QRadar 3.0 Updates NBAD Device
Q1 Lab's graphical views enhance comprehensive network behavior anomaly detection.
June 7, 2004
In QRadar, Q1 Labs has added a threats view, which shows rate-based activity, including DoS (denial of service) attacks and scans, stealth activity and protocol misuse; an alert console and creation wizards, which give you easy access to defined Sentry alerts and a simpler way to create your own Sentries; a new report generator and scheduler, so you can define your own reports; system-monitoring features; and small but useful interface improvements.
I used a beta version of QRadar in our Syracuse University Real-World Labs® for more than two months to monitor NETWORK COMPUTING's network traffic. I like the changes, but be prepared to spend time customizing the product.
What You See
QRadar presents network traffic data graphically. You could ask for a view of all the traffic going to or coming from the local network, showing the server ports used, or a view of mostly one-sided traffic. In addition, QRadar has some preconfigured views, such as flow types ("mostly in," "mostly out," "nearly the same") and a view that presents the flows from a collector.
The most interesting new view, though, is the threats view, which shows network-based attacks--DoS, network scans, worm activity and protocol misuse. With QRadar, I found that a number of hosts on our internal network were infected by various worms, sometimes multiple worms simultaneously. I detected Sasser by a rapid uptick in connection attempts to Port 445, which was shown in the threats view as a high-intensity scan.
Good
• Threat view shows all network-based attacks
• Reporting engine provides customizable reports
• E-mail alerts sent based on system status
• Enhanced user interface
• Manual application definition
Bad
• Application definitions don't use captured data
• Time-consuming customizable configuration
QRADAR 3.0, starts at $25,000. Q1 Labs, (888) 471-5800, (781) 250-5800. www.Q1Labs.com
Alerts Made Easy
To define alerts with QVision 2.1, you had to define bookmarks manually to link to sentries. But with QRadar, I could add an alert by simply navigating to the appropriate view, and the Sentry wizard walked me through the process. QRadar offers four types of sentries: Behavior sentries look for changes in network behavior over time; anomaly sentries learn what normal behavior is and then alert on abnormalities; policy sentries alert on detected traffic; and threshold sentries alert on defined traffic thresholds. In my tests, I created a policy sentry to detect client connections to TCP server Port 2745 and found another worm--the Beagle.
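The threats view's scan detection and the policy sentry described above, as an added example of the detection logic (illustrative code written for this page, not Q1 Labs' own): a threshold-style scan sentry that counts distinct hosts a source reaches on tcp/445 within a time window, and a policy sentry that alerts on any client connection to tcp/2745, run over constructed flow records. The IP addresses, the 20-host threshold and the 60-second window are assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:
    ts: float      # seconds since start of capture
    src: str
    dst: str
    dport: int
    proto: str     # "tcp" or "udp"

# Constructed sample flows (not real captures): 10.0.92.17 fans out to 40 hosts on
# tcp/445 within a minute, 10.0.92.23 connects to tcp/2745, 10.0.92.5 browses normally.
SAMPLE_FLOWS = (
    [Flow(i, "10.0.92.17", f"10.0.92.{i}", 445, "tcp") for i in range(1, 41)]
    + [Flow(3.0, "10.0.92.5", "10.0.92.10", 80, "tcp"),
       Flow(4.5, "10.0.92.5", "10.0.92.11", 443, "tcp"),
       Flow(9.0, "10.0.92.23", "10.0.92.44", 2745, "tcp")]
)

def threshold_scan_sentry(flows, port, min_targets, window):
    """Threshold-style sentry: a source that reaches at least `min_targets` distinct
    hosts on tcp/`port` inside any `window`-second span is reported as a scan."""
    per_src = defaultdict(list)
    for f in sorted(flows, key=lambda f: f.ts):
        if f.proto == "tcp" and f.dport == port:
            per_src[f.src].append(f)
    hits = {}
    for src, fl in per_src.items():
        for i, first in enumerate(fl):        # slide the window over this source's flows
            seen = {g.dst for g in fl[i:] if g.ts - first.ts <= window}
            if len(seen) >= min_targets:
                hits[src] = max(hits.get(src, 0), len(seen))
    return hits

def policy_sentry(flows, port):
    """Policy-style sentry: any client connection to tcp/`port` is an alert."""
    return sorted({(f.src, f.dst) for f in flows if f.proto == "tcp" and f.dport == port})

def run_sentries(flows):
    """Apply both sentries and return alerts, scan (higher weight) first."""
    alerts = []
    for src, n in sorted(threshold_scan_sentry(flows, 445, 20, 60).items()):
        alerts.append(("high-intensity scan", src, f"{n} hosts on tcp/445 within 60s"))
    for src, dst in policy_sentry(flows, 2745):
        alerts.append(("policy", src, f"client connection to {dst}:2745"))
    return alerts

if __name__ == "__main__":
    for kind, src, detail in run_sentries(SAMPLE_FLOWS):
        print(f"{kind:20} {src:12} {detail}")
```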
Sentry alerts show up in the alert console (see screen, page 32). Alerts are organized by a combination of factors: weight, the network object (in this case subnet-92), the package (OtherOneSidedFlows High) and the Sentry (Worm_policy_all), with the highest weights presented first.
The alert console displays two graphs: One shows traffic at the time the event occurred; the other, real-time network activity/traffic. For further analysis, you can drill down into either graph. Finally, you can dismiss an event or send the alert to other QRadar users.
Reporting In
QRadar's customizable reporting system lets you define and schedule reports. I wanted a daily report on the threats QRadar detected, so I selected that view. In the report window, two layers--host count and packets--are exposed or hidden. I scheduled the report to be run daily at midnight and requested it as an Adobe PDF file in an e-mail. Reports can be sent as XML and CSV (comma separated value) files, too. Although the reports aren't detailed, they provide a good overview of network traffic. Reports also can be created on the current view and can trend as far back as 30 days.
QRadar's interface includes options on the right-click menus, adjustable time periods for data mining and a network diagram based on network definition. However, the interface lacks an application definition, and there's no easy way to build app signatures from packet capture in the data-mining view.
Because QRadar offers a view of network traffic that a NIDS won't show, it can be used by network admins for traffic monitoring and as a basis for capacity planning.
Mike Fratto is editor of sister publication Secure Enterprise. Write to him at [email protected].