© 2006 Cisco Systems, Inc. All rights reserved. HIPS v
Using CSA Analysis
Configuring Application Behavior Investigation
Objectives
At the end of this lesson, you will be able to meet these objectives:
- Identify the function of Application Behavior Investigation
- Describe how to configure Behavior Analysis
Application Behavior Investigation Process
[Diagram: CSA MC and Host. Labels: "Policy for Application Behavior Investigation deployed"; "Events logged for Application Behavior"]
Behavior Analysis
Before configuring Behavior Analysis for an application, ensure that you have these details:
- The application you want to analyze
- The host you want to select for application analysis
Configuring Behavior Analysis Investigation
Monitoring the Behavior Analysis
Starting the Behavior Analysis
Reviewing the Rule Module
You can maintain integrity between the application and the system by:
- Protecting the application from the system: Behavior Analysis creates File Access Control rules to protect the application data from being exposed to external attacks.
- Protecting the system from the application: Behavior Analysis categorizes application resources into file, registry, network, and COM components, and creates access control rules for each of these categories.
Summary
- The Application Behavior Investigation feature serves as a data analysis and policy creation tool for administrators.
- The three different contributing components for Application Behavior Investigation are CSA MC, the Behavior Investigation functionality, and the Agent.
- Application Behavior Investigation, when deployed on a host, monitors the actions of designated applications on that host and logs all attempts to access system resources.
- Application Behavior Investigation analyzes the logging data, prepares detailed reports for the designated application, and generates a rule module to implement the results.
- The rule module created during Behavior Analysis helps in enforcing normal application behavior and maintaining integrity between the application and the system.
- You can monitor the progress of the Behavior Analysis process on a host by using the Progress Status fields on the Behavior Analysis configuration page.
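
The log-then-generate-rules flow summarized above, as an added example that is not part of the original course material and is not CSA code. The event tuples, process names, paths and the rule-module layout are constructed for illustration and do not reflect CSA MC's actual log or rule formats.

```python
from collections import defaultdict

# Constructed sample events (NOT CSA MC log format):
# (process, category, operation, resource)
SAMPLE_EVENTS = [
    ("app.exe", "file", "read", r"C:\App\data\config.ini"),
    ("app.exe", "file", "write", r"C:\App\data\cache.db"),
    ("app.exe", "file", "read", r"C:\App\data\config.ini"),
    ("app.exe", "registry", "read", r"HKLM\Software\App\Settings"),
    ("app.exe", "network", "connect", "10.0.0.5:443"),
    ("app.exe", "com", "create", "Scripting.Dictionary"),
    ("other.exe", "file", "read", r"C:\App\data\config.ini"),
]

# The four resource categories named on the "Reviewing the Rule Module" slide.
CATEGORIES = ("file", "registry", "network", "com")


def build_rule_module(events, application):
    """Protect the system from the application: group the designated
    application's observed accesses by category into allow lists."""
    observed = defaultdict(set)
    for process, category, operation, resource in events:
        if process != application:
            continue  # only the designated application is analyzed
        if category not in CATEGORIES:
            raise ValueError(f"unknown resource category: {category}")
        observed[category].add((operation, resource.lower()))
    # One sorted allow list per category; anything not listed is denied.
    return {cat: sorted(observed[cat]) for cat in CATEGORIES}


def evaluate(rule_module, category, operation, resource):
    """Return 'allow' if this access was seen during analysis, else 'deny'."""
    allowed = rule_module.get(category, [])
    return "allow" if (operation, resource.lower()) in allowed else "deny"


def external_access_rule(events, application):
    """Protect the application from the system: list the application's data
    files so a file access rule can deny them to every other process."""
    files = {r.lower() for p, c, _, r in events
             if p == application and c == "file"}
    return {"deny_processes_other_than": application, "files": sorted(files)}
```

In this simplified model, an access the application never performed during the analysis window is denied, so the window needs to cover the application's full normal workload before the generated rules are enforced.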