To display a view, click on the view name in the Views folder on the lower-left window pane, as shown in Figure 13.1. To close the view, right-click on the Views tab and select Close from the context-sensitive menu. Note that closing the view doesn't delete it from the database; to delete the view, right-click the view from the Views folder and select Delete View from the menu.
If you want to change the data source for the view (for example, if you want to switch from the realtime events table to a previously imported file), right-click the view from the Views folder and choose Data Source from the drop-down menu to display the Change Data Source window. Choose the name of the database table of interest and click OK.
To delete an event from the database, right-click the event in the main view pane and choose Delete Row in Database from the menu.
If you want to display all the details of an IDS event, right-click the event and select Expand Whole Details from the drop-down menu to display the Expanded Details dialog window. Here you can choose to view the alarm detail according to Class A, B, or C Level addressing or for the whole address. Simply select the View tab which corresponds to the level of detail that you want to see.
From the Expanded Details window, you can right-click on an alarm and select View Alarms to see the signature name and source and destination addresses for the corresponding alarm event. You can also see all the information associated with an alarm event by right-clicking on the event and selecting Show All Columns from the drop-down menu.
You can view alarm context data for Transmission Control Protocol (TCP)-based signatures, for which the sensor can capture up to 256 characters of the TCP stream. The data in this stream is called the context data buffer and can contain keystrokes, data, or both from the connection stream around the string of characters that triggered the signature. In this way, it can be used to determine whether the signature triggered accidentally or from a deliberate attack.
To view the context data buffer, right-click the alarm you're interested in and choose Show Context from the drop-down menu to display the Decode Alarm Context with the signature and context information.
When an event is reported, it's easy to imagine a situation where you want to customize the data that is displayed, depending on the signature characteristics. Creating views is an easy way to do so. Select New, View from the File menu and follow the instructions of the two-step wizard, as shown in Figures 13.2 and 13.3.
The up and down arrows in the Step 2 of 2 screen of the View Wizard allow you to adjust the order of the columns in the view.
You can view both realtime and statistical data in a graph format, using either a bar or area graph format. Both graphs show the average number of aggregate alarms by severity level on the Y axis, per unit time on the X axis.
The Realtime Graph displays the average number of alarms received by IEV. The timestamp on alarms reflects the time that IEV received the alarm, rather than the time the sensor generated the alarm. To view the Realtime Graph, select Realtime Graph from the Tools menu.
The Statistic Graph is based on a data source that you select, which could be the event_realtime_table or any imported or archived table. The events displayed in the Statistic Graph reflect the average number of alarms received by IEV, based on the filter that is applied to the data source. Therefore, depending on the filter, the Statistic Graph might not reflect the true average number of alarms. The timestamps for these events in the Statistic Graph reflect the time that the sensor generated the alarm and not the time that the alarm was received by IEV (as is the case in the Realtime Graph).
To view the Statistic Graph, select the view from the Views folder in the lower-left pane which contains the alarm data that you want to display. Right-click the view from the Views folder and choose Statistic Graph. Figure 13.4 shows a sample Statistic Graph in bar format.
If you want to view a continuous stream of events from the sensor, you can use the Realtime Dashboard, as shown in Figure 13.5.
Select Realtime Dashboard, Launch Dashboard from the Tools menu to launch the Realtime Dashboard. IEV opens a subscription request to the sensor to display the most recent events received by the sensor since the request was issued.
To pause the continuous stream (for example, if you want to study one particular entry), click the Pause button on the bottom left; to resume the stream, click the Resume button. Because they are toggle buttons, only one option is available at a time.
To clear all existing events from the Dashboard and open a new subscription request to the sensor, click Reconnect.
The Realtime Dashboard displays the four security level events: Informational, Low, Medium, and High.