached to an event.
Note: On UNIX, before you configure ISS RealSecure for Risk Manager, set the Risk Manager environment variables by sourcing the environment file:
. /etc/Tivoli/rma_eif_env.sh
To prepare the TEC SNMP adapter for ISS RealSecure, distribute its configuration files with the Tivoli Adapter Configuration Facility (ACF), as described in 'Configuring Risk Manager with the ACF' on page 46:
1. Use the Risk Manager class definition statement file tecad_snmp.cds, which already contains the definitions for ISS RealSecure traps, as the .cds file of the adapter. Edit it only if you need to map additional ISS RealSecure traps.
2. Distribute tecad_snmp.cds and tecad_snmp.oid to the TME host that runs the SNMP adapter.
Configuring the policy
ISS RealSecure reports only the events that its policy selects, and the policy also defines the response to each event. For the events that Risk Manager is to see, the policy must include an SNMP trap among the responses; ISS RealSecure also records events in its log database (logdb), which is separate from the SNMP response. After you change the policy, apply it to the sensor so that the sensor restarts with the new settings.
In the SNMP response, set the trap destination to the IP address of the host on which the TEC SNMP adapter (the trap receiver) runs. Risk Manager identifies the ISS RealSecure sensor by the source address of the trap, so the address the sensor sends from must be the one you expect to see in the events.
Tune the ISS RealSecure sensor so that the volume of traps stays within what the TEC server can process. The settings the source cites are a default of 5000 events and a high-water mark of 1 percent.
Distributing the TEC SNMP adapter configuration
Risk Manager supplies the TEC SNMP adapter configuration files tecad_snmp.cds and tecad_snmp.oid and distributes them with the ACF.
The TEC SNMP adapter receives the SNMP traps from ISS RealSecure. The adapter host sends the resulting events to the TEC server, so it must be able to reach it.
To create a TEC SNMP adapter profile for ISS RealSecure:
1. From the Tivoli desktop, open the TEC Region policy region.
2. Open the Profiles for Enterprise Risk Management profile manager and create a new profile in it.
3. Select the profile type for the TEC SNMP adapter that is to receive the ISS RealSecure traps, and create the profile.
4. Open the profile.
5. Add an entry for the tecad_snmp adapter; the entry is created with default values.
6. Edit the entry so that its configuration files are the ones Risk Manager supplies.
The default entry points at the TEC SNMP adapter's own .cds and .oid files. Risk Manager provides its own tecad_snmp.cds and tecad_snmp.oid so that the adapter classifies ISS RealSecure traps as Risk Manager events; the Risk Manager files must replace the defaults in the profile.
The Risk Manager tecad_snmp.cds and tecad_snmp.oid files are in the Risk Manager ACF repository directory.
7. In the entry, set the directory from which the configuration files are distributed:
¶ Select the distribution file entries for the .cds and .oid files.
¶ After the equals sign (=), enter the path of the Risk Manager ACF repository directory:
$BINDIR/../generic_unix/RISKMGR/ACF_REP/
where BINDIR is the Tivoli binaries directory.
8. Save the entry and the profile.
9. Distribute the profile.
Installing the Tivoli SNMP adapter on UNIX
ISS RealSecure and Cisco routers both use the Tivoli SNMP adapter. If you have already installed the adapter for Cisco routers, you do not need to install it again for ISS RealSecure.
The Tivoli SNMP adapter is described in the Tivoli Enterprise Console Adapters Guide. The following steps describe the settings that matter for Risk Manager; for the installation itself, see that guide.
To install the SNMP adapter on a Tivoli host:
1. Install the SNMP adapter. For example, on Solaris install the SNMP adapter package into /test/riskmgr/snmp/ with pkgadd. See 'Solaris installation' on page 40.
2. Change to the etc directory of the SNMP adapter:
cd /test/riskmgr/snmp/etc
3. Open tecad_snmp.conf in an editor and find the ServerLocation entry.
4. Set it to the IP address of the TEC server:
ServerLocation=1.2.3.4
where 1.2.3.4 is the IP address of the TEC server.
5. If the TEC server runs on Windows NT, also set the port on which the TEC server listens:
ServerPort=5529
6. Make sure that the SNMP trap port is defined in /etc/services. If it is not, add the following lines to /etc/services:
snmp-trap 162/tcp
snmp-trap 162/udp
7. Distribute the Risk Manager tecad_snmp.cds and tecad_snmp.oid files from the TEC server to the adapter host, as described above.
Starting ISS RealSecure
On a Tivoli host, the ISS RealSecure integration is started by starting the Tivoli SNMP adapter.
Starting the SNMP adapter
ISS RealSecure and Cisco routers share the Tivoli SNMP adapter. If the adapter is already running for Cisco routers, it is also receiving ISS RealSecure traps and need not be started again.
Start the Tivoli SNMP adapter with the command for your platform:
On Windows, from the adapter directory %LCFROOT%\bin\w32-ix86\tme\tec\adapters\bin:
net start tecsnmpadapter
On Windows NT the SNMP adapter can also be started from the Services control panel.
On AIX:
$LCFROOT/bin/aix4-r1/TME/TEC/adapters/bin/init.tecad_snmp start
On Solaris:
$LCFROOT/bin/solaris2/TME/TEC/adapters/bin/init.tecad_snmp start
Stopping the SNMP adapter
ISS RealSecure and Cisco routers share the Tivoli SNMP adapter: stopping it for ISS RealSecure also stops the reception of Cisco router traps.
Stop the Tivoli SNMP adapter with the command for your platform:
On Windows, from the adapter directory %LCFROOT%\bin\w32-ix86\tme\tec\adapters\bin:
net stop tecsnmpadapter
On AIX:
$LCFROOT/bin/aix4-r1/TME/TEC/adapters/bin/init.tecad_snmp stop
On Solaris:
$LCFROOT/bin/solaris2/TME/TEC/adapters/bin/init.tecad_snmp stop
11. Integrating Cisco routers
This chapter contains the following sections:
¶ Cisco router overview
¶ TEC adapter installation (page 144)
¶ Installing and configuring for Cisco routers (page 145)
¶ Starting and stopping the SNMP adapter (page 148)
¶ Cisco router traps (page 149)
Cisco documents its routers on the Cisco web site, which also describes the MIBs, traps and object identifiers (OIDs) that the routers use:
http://www.cisco.com
The SNMP adapter is described in the Tivoli Enterprise Console Adapters Guide.
Cisco router overview
Cisco routers report events by sending SNMP traps. Risk Manager receives these traps through the Tivoli SNMP adapter, which runs on Tivoli endpoints and managed nodes on Windows and UNIX.
So that the Tivoli SNMP adapter can turn Cisco router traps into Risk Manager events, Risk Manager supplies the following SNMP adapter configuration files for Cisco routers:
¶ tecad_snmp.cds
¶ tecad_snmp.oid
Cisco routers are integrated through the TEC SNMP adapter, as shown in Figure 21.
TEC adapter
The Tivoli Enterprise Console (TEC) SNMP adapter receives the SNMP traps that Cisco routers send and converts them into TEC events, which it forwards to the TEC server. The adapter runs on the Tivoli host to which the routers are configured to send their traps.
The events are defined in the Risk Manager event hierarchy. SNMP trap events are based on the classes in sensor_abstract.baroc and riskmgr.baroc; crouter_snmp.baroc defines the event classes for Cisco router traps.
Figure 21. Cisco router integration
Installing the TEC adapter for Cisco routers
Tivoli Risk Manager 3.8 supports Cisco routers through the TEC SNMP adapter, whose configuration is distributed with the Adapter Configuration Facility (ACF). Risk Manager installs crouter_snmp.baroc, which defines the Cisco router event classes, on the TEC server, and the TEC SNMP adapter class definition statement (.cds) and .oid files in the ACF repository:
$BINDIR/../generic_unix/RISKMGR/ACF_REP/tecad_snmp.cds
$BINDIR/../generic_unix/RISKMGR/ACF_REP/tecad_snmp.oid
where BINDIR is the Tivoli binaries directory.
One SNMP adapter receives the traps of all the routers that are configured to send to its host. For details of the adapter, see the Tivoli Enterprise Console Adapters Guide.
Install the Risk Manager components for the TEC server and for the adapter host as described in the Tivoli Risk Manager installation documentation.
Note: On UNIX, before you configure Cisco routers for Risk Manager, set the Risk Manager environment variables by sourcing the environment file:
. /etc/Tivoli/rma_eif_env.sh
The Tivoli SNMP adapter must be installed on the host to which the Cisco routers send their traps. The adapter runs on Windows and on UNIX; its installation is described in the Tivoli Enterprise Console Adapters Guide.
The TEC server must be installed, and the Risk Manager event classes loaded on it, before the adapter is started.
If the Risk Manager configuration is not already on the adapter host, distribute it with the ACF, as described in 'Configuring Risk Manager with the ACF' on page 46.
Risk Manager supplies the tecad_snmp.cds and tecad_snmp.oid files so that the TEC SNMP adapter on the Tivoli host converts the SNMP traps from Cisco routers into TEC events.
The following sections describe the installation on a Tivoli host. Cisco routers can also be supported from a native (non-TME) installation; see 'Risk Manager components' on page 31.
Do the following.
1. Use the Risk Manager class definition statement file tecad_snmp.cds, which already contains the definitions for Cisco router traps, as the .cds file of the adapter. Edit it only if you need to map additional Cisco router traps.
2. Distribute tecad_snmp.cds and tecad_snmp.oid to the TME host that runs the SNMP adapter.
Then configure the routers and the adapter:
1. Configure each Cisco router to send its SNMP traps to the UNIX host on which the adapter runs; see 'Configuring Cisco routers' on page 147.
2. Configure the TEC SNMP adapter for Cisco routers on that host; see 'Installing the Tivoli SNMP adapter on UNIX' on page 147.
Distributing the TEC SNMP adapter configuration
Risk Manager supplies the TEC SNMP adapter configuration files tecad_snmp.cds and tecad_snmp.oid and distributes them with the ACF.
The TEC SNMP adapter receives the SNMP traps from the Cisco routers. The adapter host sends the resulting events to the TEC server, so it must be able to reach it.
To create a TEC SNMP adapter profile for Cisco routers:
1. From the Tivoli desktop, open the TEC Region policy region.
2. Open the Profiles for Enterprise Risk Management profile manager and create a new profile in it.
3. Select the profile type for the TEC SNMP adapter that is to receive the Cisco router traps, and create the profile.
4. Open the profile.
5. Add an entry for the tecad_snmp adapter; the entry is created with default values.
6. Edit the entry so that its configuration files are the ones Risk Manager supplies.
The default entry points at the TEC SNMP adapter's own .cds and .oid files. Risk Manager provides its own tecad_snmp.cds and tecad_snmp.oid so that the adapter classifies Cisco router traps as Risk Manager events; the Risk Manager files must replace the defaults in the profile.
The Risk Manager tecad_snmp.cds and tecad_snmp.oid files are in the Risk Manager ACF repository directory.
7. In the entry, set the location from which the configuration files are distributed:
¶ Select the distribution file entries for the .cds and .oid files.
¶ After the equals sign (=), enter the host and path of the Risk Manager ACF repository directory, for example:
hostname/usr/local/Tivoli/bin/generic_unix/RISKMGR/ACF_REP/
¶ Save the entry.
8. Distribute the profile.
Configuring Cisco routers
Each Cisco router must be configured to send its SNMP traps to the host on which the Tivoli SNMP adapter runs.
To configure a Cisco router for Risk Manager, do the following on the router:
1. Connect to the router with Telnet and enter privileged mode with the enable secret password.
2. Enter configuration mode with the config command.
3. Name the host that is to receive the traps:
snmp-server host 5.6.7.8
where 5.6.7.8 is the IP address of the host on which the SNMP adapter runs.
4. Enable the sending of traps:
snmp-server enable traps
5. Set the community string that the router and the SNMP adapter share; in this example it is MyCommun:
snmp-server community MyCommun
6. Leave configuration mode and save the configuration so that it survives a reload.
Because the TEC SNMP adapter uses SNMP version 1, the community string travels in clear text in every trap and every request. Do not use a default string such as public, and restrict the string to the adapter host with an access list on the snmp-server community command.
Installing the Tivoli SNMP adapter on UNIX
Internet Security Systems RealSecure (ISS RealSecure) and Cisco routers both use the Tivoli SNMP adapter. If you have already installed the adapter for ISS RealSecure, you do not need to install it again for Cisco routers.
The Tivoli SNMP adapter is described in the Tivoli Enterprise Console Adapters Guide. The following steps describe the settings that matter for Risk Manager; for the installation itself, see that guide.
To install the SNMP adapter on a Tivoli host:
1. Install the SNMP adapter. For example, on AIX install it into /test/riskmgr/snmp/.
2. Change to the etc directory of the SNMP adapter:
cd /test/riskmgr/snmp/etc
3. Open tecad_snmp.conf in an editor and find the ServerLocation entry.
4. Set it to the IP address of the TEC server:
ServerLocation=1.2.3.4
where 1.2.3.4 is the IP address of the TEC server.
5. If the TEC server runs on Windows NT, also set the port on which the TEC server listens:
ServerPort=5529
6. Add the SNMP trap port to /etc/services if it is not already defined:
snmp-trap 162/tcp
snmp-trap 162/udp
7. Distribute the Risk Manager tecad_snmp.cds and tecad_snmp.oid files from the TEC server to the adapter host, as described above.
To configure the routers themselves, see 'Configuring Cisco routers'.
Starting the SNMP adapter
Internet Security Systems (ISS) RealSecure and Cisco routers share the Tivoli SNMP adapter. If the adapter is already running for ISS RealSecure, it is also receiving Cisco router traps and need not be started again.
The SNMP adapter starts receiving Cisco router traps as soon as it is running with the Risk Manager configuration files. Start it with the command for your platform:
On Windows NT, from the adapter directory %LCFROOT%\bin\w32-ix86\tme\tec\adapters\bin:
net start tecsnmpadapter
On Windows NT the SNMP adapter can also be started from the Services control panel.
On AIX:
$LCFROOT/bin/aix4-r1/TME/TEC/adapters/bin/init.tecad_snmp start
On Solaris:
$LCFROOT/bin/solaris2/TME/TEC/adapters/bin/init.tecad_snmp start
Stopping the SNMP adapter
ISS RealSecure and Cisco routers share the Tivoli SNMP adapter: stopping it for Cisco routers also stops the reception of ISS RealSecure traps.
The SNMP adapter converts Cisco router traps into events only while it is running with the Risk Manager tecad_snmp.cds and tecad_snmp.oid files. Stop it with the command for your platform:
On Windows NT, from the adapter directory %LCFROOT%\bin\w32-ix86\tme\tec\adapters\bin:
net stop tecsnmpadapter
On Windows NT the SNMP adapter can also be stopped from the Services control panel.
On AIX:
$LCFROOT/bin/aix4-r1/TME/TEC/adapters/bin/init.tecad_snmp stop
On Solaris:
$LCFROOT/bin/solaris2/TME/TEC/adapters/bin/init.tecad_snmp stop
Stopping the SNMP daemon
ISS RealSecure and Cisco routers share the Tivoli SNMP adapter: if you stop the SNMP daemon for Cisco routers, ISS RealSecure traps stop being received as well.
To stop the SNMP daemon:
1. Find its process ID:
ps -ef | grep snmpd
2. In the output, pid is the process ID of the SNMP daemon. Enter:
kill -9 pid
Check that the process ID belongs to the daemon you mean to stop before you send the signal; kill -9 gives the process no chance to clean up.
Changing the TEC server
If the TEC server to which the adapter sends events moves to another host, change the ServerLocation entry in tecad_snmp.conf.
To change the TEC server:
1. Change to the /etc directory of the TEC SNMP adapter.
2. Edit tecad_snmp.conf and set:
ServerLocation=ip_address
where ip_address is the IP address of the new TEC server.
UNIX services entry
The SNMP trap port must be defined in the UNIX /etc/services file as follows:
snmp-trap 162/tcp # snmp monitor trap port
snmp-trap 162/udp # snmp monitor trap port
Cisco router traps
The TEC SNMP adapter supports SNMP version 1 traps.
Cisco routers can send many traps. Risk Manager recognizes the following Cisco traps, grouped by what they indicate.
Traps that indicate a possible intrusion:
Object identifier             Trap
1.3.6.1.4.1.9.2.11.1          logonIntruder
1.3.6.1.4.1.437.1.1.3         logonIntruder
1.3.6.1.4.1.437.1.1.3         broadcastStorm
1.3.6.1.4.1.9                 reload
1.3.6.1.4.1.9                 tcpConnectionClose
Traps that indicate a change of configuration, topology, routing or addressing (for example, a configuration write, a new spanning-tree root or a VLAN change):
Object identifier             Trap
1.3.6.1.4.1.9.9.43.2          ciscoConfigManEvent
1.3.6.1.4.1.9.5               sysConfigChangeTrap
1.3.6.1.2.1.47.2              entConfigChange
1.3.6.1.2.1.17                newRoot
1.3.6.1.2.1.17                topologyChange
1.3.6.1.4.1.9.1.111.1.2.3     cat2600TsDmnNewRoot
1.3.6.1.4.1.9.1.111.1.2.3     cat2600TsDmnTopologyChange
1.3.6.1.4.1.9.2.11.1          ipAddressChange
1.3.6.1.4.1.437.1.1.3         ipAddressChange
1.3.6.1.4.1.9.5.14.1.1        ciscoEsStackCfgChange
1.3.6.1.4.1.9.5.14.4          ciscoEsPortStrNFwdEntry
1.3.6.1.4.1.9.5.14.8          ciscoEsVLANNewRoot
1.3.6.1.4.1.9.5.14.8          ciscoEsVLANTopologyChange
Generic SNMP trap that indicates a failed SNMP access, that is, a request that did not authenticate (for SNMP version 1, a wrong community string):
Object identifier             Trap
1.3.6.1.2.1.11                authenticationFailure
12. Integrating Cisco Secure PIX Firewall
This chapter contains the following sections:
¶ Cisco Secure PIX Firewall overview
¶ Event sources (page 153)
¶ Installing and configuring Cisco Secure PIX Firewall (page 154)
¶ TEC tasks (page 157)
For more information about Cisco Secure PIX Firewall, see the Cisco web site:
http://www.cisco.com
Cisco Secure PIX Firewall overview
The Cisco Private Internet Exchange (PIX) Firewall, version 5.1.2 and later, is a firewall appliance that enforces a security policy between networks and logs the connections it permits and denies. Risk Manager receives these log messages through the Tivoli logfile adapter on UNIX or the Windows NT logfile adapter on Windows NT.
This chapter describes the following:
¶ Configuring the Tivoli logfile adapter (UNIX) or the Windows NT logfile adapter to receive Cisco Secure PIX Firewall messages
¶ Configuring Cisco Secure PIX Firewall for Risk Manager
The Cisco Secure PIX Firewall integration consists of format files for the Tivoli logfile adapter and for the Windows NT logfile adapter (pix.fmt and pix_nt.fmt). The logfile adapter matches each Cisco Secure PIX Firewall message against these formats, builds a Risk Manager event from it and sends the event to the TEC server from the TME host on which the adapter runs.
Cisco Secure PIX Firewall sends its log messages to a syslog host, which can be a UNIX host or a Windows host. On Windows, the messages are received by the Cisco PIX Firewall Syslog Server (PFSS).
Risk Manager maps the severity level of each Cisco Secure PIX Firewall message to a TEC severity as follows.
Cisco Secure PIX Firewall severity levels and TEC severities
PIX level   PIX name         TEC severity
7           debugging        HARMLESS
6           informational    HARMLESS
5           notification     HARMLESS
4           warning          WARNING
3           error            MINOR
2           critical         CRITICAL
1           alert            CRITICAL
0           emergency        FATAL
(In the source table one TEC severity cell spans levels 5 to 7 and another spans levels 1 and 2.)
Event sources
The Cisco Secure PIX Firewall 506 sends its log messages over the network to a syslog host, which writes them to a log file. The messages are then read by a logfile adapter on a TME (Tivoli Management Environment) host, where Risk Manager collects them and converts them into Cisco Secure PIX Firewall events. On UNIX, the log file is written by syslogd and read by the Tivoli logfile adapter; on Windows, it is written by the Cisco PIX Firewall Syslog Server and read by the Windows NT logfile adapter.
The logfile adapter on the TME host uses the Risk Manager format file to recognize the Cisco Secure PIX Firewall messages and to build the Risk Manager events that it sends to the TEC server.
PFSS is obtained from Cisco with the Cisco Secure PIX Firewall 506 software. PFSS receives the syslog messages from the firewall over TCP or UDP and writes them to a file; it requires Cisco Secure PIX Firewall version 5.1 or later.
Note: Cisco requires Windows NT with Service Pack 6 to run the Cisco PIX Firewall Syslog Server (PFSS).
TEC adapter
Cisco Secure PIX Firewall messages reach Risk Manager through the Tivoli logfile adapter on UNIX (reading the syslogd log file) or the Windows NT logfile adapter on Windows NT (reading the PFSS log file). The TME host that runs the adapter can be a Windows NT, AIX or Solaris system. The adapter converts each Cisco Secure PIX Firewall message into a TEC event and sends it to the TEC server, where the Risk Manager rules process it as a Risk Manager event.
Risk Manager installs the pix.baroc file on the TEC server. This BAROC file defines the event classes for Cisco Secure PIX Firewall. The Cisco Secure PIX Firewall classes fall into two groups:
¶ Intrusion events
¶ Other events
Risk Manager� RM_IDSEvent ���� �� �� ���� �����. ��� �� ���
� RM_MiscEvent ���� ���� ����.
��� �� ������� ��� �� �� �� ����� �����. ���� ��� �� ��� ���
�� ���� �����. ��� �� ���� �� ��� � ����.
¶ �� ��
¶ �� ��
¶ �� ��
¶ ���� �� �(NAT) � �� �� �(PAT) ��
TEC � � � �� ��TEC ��� ��� � �� �� ��� �� ����.
¶ �� IP ��
¶ ��� IP ��
¶ �� ��
���� ���� �� ��� ��� ��� ��� IP ��� �� ��� �� ���
���� �� �� ��� �����. UNIX��� Tivoli �� �� ��(syslogd)�
���� �� � ��� �� ��� �� ��� IP ��� �����. Windows��
� �� ��� PFSS� �� � ����.
Windows NT�� Cisco Secure PIX Firewall� ��� ��, rm_SensorHostname �
rm_SensorIPAddr �� Cisco Secure PIX Firewall ��� ��� � IP �� �� RiskManager �� PFSS� ���� �� ���� ��� � IP ��� ����.Windows NT�� Cisco Secure PIX Firewall� ��� Risk Manager �� � PFSS�
���� �� ��� � ���� ��� �� ��� ��� ���� ��� ��
� ��� ��� ���� � ����. �, �� ���� ��� � � ���� ��� ��
� Risk Manager �� ��� �����.
PFSS� ��� �� 10�� Cisco Secure PIX Firewall ���� �� ��� ��� �
����. � ��� 10�� Cisco Secure PIX Firewall ���� �� ���� �� ��
� ����� �� �� �����.
UNIX ���� ��, rm_SensorIPAddr �� Cisco Secure PIX Firewall ��� IP ��
� syslogd ���� ��� ��� ����. Cisco Secure PIX Firewall ��� ��� �
� �� ���� �� ��� rm_SensorHostname �� N/A ��� ��� UNIX�Cisco Secure PIX Firewall� ��� � �� � �� �� �� ��� �����.
UNIX � Windows NT �����, Cisco Secure PIX Firewall� ��� ���� ���
� �� �� ��� �� ��� ���� ����. ���� IP ��(��) ���� ���
�� ��� ��� ���� IP �����. ��� ��� �� ��� IP ���� �
153 Risk Manager User's Guide
12. Cisco Secure PIX Firewall�� ��
�� �� �� ��� ����. � ��� Cisco Secure PIX Firewall� ���
rm_SourceHostname �� rm_DestinationHostname ��� ����. ��� ���
�� ���� N/A� �����.
PIX Firewall ��� ���� ����� �� ��� �� rm_SourceIPAddr �
rm_DestinationIPAddr(���� � � ���)� ����.
���� Cisco Secure PIX Firewall �� ��� IP ��� ����� �� ��
����� ����(��� � ����� ���� �� ��� �� ���).
�� �� ���� Cisco Secure PIX Firewall ������ Cisco Secure PIX Firewall �� ��� IP ��� ����� �� ���
���� ����. �� �� Cisco Secure PIX Firewall �� ��� ��, Risk Manager�
��� �� �� ��� ��� �����.
fw_conn_deny ��� �������.
fw_pkt_modified Cisco Secure PIX Firewall� �� ��� ����.
fw_xlate_deny ���� �� �(NAT) � �� �� �(PAT) ��� � ���
�������.
fw_tunn_deny �� �� �� �� �������.
fw_acl_deny ��� �� �� ��� � ��� �������.
fw_auth_deny �� ��� � ��� �������.
fw_ipsec IPSEC VPN ���� �� ��� ��� ��� � ����.
��� �� ���� Cisco Secure PIX Firewall ������ ���� �� Cisco Secure PIX Firewall ���� ��, Cisco Secure PIX Firewall� ��� RM_MiscEvent�� �� ��� �� ���� � ��. Cisco Secure PIXFirewall� ��� �� �� ��� �� �� ��� ���� ����.
fw_pixfw_signature Cisco Secure PIX Firewall ��� ��
fw_snmp SNMP(Simple Network Management Protocol) ���
fw_conn_permit �� �
fw_xlate_permit ���� ��(NAT) �� �� ��(PAT) �
fw_failover � ����� � ���� �� �(���� ��)� ������.
fw_authentication �� ���
fw_routing ���� ��� ��
fw_configuration ��� �� ���� ��� ��� ����.
fw_internal ���� �� ��
Cisco Secure PIX Firewall� ��� �� � ��� ���� � � � ����� � ���.
Cisco Secure PIX Firewall� ���� ���� ����� ��, ����� ���� �� �� �� � �� � ��� ��� Tivoli RiskManager ��� �� � �����.
Cisco Secure PIX Firewall� ��� ��� �� Cisco Secure PIX Firewall ���
��� �� ���.
�� ��� ���� �� TME ��� �� ��� �� ���. � ��� TivoliEnterprise Console �� ��� �����.
TEC ��� � � ��� ��� � � �� �� TEC ��� � � ������
�.
Risk Manager� ���� ���� ���� ��� ����� ��, �� � ��(ACF) � ���. ACF� � ��� 46 ��� �ACF� ��� Risk Manager �
� � � ���� �����.
Cisco Secure PIX Firewall TEC ���� �� ��� ���� Risk Manager Perl�� � ���.
Tivoli �� �� � Tivoli ��� Tivoli ������� ��� �� � ����.
�: Unix ���� Cisco Secure IDS� Risk Manager ��� ��� ��, Risk Manager�� ����� �� ��� ������.
. /etc/Tivoli/rma_eif_env.sh
Cisco Secure PIX Firewall� ��� ���� ���� ���� Tivoli ����, Cisco Secure PIX Firewall� ��� �����.
1. ��� �� Cisco Secure PIX Firewall �� ��� ��� ������. �� ���
�� �� ���� �� ���� Cisco Secure PIX Firewall� ��� �� �
����.
UNIX ���
pix.fmt
Windows ���
pix_nt.fmt
2. 44 ��� �Risk Manager � TME �� �� �� ���� �� ��� Risk Manager�� �� �� Tivoli �� �� �� ���� ��� �� ��(.cds) �� �
�����.
UNIX ���
pix.fmt �� �� tecad_logfile.fmt ��� � ��� ������.
Windows ���
pix_nt.fmt �� �� tecad_nt.fmt ��� � ��� ������
3. ��� �� ������.
UNIX ���
pix.fmt
Windows ���
pix_nt.fmt
ACF� ���� ��, 46 ��� �ACF� ��� Risk Manager �� � � ���� �
����.
Cisco Secure PIX Firewall� ���� �� �� ���Cisco Secure PIX Firewall� ��� ��� ��, Tivoli��� TEC �� �� ��(�
� Windows ��� �� ��)� PIX ���� Risk Manager Event Integration Facility �� ���� �� TCP/IP ��� ������ �� ����. ��� PIX ��
�� Risk Manager EIF� �� ��� � �����. �� ��� �� PIX ���� ��
TCP/IP ��� ����� � ����.
1. Unix �� �� ��� � TME � �� Windows ��� �� ��� � TME
� ����� ������.
2. Risk Manager EIF� ��� ��� ������.
3. Unix �� �� ��� PIX �� �� pix.fmt� ����� � �� Windows ��
� �� ��� pix_nt.fmt �� �� ����� �����.
4. Unix �� �� ��� Risk Manager EIF� ����� �� �� �� �� ��
��� ����� �����(�� Windows ��� �� ��). ��� ����, �
�� � ��(tecad_logfile.conf �� tecad_win.conf)�� �� � ���� ��
���.
ServerLocation=localhost
ServerPort=5529
5. Risk Manager EIF� � TME � �� �� ��, EIF � ��(rmad.conf)�� ��
���� �����.
ServerLocation=tecserver (where tecserver is the hostname of the TEC server in your environment)
ServerPort=5529 (or 0 if the server is a Unix server)
�: Risk Manager EIF� TME ���� � ���� ��� ��� ���.
Cisco Secure PIX Firewall ���� � � ACF � � �� �� ��� Cisco Secure PIX Firewall �����.
1. Configure_PIX_Firewall_Logging TEC ���� ���� Cisco Secure PIX Firewall��� � ���� ���� �� �����. ��� 160 ��� ��� �� � �
�� �����.
2. Cisco Secure PIX Firewall� ��� ���� �� ��� ����� �� �� ��
� �����.
clock set hh:mm:ss month day year
3. Windows ��� �� ��� ���� ��, tecad_nt.conf � �� ������.��� 162 ��� �� �� ��� �����.
4. � ���� ��� � ��� TME ��� ��� �� �� �����.
TEC ���
�: Cisco Secure PIX Firewall TEC ���� AIX � Solaris ���� ��� �� ��
���.Risk Manager� Cisco Secure PIX Firewall� TEC ���� �����.
¶ Configure_PIX_Firewall_Access� �� ��� � �����.
¶ Show_PIX_Firewall_Configuration� �� � ��� ����.
¶ Configure_PIX_Firewall_Logging� �� �� �� � �����.
Cisco Secure PIX Firewall TEC ���� ��� ��Cisco Secure PIX Firewall TEC ���� ���� ��� ��, �� �� �����
�.
¶ Cisco Secure PIX Firewall TEC ���� �� ��� ���� Risk Manager Perl�� � ���. �� Risk Manager� �� CD� AIX � Solaris� Cisco SecurePIX Firewall� ��� � Risk Manager� ���� TEC ���� ��� Perl ��
�����.
¶ TEC ���� ���� privileged � ��� � �� �� ��� ��� ��� IP��, �, �� �� �� �� �� ���. �� � ������ ��� �� �
���� ����� ��� ���� ���� ��� �� ��� �� ���.
¶ TEC ����� ��� �� ��� ���� ��� ���� TEC ���� �� ��
��� ����. ��� ���� TEC ���� ��� �� ���� � ��
�� � ����. ��� ���� ��� �� �� �� TEC ���� ��� �
policy� ��� ���� �� ���. ����� ��� ���� ���� ���
�� TEC ���� � TEC ���� ��� ��� �� � ��� � �� ��
��� ����. TEC ���� �� ��� ��� ���� �� � ����.
�� �� � ��� �� �� ��� � �� ���� ���� ����� Cisco Secure PIX Firewall �� �
��� �����. �� ���� �� �� � ��� �� ��� TEC ����
���� ��� Cisco Secure PIX Firewall �� ��� VPN(Virtual Private Network) �
� ���� ������. VPN �� �� � ��� �� ��� Configuration Guidefor the Cisco Secure PIX Firewall Version 5.1 �����.
�� ��� �� ��� TEC ���� ���� �� �� ��� ��� � ��� � ��� � ����.TEC ���� ���� �� ������ ��� ���� ������.
�� ��� � ����� �� ������.
1. Tivoli ����� Tasks for Enterprise Risk Management�� TEC ��� ���
��� �����.
2. Configure_PIX_Firewall_Access TEC ���� �����.
3. ��� �� ���� �����. �� � �� ����� ��� �����.
IP �� ����� ��� �� �� Cisco Secure PIX Firewall ��� IP
��� �����. � ���� �����.
�� � Cisco Secure PIX Firewall ��� �� ��� �� ��� ��
�� �����. � ���� �����.
� (�� ��) � Cisco Secure PIX Firewall ��� � ��� � �� �� ��
�� �� �� �� �����. � ���� �����.
� � � ���� �����. �� �� � � ��� �����.
¶ � �� ��
¶ �� �� ��
��� ���� ��� ��� �� ��� ��� ���
�� ���.
¶ �� Cisco Secure PIX Firewall ��� � �
� ���� �� �� ��� ��� �� �����
��� � �� Cisco Secure PIX Firewall� ��� ��, ���
�� � � � ����.
���� � �� �����. � ���� �����.
��� �� ��� ����� ��� Cisco Secure PIX Firewall ��� ��� �
� �����.
��� ��� �� ���� ��, �� ��� �� �� � ��
�� ���� ��� ��� �� �����.
��� ��� ���� �� �� , � � ���� ���� �
� � �� ����� ����. Cisco Secure PIX Firewall ���
� ���� ���� �� ���. ���� �� ��� ���
� ���� ����.
� ���� �����.
�� � �� �� IP �� � �����.
Cisco Secure PIX Firewall ��� ���� IP �� � ��(�: 6)
�� IP �� � ��! �(�: tcp) ��� � ����.
� ���� ���� ��, IP �� � TCP, UDP � ICMP� �
����.
� ���� �����.
�� IP �� �� �� �� IP ��� �����.
�� IP �� ��� ���� ���� � � ��� �� �
������ ��� � ����.
�� IP ���� ���� ���� �� �� �����, � ��
�� �� ���� ��� �� �� Cisco Secure PIX Firewall �
�� ��� �� ������.
� ���� ���� ��, �� IP ���� ��� IP ���� �
�� �����.
� ���� �����.
�� IP �� ��� �� �� �� IP �� ���� �����.
������ IP �� ���(�: 255.255.255.240)� ���� �� �
������ ��� ��� � ����.
� ���� ���� �� �� IP �� ���� ����, ��
IP ��� � ���� ��� �� �����.
� ���� �����.
��� IP �� �� �� ��� IP ��� �����.
��� IP �� ��� ���� ���� ��� IP ��� � �
�� �� ������� ��� � ����.
�� IP ���� ���� ���� �� �� �����, � ��
�� �� ���� ��� �� �� Cisco Secure PIX Firewall �
�� ��� �� ������.
� ���� ���� ��, �� IP ���� ��� IP ���� �
�� �����. � ���� �����.
��� �� �� �� ��� ��� �����.
�� �� �� ��� ��� � ����.
Cisco Secure PIX Firewall ��� ���� �� ��(�: 80) �� �
� ��! �(�: www) ��� � ����.
� ���� �����.
�� �� �� ��� TEC ���� ���� ��� �� � �� � ����. �� ���� ���� �
policy� ��� ����� ��� � ����. TEC ���� ���� �� �����
� ��� ���� ������.
1. Tivoli ����� Tasks for Enterprise Risk Management�� TEC ��� ���
��� �����.
2. Show_PIX_Firewall_Configuration �����.
3. ��� �� ���� �����. �� ���� �����.
IP �� ���� �� �� Cisco Secure PIX Firewall ��� IP ��
�� � Cisco Secure PIX Firewall ��� �� ��� �� ���� ��
�
� (�� ��) � Cisco Secure PIX Firewall ��� � � � �� �� ���
� �� �� �
� � �� ��� Cisco Secure PIX Firewall ��� �� � � �
����. ���� �, �, �� ��, ����, ����, ��
�� �����.
�� � �� ��� Cisco Secure PIX Firewall ��� �� �� ��
� � ����.
��� �� � �� ��� Cisco Secure PIX Firewall ��� �� ��� �� �
�� � � ����.
�� � �� ��� Cisco Secure PIX Firewall ��� ��(��� �
��) �� �� �� � � ����. � ��� ���� Cisco
Secure PIX Firewall ���� ����. ���� � TEC ����
�� �� ��� �����.
�� �� �� ������ � Risk Manager ��� ��� � ��� ��� �� � ����� � TEC���� ������. TEC ���� ���� �� ������ ��� ���� ���
���.
Cisco Secure PIX Firewall �� ���� �� ������.
1. Tivoli ����� Tasks for Enterprise Risk Management�� TEC ��� ���
��� �����.
2. Configure_PIX_Firewall_Logging �����.
3. ��� �� ���� �����. ���� �� ����.
IP �� ��� �� � ��� �� Cisco Secure PIX Firewall ��� IP
��� �����.
� ���� �����.
�� � Cisco Secure PIX Firewall ��� �� ��� �� ��� �
� �� �����.
� ���� �����.
� (�� ��) � Cisco Secure PIX Firewall ��� � ��� � �� �� �
��� �� �� �� �����.
� ���� �����.
�� ��� ���� �
�� � � � Cisco Secure PIX Firewall� ���� ����
� � �����.
Cisco Secure PIX Firewall� ��� �� � � ��� ���
�� �� ��� � � �����.
���� inside���. � ���� �����.
�� ��� IP �� Cisco Secure PIX Firewall� ��� � ����� �� � �
IP ��� �����.
� ���� �����.
�� �� �� �� � � �� �� Cisco Secure PIX Firewall� ��� ��
� � � ���� �� �� �� �����.
�� ���(�: errors) �� ��(�: 3)� ��� � ����.
���� errors���.� ���� �����.
�� �� �� �� �� ���� syslog �� ��� �����.
���� 20���. �� �� ��� LOCAL4 ��� ��� �
�� 20� �����.
� ���� �����.
�� �� ��� Cisco Secure PIX Firewall ���� �� ����� Yes� �
����.
No� �� ��� � �� ���. �� ��� �� � � ��
��� Cisco Secure PIX Firewall� ��� � ��� � � �
��� ����.
���� Yes���. � ���� �����.
Cisco Secure PIX Firewall ��Cisco Secure PIX Firewall� ���� �� ���� ��� � ����.
��� ��� ��� ��Risk Manager� ���� TEC ���� ���� ��� Cisco Secure PIX Firewall ���� ��� �� ��� TME ��(UNIX ���� ���� Tivoli �� �� �
�(syslogd) �� Windows NT ���� ���� Cisco PIX Firewall Server(PFSS))� �
� � ����.
����� Cisco Secure PIX Firewall � ���. Risk Manager� �� ��� �
� Tivoli �� �� ��� �� �� ���� �� ��� ����� ������.
Cisco Secure PIX Firewall � � � � �� ����.
logging on �� ��� �� ���� ��� ����.
logging host [if_name] ip_addr �� ��� �� ���� �����. �
TME �� �� Cisco Secure PIX Firewall� �
�� ���� ���� ����.
logging trap level Cisco Secure PIX Firewall� ��� ����
�� 3(��)�� �� 0(��)�� ����� �
� 3�� ����.
logging facility facility �� ��� ���� syslog � �� ���
��. �� ��� LOCAL4 ���� ���� �
�� 20 ������.
timestamp logging �� � �� ��� ���� � ��� ��
���. � �� clock set �� ��� �
���.
no logging message log_id Cisco Secure PIX Firewall�� �� �� ���
�����. %PIX-6-302010 �� � ��,
log_id� 302010�� ������.
� �� �����.
clock set hh:mm:ss month day year Cisco Secure PIX Firewall�� �� �� # �
��� � � ���� Cisco Secure PIX
Firewall� ��� �� # ��� � ���
��.
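To show how the logging commands in this table work together, here is an added Python model (not part of the guide or of Cisco's software) that applies the commands and decides, for constructed sample messages, which ones reach the syslog host and with what syslog priority; the host address and the message texts are assumed.

```python
"""Model of how the PIX logging commands in the table above decide which messages
reach the syslog host that the Tivoli adapter reads.

Added example; it is not part of the Tivoli Risk Manager guide or of Cisco's software.
The syslog host address and the sample message texts are constructed.
"""
import re
from dataclasses import dataclass, field

# Cisco PIX messages carry a "%PIX-<severity>-<message id>" tag; the id after the
# severity is the log_id used with "no logging message".
PIX_TAG = re.compile(r"%PIX-(?P<sev>[0-7])-(?P<msgid>\d{6})")

# Severity 0..7; "logging trap 3" (the default) forwards severities 0..3.
SEVERITY_NAMES = ["emergencies", "alerts", "critical", "errors",
                  "warnings", "notifications", "informational", "debugging"]


@dataclass
class PixLoggingConfig:
    """State set by logging on / logging host / logging trap / logging facility /
    logging timestamp / no logging message."""
    logging_on: bool = False
    hosts: list = field(default_factory=list)      # (if_name, ip_addr) pairs
    trap_level: int = 3                            # default 3 (errors)
    facility: int = 20                             # default 20 (LOCAL4)
    timestamp: bool = False
    suppressed: set = field(default_factory=set)   # log_ids given to "no logging message"

    def apply(self, line: str) -> None:
        """Apply one configuration command as it would be typed on the PIX."""
        parts = line.split()
        if parts == ["logging", "on"]:
            self.logging_on = True
        elif parts[:2] == ["logging", "host"]:
            # logging host [if_name] ip_addr: the interface name is optional
            self.hosts.append((parts[2], parts[3]) if len(parts) == 4 else (None, parts[2]))
        elif parts[:2] == ["logging", "trap"]:
            self.trap_level = int(parts[2])
        elif parts[:2] == ["logging", "facility"]:
            self.facility = int(parts[2])
        elif sorted(parts) == ["logging", "timestamp"]:
            # the table writes this as "timestamp logging"; both orders are accepted here
            self.timestamp = True
        elif parts[:3] == ["no", "logging", "message"]:
            self.suppressed.add(parts[3])
        else:
            raise ValueError(f"unsupported command: {line!r}")

    def forwards(self, message: str):
        """Return (sent, reason, syslog_pri) for one message produced by the PIX.

        syslog_pri is the RFC 3164 PRI value facility * 8 + severity, which is what
        the receiving syslogd uses to match a selector such as local4.err.
        """
        m = PIX_TAG.search(message)
        if not m:
            return False, "no %PIX tag", None
        sev, msgid = int(m["sev"]), m["msgid"]
        if not self.logging_on:
            return False, "logging off", None
        if not self.hosts:
            return False, "no logging host", None
        if msgid in self.suppressed:
            return False, f"message {msgid} suppressed", None
        if sev > self.trap_level:
            return False, f"{SEVERITY_NAMES[sev]} ({sev}) above trap level {self.trap_level}", None
        return True, "forwarded", self.facility * 8 + sev


# Constructed configuration: the defaults from the table plus one suppressed id.
SAMPLE_COMMANDS = [
    "logging on",
    "logging host inside 10.0.0.5",      # 10.0.0.5: assumed TME endpoint running syslogd
    "logging trap 3",
    "logging facility 20",
    "logging timestamp",
    "no logging message 302010",
]

# Constructed messages: the ids are illustrative and the texts are not real PIX output.
SAMPLE_MESSAGES = [
    "%PIX-2-106001: Inbound TCP connection denied from 192.0.2.7/4455 to 203.0.113.9/23",
    "%PIX-6-302010: 3 in use, 12 most used",
    "%PIX-5-304001: 198.51.100.4 Accessed URL 203.0.113.10:/index.html",
    "%PIX-3-201008: The PIX is disallowing new connections",
]


def run_sample():
    """Apply SAMPLE_COMMANDS and report, per message id, whether it is forwarded and why."""
    cfg = PixLoggingConfig()
    for command in SAMPLE_COMMANDS:
        cfg.apply(command)
    report = []
    for msg in SAMPLE_MESSAGES:
        sent, reason, pri = cfg.forwards(msg)
        report.append((PIX_TAG.search(msg)["msgid"], sent, reason, pri))
    return report


if __name__ == "__main__":
    for row in run_sample():
        print(row)
```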
�� �� �Windows ��� �� ��� ���� ��, tecad_nt.conf �� ���� �� ��
������. ���� ���� �� � ���� ������. � ���� ��� ���
� � �� ���� �������.
LogSources=pfss_install_dir\monday.log,pfss_install_dir\tuesday.log,pfss_install_dir\wednesday.log,pfss_install_dir\thursday.log,pfss_install_dir\friday.log,pfss_install_dir\saturday.log,pfss_install_dir\sunday.log
�� �� �� ��� �� �� ������.
PollInterval=1
��� ��� � � ��Cisco Secure PIX Firewall� �� � �� ��� ������ ���� ��� ��
���. ��� Tivoli wtll � ���� Tivoli policy region �� ��� ������ �
��� � ����.
��� ������ ���� ���� wtll � ���� ���� ���� policy region ������.
Windows ���
wtll -r -p TEC-Region -P $CPP_LOCATION $BINDIR\RISKMGR\corr\tasks\rmt_tasks.tll
UNIX ���
wtll -r -p TEC-Region -P $CPP_LOCATION $BINDIR/RISKMGR/corr/tasks/rmt_tasks.tll
��� CPP_LOCATION � BINDIR� �� cpp ����� �� �� � ��� � ��
�� �� �� �� ���������. �� .dsl ��� .tll �� �� �� �� ��
���.
cpp ����� �� ��� �����(�� ������ �����) ������.
/usr/ccs/lib/cpp
�� cpp �� �� �� �� ��� PATH �� �� ������.
Check Point FireWall-1� ���
� ��� �� ��� �����.¶ �Check Point FireWall-1� �� ���
¶ 167 ��� �Check Point FireWall-1� �� � � ��
¶ 173 ��� �Check Point FireWall-1 �� ���
Check Point FireWall-1 ��� ��� 238 ��� �Check Point FireWall-1 ���
� �����.
Check Point FireWall-1� ��� Check Point FireWall-1 ���� ���� ��� ��
�� ���.
Check Point Software Technologies OPSEC SDK� �� ��� ��� �� � ����
����.
http://www.checkpoint.com/opsec/cp_products/opsec_sdk.html ��
http://www.checkpoint.com/opsecsdk.
Check Point FireWall-1� ��� ��Risk Manager� Check Point FireWall-1 �� ��� ��� �� �� �� ��� � �
���� ���� ����� Check Point FireWall-1� ��� �����.
���� ��� �� �� �� ��� �� ����� ��� � ��� ������. �
��� ��� �� ��� ��� �� ���� �����. ��� �� ���� �� �
�� � ����.
¶ �� ��
¶ �� ��
¶ �� ��
¶ ���� �� �(NAT)/�� �� �(PAT) ��
Check Point FireWall-1� ��� Check Point Open Platform for Secure EnterpriseConnectivity(OPSEC) � ��� �� API(LEA)� ���� ��� ��� �����.
Check Point FireWall-1� ��� Risk Manager Event Integration Facility(EIF)� ���
� ���� �� ��� � ��� � � ����� Tivoli Enterprise Console(TEC) ��
165 Risk Manager User's Guide
13. Check Point FireWall-1� �� �
� �� ��� �����. Check Point FireWall-1� ��� Risk Manager ���� �
� ��� ��� ��� ��� ���� ��� ��� � ��.
�� ��Check Point FireWall-1� �� �� ��� ���� �� ����� ���� Check PointFireWall-1 �� �� ��� ���� ��� ���.
Check Point FireWall-1 ��
¶ �� ���� VPN-1/FireWall-1� ��� �� �� �� � �� ��� ����
�.
¶ � ��� �� � ��� �����.
¶ Risk Manager �� ������ ��� ��� �� ����.
LEA �� �� ������ � policy� FW1_lea �� ���� ��� �� ���. VPN-1/FireWall-1� �� �� �� �� ��� � ����.
¶ �� ���
¶ �� ��
¶ SSL(Secure Sockets Layer) ��� �� ��
��� �� ���Risk Manager� Risk Manager� ���� ��� � � ���� ��� ��� �� ��
� �����. ��� ��� �� ��� ��� ������ �� �� �� �� ���
��� ��� �� �� �� �����.
Risk Manager� Tivoli Risk Manager �� ��� �� � cpfw.baroc ��� �
��� ��� ���� �����.
������ �� ��� ��� ��� Risk Manager ��� ��� ���� ���� RiskManager� ��� �� � ����.
��� ����� �� ���� ����� � � policy �����. ��� ���� ��� � �
� ��� � policy� ���� �� � �� �� �� �����. Check PointFireWall-1� Risk Manager ��� ��� ���� � �� �����.
�� ���
CPFW_Control
��� �� ���
CPFW_Auth_Deny
CPFW_Auth_Permit
ICMP(Internet Control Message Protocol) ���
CPFW_ICMP_Deny
CPFW_ICMP_Permit
�� ���
CPFW_Service_Deny
CPFW_Service_Permit
CPFW_FTP_Deny
CPFW_FTP_Permit
CPFW_HTTP_Deny
CPFW_HTTP_Permit
CPFW_Telnet_Deny
CPFW_Telnet_Permit
CPFW_Login_Deny
CPFW_Login_Permit
Check Point FireWall-1 �� Risk Manager ��� ������� Risk Manager� Check Point FireWall-1 �� �� � WARNING� ��
Risk Manager ���� ����� �� ��� �� � HARMLESS� �� Risk Manager���� ������. cpfw.baroc ���� � �� � ����.
Check Point FireWall-1� ��� �� � ��� ���� Check Point FireWall-1� ��� ��� ��� �� ���.
Check Point FireWall-1� ��� ��� �� Check Point FireWall-1 �� ���
��. Check Point FireWall-1� �� �� �� ��� 31 ��� �Risk Manager
��� �����.
Check Point FireWall-1 ��� ���� � � ����� �� ��� � ���.
�: Unix ���� Check Point FireWall-1� Risk Manager ��� ��� ��, RiskManager �� ����� �� ��� ������.
. /etc/Tivoli/rma_eif_env.sh
Risk Manager EIF � ��� � ��� Check Point FireWall-1� ��� ��
Check Point FireWall-1� ��� �� �� ���� Risk Manager EIF� � ��. �
�� Risk Manager EIF� ��� ���� Risk Manager � � � ��. ��� ��
��� Risk Manager TEC ����� ��� �� ���� � Check Point FireWall-1� �� �� �� ����� Risk Manager EIF� ���� �� �� ���.
Check Point FireWall-1 ���� ����� Risk Manager EIF� ����, cpfw.fmt �
� Risk Manager EIF rmad.fmt �� ��� �� ������. �� ���� rmad.fmt�� ���� ��� �� ��(.cds) �� �����. rmad.cds �� ��� �
, �� �� ������.
1. rmad.fmt ��� �� cpfw.fmt� ������.
Windows ���
cat cpfw.fmt >> rmad.fmt
UNIX ���
cat cpfw.fmt >> rmad.fmt
Risk Manager EIF� Windows � Unix ����� �� cpfw.fmt �� �����.
2. .cds �� � �� � riskmgr_gencds � ������.
riskmgr_gencds rmad.fmt >rmad.cds
3. Check Point FireWall-1� ��� � ���� �� rmad.cds �� �� ���
���.
�� � �� ���� Check Point FireWall-1 �� ��� � ��� rmad.cds �
� ���� ��� �� ��� ��� 46 ��� �ACF� ��� Risk Manager ��
� � ���� �����.
�� ��Check Point FireWall-1� �� �� � ��� �� �����.
¶ Check Point FireWall-1 � � ��
¶ Check Point FireWall-1� Risk Manager �� � ��
Check Point FireWall-1 �� �� ��Check Point fwopsec.conf � ��� Check Point VPN-1/FireWall-1� �� OPSEC �
����� ���� �� ��� ��� � � �� �����.
fwopsec.conf ��� ��� ������ ���� ��� $FWDIR/conf/ �� �� ���
��� FWDIR� ��� ������ � �� ����.
Check Point FireWall-1� ��� �� ��Check Point FireWall-1� �� rma_cpfw.conf � ��� �� ��� �� ����
�.
lea_server ip 127.0.0.1
lea_server auth_port 18184
lea_server auth_type ssl_opsec
lea_server auth_type auth_opsec
� �� �� ���. � �� ���� ��� fwopsec.conf ��� � � �
� �� ��� �� �����. ��� � ��� 167 ��� �Check Point FireWall-1�� �����.
Check Point FireWall-1 � Check Point FireWall-1� ��� ���� �� ����
��.
1. Check Point FireWall-1 OPSEC � � �����. �OPSEC � � Check PointFireWall-1 �� �����.
2. OPSEC ������ �����. 170 ��� �OPSEC ������ Check Point �
� �� �����.
3. SAM � � �����. 171 ��� �SAM � �� �����.
4. Check Point FireWall-1� ��� OPSEC � � ������. 171 ��� �OPSEC� � Check Point �� ��� �����.
5. Check Point Policy ���� ������.
¶ FW1_lea �� ���� ��� � policy� ������.
¶ ���� �� �(NAT) �� ���� ����.
�� ��� Check Point VPN-1/Firewall-1 �� ��� � policy �� � �
NAT � �����.
� Tivoli ����� 37 ��� �Native �� ��� Risk Manager ��� ��� �
� �����.
OPSEC ��� Check Point FireWall-1 ����� �� Check Point VPN-1/FireWall-1 �� ��� �����.
OPSEC � � FireWall-1 ����, fwopsec.conf � �� ������
fwopsec.conf �� ���� �� OPSEC � � ��� �� �� ��� ���� �
���� ���.
Risk Manager Check Point FireWall-1� �� rma_cpfw ��� � � lea_server� �����.
�� ��, �� 18184�� LEA ����� ���� � ������ �� �� �
����� �� ��� � ����.
lea_server auth_port 18184
lea_server auth_type ssl_opsec
fwopsec.conf� OPSEC ������ �� ����� ��� �� ��� �� ��
� �� � ��� ������.
��� ��� �� �� ������.
lea_server port port_number
�� ��� �� �� ������.
lea_server auth_port port_number
lea_server auth_type auth_opsec
���� �� ��� �� �� ������.
lea_server auth_port port_number
lea_server auth_type ssl_opsec
OPSEC ���� Check Point ��� ��Risk Manager ������ rma_cpfw.conf � �� ���� ������ OPSEC�
���� �� ������.
1. �� ���� � ��� OPSEC � � ����� �� ������.
Windows NT ���
%RMADHOME%\RISKMGR\adapters\etc\rma_cpfw.conf
UNIX ���
$RMADHOME/RISKMGR/adapters/etc/rma_cpfw.conf
2. � � OPSEC � ��� ���� ��� ��� ����� 127.0.0.1� ����
��.
3. �� � � ��� ������.
��� ��� �� �� ������.
lea_server ip ip_address
lea_server port port_number
�� ��� �� �� ������.
lea_server ip ip_address
lea_server auth_port port_number
lea_server auth_type auth_opsec
�� ��� �� �� ������.
lea_server ip ip_address
lea_server auth_port port_number
lea_server auth_type ssl_opsec
�:
�� ��(���� �� ���� ��) � IP �� 143.193.22.5� �� LEA � �
� 18184�� ����� �� ��� � ����.
lea_server ip 143.193.22.5
lea_server port 18184
���� �� �� � IP �� 143.193.22.5� �� LEA � �� 18184�� ���
�� �� ��� � ����.
lea_server ip 143.193.22.5
lea_server auth_port 18184
lea_server auth_type auth_opsec
���� �� SSL � �� � IP �� 143.193.22.5� �� LEA � �� 18184�� ����� �� ��� � ����.
lea_server ip 143.193.22.5
lea_server auth_port 18184
lea_server auth_type ssl_opsec
SAM �� ��Check Point FireWall-1 ���� ���� � SAM � � � ���. �� TEC �
��� Check Point FireWall-1� �� ���� ��� Risk Manager �� ����
�.
¶ CheckPoint_FW-1_by_IP_Address
¶ CheckPoint_FW-1_by_Source_and_Destination
��� ���� ���� ����� �� SAM � � ��� OPSEC Suspicious ActivityMonitoring(SAM) API� ��� � ����.
SAM � �� �� ��� ��� OPSEC ��� �����. SAM � � ��
SAM � � ��� ���� ������.
Windows NT ���
%RMADHOME%\etc\rma_cpfw.conf
Solaris ���
$RMADHOME/etc/rma_cpfw.conf
�:
sam_server ip 127.0.0.1
sam_server auth_port 18183
sam_server auth_type auth_opsec
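An added Python checker (not part of Tivoli Risk Manager) for the lea_server lines shown earlier in this section and the sam_server lines shown just above: it classifies each block as a clear, auth_opsec or ssl_opsec connection and rejects inconsistent files, for instance one that keeps both auth_type lines from the lea_server template. The sample file contents are constructed.

```python
"""Validator for the lea_server / sam_server lines of rma_cpfw.conf.

Added example, not part of Tivoli Risk Manager; the sample file contents below are
constructed from the forms shown in this chapter.
"""
from dataclasses import dataclass
from typing import Optional

VALID_AUTH_TYPES = {"auth_opsec", "ssl_opsec"}   # the two authenticated modes in the guide
SERVERS = ("lea_server", "sam_server")
KEYS = ("ip", "port", "auth_port", "auth_type")


@dataclass(frozen=True)
class OpsecServer:
    kind: str                    # "lea_server" or "sam_server"
    ip: str
    port: Optional[int]          # "port": clear (unauthenticated) connection
    auth_port: Optional[int]     # "auth_port": authenticated connection
    auth_type: Optional[str]

    @property
    def mode(self) -> str:
        """Which of the three connection forms this block corresponds to."""
        if self.auth_type == "ssl_opsec":
            return "ssl"
        if self.auth_type == "auth_opsec":
            return "auth"
        return "clear"


def parse_rma_cpfw_conf(text: str) -> dict:
    """Parse "<server> <key> <value>" lines into {"lea_server": OpsecServer, ...}.

    Raises ValueError on the inconsistencies worth catching before the adapter is
    started: duplicate keys (for example two auth_type lines), an auth_port without
    a valid auth_type, both port and auth_port, or an auth_type on a clear port.
    """
    raw = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.split("#", 1)[0].strip()     # allow trailing comments in the sample
        if not line:
            continue
        parts = line.split()
        if len(parts) != 3 or parts[0] not in SERVERS:
            raise ValueError(f"line {lineno}: unrecognised line {line!r}")
        server, key, value = parts
        if key not in KEYS:
            raise ValueError(f"line {lineno}: unknown key {key!r}")
        if key in raw.setdefault(server, {}):
            raise ValueError(f"line {lineno}: duplicate {server} {key}")
        raw[server][key] = value

    servers = {}
    for server, keys in raw.items():
        if "ip" not in keys:
            raise ValueError(f"{server}: missing ip")
        if ("port" in keys) == ("auth_port" in keys):
            raise ValueError(f"{server}: give exactly one of port or auth_port")
        auth_type = keys.get("auth_type")
        if "auth_port" in keys and auth_type not in VALID_AUTH_TYPES:
            raise ValueError(f"{server}: auth_port requires auth_type auth_opsec or ssl_opsec")
        if "port" in keys and auth_type is not None:
            raise ValueError(f"{server}: auth_type has no effect with a clear-text port")
        servers[server] = OpsecServer(
            server, keys["ip"],
            int(keys["port"]) if "port" in keys else None,
            int(keys["auth_port"]) if "auth_port" in keys else None,
            auth_type)
    return servers


# Constructed sample: SSL-protected LEA plus authenticated SAM on the default ports.
SAMPLE_CONF = """\
lea_server ip 143.193.22.5
lea_server auth_port 18184
lea_server auth_type ssl_opsec
sam_server ip 143.193.22.5
sam_server auth_port 18183
sam_server auth_type auth_opsec
"""

# Constructed sample that keeps both auth_type lines of the lea_server template;
# only one may remain, so the validator rejects it.
CONFLICTING_CONF = """\
lea_server ip 127.0.0.1
lea_server auth_port 18184
lea_server auth_type ssl_opsec
lea_server auth_type auth_opsec
"""


def check(text: str):
    """Return the parsed servers, or the error message if the file is inconsistent."""
    try:
        return parse_rma_cpfw_conf(text)
    except ValueError as err:
        return str(err)


if __name__ == "__main__":
    print(check(SAMPLE_CONF))
    print(check(CONFLICTING_CONF))
```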
OPSEC ��� Check Point ��� ��� �� ���� � � �� OPSEC ������ ��� �� ������� ��
���.
Risk Manager� Check Point FireWall-1� Risk Manager �� �� ��� ��
opsec_putkey ���� �����. Risk Manager� � �� ����.
Windows ���
%RMADHOME%\bin
UNIX ���
$RMADHOME/bin
� �� ��(machine1 � machine2)� ��� ������. � �� ��(machine1)� ��
� �� �����. � �� ��(machine2)� Risk Manager CheckPoint FireWall-1 �
��� �����. ��� �� Risk Manager CheckPoint FireWall-1 ��� �� ��
�� ���� ��� � ����.
1. Check Point FireWall-1 � ��, �� � � ��� ������.
�� ��� �� �� ������.
fw putkey -opsec machine2
SSL ��� �� �� ������.
fw putkey -opsec -ssl machine2
2. ����� �� �� � ��� ������. � �� �� 6��� ���.
3. �� � � ��� ���� ��� � �� �����(machine2)� �����.
�� ��� �� �� ������.
opsec_putkey machine1
�� ��� �� �� ������.
opsec_putkey -ssl machine1
4. ����� �� 2 ��� ��� ��� �� � ��� ������. � �� �
���� machine1� ��� ��� �� � �� ����� machine2�� ��
���.
Check Point ��� $OPSECDIR �� �� authkeys.C ��� � ��� ����.
Windows ���
%RMADHOME%\etc
UNIX ���
$RMADHOME/etc
5. � � ��� � �� �����(machine3...machineN)� ��� �� machine2� �
�� ��� ���� � �� �� �� �� ������.
�� ��, machine1 � machine2 machine3 �� ���� ��, machine1 machine2��� � �� ���� machine1 machine3 ��� �� �� �����.
� �� �� Risk Manager TEC ���� ���� ��� �����. �� �
�� 174 ��� �Windows NT�� �� �� 174 ��� �Solaris�� �� ��
���.
����� Check Point FireWall-1 ��� ����� Policy ��Check Point FireWall-1 policy� �� ��, policy�� policy� ���� � ���� �
� ���� �� ����. ��� � ����� ���.
���� �� � ��� ���� ���� ��� �� ����.
18. Check Point FireWall-1� � ���� ��
� ���� � �� ��
� ���
�� ���
�� ���
�� �
� �
SNMP �
��� �
Policy� Risk Manager � � � ������ ����� ��� ��, �, SNMP ��
��� ��� �����. �, �� � �� ��� ������ ���� ����.
��, �, SNMP � ��� ��� � ��� ����� Check Point �� ��� �
� ����.
�� �� �� ��� �����.
1. Check Point FireWall-1 Policy ���� ���� ��� ���� �� ��� �
�, �, SNMP �� �� ��� ��� �����. ��, � �� �� �� ���
� ���� ����.
2. ��� ��� ��� �� ������.
Check Point FireWall-1 ��� ��� ���� TEC ��� ��� �� �� � ���.
TEC ���TEC ���� �� ��� �� � ����. �� �� � � ���� �� ��
� � ��� ����. �� �� ��� ��� ��� � � �� �� �
�� � ����. ��� ���� ���� � policy� ��� ���� � ����
��� � ����. Risk Manager ��� ���� ������� � policy� �� �
����.
Risk Manager ��� ������ ���� ���� ��� ���� �����.
Risk Manager� ��� ��� ������ Tasks for Enterprise Risk Management� ��
���. Risk Manager� �� TEC policy region� TEC region� ��� ������ �
���.
Risk Manager� Check Point FireWall-1� ��� �� TEC ���� �����.
¶ Start_CheckPoint_FW-1_Adapter_on_Windows_NT
¶ Start_CheckPoint_FW-1_Adapter_on_Solaris
¶ Start_CheckPoint_FW-1_Adapter_on_Linux
¶ CheckPoint_FW-1_by_IP_Address
¶ CheckPoint_FW-1_by_Source_and_Destination
¶ Stop_CheckPoint_FW-1_Adapter_on_Windows_NT
¶ Stop_CheckPoint_FW-1_Adapter_on_Solaris
¶ Stop_CheckPoint_FW-1_Adapter_on_Linux
TEC ���� ���� ��Check Point FireWall-1� ��� ��� �� ���� ��� ������ �����
������.
Windows NT�� �Check Point FireWall-1� ��� ���� �� ������.
1. Check Point FireWall-1� ��� ��� �� �� Check Point FireWall-1 �� �
� �� ������. Check Point FireWall-1 �� ���� �� �� �� ��
� �����.
2. Tivoli ����� Tasks for Enterprise Risk Management�� TEC ��� ���
��� �����.
3. Start_CheckPoint_FW-1_Adapter_on_Windows_NT TEC ���� ��� Risk Manager��� �����.
Solaris�� �Check Point FireWall-1� ��� ���� �� ������.
1. Check Point FireWall-1� ��� ��� ��, �� Check Point FireWall-1 �� �
� �� ������. Check Point FireWall-1 �� ����, �� �� �� ��
� �����.
2. Tivoli ����� Tasks for Enterprise Risk Management�� TEC ��� ���
��� �����.
3. Start_CheckPoint_FW-1_Adapter_on_Solaris� ��� Risk Manager ��� ��
���.
Linux�� �Check Point FireWall-1� ��� ���� �� ������.
1. Check Point FireWall-1� ��� ��� ��, �� Check Point FireWall-1 �� �
� �� ������. Check Point FireWall-1 �� ����, �� �� �� ��
� �����.
2. Tivoli ����� Tasks for Enterprise Risk Management�� TEC ��� ���
��� �����.
3. Start_CheckPoint_FW-1_Adapter_on_Linux� ��� Risk Manager ��� ���
��.
IP �� �� ��SAM ����� �� SAM � � ���� �� ������.
1. Tivoli ����� Tasks for Enterprise Risk Management�� TEC ��� ���
��� �����.
2. CheckPoint_FW-1_by_IP_Address� �����.
3. OPSEC SAM � �� ��� �� �����.
�: OPSEC SAM � NOTIFY �� �����, Watch ���� ������.
CheckPoint_FW-1_by_IP_Address ���� �� SAM �� �� IP ��� � �
���. IP ��� ��� ��, ��� �� �� � ��� ���� ��� ��� �
����.
IP �� �� �� �����.
1 : ICMP (Control Message Protocol)
2 : IGMP (Group Management Protocol)
3 : GGP(Gateway 2 Protocol -- �� �)
6 : TCP (Transmission Control Protocol)
12 : PUP
17 : UDP (User Datagram Protocol)
22 : IDP (Internet Datagram Protocol)
77 : UNOFFICIAL Net Disk Protocol
255 : �� IP ��
4. ��� �� �� �� ���� ��� �� � �� �� �����.
Long Log Alert
Long Log No Alert
Short Log Alert
Short Log No Alert
No Log No Alert
5. ��� ��� ��� �� �� ��� ������.
� �� �� ���� � ���� 0���. ��� 0� �� �� ��� �� �
� ��.
IP �� �� � ��� �� �����.
¶ ��
¶ ���
¶ �� �� ���
IP �� ���� 0.0.0.0���.
6. �� � �� �� ��� SAM ����� �� SAM � � �����.
�� � ��� �� ��SAM ����� �� SAM � � ���� �� ������.
1. Tivoli ����� Tasks for Enterprise Risk Management�� TEC ��� ���
��� �����.
2. CheckPoint_FW-1_by_Source_and_Destination �����.
3. OPSEC SAM � �� ��� ����� �� �����.
�: OPSEC SAM � NOTIFY �� �����, Watch ���� ������.
SAM �� � �� TEC ��� � �� �
WATCH �� IPaddr ���� �� ��� �� �
� ���� ���� ���.
INHIBIT � IPaddr ����� �� ��� ��
� �� �� ���� ���� ��
�.
INHIBITCLOSE � � �� �� ����� IPaddr� �� ��
� ����. � � ���� �� ��
�� ���� �� ��� ��
���(�� ��).
CANCELWATCH �� �� �� �� �� � �� �� ��
���.
CANCELINHIBIT � �� �� �� �� � �� �� �� �
����.
�� � ��� �� �� ��� ��
��� ����. � ���� �� ��
�� ���� ��� �� ���
(�� ��).
CANCELALL �� �� ��� �� �� �����.
4. �� �� ���� ��� �� � �� �� �����.
Long Log Alert
Long Log No Alert
Short Log Alert
Short Log No Alert
No Log No Alert
5. ��� ��, ��� ��� ��� �� �� ��� ������.
� �� �� ���� � 0 - 300� � ������. ���� 0���. ���
0� �� �� ��� �� �� ��.
�� IP �� ���� 0.0.0.0���.
��� IP �� ���� 0.0.0.0���.
TEC ��� ��� �� ��� �� ���� 8080���.
IP �� � ���� TCP���.
����� TCP, ICMP, IGMP, GGP, PUP, UDP,
IDP, Net Disk Protocol �� �� IP ��� �����.
6. �� � �� �� ��� SAM ����� �� SAM � � �����.
Windows NT�� ��� ��Windows NT�� Check Point FireWall-1� ��� �����, �� ������.
1. Tivoli ����� Tasks for Enterprise Risk Management�� TEC ��� ���
��� �����.
2. Stop_CheckPoint_Firewall_Adapter_on_Windows_NT� ��� ��� ������.
3. Check Point FireWall-1� ��� �� ��� ��, �� Check Point FireWall-1 �� �� �� ������. Check Point FireWall-1 �� ���� �� �� ��
��� �����.
Solaris�� ��� ��Risk Manager� ��� TEC ���� ���� Solaris�� Check Point FireWall-1� �
�� ����� �� ������.
1. Tivoli ����� Tasks for Enterprise Risk Management�� TEC ��� ���
��� �����.
2. Stop_CheckPoint_Firewall_Adapter_on_Solaris� ��� ��� ������.
3. Check Point FireWall-1� ��� �� ��� ��, �� Check Point FireWall-1 �� �� �� ������. Check Point FireWall-1 �� ���� �� �� ��
��� �����.
Linux�� ��� ��Risk Manager� ��� TEC ���� ���� Linux�� Check Point FireWall-1� �
�� ����� �� ������.
1. Tivoli ����� Tasks for Enterprise Risk Management�� TEC ��� ���
��� �����.
2. Stop_CheckPoint_Firewall_Adapter_on_Linux� ��� ��� ������.
3. Check Point FireWall-1� ��� �� ��� �� �� Check Point FireWall-1 �� �� �� ������. Check Point FireWall-1 �� ���� �� �� ��
��� �����.
�� ��Check Point FireWall-1� ��� � ���� �� ��� � ����.
Check Point FireWall-1 � �Solaris�� Check Point FireWall-1� �� �� ���� �� ���� �� ���
���.
/etc/init.d/rma_cpfw-init start
Windows NT�� Check Point FireWall-1� �� ���� ���� �� ���� ��
������.
net start rma_cpfw
Linux�� Check Point FireWall-1� �� �� ���� �� ���� �� ���
���.
/etc/rc.d/rma_cpfw-init start
Check Point FireWall-1 � ��Solaris�� Check Point FireWall-1� �� �� ���� ����� �� �����
�.
/etc/init.d/rma_cpfw-init stop
Windows NT�� Check Point FireWall-1� �� ���� ���� ����� �� �
�����.
net stop rma_cpfw
Linux�� Check Point FireWall-1� �� �� ���� ����� �� ������.
/etc/rc.d/rma_cpfw-init stop
� ��Windows NT� ���� ��� Windows NT ��� ��� � ��. Solaris� ���
syslog ���� � ��.
Check Point FireWall-1 �� ��� � ��� �� �� � ��� � �� �� ��� �� ����.
¶ �� IP ��
¶ ��� IP ��
¶ �� ��
Risk Manager ��� ��� � ��� �� ��� �� ��� � ���� ����
�. Cisco Secure PIX Firewall� ��� �� ��� �����. Check Point FireWall-1� ��� �� ��� ���� ����. �� policy� � �� ��� �����.
Risk Manager� Risk Manager �� �� Check Point FireWall-1 ��� WARNING�� ����� �� ��� HARMLESS� ������. cpfw.baroc ���� �� ��
� ����.
�� �� �� ������� Check Point FireWall-1 �� ��� IP ��� ����� �� ��� ��
�� ����. �� �� Check Point FireWall-1 �� ��� �� Risk Manager� ��
� �� �� ��� ��� �����.
fw_conn_deny ��� �������.
fw_conn_permit ��� ������.
fw_auth_deny ���� ��� �����.
fw_auth_permit ���� ��� ����.
��� �� �� ������ �� Check Point FireWall-1 �� ��� ��, Risk Manager� ��� �� �
� ��� ��� �����.
fw_control Check Point � ��
fw_log_switch Check Point �� �� �� �� ��
fw_log_eof Check Point �� ��� �
��� �� ���� �� ��� RM_Service � � ����� RM_ICMP �� ��� ���
RM_MiscEvent� � cpfw.baroc ��� �� �� ���� ��� ��� ���
�� � ����.
��� �� ��� �� �� �����.
�� �� ���
cpfw_action ���� �� � Check Point �� �� �����.
drop
reject
accept
control (ctl)
�
cpfw_additional_info �� ��� �� ��
Check Point ��
cpfw_alert Check Point �� �� ![alert]
![userauthalert]
cpfw_ifdir ���� �� inbound
outbound
cpfw_ifname ���� � ether (Ethernet)
token (Token Ring)
fddi (Fiber Distributed Data
Interface)
ppp (point-to-point
protocol)
atm (asynchronous
transfer mode)
cpfw_len �� ��(���)
cpfw_lognum ��� �� ��� �� �
� �
Check Point �� �� �� �
cpfw_protocol �� � �� �� �� � � ������.
TCP
UDP
ICMP
�
cpfw_reason � � �� � � Check
Point ��
cpfw_rule � ��� ���� Check
Point policy ��
�� �� ���
cpfw_type Check Point ��� �� ��� ��� �� �����.
control
alert
user
cpfw_user � ��� �� ���
Risk Manager� Risk Manager �� �� Check Point FireWall-1 ��� WARNING�� ����� �� ��� HARMLESS� ������.
��� �� �� ���
� ��� �� ��� �����.
¶ �Host IDS� �� Risk Manager �� ���
¶ �TEC �� ���
¶ 182 ��� �Host IDS� �� � � ��
¶ 184 ��� �TEC ����
Host IDS� �� Risk Manager ��� ��Risk Manager��� � ��� �� �� �� ���� �� �� � �� � ��
�� � � � ���� ��� � �� ��� �� ��(Host IDS)� ��� ���
��.
Host IDS� Risk Manager ��� Windows ��� �� UNIX ���� � ���� �
�� �� ���� Tivoli Enterprise Console(TEC) ���� �����. Risk Manager HostIDS� ��� UNIX ���� Tivoli �� �� ��(syslogd) �� Windows ����
Windows ��� �� ��� ���� ���� TEC � � � ��.
Host IDS� Risk Manager ��� � ��� ��� ��� ���� ���� �� ��
� � ��� � � ��� � ��� Tivoli �� �� ��� ��� �� ��� ��
� �� ��� ����.
Host IDS� ��� ��� TME(Tivoli Management Enterprise) ��� � ����
�����.
TEC �� �Host IDS� ��� � ��� ��� � � ���� ������. ���� ���
� � ��� ��� ��� ��� ����.
Host IDS� ��� Tivoli �� �� ��� ���� ��� ��� ��� ��� ��
���� Risk Manager ���� ����. �� �� ���� �� ��� � ���
� � �����.
��� Tivoli ��� �����.
181 Risk Manager User's Guide
14. � �� �� � �� ��
Windows ���
Risk Manager� ��� �� �� os_nt.fmt� ��� �� ���� �����
Windows ��� �� ��� �����.
AIX ���
Risk Manager� ��� �� �� os_aix.fmt� ��� �� ���� �����
Tivoli �� �� ��(syslogd)� �����.
Solaris ���
Risk Manager� ��� �� �� os_solaris.fmt� ��� �� ���� ���
�� Tivoli �� �� ��(syslogd)� �����.
RedHat ���
Risk Manager� ��� �� �� os_linux.fmt� ��� �� ���� ����
� Tivoli �� �� ��(syslogd)� �����.
Risk Manager� �� Risk Manager ��� ��� ��� � �� ���� �� ��
��� ����� �� �� ���� �� ���� ��� �����.
Host IDS� ��� �� � ��� �� �� �� �� Host IDS� ��� ��� �����.
�� �Tivoli Risk Manager �� 3.8 � ����� Host IDS� ��� ��� ��� ���
�.
����� ���� �� �� �� � �� � ��� ��� Tivoli Risk Manager �
�� �� � �����.
�� ��� ���� �� TME ��� �� ��� �� ���. � ��� TivoliEnterprise Console �� ��� �����.
�� ��
TEC ��� � � ��� ��� � � �� �� TEC ��� � � ������
�. Risk Manager� ���� ���� ���� ��� ����� ��, �� � �
�(ACF) � ���. Tivoli Management Region(TMR)� ������ ���� ��
�� ������ ����� �� � Tivoli ����� ��� �� � ����.
Tivoli �� �� � Tivoli ��� Tivoli ������� Host IDS� ��� �� � �
���.
Host IDS ���� , ���� �� �� �� ����.
$BINDIR/../generic_unix/RISKMGR/ACF_REP/tecad_snmp.cds
��� BINDIR� ��� � ���� �� �� ����.
� ���� �� �� �� ��� �� �� �����.
�: Unix ���� ��� �� ��� Risk Manager ��� ��� ��, Risk Manager�� ����� �� ��� ������.
. /etc/Tivoli/rma_eif_env.sh
�� �� ���� Tivoli ���� Host IDS� ��� �����.
1. �� ��� �� �� ���� �� ���� Host IDS� ��� �� � ���
�. Host IDS� �� �� �� ������.
2. 44 ��� �Risk Manager � TME �� �� �� ���� �� ��� Risk Manager�� �� �� Tivoli �� �� �� ���� ��� �� ��(.cds) �� �
�����.
AIX ���
os_aix.fmt �� �� tecad_logfile.fmt ��� � ��� ������.
Solaris ���
os_solaris.fmt �� �� tecad_logfile.fmt ��� � ��� �����
�.
Windows ���
os_nt.fmt �� ��� tecad_nt.fmt ��� � ��� ������.
Linux os_linux.fmt �� �� tecad_logfile.fmt ��� � ��� ������.
3. ��� � �� �� �� ����� ��� Tivoli Adapter ConfigurationFacility(ACF)� ���� � �� �� ����� ������. ��� 46 ���
�ACF� ��� Risk Manager �� � � ���� �����.
4. TME ��� � �� � ��� ������.
¶ Windows ����� os_nt.fmt �� ���� Windows ��� �� ���
�����.
¶ os_aix.fmt �� ���� AIX� Tivoli �� �� ��(syslogd)� �����.
¶ os_solaris.fmt �� ���� Solaris� Tivoli �� �� ��(syslogd)� �
����.
¶ os_linux.fmt �� ���� Linux� Tivoli �� �� ��(syslogd)� ���
��.
ACF� ���� Host IDS� ��� ��� �� ��� ���� ����. �
��� �� ��� ����. ��� ��� ��� ���� �� �� �� ����
���� Host IDS� ��� �� � ����. � ���� �� �� �� ��� �
� �� �����.
Risk Manager� ��� Risk Manager� ���� ��� � � ��� ��� �����.Host IDS� ��� ���� os.baroc ��� ���� ����.
TEC ���TEC ���� ���� Windows ��� ������� � ��� ��� �� �����
�� �� ����� � � ����. ��� � �� Risk Manager� ���� �� TEC �
�� �� ��� 99 ��� �Risk Manager TEC ����� �����.
Windows ���� �� � �� �� ���� �� �(��� ���)� ��� � �
��� � ���� ����� ��� ��� � ����.
TEC ���� ���� �� rmt_ntaudit.exe �� ���� ������ ���� �
��. Risk Manager �� �� Tivoli Windows Host IDS ����� ��� �� �
��� � ���� �������.
McAfee Alert Manager� ���
� ��� �� ��� �����.
¶ �McAfee Alert Manager� �� ���
¶ 189 ��� �McAfee Alert Manager� �� � � ��
McAfee Alert Manager� ��� ��Risk Manager�� McAfee AntiVirus ��� ��� ���� McAfee Alert Manager�� �
� �� TEC ���� ���� McAfee Alert Manager� ��� ����.
����� Anti-Virus ��� ��� ��� McAfee Active Virus Defense(AVD) ��� �
��� McAfee Alert Manager� ��� �� � ��� �� � ����.
�� ��McAfee Alert Manager� ���� ��, ���� �� ���� � �� ��� ���� �
� ���� McAfee AntiVirus ��� ���� ���� �� ��� �� �� ��� �
���. Risk Manager ��� �� ��� Windows ������ ��� ���� � �
�� �� �� Tivoli Enterprise Console(TEC) ���� �����.
Alert Manager� Windows NT � Windows 2000� McAfee NetShield, Windows NT �
Windows 2000� McAfee WebShield SMTP �� �����. McAfee Alert Manager�
�� McAfee AntiVirus Point of Entry ���� ���� �� ��� �����.
VirusScan�� ��! � ActiveX ����� �� ��� ��, �� �� ��, ��� �
��, ��� ���� �� �� �� ��� ���� ��� � �� ��
�����.
� VirusScan��� ��� � ���� ��� � �� �� �����.
NetShield� ��� ���� ��� � �� �� �����.
GroupShieldLotus Domino � Microsoft Exchange ���� � � �� ���� ��� �
�� �� �����.
WebShieldSMTP ������ �� ���� ��� � �� �� �����.
15. McAfee Alert Manager� �� �
McAfee Alert Manager� ���� ��� ���� � �� ��� ��� ���� �
�� ���� ����� ��� �� � ��� � �� �����. ���� �� �
� � ��� Alert Manager� � Alert Manager � �� Windows ��� ��� ��
�� ���. � ���� � ��� Alert Manager � � �����.
McAfee Alert Manager� McAfee NetShield �� ��� � ���� �� ��� �
� �� ����. ����� McAfee NetShield ���� ���� ��� �� ����
���� ��� ��� �� ������ ����.
McAfee Alert Manager � McAfee Active Virus Defense ��� �� ��� �� �
� �� Network Associates, Inc. � ��� � ���� � � ����.
http://www.mcafeeb2b.com or http://www.nai.com.
��� ��
McAfee Alert Manager� Risk Manager ���� TEC Windows ��� �� �� TEC�� �� ��� �����. �� �� ����� �����.
¶ Windows NT �
¶ Windows 2000 �
¶ Windows 2000 �� �
TEC Windows ��� �� ��� Windows ������ ��� ��� �� McAfeeAlert Manager ���� ��� ���� �����. McAfee Alert Manager� �����
Windows ��� ���� � ���� ��� ���� �����.
Risk Manager �� �� �� rmmac.fmt� �� �����.
�� 22. McAfee Alert Manager� ��� ���
¶ ��� ���� ��� McAfee Alert Manager �� �� �����.
¶ � ��� TEC ��� ��� �������.
¶ ��� ��� TEC � �� ���� ���� ������.
Risk Manager�� McAfee Alert Manager �� ���� � ���� �� ��� �
��� ���� BAROC ��� rmvirus.baroc� �����. � ��� Risk Manager �
3.8 � ���� ��� ��� TEC ��� ��� �� �����.
��� ��� ���� ���� ��, ���� �� ���� ���� ��� ��� ��
���� �� �� McAfee AntiVirus �� � �� ���� �� ��. � ��� ��
�� � ������ ��� �� � �� ���� ���� ��� � ����.
McAfee Alert Manager � McAfee NetShield �� ���Risk Manager �� ��� McAfee Alert Manager � McAfee NetShield� �� ���
��.
McAfee Alert Manager� �� McAfee AntiVirus Point of Entry ���� ���� ��
�� �� �� ��� �����. McAfee Alert Manager �� ��� � ���� �
��� �� ��� � ����.
�:��� ��� � � ������. ���� � � ��� �����. ��� �
�� ��� � �� �� �� ��� ���� �� ����.
Risk Manager� McAfee Alert Manager � 4.5�� ���� �� Alert Manager ��
��� �����. �� �� ���� �� �� ��� rmmac.fmt� ���� �
� ���.
McAfee Alert Manager� ���� �� ��� ����� ��� � ��� �� ���
� ��� ��� ��� �� � �� ���.
Risk Manager� �� McAfee NetShield 4.5�� ���� �� �� ��� �����.� ���� McAfee NetShield ���� ��� ���� ���� ��� � ��
��.
��� ��� ��� 285 ��� �McAfee Alert Manager � McAfee NetShield ��
���� �����.
TEC �� ��TEC ��� �� ��� McAfee Anti-Virus ��� ���� �� ��� ���� AlertManager � � �����. McAfee Alert� ��� ��� ���� TEC ���� ���
�� �� ��� � ��� � � � ��.
�� ���� ���� riskmgr.baroc � sensor_abstract.baroc� �� RiskManager ��� ����� �����.
McAfee Alert Manager� ��� �� � ��McAfee Alert Manager� Risk Manager ��� Windows � �� �����.
�� �McAfee Alert Manager� Risk Manager ��� ��� �� �� �� ������.
1. ����� ��� � � ��� ��� ‘Tivoli Risk Manager ��� ��’� �
����.
2. McAfee Alert Manager� ��� ��� �� McAfee Alert Manager �� �
���. McAfee Alert Manager �� McAfee NetShield �� WebShield �� �
� �����. � ��� ��� � �� �� ���� ��� �����.
3. McAfee Alert Manager� ��� ��� �� TME ��� � ���. �
��� Tivoli Enterprise Console �� ��� �����.
�: Unix ���� McAfee Alert ���� Risk Manager ��� ��� ��, Risk Manager�� ����� �� ��� ������.
. /etc/Tivoli/rma_eif_env.sh
Tivoli ����� �� � ��Risk Manager �� �� �� Windows ��� �� �� �� �� ���� ��,rmmac.fmt ���� �� �� �� ��� ���� ���� Windows ������ �
�� ���� �� McAfee �� ��� �� � ����. ��� Tivoli EnterpriseConsole �� ��� �����.
�� ��� ���� Tivoli ���� McAfee Alert ���� ��� ��� ����
�.
1. 44 ��� �Risk Manager � TME �� �� �� ���� ��� �� Risk Manager�� �� �� TME �� �� �� �������. Tivoli Windows ��� �
� ��� ���� ��, rmmac.fmt �� ��� tecad_win.fmt ��� � ���
������.
2. Tivoli Adapter Configuration Facility(ACF)� ���� ��, �, CDS � �� ��
Tivoli ������ ��� ������. 46 ��� �ACF� ��� Risk Manager �
� � � ���� �����.
� Tivoli �� �� � ��Tivoli Management Region(TMR)� ������ ���� �� �� ������ � Tivoli��� McAfee Alert Manager� ��� ��� � � �� � ����. 37 ���
�Native �� ��� Risk Manager ��� �� � Tivoli Enterprise Console ��
��� �����.
Windows 2000�� McAfee Alert Manager� �� �� ����Windows 2000 ����� ��� ��, McAfee Alert Manager � 4.5� � ����
� �� ���� �� �� �� ���� ��� ��� �� Windows ��� ��
� �����. �����, Windows ��� �� ��� �� Windows ��� �����
���� �����. ��� � ���� ��� �� ���� ���� �� ��� � �
� �� ���� Risk Manager ���� TEC � � �����. ��� �� ����,Windows ��� �� ��� ������, � � ��� ��� ��� ������
�����. �� �� �� ��� ������.
¶ tecad_win.conf �� � ��� ��� �� �� ���� ������.
WINEVENTLOGS=ApplicationLog, SecurityLog, SystemLog
¶ ���� ��� �� ��� � �� � -L ������.
tecad_win.exe -L ApplicationLog SecurityLog SystemLog
�� �, DNS � �� �� �� � ��� �� �� Windows ��� �� ���
� ����� � ��, Risk Manager� ���� �� ��� �� ��� ���
� ����. �� ��� �� �� ��� �� ��� ��� Tivoli Enterprise Console�� ��� �����.
Norton AntiVirus� ���
� ��� �� ��� �����.
¶ �Norton AntiVirus� �� ���
¶ 193 ��� �Norton AntiVirus� Risk Manager �� � � ��
Norton AntiVirus� ��� ��Risk Manager� Norton AntiVirus �� ��� ��� �� TEC ���� ����� NortonAntiVirus� ��� �����.
�� ��Symantec Norton AntiVirus™ Corporate Edition 7.0 �� 7.5 ��� ��� �� �� ��
� ��� �� ActiveX � � �� ��!���� ��� ���� ��� ���� �
� �����. ��� ����� ��� ���� ������ ��� ��� ����
�.
Norton AntiVirus ���� Symantec � ����� ����� ����.
http://service1/symantec.com/SUPPORT/nav.nsf/
Norton AntiVirus Corporate Edition Event ID� � ��� ������.
16. Norton AntiVirus �� ��
��� ��
Norton AntiVirus� Risk Manager ���� TEC Windows ��� �� �� � TEC�� �� ��� ����.
�� �� ����� �����.
¶ Windows NT
¶ Windows 2000
TEC Windows ��� �� ��� Windows ������ ��� ��� �� NortonAntiVirus ���� ��� ���� �����. Norton AntiVirus� ����� ���� �
�� ���� ��� ��� �����.
�� 23. Norton AntiVirus� ���� ��� �
Risk Manager �� �� �� rmnav.fmt� �� �����.
¶ ��� ���� ��� Norton AntiVirus �� �� �����.
¶ � ��� TEC ��� ��� �������.
¶ ��� ��� TEC � �� ���� ���� ������.
� ��� Norton AntiVirus � �� ����� TEC �� �� ����.
Risk Manager�� Norton AntiVirus ��� ���� � ���� �� ��� ���
� ���� BAROC ��� rmvirus.baroc� �����. � ��� Risk Manager �
� �� ��� TEC ��� ��� �� �����.
��� ��� ���� ���� ��, ���� �� ���� ���� ��� ��� ��
���� �� �� Norton AntiVirus �� � �� ���� �� ��. ��� ����
� ������ ��� �� � �� ���� ���� ��� � ����.
Norton AntiVirus ���Risk Manager� Norton AntiVirus � 7.0 �� 7.5�� ���� ��� ��� ����
�. ��� ID ��� � ���� �� �� Norton AntiVirus ���� Risk Managerrmnav.fmt �� ��� � �����.
��� � ��� ��� �� ��
2 �� ���� ��� ������.
3 �� ���� ��� ������.
5 �� �� ��� �������.
6 �� �� �� � � ��� ������.
7 �� ���� ��� �������.
13 �� Norton AntiVirus ��� �
14 �� Norton AntiVirus ��� �
16 �� �� �� ���
21 �� ���� ��� ������.
TEC �� ��Tivoli ��� �� ��� Norton AntiVirus� � �� ���� �� ���� ���
��. Norton AntiVirus� ��� ��� ���� TEC ���� ����� �� ��� �
��� � � � ��.
�� ���� ���� riskmgr.baroc � sensor_abstract.baroc� �� RiskManager ��� ����� �����.
Norton AntiVirus� Risk Manager ��� �� � ��� ���� Norton AntiVirus� Risk Manager ��� ��� ��� ��� � ��
���.
�� �Norton AntiVirus� Risk Manager ��� ��� �� �� �� ������.
1. ����� ���� �� �� � � ��� ��� Tivoli Risk Manager ��� �
�� �����.
2. Norton AntiVirus� Risk Manager ��� ��� �� Symantec Norton AntiVirus�� �����. �� �� ���� ���� �����.
3. Norton AntiVirus� ��� ��� �� ���� ���� TME ��� ����
�. � ��� Tivoli Enterprise Console �� ��� �����.
�: Unix ���� Norton AntiVirus� Risk Manager ��� ��� ��, Risk Manager�� ����� �� ��� ������.
. /etc/Tivoli/rma_eif_env.sh
Tivoli ����� �� � ��Risk Manager �� �� �� Windows ��� �� �� �� �� ���� ��,Windows ������ ��� ���� �� Norton AntiVirus ���� �� � ���
�. rmnav.fmt �� ���� ���� �� �� �� ��� ��� �� �����
�. ��� Tivoli Enterprise Console �� ��� �����.
�� ��� ���� Tivoli ���� Norton AntiVirus� ��� ��� �����.
1. Risk Manager �� �� �� TME �� �� �� �������. ��� 44
��� �Risk Manager � TME �� �� �� ��� �����. Tivoli Windows��� �� ��� ���� ��, rmnav.fmt ��� �� ��� tecad_win.fmt �
� ������.
2. Tivoli Adapter Configuration Facility(ACF)� ���� �� �, CDS � �� ��
Tivoli ������ ��� ������. 46 ��� �ACF� ��� Risk Manager �
� � � ���� �����.
� Tivoli �� �� � ��Tivoli Management Region(TMR)� ������ ���� �� �� ������ � Tivoli��� Norton AntiVirus� ��� ��� � � �� � ����. 37 ��� �Native�� ��� Risk Manager ��� �� � Tivoli Enterprise Console �� ���
�����.
Windows 2000�� Norton AntiVirus� �� �� ����Windows 2000 ����� ��� ��, Norton AntiVirus � 7.5� � ���� � �
��� ��� � �� ���� �� �� �� ���� ��� ��� �� Windows��� ��� �����. �����, Windows ��� �� ��� �� Windows ���
����� ���� �����. ��� � ���� ��� �� ���� ���� �� �
�� � �� �� ���� Risk Manager ���� TEC � � �����.
��� �� ����, Windows ��� �� ��� ������, � � ��� ���
��� ������ �����. �� �� � ��� ������.
¶ tecad_win.conf �� � ��� ��� �� �� ���� ������.
WINEVENTLOGS=ApplicationLog, SecurityLog, SystemLog
¶ ���� ��� �� ��� � �� � -L ������.
tecad_win.exe -L ApplicationLog SecurityLog SystemLog
�� �, DNS � �� �� �� � ��� �� �� Windows ��� �� ���
� ����� � ��, Risk Manager� ���� �� ��� �� ��� ���
� ����. �� ��� �� �� ��� �� ��� ��� Tivoli Enterprise Console�� ��� �����.
Network IDS
� ��� ���� �� �� ��� ���. ���� �� �� ���(Network IDS)�
���� � �� �� �����. � � �� �� ��� �����.
¶ �Network IDS ���
¶ 198 ��� �Network IDS TEC �� ���
¶ 200 ��� ����� �� �� ��� � � ��
¶ 201 ��� �Risk Manager TEC ����
¶ 203 ��� �nids ��
¶ 205 ��� �Network IDS �� ���
Network IDS �� ��� 291 ��� �Network IDS �� ���� ���� ����.Network IDS ��� 222 ��� �Network Intrusion Detection System ���� ��
��.
Network IDS ��Network IDS� �� �� �� �� �� �� ���� �� �� ����� ����
��� �����. ���� ��� �� �� ����� � �� ���� Network IDS� ���� ������� ���� �� �����. Network IDS� UNIX ����� �
����.
Network IDS� �� ���� Tivoli Management Enterprise(TME) ��� � ��.TME� UNIX ���� Tivoli �� �� ��(syslogd)���. Network IDS �� ��
(nids.fmt)� �� �� ��� ��� �� TEC ���� ����� Tivoli �� ��
��� ����.
Network IDS� Tivoli �� �� �� �� ������ �����.
��� ���� Network IDS� ���� ����� ��� ���� ����� ���� �
�� ��� � ����. Network IDS� �� ���� ��� �� ����. � � ��
��� �� ���� ���� � �� ���� ���. �� ��� ���� � � �
��� ��� �� � �� �� �� ����� ��� ������ �����.
17. Network IDS
Network IDS TEC �� �Network IDS� ���� � ����� � � ��� ��� �� �(��) �
���. Network IDS� ��� ���� ��� ��� ��� ���. Tivoli �� ��
��� ��� � � ���� �����.
Risk Manager� �� ��� ���� �� �� ���� Network IDS ��� �� ��
��� Risk Manager ����� �� �� ���� �� ���� ��� �����.
Network IDS ��Network IDS��, �� ��� ���� �� �� ��� ����.
¶ ��� �� ��
¶ �� ��
¶ ���
�� 24. ���� �� �� ��� �
Network IDS� ��� ���� ��� � ID ��� �����. ID ��� CVE(CommonVulnerability Entry) ��� ��� ����. Network IDS� ���(�: � ��, ���,��� �)�� �� � ��� � ����� �� ��� ��� �� ���� �
����.
�� ��, Network IDS�� ��� � ��� ���� �� � �� ��� ���
�. � � ��� ��� ����� CVE �� � ��� �� �����. NetworkIDS� ��� � �� �� CVE� ���� �� ��� �� � ���� �����,
� ���� ��� � ����. ��� � �����, Network IDS� �� �
� ��� ��� ���� �� � ����.
���� ��, �� ��� ��� �� �� ��� ���� ��� �� � � �
����.
���� CVE ��� ��� Network IDS ��� �, Network IDS� �� ���� �
�� CVE � ID� �����. ��� � CVE ID� �� ��� ��� �� �����
� � ����.
http://csrc.nist.gov/icat
Network IDS� �� �� �� ��� �����. 0� � �� �� ���� �
��� ��� � �� �� �� ��.
� ��� �� ��� � ��� ����� ���� ����. �� ��� �� �
���.
� ��
CVE CVE ������ �� ��� ���
ALERT CVE� ���� �� � ��
DOS ��� ��� �� ��
SCAN �� �� �� �� ���� ��� �
CONFIG � �� � ��� ����� ��
AUTH �� ��� �� �� �� ��
BACKDOOR ��� ��� ����� �� ���
STEALTH ��� �� ��� ��� ���
Network IDS� � ��� �� ��� ����.
�� ��
�� �� ��� �� �� �� ����� �� � � � Network IDS�
��� � �� ��� � ����. ��� ����� �� � ��� ��� ��
��� ��� �� ��� �� �� ���. Network IDS� ��� ��
�� �� ���. � ��� � ����.
Network IDS� ids.msg ���� ��� �� �� ��� �� �� ��� �
� �� �����.
�� ��
�� � ���� Network IDS� ��� �� � ��� �� �� �� ��� �
���� �� � ����. Network IDS� ids.rules ���� ��� �� �
, �� ��� � �� ��� �����.
Risk Manager� Tivoli �� � ����� ids.rules �� ����� ����� � ��
��� �� ��� �� � ����. ��� 202 ��� ��� �� ��� ���
��.
��� �� � ��� �� � ��Network IDS �� � �� �� � �� ��� ���.
���� �� �� � �� ������� �� �� ��� ���� CD� �� �� �� �� � ���� ����. ��
� � � ��� �����.
¶ ��� �� �� �� 3.8
� ���� Network IDS� �����. �� �� Network IDS � Risk Manager �
� �� ��� � ��� ����.
v �� �� ��, ���� �� � � ��
v �� �� ��� ��� �� �� ��
v �� � ��
�: Network IDS BAROC(nids.baroc) ��� Tivoli � ���� ����.
� ���� Tivoli ��� ������ �����. � Tivoli ��� ��� ��, ���
� ��� �� � ���� ������.
� Tivoli ����� Risk Manager �� �� ��� Tivoli Risk Manager ��� ��
� �����.
�� ����� ��, ����� ���� �� �� �� � �� � ��� ��� Tivoli RiskManager ��� �� � �����.
nids.fmt �� ���� TME ��� ��� �� Network IDS ��� � ��
�.
Tivoli �� ��� �� ��� �� ���. � ��� Tivoli Enterprise Console �
� ��� �����.
Network IDS� ��� Tivoli ����� �� � Tivoli ��� �� � ����.
Network IDS ��Network IDS� ��� � �� �� ������.
�� ��Network IDS� ��� ���� ACF(Access Control Facility)� ���� �� � ��
��.
¶ ��� ��, ids.cfg � �� ������. �� ���� �� �� �� ����
� ACF� ������.
¶ ��� �� �� �� ��� �� ����, �� ��(ids.rules) ��� ����
��. ��� 202 ��� ��� �� ��� �����
¶ � ��� ��, Risk Manager�� ���� Tivoli Enterprise Console(TEC) ��
�� ���� Network IDS� �����. �Network IDS �� �� �����.
Risk Manager TEC ���Risk Manager� ��� ��� ������ Tasks for Enterprise Risk Management� ��
���. Risk Manager� �� TEC policy region� TEC Region� ��� ������ �
���.
Network IDS TEC ���Risk Manager� Network IDS� � � ���� � TEC� �����.
Network IDS ��� �Network IDS� ���� �� ������.
1. ���� ������ �� ���� ��� Network IDS� �� ���. �� �
��� ���, �� ��� ���� ����.
2. Tivoli ����� Tasks for Enterprise Risk Management�� TEC ��� ���
��� �����.
3. Start_NIDS_Adapter TEC ���� �����.
Network IDS ��� ��Network IDS� ����� �� ������.
1. Tivoli ����� Tasks for Enterprise Risk Management�� TEC ��� ���
��� �����.
2. Stop_NIDS_Adapter TEC ���� �����.
Network IDS ��Tivoli ���� � ���� �����.
nids �� ���� ���� Network IDS �Network IDS �� ���� �� � Network IDS� ���� ���� Inittab ��
� �� �����. � ����� �� �� rc �� �� ����� ��� NetworkIDS� ���� ����� ���.
cd /usr/opt/Tivoli/nids; ./nids -q -d
-q �� ��� ��� ��� �� �� ��� �����. �� ��� ���
��� ���� ���.
-d ����� ���� ���� �� � �����. ���� ���� ���, init��� Network IDS ����� ����� � ����� ���� ����� ��
����.
�� � ��Network IDS �� Network IDS� ���� ���� Inittab ��� � ����
�.
Network IDS� �� � ����, Inittab ���� ��� � �� ��(:) ����
� ��� ���� �����.
�� �� ��Risk Manager� ���� ���� Tivoli �� � ���� ���� Network IDS �� �
� ����� �����.
Tivoli ���� ���� �� �� ���� �� ������.
1. Tivoli �� � ����� ids.rules ��� �� �� �������.
http://www.tivoli.com/support/secure_download_bridge.html
2. �� ��� �� � ���� � ��� ���� ACF� ������.
� Tivoli ���� ���� �� �� ���� �� ������.
1. �� ���� �� ���� Network IDS �� ������.
stopnids
2. Tivoli �� � ����� ids.rules ��� �� �� �������.
http://www.tivoli.com/support/secure_download_bridge.html
3. �� ���� �� ���� Network IDS �� �� �����.
startnids
Network IDS �� � �� ��Network IDS� �� � �� ��� � �� �� ��� �� � ����.
¶ Syslog
¶ �� ��
¶ ��(����� �� �� ��)
�� ids.cfg � ���� ��� �� ��� ��� � ����. ids.cfg ���
�� �� ��� ����. ���� �� ��� ��� ���� ��� ���.
Network IDS� ids.cfg ��� ��� �����, �� nids -y �� ���� ���
���� syslog �� �� ���� nids -q ���� �� �� �� � ����.Risk Manager�� ��� ��, �� ��� syslog� �� Network IDS� /usr �� ��
� �� �� ��� ��� ��� ���� �����.
���� �� ��� syslog�� ��� ���.
��� � ����� ���� ����� ��� �� ���� � ����. ��, �� ISA � �
� PCMCIA �� ��� ������ �$��� ���� ����. tcpdump� �
��� �� ���� ��� �� ������ ��� � ���� ������� �� ��
��� ��� � � ����� ���� � ����.
IP �� ���� ���� Network IDS� �� �� ����(�, �� ���� �� ������ �
� �� ����)� ����� ��� � � ����. �� �� ����� ��, ���
����� ����� ��(��� ��) ����� ���� �� � �� ����� �
� ������ ���� Network IDS ��� ��� ��� Risk Manager� ���� �
�� �� ����.
Network IDS� �� ������ ����� ���, up ��� � ����� �
��� IP(Internet Protocol) ��� ���� ����.
IP �� �� ����� ifconfig up � ������. ����� up ��� � �
�, � ����� ����� �� IP �� ��� ��� �� ���� �� ���� �
���. Network IDS� down ����� ���� ����.
��� �� ��Network IDS� �� ���� IP �� ��� ��� �(�: host.company.com) RiskManager� ��� ��� ������ ���. ��� ��� �� Risk Manager� �� �
� �� ��� ����� �����. Network IDS� ��� ��� � �����
���, �� ���� ��� � gethostbyaddr( ) �� ���� � ���.DNS(Domain Name System) �� NIS(Network Information Services) ��� ��� �
� ���, ��� /etc/hosts ��� �� ���� � ����. ����� resolver manpage� �����.
nids ��Network IDS� ���� ���� �� �� �����, �� ��� nids � ��
����.
nids [-a]
[-c config_filename]
[-d]
[-f filename]
[-i interface]
[-m msgfile]
[-o outfile]
[-q]
[-y]
[-r sigfile ]
[-s char]
[-v value]
[-M size]
[-K]
[-P]
[-S num_packets]
[-R]
[-T]
[-V]
-a ��� �� �� ���� �� MAC(medium access control) ��� �
���. ���� OFF���. ����, Network IDS� �� � ��
IP(Internet Protocol) �� ��� �����. � ��� MAC(�� �� �
�) ��� �����.
-c config_filename�� � �� � ������. ���� ./ids.cfg���.
-d ����� ���� ���� �� � �����. ���� ���� ��
�, init ��� Network IDS ����� ����� � ����� ���� �
���� �� ����.
-f filename Network IDS� ����� ����� �$��� �� ���� ���� �
� �� ���. Network IDS� tcpdump �� ����, nids -o �� ��� � �� �� � � ����. �� , �� ��� � �
� �����.
-i interface ����� �� ����� ������. ���� � �� ��� �� �
������. Network IDS� ��� �� �� ���� ��� �
�� � ����. ���� �� ����� ���, �� Network IDS �
� ��� � ����(������ ���� ������ ���).
-m msgfile �� �� �� �� ������. �� �� ��� ./ids.msg���.ids.msg ��� �� �� ��� �� �� �� ��� �����.Network IDS� ids.rules ���� �� � ��� �� �� ���
�����, ids.rules �� ��� �� ����.
-o outfile �� �� �� �� � ������. ���� �� �� ���� ��
���. nids -f �� ���� �� �� ��� ��� ��� � ���
�.
-q �� ��� ��� ��� �� �� ��� �����. �� ��� �
�� ��� ���� ���.
-y ��� syslog� ��� syslog ��� �����. ���� ��� syslog� �
�� �� ���. ����� Risk Manager� ��� ��, ids.cfg ��
� ��� syslog� ����� �����. ids.cfg� �� �� ��
�� �����. ��� syslog� ��� �����, ids.cfg �� �
� ���.
-r sigfile �� �� � ������. �� ��� ids.rules �� ids.cfg��� �� �����. ��� �� �� � �� ���� �
� ��� �����.
-s char �� �� �� ��(�: \n \t \0x0a �)� �����. �� �� ��� \n���.
-v value �� ��� �����(>= value). ���� 0��, �� Network IDS� ��
� ��� �����. �� ����� ���� ��� ��, � ��� �
�� ��� ��� �� �� �� �� � ����.
-M size ����� �� �� �(MTU)� �����. ���� 1500 MTU���.
-K �� ���� ���� Network IDS� kill��� ��� ����.
-P �� ���� �����. ���� ��� ���� ���� ���. ��
��� ��� ���� ���� ��� ���� � �� ���� NetworkIDS� �����. �� � �� �� ��� Network IDS� ��� �� �
���. � ��, Network IDS� �� ���� �� ��� ����. ��
���� ����, Network IDS� �� ������ ��� ��� �� �
����.
-S num_packets�� � ���� ��� ����. ���� �� ��� �� �� ��
�.
-R Network IDS �� ����� �� �����. Network IDS ����� �
��� �� �� ��, nids -R � �� ���� Network IDS �� �
���� �� ��� � �� nids �� ����.
-T ���� �� ��� �� ���� �� ��� �� ��� �� ��
��� �� ������. ���� Network IDS� ����� ���
� ���� �����. �� ���� ��� ��� ��� � � ���
�. ���� � �� ���� ��� �� ��� � ����.
-V Network IDS � � �� ��� ��� � ������.
Network IDS �� ��Network IDS� ID ��� ���� ��� ���� ����. � ��� CVE(CommonVulnerability Entry) ��� ��� ����. Network IDS� ���(�: � ��, ���,��� �)�� �� � ��� � ����� �� ��� � ��� �� ���
� �����. ���� CVE ��� ��� ��� Network IDS ��� �, NetworkIDS� �� ���� � �� CVE � ID� �����.
��� � CVE ID� �� ��� ��� �� ����� � � ����.
http://csrc.nist.gov/icat/vulnerabilities/CVE_IDnumber
Network IDS� �� �� �� ��� �����. 0� � �� �� ���� �,��� ��� � �� �� �� ��.
Network IDS� �� �� �� � �� � ��� � �� �� ��� ����.
�� � ���� �� ��� �� �� �� ����� �� � � � ���� �� ��� �
����. ��� ����� �� � ��� ��� �� ��� ��� �� ��� �
� �� ���. ���� ��� � ����.
Network IDS� ids.msg ���� ��� �� �� ��� �� �� ��� �� ��
�����.
�� �� �� ��� �� ��� 291 ��� �Network IDS �� �� ���� ���
��.
�� �� ���� � ����, Network IDS� ��� �� � ��� �� �� �� ��� ����
� �� � ����. Network IDS� ids.rules ���� ��� �� �, �� �
�� � �� ��� �����.
�� � �� ��� �� ��� 293 ��� ��� � ���� �����.
Tivoli Decision Support
� ��� �� ��� �����.
¶ Tivoli Decision Support for Enterprise Risk Management ��
¶ � � � ��
¶ ��� � �� �� ��
Tivoli Decision Support for Enterprise Risk Management ��Risk Manager� Tivoli Decision Support for Enterprise Risk Management ����
TEM(Tivoli Event Consol)� �� Risk Manager ���� �� �� �� � ��� ��
���.
Tivoli Decision Support for Enterprise Risk Management� ���� �� ��� � ��
��.
¶ ��� ������� � ��� ��� ��� ���
¶ �� � ��� ��, �"�, �� ��, ��� ��, ��� ��� �� ��� ��
¶ ��� ��� ���� �� � �� ��
Tivoli Decision Support for Enterprise Risk Management� �� ���� ����.
��� �� � �� ��� ���� ���� �����. �� �� Tivoli Decision Support�� �� �����.
18. Tivoli Decision Support
Tivoli Decision Support for Enterprise Risk Management� ��� ���� ���. �
� ��� �� �� ��� �Tivoli Decision Support for Enterprise Risk Management �
��� �����. ‘Tivoli Decision Support for Enterprise Risk Management Release Notes’� �� ��� � ���.
¶ Tivoli Decision Support for Enterprise Risk Management ��
¶ � ��� � � �� �� �� � ��
¶ TEC ������ ����� ���� ���� �� �� ��
¶ �� � �� � �� �� ��
¶ ��� ����� ��, ���� � �� ��
¶ ��, ��, �� ���� ��� ��, Enterprise Risk Management ���� , TivoliDecision Support �� ����� �� ����
Tivoli Decision Support for Enterprise Risk Management ��Risk Manager CD� Tivoli Decision Support for Enterprise Risk Management� TivoliDecision Support for Enterprise Risk Management� � ���.
Tivoli Decision Support � 2.1.1� �� ��� ��� �� ��� �����.
¶ Tivoli Decision Support Installation Guide, GC32-0438
¶ Tivoli Decision Support Administrator Guide, GC32-0437
¶ Tivoli Decision Support User’s Guide, GC32-0436
�� 25. Tivoli Decision Support �� � ��
Tivoli Decison Support ����� ��, Tivoli Decision Support for Enterprise Risk Management� ���� ���
�� ��� � Risk Manager� �� �� ��� ��� Tivoli Risk Manager ��� �
�� �����.
Tivoli Decision Support for Enterprise Risk Management� ���� �� ������.
1. CD-ROM ����� Tivoli Risk Manager CD� ������.
2. Tivoli Decision Support � ���� ���� �� �� ����.
cd x:\tds_guide
x:� CD-ROM �������.
3. Windows InstallShield ���� ����� �� ������.
setup
4. InstallShield ���� ��� �� �� �����.
Tivoli Decision Support for Enterprise Risk Management ���� ���� ��� � ��� � ��� ��� Tivoli Decision Support forEnterprise Risk Management� �����.
¶ ODBC(Open Database Connectivity) ��� �� �� � � ODBC ��� � �
�
¶ TEC ��� ������� ���� , �� � ��� � ��� �Risk Manager TEC������� ���� , �� � ��� �� �����.
¶ �� �� �� �� �
¶ Enterprise Risk Management �� � � �
¶ ��� �� �� � ��
¶ TEC ���� ��� ��� ���� ���. ��� � ��� 102 ��� ��
��� ������ �� TEC ����� �����.
Risk Manager TEC �������� ���� �, �� � ��� ������ , �� � ���� ��� ��, ����� ��� ����� �� ��� �
� �����. �� , �� SQL ��� ��� Oracle, DB2 � Sybase� ����
, �� � ���� �����.
1. SQL �� �� �����. � ��� TDS_Share\Util\Tivoli Decision Support forEnterprise Risk Management� ����. (TDS_Share� Tivoli Discovery Administrator���� ���� ��� �� ��� �� ��� �� ��.) � ���� Risk ManagerUNIX � ���� $BINDIR/RISKMGR/corr/sql �� � �� Risk Manager Windows� ���� %BINDIR%\RISKMGR\corr\sql �� �� ����.
2. TEC ������ ���� ����� SQL �� �� ������.
�: ��� ��, �� �� ���� �� TEC ���� ������.
3. Oracle� ��, �� ������.
sqlplus userid/password @ service_name @ tds_rm_tec_t_arc.ora.sql
sqlplus userid/password @ service_name @ tds_rm_tec_v_evt.ora.sql
sqlplus userid/password @ service_name @ tds_rm_upd_trigger.ora.sql
userid ����� ��� ID� �� ��. ���� tec���.
password����� ��� �� �� ��. ���� tectec���.
service_nameOracle ����� � ����(″Net8 Assistant″, ″Net8 Configuration Assistant″�� ″Net8 Easy Configuration″)� �� Oracle ������ �� ��� �
�� ������ %ORACLE_HOME%\NETWORK\ADMIN\TNSNAMES.ORA ���� �
�� ���� � ���� � �� ��.
DB2� ��, �� ������.
db2 connect to tec user userid using password
db2 -t -f tds_rm_tec_t_arc.DB2.sql
db2 -t -f tds_rm_tec_v_evt.DB2.sql
db2 -t -f tds_rm_upd_trigger.DB2.sql
userid ����� ��� ID� �� ��. UNIX� �� ���� db2inst1���.Windows NT� �� ���� db2admin���.
password����� ��� �� �� ��.
Sybase� ��, �� ������.
isql -Uuserid -Ppassword -Dtec -Sserver -c/ -i tds_rm_t_arc.syb.sql
isql -Uuserid -Ppassword -Dtec -Sserver -c/ -i tds_rm_v_evt.syb.sql
isql -Uuserid -Ppassword -Dtec -Sserver -c/ -i tds_rm_upd_trigger.syb.sql
userid ����� ��� ID� �� ��. ���� tec���.
password����� ��� �� �� ��. ���� tectec���.
server DSEDIT ����� � ����� � �� Sybase ������ �� �
� �� ������� Sybase ���� ��� %SYBASE%\INI\SQL.INI�� � �� ���� � ���� � �� ��.
�: ����� �, ��� ID � �� ��� ��� � ��� �����. �� �
�� ��� ��� ����� ������.
Tivoli Decision Support for Enterprise Risk Management� �����
�� ���� ��� ��� Decision Support for Enterprise Risk Management ���
�����.
¶ Enterprise Risk Management �� ��
¶ ��� ��
¶ ��� ��� ��
¶ �� �
¶ �� ��
Risk Manager ���
� ���� Risk Manager�� �� � �� ���� ���� ����. ��� ���
��� HRMAAnnnnS ���� �� ����.
HRM Risk Manager ��� �����.
AA ��� ���� Risk Manager ���� �����.
CI Cisco Secure IDS
NI Network Intrusion Detection System(Network IDS)
nnnn �� �� ��� �����.
S �� �� �����.
��� �� ��� ���� ���� ������ �� ����.
Risk Manager �� � ����� �� ��� �� Risk Manager �� �� ��� �� �� ����.
Error processing configuration file riskmgr_hosts.pro.
���: Minor
��:
¶ rm_ErrFile = ‘riskmgr_hosts.pro’
¶ rm_ErrLine = ‘unknown’
¶ rm_ErrMethod = set_host( )
The set_host predicate in the riskmgr_hosts.pro file is not valid.
��� �: The host fact is not included in the Risk Manager correlation processing.
��� �: Fix the statement in the riskmgr_hosts.pro file. Then use the rmcorr.cfg --reconfig command
to restart your Event Server with your corrections.
Error processing configuration file riskmgr_host.pro.
���: Minor
��:
¶ rm_ErrFile = ‘riskmgr_hosts.pro’
¶ rm_ErrLine = ‘unknown’
¶ rm_ErrMethod = set_trusted_host( )
A. Risk Manager �� �
The set_trusted_host predicate in the riskmgr_host.pro file is not valid.
��� �: The fact is not included in the Risk Manager correlation processing.
��� �: Fix the statement in the riskmgr_host.pro file. Then use the rmcorr.cfg --reconfig command
to restart your Event Server with your corrections.
Error processing configuration file riskmgr_host.pro.
���: Minor
��:
¶ rm_ErrFile = ‘riskmgr_hosts.pro’
¶ rm_ErrLine = ‘unknown’
¶ rm_ErrMethod = set_sensor( )
The set_sensor predicate in the riskmgr_host.pro file is not valid.
��� �: The fact is not included in the Risk Manager correlation processing.
��� �: Fix the statement in the riskmgr_host.pro file. Then use the rmcorr.cfg --reconfig command to
restart your Event Server with your corrections.
Error processing configuration file riskmgr_host.pro.
���: Minor
��:
¶ rm_ErrFile = ‘riskmgr_hosts.pro’
¶ rm_ErrLine = ‘unknown’
¶ rm_ErrMethod = downgrade_sensor_creation( )
The set_downgrade_sensor_creation predicate in the riskmgr_host.pro file is not valid.
��� �: The fact is not included in the Risk Manager correlation processing.
��� �: Fix the statement in the riskmgr_host.pro file. Then use the rmcorr.cfg --reconfig command
to restart your Event Server with your corrections.
Error processing configuration file riskmgr_host.pro.
���: Minor
��:
¶ rm_ErrFile = ‘riskmgr_hosts.pro’
¶ rm_ErrLine = ‘unknown’
¶ rm_ErrMethod = ignore_sensor_creation( )
The set_ignore_sensor_creation predicate in the riskmgr_host.pro file is not valid.
��� �: The fact is not included in the Risk Manager correlation processing.
��� �: Fix the statement in the riskmgr_host.pro file. Then use the rmcorr.cfg --reconfig command
to restart your Event Server with your corrections.
Error processing configuration file riskmgr_parameters.pro.
���: Minor
��:
¶ rm_ErrFile = ‘riskmgr_hosts.pro’
¶ rm_ErrLine = ‘unknown’
¶ rm_ErrMethod = set_forward_tec( )
The set_forward_tec predicate in the riskmgr_parameters.pro file is not valid.
��� �: The fact is not included in the Risk Manager correlation processing.
��� �: Fix the statement in the riskmgr_parameters.pro file. Then use the rmcorr.cfg --reconfig command
to restart your Event Server with your corrections.
Error processing configuration file riskmgr_thresholds.pro.
���: Minor
��:
¶ rm_ErrFile = ‘riskmgr_thresholds.pro’
¶ rm_ErrLine = ‘unknown’
¶ rm_ErrMethod = set_threshold( )
The set_threshold predicate in the riskmgr_thresholds.pro file is not valid.
��� �: The fact setting is not included in the Risk Manager correlation processing. Risk Manager correlation
might be adversely affected.
��� �: Fix the statement in the riskmgr_thresholds.pro file. Then use the rmcorr.cfg --reconfig
command to restart your Event Server with your corrections.
Error processing configuration file riskmgr_parameters.pro.
���: Minor
��:
¶ rm_ErrFile = ‘riskmgr_parameters.pro’
¶ rm_ErrLine = ‘unknown’
¶ rm_ErrMethod = set_timestamp_jitter( )
The set_timestamp_jitter predicate in the riskmgr_parameters.pro file is not valid.
��� �: The fact is not included in the Risk Manager correlation processing. The default is used.
��� �: Fix the statement in the riskmgr_parameters.pro file. Then use the rmcorr.cfg --reconfig
command to restart your Event Server with your corrections.
Error processing configuration file riskmgr_parameters.pro.
���: Minor
��:
¶ rm_ErrFile = ‘riskmgr_parameters.pro’
¶ rm_ErrLine = ‘unknown’
¶ rm_ErrMethod = set_situation_expiration( )
The set_situation_expiration predicate in the riskmgr_parameters.pro file is not valid
215Risk Manager ��� ���
A.
Risk
Man
ager
��
�
��� �: The fact is not included in the Risk Manager correlation processing.
��� �: Fix the statement in the riskmgr_parameters.pro file. Then use the rmcorr.cfg --reconfig
command to restart your Event Server with your corrections.
Error processing configuration file riskmgr_parameters.pro.
���: Minor
��:
¶ rm_ErrFile = ‘riskmgr_thresholds.pro’
¶ rm_ErrLine = ‘unknown’
¶ rm_ErrMethod = set_situation_cleanup_interval( )
The set_situation_cleanup_interval predicate in the riskmgr_parameters.pro file is not valid
��� �: The fact is not included in the Risk Manager correlation processing.
��� �: Fix the statement in the riskmgr_parameters.pro file. Then use the rmcorr.cfg -reconfig command
to restart your Event Server with your corrections.
Error processing configuration file riskmgr_parameters.pro.
���: Minor
��:
¶ rm_ErrFile = ‘riskmgr_thresholds.pro’
¶ rm_ErrLine = ‘unknown’
¶ rm_ErrMethod = set_interface_refresh( )
The set_interface_refresh predicate in the riskmgr_parameters.pro file is not valid
��� �: The fact is not included in the Risk Manager correlation processing.
��� �: Fix the statement in the riskmgr_parameters.pro file. Then use the rmcorr.cfg -reconfig command
to restart your Event Server with your corrections.
Error processing configuration file riskmgr_parameters.pro.
���: Minor
��:
¶ rm_ErrFile = ‘riskmgr_thresholds.pro’
¶ rm_ErrLine = ‘unknown’
¶ rm_ErrMethod = set_forward_interval( )
The set_forward_interval predicate in the riskmgr_parameters.pro file is not valid
��� �: The fact is not included in the Risk Manager correlation processing.
��� �: Fix the statement in the riskmgr_parameters.pro file. Then use the rmcorr.cfg -reconfig command
to restart your Event Server with your corrections.
216 �� 3 ��� 8
Error processing configuration file riskmgr_parameters.pro.
���: Minor
��:
¶ rm_ErrFile = ‘riskmgr_thresholds.pro’
¶ rm_ErrLine = ‘unknown’
¶ rm_ErrMethod = set_decay_value( )
The set_decay_value predicate in the riskmgr_parameters.pro file is not valid
��� �: The fact is not included in the Risk Manager correlation processing.
��� �: Fix the statement in the riskmgr_parameters.pro file. Then use the rmcorr.cfg -reconfig command
to restart your Event Server with your corrections.
Error processing configuration file riskmgr_parameters.pro.
���: Minor
��:
¶ rm_ErrFile = ‘riskmgr_thresholds.pro’
¶ rm_ErrLine = ‘unknown’
¶ rm_ErrMethod = set_ratio_down( )
The set_ratio_down predicate in the riskmgr_parameters.pro file is not valid.
��� �: The fact is not included in the Risk Manager correlation processing.
��� �: Fix the statement in the riskmgr_parameters.pro file. Then use the rmcorr.cfg -reconfig command
to restart your Event Server with your corrections.
Error processing configuration file riskmgr_parameters.pro.
���: Minor
��:
¶ rm_ErrFile = ‘riskmgr_thresholds.pro’
¶ rm_ErrLine = ‘unknown’
¶ rm_ErrMethod = set_ratio_up( )
The set_ratio_up predicate in the riskmgr_parameters.pro file is not valid
��� �: The fact is not included in the Risk Manager correlation processing.
��� �: Fix the statement in the riskmgr_parameters.pro file. Then use the rmcorr.cfg -reconfig command
to restart your Event Server with your corrections.
Error processing configuration file riskmgr_parameters.pro.
���: Minor
��:
¶ rm_ErrFile = ‘riskmgr_thresholds.pro’
¶ rm_ErrLine = ‘unknown’
¶ rm_ErrMethod = set_storm_events( )
The set_storm_events predicate in the riskmgr_parameters.pro file is not valid
��� �: The fact is not included in the Risk Manager correlation processing.
217Risk Manager ��� ���
A.
Risk
Man
ager
��
�
��� �: Fix the statement in the riskmgr_parameters.pro file. Then use the rmcorr.cfg -reconfig command
to restart your Event Server with your corrections.
Error processing configuration file riskmgr_parameters.pro.
���: Minor
��:
¶ rm_ErrFile = ‘riskmgr_thresholds.pro’
¶ rm_ErrLine = ‘unknown’
¶ rm_ErrMethod = set_linked_events( )
The set_linked_events predicate in the riskmgr_parameters.pro file is not valid
��� �: The fact is not included in the Risk Manager correlation processing.
��� �: Fix the statement in the riskmgr_parameters.pro file. Then use the rmcorr.cfg -reconfig command
to restart your Event Server with your corrections.
Error processing configuration file riskmgr_parameters.pro.
���: Minor
��:
¶ rm_ErrFile = ‘riskmgr_thresholds.pro’
¶ rm_ErrLine = ‘unknown’
¶ rm_ErrMethod = set_duplicate_events( )
The set_duplicate_events predicate in the riskmgr_parameters.pro file is not valid
��� �: The fact is not included in the Risk Manager correlation processing.
��� �: Fix the statement in the riskmgr_parameters.pro file. Then use the rmcorr.cfg -reconfig command
to restart your Event Server with your corrections.
Error processing configuration file riskmgr_parameters.pro.
���: Minor
��:
¶ rm_ErrFile = ‘riskmgr_thresholds.pro’
¶ rm_ErrLine = ‘unknown’
¶ rm_ErrMethod = set_duplicate_events( )
The set_duplicate_events predicate in the riskmgr_parameters.pro file is not valid
��� �: The fact is not included in the Risk Manager correlation processing.
��� �: Fix the statement in the riskmgr_parameters.pro file. Then use the rmcorr.cfg -reconfig command
to restart your Event Server with your corrections.
218 �� 3 ��� 8
Error processing configuration file riskmgr_categories.pro.
���: Minor
��:
¶ rm_ErrFile = ‘riskmgr_categories.pro’
¶ rm_ErrLine = ‘unknown’
¶ rm_ErrMethod = set_category_name( )
The set_category_name predicate in the configuration file is not valid.
��� �: The fact is not included in the Risk Manager correlation processing.
��� �: Fix the statement in the configuration file. Then use the rmcorr.cfg -reconfig command to restart
your Event Server with your corrections.
Error processing configuration file riskmgr_categories.pro.
���: Minor
��:
¶ rm_ErrFile = ‘riskmgr_categories.pro’
¶ rm_ErrLine = ‘unknown’
¶ rm_ErrMethod = category_assign( )
The category_assign predicate in the configuration file is not valid.
��� �: The fact is not included in the Risk Manager correlation processing.
��� �: Fix the statement in the configuration file. Then use the rmcorr.cfg -reconfig command to restart
your Event Server with your corrections.
Error processing configuration file riskmgr_categories.pro.
���: Minor
��:
¶ rm_ErrFile = ‘riskmgr_categories.pro’
¶ rm_ErrLine = ‘unknown’
¶ rm_ErrMethod = category_assign_super( )
The category_assign_super predicate in the configuration file is not valid.
��� �: The fact is not included in the Risk Manager correlation processing.
��� �: Fix the statement in the configuration file. Then use the rmcorr.cfg -reconfig command to restart
your Event Server with your corrections.
Error processing configuration file riskmgr_categories.pro.
���: Minor
��:
¶ rm_ErrFile = ‘riskmgr_categories.pro’
¶ rm_ErrLine = ‘unknown’
¶ rm_ErrMethod = attribute_map ( )
The attribute_map predicate in the configuration file is not valid.
��� �: The fact is not included in the Risk Manager correlation processing.
219Risk Manager ��� ���
A.
Risk
Man
ager
��
�
��� �: Fix the statement in the configuration file. Then use the rmcorr.cfg -reconfig command to restart
your Event Server with your corrections.
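Every one of the configuration messages above reports rm_ErrLine = 'unknown', so finding the malformed statement is left to the administrator, and a silently dropped fact (a missing threshold, an unmapped category) weakens correlation without any further warning. The following Python script is an added example, not IBM code or part of this guide: it collects the rm_ErrFile / rm_ErrMethod pairs out of a log excerpt and then scans the named .pro file for statements of that predicate that are not well-formed Prolog facts (unbalanced parentheses or no terminating period). The log excerpt and the riskmgr_thresholds.pro contents are constructed; the assumptions that each fact occupies one line and that the predicate arguments look as shown are illustrative, not taken from the product.

```python
"""Triage 'Error processing configuration file' messages from Risk Manager.

Added example, not part of the Tivoli documentation. Assumptions: the
rm_ErrFile / rm_ErrMethod details are written one per line as shown in
the message reference, and each riskmgr_*.pro file holds one Prolog fact
per line of the form  predicate(arg, ...).  with '%' comments.
"""
import re
from collections import defaultdict

# Constructed log excerpt in the layout the message reference describes.
SAMPLE_LOG = """\
Error processing configuration file riskmgr_thresholds.pro.
rm_ErrFile = 'riskmgr_thresholds.pro'
rm_ErrLine = 'unknown'
rm_ErrMethod = set_threshold( )
Error processing configuration file riskmgr_parameters.pro.
rm_ErrFile = 'riskmgr_parameters.pro'
rm_ErrLine = 'unknown'
rm_ErrMethod = set_timestamp_jitter( )
"""

# Constructed riskmgr_thresholds.pro with one malformed fact (line 3 is
# missing its closing parenthesis). Argument values are illustrative only.
SAMPLE_PRO = """\
% thresholds (constructed example, not the shipped file)
set_threshold(portscan, 5).
set_threshold(login_failure, 3.
set_threshold(worm, 10).
"""

# Straight or typographic quotes, in case the log was pasted from a document.
FILE_RE = re.compile(r"rm_ErrFile\s*=\s*['\u2018]([^'\u2019]+)['\u2019]")
METHOD_RE = re.compile(r"rm_ErrMethod\s*=\s*(\w+)\s*\(")


def failing_predicates(log_text):
    """Return {config file: [predicate, ...]} for every reported failure."""
    found = defaultdict(set)
    current_file = None
    for line in log_text.splitlines():
        m = FILE_RE.search(line)
        if m:
            current_file = m.group(1)
            continue
        m = METHOD_RE.search(line)
        if m and current_file:
            found[current_file].add(m.group(1))
    return {f: sorted(preds) for f, preds in found.items()}


def suspect_statements(pro_text, predicate):
    """Return (line number, text) of statements of `predicate` that are not
    well-formed facts: parentheses must balance and the statement must end
    in ')' followed by '.'. This is the search rm_ErrLine = 'unknown' leaves
    to the administrator."""
    suspects = []
    for number, raw in enumerate(pro_text.splitlines(), 1):
        line = raw.split("%", 1)[0].strip()      # drop Prolog comments
        if not line.startswith(predicate + "("):
            continue
        balanced = line.count("(") == line.count(")")
        if not (balanced and line.endswith(").")):
            suspects.append((number, line))
    return suspects


def triage(log_text, pro_files):
    """pro_files maps file name -> contents. Returns, per file and failing
    predicate, the suspect statements (or a note that the file was not given)."""
    report = {}
    for fname, preds in failing_predicates(log_text).items():
        text = pro_files.get(fname)
        if text is None:
            report[fname] = {p: "file not available" for p in preds}
        else:
            report[fname] = {p: suspect_statements(text, p) for p in preds}
    return report


if __name__ == "__main__":
    result = triage(SAMPLE_LOG, {"riskmgr_thresholds.pro": SAMPLE_PRO})
    for fname, entries in result.items():
        print(fname, entries)
```

Run it against the Event Server log and the directory that holds the riskmgr_*.pro files before issuing rmcorr.cfg -reconfig; a predicate that is reported but yields no suspect line usually means the fact is syntactically valid but uses an argument the rule base does not accept, which this check cannot see.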
Prolog files not loaded. Check that *.wic files exist.
Severity: Fatal
Explanation:
    rm_ErrFile = 'boot.rls'
    rm_ErrLine = nnnn
    rm_ErrMethod = Rule start_RM_boot
The Risk Manager rules did not load successfully.
System action: Risk Manager correlation fails.
User response: Check your Risk Manager server to ensure that it is installed correctly.

Unexpected fallback to date_reception as a timestamp for class class_name.
Severity: Fatal
Explanation:
    rm_ErrFile = 'normalization.rls'
    rm_ErrMethod = Rule process_timestamp
    Timestamp: value
    TimestampFmt: value
    hostname = hostname
    Sensor type: type
    Sensor token: host_token
    IPaddr: ipaddr
The event from the sensor identified in the hostname attribute carries a timestamp that cannot be parsed.
System action: The current time is assigned to the event for Risk Manager correlation purposes, so the event is correlated at the time it was received rather than at the time the sensor observed it.
User response: Check the adapter.

Invalid sensor information for class class_name.
Severity: Fatal
Explanation:
    rm_ErrFile = 'normalization.rls'
    rm_ErrMethod = Rule process_sensor_info
    hostname = hostname
    Sensor type: type
    Sensor token: host_token
    IPaddr: ipaddr
The event originated from a sensor that Risk Manager correlation is not able to process.
System action: This error message is generated. The event is not included in correlation processing.
User response: Check the adapter.

Failed to process class categories for event of class class_name.
Severity: Fatal
Explanation:
    rm_ErrFile = 'normalization.rls'
    rm_ErrMethod = Rule process_class_categories
    hostname = hostname
    Sensor type: type
    Sensor token: host_token
    IPaddr: ipaddr
The event received cannot be processed as part of the Risk Manager correlation.
System action: This error message is generated. The causing event is not included in correlation processing.
User response: Check the Risk Manager configuration files.

Error processing RM_SensorEvent of class: class_name.
Severity: Fatal
Explanation:
    rm_ErrFile = 'normalization.rls'
    rm_ErrMethod = Rule process__ids_srcdst
    hostname = hostname
    Sensor type: type
    Sensor token: host_token
    IPaddr: ipaddr
The event received does not have sufficient information to be included in Risk Manager correlation.
System action: This error message is generated. The causing event is not included in correlation processing.
User response: Check the Risk Manager configuration files.

Error processing raw event for class: class_name.
Severity: Fatal
Explanation:
    rm_ErrFile = 'sensorevent.rls'
    rm_ErrMethod = Rule process__raw_events
    hostname = hostname
    Sensor type: type
    Sensor token: host_token
The event failed to be processed as part of Risk Manager correlation.
System action: The causing event is not included in correlation processing.
User response: Follow your local procedures for support.

Error processing exchange event. Sensor type: host_name IPaddr.
Severity: Fatal
Explanation:
    rm_ErrFile = 'sensorevent.rls'
    rm_ErrMethod = Rule process_external_situation
    hostname = hostname
    Sensor type: type
    Sensor token: host_token
The exchange event from another TEC or Risk Manager server failed to be processed correctly.
System action: The exchange information is not included in the TEC or Risk Manager server correlation.
User response: Follow your local procedures for support.
Network Intrusion Detection System messages

The following messages are issued by the Network Intrusion Detection System (NIDS) component of Risk Manager.

HRMNI10002E Socket to remote host could not be established: hostname
Explanation: Error occurred while attempting to establish a socket to a remote host for the purpose of logging alerts.
User response: Try to ping the subject host.

HRMNI10003E Unable to connect to the remote host. Error number: error number
Explanation: Error occurred while attempting to connect to a remote host for the purpose of logging alerts.
User response: Check the route to the host. See the documentation for your operating system for more information on the connect error code. Try to ping the subject host.

HRMNI10004E Unable to send data to remote host: hostname
Explanation: Error occurred while attempting to send data to a remote host for the purpose of logging alerts.
User response: Check the route to the host. Try to ping the subject host.

HRMNI10006E File - file name, Line - line number, Signature - signature text: BEGIN not found.
Explanation: Missing beginning time definitions in the NIDS configuration startup file ids.cfg.
System action: NIDS failed to initialize. Program stopped.
User response: Try re-installing the NIDS product to correct the problem.

HRMNI10007E File - file name, Line - line number, Signature - signature text: END not found.
Explanation: Missing ending time definitions in the NIDS configuration startup file ids.cfg.
System action: NIDS failed to initialize. Program stopped.
User response: Try re-installing the NIDS product to correct the problem.

HRMNI10009E Separator has not been specified.
Explanation: The system separator has not been set or has not been detected.
System action: NIDS failed to initialize. Program stopped.
User response: Set the system default separator on the command line or in the NIDS configuration startup file ids.cfg.

HRMNI10011E Log file has not been specified.
Explanation: No file has been specified as the default log file for NIDS alerts.
System action: NIDS failed to initialize. Program stopped.
User response: Set the system default log file on the command line or in the NIDS configuration startup file ids.cfg.

HRMNI10012E Host address address is not valid.
Explanation: An incorrect setting for host address has been detected.
System action: NIDS failed to initialize. Program stopped.
User response: Verify the host address setting in the NIDS configuration startup file ids.cfg.

HRMNI10013E Host address has not been specified.
Explanation: No host address specification found.
System action: NIDS failed to initialize. Program stopped.
User response: Verify the host address setting in the NIDS configuration startup file ids.cfg.

HRMNI10014E NET address address is not valid.
Explanation: An incorrect setting for network address has been detected.
System action: NIDS failed to initialize. Program stopped.
User response: Verify the network address setting in the NIDS configuration startup file ids.cfg.

HRMNI10016E MASK address mask is not valid.
Explanation: An incorrect setting for network mask has been detected.
System action: NIDS failed to initialize. Program stopped.
User response: Verify the network mask setting in the NIDS configuration startup file ids.cfg.

HRMNI10017E MASK has not been specified.
Explanation: No network mask specification found.
System action: NIDS failed to initialize. Program stopped.
User response: Verify the network mask setting in the NIDS configuration startup file ids.cfg.

HRMNI10018E maxbyte_entropy value has not been specified.
Explanation: No maxbyte_entropy value has been found for the NOCRYPT signature directive.
System action: NIDS failed to initialize. Program stopped.
User response: Verify the MAXBYTE_ENTROPY setting in the NIDS configuration startup file ids.cfg.

HRMNI10019E minbyte_entropy value has not been specified.
Explanation: No minbyte_entropy value has been found for the CRYPT signature directive.
System action: NIDS failed to initialize. Program stopped.
User response: Verify the MINBYTE_ENTROPY setting in the NIDS configuration startup file ids.cfg.

HRMNI10020E maxbit_entropy value has not been specified.
Explanation: No maxbit_entropy value has been found for the NOCRYPT signature directive.
System action: NIDS failed to initialize. Program stopped.
User response: Verify the MAXBIT_ENTROPY setting in the NIDS configuration startup file ids.cfg.

HRMNI10021E minbit_entropy value has not been specified.
Explanation: No minbit_entropy value has been found for the CRYPT signature directive.
System action: NIDS failed to initialize. Program stopped.
User response: Verify the MINBIT_ENTROPY setting in the NIDS configuration startup file ids.cfg.
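Messages HRMNI10012E through HRMNI10021E are all startup failures caused by an address, mask or entropy setting in ids.cfg that is missing or malformed, and each of them stops the sensor before it captures a single packet. The following Python script is an added example, not IBM code or part of this guide: it checks those settings before the sensor is started, and computes the byte and bit entropy figures that the CRYPT and NOCRYPT thresholds are compared against. It assumes that ids.cfg holds one "KEYWORD value" directive per line with "#" comments, that the keywords are HOST, NET, MASK and the four *_ENTROPY names quoted in the messages, that byte entropy is Shannon entropy over byte values (0 to 8 bits per byte) and bit entropy Shannon entropy over individual bits (0 to 1); none of that is stated by the guide, and the sample configuration is constructed.

```python
"""Pre-flight check of the ids.cfg settings that HRMNI10012E-HRMNI10021E
report at startup, plus the entropy figures the CRYPT/NOCRYPT thresholds
refer to. Added example, not IBM code; directive syntax, keyword names other
than those quoted in the messages, and the entropy definitions are assumptions.
"""
import ipaddress
import math

# Constructed ids.cfg: NET has host bits set under MASK, and MAXBYTE_ENTROPY
# (needed by NOCRYPT signatures) is missing.
SAMPLE_CFG = """\
# constructed sample, not a shipped file
HOST 192.0.2.10
NET 192.0.2.8
MASK 255.255.255.0
MINBYTE_ENTROPY 7.2
MINBIT_ENTROPY 0.97
MAXBIT_ENTROPY 0.80
"""

ADDRESS_KEYS = ("HOST", "NET", "MASK")
BYTE_ENTROPY_KEYS = ("MINBYTE_ENTROPY", "MAXBYTE_ENTROPY")  # bits per byte, 0..8
BIT_ENTROPY_KEYS = ("MINBIT_ENTROPY", "MAXBIT_ENTROPY")      # bits per bit, 0..1


def parse_cfg(text):
    """'KEYWORD value' per line; '#' starts a comment (assumed syntax)."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            key, _, value = line.partition(" ")
            cfg[key.upper()] = value.strip()
    return cfg


def check_cfg(cfg):
    """Return a list of problems; an empty list means these checks pass."""
    problems = []
    addrs = {}
    for key in ADDRESS_KEYS:
        if key not in cfg:
            problems.append(f"{key} not specified")
            continue
        try:
            addrs[key] = ipaddress.IPv4Address(cfg[key])
        except ValueError:
            problems.append(f"{key} {cfg[key]} is not a valid IPv4 address")
    if "NET" in addrs and "MASK" in addrs:
        try:  # strict mode rejects non-contiguous masks and host bits in NET
            net = ipaddress.IPv4Network((str(addrs["NET"]), str(addrs["MASK"])))
        except ValueError as err:
            problems.append(f"NET/MASK not valid: {err}")
        else:
            if "HOST" in addrs and addrs["HOST"] not in net:
                problems.append(f"HOST {addrs['HOST']} is outside {net}")
    for key in BYTE_ENTROPY_KEYS + BIT_ENTROPY_KEYS:
        if key not in cfg:
            problems.append(f"{key} not specified")
            continue
        upper = 8.0 if key in BYTE_ENTROPY_KEYS else 1.0
        try:
            value = float(cfg[key])
        except ValueError:
            problems.append(f"{key} {cfg[key]} is not a number")
            continue
        if not 0.0 <= value <= upper:
            problems.append(f"{key} {value} is outside 0..{upper}")
    return problems


def byte_entropy(data):
    """Shannon entropy of the byte-value distribution, in bits per byte (0..8)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def bit_entropy(data):
    """Shannon entropy of the 0/1 distribution over all bits (0..1)."""
    if not data:
        return 0.0
    ones = sum(bin(b).count("1") for b in data)
    p = ones / (8 * len(data))
    if p in (0.0, 1.0):
        return 0.0
    return -(p * math.log2(p) + (1 - p) * math.log2(1 - p))


if __name__ == "__main__":
    for problem in check_cfg(parse_cfg(SAMPLE_CFG)):
        print("ids.cfg:", problem)
    uniform = bytes(range(256))
    print("uniform bytes:", byte_entropy(uniform), bit_entropy(uniform))
```

The entropy functions show why the thresholds need both a minimum and a maximum: a payload of 256 distinct byte values scores 8.0 bits per byte and 1.0 bits per bit, which is what ciphertext looks like to a CRYPT signature, while a run of the single byte 0x41 scores 0.0 bits per byte but still 0.81 bits per bit, so a NOCRYPT signature that only looked at bit entropy would misjudge it.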
HRMNI10023E Memory allocation failed while loading the configuration.
Explanation: A memory allocation error has occurred during the configuration load process.
System action: NIDS failed to initialize. Program stopped.

HRMNI10024E File - file name, Line - line number, Signature - signature text: message entry is not valid.
Explanation: Parsing error while loading the ids.msg file.
System action: NIDS failed to initialize. Program stopped.
User response: Try re-installing the NIDS product to correct the problem.

HRMNI10025E File - file name, Line - line number, Signature - signature text: MSG number is not valid.
Explanation: Parsing error while initializing from the configuration files.
System action: NIDS failed to initialize. Program stopped.
User response: Try re-installing the NIDS product to correct the problem.

HRMNI10026E File - file name, Line - line number, Signature - signature text: MSG is not valid.
Explanation: Parsing error while initializing from the configuration files.
System action: NIDS failed to initialize. Program stopped.
User response: Try re-installing the NIDS product to correct the problem.

HRMNI10030E File - file name, Line - line number, Signature - signature text: MAXPACKET value is not valid.
Explanation: Error occurred while loading Session signatures.
System action: NIDS failed to initialize. Program stopped.
User response: Validate the syntax of the Session signatures in ids.rules.

HRMNI10031E File - file name, Line - line number, Signature - signature text: RPC value is not valid.
Explanation: Error occurred while loading RPC signatures.
System action: NIDS failed to initialize. Program stopped.
User response: Validate the syntax of the RPC signatures in ids.rules.

HRMNI10032E File - file name, Line - line number, Signature - signature text: unknown RPC service: service identifier
Explanation: Error occurred while loading RPC signatures.
System action: NIDS failed to initialize. Program stopped.
User response: Validate the syntax of the RPC signatures in ids.rules.

HRMNI10034E File - file name, Line - line number, Signature - signature text: SECURITY value is not valid.
Explanation: Error occurred while loading IP signatures.
System action: NIDS failed to initialize. Program stopped.
User response: Validate the syntax of the IP signatures in ids.rules.

HRMNI10035E File - file name, Line - line number, Signature - signature text: unknown IP option: IP option
Explanation: Error occurred while loading IP signatures.
System action: NIDS failed to initialize. Program stopped.
User response: Validate the syntax of the IP signatures in ids.rules.

HRMNI10037E File - file name, Line - line number, Signature - signature text: MIN/MAX value is not valid.
Explanation: Error occurred while loading IP signatures.
System action: NIDS failed to initialize. Program stopped.
User response: Validate the syntax of the IP signatures in ids.rules.

HRMNI10039E File - file name, Line - line number, Signature - signature text: unknown FRAG option: fragmentation option
Explanation: Error occurred while loading IP signatures.
System action: NIDS failed to initialize. Program stopped.
User response: Validate the syntax of the IP signatures in ids.rules.

HRMNI10042E File - file name, Line - line number, Signature - signature text: FAIL value is not valid.
Explanation: Error occurred while loading IP signatures.
System action: NIDS failed to initialize. Program stopped.
User response: Validate the syntax of the IP signatures in ids.rules.

HRMNI10044E File - file name, Line - line number, Signature - signature text: unknown TCP option: TCP option
Explanation: Error occurred while loading TCP signatures.
System action: NIDS failed to initialize. Program stopped.
User response: Validate the syntax of the TCP signatures in ids.rules.

HRMNI10046E File - file name, Line - line number, Signature - signature text: value is not valid.
Explanation: Error occurred while loading ICMP signatures.
System action: NIDS failed to initialize. Program stopped.
User response: Validate the syntax of the ICMP signatures in ids.rules.

HRMNI10047E File - file name, Line - line number, Signature - signature text: tokens: number expected, number found.
Explanation: A token or tokens that are not valid were detected while parsing signatures.
System action: NIDS failed to initialize. Program stopped.
User response: Validate the syntax of the ICMP signatures in ids.rules.

HRMNI10050E File - file name, Line - line number, Signature - signature text - invalid AUTH option
Explanation: Error occurred while processing authentication-related Access Control Lists (ACLs).
System action: NIDS failed to initialize. Program stopped.
User response: Validate the syntax of the authentication-related ACLs in ids.rules.
HRMNI10052E File - file name, Line - line number, Signature - signature text: SRCDST is not valid.
Explanation: Error occurred while processing Session signatures.
System action: NIDS failed to initialize. Program stopped.
User response: Validate the syntax of the Session signatures in ids.rules.

HRMNI10053E File - file name, Line - line number, Signature - signature text: expected USER/PASSWD/AUTHFAIL keyword was not found.
Explanation: Error occurred while processing Session signatures.
System action: NIDS failed to initialize. Program stopped.
User response: Validate the syntax of the Session signatures in ids.rules.

HRMNI10055E File - file name, Line - line number, Signature - signature text: signature is not valid.
Explanation: General error occurred while processing signatures.
System action: NIDS failed to initialize. Program stopped.
User response: Validate the signature syntax in ids.rules.

HRMNI10056E File - file name, Line - line number, Signature - signature text: invalid usage
Explanation: Error occurred while processing RPC services signatures.
System action: NIDS failed to initialize. Program stopped.
User response: Validate the usage of the RPC services signatures in ids.rules.

HRMNI10059E File - file name, Line - line number, Signature - signature text: PROC value is not valid.
Explanation: Error occurred while processing RPC services signatures.
System action: NIDS failed to initialize. Program stopped.
User response: Validate the usage of the RPC services signatures in ids.rules.

HRMNI10061E File - file name, Line - line number, Signature - signature text: token is not supported.
Explanation: Error occurred while processing RPC services signatures.
System action: NIDS failed to initialize. Program stopped.
User response: Validate the usage of the RPC services signatures in ids.rules.

HRMNI10062E File - file name, Line - line number, Signature - signature text: service name is not valid.
Explanation: Error occurred while processing RPC services signatures.
System action: NIDS failed to initialize. Program stopped.
User response: Validate the usage of the RPC services signatures in ids.rules.

HRMNI10065E File - file name, Line - line number, Signature - signature text: HOST or DIR is not valid.
Explanation: Error occurred while processing RPC services signatures.
System action: NIDS failed to initialize. Program stopped.
User response: Validate the usage of the RPC services signatures in ids.rules.

HRMNI10066E File - file name, Line - line number, Signature - signature text: FILE value is not valid.
Explanation: Error occurred while processing RPC services signatures.
System action: NIDS failed to initialize. Program stopped.
User response: Validate the usage of the RPC services signatures in ids.rules.

HRMNI10067E File - file name, Line - line number, Signature - signature text: FILE is not valid.
Explanation: Error occurred while processing RPC services signatures.
System action: NIDS failed to initialize. Program stopped.
User response: Validate the usage of the RPC services signatures in ids.rules.

HRMNI10068E File - file name, Line - line number, Signature - signature text: UID value is not valid.
Explanation: Error occurred while processing RPC services signatures.
System action: NIDS failed to initialize. Program stopped.
User response: Validate the usage of the RPC services signatures in ids.rules.

HRMNI10069E File - file name, Line - line number, Signature - signature text: GID value is not valid.
Explanation: Error occurred while processing RPC services signatures.
System action: NIDS failed to initialize. Program stopped.
User response: Validate the usage of the RPC services signatures in ids.rules.

HRMNI10070E File - file name, Line - line number, Signature - signature text: MODE value is not valid.
Explanation: Error occurred while processing RPC services signatures.
System action: NIDS failed to initialize. Program stopped.
User response: Validate the usage of the RPC services signatures in ids.rules.

HRMNI10071E File - file name, Line - line number, Signature - signature text: sigfname is not valid.
Explanation: Error occurred while processing RPC services signatures.
System action: NIDS failed to initialize. Program stopped.
User response: Validate the usage of the RPC services signatures in ids.rules.

HRMNI10075E File - file name, Line - line number, Signature - signature text: value is not valid.
Explanation: Error occurred while processing RPC services signatures.
System action: NIDS failed to initialize. Program stopped.
User response: Validate the usage of the RPC services signatures in ids.rules.

HRMNI10076E File - file name, Line - line number, Signature - signature text: NFS option is not valid.
Explanation: Error occurred while processing RPC services signatures.
System action: NIDS failed to initialize. Program stopped.
User response: Validate the usage of the RPC services signatures in ids.rules.

HRMNI10077E File - file name, Line - line number, Signature - signature text: NFS is not valid.
Explanation: Error occurred while processing RPC services signatures.
System action: NIDS failed to initialize. Program stopped.
User response: Validate the usage of the RPC services signatures in ids.rules.

HRMNI10079E File - file name, Line - line number, Signature - signature text: ALLOW/NOTIFY is not valid.
Explanation: Error occurred while processing the ACLs of supported signatures.
System action: NIDS failed to initialize. Program stopped.
User response: Validate the usage of the supported ACLs.

HRMNI10080E File - file name, Line - line number, Signature - signature text: SRC/DST/SRCDST is not valid.
Explanation: Error occurred while processing the ACLs of supported signatures.
System action: NIDS failed to initialize. Program stopped.
User response: Validate the usage of the supported ACLs.

HRMNI10081E File - file name, Line - line number, Signature - signature text: TIME or HOST/NET is not valid.
Explanation: Error occurred while processing the ACLs of supported signatures.
System action: NIDS failed to initialize. Program stopped.
User response: Validate the usage of the supported ACLs.

HRMNI10082E File - file name, Line - line number, Signature - signature text: TIME or HOST is not valid.
Explanation: Error occurred while processing the ACLs of supported signatures.
System action: NIDS failed to initialize. Program stopped.
User response: Validate the usage of the supported ACLs.

HRMNI10083E File - file name, Line - line number, Signature - signature text: value is not valid.
Explanation: Error occurred while processing the ACLs of supported signatures.
System action: NIDS failed to initialize. Program stopped.
User response: Validate the usage of the supported ACLs.

HRMNI10084E IP address is not valid - ids.cfg
Explanation: Error occurred while processing the ACLs of supported signatures.
System action: NIDS failed to initialize. Program stopped.
User response: Validate the usage of the supported ACLs.

HRMNI10085E File - file name, Line - line number, Signature - signature text: IP address not recognized: IP address
Explanation: Error occurred while processing the ACLs of supported signatures.
System action: NIDS failed to initialize. Program stopped.
User response: Validate the usage of the supported ACLs.

HRMNI10086E File - file name, Line - line number, Signature - signature text: value is not valid.
Explanation: Error occurred while processing the ACLs of supported signatures.
System action: NIDS failed to initialize. Program stopped.
User response: Validate the usage of the supported ACLs.

HRMNI10087E IP address is not valid - ids.cfg
Explanation: Error occurred while processing the ACLs of supported signatures.
System action: NIDS failed to initialize. Program stopped.
User response: Validate the usage of the supported ACLs.

HRMNI10088E File - file name, Line - line number, Signature - signature text: network address not recognized: Network address
Explanation: Error occurred while processing the ACLs of supported signatures.
System action: NIDS failed to initialize. Program stopped.
User response: Validate the usage of the supported ACLs.

HRMNI10089E File - file name, Line - line number, Signature - signature text: value is not valid.
Explanation: Error occurred while processing the ACLs of supported signatures.
System action: NIDS failed to initialize. Program stopped.
User response: Validate the usage of the supported ACLs.
HRMNI10090E �� - file name, � - line number, �� - signature text ���� �� �� ��� network mask
��: Error occurred while processing supported signatures ACL’s.
��� �: Validate usage of supported ACL’s.
��� �: NIDS failed to initialize. Program stopped.
HRMNI10091E �� - file name, � - line number, �� - signature text HOST/NET/PEAK/OFFPEAK/ANY/NEVER
� ���� ���.
��: Error occurred while processing supported signatures ACL’s.
��� �: Validate usage of supported ACL’s.
��� �: NIDS failed to initialize. Program stopped.
HRMNI10092E �� - file name, � - line number, �� - signature text TOKEN � ���� ���.
��: Error occurred while processing supported signatures ACL’s.
��� �: Validate usage of supported ACL’s.
��� �: NIDS failed to initialize. Program stopped.
HRMNI10093E �� - file name, � - line number, �� - signature text ��� : � number�� �� ���.
��: Error occurred while processing supported signatures ACL’s.
��� �: Validate usage of supported ACL’s.
��� �: NIDS failed to initialize. Program stopped.
HRMNI10095E �� - file name, � - line number, �� - signature text �� ���� ���.
��: Error occurred while processing Event or Log configuration data.
��� �: Validate syntax of EVENT and LOG processing directives.
��� �: NIDS failed to initialize. Program stopped.
HRMNI10096E �� - file name, � - line number, �� - signature text VALUE|TOKEN � ���� ���.
��: Error occurred while processing Event or Log configuration data.
��� �: Validate syntax of EVENT and LOG processing directives.
��� �: NIDS failed to initialize. Program stopped.
HRMNI10097E �� - file name, � - line number, �� - signature text ASCII �� TCPDUMP � ���� ���.
��: Error occurred while processing Event or Log configuration data.
��� �: Validate syntax of EVENT and LOG processing directives.
��� �: NIDS failed to initialize. Program stopped.
231Risk Manager ��� ���
A.
Risk
Man
ager
��
�
HRMNI10098E �� - file name, � - line number, �� - signature text RAW|SESSION|TCPDUMP � ���� ��
�.
��: Error occurred while processing Event or Log configuration data.
��� �: Validate syntax of EVENT and LOG processing directives.
��� �: NIDS failed to initialize. Program stopped.
HRMNI10099E �� - file name, � - line number, �� - signature text FILE|HOST � ���� ���.
��: Error occurred while processing Event or Log configuration data.
��� �: Validate syntax of EVENT and LOG processing directives.
��� �: NIDS failed to initialize. Program stopped.
HRMNI10100E ��� �� ���� ���.
��: Error occurred while processing Event or Log configuration data.
��� �: Validate syntax of EVENT and LOG processing directives.
��� �: NIDS failed to initialize. Program stopped.
HRMNI10101E �� � ���� ���.
��: Error occurred while processing Event or Log configuration data.
��� �: Validate syntax of EVENT and LOG processing directives.
��� �: NIDS failed to initialize. Program stopped.
HRMNI10106E CONSOLE|SYSLOG|PATH|HOST ���� ���.
��: Error occurred while processing Event or Log configuration data.
��� �: Validate syntax of EVENT and LOG processing directives.
��� �: NIDS failed to initialize. Program stopped.
HRMNI10109E � � � ��� �� �� hex device type, decimal device type�() �������.
��: The system detected an unknown device type.
��� �: NIDS failed to initialize. Program stopped.
HRMNI10110E ���� FDDI�� ���� �� ����.
��: Your version of the Software does not support the FDDI adapter.
��� �: NIDS failed to initialize. Program stopped.
232 �� 3 ��� 8
HRMNI10111E getIPFrag� �� ��� ����.
��: An error occurred while attempting to process an IP fragment.
��� �: NIDS will stop and restart.
HRMNI10112E � �� � : packets� � packets� ���. RATIO, Curr: ratio �: overall ratio, � �: interval
in seconds, �: dropped per second
��: Report on packet throughput statistics.
HRMNI10114E ���� PPP�� ���� �� ����.
��: Your version of the Software does not support PPP.
��� �: NIDS failed to initialize. Program stopped.
HRMNI10115E ���� RAW IP�� ���� �� ����.
��: Your version of the Software does not support RAW IP processing.
��� �: NIDS failed to initialize. Program stopped.
HRMNI10116E ���� SLIP�� ���� �� ����.
��: Your version of the Software does not support SLIP.
��� �: NIDS failed to initialize. Program stopped.
HRMNI10157E �� -option name�(�) ��� ����.
��: An incorrect command line option has been detected.
��� �: Check product documentation for correct usage or specify ‘-h’ option.
��� �: NIDS failed to initialize. Program stopped.
HRMNI10158E PID ��� ��� � : file name
��: NIDS is unable to create a process id file.
��� �: Check file permissions of install directory.
��� �: NIDS failed to initialize. Program stopped.
HRMNI10159E �� �� � ��: file name
��: An error occurred while trying to load the startup configuration file.
��� �: Check file permissions or try re-install of the NIDS product to correct the problem.
��� �: NIDS failed to initialize. Program stopped.
233Risk Manager ��� ���
A.
Risk
Man
ager
��
�
HRMNI10160E �� �� � ��: file name
Explanation: An error occurred while trying to load the signature file.
Operator response: Check file permissions or try re-installing the NIDS product to correct the problem.
System action: NIDS failed to initialize. Program stopped.
HRMNI10161E ��� �� � ��: file name
Explanation: An error occurred while trying to load the messages file.
Operator response: Check file permissions or try re-installing the NIDS product to correct the problem.
System action: NIDS failed to initialize. Program stopped.
HRMNI10163E process - �� ���� ���.
Explanation: The NIDS process attempted to start but does not have sufficient authority.
Operator response: Log on as root and restart the NIDS process.
System action: NIDS failed to initialize. Program stopped.
HRMNI10166E PID ��� � � : file name
Explanation: An attempt was made to KILL NIDS but the process id could not be determined.
HRMNI10167E PID ��� �� � : file name
Explanation: An attempt was made to KILL NIDS but the process id could not be determined.
HRMNI10171E ��: ��� ��� ���.
Explanation: An attempt was made to KILL NIDS with an incorrect signal.
HRMNI10172E ��: PID �� � ���.
Explanation: An attempt was made to KILL NIDS with an incorrect PID.
HRMNI10173E ��: �� ���. ‘root’ �� ������.
Explanation: An attempt was made to KILL NIDS with insufficient permissions.
HRMNI10174E ��: � � � ��
Explanation: An error occurred during an attempt to KILL NIDS. Unable to determine the reason code.
��� �: �� ������.
HRMNI10175E ��� NIDS PID� ��: number
Explanation: An attempt was made to KILL NIDS with an incorrect PID.
HRMNI10176E �� �� ��: file name
Explanation: An error occurred during an attempt to open the subject file.
Operator response: Check permissions and try again.
System action: NIDS failed to initialize. Program stopped.
HRMNI10177E �� �� ��: file name
Explanation: An error occurred during an attempt to read the subject file.
Operator response: Check permissions and try again.
System action: NIDS failed to initialize. Program stopped.
HRMNI10179E �� - file name, � - line number, �� - signature text SRCDST � ���� ���.
Explanation: An error occurred while parsing ACLs.
Operator response: Check the usage of the SRC and DST fields.
System action: NIDS failed to initialize. Program stopped.
HRMNI10180E �� - file name, � - line number, �� - signature text SERVICE � ���� ���.
Explanation: An error occurred while processing an SMB signature.
Operator response: Ensure proper usage of the SERVICE directive.
System action: NIDS failed to initialize. Program stopped.
HRMNI10181E �� - file name, � - line number, �� - signature text ACL � ���� ���.
Explanation: An error occurred while processing supported signature ACLs.
Operator response: Validate the usage of supported ACLs.
System action: NIDS failed to initialize. Program stopped.
HRMNI10182E ��� ���� ��� � ���.
Explanation: The adapter specified on the command line is not available.
Operator response: Check for available adapters using ifconfig -a.
System action: NIDS failed to initialize. Program stopped.
HRMNI10184E �� � ���� /etc/inittab ��� ������.
Explanation: The attempt to update the /etc/inittab file to provide auto-respawn capability failed.
Operator response: Ensure root is used to install NIDS. Check permissions on /etc/inittab.
System action: NIDS failed to initialize. Program stopped.
HRMNI10185E ���� � ���� /etc/inittab ��� ������.
Explanation: The attempt to update the /etc/inittab file to remove entries added during the install procedure failed.
Operator response: Ensure root is used to uninstall NIDS. Check permissions on /etc/inittab.
System action: NIDS failed to initialize. Program stopped.
HRMNI10186E � �� �� : �� %1$s
Explanation: The depth of included files in ids.rules has been exceeded.
Operator response: Reorganize your signature rules to eliminate recursive includes.
System action: NIDS failed to initialize. Program stopped.
HRMNI10187E ��� ���: %1$s
Explanation: The regular expression parser was unable to evaluate an expression.
Operator response: Validate all REGEX entries in the ids.rules file.
System action: NIDS failed to initialize. Program stopped.
HRMNI10188E �� �� ��
Explanation: NIDS encountered an error while processing a regular expression found in ids.rules.
Operator response: Validate all REGEX entries in the ids.rules file.
System action: NIDS failed to initialize. Program stopped.
HRMNI10189E %1$d ��� ��� ��� � ���.
Explanation: A memory allocation error has occurred during IP fragment processing.
System action: NIDS will stop and restart.
Installation messages
HRMIN0011E � ��� ����� Tivoli �� �� ��� ��� ManagedNodes ���� �� ��� ���� ���.
Explanation: This error occurs when you attempt to uninstall the Risk Manager Server (RISKMGR_CORR) or the Risk Manager Perl Support (RISKMGR_PERL) from a managed node if you do not have the Tivoli environment set or if you do not have the authority to run uninstall.
System action: Processing halts.
Operator response: Use the setup_env.sh script to source in the Tivoli environment. Be sure that you are running under a login that has Tivoli administrator authority for uninstall.
HRMIN0012E parameter_name ��� ��� filename �� ��� ��� � ���.
Explanation: The configuration file could not be updated with the value for the parameter shown. The most likely reasons for this problem are that there was not enough space in the file system to update the file or that there was a problem with the file permissions.
System action: Processing halts.
Operator response: Correct any problems, and try executing the command again.
HRMIN0013E ��� ��� � ���. file_name
Explanation: A configuration file that the installation creates could not be created. The most likely reason for this problem is that there was not enough space in the file system to create the file or that there was a problem with the file permissions.
System action: Processing halts.
Operator response: Correct any file system related problems, and then try the installation again.
HRMIN0014E � ��� ���� �� ��� /etc/inittab� ��� � : executable_name
Explanation: An entry to start the executable could not be inserted into the inittab.
System action: Processing halts.
Operator response: Correct any problems, and try the installation again.
HRMIN0016E � ��� �� � ���. executable_name
Explanation: The daemon was not stopped.
Operator response: If the daemon is still running, use the kill command to stop the process.
HRMIN0017E �� ��� ��� � ���. filename
Explanation: During a reinstall, the user’s current copy of the configuration file shown could not be saved. The most likely reason for this problem is that there was not enough space in the file system to create the file or that there was a problem with the file permissions.
System action: Processing stops.
Operator response: Correct the problem, and try the install again.
HRMIN0018E �� ��� ���� filename �� ��� �� � ���.
Explanation: When the Risk Manager Event Integration Facility is reinstalled, an attempt is made to copy the saved versions of the rmad.conf and rmad_summary.rules configuration files back to the RISKMGR/etc directory at the end of the installation. This could not be done.
System action: The installation completes.
Operator response: View the specified file in the RISKMGR/etc directory and any copy of the file located in the RISKMGR/etc/backup directory. If there are differences in the files and if you decide that you would prefer to use the file located in the backup directory, then copy the file you want to use to the RISKMGR/etc directory (rename it if needed).
HRMIN0019E RMEIF �� TME ��� �� filename �� �� ��� � ���.
Explanation: The program was unable to create the symbolic link in RISKMGR/bin to point to the file in RISKMGR/bin/tme.
System action: The installation completes.
Operator response: Correct any known problems, and then use the rmeif_cfg command to set the RMEIF configuration for TME or non-TME.
HRMIN0020E RMEIF �� TME �� ��� �� filename �� �� ��� � ���.
Explanation: The program was unable to create the symbolic link in RISKMGR/bin to point to the file in RISKMGR/bin/nontme.
System action: The installation completes.
Operator response: Correct any known problems, and then use the rmeif_cfg command to set the RMEIF configuration for TME or non-TME.
Check Point FireWall-1 messages
HRMCP0001E Risk Manager ��� ��� ��� ��� ������.
Explanation: The Risk Manager Event Integration Facility may not be configured.
Operator response: Try reconfiguring the Risk Manager Event Integration Facility.
HRMCP0002E Risk Manager ��� �� ����� �� ������.
Explanation: The Risk Manager Event Integration Facility shared library was not found.
Operator response: Try reinstalling the Risk Manager Event Integration Facility.
HRMCP0003E message
Explanation: OPSEC-specific error message.
HRMCP0004E message1: message2
Explanation: OPSEC-specific error message.
HRMCP0005E NT ��� � ��� ������.
Explanation: Unknown and unexpected adapter error.
Operator response: Try reinstalling and reconfiguring the adapter.
HRMCP0006E Windows NT ������� variable name ��
Explanation: The adapter failed to create a new Windows registry entry.
Operator response: Make sure the adapter has Administrator authority.
HRMCP0007E message1 �: message2
Explanation: Unknown and unexpected adapter error.
Operator response: Try reinstalling and reconfiguring the adapter.
HRMCP0009E adapter name� �� ��� ������.
Explanation: The adapter failed to locate itself.
Operator response: Try reinstalling the adapter.
HRMCP0010E �� ��� ������. adapter name
Explanation: The adapter failed to install itself as a Windows service.
Operator response: Try running rma_cpfw -r to remove it as a service.
HRMCP0014E Failed to remove service: adapter name.
Explanation: The adapter failed to remove itself as a Windows service. The adapter may not currently be installed as a Windows service.
Operator response: See if the adapter is listed in the Windows Service Control Panel.
HRMCP0026E --debug �� -d ��� � �� �������.
Explanation: The --debug or -d option was given more than once.
Operator response: Remove the second instance of the option.
HRMCP0027E --event-output �� -e ��� � �� �������.
Explanation: The --event-output or -e option was given more than once.
Operator response: Remove the second instance of the option.
HRMCP0028E --warning-output �� -w ��� � �� �������.
Explanation: The --warning-output or -w option was given more than once.
Operator response: Remove the second instance of the option.
HRMCP0029E --install-service �� -i ��� � �� �������.
Explanation: The --install-service or -i option was given more than once.
Operator response: Remove the second instance of the option.
HRMCP0030E --remove-service �� -r ��� � �� �������.
Explanation: The --remove-service or -r option was given more than once.
Operator response: Remove the second instance of the option.
HRMCP0031E � � � ��: option letter
Explanation: An unknown command line option was given.
Operator response: Try running rma_cpfw --help or -h for a list of command line options.
HRMCP0034E OPSEC ��� ��� �����. � ���
Explanation: The connection with the OPSEC server was lost or not established.
Operator response: Make sure the OPSEC server is running and the network connection is working.
HRMCP0035E Risk Manager ��� �� �� �� ��� ������.
Explanation: The Risk Manager Event Integration Facility shared library was not found.
Operator response: Try reinstalling the Risk Manager Event Integration Facility.
Check Point FireWall-1 task messages
HRMSM0001E SAM ��� ������. � SAM ��� ��� � ���.
Explanation: The task to use the CheckPoint FireWall-1 SAM interface could not establish communication with the SAM Server.
Operator response: Try to run the task again. If the failure is repeated, check your SAM Server configuration.
System action: The task fails to perform the requested command.
HRMSM0004E SAM ����� ��� ������.
Explanation: The task to use the CheckPoint FireWall-1 SAM interface failed.
Operator response: Try to run the task again. If the failure is repeated, check your SAM Server configuration.
System action: The task fails to perform the requested command.
HRMSM0006E parameter�() ��� � ���.
Explanation: The task to use the CheckPoint FireWall-1 SAM interface failed to execute.
System action: The task fails to perform the requested command.
Operator response: Try to run the task again. Check your CheckPoint FireWall-1 SAM Server.
HRMSM0007E OPSEC ��� error code�
Explanation: The task to use the CheckPoint FireWall-1 SAM interface failed to execute because it encountered the OPSEC error.
System action: The task fails to perform the requested command.
Operator response: Try running the task again. Check your CheckPoint FireWall-1 SAM Server. Consult the CheckPoint FireWall-1 OPSEC documentation.
HRMSM0008E ��� �� SAM ��
Explanation: The task to use the CheckPoint FireWall-1 SAM interface failed to execute because it encountered an error.
System action: The task fails to perform the requested command.
Operator response: Try running the task again. Check your CheckPoint FireWall-1 SAM Server. Consult the CheckPoint FireWall-1 OPSEC documentation.
HRMSM0009E OPSEC ���� ������.
Explanation: The task to use the CheckPoint FireWall-1 SAM interface failed to execute because it encountered an error.
System action: The task fails to perform the requested command.
Operator response: Try running the task again. Check your CheckPoint FireWall-1 SAM Server. Consult the CheckPoint FireWall-1 OPSEC documentation.
HRMSM0010E ����� ��� ��� ������.
Explanation: The task to use the CheckPoint FireWall-1 SAM interface failed to execute because it encountered an error.
System action: The task fails to perform the requested command.
Operator response: Try running the task again. Check your CheckPoint FireWall-1 SAM Server. Consult the CheckPoint FireWall-1 OPSEC documentation.
HRMSM0011E �� ��� ��� ������.
Explanation: The task to use the CheckPoint FireWall-1 SAM interface failed to execute because it encountered an error.
System action: The task fails to perform the requested command.
Operator response: Try running the task again. Check your CheckPoint FireWall-1 SAM Server. Consult the CheckPoint FireWall-1 OPSEC documentation.
HRMSM0012E SAM �� ���� ������.
Explanation: The task to use the CheckPoint FireWall-1 SAM interface failed to execute because it encountered an error.
System action: The task fails to perform the requested command.
Operator response: Try running the task again. Check your CheckPoint FireWall-1 SAM Server. Consult the CheckPoint FireWall-1 OPSEC documentation.
HRMSM0013E �(SAM request)� ������.
Explanation: The task to use the CheckPoint FireWall-1 SAM interface failed to execute because it encountered an error.
System action: The task fails to perform the requested command.
Operator response: Try running the task again. Check your CheckPoint FireWall-1 SAM Server. Consult the CheckPoint FireWall-1 OPSEC documentation.
HRMSM0016E � RMADHOME� ���� �� ����.
Explanation: The task cannot execute because the needed environment variable is not defined.
System action: The task fails.
Operator response: Check the Risk Manager installation on the affected machine.
HRMSM0017E rma_cpfw.conf� ���� � ���.
Explanation: The task cannot execute because the configuration file cannot be accessed.
System action: The task fails.
Operator response: Check the Risk Manager installation on the affected machine.
HRMSM0018E SAM �� ��� ���� ����.
Explanation: The task cannot execute because the configuration file cannot be accessed.
System action: The task fails.
Operator response: Check the Risk Manager installation on the affected machine.
Cisco Secure IDS messages
HRMCI0001E Risk Manager �� ��� ��� ��� ������.
Explanation: The Risk Manager Event Integration Facility may not be configured.
Operator response: Try reconfiguring the Risk Manager Event Integration Facility.
HRMCI0002E Risk Manager �� �� ����� �� ������.
Explanation: The Risk Manager Event Integration Facility shared library was not found.
Operator response: Try reinstalling the Risk Manager Event Integration Facility.
HRMCI0003E error number � � ��
Explanation: The Cisco DataFeed component was unable to get a response from the central Cisco Secure IDS Communication Service.
Operator response: There may be a problem communicating with this remote process.
HRMCI0004E error number �� � ���.
Explanation: The Cisco IDS DataFeed component is not installed.
Operator response: Install the Cisco DataFeed component.
HRMCI0005E error number �� ���� ���.
Explanation: The Cisco IDS DataFeed component is already initialized.
Operator response: Try restarting the adapter. Check the system error log for further messages.
HRMCI0006E error number ��� ��
Explanation: The adapter is failing to initialize the Cisco IDS DataFeed component.
Operator response: Try restarting the adapter. Check the system error log for further messages.
HRMCI0007E error number �� ������� �� ���.
Explanation: A second adapter or some other Cisco IDS DataFeed application must be running.
Operator response: Run rma_csids-init stop to stop the other adapter. If the problem persists, run csidsDataFeed stop -f and remove all files from the DataFeed/var directory.
HRMCI0008E error number � � ���.
Explanation: Unknown error code.
HRMCI0010E ���� ������.
Explanation: The adapter is failing to initialize the Cisco DataFeed component.
Operator response: Try restarting the adapter. Check the system error log for further messages.
HRMCI0021E --debug �� -d ��� � �� �������.
Explanation: The --debug or -d option was given more than once.
Operator response: Remove the second instance of the option.
HRMCI0022E --event-output �� -e ��� � �� �������.
Explanation: The --event-output or -e option was given more than once.
Operator response: Remove the second instance of the option.
HRMCI0023E --warning-output �� -w ��� � �� �������.
Explanation: The --warning-output or -w option was given more than once.
Operator response: Remove the second instance of the option.
HRMCI0024E � � � ��: option letter
Explanation: An unknown command line option was given.
Operator response: Try running rma_csids --help or -h for a list of command line options.
HRMCI0025E --install-service �� -i ��� � �� �������.
Explanation: The --install-service or -i option was given more than once.
Operator response: Remove the second instance of the option.
HRMCI0026E --remove-service �� -r ��� � �� �������.
Explanation: The --remove-service or -r option was given more than once.
Operator response: Remove the second instance of the option.
HRMCI0028E Windows NT ������� variable name ��
Explanation: The adapter failed to create a new Windows registry entry.
Operator response: Make sure the adapter has Administrator authority.
HRMCI0029E �� �� ��: adapter name
Explanation: The adapter failed to install itself as a Windows service.
Operator response: Try running rma_csids -r to remove it as a service.
HRMCI0033E �� �� ��: adapter name
Explanation: The adapter failed to remove itself as a Windows service. The adapter may not currently be installed as a Windows service.
Operator response: See if the adapter is listed in the Windows Service Control Panel.
HRMCI0035E adapter name� �� �� ��
Explanation: The adapter failed to locate itself.
Operator response: Try reinstalling the adapter.
HRMCI0036E adapter name �: error number
Explanation: Unknown and unexpected adapter error.
Operator response: Try reinstalling and reconfiguring the adapter.
HRMCI0037E Risk Manager ��� �� �� �� ��� ������.
Explanation: The adapter could not find the Risk Manager Event Integration Facility library.
Operator response: The Risk Manager Event Integration Facility must be installed.
Risk Manager correlation messages
HRMCO0053E �� ��
Explanation: The rmcorr_cfg command encountered an error and backed out any completed processing.
System action: The rmcorr_cfg command stops.
Operator response: Check your parameters and re-execute the rmcorr_cfg command.
HRMCO0056E � � �� ��� � : path
Explanation: The rmcorr_cfg command was not able to create a rulebase in the directory specified.
System action: The rmcorr_cfg command backs out any completed processing.
Operator response: Re-execute the rmcorr_cfg command specifying a valid directory.
HRMCO0057E � �� � �� �� �: %1$s
Explanation: The rmcorr_cfg command was not able to create a rulebase in the directory specified.
System action: The rmcorr_cfg command backs out any completed processing.
Operator response: Re-execute the rmcorr_cfg command specifying a valid directory.
HRMCO0059E rulebase � ��� ���� �
Explanation: The rulebase does not compile.
System action: The rmcorr_cfg command backs out any completed processing.
Operator response: If the rulebase exists, fix it before installing the Risk Manager rules. Otherwise, contact Tivoli support.
HRMCO0060E rulebase � �� �� ��
Explanation: The rmcorr_cfg command was not able to create the rulebase.
System action: The rmcorr_cfg command backs out any completed processing.
Operator response: Validate the parameters to rmcorr_cfg.
HRMCO0061E rulebase_from � �� rulebase_to � �� ���� � ���
Explanation: The rmcorr_cfg command cannot copy the rulebase.
System action: The rmcorr_cfg command backs out any completed processing.
Operator response: Validate the parameters to rmcorr_cfg. Re-execute the rmcorr_cfg command.
HRMCO0062E class�() rulebase�() ���� � ���
Explanation: The class was not successfully imported into the rulebase.
System action: The rmcorr_cfg command backs out any completed processing.
Operator response: Validate the parameters to rmcorr_cfg. Ensure that your Tivoli environment is properly installed and running. Re-execute the rmcorr_cfg command.
HRMCO0063E rules � ��� rulebase � �� ���� � ���
Explanation: The rules file was not successfully imported into the rulebase.
System action: The rmcorr_cfg command backs out any completed processing.
Operator response: Validate the parameters to rmcorr_cfg. Ensure that your Tivoli environment is properly installed and running. Re-execute the rmcorr_cfg command.
HRMCO0064E directory ��� �� ��
Explanation: The rmcorr_cfg command could not find the directory.
System action: The rmcorr_cfg command backs out any completed processing and stops.
Operator response: Check that Risk Manager has been properly installed. Re-execute the command.
HRMCO0067E rulebase � �� � ��
Explanation: The rmcorr_cfg command could not load the rulebase.
System action: The rulebase is not loaded; changes to it are backed out.
Operator response: Verify the parameters to rmcorr_cfg. Check your Risk Manager configuration files for syntax errors. Check the ptc* (* is a number) file in your $BINDIR/RISKMGR/corr directory for details of the failure. Retry the command.
HRMCO0068E TEC ��� �� �� ��
Explanation: The TEC Event Server did not start.
System action: The TEC Event Server is not active.
Operator response: Start the TEC Event Server using the wstartesvr command.
HRMCO0069E TEC ��� �� � ��
Explanation: The TEC Event Server was not stopped.
System action: The rmcorr_cfg command does not re-start the TEC Event Server.
Operator response: Stop and then start the TEC Event Server.
HRMCO0072E ��� �� eventsource �� ��
Explanation: The rmcorr_cfg command was not able to create the event source.
System action: The event source is not created.
Operator response: If needed, re-run the command.
HRMCO0073E ��� ����� libraryname �� ��
Explanation: The rmcorr_cfg command was not able to create the task library.
System action: The task library is not created.
Operator response: Verify that the Tivoli environment is installed and running properly. Verify that you have installed a C preprocessor (cpp) on your system. On Unix systems, the rmcorr_cfg command attempts to use /usr/ccs/lib/cpp as the C preprocessor. On Windows systems, the C preprocessor $BINDIR/tools/cpp.exe is used. You may load the task library using ‘rmcorr_cfg -tasklib’.
HRMCO0075E ��� ���� � : filename
Explanation: The rmcorr_cfg command was not able to access the file.
System action: The rmcorr_cfg command stops.
Operator response: Verify that the Tivoli Risk Manager server is properly installed.
HRMCO0076E ��� � �� ��� �
Explanation: The rmcorr_cfg command could not determine the event cache size.
System action: The rmcorr_cfg command displays this message.
Operator response: Check that the Tivoli environment is properly installed and running. You can use the wlsesvrcfg command to list the Event Server configuration.
HRMCO0077E �� � �� ��� ��� �
Explanation: The rmcorr_cfg command could not determine the current rulebase path.
System action: The rmcorr_cfg command stops.
Operator response: Check that the Tivoli environment is properly installed and running. You can use the wrb -lscurrb command to list the current rulebase.
HRMCO0078E �� � �� ��� �
Explanation: The rmcorr_cfg command could not determine the current rulebase path.
System action: The rmcorr_cfg command stops.
Operator response: Check that the Tivoli environment is properly installed and running. You can use the wrb -lscurrb command to list the current rulebase.
HRMCO0079E rulebase � ���� class � �� �� ��
Explanation: The class could not be deleted from the rulebase.
System action: The rmcorr_cfg command does not delete the rule file from the rulebase.
Operator response: Verify the command line parameters you specified for rmcorr_cfg. The wrb -delrbclass -force command may be used to delete the rulebase if the rmcorr_cfg command continues to fail.
HRMCO0080E rulebase � ���� rulefile �� ��
Explanation: The rule file could not be deleted from the rulebase.
System action: The rmcorr_cfg command does not delete the rule file from the rulebase.
Operator response: Verify the command line parameters you specified for rmcorr_cfg. The wrb -delrbrule -force command may be used to delete the rulebase if the rmcorr_cfg command continues to fail.
HRMCO0081E %1$s � �� �� ��
Explanation: The rmcorr_cfg command failed to delete the rulebase.
System action: The rmcorr_cfg command stops without deleting the rulebase.
Operator response: Verify the command line parameters you specified for rmcorr_cfg. The wrb -delrb command may be used to delete the rulebase if the rmcorr_cfg command continues to fail.
HRMCO0082E rulebase � �� ��� � ���. � �� �� � ���.
Explanation: The rulebase was not found, so the rmcorr_cfg command was unable to delete it.
System action: The rmcorr_cfg command stops without deleting the rulebase.
Operator response: Re-execute the command specifying an existing rulebase.
HRMCO0085E event_source ��� �� �� ��
Explanation: The rmcorr_cfg command was unable to delete the event source.
System action: The rmcorr_cfg command fails to delete the event source.
Operator response: Verify your Tivoli environment and, if needed, re-execute the command. If it fails again, use the wdelsrc command to remove the event source.
HRMCO0096E � �� �� ��: filename
Explanation: The prolog file did not compile. The most likely cause is that the file contains syntax errors.
System action: The rmcorr_cfg command backs out any completed commands.
Operator response: Verify the parameters to rmcorr_cfg. Check your Risk Manager configuration files for syntax errors. Check the ptc* (* is a number) file in your $BINDIR/RISKMGR/corr directory for details of the failure. Re-execute the command.
HRMAR0001E (script) ‘-r seconds’ ��� ����.
Explanation: The task or job script is missing the -r argument. The script only archives events older than the specified number of seconds.
System action: Risk Manager data archiving is not successful.
Operator response: Specify the -r argument for the script. You must use a value of 10 seconds or greater.
HRMAR0002E (script) INTERP ���� ���, �� ��� ��� � ���.
Explanation: The task or job script could not determine which directory to use as a temporary directory because it could not determine the current operating system. The INTERP environment variable defines the operating system.
System action: Risk Manager data archiving is not successful.
Operator response: Ensure that the Tivoli environment is installed, configured, and running properly.
HRMAR0003E (script) dir �� ���� ���� ����.
Explanation: The temporary directory does not exist in the file system, or exists as a file and not a directory.
System action: Risk Manager data archiving is not successful.
Operator response: Ensure that you have free disk space. Create the named temporary directory if it does not exist. Re-execute the task or job.
HRMAR0004E (script) ‘wgetrim RIM_object’ ��
Explanation: The task or job script could not access the Tivoli RDBMS Interface Module (RIM) or the specified RIM object. Further explanation may appear in messages from the wgetrim command.
System action: Risk Manager data archiving is not successful.
Operator response: Ensure that the Tivoli environment is running and that you have the correct roles and permission to perform RIM functions. Ensure that the specified RIM object has been created and then re-execute the task or job.
HRMAR0005E (script) RIM �� ��� ��� � : file
Explanation: The script could not create the file.
System action: Risk Manager data archiving is not successful.
Operator response: Ensure that the Tivoli environment is running and that you have free disk space and write permission on the system temporary directory. Re-execute the task or job.
� �� �� ���
HRMWN0001E select ��� wrimsql� �� ��� ������. �����.
Explanation: The database could not be accessed or the select parameters were incorrect.
System action: The data was not retrieved from the database.
Operator response: Verify the database and then contact technical support.
HRMWN0003E �� ���� ���. �����.
Explanation: The program requires a temporary directory for its processing.
System action: The program exited without executing.
Operator response: Create the temporary directory: /tmp on a Unix platform or /temp on a Windows platform.
Risk Manager Event Integration Facility messages
HRMRM0008E � ��: ��� �� �
Explanation: There was a general failure sending an event to the Risk Manager EIF daemon.
System action: The event was not sent to the Risk Manager EIF daemon.
Operator response: Check the Risk Manager EIF and TEC configuration and then contact technical support.
HRMRM0009E ���� �� ��
Explanation: There was a general failure allocating storage in the Risk Manager EIF daemon.
System action: The Risk Manager EIF daemon exits with a return code of -1.
Operator response: Check the hardware and OS software configurations.
HRMRM0016E Common Adapter Pipe Processing Failed, rc = return code.
Explanation: Failure reading or writing Risk Manager EIF daemon communication pipes.
System action: The Risk Manager EIF daemon exits with a return code of -1.
Operator response: Check the Risk Manager EIF configuration and then contact technical support.
HRMRM0017E Common Adapter Initialization Failed, rc = return code.
Explanation: Risk Manager EIF daemon initialization failed.
System action: The Risk Manager EIF daemon exits with a return code of -1.
Operator response: Check the Risk Manager EIF configuration and then contact technical support.
HRMRM0018E �� ��� �� ���� � ������.
Explanation: The Risk Manager EIF daemon could not resolve the installation path.
System action: The Risk Manager EIF daemon exits with a return code of -1.
Operator response: Check the Risk Manager EIF configuration and registry entries and then contact technical support.
HRMRM0019E LCF_DATDIR �� ���� ����.
Explanation: The Risk Manager EIF daemon (TME version) could not determine the specified path.
System action: The Risk Manager EIF daemon exits with a return code of -1.
Operator response: Check the Risk Manager EIF configuration and registry entries and then contact technical support.
HRMRM0020E NSLPATH �� ���� ����.
Explanation: The Risk Manager EIF daemon could not determine the specified path.
System action: The Risk Manager EIF daemon exits with a return code of -1.
Operator response: Check the Risk Manager EIF configuration and registry entries and then contact technical support.
HRMRM0021E �� ���� �� ��, rc = return code
Explanation: The Risk Manager EIF daemon could not create a control semaphore.
System action: The Risk Manager EIF daemon exits with a return code of -1.
Operator response: Check the Risk Manager EIF configuration and then contact technical support.
HRMRM0022E �� ���� �� ��, ERRNO = errno
Explanation: The Risk Manager EIF daemon could not remove a control semaphore.
System action: The Risk Manager EIF daemon exits with a return code of -1.
Operator response: Check the Risk Manager EIF configuration and then contact technical support.
HRMRM0023E �� ���� �� ��, ERRNO = errno
Explanation: The Risk Manager EIF daemon could not access a control semaphore.
System action: The Risk Manager EIF daemon exits with a return code of -1.
Operator response: Check the Risk Manager EIF configuration and then contact technical support.
HRMRM0024E �� ���� �� ��, ERRNO = errno
Explanation: The Risk Manager EIF daemon could not access a control semaphore token.
System action: The Risk Manager EIF daemon exits with a return code of -1.
Operator response: Check the Risk Manager EIF configuration and then contact technical support.
HRMRM0025E port number �� �� ���� ���� ���.
Explanation: There is an invalid local event processing port number defined in the Risk Manager EIF configuration file.
System action: The Risk Manager EIF daemon exits with a return code of -1.
Operator response: Specify a valid port number in the configuration file.
HRMRM0026E � ��� �� �� � �� � ���� ���.
Explanation: Local event processing is specified in the Risk Manager EIF configuration file, but a port number is not defined.
System action: The Risk Manager EIF daemon exits with a return code of -1.
Operator response: Specify a valid port number in the configuration file.
HRMRM0027E [CDS file name ]([] ��� ��) ��� CDS ��� ���� ����.
Explanation: The CDS file defined in the configuration file does not exist.
System action: The Risk Manager EIF daemon exits with a return code of -1.
Operator response: Specify a valid .cds file in the configuration file.
HRMRM0028E CDS �� ���� ��� ��, rc = return code
Explanation: The .cds file parsing failed.
System action: The Risk Manager EIF daemon exits with a return code of -1.
Operator response: Ensure that the .cds and .fmt files match.
HRMRM0029E ServerLocation� [configuration file] ��� ��� �� ����.
Explanation: The server location is not defined in the Risk Manager EIF configuration file.
System action: The Risk Manager EIF daemon exits with a return code of -1.
Operator response: Specify a valid ServerLocation in the Risk Manager EIF configuration file.
HRMRM0030E �� ���� �� �� ��� �� � ������.
Explanation: The Risk Manager EIF daemon could not access its configuration file.
System action: The Risk Manager EIF daemon exits with a return code of -1.
Operator response: Ensure that the configuration file exists and is in the correct location.
HRMRM0031E TEC EIF ��� ��, rc = return code
Explanation: The Risk Manager EIF daemon could not initialize communication with the TEC.
System action: The Risk Manager EIF daemon exits with a return code of -1.
Operator response: Check the Risk Manager EIF and TEC configurations and then contact technical support.
HRMRM0032E �� �� ��� ������.
Explanation: The Risk Manager EIF daemon could not create internal communication pipes.
System action: The Risk Manager EIF daemon exits with a return code of -1.
Operator response: Check the Risk Manager EIF configuration and then contact technical support.
HRMRM0033E TEC �� �� ��. tec_errno = return code
Explanation: The Risk Manager EIF daemon could not create a TEC communication handle.
System action: The Risk Manager EIF daemon exits with a return code of -1.
Operator response: Check the Risk Manager EIF and TEC configurations and then contact technical support.
HRMRM0034E �� ��� �� �� �� pipe name �� ��, errno =
Explanation: The Risk Manager EIF daemon could not open an internal communication pipe for reading.
System action: The Risk Manager EIF daemon exits with a return code of -1.
Operator response: Check the Risk Manager EIF configuration and then contact technical support.
HRMRM0035E [message text garbled in source; variable: pipe name], errno =
Explanation: The Risk Manager EIF daemon could not open an internal communication pipe for writing.
System action: The Risk Manager EIF daemon exits with a return code of -1.
User response: Check the Risk Manager EIF configuration and then contact technical support.

HRMRM0036E [message text garbled in source; variable: pipe name], Errno =
Explanation: The Risk Manager EIF daemon could not create an internal communication pipe.
System action: The Risk Manager EIF daemon exits with a return code of -1.
User response: Check the Risk Manager EIF configuration and then contact technical support.

HRMRM0037E [message text garbled in source]
Explanation: The Risk Manager EIF daemon could not read the message type from an internal communication pipe.
System action: The Risk Manager EIF daemon exits with a return code of -1.
User response: Check the Risk Manager EIF configuration and then contact technical support.

HRMRM0038E [message text garbled in source]
Explanation: The Risk Manager EIF daemon could not read the message data from an internal communication pipe.
System action: The Risk Manager EIF daemon exits with a return code of -1.
User response: Check the Risk Manager EIF daemon and then contact technical support.

HRMRM0039E [message text garbled in source; variable: return code]
Explanation: The Risk Manager EIF daemon could not format the message data sent.
System action: The Risk Manager EIF daemon returns a return code of -1 to the Risk Manager EIF shared library.
User response: Check the Risk Manager EIF configuration and then contact technical support.

HRMRM0040E [message text garbled in source; mentions CDS]
Explanation: The Risk Manager EIF daemon has received an event to format, but a .cds file does not exist.
System action: The Risk Manager EIF daemon returns a return code of -1 to the Risk Manager EIF shared library.
User response: Check the Risk Manager EIF configuration, ensure that a .cds file exists, and verify that the file is defined in the Risk Manager EIF configuration file.
HRMRM0041E [message text garbled in source]
Explanation: The Risk Manager EIF daemon could not send a termination message to the local event processor.
System action: The Risk Manager EIF daemon returns a return code of -1 to the Risk Manager EIF shared library.
User response: Check the Risk Manager EIF configuration and then contact technical support.

HRMRM0042E [message text garbled in source]
Explanation: The Risk Manager EIF daemon could not format an event.
System action: The Risk Manager EIF daemon returns a return code of -1 to the Risk Manager EIF shared library.
User response: Check the Risk Manager EIF configuration and then contact technical support.

HRMRM0043E [message text garbled in source]
Explanation: The Risk Manager EIF daemon received invalid event data.
System action: The Risk Manager EIF daemon returns a return code of -1 to the Risk Manager EIF shared library.
User response: Check the Risk Manager EIF configuration and then contact technical support.

HRMRM0044E [message text garbled in source]
Explanation: The Risk Manager EIF daemon failed to create a communication socket.
System action: The Risk Manager EIF daemon returns a return code of -1 to the Risk Manager EIF shared library.
User response: Check the Risk Manager EIF configuration and then contact technical support.

HRMRM0045E [message text garbled in source]
Explanation: The Risk Manager EIF daemon failed to connect to a communication socket.
System action: The Risk Manager EIF daemon returns a return code of -1 to the Risk Manager EIF shared library.
User response: Check the Risk Manager EIF configuration and then contact technical support.

HRMRM0046E [message text garbled in source]
Explanation: The Risk Manager EIF daemon failed to write to a communication socket.
System action: The Risk Manager EIF daemon returns a return code of -1 to the Risk Manager EIF shared library.
User response: Check the Risk Manager EIF configuration and then contact technical support.
HRMRM0047E [message text garbled in source], rc = return code
Explanation: The Risk Manager EIF daemon received an error return value when sending an event to TEC.
System action: The Risk Manager EIF daemon returns a return code of -1 to the Risk Manager EIF shared library.
User response: Check the Risk Manager EIF and TEC configurations and then contact technical support.

HRMRM0048E [message text garbled in source], ERRNO = errno
Explanation: The Risk Manager EIF daemon could not create a control semaphore.
System action: The Risk Manager EIF daemon exits with a return code of -1.
User response: Check the Risk Manager EIF configuration and then contact technical support.

HRMRM0049E [message text garbled in source; mentions winsock.dll; variable: return code]
Explanation: The Risk Manager EIF daemon could not start Windows socket communication.
System action: The Risk Manager EIF daemon exits with the return code returned from WSAStartup.
User response: Check the Risk Manager EIF and OS configuration and then contact technical support.

HRMRM0050E [message text garbled in source]
Explanation: Risk Manager Observer is running in debug (non-service) mode.

HRMRM0051E Install the service.
Explanation: Risk Manager Observer usage.

HRMRM0052E RMO -r : [message text garbled in source]
Explanation: Risk Manager Observer usage.

HRMRM0053E [message text garbled in source; variable: Service name]
Explanation: The Risk Manager Observer service failed to install.
System action: The Risk Manager Observer service exits with the return code from the failing Application Programming Interface (API).
User response: Check the Risk Manager Observer configuration and then contact technical support.

HRMRM0054E [message text garbled in source]
Explanation: The Risk Manager Observer service failed to install.
System action: The Risk Manager Observer service exits with the return code from the failing API.
User response: Check the Risk Manager Observer configuration and then contact technical support.
HRMRM0055E [message text garbled in source]
Explanation: The Risk Manager Observer service could not create a registry entry.
System action: The Risk Manager Observer service exits with the return code from the failing API.
User response: Check the Risk Manager Observer configuration and then contact technical support.

HRMRM0056E [message text garbled in source; variable: Library name]
Explanation: The Risk Manager Observer service could not load the Java virtual machine DLL.
System action: The Risk Manager Observer service exits with a non-zero return code.
User response: Check the Risk Manager Observer configuration and then contact technical support.

HRMRM0057E [message text garbled in source; mentions JVM; variable: return code]
Explanation: The Risk Manager Observer service could not create an instance of the Java virtual machine.
System action: The Risk Manager Observer service exits with a non-zero return code.
User response: Check the Risk Manager Observer configuration and then contact technical support.

HRMRM0058E [message text garbled in source; variable: return code]
Explanation: The Risk Manager Observer service could not locate the RMO class.
System action: The Risk Manager Observer service exits with a non-zero return code.
User response: Check the Risk Manager Observer configuration and then contact technical support.

HRMRM0059E [message text garbled in source; mentions java ID]
Explanation: The Risk Manager Observer service could not locate the Main method in the RMO class.
System action: The Risk Manager Observer service exits with a non-zero return code.
User response: Check the Risk Manager Observer configuration and then contact technical support.

HRMRM0060E [message text garbled in source; variable: Service name]
Explanation: Risk Manager Observer error string.

HRMRM0063E [message text garbled in source; mentions Risk Manager Observer]
Explanation: Risk Manager Observer was unable to start.
System action: The Risk Manager Observer service exits with a non-zero return code.
User response: Check the Risk Manager Observer configuration and then contact technical support.
HRMRM0064E [message text garbled in source; mentions Risk Manager Observer]
Explanation: Risk Manager Observer was unable to stop.
System action: The Risk Manager Observer service exits with a non-zero return code.
User response: Check the Risk Manager Observer configuration and then contact technical support.

Risk Manager EIF Observer messages

HRMJR0003E [message text garbled in source; variable: line number]
Explanation: The rule file whose syntax was being checked contains an error that causes the rule to be invalid.
System action: The rule file will not function properly if used with the Risk Manager EIF Local Event Processing engine.
User response: Correct the error in the rule file.

HRMJR0004E [message text garbled in source]
Explanation: The rule file whose syntax was being checked has a missing semicolon. The rule file is not valid.
System action: The rule file will not function properly if used with the Risk Manager EIF Local Event Processing engine.
User response: Correct the error in the rule file.

HRMJR0005E [message text garbled in source; variable: failing rule]
Explanation: The rule listed contains a syntax error.
System action: The rule file will not function properly if used with the Risk Manager EIF Local Event Processing engine.
User response: Correct the error in the rule file.

HRMJR0006E [message text garbled in source; variable: file name]
Explanation: The file cannot be opened by the program.
System action: If this problem is encountered by the Risk Manager EIF Local Event Processor, the program may terminate abnormally. In some cases, processing may continue but no duplicate event reduction will be performed.
User response: Ensure that the file name has been correctly passed to the program.

HRMJR0007E [message text garbled in source; variable: port number]
Explanation: The local event processor (rmo) cannot open the port specified as the LocalEventPort in the $RMADHOME/etc/rmad.conf configuration file.
System action: The local event processor fails.
User response: Change the port to one that is available on your system.
Web IDS messages

HRMWI0001E [message text garbled in source; variable: file_name]
Explanation: The specified web server log was not found.
User response: Try again with a valid file name.
System action: File not found. Program stopped.

HRMWI0002E [message text garbled in source; mentions Risk Manager and Webids]
Explanation: Cannot find the Risk Manager Event Integration Facility library files necessary to send information to the TEC server.
User response: Modify the librmadPath value in the configuration file to point to the proper directory.
System action: Library not found. Events will not be sent.

HRMWI0005E [message text garbled in source; variable: variable_name]
Explanation: A variable necessary for Web IDS to operate is missing from the configuration file.
User response: Add the missing variable to the configuration file and assign it an appropriate value.
System action: Variable not found. Program halted.

HRMWI0006E [message text garbled in source]
Explanation: Web IDS must know how to properly split up a date, therefore a delimiter is required.
User response: Specify a value for date_delim in the configuration file.
System action: No delimiter specified. Date will not be parsed properly.

HRMWI0007E [message text garbled in source; variables: file_name, line_number, key_name]
Explanation: The key was not recognized. In general a valid key is either ″value″ or ″delim″.
User response: Change the key to a valid value (″value″ or ″delim″).
System action: Error reported, execution continues.

HRMWI0008E [message text garbled in source; variables: dictionary_value, logPattern_value]
Explanation: The variable dictionary_value is missing from the configuration file.
User response: Add dictionary_value to the configuration file and assign it an appropriate value.
System action: Variable not found. Program halted.
HRMWI0009E [message text garbled in source]
Explanation: When you specify a dictionary value in the configuration file, you must also specify a dictionary delimiter.
User response: Specify a value for dictionary_delim in the configuration file.
System action: Dictionary delimiter not found. Program halted.

HRMWI0010E [message text garbled in source; variable: user specified valid delimiters]
Explanation: The dictionary entry in the web server’s log cannot be broken into components using the specified delimiter list, and therefore it cannot be understood.
User response: Specify a valid delimiter list in the configuration file.
System action: Dictionary delimiter invalid. Program halted.

HRMWI0011E [message text garbled in source; mentions CLF, false and logPattern]
Explanation: Web IDS has been informed that the log file is not in CLF format, but has not been instructed how to read it.
User response: Specify a value for logPattern_value in the configuration file, or change clf_value to 1 if the log file is actually in CLF format.
System action: Cannot understand log file. Program halted.

HRMWI0012E [message text garbled in source; mentions logPattern]
Explanation: When you specify a logPattern value in the configuration file, you must also specify a logPattern delimiter.
User response: Specify a value for logPattern_delim in the configuration file.
System action: logPattern delimiter not found. Program halted.

HRMWI0013E [message text garbled in source; mentions logPattern; variable: user specified valid delimiters]
Explanation: The logPattern value could not be broken into components using the specified logPattern delimiter list.
User response: Specify a valid delimiter list in the configuration file.
System action: logPattern delimiter invalid. Program halted.

HRMWI0014E [message text garbled in source; variable: user specified valid delimiters]
Explanation: The date value could not be broken into components using the specified date delimiter list.
User response: Specify a valid delimiter list in the configuration file.
System action: Date delimiter invalid. Program halted.
HRMWI0015E [message text garbled in source]
Explanation: When you specify a time value in the configuration file, you must also specify a time delimiter.
User response: Specify a value for time_delim in the configuration file.
System action: Time delimiter not found. Program halted.

HRMWI0016E [message text garbled in source; variable: user specified valid delimiters]
Explanation: The time value could not be broken into components using the specified time delimiter list.
User response: Specify a valid delimiter list in the configuration file.
System action: Time delimiter invalid. Program halted.

HRMWI0017E [message text garbled in source; variables: ‘engine_name’, ‘name’]
Explanation: Each class within a given engine must have a unique name.
User response: Change the name of one of the duplicate classes in the signature file.
System action: Duplicate class names.

HRMWI0018E [message text garbled in source; variables: ‘signature_file_name’, ‘signature name’]
Explanation: A signature consists either of a pattern and a name, or of a pattern, a name, a vulnerability ID, and the name of the vulnerability database. Therefore, a signature that does not have exactly 2 or 4 fields is invalid.
User response: Modify the signature to have the requisite number of fields.
System action: Invalid signature. Program halted.

HRMWI0019E [message text garbled in source; variables: ‘engine(class_name)’, ‘signature_file_name’]
Explanation: Some classes are required for Web IDS to operate properly.
User response: Restore the required class from a backed-up copy of sig.nefarious.
System action: Required class missing. Program halted.

HRMWI0020E [message text garbled in source; variables: ‘engine_name’, ‘class_name’]
Explanation: A signature pattern defined in the signature file is not a valid regular expression.
User response: Modify the signature so that it is a valid regular expression and can be properly evaluated.
System action: Invalid signature pattern. Program halted.
HRMWI0021E [message text garbled in source; variables: ‘class_name’, ‘parameter_name’]
Explanation: The parameters for the specified class are incorrect.
User response: Modify the parameter to conform to the syntax specific to that engine or class (read the comments).
System action: Program halted.

HRMWI0022E [message text garbled in source; variables: ‘signature_file_name’, ‘engine_name’]
Explanation: The engine name is not one of the following: skip, parser, pattern, trust, or suspicion.
User response: Define all classes and signatures within one of the provided engines.
System action: Invalid engine name. Program halted.

HRMWI0023E [message text garbled in source; variables: ‘signature_file_name’, ‘print_level’; mentions printLvl]
Explanation: printLvl must be one of the following: all, warnings, or alerts.
User response: Set printLvl to one of the three valid values.
System action: printLvl invalid. Program halted.

HRMWI0024E [message text garbled in source; variables: ‘%1$s’, ‘%2$s’; mentions suspicion]
Explanation: A parameter for the suspicion engine is incorrect. Either the syntax is incorrect, or the parameter is not printLvl (the only valid parameter).
User response: Modify the engine specification to have only printLvl as a parameter.
System action: Program halted.

HRMWI0025E [message text garbled in source; variables: ‘engine_name’, ‘signature_file_name’]
Explanation: This engine definition takes no parameters. Therefore, anything defined here is meaningless. Only the suspicion engine takes parameters.
User response: Remove the parameters for this engine.
System action: Invalid engine parameter. Program halted.

HRMWI0026E [message text garbled in source; variable: ‘signature_file_name’; mentions suspicion and printLvl]
Explanation: The parameter printLvl must be defined for the suspicion engine.
User response: Define the parameter printLvl for the engine.
System action: Program halted.
HRMWI0027E [message text garbled in source; variables: ‘signature_file_name’, ‘engine_name’, ‘class_name’; mentions level1, level2 and k]
Explanation: The level1, level2, and k parameters must be specified correctly for each class definition. In this case, they are either missing or defined incorrectly.
User response: Analyze the parameters of this particular class for improper values.
System action: Improper parameters. Program halted.

HRMWI0028E [message text garbled in source; variables: ‘signature_file_name’, ‘engine_name’, ‘class_name’; mentions level1 and level2]
Explanation: Level1 is not greater than Level2. This means that every time a ″per host″ alert was generated, a redundant ″per domain″ alert would also be generated.
User response: Set Level1 to a value greater than Level2.
System action: Program halted.

HRMWI0029E [message text garbled in source; variables: ‘signature_file_name’, ‘engine_name’, ‘class_name’; mentions level1, level2 and k]
Explanation: The level1, level2, and k parameters must be specified correctly for each class definition. In this case, they are defined incorrectly.
User response: Analyze the parameters of this particular class for improper values.
System action: Improper parameters. Program halted.

HRMWI0030E [message text garbled in source; variables: ‘signature_file_name’, ‘engine_name’, ‘class_name’]
Explanation: The field parameter specifies which part of a log entry to look in when matching against the signatures in this class. Without it, Web IDS does not know where to look.
User response: Specify a field name as a parameter for the class.
System action: Program halted.

HRMWI0031E [message text garbled in source; variables: ‘signature_file_name’, ‘engine_name’, ‘class_name’, ‘field_name’]
Explanation: The field name is not one of the acceptable values, and therefore means nothing to Web IDS.
User response: Set the field value to an acceptable value, such as ″url″.
System action: Program halted.
HRMWI0032E [message text garbled in source; variables: ‘signature_file_name’, ‘engine_name’, ‘class_name’, ‘operator’]
Explanation: A condition other than ‘!’ or ‘=’ was specified.
User response: Analyze the condition and change it to the appropriate valid operator.
System action: Program halted.

HRMWI0033E [message text garbled in source; variables: ‘signature_file_name’, ‘engine_name’, ‘class_name’]
Explanation: Classes within the trust engine require a cancel parameter, which specifies what classes of events to nullify.
User response: Specify a cancel parameter so that Web IDS knows what events to invalidate as a result of matching this class.
System action: Program halted.

HRMWI0034E [message text garbled in source; variables: ‘signature_file_name’, ‘engine_name’, ‘class_name’, ‘cancelled_class_name’]
Explanation: The cancel parameter only makes sense if it specifies a class that currently exists. This class’s parameter does not.
User response: Make sure that the cancel parameter specifies an existing class.
System action: Program halted.

HRMWI0035E [message text garbled in source; variables: ‘signature_file_name’, ‘engine_name’, ‘class_name’, ‘required_class_name’]
Explanation: The require parameter only makes sense if it specifies a class that currently exists. This class’s parameter does not.
User response: Make sure that the require parameter specifies an existing class.
System action: Program halted.

HRMWI0036E [message text garbled in source]
Explanation: The alert data structure, an internal Web IDS structure, is corrupted.
User response: Restart Web IDS.
System action: Program halted.

HRMWI0037E [message text garbled in source; variables: ‘engine_name’, ‘class_name’, ‘which_level’]
Explanation: An internal Web IDS structure is corrupted.
User response: Restart Web IDS.
System action: Program halted.
HRMWI0038E [message text garbled in source; variables: ‘engine_name’, ‘class_name’; mentions K]
Explanation: An internal Web IDS structure is corrupted.
User response: Restart Web IDS.
System action: Program halted.

HRMWI0039E [message text garbled in source]
Explanation: Web IDS is having trouble communicating with the NT Event Log.
User response: Restart Web IDS. If the problem continues, reboot the system.
System action: Communication problem. Program halted.

HRMWI0040E [message text garbled in source; mentions Risk Manager]
Explanation: Web IDS is having trouble communicating with RMEIF. Either something is misconfigured, or this is only a temporary problem.
User response: If the message happens only once, do nothing. Otherwise, stop Web IDS, enter wrmadmin -restart at the command line, and restart Web IDS.
System action: Communication problem. Execution continues.
Appendix B. Backup files

This appendix describes the Risk Manager files that are backed up when the product is installed or upgraded.

Installing version 3.8 over version 3.8: When Risk Manager version 3.8 is installed on a system where version 3.8 is already installed, the existing configuration files listed below are backed up to $RMADHOME/etc/backup, where RMADHOME is one of the following:
¶ /usr/RISKMGR (AIX)
¶ /opt/RISKMGR (Solaris and Linux)
¶ %SystemDrive%\Program Files\Tivoli\RISKMGR (Windows systems)

The following files are backed up:
¶ Risk Manager Event Integration Facility
  $RMADHOME/etc/rmad.conf
  $RMADHOME/etc/rmad_summary.rules
¶ Web Intrusion Detection System
  $RMADHOME/etc/sig.nefarious
  $RMADHOME/etc/webids.cfg
  $RMADHOME/etc/webids.fmt
  $RMADHOME/etc/webids.nt.fmt
¶ Cisco Secure IDS adapter
  $RMADHOME/etc/csids.fmt
  $RMADHOME/etc/csids.nt.fmt
¶ Check Point FireWall-1 adapter
  $RMADHOME/etc/cpfw.fmt
  $RMADHOME/etc/cpfw.nt.fmt
  $RMADHOME/etc/rma_cpfw.conf
¶ Other Risk Manager files
  $RMADHOME/etc/os_aix.fmt
  $RMADHOME/etc/os_solaris.fmt
  $RMADHOME/etc/os_nt.fmt
  $RMADHOME/etc/os_linux.fmt
  $RMADHOME/etc/pix.fmt
  $RMADHOME/etc/pix_nt.fmt
  $RMADHOME/etc/rmnav.fmt
  $RMADHOME/etc/rmmac.fmt
  $RMADHOME/etc/tecad_snmp.cds
  $RMADHOME/etc/tecad_snmp.oid
[Two sentences about the files in the backup directory are garbled in the source.]

The rmad.conf and rmad_summary.rules files are a special case. Risk Manager handles the rmad.conf and rmad_summary.rules files as follows:
¶ First, $RMADHOME/etc/File is copied to $RMADHOME/etc/backup/File.orig.
¶ Then, $RMADHOME/etc/backup/File is copied to $RMADHOME/etc/File.
File is rmad.conf or rmad_summary.rules.
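The two-step swap above, as an added example that is not part of the Risk Manager product: a POSIX sh function that performs it for one file and refuses to overwrite an existing File.orig, followed by a demonstration on a constructed throwaway directory tree. The $RMADHOME/etc and $RMADHOME/etc/backup layout and the File.orig name come from the text; the function names restore_rmad_file and demo_restore, the return codes and the sample file contents are assumptions.

```shell
# Added example, not Risk Manager product code. Layout ($RMADHOME/etc and
# $RMADHOME/etc/backup) and the File.orig name come from the text; the
# function names, return codes and sample contents are assumptions.

# restore_rmad_file RMADHOME FILE
#   1. copy RMADHOME/etc/FILE        -> RMADHOME/etc/backup/FILE.orig
#      (keeps the freshly installed default)
#   2. copy RMADHOME/etc/backup/FILE -> RMADHOME/etc/FILE
#      (brings back the backed-up, customized copy)
# Return codes: 0 ok, 1 no backup to restore, 2 installed file missing,
# 3 FILE.orig already exists (refuse to overwrite it), 4 copy failed.
restore_rmad_file() {
    rmadhome=$1
    file=$2
    etc_dir="$rmadhome/etc"
    backup_dir="$etc_dir/backup"

    [ -f "$etc_dir/$file" ] || { echo "missing $etc_dir/$file" >&2; return 2; }
    [ -f "$backup_dir/$file" ] || { echo "no backup of $file; keeping installed copy" >&2; return 1; }
    if [ -e "$backup_dir/$file.orig" ]; then
        echo "$backup_dir/$file.orig already exists; not overwriting" >&2
        return 3
    fi

    cp -p "$etc_dir/$file" "$backup_dir/$file.orig" || return 4
    cp -p "$backup_dir/$file" "$etc_dir/$file" || return 4
    return 0
}

# demo_restore: builds a constructed RMADHOME tree with a default rmad.conf in
# etc/ and a customized copy in etc/backup/, runs the restore, and checks that
# the two files end up where the text says they should. Returns 0 on success.
demo_restore() {
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/etc/backup"
    printf '# default rmad.conf (constructed sample)\n' > "$tmp/etc/rmad.conf"
    printf '# customized rmad.conf (constructed sample)\n' > "$tmp/etc/backup/rmad.conf"

    rc=0
    restore_rmad_file "$tmp" rmad.conf || rc=$?
    if [ "$rc" -eq 0 ]; then
        # etc/ now holds the customized file, backup/ keeps the default as .orig
        grep -q customized "$tmp/etc/rmad.conf" || rc=1
        grep -q default "$tmp/etc/backup/rmad.conf.orig" || rc=1
        # a second run must refuse to clobber rmad.conf.orig
        second=0
        restore_rmad_file "$tmp" rmad.conf 2>/dev/null || second=$?
        [ "$second" -eq 3 ] || rc=1
    fi
    rm -rf "$tmp"
    return "$rc"
}

demo_restore && echo "restore demo OK"
```

Run the function against a real tree only after the version 3.8 installation has finished, once for rmad.conf and once for rmad_summary.rules; the .orig check means a repeated run does not lose the installed default.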
Upgrading from Risk Manager version 3.7: Before you install version 3.8, the Risk Manager version 3.7 components (both the Tivoli and the TME tar installations) must be removed.

On AIX and Solaris systems
¶ Run the rma_app_env.sh script to set up the version 3.7 environment (app identifies the component: eif, cpfw, nr, web or perl).
¶ Copy the configuration files of each installed component to $RMADHOME/etc/backup. The components are:
  v Risk Manager Event Integration Facility
  v Web Intrusion Detection System
  v Cisco Secure IDS adapter (formerly the NetRanger adapter)
  v Check Point FireWall-1 adapter
Note: [Sentence about the existing Risk Manager files and version 3.7 is garbled in the source.] The files are listed below by component.
  v Risk Manager Event Integration Facility
    $RMADHOME/etc/rmad.conf
    $RMADHOME/etc/rmad_summary.rules
  v Web Intrusion Detection System
    $RMADHOME/etc/sig.nefarious
    $RMADHOME/etc/webids.cfg
    $RMADHOME/etc/webids.fmt
    $RMADHOME/etc/webids.nt.fmt
  v Cisco Secure IDS adapter
    $RMADHOME/etc/csids.fmt
    $RMADHOME/etc/csids.nt.fmt
  v Check Point FireWall-1 adapter
    $RMADHOME/etc/cpfw.fmt
    $RMADHOME/etc/cpfw.nt.fmt
    $RMADHOME/etc/rma_cpfw.conf
  v Other Risk Manager files
    $RMADHOME/etc/os_aix.fmt
    $RMADHOME/etc/os_solaris.fmt
    $RMADHOME/etc/os_nt.fmt
    $RMADHOME/etc/os_linux.fmt
    $RMADHOME/etc/pix.fmt
    $RMADHOME/etc/pix_nt.fmt
    $RMADHOME/etc/rmnav.fmt
    $RMADHOME/etc/rmmac.fmt
    $RMADHOME/etc/tecad_snmp.cds
    $RMADHOME/etc/tecad_snmp.oid
¶ Remove Risk Manager version 3.7 using the version 3.7 removal script. [Second sentence garbled in the source.]

On Windows systems
Remove Risk Manager 3.7 before installing version 3.8. Remove the Risk Manager version 3.7 components as follows:
1. From a command prompt, run the specific environment script for each installed Risk Manager component. These scripts are:
¶ %SystemRoot%\Tivoli\rma_eif_env.cmd
¶ %SystemRoot%\Tivoli\rma_web_env.cmd
¶ %SystemRoot%\Tivoli\rma_cpfw_env.cmd
¶ %SystemRoot%\Tivoli\rma_nr_env.cmd
¶ %SystemRoot%\Tivoli\rma_perl_env.cmd
2. Run the removal script. These scripts are:
¶ rma_eif-remove.cmd
¶ rma_web-remove.cmd
¶ rma_cpfw-remove.cmd
¶ rma_nr-remove.cmd
¶ rma_perl-remove.cmd
3. Delete the script files with the following command:
del %RMHOME%\bin\%INTERP%\bin\Command
After the Risk Manager version 3.7 components have been removed, complete the following steps:
1. Remove the %RMADHOME% directory tree (first save any files in it that you still need):
rmdir /s %RMADHOME%
2. On both TME and non-TME systems, delete the following files:
del %RMHOME%\bin\%INTERP%\bin\wbindmsg.exe
del %RMHOME%\bin\%INTERP%\bin\rmenvcrt.exe
3. On non-TME systems, delete the following file:
del %RMHOME%\msg_cat\*\rminst.cat
4. On TME systems, delete the following file:
del %RMHOME%\generic\msg_cat\*\rminst.cat
[Two sentences about version 3.8 and the Risk Manager version 3.7 configuration files are garbled in the source.]

Risk Manager server components: When the Risk Manager server components are installed, the existing files are backed up to $BINDIR/RISKMGR/backup. The following files are backed up:
¶ all .pro files
¶ all .lst files
¶ all .rls files
¶ all .baroc files
¶ the rmt_tasks.tll file
¶ all files under RISKMGR/ACF_REP
Appendix C. Cisco Secure IDS signature list

This appendix lists the Cisco Secure IDS signatures that the Risk Manager Cisco Secure IDS adapter supports. Each entry gives the signature ID and the signature name.
sig_1000 IP options-Bad Option List
sig_1001 IP options-Record Packet Route
sig_1002 IP options-Timestamp
sig_1003 IP options-Provide s,c,h,tcc
sig_1004 IP options-Loose Source Route
sig_1005 IP options-SATNET ID
sig_1006 IP options-Strict Source Route
sig_1100 IP Fragment Attack
sig_1101 Unknown IP Protocol
sig_1102 Impossible IP Packet
sig_1103 IP Fragments Overlap
sig_1104 IP Localhost Source Spoof
sig_1200 IP Fragmentation Buffer Full
sig_1201 IP Fragment Overlap
sig_1202 IP Fragment Overrun - Datagram Too Long
sig_1203 IP Fragment Overwrite - Data is Overwritten
sig_1204 IP Fragment Missing Initial Fragment
sig_1205 IP Fragment Too Many Datagrams
sig_1206 IP Fragment Too Small
sig_1207 IP Fragment Too Many Frags
sig_1208 IP Fragment Incomplete Datagram
sig_1220 Jolt2 Fragment Reassembly DoS attack NEW
sig_2000 ICMP Echo Reply
sig_2001 ICMP Host Unreachable
sig_2002 ICMP Source Quench
sig_2003 ICMP Redirect
sig_2004 ICMP Echo Request
sig_2005 ICMP Time Exceeded for a Datagram
sig_2006 ICMP Parameter Problem on Datagram
sig_2007 ICMP Timestamp Request
sig_2008 ICMP Timestamp Reply
sig_2009 ICMP Information Request
sig_2010 ICMP Information Reply
sig_2011 ICMP Address Mask Request
sig_2012 ICMP Address Mask Reply
sig_2100 ICMP Network Sweep w/Echo
sig_2101 ICMP Network Sweep w/Timestamp
sig_2102 ICMP Network Sweep w/Address Mask
sig_2150 Fragmented ICMP Traffic
sig_2151 Large ICMP Traffic
sig_2152 ICMP Flood
sig_2153 Smurf
sig_2154 Ping of Death Attack
sig_3000 TCP Ports
sig_3001 TCP Port Sweep
sig_3002 TCP SYN Port Sweep
sig_3003 TCP Frag SYN Port Sweep
sig_3005 TCP FIN Port Sweep
sig_3006 TCP Frag FIN Port Sweep
sig_3010 TCP High Port Sweep
sig_3011 TCP FIN High Port Sweep
sig_3012 TCP Frag FIN High Port Sweep
sig_3015 TCP Null Port Sweep
sig_3016 TCP Frag Null Port Sweep
sig_3020 TCP SYN FIN Port Sweep
sig_3021 TCP Frag SYN FIN Port Sweep
sig_3030 TCP SYN Host Sweep
sig_3031 TCP FRAG SYN Host Sweep
sig_3032 TCP FIN Host Sweep
sig_3033 TCP FRAG FIN Host Sweep
sig_3034 TCP NULL Host Sweep
sig_3035 TCP FRAG NULL Host Sweep
sig_3036 TCP SYN FIN Host Sweep
sig_3037 TCP FRAG SYN FIN Host Sweep
sig_3038 Fragmented NULL TCP Packet
sig_3039 Fragmented Orphaned FIN packet
sig_3040 NULL TCP Packet
sig_3041 SYN/FIN Packet
sig_3042 Orphaned Fin Packet
sig_3043 Fragmented SYN/FIN Packet
sig_3045 Queso Sweep
sig_3050 Half-open SYN Attack
sig_3100 Smail Attack
sig_3101 Sendmail Invalid Recipient
sig_3102 Sendmail Invalid Sender
sig_3103 Sendmail Reconnaissance
sig_3104 Archaic Sendmail Attacks
sig_3105 Sendmail Decode Alias
sig_3106 Mail Spam
sig_3107 Majordomo Execute Attack
sig_3108 MIME Overflow Bug
sig_3109 Q-Mail Length Crash
sig_3110 Suspicious Mail Attachment
sig_3150 FTP Remote Command Execution
sig_3151 FTP SYST Command Attempt
sig_3152 FTP CWD xroot
sig_3153 FTP Improper Address Specified
sig_3154 FTP Improper Port Specified
sig_3155 FTP RETR Pipe Filename Command Execution
sig_3156 FTP STOR Pipe Filename Command Execution
sig_3157 FTP PASV Port Spoof
sig_3200 WWW Phf Attack
sig_3201 WWW General cgi-bin Attack
sig_3202 WWW .url File Requested
sig_3203 WWW .lnk File Requested
sig_3204 WWW .bat File Requested
sig_3205 HTML File Has .url Link
sig_3206 HTML File Has .lnk Link
sig_3207 HTML File Has .bat Link
sig_3208 WWW campas Attack
sig_3209 WWW Glimpse Server Attack
sig_3210 WWW IIS View Source Attack
sig_3211 WWW IIS Hex View Source Attack
sig_3212 WWW NPH-TEST-CGI Attack
sig_3213 WWW TEST-CGI Attack
sig_3214 IIS DOT DOT VIEW Attack
sig_3215 IIS DOT DOT EXECUTE Attack
sig_3216 IIS Dot Dot Crash Attack
sig_3217 WWW php View File Attack
sig_3218 WWW SGI Wrap Attack
sig_3219 WWW PHP Buffer Overflow
sig_3220 IIS Long URL Crash Bug
sig_3221 WWW cgi-viewsource Attack
sig_3222 WWW PHP Log Scripts Read Attack
sig_3223 WWW IRIX cgi-handler Attack
sig_3224 HTTP WebGais
sig_3225 HTTP Gais Websendmail
sig_3226 WWW Webdist Bug
sig_3227 WWW Htmlscript Bug
sig_3228 WWW Performer Bug
sig_3229 Website Win-C-Sample Buffer Overflow
sig_3230 Website Uploader
sig_3231 Novell convert
sig_3232 WWW finger attempt
sig_3233 WWW count-cgi Overflow
sig_3250 TCP Hijack
sig_3251 TCP Hijacking Simplex Mode
sig_3300 NetBIOS OOB Data
sig_3301 NETBIOS Stat
sig_3302 NETBIOS Session Setup Failure
sig_3303 Windows Guest Login
sig_3304 Windows Null Account Name
sig_3305 Windows Password File Access
sig_3306 Windows Registry Access
sig_3307 Windows Redbutton Attack
sig_3308 Windows LSARPC Access
sig_3309 Windows SRVSVC Access
sig_3400 Sunkill
sig_3401 Telnet-IFS Match
sig_3450 Finger Bomb
sig_3500 Rlogin -froot Attack
sig_3525 IMAP Authenticate Buffer Overflow
sig_3526 Imap Login Buffer Overflow
sig_3530 Cisco Secure ACS Oversized TACACS+ Attack NEW
sig_3540 Cisco Secure ACS CSAdmin Attack NEW
sig_3550 POP Buffer Overflow
sig_3575 INN Buffer Overflow
sig_3576 INN Control Message Exploit
sig_3600 IOS Telnet Buffer Overflow
sig_3601 IOS Command History Exploit
sig_3602 Cisco IOS Identity
sig_3603 IOS Enable Bypass
sig_3650 SSH RSAREF2 Buffer Overflow
sig_3990 BackOrifice BO2K TCP Non Stealth
sig_3991 BackOrifice BO2K TCP Stealth 1
sig_3992 BackOrifice BO2K TCP Stealth 2
sig_4000 UDP Packet
sig_4001 UDP Port Sweep
sig_4002 UDP Flood
sig_4050 UDP Bomb
sig_4051 Snork
sig_4052 Chargen DoS
sig_4053 Back Orifice
sig_4054 RIP Trace
sig_4055 BackOrifice BO2K UDP
sig_4100 Tftp Passwd File
sig_4150 Ascend Denial of Service
sig_4500 Cisco IOS Embedded SNMP Community Names NEW
sig_4600 IOS UDP Bomb
sig_5034 WWW IIS newdsn attack
sig_5035 HTTP cgi HylaFAX Faxsurvey
sig_5036 WWW Windows Password File Access Attempt
sig_5037 WWW SGI MachineInfo Attack
sig_5038 WWW wwwsql file read Bug
sig_5039 WWW finger attempt
sig_5040 WWW Perl Interpreter Attack
sig_5041 WWW anyform attack
sig_5042 WWW CGI Valid Shell Access
sig_5043 WWW Cold Fusion Attack
sig_5044 WWW Webcom.se Guestbook attack
sig_5045 WWW xterm display attack
sig_5046 WWW dumpenv.pl recon
sig_5047 WWW Server Side Include POST attack
sig_5048 WWW IIS BAT EXE attack
sig_5049 WWW IIS showcode.asp access
sig_5050 WWW IIS .htr Overflow Attack
sig_5051 IIS Double Byte Code Page
sig_5052 FrontPage Extensions PWD Open Attempt
sig_5053 FrontPage _vti_bin Directory List Attempt
sig_5054 WWWBoard Password
sig_5055 HTTP Basic Authentication Overflow
sig_5056 WWW Cisco IOS %% DoS
sig_5057 WWW Sambar Samples
sig_5058 WWW info2www Attack
sig_5059 WWW Alibaba Attack
sig_5060 WWW Excite AT-generate.cgi Access
sig_5061 WWW catalog_type.asp Access
sig_5062 WWW classifieds.cgi Attack
sig_5063 WWW dmblparser.exe Access
sig_5064 WWW imagemap.cgi Attack
sig_5065 WWW IRIX infosrch.cgi Attack
sig_5066 WWW man.sh Access
sig_5067 WWW plusmail Attack
sig_5068 WWW formmail.pl Access
sig_5069 WWW whois_raw.cgi Attack
sig_5070 WWW msadcs.dll Access
sig_5071 WWW msacds.dll Attack
sig_5072 WWW bizdb1-search.cgi Attack
sig_5073 WWW EZshopper loadpage.cgi Attack
sig_5074 WWW EZshopper search.cgi Attack
sig_5075 WWW IIS Virtualized UNC Bug
sig_5076 WWW webplus bug
sig_5077  WWW Excite AT-admin.cgi Access
sig_5078  WWW Piranha passwd attack
sig_5079  WWW PCCS MySQL Admin Access
sig_5080  WWW IBM WebSphere Access  NEW
sig_5081  WWW WinNT cmd.exe Access  NEW
sig_5083  WWW Virtual Vision FTP Browser Access  NEW
sig_5084  WWW Alibaba Attack 2  NEW
sig_5085  WWW IIS Source Fragment Access  NEW
sig_5086  WWW WEBactive Logfile Access  NEW
sig_5087  WWW Sun Java Server Access  NEW
sig_5088  WWW Akopia MiniVend Access  NEW
sig_5089  WWW Big Brother Directory Access  NEW
sig_5090  WWW FrontPage htimage.exe Access  NEW
sig_5091  WWW Cart32 Remote Admin Access  NEW
sig_5092  WWW CGI-World Poll It Access  NEW
sig_5093  WWW PHP-Nuke admin.php3 Access  NEW
sig_5095  WWW CGI Script Center Account Manager Attack  NEW
sig_5096  WWW CGI Script Center Subscribe Me Attack  NEW
sig_5097  WWW FrontPage MS-DOS Device Attack  NEW
sig_5099  WWW GWScripts News Publisher Access  NEW
sig_5100  WWW CGI Center Auction Weaver File Access  NEW
sig_5101  WWW CGI Center Auction Weaver Attack  NEW
sig_5102  WWW phpPhotoAlbum explorer.php Access  NEW
sig_5103  WWW SuSE Apache CGI Source Access  NEW
sig_5104  WWW YaBB File Access  NEW
sig_5105  WWW Ranson Johnson mailto.cgi Attack  NEW
sig_5106  WWW Ranson Johnson mailform.pl Access  NEW
sig_5107  WWW Mandrake Linux /perl Access  NEW
sig_5108  WWW Netegrity Site Minder Access  NEW
sig_5109  WWW Sambar Beta search.dll Access  NEW
sig_5110  WWW SuSE Installed Packages Access  NEW
sig_5111  WWW Solaris Answerbook 2 Access  NEW
sig_5112  WWW Solaris Answerbook 2 Attack  NEW
sig_5113  WWW CommuniGate Pro Access  NEW
sig_5114  WWW IIS Unicode Attack  NEW
sig_6001  Normal SATAN Probe
sig_6002  Heavy SATAN Probe
sig_6050  DNS HINFO Request
sig_6051  DNS Zone Transfer
sig_6052  DNS Zone Transfer from High Port
sig_6053  DNS Request for All Records
sig_6054  DNS Version Request
sig_6055  DNS Inverse Query Buffer Overflow
sig_6056  BIND NXT Buffer Overflow
sig_6057  BIND SIG Buffer Overflow
sig_6100  RPC Port Registration
sig_6101  RPC Port Unregistration
sig_6102  RPC Dump
sig_6103  Proxied RPC Request
sig_6104  RPC Set Spoof
sig_6105  RPC Unset Spoof
sig_6110  RPC RSTATD Sweep
sig_6111  RPC RUSERSD Sweep
sig_6112  RPC NFS Sweep
sig_6113  RPC MOUNTD Sweep
sig_6114  RPC YPPASSWDD Sweep
sig_6115  RPC SELECTION_SVC Sweep
sig_6116  RPC REXD Sweep
sig_6117  RPC STATUS Sweep
sig_6118  RPC ttdb Sweep
sig_6150  ypserv Portmap Request
sig_6151  ypbind Portmap Request
sig_6152  yppasswdd Portmap Request
sig_6153  ypupdated Portmap Request
sig_6154  ypxfrd Portmap Request
sig_6155  mountd Portmap Request
sig_6175  rexd Portmap Request
sig_6180  rexd Attempt
sig_6190  statd Buffer Overflow
sig_6191  RPC.tooltalk buffer overflow
sig_6192  RPC mountd Buffer Overflow
sig_6193  RPC CMSD Buffer Overflow
sig_6194  sadmind RPC Buffer Overflow
sig_6195  RPC amd Buffer Overflow
sig_6200  Ident Buffer Overflow
sig_6201  Ident Newline
sig_6202  Ident Improper Request
sig_6250  FTP Authorization Failure
sig_6251  Telnet Authorization Failure
sig_6252  Rlogin Authorization Failure
sig_6253  POP3 Authorization Failure
sig_6255  SMB Authorization Failure
sig_6300  Loki ICMP Tunnelling
sig_6302  General Loki ICMP Tunneling
sig_6500  RingZero Trojan
sig_6501  TFN Client Request
sig_6502  TFN Server Reply
sig_6503  Stacheldraht Client Request
sig_6504  Stacheldraht Server Reply
sig_6505  Trinoo Client Request
sig_6506  Trinoo Server Reply
sig_6507  TFN2K Control Traffic
sig_6508  Mstream Control Traffic
sig_8000/2101  FTP Retrieve Password File
sig_8000/2302  Telnet-/etc/shadow Match
sig_8000/2303  Telnet-+ +
sig_8000/51301  Rlogin-IFS Match
sig_8000/51302  Rlogin-/etc/shadow Match
sig_8000/51303  Rlogin-+ +
sig_10000/1000  IP-Spoof Interface 1
sig_10000/1001  IP-Spoof Interface 2
ISS RealSecure event list

ISS RealSecure sends its events as SNMP traps, which Risk Manager receives through the TEC SNMP adapter. For the TEC SNMP adapter itself, see the adapter's own documentation.

Risk Manager routes every ISS RealSecure event it receives through its Catch All handling.

Network-based events
HTTP..
HTTP Robots Txt
HTTP NCSA Buffer Overflow
HTTP NT8.3 Filename
HTTP Netscape Space View
HTTP Netscape Page Services
HTTP IE3 URL
HTTP IIS$DATA
HTTP PHF
HTTP UNIX Passwords
HTTP IE BAT
HTTP Nph Test Cgi
HTTP Shells
HTTP Test Cgi
HTTP WebSite Uploader
HTTP Sgi Handler
HTTP WebSite Sample
HTTP IISExAir DoS
HTTP Campas cgi-bin
HTTP HylaFax faxsurvey
HTTP Cold Fusion
HTTP IIS3 Asp Dot
HTTP IIS3 Asp 2e
HTTP WebFinger
HTTP Cachemgr
HTTP MachineInfo
HTTP Count
HTTP SiteCsc Access
HTTP Webgais
HTTP FormMail
HTTP Guestbook
HTTP Websendmail
HTTP Classifieds Post
HTTP Glimpse cgi-bin
HTTP HTMLScript
HTTP Novell Convert
HTTP Novell Files
HTTP PHP Overflow
HTTP Pfdisplay Read
HTTP Pfdisplay Execute
HTTP RegEcho
HTTP RpcNLog
HTTP SCO View-Source
HTTP SGI Wrap
HTTP SGI Webdist
HTTP Verity Search
HTTP Carbo Server
HTTP Info2WWW
HTTP JJ
HTTP Cdomain
ARP Host Down
Portmapper Program Dump Decode
IP HalfScan
Queso Scan
Rlogin -froot
Windows Access Error
Ftp SYST Command Decode
Ftp Root
FSP Detected
Finger User
Port Scan
UDP Port Scan
Kerberos User Snarf
DNS Length Overflow
Echo Denial of Service
Generic Intel Overflow
Mountd Export Decode
Mountd Mnt Decode
Nfs Mknod Check
Perl Fingerd Check
Email Expn
Email Vrfy
Email Vrfy Overflow
Email Helo Overflow
Email Ehlo
Email Pipe
Email Decode
Email Debug
Email Wiz
Email Qmail Length
Ident Error
Snmp Activity
Snmp Set
Sun SNMP Backdoor
HP OpenView SNMP Backdoor
Imap User
Imap Password
Imap Overflow
POP Overflow
TearDrop
Land_UDP
Land Denial of Service Attack
Ident User Decoding
Finger Bomb
FTP Bounce
FTP Privileged Bounce Attack
Ping Flood
Smurf
Win IGMP
Windows Out Of Band
Ping Of Death
SYNFlood
IP Protocol Violation
BackOrifice
TrinooDaemon
NetBus_Pro
IPUnknownProtocol
IPFrag
Satan
ISS Scan Check

Host-based events
Login Successful
Logout
Guest
Use Of User Rights
Password change Failed
Password change Successful
Failed login - account locked out
Failed login - account expired
Failed login - bad username or password
Failed login - account disabled
Logon with Admin Privileges
Global group user added
Global group user removed
Local group changed
Local group created
Local group deleted
Local group user added
Local group user removed
Account policy change
User account changed
User account created
User account deleted
User right granted
User right revoked
Audit log cleared
Audit policy change
User added to local admin group
User admin right granted
Important programs
Privilege service called
Registry autorun changed
Program started
Program exited
Logon process registered
Brute Force login attack
Brute Force login attack Successful
Change password attack
Change password attack Successful
Registry eventlog settings changed
Registry NT security options changed
Failed change of important files
Config-log files deleted
Suspect port scan
Suspicious FTP connection
Suspicious IMAP connection
Suspicious Netstat connection
Suspicious POP3 connection
Suspicious POP2 connection
Suspicious SMTP connection
Suspicious Systat connection
Suspicious Telnet connection
Suspicious Whois connection
Suspicious WWW connection
Suspicious Finger connection
Suspicious Time connection
Suspicious SSH connection
Suspicious Sunrcp connection
Suspect Netbus
McAfee Alert Manager and McAfee NetShield event list

McAfee Alert Manager and NetShield events are defined by the Risk Manager rmmac.fmt format file.

The Alert Manager messages that Risk Manager recognizes are listed below, grouped by Alert Manager priority. The %NAME% tokens are the fields the format file extracts from each message.

¶ Critical alerts
v The file %FILENAME% is infected with %VIRUSNAME% %VIRUSTYPE%. Detected with Scan Engine %ENGINEVERSION% DAT version %DATVERSION%
v The file %FILENAME% is infected with %VIRUSNAME% %VIRUSTYPE%. Unable to clean the file using the current Scan engine version %ENGINEVERSION% DAT version %DATVERSION%.
v The file %FILENAME% is infected with %VIRUSNAME% %VIRUSTYPE%. Unable to delete the infected file.
v Unable to exclude %FILENAME% from further scans.
v The file %FILENAME% is infected with %VIRUSNAME% %VIRUSTYPE%. Access to the file was denied. Detected using Scan engine version %ENGINEVERSION% DAT version %DATVERSION%
v The file %FILENAME% is infected with the %VIRUSNAME% %VIRUSTYPE%. Unable to move the file to the quarantine area. Detected using Scan engine version %ENGINEVERSION% DAT version %DATVERSION%
v System memory is infected with the %VIRUSNAME% %VIRUSTYPE%. Detected using Scan engine version %ENGINEVERSION% DAT version %DATVERSION%.
v The scan found a boot record infected with %VIRUSNAME% %VIRUSTYPE%. Detected using Scan Engine version %ENGINEVERSION% DAT version %DATVERSION%.
v The scan found infected files. Scan engine version %ENGINEVERSION% DAT version %DATVERSION%
v The scan found and cleaned infected files using Scan engine version %ENGINEVERSION% DAT version %DATVERSION%.
v Infected Binder Object
v The file %FILENAME% is infected with %VIRUSNAME% %VIRUSTYPE%. Detected with Heuristics, Scan Engine %ENGINEVERSION% DAT version %DATVERSION%
v Heuristics has detected that file %FILENAME% is infected with %VIRUSNAME% %VIRUSTYPE%. Unable to delete the infected file.
v Heuristics has detected that file %FILENAME% is infected with %VIRUSNAME% %VIRUSTYPE% and has moved the file to the quarantine area. Detected using Scan engine version %ENGINEVERSION% DAT version %DATVERSION%
v Heuristics has detected that file %FILENAME% is infected with %VIRUSNAME% %VIRUSTYPE%. Unable to move the file to the quarantine area. Detected using Scan engine version %ENGINEVERSION% DAT version %DATVERSION%
v The scan encountered an error attempting to clean a boot record infected with %VIRUSNAME% %VIRUSTYPE%. Detected using Scan Engine version %ENGINEVERSION% DAT version %DATVERSION%.
v An email from %MAILFROMNAME%, addressed to %MAILTONAME%, with subject %MAILSUBJECTLINE% was infected with the virus %VIRUSNAME% in attachment %FILENAME%. The infected attachment could not be cleaned with Scan engine version %ENGINEVERSION% DAT version %DATVERSION%, and has been deleted.
v An email for %MAILTONAME% (CC to %MAILCCNAME%) from %MAILFROMNAME% with the subject line %MAILSUBJECTLINE% was infected with the virus %VIRUSNAME%. The email has been deleted.
v An email from %MAILFROMNAME%, addressed to %MAILTONAME%, with subject %MAILSUBJECTLINE% was Infected with the virus %VIRUSNAME% in attachment %FILENAME%. The infected attachment could not be cleaned with Scan engine version %ENGINEVERSION% DAT version %DATVERSION%, and has been deleted and quarantined.
¶ Major alerts
v The file %FILENAME% was infected with %VIRUSNAME% %VIRUSTYPE%. The file was successfully cleaned with Scan engine version %ENGINEVERSION% DAT version %DATVERSION%.
v The file %FILENAME% is infected with %VIRUSNAME% %VIRUSTYPE%. The file was successfully deleted.
v Heuristics has detected that file %FILENAME% is infected with %VIRUSNAME% %VIRUSTYPE%. The file was successfully deleted.
v The update failed; see event log
v The upgrade failed; see event log
v An email for %MAILTONAME% (CC to %MAILCCNAME%) from %MAILFROMNAME% with the subject line %MAILSUBJECTLINE% is infected with the virus %VIRUSNAME%.
v A maximum load condition is occuring!
¶ Minor alerts
v A Macro was detected within %FILENAME%.
v A macro was deleted from within %FILENAME%
v An email from %MAILFROMNAME%, addressed to %MAILTONAME%, with subject %MAILSUBJECTLINE% was infected with the virus %VIRUSNAME% in attachment %FILENAME%. The infected attachment has been cleaned.
v An email for %MAILTONAME% (CC to %MAILCCNAME%) from %MAILFROMNAME% with the subject line %MAILSUBJECTLINE% is infected with the virus %VIRUSNAME%. The email has been quarantined.
v Inbound email is being suspended until more disk space is available.
v Warning - abnormal termination!
v An email from %MAILFROMNAME%, addressed to %MAILTONAME%, with subject %MAILSUBJECTLINE% was infected with the virus %VIRUSNAME% in attachment %FILENAME%. The infected attachment has been cleaned and quarantined.
¶ Warning alerts
v The file %FILENAME% will be excluded from further scans.
v The file %FILENAME% is infected with the %VIRUSNAME% %VIRUSTYPE%. The infected file was moved to quarantine area. Detected using Scan engine version %SCANENGINE% DAT version %DATVERSION%
v The scan was cancelled at time %GMTTIME%.
v The scan reported an error accessing the activity log file while scanning file %FILENAME%. Scan engine version used is %ENGINEVERSION% DAT version %DATVERSION%.
v The scan reported a memory allocation error while scanning file %FILENAME%. Scan engine version used is %ENGINEVERSION% DAT version %DATVERSION%
v The directory path name is too long. The scan could not scan some items in the specified location. Error occurred while scanning file %FILENAME%. Scan engine version used is %ENGINEVERSION% DAT version %DATVERSION%.
v The scan could not access the media due to write protection while scanning file %FILENAME%. Scan engine version used is %ENGINEVERSION% DAT version %DATVERSION%.
v The scan could not find the specified media while scanning file %FILENAME%. Scan engine version used is %ENGINEVERSION% DAT version %DATVERSION%.
v The scan found an invalid scan item while scanning file %FILENAME%. Scan engine version used is %ENGINEVERSION% DAT version %DATVERSION%.
v The scan reported a file I/O error while scanning file %FILENAME%. Scan engine version used is %ENGINEVERSION% DAT version %DATVERSION%.
v The scan reported a disk I/O error while scanning file %FILENAME%. Scan engine version used is %ENGINEVERSION% DAT version %DATVERSION%.
v The scan reported a general system error while scanning file %FILENAME%. Scan engine version used is %ENGINEVERSION% DAT version %DATVERSION%.
v The scan reported an internal application error while scanning file %FILENAME%. Scan engine version used is %ENGINEVERSION% DAT version %DATVERSION%.
v The Scan encountered an error while processing password protected file %FILENAME%. Scan engine version used is %ENGINEVERSION% DAT version %DATVERSION%.
v The Scan was unable to scan password protected file %FILENAME%. Scan engine version used is %ENGINEVERSION% DAT version %DATVERSION%.
v The scan of %FILENAME% has taken too long to complete and is being canceled. Scan engine version used is %ENGINEVERSION% DAT version %DATVERSION%.
v The scan cleaned a boot record infected with the %VIRUSNAME% %VIRUSTYPE%. Detected using Scan Engine version %ENGINEVERSION% DAT version %DATVERSION%.
v An error occurred while sending an alert.
v Invalid Options were Specified.
v Unable to start scheduled task.
v Error stopping scheduled task.
v Task was canceled.
v An error occurred writing to the log file %FILENAME%.
v A memory allocation error occurred.
v Scan Process Error
v The upgrade was cancelled.
v The DAT version was not new enough. Scan version %ENGINEVERSION% DAT version %DATVERSION%.
v An email from %MAILFROMNAME%, addressed to %MAILTONAME%, with subject %MAILSUBJECTLINE% has broken the Content Filter rule %VIRUSNAME%. The email has been blocked.
v An email for %MAILTONAME% (CC to %MAILCCNAME%) from %MAILFROMNAME% with the subject line %MAILSUBJECTLINE% has broken a Content Filter rule. The email has been blocked.
v Inbound email has resumed, as sufficient disk space is available.
¶ Informational alerts
v The scan completed. No infected files were found. Scan engine version used is %ENGINEVERSION% DAT version %DATVERSION%.
v Service was started.
v Service ended.
v Task was started successfully.
v Scheduled task was stopped.
v Task was successful.
v On-access Scan started at %GMTTIME%. Scan version %ENGINEVERSION% DAT version %DATVERSION%.
v On-access scan stopped. Scan version %ENGINEVERSION% DAT version %DATVERSION%.
v Scan Settings were %INFO%. Scan version %ENGINEVERSION% DAT version %DATVERSION%.
v EVENT_SCAN_ENDED
v The update was successful. Scan version %ENGINEVERSION% DAT version %DATVERSION%.
v The update is running.
v The update was canceled.
v The upgrade is running.
v Scan was cancelled by autoupdate of DAT files. Scan version %ENGINEVERSION% DAT version %DATVERSION%.
v Process started.
v Process Ended.
v On-demand scan started
v On Demand scan complete. Viruses Found %NUMVIRS%, Cleaned %NUMCLEANED%, Deleted %NUMDELETED%, Quarantined %NUMQUARANTINED%. Scan version %ENGINEVERSION% DAT version %DATVERSION%.
v Running on %OS% with processor serial number %PROCESSORSERIAL% (PIII only)
v Startup request successfully processed.
v Shutdown request successfully processed.
v A New MIB File is available at %FILENAME%
v Alert Manager Service: Alert Manager Service Started.
v Network Associates AutoUpdate started successfully.
v Network Associates AutoUpdate stopped successfully.
v The new version is the same as the installed product.
v Trying to update to %DATVERSION% version of the DAT files.
v NetShield 2000 McShield service started - scanning for %NUMVIRS% viruses. Engine version : %ENGINEVERSION% Driver version : %DATVERSION% Extra driver name : %DRIVERNAME% Number of virus signatures in extra driver : %NUM% Names of viruses that extra driver can detect : %VIRUSNAMES%
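The %NAME% tokens in the messages above are what a format file such as rmmac.fmt keys on: every literal word is an anchor and every token is a field to extract. The Python below is an added example, not code from this manual and not the rmmac.fmt format itself. It compiles a handful of the templates listed above into anchored regular expressions, pulls the fields out of sample messages (constructed here, not real Alert Manager output), and tags each message with the priority group it is listed under. The priority names, the sample file and virus names, and the decision to reject any message no template matches are this example's own assumptions.

```python
import re

# Alert Manager message templates copied from this appendix (a subset),
# keyed by the priority group they are listed under.
TEMPLATES = {
    "Critical": [
        "The file %FILENAME% is infected with %VIRUSNAME% %VIRUSTYPE%. "
        "Unable to delete the infected file.",
        "System memory is infected with the %VIRUSNAME% %VIRUSTYPE%. "
        "Detected using Scan engine version %ENGINEVERSION% DAT version %DATVERSION%.",
    ],
    "Major": [
        "The file %FILENAME% was infected with %VIRUSNAME% %VIRUSTYPE%. "
        "The file was successfully cleaned with Scan engine version "
        "%ENGINEVERSION% DAT version %DATVERSION%.",
        "The update failed; see event log",
    ],
    "Informational": [
        "On Demand scan complete. Viruses Found %NUMVIRS%, Cleaned %NUMCLEANED%, "
        "Deleted %NUMDELETED%, Quarantined %NUMQUARANTINED%. "
        "Scan version %ENGINEVERSION% DAT version %DATVERSION%.",
    ],
}

PLACEHOLDER = re.compile(r"%([A-Z]+)%")


def template_to_regex(template):
    """Compile a %FIELD% template into an anchored regex with named groups.
    Literal text is escaped so message punctuation cannot act as a pattern.
    A field that appears twice in one template (some templates repeat the
    engine/DAT version) becomes a backreference, so both copies must agree."""
    parts, pos, seen = ["^"], 0, set()
    for m in PLACEHOLDER.finditer(template):
        parts.append(re.escape(template[pos:m.start()]))
        name = m.group(1)
        parts.append(r"(?P=%s)" % name if name in seen else r"(?P<%s>.+?)" % name)
        seen.add(name)
        pos = m.end()
    parts.append(re.escape(template[pos:]) + "$")
    return re.compile("".join(parts))


COMPILED = [(prio, template_to_regex(t)) for prio, ts in TEMPLATES.items() for t in ts]


def parse_alert(message):
    """Return (priority, {field: value}) for a message matching a known
    template, or None so that unknown text is never silently classified."""
    for prio, rx in COMPILED:
        m = rx.match(message.strip())
        if m:
            return prio, m.groupdict()
    return None


SAMPLE_MESSAGES = [  # constructed sample lines, not real Alert Manager output
    "The file C:\\TEMP\\eicar.com is infected with W32/Nimda.a@MM Virus. "
    "Unable to delete the infected file.",
    "The file C:\\DOCS\\report.doc was infected with W97M/Melissa Virus. "
    "The file was successfully cleaned with Scan engine version 4.1.40 DAT version 4160.",
    "On Demand scan complete. Viruses Found 2, Cleaned 1, Deleted 1, Quarantined 0. "
    "Scan version 4.1.40 DAT version 4160.",
    "The update failed; see event log",
    "Some text the format file does not know",
]

if __name__ == "__main__":
    for line in SAMPLE_MESSAGES:
        print(parse_alert(line))
```

Because the fields are lazy matches bounded by the literal text on both sides, a file name containing spaces is still captured whole, but a virus name containing a space would be split across %VIRUSNAME% and %VIRUSTYPE%; a production format file needs to know which fields may contain spaces and anchor on the surrounding words accordingly.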
Network IDS event list

The Network IDS component of Risk Manager identifies each event it reports by an ID. Where an event corresponds to an entry in CVE (Common Vulnerabilities and Exposures), Network IDS reports the CVE ID together with the event. Network IDS groups events by type (for example denial of service, scan and backdoor), and within each type by the protocol on which the activity was seen. Details of a CVE ID can be looked up at http://csrc.nist.gov/icat/vulnerabilities/<CVE-ID>. (The ICAT index named there has since been retired; the same entries are served by the National Vulnerability Database at https://nvd.nist.gov/vuln/detail/<CVE-ID>.)

Network IDS also assigns each event a numeric severity, with 0 the lowest.

The event types are listed in Table 19.

Table 19. Event types

CVE        Attacks that have an entry in the CVE database
ALERT      Attacks that have no entry in the CVE database
DOS        Denial of service attacks
SCAN       Probes and scans of hosts, ports or services
CONFIG     Configuration conditions that weaken security, such as an exposed service or an enabled option
AUTH       Authentication activity, such as logins and login failures
BACKDOOR   Traffic associated with known backdoor and trojan programs
STEALTH    Traffic that suggests an attempt to evade the IDS, such as fragmentation tricks

The rest of this appendix lists the events Network IDS can generate, by type and by protocol. Network IDS reports events through UNIX syslog; the text of each message is defined in the Network IDS ids.msg file.
The following events are built into Network IDS. Risk Manager Network IDS writes them to UNIX syslog.
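Once these messages are in syslog, the first thing a collector has to do is split the CVE column from the type keyword and the free text, and reject lines that do not fit. The Python below is an added example, not code from this manual or from Risk Manager. It assumes each message body has the two-column shape of the tables in this appendix ("<CVE-ID or N/A> <TYPE> <text>", with any syslog timestamp and host prefix already stripped), validates the CVE ID rather than trusting it, flags a type keyword that is not in Table 19, and builds the lookup URL. The triage ranks per type and the sample lines are this example's own assumptions; the NVD URL is used because the ICAT index in the manual no longer exists.

```python
import re

# Event types from Table 19 with a triage rank used only by this example
# (assumption: Risk Manager's own severity scale is not reproduced here).
TYPE_RANK = {
    "BACKDOOR": 5, "ALERT": 4, "DOS": 4, "STEALTH": 3,
    "AUTH": 2, "SCAN": 2, "CONFIG": 1,
}

# Assumed layout of one message body: "<CVE-id or N/A> <TYPE> <text>",
# i.e. the two columns of the tables in this appendix.
LINE_RE = re.compile(r"^(?P<cve>CVE-\S+|N/A)\s+(?P<type>[A-Z]+)\s*-?\s*(?P<text>.*)$")
CVE_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")

ICAT_URL = "http://csrc.nist.gov/icat/vulnerabilities/{cve}"  # URL given in the manual (retired)
NVD_URL = "https://nvd.nist.gov/vuln/detail/{cve}"            # ICAT's successor


def parse_event(line):
    """Split one Network IDS message into CVE id, type, text and a lookup URL.
    Returns None when the line does not have the expected shape."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    raw_cve = m.group("cve")
    cve = raw_cve if CVE_RE.match(raw_cve) else None   # "N/A" and malformed ids -> None
    etype = m.group("type")
    return {
        "cve": cve,
        "bad_cve": raw_cve != "N/A" and cve is None,    # e.g. a 3-digit sequence number
        "type": etype,
        "known_type": etype in TYPE_RANK,               # POLICY, for instance, is not in Table 19
        "rank": TYPE_RANK.get(etype, 0),
        "text": m.group("text"),
        "url": NVD_URL.format(cve=cve) if cve else None,
    }


def triage(lines):
    """Parse a batch of messages and order them by rank (highest first), then type."""
    events = [e for e in (parse_event(ln) for ln in lines) if e is not None]
    return sorted(events, key=lambda e: (-e["rank"], e["type"]))


SAMPLE_SYSLOG = [  # constructed lines shaped like the rows of this appendix
    "N/A SCAN - TCP - Port Scan Fast",
    "CVE-1999-0067 ALERT attack - PHF bug",
    "N/A BACKDOOR - Possible Back Orifice session detected",
    "CVE-1999-0116 DOS - SYN FLOOD",
    "N/A POLICY - Possible spoofed IP address",
    "CVE-1999-016 DOS - IPFRAG overlay - possible teardrop",
]

if __name__ == "__main__":
    for ev in triage(SAMPLE_SYSLOG):
        print(ev["rank"], ev["type"], ev["cve"], ev["bad_cve"], ev["text"], ev["url"])
```

The last sample line carries a three-digit CVE sequence number, as one row in this appendix does; the parser keeps the event but records the ID as unusable instead of building a URL from it, which is the behaviour you want before anything downstream starts auto-linking tickets to vulnerability entries.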
AUTH
  CVE-1999-0526   AUTH X11 client connected with NULL auth
  N/A             AUTH - BAD PASSWORD
  N/A             AUTH - LOGIN FAILURE
  N/A             AUTH - UNKNOWN USER
  N/A             AUTH - X11-Connection failed

BACKDOOR
  N/A             BACKDOOR - Possible Back Orifice session detected

CONFIG
  CVE-1999-0986   CONFIG - Record Route Packet
  N/A             CONFIG - Source Routed Packet

DOS
  CVE-1999-0016   DOS - SRC address is equal to DST address
  CVE-1999-0103   DOS - UDP FLOOD
  CVE-1999-0116   DOS - SYN FLOOD
  CVE-1999-0128   DOS - Oversized Pa
  CVE-1999-016    DOS - IPFRAG overlay - possible teardrop
  CVE-1999-0153   DOS - OUT-OF-BAND Data.. possible WINNUKE
  CVE-1999-0513   DOS - ICMP Flood
  N/A             DOS - FIN FLOOD
  N/A             DOS - IP Fragment Length <= 0 - possible DOS
  N/A             DOS - Possible connection flood
  N/A             DOS - RST FLOOD

LOKI
  N/A             BACKDOOR - LOKI packet - 2 way stealth channel

SCAN
  N/A             SCAN - ICMP - Wide Scan Fast
  N/A             SCAN - TCP - FIN Scan Slow
  N/A             SCAN - TCP - FIN Scan
  N/A             SCAN - TCP - Port Scan Fast
  N/A             SCAN - TCP - Port Scan Slow
  N/A             SCAN - TCP - RST Scan Slow
  N/A             SCAN - TCP - RST Scan
  N/A             SCAN - TCP - Wide Scan Fast
  N/A             SCAN - UDP - Port Scan Fast
  N/A             SCAN - UDP - Port Scan Slow
  N/A             SCAN - UDP - Wide Scan Fast
  N/A             SCAN - UDP - Wide Scan Slow

STEALTH
  CVE-2000-0305   STEALTH - Possible IP Frag attack
  N/A             STEALTH - FRAGMENTED packet in session
  N/A             STEALTH - Micro Frag detected - possible IDS evasion
  N/A             STEALTH - Time-To-Live: Changed - possible IDS evasion
In addition to the built-in events above, Network IDS detects attacks by matching traffic against the rules in its ids.rules file. The events raised by those rules are also written to UNIX syslog by Network IDS. They are listed below by event type and, within each type, by protocol.
ALERT
  DNS
    CVE-1999-0166   ALERT Bad request ../.. possible attack
    N/A             ALERT Attempt to crash mSQL server
    N/A             ALERT Bad request /bin/ possible attack
    N/A             ALERT DNS - Encrypted DATA
    N/A             ALERT Intel NOOP codes..Possible Buffer Overflow
    N/A             ALERT RS6K NOOP codes..Possible Buffer Overflow
    N/A             ALERT SPARC NOOP codes..Possible Buffer Overflow
    N/A             ALERT Slammer attack
    N/A             ALERT create file foo
    N/A             ALERT iChat Server vulnerability
    N/A             ALERT write file: .rhosts - data: +
  FTP
    CVE-1999-0080   ALERT site exec bug
    CVE-1999-0080   SITE ALERT command
    CVE-1999-0095   ALERT DEBUG command attempted
    CVE-1999-0095   ALERT Sendmail DEB
    CVE-1999-0095   ALERT WIZ command attempted
    CVE-1999-0166   ALERT ../.. file attempt
    N/A             ALERT Intel NOOP codes..Possible Buffer Overflow
    N/A             ALERT Mail Relay Attempted
    N/A             ALERT Mail being sent to file
    N/A             ALERT PIPE - bug 2
    N/A             ALERT PIPE - bug 3
    N/A             ALERT PIPE - bug
    N/A             ALERT RS6K NOOP codes..Possible Buffer Overflow
    N/A             ALERT SMTP help invoked
    N/A             ALERT SPARC NOOP codes..Possible Buffer Overflow
    N/A             ALERT access .rhost or .forward file
    N/A             ALERT access hosts.equiv file
    N/A             ALERT cannot mail directly to programs
    N/A             ALERT mail being sent to program
    N/A             ALERT mail being sent to system
    N/A             ALERT old sendmail version
    N/A             APPE (Append) command attempted
    N/A             Permission Denied Notice
    N/A             Unsafe CHMOD attempted
  IDENT
    N/A             ALERT possible IDENT attack
  IMAP
    N/A             ALERT Intel NOOP codes..Possible Buffer Overflow
    N/A             ALERT RS6K NOOP codes..Possible Buffer Overflow
    N/A             ALERT SPARC NOOP codes..Possible Buffer Overflow
    N/A             ALERT possible exploit attempt IMAP
  IP
    N/A             ALERT ICMP - Duplicate SEQ number
    N/A             ALERT ICMP - Encrypted PAYLOAD
    N/A             POLICY - Possible spoofed IP address
  NNTP
    N/A             ALERT NNTP signature
    N/A             ALERT shell command in news ctrl msg
  POP
    N/A             ALERT Intel NOOP codes..Possible Buffer Overflow
    N/A             ALERT RS6K NOOP codes..Possible Buffer Overflow
    N/A             ALERT SPARC NOOP codes..Possible Buffer Overflow
    N/A             ALERT possible exploit attempt POP
  Telnet
    CVE-1999-0067   ALERT attack - PHF bug
    CVE-1999-0067   ALERT attack - known phf bug
    CVE-1999-0277   ALERT linux workman exploit
    N/A             ALERT expn - known sendmail problem
    N/A             ALERT possible AIX lquerypv exploit
    N/A             ALERT possible attack - gene
    N/A             ALERT possible chmod sgid file
    N/A             ALERT possible chmod suid file
    N/A             ALERT possible chmod uid/sgid file
    N/A             ALERT sendmail pipe bug
    N/A             ALERT tprof -x AIX
  TFTP
    N/A             ALERT TFTP - Attempt to grab system file
  WWW
    CVE-1999-0039   ALERT SGI webdist.cgi attack
    CVE-1999-0039   ALERT SGI webdist.cgi/wrap attack
    CVE-1999-0058   ALERT php.cgi access. known security exposure
    CVE-1999-0067   ALERT PHF attempt
    CVE-1999-0146   ALERT CAMPAS SECURITY BUG
    CVE-1999-0175   ALERT Novell convert.bas vulnerability
    N/A             ALERT ./UnlGG1.1 vulnerability
    N/A             ALERT /bin/filemail.pl vulnerability
    N/A             ALERT /cgi-bin/bnbform.cgi vulnerability
    N/A             ALERT /cgi-bin/cgimail.exe vulnerability
    N/A             ALERT /cgi-bin/mlog.phtml vulnerability
    N/A             ALERT /cgi-bin/mylog.phtm vulnerability
    N/A             ALERT AT-admin.cgi vulnerability
    N/A             ALERT Attempting to retrieve access file
    N/A             ALERT CGI_lite.pm, know security problem
    N/A             ALERT EWS (Excite for Web Servers) CGI hole
    N/A             ALERT Glimpse Server attack
    N/A             ALERT Hostile Servlet attempt
    N/A             ALERT IIS icat script vulnerable
    N/A             ALERT IIS perl script vulnerable
    N/A             ALERT Intel NOOP codes..Possible Buffer Overflow
    N/A             ALERT Link to BAK file
    N/A             ALERT Link to LNK file
    N/A             ALERT Link to URL file
    N/A             ALERT Lotus Notes system file attempt
    N/A             ALERT MAN-sh Possible Vulnerable program access
    N/A             ALERT MS Front Page vulnerable ext
    N/A             ALERT MS IIS CGI filename exploit
    N/A             ALERT MS Index Server Source Disclosure
    N/A             ALERT MS Personal Web Server listing bug
    N/A             ALERT MS frontpage vulnerability
    N/A             ALERT POST proxy attempted
    N/A             ALERT Page Services bug attempted
    N/A             ALERT Possible Code Red compromise
    N/A             ALERT Possible Code Red worm attack
    N/A             ALERT Possible Counter.cgi attack
    N/A             ALERT RS6K NOOP codes..Possible Buffer Overflow
    N/A             ALERT SGI - Vulnerable program access
    N/A             ALERT SGI handler attack
    N/A             ALERT SPARC NOOP codes..Possible Buffer Overflow
    N/A             ALERT Showcode vulnerability attempted
    N/A             ALERT Suspicious HTTP Request
    N/A             ALERT UNICODE
    N/A             ALERT Vulnerable CGI program detected
    N/A             ALERT Vulnerable CGI
    N/A             ALERT WINDOWS Teamtrack vulnerability
    N/A             ALERT WWW dumping system files
    N/A             ALERT WebGAIS Accessed - check logs
    N/A             ALERT WebGAIS Accessed via mail - check logs
    N/A             ALERT WebSite buffer Overflow
    N/A             ALERT Windmail vulnerability attempted
    N/A             ALERT accessing vulnerable script
    N/A             ALERT asapi/query vulnerability
    N/A             ALERT asapi/srch vulnerability
    N/A             ALERT attempt to break out of dir
    N/A             ALERT attempt to locate shell
    N/A             ALERT attempting to use date
    N/A             ALERT coldfusion display openfile vulnerability
    N/A             ALERT coldfusion exprcalc vulnerability
    N/A             ALERT coldfusion openfile vulnerability
    N/A             ALERT dumping .asp source code
    N/A             ALERT getmvs vulnerability
    N/A             ALERT htmlscript access attempt
    N/A             ALERT lyris vulnerability
    N/A             ALERT maillist.pl vulnerability
    N/A             ALERT proxy attempted
    N/A             ALERT survey.cgi vulnerability
    N/A             ALERT test-cgi access. known security exposure
    N/A             ALERT tools/getdrvrs.exe vulnerability
    N/A             ALERT tools/iisamin vulnerability
    N/A             ALERT tools/newdsn.exe vulnerability
    N/A             ALERT uploader.exe access.
    N/A             ALERT web-store.cgi vulnerability
    N/A             ALERT webcom guestbook vulnerability
    N/A             ALERT websendmail vulnerability
  X11
    CVE-1999-0067   ALERT attack - PHF bug
    CVE-1999-0067   ALERT attack - known phf bug
    N/A             ALERT expn - known sendmail problem
    N/A             ALERT linux workman exploit
    N/A             ALERT possible AIX lquerypv exploit
    N/A             ALERT possible attack - newline problem in httpd
    N/A             ALERT possible chmod sgid file
    N/A             ALERT possible chmod suid file
    N/A             ALERT possible chmod uid/sgid file
    N/A             ALERT sendmail pipe bug
    N/A             ALERT tprof -x AIX
  XDMCP
    N/A             ALERT Intel NOOP codes..Possible Buffer Overflow
    N/A             ALERT RS6K NOOP codes..Possible Buffer Overflow
    N/A             ALERT SPARC NOOP codes..Possible Buffer Overflow
AUTH
  DNS
    N/A             ALERT Intel NOOP codes..Possible Buffer Overflow
    N/A             ALERT RS6K NOOP codes..Possible Buffer Overflow
    N/A             ALERT SPARC NOOP codes..Possible Buffer Overflow
    N/A             ALERT Spawning ROOT shell
    N/A             ALERT write file foobar
    N/A             AUTH NULL or Bad Password
    N/A             AUTH Null or Bad user name
  FTP
    N/A             ALERT attempt to go to root directory
    N/A             AUTH Anon FTP login
    N/A             AUTH BOGUS login
    N/A             AUTH attempt to login as demos
    N/A             AUTH attempt to login as lp
    N/A             AUTH attempt to login as sync
    N/A             AUTH guest login banner
    N/A             AUTH guest login
    N/A             AUTH root login offpeak
  POP
    N/A             AUTH POP login failure
  Telnet
    N/A             ALERT rlogin -froot bug
    N/A             AUTH AS/400 Default accounts attempted
    N/A             AUTH DEC server default accounts attempted
    N/A             AUTH DEFAULT USER Account access attempted
    N/A             AUTH ROOT logging in
    N/A             AUTH ROOTKIT Default password
    N/A             AUTH login failure
    N/A             AUTH permission warning
  TFTP
    N/A             ALERT TFTP - Attempt to grab password file
    N/A             ALERT TFTP - password file contents in TFTP session
    N/A             ALERT TFTP - router password file in TFTP session
  WWW
    N/A             ALERT attempt to access password file
  X11
    N/A             ALERT rlogin -froot bug
    N/A             AUTH login failure
    N/A             AUTH permission warning
BACKDOOR
  DNS
    N/A             BACKDOOR Back Orifice
    N/A             BACKDOOR Common Backdoor port
    N/A             BACKDOOR Deep Throat port
    N/A             BACKDOOR Deep Throat traffic
    N/A             BACKDOOR NetBus getinfo request
    N/A             BACKDOOR NetBus port
    N/A             BACKDOOR NetBus traffic
    N/A             BACKDOOR PC Anywhere port access
CONFIG
  DNS
    N/A             CONFIG 3270 mapper - service
    N/A             CONFIG ALIS - service
    N/A             CONFIG DATABASE_SVC - service
    N/A             CONFIG ETHERSTATD - service
    N/A             CONFIG KEYSERVD - service
    N/A             CONFIG LLOCKMGR - service
    N/A             CONFIG NLOCKMGR - service
    N/A             CONFIG NSEMNTD - service
    N/A             CONFIG PCNFS - BAD SERVICE
    N/A             CONFIG REXD - vulnerable service
    N/A             CONFIG RJE MAPPER - service running
    N/A             CONFIG RQUOTAD - service
    N/A             CONFIG RSED - service
    N/A             CONFIG RSTATD - service
    N/A             CONFIG RUSERS - service
    N/A             CONFIG RWALLD - vulnerable service
    N/A             CONFIG SELECTION SVC - vulnerable service
    N/A             CONFIG SHOWFHD - vulnerable service
    N/A             CONFIG SNMP - service
    N/A             CONFIG SPRAYD - vulnerable service
    N/A             CONFIG STAT - vulnerable service
    N/A             CONFIG STATMON - vulnerable service
    N/A             CONFIG SUNLINK MAPPER - vulnerable service
    N/A             CONFIG TFSD - vulnerable service
    N/A             CONFIG TOOLTALK - vulnerable service
    N/A             CONFIG X25.inr - service
    N/A             CONFIG YPBIND - vulnerable service
    N/A             CONFIG YPPASSWD - vulnerable service
    N/A             CONFIG YPSERVE - vulnerable service
    N/A             CONFIG YPUPDATE - vulnerable service
    N/A             CONFIG YPXFRD - vulnerable service
    N/A             CONFIG bad resolve request
  FTP
    N/A             CONFIG deleting file/directory
  IP
    N/A             CONFIG - LSRR Loose Source Routing
    N/A             CONFIG - RR Record Route
    N/A             CONFIG - SSRR Strict Source Routing
  SSH
    N/A             CONFIG - Old SSH Server
    N/A             CONFIG - SSH protocol mismatch
  Telnet
    CVE-1999-0291   CONFIG WinGate installed
    N/A             CONFIG . in PATH
  TFTP
    N/A             CONFIG - TFTP - Service attempt
  WWW
    N/A             CONFIG Directory Browsing Enabled
    N/A             CONFIG SERVER protocol ERROR
    N/A             CONFIG www-sql - can access protected files
  X11
    N/A             CONFIG . in PATH
  XDMCP
    N/A             CONFIG XDMCP traffic
DOS
  DNS
    N/A             AUTH DOS Probe
    N/A             DOS - Traffic FROM trino master
    N/A             DOS - trino traffic
    N/A             DOS - trinoo traffic
    N/A             DOS CICSO router DOS
    N/A             DOS NT RAS PPTP DOS attempt
  FTP
    N/A             DOS Lotus Notes MTA DOS
    N/A             DOS Serve-U FTP DOS check
  Finger
    N/A             DOS recusrsive finger
  IP
    N/A             DOS - Fragment too small
    N/A             DOS - Huge fragment
    N/A             DOS - IP fragment out of order
    N/A             DOS - Out-Of-Band Packet- Possible WINNUKE attack
    N/A             DOS - fragmented packet overlap
  WWW
    N/A             ALERT cgi-dos/args.bat vulnerability
    N/A             DOS Possible Annex DOS
    N/A             DOS web oracle web server
Gopher
  Gopher
    CVE-1999-0124   ALERT GOPHER - known gopher attack
    N/A             CONFIG GOPHER traffic
    N/A             SCAN GOPHER - password file

LOKI
  IP
    N/A             ALERT ICMP - LOKI Tag in ICMP packet

Port
  FTP
    N/A             Bad PORT Command
�� ��
DNSCVE-1999-0166 ALERT NFS attack: ../
CVE-1999-0166 ALERT NFS attack: ../.
N/A ALERT Bad requuest Buffer Overflow probe
N/A SCAN - Requested Service Dump
N/A SCAN .rhosts file lookup
N/A SCAN 3270 mapper - service
N/A SCAN ALIS - service
N/A SCAN Browsing
N/A SCAN DATABASE_SVC - service
N/A SCAN ETHERSTATD - service
N/A SCAN KEYSERVD - service
N/A SCAN LLOCKMGR - service
N/A SCAN NLOCKMGR - service
N/A SCAN NSEMNTD - service
N/A SCAN Nessus Scan - IMAil Test
N/A SCAN Nessus Scan
N/A SCAN PCNFS - BAD SERVICE
N/A SCAN REXD - vulnerable service
305Risk Manager ��� ���
F.
Netw
ork
IDS
��
��
N/A SCAN RJE MAPPER - service running
N/A SCAN RPCinfo query
N/A SCAN RQUOTAD - service
N/A SCAN RSED - service
N/A SCAN RSTATD - service
N/A SCAN RUSERS - service
N/A SCAN RWALLD - vulnerable service
N/A SCAN Requesting Service IPC$
N/A SCAN Requesting Service ROOT
N/A SCAN Requesting Service WINNT$
N/A SCAN SELECTION SVC - vulnerable service
N/A SCAN SHOWFHD - vulnerable service
N/A SCAN SNMP - service
N/A SCAN SPRAYD - vulnerable service
N/A SCAN STAT - vulnerable service
N/A SCAN STATMON - vulnerable service
N/A SCAN SUNLINK MAPPER - vulnerable service
N/A SCAN TFSD - vulnerable service
N/A SCAN TOOLTALK - vulnerable service
N/A SCAN X25.inr - service
N/A SCAN YPBIND - vulnerable service
N/A SCAN YPPASSWD - vulnerable service
N/A SCAN YPSERVE - vulnerable service
N/A SCAN YPUPDATE - vulnerable service
N/A SCAN YPXFRD - vulnerable service
306 �� 3 ��� 8
N/A SCAN password file lookup
N/A SCAN shadow file lookup
N/A SCAN ypcat password
N/A SCAN zonexfer request from outside network
FTPN/A ALERT Possible Buffer Overflow Probe
N/A SCAN Nessus FTP check writable directory
N/A SCAN expn - recon
N/A SCAN looking at passwd file
N/A SCAN possible mailed password file
N/A SCAN possible xfered password file
N/A SCAN verify - recon
FingerN/A ALERT Cfinger Search exploit
N/A ALERT compromised finger daemon
N/A ALERT finger pipe attempt
N/A ALERT finger to program
N/A SCAN finger dump
N/A SCAN finger traffic - RECON
N/A SCAN finger traffic - root
��N/A SCAN router password file
IDENTN/A SCAN IDENT request
N/A SCAN possible password file
IMAPN/A SCAN possible mailed password file
NNTP N/A SCAN possible password file
POP N/A SCAN possible mailed password file
Telnet N/A ALERT attack - generic IFS probe
N/A SCAN - fingering root user
N/A SCAN - obtaining list of files
N/A SCAN - poking http
N/A SCAN - probe w/ finger
N/A SCAN - wildcard finger
N/A SCAN verify - recon
N/A SCAN zone xfer attempt via dig
WWW N/A ALERT Fax Survey cgi probed
N/A ALERT Possible Buffer Overflow Probe
N/A SCAN - using finger to get information
N/A SCAN Accessing WWW Admin Port
N/A SCAN Attempt to grab password file
N/A SCAN Attempting to retrieve passwd file
N/A SCAN Browsing Scripts Directory
N/A SCAN gathering file names
X11 N/A ALERT attack - generic IFS probe
N/A SCAN - fingering root user
N/A SCAN - obtaining list of files
N/A SCAN - poking http
N/A SCAN - probe w/ finger
N/A SCAN - wildcard finger
N/A SCAN verify - recon
N/A SCAN zone xfer attempt via dig
��
�
��(attack)
��� �� ��� ���� ���� �� ��� �� ��. �� ��� �����.
�� �(managed node)
Tivoli ���� Tivoli Enterprise Framework� � �� ��
���(administrator)
�� �����.
��� ��� �����(graphical user interface)
Tivoli ���� ��� ���� ���� ��� �� ���� � ���� ��� ��� ����(GUI).
Risk Manager ��� ��� Tivoli ��� �����. ��� �� �����.
�
��� �� ���(network-based system)
���� ���� ��� ���� �� � ��� �����. ��� �� ���� ��� �� �� �
� � ����. ���� � �� ���� � ���� �� ���� ��� �� ��� ���� ����
�� �� �� � ����. ���� � �� ��������� � � ��� �� �� �� ����
�� ��� � ����. �� ������� �� ���� �� ��� ��� ���� � �� ����
�.
�
� ��(rule base)
Tivoli ���� � � ��� ��� �� � ��. Tivoli Enterprise Console� ��� ��� ��
� �����. �� � ��� ���� ��� ��� �� �� �� ��� � ��� ����
��� �� � ����.
� ��(rules engine)
��� Tivoli Enterprise Console� ����. �� ��� ���� ���� �� �� ��� �
�� �����.
�(rule)
Tivoli ���� ��� � � ����� ��(��� �� ��)� ��� �� �� ��� �� ����
�� ��� �� � ��
�
� (firewall)
�� �� �� ����� ������ �� � �� ���� ���� ���
�
�� �� ��(correlation engine)
Risk Manager ��. �� �����.
�� �� ��(Denial of Service attacks)
�� �� ��
��(sensor)
��� ���
��(attribute)
���� ���� � � �� �� ����� ��. �� �� ��� �� ��� ���� �� � ��
�� � ����. Risk Manager� � ��� � �� �����. � ��� �� � � ���� �
�� �� �� ���� � ������. �� attribute_name=value �� ����. ��� ��� ��
� ���� ���� � ��� ��� ����� Tivoli ��� � � � ��.
����(script)
��� ���� ���� ��
�
��(alarm)
��� �� ��� �� �� � ��� �� ����� � �� ���� ����. Risk Manager
��� ISS RealSecure � Cisco Secure IDS(NetRanger)� �� ��� �� �� TEC ���� ���
���. Tivoli ���� ��� � �� ��� ��� � ��(�� ��), �� ��(��� ��), ��� ���
��(��� � ��)� �����. TEC ���� �����.
��� �� ��(Adapter Configuration Facility)
Tivoli ���� Tivoli ���� �� � ���� ���� ��� ��� �� ��� ���� �� �
�� � �� ��� ��� ����.
��� �� ��(Adapter Configuration Profile)
�� � ��� �� ���. �� � ���� �� � ������ ���� � ����. ��
��� ��� ��� �� ��� ���� � �� ��, �� �� � ��(�: � ��), ��� �� �
�, �� �� �� �� �����.
���(adapter)
Risk Manager�� ��� �� ��� � ��� �� ������. ��� ��(���)� ���� Tivoli
Enterprise Console(TEC)� ��� � �� ���� ���� ����. �� �� ��� ���� TEC��
� ��. ��� �� � TME ��� �����.
����� �(endpoint node)
1) TMR(Tivoli Management Region)�� �� � ����� � Tivoli �����. 2) �� ��� ��
� ��� �� ��. � �� ������.
��(roles)
��� ��� super, senior, admin, user �� �����. ��� ���� ���� ���� ���� �� �
� ��� ��� ��� � �� �� �����.
���(priority)
Risk Manager� �� ��� �� �� ���� ��� �����. �� ��, UNIX syslogd ��� �
� ���� �� � ����. TME ��� ��� � ���� �� UNIX � syslog ���� �
� �� � ���� ������.
��� ��(validation)
���� �� ��� �� ������ , , ��� ��� �
��� � �(event group filter)
Tivoli ���� ��� �� ��� �� ���� ���� ��� ��� �� ���, �� � ��� ���
�����.
��� �(event group)
Tivoli ���� �� � � �� ��� ��. ��� ��� ���� � ��� �� �� ��. Tivoli ���
� �� �� �� �� ��� �� ���� � ����.
��� ��(event server)
Tivoli ���� ���� ���� �� � . ��� � � ���� � ����� �� ����. ��� �
� � ��� �� ���� ���� ���� ���� ����� ��� � ��� �����. �� ��
� � � ��� �� �� ��� ��� �����. 1� ��� � � �� ���� ��� ���� 2� �
�� � � � ��.
��� ���(event adapter)
Tivoli ���� ���� Tivoli Enterprise Console� ��� � �� ���� ���� �����. ���� �
�� � � �����. Tivoli Event Integration Facility(EIF) �� Risk Manager Event Integration Facility�
���� �� ���� �� �� �� �� ��� ��� ��� ��� � ����. �� � ��
� �� � ����� �����.
��� �(event console)
Tivoli ���� ��� ���� ��� � �� �� ���� �� �� � �� ��� ��� ����
(GUI)
��� ���(event class)
Tivoli ���� ��� ��� ��� � � ��� �� �� ���� ���� ��
���(event)
Tivoli ���� ��� ��, ���� �� �� ���� ������� ��� �� �. Risk Manager� ��,
�� �, �� ���� ��� �� ���� ��� � ����. ���� ��� ����� ���� � �
��, ��� �� �, � ��� ����. Risk Manager�� ���� �� �� ������.
�
�� �� ��(Java Virtual Machine)
�� ������ ��� �� ����� ���� �����(�� ��� �� ��). � ��� ���� ��
��� ��� �� �� �� �� ��� ������.
�� ��� (Java Runtime Environment)
�� ������ ��� �� �����. JVM(Java Virtual Machine)� ���� �����. �� ���� �
� � � ��� ����, � � , �� �� ����(Sun� �� JRE ��� �)� ���� � �� ��
��� �����.
�� �� ���(behavior-based system)
��� ���� ���� ��� � ���� �� ���� ���� �����. �� �� ����
� ��� ��� �� ��� � ��� � ������. �, ��� ���� �� ��� ��
���� � � ��� �� �����. �� � � ��� �� �� ��� �� �� �����
�. ��� ��� �� ���� �� �� ��� � ��� ���. � � ������ �� ���
�� � ���.
��� (false positive)
��� ��� ��� �� ���� �� ��� �����. � �� ���� ���� �� �� � �� �
�� ��� � � ����. ��� �� ���� IDS� �� ��� ��� � �� �� ���� �� ��
��. ��� ��� �� ��� ��� � ���� ��� �� �� ��� � ����. ��� � ��
� Risk Manager� �� ��� ��� � ����.
��� �(false negative)
��� ��� ��� �� ���� �� �� �����. � ��� ���� � ��� ���� �� �
�� ��� �� �����. ��� IDS� Tivoli ����� �� �� �� � � ����.
�� (real positive)
��� ��� ���� ��� �� ��. ���� IDS�� ��� �� ��� �����.
�� �(real negative)
��� �� ��� �� ���� �� ��. ���� IDS�� ������ �� ��� ���� �� ����
�����. �� ���� �� ���� ���� ����. ��� �� ���� � ��� �����.
�� �� ���(knowledge-based system)
�� � ���� ��� �� � ��� �� �� ����� ��� ���� ��� �� �����. �
� � ���� � ���� ��, ��� ��� ���� �� �� �� �� ����� �����. ��
����� �� ��� �� �� ��� �� ��� � ����.
�
��� � � (vulnerability assessment products)
�� �� ��� ��� ����� ����� ��� ����� ���� �� �� ���� �� ���
�� �� �� ���� ���.
�� �� ���(intrusion detection system)
1) �� �� ��(�: ��� �� �� ���)� ���� �� � ��� �� ���� ���� �� ���
�� � �. 2) ����� ����� �� �� �� ���� �� �����. ��� ��� ���� �
� ��� ���� ��� � ����.
�� ��(intrusion attempt)
�� �� ��� ���� ��� ������ ����� ��
�
��
��� �� �� PowerPlay ����� ���. �� Cognos PowerPlay Transformer�� � .mdc ���
��. ���� ������ ��� ��� ��� � ���� � ����(���)� ����. ��
PowerPlay �� ��(.ppr)� �� ��� �� ��� �����.
���(class)
�� �� � �� ������� �� ��� ���� �� ��, �, � ���� ���� ��. ��
��� ��� ����� ���. ��� ���� �����.
�
�(Prolog)
�� �����(Programming in Logic). �� ����� �� � � ����� ��
�
�� ��(format file)
�� ��� TME ��� �� CDS �� �����. �� �� ���� ��� ��� �� ��� ��
� �� ��� �� �� ���� � CDS �� ������. Risk Manager��� TME ��� Tivoli
Enterprise Console� ���� � ���� ����� �� ������ �����.
��� �� ���(host-based system)
��� � ���� ���� �� ��� ���� �� ����. ������ ���� ��� ��� �
� �� � ����. ��� ��� � ���� ��� �� �� � �� ��� ����. ��� � �
� �� �� ��� ���� ��� ��� �� �� �� ��� ��� � �� ���. �� �� ���
�(�: �� ��� �� �� ���� �� ���) ������.
���(host)
������ ��� �� ��� ��� ���� �� �
A
ACF
�� � �� �����.
ACP
�� � ���� �����.
B
BAROC ��(BAROC file)
Basic Recorder of Objects in C(BAROC) ��. ��� � � �� �� ��� ���� �� �. Risk Manager
�� BAROC ��� Risk Manager �� ��� ���� ��� ���� �����.
E
EIF
Tivoli Event Integration Facility� �����. Risk Manager Event Integration Facility� �����.
G
GUI
��� ��� ����� �����.
I
IDS
�� �� ��� �����.
IIS
Internet Information Server� �����.
Internet Information Server(IIS)
Microsoft � �
J
JRE
�� ��� �� �����.
JVM
�� �� ��� �����.
P
Perl
Practical Extraction and Report Language
R
Risk Manager Event Integration Facility
�� API(Application Programming Interface)� ���� �� � Tivoli ���� ���� Tivoli Enterprise
Console� ��� � �� Tivoli SecureWay Risk Manager� � ��� ��� ��� � ��� �� ��. �
� ��� �� �� �� ������� ���� �� �� ����.
T
TEC
Tivoli Enterprise Console �����.
TEC ���(TEC event)
Tivoli Enterprise Console �� ���
Tivoli Enterprise Console
���, ������, ����, ����� ���� ����, ���� �� �� ��� �� ���� ��
� Tivoli ��. �� ������ ���� �� �� ����. Tivoli Enterprise Console� ���� ��� �
�� �� ��� ���� ��� �����. �� �� ��� ���� ���� ��� ���� �� ��
� � � ���� ��� ���� �� ��� �� ���� ��� ����� ��� �����.
Tivoli Event Integration Facility
�� API(Application Programming Interface)� ���� �� � Tivoli ���� ���� Tivoli Enterprise
Console� ��� � �� � ��� ��� ��� � ��� �� ��. �� ��� �� �� �� �����
�� ���� �� �� ����.
Tivoli Management Environment
�� �� ��� ��� �� ���� �� ���� ��� ��� ���� Tivoli ������(Tivoli
Management Framework �). Tivoli ���� ��� ���� ������ ����� ��� � ����
��� �� ��� � ����� �� ����� � ���� � ����. Tivoli Management
Environment� ���� TME 10�����.
Tivoli Management Framework
Tivoli Management Environment ��� ������ ����� ��� �� �����. � ������ �
�� Tivoli � Tivoli ���� ��� �� ������ ���� ��� � ����. Framework�� ���
�����.
¶ ���� �� �� (oserv)
¶ �� ���� �����
¶ �� �� ��
¶ �� ������ ���
¶ �� ��� ���(�: ��� ��� ����(GUI))
Tivoli Management Environment�� �� ���� �� ����� � � � Tivoli Management Framework
� �����.
¶ ����� PC� Tivoli Management Framework� ��� ��� ����. �� PC�� PC �����
�����.
¶ Tivoli Management Region(TMR) � � �� ���� ������ ���� ��� � ���.
Tivoli Management Region
Tivoli Management Environment�� ���� ���� ����� �� � TMR � . �� �� ��� TMR
�� � ����. TMR� ��� ��� ��� ��� policy region� ��� ��� � ����.
TME
Tivoli Management Environment� �����.
TME ���(TME adapter)
�� � �� �� ���� TEC ���� �����. ��� ��� ���� �� ��� ���� �
� ���� TEC� ��� � �� ���� ��� ����� �������. Risk Manager�� TME ��
(UNIX� �� �� �� �� Windows NT� NT ��� �� ��)� IDS ���� ��� ���. ��
� ��� ��� �����.
TMR
Tivoli Management Region �����.
��
�����
� 126
� � 67
�� 127
��
Risk Manager 7
��
�� 59
��� � 59
�� �� 111
��
Risk Manager � TME �� �� �� 44
sig.nefarious � ��� 123
��
Network IDS 198
Network IDS �� �� �� 206
�� �� xxi
�� ���, �� 122
�� �� 123
ISS RealSecure 279
Network IDS 205
�� �� ��
Cisco Secure IDS 130, 271
ISS RealSecure 135
Network IDS 206, 291
�� �� ��(CLF �) 108
��
Check Point FireWall-1 173
Cisco Secure IDS� �� 132
Cisco ���� �� 148
ISS RealSecure� �� 140
Web IDS 118
�� ��
TEC �� �� � 55
�� ���
TEC �� �� 58
���
� � �� 21
���, Tivoli
�� xix
��� ���� 60
���� �� 109, 124
�
��� �� �� 115
� � 115
��� � 43
Check Point FireWall-1 167
Cisco Secure PIX Firewall 156
Host IDS 183
iPlanet � � 116
Microsoft Internet Information � 116
Risk Manager TEC �� �� 56
Risk Manager �� �� 55
Risk Manager � �� �� 59
� �� 55
���� � �� � 57
Check Point FireWall-1 168
Cisco Secure PIX Firewall 162
riskmgr_thresholds.pro 53
rmcorr_cfg 56, 59
���
�� 51
Risk Manager 10, 34
��� �� 51
�� xxi
��
Network IDS alerts 202
�� �
� � �� 50
�� �� ��
Network IDS 206
������� �� �� ���
�� ��� 201
�� 222
� ��� 200
� ��� 200
�� 197
���� ��� �� 60, 72, 73, 75
����� ��� � 31
����� �� ��
� � �� 49
����� �� ��
��� 3.8 ��� 2
�����, RDBMS 15
�� xix
����� �� 127
�� ��
Web IDS 107
�� ��(CLF �) 108
��
�� �� 59
Risk Manager ��� 34
���, � 35
��
�� 59
�� 59
� 59
� 59
��� �� 58
��
� 55
�� 132
��� 3.8 ��� 1
����� �� �� 2
�� 5
�� ��� � �� 3
� �� 3
�� 4
� �� 4
� �� �� �� 1
� � �� 3
� � �� �� 2
��� 4
TEC ��� 4
���������
� 3.8 267
��
���� �� �� ��� 222
�� �� 245
� 236
Check Point FireWall-1 238
Cisco Secure IDS 242
Event Integration Facility 250
Network IDS 222
Sam ����� 240
Web IDS 259
�
gencds 45
logfile_gencds �� nt_gencds 46
nids 203
riskmgr_gencds 85
rmeif_cfg 86
webids �� webids.bat 105, 120
wrmadmin 85
wrmsendmsg 85
��
��� 3.8 ��� 5
Cisco Secure IDS 130
ISS RealSecure 135
Risk Manager xx, xxi
TEC �� �� xix
Tivoli security �� xxii
������ �� ���
Check Point FireWall-1 166
��� ���
Check Point FireWall-1 166
� 3.8
������ 267
��
���� �� 311
� �� ��� 122
� � ��� �� 105, 121
�� �� ���� 122
���
Network IDS alerts 203
�� ��� �� 67
�� ���, �� 67
��� ��
Cisco Secure PIX Firewall 154
������ ��� 77
��� ���
Cisco Secure IDS� �� 132
Cisco ���� �� 148
ISS RealSecure� �� 140
TEC �� �� 58
Web IDS� 118
�� ��
�� 10
� 55
���� �� �� �� 48
��, �� 13
Risk Manager �� �� � 59
TEC �� �� � 56
�� �� �� 245
��
Risk Manager ��� � 59
��
�� 53
�� 54
�� ��� �� 68
�� ���, �� 68
�� � 64
�� ���
��� ���� ��� � 66
���� ��� ��� � 66
�� �� xix
� � ��
Check Point FireWall-1 168
� , �(� � �) 11
� , ���(��� � �) 43
�
��� 67
�� �� ���� �� �� 65, 68
�
�� 3
�� 31
�� �� 59
��� 3.8 ���� �� �� 3
�� 236
� �� ��� ��� �� 117
��� � 31, 42
��� 200
Check Point FireWall-1 167
Cisco Secure PIX Firewall 154, 155
Host IDS 182
ISS RealSecure 137
Network IDS 200
Norton AntiVirus 193
Risk Manager ��� 34
TEC �� �� 55
Tivoli ��� 36
Tivoli �� �� 32
TME �� 42
Web IDS 113
� �
Host IDS 182
� ����
ISS RealSecure 138
��
��� 3.8 ��� 4
��
Check Point FireWall-1 166
Cisco Secure IDS(NetRanger) �� 130
Cisco Secure PIX Firewall 152
ISS RealSecure �� 135
Network IDS 197
Web IDS 105
�� ��
Check Point FireWall-1 166
�� �� ��, ��
Cisco Secure PIX Firewall 160
�� �� ��, �
Cisco Secure PIX Firewall 159
�� ���, ��
Cisco Secure PIX Firewall 157
�� ��
�� 61
��
���� �� �� ��� 197
���� � � 107
BAROC �� 16
CDS �� 17
Cisco Secure PIX Firewall 151
Host IDS 181
Network IDS 197
Perl �� 107
Risk Manager � �� �� 53
Web IDS sig.nefarious �� 108
�� � ��� �� ��
Check Point FireWall-1 175
�
msg 95, 96
pix_code 96
pix_ifname 96
pix_sev 96
rm_DestinationIPAddr 96
rm_SensorIPAddr 96
rm_SourceIPAddr 96
���� ��
rmcorr_cfg 44
�� ���
��� �� 69
�� ��
� �� � 65
�� ��� �� 68
�� �� ���� �� �� � 65, 68
����
�� � �� 64
��� �� �� �� 64
�
Network IDS 201
TME �� 46
Web IDS 120
� �� 111, 125
��, TEC �� �� 213
�� 62
����� � xx
�� policy �
Check Point FireWall-1 172
� ��
Cisco Secure PIX Firewall 157
��� �� ��
� 115
�� 107
��� �� 105, 121
��� �� 117
��
ACF ����� � 47
ACF� � �� 46
TEC 15
Windows ���� � 41
�� � ��(ACF) xix
�� � ����(ACP) xix
�� �
AIX 37
AIX smit 38
AIX �� 37
Linux 39
native � 37
Solaris 40
Windows ��� 41
�� �
Check Point FireWall-1 174
�� ��
Check Point FireWall-1 176
��, Risk Manager
Check Point FireWall-1 165
Cisco Secure IDS 130
Cisco Secure PIX Firewall 151
Cisco ��� 143
Host IDS 181
ISS RealSecure 135
McAfee Alert Manager 185
Norton AntiVirus 191
��, �� ��� �
��� 3.8 ��� 3
��, �
Cisco Secure PIX Firewall 155
��
��, sig.nefarious �� 111
����, sig.nefarious �� 109, 124
� , sig.nefarious �� 111, 125
�, sig.nefarious �� 111, 125
�, sig.nefarious �� 110, 123
�
LEA � � 170
��
�� �� ������ ��� � 78
�� �� �� 45
wrmsendmsg 85
�� ��
TEC �� �� 213
�� ��
Check Point FireWall-1 178
��
webids 121
��
�� �� xxi
�� 54
�� ��� 132, 140
��� �� 48
� �� 77
���� � �� 57
�� �� 18
BAROC �� 16
TEC ��� 99
Web IDS ��� 118
�� ��� 96
�� �� ���� 96
� ��
��� 3.8 ��� 4
� �� �� ��
��� 3.8 ��� 1
� ��
��� 122
�� 123
� � ��
�� � 50
����� �� �� 49
��� 3.8 ��� 3
��� �� 31
�� 21
� ��
Cisco Secure IDS �� 130
ISS RealSecure �� 135
Risk Manager xx
� ���
� �� �� xxii
Bugtraq 122
Cisco Secure IDS �� �� 130
Common Vulnerabilities Enumeration(CVE) 122
CVE �� 199
Internet Security Systems (ISS) 135
ISS RealSecure �� 135
ISS RealSecure �� �� 135
Tivoli Risk Manager xxii
Tivoli �� �� xxi
Tivoli �� xxii
� �
���� Risk Manager 107
iPlanet � � � 116
Microsoft IIS � 116
� � �� ��
��� 3.8 ��� 2
� �� ��
� ��� �� 117
�� ��� 77
�
��� ���� 60
��� 106
� 106, 124, 125
� �� 111, 125
��� � �� 125
� ���� � �� 1
� �� �� xix
���
�� 70
�� �� 62
� � 62
�� ��� 62
�� �� 71
��� ��
�� 48
� 48
��� ����� 13, 15
��� �� API(LEA) 165
��� ��
Cisco Secure PIX Firewall 161
��� �� 70
��� �� 48
��� ���� 60
��� �� �� 62
��� �
�� 59
� 43
� 31, 42
Risk Manager ��� �� 59
TEC 15
��� �� ��� 62
��� ��
Check Point FireWall-1 167
��� �
��� ���� �� 66
���� ��� 66
��� ��, TEC ��� � 15
��� ��
�� 13
��� ��� 93
���(event)
�� 96
�� 95
���(TEC ��� �) 316
����
��� ����� 13
��� ��� ����(GUI) 311, 312
TEC ��� �� 313
Tivoli �� � Tivoli 15
���
� �� 76
�� 76
� 126
����
� �� 59
��� �� 48
�� �� �� �� 48
��
Web IDS 105, 106
��, Risk Manager xx
��
���� ��� �� 60, 72, 73, 75
��� �� �� 64
�� �� 61
�� ��� ��� 69
�� ��, � �� 65
���� �� � 64
��� 76
sig.nefarious � �� ��� 123
trusted host 61
��
� �� �� 123
��� ��� �� 124
�� ��� 122
trusted �� 125
�� � �� 13
�
�� �� 127
�� �� 127
��� � ��� 126
� � �� �� ��� 313
�� ��� 77
�, �
Cisco Secure PIX Firewall 155
�� ��� �� 71
��
Cisco Secure IDS� �� 133
Network IDS 202
TME �� 46
��, Tivoli �� xxi
��
��� � �� 125
�����
� �� �� 123
��� ��� �� 124
�� ��� 122
trusted �� 125
�� ��
9
�� ��
Cisco Secure PIX Firewall 154
�����
�� 127
�� 127
��� �� �� �� 17
��� �� ��, Tivoli
�� 45
��� 46
tecad_logfile.cds 46
tecad_nt.cds 46
������
Check Point FireWall-1 177
Cisco Secure PIX Firewall 161
��� ����� 99
Cisco Secure PIX Firewall 162
Network IDS 201
���, ��
�� ��� � 58
Cisco Secure IDS� �� 132
Cisco ���� �� 148
ISS RealSecure� �� 140
Web IDS 118
� �� 77
��
Cisco ��� 149
��� 54
�� 122
Cisco Secure PIX Firewall 154
�� ��
Network IDS 202
�� ��(sig.nefarious �� �) 108
��, ��
Cisco Secure PIX Firewall 154
�����
��� �� 107
��� �� �� �� 17
�� 18
CDS 17
cpfw.baroc 17
crouter_snmp.baroc 17
csids.fmt 18
fmt 18
netranger.baroc 17
nids.baroc 17
os.baroc 17
os_aix.fmt 18
os_nt.fmt 18
os_solaris.fmt 18
pix.baroc 17
pix.fmt 18
pix_nt.fmt 18
realsecure.baroc 17
riskmgr.baroc 16
rmad_summary.rules 96
rmcorr_cfg 56, 59
rmcorr_cfg � �� 44
rmnav.fmt 18
rmvirus.baroc 17
sensor_abstract.baroc 16
sensor_generic.baroc 16
sig.nefarious 108, 123
startconsole.sh iPlanet � � ���� 116
webids � 120
webids.baroc 17
webids.nt.fmt 18
.cds 45
���, � 200
� �� 110, 123
� ���, sig.nefarious 123
, C 83
���� � ��
�� 57
riskmgr_thresholds.pro 76
���� �� �� �� 48
���� ��
� 55
��, � 32
�����
TEC �� �� �� �� 213
�� �� 18
�� 44
� 43, 55
�� 18
TEC �� 44
�� ��, Tivoli
tecad_logfile.fmt 18, 45, 46
tecad_nt.fmt 45, 46
���
�� 60, 72, 73, 75
��� � ��
Network IDS alerts 203
��� �� ��(Host IDS) 181
���, � 124
���
��� 3.8 ��� 4
���� 8
A
ACF
� 46
� ��� �� 46
ACF(adapter configuration facility) xix
ACF � 46
ACP(adapter configuration profiles) xix
AIX
� ��� Risk Manager ��� 37
AIX ��
�� � 37
Cisco Secure PIX Firewall � 38
Host IDS � 38
Network IDS � 38
SNMP �� � 38
Web IDS � 38
B
BAROC �� 16
� 55
�� 16
sensor_abstract.baroc 18
Bugtraq � ��� 122
C
CDS
�� 17
CDS ��
��� 45
CDS �� ��� 45
Check Point FireWall-1
�� 173
� 167
� �� 168
��� �� ��� 166
��� ��� 166
� � �� 168
� 167
�� �� 166
�� 165
�� � ��� �� �� 175
�� policy � 172
�� � 174
�� �� 176
�� �� 178
��� �� 167
��� 177
IP �� �� 174
LEA� �� ��� 166
OPSEC � � 169
OPSEC ����� � 170
SAM � � 171
Solaris �� � 41
TEC ��� 173
Check Point FireWall-1 �� 238
Check Point FireWall-1 �
Solaris �� 41
Check Point FireWall-1� ��
TEC ��� 173
Cisco Secure IDS
�� �� 271
�� 130
�� �� 130
��� �� � ��� 130
Solaris �� � 41
Cisco Secure IDS �� 242
Cisco Secure IDS �
Solaris �� 41
Cisco Secure IDS� ��
�� 132
��� ��� 132
�� 133
TEC ��� 133
Cisco Secure PIX Firewall
� 156
� �� 162
��� �� 154
� 154, 155
� � 155
�� �� 152
�� �� ��, �� 160
�� �� ��, � 159
�� ���, �� 157
�� 151
� �� 157
��, � 155
��� �� 161
�� �� 154
��� 161
��� ����� 162
�� 154
��, �� 154
AIX �� � 38
Solaris �� � 41
TEC 153
TEC ��� 157
Cisco Secure PIX Firewall �
AIX �� 38
Solaris �� 41
Cisco ���
�� 143
�� 149
AIX� SNMP �� � 38
Solaris� SNMP �� � 41
Cisco ���� ��
�� 148
CLF
� � � �� 108
Common Vulnerabilities Enumeration (CVE) 122
Comprehensive Perl Archive Network (CPAN �) 83
CPAN 83
cpfw.baroc 17
crouter_snmp.baroc 17
csids.fmt �� �� 18
CVE ��
Network IDS 205
CVE ��
� ��� 199
D
drop_unsecure_events 67
E
EIF 81
EIF(Event Integration Facility �) 313
EIF(Event Integration Facility) xix
Event Integration Facility 81, 313
Event Integration Facility �� 250
Event Integration Facility(EIF) xix
G
gencds � 45
H
Host IDS
� 183
� 182
� � 182
� � 182
�� 181
AIX �� � 38
Solaris �� � 41
TEC �� �� 181
TEC ��� 184
Host IDS �
AIX �� 38
Solaris �� 41
I
Internet Security Systems (ISS) 135
IP �� ��
Network IDS alerts 203
IP �� ��
Check Point FireWall-1 174
iPlanet � � 116
ISS RealSecure
�� �� 279
�� 135
� 137
� ���� 138
�� 135
� ��� 135
AIX� SNMP �� � 38
Solaris� SNMP �� � 41
ISS RealSecure� ��
�� 140
��� ��� 140
L
LEA ��� �� API 165
LEA ���� ��
Check Point FireWall-1 166
Linux
�� � 39
Check Point FireWall-1 �� � 174
logfile_gencds � 46
M
McAfee Alert Manager
�� 185
Microsoft Internet Information � 116
N
native �
�� 37
Risk Manager ��� 34
NetRanger(Cisco Secure IDS �� �) 130
netranger.baroc 17
Netscape Enterprise � 116
Network IDS
�� 198
�� �� 205
�� ��� 201
�� 202
�� �� �� 206
�� 222
��� 203
� 200
�� 197
� 201
�� � 201
�� �� 201
�� 202
�� � �� �� 206, 291
�� ��, �� 202
��� � �� 203
AIX �� � 38
CVE �� 205
IP �� �� 203
nids � 203
Solaris �� � 41
TEC �� �� 198
TEC ��� 201
Network IDS �
AIX �� 38
Solaris �� 41
Network IDS� ��
TEC ��� 201
nids �
Network IDS 203
nids.baroc 17
Norton AntiVirus
� 193
�� 191
TEC �� �� 193
nt_gencds � 46
O
observer
Risk Manager 83
Open Platform for Secure Enterprise Connectivity(OPSEC �
�) 165
OPSEC � 165
OPSEC � �
Check Point FireWall-1 169
OPSEC ����� �
Check Point FireWall-1 170
os.baroc 17
os_aix.fmt �� �� 18
os_nt.fmt �� �� 18
os_solaris.fmt �� �� 18
P
PAN 83
Perl ��
�� 107
pix.baroc 17
pix.fmt �� �� 18
pix_nt.fmt �� �� 18
policy region 99
R
ratio_down 66
ratio_up 66
RDBMS ����� 15
realsecure.baroc 17
Risk Manager
�� 7
��� 10
�� xx, xxi
�� 53
�� �� 54
� ��� 35
� �� 32
� ��� 34
�� 11
� � � 115
� �� xxii
��� �� �� 48
�� 7
�� 7
�� �� ��� ���� 60
��� ����� 99
�� �� �� 18
���� 8
ACF� ��� � 46
BAROC �� �� 16
Event Integration Facility 313
iPlanet � � � 116
native � ��� 34
Risk Manager �� �� � 59
Risk Manager � �� �� �� 53
TEC �� �� � 56
Web IDS �� 105
Risk Manager 3.8 � 1
Risk Manager 3.8 � �� �� 1
Risk Manager EIF
� TME �� � 86
TME �� � 86
Risk Manager Event Integration Facility 81
Risk Manager Observer 83
Risk Manager Web IDS �
AIX �� 38
Risk Manager ���
�� � 59
��� � �� �� 59
Risk Manager �� ��
� 59
Risk Manager � �� ��
�� 53
���� � �� 57
Risk Manager � 31
Risk Manager ��
���� �� �� ��� 197
Network IDS 197
Risk Manager ��
Check Point FireWall-1 165
Cisco Secure IDS 130
Cisco Secure PIX Firewall 151
Cisco ��� 143, 148
Host IDS 181
ISS RealSecure 135
McAfee Alert Manager 185
Norton AntiVirus 191
riskmgr.baroc 16
riskmgr_links.pro
�� ��� ��� �� 69
��� �� 70
�� ��� �� 71
riskmgr_parameters.pro
��� � 67
� �� �� 65
�� ��� �� 67
�� ��� �� 68
��� �� �� �� 64
���� �� � �� 64
��� ���� �� ��� � 66
���� ��� �� ��� � 66
�� �� ���� �� �� � 65, 68
RiskMgr_Reception 48
RiskMgr_Situations 48
riskmgr_thresholds.pro 76
riskmgr_thresholds.pro �� 53
rmad_summary.rules 96
rmcorr_cfg � �� 56
rmcorr_cfg �� 44, 57, 59
rmeif_cfg � 86
rmnav.fmt �� �� 18
rmvirus.baroc 17
RM_Error 48
RM_InputErr 48
RM_PrologErr 48
RM_SituationErr 48
RM_TrustedHosts 48
S
SAM � �
Check Point FireWall-1 171
Sam ����� �� 240
sensor_abstract.baroc 16
sensor_generic.baroc 16
SET ��� 97
set_decay_value 67
sig.nefarious
� ��� 123
Web IDS 108
sig.nefarious ��
�� � �� 108
sig.nefarious � ��� � 123
smit
�� � 38
SNMP ��
AIX �� � 38
Solaris �� � 41
SNMP �� �
AIX �� 38
Solaris �� 41
Solaris
�� � 40
Check Point FireWall-1 �� � 174
Solaris ��
Check Point FireWall-1 � 41
Cisco Secure IDS � 41
Cisco Secure PIX Firewall � 41
Host IDS � 41
Network IDS � 41
SNMP �� � 41
Web IDS � 40
startconsole.sh iPlanet � � ���� 116
T
Tasks for Enterprise Risk Management
�� 99
TCP/IP(Transmission Control Protocol/Internet Protocol) xix
TEC
�� xix
�� 15
� � �� 21
��� � 15
��� �� 13
TEC Region policy region 201
TEC
Cisco Secure PIX Firewall 153
TEC �� ��
�� ��� 58
� 56
� �� 55
���� ��� �� �� 60, 72, 73, 75
� 55
�� �� �� 61
�� �� 213
��� �� �� 62
��� � 62
��� �� ��� 62
��� �� 76
� �� 77
Host IDS 181
Network IDS 198
Norton AntiVirus 193
riskmgr_thresholds.pro � �� 53
trusted host �� 61
Web IDS� 112
TEC ��
�� 15
TEC ���
���� 60
TEC ��� ��(��� �� �) 13
TEC ���(��� �) 316
TEC ���
��� 3.8 ��� 4
�� 99
Cisco Secure PIX Firewall 157
Check Point FireWall-1 173
Check Point FireWall-1� �� 173
Cisco Secure IDS� �� 133
Cisco Secure PIX Firewall 157
Host IDS 184
Network IDS 201
Network IDS� �� 201
tecad_logfile.cds 46
tecad_logfile.fmt 17, 18, 45, 46
tecad_nt.fmt 17, 45, 46
TEC-Region policy region 99
Tivoli
�� �� xxi
� �� � �� xxii
�� � ��(ACF) xix
�� � ����(ACP) xix
�� � ��� xxii
Event Integration Facility(EIF) xix, 313
Risk Manager 7
Risk Manager ��� � 32
Risk Manager� ��� �� 13
TEC �� �� 15
Tivoli Enterprise Console �� 13
Tivoli Decision Support 207
Tivoli Enterprise Console(TEC �) xix, 316
TME ��
�� �� ��� � 44
� 42
� 46
�� 317
�� 46
Risk Manager �� �� �� 44
Web IDS �� 112
Transmission Control Protocol/Internet Protocol(TCP/IP) xix
trusted host
�� 61
trusted �� 125
W
W3C �� 116
W3C � �� �� 116
Web IDS
�� �� 127
�� �� � 127
�� 118
�� �� � 127
��� ��� 118
� 113
�� 105
� 120
��� �� �� 107
��� �� �� � 115
� �� ��� �� 122
� �� �� �� �� �� 123
��� ��� �� �� �� 124
��� � �� �� 125
��� � ��� � 126
���� � � 107
�� ��� �� 122
�� ��� �� 122
� ��� �� � � 123
AIX �� � 38
iPlanet � � � 116
Microsoft Internet Information � � 116
Perl � �� 107
sig.nefarious �� �� 108
Solaris �� � 40
TEC �� �� 112
trusted �� �� �� �� 125
Web IDS �� 259
Web IDS �
Solaris �� 40
Web IDS � ��� �� 117
webids � 120
webids.baroc 17
webids.bat 118, 120, 121
webids.nt.fmt �� �� 18
Windows ���
�� � 41
Check Point FireWall-1 �� � 174
��� ���
.baroc �� (BAROC �� �) 16
.cds(��� �� �� �) 17