Several changes have been made to the Threat Detection Content in Live.
- Punycode Phishing Attempt ESA Rule - This rule looks identifies mail sessions that have a mis-match between hostname in a link and the text in the link, in addition the hostname is an identified IDN homograph. In order for the alert to trigger, there must also be a HTTP or HTTPS session that follows the mail session that contains the IDN homograph in the HTTP Host header or in the SSL certificate. IDN Homograph support was released last month, this builds on that capability. For information check out the blog post: https://community.rsa.com/community/products/netwitness/blog/2017/05/03/punycode-not-all-characters-are-created-equal
- Hunting Bundle - Added IDN_homograph parser as well as the SuperCMD parser.
- ssh_to_external App Rule - This has been re-written to leverage directionality (https://community.rsa.com/docs/DOC-44948) vs. hard-coded RFC 1918 IP space.
- HTTP_lua Parser - Updated to flag Host Headers with an integer as the host (as opposed to an IP address or FQHN) in support of: https://community.rsa.com/community/products/netwitness/blog/2017/05/11/rig-decimal-ip-campaign
- TLD_lua Parser - Numerals are now considered consonants in tagging hostnames with five or more consecutive consonants or numerals as well as two groups of four consecutive consonants or numerals.
- DNS_verbose_lua - Tag resolution of external domains and hostnames to the loopback address. This replaces the retired Application Rule below.
- RIG Exploit Kit ESA Rule - This rule was updated to support the RIG Decimal IP campaign in addition to the detection released last month. For more information on the Decimal IP campaign: https://community.rsa.com/community/products/netwitness/blog/2017/05/11/rig-decimal-ip-campaign Integer host detected was added as an initial gate into the rule in addition to the existing external iframe reference.
Other bug fixes and changes
- HTTP_lua - bug fixes
We strive to provide timely and accurate detection of threats as well as traits that can help analysts hunt through network and log data. Occasionally this means retiring content that provides little-to-no value.
- carberp botnet activity - No longer a relevant threat.
- Facebook Login - Facebook transmits all traffic SSL so this rule is no longer applicable in the general case.
- loopback Traffic - This has been superseded by a more accurate approach (looking for external domains resolving to 127.0.0.0/8.
- Zeus Botnet Activity - No longer an active threat.
- Botnet Report - Replaced with the Malware Activity report listed above.
RSA has a defined End of Primary Support policy associated with all major versions. Please refer to the Product Version Life Cycle for additional details.