IBM Support

Realtime alert might report un-correlated DB User on MS SQL Server

Question & Answer


Question

We saw a case where our realtime alert fired as expected, but the report (the alert e-mail, syslog message, or Policy Violations report) showed the wrong DB user name. Why does this happen, and how can we resolve it?

Cause

This can happen with V10.0 or older Windows S-TAP, because of how the collector side is architected. A few points of background are needed to understand the behavior.

    1. Windows S-TAP (before V10.1) sends the original MS SQL Server traffic to the collector. If that traffic is encrypted, S-TAP also attempts to recover the unencrypted content and sends it to the collector separately once it has done so.

    2. When the collector receives traffic from S-TAP, it parses it and stores it in the internal database according to the installed policy. The encrypted traffic is stored as well. Once the collector receives the unencrypted data, the sniffer component correlates it with the encrypted session information on the fly, in memory, and applies the policy using the unencrypted data, such as the DB user name (if it is present in the unencrypted data).

    3. The Guardium report system reads the internal database. A separate batch process correlates the unencrypted data with the encrypted session information and updates the internal tables periodically.

There is latency between the sniffer's in-memory correlation and the batch job's correlation that updates the internal tables. This is why you can see an uncorrelated DB user name in your report even though the sniffer fired the alert action based on the correct (unencrypted) data: the alert e-mail or syslog message is generated from the internal tables, which the batch job has not yet updated at that moment.

Note that if you view the report in the GUI, the data (for example, DB User) is updated when you refresh the window after the batch correlation job has finished. An e-mail or syslog message, however, cannot be corrected afterward, because it has already been sent or written.

So this is expected behavior if you are using V10.0 or older Windows S-TAP.

Answer

V10.1 Windows S-TAP introduced a new feature called the 'SSL Data Correlation Driver'. It analyzes the traffic, retrieves the unencrypted information, and sends only the unencrypted information to the target collector. The latency issue therefore no longer occurs, because the collector no longer needs to correlate unencrypted data with the original encrypted data. Upgrading the Windows S-TAP to V10.1 or later resolves the problem.
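To make the race in the Cause and Answer sections concrete, here is an added toy model of the collector pipeline. It is example code written for this page, not Guardium code; the class and function names, the "?" placeholder for an uncorrelated user, the "sa" alert policy and the SQL text are all invented for illustration. It models a collector that, with an old S-TAP, receives an encrypted session record first and the decrypted payload later, correlates in memory to fire the alert, and only updates the stored row when the batch job runs; with the V10.1 driver behaviour only the decrypted record arrives, so the stored row is correct from the start.

```python
"""Toy model of the collector-side race described above (illustrative only,
not Guardium code). Names and values are invented for the example."""
from dataclasses import dataclass, field

UNCORRELATED = "?"  # placeholder shown for a session whose user is not yet known


@dataclass
class SessionRow:
    """One row of the (hypothetical) internal session table the reports read."""
    session_id: int
    db_user: str
    sql: str = ""


@dataclass
class Collector:
    watched_user: str                                # policy: alert on this DB user
    rows: dict = field(default_factory=dict)         # internal database
    pending: dict = field(default_factory=dict)      # decrypted data awaiting batch
    alerts: list = field(default_factory=list)       # alert e-mails / syslog lines

    def receive_encrypted(self, session_id: int) -> None:
        # Pre-V10.1 S-TAP: the original encrypted traffic arrives first and is
        # stored without a DB user, because that field is still encrypted.
        self.rows[session_id] = SessionRow(session_id, UNCORRELATED)

    def receive_decrypted(self, session_id: int, db_user: str, sql: str) -> None:
        if session_id in self.rows:
            # Old path: the sniffer correlates in memory right away, but the
            # stored row is left for the periodic batch job to update.
            self.pending[session_id] = (db_user, sql)
        else:
            # V10.1 SSL Data Correlation Driver path: only decrypted data is
            # sent, so the row is stored already correlated.
            self.rows[session_id] = SessionRow(session_id, db_user, sql)
        # Policy is evaluated on the decrypted user either way, so the alert
        # fires correctly; its text, however, is rendered from the stored row.
        if db_user == self.watched_user:
            self.alerts.append(
                f"ALERT session={session_id} user={self.report_user(session_id)}"
            )

    def run_batch_correlation(self) -> None:
        # Periodic job: copy decrypted data into the stored session rows.
        for session_id, (db_user, sql) in self.pending.items():
            self.rows[session_id].db_user = db_user
            self.rows[session_id].sql = sql
        self.pending.clear()

    def report_user(self, session_id: int) -> str:
        # What the Policy Violations report (or the GUI) shows for the session.
        return self.rows[session_id].db_user


def simulate(old_stap: bool) -> tuple:
    """Return (alert text, report user before batch, report user after batch)."""
    collector = Collector(watched_user="sa")
    if old_stap:
        collector.receive_encrypted(1)  # encrypted session record seen first
    collector.receive_decrypted(1, "sa", "SELECT * FROM payroll")  # constructed input
    alert = collector.alerts[-1]
    before = collector.report_user(1)
    collector.run_batch_correlation()
    after = collector.report_user(1)
    return alert, before, after


if __name__ == "__main__":
    print("V10.0 or older S-TAP:", simulate(old_stap=True))
    print("V10.1 driver:        ", simulate(old_stap=False))
```

The only difference between the two runs is whether an encrypted session record reaches the collector before the decrypted one, which is exactly what the V10.1 driver removes. The same split explains the GUI note above: `report_user` returns the corrected value once `run_batch_correlation` has run, but the string already appended to `alerts` (the e-mail or syslog line) cannot change.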

Product: IBM Security Guardium
Platform: Windows
Version: 10.0; 10.0.1; 9.5
Line of Business: Security Software

Document Information

Modified date:
16 June 2018

UID

swg21993325