How to Create and Edit ASM Rules


Automated Security Manager rules serve two distinct functions:

  1. Examine the source of the threat (switch/port) to determine if certain conditions exist (e.g. threat category, source of the notifying IPS, policies currently applied to the port, etc.) that warrant a response.
  2. Define the action to be taken when these conditions match the criteria defined by the rule.

The Create Rule and Edit Rule windows have the same layout. Both are accessed from the Automated Security Manager Configuration Window's Rule Definitions view; the only difference is that the Edit Rule window is populated with the definition of the rule selected in the Rule Definitions view.

Editing a Rule

To edit an existing rule:

  1. Select a rule from the table in the Automated Security Manager Configuration Window's Rule Definitions view.
  2. Click Edit. The Edit Rule window opens.
  3. Go on to Step 2 in the Creating a Rule section to modify the parameters for the rule as necessary.

Creating a Rule

To create a new rule:

  1. Click Create in the ASM Configuration Window's Rule Definitions view. The Create Rule window opens.
  2. Type a Name for the rule. The name can be any character string, excluding spaces, up to 64 characters.
  3. Define the Conditions To Test For that ASM uses to determine if and how to respond to a particular event:
    1. Expand the device tree in the Group & Devices panel to select a target device or device group eligible for the action specified in the rule. For example, do not select a device or device group of a type that does not support policy if you are creating a rule whose action applies a policy. As another example, you may want to apply different actions, or actions of longer or shorter duration, for certain subnets that contain critical network resources. You can create several rules that address a particular threat and apply different actions depending on the target.
    2. Select the Event Categories that result in applying the action for this rule. To be recognized by ASM, the text string in the event message sent by the IPS must exactly match an event category name in the rule. A category name that is misspelled in the rule, or that differs from the spelling the IPS sends, never matches, and the rule silently never fires for those events.
      • Match Any - This is an unconditional match for the category.
      • Match Selected - The event category is compared against one or more categories selected from the list.
      • Exclude Selected - The event category matches if it is not one of the categories selected from the list.

      Extreme Networks IPS has four default notification rules: netsight-asm-attacks, netsight-asm-compromise, netsight-asm-informational, and netsight-asm-misuse. Each notification rule has a corresponding event category in ASM: ASM_ATTACKS, ASM_COMPROMISE, ASM_MISUSE, and ASM_INFORMATIONAL.

      For ASM's response to a serious threat to be timely and effective, it is important that ASM only be notified of serious threats. The following table lists the Extreme Networks IPS events for which notification to ASM is recommended:

      BACKDOOR:PHATBOT
      COMP:MS-DIR
      COMP:ROOT-ICMP
      COMP:ROOT-TCP
      COMP:ROOT-UDP
      COMP:SDBOT-LOGIN
      COMP:SDBOT-NETINFO
      COMP:SPYBOT-DOWNLOAD
      COMP:SPYBOT-INFO
      COMP:SPYBOT-KEYLOG
      COMP:WIN-2000
      COMP:WIN-XP
      GENERIC:UPX-EXE
      MS-BACKDOOR
      MS-BACKDOOR2
      MS-BACKDOOR3
      MS-SQL:HAXOR-TABLE
      MS-SQL:PWDUMP
      MS-SQL:WORM-SAPPHIRE
      MS:BACKDOOR-BADCMD
      MS:BACKDOOR-DIR
      SMB:SAMBAL-SUCCESS
      SSH:HIGHPORT
      SSH:X2-CHRIS
      SSH:X2-CHRIS-REPLY
    3. Select the Sender Identifiers that result in applying the action for this rule. This is a unique identifier associated with the intrusion prevention system that detected the security event.
      • Match Any - This is an unconditional match for the Sender ID.
      • Match Selected - The Sender ID is compared against one or more Sender Identifiers selected from the list.
      • Exclude Selected - The Sender ID matches if it is not one of the Sender Identifiers selected from the list.
    4. Select the Policies that result in applying the action for this rule. This attribute examines policies currently applied on the port.
      • Match Any - This is an unconditional match for a currently applied policy.
      • Match Selected - The currently applied policy is compared against one or more policies selected from the list.
      • Exclude Selected - The currently applied policy is not one of the policies selected from the list.
    5. Select the VLANs that result in applying the action for this rule. This attribute examines VLANs currently applied on the port.
      • Match Any - This is an unconditional match for a currently applied VLAN. 
      • Match Selected - The currently applied VLAN is compared against one or more VLANs selected from the list.
      • Exclude Selected - The currently applied VLAN is not one of the VLANs selected from the list.
    6. Select the Day and Time Ranges that result in applying the action for this rule.
  4. Define the action taken when the event matches the rule criteria above. You can select one of the Standard ASM Actions, define a Custom Action, or define both a Standard Action and a Custom Action. When both are defined, ASM attempts to apply both; if one fails, the other may still be applied.
     NOTES:
     1. Take care when defining both a standard and a custom action for a rule; the two actions must be independent of each other. For example, if the standard action applies a PVID to the port and the custom action runs a script, the script must not assume the PVID was applied. It should detect the case where the apply PVID failed on that port and handle it.
     2. With one exception, applied actions can be undone. The exception occurs when a rule defines both a standard ASM action and a custom action: if the standard ASM action fails, the custom action is still applied and, if it succeeds, it cannot be undone. Configure your custom action with the possible failure of the standard ASM action in mind.
    1. Standard ASM Actions: Select one of the four standard ASM actions, or None.
      • None - Take no action for this event.
      • Disable Port - Disable the port that is the source of the threat. The port can be disabled permanently or for a specific interval, depending on the Duration setting.
      • Apply Policy - A Policy you select can be applied to the port, either permanently or for a specific interval, depending on the Duration setting.

        When Apply Policy is selected and the threat is located on a port on a device that supports Multi-User Authentication (e.g., N-Series), you can apply a policy to a specific MAC address or IP address. This lets you isolate a single user instead of affecting all users on the port. You can apply a user-specific policy to an IP address or MAC address instead of changing the port policy. If the threat MAC Address is unique to a particular Threat IP (typically on devices at the edge of your network), select MAC to apply the policy to the MAC address and override its port or dynamic policy. If the threat is on a device at the core of your network and the MAC Address maps to several IP Addresses, select IP to apply the policy to the IP Address and override its port or dynamic policy.
        NOTE: Policies applied to a MAC source override policies applied to an IP source. So, if a policy is currently applied to a MAC source, applying a policy to an IP source has no effect.
      • Apply PVID - You can select a PVID from the associated drop-down menu and apply it to the port. The PVID Egress drop-down menu lets you either retain the current PVID egress state by selecting None or change the egress state to Untagged. When Untagged is selected, the PVID is applied and the egress state is set to Untagged. When None is selected, the egress state is unchanged and only the PVID is applied. If you have specified a Discard VLAN as the PVID, selecting None typically indicates traffic is discarded.
      • Notify NAC - When you select Notify NAC, ASM notifies NAC Manager in response to a real-time security threat from an end-system on the network. NAC Manager automatically adds the end-system's MAC address to the Blacklist end-system group, effectively putting the end-system in quarantine and preventing the end-system from accessing the network from any location.
    2. Custom Action: Check Custom Action and click Edit to open the Specify Program for Action window, where you can customize the response to an event by selecting a program to be executed.
      1. In the Program to run field, type the script name, if you know it, or click Select to open a file browser window and choose a script. The Program to run field does not accept options. For example, you cannot enter myscript.bat -i <IP Address> -m <MAC Address> in the Program to run field.
         TIP: To run a script that takes options, point Program to run at a wrapper script that takes no options and calls the script with options (Windows only). For example:
        1. Create a wrapper named asm_script.bat that calls myscript.bat, with an entry such as: "C:\Program Files\My Custom Files\myscript.bat" -i %1 -m %2 (the path contains spaces, so it must be quoted).
        2. Uncheck all parameters except Threat IP and Threat MAC and select Unformatted without spaces, so that no keyword (thip= or thmac=) is sent to your script. Within the wrapper, %1 then holds the <Threat IP Address> and %2 the <Threat MAC Address>.

          If you are using a Perl script, use the corresponding argument variables instead, such as $ARGV[0] (first argument) or @ARGV (all arguments). A Unix shell script works like a Windows batch file, with $1 for the first argument and $* for all arguments where the batch file uses %1 and %*.
      2. Select elements of the threat message to pass to your program from the Parameters to pass to program area.
      3. Select the format used for the information passed to your program.
        • When Formatted with keyword is selected, ASM passes the parameters to your program in a format that pairs each value with a keyword (keyword="value"). For example, if Sender Name is selected as a parameter, the keyword sname is used and the information passed to the script is sname="dragon_id", followed by a space and then the keyword and value for the next parameter. The following table lists the keyword for each parameter and the order in which the values are passed to the script (top to bottom).

          Parameter          Keyword
          Sender Name        sname
          Sender ID          sid
          Event Category     ecat
          Signature          sig
          Incident Number    incident
          Threat IP          thip
          Threat MAC         thmac
          Device IP          dev
          Device Port        port
          Rule Name          rname
          Action             action
          Details            dtls
          SNMP Parameters    see Note 1
          Status             stat

          Note 1: When you select an SNMP parameter, snmp=value gives the SNMP version and the parameters that follow carry the credentials configured for the device. When you select more than one SNMP parameter (e.g., SNMP Write and SNMP Read), the values for the highest access level selected are passed.

          SNMP v1, SNMPv2
          Parameter              Keywords
          SNMP Read              snmp="v1" ro
          SNMP Write             snmp="v1" rw
          SNMP SU/Max Access     snmp="v1" su

          SNMPv3
          Parameter              Keywords
          SNMP Read,             snmp="v3" user seclevel authtype authpwd privtype privpwd
          SNMP Write,
          SNMP SU/Max Access

          Because these credentials are passed on the command line, they are visible to anyone who can list processes on the NetSight server and may be recorded by process auditing. Select SNMP parameters only when the script actually needs them, and restrict local logon to the server.

          Example:

          If Sender Name, Sender ID, Threat MAC, and SNMP Write are selected and the device is configured for SNMPv1 credentials, the information passed to the script appears as:

          sname="my sender name" sid="dragon id" thmac="00.00.1d.11.22.33" snmp="v1" rw="public"

          And, for a script named myscript.bat, the resulting command is executed as:

          C:\Program Files\Extreme Networks\NetSight\appdata\AutoSecMgr\scripts\myscript.bat sname="my sender name" sid="dragon id" thmac="00.00.1d.11.22.33" snmp="v1" rw="public"

        • When Unformatted without spaces is selected, the parameters are passed as space-delimited, unformatted text without keywords. With this option, your script must know which parameters are being passed and the order in which they are passed. If a parameter value contains spaces, they are replaced with underscores ( _ ) before the value is passed.

          Example:

          If you select Sender Name, Sender ID, Threat MAC, and SNMP Write and the device is configured for SNMPv1 credentials, the information passed to the script appears as:

          my_sender_name dragon_id 00.00.1d.11.22.33 v1 public

          And, for a script named myscript.bat, the resulting command is executed as:

          C:\Program Files\Extreme Networks\NetSight\appdata\AutoSecMgr\scripts\myscript.bat my_sender_name dragon_id 00.00.1d.11.22.33 v1 public

      4. Click OK.
    3. You can specify a notification to be part of the rule's action. For example, you can specify an E-Mail notification sent in response to a threat. Check Notification and select the desired notification from the drop-down menu. Click Edit to open the Edit Notifications window, which lists the configured notifications. In this window, you can select a Notification to edit, or click Create to open the Create Notification window.
    4. Click Manual Confirmation Required if the action requires manual confirmation before being applied.
  5. Specify an action to undo.
    1. Define the Time before Undo for the selected action as Permanent or set to a time span of Minutes, Hours, Days, as defined in the associated field. Permanent means that ASM does not automatically undo the action after a certain time interval, but it can still be manually undone.
    2. Check Custom Undo and click Edit if you want to specify an action taken when an action is undone. This opens the Specify Program for Undo window.
      1. In the Program to run field, type a script name if known, or use the Select button to open a file browser window and choose a script. The Program to run field does not allow using options. For example, you cannot enter myscript.bat –i <IP Address> -m <MAC Address> in the Program to run field. See the Tip above for more information.
         NOTE: When a custom undo action script does not specify the path for its output, the output is placed in the <install directory>\jboss\bin directory.
      2. Select elements of the threat message to pass to your program from the Parameters to pass to program area.
      3. Select the format used for the information passed to your program.
      4. Click OK.
    3. You can specify a notification to be part of the rule's undo action. Check Notification and select the desired notification from the drop-down menu. Click Edit to open the Edit Notifications window, which lists the configured notifications. In this window, you can select a Notification to edit, or click Create to open the Create Notification window.
  6. When you are satisfied with the settings for your rule, click Apply and then Close. Your rule appears as Enabled in the Rule Definitions view table.
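The Custom Action and Custom Undo steps above describe the two argument formats ASM can use but leave the script itself to you. The following Python script is an added example, not code from this page or from Extreme Networks. It parses either format, validates the Threat IP and Threat MAC before anything is done with them, and masks the SNMP credentials before logging. Its assumptions, none of which come from the page: it is launched through a one-line wrapper batch file placed in the Program to run field (python asm_action.py keyword %* or python asm_action.py positional %*, following the TIP above, since that field takes no options); POSITIONAL_LAYOUT mirrors the parameters selected in the rule; and asm_argv is a model of how ASM builds the argument list, reconstructed from the two examples on the page so the parsers can be exercised offline.

```python
"""Custom-action / custom-undo script for ASM (added example, not Extreme's code).

Assumed wrapper, because Program to run accepts no options (the wrapper adds the mode):
    python asm_action.py keyword %*
    python asm_action.py positional %*
"""
import ipaddress
import re
import sys
from typing import Dict, List, Tuple

# Keywords in the order ASM passes them (the Parameter/Keyword table on the page).
# SNMP credential keywords follow snmp="v1"/snmp="v3" and precede stat.
KEYWORD_ORDER = ["sname", "sid", "ecat", "sig", "incident", "thip", "thmac",
                 "dev", "port", "rname", "action", "dtls", "snmp", "stat"]
SNMP_CRED_KEYS = {"v1": ["ro", "rw", "su"],
                  "v3": ["user", "seclevel", "authtype", "authpwd", "privtype", "privpwd"]}
SECRET_KEYS = {"ro", "rw", "su", "authpwd", "privpwd"}
KNOWN_KEYS = set(KEYWORD_ORDER) | set(SNMP_CRED_KEYS["v1"]) | set(SNMP_CRED_KEYS["v3"])

# Assumed rule configuration for 'Unformatted without spaces': the parameters
# selected in the rule, in order, matching the page's example (Sender Name,
# Sender ID, Threat MAC, SNMP Write on an SNMPv1 device: version, then rw community).
POSITIONAL_LAYOUT = ["sname", "sid", "thmac", "snmp", "rw"]

KEYWORD_RE = re.compile(r"^([a-z]+)=(.*)$", re.DOTALL)
MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}([.:-])(?:[0-9A-Fa-f]{2}\1){4}[0-9A-Fa-f]{2}$")


def parse_keyword_args(argv: List[str]) -> Dict[str, str]:
    """'Formatted with keyword': every argument is keyword="value". Whether the
    quotes survive into argv depends on the platform's command-line parsing, so
    keyword="value" and keyword=value are both accepted; anything else is rejected
    rather than guessed at, because the values originate in the IPS event."""
    params: Dict[str, str] = {}
    for arg in argv:
        m = KEYWORD_RE.match(arg)
        if not m or m.group(1) not in KNOWN_KEYS:
            raise ValueError(f"unexpected argument: {arg!r}")
        value = m.group(2)
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        params[m.group(1)] = value
    return params


def parse_positional_args(argv: List[str], layout: List[str]) -> Dict[str, str]:
    """'Unformatted without spaces': bare values in selection order (spaces inside
    a value have already become underscores). A count mismatch means the rule's
    parameter selection and this layout have drifted apart: fail loudly, since
    silently putting a MAC into the IP slot would act on the wrong host."""
    if len(argv) != len(layout):
        raise ValueError(f"expected {len(layout)} values {layout}, got {len(argv)}")
    return dict(zip(layout, argv))


def validate_threat(params: Dict[str, str]) -> Tuple[str, str]:
    """Return (thip, thmac), '' when absent. These fields come from the IPS event,
    so they are validated strictly and must never be spliced into a shell command
    string; hand them to subprocess.run() as separate arguments if needed."""
    thip = params.get("thip", "")
    thmac = params.get("thmac", "")
    if thip:
        ipaddress.ip_address(thip)  # ValueError on anything that is not an address
    if thmac and not MAC_RE.match(thmac):
        raise ValueError(f"malformed threat MAC: {thmac!r}")
    return thip, thmac


def redact(params: Dict[str, str]) -> Dict[str, str]:
    """Copy of params with SNMP communities and SNMPv3 passwords masked for logging."""
    return {k: ("***" if k in SECRET_KEYS else v) for k, v in params.items()}


def asm_argv(selected: Dict[str, str], formatted: bool) -> List[str]:
    """Model of the argument list ASM builds (an assumption reconstructed from the
    page's two examples, used to exercise the parsers offline): table order, SNMP
    credentials directly after snmp, keyword="value" when formatted, otherwise
    bare values with spaces replaced by underscores."""
    order = KEYWORD_ORDER[:]
    if "snmp" in selected:
        at = order.index("snmp") + 1
        order[at:at] = SNMP_CRED_KEYS[selected["snmp"]]
    return [f'{k}="{selected[k]}"' if formatted else selected[k].replace(" ", "_")
            for k in order if k in selected]


def handle(argv: List[str]) -> Dict[str, str]:
    """Entry point: argv[0] is the mode added by the wrapper, the rest is from ASM."""
    if not argv or argv[0] not in ("keyword", "positional"):
        raise SystemExit("usage: asm_action.py keyword|positional ASM_ARGS...")
    if argv[0] == "keyword":
        params = parse_keyword_args(argv[1:])
    else:
        params = parse_positional_args(argv[1:], POSITIONAL_LAYOUT)
    thip, thmac = validate_threat(params)
    # The real response (ticket, firewall call, ...) would go here; log a redacted record.
    print(f"asm action: ip={thip or '-'} mac={thmac or '-'} params={redact(params)}")
    return params


if __name__ == "__main__":
    handle(sys.argv[1:])
```

Prefer the keyword format where you can: the script then tolerates a later change to the rule's parameter selection, whereas the positional layout must be kept in step with the rule by hand, which is why parse_positional_args refuses a count mismatch instead of guessing. Any exception leaves the interpreter with a non-zero exit status, so a malformed event is recorded as a failed custom action rather than acted on; the same script, with its own POSITIONAL_LAYOUT, serves as the Custom Undo program.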
