PacketViper Use & Management Tips
PacketViper can be accessed directly from the console screen, or from a web browser on a machine inside your secure network.
Example: http://<internal IP>:47880 or, over HTTPS, https://<internal IP>:47881
1. Global Network List (GNL) Data: Different GNLs are updated at different times. For instance, Global HoneyPot, Forum Spam, and many others change nightly. Business GNLs may update daily, weekly or monthly depending on the amount and type of information we receive regarding their networks.
2. Country IP/network assignments change infrequently, so these update monthly. Assignments within a country, on the other hand, change much more often. These are gathered from ARIN, RIPE, AFRINIC, APNIC and LACNIC, manual location research, proprietary geo-location pinpointing processes, and purchased lists, and are updated as needed.
"Unassigned" are IP addresses that are not assigned to a country. Typically these are RFC 1918 addresses (i.e. private IP ranges like 192.168..., 172..., and 10...).
"Other" is the sum of all blocked traffic from other countries that aren't in the top 6.
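The two summary buckets above ("Unassigned" for addresses with no country assignment, "Other" for everything outside the top 6) are easy to get wrong when reproducing the dashboard figures from exported logs. The following is an added example, not PacketViper code: it aggregates a constructed set of blocked-traffic records by country, labels RFC 1918 sources "Unassigned", keeps the top 6 countries and sums the rest into "Other". The sample IPs are from documentation ranges and the country codes attached to them are invented.

```python
import ipaddress
from collections import Counter
from typing import List, Optional, Tuple

# RFC 1918 private ranges; PacketViper reports these under "Unassigned".
RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Number of countries shown individually before the rest is summed as "Other".
TOP_N = 6

# Constructed sample of blocked-traffic records: (source IP, country code
# resolved for that IP, or None when no country assignment exists).
# The country codes are made up for this example.
SAMPLE_BLOCKED = [
    ("203.0.113.5", "CN"), ("203.0.113.6", "CN"), ("203.0.113.7", "CN"),
    ("203.0.113.8", "CN"), ("203.0.113.9", "CN"),
    ("198.51.100.9", "RU"), ("198.51.100.10", "RU"),
    ("198.51.100.11", "RU"), ("198.51.100.12", "RU"),
    ("192.0.2.44", "BR"), ("192.0.2.45", "BR"),
    ("192.0.2.80", "US"),
    ("198.51.100.200", "DE"),
    ("203.0.113.99", "IN"),
    ("198.51.100.250", "NL"),
    ("192.168.1.20", None), ("10.0.0.7", None), ("172.16.5.5", None),
]


def is_rfc1918(ip: str) -> bool:
    """True when the address falls inside one of the RFC 1918 private ranges.

    ipaddress.is_private is deliberately not used: it also flags the
    documentation ranges (192.0.2.0/24 etc.), which would misclassify
    public-looking sample data.
    """
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def classify_country(ip: str, country: Optional[str]) -> str:
    """Map one blocked source to the label used in the country summary."""
    if is_rfc1918(ip) or country is None:
        return "Unassigned"
    return country


def summarize_blocked(records, top_n: int = TOP_N) -> Tuple[List[Tuple[str, int]], int]:
    """Return (top countries as [(label, count)], count summed into "Other")."""
    counts = Counter(classify_country(ip, cc) for ip, cc in records)
    ranked = counts.most_common()          # highest count first
    top = ranked[:top_n]
    other = sum(n for _, n in ranked[top_n:])
    return top, other


if __name__ == "__main__":
    top, other = summarize_blocked(SAMPLE_BLOCKED)
    for label, n in top:
        print(f"{label:<12}{n:>5}")
    print(f"{'Other':<12}{other:>5}")
```

Run against a real export, replace SAMPLE_BLOCKED with (source IP, country) pairs pulled from the log; the "Other" figure should then match the dashboard for the same time window.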
Yes. PacketViper comes with an Active Connections area, in which an administrator can kill connections quickly.
Go to TRAFFIC CONTROL --> CONNECTIONS
Yes. PacketViper can quickly send its logs to any existing event manager via syslog.
Go to Setup -->System -->Remote Syslog Settings
If you want to restrict/block a single port from a country, prefix the port number with an exclamation point (example: !80).
If you want to allow a single port from a country or global network list, just add the port number (example: 80).
If you want to allow multiple ports from a country or global network list, separate them with commas (example: 80,443,25).
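To make the three port-entry forms above unambiguous, here is an added example (not PacketViper's own code) that parses an entry into allow/block rules and decides whether a given port passes. The page states the syntax; the decision semantics in port_permitted are an assumption: an explicit "!" block wins, an entry with allow ports permits only those ports, a block-only entry leaves all other ports permitted, and an empty entry imposes no port restriction.

```python
import re
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class PortRule:
    port: int
    action: str  # "allow" or "block"


# Decimal digits only; int() alone would also accept non-ASCII digit forms.
_PORT_RE = re.compile(r"^[0-9]+$")


def parse_port_spec(spec: str) -> List[PortRule]:
    """Parse a country/GNL port entry: "80" allows, "!80" blocks, "80,443,25"
    lists several. Surrounding whitespace is tolerated (assumption)."""
    rules: List[PortRule] = []
    for token in spec.split(","):
        token = token.strip()
        if not token:
            continue
        action = "allow"
        if token.startswith("!"):
            action = "block"
            token = token[1:].strip()
        if not _PORT_RE.match(token):
            raise ValueError(f"invalid port entry: {token!r}")
        port = int(token)
        if not 1 <= port <= 65535:
            raise ValueError(f"port out of range: {port}")
        rules.append(PortRule(port, action))
    return rules


def port_permitted(rules: List[PortRule], port: int) -> bool:
    """Assumed semantics: block entries win; allow entries form an allow-list;
    no allow entries means every non-blocked port is permitted."""
    if any(r.port == port and r.action == "block" for r in rules):
        return False
    allowed = {r.port for r in rules if r.action == "allow"}
    if allowed:
        return port in allowed
    return True


if __name__ == "__main__":
    for spec in ("80,443,25", "!80", ""):
        rules = parse_port_spec(spec)
        print(f"{spec!r:<14} 80 -> {port_permitted(rules, 80)}, "
              f"22 -> {port_permitted(rules, 22)}")
```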
Once you have PacketViper set up, make sure you build your triggers. Triggers are an additional level of protection against those countries and networks you must leave unfiltered. Post triggers you have found useful to help other customers here.
The trigger example below is evaluated after the custom rules; for any TCP 3389 connection it automatically blocks the source, then emails the alert.
Go to TRAFFIC CONTROL --> TRIGGERS
Trigger Name: name your trigger
Trigger Position: when you want the trigger evaluated (after custom rules is the default)
Protocol: choose which protocol to monitor
Port: choose which port of that protocol to monitor
Add Action: Add Src Custom Rules Blocking: automatically adds the source IP to the custom rules to block further attempts
Add Action: Add Src Custom Rules Blocking: Rule Comment: the comment displayed next to the rule in custom rules
Add Action: Send Email Alert: sends an email once the trigger fires
Add Action: Send Email Alert: To: destination address
Add Action: Send Email Alert: Send Every: how often to send the email
Add Action: Send Email Alert: Email ID: choose the email template to send (if none is created, you will have to create one)
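The fields above describe a small evaluation pipeline: custom rules first, then the trigger's protocol/port match, then its two actions (block the source in custom rules; send a throttled email). The following is an added example, not PacketViper code, that models that pipeline for the TCP 3389 trigger and replays a constructed sequence of connections through it. Trigger and field names mirror the page; the Connection records, the five-minute Send Every value, the address secops@example.com and the template name "rdp-alert" are invented for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional


@dataclass(frozen=True)
class Connection:
    src_ip: str
    proto: str      # "TCP" or "UDP"
    dst_port: int
    ts: datetime


@dataclass(frozen=True)
class CustomRule:
    src_ip: str
    action: str     # "block"
    comment: str    # the "Rule Comment" shown in custom rules


@dataclass(frozen=True)
class Trigger:
    name: str
    proto: str
    port: int
    rule_comment: str
    email_to: str            # "To"
    send_every: timedelta    # "Send Every": minimum gap between emails
    email_id: str            # "Email ID": template to send
    position: str = "after custom rules"


class TriggerEngine:
    """Evaluates custom rules first, then one trigger (default position)."""

    def __init__(self, trigger: Trigger):
        self.trigger = trigger
        self.custom_rules: List[CustomRule] = []
        self.sent_emails: List[dict] = []
        self._last_email: Optional[datetime] = None

    def _blocked_by_custom_rule(self, conn: Connection) -> bool:
        return any(r.src_ip == conn.src_ip and r.action == "block"
                   for r in self.custom_rules)

    def process(self, conn: Connection) -> str:
        # A source already blocked in custom rules never reaches the trigger.
        if self._blocked_by_custom_rule(conn):
            return "blocked by custom rule"
        t = self.trigger
        if conn.proto != t.proto or conn.dst_port != t.port:
            return "passed"
        # Action 1: Add Src Custom Rules Blocking.
        self.custom_rules.append(CustomRule(conn.src_ip, "block", t.rule_comment))
        # Action 2: Send Email Alert, rate-limited by Send Every.
        if self._last_email is None or conn.ts - self._last_email >= t.send_every:
            self.sent_emails.append({"to": t.email_to, "template": t.email_id,
                                     "src_ip": conn.src_ip, "at": conn.ts})
            self._last_email = conn.ts
        return "blocked by trigger"


# The trigger described on the page; alert settings are assumed values.
RDP_TRIGGER = Trigger(name="Block inbound RDP", proto="TCP", port=3389,
                      rule_comment="Auto-blocked by trigger: RDP attempt",
                      email_to="secops@example.com",
                      send_every=timedelta(minutes=5),
                      email_id="rdp-alert")


def run_demo():
    """Replay a constructed connection sequence; returns (engine, dispositions)."""
    t0 = datetime(2024, 1, 1, 12, 0, 0)
    sample = [
        Connection("203.0.113.10", "TCP", 443, t0),                          # not 3389
        Connection("203.0.113.10", "TCP", 3389, t0 + timedelta(seconds=1)),  # fires
        Connection("203.0.113.10", "TCP", 3389, t0 + timedelta(seconds=2)),  # custom rule now
        Connection("198.51.100.7", "TCP", 3389, t0 + timedelta(seconds=3)),  # fires, email throttled
        Connection("198.51.100.8", "UDP", 3389, t0 + timedelta(seconds=4)),  # wrong protocol
        Connection("192.0.2.9", "TCP", 3389, t0 + timedelta(minutes=10)),    # fires, email sent
    ]
    engine = TriggerEngine(RDP_TRIGGER)
    dispositions = [engine.process(c) for c in sample]
    return engine, dispositions


if __name__ == "__main__":
    engine, dispositions = run_demo()
    for d in dispositions:
        print(d)
    print(len(engine.custom_rules), "custom rules,", len(engine.sent_emails), "emails")
```

The replay shows why Send Every matters: three sources trip the trigger within ten minutes, all three land in custom rules, but only two emails go out.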
That's up to you and your environment.
What we recommend in the beginning is, once PacketViper is placed inline, to observe the traffic for a day or so, or longer depending on the volume. Then, using the report filters and summary reports, you can begin to get a better picture of what should not be permitted.
From there you can start limiting countries to specific ports inbound/outbound, then build triggers to alert and block based on the suspect areas and ports you discovered from the reports or real-time logs. You will notice that as you filter out the unwanted traffic, your network security environment becomes less strained and easier to work with.
I've got a ton of invalid TCP traffic, which I believe is because I've applied the Setup -> Security -> drop invalid packets setting.
TCP Invalid traffic means that PacketViper is seeing packets for already established connections that it does not know about. This is expected when placing the device inline while connections are already established. They should disappear over time as PacketViper sees those connections re-establish. The setting is useful for dropping connection spoofing, where an attacker crafts a packet to look like it belongs to an already established connection.
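The answer above follows from how a stateful device learns connections: a flow is only "known" once its three-way handshake has been seen, so a mid-stream segment for a session that predates the device looks identical to a crafted one. Here is an added example (not PacketViper code) with a minimal TCP state tracker replayed over a constructed packet sequence: the pre-existing session's ACK segments are logged as invalid, the re-established session is tracked normally, and a lone ACK with no handshake behind it is treated the same way as the stale ones. All addresses and ports in the sample are made up.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

FlowKey = Tuple[Tuple[str, int], Tuple[str, int]]


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: FrozenSet[str]   # subset of {"SYN", "ACK", "FIN", "RST"}


def pkt(src: str, sport: int, dst: str, dport: int, *flags: str) -> Packet:
    return Packet(src, sport, dst, dport, frozenset(flags))


class ConnTracker:
    """Minimal TCP state table: a flow exists only after its handshake is seen."""

    def __init__(self, drop_invalid: bool = True):
        self.drop_invalid = drop_invalid      # the "drop invalid packets" setting
        self.table: Dict[FlowKey, str] = {}
        self.invalid_log: List[FlowKey] = []

    @staticmethod
    def _key(p: Packet) -> FlowKey:
        # Direction-independent key so both halves of a flow share one entry.
        a, b = sorted([(p.src, p.sport), (p.dst, p.dport)])
        return (a, b)

    def handle(self, p: Packet) -> str:
        key = self._key(p)
        state = self.table.get(key)
        f = p.flags
        if state is None and f == {"SYN"}:
            self.table[key] = "SYN_SENT"
            return "NEW"
        if state == "SYN_SENT" and f == {"SYN", "ACK"}:
            self.table[key] = "SYN_RECV"
            return "ESTABLISHING"
        if state == "SYN_RECV" and "ACK" in f:
            self.table[key] = "ESTABLISHED"
            return "ESTABLISHED"
        if state == "ESTABLISHED":
            if f & {"FIN", "RST"}:
                del self.table[key]
                return "CLOSED"
            return "ESTABLISHED"
        # No state for this flow: either a session that existed before the
        # tracker went inline, or a crafted packet pretending to belong to one.
        self.invalid_log.append(key)
        return "INVALID (dropped)" if self.drop_invalid else "INVALID (passed)"


def replay(packets: List[Packet], drop_invalid: bool = True) -> List[str]:
    tracker = ConnTracker(drop_invalid)
    return [tracker.handle(p) for p in packets]


# Constructed packet sequence.
SAMPLE_PACKETS = [
    # Session that existed before the device went inline: only mid-stream
    # ACK segments are seen, never its handshake.
    pkt("10.0.0.5", 50000, "203.0.113.20", 443, "ACK"),
    pkt("203.0.113.20", 443, "10.0.0.5", 50000, "ACK"),
    # The client reconnects; this time the handshake is observed.
    pkt("10.0.0.5", 50001, "203.0.113.20", 443, "SYN"),
    pkt("203.0.113.20", 443, "10.0.0.5", 50001, "SYN", "ACK"),
    pkt("10.0.0.5", 50001, "203.0.113.20", 443, "ACK"),
    pkt("10.0.0.5", 50001, "203.0.113.20", 443, "ACK"),
    # A bare ACK for a flow with no handshake behind it looks exactly like
    # the stale session above and is handled identically.
    pkt("198.51.100.66", 4444, "10.0.0.5", 22, "ACK"),
]


if __name__ == "__main__":
    for p, verdict in zip(SAMPLE_PACKETS, replay(SAMPLE_PACKETS)):
        print(f"{p.src}:{p.sport} -> {p.dst}:{p.dport} {sorted(p.flags)} => {verdict}")
```

This is why the invalid count falls off on its own: once clients reconnect, their new sessions enter the table through the handshake and stop being logged.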
Once PacketViper is installed and running, a good practice is to create several tasks that email you nightly traffic reports. You can do this by going to SETUP -> SCHEDULE TASKS.