RSA Live April 2014 Content Announcement

Blog Post created by RSA Admin Employee on Apr 14, 2014

Dear Valued RSA Customer,

RSA is pleased to announce the addition of new and updated content to RSA Live’s Content Library. We have also added a few useful submission links this month, so please take a moment to review the sections of this announcement and become familiar with the latest tools we are providing to help you detect threats in your environment. Of particular note this month, we have created parsers that identify servers vulnerable to the Heartbleed OpenSSL bug, as well as attempts to exploit it:

How to detect the Heartbleed Vulnerability using RSA Security Analytics

Parsers that address Heartbleed are now available in RSA Live, for all RSA Live subscription tiers. The specific parsers are “TLS” and “TLS_lua”. Users already subscribed to either parser will be updated automatically. Users who do not currently subscribe to either should disable the default TLS parser and subscribe to one of the two TLS parsers available on RSA Live. Customers running RSA NetWitness / RSA Security Analytics version 10.2 and below should use the Flex parser “TLS”; those running version 10.2 and above should use the Lua parser “TLS_lua”.

To detect vulnerable servers, look for instances of “openssl vulnerable to heartbleed” under the risk.informational meta key. To detect exploit attempts, look for “heartbleed data leak” under the risk.warning meta key.

Search for the tag “heartbleed” on Live for a full list of parsers associated with Heartbleed.
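To make concrete what those two meta values are looking for, here is an added example (not RSA's TLS or TLS_lua parser code) that walks a sequence of TLS records and flags a heartbeat request whose declared payload length cannot fit in the record that carried it (an exploit attempt), and a heartbeat response that returns more bytes than the request contained (a data leak, which also marks the answering server as unpatched). The heuristics, the meta key/value labels and the sample records are constructed for illustration and are modelled on, not taken from, the RSA parsers.

```python
"""Toy Heartbleed detector at the TLS record layer (added example).

Not RSA's TLS/TLS_lua parser code. It models the two conditions the
announcement says the parsers flag: a malformed heartbeat request (exploit
attempt) and a heartbeat response carrying more data than the request did
(data leak). Heuristics, meta labels and sample records are assumptions.
"""
import struct
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

HEARTBEAT = 24                       # TLS ContentType for heartbeat (RFC 6520)
HB_REQUEST, HB_RESPONSE = 1, 2
MIN_PADDING = 16                     # RFC 6520: at least 16 bytes of padding
RECORD_HDR = struct.Struct("!BHH")   # content type, version, fragment length
HB_HDR = struct.Struct("!BH")        # heartbeat type, payload_length


@dataclass
class Finding:
    meta_key: str    # modelled on the announcement's risk.* meta keys (assumption)
    value: str
    detail: str


@dataclass
class HeartbeatTracker:
    """Follows heartbeat records on one TLS session in both directions."""
    last_request_len: Optional[int] = None   # fragment length of the last client request
    findings: List[Finding] = field(default_factory=list)

    def feed(self, direction: str, record: bytes) -> None:
        """direction is 'c2s' (client to server) or 's2c' (server to client)."""
        if len(record) < RECORD_HDR.size:
            return
        ctype, _version, frag_len = RECORD_HDR.unpack_from(record)
        fragment = record[RECORD_HDR.size:RECORD_HDR.size + frag_len]
        if ctype != HEARTBEAT or len(fragment) < HB_HDR.size:
            return
        hb_type, declared = HB_HDR.unpack_from(fragment)
        if direction == "c2s" and hb_type == HB_REQUEST:
            # Exploit attempt: declared payload plus header and mandatory
            # padding cannot fit in the fragment that was actually sent.
            if declared + HB_HDR.size + MIN_PADDING > len(fragment):
                self.findings.append(Finding(
                    "risk.warning", "heartbleed exploit attempt",
                    f"declared payload {declared} bytes in a {len(fragment)}-byte fragment"))
            self.last_request_len = len(fragment)
        elif direction == "s2c" and hb_type == HB_RESPONSE and self.last_request_len is not None:
            # Data leak: the server echoed more bytes than the client sent, so
            # the excess came from server memory; such a server is unpatched.
            if len(fragment) > self.last_request_len:
                leaked = len(fragment) - self.last_request_len
                self.findings.append(Finding(
                    "risk.warning", "heartbleed data leak",
                    f"{len(fragment)}-byte response to a {self.last_request_len}-byte request, "
                    f"~{leaked} bytes leaked"))
                self.findings.append(Finding(
                    "risk.informational", "openssl vulnerable to heartbleed",
                    "server answered an over-length heartbeat request"))
            self.last_request_len = None


def tls_record(ctype: int, fragment: bytes, version: int = 0x0302) -> bytes:
    """Wrap a fragment in a TLS 1.1 record header (constructed test data)."""
    return RECORD_HDR.pack(ctype, version, len(fragment)) + fragment


def heartbeat(hb_type: int, declared: int, payload: bytes,
              padding: bytes = b"\x00" * MIN_PADDING) -> bytes:
    """Build a heartbeat message; declared may disagree with len(payload)."""
    return HB_HDR.pack(hb_type, declared) + payload + padding


def analyse(session: List[Tuple[str, bytes]]) -> List[Finding]:
    tracker = HeartbeatTracker()
    for direction, record in session:
        tracker.feed(direction, record)
    return tracker.findings


# Constructed sample sessions: an honest keep-alive, then a request that
# declares 16 KiB of payload but sends none, answered by a vulnerable server.
BENIGN_SESSION = [
    ("c2s", tls_record(HEARTBEAT, heartbeat(HB_REQUEST, 4, b"ping"))),
    ("s2c", tls_record(HEARTBEAT, heartbeat(HB_RESPONSE, 4, b"ping"))),
]
ATTACK_SESSION = [
    ("c2s", tls_record(HEARTBEAT, heartbeat(HB_REQUEST, 0x4000, b""))),
    ("s2c", tls_record(HEARTBEAT, heartbeat(HB_RESPONSE, 0x4000, b"A" * 0x4000))),
]

if __name__ == "__main__":
    for name, session in (("benign", BENIGN_SESSION), ("attack", ATTACK_SESSION)):
        print(name)
        for f in analyse(session):
            print(f"  {f.meta_key} = {f.value!r}  [{f.detail}]")
```

The length comparison is the important part: a patched server either ignores the over-length request or echoes only what it received, so a response larger than the request is the observable symptom of the leak, independent of what the leaked bytes contain.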

 

 

 

The categories of new and updated content are as follows:

Application Rules

Event Stream Analysis Rules

Log (Device) Parsers

LUA Parsers

Flex Parsers

Security Analytics Rules

The Latest Research from RSA

Introducing a new blog post that details how emergent malware is designed to defeat hash-based detection.

The Malware Factory and Massive Morphing Malware

https://community.emc.com/community/connect/rsaxchange/netwitness/blog/2014/03/26/the-malware-factory-and-massive-morphing-malware

RSA’s FirstWatch team has posted a blog detailing a new variant of Kazy that uses a wrapped JSON file for its command and control. A simple detection rule is included, as is a PCAP for analysis and testing purposes.

New Kazy Variant: Kazy Force

https://community.emc.com/community/connect/rsaxchange/netwitness/blog/2014/03/28/new-kazy-variant-kazy-forces

Additionally, RSA’s Content team is updating log parser support for major IDS/IPS vendors as they release Heartbleed-specific signatures. The Content team has already updated support for Cisco, Snort, and Sourcefire, with more to be added as signatures become available.

We look forward to presenting you new content updates next month!

Regards,

The RSA Security Analytics Content Team

Content Updates

Updated Application Rules

Enhanced

Title: suspicious php put long query

Desc: Detects HTTP PUT requests to PHP pages that include extremely long query strings. This behavior is often indicative of encoded botnet or malware check-in traffic.

New ESA Rules

Title: Detect Port Knocking Packet

Desc: Detects when four failed connection attempts are followed by a successful connection from the same source within the specified time period. You can configure the time period (default is five minutes), the IP sources to exclude from the alert (a list of IP addresses), and the port range (RANGE followed by the port numbers).

Title: Multiple Login Failures from Same Source IP with Unique Usernames

Desc: Detects multiple failed login events from the same source IP address, each with a different username, within the specified time period. You can configure the time period (default is 180 seconds) and the number of failed logins (default is three).
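Both rules above are time-windowed correlations: a sequence of four failures followed by a success within five minutes, and a count of distinct usernames per source within 180 seconds. As an added example (not RSA's ESA rule code), the following re-implements both in plain Python over a constructed event stream. The field names (ip.src, tcp.dstport, outcome, user, ec.activity, ec.outcome), the exclude list and the sample events are assumptions chosen to resemble Security Analytics meta, not the rules' actual definitions.

```python
"""Two of the new ESA rules re-implemented as plain Python correlations
(added example, not RSA's ESA rule code). Field names, the exclude list and
the sample events are constructed assumptions resembling SA meta."""
from collections import defaultdict, deque
from typing import Any, Deque, Dict, List, Optional, Sequence, Tuple

Event = Dict[str, Any]
Alert = Dict[str, Any]


class PortKnockRule:
    """Four failed connections from one source followed by a success within
    the window; excluded sources and ports outside the range are ignored."""

    def __init__(self, window: int = 300, failures: int = 4,
                 exclude: Sequence[str] = (), port_range: Tuple[int, int] = (1, 65535)):
        self.window, self.failures = window, failures
        self.exclude, self.port_range = set(exclude), port_range
        self.fails: Dict[str, Deque[int]] = defaultdict(deque)  # src -> failure times

    def feed(self, ev: Event) -> Optional[Alert]:
        if ev["type"] != "packet" or ev["ip.src"] in self.exclude:
            return None
        if not self.port_range[0] <= ev["tcp.dstport"] <= self.port_range[1]:
            return None
        src, now = ev["ip.src"], ev["time"]
        recent = self.fails[src]
        while recent and recent[0] < now - self.window:   # expire old failures
            recent.popleft()
        if ev["outcome"] == "failed":
            recent.append(now)
            return None
        if ev["outcome"] == "success" and len(recent) >= self.failures:
            knocks = len(recent)
            recent.clear()                                  # one alert per burst
            return {"rule": "Detect Port Knocking Packet", "ip.src": src,
                    "failures": knocks, "time": now}
        return None


class UniqueUserFailureRule:
    """Three or more failed logons from one source with distinct usernames
    inside the window (default 180 s)."""

    def __init__(self, window: int = 180, threshold: int = 3):
        self.window, self.threshold = window, threshold
        self.recent: Dict[str, Deque[Tuple[int, str]]] = defaultdict(deque)

    def feed(self, ev: Event) -> Optional[Alert]:
        if ev["type"] != "log" or ev["ec.activity"] != "Logon" or ev["ec.outcome"] != "Failure":
            return None
        src, now = ev["ip.src"], ev["time"]
        recent = self.recent[src]
        while recent and recent[0][0] < now - self.window:
            recent.popleft()
        recent.append((now, ev["user"]))
        users = sorted({u for _, u in recent})              # distinct names only
        if len(users) >= self.threshold:
            recent.clear()
            return {"rule": "Multiple Login Failures from Same Source IP with Unique Usernames",
                    "ip.src": src, "users": users, "time": now}
        return None


def run_rules(events: List[Event], exclude: Sequence[str] = ("10.0.0.99",)) -> List[Alert]:
    """Replay events in time order through fresh rule instances; return alerts.
    The default exclude list is a constructed example value."""
    rules = [PortKnockRule(exclude=exclude), UniqueUserFailureRule()]
    alerts: List[Alert] = []
    for ev in sorted(events, key=lambda e: e["time"]):
        for rule in rules:
            alert = rule.feed(ev)
            if alert:
                alerts.append(alert)
    return alerts


def packet(t: int, src: str, dport: int, outcome: str) -> Event:
    return {"type": "packet", "time": t, "ip.src": src, "ip.dst": "10.0.0.20",
            "tcp.dstport": dport, "outcome": outcome}


def logon_failure(t: int, src: str, user: str) -> Event:
    return {"type": "log", "time": t, "ip.src": src, "user": user,
            "ec.activity": "Logon", "ec.outcome": "Failure"}


# Constructed sample stream.
SAMPLE_EVENTS = (
    # 10.0.0.5 knocks four closed ports, then connects within two minutes: alert
    [packet(1000 + 10 * i, "10.0.0.5", p, "failed") for i, p in enumerate((21, 22, 23, 25))]
    + [packet(1100, "10.0.0.5", 8080, "success")]
    # 10.0.0.99 does the same but is on the exclude list: no alert
    + [packet(1000 + 10 * i, "10.0.0.99", p, "failed") for i, p in enumerate((21, 22, 23, 25))]
    + [packet(1100, "10.0.0.99", 8080, "success")]
    # three different usernames fail from one source within 90 s: alert
    + [logon_failure(2000, "203.0.113.7", "alice"), logon_failure(2040, "203.0.113.7", "bob"),
       logon_failure(2090, "203.0.113.7", "carol")]
    # one user failing three times is a different pattern: no alert from this rule
    + [logon_failure(2000 + 30 * i, "198.51.100.4", "dave") for i in range(3)]
)

if __name__ == "__main__":
    for a in run_rules(SAMPLE_EVENTS):
        print(a)
```

Clearing a source's window after it fires keeps each burst to a single alert, which is the behaviour an analyst wants from a correlation rule; without it, every further event in the window would re-trigger the same alert.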

 

Title: Detects Router Configuration Attempts

Desc: Detects when someone tries to change a router configuration. The alert triggers when the Event Classification Tags (ECT) of ec.subject is equal to Configuration, ec.activity is equal to Modify, and device.class is equal to Router. The alert also triggers when the NWFL_config:router-change application rule is matched.

Title: Multiple SYN packets from Same Source

Desc: Detects when the specified number of SYN packets from the same source occur in the specified time period. You can configure the time period (default is 60 seconds) and the SYN count (default is 100 packets).

Title: Backdoor Activity Detected

Desc: Detects backdoor activity within log files. The rule triggers an alert when the Event Classification Tags (ECT) of ec.theme is equal to TEV and ec.activity is equal to Detect, in combination with a variation of the backdoor keyword found in policy.name or event.category.name. You can add to the list of backdoor names that the rule looks for by default in both policy.name and event.category.name.

Title: Windows User Added to Administrators Group and Security Disabled

Desc: Detects when a Windows user was added to an administrative group and the security center or manager was disabled within the specified time period. You can configure the list of administrator groups and the time period (default is five minutes). Note: This rule uses the non-standard meta keys accesses and event.desc. You must implement these non-standard meta keys after you download this rule.

Title: Detection of Encrypted Traffic to Countries

Desc: Detects when there is encrypted traffic to an IP address registered in the specified list of destination countries. Note: You must upload and enable the TLS_lua parser, the SSH_lua parser and their dependencies on the Decoder. You can configure the list of destination countries using a colon ":" as the delimiter between countries.

Title: Multiple Logs from a MsgID Set with Same SourceIP and DestinationIP

Desc: Detects when multiple log events from the specified list of message IDs, with the same source IP and destination IP, take place in the specified time period. You can configure the number of log events (default is three), the list of message IDs, and the time period (default is 300 seconds).

Title: Multiple Unique Logs from MsgID Set with Same SourceIP and DestinationIP

Desc: Detects when the specified number of log events from the specified list of message IDs (each log must have a different message ID from the specified set), with the same source IP and destination IP, occur in the specified time period. You can configure the number of log events (default is three), the list of message IDs, and the time period (default is 300 seconds).

Updated ESA Rules

Title: Multi-Service connection attempts_Pckt

Desc: Detects multiple connection failures, based on packet data, from the same source to multiple common service ports (destination ports, e.g. TCP 21, 22, 23, 25, 80, 8080, 443) of the same destination within a time period of five minutes. The time window, the list of destination ports to be monitored, and the number of connection attempts are configurable.

Title: Account Created and Deleted within an hour.

Desc: Detects when an account is created and then deleted within an hour.

New Log Parsers

Title: Oracle Access Manager

Desc: Log Device content for event source Oracle Access Manager - oracleam

Updated Log Parsers

Title: Envision Content File

Desc: This file is used to update the content file for NWFL

Title: Arbor Peakflow SP

Desc: Log Device content for event source Arbor Peakflow SP - arborpeakflowsp

Title: F5 BigIP

Desc: Log Device content for event source F5 BigIP - bigip

Title: Blue Coat ELFF

Desc: Log Device content for event source Blue Coat ELFF - cacheflowelff

Title: Cisco ASA

Desc: Log Device content for event source Cisco ASA - ciscoasa

Title: Cisco Secure IDS XML

Desc: Log Device content for event source Cisco Secure IDS XML - ciscoidsxml

Title: Cisco Security Agent

Desc: Log Device content for event source Cisco Security Agent - ciscosecagent

Title: Dragon IDS

Desc: Log Device content for event source Dragon IDS - dragonids

Title: eEye Blink

Desc: Log Device content for event source eEye Blink - eeyeblink

Title: eEye REM

Desc: Log Device content for event source eEye REM - eeyerem

Title: F5 Firepass

Desc: Log Device content for event source F5 Firepass - firepass

Title: Fortinet FortiGate

Desc: Log Device content for event source Fortinet FortiGate - fortinet

Title: Infoblox NIOS

Desc: Log Device content for event source Infoblox NIOS - infobloxnios

Title: IntruShield

Desc: Log Device content for event source IntruShield - intrushield

Title: Invincea

Desc: Log Device content for event source Invincea - invincea

Title: McAfee Email Gateway

Desc: Log Device content for event source McAfee Email Gateway - ironmail

Title: iSeries

Desc: Log Device content for event source iSeries - iseries

Title: ISS Realsecure

Desc: Log Device content for event source ISS Realsecure - iss

Title: Juniper SSL VPN

Desc: Log Device content for event source Juniper SSL VPN - junipervpn

Title: Kaspersky Anti-Virus

Desc: Log Device content for event source Kaspersky Anti-Virus - kasperskyav

Title: Microsoft Exchange

Desc: Log Device content for event source Microsoft Exchange - msexchange

Title: Netapp

Desc: Log Device content for event source Netapp - netapp

Title: Netscreen

Desc: Log Device content for event source Netscreen - netscreen

Title: Oracle

Desc: Log Device content for event source Oracle - oracle

Title: Palo Alto Networks Firewall

Desc: Log Device content for event source Palo Alto Networks Firewall - paloaltonetworks

Title: SAP ERP Central Component

Desc: Log Device content for event source SAP ERP Central Component - sap

Title: Snort/Sourcefire

Desc: Log Device content for event source Snort/Sourcefire - snort

Title: Symantec AntiVirus/Endpoint Protection

Desc: Log Device content for event source Symantec AntiVirus/Endpoint Protection - symantecav

Title: Trend Micro Deep Security

Desc: Log Device content for event source Trend Micro Deep Security - trendmicrods

Title: Trend Micro Deep Security Agent

Desc: Log Device content for event source Trend Micro Deep Security Agent - trendmicrodsa

Title: VMware ESX / ESXi

Desc: Log Device content for event source VMware ESX / ESXi - vmware_esx_esxi

Title: VMware View

Desc: Log Device content for event source VMware View - vmware_view

Title: Windows Events (NIC)

Desc: Log Device content for event source Windows Events (NIC) - winevent_nic

Title: Linux

Desc: Log Device content for event source Linux - rhlinux

New Lua Parsers

Title: TFTP_lua

Desc: Identifies Trivial File Transfer Protocol and extracts the names of files transferred.

Updated Lua Parsers

Title: TLS_lua

Desc: Identifies TLS and SSL sessions. Extracts the Certificate Authority Subject and Serial Number from X.509v3 certificates.

Title: MAIL_lua

Desc: Replicates in Lua the functionality of the native and Flex MAIL parsers. Extracts values such as from, to, and subject from email messages.

Title: rtmp_lua

Desc: Identifies tunneled Real Time Messaging Protocol (RTMP) packets.

Title: fingerprint_job

Desc: Identifies Windows .job task scheduling files.

Title: RDP_lua

Desc: Identifies the Microsoft Remote Desktop Protocol.

Title: windows executable

Desc: Identifies Windows executables and analyzes them for anomalies and other suspicious characteristics.

Title: IRC_verbose_lua

Desc: Expanded IRC parsing implemented in Lua.

Updated Flex Parsers

Title: TLS

Desc: Parses SSL/TLS certificates. Specifically, it looks for the first certificate in a chain and extracts the Issuer Organizational Name (meta ssl.ca), Subject Organizational Name (meta ssl.subject), and Subject Common Name (meta alias.host).

Title: DNS - Verbose

Desc: Identifies DNS sessions. Registers queries and responses, including record types. Registers protocol errors. Detects and registers anomalies.

Title: Advanced Windows Executable

Desc: Detects executable content and assigns it a threat rating according to the level of code obfuscation evident in the binary structure.

Title: Botnet Traffic Patterns

Desc: Detects patterns associated with many known botnets.

Title: File Fingerprints

Desc: Forensically fingerprints various file types.

NOTE: This parser is deprecated; the individual "fingerprint_*" parsers should be used in its place.

Updated Security Analytics Rules

Title: Failed Remote Access Summary

Desc: Compliance Rule - Failed Remote Access Summary

Title: Successful Remote Access Summary

Desc: Compliance Rule - Successful Remote Access Summary

Seeking Customer Developed Parsers, Rules, and Reports

Security Analytics content will be evolving in 2014, both in functionality and presentation. We’d like to work more closely with our customers in order to provide content that helps you find the threats that matter most to you. Your feedback, suggestions, and general questions are always appreciated.

- Have you created a parser, rule, or report that you think is widely applicable across the SA User Community? Let us know about it! Reach out to us at:

ASOC-LIVE-CONTENT@emc.com

Your emails will go directly to the Content Management team, and we look forward to working with you to help evolve our content offering.

- Do you want to request support for a new log source or protocol?

For Log Parser Requests go here: https://emcinformation.com/64308/REG/.ashx

For Protocol Parser Requests go here: https://emcinformation.com/139605/SI/.ashx

- Do you want to request use cases for Event Stream Analysis Rules?

Please use our request form: https://emcinformation.com/204401/REG/.ashx

- The content team will also be heavily engaged with the EMC Community portal this year. Not only is the Community a great place for us to communicate directly with our customers, but it’s a wonderful resource for our customers to gain tips and tricks from our research engineers as well as early access to our various pieces of security research. Not a member? Sign up here:

https://developer-content.emc.com/login/register.asp
