Anomaly

Use the JSA Anomaly Content Extension to closely monitor for anomalies.

JSA Anomaly Content Extension V1.0.3

Content extension no longer displays an incorrect number of rules.


JSA Anomaly Content Extension V1.0.2

The following table shows the rules and building blocks that are updated in JSA Anomaly Content Extension V1.0.2.

Table 1: Rules and Building Blocks in JSA Anomaly Content Extension V1.0.2

| Type | Name | Description |
|---|---|---|
| Building Block | BB:DeviceDefinition: FW / Router / Switch | Updated building block with FW/Router/Switch devices. |
| Rule | Excessive Firewall Accepts From Multiple Sources to a Single Destination | Renamed rule to match the naming standard. |
| Rule | Systems using many different protocols | Renamed rule to match the naming standard. |
| Rule | Single IP with Multiple MAC Addresses | Renamed rule to match the naming standard. |


JSA Anomaly Content Extension V1.0.1

The following table shows the rules and building blocks that are updated in JSA Anomaly Content Extension V1.0.1.

Table 2: Rules and Building Blocks in JSA Anomaly Content Extension V1.0.1

| Type | Name | Description |
|---|---|---|
| Building Block | BB:DeviceDefinition: FW / Router / Switch | No updates. Dependent on another rule and must be included in the extension framework. |
| Building Block | BB:HostDefinition: DHCP Servers | No updates. Dependent on another rule and must be included in the extension framework. |
| Building Block | BB:CategoryDefinition: Successful Communication | No updates. Dependent on another rule and must be included in the extension framework. |
| Rule | Anomaly: Excessive Firewall Accepts From Multiple Sources to a Single Destination | Added a rule test to the BB:DeviceDefinition: FW / Router / Switch building block. |
| Rule | Anomaly: Systems using many different protocols | Added a rule test to the BB:DeviceDefinition: FW / Router / Switch building block. |
| Rule | Single IP with Multiple MAC Addresses | Added a rule test to the BB:HostDefinition: DHCP Servers building block. |


JSA Anomaly Content Extension V1.0.0

The following table shows the rules and building blocks in JSA Anomaly Content Extension V1.0.0.

Table 3: Rules and Building Blocks in JSA Anomaly Content Extension V1.0.0

| Type | Name | Description |
|---|---|---|
| Building Block | BB:CategoryDefinition: Pre Reverse DMZ Jump | Identifies actions that may be seen within a DMZ jumping scenario. It is used mainly by Anomaly: DMZ Jumping and Anomaly: DMZ Reverse Tunnel. |
| Building Block | BB:CategoryDefinition: Authentication Success | Edit this building block to include all events that indicate successful attempts to access the network. |
| Building Block | BB:CategoryDefinition: Countries/Regions with no Remote Access | Edit this building block to include any geographic location that typically would not be allowed remote access to the enterprise. Once configured, you can enable the Anomaly: Remote Access from Foreign Country/Region rule. |
| Building Block | BB:CategoryDefinition: Firewall or ACL Accept | Edit this building block to include all events that indicate access to the firewall. |
| Building Block | BB:CategoryDefinition: Reverse DMZ Jump | Identifies actions that may be seen within a DMZ jumping scenario. It is used mainly by Anomaly: DMZ Jumping and Anomaly: DMZ Reverse Tunnel. |
| Building Block | BB:CategoryDefinition: Successful Communication | Defines flows that are typical of a successful communication. You may wish to drop the ratio to 64 bytes/packet; however, this will cause a lot of false positives and may require further tuning using flags and other properties. |
| Building Block | BB:CategoryDefinition: Pre DMZ Jump | Identifies actions that may be seen within a DMZ jumping scenario. It is used mainly by Anomaly: DMZ Jumping and Anomaly: DMZ Reverse Tunnel. |
| Building Block | BB:CategoryDefinition: Post DMZ Jump | Identifies actions that may be seen within a DMZ jumping scenario. It is used mainly by Anomaly: DMZ Jumping and Anomaly: DMZ Reverse Tunnel. |
| Building Block | BB:DeviceDefinition: FW / Router / Switch | Defines all firewalls, routers, and switches on the system. |
| Building Block | BB:HostDefinition: DHCP Servers | Edit this building block to define typical DHCP servers. This building block is used in conjunction with the BB:False Positive: DHCP Server False Positives Categories and BB:False Positive: DHCP Server False Positive Events building blocks. |
| Building Block | BB:NetworkDefinition: DMZ Addresses | Update this building block to include addresses that are included in the DMZ. This building block references the default network hierarchy. Update this building block if you are using a different network hierarchy. |
| Rule | Excessive Firewall Accepts From Multiple Sources to a Single Destination | Reports excessive Firewall Accepts to the same destination from at least 100 unique source IP addresses in 5 minutes. |
| Rule | DMZ Reverse Tunnel | Fires when connections appear to be bridged across the network's DMZ through a reverse tunnel. |
| Rule | Remote Inbound Communication from a Foreign Country/Region | Reports traffic from an IP address known to be in a country/region that does not have remote access rights. Before you enable this rule, configure the BB:CategoryDefinition: Countries/Regions with no Remote Access building block. You may have to remove web servers in the DMZ that are often probed by remote hosts with web scanners. |
| Rule | Remote Access from Foreign Country/Region | Reports successful logins or access from an IP address known to be in a country/region that does not have remote access rights. Before you enable this rule, configure the BB:CategoryDefinition: Countries/Regions with no Remote Access building block. |
| Rule | Single IP with Multiple MAC Addresses | Fires when the MAC address associated with a single IP address changes multiple times over a period of time. |
| Rule | Systems using many different protocols | Reports a local system connecting to the internet on more than 50 destination (DST) ports in one hour. Only successful connections are counted. The rule can be edited to also detect failed communications, which may also be useful. |
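The two threshold rules in the table ("at least 100 unique sources to one destination in 5 minutes" and "more than 50 destination ports from one host in one hour") are both windowed distinct-count tests. The Python below is an added illustration, not code from the content extension or from JSA; it replays constructed events through one generic evaluator that covers both rules, and the event field names (time, category, src_ip, dst_ip, dst_port) and sample addresses are assumptions for the example. Whether the destination is on the internet is not modelled.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Rule parameters as stated in the V1.0.0 table: a rule fires when the number of
# distinct "distinct"-field values seen per "key" inside a sliding "window" reaches
# "threshold". Field names are assumed for this example, not JSA property names.
RULES = {
    "Excessive Firewall Accepts From Multiple Sources to a Single Destination": {
        "category": "Firewall Accept", "key": "dst_ip", "distinct": "src_ip",
        "threshold": 100, "window": timedelta(minutes=5)},
    "Systems using many different protocols": {
        "category": "Successful Communication", "key": "src_ip", "distinct": "dst_port",
        "threshold": 51, "window": timedelta(hours=1)},  # "more than 50" ports
}


def evaluate(events, rules=RULES):
    """Replay events (dicts) in time order; return (rule, key, time) per firing.
    A key's window is cleared after it fires so one burst alerts only once."""
    state = defaultdict(deque)  # (rule, key) -> deque of (time, distinct value)
    fired = []
    for ev in sorted(events, key=lambda e: e["time"]):
        for name, r in rules.items():
            if ev["category"] != r["category"]:
                continue
            q = state[(name, ev[r["key"]])]
            q.append((ev["time"], ev[r["distinct"]]))
            cutoff = ev["time"] - r["window"]
            while q and q[0][0] < cutoff:  # expire entries older than the window
                q.popleft()
            if len({v for _, v in q}) >= r["threshold"]:
                fired.append((name, ev[r["key"]], ev["time"]))
                q.clear()
    return fired


def sample_events():
    """Constructed data: 100 sources hit 10.0.0.5 within 200 s (fires); the same
    sources hit 10.0.0.6 spread over 50 min (never 100 in 5 min, so no fire);
    one host reaches 30 ports in an hour (under the 50-port threshold)."""
    t0 = datetime(2024, 1, 1, 12, 0, 0)
    fw = lambda i, dst, step: {"time": t0 + timedelta(seconds=step * i), "category":
                               "Firewall Accept", "src_ip": f"203.0.113.{i + 1}", "dst_ip": dst}
    ev = [fw(i, "10.0.0.5", 2) for i in range(100)] + [fw(i, "10.0.0.6", 30) for i in range(100)]
    ev += [{"time": t0 + timedelta(minutes=p), "category": "Successful Communication",
            "src_ip": "10.0.0.42", "dst_port": 1024 + p} for p in range(30)]
    return ev
```

Running evaluate(sample_events()) yields exactly one firing, for 10.0.0.5; the 10.0.0.6 stream shows why the 5-minute window matters, since the same 100 sources never co-occur inside it.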
