
RSA NetWitness Platform

74 Posts authored by: RSA Admin Employee

GlassRAT is a newly identified Remote Access Trojan (RAT) with zero antivirus detection at the time of writing. It has recently been associated with several targeted attacks, and it is suspected to have operated under the radar for several years.

In this blog post we will discuss how to detect its dropper, malicious files, and C2 communication.

 

The diagram below shows the GlassRAT lifecycle from infection to persistence.

 

[Image: GlassRAT lifecycle diagram, from infection to persistence]

 

Once a machine is infected, the attacker uses the reverse shell to access the victim's PC.

When the installer program (the "dropper"), flash.exe, landed and executed on the device, RSA ECAT detected it and automatically downloaded it for investigation. For the dropper specifically, a "chain revoked" alert was triggered.

 

[Image: RSA ECAT Module view of the dropper]

The next RSA ECAT screenshot shows the dropper writing the malicious code to the device, creating updatef.dll.

[Image: RSA ECAT screenshot of flash.exe creating updatef.dll]

 

The screenshot below shows the network activity in the RSA Security Analytics Investigator: rundll32.exe beaconing out, which triggers the newly created GlassRAT parser (available in the report annex and in RSA Live) and identifies the infected host's C2 handshake by the following hard-coded string: '0x cb ff 5d c9 ad 3f 5b a1 54 13 fe fb 05 c6 22'.

[Image: RSA Security Analytics Investigator view of the rundll32.exe beacon and GlassRAT parser meta]

 

Assuming the appropriate meta keys are enabled, the following queries can also be used to identify:

  • Windows command shell communication: service = 0 && tcp.dstport = 80 && risk.warning = 'windows command shell'
  • Protocol-abusing raw socket connections, flagged as 'unknown service over http port' and 'unknown service over ssl port' under the 'Risk: Informational' meta key by the 'nw60125' application rule.

 

[Image: RSA Security Analytics query results for the command shell and unknown service sessions]
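As an added example (not the GlassRAT Lua parser from RSA Live, and not code from the original post), the stand-alone Python check below applies the two signals above to captured sessions: a port 80/443 session that no protocol parser recognises (the NetWitness equivalent of service = 0) and a payload carrying the hard-coded handshake bytes. The session records and payloads are constructed.

```python
# Added example, not RSA code: scan captured sessions for the GlassRAT signals
# described above (protocol abuse on web ports and the hard-coded C2 handshake).
from typing import Dict, List, Union

# The hard-coded C2 handshake quoted in the post:
# '0x cb ff 5d c9 ad 3f 5b a1 54 13 fe fb 05 c6 22' (15 bytes).
GLASSRAT_HANDSHAKE = bytes.fromhex("cbff5dc9ad3f5ba15413fefb05c622")

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ",
                b"OPTIONS ", b"CONNECT ", b"TRACE ", b"PATCH ")
# Ports watched by the 'unknown service over http/ssl port' application rules.
WEB_PORTS = {80: "http", 443: "ssl"}


def parse_handshake_literal(text: str) -> bytes:
    """Convert the post's '0x cb ff ...' notation into raw bytes."""
    return bytes(int(tok, 16) for tok in text.replace("0x", " ").split())


def classify_service(payload: bytes) -> Union[str, int]:
    """Tiny stand-in for service identification: 'http', 'ssl', or 0 when no
    parser recognises the stream (NetWitness reports such sessions as service = 0)."""
    if payload[:1] == b"\x16" and payload[1:2] == b"\x03":
        return "ssl"  # TLS handshake record header (0x16, version 0x03xx)
    if payload.startswith(HTTP_METHODS):
        return "http"
    return 0


def analyze_session(session: Dict) -> List[str]:
    """Return the findings for one session: a protocol-abuse flag for a raw
    socket on a web port, and/or the offset of the GlassRAT handshake bytes."""
    payload = session["payload"]
    port = session["tcp.dstport"]
    findings: List[str] = []
    if classify_service(payload) == 0 and port in WEB_PORTS:
        findings.append(f"unknown service over {WEB_PORTS[port]} port")
    offset = payload.find(GLASSRAT_HANDSHAKE)
    if offset >= 0:
        findings.append(f"glassrat handshake at offset {offset}")
    return findings


def scan_sessions(sessions: List[Dict]) -> Dict[int, List[str]]:
    """Map session id -> findings for every session that produced at least one."""
    hits: Dict[int, List[str]] = {}
    for session in sessions:
        findings = analyze_session(session)
        if findings:
            hits[session["id"]] = findings
    return hits


# Constructed sample sessions (not real capture data): ordinary HTTP, a TLS
# client hello, a raw socket on port 80 carrying the handshake, and the same
# raw payload on a non-web port.
SAMPLE_SESSIONS = [
    {"id": 1, "ip.src": "10.0.0.12", "ip.dst": "203.0.113.10", "tcp.dstport": 80,
     "payload": b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"},
    {"id": 2, "ip.src": "10.0.0.12", "ip.dst": "203.0.113.11", "tcp.dstport": 443,
     "payload": b"\x16\x03\x01\x00\x5a\x01\x00\x00\x56\x03\x03" + b"\x00" * 32},
    {"id": 3, "ip.src": "10.0.0.12", "ip.dst": "198.51.100.7", "tcp.dstport": 80,
     "payload": b"\x00\x0f" + GLASSRAT_HANDSHAKE + b"\x01\x00\x00\x00"},
    {"id": 4, "ip.src": "10.0.0.12", "ip.dst": "198.51.100.8", "tcp.dstport": 8080,
     "payload": b"\x00\x0f" + GLASSRAT_HANDSHAKE},
]

if __name__ == "__main__":
    for sid, findings in scan_sessions(SAMPLE_SESSIONS).items():
        print(f"session {sid}: {'; '.join(findings)}")
```

Session 3 produces both findings; session 4 carries the handshake but is not on a web port, so only the byte-signature finding fires.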

All of the IOCs from those HTTP sessions were added to the following RSA FirstWatch Live feeds:

  • RSA FirstWatch APT Threat Domains
  • RSA FirstWatch APT Threat IPs

 

To read the full report navigate here: https://blogs.rsa.com/peering-into-glassrat/

The RSA Content team is pleased to announce the addition of new and updated content to the RSA Live Content Library! 

 

During the month of September, we have made the following content available through RSA Live:

 

 

  • Updated ESA Rule that detects remote data harvesting

 

  • New Log parser support for Airtight Management Console that allows visibility into security and system events

 

  • 23 Updates to Log parsers that improve parsing accuracy and support newer versions of event sources

 

 

For a full breakdown of new/updated content released to RSA Live, go here:

 

Content Announcement

 

Also, you can view our entire content library and content request portals here:

 

RSA Live Content

Content Request Portals

 

 

In the future, the Content Team will continue to concentrate on improving the turn-around on content defects. Our primary focus is to increase parsing accuracy and eliminate parsing inconsistencies. We also are working on a meta dictionary output which will allow you to see what meta is generated on a per parser basis. Last but not least, we are investigating multiple threat intelligence content opportunities to ensure we are delivering the best of breed threat detection content!

 

We look forward to sharing some great updates with you next month!

 

 

Regards,

 

The ASOC Content Team

ASOC.Content@rsa.com

The RSA Content team is pleased to announce the addition of new and updated content to the RSA Live Content Library! 

 

During the month of August, we have made the following content available through RSA Live:

 

  • New Event Stream Analysis (ESA) rules (4) that will help analysts detect RATs and suspicious AWS environment changes. We also released a rule that indicates a potential two-stage malware dropper

 

  • Updates to Event Stream Analysis (ESA) rules (7) that will limit noise in customer ESA environments and ensure the most targeted and up-to-date intelligence in our rule library

 

  • 1 Addition to our Application rule set that allows analysts to detect a domain controller or directory server engaged in port activity outside the expected ports

 

  • Updated feeds from our RSA FirstWatch team that ensure the most targeted and up-to-date intelligence in our feed library

 

  • New Log parser support for Radiator Radius Server that allows visibility into security access control


  • 36 Updates to Log parsers that improve parsing accuracy and support newer versions of event sources

 

 

For a full breakdown of new/updated content released to RSA Live, go here:

 

Content Announcement

 

 

Also, you can view our holistic content library and content request portals here:

 

RSA Live Content

Content Request Portals

 

 

In the future, the Content Team will continue to focus on speeding up the turnaround on content defects. Our primary focus is to increase parsing accuracy and eliminate parsing inconsistencies for our customers. We are also working on a meta dictionary output which will allow you to see what meta is generated on a per-parser basis. Last but not least, we are working on categorizing content in Live by data source (Log, Packet, Log/Packet) so you can navigate to the content that is most important and valid for your environment.

 

We look forward to sharing some great updates with you next month!

 

 

Regards,

 

The ASOC Content Team

ASOC.Content@rsa.com

The RSA Content Team is pleased to announce the addition of new and updated content to the RSA Live Content Library! 

 

Let’s take a look at what we have released to RSA Live during the month of June and July:

 

  • 1 New Event Stream Analysis (ESA) rule
    • This addition to our ESA rule library will help analysts detect potential APT service installation


  • 7 Updates to Event Stream Analysis (ESA) rules
    • This will limit noise in customer ESA environments and ensure the most targeted intelligence in our rule library


  • 3 New Application rules
    • These additions to our Application rule set allow analysts to detect potential ShadowIT within their environment. We also released a rule to detect rogue DHCP servers


  • 1 Update to RSA Security Analytics List
    • This made changes to our User Watchlist by IP list

 

  • 11 New RSA Security Analytics Rules
    • These rules are focused on ShadowIT detection and Security Analytics Administration reports

 

  • 2 New RSA Security Analytics Reports
    • These reports are focused on ShadowIT detection and Security Analytics Administration reports


  • 3 New Log parsers
    • RSA Via Access
    • Evidian
    • IBM Mainframe (Top Secret)


  • 60 Updates to Log parsers
    • Improves parsing accuracy and supports newer versions of event sources

 

 

For a full breakdown of new/updated content released to RSA Live, go here:

 

Content Announcement

 

Also, you can view our holistic content library and content request portals here:

 

RSA Live Content

Content Request Portals

 

 

The next few months will be busy on the content front! We have realigned our team to be much more agile with content releases, so turn around on content defects will increase tremendously. We also are in the final stages of releasing a meta dictionary output which will allow you to see what parser generates what meta. Last but not least, we are working on categorizing content in Live to give you the ability to pinpoint the content that is most important for your enterprise!

 

We look forward to sharing some great updates with you next month!

 

 

Regards,

 

The ASOC Content Team

ASOC.Content@rsa.com

The RSA Content team is pleased to announce the addition of new and updated content to the RSA Live Content Library! 

 

Let’s take a look at what we have released to RSA Live during the month of May:

 

  • 2 New Event Stream Analysis (ESA) rules
    • These additions to our ESA rule library will help analysts detect rogue DHCP servers. This is important detection in order for customers to defend against man-in-the-middle attacks


  • 6 Updates to Event Stream Analysis (ESA) rules
    • This will limit noise in customer ESA environments and ensure the most targeted intelligence in our rule library


  • 6 New Application rules
    • These additions to our Application rule set allow analysts to detect potential denial of service attacks


  • 10 Updates to Application rules
    • This will increase the accuracy of our out-of-the-box Application rules


  • 1 New Lua parser
    • This new FTP protocol parser provides visibility into file transfers


  • 6 Updates to Lua parsers
    • Improves protocol parsing accuracy


  • 1 New Log parser
    • BigIP Advanced Firewall Manager – Network based firewall. Based on the set policies, AFM has the ability to accept/reject/drop the traffic


  • 24 Updates to Log parsers
    • Improves parsing accuracy and supports newer versions of event sources

 

 

 

For a full breakdown of new/updated content released to RSA Live, go here:

 

May Announcements


 

Also, you can view our holistic content library and content request portals here:

 

RSA Live Content

Content Request Portals

 

 

The next few months will be busy on the content front! In addition to our ESA rule library project , we will be releasing rules and reports to help our customers detect ShadowIT within their organization. We also will be releasing some great content that provides visibility into AWS environments. To top it all off, we will be delivering reports for Security Analytics auditing use cases!

 

We look forward to sharing some great updates with you next month!

 

 

Regards,


The ASOC Content Team

ASOC.Content@rsa.com

The RSA Content team is pleased to announce the addition of new and updated content to the RSA Live Content Library! As always the Content team has been heads down reviewing our existing Event Stream Analysis (ESA) rule library. This massive effort is focused on ensuring accuracy and organization around our current correlative capabilities. We are going above and beyond validating the logic of the rules, and we are leveraging our team of subject matter experts to eliminate false positives and ensure an extremely targeted rule set.

 

Let’s take a look at what we have released to RSA Live during the month of April:

 

  • 18 Updates to Event Streaming Analysis (ESA) rules
    • This will limit noise in customer ESA environments and ensure the most targeted intelligence in our rule library

 

  • 25 Lua parser updates
    • This effort enhances parser performance, relieves memory issues, and ensures no duplication of generated meta

 

  • 11 Application Rule updates
    • Addresses an issue where the “filter” app rules were not set to “filter”

 

  • 2 New Log parsers
    • Microsoft URL Scan - MS URL Scan is a tool that identifies the different types of HTTP requests sent to an IIS server, giving SA visibility into blocked/rejected URLs
    • UnboundID Identity Store access log events are supported

 

  • 26 Log parser updates
    • Improves parsing accuracy and supports newer versions of event sources


 

For a full breakdown of new/updated content released to RSA Live, go here:

 

April Announcements

 

Also, you can view our holistic content library and content request portals here:

 

RSA Live Content

Content Request Portals

 

 

The next few months will be an exciting time for the Content Team! We will be finishing up our ESA rule library project and also focusing on rules and reports to enable alerting for critical activity with AWS environments. We are also planning on releasing some cool content for ShadowIT detection!

 

We look forward to sharing some great updates with you next month!

 

 

Regards,


The ASOC Content Team

ASOC.Content@rsa.com

RSA Security Analytics customers,


RSA is pleased to announce the addition of new and updated content to the RSA Live Content Library. New content added to RSA Live during the month of March:

 

  • 2 new Application rules for detecting internal web traffic to remote administration tools
  • 29 Updates to Event Streaming Analysis (ESA) rules to provide more targeted rule logic
  • 5 Lua parser updates
  • New Log parser support for Entrust Identity Guard
  • 40 Log parser updates that improve parsing accuracy and support newer versions of event sources

 

 

You can find our latest content catalog here:

 

https://sadocs.emc.com/0_en-us/300_RSA_ContentAndResources

 

Additionally, the RSA Content Team will continue our intensive review of our current ESA rule library.  This effort means there will be less noise and more targeted intelligence with our ESA (correlation) rules.

 

If you have an interesting use case for a piece of content, let us know about it by mailing us at:

 

ASOC.Content@rsa.com

 

Regards,

The ASOC Content Team

 

RSA Security Analytics customers,


The first couple of months of 2015 have been very busy on the content front! Our RSA Live and Content Team is mid-way through a Herculean effort to review (and in some cases rewrite) our current ESA rule library to provide more targeted rule logic. Through all of this activity the content factory keeps rolling. Let’s take a quick look at what we have released so far this year:


  • Application rules for detecting the downloads of remote access and Active Directory database extraction tools
  • ESA rules for using NetFlow to detect spamming internal hosts, worm propagation, and web-based DoS attacks
  • ESA rules for detecting suspicious administrative activity as well as service and protected account manipulation
  • 34 ESA rule updates
  • Lua parsers for parsing SIP and NetBIOS, as well as isolating the queries from common search engines
  • Log parser for VMware NSX
  • 43 Log parser updates

 

 

 

 

The year has started out strong and we have a lot of content in the development pipeline for the first half of this year!

 

As always, we look forward to working with you to further refine our content offering and help make Security Analytics the undisputed market leader for detecting advanced threats. You can find our latest content catalog here:

 

https://sadocs.emc.com/0_en-us/300_RSA_ContentAndResources


If you have an interesting use case for a piece of content, let us know about it by mailing us at:

 

ASOC.content@rsa.com

 

Regards,

The ASOC Content Team

Season’s Greetings!

It’s December and we’re bringing another year of content delivery to a close. This year we’ve worked closely with you to develop processes to provide a more streamlined content production pipeline, as well as provide a more consistent method of communicating content availability. The net result is that the team produced more content in 2014 than ever before!

So how productive were we? I’m glad you asked! The team produced 574 new pieces of content this year. Let’s take a look at the breakdown:

Content Type                                        Count
Log Parsers and Collectors                            294
Net New Report Engine (RE) Rules                      102
Net New Event Stream Analysis (ESA) Rules              74
Net New Reports                                        43
Net New Application Rules                              23
Net New Basic Correlation Rules                        14
Net New LUA Parsers                                    12
Net New Report Engine (RE) Lists                        7
Net New Feeds                                           3
Net New Advanced Analytics / Data Science Models        1
Net New Flex Parser                                     1


Of particular note is that we've produced some significant content "firsts" with regard to the type of content we are providing. I'm referring to our NetFlow, ECAT, and Advanced Analytics / Data Science content. These will lay the foundation for even more advanced content offerings in 2015 with Security Analytics 10.5 and beyond. While not as glamorous or exciting, we've also done quite a bit of content housekeeping, with over 50 feeds retired and countless log parsers updated. All in all, not a bad year. Next year will be even better.
   

Our content release notification for December can be found here.

 

The RSA Content Team wishes you and yours a happy holiday season and an excellent New Year.  See you in 2015!

Regards,

 

The ASOC Content Team

 

RSA is pleased to announce the addition of new and updated content to the RSA Live Content Library.

 

RSA Research

Just in time for shopping season, we'd like to bring to your attention two research papers written by our RSA Incident Response team. Both papers are excellent examples of how RSA Security Analytics and RSA ECAT can be used together to identify malicious activity, specifically focused on point-of-sale attacks and malware. They can be found on the Community here https://community.emc.com/docs/DOC-40472 and here https://community.emc.com/docs/DOC-40473

Our research team, RSA FirstWatch, has also posted a blog on the Community outlining how to use Security Analytics to detect variants of the YAKES Trojan. You can find the blog post here:

https://community.emc.com/docs/DOC-40349

New Content

We have created a bundle of new rules that use both our own intelligence feeds and RSA ECAT endpoint alerts, which can now be used for incident detection with the Event Stream Analysis (ESA) appliance. We've also created rules that use IPS logs and host logs to detect DoS-style attacks and service shutdowns, as well as instances of mass audit log clearing. Lastly, we've updated our 3rd party IOC feeds to include IOCs common to the activity of APT28, the suspected Russian threat group.

On the log front we have added log support for Bluecoat IPAM, DNS & DHCP as well as the Jenkins integration platform. We've also performed updates to 28 of our device log parsers.

For a full list of New and Updated Content for November, please go here:

November Announcements

 

NEW! To view the entire library of content go to the  “Content and Resource” section on RSA Security Analytics Docs (SA Docs):

https://sadocs.emc.com/0_en-us/300_RSA_ContentAndResources

 

We look forward to presenting you new content updates next month!

Regards,

The RSA Security Analytics Content Team

RSA Admin

Point of Sale Best Practices

Posted by RSA Admin Employee Nov 18, 2014

The Financial Services Information Sharing and Analysis Center (FS-ISAC), the United States Secret Service (USSS), and the Retail Cyber Intelligence Sharing Center (R-CISC) have published an advisory on Point of Sale (POS) best practices.

 

The advisory provides information on and recommends possible mitigations for common cyber exploitation tactics, techniques and procedures (TTPs) consistently and successfully leveraged by attackers in the past year.

 

Many of these TTPs have been observed by the FS-ISAC, through its members, and identified in Secret Service investigations.

 

You can find the advisory on the FS-ISAC website at:

https://www.fsisac.com/sites/default/files/news/HolidaySeason-PointOfSale-BestPractices-11072014.pdf

Dear Valued RSA Customer,

RSA is pleased to announce the addition of new and updated content to the RSA Live Content Library. We have added several useful submission links this month, so please take a moment to review this announcement about the latest tools we are providing you to detect threats to your environment.

 

New and updated content includes:

 

Application Rules – new rules include the ability to detect outbound MS Outlook PFF files, outbound TOR connections, proxy detection and more

Reporting Engine (RE) Reports – A new report on anonymous proxy and remote control activity has been added

Reporting Engine (RE) Rules – new rules to detect anonymous access, use of remote client download sites and suspicious tunneling and more

Event Stream Analysis (ESA) Rules – There are many new correlation rules including aggressive scan detection, logins across multiple platforms, password cracker tools and many more

Log (Device) Parsers (ESU 73) – New parsers for vCenter and many updated parsers

 

As a reminder, we are always seeking your input and custom-developed parsers, rules and reports. Please see the instructions below to learn how to submit, or visit the RSA Security Analytics Community, where you'll also find previous RSA Live Content updates: https://community.emc.com/community/connect/rsaxchange/netwitness

 

We look forward to presenting you new content updates next month!

Regards,

The RSA Security Analytics Content Team

 

Content Updates

 

New Application Rules

 

Title: Outbound MS Outlook PFF file

Desc: Detects outbound MS Outlook Personal Folder File (PFF) filetypes.

  • It does not differentiate between types of PFF (e.g. .pst, .ost, .pab).

 

Title: Tor Outbound

Desc: Detects an encrypted network session to an external (non RFC-1918) IP destination that shows at least one indicator of using the Tor protocol for anonymous data access.

The possible indicators of Tor are communication:

  • Over a common Tor destination port of 9001, 9030, 9050 or 9051
  • Communication with a known Tor tunnel node. The RSA feeds of Tor Nodes and Tor Exit Nodes are required for this indicator.

An encrypted network session is identified as service 443 (HTTPS), 22 (SSH) or IP protocol 50 (IPSec). A network parser for TLS is required.

 

Title: Proxy Anonymous Services

Desc: Detects use of common proxy services using a list of domains matched against the alias host meta key.  Use of an HTTP network parser is required.

 

Title: Proxy Client Download

Desc: Detects proxy client file downloads by looking for the file name and extension within the filename meta key.  Use of an HTTP network parser is required.

 

Title: Remote Control Client Download

Desc: Detects remote client file downloads by looking for the file name and extension within the filename meta key.  Use of an HTTP network parser is required.

 

Title: Remote Control Client Website

Desc: Detects use of common remote client download sites using a list of domains matched against the alias host meta key. Use of an HTTP network parser is required.

 

New Reporting Engine (RE) Reports

 

Title: Anonymous Proxy and Remote Control Activity

Desc: Displays suspected use of services, clients or protocols for anonymous access or remote control activities.

 

New Reporting Engine (RE) Rules

 

Title: Anonymous Access by Suspicious Source

Desc: Displays when a user enters or exits through a suspected criminal SOCKS or VPN node. RSA FirstWatch feeds populate the meta keys used within the rule. The rule requires threat.category equal to 'anonymous access' plus threat.desc equal to either 'suspicious-ip', 'criminal vpn service exit node', 'criminal vpn service entry node' or 'criminal socks node'.

 

Title: Anonymous Proxy Service Connection

Desc: Detects use of common proxy services using a list of domains matched against the alias host meta key.  Use of an HTTP network parser is required.

 

Title: Remote Control Client Site

Desc: Detects use of common remote client download sites using a list of domains matched against the alias host meta key. Use of an HTTP network parser is required.

 

Title: Remote Control or Proxy Client Download

Desc: Detects proxy and remote client file downloads by looking for the file name and extension within the filename meta key. Use of an HTTP network parser is required.

 

Title: Tunneling Protocols Outbound

Desc: Displays internal users communicating over tunneling protocols that may indicate inappropriate or anonymous access. This rule includes the SSH and Tor tunneling protocols.

 

 

New Event Stream Analysis (ESA) Rules

 

Title: Aggressive internal web portal scan

Desc: Detects a single host making connection attempts to 20 or more unique IP addresses in 1 minute over any combination of TCP/80 and TCP/443. The time window and unique target number are configurable.

 

Title: Aggressive NetBIOS scan

Desc: Detects a single host making connection attempts to 10 or more unique IP addresses over two of the following three ports within 1 minute: UDP/137, UDP/138, TCP/139.

 

Title: Aggressive Internal Database Scan

Desc: Detects a single host making connections to 10 or more unique IP addresses in 1 minute over any combination of the following ports: TCP/1433, UDP/1434, TCP/3306, TCP/5432, TCP/3351, TCP/1583.

 

Title: Consecutive Login without Logout

Desc: Detects consecutive logins by the same user to the same system without a Logout

 

Title: Suspicious Login without any activity

Desc: Detects a login and logout from a single user with no other recorded activity. The rule is limited to Windows hosts.

 

Title: Low Orbit Ion Cannon DoS tool download

Desc: Detects Low Orbit Ion Cannon DoS tool download from sourceforge.

 

Title: WebSploit tool download

Desc: Detects WebSploit tool download from sourceforge.

 

Title: Suspicious Communication Channel: Sender

Desc: Detects servers that are generating multiple SYN/ACKs to the same host without ever having received a SYN packet from that host. In normal TCP communications, SYN/ACKs should only be sent after receiving an initiating SYN packet.

 

Title: Suspicious Communication Channel: Receiver

Desc: Detects a server responding with a TCP RST to a SYN/ACK multiple times to the same host in one minute. The IP sending the RST (not RST/ACK) may be the receiving side of a covert communication channel.

 

Title: Logins across multiple platforms

Desc: Detects logins from the same user across 3 or more separate platforms within 5 minutes. The time window and unique destination number are configurable.

 

Title: DoS Logged and Service Shutdown

Desc: Detects 2 DoS log events to a host followed by a service on the host shutting down within 5 minutes. This rule requires an IPS/IDS monitoring the segment and reporting to SA, as well as host-based logging configured on the protected servers.

The time window and DoS log event number are configurable. This module uses the non-standard meta key 'disposition'.

 

Title: Remote Password Cracking Tool Use

Desc: Detects login failures from an IP or host source to 3 different IP or host destinations. The time window and login failure number are configurable. This module uses the non-standard meta keys host.src and host.dst.
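The three "Aggressive ... scan" ESA rules listed above share one shape: a count of distinct destinations per source over a set of ports inside a trailing time window. As an added example, not RSA's ESA rule logic, the Python below implements that shape once and parameterises it for the web portal and database rules with the thresholds from their descriptions; the traffic events are constructed.

```python
# Added example, not RSA ESA code: a sliding-window "unique targets per source"
# detector, parameterised with the thresholds from the rule descriptions above.
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import FrozenSet, Iterable, List, Tuple

Event = Tuple[int, str, str, str, int]   # (timestamp_seconds, ip.src, ip.dst, ip.proto, dstport)
Alert = Tuple[str, str, int, int]        # (rule name, ip.src, timestamp, unique targets seen)


@dataclass(frozen=True)
class ScanRule:
    name: str
    ports: FrozenSet[Tuple[str, int]]  # (protocol, port) pairs the rule counts
    unique_targets: int                # "N or more unique IP addresses"
    window_seconds: int                # "in 1 minute"


# Parameters taken from the rule descriptions on this page.
WEB_PORTAL_SCAN = ScanRule("Aggressive internal web portal scan",
                           frozenset({("tcp", 80), ("tcp", 443)}), 20, 60)
DATABASE_SCAN = ScanRule("Aggressive Internal Database Scan",
                         frozenset({("tcp", 1433), ("udp", 1434), ("tcp", 3306),
                                    ("tcp", 5432), ("tcp", 3351), ("tcp", 1583)}), 10, 60)


def detect_scans(events: Iterable[Event], rule: ScanRule) -> List[Alert]:
    """Alert once per source when it has contacted rule.unique_targets distinct
    destinations on the watched ports inside the trailing window; the window is
    then reset so one sweep produces one alert rather than one per extra target."""
    recent = defaultdict(deque)  # ip.src -> deque of (timestamp, ip.dst), oldest first
    alerts: List[Alert] = []
    for ts, src, dst, proto, port in sorted(events):
        if (proto, port) not in rule.ports:
            continue
        window = recent[src]
        window.append((ts, dst))
        while ts - window[0][0] > rule.window_seconds:  # evict events older than the window
            window.popleft()
        unique = {d for _, d in window}
        if len(unique) >= rule.unique_targets:
            alerts.append((rule.name, src, ts, len(unique)))
            window.clear()
    return alerts


def _sweep(src: str, first_ts: int, step: int, count: int, net: str,
           ports: List[Tuple[str, int]]) -> List[Event]:
    """Constructed traffic: src contacts `count` distinct hosts in `net`, one every `step` seconds."""
    return [(first_ts + i * step, src, f"{net}.{i + 1}", *ports[i % len(ports)])
            for i in range(count)]


# Constructed sample traffic (not real capture data).
SAMPLE_EVENTS: List[Event] = (
    _sweep("10.0.0.5", 0, 1, 25, "10.1.0", [("tcp", 80), ("tcp", 443)])   # fast web sweep
    + _sweep("10.0.0.9", 5, 1, 5, "10.1.0", [("tcp", 443)])               # ordinary browsing
    + _sweep("10.0.0.6", 0, 30, 25, "10.2.0", [("tcp", 80)])              # slow sweep, 1 host per 30 s
    + _sweep("10.0.0.7", 100, 1, 12, "10.3.0",
             [("tcp", 1433), ("udp", 1434), ("tcp", 3306)])              # database sweep
)

if __name__ == "__main__":
    for rule in (WEB_PORTAL_SCAN, DATABASE_SCAN):
        for name, src, ts, n in detect_scans(SAMPLE_EVENTS, rule):
            print(f"{name}: {src} reached {n} unique targets at t={ts}s")
```

The slow sweep never holds more than three destinations inside a 60-second window, so it stays below the threshold; lowering the window or threshold in the ScanRule is the equivalent of the "configurable" note in the rule descriptions.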

 

 

New Log Parsers

 

Title: VMware vCenter Orchestrator

Desc: Log Device content for event source VMware vCenter Orchestrator – vmware_vco

 

Title: vCenter Operations Manager

Desc: Log Device content for event source VMware vCenter Operations Manager

 

Title: vCloud Automation Center

Desc: Log Device content for event source VMware vCloud Automation Center

 

 

Updated Log Parsers

 

Title: Tipping Point

Desc: Log Device content for event source Tipping Point

 

Title: Blue Coat ELFF

Desc: Log Device content for event source Blue Coat ELFF

 

Title: Windows Events (Snare)

Desc: Log Device content for event source Windows Events (Snare)

 

Title: Windows Events (NIC)

Desc: Log Device content for event source Windows Events (NIC)

 

Title: VMware vShield

Desc: Log Device content for event source VMware vShield

 

Title: Trend Micro Deep Security Agent

Desc: Log Device content for event source Trend Micro Deep Security Agent

 

Title: Snort/Sourcefire

Desc: Log Device content for event source Snort/Sourcefire

 

Title: Web Threat Detection

Desc: Log Device content for event source Web Threat Detection

 

Title: RSA DLP

Desc: Log Device content for event source RSA DLP

 

Title: RSA Access Manager

Desc: Log Device content for event source RSA Access Manager

 

Title: RSA Adaptive Authentication On Premise

Desc: Log Device content for event source RSA Adaptive Authentication On Premise

 

Title: Rapid7 NeXpose

Desc: Log Device content for event source Rapid7 NeXpose

 

Title: Netscreen IDP

Desc: Log Device content for event source Netscreen IDP

 

Title: Microsoft Exchange

Desc: Log Device content for event source Microsoft Exchange

 

Title: Lotus Domino

Desc: Log Device content for event source Lotus Domino

 

Title: Juniper JUNOS

Desc: Log Device content for event source Juniper JUNOS

 

Title: ISS Realsecure

Desc: Log Device content for event source ISS Realsecure

 

Title: IntruShield

Desc: Log Device content for event source IntruShield

 

Title: IBM WebSphere

Desc: Log Device content for event source IBM WebSphere

 

Title: IBM Mainframe zOS System Log

Desc: Log Device content for event source IBM Mainframe zOS System Log

 

Title: CA ACF2

Desc: Log Device content for event source CA ACF2

 

Title: Fortinet FortiGate

Desc: Log Device content for event source Fortinet FortiGate

 

Title: Dragon IDS

Desc: Log Device content for event source Dragon IDS

 

Title: Cyberoam UTM

Desc: Log Device content for event source Cyberoam UTM

 

Title: Citrix NetScaler

Desc: Log Device content for event source Citrix NetScaler

 

Title: Cisco Secure ACS Appliance

Desc: Log Device content for event source Cisco Secure ACS Appliance

 

Title: Cisco IOS

Desc: Log Device content for event source Cisco IOS

 

Title: Cisco Secure IDS XML

Desc: Log Device content for event source Cisco Secure IDS XML

 

 

 

Seeking Customer Developed Parsers, Rules, and Reports

 

Security Analytics content will be evolving in 2014, both in functionality and presentation. We’d like to work more closely with our customers in order to provide content that helps you find the threats that matter most to you. Your feedback, suggestions, and general questions are always appreciated.

 

Have you created a parser, rule, or report that you think is widely applicable across the SA User Community? Let us know about it! Reach out to us at:

 

ASOC.CONTENT@emc.com


Your emails will go directly to the Content Management team and we are looking forward to working with you to help evolve our content offering.


Do you want to request support for a new log source or protocol?

For Log Parser Requests go here: https://emcinformation.com/64308/REG/.ash

For Protocol Parser Requests go here: https://emcinformation.com/139605/SI/.ashx

 

Do you want to request use cases for Event Stream Analysis Rules?

Please use our request form: https://emcinformation.com/204401/REG/.ashx

 

The content team will also be heavily engaged with the EMC Community portal this year. Not only is the Community a great place for us to communicate directly with our customers, but it’s a wonderful resource for our customers to gain tips and tricks from our research engineers as well as gain early access to our various pieces of security research. Not a member? Sign up here:

 

https://developer-content.emc.com/login/register.asp

I previously wrote about Kargen here. Its main characteristics are a beacon with a fixed filename length, put to a /b/req/ or /b//opt/ directory on a compromised web server.

 

I previously wrote about Chameleon encoding here. Its primary characteristic was domains that were actually hexadecimal color codes, registered, I think, to frustrate researchers searching the internet for the domain names involved in an incident. Instead of information about the incident, web search results only include the matching hex color code embedded in thousands of web pages crawled by the search engines.

 

In the sample below, we can see similar Kargen activity, coupled with beaconing to a Chameleon encoded domain. The Kargen beacon has changed its string lengths a bit, and the Chameleon encoded PUT commands are now URL-encoded beacons rather than search engine strings. Here is a screenshot of that beacon.

 

[Image: screenshot of the Kargen beacon to a Chameleon encoded domain]

 

This PCAP, attached below, is available for everyone to evaluate for new rules to detect this threat. It came from MalwareTrafficAnalysis here, dated 6/29. The infection is the result of the Magnitude Exploit Kit, but the post-infection network traffic should be familiar as Kargen. This threat is new, but it builds on older techniques and methods of botnet masters that we have previously discussed in this space. As always, the domains here will be added to the Live C2 domains list.

 

Please discuss among yourselves how best to detect this new combined variant.
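As a starting point for that discussion, here is an added example (not code from this post or from RSA) that tags the three signals the post describes over constructed HTTP session metadata: a hex color code used as a DNS label, a fixed-length filename under /b/req/ or /b//opt/, and periodic repetition from one source to one host. The beacon length of 16 and the sample records are assumptions; the post gives neither.

```python
import re
import statistics
from collections import defaultdict

# Chameleon encoding: a DNS label that is a six-digit hex color code (e.g. "c0ffee").
HEX_COLOR_LABEL = re.compile(r"^[0-9a-f]{6}$", re.IGNORECASE)

# Kargen beacon directories named in the post.
KARGEN_DIRS = ("/b//opt/", "/b/req/")


def is_chameleon_host(host: str) -> bool:
    """True when any label of the hostname is a hex color code.
    Ordinary words spelled only with hex letters ("decade", "facade") also
    match, so on its own this is a weak signal; combine it with the path check."""
    return any(HEX_COLOR_LABEL.match(label) for label in host.lower().split("."))


def is_kargen_beacon(uri: str, beacon_len: int) -> bool:
    """True when the request path is a single filename of exactly beacon_len
    characters directly under one of the Kargen directories.
    beacon_len is an assumed tuning knob: the post says the length changed
    but does not give the new value."""
    path = uri.split("?", 1)[0]
    for prefix in KARGEN_DIRS:
        if path.startswith(prefix):
            filename = path[len(prefix):]
            return "/" not in filename and len(filename) == beacon_len
    return False


def is_periodic(timestamps, min_hits=3, tolerance=0.2):
    """Beacon check: at least min_hits requests whose inter-arrival gaps all
    stay within `tolerance` (a fraction) of the median gap."""
    if len(timestamps) < min_hits:
        return False
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    median = statistics.median(gaps)
    if median <= 0:
        return False
    return all(abs(g - median) <= tolerance * median for g in gaps)


def detect(records, beacon_len):
    """Group HTTP records by (ip.src, host) and tag each pair.
    Returns {(src, host): set_of_tags} for pairs with at least one tag."""
    groups = defaultdict(list)
    for r in records:
        groups[(r["ip.src"], r["host"])].append(r)
    findings = {}
    for key, reqs in groups.items():
        tags = set()
        if is_chameleon_host(key[1]):
            tags.add("chameleon_domain")
        if any(is_kargen_beacon(r["uri"], beacon_len) for r in reqs):
            tags.add("kargen_beacon")
        if is_periodic([r["time"] for r in reqs]):
            tags.add("periodic")
        # Both weak signals together are the combined variant the post describes.
        if {"chameleon_domain", "kargen_beacon"} <= tags:
            tags.add("kargen_chameleon_combined")
        if tags:
            findings[key] = tags
    return findings


# Constructed sample metadata (epoch seconds, RFC-1918 source, host, uri).
# These are made-up values, not the PCAP attached to the post.
SAMPLE_RECORDS = [
    {"ip.src": "10.0.0.5", "time": 0,   "host": "c0ffee.example.test", "uri": "/b/req/0123456789abcdef"},
    {"ip.src": "10.0.0.5", "time": 300, "host": "c0ffee.example.test", "uri": "/b/req/fedcba9876543210"},
    {"ip.src": "10.0.0.5", "time": 605, "host": "c0ffee.example.test", "uri": "/b/req/00112233aabbccdd"},
    {"ip.src": "10.0.0.5", "time": 120, "host": "www.example.test",    "uri": "/index.html"},
    {"ip.src": "10.0.0.7", "time": 50,  "host": "decade.example.test", "uri": "/news"},  # hex-word false positive
    {"ip.src": "10.0.0.9", "time": 10,  "host": "cdn.example.test",    "uri": "/b/req/short"},  # wrong length
]
BEACON_LEN = 16  # assumed value for the constructed sample

if __name__ == "__main__":
    for (src, host), tags in sorted(detect(SAMPLE_RECORDS, BEACON_LEN).items()):
        print(f"{src} -> {host}: {', '.join(sorted(tags))}")
```

Only the pair that combines the hex-color host with the fixed-length /b/req/ filename gets the combined tag; the "decade" host shows why the domain check alone is not enough.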

 

Good Luck and Happy Hunting!

Dear Valued RSA Customer,

RSA is pleased to announce the addition of new and updated content to RSA Live’s Content Library. We have added a few useful submission links this month, so please take a moment to review the various sections in this announcement to become familiar with the latest tools we are providing you to detect threats to your environment.

 

The categories of new and updated content are as follows:

 

Application Rules

Correlation Rules

RE Rules

RE Reports

Event Stream Analysis Rules

Log (Device) Parsers

Lua Parsers

 

We look forward to presenting you new content updates next month!

Regards,

The RSA Security Analytics Content Team

 

Content Updates

 

New Application Rules

Title: ScribD Document Upload

Desc: Detects document uploads to the site ScribD.

 

Title: Wikileaks Email Submission

Desc: Detects emails being sent to the Wikileaks domain, sunshinepress.org.

 

New Correlation Rules

Title: IPv4 Bulk Data Transfer 20 Mb

Desc: Detects when an IPv4 source and destination address pair exchanges more than 20 MB of data in 5 minutes.

 

Title: IPv6 Bulk Data Transfer 20 Mb

Desc: Detects when an IPv6 source and destination address pair exchanges more than 20 MB of data in 5 minutes.

 

Title: IPv4 Bulk Data Transfer 50 Mb

Desc: Detects when an IPv4 source and destination address pair exchanges more than 50 MB of data in 5 minutes.

 

Title: IPv6 Bulk Data Transfer 50 Mb

Desc: Detects when an IPv6 source and destination address pair exchanges more than 50 MB of data in 5 minutes.

 

New RE Rules

Title: Top Alias Host Destination by Session Count

Desc: Aggregates sessions by alias.host and displays the top five results by session count in descending order.

 

Title: Top Alias Host Destination by Source IP

Desc: Aggregates sessions by alias.host and displays the top five results grouped by ip.src and summarized by session count in descending order.

 

Title: Top Destination Country by Session Count

Desc: Aggregates sessions by country.dst and displays the top five results by session count in descending order.

 

Title: Top Destination Country by Session Size

Desc: Aggregates sessions by country.dst and displays the top five results by session size in descending order.

 

Title: Top Destination Country by Source IP

Desc: Aggregates sessions by country.dst and displays the top five results grouped by ip.src and summarized by session count in descending order.

 

Title: Top HTTPS Destination IP by Session Size

Desc: Aggregates sessions by ip.dst and displays the top five results where the tcp.dstport equals 443 or the client equals HTTPS.  The results are summarized by session count in descending order.

 

Title: Top Network Service by Session Count

Desc: Aggregates sessions by service and displays the top five results by session count in descending order.

 

Title: Botnet Activity

Desc: This rule fires when any of 128 different botnets has been detected.

 

Title: Cleartext Authentications

Desc: This rule displays events in which passwords were sent over cleartext using network protocols such as FTP, HTTP, POP3 and SMTP.

 

Title: Bulk Data Transfer

Desc: Displays events where the amount of data transferred between the Source-Destination IP pairs is over 20 Mb or 50 Mb.

 

Title: Known Service detected over Non Standard Network Port

Desc: Displays sessions whose service is detected on a non-standard network port. For example, DNS detected on port 555 when the default port is 53.

 

Title: Unknown Service detected over Standard Network Port

Desc: Displays sessions where an unknown service is detected on a standard network port. For example, an unknown service detected on port 53, which is the standard DNS port.

 

Title: Top 10 Risk Warning by Source IP

Desc: Aggregates sessions by risk.warning and displays the top ten results by ip.src in descending order.

 

Title: Top 10 Risk Warning by Destination IP

Desc: Aggregates sessions by risk.warning and displays the top ten results by ip.dst in descending order.

 

Title: Top 10 Risk Warning by Session Size

Desc: Aggregates sessions by risk.warning and displays the top ten results by session size in descending order.

 

Title: Top 10 Risk Suspicious by Source IP

Desc: Aggregates sessions by risk.suspicious and displays the top ten results by ip.src in descending order.

 

Title: Top 10 Risk Suspicious by Destination IP

Desc: Aggregates sessions by risk.suspicious and displays the top ten results by ip.dst in descending order.

 

Title: Top 10 Risk Suspicious by Session Size

Desc: Aggregates sessions by risk.suspicious and displays the top ten results by session size in descending order.

 

Title: All Risk Warning by Source IP

Desc: Aggregates sessions by risk.warning and displays all results by ip.src in descending order.

 

Title: All Risk Warning by Destination IP

Desc: Aggregates sessions by risk.warning and displays all results by ip.dst in descending order.

 

Title: All Risk Warning by Session Size

Desc: Aggregates sessions by risk.warning and displays all results by session size in descending order.

 

Title: All Risk Suspicious by Source IP

Desc: Aggregates sessions by risk.suspicious and displays all results by ip.src in descending order.

 

Title: All Risk Suspicious by Destination IP

Desc: Aggregates sessions by risk.suspicious and displays all results by ip.dst in descending order.

 

Title: All Risk Suspicious by Session Size

Desc: Aggregates sessions by risk.suspicious and displays all results by session size in descending order.

 

New RE Reports

Title: SSAE 16 - Compliance Report

Desc: Statement on Standards for Attestation Engagements (SSAE 16) is an attestation standard issued by the Auditing Standards Board (ASB) of the American Institute of Certified Public Accountants (AICPA) specifically geared towards addressing engagements conducted by service organizations to report on the design of controls and their operating effectiveness.

 

Title: FFIEC - Compliance Report

Desc: This article introduces the Federal Financial Institutions Examination Council (FFIEC) compliance templates available in Security Analytics. The Federal Financial Institutions Examination Council (FFIEC) is a body of the United States government empowered to prescribe principles, standards, and report forms for the federal examination of financial institutions by the Board of Governors of the Federal Reserve System (FRB), the Federal Deposit Insurance Corporation (FDIC), the National Credit Union Administration (NCUA), the Office of the Comptroller of the Currency (OCC), Mergers & Acquisitions International Clearing (MAIC), and the Consumer Financial Protection Bureau (CFPB).

 

Title: FISMA - Compliance Report

Desc: This article introduces the Federal Information Security Management Act (FISMA) compliance templates available in RSA Security Analytics. The Federal Information Security Management Act (FISMA) is designed to ensure appropriate security controls for government information systems.

 

Title: Botnet Activity

Desc: This report can display Botnet activity of 128 different Botnets. It reports based on threat.category=botnet.

Filename: Botnet Activity

 

Title: Cleartext Authentications

Desc: This report displays events in which passwords were sent over cleartext using network protocols such as FTP, HTTP, POP3 and SMTP.

 

Title: Bulk Data Transfer - Report

Desc: Displays events where the amount of data transferred between the Source-Destination IP pairs is over 20 Mb or 50 Mb.

 

Title: Non-Standard Traffic

Desc: This report displays sessions which are categorized as unusual based on service and port usage. Sessions will either be a known service found on a non-standard port or an unknown service on a standard port.

 

Title: Network Activity

Desc: This report displays summary data for top network activity for the following: Top Alias Host Destination by Session Count, Top Alias Host Destination by Source IP, Top Destination Country by Session Count, Top Destination Country by Session Size, Top Destination Country by Source IP, Top HTTPS Destination IP by Session Size, Top Network Service by Session Count

 

Title: Top 10 Risk Warning

Desc: This report summarizes Top 10 Risk Warning by Source, Destination and Session Size

 

Title: Top 10 Risk Suspicious

Desc: This report summarizes Top 10 Risk Suspicious by Source, Destination and Session Size

 

Title: All Risk Suspicious

Desc: This report lists All Risk Suspicious by Source, Destination and Session Size

 

Title: All Risk Warning

Desc: This report lists All Risk Warning by Source, Destination and Session Size

 

Title: PCI-Compliance Report

Desc: The Payment Card Industry (PCI) Data Security Standard applies to all payment card industry members, merchants, and service providers that store, process, or transmit payment cardholder data. Additionally, these security requirements apply to all "system components" - any network component, server, or application included in, or connected to, the cardholder data environment.

 

Title: SOX - Compliance Report

Desc: Sarbanes-Oxley Act of 2002 (SOX). Congress passed the Sarbanes-Oxley Act (SOX) in large part to protect investors by improving the accuracy and reliability of corporate disclosures made pursuant to the securities laws. Section 404 of Sarbanes-Oxley not only requires companies to establish and maintain an adequate internal control structure, but also to assess its effectiveness on an annual basis.

 

Title: HIPAA - Compliance Report

Desc: The Health Insurance Portability and Accountability Act of 1996 (HIPAA) mandates that providers, health plans, clearinghouses, and their business associates establish appropriate administrative, technical, and physical safeguards to protect the privacy and security of sensitive health information.

 

Title: BASEL II - Compliance Report

Desc: This article introduces Basel II report templates available for use with Security Analytics Reporter. Basel II compliance reports are based on recommendations by bank supervisors and central bankers to improve the consistency of capital regulations internationally, make regulatory capital more risk sensitive, and promote enhanced risk-management practices among international banking organizations.

 

Title: BILL 198 - Compliance Report

Desc: This article introduces Bill 198 compliance reports available in RSA Security Analytics. Bill 198 empowers the Ontario Securities Commission to develop guidelines to protect investors in public Canadian companies by improving the accuracy and reliability of corporate disclosures made pursuant to the securities laws.

 

Title: FERPA - Compliance Report

Desc: This article introduces the Family Educational Rights and Privacy Act (FERPA) compliance report templates available in Security Analytics. The Family Educational Rights and Privacy Act (FERPA) (20 U.S.C. 1232g, 34 CFR Part 99) is a Federal law that protects the privacy of student education records. The law applies to all schools that receive funds under an applicable program of the U.S. Department of Education.

 

Title: NISPOM - Compliance Report

Desc: This article introduces the National Industrial Security Program Operating Manual (NISPOM) templates available in Security Analytics Reporter. The National Industrial Security Program Operating Manual (NISPOM) developed by the Department of Defense, sets comprehensive standards for protecting classified data. All government agencies and commercial contractors who have access to classified data are required to implement system protection processes to ensure continued availability and integrity of this data, and prevent its unauthorized disclosure. These regulations apply to systems used in the capture, creation, storage, processing, or distribution of restricted information.

 

Title: GLBA - Compliance Report

Desc: This article introduces the Gramm-Leach-Bliley Act (GLBA) compliance templates available in RSA Security Analytics. The Gramm-Leach-Bliley Act (GLBA) requires companies defined under the law as "financial institutions" to ensure the security and confidentiality of this type of information. As part of its implementation of GLBA, the Federal Trade Commission (FTC) issued the Safeguards Rule, which requires financial institutions under FTC jurisdiction to have measures in place to keep customer information secure.

 

Title: GPG-13 - Compliance Report

Desc: Good Practice Guide 13 (GPG13) defines requirements for protective monitoring-for example, the use of intrusion detection and prevention systems(IDS/IPS)-with which local authorities must comply in order to prevent accidental or malicious data loss.

 

Title: NERC-CIP - Compliance Report

Desc: The NERC CIP compliance reports in RSA Security Analytics are based on North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) program requirements. The CIP program coordinates NERC's efforts to improve physical and cyber security for the bulk power system of North America as it pertains to reliability. This includes standards development, compliance enforcement, assessments of risk and preparedness, disseminating critical information via alerts to industry, and raising awareness of key issues.

 

 

Title: ISO27002 - Compliance Report

Desc: ISO 27002 establishes guidelines and general principles for initiating, implementing, maintaining and improving information security management in an organization. ISO 27002 is used as the foundation and technical guidelines for many international and industry compliance standards and are generally good practices for all organizations.

 

New ESA Rules

Title: SSH connection from internet routable IP followed by HTTP/SSH service restart on destination: Log

Desc: SSH connection is detected from an internet routable IP (non-RFC 1918 standard IP or external IP addresses) followed by a HTTP/SSH service restart on destination. The default time is 5 minutes and the default service names being monitored are sshd and httpd. This rule uses a non-indexed key - service.name. It needs to be indexed on Log Decoder in table-map.xml and added to Concentrator through index_concentrator_custom.xml.

 

Title: Windows Worm Activity Detected Packets

Desc: Detects a single source IP reaching out to 10 distinct destination IP addresses on ports 137, 138, 139, or 445 within 1 minute. The list of destination ports, event time window and number of unique destination IPs are configurable.

 

Title: Windows Worm Activity Detected Logs

Desc: Detects log messages indicative of a worm with a destination port of 137, 138, 139 or 445 from at least 10 unique RFC-1918 source IPs within 1 minute. The list of destination ports, event time window and number of unique source IPs are configurable.

 

Updated Log Parsers

Title: Dragon IDS

Desc: Log Device content for event source Dragon IDS - dragonids

 

Title: Tipping Point

Desc: Log Device content for event source Tipping Point - tippingpoint

 

Title: Envision Content File

Desc: This file is used to update the content file for NWFL

 

Title: Microsoft IIS

Desc: Log Device content for event source Microsoft IIS - microsoftiis

 

Title: Airdefense Enterprise

Desc: Log Device content for event source Airdefense Enterprise - airdefense

 

Title: F5 BigIP

Desc: Log Device content for event source F5 BigIP - bigip

 

Title: F5 Big-IP Application Security Manager

Desc: Log Device content for event source F5 Big-IP Application Security Manager - bigipasm

 

Title: Check Point FW-1

Desc: Log Device content for event source Check Point FW-1 - checkpointfw1

 

Title: Cisco ASA

Desc: Log Device content for event source Cisco ASA - ciscoasa

 

Title: Cisco Secure IDS XML

Desc: Log Device content for event source Cisco Secure IDS XML - ciscoidsxml

 

Title: Citrix NetScaler

Desc: Log Device content for event source Citrix NetScaler - citrixns

 

Title: Cyberoam UTM

Desc: Log Device content for event source Cyberoam UTM - cyberoamutm

 

Title: McAfee ePolicy Orchestrator

Desc: Log Device content for event source McAfee ePolicy Orchestrator - epolicy

 

Title: Fabric OS

Desc: Log Device content for event source Fabric OS - fabricos

 

Title: Infoblox NIOS

Desc: Log Device content for event source Infoblox NIOS - infobloxnios

 

Title: IntruShield

Desc: Log Device content for event source IntruShield - intrushield

 

Title: ISS Realsecure

Desc: Log Device content for event source ISS Realsecure - iss

 

Title: Juniper SSL VPN

Desc: Log Device content for event source Juniper SSL VPN - junipervpn

 

Title: McAfee Web Gateway

Desc: Log Device content for event source McAfee Web Gateway - mcafeewg

 

Title: Microsoft Exchange

Desc: Log Device content for event source Microsoft Exchange - msexchange

 

Title: Netscreen IDP

Desc: Log Device content for event source Netscreen IDP - netscreenidp

 

Title: Palo Alto Networks Firewall

Desc: Log Device content for event source Palo Alto Networks Firewall - paloaltonetworks

 

Title: Linux

Desc: Log Device content for event source Linux - rhlinux

 

Title: RSA Access Manager

Desc: Log Device content for event source RSA Access Manager - rsaaccessmanager

 

Title: Snort/Sourcefire

Desc: Log Device content for event source Snort/Sourcefire - snort

 

Title: UNIX Solaris

Desc: Log Device content for event source UNIX Solaris - solaris

 

Title: Solaris Basic Security Module

Desc: Log Device content for event source Solaris Basic Security Module - solarisbsm

 

Title: Symantec AntiVirus/Endpoint Protection

Desc: Log Device content for event source Symantec AntiVirus/Endpoint Protection - symantecav

 

Title: Symantec Brightmail

Desc: Log Device content for event source Symantec Brightmail - symantecbrightmail

 

Title: Symantec Critical Systems Protection

Desc: Log Device content for event source Symantec Critical Systems Protection - symanteccsp

 

Title: Voltage SecureData

Desc: Log Device content for event source Voltage SecureData - voltagesecuredata

 

Title: Windows Events (ER)

Desc: Log Device content for event source Windows Events (ER) - winevent_er

 

Title: Windows Events (Snare)

Desc: Log Device content for event source Windows Events (Snare) - winevent_snare

 

Title: Envision Config File

Desc: This file is used to update the Log Device base config files: table-map.xml,ipaddr.tab,etc.ini

 

Title: Cisco Secure ACS Appliance

Desc: Log Device content for event source Cisco Secure ACS Appliance - ciscosecureacs

 

Title: Cisco UCS Manager

Desc: Log Device content for event source Cisco UCS Manager - ciscoucs

 

Title: Netwitness Spectrum

Desc: Log Device content for event source Netwitness Spectrum - netwitnessspectrum

 

Title: RSA ECAT

Desc: Log Device content for event source RSA ECAT - rsaecat

 

New Lua Parsers

Title: Poison_Ivy

Desc: Detects Poison Ivy RAT activity

 

Title: Proxy_Block_Page

Desc: Parses proxy denied exception pages. Registers the url that was requested and the reason for denial. Blue Coat and Palo Alto are currently supported.

 

Seeking Customer Developed Parsers, Rules, and Reports

 

Security Analytics content will be evolving in 2014, both in functionality and presentation. We’d like to work more closely with our customers in order to provide content that helps you find the threats that matter most to you. Your feedback, suggestions, and general questions are always appreciated.

 

1. Have you created a parser, rule, or report that you think is widely applicable across the SA User Community? Let us know about it!  Reach out to us at:

ASOC-LIVE-CONTENT@emc.com

Your emails will go directly to the Content Management team and we are looking forward to working with you to help evolve our content offering.

2.  Do you want to request support for a new log source or protocol?

For Log Parser Requests go here: https://emcinformation.com/64308/REG/.ashx

For Protocol Parser Requests go here: https://emcinformation.com/139605/SI/.ashx

 

3.  Do you want to request use cases for Event Stream Analysis Rules?

Please use our request form: https://emcinformation.com/204401/REG/.ashx

 

4. The content team will also be heavily engaged with the EMC Community portal this year. Not only is the Community a great place for us to communicate directly with our customers, but it’s a wonderful resource for our customers to gain tips and tricks from our research engineers as well as gain early access to our various pieces of security research. Not a member? Sign up here:

 

https://developer-content.emc.com/login/register.asp


Dear Valued RSA Customer,

RSA is pleased to announce the addition of new and updated content to RSA Live’s Content Library. We have added a few useful submission links this month, so please take a moment to review the various sections in this announcement to become familiar with the latest tools we are providing you to detect threats to your environment.

 

The categories of new and updated content are as follows:

 

Application Rules

Correlation Rules

RE Rules

RE Lists

RE Reports

Event Stream Analysis Rules

Log (Device) Parsers

LUA Parsers

Flex Parsers

Security Analytics Rules

 

 

The Latest Research from RSA

 

Introducing a new blog that details GameOver Zeus and How to Detect It

https://community.emc.com/community/connect/rsaxchange/netwitness/blog/2014/04/22/gameover-zeus-and-how-to-detect-it

 

RSA’s FirstWatch team has posted a blog detailing a specific botnet variant: The Kargen Zbot and How to Detect It

https://community.emc.com/community/connect/rsaxchange/netwitness/blog/2014/04/30/the-kargen-zbot-and-how-to-detect-it

 

We look forward to presenting you new content updates next month!


Regards,

The RSA Security Analytics Content Team

 

Content Updates

 

New Application Rules

Title: zusy_botnet

Desc: Detects the beaconing activity of the Zusy botnet.

 

Title: tsone_dorkbot_beaconing

Desc: Detects hosts infected with the TSONE Dorkbot.

 

Title: ssh to external

Desc: Detects when an internal IP address initiates an SSH connection to an external IP address. An SSH connection is identified by the following: service = 22, and tcp.dstport = 22. An internal IP address is a private address space defined by RFC-1918. Any IP address not in the private space is considered external.

 

Title: tdss_rootkit_variant_beaconing

Desc: Detects the beaconing activity of the TDSS Rootkit botnet.

 

New Correlation Rules

Title: IPv4 Potential DB Server Sweep 5

Desc: Detects when a packet or log decoder receives sessions from a unique source IPv4 address that connects to five or more unique destination IPv4 addresses on destination ports 1433 (MSSQL), 1521 (Oracle), and 3306 (MySQL) within one minute. This rule should be deployed on the Concentrator, as it examines both Log and Packet metadata. The rule uses ip.dstport for logs and tcp.dstport for packets. For IP addresses, the rule examines ip.src and ip.dst metadata.

 

Title: IPv4 Horizontal Port Scan 5

Desc: Detects when a unique IPv4 source address communicates with five or more unique IP destination addresses within one minute across network sessions.

 

Title: IPv4 Vertical TCP Port Scan 5

Desc: Detects when a unique combination of IPv4 source and destination addresses communicate over five or more unique TCP ports within one minute across network sessions.

 

Title: IPv4 Vertical UDP Port Scan 5

Desc: Detects when a unique combination of IPv4 source and destination addresses communicate over five or more unique UDP ports within one minute across network sessions.

 

Title: IPv6 Horizontal Port Scan 5

Desc: Detects when a unique IPv6 source address communicates with five or more unique IP destination addresses within one minute across network sessions.

 

Title: IPv6 Vertical TCP Port Scan 5

Desc: Detects when a unique combination of IPv6 source and destination addresses communicate over five or more unique TCP ports within one minute across network sessions.

 

Title: IPv6 Vertical UDP Port Scan 5

Desc: Detects when a unique combination of IPv6 source and destination addresses communicate over five or more unique UDP ports within one minute.

 

Title: IPv4 Potential Web Sweep 10

Desc: Detects when a unique IPv4 source address communicates with ten or more unique IP destination addresses over port 80 within one minute.

 

Title: IPv6 Potential Web Sweep 10

Desc: Detects when a unique IPv6 source address communicates with ten or more unique IP destination addresses over port 80 within one minute.

 

Title: IPv6 Potential DB Server Sweep 5

Desc: Detects when a packet or log decoder receives sessions from a unique source IPv6 address that connects to five or more unique destination IPv6 addresses on destination ports 1433 (MSSQL), 1521 (Oracle), and 3306 (MySQL) within one minute. This rule should be deployed on the Concentrator, as it examines both Log and Packet metadata. The rule uses ip.dstport for logs and tcp.dstport for packets. For IP addresses, the rule examines ipv6.src and ipv6.dst metadata.
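The sweep and scan correlation rules above all share one shape: count distinct values per key inside a one-minute window and fire at a threshold. As an added example (not RSA's rule code), here is that logic in Python over constructed session metadata, covering the horizontal, vertical, DB server sweep and web sweep cases with the ports and thresholds the descriptions give. The single "dstport" field standing in for both ip.dstport (logs) and tcp.dstport (packets) is an assumption of this example.

```python
from collections import defaultdict

WINDOW = 60                      # seconds: "within one minute"
DB_PORTS = {1433, 1521, 3306}    # MSSQL, Oracle, MySQL, as listed in the rule descriptions


def _fires(sessions, key_fn, value_fn, threshold, window=WINDOW):
    """Generic correlation: for each key, does any span of `window` seconds
    contain at least `threshold` distinct values? key_fn may return None to
    exclude a session from the rule. Returns the set of keys that fired."""
    by_key = defaultdict(list)
    for s in sessions:
        k = key_fn(s)
        if k is not None:
            by_key[k].append((s["time"], value_fn(s)))
    fired = set()
    for k, items in by_key.items():
        items.sort()
        counts = defaultdict(int)   # distinct values currently inside the window
        lo = 0
        for t, v in items:
            counts[v] += 1
            # Evict everything older than the window start.
            while items[lo][0] < t - window:
                old = items[lo][1]
                counts[old] -= 1
                if counts[old] == 0:
                    del counts[old]
                lo += 1
            if len(counts) >= threshold:
                fired.add(k)
                break
    return fired


def horizontal_scan(sessions, threshold=5):
    """IPv4/IPv6 Horizontal Port Scan 5: one source, 5+ distinct destinations."""
    return _fires(sessions, lambda s: s["ip.src"], lambda s: s["ip.dst"], threshold)


def vertical_scan(sessions, proto, threshold=5):
    """Vertical TCP/UDP Port Scan 5: one src/dst pair, 5+ distinct ports of that protocol."""
    return _fires(sessions,
                  lambda s: (s["ip.src"], s["ip.dst"]) if s["proto"] == proto else None,
                  lambda s: s["dstport"], threshold)


def db_sweep(sessions, threshold=5):
    """Potential DB Server Sweep 5: one source, 5+ destinations on DB ports."""
    return _fires(sessions,
                  lambda s: s["ip.src"] if s["dstport"] in DB_PORTS else None,
                  lambda s: s["ip.dst"], threshold)


def web_sweep(sessions, threshold=10):
    """Potential Web Sweep 10: one source, 10+ destinations on port 80."""
    return _fires(sessions,
                  lambda s: s["ip.src"] if s["dstport"] == 80 else None,
                  lambda s: s["ip.dst"], threshold)


def _s(t, src, dst, port, proto="tcp"):
    """Build one constructed session record."""
    return {"time": t, "ip.src": src, "ip.dst": dst, "proto": proto, "dstport": port}


# Constructed sample sessions (made-up RFC-1918 addresses and times, not real captures).
SAMPLE_SESSIONS = (
    [_s(i * 10, "10.0.0.20", f"10.0.1.{i + 1}", 22) for i in range(5)]                  # horizontal scan
    + [_s(100 + i * 10, "10.0.0.21", "10.0.2.9", p) for i, p in enumerate((21, 22, 23, 25, 80))]  # vertical TCP
    + [_s(200 + i * 10, "10.0.0.22", f"10.0.3.{i + 1}", 1433) for i in range(5)]        # DB sweep (also horizontal)
    + [_s(i * 100, "10.0.0.23", f"10.0.5.{i + 1}", 22) for i in range(5)]               # too slow: gaps exceed window
    + [_s(300 + i, "10.0.0.24", "10.0.4.1", 443) for i in range(3)]                     # ordinary traffic
)

if __name__ == "__main__":
    print("horizontal :", sorted(horizontal_scan(SAMPLE_SESSIONS)))
    print("vertical   :", sorted(vertical_scan(SAMPLE_SESSIONS, "tcp")))
    print("db sweep   :", sorted(db_sweep(SAMPLE_SESSIONS)))
    print("web sweep  :", sorted(web_sweep(SAMPLE_SESSIONS)))
```

Note that the DB sweep source also satisfies the horizontal rule, which is why the RE rule "IPv4 Horizontal Port Scans" below treats the horizontal, web sweep and DB sweep alerts as one family.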

 

New RE Rules

Title: Ad Servers by Bandwidth

Desc: Aggregates sessions that contain ad sites, which are listed in the Ad Servers List. Ad services consume a lot of disk space. If the traffic is acceptable, ad servers are a good candidate for filtering. This rule feeds data to the Global Filtering Candidate report.

 

Title: Content Delivery Networks by Bandwidth

Desc: Aggregates sessions that contain CDNs, which are listed in the Content Delivery Networks List. Filter these sites to reduce the amount of "noise" from non-dangerous traffic.

 

Title: IPv4 Horizontal Port Scans

Desc: Fires when either IPv4 Horizontal Port Scan 5, IPv4 Potential Web Sweep 10 or IPv4 Potential DB Server Sweep 5 has been generated within the report date range across network sessions.

 

Title: IPv4 Vertical Port Scans

Desc: Fires when either IPv4 Vertical TCP Port Scan 5 or IPv4 Vertical UDP Port Scan 5 has been generated within the report date range across network sessions.

 

Title: IPv6 Horizontal Port Scans

Desc: Fires when either IPv6 Horizontal Port Scan 5, IPv6 Potential Web Sweep 10 or IPv6 Potential DB Server Sweep 5 has been generated within the report date range across network sessions.

 

Title: IPv6 Vertical Port Scans

Desc: Fires when either IPv6 Vertical TCP Port Scan 5 or IPv6 Vertical UDP Port Scan 5 has been generated within the report date range across network sessions.

 

Title: News Portals by Bandwidth

Desc: Aggregates sessions that contain news sites, which are listed in the News Portal List. If you are not worried about these sites, you should filter them from capture.

 

Title: SSH to External Address

Desc: Fires when alert.id = ssh to external. This rule is indirectly dependent on the app rule ssh_internal_to_external.nwr. The app rule appends alert.id = ssh to external when SSH traffic is detected from an internal to an external IP address. An SSH connection is identified by the following: service = 22, and tcp.dstport = 22. An internal IP address is a private address space defined by RFC-1918. Any IP address not in the private space is considered external.

 

Title: Streaming Media by Bandwidth

Desc: Aggregates sessions that contain streaming media sites, which are listed in the Streaming Media List. Capturing streaming media is a huge problem for disk retention. These are good filtering candidates.

 

Title: Top Social Sites by Bandwidth

Desc: Aggregates sessions that contain social sites, which are listed in the Social Sites List. If social media is not blocked or considered a risk, filter traffic to reduce amount of data captured.

 

Title: Vendor Update Sites by Bandwidth

Desc: Aggregates sessions that contain vendor update sites defined in the Vendor Update Sites List. Traffic from most vendor sites is considered normal and hence is a good filtering candidate.

 

Title: SSH Over Non Standard Port

Desc: Fires when ssh traffic is detected over a port that is not typically used for ssh.

 

New RE Lists

Title: Ad Servers

Desc: List of popular Ad sites. Ad services consume a lot of disk space. If the traffic is acceptable, ad servers are a good candidate for filtering.

 

Title: Content Delivery Networks

Desc: List of popular Content Delivery Networks. Most popular content is spread across CDNs. Filter these sites to reduce the amount of "noise" from non-dangerous traffic.

 

Title: News Portals

Desc: List of popular News Portal sites. If you are not worried about these sites, you should filter them from capture.

 

Title: Social Sites

Desc: List of popular Social Sites. If social media is not blocked, and not considered a risk, filter traffic from capture.

 

Title: Streaming Media Sites

Desc: List of popular Streaming Media Sites. Capturing streaming media is a huge problem for disk retention; therefore, it makes sense to filter them.

 

Title: Vendor Update Sites

Desc: List of popular Vendor Update Sites providing updates to your endpoints. Traffic from most vendor sites is considered normal and hence can be filtered from capture.

 

New RE Reports

Title: SSH Activity

Desc: Reports 2 activities: any SSH going to external IP addresses and any SSH detected over a port other than 22.

 

Title: Scanning Activity

Desc: Reports vertical and horizontal port scans for both IPv4 and IPv6 addresses across network sessions.

 

Title: Global Filtering Candidate Report

Desc: Shows an aggregated view of traffic that is being captured in your SA deployment. Use this view to determine candidates for filtering. For instance, if the entire company reads CNN throughout the day, this report will show that usage. You could then make a decision to filter the CNN traffic from view, so that suspicious traffic becomes more noticeable. Available rules and lists cover different browsing categories, such as Ad servers, streaming sites, social networks, and so on.

 

New ESA Rules

Title: SYN Flood Log Messages

Desc: SYN flood log messages with a count of 10 within 60 seconds from the device classes of either IDS, IPS or Firewall. The rule will trigger when the Event Classification Tags (ECT) of ec.theme is equal to "TEV" and ec.activity is equal to "Detect" and ec.subject is equal to "NetworkComm" in combination with a variation of the keyword "Syn Flood" found within policy.name, event.desc or msg.id. This alert uses the non-standard meta key "event.desc" and so it must be made available to the Log Decoder and Concentrator.

 

Title: Multiple Intrusion scan events from same username to unique destinations

Desc: Detects scan events from intrusion devices to unique destinations from the same username. All events leading to the alert will have the same username and different destination addresses. The rule will trigger when the Event Classification Tag (ECT) ec.activity is equal to "Scan" in combination with a list of user-defined message IDs and/or policy.name, and the count matches the number of unique destination addresses. Message IDs and policy.name should be in lower case.

 

Title: User Added to Administrative Group + SIGHUP Detected within 5 Minutes

Desc: Detects when a user is upgraded to one of the admin groups (custom list of groups) and a SIGHUP is detected on a service on the same device.ip. This rule is specific to Unix devices.

 

Updated ESA Rules

Title: Non DNS Traffic on TCP or UDP Port 53 Containing Executable

Desc: Detects non-DNS traffic on UDP destination port 53 that contains an executable file. You can configure the list of executable file extensions and the UDP port for DNS traffic

 

Title: User added to admin group then iptables is restarted

Desc: Detects when a user is added to one of the specified groups and then the same user restarts iptables on the same device IP. This rule is specific to Linux devices.

 

Title: Basic Rule Template

Desc: This template is for basic rule content module creation.

 

Title: User added to admin group then syslog is disabled

Desc: Detects when a user is added to one of the listed groups and the same user then stops the syslog/rsyslog service on a Linux machine. The rule relies on ec tags for group modification. Linux machines do not generate an event for stopping the syslog service, but an event is generated for stopping kernel logging; that event is used to fire the rule.

 

New Log Parsers

Title: Netscreen IDP

Desc: Log Device content for event source Netscreen IDP - netscreenidp

 

Title: Nortel Web OS

Desc: Log Device content for event source Nortel Web OS - nortelwebos

 

Title: Atlassian Stash

Desc: Log Device content for event source Atlassian Stash - stash

 

Title: Zscaler NSS

Desc: Log Device content for event source Zscaler NSS - zscalernss

 

Title: Sonicwall-FW

Desc: Log Device content for event source Sonicwall-FW - sonicwall

 

Updated Log Parsers

Title: Envision Content File

Desc: This file is used to update the content file for NWFL

 

Title: Airdefense Enterprise

Desc: Log Device content for event source Airdefense Enterprise - airdefense

 

Title: UNIX AIX

Desc: Log Device content for event source UNIX AIX - aix

 

Title: F5 BigIP

Desc: Log Device content for event source F5 BigIP - bigip

 

Title: Blue Coat ELFF

Desc: Log Device content for event source Blue Coat ELFF - cacheflowelff

 

Title: Check Point FW-1

Desc: Log Device content for event source Check Point FW-1 - checkpointfw1

 

Title: Cisco ASA

Desc: Log Device content for event source Cisco ASA - ciscoasa

 

Title: Cisco Secure IDS XML

Desc: Log Device content for event source Cisco Secure IDS XML - ciscoidsxml

 

Title: Cisco IOS

Desc: Log Device content for event source Cisco IOS - ciscorouter

 

Title: Cisco UCS Manager

Desc: Log Device content for event source Cisco UCS Manager - ciscoucs

 

Title: Cyberguard Classic

Desc: Log Device content for event source Cyberguard Classic - cyberguardclassic

 

Title: Dragon IDS

Desc: Log Device content for event source Dragon IDS - dragonids

 

Title: Envision Config File

Desc: This file is used to update the Log Device base config files: table-map.xml, ipaddr.tab, etc.ini

 

Title: Fortinet FortiGate

Desc: Log Device content for event source Fortinet FortiGate - fortinet

 

Title: IBM DB2 UDB

Desc: Log Device content for event source IBM DB2 UDB - ibmdb2

 

 

Title: IntruShield

Desc: Log Device content for event source IntruShield - intrushield

 

Title: McAfee Email Gateway

Desc: Log Device content for event source McAfee Email Gateway - ironmail

 

Title: ISS Realsecure

Desc: Log Device content for event source ISS Realsecure - iss

 

Title: Juniper SSL VPN

Desc: Log Device content for event source Juniper SSL VPN - junipervpn

 

Title: Microsoft Operations Manager

Desc: Log Device content for event source Microsoft Operations Manager - mom

 

Title: Microsoft Exchange

Desc: Log Device content for event source Microsoft Exchange - msexchange

 

Title: Microsoft SharePoint

Desc: Log Device content for event source Microsoft SharePoint - mssharepoint

 

Title: NFR NIDS

Desc: Log Device content for event source NFR NIDS - nfrnids

 

Title: Nortel VPN Contivity

Desc: Log Device content for event source Nortel VPN Contivity - nortelvpn

 

Title: Oracle Access manager

Desc: Log Device content for event source Oracle Access manager - oracleam

 

Title: Palo Alto Networks Firewall

Desc: Log Device content for event source Palo Alto Networks Firewall - paloaltonetworks

 

Title: Linux

Desc: Log Device content for event source Linux - rhlinux

 

Title: RSA DLP

Desc: Log Device content for event source RSA DLP - rsadlp

 

Title: Silver Tail Systems Forensics

Desc: Log Device content for event source Silver Tail Systems Forensics - silvertailforensics

 

Title: Snort/Sourcefire

Desc: Log Device content for event source Snort/Sourcefire - snort

 

Title: Sophos Enterprise Console

Desc: Log Device content for event source Sophos Enterprise Console - sophos

 

Title: Tipping Point

Desc: Log Device content for event source Tipping Point - tippingpoint

 

Title: Trend Micro

Desc: Log Device content for event source Trend Micro - trendmicro

 

Title: Trend Micro IWSS

Desc: Log Device content for event source Trend Micro IWSS - trendmicroiwss

 

Title: VMware ESX / ESXi

Desc: Log Device content for event source VMware ESX / ESXi - vmware_esx_esxi

 

Title: VMware vCenter

Desc: Log Device content for event source VMware vCenter - vmware_vc

 

Title: VMware View

Desc: Log Device content for event source VMware View - vmware_view

 

Updated Lua Parsers

Title: TLS_lua

Desc: Identifies TLS and SSL sessions. Extracts the Certificate Authority Subject and Serial Number from X.509v3 certificates.

 

Updated Flex Parsers

Title: TLS

Desc: Parses SSL/TLS certificates. Specifically, it looks for the first certificate in a chain and extracts the Issuer Organizational Name (meta ssl.ca), Subject Organizational Name (meta ssl.subject), and Subject Common Name (meta alias.host).

 

Seeking Customer Developed Parsers, Rules, and Reports

 

Security Analytics content will be evolving in 2014, both in functionality and presentation. We’d like to work more closely with our customers in order to provide content that helps you find the threats that matter most to you. Your feedback, suggestions, and general questions are always appreciated.

 

1. Have you created a parser, rule, or report that you think is widely applicable across the SA User Community? Let us know about it! Reach out to us at:

ASOC-LIVE-CONTENT@emc.com

Your emails will go directly to the Content Management team and we are looking forward to working with you to help evolve our content offering.


2. Do you want to request support for a new log source or protocol?

For Log Parser Requests go here: https://emcinformation.com/64308/REG/.ashx

For Protocol Parser Requests go here: https://emcinformation.com/139605/SI/.ashx

 

3. Do you want to request use cases for Event Stream Analysis Rules?

Please use our request form: https://emcinformation.com/204401/REG/.ashx


The content team will also be heavily engaged with the EMC Community portal this year. Not only is the Community a great place for us to communicate directly with our customers, but it’s a wonderful resource for our customers to gain tips and tricks from our research engineers as well as gain early access to our various pieces of security research. Not a member? Sign up here:

https://developer-content.emc.com/login/register.asp

 

 

 
