H3C SecCenter CSAP-ATD Configuration Guide-5W100

Released At: 26-06-2024

H3C SecCenter CSAP-ATD

Configuration Guide

Copyright © 2024 New H3C Technologies Co., Ltd. All Rights Reserved.

No part of this manual may be reproduced or transmitted in any form or by any means without prior written consent of New H3C Technologies Co., Ltd.

Except for the trademarks of New H3C Technologies Co., Ltd., any trademarks that may be mentioned in this document are the property of their respective owners.

The information in this document is subject to change without notice.

Contents

Configuration overview
Login
Event log
    Basic events
        Malicious code events
Configuration
    Configuring system settings
    Configuring parameters
    Administrator management
        System administrator
        Trusted Manager Configuration
        Role configuration
        Role group configuration
        System operation logs
    System upgrade
        Automatic upgrade
        Manual update
        System information
    Restoration to factory settings
Appendix
    Common application protocols and their port numbers
    Terminology
    Security event classification and rating

Configuration overview

H3C SecCenter CSAP-ATD Configuration Guide describes the Web configuration methods of each function module of the H3C advanced threat detection (ATD) engine and provides users with related configuration guidance. Table 1 shows the main functions of the H3C advanced threat detection engine.

Table 1 Key functions

Type          | Function
Event log     | Displays malicious code events generated by the threat detection engine, presents detection logs, and supports event filtering queries and report export.
Configuration | Includes system parameter configuration, administrator management, and system upgrade.


Login

Open your browser, and then enter the system management IP address to navigate to the system login page, as shown in the following figure. Enter the correct username and password and then click Log In.

Figure 1 Login page of the ATD engine

NOTE:

Enter the default username and password below on the first login. Default username/password: admin/Admin@123


Event log

Basic events

Malicious code events

The default page after login is the Malicious Code Event page. Malicious code events are file threats, which are the basic threat events detected by the sandbox.

Click Event Log > Basic Events > Malicious Code Event to open the Malicious Code Event page, as shown in the following figure:

Figure 2 Malicious code events


Double-click any malicious code event to view the details of the files containing the malicious code, including file summary, network log details, and application log details. You can also re-check the sample file and generate a full report, as shown in the following figure.

Figure 3 Malicious code file details


Where:

·     File Summary: Displays file details such as the name, type, and source/destination port of the sample file.

·     Network Log Details: Displays the network behavior log of the sample file.

·     Application Log Details: Displays details such as the number, name, type, and level of threats detected in the sample file.

·     Re-Check: Retests the sample file.

·     Full Document Report: Generates a full report of the sample file.

Configuration

Configuring system settings

Click Configuration > System Configuration to open the following page:

Figure 4 Configuring system settings

Three modules can be configured on this page:

1.     Time configuration

¡     Automatic Time Setting: Synchronizes the system time with an NTP server

¡     Time Zone

¡     Date

¡     System Time

¡     Domain Name/IP: NTP server address

2.     Network configuration

¡     IP Protocol

¡     Management Interface: Port connected to the management network of the ATD engine

¡     IP Address: IP address of the management port

¡     Subnet Mask: Mask of the IP address of the management port

¡     Default Gateway: Default gateway of the management port

¡     DNS Server Address: DNS server address of the management port. More than one address can be configured.

¡     Traffic Port: Network adapter port that receives traffic. It cannot be the same port as the management port.

¡     Traffic Collection Range: Range within which traffic is collected.

¡     Maximum Traffic: Maximum traffic that can be received. Some data beyond this limit is discarded.

¡     Custom Traffic Percentage: Sets the share of the maximum traffic collected on each of several traffic ports. For example, if the maximum traffic is 3000 MB, set eth2 to 1000 MB and eth3 to 2000 MB.

3.     Device Operation

¡     Device Restart

¡     Shut Down Device

Configuring parameters

Click Configuration > Parameter Configuration. Parameter configuration options include Basic Configuration, Data Storage, System Security, and IP Attribution.

1.     Basic configuration

Select Basic Configuration to navigate to the page below.

Figure 5 Parameter Configuration > Basic Configuration


Parameters for basic configuration include:

·     Threat Scoring Model: Options include loose mode and rigorous mode.

·     All log switch: Enables saving of all sample logs.

·     File detection download format: Sets the file extension used when downloading file detection samples.

·     Dynamic refreshing time of attack situation: Refresh interval of the attack situation display (unit: s). The default value is 60, which indicates that the attack situation is refreshed every 60 seconds.

·     The mode of file detection: File detection mode, which can be either Synchronization or Asynchronization.

·     Time to collect statistics on security events, threat hosts, and threat sources: Statistical period for security events, threat hosts, and threat sources (unit: day). The default value is 7, which indicates that data is counted every 7 days.

·     Detects files of unknown type: You can enable or disable this option as needed.

·     Normal sample free time: Period during which normal samples are not detected.

2.     Data storage

Select Data Storage to navigate to the page below.

Figure 6 Parameter Configuration > Data Storage


Parameters for data storage include:

·     ES Data storage policy

·     Maximum storage percentage of the ES partition

·     Maximum storage space of the ES partition

·     Clean up time of the ES partition disk

3.     System security

Select System Security to navigate to the page below.

Figure 7 Parameter Configuration > System Security


Parameters for system security include:

·     SSH service switch

·     SNMP service switch

·     Password validity period configuration: Sets the password policy.

·     Login failure restriction: The maximum number of failed password attempts is 5 by default. When this limit is reached, the system is locked for 10 minutes, during which you cannot log in.

·     Login Timeout: The system logs you off automatically when there is no activity for the timeout period.

·     Trusted Manager switch: You can enable or disable this option as needed.
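The login failure restriction and login timeout above describe a small state machine. The following Python model is an added example, not code from the H3C guide or the product: it uses the guide's default of 5 attempts and a 10-minute lock, while the 30-minute inactivity timeout, the class and the function names are this example's own assumptions. It shows the two behaviours a defender usually wants to verify: a correct password is still refused while the lock is active, and a session is dropped once the inactivity timeout has elapsed.

```python
from dataclasses import dataclass

MAX_FAILED_ATTEMPTS = 5           # default stated in the guide
LOCK_SECONDS = 10 * 60            # 10-minute lock stated in the guide
LOGIN_TIMEOUT_SECONDS = 30 * 60   # assumed value; the guide leaves the timeout configurable


@dataclass
class AccountState:
    """Per-account state kept by a (hypothetical) login front end."""
    failed_attempts: int = 0
    locked_until: float = 0.0     # epoch seconds; 0.0 means not locked
    last_activity: float = 0.0    # epoch seconds of the last request in the session
    logged_in: bool = False


def attempt_login(state, password_ok, now):
    """Apply one login attempt at time `now` (epoch seconds).

    Returns (accepted, reason). While the lock is active every attempt is
    refused, including one with the correct password, and refused attempts
    during the lock neither count towards a new lock nor extend the current one.
    """
    if now < state.locked_until:
        return False, "locked"
    if password_ok:
        state.failed_attempts = 0
        state.locked_until = 0.0
        state.logged_in = True
        state.last_activity = now
        return True, "ok"
    state.failed_attempts += 1
    if state.failed_attempts >= MAX_FAILED_ATTEMPTS:
        # Fifth consecutive failure: lock for 10 minutes and restart the counter.
        state.locked_until = now + LOCK_SECONDS
        state.failed_attempts = 0
        return False, "locked"
    return False, "bad-password"


def touch_session(state, now):
    """Record activity at time `now`; returns False once the session has timed out."""
    if not state.logged_in:
        return False
    if now - state.last_activity > LOGIN_TIMEOUT_SECONDS:
        state.logged_in = False        # automatic log-off after inactivity
        return False
    state.last_activity = now
    return True
```

The counter is reset when the lock is applied, so after the lock expires a fresh series of five failures is needed before the next lock; if an implementation instead kept counting, a single failure after expiry would re-lock the account immediately.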

4.     IP attribution

Select IP Attribution to navigate to the page below.

Figure 8 Parameter Configuration > IP Attribution


Parameters for IP attribution include:

·     IP Address: IP address and range of the intranet

·     Place: Home area to which the intranet IP address belongs

Administrator management

System administrator

Click Configuration > Administrator Management > System Administrator to open the following page:

Figure 9 Administrator configuration


·     Super administrator

·     System administrator: Configures system settings

·     Security administrator: Manages device logs

·     Security Auditor: Manages system operation logs

Administrator configuration allows you to define the valid administrators of the system and specify the role group and management scope of each administrator.

Click + to add a user, as shown below:

Figure 10 Creating an administrator user


Parameters include:

·     Account: Username of an administrator.

·     Password: Allows you to specify a password that meets complexity requirements. The password must contain at least eight characters, including numbers and letters (upper and lower case). Special half-width characters are allowed.

·     Confirm Password: Enter the password again.

·     Role Group: Specifies the role group of the user. The user receives the permissions of that group.

·     Status: Enables or disables the user. A disabled user cannot log in.

·     Description: Descriptive information that helps you quickly understand the functions and permissions of the new user and simplifies later maintenance.
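The password rule for administrator accounts (at least eight characters, digits plus upper- and lower-case letters, half-width special characters allowed) can be checked before the form is submitted. The following Python checker is an added example, not code from the H3C guide or the product; the function name and the list of reported violations are this example's own. It treats "half-width special characters" as the printable ASCII punctuation set and reports anything else (full-width letters, spaces, control characters) as disallowed, and it also rejects the default password that the Login section documents, so that the first-login credential cannot be set again.

```python
import string

# Half-width special characters: taken here to be the printable ASCII punctuation set.
ALLOWED_SPECIALS = set(string.punctuation)

# Default credential documented in the guide's Login section; never accept it as a new password.
DOCUMENTED_DEFAULT_PASSWORD = "Admin@123"


def check_admin_password(password):
    """Return the list of rule violations for a proposed administrator password.

    An empty list means the password satisfies the rule stated in the guide:
    at least eight characters containing digits, upper-case letters and
    lower-case letters, with half-width (ASCII) special characters permitted.
    """
    problems = []
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    if not any(c in string.digits for c in password):
        problems.append("missing a digit")
    if not any(c in string.ascii_uppercase for c in password):
        problems.append("missing an upper-case letter")
    if not any(c in string.ascii_lowercase for c in password):
        problems.append("missing a lower-case letter")

    # Only ASCII letters, ASCII digits and half-width specials are accepted;
    # str.isdigit()/isalpha() would also accept full-width and other Unicode forms.
    permitted = set(string.ascii_letters + string.digits) | ALLOWED_SPECIALS
    disallowed = sorted({c for c in password if c not in permitted})
    if disallowed:
        problems.append("contains disallowed characters: " + ", ".join(repr(c) for c in disallowed))

    if password == DOCUMENTED_DEFAULT_PASSWORD:
        problems.append("is the documented default password")
    return problems
```

Returning every violation at once, rather than stopping at the first, lets the form show the operator the full list of corrections in one round.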

Trusted Manager Configuration

Click Configuration > Administrator Management > Trusted Manager Configuration to open the following page:

Figure 11 Trusted manager configuration


Click + to add a trusted manager. Set the IP address, which can be a single IP address (such as 192.168.1.2) or a range of IP addresses (such as 192.168.1.2 – 192.168.1.10).

Select a single record and click - to delete the record.

Select a single record and click Edit to edit the record.

Figure 12 Adding a trusted manager


The trusted manager list is empty by default, and all IP addresses are granted access to the system. When trusted manager addresses are set, only the set trusted managers can access the system.

Click Configuration > Parameter Configuration > System Security to enable or disable the trusted manager feature. When the feature is disabled, all IP addresses are granted access to the system. When the feature is enabled, only the set trusted manager can access the system.
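The access decision described in the two paragraphs above (empty list or disabled switch: everyone is allowed; otherwise only listed addresses and ranges) is shown in the following Python model. It is an added example, not code from the H3C guide or the product; the entry syntax follows the guide (a single address, or a start and end address separated by a dash), while the function names and the sample entries are this example's own.

```python
import ipaddress


def parse_trusted_entry(entry):
    """Parse one trusted manager entry into an inclusive (first, last) address pair.

    Accepts a single address such as "192.168.1.2" or a range such as
    "192.168.1.2 - 192.168.1.10"; an en dash is tolerated as the separator.
    """
    parts = [p.strip() for p in entry.replace("\u2013", "-").split("-")]
    if len(parts) == 1:
        addr = ipaddress.ip_address(parts[0])
        return addr, addr
    if len(parts) != 2:
        raise ValueError(f"malformed trusted manager entry: {entry!r}")
    first, last = ipaddress.ip_address(parts[0]), ipaddress.ip_address(parts[1])
    if first.version != last.version or first > last:
        raise ValueError(f"invalid address range: {entry!r}")
    return first, last


def is_manager_allowed(source_ip, trusted_entries, feature_enabled=True):
    """Return True if source_ip may reach the management interface.

    Mirrors the guide: with the feature disabled, or with an empty list,
    every address is allowed; otherwise only addresses inside a listed
    entry are allowed.
    """
    if not feature_enabled or not trusted_entries:
        return True
    src = ipaddress.ip_address(source_ip)
    for entry in trusted_entries:
        first, last = parse_trusted_entry(entry)
        # Compare only within the same IP version; mixed comparisons raise TypeError.
        if first.version == src.version and first <= src <= last:
            return True
    return False


# Constructed sample list for demonstration only.
SAMPLE_TRUSTED = ["192.168.1.2", "192.168.1.2 - 192.168.1.10"]
```

Because an enabled switch with a non-empty list refuses every other address, the check is also a useful pre-flight test: evaluate the administrator's own source address against the intended list before enabling the Trusted Manager switch, so that the change does not lock the operator out of the management interface.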

Role configuration

Click Configuration > Administrator Management > Role Configuration to open the following page:

Figure 13 Role configuration


Click + to add a role, as shown below:

Figure 14 Creating a role


Select a single record and click - to delete a role.

Select a single record and click Edit to edit a role.

By default, there are nine roles in the system, which include Monitor, Event Log, Policy, Analytics, Report, Configuration, System Administrator, Security Auditor, and Security Administrator. Each role is granted different permissions for some resources. Do not add or modify the roles unless needed.

Role group configuration

Click Configuration > Administrator Management > Role Group Configuration to open the following page:

Figure 15 Role group


Click + to add a role group, as shown below:

Figure 16 Adding a role group


Select a single record and click - to delete a role group.

Select a single record and click Edit to edit a role group.

By default, there are six role groups in the system, which include System Administrator Group, Security Auditor Group, Security Administrator Group, Operator Group, Auditor Group, and Administrator Group. Each role group is granted different permissions. Among them, super administrators have all permissions. Do not add or modify the role groups unless needed.

System operation logs

Click Configuration > Administrator Management > System Operation Log to open the following page:

Figure 17 System operation logs


The system operation logs record the operation logs of users who log in to the ATD engine.

System upgrade

Automatic upgrade

Click Configuration > System Upgrade > Automatic Upgrade to open the following page:

Figure 18 Automatic upgrade configuration


This page allows you to set whether the ATD engine server system needs to be automatically upgraded. To enable the automatic upgrade, you need to set the upgrade time point and the download address of the upgrade package:

·     Time Point: Time at which the upgrade package is downloaded, in 24-hour format only. For example, if you set the time to 02:10, the upgrade package is downloaded at 2:10 AM the next morning and the upgrade runs automatically.

·     Server Address: Valid server address from which the upgrade package is downloaded, for example, https://atdupdate.h3c.com.cn/check/. Click Network Connectivity Check to check whether the server address is reachable. If the address is not reachable, the automatic upgrade fails.

·     Update Log: Records of the automatic upgrades.

Manual update

Click Configuration > System Upgrade > Manual Update to open the following page:

Figure 19 Manual update


Select the directory where the upgrade package is located. Click Open to upload the upgrade package and start the upgrade.

System information

Click Configuration > System Upgrade > System Information to open the following page:

Figure 20 System information


This page shows the device information and system function module information of the ATD engine system. Click Configure Authorization to update the license code, as shown below:

Figure 21 Entering the license code


Enter the new license code and click OK to display the updated system information.

Restoration to factory settings

Click Configuration > Restore Factory Settings to open the following page:

Figure 22 Restoration to factory settings


This page allows you to restore the factory settings. You can choose whether to clear the configuration when restoring the factory settings.

Appendix

Common application protocols and their port numbers

Figure 23 Internet protocols

Table 2 Common application protocols and their port numbers

Application protocol | Port number | Transport layer protocol
DNS                  | 53          | TCP, UDP
SMTP                 | 25, 587     | TCP
POP3                 | 110         | TCP
HTTP                 | 80          | TCP
HTTPS                | 443         | UDP
TELNET               | 23          | TCP
FTP                  | 20, 21      | TCP
TFTP                 | 69          | UDP
IMAP                 | 143         | TCP
SNMP                 | 161         | UDP
SNMP TRAP            | 162         | UDP


Terminology

Table 3 Terminology

Terminology | Description
APT         | Advanced Persistent Threat
IMAP        | Internet Mail Access Protocol
SMTP        | Simple Mail Transfer Protocol
POP3        | Post Office Protocol – Version 3
SNMP        | Simple Network Management Protocol
ES          | Elasticsearch, which is a distributed, full-text search engine


Security event classification and rating

The security events are classified as follows according to the national standards GB/Z 20986 and GB/T 20984:

Figure 24 Security event classification


The security events are rated as follows:

Figure 25 Security event rating