RSA, The Security Division of EMC, releases Patch 7 for RSA enVision® 4.0 Service Pack 4.

12:22 AM


Note
Updated April 17, 2012

Description:
This RSA enVision patch provides a roll-up of hot fixes. Please read the release notes for more information. https://knowledge.rsasecurity.com.

Platforms:
This patch can be installed on RSA enVision 4.0 SP4.

Recommendation:
RSA, The Security Division of EMC strongly recommends installing these patches for RSA enVision 4.0.

Downloading the Patches:
To download RSA enVision 4.0 SP4 patches, please log on to RSA SecurCare Online at https://knowledge.rsasecurity.com and navigate to the RSA enVision product page.

Obtaining Downloads:
To obtain the latest RSA product downloads, log on to RSA SecurCare Online at https://knowledge.rsasecurity.com and click Products in the top navigation menu. Select the specific product whose download you want to obtain. Scroll to the section for the product download that you want and click on the link.

Obtaining Documentation:
To obtain RSA documentation, log on to RSA SecurCare Online at https://knowledge.rsasecurity.com and click Products in the top navigation menu. Select the specific product whose documentation you want to obtain. Scroll to the section for the product version that you want and click the set link.

Obtaining More Information:
For more information about RSA enVision, visit the RSA web site at http://www.rsa.com/node.aspx?id=3170.

Getting Support and Service:
For customers with current maintenance contracts, contact your local RSA Customer Support center with any additional questions regarding this RSA SecurCare Note. For contact telephone numbers or e-mail addresses, log on to RSA SecurCare Online at https://knowledge.rsasecurity.com, click Help & Contact, and then click the Contact Us - Phone tab or the Contact Us - Email tab.

General Customer Support Information:
http://www.rsa.com/node.aspx?id=1264

RSA SecurCare Online:
https://knowledge.rsasecurity.com

EOPS Policy:
RSA has a defined End of Primary Support policy associated with all major versions. Please refer to the link below for additional details.
http://www.rsa.com/node.aspx?id=2575


About RSA SecurCare Notes & Security Advisories Subscription
RSA SecurCare Notes & Security Advisories are targeted e-mail messages that RSA sends you based on the RSA product family you currently use. If you’d like to stop receiving RSA SecurCare Notes & Security Advisories, or if you’d like to change which RSA product family Notes & Security Advisories you currently receive, log on to RSA SecurCare Online at https://knowledge.rsasecurity.com/scolcms/help.aspx?_v=view3. Following the instructions on the page, remove the check mark next to the RSA product family whose Notes & Security Advisories you no longer want to receive. Click the Submit button to save your selection.
(By RSA Customer Support)

-Regards,
Blackhattrick.com
(Googlethewebsite.blogspot.com/blackhattrick.blogspot.com)

LCD screen on enVision Appliance displays a message

10:44 AM
Fact
enVision Core 3.7.1
60 series
Symptom
"e1211 ROMB Batt" seen on LCD
Change
The appliance unit may have been turned off for a period of time, perhaps during shipment.
Cause
The battery power is low for the SCSI controller; this does not affect the operation of the system.
Fix
Follow the instructions below to recharge the battery:
1. Power down the appliance unit and unplug the power cord.
2. Plug the power cord back into the appliance but DO NOT switch it back on, as this will charge the battery.
3. Let the battery charge for a minimum of three hours; the preference would be to charge the battery for twenty-four hours.
4. After charging the battery, switch the appliance unit back on and the message should clear itself.
Please contact RSA Customer Support if the problem persists.



note
Refer also to the document "enVision appliance RAID controller battery" for additional information.



Nuggets found on E drive

10:44 AM
Goal
How to recover nuggets on E drive from alternate nugget directory?
Fact
nuggets
tmp directory
%_enVision%\tmp\nuggets directory
Cause
Nuggets (.nug files) can be written to the E: drive if the storage location has run out of space. When space is freed up, these nuggets are not processed.
Fix
enVision version 4.0 and higher
In the e:\%_ENVISION%\etc folder, locate the pi.ini file.
Add the following line:
PACKAGER_ALT_DIRECTORY_CHECK=60

Restart the NIC Packager Service

The 60 corresponds to 60 minutes. This means that every 60 minutes the alternate nugget directory will be searched for nuggets.

The search commences when the 60 minutes has elapsed.  At this time, each processing thread in the packager will search N directories every minute, if there are no nuggets to process in the primary nugget directory.



Web Management is working but the Java Analysis applet fails

10:43 AM
Goal
Be able to view the Java Analysis applet
Fact
enVision is behind a firewall and its IP address is translated (NAT)
enVision Core 3.7.0
Symptom
Normal web-management is ok but the Analysis applet (requiring Java) fails with the following error:
JAVA Console message:
load: class com.opensystems.ls.eventviewer.EventViewer.class not found.
java.lang.ClassNotFoundException: com.opensystems.ls.eventviewer.EventViewer.class
at sun.plugin2.applet.Applet2ClassLoader.findClass(Unknown Source)
at java.lang.ClassLoader.loadClass(Unknown Source)
at java.lang.ClassLoader.loadClass(Unknown Source)
at sun.plugin2.applet.Plugin2ClassLoader.loadCode(Unknown Source)
at sun.plugin2.applet.Plugin2Manager.createApplet(Unknown Source)
at sun.plugin2.applet.Plugin2Manager$AppletExecutionRunnable.run(Unknown Source)
at java.lang.Thread.run(Unknown Source)
Caused by: java.io.IOException: open HTTP connection failed:<
http://<IP ADDRESS>:8080/lseventviewer/com/opensystems/ls/eventviewer/EventViewer/class.class>
at sun.plugin2.applet.Applet2ClassLoader.getBytes(Unknown Source)
at sun.plugin2.applet.Applet2ClassLoader.access$000(Unknown Source)
at sun.plugin2.applet.Applet2ClassLoader$1.run(Unknown Source)
at java.security.AccessController.doPrivileged(Native Method)
Exception: java.lang.ClassNotFoundException: com.opensystems.ls.eventviewer.EventViewer.class
Fix
1. Confirm that you can access the Analysis applet when logged directly into the A-SRV.
2. Confirm that port 2010/tcp is open between the client machine and the D-SRV using telnet. If the port is not open, configure your firewalls accordingly.
3. Confirm that the NAT'd IP address is set correctly in the enVision Administration GUI (click 'Overview' - 'System Configuration' - 'Services' - 'Setup Site Communication').
4. Make sure the Internal IP is used for the LAN interface on the enVision Appliance and External is used if NAT is required.
5. Using Remote Desktop, connect to the existing enVision Appliance IP address. Click 'Start' - 'Control Panel' - 'Network Connections' - 'LAN' - 'Properties', highlight 'Internet Protocol TCP/IP' and click 'Properties'. Confirm this IP address is the same as your Internal IP Address.
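The fix steps above are manual checks from the client side. The following script is an added example (not RSA code) that automates the client-side part of them: it reads the host and port out of the "open HTTP connection failed" line of the Java console output, compares that host with the external (NAT'd) address the client should be reaching, and probes both the applet class port and the 2010/tcp port named in step 2. The console text and addresses are constructed samples, and the probe function can be swapped for a stub so the logic runs without a network.

```python
"""Client-side diagnostic for the Analysis applet failure behind NAT.

Added example, not RSA code. The console text and addresses below are
constructed samples shaped like the Java console output quoted in the post.
"""
import re
import socket

APPLET_DATA_PORT = 2010  # port named in step 2 of the fix

# Constructed sample of the relevant Java console lines (not a real capture).
SAMPLE_CONSOLE = (
    "Caused by: java.io.IOException: open HTTP connection failed:<\n"
    "http://192.0.2.5:8080/lseventviewer/com/opensystems/ls/eventviewer/"
    "EventViewer/class.class>\n"
)


def applet_codebase(console_text):
    """Return (host, port) that the applet tried to load its classes from, or None."""
    match = re.search(r"https?://([^/:>\s]+):(\d+)/", console_text)
    if match is None:
        return None
    return match.group(1), int(match.group(2))


def tcp_reachable(host, port, timeout=3.0):
    """True if a TCP connection to host:port succeeds from this client."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def diagnose(console_text, external_ip, probe=tcp_reachable):
    """Return a list of findings; an empty list means nothing obvious is wrong.

    external_ip is the NAT'd address the client is expected to use; probe is a
    callable (host, port) -> bool, replaceable with a stub for offline use.
    """
    codebase = applet_codebase(console_text)
    if codebase is None:
        return ["no applet codebase URL found in the console output"]
    host, port = codebase
    findings = []
    if host != external_ip:
        # The applet page handed the browser an address the client cannot use:
        # this is the Setup Site Communication / Internal vs External IP case (steps 3-4).
        findings.append(
            f"applet codebase points at {host}, not the external address "
            f"{external_ip}; check Setup Site Communication (step 3)"
        )
    if not probe(host, port):
        findings.append(f"{host}:{port} (applet classes) is not reachable from this client")
    if not probe(host, APPLET_DATA_PORT):
        findings.append(
            f"{host}:{APPLET_DATA_PORT} (applet data channel, step 2) "
            "is not reachable from this client"
        )
    return findings


if __name__ == "__main__":
    # Constructed external address; replace with the NAT'd address of your A-SRV.
    for line in diagnose(SAMPLE_CONSOLE, "203.0.113.10"):
        print(line)
```

Paste the real console output into `SAMPLE_CONSOLE` (or read it from a file) and pass the NAT'd address your clients should be using; a codebase host that differs from it points at step 3, while an unreachable port points at the firewall check in step 2.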



enVision: Log Record Change: Log index above newest record collecting Windows logs

10:43 AM

Fact
RSA enVision 4.0 SP2
Symptom
Log Record Change: Log index above newest record
Cause
There are three known reasons for getting this error.
Fix
- The event log on the device was disabled.
- enVision has become out of sync with the counter of the log. This is fixed by deleting the Windows device in enVision and re-adding it (under Manage Windows Service). Running "wintool reset" will also clear the condition.
- The administrator was clearing out/deleting event logs.




RSAENVISIO-Event Explorer Lab: Run a Command

10:42 AM

Enable an analyst with the power to quickly launch an external application from within Event Explorer. Targets could include custom in-house scripts or NetWitness integration.
In this exercise you will create a custom run command that will initiate a geolocation IP lookup from Event Explorer.
1. Create a new batch file on the Desktop called ipinfodb.cmd
2. Right-click on the file, select "Edit with Notepad++", and enter the following code:
@echo off
REM Takes the IP address passed by Event Explorer as the first argument (%1)
REM and submits it to the ipinfodb.com website using Internet Explorer.
set ipaddress=%1
REM Placeholder: the lab text does not give the lookup URL; put the ipinfodb.com URL here.
start "" "iexplore.exe" "http://ipinfodb.com/LOOKUP_URL_PLACEHOLDER?ip=%ipaddress%"
exit
3. Log into Event Explorer
4. Click Tools > Command Manager
5. Click the New Command button.
6. Click the File Browse button and navigate to the Desktop (where you created the ipinfodb.cmd file). Select the file and click OK.

7. Click OK again to return to the main Event Explorer workbench.
8. ALT+Click on a data point in one of your Trace Views, to bring up the detailed data for that point.
9. In the Data Point window: Right-Click on an IP Address in the DestinationAddress column, hover over Run, and finally select the ipinfodb.cmd option.

Exercise Complete: This will run the batch script created earlier. The script will load Internet
Explorer and navigate to the URL specified in the script. Note how the IP address is included.
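The value handed to the run command is whatever string sits in the clicked column, and that string came from a collected log, so a run command should only act on it once it has checked that it really is an IP address. The following guarded launcher is an added example (not the lab's batch file) that performs that check before building the lookup URL and opening the browser; the URL template is a placeholder because the lab text does not give the ipinfodb.com lookup URL.

```python
"""Guarded launcher for an Event Explorer run command.

Added example, not the lab's batch file. Event Explorer passes the clicked
field value as the first argument; this wrapper opens the browser only when
that argument parses as an IP address. The URL template is a placeholder.
"""
import ipaddress
import sys
import urllib.parse
import webbrowser

# Placeholder: replace with the ipinfodb.com lookup URL used in the lab.
LOOKUP_URL_TEMPLATE = "http://ipinfodb.com/LOOKUP_PATH_PLACEHOLDER?ip={ip}"


def parse_ip(value):
    """Return the normalized address if value is a valid IPv4/IPv6 address, else None."""
    try:
        return str(ipaddress.ip_address(value.strip()))
    except ValueError:
        return None


def build_lookup_url(value):
    """Return the lookup URL for value, or None if value is not an IP address."""
    ip = parse_ip(value)
    if ip is None:
        return None
    # Percent-encode so the address can only ever appear as the query value.
    return LOOKUP_URL_TEMPLATE.format(ip=urllib.parse.quote(ip, safe=""))


def main(argv):
    """Exit codes: 0 launched, 1 argument rejected, 2 usage error."""
    if len(argv) != 2:
        print("usage: ipinfodb.py <ip address>", file=sys.stderr)
        return 2
    url = build_lookup_url(argv[1])
    if url is None:
        print(f"not an IP address, nothing launched: {argv[1]!r}", file=sys.stderr)
        return 1
    webbrowser.open(url)  # opens the default browser on the lookup URL
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Point the Command Manager entry at a small .cmd that calls this script with `%1`, and a data-point value that is not an address is logged to stderr instead of being placed on a command line.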

 






RSAENVISION - Event Explorer Lab: Advanced Tables and Watchlists

10:42 AM

Use Case: The ability to include Watchlists in Charts or Tables is a powerful tool. Embedding Watchlists enables analysts to update the contents of Charts and Tables without editing the View Properties. This is especially useful when working with Advanced Charts and Tables.

Function: in_watchlist(field, 'watchlist name')
Example: where [not] in_watchlist(address1, 'Problem IPs')
Explanation: WHERE the IP address in the table column address1 is [not] in the "Problem IPs" Watchlist.
Exercise: This exercise will introduce you to the "in_watchlist" function.
1. Select one of your Event Traces (or create a new one), go to Trace Views and add an Advanced Table. If creating a new Event Trace for this exercise, try creating a trace that is specific to the DeviceType you will be looking at in the Trace View.
2. Name the new table "[DeviceType] [EventCategoryName] Address Pairs - Top 25". The DeviceType and EventCategory are your choice. For this exercise, we will be using Tipping Point as the device type and Attacks as the EventCategoryName, but substitute whatever makes sense in your environment.
3. Add the following SQL into the editor:
select top 25
details2 as "Signature",
address1 as "Source Address",
address2 as "Destination Address",
count(*) as "Frequency"
from Stream
where devicetype in ('tippingpoint')
and eventcategoryname like 'Attacks%'
group by details2,
address1,
address2
order by count(*) desc

4. Click OK to close the SQL editor.
5. Click Finish and start the Trace.
The newly created Advanced Table will display the top Source/Destination Address Pairs by Signature along with the frequency.

Now you will create a Watchlist to use in filtering the Source Addresses.
6. Click Tools > Watchlist Manager
7. Click the New Watchlist button to open the New Watchlist Details window. (Your entries for IP addresses will vary.)
- Name: Problem IPs
- Description: List of Problem IP Addresses
- Entry 1: 66.30.194.215
- Entry 2: 224.245.254.245


8. Click OK to accept the new entries.
9. Click OK to close the Watchlist Manager.
Now that the Watchlist is created, you will modify the Advanced Table to use the Watchlist.
10. Right-Click the Advanced Table and select Properties.
11. Update the SQL Query to match the following:
select top 25
details2 as "Signature",
address1 as "SourceAddress",
address2 as "DestinationAddress",
count(*) as "Frequency"
from Stream
where devicetype in ('tippingpoint')
and eventcategoryname like 'Attacks%'
and in_watchlist(address1, 'Problem IPs') -- This is the new line.
group by details2,
address1,
address2
order by count(*) desc

Note how the Advanced Table has been updated to only include Source Addresses in the "Problem IPs" watchlist.


12. Now Right-Click the Advanced Table and select Properties.

13. Finally, update the SQL Query so the in_watchlist function is preceded by "not":

where devicetype in ('tippingpoint')
and eventcategoryname like 'Attacks%'
and not in_watchlist(address1, 'Problem IPs')
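To see what the two versions of the query (with and without `not`) return on known data, the following added example (not enVision code) runs the lab's Advanced Table query against a constructed Stream table in SQLite. SQLite has neither `TOP` nor `in_watchlist`, so `top 25` becomes `limit 25` and `in_watchlist` is registered as a Python function backed by a local dict that holds the "Problem IPs" watchlist from steps 6 and 7; the column names are the ones the lab's query uses and every row is constructed for the example.

```python
"""The lab's Advanced Table query with and without the in_watchlist() filter,
run against a constructed Stream table in SQLite.

Added example, not enVision code: TOP becomes LIMIT and in_watchlist is a
Python function registered with the SQLite connection.
"""
import sqlite3

# The watchlist created in steps 6-7 of the lab.
WATCHLISTS = {"Problem IPs": {"66.30.194.215", "224.245.254.245"}}

# Constructed events: (devicetype, eventcategoryname, details2, address1, address2).
SAMPLE_EVENTS = [
    ("tippingpoint", "Attacks", "Sig-A", "66.30.194.215", "10.1.1.10"),
    ("tippingpoint", "Attacks", "Sig-A", "66.30.194.215", "10.1.1.10"),
    ("tippingpoint", "Attacks", "Sig-B", "198.51.100.7", "10.1.1.11"),
    ("tippingpoint", "Attacks: Probe", "Sig-C", "224.245.254.245", "10.1.1.12"),
    ("tippingpoint", "Informational", "Sig-D", "66.30.194.215", "10.1.1.13"),  # wrong category
    ("ciscoasa", "Attacks", "Sig-E", "66.30.194.215", "10.1.1.14"),  # wrong device type
]


def in_watchlist(value, name):
    """SQL-callable stand-in for enVision's in_watchlist(field, 'watchlist name')."""
    return 1 if value in WATCHLISTS.get(name, set()) else 0


def open_stream():
    """Build an in-memory Stream table with in_watchlist() available to SQL."""
    conn = sqlite3.connect(":memory:")
    conn.create_function("in_watchlist", 2, in_watchlist)
    conn.execute(
        "create table Stream (devicetype, eventcategoryname, details2, address1, address2)"
    )
    conn.executemany("insert into Stream values (?, ?, ?, ?, ?)", SAMPLE_EVENTS)
    return conn


def top_pairs(conn, negate=False):
    """Top source/destination pairs by signature whose source is [not] in the watchlist."""
    prefix = "not " if negate else ""
    sql = f"""
        select details2 as "Signature",
               address1 as "SourceAddress",
               address2 as "DestinationAddress",
               count(*) as "Frequency"
        from Stream
        where devicetype in ('tippingpoint')
          and eventcategoryname like 'Attacks%'
          and {prefix}in_watchlist(address1, 'Problem IPs')
        group by details2, address1, address2
        order by count(*) desc
        limit 25
    """
    return conn.execute(sql).fetchall()


if __name__ == "__main__":
    conn = open_stream()
    print("in watchlist:", top_pairs(conn))
    print("not in watchlist:", top_pairs(conn, negate=True))
```

The two result sets partition the rows that pass the device-type and category filters: the watchlist version keeps only the Sig-A and Sig-C pairs, and the `not` version keeps only Sig-B, which is the split step 13 of the lab is meant to show.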





RSAENVISION - Advanced Correlation Lab: Build a Correlation Rule for VM Relocation (Part 1)

10:41 AM

Part I: Overview and Framing The Problem
In this lab exercise we will show you how to create a correlation rule in RSA enVision that can be used to issue an alert when a VM is relocated away from a PCI scope ESX server.

Why is this important?  With a physical infrastructure, you may architect physical separation of your PCI environment from your non-PCI environment.  (Picture two rooms: a PCI room and a non-PCI room.)  In that physical infrastructure, you would notice when someone relocates a server from the PCI room to the non-PCI room.  With a virtual infrastructure, it’s much harder to notice when a change like this occurs.  Organizations can leverage correlation rules within enVision to alert when this type of activity takes place.

We will define two Circuits:

Circuit 1: Contains the vCenter event(s) associated with the relocate action.

Circuit 2: Contains the ESX / ESXi event(s) associated with the relocate action.

Under these Circuits, we will nest and define four Statements:

Statement 1: The first statement is nested under our first Circuit group.  This statement contains the technical criteria we are looking for from vCenter.  In this case, we are looking for the specific Event ID VirtualMachine.relocate.

Statement 2: The second statement is the first of three statements nested under our second Circuit group.  This statement contains the first piece of technical criteria we are looking for from the ESX hosts.  In this case, we are looking for the Event Id TaskEvent on any ESX server within our PCI-Scope-ESX-Servers device group.

Statement 3: The second of the three statements nested under the second Circuit group, this statement contains the second piece of technical criteria we are looking for from the ESX hosts.  For this statement, we are looking for the Event Id VmBeingRelocatedEvent on any ESX server within our PCI-Scope-ESX-Servers device group.

Statement 4: The last of the three statements nested under the second Circuit group, this statement contains the final successful relocation event we are looking for from the ESX hosts.  For this statement, we are looking for the Event Id VmRelocatedEvent on any ESX server that was not within our PCI-Scope-ESX-Servers watchlist.

Once the Circuits and Statements have been defined, we also have to define a variable on which our Event messages could be multi-threaded—that is, “linked together” with.  In this case, we use the variable ID which ties directly to the VMware EventChain Id.  This is how we ensure we are following a string of messages across the Vblock VMware infrastructure.

The following diagram shows how the nesting of the circuits, statements, and message criteria is logically structured within RSA enVision.


As you can see, the Correlation Rule structure within RSA enVision allows for very detailed definition of rule logic.  This enables the user to build very complex rule sets quickly and easily within the RSA enVision Administrative interface.
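To make the circuit and statement logic concrete before building it in the GUI, the following added example (not an enVision rule export) models the two circuits and four statements above as predicates over a list of constructed events, groups the events on the EventChain Id (the ID variable described above) and returns the chain ids for which every statement matched. The event ids are the ones named in the statements, and the PCI-Scope-ESX-Servers addresses are the ones used later in Part 2; the field names (`chain_id`, `device`, `event_id`), the vCenter device name and the non-PCI host address are assumptions made for the example, and the same address set stands in for both the device group and the watchlist. The simulation ignores event ordering and time windows, which the real rule also has to consider.

```python
"""Simulation of the VM-relocation correlation rule described in Part 1.

Added example, not an enVision rule export. Field names, the vCenter device
name and the non-PCI host address are assumptions made for the example.
"""
from collections import defaultdict

PCI_SCOPE_ESX = {"10.241.109.44", "10.241.109.45"}  # PCI-Scope-ESX-Servers (Part 2)
VCENTER = "vcenter01"  # constructed vCenter device name


# Circuit 1, Statement 1: the vCenter relocate event.
def s1(e):
    return e["device"] == VCENTER and e["event_id"] == "VirtualMachine.relocate"


# Circuit 2, Statement 2: TaskEvent on a PCI-scope ESX host.
def s2(e):
    return e["device"] in PCI_SCOPE_ESX and e["event_id"] == "TaskEvent"


# Circuit 2, Statement 3: VmBeingRelocatedEvent on a PCI-scope ESX host.
def s3(e):
    return e["device"] in PCI_SCOPE_ESX and e["event_id"] == "VmBeingRelocatedEvent"


# Circuit 2, Statement 4: VmRelocatedEvent on a host outside the PCI scope.
def s4(e):
    return e["device"] not in PCI_SCOPE_ESX and e["event_id"] == "VmRelocatedEvent"


CIRCUITS = [[s1], [s2, s3, s4]]

# Constructed events keyed by the EventChain Id (the rule's ID variable).
SAMPLE_EVENTS = [
    {"chain_id": 1001, "device": VCENTER, "event_id": "VirtualMachine.relocate"},
    {"chain_id": 1001, "device": "10.241.109.44", "event_id": "TaskEvent"},
    {"chain_id": 1001, "device": "10.241.109.44", "event_id": "VmBeingRelocatedEvent"},
    {"chain_id": 1001, "device": "10.241.109.99", "event_id": "VmRelocatedEvent"},  # leaves PCI scope
    {"chain_id": 1002, "device": VCENTER, "event_id": "VirtualMachine.relocate"},
    {"chain_id": 1002, "device": "10.241.109.45", "event_id": "TaskEvent"},
    {"chain_id": 1002, "device": "10.241.109.45", "event_id": "VmBeingRelocatedEvent"},
    {"chain_id": 1002, "device": "10.241.109.44", "event_id": "VmRelocatedEvent"},  # stays in scope
    {"chain_id": 1003, "device": "10.241.109.44", "event_id": "TaskEvent"},
    {"chain_id": 1003, "device": "10.241.109.99", "event_id": "VmRelocatedEvent"},  # no vCenter event
]


def correlate(events):
    """Return the sorted chain ids for which every statement of every circuit matched."""
    by_chain = defaultdict(list)
    for e in events:
        by_chain[e["chain_id"]].append(e)
    hits = []
    for chain_id, chain_events in by_chain.items():
        # A circuit fires when each of its statements is satisfied by some event
        # in the chain; the rule fires when every circuit fires.
        if all(
            any(statement(e) for e in chain_events)
            for circuit in CIRCUITS
            for statement in circuit
        ):
            hits.append(chain_id)
    return sorted(hits)


if __name__ == "__main__":
    for chain_id in correlate(SAMPLE_EVENTS):
        print(f"alert: VM relocated out of PCI scope, EventChain Id {chain_id}")
```

Only chain 1001 fires: chain 1002 is a relocation between two PCI-scope hosts, so Statement 4 never matches, and chain 1003 has no vCenter VirtualMachine.relocate event, so Circuit 1 never matches.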





Advanced Correlation Lab: Build a Correlation Rule for VM Relocation (Part 2)

10:41 AM

Part II: Getting Started: The Device Group and Watchlist
In this lab exercise we will show you how to create a correlation rule in RSA enVision that can be used to issue an alert when a VM is relocated away from a PCI scope ESX server.

Before we start, we will define a device group and watchlist, which the rule will refer to later.  You may already have a similar device group and watchlist in your environment, or you may need to create it along with us.

We start by creating a static device group.  Navigate to the Overview Tab, in the menu on the left:

- Select System Configuration
- Expand Devices
- Select Manage Device Group Filters
- Click the Add Static button at the bottom of the window on the right.

 

Under the Manage Static Device Group Filters – Add/Modify Filter window, fill in the fields using the information in the screenshot below.  Once complete, click the Add button towards the bottom of the window.


You will be presented with a device filter window.  Here you can build a where statement to narrow down the devices you want to add to your device group. 

- Click the Add button to add multiple levels to the where statement filter.
- Click the Apply button to apply your filter to the device list.
- For our example, we will build our statement filter using the values shown in the screenshot, but your IP addresses will obviously be different.
- Once complete, select the checkbox(es) next to the IP address of the devices you want to add to the filter.
- Click the OK button to save the device list.


You will now be returned to the Manage Static Device Group Filters – Add/Modify Filter window.  The devices you selected using the where statement filter will be displayed below.

- Click the Apply button.


- Upon clicking Apply, you will be presented with an information box informing you that certain services may need to be restarted before you can use this Device Group. This applies to Device selection during Alert creation, etc.
- Click OK to acknowledge.


You will now be returned to the Manage Device Group Filters window.  You can see the newly created Device Group listed including the Type. 


- By clicking on the Show Devices button, you can review what devices are included in the Device Group.


The Static Device Group is now available for use in alert rule creation, analysis, etc.

We’ll now add a static watchlist:

Navigate to the Overview Tab, in the menu on the left:

- Select System Configuration
- Expand Watchlists
- Select Manage Watchlists
- Click the Add button at the bottom of the window on the right.


Under the Manage Watchlists – Add/Modify Watchlist window, fill in the fields using the information in the table below.  Once complete, click the Add button towards the bottom of the window to add values to the watchlist.

- For this watchlist, we will explicitly specify the device addresses of our PCI Scope ESX Servers (yours will be different):
  10.241.109.44
  10.241.109.45
- Once complete, click Apply to accept the values and create the watchlist.






RSAENVISION - Advanced Correlation Lab: Build a Correlation Rule for VM Relocation (Part 3)

10:40 AM


Part III: Circuit #1, Statement #1: The vCenter Event
In this lab exercise we will show you how to create a correlation rule in RSA enVision that can be used to issue an alert when a VM is relocated away from a PCI scope ESX server.

The first statement is nested under our first Circuit group.  This statement contains the technical criteria we are looking for from vCenter.  In this case, we are looking for the specific Event ID VirtualMachine.relocate.

First we add a new rule.

Under the Manage Correlation Rules – Add/Modify Rule window, fill in the fields using the information in the table below.  Once complete, click the Add Circuit button towards the bottom of the window.


Under the Add/Modify Circuit Definition window, fill in the fields as shown below.  Once complete, click the Add Statement button towards the bottom of the window.

 

Under the Add/Modify Statement window, perform the following steps.  A screenshot is included below.

- Fill in the Statement label with "A VirtualMachine.relocate event has occurred"
- Under the Threshold Definition section:
  - Click the Consider every event radio button
- Under the Device Selection section:
  - Click the Select devices by Device Class/Type radio button
  - Click the Add button
  - Select Host.Virtualization/VMware vCenter in the drop down box
- Under the Event Selection section:
  - Click the Add button
  - Under Event Type, select Event ID for VMware vCenter in the drop down boxes
  - Under Comparison, select IN in the drop down box
  - Under Value, click the […] button
  - Browse for the VirtualMachine.relocate Event Id, and click the Select button

(You can use the browser find function, Ctrl-F, to quickly find the Event in this window.)

- Click the Apply button towards the bottom of the window.

 

  
You will now be returned to the Add/Modify Circuit Definition window.  Here you will see the statement you just created.  Click the Apply button towards the bottom of the window.


You will now be returned to the Manage Correlation Rules – Add/Modify Rule window. 





