This table lists all of the delivered RSA Application Rules.
Note: For content that has been discontinued, see Discontinued Content.
| Display Name | Name | Description | ||
|---|---|---|---|---|
| nw20080 | Archive Extension Mismatch | creates meta when a rar or zip file is detected without a rar or zip file extension | ||
| nw20085 | Archive From IP Address | archive directly from an ip address with no corresponding alias.host meta. Often indicative of a second stage tool download after a foothold has been established. | ||
| nw00005 | Attachment Overload | Rule looks for more than 4 attachments in a single session. | ||
| nw90001 | Bozok RAT Acquisition | Detects web traffic from an internal IP address to the following URL: | ||
| nw110125 | BYOD Mobile Web Agent | Detects use of a web browsing agent for a mobile device. The following is the list of strings looked for within the 'client' meta key to indicate mobile browsing: 'iPad', 'iPhone', 'iPod', 'Android', 'BlackBerry', 'Mobile', 'Opera Mobi', 'Opera Mini', 'Symbian', 'GoBrowser', 'Minimo', 'Netfront', 'Skyfire', 'SEMC-Browser'. | ||
| nw22350 | Cerber Ransomare | Detects a set of pay-site hosts for Cerber ransomware that correlate to embedded configuration files for the malware’s set up of bitcoin wallets for each victim. This rule matches when alias.host (packet) or fqdn (web logs) begins with one of the identified pay-sites. For more details about this threat, reference these RSA Link blog posts from RSA Research: Dependencies:
Meta Keys:
| ||
| nw125025 | Cisco ASA Software IKEv1 and IKEv2 Buffer Overflow | Customers who deploy either Cisco IPS or SourceFire Defense Center may benefit from this log-based Application Rule written to detect indicators to CVE-2016-1287: Cisco ASA Software IKEv1 and IKEv2 Buffer Overflow. SourceFire signature IDs utilized to detect this vulnerability are '1:36903' and '1:37674' while Cisco IPS signature IDs are 7169-0 and 7169-1. | ||
| nw22310 | Cmstar Malware | Detects malicious traffic between a command and control server and custom, downloader cmstar variants. Either the HTTP_lua or HTTP native parser is required. For more details about this threat, reference this RSA Link blog post from RSA Research: Detecting Cmstar Variants Using Security Analytics | ||
| nw22380 | CryptoShield Ransomware | CryptoShield ransomware is being distributed through sites that have been compromised so that when a visitor goes to the site, they encounter the attack chain. Once the ransomware is executed on the victim's computer, it generates a unique ID for the victim and an encryption key. This rule detects the upload of this key to the command and control server. DEPENDENCIES: Lua Parsers:
Feeds:
Generated Meta Keys:
| ||
| nw22315 | Daserf Malware | Detects malicious inbound and outbound traffic between backdoor / malware Daserf variants and a command and control server domain over HTTP. The HTTP_lua parser is required. For more details about this threat, reference this RSA Link blog post from RSA Research: Detecting Daserf Variants Using Security Analytics | ||
| nw30010 | DNS Hostnames Resolving Non-Routable IP | DNS names that resolve to non-routable IP address. Often used on parked domains. | ||
| nw60005 | DNS Over Non-Standard Port | DNS traffic over ports other than udp 53 | ||
| nw22375 | Dreambot Malware | The Dreambot is a banking Trojan spreading via exploit kits and spam e-mails with tor communication and peer-to-peer functionality. This rule detects outbound beaconing activity from the infected host. This rule has the following dependencies:
Generated Meta Keys:
| ||
| nw22365 | Dyzap Malware | Dyzap has the ability to steal user names and passwords of email, banking and social media accounts. Once the malware infects a victim machine, it starts sending data to its command and control server via an HTTP POST request. This rule detects a variant seen spreading through phishing email messages. The HTTP_lua and traffic_flow parsers are required. For more details about this threat, reference this RSA Link blog post from RSA Research: Detecting a Dyzap variant using RSA NetWitness | ||
| nw50005 | Etc Password Get Request | Detects a get request for \/etc/passwd\ | ||
| nw50010 | Etc Shadow Get Request | Detects attempted get request for /etc/shadow | ||
| nw110025 | File Transport over ICMP | Detects files transported over ICMP. | ||
| nw110030 | File Transport over Unknown Protocol | Detects files transported over unknown protocols. | ||
| nw140050 | Filter Adobe Updates | Filters executables associated with Adobe updates. | ||
| nw140020 | Filter Google Updates | Filters executable updates for Google tools. | ||
| nw140035 | Filter Intel Updates | Filters executables associated with Intel updates. | ||
| nw140015 | Filter Java Updates | Filters executables involved with Java updates. | ||
| nw140030 | Filter Macromedia Updates | Filters Macromedia update executables. | ||
| nw140045 | Filter McAfee Updates | Filters executables associated with McAfee updates. | ||
| nw140010 | Filter Skype Updates | Filters Skype update executables. | ||
| nw140025 | Filter Symantec Updates | Filters Symantec update executables. | ||
| nw140040 | Filter VMware Updates | Filters executables associated with VMware updates. | ||
| nw140005 | Filter Windows Updates | Filters executable downloads from Windows Update. | ||
| nw20065 | High Risk File From Blacklisted Host | Detects download of an executable file from a host on a blacklist feed. | ||
| nw60020 | HTTP over Non-Standard Port | http traffic over a port other than 80 | ||
| nw22325 | HttpBrowser Malware | Detects malicious outbound traffic between HttpBrowser Malware variants and a command and control server. Either the HTTP_lua or HTTP native parser is a required dependency. For more details about this threat, reference this RSA Link blog post from RSA Research: Detecting HttpBrowser Variants Using Security Analytics | ||
| nw00015 | IRC File Transfer | Rules looks for file transfers via IRC. | ||
| nw110140 | jRAT Download | Detects an internal network session download of jRAT (Java Remote Administration Tool). Requires a network parser that supports population of meta keys 'action' and 'filename'. HTTP, FTP, IRC and NFS are examples of such parsers. | ||
| nw22340 | KeyBase Keylogger | Detects malicious outbound traffic between a KeyBase Keylogger infected host and a command and control server. Either the HTTP_lua or HTTP native parser, and the traffic_flow Lua parser, are required. For more details about this threat, reference this RSA Link blog post from RSA Research: Detecting KeyBase Keylogger Variants Using Security Analytics | ||
| nw110045 | Large Outbound Encrypted session | Detects an Outbound encrypted session where the data size is greater than 5MB. | ||
| nw110060 | Large Outbound session | Detects Outbound session (encrypted or non-encrypted) where the data size is greater than 5MB. DEPENDENCIES Lua Parser: Traffic Flow Lua Feeds:
GENERATED META KEYS
| ||
| nw22355 | Locky Malware | Detects malicious outbound traffic between a system infected with Locky Ransomware and command and control server. This rule has the following dependencies:
Meta Key: alert.id - mapped to analysis meta. For more details about this threat, reference this RSA Link blog post from RSA Research: Nemucod and Locky. | ||
| nw22305 | Mirage Malware | Detects malicious outbound traffic due to installation of Mirage malware. The HTTP_lua parser is a required dependency. For more details about this threat, reference this RSA Link blog post from RSA Research: Detecting Mirage Variants Using Security Analytics | ||
| nw22345 | NetTraveler Malware | Detects malicious outbound traffic between a NetTraveler infected host and a command and control server. Either the HTTP_lua or HTTP native parser, and the traffic_flow Lua parser, are required. For more details about this threat, reference this RSA Link blog post from RSA Research: Detecting NetTraveler Variants Using Security Analytics | ||
| nw30015 | NGINX HTTP Server | Detects web servers running nginx which is often used for malicious purposes. | ||
| nw90006 | NJRAT Acquisition | 10.4 or higher. Detects web traffic from an internal IP address to the following URL: ge.tt/85SH60t/v/0. | ||
| nw60035 | Non-Standard Port Use - DHCP | Identifies dhcp traffic over a port that is not typically used for dhcp | ||
| nw60015 | Non-Standard Port Use - FTP | ftp over ports other than TCP 21 | ||
| nw60095 | Non-Standard Port Use - H323 | Identifies h323 traffic over a port that is not typically used for h323. | ||
| nw60110 | Non-Standard Port Use - IRC | Identifies irc traffic over a port that is not typically used for irc. | ||
| nw60060 | Non-Standard Port Use - NetBios | Identifies netbios traffic over a port that is not typically used for netbios. | ||
| nw60050 | Non-Standard Port Use - NNTP | Identifies nntp traffic over a port that is not typically used for nntp. | ||
| nw60045 | Non-Standard Port Use - POP3 | Identifies pop3 traffic over a port that is not typically used for pop3. | ||
| nw60080 | Non-Standard Port Use - RIP | Identifies rip traffic over a port that is not typically used for rip. | ||
| nw60055 | Non-Standard Port Use - RPC | Identifies rpc traffic over a port that is not typically used for rpc. | ||
| nw60100 | Non-Standard Port Use - RTP | Identifies rto traffic over a port that is not typically used for rtp. | ||
| nw60105 | Non-Standard Port Use - SIP | Identifies sip traffic over a port that is not typically used for sip | ||
| nw60065 | Non-Standard Port Use - SMB | Identifies smb traffic over a port that is not typically used for smb. | ||
| nw60030 | Non-Standard Port Use - SMTP | Identifies smtp traffic over a port that is not typically used for smtp. | ||
| nw60070 | Non-Standard Port Use - SNMP | Identifies snmp traffic over a port that is not typically used for snmp. | ||
| nw60025 | Non-Standard Port Use - SSH | Identifies ssh traffic over a port that is not typically used for ssh. | ||
| nw60075 | Non-Standard Port Use - SSL | Identifies ssl traffic over a port that is not typically used for ssl. | ||
| nw60085 | Non-Standard Port Use - TDS | Identifies tds traffic over a port that is not typically used for tds. | ||
| nw60010 | Non-Standard Port Use - Telnet | telnet over ports other than TCP 23 | ||
| nw60040 | Non-Standard Port Use - TFTP | Identifies tftp traffic over a port that is not typically used for tftp. | ||
| nw60090 | Non-Standard Port Use - TNS | Identifies tns traffic over a port that is not typically used for tns. | ||
| nw110130 | NTDSXTRACT Tool Download | Detects an internal network session download of NTDSXTRACT. NTDSXTRACT is a tool framework for extracting data from the active directory database file Requires a network parser that supports population of meta keys 'action' and 'filename'. HTTP, FTP, IRC and NFS are examples of such parsers. | ||
| nw50032 | NTP DDoS Attack 234-byte Request: Netflow | 10.4 or higher. Detects UDP/123 traffic with a 234-byte payload over Netflow. This is indicative of an NTP request generated by a monlist command. | ||
| nw50022 | NTP DDoS Attack 234-byte Request: Packets | Detects UDP/123 traffic with a 234-byte payload. This is indicative of an NTP request generated by a monlist command. | ||
| nw50031 | NTP DDoS Attack 60-byte Request: Netflow | 10.4 or higher. Detects UDP/123 traffic with a 60-byte payload over NetFlow. This is indicative of the NTP request size initiated by the ntpdos.py attack script. | ||
| nw50021 | NTP DDoS Attack 60-byte Request: Packets | Detects UDP/123 traffic with a 60-byte payload. This is indicative of the NTP request size initiated by the ntpdos.py attack script. | ||
| nw50030 | NTP DDoS Attack 50-byte Request: Netflow | 10.4 or higher. Detects UDP/123 traffic with a 50-byte payload over Netflow. This is indicative of a potential NTP DDoS attack tool. | ||
| nw50020 | NTP DDoS Attack 50-byte Request: Packets | Detects UDP/123 traffic with a 50-byte payload. This is indicative of a potential NTP DDoS attack tool. | ||
| NWFL_DataAccess | NWFL_access:data-access | NWFL App Rule to support Informer Reports | ||
| NWFL_PrivEscalateFail | NWFL_access:privilege-escalation-failure | NWFL App Rule to support Informer Reports | ||
| NWFL_PrivEscalateSuccess | NWFL_access:privilege-escalation-success | NWFL App Rule to support Informer Reports | ||
| NWFL_RemoteAccessFail | NWFL_access:remote-failure | NWFL App Rule to support Informer Reports | ||
| NWFL_RemoteAccessSuccess | NWFL_access:remote-success | NWFL App Rule to support Informer Reports | ||
| NWFL_UserAccessRevoke | NWFL_access:user-access-revoked | NWFL App Rule to support Informer Reports | ||
| NWFL_AccountDisabled | NWFL_account:account-disabled | NWFL App Rule to support Informer Reports | ||
| NWFL_AuthSuccess | NWFL_account:auth-success | NWFL App Rule to support Informer Reports | ||
| NWFL_AccountCreated | NWFL_account:created | NWFL App Rule to support Informer Reports | ||
| NWFL_AccountDeleted | NWFL_account:deleted | NWFL App Rule to support Informer Reports | ||
| NWFL_GroupMgmt | NWFL_account:group-management | NWFL App Rule to support Informer Reports | ||
| NWFL_LoginLogout | NWFL_account:login-and-logout | NWFL App Rule to support Informer Reports | ||
| NWFL_LoginFailure | NWFL_account:logon-failure | NWFL App Rule to support Informer Reports | ||
| NWFL_LoginSuccess | NWFL_account:logon-success | NWFL App Rule to support Informer Reports | ||
| NWFL_LoginDirectAccessSuccess | NWFL_account:logon-success-direct-access | NWFL App Rule to support Informer Reports | ||
| NWFL_Logout | NWFL_account:logout | NWFL App Rule to support Informer Reports | ||
| NWFL_AccountModified | NWFL_account:modified | NWFL App Rule to support Informer Reports | ||
| NWFL_PasswordChange | NWFL_account:password-change | NWFL App Rule to support Informer Reports | ||
| NWFL_UserAccessFilesrv | NWFL_account:user-accessing-file-servers | NWFL App Rule to support Informer Reports | ||
| NWFL_AccessCardholderData | NWFL_alm:cardholder-data | NWFL App Rule to support Informer Reports | ||
| NWFL_ErrorEventTypes | NWFL_alm:error-event-types | NWFL App Rule to support Informer Reports | ||
| NWFL_FirmwareConfigChange | NWFL_alm:firmware-config-changes | NWFL App Rule to support Informer Reports | ||
| NWFL_InboundTraffic | NWFL_alm:inbound-network-traffic | NWFL App Rule to support Informer Reports | ||
| NWFL_OutboundTraffic | NWFL_alm:outbound-network-traffic | NWFL App Rule to support Informer Reports | ||
| NWFL_ClockSynch | NWFL_alm:system-clock-synch | NWFL App Rule to support Informer Reports | ||
| NWFL_AVSignatureUpdate | NWFL_av:signature-update | NWFL App Rule to support Informer Reports | ||
| NWFL_AVSummary | NWFL_av:virus-summary | NWFL App Rule to support Informer Reports | ||
| NWFL_AuditSettingChange | NWFL_config:change-audit-setting | NWFL App Rule to support Informer Reports | ||
| NWFL_ConfigChanges | NWFL_config:config-changes | NWFL App Rule to support Informer Reports | ||
| NWFL_FirewallConfigChange | NWFL_config:fw-config-changes | NWFL App Rule to support Informer Reports | ||
| NWFL_RouterConfigChange | NWFL_config:router-change | NWFL App Rule to support Informer Reports | ||
| NWFL_EncryptFailures | NWFL_encryption:failures | NWFL App Rule to support Informer Reports | ||
| NWFL_EncryptKeyGenChanges | NWFL_encryption:key-gen-and-changes | NWFL App Rule to support Informer Reports | ||
| NWFL_EncryptSuccess | NWFL_encryption:success | NWFL App Rule to support Informer Reports | ||
| NWFL_FirewallRuleCat | NWFL_fw:categories | NWFL App Rule to support Informer Reports | ||
| NWFL_FWInboundTraffic | NWFL_fw:inbound-network-traffic | NWFL App Rule to support Informer Reports | ||
| NWFL_FWOutboundTraffic | NWFL_fw:outbound-network-traffic | NWFL App Rule to support Informer Reports | ||
| NWFL_URLBlock | NWFL_fw:url-block | NWFL App Rule to support Informer Reports | ||
| NWFL_URLFiletypes | NWFL_fw:url-filetypes | NWFL App Rule to support Informer Reports | ||
| NWFL_WinAcctDisabled | NWFL_host:windows:account-disabled | NWFL App Rule to support Informer Reports | ||
| NWFL_WinFileAccess | NWFL_host:windows:file-access | NWFL App Rule to support Informer Reports | ||
| NWFL_WinLocalGrpChange | NWFL_host:windows:local-group-account-changes | NWFL App Rule to support Informer Reports | ||
| NWFL_WinUsrGroupChange | NWFL_host:windows:user-group-account-changes | NWFL App Rule to support Informer Reports | ||
| NWFL_IntrusionAllActivity | NWFL_intrusion:all-activity | NWFL App Rule to support Informer Reports | ||
| NWFL_MailserverErrors | NWFL_ops:mailserver-errors | NWFL App Rule to support Informer Reports | ||
| NWFL_WirelessAdminOps | NWFL_wireless:AdminOperations | NWFL App Rule to support Informer Reports | ||
| nw30005 | Only ACK Flag Set in Session Containing Payload | Alerts when sessions containing payload have only ACK flag set. | ||
| nw110085 | Outbound MS Outlook PFF File | Detects outbound MS Outlook PFFs (Personal Folder Files). It does not differentiate between type of PFF (e.g.: .pst, .ost, .pab).
| ||
| outbound_session_greater_than_1gb | Outbound Session Greater Than 1GB | Detects and generates meta after a session with a high percentage of payload transmitted outbound reaches 1GB, 2GB and 3GB. VERSIONS SUPPORTED
CONFIGURATION By default, the Decoder’s capture buffer size is 32MB. If you have modified this setting, then you may need to tune the condition for session.split within the rule. Once a session exceeds the capture buffer size, it is split into a separate session. Meta is generated on each split session called, session.split, which is incremented by a count of 1 with each new session. The default setting for the Decoder capture buffer size may be found through the RSA NetWitness Platform UI > Administration > Services > Explore > decoder > config > capture.buffer.size. DEPENDENCIES Lua Parsers:
GENERATED META KEYS
| ||
| outbound_session_greater_than_500mb | Outbound Session Greater Than 500M | Detects and generates meta after a session with a high percentage of payload transmitted outbound reaches 500 megabytes. VERSIONS SUPPORTED
CONFIGURATION By default, the Decoder’s capture buffer size is 32MB. If you have modified this setting, then you may need to tune the condition for session.split within the rule. Once a session exceeds the capture buffer size, it is split into a separate session. Meta is generated on each split session called, session.split, which is incremented by a count of 1 with each new session. The default setting for the Decoder capture buffer size may be found through the RSA NetWitness Platform UI > Administration > Services > Explore > decoder > config > capture.buffer.size. DEPENDENCIES Lua Parsers:
GENERATED META KEYS
| ||
| nw120010 | Passwords over FTP | Identifies plaintext FTP logins | ||
| nw120005 | Passwords over HTTP | Identifies plaintext HTTP logins | ||
| nw120030 | Passwords Over Other Protocols | Identifies plaintext logins with an unidentified service type. | ||
| nw120020 | Passwords Over Pop3 | Identifies plaintext pop3 logins | ||
| nw120025 | Passwords Over SMTP | Identifies plaintext SMTP logins | ||
| nw120015 | Passwords Over Telnet | Identifies plaintext telnet logins | ||
| nw02635 | php botnet beaconing w | detects botnet beaconing with w=188 in the query string. | ||
| nw02645 | php ini checkin | Detects botnet traffic that uses PHP and .ini files for checkin traffic. | ||
| nw02580 | php put to wordpress plugin dir | Detects PHP puts to WordPress plugin directoires. This behavior has been observed by RSA-FirstWatch as potential malware traffic. | ||
| nw02575 | php put with 40x error | Detects PHP puts that create 4 series errors. This may indicate suspicoius or botnet check-in traffic. | ||
| nw110065 | Proxy Anonymous Services | Detects use of common proxy services using a list of domains matched against the alias host meta key. The following parsers are required:
| ||
| nw110070 | Proxy Client Download | Detects proxy client file downloads by looking for the file name and extension within the filename meta key. Use of an HTTP network parser is required. | ||
| nw02615 | qq download client | detects download of the QQ chinese instant messaging client. | ||
| nw110050 | RDP over Non-Standard Port | Detects an RDP session over a non-standard port. | ||
| nw110080 | Remote Control Client Download | Detects remote client file downloads by looking for the file name and extension within the filename meta key. Use of an HTTP network parser is required. | ||
| nw110075 | Remote Control Client Website | Detects use of common remote client download sites. It uses a list of domains matched against the alias host meta key. Use of an HTTP network parser is required. | ||
| nw22370 | RIG Exploit Kit | RIG exploit kit is suspected in the compromise of a vulnerable website due to patterns found within the query string. This rule has the following dependencies:
This rule generates the following meta keys:
| ||
| nw00040 | Rogue DHCP Server Detected: Packets | Detects web traffic involving UDP/67 or 68 that is not a legitimate DHCP server. Note: Users must add legitimate DHCP servers to the RogueDHCPServerDetected feed. For details, see Create Feed for Rogue DHCP Server Rule. | ||
| nw22360 | SchoolBell Malware | The SchoolBell rule detects malware associated with ShellCrew's large scale infrastructure harvesting campaign. SchoolBell targets Windows servers running vulnerable versions of Java web containers such as JBoss and Jenkins. The associated SchoolBell rule can be used to detect the malware's callbacks from an infected host. Both the HTTP_lua and traffic_flow parsers are required. | ||
| nw110015 | ScribD Document Upload | Detects document uploads to the site ScribD. | ||
| nw110150 | Shadow IT: File Sharing Apps | Detects file sharing application usage for Box, Dropbox, Github and iCloud for potential shadow IT use. | ||
| nw30050 | Shadow IT: Voice Chat Apps | Detects some voice and chat applications' (e.g. Vonage, VOIPStudio, tinychat, and Yahoo Messenger) usage for potential shadow IT use. | ||
| nw20110 | Small Executable | Forensic executable detection with a small session size. | ||
| nw20095 | Small Executable Extension Mismatch | Indicates a forensic executable detection with a file extension that is not .exe. | ||
| nw20100 | Small Executable No Directory | Indicates a forensic executable detection with no corresponding directory information. | ||
| nw20090 | Small Executable No Host | Indicates a forensic executable detection with a small session size and no corresponding alias.host information. | ||
| nw20105 | Small Executable Root Directory | Forensic executable detection from the root directory of a host. | ||
| nw22330 | Spaeshill Malware | Detects malicious traffic between Spaeshill downloader/malware and a command and control server. Either the HTTP_lua or HTTP native parser is a required dependency. For more details about this threat, reference this RSA Link blog post from RSA Research: Detecting Spaeshill Using Security Analytics | ||
| spectrum_consume11 | Spectrum Consume 1.1 App Rule | Application rule required for office document/pdf consumption | ||
| spectrum_consume | spectrum_consume | Helper Rule for Spectrum | ||
| ssh to external | ssh to external | Detects when an internal IP address initiates an SSH connection to an external IP address.
An Internal IP address is a private address space defined by RFC-1918. Any IP address not in the private space is considered external. | ||
| nw110105 | Stealth Email Use | Detects a user sign-up or sign-in event for the following stealth mail services:
| ||
| nw110095 | Stealth Email Use Large Session | Detects a session larger than 1 MB to the following stealth mail services:
| ||
| nw02565 | strings decode download | Detects malware that uses "strings.txt" for command and control instructions | ||
| nw02625 | suspicious long filename get request | Detects get requests that include extremely long flienames which is often a tactic used malware to encode information. | ||
| nw02585 | suspicious php put long query | Detects puts to PHP pages that include extremly long query strings. This behavior is often indicative of botnet or malware encoded check-in traffic | ||
| nw02620 | suspicious PHP url-encoded put | Detects PHP Puts that included URL-encoded data | ||
| nw22335 | Taidoor Malware | Detects malicious outbound traffic between a Taidoor infected host and a command and control server. Either the HTTP_lua or HTTP native parser, and the traffic_flow Lua parser, are required. For more details about this threat, reference this RSA Link blog post from RSA Research: Detecting Taidoor Variants using Security Analytics | ||
| tdss_rootkit_variant_beaconing | tdss rootkit variant beaconing | Detects the beaconing activity of the TDSS Rootkit botnet. | ||
| app000002 | tdss_rootkit_variant_beaconing | Detects the beaconing activity of the TDSS Rootkit botnet. | ||
| nw22320 | Tendrit Malware | Detects malicious traffic between backdoor/malware Tendrit variants and a command and control server. Either the HTTP_lua or HTTP native parser is required. For more details about this threat, reference this RSA Link blog post from RSA Research: Detecting Tendrit Variants Using Security Analytics | ||
| nw00035 | Tor Outbound | Detects an encrypted network session, as well as log sessions to an external (non RFC-1918) IP destination that shows at least one indicator of using the Tor protocol for anonymous data access. The possible indicators of Tor are: Communication over a common Tor destination port of 9001, 9030, 9101, 9003, 9050, 9051 or communication with a known Tor tunnel node. DEPENDENCIES Packets:
Logs:
GENERATED META KEYS
| ||
| nw70010 | Torrent File Download | Detects the download of a .torrent file. | ||
| nw22300 | Trojan BLT | Detects malicious outbound traffic due to installation of Trojan BLT variants. Either the HTTP_lua or HTTP native parser is required. For more details about this threat, reference this RSA Link blog post from RSA Research: Detecting Trojan BLT Variants Using Security Analytics | ||
| app000003 | tsone dorkbot beaconing | Detects hosts infected with the TSONE Dorkbot. | ||
| nw60115 | Unknown Service Over DNS Port | Detects an unidentified service over a port typically used for DNS traffic. | ||
| nw60120 | Unknown Service Over FTP Port | Detects an unidentified service over a port typically used for FTP traffic. | ||
| nw60125 | Unknown Service Over HTTP Port | Detects an unidentified service over a port typically used for HTTP traffic. | ||
| nw60145 | Unknown Service Over IRC Port | Detects an unidentified service over a port typically used for IRC traffic. | ||
| nw60150 | Unknown Service Over NNTP Port | Detects an unidentified service over a port typically used for NNTP traffic. | ||
| nw60140 | Unknown Service Over POP3 Port | Detects an unidentified service over a port typically used for POP3 traffic. | ||
| nw60155 | Unknown Service Over SMB Port | Detects an unidentified service over a port typically used for SMB traffic. | ||
| nw60135 | Unknown Service Over SMTP Port | Detects an unidentified service over a port typically used for SMTP traffic. | ||
| nw60165 | Unknown Service Over SSL Port | Detects an unidentified service over a port typically used for SSL traffic. | ||
| nw60130 | Unknown Service Over Telnet Port | Detects an unidentified service over a port typically used for telnet traffic. | ||
| nw00045 | Unusual Port Utilized by Domain Controller | Detects a domain controller or directory server engaged in port activity that is outside the expected ports. For Active Directory port requirements, see the following Microsoft Windows Server article: https://technet.microsoft.com/en-us/...(v=ws.10).aspx Note: This rule must be modified to include the IP address of the local Domain Controller or Directory Server. | ||
| nw110040 | Web Access: Pastebin | Detects the existence of "pastebin.com/post.php" in a URL string. Pastebin is a very common site for quickly distributing sensitive data, posting and retrieving malicious and benign code snippets, and is often used to post the output of competing Threat Actor Groups, usually in the form of usernames, passwords, and credit card numbers gained during successful harvesting campaigns as well as focused attacks against servers hosting the data. | ||
| nw110035 | Web Access: Rghost | Detects the existence of "rghost.net" in a URL string. Rghost is a very common site for quickly distributing sensitive data and posting and retrieving malicious ( as well as benign) code snippets. It is often used to post the output of competing Threat Actor Groups, usually in the form of usernames, passwords, and credit card numbers gained during successful harvesting campaigns, as well as focused attacks against servers hosting the data. Additionally, it is a large online repository for searchable malware executables. | ||
| nw05415 | Windows Credential Harvesting Services | Monitors the installation of Windows services known to be used for pass-the-hash and brute force attacks. These may include psexec, wce, pwdump, cachedump, and gsecdump. | ||
| nw30060 | Windows NTLM Network Logon Successful | Indicates a possible pass-the-hash attack on Windows systems configured to use the NTLM authentication protocol. This rule does not apply to systems which use the Kerberos authentication protocol. The rule reduces false positives for anonymous logons and eliminates all DC or machine logons by removing any usernames that end in a $. We recommend that within the rule logic, you exclude the domain for which the Domain Controller is responsible. Note: This rule detects both v1 and v2 NTLM logs. |