Risk Detection Pre-configuration
To detect risks in Network Sensors and Agents, the detection entities must be configured.
Risk Detection Entities
The entity that detects a risk depends on the risk detection item, as listed below. Each detection entity requires its own pre-configuration before it can detect risks.
If the risk detection entity is an Agent, risk detection works only when the node action is assigned to the Node Policy.
Risk Detection ID | Risk Detection Entity | Configuration Item |
---|---|---|
Ad Hoc Network Connection | Agent | Network Information Collection Plugin |
ARP Bomb | Network Sensor | Virtual IP Configuration for Inducing Risky Traffic |
ARP Spoofing | Network Sensor | Virtual IP Configuration for Inducing Risky Traffic |
MAC / IP Clone | Network Sensor / Agent (ARP Spoofing) | Network Sensor MAC / IP Clone Detection Function |
Malware Detection | Agent | Malware Detection Plugin |
Port Scan | Network Sensor | Virtual IP Configuration for Inducing Risky Traffic |
SNMP Blocking Request | Policy Server | SNMP Trap Reception Function |
Detecting Abnormal DHCP Server | Network Sensor | Network Sensor DHCP Server Scan Function |
Sensor MAC Clone | Network Sensor | Network Sensor MAC / IP Clone Detection Function, Sensor MAC Conflict Avoidance Function |
Unknown Service Request | Network Sensor | Virtual IP Configuration for Inducing Risky Traffic |
Using Invalid Gateway | Agent | Network Information Collection Plugin |
Configuring Environment
Configuring Virtual IP for Inducing Risky Traffic
Please refer to Configuring Virtual IP for virtual IP settings.
Configuring Network Sensor DHCP Server Scan Function
- Select System in the top panel.
- In the left system menu, click Sensor Management.
- Select the checkbox of the target Network Sensor for configuration.
- In the Select Action menu, select the Bulk Sensor Settings item.
- In the Sensor Settings menu, change the DHCP Server Scan value to ON for the network scan item.
- Click the Save button.
Configuring Policy Server SNMP Trap Reception Function
- Select Settings in the top panel.
- In the left Preferences menu, select Audit Log.
- In the SNMP Trap Reception item, set usage to ON and enter the Community value.
- Click the Modify button.
Configuring Network Sensor MAC / IP Clone Detection Function
- Select System in the top panel.
- In the left system menu, click Sensor Management.
- Select the checkbox of the target Network Sensor for configuration.
- In the Select Action menu, select the Bulk Sensor Settings item.
- In the Sensor Settings menu, change the MAC+IP Clone Detection value to ON for the node status check item.
- Click the Save button.