RSA Application Rules

Document created by RSA Information Design and Development on Oct 28, 2016. Last modified by RSA Information Design and Development on Nov 16, 2017.
Version 95

This table lists all of the delivered RSA Application Rules.

Note: For content that has been discontinued, see Discontinued Content.

Display Name

Name

Description

app000002

tdss_rootkit_variant_beaconing

Detects the beaconing activity of the TDSS Rootkit botnet.

app000003

tsone dorkbot beaconing

Detects hosts infected with the TSONE Dorkbot.

nw00005

Attachment Overload

Rule looks for more than 4 attachments in a single session.

nw00015

IRC File Transfer

Rule looks for file transfers via IRC.

nw00025

Direct to IP HTTP Request

Session with an HTTP request made directly to an IP address with no corresponding alias.host meta.

nw00035

Tor Outbound

Detects an encrypted network session, as well as log sessions to an external (non RFC-1918) IP destination that shows at least one indicator of using the Tor protocol for anonymous data access. The possible indicators of Tor are: Communication over a common Tor destination port of 9001, 9030, 9101, 9003, 9050, 9051 or communication with a known Tor tunnel node.

DEPENDENCIES

Packets:

  • Lua Parsers:

    • traffic_flow
    • TLS_lua
  • Feeds:

    • Tor Exit Nodes
    • Investigation

Logs:

  • Lua Parsers: traffic_flow

  • Feeds:

    • Tor Exit Nodes
    • Investigation
  • Log Parser: at least one parser with device.class='Firewall' or device.type='rsaflow'

GENERATED META KEYS

  • analysis.session = tunneling outbound tor
  • inv.category = assurance
  • inv.context = compliance, corporate, organizational hazard, risk

nw00040

Rogue DHCP Server Detected: Packets

Detects web traffic involving UDP/67 or 68 that is not a legitimate DHCP server.

Note: Users must add legitimate DHCP servers to the RogueDHCPServerDetected feed. For details, see Create Feed for Rogue DHCP Server Rule.

nw00045

Unusual Port Utilized by Domain Controller

Detects a domain controller or directory server engaged in port activity that is outside the expected ports.

For Active Directory port requirements, see the following Microsoft Windows Server article: https://technet.microsoft.com/en-us/...(v=ws.10).aspx

Note: This rule must be modified to include the IP address of the local Domain Controller or Directory Server.

nw02565

strings decode download

Detects malware that uses "strings.txt" for command and control instructions.

nw02575

php put with 40x error

Detects PHP PUTs that produce 40x series errors. This may indicate suspicious or botnet check-in traffic.

nw02580

php put to wordpress plugin dir

Detects PHP PUTs to WordPress plugin directories. This behavior has been observed by RSA FirstWatch as potential malware traffic.

nw02585

suspicious php put long query

Detects PUTs to PHP pages that include extremely long query strings. This behavior is often indicative of botnet or malware encoded check-in traffic.

nw02615

qq download client

Detects download of the QQ Chinese instant messaging client.

nw02620

suspicious PHP url-encoded put

Detects PHP PUTs that include URL-encoded data.

nw02625

suspicious long filename get request

Detects GET requests that include extremely long filenames, which is often a tactic used by malware to encode information.

nw02635

php botnet beaconing w

Detects botnet beaconing with w=188 in the query string.

nw02645

php ini checkin

Detects botnet traffic that uses PHP and .ini files for check-in traffic.

nw05415

Windows Credential Harvesting Services

Monitors the installation of Windows services known to be used for pass-the-hash and brute force attacks. These may include psexec, wce, pwdump, cachedump, and gsecdump.

nw20065

High Risk File From Blacklisted Host

Detects download of an executable file from a host on a blacklist feed.

nw20080

Archive Extension Mismatch

Creates meta when a rar or zip file is detected without a rar or zip file extension.

nw20085

Archive From IP Address

Archive downloaded directly from an IP address with no corresponding alias.host meta. Often indicative of a second-stage tool download after a foothold has been established.

nw20090

Small Executable No Host

Indicates a forensic executable detection with a small session size and no corresponding alias.host information.

nw20095

Small Executable Extension Mismatch

Indicates a forensic executable detection with a file extension that is not .exe.

nw20100

Small Executable No Directory

Indicates a forensic executable detection with no corresponding directory information.

nw20105

Small Executable Root Directory

Forensic executable detection from the root directory of a host.

nw20110

Small Executable

Forensic executable detection with a small session size.

nw22300

Trojan BLT

Detects malicious outbound traffic due to installation of Trojan BLT variants. Either the HTTP_lua or HTTP native parser is required.

For more details about this threat, reference this RSA Link blog post from RSA Research: Detecting Trojan BLT Variants Using Security Analytics

nw22305

Mirage Malware

Detects malicious outbound traffic due to installation of Mirage malware. The HTTP_lua parser is a required dependency.

For more details about this threat, reference this RSA Link blog post from RSA Research: Detecting Mirage Variants Using Security Analytics

nw22310

Cmstar Malware

Detects malicious traffic between a command and control server and custom, downloader cmstar variants. Either the HTTP_lua or HTTP native parser is required.

For more details about this threat, reference this RSA Link blog post from RSA Research: Detecting Cmstar Variants Using Security Analytics

nw22315

Daserf Malware

Detects malicious inbound and outbound traffic between backdoor / malware Daserf variants and a command and control server domain over HTTP. The HTTP_lua parser is required.

For more details about this threat, reference this RSA Link blog post from RSA Research: Detecting Daserf Variants Using Security Analytics

nw22320

Tendrit Malware

Detects malicious traffic between backdoor/malware Tendrit variants and a command and control server. Either the HTTP_lua or HTTP native parser is required.

For more details about this threat, reference this RSA Link blog post from RSA Research: Detecting Tendrit Variants Using Security Analytics

nw22325

HttpBrowser Malware

Detects malicious outbound traffic between HttpBrowser Malware variants and a command and control server. Either the HTTP_lua or HTTP native parser is a required dependency.

For more details about this threat, reference this RSA Link blog post from RSA Research: Detecting HttpBrowser Variants Using Security Analytics

nw22330

Spaeshill Malware

Detects malicious traffic between Spaeshill downloader/malware and a command and control server. Either the HTTP_lua or HTTP native parser is a required dependency.

For more details about this threat, reference this RSA Link blog post from RSA Research: Detecting Spaeshill Using Security Analytics

nw22335

Taidoor Malware

Detects malicious outbound traffic between a Taidoor infected host and a command and control server. Either the HTTP_lua or HTTP native parser, and the traffic_flow Lua parser, are required.

For more details about this threat, reference this RSA Link blog post from RSA Research: Detecting Taidoor Variants using Security Analytics

nw22340

KeyBase Keylogger

Detects malicious outbound traffic between a KeyBase Keylogger infected host and a command and control server. Either the HTTP_lua or HTTP native parser, and the traffic_flow Lua parser, are required.

For more details about this threat, reference this RSA Link blog post from RSA Research: Detecting KeyBase Keylogger Variants Using Security Analytics

nw22345

NetTraveler Malware

Detects malicious outbound traffic between a NetTraveler infected host and a command and control server. Either the HTTP_lua or HTTP native parser, and the traffic_flow Lua parser, are required.

For more details about this threat, reference this RSA Link blog post from RSA Research: Detecting NetTraveler Variants Using Security Analytics

nw22350

Cerber Ransomware

Detects a set of pay-site hosts for Cerber ransomware that correlate to embedded configuration files for the malware’s set up of bitcoin wallets for each victim. This rule matches when alias.host (packet) or fqdn (web logs) begins with one of the identified pay-sites.

For more details about this threat, reference these RSA Link blog posts from RSA Research:

Dependencies:

  • Packets: HTTP_lua parser
  • Logs: At least one web log event source, September 2016 or later release. If you are running a Log Collector version prior to 10.6.2, you must have the Envision Config File from Live for the FQDN meta key configuration.

Meta Keys:

  • Risk Warning = cerber ransomware
  • Indicators of Compromise = cerber ransomware

nw22355

Locky Malware

Detects malicious outbound traffic between a system infected with Locky Ransomware and command and control server.

This rule has the following dependencies:

  • Dependent on the HTTP Lua and Traffic Flow Lua parsers
  • Dependent on Web proxy and security event sources such as Cisco WSA and SQUID
  • Dependent on the NetWitness feed

Meta Key: alert.id - mapped to analysis meta.

For more details about this threat, reference this RSA Link blog post from RSA Research: Nemucod and Locky.

nw22360

SchoolBell Malware

The SchoolBell rule detects malware associated with ShellCrew's large scale infrastructure harvesting campaign. SchoolBell targets Windows servers running vulnerable versions of Java web containers such as JBoss and Jenkins. The associated SchoolBell rule can be used to detect the malware's callbacks from an infected host.

Both the HTTP_lua and traffic_flow parsers are required.

nw22365

Dyzap Malware

Dyzap has the ability to steal user names and passwords of email, banking and social media accounts. Once the malware infects a victim machine, it starts sending data to its command and control server via an HTTP POST request. This rule detects a variant seen spreading through phishing email messages.

The HTTP_lua and traffic_flow parsers are required.

For more details about this threat, reference this RSA Link blog post from RSA Research: Detecting a Dyzap variant using RSA NetWitness

nw22370

RIG Exploit Kit

RIG exploit kit is suspected in the compromise of a vulnerable website due to patterns found within the query string.

This rule has the following dependencies:

  • Dependent on the HTTP Lua and Traffic Flow Lua parsers
  • Dependent on Web proxy and security event sources such as Cisco WSA and SQUID
  • Dependent on the NetWitness feed

This rule generates the following meta keys:

  • ioc = rig exploit kit
  • inv.category = threat
  • inv.context = attack phase, exploit

nw22375

Dreambot Malware

Dreambot is a banking Trojan that spreads via exploit kits and spam e-mails and has Tor communication and peer-to-peer functionality. This rule detects outbound beaconing activity from the infected host.

This rule has the following dependencies:

  • Dependent on the HTTP Lua and Traffic Flow Lua parsers
  • Dependent on the NetWitness feed

Generated Meta Keys:

  • ioc = dreambot malware
  • inv.category = threat
  • inv.context = malware, crimeware

nw22380

CryptoShield Ransomware

CryptoShield ransomware is being distributed through sites that have been compromised so that when a visitor goes to the site, they encounter the attack chain. Once the ransomware is executed on the victim's computer, it generates a unique ID for the victim and an encryption key. This rule detects the upload of this key to the command and control server.

DEPENDENCIES:

Lua Parsers:

  • HTTP_lua
  • Form_Data_lua
  • traffic_flow

Feeds:

  • NetWitness

Generated Meta Keys:

  • ioc = cryptoshield ransomware
  • inv.category = threat
  • inv.context = malware, crimeware

nw30005

Only ACK Flag Set in Session Containing Payload

Alerts when sessions containing payload have only ACK flag set.

nw30010

DNS Hostnames Resolving Non-Routable IP

Detects DNS names that resolve to a non-routable IP address. Often used on parked domains.

nw30015

NGINX HTTP Server

Detects web servers running nginx which is often used for malicious purposes.

nw30050

Shadow IT: Voice Chat Apps

Detects usage of some voice and chat applications (e.g., Vonage, VOIPStudio, tinychat, and Yahoo Messenger) for potential shadow IT use.

nw30060

Windows NTLM Network Logon Successful

Indicates a possible pass-the-hash attack on Windows systems configured to use the NTLM authentication protocol. This rule does not apply to systems which use the Kerberos authentication protocol.

The rule reduces false positives for anonymous logons and eliminates all DC or machine logons by removing any usernames that end in a $. We recommend that within the rule logic, you exclude the domain for which the Domain Controller is responsible.

Note: This rule detects both v1 and v2 NTLM logs.

nw45645

CryptoLocker Beaconing

Detects traffic indicative of the beaconing activity of the Russian CryptoLocker ransomware variants.

nw50005

Etc Password Get Request

Detects a GET request for /etc/passwd.

nw50010

Etc Shadow Get Request

Detects an attempted GET request for /etc/shadow.

nw50020

NTP DDoS Attack 50-byte Request: Packets

Detects UDP/123 traffic with a 50-byte payload. This is indicative of a potential NTP DDoS attack tool.

nw50021

NTP DDoS Attack 60-byte Request: Packets

Detects UDP/123 traffic with a 60-byte payload. This is indicative of the NTP request size initiated by the ntpdos.py attack script.

nw50022

NTP DDoS Attack 234-byte Request: Packets

Detects UDP/123 traffic with a 234-byte payload. This is indicative of an NTP request generated by a monlist command.

nw50030

NTP DDoS Attack 50-byte Request: Netflow

10.4 or higher. Detects UDP/123 traffic with a 50-byte payload over Netflow. This is indicative of a potential NTP DDoS attack tool.

nw50031

NTP DDoS Attack 60-byte Request: Netflow

10.4 or higher. Detects UDP/123 traffic with a 60-byte payload over NetFlow. This is indicative of the NTP request size initiated by the ntpdos.py attack script.

nw50032

NTP DDoS Attack 234-byte Request: Netflow

10.4 or higher. Detects UDP/123 traffic with a 234-byte payload over Netflow. This is indicative of an NTP request generated by a monlist command.

nw60005

DNS Over Non-Standard Port

DNS traffic over ports other than UDP 53.

nw60010

Non-Standard Port Use - Telnet

Telnet over ports other than TCP 23.

nw60015

Non-Standard Port Use - FTP

FTP over ports other than TCP 21.

nw60020

HTTP over Non-Standard Port

HTTP traffic over a port other than 80.

nw60025

Non-Standard Port Use - SSH

Identifies ssh traffic over a port that is not typically used for ssh.

nw60030

Non-Standard Port Use - SMTP

Identifies smtp traffic over a port that is not typically used for smtp.

nw60035

Non-Standard Port Use - DHCP

Identifies dhcp traffic over a port that is not typically used for dhcp.

nw60040

Non-Standard Port Use - TFTP

Identifies tftp traffic over a port that is not typically used for tftp.

nw60045

Non-Standard Port Use - POP3

Identifies pop3 traffic over a port that is not typically used for pop3.

nw60050

Non-Standard Port Use - NNTP

Identifies nntp traffic over a port that is not typically used for nntp.

nw60055

Non-Standard Port Use - RPC

Identifies rpc traffic over a port that is not typically used for rpc.

nw60060

Non-Standard Port Use - NetBios

Identifies netbios traffic over a port that is not typically used for netbios.

nw60065

Non-Standard Port Use - SMB

Identifies smb traffic over a port that is not typically used for smb.

nw60070

Non-Standard Port Use - SNMP

Identifies snmp traffic over a port that is not typically used for snmp.

nw60075

Non-Standard Port Use - SSL

Identifies ssl traffic over a port that is not typically used for ssl.

nw60080

Non-Standard Port Use - RIP

Identifies rip traffic over a port that is not typically used for rip.

nw60085

Non-Standard Port Use - TDS

Identifies tds traffic over a port that is not typically used for tds.

nw60090

Non-Standard Port Use - TNS

Identifies tns traffic over a port that is not typically used for tns.

nw60095

Non-Standard Port Use - H323

Identifies h323 traffic over a port that is not typically used for h323.

nw60100

Non-Standard Port Use - RTP

Identifies rtp traffic over a port that is not typically used for rtp.

nw60105

Non-Standard Port Use - SIP

Identifies sip traffic over a port that is not typically used for sip.

nw60110

Non-Standard Port Use - IRC

Identifies irc traffic over a port that is not typically used for irc.

nw60115

Unknown Service Over DNS Port

Detects an unidentified service over a port typically used for DNS traffic.

nw60120

Unknown Service Over FTP Port

Detects an unidentified service over a port typically used for FTP traffic.

nw60125

Unknown Service Over HTTP Port

Detects an unidentified service over a port typically used for HTTP traffic.

nw60130

Unknown Service Over Telnet Port

Detects an unidentified service over a port typically used for telnet traffic.

nw60135

Unknown Service Over SMTP Port

Detects an unidentified service over a port typically used for SMTP traffic.

nw60140

Unknown Service Over POP3 Port

Detects an unidentified service over a port typically used for POP3 traffic.

nw60145

Unknown Service Over IRC Port

Detects an unidentified service over a port typically used for IRC traffic.

nw60150

Unknown Service Over NNTP Port

Detects an unidentified service over a port typically used for NNTP traffic.

nw60155

Unknown Service Over SMB Port

Detects an unidentified service over a port typically used for SMB traffic.

nw60165

Unknown Service Over SSL Port

Detects an unidentified service over a port typically used for SSL traffic.

nw70010

Torrent File Download

Detects the download of a .torrent file.

nw90001

Bozok RAT Acquisition

Detects web traffic from an internal IP address to the following URL: ss-rat.blogspot.com

nw90006

NJRAT Acquisition

10.4 or higher. Detects web traffic from an internal IP address to the following URL: ge.tt/85SH60t/v/0.

nw100010

Facebook Profile

Identifies visits to Facebook profile pages.

nw110015

ScribD Document Upload

Detects document uploads to the site ScribD.

nw110025

File Transport over ICMP

Detects files transported over ICMP.

nw110030

File Transport over Unknown Protocol

Detects files transported over unknown protocols.

nw110035

Web Access: Rghost

Detects the existence of "rghost.net" in a URL string.

Rghost is a very common site for quickly distributing sensitive data and posting and retrieving malicious (as well as benign) code snippets.

It is often used to post the output of competing Threat Actor Groups, usually in the form of usernames, passwords, and credit card numbers gained during successful harvesting campaigns, as well as focused attacks against servers hosting the data.

Additionally, it is a large online repository for searchable malware executables.

nw110040

Web Access: Pastebin

Detects the existence of "pastebin.com/post.php" in a URL string. Pastebin is a very common site for quickly distributing sensitive data, posting and retrieving malicious and benign code snippets, and is often used to post the output of competing Threat Actor Groups, usually in the form of usernames, passwords, and credit card numbers gained during successful harvesting campaigns as well as focused attacks against servers hosting the data.

nw110045

Large Outbound Encrypted session

Detects an outbound encrypted session where the data size is greater than 5MB.

nw110050

RDP over Non-Standard Port

Detects an RDP session over a non-standard port.

nw110060

Large Outbound session

Detects an outbound session (encrypted or non-encrypted) where the data size is greater than 5MB.

DEPENDENCIES

Lua Parser: Traffic Flow Lua

Feeds:

  • Hunting
  • Investigation

GENERATED META KEYS

  • boc = large outbound data transfer
  • inv.category = assurance
  • inv.context = compliance, corporate

nw110065

Proxy Anonymous Services

Detects use of common proxy services using a list of domains matched against the alias host meta key.

The following parsers are required:

  • HTTP network parser
  • TLS_lua parser

nw110070

Proxy Client Download

Detects proxy client file downloads by looking for the file name and extension within the filename meta key. Use of an HTTP network parser is required.

nw110075

Remote Control Client Website

Detects use of common remote client download sites. It uses a list of domains matched against the alias host meta key. Use of an HTTP network parser is required.

nw110080

Remote Control Client Download

Detects remote client file downloads by looking for the file name and extension within the filename meta key. Use of an HTTP network parser is required.

nw110085

Outbound MS Outlook PFF File

Detects outbound MS Outlook PFFs (Personal Folder Files). It does not differentiate between types of PFF (e.g., .pst, .ost, .pab).

Note: This rule depends on the Lua parser fingerprint_pff.lua for detecting the PFF file type. This parser must be enabled for this rule to work.

nw110095

Stealth Email Use Large Session

Detects a session larger than 1 MB to the following stealth mail services:

  • Stealth Email. Alias host www.stealth-email.com
  • Hush Mail. With an IP destination of 65.39.178.58 or organization destination of 'Peer 1 Network (USA)'
  • Neomailbox. Alias host www.neomailbox.com
  • Cryptoheaven. Alias host www.cryptoheaven.com
  • S-mail. Alias host www.s-mail.com

nw110105

Stealth Email Use

Detects a user sign-up or sign-in event for the following stealth mail services:

  • Stealth Email. Referer of either www.spytech-web.com/stealth-email-buy.shtml or stealth-email.com
  • Hush Mail. Any traffic with an IP destination of 65.39.178.58 or organization destination of 'Peer 1 Network (USA)'
  • Neomailbox. Any traffic to alias host www.neomailbox.com
  • Cryptoheaven. Any traffic to alias host www.cryptoheaven.com
  • S-mail. Any traffic to alias host mail.s-mail.com

nw110125

BYOD Mobile Web Agent

Detects use of a web browsing agent for a mobile device.

The following is the list of strings looked for within the 'client' meta key to indicate mobile browsing: 'iPad', 'iPhone', 'iPod', 'Android', 'BlackBerry', 'Mobile', 'Opera Mobi', 'Opera Mini', 'Symbian', 'GoBrowser', 'Minimo', 'Netfront', 'Skyfire', 'SEMC-Browser'.

nw110130

NTDSXTRACT Tool Download

Detects an internal network session download of NTDSXTRACT.

NTDSXTRACT is a tool framework for extracting data from the active directory database file NTDS.DIT.

Requires a network parser that supports population of meta keys 'action' and 'filename'. HTTP, FTP, IRC and NFS are examples of such parsers.

nw110140

jRAT Download

Detects an internal network session download of jRAT (Java Remote Administration Tool).

Requires a network parser that supports population of meta keys 'action' and 'filename'. HTTP, FTP, IRC and NFS are examples of such parsers.

nw110145

Cybergate RAT Download

Detects an internal network session download of the Cybergate RAT (Remote Administration Tool).

Requires a network parser that supports population of meta keys 'action' and 'filename'. HTTP, FTP, IRC and NFS are examples of such parsers.

nw110150

Shadow IT: File Sharing Apps

Detects file sharing application usage for Box, Dropbox, Github and iCloud for potential shadow IT use.

nw120005

Passwords over HTTP

Identifies plaintext HTTP logins.

nw120010

Passwords over FTP

Identifies plaintext FTP logins.

nw120015

Passwords Over Telnet

Identifies plaintext telnet logins.

nw120020

Passwords Over Pop3

Identifies plaintext pop3 logins.

nw120025

Passwords Over SMTP

Identifies plaintext SMTP logins.

nw120030

Passwords Over Other Protocols

Identifies plaintext logins with an unidentified service type.

nw125025

Cisco ASA Software IKEv1 and IKEv2 Buffer Overflow

Customers who deploy either Cisco IPS or SourceFire Defense Center may benefit from this log-based Application Rule written to detect indicators to CVE-2016-1287: Cisco ASA Software IKEv1 and IKEv2 Buffer Overflow.

SourceFire signature IDs utilized to detect this vulnerability are '1:36903' and '1:37674' while Cisco IPS signature IDs are 7169-0 and 7169-1.

nw140005

Filter Windows Updates

Filters executable downloads from Windows Update.

nw140010

Filter Skype Updates

Filters Skype update executables.

nw140015

Filter Java Updates

Filters executables involved with Java updates.

nw140020

Filter Google Updates

Filters executable updates for Google tools.

nw140025

Filter Symantec Updates

Filters Symantec update executables.

nw140030

Filter Macromedia Updates

Filters Macromedia update executables.

nw140035

Filter Intel Updates

Filters executables associated with Intel updates.

nw140040

Filter VMware Updates

Filters executables associated with VMware updates.

nw140045

Filter McAfee Updates

Filters executables associated with McAfee updates.

nw140050

Filter Adobe Updates

Filters executables associated with Adobe updates.

NWFL App Rules to support Informer Reports (listed as the two table name columns, separated by a slash):

  • NWFL_AccessCardholderData / NWFL_alm:cardholder-data
  • NWFL_AccountCreated / NWFL_account:created
  • NWFL_AccountDeleted / NWFL_account:deleted
  • NWFL_AccountDisabled / NWFL_account:account-disabled
  • NWFL_AccountModified / NWFL_account:modified
  • NWFL_AuditSettingChange / NWFL_config:change-audit-setting
  • NWFL_AuthSuccess / NWFL_account:auth-success
  • NWFL_AVSignatureUpdate / NWFL_av:signature-update
  • NWFL_AVSummary / NWFL_av:virus-summary
  • NWFL_ClockSynch / NWFL_alm:system-clock-synch
  • NWFL_ConfigChanges / NWFL_config:config-changes
  • NWFL_DataAccess / NWFL_access:data-access
  • NWFL_EncryptFailures / NWFL_encryption:failures
  • NWFL_EncryptKeyGenChanges / NWFL_encryption:key-gen-and-changes
  • NWFL_EncryptSuccess / NWFL_encryption:success
  • NWFL_ErrorEventTypes / NWFL_alm:error-event-types
  • NWFL_FirewallConfigChange / NWFL_config:fw-config-changes
  • NWFL_FirewallRuleCat / NWFL_fw:categories
  • NWFL_FirmwareConfigChange / NWFL_alm:firmware-config-changes
  • NWFL_FWInboundTraffic / NWFL_fw:inbound-network-traffic
  • NWFL_FWOutboundTraffic / NWFL_fw:outbound-network-traffic
  • NWFL_GroupMgmt / NWFL_account:group-management
  • NWFL_InboundTraffic / NWFL_alm:inbound-network-traffic
  • NWFL_IntrusionAllActivity / NWFL_intrusion:all-activity
  • NWFL_LoginDirectAccessSuccess / NWFL_account:logon-success-direct-access
  • NWFL_LoginFailure / NWFL_account:logon-failure
  • NWFL_LoginLogout / NWFL_account:login-and-logout
  • NWFL_LoginSuccess / NWFL_account:logon-success
  • NWFL_Logout / NWFL_account:logout
  • NWFL_MailserverErrors / NWFL_ops:mailserver-errors
  • NWFL_OutboundTraffic / NWFL_alm:outbound-network-traffic
  • NWFL_PasswordChange / NWFL_account:password-change
  • NWFL_PrivEscalateFail / NWFL_access:privilege-escalation-failure
  • NWFL_PrivEscalateSuccess / NWFL_access:privilege-escalation-success
  • NWFL_RemoteAccessFail / NWFL_access:remote-failure
  • NWFL_RemoteAccessSuccess / NWFL_access:remote-success
  • NWFL_RouterConfigChange / NWFL_config:router-change
  • NWFL_URLBlock / NWFL_fw:url-block
  • NWFL_URLFiletypes / NWFL_fw:url-filetypes
  • NWFL_UserAccessFilesrv / NWFL_account:user-accessing-file-servers
  • NWFL_UserAccessRevoke / NWFL_access:user-access-revoked
  • NWFL_WinAcctDisabled / NWFL_host:windows:account-disabled
  • NWFL_WinFileAccess / NWFL_host:windows:file-access
  • NWFL_WinLocalGrpChange / NWFL_host:windows:local-group-account-changes
  • NWFL_WinUsrGroupChange / NWFL_host:windows:user-group-account-changes
  • NWFL_WirelessAdminOps / NWFL_wireless:AdminOperations

outbound_session_greater_than_1gb

Outbound Session Greater Than 1GB

Detects and generates meta after a session with a high percentage of payload transmitted outbound reaches 1GB, 2GB and 3GB.

VERSIONS SUPPORTED

  • 10.5 and higher

CONFIGURATION

By default, the Decoder's capture buffer size is 32MB. If you have modified this setting, you may need to tune the condition for session.split within the rule. Once a session exceeds the capture buffer size, it is split into a separate session. Meta called session.split is generated on each split session and is incremented by a count of 1 with each new session. The default setting for the Decoder capture buffer size may be found through the NetWitness Suite UI > Administration > Services > Explore > decoder > config > capture.buffer.size.

DEPENDENCIES

Lua Parsers:

  • traffic_flow
  • session_analysis

GENERATED META KEYS

  • boc = outbound session greater than 1gb

outbound_session_greater_than_500mb

Outbound Session Greater Than 500M

Detects and generates meta after a session with a high percentage of payload transmitted outbound reaches 500 megabytes.

VERSIONS SUPPORTED

  • 10.5 and higher

CONFIGURATION

By default, the Decoder's capture buffer size is 32MB. If you have modified this setting, you may need to tune the condition for session.split within the rule. Once a session exceeds the capture buffer size, it is split into a separate session. Meta called session.split is generated on each split session and is incremented by a count of 1 with each new session. The default setting for the Decoder capture buffer size may be found through the NetWitness Suite UI > Administration > Services > Explore > decoder > config > capture.buffer.size.

DEPENDENCIES

Lua Parsers:

  • traffic_flow
  • session_analysis

GENERATED META KEYS

  • boc = outbound session greater than 500mb

spectrum_consume

spectrum_consume

Helper Rule for Spectrum

spectrum_consume11

Spectrum Consume 1.1 App Rule

Application rule required for office document/PDF consumption

ssh to external

ssh to external

Detects when an internal IP address initiates an SSH connection to an external IP address.
An SSH connection is identified by the following:

  • service = 22, and
  • tcp.dstport = 22

An internal IP address is one in the private address space defined by RFC 1918. Any IP address not in that private space is considered external.

tdss_rootkit_variant_beaconing

tdss rootkit variant beaconing

Detects the beaconing activity of the TDSS Rootkit botnet.
