Configuring ThreatSTOP email alerts.

Overview

One of the largest issues encountered with any monitoring system is the eventual development of alarm fatigue: a condition in which the brain begins to filter out repeated false alarms, leaving users at greater risk. With this in mind, ThreatSTOP set out to develop a network threat alert system with the express intent of avoiding alert fatigue.

ThreatSTOP Alerts takes the filter conditions you have currently set for your reporting and, when you click Save/Edit Alert, saves those settings into a pre-defined alert that emails you whenever the filter conditions are met. If you find the initial alert to be questionable, you can set a cool-off period on that alert so that it stays silent for one or more hours (the cool-off must be a whole number of hours). If the alert fires again once the cool-off has expired, it may bear further investigation.

Filter Configuration

Selecting your filter conditions is covered in <a href="/dnsfw_reports.html">DNS Firewall Reporting</a> and <a href="ipfw_reports.html">IP Firewall Reporting</a>. Once the filter is defined and the Save/Edit Alert button is clicked, a pop-up appears in which the new values are saved. The filter conditions that are incorporated into an alert trigger are:

  • Severity: The severity level of the recorded threat. Threats are classified into five levels, listed in order of increasing severity.
  • Devices: Contains a list of firewall devices currently associated with your account. This can help limit the returns to a specific firewall device.
  • Direction: Filters results to Inbound traffic, Outbound traffic, or both.
  • Client IP: Allows the entry of an IP address range (in CIDR format, or longhand) to limit returns in reporting to the given address range.
  • Internal IP: Allows the entry of an IP address range (in CIDR format, or longhand) to limit returns in reporting to the given address range for outbound traffic.
  • External IP: Allows the entry of an IP address range (in CIDR format, or longhand) to limit returns in reporting to the given address range for inbound traffic.
  • Target Groups: Limits the returned Targets to the selected types.
  • Queried Name: Can be used to search for the existence of a domain name in the log files.
  • Action Taken: Limits results based on what actions were taken with the network traffic.
    • Blocked (NXDOMAIN): Network traffic is blocked with a “no such domain” error.
    • Blocked (NODATA): Network traffic is blocked with no data regarding the domain’s existence.
    • Blocked (DROP): Network traffic is dropped, with no information provided to the requesting service.
    • Pass-Through: Network traffic is allowed to pass through to the requested system.
    • Redirected: Network traffic is pointed to a different location such as a Walled garden.
    • Block: Network traffic is blocked by the service.
    • Allow: Network traffic is allowed to pass through to the network.
  • Advanced Target Settings:
    • Only targets present in policy: Limits the returned results to targets in the current policy, and does not include returns from lists that are not part of the chosen policy.
    • Trigger type: Includes targets based on which part of the DNS query or response matched the RPZ and caused the firewall to act.
      • QNAME: the requested name (QNAME) matches an entry in the RPZ.
      • NSDNAME: the name server domain name (NSDNAME) matches an entry in the RPZ.
      • RPZ-IP: an IP address in the DNS response matches an entry in the RPZ.
      • NSIP: the name server IP address (NSIP) matches an entry in the RPZ.
    • Policies: Limits returned data to the policy selected.

Date Range fields are not used when programming an alert, because the trigger is evaluated in real time.

Alert Configuration

Available fields are:

  • Save as: Allows you to save the current filter as New, or to update an existing filter.
  • Title: A name for the report conditions; it can be up to 100 characters long.
  • Email Address: The primary email address to which alerts will be sent.
  • Email CCs: Up to three additional email addresses can be added to receive alerts.
  • Alert me after: The trigger for an alert email. If the conditions defined by the filter are met this many times within an hour, an email alert is sent.
  • Don’t alert me again for: Setting this field to 1 or more whole hours silences a triggered alert for that duration. This is useful for quieting alerts that are repeatedly triggered.
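As an added illustration of the filter and alert settings described above (example code, not ThreatSTOP's own), the following Python models how a saved filter, the "Alert me after" threshold and the whole-hour "Don't alert me again for" cool-off interact over a constructed sequence of events. The event fields, the AlertFilter class, the alert_times function and the sample data are assumptions made for this example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

@dataclass
class AlertFilter:
    """Subset of the filter fields above; an empty value means no restriction."""
    severity_min: int = 1                      # five levels, increasing severity
    directions: set = field(default_factory=lambda: {"Inbound", "Outbound"})
    client_cidr: str = ""                      # CIDR or a single address
    actions: set = field(default_factory=set)  # "Action Taken" values
    def matches(self, ev):
        if ev["severity"] < self.severity_min or ev["direction"] not in self.directions:
            return False
        if self.client_cidr and ip_address(ev["client_ip"]) not in ip_network(self.client_cidr, strict=False):
            return False
        return not self.actions or ev["action"] in self.actions

def alert_times(filt, alert_after, cooldown_hours, events):
    """Times an email would be sent: 'Alert me after' N matches within one hour,
    then 'Don't alert me again for' a whole number of hours (0 = no cool-off)."""
    if cooldown_hours != int(cooldown_hours) or cooldown_hours < 0:
        raise ValueError("cool-off must be a whole number of hours")
    sent, hits, muted_until = [], [], datetime.min
    for ev in sorted(events, key=lambda e: e["ts"]):
        now = ev["ts"]
        if not filt.matches(ev) or now < muted_until:
            continue                           # no match, or silenced by the cool-off
        hits = [t for t in hits if now - t < timedelta(hours=1)] + [now]   # trailing hour
        if len(hits) >= alert_after:
            sent.append(now)
            hits, muted_until = [], now + timedelta(hours=cooldown_hours)
    return sent

T0 = datetime(2024, 1, 1, 9, 0)
SAMPLE_EVENTS = [  # constructed sample, not real ThreatSTOP log data
    {"ts": T0 + timedelta(minutes=m), "severity": s, "direction": "Outbound", "client_ip": ip, "action": a}
    for m, s, ip, a in [
        (0, 4, "10.0.1.15", "Blocked (NXDOMAIN)"),
        (10, 5, "10.0.1.15", "Blocked (DROP)"),
        (20, 2, "10.0.1.99", "Blocked (NXDOMAIN)"),   # below the severity filter, not counted
        (30, 4, "10.0.1.20", "Blocked (NXDOMAIN)"),   # third match within the hour -> email
        (45, 5, "10.0.1.15", "Blocked (DROP)"),       # silenced by the 1 h cool-off
        (150, 4, "10.0.1.15", "Blocked (NXDOMAIN)"),  # cool-off over, the count restarts at 1
    ]
]
def run_demo():
    filt = AlertFilter(severity_min=3, directions={"Outbound"}, client_cidr="10.0.1.0/24",
                       actions={"Blocked (NXDOMAIN)", "Blocked (DROP)"})
    return [t.strftime("%H:%M") for t in alert_times(filt, 3, 1, SAMPLE_EVENTS)]
```

Running run_demo() yields a single email at 09:30: the 09:45 match falls inside the cool-off and the 11:30 match starts a fresh count.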