Contact Information
Go to the RSA corporate web site for regional Customer Support telephone and fax numbers: www.rsa.com

Trademarks
RSA, the RSA Logo and EMC are either registered trademarks or trademarks of EMC Corporation in the United States and/or other countries. All other trademarks used herein are the property of their respective owners. For a list of RSA trademarks, go to www.rsa.com/legal/trademarks_list.pdf.

License agreement
This software and the associated documentation are proprietary and confidential to EMC, are furnished under license, and may be used and copied only in accordance with the terms of such license and with the inclusion of the copyright notice below. This software and the documentation, and any copies thereof, may not be provided or otherwise made available to any other person. No title to or ownership of the software or documentation or any intellectual property rights thereto is hereby transferred. Any unauthorized use or reproduction of this software and the documentation may be subject to civil and/or criminal liability. This software is subject to change without notice and should not be construed as a commitment by EMC.

Note on encryption technologies
This product may contain encryption technology. Many countries prohibit or restrict the use, import, or export of encryption technologies, and current use, import, and export regulations should be followed when using, importing or exporting this product.

Distribution
Use, copying, and distribution of any EMC software described in this publication requires an applicable software license. EMC believes the information in this publication is accurate as of its publication date. The information is subject to change without notice.

THE INFORMATION IN THIS PUBLICATION IS PROVIDED "AS IS." EMC CORPORATION MAKES NO REPRESENTATIONS OR WARRANTIES OF ANY KIND WITH RESPECT TO THE INFORMATION IN THIS PUBLICATION, AND SPECIFICALLY DISCLAIMS IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Copyright 2010 EMC Corporation. All Rights Reserved. July 30, 2010
Contents

About Correlation Rules ... 6
Mapping of NIC Rules to CRL Rules ... 7
Correlated Rules to Event Source Mapping ... 9
CRL-00002-01 ... 24
CRL-00003-01 ... 27
CRL-00003-01.02 ... 30
CRL-00005-1.10 ... 32
CRL-00007-1.10 ... 34
CRL-00008 ... 36
CRL-00010-1.00 ... 38
CRL-00011-01 ... 40
CRL-00011-1.00 ... 43
CRL-00012 ... 44
CRL-00013 ... 46
CRL-00013-01 ... 48
CRL-00013-02 ... 50
CRL-00013-04 ... 52
CRL-00013-05 ... 54
CRL-00013-06 ... 56
CRL-00014 ... 58
CRL-00016 ... 60
CRL-00023 ... 62
CRL-00023-01 ... 64
CRL-00023-02 ... 65
CRL-00036 ... 66
CRL-00037 ... 67
CRL-00037-01 ... 69
CRL-00040-1.0 ... 71
CRL-00044 ... 73
CRL-00101 ... 74
CRL-00102 ... 75
CRL-00103 ... 77
CRL-00105 ... 79
CRL-00106 ... 81
CRL-00107 ... 82
CRL-00108 ... 83
CRL-00109 ... 84
CRL-00110 Rule Set ... 85
CRL-00111 ... 88
CRL-00112 ... 89
CRL-00115 ... 90
CRL-00116 Rule Set ... 92
CRL-00117 ... 94
CRL-00118 ... 95
CRL-00119 ... 97
CRL-00120 ... 98
CRL-00121 ... 99
CRL-00122 ... 102
CRL-00123 ... 103
CRL-00124 ... 104
CRL-00125-01 ... 105
CRL-00125-02 ... 109
CRL-00126 ... 115
CRL-00127 ... 116
CRL-00136 ... 117
CRL-00137 ... 119
CRL-00139 ... 121
CRL-00140 ... 123
CRL-00141 ... 124
CRL-00143 ... 125
CRL-00147 ... 127
CRL-00148 ... 128
CRL-00149 ... 129
CRL-00151 ... 130
CRL-00153 ... 131
CRL-00154 ... 132
CRL-00155 ... 133
CRL-00156 ... 134
CRL-00157 ... 135
CRL-00158 ... 136
CRL-00159 ... 137
CRL-00160 ... 138
CRL-00161 ... 139
CRL-00162 ... 140
CRL-00163 ... 142
CRL-00190 ... 143
CRL-00191 ... 146
CRL-00192-01 ... 149
CRL-00192-02 ... 152
CRL-00193 ... 155
CRL-00193-01 ... 156
CRL-00193-02 ... 156
CRL-00193-03 ... 156
CRL-00193-01 ... 157
CRL-194 ... 161
CRL-00195 ... 164
CRL-00196 ... 168
CRL-00197 ... 171
CRL-00198 Rule Pack ... 174
CRL-00199 ... 176
CRL-00200 ... 178
CRL-00201 ... 181
Mapping of NIC Rules to CRL Rules

NIC Rule: NIC023, NIC027, NIC040_CPFW, NIC040_PIXFW, NIC044, NIC_SUSPICIOUS_WORM_ACTIVITY

CRL Rule: CRL-00002-01, CRL-0003-1.02, CRL-00003-01, CRL-00005-1.10, CRL-00005-1.10, CRL-00007-1.10, CRL-00008, CRL-00005-1.10, CRL-00010-1.00, CRL-00011-1.00, CRL-00012, CRL-00016, CRL-00023, CRL-00023-01, CRL-00023-02, CRL-00013, CRL-00013-01, CRL-00013-02, CRL-00014, CRL-00103, CRL-00036, CRL-00037, CRL-00037-01, CRL-00040-1.0, CRL-00044, CRL-00102
Correlated Rules to Event Source Mapping

CRL-00002-01: Excessive Inbound Connections Denied by Firewalls
Summary: This rule detects excessive denied inbound connections across a firewall. The rule can be used to determine the host machines of potential intruders.
Supported Event Sources: Firewall: Cisco PIX, CheckPoint

CRL-00003-01: Port Scan Detected by a Device
Summary: This rule monitors a variety of classes for specific port scan events that event sources detect. Port scan events can be the precursor to an actual attack as they are commonly used to probe for open ports on any IP address.
Supported Event Sources: IDS: Entercept, Dragon IDS, NFR IDS, Snort, Symantec Network Security, ISS RealSecure, Cisco Secure IDS, IntruShield; IPS: Mazu Profiler; Firewall: Juniper Networks NetScreen Firewall, CyberGuard Classic, SonicwallFW, Symantec Enterprise Firewall, Cisco PIX Firewall, Cisco ASA

CRL-0003-1.02: Port Scan Detected
Summary: This rule inspects all traffic reported by firewalls for a single source trying to create connections on 20 ports within a given time frame. The correlation can identify potentially malicious sources as a port scan is typically used before an attack.
Supported Event Sources: All Firewall event sources

CRL-00005-1.10: Log Source Not Restarted After Reboot/Restart Command Issued Within 10 Minutes
Summary: This rule detects if an event source on the network does not restart after being rebooted. This rule can minimize downtime by quickly identifying event sources that need attention.
Supported Event Sources: All Windows Host, Mainframe, Unix, Router, and Switch event sources

CRL-00007-1.10: Log Source Component Under Sustained High Temperature Conditions over the Past 10 Minutes
Summary: This rule detects that a log source or monitored event source experienced sustained high temperature conditions against its internal components. The rule inspects the temperature events generated by event sources in the enterprise environment.
Supported Event Sources: Router: Cisco Router, Nortel; Switch: Foundry Switch; Firewall: IOS Firewall, Juniper Networks NetScreen Firewall; Storage: Network Appliance Data ONTAP

CRL-00008: Active SYNFlood Attack Detected by IDS-IPS or Firewall Devices
Summary: This rule filters the SYNFlood events detected by security event sources in an enterprise environment.
Supported Event Sources: IDS: Dragon IDS, ISS RealSecure, Cisco Secure IDS XML, Snort, Lancope StealthWatch, NFR NIDS; Firewall: Secure Computing Sidewinder G2, CyberGuard Classic, Juniper Networks NetScreen Firewall, SonicwallFW; Router: Cisco Router/IOS Firewall

CRL-00010-1.00
Summary: This rule inspects all failed logon events to known security event sources and monitors access attempts to the security event sources that monitor the network.
Supported Event Sources: All event sources

CRL-00011-01: Possible Successful Brute Force Attack Detected
Summary: This rule detects a brute force password attack against an event source. The rule correlates a number of failed logons with a successful logon to a specific account.
Supported Event Sources: All NIC System, Windows Hosts, Access Control, Firewall, IDS, IPS, and VPN event sources

CRL-00011-1.00: Several Failed Logins Followed by a Successful Login
Summary: This rule examines the failed and successful logon attempts detected by firewall class event sources for indications of password-based attacks.
Supported Event Sources: All Firewall event sources

CRL-00012: Attacks Exploiting Microsoft Directory Service Vulnerability Detected by IPS-IDS Devices
Summary: This rule filters events from IDS and IPS event sources and detects an attack that exploits the Microsoft Directory Service product.
Supported Event Sources: All IPS and IDS event sources

CRL-00013: Unusual Number of Failed User Login Attempts via Remote Connections to the Same Event Destination
Summary: This rule detects any failed logon event and determines if the logon attempt was from a remote location. This correlation could indicate a brute force attack on an internal asset from a remote location.
Supported Event Sources: All NIC: All discovered event sources in the current environment, with a special emphasis on Windows events

CRL-00013-01: Numerous Failed User Login Attempts Locally to the Same Event Source
Summary: This rule detects any failed logon event that occurs on a local machine and checks the frequency of such events against the normal baseline for the entire network. This correlation could indicate a brute force attack on an internal asset.
Supported Event Sources: All NIC: All discovered event sources in the current environment, with a special emphasis on Windows events

CRL-00013-02: Numerous Failed Service Account Login Attempts to the Same Event Source
Summary: This rule detects any type of failed logon event that occurs on a local machine and checks the frequency of such events against the normal baseline of the entire network. This correlation could indicate that a service is incorrectly configured.
Supported Event Sources: All NIC: All discovered event sources in the current environment, with a special emphasis on Windows events

CRL-00013-04: Increase in Failed Remote Login Attempts Detected
Summary: This rule detects numerous failed logons using remote protocols such as SSH/SCP, HTTP, Telnet, or Remote Desktop.
Supported Event Sources: Hosts: Windows Events (BL, ER, NIC, Snare); All Unix, Firewall, IDS, IPS, VPN, Switch, Router, and Storage event sources

CRL-00013-05: Increase in Failed Interactive User Logins Detected
Summary: This rule detects numerous interactive failed logons to an event source.
Supported Event Sources: Hosts: Windows Events (BL, ER, NIC, Snare); All Unix, Firewall, IDS, IPS, VPN, Switch, Router, Storage, Database, Access Control, Wireless Devices, System, Configuration Management, Web Logs, Mail Servers, Mainframe, and Application Servers event sources; Midrange: IBM iSeries AS/400

CRL-00013-06
Summary: This rule detects numerous failed logons to an event source.
Supported Event Sources: Hosts: Windows Events (BL, ER, NIC, Snare); All Unix, Firewall, IDS, IPS, VPN, Switch, Router, Storage, Database, Access Control, Wireless Devices, System, Configuration Management, Web Logs, Mail Servers, Mainframe, and Application Servers event sources; Midrange: IBM iSeries AS/400

CRL-00014: Low-Privileged or Guest Account Added to Administrative Group
Summary: This rule inspects events from any event source for users being added to a group. The user name and group name are then checked against two watchlists to determine whether the user is an administrator and whether the group has administrative privileges. The addition of a user who is not an administrator to a group with administrative privileges may indicate malicious privilege escalation activity.

CRL-00016: Attacks Exploiting HTTP Cold Fusion Vulnerabilities Detected by IDS or IPS Devices
Summary: This rule monitors events from specific IDS or IPS event sources and detects a burst of attacks that exploit the vulnerabilities in HTTP Cold Fusion products.
Supported Event Sources: IDS: Dragon IDS, ISS RealSecure, Entercept, Snort, IntruShield, Cisco Secure IDS XML, Cisco Secure IDS

CRL-00023: Event Source No Longer Sending Events
Summary: This rule detects when an event source stops sending log messages, indicating incorrectly configured hardware or software, or a hardware or software failure.
Supported Event Sources:
  Hosts: Windows Events (ER, NIC, Snare)
  Unix: IBM AIX, Hewlett-Packard UNIX, Apple Mac OSX, Nokia IPSO, Linux, Solaris, Solaris BSM
  Firewall: Cisco ASA, Cisco PIX, CyberGuard Classic Firewall, CyberGuard Firewall, Fortinet FortiGate Antivirus Firewall, Secure Computing Sidewinder G2 Security Appliance, SonicWALL Firewall, Symantec Enterprise, Check Point Security Suite NG/NGX
  IDS: Cisco Security Agent, McAfee IntruShield, NFR NIDS, SNORT, Lancope StealthWatch, Symantec Intruder Alert, Symantec Network Security, TippingPoint Security Management System (SMS), McAfee Host Intrusion Prevention, Cisco Secure Intrusion Detection/Prevention System, Enterasys Dragon, IBM ISS SiteProtector
  IPS: Arbor Networks Peakflow SP5, Mazu Networks Profiler, Top Layer Attack Mitigator IPS
  VPN: Cisco VPN 3000 Concentrator, F5 Firepass SSLVPN, Intel NetStructure VPN, Nortel Networks Contivity VPN Switch, SonicWall E-Class SRA Aventail SSLVPN
  Switch: F5 BigIP, Cisco Content Services Switch, Cisco Switch, Extreme Networks ExtremeWare Switch, Foundry Networks Switch, Hewlett-Packard ProCurve Switch
  Router: Nortel Passport 8600 Routing Switch, Cisco Router
  Storage: EMC Celerra, Network Appliance Data ONTAP, EMC Symmetrix Solutions Enabler
  Database: IBM DB2 Universal Database, Microsoft SQL Server, Oracle Database, Sybase Adaptive Server Enterprise
  Access Control: Novell eDirectory, NetContinuum Web Application Firewall, Top Layer Secure Edge Controller, ActivIdentity 4TRESS AAA Server, Cisco Secure Access Control Server, Microsoft Internet Authentication Service, RSA Access Manager, RSA Authentication Manager and User Credential Manager
  Wireless Devices: Motorola AirDefense Enterprise Console, AirMagnet Enterprise, Aruba Networks Mobility Controller
  Configuration Management: Solsoft NP, Microsoft System Center Operations Manager 2007, Tripwire Enterprise
  Web Logs: Websense Web Security Suite, Apache HTTP Server, Blue Coat System CacheOS, Cisco Content Engine, IBM Websphere Application Server, Microsoft Internet Information Services, Microsoft Internet Security and Acceleration Server, Network Appliance NetCache
  Mail Servers: Lotus Domino, Microsoft Exchange Server
  Mainframe: IBM OS390/ZOS (Mainframe SMA_RT), IBM Mainframe RACF, IBM Mainframe Top Secret, CA ACF2
  Midrange: IBM iSeries AS/400
  Application Servers: Microsoft Dynamic Host Configuration Protocol Server
  Network: Avocent IP KVM, Cisco Security Manager
  Antivirus: CipherTrust IronMail, Symantec Endpoint Protection, Trend Micro OfficeScan and Control Manager, McAfee ePolicy Orchestrator, McAfee VirusScan Enterprise

CRL-00023-01: Event Source Inactive for the Past 4 Hours
Summary: This rule detects if any event source has stopped sending event data in the past four hours.
Supported Event Sources: All NIC: All discovered event sources in the current environment

CRL-00023-02: Event Source Inactive for the Past 24 Hours
Summary: This rule detects if any event source has stopped sending event data in the past twenty-four hours.
Supported Event Sources: All NIC: All discovered event sources in the current environment

CRL-00036: High Number of DoS Attack Alerts
Summary: This rule examines denial of service (DoS) attack alerts to determine if an active attack on the network is occurring. The rule inspects the events detected by the IDS, IPS, and Firewall device classes in an enterprise environment.
Supported Event Sources: All IDS, IPS, and Firewall event sources

CRL-00037: Backdoor-type Activity Originating From External Networks Detected
Summary: This rule examines attack alerts for backdoor activities in the network by an attacker in the external network. The rule inspects the events detected by the IDS, IPS, and Firewall device classes in an enterprise environment.
Supported Event Sources: All IDS, IPS, and Firewall event sources

CRL-00037-01: Backdoor-type Activity Observed Within Internal Networks
Summary: This rule examines attack alerts for backdoor activities in the network by an attacker in the internal network. The rule inspects the events detected by the IDS, IPS, and Firewall device classes in an enterprise environment.
Supported Event Sources: All IDS, IPS, and Firewall event sources

CRL-00040-1.0: Increase in Inter-Zone Remote Management Connections
Summary: This rule detects a significant increase in the number of remote management connections. This activity may indicate a malicious user probing different ports to map the network.
Supported Event Sources: All Firewall event sources

CRL-00044: Excessive Inbound Connections Denied from a Single IP Address
Summary: This rule inspects the firewall for denied connections that have been labeled as an inbound connection across a firewall or router. The rule helps find potential hostile hosts and users trying to access resources on the other side of a firewall or router.
Supported Event Sources: All Firewall and Router event sources

CRL-00101: Large Number of Attack Events from Internal IP Addresses Detected by IDS Devices
Summary: This rule detects attacks occurring from an internal IP address and terminating at an internal IP address. This activity could indicate that an internal attack is occurring or an internal address is being spoofed.
Supported Event Sources: All IDS event sources

CRL-00102: Worm Activity Originating on the Internal Network
Summary: This rule detects worm activity occurring on the internal network of an enterprise.
Supported Event Sources: All IDS, IPS, and Firewall event sources

CRL-00103: Elevation of User Privileges Detected on a Log Source
Summary: This rule detects events that involve the addition of users to groups. The user name and group name are checked against two watchlists containing the known administrators and the groups with administrative privileges assigned to them. The addition of a user who is not an administrator to a group with administrative privileges may indicate malicious intent.
Supported Event Sources: All NIC: All discovered event sources in the current environment

CRL-00105: Successful Backdoor Attack
Summary: This rule detects successful backdoor attacks. A successful attack is indicated by a backdoor attack intercepted by security event sources, followed by a connection between the attacker and the destination of the attack.

CRL-00106: Successful Denial of Service Attack
Summary: This rule detects successful denial of service (DoS) attacks. A successful attack is indicated by a DoS attack intercepted by security event sources, followed by a system failure event from the destination of the attack.

CRL-00107: Possible Tampering of System Audit / Logs Detected
Summary: This rule detects if a log system has been enabled or disabled, or has encountered some type of error. The rule also detects if logs have been deleted on some systems.
Supported Event Sources: Windows: Windows Events (BL, ER, NIC, Snare); IDS: ISS RealSecure; Web Logs: Cisco Content Engine; Router: Cisco Router/IOS Firewall, Juniper JUNOS Router; Switch: Cisco Switch; Firewall: Juniper Networks NetScreen Firewall; Unix: Solaris, IBM AIX; VPN: Juniper SSL VPN

CRL-00108
Summary: This rule detects if ARP poisoning is occurring on the network. ARP poisoning can lead to denial of service and can compromise information.
Supported Event Sources: IDS: Intrushield, Symantec Network Security, Cisco Secure IDS, Cisco Secure IDS XML; Switch: ExtremeWare, Cisco Content Switch, Cisco Switch; Firewall: Juniper Networks NetScreen Firewall, Cisco ASA, Cisco PIX Firewall, SonicWALL-FW, Symantec Enterprise Firewall; Configuration Management: Netscreen Security Manager; Unix: Nokia IPSO, Apple Mac OS X; VPN: Nortel VPN Contivity; Router: Cisco Router/IOS Firewall

CRL-00109: Windows Service State Change
Summary: This rule detects if a Windows service has been stopped, started, or restarted. The rule also detects if the startup behavior of a service has been modified.
Supported Event Sources: Windows Hosts: Windows Events (BL, ER, NIC, Snare)

CRL-00110: Detection of ClearText Confidential Information using RSA enVision Correlation
Summary: This correlation rule set assists in the identification of patterns of information in clear text within the payload of events that may be confidential. The rule set is a collection of the rules CRL-00110-DB, CRL-00110-Hosts, CRL-00110-File Integrity, CRL-00110-Email, CRL-00110-Web, and CRL-00110-IDS.
Supported Event Sources: All Windows Hosts, Unix, Database, Configuration Management, Mail Servers, Web Logs, IDS, and IPS event sources

CRL-00111
Summary: This rule detects possible network spoofing activity by inspecting the events reported by event sources that are associated with spoofing.
Supported Event Sources: All Switch, Router, Firewall, Windows Hosts, Wireless Devices, and Unix event sources

CRL-00112: Removable Storage Removed from a Windows Event Source
Summary: This rule monitors Windows events involving USB storage.
Supported Event Sources: Windows Hosts: All Windows Hosts event sources

CRL-00115: Attacks Exploiting Vulnerabilities in SANS TOP-20 2007 Observed
Summary: This rule monitors events from IDS and IPS event sources to detect attacks that exploit the vulnerabilities in the SANS TOP-20 2007 list.
Supported Event Sources: IDS: Dragon IDS, ISS RealSecure, Tipping Point, Snort, Cisco Secure IDS XML; IPS: NetScreen IDP

CRL-00116: BotNet Detection Rule Pack
Summary: This rule set detects machines that may be part of a BotNet inside your network.
Supported Event Sources: All NIC: All discovered event sources in the current environment

CRL-00117: Log Collection Stopped due to Filled Disk Capacity
Summary: This rule monitors an RSA enVision system to detect if log collection has stopped due to filled disk capacity. This rule inspects specific messages that the enVision system generates regarding log collection and disk capacity.
Supported Event Sources: All NIC: All discovered event sources in the current environment

CRL-00118: Disk Array Capacity Approaching Threshold
Summary: This rule examines several specific message IDs to determine if an event source or system is approaching maximum disk capacity.
Supported Event Sources: System: All NIC system event sources; Windows Hosts: Windows Events (BL, ER, NIC, Snare); Database: Microsoft SQL Server; Unix: Nokia IPSO; Firewall: Fortinet Antivirus Firewall, CyberGuard Classic; Mail Servers: Microsoft Exchange; Web Logs: Cisco Content Engine; Antivirus: McAfee ePolicy Orchestrator, CipherTrust IronMail, McAfee Virus Scan; Storage: Network Appliance Data ONTAP; VPN: Nortel VPN Contivity; Router: Cisco Router/IOS Firewall

CRL-00119: Password Change on a Known Privileged User Account Detected
Summary: This rule detects password changes to known privileged user accounts. Unauthorized password changes to these accounts can have a significant impact on network functionality and data integrity or confidentiality.
Supported Event Sources: Windows Hosts: Windows Events (BL, ER, NIC, Snare); Unix: IBM AIX, HPUX/FreeBSD, Linux; VPN: Aventail SSL VPN, Cisco VPN 3000, Juniper SSL VPN, Nortel VPN Contivity; All NIC: NIC System; Database: Sybase ASE, Microsoft SQL Server, Oracle; Configuration Management: Tripwire Enterprise; Firewall: Juniper Networks NetScreen Firewall

CRL-00120: Revocation of User Privileges Detected
Summary: This rule inspects events from a selection of common event sources used within a network for revocation of user permissions. The rule detects removal of users from user groups or changes to the user level of users within the system.
Supported Event Sources: Windows Hosts: All Windows Hosts event sources; Unix: All Unix event sources; Firewall: All Firewall event sources; IDS: ISS RealSecure; Configuration Management: Solsoft NP

CRL-00121: Unusual Number of Failed Vendor User Login Attempts
Summary: This rule detects an increase in failed logon attempts using a vendor default account. Such attempts could indicate a brute force attempt to break into event sources from malicious locations. This alert is important for PCI-compliant organizations.
Supported Event Sources: Hosts: Windows Events (BL, ER, NIC, Snare); All Unix, Firewall, IDS, IPS, VPN, Switch, Router, Storage, Database, Access Control, Wireless Devices, System, Configuration Management, Web Logs, Mail Servers, Mainframe, and Application Servers event sources; Midrange: IBM iSeries AS/400

CRL-00122: Active Directory Schema Change Detected
Summary: This rule detects a change in the schema of a Microsoft Active Directory installation. An unauthorized change in the schema could indicate activity such as addition or deletion of users or modification of permissions. Such changes could indicate denial of service or unauthorized access to data.
Supported Event Sources: Windows Hosts: Windows Events (BL, ER, NIC, Snare)

CRL-00123: Possible Non-PCI Compliant Inbound Network Traffic Detected
Summary: This rule monitors inbound connections into secure event sources over non-compliant ports as specified by PCI compliance practices.
Supported Event Sources: All Router and Firewall event sources

CRL-00124: Failed Logins Exceeded 6 Login Attempts Without a Lockout Event
Summary: This rule detects failed logons. To be PCI-compliant, user accounts should be locked out after six failed logon attempts, depending on the capability of the monitored event source to lock out user accounts.
Supported Event Sources: IDS: Intrushield, Symantec Network Security, Cisco Secure IDS, Cisco Secure IDS XML; Switch: Extremeware, Cisco Content Switch, Cisco Switch; Firewall: Juniper Networks NetScreen Firewall, Cisco ASA, Cisco PIX Firewall, Sonicwall-FW, Symantec Enterprise Firewall; Configuration Management: Netscreen Security Manager; Unix: Nokia IPSO, Apple Mac OS X; VPN: Nortel VPN Contivity; Router: Cisco Router/IOS Firewall

CRL-00125-01: Configuration Change on Security Device Intercepted
Summary: This rule detects a change in a core security event source, such as an IDS, IPS, Firewall, or VPN event source. If unexpected, such changes can lead to reduced security, denial of service, or leaking of confidential information.
Supported Event Sources: All IDS, IPS, Firewall, and VPN event sources

CRL-00125-02: Configuration Change on Network Device Intercepted
Summary: This rule detects a change in a core network event source, such as a router or a switch. If unexpected, such changes can lead to denial of service or leaking of confidential information.
Supported Event Sources: All Router and Switch event sources

CRL-00126: Configuration Change made on PCI Database System
Summary: This rule detects a configuration change in a PCI-compliant database system. Configuration changes include data changes and permission changes. If unauthorized, these changes can result in compromised data integrity or data theft.
Supported Event Sources: All Database event sources

CRL-00127: New User Account Created but Initial Password Not Changed
Summary: This rule detects if the password of a newly created account is not changed after twenty-four hours. The longer these account passwords remain unchanged, the greater the chance of compromise, such as unauthorized access.
Supported Event Sources: All Windows Hosts and Unix/Linux event sources

CRL-00136
Summary: This rule detects if a system has become unstable. The rule inspects for conditions including:
- Multiple restarts, reboots, or shutdowns in a given time frame
- Creation of memory dump files on Windows and Linux systems
- Startup events not preceded by a shutdown or restart command
Supported Event Sources: All Windows Hosts, Router, Switch, VPN, Unix, and NIC event sources; Configuration Management: Tripwire Enterprise

CRL-00137: Unusual File Access Activity surrounding Important Event Source Files
Summary: This rule detects any unusual access of files or directories that are defined in a watchlist of files or directories that should not be accessed or should be accessed only by privileged users. Access includes traversing, opening, creating, modifying, and deleting files or directories.
Supported Event Sources: All Windows Hosts event sources, Tripwire Enterprise, All Configuration Management event sources

CRL-00139: Compliance: Successful Login Attempt(s) Using a Vendor Default Account Detected
Summary: This rule detects successful logon attempts using a vendor default account. This alert is important for PCI-compliant organizations. Successful logons from a vendor account can indicate a security breach in the account.
Supported Event Sources: All Windows Hosts, Unix, Firewall, IDS, IPS, VPN, Switch, Router, Storage, Database, Access Control, Wireless Devices, System, Configuration Management, Mail Servers, Mainframe, and Application Servers event sources; Midrange: IBM iSeries AS/400

CRL-00140: Increase in P2P Traffic Detected in the Environment Within the Past 5 Minutes
Summary: This rule detects an increase in peer-to-peer (P2P) traffic in the environment for the past five minutes. P2P traffic can slow down the network and allow users to download potentially harmful files without the administrator's knowledge. This rule can also be used to discover faults in or backdoors to the network configurations.
Supported Event Sources: All Router, Firewall, IDS, and IPS event sources

CRL-00141: P2P Software Running as Active Process on Event Source
Summary: This rule detects active P2P processes running on event sources inside an organization. P2P traffic can slow down the network and allow users to download potentially harmful files without the administrator's knowledge. This rule can be used to discover breaches of security policies in an environment.
Supported Event Sources: Windows Hosts: Windows Events (BL, ER, NIC, Snare)

CRL-00143: Increase in File Transfer Activity Using Instant Messaging Detected
Summary: This rule detects an increase in file transfer activity using Instant Messaging (IM) for the past five minutes. The rule can be used to discover faults in or backdoors to the network configurations as well as breach of policy related to file transfer within the network.
Supported Event Sources: All Router, Firewall, IDS, and IPS event sources

CRL-00147: Active Directory Policy Modified
Summary: This rule detects the modification of an Active Directory policy object. Such a modification can indicate a privilege escalation or loss of access and can result in unauthorized access or more serious compromises.
Supported Event Sources: Windows Hosts: Windows Events (BL, ER, NIC, Snare)

CRL-00148: Errors in Active Pulling of Events Detected
Summary: This rule detects that the Windows Agentless, ODBC, File Reader, or XML service has encountered errors while attempting to gather events from an event source in an enterprise environment. These types of errors may indicate system problems or failures of the event source.
Supported Event Sources: System: All NIC system event sources

CRL-00149: Errors Detected in SFTP Collection
Summary: This rule determines if the NIC SFTP Service has encountered errors gathering events from various event sources. An error in extracting events may indicate a system or network failure arising from any cause from misconfiguration to network attack.
Supported Event Sources: System: Tripwire Enterprise, RSA Security SecurID, Microsoft SQL Server, Microsoft ISA Server, Microsoft IIS, Microsoft Exchange Server, Juniper Steel-Belted Radius, Cisco Access Control Server

CRL-00151: Possible enVision Service Hang Detected
Summary: This rule detects if an enVision service has hung or crashed unexpectedly. Such an event may indicate a successful denial of service attack to an enVision resource.
Supported Event Sources: System: NIC Alerter, NIC Collector, NIC Locator, NIC Logger, NIC File Reader, NIC Packager, NIC SDEE Collection, NIC Server, NIC Web Server, NIC Windows Service, NIC DB Report Server

CRL-00153: Critical Alerting Error Detected
Summary: This rule detects if a critical alerting error occurred on enVision, which may indicate errors, such as database connection errors.
Supported Event Sources: Network System or NIC System: All System Alerts

CRL-00154: Critical Web Service Error Detected
Summary: This rule detects if a critical web service error has occurred on enVision.
Supported Event Sources: Network System or NIC System: All System Alerts

CRL-00155: EPS Warning - EPS Approaching License Limits
Summary: This rule detects increases in the number of incoming events to the RSA enVision platform that approach the EPS license limit. An increase may result from a newly added event source or a defective event source. An increase may also indicate that an attacker is trying to hide malicious activity inside an event flood.
Supported Event Sources: Network System or NIC System: All System Alerts

CRL-00156: EPS Critical Error, Event Drop has been Detected
Summary: This rule detects that the number of incoming events to RSA enVision has increased to the extent that enVision is dropping events and not collecting the events. An increase may result from a newly added event source or a defective event source. An increase may also indicate that an attacker is trying to hide malicious activity inside an event flood.
Supported Event Sources: Network System or NIC System: All System Alerts

CRL-00157: enVision Content Update Failure Detected
Summary: This rule detects if any error has occurred during the enVision content update process. Failure of an update can lower the level of accuracy of the messages generated by the system.
Supported Event Sources: Network System or NIC System: All System Alerts

CRL-00158: Errors Detected in enVision DB System
Summary: This rule detects errors that impact the enVision DB system. This rule detects errors from LSIndex, DBConfig, Packager, and ODBC components. These errors indicate that enVision is not fully functional, and, as a result, malicious events may go undetected.
Supported Event Sources: Network System or NIC System: All System Alerts

CRL-00159: Critical Error Detected in the NIC Packager Service
Summary: This rule detects a critical error condition within the Packager component.
Supported Event Sources: All NIC: All discovered event sources in the current environment

CRL-00160: Possible Network Performance Degradation Detected
Summary: This rule detects excessive network-related errors reported by Network and Security event sources, such as switches, routers, and firewalls, which can have a significant impact upon network performance.
Supported Event Sources: All Switch, Router, and Firewall event sources

CRL-00161: Possible Corruption of Event Data Stored within the IPDB
Summary: This rule detects a number of possible IPDB corruption events as reported by the RSA enVision system. These events could indicate data tampering or hardware issues on the appliance itself.
Supported Event Sources: Network System: All System Alerts

CRL-00162: Account Privilege Elevation Followed by Restoration of Previous Account State within a 26 Hour Period
Summary: This rule detects if a user has been added to and then removed from the same group within twenty-six hours. This activity could indicate that an account is being used for malicious activity against a network by elevating a user's privileges temporarily to perform the malicious activities.
Supported Event Sources: Hosts: Windows Events (BL, ER, NIC, Snare); Firewall: Cisco PIX Firewall, Cisco ASA

CRL-00163: RSA enVision Disk Warning
Summary: This rule detects conditions where the available log storage for RSA enVision reaches critical levels that threaten to shut down log collection or have already shut down log collection.
Supported Event Sources: NIC System: All System Alerts

CRL-00190: Potential Phishing Attack
Summary: This rule detects and alerts users of suspicious activity that strongly suggests that a fraudulent site is active.
Supported Event Sources: Web Logs: Apache HTTP Server, Microsoft Internet Information Services, Blue Coat Systems Security Gateway OS

CRL-00191: Potential Phishing Attack
Summary: This rule detects suspicious activities that could indicate that an active phishing site exists.
Supported Event Sources: Web Logs: Apache HTTP Server, Microsoft Internet Information Services, Blue Coat Systems Security Gateway OS

CRL-00192-01: Policy Access Violation
Summary: This rule detects improper use of IT systems by detecting logon activities associated with either sharing credentials or failing to properly log off of systems.
Supported Event Sources: Windows event logs: Aventail SSL VPN, Cisco VPN 3000, Citrix Access Gateway, F5 Firepass, Intel VPN, Juniper SSL VPN, Nortel VPN Contivity

CRL-00192-02: Policy Access Violation
Summary: This rule detects improper use of IT systems by detecting logon activities associated with either sharing credentials or failing to properly log off of systems.
Supported Event Sources: Windows event logs: Aventail SSL VPN, Cisco VPN 3000, Citrix Access Gateway, F5 Firepass, Intel VPN, Juniper SSL VPN, Nortel VPN Contivity

CRL-00193: Malware Drive-By Download
Summary: This rule sends an alert when malware is downloaded and installed in your environment. This rule set is made up of the following rules:
Supported Event Sources: Web Logs: CRL-00193-01: Blue Coat Systems Security Gateway OS; Web Logs: CRL-00193-02: Tripwire Enterprise
l l l
Web Logs: CRL-00193-03: Blue Coat Systems Security Gateway OS Web Logs: Blue Coat Systems ProxySG SGOS
This rule filters keywords from instant messaging sessions logged by a Blue Coat Proxy Security Gateway appliance. This rule detects anomalies or breach of adherence to internal trade-restrictive policies using internal instant messaging session logs. This rule detects malware downloads through search engine optimization (SEO) poisoning. This rule detects drive-by download attacks, in which a user is redirected to a malicious web site through a short URL.
Redirection to Malicious Web Sites Through a Short URL CRL-00197 This rule detects data that is compromised through Post Form redirection malware Post Form attacks. Redirection Malware CRL-00198 This rule detects an increase above the average number of Non Delivery Reports Backscatter sent by a mail server. CRL-00199 This rule detects if any violators caught snooping by FairWarning Privacy MonFairWarning itoring are also detected by RSA Data Loss Snooping Prevention Suite (DLP) to be involved in data leakage.
Web Logs: Blue Coat Systems ProxySG SGOS Mail Server: Microsoft Exchange Server
22
CRL CRL-00200 FairWarning Failed Logins CRL-00201 DNS Fast Flux Detection Kit
Summary This rule detects the misuse of employee accounts by identifying anomalous logon activity.
Supported Event Sources Analysis: FairWarning Privacy Monitoring All Access Control, Analysis, DLP, VPN, Unix, Virtualization, and Database event sources Web Logs: Blue Coat Systems ProxySG SGOS
23
CRL-00002-01
Overview
Name
Excessive Inbound Connections Denied by Firewalls
Purpose
Correlation rule CRL-00002-01 is triggered by excessive denied inbound connections across a firewall. This rule finds host machines of potential intruders and also detects if a particular user is trying, and subsequently failing, to access a resource inside a firewall. This rule revises the default correlation rule NIC002, which is included with RSA enVision. The revised rule uses the device class associated with firewalls and the event classes associated with denied connections. This ensures that any new firewalls added later are supported by this correlation rule without further updates.
Audience
This rule is intended for organizations that are concerned with monitoring heavy inbound network traffic.
Reference Material
• Existing correlation rule NIC002
• The RSA event listings for supported firewall event sources
Requirements
Device Class or Systems
Correlation rule CRL-00002-01 is generic and not dependent on any specific event source or event. This rule revises the existing correlation rule NIC002, which only triggers on certain denied connections from Cisco PIX or Check Point firewalls.
Technical Analysis
Rule Logic
Unlike the existing rule, the revised rule monitors all event sources under the Firewall rule class, the directionality in reference to the firewall in question, and any event that happens to deny a connection. The Security.Firewall device class, and any events with an event category starting with Network.Denied Connections and an in-out value of one (to signify inbound connections), are used for this rule. This ensures that this rule is compatible with any new firewall support that may be created in the future.
A threshold based on empirical observations of logon activity in large enterprise networks is used to enhance the accuracy of the rule. A 25 percent increase in five minutes from the denied connections baseline average triggers this alert. Multithreading is used to enhance the performance of the current rule. To use multithreading, the following variables are used:
l l
When conditions trigger this correlation rule, you should do the following:
• Check the source IP address to determine whether this is expected traffic or traffic that should be monitored more closely.
• Analyze the source IP addresses and destination ports. Multiple source IP addresses with similar destination ports could indicate malicious activity.
CRL-00002-01.1
After installing rule CRL-00002-01.1, you must create a view to monitor for events created by the rule.
CRL-00002-01-1.00
After installing rule CRL-00002-01-1.00, you must create a view to monitor for events created by the rule. The firewalls must be properly configured to send the events required into the system. In this case, any and all logon activity should be logged. The data contains a large number of failed logon events from a Cisco ASA event source collected by an enVision appliance. Part of this rule looks to ensure that the connection is inbound (based on the IP addresses of the messages) so when testing, you may need to modify the source and target IP addresses so that the inout variable is set to one. You should set the IP address of a Cisco ASA event source to the same IP address as that in the syslog header of the sample file or, at least, ensure that the IP address used in the file is not already configured as some other event source.
Quick Deployment
RSA enVision Configuration
This rule works with the default enVision configuration settings. The monitored event sources for the rule are the event sources of the Firewall device class.
The current revision of this correlation rule specifies 20 denied connections in a sixty-second time period to trigger an alert. Modify the threshold if you receive a large number of false alarms. Note: This rule requires the Blacklisted IP addresses watchlist. You can download sample watchlist files from RSA SecurCare Online, import the data, and edit the default values as needed.
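The selector and count described for CRL-00002-01 (Security.Firewall device class, an event category starting with Network.Denied Connections, an in-out value of one, 20 denied connections in sixty seconds), written out as a sliding-window correlation in Python. This is an added example, not RSA enVision rule code; the event field names (device_class, event_category, inout, src_ip, ts) and the sample events are assumptions constructed for the example.

```python
# Added example (not RSA enVision rule code): the inbound-denied-connection
# selector and the 20-in-60-seconds count that CRL-00002-01 describes, as a
# sliding-window correlation over constructed firewall events. The field
# names (device_class, event_category, inout, src_ip, ts) are assumed.
from collections import defaultdict, deque

DEVICE_CLASS = "Security.Firewall"
CATEGORY_PREFIX = "Network.Denied Connections"
INBOUND = 1  # an in-out value of one signifies an inbound connection


def is_inbound_denied(ev):
    """Selector matching the rule text: firewall device class, an event
    category starting with Network.Denied Connections, inbound direction."""
    return (ev["device_class"] == DEVICE_CLASS
            and ev["event_category"].startswith(CATEGORY_PREFIX)
            and ev["inout"] == INBOUND)


def find_alerts(events, threshold=20, window_seconds=60):
    """Return (src_ip, ts) for each source whose inbound denied connections
    reach `threshold` inside any `window_seconds` span. Events are expected
    in timestamp order; a source's window is cleared after it alerts so one
    burst produces one alert."""
    per_source = defaultdict(deque)  # src_ip -> timestamps still in window
    alerts = []
    for ev in events:
        if not is_inbound_denied(ev):
            continue
        q = per_source[ev["src_ip"]]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window_seconds:
            q.popleft()  # older than the window: no longer counted
        if len(q) >= threshold:
            alerts.append((ev["src_ip"], ev["ts"]))
            q.clear()
    return alerts


def make_event(ts, src_ip, inout=INBOUND, device_class=DEVICE_CLASS,
               event_category=CATEGORY_PREFIX):
    return {"ts": ts, "src_ip": src_ip, "inout": inout,
            "device_class": device_class, "event_category": event_category}


def sample_events():
    """Constructed sample traffic (timestamps in seconds, RFC 5737 addresses):
    one source denied 20 times within 38 s, one denied 25 times spread over
    144 s (never 20 inside any 60 s span), plus outbound denies and router
    messages that the selector must ignore."""
    evs = [make_event(2 * i, "203.0.113.5") for i in range(20)]
    evs += [make_event(6 * i, "198.51.100.9") for i in range(25)]
    evs += [make_event(i, "192.0.2.7", inout=0) for i in range(30)]
    evs += [make_event(i, "192.0.2.8", device_class="Network.Router")
            for i in range(30)]
    return sorted(evs, key=lambda e: e["ts"])


if __name__ == "__main__":
    for src, ts in find_alerts(sample_events()):
        print(f"ALERT CRL-00002-01: {src} reached 20 inbound denies at t={ts}s")
```

Running the block reports one alert, for 203.0.113.5 at t=38s; the source with 25 denies spread over 144 s never reaches 20 inside a sixty-second window and so stays below the threshold, which is the false-alarm behaviour the note above asks you to tune with the threshold and window.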
CRL-00003-01
Overview
Name
Port Scan Detected by an Event Source
Purpose
CRL-00003-01 monitors a variety of classes for specific port scan events that are detected by event sources. The rule does not use separate events to create the port scan event, but instead looks for port scan events. Port scan events can be the precursor to an actual attack as they are commonly used to probe for open ports on any IP address. This rule revises the default enVision correlation rule NIC003. The revised rule uses a wider variety of event sources and more events than the existing rule to detect more port scans.
Audience
This rule is intended for organizations that are concerned with monitoring port scans.
Reference Material
l l
Requirements
Device Class or Systems
This correlation rule supports the following event sources.
Device Class          Device Type
Security.IDS          ISS Realsecure, NFR NIDS, Snort, Symantec Network Security, Tipping Point, Mazu Profiler
Security.IPS          Radware DefensePro, Astaro Security Gateway, Check Point FW-1
Security.Firewall     Cyberguard Classic, Fortinet Antivirus Firewall, Netscreen
Technical Analysis
Rule Logic
This rule creates an alert from any port scan event detected by any supported event source. Because the classification of the events can sometimes be inconsistent, specific events have been used rather than the event categories. When new events that specifically cover port scan events are added to any supported event source, you should update this rule to include those events. CRL-00003-01 uses two circuits:
• The High_Severity_PortScan circuit detects all port scan events categorized by an IDS, an IPS, or a firewall as a high severity event. If the Netblock watchlist contains the source address of the port scan, CRL-00003-01 triggers an alarm for the event.
• The MediumLow_Severity_PortScan circuit detects all the port scan events categorized by an IDS, an IPS, or a firewall as medium or low severity events. If the number of such events increases by 25 percent over the hour average and the Netblock watchlist contains the source addresses of the port scans, CRL-00003-01 triggers an alarm.
When conditions trigger this correlation rule, you should investigate the source and target of the port scan to determine whether this activity should be allowed. If the activity is not permitted, block or mitigate this event.
CRL-00003-01.02
Overview
Name
Port Scan Detected
Purpose
Correlation rule CRL-00003-01.02 inspects the events generated by firewalls in an enterprise environment. The rule examines all traffic reported by firewalls for a single source trying to create connections on 20 ports within a given time frame. This correlation can identify potentially malicious sources as a port scan is typically used before an attack. This rule revises the default enVision correlation rule NIC003. The revised rule uses the entire Security.Firewall device class to ensure that it catches port scans regardless of the event source or event types. The rule does not use any specific port scan events, as these events are the end result of an event source detecting a complete port scan without using a correlation rule. In those cases, the port scan events should trigger an alert without using a correlation rule.
Audience
This rule is intended for organizations that are concerned with monitoring port scans.
Reference Material
l l
Requirements
Device Class or Systems
This correlation rule supports the following event sources:
Device Class
Security.Firewall
Device Type
All
Technical Analysis
Rule Logic
This rule is a revised version of the existing correlation rule NIC003, which triggers on complete port scan events. The revised rule is based on any firewall events with port information in which a source and a target are similar. IDS events are not used, as they primarily report complete port scan events, and those events should be alerted on directly, without requiring the correlation rule. This rule detects port scan events by monitoring any traffic detected by firewalls, the ports to which connections are being made, and the source from which the connection is coming. The new rule waits for 20 separate connections to 20 different ports from one source to one destination within five minutes. The five-minute time frame increases the likelihood of detecting scans that have been set up with a long wait period between new connection attempts. Modify the threshold if you receive a large number of false alarms. In some cases, legitimate events may trigger this rule for users who connect through NAT. To address this issue, some of the events dealing specifically with NAT translation have been filtered out, specifically those pertaining to the Cisco PIX and ASA event sources. When conditions trigger this correlation rule, you should do the following:
• Investigate the source IP address of the messages.
• Investigate the destination host that is being scanned to ensure that it is not vulnerable.
• Block the source at the firewall level immediately if any traffic is getting through.
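The condition described above for CRL-00003-01.02 (20 connections to 20 different ports from one source to one destination within five minutes, over Security.Firewall events, with NAT translation messages filtered out), as an added Python example that is not RSA enVision rule code. The event field names and the "nat-translation" msg_type marker used to represent the filtered NAT events are assumptions; the sample events, including a slow scan that stays outside the window, are constructed.

```python
# Added example (not RSA enVision rule code): the CRL-00003-01.02 condition,
# 20 separate connections to 20 different ports from one source to one
# destination within five minutes, over Security.Firewall events, with NAT
# translation messages filtered out. Field names and the "nat-translation"
# msg_type marker are assumptions; the sample events are constructed.
from collections import defaultdict, deque


def is_candidate(ev):
    """Keep only firewall connection events that carry a destination port and
    are not NAT translation messages (the rule filters those out because
    users behind NAT would otherwise trigger it)."""
    return (ev["device_class"] == "Security.Firewall"
            and ev.get("msg_type") != "nat-translation"
            and ev.get("dst_port") is not None)


def detect_port_scans(events, distinct_ports=20, window_seconds=300):
    """Return (src_ip, dst_ip, ts) whenever one source has touched
    `distinct_ports` different ports on one destination inside a sliding
    window of `window_seconds`. Events must be in timestamp order."""
    state = defaultdict(deque)  # (src, dst) -> deque of (ts, dst_port)
    alerts = []
    for ev in events:
        if not is_candidate(ev):
            continue
        key = (ev["src_ip"], ev["dst_ip"])
        q = state[key]
        q.append((ev["ts"], ev["dst_port"]))
        while q and ev["ts"] - q[0][0] > window_seconds:
            q.popleft()  # attempts older than the window no longer count
        if len({port for _, port in q}) >= distinct_ports:
            alerts.append((ev["src_ip"], ev["dst_ip"], ev["ts"]))
            q.clear()  # one alert per scan burst
    return alerts


def make_event(ts, src_ip, dst_ip, dst_port, msg_type="connection",
               device_class="Security.Firewall"):
    return {"ts": ts, "src_ip": src_ip, "dst_ip": dst_ip, "dst_port": dst_port,
            "msg_type": msg_type, "device_class": device_class}


def sample_events():
    """Constructed sample (seconds, RFC 5737 addresses):
    - a scan of ports 1-20 at 12 s intervals (228 s, inside the window);
    - 50 repeated connections to a single port (not a scan);
    - a 25-port burst marked as NAT translation (must be ignored);
    - a slow scan of ports 1-20 at 20 s intervals (380 s, so no 300 s
      window ever holds 20 distinct ports)."""
    evs = [make_event(12 * i, "203.0.113.5", "192.0.2.10", i + 1) for i in range(20)]
    evs += [make_event(i, "198.51.100.9", "192.0.2.10", 443) for i in range(50)]
    evs += [make_event(i, "203.0.113.77", "192.0.2.11", i + 1, msg_type="nat-translation")
            for i in range(25)]
    evs += [make_event(20 * i, "203.0.113.6", "192.0.2.12", i + 1) for i in range(20)]
    return sorted(evs, key=lambda e: e["ts"])


if __name__ == "__main__":
    for src, dst, ts in detect_port_scans(sample_events()):
        print(f"ALERT CRL-00003-01.02: {src} scanned 20 ports on {dst} by t={ts}s")
```

Widening the window (for example to 600 s) makes the slow 20 s-interval scan alert as well, which is the trade-off the text describes: a longer time frame catches scans with long waits between attempts at the cost of more state and, in a busy network, more false alarms.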
Quick Deployment
RSA enVision Configuration
This rule is designed to work with the default enVision configuration settings. The monitored event sources for the rule are the event sources of the Security.Firewall device class. After deploying the RSA enVision appliance in the target environment, you do not need to modify the rule.
CRL-00005-1.10
Overview
Name
Log Source Not Restarted After Reboot/Restart Command Issued Within 10 Minutes
Purpose
CRL-00005-1.10 determines if an event source on the network is unable to restart after being rebooted. The rule detects if an event source generates any events after being rebooted. This rule can minimize downtime in an enterprise environment by quickly identifying event sources that need attention. This rule is a revision of the existing NIC005, NIC006, and NIC009 correlation rules, which are shipped with RSA enVision. The three existing rules determine if specific event sources (Cisco routers, switches, and Windows-based systems) are unable to restart. By combining these rules into one, and by making the rule more general, the revised rule can detect a broader set of event sources with less configuration required.
Audience
This rule is intended for organizations that are interested in minimizing downtime in their environments.
Reference Material
• Existing correlation rule NIC003
• Existing correlation rule NIC006
• Existing correlation rule NIC009
Requirements
Device Class or Systems
This correlation rule supports all event sources that are a part of device group filter NIC_ALL.
Technical Analysis
Rule Logic
This rule detects system restart failures across a network. The rule uses a ten-minute threshold, based on empirical observations of the startup times of various event sources. The rule is composed of two circuits:
• The first circuit, Reboot_Circuit, captures a message from an event source that is rebooting.
• The second circuit, Restart_Circuit, determines if the rebooting event source generates a message. The generation of any message indicates that the event source is back up in a running state. If there is no message from the event source matching the IP address captured by the first circuit, an alert is triggered.
When conditions trigger this correlation rule, confirm that the event source is not running, and notify the appropriate person. If the event source is running, investigate whether there is a network communication issue.
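The two-circuit logic of CRL-00005-1.10 as an added Python example (not RSA enVision rule code): a reboot message opens a ten-minute timer keyed by source IP, any later message from that IP closes it, and a timer that expires without a message produces an alert. The reboot marker (event_category == "System.Reboot"), the other field names, and the sample feed are assumptions constructed for the example.

```python
# Added example (not RSA enVision rule code): the Reboot_Circuit and
# Restart_Circuit logic of CRL-00005-1.10 with its ten-minute threshold.
# The reboot marker (event_category == "System.Reboot") and the field
# names are assumptions; the sample messages are constructed.
REBOOT_CATEGORY = "System.Reboot"  # assumed marker for the Reboot_Circuit


def find_unrestarted(events, now, timeout_seconds=600):
    """Return the source IPs that rebooted but produced no further message
    within `timeout_seconds`, evaluated at time `now`. Events with a
    timestamp after `now` are ignored so the same feed can be replayed at
    different points in time."""
    pending = {}  # src_ip -> reboot timestamp (Reboot_Circuit state)
    alerts = set()
    in_scope = sorted((e for e in events if e["ts"] <= now), key=lambda e: e["ts"])
    for ev in in_scope:
        ip = ev["src_ip"]
        if ev["event_category"] == REBOOT_CATEGORY:
            pending[ip] = ev["ts"]
            continue
        if ip in pending:  # Restart_Circuit: any message means it is back up
            if ev["ts"] - pending[ip] > timeout_seconds:
                alerts.add(ip)  # came back, but only after the timer expired
            del pending[ip]
    # timers still open at evaluation time
    for ip, ts in pending.items():
        if now - ts > timeout_seconds:
            alerts.add(ip)
    return sorted(alerts)


def sample_events():
    """Constructed feed: a router that reboots and reports back within 5
    minutes, a switch that reboots and is never heard from again, and a
    host that reboots and only reports back 650 s later."""
    return [
        {"ts": 100, "src_ip": "192.0.2.1", "event_category": REBOOT_CATEGORY},
        {"ts": 200, "src_ip": "192.0.2.2", "event_category": REBOOT_CATEGORY},
        {"ts": 300, "src_ip": "192.0.2.3", "event_category": REBOOT_CATEGORY},
        {"ts": 400, "src_ip": "192.0.2.1", "event_category": "System.Config"},
        {"ts": 950, "src_ip": "192.0.2.3", "event_category": "System.Config"},
    ]


if __name__ == "__main__":
    for ip in find_unrestarted(sample_events(), now=1000):
        print(f"ALERT CRL-00005-1.10: no message from {ip} within 10 minutes of reboot")
```

Evaluated at t=700 nothing has expired yet; at t=1000 both the silent switch and the host that took 650 s to report back are flagged. The same structure makes the false-positive note below concrete: if the Collector simply stops hearing from a healthy source, this logic cannot tell that apart from a source that failed to restart.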
Quick Deployment
RSA enVision Configuration
This rule uses device classes rather than specific event sources to eliminate the need for configuration. Note: False positives may occur if communication between the enVision Collector and the event source fails.
CRL-00007-1.10
Overview
Name
Log Source Component Under Sustained High Temperature Conditions Over the Past 10 Minutes
Purpose
Correlation rule CRL-00007-1.10 inspects the temperature reports that event sources generate in an enterprise environment. The rule examines the temperature messages from various networking devices over a period of time. This rule revises the default enVision correlation rule NIC007. The revised rule includes additional event sources to broaden the scope, such as more specific Cisco event sources and their ancillary equipment, such as power supplies. Additionally, a decay time of ten minutes is used to increase accuracy.
Audience
This rule allows you to determine if there are environmental, configuration, or loading problems on various network elements.
Reference Material
l l l
Introduction
The rule detects that a log source or monitored event source experienced sustained high temperature conditions against its internal components. This condition could indicate hardware failure with one or more internal components of the log source (such as a system fan, or internal power supply) that directly contributes to the increased operational temperature. This condition could also indicate a problem with HVAC facilities. Sustained high temperature conditions could lead to denial of service and could impact the availability of critical business services. When conditions trigger this correlation rule, the following actions should be performed:
• Inform the log source owner. This situation requires immediate attention.
• Check the configuration and loading of the event source.
• Check the physical environment to see if there has been an increase in ambient temperature or there is some other hardware-based failure.
Requirements
Device Class or Systems
This rule works with the default enVision configuration settings. The rule assumes that the network contains Cisco routers or switches, Foundry switches, NetApp event sources, Nortel event sources, or NetScreen event sources. The rule requires maintenance and configuration as you add or remove event sources. Check that the thresholds are appropriate for your environment. Increasing the time period for this rule will affect the performance of the enVision appliance.
Technical Analysis
Rule Logic
This correlation rule is designed to detect high temperature situations in various event sources. The rule contains five circuits, one for each of five manufacturers: Cisco, Foundry, NetApp, Nortel, and NetScreen. The circuits contain statements that either operate in pairs (one statement detects the high temperature and the other resets the high temperature alert) or, for event sources that do not have a high temperature reset message, operate independently to detect high temperature. To filter out message flooding, a 5 percent increasing threshold was placed on message detection. This threshold is based on the minute baseline.
Quick Deployment
Event Source Configuration
This correlation rule supports the following devices:
Device Class                                Device Type
Network.Router/Cisco Router/IOS Firewall    Catalyst 6000, Catalyst 4000, and other IOS-based routers and switches (c6k, c4k, ci, PS, RPS, sys messages specifically)
Foundry Switch                              Foundry Switch
NetApp                                      NetApp
Nortel                                      Nortel WebOS
NetScreen                                   NetScreen
Rule Customization
This rule works with the default configuration settings of the enVision product. At least one of the supported event sources must be installed in the network environment.
CRL-00008
Name
Active SYNFlood attack Detected by IDS-IPS or Firewall Devices
Purpose
Correlation rule CRL-00008 filters the SYNFlood events detected by security devices in an enterprise environment. This rule revises the default correlation rule NIC008, which is included with RSA enVision. The revised rule employs the SYNFlood events that were originally detected by the device, which makes it dependent upon specific environment settings. When conditions trigger this correlation rule, the following actions should be performed:
• Investigate whether there is a network problem.
• Investigate the source IP address or username of the events.
• Investigate the destination host that was the target of the attack and diagnose potential impacts of the attack.
• Block traffic from the attacker.
Supported Devices
This correlation rule supports the following devices:
Device Class         Device Type
Security.IDS         Dragon IDS
Security.IDS         ISS Realsecure
Security.IDS         Cisco Secure IDS XML
Security.IDS         Snort
Security.IDS         Lancope StealthWatch
Security.IDS         NFR NIDS
Security.Firewall    Secure Computing Sidewinder G2
Security.Firewall    Cyberguard Classic
Security.Firewall    Netscreen
Security.Firewall    SonicWALL-FW
Network.Router       Cisco Router/IOS Firewall
CRL-00010-1.00
Overview
Name
Multiple Login Attempts To a Security Device
Purpose
Correlation rule CRL-00010-1.00 inspects the events detected by any event source on your network. The rule examines all failed logon events to the security event sources that monitor the network. This rule revises the default enVision correlation rule NIC010. The revised rule includes all event sources, rather than just NetScreen, to keep the maintenance and configuration requirements low.
Audience
The audience for this rule is organizations that want to monitor attempts to access the security event sources that monitor their network.
Reference Material
Existing correlation rule NIC010.
Introduction
The current revision of this correlation rule specifies five failed logon attempts in a sixty-second time period as an indication of an attack. If you experience a large number of false alarms, you need to modify this threshold. When conditions trigger this correlation rule, you should do the following:
• Investigate the source IP address and user name of the messages.
• Investigate the destination host that refuses access.
• Monitor the source of these events closely along with the user name that is used to log on to the event source.
• Verify whether the source of these events should have access to the event source.
Requirements
Device Class or Systems
This rule works with the default enVision configuration settings. The rule uses device classes rather than specific event sources, so the rule works with all event sources. You do not need to modify the rule to add or remove event sources.
Technical Analysis
Rule Logic
This correlation rule detects several logon attempts to a security event source on the network. The premise behind this rule is that all events of interest to this rule fall under the umbrella of the following event categories:
• Auth.Errors
• Any event category that starts with Auth.Failures*
• Any event category that starts with Auth.Successful*
• User.Activity.Failed Logins
• User.Activity.Successful Logins
Multithreading is used to enhance the performance of the current rule. To do so, the following variables are used:
l l
Quick Deployment
Event Source Configuration
This correlation rule supports the following devices.
Device Class
NIC_ALL
Device Type
All
Rule Customization
This rule works with the default configuration settings of enVision. All event sources are utilized in this rule. You do not need to modify the rule to add or remove event sources.
CRL-00011-01
Overview
Name
Possible Successful Brute Force Attack Detected
Purpose
Correlation rule CRL-00011-01 detects a brute force password attack occurring against an event source. The rule correlates a number of failed logons with a successful logon to a specific account.
Audience
The audience for this rule is organizations that want to monitor failed and successful logons that could signal a brute force attack.
Reference Material
l l
Introduction
This rule correlates a number of failed logons with a successful logon to a specific account. The rule uses a combination of event categories and messages to detect a brute force attempt. The rule also uses specific thresholds and cached variables. You may need to adjust thresholds if activity on the network changes. Because the Windows Event circuit uses specific messages, you may need to add new messages for subsequent versions of Windows. Each device class uses specific thresholds to determine if a brute force attack is occurring. You may need to modify these thresholds depending on your network. Upon triggering the conditions of the current correlation rule, the following action should be performed:
l
Requirements
Device Class or Systems
Each device class uses specific thresholds to determine if a brute force attack is occurring. You may need to modify these thresholds to meet the needs of your network. You may also need to adjust the decay time, based on the environment.
Technical Analysis
Rule Logic
This rule contains two circuits. The first circuit, Grab Failed Events, captures the failed logon attempts. The circuit contains four statements, each for a specific event category. The first category relates to the enVision appliance. The second category is for Windows-based event sources, and the third category is for UNIX event sources. Finally, there is a category for Security event sources, which includes Firewall, IDS, IPS, and VPN event sources. Each of these categories has a specific threshold, for example, three events within one hundred and eighty-one seconds for Security event sources, that the rule uses to determine if a brute force attack is occurring. When the condition has been satisfied, a cached variable is set, capturing the user name being exploited for the attack. The next circuit, Get successful with cache, determines if a successful logon has occurred. This circuit compares the user name of the successful logon with the user name of the failed attempts in the first circuit. To minimize false positives, the rule uses multithreading based on the source address of the event. The circuits must fire within thirty-one minutes to generate an alert. The rule uses a number of thresholds to determine if a brute force attack is occurring. You may need to alter these thresholds, based on the network environment. You may also need to adjust the decay time, based on the environment. Because the rule is based on event categories, it will only be as accurate as the parsers. If messages are categorized incorrectly, the rule has no way of accounting for them.
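The two circuits of CRL-00011-01 as an added Python example (not RSA enVision rule code). The first circuit counts failed logons per source and user against a per-device-class threshold and caches the user name once the threshold is met; the second fires when a successful logon for the same user arrives from the same source within thirty-one minutes. Only the Security figure (three events in 181 seconds) is from the text: the thresholds assumed for the other classes, the event field names, the Auth.Failures*/Auth.Successful* subcategories, and the sample logon stream are all constructed for the example.

```python
# Added example (not RSA enVision rule code): the Grab Failed Events and
# Get successful with cache circuits of CRL-00011-01. Only the Security
# threshold (3 events in 181 s) comes from the rule text; the other class
# thresholds, field names and sample events are assumptions.
from collections import defaultdict, deque

# (failed-logon count, window in seconds) per statement / device-class group
THRESHOLDS = {
    "Security": (3, 181),   # from the rule description
    "Windows": (3, 181),    # assumed
    "Unix": (3, 181),       # assumed
    "NIC": (3, 181),        # assumed (the enVision appliance itself)
}
DECAY_SECONDS = 31 * 60     # the circuits must fire within thirty-one minutes


def class_group(device_class):
    """Map an enVision device class to the statement that handles it."""
    if device_class.startswith("Security."):
        return "Security"
    if device_class.startswith("Host.Windows"):
        return "Windows"
    if device_class.startswith("Host.Unix"):
        return "Unix"
    return "NIC"


def correlate(events, thresholds=THRESHOLDS, decay_seconds=DECAY_SECONDS):
    """Return (src_ip, user, ts) for every successful logon that follows a
    threshold-meeting burst of failures for the same user from the same
    source. Keying on the source address is the rule's multithreading."""
    failures = defaultdict(deque)  # (src_ip, user) -> failure timestamps
    cached = {}                    # (src_ip, user) -> ts threshold was met
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["src_ip"], ev["user"])
        if ev["event_category"].startswith("Auth.Failures"):
            count, window = thresholds[class_group(ev["device_class"])]
            q = failures[key]
            q.append(ev["ts"])
            while q and ev["ts"] - q[0] > window:
                q.popleft()
            if len(q) >= count:
                cached[key] = ev["ts"]  # cached variable: user under attack
        elif ev["event_category"].startswith("Auth.Successful"):
            hit = cached.pop(key, None)
            if hit is not None and ev["ts"] - hit <= decay_seconds:
                alerts.append((ev["src_ip"], ev["user"], ev["ts"]))
    return alerts


def sample_events():
    """Constructed logon stream (seconds, RFC 5737 addresses)."""
    def ev(ts, src, user, cat, dc="Security.Firewall"):
        return {"ts": ts, "src_ip": src, "user": user,
                "event_category": cat, "device_class": dc}
    stream = []
    # three failures in 120 s, then a success from the same source: alert
    stream += [ev(t, "203.0.113.5", "admin", "Auth.Failures.Password") for t in (0, 60, 120)]
    stream.append(ev(600, "203.0.113.5", "admin", "Auth.Successful.Logon"))
    # a user who mistypes twice and then logs in: below threshold, no alert
    stream += [ev(t, "192.0.2.20", "bob", "Auth.Failures.Password", "Host.Windows Hosts") for t in (10, 20)]
    stream.append(ev(30, "192.0.2.20", "bob", "Auth.Successful.Logon", "Host.Windows Hosts"))
    # "admin" succeeds from a different source than the failures: no alert
    stream.append(ev(700, "198.51.100.1", "admin", "Auth.Successful.Logon"))
    # threshold met, but the success arrives after the 31 minute decay: no alert
    stream += [ev(t, "203.0.113.9", "svc", "Auth.Failures.Password", "Host.Unix") for t in (0, 50, 100)]
    stream.append(ev(3000, "203.0.113.9", "svc", "Auth.Successful.Logon", "Host.Unix"))
    return stream


if __name__ == "__main__":
    for src, user, ts in correlate(sample_events()):
        print(f"ALERT CRL-00011-01: possible successful brute force on {user} from {src} at t={ts}s")
```

Only the first scenario alerts. Raising decay_seconds to an hour makes the delayed "svc" success alert too, which is the adjustment the text says you may need for a given environment, and the per-class thresholds are the values it says to tune.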
Quick Deployment
Event Source Configurations
This correlation rule supports the following devices.
Device Class                 Device Type
Network.System/NIC System    All
Host.Windows Hosts           All
Host.Unix                    All
Security.Access Control      All
Security.Firewall            All
Security.IDS                 All
Security.IPS                 All
Security.VPN                 All
Rule Customization
This rule works with the default configuration settings of the enVision product. With the exception of Windows event sources, the rule uses device classes, reducing the amount of configuration. At least one supported event source is required for this rule to function.
CRL-00011-1.00
Name
Several Failed Logins Followed by a Successful Login
Purpose
Correlation rule CRL-00011-1.00 examines the failed and successful login attempts detected by firewall-class devices for indications of password-based attacks. The need for this rule arises from the potential for various password-based attacks, such as brute force attacks, that can occur in an enterprise-sized network. This rule revises the default enVision correlation rule NIC011. The existing correlation rule NIC011 is triggered by failed login activities followed by any activity. The revised rule monitors for successful logins after the failed login. The revised rule employs device classes rather than specific devices to keep the maintenance and configuration requirements low. When conditions trigger this correlation rule, the following action should be performed: Check the user, the source, and the device to ensure that this user should be allowed to access this firewall.
Supported Devices
This correlation rule supports the following device:
Device Class
Security.Firewall
Device Type
All
CRL-00012
Name
Attacks Exploiting Microsoft Directory Service Vulnerability Detected by IPS-IDS Devices
Purpose
Correlation rule CRL-00012 filters events from IDS and IPS-class devices and triggers upon detecting an attack that exploits the Microsoft Directory Service product. This rule revises the default enVision correlation rule NIC012. The revised rule employs device classes rather than specific devices in order to keep the maintenance and configuration requirements low. Additionally, confidence level filtering is employed in order to enhance the accuracy of the rule. When conditions trigger this correlation rule, the following actions should be performed:
• Identify the source of the attack and block traffic from the source.
• Identify the target host of the attack and apply the vendor-supplied patch to eliminate the vulnerability.
• Restrict access to the affected service for trusted hosts.
• Investigate the destination host that was the target of the attack and diagnose potential impacts of the attack.
Supported Devices
This correlation rule supports the following devices:
Device Class     Device Type
Security.IDS     All
Security.IPS     All
Using the confidence level filtering to filter out messages with low or medium confidence increases the accuracy of the rule and reduces the number of false alarms. A threshold is set on the number of incoming events. In the current revision of this rule, a 10% increase from the minute baseline is specified as the triggering condition. The event category Attacks.Access is used as the major category of this correlation rule. The Attacks.Denial of Service category can be used as an alternative.
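The CRL-00012 triggering condition as an added Python example (not RSA enVision rule code): IDS and IPS events are kept only when their category is Attacks.Access and their confidence is high, the per-minute count is compared with the minute baseline, and any minute more than 10 percent above the baseline alerts. The field names, the confidence labels, the baseline figure, and the sample events are assumptions constructed for the example; Attacks.Denial of Service is shown as the alternative category the text mentions.

```python
# Added example (not RSA enVision rule code): CRL-00012's confidence
# filtering, Attacks.Access category selection and 10% minute-baseline
# threshold. Field names, confidence labels, the baseline figure and the
# sample events are assumptions constructed for the example.
from collections import Counter

IDS_IPS_CLASSES = ("Security.IDS", "Security.IPS")


def minute_counts(events, category="Attacks.Access"):
    """Count qualifying events per minute (ts // 60). Low and medium
    confidence messages are filtered out, as the rule text describes."""
    counts = Counter()
    for ev in events:
        if (ev["device_class"] in IDS_IPS_CLASSES
                and ev["event_category"] == category
                and ev["confidence"] == "high"):
            counts[ev["ts"] // 60] += 1
    return counts


def alert_minutes(counts, baseline_per_minute, pct_increase=10):
    """Minutes whose count exceeds baseline * (1 + pct_increase/100)."""
    limit = baseline_per_minute * (1 + pct_increase / 100)
    return sorted(minute for minute, n in counts.items() if n > limit)


def sample_events():
    """Constructed IDS/IPS stream: minute 0 sits at the baseline (10 events),
    minute 1 exceeds it (12), minute 2 has 30 events that are all low
    confidence, minute 3 has 15 high-confidence denial-of-service events."""
    def ev(ts, cat, conf, dc="Security.IDS"):
        return {"ts": ts, "event_category": cat, "confidence": conf, "device_class": dc}
    evs = [ev(i, "Attacks.Access", "high") for i in range(10)]
    evs += [ev(60 + i, "Attacks.Access", "high") for i in range(12)]
    evs += [ev(120 + i, "Attacks.Access", "low") for i in range(30)]
    evs += [ev(180 + i, "Attacks.Denial of Service", "high", "Security.IPS")
            for i in range(15)]
    return evs


if __name__ == "__main__":
    BASELINE = 10  # constructed minute baseline for the sample stream
    for minute in alert_minutes(minute_counts(sample_events()), BASELINE):
        print(f"ALERT CRL-00012: Attacks.Access exceeded baseline +10% in minute {minute}")
```

With a baseline of 10 events per minute only minute 1 alerts: minute 2's 30 low-confidence messages are discarded before counting, which is exactly the false-alarm reduction the confidence filter buys, and minute 3 only alerts if the rule is switched to the alternative Attacks.Denial of Service category.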
CRL-00013
Name
Unusual Number of Failed User Login Attempts via Remote Connections to the Same Event Destination
Purpose
Correlation rule CRL-00013 detects any failed login event and checks to see if the login type was from a remote location to the event destination. This correlation could indicate a brute force attack on an internal asset from a remote location. This rule is a revised version of the default enVision correlation rule NIC027, which is designed to trigger on malicious user login activities. Unlike the existing rule NIC027, which is based on specific device types, the revised rule monitors a wider class of devices and only the more specific login type of remote logins. When conditions trigger this correlation rule, the following actions should be performed:
• Evaluate the number of times that a particular user attempts to log in to the event destination. Determining the source of the failed attempt will assist in assessing the action's severity.
• Investigate the source IP address and username of the messages.
• Investigate the destination host that refuses access.
Supported Devices
This correlation rule supports the following devices:
Device Class
NIC_ALL
Device Type
All
Description
All devices are supported; however, given the nature of Windows events, special emphasis was placed on these events.
For all devices, except Windows, no maintenance or extension is needed as the rules are based on categories and collected IP addresses. If a new collection method is created for Windows Security Logs, you must extend this rule to cover those events.
CRL-00013-01
Name
Numerous Failed User Login Attempts Locally to the Same Event Source
Purpose
Correlation rule CRL-00013-01 detects any failed login event that occurs on a local machine and checks the frequency of such events against the normal baseline for the entire network. This correlation could indicate a brute force attack on an internal asset. This rule is a revised version of the default enVision correlation rule NIC027, which triggers on malicious user login activities. Unlike the existing rule NIC027, which is based on specific device types, the revised rule monitors a wider class of devices and only the more specific login type of local logins. When conditions trigger this correlation rule, the following actions should be performed:
• Evaluate the number of occurrences of a particular user attempting to log in to the event source. Determine the source of the failed attempt, as this will assist in the assessment of this action's severity.
• Investigate the source IP address and username of the messages.
• Investigate the host that refuses access.
Supported Devices
This correlation rule supports the following device:
Device Class
NIC_ALL
Device Type
All
Description
All devices are supported; however, given the nature of Windows events, special emphasis was placed on these events.
For all devices except Windows, no maintenance or extension is needed, as the rules are based on categories and collected IP addresses. If a new collection method is created for Windows Security Logs, you must extend this rule to cover those events.
CRL-00013-02
Name
Numerous Failed Service Account Login Attempts to the Same Event Source
Purpose
Correlation rule CRL-00013-02 detects any type of failed login event that occurs on a local machine and checks the frequency of such events against the normal baseline of the entire network. This correlation could indicate that a service is incorrectly configured. This rule is a revised version of the default enVision correlation rule NIC027, which is designed to trigger on malicious user login activities. Unlike the existing rule NIC027, which is based on specific device types, the revised rule monitors a wider class of devices and a more specific login type, service logins only. When conditions trigger this correlation rule, the following actions should be performed:
Check to see if a Service Account was set up incorrectly. This is most likely due to a password mismatch, or the Service Account might have been disabled. Corrective actions on the Event Source are required. Escalate as necessary. Investigate the source IP address and username of the messages. Investigate the host that refuses access.
Supported Devices
This correlation rule supports the following device:
Device Class | Device Type | Description
NIC_ALL | All | All devices are supported; however, given the nature of Windows events there was special emphasis placed on these events.
correlation to start firing a large number of times as users begin logging in to systems during peak business hours. Also, to ensure that it does fire properly, update the System User Names with any additional non-Windows service usernames. Increasing the time period for this rule will affect the performance of the enVision appliance. For all devices except Windows no maintenance or extension is needed as the rules are based on categories and collected IP addresses. For Windows Security Logs, if a new collection method is created, this rule will need to be extended to cover those events. To ensure that the correlation fires properly, verify that any service user account that starts or stops a user account is in the watchlist.
Note: This rule requires the Service User Names watchlist. You can download sample watchlist files from RSASecurCare Online, import the data, and edit the default values as needed.
CRL-00013-04
Name
Increase in Failed Remote Login Attempts Detected
Purpose
Correlation rule CRL-00013-04 detects if there have been numerous failed logins using remote protocols such as SSH/SCP, HTTP, Telnet, or Remote Desktop. When conditions trigger this correlation rule, the following action should be performed: Evaluate the number of occurrences of a particular user attempting to log in to the event source. Determine the source of the failed attempt as this will assist in the assessment of this action's severity.
Supported Devices
This correlation rule supports the following devices:
Device Class | Device Type | Description
Windows.Hosts | Windows Events (BL, ER, NIC, Snare) | Not applicable
Host.Unix | All | Auth.Failures, Auth.Failures.User Errors, User.Activity.Failed Logins
Security.Firewall | All | Auth.Failures, Auth.Failures.User Errors, User.Activity.Failed Logins
Security.IDS | All | Auth.Failures, Auth.Failures.User Errors, User.Activity.Failed Logins
Security.IPS | All | Auth.Failures, Auth.Failures.User Errors, User.Activity.Failed Logins
Security.VPN | All | Auth.Failures, Auth.Failures.User Errors, User.Activity.Failed Logins
Network.Switch | All | Auth.Failures, Auth.Failures.User Errors, User.Activity.Failed Logins
Network.Router | All | Auth.Failures, Auth.Failures.User Errors, User.Activity.Failed Logins
Storage.Storage | All | Auth.Failures, Auth.Failures.User Errors, User.Activity.Failed Logins
CRL-00013-05
Name
Increase in Failed Interactive User Logins Detected
Purpose
Correlation rule CRL-00013-05 detects if there have been numerous interactive failed logins to an event source. When conditions trigger this correlation rule, the following action should be performed: Evaluate the number of occurrences of a particular user attempting to log in to the event source. Determine the source of the failed attempt as this will assist in the assessment of this action's severity.
Supported Devices
This correlation rule supports the following devices:
Device Class | Device Type | Description
Windows.Hosts | | Not applicable
Host.Unix | | Auth.Failures, Auth.Failures.User Errors, User.Activity.Failed Logins
Security.Firewall | All | Auth.Failures, Auth.Failures.User Errors, User.Activity.Failed Logins
Security.IDS | All | Auth.Failures, Auth.Failures.User Errors, User.Activity.Failed Logins
Security.IPS | All | Auth.Failures, Auth.Failures.User Errors, User.Activity.Failed Logins
Security.VPN | All | Auth.Failures, Auth.Failures.User Errors, User.Activity.Failed Logins; Juniper SSL VPN 000501, 000600, 000500
Network.Switch | All | Auth.Failures, Auth.Failures.User Errors, User.Activity.Failed Logins
Network.Router | All | Auth.Failures, Auth.Failures.User Errors, User.Activity.Failed Logins
Storage.Storage | All | Auth.Failures, Auth.Failures.User Errors, User.Activity.Failed Logins
Storage.Database | All | Auth.Failures, Auth.Failures.User Errors, User.Activity.Failed Logins
Security.Access Control | All | Auth.Failures, Auth.Failures.User Errors, User.Activity.Failed Logins
Network.Wireless Devices | All | Auth.Failures, Auth.Failures.User Errors, User.Activity.Failed Logins
 | All | Auth.Failures, Auth.Failures.User Errors, User.Activity.Failed Logins
 | All | Auth.Failures, Auth.Failures.User Errors, User.Activity.Failed Logins
 | All | Auth.Failures, Auth.Failures.User Errors, User.Activity.Failed Logins
Host.Mail Servers | All | Auth.Failures, Auth.Failures.User Errors, User.Activity.Failed Logins
Host.Mainframe | All | Auth.Failures, Auth.Failures.User Errors, User.Activity.Failed Logins
Host.Midrange | iSeries | Auth.Failures, Auth.Failures.User Errors, User.Activity.Failed Logins
Host.Application Servers | All | Auth.Failures, Auth.Failures.User Errors, User.Activity.Failed Logins
Note: This rule requires the Known Service Accounts and Known Vendor Accounts watchlists. You can download sample watchlist files from RSASecurCare Online, import the data, and edit the default values as needed.
CRL-00013-06
Name
Increase in Failed Service Account Logins Detected
Purpose
Correlation rule CRL-00013-06 detects if there have been numerous failed logins to an event source. When conditions trigger this correlation rule, the following action should be performed: Evaluate the number of occurrences of a particular user attempting to log in to the event source. Determine the source of the failed attempt as this will assist in the assessment of this action's severity.
Supported Devices
This correlation rule supports the following devices:
Device Class | Device Type | Description
Windows.Hosts | | Not applicable
Host.Unix | | Auth.Failures, Auth.Failures.User Errors, User.Activity.Failed Logins
Security.Firewall | All | Auth.Failures, Auth.Failures.User Errors, User.Activity.Failed Logins
Security.IDS | All | Auth.Failures, Auth.Failures.User Errors, User.Activity.Failed Logins
Security.IPS | All | Auth.Failures, Auth.Failures.User Errors, User.Activity.Failed Logins
Security.VPN | All | Auth.Failures, Auth.Failures.User Errors, User.Activity.Failed Logins; Juniper SSL VPN 000501, 000600
Network.Switch | All | Auth.Failures, Auth.Failures.User Errors, User.Activity.Failed Logins
Network.Router | All | Auth.Failures, Auth.Failures.User Errors, User.Activity.Failed Logins
Storage.Storage | All | Auth.Failures, Auth.Failures.User Errors, User.Activity.Failed Logins
Storage.Database | All | Auth.Failures, Auth.Failures.User Errors, User.Activity.Failed Logins
Security.Access Control | All | Auth.Failures, Auth.Failures.User Errors, User.Activity.Failed Logins
Network.Wireless Devices | All | Auth.Failures, Auth.Failures.User Errors, User.Activity.Failed Logins
 | All | Auth.Failures, Auth.Failures.User Errors, User.Activity.Failed Logins
 | All | Auth.Failures, Auth.Failures.User Errors, User.Activity.Failed Logins
 | All | Auth.Failures, Auth.Failures.User Errors, User.Activity.Failed Logins
Host.Mail Servers | All | Auth.Failures, Auth.Failures.User Errors, User.Activity.Failed Logins
Host.Mainframe | All | Auth.Failures, Auth.Failures.User Errors, User.Activity.Failed Logins
Host.Midrange | iSeries | Auth.Failures, Auth.Failures.User Errors, User.Activity.Failed Logins
Host.Application Servers | All | Auth.Failures, Auth.Failures.User Errors, User.Activity.Failed Logins
Note: This rule requires the Known Service Accounts and Known Vendor Accounts watchlists. You can download sample watchlist files from RSASecurCare Online, import the data, and edit the default values as needed.
CRL-00014
Name
Low-Privileged or Guest Account Added to Administrative Group
Purpose
Correlation rule CRL-00014 inspects events from any device for users being added to a group. The username and group name are then checked against two watchlists that contain the known administrators and the groups with administrative privileges assigned to them. A non-administrative user being added to one of these groups may indicate malicious privilege escalation activity. This rule revises the default enVision correlation rule NIC031. The revised rule employs device classes and event categorization rather than specific devices and events. This keeps the maintenance and configuration requirements low. When conditions trigger this correlation rule, the following actions should be performed:
Determine whether this was an expected change. If it was an expected change, identify the source of this event. Remove the low-level account from the administrative group and disable access to the user who initiated the change. Investigate the source IP address or username of the messages. Multiple failed login events from a single IP address may indicate a password-based attack, such as a dictionary-based password-guessing attack. Investigate the destination host that refuses access. This might be an indication of a problematic service.
Supported Devices
This correlation rule supports the following devices:
Device Class | Device Type
NIC_All | All
This rule is a revised version of the existing correlation rule NIC031, which is designed to trigger on malicious user login activities. Unlike the existing rule NIC031, which is based on specific device types, the revised rule monitors the wider class of devices. This correlation needs two watchlists that require constant updating to prevent false positives. The Administrative Groups watchlist holds all group names or IDs that are associated with administrative groups. The Administrative Users watchlist contains all of the existing administrative usernames.
Note: You can download sample watchlist files from RSASecurCare Online, import the data, and edit the default values as needed.
This rule escalates any event that indicates that a non-administrator user has been added to an administrative group from any device. The events that indicate this must be classified as User.Management.Groups.Modification.User Added for this rule to fire properly. Due to the severity of this event, this rule immediately escalates any event that matches the criteria without any correlation across several devices.
CRL-00016
Name
Attacks Exploiting HTTP Cold Fusion Vulnerabilities Detected by IDS or IPS Devices
Purpose
Correlation rule CRL-00016 monitors events from specific IDS/IPS devices and triggers upon detecting a burst of attacks which exploit the vulnerabilities in HTTP Cold Fusion products. This rule revises the default enVision correlation rule NIC016. The revised rule is based on the events that are originally detected by the IPS and IDS devices. The revised rule depends on specific devices and vulnerabilities. When conditions trigger this correlation rule, the following actions should be performed:
Identify the source of the attack and block traffic from the source. Identify the target host of the attack and apply the vendor supplied patch to eliminate the vulnerability. Restrict access to the affected service for trusted hosts. Investigate the destination host that was the target of the attack and diagnose potential impacts of the attack.
Supported Devices
This correlation rule supports the following devices:
Device Class | Device Type
Security.IDS | Dragon IDS
Security.IDS | ISS Realsecure
Security.IDS | Entercept
Security.IDS | Snort
Security.IDS | Intrushield
Security.IDS | Cisco Secure IDS XML
Security.IDS | Cisco Secure IDS
CRL-00023
Name
Event Source No Longer Sending Events
Purpose
Correlation rule CRL-00023 detects when an event source stops sending log messages, indicating incorrectly configured hardware or software, or a hardware or software failure. This rule is a revised version of the default enVision correlation rule NIC023, which triggers when a device stops logging. Unlike the existing rule NIC023, this revised rule is able to supply a timeframe for when the device stopped logging. Additionally, only devices that use real-time or near real-time transport mechanisms are analyzed. When conditions trigger this correlation rule, the following actions should be performed:
Investigate network connectivity between the source and the enVision appliance. Check to see if logging or auditing has been disabled or misconfigured for the event source. Ensure that the event source is still functioning.
Supported Devices
This correlation rule supports the following devices:
Device Class | Device Type | Description
 | airdefense, airmagnetenterprise, aix, arborpeakflow, arubanetworks, avocentkvm, bigip, caetrust, celerra, ciscoasa, ciscocontenteng, ciscocss, ciscopix, ciscorouter, ciscosecagent, ciscoswitch, ciscovpn, ciscoworks, cyberguard classic, cyberguard, dragonids, edirectory, extremesw, firepass, fortinet, foundryswitch, hpprocurvesw, hpux, ibmmainframe_sma_rt, intelvpn, intrushield, ironmail, lotusdomino, macosx, mazuprofiler, netapp, netcontinuumwebappfw, nfrnids, nokiaipso, nortelpassport, nortelvpn, nortelwebos, powerconnect, rhlinux, sidewinder, snort, solaris, solsoftnp, sonicwall, stealthwatch, Symantec, symantecav, symantecintruder, symantecsns, symmetrix, tippingpoint, toplayer, toplayeram, trendmicro, websense, winevent, winevent_er, winevent_snare | N/A
 | actividentity, apache, aventail, cacheflow, checkpointfw, ciscoacs, ciscocontenteng, ciscoidsxml, ciscoworks, epolicy, host intrusion prevention, ibmacf2, ibmdb2, ibmdb, ibmracf, ibmtopsecret, ibmwebsphere, iseries, iss, mcafeevirusscan, microsoftiis, mom, msdhcp, msexchang, msias, msisa, mssql, netcache, oracle, rsaaccessmgr, rsaacesrv, solarisbsm, sybasease, tripwire, winevent_nic | N/A
CRL-00023-01
Name
Event Source Inactive for the Past 4 Hours
Purpose
Correlation rule CRL-00023-01 determines if any device has stopped sending event data in the past 4 hours. It is a revised version of the default enVision correlation rule NIC023. When conditions trigger this correlation rule, the following actions should be performed:
Investigate network connectivity between the source and the enVision appliance. Check to see if the event source has logging or auditing disabled or misconfigured. Ensure that the event source is still functioning.
Supported Devices
This correlation rule supports the following devices:
Device Class | Device Type | Description
NIC_ALL | N/A | All enVision supported devices
CRL-00023-02
Name
Event Source Inactive for the Past 24 Hours
Purpose
Correlation rule CRL-00023-02 determines if any device has stopped sending event data in the past 24 hours. It is a revised version of the default enVision correlation rule NIC023. When conditions trigger this correlation rule, the following actions should be performed:
Investigate network connectivity between the source and the enVision appliance. Check to see if the event source has logging or auditing disabled or misconfigured. Ensure that the event source is still functioning.
Supported Devices
This correlation rule supports the following devices:
Device Class | Device Type | Description
NIC_ALL | N/A | All enVision supported devices
CRL-00036
Name
High Number of DoS Attack Alerts
Purpose
Correlation rule CRL-00036 inspects the events detected by the IDS, IPS, and Firewall device classes in an enterprise environment. The rule examines Denial of Service (DoS) attack alerts to determine if there is an active attack on the network. This rule is a revised version of the existing correlation rule NIC036, which is included with RSA enVision. The revised rule covers new devices and event categories. The rule monitors events from the Attacks.Denial of Service category and its successor categories. When conditions trigger this correlation rule, the following actions should be performed:
Inspect the source IP of the incoming messages and block the malicious traffic. Inspect the device that fires the DoS attack alerts and verify the validity of the event.
Supported Devices
This correlation rule supports the following devices:
Device Class | Device Type
Security.IDS | All
Security.IPS | All
Security.Firewall | All
CRL-00037
Name
Backdoor-type Activity Originating From External Networks Detected
Purpose
Correlation rule CRL-00037 inspects events detected by the IDS, IPS, and Firewall device classes in an enterprise environment. The rule examines attack alerts for backdoor activities in the network when the attacker resides in the external network. This rule is a revised version of the existing correlation rule NIC037, which is included with RSA enVision. The revised rule covers new device and event categories. The rule monitors events from the Attacks.Malicious Code.Trojan Horse/Backdoor category. When conditions trigger this correlation rule, the following actions should be performed:
Identify the source of the attack and block traffic from the source. Identify the target host of the attack, apply the security patch, and remove the backdoor agent.
Supported Devices
This correlation rule supports the following devices:
Device Class | Device Type
Security.IDS | All
Security.IPS | All
Security.Firewall | All
Destination Address Not in Watchlist RFC 1918 List
Source Address Not in Watchlist RFC 1918 List
The 1918.txt watchlist provides the allocated IP addresses for a private network as specified by RFC 1918.
A threshold is used to enhance the accuracy of the rule. In the revised rule, a 25% increase in attack events over the minute baseline is an indication of an ongoing attack against the network or worm activity. The event category System.Unusual Activity is used as the major category of this correlation rule.
Note: Use confidence level filtering to filter out messages with low confidence that contain the variable victim address; this increases the accuracy of the rule and reduces the number of false alarms.
CRL-00037-01
Name
Backdoor-type Activity Observed Within Internal Networks
Purpose
Correlation rule CRL-00037-01 inspects the events detected by the IDS, IPS, and Firewall device classes in an enterprise environment. The rule examines attack alerts for backdoor activities in the network when the attacker resides in the internal network. This rule is the revised version of the existing correlation rule NIC037, which is included with RSA enVision. The revised rule covers new device and event categories. The rule monitors events from the Attacks.Malicious Code.Trojan Horse/Backdoor category. When conditions trigger this correlation rule, the following actions should be performed:
Identify the source of the attack and block traffic from the source. Identify the target host of the attack, apply the security patch, and remove the backdoor agent.
Supported Devices
This correlation rule supports the following devices:
Device Class | Device Type
Security.IDS | All
Security.IPS | All
Security.Firewall | All
A threshold is used to enhance the accuracy of the rule. In the revised rule, a 25% increase in attack events over the minute baseline is an indication of an ongoing attack against the network or worm activity. The event category System.Unusual Activity is used as the major category of this correlation rule.
Note: Use confidence level filtering to filter out messages with low confidence that contain the variable victim address; this increases the accuracy of the rule and reduces the number of false alarms.
CRL-00040-1.0
Overview
Name
Increase in Inter-zone Remote Management Connections
Purpose
Correlation rule CRL-00040-1.0 detects a significant increase in the number of remote management connections. This activity may be seen as a malicious user probing different ports to map the network.
Introduction
This rule is an aggregation of NIC040, NIC040_CPFW, and NIC040_PIXFW. Device classes are used instead of specific devices, enhancing the usefulness of the rule. The ports used by these services are contained in a watchlist that can be easily modified by users to add and remove services that apply to their network. Currently, RDP, SSH, and Telnet are in the list.
Requirements
Device Class or Systems
Syslog events stored in a Unix file are used to test the rule. The PIX and NetScreen event sources were used (10.10.18.1 and 10.10.50.42 respectively) and the messages were copied into two separate files and injected in succession.
Other Requirements
CRL-00040-1.0 was tested and developed using RSA enVision 3.7.0 build 0215. You must install the Known Service Ports watchlist to define the known service ports in the environment. To test this correlation rule, create a new view and add CRL-00040-1.0. Because this correlation rule uses 5% over the hour baseline for triggering, observe the baseline to determine what to inject.
Technical Analysis
Rule Logic
This rule is composed of one circuit and one statement. A decay time of 65 minutes is used, to keep in line with the hourly baseline. The statement looks at all the event sources contained in the Security.Firewall group. It compares the lport variable to the Known Service Ports watchlist to see if the port appears in that list. If it does, and the number of connections exceeds the hourly baseline by 5%, an alert is triggered.
To test this rule, use the injector utility to inject the attached Unix file. Use the following commands to reproduce the triggering condition of the rule:
injector -redirect -host 127.0.0.1 -file netscreen.unx -eps 1 -time 1
injector -redirect -host 127.0.0.1 -file port.unx -eps 1 -time 1
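The Rule Logic above (firewall events filtered by the Known Service Ports watchlist, counted per window and compared with the baseline plus 5%), as an added Python illustration that is not enVision's own code. The Event layout, the sample watchlist contents and the baseline definition (mean of the preceding windows) are assumptions; because the window and percentage are parameters, the same function also models the 25% over the minute baseline used by CRL-00037.

```python
"""Baseline-deviation correlation modelled on the Rule Logic of CRL-00040-1.0.

Added illustration, not enVision's own code. Firewall events whose lport is on
the Known Service Ports watchlist are counted per window and compared with the
baseline plus a percentage. The Event layout, the watchlist contents and the
baseline definition (mean of the preceding windows) are assumptions.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Iterable, List, Set, Tuple

ORIGIN = datetime(1970, 1, 1)
HOUR = timedelta(hours=1)
MINUTE = timedelta(minutes=1)
# Stand-in for the Known Service Ports watchlist: SSH, Telnet and RDP, as the page lists them.
KNOWN_SERVICE_PORTS: Set[int] = {22, 23, 3389}


@dataclass(frozen=True)
class Event:
    ts: datetime
    device_class: str   # e.g. "Security.Firewall"
    lport: int          # destination port, the page's lport variable


def bucket(ts: datetime, window: timedelta) -> int:
    """Index of the fixed window (hour, minute, ...) that contains ts."""
    return (ts - ORIGIN) // window


def window_counts(events: Iterable[Event], window: timedelta,
                  device_class: str = "Security.Firewall",
                  watchlist: Set[int] = KNOWN_SERVICE_PORTS) -> Counter:
    """Count events of the given device class whose port is on the watchlist, per window."""
    counts: Counter = Counter()
    for ev in events:
        if ev.device_class == device_class and ev.lport in watchlist:
            counts[bucket(ev.ts, window)] += 1
    return counts


def find_alerts(events: Iterable[Event], window: timedelta, pct_over_baseline: float,
                baseline_windows: int = 4) -> List[Tuple[int, int, float]]:
    """Return (window_index, count, threshold) for each window whose count exceeds
    the baseline by more than pct_over_baseline percent.

    The baseline is the mean of the previous baseline_windows windows (empty windows
    count as zero). CRL-00040-1.0 uses 5% over the hourly baseline; CRL-00037 uses
    25% over the minute baseline, which is the same test with other parameters.
    """
    counts = window_counts(events, window)
    if not counts:
        return []
    first, last = min(counts), max(counts)
    alerts: List[Tuple[int, int, float]] = []
    for b in range(first + baseline_windows, last + 1):   # a full baseline must exist first
        history = [counts.get(i, 0) for i in range(b - baseline_windows, b)]
        baseline = sum(history) / baseline_windows
        threshold = baseline * (1 + pct_over_baseline / 100.0)
        if counts.get(b, 0) > threshold:
            alerts.append((b, counts[b], threshold))
    return alerts


def make_sample(per_window: List[int], window: timedelta,
                start: datetime = datetime(2024, 1, 1, 0, 0)) -> List[Event]:
    """Constructed sample: per_window[i] watched-port firewall connections in window i,
    plus one non-watched port and one non-firewall event per window that the rule
    must ignore."""
    events: List[Event] = []
    for w, n in enumerate(per_window):
        base = start + window * w
        for i in range(n):
            events.append(Event(base + timedelta(microseconds=i),
                                "Security.Firewall", (22, 23, 3389)[i % 3]))
        events.append(Event(base, "Security.Firewall", 80))   # HTTP is not on the watchlist
        events.append(Event(base, "Security.IDS", 22))        # wrong device class
    return events


if __name__ == "__main__":
    # Four steady hours of 100 connections, then 106: 6% over the hourly baseline.
    hourly = make_sample([100, 100, 100, 100, 106], HOUR)
    print(find_alerts(hourly, HOUR, pct_over_baseline=5))
```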
Quick Deployment
Event Source Configuration
This correlation rule supports the following event sources:
Device Class
Security.Firewall
Device Type
All
Rule Customization
This rule is designed to work with the default configuration settings of RSA enVision. Because this rule uses the Security.Firewall class, event source additions or removals are handled automatically. The watchlist may have to be updated to include the particular services running on the client's network. The revised rule specifies a 5% increase over the hourly average to reduce the number of times the rule is triggered.
Note: This rule requires the Known Service Ports watchlist. You can download sample watchlist files from RSASecurCare Online and edit the default values as needed.
A desired threshold also needs to be determined for each site. The site needs to be using at least one of SSH, Telnet, or RDP for the rule to function properly. Upon triggering the conditions of this correlation rule, investigate the source IP address of the messages and the associated workstation, type, and owner. Escalate if necessary.
CRL-00044
Name
Excessive Inbound Connections Denied from a Single IP Address
Purpose
Correlation rule CRL-00044 inspects the firewall for denied connections that have been labeled as an inbound connection across a firewall or router. This rule helps find potential hostile hosts and users trying to access resources on the other side of a firewall or router. This rule is a revised version of the existing correlation rule NIC044, which is included with RSA enVision. The revised rule uses the device class associated with firewalls and routers, and the event classes associated with denied connections. This is to ensure that new firewalls or routers added later are properly supported by this rule without further updates. Device classes Security.Firewall and Network.Router and any event with an event category starting with Network.Denied Connections or variations thereof are used for this correlation. The rule is developed to be generic and not dependent on any specific device or event. When conditions trigger this correlation rule, the following action should be performed: Check the IP address involved to ensure that this is either expected traffic or traffic that should be monitored more closely.
CRL-00101
Name
Large Number of Attack Events from Internal IP Addresses Detected by IDS Devices
Purpose
Correlation rule CRL-00101 detects attacks occurring from an internal IP address and terminating at an internal IP address. This may mean that an internal attack is occurring, or an internal address is being spoofed. When conditions trigger this correlation rule, the following actions should be performed:
Investigate the attack source. Block malicious traffic. Inspect the target and take appropriate action.
Supported Devices
This correlation rule supports the following device:
Device Class | Device Type
Security.IDS | All
CRL-00102
Name
Worm Activity Originating on the Internal Network
Purpose
Correlation rule CRL-00102 looks for worm activity occurring on the internal network of an enterprise. This rule is a revised version of the existing correlation rule NIC_SUSPICIOUS_WORM_ACTIVITY, which is included with RSA enVision. The device scope is increased to include IPS, IDS, and Firewall classes. These classes, along with the included watchlist, ease maintenance of the rule. When conditions trigger this correlation rule, the following actions should be performed:
Determine the source of the infection. Update antivirus on end systems. Apply and revise enforcement policy regarding the use of external equipment and media.
Supported Devices
This correlation rule supports the following devices:
Device Class | Device Type
Security.IDS | All
Security.IPS | All
Security.Firewall | All
Note: This rule requires the RFC 1918 IPList watchlist. You can download sample watchlist files from RSASecurCare Online, import the data, and edit the default values as needed.
CRL-00103
Name
Elevation of User Privileges Detected on a Log Source
Purpose
Correlation rule CRL-00103 looks for events that involve the addition of users to groups. The username and group name are checked against two watchlists containing the known administrators and the groups with administrative privileges assigned to them. A user being added to one of these groups who is not an administrator may indicate that there is malicious intent. This rule is a revision of the existing correlation rule NIC031, which is included with RSA enVision. The revised rule employs device classes and event categorization rather than specific devices and events to keep the maintenance and configuration requirements low. The monitored devices for the rule are composed of devices that have events classified under User.Management.Groups.Modification.User Added. When conditions trigger this correlation rule, the following actions should be performed:
Verify that the user account in question has been granted elevated privileges corresponding to a Documented Change within the environment. If not, a deeper analysis and subsequent escalation may be required. Investigate the source IP address or username of the messages. Investigate the destination host that refuses access.
Supported Devices
This correlation rule supports the following devices:
Device Class | Device Type
NIC_All | All
CRL-00105
Name
Successful Backdoor Attack
Purpose
Correlation rule CRL-00105 detects successful backdoor attacks. This is indicated by a backdoor attack intercepted by security devices, followed by a connection between the attacker and the destination of the attack. IDS, IPS, and Firewall device classes are monitored. The rule is developed to be generic and not dependent on any specific device type. The event category Attacks.Malicious Code.Trojan Horse/Backdoor is used to filter the backdoor attack events. When conditions trigger this correlation rule, the following actions should be performed:
Investigate the target host for possible backdoor agents. Apply proper security updates to remove vulnerabilities in the target host. Block traffic from the attacker.
Supported Devices
This correlation rule supports the following devices:
Device Class | Device Type
Security.IDS | All
Security.IPS | All
Security.Firewall | All
To increase the accuracy of the rule, confidence filtering may be used to reduce the number of false alarms.
CRL-00106
Name
Successful Denial of Service Attack
Purpose
Correlation rule CRL-00106 detects successful Denial of Service (DoS) attacks. This is indicated by a DoS attack intercepted by security devices, followed by a system failure event from the destination of the attack. The rule is developed to be generic and not dependent on any specific device type. Event categories Attacks.Denial of Service.* are used to filter the DoS attack events.
Supported Devices
This correlation rule supports the following devices:
Device Class | Device Type
NIC_All | All
The system error event caused by the successful DoS attack is expected to initiate within 5 minutes after the DoS attack. Therefore, the decay time of the rule is set for 10 minutes. To increase the accuracy of the rule, confidence filtering may be used to reduce the number of false alarms.
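The two-step correlations of CRL-00105 (attack followed by a connection between attacker and target) and CRL-00106 (attack followed by a failure reported by the target) within a decay time, as one added Python illustration that is not enVision's own code. The Event layout, the follow-up category names (Network.Connections, System.Failure), the backdoor rule's decay time and the confidence values are assumptions; only the 10-minute decay of CRL-00106 comes from the page.

```python
"""Sequence correlation with a decay time, modelled on CRL-00105 and CRL-00106.

Added illustration, not enVision's own code. A trigger event (the attack) waits
for a follow-up event (a connection, or a failure from the target) for at most
the decay time; a matching pair is one alert. Event layout, follow-up category
names and the backdoor decay time are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class Event:
    ts: datetime
    category: str          # enVision-style category, e.g. "Attacks.Denial of Service.SYN Flood"
    src: str               # source address, or the reporting host for a host-local message
    dst: str = ""          # destination address (empty for host-local messages)
    confidence: int = 100  # 0-100, for the confidence filtering the rule text mentions


@dataclass(frozen=True)
class Rule:
    name: str
    trigger_prefix: str      # category prefix of the attack event
    followup_prefix: str     # category prefix of the event that confirms success
    decay: timedelta         # how long a trigger waits for its follow-up
    victim_reports: bool     # True: the follow-up is reported by the attack target itself
    min_confidence: int = 0  # triggers below this confidence are dropped


def _linked(trigger: Event, follow: Event, rule: Rule) -> bool:
    """Does the follow-up belong to this trigger? CRL-00106: the target reports the
    failure. CRL-00105: a connection between the same attacker and target."""
    if rule.victim_reports:
        return follow.src == trigger.dst
    return follow.src == trigger.src and follow.dst == trigger.dst


def correlate(events: Iterable[Event], rule: Rule) -> List[Tuple[Event, Event]]:
    """Return (trigger, follow-up) pairs for the rule, processing events in time order."""
    pending: List[Event] = []          # triggers still inside their decay window
    matches: List[Tuple[Event, Event]] = []
    for ev in sorted(events, key=lambda e: e.ts):
        pending = [t for t in pending if ev.ts - t.ts <= rule.decay]   # apply decay
        if ev.category.startswith(rule.trigger_prefix):
            if ev.confidence >= rule.min_confidence:
                pending.append(ev)
            continue
        if ev.category.startswith(rule.followup_prefix):
            for t in pending:
                if _linked(t, ev, rule):
                    matches.append((t, ev))
                    pending.remove(t)  # one alert per attack
                    break
    return matches


# Rules as the page describes them. The follow-up category names and the backdoor
# decay time are assumptions; the 10-minute decay of CRL-00106 is from the page.
BACKDOOR_RULE = Rule("CRL-00105", "Attacks.Malicious Code.Trojan Horse/Backdoor",
                     "Network.Connections", timedelta(minutes=10),
                     victim_reports=False, min_confidence=50)
DOS_RULE = Rule("CRL-00106", "Attacks.Denial of Service", "System.Failure",
                timedelta(minutes=10), victim_reports=True)

T0 = datetime(2024, 1, 1, 9, 0)
SAMPLE_EVENTS = [  # constructed sample; addresses are documentation ranges
    Event(T0, "Attacks.Malicious Code.Trojan Horse/Backdoor", "203.0.113.5", "10.0.0.7", 90),
    Event(T0 + timedelta(minutes=2), "Network.Connections.Accepted", "203.0.113.5", "10.0.0.7"),
    # low-confidence backdoor alert: filtered out, so the connection that follows is not an alert
    Event(T0 + timedelta(minutes=30), "Attacks.Malicious Code.Trojan Horse/Backdoor",
          "203.0.113.6", "10.0.0.8", 20),
    Event(T0 + timedelta(minutes=31), "Network.Connections.Accepted", "203.0.113.6", "10.0.0.8"),
    Event(T0 + timedelta(hours=1), "Attacks.Denial of Service.SYN Flood", "198.51.100.9", "10.0.0.9"),
    Event(T0 + timedelta(hours=1, minutes=4), "System.Failure.Service Crash", "10.0.0.9"),
    Event(T0 + timedelta(hours=2), "Attacks.Denial of Service.SYN Flood", "198.51.100.9", "10.0.0.10"),
    # failure 15 minutes after the attack: outside the 10-minute decay, no alert
    Event(T0 + timedelta(hours=2, minutes=15), "System.Failure.Service Crash", "10.0.0.10"),
]


def run_sample() -> Dict[str, List[Tuple[Event, Event]]]:
    """Run both rules over the constructed sample, keyed by rule name."""
    return {r.name: correlate(SAMPLE_EVENTS, r) for r in (BACKDOOR_RULE, DOS_RULE)}


if __name__ == "__main__":
    for name, pairs in run_sample().items():
        for trigger, follow in pairs:
            print(f"{name}: {trigger.src} -> {trigger.dst} confirmed by {follow.category}")
```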
CRL-00107
Name
Possible Tampering of System Audit / Logs Detected
Purpose
Correlation rule CRL-00107 detects whether a log system has been enabled or disabled, or has encountered some type of error. It also detects if logs have been deleted on some systems. When conditions trigger this correlation rule, the following action should be performed: Determine why the logging system has failed and escalate as appropriate.
Supported Devices
This correlation rule supports the following devices:
Device Class | Device Type
Host.Windows | Windows Events (BL, ER, NIC, Snare)
Security.IDS | ISS Realsecure
Host.Web Logs | Cisco Content Engine
Network.Router | Cisco Router/IOS Firewall, Juniper JUNOS Router
Network.Switch | Cisco Switch
Security.Firewall | Netscreen
Host.Unix | Unix Solaris, Unix AIX
Network.System | NIC System
Security.VPN | Juniper SSL VPN
CRL-00108
Name
Possible ARP Poisoning Activity Detected
Purpose
Correlation rule CRL-00108 determines if ARP poisoning is occurring on the network. This rule is necessary in an enterprise environment because ARP poisoning can lead to Denial of Service (DoS) and compromise information. Specific messages from various devices are used to detect the spoofing attacks. In addition to specific IDS and IPS rules, duplicate IP address messages are included. When conditions trigger this correlation rule, the following action should be performed: Determine the source of the IP conflict caused by the poisoned ARP table.
Supported Devices
This correlation rule supports the following devices:
Device Class | Device Type
Security.IDS | Intrushield, Symantec Network Security, Cisco Secure IDS, Cisco Secure IDS XML
Network.Switch | ExtremeWare, Cisco Content Switch, Cisco Switch
Security.Firewall | Netscreen, Cisco ASA, Cisco PIX Firewall, SonicWALL-FW, Symantec Enterprise Firewall
Network.Configuration Management | Netscreen-Security Manager
Host.Unix | Nokia IPSO, Apple Mac OS X
Security.VPN | Nortel VPN Contivity
Network.Router | Cisco Router/IOS Firewall
CRL-00109
Name
Windows Service State Change
Purpose
Correlation rule CRL-00109 determines whether a service in Windows has been stopped, started, or restarted. It also determines if the startup behavior of a service has been modified. When conditions trigger this correlation rule, the following action should be performed: Determine why the service state has changed on the system in question.
Supported Devices
This correlation rule supports the following devices:
Device Class
Host.Windows Hosts
Device Type
Windows Events (BL, ER, NIC, Snare)
Purpose
The CRL-00110 correlation rule set represents a collection of rules (CRL-00110-DB, CRL-00110-Hosts, CRL-00110-File Integrity, CRL-00110-Email, CRL-00110-Web, and CRL-00110-IDS) that all feed into an overall CRL-00110 rule whose collective purpose is to assist in the identification of any patterns of information within the payload of events from key device classes that may be of a confidential nature, in clear text. Detecting the presence and/or activity surrounding the use of clear-text confidential information can assist enterprises in reducing the risks associated with the misuse and/or unauthorized disclosure. Enterprises currently deploy or are considering the deployment of many suites of tools that could assist in this identification.
Supported Devices
This correlation rule set supports the following devices:
Device Grouping | Type
Host.Windows.Hosts | Device Class
Host.Unix | Device Class
Storage.Database | Device Class
Network.Configuration.Management.Tripwire.Enterprise | Device Type
Host Mail Servers | Device Class
Host.Web Logs | Device Class
Security.IDS | Device Class
Security.IPS | Device Class
information.
Note: You can download sample watchlist files from RSA SecurCare Online, import the data, and edit the default values as needed. The watchlists provide:
• Common credit card recognition patterns
• Social Insurance Numbers (SIN) recognition
• Social Security Numbers (SSN) recognition
• Keywords common to enterprise deployments of data storage
• Frequently used user accounts (interactive or service) that have a business requirement to access confidential information
• Support for events collected by the RSA Data Loss Prevention (DLP) Suite
The use of watchlists allows you to quickly add or modify criteria to tune the individual rules contained within the rule set to desired levels. For the purposes of the rule, Confidential Information is limited to:
• Credit Card Numbers from VISA, Mastercard, American Express, JCB, Discover, and Diner's Club
• Keywords that match credit card, cardholder
• Social Insurance Numbers
• Social Security Numbers
These types of Confidential Information are usually found within databases, or as files stored on file systems hosted by Windows-based or UNIX-based operating systems. This information takes the form of content within files, or as part of the actual filename itself. In addition to these storage locations, the confidential information could be transmitted in clear text from a front-end application such as a web-based Graphical User Interface to a back-end database. This rule set evaluates key events from each of these sources and compares the payload to the watchlist of confidential information looking for the patterns contained within, triggering upon successful matches. The CRL-00110 rule set consists of seven individual rules:
• CRL-00110: This rule collects the output of each of the subsequent CRL-00110 variants, and triggers based on a threshold against the minute baseline.
• CRL-00110-Hosts: This rule looks specifically at events that relate to File Access, Modifications, Creations, and Deletions, using the watchlists to identify potential confidential data patterns. This uses the device classes for Windows and UNIX.
• CRL-00110-File Integrity: This rule uses Tripwire events to identify files or elements that may contain confidential patterns.
• CRL-00110-DB: This rule looks for SQL commands executed against any object that matches confidential data patterns, using the database device class.
• CRL-00110-Email: This rule examines the email traffic for confidential data patterns, using the device class for email servers.
• CRL-00110-IDS: This rule examines network intrusion detection and prevention events for any confidential data patterns within the event payload.
• CRL-00110-Web: This rule examines web server events for confidential data patterns, using the device class for web servers.
Each rule selects events based on the event categories most likely to contain confidential information. Selecting event categories ensures that newer device support under these device classes, with messages matching the event categories, is included within the rule set. Event categories also reduce the out-of-the-box maintenance required for this rule by customers and help to improve the efficiency of the rule when loaded into the Alerter process. Examples of event categories used are:
Three watchlists are used in various combinations within each rule. These three watchlists are:
• Confidential Data Patterns: This watchlist contains regular expression constructs that recognize the following patterns:
  • Word patterns: credit card, creditcard, cardholder
  • Credit card Personal Asset Numbers (PAN) for VISA, Mastercard, Discover, American Express, JCB, and Diner's Club
  • Social Insurance Numbers (SIN)
  • Social Security Numbers (SSN)
• Confidential Accounts: This watchlist contains a list of users that have a business need to access potential confidential information and can be removed from the alerts as expected behavior. It is used in a few of the rules (such as CRL-00110-Hosts) where the user is expected to be within the payload of events.
• DLP Confidential Data Policies: This watchlist allows the CRL-00110-Email and CRL-00110-Web correlation rules to collect events from the RSA Data Loss Prevention Suite.
With the exception of CRL-00110, each rule triggers on every event that matches the conditions outlined within the watchlists. CRL-00110, which receives events from the other CRL-00110 variants, contains a threshold of a 45% increase over the hour baseline. This provides notification of a significant increase in the described activity that may require immediate attention.
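The matching and threshold logic described above, as an added Python example that is not RSA enVision's own code: the regexes approximate the Confidential Data Patterns watchlist, the Luhn filter and the account names are this example's additions, and the sample events are constructed.

```python
"""Added example, not RSA enVision code: a minimal re-implementation of the
CRL-00110 matching logic. Event payloads are scanned against the Confidential
Data Patterns watchlist, users on the Confidential Accounts watchlist are
suppressed (the CRL-00110-Hosts behaviour), and the parent rule fires on a
45% increase over the hourly baseline. The regexes, the Luhn filter, the
account names and the sample events are constructed for this example."""
import re

# Watchlist 1: Confidential Data Patterns (constructed approximations of the
# card-brand PAN formats, SIN and SSN; enVision's own watchlist is not reproduced).
PAN_PATTERNS = {
    "VISA": re.compile(r"\b4\d{12}(?:\d{3})?\b"),
    "Mastercard": re.compile(r"\b5[1-5]\d{14}\b"),
    "American Express": re.compile(r"\b3[47]\d{13}\b"),
    "Discover": re.compile(r"\b6011\d{12}\b"),
    "JCB": re.compile(r"\b35\d{14}\b"),
    "Diner's Club": re.compile(r"\b3(?:0[0-5]|[68]\d)\d{11}\b"),
}
SSN = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")          # Social Security Number
SIN = re.compile(r"\b\d{3}[- ]\d{3}[- ]\d{3}\b")    # Social Insurance Number
KEYWORDS = re.compile(r"credit ?card|cardholder", re.IGNORECASE)

# Watchlist 2: Confidential Accounts, users with a business need to touch the
# data; their events are treated as expected behaviour (constructed names).
CONFIDENTIAL_ACCOUNTS = {"svc_billing", "dba_reports"}


def luhn_ok(digits):
    """Luhn checksum. Not part of the page's watchlist; added here as a
    cheap false-positive filter for PAN-shaped digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify(payload):
    """Return the set of watchlist pattern names found in one event payload."""
    hits = set()
    for brand, rx in PAN_PATTERNS.items():
        if any(luhn_ok(m.group()) for m in rx.finditer(payload)):
            hits.add("PAN:" + brand)
    if SSN.search(payload):
        hits.add("SSN")
    if SIN.search(payload):
        hits.add("SIN")
    if KEYWORDS.search(payload):
        hits.add("keyword")
    return hits


def variant_trigger(event):
    """A CRL-00110 variant fires on every matching event, unless the user in
    the payload is a known Confidential Account."""
    if event.get("user") in CONFIDENTIAL_ACCOUNTS:
        return set()
    return classify(event["payload"])


def parent_trigger(hour_count, hourly_baseline, increase_pct=45):
    """CRL-00110 itself: fire when this hour's variant triggers exceed the
    hourly baseline by more than increase_pct."""
    return hour_count > hourly_baseline * (1 + increase_pct / 100)


def run_rule_set(events, hourly_baseline):
    """Apply the variants to one hour of events; return (variant hits, parent fired)."""
    hits = []
    for e in events:
        matched = variant_trigger(e)
        if matched:
            hits.append((e["variant"], sorted(matched)))
    return hits, parent_trigger(len(hits), hourly_baseline)


# Constructed sample events for one hour (a Hosts file event, a DB query, an
# e-mail, a web request); the card number is a well-known test PAN.
SAMPLE_EVENTS = [
    {"variant": "Hosts", "user": "jsmith", "payload": "file CardHolder_export.csv opened"},
    {"variant": "Hosts", "user": "svc_billing", "payload": "wrote 4111111111111111 to report"},
    {"variant": "DB", "user": "web_app", "payload": "SELECT * FROM cards WHERE pan='4111111111111111'"},
    {"variant": "Email", "user": "bob", "payload": "SSN 123-45-6789 attached"},
    {"variant": "Web", "user": "anon", "payload": "GET /order?cc=4111111111111112"},
]

if __name__ == "__main__":
    hits, fired = run_rule_set(SAMPLE_EVENTS, hourly_baseline=2)
    for variant, matched in hits:
        print(f"CRL-00110-{variant}: {', '.join(matched)}")
    print("CRL-00110 parent rule fired:", fired)
```

The web request is dropped by the Luhn filter rather than the regex, which is the kind of tuning the watchlist approach leaves to the operator.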
CRL-00111
Name
Possible Spoofing Activity Detected
Purpose
Correlation rule CRL-00111 alerts on possible network spoofing activity by looking through the events reported by devices that are associated with spoofing. When conditions trigger this correlation rule, the following action should be performed: Investigate the source IP address and the nature of the event to determine why a spoof was reported.
Supported Devices
This correlation rule supports the following devices:
Device Class | Device Type
Security.Switch | All
Security.Router | All
Security.Firewall | All
Host.Windows Hosts | All
Network.Wireless Devices | All
Host.Unix | All
CRL-00112
Name
Removable Storage Removed from a Windows Event Source
Purpose
Correlation rule CRL-00112 monitors Windows events involving USB storage. Depending on your company policy, possessing any form of USB data device may be a violation. When conditions trigger this correlation rule, the following action should be performed: Investigate the source IP address and the user to ensure that he or she is authorized to use a USB device.
Supported Devices
This correlation rule supports the following devices:
Device Class
Host.Windows Hosts
Device Type
All
CRL-00115
Name
Attacks Exploiting Vulnerabilities in SANS TOP-20 2007 Observed
Purpose
Correlation rule CRL-00115 monitors events from IDS and IPS devices, and triggers when it detects attacks that exploit the vulnerabilities in the SANS TOP-20 2007 list. Since the new revision is based on events that are originally detected by IPS and IDS devices, limitations are introduced, such as dependency on specific devices and vulnerabilities. Confidence level filtering is employed to enhance the accuracy of the rule. The event category Attacks.Access is used as the major category of this rule. When conditions trigger this correlation rule, the following actions should be performed:
• Identify the source of the attack and block traffic from the source.
• Identify the target host of the attack and apply the vendor-supplied patch to eliminate the vulnerability.
• Restrict access to the affected service to trusted hosts.
• Investigate the destination host that was the target of the attack and diagnose potential impacts of the attack.
Supported Devices
This correlation rule supports the following devices:
Device Class | Device Type
Security.IDS | Dragon IDS
Security.IDS | ISS Realsecure
Security.IDS | Tipping Point
Security.IDS | Snort
Security.IPS | Netscreen IDP
Security.IDS | Cisco Secure IDS XML
This rule uses 1800 events that are associated with the vulnerabilities in the SANS TOP-20 2007 list. This may cause performance issues for RSA enVision, so the device must be supervised. The confidence level filtering is set to "Filter out messages with low or medium Confidence", with Destination Address as the variable. This setting may need to be modified for your environment. A threshold is used to enhance the accuracy of the rule: a 10% increase over the minute baseline is an indication of an ongoing attack against the vulnerabilities listed in the SANS TOP-20 2007 list.
Purpose
Correlation rule set CRL-00116 consists of a variety of correlations that can be used together to detect machines that may be part of a BotNet inside your network. This is a set of two rules. The first rule (CRL-00116-02) covers various AV, DNS, SMTP, IRC, and host file modifications. The second rule (CRL-00116-01) examines failed login attempts from multiple sources to one destination. By themselves, these attacks may indicate very little. However, when combined into one view, they can indicate a possible BotNet agent on your system.
Supported Devices
This correlation rule set supports the following device:
Device Class
NIC_ALL
Device Type
All
• An increase in detected AV activity, with special emphasis on viruses that could be used to gain further system access. A victim host will be used to further spread the BotNet itself.
• Host file modifications detected. If the victim's host file is modified, it could be changed so that DNS requests are rerouted to a different location. This allows the BotNet C&C to pass down commands, or to redirect the user's web requests to a different web server so that it can intercept personal information, such as passwords.
• Changes in DNS utilization. A BotNet victim may have new DNS entries added that will be used within the BotNets for attack coordination and improved victim organization.
• In or Out IRC traffic. IRC traffic is suspicious because it is the single most common method for passing BotNet Command & Control commands around to victims.
• Outbound SMTP traffic volume increase. BotNets are recognized as a major source of SPAM worldwide. They accomplish this by using random victim host machines to send out SPAM. Thus, an increase in SMTP traffic would indicate that the SMTP traffic may not be for legitimate reasons.
• Outbound SMTP traffic to known blacklisted servers. An increase in SMTP to blacklisted servers may indicate the existence of a BotNet in the network.
The second correlation rule (CRL-00116-01) monitors for multiple failed login attempts into the same target host with the same username. One of the basic functions of Bots is that they are passed to a target PC via an infection attempt. When a command is sent, any target computer infected by a Bot may attempt to log in to the victim machine. This indicates that the hosts trying to log in may be part of a BotNet that is trying to expand itself or gain access to information on that particular target host.
Note: This rule set requires the Known Service Account and Known Vendor Account watchlists. You can download sample watchlist files from RSA SecurCare Online, import the data, and edit the default values as needed.
The new set of messages added is used to detect Bot activity. The decay time of the rule has been changed to 65 minutes. The threshold values for the statements "Viruse/Botnet detected by AntiVirus" and "Increased in SMTP outbound traffic" have been modified to check for an increase against the hourly average, for more accuracy.
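The CRL-00116-01 pattern (one username failing against one target from several source hosts inside the 65-minute decay window), as an added Python example that is not enVision's own code. The log line format, the three-source threshold, and the use of the Known Service Account and Known Vendor Account watchlists as exclusions are this example's assumptions.

```python
"""Added example, not RSA enVision code: a sliding-window correlation in the
spirit of CRL-00116-01, flagging a target host that receives failed logins for
one username from several distinct source hosts inside the rule's 65-minute
decay window. The log line format, the three-source threshold, and the use of
the Known Service Account / Known Vendor Account watchlists as exclusions are
assumptions of this example."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

DECAY = timedelta(minutes=65)            # decay time stated for the rule set
KNOWN_SERVICE_ACCOUNTS = {"svc_backup"}  # constructed watchlist contents
KNOWN_VENDOR_ACCOUNTS = {"admin", "cisco"}


def parse_line(line):
    """Parse a constructed 'key=value' auth log line into a dict with a datetime."""
    ts, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    fields["ts"] = datetime.fromisoformat(ts)
    return fields


class FailedLoginCorrelator:
    def __init__(self, min_sources=3, decay=DECAY):
        self.min_sources = min_sources
        self.decay = decay
        # (target, user) -> deque of (timestamp, source) inside the decay window
        self.window = defaultdict(deque)

    def ingest(self, event):
        """Feed one parsed event; return an alert dict when the threshold is crossed."""
        if event.get("auth") != "failed":
            return None
        user = event["user"]
        if user in KNOWN_SERVICE_ACCOUNTS or user in KNOWN_VENDOR_ACCOUNTS:
            return None
        key = (event["dst"], user)
        q = self.window[key]
        q.append((event["ts"], event["src"]))
        # Drop entries older than the decay window relative to the newest event.
        while q and event["ts"] - q[0][0] > self.decay:
            q.popleft()
        sources = {src for _, src in q}
        if len(sources) >= self.min_sources:
            q.clear()  # one alert per burst; the window restarts afterwards
            return {"target": event["dst"], "user": user, "sources": sorted(sources)}
        return None


def correlate(lines, min_sources=3):
    """Run the correlator over log lines in order; return the alerts raised."""
    c = FailedLoginCorrelator(min_sources=min_sources)
    alerts = []
    for line in lines:
        alert = c.ingest(parse_line(line))
        if alert:
            alerts.append(alert)
    return alerts


# Constructed sample: three distinct hosts fail against 10.0.1.20 as 'jdoe'
# within 30 minutes; a service account and a lone late attempt are ignored.
SAMPLE_LINES = [
    "2024-05-01T10:00:00 src=10.0.0.5 dst=10.0.1.20 user=jdoe auth=failed",
    "2024-05-01T10:05:00 src=10.0.0.9 dst=10.0.1.20 user=svc_backup auth=failed",
    "2024-05-01T10:10:00 src=10.0.0.6 dst=10.0.1.20 user=jdoe auth=failed",
    "2024-05-01T10:20:00 src=10.0.0.5 dst=10.0.1.20 user=jdoe auth=failed",
    "2024-05-01T10:30:00 src=10.0.0.7 dst=10.0.1.20 user=jdoe auth=failed",
    "2024-05-01T12:00:00 src=10.0.0.8 dst=10.0.1.20 user=jdoe auth=failed",
]

if __name__ == "__main__":
    for a in correlate(SAMPLE_LINES):
        print(f"CRL-00116-01: {a['user']}@{a['target']} targeted from {a['sources']}")
```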
CRL-00117
Name
Log Collection Stopped due to Filled Disk Capacity
Purpose
Correlation rule CRL-00117 monitors an RSA enVision system to determine if log collection has stopped due to filled disk capacity. This rule looks at specific messages which the enVision system generates regarding log collection and disk capacity. A loss of log collection will result in reduced effectiveness of the enVision system. You need to free up space, by archiving or deleting logs from the enVision LogSmart IPDB. Also, determine if you have any unused files that could be removed to recover disk space.
Supported Devices
This correlation rule supports the following devices:
Device Class
NIC_All
Device Type
All
• Consider archiving and/or deleting logs from the enVision LogSmart IPDB
• Look for unused files that could be removed to recover disk space
CRL-00118
Name
Disk Array Capacity Approaching Threshold
Purpose
Correlation rule CRL-00118 attempts to ascertain whether or not a device or system is approaching maximum disk capacity. The rule examines several specific message IDs to determine if disk capacity is approaching a limit. If you do not take action, you may exhaust disk space or risk other system malfunctions.
Supported Devices
This correlation rule supports the following devices:
Device Class | Device Type
NIC.System | All
Host.Windows Hosts | Windows (NIC, BL, Snare, ER)
Storage.Database | Microsoft SQL Server
Host.Unix | Nokia IPSO
Security.Firewall | Fortinet Antivirus Firewall, CyberGuard Classic
Host.Mail Servers | Microsoft Exchange
Host.Web Logs | Cisco Content Engine
Security.Anti Virus | McAfee ePolicy Orchestrator, CipherTrust IronMail, McAfee Virus Scan
Storage.Storage | NetApp
Security.VPN | Nortel VPN Contivity
Network.Router | Cisco Router / IOS Firewall
Upon triggering the conditions of the correlation rule, the following actions should be performed:
• Consider archiving aged information as dictated by the organization's Information Life Cycle Management practices
• Cleaning temporary and/or unused files could also assist in recovering storage space
• If the alert came from enVision, consider using the lsmaint command to archive or delete older events
CRL-00119
Name
Password Change on a Known Privileged User Account Detected
Purpose
Correlation rule CRL-00119 looks for password changes to known privileged user accounts. Unauthorized password changes to these accounts can have a significant impact on network functionality and data integrity/confidentiality.
Supported Devices
This correlation rule supports the following devices:
Device Class | Device Type
Host.Windows Hosts | Windows Events (BL, ER, NIC, Snare)
Host.Unix | Unix AIX, HPUX/FreeBSD, Linux
Security.VPN | Aventail SSL VPN, Cisco VPN 3000, Juniper SSL VPN, Nortel VPN Contivity
NIC_ALL | NIC System
Storage.Database | Sybase ASE, Microsoft SQL Server, Oracle
Network.Configuration Management | Tripwire Enterprise
Security.Firewall | Netscreen
CRL-00120
Name
Revocation of User Privileges detected
Purpose
This correlation rule inspects events from a selection of common devices used within a network for revocation of user permissions. In many cases, this is monitored through the user's removal from user groups, or with events that change the user's user level within the system. The use case for this rule is to ensure that user privileges are not altered without the knowledge of the network administrators; such action, if unauthorized, may indicate that someone is preparing to perform malicious actions on your network and does not want certain users to interfere with their actions, and so limits what those users can do.
Supported Devices
This correlation rule supports the following devices:
Device Class | Device Type
Host.Windows Hosts | All
Host.Unix | All
Security.Firewall | All
Security.IDS | ISS Realsecure
Network.Configuration Management | Solsoft NP
CRL-00121
Name
Unusual Number of Failed Vendor User Login Attempts
Purpose
Correlation rule CRL-00121 detects an increase in failed login attempts using a Vendor Default account. This alert is important for those organizations interested in keeping Payment Card Industry (PCI) Compliance. User names for factory default Vendor accounts assigned to devices are well known, documented, and freely available to the general public. As a best practice, organizations should not use a vendor account to perform management activities on a regular basis, but instead as a last resort. An increase in failed logins from vendor accounts could indicate brute force attempts to break into event sources from malicious locations.
Supported Devices
This correlation rule supports the following devices:
Device Class | Device Type | Description
Host.Windows Hosts | Windows Events (BL), Windows Events (ER), Windows Events (NIC), Windows Events (Snare) | Security_529_Security, Security_530_Security, Security_531_Security, Security_532_Security, Security_533_Security, Security_534_Security, Security_535_Security, Security_539_Security
Host.Unix | All | Auth.Errors, Auth.Failures, Auth.Failures.Administrative Settings, Auth.Failures.User Errors, User.Activity.Failed Logins
Security.Firewall | All | Auth.Errors, Auth.Failures, Auth.Failures.Administrative Settings, Auth.Failures.User Errors, User.Activity.Failed Logins
Security.IDS | All | Auth.Errors, Auth.Failures, Auth.Failures.Administrative Settings, Auth.Failures.User Errors, User.Activity.Failed Logins
Security.IPS | All | Auth.Errors, Auth.Failures, Auth.Failures.Administrative Settings, Auth.Failures.User Errors, User.Activity.Failed Logins
Security.VPN | All | Auth.Errors, Auth.Failures, Auth.Failures.Administrative Settings, Auth.Failures.User Errors, User.Activity.Failed Logins
Network.Switch | All | Auth.Errors, Auth.Failures, Auth.Failures.Administrative Settings, Auth.Failures.User Errors, User.Activity.Failed Logins
Network.Router | All | see below
Storage.Storage | All | see below
Storage.Database | All | see below
Security.Access Control | All | see below
Network.Wireless Devices | All | see below
Network.System | All | see below
Network.Configuration Management | All | see below
Host.Web Logs | All | see below
Host.Mail Servers | All | see below
Host.Mainframe | All | see below
iSeries | All | see below
Description column for the rows from Network.Router onwards: the full set Auth.Errors, Auth.Failures, Auth.Failures.Administrative Settings, Auth.Failures.User Errors, User.Activity.Failed Logins for all rows except two, one of which lists Auth.Errors, Auth.Failures, Auth.Failures.User Errors, User.Activity.Failed Logins and the other Auth.Failures, Auth.Failures.User Errors, User.Activity.Failed Logins; the source table does not preserve which rows those two are.
100
CRL-00121
Upon triggering the conditions of the current correlation rule, perform the following actions:
• Determine where the source of the attempts originates from
• Escalate this event to the necessary stakeholders
• Depending upon the location of the event source, it may be necessary to put in place a temporary firewall rule to deny Shell or Terminal Connections
• Disabling the service on the event source temporarily may also stop the attack
• Investigate further using the LogSmart IPDB and the Event Viewer to ascertain any other potential vectors of attack or any other activity that may be of interest on the event source
CRL-00122
Name
Active Directory Schema Change Detected
Purpose
This rule is designed to detect a change in the schema of a Microsoft Active Directory installation. An unauthorized change in the schema could indicate user addition/deletion, permission modification, etc. The impact of such changes could result in denial of service, unauthorized access to data, etc.
Supported Devices
This correlation rule supports the following devices:
Device Class | Device Type
Host.Windows Hosts | Windows Events (BL), Windows Events (ER), Windows Events (NIC), Windows Events (Snare)
CRL-00123
Name
Possible Non-PCI Compliant Inbound Network Traffic Detected
Purpose
This rule's primary goal is to monitor inbound connections into secure devices over non-compliant ports, as specified by PCI compliance practices.
Supported Devices
This correlation rule supports the following devices:
Device Class | Device Type | Event Categories
Network.Router | All | Network.Connections, Network.Connections.Successful, Network.Connections.Successful.VPN
Security.Firewall | All | Network.Connections, Network.Connections.Successful, Network.Connections.Successful.VPN
An analysis of this event and the corresponding traffic events should be conducted to ascertain the destination port(s) and the services/applications running behind those ports. These identified services and ports should then be escalated to the necessary stakeholders to determine whether or not they are approved for business use. If they are, documentation should follow and the watch lists should be updated. If not, security incident response should be initiated.
CRL-00124
Name
Failed logins Exceeded 6 Logon Attempts Without a Lockout Event
Supported Devices
This correlation rule supports the following devices:
Device Class | Device Type
Security.IDS | Intrushield, Symantec Network Security, Cisco Secure IDS, Cisco Secure IDS XML
Network.Switch | Extremeware, Cisco Content Switch, Cisco Switch
Security.Firewall | Netscreen, Cisco ASA, Cisco PIX Firewall, Sonicwall-FW, Symantec Enterprise Firewall
Network.Configuration Management | Netscreen-Security Manager
Host.Unix | Nokia IPSO, Apple Mac OS X
Security.VPN | Nortel VPN Contivity
Network.Router | Cisco Router/IOS Firewall
CRL-00125-01
Overview
Name
Configuration Change on Security Device Intercepted
Purpose
Correlation rule CRL-00125-01 detects a change in a core security device, such as an IDS/IPS, firewall, or VPN. If such changes are unexpected, then their modification can lead to reduced security, denial of service, and leakage of confidential information.
Requirements
Device Class or Systems
The message for this rule was created using existing Netscreen messages and the parsers. The accuracy of this message was verified by injecting the message into the device and ensuring that it did not show up as an unknown message in the Event Viewer (graph by Event Type).
Other Requirements
RSA enVision 3.7.0 build 0215 was used to test this correlation rule. The following table describes the configuration of the RSA enVision platform used for testing:
Device Class
Security.Firewall
Device Type
All
To test this correlation rule, create a new view and add CRL-00125-01.
Technical Analysis
Rule Logic
Rule CRL-00125-01 is composed of one circuit, which contains five statements. Each statement contains a list of categories and a filter to reduce the number of false positives. The following are the descriptions of the statements.
Statement: Device_Changed
Event Category: All
Value: Attacks.Access.Modification, Auth.Errors, Auth.Failures.User Errors, Auth.Successful, Config.Changes, Config.Changes.Add, Config.Changes.Modify, Network.Connections.Terminations, Network.Denied Connections, Policies.ACL.Errors, Policies.Rules.Modified, System.Accounting, System.Crypto.Key.Manipulation, System.Errors, System.Errors.Interfaces, System.Errors.Memory, System.Errors.Services, System.Errors.Software, System.Heartbeats, System.Normal Conditions, System.Normal Conditions.Config, System.Unusual.Activity, User.Activity.Failed Logins, User.Activity.Privileged Use.Successful, User.Management, User.Management.Groups.Modification.User Removed, User.Management.Password.Modification, User.Management.Users.Additions
Filter: Regex on Content, look for "changed"

Statement: Device_Modified
Event Category: All
Value: User.Management.Users.Modifications, User.Management.Groups.Modifications.User Removed, User.Management.Groups.Modifications.User Added
Filter: (none listed)

Statement: Device_Configured
Event Category: All
Value: User.Activity.Failed Logins, Auth.Successful, Config.Changes.Modify, Network.Connections.Errors.VPN, Network.Connections.Successful.VPN, System.Errors.Software, System.Normal Conditions, System.Normal Conditions.Config, System.Normal Conditions.Services
Filter: (none listed)
Quick Deployment
Event Source Configuration
Rule CRL-00125-01 requires minimal maintenance because of its use of event categories and filters. If new event sources are added, the appropriate messages should fall under one of the associated statements in the Rule Logic section. This correlation rule supports the following event sources:
Device Class | Device Type
Security.IDS | All
Security.IPS | All
Security.Firewall | All
Security.VPN | All
Rule Customization
This rule is designed to work with the default configuration settings of RSA enVision. The environment in which this rule is used must contain at least one of the event sources from the previous section. Once the rule is triggered, determine if the change has been authorized. If the change is not authorized, follow the appropriate escalation and reporting procedures.
CRL-00125-02
Overview
Name
Configuration Change on Network Device Intercepted
Purpose
Correlation rule CRL-00125-02 detects a change in a core network device, such as a router or a switch. If such changes are unexpected, their modification can lead to denial of service and leakage of confidential information.
Requirements
Device Class or Systems
The message for this rule was crafted using existing Cisco messages and the parsers. Cisco log samples were also collected from OSSEC.net. The accuracy of this message was verified by injecting the message into the device and ensuring that it did not show up as unknown in the Event Viewer (graph by Event Type).
Other Requirements
RSA enVision 3.7.0 build 0215 was used to test this correlation rule. The following table describes the configuration of the RSA enVision platform used for testing:
Device Class
Network.Router
Device Type
Cisco Router/IOS Firewall
IP Address
10.10.50.51
To test this correlation rule, create a new view and add CRL-00125-02.
Technical Analysis
Rule Logic
Rule CRL-00125-02 is composed of one circuit, which contains five statements. Each statement contains a list of categories and a filter to reduce the number of false positives. The following are the descriptions of the statements.

Statement: Device_Changed
Device Class Type: Network.Router, Network.Switch
Event Category: All
Value: Network.Routing.Changes, Config.Changes, Policies.AC, Policies.Rights.Successful.Privileged Use, System.Error, System.Errors.Environmentals, System.Errors.Hardware, System.Error.Interface, System.Errors.Service, System.Errors.Software, System.Normal Condition, System.Normal Conditions.Confi, System.Normal Conditions.Service
Filter: Regex on Content, look for "changed"

Statement: Devices_Removed
Device Class Type: Network.Router, Network.Switch
Event Category: All
Value: System.Unusual Activity, System.Errors, System.Errors.Config, System.Errors.Resources, System.Errors.Software, System.Failures.Hardware, System.Failures.Software, System.Normal Conditions, System.Normal Conditions.Config
Filter: (none listed)

Statement: Devices_Deleted
Device Class Type: Network.Router, Network.Switch
Event Category: All
Value: System.Unusual Activity, Policies.Rights.Successful.Privileged Use, System.Crypto.Key.Manipulation, System.Errors, System.Errors.Config, System.Errors.Software, System.Failures.Software, System.Normal Conditions, System.Unusual Activity
Filter: Regex on Content, look for "deleted"

Statement: Devices_Added
Event Category: All
Value: Config.Changes.Add, Policies.Rights.Successful.Privileged Use, System.Errors, System.Errors.Config, System.Errors.Software, System.Failures.Software, System.Normal Conditions
Filter: Regex on Content, look for "added"

Statement: Device_Configured
Device Class Type: Network.Router, Network.Switch
Event Category: All
Value: (not listed in the source)
Quick Deployment
Event Source Configuration
Rule CRL-00125-02 requires minimal maintenance because of its use of event categories and filters. If new event sources are added, the appropriate messages should fall under one of the associated statements in the Rule Logic section. This correlation rule supports the following event sources:
Device Class | Device Type
Network.Router | All
Network.Switch | All
Rule Customization
This rule is designed to work with the default configuration settings of RSA enVision. The environment in which this rule is used must contain at least one of the event sources from the previous section. Once the rule is triggered, determine if the change has been authorized. If the change is not authorized, follow the appropriate escalation and reporting procedures.
CRL-00126
Name
Configuration Change made on PCI Database System
Purpose
This rule has been developed to detect a configuration change in a PCI Compliant Database System. A configuration change can be interpreted as data changes, configuration changes, permission changes, etc. If these changes are unauthorized, it can result in a compromise in data integrity, data theft, etc.
Supported Devices
This correlation rule supports the following devices:
Device Class
Storage.Database
Device Type
All
CRL-00127
Name
New User Account Created but Initial Password Not Changed
Purpose
This correlation rule is designed to detect if a new account has been created but its password hasn't been changed after 24 hours. This rule is important because many large companies create new accounts with default passwords. The longer these account passwords remain unchanged, the greater the chance of compromise in the form of unauthorized access.
Supported Devices
This correlation rule supports the following devices:
Device Class | Device Type
Host.Windows Hosts | All
Host.Unix/Linux | All
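The absence correlation behind CRL-00127 (a creation event that is not followed by a password change within 24 hours), as an added Python example that is not enVision's own code; the event shapes and the sample data are constructed.

```python
"""Added example, not RSA enVision code: the absence correlation behind
CRL-00127. An account-creation event opens a 24-hour grace period; a password
change for the same account closes it, and anything still open when the period
expires is reported once. The event shapes and sample data are constructed."""
from datetime import datetime, timedelta

GRACE = timedelta(hours=24)   # the 24-hour window stated for the rule


class NewAccountPasswordMonitor:
    def __init__(self, grace=GRACE):
        self.grace = grace
        self.pending = {}     # (host, account) -> creation timestamp
        self.alerted = set()  # keys already reported, to avoid repeat alerts

    def ingest(self, event):
        key = (event["host"], event["account"])
        if event["type"] == "account_created":
            self.pending[key] = event["ts"]
            self.alerted.discard(key)    # a re-created account starts a new period
        elif event["type"] == "password_changed":
            self.pending.pop(key, None)  # initial password changed: nothing to report

    def check(self, now):
        """Return (host, account) pairs whose grace period expired without a
        password change, each reported only once."""
        due = []
        for key, created in self.pending.items():
            if now - created >= self.grace and key not in self.alerted:
                self.alerted.add(key)
                due.append(key)
        return sorted(due)


def ts(s):
    return datetime.fromisoformat(s)


# Constructed sample: alice's initial password is changed the same day,
# bob's never is.
SAMPLE_EVENTS = [
    {"ts": ts("2024-05-01T09:00:00"), "host": "dc01", "account": "alice", "type": "account_created"},
    {"ts": ts("2024-05-01T10:00:00"), "host": "dc01", "account": "bob", "type": "account_created"},
    {"ts": ts("2024-05-01T15:00:00"), "host": "dc01", "account": "alice", "type": "password_changed"},
]


def run_sample():
    """Replay the sample and evaluate at two points; return the two result lists."""
    mon = NewAccountPasswordMonitor()
    for e in SAMPLE_EVENTS:
        mon.ingest(e)
    early = mon.check(ts("2024-05-02T09:30:00"))   # bob is only 23.5 h old
    late = mon.check(ts("2024-05-02T10:00:00"))    # bob crosses 24 h
    return early, late


if __name__ == "__main__":
    early, late = run_sample()
    print("at 09:30:", early)   # []
    print("at 10:00:", late)    # [('dc01', 'bob')]
```

Because the rule waits for an event that may never arrive, the check has to be driven by a clock, not by incoming events; a host that goes quiet after the creation event must still be evaluated.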
CRL-00136
Name
Possible System Instability State Detected
Purpose
This correlation rule is designed to detect if a system has become unstable. This is done by looking for several conditions. These conditions include:
• Multiple restarts, reboots, or shutdowns in a given time frame
• Creation of memory dump files on Windows and Linux systems
• Shutdown/restart command not preceding a startup event
Supported Devices
This correlation rule supports the following devices:
Device Class | Device Type | Event Categories
Host.Windows Host | All | System.Startup, System.Shutdown, System.Reboots
Network.Configuration Management | Tripwire Enterprise | Config.Changes.Add, Config.Changes.Modify
Network.Router | All | (not recoverable from the source table)
Network.Switch | All | (not recoverable from the source table)
Security.VPN | All | (not recoverable from the source table)
Host.Unix | All | System.Startup, System.Shutdown, System.Reboots
NIC_ALL | All | System.Shutdown, System Reboots, System.Startup
CRL-00137
Name
Unusual File Access Activity surrounding Important Event Source Files
Purpose
This correlation rule is designed to detect any unusual file or directory access involving files or directories defined by the end user in a watch list. By access, we mean any file or directory that has been traversed, opened, created, modified, or deleted. This watch list can contain files or directories that should not be accessed, or that should only be accessed by privileged users. This rule is important for auditing sensitive directories or files for access by non-approved users.
Supported Devices
This correlation rule supports the following devices:
Device Class | Device Type | Event Categories
Host.Windows Hosts | All | Security_560_Security, Security_560_Security:01, Security_560_Security:02, Security_560_Security:03
Network.Configuration.Management | Tripwire Enterprise | Config.Changes.Add, Config.Changes.Delete, Config.Changes.Modify
CRL-00139
Name
Compliance: Successful Login Attempt(s) Using a Vendor Default Account Detected
Purpose
This correlation rule detects successful login attempts using a vendor default account. This alert is important for organizations that need to maintain Payment Card Industry (PCI) compliance. User names for factory default vendor accounts assigned to devices are well known, documented, and freely available to the general public. As a best practice, organizations should not use a vendor account to perform management activities on a regular basis, but only as a last resort. A successful login from a vendor account can therefore indicate that the account has been compromised.
Supported Devices
This correlation rule supports the following devices:
Device Class | Device Type | Event Categories
Host.Windows Hosts | All | Security_560_Security, Security_560_Security:01
Host.Unix, Security.Firewall, Security.IDS, Security.IPS, Security.VPN, Network.Switch, Network.Router, Storage.Storage, Storage.Database, Security.Access Control, Network.Wireless Devices, Network.System, Network.Configuration Management, Host.Mail Servers, Host.Mainframe, Host.Application Servers | All | Auth.Successful, Auth.Successful.Methods, Auth.Successful.Methods.RADIUS, Auth.Successful.Methods.SSH, Auth.Successful.Methods.TACACS, User.Activity.Successful Logins
CRL-00140
Name
Increase in P2P Traffic Detected in the Environment Within the Past 5 Minutes
Purpose
This correlation rule is designed to detect an increase in Peer to Peer (P2P) traffic observed in the environment over the past 5 minutes. P2P traffic is considered undesirable within a network since it slows down the network dramatically and allows users to download potentially harmful files without the administrators' knowledge. This rule can also be used to discover faults or backdoors in the network configuration.
Supported Devices
This correlation rule supports the following devices:
Device Class | Device Type | Event Categories
Network.Router | All | Attacks.Malicious Code.P2P
Security.Firewall | All | Attacks.Malicious Code.P2P
Security.IDS | All | Attacks.Malicious Code.P2P
Security.IPS | All | Attacks.Malicious Code.P2P
CRL-00141
Name
P2P Software Running as Active Process on Event Source
Purpose
This correlation rule is designed to detect active P2P processes running on event sources inside an organization. P2P traffic is considered undesirable within a network since it slows down the network dramatically and allows users to download potentially harmful files without the administrators' knowledge. This rule can be used to discover breaches of security policy in an environment.
Supported Devices
This correlation rule supports the following devices:
Device Class | Device Type | Event Categories
Host.Windows.Hosts | Windows BL, Windows ER, Windows NIC, Windows Snare | Security_592_Security, Security_592_Security:01, Security_592_Security:02
CRL-00143
Name
Increase in File Transfer Activity Using Instant Messaging Detected
Purpose
Correlation rule CRL-00143 detects an increase in file transfer activity using Instant Messaging (IM) traffic observed in the environment over the past 5 minutes. File transfers via Instant Messaging may be prohibited within corporate environments and represent one avenue through which intellectual property loss may occur. The rule can be used to discover faults or backdoors in the network configuration, as well as policy compliance related to file transfer usage within the network. Upon triggering this rule, the following actions should be performed:
- Investigate the source IP address and the nature of the event to determine why an increase in IM file transfer events has been reported.
- Escalate this event to the necessary stakeholders.
- Depending upon the location of the event source, you may need to put in place a temporary firewall rule to deny such connections.
Supported Devices
This correlation rule supports the following devices:
Device Class | Device Type | Description
Network.Router | All | Attacks.Malicious Code.P2P
Security.Firewall | All | Attacks.Malicious Code.P2P
Security.IDS | All | Attacks.Malicious Code.P2P
Security.IPS | All | Attacks.Malicious Code.P2P
Ports to check for additional IM file transfer events. This rule may require periodic updates as new protocols and port numbers become available. Each filter is set to trigger when an increase of more than 15% is observed within 5 minutes. This threshold may require adjustment depending on the environment and the security policies in place within the network. Typically, you should never see these events at all, so any increase from what should be a baseline of zero events triggers this correlation immediately.
CRL-00147
Name
Active Directory Policy Modified
Purpose
Correlation rule CRL-00147 is used to detect whether or not an Active Directory policy object was modified. This is important in an enterprise environment because such a modification can indicate a privilege escalation, loss of access and the like. Unauthorized policy changes can lead to unauthorized access or more serious compromises.
Supported Devices
This correlation rule supports the following devices:
Device Class | Device Type | Event Categories
Windows.Hosts | Windows Events (BL) | Security_566_Security, Security_566_Security:01
CRL-00148
Name
Errors in Active Pulling of Events Detected
Purpose
This rule detects whether the Windows Agentless, ODBC, File Reader and XML services have encountered errors while attempting to gather events from an event source in an enterprise environment. These types of errors may indicate system problems/failures with the event sources in question.
Supported Devices
This correlation rule supports the following devices:
Device Class | Device Type
Network.System | NIC System
CRL-00149
Name
Errors Detected in SFTP Collection
Purpose
This rule is used to determine if the NIC SFTP service has encountered errors gathering events from various event sources. This rule is important in an enterprise environment because this method of event collection is used by mission critical systems such as Tripwire Enterprise, RSA Security SecurID, Microsoft SQL Server, Microsoft ISA Server, Microsoft IIS, Microsoft Exchange Server, Juniper SteelBelted Radius and Cisco Access Control Server. An error in extracting events may indicate a system or network failure arising from everything from misconfiguration to network attack.
Supported Devices
This correlation rule supports the following devices:
Device Class | Device Type
Network.System | NIC System
CRL-00151
Name
Possible enVision Service Hang Detected
Purpose
This rule is designed to detect whether an enVision service has hung or crashed unexpectedly. Such an event can be an indication of a successful Denial of Service attack to an enVision resource. This rule will be able to alert following a crash or unstable behavior of the following services: NIC Alerter, NIC Collector, NIC Locator, NIC Logger, NIC File Reader, NIC Packager, NIC SDEE Collection, NIC Server, NIC Web Server, NIC Windows Service, or NIC DB Report Server.
Supported Devices
This correlation rule supports the following devices:
Device Class | Device Type
Windows.Hosts | Windows Events (NIC)
Network.System | NIC System
CRL-00153
Name
Critical Alerting Error Detected
Purpose
Correlation rule CRL-00153 detects whether a critical alerting error has occurred on enVision. This is important because it may indicate errors from database connections, bad XML, failure to open the LS, and the like. These errors have serious consequences for the enterprise environment because enVision is not in a fully functional state and, as a result, malicious events may go undetected. Upon triggering the rule, perform the following actions:
- Investigate the source IP address and determine why a critical error alert has occurred.
- Escalate and alert the necessary stakeholders.
Supported Devices
This correlation rule supports the following devices:
Device Class | Device Type | Description
Network.System/NIC System | NICSystem | Specific messages related to the Alerter.
CRL-00154
Name
Critical Web Service Error Detected
Purpose
Correlation rule CRL-00154 detects whether a critical web service error has occurred on enVision. The NIC Web Server handles the requests coming from the browser on which you are running the system. It also builds scheduled reports and exported database tables. This service depends heavily on the NIC DB Server. As a result, a loss of connectivity to the server database is a very good indication of errors related to the web service. This problem should be addressed immediately, since the enVision GUI may fail to launch and malicious events will go undetected. Upon triggering the rule, perform the following actions:
- Check the connectivity of the NIC DB Server.
- Restart the NIC DB Server if the service has stopped.
- Escalate and alert the necessary stakeholders.
Supported Devices
This correlation rule supports the following devices:
Device Class | Device Type | Description
Network.System/NIC System | NICSystem | Specific messages related to the Web Server Service.
CRL-00155
Name
EPS Warning - EPS Approaching License Limits
Purpose
Correlation rule CRL-00155 indicates increases in the amount of incoming events to the RSA enVision platform have been detected. If this continues, the excess events will be dropped and not collected by enVision. This situation has serious consequences to the enterprise environment where the potential for malicious activities may not be detected by enVision due to dropped messages. This situation might be the result of a newly added event source in the enterprise. A defective event source may cause a similar situation. An increasing number of events can be an indication of malicious activities in the network where an attacker tries to hide their activities inside the event flood. If this rule is triggered, perform the following actions:
- Determine the source of the activity and check for a defective event source.
- Purchase higher EPS threshold licenses if needed.
- Block the source of the event flood as a workaround for this problem.
- Escalate to appropriate stakeholders as necessary.
Supported Devices
This correlation rule supports the following devices:
Device Class | Device Type | Description
Network.System/NIC System | NICSystem | Specific messages in System.License.Violation.
CRL-00156
Name
EPS Critical Error, Event Drop has been Detected
Purpose
Correlation rule CRL-00156 indicates that increases in the amount of incoming events to the RSA enVision platform have been detected to the extent that events are being dropped and not collected by enVision. This situation has serious consequences for the enterprise environment, where potential malicious activities may not be detected by enVision due to dropped messages. This situation might be the result of a newly added event source in the enterprise. A defective event source may cause a similar situation. An increasing number of events can also indicate malicious activity in the network, where an attacker tries to hide their activities inside the event flood. If this rule is triggered, perform the following actions:
- Determine the source of the activity and check for a defective event source.
- Purchase higher EPS threshold licenses if needed.
- Isolate the source of the event flood as a workaround for this problem.
- Escalate to appropriate stakeholders as necessary.
Supported Devices
This correlation rule supports the following devices:
Device Class | Device Type | Description
Network.System/NIC System | NICSystem | Specific messages in System.License.Violation.
CRL-00157
Name
RSA enVision Content Update Failure Detected
Purpose
Correlation rule CRL-00157 detects if any error has occurred during the enVision content update process. Updates are very important to the enVision system as they keep the content up to date and accurate. Having one of these updates fail potentially lowers the level of accuracy of the messages generated by the system.
Supported Devices
This correlation rule supports the following devices:
Device Class | Device Type | Description
Network.System/NIC System | NICSystem | Specific messages related to the Alerter.
CRL-00158
Name
Errors Detected in enVision DB System
Purpose
Correlation rule CRL-00158 detects errors that impact the enVision DB system. This rule covers errors from LSIndex, DBConfig, Packager, and ODBC components. These errors have serious consequences to the enterprise environment because enVision is not in a full functional state and as a result, malicious events may go undetected. Upon triggering the rule, perform the following actions:
- Investigate the faulting service and determine why a critical error alert has occurred.
- Escalate and alert the necessary stakeholders.
Supported Devices
This correlation rule supports the following devices:
Device Class | Device Type | Description
Network.System/NIC System | NICSystem | Specific messages related to the Alerter.
CRL-00159
Name
Critical Error Detected in the NICPackager Service
Purpose
Correlation rule CRL-00159 detects a critical error condition within the Packager component. Upon triggering the rule, perform the following actions:
- Monitor the NICPackager Service and, if necessary, contact enVision Customer Service.
- If the Packager process is deadlocked on a given task, restart the Packager after seeing this event. This clears the error condition and allows the Packager to resume normal operations.
Supported Devices
This correlation rule supports the following devices:
Device Class | Device Type | Description
NIC_ALL | N/A | All enVision supported devices
CRL-00160
Name
Possible Network Performance Degradation Detected
Purpose
This rule looks for excessive network-related errors reported by network and security devices (such as switches, routers and firewalls) that can have a significant impact on network performance, specifically:
1. Excessive network collisions, possibly due to faulty network interfaces or devices, network loops, or an extremely busy network
2. Duplex mismatches, which occur when networking devices have not negotiated the maximum rate with each other
3. Excessive alignment errors, possibly due to excessive network noise, faulty cabling, faulty network interfaces, a faulty transmitting device, or device startups/shutdowns
Supported Devices
This correlation rule supports the following devices:
Device Class | Device Type
Network.Switch | All
Network.Router | All
Security.Firewall | All
CRL-00161
Name
Possible Corruption of Event Data stored within the IPDB
Purpose
This rule is designed to trigger on a number of possible IPDB corruption events as reported by the RSA enVision system. This is important to monitor because it speaks to the health of your enVision system and could point to data tampering or hardware issues on the machine itself.
Supported Devices
This correlation rule supports the following devices:
Device Class | Device Type | Events
Network.System | NIC System | 505400, 505405
CRL-00162
Name
Account privilege elevation followed by restoration of previous account state within a 26 hour period
Purpose
This rule is designed to detect whether a user has been added to and then removed from the same group within 26 hours. This is important to monitor because it could indicate that an account is being used for malicious activity against a network, with a user's privileges elevated temporarily to perform those activities.
Supported Devices
This correlation rule supports the following devices:
Device Class | Device Type | Description
Windows.Hosts | Windows Events (BL, ER, NIC, Snare) | User.Management.Groups.Modifications.User Removed, User.Management.Groups.Modifications.User Added; 502103
Security.Firewall | Cisco PIX Firewall, Cisco ASA, All | User.Management.Groups.Modifications.User Removed, User.Management.Groups.Modifications.User Added
malicious activities. Each event is considered individually to ensure that no user events are accidentally filtered out by the baselines themselves.
CRL-00163
Overview
Name
RSA enVision Disk Warning
Purpose
The purpose of CRL-00163 is to detect conditions where the available log storage for RSA enVision reaches critical levels that threaten to shut down log collection or have already shut down log collection.
Audience
The audience for this rule is any organization that approaches the capacity of their available log storage.
Introduction
RSA enVision has limited available space for storing logs. Some organizations may be unaware that their available log storage space can reach a critical threshold. RSA enVision monitors its assigned log storage directories and records when a configured threshold is reached. RSA enVision also records when event collection ceases due to a lack of free space. This rule provides a simple alert for organizations to monitor their enVision environment and take corrective action before their system is impacted.
Requirements
Device Class/Systems
This rule requires the NIC device class.
Configuration of Environment
There is no configuration required. Logging of the required events is enabled by default.
Technical Analysis
Rule Logic
This rule contains one circuit and one statement. This rule triggers when any of the following NIC message IDs are triggered:
CRL-00190
Overview
Name
Potential Phishing Attack
Purpose
The goal of this rule is to detect a phishing attack against an organization's hosted site. CRL-00190 is designed to detect and alert users of suspicious activity that strongly suggests a fraudulent site is active.
Audience
This rule is intended for any organization that hosts an external facing website and in turn, is concerned about the security of their information.
Introduction
Phishing attacks have long posed a problem to online security. A common method that is used to detect malicious phishing activity involves tracing referrer data. To avoid the detection of phishing sites, phishing attackers often keep their malicious website footprint small. This is done by limiting the number of images on a fraudulent website, causing the attacker to use links to the targeted organization's website. CRL-00190 tracks these activities by examining the web referrer fields. If these fields do not originate from the same web domain as the hosted site, an alert is issued.
Requirements
Device Class/Systems
This rule requires the use of systems that generate web logs with detailed web referrer fields. Currently, RSA supports three event sources that provide this information. For this rule to function, you must have one of the following event sources configured on your RSA enVision system:
- Apache HTTP Server
- Microsoft Internet Information Services
- Blue Coat Systems Security Gateway OS
Configuration of Environment
If you are running Apache HTTP Server, you must update the web server configuration. For the latest configuration instructions for Apache HTTP Server, see the Apache HTTP Server configuration document on SecurCare Online. If you are running Microsoft Internet Information Services or Blue Coat Systems Security Gateway OS, the configuration of these devices remains the same.
Technical Analysis
Rule Logic
This rule monitors web logs to make sure no phishing attacker is extracting images and links from an organization's hosted site. This rule confirms that an image and its referrer domain originate from the main web domain. RSA has two statements in this phishing attack circuit. The first statement sets up a cache variable to store the web domain value. The second statement detects if there are images on a site and verifies that the web domain and the web referrer domain are the same. If the web domain and web referrer differ, an alert is triggered. CRL-00190 focuses on all events from the Web Logs class which have the variable webAction_domain in the XML. RSA multi-threads through this variable. The following tables describe the statements of this rule:
Circuit/Statement | Meaning
S1 | Web Domain with cache set
S2 | Image and Referrer Info

S1 | S2 | Description | Action
0 | 0 | Trivial | No Alarm
0 | 1 | Image and Referrer info without setting a cache | No Alarm
1 | 0 | No image or Referrer | No alarm
1 | 1 | Image and Referrer info with the appropriate cache set | Alarm
Rule Customization
In this rule packet, there is a list of image extensions that CRL-00190 identifies. You can modify this list to accommodate the extension of links and images on the organization's hosted site.
CRL-00191
Overview
Name
Potential Phishing Attack
Purpose
The purpose of CRL-191 is to detect behaviors associated with phishing attacks against a hosted website. This rule focuses on the hosted site and is geared towards detecting suspicious activity that indicates an active phishing site.
Audience
The audience for this rule is any organization that hosts external-facing websites and is concerned about attacks meant to steal their information and victimize their users.
Introduction
Phishing attacks have existed for many years in various forms. One method of detecting behaviors associated with certain phishing attacks is to follow the referrer data. To avoid detection of their phishing sites, some attackers keep their malicious website footprint small and link to the targeted organization's website instead of loading images onto their own web pages. This rule tracks these attacks by looking at the web referrer fields to ensure that they match a known and authorized list of web hosts.
Requirements
Device Class/Systems
This rule requires the use of systems that generate web logs and specifically generate detailed web referrer fields. The following devices have been remediated and are suitable for this rule:
- Apache Web Server
- Microsoft Internet Information Services (IIS)
- Blue Coat Extended Log File Format (ELFF)
Configuration of Environment
Refer to RSA SecurCare Online for specific instructions on device setup and logging through enVision.
Technical Analysis
Rule Logic
The rule logic is divided into Circuits, which consist of Statements that use conditional operators to form a larger logical meaning out of smaller subunits. The smallest unit can be any specific variable from the content. The logical operators consist of logic words, such as AND and OR. They also include, but are not limited to, logic phrases, such as followed by and not in. CRL-00191 uses the following algorithm:

Set thread to variable=web_domain on class=host.security.nic security correlated class
Circuit1
  Statement1: Cache the web_domain values for weblog devices Apache, CacheflowELFF & MicrosoftIIS
  AND
  Statement2: Set filter to detect how many webpage values contain an image (using a regex, for example *jpg, *gif)
    AND Compare web_referer_domain values to cached web_domain values for a possible mis-match
    AND Check that the web_referer_domain value is not an accepted one, by comparing it with the values in a custom created watchlist
End Circuit1
S1 | S2 | Description | Action
0 | 0 | Trivial (beware of false positives) | Test for false positives
0 | 1 | Image and Referrer information without setting a cache | No alarm -- test for false positives
1 | 0 | No image or Referrer | No alarm -- test for false positives
1 | 1 | Image and Referrer information with the appropriate cache set | Alarm -- The rule should fire in this case - Always test for false negatives
Rule Customization
Users can introduce a watchlist with their custom web referrer domain list. This serves as a list of valid web referrer domains to make the comparisons for the rule. Users must create a view to use the rule.
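The referrer check that CRL-00190 and CRL-00191 describe, as an added example in Python that is not RSA's rule code: it parses constructed Apache access-log lines (assumed to use the combined format with the virtual host prepended, so the hosted web domain is on every line), treats the virtual host as the cached web_domain of statement 1, and alerts on image fetches whose Referer domain is neither that domain nor in an allowed watchlist. The log lines, domain names and field names are constructed.

```python
import re
from urllib.parse import urlsplit

# Constructed Apache access-log lines (not real traffic). The assumed format is the
# "combined" format with the virtual host prepended, i.e.
#   LogFormat "%v %h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\""
# so that the hosted web domain (enVision's web_domain) is available on each line.
SAMPLE_LOG = """\
bank.example.com 198.51.100.7 - - [10/Oct/2012:13:55:36 +0000] "GET /img/logo.gif HTTP/1.1" 200 2326 "https://bank.example.com/login" "Mozilla/5.0"
bank.example.com 198.51.100.8 - - [10/Oct/2012:13:55:40 +0000] "GET /img/logo.gif HTTP/1.1" 200 2326 "http://bank-example-secure.test/login.php" "Mozilla/5.0"
bank.example.com 198.51.100.9 - - [10/Oct/2012:13:55:41 +0000] "GET /login HTTP/1.1" 200 5120 "http://bank-example-secure.test/login.php" "Mozilla/5.0"
bank.example.com 198.51.100.10 - - [10/Oct/2012:13:55:42 +0000] "GET /img/header.png?v=3 HTTP/1.1" 200 900 "https://partner.example.net/portal" "Mozilla/5.0"
bank.example.com 198.51.100.11 - - [10/Oct/2012:13:55:43 +0000] "GET /img/logo.gif HTTP/1.1" 200 2326 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<vhost>\S+) (?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Image extensions the check looks for; CRL-00190 ships its own list, which the
# rule packet lets you extend to match the hosted site's link and image types.
IMAGE_EXTENSIONS = ('.gif', '.jpg', '.jpeg', '.png', '.ico')


def referer_domain(referer):
    """Host part of the Referer header, lower-cased, or None when it is absent."""
    if referer in ('', '-'):
        return None
    host = urlsplit(referer).hostname
    return host.lower() if host else None


def detect_phishing_referers(log_text, allowed_referers=frozenset()):
    """Return one alert per image request whose Referer domain is neither the
    hosted web domain (statement 1's cached value) nor in the allowed watchlist
    (CRL-00191's customization). Non-image requests and empty referers are ignored."""
    alerts = []
    web_domain_cache = {}  # statement 1: cache web_domain, keyed by the thread variable
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparsable line: skipped here, worth counting in a real deployment
        web_domain = m['vhost'].lower()
        web_domain_cache.setdefault(web_domain, web_domain)
        path = m['path'].split('?', 1)[0].lower()
        if not path.endswith(IMAGE_EXTENSIONS):
            continue  # statement 2 only considers image fetches
        ref_domain = referer_domain(m['referer'])
        if ref_domain is None or ref_domain == web_domain_cache[web_domain]:
            continue  # no referer, or the image was served to the site's own pages
        if ref_domain in allowed_referers:
            continue  # known partner/CDN domain from the user's watchlist
        alerts.append({
            'client': m['client'],
            'time': m['time'],
            'web_domain': web_domain,
            'image': m['path'],
            'referer_domain': ref_domain,
        })
    return alerts


def alerts_by_referer(alerts):
    """Count suspicious image fetches per referring domain: a candidate phishing
    site shows up as one foreign domain pulling several of the site's images."""
    counts = {}
    for a in alerts:
        counts[a['referer_domain']] = counts.get(a['referer_domain'], 0) + 1
    return counts


if __name__ == '__main__':
    for a in detect_phishing_referers(SAMPLE_LOG, allowed_referers={'partner.example.net'}):
        print(f"ALERT {a['time']} {a['client']} fetched {a['image']} from {a['referer_domain']}")
```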
CRL-00192-01
Overview
Name
Policy Access Violation
Purpose
Rule CRL-00192-01 is designed to detect improper usage of IT systems. This rule focuses on detecting login activities associated with either sharing credentials or the failure to properly sign out of systems.
Audience
This rule is intended for any organization that is concerned with detecting violations to their acceptable use policy regarding access credentials and permitted uses.
Introduction
Policies surrounding corporate and remote access systems typically require users to log out when they are finished with their activities. Other policies may be concerned with account abuse, where one account is being used by multiple people. This rule monitors the activity of accounts where the user fails to log off (either from the console of a system or from a remote access session) and then logs on to the other.
Requirements
Device Class/Systems
This rule requires the use of Windows event logs. This version of the rule works only for Windows Server 2003. RSA enVision currently supports three collection methods for Windows Server 2003:
This rule also requires the use of one of the following VPN devices that enVision currently supports:
- Aventail SSL VPN
- Cisco VPN 3000
- Citrix Access Gateway
- F5 Firepass
- Intel VPN
- Juniper SSL VPN
- Nortel VPN Contivity
Configuration of Environment
For the latest configuration instructions, refer to RSA SecurCare Online for instructions on how to configure your Windows event source, and your VPN event source, to send events to enVision.
Technical Analysis
Rule Logic
Note: Rule CRL-00192-01 does not work for Windows Server 2008 logon/logoff events. Rule CRL-00192-01 checks for interactive Windows logon events (Security event ID 528 with logon type 2), interactive Windows logoff events (Security event ID 538 with logon type 2), and VPN logon events (events categorized under Auth.Successful and User.Activity.Successful Logins) for the same user account. By default, CRL-192-01 triggers an alert if a user who is already logged on to a Windows Server 2003 workstation logs on to the same server using a different method (for example, logging on to the server at the console, then logging on to the server through the VPN) within 60 seconds. You can change the time parameter in the enVision UI. The behavior of CRL-192-01 can be described using the following truth table:
Interactive Windows logon event followed by
True True True True
Action
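The "followed by" correlation that CRL-00192-01 applies (an interactive Windows logon, then a VPN logon for the same user within 60 seconds, unless an interactive logoff intervenes) and, with a 26-hour window, that CRL-00162 applies (a user added to and then removed from the same group), as an added Python example that is not RSA enVision rule code. The events are constructed and their field names (time, user, event_id, logon_type, category, group, device) are assumptions; pairing is on the user name only.

```python
from datetime import datetime, timedelta

T0 = datetime(2012, 10, 10, 9, 0, 0)  # constructed reference time


def followed_by(events, first, second, key, window, cancel=None):
    """Generic "A followed by B" correlation: return (a, b) pairs where a satisfies
    `first`, b satisfies `second`, both share the same `key`, and b occurs no more
    than `window` after a. An event satisfying `cancel` (for example a logoff)
    closes the open window for its key so that a later B no longer matches."""
    pending = {}  # key -> most recent A still waiting for its B
    matches = []
    for ev in sorted(events, key=lambda e: e['time']):
        k = key(ev)
        if cancel is not None and cancel(ev):
            pending.pop(k, None)
            continue
        if first(ev):
            pending[k] = ev  # (re)open the window for this key
            continue
        if second(ev) and k in pending:
            a = pending.pop(k)  # one alert per opened window
            if ev['time'] - a['time'] <= window:
                matches.append((a, ev))
    return matches


# --- CRL-00192-01: interactive Windows logon followed by a VPN logon for the same user ---

VPN_LOGON_CATEGORIES = ('Auth.Successful', 'User.Activity.Successful Logins')


def crl_00192_01(events, window=timedelta(seconds=60)):
    console_logon = lambda e: e.get('event_id') == 528 and e.get('logon_type') == 2
    console_logoff = lambda e: e.get('event_id') == 538 and e.get('logon_type') == 2
    vpn_logon = lambda e: e.get('category') in VPN_LOGON_CATEGORIES
    return followed_by(events, console_logon, vpn_logon,
                       key=lambda e: e['user'].lower(), window=window, cancel=console_logoff)


# Constructed events: only alice should alert. bob logged off before using the VPN,
# carol's logon type is not interactive, and dave's VPN logon is outside 60 seconds.
WINDOWS_VPN_EVENTS = [
    {'time': T0, 'user': 'alice', 'event_id': 528, 'logon_type': 2, 'device': 'winsrv01'},
    {'time': T0 + timedelta(seconds=30), 'user': 'ALICE', 'category': 'Auth.Successful', 'device': 'vpn01'},
    {'time': T0, 'user': 'bob', 'event_id': 528, 'logon_type': 2, 'device': 'winsrv01'},
    {'time': T0 + timedelta(seconds=20), 'user': 'bob', 'event_id': 538, 'logon_type': 2, 'device': 'winsrv01'},
    {'time': T0 + timedelta(seconds=40), 'user': 'bob', 'category': 'User.Activity.Successful Logins', 'device': 'vpn01'},
    {'time': T0, 'user': 'carol', 'event_id': 528, 'logon_type': 10, 'device': 'winsrv01'},
    {'time': T0 + timedelta(seconds=10), 'user': 'carol', 'category': 'Auth.Successful', 'device': 'vpn01'},
    {'time': T0, 'user': 'dave', 'event_id': 528, 'logon_type': 2, 'device': 'winsrv01'},
    {'time': T0 + timedelta(seconds=120), 'user': 'dave', 'category': 'Auth.Successful', 'device': 'vpn01'},
]

# --- CRL-00162: user added to a group and removed from the same group within 26 hours ---

GROUP_ADDED = 'User.Management.Groups.Modifications.User Added'
GROUP_REMOVED = 'User.Management.Groups.Modifications.User Removed'


def crl_00162(events, window=timedelta(hours=26)):
    added = lambda e: e.get('category') == GROUP_ADDED
    removed = lambda e: e.get('category') == GROUP_REMOVED
    return followed_by(events, added, removed,
                       key=lambda e: (e['user'].lower(), e.get('group', '').lower()), window=window)


# Constructed events: svc_backup's temporary Domain Admins membership should alert;
# eve's removal comes after the 26-hour window and should not.
GROUP_EVENTS = [
    {'time': T0, 'user': 'svc_backup', 'group': 'Domain Admins', 'category': GROUP_ADDED},
    {'time': T0 + timedelta(hours=5), 'user': 'svc_backup', 'group': 'Domain Admins', 'category': GROUP_REMOVED},
    {'time': T0, 'user': 'eve', 'group': 'Sales', 'category': GROUP_ADDED},
    {'time': T0 + timedelta(hours=30), 'user': 'eve', 'group': 'Sales', 'category': GROUP_REMOVED},
]


if __name__ == '__main__':
    for a, b in crl_00192_01(WINDOWS_VPN_EVENTS):
        print(f"CRL-00192-01: {a['user']} console logon at {a['time']} then VPN logon at {b['time']}")
    for a, b in crl_00162(GROUP_EVENTS):
        print(f"CRL-00162: {a['user']} added to {a['group']} at {a['time']}, removed at {b['time']}")
```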
Rule Customization
The built-in version of CRL-192-01 filters Windows logon and logoff events based on logon type. They could be customized by adding more filters:

Variable | Variable to use
Domain |
Work Station |

Variable | Variable to use
Domain |
CRL-00192-02
Overview
Name
Policy Access Violation
Purpose
Rule CRL-00192-02 is designed to detect improper usage of IT systems. This rule focuses on detecting login activities associated with either sharing credentials or the failure to properly sign out of systems.
Audience
This rule is intended for any organization that is concerned with detecting violations to their acceptable use policy regarding access credentials and permitted uses.
Introduction
Policies surrounding corporate and remote access systems typically require users to log out when they are finished with their activities. Other policies may be concerned with account abuse, where one account is being used by multiple people. This rule monitors the activity of accounts where the user fails to log off (either from the console of a system or from a remote access session) and then logs on to the other.
Requirements
Device Class/Systems
This rule requires the use of Windows event logs. This version of the rule works only for Windows Server 2003. RSA enVision currently supports three collection methods for Windows Server 2003:
This rule also requires the use of one of the following VPN devices that enVision currently supports:
- Aventail SSL VPN
- Cisco VPN 3000
- Citrix Access Gateway
- F5 Firepass
- Intel VPN
- Juniper SSL VPN
- Nortel VPN Contivity
Configuration of Environment
For the latest configuration instructions, refer to RSA SecurCare Online for instructions on how to configure your Windows event source, and your VPN event source, to send events to enVision.
Technical Analysis
Rule Logic
Note: Rule CRL-00192-02 does not work for Windows Server 2008 logon/logoff events. Rule CRL-192-02 checks for VPN logon events, VPN logoff events (categorized under User.Activity.Logoff), and interactive Windows logon events for the same user account. By default, CRL-192-02 triggers an alert if a user who is already logged on to a Windows Server 2003 workstation logs on to the same server using a different method (for example, logging on to the server at the console, then logging on to the server through the VPN) within 60 seconds. You can change the time parameter in the enVision UI. The behavior of CRL-192-02 can be described using the following truth table:
VPN logon event to Windows workstation followed by
True True True True
Action
Rule Customization
The built-in version of CRL-192-02 filters Windows logon and logoff events based on logon type. They could be customized by adding more filters:
Variable
Variable
CRL-00193
Overview
Name
Malware Drive-By Download
Purpose
Rule CRL-00193 alerts you when malware is downloaded and installed. This rule is divided into the following sub-rules:
- Rule CRL-00193-01 detects whether code from malicious web sites has been downloaded and executed. This rule uses web proxy logs to detect redirections to malicious web sites.
- Rule CRL-00193-02 detects changes to the Windows registry and the Windows file system that are reported by Tripwire Enterprise.
- Rule CRL-00193-03 detects file downloads onto the client machine using the Bluecoat Proxy logs. Based on the file type, and in combination with CRL-00193-02, this rule helps detect web attacks through exploited file types.
Audience
This rule is intended for organizations that are concerned about the safety of their data and the possibility of having malware running on their workstations.
Introduction
Malware drive-by download occurs when a malicious web site downloads and installs code without the user's knowledge. This kind of attack exploits vulnerabilities in browsers and plug-ins to redirect users to a malicious web site that downloads and executes code. Although some changes to the Windows registry or to the Windows file system are legitimate, others are not. After being run, malware usually starts its activity on a Windows workstation by altering the registry to change the system configuration or by installing new programs that run at startup. Malware can also add executable files to the Windows file system that can be used to install back doors, dump passwords, obtain e-mails from servers, and many other tasks. A new form of drive-by-download web attack uses morphed file types commonly downloaded from the Internet. For example, a .pdf file or a .doc file may be exploited to redirect browsers to a web site that downloads a malicious executable.
Requirements
CRL-00193-01
Device Class or Systems
CRL-00193-01 requires the use of systems that generate web proxy logs. You must have Blue Coat Systems Security Gateway OS configured on your RSA enVision system.
Other Requirements
You must create a watchlist named Content_Filter_Categories and add values from the Blue Coat Systems Security Gateway OS filter categories database. For example, you might add values such as Hacking, Phishing, Spyware/Malware Sources, and Uncategorized. For information on creating watchlists, see the enVision Help.
CRL-00193-02
Device Class or Systems
This rule requires the use of Tripwire Enterprise. RSA enVision currently supports versions:
Other Requirements
You must create a watchlist named FileSytem_Registry_Changes (the name must match the watchlist name that the rule references exactly) and add the paths of Windows registry keys and Windows files or directories of interest, such as the registry keys that control programs run at startup and the system directories where malware drops executables.
For more information about creating watchlists, see the enVision Help. In the Tripwire Enterprise server, you must define your file system node by its IP address, not by its hostname. For more information, see the Tripwire documentation.
CRL-00193-03
Device Class or Systems
CRL-00193-03 requires the use of systems that generate web proxy logs. You must have Blue Coat Systems Security Gateway OS configured on your RSA enVision server.
Other Requirements
You must create a watchlist named Content_Filter_Categories, and add values from the Blue Coat Systems Security Gateway OS filter categories database. For example, you might add values such as Hacking, Phishing, Spyware/Malware Sources, and Uncategorized. For information about creating watchlists, see the enVision Help.
Technical Analysis
CRL-00193-01
Rule Logic
The attack proceeds as follows. The attacker injects code that can exploit a browser vulnerability into a web site. A user browses to that web site. The code redirects the browser, through one or more redirections, to a malicious web site. The malicious web site downloads an executable and runs it without the user's knowledge.
CRL-00193-01 looks for redirections to a site that downloads an executable file and runs it on the user's system. The rule judges the site by the content-filter category that Blue Coat Systems Security Gateway OS assigns to it, not by authenticating the site: a site whose category is in the Content_Filter_Categories watchlist (for example, Uncategorized) is treated as suspect.
Circuit | Meaning
C1      | Look for redirections
C2      | Look for executable downloads from a site whose category is in the Content_Filter_Categories watchlist

C1 | C2 | Description                                                                      | Action
0  | 0  | Trivial                                                                          | No alarm
0  | 1  | No redirections; executable downloads from the intended site                     | No alarm
1  | 0  | Redirections, but no executable download from a site in the watchlist categories | No alarm
1  | 1  | Redirections followed by executable downloads from an uncategorized site         | Alarm
CRL-00193-02
Rule Logic
Rule CRL-00193-02 checks for any changes to the Windows registry and to the Windows file system as reported by Tripwire Enterprise. On Tripwire Enterprise, you can create rules that monitor changes to the components of Windows registry keys and registry values or rules that monitor changes to the file system (files and directories) on a Windows system. These rules belong to Tripwire Enterprise predefined sets, Windows file system rules and Windows registry rules. By default, CRL-00193-02 triggers an alarm for each event enVision receives from Tripwire Enterprise if the path of the changed object (Windows registry value or Windows file or directory) belongs to the watchlist, FileSystem_Registry_Changes. You must create this watchlist in enVision and add the paths of objects of interest.
In Tripwire Enterprise, edit the Tripwire rules so that the rules monitor only objects of interest, such as specified directories and files on the system or specified registry keys and values. For more information, see the Tripwire Enterprise documentation. In enVision, customize the correlation rule to look for specific values for specified fields in the logs sent by Tripwire Enterprise. For more information, see Rule Customization.
CRL-00193-03
Rule Logic
Rule CRL-00193-03 checks for downloads onto the system of interest. This rule monitors downloaded files with the following extensions:
By default, CRL-00193-03 triggers an alert for every downloaded file that has one of these extensions. The rule also requires the watchlist of filtered web categories described in "Other Requirements." This rule is the first phase of CRL-00193, and CRL-00193-02 is the second phase. Together, CRL-00193-03 and CRL-00193-02 detect that an exploited file type was downloaded and redirected to malicious code, which then tries to change the registry keys that Tripwire Enterprise monitors for CRL-00193-02.
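The two phases described above, as an added worked example that is not part of RSA's rule definition: a small Python correlation that applies the CRL-00193-03 download check and the CRL-00193-02 watched-path check to constructed Blue Coat and Tripwire events, keyed by host IP address on both sides. The event field names, the watchlist values, the extension set (the page's own list did not survive extraction) and the 600-second correlation window are assumptions.

```python
"""Two-phase correlation behind CRL-00193-03 and CRL-00193-02: a download of a
watched file type from a site in a suspicious category (Blue Coat proxy log),
followed by a change to a watched registry key or file path (Tripwire Enterprise)
on the same host. Added example; the event field names, watchlist contents,
extension set and correlation window are assumptions, and the events are constructed."""
from collections import defaultdict

# Watchlists. The values are assumptions; the page's own lists did not survive.
CONTENT_FILTER_CATEGORIES = {"Hacking", "Phishing", "Spyware/Malware Sources", "Uncategorized"}
WATCHED_EXTENSIONS = (".exe", ".pdf", ".doc")
FILESYSTEM_REGISTRY_CHANGES = [
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"C:\Windows\System32",
]
WINDOW_SECONDS = 600   # phase 2 must follow phase 1 within this window (assumed)


def path_is_watched(path):
    """Case-insensitive prefix match so any value or file under a watched path counts."""
    p = path.lower()
    return any(p.startswith(w.lower()) for w in FILESYSTEM_REGISTRY_CHANGES)


def is_suspicious_download(ev):
    """Phase 1 (CRL-00193-03): watched file type served from a site in the category watchlist."""
    page = ev["web_page"].split("?")[0].lower()
    return page.endswith(WATCHED_EXTENSIONS) and ev["filter"] in CONTENT_FILTER_CATEGORIES


def correlate(events):
    """Return (host, downloaded page, changed object) for each watched Tripwire change
    that follows a suspicious download on the same host within WINDOW_SECONDS.
    Hosts are keyed by IP address on both sides, which is why the Tripwire node
    must be defined by IP rather than by hostname."""
    pending = defaultdict(list)   # host IP -> [(time, page)] from phase 1
    alarms = []
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["source"] == "bluecoat" and is_suspicious_download(ev):
            pending[ev["client_ip"]].append((ev["time"], ev["web_page"]))
        elif ev["source"] == "tripwire" and path_is_watched(ev["object"]):
            host = ev["node"]
            matched = [d for d in pending[host] if 0 <= ev["time"] - d[0] <= WINDOW_SECONDS]
            for _, page in matched:
                alarms.append((host, page, ev["object"]))
            pending[host] = [d for d in pending[host] if d not in matched]
    return alarms


SAMPLE_EVENTS = [  # constructed
    {"source": "bluecoat", "time": 100, "client_ip": "10.0.0.5",
     "web_page": "/docs/invoice.pdf", "filter": "Uncategorized"},
    {"source": "bluecoat", "time": 110, "client_ip": "10.0.0.6",
     "web_page": "/setup.exe", "filter": "Technology/Internet"},
    {"source": "tripwire", "time": 160, "node": "10.0.0.5",
     "object": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\updater"},
    {"source": "tripwire", "time": 170, "node": "10.0.0.6",
     "object": r"C:\Windows\System32\drivers\x.sys"},
    {"source": "tripwire", "time": 180, "node": "10.0.0.5",
     "object": r"C:\Users\bob\Documents\notes.txt"},
]

if __name__ == "__main__":
    for alarm in correlate(SAMPLE_EVENTS):
        print("ALARM", alarm)
```

Only the first host alarms: its .pdf came from an Uncategorized site and a Run key changed 60 seconds later. The second host's .exe came from a categorized site, so no phase 1 is pending when its System32 change arrives, and the third change is outside the watched paths.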
Rule Customization
Create a watchlist named Content_Filter_Categories. Add values from the Blue Coat Systems Security Gateway OS filter categories database, such as Hacking, Phishing, Spyware/Malware Sources, and Uncategorized. For information on creating watchlists, see the enVision Help.
CRL-00193-02
Event Source Configuration
Configure Tripwire Enterprise to send events to enVision. For instructions, see the Tripwire Enterprise configuration document on RSA SecurCare Online. In the Tripwire Enterprise server, you must define the file system node by its IP address, not by its hostname. For more information, refer to the Tripwire Enterprise documentation. Create a watchlist named FileSytem_Registry_Changes. Add the paths of Windows registry keys and Windows files and directories of interest. For instructions on creating watchlists, see the enVision Help.
Rule Customization
You can customize CRL-00193-02 by adding any of the filters described in the following table.
Field          | Variable
node           | Host Name
server         | Foreign Host
rule           | Rule
version        | Version
changeType     | Field 1
changeTypeName | Action
severity       | Field 2
severityname   | Severity
time           | Time
Attributes     | Full Message
CRL-00193-03
Event Source Configuration
Configure Blue Coat Systems Security Gateway OS to send logs to enVision. For instructions, see the Blue Coat Systems Security Gateway OS configuration document on RSA SecurCare Online.
CRL-194
Overview
Name
Instant Messaging Keyword Filtering Rule
Purpose
The goal of this rule is to filter keywords from instant messaging sessions logged by a Blue Coat Proxy Security Gateway appliance, based on the organization's business policy guidelines. The rule detects anomalies or breaches of employees' adherence to internal trade-restriction policies in the instant messaging session logs.
Audience
This rule is intended for any organization that is concerned about attempts by employees to trade or disclose important business and security information.
Introduction
Instant messaging has become common within enterprises as more employees download and install free instant messaging software to communicate with colleagues and friends over the company network. The challenge for an enterprise is how to control access to these applications based on specific corporate usage policies. For example, some users may use instant messaging for real-time business communication across a distributed organization, and others may use it to chat with family and friends. The Blue Coat Proxy Security Gateway appliance monitors these conversations, along with relevant information about the users involved in them, and sends out instant messaging logs. This rule uses a regular expression search over chat sessions to identify keywords that could signify use of the corporate network in violation of the organization's policies and guidelines.
Requirements
Device Class/Systems
This rule requires the use of systems that generate web logs, specifically logs with detailed web_referer fields. Currently the Blue Coat Proxy Security Gateway device is suitable for this rule.
Configuration of Environment
For the latest configuration instructions for Blue Coat Proxy Security Gateway, see the Blue Coat Systems SGOS configuration document on RSA SecurCare Online.
Technical Analysis
Rule Logic
The rule analyzes a chat session and monitors the conversations between a user and a buddy, identified by their instant messaging IDs, on all three instant messaging protocols supported by the Blue Coat Proxy Security Gateway appliance. Every positive keyword match in a session between the same user and buddy is counted. The current release uses the following rule logic:
    Set rule to thread on variables im_buddyid and im_userid
    Circuit1
        Statement1
            Set the threshold (for example, three occurrences of the keyword in 60 seconds should send an alert)
            Set to only monitor instant messaging events
            AND Set monitoring of events having information for im_userid
            AND Set monitoring of events having information for im_buddyid
            Set filter to find a regular expression match for keywords in the watchlist for instant messaging text
    End Circuit1
Rule Customization
Customers who intend to use this rule must build their own watchlists with keyword patterns that match their security criteria. For example, the pattern .*internal trade could be used as a filter. The threshold in the rule is also critical to the accuracy of the alerts it generates; adjust it to suit your operating environment.
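The rule logic and customization above, as an added worked example that is not RSA's rule definition: a Python implementation of the per-(im_userid, im_buddyid) threshold, with the keyword watchlist compiled into one regular expression and a sliding window so that matches older than the window no longer count. The keyword patterns, the event field names and the sample events are assumptions; the threshold and window follow the page's own example of three occurrences in 60 seconds.

```python
"""Instant-messaging keyword filtering (CRL-194): count regex matches from the
keyword watchlist per (im_userid, im_buddyid) pair and alert when the count
reaches the threshold inside the time window. Added example; the keyword
patterns and event fields are assumptions, and the sample events are constructed."""
import re
from collections import defaultdict, deque

KEYWORD_WATCHLIST = [r".*internal trade", r".*insider.*", r"\bembargo\b"]   # assumed patterns
KEYWORD_RE = re.compile("|".join(f"(?:{p})" for p in KEYWORD_WATCHLIST), re.IGNORECASE)
THRESHOLD = 3   # three occurrences ...
WINDOW = 60     # ... within 60 seconds, as in the page's example


class IMKeywordRule:
    def __init__(self, threshold=THRESHOLD, window=WINDOW):
        self.threshold, self.window = threshold, window
        self.hits = defaultdict(deque)   # (im_userid, im_buddyid) -> times of matches

    def process(self, ev):
        """Return ((im_userid, im_buddyid), time) when this event crosses the threshold, else None."""
        # Only IM events that carry both IDs are considered: the rule threads on them
        if ev.get("event_type") != "im" or not ev.get("im_userid") or not ev.get("im_buddyid"):
            return None
        if not KEYWORD_RE.search(ev.get("im_text", "")):
            return None
        key = (ev["im_userid"], ev["im_buddyid"])
        window_hits = self.hits[key]
        window_hits.append(ev["time"])
        while window_hits and ev["time"] - window_hits[0] > self.window:
            window_hits.popleft()           # drop matches that fell out of the window
        if len(window_hits) >= self.threshold:
            window_hits.clear()             # one alert per burst, then start counting again
            return (key, ev["time"])
        return None


def run(events):
    rule = IMKeywordRule()
    return [a for a in (rule.process(e) for e in sorted(events, key=lambda e: e["time"])) if a]


SAMPLE_EVENTS = [  # constructed
    {"event_type": "im", "time": 0, "im_userid": "alice", "im_buddyid": "bob", "im_text": "about that internal trade list"},
    {"event_type": "im", "time": 10, "im_userid": "alice", "im_buddyid": "bob", "im_text": "lunch?"},
    {"event_type": "im", "time": 20, "im_userid": "alice", "im_buddyid": "bob", "im_text": "Insider info is fine"},
    {"event_type": "im", "time": 30, "im_userid": "alice", "im_buddyid": "carol", "im_text": "internal trade"},
    {"event_type": "im", "time": 50, "im_userid": "alice", "im_buddyid": "bob", "im_text": "the embargo lifts today"},
    {"event_type": "im", "time": 200, "im_userid": "alice", "im_buddyid": "bob", "im_text": "internal trade again"},
]

if __name__ == "__main__":
    print(run(SAMPLE_EVENTS))
```

The alice/bob thread matches at 0, 20 and 50 seconds and alerts on the third match; the alice/carol thread and the lone match at 200 seconds stay below the threshold. Raising the threshold or shrinking the window is how the accuracy trade-off in the customization note is tuned.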
CRL-00195
Overview
Name
Search Engine Optimization Poisoning
Purpose
CRL-00195 detects malware downloads through search engine optimization (SEO) poisoning. Attackers use black hat SEO techniques to improve the ranking of malicious web sites in search results. Users who click these links may be led to malicious sites, which download malware to the users' systems.
Audience
This rule is intended for organizations that are concerned about data being stolen from their systems or their systems being opened to remote control.
Introduction
People generally use online search engines to find the latest news and topics of interest. Search engine optimization (SEO) poisoning attacks are usually attacks on legitimate web sites using cross-site scripting (XSS), JavaScript injection, or iframe injection. The attackers use black hat SEO techniques to improve the ranking of the compromised pages in search results. Once victims click these links, they are directed to a malicious web site that downloads malware onto their systems. Rule CRL-00195 attempts to track SEO poisoning by looking in web proxy logs for evidence that a user was directed to a malicious web site through a search engine result.
Requirements
Device Class or Systems
This rule requires the use of web proxy logs. The Blue Coat Systems Security Gateway OS event source is suitable for this rule.
Configuration of Environment
You must configure Blue Coat Security Gateway OS to send logs in MAIN format to your RSA enVision appliance.
Other Requirements
You must create a watchlist named WebFilter_Approved_Categories that contains Blue Coat Systems Security Gateway OS filter categories of interest, such as Education, E-mail, and Translation.
Technical Analysis
Rule Logic
CRL-00195 detects the following attacks:
- While browsing, the user clicks a poisoned search engine result. The URL redirects to a web site that hosts third-party JavaScript code that downloads an executable on the user's machine.
- While browsing, the user clicks a poisoned search engine result. The URL directs the user to a malicious web site that exploits an unpatched browser or plug-in to download malware on the user's machine.
CRL-00195 consists of three circuits, named Web Proxy Logs, EXEDownloadViaThirdParty, and DirectEXEDownload. The rule creates two cache variables, cache_webdomain and cache_thirdparty_webdomain, to implement the rule logic. The circuits perform checks as follows:
- Web Proxy Logs checks whether the user was directed to a web site or URL from a search engine result, and caches the web site domain in cache_webdomain.
- EXEDownloadViaThirdParty checks whether the web site that the user visited through the search engine result references JavaScript hosted on a third-party server that downloads an executable on the user's machine. The circuit has two statements:
  - Check for JavaScript being run from a malicious site looks for logs where the web page contains JavaScript and the web referrer domain field equals cache_webdomain. The statement stores the web domain field in the cache variable cache_thirdparty_webdomain.
  - Check for executable downloads from a malicious site looks for logs where the web page field ends with .exe (or one of its variations), the value in the filter field is not in the watchlist WebFilter_Approved_Categories, and the web domain field equals cache_thirdparty_webdomain.
- DirectEXEDownload checks whether the web site that the user visited through the search engine result directly downloads an executable on the user's machine. The circuit has one statement, DirectEXEDownload, which looks for logs where the web page field ends with .exe (or one of its variations), the value in the filter field is not in the watchlist WebFilter_Approved_Categories, and the web referrer domain field equals the value stored in cache_thirdparty_webdomain. Note that a direct download from the landing site would be referred from the domain held in cache_webdomain rather than cache_thirdparty_webdomain; confirm which variable the deployed rule compares before tuning the rule.
The checks in EXEDownloadViaThirdParty and DirectEXEDownload that the filter field is not in WebFilter_Approved_Categories help catch malicious web sites that Blue Coat Systems Security Gateway OS has not categorized. Overall, the rule determines whether a search engine result directed the user to a malicious web site.
Circuit | Meaning
C1      | Users being directed to web sites using a search engine
C2      | The web site may be compromised and lead to executable files being downloaded from a third-party web site
C3      | The web site is malicious and downloads an executable file

The behavior of these three circuits in combination is described in the following table.

C1 | C2 | C3 | Description                                                                                               | Action
0  | 0  | 0  | Not directed to the malicious web site by a search engine                                                 | No alarm
0  | 1  | 0  | Not directed to the malicious web site by a search engine                                                 | No alarm
1  | 0  | 0  | Not directed to a malicious web site                                                                      | No alarm
1  | 1  | 0  | The web site may be compromised and lead to executable files being downloaded from a third-party web site | Alarm
1  | 0  | 1  | The web site is malicious and downloads an executable file                                                | Alarm
Note: A sample watchlist, named WebFilter_Approved_Categories.txt, has been posted on RSA SecurCare Online as reference. You can find this watchlist at https://knowledge.rsasecurity.com/scolcms/set.aspx?id=8479.
References
For more information about search engine optimization poisoning, go to www.symantec.com and www.websense.com.
CRL-00196
Overview
Name
Redirection to Malicious Web Sites Through a Short URL
Purpose
CRL-00196 detects drive-by download attacks, in which a user is redirected to a malicious web site through a short URL. The malicious web site downloads an executable to the user's machine.
Audience
This rule is intended for organizations that are concerned with keeping their employees' workstations free of malware by detecting potential drive-by download attacks.
Reference Material
http://www.symantec.com/connect/blogs/tweeting-misleading-applications
Introduction
URL shortening is gaining more ground with the growth of social web sites, such as Twitter and blogs. In Twitter, for example, a tweet is limited to 140 characters. Users who want to add a link to their tweets turn to URL-shortening services to help them find more room for their ideas. URL-shortening services convert a long URL into a URL of fewer than 20 characters. Short URLs are obscure enough that they can lead a user to a malicious web site that can exploit an unpatched browser or plug-in to download and install malware on the user's machine.
Requirements
Device Class or Systems
CRL-00196 inspects proxy logs from Blue Coat System Security OS that follow the ELFF format. You must configure Blue Coat System Security OS to send logs to enVision in ELFF format.
Technical Analysis
Rule Logic
CRL-00196 detects the following attacks:
- While browsing, the user clicks a short URL that redirects the user to a web site hosting third-party JavaScript code that downloads an executable to the user's machine.
- While browsing, the user clicks a short URL that redirects the user to a malicious web site that exploits an unpatched browser or plug-in to download malware to the user's machine.
CRL-00196 creates three cache variables to help implement the rule logic: InitialDomain, LongURLDomain, and ThirdPartyDomain. The rule consists of three circuits:
- RedirectionThroughShortURL checks for redirection from the initial web site through a short URL. The circuit has two statements:
  - RedirectionToShortURL checks for logs that have status 301 (which indicates redirection) and checks whether the web domain field belongs to the watchlist Redirection_Services. The statement stores the web referrer domain in the cache variable InitialDomain.
  - RedirectionToLongURL checks for logs that have status 2xx (a successful HTTP response) and checks whether the web referrer domain field is the same as InitialDomain. The statement stores the web domain field in the cache variable LongURLDomain.
- EXEDownloadViaThirdParty checks whether the web site the user was redirected to references a JavaScript file hosted on a third-party server that downloads an executable to the user's machine. The circuit has two statements:
  - GettingMaliciousJavascript checks for logs in which the content type field contains JavaScript and the web referrer domain field is the same as LongURLDomain. The statement stores the web domain field in the cache variable ThirdPartyDomain.
  - EXEDownload checks for logs in which the web page field ends with .exe (or one of its variations). The statement checks that the value in the filter field is not in the watchlist Content_Filter_Categories and that the web referrer domain field is the same as the value stored in ThirdPartyDomain.
- DirectEXEDownload checks whether the web site to which the user was redirected directly downloads an executable to the user's machine. The circuit has one statement, DirectEXEDownload, which checks for logs in which the web page field ends with .exe (or one of its variations). The statement checks that the value in the filter field is not in the watchlist Content_Filter_Categories and that the web referrer domain field is the same as the value stored in LongURLDomain.
The filter-field checks in circuits EXEDownloadViaThirdParty and DirectEXEDownload are what separate a suspicious download site from a known, categorized one. Note that Content_Filter_Categories holds the suspicious categories (Hacking, Spyware/Malware Sources, Uncategorized), the complement of the WebFilter_Approved_Categories list that CRL-00195 uses, so the sense of the comparison ("in" versus "not in") must agree with the watchlist's contents; confirm it in the deployed rule before relying on the alerts.
The following table describes the combined results of these three circuits.
RedirectionThroughShortURL | EXEDownloadViaThirdParty | DirectEXEDownload | Action
True                       | False                    | False             | No alert
True                       | True                     | False             | Alert
True                       | False                    | True              | Alert
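The chained circuits of CRL-00195 and CRL-00196 share one shape, so a single added worked example serves both (it is not RSA's rule definition): per client, cache the landing domain (reached from a search engine result, or through a shortener's 301 and the 2xx page that follows it), then cache a third-party domain that served JavaScript referred from the landing domain, and alert on an executable download whose site category is not approved. The entry conditions, watchlist values, event field names and sample events are assumptions; the direct-download check follows the CRL-00196 description (referrer equals the landing domain), and the category test uses an approved-category watchlist for both rules, since CRL-00196's Content_Filter_Categories is the complementary list.

```python
"""Chained circuits for drive-by downloads reached through a search engine result
(CRL-00195) or a short-URL redirect (CRL-00196). Per client the rule caches the
landing domain, then a third-party domain that served JavaScript referred from
it, and alerts on an executable download whose site category is not approved.
Added example: entry conditions, watchlists and event fields are assumptions,
and the events are constructed."""

SEARCH_ENGINES = {"www.google.com", "www.bing.com"}        # assumed: how a search-result referrer is recognised
REDIRECTION_SERVICES = {"bit.ly", "tinyurl.com"}           # Redirection_Services watchlist (assumed values)
WEBFILTER_APPROVED_CATEGORIES = {"Education", "E-mail", "Translation", "Technology/Internet"}
EXE_EXTENSIONS = (".exe", ".msi", ".scr")                 # ".exe or any of its variations" (assumed set)


def is_exe(web_page):
    """Executable check on the path only, so '/update.exe?id=1' still matches."""
    return web_page.split("?")[0].lower().endswith(EXE_EXTENSIONS)


class DriveByRule:
    def __init__(self):
        self.state = {}   # client_ip -> {"initial": ..., "entry": ..., "third": ...}

    def process(self, ev):
        """Feed one parsed proxy event (in time order); return an alert tuple or None."""
        st = self.state.setdefault(ev["client_ip"], {})
        dom, ref, status = ev["web_domain"], ev["referer_domain"], ev["status"]
        ok = 200 <= status < 300

        # Circuit 1, CRL-00195 form: landing page reached from a search engine result
        if ok and ref in SEARCH_ENGINES:
            st["entry"] = dom
        # Circuit 1, CRL-00196 form: 301 from a shortener (cache its referrer as InitialDomain),
        # then the 2xx landing page whose referrer is InitialDomain (cache it as LongURLDomain)
        elif status == 301 and dom in REDIRECTION_SERVICES:
            st["initial"] = ref
        elif ok and st.get("initial") and ref == st["initial"]:
            st["entry"] = dom

        entry = st.get("entry")
        if not entry:
            return None
        unapproved = ev["filter"] not in WEBFILTER_APPROVED_CATEGORIES

        # Circuit 2, statement 1: third-party JavaScript referred from the landing domain
        if "javascript" in ev["content_type"].lower() and ref == entry and dom != entry:
            st["third"] = dom
        # Circuit 2, statement 2: executable served by that third party
        if is_exe(ev["web_page"]) and unapproved and st.get("third") == dom:
            return ("EXEDownloadViaThirdParty", ev["client_ip"], entry, dom)
        # Circuit 3: executable served directly, referred from the landing domain
        if is_exe(ev["web_page"]) and unapproved and ref == entry:
            return ("DirectEXEDownload", ev["client_ip"], entry, dom)
        return None


def make_event(time, client_ip, web_domain, referer_domain, web_page, status, content_type, filter_category):
    return {"time": time, "client_ip": client_ip, "web_domain": web_domain, "referer_domain": referer_domain,
            "web_page": web_page, "status": status, "content_type": content_type, "filter": filter_category}


SAMPLE_EVENTS = [  # constructed
    # CRL-00196 path: tweet -> shortener 301 -> landing site -> third-party JS -> .exe
    make_event(1, "10.0.0.7", "bit.ly", "twitter.com", "/x1", 301, "text/html", "Technology/Internet"),
    make_event(2, "10.0.0.7", "cheap-codecs.example", "twitter.com", "/index.html", 200, "text/html", "Uncategorized"),
    make_event(3, "10.0.0.7", "cdn-stats.example", "cheap-codecs.example", "/load.js", 200, "application/javascript", "Uncategorized"),
    make_event(4, "10.0.0.7", "cdn-stats.example", "cdn-stats.example", "/update.exe?id=1", 200, "application/octet-stream", "Uncategorized"),
    # CRL-00195 path: search result -> landing site serves the .exe itself
    make_event(5, "10.0.0.8", "recipes.example", "www.google.com", "/", 200, "text/html", "Uncategorized"),
    make_event(6, "10.0.0.8", "recipes.example", "recipes.example", "/setup.exe", 200, "application/x-msdownload", "Uncategorized"),
    # Benign: search result -> vendor site -> installer from an approved category: no alert
    make_event(7, "10.0.0.9", "www.mozilla.org", "www.bing.com", "/", 200, "text/html", "Technology/Internet"),
    make_event(8, "10.0.0.9", "download.mozilla.org", "www.mozilla.org", "/firefox.exe", 200, "application/octet-stream", "Technology/Internet"),
]


def run(events):
    rule = DriveByRule()
    return [a for a in (rule.process(e) for e in sorted(events, key=lambda e: e["time"])) if a]

if __name__ == "__main__":
    for alert in run(SAMPLE_EVENTS):
        print("ALERT", alert)
```

The third client shows why the category watchlist matters: the same chain (search result, landing site, executable) produces no alert because the download site is in an approved category. Note that the short-URL entry path, as the page describes it, keys on the referrer of the 301 rather than on the shortener itself, so any page referred from that same site afterwards becomes the cached landing domain.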
Quick Deployment
Event Source Configurations
Configure your Blue Coat event source to send proxy logs in ELFF format to enVision. For instructions, see the configuration instructions on RSA SecurCare Online. Create two watchlists:
- A watchlist named Redirection_Services. Add values that represent the domains of URL-shortening services to this list.
- A watchlist named Content_Filter_Categories. Add values from the Blue Coat System Security OS filter categories database, such as Hacking, Spyware/Malware Sources, and Uncategorized.
Note: You can add values to these watchlists from their copies posted on RSA SecurCare online. For instructions on creating watchlists, see the enVision Help.
CRL-00197
Overview
Name
Post Form Redirection Malware
Purpose
CRL-00197 detects data that is compromised through Post form redirection malware attacks.
Audience
This rule is intended for organizations that are concerned about data theft from their systems or their systems being opened for remote control.
Introduction
Web sites submit sensitive information that users enter in forms using the HTTP POST method. When a site that posts form data this way is compromised, the information that users enter in its forms is sent to a malicious web site.
Requirements
Device Class or Systems
This rule requires the use of web proxy logs. The Blue Coat Systems Security Gateway OS event source is necessary for this rule.
Configuration of Environment
You must configure Blue Coat Security Gateway OS to send logs in MAIN format to your RSA enVision appliance.
Other Requirements
You must create a watchlist named WebFilter_Approved_Categories that contains Blue Coat Systems Security Gateway OS filter categories of interest, such as Education, Email, and Translation.
Technical Analysis
Rule Logic
This rule looks at web proxy logs for any suspicious behavior that could indicate a Post form redirection malware attack. The algorithm pattern for this rule is as follows:
    Set rule to thread on class=host.weblogs, variable=Source Address
    Circuit: Web_Proxy_Logs
        Statement1: Set_Cache_with_WebDomain
            Cache the web_domain values for the web log event source Blue Coat Systems ProxySG SGOS. Name the cache variable cache_webdomain.
        FOLLOWED BY
        Statement2: Check_for_Post_Form_Redirection
            Check that the HTTP method value is POST.
            AND Check that the HTTP status code is 200 or 302.
            AND Check that the web_referer domain value is the same as the cache_webdomain value, and that the web_domain value is not equal to the cache_webdomain value. If both hold, the data was entered on one web site but was posted to another.
            AND Check that the filter category of the web_domain value is not present in WebFilter_Approved_Categories. If it is not present, the destination web site is treated as malicious.
    End Circuit1
The rule verifies that a user was directed to a malicious web site through a Post form redirection malware attack.
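The algorithm above, as an added worked example that is not RSA's rule definition: a Python version of the Source Address thread with Statement1 (cache the domain the client is browsing) followed by Statement2 (a POST whose referrer is the cached domain but whose destination is a different, unapproved domain). The field names, the approved-category values and the events are assumptions.

```python
"""Post form redirection check (CRL-00197): thread on Source Address, cache the
domain each client is browsing (Statement1), then alert when a POST whose
referrer is that domain goes to a different domain whose category is not
approved (Statement2). Added example; field names, approved-category values
and the events are assumptions and constructed."""

WEBFILTER_APPROVED_CATEGORIES = {"Education", "Email", "Translation", "Financial Services"}


class PostRedirectRule:
    def __init__(self):
        self.cache_webdomain = {}   # Source Address -> most recent web_domain (Statement1)

    def process(self, ev):
        """Return (source, form domain, posted-to domain) on a suspicious POST, else None."""
        src = ev["source_address"]
        cached = self.cache_webdomain.get(src)
        alert = None
        # Statement2, evaluated against the domain cached before this event
        if (cached
                and ev["http_method"] == "POST"
                and ev["status"] in (200, 302)
                and ev["web_referer_domain"] == cached     # the form came from the cached site ...
                and ev["web_domain"] != cached             # ... but the data went elsewhere
                and ev["filter"] not in WEBFILTER_APPROVED_CATEGORIES):
            alert = (src, cached, ev["web_domain"])
        # Statement1: every web log event refreshes the cached domain for this client
        self.cache_webdomain[src] = ev["web_domain"]
        return alert


def make_event(time, src, method, web_domain, referer, status, filter_category):
    return {"time": time, "source_address": src, "http_method": method, "web_domain": web_domain,
            "web_referer_domain": referer, "status": status, "filter": filter_category}


SAMPLE_EVENTS = [  # constructed
    make_event(1, "10.0.0.5", "GET", "bank.example", "", 200, "Financial Services"),
    make_event(2, "10.0.0.5", "POST", "bank.example", "bank.example", 200, "Financial Services"),   # same-site POST
    make_event(3, "10.0.0.5", "GET", "bank.example", "bank.example", 200, "Financial Services"),
    make_event(4, "10.0.0.5", "POST", "collector.example", "bank.example", 302, "Uncategorized"),   # form data leaves
    make_event(5, "10.0.0.6", "GET", "shop.example", "", 200, "Shopping"),
    make_event(6, "10.0.0.6", "POST", "pay.example", "shop.example", 200, "Financial Services"),    # approved processor
]


def run(events):
    rule = PostRedirectRule()
    return [a for a in (rule.process(e) for e in sorted(events, key=lambda e: e["time"])) if a]

if __name__ == "__main__":
    print(run(SAMPLE_EVENTS))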
Statement | Meaning
S1        | Cached web domain value
S2        | Check for Post form redirection

The behavior of these two statements in combination is described in the following table.

S1 | S2 | Description                                                          | Action
0  | 0  | Trivial                                                              | No alarm
0  | 1  | Check for Post form redirection without the cached web domain value  | No alarm
1  | 0  | Post form method was not used                                        | No alarm
1  | 1  | Check for Post form redirection with cache set for the web domain    | Alarm
Quick Deployment
Event Source Configuration
You must configure Blue Coat Systems SGOS to send logs to your enVision appliance in MAIN format. For instructions, see the Blue Coat Systems SGOS configuration document on RSA SecurCare Online. Note: A sample watchlist, WebFilter_Approved_Categories.txt, has been posted on RSA SecurCare Online as a reference. You can find this watchlist at https://knowledge.rsasecurity.com/scolcms/set.aspx?id=8479.
CRL-00198
Overview
Purpose
CRL-00198 detects when the number of Non-Delivery Reports (NDRs) sent by a mail server rises above its average rate. Such an increase can indicate a Distributed Denial of Service (DDoS) attack on an organization's mail server.
Audience
This rule is intended for organizations that want to protect their mail servers from DDoS attacks.
Reference Material
http://www.techzoom.net/papers/mail_non_delivery_notice_attacks_2004.pdf
Introduction
To make their e-mail look legitimate, spam authors forge a sender address before sending e-mail to a nonexistent address. A poorly configured mail server sends a Non-Delivery Report (NDR) to the forged sender address, indicating delivery failure because the recip,ient address does not exist. Usually the NDR includes the original message, in which the spam author may have placed phishing links. A user whose e-mail address has been forged finds the NDR in the inbox and will probably open it, because the user trusts the mail server. Furthermore, a spam author can launch a DDoS attack on a mail server by sending a large number of e-mails to nonexistent addresses.
Requirements
Device Class or Systems
The CRL-00198 rule pack works on logs collected from Microsoft Exchange through Windows event logs or through the NIC File Reader Service. For instructions on configuring your Microsoft Exchange Server to send logs to RSA enVision, see RSA SecurCare online.
Technical Analysis
Rule Logic
The CRL-00198 rule pack consists of two correlation rules with the same logic:
- CRL-00198-01 works on logs collected through Windows event logs.
- CRL-00198-02 works on logs collected through the NIC File Reader Service.
CRL-00198-01 consists of one circuit, NDR_Increase, which has one statement, WindowsLogs. CRL-00198-01 triggers an alert if the number of Microsoft Exchange messages whose Event ID is Application_3028_MSExchangeTransport rises 10 percent above the hourly average. Application_3028_MSExchangeTransport indicates that the Microsoft Exchange Server failed to deliver an e-mail because the recipient address doesn't exist.
CRL-00198-02 consists of one circuit, NDR_Increase, which has one statement, FileReader. For events collected through the NIC File Reader Service, an NDR message due to a nonexistent recipient address must meet the following two conditions:
- The Event ID is DELIVER.
- The value parsed by enVision and stored in the Product variable is Delivery Status Notification (Failure).
CRL-00198-02 triggers an alert if the number of NDR messages that meet these criteria rises 10 percent above the hourly average.
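The two sub-rules above, as an added worked example that is not RSA's rule definition: a Python function that recognises an NDR from either collection path, buckets NDRs per hour, and alerts when an hour's count exceeds 110 percent of the baseline. The page does not say how the "hour average" is formed; this example takes the mean of the completed preceding hours (an assumption), counts hours with no NDRs as zero, and uses constructed events.

```python
"""NDR surge detection (CRL-00198): count non-delivery reports per hour and
alert when an hour's count is more than 10 percent above the average of the
preceding hours. Added example; the baseline definition (mean of completed
previous hours) is an assumption and the events are constructed."""
from collections import Counter


def is_ndr(ev):
    """Both collection paths described for CRL-00198."""
    if ev.get("collector") == "windows":
        return ev.get("event_id") == "Application_3028_MSExchangeTransport"
    if ev.get("collector") == "filereader":
        return (ev.get("event_id") == "DELIVER"
                and ev.get("product") == "Delivery Status Notification (Failure)")
    return False


def hourly_ndr_counts(events):
    """Map hour bucket (epoch seconds // 3600) -> number of NDRs in that hour."""
    counts = Counter()
    for ev in events:
        if is_ndr(ev):
            counts[ev["time"] // 3600] += 1
    return counts


def ndr_alerts(events, threshold=1.10, min_history=2):
    """Return (hour, count, baseline) for each hour whose NDR count exceeds
    threshold * mean count of the completed hours before it. Hours with no
    NDRs count as zero so a quiet baseline is not inflated; no alert is
    raised until min_history hours of baseline exist."""
    counts = hourly_ndr_counts(events)
    if not counts:
        return []
    history, alerts = [], []
    for hour in range(min(counts), max(counts) + 1):
        count = counts.get(hour, 0)
        if len(history) >= min_history:
            baseline = sum(history) / len(history)
            if count > threshold * baseline:
                alerts.append((hour, count, baseline))
        history.append(count)
    return alerts


def _ndr_windows(t):
    return {"collector": "windows", "event_id": "Application_3028_MSExchangeTransport", "time": t}


def _ndr_filereader(t):
    return {"collector": "filereader", "event_id": "DELIVER",
            "product": "Delivery Status Notification (Failure)", "time": t}


SAMPLE_EVENTS = (  # constructed: 10, 10, 12 and 40 NDRs in hours 0-3, plus one non-NDR delivery
    [_ndr_windows(i * 60) for i in range(10)]
    + [_ndr_filereader(3600 + i * 60) for i in range(10)]
    + [_ndr_windows(7200 + i * 60) for i in range(12)]
    + [_ndr_filereader(10800 + i * 30) for i in range(40)]
    + [{"collector": "filereader", "event_id": "DELIVER", "product": "Normal mail", "time": 5}]
)

if __name__ == "__main__":
    for hour, count, baseline in ndr_alerts(SAMPLE_EVENTS):
        print(f"hour {hour}: {count} NDRs against baseline {baseline:.1f}")
```

Hour 2 alerts on 12 NDRs against a baseline of 10 (a 20 percent rise), and hour 3 on 40. A 10 percent threshold over a low baseline is sensitive: with a baseline of zero any NDR at all alerts, so in practice a minimum absolute count is usually added alongside the percentage.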
Quick Deployment
Event Source Configurations
For instructions on configuring your Microsoft Exchange Server to send events to RSA enVision through Windows event logs or through the NIC File Reader Service, see RSA SecurCare Online.
CRL-00199
Overview
Name
FairWarning Snooping
Purpose
Correlation Rule CRL-00199 detects if any violators caught snooping by FairWarning Privacy Monitoring are also detected by RSA Data Loss Prevention Suite (DLP) to be involved in data leakage. This condition could mean that an employee in a health organization is transferring patient records to an external device, or sending them over instant messaging services or over e-mail.
Audience
This rule is intended for any health organization interested in keeping patient records safe from malicious use by employees.
Introduction
According to health industry rules and regulations, a health organization must always keep patient records safe. FairWarning Privacy Monitoring generates events if authorized users in a health organization are caught snooping on the medical records of their co-workers, their co-workers' family members, or VIPs. Correlation Rule CRL-00199 combines the information collected from FairWarning Privacy Monitoring with RSA DLP Suite to monitor whether employees are transferring medical data outside the healthcare organization using instant messaging or e-mail.
Requirements
Device Class or Systems
Correlation Rule CRL-00199 scans logs from FairWarning Privacy Monitoring and RSA DLP Suite to detect a snooping event followed by a data leakage incident by the same user.
Technical Analysis
Rule Logic
Correlation Rule CRL-00199 triggers an alarm if enVision receives an alert from FairWarning Privacy Monitoring indicating a snooping event (Family Snooping, VIP Snooping, or Employee Snooping) by an employee of a health care organization and an alert from RSA DLP Suite showing that the same employee is involved in a data leakage incident. Correlation Rule CRL-00199 consists of two circuits:
- FairWarning_Logs has one statement, Snooping, which searches for events collected from FairWarning Privacy Monitoring that enVision categorizes under System.Audit and whose rulename variable matches the regular expression .*[Ss]nooping.* .
- RSA_DLP_Logs has one statement, Exfiltration, which searches for events collected from RSA DLP Suite that fall into one of the following categories: Policies.Rules.Rejects, Policies.Rules.Successful, System.Audit, Content.Email.Delivery.Error, and Content.Email.Message.Sent.
Correlation Rule CRL-00199 multithreads on the User Name variable, so the rule does not trigger an alarm unless the user name in the FairWarning event is the same as the one in the RSA DLP event. Note: The AND operator links the circuits, so CRL-00199 triggers an alarm when both events meet the selection criteria regardless of the order in which enVision receives them.
Quick Deployment
RSA enVision Configuration
For instructions in configuring FairWarning Privacy Monitoring and RSA DLP Suite to send logs to enVision, see the Device Configuration page on RSA SecurCare online.
CRL-00200
Overview
Name
FairWarning Failed Logins
Purpose
CRL-00200 detects the misuse of employee accounts by identifying anomalous logon activity. HIPAA defines and identifies this activity in Section 164.308 and Section 164.306. The HIPAA Security Rule addresses the HIPAA logging and auditing requirements:
- Administrative Safeguards - Section 164.308
- Security Management Process - Section 164.308(a)(1)(ii)(D)
- Security Awareness and Training - Section 164.308(a)(5)(ii)(C)
- Evaluation (Required) - Section 164.308(a)(8)
- Audit Controls (Required) - Section 164.312(b) [2]
Audience
This rule is intended for health organizations that are concerned about protecting their patient records from malicious use.
Introduction
When FairWarning alerts on a failed logon, this rule checks for any failed logons with the same user credentials from other event sources on the network.
Requirements
Device Class or Systems
This rule requires the use of the FairWarning Privacy Monitoring event source. The logs from FairWarning are correlated with event sources from the following device classes:
Note: The current state of the Windows XML does not align with data used for the logon_id variable. The remediated Windows XML will be included in this rule when complete.
Configuration of Environment
You must configure FairWarning Privacy Monitoring. For instructions, see the FairWarning Privacy Monitoring configuration document on RSA SecurCare Online.
Technical Analysis
Rule Logic
This rule looks at alerts from FairWarning that indicate a failed logon for a particular user. The user's credentials are correlated with other event sources to check for failed logons with the same credentials. The algorithm pattern for this rule is as follows:
    Set rule to thread on variable=Logon_id
    Circuit: Failed_Logins
        Statement1: Other_Devices_Failed_Logins
            Select events that carry the variable logon_id and fall under the category User.Activity.Failed.Logins. None of the events should be from FairWarning.
        AND
        Statement2: FairWarning_Failed_Logins
            Select events from FairWarning that carry the variable logon_id.
            AND FairWarning events must fall under the category Attacks.Access. Failed logon events within the FairWarning XML fall under this category. A filter captures only events that contain the keyword fail, because the category Attacks.Access can include other types of events from FairWarning.
    End Circuit1
Statement | Meaning
S1        | Failed logons from all other event sources in the network
S2        | Failed logons from FairWarning

The behavior of these two statements in combination is described in the following table.

S1 | S2 | Description                                                                                              | Action
0  | 0  | Trivial                                                                                                  | No alarm
0  | 1  | No failed logons from event sources other than FairWarning                                               | No alarm
1  | 0  | No failed logons from FairWarning                                                                        | No alarm
1  | 1  | Failed logons from other event sources AND from FairWarning; the logon_id values of both events match    | Alarm
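CRL-00199 and CRL-00200 are both an AND of two circuits threaded on one variable (User Name, logon_id) that fires regardless of which event arrives first, so one added worked example covers both (it is not RSA's rule definition): a small reusable two-circuit join in Python, instantiated once with the CRL-00199 selection criteria and once with the CRL-00200 criteria, run over constructed events. The one-hour pairing window, device names, field names and sample events are assumptions.

```python
"""Order-independent AND of two circuits threaded on a shared variable, the
pattern behind CRL-00199 (snooping alert + DLP leakage, keyed on User Name) and
CRL-00200 (failed logon at FairWarning + failed logon elsewhere, keyed on
logon_id). Added example; the correlation window, device names, field names
and sample events are assumptions and constructed."""
import re
from collections import defaultdict


class TwoCircuitAnd:
    """Fire once per key value when both circuits have matched within `window`
    seconds, whichever circuit matched first (the AND operator, not FOLLOWED BY)."""

    def __init__(self, name, key, circuit_a, circuit_b, window=3600):
        self.name, self.key, self.window = name, key, window
        self.a, self.b = circuit_a, circuit_b
        self.seen = defaultdict(dict)   # key value -> {"a": time, "b": time}

    def process(self, ev):
        k = ev.get(self.key)
        if not k:
            return None                  # events without the thread variable are ignored
        side = "a" if self.a(ev) else "b" if self.b(ev) else None
        if side is None:
            return None
        st = self.seen[k]
        st[side] = ev["time"]
        other = st.get("b" if side == "a" else "a")
        if other is not None and abs(ev["time"] - other) <= self.window:
            self.seen.pop(k)             # alarm once per pairing, then reset the thread
            return (self.name, k, min(ev["time"], other), max(ev["time"], other))
        return None


SNOOPING = re.compile(r".*[Ss]nooping.*")
DLP_CATEGORIES = {"Policies.Rules.Rejects", "Policies.Rules.Successful", "System.Audit",
                  "Content.Email.Delivery.Error", "Content.Email.Message.Sent"}


def make_rules():
    crl_00199 = TwoCircuitAnd(
        "CRL-00199", "user_name",
        lambda e: e["device"] == "fairwarning" and e["category"] == "System.Audit"
        and bool(SNOOPING.match(e.get("rulename", ""))),
        lambda e: e["device"] == "rsa_dlp" and e["category"] in DLP_CATEGORIES)
    crl_00200 = TwoCircuitAnd(
        "CRL-00200", "logon_id",
        lambda e: e["device"] != "fairwarning" and e["category"] == "User.Activity.Failed.Logins",
        lambda e: e["device"] == "fairwarning" and e["category"] == "Attacks.Access"
        and "fail" in e.get("message", "").lower())
    return [crl_00199, crl_00200]


SAMPLE_EVENTS = [  # constructed; note the DLP event arrives before the snooping alert
    {"time": 100, "device": "rsa_dlp", "category": "Content.Email.Message.Sent", "user_name": "jdoe"},
    {"time": 400, "device": "fairwarning", "category": "System.Audit", "rulename": "VIP Snooping", "user_name": "jdoe"},
    {"time": 500, "device": "fairwarning", "category": "System.Audit", "rulename": "Family Snooping", "user_name": "asmith"},
    {"time": 600, "device": "fairwarning", "category": "Attacks.Access", "message": "Login failed", "logon_id": "rjones"},
    {"time": 650, "device": "unix", "category": "User.Activity.Failed.Logins", "logon_id": "rjones"},
    {"time": 700, "device": "unix", "category": "User.Activity.Failed.Logins", "logon_id": "mlee"},
]


def run(events):
    rules = make_rules()
    alarms = []
    for ev in sorted(events, key=lambda e: e["time"]):
        for rule in rules:
            alarm = rule.process(ev)
            if alarm:
                alarms.append(alarm)
    return alarms

if __name__ == "__main__":
    for alarm in run(SAMPLE_EVENTS):
        print("ALARM", alarm)
```

Because the join is symmetric, jdoe's DLP event at 100 seconds still pairs with the snooping alert at 400; asmith (snooping only) and mlee (one failed logon only) never complete a pair. A FOLLOWED BY rule would instead require the first circuit's match to precede the second's.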
Quick Deployment
Event Source Configuration
You must configure FairWarning Privacy Monitoring to send events to RSA enVision. For instructions, see the FairWarning Privacy Monitoring configuration document on RSASecurCare Online.
CRL-00201
Overview
Name
DNS Fast Flux Detection Kit
Purpose
Rule CRL-00201 detects and alerts on possible DNS fast-flux domains.
Audience
This rule is intended for organizations that capture their web proxy traffic logs and want to receive alerts for fast-flux domains that have been captured in the logs of the web proxy event source.
Introduction
The primary role of the Domain Name System (DNS) is to hierarchically name computers or any other resources connected to the Internet or a private network. The Domain Name System associates an IP address with a given domain name for a period of time. This Time To Live (TTL) period depends on the type of lease. Botnets and other malicious hosts take advantage of the TTL period and use a technique known as DNS fast flux. The DNS servers have a very short TTL associated with a domain, which allows for a continual reassignment of IP addresses to these domain names. Some of these fast-flux domains behave as peers and share the role of a command and control server, as is sometimes found in phishing attacks. Because of the constant DNS flux, it becomes very difficult to determine the source of such botnets or malicious hosts. This rule attempts to track fast-fluxing domains by caching on a specific domain name and checking whether the IP assignments to that domain are short-lived, which indicates that it may be part of a fast-flux domain.
Requirements
Device Class or Systems
This rule uses the Web Logs device class and monitors events from web proxy event sources. Currently the rule fires alerts for logs from the Blue Coat Systems ProxySG SGOS event source.
Technical Analysis
Rule Logic
All the rules in this rule set have the same architecture and are implemented as two logical circuits joined by a FOLLOWED BY clause. This rule examines the web proxy logs and searches for suspicious activity within these logs.
The characterization of all traffic happens in the first circuit, where the rule looks for specific domain, status, category, and web page information in the event. The original IP address of the server is also cached in this circuit. The second circuit compares the server IP address for the subsequent events within a specified time-frame (by default, one hundred and eighty seconds). The rule threads on the web_host variable, which contains the information about the Fully Qualified Domain Name (FQDN). In the first circuit, the filter, status, domain, and webpage variables are filtered during each event. This filters the traffic so that only the events that satisfy the criteria for filters are considered by the rule. The second circuit compares the supplier_ip variable with the cached IP variable, DestAddress. If the cached IP variable differs from the supplier_ip, an alert is triggered.
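The two-circuit logic just described, as an added Python illustration that is not RSA enVision code: circuit 1 filters proxy events and caches the supplier IP as DestAddress per web_host, and circuit 2 alerts when a later event for the same web_host within the 180-second window carries a different supplier_ip. The event fields web_host and supplier_ip follow the variable names in the text; the ts (epoch seconds) and status fields, the reduced filter (status 200 only), and all sample events are constructed assumptions for this example.

```python
"""Added example (not RSA's rule engine): CRL-00201 fast-flux check in Python."""

WINDOW_SECONDS = 180  # the rule's default comparison window

# Constructed web-proxy events. Hosts use the reserved .test TLD and
# documentation IP ranges; 'ts' is an assumed epoch-seconds timestamp.
SAMPLE_EVENTS = [
    # same supplier IP within the window -> no alert
    {"ts": 1000, "web_host": "cdn.example.test", "supplier_ip": "203.0.113.10", "status": "200"},
    {"ts": 1030, "web_host": "cdn.example.test", "supplier_ip": "203.0.113.10", "status": "200"},
    # supplier IP changes 45 s after caching -> alert
    {"ts": 1000, "web_host": "flux.example.test", "supplier_ip": "198.51.100.7", "status": "200"},
    {"ts": 1045, "web_host": "flux.example.test", "supplier_ip": "198.51.100.88", "status": "200"},
    # supplier IP changes, but 300 s later (outside the window) -> cache refreshed, no alert
    {"ts": 1200, "web_host": "stable.example.test", "supplier_ip": "192.0.2.5", "status": "200"},
    {"ts": 1500, "web_host": "stable.example.test", "supplier_ip": "192.0.2.9", "status": "200"},
    # fails the circuit-1 filter (non-200 status) -> never characterized
    {"ts": 1010, "web_host": "blocked.example.test", "supplier_ip": "192.0.2.77", "status": "403"},
]


def first_circuit_matches(ev):
    """Circuit 1 filter. The real rule filters on status, domain, category and
    web page; this example keeps only the status check (assumed: status 200)."""
    return bool(ev.get("web_host")) and ev.get("status") == "200"


def detect_fast_flux(events, window=WINDOW_SECONDS):
    """Thread on web_host. Circuit 1 caches DestAddress (the supplier_ip of the
    characterizing event); circuit 2 compares later supplier_ip values against
    it within `window` seconds and returns one alert per mismatch."""
    cache = {}   # web_host -> (DestAddress, timestamp of the caching event)
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if not first_circuit_matches(ev):
            continue
        host = ev["web_host"]
        cached = cache.get(host)
        if cached is None or ev["ts"] - cached[1] > window:
            # No live cache entry for this host: circuit 1 (re)caches its IP.
            cache[host] = (ev["supplier_ip"], ev["ts"])
            continue
        dest_address, cached_at = cached
        if ev["supplier_ip"] != dest_address:
            alerts.append({
                "web_host": host,
                "cached_ip": dest_address,
                "new_ip": ev["supplier_ip"],
                "seconds_since_cache": ev["ts"] - cached_at,
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_fast_flux(SAMPLE_EVENTS):
        print(alert)
```

The window matters: a legitimate CDN or round-robin host can also change supplier IPs, so a longer window raises the false-positive rate while a shorter one misses slower flux; 180 seconds is the page's default, and the threshold and the circuit-1 filters are the tuning points.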
Quick Deployment
Event Source Configuration
Configure Blue Coat Systems Security Gateway OS to send logs to enVision. For instructions, see the Blue Coat Systems Security Gateway OS configuration document on RSA SecurCare Online.