5 Replies Latest reply on Feb 8, 2013 8:12 AM by ccannefax

    Completely turn off aggregation for all rules

    parinya.ekparinya

      Hi guys,

      Is there an easier way to turn off aggregation for a whole receiver, or even a whole McAfee SIEM system? I know that turning off aggregation impacts ESM performance, since the number of EPS arriving at the ESM will be higher.

      However, for most of the events we get, we need more than 3 fields to be exactly matched before aggregation.

      Regards,

      Parinya

        • 1. Re: Completely turn off aggregation for all rules
          artek

          Parinya,

          Yes, it is possible. You should go to the Policy Editor, select Advanced Syslog Parser, and then click on the word "Aggregation". See below:

          [Screenshot: ESM03.PNG]

          [Screenshot: ESM04.PNG]

          Next, you can repeat these steps for the Data Source section in the left tree.

          Best Regards,

          Artur Sadownik

          • 2. Re: Completely turn off aggregation for all rules
            parinya.ekparinya

            Well... actually, we can disable a bunch of rules at a time by holding the "Shift" key and the "Up" or "Down" arrow key to select multiple rules. However, highlighting too many rules will result in an error message.

            It took me a while before I could turn off aggregation for every rule!!!

            What I wonder, and that's also my question here, is: can we turn off aggregation for every rule in just a flash?

            In the case of flow aggregation we have a menu to turn it off. But I didn't see something like that in the case of events.

            Is there any other easier method to turn it off for every rule?

            [Screenshot: Turn off Flow Aggregation.png]

            • 3. Re: Completely turn off aggregation for all rules
              dcobes

              Not only will it impact your performance, but analysis at that point becomes very difficult. The point of aggregation is to match common fields:

              CLASSIC USE CASE

              EVENT ID/NAME (hard-coded) + SOURCE IP + DEST IP

              Non-Classic Use Case

              Let's say you have email logs that parse out event id/name, sender email address, Source IP, Subject Line, and recipients.

              Depending on the event, a good aggregation would be:

              EVENT ID/NAME (hard-coded) + sender email address + subject line

              You have the ability to modify your 2nd and 3rd fields to suit your needs, but you need to know what you want out of the data to effectively complete this.

              If you need more than 3 fields for aggregation, you really need to look into implementing some correlations. Also, with aggregation turned off, some of your correlations will be extremely hard to work with, since every event will only trigger one time.

              -d

              • 4. Re: Completely turn off aggregation for all rules
                parinya.ekparinya

                I am aware of the performance degradation. As far as I know, turning off aggregation will result in a 90% EPS decay. For example, an ETM-5600 with 50,000 EPS, according to the data sheet, can handle only 5,000 EPS without aggregation. One more thing I want to point out is that even the content provided in the McAfee Partner Learning Center gave us an incorrect calculation regarding how to calculate the EPS required on the ESM. From what I thought, there should be no impact on the Receiver, or if some effect exists, receiver performance should improve a little bit because it doesn't have to perform event checks for aggregation.

                Since I cannot set aggregation fields to some custom types even though those custom types are present by default, allowing such aggregation will cause us to lose information in some cases.

                About using correlation instead of aggregation on more than 3 fields, I still don't understand. Could you give me an example and show how to do it that way?

                Regards,

                Parinya

                • 5. Re: Completely turn off aggregation for all rules
                  ccannefax

                  Let's say you are looking for common outside hackers scanning and need to correlate the activity. To analyze which of the hacker's activity is passed or denied, using SIGID (which would equate to the actual firewall rule log itself, i.e. ACL #1 or #2) + Source IP + Dest IP + Dest Port would get more in-depth firewall details than what comes canned (SIGID + Source IP + Dest IP).

                  So, not aggregating in this example would reveal the first reported Dest Port aggregated for the signature on the Source IP / Dest IP connection, thus giving you an inaccurate account of the activity. In other words, if they were doing a port scan against a destination and it was dropped on the same rule (SIGID), you would only see one port reported, not the potential thousands.

                  If you want to use this for in-depth firewall analysis, you have to factor this in.

                  So, change aggregation for things that add security value, or whatever information you require that adds value. Don't just change it for all rules, because we obviously know that each instance of turning it off goes against the EPS.

                  Hope that helps.
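A toy model of the two aggregation keys discussed in this thread (the canned SIGID + Source IP + Dest IP versus adding Dest Port), added here as an illustrative example and not McAfee ESM code. The field names and the sample firewall events are constructed; the model shows why the canned key collapses a denied port scan into one record that keeps only the first-seen port, and what it costs in record count (EPS) to keep the ports visible.

```python
# Added example: model how a SIEM's event aggregation key changes what an
# analyst can still see.  Not McAfee ESM code; field names are assumptions.

# Constructed sample firewall events (not taken from the thread): one source
# scanning five ports, denied by the same rule, plus one unrelated permit.
EVENTS = [
    {"sigid": "ACL-1-DENY", "src_ip": "203.0.113.7", "dst_ip": "198.51.100.10", "dst_port": p}
    for p in (22, 23, 80, 443, 3389)
] + [
    {"sigid": "ACL-1-DENY", "src_ip": "203.0.113.7", "dst_ip": "198.51.100.10", "dst_port": 22},
    {"sigid": "ACL-2-PERMIT", "src_ip": "192.0.2.5", "dst_ip": "198.51.100.10", "dst_port": 443},
]

CANNED_FIELDS = ("sigid", "src_ip", "dst_ip")               # what "comes canned"
CUSTOM_FIELDS = ("sigid", "src_ip", "dst_ip", "dst_port")   # key suggested in the thread


def aggregate(events, fields):
    """Collapse events whose `fields` all match into one record with a count.

    All other fields keep the value of the FIRST event in the bucket, which is
    why the canned key hides every destination port after the first one.
    `fields=None` models aggregation turned off: one record per event.
    """
    if fields is None:
        return [dict(ev, count=1) for ev in events]
    buckets = {}                      # insertion-ordered (Python 3.7+)
    for ev in events:
        key = tuple(ev[f] for f in fields)
        if key not in buckets:
            buckets[key] = dict(ev, count=0)
        buckets[key]["count"] += 1
    return list(buckets.values())


def ports_visible(records, sigid, src_ip, dst_ip):
    """Destination ports an analyst can still see for one rule/source/dest triple."""
    return sorted({r["dst_port"] for r in records
                   if (r["sigid"], r["src_ip"], r["dst_ip"]) == (sigid, src_ip, dst_ip)})


if __name__ == "__main__":
    for name, fields in (("off", None), ("canned", CANNED_FIELDS), ("custom", CUSTOM_FIELDS)):
        recs = aggregate(EVENTS, fields)
        seen = ports_visible(recs, "ACL-1-DENY", "203.0.113.7", "198.51.100.10")
        print(f"{name:6s}: {len(recs)} records reach the ESM, ports visible for the scan: {seen}")
```

With the canned key the scan is reported once (count 6, port 22 only); adding Dest Port keeps all five ports at the cost of three times as many records, which is the EPS trade-off the thread is weighing.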