H3c-technologies H3C Intelligent Management Center User Manual

H3C Intelligent Management Center
User Behavior Auditor Administrator Guide
Hangzhou H3C Technologies Co., Ltd.
http://www.h3c.com
Software version: IMC UBA 7.1 (E0301)
Document version: 5PW101-20140827

Content summary

Page 1

H3C Intelligent Management Center User Behavior Auditor Administrator Guide Hangzhou H3C Technologies Co., Ltd. http://www.h3c.c

Page 2

1 1.Overview User Behavior Auditor (UBA) is an IMC service component used to audit flow records that are generated by network devices. By analyzing fl

Page 3 - Preface

2 3. Configure source data devices or probes. If you choose Flow, NAT, NetStream, or NetFlow for generating flow records, configure the corresponding

Page 4 - Network topology icons

3 2.Quick start guide The following information guides you quickly through the main functions of the UBA component. UBA navigation menu UBA provides a

Page 5 - Obtaining documentation

4 2. From the left navigation tree, click Traffic Analysis and Audit to expand the UBA navigation menu. For more information about each menu item'

Page 6 - Documentation feedback

5 Item Function Settings Provides access to the management and configuration functions such as device management, probe management, server configurati

Page 7 - Contents

6 UBA workflow To configure a user behavior audit task to audit user behaviors: 1. Add a device or probe to UBA. 2. Modify the server configuration

Page 8

7 • General Audit. • NAT Audit. • Web Visiting Audit. • FTP Audit. • Mail Audit. The Web Visiting Audit, FTP Audit, and Mail Audit are special au

Page 9

8 Setting the query time Use one of the following methods to set the start time and end time of a time range: • Enter time in the Start Time and End

Page 10 - 1.Overview

9 Customizing UBA lists 1. Click Custom in a UBA list. The Column List window appears. The Column Name column displays all column names of the UBA li

Page 11 - Processing flow records

10 3.Settings The Settings page allows you to manage UBA data sources, configure UBA servers, create user behavior audit tasks, and view audit result

Page 12 - 2.Quick start guide

Copyright © 2011-2014, Hangzhou H3C Technologies Co., Ltd. and its licensors All rights reserved No part of this manual may be reproduced or transmi

Page 13

11 Managing UBA data sources Managing UBA data source devices Viewing UBA data source device list 1. Access the Settings page. 2. In the Settings ar

Page 14 - Navigation tree pop-up menus

12 Adding a UBA data source device You can add data source devices either by adding devices manually or by selecting devices from the IMC Platform. •

Page 15 - UBA workflow

13 The sampling rate is in the range of 1 to 65536. The value of 1 indicates that the sampling rate is 1:1, and the value of 100 indicates that the sa

Page 16 - Common operations

14 − Contact—Enter the contact name information you want to search by. This field supports fuzzy matching. − Location—Enter the location information

Page 17 - Setting the query time

15 2. In the device list, click the Modify icon for the UBA data source device you want to modify. The Modify Device page appears. 3. Modify devi

Page 18 - Customizing UBA lists

16 ○ IP—IP address of the probe. ○ Description—Description for the probe. ○ Enable Layer 7 Application Identification—Indicates whether Layer 7 app

Page 19 - 3.Settings

17 Managing UBA servers The Server Management feature in UBA allows you to manage the configuration of all UBA servers, whether or not the UBA server

Page 20 - Managing UBA data sources

18 ○ FTP Username—Username of the FTP account used by probes to upload data to the UBA server. ○ Traffic Analysis Log Aggregation Policy—Aggregation

Page 21

19 f. From the Traffic Analysis Log Aggregation Policy list, select one of the following aggregation policies: − No Aggregation (Best Report Timelin

Page 22

20 Managing user behavior audit The user behavior audit management function allows you to perform the following tasks: • Add, view, modify, and delet

Page 23

Preface The H3C IMC User Behavior Auditor Administrator Guide includes 11 chapters, which describe how to configure UBA to process data and present re

Page 24 - Managing probes

21 ○ Last 1 hour—View the audit results generated in the last one hour. ○ Last 2 hours—View the audit results generated in the last two hours. ○ Cu

Page 25 - Deleting a probe

22 ○ Disk Usage—Usage of the disk space where the database files reside. NOTE: The database space management function is unavailable when UBA us

Page 26 - Managing UBA servers

23 Managing data export The data export function allows you to view data export logs, modify data export configuration, and audit exported log files.

Page 27

24 Data Export Log List contents ○ Date of Exported Data—Date when the exported data is generated, in the format of YYYY-MM-DD. ○ Table Name—Name of

Page 28

25 4. Run the log file audit tool. 5. In the Basic Settings area, perform the following tasks: a. Click File Path. On the dialog box that appears,

Page 29 - Managing user behavior audit

26 ○ Protocol—Protocol type for the application. ○ Port—Port number for the Layer 4 application. This field is empty for Layer 7 application. ○ App

Page 30 - Managing database space

27 • A custom application takes precedence over a predefined application when the port number or port number range of the custom application is the s

Page 31

28 b. Select Yes from the Enable list if you want to enable the application. Select No if you do not want to enable the application. 9. Click OK to

Page 32 - Managing data export

29 4. Click OK. Deleting an application You can delete only custom applications. To delete a custom application from UBA: 1. Access the Application

Page 33

30 • Minus sign (-)—Represents a range if it is not the first or last character within the brackets. For example, [a-c] matches any lower-case charac

Page 34 - Managing applications

Convention Description TIP An alert that provides helpful information. Network topology icons Represents a generic network device, such as a router

Page 35 - Adding an application

31 100000. The default value is 1000. After completing the configuration, click OK next to the Max. Displayed Entries for Audit field. ○ DNS Setting—

Page 36

32 2. In the filter strategy list, click a filter strategy name. The Filter Strategy Details page appears. Basic Information area ○ Name—Name of the

Page 37 - Modifying an application

33 c. In the Source Port field, enter the source port number. d. In the Destination Host field, enter the destination IP address. You can enter an I

Page 38 - Deleting an application

34 UBA provides the following predefined anomaly detection templates. You cannot add or delete anomaly detection templates, but you can modify them. •

Page 39 - Managing system parameters

35 • Ping of Death Attack—Used to attack hosts or network devices. The attacker sends large ICMP packets of more than 65507 bytes in size, which caus

Page 40 - Managing filter strategies

36 ○ Window Size (1 to 10 min)—Set the size of the time window in the range of 1 to 10 minutes. After completing the configuration, click OK next to

Page 41 - Adding a filter strategy

37 Viewing details about an anomaly template that uses type-specific parameters Table 3 shows the anomaly detection templates that use their respectiv

Page 42 - Managing anomaly detection

38 anomaly templates that use type-specific parameters, see "Modifying an anomaly template that uses common parameters." DHCP Offer Packet

Page 43

39 4.Managing general audit General audit tasks allow you to audit user behaviors according to the source IP address, destination IP address, source p

Page 44

40 Adding a general audit task 1. Access the User Behavior Audit Management page. 2. In the user behavior audit task list, click Add. The Select Aud

Page 45

Documents Purposes SQL Server 2008 R2 Installation and Configuration Guide Guides you through installing SQL Server 2008 R2 for IMC. SQL Server 2012 I

Page 46

41 d. Select the Source Port and Destination Port options and enter the source and destination port numbers in the format of 21 or 21-100. e. Select

Page 47 - Ping of Death Attack

42 The audit result list for a general audit task displays the following contents: • Start Time—Start time of the user behavior. • End Time—End time

Page 48 - 4.Managing general audit

43 Deleting general audit tasks Deleting a general audit task from UBA does not delete the flow records associated with the task prior to the deletion

Page 49 - Adding a general audit task

44 5.Managing NAT audit NAT audit tasks allow you to audit user behaviors according to the IP addresses and the port before and after translation. Vie

Page 50

45 The Access User, Terminal Type, and Operating System fields are displayed only when UBA works with UAM. 7. Click Back to return to the User Behavi

Page 51

46 − NAT Mapping—Indicates one-on-one NAT mapping. Only the source IP address, transferred IP address, and time fields are valid in the flow records.

Page 52 - Deleting general audit tasks

47 − In the Query Applications window that appears, enter an application name in the Application field. This field supports fuzzy matching. Select No

Page 53 - 5.Managing NAT audit

48 • NAT IP—Source IP address after translation. • NAT Port—Source port number after translation. • Terminal Type—Type of the endpoint used by the

Page 54 - Adding a NAT audit task

49 6.Managing Web visiting audit Web visiting audit tasks allow you to audit user behaviors of Web visiting and view websites that users have visited

Page 55

50 Adding a Web visiting audit task 1. Access the User Behavior Audit Management page. 2. In the user behavior audit task list, click Add. The Selec

Page 56

Technical support [email protected] http://www.h3c.com Documentation feedback You can e-mail your comments about product documentation to [email protected].

Page 57 - Deleting NAT audit tasks

51 a001:410:0:1::1/64 An example of a valid IPv6 address entry: a001:410:0:1::1-a001:410:0:1::100 d. Select the Destination Port option and enter th

Page 58

52 The Terminal Type and the Operating System columns are displayed only when UBA works with UAM. Viewing audit results for a Web visiting audit task

Page 59 - 1.1.1.1-2.2.2.2

53 1. Access the User Behavior Audit Management page. 2. In the user behavior audit task list, perform one of the following tasks: ○ To delete a We

Page 60

54 7.Managing FTP audit FTP audit tasks allow you to audit user behaviors of FTP file transferring, and view the FTP account a user uses and the files

Page 61

55 Adding an FTP audit task 1. Access the User Behavior Audit Management page. 2. In the user behavior audit task list, click Add. The Select Audit

Page 62

56 An example of a valid IPv6 address entry: a001:410:0:1::1-a001:410:0:1::100 d. Select the Destination Port option and enter the destination port

Page 63 - 7.Managing FTP audit

57 Viewing audit results for an FTP audit task by group You can select one of the following group types from the Group list: Not Group, Source, Destin

Page 64 - Adding an FTP audit task

58 8.Managing mail audit Mail audit tasks allow you to audit user behaviors of sending and receiving mails, and view the mail senders, mail receivers,

Page 65

59 Adding a mail audit task 1. Access the User Behavior Audit Management page. 2. In the user behavior audit task list, click Add. The Select Audit

Page 66 - Deleting FTP audit tasks

60 a001:410:0:1::1/64 An example of a valid IPv6 address entry: a001:410:0:1::1-a001:410:0:1::100 d. Select the Destination Port option and enter th

Page 67 - 8.Managing mail audit

i Contents 1.Overview

Page 68 - Adding a mail audit task

61 The Terminal Type and the Operating System columns are displayed only when UBA works with UAM. Viewing audit results for a mail audit task by group

Page 69

62 9.User behavior audit and audit analysis User behavior audit 1. Click the Service tab. 2. From the navigation tree, select User Behavior Audit. T

Page 70 - Deleting mail audit tasks

63 ○ Top 10 Destination Host—Displays the top 10 destination IP addresses with the most audit results and the percentage of audit results of each des

Page 71 - User behavior audit analysis

64 10.Managing behavior audit reports UBA uses the report management function of the IMC Platform to display the behavior audit reports. UBA provides

Page 72

65 ○ From the Type list, select Behavior Audit Report and click Query. The template list displays all templates whose type is Behavior Audit Report.

Page 73

66 Figure 8 Application weekly report Modifying a behavior audit report 1. Click the Report tab. 2. Click My Real Time Reports to expand the real-

Page 74

67 Deleting a behavior audit report Deleting a behavior audit report does not delete the flow records associated with the report prior to the deletion

Page 75

68 11.UBA configuration example The following information provides an example for using IMC UBA and H3C NetStream to monitor and audit private network

Page 76

69 Software version used This configuration example was created and verified on the following platforms: • IMC PLAT 7.1 (E0301) • IMC UBA 7.1 (E0301

Page 77 - 11.UBA configuration example

70 Configuring UBA Adding the NetStream device to UBA 1. Click the Service tab. 2. From the navigation tree, select Traffic Analysis and Audit >

Page 78 - Software version used

ii Viewing the filter strategy list

Page 79 - Configuring UBA

71 ○ Use the default settings public and 161 for SNMP Community and SNMP Port, respectively. Make sure the settings are the same as those on the devi

Page 80

72 5. Enter intranet IP addresses in the Intranet Monitor Information area, and click Add. The intranet network segments are displayed in the Intrane

Page 81

73 Figure 13 Adding a custom general audit task 4. Enter General Audit in the Name field. 5. Select 127.0.0.1 from the Server list. 6. Select Mee

Page 82 - Verifying the configuration

74 Figure 14 Viewing the audit task 2. Click the Audit icon for General Audit. It takes time to generate the result. You can see the information

Page 83

75 Figure 16 Viewing audit results by group

Page 84

iii Viewing audit results for a mail audit task
