HP ProCurve Threat Management Solution Implementation Guide 2009-05
3-52
HP ProCurve Network Immunity Manager with a Third-Party IDS/IPS
Step 2: Detect Threats
7. Optionally, test the IPS configuration to verify that it is responding to malicious traffic.
a. You can use port scanning software to probe ports on your network in such a way that
the sensor detects it as malicious traffic. A common program for scanning ports in this
way is NMAP (which is available at www.insecure.org). NMAP was run in the example
network from one of the computers, using this command:
nmap -p0-65535 -sT <target IP address>
This caused repeated connection requests to a wide range of ports on one of the
computers in the data center (that is, the scans traversed the IPS), which the IPS
interpreted as an attack on the host.
b. Check the sensor’s event log for security events to verify that the IPS is detecting the
attack.
i. Click Monitoring in the toolbar at the top of the Web browser interface.
ii. Click Events in the left navigation bar.
iii. Configure the options on the Monitoring > Sensor Monitoring > Events window so
that the types of events you want to view are listed.
Figure 3-51. Setting Filters for the Events List
iv. Click View to see the event list. Depending on the options you selected for viewing
the logs, the event list will display a variety of detected events. You might find the
Event ID useful for correlating events on the sensor with events received by PCM+
on the management station.
In the example network, the Produce Alert action was included for the 3002 TCP
SYN Port Sweep signature, and an event action override with a risk rating of Low
caused the event to be listed in the event log.
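To show what the 3002 TCP SYN Port Sweep signature is looking for in the scan traffic generated above (one source probing many ports on one host in a short time), here is an added example, not from the guide or from the sensor's own code, that runs a simple sweep detector over constructed connection-log lines; the log format, addresses, timestamps, threshold and window are assumptions made for the example.

```python
# Toy port-sweep detector for the behaviour the 3002 TCP SYN Port Sweep signature
# alerts on: one source probing many distinct ports on one host in a short time.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed connection-attempt log (format invented here): "<ts> <src> -> <dst>:<port> SYN"
SAMPLE_LOG = """\
2009-05-01T10:00:00 10.0.1.20 -> 10.0.2.5:22 SYN
2009-05-01T10:00:00 10.0.1.20 -> 10.0.2.5:23 SYN
2009-05-01T10:00:01 10.0.1.20 -> 10.0.2.5:25 SYN
2009-05-01T10:00:01 10.0.1.20 -> 10.0.2.5:80 SYN
2009-05-01T10:00:02 10.0.1.20 -> 10.0.2.5:110 SYN
2009-05-01T10:00:02 10.0.1.20 -> 10.0.2.5:135 SYN
2009-05-01T10:00:03 10.0.1.20 -> 10.0.2.5:443 SYN
2009-05-01T10:00:05 10.0.1.30 -> 10.0.2.5:443 SYN
2009-05-01T10:00:06 10.0.1.30 -> 10.0.2.5:443 SYN
2009-05-01T10:00:00 10.0.1.40 -> 10.0.2.5:21 SYN
2009-05-01T10:00:12 10.0.1.40 -> 10.0.2.5:22 SYN
2009-05-01T10:00:24 10.0.1.40 -> 10.0.2.5:23 SYN
2009-05-01T10:00:36 10.0.1.40 -> 10.0.2.5:25 SYN
2009-05-01T10:00:48 10.0.1.40 -> 10.0.2.5:80 SYN
"""

def parse_line(line):
    ts, src, _arrow, dst_port, _flag = line.split()
    dst, port = dst_port.rsplit(":", 1)
    return datetime.fromisoformat(ts), src, dst, int(port)

def detect_port_sweeps(log_text, threshold=5, window_seconds=10):
    """Return {(src, dst): most distinct ports seen inside any window} for pairs
    that reach `threshold`; repeated hits on a single port never count as a sweep."""
    window = timedelta(seconds=window_seconds)
    hits = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, src, dst, port = parse_line(line)
            hits[(src, dst)].append((ts, port))
    alerts = {}
    for pair, events in hits.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # advance the window start until the span of events fits inside `window`
            while events[end][0] - events[start][0] > window:
                start += 1
            distinct = len({p for _, p in events[start:end + 1]})
            if distinct >= threshold:
                alerts[pair] = max(alerts.get(pair, 0), distinct)
    return alerts
```

Only 10.0.1.20 is flagged with the defaults: 10.0.1.30 repeats one port, and 10.0.1.40 spreads its probes 12 seconds apart so no 10-second window ever holds five ports, which is why a slow scan evades a short-window threshold unless the window is widened.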