Security Related Rules and Reports
Security Rules
Access Control Violations
Network Scanning Activity
Malware
Explicit Security Exploits
Policy Violations
Security Reports
Access Control Reports
Malware Reports
Other Security Issues
Network Traffic Analysis
Access Control Violations
Network Device Access
Multiple Admin Login Failures: Net Device: Detects excessive logon failures at a network device – 5 consecutive failures in a 10 minute period.
Repeated Admin Multiple Login Failures: Net Device: Detects repeating occurrences of multiple logon failures at a network device
Account Locked: Network Device: Detects account lockout caused by excessive logon failures
Server Access
Multiple Logon Failures: Server: Detects excessive logon failures at a server – 5 consecutive failures in a 10 minute period
Repeated Multiple Logon Failures: Server: Detects repeating occurrences of multiple logon failures at a server from the same user
Multiple Privileged Logon Failures: Server: Detects excessive privileged logon failures at a server – 3 consecutive failures in a 10 minute period
Account Locked: Server: Detects account lockout caused by excessive logon failures
Network Access
Multiple Logon Failures: Domain: Detects multiple domain logon failures – 5 consecutive failures in a 10 minute period
Repeated Multiple Logon Failures: Domain: Detects repeating occurrences of multiple domain logon failures
Multiple Logon Failures: VPN: Detects multiple VPN logon failures – 5 consecutive failures in a 10 minute period
Repeated Multiple Logon Failures: VPN: Detects repeating occurrences of excessive VPN logon failures
Multiple Logon Failures: WLAN: Detects multiple Wireless logon failures – 5 consecutive failures in a 10 minute period
Repeated Multiple Logon Failures: WLAN: Detects repeating occurrences of excessive wireless LAN logon failures
Account Locked: Domain: Detects account lockout caused by excessive logon failures
Application Access
Multiple Logon Failures: Web Server: Detects excessive application logon failures – 5 consecutive failures in a 10 minute period. Application logons include logons to services that require authentication for access, such as HTTP, SNMP, FTP, POP3, IMAP etc.
Repeated Multiple Logon Failures: Web Server: Detects repeating occurrences of multiple application logon failures
Multiple Logon Failures: Database: Detects excessive database logon failures – 5 consecutive failures in a 10 minute period.
Repeated Multiple Logon Failures: Database: Detects repeating occurrences of multiple database logon failures
Multiple Logon Failures: Misc App: Detects excessive application logon failures – 5 consecutive failures in a 10 minute period. Application logons include logons to services that require authentication for access, such as HTTP, SNMP, FTP, POP3, IMAP etc.
Repeated Multiple Logon Failures: Misc App: Detects repeating occurrences of multiple application logon failures
Special situations
Privileged Command Execution Failure: Detects excessive privileged command execution (e.g. sudo exec) failure at a server
Disabled Account Logon Attempt: Detects logon attempts to disabled accounts
Logon Time Restriction Violation: Detects logon attempts at times which are not permitted by policy
Multiple Logon Failures: Same Src, Multiple Hosts: Detects the same source having excessive logon failures at distinct hosts
Multiple Logon Failures: Same Src and Dest, Multiple Accounts: Detects the same source having excessive logon failures at the same destination host where multiple distinct accounts are used during the logon failures (the password-spraying pattern)
Suspicious Logon Failure: no following successful login: Detects an unusual condition where a source has authentication failures at a host that are not followed by a successful authentication at the same host within the same day
Failed VPN Logon From Outside My Country: Detects failed VPN logons from outside My Country. My Country is set to “United States” by default and may need to be changed for deployments outside the United States
Concurrent Failed Authentications To Same Account From Multiple Countries: Detects simultaneous failed server/network device/domain authentications to the same system and the same account from different countries. This may indicate stolen credentials unless it is an administrative account and is supposed to be accessed by administrators from multiple countries.
Concurrent Failed Authentications To Same Account From Multiple Cities: Detects simultaneous failed server/network device/domain authentications to the same system and the same account from different cities. This may indicate stolen credentials unless it is an administrative account and is supposed to be accessed by administrators from multiple cities.
Concurrent Successful Authentications To Same Account From Multiple Countries: Detects simultaneous successful server/network device/domain authentications to the same system and the same account from different countries. This may indicate stolen credentials unless it is an administrative account and is supposed to be accessed by administrators from multiple countries.
Concurrent Successful Authentications To Same Account From Multiple Cities: Detects simultaneous successful server/network device/domain authentications to the same system and the same account from different cities. This may indicate stolen credentials unless it is an administrative account and is supposed to be accessed by administrators from multiple cities.
Concurrent VPN Authentications To Same Account From Different Cities: Detects simultaneous VPN authentications to the same account within a short period of time from different cities. This may indicate a stolen credential.
Suspicious logon attempt detected: Detects suspicious logon attempts that indicate policy violations, e.g. root logon to database servers, default passwords, attempts to bypass authentication, root logon over unencrypted protocols such as Telnet, ftp, anonymous logons etc.
Transient Account Usage: Detects that an account was created, used and then deleted within a short period of time
Multiple Accounts Disabled by Administrator: Detects that multiple (more than 3) accounts were disabled by administrator in a short period of time
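As an added illustration (not part of this page and not the product's own rule engine), the following Python evaluates four of the rules in this section over a constructed authentication log: consecutive failures for one source/host/account (Multiple Logon Failures), one source failing against many accounts on one host (Same Src and Dest, Multiple Accounts), failures with no later success the same day (Suspicious Logon Failure), and successful logons to one account from two countries within minutes (Concurrent Successful Authentications From Multiple Countries). The record layout, field names, sample events and the country column are assumptions made for the example; the 5-failures-in-10-minutes defaults follow the rule text.

```python
# Added example (not the product's rule engine): windowed detectors for four of the
# logon-failure rules above. Field names and the sample log are constructed.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log: (ts, src, dest, user, country, result)
SAMPLE_EVENTS = [
    # alice: 5 consecutive failures in 4 minutes -> 'Multiple Logon Failures'
    ("2024-03-01 09:00:00", "10.1.1.5", "srv1", "alice", "US", "fail"),
    ("2024-03-01 09:01:00", "10.1.1.5", "srv1", "alice", "US", "fail"),
    ("2024-03-01 09:02:00", "10.1.1.5", "srv1", "alice", "US", "fail"),
    ("2024-03-01 09:03:00", "10.1.1.5", "srv1", "alice", "US", "fail"),
    ("2024-03-01 09:04:00", "10.1.1.5", "srv1", "alice", "US", "fail"),
    # bob: two failures then a success, so the streak resets and nothing fires
    ("2024-03-01 09:10:00", "10.1.1.6", "srv1", "bob", "US", "fail"),
    ("2024-03-01 09:11:00", "10.1.1.6", "srv1", "bob", "US", "fail"),
    ("2024-03-01 09:12:00", "10.1.1.6", "srv1", "bob", "US", "success"),
    # password spray: one source, one host, five accounts, one failure each
    ("2024-03-01 10:00:00", "203.0.113.9", "dc1", "u1", "DE", "fail"),
    ("2024-03-01 10:00:10", "203.0.113.9", "dc1", "u2", "DE", "fail"),
    ("2024-03-01 10:00:20", "203.0.113.9", "dc1", "u3", "DE", "fail"),
    ("2024-03-01 10:00:30", "203.0.113.9", "dc1", "u4", "DE", "fail"),
    ("2024-03-01 10:00:40", "203.0.113.9", "dc1", "u5", "DE", "fail"),
    # carol: successful logons to the same host from two countries 3 minutes apart
    ("2024-03-01 11:00:00", "198.51.100.7", "srv2", "carol", "US", "success"),
    ("2024-03-01 11:03:00", "192.0.2.44", "srv2", "carol", "BR", "success"),
]

def parse(events):
    """Raw tuples -> dicts sorted by time (the detectors assume time order)."""
    fields = ("ts", "src", "dest", "user", "country", "result")
    parsed = [dict(zip(fields, e)) for e in events]
    for e in parsed:
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%d %H:%M:%S")
    return sorted(parsed, key=lambda e: e["ts"])

def _recent(history, now, window):
    """Sliding window: keep (ts, value) pairs no older than `window` before `now`."""
    return [(t, v) for t, v in history if now - t <= window]

def multiple_logon_failures(events, threshold=5, window=timedelta(minutes=10)):
    """'Multiple Logon Failures': N consecutive failures for one src/dest/account
    inside the window. A success for that key ends the streak."""
    streaks, alerts = defaultdict(list), set()
    for e in events:
        key = (e["src"], e["dest"], e["user"])
        if e["result"] == "success":
            streaks[key] = []
            continue
        streaks[key] = _recent(streaks[key] + [(e["ts"], None)], e["ts"], window)
        if len(streaks[key]) >= threshold:
            alerts.add(key)
    return alerts

def same_src_dest_multiple_accounts(events, threshold=5, window=timedelta(minutes=10)):
    """'Multiple Logon Failures: Same Src and Dest, Multiple Accounts': one source
    failing against many distinct accounts on one host, i.e. password spraying."""
    seen, alerts = defaultdict(list), set()
    for e in events:
        if e["result"] != "fail":
            continue
        key = (e["src"], e["dest"])
        seen[key] = _recent(seen[key] + [(e["ts"], e["user"])], e["ts"], window)
        if len({u for _, u in seen[key]}) >= threshold:
            alerts.add(key)
    return alerts

def failures_without_success(events):
    """'Suspicious Logon Failure: no following successful login': src/dest pairs
    that failed on a day and never succeeded later that same day."""
    failed, recovered = set(), set()
    for e in events:
        key = (e["src"], e["dest"], e["ts"].date())
        if e["result"] == "fail":
            failed.add(key)
        elif key in failed:
            recovered.add(key)
    return failed - recovered

def concurrent_auth_multiple_countries(events, window=timedelta(minutes=10)):
    """'Concurrent Successful Authentications To Same Account From Multiple Countries':
    one dest/account succeeding from more than one country inside the window."""
    recent, alerts = defaultdict(list), set()
    for e in events:
        if e["result"] != "success":
            continue
        key = (e["dest"], e["user"])
        recent[key] = _recent(recent[key] + [(e["ts"], e["country"])], e["ts"], window)
        if len({c for _, c in recent[key]}) > 1:
            alerts.add(key)
    return alerts
```

Two points are easy to miss when copying these rules into a real SIEM. "Consecutive" failures means the streak must reset on a success for the same source, host and account; without the reset, a user who mistypes a password a few times a week accumulates toward the threshold and the rule fires on normal behaviour. The spraying rule is the one that catches what the per-account rule misses: each account sees only one failure, so only the distinct-account count per source/host reveals it. The multi-country rule uses whatever country the event already carries; the geo lookup that fills that field is outside this example, and the "administrative account accessed from several countries" exception in the rule text would be a per-account allowlist in front of the alert.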
Network Scanning Activity
Heavy TCP Host Scan: Detects excessive half-open TCP sessions from the same source to many distinct destinations in a short period of time. The threshold is 200 flows within 3 minutes. Scanning may be a precursor to exploits. However, network management and mapping tools often scan the network for discovery purposes, so authorized scanners need to be excluded from this rule. P2P clients also exhibit this behavior when they attempt to establish connections to (non-existent) peers.
Heavy TCP Host Scan On Fixed Port: Detects excessive half-open TCP sessions from the same source to many distinct destinations on the same destination port in a short period of time. The threshold is 200 flows within 3 minutes. A fixed destination port may indicate that the scanning host is attempting to find hosts listening on a well known port (with a vulnerability). Scanning may be a precursor to exploits. However, network management and mapping tools often scan the network for discovery purposes, so authorized scanners need to be excluded from this rule. P2P clients also exhibit this behavior when they attempt to establish connections to (non-existent) peers.
Heavy TCP Port Scan: Single Host: Detects a host performing a port scan – this involves excessive half-open TCP connections from the same source to many distinct ports on a host in a short period of time. The threshold is at least 20 distinct ports in a 2 minute window
Heavy TCP Port Scan: Multiple Hosts: Detects that a source is doing port scans on multiple hosts. The thresholds are port scans on at least 5 hosts in 15 minute window
Heavy UDP Host Scan: Detects an excessive number of UDP connections from the same source to many distinct destinations in a short period of time. The threshold is 200 flows within 3 minutes. Scanning may be a precursor to exploits. However, network management and mapping tools often scan the network for discovery purposes, so authorized scanners need to be excluded from this rule. P2P clients also exhibit this behavior when they attempt to establish connections to (non-existent) peers.
Heavy UDP Host Scan On Fixed Port: Detects an excessive number of UDP connections from the same source to many distinct destinations on the same destination port in a short period of time. The threshold is 200 flows within 3 minutes. A fixed destination port may indicate that the scanning host is attempting to find hosts listening on a well known port (with a vulnerability). Scanning may be a precursor to exploits. However, network management and mapping tools often scan the network for discovery purposes, so authorized scanners need to be excluded from this rule. P2P clients also exhibit this behavior when they attempt to establish connections to (non-existent) peers.
Heavy UDP Port Scan: Single Host: Detects excessive UDP connections from the same source to many distinct ports on the same destination in a short period of time
Heavy UDP Port Scan: Multiple Hosts: Detects that a source is doing UDP port scans on multiple hosts. The thresholds are port scans on at least 5 hosts in 15 minute window
Heavy ICMP Ping Sweep: Detects an excessive number of ICMP echo request packets from the same source to many distinct destinations in a short period of time. The Nachi worm used ping sweeps to find hosts to spread to. The threshold is 50 pings within 3 minutes. Scanning may be a precursor to exploits. However, network management and mapping tools often scan the network for discovery purposes, so authorized scanners need to be excluded from this rule.
Excessive ICMP Unreachables: Detects an unusually high frequency of ICMP destination unreachable packets between the same source and destination – this indicates a routing error
TCP DDOS Attack: Detects excessive number of half-open TCP connections from many distinct sources to the same destination host and on the same port in a short period of time. This may indicate that the destination server is under some sort of attack.
Excessive Denied Connections From Same Src: Detects excessive denies from the same source to many distinct destinations on the same port in a short period of time. The intent could be malicious or some sort of misconfiguration.
Excessive Denied Connections To Same Destination: Detects excessive denies from many distinct sources to the same destination on the same destination port
Multiple IPS Scans From Same Src: Detects multiple IPS scans from the same source IP in a short period of time.
Invalid TCP/UDP Port Traffic: Detects invalid TCP/UDP traffic with 0 port
Invalid TCP Flags – Medium Intensity: Detects a moderate amount (e.g. 100 or more flows in 5 minutes) of traffic with invalid TCP flag combinations (NULL, FIN, SYN-FIN, SYN-FIN-PUSH, SYN-FIN-RESET, SYN-FIN-RESET-PUSH, SYN-FIN-RESET-PUSH-ACK-URG) – may indicate scanning and probing activity from the sender
Invalid TCP Flags – High Intensity: Detects an excessive amount (e.g. 500 or more flows in 5 minutes) of traffic with invalid TCP flag combinations (FIN, SYN-FIN, SYN-FIN-PUSH, SYN-FIN-RESET, SYN-FIN-RESET-PUSH, SYN-FIN-RESET-PUSH-ACK-URG) – may indicate scanning and probing activity from the sender
Excessive ICMP Traffic From Same Source: Detects excessive (e.g. more than 5000 in 5 minutes) ICMP traffic from the same source
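As an added illustration (not part of this page and not the product's own rule engine), the following Python runs the host scan, fixed-port host scan, single-host port scan and invalid-TCP-flags rules over a constructed flow log, including the authorized-scanner exclusion the rule text calls for. The flow record layout, the representation of TCP flags as a string of letters, the modelling of a half-open session as a SYN-only flow, the scanner address and all sample traffic are assumptions made for the example; the thresholds and window sizes follow the rule text.

```python
# Added example (not the product's rule engine): scan and invalid-flag detectors over
# flow records, with the authorized-scanner exclusion the rules above call for.
# Record layout (ts_seconds, src, dst, dport, flags) and all sample traffic are constructed.
from collections import defaultdict

# Assumption: `flags` is the set of TCP flag letters seen on the flow (S, A, F, R, P, U).
# A half-open session is modelled as a flow that only ever carried a SYN.
INVALID_FLAG_COMBOS = {frozenset(c) for c in ("", "F", "SF", "SFP", "SFR", "SFRP", "SFRPAU")}
AUTHORIZED_SCANNERS = {"10.0.0.2"}  # constructed: the vulnerability scanner's address

def build_sample_flows():
    """Constructed flow log, not captured traffic."""
    flows = []
    # host scan on a fixed port: 250 SYN-only flows to distinct hosts, port 445, in 50 s
    for i in range(250):
        flows.append((1000 + i // 5, "10.0.0.99", f"10.1.0.{i + 1}", 445, "S"))
    # the authorized scanner does exactly the same and must not alert
    for i in range(250):
        flows.append((1000 + i // 5, "10.0.0.2", f"10.1.0.{i + 1}", 445, "S"))
    # port scan of one host: 25 distinct ports within 25 s
    for p in range(20, 45):
        flows.append((5100 + p - 20, "10.0.0.77", "10.0.1.5", p, "S"))
    # one completed session (SYN/PSH/ACK/FIN seen) and three probes with impossible flag sets
    flows += [(6000, "10.0.0.10", "10.0.1.5", 443, "SPAF"),
              (6002, "10.0.0.66", "10.0.1.5", 80, "SF"), (6003, "10.0.0.66", "10.0.1.5", 80, ""),
              (6004, "10.0.0.66", "10.0.1.5", 80, "F")]
    return flows

def is_invalid_flags(flags):
    """True for the flag combinations listed in the rule text; order of letters is irrelevant."""
    return frozenset(flags) in INVALID_FLAG_COMBOS

def _bucket(ts, window_s):
    """Fixed time bucket; a burst straddling a boundary is split across two buckets."""
    return ts // window_s

def heavy_tcp_host_scan(flows, threshold=200, window_s=180, fixed_port=False):
    """'Heavy TCP Host Scan' (or the 'On Fixed Port' variant): one source with half-open
    flows to >= threshold distinct destinations inside one window."""
    targets = defaultdict(set)
    for ts, src, dst, dport, flags in flows:
        if flags != "S" or src in AUTHORIZED_SCANNERS:
            continue
        key = (src, dport, _bucket(ts, window_s)) if fixed_port else (src, _bucket(ts, window_s))
        targets[key].add(dst)
    hits = {k for k, dsts in targets.items() if len(dsts) >= threshold}
    return {(src, dport) for src, dport, _ in hits} if fixed_port else {src for src, _ in hits}

def heavy_tcp_port_scan(flows, threshold=20, window_s=120):
    """'Heavy TCP Port Scan: Single Host': half-open flows from one source to >= threshold
    distinct ports on one destination inside one window."""
    ports = defaultdict(set)
    for ts, src, dst, dport, flags in flows:
        if flags != "S" or src in AUTHORIZED_SCANNERS:
            continue
        ports[(src, dst, _bucket(ts, window_s))].add(dport)
    return {(src, dst) for (src, dst, _), ps in ports.items() if len(ps) >= threshold}

def invalid_tcp_flags(flows, threshold=100, window_s=300):
    """'Invalid TCP Flags': sources sending >= threshold invalid-flag flows in one window
    (100 = medium intensity, 500 = high intensity in the rule text)."""
    counts = defaultdict(int)
    for ts, src, _dst, _dport, flags in flows:
        if is_invalid_flags(flags):
            counts[(src, _bucket(ts, window_s))] += 1
    return {src for (src, _), n in counts.items() if n >= threshold}

if __name__ == "__main__":
    flows = build_sample_flows()
    print("host scan      :", heavy_tcp_host_scan(flows))
    print("fixed-port scan:", heavy_tcp_host_scan(flows, fixed_port=True))
    print("port scan      :", heavy_tcp_port_scan(flows))
    print("invalid flags  :", invalid_tcp_flags(flows, threshold=3))
```

The example uses fixed time buckets for simplicity, which is the cheap way to count distinct destinations in a streaming SIEM, but a scan that straddles a bucket boundary can be split into two sub-threshold halves; a sliding window avoids that at the cost of keeping per-source state. The authorized-scanner check is deliberately applied inside the detector rather than by filtering the flow log first, so the scanner's traffic still reaches every other rule (a compromised scanner box is exactly the host you do not want to make invisible). Flag checks compare sets, so "FSRPAU" and "SFRPAU" are the same combination.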
Malware
Source: Antivirus, Security gateway, Host IPS, Network IPS, Firewall Log
Virus outbreak: Detects potential virus outbreak – same virus found on three distinct computers/IP addresses
Virus found but not remediated: Detects that host anti-virus or content inspection devices found a virus but could not remediate it
Spyware found but not remediated: Detects that host anti-virus or content inspection devices found spyware but could not remediate it
Spam/Malicious Mail Attachment found but not remediated:
Scanner found severe vulnerability:
Rootkit found:
Phishing attack found but not remediated:
Malware found but not remediated:
Denied Blacklisted Source:
Denied Blacklisted Destination:
Multiple Distinct IPS Events From Same Src:
Permitted Blacklisted Source:
Permitted Blacklisted Destination:
Source: External threat intelligence
Traffic to Zeus Blocked IP List:
Traffic to Emerging Threat Spamhaus List:
Traffic to Emerging Threat Shadow server List:
Traffic to Emerging Threat RBN List:
Traffic to Emerging Threat Dshield List:
Permitted traffic from Emerging Threat Spamhaus List:
Permitted Traffic from Zeus Blocked IP List:
Permitted Traffic from Emerging Threat Shadow server List:
Permitted Traffic from Emerging Threat RBN List:
Permitted Traffic from Emerging Threat Dshield List:
DNS Traffic to Malware Domains:
Adware process found:
Traffic to bogon networks:
Source: Network Traffic Analysis
Excessive End User Mail: Detects a scenario where a host, that is itself not an authorized mail gateway, is sending excessive emails (more than 20 emails in 2 minutes). This behavior may indicate malware running on an end host that is trying to send spam or privileged information to its own set of mail servers (which may be compromised).
Excessive Denied End User Mail To Unauthorized Mail Gateways: Detects a scenario where a host, that is itself not an authorized mail gateway, is unsuccessfully trying to send excessive emails to unauthorized mail gateways. Authorized mail gateways are represented by the “Mail Gateway” group. Such requests would typically be denied because either the firewall blocks SMTP from end hosts and/or mail gateways only receive mail from other authorized mail gateways. This behavior may indicate malware running on an end host that is trying to send spam or privileged information to its own set of mail servers (which may be compromised).
End User DNS Queries to Unauthorized DNS Servers: Detects a scenario where a host, that is itself not a DNS server, is sending DNS requests to unauthorized DNS servers. Authorized DNS servers are represented by the “DNS Server” group. In a typical scenario, end hosts always send DNS requests to authorized DNS servers, which in turn communicate with other DNS servers – so this behavior may indicate malware running on the end host.
Excessive End User DNS Queries: Detects a scenario where a host, that is itself not a DNS server, is sending excessive DNS requests. Authorized DNS servers are represented by the “DNS Server” group. In a typical scenario, the frequency of end host DNS requests is not high unless there is a script running – this might indicate the presence of malware on the end host.
Excessive Denied DNS Queries: Detects a scenario where a host has a very high frequency of denied DNS traffic.
Excessive Uncommon DNS Queries: Detects a host that is not a DNS server making an excessive number of uncommon DNS queries – this indicates the host is likely infected with malware. An end host typically needs to perform only A and PTR queries; a high volume of other query types indicates the likely presence of malware.
Excessive Repeated DNS Queries To Same Domain: Detects an unusually high frequency of DNS name resolution queries from the same host for the same domain name in a short period of time. This is not expected behavior since, in a typical scenario, the resolved name is cached at the end point. Repeated queries indicate that a special DNS client is likely running on the end host, making use of fast-flux techniques in which a crafted domain name resolves to a constantly changing set of infected hosts.
Excessive Malware Domain Name Queries: Detects bad domain name queries which indicate malware infected end hosts.
Suspicious Botnet like End host DNS Behavior: Detects an end host meeting at least 3 requirements for suspicious use of DNS requests – this indicates that a bot is likely running on the end host
Unusually Large ICMP Echo Packets: Detects large (> 200 bytes/pkt) ICMP echo request and response packets – this is unusual since ICMP packets carry minimal information and are small in size. This may indicate that some other traffic is being tunneled over ICMP.
Unusual ICMP Traffic:
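As an added illustration (not part of this page and not the product's own rule engine), the following Python evaluates four of the DNS rules above (queries to unauthorized DNS servers, excessive queries, uncommon query types, repeated queries for the same name) over one batch of end-host query logs, and then combines them the way the "Suspicious Botnet like End host DNS Behavior" rule does, firing when a host meets at least three. The "DNS Server" group membership, the per-rule thresholds, the log record layout and the sample queries are assumptions made for the example; the rule text gives no numeric thresholds for these rules, and the inclusion of AAAA among normal query types is an assumption beyond the A and PTR the rule text names.

```python
# Added example (not the product's rule engine): the DNS indicators above evaluated over
# one 5-minute batch of end-host query logs, then combined the way the botnet rule does.
# The "DNS Server" group, thresholds, record layout and sample queries are constructed.
from collections import Counter, defaultdict

DNS_SERVERS = {"10.2.0.53"}  # constructed stand-in for the "DNS Server" group
# The rule text treats only A and PTR as normal for an end host; AAAA is added here as an
# assumption so that dual-stack clients do not trip the rule on every lookup.
COMMON_QTYPES = {"A", "PTR", "AAAA"}
THRESHOLDS = {"excessive_queries": 50, "uncommon_qtype": 5, "repeated_same_domain": 20}

def build_sample_queries():
    """Constructed query log for one 5-minute batch: (src, server, qname, qtype)."""
    q = [("10.2.0.5", "8.8.8.8", "cdn-update.example", "A")] * 30            # same name, 30 times
    q += [("10.2.0.5", "8.8.8.8", f"x{i}.cdn-update.example", "TXT") for i in range(30)]
    q += [("10.2.0.6", "10.2.0.53", f"site{i}.example", "A") for i in range(5)]  # ordinary client
    q += [("10.2.0.7", "10.2.0.53", "mail.example", "MX")]                    # one odd query, no alert
    q += [("10.2.0.53", "198.51.100.53", "site1.example", "A")]                # resolver going upstream
    return q

def dns_indicators(queries):
    """Per end host (DNS servers excluded), the set of rules above that fire on this batch."""
    per_host = defaultdict(list)
    for src, server, qname, qtype in queries:
        if src not in DNS_SERVERS:
            per_host[src].append((server, qname, qtype))
    result = {}
    for host, qs in per_host.items():
        fired = set()
        if any(server not in DNS_SERVERS for server, _, _ in qs):
            fired.add("unauthorized_server")        # End User DNS Queries to Unauthorized DNS Servers
        if len(qs) >= THRESHOLDS["excessive_queries"]:
            fired.add("excessive_queries")          # Excessive End User DNS Queries
        if sum(t not in COMMON_QTYPES for _, _, t in qs) >= THRESHOLDS["uncommon_qtype"]:
            fired.add("uncommon_qtype")             # Excessive Uncommon DNS Queries
        if max(Counter(n for _, n, _ in qs).values()) >= THRESHOLDS["repeated_same_domain"]:
            fired.add("repeated_same_domain")       # Excessive Repeated DNS Queries To Same Domain
        result[host] = fired
    return result

def botnet_like_hosts(queries, min_indicators=3):
    """'Suspicious Botnet like End host DNS Behavior': hosts meeting at least 3 indicators."""
    return {h for h, fired in dns_indicators(queries).items() if len(fired) >= min_indicators}

if __name__ == "__main__":
    q = build_sample_queries()
    for host, fired in sorted(dns_indicators(q).items()):
        print(host, sorted(fired))
    print("botnet-like:", botnet_like_hosts(q))
```

The individual indicators are noisy on their own: a single MX or TXT lookup from a mail client, or one query to a public resolver from a laptop with a stale configuration, is ordinary. That is why the combining rule demands several of them at once, and in this batch only the host that talks to an outside resolver, sends a burst of TXT queries and keeps re-resolving the same name reaches the threshold. When adapting this, feed it the same window the SIEM uses for its counting rules, and keep the resolver group accurate, because a forgotten internal resolver would make every client it serves look like a bot.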
Explicit Security Exploits
SQL Injection Attack detected by NIPS:
High Severity Non-Cisco IPS Exploit:
High Severity Inbound Permitted IPS Exploit:
High Severity Inbound Denied Security Exploit:
High Risk Rating Cisco IPS Exploit:
Excessive WLAN Exploits: Same Source:
Excessive WLAN Exploits:
DoS Attack detected by NIPS:
Distributed DoS Attack detected by NIPS:
Layer 2 Switch Port Security Violation:
Policy Violations
Firewall Perimeter Policy
Outbound cleartext password usage detected:
Inbound cleartext password usage detected:
VNC from Internet:
Remote Desktop from Internet:
Large Outbound Transfer:
Large Outbound Transfer To Outside My Country:
Large Inbound Transfer From Outside My Country:
External website access policy
Inappropriate Website access: Multiple categories:
Inappropriate Website access: High volume:
Inappropriate Website access:
Internal website access policy
Executable file posting from external source:
Excessive HTTP Client Side Errors:
Excessive FTP Client Side Errors:
Change control policy
Windows Audit Log Cleared:
Windows Audit Disabled:
WLAN policy
Rogue or Unsecure AP Detected:
Excessive Rogue or Unsecure APs Detected:
Wireless Host Blacklisted:
VPN policy
Long lasting VPN session:
High throughput VPN session:
Suspicious Traffic
Tunneled traffic detected:
IRC traffic detected:
P2P traffic consuming high network bandwidth:
Access Control Reports
Network Device Access
Failed Router Admin Logons: Details about failed router administrative logons
Successful Router Admin Logons: Details about successful router administrative logons
Failed Firewall Admin Logons: Details about failed firewall administrative logons
Successful Firewall Admin Logons: Details about successful firewall administrative logons
Failed VPN Admin Logon: Provides event details for all failed VPN admin logons
Successful VPN Admin Logon: Provides event details for all successful VPN admin logons
Successful WLAN Admin Logon: Tracks successful admin logons to the WLAN Controller
Failed WLAN Admin Logon: Tracks failed admin logons to the WLAN Controller
Network Access
Top Users Ranked By Successful VPN Logon: Ranks the VPN Gateways and their users by the number of successful VPN logons.
Top VPN Gateways Ranked By Distinct Users: Ranks the VPN Gateways by the total number of distinct user logons
Top VPN Users Ranked By Failed VPN Logons: Ranks the VPN Gateways and their users by the number of failed VPN logons.
Wireless Logon Failure Details: Provides details of wireless logon authentication failures
Top Wireless Controllers, Users By Failed Logon Count: Ranks wireless controllers by the total number of failed logons
Top Windows Domain Controllers, Users By Successful Domain Authentication Count: Ranks the Windows Domain Controllers and their users by the number of successful domain authentications
Top Windows Domain Controllers, Users By Failed Domain Authentication Count: Ranks the Windows Domain Controllers and the users by the number of failed authentications
Windows Domain Account Lockouts: Details windows domain account lockouts
Remote Desktop Connections to Domain Controller: Details successful remote desktop connections
Privileged Domain Controller Logon Attempts using the Administrator Account: Ranks the Windows domain controllers and their users by the number of failed logons using the administrator account
Failed Authentication Server Logons: Captures failed AAA Server Logons
Successful Authentication Server Logons: Captures successful AAA Server Logons
Server Access
Top Unix Servers, Users By Successful Logon Count: This report ranks the UNIX servers and their users by successful logon count
Top Unix Servers, Users By Failed Logon Count: This report ranks the UNIX servers and their users by failed logon count
Top Unix Servers, Users By Successful Privilege Escalation Count: This report ranks the UNIX servers and their users by successful privilege escalations (su) count
Top Unix Servers, Users By Failed Privilege Escalation Count: This report ranks the UNIX servers and their users by failed privilege escalations (su) count
Top Windows Servers, Users By Successful Logon Count: Ranks the Windows Servers and their users by the number of successful logons
Top Windows Servers, Users By Failed Logon Count: Ranks the Windows Servers and the users by the number of failed authentications
Windows Server Account Lockouts: Details windows server lockouts
Windows Server Account Unlocks: Captures account unlocks on windows servers. Account unlocks happen after lockouts that may happen on repeated login failures
Remote Desktop Connections to Windows Servers: Details successful remote desktop connections
Privileged Server Logon Attempts using the Administrator Account: Ranks the windows servers and their users by the number of failed logons using the administrator account
Application Access
Top FTP Clients By Unauthorized Access Error Count: Ranks FTP servers and their clients by the total number of unauthorized access error count
Top Web Visitors By Unauthorized Access Error Count: Ranks web servers and visitors by the total number of unauthorized access error count
Top Users By Successful Database Server Logons: Ranks database users by the number of successful logons
Top Users By Failed Database Server Logons: Ranks database users by the number of failed logons
Malware Reports
Virus found and remediated: Captures events that indicate viruses found and remediated – the events could be from Host Anti-virus or Network Security Gateways
Virus found but not remediated: Captures events that indicate viruses found but not remediated – the events could be from Host Anti-virus or Network Security Gateways
Spyware found and remediated: Captures events that indicate spyware was found and remediated on a host – the events could be from Host Anti-virus or Network Security Gateways
Spyware found but not remediated: Captures events that indicate spyware was found but the detecting software failed to remediate it – the events could be from Host Anti-virus or Network Security Gateways
Spam/Malicious Mail Attachment found and remediated: Captures events that indicate spam or malicious mail attachments were found and remediated on a host – the events could be from Host Anti-virus or Network Security Gateways
Spam/Malicious Mail Attachment found but not remediated: Captures events that indicate spam or malicious mail attachments were found but the detecting software did not remediate them
Phishing attempt found and remediated: Captures events that indicate phishing attempts were found and remediated
Top IPs with Malware Found By Antivirus and Security Gateways: Tracks IP addresses with Malware as found by Host Anti-virus and Security Gateways
Top Computers with Malware Found By Antivirus and Security Gateways: Tracks computers with Malware as found by Host Anti-virus and Security Gateways
Top IPs with Malware Found By IPS and Firewalls: Tracks IP addresses with Malware as found by IPS – these are somewhat less reliable than Host Anti-virus and Security Gateways
Top IPs with Malware Found By Security Gateways: Tracks IP addresses with Malware as found by Security Gateways
Non-compliant Hosts and Security Software License Expirations: Tracks non-compliant hosts and license expiry events from Security Management Gateways and Firewalls. Non-compliant hosts may not have proper security software running and therefore may pose a security threat. License expiration of security software may expose exploitable security vulnerabilities.
Host Vulnerabilities discovered: Tracks vulnerabilities discovered on a host
Other Security Issues
Top Network IPS events By Severity, Count: Ranks the network IPS events by count
Top Network Scanners By Event Count: Ranks the source IP addresses by detected network scan or reconnaissance events
Top Blocked Network Attacks By Count: Ranks the network attacks blocked by network IPS
Rogue APs detected: Lists the rogue APs
Rogue AP Detection Details: Provides details of rogue AP events
Top WLAN IDS Alerts: Ranks WLAN IDS alerts
Multiple Distinct IPS Events From Same Src: Detects multiple IPS events from the same source IP in a short period of time – the source IP may have been infected
Multiple IPS Scans From Same Src: Detects multiple IPS scans from the same source IP in a short period of time.
High Risk Rating Cisco IPS Exploit: Detects a high risk rating IPS exploit event. This is applicable for Cisco IPS.
High Severity IPS Exploit: Detects a high severity IPS exploit detected by non-Cisco IPS
High Severity Security Exploit: Detects a high severity security exploit detected by non IPS devices
Network Traffic Analysis
Top Conversations By Bytes: Ranks the top conversations by total bytes. A conversation includes Source IP, Destination IP, Protocol and Destination Port.
Top Conversations By Bytes: Detailed View: Ranks the top conversations by total bytes and also provides sent bytes and received bytes as additional information. A conversation includes Source IP, Destination IP, Protocol and Destination Port.
Top Source IPs By Bytes: Ranks the top source IPs by bytes
Top Source IPs By Bytes: Detailed View: Ranks the top source IPs and destination ports by bytes
Top Destination IPs By Bytes: Ranks the top destination IPs by bytes
Top Destination IPs By Bytes: Detailed View: Ranks the top destination IPs and ports by bytes
Top Protocols By Bytes: Ranks the top protocols and destination ports by bytes
Top Protocols By Bytes: Detailed View: Ranks the top protocols and destination ports by bytes
Top Router Link Usage By Bytes: Ranks the top router link usage by bytes