RSA Admin

RSA Live February 2014 Content Announcement

Blog Post created by RSA Admin Employee on Feb 7, 2014

Dear Valued RSA Customer,

RSA is pleased to announce the addition of new and updated content to RSA Live’s Content Library. This is a large update and our format has changed a bit, so please take a moment to review the various sections in this announcement to become familiar with the latest tools we are providing you to detect threats to your environment.

 

The categories of new and updated content are as follows:

Event Stream Analysis Rules

Log Collector

Log Parsers

LUA Parsers

Yara Rules

Flex Parsers

Reports

Report Engine Rules

 

Seeking Customer Developed Parsers, Rules and Reports

 

Security Analytics content will be evolving in 2014, both in functionality and presentation. We would like to work more closely with our customers in order to provide content that helps you find the threats that matter most to you. Your feedback, suggestions, and general questions are always appreciated.

 

1) Have you created a parser, rule, or report that would be helpful to the broader RSA user community? If so, let us know about it! Reach out to us via email at:

 

ASOC.Content@rsa.com

 

Your emails will go directly to the content management team and we are looking forward to working with you to help evolve our content offering.

 

2) Do you want to request support for a new log source or protocol?


For Log Parser Requests go here: https://emcinformation.com/64308/REG/.ashx

For Protocol Parser Requests go here: https://emcinformation.com/139605/SI/.ashx

 

3) The content team will also be heavily engaged with the EMC Community portal this year. Not only is the Community a great place for us to communicate directly with our customers, but it’s a wonderful resource for our customers to gain tips and tricks from our research engineers as well as gain early access to our various pieces of security research. Not a member? Sign up here:

 

https://developer-content.emc.com/login/register.asp

 

The Latest Threat Research From RSA

 

- Our RSA Incident Response Team's research dissecting Shell Crew and their malicious tactics, techniques, and procedures was recently released. As a supplement to this report we have released a digital appendix of content that can be used in Security Analytics as well as RSA ECAT to help identify instances of Shell Crew activity. RSA Security Analytics customers can subscribe to this content via RSA Live. The full report can be found here:

 

http://www.emc.com/collateral/white-papers/h12756-wp-shell-crew.pdf

 

- The RSA FirstWatch Intelligence Team published a well received article about the Chewbacca Trojan and its role in stealing payment card data here:

 

https://community.emc.com/community/connect/rsaxchange/netwitness/blog/2014/01/30/rsa-uncovers-new-pos-malware-operation-stealing-payment-card-personal-information

 

- Also, below are the FirstWatch Intelligence Team's recent feeds:

 

Malicious Filename Feed

https://community.emc.com/community/connect/rsaxchange/netwitness/blog/2014/01/31/deprecated-feeds-and-the-new-malicious-filename-feed

 

Malicious UA Feed

https://community.emc.com/thread/187497

 

Zbot Detection Feed:

https://community.emc.com/community/connect/rsaxchange/netwitness/blog/2014/01/22/you-can-install-the-firstwatch-zbot-feed

 

How To Receive Notifications And Announcements

One final thought: if you haven't already registered for RSA's SecurCare Online support site, please do so. Being a member allows you to subscribe to notifications and announcements for the entire suite of RSA security products. From new release announcements to end-of-support notifications, SecurCare Online keeps you informed about what's happening with your RSA product.

 

We look forward to forging a stronger relationship with you in 2014 as we evolve our content and improve your total content experience.

 

If you have suggestions about how you would like to see this type of messaging formatted in the future, let us know about it. Please keep in mind that this is an unusually large update and future notifications will be much smaller.


Content Updates

 

New Event Stream Analysis Rules for Correlation and Complex Event Processing

 

 

Title: Multiple login failures from same source for username that does not exist

Desc: Alert when log events contain multiple login failures from the same source, within 180 seconds, where the failure reason is that the username does not exist. This is distinct from a failed logon for a username that does exist but has a bad password: here the account itself does not exist and is being tried repeatedly from the same machine, which is the pattern of username guessing rather than password guessing. Both the time window and the number of failed logins are configurable.

 

Title: Multiple failed logins from a single user from multiple different sources to same destination in X seconds

Desc: Alert when log events contain multiple failed logins by a single user from multiple different sources to the same destination within 3600 seconds. Both the time window and the number of failed logins are configurable.

Filename: esa000039.esaa

 

Title: Multiple successful logins from a single user from multiple different sources to the same destination

Desc: Alert when log events contain multiple successful logins by a single user from multiple different sources to the same destination within 3600 seconds. Both the time window and the number of successful logins are configurable.

 

Title: User added to admin group then syslog is disabled

Desc: Alerts when a user is added to one of the listed groups and the same user then stops the syslog/rsyslog service on a Linux machine. The rule relies on Event Categorization (EC) tags for group modification. Linux machines do not generate an event for stopping the syslog service itself, but an event is generated for stopping kernel logging, and that event is what fires the rule.

 

Title: Single source, Same IDS / IPS message type, different destination IP

Desc: Detects similar IDS/IPS events from the same source to multiple destination IPs. The count of unique destinations and the time window are configurable.

 

Title: Privilege Escalation Detected for Unix devices

Desc: Detects two kinds of events: a user escalating their own privileges with su, or an administrator adding a user to one of a user-defined list of groups.

 

Title: SSH traffic detected from a single source to different destinations

Desc: Detects SSH traffic (service=22) from a single source to multiple destinations within a given time. The number of destinations, the service and the time window are configurable.

 

Title: Multiple failed logins from multiple different users from same source to same destination

Desc: Alert when log events contain multiple failed logins by multiple different users from the same source to the same destination within 180 seconds. Both the time window and the number of failed logins are configurable.

 

Title: Multiple successful logins from a single user from multiple different sources to multiple destinations

Desc: Alert when log events contain multiple successful logins by a single user from multiple different sources to multiple different destinations within 180 seconds. Both the time window and the number of successful logins are configurable.

 

Title: DNS Lookups From the Same Host

Desc: Detects 50 DNS lookups in 60 seconds from the same source IP. Both the time window and the number of lookups are configurable.

 

Title: File Transfer Using Non Standard Port

Desc: Alert when a file is transferred using a non-standard TCP destination port. Both the list of file extensions and the list of standard TCP ports are configurable; the rule fires when the TCP destination port is not one of the configured standard ports.

 

Title: User added to admin group then ssh is enabled

Desc: Alerts when a user is added to one of the configured groups and the same user then starts the SSH service on a Linux machine. The rule relies on Event Categorization Tags (ECT) for group modification. For this rule to work, the infobloxnios parser should be disabled. The time window, service name and list of administrator groups are configurable. This rule uses the non-standard meta key client, so that key must be made available to the Log Decoder and Concentrator by updating index-concentrator-custom.xml and/or table-map.xml.

 

Title: Non SMTP Traffic on TCP Port 25 Containing Executable

Desc: Monitors for non-SMTP traffic on TCP destination port 25 that contains an executable. Both the list of executable file extensions and the TCP port for SMTP traffic are configurable. This rule does not require the connection to complete on both the client and server side; a single event matching the filter criteria triggers the rule.

 

Title: HTTP Outbound Traffic to Multiple Destinations From Single Source

Desc: Alerts on HTTP outbound traffic to 50 unique destination IPs from a single source IP within 60 seconds. Outbound traffic is defined as traffic whose destination is not a private (RFC 1918) address; the source IP must be within the RFC 1918 ranges. The time window, the number of unique destination IPs and the source IP whitelist are all configurable. Events are grouped by ip.src, and 50 unique destinations must occur within 60 seconds.

 

Title: Multi-Service connection attempts_Pckt

Desc: Multiple connection failures detected from packet data, from the same source to multiple common service ports (destination ports such as TCP 21, 22, 23, 25, 80, 8080, 443) on the same destination within a 5-minute window. The time window, the list of destination ports to monitor and the number of connection attempts are configurable.

 

Title: Root fail ESX server (x3) + Root success to ESX server + VMClone

Desc: Alert on multiple (assumed here to be 3) root login failures to an ESX server, followed by a successful root login to the ESX server, followed by a VMClone event, all within 5 minutes. The time window is configurable.

 

Title: Non HTTP Traffic on TCP Port 80 Containing Executable

Desc: Monitors for non-HTTP traffic on TCP destination port 80 that contains an executable. Both the list of executable file extensions and the TCP port for HTTP traffic are configurable. This rule does not require the connection to complete on both the client and server side; a single event matching the filter criteria triggers the rule.

 

Title: Account Created and Deleted within an hour.

Desc: Alert when an account is created and then deleted within one hour.
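Most of the rules above share one shape: N matching events (or N distinct values of one field) with the same grouping key inside a sliding window of T seconds. The following is an added example, written for this announcement and not RSA's EPL or the shipped .esaa content, that implements that sliding-window threshold logic in Python and expresses three of the rules with it: the nonexistent-username failures from one source (180 s), one user failing from several sources to one destination (3600 s), and HTTP fan-out from one RFC 1918 source to 50 external destinations (60 s). The event field names (time, type, outcome, reason, user, ip_src, ip_dst) and the sample events are constructed for the demo.

```python
"""Sliding-window threshold correlation in the shape of the ESA rules above."""
import ipaddress
from collections import defaultdict, deque

# RFC 1918 ranges. The rules call the destination side "not a private
# reserved address", so the check is explicit rather than
# ipaddress.is_private (which also covers loopback, link-local, etc.).
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


class WindowRule:
    """Fire when `threshold` events (or `threshold` distinct values of
    `distinct`) share the same `group_by` key inside `window` seconds.
    Events must be fed in time order. The bucket is cleared after firing
    so a later burst alerts again instead of being suppressed forever."""

    def __init__(self, name, match, group_by, window, threshold, distinct=None):
        self.name = name
        self.match = match          # predicate: event dict -> bool
        self.group_by = group_by    # event dict -> hashable key
        self.distinct = distinct    # event dict -> value counted once, or None
        self.window = window
        self.threshold = threshold
        self._buckets = defaultdict(deque)   # key -> deque of (time, value)

    def feed(self, ev):
        if not self.match(ev):
            return None
        key = self.group_by(ev)
        bucket = self._buckets[key]
        bucket.append((ev["time"], self.distinct(ev) if self.distinct else None))
        # drop entries that have aged out of the window
        while bucket and ev["time"] - bucket[0][0] > self.window:
            bucket.popleft()
        count = len({v for _, v in bucket}) if self.distinct else len(bucket)
        if count >= self.threshold:
            bucket.clear()
            return {"rule": self.name, "key": key, "count": count, "time": ev["time"]}
        return None


def login_failure(ev):
    return ev.get("type") == "login" and ev.get("outcome") == "failure"


def build_rules():
    """Three of the rules above as window/threshold parameters. Counts are
    the ones quoted in the descriptions, or 5 where only "configurable" is stated."""
    return [
        WindowRule("login failures for nonexistent user from one source",
                   match=lambda e: login_failure(e) and e.get("reason") == "no_such_user",
                   group_by=lambda e: e["ip_src"], window=180, threshold=5),
        WindowRule("one user failing from many sources to one destination",
                   match=login_failure,
                   group_by=lambda e: (e["user"], e["ip_dst"]),
                   distinct=lambda e: e["ip_src"], window=3600, threshold=3),
        WindowRule("HTTP fan-out from one internal source",
                   match=lambda e: (e.get("type") == "http" and is_rfc1918(e["ip_src"])
                                    and not is_rfc1918(e["ip_dst"])),
                   group_by=lambda e: e["ip_src"],
                   distinct=lambda e: e["ip_dst"], window=60, threshold=50),
    ]


def sample_events():
    """Constructed events (not real logs) in the field layout this demo assumes."""
    ev = []
    for i in range(5):   # 5 tries for an account that does not exist, 40 s span
        ev.append({"time": 1000 + i * 10, "type": "login", "outcome": "failure",
                   "reason": "no_such_user", "user": "admin2",
                   "ip_src": "10.1.1.5", "ip_dst": "10.1.1.100"})
    for i, src in enumerate(("10.2.2.10", "10.2.2.11", "10.2.2.12")):
        ev.append({"time": 2000 + i * 300, "type": "login", "outcome": "failure",
                   "reason": "bad_password", "user": "jsmith",
                   "ip_src": src, "ip_dst": "10.1.1.100"})
    for i in range(50):  # one workstation touching 50 external web servers in 50 s
        ev.append({"time": 3000 + i, "type": "http",
                   "ip_src": "192.168.7.20", "ip_dst": "203.0.113.%d" % (i + 1)})
    return sorted(ev, key=lambda e: e["time"])


def run(events, rules):
    """Feed time-ordered events through every rule; return alerts in firing order."""
    alerts = []
    for ev in events:
        for rule in rules:
            alert = rule.feed(ev)
            if alert:
                alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for alert in run(sample_events(), build_rules()):
        print(alert)
```

Note how the bad-password failures for jsmith do not touch the nonexistent-user rule, and the five admin2 failures count as one distinct source for the many-sources rule: keying and the distinct field are what separate rules that otherwise look alike. The remaining count-in-window rules above (DNS lookups, multi-service connection attempts, SSH to many destinations) are the same class with a different match predicate and key.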

 

 

Log Collector Content

 

 

Title: ActivIdentity AAA Server Log Collector Configuration

Desc: Log Collector configuration content for event source ActivIdentity AAA Server

 

Title: Alcatel-Lucent OmniSwitch Log Collector Configuration

Desc: Log Collector configuration content for event source Alcatel-Lucent OmniSwitch

 

Title: Apache Web Server Log Collector Configuration

Desc: Log Collector configuration content for event source Apache Web Server

 

Title: Apache Tomcat Log Collector Configuration

Desc: Log Collector configuration content for event source Apache Tomcat

 

Title: AppSec DbProtect Log Collector Configuration

Desc: Log Collector configuration content for event source AppSec DbProtect

 

Title: Avocent KVM Log Collector Configuration

Desc: Log Collector configuration content for event source Avocent KVM

 

Title: BigFix Log Collector Configuration

Desc: Log Collector configuration content for event source BigFix

 

Title: Bit9 Log Collector Configuration

Desc: Log Collector configuration content for event source Bit9

 

Title: RIM Blackberry Enterprise Server Log Collector Configuration

Desc: Log Collector configuration content for event source RIM Blackberry Enterprise Server

 

Title: BMC Remedy ITSM Log Collector Configuration

Desc: Log Collector configuration content for event source BMC Remedy ITSM

 

Title: CA Integrated Threat Management Log Collector Configuration

Desc: Log Collector configuration content for event source CA Integrated Threat Management

 

Title: EMC Celerra Log Collector Configuration

Desc: Log Collector configuration content for event source EMC Celerra

 

Title: Check Point FW-1 Log Collector Configuration

Desc: Log Collector configuration content for event source Check Point FW-1

 

Title: Cisco Ironport ESA Log Collector Configuration

Desc: Log Collector configuration content for event source Cisco Ironport ESA

 

Title: Cisco Ironport WSA Log Collector Configuration

Desc: Log Collector configuration content for event source Cisco Ironport WSA

 

Title: Cisco LMS Log Collector Configuration

Desc: Log Collector configuration content for event source Cisco LMS

 

Title: Cisco MARS Log Collector Configuration

Desc: Log Collector configuration content for event source Cisco MARS

 

Title: CiscoWorks NCM Log Collector Configuration

Desc: Log Collector configuration content for event source CiscoWorks NCM

 

Title: Cisco Security Agent Log Collector Configuration

Desc: Log Collector configuration content for event source Cisco Security Agent

 

Title: Cisco WCS Log Collector Configuration

Desc: Log Collector configuration content for event source Cisco WCS

 

Title: CiscoWorks Common Services/Cisco Security Manager Log Collector Configuration

Desc: Log Collector configuration content for event source CiscoWorks Common Services/Cisco Security Manager

 

Title: Citrix XenApp Log Collector Configuration

Desc: Log Collector configuration content for event source Citrix XenApp

 

Title: Courion Password Courier Log Collector Configuration

Desc: Log Collector configuration content for event source Courion Password Courier

 

Title: Dell DRAC Log Collector Configuration

Desc: Log Collector configuration content for event source Dell DRAC

 

Title: Dragon IDS Log Collector Configuration

Desc: Log Collector configuration content for event source Dragon IDS

 

Title: eEye Blink Log Collector Configuration

Desc: Log Collector configuration content for event source eEye Blink

 

Title: eEye Retina Log Collector Configuration

Desc: Log Collector configuration content for event source eEye Retina

 

Title: EMC Avamar Log Collector Configuration

Desc: Log Collector configuration content for event source EMC Avamar

 

Title: EMC Documentum Log Collector Configuration

Desc: Log Collector configuration content for event source EMC Documentum

 

Title: EMC Data Protection Advisor Log Collector Configuration

Desc: Log Collector configuration content for event source EMC Data Protection Advisor

 

Title: EMC Ionix UIM Log Collector Configuration

Desc: Log Collector configuration content for event source EMC Ionix UIM

 

Title: EMC Isilon Log Collector Configuration

Desc: Log Collector configuration content for event source EMC Isilon

 

Title: EMC NetWorker Log Collector Configuration

Desc: Log Collector configuration content for event source EMC NetWorker

 

Title: EMC VPLEX Log Collector Configuration

Desc: Log Collector configuration content for event source EMC VPLEX

 

Title: Entercept Log Collector Configuration

Desc: Log Collector configuration content for event source Entercept

 

Title: McAfee ePolicy Orchestrator Log Collector Configuration

Desc: Log Collector configuration content for event source McAfee ePolicy Orchestrator

 

Title: FairWarning Privacy Monitoring Log Collector Configuration

Desc: Log Collector configuration content for event source FairWarning Privacy Monitoring

 

Title: F-Secure Anti-Virus Log Collector Configuration

Desc: Log Collector configuration content for event source F-Secure Anti-Virus

 

Title: GE Centricity Enterprise Archive Log Collector Configuration

Desc: Log Collector configuration content for event source GE Centricity Enterprise Archive

 

Title: GE Centricity PACS IW Log Collector Configuration

Desc: Log Collector configuration content for event source GE Centricity PACS IW

 

Title: GIT-SCM Server Log Collector Configuration

Desc: Log Collector configuration content for event source GIT-SCM Server

 

Title: EMC Greenplum Database Log Collector Configuration

Desc: Log Collector configuration content for event source EMC Greenplum Database

 

Title: EMC Greenplum Hadoop Distribution Log Collector Configuration

Desc: Log Collector configuration content for event source EMC Greenplum Hadoop Distribution

 

Title: GlobalSCAPE EFT Server Log Collector Configuration

Desc: Log Collector configuration content for event source GlobalSCAPE EFT Server

 

Title: IBM DB2 UDB Log Collector Configuration

Desc: Log Collector configuration content for event source IBM DB2 UDB

 

Title: IBM Mainframe ICSF Log Collector Configuration

Desc: Log Collector configuration content for event source IBM Mainframe ICSF

 

Title: IBM Mainframe (IDMS) Log Collector Configuration

Desc: Log Collector configuration content for event source IBM Mainframe (IDMS)

 

Title: IBM Mainframe (IMS) Log Collector Configuration

Desc: Log Collector configuration content for event source IBM Mainframe (IMS)

 

Title: IBM Mainframe IPSec Log Collector Configuration

Desc: Log Collector configuration content for event source IBM Mainframe IPSec

 

Title: IBM Mainframe zOS System Log Log Collector Configuration

Desc: Log Collector configuration content for event source IBM Mainframe zOS System Log

 

Title: IBM Mainframe (RACF) Log Collector Configuration

Desc: Log Collector configuration content for event source IBM Mainframe (RACF)

 

Title: IBM Tivoli Access Manager ESSO Log Collector Configuration

Desc: Log Collector configuration content for event source IBM Tivoli Access Manager ESSO

 

Title: IBM TAM WebSEAL Log Collector Configuration

Desc: Log Collector configuration content for event source IBM TAM WebSEAL

 

Title: IBM Tivoli Identity Manager Log Collector Configuration

Desc: Log Collector configuration content for event source IBM Tivoli Identity Manager

 

Title: IBM WebSphere MQ Log Collector Configuration

Desc: Log Collector configuration content for event source IBM WebSphere MQ

 

Title: IntruShield Log Collector Configuration

Desc: Log Collector configuration content for event source IntruShield

 

Title: McAfee Email Gateway Log Collector Configuration

Desc: Log Collector configuration content for event source McAfee Email Gateway

 

Title: ISS Realsecure Log Collector Configuration

Desc: Log Collector configuration content for event source ISS Realsecure

 

Title: JBoss Application Server Log Collector Configuration

Desc: Log Collector configuration content for event source JBoss Application Server

 

Title: Steel-Belted Radius Log Collector Configuration

Desc: Log Collector configuration content for event source Steel-Belted Radius

 

Title: Kaspersky Anti-Virus Log Collector Configuration

Desc: Log Collector configuration content for event source Kaspersky Anti-Virus

 

Title: Kernel-based Virtual Machine Log Collector Configuration

Desc: Log Collector configuration content for event source Kernel-based Virtual Machine

 

Title: LANDesk Management Suite Log Collector Configuration

Desc: Log Collector configuration content for event source LANDesk Management Suite

 

Title: Lotus Domino Log Collector Configuration

Desc: Log Collector configuration content for event source Lotus Domino

 

Title: Lumension EMSS Log Collector Configuration

Desc: Log Collector configuration content for event source Lumension EMSS

 

Title: ManageEngine Netflow Analyzer Log Collector Configuration

Desc: Log Collector configuration content for event source ManageEngine Netflow Analyzer

 

Title: Mazu Profiler Log Collector Configuration

Desc: Log Collector configuration content for event source Mazu Profiler

 

Title: McAfee Host DLP Log Collector Configuration

Desc: Log Collector configuration content for event source McAfee Host DLP

 

Title: McAfee Endpoint Log Collector Configuration

Desc: Log Collector configuration content for event source McAfee Endpoint

 

Title: McAfee Vulnerability Manager Log Collector Configuration

Desc: Log Collector configuration content for event source McAfee Vulnerability Manager

 

Title: McAfee Integrity Control Log Collector Configuration

Desc: Log Collector configuration content for event source McAfee Integrity Control

 

Title: McAfee Network Access Control Log Collector Configuration

Desc: Log Collector configuration content for event source McAfee Network Access Control

 

Title: McAfee Policy Auditor Log Collector Configuration

Desc: Log Collector configuration content for event source McAfee Policy Auditor

 

Title: McAfee Reconnex Log Collector Configuration

Desc: Log Collector configuration content for event source McAfee Reconnex

 

Title: McAfee Virus Scan Log Collector Configuration

Desc: Log Collector configuration content for event source McAfee Virus Scan

 

Title: McKesson HPF Log Collector Configuration

Desc: Log Collector configuration content for event source McKesson HPF

 

Title: Microsoft IIS Log Collector Configuration

Desc: Log Collector configuration content for event source Microsoft IIS

 

Title: Microsoft Audit Collection Services Log Collector Configuration

Desc: Log Collector configuration content for event source Microsoft Audit Collection Services

 

Title: Microsoft DHCP Log Collector Configuration

Desc: Log Collector configuration content for event source Microsoft DHCP

 

Title: Microsoft Forefront Client Security Log Collector Configuration

Desc: Log Collector configuration content for event source Microsoft Forefront Client Security

 

Title: Microsoft Forefront UAG Log Collector Configuration

Desc: Log Collector configuration content for event source Microsoft Forefront UAG

 

Title: Microsoft Network Access Protection Log Collector Configuration

Desc: Log Collector configuration content for event source Microsoft Network Access Protection

 

Title: Microsoft SharePoint Log Collector Configuration

Desc: Log Collector configuration content for event source Microsoft SharePoint

 

Title: Windows Server Update Service Log Collector Configuration

Desc: Log Collector configuration content for event source Windows Server Update Service

 

Title: MySQL Log Collector Configuration

Desc: Log Collector configuration content for event source MySQL

 

Title: Netapp Log Collector Configuration

Desc: Log Collector configuration content for event source Netapp

 

Title: Rapid7 NeXpose Log Collector Configuration

Desc: Log Collector configuration content for event source Rapid7 NeXpose

 

Title: NFDump Log Collector Configuration

Desc: Log Collector configuration content for event source NFDump

 

Title: Novell eDirectory Log Collector Configuration

Desc: Log Collector configuration content for event source Novell eDirectory

 

Title: NetScreen-Security Manager Log Collector Configuration

Desc: Log Collector configuration content for event source NetScreen-Security Manager

 

Title: openvms Log Collector Configuration

Desc: Log Collector configuration content for event source openvms

 

Title: Oracle Log Collector Configuration

Desc: Log Collector configuration content for event source Oracle

 

Title: Oracle Audit Vault Log Collector Configuration

Desc: Log Collector configuration content for event source Oracle Audit Vault

 

Title: Oracle DB Vault Log Collector Configuration

Desc: Log Collector configuration content for event source Oracle DB Vault

 

Title: Oracle Internet Directory Log Collector Configuration

Desc: Log Collector configuration content for event source Oracle Internet Directory

 

Title: Oracle IM Log Collector Configuration

Desc: Log Collector configuration content for event source Oracle IM

 

Title: Oracle iPlanet Web Server Log Collector Configuration

Desc: Log Collector configuration content for event source Oracle iPlanet Web Server

 

Title: Oracle WebLogic Log Collector Configuration

Desc: Log Collector configuration content for event source Oracle WebLogic

 

Title: Perforce Log Collector Configuration

Desc: Log Collector configuration content for event source Perforce

 

Title: Radware DefensePro Log Collector Configuration

Desc: Log Collector configuration content for event source Radware DefensePro

 

Title: Riverbed Steelhead Log Collector Configuration

Desc: Log Collector configuration content for event source Riverbed Steelhead

 

Title: RSA Adaptive Auth (Hosted) Log Collector Configuration

Desc: Log Collector configuration content for event source RSA Adaptive Auth (Hosted)

 

Title: RSA Access Manager Log Collector Configuration

Desc: Log Collector configuration content for event source RSA Access Manager

 

Title: RSA ACE Server Log Collector Configuration

Desc: Log Collector configuration content for event source RSA ACE Server

 

Title: RSA Archer Log Collector Configuration

Desc: Log Collector configuration content for event source RSA Archer

 

Title: RSAAveksa Log Collector Configuration

Desc: Log Collector configuration content for event source RSAAveksa

 

Title: RSA Certificate Manager Log Collector Configuration

Desc: Log Collector configuration content for event source RSA Certificate Manager

 

Title: RSA Federated Identity Manager Log Collector Configuration

Desc: Log Collector configuration content for event source RSA Federated Identity Manager

 

Title: SAP ERP Central Component Log Collector Configuration

Desc: Log Collector configuration content for event source SAP ERP Central Component

 

Title: Secude Security Intelligence Log Collector Configuration

Desc: Log Collector configuration content for event source Secude Security Intelligence

 

Title: Solaris Basic Security Module Log Collector Configuration

Desc: Log Collector configuration content for event source Solaris Basic Security Module

 

Title: Sophos Enterprise Console Log Collector Configuration

Desc: Log Collector configuration content for event source Sophos Enterprise Console

 

Title: Sybase ASE Log Collector Configuration

Desc: Log Collector configuration content for event source Sybase ASE

 

Title: SYMANTECEP Log Collector Configuration

Desc: Log Collector configuration content for event source SYMANTECEP

 

Title: EMC Symmetrix Log Collector Configuration

Desc: Log Collector configuration content for event source EMC Symmetrix

 

Title: Teradata Log Collector Configuration

Desc: Log Collector configuration content for event source Teradata

 

Title: Trend Micro Log Collector Configuration

Desc: Log Collector configuration content for event source Trend Micro

 

Title: Trend Micro IMSS Log Collector Configuration

Desc: Log Collector configuration content for event source Trend Micro IMSS

 

Title: Trend Micro IWSS Log Collector Configuration

Desc: Log Collector configuration content for event source Trend Micro IWSS

 

Title: Tripwire Enterprise Log Collector Configuration

Desc: Log Collector configuration content for event source Tripwire Enterprise

 

Title: Varonis DatAdvantage Probe Log Collector Configuration

Desc: Log Collector configuration content for event source Varonis DatAdvantage Probe

 

Title: VMware View Log Collector Configuration

Desc: Log Collector configuration content for event source VMware View

 

Title: EMC Voyence Log Collector Configuration

Desc: Log Collector configuration content for event source EMC Voyence

 

Title: Websense Web Security Log Collector Configuration

Desc: Log Collector configuration content for event source Websense Web Security

 

Title: WhatsUp Gold Log Collector Configuration

Desc: Log Collector configuration content for event source WhatsUp Gold

 

Title: Microsoft Operations Manager Log Collector Configuration

Desc: Log Collector configuration content for event source Microsoft Operations Manager

 

Title: Microsoft Exchange Log Collector Configuration

Desc: Log Collector configuration content for event source Microsoft Exchange

 

Title: Microsoft SCCM Log Collector Configuration

Desc: Log Collector configuration content for event source Microsoft SCCM

 

Title: Microsoft SQL Server Log Collector Configuration

Desc: Log Collector configuration content for event source Microsoft SQL Server

 

Title: Microsoft Internet Security and Acceleration Server Log Collector Configuration

Desc: Log Collector configuration content for event source Microsoft Internet Security and Acceleration Server.

 

Title: Microdasys XML Security Gateway Log Collector Configuration

Desc: Log Collector configuration content for event source Microdasys XML Security Gateway.

 

Title: IBM WebSphere Log Collector Configuration

Desc: Log Collector configuration content for event source IBM WebSphere.

 

Title: Actiance Vantage Log Collector Configuration

Desc: Log Collector configuration content for event source Actiance Vantage

 

Title: CA Siteminder Log Collector Configuration

Desc: Log Collector configuration content for event source CA Siteminder

 

Title: Cisco Secure IDS XML Log Collector Configuration

Desc: Log Collector configuration content for event source Cisco Secure IDS XML.

 

Title: EMC Clariion/VNX Log Collector Configuration

Desc: Log Collector configuration content for event source EMC Clariion/VNX

 

Title: SonicWALL GMS Log Collector Configuration

Desc: Log Collector configuration content for event source SonicWALL GMS

 

Title: Squid Log Collector Configuration

Desc: Log Collector configuration content for event source Squid

 

Title: SunOne LDAP Directory Server Log Collector Configuration

Desc: Log Collector configuration content for event source SunOne LDAP Directory Server

 

Title: Symantec Critical Systems Protection Log Collector Configuration

Desc: Log Collector configuration content for event source Symantec Critical Systems Protection

 

Title: Symantec Intruder Alert Log Collector Configuration

Desc: Log Collector configuration content for event source Symantec Intruder Alert

 

Title: McAfee Web Gateway Log Collector Configuration

Desc: Log Collector configuration content for event source McAfee Web Gateway

 

Title: Bluecoat ProxyAV Log Collector Configuration

Desc: Log Collector configuration content for event source Bluecoat ProxyAV

 

Title: Blue Coat ELFF Log Collector Configuration

Desc: Log Collector configuration content for event source Blue Coat ELFF

 

Title: Tenable Network Security Nessus Log Collector Configuration

Desc: Log Collector configuration content for event source Tenable Network Security Nessus

 

Title: Windows Events (NIC) Log Collector Configuration

Desc: Log Collector configuration content for event source Windows Events (NIC)

 

Title: Envision Content File

Desc: This file is used to update the content file for NWFL


Log Parsers


 

New Event Sources:

 

Fortinet FortiAnalyzer version 5.0

Cyberoam UTM version 10.04.3

Aventail SSL VPN (now called SonicWall E-Class SRA)

Cisco Wireless LAN Controller (2100 Series and 4400 Series)

 

Updated Event Sources:

Alcatel-Lucent OmniSwitch version 6600

Cisco Secure ACS version 5.4

McAfee Web Gateway version 7.3

Microsoft Exchange 2013

MySQL Enterprise version 5.6

Symantec DLP versions 11 and 12

Blue Coat Proxy AV version 3.5.1.1

Check Point Security Suite version R77 GAIA OS

Citrix XenApp version 6.5

Oracle WebLogic Server version 10.3.6

Palo Alto Panorama version 5.1.4

Sybase version 15 on Solaris 2.10


LUA Parsers

 

Title: VNC

Desc: Identifies the Remote Framebuffer protocol used by VNC and its derivatives.

 

Title: X11_lua

Desc: Identifies the X11 protocol (RFC 1013)

 

Title: HTTP_lua

Desc: Replicates and improves on the functionality of the native and Flex HTTP parsers. Performs HTTP header anomaly detection and proxy client IP extraction. Parses ICAP (HTTP) requests.

 

Title: xor_executable_lua

Desc: Detects executables that have been XOR-encoded or hex-encoded.

 

Title: NFS_lua

Desc: Identifies and parses the RPC-related protocols NFS, MOUNT and PORTMAP.

 

Title: DNP3_lua

Desc: Identifies DNP3 (Distributed Network Protocol), used in SCADA environments.

 

Title: ethernet_oui

Desc: Determines the manufacturer of eth.src and eth.dst addresses.

 

Title: Fingerprint_Private_Key

Desc: Detects SSH and PGP private key files.

 

Title: IMAP_lua

Desc: Identifies IMAP and registers commands, errors, usernames and passwords.

 

Title: Lync

Desc: Identifies Microsoft Lync (formerly Microsoft Office Communicator, Windows Messenger).

 

Title: pwdump

Desc: Detects output from Windows password dumping tools such as pwdump.

 

Title: QQ_lua

Desc: Identifies QQ (OICQ protocol) sessions. Extracts the QQ number (user ID) and login and logout events.

 

Title: shadyrat_lua

Desc: Identifies potential artifacts related to shadyrat command and control traffic.

 

Title: socks_lua

Desc: Identifies the SOCKS protocol, versions 4 and 5.

 

Title: SoulSeek_lua

Desc: Identifies the SoulSeek file sharing protocol.

 

Title: spectrum_lua

Desc: Determines which sessions are sent to Spectrum for analysis, based upon the file types seen in the session and the total session size.

 

Title: DNS_verbose_lua

Desc: Identifies DNS sessions. Registers query and response records, including record type. Registers protocol error messages. Alerts on DNS anomalies.

 

Title: htran_lua

Desc: Identifies the error message generated by the htran redirection tool.

 

Title: bittorrent_lua

Desc: Identifies the bittorrent protocol and registers the name of the file being downloaded.

 

Title: fingerprint_7zip

Desc: Detects 7zip archive files.

 

Title: Derusbi_Server_Handshake

Desc: Detects Derusbi server handshake.

 

Title: fingerprint_rtf_lua

Desc: Detects RTF files

 

Title: fingerprint_zip

Desc: Detects PK format zip files and extracts filenames contained in the archive.

 

Title: NTLMSSP_lua

Desc: Extracts Active Directory user information from NTLM HTTP headers.

 

Title: SMB_lua

Desc: Parses the Microsoft SMB-CIFS protocol versions 1 and 2.

 

Title: fingerprint_rar_lua

Desc: Detects RAR archive files. Registers the names of archived files if available.

 

Title: Netwitness Lua Library

Desc: Commonly used parser functions in Lua. This file itself is not a parser.

 

Title: fingerprint_javascript_lua

Desc: Detects JavaScript and suspicious JavaScript actions and anomalies.

 

Title: fingerprint_office_lua

Desc: Identifies Microsoft Office 95 and 2007 Word, Excel, and PowerPoint documents.

 

Title: iSCSI

Desc: Identifies SCSI-over-IP.

 

Title: MAIL_lua

Desc: Replicates in Lua the functionality of the native and flex MAIL parsers. Extracts values such as From, To, and Subject from email messages.

 

Title: creditcard_detection_lua

Desc: Attempts to detect possible credit card numbers and validates them with Luhn's algorithm. Intended as a replacement for the credit card detection in search.ini.

 

Title: phishing_lua

Desc: Registers the host portion from each URL found within an email.

 

 

FLEX Parsers

 

Title: Derusbi_Variant_Beacon

Desc: Detects Derusbi variant beacons.

 

Title: DNS - Verbose

Desc: Identifies DNS sessions. Registers queries and responses, including record types. Registers protocol errors. Detects and registers anomalies.

 

YARA Rules

 

Title: RSA Malware PE Packers

Desc: YARA IOCs that statically analyze Windows PE files to identify common packers.

 

Title: RSA Malware PDF Artifacts

Desc: YARA IOCs that statically analyze PDF file artifacts for signs of malware.

 

Title: RSA Malware PE Artifacts

Desc: YARA IOCs that statically analyze Windows PE file artifacts for signs of malware.

 

Reports

 

Title: Accounts Created SAW

Desc: SAW Compliance Report Template - Accounts Created SAW

 

Title: Accounts Deleted SAW

Desc: SAW Compliance Report Template - Accounts Deleted SAW

 

Title: Accounts Disabled SAW

Desc: SAW Compliance Report Template - Accounts Disabled SAW

 

Title: Accounts Modified SAW

Desc: SAW Compliance Report Template - Accounts Modified SAW

 

Title: Anti-Virus Signature Updates SAW

Desc: SAW Compliance Report Template - Anti-Virus Signature Updates SAW

 

Title: Change in Audit Settings SAW

Desc: SAW Compliance Report Template - Change in Audit Settings SAW

 

Title: Encryption Failures SAW

Desc: SAW Compliance Report Template - Encryption Failures SAW

 

Title: Encryption Key Generation and Changes SAW

Desc: SAW Compliance Report Template - Encryption Key Generation and Changes SAW

 

Title: Failed Escalation of Privileges Details SAW

Desc: SAW Compliance Report Template - Failed Escalation of Privileges Details SAW

 

Title: Failed Escalation of Privileges Summary SAW

Desc: SAW Compliance Report Template - Failed Escalation of Privileges Summary SAW

 

Title: Failed Remote Access Details SAW

Desc: SAW Compliance Report Template - Failed Remote Access Details SAW

 

Title: Failed Remote Access Summary SAW

Desc: SAW Compliance Report Template - Failed Remote Access Summary SAW

 

Title: Firewall Configuration Changes SAW

Desc: SAW Compliance Report Template - Firewall Configuration Changes SAW

 

Title: Firmware Changes on Wireless Devices SAW

Desc: SAW Compliance Report Template - Firmware Changes on Wireless Devices SAW

 

Title: Inbound Network Traffic SAW

Desc: SAW Compliance Report Template - Inbound Network Traffic SAW

 

Title: Logon Failures Summary SAW

Desc: SAW Compliance Report Template - Logon Failures Summary SAW

 

Title: Logon Failure Details SAW

Desc: SAW Compliance Report Template - Logon Failure Details SAW

 

Title: Outbound Network Traffic SAW

Desc: SAW Compliance Report Template - Outbound Network Traffic SAW

 

Title: Password Changes Details SAW

Desc: SAW Compliance Report Template - Password Changes Details SAW

 

Title: Password Changes Summary SAW

Desc: SAW Compliance Report Template - Password Changes Summary SAW

 

Title: Router Configuration Changes SAW

Desc: SAW Compliance Report Template - Router Configuration Changes SAW

 

Title: Successful Escalation of Privileges Details SAW

Desc: SAW Compliance Report Template - Successful Escalation of Privileges Details SAW

 

Title: Successful Escalation of Privileges Summary SAW

Desc: SAW Compliance Report Template - Successful Escalation of Privileges Summary SAW

 

Title: Successful Remote Access Details SAW

Desc: SAW Compliance Report Template - Successful Remote Access Details SAW

 

Title: Successful Remote Access Summary SAW

Desc: SAW Compliance Report Template - Successful Remote Access Summary SAW

 

Title: Successful Use of Encryption SAW

Desc: SAW Compliance Report Template - Successful Use of Encryption SAW

 

Title: System Clock Synchronization SAW

Desc: SAW Compliance Report Template - System Clock Synchronization SAW

 

Title: User Access Revoked SAW

Desc: SAW Compliance Report Template - User Access Revoked SAW

 

Title: User Session Terminated Summary SAW

Desc: SAW Compliance Report Template - User Session Terminated Summary SAW

 

Report Engine Rules

 

Title: Accounts Created SAW

Desc: SAW Compliance Rule - Accounts Created SAW

 

Title: Accounts Deleted SAW

Desc: SAW Compliance Rule - Accounts Deleted SAW

 

Title: Accounts Disabled SAW

Desc: SAW Compliance Rule - Accounts Disabled SAW

 

Title: Accounts Modified SAW

Desc: SAW Compliance Rule - Accounts Modified SAW

 

Title: Anti-virus Signature Update SAW

Desc: SAW Compliance Rule - Anti-virus Signature Update SAW

 

Title: Change in Audit Settings SAW

Desc: SAW Compliance Rule - Change in Audit Settings SAW

 

Title: Encryption Failures SAW

Desc: SAW Compliance Rule - Encryption Failures SAW

 

Title: Encryption Key Generation and Changes SAW

Desc: SAW Compliance Rule - Encryption Key Generation and Changes SAW

 

Title: Failed Escalation of Privileges Details SAW

Desc: SAW Compliance Rule - Failed Escalation of Privileges Details SAW

 

Title: Failed Escalation of Privileges Summary SAW

Desc: SAW Compliance Rule - Failed Escalation of Privileges Summary SAW

 

Title: Failed Remote Access Details SAW

Desc: SAW Compliance Rule - Failed Remote Access Details SAW

 

Title: Failed Remote Access Summary SAW

Desc: SAW Compliance Rule - Failed Remote Access Summary SAW

 

Title: Firewall Configuration Changes SAW

Desc: SAW Compliance Rule - Firewall Configuration Changes SAW

 

Title: Firmware Changes on Wireless Devices SAW

Desc: SAW Compliance Rule - Firmware Changes on Wireless Devices SAW

 

Title: Inbound Network Traffic SAW

Desc: SAW Compliance Rule - Inbound Network Traffic SAW

 

Title: Logon Failures Summary SAW

Desc: SAW Compliance Rule - Logon Failures Summary SAW

 

Title: Logon Failures Details SAW

Desc: SAW Compliance Rule - Logon Failures Details SAW

 

Title: Outbound Network Traffic SAW

Desc: SAW Compliance Rule - Outbound Network Traffic SAW

 

Title: Password Changes Details SAW

Desc: SAW Compliance Rule - Password Changes Details SAW

 

Title: Password Changes Summary SAW

Desc: SAW Compliance Rule - Password Changes Summary SAW

 

Title: Router Configuration Changes SAW

Desc: SAW Compliance Rule - Router Configuration Changes SAW

 

Title: Successful Escalation of Privileges Details SAW

Desc: SAW Compliance Rule - Successful Escalation of Privileges Details SAW

 

Title: Successful Escalation of Privileges Summary SAW

Desc: SAW Compliance Rule - Successful Escalation of Privileges Summary SAW

 

Title: Successful Remote Access Details SAW

Desc: SAW Compliance Rule - Successful Remote Access Details SAW

 

Title: Successful Remote Access Summary SAW

Desc: SAW Compliance Rule - Successful Remote Access Summary SAW

 

Title: Successful Use of Encryption SAW

Desc: SAW Compliance Rule - Successful Use of Encryption SAW

 

Title: System Clock Synchronization SAW

Desc: SAW Compliance Rule - System Clock Synchronization SAW

 

Title: User Access Revoked SAW

Desc: SAW Compliance Rule - User Access Revoked SAW

 

Title: User Session Terminated Summary SAW

Desc: SAW Compliance Rule - User Session Terminated Summary SAW
