Intrusions

Use the JSA Intrusions Content Extension to focus on intrusion detection.

JSA Intrusions Content Extension V1.0.3

The following table shows the rules and building blocks in JSA Intrusions Content Extension V1.0.3.

Table 1: Rules and Building Blocks in JSA Intrusions Content Extension V1.0.3

| Type | Name | Description |
| --- | --- | --- |
| Rule | Destination Vulnerable to Detected Exploit | Detects an attack against a vulnerable local destination, where the host is known to exist, and the host is vulnerable to the attack. |
| Rule | Destination Vulnerable to Detected Exploit on a Different Port | Detects an attack against a vulnerable local destination host, where the host is known to exist, and the host is vulnerable to the attack on a different port. |
| Rule | Destination Vulnerable to Different Exploit than Attempted on Targeted Port | Detects an attack against a vulnerable local destination host, where the host is known to exist, and the host is vulnerable to some attack but not the one being attempted. |

The following table shows the reference data in JSA Intrusions Content Extension V1.0.3.

Table 2: Reference Data in JSA Intrusions Content Extension V1.0.3

| Type | Name | Description |
| --- | --- | --- |
| Reference Set | Database Servers | List of database IP addresses. |

JSA Intrusions Content Extension V1.0.2

The following table shows the rules and building blocks that are updated in JSA Intrusions Content Extension V1.0.2.

Table 3: Rules and Building Blocks in JSA Intrusions Content Extension V1.0.2

| Type | Name | Description |
| --- | --- | --- |
| Building Block | BB:DeviceDefinition: FW / Router / Switch | Updated building block with FW/Router/Switch devices. |
| Building Block | BB:DeviceDefinition: Database | Updated building block with database devices. |
| Building Block | BB:CategoryDefinition: Authentication to Disabled Account | Added the following QIDs: 5001948: Failure Audit: An account failed to log on: Account Disabled; 5001959: An account failed to log on: Account Disabled; 5001954: Failure Audit: An account failed to log on: User Locked Out; 5001965: An account failed to log on: User Locked Out; 5001949: Failure Audit: An account failed to log on: Account Expired; 5001960: An account failed to log on: Account Expired; 5001951: Failure Audit: An account failed to log on: Logon Outside Normal Time; 5001962: An account failed to log on: Logon Outside Normal Time. |
| Rule | Malware or Virus Clean Failed | New QIDs added to the rule: 42002833: Security risk found, Actual action: All actions failed; 42002836: Security risk found, Actual action: Left alone; 42002845: Virus Detected, Actual action: Left alone; 42003869: Virus Detected, Actual action: Actions failed. |

JSA Intrusions Content Extension V1.0.1

The following table shows the rules and building blocks in JSA Intrusions Content Extension V1.0.1.

Table 4: Building Blocks in JSA Intrusions Content Extension V1.0.1

| Type | Name | Description |
| --- | --- | --- |
| Building Block | BB:CategoryDefinition: Authentication to Disabled Account | Added QID 5000475: Failure Audit: An account failed to log on. |
| Building Block | BB:DeviceDefinition: FW / Router / Switch | No updates. Dependent on another rule and must be included in the extension framework. |
| Rule | Exploit: Exploits Followed by Firewall Accepts | Added the rule test BB:DeviceDefinition: FW/Router/Switch to the rule. |
| Rule | Anomaly: DMZ Jumping | Added the rule test BB:DeviceDefinition: FW/Router/Switch to the rule. |
| Rule | Anomaly: Excessive Firewall Accepts From Multiple Sources to a Single Destination | Added the rule test BB:DeviceDefinition: FW/Router/Switch to the rule. |
| Rule | Exploit: Destination Vulnerable to Detected Exploit on a Different Port | Updated the user interface name and the rule text description. |

JSA Intrusions Content Extension V1.0.0

The JSA Intrusions Content Extension V1.0.0 adds the Database Servers reference set to JSA.

The following rules and building blocks are included in JSA Intrusions Content Extension V1.0.0.

| Type | Name | Description |
| --- | --- | --- |
| Building Block | BB:BehaviorDefinition: Compromise Activities | Edit this building block to include categories that are considered to be part of events seen during typical compromises. |
| Building Block | BB:CategoryDefinition: Authentication Failures | Edit this building block to include all events that indicate an unsuccessful attempt to access the network. |
| Building Block | BB:CategoryDefinition: Authentication to Disabled Account | Edit this building block to include all events that indicate failed attempts to access the network using a disabled account. |
| Building Block | BB:CategoryDefinition: Authentication to Expired Account | Edit this building block to include all events that indicate failed attempts to access the network using an expired account. |
| Building Block | BB:CategoryDefinition: Countries/Regions with no Remote Access | Edit this building block to include any geographic location that typically would not be allowed remote access to the enterprise. Once configured, you can enable the Anomaly: Remote Access from Foreign Country/Region rule. |
| Building Block | BB:CategoryDefinition: Database Access Denied | Identifies database events that are considered denied access. |
| Building Block | BB:CategoryDefinition: DDoS Attack Events | Edit this building block to include all event categories that you wish to categorize as a DDoS attack. |
| Building Block | BB:CategoryDefinition: Exploits Backdoors and Trojans | Edit this building block to include all events that are typically exploits, backdoors, or trojans. |
| Building Block | BB:CategoryDefinition: Firewall or ACL Accept | Edit this building block to include all events that indicate access to the firewall. |
| Building Block | BB:CategoryDefinition: Firewall or ACL Denies | Edit this building block to include all events that indicate unsuccessful attempts to access the firewall. |
| Building Block | BB:CategoryDefinition: Key Loggers | Edit this building block to include all events associated with the monitoring of user activities through a key logger. |
| Building Block | BB:CategoryDefinition: Mail Policy Violation | Edit this building block to include anything you would consider to be a mail-based policy violation. An example might be outbound traffic on port 25 not originating from a mail server. |
| Building Block | BB:CategoryDefinition: Malware Annoyances | Edit this building block to include event categories that are typically associated with spyware infections. |
| Building Block | BB:CategoryDefinition: Network DoS Attack | Edit this building block to include all event categories that you wish to categorize as a network DoS attack. |
| Building Block | BB:CategoryDefinition: Post DMZ Jump | Identifies actions that may be seen within a DMZ jumping scenario. It is used mainly by the Anomaly: DMZ Jumping and Anomaly: DMZ Reverse Tunnel rules. |
| Building Block | BB:CategoryDefinition: Post Exploit Account Activity | Identifies events that generally happen after an exploit. |
| Building Block | BB:CategoryDefinition: Pre DMZ Jump | Identifies actions that may be seen within a DMZ jumping scenario. It is used mainly by the Anomaly: DMZ Jumping and Anomaly: DMZ Reverse Tunnel rules. |
| Building Block | BB:CategoryDefinition: Recon Event Categories | Edit this building block to include all events that indicate reconnaissance activity. |
| Building Block | BB:CategoryDefinition: Recon Events | Edit this building block to include all events that indicate reconnaissance activity. |
| Building Block | BB:CategoryDefinition: Recon Flows | Edit this building block to include all events that indicate suspicious activity. |
| Building Block | BB:CategoryDefinition: Service DoS | Edit this building block to define Denial of Service (DoS) attack events. |
| Building Block | BB:CategoryDefinition: Successful Communication | Defines flows that are typical of a successful communication. If you are paranoid, you may wish to drop the ratio to 64 bytes/packet; however, this will cause a lot of false positives and may require further tuning using flags and other properties. |
| Building Block | BB:CategoryDefinition: Virus Detected | This building block defines all virus detection events. |
| Building Block | BB:CategoryDefinition: Worm Events | Edit this building block to define worm events. This building block only applies to events not detected by a custom rule. |
| Building Block | BB:Database: System Action Deny | Edit this building block to include any events that indicate unsuccessful actions within a database. |
| Building Block | BB:DeviceDefinition: Database | This building block defines all databases on the system. |
| Building Block | BB:DeviceDefinition: FW / Router / Switch | This building block defines all firewalls, routers, and switches on the system. |
| Building Block | BB:FalseNegative: Events That Indicate Successful Compromise | Defines events that indicate a successful compromise. These events generally have 100% accuracy. |
| Building Block | BB:HostDefinition: Database Servers | Edit this building block to define typical database servers. This building block is used in conjunction with the BB:FalsePositive: Database Server False Positive Categories and BB:FalsePositive: Database Server False Positive Events building blocks. |
| Building Block | BB:HostReference: Database Servers | |
| Building Block | BB:NetworkDefinition: Darknet Addresses | Edit this building block to include networks that should be added to a Darknet list. |
| Building Block | BB:NetworkDefinition: DMZ Addresses | Edit this building block to include addresses that are included in the DMZ. |
| Building Block | BB:NetworkDefinition: Honeypot like Addresses | Edit this building block by replacing the "other" network with network objects defined in your network hierarchy that are currently not in use in your network or are used in a honeypot or tarpit installation. Once these have been defined, you must enable the Anomaly: Potential Honeypot Access rule. You must also add a security/policy sentry to these network objects to generate events based on attempted access. |
| Building Block | BB:NetworkDefinition: Undefined IP Space | Edit this building block to include areas of your network that do not contain any valid hosts. |
| Building Block | BB:NetworkDefinition: Watch List Addresses | Edit this building block to include networks that should be added to a watch list. |
| Building Block | BB:PortDefinition: Common Worm Ports | Defines ports that generally are not seen in local-to-remote traffic. |
| Building Block | BB:PortDefinition: Database Ports | Edit this building block to include all common database ports. |
| Building Block | BB:Threats: Port Scans: Host Scans | Identifies potential reconnaissance by flows. |
| Building Block | BB:Threats: Port Scans: UDP Port Scan | Identifies UDP-based port scans. |
| Building Block | BB:Threats: Remote Access Violations: Remote Desktop Access from Remote Hosts | Identifies flows where a remote desktop application is being accessed from a remote host. |
| Building Block | BB:Threats: Remote Access Violations: VNC Activity from Remote Hosts | Identifies flows where a VNC service is being accessed from a remote host. |
| Building Block | BB:Threats: Scanning: Empty Responsive Flows High | Detects potential reconnaissance activity where the source packet count is greater than 100,000. |
| Building Block | BB:Threats: Scanning: Empty Responsive Flows Low | Detects potential reconnaissance activity where the source packet count is greater than 500. |
| Building Block | BB:Threats: Scanning: Empty Responsive Flows Medium | Detects potential reconnaissance activity where the source packet count is greater than 5,000. |
| Building Block | BB:Threats: Scanning: ICMP Scan High | Identifies a high level of ICMP reconnaissance. |
| Building Block | BB:Threats: Scanning: ICMP Scan Low | Identifies a low level of ICMP reconnaissance. |
| Building Block | BB:Threats: Scanning: ICMP Scan Medium | Identifies a medium level of ICMP reconnaissance. |
| Building Block | BB:Threats: Scanning: Potential Scan | Identifies potential reconnaissance by flows. |
| Building Block | BB:Threats: Scanning: Scan High | Identifies a high level of potential reconnaissance. |
| Building Block | BB:Threats: Scanning: Scan Low | Identifies a low level of potential reconnaissance. |
| Building Block | BB:Threats: Scanning: Scan Medium | Identifies a medium level of potential reconnaissance. |
| Building Block | BB:Threats: Suspicious IP Protocol Usage: Large DNS Packets | Identifies flows with abnormally large DNS packets. |
| Building Block | BB:Threats: Suspicious IP Protocol Usage: Large ICMP Packets | Identifies flows with abnormally large ICMP packets. |
| Rule | 100% Accurate Events | Creates an offense when an event matches a 100% accurate signature for successful compromises. |
| Rule | Anomaly: DMZ Jumping | Fires when connections seem to be bridged across the network's DMZ. |
| Rule | Anomaly: Excessive Firewall Accepts From Multiple Sources to a Single Destination | Reports excessive firewall accepts to the same destination from at least 100 unique source IP addresses in 5 minutes. |
| Rule | Destination Vulnerable to Detected Exploit | Detects an attack against a vulnerable local destination, where the host is known to exist, and the host is vulnerable to the attack. |
| Rule | Exploit Followed by Suspicious Host Activity | Reports exploit or attack type activity from a source IP address followed by suspicious account activity on the same destination host within 15 minutes of the original event. |
| Rule | Exploit: Destination Vulnerable to Detected Exploit on a Different Port | Reports an attack against a vulnerable local destination host, where the host is known to exist, and the host is vulnerable to the attack on a different port. |
| Rule | Exploit: Exploits Followed by Firewall Accepts | Detects when exploit or attack events are followed by firewall accept events, which may indicate a successful attack. |
| Rule | Exploit/Malware Events Across Multiple Destinations | Reports a source IP address generating multiple (at least 5) exploit or malicious software (malware) events in the last 5 minutes. These events are not targeting hosts that are vulnerable and may indicate false positives generated by a device. |
| Rule | Malware or Virus Clean Failed | The system detected a virus and failed to clean or remove it. |
| Rule | Multiple Vector Attack Source | Detects when a source host tries multiple attack vectors, which may indicate that the source host is specifically targeting an asset. |
| Rule | Remote: Possible Tunneling | Detects possible tunneling, which can indicate a bypass of policy or an infected system. |
| Rule | Remote: Remote Desktop Access from the Internet | Detects the Microsoft Remote Desktop Protocol from the internet to a local host. Most companies consider this a violation of corporate policy. If this is normal activity on your network, you should disable this rule. |
| Rule | Remote: VNC Access from the Internet to a Local Host | Detects VNC (a remote desktop access application) from the internet to a local host. Many companies consider this a policy issue that should be addressed. If this is normal activity on your network, disable this rule. |
| Rule | Source Vulnerable to any Exploit | Reports an attack from a local host where the source has at least one vulnerability. It is possible the source was targeted in an earlier offense. |
| Rule | Source Vulnerable to this Exploit | Reports an attack from a local host where the source host is vulnerable to the attack being used. It is possible the source host was the destination of an earlier offense. |

The following rules are included in JSA Intrusions Content Extension V1.0.0.

  • Excessive Firewall Accepts From Multiple Sources to a Single Destination

  • DMZ Jumping

  • Destination Vulnerable to Detected Exploit

  • Source Vulnerable to any Exploit

  • Source Vulnerable to this Exploit

  • Exploit/Malware Events Across Multiple Destinations

  • Exploit Followed by Suspicious Host Activity

  • Destination Vulnerable to Detected Exploit on a Different Port

  • 100% Accurate Events

  • Multiple Vector Attack Source

  • Remote: Remote Desktop Access from the Internet

  • Exploits Followed by Firewall Accepts

  • Remote: VNC Access from the Internet to a Local Host

  • Malware or Virus Clean Failed

  • Remote: Possible Tunneling

The following building blocks are included in JSA Intrusions Content Extension V1.0.0.

  • BB:Database: System Action Deny

  • BB:HostDefinition: Database Servers

  • BB:HostReference: Database Servers

  • BB:PortDefinition: Database Ports

  • BB:PortDefinition: Common Worm Ports

  • BB:FalseNegative: Events That Indicate Successful Compromise

  • BB:DeviceDefinition: Database

  • BB:DeviceDefinition: FW / Router / Switch

  • BB:Threats: Scanning: Scan Medium

  • BB:Threats: Remote Access Violations: Remote Desktop Access from Remote Hosts

  • BB:Threats: Scanning: ICMP Scan Low

  • BB:Threats: Scanning: ICMP Scan High

  • BB:Threats: Scanning: Scan Low

  • BB:Threats: Scanning: ICMP Scan Medium

  • BB:Threats: Remote Access Violations: VNC Activity from Remote Hosts

  • BB:Threats: Suspicious IP Protocol Usage: Large ICMP Packets

  • BB:Threats: Scanning: Empty Responsive Flows High

  • BB:Threats: Scanning: Scan High

  • BB:Threats: Scanning: Empty Responsive Flows Low

  • BB:Threats: Scanning: Empty Responsive Flows Medium

  • BB:Threats: Port Scans: UDP Port Scan

  • BB:Threats: Port Scans: Host Scans

  • BB:Threats: Suspicious IP Protocol Usage: Large DNS Packets

  • BB:Threats: Scanning: Potential Scan

  • BB:CategoryDefinition: Post Exploit Account Activity

  • BB:CategoryDefinition: Recon Flows

  • BB:CategoryDefinition: Successful Communication

  • BB:CategoryDefinition: Firewall or ACL Denies

  • BB:CategoryDefinition: Recon Events

  • BB:CategoryDefinition: Mail Policy Violation

  • BB:CategoryDefinition: Service DoS

  • BB:CategoryDefinition: Worm Events

  • BB:CategoryDefinition: Virus Detected

  • BB:CategoryDefinition: Authentication to Expired Account

  • BB:CategoryDefinition: Countries/Regions with no Remote Access

  • BB:CategoryDefinition: Pre DMZ Jump

  • BB:CategoryDefinition: Authentication to Disabled Account

  • BB:CategoryDefinition: Network DoS Attack

  • BB:CategoryDefinition: Recon Event Categories

  • BB:CategoryDefinition: Firewall or ACL Accept

  • BB:CategoryDefinition: Exploits Backdoors and Trojans

  • BB:BehaviorDefinition: Compromise Activities

  • BB:CategoryDefinition: Post DMZ Jump

  • BB:CategoryDefinition: Authentication Failures

  • BB:CategoryDefinition: Key Loggers

  • BB:CategoryDefinition: Malware Annoyances

  • BB:CategoryDefinition: DDoS Attack Events

  • BB:CategoryDefinition: Database Access Denied

  • BB:NetworkDefinition: DMZ Addresses

    Note: This building block references the default network hierarchy. Update this building block if you are using a different network hierarchy.

  • BB:NetworkDefinition: Honeypot like Addresses

  • BB:NetworkDefinition: Undefined IP Space

  • BB:NetworkDefinition: Darknet Addresses

  • BB:NetworkDefinition: Watch List Addresses