IBM Security Threat

The Threat Theme content extension adds rule content and building blocks to JSA that focus on threat events and detection. It supplements the base JSA rule set for administrators who have new JSA installations.

IBM Security Threat Content Extension V1.1.0

The following table shows the custom properties that are included in IBM Security Threat Content Extension V1.1.0.

Note

The custom properties that are included in this content extension are placeholders. You can download other content extensions that include custom properties with these names, or you can create your own.

Table 1: Custom Properties in IBM Security Threat Content Extension V1.1.0

Custom Property

Found in

Threat Name

URL

Web Category

The following table shows the rules and building blocks that are updated in IBM Security Threat Content Extension V1.1.0.

Table 2: Rules and Building Blocks in IBM Security Threat Content Extension V1.1.0

Type

Name

Description

Building Block

BB:Threats: Suspicious IP Protocol Usage: Illegal TCP Flag Combination

Identifies flows that have an illegal TCP flag combination.

Building Block

BB:Threats: Suspicious IP Protocol Usage: Suspicious ICMP Type Code

Identifies ICMP flows with suspicious Internet Control Message Protocol (ICMP) type codes.

Building Block

BB:Threats: Suspicious IP Protocol Usage: TCP or UDP Port 0

Identifies suspicious flows that use port 0.

Building Block

BB:HostDefinition:Proxy Servers

Edit this building block to define typical proxy servers. Used with the BB:False Positive: Proxy Server False Positives Categories and BB:False Positive: Proxy Server False Positive Events building blocks.

Building Block

BB:CategoryDefinition: Firewall or ACL Accept Event for a FW/Router/Switch Device

Defines firewall or ACL Accept events from firewall, router, and switch devices.

Building Block

BB:DeviceDefinition: AV/AM

Defines all anti-virus (AV) and anti-malware (AM) on the system.

Building Block

BB:DeviceDefinition: Proxy

Defines all proxy sources on the system.

Building Block

BB:DeviceDefinition: FW / Router / Switch

Defines all firewalls, routers, and switches on the system.

Building Block

BB:CategoryDefinition: Worm Events

Edit this building block to define worm events.

This building block only applies to events that are not detected by a custom rule.

Building Block

BB:CategoryDefinition: Unidirectional Flow SRC

Building Block

BB:Flowshape: Outbound Only

Matches flows that are outbound only.

Building Block

BB:CategoryDefinition: Recon Event Categories

Edit this building block to include all events that indicate reconnaissance activity.

Building Block

BB:CategoryDefinition: Suspicious Event Categories

Edit this building block to include all events that indicate suspicious activity.

Building Block

BB:Threats: Scanning: ICMP Scan Low

Identifies a low level of ICMP reconnaissance.

Building Block

BB:Threats: Suspicious IP Protocol Usage: Zero Payload Bidirectional Flows

Identifies bidirectional traffic that doesn't include payload.

Building Block

BB:Threats: Scanning: Scan High

Identifies a high level of potential reconnaissance.

Building Block

BB:CategoryDefinition: Unidirectional Flow

Building Block

BB:Threats: Suspicious IP Protocol Usage: Unidirectional ICMP Replys

Identifies traffic where ICMP replies are seen with no request.

Building Block

BB:Threats: Suspicious IP Protocol Usage: Unidirectional ICMP Flows

Identifies unidirectional ICMP flows.

Building Block

BB:Flowshape: Inbound Only

Matches flows that are inbound only.

Building Block

BB:CategoryDefinition: Recon Flows

Edit this building block to include all events that indicate suspicious activity.

Building Block

BB:Threats: Port Scans: UDP Port Scan

Identifies UDP based port scans.

Building Block

BB:Threats: Scanning: ICMP Scan Medium

Identifies a medium level of ICMP reconnaissance.

Building Block

BB:Threats: Scanning: Empty Responsive Flows Low

Detects potential reconnaissance activity where the source packet count is greater than 500.

Building Block

BB:CategoryDefinition: Suspicious Flows

Edit this building block to include all events that indicate suspicious activity.

Building Block

BB:CategoryDefinition: Suspicious Events

Edit this building block to include all events that indicate suspicious activity.

Building Block

BB:Threats: Suspicious IP Protocol Usage: Long Duration Outbound Flow

Identifies flows that have been active for more than 48 hours.

Building Block

BB:Threats: Scanning: Empty Responsive Flows Medium

Detects potential reconnaissance activity where the source packet count is greater than 5,000.

Building Block

BB:Threats: Suspicious IP Protocol Usage: Large ICMP Packets

Identifies flows with abnormally large ICMP packets.

Building Block

BB:Threats: Scanning: ICMP Scan High

Identifies a high level of ICMP reconnaissance.

Building Block

BB:Threats: Port Scans: Host Scans

Identifies potential reconnaissance by flows.

Building Block

BB:Threats: Scanning: Scan Medium

Identifies a medium level of potential reconnaissance.

Building Block

BB:Threats: Scanning: Scan Low

Identifies a low level of potential reconnaissance.

Building Block

BB:CategoryDefinition: Recon Events

Edit this building block to include all events that indicate reconnaissance activity.

Building Block

BB:Threats: Scanning: Potential Scan

Identifies potential reconnaissance by flows.

Building Block

BB:CategoryDefinition: Unidirectional Flow DST

Building Block

BB:Threats: Suspicious IP Protocol Usage:Unidirectional TCP Flows

Identifies unidirectional TCP flows.

Building Block

BB:CategoryDefinition: Mail Policy Violation

Edit this building block to include anything you consider to be a mail based policy violation. For example, outbound traffic on port 25 not originating from a mail server.

Building Block

BB:Threats: Scanning: Empty Responsive Flows High

Detects potential reconnaissance activity where the source packet count is greater than 100,000.

Building Block

BB:Threats: Suspicious IP Protocol Usage: Large DNS Packets

Identifies flows with abnormally large DNS packets.

Building Block

BB:Threats: Suspicious IP Protocol Usage:Unidirectional UDP and Misc Flows

Identifies unidirectional UDP and other miscellaneous flows.

Rule

Remote Proxy or Anonymization Service (Inbound)

  • New rule condition: "and when Source or Destination IP is categorized by X-Force as Anonymization Services with confidence value greater than 75"

  • Rule conditions reordered.

Rule

Remote Proxy or Anonymization Service (Outbound)

  • New rule condition: "and when Source or Destination IP is categorized by X-Force as Anonymization Services with confidence value greater than 75"

  • Rule conditions reordered.

Rule

WormDetection: Successful Connections to the Internet on Common Worm Ports

Updated a rule test to remove two building blocks and use a new one to validate against successful connections only:

and when any of these BB:CategoryDefinition: Successful Communication, BB:CategoryDefinition: Firewall or ACL Accept Event for a FW/Router/Switch Device with the same source IP more than 300 times, across more than 300 destination IP within 20 minutes

Rule

Successful Inbound Connection from a Known Botnet CandC

Rule conditions updated to filter events/flows correctly.

Rule

Communication with a web site that has been involved in previous SQL injection

Rule renamed (previously "site" rather than "web site").

Rule

Communication with a web site that is listed on a known blacklist or uses fast flux

Rule renamed (previously "site" rather than "web site").

Rule

Chained Exploit Followed by Suspicious Events on Third Host

Reports an exploit or attack type activity from the same source IP followed by suspicious account activity from the same destination IP as the original event within 15 minutes, if the source IP is not equal to the destination IP.

This rule is disabled by default because it is intended as an alternative to the Chained Exploit Followed by Suspicious Events rule that ignores events with the same source and destination IP.

Rule

Multiple Threats Detected on Same Host

Indicates that multiple threats are detected on the same host.

Rule

Same Threat Detected on Multiple Hosts

Indicates that the same threat is detected on multiple hosts that are not servers.

Rule

Same Threat Detected on Multiple Servers

Indicates that the same threat is detected on multiple hosts that are servers.

Rule

Same Threat Detected on Same Host

Indicates that the same threat is detected on the same host. This might indicate that the AV is cleaning a file that is generated by the threat and not the threat itself. The time window should be large enough to cover at least two cycles of checks made by the AV.

Rule

Same Threat Detected on Same Network Different Hosts

Indicates that the same threat is detected on different hosts in the same network hierarchy.

Rule

Failed Communication to a Malicious Website

Alerts when a failed communication to a malicious website is made.

Rule

Successful Communication to a Malicious Website

Alerts when a successful communication to a malicious website is made.
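The WormDetection rule test quoted in the table above ("same source IP more than 300 times, across more than 300 destination IP within 20 minutes", counted only against successful connections) is a sliding-window aggregation. The following block is an added example that implements that counting logic in Python over constructed flow records; it is not JSA's rule engine or any code from the content extension. The port list standing in for BB:PortDefinition: Common Worm Ports, the flow record layout and all sample addresses and timestamps are assumptions made for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Thresholds taken from the rule test quoted on this page: same source IP more
# than 300 times, across more than 300 destination IPs, within 20 minutes.
MIN_EVENTS = 300
MIN_DISTINCT_DST = 300
WINDOW = timedelta(minutes=20)

# Stand-in for BB:PortDefinition: Common Worm Ports. The real building block's
# port list is not on this page; these values are constructed for the example.
WORM_PORTS = {135, 139, 445, 1433, 4444}


def find_worm_candidates(flows, min_events=MIN_EVENTS,
                         min_distinct_dst=MIN_DISTINCT_DST, window=WINDOW):
    """Sliding-window evaluation of the rule test.

    flows: iterable of (timestamp, src_ip, dst_ip, dst_port, accepted), sorted
    by timestamp. Only accepted flows to worm ports are counted, standing in
    for the Successful Communication / Firewall Accept building blocks.
    Returns the set of source IPs that exceeded both thresholds inside some
    window of the given length.
    """
    recent = defaultdict(deque)   # src_ip -> deque of (timestamp, dst_ip) still inside the window
    hits = set()
    for ts, src, dst, port, accepted in flows:
        if not accepted or port not in WORM_PORTS:
            continue
        q = recent[src]
        q.append((ts, dst))
        while ts - q[0][0] > window:   # expire records older than the window
            q.popleft()
        if len(q) > min_events and len({d for _, d in q}) > min_distinct_dst:
            hits.add(src)
    return hits


def build_sample_flows():
    """Constructed flow records (not real data) covering four behaviours."""
    t0 = datetime(2024, 1, 1, 12, 0, 0)
    flows = []
    # 1. Scanner-like host: 350 accepted SMB connections to 350 distinct hosts in under 10 minutes.
    for i in range(350):
        flows.append((t0 + timedelta(seconds=i * 1.7), "10.0.0.7",
                      f"10.1.{i // 250}.{i % 250 + 1}", 445, True))
    # 2. Busy but legitimate server: 400 accepted connections to only 5 destinations.
    for i in range(400):
        flows.append((t0 + timedelta(seconds=i * 1.5), "10.0.0.20",
                      f"10.2.0.{i % 5 + 1}", 445, True))
    # 3. Slow spread: 350 distinct destinations, but spread over ~60 minutes
    #    (about 117 flows per 20-minute window, below the threshold).
    for i in range(350):
        flows.append((t0 + timedelta(seconds=i * 10.3), "10.0.0.31",
                      f"10.3.{i // 250}.{i % 250 + 1}", 139, True))
    # 4. Denied attempts: same shape as the scanner but blocked; must not count.
    for i in range(350):
        flows.append((t0 + timedelta(seconds=i * 1.7), "10.0.0.42",
                      f"10.4.{i // 250}.{i % 250 + 1}", 445, False))
    flows.sort(key=lambda f: f[0])
    return flows


if __name__ == "__main__":
    print(sorted(find_worm_candidates(build_sample_flows())))
```

Only the scanner-like host trips the test: the busy server fails the distinct-destination condition, the slow spread never accumulates more than 300 flows in any 20-minute window, and the denied attempts are filtered out before counting. Widening the window to 60 minutes makes the slow spread fire as well, which is the trade-off the rule's time bound represents.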

The following table shows the reference data that is updated in IBM Security Threat Content Extension V1.1.0.

Table 3: Reference Data in IBM Security Threat Content Extension V1.1.0

Type

Name

Description

Reference Set

Malicious Web Categories

Defines malicious web categories.

It is prepopulated with seven malicious web categories.

IBM Security Threat Content Extension V1.0.3

The following table shows the rules that are updated in IBM Security Threat Content Extension V1.0.3.

Table 4: Rules in IBM Security Threat Content Extension V1.0.3

Type

Name

Change description

Rule

Successful Inbound Connection from a Known Botnet Command and Control

Updated a rule test to change an 'any' value to 'all'. Administrators who modified this rule need to review their rule tests to confirm that the 'all' value is set:

and when a flow or an event matches all of the following BB:CategoryDefinition: Firewall or ACL Accept, BB:CategoryDefinition: Successful Communication, BB:DeviceDefinition: FW / Router / Switch

IBM Security Threat Content Extension V1.0.2

The following table shows the building blocks that are updated in IBM Security Threat Content Extension V1.0.2.

Table 5: Building Blocks in IBM Security Threat Content Extension V1.0.2

Type

Name

Change description

Building Block

BB:Suspicious: Remote: Unidirectional UDP or Misc Flows

Updated the last rule test of the remote flows BB to use one of the following tests:

and when BB:Threats:Suspicious IP Protocol Usage: Unidirectional UDP and Misc Flows match at least 15 times in 1 minutes

Building Block

BB:Suspicious: Local: Unidirectional UDP or Misc Flows

Updated the last rule test of the local flows BB to use one of the following tests:

and when BB:Threats:Suspicious IP Protocol Usage: Unidirectional UDP and Misc Flows match at least 15 times in 1 minutes.

IBM Security Threat Content Extension V1.0.1

The following table shows the rules and building blocks that are updated in IBM Security Threat Content Extension V1.0.1.

Table 6: Rules and Building Blocks in IBM Security Threat Content Extension V1.0.1

Type

Name

Change description

Rule

Botnet: Potential Botnet Connection (DNS)

Added the rule test BB:DeviceDefinition: FW/Router/Switch to the rule.

Rule

WormDetection: Successful Connections to the Internet on Common Worm Ports

Added the rule test BB:DeviceDefinition: FW/Router/Switch to the rule.

Rule

Botnet: Successful Inbound Connection from a Known Botnet Command and Control

Added the rule test BB:DeviceDefinition: FW/Router/Switch to the rule.

Building Block

BB:DeviceDefinition: FW / Router / Switch

No updates. Dependent on another rule and must be included in the extension framework.

Building Block

BB:CategoryDefinition: Pre DMZ Jump

No updates. Dependent on another rule and must be included in the extension framework.

Building Block

BB:CategoryDefinition: Post DMZ Jump

No updates. Dependent on another rule and must be included in the extension framework.

IBM Security Threat Content Extension V1.0.0

The Threat Theme extension adds 2 custom event properties for identifying URLs, 10 reference sets, 58 threat-related rules, and 56 building blocks for a total of 126 content add-ons for JSA. This extension / content pack is required for any administrators with X-Force Premium IP Reputation Feeds enabled on their JSA appliances. The installation of this content adds required X-Force rules that work with the reputation feeds from the IBM X-Force Exchange.

Name

Regex

URL

\(URL=(.*?)\)

URL

(?:cs-uri=| )(?:http|ftp|tcp|https):\/\/(.+?)\s
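The two regexes listed above are what populate the URL custom event property. The following block is an added example, not code from JSA or the content extension, that applies those two patterns to constructed sample payloads the way a regex-based custom property does (the property value is capture group 1 of the first pattern that matches). The payloads, the pattern labels and the helper names are assumptions made for the example; the two regexes themselves are copied from the table.

```python
import re

# The two regexes are exactly the ones listed for the URL custom event
# properties on this page; everything else in this block is added example code.
URL_PROPERTY_REGEXES = {
    "URL (URL= in parentheses)": re.compile(r"\(URL=(.*?)\)"),
    "URL (cs-uri= or space-delimited scheme)": re.compile(
        r"(?:cs-uri=| )(?:http|ftp|tcp|https):\/\/(.+?)\s"
    ),
}


def extract_url(payload):
    """Emulate a regex-based custom event property: the property value is
    capture group 1 of the first pattern that matches the payload.
    Returns (pattern_name, value), or None when neither pattern matches."""
    for name, regex in URL_PROPERTY_REGEXES.items():
        match = regex.search(payload)
        if match:
            return name, match.group(1)
    return None


def unextracted(payloads):
    """Payloads for which the URL property would stay empty. A quick coverage
    check before building rules on the property, since the page notes the
    shipped custom properties are placeholders until a matching extension or
    a custom definition supplies them."""
    return [p for p in payloads if extract_url(p) is None]


# Constructed sample payloads (not real log data).
SAMPLE_PAYLOADS = [
    # Parenthesised URL= form, e.g. a web-filter event; scheme is retained
    "proxy01 webfilter: user=alice action=block (URL=http://bad.example/dl.exe) category=Malware",
    # W3C-style cs-uri= field; the capture starts after the scheme
    "proxy02 squid: cs-uri=https://intranet.example/app?id=7 cs-method=GET sc-status=200",
    # Space-delimited URL in free text; ftp:// is in the scheme alternation
    "fw01 flow: src=10.0.0.5 dst=203.0.113.9 GET ftp://files.example/pub/ bytes=1200",
    # URL at the very end of the payload: the trailing \s never matches
    "proxy02 squid: cs-uri=https://trailing.example/no-space",
]


if __name__ == "__main__":
    for payload in SAMPLE_PAYLOADS:
        print(extract_url(payload))
    print("no URL extracted:", unextracted(SAMPLE_PAYLOADS))
```

Two behaviours are worth knowing before a rule depends on this property: the second pattern keeps only the host and path (the scheme is outside the capture group), so values from the two patterns are not directly comparable, and it requires whitespace after the URL, so a payload that ends with the URL yields no value at all. Running `unextracted` over a sample of each log source's payloads shows which sources need an adjusted pattern.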

Name

Type

DNS Servers

Reference set

Database Servers

Reference set

DHCP Servers

Reference set

FTP Servers

Reference set

LDAP Servers

Reference set

Mail Servers

Reference set

Proxy Servers

Reference set

SSH Servers

Reference set

Web Servers

Reference set

Windows Servers

Reference set

Name

Category

X-Force Premium: Internal Host Communication with Malware URL

Threats (X-Force)

X-Force Premium: Internal Connection to Host Categorized as Malware

Threats (X-Force)

X-Force Premium: Internal Host Communicating with Botnet Command and Control URL

Threats (X-Force)

X-Force Premium: Internal Hosts Communicating with Host Categorized as Anonymizers

Threats (X-Force)

X-Force Premium: Servers Communicating with External IP Classified as Dynamic

Threats (X-Force)

X-Force Premium: Non-Servers Communicating with External IP Classified as Dynamic

Threats (X-Force)

X-Force Premium: Non-Mail Server Sending Mail to Servers Categorized as SPAM

Threats (X-Force)

X-Force Premium: Mail Server Sending Mail to Servers Categorized as SPAM

Threats (X-Force)

Local Mass Mailing Host Detected

Post-Intrusion Activity

Remote: Client Based DNS Activity to the Internet

Post-Intrusion Activity

Possible Local Worm Detected

Post-Intrusion Activity

Local: Hidden FTP Server

Post-Intrusion Activity

Local: SSH or Telnet Detected on Non-Standard Port

Post-Intrusion Activity

Successful Connections to the Internet on Common Worm Ports

Post-Intrusion Activity

Worm Detected (Events)

Post-Intrusion Activity

Local Host Sending Malware

Malware

Remote: IRC Connections

Compliance

Remote: IM/Chat

Compliance

Remote: Local P2P Server Detected

Compliance

Remote: Usenet Usage

Compliance

Remote: SSH or Telnet Detected on Non-Standard Port

Compliance

Remote: Local P2P Client Detected

Compliance

Remote: Local P2P Client Connected to more than 100 Servers

Compliance

Remote: Local P2P Server connected to more than 100 Clients

Compliance

Remote: Hidden FTP Server

Compliance

Communication with a website known to be involved in botnet activity

Threats

Local: Hidden FTP Server

Threats

Local: SSH or Telnet Detected on Non-Standard Port

Threats

Remote: Local P2P Client Detected

Threats

Connection to a Remote Proxy or Anonymization Service (Outbound)

Threats

Communication with a website known to be associated with the Russian business network

Threats

Communication with a website known to aid in distribution of malware

Threats

Potential Botnet Connection (DNS)

Threats

Remote: IM/Chat

Threats

Potential Botnet Events Become Offenses

Threats

Remote: Hidden FTP Server

Threats

Potential Honeypot Access

Threats

Successful Inbound Connection from a Known Botnet CandC

Threats

Remote: Local P2P Server Detected

Threats

Remote: Local P2P Server connected to more than 100 Clients

Threats

Remote: SMTP Mail Sender

Threats

Remote: SSH or Telnet Detected on Non-Standard Port

Threats

Communication with a site that has been involved in previous SQL injection

Threats

Potential Connection to a Known Botnet CandC

Threats

Local host on Botnet CandC List (SRC)

Threats

Local host on Botnet CandC List (DST)

Threats

Communication with a website known to be delivering code which may be a trojan

Threats

Communication with a website known to be a phishing or fraud site

Threats

Communication with a site that is listed on a known blacklist or uses fast flux

Threats

Connection to a Remote Proxy or Anonymization Service (Inbound)

Threats

Remote: Local P2P Client Connected to more than 100 Servers

Threats

Remote: IRC Connections

Botnet

Potential Botnet Connection (DNS)

Botnet

Potential Botnet Events Become Offenses

Botnet

Successful Inbound Connection from a Known Botnet CandC

Botnet

Potential Connection to a Known Botnet CandC

Botnet

Local host on Botnet CandC List (SRC)

Botnet

Local host on Botnet CandC List (DST)

Botnet

Name

Category

BB:ProtocolDefinition: Windows Protocols

Port\Protocol Definition

BB:PortDefinition: Database Ports

Port\Protocol Definition

BB:PortDefinition: FTP Ports

Port\Protocol Definition

BB:PortDefinition: IRC Ports

Port\Protocol Definition

BB:PortDefinition: Windows Ports

Port\Protocol Definition

BB:PortDefinition: SNMP Ports

Port\Protocol Definition

BB:PortDefinition: RPC Ports

Port\Protocol Definition

BB:PortDefinition: Syslog Ports

Port\Protocol Definition

BB:PortDefinition: SSH Ports

Port\Protocol Definition

BB:PortDefinition: LDAP Ports

Port\Protocol Definition

BB:PortDefinition: Mail Ports

Port\Protocol Definition

BB:PortDefinition: DNS Ports

Port\Protocol Definition

BB:PortDefinition: DHCP Ports

Port\Protocol Definition

BB:PortDefinition: Web Ports

Port\Protocol Definition

BB:PortDefinition: Common Worm Ports

Port\Protocol Definition

BB:HostReference: LDAP Servers

Host Definitions

BB:HostDefinition: Virus Definition and Other Update Servers

Host Definitions

BB:HostDefinition: FTP Servers

Host Definitions

BB:HostDefinition: DMZ Assets

Host Definitions

BB:HostReference: Web Servers

Host Definitions

BB:HostDefinition: Windows Servers

Host Definitions

BB:HostDefinition: Servers

Host Definitions

BB:HostReference: FTP Servers

Host Definitions

BB:HostDefinition: SSH Servers

Host Definitions

BB:HostDefinition: Database Servers

Host Definitions

BB:HostDefinition: LDAP Servers

Host Definitions

BB:HostDefinition: Web Servers

Host Definitions

BB:HostDefinition: Syslog Servers and Senders

Host Definitions

BB:HostDefinition: Mail Servers

Host Definitions

BB:HostDefinition: DNS Servers

Host Definitions

BB:HostReference: Windows Servers

Host Definitions

BB:HostDefinition: VoIP PBX Server

Host Definitions

BB:HostReference: DNS Servers

Host Definitions

BB:HostReference: Database Servers

Host Definitions

BB:HostDefinition: RPC Servers

Host Definitions

BB:HostReference: SSH Servers

Host Definitions

BB:HostReference: Mail Servers

Host Definitions

BB:HostDefinition: Network Management Servers

Host Definitions

BB:HostDefinition: DHCP Servers

Host Definitions

BB:HostDefinition: Proxy Servers

Host Definitions

BB:HostReference: Proxy Servers

Host Definitions

BB:HostDefinition: SNMP Sender or Receiver

Host Definitions

BB:HostReference: DHCP Servers

Host Definitions

BB:Policy Violation: IRC IM Policy Violation: IRC Connection to Internet

Policy

BB:Policy Violation: Mail Policy Violation: Outbound Mail Sender

Policy

BB:Policy Violation: IRC IM Policy Violation: IM Communications

Policy

BB:Policy Violation: Application Policy Violation: NNTP to Internet

Policy

BB:CategoryDefinition: IRC Detection based on Firewall Events

Category Definitions

BB:CategoryDefinition: Firewall or ACL Accept

Category Definitions

BB:CategoryDefinition: Any Flow

Category Definitions

BB:CategoryDefinition: Successful Communication

Category Definitions

BB:CategoryDefinition: IRC Detected based on Event Category

Category Definitions

BB:CategoryDefinition: IRC Detected based on Application

Category Definitions

BB:CategoryDefinition: Firewall or ACL Denies

Category Definitions

BB:Suspicious: Remote: Unidirectional UDP or Misc Flows

Category Definitions

BB:Suspicious: Local: Unidirectional UDP or Misc Flows

Category Definitions

BB:NetworkDefinition: Honeypot like Addresses

Network Definition

BB:Threats: DoS: Potential Multihost Attack

Threats

Enabling X-Force Threat Intelligence in JSA

By enabling X-Force Threat Intelligence in JSA, you can receive feeds of the X-Force Threat Intelligence information to your console.

In JSA V2014.8 and later, the X-Force Threat Intelligence feed no longer needs to be purchased as a separate licensed subscription. After you update to JSA V2014.8, this feature is included with the standard license as part of the Service & Support contract.

Administrators who want access to the X-Force IP and URL reputation data feed must enable the X-Force Threat Intelligence feeds on their Console. Administrators can enable this feature from the System Settings screen of the Admin tab. All administrators must verify that the X-Force IP reputation feed is enabled before they attempt to enable X-Force rules on their appliance. Enabling the feed first prevents errors in JSA and ensures that the enabled rules receive the data they need to trigger properly.

Use the following steps to enable X-Force Threat Intelligence Feeds for JSA V2014.8 and later.

  1. Log in to JSA as an administrator.
  2. Click the Admin tab.
  3. Click the System Settings icon.
  4. From the Enable X-Force Threat Intelligence Feed drop-down menu, select Yes.
  5. Click Save.
  6. From the Admin tab, click Deploy Changes to enable the X-Force Threat Intelligence Feed for the deployment.

    Note

    Administrators must allow Internet access from the JSA Console to the following addresses to get X-Force Threat Intelligence Feed data from IBM. The following servers are contacted for X-Force data updates, licensing, dashboard widget feeds, and JSA automatic updates:

    Server Description

    X-Force Threat Intelligence Feed update server for IP reputation and URL data

    X-Force Threat Intelligence licensing server

After you enable the X-Force Threat Intelligence Feed, administrators who are on new installs need to ensure that they installed the Threat Content Extension. This procedure is discussed in the Installing Extensions by Using Extensions Management section, and it enables X-Force rules that work with the Threat Intelligence Feed.
