McAfee®
Network Protection
Industry-leading network security solutions
System Status Monitoring Guide
McAfee® Network Security Platform
Network Security Manager
version 6.0
revision 3.0
COPYRIGHT
Copyright ® 2001 - 2010 McAfee, Inc. All Rights Reserved. No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into
any language in any form or by any means without the written permission of McAfee, Inc., or its suppliers or affiliate companies.
Issued SEPTEMBER 2010 / System Status Monitoring Guide
700-2375-00/ 3.0 - English
iii
Contents
Preface vi
Introducing McAfee Network Security Platform vi
About this Guide vi
Audience vi
Conventions used in this book vii
Related Documentation vii
Contacting Technical Support ix
Chapter 1 Using the Threat Analyzer 1
Defining terms 1
The life cycle of an alert 2
Understanding the alert cache and the database 2
Host Intrusion Prevention alerts 4
Chapter 2 Navigating to the Threat Analyzer 5
Real-Time Threat Analyzer 6
Historical Threat Analyzer 6
Selecting time constraints for Historical Threat Analyzer 6
Sample drilldown scenario 7
Threat Analyzer Home 8
Chapter 3 Alert Aggregation in Network Security Central Manager 10
Threat Analyzer of the Central Manager 10
Understanding alert aggregation and monitoring in Central Manager 11
Navigating to the Threat Analyzer from the Central Manager 12
Central Manager Threat Analyzer Home 13
Chapter 4 Viewing Alerts Dashboards 14
NSP Health view 14
Customized Dashboards and Monitors 15
Monitoring Sensor Performance metrics 27
Messages from McAfee 36
Status of Activities 36
Operational Status Summary 36
Sensor Update Summary 36
Viewing Operational Status 37
Viewing IPS alerts summary 38
Time view 39
Consolidated view 40
Viewing NAC summary 44
NTBA 45
The NTBA Monitors 46
Chapter 5 Viewing Alerts details 50
Viewing alert attributes 51
Action buttons 53
Alerts view: Right-click options 54
Sorting alerts by attributes 57
Viewing data in the Count view 59
Sorting alerts using multiple criteria 60
Creating display filters for alerts 61
Acknowledging alerts 62
Show details of a specific attack 64
Viewing the Attack-Type 65
Performing a response action 70
Viewing a packet log 71
Sending a TCP Reset 72
Blocking further DoS packets for statistical attacks 72
Configuring attack filter association 73
Viewing and editing attack responses 75
Running a script 75
Viewing and saving an Evidence Report 77
IPS Quarantine options in Alerts page 78
Adding hosts for IPS Quarantine from the Alerts page 78
Quarantine of hosts from Alert Details 79
Manual Quarantine of a Host 81
Quarantining options for NTBA Policy Violation Alerts, Botnet, and Behavioral Alerts 82
Performing an NSLookup 84
Querying host details from the ePO server 84
Viewing details of Source and Destination Hosts 85
Viewing host details using IP address 88
Deleting alerts 93
Hiding alerts 93
Creating incidents 94
Adding alerts to an incident 96
Adding occurrences to an incident 96
Exporting incidents 97
Identifying new attacks in the Threat Analyzer 97
Setting preferences for viewing new threats 98
Viewing the first seen alerts in the Alerts page 100
Assigning a new threats monitor to a new dashboard 100
Chapter 6 Viewing Hosts details 104
Viewing host attributes 106
Hosts view: right-click options 106
NAC options in the Hosts page 107
Creating display filters for hosts 109
Viewing historical host data using display filter 110
IPS Quarantine options from the Hosts page 111
Chapter 7 Using Incident Viewer 113
Viewing incidents 115
Chapter 8 Viewing Host Forensics 116
Viewing ePO Information 116
Viewing host details using IP address 116
Launching ePO console from the Host Forensics page 118
Viewing Latest events from the Host Forensics page 119
On-demand Scan of Hosts listed in Alerts in the Threat Analyzer 120
Viewing Vulnerability Manager scans 122
Vulnerability Manager scan option 123
Rescanning the host 126
Concurrent scans 126
Fault messages for Vulnerability Manager on-demand scan 127
Vulnerability Manager scan from Hosts page 127
Network scenarios for Vulnerability Manager scan 128
Chapter 9 Setting Preferences 131
General Panel 131
Enabling IP address name resolution 132
Alerts View Panel 134
Hosts View Panel 135
Watch List 136
Historical Constraints 138
Chapter 10 Monitoring Operational Status 140
Operational Status condition indicator 140
Operational Status interface 141
Viewing a summary of selected fault messages 144
Fault window action buttons 144
Viewing the details of a specific fault 145
Action buttons 146
System fault messages 146
Index 147
Preface
This preface provides a brief introduction to the product, discusses the information in this
document, and explains how this document is organized. It also lists the supporting
documents for this guide and explains how to contact McAfee Technical Support.
Introducing McAfee Network Security Platform
McAfee® Network Security Platform [formerly McAfee® IntruShield®] delivers the most
comprehensive, accurate, and scalable Network Access Control (NAC), network Intrusion
Prevention System (IPS) and Network Threat Behavior Analysis (NTBA) for mission-critical
enterprise, carrier and service provider networks, while providing unmatched protection
against spyware; known, zero-day, and encrypted attacks.
McAfee® Network Threat Behavior Analysis Appliance provides the capability of monitoring
network traffic by analyzing NetFlow information flowing through the network in real time,
thus complementing the NAC and IPS capabilities in a scenario in which McAfee Network
Security Sensor, NAC Sensor, and NTBA Appliance are installed and managed through a
single Manager.
About this Guide
This System Status Monitoring Guide covers two functions of the Threat Analyzer
interface: monitoring alerts and monitoring system health.
The Alerts section describes the Threat Analyzer functionality, configuration, and field
descriptions. The Operational Status section describes the health interface and the
messages related to the status of your installed Network Security Platform components.
This guide will walk you through:
Using the Threat Analyzer (on page 1): gives you detailed information on how to
navigate through the Threat Analyzer, starting the Threat Analyzer, generating user
incidents, and setting the Threat Analyzer preferences.
Operational Status: details the functional status for all of your installed Network
Security Platform IPS components, Operational Status indicators, and viewing
summaries of selected faults in the Operational Status interface.
Audience
This guide is intended for use by network technicians responsible for maintaining McAfee®
Network Security Manager and analyzing and disseminating the resulting data. It is
assumed that you are familiar with IPS-related tasks, the relationship between tasks, and
the commands necessary to perform particular tasks.
Conventions used in this book
This document uses the following typographical conventions:
Convention: Terms that identify fields, buttons, tabs, options, selections, and commands on
the User Interface (UI) are shown in Arial Narrow bold font.
Example: The Service field on the Properties tab specifies the name of the requested service.
Convention: Menu or action group selections are indicated using a right angle bracket.
Example: Select My Company > Admin Domain > Summary.
Convention: Procedures are presented as a series of numbered steps.
Example: 1. On the Configuration tab, click Backup.
Convention: Names of keys on the keyboard are denoted using UPPER CASE.
Example: Press ENTER.
Convention: Text such as syntax, key words, and values that you must type exactly are
denoted using Courier New font.
Example: Type: setup and then press ENTER.
Convention: Variable information that you must type based on your specific situation or
environment is shown in italics.
Example: Type: Sensor-IP-address and then press ENTER.
Convention: Parameters that you must supply are shown enclosed in angle brackets.
Example: set Sensor ip <A.B.C.D>
Convention: Information that you must read before beginning a procedure or that alerts you
to negative consequences of certain actions, such as loss of data, is denoted using this
notation.
Example: Caution:
Convention: Information that you must read to prevent injury, accidents from contact with
electricity, or other serious consequences is denoted using this notation.
Example: Warning:
Convention: Notes that provide related, but non-critical, information are denoted using this
notation.
Example: Note:
Related Documentation
The following documents and on-line help are companions to this guide. Refer to the Quick
Tour for more information on these guides.
Quick Tour
Installation Guide
Upgrade Guide
Getting Started Guide
IPS Deployment Guide
Manager Configuration Basics Guide
I-1200 Sensor Product Guide
I-1400 Sensor Product Guide
I-2700 Sensor Product Guide
I-3000 Sensor Product Guide
I-4000 Sensor Product Guide
I-4010 Sensor Product Guide
M-1250/M-1450 Sensor Product Guide
M-1250/M-1450 Quick Start Guide
M-2750 Sensor Product Guide
M-2750 Quick Start Guide
M-3050/M-4050 Sensor Product Guide
M-3050/M-4050 Quick Start Guide
M-6050 Sensor Product Guide
M-6050 Quick Start Guide
M-8000 Sensor Product Guide
M-8000 Quick Start Guide
Gigabit Optical Fail-Open Bypass Kit Guide
Gigabit Copper Fail-Open Bypass Kit Guide
10 Gigabit Fail-Open Bypass Kit Guide
M-8000/M-6050/M-4050/M-3050 Slide Rail Assembly Procedure
M-2750 Slide Rail Assembly Procedure
M-series DC Power Supply Installation Procedure
Administrative Domain Configuration Guide
Manager Server Configuration Guide
CLI Guide
Device Configuration Guide
IPS Configuration Guide
NAC Configuration Guide
Integration Guide
System Status Monitoring Guide
Reports Guide
Custom Attack Definitions Guide
Central Manager Administrator's Guide
Best Practices Guide
Troubleshooting Guide
Special Topics Guide—In-line Sensor Deployment
Special Topics Guide—Sensor High Availability
Special Topics Guide—Virtualization
Special Topics Guide—Denial-of-Service
NTBA Appliance Administrator's Guide
NTBA Monitoring Guide
NTBA Appliance T-200 Quick Start Guide
NTBA Appliance T-500 Quick Start Guide
Contacting Technical Support
If you have any questions, contact McAfee for assistance:
Online
Contact McAfee Technical Support.
Registered customers can obtain up-to-date documentation, technical bulletins, and quick
tips on McAfee's 24x7 comprehensive KnowledgeBase. In addition, customers can also
resolve technical issues with the online case submit, software downloads, and signature
updates.
Phone
Technical Support is available 7:00 A.M. to 5:00 P.M. PST Monday-Friday. Extended 24x7
Technical Support is available for customers with Gold or Platinum service contracts.
Global phone contact numbers can be found on the McAfee Contact Information page.
Note: McAfee requires that you provide your GRANT ID and the serial number of
your system when opening a ticket with Technical Support. You will be provided with
a user name and password for the online case submission.
Chapter 1
Using the Threat Analyzer
The Threat Analyzer is used for the analysis of the alerts detected by your McAfee®
Network Security Platform [formerly McAfee® IntruShield®] Sensors as well as those
processed by an integrated Host Intrusion Prevention Server. The Threat Analyzer works
in conjunction with the policies applied to your McAfee® Network Security Sensor and Host
Intrusion Prevention Sensors. For more information on policies, see
IPS Configuration Guide.
When a transmission violating your enforced security policies is detected by a Sensor, the
Sensor compiles information about the offending transmission and sends this "attack" data
to McAfee® Network Security Manager in the form of an alert. Alert details include
transmission data such as source and destination IP addresses in the packet, as well as
security analysis information (performed by the Sensor) such as attack type and severity.
Alerts are backed up to the database and archived in order of occurrence.
Note: Security analysis information can be determined by a signature match, set
threshold parameters, and abnormal spiking in traffic levels. All of these measures
are enforced through policy configuration and application.
The Threat Analyzer opens in a separate browser window from that of the Manager Home
page, providing a concentrated view for alert analysis. When you open the Threat
Analyzer, you specify a time frame to retrieve alerts from the database. The Manager
retrieves the alerts matching your criteria and displays them in the Threat Analyzer. By
examining and acknowledging the alerts, you can use the information your analysis
provides to determine your system weaknesses and modify your defenses.
Note: If you make configuration changes while a Threat Analyzer session is open, those
changes will not be visible in the Threat Analyzer until it is closed and re-opened.
Configuration changes include changing the policy of a VIPS; splitting a port pair into two
single ports and applying a separate policy to each port; exporting a User-defined
Signature to the Manager's attack database and then applying a policy containing custom
attacks to a VIPS; and any other configuration change that affects policy application.
Defining terms
An attack is any violation of your set McAfee® Network Security Platform policy
parameters. An alert is one or more attack instances.
In many cases, an alert represents a single detected attack. A multi-attack alert is
generated when multiple instances of identical attacks (same source IP, destination IP,
specific attack name, and VIPS [interface or sub-interface ID where the alert was detected])
are detected within a two-minute period (by default); data for all such attacks is throttled
into one alert instance. You can also configure how many of the throttled attacks you want
to see in an individual alert (for more information, see Configuring alert suppression with
packet log response, Device Configuration Guide). Each of the two main views (see
Navigating to the Threat Analyzer (on page 5)) of the Threat Analyzer distinguishes
between attacks and alerts, so it is important to note the difference.
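The throttling rule above, modelled in Python as an added illustration (not McAfee's own code): identical attacks are keyed on source IP, destination IP, attack name and VIPS, folded into one alert per two-minute window, and only a configurable number of instances (the assumed `retain_per_alert` parameter) is kept with the alert; the attack records are constructed samples.

```python
"""Model of multi-attack alert throttling as the guide describes it.

Added illustration, not McAfee code: attack instances sharing the same
(source IP, destination IP, attack name, VIPS) key that fall within the same
two-minute window (the default) are folded into a single alert. The number
of instances retained per alert is configurable; `retain_per_alert` is an
assumed name for that setting. The sample attack records are constructed.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

ThrottleKey = Tuple[str, str, str, str]


@dataclass
class AttackInstance:
    """One policy violation as reported by a Sensor."""
    seen_at: datetime
    source_ip: str
    dest_ip: str
    attack_name: str
    vips: str  # interface or sub-interface ID where the attack was detected

    def key(self) -> ThrottleKey:
        return (self.source_ip, self.dest_ip, self.attack_name, self.vips)


@dataclass
class Alert:
    """One Threat Analyzer alert: one or more throttled attack instances."""
    first_seen: datetime
    key: ThrottleKey
    attack_count: int = 0
    retained: List[AttackInstance] = field(default_factory=list)


def throttle_attacks(
    attacks: List[AttackInstance],
    window: timedelta = timedelta(minutes=2),
    retain_per_alert: int = 3,
) -> List[Alert]:
    """Fold identical attacks seen within `window` into one alert each.

    The attack count is always recorded, even when an instance's details
    are not retained because the per-alert retention limit was reached.
    """
    open_alerts: Dict[ThrottleKey, Alert] = {}
    alerts: List[Alert] = []
    for attack in sorted(attacks, key=lambda a: a.seen_at):
        current = open_alerts.get(attack.key())
        # Start a new alert when this key has none yet or its window lapsed.
        if current is None or attack.seen_at - current.first_seen >= window:
            current = Alert(first_seen=attack.seen_at, key=attack.key())
            open_alerts[attack.key()] = current
            alerts.append(current)
        current.attack_count += 1
        if len(current.retained) < retain_per_alert:
            current.retained.append(attack)
    return alerts


def sample_attacks() -> List[AttackInstance]:
    """Constructed sample: one source hitting one host repeatedly, a second
    hit on another host, and a late repeat that falls in a new window."""
    base = datetime(2010, 9, 1, 12, 0, 0)
    attacks = [
        AttackInstance(base + timedelta(seconds=10 * i),
                       "172.26.23.145", "10.0.0.5", "HTTP: Example Probe", "1A")
        for i in range(5)  # five hits within 40 seconds
    ]
    attacks.append(AttackInstance(base + timedelta(seconds=15),
                                  "172.26.23.145", "10.0.0.9",
                                  "HTTP: Example Probe", "1A"))  # other dest
    attacks.append(AttackInstance(base + timedelta(minutes=3),
                                  "172.26.23.145", "10.0.0.5",
                                  "HTTP: Example Probe", "1A"))  # new window
    return attacks


if __name__ == "__main__":
    for alert in throttle_attacks(sample_attacks()):
        print(alert.first_seen, alert.key, "attacks:", alert.attack_count,
              "retained:", len(alert.retained))
```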
The life cycle of an alert
Alerts exist in one of three states:
Unacknowledged
Acknowledged
Marked for deletion
When an alert is raised, it appears in McAfee Network Security Manager (Manager) in an
unacknowledged state. Unacknowledged means that you have not officially recognized its
presence by marking it acknowledged. An alert remains in an unacknowledged state until
you either acknowledge it or delete it.
Unacknowledged alerts display in the Unacknowledged Alert Summary section of the Home
page and in the Real-Time Threat Analyzer. Acknowledging alerts dismisses them from these
views. Acknowledged alerts display only in the Historical Threat Analyzer and in reports.
Deleting an alert both acknowledges it and marks it for deletion. The alert is not actually
deleted until a scheduled Disk Space Maintenance takes place. At that time, McAfee Network
Security Platform deletes those alerts marked for deletion and those alerts meeting the
deletion criteria specified in the scheduler (older than 30 days, for example), whether or
not they have been manually marked for deletion.
Note: For more information on Disk Maintenance, see Managing your database's
disk space, Manager Server Configuration Guide.
Alerts are backed up to the database and archived in order of occurrence. Deleted alerts
are removed from the database.
Understanding the alert cache and the database
The Threat Analyzer facility operates in the following manner: the Manager receives alerts
from the Sensors and orders them by alert timestamp, with the most recent alerts listed
first. All alerts are stored in the database, while a preset number of the most recent alerts
are also maintained in a cache, known as the alert cache. The alert cache contains only
unacknowledged alerts and is used exclusively by Real-Time Threat Analyzer queries; a
Historical Threat Analyzer query pulls alerts only from the database. The difference in
Threat Analyzer operations is detailed in the subsections that follow.
The following figure illustrates alert cache and database operation as it pertains to Threat
Analyzer queries.
Figure 1: Alert cache and database operations
The letters below correspond to the lettering in the illustration.
a. All alerts are received by the Manager from the reporting Sensors. The alerts are
sent to both the alert cache and the database.
b. Once the alert cache’s buffer begins to overflow, the oldest alerts are dropped
from the cache. Since no modifications have been made, the database version is
maintained and the cached version is deleted.
c. A Real-Time View query is started requesting x number of alerts. These alerts are
pulled from the alert cache.
d. If during a Real-Time analysis an alert is Acknowledge[d] or Delete[d], the altered
alert file is forwarded to the database and the database version is updated with
the recent changes. The interaction between a Real-Time Threat Analyzer and
the database is one way; that is, alert record changes can be pushed from the
Real-Time Threat Analyzer, but a Real-Time Threat Analyzer does not receive
any data from the database.
e. During a Real-Time analysis, new alerts are received from the alert cache as they
are reported, refreshing every 5 seconds. Since the Real-Time Threat Analyzer
has a maximum number of alerts that can be viewed at a time, the oldest alerts
are dropped to accommodate new alerts. Since no modifications have been
made, the database version is maintained and the cached version is deleted.
f. A Historical query pulls alerts only from the database; there is no interaction
between the alert cache and a Historical query. There is no refresh of newer
alerts because the Historical Threat Analyzer only requests alerts from a specific
time frame. Any alert file alteration (acknowledgement, deletion, and so forth) is
simultaneously saved to the database. Thus, the Historical Threat Analyzer can
pull and push alert records directly from the database.
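The cache-and-database behaviour in steps (a) to (f), together with the alert life cycle described earlier, modelled in Python as an added illustration (not McAfee's own code); the cache capacity, retention period, 100,000-row historical cap and sample alerts are constructed values, and class and method names are assumed for the example.

```python
"""Model of the Manager's alert cache and database as the guide describes them.

Added illustration, not McAfee code. It reproduces the lettered behaviour
above: alerts go to both cache and database (a); the bounded cache drops its
oldest entries while the database keeps them (b, e); Real-Time queries read
the cache and push acknowledgements and deletions one way into the database
(c, d); Historical queries read only the database for a time window (f); and
a deletion only marks the record until Disk Space Maintenance runs. Cache
capacity, retention period and the sample alerts are constructed values.
"""
from collections import OrderedDict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List


@dataclass
class AlertRecord:
    alert_id: int
    raised_at: datetime
    source_ip: str
    attack_name: str
    acknowledged: bool = False
    marked_for_deletion: bool = False


class AlertStore:
    """The database plus a bounded alert cache of unacknowledged alerts."""

    def __init__(self, cache_capacity: int = 4):
        self.database: Dict[int, AlertRecord] = {}
        # Insertion-ordered, so the oldest cached alert is the first key.
        self.cache: "OrderedDict[int, AlertRecord]" = OrderedDict()
        self.cache_capacity = cache_capacity

    def receive(self, alert: AlertRecord) -> None:
        """(a), (b): store every alert; the cache keeps only the newest."""
        self.database[alert.alert_id] = alert
        self.cache[alert.alert_id] = alert
        while len(self.cache) > self.cache_capacity:
            self.cache.popitem(last=False)  # drop oldest; database copy stays

    def real_time_query(self, count: int) -> List[AlertRecord]:
        """(c): a Real-Time query reads only the cache, newest first."""
        newest_first = list(reversed(self.cache.values()))
        return newest_first[:count]

    def acknowledge(self, alert_id: int) -> None:
        """(d): the change is pushed to the database; the alert leaves the
        cache because the cache holds only unacknowledged alerts."""
        self.database[alert_id].acknowledged = True
        self.cache.pop(alert_id, None)

    def delete(self, alert_id: int) -> None:
        """Deleting both acknowledges the alert and marks it for deletion."""
        self.acknowledge(alert_id)
        self.database[alert_id].marked_for_deletion = True

    def historical_query(self, start: datetime, end: datetime,
                         limit: int = 100_000) -> List[AlertRecord]:
        """(f): read only the database, acknowledged alerts included, for a
        time window, capped to the most recent `limit` alerts."""
        hits = [r for r in self.database.values()
                if start <= r.raised_at <= end]
        hits.sort(key=lambda r: r.raised_at, reverse=True)
        return hits[:limit]

    def disk_space_maintenance(self, now: datetime,
                               older_than: timedelta) -> int:
        """Purge marked alerts and any alert older than the retention limit,
        marked or not; returns the number of alerts removed."""
        doomed = [i for i, r in self.database.items()
                  if r.marked_for_deletion or now - r.raised_at > older_than]
        for alert_id in doomed:
            self.database.pop(alert_id)
            self.cache.pop(alert_id, None)
        return len(doomed)


def demo() -> AlertStore:
    """Constructed walk-through: six alerts, one minute apart, into a
    four-slot cache, then one acknowledgement and one deletion."""
    base = datetime(2010, 9, 1, 12, 0, 0)
    store = AlertStore(cache_capacity=4)
    for i in range(6):
        store.receive(AlertRecord(i, base + timedelta(minutes=i),
                                  "172.26.23.145", "Example Attack"))
    store.acknowledge(5)  # dismissed from the Real-Time view, kept in database
    store.delete(4)       # marked; still in the database until maintenance
    return store


if __name__ == "__main__":
    s = demo()
    print("real-time view:", [r.alert_id for r in s.real_time_query(10)])
    print("database rows:", sorted(s.database))
```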
Host Intrusion Prevention alerts
If integration with Host Intrusion Prevention is enabled, the Host Intrusion Prevention alerts
start to appear as soon as you start the Host Intrusion Prevention server on the ePO
console. All Host Intrusion Prevention alert data is parsed and formatted by the Manager
to resemble the Network Security Platform alert style. Note the following:
Alerts sent by Host Intrusion Prevention are maintained by the Host Intrusion
Prevention server.
All Host Intrusion Prevention alerts are categorized as Exploit alerts.
You cannot initiate responses to Host Intrusion Prevention alerts. Any responses must
be sent via the Host Intrusion Prevention console.
If a Host Intrusion Prevention alert is in the Mark as Read state before it is sent through the
Integrator, the alert appears as Acknowledged to the Manager. Thus, any Mark as Read alerts
can only be seen using a Historical Threat Analyzer query.
Note: For more information, see Integrating Host Intrusion Prevention for alert
management.
Chapter 2
Navigating to the Threat Analyzer
You can view the overall summary of alerts in the McAfee® Network Security Manager Home
page, Unacknowledged Alert Summary section.
This view displays all of the unacknowledged alerts in the logged-in domain. Within the
Threat Analyzer, alerts are presented in multiple views for detailed analysis. Alerts are
organized by system impact severity level: High, Medium, Low, and Informational (for
more information on how McAfee® Network Security Platform calculates severity level, see
IPS Configuration Guide.)
Figure 2: Navigating To The Threat Analyzer
Item Description
1 Unacknowledged alerts by severity
2 Current "monitored domain"
3 Click to open Real-time Threat Analyzer
4 Click to open Historical Threat Analyzer
To view further details on alerts, select Real-time Threats or Historical Threats from the Manager
Home page.
The Threat Analyzer Home page opens displaying the Dashboards by default.
Note: The Threat Analyzer takes a few seconds to load.
You can open multiple Threat Analyzer windows at a single time. You can also open both
Real-Time Threat Analyzer and Historical Threat Analyzer at the same time from the same
client.
The number of alerts the Threat Analyzer can display has a direct correlation to your
system's memory. Since you can access McAfee® Network Security Manager (Manager)
from the local host or a remote connection, the limit depends on the machine used for
Manager login. The memory overhead for alerts, including the code base and Java virtual
machine, is approximately 1 KB per alert when there are at least 10,000 alerts in the Threat
Analyzer (more KBs per alert when there are fewer alerts). McAfee recommends 1 GB of
RAM in your system, which enables you to handle up to 1,000,000 total alerts. If your
available memory does not meet minimum requirements or is not properly set, you could
experience memory problems.
Real-Time Threat Analyzer
The Real-Time Threat Analyzer sets the attack filter to display information retrieved from the
alert cache for a specified number of unacknowledged alerts. Once opened, the Real-Time
Threat Analyzer refreshes frequently to display the alerts that are being detected by your
Sensors, thus you can view the alerts as they happen in real time.
Historical Threat Analyzer
The Historical Threat Analyzer sets the filter to retrieve information for both acknowledged and
unacknowledged alerts archived in the database during a specified time. The Historical
Threat Analyzer does not refresh with new alerts, thus you can focus on analyzing all
alerts within the time frame you requested.
Selecting time constraints for Historical Threat Analyzer
When you click Historical Threat Analyzer from the Network Security Platform Security
Manager Home page, the Historical Constraints page is displayed.
Figure 3: Setting parameters for Historical Threat Analyzer
1 Select the Start Time and End Time for viewing alerts historical data from the database.
2 (Optional) Click More Constraints to select filtering parameters for your historical query.
Figure 4: Setting additional parameters for Historical Threat Analyzer
The parameters available for filtering your historical alerts data query are as follows:
Start Time: date and time to start range. Format is yyyy-mm-dd hh:mm:ss.
End Time: date and time to stop range. Format is yyyy-mm-dd hh:mm:ss.
Additional Constraints: this feature enables filtering of Historical alerts only. When
this dialog is opened, one or more of the following parameters can be queried to
narrow your Historical Threat Analyzer analysis:
IP Address Type: IPv4 or IPv6
Source IP
Source Port
Destination IP
Destination Port
Attack
Sensor
Application Protocol
3 Click OK when finished.
For historical queries, the maximum number of alerts that can be retrieved from the
database for a search is limited to 100,000. Thus, if there are 130,000 alerts within your
selected Start and End times, you will only see the most recent 100,000 alerts in that time
period.
Sample drilldown scenario
This example focuses on analyzing attacks originating from a specific source IP address.
For this scenario, the source IP is 172.26.23.145, and a Historical search is selected to
find all of the attacks from this source in the last 2 months. To find information specific to
this source IP address, do the following:
1 Open the Historical Threat Analyzer. The End Time lists the current system time. Configure
the Start Time to two months prior to today (that is, change the month field of
yyyy-mm-dd), and click OK.
2 Select Drilldown from the Threat Analyzer Detail view window, then select Source IP as
the category.
3 Find 172.26.23.145 in the Source IP column of the Count View table.
4 Once found, select (left-click) the row for 172.26.23.145, then right-click for further
drilldown options.
5 Select Drilldown, then select Attack to view the attacks from 172.26.23.145.
6 Repeat Step 4 and Step 5 to continue to drill down into 172.26.23.145 to view Severity,
Destination IP address, and other drilldown categories to focus your forensic analysis
for this source IP address.
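The historical query and drilldown described above (a Start/End time window in yyyy-mm-dd hh:mm:ss format, optional constraints, the most-recent-100,000 cap, then a Count View narrowed by Source IP, Attack and Severity) as an added Python model. This is example code written for this page, not code from the manual or from the product; the alert records, attack names, sensor names and all IP addresses other than 172.26.23.145 are constructed for illustration, and the field names used as constraint keys are an assumption of the example.

```python
"""Historical alert query and Count View drilldown (added example, not product code).

Models the Historical Threat Analyzer workflow: a Start/End time window in
yyyy-mm-dd hh:mm:ss format, optional equality constraints, the 100,000
most-recent-alerts cap, and successive drilldown by category.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, Iterable, List

MAX_HISTORICAL_ALERTS = 100_000          # cap stated by the manual
TIME_FMT = "%Y-%m-%d %H:%M:%S"           # yyyy-mm-dd hh:mm:ss


@dataclass(frozen=True)
class Alert:
    # Field names are an assumption of this example, chosen to mirror the
    # constraint parameters listed on the Historical Constraints page.
    time: datetime
    source_ip: str
    source_port: int
    dest_ip: str
    dest_port: int
    attack: str
    sensor: str
    app_protocol: str
    severity: str


def parse_time(text: str) -> datetime:
    """Parse the Start/End Time field format used by the Historical Constraints page."""
    return datetime.strptime(text, TIME_FMT)


def historical_query(alerts: Iterable[Alert], start: str, end: str,
                     limit: int = MAX_HISTORICAL_ALERTS, **constraints) -> List[Alert]:
    """Alerts in [start, end] matching every constraint, newest first, capped at `limit`.

    With 130,000 matching alerts and the default limit, only the most recent
    100,000 are returned, which is the behaviour the manual describes.
    """
    start_dt, end_dt = parse_time(start), parse_time(end)
    if end_dt < start_dt:
        raise ValueError("End Time must not precede Start Time")
    for key in constraints:
        if key not in Alert.__dataclass_fields__:
            raise KeyError(f"unknown constraint: {key}")
    selected = [a for a in alerts
                if start_dt <= a.time <= end_dt
                and all(getattr(a, k) == v for k, v in constraints.items())]
    selected.sort(key=lambda a: a.time, reverse=True)   # most recent first
    return selected[:limit]


def count_view(alerts: Iterable[Alert], category: str) -> Dict[str, int]:
    """Count View: number of alerts per distinct value of the chosen category."""
    return dict(Counter(getattr(a, category) for a in alerts))


def drilldown(alerts: Iterable[Alert], **selection) -> List[Alert]:
    """Narrow the alert set to the selected row (e.g. source_ip="172.26.23.145")."""
    return [a for a in alerts if all(getattr(a, k) == v for k, v in selection.items())]


def _alert(ts, src, sport, dst, dport, attack, sensor, proto, sev) -> Alert:
    return Alert(parse_time(ts), src, sport, dst, dport, attack, sensor, proto, sev)


# Constructed sample alerts: attack names, sensor names and the 10.x/192.168.x
# addresses are illustrative, not taken from the manual.
SAMPLE_ALERTS = [
    _alert("2010-03-01 09:15:00", "172.26.23.145", 40001, "10.0.0.5", 80,
           "HTTP: Directory Traversal", "sensor-1", "http", "High"),
    _alert("2010-03-10 11:20:30", "172.26.23.145", 40002, "10.0.0.5", 80,
           "HTTP: Directory Traversal", "sensor-1", "http", "High"),
    _alert("2010-04-02 14:05:10", "172.26.23.145", 40003, "10.0.0.9", 445,
           "SMB: Brute Force Login", "sensor-2", "smb", "Medium"),
    _alert("2010-04-20 08:00:00", "192.168.5.20", 51000, "10.0.0.5", 80,
           "HTTP: Directory Traversal", "sensor-1", "http", "Low"),
    # Older than the two-month window: must be excluded by the query.
    _alert("2010-01-15 10:00:00", "172.26.23.145", 40004, "10.0.0.9", 22,
           "SSH: Brute Force Login", "sensor-2", "ssh", "Medium"),
]


def run_scenario(alerts: Iterable[Alert] = SAMPLE_ALERTS,
                 now: str = "2010-04-30 12:00:00") -> Dict[str, object]:
    """The manual's scenario: two-month window, then Source IP -> Attack -> Severity."""
    start = "2010-02-28 12:00:00"      # month field moved back two months from `now`
    in_range = historical_query(alerts, start, now)
    suspect = drilldown(in_range, source_ip="172.26.23.145")
    return {
        "in_range": len(in_range),
        "by_source_ip": count_view(in_range, "source_ip"),
        "attacks": count_view(suspect, "attack"),
        "severity": count_view(suspect, "severity"),
        "destinations": count_view(suspect, "dest_ip"),
    }


if __name__ == "__main__":
    for name, value in run_scenario().items():
        print(f"{name}: {value}")
```

Running the module prints the Count View results for the sample set; the January alert from 172.26.23.145 is dropped by the time window, so only the three in-window alerts from that source appear under attacks, severity and destinations. The `limit` parameter of `historical_query` reproduces the cap behaviour: with a limit of 2 over the whole year, only the two most recent alerts come back.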
Threat Analyzer Home
The Threat Analyzer Home page is the central interface of the Threat Analyzer and
displays the Dashboards page, showing the NSP Health tab by default. The Dashboards page
is logically divided into 2 sections: the top menu bar and the lower display area.
Figure 5: Summary view: IPS tab
Item Description
1 Menu Bar area
2 Display area
Menu Bar Area: The menu bar of the Threat Analyzer Home page presents you with the
following navigation options:
Dashboards: links to the Threat Analyzer NSP Health view page. The Dashboards page
provides two default dashboards namely, NSP Health and IPS.
Alerts: links to the Threat Analyzer Alerts view page. It lists all of the attacks for the
selected time span in order of occurrence.
Hosts: links to the Hosts page. You can view the list of NAC hosts as well as IPS
hosts.
Incident Viewer: links to the Incident Viewer page. You can create user-generated
incidents to track alerts by parameters.
Host Forensics: links to the Host Forensics page. You can view the ePO and
Vulnerability Manager scan information.
Preferences: links to the Preferences page. Enables you to personally set various
options related to Threat Analyzer functionality and presentation.
Display Area: The display area of the Dashboards view page presents the following data for
the NSP Health and IPS default dashboards:
NSP Health: Sensor TCP/UDP Flow Utilization, Sensor Throughput Utilization,
Messages from McAfee, Status of Activities, Operational Status Summary, Sensor
Update Summary.
IPS: Attack Severity Summary, Attack Result Summary, RFSB Attack Summary, IPS
Quarantine Summary, Attacks Over Time (All Alerts, Attacks, Result Status, Source
IP, Destination IP).
NAC: System Health Summary, McAfee NAC Client Summary, User Type Summary,
System State Summary.
NTBA: Throughput Enterprise Traffic, Host Threat Factor, Traffic Volumes, Band
Utilization, Top files, Top URLs, Application Traffic, Protocol Distribution. For more
information see NTBA Monitoring Guide.
Note: Custom dashboards can be created using Options on the top right corner of the
Dashboards page. See Customized dashboards and monitors (on page 15).
CHAPTER 3
Alert Aggregation in Network Security Central Manager
McAfee Network Security Central Manager provides you with a single sign-on mechanism
to manage the authentication of global users across all Manager configurations. Threat
analysis tasks are performed at the Manager level and aggregated at the Network Security
Central Manager (Central Manager). Local Managers attached to the Central Manager
push new alerts and modifications into the Central Manager. These alerts are aggregated
in the Central Manager Threat Analyzer.
Alerts from the Managers managed by the Central Manager can be monitored and
managed from the Central Manager. The Real-Time Threat Analyzer of the Central
Manager consolidates alerts from the local Managers and displays them for monitoring
purposes.
Threat Analyzer of the Central Manager
The Threat Analyzer in the Central Manager aggregates alert information from the
Managers attached to the Central Manager.
The Threat Analyzer is used for analysis of alerts detected by your McAfee Network
Security Sensors integrated and configured through the Managers attached to the Central
Manager. The Threat Analyzer works in conjunction with the policies applied to your
McAfee Network Security Sensor and Host Intrusion Prevention Sensors. For more
information on policies, see IPS Configuration Guide.
When a transmission violating your enforced security policies is detected by a Sensor, the
Sensor compiles information about the offending transmission and sends this “attack” data
to the Manager in the form of an alert. Alert details include transmission data, such as
source and destination IP addresses in the packet, as well as security analysis information
(performed by the Sensor) such as attack type and severity. Alerts are backed up to the
database and archived in order of occurrence. Alerts generated in the Sensors are
aggregated and displayed in the Threat Analyzer of the Central Manager.
Note: Security analysis information can be determined by a signature match, set
threshold parameters, and abnormal spiking in traffic levels. All of these measures
are enforced through policy configuration and application.
The Threat Analyzer opens in a separate browser window from that of the Central
Manager Home page, providing a concentrated view for alert analysis. The Threat
Analyzer of the Central Manager aggregates alerts in real time. By examining and
acknowledging the alerts, you can use the information your analysis provides to determine
your system weaknesses and modify your defenses.
Note: If you make configuration changes while a Threat Analyzer session is open, those
changes will not take effect in the Threat Analyzer until it is closed and re-opened.
Configuration changes include changing the policy of a VIPS, splitting a port-pair into
two single ports and applying a separate policy to each port, exporting custom attacks
to the Manager's attack database and then applying a policy containing the custom
attacks to a VIPS, and other changes that affect policy application.
Understanding alert aggregation and monitoring in Central Manager
Alert monitoring in the Central Manager extends the model of alert monitoring in the local
Manager. Local Managers managed by the Central Manager push alerts to the Central
Manager. Alerts from the local Managers are aggregated in the Central Manager
Threat Analyzer.
Any changes triggered by a Threat Analyzer that is connected to a local Manager are
placed in the notification cache of the local Manager. These notifications are sent to
the Central Manager too. Once the Central Manager receives these notifications, it queues
them in its notification cache.
Figure 6: Alert Aggregation in Central Manager
The letters below correspond to the lettering in the illustration.
a The key components of live alerts received from Sensors are extracted and
cached in the alert cache.
b The Threat Analyzer connects to the Manager for retrieving live alerts. In the local
Manager, a secured communication is established between the local Manager
and the Threat Analyzer.
c Each local Manager pushes new alerts and modifications into the Central
Manager.
d The Threat Analyzer of the Central Manager connects to the Central Manager for
retrieving live alerts.
Navigating to the Threat Analyzer from the Central Manager
You can view the overall summary of alerts in the Unacknowledged Alert Summary section
of the McAfee Network Security Central Manager Home page.
This view displays all of the unacknowledged alerts in the logged-in domain. Within the
Threat Analyzer, alerts are presented in multiple views for detailed analysis. Alerts are
organized by system impact severity level: High, Medium, Low, and Informational. (For
more information on how McAfee Network Security Platform calculates severity level, see
IPS Configuration Guide.)
Figure 7: Navigating to the Central Manager Threat Analyzer
Item Description
1 Unacknowledged alerts by severity
2 Click to open Real-Time Threat Analyzer
To view further details on alerts, you can access the Real-time Threat Analyzer from the
Central Manager Home page.
To start an analysis of generated alerts, do the following:
1 Select the Real-time Threats option from the Central Manager Home page.
2 The Central Manager Threat Analyzer Home page opens displaying the Dashboards
view by default.
Note: The Threat Analyzer takes a few seconds to load.
You can open multiple Threat Analyzer windows at a single time.
The number of alerts the Threat Analyzer can display has a direct correlation to your
system's memory. Since you can access the Central Manager from the local host or a
remote connection, this depends on the machine used for the Central Manager logon. The
memory overhead for alerts, including the code base and Java virtual machine, is
approximately 1 KB per alert when there are at least 10,000 alerts in the Threat Analyzer
(more per alert when there are fewer alerts). McAfee recommends 1 GB of RAM in your
system which enables you to handle up to 1,000,000 total alerts. If your available memory
does not meet minimum requirements or is not properly set, you could experience memory
problems.
Central Manager Threat Analyzer Home
The Central Manager Threat Analyzer Home page is the central interface of the Threat
Analyzer and displays the Dashboards page by default. The Threat Analyzer pages are
logically divided into 2 sections: the top menu bar and the lower display area.
Figure 8: Central Manager Threat Analyzer Home Page
Item Description
1 Menu Bar area
2 Display area
Menu Bar Area: The menu bar of the Threat Analyzer Home page presents you with
the following navigation options:
Dashboards: links to the Threat Analyzer Dashboards view page. The
Dashboards page provides one default dashboard namely, IPS.
Alerts: links to the Threat Analyzer Alerts view page. It lists all of the attacks for
the selected time span in order of occurrence.
Preferences: links to the Preferences page. Enables you to personally set various
options related to Threat Analyzer functionality and presentation.
Display Area: The display area of the Dashboards view page presents the following
data for the IPS default dashboard.
IPS: Attack Severity Summary, Attack Result Summary, RFB Attack Summary,
IPS Quarantine Summary, Attacks Over Time (All Alerts, Attacks, Result Status,
Source IP, Destination IP).
NTBA: Administer the Network Threat Behavior Analyzer environment.
Note: Custom dashboards can be created using Options on the top right corner of the
Dashboards page. See Customized dashboards and monitors (on page 15).
Using the Central Manager Threat Analyzer is similar to using the Manager Threat
Analyzer. Specific differences between Central Manager Threat Analyzer and
Manager Threat Analyzer are indicated where relevant in Using the Threat Analyzer.
CHAPTER 4
Viewing Alerts Dashboards
The Dashboards page provides the following sections:
NSP Health: a dashboard to display the operation status of the Sensor. Clicking on the
chart enables you to view the faults received on each Sensor.
IPS: the default dashboard displayed in the Dashboards page to view a summary of
IPS alerts. Clicking on the chart on the IPS tab automatically takes you to the Alerts
page to view further details.
NAC: a new dashboard to display NAC alerts summary. As in the IPS tab, clicking on
the chart takes you to the Hosts page. For more information, see NAC Configuration
Guide.
NTBA: offers the full range of Network Threat Behavior Analysis (NTBA) functionality. For
more information see NTBA Monitoring Guide.
Note: In the Central Manager Threat Analyzer, the Dashboards page provides a
single dashboard namely, IPS.
NSP Health view
The Alerts Dashboards - NSP Health tab enables you to view/perform the following:
Monitoring Sensor TCP/UDP flow utilization (on page 27): Sensor TCP/UDP flow
utilization status for all the devices configured in the Manager.
Monitoring Sensor throughput utilization (on page 29): Sensor throughput utilization
status for all the devices configured in the Manager.
Viewing Messages from McAfee (on page 36): displays the latest updates and the current
version of the signature set applied to your Sensor.
Status of Activities (on page 36): displays the status of all the Sensors configured in
the Manager.
Operational Status Summary (on page 36): displays the operational status from the
Manager Home page. This Operational Status view cannot be operated in the same
manner as the Operational Status available from the Manager Home page, that is,
faults are not selectable. This view is available for a quick glance so that you
do not have to leave the Threat Analyzer to get an update on possible system faults.
Sensor Update Summary (on page 36): displays the current versions of the Sensor
software and signature set of the logged-in domain. The Update Now button updates the
Sensor configuration.
Figure 9: General View - Summary
To view the NSP Health dashboard in the Threat Analyzer, do the following:
1 Click Real-time threats from the Manager Home page.
2 Select the NSP Health tab.
Customized Dashboards and Monitors
The Threat Analyzer allows you to add your own dashboard(s) using Options on the top
right corner of the Dashboards page. You can then add monitor(s) to your dashboard(s).
A monitor is a customized page to view alerts and threats. You can either use the default
monitors or create your own. When you add a dashboard, it is initially made up of a single
window where you can assign a monitor.
Once you assign or create the first monitor, you can right-click on the name display area of
the monitor (that you have just added) to split the window vertically or horizontally. In the
split window, you can add another monitor to further build the dashboard of your choice.
You can resize each monitor window size using the drag and drop method.
Note that inside the monitors, you can switch between viewing the alerts data in bar chart
or pie chart format by clicking the small icon on the monitor’s name display area.
You can create as many dashboards as you need. If the number of dashboards increases,
the Threat Analyzer automatically provides scroll bars for ease of use.
You can perform the following actions using dashboards:
Create customized dashboards and name/rename them accordingly
Create/edit/delete multiple dashboards
Switch between the two pages of a default dashboard using the toggle
Move to the next and previous pages of multiple dashboards using the scroll bar
Move custom dashboards using the Move left/Move right buttons
Creating a Dashboard
To create a dashboard:
1 Open the Real-time Threat Analyzer from the Manager Home page.
The Dashboards page opens.
2 Click Options > Dashboard > New.
Figure 10: Threat Analyzer - Dashboard
3 Enter a name for the dashboard and click OK.
Note: No blank spaces or special characters are allowed in the Dashboard Name.
Creating a Monitor
To create a new monitor:
1 Open the Real-time Threat Analyzer from the Manager Home page.
2 Click Options > Monitor > New.
Figure 11: Creating A Monitor
Alternatively, you can create a monitor while assigning a monitor to a dashboard. See
Assigning a New Custom Monitor.