Incident Test Tool


This tool lets you test and debug the search scopes and actions to verify ASM's response to an event.

Two levels of testing can be performed:

  • Test response by sending an SNMP trap to ASM - This level uses Console's SNMPTrap Service to receive the trap and notify ASM of the threat. This is the more comprehensive test because it simulates exactly the workings of an actual trap. This test requires that the SNMP message be correctly specified (including authentication credentials) and that Console's SNMPTrap Service is running.
    NOTES:
    1. To use the "Test response by sending an SNMP trap to ASM" level of testing, your client system must have SNMP access to the server.
    2. The NetSight SNMPTrap Service (snmptrapd) must be configured with Security User credentials and/or Engine IDs for devices from which Console's SNMPTrap Service (snmptrapd) accepts SNMPv3 Notification messages. Without this information, SNMPTrap Service drops the notification messages: the traps do not appear in the Events view and ASM does not receive notification. Refer to How to Configure the SNMP Trap Service to learn more about configuring SNMPTrap Service.

  • Test response by directly invoking ASM - This level bypasses the SNMP trap mechanism, sending the trap directly to ASM. ASM processes the threat as if it were received as a real SNMP trap message. If ASM is in Search and Respond mode, the configured action will be applied.

Specify parameters of test incident to be sent to ASM
Both levels of testing use these parameters. Your settings here define a simulated threat sent to ASM. You should specify parameters that match your settings for the Rule you are testing.
Sender ID
This is a unique identifier associated with the intrusion detection system that detected the security event.
Sender Name
The sender name being tested. This is a unique name associated with the intrusion detection system that detected the event. Sender Names are case sensitive.
Threat Category
The event category being tested. ASM's default event categories are ASM_ATTACK, ASM_COMPROMISE, ASM_INFORMATIONAL, and ASM_MISUSE. Event Category Names are case sensitive.
Signature
A signature provides a unique identifier for the threat being tested.
Threat IP
This is the IP address of the end station attached to the port where the threat is detected.
Specify additional parameters for sending SNMP trap
These parameters allow Console's SNMPTrap Service to receive a test trap and notify ASM of the threat. They allow more comprehensive testing that simulates the receipt of an actual trap by Console's SNMPTrap Service.
SNMPv3 User Name
The user name of the simulated user used for testing.
Authentication Type
The authentication method (MD5 or SHA) used for the inform message.
Authentication Password
The authentication password of the simulated user.
Privacy Type
The encryption method (DES or None) used for the inform message.
Privacy Password
The encryption password for the simulated user.
Trap Receiver
This is the system running the SNMPTrap Service.
Trap Sender
The system sending the SNMP trap.
Save Password (clear text)
When checked, the password information is saved as human readable text in the ASMClientOptions.properties file in the <user's home directory>\NetSight\AutoSecMgr\Options directory.

CAUTION: This feature is intended for use in a test environment and could present a security risk in your live network environment. It is recommended you do not select this option in a production environment.
Send Incident to ASM
Sends the test (inform) message you've configured to ASM. If you've configured your ASM Rules correctly, the message information appears in the ASM Monitor.
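
The following is an added example, not part of the original documentation or the product's own code: a check for credentials left on disk by the Save Password (clear text) option described above. It assumes saved secrets sit under property keys containing "password" (the real key names are not given on this page, and the sample keys are constructed), and it reports key names only, never values.

```python
import re
from pathlib import Path

# File location as stated on this page, relative to each user's home directory.
OPTIONS_REL = Path("NetSight", "AutoSecMgr", "Options", "ASMClientOptions.properties")
# Assumption: saved secrets use keys containing "password"; real key names are not documented here.
SECRET_KEY = re.compile(r"password", re.IGNORECASE)
KEY_VALUE = re.compile(r"((?:\\.|[^\s=:\\])+)\s*[=:]?\s*(.*)$")

def parse_properties(text):
    """Parse Java .properties text: '=', ':' or space separators, #/! comments, continuations."""
    props, pending = {}, ""
    for raw in text.splitlines():
        line = pending + raw.lstrip()
        pending = ""
        if not line or line[0] in "#!":
            continue
        if (len(line) - len(line.rstrip("\\"))) % 2:  # odd trailing backslashes: line continues
            pending = line[:-1]
            continue
        match = KEY_VALUE.match(line)
        if match:
            props[match.group(1)] = match.group(2)
    return props

def saved_password_keys(text):
    """Return names (never values) of password-like keys that hold a non-empty value."""
    return sorted(k for k, v in parse_properties(text).items()
                  if SECRET_KEY.search(k) and v.strip())

def audit_homes(homes_root):
    """Check every profile directory under homes_root for stored test-tool credentials."""
    findings = {}
    for home in sorted(Path(homes_root).iterdir()):
        options = home / OPTIONS_REL
        if options.is_file():
            # Java .properties files are ISO-8859-1 by convention.
            keys = saved_password_keys(options.read_text(encoding="latin-1"))
            if keys:
                findings[str(options)] = keys
    return findings

# Constructed sample content; the key names are hypothetical.
SAMPLE = """# constructed sample
testtool.snmp.userName=asmtest
testtool.snmp.authPassword=Example-Auth-1
testtool.snmp.privPassword =
"""

if __name__ == "__main__":
    print(audit_homes(Path.home().parent))  # e.g. C:\Users on a Windows client
```

Any path reported on a production client indicates the option was selected there; clearing the checkbox and rotating the affected SNMPv3 credentials is the follow-up.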
