Compliance

Use the JSA Compliance Content Extension to enhance the base compliance content set for new JSA installations.

JSA Compliance Content Extension V1.0.6

Saved searches are now shared by default. All building blocks are now in groups.

JSA Compliance Content Extension V1.0.5

The following table shows the custom properties that are included in JSA Compliance Content Extension V1.0.5.

Note

The custom properties that are included in the following table are placeholders. You can download other content extensions that include custom properties with these names, or you can create your own.

Table 1: Custom Properties in JSA Compliance Content Extension V1.0.5

Custom Property | Found in
AccountName | Microsoft Windows

The following table shows the building block in JSA Compliance Content Extension V1.0.5.

Table 2: Building Block in JSA Compliance Content Extension V1.0.5

Name | Description
BB:CategoryDefinition: Auditing Changed | Added new QIDs and removed some other QIDs.

JSA Compliance Content Extension V1.0.4

The following table shows the custom properties that are new or updated in JSA Compliance Content Extension V1.0.4.

Table 3: Custom Properties in JSA Compliance Content Extension V1.0.4

Name | Optimized | Capture Group | Regex
AccountName | Yes | 2 | Account Name:\s*(.+?)\s+Account Name:\s*(.+?)\s+
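As an added illustration, not part of the extension or of the original page, the following Python applies the AccountName regex and capture group 2 from the table above to raw Windows logon payloads, the way a regex-based custom event property does. The payloads are constructed samples; their field order (the Subject account first, then the account that was logged on or failed to log on) follows the Windows Security event layout, which is why the second capture group, not the first, holds the account of interest. The function names are this example's own.

```python
import re
from typing import Optional

# Regex and capture group exactly as listed for the AccountName custom property
# in JSA Compliance Content Extension V1.0.4.
ACCOUNT_NAME_REGEX = re.compile(r"Account Name:\s*(.+?)\s+Account Name:\s*(.+?)\s+")
CAPTURE_GROUP = 2

# Constructed sample payloads (not real log data). Windows logon events carry two
# "Account Name:" fields: the Subject (the account that requested the logon, often
# a machine account or "-") and the account that was actually logged on or failed.
SAMPLE_EVENTS = {
    "failed_logon": (
        "An account failed to log on. Subject: Security ID: S-1-5-18 "
        "Account Name: WIN-DC01$ Account Domain: CORP Logon ID: 0x3E7 "
        "Logon Type: 3 Account For Which Logon Failed: Security ID: S-1-0-0 "
        "Account Name: jsmith Account Domain: CORP "
        "Failure Reason: Account currently disabled. "
    ),
    "successful_logon": (
        "An account was successfully logged on. Subject: Security ID: S-1-0-0 "
        "Account Name: - Account Domain: - Logon ID: 0x0 Logon Type: 3 "
        "New Logon: Security ID: S-1-5-21-1111-2222-3333-1001 "
        "Account Name: svc_backup Account Domain: CORP Logon ID: 0x5A3C1 "
    ),
    # Only one "Account Name:" field: the regex requires two, so nothing is extracted
    # and the custom property stays empty for this event.
    "single_account_field": (
        "Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 "
        "Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 "
    ),
}


def extract_account_name(payload: str, group: int = CAPTURE_GROUP) -> Optional[str]:
    """Return the value the custom property would hold for this payload.

    Runs the regex over the raw payload and keeps the configured capture group;
    returns None when the regex does not match, which is how an unmatched
    regex-based property behaves (empty, not an error).
    """
    match = ACCOUNT_NAME_REGEX.search(payload)
    if match is None:
        return None
    return match.group(group)


def extract_all(group: int = CAPTURE_GROUP) -> dict:
    """Extract the account name from every sample event."""
    return {name: extract_account_name(payload, group) for name, payload in SAMPLE_EVENTS.items()}


if __name__ == "__main__":
    for name, value in extract_all().items():
        print(f"{name}: {value!r}")
    # Group 1 spans everything between the two "Account Name:" fields (the Subject
    # account plus the fields that follow it), so it is not a usable account name.
    print("group 1 on failed_logon:", repr(extract_account_name(SAMPLE_EVENTS["failed_logon"], group=1)))
```

Because the regex is lazy but `.` does not cross line breaks, it only works on payloads that a collector delivers as a single line; if your log source keeps the original multi-line formatting, test the property against a real payload before relying on it in the rules below.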

The following table shows the rules and building blocks that are new or updated in JSA Compliance Content Extension V1.0.4.

Table 4: Rules and Building Blocks in JSA Compliance Content Extension V1.0.4

Type | Name | Description
Building Block | BB:DeviceDefinition: FW / Router / Switch | Defines all firewalls, routers, and switches on the system.
Building Block | BB:DeviceDefinition: IDS / IPS | Defines all intrusion detection systems (IDS) and intrusion prevention systems (IPS) on the system.
Building Block | BB:DeviceDefinition: VPN | Defines all virtual private networks (VPN) on the system.
Building Block | BB:Threats: Suspicious IP Protocol Usage: Illegal TCP Flag Combination | Identifies flows that have an illegal TCP flag combination.
Building Block | BB:Threats: Suspicious IP Protocol Usage: Suspicious ICMP Type Code | Identifies Internet Control Message Protocol (ICMP) flows with suspicious ICMP type codes.
Building Block | BB:Threats: Suspicious IP Protocol Usage: TCP or UDP Port 0 | Identifies suspicious flows using port 0.
Building Block | BB:CategoryDefinition: Superuser Accounts | Defines usernames that are superuser accounts, such as admin and root.
Rule | Possible Shared Accounts | Detects shared accounts. You need to add additional false positive system accounts.

JSA Compliance Content Extension V1.0.3

The following table shows the rules and building blocks in JSA Compliance Content Extension V1.0.3.

Table 5: Rules and Building Blocks in JSA Compliance Content Extension V1.0.3

Type | Name | Description
Building Block | BB:CategoryDefinition: Authentication to Disabled Account | Added the following QIDs:
  • 5001948: Failure Audit: An account failed to log on: Account Disabled
  • 5001959: An account failed to log on: Account Disabled
  • 5001954: Failure Audit: An account failed to log on: User Locked Out
  • 5001949: Failure Audit: An account failed to log on: Account Expired
  • 5001960: An account failed to log on: Account Expired
  • 5001951: Failure Audit: An account failed to log on: Logon Outside Normal Time
  • 5001962: An account failed to log on: Logon Outside Normal Time
Rule | Compliance: Traffic from Untrusted Network to Trusted Network | The rule test now triggers when a flow or event matches BB:NetworkDefinition: Untrusted Network Segment plus any of the following building blocks:
  • BB:NetworkDefinition: Trusted Source Network Segment
  • BB:NetworkDefinition: Trusted Destination Network Segment

JSA Compliance Content Extension V1.0.2

The following table shows the rules and building blocks in JSA Compliance Content Extension V1.0.2.

Table 6: Rules and Building Blocks in JSA Compliance Content Extension V1.0.2

Type | Name | Description
Building Block | BB:Suspicious: Remote: Unidirectional UDP or Misc Flows | The rule test for this building block now triggers when BB:Threats: Suspicious IP Protocol Usage:Unidirectional UDP and Misc Flows matches at least 15 times in one minute, instead of BB:Threats: Suspicious IP Protocol Usage:Unidirectional TCP Flows.
Building Block | BB:Suspicious: Local: Unidirectional UDP or Misc Flows | The rule test for this building block now triggers when BB:Threats: Suspicious IP Protocol Usage:Unidirectional UDP and Misc Flows matches at least 15 times in one minute, instead of BB:Threats: Suspicious IP Protocol Usage:Unidirectional TCP Flows.

JSA Compliance Content Extension V1.0.1

The following table shows the rules and building blocks in JSA Compliance Content Extension V1.0.1.

Table 7: Rules and Building Blocks in JSA Compliance Content Extension V1.0.1

Type | Name | Description
Building Block | BB:NetworkDefinition: Trusted Destination Network Segment | References the default network hierarchy. Update this building block if you are using a different network hierarchy.
Building Block | BB:NetworkDefinition: Trusted Source Network Segment | Updated the building block name to include Source Network. References the default network hierarchy. Update this building block if you are using a different network hierarchy.
Building Block | BB:CategoryDefinition: Authentication to Disabled Account | Added QID 5000475: Failure Audit: An account failed to log on.
Building Block | BB:CategoryDefinition: Authentication to Expired Account | Added the following QIDs:
  • 5001653: An account failed to log on. The specified account's password has expired.
  • 5001654: The domain controller failed to validate the credentials for an account.
Building Block | BB:DeviceDefinition: FW/Router/Switch | No updates. Another rule depends on it, so it must be included in the extension framework.
Rule | Compliance: Traffic from Untrusted Network to Internal Network | Added the new BB:NetworkDefinition: Trusted Destination Network Segment building block.
Rule | Compliance: Traffic from DMZ to Internal Network | Added new rule test: BB:DeviceDefinition: FW/Router/Switch. References the default network hierarchy. Update this rule if you are using a different network hierarchy.

JSA Compliance Content Extension V1.0.0

The following table shows the custom properties, searches, reference sets, and reports in JSA Compliance Content Extension V1.0.0.

Table 8: Custom Properties, Searches, Reference Sets, and Reports in JSA Compliance Content Extension V1.0.0

Type | Name
Custom Event Property | Account Name
Event search | Admin Logout by IP
Event search | By Host Virus Summary
Event search | By User Virus Summary
Event search | Daily Policy Violation Summary
Event search | DOS Attack by Source IP
Event search | DOS Attack by Type
Event search | DOS Attacks by Destination IP
Event search | Event Category Distribution
Event search | Exploit by Source
Event search | Exploits by Destination
Event search | Exploits by Type
Event search | Groups Changed from Remote Hosts
Event search | IDP Activity by Category
Event search | IDP Activity by Event
Event search | IDP Activity by Log Source
Event search | Log Failures to Expired or Disabled Accounts
Event search | Remote Access Failures (VPN and Others)
Event search | Remote Access Success (VPN and Other)
Event search | Top Authentication Failures by User
Event search | Top Authentications by User
Event search | Top IDS/IDP/IPS Rules
Event search | Top IDS/IPS Alerts by Destination IP
Event search | User Account Added by User
Event search | User Account Modified by User
Event search | User Account Removed by User
Event search | VPN Activity by Category
Event search | VPN Activity by Event
Event search | VPN Activity by Log Source
Event search | Web Requests by Destination
Event search | Web Requests by Log Source
Event search | Web Requests by Source
Event search | Top IDS/IPS Alert by Country/Region
Flow search | Bytes in by Destination ASN
Flow search | Bytes in by Destination IF Index
Flow search | Bytes in by Source ASN
Flow search | Bytes in by Source IF Index
Flow search | Link Utilization
Flow search | Top Destination Networks - Internal
Flow search | Top Source Networks
Reference set | Database Servers
Reference set | DHCP Servers
Reference set | DNS Servers
Reference set | FTP Servers
Reference set | LDAP Servers
Reference set | Mail Servers
Reference set | Proxy Servers
Reference set | SSH Servers
Reference set | Web Servers
Reference set | Windows Servers
Report | Daily ASN Traffic Summary
Report | Daily Attacker and Target Summary
Report | Daily Category Distribution
Report | Daily IDP-IDS Activity Summary
Report | Daily IfIndex Traffic Summary
Report | Daily Log/Event Distribution by Category
Report | Daily Network DOS Summary
Report | Daily Network Exploit Summary
Report | Daily Policy Violation Summary
Report | Daily User Account Activity Summary
Report | Daily Virus Summary
Report | Daily VPN Activity Summary
Report | Daily Web Access Summary
Report | Last 20 Failed Logins
Report | Last 20 Logoffs
Report | Last 20 Successful Logins
Report | Monthly ASN Traffic Summary
Report | Monthly Category Distribution
Report | Monthly IDP-IDS Activity Summary
Report | Monthly IfIndex Traffic Summary
Report | Monthly Network DOS Summary
Report | Monthly Network Exploit Summary
Report | Monthly Policy Violation Summary
Report | Monthly User Account Activity Summary
Report | Monthly Virus Summary
Report | Monthly VPN Activity Summary
Report | Monthly Web Access Summary
Report | Network Traffic Volume
Report | Weekly ASN Traffic Summary
Report | Weekly Category Distribution
Report | Weekly Group Changes from Remote Hosts
Report | Weekly IDP-IDS Activity Summary
Report | Weekly IfIndex Traffic Summary
Report | Weekly Login Failures to Disabled or Enabled Accounts
Report | Weekly Network DOS Summary
Report | Weekly Network Exploit Summary
Report | Weekly Policy Violation Summary
Report | Weekly User Account Activity Summary
Report | Weekly Virus Summary
Report | Weekly VPN Activity Summary
Report | Weekly Web Access Summary

The following table shows the rules and building blocks in JSA Compliance Content Extension V1.0.0.

Table 9: Rules and Building Blocks in JSA Compliance Content Extension V1.0.0

Type | Name | Description
Building Block | BB:DeviceDefinition: IDS / IPS | Defines all IDS and IPS devices on the system.
Building Block | BB:CategoryDefinition: Suspicious Flows | Edit this building block to include all events that indicate suspicious activity.
Building Block | BB:Threats: Suspicious IP Protocol Usage: Long Duration Outbound Flow | Identifies flows that have been active for more than 48 hours.
Building Block | BB:CategoryDefinition: Suspicious Events | Edit this building block to include all events that indicate suspicious activity.
Building Block | BB:CategoryDefinition: Unidirectional Flow SRC |
Building Block | BB:Flowshape: Outbound Only | Matches flows that are outbound only.
Building Block | BB:Threats: Suspicious IP Protocol Usage: Large ICMP Packets | Identifies flows with abnormally large ICMP packets.
Building Block | BB:Threats: Suspicious IP Protocol Usage: TCP or UDP Port 0 | Identifies suspicious flows using port 0.
Building Block | BB:CategoryDefinition: System Errors and Failures | Edit this building block to include all events that may indicate a system error or failure. By default, this building block applies when the event category for the event is one of the following System categories: Service Failure, System Error, System Failure.
Building Block | BB:CategoryDefinition: Suspicious Event Categories | Edit this building block to include all events that indicate suspicious activity.
Building Block | BB:Threats: Suspicious IP Protocol Usage: Zero Payload Bidirectional Flows | Identifies bidirectional traffic that doesn't include payload.
Building Block | BB:CategoryDefinition: Unidirectional Flow |
Building Block | BB:Threats: Suspicious IP Protocol Usage: Unidirectional ICMP Replys | Identifies traffic where ICMP replies are seen with no request.
Building Block | BB:Threats: Suspicious IP Protocol Usage: Unidirectional ICMP Flows | Identifies unidirectional ICMP flows.
Building Block | BB:Threats: Suspicious IP Protocol Usage: Illegal TCP Flag Combination | Identifies flows that have an illegal TCP flag combination.
Building Block | BB:Flowshape: Inbound Only | Matches flows that are inbound only.
Building Block | BB:CategoryDefinition: Unidirectional Flow DST |
Building Block | BB:Threats: Suspicious IP Protocol Usage:Unidirectional TCP Flows | Identifies unidirectional TCP flows.
Building Block | BB:NetworkDefinition: Honeypot like Addresses | Edit this building block by replacing the other network with network objects defined in your network hierarchy that are currently not in use in your network or are used in a honeypot or tarpit installation. Once these have been defined, you must enable the Anomaly: Potential Honeypot Access rule. You must also add a security/policy sentry to these network objects to generate events based on attempted access.
Building Block | BB:Threats: Suspicious IP Protocol Usage: Suspicious ICMP Type Code | Identifies ICMP flows with suspicious ICMP type codes.
Building Block | BB:Threats: Suspicious IP Protocol Usage: Large DNS Packets | Identifies flows with abnormally large DNS packets.
Building Block | BB:Threats: Suspicious IP Protocol Usage:Unidirectional UDP and Misc Flows | Identifies unidirectional UDP and other miscellaneous flows.
Building Block | BB:DeviceDefinition: VPN | Defines all VPNs on the system.
Building Block | BB:CategoryDefinition: Authentication Success | Edit this building block to include all events that indicate successful attempts to access the network.
Building Block | BB:CategoryDefinition: Authentication Failures | Edit this building block to include all events that indicate an unsuccessful attempt to access the network.
Building Block | BB:CategoryDefinition: Authentication to Disabled Account | Edit this building block to include all events that indicate failed attempts to access the network using a disabled account.
Building Block | BB:CategoryDefinition: Authentication to Expired Account | Edit this building block to include all events that indicate failed attempts to access the network using an expired account.
Building Block | BB:HostDefinition: Database Servers | Edit this building block to define typical database servers. This building block is used in conjunction with the BB:FalsePositive: Database Server False Positive Categories and BB:FalsePositive: Database Server False Positive Events building blocks.
Building Block | BB:PortDefinition: Database Ports | Edit this building block to include all common database ports.
Building Block | BB:HostReference: Database Servers |
Building Block | BB:CategoryDefinition: Countries/Regions with no Remote Access | Edit this building block to include any geographic location that typically would not be allowed remote access to the enterprise. Once configured, you can enable the Anomaly: Remote Access from Foreign Country/Region rule.
Building Block | BB:CategoryDefinition: Successful Communication | Defines flows which are typical of a successful communication. If you are paranoid, you may wish to drop the ratio to 64 bytes/packet; however, this will cause a lot of false positives and may require further tuning using flags and other properties.
Building Block | BB:CategoryDefinition: Superuser Accounts |
Building Block | BB:CategoryDefinition: IRC Detected Based on Application | Identifies IRC traffic that has been identified by application testing.
Building Block | BB:CategoryDefinition: IRC Detected Based on Event Category | Identifies IRC traffic that has been identified by events or categories.
Building Block | BB:Policy Violation: IRC IM Policy Violation: IRC Connection to Internet | Identifies an IRC connection to a remote host.
Building Block | BB:CategoryDefinition: IRC Detection Based on Firewall Events | Identifies IRC traffic that has been identified by events or categories.
Building Block | BB:CategoryDefinition: Firewall or ACL Accept | Edit this building block to include all events that indicate access to the firewall.
Building Block | BB:PortDefinition: IRC Ports | Edit this building block to include all common IRC ports.
Building Block | BB:ComplianceDefinition: GLBA Servers | Edit this building block to include your GLBA IP systems. You must then apply this building block to rules related to failed logins, remote access, etc.
Building Block | BB:ComplianceDefinition: HIPAA Servers | Edit this building block to include your HIPAA servers by IP address. You must then apply this building block to rules related to failed logins, remote access, etc.
Building Block | BB:ComplianceDefinition: SOX Servers | Edit this building block to include your SOX IP servers. You must then apply this building block to rules related to failed logins, remote access, etc.
Building Block | BB:ComplianceDefinition: PCI DSS Servers | Edit this building block to include your PCI DSS servers by IP address. You must then apply this building block to rules related to failed logins, remote access, etc.
Building Block | BB:NetworkDefinition: Untrusted Network Segment | Untrusted network locations, typically used in rules to detect when an untrusted location is communicating with a trusted location.
Building Block | BB:NetworkDefinition: Untrusted Local Networks |
Building Block | BB:NetworkDefinition: Inbound Communication from Internet to Local Host |
Building Block | BB:NetworkDefinition: Trusted Source Network Segment |
Building Block | BB:CategoryDefinition: System or Device Configuration Change |
Building Block | BB:CategoryDefinition: Auditing Changed |
Building Block | BB:PortDefinition: Authorized L2R Ports | Defines ports that are commonly seen in local to remote traffic.
Building Block | BB:Policy Violation: Compliance Policy Violation: Clear Text Application Usage | Identifies flows that are using unencrypted protocols like telnet and FTP.
Building Block | BB:HostDefinition: DHCP Servers | Edit this building block to define typical DHCP servers. This building block is used in conjunction with the BB:FalsePositive: DHCP Server False Positives Categories and BB:FalsePositive: DHCP Server False Positive Events building blocks.
Building Block | BB:PortDefinition: DHCP Ports | Edit this building block to include all common DHCP ports.
Building Block | BB:Policy Violation: IRC IM Policy Violation: IM Communications | Identifies flows that have been identified as Instant Messaging communications.
Building Block | BB:Threats: Remote Access Violations: Remote Desktop Access from Remote Hosts | Identifies flows where a remote desktop application is being accessed from a remote host.
Building Block | BB:Policy Violation: Application Policy Violation: NNTP to Internet | Identifies NNTP traffic to the internet.
Building Block | BB:Threats: Remote Access Violations: VNC Activity from Remote Hosts | Identifies flows where a VNC service is being accessed from a remote host.
Building Block | BB:HostDefinition: Servers | Edit this building block to define generic servers.
Building Block | BB:HostDefinition: DNS Servers | Edit this building block to define typical DNS servers. This building block is used in conjunction with the BB:FalsePositive: DNS Server False Positives Categories and BB:FalsePositive: DNS Server False Positive Events building blocks.
Building Block | BB:PortDefinition: DNS Ports | Edit this building block to include all common DNS ports.
Building Block | BB:HostDefinition: FTP Servers | Edit this building block to define typical FTP servers. This building block is used in conjunction with the BB:FalsePositive: FTP Server False Positives Categories and BB:FalsePositive: FTP Server False Positive Events building blocks.
Building Block | BB:PortDefinition: FTP Ports | Edit this building block to include all common FTP ports.
Building Block | BB:HostDefinition: LDAP Servers | Edit this building block to define typical LDAP servers. This building block is used in conjunction with the BB:FalsePositive: LDAP Server False Positives Categories and BB:FalsePositive: LDAP Server False Positive Events building blocks.
Building Block | BB:PortDefinition: LDAP Ports | Edit this building block to include all common ports used by LDAP servers.
Building Block | BB:HostDefinition: Mail Servers | Edit this building block to define typical mail servers. This building block is used in conjunction with the BB:FalsePositive: Mail Server False Positives Categories and BB:FalsePositive: Mail Server False Positive Events building blocks.
Building Block | BB:PortDefinition: Mail Ports | Edit this building block to include all common ports used by mail servers.
Building Block | BB:HostDefinition: Network Management Servers | Edit this building block to define typical network management servers.
Building Block | BB:HostDefinition: Proxy Servers | Edit this building block to define typical proxy servers. This building block is used in conjunction with the BB:FalsePositive: Proxy Server False Positives Categories and BB:FalsePositive: Proxy Server False Positive Events building blocks.
Building Block | BB:HostDefinition: RPC Servers | Edit this building block to define typical RPC servers. This building block is used in conjunction with the BB:FalsePositive: RPC Server False Positives Categories and BB:FalsePositive: RPC Server False Positive Events building blocks.
Building Block | BB:PortDefinition: RPC Ports | Edit this building block to include all common ports used by RPC servers.
Building Block | BB:HostDefinition: SNMP Sender or Receiver | Edit this building block to define SNMP senders or receivers. This building block is used in conjunction with the BB:PortDefinition: SNMP Ports building block.
Building Block | BB:PortDefinition: SNMP Ports | Edit this building block to include all common ports used by SNMP senders or receivers.
Building Block | BB:HostDefinition: SSH Servers | Edit this building block to define typical SSH servers. This building block is used in conjunction with the BB:FalsePositive: SSH Server False Positives Categories and BB:FalsePositive: SSH Server False Positive Events building blocks.
Building Block | BB:PortDefinition: SSH Ports | Edit this building block to include all common ports used by SSH servers.
Building Block | BB:HostDefinition: Virus Definition and Other Update Servers | Edit this building block to include all servers that provide virus protection and update functions.
Building Block | BB:HostDefinition: Web Servers | Edit this building block to define typical web servers. This building block is used in conjunction with the BB:FalsePositive: Web Server False Positives Categories and BB:FalsePositive: Web Server False Positive Events building blocks.
Building Block | BB:PortDefinition: Web Ports | Edit this building block to include all common ports used by web servers.
Building Block | BB:HostDefinition: Windows Servers | Edit this building block to define typical Windows servers, such as domain controllers or Exchange servers. This building block is used in conjunction with the BB:FalsePositive: Windows Server False Positives Categories and BB:FalsePositive: Windows Server False Positive Events building blocks.
Building Block | BB:PortDefinition: Windows Ports | Edit this building block to include all common ports used by Windows servers.
Building Block | BB:ProtocolDefinition: Windows Protocols | Edit this building block to include all common protocols (not including TCP) used by Windows servers that will be ignored for false positive tuning rules.
Building Block | BB:HostReference: DHCP Servers |
Building Block | BB:HostReference: DNS Servers |
Building Block | BB:HostReference: FTP Servers |
Building Block | BB:HostReference: LDAP Servers |
Building Block | BB:HostReference: Mail Servers |
Building Block | BB:HostReference: Proxy Servers |
Building Block | BB:HostReference: SSH Servers |
Building Block | BB:HostReference: Web Servers |
Building Block | BB:HostReference: Windows Servers |
Building Block | BB:CategoryDefinition: Failure Service or Hardware | Defines event categories that indicate failures within services or hardware.
Building Block | BB:HostBased: Critical Events | Defines event categories that indicate critical events.
Building Block | BB:CategoryDefinition: Service Started |
Building Block | BB:CategoryDefinition: Service Stopped |
Building Block | BB:DeviceDefinition: FW / Router / Switch | Defines all firewalls, routers, and switches on the system.
Building Block | BB:NetworkDefinition: Trusted Destination Network Segment |
Building Block | BB:Suspicious: Remote: Unidirectional UDP or Misc Flows | Detects an excessive number of unidirectional UDP and miscellaneous flows from a single source.
Building Block | BB:Suspicious: Local: Unidirectional UDP or Misc Flows | Detects an excessive number of unidirectional UDP and miscellaneous flows from a single source.
Rule | Login Failure to Disabled Account | Reports a host login message from a disabled user account. If the user is no longer a member of the organization, we recommend that you investigate any other received authentication messages from the same user.
Rule | Login Failure to Expired Account | Reports a host login failure message from an expired user account. If the user is no longer a member of the organization, we recommend that you investigate any other received authentication messages.
Rule | Database Groups Changed from Remote Host | Responds when groups on a database are changed from a remote network.
Rule | Remote Access from Foreign Country/Region | Reports successful logins or access from an IP address known to be in a country/region that does not have remote access rights. Before you enable this rule, we recommend that you configure the BB:CategoryDefinition: Countries/Regions with no Remote Access building block.
Rule | Remote Inbound Communication from a Foreign Country/Region | Reports traffic from an IP address known to be in a country/region that does not have remote access rights. Before you enable this rule, we recommend that you configure the BB:CategoryDefinition: Countries/Regions with no Remote Access building block. SMTP and DNS have been removed from this test because you have little control over that activity. You may also have to remove web servers in the DMZ that are often probed by remote hosts with web scanners.
Rule | No Activity for 60 Days | Reports an account that has not logged in for over 60 days.
Rule | Possible Shared Accounts | Detects shared accounts. You need to add additional false positive system accounts to the "and NOT when the event username matches the following ..." rule test.
Rule | Remote: IRC Connections | Detects a local host issuing an excessive number of IRC connections to the Internet.
Rule | Compliance Events Become Offenses | Reports compliance-based events, such as clear text passwords.
Rule | Excessive Failed Logins to Compliance IS | Reports excessive authentication failures to a compliance server within 10 minutes.
Rule | Multiple Failed Logins to a Compliance Asset |
Rule | Multiple Login Failures for Single Username | Reports authentication failures for the same username.
Rule | Multiple Login Failures from the Same Source | Reports authentication failures on the same source IP address with different usernames more than 10 times within 5 minutes.
Rule | Multiple Login Failures to the Same Destination | Reports when an authentication failure event happens at least 10 times to the same destination IP address from different source IP addresses and usernames within 5 minutes.
Rule | Compliance: Traffic from Untrusted Network to Trusted Network | Traffic from an "untrusted" network segment is passed to a "trusted" network segment. You need to edit the building blocks for trusted and untrusted networks before enabling this rule.
Rule | Compliance: Traffic from DMZ to Internal Network | Traffic is passed from the DMZ to an internal network. This is typically not allowed under compliance regulations. Make sure the DMZ object in the network hierarchy is defined before enabling this rule.
Rule | Configuration Changes Made to Compliance Devices | Detects when configuration changes are made to compliance devices. Before enabling this rule, add the compliance server log sources to the Compliance Servers log source group.
Rule | Auditing Services Changed on Compliance Host | Auditing services were changed on a compliance host. Before enabling this rule, be sure to define the hosts in the compliance definition building blocks and verify that the audit service changed events for your hosts are in the BB:CategoryDefinition: Auditing Changed building block.
Rule | Connection to Internet on Unauthorized Port | Typically, internet connections are limited to common applications such as web traffic and mail. Other communications may be suspicious and should be investigated. Before enabling this rule, the BB:PortDefinition: Authorized L2R Ports building block must be edited with a list of acceptable ports.
Rule | Create Offenses for All Chat Traffic based on Flows |
Rule | Create Offenses for All Instant Messenger Traffic | Reports Instant Messenger traffic or any event categorized as Instant Messenger traffic where the source is local and the destination is remote.
Rule | Create Offenses for All P2P Usage | Detects P2P traffic or any event categorized as P2P.
Rule | Create Offenses for All Policy Events | Reports policy events. By default, this rule is disabled. Enable this rule if you want all events categorized as policy to create an offense.
Rule | Create Offenses for All Porn Usage | Reports any traffic that contains illicit materials or any event categorized as porn. By default, this rule is disabled. Enable this rule if you want all events categorized as porn to create an offense.
Rule | Local: Clear Text Application Usage | Detects flows to or from the Internet where the application type uses clear text passwords. This may include applications such as Telnet, FTP, etc.
Rule | New DHCP Server Discovered | Fires when a DHCP server is discovered on the network.
Rule | New Host Discovered | Detects when a new host has been discovered on the network.
Rule | New Host Discovered in DMZ | Detects when a new host has been discovered on the network.
Rule | New Service Discovered | Detects when an existing host has a new service discovered on it.
Rule | New Service Discovered in DMZ | Detects when an existing host has a new service discovered on it.
Rule | Possible Local IRC Server | Reports a local host running a service on a typical IRC port or a flow that was detected as IRC. This is not typical for enterprises and should be investigated.
Rule | Remote: Clear Text Application Usage based on Flows | Detects flows to or from the Internet where the application type uses clear text passwords. This may include applications such as Telnet, FTP, etc.
Rule | Remote: Hidden FTP Server | Detects a remote FTP server on a non-standard port. The default port for FTP is TCP port 21. Detecting FTP on other ports may indicate an exploited host, where the attacker has installed this server to provide backdoor access to the host.
Rule | Remote: IM/Chat | Detects an excessive amount of IM/Chat traffic from a single source.
Rule | Remote: Local P2P Client Connected to more than 100 Servers | Detects local hosts operating as a Peer-to-Peer (P2P) server. This indicates a violation of local network policy and may indicate illegal activities, such as copyright infringement.
Rule | Remote: Local P2P Client Detected | Detects local hosts operating as a Peer-to-Peer (P2P) server. This indicates a violation of local network policy and may indicate illegal activities, such as copyright infringement.
Rule | Remote: Local P2P Server connected to more than 100 Clients | Detects local hosts operating as a Peer-to-Peer (P2P) server. This indicates a violation of local network policy and may indicate illegal activities, such as copyright infringement.
Rule | Remote: Local P2P Server Detected | Detects local hosts operating as a Peer-to-Peer (P2P) server. This indicates a violation of local network policy and may indicate illegal activities, such as copyright infringement.
Rule | Remote: Remote Desktop Access from the Internet | Detects the Microsoft Remote Desktop Protocol from the Internet to a local host. Most companies consider this a violation of corporate policy. If this is normal activity on your network, you should disable this rule.
Rule | Remote: SSH or Telnet Detected on Non-Standard Port | Detects an SSH or Telnet server on a non-standard port. The default ports for SSH and Telnet servers are TCP ports 22 and 23. Detecting SSH or Telnet operating on other ports may indicate an exploited host, where the attacker has installed these servers to provide backdoor access to the host.
Rule | Remote: Usenet Usage | Detects flows to or from a Usenet server. It is uncommon for legitimate business communications to use Usenet or NNTP services. The hosts involved may be violating corporate policy.
Rule | Remote: VNC Access from the Internet to a Local Host | Detects VNC (a remote desktop access application) from the Internet to a local host. Many companies consider this a policy issue that should be addressed. If this is normal activity on your network, disable this rule.
Rule | Potential P2P or VoIP Traffic Detected | Detects potential Peer to Peer traffic.
Rule | Multiple System Errors | Reports when a source has 10 system errors within 3 minutes.
Rule | Host Based Failures | Fires when the system sees events that indicate failures within services or hardware.
Rule | Critical System Events | Fires when the system sees critical events.
Rule | Service Stopped and not Restarted | Detects when a service has been stopped on a system and not restarted.