Modifying the data export configuration, Auditing the exported data, Anomaly detection management – H3C Technologies H3C Intelligent Management Center User Manual
4. Click Query to view the data export logs matching the criteria. Click Reset to clear all query criteria.
Modifying the data export configuration
1. Select Service > Traffic Analysis and Audit > Data Export.
The Data Export Config List appears in the main pane of the Data Export page.
2. Click the Modify icon.
3. Select the Enable Data Export option to enable the data export function.
After you enable the data export function, you can configure the Trigger Data Export by Data Space Alarm and Path of Exported File parameters.
If you do not select the Trigger Data Export by Data Space Alarm option, the NTA server exports data based only on the log lifetime. With the Trigger Data Export by Data Space Alarm option selected, when a data space alarm occurs, the NTA server automatically exports the oldest data day by day until the data space alarms are eliminated.
4. Enter the absolute path of the exported file on the NTA server.
5. Click OK to complete modifying the data export configuration.
Auditing the exported data
NTA provides an auditing tool. An operator can use the log auditing tool to audit the traffic data of the
exported file. The auditing tool depends on JRE. To guarantee normal operation of the auditing tool,
make sure you have downloaded the latest JRE.
To audit the exported data:
1. From the top navigation bar, select Service > Traffic Analysis and Audit > Data Export.
The Data Export Config List appears in the main pane of the Data Export page.
2. Click Log File Audit to download and start the auditing tool.
The auditing tool can perform only a general audit of the exported data. Use the auditing tool in the same way as you use the auditing tool of UBA. For information about using an auditing tool, see IMC User Behavior Auditor Administrator Guide.
Anomaly detection management
NTA collects statistics on traffic flow records and compares the statistics with the thresholds in the
anomaly detection templates. If a threshold is crossed, NTA issues an alarm.
NTA has a series of predefined anomaly detection templates. You cannot add or delete templates, but
you can modify them.
The anomaly detection templates fall into two categories: templates that use the same parameters and
templates that use anomaly type-specific parameters.
The following templates use the same parameters:
• TCP Null Scan
• TCP Fin Scan
• TCP Syn Fin Scan
• TCP Xmas Scan
• UDP Bomb Attack
• Snork Attack
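
An illustration of the threshold comparison described above, applied to the four TCP scan templates in the list (an added example, not NTA's own detection code or part of the original manual). The flag patterns are the standard definitions of these scans; the flow-record field names, the per-source distinct-target count and the threshold values are assumptions, and all sample flows are constructed.

```python
from collections import defaultdict

# TCP flag bits as carried in a flow record's cumulative tcp_flags field.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

def classify(flags):
    """Return the scan template a flow's TCP flags count toward, or None."""
    flags &= 0x3F  # ignore ECE/CWR
    # Exact matches only: flow records OR together the flags of every packet,
    # so a normal connection (SYN|ACK|PSH|FIN) also has SYN and FIN set.
    return {
        0: "TCP Null Scan",
        FIN: "TCP Fin Scan",
        SYN | FIN: "TCP Syn Fin Scan",
        FIN | PSH | URG: "TCP Xmas Scan",
    }.get(flags)

def evaluate(flows, thresholds):
    """Alarm when a source reaches a template's threshold of distinct targets."""
    targets = defaultdict(set)
    for f in flows:
        if f["proto"] != 6:  # non-TCP flows carry tcp_flags 0; skip them
            continue
        template = classify(f["tcp_flags"])
        if template:
            # A set ignores duplicate records for the same destination and port.
            targets[(template, f["src"])].add((f["dst"], f["dport"]))
    return sorted(
        (t, src, len(seen)) for (t, src), seen in targets.items()
        if len(seen) >= thresholds.get(t, float("inf"))
    )

def flow(src, dport, flags, proto=6, dst="192.0.2.10"):
    return {"src": src, "dst": dst, "dport": dport, "proto": proto, "tcp_flags": flags}

# Constructed flow records for one statistics interval (documentation addresses).
SAMPLE_FLOWS = (
    [flow("198.51.100.7", p, FIN | PSH | URG) for p in (22, 23, 80, 443, 22)]
    + [flow("198.51.100.9", p, 0) for p in (21, 25)]
    + [flow("198.51.100.9", 80, SYN | FIN),
       flow("192.0.2.50", 443, SYN | ACK | PSH | FIN),  # ordinary connection
       flow("192.0.2.51", 53, 0, proto=17)]             # UDP, not a null scan
)

# Assumed threshold values; the manual does not state the template parameters.
THRESHOLDS = {"TCP Null Scan": 3, "TCP Fin Scan": 3,
              "TCP Syn Fin Scan": 1, "TCP Xmas Scan": 3}

if __name__ == "__main__":
    for template, src, count in evaluate(SAMPLE_FLOWS, THRESHOLDS):
        print(f"ALARM {template}: {src} hit {count} distinct targets")
```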