Summary
In some environments, a high number of file READ or NFS LOOKUP operations matching blocklist patterns can cause a large number of unnecessary alerts or blocks. For example, this can happen in a development environment because of the “ls” command or an application reading files with restricted extensions.
In this situation it is desirable to stop matching READ and NFS_LOOKUP operations against blocklist patterns.
This is normally done on the CryptoSpike -> Clusters -> svmName screen by unchecking the corresponding operations: the “Read” checkbox and the “Lookup” checkbox.
However, these operations are required by the behavioral pattern filters such as “Generic Ransomware (replace)” and “Generic Ransomware (overwrite)”, so they cannot be unchecked.
The procedure below keeps the required READ and NFS_LOOKUP operations monitored without generating alerts or blocks via blocklist patterns.
Step-by-Step
- Copy the operation list of “BLOCK_ALL”:
SMB_CREAT,SMB_OPEN,SMB_CLOSE,SMB_DEL,SMB_REN,SMB_GET_ATTR,SMB_SET_ATTR,SMB_RD,SMB_WR,NFS_OPEN,NFS_CLOSE,NFS_CREAT,NFS_DEL,NFS_REN,NFS_GET_ATTR,NFS_SET_ATTR,NFS_RD,NFS_WR,NFS_SYM_LNK,NFS_LNK,NFS_LOOKUP
- Create a new Filter Category “RD-LOOKUP-Removed” with the same list minus SMB_RD, NFS_RD and NFS_LOOKUP:
SMB_CREAT,SMB_OPEN,SMB_CLOSE,SMB_DEL,SMB_REN,SMB_GET_ATTR,SMB_SET_ATTR,SMB_WR,NFS_OPEN,NFS_CLOSE,NFS_CREAT,NFS_DEL,NFS_REN,NFS_GET_ATTR,NFS_SET_ATTR,NFS_WR,NFS_SYM_LNK,NFS_LNK
- At this time, the Filter Category cannot be mass-changed in the GUI, so it must be done via an SQL statement. tomcat8 must also be stopped and started again so that the GUI does not show any discrepancy.
- Connect to the CS Server via SSH
- Run: service tomcat8 stop
- mysql cryprospikecli
- update PL_FILTER set FILTER_CATEGORY=6, FILTER_CATEGORY_NAME='RD-LOOKUP-Removed' where FILTER_CATEGORY=1;
- Run: service tomcat8 start
Note: a default installation has 5 Filter Categories: “BLOCK_ALL” is FILTER_CATEGORY=1, “HIGH” is 2, “MED” is 3, “LOW” is 4 and “NONE” is 5. A new category (in this case “RD-LOOKUP-Removed”) gets the next available number, FILTER_CATEGORY=6.
You can check the result by running:
select FILTER_CATEGORY_NAME,FILTER_CATEGORY,count(*) from PL_FILTER group by FILTER_CATEGORY;
This displays the number of filters per Name/Category; after the update, no row should remain for FILTER_CATEGORY=1.
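Before editing PL_FILTER it is worth confirming that the new category really drops only the three read/lookup operations and nothing else, and after the UPDATE that no filter was left behind in category 1. The following script is an added example (not part of this article and not CryptoSpike's own tooling): it diffs the two operation lists from the steps above, renders the UPDATE with straight single quotes (MySQL rejects the curly quotes that word processors insert), and parses a constructed sample of the verification query's tab-separated output. The column names and category numbers are taken from the article; the sample counts are made up for illustration.

```python
"""Sanity checks for the CryptoSpike filter-category change (added example).

Assumes the PL_FILTER column names and the operation lists exactly as shown
in the article. SAMPLE_OUTPUT is constructed, not real CryptoSpike data.
"""

BLOCK_ALL = (
    "SMB_CREAT,SMB_OPEN,SMB_CLOSE,SMB_DEL,SMB_REN,SMB_GET_ATTR,SMB_SET_ATTR,"
    "SMB_RD,SMB_WR,NFS_OPEN,NFS_CLOSE,NFS_CREAT,NFS_DEL,NFS_REN,NFS_GET_ATTR,"
    "NFS_SET_ATTR,NFS_RD,NFS_WR,NFS_SYM_LNK,NFS_LNK,NFS_LOOKUP"
)

RD_LOOKUP_REMOVED = (
    "SMB_CREAT,SMB_OPEN,SMB_CLOSE,SMB_DEL,SMB_REN,SMB_GET_ATTR,SMB_SET_ATTR,"
    "SMB_WR,NFS_OPEN,NFS_CLOSE,NFS_CREAT,NFS_DEL,NFS_REN,NFS_GET_ATTR,"
    "NFS_SET_ATTR,NFS_WR,NFS_SYM_LNK,NFS_LNK"
)

# The only operations the procedure intends to drop from blocklist matching.
INTENDED_REMOVALS = {"SMB_RD", "NFS_RD", "NFS_LOOKUP"}


def parse_ops(op_list: str) -> set:
    """Split a comma-separated operation list as typed into the GUI."""
    return {op.strip() for op in op_list.split(",") if op.strip()}


def check_new_category(base: str, reduced: str, intended: set) -> dict:
    """Compare the reduced category against the base one.

    Reports what was removed, which intended removals are still present,
    and what disappeared or appeared by accident (a typo in the GUI text
    box would otherwise silently weaken the blocklist).
    """
    base_ops, reduced_ops = parse_ops(base), parse_ops(reduced)
    removed = base_ops - reduced_ops
    return {
        "removed": removed,
        "still_present": intended & reduced_ops,
        "unexpectedly_removed": removed - intended,
        "unexpectedly_added": reduced_ops - base_ops,
        "ok": removed == intended and reduced_ops <= base_ops,
    }


def build_update_sql(new_cat: int, new_name: str, old_cat: int = 1) -> str:
    """Render the UPDATE with straight quotes; reject names that would need escaping."""
    if "'" in new_name or "\\" in new_name:
        raise ValueError("category name must not contain quotes or backslashes")
    return (
        f"UPDATE PL_FILTER SET FILTER_CATEGORY={int(new_cat)}, "
        f"FILTER_CATEGORY_NAME='{new_name}' WHERE FILTER_CATEGORY={int(old_cat)};"
    )


# Grouping by both columns avoids depending on MySQL's ONLY_FULL_GROUP_BY setting.
VERIFY_SQL = (
    "SELECT FILTER_CATEGORY_NAME, FILTER_CATEGORY, COUNT(*) "
    "FROM PL_FILTER GROUP BY FILTER_CATEGORY, FILTER_CATEGORY_NAME;"
)


def parse_count_output(text: str) -> dict:
    """Parse tab-separated `mysql --batch` output of VERIFY_SQL into {category: (name, count)}."""
    rows = {}
    lines = [ln for ln in text.strip().splitlines() if ln.strip()]
    for ln in lines[1:]:  # first line is the column header
        name, cat, count = ln.split("\t")
        rows[int(cat)] = (name, int(count))
    return rows


def update_fully_applied(counts: dict, old_cat: int = 1) -> bool:
    """True when no filter remains in the old category after the UPDATE."""
    return old_cat not in counts


# Constructed sample of what the verification query might print after the change.
SAMPLE_OUTPUT = """FILTER_CATEGORY_NAME\tFILTER_CATEGORY\tCOUNT(*)
HIGH\t2\t120
MED\t3\t80
LOW\t4\t40
NONE\t5\t10
RD-LOOKUP-Removed\t6\t300
"""

if __name__ == "__main__":
    report = check_new_category(BLOCK_ALL, RD_LOOKUP_REMOVED, INTENDED_REMOVALS)
    print("category diff ok:", report["ok"], sorted(report["removed"]))
    print(build_update_sql(6, "RD-LOOKUP-Removed"))
    counts = parse_count_output(SAMPLE_OUTPUT)
    print("update fully applied:", update_fully_applied(counts))
```

Run the diff check against whatever you actually pasted into the GUI text box; if `ok` is False, the `unexpectedly_removed` or `unexpectedly_added` sets tell you which operation was mistyped before any filter is moved.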
- Enable Read and Lookup in SVM monitoring (CryptoSpike -> Clusters -> svmName)
- At the SVM level, select the “Inherit from parent” option
- Click on every Child button (for Volumes: CIFS, CIFS audit, NFS; for Shares: CIFS). This sets up inheritance from the SVM parent to the child Volumes and Shares.
- Now click “Save”; this propagates the “Inherit from parent” option to the child Volumes and Shares.
- Now, on the same screen, select “Blocklist” (instead of “Inherited from parent”)
- Check the “Read” and “Lookup” checkboxes again in the “Monitor Operation” section of this SVM
- Now click “Save” to propagate the new setting to the child Volumes and Shares, BUT WITHOUT CLICKING AGAIN ON THE CHILD BUTTONS
With this setup, READs and LOOKUPs are monitored again for the SVM and the existing behavioral patterns should trigger normally. However, file filter blocking (blocklist/passlist) will not match files on READs and LOOKUPs, since the “RD-LOOKUP-Removed” Filter Category does not include these operations.