Overview

ThreatSTOP IP Firewall Reporting focuses on delivering high-quality, easily understood reports to Network Administrators and Security Professionals. This allows for rapid evaluation and remediation of threats to a network. The bulk of this process is controlled through a selection of filters that narrow the results as the user moves through the data.

Basic filter functions are:

  • Date Range: This is the time period that the report covers. Available values are:
    • Last 24 Hours
    • Last 7 Days
    • Last 30 Days
    Custom ranges can also be declared by clicking in the Start Date or End Date fields and selecting from a calendar pop-up. Alternatively, the dates and times may be entered in these fields using a MM/DD/YY HH:MM:SS format.
  • Severity: The severity level of the recorded threat. Threat levels break down into five levels, in order of increasing severity.

    Threat Severity Levels
    • Severity 0 – No/Unknown Threat Level – Threat does not pose a significant risk of harm to your network
    • Severity 1 – Low Threat Level – Threat poses a low risk of harm to your network
    • Severity 2 – Low/Medium Threat Level – Threat poses a low-to-moderate risk of harm to your network
    • Severity 3 – Medium Threat Level – Threat poses a moderate risk of harm to your network
    • Severity 4 – Medium/High Threat Level – Threat poses a medium-to-high risk of harm to your network
    • Severity 5 – Highest Threat Level – Threat poses a very high risk of harm to your network
  • Direction: Filters results to Inbound traffic, Outbound traffic, or both.

  • Devices: Contains a list of firewall devices currently associated with your account. This can help limit the returns to a specific firewall device.
  • Internal IP: Allows the entry of an IP address range (in CIDR format, or longhand) to limit returns in reporting to the given address range for outbound traffic.
  • External IP: Allows the entry of an IP address range (in CIDR format, or longhand) to limit returns in reporting to the given address range for inbound traffic.
  • Target Groups: Limits the returned Targets to the selected types.
  • Action Taken: Limits results based on what actions were taken with the network traffic.

    Note:

    These are all enabled by default, and will return data for each result. Unticking the box will hide returned data.

    • Block: Network traffic that has been blocked by the service.
    • Allow: Network traffic that has been allowed to pass through to the network.
  • Advanced Target Settings:
    • Only targets present in policy: This filter limits the returned results to only those targets in the current policy, and does not include returns from lists not included in the chosen policy.
  • Policies: Limits returned data to the policy selected.

Note:

Some reports will also display a Save/Edit email report button below the filter settings. See Email Reports for more information. For IP Firewalls, email reports are supported by:

  • Dashboard
  • IP Threat Summary
  • IP Combined Summary
  • IP Date Summary
  • Traffic Summary

After setting the desired parameters to limit the data being returned by the reporting system, click Apply Filter to apply the filters to the returned results. This updates the report with data that matches the selected criteria. If applied filter values are no longer of use, they can be returned to the default state by clicking Reset.

Filter Information

As filters are changed a box will appear at the top of the filter stack labeled Filter Information. This box will show how many records the current filter set will return, with smaller returns displaying faster. This can also be helpful in building a filter strategy for your returned results in the Report Details section.

Dashboard

The Dashboard screen has two modes, Inbound and Outbound. Each gives an overview of threats by number of blocked connections, number of clients for each severity, and blocked connections for each threat group. It also introduces filters to limit the data returned by the report. After selecting the base filter parameters as denoted in the overview, a series of bar graphs showing results for the following result types will appear:

  • # of Blocked Connections for each Severity: cumulative result, based on your filter settings, for the number of threats documented by severity level.
  • # of Clients for each Severity: number of devices that have reported connection attempts in the reporting.
  • # of Blocked Connections for each Threat Group: number of Threat Types attempting to make a connection using your network.

IP Threat Summary

The Threat Summary screen is brought up either by selecting it through the IP Threats drop-down, or by clicking on a results bar in the Dashboard. Across the top of the screen, a bar graph gives a visual representation of the cumulative number of attacks classed into each Severity level.

Note:

Any filter settings that you apply to the dashboard will carry through to following screens, but will not carry backwards to previous screens. For example, moving from Dashboard > Threat Summary will carry over the filter settings, but using the Back button to return to the Dashboard will reset the filter settings to their default state.

This report breaks down the total number of connection attempts by traffic direction (Inbound or Outbound) and severity level, from five (the most critical) to any User Defined threats. Each connection type is noted, as well as the number of connection attempts made. The breakdown is provided in an accordion list: any severity levels that do not return results will appear collapsed, while severity levels that do return results will list the results with the following data:

  • Threat Severity: How questionable the target is. Severity 5 threats are listed at the top, and Severity 0 are listed at the bottom.
  • Target: Threat List entry that has been associated with the URI being accessed. In our example, a botted computer attempted to access a URI associated with DCNC - BOTNET DOMAINS.
  • Matches: Number of times a device attempted to access the associated URI. Staying with our example the machine(s) attempted to access the URI associated with DCNC - BOTNET DOMAINS 2,178 times.

Note:

User Defined threats are not afforded a higher severity due to their uncertain nature. If you, the user, feel that a User Defined threat is important to remediate then you can use the information provided here to discover the source of the attack.

Clicking on the line associated with the threat you want to investigate will drill down to the Report Details, which opens a listing of up to 5,000 connection attempts to the Target clicked on.

IP Combined Summary

Similar to the Client IP report, the Combined Summary report returns all recorded communications by all clients. The bar graph at top is laid out in an identical fashion to the Client IP report, with the highest Severity issues on the bottom, and the lowest priority at the top. The primary difference is in the report itself. The report is not broken down by individual IP address; instead, the displayed results are the cumulative result of all devices in the report that match the chosen criteria. Drilling down into these results brings up the Report Details screen, where the individual devices that have made these communication attempts can be viewed.

Fields displayed for the report include:

  • Threat Severity: How questionable the target is. Severity 5 are listed at the top, and Severity 0 are listed at the bottom.
  • Threat Target: The target type with which the device was attempting to communicate. 
  • Connection Attempts: The number of times all devices in the filter attempted to communicate with a threat target.

IP Date Summary

The IP Date Summary shows communication attempts based on the date and Severity level of the communications. The report itself shows the number of communication attempts, the date of the attempts, and the severity level, with each higher severity level having a brighter shade of red. The following settings can be applied to increase the resolution of the returned results:

  • Date Summary Reporting Period: Adjusts how fine-grained the returned results are. Available values are:
    • Hourly: Shows communications attempts by the hour and day.
    • Daily: Shows communications attempts for a given day.
    • Weekly: Shows communications attempts for a given week.
    • Monthly: Shows communications attempts for the month.
  • Inbound/Outbound: This switch returns results based on the direction the traffic was flowing, into the network or out of the network respectively.

The reports themselves contain the following data:

  • A time stamp showing the date and time a communication was made. This is up to the nearest hour in the case of hourly reports.
  • Below this the returned values are processed out by severity level and number of connection attempts for that severity.

Traffic Summary

The Traffic Summary report allows for the ready viewing of traffic through the IP firewall. The display has a traffic graph across the top that reflects returned data based on filter settings; below this are the details of the report. The IPs displayed are controlled to show either Internal IPs or External IPs.

Data returned is separated by IP address, and reflects the following values:

  • IP address: Internal or External IP address logged.
  • Severity #: Threat severity logged.
  • Number of attempts: How many attempts were made by that threat severity to communicate with the given IP.
  • Target: Name of the target list the communication attempt was associated with.

The data relayed by this list will give the clearest view of how data is moving into and out of the network. It also reveals the most likely compromised systems in your network.

Internal IPs, External IPs, and the Direction Filter

One of the greatest strengths available to IP Firewall users is the ability to control the visibility of returned data based on the direction of traffic being viewed, and the direction of traffic being filtered; of course with great power comes a moderate learning curve. The following chart is intended to help show how the report settings will help you determine the source of the traffic, as well as the direction and potentially the intent of the traffic.

| Direction | IP Location: Internal IPs | IP Location: External IPs |
| --- | --- | --- |
| Inbound | Shows the addresses of devices inside your network with which devices external to your network are attempting to communicate. | Shows with which IP addresses outside of your firewall devices internal to your firewall are attempting to communicate. |
| Outbound | Shows the IP addresses outside your firewall with which devices inside your firewall are attempting to communicate. | Shows with which IP addresses outside your network devices internal to your network are attempting to communicate. |
| Inbound & Outbound | Shows which of your devices inside your firewall are attempting to communicate with devices external to your firewall. | Shows which devices outside your firewall are attempting to communicate with devices internal to your firewall. |

Report Details

The Report Details screen lists details about the device(s) attempting to connect to a threat, 50 entries at a time, with up to 5,000 threats total displayed for a given filter set.

Note:

  • The number of entries shown can be adjusted using the Show ## entries dropdown menu.
  • If more than 5,000 total points of data are returned, a note will appear at the top of the screen. Results can be further refined by increasing the number of filters used.

Data is broken up into columns and displayed in a tabular format. The columns displayed can be controlled using the Columns button. Additionally, the data can be sorted by clicking a column header. This will reprioritize the order in which data is presented to the user.

The following settings are available; columns that are not turned on by default are noted:

  • Time: Date and time a connection attempt to the requested FQDN was made. This is displayed in the following format:

    YYYY-MM-DD HH:MM:SS
  • Device: Nickname of the device that processed the request.
  • Source IP: IP Address of the device attempting to pass data through the network.
  • Source Port: TCP/IP or UDP port to which data was being sent. This can help to identify the type of communication being attempted.

Commonly accessed ports include:

| Port | Service |
| --- | --- |
| 23 | telnet |
| 53 | DNS |
| 80 | HTTP |
| 110 | POP |
| 443 | HTTPS |

  • Destination IP: IP Address of the device for which communication was intended, this may be inbound or outbound.
  • Destination Port: TCP/IP or UDP port to which data was being sent. This can help to identify the type of communication being attempted.
  • Action: Measure taken by the device. This can be one of two actions:
    • Block: Communication between the Source and Destination IP was not allowed.
    • Allow: Communication between the Source and Destination IP was allowed. This can happen if the IP address is in our intelligence lists, but is not incorporated into your policy.
  • Direction: The direction the traffic was flowing at the time of the log entry. Two directions are possible:
    • Out: Traffic from inside the network attempting to pass data to an IP address outside of the network.
    • In: Traffic from outside the network attempting to pass data into the network.

Note:

The following columns are not displayed by default, but may be enabled through the Columns button:

  • Source Port
  • Destination Port
  • Targets: Details which Threat Intelligence list the Target is listed in. 
  • ID: This is a hash of the log line in the report. This is used for diagnostic purposes, and may on occasion be requested by ThreatSTOP Support.

Additionally the returned results can be exported in a CSV file by clicking on the Export to CSV button. This will compile the results into a Comma Separated Value (CSV) file that can be processed by most spreadsheet programs.
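
As an added example (not ThreatSTOP code), the following Python sketch triages an exported CSV offline: it uses the Direction column to decide which side of each connection is the internal host, then ranks internal hosts by Allow entries, which per the Action description above are matches against intelligence lists that the policy did not block. The CSV header names are assumed to match the Report Details column names, the sample rows are constructed, and the function names are hypothetical.

```python
import csv
import io
import ipaddress
from collections import Counter
from datetime import datetime

# Constructed sample export; header names are assumed to match the
# Report Details column names and may differ in a real export.
SAMPLE_CSV = """Time,Device,Source IP,Source Port,Destination IP,Destination Port,Action,Direction,Targets
2024-03-01 09:15:02,edge-fw1,10.1.2.15,51514,203.0.113.7,443,Allow,Out,DCNC - BOTNET DOMAINS
2024-03-01 09:15:40,edge-fw1,10.1.2.15,51520,203.0.113.7,443,Allow,Out,DCNC - BOTNET DOMAINS
2024-03-01 09:16:11,edge-fw1,10.1.3.40,49822,198.51.100.9,80,Block,Out,DCNC - BOTNET DOMAINS
2024-03-01 09:17:30,edge-fw1,198.51.100.23,40111,10.1.2.80,23,Block,In,Example Inbound List
2024-03-01 09:18:05,edge-fw1,192.0.2.44,40200,10.1.2.15,23,Allow,In,Example Inbound List
"""


def load_rows(text):
    """Parse the export and attach internal/external IPs based on Direction."""
    rows = []
    for rec in csv.DictReader(io.StringIO(text)):
        outbound = rec["Direction"].strip().lower() == "out"
        # Out: the source is inside the network; In: the destination is.
        internal, external = (("Source IP", "Destination IP") if outbound
                              else ("Destination IP", "Source IP"))
        rec["internal"] = ipaddress.ip_address(rec[internal])
        rec["external"] = ipaddress.ip_address(rec[external])
        rec["when"] = datetime.strptime(rec["Time"], "%Y-%m-%d %H:%M:%S")
        rows.append(rec)
    return rows


def allowed_by_host(rows, internal_cidr, direction="Out"):
    """Count Allow entries per (internal host, target list) within internal_cidr."""
    net = ipaddress.ip_network(internal_cidr)
    hits = Counter()
    for r in rows:
        if (r["Action"] == "Allow" and r["Direction"] == direction
                and r["internal"] in net):
            hits[(str(r["internal"]), r["Targets"])] += 1
    return hits.most_common()


if __name__ == "__main__":
    for (host, target), n in allowed_by_host(load_rows(SAMPLE_CSV), "10.1.0.0/16"):
        print(f"{host} reached '{target}' {n} time(s) without being blocked")
```

Hosts at the top of this list are the first candidates for adding the matching target to the policy and for inspection of the device itself.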

Check IOC

The deepest level of reporting will feed the target under investigation into our Check IOC utility.

IP Email Reports

Email reporting for both DNS and IP firewalls is covered in our Email Reports article.