GIN Troubleshooting

Troubleshooting Global Intelligence Network (GIN)
Contents
What is Global Intelligence Network
Licensing
Configuration of GIN Settings
  Static (or LiveUpdate)
  Global Intelligence Network Internet Services
  Another Global Intelligence Network Integration Manager Server
Content of the GIN Database
  What is the date and timestamp of the GIN Database?
Content not updated
What is Global Intelligence Network
Information Manager has access to current vulnerability, attack pattern, and threat resolution
information from the Threat and Vulnerability Management service. The Symantec Global Intelligence
Network is a comprehensive collection of vendor-neutral security data sources. The service is an
authoritative source of information about known and emerging vulnerabilities, threats, risks, and global
attack activity. More information at http://www.symantec.com/docs/DOC2480
Licensing:

Does the customer have a valid license (.slf file) for GIN content?
In the WEBUI go to Settings -> Licensing -> GIN
The Current License field should show the content of the imported XML license.
Verify the <start_date>, <end_date>, <warn_policy> and <grace_policy> values.
If the license is invalid the customer will have to contact the licensing team.
Note: A good licensing troubleshooting tip is to get the customer to send you a copy of their .slf so you can
test it in the lab if needed.
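An added example (not a Symantec tool and not part of the original page) that reads the four fields named above out of an .slf and classifies the licence window. It assumes the .slf is XML with those tag names, and it assumes the dates inside <start_date> and <end_date> are ISO YYYY-MM-DD; the page names the tags but not the date format. The sample licence the script creates is constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not Symantec tooling. Classifies the GIN licence window in an
# .slf file. ASSUMPTION: the file is XML with <start_date>/<end_date> holding
# ISO dates (YYYY-MM-DD); the page names the tags but not the date format.

# tag_value FILE TAG: print the text of the first <TAG>...</TAG> found in FILE.
tag_value() {
    sed -n "s/.*<$2>\([^<]*\)<\/$2>.*/\1/p" "$1" | head -n 1
}

# license_state SLF_FILE [DATE]: print ACTIVE, NOT_YET_VALID, EXPIRED or
# UNREADABLE for the licence window relative to DATE (default: today). Dashes
# are stripped so the dates compare as plain integers (20110301 < 20111231).
license_state() {
    start=$(tag_value "$1" start_date | tr -d -)
    end=$(tag_value "$1" end_date | tr -d -)
    today=$(printf '%s' "${2:-$(date +%Y-%m-%d)}" | tr -d -)
    if [ -z "$start" ] || [ -z "$end" ]; then
        echo UNREADABLE; return 1
    fi
    if [ "$today" -lt "$start" ]; then
        echo NOT_YET_VALID; return 1
    elif [ "$today" -gt "$end" ]; then
        echo EXPIRED; return 1
    fi
    echo ACTIVE
}

# license_report SLF_FILE [DATE]: one-line summary of the fields the page says to check.
license_report() {
    printf 'start=%s end=%s warn=%s grace=%s state=%s\n' \
        "$(tag_value "$1" start_date)" "$(tag_value "$1" end_date)" \
        "$(tag_value "$1" warn_policy)" "$(tag_value "$1" grace_policy)" \
        "$(license_state "$1" "$2")"
}

# Constructed sample licence (not a real Symantec .slf) so the functions can be
# exercised offline in the lab.
SAMPLE_SLF=$(mktemp)
cat > "$SAMPLE_SLF" <<'EOF'
<license>
  <product>GIN Content</product>
  <start_date>2011-01-01</start_date>
  <end_date>2011-12-31</end_date>
  <warn_policy>30</warn_policy>
  <grace_policy>15</grace_policy>
</license>
EOF

# On a customer file: license_report /path/to/customer.slf
license_report "$SAMPLE_SLF" 2011-06-15
```

Run it against the copy of the customer's .slf in the lab; a state other than ACTIVE (or UNREADABLE, meaning the file does not carry the expected tags) is the cue to involve the licensing team rather than to keep debugging content delivery.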
Configuration of GIN Settings :

Does the customer use Static or Dynamic updates?
In the WEBUI go to Settings -> GIN
Three options are possible:
Static (or LiveUpdate) :
This updates the content only when a LiveUpdate is run; the content itself is released monthly.
Go to the Maintenance -> LiveUpdate page
Select:
- Symantec SIM Content
- Symantec SIM GIN Content
- Symantec SIM GIN Server
- Symantec SIM Normalization Content
- Symantec SIM Rules, Filters and Monitors
- Symantec SIM System Queries
Click Update
The content is released once a month around the 25th.
Note: The GIN entries may be missing from the LiveUpdate list if the GIN setting was changed to something
other than Static before LiveUpdate was run.
Global Intelligence Network Internet Services :
This goes directly to the internet.
Make sure the settings match the reference screenshot.
Make sure the URL has no typo and has not been modified.
Note: If the customer has an issue with the IP Watch List rule, the “IP Address Limit” (300 by default) is the
number of IP addresses that will be stored in the Watch List database.
Another Global Intelligence Network Integration Manager Server :
This goes directly to the upstream server.
Does the customer use a proxy to connect to the internet?
Make sure the proxy settings box is correctly populated.
Make sure to click "Test Proxy Configuration".
Content of the GIN Database
What is the date and timestamp of the GIN Database ?
In the WEBUI go to Monitor -> SSIM -> GIN Status
Make sure the date is today's date and the timestamp is within the refresh interval (by default every 60
minutes).
If the customer is having an issue with the IP Watch List, make sure the number (300 by default) matches the
setting they entered on the configuration page.
If the customer is using Static content these values should more or less match the date on the LiveUpdate
page.
Ideally compare with your own test SSIM Appliance.
Make sure the JAVA Client UI shows up-to-date information:
Go to the Intelligence tab
Compare the two dates; the second date should be within the 60-minute range (or the value set up in the
configuration).
If the JAVA Client says that it is using Demo data, the license is not correct.
Content not updated
If the content doesn't get updated, what and where to look?
1- Deepsight Service
In the WEBUI go to Monitor -> SSIM -> SSIM Services. The “dimserver” should be UP.
On the command line run the status command; the output should show dimserver as UP:
[root@atr-ses-9650 logs]# status
NAME       PID   PORT   UPTIME   MAXUPTIME #START STATUS EXIT
dimserver  5512  55560  6d06:56  6d06:56   1      UP     0
If it is not running execute this command:
[root@atr-ses-9650 logs]# service dimserver start
Starting dimserver                                        [ OK ]
If the service fails to start go to the section about log files.
2- Networking
Verify Internet connectivity:
DNS configuration: ssh to the appliance as root and run the following command:
nslookup deepsightinfo.symantec.com
The result should look like this:
Server:         10.160.96.2
Address:        10.160.96.2#53

Non-authoritative answer:
Name:   deepsightinfo.symantec.com
Address: 143.127.139.80
The returned address can differ depending on where the customer is located in the world. If they rely on a
proxy to resolve names they might not get an IP address back.
If the customer doesn't use a proxy you can use a wget command to verify connectivity. wget has no
command-line switch for the proxy address, but it honours the https_proxy environment variable (or
-e https_proxy=URL), so set that first when the appliance reaches the internet through a proxy.
wget https://deepsightinfo.symantec.com/DataFeeds2/DataFeed.asmx
--15:18:39-- https://deepsightinfo.symantec.com/DataFeeds2/DataFeed.asmx
=> `DataFeed.asmx'
Resolving deepsightinfo.symantec.com... 143.127.139.80
Connecting to deepsightinfo.symantec.com|143.127.139.80|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 3,470 (3.4K) [text/html]
100%[=====================================>] 3,470 6.50K/s
15:18:42 (6.49 KB/s) - `DataFeed.asmx' saved [3470/3470]
A 200 OK here only proves that the appliance can reach the service over HTTPS (the saved file is the
service's HTML description page); it says nothing about the license or the content itself.
3- Log Files
If connectivity is good, the next step is to look at the Deepsight service log files on the SSIM Appliance.
The main log files are located in /opt/Symantec/simserver/logs and are called:
- deepsightservlet.log
- dimserver.log
These two log files can contain a lot of Java exception errors. They will also contain errors if, for example,
there are proxy authentication failures.
To enable debug on the dimserver, edit the following file:
/opt/Symantec/simserver/dim/log4j.properties
Search for the following line:
#log4j.logger.com.symantec.dim=DEBUG
Remove the # in front so it reads:
log4j.logger.com.symantec.dim=DEBUG
Then execute “service dimserver restart”
Note: Do not enable DEBUG unless it is required; any critical error is written to the log file in normal
mode. Put the # back and restart dimserver once you have collected what you need.
You might need the customer to send you a copy of the following file: /etc/Symantec/dim/dim.conf
The file contains all the settings from the WEBUI (proxy settings included), so handle it as sensitive.
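The three checks above (service, network, log files) and the DEBUG toggle, scripted as one added example; this is not a Symantec tool and not code from the original page. The log paths, the `status` command, the feed URL and the log4j line are taken from the page; the patterns used to count exceptions and proxy-authentication errors, the https_proxy handling and the GIN_LIVE switch are assumptions. The sample status output and log lines it writes are constructed so the parsing functions can be exercised offline in the lab.

```shell
#!/bin/sh
# Added example, not Symantec tooling: scripts the three "Content not updated"
# checks (service, network, logs) plus the log4j DEBUG toggle. Paths, the
# `status` command and the log4j line come from the page; the log patterns,
# the https_proxy handling and the GIN_LIVE switch are assumptions.
SIM_LOGS=/opt/Symantec/simserver/logs
DIM_PROPS=/opt/Symantec/simserver/dim/log4j.properties
FEED_URL=https://deepsightinfo.symantec.com/DataFeeds2/DataFeed.asmx

# dimserver_state STATUS_OUTPUT: print the STATUS column of the dimserver row
# from saved `status` output ("UP" when healthy), or MISSING if there is no row.
dimserver_state() {
    awk 'NR == 1 { for (i = 1; i <= NF; i++) col[$i] = i; next }
         $1 == "dimserver" { print $col["STATUS"]; found = 1 }
         END { if (!found) print "MISSING" }' "$1"
}

# scan_log LOGFILE: count Java exceptions and proxy-authentication failures
# (HTTP 407); prints "exceptions=N proxy_auth=M". The two patterns are an assumed
# shape of the "java exception" and "proxy authentication" errors the page mentions.
scan_log() {
    exc=$(grep -c 'Exception' "$1" || true)
    proxy=$(grep -c -i -E 'code: 407|proxy authentication required' "$1" || true)
    echo "exceptions=$exc proxy_auth=$proxy"
}

# enable_dim_debug PROPS_FILE: uncomment the DEBUG line exactly as the page
# describes. Idempotent: a second run changes nothing and still reports success.
enable_dim_debug() {
    sed -i 's/^#\(log4j\.logger\.com\.symantec\.dim=DEBUG\)$/\1/' "$1"
    grep -q '^log4j\.logger\.com\.symantec\.dim=DEBUG$' "$1"
}

# disable_dim_debug PROPS_FILE: put the # back once the logs have been collected.
disable_dim_debug() {
    sed -i 's/^\(log4j\.logger\.com\.symantec\.dim=DEBUG\)$/#\1/' "$1"
}

# live_checks: the real run, as root on the appliance (GIN_LIVE=1 sh gin-check.sh).
# wget reads the proxy from the https_proxy environment variable, so export it
# first if the WEBUI proxy settings are in use.
live_checks() {
    status > /tmp/gin-status.txt
    echo "dimserver: $(dimserver_state /tmp/gin-status.txt)"
    nslookup deepsightinfo.symantec.com
    if [ -n "${https_proxy:-}" ]; then echo "using proxy ${https_proxy}"; fi
    wget -O /dev/null "$FEED_URL" || echo "HTTPS fetch failed: check proxy and outbound 443"
    for f in deepsightservlet.log dimserver.log; do
        echo "$f: $(scan_log "$SIM_LOGS/$f")"
    done
}

# Constructed samples (not from a real appliance), shaped like the outputs quoted
# on this page, so the parsers can be exercised offline.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/status-up.txt" <<'EOF'
NAME       PID   PORT   UPTIME   MAXUPTIME #START STATUS EXIT
dimserver  5512  55560  6d06:56  6d06:56   1      UP     0
EOF
cat > "$SAMPLE_DIR/status-down.txt" <<'EOF'
NAME       PID   PORT   UPTIME   MAXUPTIME #START STATUS EXIT
dimserver  -     55560  0d00:00  6d06:56   2      DOWN   1
EOF
cat > "$SAMPLE_DIR/dimserver.log" <<'EOF'
2011-03-01 15:18:39 INFO  com.symantec.dim Fetching DataFeed
2011-03-01 15:18:40 ERROR com.symantec.dim HTTP/1.1 407 Proxy Authentication Required
2011-03-01 15:18:40 ERROR com.symantec.dim java.io.IOException: Server returned HTTP response code: 407
EOF
printf '%s\n' '#log4j.logger.com.symantec.dim=DEBUG' > "$SAMPLE_DIR/log4j.properties"

echo "sample dimserver: $(dimserver_state "$SAMPLE_DIR/status-up.txt")"
echo "sample log: $(scan_log "$SAMPLE_DIR/dimserver.log")"
if [ "${GIN_LIVE:-0}" = 1 ]; then live_checks; fi
```

Without GIN_LIVE=1 the script only runs the parsers over its constructed samples, which is the mode to use on a workstation; on the appliance, run it as root with GIN_LIVE=1 and the proxy variable exported when the WEBUI proxy settings are in use. A non-zero proxy_auth count in dimserver.log points at the proxy credentials rather than at the GIN service.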
IP Watch List specific issues
Customer complains that a “good” IP is on the list
Once you have double-checked that the customer has all their GIN content and parameters correct:
1. Get the IP address that is reported.
2. Get the list it is on (when you hover the mouse over the red IP, a list name such as “Bot Net” is
displayed).
The next stage is to verify in your lab whether this IP is also on your watch list.
Important: Very often an incident will be created and the “Target IP” or “Source IP” won’t be displayed
in red any more. This means the Watch List was refreshed and the IP removed.
Typically you can use multiple collectors to replay a crafted event that contains the IP. If you use a
Microsoft IIS collector, you can take a line of a typical event, replace the Source or Destination IP by
the one the customer gave you, and replay that line; the correlation rule will then trigger.
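The crafting step above, as an added example (not a Symantec tool and not code from the original page): it swaps one IP column of an IIS W3C extended log so the customer's address lands in either the source (c-ip) or destination (s-ip) position. The column names are the standard IIS W3C field names; the sample log and the 203.0.113.7 test address are constructed for this example. How the resulting line is fed back into the collector is not covered here.

```shell
#!/bin/sh
# Added example, not Symantec tooling: builds the crafted IIS event by swapping one
# IP column of a W3C extended log. Field names are the standard IIS W3C ones; the
# sample log and the 203.0.113.7 address are constructed for this example.

# craft_iis_event LOGFILE FIELD NEWIP: copy LOGFILE to stdout with FIELD (c-ip for
# the client/source address, s-ip for the server/destination address) replaced by
# NEWIP on every data line. The #Fields: directive is used to locate the column;
# directive lines pass through unchanged so the collector still parses the file.
# If FIELD is not in the header, data lines are copied unchanged.
craft_iis_event() {
    awk -v want="$2" -v ip="$3" '
        /^#Fields:/ { col = 0
                      for (i = 2; i <= NF; i++) if ($i == want) col = i - 1
                      print; next }
        /^#/        { print; next }
        col         { $col = ip }
                    { print }' "$1"
}

# Constructed IIS 6 W3C log (not a real capture).
IIS_SAMPLE=$(mktemp)
cat > "$IIS_SAMPLE" <<'EOF'
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2011-03-01 15:18:39 10.0.0.5 GET /index.htm - 80 - 10.0.0.99 Mozilla/4.0 200 0 0
EOF

# Source-IP variant: the customer-reported address becomes c-ip.
craft_iis_event "$IIS_SAMPLE" c-ip 203.0.113.7
# Destination-IP variant: the same address as s-ip.
craft_iis_event "$IIS_SAMPLE" s-ip 203.0.113.7
```

Redirect the output to a new file and replay that file through the IIS collector in the lab; produce both the c-ip and the s-ip variant, since the page notes that either the “Source IP” or the “Target IP” can be the one matched against the watch list.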
What to do next?
One recommended step, if the customer's events trigger the “Bot Net” list a lot, is to reduce the number
of IP addresses collected. By default it is 300; reducing it to 100 should collect fewer false-positive candidates.