The LANGuardian dashboards display live network information that you can use to monitor your network. When you log into LANGuardian, the dashboards are immediately displayed. If you navigate away from the dashboards, you can click Dashboards in the LANGuardian menu bar to display the dashboards again. By default, LANGuardian contains five dashboards as follows:
- Network Traffic
- Network Security
- Internet Activity
- Inventory and Services
To display a different dashboard, click on one of the dashboard tabs that are displayed at the top of the dashboard display area as follows:
You can customize the dashboards to show at a glance the network information that is most important to you. You can also create new dashboards and customize them by adding and arranging reports and graphs.
Dashboards are user-specific, so each user can have an instant view of the information that is most important to them. Each user can have a maximum of five dashboards.
You can add any LANGuardian trend or report to a dashboard. When you create new trends or reports, they immediately become available for addition to dashboards under the Trends category.
1.2. Edit the Dashboards
To edit a dashboard, click on the button. When you are in Edit mode, you can perform any of the modifications described in sections below. To save the changes that you make to a dashboard, click Save. To cancel any changes to a dashboard and exit Edit mode, click Cancel.
Modify the Dashboard Display
When you are in Edit mode, the details about each column of information that is displayed on the dashboard are presented as follows:
You can modify the display of each dashboard in the following ways:
- To modify the width of a column, type the width in pixels in the Column x width text box.
- To change the order in which the reports/trends are displayed in a column, hover over the report/trend name until you see the move pointer and then drag the report/trend to the desired location in the list. You can also drag a report to another column.
- To add a new column to the dashboard, click on the Add Column icon. A new column is displayed with a default width and you can add reports or trends to the column as described in the next section.
- To remove a column from the dashboard, click on the icon beside the Column x width text box and click Delete.
- To change the order in which the columns are displayed, click on the blue header for the column and drag the column to the desired location.
- To add reports or trends to a dashboard, see Add or Remove Reports or Trends.
To save the changes to the dashboard and exit Edit mode, click Save. To cancel any changes that you made to the dashboard and exit Edit mode, click Cancel.
Add or Remove Reports or Trends
To add a report or trend to a column:
- Click on the column that you wish to modify.
- Click on the arrow next to the All menu, as shown here:
- Select a report/trend category from the list, for example, Netscan.
- Click in the white space to the right of the arrow to view a list of the reports that are available for the selected category, as shown in the following example:
- Click on the report that you want to add. The report is added to the column.
- Click Save to save the changes to the dashboard and exit Edit mode.
Rename a Dashboard
To rename a dashboard, click on the dashboard tab and then click in the navy box, as shown in the following example:
Type the new name for the dashboard and click Save.
Move a Dashboard
To change the order in which the dashboard tabs are displayed, hover over the arrows displayed to the right of the dashboard name until you see the move pointer and then drag the dashboard to the desired location.
To save changes to the dashboard location, click Save.
1.3. Add a Dashboard
The maximum (default) number of dashboards that LANGuardian can display is five. You can add a new dashboard if you currently have fewer than five dashboards and the icon circled below is displayed next to the dashboard tabs.
If the icon is not displayed and you want to add a new dashboard, then you must first delete an existing dashboard. See Delete a Dashboard.
To add a dashboard:
- Click on the Add Dashboard icon.
- Click in the new dashboard tab and type a name for the new dashboard.
- By default, new dashboards contain one column. You can edit the dashboard to add the information that you require. See Edit the Dashboards for more information.
- Click Save to save the new dashboard.
1.5. Modify Report Displays in a Dashboard
You can modify how each report is displayed on a dashboard in the following ways:
- Click on the edit icon to the right of the report name, as shown below:
- Use the Run Time section to show data for the Last 1 Hour, Last 4 Hours, or Last 24 Hours. Click on the option that you require.
- Use the Show Chart section to specify whether to display a graphical representation of the data on the dashboard, if appropriate. The options can be None, Pie, and Bar, depending on the report type. For some reports, charts are not relevant and None is selected. For other reports, the options Pie and/or Bar may be displayed. Click on the option that you require.
- Use the Show Table section to specify whether to display the report information in table format. The options are None, Headers and Content, or Content Only. Click on the option that you require.
- Click Save to save the changes.
Note: LANGuardian displays the first five rows of each report that is included on a dashboard. To access the full report from the dashboard, click on the arrow icon to the right of the report name. See Access a Full Report from the Dashboard for more information.
1.6. Access a Full Report from the Dashboard
LANGuardian displays the first five rows of each report that is included on the dashboard. If the report displays something of interest on the dashboard and you want to view the full report, you can access the full report from the dashboard by clicking on the arrow button to the right of the report name, as shown in the following example:
The full report is displayed. You can modify the filter options if required and click Run Report to view the information that interests you.
1.7. Sending Feedback from the Dashboard
To send feedback from LANGuardian, follow these steps:
- Click the Help button on the LANGuardian menu bar.
- Click the Send Feedback option from the drop-down menu.
- Enter a description, and click the Send Feedback button to send your feedback straight to NetFort.
1.8. Reporting an Issue from the Dashboard
To report a technical issue in LANGuardian, follow these steps:
- Click the Help button on the LANGuardian menu bar.
- Click the Report An Issue option from the drop-down menu.
- Enter a description of the issue, and click Send A Report to send the issue straight to our support team.
1.9. View System Information from the Dashboard
To view the system information from the dashboard, follow these steps:
- Click the Help button on the LANGuardian menu bar.
- Click the About option from the drop-down menu.
LANGuardian captures all network traffic flowing through your core switch and stores this data in a LANGuardian traffic database. LANGuardian provides a large number of built-in reports based on the data that it captures. You can customize the built-in reports to suit your requirements by applying a variety of filters. You can also easily create new custom reports if there is no built-in report to meet your requirements. When you run a report, LANGuardian creates a query based on your report criteria, applies the query to the LANGuardian database, and displays the results in graphical and tabular format.
To view all of the built-in reports that are available, click on All Reports. A list of report categories is displayed, with the most popular reports in each category displayed first. The reports are grouped under eight categories as follows:
- Windows File Shares
- My Reports
To view all of the reports in a category, click on More >>. When you click on More >>, LANGuardian displays a full list of the reports available in the reporting category and a brief description of each report.
To run a report and view the results:
- Click on a report name. A list of filter options is displayed on the left side of the screen, which you can modify according to your preferences. See Apply Report Filters for more information.
- To run the report, click Run Report. The report results are displayed on the right side of the display.
- To hide the report filters and fill the display area with the report results, you can click on the arrow button to the top left of the report results, as shown in the following example:
To display the report filters again, click on the arrow button again.
- To view a graphical representation of the report results and to toggle between the graphical view and the tabular view, click .
- If the report contains multiple screens of information, use the page navigation buttons at the bottom of the screen to navigate the report. You can also use the Rows drop-down list to select the number of report rows to display per page. The Rows setting persists for all reports.
2.2. Apply Report Filters
Report Filters are displayed on the left of the screen and allow you to modify the report results to display exactly the information that is of interest to you. By default, the most popular filters are displayed initially. To view more filters, click Show More. To view fewer filters again, click Show Less.
Using the Source IP/Subnet Filter
Many of the LANGuardian reports support the use of an IP/Subnet filter field to narrow the results of the report to specific IP addresses, a range of IP addresses, or to exclude certain IP addresses or ranges. The following table describes how to effectively use the IP/Subnet field to focus a report on the IP addresses that are of interest to you.
Using Common Regular Expressions
Some of the report filter fields contain a drop-down list to enable you to filter the report using regular expressions. For example, the following shows the drop-down list for the Website Name field:
The following table provides examples of some of the regular expressions that you can use to filter reports, depending on the filter field in use:
Filtering SQL Server Reports
To view SQL Server reports, click on All Reports, go to the Inventory category, and click on SQL Server.
To check if sensitive information such as passwords, user profiles, or addresses is being accessed on the network, you can use the Statement filter field in SQL Server reports. For example, to search for all SQL statements requesting password, username, or address information, select Matches regexp from the Statement drop-down list and enter password|username|address.
To check for instances of data drops from SQL databases, you can select Drop from the Statement Type filter field to display all drop statements.
2.3. Special Usernames in Reports
In addition to the regular usernames displayed in reports, the following special names are frequently displayed:
- Unknown: LANGuardian queried the Domain Controllers, but could not find a logon record to match the client generating this flow or event.
- Not Classified: LANGuardian has not yet queried the Domain Controllers to find a logon record to match the client generating this flow or event. LANGuardian updates the records about every 5 minutes.
- Anonymous: LANGuardian queried the Domain Controllers and found a logon record to match the client generating this flow or event. The username returned by the Domain Controller was ‘Anonymous’.
2.4. Embed a Report in a Third-Party Application
To view a report from a third-party application without having to log on to LANGuardian, you can embed a link to a report in the third-party application. To do this from a report results page:
2.5. Create a Trend Report
You can create a trend from a report. Trends can then be displayed on a dashboard or you can access the trend by editing a dashboard, clicking on the dashboard menu and selecting Trends.
To create a trend from a report:
- View the report that you want to trend.
- Select a sensor from the Sensor drop-down list. For trend reports, the default Sensor option of “all” is not acceptable. A trend must be connected to a particular sensor.
- Click Actions () and select Trend Report.
- Type a name for the trend in the Name field.
- The report columns that are suitable for inclusion in the trend are listed. By default, all suitable report columns are selected for inclusion in the trend. To exclude a column, deselect the column name.
- Click Create.
2.6. Save a Report as a Custom Report
If you make changes to the filter fields for a standard report, you may wish to save a copy of the report for future use. The report then becomes a custom report. To save a copy of a report:
- Click Actions () and select Duplicate Report.
- Type a name for the report in the Name field.
- Type a brief description of the contents of the report in the Description field.
- Click Save. The results are saved to a report and stored under the My Reports category. The results are cleared from the current screen. To view the report, click All Reports and select the report under the My Reports category.
2.7. Download a Report
To download a report:
- Click Download Report.
- Select the report format:
- PDF (Portable Document Format), for viewing and printing with Adobe Reader or Adobe Acrobat.
- CSV (Comma-Separated Values) format, for importing into applications such as Microsoft Excel and Google Apps™.
- Select Current to export only the current page of results or All to export all of the results pages. The number of pages of results is indicated in the bottom right of the report display, for example, 1 of 18.
- Select A4 or Letter to determine the paper size.
- Select Portrait or Landscape to determine the orientation of the pages.
- Click Download. The file is downloaded to the default Downloads folder in the specified format.
2.8. Email a Report
To email a report to an email address:
- View the report that you want to email.
- Click Send Report by Email on the report menu bar.
- Type the recipient email address in the To field.
- Type a brief subject in the Subject field. For example, “Top Talkers Report from LANGuardian”.
- Type a message in the Message field.
- Select Current to email only the current page of results or All to email all of the results pages. The number of pages of results is indicated in the bottom right of the report display, for example, 1 of 18.
- Click Send.
The report is included in the message body and sent to the recipient.
You can email any LANGuardian report on demand, and you can also schedule reports to run and email the results to specific users at hourly, daily or weekly intervals.
You can use the Search bar in the LANGuardian menu bar to search the LANGuardian reports and the LANGuardian traffic database for specific information.
You can use the Search bar in two different ways as follows:
- Click in the Search box to display a full list of all LANGuardian reports. Select a report from the list to go directly to the report and click Run Report.
- Click on the arrow to the right of the Search box to display other search options as follows:
- To search for information by IP address or subnet, type an IP address or subnet in the IP Address text box. For example, 192.168.1.227 or 192.168.1.0/24.
- To search for information by username, type a full or partial username in the User Name text box.
- To search for information by filename, type a filename, partial filename, directory name, partial directory name, or file type in the File Name text box. LANGuardian searches for all filenames that match the search criteria.
- To search for information by website, type a full or partial domain name. For example, you can enter “youtube.com” to display data for youtube.com or enter “you” to display data for any domain name that contains the word “you”.
- From the Time Range drop-down list, select whether to perform the search on data from the Last 1 Hour, Last 4 Hours, or Last 24 Hours (default). Alternatively you can click on the calendar icon to display a date/time range dialog and specify a longer period of time that you want to search.
- Click the Search button to begin the search. All reports that contain data matching the search criteria are displayed. To view the full report, click on the arrow to the right of the report name.
The following table provides some guidelines for entering search criteria:
4. Custom Event Rules
This is a powerful feature that allows you to define custom rules that trigger alerts for suspicious activity that may appear on the network.
4.1. Creating Custom Rules
To create a custom event rule in LANGuardian:
- Choose Settings from the Settings drop-down menu
- Under Alerts, Reports click the Alert rules link
- Click the Add New Rule link
- Create a name for the rule. Note that rule names are restricted to letters and numbers only
- Define the custom rule by selecting a module from the drop-down menu ‘Module’
- Then select a hook for a custom rule from the next drop-down menu ‘Hook’. See ‘Modules and Hooks’ below
- Finally add some fields to completely customise the event rule
- Click the Save button
- To view the alerts created from the custom event rules, select the search bar and enter User Defined, then select the Network Events Summary (User Defined) report
- Run the report
4.2. Modules and Hooks
There are 14 possible modules to select from; each is detailed below with its associated hooks. Each module allows you to create rules based on a particular type of network traffic, or a related set of parameters.
- Procedure call
- DNS A-record response
- DNS A-record response from blacklisted domain
- Email with attachment
- Email without attachment
- Fake hyperlink URL
- Create file
- Delete directory
- Delete file
- Map share
- Open file
- Read file
- Rename file
- Write file
- Web access
HTTP Proxy Module:
- Web access via proxy
- Secure web access
- New flow
- TCP connection handshake (SYN)
NFS Mount Module:
- Mount Failure
- Mount request
- Mount success
NFS v3 Module:
- Create a directory
- Create a file
- Create a special device
- Create a symbolic link
- Create a link to an object
- Extended read from directory
- Lookup filename
- Read from file
- Remove a directory
- Rename a file or directory
- Set file attributes
- Write to file
Network Scan Module:
- Network scan
Port Scan Module:
- Port scan
Volume Overflow Module:
- Volume overflow
- SQL database query
Each Hook has a number of Fields that define the criteria for the rule.
The following is a list of some examples of the fields that a hook may contain. Adding fields helps generate a more exact custom rule.
For example, to create a rule for a file share read action from a given source IP or domain where the file name is “somefilename.doc”, select Module -> Fileshare and Hook -> ‘Read File’, then add the src, dst and name (file name) fields combined with the && operator described in the next section.
1. Module ‘File Share’ where the Hook is ‘Read file’
- src: the source IP of the traffic e.g. 192.168.127.1 or 3232268022 or 172.16.17.30/20
- dst: the destination IP of the traffic e.g. 192.168.127.1 or 3232268022 or 172.16.17.30/20
- sport: the source port e.g. 22
- dport: the destination port e.g. 22
- protover: the SMB protocol version e.g. 2
- username: User name e.g. “peter”
- share: Share name e.g. “sharename”
- name: File name e.g. “somefile”
2. Module ‘HTTP’ where the Hook is ‘Web access’
- src: the source IP address of the request e.g. 192.168.127.1 or 3232268022 or 172.16.17.30/20
- dst: the destination IP address e.g. 192.168.127.1 or 3232268022 or 172.16.17.30/20
- sport: the source port e.g. 22
- dport: the destination port e.g. 22
- host: the host name portion of the URI e.g. “weather.noaa.gov”
- uri: the URI excluding the host portion e.g. “/cgi-bin/mgetmetar.pl?cccc=KBOS”
- rlim: Rate limit e.g. 100/m
When creating rules, there are a number of conditional operators that can be used instead of the equals operator. The following is a list of all available operators, each with an example:
- Contains: =~ (example: host =~ “web”)
- Not equal to: != or !~ (example: host != “web”)
- Less than: < (example: dport < 443)
- Less than or equals: <= (example: dport <= 443)
- Greater than: > (example: dport > 80)
- Greater than or equals: >= (example: dport >= 80)
4.5. Building a Custom Event Rule
These steps outline how to build a custom event rule:
- Select the Module that best suits your requirements from the Module drop-down
- Next, select a Hook associated with that module from the next drop-down menu
- Next, select the Field(s) from the list of Fields associated with that Module.
String fields such as host and name require that the value is surrounded by double quotes, e.g. host=”website”, while IP addresses and integer values, such as those used for src and port, do not. For example, src=10.1.1.1.
Several fields can be used in combination in the same rule to define the criteria for the rule. See examples below.
The following rule will fire an alert when a user accesses any URI under cnn.com AND via port 80:
host=”cnn.com” && dport=80
This will generate an alert if a URI with either cnn.com OR www.foxnews.com is accessed:
host=”cnn.com” || host=”www.foxnews.com“
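To see how the fields, operators and && / || combinations above fit together, here is an added example (not NetFort's code) that evaluates rules written in this syntax against sample events. It assumes, because the page does not say, that && binds tighter than ||, that there are no parentheses, that = is exact equality, and that an integer literal on an IP field is the 32-bit form of an IPv4 address.

```python
"""Evaluator for LANGuardian-style custom event rules (added example, not NetFort's code).
Assumed, since the page does not say: '&&' binds tighter than '||', no parentheses,
'=' is exact equality, and an integer IP literal (e.g. 3232268022) is a 32-bit IPv4."""
import ipaddress
import re
from operator import eq, ne, lt, le, gt, ge

_QUOTES = '"\u201c\u201d'  # ASCII quotes plus the curly quotes in the page's examples
_ATOM = re.compile(r"^\s*(\w+)\s*(=~|!~|!=|<=|>=|<|>|=)\s*(.+?)\s*$")
_CMP = {"=": eq, "!=": ne, "<": lt, "<=": le, ">": gt, ">=": ge}


def _parse_value(text):
    """Classify a literal: quoted string, CIDR subnet, IP address, integer or bare text."""
    text = text.strip()
    if len(text) >= 2 and text[0] in _QUOTES and text[-1] in _QUOTES:
        return "str", text[1:-1]
    try:
        if "/" in text:
            return "net", ipaddress.ip_network(text, strict=False)  # 172.16.17.30/20
        return "ip", ipaddress.ip_address(text)                     # 192.168.127.1
    except ValueError:
        pass
    try:
        return "int", int(text)                                     # 443 or 3232268022
    except ValueError:
        return "str", text                                          # e.g. rlim 100/m


def parse_condition(atom):
    m = _ATOM.match(atom)
    if not m:
        raise ValueError(f"cannot parse condition: {atom!r}")
    field, op, raw = m.groups()
    return field, op, _parse_value(raw)


def _coerce(field_value, kind, lit):
    """Bring the event value and the literal to one comparable type."""
    if kind == "str":
        return str(field_value), lit
    looks_like_ip = isinstance(field_value, str) and "." in field_value
    if kind in ("ip", "net") or (kind == "int" and looks_like_ip):
        ev = ipaddress.ip_address(field_value)
        return ev, (ipaddress.ip_address(lit) if kind == "int" else lit)
    return int(field_value), lit


def _matches(field_value, op, literal):
    """Apply one of the page's operators to a single event field."""
    kind, lit = literal
    if op in ("=~", "!~"):                      # 'Contains' and its negation
        hit = str(lit) in str(field_value)
        return hit if op == "=~" else not hit
    try:
        ev, lit = _coerce(field_value, kind, lit)
    except ValueError:                          # e.g. an int literal against a username
        return False
    if kind == "net":                           # subnet literal: membership test only
        if op not in ("=", "!="):
            raise ValueError(f"operator {op!r} is not meaningful for a subnet")
        return (ev in lit) == (op == "=")
    return _CMP[op](ev, lit)


def evaluate(rule, event):
    """True when the event satisfies the rule; a field absent from the event never matches."""
    for disjunct in rule.split("||"):           # OR groups of AND-ed conditions
        satisfied = True
        for atom in disjunct.split("&&"):
            field, op, literal = parse_condition(atom)
            if field not in event or not _matches(event[field], op, literal):
                satisfied = False
                break
        if satisfied:
            return True
    return False


# Constructed sample events shaped like the page's 'web access' and 'Read file' hooks.
WEB_EVENT = {"src": "192.168.127.5", "dst": "151.101.1.67", "sport": 51234,
             "dport": 80, "host": "cnn.com", "uri": "/world/index.html"}
FILE_EVENT = {"src": "172.16.20.9", "dst": "172.16.17.30", "dport": 445, "protover": 2,
              "username": "peter", "share": "finance", "name": "somefilename.doc"}
```

Running evaluate('host=”cnn.com” && dport=80', WEB_EVENT) returns True, while the same rule with dport=443 returns False because every && condition must hold.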
4.6. Configuring an Immediate Alert E-mail
These steps outline how to configure an immediate email on triggering a custom rule, known in LANGuardian as a user-defined event:
- Go to https://LANGuardianIP/ids/marked.cgi and click on ‘Add New Marked Signature’.
- Search for the signature named ‘User Defined’ and set its ‘action’ to ‘send email’.
The recipients in the alerts e-mail distribution list will receive the alerts.
The packet capture feature available on LANGuardian has four fields:
- Network Interface
- Filter
- File Name
- Max Number of Packets
Network Interface: This allows the user to select what interface they wish to capture packets from.
Filter: This conforms to regular TCPDump filters.
Examples can be found here: http://www.tcpdump.org/tcpdump_man.html.
For more detailed filters: http://www.tcpdump.org/manpages/pcap-filter.7.html
File Name: This is the name under which the user wants the file to be saved.
Max Number of Packets: This allows the user to choose how many packets they wish to capture, up to a maximum of 100,000.
The following steps demonstrate how to manually update LANGuardian.
NOTE: Manually updating LANGuardian is not recommended for all customers. Manual upgrades are typically used by customers who have their LANGuardian installed in an environment without an internet connection.
- Access the Settings Menu
- Access Updates on the Settings page
- Select More Options to get the Select File option. Select the upgrade package.
If you require a download link please contact support and they will be happy to provide you with the latest update package.
To integrate LANGuardian with Active Directory
The following five steps need to be completed to enable the integration:
(1) Create an AD account which your LANGuardian will use for logging on to the domain
(2) Assign WMI permissions to this user
(3) Add user to Performance Log Users and Event Log Readers groups
(4) Check access rights using wbemtest application
(5) Configure AD integration on LANGuardian
1. Create a standard user logon for LANGuardian
An existing account for AD integration can be used but for the purposes of this guide a new account will be created called LANGuardian.
This account does not need to be an administrator or in the domain admins group but it does need extra permissions which are described below.
We recommend that the account is set with a password which does not expire as there is no facility within the LANGuardian GUI to set AD passwords.
2. Assign WMI permissions
Log on to each domain controller and grant the specific WMI permissions to the new user.
Click Start\Run and type wmimgmt.msc. In the WMI Management window, right-click on the WMI Control sub-menu and select Properties.
Under the Security tab, select CIMV2 and click on the Security button in the bottom right corner. See below:
Add the LANGuardian AD account and verify that Enable Account, Remote Enable and Read Security are allowed; if not, enable those permissions and apply your settings.
3. Add user to Performance Log Users and Event Log Readers groups
Use the Active Directory Users and Computers application to add the LANGuardian AD account to the groups Performance Log Users and Event Log Readers.
4. Check configuration and permission using the wbemtest application
Test the WMI configuration and permissions using the native Windows tool WBEMTEST from your desktop:
(1) Click on run and type in wbemtest on a Windows 7 or 10 system
(2) Click on connect and type in \\x.x.x.x\root\cimv2 into the namespace field where x.x.x.x is the IP address of a domain controller
(3) Use the LANGuardian AD account with password and click on connect
(4) If the account has permissions to connect via WMI you should not see any error messages
If the steps above fail add the LANGuardian user account to the domain group Performance Log Users and try running the test again.
If this fails then try the test using the Administrator account to see if the server is blocking all remote WMI connections.
Optionally, click on Query and type in SELECT * FROM Win32_NTLogEvent WHERE Logfile = 'Security' AND EventCode = '4624' (WQL requires straight quotes, not curly ones).
The above command verifies that the account can run a query and see the user logon events.
If you do not get any data back from the query you may not be auditing user logon events or the LANGuardian AD account is not in the Event Log Readers group.
5. Configure AD integration on LANGuardian
Log on to the LANGuardian GUI, click on the gear symbol at the top left, then go to Settings \ Identity \ Active Directory.
Click on add domain and enter the IP address of one domain controller together with the LANGuardian AD account.