Transcript of enVision_CRL_rules.pdf
RSA enVision Correlation Rules
Copyright © 2010 EMC Corporation. All Rights Reserved. July 30, 2010
Contact Information
Go to the RSA corporate web site for regional Customer Support telephone and fax numbers:
www.rsa.com
Trademarks
RSA, the RSA Logo and EMC are either registered trademarks or trademarks of EMC Corporation
in the United States and/or other countries. All other trademarks used herein are the property of their
respective owners. For a list of RSA trademarks, go to www.rsa.com/legal/trademarks_list.pdf.
License agreement
This software and the associated documentation are proprietary and confidential to EMC, are
furnished under license, and may be used and copied only in accordance with the terms of such
license and with the inclusion of the copyright notice below. This software and the documentation,
and any copies thereof, may not be provided or otherwise made available to any other person.
No title to or ownership of the software or documentation or any intellectual property rights thereto
is hereby transferred. Any unauthorized use or reproduction of this software and the documentation
may be subject to civil and/or criminal liability.
This software is subject to change without notice and should not be construed as a commitment by
EMC.
Note on encryption technologies
This product may contain encryption technology. Many countries prohibit or restrict the use, import,
or export of encryption technologies, and current use, import, and export regulations should be
followed when using, importing or exporting this product.
Distribution
Use, copying, and distribution of any EMC software described in this publication requires an
applicable software license.
EMC believes the information in this publication is accurate as of its publication date. The
information is subject to change without notice.
THE INFORMATION IN THIS PUBLICATION IS PROVIDED "AS IS." EMC CORPORATION
MAKES NO REPRESENTATIONS OR WARRANTIES OF ANY KIND WITH RESPECT TO
THE INFORMATION IN THIS PUBLICATION, AND SPECIFICALLY DISCLAIMS IMPLIED
WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Contents

About Correlation Rules
Mapping of NIC Rules to CRL Rules
Correlated Rules to Event Source Mapping
CRL-00002-01
CRL-00003-01
CRL-00003-01.02
CRL-00005-1.10
CRL-00007-1.10
CRL-00008
CRL-00010-1.00
CRL-00011-01
CRL-00011-1.00
CRL-00012
CRL-00013
CRL-00013-01
CRL-00013-02
CRL-00013-04
CRL-00013-05
CRL-00013-06
CRL-00014
CRL-00016
CRL-00023
CRL-00023-01
CRL-00023-02
CRL-00036
CRL-00037
CRL-00037-01
CRL-00040-1.0
CRL-00044
CRL-00101
CRL-00102
CRL-00103
CRL-00105
CRL-00106
CRL-00107
CRL-00108
CRL-00109
CRL-00110 Rule Set
CRL-00111
CRL-00112
CRL-00115
CRL-00116 Rule Set
CRL-00117
CRL-00118
CRL-00119
CRL-00120
CRL-00121
CRL-00122
CRL-00123
CRL-00124
CRL-00125-01
CRL-00125-02
CRL-00126
CRL-00127
CRL-00136
CRL-00137
CRL-00139
CRL-00140
CRL-00141
CRL-00143
CRL-00147
CRL-00148
CRL-00149
CRL-00151
CRL-00153
CRL-00154
CRL-00155
CRL-00156
CRL-00157
CRL-00158
CRL-00159
CRL-00160
CRL-00161
CRL-00162
CRL-00163
CRL-00190
CRL-00191
CRL-00192-01
CRL-00192-02
CRL-00193
CRL-00193-01
CRL-00193-02
CRL-00193-03
CRL-00193-01
CRL-194
CRL-00195
CRL-00196
CRL-00197
CRL-00198 Rule Pack
CRL-00199
CRL-00200
CRL-00201
About Correlation Rules

In enVision, each correlated alert is set up as a correlation rule. The rule identifies a set of events and defines a set of specific conditions to be met. When the defined conditions are met, enVision generates a correlated alert. Each correlated alert has its own message ID and message text, as defined in the correlation rule.

There are system-defined correlation rules. In addition, you can create your own correlation rules. A correlation rule is made up of correlation circuits. Correlation circuits are made up of correlation statements.

For a mapping of the NIC rules to their CRL counterparts, see Mapping of NIC Rules to CRL Rules.

Note: To use the correlation rules in the package, you must be running version 3.7.0 or higher.
Mapping of NIC Rules to CRL Rules

In an effort to improve the behavior of correlated alerts, RSA created a set of CRL rules meant to eventually replace the older NIC rules. The following table lists the mapping from the NIC rules to their CRL counterparts.

NIC Rule                       CRL Rule
NIC002                         CRL-00002-01
NIC003                         CRL-0003-1.02, CRL-00003-01
NIC005                         CRL-00005-1.10
NIC006                         CRL-00005-1.10
NIC007                         CRL-00007-1.10
NIC008                         CRL-00008
NIC009                         CRL-00005-1.10
NIC010                         CRL-00010-1.00
NIC011                         CRL-00011-1.00
NIC012                         CRL-00012
NIC016                         CRL-00016
NIC023                         CRL-00023, CRL-00023-01, CRL-00023-02
NIC027                         CRL-00013, CRL-00013-01, CRL-00013-02
NIC031                         CRL-00014, CRL-00103
NIC036                         CRL-00036
NIC037                         CRL-00037, CRL-00037-01
NIC040                         CRL-00040-1.0
NIC040_CPFW
NIC040_PIXFW
NIC044                         CRL-00044
NIC_SUSPICIOUS_WORM_ACTIVITY   CRL-00102
Correlated Rules to Event Source MappingThis table summarizes each correlated rule, lists the device class to which the rule belongs, and lists the
event sources that the rule supports.
CRL Summary Supported Event SourcesCRL-00002-01
Excessive InboundConnections Deniedby Firewalls
This rule detects excessive denied inboundconnections across a firewall. The rule canbe used to determine the host machines ofpotential intruders.
Firewall:Cisco PIX, CheckPoint
CRL-00003-01
Port Scan Detectedby a Device
This rule monitors a variety of classes forspecific port scan events that eventsources detect. Port scan events can bethe precursor to an actual attack as theyare commonly used to probe for open portson any IP address.
IDS:Entercept, Dragon IDS, NFR IDS,Snort, Symantec Network Security, ISSRealSecure, Cisco Secure IDS,IntruShieldIPS:Mazu ProfilerFirewall: Juniper Networks NetScreenFirewall, CyberGuard Classic, Sonicwall-FW, Symantec Enterprise Firewall, CiscoPIX Firewall, Cisco ASA
CRL-0003-1.02
Port Scan Detected
This rule inspects all traffic reported by fire-walls for a single source trying to createconnections on 20 ports within a given timeframe. The correlation can identify poten-tially malicious sources as a port scan istypically used before an attack.
All Firewall event sources
CRL-00005-1.10
Log Source NotRestarted AfterReboot/RestartCommand IssuedWithin 10Minutes
This rule detects if an event source on thenetwork does not restart after beingrebooted. This rule canminimize downtimeby quickly identifying event sources thatneed attention.
All Windows Host, Mainframe, Unix,Router, and Switch event sources
CRL-00007-1.10
Log SourceComponent UnderSustained HighTemperatureConditions over thePast 10Minutes
This rule detects that a log source or mon-itored event source experienced sustainedhigh temperature conditions against its inter-nal components. The rule inspects the tem-perature events generated by eventsources in the enterprise environment.
Router:Cisco Router, NortelSwitch: Foundry SwitchFirewall: IOS Firewall, Juniper NetworksNetScreen FirewallStorage:Network Appliance Data ONTAP
CRL-00008
Active SYNFloodAttack Detected byIDS-IPS or FirewallDevices
This rule filters the SYNFlood eventsdetected by security event sources in anenterprise environment.
IDS:Dragon IDS, ISS RealSecure, CiscoSecure IDS XML, Snort, LancopeStealthWatch, NFR NIDSFirewall:Secure Computing SidewinderG2, CyberGuard Classic, Juniper
Correlated Rules to Event Source Mapping 9
zzRSA enVision Correlation Rules
CRL Summary Supported Event Sources
Networks NetScreen Firewall, Sonicwall-FW
Networks NetScreen Firewall, Sonicwall-FW
Networks NetScreen Firewall, Sonicwall-FWRouter:Cisco Router/IOS Firewall
CRL-00010-1.00
Multiple LoginAttempts to aSecurity Device
This rule inspects all failed logon events toknown security event sources andmonitorsaccess attempts to the security eventsources that monitor the network.
All event sources
CRL-00011-01
Possible SuccessfulBrute Force AttackDetected
This rule detects a brute force passwordattack against an event source. The rulecorrelates a number of failed logons with asuccessful logon to a specific account.
All NIC System, Windows Hosts, AccessControl, Firewall, IDS, IPS, and VPN eventsources
CRL-00011-1.00
Several Failed LoginsFollowed by aSuccessful Login
This rule examines the failed and suc-cessful logon attempts detected by firewall-class event sources for indications of pass-word-based attacks.
All Firewall event sources
CRL-00012
Attacks ExploitingMicrosoft DirectoryService VulnerabilityDetected by IPS-IDSDevices
This rule filters events from IDS and IPSevent sources and detects an attack thatexploits theMicrosoft Directory Serviceproduct.
All IPS and IDS event sources
CRL-00013
Unusual Number ofFailed User LoginAttempts via RemoteConnections to theSame EventDestination
This rule detects any failed logon event anddetermines if the logon attempt was from aremote location. This correlation could indi-cate a brute force attack on an internalasset from a remote location.
All NIC:All discovered event sources inthe current environment, with a specialemphasis onWindows events
CRL-00013-01
Numerous FailedUser Login AttemptsLocally to the SameEvent Source
This rule detects any failed logon event thatoccurs on a local machine and checks thefrequency of such events against the nor-mal baseline for the entire network. This cor-relation could indicate a brute force attackon an internal asset.
All NIC:All discovered event sources inthe current environment, with a specialemphasis onWindows events
CRL-00013-02
Numerous FailedService AccountLogin Attempts to theSame Event Source
This rule detects any type of failed logonevent that occurs on a local machine andchecks the frequency of such eventsagainst the normal baseline of the entire net-work. This correlation could indicate that a
All NIC:All discovered event sources inthe current environment, with a specialemphasis onWindows events
10 Correlated Rules to Event Source Mapping
RSA enVision Correlation Rules
CRL Summary Supported Event Sourcesservice is incorrectly configured.
CRL-00013-04
Increase in FailedRemote LoginAttempts Detected
This rule detects numerous failed logonsusing remote protocols such as SSH/SCP,HTTP, Telnet, or Remote Desktop.
Hosts:Windows Events (BL, ER, NIC,Snare)All Unix, Firewall, IDS, IPS, VPN, Switch,Router, and Storage event sources
CRL-00013-05
Increase in FailedInteractive UserLogins Detected
This rule detects numerous interactivefailed logons to an event source.
Hosts:Windows Events (BL, ER, NIC,Snare)All Unix, Firewall, IDS, IPS, VPN, Switch,Router, Storage, Database, Access Con-trol, Wireless Devices, System, Con-figurationManagement, Web Logs, MailServers, Mainframe, and ApplicationServers event sourcesMidrange: IBM iSeries AS/400
CRL-00013-06
Increase in FailedService AccountLogins Detected
This rule detects numerous failed logons toan event source.
Hosts:Windows Events (BL, ER, NIC,Snare)All Unix, Firewall, IDS, IPS, VPN, Switch,Router, Storage, Database, Access Con-trol, Wireless Devices, System, Con-figurationManagement, Web Logs, MailServers, Mainframe, and ApplicationServers event sourcesMidrange: IBM iSeries AS/400
CRL-00014
Low-Privileged orGuest AccountAdded toAdministrative Group
This rule inspects events from any eventsource for users being added to a group.The user name and group name are thenchecked against two watchlists to deter-mine whether the user is an administratorand whether the group has administrativeprivileges. The addition of a user who is notan administrator to a group with admin-istrative privileges may indicatemaliciousprivilege escalation activity.
All NIC:All discovered event sources inthe current environment
CRL-00016
Attacks ExploitingHTTP Cold FusionVulnerabilitiesDetected by IDS orIPS Devices
This rule monitors events from specific IDSor IPS event sources and detects a burst ofattacks that exploit the vulnerabilities inHTTP Cold Fusion products.
IDS:Dragon IDS, ISS RealSecure,Entercept, Snort, IntruShield, Cisco SecureIDS XML, Cisco Secure IDS
CRL-00023
Event Source NoLonger SendingEvents
This rule detects when an event sourcestops sending logmessages, indicatingincorrectly configured hardware or soft-ware, or a hardware or software failure.
Hosts:Windows Events (ER, NIC, Snare)Unix: IBM AIX, Hewlett-Packard UNIX,AppleMac OS X, Nokia IPSO, Linux,
Correlated Rules to Event Source Mapping 11
zzRSA enVision Correlation Rules
CRL Summary Supported Event Sources
Solaris, Solaris BSMSolaris, SolarisBSMSolaris, Solaris BSMFirewall:Cisco ASA, Cisco PIX, Cyber-Guard Classic Firewall, CyberGuard Fire-wall, Fortinet FortiGate Antivirus Firewall,Secure Computing Sidewinder G2 Secu-rity Appliance, SonicWALL Firewall,Symantec Enterprise, Check Point Secu-rity Suite NG/NGXIDS:Cisco Security Agent, McAfee Intru-Shield, NFR NIDS, SNORT, LancopeStealthWatch, Symantec Intruder Alert,Symantec Network Security, TippingPointSecurity Management System (SMS),McAfee Host Intrusion Prevention, CiscoSecure Intrusion Detection/PreventionSystem, Enterasys Dragon, IBM ISSSiteProtectorIPS:Arbor Networks Peakflow SP5, MazuNetworks Profiler, Top Layer Attack Mit-igator IPSVPN:Cisco VPN 3000 Concentrator, F5Firepass SSL VPN, Intel NetStructureVPN, Nortel Networks Contivity VPNSwitch, SonicWall E-Class SRA AventailSSL VPNSwitch: F5 BigIP, Cisco Content ServicesSwitch, Cisco Switch, ExtremeNetworksExtremeWare Switch, Foundry NetworksSwitch, Hewlett-Packard ProCurveSwitchRouter:Nortel Passport 8600 RoutingSwitch, Cisco RouterStorage:EMC Celerra, Network Appli-ance Data ONTAP, EMC Symmetrix Solu-tions EnablerDatabase: IBM DB2Universal Database,Microsoft SQL Server, Oracle Database,Sybase Adaptive Server Enterprise
CRL-00023
Event Source NoLonger SendingEvents
This rule detects when an event sourcestops sending logmessages, indicatingincorrectly configured hardware or soft-ware, or a hardware or software failure.
Access Control:Novell eDirectory, Net-ContinuumWeb Application Firewall, TopLayer Secure Edge Controller, Activ-Identity 4TRESS AAA Server, CiscoSecure Access Control Server, Microsoft
12 Correlated Rules to Event Source Mapping
RSA enVision Correlation Rules
CRL Summary Supported Event SourcesInternet Authentication Service, RSA Access Manager, RSA AuthenticationManager and User Credential ManagerInter-net Authentication Service, RSA AccessManager, RSA AuthenticationManagerand User Credential ManagerInternetAuthentication Service, RSA Access Man-ager, RSA AuthenticationManager andUser Credential ManagerWireless Devices:Motorola AirDefenseEnterprise Console, AirMagnet Enterprise,Aruba Networks Mobility ControllerConfiguration Management:Solsoft NP,Microsoft System Center Operations Man-ager 2007, Tripwire EnterpriseWeb Logs:WebsenseWeb SecuritySuite, Apache HTTP Server, Blue CoatSystem CacheOS, Cisco Content Engine,IBM Websphere Application Server, Micro-soft Internet Information Services, Micro-soft Internet Security and Acceleration Server, Network Appliance NetCacheMail Servers: Lotus Domino, MicrosoftExchange ServerMainframe: IBM OS390/ZOS (MainframeSMA_RT), IBM MainframeRACF, IBMMainframe Top Secret, CA ACF2Midrange: IBM iSeries AS/400Application Servers:Microsoft DynamicHost Configuration Protocol ServerNetwork:Avocent IP KVM, Cisco SecurityManagerAnti virus:CipherTrust IronMail, Syman-tec Endpoint Protection, TrendMicro Offi-ceScan and Control Manager, McAfeeePolicy Orchestrator, McAfee VirusScanEnterprise
CRL-00023-01
Event SourceInactive for the Past4 Hours
This rule detects if any event source hasstopped sending event data in the past fourhours.
All NIC:All discovered event sources inthe current environment
CRL-00023-02
Event Source
This rule detects if any event source hasstopped sending event data in the pasttwenty-four hours.
All NIC:All discovered event sources inthe current environment
Correlated Rules to Event Source Mapping 13
zzRSA enVision Correlation Rules
CRL Summary Supported Event SourcesInactive for the Past24 HoursCRL-00036
High Number of DoSAttack Alerts
This rule examines denial of service (DoS)attack alerts to determine if an activeattack on the network is occurring. The ruleinspects the events detected by the IDS,IPS, and Firewall device classes in anenterprise environment.
All IDS, IPS, and Firewall event sources
CRL-00037
Backdoor-typeActivity OriginatingFrom ExternalNetworks Detected
This rule examines attack alerts for back-door activities in the network by an attackerin the external network. The rule inspectsthe events detected by the IDS, IPS, andFirewall device classes in an enterpriseenvironment.
All IDS, IPS, and Firewall event sources
CRL-00037-01
Backdoor-typeActivity ObservedWithin InternalNetworks
This rule examines attack alerts for back-door activities in the network by an attackerin the internal network. The rule inspectsthe events detected by the IDS, IPS, andFirewall device classes in an enterpriseenvironment.
All IDS, IPS, and Firewall event sources
CRL-00040-1.0
Increase in Inter-Zone RemoteManagementConnections
This rule detects a significant increase inthe number of remotemanagement con-nections. This activity may indicate amali-cious user probing different ports to mapthe network.
All Firewall event sources
CRL-00044
Excessive InboundConnections Deniedfrom a Single IPAddress
This rule inspects the firewall for deniedconnections that have been labeled as aninbound connection across a firewall orrouter. The rule helps find potential hostilehosts and users trying to access resourceson the other side of a firewall or router.
All Firewall and Router event sources
CRL-00101
Large Number ofAttack Events fromInternal IPAddresses Detectedby IDS Devices
This rule detects attacks occurring from aninternal IP address and terminating at aninternal IP address. This activity could indi-cate that an internal attack is occurring oran internal address is being spoofed.
All IDS event sources
CRL-00102
Worm ActivityOriginating on theInternal Network
This rule detects worm activity occurring onthe internal network of an enterprise.
All IDS, IPS, and Firewall event sources
CRL-00103
Elevation of UserPrivileges Detectedon a Log Source
This rule detects events that involve theaddition of users to groups. The user nameand group name are checked against twowatchlists containing the known admin-
All NIC:All discovered event sources inthe current environment
14 Correlated Rules to Event Source Mapping
RSA enVision Correlation Rules
CRL Summary Supported Event Sourcesistrators and the groups with administrativeprivileges assigned to them. The addition ofa user who is not an administrator to agroup with administrative privileges mayindicatemalicious intent.
CRL-00105
Successful BackdoorAttack
This rule detects successful backdoorattacks. A successful attack is indicatedby a backdoor attack intercepted by secu-rity event sources, followed by a con-nection between the attacker and thedestination of the attack.
All IDS, IPS, and Firewall event sources
CRL-00106
Successful Denial ofService Attack
This rule detects successful denial of serv-ice (DoS) attacks. A successful attack isindicated by a DoS attack intercepted bysecurity event sources, followed by a sys-tem failure event from the destination of theattack.
All NIC:All discovered event sources inthe current environment
CRL-00107
Possible Tamperingof System Audit /Logs Detected
This rule detects if a log system has beenenabled or disabled, or has encounteredsome type of error. The rule also detects iflogs have been deleted on some systems.
Windows:Windows Events (BL, ER,NIC, Snare)IDS: ISS RealSecureWeb Logs:Cisco Content EngineRouter:Cisco Router/IOS Firewall,Juniper JUNOS RouterSwitch:Cisco SwitchFirewall: Juniper Networks NetScreenFirewallUnix:Solaris, IBM AIXVPN: Juniper SSL VPN
CRL-00108
Possible ARPPoisoning ActivityDetected
This rule detects if ARP poisoning is occur-ring on the network. ARP poisoning canlead to denial of service and can com-promise information.
IDS: Intrushield, Symantec NetworkSecurity, Cisco Secure IDS, CiscoSecure IDS XMLSwitch:ExtremeWare, Cisco ContentSwitch, Cisco SwitchFirewall: Juniper Networks NetScreenFirewall, Cisco ASA, Cisco PIX Firewall,SonicWALL-FW, Symantec EnterpriseFirewallConfiguration Management:Netscreen-Security ManagerUnix:Nokia IPSO, AppleMac OS XVPN:Nortel VPN ContivityRouter:Cisco Router/IOS Firewall
Correlated Rules to Event Source Mapping 15
zzRSA enVision Correlation Rules
CRL Summary Supported Event SourcesCRL-00109
Windows ServiceState Change
This rule detects if aWindows service hasbeen stopped, started, or restarted. Therule also detects if the startup behavior of aservice has beenmodified.
Windows Hosts:Windows Events (BL,ER, NIC, Snare)
CRL-00110
Detection of Clear-Text ConfidentialInformation usingRSA enVisionCorrelation
This correlation rule set assists in theidentification of patterns of information inclear text within the payload of events thatmay be confidential.
The rule set is a collection of the rules CRL-00110-DB, CRL-00110-Hosts, CRL-00110-File Integrity, CRL-00110-Email, CRL-00110-Web, and CRL-00110-IDS.
All Windows Hosts, Unix, Database, Con-figurationManagement, Mail Servers, WebLogs, IDS, and IPS event sources
CRL-00111
Possible SpoofingActivity Detected
This rule detects possible network spoofingactivity by inspecting the events reportedby event sources that are associated withspoofing.
All Switch, Router, Firewall, WindowsHosts, Wireless Devices, and Unix eventsources
CRL-00112
Removable StorageRemoved from aWindows EventSource
This rule monitors Windows events involv-ing USB storage.
Windows Hosts:All Windows Hostsevent sources
CRL-00115
Attacks ExploitingVulnerabilities inSANS TOP-20 2007Observed
This rule monitors events from IDS and IPSevent sources to detect attacks that exploitthe vulnerabilities in the SANS TOP-202007 list.
IDS:Dragon IDS, ISS RealSecure,Tipping Point, Snort, Cisco Secure IDSXMLIPS:NetScreen IDP
CRL-00116
BotNet DetectionRule Pack
This rule set detects machines that may bepart of a BotNet inside your network.
All NIC:All discovered event sources inthe current environment
CRL-00117
Log CollectionStopped due to FilledDisk Capacity
This rule monitors an RSA enVision sys-tem to detect if log collection has stoppeddue to filled disk capacity. This ruleinspects specific messages that theenVision system generates regarding logcollection and disk capacity.
All NIC:All discovered event sources inthe current environment
CRL-00118
Disk Array CapacityApproachingThreshold
This rule examines several specific mes-sage IDs to determine if an event source orsystem is approachingmaximum diskcapacity.
System:All NIC system event sourcesWindows Hosts:Windows Events (BL,ER, NIC, Snare)Database:Microsoft SQL ServerUnix:Nokia IPSOFirewall: Fortinet Antivirus Firewall,CyberGuard ClassicMail Servers:Microsoft Exchange
16 Correlated Rules to Event Source Mapping
RSA enVision Correlation Rules
CRL Summary Supported Event SourcesWeb Logs:Cisco Content EngineAnti virus:McAfee ePolicy Orchestrator,CipherTrust IronMail, McAfee Virus ScanStorage:Network Appliance DataONTAPVPN:Nortel VPN ContivityRouter:Cisco Router/IOS Firewall
CRL-00119
Password Change ona Known PrivilegedUser AccountDetected
This rule detects password changes toknown privileged user accounts. Unauthor-ized password changes to these accountscan have a significant impact on networkfunctionality and data integrity or con-fidentiality.
Windows Hosts:Windows Events (BL,ER, NIC, Snare)Unix: IBM AIX, HPUX/FreeBSD, LinuxVPN:Aventail SSL VPN, Cisco VPN3000, Juniper SSL VPN, Nortel VPN Con-tivityAll NIC:NIC SystemDatabase:Sybase ASE, Microsoft SQLServer, OracleConfiguration Management: TripwireEnterpriseFirewall: Juniper Networks NetScreenFirewall
CRL-00120
Revocation of UserPrivileges Detected
This rule inspects events from a selectionof common event sources used within a net-work for revocation of user permissions.The rule detects removal of users from usergroups or changes to the user level of userswithin the system.
Windows Hosts:All Windows Hostsevent sourcesUnix:All Unix event sourcesFirewall:All Firewall event sourcesIDS: ISS RealSecureConfiguration Management:Solsoft NP
CRL-00121
Unusual Number ofFailed Vendor UserLogin Attempts
This rule detects an increase in failed logonattempts using a vendor default account.Such attempts could indicate a brute forceattempt to break into event sources frommalicious locations. This alert is importantfor PCI-compliant organizations.
Hosts:Windows Events (BL, ER, NIC,Snare)All Unix, Firewall, IDS, IPS, VPN, Switch,Router, Storage, Database, Access Con-trol, Wireless Devices, System, Con-figurationManagement, Web Logs, MailServers, Mainframe, and ApplicationServers event sourcesMidrange: IBM iSeries AS/400
CRL-00122
Active DirectorySchemaChangeDetected
This rule detects a change in the schema ofaMicrosoft Active Directory installation. Anunauthorized change in the schema couldindicate activity such as addition or deletionof users or modification of permissions.Such changes could indicate denial of serv-ice or unauthorized access to data.
Windows Hosts:Windows Events (BL,ER, NIC, Snare)
Correlated Rules to Event Source Mapping 17
zzRSA enVision Correlation Rules
CRL Summary Supported Event SourcesCRL-00123
Possible Non-PCICompliant InboundNetwork TrafficDetected
This rule monitors inbound connections intosecure event sources over non-compliantports as specified by PCI compliance prac-tices.
All Router and Firewall event sources
CRL-00124
Failed LoginsExceeded 6 LoginAttempts Without aLockout Event
This rule detects failed logons. To be PCI-compliant, user accounts should be lockedout after six failed logon attempts, depend-ing on the capability of themonitored eventsource to lock out user accounts.
IDS: Intrushield, Symantec NetworkSecurity, Cisco Secure IDS, CiscoSecure IDS XMLSwitch:Extremeware, Cisco ContentSwitch, Cisco SwitchFirewall: Juniper Networks NetScreenFirewall, Cisco ASA, Cisco PIX Firewall,Sonicwall-FW, Symantec Enterprise Fire-wallConfiguration Management:Netscreen-Security ManagerUnix:Nokia IPSO, AppleMac OS XVPN:Nortel VPN ContivityRouter:Cisco Router/IOS Firewall
CRL-00125-01
ConfigurationChange on SecurityDevice Intercepted
This rule detects a change in a core secu-rity event source, such as an IDS, IPS, Fire-wall, or VPN event source. If unexpected,such changes can lead to reduced security,denial of service, or leaking of confidentialinformation.
All IDS, IPS, Firewall, and VPN eventsources
CRL-00125-02
ConfigurationChange on NetworkDevice Intercepted
This rule detects a change in a core net-work event source, such as a router or aswitch. If unexpected, such changes canlead to denial of service or leaking of con-fidential information.
All Router and Switch event sources
CRL-00126
ConfigurationChangemade on PCIDatabase System
This rule detects a configuration change ina PCI-compliant database system. Con-figuration changes include data changesand permission changes. If unauthorized,these changes can result in a compromiseddata integrity or data theft.
All Database event sources
CRL-00127
New User AccountCreated but InitialPassword NotChanged
This rule detects if the password of a newlycreated account is not changed aftertwenty-four hours. The longer theseaccount passwords remain unchanged, thegreater the chance of compromise, such asunauthorized access.
All Windows Hosts and Unix/Linux eventsources
18 Correlated Rules to Event Source Mapping
RSA enVision Correlation Rules
CRL Summary Supported Event SourcesCRL-00136
Possible SystemInstability StateDetected
This rule detects if a system has becomeunstable.
The rule inspects for conditions including:
l Multiple restart, reboots, orshutdowns in a given time frame
l Creation of memory dump files onWindows and Linux systems
l Startup events not preceded by ashutdown or restart command
All Windows Hosts, Router, Switch, VPN,Unix, and NIC event sourcesConfiguration Management: TripwireEnterprise
CRL-00137
Unusual File AccessActivity surroundingImportant EventSource Files
This rule detects any unusual access offiles or directories that are defined in a wat-chlist of files or directories that should notbe accessed or should be accessed only byprivileged users. Access includes trav-ersing, opening, creating, modifying, anddeleting files or directories.
All Windows Hosts event sources,Tripwire EnterpriseAll ConfigurationManagement eventsources
CRL-00139
Compliance:Successful LoginAttempt(s) Using aVendor DefaultAccount Detected
This rule detects successful logonattempts using a vendor default account.This alert is important for PCI-compliantorganizations. Successful logons from avendor account can indicate a securitybreach in the account.
All Windows Hosts, Unix, Firewall, IDS,IPS, VPN, Switch, Router, Storage,Database, Access Control, WirelessDevices, System, ConfigurationManagement, Mail Servers, Mainframe,and Application Servers event sourcesMidrange: IBM iSeries AS/400
CRL-00140
Increase in P2PTraffic Detected inthe EnvironmentWithin the Past 5Minutes
This rule detects an increase in peer-to-peer (P2P) traffic in the environment for thepast fiveminutes. P2P traffic can slowdown the network and allow users to down-load potentially harmful files without theadministrator's knowledge. This rule canalso be used to discover faults in or back-doors to the network configurations.
All Router, Firewall, IDS, and IPS eventsources
CRL-00141
P2P Software Running as Active Process on Event Source
This rule detects active P2P processes running on event sources inside an organization. P2P traffic can slow down the network and allow users to download potentially harmful files without the administrator's knowledge. This rule can be used to discover breaches of security policies in an environment.
Windows Hosts: Windows Events (BL, ER, NIC, Snare)
CRL-00143
Increase in File Transfer Activity Using Instant Messaging Detected
This rule detects an increase in file transfer activity using Instant Messaging (IM) over the past five minutes. The rule can be used to discover faults in or backdoors to the network configuration, as well as breaches of policy related to file transfer within the network.
All Router, Firewall, IDS, and IPS event sources
CRL-00147
Active Directory Policy Modified
This rule detects the modification of an Active Directory policy object. Such a modification can indicate a privilege escalation or loss of access and can result in unauthorized access or more serious compromises.
Windows Hosts: Windows Events (BL, ER, NIC, Snare)
CRL-00148
Errors in Active Pulling of Events Detected
This rule detects that the Windows Agentless, ODBC, File Reader, or XML service has encountered errors while attempting to gather events from an event source in an enterprise environment. These types of errors may indicate system problems or failures of the event source.
System: All NIC system event sources
CRL-00149
Errors Detected in SFTP Collection
This rule determines if the NIC SFTP Service has encountered errors gathering events from various event sources. An error in extracting events may indicate a system or network failure arising from any cause, from misconfiguration to network attack.
System: Tripwire Enterprise, RSA Security SecurID, Microsoft SQL Server, Microsoft ISA Server, Microsoft IIS, Microsoft Exchange Server, Juniper Steel-Belted Radius, Cisco Access Control Server
CRL-00151
Possible enVision Service Hang Detected
This rule detects if an enVision service has hung or crashed unexpectedly. Such an event may indicate a successful denial of service attack against an enVision resource.
System: NIC Alerter, NIC Collector, NIC Locator, NIC Logger, NIC File Reader, NIC Packager, NIC SDEE Collection, NIC Server, NIC Web Server, NIC Windows Service, NIC DB Report Server
CRL-00153
Critical Alerting Error Detected
This rule detects if a critical alerting error occurred on enVision, which may indicate errors such as database connection errors.
Network System or NIC System: All System Alerts
CRL-00154
Critical Web Service Error Detected
This rule detects if a critical web service error has occurred on enVision.
Network System or NIC System: All System Alerts
CRL-00155
EPS Warning - EPS Approaching License Limits
This rule detects increases in the number of incoming events to the RSA enVision platform that approach the EPS license limit. An increase may result from a newly added event source or a defective event source. An increase may also indicate that an attacker is trying to hide malicious activity inside an event flood.
Network System or NIC System: All System Alerts
CRL-00156
EPS Critical Error, Event Drop has been Detected
This rule detects that the number of incoming events to RSA enVision has increased to the extent that enVision is dropping events rather than collecting them. An increase may result from a newly added event source or a defective event source. An increase may also indicate that an attacker is trying to hide malicious activity inside an event flood.
Network System or NIC System: All System Alerts
CRL-00157
enVision Content Update Failure Detected
This rule detects if any error has occurred during the enVision content update process. Failure of an update can lower the accuracy of the messages generated by the system.
Network System or NIC System: All System Alerts
CRL-00158
Errors Detected in enVision DB System
This rule detects errors that impact the enVision DB system. The rule detects errors from the LSIndex, DBConfig, Packager, and ODBC components. These errors indicate that enVision is not fully functional and, as a result, malicious events may go undetected.
Network System or NIC System: All System Alerts
CRL-00159
Critical Error Detected in the NIC Packager Service
This rule detects a critical error condition within the Packager component.
All NIC: All discovered event sources in the current environment
CRL-00160
Possible Network Performance Degradation Detected
This rule detects excessive network-related errors reported by Network and Security event sources, such as switches, routers, and firewalls, which can have a significant impact upon network performance.
All Switch, Router, and Firewall event sources
CRL-00161
Possible Corruption of Event Data Stored within the IPDB
This rule detects a number of possible IPDB corruption events as reported by the RSA enVision system. These events could indicate data tampering or hardware issues on the appliance itself.
Network System: All System Alerts
CRL-00162
Account Privilege Elevation Followed by Restoration of Previous Account State within a 26 Hour Period
This rule detects if a user has been added to and then removed from the same group within twenty-six hours. This activity could indicate that an account is being used for malicious activity against a network by elevating a user's privileges temporarily to perform the malicious activities.
Hosts: Windows Events (BL, ER, NIC, Snare); Firewall: Cisco PIX Firewall, Cisco ASA
CRL-00163
RSA enVision Disk Warning
This rule detects conditions where the available log storage for RSA enVision reaches critical levels that threaten to shut down log collection or have already shut down log collection.
NIC System: All System Alerts
CRL-00190
Potential Phishing Attack
This rule detects and alerts users of suspicious activity that strongly suggests that a fraudulent site is active.
Web Logs: Apache HTTP Server, Microsoft Internet Information Services, Blue Coat Systems Security Gateway OS
CRL-00191
Potential Phishing Attack
This rule detects suspicious activities that could indicate that an active phishing site exists.
Web Logs: Apache HTTP Server, Microsoft Internet Information Services, Blue Coat Systems Security Gateway OS
CRL-00192-01
Policy Access Violation
This rule detects improper use of IT systems by detecting logon activities associated with either sharing credentials or failing to properly log off of systems.
Windows event logs: Aventail SSL VPN, Cisco VPN 3000, Citrix Access Gateway, F5 Firepass, Intel VPN, Juniper SSL VPN, Nortel VPN Contivity
CRL-00192-02
Policy Access Violation
This rule detects improper use of IT systems by detecting logon activities associated with either sharing credentials or failing to properly log off of systems.
Windows event logs: Aventail SSL VPN, Cisco VPN 3000, Citrix Access Gateway, F5 Firepass, Intel VPN, Juniper SSL VPN, Nortel VPN Contivity
CRL-00193
Malware Drive-By Download
This rule sends an alert when malware is downloaded and installed in your environment. This rule set is made up of the following rules:
- CRL-00193-01
- CRL-00193-02
- CRL-00193-03
Web Logs: CRL-00193-01: Blue Coat Systems Security Gateway OS; CRL-00193-02: Tripwire Enterprise; CRL-00193-03: Blue Coat Systems Security Gateway OS
CRL-00194
Instant Messaging Keyword Filtering Rule
This rule filters keywords from instant messaging sessions logged by a Blue Coat Proxy Security Gateway appliance. The rule detects anomalies or breaches of internal trade-restrictive policies using internal instant messaging session logs.
Web Logs: Blue Coat Systems ProxySG SGOS
CRL-00195
Search Engine Optimization Poisoning
This rule detects malware downloads through search engine optimization (SEO) poisoning.
Web Logs: Blue Coat Systems ProxySG SGOS
CRL-00196
Redirection to Malicious Web Sites Through a Short URL
This rule detects drive-by download attacks in which a user is redirected to a malicious web site through a short URL.
Web Logs: Blue Coat Systems ProxySG SGOS
CRL-00197
Post Form Redirection Malware
This rule detects data that is compromised through Post Form redirection malware attacks.
Web Logs: Blue Coat Systems ProxySG SGOS
CRL-00198
Backscatter
This rule detects an increase above the average number of Non Delivery Reports sent by a mail server.
Mail Server: Microsoft Exchange Server
CRL-00199
FairWarning Snooping
This rule detects if any violators caught snooping by FairWarning Privacy Monitoring are also detected by RSA Data Loss Prevention Suite (DLP) to be involved in data leakage.
Analysis: FairWarning Privacy Monitoring; DLP: RSA DLP
CRL-00200
FairWarning Failed Logins
This rule detects the misuse of employee accounts by identifying anomalous logon activity.
Analysis: FairWarning Privacy Monitoring; All Access Control, Analysis, DLP, VPN, Unix, Virtualization, and Database event sources
CRL-00201
DNS Fast Flux Detection Kit
This rule detects and alerts on possible DNS fast-flux domains.
Web Logs: Blue Coat Systems ProxySG SGOS
CRL-00002-01

Overview

Name: Excessive Inbound Connections Denied by Firewalls

Purpose: Correlation rule CRL-00002-01 is triggered by excessive denied inbound connections across a firewall. This rule finds host machines of potential intruders and also detects if a particular user is trying, and subsequently failing, to access a resource inside a firewall.

This rule revises the default correlation rule NIC002, which is included with RSA enVision. The revised rule uses the device class associated with firewalls and the event classes associated with denied connections. This ensures that any new firewalls added later are supported by this correlation rule without further updates.

Audience: This rule is intended for organizations that are concerned with monitoring heavy inbound network traffic.

Reference Material:
- Existing correlation rule NIC002
- The RSA event listings for supported firewall event sources

Requirements

Device Class or Systems: Correlation rule CRL-00002-01 is generic and not dependent on any specific event source or event. This rule revises the existing correlation rule NIC002, which only triggers on certain denied connections from Cisco PIX or Check Point firewalls.

Technical Analysis

Rule Logic: Unlike the existing rule, the revised rule monitors all event sources under the Firewall device class, the directionality of the traffic in reference to the firewall in question, and any event that denies a connection. The Security.Firewall device class, and any events with an event category starting with Network.Denied Connections and an in-out value of one (to signify inbound connections), are used for this rule. This ensures that the rule is compatible with any new firewall support that may be created in the future.

A threshold based on empirical observations of denied-connection activity in large enterprise networks is used to enhance the accuracy of the rule. A 25 percent increase in five minutes over the baseline average of denied connections triggers this alert.

Multithreading is used to enhance the performance of the current rule. To use multithreading, the following variables are used:
- enVision Device IP Address
- enVision Site

When conditions trigger this correlation rule, you should do the following:
- Check the source IP address to determine whether this is expected traffic or traffic that should be monitored more closely.
- Analyze the source IP addresses and destination ports. Multiple source IP addresses with similar destination ports could indicate malicious activity.
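The following Python is an added example, not code from this guide or from RSA enVision. It runs the rule logic just described (Security.Firewall class, categories starting with Network.Denied Connections, inout equal to one, threaded by site and device IP) over a constructed batch of events, compares each five-minute window with the mean of the preceding windows, and also implements the fixed 20-in-60-seconds threshold given under Quick Deployment so the two can be compared on the same data. The field names, the three-window baseline, and the sample events are assumptions.

```python
# Added example, not RSA enVision's own rule engine: the CRL-00002-01 logic run
# over constructed firewall events. Field names (device_class, category, inout,
# site, device_ip) and the sample data are assumptions.
from collections import defaultdict
from dataclasses import dataclass

WINDOW = 300          # five-minute window, in seconds
INCREASE_PCT = 25.0   # alert when a window exceeds the baseline by this much
BASELINE_WINDOWS = 3  # preceding windows averaged to form the baseline


@dataclass(frozen=True)
class Event:
    ts: int                      # epoch seconds
    device_class: str            # e.g. "Security.Firewall"
    category: str                # e.g. "Network.Denied Connections.Inbound"
    inout: int                   # 1 = inbound relative to the firewall
    src: str
    dst: str
    dport: int
    site: str = "HQ"             # enVision Site (multithreading variable)
    device_ip: str = "10.0.0.1"  # enVision Device IP Address (multithreading variable)


def in_scope(e):
    """The rule's filter: firewall class, denied-connection category, inbound."""
    return (e.device_class == "Security.Firewall"
            and e.category.startswith("Network.Denied Connections")
            and e.inout == 1)


def find_alerts(events, window=WINDOW, increase_pct=INCREASE_PCT,
                baseline_windows=BASELINE_WINDOWS):
    """Per (site, device_ip) thread, count in-scope events per window and alert
    when a window is at least increase_pct above the preceding windows' mean."""
    counts = defaultdict(lambda: defaultdict(int))
    for e in events:
        if in_scope(e):
            counts[(e.site, e.device_ip)][e.ts // window] += 1
    alerts = []
    for thread, per_win in counts.items():
        for w in range(min(per_win) + baseline_windows, max(per_win) + 1):
            baseline = sum(per_win.get(w - i, 0)
                           for i in range(1, baseline_windows + 1)) / baseline_windows
            current = per_win.get(w, 0)
            if baseline > 0 and current >= baseline * (1 + increase_pct / 100):
                alerts.append({"thread": thread, "window": w,
                               "current": current, "baseline": baseline})
    return alerts


def burst_alerts(events, count=20, seconds=60):
    """The fixed threshold from Quick Deployment: `count` denied inbound
    connections inside a sliding window `seconds` wide, per thread."""
    stamps = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        if in_scope(e):
            stamps[(e.site, e.device_ip)].append(e.ts)
    alerts = []
    for thread, ts in stamps.items():
        start = 0
        for end in range(len(ts)):
            while ts[end] - ts[start] > seconds:   # slide the window forward
                start += 1
            if end - start + 1 >= count:
                alerts.append({"thread": thread, "at": ts[end]})
                break                              # one alert per thread
    return alerts


def window_summary(events, window_index, window=WINDOW):
    """Triage helper: distinct sources in the alerting window and the port they
    hit most; many sources on one port is the pattern the rule text flags."""
    srcs, ports = set(), defaultdict(int)
    for e in events:
        if in_scope(e) and e.ts // window == window_index:
            srcs.add(e.src)
            ports[e.dport] += 1
    return {"distinct_sources": len(srcs),
            "top_dport": max(ports, key=ports.get) if ports else None}


def sample_events():
    """Constructed sample, not a real firewall log."""
    fw, denied = "Security.Firewall", "Network.Denied Connections.Inbound"
    ev = [Event(w * 300 + i * 30, fw, denied, 1, f"203.0.113.{i}", "10.1.1.5", 1000 + i)
          for w in range(3) for i in range(8)]          # three quiet windows, 8 each
    ev += [Event(900 + i * 10, fw, denied, 1, f"198.51.100.{i % 6}", "10.1.1.5", 3389)
           for i in range(20)]                          # 4th window: 20, six sources, one port
    ev += [Event(900 + i * 5, fw, "Network.Denied Connections.Outbound", 0,
                 "10.1.1.9", "8.8.8.8", 53) for i in range(30)]   # outbound: ignored
    ev.append(Event(950, "Security.IDS", denied, 1, "198.51.100.1", "10.1.1.5", 3389))  # wrong class: ignored
    return ev
```

In the sample, the fourth window carries 20 denied inbound connections against a baseline of 8 and alerts, while the 60-second burst check does not fire on the same data. That is the difference to keep in mind where the two thresholds in this section disagree: the baseline check reacts to a proportional change, the burst check to an absolute rate. The triage helper reports six sources all hitting port 3389, the pattern the second recommendation above describes.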
CRL-00002-01.1: After installing rule CRL-00002-01.1, you must create a view to monitor for events created by the rule.

CRL-00002-01-1.00: After installing rule CRL-00002-01-1.00, you must create a view to monitor for events created by the rule.

The firewalls must be properly configured to send the required events into the system. In this case, all denied-connection activity should be logged. The sample data contains a large number of denied-connection events from a Cisco ASA event source collected by an enVision appliance. Part of this rule checks that the connection is inbound (based on the IP addresses of the messages), so when testing, you may need to modify the source and target IP addresses so that the "inout" variable is set to one.

You should set the IP address of the Cisco ASA event source to the same IP address as that in the syslog header of the sample file or, at least, ensure that the IP address used in the file is not already configured as some other event source.

False Positive Mitigation: The accuracy of this rule is based on the assumption that there will always be at least some denied inbound connections happening on a firewall. An increase of 25 percent within five minutes may be normal during peak usage hours, depending on network factors such as the number of users and the size of the network. You may need to set a bigger window to reduce the number of false positives.

Quick Deployment

RSA enVision Configuration: This rule works with the default enVision configuration settings. The monitored event sources for the rule are the event sources of the Firewall device class.

The current revision of this correlation rule specifies 20 denied connections in a sixty-second time period to trigger an alert. Modify the threshold if you receive a large number of false alarms.

Note: This rule requires the Blacklisted IP addresses watchlist. You can download sample watchlist files from RSA SecurCare Online, import the data, and edit the default values as needed.
CRL-00003-01

Overview

Name: Port Scan Detected by an Event Source

Purpose: CRL-00003-01 monitors a variety of classes for specific port scan events that are detected by event sources. The rule does not combine separate events into a port scan event, but instead looks for port scan events reported as such. Port scan events can be the precursor to an actual attack, as port scans are commonly used to probe for open ports on any IP address.

This rule revises the default enVision correlation rule NIC003. The revised rule uses a wider variety of event sources and more events than the existing rule to detect more port scans.

Audience: This rule is intended for organizations that are concerned with monitoring port scans.

Reference Material:
- Existing correlation rule NIC003
- Event definitions within RSA enVision

Requirements

Device Class or Systems: This correlation rule supports the following event sources.

Event Source Class    Event Source Type
Security.IDS          Cisco Secure IDS
Security.IDS          Cisco Secure IDS XML
Security.IDS          Dragon IDS
Security.IDS          Entercept
Security.IDS          Intrushield
Security.IDS          ISS Realsecure
Security.IDS          NFR NIDS
Security.IDS          Snort
Security.IDS          Symantec Network Security
Security.IDS          Tipping Point
Security.IPS          Mazu Profiler
Security.IPS          Radware DefensePro
Security.Firewall     Astaro Security Gateway
Security.Firewall     Check Point FW-1
Security.Firewall     Cyberguard Classic
Security.Firewall     Fortinet Antivirus Firewall
Security.Firewall     Netscreen

Technical Analysis

Rule Logic: This rule creates an alert from any port scan event detected by any supported event source. Because the classification of the events can sometimes be inconsistent, specific events have been used rather than the event categories. When new events that specifically cover port scans are added to any supported event source, you should update this rule to include those events.

CRL-00003-01 uses two circuits:
- The High_Severity_PortScan circuit detects all port scan events categorized by an IDS, an IPS, or a firewall as high severity events. If the Netblock watchlist contains the source address of the port scan, CRL-00003-01 triggers an alarm for the event.
- The MediumLow_Severity_PortScan circuit detects all port scan events categorized by an IDS, an IPS, or a firewall as medium or low severity events. If the number of such events increases by 25 percent over the hourly average and the Netblock watchlist contains the source addresses of the port scans, CRL-00003-01 triggers an alarm.

When conditions trigger this correlation rule, you should investigate the source and target of the port scan to determine whether this activity should be allowed. If the activity is not permitted, block or mitigate this event.

RSA enVision Configuration: This rule works with the default enVision configuration settings.

As of the July 2010 Event Source Update, CRL-00003-01 requires the use of a watchlist named Netblock. This watchlist contains IP addresses that are grouped together to form a netblock. You can download the sample watchlists from RSA SecurCare Online and customize the Netblock watchlist.
CRL-00003-01.02

Overview

Name: Port Scan Detected

Purpose: Correlation rule CRL-00003-01.02 inspects the events generated by firewalls in an enterprise environment. The rule examines all traffic reported by firewalls for a single source trying to create connections on 20 ports within a given time frame. This correlation can identify potentially malicious sources, as a port scan is typically used before an attack.

This rule revises the default enVision correlation rule NIC003. The revised rule uses the entire Security.Firewall device class to ensure that it catches port scans regardless of the event source or event type. The rule does not use any specific port scan events, as those events are the end result of an event source detecting a complete port scan on its own, without a correlation rule. In those cases, the port scan events should trigger an alert directly, without a correlation rule.

Audience: This rule is intended for organizations that are concerned with monitoring port scans.

Reference Material:
- Existing correlation rule NIC003
- Event definitions within RSA enVision

Requirements

Device Class or Systems: This correlation rule supports the following event sources:

Device Class        Device Type
Security.Firewall   All

Technical Analysis

Rule Logic: This rule is a revised version of the existing correlation rule NIC003, which triggers on complete port scan events. The revised rule is based on any firewall events carrying port information that share the same source and target. IDS events are not used, as they primarily report complete port scan events, and those events should be alerted on directly, without requiring the correlation rule.

This rule detects port scans by monitoring any traffic detected by firewalls, the ports to which connections are being made, and the source from which the connections are coming. The new rule waits for 20 separate connections to 20 different ports from one source to one destination within five minutes. The five-minute time frame increases the likelihood of detecting scans that have been set up with a long wait period between new connection attempts. Modify the threshold if you receive a large number of false alarms.

In some cases, legitimate events may trigger this rule for users who connect through NAT. To address this issue, some of the events dealing specifically with NAT translation have been filtered out, specifically those pertaining to the Cisco PIX and ASA event sources.
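An added example, not code from this guide or from RSA enVision, of the detection just described: one source, one destination, 20 distinct destination ports within five minutes, over Security.Firewall events only, with NAT-translation messages excluded. The field names and sample events are constructed. The two Cisco ASA message IDs used to represent the filtered translation events are the dynamic translation built/teardown messages; treating them as the messages the rule filters is an assumption, so confirm the IDs against your own parser.

```python
# Added example, not RSA enVision's own rule: the CRL-00003-01.02 logic over
# constructed firewall events. Field names and sample data are assumptions; the
# ASA message IDs below (built/teardown dynamic translation) stand in for the
# NAT-translation events the rule excludes and should be checked locally.
from collections import defaultdict, deque
from dataclasses import dataclass

PORT_THRESHOLD = 20   # distinct destination ports that constitute a scan
WINDOW = 300          # seconds
NAT_TRANSLATION_MSGS = {"ASA-6-305011", "ASA-6-305012"}


@dataclass(frozen=True)
class FwEvent:
    ts: int
    device_class: str   # only "Security.Firewall" is monitored
    msg_id: str         # vendor message identifier
    src: str
    dst: str
    dport: int


def detect_port_scans(events, threshold=PORT_THRESHOLD, window=WINDOW,
                      ignore_msgs=NAT_TRANSLATION_MSGS):
    """One alert per (src, dst) pair, raised the first time `threshold`
    distinct destination ports are seen within `window` seconds."""
    recent = defaultdict(deque)   # (src, dst) -> (ts, dport), oldest first
    alerted, alerts = set(), []
    for e in sorted(events, key=lambda e: e.ts):
        if e.device_class != "Security.Firewall" or e.msg_id in ignore_msgs:
            continue
        key = (e.src, e.dst)
        q = recent[key]
        q.append((e.ts, e.dport))
        while e.ts - q[0][0] > window:     # expire entries older than the window
            q.popleft()
        ports = {p for _, p in q}
        if len(ports) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append({"src": e.src, "dst": e.dst, "ports": len(ports),
                           "first": q[0][0], "last": e.ts})
    return alerts


def sample_events():
    """Constructed sample, not a real firewall log. "FW-DENY" is a placeholder
    message ID for an ordinary denied-connection message."""
    fw, deny = "Security.Firewall", "FW-DENY"
    ev = []
    # a) fast scan: 25 ports in under five minutes, one source, one target
    ev += [FwEvent(i * 12, fw, deny, "203.0.113.7", "10.1.1.5", 1 + i) for i in range(25)]
    # b) slow scan: 30 ports, one every 20 s; never 20 distinct inside 300 s
    ev += [FwEvent(2000 + i * 20, fw, deny, "198.51.100.9", "10.1.1.5", 1 + i) for i in range(30)]
    # c) legitimate client hitting one port repeatedly
    ev += [FwEvent(i * 7, fw, deny, "10.0.0.6", "10.1.1.5", 443) for i in range(40)]
    # d) NAT translation messages: many ports, but filtered as translations
    ev += [FwEvent(1000 + i * 2, fw, "ASA-6-305011", "10.0.0.5", "8.8.8.8", 40000 + i)
           for i in range(30)]
    return ev
```

The slow scan in the sample (one port every 20 seconds) never reaches 20 distinct ports inside a 300-second window and is not reported, which is the trade-off the five-minute time frame sets; lowering the threshold to 16 catches it on this data, at the cost of more alerts on busy clients. Passing an empty `ignore_msgs` set shows the NAT false positive the filter exists to suppress.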
When conditions trigger this correlation rule, you should do the following:
- Investigate the source IP address of the messages.
- Investigate the destination host that is being scanned to ensure that it is not vulnerable.
- Block the source at the firewall level immediately if any traffic is getting through.

Quick Deployment

RSA enVision Configuration: This rule is designed to work with the default enVision configuration settings. The monitored event sources for the rule are the event sources of the Security.Firewall device class. After deploying the RSA enVision appliance in the target environment, you do not need to modify the rule.
CRL-00005-1.10

Overview

Name: Log Source Not Restarted After Reboot/Restart Command Issued Within 10 Minutes

Purpose: CRL-00005-1.10 determines if an event source on the network is unable to restart after being rebooted. The rule detects whether an event source generates any events after being rebooted. This rule can minimize downtime in an enterprise environment by quickly identifying event sources that need attention.

This rule is a revision of the existing NIC005, NIC006, and NIC009 correlation rules, which are shipped with RSA enVision. The three existing rules determine if specific event sources (Cisco routers, switches, and Windows-based systems) are unable to restart. By combining these rules into one, and by making the rule more general, the revised rule can detect a broader set of event sources with less configuration required.

Audience: This rule is intended for organizations that are interested in minimizing downtime in their environments.

Reference Material:
- Existing correlation rule NIC005
- Existing correlation rule NIC006
- Existing correlation rule NIC009

Requirements

Device Class or Systems: This correlation rule supports all event sources that are part of the device group filter NIC_ALL.

Technical Analysis

Rule Logic: This rule detects system restart failures across a network.

The rule uses a ten-minute threshold, based on empirical observations of the startup times of various event sources.

The rule is composed of two circuits:
- The first circuit, Reboot_Circuit, captures a message from an event source that is rebooting.
- The second circuit, Restart_Circuit, determines if the rebooting event source generates a message. The generation of any message indicates that the event source is back up in a running state. If there is no message from the event source matching the IP address captured by the first circuit within the ten-minute threshold, an alert is triggered.
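As an added example (not this guide's or RSA enVision's code) of the two circuits, the following Python processes a constructed batch of events: a reboot message opens a pending entry per device IP, any later message from that IP closes it, and entries still open after ten minutes become alerts. Recognising a reboot by the category System.Reboot and the sample events themselves are assumptions.

```python
# Added example, not RSA enVision's own rule: the Reboot_Circuit/Restart_Circuit
# logic of CRL-00005-1.10 over constructed events. The reboot category and the
# sample data are assumptions.
from dataclasses import dataclass

RESTART_TIMEOUT = 600   # ten-minute threshold, in seconds


@dataclass(frozen=True)
class SrcEvent:
    ts: int
    device_ip: str
    category: str


def is_reboot(e):
    return e.category == "System.Reboot"   # assumed category for reboot messages


def check_restarts(events, now, timeout=RESTART_TIMEOUT):
    """Batch version of the rule. Returns (alerts, recovered):
    alerts    - devices that rebooted and sent nothing within `timeout`:
                "silent" if still quiet at `now`, "late" if a message did
                arrive but only after the timeout had already expired
    recovered - device_ip -> seconds between reboot and first message"""
    pending, recovered, alerts = {}, {}, []
    for e in sorted((e for e in events if e.ts <= now), key=lambda e: e.ts):
        ip = e.device_ip
        if is_reboot(e):                 # Reboot_Circuit: start (or restart) the clock
            pending[ip] = e.ts
            continue
        if ip in pending:                # Restart_Circuit: any message means it is up
            gap = e.ts - pending.pop(ip)
            if gap > timeout:
                alerts.append({"device_ip": ip, "status": "late", "after": gap})
            else:
                recovered[ip] = gap
    for ip, rebooted in pending.items():   # still silent at `now`
        if now - rebooted > timeout:
            alerts.append({"device_ip": ip, "status": "silent", "after": now - rebooted})
    return sorted(alerts, key=lambda a: a["device_ip"]), recovered


def sample_events():
    """Constructed sample, not real collector data."""
    R, M = "System.Reboot", "System.Info"
    return [
        SrcEvent(50, "10.0.0.2", M),    # before its reboot: must not count as recovery
        SrcEvent(100, "10.0.0.1", R), SrcEvent(400, "10.0.0.1", M),   # back in 300 s
        SrcEvent(100, "10.0.0.2", R),                                  # never comes back
        SrcEvent(100, "10.0.0.3", R), SrcEvent(800, "10.0.0.3", M),   # back, but after 700 s
        SrcEvent(120, "10.0.0.4", M), SrcEvent(700, "10.0.0.4", M),   # never rebooted
        SrcEvent(100, "10.0.0.5", R), SrcEvent(200, "10.0.0.5", R),   # rebooted twice
        SrcEvent(500, "10.0.0.5", M),                                  # 300 s after the 2nd
    ]
```

A batch implementation cannot fire at the moment the timer expires, so it reports both devices that are still silent at `now` and devices whose first message came back late; a streaming engine would raise the same alert at the ten-minute mark. A collector that cannot reach a running device looks exactly like a silent device to this logic, which is the false positive the Note under Quick Deployment describes, so confirm reachability before paging anyone.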
When conditions trigger this rule, you should do the following:
- Confirm that the event source is not running, and notify the appropriate person.
- If the event source is running, investigate whether there is a network communication issue.

Quick Deployment

RSA enVision Configuration: This rule uses device classes rather than specific event sources to eliminate the need for configuration.

Note: False positives may occur if communication between the enVision Collector and the event source fails.
CRL-00007-1.10

Overview

Name: Log Source Component Under Sustained High Temperature Conditions Over the Past 10 Minutes

Purpose: Correlation rule CRL-00007-1.10 inspects the temperature messages that event sources generate in an enterprise environment. The rule examines the temperature messages from various networking devices over a period of time.

This rule revises the default enVision correlation rule NIC007. The revised rule includes additional event sources to broaden the scope, such as more specific Cisco event sources and their ancillary equipment, such as power supplies. Additionally, a decay time of ten minutes is used to increase accuracy.

Audience: This rule allows you to determine if there are environmental, configuration, or loading problems on various network elements.

Reference Material:
- Existing correlation rule NIC007
- www.cisco.com
- www.nortel.com

Introduction: The rule detects that a log source or monitored event source experienced sustained high temperature conditions in its internal components. This condition could indicate hardware failure of one or more internal components of the log source (such as a system fan or internal power supply) that directly contributes to the increased operational temperature. This condition could also indicate a problem with HVAC facilities. Sustained high temperature conditions could lead to denial of service and could impact the availability of critical business services.

When conditions trigger this correlation rule, the following actions should be performed:
- Inform the log source owner. This situation requires immediate attention.
- Check the configuration and loading of the event source.
- Check the physical environment to see if there has been an increase in ambient temperature or there is some other hardware-based failure.

Requirements

Device Class or Systems: This rule works with the default enVision configuration settings. The rule assumes that the network contains Cisco routers or switches, Foundry switches, NetApp event sources, Nortel event sources, or NetScreen event sources. The rule requires maintenance and configuration as you add or remove event sources.

Check that the thresholds are appropriate for your environment. Increasing the time period for this rule will affect the performance of the enVision appliance.

Technical Analysis

Rule Logic: This correlation rule is designed to detect high temperature situations in various event sources. The rule contains five circuits, one for each of five manufacturers: Cisco, Foundry, NetApp, Nortel, and NetScreen. The circuits contain statements that either operate in pairs, to detect high temperature and to reset the high temperature alert, or, for event sources that do not have a high temperature reset message, operate independently to detect high temperature. To filter out message flooding, a 5 percent increasing threshold was placed on message detection. This threshold is based on the minute baseline.

Quick Deployment

Event Source Configuration: This correlation rule supports the following devices:

Device Class                               Device Type
Network.Router/Cisco Router/IOS Firewall   Catalyst 6000, Catalyst 4000, and other IOS-based routers and switches (c6k, c4k, ci, PS, RPS, sys messages specifically)
Foundry Switch                             Foundry Switch
NetApp                                     NetApp
Nortel                                     Nortel WebOS
NetScreen                                  NetScreen

Rule Customization: This rule works with the default configuration settings of the enVision product. At least one of the supported event sources must be installed in the network environment.
CRL-00008

Name: Active SYNFlood Attack Detected by IDS-IPS or Firewall Devices

Purpose: Correlation rule CRL-00008 filters the SYNFlood events detected by security devices in an enterprise environment. This rule revises the default correlation rule NIC008, which is included with RSA enVision. The revised rule employs the SYNFlood events that were originally detected by the device, which makes it dependent upon specific environment settings.

When conditions trigger this correlation rule, the following actions should be performed:
- Investigate whether there is a network problem.
- Investigate the source IP address or username of the events.
- Investigate the destination host that was the target of the attack and diagnose potential impacts of the attack.
- Block traffic from the attacker.

Supported Devices: This correlation rule supports the following devices:

Device Class        Device Type
Security.IDS        Dragon IDS
Security.IDS        ISS Realsecure
Security.IDS        Cisco Secure IDS XML
Security.IDS        Snort
Security.IDS        Lancope StealthWatch
Security.IDS        NFR NIDS
Security.Firewall   Secure Computing Sidewinder G2
Security.Firewall   Cyberguard Classic
Security.Firewall   Netscreen
Security.Firewall   SonicWALL-FW
Network.Router      Cisco Router/IOS Firewall

RSA enVision Configuration: This rule depends on the SYNFlood events that are fired by specific security devices. Modify this rule if you add new devices to your environment.

This rule detects SYNFlood attacks reported by IDS, IPS, and Firewall devices across the network. The rule is a more accurate version of the existing correlation rule NIC008. Not all of the messages that were used for developing the old rule are related to SYNFlood attack activity. Some messages related to the vulnerability assessment engine of the IDS and IPS devices were mistakenly used as an indication of an active SYNFlood attack. In the revised rule, specific devices within the security.IDS, security.IPS, security.Firewall, and network.Router device classes are specified as the monitored devices.

The event category Attacks.Denial of Service.Resource Starvation is used as the major category of this correlation rule.

A 10% increase from the minute baseline triggers the alert.
CRL-00010-1.00

Overview

Name: Multiple Login Attempts To a Security Device

Purpose: Correlation rule CRL-00010-1.00 inspects the events detected by any event source on your network. The rule examines all failed logon events to the security event sources that monitor the network.

This rule revises the default enVision correlation rule NIC010. The revised rule includes all event sources, rather than just NetScreen, to keep the maintenance and configuration requirements low.

Audience: The audience for this rule is organizations that want to monitor attempts to access the security event sources that monitor their network.

Reference Material: Existing correlation rule NIC010.

Introduction: The current revision of this correlation rule specifies five failed logon attempts in a sixty-second time period as an indication of an attack. If you experience a large number of false alarms, you need to modify this threshold.

When conditions trigger this correlation rule, you should do the following:
- Investigate the source IP address and user name of the messages.
- Investigate the destination host that refuses access.
- Monitor the source of these events closely along with the user name that is used to log on to the event source. Verify whether the source of these events should have access to the event source.

Requirements

Device Class or Systems: This rule works with the default enVision configuration settings. The rule uses device classes rather than specific event sources, so the rule works with all event sources. You do not need to modify the rule to add or remove event sources.

Technical Analysis

Rule Logic: This correlation rule detects several logon attempts to a security event source on the network. The premise behind this rule is that all events of interest to this rule fall under the umbrella of the following event categories:
- Auth.Errors
- Any event category that starts with Auth.Failures*
- Any event category that starts with Auth.Successful*
- User.Activity.Failed Logins
- User.Activity.Successful Logins

Multithreading is used to enhance the performance of the current rule. To do so, the following variables are used:
- enVision Device IP Address
- enVision Site

False Positive/Negative Mitigation: A tighter threshold, such as four failed logons in the same time period, may result in excessive false alarms, and a looser threshold, such as six failed logons in the same time period, may result in overlooking a password-based attack that is threatening your network. Increasing the time period for this rule will affect the performance of the enVision appliance.

Quick Deployment

Event Source Configuration: This correlation rule supports the following devices.

Device Class   Device Type
NIC_ALL        All

Rule Customization: This rule works with the default configuration settings of enVision. All event sources are utilized in this rule. You do not need to modify the rule to add or remove event sources.
CRL-00011-01

Overview

Name: Possible Successful Brute Force Attack Detected

Purpose: Correlation rule CRL-00011-01 detects a brute force password attack occurring against an event source. The rule correlates a number of failed logons with a successful logon to a specific account.

Audience: The audience for this rule is organizations that want to monitor failed and successful logons that could signal a brute force attack.

Reference Material:
- Existing correlation rule CRL-00011
- www.ultimatewindowssecurity.com

Introduction: This rule correlates a number of failed logons with a successful logon to a specific account. The rule uses a combination of event categories and messages to detect a brute force attempt. The rule also uses specific thresholds and cached variables. You may need to adjust thresholds if activity on the network changes. Because the Windows Event circuit uses specific messages, you may need to add new messages for subsequent versions of Windows.

Each device class uses specific thresholds to determine if a brute force attack is occurring. You may need to modify these thresholds depending on your network.

When conditions trigger this correlation rule, the following action should be performed:
- Investigate the source IP address or username of the messages.

Requirements

Device Class or Systems: Each device class uses specific thresholds to determine if a brute force attack is occurring. You may need to modify these thresholds to meet the needs of your network. You may also need to adjust the decay time, based on the environment.

Technical Analysis

Rule Logic: This rule contains two circuits. The first circuit, Grab Failed Events, captures the failed logon attempts. The circuit contains four statements, each for a specific event category. The first category relates to the enVision appliance. The second category is for Windows-based event sources, and the third category is for UNIX event sources. Finally, there is a category for Security event sources, which includes Firewall, IDS, IPS, and VPN event sources. Each of these categories has a specific threshold (for example, three events within one hundred and eighty-one seconds for Security event sources) that the rule uses to determine if a brute force attack is occurring. When the condition has been satisfied, a cached variable is set, capturing the user name being targeted by the attack.

The next circuit, Get successful with cache, determines if a successful logon has occurred. This circuit compares the user name of the successful logon with the user name of the failed attempts in the first circuit. To minimize false positives, the rule uses multithreading based on the source address of the event. The two circuits must fire within thirty-one minutes of each other to generate an alert.

The rule uses a number of thresholds to determine if a brute force attack is occurring. You may need to alter these thresholds, based on the network environment. You may also need to adjust the decay time, based on the environment.

Because the rule is based on event categories, it will only be as accurate as the parsers. If messages are categorized incorrectly, the rule has no way of accounting for them.
Quick Deployment
Event Source Configurations
This correlation rule supports the following devices.
Device Class | Device Type
Network.System/NIC System | All
Host.Windows Hosts | All
Host.Unix | All
Security.Access Control | All
Security.Firewall | All
Security.IDS | All
Security.IPS | All
Security.VPN | All
Rule Customization
This rule works with the default configuration settings of the enVision product. With the exception of
Windows event sources, the rule uses device classes, reducing the amount of configuration. At least one
supported event source is required for this rule to function.
CRL-00011-1.00
Name
Several Failed Logins Followed by a Successful Login
Purpose
Correlation rule 00011-1.00 examines the failed and successful login attempts detected by firewall-class
devices for indications of password-based attacks. The need for this rule arises from the potential for
various password-based attacks, such as brute force attacks, that can occur in an enterprise-sized
network.
This rule revises the default enVision correlation rule NIC011. The existing correlation rule NIC011 is
triggered by failed login activities followed by any activity. The revised rule monitors for successful
logins after the failed login. The revised rule employs device classes rather than specific devices to keep
the maintenance and configuration requirements low.
When conditions trigger this correlation rule, the following action should be performed: Check the user, source, and the device to ensure that this user should be allowed access to this firewall.
Supported Devices
This correlation rule supports the following device:
Device Class | Device Type
Security.Firewall | All
RSA enVision Configuration
This rule works with the default enVision configuration settings. The monitored devices for the rule are
composed of the firewall-class devices, so the rule is not dependent on any specific device. Upon
deployment, no further modification of the rule is needed.
This rule detects several login failures reported by firewall devices followed by a successful login from the same device. The rule is meant to detect malicious failed login activity across the network. Events in the Auth.Failed category followed by events in the Auth.Successful category are used to filter the event activity.
The revised rule specifies 5 failed login attempts in a 60-second time period followed by a successful login as an indication of an attack. Modify the threshold if you receive a large number of false alarms.
A tighter threshold, such as 4 failed logins in the same time period, may result in excessive false alarms,
and a looser threshold, such as 6 failed logins in the same time period, may result in overlooking a
password-based attack that is threatening the monitored environment.
Increasing the time period for this rule will affect the performance of the enVision appliance.
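As an added illustration of the two-circuit logic described for CRL-00011-01 above and of the simpler firewall-only variant in CRL-00011-1.00 (example code written for this page, not part of the enVision product), the following Python correlator keeps a per-source, per-user sliding window of failed logons (circuit 1), sets a cached variable when the device-class threshold is met, and alerts when a successful logon for the same user arrives from the same source address within the 31-minute decay (circuit 2). The Security.Firewall threshold (5 in 60 s) and the other Security class thresholds (3 in 181 s) come from the text; the Host.* entries, the event field names and every sample event are constructed assumptions.

```python
from collections import defaultdict, deque
from dataclasses import dataclass


# Constructed event record; the field names are assumptions, not enVision's schema.
@dataclass(frozen=True)
class Event:
    ts: int            # seconds on a constructed clock
    device_class: str  # enVision device class, e.g. "Security.Firewall"
    category: str      # "Auth.Failed" or "Auth.Successful"
    source_ip: str
    user: str


# Circuit 1 thresholds per device class: (failed logons, window in seconds).
# Security.Firewall uses the CRL-00011-1.00 setting (5 in 60 s); the other
# Security.* classes use the CRL-00011-01 example (3 in 181 s). The Host.*
# values are assumed, present only to show the per-class lookup.
THRESHOLDS = {
    "Security.Firewall": (5, 60),
    "Security.IDS": (3, 181),
    "Security.IPS": (3, 181),
    "Security.VPN": (3, 181),
    "Host.Windows": (10, 300),   # assumed
    "Host.Unix": (10, 300),      # assumed
}

# Circuit 2 must fire within 31 minutes of circuit 1 (decay of the cached variable).
CACHE_DECAY = 31 * 60


class BruteForceCorrelator:
    """Failed logons over threshold, then a success for the same user from the same source."""

    def __init__(self, thresholds=THRESHOLDS, cache_decay=CACHE_DECAY):
        self.thresholds = thresholds
        self.cache_decay = cache_decay
        # Circuit 1 state: sliding window of failure times per (source, user).
        # Keying on the source address is the "multithreading" the rule uses so
        # that failures from unrelated sources are never combined.
        self.failures = defaultdict(deque)
        # Cached variable set by circuit 1: (source, user) -> time it fired.
        self.cache = {}

    def process(self, ev):
        """Feed one event; return an alert dict when both circuits fire, else None."""
        key = (ev.source_ip, ev.user)
        if ev.category == "Auth.Failed":
            limit = self.thresholds.get(ev.device_class)
            if limit is None:
                return None          # device class not monitored by the rule
            count, window = limit
            q = self.failures[key]
            q.append(ev.ts)
            while q and ev.ts - q[0] > window:
                q.popleft()          # drop failures that fell out of the window
            if len(q) >= count:
                self.cache[key] = ev.ts
            return None
        if ev.category == "Auth.Successful":
            fired_at = self.cache.get(key)
            if fired_at is not None and ev.ts - fired_at <= self.cache_decay:
                del self.cache[key]             # one success, one alert
                self.failures.pop(key, None)
                return {"user": ev.user, "source_ip": ev.source_ip, "ts": ev.ts}
        return None


def run(events):
    """Replay events in time order and collect the alerts."""
    c = BruteForceCorrelator()
    return [a for a in (c.process(e) for e in sorted(events, key=lambda e: e.ts)) if a]


# Constructed sample stream (not real log data).
FW = "Security.Firewall"
SAMPLE_EVENTS = [
    *[Event(t, FW, "Auth.Failed", "10.0.0.5", "alice") for t in (0, 10, 20, 30, 40)],
    Event(50, FW, "Auth.Failed", "10.0.0.9", "bob"),
    Event(55, FW, "Auth.Failed", "10.0.0.9", "bob"),
    Event(70, FW, "Auth.Successful", "10.0.0.9", "bob"),     # only 2 failures: no alert
    Event(90, FW, "Auth.Successful", "10.0.0.7", "alice"),   # different source: no alert
    Event(120, FW, "Auth.Successful", "10.0.0.5", "alice"),  # 5 failures then success: alert
    *[Event(t, FW, "Auth.Failed", "10.0.0.11", "carol") for t in (200, 210, 220, 230, 240)],
    Event(240 + CACHE_DECAY + 1, FW, "Auth.Successful", "10.0.0.11", "carol"),  # cache decayed
]

if __name__ == "__main__":
    for alert in run(SAMPLE_EVENTS):
        print(alert)
```

Running the block on the sample stream yields exactly one alert, for alice from 10.0.0.5: bob never reaches the threshold, alice's success from a second source is kept apart by the source-address key, and carol's success arrives one second after the cached variable has decayed. Tuning the THRESHOLDS table and CACHE_DECAY is the equivalent of the threshold and decay adjustments the text recommends.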
CRL-00012
Name
Attacks Exploiting Microsoft Directory Service Vulnerability Detected by IPS-IDS Devices
Purpose
Correlation rule CRL-00012 filters events from IDS and IPS-class devices and triggers upon detecting an
attack that exploits the Microsoft Directory Service product.
This rule revises the default enVision correlation rule NIC012. The revised rule employs device classes
rather than specific devices in order to keep the maintenance and configuration requirements low.
Additionally, confidence level filtering is employed in order to enhance the accuracy of the rule.
When conditions trigger this correlation rule, the following actions should be performed:
- Identify the source of the attack and block traffic from the source.
- Identify the target host of the attack and apply the vendor-supplied patch to eliminate the vulnerability.
- Restrict access to the affected service for trusted hosts.
- Investigate the destination host that was the target of the attack and diagnose potential impacts of the attack.
Supported Devices
This correlation rule supports the following devices:
Device Class | Device Type
Security.IDS | All
Security.IPS | All
RSA enVision Configuration
This rule works with the default enVision configuration settings. This correlation rule is a revised version
of the existing correlation rule NIC012, which is designed to trigger on detection of attack attempts
exploiting Microsoft Directory Service. Unlike the existing rule NIC012, which is based on specific
device types, the revised rule monitors the Security.IDS and Security.IPS device classes. When enVision
is deployed, further modification of the revised rule is not needed.
The correlation rule NIC012 uses a traffic burst on port 445 as an indication of attack. This assumption makes the rule inaccurate, so the revised rule filters events with the event category mask Attacks.* that have port 445 as the destination port.
Using the confidence level filtering to “Filter out messages with low or medium Confidence” increases
the accuracy of the rule and reduces the number of false alarms. A threshold is set on the number of
incoming events. In the current revision of this rule, a 10% increase from the minute baseline is specified
as the triggering condition.
The event category Attacks.Access is used as the major category of this correlation rule. The
Attacks.Denial of Service category can be used as an alternative.
CRL-00013
Name
Unusual Number of Failed User Login Attempts via Remote Connections to the Same Event Destination
Purpose
Correlation rule CRL-00013 detects any failed login event and checks to see if the login type was from a remote location relative to the event destination. This correlation could indicate a brute force attack on an internal asset from a remote location.
This rule is a revised version of the default enVision correlation rule NIC027, which is designed to trigger
on malicious user login activities. Unlike the existing rule NIC027, which is based on specific device
types, the revised rule monitors a wider class of devices and more specific login types of remote logins
only.
When conditions trigger this correlation rule, the following actions should be performed:
- Evaluate the number of times that a particular user attempts to log in to the event destination. Determining the source of the failed attempt will assist in assessing the action’s severity.
- Investigate the source IP address and username of the messages.
- Investigate the destination host that refuses access.
Supported Devices
This correlation rule supports the following devices:
Device Class | Device Type | Description
NIC_ALL | All | All devices are supported; however, given the nature of Windows events there was special emphasis placed on these events.
RSA enVision Configuration
This rule detects any failed login event and checks to see if the login type was from a remote location to
the event destination. It also looks for occurrences that happen above the normal baseline of the network.
This correlation could indicate a brute force attack on an internal asset from a remote location or just
from another computer system internal to the network.
The threshold for this correlation is set to a default of 20% above the hour baseline. Adjust this
percentage to ensure that it does not fire too often. For instance, setting the threshold too low could cause
this correlation to start firing a large number of times as users begin logging in to systems during peak
business hours.
Increasing the time period for this rule will affect the performance of the enVision appliance.
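An added example, not enVision code, of the baseline comparison this rule relies on (and, with other percentages and intervals, CRL-00012, CRL-00013-01, CRL-00013-02 and CRL-00016 as well): events are filtered to the failed-login categories and the login type the rule watches, counted per hour of day, and compared against the mean for the same hour on previous days. It goes a step beyond the text in making the peak-hours warning concrete: the same start-of-business surge stays under a 20% threshold but trips a 2% one. The baseline method (mean of prior days), the event field names and all counts are constructed assumptions.

```python
from collections import Counter
from statistics import mean

# Event categories counted as failed logins (the category list the rules cite).
FAILED_CATEGORIES = {
    "Auth.Failures",
    "Auth.Failures.User Errors",
    "User.Activity.Failed Logins",
}


def count_by_hour(events, login_type="remote"):
    """Count failed-login events per hour of day, keeping only the login type the
    rule watches (remote for CRL-00013; local or service for its variants).
    Event dicts with "ts", "category" and "login_type" keys are an assumed schema."""
    counts = Counter()
    for ev in events:
        if ev["category"] in FAILED_CATEGORIES and ev["login_type"] == login_type:
            counts[(ev["ts"] // 3600) % 24] += 1
    return counts


def baseline_alerts(current, history, percent):
    """Return [(hour, count, baseline)] for every hour whose count exceeds the hour
    baseline by more than `percent`. The baseline for an hour of day is the mean
    count seen in that hour on previous days (assumed baseline method)."""
    alerts = []
    for hour, count in sorted(current.items()):
        past = history.get(hour)
        if not past:
            continue                      # no baseline yet for this hour of day
        base = mean(past)
        if count > base * (1 + percent / 100):
            alerts.append((hour, count, base))
    return alerts


# --- constructed sample data (not real log data) ---
# Failed remote-login counts per hour of day observed on three previous days.
HISTORY = {
    3: [2, 1, 3],        # quiet overnight hour, baseline 2
    8: [100, 110, 90],   # start of business, baseline 100
    9: [60, 65, 55],     # baseline 60
}


def _events(hour, n, login_type, category="Auth.Failures"):
    """Build n constructed events inside the given hour."""
    return [{"ts": hour * 3600 + i, "category": category, "login_type": login_type}
            for i in range(n)]


TODAY_EVENTS = (
    _events(3, 6, "remote")                        # 6 vs baseline 2: fires at 20% and at 2%
    + _events(8, 118, "remote")                    # 118 vs 100: fires at 2%, not at 20%
    + _events(9, 61, "remote")                     # 61 vs 60: under both thresholds
    + _events(9, 30, "local")                      # local logins do not count for the remote rule
    + _events(9, 40, "remote", "Auth.Successful")  # successful logins never count
)

if __name__ == "__main__":
    current = count_by_hour(TODAY_EVENTS)
    for pct in (20, 2):
        print(f"{pct}% above hour baseline:", baseline_alerts(current, HISTORY, pct))
```

With the 20% default only the overnight hour fires; at 2% the ordinary 08:00 surge fires as well, which is the false-alarm pattern the text warns about. The hour-9 rows also show why the login-type and category filters matter: without them the 30 local failures and 40 successes would push that hour past the baseline.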
For all devices, except Windows, no maintenance or extension is needed as the rules are based on
categories and collected IP addresses. If a new collection method is created for Windows Security Logs,
you must extend this rule to cover those events.
CRL-00013-01
Name
Numerous Failed User Login Attempts Locally to the Same Event Source
Purpose
Correlation rule CRL-00013-01 detects any failed login event that occurs on a local machine and checks
the frequency of such events against the normal baseline for the entire network. This correlation could
indicate a brute force attack on an internal asset.
This rule is a revised version of the default enVision correlation rule NIC027, which triggers on malicious
user login activities. Unlike the existing rule NIC027, which is based on specific device types, the revised
rule monitors a wider class of devices and a more specific login type of local logins only.
When conditions trigger this correlation rule, the following actions should be performed:
- Evaluate the number of occurrences of a particular user attempting to log in to the event source. Determine the source of the failed attempt as this will assist in the assessment of this action's severity.
- Investigate the source IP address and username of the messages.
- Investigate the host that refuses access.
Supported Devices
This correlation rule supports the following device:
Device Class | Device Type | Description
NIC_ALL | All | All devices are supported; however, given the nature of Windows events there was special emphasis placed on these events.
RSA enVision Configuration
This rule detects any type of failed login event and checks to see if the login type was from a remote location with regard to the event destination, and whether the count is above the normal baseline of the network. This correlation could indicate a brute force attack on an internal asset from a remote location or just from another computer system internal to the network.
The threshold for this correlation is set to a default of 2% above the hour baseline. Adjust this percentage
to ensure that it does not fire too often. For instance, setting the threshold too low could cause this
correlation to start firing a large number of times as users begin logging in to systems during peak
business hours.
Increasing the time period for this rule will affect the performance of the enVision appliance.
For all devices except Windows no maintenance or extension is needed as the rules are based on
categories and collected IP addresses. If a new collection method is created for Windows Security Logs,
you must extend this rule to cover those events.
CRL-00013-02
Name
Numerous Failed Service Account Login Attempts to the Same Event Source
Purpose
Correlation rule CRL-00013-02 detects any type of failed login event that occurs on a local machine and
checks the frequency of such events against the normal baseline of the entire network. This correlation
could indicate that a service is incorrectly configured.
This rule is a revised version of the default enVision correlation rule NIC027, which is designed to trigger on malicious user login activities. Unlike the existing rule NIC027, which is based on specific device types, the revised rule monitors a wider class of devices and a more specific login type, service logins only.
When conditions trigger this correlation rule, the following actions should be performed:
- Check to see if a Service Account was set up incorrectly. This is most likely due to a password mismatch, or the Service Account might have been disabled. Corrective actions on the Event Source are required. Escalate as necessary.
- Investigate the source IP address and username of the messages.
- Investigate the host that refuses access.
Supported Devices
This correlation rule supports the following device:
Device Class | Device Type | Description
NIC_ALL | All | All devices are supported; however, given the nature of Windows events there was special emphasis placed on these events.
RSA enVision Configuration
This rule detects any type of failed login event and inspects if the login type was from a service account.
It also compares the occurrences with a baseline and determines if the number of failed logins is above
the normal levels for the network. This correlation could indicate an incorrectly configured service.
Service accounts are based on discovered usernames within a message and matched against a Service
User Names watchlist. This watchlist needs to be expanded if other service accounts are used.
The threshold for this correlation is set to a default of 2% above the hour baseline. Adjust this percentage
to ensure that it does not fire too often. For instance, setting the threshold too low could cause this
correlation to start firing a large number of times as users begin logging in to systems during peak
business hours. Also, to ensure that it does fire properly, update the System User Names with any
additional non-Windows service usernames.
Increasing the time period for this rule will affect the performance of the enVision appliance.
For all devices except Windows no maintenance or extension is needed as the rules are based on
categories and collected IP addresses. For Windows Security Logs, if a new collection method is created,
this rule will need to be extended to cover those events. To ensure that the correlation fires properly,
verify that any service user account that starts or stops a user account is in the watchlist.
Note: This rule requires the Service User Names watchlist. You can download sample watchlist files
from RSA SecurCare Online, import the data, and edit the default values as needed.
CRL-00013-04
Name
Increase in Failed Remote Login Attempts Detected
Purpose
Correlation rule CRL-00013-04 detects if there have been numerous failed logins using remote protocols
such as SSH/SCP, HTTP, Telnet, or Remote Desktop.
When conditions trigger this correlation rule, the following action should be performed: Evaluate the
number of occurrences of a particular user attempting to log in to the event source. Determine the source
of the failed attempt as this will assist in the assessment of this action’s severity.
Supported Devices
This correlation rule supports the following devices:
Device Class | Device Type | Description
Windows.Hosts | Windows Events (BL, ER, NIC, Snare) | Not applicable
Host.Unix | All | Auth.Failures, Auth.Failures.User Errors, User.Activity.Failed Logins
Security.Firewall | All | Auth.Failures, Auth.Failures.User Errors, User.Activity.Failed Logins
Security.IDS | All | Auth.Failures, Auth.Failures.User Errors, User.Activity.Failed Logins
Security.IPS | All | Auth.Failures, Auth.Failures.User Errors, User.Activity.Failed Logins
Security.VPN | All | Auth.Failures, Auth.Failures.User Errors, User.Activity.Failed Logins
Network.Switch | All | Auth.Failures, Auth.Failures.User Errors, User.Activity.Failed Logins
Network.Router | All | Auth.Failures, Auth.Failures.User Errors, User.Activity.Failed Logins
Storage.Storage | All | Auth.Failures, Auth.Failures.User Errors, User.Activity.Failed Logins
RSA enVision Configuration
This rule is designed to work with the default enVision configuration settings. The rule uses device
classes and all four Windows log-gathering techniques. The rule requires minimal maintenance.
To prevent a flood of events, several thresholds have been implemented. These thresholds require
adjustment depending on your environment.
CRL-00013-05
Name
Increase in Failed Interactive User Logins Detected
Purpose
Correlation rule CRL-00013-05 detects if there have been numerous interactive failed logins to an event
source.
When conditions trigger this correlation rule, the following action should be performed: Evaluate the
number of occurrences of a particular user attempting to log in to the event source. Determine the source
of the failed attempt as this will assist in the assessment of this action's severity.
Supported Devices
This correlation rule supports the following devices:
Device Class | Device Type | Description
Windows.Hosts | Windows Events (BL, ER, NIC, Snare) | Not applicable
Host.Unix | All | Auth.Failures, Auth.Failures.User Errors, User.Activity.Failed Logins
Security.Firewall | All | Auth.Failures, Auth.Failures.User Errors, User.Activity.Failed Logins
Security.IDS | All | Auth.Failures, Auth.Failures.User Errors, User.Activity.Failed Logins
Security.IPS | All | Auth.Failures, Auth.Failures.User Errors, User.Activity.Failed Logins
Security.VPN | All | Auth.Failures, Auth.Failures.User Errors, User.Activity.Failed Logins; Juniper SSL VPN – 000501, 000600, 000500
Network.Switch | All | Auth.Failures, Auth.Failures.User Errors, User.Activity.Failed Logins
Network.Router | All | Auth.Failures, Auth.Failures.User Errors, User.Activity.Failed Logins
Storage.Storage | All | Auth.Failures, Auth.Failures.User Errors, User.Activity.Failed Logins
Storage.Database | All | Auth.Failures, Auth.Failures.User Errors, User.Activity.Failed Logins
Security.Access Control | All | Auth.Failures, Auth.Failures.User Errors, User.Activity.Failed Logins
Network.Wireless Devices | All | Auth.Failures, Auth.Failures.User Errors, User.Activity.Failed Logins
Network.System | All | Auth.Failures, Auth.Failures.User Errors, User.Activity.Failed Logins
Network.Configuration Management | All | Auth.Failures, Auth.Failures.User Errors, User.Activity.Failed Logins
Host.Web Logs | All | Auth.Failures, Auth.Failures.User Errors, User.Activity.Failed Logins
Host.Mail Servers | All | Auth.Failures, Auth.Failures.User Errors, User.Activity.Failed Logins
Host.Mainframe | All | Auth.Failures, Auth.Failures.User Errors, User.Activity.Failed Logins
Host.Midrange | iSeries | Auth.Failures, Auth.Failures.User Errors, User.Activity.Failed Logins
Host.Application Servers | All | Auth.Failures, Auth.Failures.User Errors, User.Activity.Failed Logins
RSA enVision Configuration
This rule works with the default enVision configuration settings. The rule uses a mix of device classes
and specific device messages. The rule requires maintenance if additional devices are added to your
network; however, this rule employs device classes rather than specific devices, which greatly reduces
the predeployment configuration effort.
Note: This rule requires the Known Service Accounts and Known Vendor Accounts watchlists. You can
download sample watchlist files from RSA SecurCare Online, import the data, and edit the default
values as needed.
CRL-00013-06
Name
Increase in Failed Service Account Logins Detected
Purpose
Correlation rule CRL-00013-06 detects if there have been numerous failed logins to an event source.
When conditions trigger this correlation rule, the following action should be performed: Evaluate the
number of occurrences of a particular user attempting to log in to the event source. Determine the source
of the failed attempt as this will assist in the assessment of this action's severity.
Supported Devices
This correlation rule supports the following devices:
Device Class | Device Type | Description
Windows.Hosts | Windows Events (BL, ER, NIC, Snare) | Not applicable
Host.Unix | All | Auth.Failures, Auth.Failures.User Errors, User.Activity.Failed Logins
Security.Firewall | All | Auth.Failures, Auth.Failures.User Errors, User.Activity.Failed Logins
Security.IDS | All | Auth.Failures, Auth.Failures.User Errors, User.Activity.Failed Logins
Security.IPS | All | Auth.Failures, Auth.Failures.User Errors, User.Activity.Failed Logins
Security.VPN | All | Auth.Failures, Auth.Failures.User Errors, User.Activity.Failed Logins; Juniper SSL VPN – 000501, 000600
Network.Switch | All | Auth.Failures, Auth.Failures.User Errors, User.Activity.Failed Logins
Network.Router | All | Auth.Failures, Auth.Failures.User Errors, User.Activity.Failed Logins
Storage.Storage | All | Auth.Failures, Auth.Failures.User Errors, User.Activity.Failed Logins
Storage.Database | All | Auth.Failures, Auth.Failures.User Errors, User.Activity.Failed Logins
Security.Access Control | All | Auth.Failures, Auth.Failures.User Errors, User.Activity.Failed Logins
Network.Wireless Devices | All | Auth.Failures, Auth.Failures.User Errors, User.Activity.Failed Logins
Network.System | All | Auth.Failures, Auth.Failures.User Errors, User.Activity.Failed Logins
Network.Configuration Management | All | Auth.Failures, Auth.Failures.User Errors, User.Activity.Failed Logins
Host.Web Logs | All | Auth.Failures, Auth.Failures.User Errors, User.Activity.Failed Logins
Host.Mail Servers | All | Auth.Failures, Auth.Failures.User Errors, User.Activity.Failed Logins
Host.Mainframe | All | Auth.Failures, Auth.Failures.User Errors, User.Activity.Failed Logins
Host.Midrange | iSeries | Auth.Failures, Auth.Failures.User Errors, User.Activity.Failed Logins
Host.Application Servers | All | Auth.Failures, Auth.Failures.User Errors, User.Activity.Failed Logins
RSA enVision Configuration
This rule is designed to work with the default configuration settings of the enVision product. The rule
uses a mix of device classes and specific device messages. The rule requires maintenance if additional
devices are added to your network; however, this rule employs device classes rather than specific
devices, which greatly reduces the predeployment configuration effort.
Note: This rule requires the Known Service Accounts and Known Vendor Accounts watchlists. You can
download sample watchlist files from RSA SecurCare Online, import the data, and edit the default
values as needed.
CRL-00014
Name
Low-Privileged or Guest Account Added to Administrative Group
Purpose
Correlation rule CRL-00014 inspects events from any device for users being added to a group. The
username and group name are then checked against two watchlists that contain the known administrators
and the groups with administrative privileges assigned to them. A non-administrative user being added to
one of these groups may indicate malicious privilege escalation activity.
This rule revises the default enVision correlation rule NIC031. The revised rule employs device classes
and event categorization rather than specific devices and events. This keeps the maintenance and
configuration requirements low.
When conditions trigger this correlation rule, the following actions should be performed:
- Determine whether this was an expected change. If it was an expected change, identify the source of this event. Remove the low-level account from the administrative group and disable access to the user who initiated the change.
- Investigate the source IP address or username of the messages. Multiple failed login events from a single IP address may indicate a password-based attack, such as a dictionary-based password-guessing attack.
- Investigate the destination host that refuses access. This might be an indication of a problematic service.
Supported Devices
This correlation rule supports the following devices:
Device Class | Device Type
NIC_All | All
RSA enVision Configuration
This rule is designed to work with the default enVision configuration settings. The monitored devices for
the rule are composed of any device that has events classified under
User.Management.Groups.Modification.User Added. When enVision is deployed, further modification of
the rule is not needed.
This rule is a revised version of the existing correlation rule NIC031, which is designed to trigger on
malicious user login activities. Unlike the existing rule NIC031, which is based on specific device types,
the revised rule monitors the wider class of devices.
This correlation needs two watchlists that require constant updating to prevent false positives. The
Administrative Groups watchlist holds all group names or IDs that are associated with administrative
groups. The Administrative Users watchlist contains all of the existing administrative usernames.
Note: You can download sample watchlist files from RSA SecurCare Online, import the data, and edit
the default values as needed.
This rule escalates any event that indicates that a non-administrator user has been added to an
administrative group from any device. The events that indicate this must be classified as
User.Management.Groups.Modification.User Added for this rule to fire properly.
Due to the severity of this event, this rule immediately escalates any event that matches the criteria
without any correlation across several devices.
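An added example, not enVision code, of the watchlist checks this rule depends on, together with the Service User Names lookup that CRL-00013-02 performs in the same way: the event category must be User.Management.Groups.Modification.User Added, the group must appear on the Administrative Groups watchlist, and the user must not appear on the Administrative Users watchlist, in which case the event is escalated on its own without any cross-device correlation. Watchlist entries, event field names and the contrasting "User Removed" category used for a negative case are constructed assumptions.

```python
# Watchlists as sets of normalized (lower-cased, trimmed) names. The entries are
# constructed placeholders; real ones come from the enVision Administrative Groups,
# Administrative Users and Service User Names watchlists.
ADMIN_GROUPS_WATCHLIST = {"administrators", "domain admins", "enterprise admins", "wheel"}
ADMIN_USERS_WATCHLIST = {"administrator", "root", "jdoe-adm"}
SERVICE_USER_NAMES_WATCHLIST = {"svc_backup", "svc_sql", "nagios"}

USER_ADDED_CATEGORY = "User.Management.Groups.Modification.User Added"


def normalize(name):
    """Case- and whitespace-insensitive matching, so 'Domain Admins' and
    'domain admins' hit the same entry (a design choice for this example)."""
    return name.strip().lower()


def in_watchlist(name, watchlist):
    return normalize(name) in watchlist


def check_group_addition(event):
    """CRL-00014 logic: escalate immediately when a user who is not on the
    administrative-users watchlist is added to a group that is on the
    administrative-groups watchlist. Returns an alert dict or None."""
    if event.get("category") != USER_ADDED_CATEGORY:
        return None                      # only classified 'User Added' events count
    if not in_watchlist(event["group"], ADMIN_GROUPS_WATCHLIST):
        return None                      # not an administrative group
    if in_watchlist(event["user"], ADMIN_USERS_WATCHLIST):
        return None                      # known administrator: expected change
    return {"severity": "high", "user": event["user"], "group": event["group"],
            "device": event["device"], "actor": event.get("actor")}


def is_service_account_failure(event):
    """CRL-00013-02 filter: a failed login whose user is on the Service User Names
    watchlist. Such events are then counted against the baseline, not escalated."""
    return (event.get("category", "").startswith("Auth.Failures")
            and in_watchlist(event["user"], SERVICE_USER_NAMES_WATCHLIST))


def escalations(events):
    return [a for a in map(check_group_addition, events) if a]


def service_failures(events):
    return [e["user"] for e in events if is_service_account_failure(e)]


# Constructed sample events (not real log data); field names are assumed.
SAMPLE_EVENTS = [
    {"category": USER_ADDED_CATEGORY, "device": "dc01", "actor": "jdoe-adm",
     "user": "Guest", "group": "Administrators"},           # fires: guest into admin group
    {"category": USER_ADDED_CATEGORY, "device": "dc01", "actor": "jdoe-adm",
     "user": "jdoe-adm", "group": "Domain Admins"},         # known admin: no alert
    {"category": USER_ADDED_CATEGORY, "device": "dc01", "actor": "hr-bot",
     "user": "asmith", "group": "Sales"},                   # ordinary group: no alert
    {"category": "User.Management.Groups.Modification.User Removed",   # assumed category
     "device": "dc01", "actor": "jdoe-adm", "user": "bob", "group": "Administrators"},
    {"category": "Auth.Failures", "device": "app01", "user": "SVC_SQL"},  # service account
    {"category": "Auth.Failures", "device": "app01", "user": "asmith"},
]

if __name__ == "__main__":
    print(escalations(SAMPLE_EVENTS))
    print(service_failures(SAMPLE_EVENTS))
```

Only the Guest addition is escalated; the removal event is ignored because its category is not the one the rule is classified on, which is the practical reason the text insists on correct parser classification. Because the check is pure watchlist membership, every administrator missing from the Administrative Users list produces a false positive, which is why both lists need the constant updating the text describes.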
CRL-00016
Name
Attacks Exploiting HTTP Cold Fusion Vulnerabilities Detected by IDS or IPS Devices
Purpose
Correlation rule CRL-00016 monitors events from specific IDS/IPS devices and triggers upon detecting a burst of attacks that exploit vulnerabilities in HTTP Cold Fusion products.
This rule revises the default enVision correlation rule NIC016. The revised rule is based on the events
that are originally detected by the IPS and IDS devices. The revised rule depends on specific devices and
vulnerabilities.
When conditions trigger this correlation rule, the following actions should be performed:
- Identify the source of the attack and block traffic from the source.
- Identify the target host of the attack and apply the vendor-supplied patch to eliminate the vulnerability.
- Restrict access to the affected service for trusted hosts.
- Investigate the destination host that was the target of the attack and diagnose potential impacts of the attack.
Supported Devices
This correlation rule supports the following devices:
Device Class | Device Type
Security.IDS | Dragon IDS
Security.IDS | ISS Realsecure
Security.IDS | Entercept
Security.IDS | Snort
Security.IDS | Intrushield
Security.IDS | Cisco Secure IDS XML
Security.IDS | Cisco Secure IDS
RSA enVision Configuration
This rule requires further configuration settings after enVision is deployed. The rule relies on device-specific events when it detects attacks that attempt to exploit the HTTP Cold Fusion product. The current revision of this correlation rule covers 7 different supported security devices. Update this rule if you add new devices to your environment or if you add support for new HTTP Cold Fusion vulnerabilities.
This rule is a revised version of the existing correlation rule NIC016, which is designed to detect
intensive attack attempts exploiting multiple vulnerabilities in HTTP Cold Fusion products. Each single
attack attempt is detected by IDS or IPS devices across the network, and the correlation rule detects an
increase in attack attempts. The revised rule is still based on specific devices within the Security.IDS
device classes and does not provide a ready to deploy rule for all environments.
In the revised rule, a 10% increase over the minute baseline is an indication of an ongoing attack against
the HTTP Cold Fusion products in the network.
The confidence level filtering at the current revision is set to “Filter out messages with low or medium
Confidence” with Destination Address as the variable. Modification of this setting might be required.
CRL-00023
Name
Event Source No Longer Sending Events
Purpose
Correlation rule CRL-00023 detects when an event source stops sending log messages, indicating incorrectly configured hardware or software, or a hardware or software failure.
This rule is a revised version of the default enVision correlation rule NIC023, which triggers when a device stops logging. Unlike the existing rule NIC023, this revised rule is able to supply a timeframe for when the device stopped logging. Additionally, only devices that use real-time or near real-time transport mechanisms are analyzed.
When conditions trigger this correlation rule, the following actions should be performed:
- Investigate network connectivity between the source and the enVision appliance.
- Check to see if logging or auditing has been disabled or misconfigured for the event source.
- Ensure that the event source is still functioning.
Supported Devices
This correlation rule supports the following devices:
Device Class | Device Type | Description
N/A | N/A | airdefense, airmagnetenterprise, aix, arborpeakflow, arubanetworks, avocentkvm, bigip, caetrust, celerra, ciscoasa, ciscocontenteng, ciscocss, ciscopix, ciscorouter, ciscosecagent, ciscoswitch, ciscovpn, ciscoworks, cyberguard classic, cyberguard, dragonids, edirectory, extremesw, firepass, fortinet, foundryswitch, hpprocurvesw, hpux, ibmmainframe_sma_rt, intelvpn, intrushield, ironmail, lotusdomino, macosx, mazuprofiler, netapp, netcontinuumwebappfw, nfrnids, nokiaipso, nortelpassport, nortelvpn, nortelwebos, powerconnect, rhlinux, sidewinder, snort, solaris, solsoftnp, sonicwall, stealthwatch, Symantec, symantecav, symantecintruder, symantecsns, symmetrix, tippingpoint, toplayer, toplayeram, trendmicro, websense, winevent, winevent_er, winevent_snare, actividentity, apache, aventail, cacheflow, checkpointfw, ciscoacs, ciscocontenteng, ciscoidsxml, ciscoworks, epolicy, host intrusion prevention, ibmacf2, ibmdb2, ibmdb, ibmracf, ibmtopsecret, ibmwebsphere, iseries, iss, mcafeevirusscan, microsoftiis, mom, msdhcp, msexchang, msias, msisa, mssql, netcache, oracle, rsaaccessmgr, rsaacesrv, solarisbsm, sybasease, tripwire, winevent_nic
RSA enVision Configuration
This rule is designed to work with the default enVision configuration settings. The monitored devices correspond to those that are considered “Real-time” and “Near-real time”: for example, devices that send their logs via SNMP or Syslog, and devices that send their logs via SFTP. This rule is part of a series of rules that enhance NIC023.
NIC023 currently looks for 59 events with a zero count occurring in a 1 hour period. The revised rule
looks at real-time devices not sending data in a 15 minute interval from the last received message. The
near real-time rule looks for 29 events in 30 minutes. By using this approach, it is easier to track when a
device has failed and determine the circumstances surrounding that failure.
You may need to modify the trigger time of 30 minutes for near real-time events and 15 minutes for real-
time events based on your requirements.
Increasing the time period for this rule will affect the performance of the enVision appliance.
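An added example, not enVision code, of the two silence checks described above: a real-time source triggers when nothing has arrived for 15 minutes after its last message, and a near real-time source when 29 of the last 30 one-minute buckets are empty. Device names, transport assignments and timestamps are constructed; calling the same function with realtime_gap set to 4 or 24 hours gives the CRL-00023-01 and CRL-00023-02 checks.

```python
from collections import defaultdict

REALTIME_GAP = 15 * 60        # real-time transports: 15 minutes since the last message
NEAR_RT_WINDOW_MIN = 30       # near real-time transports: look at the last 30 minutes ...
NEAR_RT_ZERO_MINUTES = 29     # ... and trigger when 29 of them carried no events


def silent_sources(events, now, transports,
                   realtime_gap=REALTIME_GAP,
                   near_rt_window_min=NEAR_RT_WINDOW_MIN,
                   near_rt_zero_minutes=NEAR_RT_ZERO_MINUTES):
    """events: iterable of (timestamp_seconds, device_name) received so far.
    transports: device_name -> "realtime" or "near_realtime" (assumed labels).
    Returns {device_name: reason} for every device that should trigger."""
    last_seen = {}
    active_minutes = defaultdict(set)   # device -> minute buckets with at least one event
    for ts, device in events:
        last_seen[device] = max(last_seen.get(device, ts), ts)
        active_minutes[device].add(ts // 60)

    alerts = {}
    current_minute = now // 60
    window = range(current_minute - near_rt_window_min, current_minute)
    for device, transport in transports.items():
        seen = last_seen.get(device)
        if transport == "realtime":
            # A device that has never reported is silent, not exempt.
            if seen is None:
                alerts[device] = "real-time: no events received"
            elif now - seen > realtime_gap:
                alerts[device] = f"real-time: last event {now - seen} s ago"
        elif transport == "near_realtime":
            zero = sum(1 for m in window if m not in active_minutes[device])
            if zero >= near_rt_zero_minutes:
                alerts[device] = f"near real-time: {zero} of last {near_rt_window_min} minutes empty"
    return alerts


# --- constructed sample data (not real log data) ---
NOW = 3600
TRANSPORTS = {
    "fw01": "realtime", "fw02": "realtime", "fw03": "realtime",
    "nas01": "near_realtime", "nas02": "near_realtime",
}
SAMPLE_EVENTS = (
    [(t, "fw01") for t in range(0, 2601, 100)]        # last message 1000 s ago: triggers
    + [(t, "fw02") for t in range(0, 3501, 100)]      # last message 100 s ago: fine
    # fw03 never sends anything: triggers
    + [(1900, "nas01")]                               # one active minute, 29 empty: triggers
    + [(t, "nas02") for t in range(1800, 3301, 300)]  # 6 active minutes, 24 empty: fine
)

if __name__ == "__main__":
    for device, reason in sorted(silent_sources(SAMPLE_EVENTS, NOW, TRANSPORTS).items()):
        print(device, reason)
```

The near real-time check counts empty minute buckets rather than the gap since the last message because batch transports such as SFTP legitimately deliver nothing for several minutes between uploads; a single upload inside the window is enough to keep the device below 29 empty minutes. Widening realtime_gap to 4 or 24 hours reproduces the coarser CRL-00023-01 and CRL-00023-02 variants, at the cost of a later warning.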
CRL-00023-01
Name
Event Source Inactive for the Past 4 Hours
Purpose
Correlation rule CRL-00023-01 determines if any device has stopped sending event data in the past 4
hours. It is a revised version of the default enVision correlation rule NIC023.
When conditions trigger this correlation rule, the following actions should be performed:
- Investigate network connectivity between the source and the enVision appliance.
- Check to see if the event source has logging or auditing disabled or misconfigured.
- Ensure that the event source is still functioning.
Supported Devices
This correlation rule supports the following devices:
Device Class | Device Type | Description
NIC_ALL | N/A | All enVision supported devices
RSA enVision Configuration
This rule works with the default enVision configuration settings. This rule is a revised version of the
default enVision correlation rule NIC023, which is designed to trigger when an event source does not
send any events in a 1-hour time span. The revised rule uses a 4-hour duration and specifically includes
all of the devices supported by enVision as a filter.
The 4-hour window corresponds to a typical NOC/SOC change window. After the rule is incorporated
into a view, it generates an alert when an event source fails to send any events to the enVision appliance.
You can change the duration and the number of events to capture based on your specific site
requirements.
Increasing the time period for this rule will affect the performance of the enVision appliance.
CRL-00023-02
Name: Event Source Inactive for the Past 24 Hours
Purpose: Correlation rule CRL-00023-02 determines if any device has stopped sending event data in the past 24
hours. It is a revised version of the default enVision correlation rule NIC023.
When conditions trigger this correlation rule, the following actions should be performed:
• Investigate network connectivity between the source and the enVision appliance.
• Check to see if the event source has logging or auditing disabled or misconfigured.
• Ensure that the event source is still functioning.
Supported Devices: This correlation rule supports the following devices:
Device Class Device Type Description
NIC_ALL N/A All enVision supported devices
RSA enVision Configuration: This rule works with the default enVision configuration settings. After you incorporate the rule into a
view, it alerts when an event source fails to send any events to the enVision device.
This correlation rule is a revised version of the existing correlation rule NIC023, but unlike NIC023,
which uses a 1-hour duration, the revised rule uses a 24-hour duration, and specifically includes all of the
devices supported by enVision as a filter.
You can change the time duration and the number of events to capture based upon your specific site
requirements.
Increasing the time period for this rule will affect the performance of the enVision appliance.
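The inactivity logic described for CRL-00023 and its 4-hour (CRL-00023-01) and 24-hour (CRL-00023-02) variants, as an added example that is not enVision's own rule implementation: it keeps the time of the last message per device and reports every device that has been silent longer than the window for its collection class. The device names, classes and message times are constructed.

```python
"""Inactive event source detection in the style of CRL-00023 (added example).

Each device belongs to a collection class. Real-time sources (SNMP, Syslog)
are reported after 15 minutes of silence, near-real-time sources (SFTP and
similar) after 30; the CRL-00023-01/-02 variants use the same logic with a
4-hour or 24-hour window. Devices and message times below are constructed.
"""
from datetime import datetime, timedelta

# Trigger windows in minutes per collection class; tune per site.
WINDOWS = {"realtime": 15, "nearrealtime": 30}

# Hypothetical inventory: device name -> collection class.
INVENTORY = {
    "ciscoasa-1": "realtime",
    "snort-dmz": "realtime",
    "winevent-snare-01": "nearrealtime",
    "ibmracf-mf": "nearrealtime",
}

# Constructed message arrivals: (device, timestamp of the received message).
SAMPLE_EVENTS = [
    ("ciscoasa-1", "2010-07-30 10:00:00"),
    ("ciscoasa-1", "2010-07-30 10:52:00"),
    ("snort-dmz", "2010-07-30 10:30:00"),
    ("winevent-snare-01", "2010-07-30 10:20:00"),
    # ibmracf-mf sends nothing at all in this sample
]


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def last_seen(events):
    """Return {device: time of its most recent message}."""
    seen = {}
    for device, ts in events:
        t = parse_ts(ts)
        if device not in seen or t > seen[device]:
            seen[device] = t
    return seen


def inactive_sources(events, inventory, now, windows=WINDOWS):
    """Return sorted (device, class, minutes_silent) for sources past their window.

    minutes_silent is None for a device in the inventory that has never
    sent a message; such a device is reported too, since the rule's purpose
    is to catch sources that fail to send events at all.
    """
    seen = last_seen(events)
    now = parse_ts(now)
    alerts = []
    for device, cls in inventory.items():
        window = timedelta(minutes=windows[cls])
        if device not in seen:
            alerts.append((device, cls, None))
        elif now - seen[device] > window:
            silent = now - seen[device]
            alerts.append((device, cls, int(silent.total_seconds() // 60)))
    return sorted(alerts)


if __name__ == "__main__":
    for row in inactive_sources(SAMPLE_EVENTS, INVENTORY, "2010-07-30 11:00:00"):
        print(row)
```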
CRL-00036
Name: High Number of DoS Attack Alerts
Purpose: Correlation rule CRL-00036 inspects the events detected by the IDS, IPS, and Firewall device classes in
an enterprise environment. The rule examines Denial of Service (DoS) attack alerts to determine if there
is an active attack on the network. This rule is a revised version of the existing correlation rule NIC036,
that is included with RSA enVision. The revised rule covers new devices and event categories. The rule
monitors events from the Attacks.Denial of Service category and its successor categories.
When conditions trigger this correlation rule, the following actions should be performed:
• Inspect the source IP of the incoming messages and block the malicious traffic.
• Inspect the device that fires the DoS attack alerts and verify the validity of the event.
Supported Devices: This correlation rule supports the following devices:
Device Class Device Type
Security.IDS All
Security.IPS All
Security.Firewall All
RSA enVision Configuration: This rule is designed to work with the default configuration settings of RSA enVision.
A threshold is used to enhance the accuracy of the rule. In the revised rule, a 25% increase in DoS events
over the minute baseline is an indication of an ongoing attack against the network or a worm activity.
Note: Excessive amounts of false alarms generated by a security device might be another reason for this
anomaly.
The event category Attacks.Denial of Service is used as the major category of this correlation rule.
CRL-00037
Name: Backdoor-type Activity Originating From External Networks Detected
Purpose: Correlation rule CRL-00037 inspects events detected by the IDS, IPS, and Firewall device classes in an
enterprise environment. The rule examines attack alerts for backdoor activities in the network when the
attacker resides in the external network. This rule is a revised version of the existing correlation rule
NIC037, that is included with RSA enVision. The revised rule covers new device and event categories.
The rule monitors events from the Attacks.Malicious Code.Trojan Horse/Backdoor category.
When conditions trigger this correlation rule, the following actions should be performed:
• Identify the source of the attack and block traffic from the source.
• Identify the target host of the attack, apply the security patch, and remove the backdoor agent.
Supported Devices: This correlation rule supports the following devices:
Device Class Device Type
Security.IDS All
Security.IPS All
Security.Firewall All
RSA enVision Configuration: This rule is designed to work with the default configuration settings of RSA enVision.
To detect whether the attacker resides in the external network, one of the following filters is applied to the
events:
• Destination Address Not in Watchlist RFC 1918 List
• Source Address Not in Watchlist RFC 1918 List
The 1918.txt watchlist provides the allocated IP addresses for a private network as specified by RFC
1918.
A threshold is used to enhance the accuracy of the rule. In the revised rule, a 25% increase in attack
events over the minute baseline is an indication of an ongoing attack against the network or a worm
activity.
The event category System.Unusual Activity is used as the major category of this correlation rule.
Note: Using confidence level filtering to “Filter out messages with low Confidence” on the messages that
contain the variable “victim address” increases the accuracy of the rule and reduces the number of false alarms.
CRL-00037-01
Name: Backdoor-type Activity Observed Within Internal Networks
Purpose: Correlation rule CRL-00037-01 inspects the events detected by the IDS, IPS, and Firewall device classes
in an enterprise environment. The rule examines attack alerts for backdoor activities in the network when
the attacker resides in the internal network. This rule is the revised version of the existing correlation rule
NIC037, that is included with RSA enVision. The revised rule covers new device and event categories.
The rule monitors events from the Attacks.Malicious Code.Trojan Horse/Backdoor category.
When conditions trigger this correlation rule, the following actions should be performed:
• Identify the source of the attack and block traffic from the source.
• Identify the target host of the attack, apply the security patch, and remove the backdoor agent.
Supported Devices: This correlation rule supports the following devices:
Device Class Device Type
Security.IDS All
Security.IPS All
Security.Firewall All
RSA enVision Configuration: This rule is designed to work with the default configuration settings of RSA enVision.
The RFC 1918 IP List watchlist provides the allocated IP addresses for a private network as specified by
RFC 1918. This watchlist requires proper configuration when the rule is deployed.
Note: You can download sample watchlist files from RSA SecurCare Online, import the data, and edit
the default values as needed.
To detect whether the attacker resides in the internal network, the following filters are applied to the
events:
• Destination Address in Watchlist RFC 1918 List
• Source Address in Watchlist RFC 1918 List
A threshold is used to enhance the accuracy of the rule. In the revised rule, a 25% increase in attack
events over the minute baseline is an indication of an ongoing attack against the network or a worm
activity.
The event category System.Unusual Activity is used as the major category of this correlation rule.
Note: Using confidence level filtering to “Filter out messages with low Confidence” on the messages that
contain the variable “victim address” increases the accuracy of the rule and reduces the number of false alarms.
CRL-00040-1.0
Overview
Name: Increase in Inter-zone Remote Management Connections
Purpose: Correlation rule CRL-00040-1.0 detects a significant increase in the number of remote management
connections. This activity may be seen as a malicious user probing different ports to map the network.
Introduction: This rule is an aggregation of NIC040, NIC040_CPFW, and NIC040_PIXFW. Device classes are used
instead of specific devices, enhancing the usefulness of the rule. The ports used by these services are
contained in a watchlist that can be easily modified by users to add and remove services that apply to
their network. Currently, RDP, SSH, and Telnet are in the list.
Requirements
Device Class or Systems: Syslog events stored in a Unix file are used to test the rule. The PIX and NetScreen event sources were
used (10.10.18.1 and 10.10.50.42 respectively) and the messages were copied into two separate files and
injected in succession.
Other Requirements: CRL 00040-1.0 was tested and developed using RSA enVision 3.7.0 build 0215. You must install the
Known Service Ports watchlist to define the known service ports in the environment. To test this
correlation rule, create a new view and add CRL 00040-1.0. Because this correlation rule uses 5% over
the hour baseline for triggering, observe the baseline to determine what to inject.
Technical Analysis
Rule Logic: This rule is composed of one circuit and one statement. A decay time of 65 minutes is used, to keep in
line with the hourly baseline. The statement looks at all the event sources contained in the
Security.Firewall group. It compares the lport variable to the Known Service Ports watchlist to see if the
port appears in that list. If it does, and the number of connections exceeds the hourly baseline by 5%, an
alert is triggered.
To test this rule, use the injector utility to inject the attached Unix file. Use the following command to
reproduce the triggering condition of the rule:
injector -redirect -host 127.0.0.1 -file netscreen.unx -eps 1 -time 1
injector -redirect -host 127.0.0.1 -file port.unx -eps 1 -time 1
False Positive and False Negative Mitigation: The accuracy of the rule hinges on parsing the service port to the right variable for the correlation rule.
Accuracy also depends on the thresholds and activity of each site.
Quick Deployment
Event Source Configuration: This correlation rule supports the following event sources:
Device Class Device Type
Security.Firewall All
Rule Customization: This rule is designed to work with the default configuration settings of RSA enVision. Because this rule
uses the Security.Firewall class, event source additions or removals are handled automatically. The
watchlist may have to be updated to include the particular services running on the client’s network.
The revised rule specifies a 5% increase over the hourly average to reduce the number of times the rule is
triggered.
Note: This rule requires the Known Service Ports watchlist. You can download sample watchlist files
from RSA SecurCare Online and edit the default values as needed.
A desired threshold also needs to be determined for each site. The site needs to be using at least one of
SSH, Telnet, or RDP for the rule to function properly. Upon triggering the conditions of this correlation
rule, investigate the source IP address of the messages and the associated workstation, type, and owner.
Escalate if necessary.
CRL-00044
Name: Excessive Inbound Connections Denied from a Single IP Address
Purpose: Correlation rule CRL-00044 inspects the firewall for denied connections that have been labeled as an
inbound connection across a firewall or router. This rule helps find potential hostile hosts and users trying
to access resources on the other side of a firewall or router.
This rule is a revised version of the existing correlation rule NIC044, that is included with RSA enVision.
The revised rule uses the device class associated with firewalls and routers, and the event classes
associated with denied connections. This is to ensure that new firewalls or routers added later are
properly supported by this rule without further updates.
Device classes Security.Firewall and Network.Router and any event with an event category starting with
Network.Denied Connections or variations thereof are used for this correlation. The rule is developed to
be generic and not dependent on any specific device or event.
When conditions trigger this correlation rule, the following action should be performed: Check the IP
address involved to ensure that this is either expected traffic or traffic that should be monitored more
closely.
RSA enVision Configuration: This rule is designed to work with the default configuration settings of RSA enVision.
Note: The revised rule requires 60 denied connections in a 5 minute time period to fire properly. Modify
this threshold if you experience a large volume of false alarms in the target environment.
A threshold based on empirical observations of login activity in large enterprise networks is used to
enhance the accuracy of the rule. This threshold is in the second statement and requires 60 denied events
within 5 minutes.
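The two threshold styles these rules rely on, as an added example that is not enVision's rule language: the fixed count of CRL-00044 (60 denied connections from one source address within 5 minutes) and the percentage-over-baseline trigger used by CRL-00036, CRL-00037 and CRL-00101 (25% over the minute baseline). The history length of the baseline, the addresses and all event timestamps are constructed.

```python
"""Threshold styles used by the enVision rules discussed here (added example).

FixedWindowThreshold: CRL-00044 style, N events for one key within W minutes.
BaselineThreshold: CRL-00036/37/101 style, current-minute count more than
pct% above the average of the previous `history` minutes (history length is
an assumption; the appliance keeps its own baseline).
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


class FixedWindowThreshold:
    """Fire when a key accumulates `count` events within `window_minutes`."""

    def __init__(self, count, window_minutes):
        self.count = count
        self.window = timedelta(minutes=window_minutes)
        self.events = defaultdict(deque)   # key -> timestamps inside the window

    def feed(self, key, ts):
        """Record an event for `key`; return True if the threshold is reached."""
        q = self.events[key]
        q.append(ts)
        # Expire events older than the window relative to the newest event.
        while ts - q[0] > self.window:
            q.popleft()
        return len(q) >= self.count


class BaselineThreshold:
    """Fire when the current minute's count exceeds baseline * (1 + pct/100).

    The baseline is the mean of the previous `history` one-minute buckets.
    No verdict is given until `history` minutes have elapsed since the first
    event, so start-up noise cannot fire the rule. A baseline of 0 makes any
    event fire, which is the behaviour the page describes for CRL-00111.
    """

    def __init__(self, pct, history=10):
        self.pct = pct
        self.history = history
        self.counts = defaultdict(int)     # minute bucket -> count
        self.first = None

    def feed(self, ts):
        b = ts.replace(second=0, microsecond=0)
        if self.first is None:
            self.first = b
        self.counts[b] += 1
        if b - self.first < timedelta(minutes=self.history):
            return False
        prior = [self.counts.get(b - timedelta(minutes=i), 0)
                 for i in range(1, self.history + 1)]
        baseline = sum(prior) / self.history
        return self.counts[b] > baseline * (1 + self.pct / 100)


# Constructed denied inbound connections: (timestamp, source address).
DENIED = (
    [("2010-07-30 09:00:%02d" % i, "203.0.113.9") for i in range(59)]   # 59 in one minute
    + [("2010-07-30 09:0%d:00" % m, "198.51.100.4") for m in (1, 2, 3)]  # unrelated noise
    + [("2010-07-30 09:04:30", "203.0.113.9")]   # 60th within 5 minutes: fires
    + [("2010-07-30 09:06:00", "203.0.113.9")]   # first burst expired: no fire
)


def crl_00044(events, count=60, window_minutes=5):
    """Return the (timestamp, saddr) pairs at which the denied-connection rule fires."""
    rule = FixedWindowThreshold(count, window_minutes)
    return [(ts, saddr) for ts, saddr in events if rule.feed(saddr, parse_ts(ts))]


def dos_alert_times():
    """Constructed DoS alert timestamps: 4 per minute for 10 minutes, then 6."""
    times = ["2010-07-30 09:%02d:%02d" % (m, s) for m in range(10) for s in (5, 20, 35, 50)]
    return times + ["2010-07-30 09:10:%02d" % s for s in range(0, 60, 10)]


def crl_00036(times, pct=25, history=10):
    """Return the timestamps at which the baseline rule fires."""
    rule = BaselineThreshold(pct, history)
    return [t for t in times if rule.feed(parse_ts(t))]


if __name__ == "__main__":
    print(crl_00044(DENIED))
    print(crl_00036(dos_alert_times()))
```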
CRL-00101
Name: Large Number of Attack Events from Internal IP Addresses Detected by IDS Devices
Purpose: Correlation rule CRL-00101 detects attacks occurring from an internal IP address and terminating at an
internal IP address. This may mean that an internal attack is occurring, or an internal address is being
spoofed.
When conditions trigger this correlation rule, the following actions should be performed:
• Investigate the attack source.
• Block malicious traffic.
• Inspect the target and take appropriate action.
Supported Devices: This correlation rule supports the following device:
Device Class Device Type
Security.IDS All
RSA enVision Configuration: This rule is designed to work with the default configuration settings of RSA enVision. The monitored
devices for the rule are in the IDS class. To make this rule function, the deployment environment must
have a device in this class.
The rule uses a baseline to prevent excessive alerts. A 25% increase over the minute baseline is used.
This may need to be adjusted depending on the requirements of the environment.
This rule is composed of the Internal IP circuit. This circuit contains one statement that is used to catch
the appropriate IDS messages. The source (saddr) and destination (daddr) addresses in the messages must
be contained in the RFC 1918 IP List watchlist. The event category Attacks.* is used to reduce the
amount of configuration required.
To filter out excessive alerts, a baseline of 25% over the minute baseline is used. Additional internal IP
ranges can be added to the watchlist as required.
Note: This rule requires the RFC 1918 IP List watchlist. You can download sample watchlist files from
RSA SecurCare Online, import the data, and edit the default values as needed.
CRL-00102
Name: Worm Activity Originating on the Internal Network
Purpose: Correlation rule CRL-00102 looks for worm activity occurring on the internal network of an enterprise.
This rule is a revised version of the existing correlation rule NIC_SUSPICIOUS_WORM_ACTIVITY,
that is included with RSA enVision. The device scope is increased to include IPS, IDS, and Firewall
classes. These classes, along with the included watchlist, ease maintenance of the rule.
When conditions trigger this correlation rule, the following actions should be performed:
• Determine the source of the infection.
• Update antivirus on end systems.
• Apply and revise enforcement policy regarding the use of external equipment and media.
Supported Devices: This correlation rule supports the following devices:
Device Class Device Type
Security.IDS All
Security.IPS All
Security.Firewall All
RSA enVision Configuration: Depending on the network configuration of the site where this rule will be used, some further
configuration of the watchlist may be required to include internal IP ranges. The rest of the rule will
function properly without any additional configuration, provided all necessary devices are located in the
IDS, IPS, and Firewall classes.
To minimize the occurrence of a flood of alerts, a threshold of 25% over the minute baseline has been
integrated into the rule. This threshold can be modified based on the specific requirements of the
environment.
All events related to worm activity must be categorized in the Attacks.Malicious Code.Worm category. A
filter is included that uses a watchlist that only catches worm activity originating and terminating on the
IP addresses specified in the list.
Note: This rule requires the RFC 1918 IP List watchlist. You can download sample watchlist files from
RSA SecurCare Online, import the data, and edit the default values as needed.
CRL-00103
Name: Elevation of User Privileges Detected on a Log Source
Purpose: Correlation rule CRL-00103 looks for events that involve the addition of users to groups. The username
and group name are checked against two watchlists containing the known administrators and the groups
with administrative privileges assigned to them. A user being added to one of these groups who is not an
administrator may indicate that there is malicious intent. This rule is a revision of the existing correlation
rule NIC031, that is included with RSA enVision. The revised rule employs device classes and event
categorization rather than specific devices and events to keep the maintenance and configuration
requirements low. The monitored devices for the rule are composed of devices that have events classified
under User.Management.Groups.Modification.User Added.
When conditions trigger this correlation rule, the following actions should be performed:
• Verify that the user account in question has been granted elevated privileges corresponding to a
Documented Change within the environment. If not, a deeper analysis and subsequent escalation
may be required.
• Investigate the source IP address or username of the messages.
• Investigate the destination host that refuses access.
Supported Devices: This correlation rule supports the following devices:
Device Class Device Type
NIC_All All
RSA enVision Configuration: This rule is designed to work with the default configuration settings of RSA enVision.
To ensure no false positives are made, there are two watchlists that must be kept updated. The first list,
Administrative Groups, holds all group names or IDs that are administrative groups. The second list,
Administrative Users, lists the existing administrative usernames. To trigger this rule, a username that is
not in the Administrative Users list must be added to a group that is in the Administrative Groups list.
Note: You can download sample watchlist files from RSA SecurCare Online, import the data, and edit
the default values as needed.
CRL-00105
Name: Successful Backdoor Attack
Purpose: Correlation rule CRL-00105 detects successful backdoor attacks. This is indicated by a backdoor attack
intercepted by security devices, followed by a connection between the attacker and the destination of the
attack. IDS, IPS, and Firewall device classes are monitored. The rule is developed to be generic and not
dependent on any specific device type. The event category Attacks.Malicious Code.Trojan
Horse/Backdoor is used to filter the backdoor attack events.
When conditions trigger this correlation rule, the following actions should be performed:
• Investigate the target host for possible backdoor agents.
• Apply proper security updates to remove vulnerabilities in the target host.
• Block traffic from the attacker.
Supported Devices: This correlation rule supports the following devices:
Device Class Device Type
Security.IDS All
Security.IPS All
Security.Firewall All
RSA enVision Configuration: This rule is designed to work with the default configuration settings of RSA enVision.
After inspection of the backdoor event, the source and destination addresses of the attack are stored in
cache variables var_attacker and var_target, respectively. These cache variables are used to detect
backdoor connections between the destination of the attack and the attacker. To do this, messages from
the event category Network.Connections.Successful are used, where source and destination of the event
matches the var_attacker and var_target cached values.
The backdoor connection is expected to initiate within 10 minutes after the backdoor attack. Therefore,
the decay time of the rule is set for 15 minutes.
To increase the accuracy of the rule, confidence filtering may be used to reduce the number of false
alarms.
CRL-00106
Name: Successful Denial of Service Attack
Purpose: Correlation rule CRL-00106 detects successful Denial of Service (DoS) attacks. This is indicated by a
DoS attack intercepted by security devices, followed by a system failure event from the destination of the
attack. The rule is developed to be generic and not dependent on any specific device type. Event
categories Attacks.Denial of Service.* are used to filter the DoS attack events.
Supported Devices: This correlation rule supports the following devices:
Device Class Device Type
NIC_All All
RSA enVision Configuration: This rule is designed to work with the default configuration settings of RSA enVision.
After inspection of the DoS event, the destination address of the attack is stored in the cache variable
var_target. This cache variable is used to detect system failure error messages initiated from the
destination of the attack. To do this, the following event categories are utilized:
• System.Unusual Activity
• System.Heartbeats.Errors
• System.Errors.*
• Network.Connections.Errors
• System.Failures.*
The system error event caused by the successful DoS attack is expected to initiate within 5 minutes after
the DoS attack. Therefore, the decay time of the rule is set for 10 minutes.
To increase the accuracy of the rule, confidence filtering may be used to reduce the number of false
alarms.
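The cache-variable correlation of CRL-00105 and CRL-00106 as an added example, not enVision's own logic: a first-stage attack event stores the attacker and target addresses, a matching second-stage event within the decay time fires the rule, and cached entries older than the decay time are dropped. The events and the subcategory names after the documented prefixes are constructed, and the failure event of CRL-00106 is assumed to carry the failing host as its saddr.

```python
"""Two-stage correlation with cache variables and a decay time (added example).

CRL-00105: a Trojan Horse/Backdoor attack event caches var_attacker (saddr)
and var_target (daddr); a Network.Connections.Successful event between the
same pair within 15 minutes fires. CRL-00106: a Denial of Service event
caches var_target (daddr); a system-failure event reported by that host
within 10 minutes fires. Events below are constructed.
"""
from datetime import datetime, timedelta

# CRL-00106 second-stage categories; a trailing '.' stands for '.*'.
FAILURE_CATEGORIES = (
    "System.Unusual Activity",
    "System.Heartbeats.Errors",
    "System.Errors.",
    "Network.Connections.Errors",
    "System.Failures.",
)


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def category_matches(cat, patterns):
    """Exact match, or prefix match for patterns ending in '.' (the '.*' form)."""
    return any(cat == p or (p.endswith(".") and cat.startswith(p)) for p in patterns)


class TwoStageRule:
    def __init__(self, name, stage1, stage2, decay_minutes, key1, key2):
        self.name = name
        self.stage1, self.stage2 = stage1, stage2   # category patterns per stage
        self.decay = timedelta(minutes=decay_minutes)
        self.key1, self.key2 = key1, key2           # fields cached / matched
        self.cache = {}                             # cached key -> stage-1 time

    def feed(self, ev):
        """Process one event dict; return (rule, key, t_attack, t_confirm) or None."""
        ts = parse_ts(ev["time"])
        # Cached first-stage events expire once the decay time has passed.
        for k, t0 in list(self.cache.items()):
            if ts - t0 > self.decay:
                del self.cache[k]
        if category_matches(ev["category"], self.stage1):
            self.cache[tuple(ev[f] for f in self.key1)] = ts
        elif category_matches(ev["category"], self.stage2):
            k = tuple(ev[f] for f in self.key2)
            if k in self.cache:
                return (self.name, k, self.cache.pop(k), ts)
        return None


def make_rules():
    return [
        TwoStageRule("CRL-00105", ("Attacks.Malicious Code.Trojan Horse/Backdoor",),
                     ("Network.Connections.Successful",), 15,
                     key1=("saddr", "daddr"), key2=("saddr", "daddr")),
        # Assumption: failure messages carry the failing host as saddr.
        TwoStageRule("CRL-00106", ("Attacks.Denial of Service.",),
                     FAILURE_CATEGORIES, 10, key1=("daddr",), key2=("saddr",)),
    ]


# Constructed events; subcategory names after the documented prefixes are made up.
SAMPLE_EVENTS = [
    {"time": "2010-07-30 12:00:00", "category": "Attacks.Malicious Code.Trojan Horse/Backdoor",
     "saddr": "203.0.113.7", "daddr": "10.1.2.3"},
    {"time": "2010-07-30 12:04:00", "category": "Network.Connections.Successful",
     "saddr": "203.0.113.7", "daddr": "10.1.2.3"},      # 4 min later: CRL-00105 fires
    {"time": "2010-07-30 12:05:00", "category": "Attacks.Denial of Service.Flood",
     "saddr": "198.51.100.2", "daddr": "10.1.2.50"},
    {"time": "2010-07-30 12:30:00", "category": "System.Failures.Service",
     "saddr": "10.1.2.50", "daddr": ""},                # 25 min later: decayed, no alert
    {"time": "2010-07-30 12:31:00", "category": "Attacks.Denial of Service.Flood",
     "saddr": "198.51.100.2", "daddr": "10.1.2.60"},
    {"time": "2010-07-30 12:33:00", "category": "System.Errors.Kernel",
     "saddr": "10.1.2.60", "daddr": ""},                # 2 min later: CRL-00106 fires
]


def run(events, rules=None):
    """Feed events in time order to every rule; return [(rule name, matched key)]."""
    rules = rules if rules is not None else make_rules()
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        for rule in rules:
            hit = rule.feed(ev)
            if hit:
                alerts.append((hit[0], hit[1]))
    return alerts


if __name__ == "__main__":
    for a in run(SAMPLE_EVENTS):
        print(a)
```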
CRL-00107
Name: Possible Tampering of System Audit / Logs Detected
Purpose: Correlation rule CRL-00107 detects whether a log system has been enabled or disabled, or has
encountered some type of error. It also detects if logs have been deleted on some systems.
When conditions trigger this correlation rule, the following action should be performed: Determine why
the logging system has failed and escalate as appropriate.
Supported Devices: This correlation rule supports the following devices:
Device Class Device Type
Host.Windows Windows Events (BL, ER, NIC, Snare)
Security.IDS ISS Realsecure
Host.Web Logs Cisco Content Engine
Network.Router Cisco Router/IOS Firewall, Juniper JUNOS Router
Network.Switch Cisco Switch
Security.Firewall Netscreen
Host.Unix Unix Solaris, Unix AIX
Network.System NIC System
Security.VPN Juniper SSL VPN
RSA enVision Configuration: This rule is designed to work with the default configuration settings of RSA enVision. The environment in
which this rule is to be used must have at least one device from the previous section to function.
CRL-00108
Name: Possible ARP Poisoning Activity Detected
Purpose: Correlation rule CRL-00108 determines if ARP poisoning is occurring on the network. This rule is
necessary in an enterprise environment because ARP poisoning can lead to Denial of Service (DoS) and
compromise information.
Specific messages from various devices are used to detect the spoofing attacks. In addition to specific
IDS and IPS rules, duplicate IP address messages are included.
When conditions trigger this correlation rule, the following action should be performed: Determine the
source of the IP conflict caused by the poisoned ARP table.
Supported Devices: This correlation rule supports the following devices:
Device Class Device Type
Security.IDS Intrushield, Symantec Network Security, Cisco Secure IDS, Cisco Secure IDSXML
Network.Switch ExtremeWare, Cisco Content Switch, Cisco Switch
Security.Firewall Netscreen, Cisco ASA, Cisco PIX Firewall, SonicWALL-FW, Symantec Enterprise Firewall
Network.Configuration Management Netscreen-Security Manager
Host.Unix Nokia IPSO, Apple Mac OS X
Security.VPN Nortel VPN Contivity
Network.Router Cisco Router/IOS Firewall
RSA enVision Configuration: This rule is designed to work with the default configuration settings of RSA enVision. The environment in
which this rule is used must contain at least one of the devices in the previous section. CRL-00111
is also required for this rule to function properly.
CRL-00109
Name: Windows Service State Change
Purpose: Correlation rule CRL-00109 determines whether a service in Windows has been stopped, started, or
restarted. It also determines if the startup behavior of a service has been modified.
When conditions trigger this correlation rule, the following action should be performed: Determine why
the service state has changed on the system in question.
Supported Devices: This correlation rule supports the following devices:
Device Class Device Type
Host.Windows Hosts Windows Events (BL, ER, NIC, Snare)
RSA enVision Configuration: This rule is designed to work with the default configuration settings of RSA enVision. It assumes that
there are Windows devices on the network that use one of the four methods of event log gathering (NIC,
BL, ER, Snare).
CRL-00110 Rule Set
Name: Detection of Clear-Text Confidential Information using RSA enVision Correlation
Purpose: The CRL-00110 correlation rule set represents a collection of rules (CRL-00110-DB, CRL-00110-Hosts,
CRL-00110-File Integrity, CRL-00110-Email, CRL-00110-Web, and CRL-00110-IDS) that all feed into
an overall CRL-00110 rule whose collective purpose is to assist in the identification of any patterns of
information within the payload of events from key device classes that may be of a confidential nature, in
clear text.
Detecting the presence and/or activity surrounding the use of clear-text confidential information can assist
enterprises in reducing the risks associated with the misuse and/or unauthorized disclosure. Enterprises
currently deploy or are considering the deployment of many suites of tools that could assist in this
identification.
Supported Devices: This correlation rule set supports the following devices:
Device Grouping Type
Host.Windows.Hosts Device Class
Host.Unix Device Class
Storage.Database Device Class
Network.Configuration.Management.Tripwire.Enterprise Device Type
Host Mail Servers Device Class
Host.Web Logs Device Class
Security.IDS Device Class
Security.IPS Device Class
RSA enVision Configuration: It is the intent of this collective rules set to work out-of-the-box with low maintenance. The rule set relies
heavily on three watchlists to provide the necessary pattern recognition for clear-text confidential
information.
Note: You can download sample watchlist files from RSA SecurCare Online, import the data, and edit
the default values as needed.
The watchlists provide:
• Common credit card recognition patterns
• Social Insurance Numbers (SIN) recognition
• Social Security Numbers (SSN) recognition
• Keywords common to enterprise deployments of data storage
• Frequently used user accounts (interactive or service) that have a business requirement to access
confidential information.
• Support for events collected by the RSA Data Loss Prevention (DLP) Suite.
The use of watchlists allows you to quickly add or modify criteria to tune the individual rules contained
within the rules set to desired levels.
For the purposes of the rule, “Confidential Information” is limited to:
• Credit Card Numbers from VISA, Mastercard, American Express, JCB, Discover, and Diner's
Club
• Keywords that match “credit card, cardholder”
• Social Insurance Numbers
• Social Security Numbers
These types of “Confidential Information” are usually found within databases, or as files stored on file
systems hosted by Windows-based or UNIX-based operating systems. This information takes the form of
content within files, or as part of the actual filename itself.
In addition to these storage locations, the confidential information could be transmitted in clear text from
a front-end application such as a web-based Graphical User Interface to a back-end database.
This rule set evaluates key events from each of these sources and compares the payload to the watchlist
of confidential information looking for the patterns contained within, triggering upon successful matches.
The CRL-00110 rule set consists of seven individual rules:
• CRL-00110 – This rule collects the output of each of the subsequent CRL-00110 variants, and
triggers based on a threshold against the minute baseline.
• CRL-00110-Hosts – This rule looks specifically at events that relate to File Access, Modifications,
Creations, and Deletions using the watchlists to identify potential confidential data patterns. This
uses the device classes for Windows and UNIX.
• CRL-00110-File Integrity – This rule uses Tripwire events to identify files or elements that may
contain confidential patterns.
• CRL-00110-DB – This rule looks for SQL commands executed against any object that matches
confidential data patterns using the database device class.
• CRL-00110-Email – This rule examines the email traffic for confidential data patterns using the
device class for email servers.
• CRL-00110-IDS – This rule examines network intrusion detection and prevention events for any
confidential data patterns within the event payload.
• CRL-00110-Web – This rule examines web server events for confidential data patterns using
device class for web servers.
Each rule selects events based on event categories most likely to contain confidential information.
Selecting event categories ensures that newer device support under these device classes with messages
matching the event categories are included within the rules set. They also reduce the out-of-the-box
maintenance required for this rule by customers and help to improve the efficiency of the rule when
loaded into the Alerter process. Examples of event categories used are:
• User.Activity
• User.Activity.File.Access
• Content.Web
• Content.Web.Successful
• Config.Changes
Three watchlists are used in various combinations within each rule. These three watchlists are:
• Confidential Data Patterns – This watchlist contains regular expression constructs that recognize
the following patterns:
  • Word patterns “credit card, creditcard, cardholder”,
  • Credit card Personal Asset Numbers (PAN) for VISA, Mastercard, Discover, American
  Express, JCB, and Diner's Club
  • Social Insurance Numbers (SIN)
  • Social Security Numbers (SSN)
• Confidential Accounts – This watchlist contains a list of users that have a business need to
access potential confidential information and can be removed from the alerts as expected behavior.
It is used in a few of the rules (such as CRL-00110-Hosts) where the user is expected to be within
the payload of events.
• DLP Confidential Data Policies – This watchlist allows the CRL-00110-Email and CRL-00110-
Web correlation rules to collect events from the RSA Data Loss Prevention Suite.
With the exception of CRL-00110, each rule triggers on every event that matches the conditions outlined
within the watchlists.
CRL-00110 itself applies a threshold of a 45% increase over the hourly baseline of the events it receives from
the other CRL-00110 variants. This provides notification of a significant increase in the described activity
that may require immediate attention.
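The following Python script is an added example, not code from the RSA enVision product or from this guide, showing what the Confidential Data Patterns and Confidential Accounts watchlists amount to when applied to event payloads. The card-brand prefix rules and the Luhn checksum it applies to PAN and SIN candidates are this example's own assumptions for reducing false positives; the watchlist contents, account names and sample events are constructed.

```python
import re

# Keyword patterns named in the Confidential Data Patterns watchlist.
KEYWORDS = re.compile(r"\b(credit\s?card|cardholder)\b", re.IGNORECASE)

# Card-brand prefix/length rules. The exact issuer ranges are an assumption
# of this example, not the watchlist's own regular expressions.
CARD_BRANDS = {
    "Visa": re.compile(r"^4\d{12}(?:\d{3})?$"),
    "Mastercard": re.compile(r"^5[1-5]\d{14}$"),
    "American Express": re.compile(r"^3[47]\d{13}$"),
    "Discover": re.compile(r"^6(?:011|5\d{2})\d{12}$"),
    "JCB": re.compile(r"^35\d{14}$"),
    "Diners Club": re.compile(r"^3(?:0[0-5]|[68]\d)\d{11}$"),
}
# 13 to 19 digits, optionally separated by spaces or hyphens.
PAN_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# US SSN in AAA-GG-SSSS form, excluding never-issued area/group/serial values.
SSN = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# Canadian SIN: three groups of three digits.
SIN_CANDIDATE = re.compile(r"\b\d{3}[ -]?\d{3}[ -]?\d{3}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, shared by card PANs and SINs; rejects most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_confidential_patterns(content: str) -> list:
    """Return a label for every confidential pattern found in an event payload."""
    findings = []
    if KEYWORDS.search(content):
        findings.append("keyword")
    for m in PAN_CANDIDATE.finditer(content):
        digits = re.sub(r"[ -]", "", m.group(0))
        brand = next((n for n, rx in CARD_BRANDS.items() if rx.match(digits)), None)
        if brand and luhn_ok(digits):
            findings.append("pan:" + brand)
    if SSN.search(content):
        findings.append("ssn")
    for m in SIN_CANDIDATE.finditer(content):
        if luhn_ok(re.sub(r"[ -]", "", m.group(0))):
            findings.append("sin")
    return findings


def evaluate(events, confidential_accounts):
    """Alert on events with findings unless the user is on the Confidential Accounts watchlist."""
    alerts = []
    for ev in events:
        findings = find_confidential_patterns(ev["content"])
        if findings and ev["user"] not in confidential_accounts:
            alerts.append((ev["user"], findings))
    return alerts


# Constructed sample events; the card, SSN and SIN values are public test numbers.
CONFIDENTIAL_ACCOUNTS = {"billing_svc"}
SAMPLE_EVENTS = [
    {"user": "jdoe", "content": "GET /export?creditcard=4111111111111111 HTTP/1.1"},
    {"user": "billing_svc", "content": "batch posted by cardholder 5500000000000004"},
    {"user": "asmith", "content": "SSN 078-05-1120 attached to ticket 4471"},
    {"user": "asmith", "content": "order id 1234567890123456 processed"},
    {"user": "ops", "content": "SIN 046 454 286 submitted on form"},
    {"user": "ops", "content": "routine heartbeat"},
]

if __name__ == "__main__":
    for user, findings in evaluate(SAMPLE_EVENTS, CONFIDENTIAL_ACCOUNTS):
        print(user, findings)
```

Adding the checksum step means a run of sixteen digits such as an order number is not reported as a PAN, which is the kind of false positive that makes a payload-scanning rule noisy in practice; the watchlisted billing account is suppressed even though its event does contain a card number.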
CRL-00111
Name: Possible Spoofing Activity Detected
Purpose: Correlation rule CRL-00111 alerts on possible network spoofing activity by looking through the events
reported by devices that are associated with spoofing.
When conditions trigger this correlation rule, the following action should be performed: Investigate the
source IP address and the nature of the event to determine why a spoof was reported.
Supported Devices: This correlation rule supports the following devices:
Device Class Device Type
Security.Switch All
Security.Router All
Security.Firewall All
Host.Windows Hosts All
Network.Wireless Devices All
Host.Unix All
RSA enVision Configuration: This rule is designed to work with the default configuration settings of RSA enVision. Given the wide
variety of devices this correlation works against, no further configuration is needed. However, as new
events are added to a system, the rule may need to be adjusted to ensure that it captures the correct
events. The rule uses regular expressions and keywords inside the message body to match events.
Each filter inside the primary circuit is set to trigger when an increase of more than 25% is seen within a
minute. Typically you do not see these events at all, so any increase triggers this rule immediately.
The rule looks through all of the messages that come from the listed devices for keywords that indicate
that the event is a spoofing event. In many devices, this is not phrased with the word “spoof”.
Additional regular expressions are used to reduce the number of false positives.
CRL-00112
Name: Removable Storage Removed from a Windows Event Source
Purpose: Correlation rule CRL-00112 monitors Windows events involving USB storage. Depending on your
company policy, possessing any form of USB data device may be a violation.
When conditions trigger this correlation rule, the following action should be performed: Investigate the
source IP address and the user to ensure that he or she is authorized to use a USB device.
Supported Devices: This correlation rule supports the following devices:
Device Class Device Type
Host.Windows Hosts All
RSA enVision Configuration: This rule is designed to work with the default configuration settings of RSA enVision. However, all the
monitored Windows hosts must have sufficient audit policies to generate the two events necessary for the
rule to function.
The first event must contain information regarding access to the object \Device\USB. The second event
is a device ejection event that references PlugPlayManager. An eight hour window is used to
accommodate a typical work day, where the device would be plugged in at the beginning of the day and
removed at the end. However, if the plug-in, access, and ejection cycle is longer than eight hours, this
correlation is not triggered. The window for this correlation may need to be adjusted in that case.
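The following Python function is an added example, not part of the enVision rule, of the two-event correlation CRL-00112 performs: a \Device\USB object access followed by a PlugPlayManager ejection on the same host within an eight-hour window. The event field names and the sample events are constructed; the one-line messages stand in for the Windows audit records the rule actually consumes.

```python
from datetime import datetime, timedelta

USB_OBJECT = "\\Device\\USB"        # substring of the object-access event
EJECT_MARKER = "PlugPlayManager"    # substring of the device-ejection event
WINDOW = timedelta(hours=8)


def correlate_usb(events, window=WINDOW):
    """Pair a USB object access with a later PlugPlayManager ejection on the
    same host; alert only when the ejection falls inside the window.
    Returns (host, user who accessed the device, minutes between the events)."""
    pending = {}    # host -> (access time, user)
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        t = datetime.strptime(ev["time"], "%Y-%m-%d %H:%M:%S")
        if USB_OBJECT in ev["msg"]:
            # A new access restarts the clock for that host.
            pending[ev["host"]] = (t, ev["user"])
        elif EJECT_MARKER in ev["msg"]:
            access = pending.pop(ev["host"], None)
            if access and t - access[0] <= window:
                minutes = int((t - access[0]).total_seconds() // 60)
                alerts.append((ev["host"], access[1], minutes))
            # An ejection outside the window, or with no prior access, is dropped.
    return alerts


# Constructed sample events (not real enVision message text). The ejection
# events carry SYSTEM as user, so the user is taken from the access event.
SAMPLE_EVENTS = [
    {"time": "2010-07-30 08:05:00", "host": "WS-101", "user": "jdoe",
     "msg": "Object Open: Object Name: \\Device\\USBSTOR\\disk1"},
    {"time": "2010-07-30 16:00:00", "host": "WS-101", "user": "SYSTEM",
     "msg": "PlugPlayManager: the device was safely ejected"},
    {"time": "2010-07-30 07:00:00", "host": "WS-202", "user": "asmith",
     "msg": "Object Open: Object Name: \\Device\\USBSTOR\\disk1"},
    {"time": "2010-07-30 18:30:00", "host": "WS-202", "user": "SYSTEM",
     "msg": "PlugPlayManager: the device was safely ejected"},
    {"time": "2010-07-30 09:00:00", "host": "WS-303", "user": "SYSTEM",
     "msg": "PlugPlayManager: the device was safely ejected"},
]

if __name__ == "__main__":
    for host, user, minutes in correlate_usb(SAMPLE_EVENTS):
        print(f"{host}: USB device used by {user} for {minutes} minutes")
```

The WS-202 pair in the sample is eleven and a half hours apart and is therefore dropped, which is exactly the case the text warns about; widen `window` if plug-in and ejection cycles in your environment routinely exceed eight hours. WS-303 has an ejection with no preceding access and never alerts.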
CRL-00115
Name: Attacks Exploiting Vulnerabilities in SANS TOP-20 2007 Observed
Purpose: Correlation rule CRL-00115 monitors events from IDS and IPS devices, and triggers when it detects
attacks that exploit the vulnerabilities in the SANS TOP-20 2007 list. Because this revision is based on
events originally detected by IPS and IDS devices, it introduces limitations, such as a
dependency on specific devices and vulnerabilities. Confidence level filtering is employed to enhance the
accuracy of the rule. The event category Attacks.Access is used as the major category of this rule.
When conditions trigger this correlation rule, the following actions should be performed:
l Identify the source of the attack and block traffic from the source.
l Identify the target host of the attack and apply the vendor supplied patch to eliminate the
vulnerability.
l Restrict access to the affected service for trusted hosts.
l Investigate the destination host that was the target of the attack and diagnose potential impacts of
the attack.
Supported Devices: This correlation rule supports the following devices:
Device Class Device Type
Security.IDS Dragon IDS
Security.IDS ISS Realsecure
Security.IDS Tipping Point
Security.IDS Snort
Security.IPS Netscreen IDP
Security.IDS Cisco Secure IDS XML
RSA enVision Configuration: Modify this rule if you add new devices to your environment.
This rule uses 1800 events that are associated with the vulnerabilities in the SANS TOP-20 2007 list. This
may cause performance issues for RSA enVision, so the appliance must be monitored once the rule is enabled.
The confidence level filtering is set to “Filter out messages with low or medium Confidence” with
Destination Address as the variable. This setting may need to be modified for your environment.
A threshold is used to enhance the accuracy of the rule. A 10% increase over the minute baseline is an
indication of an ongoing attack against the vulnerabilities listed in the SANS TOP-20 2007 list.
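The percentage-over-baseline thresholds used by CRL-00111 (25% within a minute), CRL-00115 (10% over the minute baseline) and CRL-00110 (45% over the hour baseline) share one mechanism. The following Python functions are an added example of that mechanism, not RSA enVision's Alerter code; the bucket width, the number of history buckets, the strict comparison and the sample timestamps and counts are assumptions of the example.

```python
def bucket_counts(timestamps, bucket_seconds, window_start, buckets):
    """Count events per fixed-width bucket over a window. Buckets with no
    events stay at zero, which matters for the baseline below."""
    counts = [0] * buckets
    for ts in timestamps:
        idx = (ts - window_start) // bucket_seconds
        if 0 <= idx < buckets:
            counts[idx] += 1
    return counts


def baseline_alerts(counts, pct_increase, history_buckets):
    """Return the indices of buckets whose count exceeds the mean of the
    preceding history_buckets buckets by more than pct_increase percent.
    Integer arithmetic keeps a count exactly at the threshold from alerting."""
    alerts = []
    for i in range(history_buckets, len(counts)):
        history_sum = sum(counts[i - history_buckets:i])
        # count > mean * (1 + pct/100), cross-multiplied to avoid float rounding
        if counts[i] * 100 * history_buckets > history_sum * (100 + pct_increase):
            alerts.append(i)
    return alerts


# Constructed sample: three spoof-related events (CRL-00111 style) landing in
# the last of five one-minute buckets, 25% threshold, four-bucket history.
WINDOW_START = 1_280_476_800   # 2010-07-30 08:00:00 UTC, an arbitrary epoch
SPOOF_EVENT_TIMES = [WINDOW_START + 245, WINDOW_START + 262, WINDOW_START + 291]

# Constructed per-minute counts of SANS TOP-20 attack events (CRL-00115 style):
# one series exactly 10% over its baseline, one clearly above it.
IDS_COUNTS_AT_THRESHOLD = [10, 10, 10, 10, 11]
IDS_COUNTS_ABOVE = [10, 10, 10, 10, 12]


def demo():
    """Evaluate the three constructed series; returns the alerting bucket indices."""
    spoof = baseline_alerts(bucket_counts(SPOOF_EVENT_TIMES, 60, WINDOW_START, 5), 25, 4)
    return (spoof,
            baseline_alerts(IDS_COUNTS_AT_THRESHOLD, 10, 4),
            baseline_alerts(IDS_COUNTS_ABOVE, 10, 4))


if __name__ == "__main__":
    print(demo())
```

Because buckets with no matching events count as zero, a quiet environment has a baseline of zero and the first matching events trigger immediately, which is the behaviour the CRL-00111 description relies on. For the hourly variant used by CRL-00110, call `bucket_counts` with a 3600-second bucket and `baseline_alerts` with 45 as the percentage. Whether a count sitting exactly on the threshold should alert is a choice; this example does not alert on it.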
CRL-00116 Rule Set
Name: BotNet Detection Rule Pack
Purpose: Correlation rule set CRL-00116 consists of a variety of correlations that can be used together to detect
machines that may be part of a BotNet inside your network. This is a set of two rules. The first rule
(CRL-00116-02) covers various AV, DNS, SMTP, IRC, and host file modifications. The second rule
(CRL-00116-01) examines failed login attempts from multiple sources to one destination. By themselves,
these attacks may indicate very little. However, when combined into one view, they can indicate a
possible BotNet agent on your system.
Supported Devices: This correlation rule set supports the following device:
Device Class Device Type
NIC_ALL All
RSA enVision Configuration: This rule is designed to work with the default configuration settings of RSA enVision. This rule should
not need to be modified. Make sure that the list of valid DNS servers that are used by the network is
populated with your LAN’s local DNS servers.
After exhaustive research into the nature of BotNets and possible detection methodologies, several ways
to detect BotNets through logs were created. While no single rule is by itself indicative of a BotNet, together
they point to a greater likelihood of a BotNet existing on a network.
The first correlation rule (CRL-00116-02) investigates the following possible BotNet behaviors:
l An increase in detected AV activity with special emphasis on viruses that could be used to gain
further system access. A victim host will be used to further spread the BotNet itself.
l Host file modifications detected. If the victim’s host file is modified, it could be changed so that
DNS requests are rerouted to a different location. This allows the BotNet C&C to pass down
commands, or to redirect the users’ web requests to a different web server so that it can intercept
personal information, such as passwords.
l Changes in DNS utilization. A BotNet victim may have new DNS entries added that will be used
within the BotNets for attack coordination and improved victim organization.
l Inbound or outbound IRC traffic. IRC traffic is suspicious because it is the single most common method for
passing BotNet Command & Control commands around to victims.
l Outbound SMTP traffic volume increase. BotNets are recognized as a major source of spam
worldwide. They accomplish this by using random victim host machines to send out spam. Thus,
an increase in SMTP traffic may indicate that the SMTP traffic is not for legitimate
reasons.
l Outbound SMTP traffic to known blacklisted servers. An increase in SMTP traffic to blacklisted servers may
indicate the existence of a BotNet in the network.
The second correlation rule (CRL-00116-01) monitors for multiple failed login attempts into the same
target host with the same username. One of the basic functions of Bots is that they are passed to a target
PC via an infection attempt. When a command is sent, any target computer infected by a Bot may attempt
to log in to the victim machine. This indicates that the hosts trying to log in may be part of a BotNet that
is trying to expand itself or gain access to information on that particular target host.
Note: This rule set requires the Known Service Account and Known Vendor Account watchlists. You
can download sample watchlist files from RSA SecurCare Online, import the data, and edit the default
values as needed.
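An added example, not code from the CRL-00116 rule pack, of the second rule's logic: failed logins for one username against one target arriving from several distinct sources, with accounts on the Known Service Account and Known Vendor Account watchlists excluded. The window length, the minimum number of distinct sources, the watchlist entries and the sample records are assumptions of the example; the rule pack's actual thresholds are not stated in this section.

```python
from collections import defaultdict, deque

# Constructed stand-ins for the two watchlists the rule set requires.
KNOWN_SERVICE_ACCOUNTS = {"svc_backup"}
KNOWN_VENDOR_ACCOUNTS = {"cisco"}
EXCLUDED = KNOWN_SERVICE_ACCOUNTS | KNOWN_VENDOR_ACCOUNTS


def multi_source_failed_logins(records, window_seconds=300, min_sources=3,
                               excluded_accounts=frozenset()):
    """Alert once per (target, username) when failed logins for that username
    arrive from at least min_sources distinct source addresses inside a sliding
    window of window_seconds. Returns (target, username, distinct sources)."""
    recent = defaultdict(deque)    # (target, user) -> deque of (ts, source)
    alerted = set()
    alerts = []
    for rec in sorted(records, key=lambda r: r["ts"]):
        if rec["user"] in excluded_accounts:
            continue
        key = (rec["target"], rec["user"])
        q = recent[key]
        q.append((rec["ts"], rec["source"]))
        while q and rec["ts"] - q[0][0] > window_seconds:
            q.popleft()                      # expire entries outside the window
        sources = {src for _, src in q}
        if len(sources) >= min_sources and key not in alerted:
            alerted.add(key)
            alerts.append((rec["target"], rec["user"], len(sources)))
    return alerts


# Constructed failed-login records: epoch seconds, target host, username, source IP.
T0 = 1_280_476_800
FAILED_LOGINS = [
    {"ts": T0 + 0,    "target": "FS-01",  "user": "administrator", "source": "10.0.0.11"},
    {"ts": T0 + 40,   "target": "FS-01",  "user": "administrator", "source": "10.0.0.12"},
    {"ts": T0 + 75,   "target": "FS-01",  "user": "administrator", "source": "10.0.0.13"},
    {"ts": T0 + 10,   "target": "FS-01",  "user": "svc_backup",    "source": "10.0.0.21"},
    {"ts": T0 + 20,   "target": "FS-01",  "user": "svc_backup",    "source": "10.0.0.22"},
    {"ts": T0 + 30,   "target": "FS-01",  "user": "svc_backup",    "source": "10.0.0.23"},
    {"ts": T0 + 5,    "target": "DB-01",  "user": "root",          "source": "10.0.0.31"},
    {"ts": T0 + 15,   "target": "DB-01",  "user": "root",          "source": "10.0.0.31"},
    {"ts": T0 + 25,   "target": "DB-01",  "user": "root",          "source": "10.0.0.31"},
    {"ts": T0 + 900,  "target": "WEB-01", "user": "admin",         "source": "10.0.0.41"},
    {"ts": T0 + 1300, "target": "WEB-01", "user": "admin",         "source": "10.0.0.42"},
    {"ts": T0 + 1320, "target": "WEB-01", "user": "admin",         "source": "10.0.0.43"},
]

if __name__ == "__main__":
    for target, user, n in multi_source_failed_logins(FAILED_LOGINS, excluded_accounts=EXCLUDED):
        print(f"{target}: {n} sources failed to log in as {user}")
```

Excluding watchlisted accounts is what keeps a backup service account that authenticates from many hosts from looking like a spreading bot; the DB-01 series is one source retrying and belongs to a different rule, and the WEB-01 series spans more than the window so only two sources are ever in view. The `alerted` set fires once per (target, username) pair so a sustained attempt does not produce a new alert on every further failure.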
Correlation Rule CRL-00116 Update
Statement “IRC_Messages” has been renamed to “IDS/IPS_Messages”
New message IDs were introduced to the statement “IDS/IPS_Messages”. The Message IDs belong to
the following devices:
l Cisco Secure IDS XML
l Snort/Sourcefire
l Tipping Point
l ISS Realsecure
The newly added messages are used to detect Bot activity.
The decay time of the rule has been changed to 65 minutes. The threshold values for the Statements
“Viruse/Botnet detected by AntiVirus” and “Increased in SMTP outbound traffic” have been modified to
check for an increase against the hourly average, for better accuracy.
CRL-00117
Name: Log Collection Stopped due to Filled Disk Capacity
Purpose: Correlation rule CRL-00117 monitors an RSA enVision system to determine if log collection has stopped
due to filled disk capacity. This rule looks at specific messages which the enVision system generates
regarding log collection and disk capacity. A loss of log collection will result in reduced effectiveness of
the enVision system.
You need to free up space by archiving or deleting logs from the enVision LogSmart IPDB. Also,
determine if you have any unused files that could be removed to recover disk space.
Supported Devices: This correlation rule supports the following devices:
Device Class Device Type
NIC_All All
RSA enVision Configuration: This rule is designed to work with the default configuration settings of RSA enVision. The environment in
which this rule is used must contain at least one of the devices from the previous section. The rule uses
specific NIC.System device messages rather than device classes.
Upon triggering the conditions of the correlation rule, the following actions should be performed:
l Consider archiving and/or deleting logs from the enVision LogSmart IPDB
l Look for unused files that could be removed to recover disk space.
CRL-00118
Name: Disk Array Capacity Approaching Threshold
Purpose: Correlation rule CRL-00118 attempts to ascertain whether or not a device or system is approaching
maximum disk capacity. The rule examines several specific message IDs to determine if disk capacity is
approaching a limit. If you do not take action, you may exhaust disk space or risk other system
malfunctions.
Supported Devices: This correlation rule supports the following devices:
Device Class Device Type
NIC.System All
Host.Windows Hosts Windows (NIC, BL, Snare, ER)
Storage.Database Microsoft SQL Server
Host.Unix Nokia IPSO
Security.Firewall Fortinet Antivirus Firewall, CyberGuard Classic
Host.Mail Servers Microsoft Exchange
Host.Web Logs Cisco Content Engine
Security.Anti Virus McAfee ePolicy Orchestrator, CipherTrust IronMail, McAfee Virus Scan
Storage.Storage NetApp
Security.VPN Nortel VPN Contivity
Network.Router Cisco Router / IOS Firewall
RSA enVision Configuration: This rule is designed to work with the default configuration settings of RSA enVision.
Upon triggering the conditions of the correlation rule, the following actions should be performed:
l Consider archiving aged information as dictated by the organization’s Information Life Cycle
Management practices
l Cleaning temporary and/or unused files could also assist in recovering storage space
l If the alert came from enVision, consider using the lsmaint command to archive or delete older
events.
CRL-00119
Name: Password Change on a Known Privileged User Account Detected
Purpose: Correlation rule CRL-00119 looks for password changes to known privileged user
accounts. Unauthorized password changes to these accounts can have a significant impact on network
functionality and data integrity/confidentiality.
Supported Devices: This correlation rule supports the following devices:
Device Class Device Type
Host.Windows Hosts Windows Events (BL, ER, NIC, Snare)
Host.Unix Unix AIX, HPUX/FreeBSD, Linux
Security.VPN Aventail SSL VPN, Cisco VPN 3000, Juniper SSL VPN, Nortel VPN Contivity
NIC_ALL NIC System
Storage.Database Sybase ASE, Microsoft SQL Server, Oracle
Network.Configuration Management Tripwire Enterprise
Security.Firewall Netscreen
RSA enVision Configuration: This rule is designed to work with the default configuration settings of RSA enVision. The environment in
which this rule is used must contain at least one of the devices from the previous section.
Update the watchlist “Privileged User Accounts” with the appropriate usernames present in the network.
Upon triggering the rule, check the source device along with the owner of the account for any policy or
procedure violations.
CRL-00120
Name: Revocation of User Privileges Detected
Purpose: This correlation rule inspects events from a selection of common devices used within a network for
revocation of user permissions. In many cases, this is observed as the user’s removal from user
groups, or as events that change the user's ‘user level’ within the system. The use case for this rule is
to ensure that user privileges are not altered without the knowledge of the network administrators. Such
an action, if unauthorized, may indicate that someone is preparing to perform malicious actions on your
network and is limiting what certain users can do so that they cannot interfere.
Supported Devices: This correlation rule supports the following devices:
Device Class Device Type
Host.Windows Hosts All
Host.Unix All
Security.Firewall All
Security.IDS ISS Realsecure
Network.Configuration Management Solsoft NP
RSA enVision Configuration: This rule is designed to work with the default configuration settings of the enVision product. The
monitored devices for this rule are composed primarily of Windows and Linux along with a few other
devices. This rule should not need further modification upon deployment.
CRL-00121
Name: Unusual Number of Failed Vendor User Login Attempts
Purpose: Correlation rule CRL-00121 detects an increase in failed login attempts using a Vendor Default
account. This alert is important for those organizations interested in keeping Payment Card Industry (PCI)
Compliance. User names for factory default Vendor accounts assigned to devices are well known,
documented, and freely available to the general public. As a best practice, organizations should not use a
vendor account to perform management activities on a regular basis, but only as a last resort. An
increase in failed logins from vendor accounts could indicate brute force attempts to break into event
sources from malicious locations.
Supported Devices: This correlation rule supports the following devices:
Device Class | Device Type | Description
Host.Windows Hosts | Windows Events (BL), Windows Events (ER), Windows Events (NIC), Windows Events (Snare) | Security_529_Security, Security_530_Security, Security_531_Security, Security_532_Security, Security_533_Security, Security_534_Security, Security_535_Security, Security_539_Security
Host.Unix | All | Auth.Errors, Auth.Failures, Auth.Failures.Administrative Settings, Auth.Failures.User Errors, User.Activity.Failed Logins
Security.Firewall | All | Auth.Errors, Auth.Failures, Auth.Failures.Administrative Settings, Auth.Failures.User Errors, User.Activity.Failed Logins
Security.IDS | All | Auth.Errors, Auth.Failures, Auth.Failures.Administrative Settings, Auth.Failures.User Errors, User.Activity.Failed Logins
Security.IPS | All | Auth.Errors, Auth.Failures, Auth.Failures.Administrative Settings, Auth.Failures.User Errors, User.Activity.Failed Logins
Security.VPN | All | Auth.Errors, Auth.Failures, Auth.Failures.Administrative Settings, Auth.Failures.User Errors, User.Activity.Failed Logins
Network.Switch | All | Auth.Errors, Auth.Failures, Auth.Failures.Administrative Settings, Auth.Failures.User Errors, User.Activity.Failed Logins
Network.Router | All | Auth.Errors, Auth.Failures, Auth.Failures.Administrative Settings, Auth.Failures.User Errors, User.Activity.Failed Logins
Storage.Storage | All | Auth.Errors, Auth.Failures, Auth.Failures.User Errors, User.Activity.Failed Logins
Storage.Database | All | Auth.Failures, Auth.Failures.User Errors, User.Activity.Failed Logins
Security.Access Control | All | Auth.Errors, Auth.Failures, Auth.Failures.Administrative Settings, Auth.Failures.User Errors, User.Activity.Failed Logins
Network.Wireless Devices | All | Auth.Errors, Auth.Failures, Auth.Failures.Administrative Settings, Auth.Failures.User Errors, User.Activity.Failed Logins
Network.System | All | Auth.Errors, Auth.Failures, Auth.Failures.Administrative Settings, Auth.Failures.User Errors, User.Activity.Failed Logins
Network.Configuration Management | All | Auth.Errors, Auth.Failures, Auth.Failures.Administrative Settings, Auth.Failures.User Errors, User.Activity.Failed Logins
Host.Web Logs | All | Auth.Errors, Auth.Failures, Auth.Failures.Administrative Settings, Auth.Failures.User Errors, User.Activity.Failed Logins
Host.Mail Servers | All | Auth.Errors, Auth.Failures, Auth.Failures.Administrative Settings, Auth.Failures.User Errors, User.Activity.Failed Logins
Host.Mainframe | All | Auth.Errors, Auth.Failures, Auth.Failures.Administrative Settings, Auth.Failures.User Errors, User.Activity.Failed Logins
Host.Midrange | iSeries | Auth.Errors, Auth.Failures, Auth.Failures.Administrative Settings, Auth.Failures.User Errors, User.Activity.Failed Logins
Host.Application Servers | All | Auth.Errors, Auth.Failures, Auth.Failures.Administrative Settings, Auth.Failures.User Errors, User.Activity.Failed Logins
RSA enVision Configuration: This correlation is designed to work with the default configuration settings of the enVision product. The
rule uses a mix of device classes and specific device messages. As a result, the rule will require some
maintenance. The “Known Vendor Accounts” Watchlist may need to be updated when new vendor
accounts become available.
Upon triggering the conditions of the current correlation rule, perform the following actions:
l Determine where the attempts originate
l Escalate this event to the necessary stakeholders
l Depending upon the location of the event source, it may be necessary to put in place a temporary
firewall rule to deny Shell or Terminal Connections
l Disabling the service on the event source temporarily may also stop the attack
l Investigate further using the LogSmart IPDB and the Event Viewer to ascertain any other potential
vectors of attack or any other activity that may be of interest on the event source
CRL-00122
Name: Active Directory Schema Change Detected
Purpose: This rule is designed to detect a change in the schema of a Microsoft Active Directory installation. An
unauthorized change in the schema could indicate user addition/deletion, permission modification, etc.
The impact of such changes could result in denial of service, unauthorized access to data, etc.
Supported Devices: This correlation rule supports the following devices:
Device Class Device Type
Host.Windows Hosts
Windows Events (BL)
Windows Events (ER)
Windows Events (NIC)
Windows Events (Snare)
RSA enVision Configuration: In order for this rule to fire, an Active Directory system needs to have its logs gathered by enVision.
CRL-00123
Name: Possible Non-PCI Compliant Inbound Network Traffic Detected
Purpose: This rule’s primary goal is to monitor inbound connections into secure devices over non-compliant ports
as specified by PCI compliance practices.
Supported Devices: This correlation rule supports the following devices:
Device Class Device Type Event Categories
Network.Router All
Network.Connections
Network.Connections.Successful
Network.Connections.Successful.VPN
Security.Firewall All
Network.Connections
Network.Connections.Successful
Network.Connections.Successful.VPN
RSA enVision Configuration: Any firewall or network device should work with this rule as it stands. There are no thresholds
in the rule, because it reports any connection of any sort to a compliance-sensitive system over a
non-approved port.
When this rule is triggered the following action should be taken:
l Analyze this event and the corresponding traffic events to ascertain the
destination port(s) and the services/applications running behind those ports. Escalate the
identified services and ports to the necessary stakeholders to determine
whether or not they are approved for business use. If they are approved, document them and
update the watchlists; if not, initiate security incident response.
CRL-00124
Name: Failed Logins Exceeded 6 Logon Attempts Without a Lockout Event
Supported Devices: This correlation rule supports the following devices:
Device Class | Device Type
Security.IDS | Intrushield, Symantec Network Security, Cisco Secure IDS, Cisco Secure IDS XML
Network.Switch | Extremeware, Cisco Content Switch, Cisco Switch
Security.Firewall | Netscreen, Cisco ASA, Cisco PIX Firewall, Sonicwall-FW, Symantec Enterprise Firewall
Network.Configuration Management | Netscreen-Security Manager
Host.Unix | Nokia IPSO, Apple Mac OS X
Security.VPN | Nortel VPN Contivity
Network.Router | Cisco Router/IOS Firewall
RSA enVision Configuration: This rule is designed to work with the default configuration settings of RSA enVision. The environment in
which this rule is used must contain at least one of the devices from the previous section.
CRL-00125-01
Overview
Name: Configuration Change on Security Device Intercepted
Purpose: Correlation rule CRL-00125-01 detects a change in a core security device, such as an IDS/IPS, firewall,
or VPN. If such changes are unexpected, they can lead to reduced security, denial of
service, and leakage of confidential information.
Requirements
Device Class or Systems: The message for this rule was created using existing Netscreen messages and the parsers. The accuracy
of this message was verified by injecting the message into the device and ensuring that it did not show up
as an unknown message in the Event Viewer (graph by Event Type).
Other Requirements: RSA enVision 3.7.0 build 0215 was used to test this correlation rule. The following table describes the
configuration of the RSA enVision platform used for testing:
Device Class Device Type
Security.Firewall All
To test this correlation rule, create a new view and add CRL-00125-01.
Technical Analysis
Rule Logic: Rule CRL-00125-01 is composed of one circuit, which contains five statements. Each statement contains
a list of categories and a filter to reduce the number of false positives. The following are the descriptions
of the statements.
Statement | Device Class | Type | Event Category Value | Filter
Device_Changed | Security.IDS, Security.IPS, Security.Firewall, Security.VPN | All | Attacks.Access.Modification, Auth.Errors, Auth.Failures.User Errors, Auth.Successful, Config.Changes, Config.Changes.Add, Config.Changes.Modify, Network.Connections.Terminations, Network.Denied Connections, Policies.ACL.Errors, Policies.Rules.Modified, System.Accounting, System.Crypto.Key.Manipulation, System.Errors, System.Errors.Interfaces, System.Errors.Memory, System.Errors.Services, System.Errors.Software, System.Heartbeats, System.Normal Conditions, System.Normal Conditions.Config, System.Unusual.Activity, User.Activity.Failed Logins, User.Activity.Privileged Use.Successful, User.Management, User.Management.Groups.Modification.User Removed, User.Management.Password.Modification, User.Management.Users.Additions, User.Management.Users.Modifications | Regex on Content – look for “changed”
Device_Modified | Security.IDS, Security.IPS, Security.Firewall, Security.VPN | All | Config.Changes.Modify, Policies.Rules.Modified, System.Errors.Config, System.Normal Conditions, System.Normal Conditions.Config, User.Management.Users.Modifications, User.Management.Groups.Modifications.User Removed, User.Management.Groups.Modifications.User Added, User.Activity.Failed Logins | Regex on Content – look for “modified”
Device_Configured | Security.IDS, Security.IPS, Security.Firewall, Security.VPN | All | Auth.Successful, Config.Changes.Modify, Network.Connections.Errors.VPN, Network.Connections.Successful.VPN, System.Errors.Software, System.Normal Conditions, System.Normal Conditions.Config, System.Normal Conditions.Services | Regex on Content – look for “modified”
False Positive and False Negative Mitigation: To test this rule, use the injector utility to inject the attached Unix file. Use the following command to
reproduce the triggering condition of the rule:
injector -redirect -host 127.0.0.1 -file crl-00125-01.unx -eps 1 -time 1
Quick Deployment
Event Source Configuration: Rule CRL-00125-01 requires minimal maintenance because of its use of event categories and filters. If
new event sources are added, the appropriate messages should fall under one of the associated statements
in the Rule Logic section.
This correlation rule supports the following event sources:
Device Class Device Type
Security.IDS All
Security.IPS All
Security.Firewall All
Security.VPN All
Rule Customization: This rule is designed to work with the default configuration settings of RSA enVision. The environment in
which this rule is used must contain at least one of the event sources from the previous section. Once the
rule is triggered, determine if the change has been authorized. If the change is not authorized, follow the
appropriate escalation and reporting procedures.
CRL-00125-02
Overview
Name: Configuration Change on Network Device Intercepted
Purpose: Correlation rule CRL-00125-02 detects a change in a core network device, such as a router or a switch. If
such changes are unexpected, they can lead to denial of service and leakage of confidential
information.
Requirements
Device Class or Systems: The message for this rule was crafted using existing Cisco messages and the parsers. Cisco log samples
were also collected from OSSEC.net. The accuracy of this message was verified by injecting the
message into the device and ensuring that it did not show up as unknown in the Event Viewer (graph by
Event Type).
Other Requirements: RSA enVision 3.7.0 build 0215 was used to test this correlation rule. The following table describes the
configuration of the RSA enVision platform used for testing:
Device Class Device Type IP Address
Network.Router Cisco Router/IOS Firewall 10.10.50.51
To test this correlation rule, create a new view and add CRL-00125-02.
Technical Analysis
Rule Logic
Rule CRL-00125-02 is composed of one circuit, which contains five statements. Each statement contains
a list of categories and a filter to reduce the number of false positives. The following are the descriptions
of the statements.
Statement | Device Class | Type | Event Category Value | Filter
Device_Changed | Network.Router, Network.Switch | All | Network.Routing.Changes, Config.Changes, Policies.AC, Policies.Rights.Successful.Privileged Use, System.Error, System.Errors.Environmentals, System.Errors.Hardware, System.Error.Interface, System.Errors.Service, System.Errors.Software, System.Normal Condition, System.Normal Conditions.Confi, System.Normal Conditions.Service, System.Unusual Activity | Regex on Content – look for “changed”
Devices_Removed | Network.Router, Network.Switch | All | System.Errors, System.Errors.Config, System.Errors.Resources, System.Errors.Software, System.Failures.Hardware, System.Failures.Software, System.Normal Conditions, System.Normal Conditions.Config, System.Unusual Activity | Regex on Content – look for “removed”
Devices_Deleted | Network.Router, Network.Switch | All | Policies.Rights.Successful.Privileged Use, System.Crypto.Key.Manipulation, System.Errors, System.Errors.Config, System.Errors.Software, System.Failures.Software, System.Normal Conditions, System.Unusual Activity | Regex on Content – look for “deleted”
Devices_Added | Network.Router, Network.Switch | All | Config.Changes.Add, Policies.Rights.Successful.Privileged Use, System.Errors, System.Errors.Config, System.Errors.Software, System.Failures.Software, System.Normal Conditions, System.Normal Conditions.Config | Regex on Content – look for “added”
Device_Configured | Network.Router, Network.Switch | All | Config.Changes, System.Crypto.Disabled, System.Crypto.Enabled, System.Errors, System.Errors.Software, System.Normal Conditions | Regex on Content – look for “configured”
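The following Python snippet is an added example, not the enVision rule definition, of how a statement in the Rule Logic table above accepts an event: the device class must be in the statement's class list, the event category must be one of the statement's categories, and the regex on content must match. The category lists here are abbreviated from the CRL-00125-02 table (CRL-00125-01 has the same statement structure over the security device classes), the whole-word regexes are this example's reading of “look for ‘changed’” and so on, and the sample events are constructed (the %SYS-5-CONFIG_I and %LINEPROTO-5-UPDOWN message texts follow the IOS syslog format).

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Statement:
    name: str
    device_classes: frozenset
    categories: frozenset
    content_regex: re.Pattern


NETWORK = frozenset({"Network.Router", "Network.Switch"})

# Abbreviated from the CRL-00125-02 Rule Logic table: a few categories per
# statement. The \b...\b regexes are this example's reading of the content filter.
STATEMENTS = [
    Statement("Device_Changed", NETWORK,
              frozenset({"Network.Routing.Changes", "Config.Changes",
                         "System.Error.Interface", "System.Normal Conditions"}),
              re.compile(r"\bchanged\b", re.IGNORECASE)),
    Statement("Devices_Removed", NETWORK,
              frozenset({"System.Errors", "System.Normal Conditions.Config"}),
              re.compile(r"\bremoved\b", re.IGNORECASE)),
    Statement("Devices_Added", NETWORK,
              frozenset({"Config.Changes.Add", "System.Normal Conditions.Config"}),
              re.compile(r"\badded\b", re.IGNORECASE)),
    Statement("Device_Configured", NETWORK,
              frozenset({"Config.Changes", "System.Normal Conditions"}),
              re.compile(r"\bconfigured\b", re.IGNORECASE)),
]


def matching_statements(event, statements=STATEMENTS):
    """Names of the statements whose device class, event category and content
    filter all accept the event; an empty list means the circuit is not fed."""
    return [s.name for s in statements
            if event["device_class"] in s.device_classes
            and event["category"] in s.categories
            and s.content_regex.search(event["content"])]


# Constructed events in the shape of parsed syslog from network devices.
SAMPLE_EVENTS = [
    {"device_class": "Network.Router", "category": "Config.Changes",
     "content": "%SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.10.50.9)"},
    {"device_class": "Network.Switch", "category": "System.Normal Conditions.Config",
     "content": "Interface GigabitEthernet0/1 removed from VLAN 10"},
    {"device_class": "Network.Router", "category": "System.Error.Interface",
     "content": "%LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/0, changed state to down"},
    {"device_class": "Security.Firewall", "category": "Config.Changes",
     "content": "policy 12 changed by admin"},
]


def evaluate_all(events=SAMPLE_EVENTS):
    """Statement names matched by each event, in input order."""
    return [matching_statements(ev) for ev in events]


if __name__ == "__main__":
    for ev, names in zip(SAMPLE_EVENTS, evaluate_all()):
        print(names or "-", "<-", ev["content"])
```

The firewall event in the sample is rejected on device class alone, which is why CRL-00125-01 and CRL-00125-02 are separate rules with the same statement structure. Note that the category check and the content check are both required: the switch event carries a category that Devices_Added also lists, but without the word “added” it feeds only Devices_Removed.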
False Positive and False Negative Mitigation: To test this rule, use the injector utility to inject the attached Unix file. Use the following command to
reproduce the triggering condition of the rule:
injector -redirect -host 127.0.0.1 -file crl-00125-02.unx -eps 2 -time 1
Quick Deployment
Event Source Configuration: Rule CRL-00125-02 requires minimal maintenance because of its use of event categories and filters. If
new event sources are added, the appropriate messages should fall under one of the associated statements
in the Rule Logic section.
This correlation rule supports the following event sources:
Device Class Device Type
Network.Router All
Network.Switch All
Rule Customization: This rule is designed to work with the default configuration settings of RSA enVision. The environment in
which this rule is used must contain at least one of the event sources from the previous section. Once the
rule is triggered, determine if the change has been authorized. If the change is not authorized, follow the
appropriate escalation and reporting procedures.
CRL-00126
Name: Configuration Change Made on PCI Database System
Purpose: This rule has been developed to detect a configuration change in a PCI-compliant database system. A
configuration change can be interpreted as data changes, configuration changes, permission changes, etc.
If these changes are unauthorized, they can result in a compromise of data integrity, data theft, etc.
Supported Devices: This correlation rule supports the following devices:
Device Class Device Type
Storage.Database All
RSA enVision Configuration: In order for this rule to trigger, a device must exist in the category listed in the Supported Devices
section above (Section 1.1). Once triggered,
the change must be inspected to see if it occurred in accordance with corporate policies and procedures.
If it has not, then the applicable escalation/notification procedures should be followed.
CRL-00127
Name: New User Account Created but Initial Password Not Changed
Purpose: This correlation rule is designed to detect when a new account has been created but its password has
not been changed within 24 hours. This rule is important because many large companies create new accounts
with default passwords. The longer these account passwords remain unchanged, the greater the chance of
compromise in the form of unauthorized access, etc.
Supported Devices: This correlation rule supports the following devices:
Device Class Device Type
Host.Windows Hosts All
Host.Unix/Linux All
RSA enVision ConfigurationIn order for this rule to fire, a device from Section 1.1 must be configured to log to enVision. A duration
of 24 hours must pass between the creation of the account and the changing of the password. Once
triggered, determine if the account creation was legitimate and/or why the password was not changed.
Escalate according to corporate policies and procedures.
CRL-00136
Name: Possible System Instability State Detected
Purpose: This correlation rule is designed to detect that a system has become unstable. It does this by looking for
several conditions:
l Multiple restarts, reboots or shutdowns in a given time frame
l Creation of memory dump files on Windows and Linux systems
l A startup event that was not preceded by a shutdown/restart command
Supported Devices: This correlation rule supports the following devices:
Device Class                       Device Type           Event Categories
Host.Windows Hosts                 All                   System.Startup, System.Shutdown, System.Reboots
Network.Configuration Management   Tripwire Enterprise   Config.Changes.Add, Config.Changes.Modify
Network.Router                     All                   All
Network.Switch                     All                   All
Security.VPN                       All                   All
Host.Unix                          All                   System.Startup, System.Shutdown, System.Reboots
NIC_ALL                            All                   System.Startup, System.Shutdown, System.Reboots
RSA enVision Configuration: The event categories System.Startup, System.Shutdown and System.Reboots are used to
capture the appropriate events for Windows, Linux, IPS and IDS devices. A threshold of 2 events in 600 seconds
is used, based on average server startup and shutdown times. You may need to modify this to suit your
environment: a host that shuts down and starts up again inside that window satisfies the threshold on its own.
If Tripwire is used in your environment, it should be logging any file additions or changes. These events
are caught by Config.Changes.Add and Config.Changes.Modify, combined with a filter that checks whether the
file added or changed is a memory dump file on a Windows or Linux system. Creation of such a file indicates
a crash.
For router, switch and VPN devices, the rule matches all event categories of the device classes Network.Router,
Network.Switch and Security.VPN and then searches the message contents for "crash" or "flap". These
messages reveal link state and device stability issues.
CRL-00137
Name: Unusual File Access Activity surrounding Important Event Source Files
Purpose: This correlation rule is designed to detect unusual access to files or directories that the end user has
defined in a watch list. "Access" here means any file or directory that has been traversed, opened, created,
modified or deleted. The watch list can contain files or directories that should not be accessed at all, or that
should only be accessed by privileged users. The rule is useful for auditing sensitive directories or files for
access by non-approved users.
Supported Devices: This correlation rule supports the following devices:
Device Class                       Device Type           Event Categories
Host.Windows Hosts                 All                   Security_560_Security:01; Security_560_Security
Host.Windows Hosts                 Tripwire Enterprise   Security_560_Security:01; Security_560_Security; Security_560_Security:02
Host.Windows Hosts                 All                   Security_560_Security:02; Security_560_Security:03; Security_560_Security; Security_560_Security:01
Host.Windows Hosts                 All                   Security_560_Security:02; Security_560_Security; Security_560_Security:01; Security_560_Security:03
Network.Configuration.Management   All                   Config.Changes.Add, Config.Changes.Delete, Config.Changes.Modify
RSA enVision Configuration: The rule uses three watch lists: "Important Files", "Approved Users" and "Known Service
Accounts". "Important Files" should be populated with the files and paths to be monitored by this rule.
"Approved Users" should be populated with the user names that are permitted to modify the files listed in
"Important Files". "Known Service Accounts" lists the service accounts that are allowed to modify or access
the monitored files or directories. These watch lists may require adjustment according to each organization's
setup.
CRL-00139
Name: Compliance: Successful Login Attempt(s) Using a Vendor Default Account Detected
Purpose: This correlation rule detects successful login attempts using a vendor default account. The alert is
important for organizations that must maintain Payment Card Industry (PCI) compliance, since PCI DSS requires
vendor-supplied default accounts and passwords to be changed before a system is placed on the network. User
names for the factory default vendor accounts assigned to devices are well known, documented and freely
available to the general public. As a best practice, organizations should not use a vendor account for routine
management activities, but only as a last resort. A successful login from a vendor account can therefore
indicate that the account has been compromised.
Supported Devices: This correlation rule supports the following devices:
Device Class                                          Device Type   Event Categories
Host.Windows Hosts                                    All           Security_560_Security:01; Security_560_Security
Host.Unix, Security.Firewall, Security.IDS,           All           Auth.Successful, Auth.Successful.Methods,
Security.IPS, Security.VPN, Network.Switch,                         Auth.Successful.Methods.RADIUS,
Network.Router, Storage.Storage, Storage.Database,                  Auth.Successful.Methods.SSH,
Security.Access Control, Network.Wireless Devices,                  Auth.Successful.Methods.TACACS,
Network.System, Network.Configuration Management,                   User.Activity.Successful Logins
Host.Mail Servers, Host.Mainframe,
Host.Application Servers
Host.Midrange                                         iSeries       Auth.Successful, Auth.Successful.Methods,
                                                                    Auth.Successful.Methods.RADIUS,
                                                                    Auth.Successful.Methods.SSH,
                                                                    Auth.Successful.Methods.TACACS,
                                                                    User.Activity.Successful Logins
RSA enVision Configuration: This rule depends on the successful login events, matched against a set of known vendor
accounts, that are generated by the devices listed above. Modify this rule if you add new devices to your
environment. The rule is designed to work with the default configuration settings of the enVision product. It
uses a mix of device classes and specific device messages, so it will require some maintenance: the "Known
Vendor Accounts" and "Known Service Accounts" watch lists may need to be updated when new vendor or service
accounts become available.
CRL-00140
Name: Increase in P2P Traffic Detected in the Environment Within the Past 5 Minutes
Purpose: This correlation rule is designed to detect an increase in peer-to-peer (P2P) traffic observed in the
environment over the past 5 minutes. P2P traffic is considered undesirable within a network because it can
consume a large share of the available bandwidth and lets users download potentially harmful files without the
administrator's knowledge. The rule can also be used to discover gaps or backdoors in the network
configuration that allow such traffic through.
Supported Devices: This correlation rule supports the following devices:
Device Class        Device Type   Event Categories
Network.Router      All           Attacks.Malicious Code.P2P
Security.Firewall   All           Attacks.Malicious Code.P2P
Security.IDS        All           Attacks.Malicious Code.P2P
Security.IPS        All           Attacks.Malicious Code.P2P
RSA enVision Configuration: This rule compares the P2P traffic events generated by the devices listed above against
a set of known P2P applications and known P2P-related port numbers. Modify this rule if you add new devices to
your environment.
This rule is designed to work with the default configuration settings of the enVision product. It searches
for P2P keywords inside the message body and message ID, as well as for related port numbers, to match events.
The watch list "P2P Known Ports" and the regular expression holding the list of applications may require
periodic updates as new applications become available.
Each filter is set to trigger when the event rate rises more than 15% above the baseline within 5 minutes. This
threshold may require adjustment depending on the environment and the security policies in place within the
network. Typically you should never see these events at all, so any increase from what should be a baseline of
zero events triggers this correlation immediately.
CRL-00141
Name: P2P Software Running as Active Process on Event Source
Purpose: This correlation rule is designed to detect active P2P processes running on event sources inside an
organization. P2P traffic is considered undesirable within a network because it can consume a large share of
the available bandwidth and lets users download potentially harmful files without the administrator's
knowledge. This rule can be used to discover breaches of security policy in an environment.
Supported Devices: This correlation rule supports the following devices:
Device Class         Device Type              Event Categories
Host.Windows Hosts   Windows Events (BL)      Security_592_Security
Host.Windows Hosts   Windows Events (ER)      Security_592_Security
Host.Windows Hosts   Windows Events (NIC)     Security_592_Security, Security_592_Security:01
Host.Windows Hosts   Windows Events (Snare)   Security_592_Security, Security_592_Security:01, Security_592_Security:02
RSA enVision Configuration: This rule depends on the enVision message ID Security_592_Security (Windows Security event
592, "a new process has been created"), as generated by the devices listed above. This rule is designed to work
with the default configuration settings of the enVision product. It uses the device classes together with the
watch list "P2P Known Applications" to detect a running process whose name matches a known P2P application.
The watch list may need maintenance when new P2P applications become available. Note that process tracking
auditing must be enabled on the hosts; otherwise event 592 is never generated and the rule cannot fire.
CRL-00143
Name: Increase in File Transfer Activity Using Instant Messaging Detected
Purpose: Correlation rule CRL-00143 detects an increase in file transfer activity over instant messaging (IM)
observed in the environment over the past 5 minutes. File transfers via instant messaging may be prohibited
within corporate environments and represent one avenue through which intellectual property may leave the
organization. The rule can be used to discover gaps or backdoors in the network configuration as well as to
check policy compliance for file transfer usage within the network.
Upon triggering this rule, the following actions should be performed:
l Investigate the source IP address and the nature of the event to find out why an increase in IM file
transfer events has been reported.
l Escalate this event to the necessary stakeholders.
l Depending upon the location of the event source, you may need to put in place a temporary firewall
rule to deny such connections.
Supported Devices: This correlation rule supports the following devices:
Device Class        Device Type   Event Categories
Network.Router      All           Attacks.Malicious Code.P2P
Security.Firewall   All           Attacks.Malicious Code.P2P
Security.IDS        All           Attacks.Malicious Code.P2P
Security.IPS        All           Attacks.Malicious Code.P2P
RSA enVision Configuration: This rule compares the IM traffic events generated by the devices listed above against a
set of known IM file transfer keywords and known IM file transfer port numbers. Modify this rule if you add
new devices to your environment.
This rule is designed to work with the default configuration settings of the enVision product. It first
checks whether the event is an IM event, then searches for file transfer keywords inside the message body
and message ID with a regular expression. The rule also uses the watch list "IM Known File Transfer Ports"
to check for additional IM file transfer events. This rule may require periodic updates as new protocols and
port numbers become available.
Each filter is set to trigger when the event rate rises more than 15% above the baseline within 5 minutes. This
threshold may require adjustment depending on the environment and the security policies in place within the
network. Typically you should never see these events at all, so any increase from what should be a baseline of
zero events triggers this correlation immediately.
CRL-00147
Name: Active Directory Policy Modified
Purpose: Correlation rule CRL-00147 is used to detect whether an Active Directory policy object was modified. This
matters in an enterprise environment because such a modification can indicate privilege escalation, loss of
access and the like. Unauthorized policy changes can lead to unauthorized access or more serious compromises.
Supported Devices: This correlation rule supports the following devices:
Device Class    Device Type              Event Categories
Windows.Hosts   Windows Events (BL)      Security_566_Security, Security_566_Security:01
Windows.Hosts   Windows Events (ER)      Security_566_Security:02, Security_566_Security, Security_566_Security:01
Windows.Hosts   Windows Events (NIC)     Security_566_Security:02, Security_566_Security, Security_566_Security:01
Windows.Hosts   Windows Events (Snare)   Security_566_Security:02, Security_566_Security:01, Security_566_Security
RSA enVision Configuration: This rule matches the specific Windows Security event 566 ("Object Operation", generated
under directory service access auditing) and its message ID variants listed above. Ensure that auditing of
directory service access is enabled on your Active Directory domain controllers; otherwise event 566 is never
logged and the rule cannot fire.
CRL-00148
Name: Errors in Active Pulling of Events Detected
Purpose: This rule detects whether the Windows Agentless, ODBC, File Reader and XML services have encountered
errors while attempting to gather events from an event source in an enterprise environment. Such errors may
indicate system problems or failures on the event sources in question.
Supported Devices: This correlation rule supports the following devices:
Device Class     Device Type
Network.System   NIC System
RSA enVision Configuration: This rule looks at specific messages generated by enVision to determine whether there are
problems pulling events from a specific device. No thresholds are used, so the rule triggers on every
occurrence of an error related to the pulling of events. A threshold may be added if this sort of behavior
occurs naturally in the environment.
CRL-00149
Name: Errors Detected in SFTP Collection
Purpose: This rule is used to determine whether the NIC SFTP service has encountered errors while gathering events
from event sources. This rule is important in an enterprise environment because this method of event collection
is used by mission-critical systems such as Tripwire Enterprise, RSA SecurID, Microsoft SQL Server, Microsoft
ISA Server, Microsoft IIS, Microsoft Exchange Server, Juniper Steel-Belted Radius and Cisco Access Control
Server. An error in extracting events may indicate a system or network failure with causes ranging from
misconfiguration to a network attack.
Supported Devices: This correlation rule supports the following devices:
Device Class     Device Type
Network.System   NIC System
RSA enVision Configuration: This rule uses specific message IDs generated by enVision to detect an SFTP event transfer
error. No thresholds are used, so every occurrence of an SFTP error triggers the rule. A threshold may be
implemented if these events occur naturally in your environment.
CRL-00151
Name: Possible enVision Service Hang Detected
Purpose: This rule is designed to detect whether an enVision service has hung or crashed unexpectedly. Such an
event can be an indication of a successful denial-of-service attack against an enVision resource. This rule
alerts following a crash or unstable behavior of any of the following services: NIC Alerter, NIC Collector,
NIC Locator, NIC Logger, NIC File Reader, NIC Packager, NIC SDEE Collection, NIC Server, NIC Web Server,
NIC Windows Service and NIC DB Report Server.
Supported Devices: This correlation rule supports the following devices:
Device Class     Device Type
Windows.Hosts    Windows Events (NIC)
Network.System   NIC System
RSA enVision Configuration: This rule can be triggered by several conditions: an application hang on Windows reported
with message ID Application_1002, a failure of the enVision services to restart themselves reported with
message ID 260010 or 260011, or a service that has been restarted 4 times within the past 5 minutes.
The list of services is tied directly to the enVision services and requires very little maintenance.
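The counting logic shared by CRL-00136 (2 startup/shutdown/reboot events in 600 seconds) and CRL-00151 (4 service restarts in 5 minutes) is a sliding-window count kept per event source. The following Python is an added illustration written for this page, not enVision's rule engine or RSA's rule definition. It runs over a constructed list of events; the System.* categories are the ones CRL-00136 lists, while the category NIC.Service.Restart used for the restart messages is an assumption, since the document does not name the message that counts as a restart.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events, not taken from the document:
# (timestamp, event source, enVision event category).
# "NIC.Service.Restart" is an assumed label for the service-restart messages.
SAMPLE_EVENTS = [
    ("2010-07-30 08:00:00", "srv01", "System.Shutdown"),
    ("2010-07-30 08:03:00", "srv01", "System.Startup"),          # 2nd event within 600 s
    ("2010-07-30 08:40:00", "srv01", "System.Reboots"),          # alone in its window
    ("2010-07-30 08:00:00", "srv02", "System.Startup"),
    ("2010-07-30 09:30:00", "srv02", "System.Shutdown"),         # 90 min apart: no alert
    ("2010-07-30 10:00:00", "envision", "NIC.Service.Restart"),
    ("2010-07-30 10:01:00", "envision", "NIC.Service.Restart"),
    ("2010-07-30 10:02:00", "envision", "NIC.Service.Restart"),
    ("2010-07-30 10:03:00", "envision", "NIC.Service.Restart"),  # 4th within 300 s
    ("2010-07-30 10:04:00", "envision", "NIC.Service.Restart"),  # counter was reset on alert
]

TIME_FORMAT = "%Y-%m-%d %H:%M:%S"


def sliding_window_alerts(events, categories, threshold, window_seconds):
    """Fire once per event source each time `threshold` events from `categories`
    fall inside a `window_seconds`-wide window.

    Events are processed in timestamp order. A deque per source keeps the
    timestamps still inside the window; when it reaches the threshold an alert
    is recorded and the deque is cleared so counting starts over (the usual
    fire-and-reset behaviour of a SIEM threshold circuit).
    """
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)
    alerts = []
    for ts_text, source, category in sorted(events, key=lambda e: e[0]):
        if category not in categories:
            continue
        ts = datetime.strptime(ts_text, TIME_FORMAT)
        pending = recent[source]
        pending.append(ts)
        # Drop timestamps that fell out of the window before counting.
        while ts - pending[0] > window:
            pending.popleft()
        if len(pending) >= threshold:
            alerts.append({
                "source": source,
                "first": pending[0].strftime(TIME_FORMAT),
                "last": ts.strftime(TIME_FORMAT),
                "count": len(pending),
            })
            pending.clear()
    return alerts


def instability_alerts(events):
    """CRL-00136 as documented: 2 startup/shutdown/reboot events in 600 s."""
    return sliding_window_alerts(
        events, {"System.Startup", "System.Shutdown", "System.Reboots"}, 2, 600)


def service_restart_alerts(events):
    """CRL-00151's restart condition: 4 service restarts within 5 minutes."""
    return sliding_window_alerts(events, {"NIC.Service.Restart"}, 4, 300)


if __name__ == "__main__":
    for alert in instability_alerts(SAMPLE_EVENTS) + service_restart_alerts(SAMPLE_EVENTS):
        print(alert)
```

With the documented threshold of 2 in 600 seconds, srv01's shutdown at 08:00 followed by its startup at 08:03 is enough to fire, which is exactly the "clean reboot" case the tuning note above warns about; raising the threshold or narrowing the window is how that is tuned out.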
CRL-00153
Name: Critical Alerting Error Detected
Purpose: Correlation rule CRL-00153 detects whether a critical alerting error has occurred on enVision. This is
important because it may indicate errors such as failed database connections, bad XML, failure to open the LS
and the like. These errors have serious consequences for the enterprise environment because enVision is not in
a fully functional state and, as a result, malicious events may go undetected.
Upon triggering the rule, perform the following actions:
l Investigate the reporting source and determine why a critical error alert has occurred.
l Escalate and alert the necessary stakeholders.
Supported Devices: This correlation rule supports the following devices:
Device Class                Device Type   Description
Network.System/NIC System   NIC System    Specific messages related to the Alerter.
RSA enVision Configuration: This rule captures alerting errors generated by the enVision platform itself. Events such as
"Open LS error", "watchlist not found", DB errors, bad XML and write errors are some of the events that enVision
generates. No threshold has been provided because of the serious nature of these events for the system.
CRL-00154
Name: Critical Web Service Error Detected
Purpose: Correlation rule CRL-00154 detects whether a critical web service error has occurred on enVision. The NIC
Web Server handles the requests coming from the browser sessions used to operate the system. It also builds
scheduled reports and exported database tables. This service depends heavily on the NIC DB Server, so a loss of
connectivity to the database server is a strong indication of errors in the web service. This problem should be
addressed immediately, since the enVision GUI may fail to launch and malicious events will go undetected.
Upon triggering the rule, perform the following actions:
l Check connectivity to the NIC DB Server.
l Restart the NIC DB Server if the service has stopped.
l Escalate and alert the necessary stakeholders.
Supported Devices: This correlation rule supports the following devices:
Device Class                Device Type   Description
Network.System/NIC System   NIC System    Specific messages related to the Web Server Service.
RSA enVision Configuration: This rule captures web service errors generated by the enVision platform itself; a DB
error is one example of the events enVision generates. No threshold has been provided because of the serious
nature of these events for the system.
CRL-00155
Name: EPS Warning - EPS Approaching License Limits
Purpose: Correlation rule CRL-00155 indicates that an increase in the volume of events incoming to the RSA enVision
platform has been detected. If this continues, the excess events will be dropped and not collected by
enVision. This has serious consequences for the enterprise environment, since potential malicious activity may
go undetected because of the dropped messages. The increase might be the result of a newly added event source
in the enterprise; a defective event source may cause a similar situation. An increasing number of events can
also be an indication of malicious activity in the network, where an attacker tries to hide their actions
inside the event flood.
If this rule is triggered, perform the following actions:
l Determine the source of the activity and check for a defective event source.
l Purchase a higher EPS license if needed.
l As a workaround, block the source of the event flood (bearing in mind that this also blinds enVision to that
source).
l Escalate to appropriate stakeholders as necessary.
Supported Devices: This correlation rule supports the following devices:
Device Class                Device Type   Description
Network.System/NIC System   NIC System    Specific messages in System.License.Violation.
RSA enVision Configuration: This rule captures events generated by the enVision platform itself. Event flows that
exceed the license of the RSA enVision platform result in loss of events. Because this can cause serious harm
to an enterprise environment, every incident needs to be addressed by the enterprise security analyst, so no
threshold has been provided for this rule. However, if this sort of behavior occurs naturally in the
environment, add a threshold to this rule.
CRL-00156
Name: EPS Critical Error, Event Drop has been Detected
Purpose: Correlation rule CRL-00156 indicates that the volume of events incoming to the RSA enVision platform has
increased to the extent that events are being dropped and not collected by enVision. This has serious
consequences for the enterprise environment, since potential malicious activity may go undetected because of
the dropped messages. The increase might be the result of a newly added event source in the enterprise; a
defective event source may cause a similar situation. An increasing number of events can also be an indication
of malicious activity in the network, where an attacker tries to hide their actions inside the event flood.
If this rule is triggered, perform the following actions:
l Determine the source of the activity and check for a defective event source.
l Purchase a higher EPS license if needed.
l Isolate the source of the event flood as a workaround for this problem.
l Escalate to appropriate stakeholders as necessary.
Supported Devices: This correlation rule supports the following devices:
Device Class                Device Type   Description
Network.System/NIC System   NIC System    Specific messages in System.License.Violation.
RSA enVision Configuration: This rule captures events generated by the enVision platform itself. Because the event
flow to the RSA enVision platform exceeds its license, enVision has started dropping events. Since this can
cause serious harm to an enterprise environment, every incident needs to be addressed by the enterprise security
analyst, so no threshold has been provided for this rule. However, if this sort of behavior occurs naturally in
the environment, add a threshold to this rule.
CRL-00157
Name: RSA enVision Content Update Failure Detected
Purpose: Correlation rule CRL-00157 detects whether an error has occurred during the enVision content update
process. Updates are very important to the enVision system, as they keep its content up to date and accurate.
A failed update potentially lowers the accuracy of the messages the system generates.
Supported Devices: This correlation rule supports the following devices:
Device Class                Device Type   Description
Network.System/NIC System   NIC System    Specific messages related to the Alerter.
RSA enVision Configuration: This rule captures update errors generated by the enVision platform itself. No threshold
has been provided because of the serious nature of these events for the system.
CRL-00158
Name: Errors Detected in enVision DB System
Purpose: Correlation rule CRL-00158 detects errors that affect the enVision DB system. The rule covers errors from
the LSIndex, DBConfig, Packager and ODBC components. These errors have serious consequences for the enterprise
environment because enVision is not in a fully functional state and, as a result, malicious events may go
undetected.
Upon triggering the rule, perform the following actions:
l Investigate the faulting service and determine why a critical error alert has occurred.
l Escalate and alert the necessary stakeholders.
Supported Devices: This correlation rule supports the following devices:
Device Class                Device Type   Description
Network.System/NIC System   NIC System    Specific messages related to the Alerter.
RSA enVision Configuration: This rule captures errors generated by the enVision platform itself. Events from the LSIndex,
DBConfig, Packager and ODBC components are monitored. No threshold has been provided because of the serious
nature of these events for the system.
CRL-00159
Name: Critical Error Detected in the NIC Packager Service
Purpose: Correlation rule CRL-00159 detects a critical error condition within the Packager component.
Upon triggering the rule, perform the following actions:
l Monitor the NIC Packager Service and, if necessary, contact enVision Customer Service.
l If the Packager process is deadlocked on a given task, restart the Packager after seeing this event. This
clears the error condition and allows the Packager to resume normal operations.
Supported Devices: This correlation rule supports the following devices:
Device Class   Device Type   Description
NIC_ALL        N/A           All enVision supported devices
RSA enVision Configuration: The Packager should return from its processing tasks within a certain time frame; when a
task requires more time than the default period, enVision generates an event to indicate a potential error
condition.
The Packager can take longer than expected to process very large temporary files, which can cause this rule to
fire even when there is no real problem with the Packager.
CRL-00160
Name: Possible Network Performance Degradation Detected
Purpose: This rule looks for excessive network-related errors reported by network and security devices (such as
switches, routers and firewalls) that can have a significant impact on network performance, specifically:
1. Excessive network collisions, possibly caused by faulty network interfaces or devices, network loops or an
extremely busy network;
2. Duplex mismatches, which occur when the two ends of a link operate at different duplex settings (one full
duplex, the other half duplex), typically because auto-negotiation failed or one side was configured manually;
3. Excessive alignment errors, possibly caused by excessive network noise, faulty cabling, faulty network
interfaces, a faulty transmitting device, or device startups/shutdowns.
Supported Devices: This correlation rule supports the following devices:
Device Class        Device Type
Network.Switch      All
Network.Router      All
Security.Firewall   All
RSA enVision Configuration: This rule looks for any possible network performance degradation. It uses the event
category Network.Routing.Errors.Collisions as well as specific message IDs from each device class. The event
category only covers collisions, so specific event IDs are added for duplex mismatches and alignment/CRC
errors. The device classes covered are switches, routers and firewalls.
Under normal circumstances, events such as collisions, drops or CRC errors occur at a relatively low rate.
A sharp rise in their number, however, indicates problems within the network, so a threshold of a 35% increase
over the average is set for this rule. Note that if no events have been detected for a period of time, the
baseline is 0 and a single event will trigger the rule. The threshold should be fine-tuned for the environment.
CRL-00161
Name: Possible Corruption of Event Data stored within the IPDB
Purpose: This rule is designed to trigger on a number of possible IPDB corruption events reported by the RSA
enVision system. This is important to monitor, as it speaks to the health of your enVision system and can point
to possible data tampering or hardware problems on the machine itself.
Supported Devices: This correlation rule supports the following devices:
Device Class     Device Type   Events
Network.System   NIC System    505400, 505405
RSA enVision Configuration: The rule is a single circuit that looks for the two events that RSA enVision reports as
possible corruption of event data. When a corrupted file is discovered, enVision tries to access the file
several times before giving up, which produces several identical events. When this occurs, it is recommended
that you suppress the duplicate alerts so that the view is not overwhelmed.
CRL-00162
Name: Account privilege elevation followed by restoration of previous account state within a 26 hour period
Purpose: This rule is designed to detect whether a user has been added to and then removed from the same group
within 26 hours. This is important to monitor, as it could indicate that an account is being used for malicious
activity against a network by elevating a user's privileges temporarily to perform that activity.
Supported Devices: This correlation rule supports the following devices:
Device Class        Device Type                           Description
Windows.Hosts       Windows Events (BL, ER, NIC, Snare)   User.Management.Groups.Modifications.User Removed,
                                                          User.Management.Groups.Modifications.User Added
Security.Firewall   Cisco PIX Firewall, Cisco ASA         502103
All                 All                                   User.Management.Groups.Modifications.User Removed,
                                                          User.Management.Groups.Modifications.User Added
RSA enVision Configuration: The rule is designed with 2 circuits to look for very specific behavior. Specifically, it
searches for a user that has been added to a group or has had their privilege level raised. Then, within the
next 26 hours, it checks whether the user was removed from the group they were added to or their privilege
level was reset.
Primarily this rule uses events categorized as User.Management.Groups.Modifications.User Added and
User.Management.Groups.Modifications.User Removed. For Cisco PIX and ASA, however, it uses the specific
message listed in the Supported Devices table.
Typically within a network, users are added to or removed from groups infrequently. A user having their
privileges escalated or modified for a short period of time may indicate that an attacker is attempting to
route around your security policies to enable greater access for a particular user to perform malicious
activities. Each event is considered individually to ensure that no user events are accidentally filtered out
by the baselines themselves.
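CRL-00127 and CRL-00162 are both two-event correlations with a time window, but of opposite kinds: CRL-00127 fires when the second event (a password change) is still absent 24 hours after the first, while CRL-00162 fires when the second event (removal from the group) is present within 26 hours of the first. The Python below is an added example written for this page, not an enVision rule definition. The two group-membership categories are those the page names; User.Management.Account.Created and User.Management.Password.Changed are assumed labels, as the document does not say which categories CRL-00127 uses, and the sample events are constructed.

```python
from datetime import datetime, timedelta

TIME_FORMAT = "%Y-%m-%d %H:%M:%S"

# Constructed sample events, not from the document:
# (timestamp, category, user, group or empty string).
SAMPLE_EVENTS = [
    ("2010-07-30 09:00:00", "User.Management.Account.Created",  "jdoe",       ""),
    ("2010-07-30 10:00:00", "User.Management.Password.Changed", "jdoe",       ""),
    ("2010-07-30 09:30:00", "User.Management.Account.Created",  "svc_backup", ""),
    ("2010-07-31 08:00:00", "User.Management.Account.Created",  "tmp_user",   ""),
    ("2010-07-30 11:00:00", "User.Management.Groups.Modifications.User Added",   "jdoe",   "Domain Admins"),
    ("2010-07-30 13:00:00", "User.Management.Groups.Modifications.User Removed", "jdoe",   "Domain Admins"),
    ("2010-07-30 11:00:00", "User.Management.Groups.Modifications.User Added",   "asmith", "Backup Operators"),
    ("2010-08-02 11:00:00", "User.Management.Groups.Modifications.User Removed", "asmith", "Backup Operators"),
]

# Assumed category names for CRL-00127 (the document does not name them).
CREATED = "User.Management.Account.Created"
PASSWORD_CHANGED = "User.Management.Password.Changed"
# Category names as listed for CRL-00162.
GROUP_ADDED = "User.Management.Groups.Modifications.User Added"
GROUP_REMOVED = "User.Management.Groups.Modifications.User Removed"

# The moment at which the sample is evaluated (constructed).
EVALUATION_TIME = datetime(2010, 7, 31, 12, 0, 0)


def _parse(ts_text):
    return datetime.strptime(ts_text, TIME_FORMAT)


def default_password_unchanged(events, now, window_hours=24):
    """CRL-00127: accounts created at least `window_hours` ago with no
    password change inside the `window_hours` after creation.

    This is an 'absence' correlation: it can only be decided once the window
    has expired, so the evaluation time `now` is part of the input. Accounts
    whose window is still open are not reported yet.
    """
    changes = [(_parse(ts), user) for ts, cat, user, _ in events if cat == PASSWORD_CHANGED]
    window = timedelta(hours=window_hours)
    flagged = []
    for ts_text, cat, user, _ in sorted(events, key=lambda e: e[0]):
        if cat != CREATED:
            continue
        created = _parse(ts_text)
        deadline = created + window
        if deadline > now:
            continue  # window still open; nothing to decide yet
        changed_in_time = any(user == u and created <= t <= deadline for t, u in changes)
        if not changed_in_time:
            flagged.append(user)
    return flagged


def temporary_privilege(events, window_hours=26):
    """CRL-00162: a user added to a group and removed from the same group
    within `window_hours`. Returns (user, group, hours between) tuples."""
    window = timedelta(hours=window_hours)
    open_adds = {}  # (user, group) -> time the user was added
    flagged = []
    for ts_text, cat, user, group in sorted(events, key=lambda e: e[0]):
        ts = _parse(ts_text)
        key = (user, group)
        if cat == GROUP_ADDED:
            open_adds[key] = ts
        elif cat == GROUP_REMOVED and key in open_adds:
            added = open_adds.pop(key)
            if ts - added <= window:
                flagged.append((user, group, (ts - added).total_seconds() / 3600))
    return flagged


if __name__ == "__main__":
    print(default_password_unchanged(SAMPLE_EVENTS, EVALUATION_TIME))
    print(temporary_privilege(SAMPLE_EVENTS))
```

The absence rule is the one to watch operationally: it needs the creation event to be retained for the full 24 hours, and an account created just before the evaluation (tmp_user in the sample) produces nothing until its window closes, so a rule engine that only evaluates on event arrival will never fire for an account that receives no further events at all.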
CRL-00163
Overview
Name: RSA enVision Disk Warning
Purpose: The purpose of CRL-00163 is to detect conditions where the available log storage for RSA enVision
reaches critical levels that threaten to shut down log collection, or have already shut it down.
Audience: The audience for this rule is any organization that approaches the capacity of its available log storage.
Introduction: RSA enVision has limited space for storing logs. Some organizations may be unaware that their
available log storage space can reach a critical threshold. RSA enVision monitors its assigned log storage
directories and records when a configured threshold is reached. RSA enVision also records when event
collection ceases due to a lack of free space. This rule provides a simple alert so that organizations can
monitor their enVision environment and take corrective action before the system is impacted.
Requirements
Device Class/Systems: This rule requires the NIC device class.
Configuration of Environment: No configuration is required. Logging of the required events is enabled by default.
Technical Analysis
Rule Logic: This rule contains one circuit and one statement.
This rule triggers when any of the following NIC message IDs is generated:
l 100002
l 100002:02
l 100009
CRL-00190
Overview
Name: Potential Phishing Attack
Purpose: The goal of this rule is to detect a phishing attack against an organization's hosted site. CRL-00190 is
designed to detect suspicious activity that strongly suggests a fraudulent site is active, and to alert users to it.
Audience: This rule is intended for any organization that hosts an external-facing website and, in turn, is concerned
about the security of its information.
Introduction: Phishing attacks have long posed a problem to online security. A common method used to detect
malicious phishing activity involves tracing referrer data. To avoid detection of their phishing sites,
attackers often keep their malicious website footprint small. They do this by limiting the number of images
on the fraudulent website, which means the attacker links to images on the targeted organization's website instead.
CRL-00190 tracks these activities by examining the web referrer fields. If these fields do not originate
from the same web domain as the hosted site, an alert is issued.
Requirements
Device Class/Systems: This rule requires the use of systems that generate web logs and detailed web referrer fields. Currently,
RSA supports three event sources that provide this information. For this rule to function, you must have
one of the following event sources configured on your RSA enVision system:
• Apache HTTP Server
• Microsoft Internet Information Services
• Blue Coat Systems Security Gateway OS
Configuration of Environment: If you are running Apache HTTP Server, you must update the Web Server configuration. For the latest
configuration instructions for Apache HTTP Server, see the Apache HTTP Server configuration document
on SecurCare Online.
If you are running Microsoft Internet Information Services or Blue Coat Systems Security Gateway OS,
the configuration of these devices remains the same.
Technical Analysis
Rule Logic: This rule monitors web logs to make sure no phishing attacker is extracting images and links from an
organization's hosted site. This rule confirms that an image and its referrer domain originate from the
main web domain. The phishing attack circuit has two statements. The first statement sets up a
cache variable to store the web domain value. The second statement detects whether there are images on a site
and verifies that the web domain and the web referrer domain are the same. If the web domain and web
referrer differ, an alert is triggered.
CRL-00190 focuses on all events from the Web Logs class which have the variable webAction_domain
in the XML. RSA multi-threads through this variable.
The following tables describe the statements of this rule:

Circuit/Statement   Meaning
S1                  Web Domain with cache set
S2                  Image and Referrer Info

S1  S2  Description                                              Action
0   0   Trivial                                                  No Alarm
0   1   Image and Referrer info without setting a cache          No Alarm
1   0   No image or Referrer                                     No alarm
1   1   Image and Referrer info with the appropriate cache set   Alarm
False Positive/Negative Mitigation: If an organization hosts its images or links on different servers, the web domain and the web referrer do
not need to match. In such cases, the rule can produce a false positive. To avoid this issue, create a filter with a
list of valid referrer domains.
Quick Deployment Guide
Device Configurations: For this rule to function, the remediated XML for Apache, Microsoft Internet Information Services, or
Blue Coat Systems Security Gateway OS must be configured on the RSA enVision system.
If you are running Apache HTTP Server, you must configure the event source with the new logging
format. To view the latest configuration steps for Apache HTTP Server, refer to the Apache HTTP
Server configuration document on SecurCare Online.
Rule Customization: In this rule packet, there is a list of image extensions that CRL-00190 identifies. You can modify this list
to accommodate the extensions of links and images on the organization's hosted site.
CRL-00191
Overview
Name: Potential Phishing Attack
Purpose: The purpose of CRL-00191 is to detect behaviors associated with phishing attacks against a hosted website.
This rule focuses on hosting, and is geared towards detecting suspicious activity that indicates an active
phishing site exists.
Audience: The audience for this rule is any organization that hosts external-facing websites and is concerned about
attacks meant to steal their information and victimize their users.
Introduction: Phishing attacks have existed for many years in various forms. One method of detecting behaviors
associated with certain phishing attacks is to follow the referrer data. To avoid detection of their phishing
sites, some attackers keep their malicious website footprint small and link to the targeted organization's
website instead of loading images onto their web pages. This rule tracks these attacks by looking at the
web referrer fields to ensure that they match a known, and authorized, list of web hosts.
Requirements
Device Class/Systems: This rule requires the use of systems that generate web logs and specifically generate detailed web
referrer fields. The following devices have been remediated and are suitable for this rule:
• Apache Web Server
• Microsoft Internet Information Services (IIS)
• Blue Coat Extended Log File Format (ELFF)
Configuration of Environment: Refer to RSA SecurCare Online for specific instructions on device setup and logging through enVision.
Technical Analysis
Rule Logic: The rule logic is divided into Circuits, which consist of Statements that use conditional operators to form
a larger logical meaning out of smaller subunits. The smallest unit can be any specific variable from the
content. The logical operators consist of logic words, such as AND and OR. They also include, but are not
limited to, logic phrases, such as "followed by" and "not in".
CRL-00191 uses the following algorithm:

Set thread to variable=web_domain on class=host.security.nic security correlated class
Circuit1
    Statement1
        Cache the web_domain values for weblog devices Apache, CacheflowELFF & MicrosoftIIS
    AND
    Statement2
        Set filter to detect how many webpage values contain an image (use regex, e.g. *jpg, *gif)
        AND
        Compare web_referer_domain values to cached web_domain values for a possible mismatch
        AND
        Check that web_referer_domain value is not an accepted one, by comparing it with values in custom created watchlist
End Circuit1
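A worked version of the CRL-00190 and CRL-00191 referrer logic, added here as an example rather than code from the rule packet. It parses constructed Apache lines (assumed to carry the virtual host as a first field, since the page says Apache needs an updated log format but does not show it), caches web_domain, and alarms on image requests whose referrer domain differs from it and is not in the approved-referrer watchlist that CRL-00191 adds.

```python
import re
from urllib.parse import urlparse

# Constructed Apache lines. Assumed format: the virtual host (%v) prepended to the
# combined log format, so that the site's own domain is available as web_domain.
SAMPLE_LOG = """\
www.example-bank.test 203.0.113.7 - - [30/Jul/2010:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
www.example-bank.test 203.0.113.7 - - [30/Jul/2010:10:01:03 +0000] "GET /img/logo.gif HTTP/1.1" 200 812 "http://www.example-bank.test/index.html" "Mozilla/5.0"
www.example-bank.test 198.51.100.9 - - [30/Jul/2010:10:02:10 +0000] "GET /img/logo.gif HTTP/1.1" 200 812 "http://cdn.example-bank.test/login" "Mozilla/5.0"
www.example-bank.test 192.0.2.44 - - [30/Jul/2010:10:03:15 +0000] "GET /img/logo.gif HTTP/1.1" 200 812 "http://secure-login-bank.example/verify.php" "Mozilla/5.0"
www.example-bank.test 192.0.2.45 - - [30/Jul/2010:10:03:16 +0000] "GET /css/site.css HTTP/1.1" 200 300 "http://secure-login-bank.example/verify.php" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<vhost>\S+) (?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# The rule packet ships its own list of image extensions; this list is an assumption.
IMAGE_EXTENSIONS = (".gif", ".jpg", ".jpeg", ".png", ".ico")


def parse_line(line):
    """Return the event fields the rule needs, or None for a line that does not parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    ev = m.groupdict()
    ev["web_domain"] = ev["vhost"].lower()
    ref = ev["referer"]
    host = urlparse(ref).hostname if ref and ref != "-" else None
    ev["web_referer_domain"] = host.lower() if host else ""
    return ev


def is_image(path):
    # Compare the path only, so a query string does not hide the extension
    return urlparse(path).path.lower().endswith(IMAGE_EXTENSIONS)


def detect_phishing_referers(lines, approved_referers=frozenset()):
    """Statement 1 caches web_domain (the thread variable); statement 2 alarms on an
    image request whose referrer domain differs from the cached domain. The
    approved_referers watchlist is the extra test CRL-00191 adds."""
    cache_web_domain = {}
    alarms = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        dom = ev["web_domain"]
        cache_web_domain[dom] = dom                      # Statement 1
        if not is_image(ev["path"]):                     # Statement 2 starts here
            continue
        ref_dom = ev["web_referer_domain"]
        if not ref_dom or ref_dom == cache_web_domain[dom]:
            continue                                     # same site, or no referrer to compare
        if ref_dom in approved_referers:
            continue                                     # CRL-00191 watchlist of valid referrers
        alarms.append({"client": ev["client"], "web_domain": dom,
                       "referer_domain": ref_dom, "path": ev["path"]})
    return alarms


if __name__ == "__main__":
    for alarm in detect_phishing_referers(SAMPLE_LOG.splitlines()):
        print(alarm)
```

The third sample line (an image served to a page on the organization's own CDN host) is the false positive the page describes; passing that host in approved_referers suppresses it while the fraudulent-site referrer still alarms.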
False Positive and False Negative Mitigation: Avoid false positives because they decrease the level of confidence in the rules. Eliminate false
negatives because they decrease rule functionality and create a serious security lapse. The following truth
table summarizes the behavior of this correlation rule and explains when the rule should fire.

S1     S2     Description                                                     Action
False  False  Trivial (beware of false positives)                             Test for false positives
False  True   Image and Referrer information without setting a cache          No alarm -- test for false positives
True   False  No image or Referrer                                            No alarm -- test for false positives
True   True   Image and Referrer information with the appropriate cache set   Alarm -- the rule should fire in this case -- always test for false negatives
Quick Deployment Guide
Device Configurations: Refer to RSA SecurCare Online for enVision device configuration documentation.
Rule Customization: Users can introduce a watchlist with their custom web referrer domain list. This serves as the list of valid
web referrer domains against which the rule makes its comparisons. Users must create a view to use the rule.
CRL-00192-01
Overview
Name: Policy Access Violation
Purpose: Rule CRL-00192-01 is designed to detect improper usage of IT systems. This rule focuses on detecting
login activities associated with either sharing credentials or the failure to properly sign out of systems.
Audience: This rule is intended for any organization that is concerned with detecting violations of its acceptable
use policy regarding access credentials and permitted uses.
Introduction: Policies surrounding corporate and remote access systems typically require users to log out when they are
finished with their activities. Other policies may be concerned with account abuse, where one account is
being used by multiple people. This rule monitors the activity of accounts where the user fails to log off
(from either the console of a system or a remote access session) and then logs on to the other.
Requirements
Device Class/Systems: This rule requires the use of Windows event logs. This version of the rule works only for Windows Server
2003. RSA enVision currently supports three collection methods for Windows Server 2003:
• Agentless
• Intersect Alliance SNARE
• Adiscon EventReporter
This rule also requires the use of one of the following VPN devices that enVision currently supports:
• Aventail SSL VPN
• Cisco VPN 3000
• Citrix Access Gateway
• F5 Firepass
• Intel VPN
• Juniper SSL VPN
• Nortel VPN Contivity
Configuration of Environment: For the latest configuration instructions, refer to RSA SecurCare Online for instructions on how to
configure your Windows event source, and your VPN event source, to send events to enVision.
Technical Analysis
Rule Logic
Note: Rule CRL-00192-01 does not work for Windows Server 2008 logon/logoff events.
Rule CRL-00192-01 checks for interactive Windows logon events (Security event ID 528 and logon type
equals 2), interactive Windows logoff events (Security event ID 538 and logon type equals 2), and VPN
logon events (events categorized under Auth.Successful and User.Activity.Successful Logins) for the
same user account.
By default, CRL-00192-01 triggers an alert if a user who is already logged on to a Windows Server 2003
workstation logs on to the same server using a different method (for example, logging in to the server
using the console, then logging in to the server using VPN) within 60 seconds. You can change the time
parameter in the enVision UI.
The behavior of CRL-00192-01 can be described using the following truth table. The columns are in time order: the
interactive Windows logon event is followed by the interactive Windows logoff event, which is followed by the VPN logon event.

Interactive Windows   Interactive Windows   VPN logon event to
logon event           logoff event          Windows workstation   Action
True                  False                 False                 No alert
True                  False                 True                  Alert
True                  True                  False                 No alert
True                  True                  True                  No alert
Quick Deployment Guide
Device Configurations: For the latest configuration instructions, refer to RSA SecurCare Online for instructions on how to
configure your Windows event source, and your VPN event source, to send events to enVision.
Rule Customization: The built-in version of CRL-00192-01 filters Windows logon and logoff events based on logon type. It
can be customized by adding more filters:

Windows logon events
Description (field to filter on)   Field Variable (variable to use)
Domain                             Domain
Workstation Name                   Work Station

Windows logoff events
Description (field to filter on)   Field Variable (variable to use)
Domain                             Domain
CRL-00192-02
Overview
Name: Policy Access Violation
Purpose: Rule CRL-00192-02 is designed to detect improper usage of IT systems. This rule focuses on detecting
login activities associated with either sharing credentials or the failure to properly sign out of systems.
Audience: This rule is intended for any organization that is concerned with detecting violations of its acceptable
use policy regarding access credentials and permitted uses.
Introduction: Policies surrounding corporate and remote access systems typically require users to log out when they are
finished with their activities. Other policies may be concerned with account abuse, where one account is
being used by multiple people. This rule monitors the activity of accounts where the user fails to log off
(from either the console of a system or a remote access session) and then logs on to the other.
Requirements
Device Class/Systems: This rule requires the use of Windows event logs. This version of the rule works only for Windows Server
2003. RSA enVision currently supports three collection methods for Windows Server 2003:
• Agentless
• Intersect Alliance SNARE
• Adiscon EventReporter
This rule also requires the use of one of the following VPN devices that enVision currently supports:
• Aventail SSL VPN
• Cisco VPN 3000
• Citrix Access Gateway
• F5 Firepass
• Intel VPN
• Juniper SSL VPN
• Nortel VPN Contivity
Configuration of Environment: For the latest configuration instructions, refer to RSA SecurCare Online for instructions on how to
configure your Windows event source, and your VPN event source, to send events to enVision.
Technical Analysis
Rule Logic
Note: Rule CRL-00192-02 does not work for Windows Server 2008 logon/logoff events.
Rule CRL-00192-02 checks for VPN logon events, VPN logoff events (categorized under
User.Activity.Logoff), and interactive Windows logon events for the same user account.
By default, CRL-00192-02 triggers an alert if a user who is already logged on to a Windows Server 2003
workstation logs on to the same server using a different method (for example, logging in to the server
using the console, then logging in to the server using VPN) within 60 seconds. You can change the time
parameter in the enVision UI.
The behavior of CRL-00192-02 can be described using the following truth table. The columns are in time order: the
VPN logon event is followed by the VPN logoff event, which is followed by the interactive Windows logon event.

VPN logon event to    VPN logoff event to   Interactive Windows
Windows workstation   Windows workstation   logon event           Action
True                  False                 False                 No alert
True                  False                 True                  Alert
True                  True                  False                 No alert
True                  True                  True                  No alert
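Both CRL-00192 variants as one added Python example (not the enVision rule itself), correlating constructed Windows and VPN events per user account: a start event opens a 60-second window, the matching logoff cancels it, and the other logon method inside the window raises the alert, which reproduces each row of the two truth tables above.

```python
from datetime import datetime, timedelta


def make_event(time, user, source, **fields):
    """Constructed event reduced to the fields the rule needs."""
    ev = {"time": datetime.fromisoformat(time), "user": user, "source": source,
          "event_id": None, "logon_type": None, "category": None}
    ev.update(fields)
    return ev


SAMPLE_EVENTS = [
    # jsmith: console logon, then a VPN logon 30 s later with no logoff in between (CRL-00192-01 alert)
    make_event("2010-07-30T09:00:00", "jsmith", "windows", event_id=528, logon_type=2),
    make_event("2010-07-30T09:00:30", "jsmith", "vpn", category="Auth.Successful"),
    # alee: console logon, a proper logoff, then VPN logon (the True/True/True row: no alert)
    make_event("2010-07-30T09:10:00", "alee", "windows", event_id=528, logon_type=2),
    make_event("2010-07-30T09:10:20", "alee", "windows", event_id=538, logon_type=2),
    make_event("2010-07-30T09:10:40", "alee", "vpn", category="Auth.Successful"),
    # bkhan: console logon, VPN logon five minutes later, outside the default 60 s window
    make_event("2010-07-30T09:20:00", "bkhan", "windows", event_id=528, logon_type=2),
    make_event("2010-07-30T09:25:00", "bkhan", "vpn", category="Auth.Successful"),
    # cdiaz: VPN logon, then a console logon 15 s later with no VPN logoff (CRL-00192-02 alert)
    make_event("2010-07-30T09:30:00", "cdiaz", "vpn", category="User.Activity.Successful Logins"),
    make_event("2010-07-30T09:30:15", "cdiaz", "windows", event_id=528, logon_type=2),
    # a network logon (type 3) is not interactive and must be ignored by both rules
    make_event("2010-07-30T09:40:00", "cdiaz", "windows", event_id=528, logon_type=3),
]


def is_win_interactive_logon(ev):
    return ev["source"] == "windows" and ev["event_id"] == 528 and ev["logon_type"] == 2


def is_win_interactive_logoff(ev):
    return ev["source"] == "windows" and ev["event_id"] == 538 and ev["logon_type"] == 2


def is_vpn_logon(ev):
    return ev["source"] == "vpn" and ev["category"] in ("Auth.Successful",
                                                         "User.Activity.Successful Logins")


def is_vpn_logoff(ev):
    return ev["source"] == "vpn" and ev["category"] == "User.Activity.Logoff"


def correlate(events, start, cancel, trigger, window):
    """Thread on the user account: a start event opens a window, a cancel event (the
    matching logoff) closes it, and a trigger event inside the window raises an alert."""
    pending = {}   # user -> time of the open start event
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        user = ev["user"].lower()
        if start(ev):
            pending[user] = ev["time"]
        elif cancel(ev):
            pending.pop(user, None)
        elif trigger(ev) and user in pending:
            if ev["time"] - pending.pop(user) <= window:
                alerts.append((user, ev["time"]))
    return alerts


def crl_00192_01(events, window_seconds=60):
    """Interactive Windows logon, no interactive logoff, then a VPN logon within the window."""
    return correlate(events, is_win_interactive_logon, is_win_interactive_logoff,
                     is_vpn_logon, timedelta(seconds=window_seconds))


def crl_00192_02(events, window_seconds=60):
    """VPN logon, no VPN logoff, then an interactive Windows logon within the window."""
    return correlate(events, is_vpn_logon, is_vpn_logoff,
                     is_win_interactive_logon, timedelta(seconds=window_seconds))


if __name__ == "__main__":
    print("CRL-00192-01:", crl_00192_01(SAMPLE_EVENTS))
    print("CRL-00192-02:", crl_00192_02(SAMPLE_EVENTS))
```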
Quick Deployment Guide
Device Configurations: Refer to RSA SecurCare Online for instructions on how to configure your VPN event source and your
Windows event source to send events to enVision.
Rule Customization: The built-in version of CRL-00192-02 filters Windows logon and logoff events based on logon type. It
can be customized by adding more filters:

Windows logon events
Description (field to filter on)   Field Variable (variable to use)
Domain                             Domain
Workstation Name                   Work Station

Windows logoff events
Description (field to filter on)   Field Variable (variable to use)
Domain                             Domain
CRL-00193
Overview
Name: Malware Drive-By Download
Purpose: Rule CRL-00193 alerts you when malware is downloaded and installed. This rule is divided into the
following sub-rules:
• CRL-00193-01
• CRL-00193-02
• CRL-00193-03
Rule CRL-00193-01 detects whether code from malicious web sites has been downloaded and executed. This
rule uses web proxy logs to detect redirections to malicious web sites.
Rule CRL-00193-02 detects changes to the Windows registry and the Windows file system that are
reported by Tripwire Enterprise.
Rule CRL-00193-03 detects file downloads onto the client machine using the Bluecoat Proxy logs. Based
on the file type, and in combination with CRL-00193-02, this rule helps detect web attacks through
exploited file types.
Audience: This rule is intended for organizations that are concerned about the safety of their data and the possibility
of having malware running on their workstations.
Introduction: A malware drive-by download occurs when a malicious web site downloads and installs code without the
user's knowledge. This kind of attack exploits vulnerabilities in browsers and plug-ins to redirect users to
a malicious web site that downloads and executes code.
Although some changes to the Windows registry or to the Windows file system are legitimate, others are
not. After being run, malware usually starts its activity on a Windows workstation by altering the registry
to change the system configuration or by installing new programs that run at startup. Malware can also
add executable files to the Windows file system that can be used to install back doors, dump passwords,
obtain e-mails from servers, and perform many other tasks. A new form of drive-by-download web attack uses
morphed file types commonly downloaded from the Internet. For example, a .pdf file or a .doc file may be
exploited to redirect browsers to a web site that downloads a malicious executable.
Requirements
CRL-00193-01
Device Class or Systems: CRL-00193-01 requires the use of systems that generate web proxy logs. You must have Blue Coat
Systems Security Gateway OS configured on your RSA enVision system.
Other Requirements: You must create a watchlist named Content_Filter_Categories and add values from the Blue Coat
Systems Security Gateway OS filter categories database. For example, you might add values such as
Hacking, Phishing, Spyware/Malware Sources, and Uncategorized. For information on creating
watchlists, see the enVision Help.
CRL-00193-02
Device Class or Systems: This rule requires the use of Tripwire Enterprise. RSA enVision currently supports the following versions:
• 5.4
• 5.5
• 7.5
Other Requirements: You must create a watchlist named FileSystem_Registry_Changes and add the paths of Windows
registry keys and Windows files or directories of interest. For example, you might add the following
values to your watchlist:
• HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
• HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
• C:\Documents and Settings\All Users\Start Menu\Programs\Startup
For more information about creating watchlists, see the enVision Help.
In the Tripwire Enterprise server, you must define your file system node by its IP address, not by its
hostname. For more information, see the Tripwire documentation.
CRL-00193-03
Device Class or Systems: CRL-00193-03 requires the use of systems that generate web proxy logs. You must have Blue Coat
Systems Security Gateway OS configured on your RSA enVision server.
Other Requirements: You must create a watchlist named Content_Filter_Categories, and add values from the Blue Coat
Systems Security Gateway OS filter categories database. For example, you might add values such as
Hacking, Phishing, Spyware/Malware Sources, and Uncategorized. For information about creating
watchlists, see the enVision Help.
Technical Analysis
CRL-00193-01
Rule Logic: This rule examines the web proxy logs and searches for suspicious activity within these logs.
A malware drive-by download occurs through the following steps:
• A user browses to the web site.
• The attacker injects code that can exploit a browser vulnerability into a web site.
• The code redirects the browser, through one or more redirections, to a malicious web site.
• The malicious web site downloads an executable and runs it without the user's knowledge.
CRL-00193-01 looks for redirections to a malicious site that downloads an executable file and runs it on
the user's system. This rule verifies the authenticity of the web site through the content filter provided by
Blue Coat Systems Security Gateway OS.
Circuit   Meaning
C1        Look for redirections
C2        Followed by executable downloads from uncategorized sites

C1  C2  Description                                                                  Action
0   0   Trivial                                                                      No alarm
0   1   No redirections, executable downloads from the intended site                 No alarm
1   0   Redirections followed by executable downloads                                No alarm
1   1   Redirections followed by executable downloads from an uncategorized site     Alarm
False Positive and False Negative Mitigation: Depending on the web proxy setup within your environment, this rule may produce false negatives.
Because Blue Coat Systems Security Gateway OS uses SFTP, the time gap between two file uploads can
cause false negatives. By default, the circuits fire after a sixty-second delay. You can adjust this time gap
to meet the needs of your environment.
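The two circuits of CRL-00193-01 over constructed proxy events, added as an example rather than the rule's own code: a redirect for a client starts the window, and an executable fetched within it from a category in the Content_Filter_Categories watchlist alarms. The last client shows the time-gap false negative described above, which only a wider window catches.

```python
from datetime import datetime, timedelta

# Values the page suggests for the Content_Filter_Categories watchlist
CONTENT_FILTER_CATEGORIES = {"Hacking", "Phishing", "Spyware/Malware Sources", "Uncategorized"}


def proxy_event(time, c_ip, status, host, path, category):
    """Constructed Blue Coat proxy event reduced to the fields the circuits read."""
    return {"time": datetime.fromisoformat(time), "c_ip": c_ip, "sc_status": status,
            "cs_host": host, "cs_uri_path": path, "sc_filter_category": category}


SAMPLE_EVENTS = [
    # 10.0.0.5: redirect, then an executable from an uncategorized host 20 s later (row 1/1: alarm)
    proxy_event("2010-07-30T10:00:00", "10.0.0.5", 302, "news.example", "/story", "News"),
    proxy_event("2010-07-30T10:00:20", "10.0.0.5", 200, "dl-mirror.test", "/setup.exe", "Uncategorized"),
    # 10.0.0.6: executable from a categorized vendor site with no redirect (row 0/1: no alarm)
    proxy_event("2010-07-30T10:02:00", "10.0.0.6", 200, "vendor.example", "/update.exe", "Software Downloads"),
    # 10.0.0.7: redirect followed by an executable from a categorized site (row 1/0: no alarm)
    proxy_event("2010-07-30T10:05:00", "10.0.0.7", 301, "vendor.example", "/old", "Software Downloads"),
    proxy_event("2010-07-30T10:05:10", "10.0.0.7", 200, "vendor.example", "/update.exe", "Software Downloads"),
    # 10.0.0.8: redirect, then the executable arrives 120 s later (the time gap the page warns about)
    proxy_event("2010-07-30T10:10:00", "10.0.0.8", 302, "blog.example", "/post", "Blogs"),
    proxy_event("2010-07-30T10:12:00", "10.0.0.8", 200, "dl-mirror.test", "/codec.exe", "Uncategorized"),
]


def is_redirect(ev):
    """Circuit 1: the proxy recorded an HTTP 3xx redirect for the client."""
    return 300 <= ev["sc_status"] <= 399


def is_executable_download(ev):
    """Circuit 2, first condition: an executable was fetched (assumption: only .exe is tested)."""
    return ev["cs_uri_path"].lower().endswith(".exe")


def crl_00193_01(events, watchlist=CONTENT_FILTER_CATEGORIES, window_seconds=60):
    window = timedelta(seconds=window_seconds)
    last_redirect = {}   # thread key is the client IP -> time of its most recent redirect
    alarms = []
    for ev in sorted(events, key=lambda e: e["time"]):
        client = ev["c_ip"]
        if is_redirect(ev):
            last_redirect[client] = ev["time"]
            continue
        started = last_redirect.get(client)
        if started is None or not is_executable_download(ev):
            continue
        if ev["time"] - started > window:
            last_redirect.pop(client)   # C1 expired before C2: a false negative if this was malicious
            continue
        if ev["sc_filter_category"] in watchlist:   # C2 also needs a watchlisted category
            alarms.append({"client": client, "host": ev["cs_host"],
                           "path": ev["cs_uri_path"], "category": ev["sc_filter_category"]})
            last_redirect.pop(client)
        # an executable from a categorized, intended site is the 1/0 row: the window stays open, no alarm
    return alarms


if __name__ == "__main__":
    print(crl_00193_01(SAMPLE_EVENTS))
```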
CRL-00193-02
Rule Logic: Rule CRL-00193-02 checks for any changes to the Windows registry and to the Windows file system as
reported by Tripwire Enterprise. On Tripwire Enterprise, you can create rules that monitor changes to the
components of Windows registry keys and registry values or rules that monitor changes to the file system
(files and directories) on a Windows system. These rules belong to the Tripwire Enterprise predefined sets
Windows file system rules and Windows registry rules.
By default, CRL-00193-02 triggers an alarm for each event enVision receives from Tripwire Enterprise if
the path of the changed object (Windows registry value or Windows file or directory) belongs to the
watchlist FileSystem_Registry_Changes. You must create this watchlist in enVision and add the paths
of objects of interest.
False Positive and False Negative Mitigation: False positives are very common because CRL-00193-02 triggers an alert for any change to any object
whose path is in the watchlist FileSystem_Registry_Changes. An alert triggers even if the change does
not represent any suspicious behavior on the system monitored by Tripwire Enterprise.
These false positives can be reduced in two ways:
• In Tripwire Enterprise, edit the Tripwire rules so that the rules monitor only objects of interest,
such as specified directories and files on the system or specified registry keys and values. For
more information, see the Tripwire Enterprise documentation.
• In enVision, customize the correlation rule to look for specific values for specified fields in the
logs sent by Tripwire Enterprise. For more information, see Rule Customization.
CRL-00193-03
Rule Logic: Rule CRL-00193-03 checks for downloads onto the system of interest. This rule monitors downloaded
files with the following extensions:
• .doc and .docx
• .pdb
• .pdf
• .ppt and .pptx
• .ps (PostScript files)
• .swf
• .vbd (ActiveX)
• .xls and .xlsx
By default, CRL-00193-03 triggers an alert for every downloaded file that has one of these
extensions, but the rule needs a watchlist of filtered web categories, as described in "Other
Requirements." This rule is the first phase of CRL-00193, and CRL-00193-02 is the second phase.
Together, CRL-00193-03 and CRL-00193-02 detect that an exploited file type was downloaded and
redirected to malicious code, which tries to change the registry keys that CRL-00193-02 monitors using
Tripwire Enterprise.
False Positive and False Negative Mitigation: You can use CRL-00193-03 as a stand-alone rule in stricter server environments where nothing is
downloaded from the Internet. However, do not add this rule to a view without an alerting system,
such as CRL-00193, because CRL-00193-03 can generate a large number of alerts in an uncontrolled
environment that is open to the Internet.
Quick Deployment
CRL-00193-01
Event Source Configuration: Configure Blue Coat Systems Security Gateway OS to send logs to enVision. For instructions, see the
Blue Coat Systems Security Gateway OS configuration document on RSA SecurCare Online.
Rule Customization: Create a watchlist named Content_Filter_Categories. Add values from the Blue Coat Systems Security
Gateway OS filter categories database, such as Hacking, Phishing, Spyware/Malware Sources, and
Uncategorized. For information on creating watchlists, see the enVision Help.
CRL-00193-02
Event Source Configuration: Configure Tripwire Enterprise to send events to enVision. For instructions, see the Tripwire Enterprise
configuration document on RSA SecurCare Online.
In the Tripwire Enterprise server, you must define the file system node by its IP address, not by its
hostname. For more information, refer to the Tripwire Enterprise documentation.
Create a watchlist named FileSystem_Registry_Changes. Add the paths of Windows registry keys and
Windows files and directories of interest. For instructions on creating watchlists, see the enVision Help.
Rule Customization: You can customize CRL-00193-02 by adding any of the filters described in the following table.

Field            Variable
node             Host Name
server           Foreign Host
rule             Rule
version          Version
changeType       Field 1
changeTypeName   Action
severity         Field 2
severityname     Severity
time             Time
Attributes       Full Message
CRL-00193-03
Event Source Configuration: Configure Blue Coat Systems Security Gateway OS to send logs to enVision. For instructions, see the
Blue Coat Systems Security Gateway OS configuration document on RSA SecurCare Online.
CRL-194
Overview
Name: Instant Messaging Keyword Filtering Rule
Purpose: The goal of this rule is to filter keywords from instant messaging sessions logged by a Blue Coat Proxy
Security Gateway appliance, based on business and organization policy adherence guidelines. This rule
detects anomalies in, or breaches of, employees' adherence to internal trade-restrictive policies in internal
instant messaging session logs.
Audience: This rule is intended for any organization that is concerned about attempts by employees to trade or
disclose important business and security information.
Introduction: Instant messaging has become common within enterprises as more employees download and install free
instant messaging software to communicate with colleagues and friends over the company network. The
challenge for an enterprise is how to control access to these applications based on specific corporate
usage policies. For example, some users may use instant messaging for real-time business
communications across a distributed organization, and others may use it to chat with family and friends.
The Blue Coat Proxy Security Gateway appliance monitors these conversations along with relevant
information about the users involved in them, and sends out instant messaging logs. This rule uses a
regular expression search over chat sessions to identify keywords that could signify use of the corporate
network that violates the policies and guidelines of the organization.
Requirements
Device Class/Systems: This rule requires the use of systems that generate web logs, specifically detailed web_referer fields.
Currently the Blue Coat Proxy Security Gateway device is suitable for this rule.
Configuration of Environment: For the latest configuration instructions for Blue Coat Proxy Security Gateway, see the Blue Coat
Systems SGOS configuration document on RSA SecurCare Online.
Technical Analysis
Rule Logic: The purpose is to analyze a chat session and monitor the various conversations between a user and a
buddy, based on their instant messaging IDs, on all three instant messaging protocols supported by the Blue
Coat Proxy Security Gateway appliance. The rule counts every positive keyword match in a session between
the same user and buddy. The current release of the implementation uses the following rule logic:

Set rule to thread on variables im_buddyid and im_userid
Circuit1
    Statement1
        Set the threshold (for example, three occurrences of the keyword in 60 seconds should send an alert)
        Set to only monitor instant messaging events
        AND
        Set monitoring of events having information for im_userid
        AND
        Set monitoring of events having information for im_buddyid
        Set filter to find a regular expression match for keywords in the watchlist for instant messaging text
End Circuit1
False Positive/Negative Mitigation: Avoid false positives because they decrease the level of confidence in the rules. More importantly,
eliminate false negatives because they decrease rule functionality and create a serious security lapse.
This version of the rule has two important situations to consider. An alert should fire if the number of
occurrences of a specified keyword in the chat session reaches the set minimum threshold. If the
threshold is not reached, the alert should not fire. The threshold for the number of matched occurrences of
a keyword is critical in mitigating false positives and false negatives.
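The CRL-194 threshold logic over constructed IM events, added as an example and not the rule's own code: events are threaded on (im_userid, im_buddyid), each regex hit from the keyword watchlist is timestamped, and an alert fires once the hits inside the window reach the threshold. The watchlist holds the page's example pattern plus two constructed ones.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Keyword watchlist: the page's example pattern plus two constructed patterns
KEYWORD_WATCHLIST = [r".*internal trade", r"insider pricing", r"confidential forecast"]


def im_event(time, userid, buddyid, text, device_class="im"):
    """Constructed IM event carrying the variables the rule threads on."""
    return {"time": datetime.fromisoformat(time), "device_class": device_class,
            "im_userid": userid, "im_buddyid": buddyid, "im_text": text}


SAMPLE_IM_EVENTS = [
    # alice -> bob: three keyword hits inside 35 s, which meets the default threshold of 3 in 60 s
    im_event("2010-07-30T09:00:00", "alice", "bob", "can we go over the internal trade numbers?"),
    im_event("2010-07-30T09:00:10", "alice", "bob", "lunch at noon?"),
    im_event("2010-07-30T09:00:20", "alice", "bob", "the confidential forecast is attached"),
    im_event("2010-07-30T09:00:35", "alice", "bob", "Insider pricing goes out Friday"),
    # carol -> dan: three hits spread over two minutes, never three inside one 60 s window
    im_event("2010-07-30T09:05:00", "carol", "dan", "internal trade desk is closed today"),
    im_event("2010-07-30T09:05:30", "carol", "dan", "confidential forecast review moved"),
    im_event("2010-07-30T09:07:00", "carol", "dan", "insider pricing question for you"),
    # an event without a buddy ID is not a conversation the rule can thread on
    im_event("2010-07-30T09:08:00", "erin", "", "internal trade"),
]


def crl_00194(events, patterns=KEYWORD_WATCHLIST, threshold=3, window_seconds=60):
    compiled = [re.compile(p, re.IGNORECASE) for p in patterns]
    window = timedelta(seconds=window_seconds)
    hits = defaultdict(deque)   # thread key (im_userid, im_buddyid) -> times of matching messages
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        # Statement 1: only IM events that carry both im_userid and im_buddyid
        if ev["device_class"] != "im" or not ev["im_userid"] or not ev["im_buddyid"]:
            continue
        if not any(p.search(ev["im_text"]) for p in compiled):
            continue
        key = (ev["im_userid"], ev["im_buddyid"])
        recent = hits[key]
        recent.append(ev["time"])
        while recent and ev["time"] - recent[0] > window:
            recent.popleft()     # drop hits that have aged out of the window
        if len(recent) >= threshold:
            alerts.append((key, ev["time"]))
            recent.clear()       # one alert per burst; counting restarts afterwards
    return alerts


if __name__ == "__main__":
    print(crl_00194(SAMPLE_IM_EVENTS))
```

Lowering the threshold to 2 makes the carol/dan conversation alert as well, which is the false-positive side of the trade-off the text describes; widening the window to 180 seconds has the same effect at threshold 3.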
Quick Deployment Guide
Device Configurations: Refer to RSA SecurCare Online for enVision device configuration documentation.
Rule Customization: Customers intending to use this rule are required to build their own watchlists with keyword patterns that
match their security criteria. For example, a keyword pattern, .*internal trade, could be used as a filter.
The threshold in the rule is also critical in determining the accuracy of alerts generated by the rule. End
users should modify this value as deemed suitable for their operating environment.
CRL-00195
Overview
Name: Search Engine Optimization Poisoning
Purpose: CRL-00195 detects malware downloads through search engine optimization (SEO) poisoning. Attackers
use black hat SEO techniques to improve the ranking of malicious web sites in search results. Users who
click these links may be led to malicious sites, which download malware to the users' systems.
Audience: Organizations that are concerned about data being stolen from their systems or their systems being
opened for remote control.
Introduction: People generally use online search engines to find the latest news and topics of interest. Search engine
optimization (SEO) poisoning attacks are usually attacks on legitimate web sites using cross-site
scripting (XSS), JavaScript injections, or iFrame injections. The attackers use black hat SEO techniques to
improve the ranking of the web pages in the search results. Once the victim clicks on these links, they are
directed to a malicious web site which downloads malware onto their system.
Rule CRL-00195 attempts to track SEO poisoning by looking at web proxy logs for information which
tells the user that they have been directed to a malicious web site through a search engine result.
Requirements
Device Class or Systems: This rule requires the use of web proxy logs. The Blue Coat Systems Security Gateway OS event source
is suitable for this rule.
Configuration of Environment: You must configure Blue Coat Security Gateway OS to send logs in MAIN format to your RSA enVision
appliance.
Other Requirements: You must create a watchlist named WebFilter_Approved_Categories that contains Blue Coat Systems
Security Gateway OS filter categories of interest, such as Education, E-mail, and Translation.
Technical Analysis
Rule Logic: CRL-00195 detects the following attacks:
• While browsing, the user clicks a poisoned search engine result. The URL redirects to a web site
that hosts third-party JavaScript code that downloads an executable on the user machine.
• While browsing, the user clicks a poisoned search engine result. The URL directs the user to a
malicious web site that exploits an unpatched browser or an unpatched plug-in to download
malware on the user's machine.
CRL-00195 consists of three circuits, named Web Proxy Logs, EXEDownloadViaThirdParty, and
DirectEXEDownload. The rule creates two cache variables to implement the rule logic. These
variables are cache_webdomain and cache_thirdparty_webdomain.
The circuits perform checks as follows:
• Web Proxy Logs checks to see if the user was directed to a web site or a URL from a search
engine result. The rule caches the web site domain into the cache variable named cache_webdomain.
• EXEDownloadViaThirdParty checks if the web site that the user has visited through the search
engine result references a JavaScript hosted on a third-party server that downloads an executable
on the user machine. The circuit has two statements:
    • Check for JavaScript being run from a malicious site, which checks for logs where
    the web page contains JavaScript and the web referrer domain field is equal to the
    variable cache_webdomain that the Web Proxy Logs circuit cached. The statement stores
    the web domain field into a cache variable called cache_thirdparty_webdomain.
    • Check for executable downloads from a malicious site, which checks for logs where
    the web page field ends with .exe (or any of its variations). The statement checks that
    the value in the filter field is not in the watchlist WebFilter_Approved_Categories
    and the value in the web domain field is the same as the value stored in the cache
    variable cache_thirdparty_webdomain.
• DirectEXEDownload checks if the website that the user has visited through the search engine
result directly downloads an executable on the user machine. The circuit has only one statement,
called DirectEXEDownload, which checks for logs where the web page field ends with .exe (or
any of its variations). The statement checks that the value in the filter field is not in the watchlist
WebFilter_Approved_Categories and the value in the web referrer domain field is the same as
the value stored in the cache variable cache_thirdparty_webdomain.
The checks in circuits EXEDownloadViaThirdParty and DirectEXEDownload that confirm the
filter field is not in the watchlist WebFilter_Approved_Categories help to catch malicious web sites
that are not categorized by Blue Coat Systems Security Gateway OS.
The rule looks to see if a user was directed to a malicious web site by a search engine result.
Circuit or Statement   Meaning
C1                     Users being directed to web sites using a search engine
C2                     The web site may be compromised and lead to executable files being downloaded from a third-party web site
C3                     The web site is malicious and downloads an executable file
The behavior of these three circuits in combination is described in the following table.
C1  C2  C3  Description                                                                                              Action
0   1   0   Not directed to the malicious web site by a search engine                                                No alarm
0   0   1   Not directed to the malicious web site by a search engine                                                No alarm
1   0   0   Not directed to a malicious web site                                                                     No alarm
1   1   0   The web site may be compromised and lead to executable files being downloaded from a third-party web site  Alarm
1   0   1   The web site is malicious and downloads an executable file                                               Alarm
False Positive and Negative Mitigation
Depending on the web proxy configuration in your environment, the rule may give false negatives. Blue Coat SGOS uses FTP to send logs to enVision, and, because of the time gap between two file uploads, the events of one chain can arrive too far apart for the rule to trigger. The circuits wait one hundred and eighty seconds for the follow-on events. You can adjust the time limit for the rule based on your environment.
Quick Deployment Guide
Device Configurations
Blue Coat Systems SGOS must be configured to send logs to your enVision appliance in MAIN format. For instructions, see the Blue Coat Systems Security SGOS configuration document on RSA SecurCare Online.
Note: A sample watchlist, named WebFilter_Approved_Categories.txt, has been posted on RSA SecurCare Online as a reference. You can find this watchlist at https://knowledge.rsasecurity.com/scolcms/set.aspx?id=8479.
References
For more information about search engine optimization poisoning, go to www.symantec.com and www.websense.com.
CRL-00196
Overview
Name
Redirection to Malicious Web Sites Through a Short URL
Purpose
CRL-00196 detects drive-by download attacks in which a user is redirected to a malicious web site through a short URL. The malicious web site downloads an executable to the user's machine.
Audience
This rule is intended for organizations that are concerned with keeping their employees' workstations free of malware by detecting potential drive-by download attacks.
Reference Material
http://www.symantec.com/connect/blogs/tweeting-misleading-applications
Introduction
URL shortening is gaining ground with the growth of social web sites such as Twitter and blogs. In Twitter, for example, a tweet is limited to 140 characters. Users who want to add a link to their tweets turn to URL-shortening services to leave more room for their message. A URL-shortening service converts a long URL into a short one, typically fewer than 20 characters. Because a short URL reveals nothing about its destination, it can lead a user to a malicious web site that exploits an unpatched browser or plug-in to download and install malware on the user's machine.
Requirements
Device Class or Systems
CRL-00196 inspects proxy logs from Blue Coat System Security OS that follow the ELFF format. You must configure Blue Coat System Security OS to send logs to enVision in ELFF format.
Technical Analysis
Rule Logic
CRL-00196 detects the following attacks:
• While browsing, the user clicks a short URL that redirects the user to a web site that hosts third-party JavaScript code that downloads an executable to the user's machine.
• While browsing, the user clicks a short URL that redirects the user to a malicious web site that exploits an unpatched browser or plug-in to download malware on the user's machine.
CRL-00196 creates three cache variables to help implement the rule logic:
• InitialDomain
• LongURLDomain
• ThirdPartyDomain
CRL-00196 consists of three circuits:
• RedirectionThroughShortURL checks for redirection from the initial web site through a short URL. The circuit has two statements:
  - RedirectionToShortURL checks for logs that have status 301 (which indicates redirection) and whose web domain field is in the watchlist Redirection_Services. The statement stores the web referrer domain in the cache variable InitialDomain.
  - RedirectionToLongURL checks for logs that have a 2xx status (a successful HTTP response) and whose web referrer domain field equals InitialDomain. The statement stores the web domain field in the cache variable LongURLDomain.
• EXEDownloadViaThirdParty checks whether the web site to which the user was redirected references a JavaScript file hosted on a third-party server that downloads an executable to the user's machine. The circuit has two statements:
  - GettingMaliciousJavascript checks for logs in which the content type field contains JavaScript and the web referrer domain field equals LongURLDomain. The statement stores the web domain field in the cache variable ThirdPartyDomain.
  - EXEDownload checks for logs in which the web page field ends with .exe (or any of its variations). The statement also checks that the value in the filter field is in the watchlist Content_Filter_Categories and that the value in the web referrer domain field equals the value stored in ThirdPartyDomain.
• DirectEXEDownload checks whether the web site to which the user was redirected downloads an executable on the user's machine directly. The circuit has one statement, also called DirectEXEDownload, which checks for logs in which the web page field ends with .exe (or any of its variations). The statement also checks that the value in the filter field is in the watchlist Content_Filter_Categories and that the value in the web referrer domain field equals the value stored in LongURLDomain.
The filter-field checks in EXEDownloadViaThirdParty and DirectEXEDownload compare the Blue Coat category of the download against the watchlist Content_Filter_Categories, which lists suspicious categories such as Hacking, Spyware/Malware Sources, and Uncategorized (see Quick Deployment). They therefore catch executables served from sites that Blue Coat System Security OS has categorized as suspicious, as well as from sites it has not categorized at all.
The following table describes the combined results of these three circuits.
RedirectionThroughShortURL EXEDownloadViaThirdParty DirectEXEDownload Action
True False False No alert
True True False Alert
True False True Alert
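The two drive-by chains described for CRL-00195 and CRL-00196 share one shape: an entry circuit that caches the landing domain, a third-party JavaScript statement that caches a second domain, and an executable download whose referrer is checked against those caches and whose Blue Coat category is checked against a watchlist. The following Python is an added example of that logic run over constructed ELFF-style proxy lines; it is not RSA's rule code. The field order, the search-engine and shortener lists, the watchlist contents and the sample lines are all assumptions made for the example (a deployment would map enVision's web_domain, web_referrer_domain and filter variables onto the real columns). The two entry functions correspond to the Web Proxy Logs circuit (CRL-00195) and the RedirectionThroughShortURL circuit (CRL-00196); the category checks differ in the same way the two rules' watchlists do.

```python
"""Drive-by download chain correlation over ELFF-style proxy lines.

Added example for CRL-00195 (search-engine entry) and CRL-00196 (short-URL entry);
not RSA's rule code. Field list, watchlist contents and sample lines are constructed.
"""
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Constructed subset of the ProxySG "main" ELFF fields (assumption: a real deployment maps
# enVision's web_domain / web_referrer_domain / filter variables onto these columns).
FIELDS = ("date", "time", "c_ip", "sc_status", "cs_categories", "referer",
          "content_type", "cs_host", "cs_uri_path")
SEARCH_ENGINES = {"www.google.com", "www.bing.com"}             # CRL-00195 entry check
REDIRECTION_SERVICES = {"bit.ly", "tinyurl.com"}                # Redirection_Services watchlist
APPROVED_CATEGORIES = {"Education", "Email", "Translation"}     # WebFilter_Approved_Categories
SUSPECT_CATEGORIES = {"Hacking", "Spyware/Malware Sources", "Uncategorized"}  # Content_Filter_Categories
WINDOW = timedelta(seconds=180)                                 # how long the circuits wait


def parse(line):
    """Split one ELFF line into a dict and derive the timestamp and referrer domain."""
    ev = dict(zip(FIELDS, line.split()))
    ev["ts"] = datetime.strptime(ev["date"] + " " + ev["time"], "%Y-%m-%d %H:%M:%S")
    ev["referer_domain"] = urlsplit(ev["referer"]).hostname or ""   # "-" (no referrer) becomes ""
    return ev


def is_exe(ev):
    return ev["cs_uri_path"].lower().endswith(".exe")


def entry_search_engine(ev, state):
    """CRL-00195 Web Proxy Logs circuit: the landing page was reached from a search result."""
    return ev["cs_host"] if ev["referer_domain"] in SEARCH_ENGINES else None


def entry_short_url(ev, state):
    """CRL-00196 RedirectionThroughShortURL: a 301 at a shortener stores the referrer as
    InitialDomain; the following 2xx whose referrer is InitialDomain gives LongURLDomain."""
    if ev["sc_status"] == "301" and ev["cs_host"] in REDIRECTION_SERVICES:
        state["initial_domain"] = ev["referer_domain"]
        return None
    if (ev["sc_status"].startswith("2") and ev["referer_domain"]
            and ev["referer_domain"] == state.get("initial_domain")):
        return ev["cs_host"]
    return None


def not_approved(category):      # CRL-00195: any category outside the approved list counts
    return category not in APPROVED_CATEGORIES


def suspect(category):           # CRL-00196: only the suspicious categories count
    return category in SUSPECT_CATEGORIES


def correlate(lines, entry_rule, category_check, window=WINDOW):
    """Thread on client IP; return (c_ip, circuit, landing_domain, exe_host) per detected chain."""
    threads, alerts = {}, []
    for ev in map(parse, lines):
        st = threads.setdefault(ev["c_ip"], {})
        if "entry_ts" in st and ev["ts"] - st["entry_ts"] > window:
            st.clear()                      # the follow-on circuits only wait `window`
        landing = entry_rule(ev, st)
        if landing:
            st.update(landing=landing, entry_ts=ev["ts"], third_party=None)
            continue
        if "landing" not in st:
            continue
        # EXEDownloadViaThirdParty, first statement: script fetched from another host
        if ("javascript" in ev["content_type"].lower()
                and ev["referer_domain"] == st["landing"] and ev["cs_host"] != st["landing"]):
            st["third_party"] = ev["cs_host"]
            continue
        if is_exe(ev) and category_check(ev["cs_categories"]):
            tp = st["third_party"]
            if ev["referer_domain"] == st["landing"]:
                alerts.append((ev["c_ip"], "DirectEXEDownload", st["landing"], ev["cs_host"]))
            elif tp and tp in (ev["referer_domain"], ev["cs_host"]):
                alerts.append((ev["c_ip"], "EXEDownloadViaThirdParty", st["landing"], ev["cs_host"]))
    return alerts


# Constructed sample lines: date time c_ip status category referer content-type host path
SEARCH_LOG = [
    "2010-07-30 10:00:00 10.1.1.5 200 Blogs http://www.google.com/search?q=free+codec text/html www.blog-example.net /codec.html",
    "2010-07-30 10:00:02 10.1.1.5 200 Uncategorized http://www.blog-example.net/codec.html application/javascript cdn.example-ads.biz /loader.js",
    "2010-07-30 10:00:04 10.1.1.5 200 Uncategorized http://cdn.example-ads.biz/loader.js application/octet-stream dl.example-ads.biz /codec_update.exe",
    "2010-07-30 10:05:00 10.1.1.7 200 Education http://www.google.com/search?q=campus+vpn text/html www.university-example.edu /vpn.html",
    "2010-07-30 10:05:03 10.1.1.7 200 Education http://www.university-example.edu/vpn.html application/octet-stream www.university-example.edu /vpnclient.exe",
    "2010-07-30 10:10:00 10.1.1.8 200 Blogs http://www.google.com/search?q=free+codec text/html www.blog-example.net /codec.html",
    "2010-07-30 10:20:00 10.1.1.8 200 Uncategorized http://www.blog-example.net/codec.html application/octet-stream www.blog-example.net /codec.exe",
]
SHORT_URL_LOG = [
    "2010-07-30 11:00:00 10.1.1.9 301 Social_Networking http://twitter.com/home text/html bit.ly /abc123",
    "2010-07-30 11:00:01 10.1.1.9 200 Hacking http://twitter.com/home text/html www.evil-example.org /landing.html",
    "2010-07-30 11:00:03 10.1.1.9 200 Hacking http://www.evil-example.org/landing.html application/octet-stream www.evil-example.org /install.exe",
    "2010-07-30 11:30:00 10.1.1.12 301 Social_Networking http://twitter.com/home text/html bit.ly /xyz789",
    "2010-07-30 11:30:01 10.1.1.12 200 News http://twitter.com/home text/html www.news-example.com /story.html",
    "2010-07-30 11:30:05 10.1.1.12 200 News http://www.news-example.com/story.html application/octet-stream www.news-example.com /reader.exe",
]

if __name__ == "__main__":
    for a in correlate(SEARCH_LOG, entry_search_engine, not_approved):
        print("CRL-00195", a)
    for a in correlate(SHORT_URL_LOG, entry_short_url, suspect):
        print("CRL-00196", a)
```

In the constructed search-engine log, only 10.1.1.5 alarms: 10.1.1.7 downloads an executable from an Education site (approved category), and 10.1.1.8 downloads ten minutes after the landing event, outside the 180-second window that the rule's circuits wait. In the short-URL log, 10.1.1.9 alarms through DirectEXEDownload while 10.1.1.12 does not, because News is not in the suspicious-category watchlist. The window reset is the part worth tuning: a transfer gap between proxy log uploads, as the mitigation notes describe, shows up here as the entry state being cleared before the download arrives.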
False Positive and False Negative Mitigation
False positives are very common. You can limit them by modifying one or both of the watchlists (Redirection_Services and Content_Filter_Categories) to include only values of interest.
Because Blue Coat System Security OS uses SFTP to upload event logs to enVision, the time gap between file uploads can lead to false negatives. You can increase the delay between circuits from its initial value of sixty seconds to avoid these gaps.
Quick Deployment
Event Source Configurations
Configure your Blue Coat event source to send proxy logs in ELFF format to enVision. For instructions, see the configuration instructions on RSA SecurCare Online.
Create two watchlists:
• A watchlist named Redirection_Services. Add the domains of URL-shortening services to this list.
• A watchlist named Content_Filter_Categories. Add values from the Blue Coat System Security OS filter categories database, such as Hacking, Spyware/Malware Sources, and Uncategorized.
Note: You can populate these watchlists from the copies posted on RSA SecurCare Online.
For instructions on creating watchlists, see the enVision Help.
CRL-00197
Overview
Name
Post Form Redirection Malware
Purpose
CRL-00197 detects data that is compromised through Post form redirection malware attacks.
Audience
This rule is intended for organizations that are concerned about data theft from their systems or about their systems being opened to remote control.
Introduction
Web sites submit the information that users enter in forms, such as credentials or payment details, to the server with the HTTP POST method. When a site that uses the POST method is compromised, the form submission is redirected so that the information users enter on that web site is sent to a malicious web site.
Requirements
Device Class or Systems
This rule requires web proxy logs. The Blue Coat Systems Security Gateway OS event source is necessary for this rule.
Configuration of Environment
You must configure Blue Coat Security Gateway OS to send logs in MAIN format to your RSA enVision appliance.
Other Requirements
You must create a watchlist named WebFilter_Approved_Categories that contains Blue Coat Systems Security Gateway OS filter categories of interest, such as Education, Email, and Translation.
Technical Analysis
Rule Logic
This rule looks at web proxy logs for suspicious behavior that could indicate a Post form redirection malware attack.
The algorithm pattern for this rule is as follows:
Set rule to thread on class=host.weblogs, variable=Source Address
Circuit: Web_Proxy_Logs
    Statement1: Set_Cache_with_WebDomain
        Cache the web_domain value of each event from the web log event source
        Blue Coat Systems ProxySG SGOS. Name the cache variable cache_webdomain.
    FOLLOWED BY
    Statement2: Check_for_Post_Form_Redirection
        Check that the HTTP method value is POST.
        AND
        Check that the HTTP status code is 200 or 302.
        AND
        Check that the web_referrer domain value is the same as the
        cache_webdomain value and that the web_domain value is NOT the
        same as the cache_webdomain value. If both conditions hold, the
        form was served by one web site but its data was posted to another.
        AND
        Check that the filter (category) value of the event is not present
        in the watchlist WebFilter_Approved_Categories. If it is not present,
        the destination web site is treated as malicious.
End Circuit1
The rule verifies that a user's form data was sent to a malicious web site through a Post form redirection malware attack.
Circuit or Statement   Meaning
S1                     Cached web domain value
S2                     Check for Post form redirection
The behavior of these two statements in combination is described in the following table.
S1  S2  Description                                                              Action
0   0   Trivial                                                                  No alarm
0   1   Check for Post form redirection without the cached web domain value      No alarm
1   0   Post form method was not used                                            No alarm
1   1   Check for Post form redirection with the cache set for the web domain    Alarm
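The two statements above reduce to a per-client comparison between the domain of the previous request and the destination of a POST. The Python below is an added example that runs that comparison over constructed ELFF-style lines; it is not RSA's rule code. The field order, the approved-category list (extended here with Financial_Services to show why the watchlist exists) and the sample lines are assumptions made for the example.

```python
"""Cross-domain POST detection over ELFF-style proxy lines.

Added example for CRL-00197; not RSA's rule code. Field list, watchlist
contents and sample lines are constructed.
"""
from urllib.parse import urlsplit

# Constructed subset of ProxySG "main" fields (assumption; the text names the enVision variables)
FIELDS = ("date", "time", "c_ip", "cs_method", "sc_status", "cs_categories",
          "referer", "cs_host", "cs_uri_path")
# WebFilter_Approved_Categories: destinations a form may legitimately post to cross-domain
APPROVED_CATEGORIES = {"Education", "Email", "Translation", "Financial_Services"}


def parse(line):
    ev = dict(zip(FIELDS, line.split()))
    ev["referer_domain"] = urlsplit(ev["referer"]).hostname or ""   # "-" becomes ""
    return ev


def post_form_redirections(lines, approved=APPROVED_CATEGORIES):
    """Thread on client IP. Statement 1 caches the web domain of every event
    (cache_webdomain); statement 2 alarms on a POST with status 200/302 whose referrer
    is the cached domain but whose destination is a different, non-approved domain.
    Returns (c_ip, form_domain, posted_to, path) per alarm."""
    cache, alarms = {}, []
    for ev in map(parse, lines):
        cached = cache.get(ev["c_ip"])
        cache[ev["c_ip"]] = ev["cs_host"]                  # Set_Cache_with_WebDomain
        if cached is None:
            continue                                        # S2 without S1: no alarm
        if (ev["cs_method"] == "POST" and ev["sc_status"] in ("200", "302")
                and ev["referer_domain"] == cached          # form came from the cached site
                and ev["cs_host"] != cached                 # but was posted elsewhere
                and ev["cs_categories"] not in approved):   # to a non-approved category
            alarms.append((ev["c_ip"], cached, ev["cs_host"], ev["cs_uri_path"]))
    return alarms


# Constructed sample: date time c_ip method status category referer host path
SAMPLE_LOG = [
    # 10.2.2.3: checkout form posted to an unrelated, uncategorized host -> alarm
    "2010-07-30 09:00:00 10.2.2.3 GET 200 Business - www.shop-example.com /checkout.html",
    "2010-07-30 09:00:05 10.2.2.3 POST 302 Uncategorized http://www.shop-example.com/checkout.html collect.example-bad.net /cgi-bin/form.php",
    "2010-07-30 09:00:06 10.2.2.3 GET 200 Business http://www.shop-example.com/checkout.html www.shop-example.com /thanks.html",
    # 10.2.2.4: same-domain POST -> no alarm
    "2010-07-30 09:10:00 10.2.2.4 GET 200 Business - www.shop-example.com /checkout.html",
    "2010-07-30 09:10:03 10.2.2.4 POST 200 Business http://www.shop-example.com/checkout.html www.shop-example.com /checkout.html",
    # 10.2.2.5: cross-domain POST to an approved category (payment processor) -> no alarm
    "2010-07-30 09:20:00 10.2.2.5 GET 200 Business - www.shop-example.com /checkout.html",
    "2010-07-30 09:20:03 10.2.2.5 POST 302 Financial_Services http://www.shop-example.com/checkout.html pay.example-processor.com /authorize",
]

if __name__ == "__main__":
    for alarm in post_form_redirections(SAMPLE_LOG):
        print("CRL-00197", alarm)
```

Two caveats a practitioner should keep in mind when reading the alarms. First, the referrer check is what ties the POST to the page that served the form, so a compromised page whose injected script suppresses the Referer header (or a browser configured to strip it) produces a false negative rather than an alarm. Second, legitimate sites hand form data to third parties (payment processors, single sign-on providers, hosted survey tools); these appear as cross-domain POSTs and are only silenced by putting their Blue Coat categories in WebFilter_Approved_Categories, which is why that watchlist is a requirement rather than an option.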
False Positive and False Negative Mitigation
Depending on the web proxy configuration in your environment, CRL-00197 may give false negatives. Blue Coat SGOS uses FTP to send logs to enVision, and, because of the time gaps between two file uploads, the rule may not trigger. The circuits wait one hundred and eighty seconds for the appropriate data. You can adjust the time limit for the rule based on your environment.
Quick Deployment
Event Source Configuration
You must configure Blue Coat Systems SGOS to send logs to your enVision appliance in MAIN format. For instructions, see the Blue Coat Systems Security SGOS configuration document on RSA SecurCare Online.
Note: A sample watchlist, WebFilter_Approved_Categories.txt, has been posted on RSA SecurCare Online as a reference. You can find this watchlist at https://knowledge.rsasecurity.com/scolcms/set.aspx?id=8479.
CRL-00198 Rule Pack
Overview
Name
Backscatter
Purpose
CRL-00198 detects an increase above the average number of Non-Delivery Reports sent by a mail server. This increase could indicate a potential Distributed Denial of Service (DDoS) attack on an organization's mail server.
Audience
This rule is intended for organizations that want to protect their mail servers from DDoS attacks.
Reference Material
http://www.techzoom.net/papers/mail_non_delivery_notice_attacks_2004.pdf
Introduction
To make their e-mail look legitimate, spam authors forge the sender address before sending a message to a nonexistent address. A poorly configured mail server accepts the message and then sends a Non-Delivery Report (NDR) to the forged sender address, reporting delivery failure because the recipient address does not exist. Usually, the NDR includes the original message, in which the spam author may have placed phishing links. The user whose e-mail address was forged finds the NDR in the inbox and will probably open it, because the user trusts the mail server. Furthermore, a spam author can launch a DDoS attack on a mail server by sending a large number of e-mails to nonexistent addresses, each of which costs the server an NDR.
Requirements
Device Class or Systems
The CRL-00198 rule pack works on logs collected from Microsoft Exchange through Windows event logs or through the NIC File Reader Service. For instructions on configuring your Microsoft Exchange Server to send logs to RSA enVision, see RSA SecurCare Online.
Technical Analysis
Rule Logic
The CRL-00198 rule pack consists of two correlation rules with the same logic:
• CRL-00198-01 works on logs collected through Windows event logs.
• CRL-00198-02 works on logs collected through the NIC File Reader Service.
CRL-00198-01 consists of one circuit, NDR_Increase, which has one statement, WindowsLogs. CRL-00198-01 triggers an alert if the number of Microsoft Exchange messages whose Event ID is Application_3028_MSExchangeTransport rises more than 10 percent above the hourly average. Application_3028_MSExchangeTransport indicates that the Microsoft Exchange Server failed to deliver an e-mail because the recipient address does not exist.
CRL-00198-02 consists of one circuit, NDR_Increase, which has one statement, FileReader. For events collected through the NIC File Reader Service, an NDR message caused by a nonexistent recipient address must meet the following two conditions:
• The Event ID is DELIVER.
• The value parsed by enVision and stored in the Product variable is Delivery Status Notification (Failure).
CRL-00198-02 triggers an alert if the number of NDR messages that meet these criteria rises more than 10 percent above the hourly average.
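Both rules reduce to one filter (is this record an NDR?) and one threshold (is this hour's count more than 10 percent above the average?). The Python below is an added example of that computation over constructed message-tracking records; it is not RSA's rule code. The record shape (timestamp, event ID, Product value) and the sample data are assumptions; "average" is taken here as the mean of all preceding hours, which is one of the two threshold definitions the text says enVision offers.

```python
"""NDR-rate threshold for backscatter detection.

Added example for CRL-00198; not RSA's rule code. The record tuples and the
event-id / Product values follow the text; the sample data are constructed.
"""
from datetime import datetime, timedelta


def is_ndr(event_id, product):
    """CRL-00198-01: Exchange event 3028 from MSExchangeTransport (Windows event log path).
    CRL-00198-02: a DELIVER tracking record whose Product is the DSN failure (File Reader path)."""
    return (event_id == "Application_3028_MSExchangeTransport"
            or (event_id == "DELIVER" and product == "Delivery Status Notification (Failure)"))


def ndr_counts_per_hour(records):
    """records: iterable of (timestamp, event_id, product). Returns {hour_start: ndr_count},
    including zero-count hours between the first and last record so quiet hours lower the average."""
    records = list(records)
    counts = {}
    if not records:
        return counts
    hours = [ts.replace(minute=0, second=0, microsecond=0) for ts, _, _ in records]
    h = min(hours)
    while h <= max(hours):
        counts[h] = 0
        h += timedelta(hours=1)
    for ts, event_id, product in records:
        if is_ndr(event_id, product):
            counts[ts.replace(minute=0, second=0, microsecond=0)] += 1
    return counts


def ndr_spikes(records, increase=0.10):
    """Return (hour, count, baseline) for each hour whose NDR count exceeds the mean of all
    preceding hours by more than `increase` (10 percent by default, as in both rules)."""
    counts = ndr_counts_per_hour(records)
    hours = sorted(counts)
    spikes = []
    for i, hour in enumerate(hours[1:], start=1):
        baseline = sum(counts[h] for h in hours[:i]) / i
        if counts[hour] > baseline * (1 + increase):
            spikes.append((hour, counts[hour], baseline))
    return spikes


def build_sample():
    """Constructed tracking records: 20 NDRs per hour for four hours, then 25 in the fifth,
    mixed with ordinary deliveries that the filter must ignore."""
    base = datetime(2010, 7, 30, 0, 0, 0)
    records = []
    for hour, ndrs in enumerate([20, 20, 20, 20, 25]):
        start = base + timedelta(hours=hour)
        records += [(start + timedelta(minutes=m), "DELIVER", "Delivery Status Notification (Failure)")
                    for m in range(ndrs)]
        records += [(start + timedelta(minutes=m, seconds=30), "DELIVER", "Outlook")   # normal mail
                    for m in range(40)]
    return records


if __name__ == "__main__":
    for hour, count, baseline in ndr_spikes(build_sample()):
        print("NDR spike at %s: %d NDRs vs. hourly mean %.1f" % (hour, count, baseline))
```

With the constructed data the fifth hour (25 NDRs against a mean of 20) crosses the 10 percent line while the first four do not. A 10 percent margin over a mean is a low bar on a busy server: a single mailing-list bounce storm or a mistyped distribution list can trip it, which is why the mitigation section points at both the percentage and the choice between average and baseline as the knobs to turn.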
False Positive and False Negative Mitigation
Both CRL-00198-01 and CRL-00198-02 use a threshold of a 10 percent increase over the hourly average. You can customize that threshold by modifying either the percentage of the increase or the threshold definition (average or baseline). For more information on threshold definitions, see the enVision Help.
Quick Deployment
Event Source Configurations
For instructions on configuring your Microsoft Exchange Server to send events to RSA enVision through Windows event logs or through the NIC File Reader Service, see RSA SecurCare Online.
CRL-00199
Overview
Name
FairWarning Snooping
Purpose
Correlation Rule CRL-00199 detects whether a violator caught snooping by FairWarning Privacy Monitoring is also detected by RSA Data Loss Prevention Suite (DLP) as being involved in data leakage. This condition could mean that an employee in a health organization is transferring patient records to an external device, or sending them over instant messaging services or e-mail.
Audience
This rule is intended for any health organization interested in keeping patient records safe from malicious use by employees.
Introduction
According to health industry rules and regulations, a health organization must always keep patient records safe. FairWarning Privacy Monitoring generates events when authorized users in a health organization are caught snooping at the medical records of their co-workers, their co-workers' family members, or VIPs. Correlation Rule CRL-00199 combines the information collected from FairWarning Privacy Monitoring with RSA DLP Suite events to monitor whether such employees are transferring medical data outside the health care organization using instant messaging or e-mail.
Requirements
Device Class or Systems
Correlation Rule CRL-00199 scans logs from FairWarning Privacy Monitoring and RSA DLP Suite to detect a snooping event and a data leakage incident by the same user.
Technical Analysis
Rule Logic
Correlation Rule CRL-00199 triggers an alarm if enVision receives an alert from FairWarning Privacy Monitoring indicating a snooping event (Family Snooping, VIP Snooping, or Employee Snooping) by an employee of a health care organization and an alert from RSA DLP Suite showing that the same employee is involved in a data leakage incident.
Correlation Rule CRL-00199 consists of two circuits:
• FairWarning_Logs has one statement, Snooping, which selects events collected from FairWarning Privacy Monitoring that enVision categorizes under System.Audit and whose rulename variable matches the regular expression .*[Ss]nooping.* .
• RSA_DLP_Logs has one statement, Exfiltration, which selects events collected from RSA DLP Suite that fall in one of the following categories: Policies.Rules.Rejects, Policies.Rules.Successful, System.Audit, Content.Email.Delivery.Error, and Content.Email.Message.Sent.
Correlation Rule CRL-00199 multithreads on the User Name variable, so the rule does not trigger an alarm unless the user name in the FairWarning event is the same as the one contained in the RSA DLP event.
Note: The AND operator links the circuits, which means that CRL-00199 triggers an alarm if the events meet the selection criteria regardless of the order in which enVision receives them.
Quick Deployment
RSA enVision Configuration
For instructions on configuring FairWarning Privacy Monitoring and RSA DLP Suite to send logs to enVision, see the Device Configuration page on RSA SecurCare Online.
CRL-00200
Overview
Name
FairWarning Failed Logins
Purpose
CRL-00200 detects the misuse of employee accounts by identifying anomalous logon activity. HIPAA defines and identifies this activity in Section 164.308 and Section 164.306.
The HIPAA Security Rule addresses the HIPAA logging and auditing requirements:
• Administrative Safeguards – Section 164.308
• Security Management Process – Section 164.308(a)(1)(ii)(D)
• Security Awareness and Training – Section 164.308(a)(5)(ii)(C)
• Evaluation (Required) – Section 164.308(a)(8)
• Audit Controls (Required) – Section 164.312(b) [2]
Audience
This rule is intended for health organizations that are concerned about protecting their patient records from malicious use.
Introduction
When FairWarning alerts on a failed logon, this rule checks for failed logons with the same user credentials from other event sources on the network.
Requirements
Device Class or Systems
This rule requires the FairWarning Privacy Monitoring event source. The logs from FairWarning are correlated with event sources from the following device classes:
• Access Control
• Analysis
• DLP
• VPN
• Unix
• Virtualization
• Database
Note: The current state of the Windows XML does not align with the data used for the logon_id variable. The remediated Windows XML will be included in this rule when complete.
Configuration of Environment
You must configure FairWarning Privacy Monitoring. For instructions, see the FairWarning Privacy Monitoring configuration document on RSA SecurCare Online.
Technical Analysis
Rule Logic
This rule looks at alerts from FairWarning that indicate a failed logon for a particular user. The user's credentials are correlated with other event sources to check for failed logons with the same credentials.
The algorithm pattern for this rule is as follows:
Set rule to thread on variable=Logon_id
Circuit: Failed_Logins
    Statement1: Other_Devices_Failed_Logins
        Select events that carry the variable logon_id and fall under the
        category User.Activity.Failed.Logins. None of these events may come
        from FairWarning.
    AND
    Statement2: FairWarning_Failed_Logins
        Select events from FairWarning that carry the variable logon_id.
        AND
        The FairWarning events must fall under the category Attacks.Access.
        Failed logon events in the FairWarning XML fall under this category.
        Because Attacks.Access can also include other types of FairWarning
        events, a filter keeps only events that contain the keyword "fail".
End Circuit1
The rule verifies that .
Circuit or Statement   Meaning
S1                     Failed logons from all other event sources in the network
S2                     Failed logons from FairWarning
The behavior of these two statements in combination is described in the following table.
S1  S2  Description                                                                                  Action
0   0   Trivial                                                                                      No alarm
0   1   No failed logons from event sources other than FairWarning                                   No alarm
1   0   No failed logons from FairWarning                                                            No alarm
1   1   Failed logons from other event sources AND from FairWarning, with matching logon_id values   Alarm
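CRL-00199 and CRL-00200 are the same construction with different predicates: two circuits joined by AND, threaded on a key (User Name in one, logon_id in the other), so that an alarm needs one matching event from each side for the same key within a window, in either order. The Python below is an added example of that join; it is not RSA's rule code. The event dictionaries, device names and sample events are constructed, the predicates follow the statements described in the text (the .*[Ss]nooping.* regular expression, the DLP category list, the Attacks.Access category with the "fail" keyword filter, the exclusion of FairWarning from the "other devices" statement), and the 24-hour window for CRL-00199 is an assumption, since the text states that wait only for CRL-00200.

```python
"""Two-circuit AND correlation threaded on a key.

Added example for CRL-00199 (snooping AND DLP leak, keyed on user name) and
CRL-00200 (FairWarning failed logon AND other-source failed logon, keyed on
logon_id); not RSA's rule code. Event dicts and sample data are constructed.
"""
import re
from datetime import datetime, timedelta

SNOOPING = re.compile(r".*[Ss]nooping.*")          # CRL-00199 rulename filter
DLP_CATEGORIES = {"Policies.Rules.Rejects", "Policies.Rules.Successful", "System.Audit",
                  "Content.Email.Delivery.Error", "Content.Email.Message.Sent"}


def correlate_and(events, thread_key, circuit_a, circuit_b, window):
    """Alarm when one event matches circuit_a and another matches circuit_b for the same
    thread key within `window`, in either order (enVision's AND operator). Each alarm
    resets that thread. Returns [(key_value, time_of_a_event, time_of_b_event), ...]."""
    threads, alarms = {}, []
    for ev in sorted(events, key=lambda e: e["ts"]):
        k = ev.get(thread_key)
        if not k:
            continue                                  # no thread key: nothing to join on
        st = threads.setdefault(k, {"a": [], "b": []})
        for side, pred, other in (("a", circuit_a, "b"), ("b", circuit_b, "a")):
            if not pred(ev):
                continue
            partner = next((t for t in st[other] if ev["ts"] - t <= window), None)
            if partner is None:
                st[side].append(ev["ts"])             # wait for the other circuit
                continue
            ta, tb = (ev["ts"], partner) if side == "a" else (partner, ev["ts"])
            alarms.append((k, ta, tb))
            threads[k] = {"a": [], "b": []}
            break
    return alarms


# --- CRL-00199 predicates --------------------------------------------------------
def fw_snooping(ev):
    return (ev["device"] == "FairWarning" and ev["category"] == "System.Audit"
            and SNOOPING.match(ev.get("rulename", "")) is not None)


def dlp_leak(ev):
    return ev["device"] == "RSA DLP" and ev["category"] in DLP_CATEGORIES


# --- CRL-00200 predicates --------------------------------------------------------
def fw_failed_logon(ev):
    return (ev["device"] == "FairWarning" and ev["category"] == "Attacks.Access"
            and "fail" in ev.get("message", "").lower())


def other_failed_logon(ev):
    return ev["device"] != "FairWarning" and ev["category"] == "User.Activity.Failed.Logins"


def T(hour, minute=0):
    return datetime(2010, 7, 30, hour, minute)


CRL_00199_EVENTS = [  # constructed
    {"ts": T(8), "device": "FairWarning", "category": "System.Audit", "rulename": "VIP Snooping", "username": "jdoe"},
    {"ts": T(9, 30), "device": "RSA DLP", "category": "Content.Email.Message.Sent", "username": "jdoe"},
    {"ts": T(7), "device": "RSA DLP", "category": "Policies.Rules.Rejects", "username": "mlee"},          # leak first,
    {"ts": T(7, 45), "device": "FairWarning", "category": "System.Audit", "rulename": "Family Snooping", "username": "mlee"},  # snooping later
    {"ts": T(10), "device": "FairWarning", "category": "System.Audit", "rulename": "VIP Snooping", "username": "asmith"},      # snooping only
]

CRL_00200_EVENTS = [  # constructed
    {"ts": T(10), "device": "FairWarning", "category": "Attacks.Access", "message": "Login failed", "logon_id": "bjones"},
    {"ts": T(10, 5), "device": "Cisco VPN", "category": "User.Activity.Failed.Logins", "logon_id": "bjones"},
    {"ts": T(11), "device": "FairWarning", "category": "Attacks.Access", "message": "Access granted", "logon_id": "cwu"},   # no "fail"
    {"ts": T(11, 2), "device": "Cisco VPN", "category": "User.Activity.Failed.Logins", "logon_id": "cwu"},
    {"ts": T(12), "device": "FairWarning", "category": "Attacks.Access", "message": "Login failed", "logon_id": "dkim"},
    {"ts": T(12, 1), "device": "FairWarning", "category": "User.Activity.Failed.Logins", "logon_id": "dkim"},  # not an "other" device
]


def run_crl_00199():
    return correlate_and(CRL_00199_EVENTS, "username", fw_snooping, dlp_leak, timedelta(hours=24))


def run_crl_00200():
    return correlate_and(CRL_00200_EVENTS, "logon_id", other_failed_logon, fw_failed_logon, timedelta(hours=24))


if __name__ == "__main__":
    print("CRL-00199", run_crl_00199())
    print("CRL-00200", run_crl_00200())
```

Two of the constructed cases are there for the edge conditions the text calls out: mlee's DLP event precedes the snooping event and still alarms, which is the order independence of the AND operator, and dkim's second failed logon comes from FairWarning itself, so it does not satisfy the "other devices" statement and no alarm results. Because the join key is a bare user name or logon ID, two event sources that render the same account differently (DOMAIN\user versus user@domain, for instance) will never match; normalizing the key before threading is the practical fix and is outside what the rule does on its own.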
False Positive and False Negative Mitigation
Depending on the configuration of FairWarning in your environment, CRL-00200 may give false negatives. FairWarning uses SFTP to send logs to enVision, and, because of the time gaps between two file uploads, the rule may not trigger. The circuits wait 24 hours for the appropriate data. You can adjust the time limit for the rule based on your environment.
Quick Deployment
Event Source Configuration
You must configure FairWarning Privacy Monitoring to send events to RSA enVision. For instructions, see the FairWarning Privacy Monitoring configuration document on RSA SecurCare Online.
CRL-00201
Overview
Name
DNS Fast Flux Detection Kit
Purpose
Rule CRL-00201 detects and alerts on possible DNS fast-flux domains.
Audience
This rule is intended for organizations that capture their web proxy traffic logs and want to receive alerts for fast-flux domains that appear in the logs of the web proxy event source.
Introduction
The primary role of the Domain Name System (DNS) is to hierarchically name computers and other resources connected to the Internet or a private network. A DNS record maps a domain name to an IP address for a limited period, the record's Time To Live (TTL), after which resolvers must look the name up again. Botnets and other malicious hosts take advantage of the TTL and use a technique known as DNS fast flux: the authoritative DNS servers publish a very short TTL for a domain, which allows the IP addresses behind that domain name to be reassigned continually. Some of these fast-flux domains behave as peers and share the role of a command and control server, as is sometimes found in phishing attacks. Because of the constant flux, it becomes very difficult to determine the source of such botnets or malicious hosts.
This rule attempts to track fast-fluxing domains by caching on a specific domain name and checking whether the IP assignments to that domain are short-lived, which indicates that it may be a fast-flux domain.
Requirements
Device Class or Systems
This rule uses the Web Logs device class and monitors events from web proxy event sources. Currently the rule fires alerts for logs from the Blue Coat Systems ProxySG SGOS event source.
Technical Analysis
Rule Logic
All the rules in this rule set have the same architecture and are implemented as two logical circuits joined by a FOLLOWED BY clause. Each rule examines the web proxy logs and searches for suspicious activity within them.
The characterization of all traffic happens in the first circuit, where the rule looks for specific domain, status, category, and web page information in the event. The original IP address of the server is also cached in this circuit. The second circuit compares the server IP address of subsequent events for the same host within a specified time frame (by default, one hundred and eighty seconds).
The rule threads on the web_host variable, which contains the Fully Qualified Domain Name (FQDN). In the first circuit, each event is filtered on the filter, status, domain, and webpage variables, so that only events that satisfy the filter criteria are considered by the rule.
The second circuit compares the supplier_ip variable with the cached IP variable, DestAddress. If the cached IP differs from the supplier_ip, an alert is triggered.
False Positive and False Negative Mitigation
Because the logic can generate a large number of alerts, the rule set is divided into the following four separate rules to mitigate false positives:
• CRL-00201-01 - DNS Fast Flux Detection - Common Traffic Domains
• CRL-00201-02 - DNS Fast Flux Detection - Specialized Traffic Domains
• CRL-00201-03 - DNS Fast Flux Detection - Commercial Traffic Domain
• CRL-00201-04 - DNS Fast Flux Detection - Known Abused TLDs
These rules filter on separate logical clusters of Top Level Domains. For example, the .com (commercial) domain accounts for more than 90 percent of total Internet traffic, so it gets its own rule for monitoring purposes.
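The two circuits and the TLD split above come down to: filter an event, cache the server IP seen for its host, and alert when a later event for the same host inside the window shows a different IP. The Python below is an added example of that heuristic over constructed proxy lines; it is not RSA's rule code. The field order (with supplier_ip as the last column), the TLD clusters standing in for the four sub-rules, the status filter of 200 and the category exclusions are all assumptions made for the example; the text names the sub-rules but not their exact TLD lists or filter values.

```python
"""Fast-flux heuristic over proxy logs: alert when the server IP behind one
FQDN changes within a short window.

Added example for CRL-00201; not RSA's rule code. Field list, TLD clusters,
category exclusions, status filter and sample lines are constructed.
"""
from datetime import datetime, timedelta

FIELDS = ("date", "time", "c_ip", "sc_status", "cs_categories", "cs_host", "cs_uri_path", "supplier_ip")
WINDOW = timedelta(seconds=180)                  # default wait between the two circuits
CLUSTERS = {                                      # one cluster per CRL-00201 sub-rule (assumed contents)
    "common": (".net", ".org"),
    "specialized": (".info", ".biz"),
    "commercial": (".com",),
    "abused_tlds": (".cn", ".ru", ".tk"),
}
# Hosts in these categories legitimately resolve to many addresses; excluded to limit false positives
EXCLUDED_CATEGORIES = {"Content_Delivery_Networks", "Search_Engines"}


def parse(line):
    ev = dict(zip(FIELDS, line.split()))
    ev["ts"] = datetime.strptime(ev["date"] + " " + ev["time"], "%Y-%m-%d %H:%M:%S")
    return ev


def tld_cluster(host):
    for name, tlds in CLUSTERS.items():
        if host.endswith(tlds):
            return name
    return None


def fast_flux_alerts(lines, cluster, window=WINDOW):
    """Thread on web_host. Circuit 1 filters on status, category and TLD cluster and caches the
    server IP (DestAddress) with its time. Circuit 2 alerts when a later event for the same host
    within `window` carries a different supplier_ip. Returns (host, old_ip, new_ip, seconds_apart)."""
    cache, alerts = {}, []
    for ev in map(parse, lines):
        host = ev["cs_host"]
        if (ev["sc_status"] != "200" or ev["cs_categories"] in EXCLUDED_CATEGORIES
                or tld_cluster(host) != cluster):
            continue                                            # circuit 1 filter
        prev = cache.get(host)
        if prev is None or ev["ts"] - prev[1] > window:
            cache[host] = (ev["supplier_ip"], ev["ts"])         # circuit 1: cache DestAddress
            continue
        if ev["supplier_ip"] != prev[0]:                         # circuit 2: IP changed inside the window
            alerts.append((host, prev[0], ev["supplier_ip"], int((ev["ts"] - prev[1]).total_seconds())))
        cache[host] = (ev["supplier_ip"], ev["ts"])
    return alerts


# Constructed sample: date time c_ip status category host path supplier_ip
SAMPLE_LOG = [
    "2010-07-30 12:00:00 10.3.3.1 200 Uncategorized update-example.info /gate.php 203.0.113.10",
    "2010-07-30 12:01:00 10.3.3.1 200 Uncategorized update-example.info /gate.php 198.51.100.22",   # flux: new IP after 60 s
    "2010-07-30 12:00:10 10.3.3.2 200 Content_Delivery_Networks cdn.example.com /lib.js 192.0.2.5",
    "2010-07-30 12:00:40 10.3.3.2 200 Content_Delivery_Networks cdn.example.com /lib.js 192.0.2.9",  # CDN: excluded
    "2010-07-30 12:02:00 10.3.3.3 200 Business www.static-example.com /index.html 192.0.2.40",
    "2010-07-30 12:02:30 10.3.3.3 200 Business www.static-example.com /logo.png 192.0.2.40",       # stable IP
    "2010-07-30 12:00:00 10.3.3.4 200 Business old-example.biz /index.html 203.0.113.77",
    "2010-07-30 12:10:00 10.3.3.4 200 Business old-example.biz /index.html 203.0.113.78",          # change outside the window
]

if __name__ == "__main__":
    for name in CLUSTERS:
        for alert in fast_flux_alerts(SAMPLE_LOG, name):
            print("CRL-00201", name, alert)
```

Of the four constructed hosts only update-example.info alerts, and only under the "specialized"-cluster run. The other three show the main sources of noise this heuristic has: content delivery networks and any service behind round-robin DNS change addresses legitimately within seconds, which is what the category exclusion (and, in the real rule set, the TLD split) tries to keep out, and an address change seen only after the window has expired is ignored even if the domain really is fluxing. A proxy log only shows the address the proxy connected to, so a low TTL observed in DNS logs is the corroborating signal worth adding where those logs exist.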
Quick Deployment
Event Source Configuration
Configure Blue Coat Systems Security Gateway OS to send logs to enVision. For instructions, see the Blue Coat Systems Security Gateway OS configuration document on RSA SecurCare Online.