RSA enVision Correlation Rules

Copyright © 2010 EMC Corporation. All Rights Reserved. July 30, 2010

Contact Information

Go to the RSA corporate web site for regional Customer Support telephone and fax numbers: www.rsa.com

Trademarks

RSA, the RSA Logo and EMC are either registered trademarks or trademarks of EMC Corporation in the United States and/or other countries. All other trademarks used herein are the property of their respective owners. For a list of RSA trademarks, go to www.rsa.com/legal/trademarks_list.pdf.

License agreement

This software and the associated documentation are proprietary and confidential to EMC, are furnished under license, and may be used and copied only in accordance with the terms of such license and with the inclusion of the copyright notice below. This software and the documentation, and any copies thereof, may not be provided or otherwise made available to any other person.

No title to or ownership of the software or documentation or any intellectual property rights thereto is hereby transferred. Any unauthorized use or reproduction of this software and the documentation may be subject to civil and/or criminal liability.

This software is subject to change without notice and should not be construed as a commitment by EMC.

Note on encryption technologies

This product may contain encryption technology. Many countries prohibit or restrict the use, import, or export of encryption technologies, and current use, import, and export regulations should be followed when using, importing or exporting this product.

Distribution

Use, copying, and distribution of any EMC software described in this publication requires an applicable software license.

EMC believes the information in this publication is accurate as of its publication date. The information is subject to change without notice.

THE INFORMATION IN THIS PUBLICATION IS PROVIDED "AS IS." EMC CORPORATION MAKES NO REPRESENTATIONS OR WARRANTIES OF ANY KIND WITH RESPECT TO THE INFORMATION IN THIS PUBLICATION, AND SPECIFICALLY DISCLAIMS IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Contents

About Correlation Rules 6
Mapping of NIC Rules to CRL Rules 7
Correlated Rules to Event Source Mapping 9
CRL-00002-01 24
CRL-00003-01 27
CRL-00003-01.02 30
CRL-00005-1.10 32
CRL-00007-1.10 34
CRL-00008 36
CRL-00010-1.00 38
CRL-00011-01 40
CRL-00011-1.00 43
CRL-00012 44
CRL-00013 46
CRL-00013-01 48
CRL-00013-02 50
CRL-00013-04 52
CRL-00013-05 54
CRL-00013-06 56
CRL-00014 58
CRL-00016 60
CRL-00023 62
CRL-00023-01 64
CRL-00023-02 65
CRL-00036 66
CRL-00037 67
CRL-00037-01 69
CRL-00040-1.0 71
CRL-00044 73
CRL-00101 74
CRL-00102 75
CRL-00103 77
CRL-00105 79
CRL-00106 81
CRL-00107 82
CRL-00108 83
CRL-00109 84
CRL-00110 Rule Set 85
CRL-00111 88
CRL-00112 89
CRL-00115 90
CRL-00116 Rule Set 92
CRL-00117 94
CRL-00118 95
CRL-00119 97
CRL-00120 98
CRL-00121 99
CRL-00122 102
CRL-00123 103
CRL-00124 104
CRL-00125-01 105
CRL-00125-02 109
CRL-00126 115
CRL-00127 116
CRL-00136 117
CRL-00137 119
CRL-00139 121
CRL-00140 123
CRL-00141 124
CRL-00143 125
CRL-00147 127
CRL-00148 128
CRL-00149 129
CRL-00151 130
CRL-00153 131
CRL-00154 132
CRL-00155 133
CRL-00156 134
CRL-00157 135
CRL-00158 136
CRL-00159 137
CRL-00160 138
CRL-00161 139
CRL-00162 140
CRL-00163 142
CRL-00190 143
CRL-00191 146
CRL-00192-01 149
CRL-00192-02 152
CRL-00193 155
CRL-00193-01 156
CRL-00193-02 156
CRL-00193-03 156
CRL-00193-01 157
CRL-194 161
CRL-00195 164
CRL-00196 168
CRL-00197 171
CRL-00198 Rule Pack 174
CRL-00199 176
CRL-00200 178
CRL-00201 181

About Correlation Rules

In enVision, each correlated alert is set up as a correlation rule. The rule identifies a set of events and defines a set of specific conditions to be met. When the defined conditions are met, enVision generates a correlated alert. Each correlated alert has its own message ID and message text, as defined in the correlation rule.

There are system-defined correlation rules. In addition, you can create your own correlation rules. A correlation rule is made up of correlation circuits. Correlation circuits are made up of correlation statements.

For a mapping of the NIC rules to their CRL counterparts, see Mapping of NIC Rules to CRL Rules.

Note: To use the correlation rules in the package, you must be running version 3.7.0 or higher.

Mapping of NIC Rules to CRL Rules

In an effort to improve the behavior of correlated alerts, RSA created a set of CRL rules meant to eventually replace the older NIC rules. The following table lists the mapping from the NIC rules to their CRL counterparts.

NIC Rule                       CRL Rule
NIC002                         CRL-00002-01
NIC003                         CRL-0003-1.02, CRL-00003-01
NIC005                         CRL-00005-1.10
NIC006                         CRL-00005-1.10
NIC007                         CRL-00007-1.10
NIC008                         CRL-00008
NIC009                         CRL-00005-1.10
NIC010                         CRL-00010-1.00
NIC011                         CRL-00011-1.00
NIC012                         CRL-00012
NIC016                         CRL-00016
NIC023                         CRL-00023, CRL-00023-01, CRL-00023-02
NIC027                         CRL-00013, CRL-00013-01, CRL-00013-02
NIC031                         CRL-00014, CRL-00103
NIC036                         CRL-00036
NIC037                         CRL-00037, CRL-00037-01
NIC040                         CRL-00040-1.0
NIC040_CPFW
NIC040_PIXFW
NIC044                         CRL-00044
NIC_SUSPICIOUS_WORM_ACTIVITY   CRL-00102

Correlated Rules to Event Source Mapping

This table summarizes each correlated rule, lists the device class to which the rule belongs, and lists the event sources that the rule supports.

CRL-00002-01: Excessive Inbound Connections Denied by Firewalls
Summary: This rule detects excessive denied inbound connections across a firewall. The rule can be used to determine the host machines of potential intruders.
Supported event sources: Firewall: Cisco PIX, CheckPoint

CRL-00003-01: Port Scan Detected by a Device
Summary: This rule monitors a variety of classes for specific port scan events that event sources detect. Port scan events can be the precursor to an actual attack as they are commonly used to probe for open ports on any IP address.
Supported event sources: IDS: Entercept, Dragon IDS, NFR IDS, Snort, Symantec Network Security, ISS RealSecure, Cisco Secure IDS, IntruShield; IPS: Mazu Profiler; Firewall: Juniper Networks NetScreen Firewall, CyberGuard Classic, Sonicwall-FW, Symantec Enterprise Firewall, Cisco PIX Firewall, Cisco ASA

CRL-0003-1.02: Port Scan Detected
Summary: This rule inspects all traffic reported by firewalls for a single source trying to create connections on 20 ports within a given time frame. The correlation can identify potentially malicious sources as a port scan is typically used before an attack.
Supported event sources: All Firewall event sources

CRL-00005-1.10: Log Source Not Restarted After Reboot/Restart Command Issued Within 10 Minutes
Summary: This rule detects if an event source on the network does not restart after being rebooted. This rule can minimize downtime by quickly identifying event sources that need attention.
Supported event sources: All Windows Host, Mainframe, Unix, Router, and Switch event sources

CRL-00007-1.10: Log Source Component Under Sustained High Temperature Conditions over the Past 10 Minutes
Summary: This rule detects that a log source or monitored event source experienced sustained high temperature conditions against its internal components. The rule inspects the temperature events generated by event sources in the enterprise environment.
Supported event sources: Router: Cisco Router, Nortel; Switch: Foundry Switch; Firewall: IOS Firewall, Juniper Networks NetScreen Firewall; Storage: Network Appliance Data ONTAP

CRL-00008: Active SYN Flood Attack Detected by IDS-IPS or Firewall Devices
Summary: This rule filters the SYN Flood events detected by security event sources in an enterprise environment.
Supported event sources: IDS: Dragon IDS, ISS RealSecure, Cisco Secure IDS XML, Snort, Lancope StealthWatch, NFR NIDS; Firewall: Secure Computing Sidewinder G2, CyberGuard Classic, Juniper Networks NetScreen Firewall, Sonicwall-FW; Router: Cisco Router/IOS Firewall

CRL-00010-1.00: Multiple Login Attempts to a Security Device
Summary: This rule inspects all failed logon events to known security event sources and monitors access attempts to the security event sources that monitor the network.
Supported event sources: All event sources

CRL-00011-01: Possible Successful Brute Force Attack Detected
Summary: This rule detects a brute force password attack against an event source. The rule correlates a number of failed logons with a successful logon to a specific account.
Supported event sources: All NIC System, Windows Hosts, Access Control, Firewall, IDS, IPS, and VPN event sources

CRL-00011-1.00: Several Failed Logins Followed by a Successful Login
Summary: This rule examines the failed and successful logon attempts detected by firewall-class event sources for indications of password-based attacks.
Supported event sources: All Firewall event sources

CRL-00012: Attacks Exploiting Microsoft Directory Service Vulnerability Detected by IPS-IDS Devices
Summary: This rule filters events from IDS and IPS event sources and detects an attack that exploits the Microsoft Directory Service product.
Supported event sources: All IPS and IDS event sources

CRL-00013: Unusual Number of Failed User Login Attempts via Remote Connections to the Same Event Destination
Summary: This rule detects any failed logon event and determines if the logon attempt was from a remote location. This correlation could indicate a brute force attack on an internal asset from a remote location.
Supported event sources: All NIC: All discovered event sources in the current environment, with a special emphasis on Windows events

CRL-00013-01: Numerous Failed User Login Attempts Locally to the Same Event Source
Summary: This rule detects any failed logon event that occurs on a local machine and checks the frequency of such events against the normal baseline for the entire network. This correlation could indicate a brute force attack on an internal asset.
Supported event sources: All NIC: All discovered event sources in the current environment, with a special emphasis on Windows events

CRL-00013-02: Numerous Failed Service Account Login Attempts to the Same Event Source
Summary: This rule detects any type of failed logon event that occurs on a local machine and checks the frequency of such events against the normal baseline of the entire network. This correlation could indicate that a service is incorrectly configured.
Supported event sources: All NIC: All discovered event sources in the current environment, with a special emphasis on Windows events

CRL-00013-04: Increase in Failed Remote Login Attempts Detected
Summary: This rule detects numerous failed logons using remote protocols such as SSH/SCP, HTTP, Telnet, or Remote Desktop.
Supported event sources: Hosts: Windows Events (BL, ER, NIC, Snare); All Unix, Firewall, IDS, IPS, VPN, Switch, Router, and Storage event sources

CRL-00013-05: Increase in Failed Interactive User Logins Detected
Summary: This rule detects numerous interactive failed logons to an event source.
Supported event sources: Hosts: Windows Events (BL, ER, NIC, Snare); All Unix, Firewall, IDS, IPS, VPN, Switch, Router, Storage, Database, Access Control, Wireless Devices, System, Configuration Management, Web Logs, Mail Servers, Mainframe, and Application Servers event sources; Midrange: IBM iSeries AS/400

CRL-00013-06: Increase in Failed Service Account Logins Detected
Summary: This rule detects numerous failed logons to an event source.
Supported event sources: Hosts: Windows Events (BL, ER, NIC, Snare); All Unix, Firewall, IDS, IPS, VPN, Switch, Router, Storage, Database, Access Control, Wireless Devices, System, Configuration Management, Web Logs, Mail Servers, Mainframe, and Application Servers event sources; Midrange: IBM iSeries AS/400

CRL-00014: Low-Privileged or Guest Account Added to Administrative Group
Summary: This rule inspects events from any event source for users being added to a group. The user name and group name are then checked against two watchlists to determine whether the user is an administrator and whether the group has administrative privileges. The addition of a user who is not an administrator to a group with administrative privileges may indicate malicious privilege escalation activity.
Supported event sources: All NIC: All discovered event sources in the current environment

CRL-00016: Attacks Exploiting HTTP Cold Fusion Vulnerabilities Detected by IDS or IPS Devices
Summary: This rule monitors events from specific IDS or IPS event sources and detects a burst of attacks that exploit the vulnerabilities in HTTP Cold Fusion products.
Supported event sources: IDS: Dragon IDS, ISS RealSecure, Entercept, Snort, IntruShield, Cisco Secure IDS XML, Cisco Secure IDS

CRL-00023: Event Source No Longer Sending Events
Summary: This rule detects when an event source stops sending log messages, indicating incorrectly configured hardware or software, or a hardware or software failure.
Supported event sources:
  Hosts: Windows Events (ER, NIC, Snare)
  Unix: IBM AIX, Hewlett-Packard UNIX, Apple Mac OS X, Nokia IPSO, Linux, Solaris, Solaris BSM
  Firewall: Cisco ASA, Cisco PIX, CyberGuard Classic Firewall, CyberGuard Firewall, Fortinet FortiGate Antivirus Firewall, Secure Computing Sidewinder G2 Security Appliance, SonicWALL Firewall, Symantec Enterprise, Check Point Security Suite NG/NGX
  IDS: Cisco Security Agent, McAfee IntruShield, NFR NIDS, SNORT, Lancope StealthWatch, Symantec Intruder Alert, Symantec Network Security, TippingPoint Security Management System (SMS), McAfee Host Intrusion Prevention, Cisco Secure Intrusion Detection/Prevention System, Enterasys Dragon, IBM ISS SiteProtector
  IPS: Arbor Networks Peakflow SP5, Mazu Networks Profiler, Top Layer Attack Mitigator IPS
  VPN: Cisco VPN 3000 Concentrator, F5 Firepass SSL VPN, Intel NetStructure VPN, Nortel Networks Contivity VPN Switch, SonicWall E-Class SRA Aventail SSL VPN
  Switch: F5 BigIP, Cisco Content Services Switch, Cisco Switch, Extreme Networks ExtremeWare Switch, Foundry Networks Switch, Hewlett-Packard ProCurve Switch
  Router: Nortel Passport 8600 Routing Switch, Cisco Router
  Storage: EMC Celerra, Network Appliance Data ONTAP, EMC Symmetrix Solutions Enabler
  Database: IBM DB2 Universal Database, Microsoft SQL Server, Oracle Database, Sybase Adaptive Server Enterprise
  Access Control: Novell eDirectory, NetContinuum Web Application Firewall, Top Layer Secure Edge Controller, ActivIdentity 4TRESS AAA Server, Cisco Secure Access Control Server, Microsoft Internet Authentication Service, RSA Access Manager, RSA Authentication Manager and User Credential Manager
  Wireless Devices: Motorola AirDefense Enterprise Console, AirMagnet Enterprise, Aruba Networks Mobility Controller
  Configuration Management: Solsoft NP, Microsoft System Center Operations Manager 2007, Tripwire Enterprise
  Web Logs: Websense Web Security Suite, Apache HTTP Server, Blue Coat System CacheOS, Cisco Content Engine, IBM Websphere Application Server, Microsoft Internet Information Services, Microsoft Internet Security and Acceleration Server, Network Appliance NetCache
  Mail Servers: Lotus Domino, Microsoft Exchange Server
  Mainframe: IBM OS390/ZOS (Mainframe SMA_RT), IBM Mainframe RACF, IBM Mainframe Top Secret, CA ACF2
  Midrange: IBM iSeries AS/400
  Application Servers: Microsoft Dynamic Host Configuration Protocol Server
  Network: Avocent IP KVM, Cisco Security Manager
  Anti virus: CipherTrust IronMail, Symantec Endpoint Protection, Trend Micro OfficeScan and Control Manager, McAfee ePolicy Orchestrator, McAfee VirusScan Enterprise

CRL-00023-01: Event Source Inactive for the Past 4 Hours
Summary: This rule detects if any event source has stopped sending event data in the past four hours.
Supported event sources: All NIC: All discovered event sources in the current environment

CRL-00023-02: Event Source Inactive for the Past 24 Hours
Summary: This rule detects if any event source has stopped sending event data in the past twenty-four hours.
Supported event sources: All NIC: All discovered event sources in the current environment

CRL-00036: High Number of DoS Attack Alerts
Summary: This rule examines denial of service (DoS) attack alerts to determine if an active attack on the network is occurring. The rule inspects the events detected by the IDS, IPS, and Firewall device classes in an enterprise environment.
Supported event sources: All IDS, IPS, and Firewall event sources

CRL-00037: Backdoor-type Activity Originating From External Networks Detected
Summary: This rule examines attack alerts for backdoor activities in the network by an attacker in the external network. The rule inspects the events detected by the IDS, IPS, and Firewall device classes in an enterprise environment.
Supported event sources: All IDS, IPS, and Firewall event sources

CRL-00037-01: Backdoor-type Activity Observed Within Internal Networks
Summary: This rule examines attack alerts for backdoor activities in the network by an attacker in the internal network. The rule inspects the events detected by the IDS, IPS, and Firewall device classes in an enterprise environment.
Supported event sources: All IDS, IPS, and Firewall event sources

CRL-00040-1.0: Increase in Inter-Zone Remote Management Connections
Summary: This rule detects a significant increase in the number of remote management connections. This activity may indicate a malicious user probing different ports to map the network.
Supported event sources: All Firewall event sources

CRL-00044: Excessive Inbound Connections Denied from a Single IP Address
Summary: This rule inspects the firewall for denied connections that have been labeled as an inbound connection across a firewall or router. The rule helps find potential hostile hosts and users trying to access resources on the other side of a firewall or router.
Supported event sources: All Firewall and Router event sources

CRL-00101: Large Number of Attack Events from Internal IP Addresses Detected by IDS Devices
Summary: This rule detects attacks occurring from an internal IP address and terminating at an internal IP address. This activity could indicate that an internal attack is occurring or an internal address is being spoofed.
Supported event sources: All IDS event sources

CRL-00102: Worm Activity Originating on the Internal Network
Summary: This rule detects worm activity occurring on the internal network of an enterprise.
Supported event sources: All IDS, IPS, and Firewall event sources

CRL-00103: Elevation of User Privileges Detected on a Log Source
Summary: This rule detects events that involve the addition of users to groups. The user name and group name are checked against two watchlists containing the known administrators and the groups with administrative privileges assigned to them. The addition of a user who is not an administrator to a group with administrative privileges may indicate malicious intent.
Supported event sources: All NIC: All discovered event sources in the current environment

CRL-00105: Successful Backdoor Attack
Summary: This rule detects successful backdoor attacks. A successful attack is indicated by a backdoor attack intercepted by security event sources, followed by a connection between the attacker and the destination of the attack.
Supported event sources: All IDS, IPS, and Firewall event sources

CRL-00106: Successful Denial of Service Attack
Summary: This rule detects successful denial of service (DoS) attacks. A successful attack is indicated by a DoS attack intercepted by security event sources, followed by a system failure event from the destination of the attack.
Supported event sources: All NIC: All discovered event sources in the current environment

CRL-00107: Possible Tampering of System Audit / Logs Detected
Summary: This rule detects if a log system has been enabled or disabled, or has encountered some type of error. The rule also detects if logs have been deleted on some systems.
Supported event sources: Windows: Windows Events (BL, ER, NIC, Snare); IDS: ISS RealSecure; Web Logs: Cisco Content Engine; Router: Cisco Router/IOS Firewall, Juniper JUNOS Router; Switch: Cisco Switch; Firewall: Juniper Networks NetScreen Firewall; Unix: Solaris, IBM AIX; VPN: Juniper SSL VPN

CRL-00108: Possible ARP Poisoning Activity Detected
Summary: This rule detects if ARP poisoning is occurring on the network. ARP poisoning can lead to denial of service and can compromise information.
Supported event sources: IDS: Intrushield, Symantec Network Security, Cisco Secure IDS, Cisco Secure IDS XML; Switch: ExtremeWare, Cisco Content Switch, Cisco Switch; Firewall: Juniper Networks NetScreen Firewall, Cisco ASA, Cisco PIX Firewall, SonicWALL-FW, Symantec Enterprise Firewall; Configuration Management: Netscreen-Security Manager; Unix: Nokia IPSO, Apple Mac OS X; VPN: Nortel VPN Contivity; Router: Cisco Router/IOS Firewall

CRL-00109: Windows Service State Change
Summary: This rule detects if a Windows service has been stopped, started, or restarted. The rule also detects if the startup behavior of a service has been modified.
Supported event sources: Windows Hosts: Windows Events (BL, ER, NIC, Snare)

CRL-00110: Detection of Clear-Text Confidential Information using RSA enVision Correlation
Summary: This correlation rule set assists in the identification of patterns of information in clear text within the payload of events that may be confidential. The rule set is a collection of the rules CRL-00110-DB, CRL-00110-Hosts, CRL-00110-File Integrity, CRL-00110-Email, CRL-00110-Web, and CRL-00110-IDS.
Supported event sources: All Windows Hosts, Unix, Database, Configuration Management, Mail Servers, Web Logs, IDS, and IPS event sources

CRL-00111: Possible Spoofing Activity Detected
Summary: This rule detects possible network spoofing activity by inspecting the events reported by event sources that are associated with spoofing.
Supported event sources: All Switch, Router, Firewall, Windows Hosts, Wireless Devices, and Unix event sources

CRL-00112: Removable Storage Removed from a Windows Event Source
Summary: This rule monitors Windows events involving USB storage.
Supported event sources: Windows Hosts: All Windows Hosts event sources

CRL-00115: Attacks Exploiting Vulnerabilities in SANS TOP-20 2007 Observed
Summary: This rule monitors events from IDS and IPS event sources to detect attacks that exploit the vulnerabilities in the SANS TOP-20 2007 list.
Supported event sources: IDS: Dragon IDS, ISS RealSecure, Tipping Point, Snort, Cisco Secure IDS XML; IPS: NetScreen IDP

CRL-00116: BotNet Detection Rule Pack
Summary: This rule set detects machines that may be part of a BotNet inside your network.
Supported event sources: All NIC: All discovered event sources in the current environment

CRL-00117: Log Collection Stopped due to Filled Disk Capacity
Summary: This rule monitors an RSA enVision system to detect if log collection has stopped due to filled disk capacity. This rule inspects specific messages that the enVision system generates regarding log collection and disk capacity.
Supported event sources: All NIC: All discovered event sources in the current environment

CRL-00118: Disk Array Capacity Approaching Threshold
Summary: This rule examines several specific message IDs to determine if an event source or system is approaching maximum disk capacity.
Supported event sources: System: All NIC system event sources; Windows Hosts: Windows Events (BL, ER, NIC, Snare); Database: Microsoft SQL Server; Unix: Nokia IPSO; Firewall: Fortinet Antivirus Firewall, CyberGuard Classic; Mail Servers: Microsoft Exchange; Web Logs: Cisco Content Engine; Anti virus: McAfee ePolicy Orchestrator, CipherTrust IronMail, McAfee Virus Scan; Storage: Network Appliance Data ONTAP; VPN: Nortel VPN Contivity; Router: Cisco Router/IOS Firewall

CRL-00119: Password Change on a Known Privileged User Account Detected
Summary: This rule detects password changes to known privileged user accounts. Unauthorized password changes to these accounts can have a significant impact on network functionality and data integrity or confidentiality.
Supported event sources: Windows Hosts: Windows Events (BL, ER, NIC, Snare); Unix: IBM AIX, HPUX/FreeBSD, Linux; VPN: Aventail SSL VPN, Cisco VPN 3000, Juniper SSL VPN, Nortel VPN Contivity; All NIC: NIC System; Database: Sybase ASE, Microsoft SQL Server, Oracle; Configuration Management: Tripwire Enterprise; Firewall: Juniper Networks NetScreen Firewall

CRL-00120: Revocation of User Privileges Detected
Summary: This rule inspects events from a selection of common event sources used within a network for revocation of user permissions. The rule detects removal of users from user groups or changes to the user level of users within the system.
Supported event sources: Windows Hosts: All Windows Hosts event sources; Unix: All Unix event sources; Firewall: All Firewall event sources; IDS: ISS RealSecure; Configuration Management: Solsoft NP

CRL-00121: Unusual Number of Failed Vendor User Login Attempts
Summary: This rule detects an increase in failed logon attempts using a vendor default account. Such attempts could indicate a brute force attempt to break into event sources from malicious locations. This alert is important for PCI-compliant organizations.
Supported event sources: Hosts: Windows Events (BL, ER, NIC, Snare); All Unix, Firewall, IDS, IPS, VPN, Switch, Router, Storage, Database, Access Control, Wireless Devices, System, Configuration Management, Web Logs, Mail Servers, Mainframe, and Application Servers event sources; Midrange: IBM iSeries AS/400

CRL-00122: Active Directory Schema Change Detected
Summary: This rule detects a change in the schema of a Microsoft Active Directory installation. An unauthorized change in the schema could indicate activity such as addition or deletion of users or modification of permissions. Such changes could indicate denial of service or unauthorized access to data.
Supported event sources: Windows Hosts: Windows Events (BL, ER, NIC, Snare)

CRL-00123: Possible Non-PCI Compliant Inbound Network Traffic Detected
Summary: This rule monitors inbound connections into secure event sources over non-compliant ports as specified by PCI compliance practices.
Supported event sources: All Router and Firewall event sources

CRL-00124: Failed Logins Exceeded 6 Login Attempts Without a Lockout Event
Summary: This rule detects failed logons. To be PCI-compliant, user accounts should be locked out after six failed logon attempts, depending on the capability of the monitored event source to lock out user accounts.
Supported event sources: IDS: Intrushield, Symantec Network Security, Cisco Secure IDS, Cisco Secure IDS XML; Switch: Extremeware, Cisco Content Switch, Cisco Switch; Firewall: Juniper Networks NetScreen Firewall, Cisco ASA, Cisco PIX Firewall, Sonicwall-FW, Symantec Enterprise Firewall; Configuration Management: Netscreen-Security Manager; Unix: Nokia IPSO, Apple Mac OS X; VPN: Nortel VPN Contivity; Router: Cisco Router/IOS Firewall

CRL-00125-01: Configuration Change on Security Device Intercepted
Summary: This rule detects a change in a core security event source, such as an IDS, IPS, Firewall, or VPN event source. If unexpected, such changes can lead to reduced security, denial of service, or leaking of confidential information.
Supported event sources: All IDS, IPS, Firewall, and VPN event sources

CRL-00125-02: Configuration Change on Network Device Intercepted
Summary: This rule detects a change in a core network event source, such as a router or a switch. If unexpected, such changes can lead to denial of service or leaking of confidential information.
Supported event sources: All Router and Switch event sources

CRL-00126: Configuration Change made on PCI Database System
Summary: This rule detects a configuration change in a PCI-compliant database system. Configuration changes include data changes and permission changes. If unauthorized, these changes can result in compromised data integrity or data theft.
Supported event sources: All Database event sources

CRL-00127: New User Account Created but Initial Password Not Changed
Summary: This rule detects if the password of a newly created account is not changed after twenty-four hours. The longer these account passwords remain unchanged, the greater the chance of compromise, such as unauthorized access.
Supported event sources: All Windows Hosts and Unix/Linux event sources

CRL-00136: Possible System Instability State Detected
Summary: This rule detects if a system has become unstable. The rule inspects for conditions including:
  - Multiple restart, reboots, or shutdowns in a given time frame
  - Creation of memory dump files on Windows and Linux systems
  - Startup events not preceded by a shutdown or restart command
Supported event sources: All Windows Hosts, Router, Switch, VPN, Unix, and NIC event sources; Configuration Management: Tripwire Enterprise

CRL-00137: Unusual File Access Activity surrounding Important Event Source Files
Summary: This rule detects any unusual access of files or directories that are defined in a watchlist of files or directories that should not be accessed or should be accessed only by privileged users. Access includes traversing, opening, creating, modifying, and deleting files or directories.
Supported event sources: All Windows Hosts event sources, Tripwire Enterprise; All Configuration Management event sources

CRL-00139: Compliance: Successful Login Attempt(s) Using a Vendor Default Account Detected
Summary: This rule detects successful logon attempts using a vendor default account. This alert is important for PCI-compliant organizations. Successful logons from a vendor account can indicate a security breach in the account.
Supported event sources: All Windows Hosts, Unix, Firewall, IDS, IPS, VPN, Switch, Router, Storage, Database, Access Control, Wireless Devices, System, Configuration Management, Mail Servers, Mainframe, and Application Servers event sources; Midrange: IBM iSeries AS/400

CRL-00140: Increase in P2P Traffic Detected in the Environment Within the Past 5 Minutes
Summary: This rule detects an increase in peer-to-peer (P2P) traffic in the environment for the past five minutes. P2P traffic can slow down the network and allow users to download potentially harmful files without the administrator's knowledge. This rule can also be used to discover faults in or backdoors to the network configurations.
Supported event sources: All Router, Firewall, IDS, and IPS event sources

CRL-00141: P2P Software Running as Active Process on Event Source
Summary: This rule detects active P2P processes running on event sources inside an organization. P2P traffic can slow down the network and allow users to download potentially harmful files without the administrator's knowledge. This rule can be used to discover breaches of security policies in an environment.
Supported event sources: Windows Hosts: Windows Events (BL, ER, NIC, Snare)

CRL-00143: Increase in File Transfer Activity Using Instant Messaging Detected
Summary: This rule detects an increase in file transfer activity using Instant Messaging (IM) for the past five minutes. The rule can be used to discover faults in or backdoors to the network configurations as well as breach of policy related to file transfer within the network.
Supported event sources: All Router, Firewall, IDS, and IPS event sources

CRL-00147

Active DirectoryPolicy Modified

This rule detects themodification of anActive Directory policy object. Such amod-ification can indicate a privilege escalationor loss of access and can result in unauthor-ized access or more serious compromises.

Windows Hosts:Windows Events (BL,ER, NIC, Snare)

CRL-00148

Errors in ActivePulling of EventsDetected

This rule detects that theWindows Agen-tless, ODBC, File Reader, or XML servicehas encountered errors while attempting togather events from an event source in anenterprise environment. These types oferrors may indicate system problems or fail-ures of the event source.

System:All NIC system event sources

CRL-00149

Errors Detected inSFTP Collection

This rule determines if the NIC SFTP Serv-ice has encountered errors gatheringevents from various event sources. Anerror in extracting events may indicate asystem or network failure arising from anycause frommisconfiguration to networkattack.

System: Tripwire Enterprise, RSA SecuritySecurID, Microsoft SQL Server, MicrosoftISA Server, Microsoft IIS, MicrosoftExchange Server, Juniper Steel-BeltedRadius, Cisco Access Control Server

CRL-00151

Possible enVisionService HangDetected

This rule detects if an enVision service hashung or crashed unexpectedly. Such anevent may indicate a successful denial ofservice attack to an enVision resource.

System:NIC Alerter, NIC Collector, NICLocator, NIC Logger, NIC File Reader, NICPackager, NIC SDEE Collection, NICServer, NIC Web Server, NIC WindowsService, NIC DB Report Server

CRL-00153

Critical Alerting ErrorDetected

This rule detects if a critical alerting erroroccurred on enVision, whichmay indicateerrors, such as database connection errors.

Network System or NIC System:All Sys-tem Alerts

CRL-00154

Critical Web ServiceError Detected

This rule detects if a critical web serviceerror has occurred on enVision.

Network System or NIC System:All Sys-tem Alerts

CRL-00155

EPSWarning - EPSApproaching LicenseLimits

This rule detects increases in the number ofincoming events to the RSA enVision plat-form that approach the EPS license limit.An increasemay result from a newly addedevent source or a defective event source.An increasemay also indicate that anattacker is trying to hidemalicious activityinside an event flood.

Network System or NIC System:All Sys-tem Alerts

CRL-00156

EPS Critical Error,Event Drop has beenDetected

This rule detects that the number of incom-ing events to RSA enVision has increasedto the extent that enVision is droppingevents and not collecting the events. Anincreasemay result from a newly addedevent source or a defective event source.

Network System or NIC System:All Sys-tem Alerts

20 Correlated Rules to Event Source Mapping

Page 21: enVision_CRL_rules.pdf

RSA enVision Correlation Rules

CRL Summary Supported Event SourcesAn increasemay also indicate that anattacker is trying to hidemalicious activityinside an event flood.

CRL-00157

enVision ContentUpdate FailureDetected

This rule detects if any error has occurredduring the enVision content update proc-ess. Failure of an update can lower thelevel of accuracy of themessages gen-erated by the system.

Network System or NIC System:All Sys-tem Alerts

CRL-00158

Errors Detected inenVision DB System

This rule detects errors that impact theenVision DB system. This rule detectserrors from LSIndex, DBConfig, Packager,andODBC components. These errors indi-cate that enVision is not fully functional,and, as a result, malicious events may goundetected.

Network System or NIC System:All Sys-tem Alerts

CRL-00159

Critical ErrorDetected in the NIC Packager Service

This rule detects a critical error conditionwithin the Packager component.

All NIC:All discovered event sources inthe current environment

CRL-00160

Possible NetworkPerformanceDegradationDetected

This rule detects excessive network-related errors reported by Network andSecurity event sources, such as switches,routers, and firewalls, which can have a sig-nificant impact upon network performance.

All Switch, Router, and Firewall eventsources

CRL-00161

Possible Corruptionof Event Data Storedwithin the IPDB

This rule detects a number of possibleIPDB corruption events as reported by theRSA enVision system. These events couldindicate data tampering or hardware issueson the appliance itself.

Network System:All System Alerts

CRL-00162

Account PrivilegeElevation Followedby Restoration ofPrevious AccountState within a 26Hour Period

This rule detects if a user has been addedto and then removed from the same groupwithin twenty-six hours. This activity couldindicate that an account is being used formalicious activity against a network byelevating a user’s privileges temporarily toperform themalicious activities.

Hosts:Windows Events (BL, ER, NIC,Snare)Firewall:Cisco PIX Firewall, Cisco ASA

CRL-00163

RSA enVision DiskWarning

This rule detects conditions where the avail-able log storage for RSA enVision reachescritical levels that threaten to shut down logcollection or have already shut down log col-lection.

NIC System:All System Alerts

CRL-00190

Potential PhishingAttack

This rule detects and alerts users of sus-picious activity that strongly suggests thata fraudulent site is active.

Web Logs:Apache HTTP Server, Micro-soft Internet Information Services, BlueCoat Systems Security Gateway OS

Correlated Rules to Event Source Mapping 21

Page 22: enVision_CRL_rules.pdf

zzRSA enVision Correlation Rules

CRL Summary Supported Event SourcesCRL-00191

Potential PhishingAttack

This rule detects suspicious activities thatcould indicate that an active phishing siteexists.

Web Logs:Apache HTTP Server, Micro-soft Internet Information Services, BlueCoat Systems Security Gateway OS

CRL-00192-01

Policy AccessViolation

This rule detects improper use of IT sys-tems by detecting logon activities asso-ciated with either sharing credentials orfailing to properly log off of systems.

Windows event logs:Aventail SSL VPN,Cisco VPN 3000, Citrix Access Gateway,F5 Firepass, Intel VPN, Juniper SSL VPN,Nortel VPN Contivity

CRL-00192-02

Policy AccessViolation

This rule detects improper use of IT sys-tems by detecting logon activities asso-ciated with either sharing credentials orfailing to properly log off of systems.

Windows event logs:Aventail SSL VPN,Cisco VPN 3000, Citrix Access Gateway,F5 Firepass, Intel VPN, Juniper SSL VPN,Nortel VPN Contivity

CRL-00193

Malware Drive-ByDownload

This rule sends an alert whenmalware isdownloaded and installed in yourenvironment. This rule set is made up of thefollowing rules:

l CRL-00193-01

l CRL-00193-02

l CRL-00193-03

Web Logs:CRL-00193-01: Blue CoatSystems Security Gateway OSWeb Logs:CRL-00193-02: Tripwire Enter-priseWeb Logs:CRL-00193-03: Blue CoatSystems Security Gateway OS

CRL-00194

Instant MessagingKeyword FilteringRule

This rule filters keywords from instant mes-saging sessions logged by a Blue CoatProxy Security Gateway appliance. Thisrule detects anomalies or breach of adher-ence to internal trade-restrictive policiesusing internal instant messaging sessionlogs.

Web Logs:Blue Coat Systems ProxySGSGOS

CRL-00195

Search EngineOptimizationPoisoning

This rule detects malware downloadsthrough search engine optimization (SEO)poisoning.

Web Logs:Blue Coat Systems ProxySGSGOS

CRL-00196

Redirection toMalicious Web SitesThrough a Short URL

This rule detects drive-by downloadattacks, in which a user is redirected to amalicious web site through a short URL.

Web Logs:Blue Coat Systems ProxySGSGOS

CRL-00197

Post FormRedirectionMalware

This rule detects data that is compromisedthrough Post Form redirectionmalwareattacks.

Web Logs:Blue Coat Systems ProxySGSGOS

CRL-00198

Backscatter

This rule detects an increase above theaverage number of Non Delivery Reportssent by amail server.

Mail Server:Microsoft Exchange Server

CRL-00199

FairWarningSnooping

This rule detects if any violators caughtsnooping by FairWarning Privacy Mon-itoring are also detected by RSA Data LossPrevention Suite (DLP) to be involved indata leakage.

Analysis: FairWarning Privacy MonitoringDLP:RSA DLP

22 Correlated Rules to Event Source Mapping

Page 23: enVision_CRL_rules.pdf

RSA enVision Correlation Rules

CRL Summary Supported Event SourcesCRL-00200

FairWarning FailedLogins

This rule detects themisuse of employeeaccounts by identifying anomalous logonactivity.

Analysis: FairWarning Privacy MonitoringAll Access Control, Analysis, DLP, VPN,Unix, Virtualization, and Database eventsources

CRL-00201

DNS Fast FluxDetection Kit

This rule detects and alerts on possibleDNS fast-flux domains.

Web Logs:Blue Coat Systems ProxySGSGOS

Correlated Rules to Event Source Mapping 23

Page 24: enVision_CRL_rules.pdf

zzRSA enVision Correlation Rules

CRL-00002-01

Overview

Name: Excessive Inbound Connections Denied by Firewalls

Purpose: Correlation rule CRL-00002-01 is triggered by excessive denied inbound connections across a firewall. This rule finds the host machines of potential intruders and also detects if a particular user is trying, and subsequently failing, to access a resource inside a firewall.

This rule revises the default correlation rule NIC002, which is included with RSA enVision. The revised rule uses the device class associated with firewalls and the event classes associated with denied connections. This ensures that any new firewalls added later are supported by this correlation rule without further updates.

Audience: This rule is intended for organizations that are concerned with monitoring heavy inbound network traffic.

Reference Material:
- Existing correlation rule NIC002
- The RSA event listings for supported firewall event sources

Requirements

Device Class or Systems: Correlation rule CRL-00002-01 is generic and not dependent on any specific event source or event. This rule revises the existing correlation rule NIC002, which only triggers on certain denied connections from Cisco PIX or Check Point firewalls.

Technical Analysis

Rule Logic: Unlike the existing rule, the revised rule monitors all event sources under the Firewall device class, the direction of the connection relative to the firewall in question, and any event that denies a connection. The rule selects the Security.Firewall device class and any event whose event category starts with Network.Denied Connections and whose in-out value is one (signifying an inbound connection). This ensures that the rule is compatible with any new firewall support that may be created in the future.

A threshold based on empirical observations of denied-connection activity in large enterprise networks is used to enhance the accuracy of the rule. A 25 percent increase in five minutes over the baseline average of denied connections triggers this alert.

Multithreading is used to enhance the performance of the rule. The work is partitioned on the following variables:
- enVision Device IP Address
- enVision Site

When conditions trigger this correlation rule, you should do the following:
- Check the source IP address to determine whether this is expected traffic or traffic that should be monitored more closely.
- Analyze the source IP addresses and destination ports. Multiple source IP addresses with similar destination ports could indicate malicious activity.
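To make the selection and baseline logic concrete, the following Python sketch applies the same three filters (Security.Firewall device class, an event category starting with Network.Denied Connections, in-out value of one), counts matches per five-minute window, and flags a window that exceeds the average of the earlier windows by 25 percent. It is an added example written for this page, not the enVision rule definition or RSA code. The event field names (`device_class`, `category`, `inout`, `src`, `dport`), the value 0 for an outbound connection, the requirement of two earlier windows before a baseline is trusted, and the sample events are all assumptions of the example.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)
INCREASE = 0.25            # alert when a window exceeds the baseline by 25 percent
MIN_BASELINE_WINDOWS = 2   # assumption: need at least two earlier windows for a baseline


def is_denied_inbound(event):
    """Selection described for CRL-00002-01: firewall device class, an event
    category starting with 'Network.Denied Connections', and in-out == 1."""
    return (event["device_class"] == "Security.Firewall"
            and event["category"].startswith("Network.Denied Connections")
            and event["inout"] == 1)


def bucket(events, start):
    """Count selected events per fixed five-minute window, counted from `start`."""
    counts, detail = Counter(), defaultdict(list)
    for ev in events:
        if is_denied_inbound(ev):
            idx = int((ev["time"] - start) // WINDOW)
            counts[idx] += 1
            detail[idx].append(ev)
    return counts, detail


def check_windows(events, start):
    """Return one finding per window whose count is more than INCREASE above the
    average of all earlier windows (the 'baseline average' of the rule)."""
    counts, detail = bucket(events, start)
    findings = []
    for idx in range(max(counts, default=-1) + 1):
        history = [counts.get(i, 0) for i in range(idx)]
        if len(history) < MIN_BASELINE_WINDOWS:
            continue
        baseline = sum(history) / len(history)
        current = counts.get(idx, 0)
        if baseline > 0 and current > baseline * (1 + INCREASE):
            # Triage data the rule's follow-up steps ask for: which sources, which ports.
            findings.append({
                "window": idx, "count": current, "baseline": baseline,
                "sources": Counter(ev["src"] for ev in detail[idx]),
                "ports": Counter(ev["dport"] for ev in detail[idx]),
            })
    return findings


def make_sample():
    """Constructed events: three quiet windows, then a burst against port 445."""
    t0 = datetime(2010, 7, 30, 10, 0, 0)

    def ev(minute, src, dport, inout=1):
        return {"time": t0 + timedelta(minutes=minute), "device_class": "Security.Firewall",
                "category": "Network.Denied Connections", "inout": inout,
                "src": src, "dst": "10.0.0.10", "dport": dport}

    # Background: four denied inbound connections in each of three windows.
    events = [ev(w * 5 + k, f"198.51.100.{k + 1}", 22 + k) for w in range(3) for k in range(4)]
    # An outbound denial (0 is an assumed in-out value) is not selected by the rule.
    events.append(ev(1, "10.0.0.20", 80, inout=0))
    # Fourth window: twelve denied inbound connections from four sources to port 445.
    events += [ev(15 + k % 5, f"203.0.113.{k % 4 + 1}", 445) for k in range(12)]
    return events, t0


if __name__ == "__main__":
    for f in check_windows(*make_sample()):
        print(f"window {f['window']}: {f['count']} denied inbound vs baseline {f['baseline']:.1f}; "
              f"sources {dict(f['sources'])}; ports {dict(f['ports'])}")
```

The per-window source and port counters are what the two follow-up steps above need: several sources converging on one port in the flagged window is the pattern the rule text calls out as suspicious.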

CRL-00002-01.1: After installing rule CRL-00002-01.1, you must create a view to monitor for events created by the rule.

CRL-00002-01-1.00: After installing rule CRL-00002-01-1.00, you must create a view to monitor for events created by the rule.

The firewalls must be properly configured to send the required events into the system; in this case, all denied connections should be logged. The sample data contains a large number of denied-connection events from a Cisco ASA event source collected by an enVision appliance. Part of this rule checks that the connection is inbound (based on the IP addresses in the messages), so when testing you may need to modify the source and target IP addresses so that the "inout" variable is set to one.

You should set the IP address of the Cisco ASA event source to the same IP address as that in the syslog header of the sample file or, at least, ensure that the IP address used in the file is not already configured as some other event source.

False Positive Mitigation: The accuracy of this rule is based on the assumption that there will always be at least some denied inbound connections on a firewall. An increase of 25 percent within five minutes may be normal during peak usage hours, depending on network factors such as the number of users and the size of the network. You may need to set a larger window to reduce the number of false positives.

Quick Deployment

RSA enVision Configuration: This rule works with the default enVision configuration settings. The monitored event sources for the rule are the event sources of the Firewall device class.

The current revision of this correlation rule specifies 20 denied connections in a sixty-second time period to trigger an alert. Modify the threshold if you receive a large number of false alarms.

Note: This rule requires the Blacklisted IP addresses watchlist. You can download sample watchlist files from RSA SecurCare Online, import the data, and edit the default values as needed.

CRL-00003-01

Overview

Name: Port Scan Detected by an Event Source

Purpose: CRL-00003-01 monitors a variety of classes for specific port scan events that are detected by event sources. The rule does not assemble a port scan from separate connection events; instead, it looks for port scan events reported by the event source itself. Port scan events can be the precursor to an actual attack, as they are commonly used to probe for open ports on any IP address.

This rule revises the default enVision correlation rule NIC003. The revised rule uses a wider variety of event sources and more events than the existing rule to detect more port scans.

Audience: This rule is intended for organizations that are concerned with monitoring port scans.

Reference Material:
- Existing correlation rule NIC003
- Event definitions within RSA enVision

Requirements

Device Class or Systems: This correlation rule supports the following event sources.

Event Source Class: Security.IDS
Event Source Types: Cisco Secure IDS, Cisco Secure IDS XML, Dragon IDS, Entercept, Intrushield, ISS Realsecure, NFR NIDS, Snort, Symantec Network Security, Tipping Point

Event Source Class: Security.IPS
Event Source Types: Mazu Profiler, Radware DefensePro

Event Source Class: Security.Firewall
Event Source Types: Astaro Security Gateway, Check Point FW-1, Cyberguard Classic, Fortinet Antivirus Firewall, Netscreen

Technical Analysis

Rule Logic: This rule creates an alert from any port scan event detected by any supported event source. Because the classification of the events can sometimes be inconsistent, specific events are used rather than event categories. When new events that specifically cover port scans are added to any supported event source, you should update this rule to include those events.

CRL-00003-01 uses two circuits:
- The High_Severity_PortScan circuit detects all port scan events categorized by an IDS, an IPS, or a firewall as high severity. If the Netblock watchlist contains the source address of the port scan, CRL-00003-01 triggers an alarm for the event.
- The MediumLow_Severity_PortScan circuit detects all port scan events categorized by an IDS, an IPS, or a firewall as medium or low severity. If the number of such events increases by 25 percent over the hourly average and the Netblock watchlist contains the source addresses of the port scans, CRL-00003-01 triggers an alarm.

When conditions trigger this correlation rule, you should investigate the source and target of the port scan to determine whether this activity should be allowed. If the activity is not permitted, block or mitigate it.

RSA enVision Configuration: This rule works with the default enVision configuration settings.

As of the July 2010 Event Source Update, CRL-00003-01 requires a watchlist named Netblock. This watchlist contains IP addresses that are grouped together to form a netblock. You can download the sample watchlists from RSA SecurCare Online and customize the Netblock watchlist.

CRL-00003-01.02

Overview

Name: Port Scan Detected

Purpose: Correlation rule CRL-00003-01.02 inspects the events generated by firewalls in an enterprise environment. The rule examines all traffic reported by firewalls for a single source trying to create connections on 20 ports within a given time frame. This correlation can identify potentially malicious sources, as a port scan is typically used before an attack.

This rule revises the default enVision correlation rule NIC003. The revised rule uses the entire Security.Firewall device class to ensure that it catches port scans regardless of the event source or event types. The rule does not use any specific port scan events, because those events are the end result of an event source detecting a complete port scan on its own; in those cases, the port scan events should trigger an alert directly, without a correlation rule.

Audience: This rule is intended for organizations that are concerned with monitoring port scans.

Reference Material:
- Existing correlation rule NIC003
- Event definitions within RSA enVision

Requirements

Device Class or Systems: This correlation rule supports the following event sources:

Device Class: Security.Firewall
Device Type: All

Technical Analysis

Rule Logic: This rule is a revised version of the existing correlation rule NIC003, which triggers on complete port scan events. The revised rule is based on any firewall events that carry port information and share the same source and target. IDS events are not used, as they primarily report complete port scan events, and those events should be alerted on directly, without requiring the correlation rule.

This rule detects port scans by monitoring any traffic detected by firewalls, the ports to which connections are being made, and the source from which the connections are coming. The new rule waits for 20 separate connections to 20 different ports from one source to one destination within five minutes. The five-minute time frame increases the likelihood of detecting scans that have been set up with a long wait period between new connection attempts. Modify the threshold if you receive a large number of false alarms.

In some cases, legitimate events may trigger this rule for users who connect through NAT. To address this issue, some of the events dealing specifically with NAT translation have been filtered out, specifically those pertaining to the Cisco PIX and ASA event sources.

When conditions trigger this correlation rule, you should do the following:
- Investigate the source IP address of the messages.
- Investigate the destination host that is being scanned to ensure that it is not vulnerable.
- Block the source at the firewall level immediately if any traffic is getting through.
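The following Python sketch, added here as an example and not taken from enVision or RSA, implements the counting described above: a sliding five-minute window per (source, destination) pair in which the number of distinct destination ports is tracked, with an alert when it reaches 20. The field names, the `nat-translation` tag used to stand in for the excluded Cisco PIX/ASA NAT translation messages, and the sample traffic are assumptions of the example; the sample includes one scan slow enough to stay inside the window, one too slow to ever reach 20 ports within it, a benign client, and a NAT burst that is skipped.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)
PORT_THRESHOLD = 20          # 20 distinct ports from one source to one destination


def is_nat_translation(event):
    """Stand-in for the Cisco PIX/ASA NAT translation messages the rule filters out;
    the 'nat-translation' tag is an assumption of this example."""
    return event.get("msg_type") == "nat-translation"


def detect_port_scans(events):
    """Sliding five-minute window per (src, dst); report when the distinct
    destination ports seen inside the window reach PORT_THRESHOLD."""
    recent = defaultdict(deque)   # (src, dst) -> (time, dport) entries, oldest first
    alerted = set()               # one alert per pair per run
    findings = []
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["device_class"] != "Security.Firewall" or is_nat_translation(ev):
            continue
        key = (ev["src"], ev["dst"])
        q = recent[key]
        q.append((ev["time"], ev["dport"]))
        while ev["time"] - q[0][0] > WINDOW:   # drop entries older than the window
            q.popleft()
        ports = {p for _, p in q}
        if len(ports) >= PORT_THRESHOLD and key not in alerted:
            alerted.add(key)
            findings.append({"src": key[0], "dst": key[1], "ports": sorted(ports),
                             "first": q[0][0], "last": ev["time"]})
    return findings


def make_sample():
    """Constructed firewall events; addresses and timings are invented."""
    t0 = datetime(2010, 7, 30, 12, 0, 0)

    def ev(sec, src, dst, dport, msg_type="deny"):
        return {"time": t0 + timedelta(seconds=sec), "device_class": "Security.Firewall",
                "src": src, "dst": dst, "dport": dport, "msg_type": msg_type}

    events = []
    # Slow scan: 20 ports, one every 12 seconds (228 s), fits inside the window.
    events += [ev(12 * i, "203.0.113.9", "10.0.0.5", 1 + i) for i in range(20)]
    # Slower scan: one port every 20 seconds; at most 16 distinct ports inside any window.
    events += [ev(20 * i, "203.0.113.10", "10.0.0.5", 1 + i) for i in range(20)]
    # Benign client cycling through three service ports: never 20 distinct ports.
    events += [ev(5 * i, "10.0.0.20", "10.0.0.5", (80, 443, 22)[i % 3]) for i in range(40)]
    # NAT translation messages (assumed tag) that would otherwise look like a scan.
    events += [ev(i, "10.0.0.1", "10.0.0.5", 40000 + i, "nat-translation") for i in range(25)]
    return events


if __name__ == "__main__":
    for f in detect_port_scans(make_sample()):
        print(f"{f['src']} -> {f['dst']}: {len(f['ports'])} ports between {f['first']} and {f['last']}")
```

Lengthening WINDOW catches slower scans at the cost of holding more state per pair; shortening it or raising PORT_THRESHOLD is the equivalent of the threshold change the text suggests for noisy environments.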

Quick Deployment

RSA enVision Configuration: This rule is designed to work with the default enVision configuration settings. The monitored event sources for the rule are the event sources of the Security.Firewall device class. After deploying the RSA enVision appliance in the target environment, you do not need to modify the rule.

CRL-00005-1.10

Overview

Name: Log Source Not Restarted After Reboot/Restart Command Issued Within 10 Minutes

Purpose: CRL-00005-1.10 determines if an event source on the network is unable to restart after being rebooted. The rule checks whether an event source generates any events after being rebooted and alerts if none arrive within ten minutes. This rule can minimize downtime in an enterprise environment by quickly identifying event sources that need attention.

This rule is a revision of the existing NIC005, NIC006, and NIC009 correlation rules, which are shipped with RSA enVision. The three existing rules determine if specific event sources (Cisco routers, switches, and Windows-based systems) are unable to restart. By combining these rules into one, and by making the rule more general, the revised rule can cover a broader set of event sources with less configuration required.

Audience: This rule is intended for organizations that are interested in minimizing downtime in their environments.

Reference Material:
- Existing correlation rule NIC005
- Existing correlation rule NIC006
- Existing correlation rule NIC009

Requirements

Device Class or Systems: This correlation rule supports all event sources that are part of the device group filter NIC_ALL.

Technical Analysis

Rule Logic: This rule detects system restart failures across a network. The rule uses a ten-minute threshold, based on empirical observations of the startup times of various event sources.

The rule is composed of two circuits:
- The first circuit, Reboot_Circuit, captures a message from an event source that is rebooting.
- The second circuit, Restart_Circuit, determines if the rebooting event source generates a message. The generation of any message indicates that the event source is back up in a running state. If there is no message from the event source matching the IP address captured by the first circuit within the ten-minute threshold, an alert is triggered.

When conditions trigger this rule, you should do the following:
- Confirm that the event source is not running, and notify the appropriate person.
- If the event source is running, investigate whether there is a network communication issue.
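The two circuits amount to an absence check: remember the IP of every source that reported a reboot, clear it on the next message from that IP, and alert for any IP still silent after ten minutes. The Python below is an added example of that logic, not RSA code; the event fields, the `System.Restart` category used as the reboot marker, the IP addresses, and the evaluation time passed as `now` are assumptions of the example. A source that came back only after the ten minutes had elapsed is reported too, since the alert would already have fired at the ten-minute mark.

```python
from datetime import datetime, timedelta

RESTART_GRACE = timedelta(minutes=10)   # the rule's ten-minute threshold


def is_reboot(event):
    """Reboot_Circuit selection. 'System.Restart' is an assumed category standing in
    for the per-device reboot/restart messages the rule matches."""
    return event["category"] == "System.Restart"


def find_failed_restarts(events, now):
    """Restart_Circuit: after a reboot message from an IP, any later message from
    that IP clears the condition. Return {ip: reboot_time} for sources that stayed
    silent for more than RESTART_GRACE; still-silent sources are judged against `now`."""
    pending = {}   # ip -> time of its most recent reboot message
    failed = {}
    for ev in sorted(events, key=lambda e: e["time"]):
        ip = ev["ip"]
        if is_reboot(ev):
            pending[ip] = ev["time"]       # (re)start the clock for this source
        elif ip in pending:
            if ev["time"] - pending[ip] > RESTART_GRACE:
                failed[ip] = pending[ip]   # came back, but the alert had already fired
            del pending[ip]                # any message clears the pending reboot
    for ip, t in pending.items():           # still silent at evaluation time
        if now - t > RESTART_GRACE:
            failed[ip] = t
    return failed


def make_sample():
    """Constructed events; IPs, categories and timings are invented for the example."""
    t0 = datetime(2010, 7, 30, 10, 0, 0)

    def ev(minute, ip, category):
        return {"time": t0 + timedelta(minutes=minute), "ip": ip, "category": category}

    events = [
        ev(0, "10.0.0.1", "System.Restart"),           # router: back within 3 minutes
        ev(3, "10.0.0.1", "Network.Link Up"),
        ev(5, "10.0.0.2", "System.Restart"),           # switch: nothing afterwards
        ev(2, "10.0.0.3", "System.Restart"),           # host: first message after 13 minutes
        ev(15, "10.0.0.3", "System.Service Started"),
        ev(16, "10.0.0.4", "System.Restart"),          # rebooted 4 minutes ago: still in grace
        ev(1, "10.0.0.5", "Auth.Successful Logins"),   # never rebooted: never tracked
    ]
    return events, t0 + timedelta(minutes=20)


if __name__ == "__main__":
    for ip, t in find_failed_restarts(*make_sample()).items():
        print(f"{ip}: rebooted at {t:%H:%M}, no message within {RESTART_GRACE}")
```

Because any message clears the condition, a collector that cannot reach a running source produces the same silence as a source that failed to boot; that is the false positive the note below describes.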

Quick Deployment

RSA enVision Configuration: This rule uses device classes rather than specific event sources to eliminate the need for configuration.

Note: False positives may occur if communication between the enVision Collector and the event source fails, because a source that is running but unreachable looks the same to the rule as one that never restarted.

CRL-00007-1.10

Overview

Name: Log Source Component Under Sustained High Temperature Conditions Over the Past 10 Minutes

Purpose: Correlation rule CRL-00007-1.10 inspects the temperature messages that event sources generate in an enterprise environment. The rule examines the temperature messages from various networking devices over a period of time.

This rule revises the default enVision correlation rule NIC007. The revised rule includes additional event sources to broaden the scope, such as more specific Cisco event sources and their ancillary equipment, such as power supplies. Additionally, a decay time of ten minutes is used to increase accuracy.

Audience: This rule allows you to determine if there are environmental, configuration, or loading problems on various network elements.

Reference Material:
- Existing correlation rule NIC007
- www.cisco.com
- www.nortel.com

Introduction: The rule detects that a log source or monitored event source has experienced sustained high temperature conditions in its internal components. This condition could indicate a hardware failure of one or more internal components of the log source (such as a system fan or an internal power supply) that directly contributes to the increased operating temperature. It could also indicate a problem with HVAC facilities. Sustained high temperature conditions could lead to denial of service and could impact the availability of critical business services.

When conditions trigger this correlation rule, you should do the following:
- Inform the log source owner. This situation requires immediate attention.
- Check the configuration and loading of the event source.
- Check the physical environment to see whether there has been an increase in ambient temperature or some other hardware-based failure.

Requirements

Device Class or Systems: This rule works with the default enVision configuration settings. The rule assumes that the network contains Cisco routers or switches, Foundry switches, NetApp event sources, Nortel event sources, or NetScreen event sources. The rule requires maintenance and configuration as you add or remove event sources.

Check that the thresholds are appropriate for your environment. Increasing the time period for this rule will affect the performance of the enVision appliance.

Technical Analysis

Rule Logic: This correlation rule is designed to detect high temperature conditions in various event sources. The rule contains five circuits, one for each of five manufacturers: Cisco, Foundry, NetApp, Nortel, and NetScreen. The statements in each circuit either operate in pairs, one detecting high temperature and the other resetting the high temperature alert, or, for event sources that do not have a high temperature reset message, operate independently to detect high temperature. To filter out message flooding, a 5 percent increase threshold is placed on message detection. This threshold is based on the minute baseline.

Quick Deployment

Event Source Configuration: This correlation rule supports the following devices:

Device Class: Network.Router
Device Type: Cisco Router/IOS Firewall (Catalyst 6000, Catalyst 4000, and other IOS-based routers and switches; specifically the c6k, c4k, ci, PS, RPS, and sys messages)

Device Class: Foundry Switch
Device Type: Foundry Switch

Device Class: NetApp
Device Type: NetApp

Device Class: Nortel
Device Type: Nortel WebOS

Device Class: NetScreen
Device Type: NetScreen

Rule Customization: This rule works with the default configuration settings of the enVision product. At least one of the supported event sources must be installed in the network environment.

CRL-00008

Name: Active SYNFlood Attack Detected by IDS-IPS or Firewall Devices

Purpose: Correlation rule CRL-00008 filters the SYNFlood events detected by security devices in an enterprise environment. This rule revises the default correlation rule NIC008, which is included with RSA enVision. The revised rule employs the SYNFlood events that were originally detected by the device, which makes it dependent upon specific environment settings.

When conditions trigger this correlation rule, you should do the following:
- Investigate whether there is a network problem.
- Investigate the source IP address or username of the events.
- Investigate the destination host that was the target of the attack and diagnose the potential impacts of the attack.
- Block traffic from the attacker.

Supported Devices: This correlation rule supports the following devices:

Device Class: Security.IDS
Device Types: Dragon IDS, ISS Realsecure, Cisco Secure IDS XML, Snort, Lancope StealthWatch, NFR NIDS

Device Class: Security.Firewall
Device Types: Secure Computing Sidewinder G2, Cyberguard Classic, Netscreen, SonicWALL-FW

Device Class: Network.Router
Device Type: Cisco Router/IOS Firewall

RSA enVision Configuration: This rule depends on the SYNFlood events that are fired by specific security devices. Modify this rule if you add new devices to your environment.

This rule detects SYNFlood attacks reported by IDS, IPS, and Firewall devices across the network. The rule is a more accurate version of the existing correlation rule NIC008. Not all of the messages that were used in developing the old rule are related to SYNFlood attack activity: some messages related to the vulnerability assessment engine of the IDS and IPS devices were mistakenly used as an indication of an active SYNFlood attack. In the revised rule, specific devices within the security.IDS, security.IPS, security.Firewall, and network.Router device classes are specified as the monitored devices.

The event category Attacks.Denial of Service.Resource Starvation is used as the major category of this correlation rule.

A 10 percent increase from the minute baseline triggers the alert.

CRL-00010-1.00

Overview

Name: Multiple Login Attempts To a Security Device

Purpose: Correlation rule CRL-00010-1.00 inspects the events detected by any event source on your network. The rule examines all failed logon events to the security event sources that monitor the network.

This rule revises the default enVision correlation rule NIC010. The revised rule includes all event sources, rather than just NetScreen, to keep the maintenance and configuration requirements low.

Audience: The audience for this rule is organizations that want to monitor attempts to access the security event sources that monitor their network.

Reference Material: Existing correlation rule NIC010.

Introduction: The current revision of this correlation rule specifies five failed logon attempts in a sixty-second time period as an indication of an attack. If you experience a large number of false alarms, you need to modify this threshold.

When conditions trigger this correlation rule, you should do the following:
- Investigate the source IP address and user name of the messages.
- Investigate the destination host that refuses access.
- Monitor the source of these events closely, along with the user name that is used to log on to the event source. Verify whether the source of these events should have access to the event source.

Requirements

Device Class or Systems: This rule works with the default enVision configuration settings. The rule uses device classes rather than specific event sources, so the rule works with all event sources. You do not need to modify the rule to add or remove event sources.

Technical Analysis

Rule Logic: This correlation rule detects several logon attempts to a security event source on the network. The premise behind this rule is that all events of interest to this rule fall under the following event categories:
- Auth.Errors
- Any event category that starts with Auth.Failures
- Any event category that starts with Auth.Successful
- User.Activity.Failed Logins
- User.Activity.Successful Logins

Multithreading is used to enhance the performance of the rule. The work is partitioned on the following variables:
- enVision Device IP Address
- enVision Site

False Positive/Negative Mitigation: A tighter threshold, such as four failed logons in the same time period, may result in excessive false alarms, and a looser threshold, such as six failed logons in the same time period, may result in overlooking a password-based attack that is threatening your network. Increasing the time period for this rule will affect the performance of the enVision appliance.

Quick Deployment

Event Source Configuration: This correlation rule supports the following devices.

Device Class: NIC_ALL
Device Type: All

Rule Customization: This rule works with the default configuration settings of enVision. All event sources are utilized in this rule. You do not need to modify the rule to add or remove event sources.

Page 40: enVision_CRL_rules.pdf

zzRSA enVision Correlation Rules

CRL-00011-01

Overview

NamePossible Successful Brute Force Attack Detected

Purpose

Correlation rule CRL-00011-01 detects a brute force password attack occurring against an event source. The rule correlates a number of failed logons with a successful logon to a specific account.

Audience

The audience for this rule is organizations that want to monitor failed and successful logons that could signal a brute force attack.

Reference Material

l Existing correlation rule CRL-00011

l www.ultimatewindowssecurity.com

Introduction

This rule correlates a number of failed logons with a successful logon to a specific account. The rule uses a combination of event categories and messages to detect a brute force attempt. The rule also uses specific thresholds and cached variables. You may need to adjust thresholds if activity on the network changes. Because the Windows Event circuit uses specific messages, you may need to add new messages for subsequent versions of Windows.

Each device class uses specific thresholds to determine if a brute force attack is occurring. You may

need to modify these thresholds depending on your network.

Upon triggering the conditions of the current correlation rule, the following action should be performed:

l Investigate the source IP address or username of the messages

Requirements

Device Class or Systems

Each device class uses specific thresholds to determine if a brute force attack is occurring. You may need to modify these thresholds to meet the needs of your network. You may also need to adjust the decay time, based on the environment.


Technical Analysis

Rule Logic

This rule contains two circuits. The first circuit, Grab Failed Events, captures the failed logon attempts. The circuit contains four statements, one for each group of event sources. The first statement relates to the enVision appliance. The second statement is for Windows-based event sources, and the third is for UNIX event sources. Finally, there is a statement for Security event sources, which includes Firewall, IDS, IPS, and VPN event sources. Each of these statements has a specific threshold, for example, three events within 181 seconds for Security event sources, that the rule uses to determine if a brute force attack is occurring. When the condition has been satisfied, a cached variable is set, capturing the user name being exploited for the attack.

The next circuit, Get successful with cache, determines if a successful logon has occurred. This circuit compares the user name of the successful logon with the user name of the failed attempts cached by the first circuit. To minimize false positives, the rule uses multithreading based on the source address of the event, so the failed attempts and the successful logon are correlated per source address. The circuits must fire within thirty-one minutes to generate an alert.

The rule uses a number of thresholds to determine if a brute force attack is occurring. You may need to

alter these thresholds, based on the network environment. You may also need to adjust the decay time,

based on the environment.

Because the rule is based on event categories, it will only be as accurate as the parsers. If messages are

categorized incorrectly, the rule has no way of accounting for them.
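The two-circuit logic above, as an added example written for this page and not enVision's own rule engine or rule export: failed logons are counted per source address (the multithreading variable) and per user name until the threshold for that device-class statement is met, the user name is then cached, and a later successful logon for the same user from the same source within 31 minutes raises the alert. Only the Security threshold (3 in 181 seconds) comes from the page; the other thresholds, the pipe-delimited sample line format, and all addresses and user names are constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Per-statement thresholds: (failed logons, window in seconds). Only the
# Security value (3 in 181 s) comes from the page; the others are assumed
# placeholders that must be tuned for the environment.
FAILED_THRESHOLDS = {
    "Network.System": (5, 300),
    "Host.Windows": (5, 300),
    "Host.Unix": (5, 300),
    "Security": (3, 181),
}
SUCCESS_WINDOW = timedelta(minutes=31)  # both circuits must fire within 31 minutes

FAILED_CATEGORIES = ("Auth.Failures", "User.Activity.Failed Logins")
SUCCESS_CATEGORIES = ("Auth.Successful", "User.Activity.Successful Logins")


def circuit_statement(device_class):
    """Map an enVision device class to the circuit statement that handles it.
    Firewall, IDS, IPS, VPN and Access Control all share the Security statement."""
    return "Security" if device_class.startswith("Security.") else device_class


class BruteForceCorrelator:
    def __init__(self, thresholds=FAILED_THRESHOLDS, success_window=SUCCESS_WINDOW):
        self.thresholds = thresholds
        self.success_window = success_window
        # Circuit 1 state, threaded by source address: (src, statement, user) -> failure times
        self.failures = defaultdict(deque)
        # Cached variable set by circuit 1: src -> {user: time the threshold was reached}
        self.cache = defaultdict(dict)

    def feed(self, ev):
        """Process one categorized event; return an alert dict or None."""
        ts, src, user, cat = ev["time"], ev["src_ip"], ev["user"], ev["category"]
        stmt = circuit_statement(ev["device_class"])

        if cat.startswith(FAILED_CATEGORIES):
            if stmt not in self.thresholds:
                return None  # device class not covered by any circuit statement
            needed, window = self.thresholds[stmt]
            times = self.failures[(src, stmt, user)]
            times.append(ts)
            while times and (ts - times[0]).total_seconds() > window:
                times.popleft()  # drop failures that fell out of the sliding window
            if len(times) >= needed:
                self.cache[src][user] = ts  # cache the user name being attacked
                times.clear()
            return None

        if cat.startswith(SUCCESS_CATEGORIES):
            # Circuit 2: successful logon for a cached user from the same source address
            reached = self.cache[src].pop(user, None)
            if reached is not None and timedelta(0) <= ts - reached <= self.success_window:
                return {"src_ip": src, "user": user, "device_class": ev["device_class"],
                        "threshold_reached": reached, "success": ts}
        return None


def parse(line):
    """Parse one constructed sample line: time|device_class|category|src_ip|user."""
    t, dev, cat, src, user = line.split("|")
    return {"time": datetime.fromisoformat(t), "device_class": dev,
            "category": cat, "src_ip": src, "user": user}


def run(lines):
    """Replay sample lines in time order and collect the alerts raised."""
    events = sorted((parse(ln) for ln in lines if ln.strip()), key=lambda e: e["time"])
    corr = BruteForceCorrelator()
    return [a for a in (corr.feed(e) for e in events) if a]


# Constructed sample: only the first pattern (3 failures in 90 s, success 18 min
# later) should alert; the second has too few failures, the third succeeds too late.
SAMPLE = """\
2010-07-30T10:00:00|Security.VPN|Auth.Failures|10.0.0.5|jdoe
2010-07-30T10:00:40|Security.VPN|Auth.Failures|10.0.0.5|jdoe
2010-07-30T10:01:30|Security.VPN|Auth.Failures.User Errors|10.0.0.5|jdoe
2010-07-30T10:20:00|Security.VPN|Auth.Successful|10.0.0.5|jdoe
2010-07-30T10:00:00|Security.Firewall|Auth.Failures|10.0.0.9|asmith
2010-07-30T10:00:05|Security.Firewall|Auth.Failures|10.0.0.9|asmith
2010-07-30T10:00:30|Security.Firewall|Auth.Successful|10.0.0.9|asmith
2010-07-30T11:00:00|Security.VPN|Auth.Failures|10.0.0.7|jdoe
2010-07-30T11:00:10|Security.VPN|Auth.Failures|10.0.0.7|jdoe
2010-07-30T11:00:20|Security.VPN|Auth.Failures|10.0.0.7|jdoe
2010-07-30T11:45:00|Security.VPN|Auth.Successful|10.0.0.7|jdoe
"""

if __name__ == "__main__":
    for alert in run(SAMPLE.splitlines()):
        print(alert)
```

Because the state is keyed by source address, the same user failing from one address and succeeding from another does not alert; that is the trade-off the page describes when it says threading by source address minimizes false positives. A distributed password spray therefore needs a different rule.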

Quick Deployment

Event Source Configurations

This correlation rule supports the following devices.

Device Class Device Type

Network.System/NIC System All

Host.Windows Hosts All

Host.Unix All

Security.Access Control All

Security.Firewall All

Security.IDS All

Security.IPS All

Security.VPN All


Rule Customization

This rule works with the default configuration settings of the enVision product. With the exception of Windows event sources, the rule uses device classes, reducing the amount of configuration. At least one supported event source is required for this rule to function.


CRL-00011-1.00

Name

Several Failed Logins Followed by a Successful Login

Purpose

Correlation rule CRL-00011-1.00 examines the failed and successful login attempts detected by firewall-class devices for indications of password-based attacks. The need for this rule arises from the potential for various password-based attacks, such as brute force attacks, that can occur in an enterprise-sized network.

This rule revises the default enVision correlation rule NIC011. The existing correlation rule NIC011 is

triggered by failed login activities followed by any activity. The revised rule monitors for successful

logins after the failed login. The revised rule employs device classes rather than specific devices to keep

the maintenance and configuration requirements low.

When conditions trigger this correlation rule, the following action should be performed: Check the user, source, and the device to ensure that this user should be allowed to access this firewall.

Supported Devices

This correlation rule supports the following device:

Device Class Device Type

Security.Firewall All

RSA enVision Configuration

This rule works with the default enVision configuration settings. The monitored devices for the rule are composed of the firewall-class devices, so the rule is not dependent on any specific device. Upon deployment, no further modification of the rule is needed.

This rule detects several login failures reported by firewall devices followed by a successful login from the same device. The rule is meant to detect malicious failed login activity across the network. Events in the Auth.Failures category followed by an event in the Auth.Successful category are used to filter the event activity.

The revised rule specifies 5 failed login attempts in a 60-second time period followed by a successful login as an indication of an attack. Modify the threshold if you receive a large number of false alarms.

A tighter threshold, such as 4 failed logins in the same time period, may result in excessive false alarms,

and a looser threshold, such as 6 failed logins in the same time period, may result in overlooking a

password-based attack that is threatening the monitored environment.

Increasing the time period for this rule will affect the performance of the enVision appliance.


CRL-00012

Name

Attacks Exploiting Microsoft Directory Service Vulnerability Detected by IPS-IDS Devices

Purpose

Correlation rule CRL-00012 filters events from IDS and IPS-class devices and triggers upon detecting an attack that exploits a vulnerability in the Microsoft Directory Service product.

This rule revises the default enVision correlation rule NIC012. The revised rule employs device classes

rather than specific devices in order to keep the maintenance and configuration requirements low.

Additionally, confidence level filtering is employed in order to enhance the accuracy of the rule.

When conditions trigger this correlation rule, the following actions should be performed:

l Identify the source of the attack and block traffic from the source.

l Identify the target host of the attack and apply the vendor-supplied patch to eliminate the

vulnerability.

l Restrict access to the affected service for trusted hosts.

l Investigate the destination host that was the target of the attack and diagnose potential impacts of

the attack.

Supported Devices

This correlation rule supports the following devices:

Device Class Device Type

Security.IDS All

Security.IPS All

RSA enVision Configuration

This rule works with the default enVision configuration settings. This correlation rule is a revised version of the existing correlation rule NIC012, which is designed to trigger on detection of attack attempts exploiting Microsoft Directory Service. Unlike the existing rule NIC012, which is based on specific device types, the revised rule monitors the Security.IDS and Security.IPS device classes. When enVision is deployed, further modification of the revised rule is not needed.

The correlation rule NIC012 uses a traffic burst on port 445 as an indication of attack. This assumption makes the rule inaccurate, so the revised rule filters events with the event category mask Attacks.* that have port 445 as the destination port.


Using the confidence level filtering to “Filter out messages with low or medium Confidence” increases

the accuracy of the rule and reduces the number of false alarms. A threshold is set on the number of

incoming events. In the current revision of this rule, a 10% increase from the minute baseline is specified

as the triggering condition.

The event category Attacks.Access is used as the major category of this correlation rule. The

Attacks.Denial of Service category can be used as an alternative.


CRL-00013

Name

Unusual Number of Failed User Login Attempts via Remote Connections to the Same Event Destination

Purpose

Correlation rule CRL-00013 detects any failed login event and checks to see if the login type was a remote login to the event destination. This correlation could indicate a brute force attack on an internal asset from a remote location.

This rule is a revised version of the default enVision correlation rule NIC027, which is designed to trigger on malicious user login activities. Unlike the existing rule NIC027, which is based on specific device types, the revised rule monitors a wider class of devices and a more specific login type, remote logins only.

When conditions trigger this correlation rule, the following actions should be performed:

l Evaluate the number of times that a particular user attempts to log in to the event destination.

Determining the source of the failed attempt will assist in assessing the action’s severity.

l Investigate the source IP address and username of the messages.

l Investigate the destination host that refuses access.

Supported Devices

This correlation rule supports the following devices:

Device Class | Device Type | Description

NIC_ALL | All | All devices are supported; however, given the nature of Windows events, special emphasis was placed on these events.

RSA enVision Configuration

This rule detects any failed login event and checks to see if the login type was a remote login to the event destination. It also looks for occurrences that happen above the normal baseline of the network. This correlation could indicate a brute force attack on an internal asset from a remote location or just from another computer system internal to the network.

The threshold for this correlation is set to a default of 20% above the hour baseline. Adjust this

percentage to ensure that it does not fire too often. For instance, setting the threshold too low could cause

this correlation to start firing a large number of times as users begin logging in to systems during peak

business hours.

Increasing the time period for this rule will affect the performance of the enVision appliance.
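The baseline thresholds used by CRL-00012 (a 10% increase over the minute baseline for Attacks.* events to destination port 445, with low- and medium-confidence messages filtered out) and by this rule (20% over the hour baseline for remote login failures) are the same kind of test with different parameters. The following is an added example written for this page, not enVision's own baselining code: the page does not say how enVision computes a baseline, so this example assumes the mean of the previous three buckets of the same size, and the sample IDS events (addresses, counts, confidence values, field names) are constructed.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

EPOCH = datetime(1970, 1, 1)


def bucket_start(ts, seconds):
    """Align a naive timestamp to the start of its minute or hour bucket."""
    elapsed = int((ts - EPOCH).total_seconds())
    return elapsed - elapsed % seconds


def crl00012_selector(ev):
    """CRL-00012: Attacks.* category mask, destination port 445, and the
    'Filter out messages with low or medium Confidence' setting."""
    return (ev["category"].startswith("Attacks.")
            and ev.get("dst_port") == 445
            and ev.get("confidence") == "high")


def crl00013_selector(ev):
    """CRL-00013: failed logins whose login type is remote."""
    return (ev["category"].startswith(("Auth.Failures", "User.Activity.Failed Logins"))
            and ev.get("login_type") == "remote")


def baseline_alerts(events, selector, bucket_seconds, pct_increase,
                    history=3, min_count=1, key=lambda ev: ev["dst_ip"]):
    """Count selected events per (key, bucket) and alert on any bucket that is
    more than pct_increase percent above the mean of the previous `history`
    buckets (ASSUMED baseline definition). Empty buckets count as zero, so a
    burst after a quiet period is compared against that quiet baseline;
    min_count keeps a zero baseline from alerting on a single stray event."""
    counts = defaultdict(Counter)
    for ev in events:
        if selector(ev):
            counts[key(ev)][bucket_start(ev["time"], bucket_seconds)] += 1

    alerts = []
    for k, series in counts.items():
        first, last = min(series), max(series)
        b = first + history * bucket_seconds  # need `history` buckets of context first
        while b <= last:
            current = series.get(b, 0)
            prior = [series.get(b - i * bucket_seconds, 0) for i in range(1, history + 1)]
            baseline = sum(prior) / history
            if current >= min_count and current > baseline * (1 + pct_increase / 100):
                alerts.append({"key": k, "bucket": EPOCH + timedelta(seconds=b),
                               "count": current, "baseline": baseline})
            b += bucket_seconds
    return alerts


def crl00012_alerts(events):
    return baseline_alerts(events, crl00012_selector, 60, 10)


def crl00013_alerts(events):
    return baseline_alerts(events, crl00013_selector, 3600, 20)


def sample_ids_events():
    """Constructed IDS events: host 192.0.2.10 sees 10 high-confidence SMB attack
    events per minute for three minutes and 12 in the fourth (a 20% rise), plus 20
    low-confidence events in the third minute that the confidence filter must drop;
    host 192.0.2.20 sees a steady 5 per minute and must not alert."""
    base = datetime(2010, 7, 30, 9, 0, 0)
    events = []
    for minute, n in enumerate([10, 10, 10, 12]):
        for i in range(n):
            events.append({"time": base + timedelta(minutes=minute, seconds=4 * i),
                           "category": "Attacks.Access", "dst_ip": "192.0.2.10",
                           "dst_port": 445, "confidence": "high"})
    for i in range(20):
        events.append({"time": base + timedelta(minutes=2, seconds=i),
                       "category": "Attacks.Access", "dst_ip": "192.0.2.10",
                       "dst_port": 445, "confidence": "low"})
    for minute in range(4):
        for i in range(5):
            events.append({"time": base + timedelta(minutes=minute, seconds=10 * i),
                           "category": "Attacks.Access", "dst_ip": "192.0.2.20",
                           "dst_port": 445, "confidence": "high"})
    return events


if __name__ == "__main__":
    for alert in crl00012_alerts(sample_ids_events()):
        print(alert)
```

The same function with `crl00013_selector`, hour buckets and 20% reproduces this rule; swapping the selector for one that keys on login type "local" or on a service-account watchlist gives the CRL-00013-01 and CRL-00013-02 variants. The `history` length is what decides how fast the baseline forgets a previous burst, and it is the parameter to watch when the rule fires at the start of business hours as the page warns.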


For all devices, except Windows, no maintenance or extension is needed as the rules are based on

categories and collected IP addresses. If a new collection method is created for Windows Security Logs,

you must extend this rule to cover those events.


CRL-00013-01

Name

Numerous Failed User Login Attempts Locally to the Same Event Source

Purpose

Correlation rule CRL-00013-01 detects any failed login event that occurs on a local machine and checks the frequency of such events against the normal baseline for the entire network. This correlation could indicate a brute force attack on an internal asset.

This rule is a revised version of the default enVision correlation rule NIC027, which triggers on malicious user login activities. Unlike the existing rule NIC027, which is based on specific device types, the revised rule monitors a wider class of devices and a more specific login type, local logins only.

When conditions trigger this correlation rule, the following actions should be performed:

l Evaluate the number of occurrences of a particular user attempting to log in to the event source.

Determine the source of the failed attempt as this will assist in the assessment of this action's

severity.

l Investigate the source IP address and username of the messages.

l Investigate the host that refuses access.

Supported Devices

This correlation rule supports the following device:

Device Class | Device Type | Description

NIC_ALL | All | All devices are supported; however, given the nature of Windows events, special emphasis was placed on these events.

RSA enVision Configuration

This rule detects any type of failed login event, checks to see if the login type was a local login to the event destination, and compares the number of such events with the normal baseline of the network. This correlation could indicate a brute force attack on an internal asset.

The threshold for this correlation is set to a default of 2% above the hour baseline. Adjust this percentage

to ensure that it does not fire too often. For instance, setting the threshold too low could cause this

correlation to start firing a large number of times as users begin logging in to systems during peak

business hours.

Increasing the time period for this rule will affect the performance of the enVision appliance.


For all devices except Windows, no maintenance or extension is needed, as the rules are based on categories and collected IP addresses. If a new collection method is created for Windows Security Logs, you must extend this rule to cover those events.


CRL-00013-02

Name

Numerous Failed Service Account Login Attempts to the Same Event Source

Purpose

Correlation rule CRL-00013-02 detects any type of failed login event by a service account and checks the frequency of such events against the normal baseline of the entire network. This correlation could indicate that a service is incorrectly configured.

This rule is a revised version of the default enVision correlation rule NIC027, which is designed to trigger on malicious user login activities. Unlike the existing rule NIC027, which is based on specific device types, the revised rule monitors a wider class of devices and a more specific login type, service logins only.

When conditions trigger this correlation rule, the following actions should be performed:

l Check to see if a Service Account was set up incorrectly. This is most likely due to a password

mismatch, or the Service Account might have been disabled. Corrective actions on the Event

Source are required. Escalate as necessary.

l Investigate the source IP address and username of the messages.

l Investigate the host that refuses access.

Supported Devices

This correlation rule supports the following device:

Device Class | Device Type | Description

NIC_ALL | All | All devices are supported; however, given the nature of Windows events, special emphasis was placed on these events.

RSA enVision Configuration

This rule detects any type of failed login event and inspects whether the login was from a service account. It also compares the occurrences with a baseline and determines if the number of failed logins is above the normal levels for the network. This correlation could indicate an incorrectly configured service.

Service accounts are based on discovered usernames within a message and matched against a Service

User Names watchlist. This watchlist needs to be expanded if other service accounts are used.

The threshold for this correlation is set to a default of 2% above the hour baseline. Adjust this percentage to ensure that it does not fire too often. For instance, setting the threshold too low could cause this correlation to start firing a large number of times as users begin logging in to systems during peak business hours. Also, to ensure that it does fire properly, update the Service User Names watchlist with any additional non-Windows service usernames.

Increasing the time period for this rule will affect the performance of the enVision appliance.

For all devices except Windows, no maintenance or extension is needed, as the rules are based on categories and collected IP addresses. For Windows Security Logs, if a new collection method is created, this rule will need to be extended to cover those events. To ensure that the correlation fires properly, verify that every service account used to start or stop services is in the watchlist.

Note: This rule requires the Service User Names watchlist. You can download sample watchlist files

from RSA SecurCare Online, import the data, and edit the default values as needed.


CRL-00013-04

Name

Increase in Failed Remote Login Attempts Detected

Purpose

Correlation rule CRL-00013-04 detects whether there have been numerous failed logins using remote protocols such as SSH/SCP, HTTP, Telnet, or Remote Desktop.

When conditions trigger this correlation rule, the following action should be performed: Evaluate the

number of occurrences of a particular user attempting to log in to the event source. Determine the source

of the failed attempt as this will assist in the assessment of this action’s severity.

Supported Devices

This correlation rule supports the following devices:

Device Class | Device Type | Description

Windows.Hosts | Windows Events (BL, ER, NIC, Snare) | Not applicable

Host.Unix | All | Auth.Failures, Auth.Failures.User Errors, User.Activity.Failed Logins

Security.Firewall | All | Auth.Failures, Auth.Failures.User Errors, User.Activity.Failed Logins

Security.IDS | All | Auth.Failures, Auth.Failures.User Errors, User.Activity.Failed Logins

Security.IPS | All | Auth.Failures, Auth.Failures.User Errors, User.Activity.Failed Logins

Security.VPN | All | Auth.Failures, Auth.Failures.User Errors, User.Activity.Failed Logins

Network.Switch | All | Auth.Failures, Auth.Failures.User Errors, User.Activity.Failed Logins

Network.Router | All | Auth.Failures, Auth.Failures.User Errors, User.Activity.Failed Logins

Storage.Storage | All | Auth.Failures, Auth.Failures.User Errors, User.Activity.Failed Logins


RSA enVision Configuration

This rule is designed to work with the default enVision configuration settings. The rule uses device classes and all four Windows log-gathering techniques. The rule requires minimal maintenance.

To prevent a flood of events, several thresholds have been implemented. These thresholds require

adjustment depending on your environment.


CRL-00013-05

Name

Increase in Failed Interactive User Logins Detected

Purpose

Correlation rule CRL-00013-05 detects whether there have been numerous interactive failed logins to an event source.

When conditions trigger this correlation rule, the following action should be performed: Evaluate the

number of occurrences of a particular user attempting to log in to the event source. Determine the source

of the failed attempt as this will assist in the assessment of this action's severity.

Supported Devices

This correlation rule supports the following devices:

Device Class | Device Type | Description

Windows.Hosts | Windows Events (BL, ER, NIC, Snare) | Not applicable

Host.Unix | All | Auth.Failures, Auth.Failures.User Errors, User.Activity.Failed Logins

Security.Firewall | All | Auth.Failures, Auth.Failures.User Errors, User.Activity.Failed Logins

Security.IDS | All | Auth.Failures, Auth.Failures.User Errors, User.Activity.Failed Logins

Security.IPS | All | Auth.Failures, Auth.Failures.User Errors, User.Activity.Failed Logins

Security.VPN | All | Auth.Failures, Auth.Failures.User Errors, User.Activity.Failed Logins; Juniper SSL VPN messages 000501, 000600, 000500

Network.Switch | All | Auth.Failures, Auth.Failures.User Errors, User.Activity.Failed Logins

Network.Router | All | Auth.Failures, Auth.Failures.User Errors, User.Activity.Failed Logins


Storage.Storage | All | Auth.Failures, Auth.Failures.User Errors, User.Activity.Failed Logins

Storage.Database | All | Auth.Failures, Auth.Failures.User Errors, User.Activity.Failed Logins

Security.Access Control | All | Auth.Failures, Auth.Failures.User Errors, User.Activity.Failed Logins

Network.Wireless Devices | All | Auth.Failures, Auth.Failures.User Errors, User.Activity.Failed Logins

Network.System | All | Auth.Failures, Auth.Failures.User Errors, User.Activity.Failed Logins

Network.Configuration Management | All | Auth.Failures, Auth.Failures.User Errors, User.Activity.Failed Logins

Host.Web Logs | All | Auth.Failures, Auth.Failures.User Errors, User.Activity.Failed Logins

Host.Mail Servers | All | Auth.Failures, Auth.Failures.User Errors, User.Activity.Failed Logins

Host.Mainframe | All | Auth.Failures, Auth.Failures.User Errors, User.Activity.Failed Logins

Host.Midrange | iSeries | Auth.Failures, Auth.Failures.User Errors, User.Activity.Failed Logins

Host.Application Servers | All | Auth.Failures, Auth.Failures.User Errors, User.Activity.Failed Logins

RSA enVision Configuration

This rule works with the default enVision configuration settings. The rule uses a mix of device classes and specific device messages. The rule requires maintenance if additional devices are added to your network; however, this rule employs device classes rather than specific devices, which greatly reduces the predeployment configuration effort.

Note: This rule requires the Known Service Accounts and Known Vendor Accounts watchlists. You can

download sample watchlist files from RSA SecurCare Online, import the data, and edit the default

values as needed.


CRL-00013-06

Name

Increase in Failed Service Account Logins Detected

Purpose

Correlation rule CRL-00013-06 detects whether there have been numerous failed service account logins to an event source.

When conditions trigger this correlation rule, the following action should be performed: Evaluate the

number of occurrences of a particular user attempting to log in to the event source. Determine the source

of the failed attempt as this will assist in the assessment of this action's severity.

Supported Devices

This correlation rule supports the following devices:

Device Class | Device Type | Description

Windows.Hosts | Windows Events (BL, ER, NIC, Snare) | Not applicable

Host.Unix | All | Auth.Failures, Auth.Failures.User Errors, User.Activity.Failed Logins

Security.Firewall | All | Auth.Failures, Auth.Failures.User Errors, User.Activity.Failed Logins

Security.IDS | All | Auth.Failures, Auth.Failures.User Errors, User.Activity.Failed Logins

Security.IPS | All | Auth.Failures, Auth.Failures.User Errors, User.Activity.Failed Logins

Security.VPN | All | Auth.Failures, Auth.Failures.User Errors, User.Activity.Failed Logins; Juniper SSL VPN messages 000501, 000600

Network.Switch | All | Auth.Failures, Auth.Failures.User Errors, User.Activity.Failed Logins

Network.Router | All | Auth.Failures, Auth.Failures.User Errors, User.Activity.Failed Logins


Storage.Storage | All | Auth.Failures, Auth.Failures.User Errors, User.Activity.Failed Logins

Storage.Database | All | Auth.Failures, Auth.Failures.User Errors, User.Activity.Failed Logins

Security.Access Control | All | Auth.Failures, Auth.Failures.User Errors, User.Activity.Failed Logins

Network.Wireless Devices | All | Auth.Failures, Auth.Failures.User Errors, User.Activity.Failed Logins

Network.System | All | Auth.Failures, Auth.Failures.User Errors, User.Activity.Failed Logins

Network.Configuration Management | All | Auth.Failures, Auth.Failures.User Errors, User.Activity.Failed Logins

Host.Web Logs | All | Auth.Failures, Auth.Failures.User Errors, User.Activity.Failed Logins

Host.Mail Servers | All | Auth.Failures, Auth.Failures.User Errors, User.Activity.Failed Logins

Host.Mainframe | All | Auth.Failures, Auth.Failures.User Errors, User.Activity.Failed Logins

Host.Midrange | iSeries | Auth.Failures, Auth.Failures.User Errors, User.Activity.Failed Logins

Host.Application Servers | All | Auth.Failures, Auth.Failures.User Errors, User.Activity.Failed Logins

RSA enVision Configuration

This rule is designed to work with the default configuration settings of the enVision product. The rule uses a mix of device classes and specific device messages. The rule requires maintenance if additional devices are added to your network; however, this rule employs device classes rather than specific devices, which greatly reduces the predeployment configuration effort.

Note: This rule requires the Known Service Accounts and Known Vendor Accounts watchlists. You can

download sample watchlist files from RSA SecurCare Online, import the data, and edit the default

values as needed.


CRL-00014

Name

Low-Privileged or Guest Account Added to Administrative Group

Purpose

Correlation rule CRL-00014 inspects events from any device for users being added to a group. The username and group name are then checked against two watchlists that contain the known administrators and the groups with administrative privileges assigned to them. A non-administrative user being added to one of these groups may indicate malicious privilege escalation activity.

This rule revises the default enVision correlation rule NIC031. The revised rule employs device classes

and event categorization rather than specific devices and events. This keeps the maintenance and

configuration requirements low.

When conditions trigger this correlation rule, the following actions should be performed:

l Determine whether this was an expected change. If it was not an expected change, identify the source of this event, remove the low-level account from the administrative group, and disable access for the user who initiated the change.

l Investigate the source IP address or username of the messages. Multiple failed login events from a

single IP address may indicate a password-based attack, such as a dictionary-based password-

guessing attack.

l Investigate the destination host that refuses access. This might be an indication of a problematic

service.

Supported Devices

This correlation rule supports the following devices:

Device Class Device Type

NIC_ALL All

RSA enVision Configuration

This rule is designed to work with the default enVision configuration settings. The monitored devices for the rule are composed of any device that has events classified under User.Management.Groups.Modification.User Added. When enVision is deployed, further modification of the rule is not needed.


This rule is a revised version of the existing correlation rule NIC031, which is designed to trigger on

malicious user login activities. Unlike the existing rule NIC031, which is based on specific device types,

the revised rule monitors the wider class of devices.

This correlation needs two watchlists that require constant updating to prevent false positives. The

Administrative Groups watchlist holds all group names or IDs that are associated with administrative

groups. The Administrative Users watchlist contains all of the existing administrative usernames.

Note: You can download sample watchlist files from RSA SecurCare Online, import the data, and edit

the default values as needed.

This rule escalates any event that indicates that a non-administrator user has been added to an

administrative group from any device. The events that indicate this must be classified as

User.Management.Groups.Modification.User Added for this rule to fire properly.

Due to the severity of this event, this rule immediately escalates any event that matches the criteria

without any correlation across several devices.
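The watchlist check this rule performs, as an added example written for this page rather than enVision's own watchlist implementation. The point it adds to the text is normalization: the Administrative Users watchlist will not match if one event source reports CORP\jdoe and another jdoe@corp.example, and the Administrative Groups watchlist may hold a group by name or by ID (a Windows SID), so both forms are folded to one key before the lookup. The watchlist entries, event field names and sample events are constructed; the category name used for the negative "User Removed" case is also an assumption.

```python
import re

SID_RE = re.compile(r"S-1-\d+(?:-\d+)+", re.IGNORECASE)

# Constructed stand-ins for the Administrative Groups and Administrative Users
# watchlists the rule requires (sample files come from RSA SecurCare Online;
# these entries are assumptions for the example).
ADMINISTRATIVE_GROUPS = {"Domain Admins", "Administrators", "S-1-5-32-544", "wheel"}
ADMINISTRATIVE_USERS = {"Administrator", "CORP\\jdoe"}

GROUP_ADD_CATEGORY = "User.Management.Groups.Modification.User Added"


def normalize_user(name):
    """Reduce CORP\\jdoe, jdoe@corp.example and JDoe to the same key 'jdoe'."""
    name = name.rsplit("\\", 1)[-1].split("@", 1)[0]
    return name.strip().lower()


def normalize_group(name):
    """Groups may be listed by name or by ID: keep SIDs upper-cased as-is,
    strip any domain prefix from names and lower-case them."""
    name = name.strip()
    if SID_RE.fullmatch(name):
        return name.upper()
    return name.rsplit("\\", 1)[-1].lower()


class AdminGroupWatch:
    def __init__(self, admin_groups, admin_users):
        self.groups = {normalize_group(g) for g in admin_groups}
        self.users = {normalize_user(u) for u in admin_users}

    def evaluate(self, ev):
        """Return an escalation when a non-administrative user is added to an
        administrative group, else None. A single event is enough: there is no
        correlation across devices, as the rule description states."""
        if ev["category"] != GROUP_ADD_CATEGORY:
            return None
        group, user = normalize_group(ev["group"]), normalize_user(ev["user"])
        if group not in self.groups or user in self.users:
            return None
        return {"severity": "high", "device": ev["device"], "group": group,
                "user": user, "actor": normalize_user(ev.get("actor", ""))}


# Constructed events in the shape a parser would hand the rule (field names assumed).
SAMPLE_EVENTS = [
    {"device": "winevent-dc1", "category": GROUP_ADD_CATEGORY,
     "group": "CORP\\Domain Admins", "user": "CORP\\tsmith", "actor": "CORP\\jdoe"},
    {"device": "winevent-dc1", "category": GROUP_ADD_CATEGORY,
     "group": "S-1-5-32-544", "user": "jdoe@corp.example", "actor": "Administrator"},
    {"device": "rhlinux-web1", "category": GROUP_ADD_CATEGORY,
     "group": "wheel", "user": "guest", "actor": "root"},
    {"device": "rhlinux-web1", "category": GROUP_ADD_CATEGORY,
     "group": "developers", "user": "guest", "actor": "root"},
    # Assumed category name for the negative case: not a "User Added" event.
    {"device": "winevent-dc1", "category": "User.Management.Groups.Modification.User Removed",
     "group": "Domain Admins", "user": "guest", "actor": "Administrator"},
]


def escalations(events, watch=None):
    """Run every event through the watch and keep the escalations."""
    watch = watch or AdminGroupWatch(ADMINISTRATIVE_GROUPS, ADMINISTRATIVE_USERS)
    return [a for a in (watch.evaluate(e) for e in events) if a]


if __name__ == "__main__":
    for alert in escalations(SAMPLE_EVENTS):
        print(alert)
```

Only tsmith (added to Domain Admins) and guest (added to wheel) escalate; jdoe is on the Administrative Users watchlist even though the event names the account in UPN form, and developers is not an administrative group. The same normalization is what keeps the watchlists usable across Windows and UNIX event sources, which is why the page says they need constant updating.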


CRL-00016

Name

Attacks Exploiting HTTP Cold Fusion Vulnerabilities Detected by IDS or IPS Devices

Purpose

Correlation rule CRL-00016 monitors events from specific IDS/IPS devices and triggers upon detecting a burst of attacks that exploit vulnerabilities in HTTP Cold Fusion products.

This rule revises the default enVision correlation rule NIC016. The revised rule is based on the events that are originally detected by the IPS and IDS devices. The revised rule depends on specific devices and vulnerabilities.

When conditions trigger this correlation rule, the following actions should be performed:

l Identify the source of the attack and block traffic from the source.

l Identify the target host of the attack and apply the vendor supplied patch to eliminate the

vulnerability.

l Restrict access to the affected service for trusted hosts.

l Investigate the destination host that was the target of the attack and diagnose potential impacts of

the attack.

Supported Devices

This correlation rule supports the following devices:

Device Class Device Type

Security.IDS Dragon IDS

Security.IDS ISS Realsecure

Security.IDS Entercept

Security.IDS Snort

Security.IDS Intrushield

Security.IDS Cisco Secure IDS XML

Security.IDS Cisco Secure IDS


RSA enVision Configuration

This rule requires further configuration settings after enVision is deployed. The rule relies on device-specific events when it detects attacks that attempt to exploit the HTTP Cold Fusion product. The current revision of this correlation rule covers 7 different supported security devices. Update this rule if you add new devices to your environment or if you add support for new HTTP Cold Fusion vulnerabilities.

This rule is a revised version of the existing correlation rule NIC016, which is designed to detect intensive attack attempts exploiting multiple vulnerabilities in HTTP Cold Fusion products. Each single attack attempt is detected by IDS or IPS devices across the network, and the correlation rule detects an increase in attack attempts. The revised rule is still based on specific devices within the Security.IDS device class and does not provide a ready-to-deploy rule for all environments.

In the revised rule, a 10% increase over the minute baseline is an indication of an ongoing attack against

the HTTP Cold Fusion products in the network.

The confidence level filtering at the current revision is set to “Filter out messages with low or medium

Confidence” with Destination Address as the variable. Modification of this setting might be required.


CRL-00023

Name

Event Source No Longer Sending Events

Purpose

Correlation rule CRL-00023 detects when an event source stops sending log messages, indicating incorrectly configured hardware or software, or a hardware or software failure.

This rule is a revised version of the default enVision correlation rule NIC023, which triggers when a device stops logging. Unlike the existing rule NIC023, this revised rule is able to supply a timeframe in which the device stopped logging. Additionally, only devices that use real-time or near real-time transport mechanisms are analyzed.

When conditions trigger this correlation rule, the following actions should be performed:

l Investigate network connectivity between the source and the enVision appliance.

l Check to see if logging or auditing has been disabled or misconfigured for the event source.

l Ensure that the event source is still functioning.

Supported DevicesThis correlation rule supports the following devices:

DeviceClass

DeviceType Description

N/A N/A

airdefense, airmagnetenterprise, aix, arborpeakflow, arubanetworks, avocentkvm, bigip,caetrust, celerra, ciscoasa, ciscocontenteng, ciscocss, ciscopix, ciscorouter,ciscosecagent, ciscoswitch, ciscovpn, ciscoworks, cyberguard classic, cyberguard,dragonids, edirectory, extremesw, firepass, fortinet, foundryswitch, hpprocurvesw, hpux,ibmmainframe_sma_rt, intelvpn, intrushield, ironmail, lotusdomino, macosx, mazuprofiler,netapp, netcontinuumwebappfw, nfrnids, nokiaipso, nortelpassport, nortelvpn,nortelwebos, powerconnect, rhlinux, sidewinder, snort, solaris, solsoftnp, sonicwall,stealthwatch, Symantec, symantecav, symantecintruder, symantecsns, symmetrix,tippingpoint, toplayer, toplayeram, trendmicro, websense, winevent, winevent_er,winevent_snare, actividentity, apache, aventail, cacheflow, checkpointfw, ciscoacs,ciscocontenteng, ciscoidsxml, ciscoworks, epolicy, host intrusion prevention, ibmacf2,ibmdb2, ibmdb, ibmracf, ibmtopsecret, ibmwebsphere, iseries, iss, mcafeevirusscan,microsoftiis, mom, ,msdhcp msexchang, msias, msisa, mssql, netcache, oracle,rsaaccessmgr, rsaacesrv, solarisbsm, sybasease, tripwire, winevent_nic


RSA enVision Configuration: This rule is designed to work with the default enVision configuration settings. The monitored devices correspond to those that are considered "Real-time" and "Near-real time": for example, devices that send their logs via SNMP or Syslog, and devices that send their logs via SFTP. This rule is part of a series of rules that enhance NIC023.

NIC023 currently looks for 59 events with a zero count occurring in a 1-hour period. The revised rule looks for real-time devices not sending data in a 15-minute interval from the last received message. The near real-time rule looks for 29 events in 30 minutes. With this approach, it is easier to track when a device has failed and to determine the circumstances surrounding that failure.

You may need to modify the trigger time of 30 minutes for near real-time events and 15 minutes for real-time events based on your requirements.

Increasing the time period for this rule will affect the performance of the enVision appliance.


CRL-00023-01

Name: Event Source Inactive for the Past 4 Hours

Purpose: Correlation rule CRL-00023-01 determines if any device has stopped sending event data in the past 4 hours. It is a revised version of the default enVision correlation rule NIC023.

When conditions trigger this correlation rule, the following actions should be performed:

• Investigate network connectivity between the source and the enVision appliance.
• Check to see if the event source has logging or auditing disabled or misconfigured.
• Ensure that the event source is still functioning.

Supported Devices: This correlation rule supports the following devices:

Device Class   Device Type   Description
NIC_ALL        N/A           All enVision supported devices

RSA enVision Configuration: This rule works with the default enVision configuration settings. It is a revised version of the default enVision correlation rule NIC023, which is designed to trigger when an event source does not send any events in a 1-hour time span. The revised rule uses a 4-hour duration and specifically includes all of the devices supported by enVision as a filter.

The 4-hour window corresponds to a typical NOC/SOC change window. After the rule is incorporated into a view, it generates an alert when an event source fails to send any events to the enVision appliance.

You can change the duration and the number of events to capture based on your specific site requirements.

Increasing the time period for this rule will affect the performance of the enVision appliance.


CRL-00023-02

Name: Event Source Inactive for the Past 24 Hours

Purpose: Correlation rule CRL-00023-02 determines if any device has stopped sending event data in the past 24 hours. It is a revised version of the default enVision correlation rule NIC023.

When conditions trigger this correlation rule, the following actions should be performed:

• Investigate network connectivity between the source and the enVision appliance.
• Check to see if the event source has logging or auditing disabled or misconfigured.
• Ensure that the event source is still functioning.

Supported Devices: This correlation rule supports the following devices:

Device Class   Device Type   Description
NIC_ALL        N/A           All enVision supported devices

RSA enVision Configuration: This rule works with the default enVision configuration settings. After you incorporate the rule into a view, it alerts when an event source fails to send any events to the enVision appliance.

This correlation rule is a revised version of the existing correlation rule NIC023, but unlike NIC023, which uses a 1-hour duration, the revised rule uses a 24-hour duration and specifically includes all of the devices supported by enVision as a filter.

You can change the time duration and the number of events to capture based upon your specific site requirements.

Increasing the time period for this rule will affect the performance of the enVision appliance.
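As an added example, not part of the RSA document or of enVision itself, the silence logic of CRL-00023, CRL-00023-01 and CRL-00023-02 in Python: each source's last message time is tracked, real-time sources are reported after 15 minutes of silence and near-real-time sources after 30 minutes, and a single longer limit (4 or 24 hours) is applied to every inventoried source for the NIC_ALL variants. The inventory, the transport-to-class mapping and the log lines are constructed for this example; the product's near real-time statement counts events rather than measuring the gap from the last message, and that count-based form is not reproduced here.

```python
from datetime import datetime, timedelta

# Transport classes as the page distinguishes them: real-time (syslog, SNMP)
# versus near-real-time (SFTP pulls). Which transport each source uses is an
# inventory decision; the mapping below is constructed for this example.
REAL_TIME_TRANSPORTS = {"syslog", "snmp"}
NEAR_REAL_TIME_TRANSPORTS = {"sftp"}

# Silence limits from the text: 15 minutes for real-time sources,
# 30 minutes for near-real-time sources.
DEFAULT_LIMITS = {
    "real-time": timedelta(minutes=15),
    "near-real-time": timedelta(minutes=30),
}


def transport_class(transport):
    """Map a transport to the class CRL-00023 analyzes, or None for batch sources."""
    if transport in REAL_TIME_TRANSPORTS:
        return "real-time"
    if transport in NEAR_REAL_TIME_TRANSPORTS:
        return "near-real-time"
    return None


class SilenceMonitor:
    """Tracks the last message seen per event source and reports sources
    that have been silent longer than their class allows."""

    def __init__(self, inventory, limits=DEFAULT_LIMITS):
        self.inventory = inventory      # {source: transport}
        self.limits = limits
        self.last_seen = {}

    def observe(self, line):
        # Constructed line format: "<ISO timestamp> <source> <message>"
        ts, source, _ = line.split(" ", 2)
        ts = datetime.fromisoformat(ts)
        if source not in self.last_seen or ts > self.last_seen[source]:
            self.last_seen[source] = ts

    def silent_sources(self, now, every_source_limit=None):
        """Return [(source, class, gap)] for sources past their limit.

        With every_source_limit set (the 4-hour / 24-hour variants), every
        inventoried source is checked against that one limit, matching the
        NIC_ALL filter of CRL-00023-01 and -02. Otherwise only real-time and
        near-real-time sources are checked, as in CRL-00023.
        """
        flagged = []
        for source, transport in sorted(self.inventory.items()):
            cls = transport_class(transport)
            if every_source_limit is None:
                if cls is None:
                    continue
                limit = self.limits[cls]
            else:
                limit = every_source_limit
            last = self.last_seen.get(source)
            gap = None if last is None else now - last
            # A source never heard from is reported too; a gap equal to the
            # limit is not yet an outage (strict comparison).
            if gap is None or gap > limit:
                flagged.append((source, cls, gap))
        return flagged


# Constructed inventory and log lines for the demonstration.
INVENTORY = {
    "fw01": "syslog",       # real-time
    "ids01": "snmp",        # real-time
    "db01": "sftp",         # near-real-time
    "mainframe01": "ftp",   # batch: outside the scope of CRL-00023
}

SAMPLE_LINES = [
    "2010-07-30T10:00:00 fw01 deny tcp 198.51.100.7 -> 10.1.2.3:22",
    "2010-07-30T10:00:05 ids01 alert signature=1234",
    "2010-07-30T10:20:00 db01 audit login user=app",
    "2010-07-30T10:40:00 fw01 deny tcp 198.51.100.7 -> 10.1.2.3:23",
]


def run_sample(now=datetime(2010, 7, 30, 10, 50)):
    mon = SilenceMonitor(INVENTORY)
    for line in SAMPLE_LINES:
        mon.observe(line)
    return {
        "crl-00023": mon.silent_sources(now),
        "crl-00023-01": mon.silent_sources(now, timedelta(hours=4)),
    }


if __name__ == "__main__":
    for rule, hits in run_sample().items():
        for source, cls, gap in hits:
            print(f"{rule}: {source} ({cls}) silent for {gap}")
```

At 10:50 the sample reports ids01 (silent since 10:00:05) under CRL-00023, while db01, whose last message is exactly 30 minutes old, is not yet reported; under the 4-hour variant only mainframe01, which has never sent anything, is reported. Evaluate the monitor from a scheduled check rather than from incoming events, otherwise a source that goes completely silent is never re-examined.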


CRL-00036

Name: High Number of DoS Attack Alerts

Purpose: Correlation rule CRL-00036 inspects the events detected by the IDS, IPS, and Firewall device classes in an enterprise environment. The rule examines Denial of Service (DoS) attack alerts to determine if there is an active attack on the network. This rule is a revised version of the existing correlation rule NIC036, which is included with RSA enVision. The revised rule covers new devices and event categories. The rule monitors events from the Attacks.Denial of Service category and its sub-categories.

When conditions trigger this correlation rule, the following actions should be performed:

• Inspect the source IP of the incoming messages and block the malicious traffic.
• Inspect the device that fires the DoS attack alerts and verify the validity of the event.

Supported Devices: This correlation rule supports the following devices:

Device Class        Device Type
Security.IDS        All
Security.IPS        All
Security.Firewall   All

RSA enVision Configuration: This rule is designed to work with the default configuration settings of RSA enVision.

A threshold is used to enhance the accuracy of the rule. In the revised rule, a 25% increase in DoS events over the minute baseline is an indication of an ongoing attack against the network or of worm activity.

Note: Excessive amounts of false alarms generated by a security device might be another reason for this anomaly.

The event category Attacks.Denial of Service is used as the major category of this correlation rule.


CRL-00037

Name: Backdoor-type Activity Originating From External Networks Detected

Purpose: Correlation rule CRL-00037 inspects events detected by the IDS, IPS, and Firewall device classes in an enterprise environment. The rule examines attack alerts for backdoor activities in the network when the attacker resides in the external network. This rule is a revised version of the existing correlation rule NIC037, which is included with RSA enVision. The revised rule covers new device and event categories. The rule monitors events from the Attacks.Malicious Code.Trojan Horse/Backdoor category.

When conditions trigger this correlation rule, the following actions should be performed:

• Identify the source of the attack and block traffic from the source.
• Identify the target host of the attack, apply the security patch, and remove the backdoor agent.

Supported Devices: This correlation rule supports the following devices:

Device Class        Device Type
Security.IDS        All
Security.IPS        All
Security.Firewall   All

RSA enVision Configuration: This rule is designed to work with the default configuration settings of RSA enVision.

To detect whether the attacker resides in the external network, one of the following filters is applied to the events:

• Destination Address Not in Watchlist RFC 1918 List
• Source Address Not in Watchlist RFC 1918 List

The 1918.txt watchlist provides the IP address ranges allocated to private networks as specified by RFC 1918.


A threshold is used to enhance the accuracy of the rule. In the revised rule, a 25% increase in attack events over the minute baseline is an indication of an ongoing attack against the network or of worm activity.

The event category System.Unusual Activity is used as the major category of this correlation rule.

Note: To increase the accuracy of the rule and reduce the number of false alarms, use confidence level filtering to "Filter out messages with low Confidence" with the variable "victim address".


CRL-00037-01

Name: Backdoor-type Activity Observed Within Internal Networks

Purpose: Correlation rule CRL-00037-01 inspects the events detected by the IDS, IPS, and Firewall device classes in an enterprise environment. The rule examines attack alerts for backdoor activities in the network when the attacker resides in the internal network. This rule is a revised version of the existing correlation rule NIC037, which is included with RSA enVision. The revised rule covers new device and event categories. The rule monitors events from the Attacks.Malicious Code.Trojan Horse/Backdoor category.

When conditions trigger this correlation rule, the following actions should be performed:

• Identify the source of the attack and block traffic from the source.
• Identify the target host of the attack, apply the security patch, and remove the backdoor agent.

Supported Devices: This correlation rule supports the following devices:

Device Class        Device Type
Security.IDS        All
Security.IPS        All
Security.Firewall   All

RSA enVision Configuration: This rule is designed to work with the default configuration settings of RSA enVision.

The RFC 1918 IP List watchlist provides the IP address ranges allocated to private networks as specified by RFC 1918. This watchlist requires proper configuration when the rule is deployed.

Note: You can download sample watchlist files from RSA SecurCare Online, import the data, and edit the default values as needed.

To detect whether the attacker resides in the internal network, the following filters are applied to the events:

• Destination Address in Watchlist RFC 1918 List
• Source Address in Watchlist RFC 1918 List

A threshold is used to enhance the accuracy of the rule. In the revised rule, a 25% increase in attack events over the minute baseline is an indication of an ongoing attack against the network or of worm activity.

The event category System.Unusual Activity is used as the major category of this correlation rule.

Note: To increase the accuracy of the rule and reduce the number of false alarms, use confidence level filtering to "Filter out messages with low Confidence" with the variable "victim address".


CRL-00040-1.0

Overview

Name: Increase in Inter-zone Remote Management Connections

Purpose: Correlation rule CRL-00040-1.0 detects a significant increase in the number of remote management connections. This activity may indicate a malicious user probing different ports to map the network.

Introduction: This rule is an aggregation of NIC040, NIC040_CPFW, and NIC040_PIXFW. Device classes are used instead of specific devices, enhancing the usefulness of the rule. The ports used by these services are contained in a watchlist that users can easily modify to add and remove the services that apply to their network. Currently, RDP, SSH, and Telnet are in the list.

Requirements

Device Class or Systems: Syslog events stored in a Unix file are used to test the rule. The PIX and NetScreen event sources were used (10.10.18.1 and 10.10.50.42 respectively); the messages were copied into two separate files and injected in succession.

Other Requirements: CRL-00040-1.0 was tested and developed using RSA enVision 3.7.0 build 0215. You must install the Known Service Ports watchlist to define the known service ports in the environment. To test this correlation rule, create a new view and add CRL-00040-1.0. Because this correlation rule uses 5% over the hour baseline for triggering, observe the baseline to determine what to inject.

Technical Analysis

Rule Logic: This rule is composed of one circuit and one statement. A decay time of 65 minutes is used, to keep in line with the hourly baseline. The statement looks at all the event sources contained in the Security.Firewall group. It compares the lport variable to the Known Service Ports watchlist to see if the port appears in that list. If it does, and the number of connections exceeds the hourly baseline by 5%, an alert is triggered.


To test this rule, use the injector utility to inject the attached Unix files. Use the following commands to reproduce the triggering condition of the rule:

    injector -redirect -host 127.0.0.1 -file netscreen.unx -eps 1 -time 1
    injector -redirect -host 127.0.0.1 -file port.unx -eps 1 -time 1

False Positive and False Negative Mitigation: The accuracy of the rule hinges on parsing the service port into the right variable for the correlation rule. Accuracy also depends on the thresholds and activity of each site.

Quick Deployment

Event Source Configuration: This correlation rule supports the following event sources:

Device Class        Device Type
Security.Firewall   All

Rule Customization: This rule is designed to work with the default configuration settings of RSA enVision. Because this rule uses the Security.Firewall class, event source additions or removals are handled automatically. The watchlist may have to be updated to include the particular services running on the client's network.

The revised rule specifies a 5% increase over the hourly average to reduce the number of times the rule is triggered.

Note: This rule requires the Known Service Ports watchlist. You can download sample watchlist files from RSA SecurCare Online and edit the default values as needed.

A desired threshold also needs to be determined for each site. The site needs to be using at least one of SSH, Telnet, or RDP for the rule to function properly. When the conditions of this correlation rule are triggered, investigate the source IP address of the messages and the associated workstation, type, and owner. Escalate if necessary.


CRL-00044

Name: Excessive Inbound Connections Denied from a Single IP Address

Purpose: Correlation rule CRL-00044 inspects the firewall for denied connections that have been labeled as inbound connections across a firewall or router. This rule helps find potentially hostile hosts and users trying to access resources on the other side of a firewall or router.

This rule is a revised version of the existing correlation rule NIC044, which is included with RSA enVision. The revised rule uses the device classes associated with firewalls and routers, and the event categories associated with denied connections. This ensures that new firewalls or routers added later are properly supported by this rule without further updates.

The device classes Security.Firewall and Network.Router, and any event with an event category starting with Network.Denied Connections or variations thereof, are used for this correlation. The rule is developed to be generic and not dependent on any specific device or event.

When conditions trigger this correlation rule, the following action should be performed: check the IP address involved to ensure that this is either expected traffic or traffic that should be monitored more closely.

RSA enVision Configuration: This rule is designed to work with the default configuration settings of RSA enVision.

Note: The revised rule requires 60 denied connections in a 5-minute time period to fire. Modify this threshold if you experience a large volume of false alarms in the target environment.

A threshold based on empirical observations of login activity in large enterprise networks is used to enhance the accuracy of the rule. This threshold is in the second statement and specifies 60 denied events within 5 minutes.
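Added example, not from the RSA document: the CRL-00044 threshold as a per-source sliding window in Python. Each denied-connection event enters a queue keyed by source address, timestamps older than 5 minutes are dropped from that queue, and an alert fires when it reaches 60 entries. The log format, the device name and the two source addresses are constructed; the second source produces 59 denies spread over ten minutes, which never exceeds 60 within any 5-minute window and so stays silent.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

THRESHOLD = 60                   # denied connections from one source ...
WINDOW = timedelta(minutes=5)    # ... within this period, as in CRL-00044
DENIED_PREFIX = "Network.Denied Connections"


def parse(line):
    # Constructed normalized format:
    # "<ISO ts> <device> <saddr> <daddr> <dport> <event category>"
    ts, device, saddr, daddr, dport, category = line.split(" ", 5)
    return datetime.fromisoformat(ts), device, saddr, daddr, int(dport), category


class DeniedBurstDetector:
    """Sliding-window count of denied inbound connections per source address."""

    def __init__(self, threshold=THRESHOLD, window=WINDOW):
        self.threshold = threshold
        self.window = window
        self.events = defaultdict(deque)   # saddr -> timestamps still in the window
        self.alerts = []                   # (ISO ts, saddr, count)

    def feed(self, line):
        ts, device, saddr, daddr, dport, category = parse(line)
        if not category.startswith(DENIED_PREFIX):
            return None
        q = self.events[saddr]
        q.append(ts)
        # Expire timestamps that fell out of the window (events are fed in order).
        while q and ts - q[0] > self.window:
            q.popleft()
        if len(q) >= self.threshold:
            alert = (ts.isoformat(), saddr, len(q))
            self.alerts.append(alert)
            q.clear()   # one burst yields one alert; a new burst must refill the window
            return alert
        return None


def sample_lines():
    """Constructed firewall events: one scanning source and one slow source."""
    base = datetime(2010, 7, 30, 10, 0, 0)
    lines = []
    # Scanner: 60 denies in under four minutes (one every 4 seconds).
    for i in range(60):
        ts = base + timedelta(seconds=4 * i)
        lines.append(f"{ts.isoformat()} fw01 198.51.100.7 10.1.2.3 {1000 + i} "
                     "Network.Denied Connections.Inbound")
    # Slow source: 59 denies over ten minutes, never 60 inside any 5-minute window.
    for i in range(59):
        ts = base + timedelta(seconds=10 * i)
        lines.append(f"{ts.isoformat()} fw01 203.0.113.9 10.1.2.3 22 "
                     "Network.Denied Connections.Inbound")
    # A permitted connection, which the category filter ignores.
    lines.append(f"{base.isoformat()} fw01 198.51.100.7 10.1.2.3 80 "
                 "Network.Connections.Successful")
    return sorted(lines)   # ISO timestamps sort chronologically as strings


def run_sample():
    det = DeniedBurstDetector()
    for line in sample_lines():
        det.feed(line)
    return det.alerts


if __name__ == "__main__":
    for ts, saddr, count in run_sample():
        print(f"{ts} {saddr}: {count} denied connections within {WINDOW}")
```

The scanner trips the rule on its 60th deny at 10:03:56; the slow source holds at most 31 events in any window and never alerts, which is the behaviour the 5-minute period is meant to give. Clearing the queue after an alert plays the role of enVision's decay: without it, every further deny from the same source would re-fire until the oldest events aged out.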


CRL-00101

Name: Large Number of Attack Events from Internal IP Addresses Detected by IDS Devices

Purpose: Correlation rule CRL-00101 detects attacks originating from an internal IP address and terminating at an internal IP address. This may mean that an internal attack is occurring, or that an internal address is being spoofed.

When conditions trigger this correlation rule, the following actions should be performed:

• Investigate the attack source.
• Block malicious traffic.
• Inspect the target and take appropriate action.

Supported Devices: This correlation rule supports the following device:

Device Class   Device Type
Security.IDS   All

RSA enVision Configuration: This rule is designed to work with the default configuration settings of RSA enVision. The monitored devices for the rule are in the IDS class. For this rule to function, the deployment environment must have a device in this class.

The rule uses a baseline to prevent excessive alerts. A 25% increase over the minute baseline is used. This may need to be adjusted depending on the requirements of the environment.

This rule is composed of the Internal IP circuit. This circuit contains one statement that is used to catch the appropriate IDS messages. The source (saddr) and destination (daddr) addresses in the messages must both be contained in the RFC 1918 IP List watchlist. The event category Attacks.* is used to reduce the amount of configuration required. Additional internal IP ranges can be added to the watchlist as required.

Note: This rule requires the RFC 1918 IP List watchlist. You can download sample watchlist files from RSA SecurCare Online, import the data, and edit the default values as needed.
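Added example, not part of the RSA document, of the baseline comparison that CRL-00016, CRL-00036, CRL-00037, CRL-00037-01, CRL-00101 and CRL-00102 all describe, written in Python. Events are bucketed per minute, the baseline is the average of the preceding five minutes (the page does not say how enVision computes its minute baseline; a five-minute trailing mean is assumed here), and an alert fires when the current minute exceeds the baseline by more than the configured percentage. The RFC 1918 watchlist is the three private ranges, and the address filters follow the page: CRL-00037 requires the source or the destination to be outside the list, CRL-00037-01 and CRL-00101 require both to be inside. The event lines are constructed; category prefix, percentage and zone are parameters so that one detector serves each rule, and bucketing by hour instead of minute would give the CRL-00040-1.0 form.

```python
import ipaddress
from collections import Counter
from datetime import datetime, timedelta

# The RFC 1918 IP List watchlist the page refers to, as network objects.
RFC1918_WATCHLIST = [ipaddress.ip_network(n)
                     for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def in_watchlist(addr, watchlist=RFC1918_WATCHLIST):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in watchlist)


def zone_filter(zone, saddr, daddr):
    """Address filters as the page states them.
    external (CRL-00037): source or destination not in the RFC 1918 list.
    internal (CRL-00037-01, CRL-00101, CRL-00102): both addresses in the list.
    None: no address filter (CRL-00016, CRL-00036)."""
    s, d = in_watchlist(saddr), in_watchlist(daddr)
    if zone == "external":
        return not s or not d
    if zone == "internal":
        return s and d
    return True


def parse(line):
    # Constructed normalized format: "<ISO ts> <saddr> <daddr> <event category>"
    ts, saddr, daddr, category = line.split(" ", 3)
    return datetime.fromisoformat(ts).replace(second=0), saddr, daddr, category


class BaselineDetector:
    """Counts matching events per minute and alerts when a minute exceeds the
    mean of the preceding `window` minutes by more than `pct` (0.25 = 25%)."""

    def __init__(self, category_prefix, pct, zone=None, window=5):
        self.category_prefix = category_prefix
        self.pct = pct
        self.zone = zone
        self.window = window
        self.per_minute = Counter()

    def feed(self, line):
        minute, saddr, daddr, category = parse(line)
        if not category.startswith(self.category_prefix):
            return
        if not zone_filter(self.zone, saddr, daddr):
            return
        self.per_minute[minute] += 1

    def alerts(self):
        """Return [(ISO minute, count, baseline)] for minutes over threshold."""
        if not self.per_minute:
            return []
        first, last = min(self.per_minute), max(self.per_minute)
        out = []
        minute = first + timedelta(minutes=1)   # the first minute has no baseline
        while minute <= last:
            prior = [self.per_minute.get(minute - timedelta(minutes=i), 0)
                     for i in range(1, self.window + 1)
                     if minute - timedelta(minutes=i) >= first]
            baseline = sum(prior) / len(prior)   # quiet minutes count as zero
            count = self.per_minute.get(minute, 0)
            if count > baseline * (1 + self.pct):
                out.append((minute.isoformat(), count, baseline))
            minute += timedelta(minutes=1)
        return out


CATEGORY = "Attacks.Malicious Code.Trojan Horse/Backdoor"


def sample_lines():
    """Constructed IDS events: six minutes of external-to-internal alerts that
    double in the last minute, over a steady internal-to-internal background."""
    lines = []
    for m in range(6):
        for k in range(8 if m == 5 else 4):
            lines.append(f"2010-07-30T10:0{m}:{k:02d} 203.0.113.{k + 1} 10.1.2.{k + 1} {CATEGORY}")
        for k in range(2):
            lines.append(f"2010-07-30T10:0{m}:{30 + k} 10.1.1.{k + 1} 10.1.2.{k + 1} {CATEGORY}")
    return lines


def run_sample():
    results = {}
    for name, zone in (("crl-00037 external", "external"),
                       ("crl-00037-01 internal", "internal"),
                       ("no zone filter", None)):
        det = BaselineDetector("Attacks.", 0.25, zone=zone)
        for line in sample_lines():
            det.feed(line)
        results[name] = det.alerts()
    return results


if __name__ == "__main__":
    for name, hits in run_sample().items():
        print(name, hits)
```

With the external filter the detector reports minute 10:05 (8 events against a baseline of 4); with the internal filter the steady 2 events per minute never exceed their own baseline, so nothing fires. A percentage threshold on a small baseline is fragile: at a baseline of 4 a single extra alert is already 25%, which is why the page recommends tuning the percentage per site.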


CRL-00102

Name: Worm Activity Originating on the Internal Network

Purpose: Correlation rule CRL-00102 looks for worm activity occurring on the internal network of an enterprise. This rule is a revised version of the existing correlation rule NIC_SUSPICIOUS_WORM_ACTIVITY, which is included with RSA enVision. The device scope is increased to include the IPS, IDS, and Firewall classes. These classes, along with the included watchlist, ease maintenance of the rule.

When conditions trigger this correlation rule, the following actions should be performed:

• Determine the source of the infection.
• Update antivirus on end systems.
• Apply and revise the enforcement policy regarding the use of external equipment and media.

Supported Devices: This correlation rule supports the following devices:

Device Class        Device Type
Security.IDS        All
Security.IPS        All
Security.Firewall   All

RSA enVision Configuration: Depending on the network configuration of the site where this rule will be used, some further configuration of the watchlist may be required to include internal IP ranges. The rest of the rule will function properly without any additional configuration, provided all necessary devices are located in the IDS, IPS, and Firewall classes.

To minimize the occurrence of a flood of alerts, a threshold of 25% over the minute baseline has been integrated into the rule. This threshold can be modified based on the specific requirements of the environment.

All events related to worm activity must be categorized in the Attacks.Malicious Code.Worm category. A filter is included that uses a watchlist so that the rule only catches worm activity originating and terminating on the IP addresses specified in the list.

Note: This rule requires the RFC 1918 IP List watchlist. You can download sample watchlist files from RSA SecurCare Online, import the data, and edit the default values as needed.


CRL-00103

Name: Elevation of User Privileges Detected on a Log Source

Purpose: Correlation rule CRL-00103 looks for events that involve the addition of users to groups. The username and group name are checked against two watchlists containing the known administrators and the groups with administrative privileges assigned to them. A user who is not an administrator being added to one of these groups may indicate malicious intent. This rule is a revision of the existing correlation rule NIC031, which is included with RSA enVision. The revised rule employs device classes and event categorization rather than specific devices and events to keep the maintenance and configuration requirements low. The monitored devices for the rule are those that have events classified under User.Management.Groups.Modification.User Added.

When conditions trigger this correlation rule, the following actions should be performed:

• Verify that the user account in question has been granted elevated privileges corresponding to a documented change within the environment. If not, a deeper analysis and subsequent escalation may be required.
• Investigate the source IP address or username of the messages.
• Investigate the destination host that refuses access.

Supported Devices: This correlation rule supports the following devices:

Device Class   Device Type
NIC_All        All

RSA enVision Configuration: This rule is designed to work with the default configuration settings of RSA enVision.

To avoid false positives, there are two watchlists that must be kept updated. The first list, Administrative Groups, holds all group names or IDs that are administrative groups. The second list, Administrative Users, lists the existing administrative usernames. To trigger this rule, a username that is not in the Administrative Users list must be added to a group that is in the Administrative Groups list.

Note: You can download sample watchlist files from RSA SecurCare Online, import the data, and edit the default values as needed.


CRL-00105

Name: Successful Backdoor Attack

Purpose: Correlation rule CRL-00105 detects successful backdoor attacks. This is indicated by a backdoor attack intercepted by security devices, followed by a connection between the attacker and the destination of the attack. The IDS, IPS, and Firewall device classes are monitored. The rule is developed to be generic and not dependent on any specific device type. The event category Attacks.Malicious Code.Trojan Horse/Backdoor is used to filter the backdoor attack events.

When conditions trigger this correlation rule, the following actions should be performed:

• Investigate the target host for possible backdoor agents.
• Apply proper security updates to remove vulnerabilities in the target host.
• Block traffic from the attacker.

Supported Devices: This correlation rule supports the following devices:

Device Class        Device Type
Security.IDS        All
Security.IPS        All
Security.Firewall   All

RSA enVision Configuration: This rule is designed to work with the default configuration settings of RSA enVision.

After inspection of the backdoor event, the source and destination addresses of the attack are stored in the cache variables var_attacker and var_target, respectively. These cache variables are used to detect backdoor connections between the destination of the attack and the attacker. To do this, messages from the event category Network.Connections.Successful are used, where the source and destination of the event match the var_attacker and var_target cached values.

The backdoor connection is expected to initiate within 10 minutes after the backdoor attack. Therefore, the decay time of the rule is set to 15 minutes.

To increase the accuracy of the rule, confidence filtering may be used to reduce the number of false alarms.


CRL-00106

Name: Successful Denial of Service Attack

Purpose: Correlation rule CRL-00106 detects successful Denial of Service (DoS) attacks. This is indicated by a DoS attack intercepted by security devices, followed by a system failure event from the destination of the attack. The rule is developed to be generic and not dependent on any specific device type. The event categories Attacks.Denial of Service.* are used to filter the DoS attack events.

Supported Devices: This correlation rule supports the following devices:

Device Class   Device Type
NIC_All        All

RSA enVision Configuration: This rule is designed to work with the default configuration settings of RSA enVision.

After inspection of the DoS event, the destination address of the attack is stored in the cache variable var_target. This cache variable is used to detect system failure error messages originating from the destination of the attack. To do this, the following event categories are used:

• System.Unusual Activity
• System.Heartbeats.Errors
• System.Errors.*
• Network.Connections.Errors
• System.Failures.*

The system error event caused by the successful DoS attack is expected to occur within 5 minutes after the DoS attack. Therefore, the decay time of the rule is set to 10 minutes.

To increase the accuracy of the rule, confidence filtering may be used to reduce the number of false alarms.
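Added example, not from the RSA document: the two-stage correlation of CRL-00105 and CRL-00106 in Python. The first stage stores the attack's addresses (the page's var_attacker and var_target cache variables), the second fires when a follow-on event arrives whose addresses match the cached values within the decay time, and cached entries older than the decay time are dropped. The event stream, including the "SYN Flood" and "Service" leaf categories, is constructed; the matching keys follow the page: attacker-to-target for the successful connection in CRL-00105, and source equal to the cached target for the failure event in CRL-00106.

```python
from datetime import datetime, timedelta


class TwoStageRule:
    """Stage one caches addresses from an attack event; stage two fires when a
    follow-on event matching the cached values arrives before the decay time."""

    def __init__(self, name, attack_prefix, followup_prefixes, decay,
                 key_from_attack, key_from_followup):
        self.name = name
        self.attack_prefix = attack_prefix
        self.followup_prefixes = tuple(followup_prefixes)
        self.decay = decay
        self.key_from_attack = key_from_attack        # (saddr, daddr) -> cache key
        self.key_from_followup = key_from_followup    # (saddr, daddr) -> lookup key
        self.cache = {}       # key -> time the attack was seen
        self.alerts = []      # (rule name, ISO ts, key)

    def expire(self, now):
        # Drop cached attacks whose decay time has passed (events arrive in order).
        for key, seen in list(self.cache.items()):
            if now - seen > self.decay:
                del self.cache[key]

    def feed(self, ts, category, saddr, daddr):
        self.expire(ts)
        if category.startswith(self.attack_prefix):
            self.cache[self.key_from_attack(saddr, daddr)] = ts
            return None
        if category.startswith(self.followup_prefixes):
            key = self.key_from_followup(saddr, daddr)
            if key in self.cache:
                alert = (self.name, ts.isoformat(), key)
                self.alerts.append(alert)
                del self.cache[key]    # one attack yields one alert
                return alert
        return None


def backdoor_rule():
    # CRL-00105: var_attacker = saddr and var_target = daddr of the attack; the
    # follow-up is a successful connection from var_attacker to var_target.
    return TwoStageRule(
        "CRL-00105",
        "Attacks.Malicious Code.Trojan Horse/Backdoor",
        ["Network.Connections.Successful"],
        timedelta(minutes=15),
        key_from_attack=lambda s, d: (s, d),
        key_from_followup=lambda s, d: (s, d),
    )


def dos_rule():
    # CRL-00106: var_target = daddr of the attack; the follow-up is a failure or
    # error event whose source is var_target.
    return TwoStageRule(
        "CRL-00106",
        "Attacks.Denial of Service",
        ["System.Unusual Activity", "System.Heartbeats.Errors", "System.Errors",
         "Network.Connections.Errors", "System.Failures"],
        timedelta(minutes=10),
        key_from_attack=lambda s, d: d,
        key_from_followup=lambda s, d: s,
    )


# Constructed event stream: "<ISO ts> <saddr> <daddr> <event category>".
SAMPLE = [
    "2010-07-30T10:00:00 203.0.113.5 10.1.2.3 Attacks.Malicious Code.Trojan Horse/Backdoor",
    "2010-07-30T10:08:00 203.0.113.5 10.1.2.3 Network.Connections.Successful",   # 8 min later: alert
    "2010-07-30T10:10:00 203.0.113.9 10.1.2.4 Attacks.Malicious Code.Trojan Horse/Backdoor",
    "2010-07-30T10:30:00 203.0.113.9 10.1.2.4 Network.Connections.Successful",   # 20 min later: decayed
    "2010-07-30T11:00:00 198.51.100.20 10.1.2.5 Attacks.Denial of Service.SYN Flood",
    "2010-07-30T11:04:00 10.1.2.5 10.1.2.5 System.Failures.Service",             # from the target: alert
    "2010-07-30T11:05:00 10.1.2.6 10.1.2.6 System.Failures.Service",             # unrelated host
]


def run_sample(lines=SAMPLE):
    rules = [backdoor_rule(), dos_rule()]
    for line in lines:
        ts, saddr, daddr, category = line.split(" ", 3)
        ts = datetime.fromisoformat(ts)
        for rule in rules:
            rule.feed(ts, category, saddr, daddr)
    return [alert for rule in rules for alert in rule.alerts]


if __name__ == "__main__":
    for alert in run_sample():
        print(*alert)
```

Because CRL-00105 matches only the attacker-to-target direction, a callback from the compromised host to the attacker (the reverse of what the rule stores) would not fire; a second statement with the addresses swapped would cover it. The decay also bounds the cache size, which matters on a busy IDS where every backdoor signature would otherwise leave an entry behind.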


CRL-00107

Name: Possible Tampering of System Audit / Logs Detected

Purpose: Correlation rule CRL-00107 detects whether a log system has been enabled or disabled, or has encountered some type of error. It also detects if logs have been deleted on some systems.

When conditions trigger this correlation rule, the following action should be performed: determine why the logging system has failed and escalate as appropriate.

Supported Devices: This correlation rule supports the following devices:

Device Class        Device Type
Host.Windows        Windows Events (BL, ER, NIC, Snare)
Security.IDS        ISS RealSecure
Host.Web Logs       Cisco Content Engine
Network.Router      Cisco Router/IOS Firewall, Juniper JUNOS Router
Network.Switch      Cisco Switch
Security.Firewall   Netscreen
Host.Unix           Unix Solaris, Unix AIX
Network.System      NIC System
Security.VPN        Juniper SSL VPN

RSA enVision Configuration: This rule is designed to work with the default configuration settings of RSA enVision. The environment in which this rule is used must have at least one device from the table above for the rule to function.


CRL-00108

Name: Possible ARP Poisoning Activity Detected

Purpose: Correlation rule CRL-00108 determines if ARP poisoning is occurring on the network. This rule is necessary in an enterprise environment because ARP poisoning can lead to Denial of Service (DoS) and to the compromise of information.

Specific messages from various devices are used to detect the spoofing attacks. In addition to specific IDS and IPS rules, duplicate IP address messages are included.

When conditions trigger this correlation rule, the following action should be performed: determine the source of the IP conflict caused by the poisoned ARP table.

Supported Devices: This correlation rule supports the following devices:

Device Class                       Device Type
Security.IDS                       Intrushield, Symantec Network Security, Cisco Secure IDS, Cisco Secure IDS XML
Network.Switch                     ExtremeWare, Cisco Content Switch, Cisco Switch
Security.Firewall                  Netscreen, Cisco ASA, Cisco PIX Firewall, SonicWALL-FW, Symantec Enterprise Firewall
Network.Configuration Management   Netscreen-Security Manager
Host.Unix                          Nokia IPSO, Apple Mac OS X
Security.VPN                       Nortel VPN Contivity
Network.Router                     Cisco Router/IOS Firewall

RSA enVision Configuration: This rule is designed to work with the default configuration settings of RSA enVision. The environment in which this rule is used must contain at least one of the devices in the table above. CRL-00111 is also required for this rule to function properly.


CRL-00109

Name: Windows Service State Change

Purpose: Correlation rule CRL-00109 determines whether a service in Windows has been stopped, started, or restarted. It also determines if the startup behavior of a service has been modified.

When conditions trigger this correlation rule, the following action should be performed: determine why the service state has changed on the system in question.

Supported Devices: This correlation rule supports the following devices:

Device Class          Device Type
Host.Windows Hosts    Windows Events (BL, ER, NIC, Snare)

RSA enVision Configuration: This rule is designed to work with the default configuration settings of RSA enVision. It assumes that there are Windows devices on the network that use one of the four methods of event log gathering (NIC, BL, ER, Snare).


CRL-00110 Rule Set

NameDetection of Clear-Text Confidential Information using RSA enVision Correlation

PurposeThe CRL-00110 correlation rule set represents a collection of rules (CRL-00110-DB, CRL-00110-Hosts,

CRL-00110-File Integrity, CRL-00110-Email, CRL-00110-Web, and CRL-00110-IDS) that all feed into

an overall CRL-00110 rule whose collective purpose is to assist in the identification of any patterns of

information within the payload of events from key device classes that may be of a confidential nature, in

clear text.

Detecting the presence and/or activity surrounding the use of clear-text confidential information can assist

enterprises in reducing the risks associated with the misuse and/or unauthorized disclosure. Enterprises

currently deploy or are considering the deployment of many suites of tools that could assist in this

identification.

Supported DevicesThis correlation rule set supports the following devices:

Device Grouping Type

Host.Windows.Hosts Device Class

Host.Unix Device Class

Storage.Database Device Class

Network.Configuration.Management.Tripwire.Enterprise Device Type

Host Mail Servers Device Class

Host.Web Logs Device Class

Security.IDS Device Class

Security.IPS Device Class

RSA enVision Configuration

It is the intent of this collective rule set to work out of the box with low maintenance. The rule set relies heavily on three watchlists to provide the necessary pattern recognition for clear-text confidential information.

Note: You can download sample watchlist files from RSA SecurCare Online, import the data, and edit the default values as needed.

The watchlists provide:

• Common credit card recognition patterns
• Social Insurance Number (SIN) recognition
• Social Security Number (SSN) recognition
• Keywords common to enterprise deployments of data storage
• Frequently used user accounts (interactive or service) that have a business requirement to access confidential information
• Support for events collected by the RSA Data Loss Prevention (DLP) Suite

The use of watchlists allows you to quickly add or modify criteria to tune the individual rules contained within the rule set to the desired levels.

For the purposes of the rule, “Confidential Information” is limited to:

• Credit card numbers from VISA, Mastercard, American Express, JCB, Discover, and Diner's Club
• Keywords that match “credit card, cardholder”
• Social Insurance Numbers
• Social Security Numbers

These types of “Confidential Information” are usually found within databases, or as files stored on file systems hosted by Windows-based or UNIX-based operating systems. The information takes the form of content within files, or is part of the filename itself.

In addition to these storage locations, the confidential information could be transmitted in clear text from a front-end application, such as a web-based graphical user interface, to a back-end database.

This rule set evaluates key events from each of these sources, compares the payload to the watchlist of confidential information looking for the patterns contained within, and triggers on successful matches.

The CRL-00110 rule set consists of seven individual rules:

• CRL-00110 – This rule collects the output of each of the subsequent CRL-00110 variants, and triggers based on a threshold against the minute baseline.
• CRL-00110-Hosts – This rule looks specifically at events that relate to file access, modifications, creations, and deletions, using the watchlists to identify potential confidential data patterns. It uses the device classes for Windows and UNIX.
• CRL-00110-File Integrity – This rule uses Tripwire events to identify files or elements that may contain confidential patterns.
• CRL-00110-DB – This rule looks for SQL commands executed against any object that matches confidential data patterns, using the database device class.
• CRL-00110-Email – This rule examines email traffic for confidential data patterns, using the device class for email servers.
• CRL-00110-IDS – This rule examines network intrusion detection and prevention events for any confidential data patterns within the event payload.
• CRL-00110-Web – This rule examines web server events for confidential data patterns, using the device class for web servers.

Each rule selects events based on the event categories most likely to contain confidential information. Selecting by event category ensures that newly supported devices under these device classes, whose messages match those event categories, are automatically included in the rule set. Categories also reduce the out-of-the-box maintenance the rule requires from customers and help to improve the efficiency of the rule when it is loaded into the Alerter process. Examples of event categories used are:

• User.Activity
• User.Activity.File.Access
• Content.Web
• Content.Web.Successful
• Config.Changes

Three watchlists are used in various combinations within each rule. These three watchlists are:

• Confidential Data Patterns – This watchlist contains regular expression constructs that recognize the following patterns:
  • Word patterns “credit card, creditcard, cardholder”
  • Credit card Personal Asset Numbers (PAN) for VISA, Mastercard, Discover, American Express, JCB, and Diner's Club
  • Social Insurance Numbers (SIN)
  • Social Security Numbers (SSN)
• Confidential Accounts – This watchlist contains a list of users that have a business need to access potentially confidential information and whose activity can be removed from the alerts as expected behavior. It is used in a few of the rules (such as CRL-00110-Hosts) where the user is expected to be within the payload of events.
• DLP Confidential Data Policies – This watchlist allows the CRL-00110-Email and CRL-00110-Web correlation rules to collect events from the RSA Data Loss Prevention Suite.

With the exception of CRL-00110, each rule triggers on every event that matches the conditions outlined within the watchlists.

CRL-00110 receives the events from the other CRL-00110 variants and applies a threshold of a 45% increase over the hour baseline. This provides notification of a significant increase in the described activity that may require immediate attention.
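The following Python sketch is an added illustration of how the three watchlists drive a CRL-00110 style match; it is not RSA's code, and the pattern contents, account names and event lines are assumptions constructed for the example. It adds a Luhn check on candidate card numbers, the usual way to cut the false positives a bare digit-run regex produces, and suppresses matches for users on the Confidential Accounts watchlist.

```python
import re

# Watchlist "Confidential Data Patterns" (assumed contents; RSA ships its own
# sample watchlist files via SecurCare Online). Brand rules are the classic
# prefix/length checks, applied to the digits only after separators are removed.
CARD_BRANDS = {
    "VISA": re.compile(r"^4\d{12}(?:\d{3})?$"),
    "Mastercard": re.compile(r"^5[1-5]\d{14}$"),
    "American Express": re.compile(r"^3[47]\d{13}$"),
    "Discover": re.compile(r"^6(?:011|5\d{2})\d{12}$"),
    "JCB": re.compile(r"^(?:2131|1800|35\d{3})\d{11}$"),
    "Diner's Club": re.compile(r"^3(?:0[0-5]|[68]\d)\d{11}$"),
}
# A candidate PAN is 13 to 19 digits, optionally separated by spaces or dashes.
PAN_CANDIDATE = re.compile(r"(?<![\d-])(?:\d[ -]?){12,18}\d(?![\d-])")
KEYWORDS = re.compile(r"\b(?:credit ?card|cardholder)\b", re.IGNORECASE)
# SSN: area 000, 666 and 9xx are never issued; group 00 and serial 0000 invalid.
SSN = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
SIN_CANDIDATE = re.compile(r"\b\d{3}[ -]?\d{3}[ -]?\d{3}\b")

# Watchlist "Confidential Accounts" (assumed): users with a business need.
CONFIDENTIAL_ACCOUNTS = {"svc_billing", "dba_reports"}


def luhn_ok(digits: str) -> bool:
    """Mod-10 checksum used by card PANs and by Canadian SINs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_patterns(payload: str) -> list:
    """Return the names of the watchlist patterns found in one event payload."""
    hits = []
    if KEYWORDS.search(payload):
        hits.append("keyword")
    for m in PAN_CANDIDATE.finditer(payload):
        digits = re.sub(r"[ -]", "", m.group(0))
        if not luhn_ok(digits):
            continue  # digit run that cannot be a real card number
        for brand, rule in CARD_BRANDS.items():
            if rule.match(digits):
                hits.append("PAN:" + brand)
                break
    if SSN.search(payload):
        hits.append("SSN")
    for m in SIN_CANDIDATE.finditer(payload):
        if luhn_ok(re.sub(r"[ -]", "", m.group(0))):
            hits.append("SIN")
            break
    return hits


def evaluate(events: list) -> list:
    """Per-event triggering, as the CRL-00110 variants do (no threshold)."""
    alerts = []
    for ev in events:
        hits = find_patterns(ev["payload"])
        if not hits:
            continue
        if ev["user"] in CONFIDENTIAL_ACCOUNTS:
            continue  # expected behaviour: the account is on the watchlist
        alerts.append((ev["id"], ev["device_class"], hits))
    return alerts


# Constructed sample events; these are not real logs.
SAMPLE_EVENTS = [
    {"id": 1, "device_class": "Host.Windows Hosts", "user": "jdoe",
     "payload": r"Object Access: \\fs01\finance\Cardholder List 2010.xlsx"},
    {"id": 2, "device_class": "Storage.Database", "user": "svc_billing",
     "payload": "SELECT name FROM customers WHERE pan='4111111111111111'"},
    {"id": 3, "device_class": "Host.Web Logs", "user": "-",
     "payload": "GET /checkout?card=4111-1111-1111-1112 HTTP/1.1 200"},
    {"id": 4, "device_class": "Host.Unix", "user": "rroe",
     "payload": "audit: rroe read record SIN 046 454 286 from /export/hr"},
    {"id": 5, "device_class": "Storage.Database", "user": "jsmith",
     "payload": "INSERT INTO orders VALUES (378282246310005, '2010-07-30')"},
    {"id": 6, "device_class": "Host.Mail Servers", "user": "-",
     "payload": "Message queued: order 123456789012 processed"},
]

if __name__ == "__main__":
    for alert in evaluate(SAMPLE_EVENTS):
        print(alert)  # events 1 (keyword), 4 (SIN) and 5 (Amex PAN); 2 is suppressed
```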


CRL-00111

Name

Possible Spoofing Activity Detected

Purpose

Correlation rule CRL-00111 alerts on possible network spoofing activity by looking through the events reported by devices that are associated with spoofing.

When conditions trigger this correlation rule, the following action should be performed: Investigate the source IP address and the nature of the event to determine why a spoof was reported.

Supported Devices

This correlation rule supports the following devices:

Device Class               Device Type
Security.Switch            All
Security.Router            All
Security.Firewall          All
Host.Windows Hosts         All
Network.Wireless Devices   All
Host.Unix                  All

RSA enVision Configuration

This rule is designed to work with the default configuration settings of RSA enVision. Given the wide variety of devices this correlation works against, no further configuration is needed. However, as new events are added to a system, the rule may need to be adjusted to ensure that it captures the correct events. The rule uses regular expressions and keywords inside the message body to match events.

Each filter inside the primary circuit is set to trigger when an increase of 25% is exceeded within a minute. Typically you do not see these events at all, so any increase triggers this rule immediately.

The rule looks through all of the messages that come from the listed devices for keywords that indicate that the event is a spoofing event. In many devices, this is not phrased with the word “spoof”. Additional regular expressions are used to reduce the number of false positives.


CRL-00112

Name

Removable Storage Removed from a Windows Event Source

Purpose

Correlation rule CRL-00112 monitors Windows events involving USB storage. Depending on your company policy, possessing any form of USB data device may be a violation.

When conditions trigger this correlation rule, the following action should be performed: Investigate the source IP address and the user to ensure that he or she is authorized to use a USB device.

Supported Devices

This correlation rule supports the following devices:

Device Class          Device Type
Host.Windows Hosts    All

RSA enVision Configuration

This rule is designed to work with the default configuration settings of RSA enVision. However, all the monitored Windows hosts must have sufficient audit policies to generate the two events necessary for the rule to function.

The first event must contain information regarding an access of the object \Device\USB. The second event is a device ejection event that references PlugPlayManager. An eight-hour window is used to accommodate a typical work day, where the device would be plugged in at the beginning of the day and removed at the end. However, if the plug-in, access and ejection cycle is longer than eight hours, this correlation is not triggered. In that case the window for this correlation may need to be adjusted.
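As an added example (not RSA's implementation), the Python below shows the two-event pairing CRL-00112 describes: a \Device\USB object access followed by a PlugPlayManager ejection from the same host within the eight-hour window, and how a plug-in to ejection cycle longer than the window is silently missed unless the window is widened. The event line format, host names and users are constructed for the example.

```python
from datetime import datetime

DEFAULT_WINDOW_HOURS = 8.0   # the rule's default; widen it if cycles run longer


def parse(line):
    """Split a constructed 'time|host|user|message' line into fields.
    This is not enVision's parser; it only serves the example."""
    ts, host, user, message = line.split("|", 3)
    return {"time": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
            "host": host, "user": user, "message": message}


def correlate(lines, window_hours=DEFAULT_WINDOW_HOURS):
    """Pair each PlugPlayManager ejection with the most recent \\Device\\USB
    access on the same host. Returns (host, user, elapsed_hours) for pairs
    inside the window; longer cycles produce nothing, as the text warns."""
    last_access = {}          # host -> (access time, user)
    alerts = []
    for ev in (parse(l) for l in lines):
        if r"\Device\USB" in ev["message"]:
            last_access[ev["host"]] = (ev["time"], ev["user"])
        elif "PlugPlayManager" in ev["message"]:
            opened = last_access.pop(ev["host"], None)
            if opened is None:
                continue      # ejection without a recorded access: no pair
            elapsed = (ev["time"] - opened[0]).total_seconds() / 3600.0
            if elapsed <= window_hours:
                alerts.append((ev["host"], opened[1], elapsed))
            # else: plug-in to ejection cycle exceeded the window; not fired
    return alerts


# Constructed sample events in time order (not real Windows audit records).
SAMPLE_LINES = [
    "2010-07-30 07:00:00|WS-0202|bob|Object Open: Object Name \\Device\\USB",
    "2010-07-30 08:30:00|WS-0101|alice|Object Open: Object Name \\Device\\USB",
    "2010-07-30 12:00:00|WS-0303|carol|PlugPlayManager: device ejected",
    "2010-07-30 16:15:00|WS-0101|alice|PlugPlayManager: device ejected",
    "2010-07-30 17:30:00|WS-0202|bob|PlugPlayManager: device ejected",
]

if __name__ == "__main__":
    print(correlate(SAMPLE_LINES))        # [('WS-0101', 'alice', 7.75)]
    print(correlate(SAMPLE_LINES, 11))    # bob's 10.5 h cycle now pairs as well
```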


CRL-00115

Name

Attacks Exploiting Vulnerabilities in SANS TOP-20 2007 Observed

Purpose

Correlation rule CRL-00115 monitors events from IDS and IPS devices, and triggers when it detects attacks that exploit the vulnerabilities in the SANS TOP-20 2007 list. Since this revision is based on events that are originally detected by IPS and IDS devices, limitations are introduced, such as dependency on specific devices and vulnerabilities. Confidence level filtering is employed to enhance the accuracy of the rule. The event category Attacks.Access is used as the major category of this rule.

When conditions trigger this correlation rule, the following actions should be performed:

• Identify the source of the attack and block traffic from the source.
• Identify the target host of the attack and apply the vendor-supplied patch to eliminate the vulnerability.
• Restrict access to the affected service to trusted hosts.
• Investigate the destination host that was the target of the attack and diagnose the potential impact of the attack.

Supported Devices

This correlation rule supports the following devices:

Device Class    Device Type
Security.IDS    Dragon IDS
Security.IDS    ISS Realsecure
Security.IDS    Tipping Point
Security.IDS    Snort
Security.IPS    Netscreen IDP
Security.IDS    Cisco Secure IDS XML

RSA enVision Configuration

Modify this rule if you add new devices to your environment.

This rule uses 1800 events that are associated with the vulnerabilities in the SANS TOP-20 2007 list. This may cause performance issues for RSA enVision, so the device must be monitored.

The confidence level filtering is set to “Filter out messages with low or medium Confidence” with Destination Address as the variable. This setting may need to be modified for your environment.

A threshold is used to enhance the accuracy of the rule. A 10% increase over the minute baseline is an indication of an ongoing attack against the vulnerabilities listed in the SANS TOP-20 2007 list.
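The baseline thresholds used by CRL-00110 (45% over the hour baseline), CRL-00111 (25% within a minute) and CRL-00115 (10% over the minute baseline) can all be read as the same comparison. The Python below is an added example, not enVision's own baseline arithmetic, which this page does not document: it buckets event times into fixed windows and fires when a window exceeds the mean of the previous windows by the configured percentage, including the CRL-00111 case where the baseline is zero and any event at all fires the rule. Event times and counts are constructed.

```python
from collections import deque


def bucket_counts(event_times, window_seconds, start, end):
    """Count events per fixed window between start and end (epoch seconds).
    Empty windows are kept: they are what pulls a baseline down to zero."""
    n = (end - start) // window_seconds
    counts = [0] * n
    for t in event_times:
        idx = (t - start) // window_seconds
        if 0 <= idx < n:
            counts[idx] += 1
    return counts


class BaselineThreshold:
    """Fire when a window's count exceeds the baseline by more than
    pct_increase percent. The baseline is the mean of up to `history`
    previous windows (an assumed model, not enVision's documented one)."""

    def __init__(self, pct_increase, history=60):
        self.factor = 1.0 + pct_increase / 100.0
        self.history = deque(maxlen=history)

    def observe(self, count):
        """Feed one completed window; return True if the threshold fires."""
        if not self.history:
            self.history.append(count)   # nothing to compare against yet
            return False
        baseline = sum(self.history) / len(self.history)
        # With an all-zero history the baseline is 0, so any event exceeds
        # it: the "any increase triggers immediately" behaviour of CRL-00111.
        fired = count > baseline * self.factor
        self.history.append(count)
        return fired


def fired_windows(pct_increase, counts, history=60):
    """Indices of the windows in `counts` at which the rule fires."""
    rule = BaselineThreshold(pct_increase, history)
    return [i for i, c in enumerate(counts) if rule.observe(c)]


# Constructed sample: epoch seconds of matching events over ten minutes,
# nine quiet minutes and then three spoof-type events in the tenth.
SPOOF_EVENTS = [9 * 60 + 5, 9 * 60 + 20, 9 * 60 + 41]
# Constructed IDS counts per minute: a steady ~100/minute, then a jump.
IDS_COUNTS = [100, 100, 100, 100, 100, 108, 115]

if __name__ == "__main__":
    minute_counts = bucket_counts(SPOOF_EVENTS, 60, 0, 10 * 60)
    print("CRL-00111 style, 25%:", fired_windows(25, minute_counts))  # [9]
    print("CRL-00115 style, 10%:", fired_windows(10, IDS_COUNTS))     # [6]
```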


CRL-00116 Rule Set

Name

BotNet Detection Rule Pack

Purpose

Correlation rule set CRL-00116 consists of a variety of correlations that can be used together to detect machines that may be part of a BotNet inside your network. This is a set of two rules. The first rule (CRL-00116-02) covers AV, DNS, SMTP and IRC activity, and hosts file modifications. The second rule (CRL-00116-01) examines failed login attempts from multiple sources to one destination. By themselves, these events may indicate very little. However, when combined into one view, they can indicate a possible BotNet agent on your system.

Supported Devices

This correlation rule set supports the following device:

Device Class    Device Type
NIC_ALL         All

RSA enVision Configuration

This rule is designed to work with the default configuration settings of RSA enVision. This rule should not need to be modified. Make sure that the list of valid DNS servers that are used by the network is populated with your LAN’s local DNS servers.

After exhaustive research into the nature of BotNets and possible detection methodologies, several ways to detect BotNets through logs were created. While each rule by itself is not indicative of a BotNet, together they point to a greater likelihood of a BotNet existing on a network.

The first correlation rule (CRL-00116-02) investigates the following possible BotNet behaviors:

• An increase in detected AV activity, with special emphasis on viruses that could be used to gain further system access. A victim host will be used to further spread the BotNet itself.
• Hosts file modifications detected. If the victim’s hosts file is modified, it could be changed so that DNS requests are rerouted to a different location. This allows the BotNet C&C to pass down commands, or to redirect the users’ web requests to a different web server so that it can intercept personal information, such as passwords.
• Changes in DNS utilization. A BotNet victim may have new DNS entries added that will be used within the BotNets for attack coordination and improved victim organization.
• Inbound or outbound IRC traffic. IRC traffic is suspicious because it is the single most common method for passing BotNet Command & Control commands around to victims.
• Outbound SMTP traffic volume increase. BotNets are recognized as a major source of spam worldwide. They accomplish this by using random victim host machines to send out spam. Thus, an increase in SMTP traffic would indicate that the SMTP traffic may not be for legitimate reasons.
• Outbound SMTP traffic to known blacklisted servers. An increase in SMTP traffic to blacklisted servers may indicate the existence of a BotNet in the network.

The second correlation rule (CRL-00116-01) monitors for multiple failed login attempts into the same target host with the same username. One of the basic functions of Bots is that they are passed to a target PC via an infection attempt. When a command is sent, any computer infected by a Bot may attempt to log in to the victim machine. This indicates that the hosts trying to log in may be part of a BotNet that is trying to expand itself or gain access to information on that particular target host.

Note: This rule set requires the Known Service Account and Known Vendor Account watchlists. You can download sample watchlist files from RSA SecurCare Online, import the data, and edit the default values as needed.

Correlation Rule CRL-00116 Update

Statement “IRC_Messages” has been renamed to “IDS/IPS_Messages”.

New message IDs were introduced to the statement “IDS/IPS_Messages”. The message IDs belong to the following devices:

• Cisco Secure IDS XML
• Snort/Sourcefire
• Tipping Point
• ISS Realsecure

The new set of messages added is used to detect Bot activity.

The decay time of the rule has been changed to 65 minutes. The threshold values for the statements “Viruse/Botnet detected by AntiVirus” and “Increased in SMTP outbound traffic” have been modified to check for an increase based on the hourly average, for more accuracy.


CRL-00117

Name

Log Collection Stopped due to Filled Disk Capacity

Purpose

Correlation rule CRL-00117 monitors an RSA enVision system to determine if log collection has stopped due to filled disk capacity. This rule looks at specific messages that the enVision system generates regarding log collection and disk capacity. A loss of log collection will result in reduced effectiveness of the enVision system.

You need to free up space by archiving or deleting logs from the enVision LogSmart IPDB. Also, determine if you have any unused files that could be removed to recover disk space.

Supported Devices

This correlation rule supports the following devices:

Device Class    Device Type
NIC_All         All

RSA enVision Configuration

This rule is designed to work with the default configuration settings of RSA enVision. The environment in which this rule is used must contain at least one of the devices from the previous section. It uses specific NIC.System device messages rather than classes.

Upon triggering the conditions of the correlation rule, the following actions should be performed:

• Consider archiving and/or deleting logs from the enVision LogSmart IPDB.
• Look for unused files that could be removed to recover disk space.


CRL-00118

Name

Disk Array Capacity Approaching Threshold

Purpose

Correlation rule CRL-00118 attempts to ascertain whether or not a device or system is approaching maximum disk capacity. The rule examines several specific message IDs to determine if disk capacity is approaching a limit. If you do not take action, you may exhaust disk space or risk other system malfunctions.

Supported Devices

This correlation rule supports the following devices:

Device Class          Device Type
NIC.System            All
Host.Windows Hosts    Windows (NIC, BL, Snare, ER)
Storage.Database      Microsoft SQL Server
Host.Unix             Nokia IPSO
Security.Firewall     Fortinet Antivirus Firewall, CyberGuard Classic
Host.Mail Servers     Microsoft Exchange
Host.Web Logs         Cisco Content Engine
Security.Anti Virus   McAfee ePolicy Orchestrator, CipherTrust IronMail, McAfee Virus Scan
Storage.Storage       NetApp
Security.VPN          Nortel VPN Contivity
Network.Router        Cisco Router / IOS Firewall

RSA enVision Configuration

This rule is designed to work with the default configuration settings of RSA enVision.

Upon triggering the conditions of the correlation rule, the following actions should be performed:

• Consider archiving aged information as dictated by the organization’s Information Life Cycle Management practices.
• Cleaning temporary and/or unused files could also assist in recovering storage space.
• If the alert came from enVision, consider using the lsmaint command to archive or delete older events.


CRL-00119

Name

Password Change on a Known Privileged User Account Detected

Purpose

Correlation rule CRL-00119 looks for password changes to known privileged user accounts. Unauthorized password changes to these accounts can have a significant impact on network functionality and data integrity/confidentiality.

Supported Devices

This correlation rule supports the following devices:

Device Class                       Device Type
Host.Windows Hosts                 Windows Events (BL, ER, NIC, Snare)
Host.Unix                          Unix AIX, HPUX/FreeBSD, Linux
Security.VPN                       Aventail SSL VPN, Cisco VPN 3000, Juniper SSL VPN, Nortel VPN Contivity
NIC_ALL                            NIC System
Storage.Database                   Sybase ASE, Microsoft SQL Server, Oracle
Network.Configuration Management   Tripwire Enterprise
Security.Firewall                  Netscreen

RSA enVision Configuration

This rule is designed to work with the default configuration settings of RSA enVision. The environment in which this rule is used must contain at least one of the devices from the previous section.

Update the watchlist “Privileged User Accounts” with the appropriate usernames present in the network.

Upon triggering the rule, check the source device along with the owner of the account for any policy or procedure violations.


CRL-00120

Name

Revocation of User Privileges Detected

Purpose

This correlation rule inspects events from a selection of common devices used within a network for revocation of user permissions. In many cases, this is monitored through the user’s removal from user groups, or through events that change the user's ‘user level’ within the system. The use case for this rule is to ensure that user privileges are not altered without the knowledge of the network administrators; such action, if unauthorized, may indicate that someone is preparing to perform malicious actions on your network and, by limiting what certain users can do, wants to keep them from interfering with those actions.

Supported Devices

This correlation rule supports the following devices:

Device Class                       Device Type
Host.Windows Hosts                 All
Host.Unix                          All
Security.Firewall                  All
Security.IDS                       ISS Realsecure
Network.Configuration Management   Solsoft NP

RSA enVision Configuration

This rule is designed to work with the default configuration settings of the enVision product. The monitored devices for this rule are composed primarily of Windows and Linux hosts, along with a few other devices. This rule should not need further modification upon deployment.


CRL-00121

Name

Unusual Number of Failed Vendor User Login Attempts

Purpose

Correlation rule CRL-00121 detects an increase in failed login attempts using a vendor default account. This alert is important for those organizations interested in maintaining Payment Card Industry (PCI) compliance. User names for factory default vendor accounts assigned to devices are well known, documented and freely available to the general public. As a best practice, organizations should not use a vendor account to perform management activities on a regular basis, but only as a last resort. An increase in failed logins from vendor accounts could indicate brute force attempts to break into event sources from malicious locations.

Supported Devices

This correlation rule supports the following devices:

Device Class: Host.Windows Hosts
  Device Type: Windows Events (BL), Windows Events (ER), Windows Events (NIC), Windows Events (Snare)
  Description: Security_529_Security, Security_530_Security, Security_531_Security, Security_532_Security, Security_533_Security, Security_534_Security, Security_535_Security, Security_539_Security

Device Class: Host.Unix
  Device Type: All
  Description: Auth.Errors, Auth.Failures, Auth.Failures.Administrative Settings, Auth.Failures.User Errors, User.Activity.Failed Logins

Device Class: Security.Firewall
  Device Type: All
  Description: Auth.Errors, Auth.Failures, Auth.Failures.Administrative Settings, Auth.Failures.User Errors, User.Activity.Failed Logins

Device Class: Security.IDS
  Device Type: All
  Description: Auth.Errors, Auth.Failures, Auth.Failures.Administrative Settings, Auth.Failures.User Errors, User.Activity.Failed Logins

Device Class: Security.IPS
  Device Type: All
  Description: Auth.Errors, Auth.Failures, Auth.Failures.Administrative Settings, Auth.Failures.User Errors, User.Activity.Failed Logins

Device Class: Security.VPN
  Device Type: All
  Description: Auth.Errors, Auth.Failures, Auth.Failures.Administrative Settings, Auth.Failures.User Errors, User.Activity.Failed Logins

Device Class: Network.Switch
  Device Type: All
  Description: Auth.Errors, Auth.Failures, Auth.Failures.Administrative Settings, Auth.Failures.User Errors, User.Activity.Failed Logins

Device Class: Network.Router
  Device Type: All
  Description: Auth.Errors, Auth.Failures, Auth.Failures.Administrative Settings, Auth.Failures.User Errors, User.Activity.Failed Logins

Device Class: Storage.Storage
  Device Type: All
  Description: Auth.Errors, Auth.Failures, Auth.Failures.User Errors, User.Activity.Failed Logins

Device Class: Storage.Database
  Device Type: All
  Description: Auth.Failures, Auth.Failures.User Errors, User.Activity.Failed Logins

Device Class: Security.Access Control
  Device Type: All
  Description: Auth.Errors, Auth.Failures, Auth.Failures.Administrative Settings, Auth.Failures.User Errors, User.Activity.Failed Logins

Device Class: Network.Wireless Devices
  Device Type: All
  Description: Auth.Errors, Auth.Failures, Auth.Failures.Administrative Settings, Auth.Failures.User Errors, User.Activity.Failed Logins

Device Class: Network.System
  Device Type: All
  Description: Auth.Errors, Auth.Failures, Auth.Failures.Administrative Settings, Auth.Failures.User Errors, User.Activity.Failed Logins

Device Class: Network.Configuration Management
  Device Type: All
  Description: Auth.Errors, Auth.Failures, Auth.Failures.Administrative Settings, Auth.Failures.User Errors, User.Activity.Failed Logins

Device Class: Host.Web Logs
  Device Type: All
  Description: Auth.Errors, Auth.Failures, Auth.Failures.Administrative Settings, Auth.Failures.User Errors, User.Activity.Failed Logins

Device Class: Host.Mail Servers
  Device Type: All
  Description: Auth.Errors, Auth.Failures, Auth.Failures.Administrative Settings, Auth.Failures.User Errors, User.Activity.Failed Logins

Device Class: Host.Mainframe
  Device Type: All
  Description: Auth.Errors, Auth.Failures, Auth.Failures.Administrative Settings, Auth.Failures.User Errors, User.Activity.Failed Logins

Device Class: Host.Midrange
  Device Type: iSeries
  Description: Auth.Errors, Auth.Failures, Auth.Failures.Administrative Settings, Auth.Failures.User Errors, User.Activity.Failed Logins

Device Class: Host.Application Servers
  Device Type: All
  Description: Auth.Errors, Auth.Failures, Auth.Failures.Administrative Settings, Auth.Failures.User Errors, User.Activity.Failed Logins

RSA enVision Configuration

This correlation is designed to work with the default configuration settings of the enVision product. The rule uses a mix of device classes and specific device messages. As a result, the rule will require some maintenance. The “Known Vendor Accounts” watchlist may need to be updated when new vendor accounts become available.

Upon triggering the conditions of the current correlation rule, perform the following actions:

• Determine where the attempts originate from.
• Escalate this event to the necessary stakeholders.
• Depending upon the location of the event source, it may be necessary to put in place a temporary firewall rule to deny shell or terminal connections.
• Disabling the service on the event source temporarily may also stop the attack.
• Investigate further using the LogSmart IPDB and the Event Viewer to ascertain any other potential vectors of attack or any other activity that may be of interest on the event source.


CRL-00122

Name

Active Directory Schema Change Detected

Purpose

This rule is designed to detect a change in the schema of a Microsoft Active Directory installation. An unauthorized change in the schema could indicate user addition/deletion, permission modification, and so on. The impact of such changes could include denial of service, unauthorized access to data, and so on.

Supported Devices

This correlation rule supports the following devices:

Device Class          Device Type
Host.Windows Hosts    Windows Events (BL), Windows Events (ER), Windows Events (NIC), Windows Events (Snare)

RSA enVision Configuration

In order for this rule to fire, an Active Directory system needs to have its logs gathered by enVision.


CRL-00123

Name

Possible Non-PCI Compliant Inbound Network Traffic Detected

Purpose

This rule’s primary goal is to monitor inbound connections into secure devices over non-compliant ports, as specified by PCI compliance practices.

Supported Devices

This correlation rule supports the following devices:

Device Class        Device Type   Event Categories
Network.Router      All           Network.Connections, Network.Connections.Successful, Network.Connections.Successful.VPN
Security.Firewall   All           Network.Connections, Network.Connections.Successful, Network.Connections.Successful.VPN

RSA enVision Configuration

Any firewall or network device should work with this rule as it stands now. There are no thresholds in this rule, as it is literally looking for any bad connection of any sort to compliance-sensitive systems.

When this rule is triggered, the following action should be taken:

• Analyze this event and the corresponding traffic events to ascertain the destination port(s) and the services/applications running behind those ports. The identified services and ports should then be escalated to the necessary stakeholders to determine whether or not they are approved for business use. If they are, documentation should follow and the watchlists should be updated. If not, security incident response should be initiated.


CRL-00124

Name

Failed Logins Exceeded 6 Logon Attempts Without a Lockout Event

Supported Devices

This correlation rule supports the following devices:

Device Class                       Device Type
Security.IDS                       Intrushield, Symantec Network Security, Cisco Secure IDS, Cisco Secure IDS XML
Network.Switch                     Extremeware, Cisco Content Switch, Cisco Switch
Security.Firewall                  Netscreen, Cisco ASA, Cisco PIX Firewall, Sonicwall-FW, Symantec Enterprise Firewall
Network.Configuration Management   Netscreen-Security Manager
Host.Unix                          Nokia IPSO, Apple Mac OS X
Security.VPN                       Nortel VPN Contivity
Network.Router                     Cisco Router/IOS Firewall

RSA enVision Configuration

This rule is designed to work with the default configuration settings of RSA enVision. The environment in which this rule is used must contain at least one of the devices from the previous section.


CRL-00125-01

Overview

Name

Configuration Change on Security Device Intercepted

Purpose

Correlation rule CRL-00125-01 detects a change in a core security device, such as an IDS/IPS, firewall, or VPN. If such changes are unexpected, the modification can lead to reduced security, denial of service, and leakage of confidential information.

Requirements

Device Class or Systems

The message for this rule was created using existing Netscreen messages and parsers. The accuracy of this message was verified by injecting the message into the device and ensuring that it did not show up as an unknown message in the Event Viewer (graph by Event Type).

Other Requirements

RSA enVision 3.7.0 build 0215 was used to test this correlation rule. The following table describes the configuration of the RSA enVision platform used for testing:

Device Class        Device Type
Security.Firewall   All

To test this correlation rule, create a new view and add CRL-00125-01.

Technical Analysis

Rule Logic

Rule CRL-00125-01 is composed of one circuit, which contains five statements. Each statement contains a list of categories and a filter to reduce the number of false positives. The following are the descriptions of the statements.

Statement: Device_Changed
  Device Class: Security.IDS, Security.IPS, Security.Firewall, Security.VPN
  Type: All
  Event Categories: Attacks.Access.Modification, Auth.Errors, Auth.Failures.User Errors, Auth.Successful, Config.Changes, Config.Changes.Add, Config.Changes.Modify, Network.Connections.Terminations, Network.Denied Connections, Policies.ACL.Errors, Policies.Rules.Modified, System.Accounting, System.Crypto.Key.Manipulation, System.Errors, System.Errors.Interfaces, System.Errors.Memory, System.Errors.Services, System.Errors.Software, System.Heartbeats, System.Normal Conditions, System.Normal Conditions.Config, System.Unusual.Activity, User.Activity.Failed Logins, User.Activity.Privileged Use.Successful, User.Management, User.Management.Groups.Modification.User Removed, User.Management.Password.Modification, User.Management.Users.Additions, User.Management.Users.Modifications
  Filter: Regex on Content – look for “changed”

Statement: Device_Modified
  Device Class: Security.IDS, Security.IPS, Security.Firewall, Security.VPN
  Type: All
  Event Categories: Config.Changes.Modify, Policies.Rules.Modified, System.Errors.Config, System.Normal Conditions, System.Normal Conditions.Config, User.Management.Users.Modifications, User.Management.Groups.Modifications.User Removed, User.Management.Groups.Modifications.User Added, User.Activity.Failed Logins
  Filter: Regex on Content – look for “modified”

Statement: Device_Configured
  Device Class: Security.IDS, Security.IPS, Security.Firewall, Security.VPN
  Type: All
  Event Categories: Auth.Successful, Config.Changes.Modify, Network.Connections.Errors.VPN, Network.Connections.Successful.VPN, System.Errors.Software, System.Normal Conditions, System.Normal Conditions.Config, System.Normal Conditions.Services
  Filter: Regex on Content – look for “modified”

False Positive and False Negative Mitigation

To test this rule, use the injector utility to inject the attached Unix file. Use the following command to reproduce the triggering condition of the rule:

    injector -redirect -host 127.0.0.1 -file crl-00125-01.unx -eps 1 -time 1

Quick Deployment

Event Source Configuration

Rule CRL-00125-01 requires minimal maintenance because of its use of event categories and filters. If new event sources are added, the appropriate messages should fall under one of the associated statements in the Rule Logic section.

This correlation rule supports the following event sources:

Device Class        Device Type
Security.IDS        All
Security.IPS        All
Security.Firewall   All
Security.VPN        All

Rule Customization

This rule is designed to work with the default configuration settings of RSA enVision. The environment in which this rule is used must contain at least one of the event sources from the previous section. Once the rule is triggered, determine if the change has been authorized. If the change is not authorized, follow the appropriate escalation and reporting procedures.

CRL-00125-02

Overview

Name

Configuration Change on Network Device Intercepted

Purpose

Correlation rule CRL-00125-02 detects a change on a core network device, such as a router or a switch. If such changes are unexpected, they can lead to denial of service and leakage of confidential information.

Requirements

Device Class or Systems

The message for this rule was crafted using existing Cisco messages and parsers. Cisco log samples were also collected from OSSEC.net. The accuracy of this message was verified by injecting the message into the device and ensuring that it did not show up as unknown in the Event Viewer (graph by Event Type).

Other Requirements

RSA enVision 3.7.0 build 0215 was used to test this correlation rule. The following table describes the configuration of the RSA enVision platform used for testing:

Device Class | Device Type | IP Address
Network.Router | Cisco Router/IOS Firewall | 10.10.50.51

To test this correlation rule, create a new view and add CRL-00125-02.

Technical Analysis

Rule Logic

Rule CRL-00125-02 is composed of one circuit, which contains five statements. Each statement contains a list of categories and a filter to reduce the number of false positives. The following are the descriptions of the statements.

Statement: Device_Changed
Device Class: Network.Router, Network.Switch
Type: All
Event Category Values:
  Network.Routing.Changes
  Config.Changes
  Policies.AC
  Policies.Rights.Successful.Privileged Use
  System.Error
  System.Errors.Environmentals
  System.Errors.Hardware
  System.Error.Interface
  System.Errors.Service
  System.Errors.Software
  System.Normal Condition
  System.Normal Conditions.Confi
  System.Normal Conditions.Service
  System.Unusual Activity
Filter: Regex on Content – look for “changed”

Statement: Devices_Removed
Device Class: Network.Router, Network.Switch
Type: All
Event Category Values:
  System.Errors
  System.Errors.Config
  System.Errors.Resources
  System.Errors.Software
  System.Failures.Hardware
  System.Failures.Software
  System.Normal Conditions
  System.Normal Conditions.Config
  System.Unusual Activity
Filter: Regex on Content – look for “removed”

Statement: Devices_Deleted
Device Class: Network.Router, Network.Switch
Type: All
Event Category Values:
  Policies.Rights.Successful.Privileged Use
  System.Crypto.Key.Manipulation
  System.Errors
  System.Errors.Config
  System.Errors.Software
  System.Failures.Software
  System.Normal Conditions
  System.Unusual Activity
Filter: Regex on Content – look for “deleted”

Statement: Devices_Added
Device Class: Network.Router, Network.Switch
Type: All
Event Category Values:
  Config.Changes.Add
  Policies.Rights.Successful.Privileged Use
  System.Errors
  System.Errors.Config
  System.Errors.Software
  System.Failures.Software
  System.Normal Conditions
  System.Normal Conditions.Config
Filter: Regex on Content – look for “added”

Statement: Device_Configured
Device Class: Network.Router, Network.Switch
Type: All
Event Category Values:
  Config.Changes
  System.Crypto.Disabled
  System.Crypto.Enabled
  System.Errors
  System.Errors.Software
  System.Normal Conditions
Filter: Regex on Content – look for “configured”
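The statement layout used by CRL-00125-01 and CRL-00125-02 (device class set, event category set, regex filter on content), written out as a small matcher and run over constructed events. This is an added example, not RSA enVision code: the category sets are abridged to the ones the sample events exercise, and the Event record shape is an assumption.

```python
import re
from dataclasses import dataclass, field

# Added example, not RSA enVision code. Each statement in the CRL-00125 rule
# tables is a triple: a set of device classes, a set of event categories and a
# "Regex on Content" filter looking for one word. An event satisfies a statement
# only when all three conditions hold. Statement names, classes, categories and
# keywords below come from the CRL-00125-02 table (category sets abridged to the
# ones the sample events exercise); the Event record shape is an assumption.


@dataclass(frozen=True)
class Event:
    device_class: str   # enVision device class, e.g. "Network.Router"
    category: str       # enVision event category, e.g. "Config.Changes"
    content: str        # raw message text


@dataclass
class Statement:
    name: str
    device_classes: frozenset
    categories: frozenset
    keyword: str
    pattern: re.Pattern = field(init=False, repr=False)

    def __post_init__(self):
        # The filter column reads "look for <word>", so this is a case-insensitive
        # substring search: "reconfigured" also satisfies the "configured" filter.
        self.pattern = re.compile(re.escape(self.keyword), re.IGNORECASE)

    def matches(self, ev: Event) -> bool:
        return (ev.device_class in self.device_classes
                and ev.category in self.categories
                and self.pattern.search(ev.content) is not None)


NETWORK = frozenset({"Network.Router", "Network.Switch"})

CRL_00125_02 = [
    Statement("Device_Changed", NETWORK,
              frozenset({"Network.Routing.Changes", "Config.Changes",
                         "System.Errors.Hardware"}), "changed"),
    Statement("Devices_Removed", NETWORK,
              frozenset({"System.Errors", "System.Errors.Config",
                         "System.Failures.Hardware"}), "removed"),
    Statement("Devices_Deleted", NETWORK,
              frozenset({"System.Crypto.Key.Manipulation", "System.Errors.Config"}),
              "deleted"),
    Statement("Devices_Added", NETWORK,
              frozenset({"Config.Changes.Add", "System.Errors.Config"}), "added"),
    Statement("Device_Configured", NETWORK,
              frozenset({"Config.Changes", "System.Crypto.Enabled"}), "configured"),
]


def evaluate(events, statements=CRL_00125_02):
    """Return, for each event, the names of the statements it satisfies
    (in table order). An event that satisfies none yields an empty list."""
    return [[s.name for s in statements if s.matches(ev)] for ev in events]


# Constructed sample events: the last one comes from a firewall, so it is
# outside the Network.Router/Network.Switch device classes and never matches.
SAMPLE_EVENTS = [
    Event("Network.Router", "Config.Changes",
          "Configuration changed by admin from console"),
    Event("Network.Switch", "Config.Changes.Add",
          "Interface Vlan10 added to trunk"),
    Event("Network.Router", "System.Errors.Config",
          "Crypto key deleted; interface config removed"),
    Event("Network.Router", "Config.Changes", "Device reconfigured"),
    Event("Security.Firewall", "Config.Changes", "Rule changed"),
]

if __name__ == "__main__":
    for ev, names in zip(SAMPLE_EVENTS, evaluate(SAMPLE_EVENTS)):
        print(f"{ev.device_class:18} {ev.category:22} -> {names or 'no statement'}")
```

The third sample event satisfies two statements at once, which is why a single message can contribute to several parts of the circuit.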

False Positive and False Negative Mitigation

To test this rule, use the injector utility to inject the attached Unix file. Use the following command to reproduce the triggering condition of the rule:

    injector -redirect -host 127.0.0.1 -file crl-00125-02.unx -eps 2 -time 1

Quick Deployment

Event Source Configuration

Rule CRL-00125-02 requires minimal maintenance because of its use of event categories and filters. If new event sources are added, the appropriate messages should fall under one of the associated statements in the Rule Logic section.

This correlation rule supports the following event sources:

Device Class | Device Type
Network.Router | All
Network.Switch | All

Rule Customization

This rule is designed to work with the default configuration settings of RSA enVision. The environment in which this rule is used must contain at least one of the event sources from the previous section. Once the rule is triggered, determine if the change has been authorized. If the change is not authorized, follow the appropriate escalation and reporting procedures.

CRL-00126

Name

Configuration Change made on PCI Database System

Purpose

This rule has been developed to detect a configuration change in a PCI-compliant database system. A configuration change can be interpreted as data changes, configuration changes, permission changes, etc. If these changes are unauthorized, they can result in a compromise of data integrity, data theft, etc.

Supported Devices

This correlation rule supports the following devices:

Device Class | Device Type
Storage.Database | All

RSA enVision Configuration

In order for this rule to trigger, a device must exist in the category listed in Section 1.1. Once triggered, the change must be inspected to see whether it occurred in accordance with corporate policies and procedures. If it did not, the applicable escalation/notification procedures should be followed.

CRL-00127

Name

New User Account Created but Initial Password Not Changed

Purpose

This correlation rule is designed to detect that a new account has been created but its password has not been changed within 24 hours. This rule is important because many large companies create new accounts with default passwords. The longer these account passwords remain unchanged, the greater the chance of compromise in the form of unauthorized access, etc.

Supported Devices

This correlation rule supports the following devices:

Device Class | Device Type
Host.Windows Hosts | All
Host.Unix/Linux | All

RSA enVision Configuration

In order for this rule to fire, a device from Section 1.1 must be configured to log to enVision. A duration of 24 hours must pass between the creation of the account and the changing of the password. Once triggered, determine whether the account creation was legitimate and/or why the password was not changed. Escalate according to corporate policies and procedures.
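The stateful check behind CRL-00127, as an added example that is not RSA enVision code: account creations are paired with a later password change for the same account, and accounts still on their initial password 24 hours after creation are reported. The category names are the ones enVision uses elsewhere in this document; the event tuple layout and the sample events are constructed.

```python
from datetime import datetime, timedelta

# Added example, not RSA enVision code. The stateful check behind CRL-00127:
# pair each account creation with a later password change for the same
# account on the same host, and report accounts whose password is still the
# initial one 24 hours after creation. The category names are the ones
# enVision uses in the CRL-00125-01 tables (User.Management.Users.Additions,
# User.Management.Password.Modification); the event tuple layout and the
# sample events are constructed for this example.

WINDOW = timedelta(hours=24)
CREATED = "User.Management.Users.Additions"
PW_CHANGED = "User.Management.Password.Modification"


def stale_default_passwords(events, now, window=WINDOW):
    """events: iterable of (timestamp, category, host, account), in any order.
    Returns a sorted list of (host, account) for accounts created at least
    `window` before `now` whose password has not been changed since the
    (most recent) creation. Accounts younger than `window` are not reported
    yet: the rule waits the full duration before firing."""
    created = {}      # (host, account) -> most recent creation time
    changed = {}      # (host, account) -> most recent password change time
    for ts, category, host, account in events:
        key = (host, account)
        if category == CREATED:
            created[key] = max(ts, created.get(key, ts))
        elif category == PW_CHANGED:
            changed[key] = max(ts, changed.get(key, ts))

    stale = []
    for key, t_created in created.items():
        if now - t_created < window:
            continue                      # still inside the 24 h grace period
        t_changed = changed.get(key)
        # A change logged before the (re)creation belongs to a previous
        # incarnation of the account and does not count.
        if t_changed is None or t_changed < t_created:
            stale.append(key)
    return sorted(stale)


# Constructed sample: one account changed in time, one never changed, one
# created too recently to judge.
T0 = datetime(2010, 7, 1, 9, 0)
SAMPLE_EVENTS = [
    (T0, CREATED, "win-dc01", "svc_backup"),
    (T0 + timedelta(hours=2), PW_CHANGED, "win-dc01", "svc_backup"),
    (T0, CREATED, "unix-db01", "appuser"),
    (T0 + timedelta(hours=30), CREATED, "win-dc01", "temp01"),
]


def stale_at(hours_after_first_creation):
    """Evaluate the sample the given number of hours after T0."""
    now = T0 + timedelta(hours=hours_after_first_creation)
    return stale_default_passwords(SAMPLE_EVENTS, now)


if __name__ == "__main__":
    for hours in (12, 48, 60):
        print(f"{hours} h after the first creation: {stale_at(hours)}")
```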

CRL-00136

Name

Possible System Instability State Detected

Purpose

This correlation rule is designed to detect whether a system has become unstable. This is done by looking for several conditions, including:

• Multiple restarts, reboots or shutdowns in a given time frame
• Creation of memory dump files on Windows and Linux systems
• A startup event not preceded by a shutdown/restart command

Supported Devices

This correlation rule supports the following devices:

Device Class | Device Type | Event Categories
Host.Windows Host | All | System.Startup, System.Shutdown, System.Reboots
Network.Configuration Management | Tripwire Enterprise | Config.Changes.Add, Config.Changes.Modify
Network.Router | All | All
Network.Switch | All | All
Security.VPN | All | All
Host.Unix | All | System.Startup, System.Shutdown, System.Reboots
NIC_ALL | All | System.Shutdown, System.Reboots, System.Startup

RSA enVision Configuration

The event categories System.Startup, System.Shutdown, and System.Reboots are used to capture the appropriate events for Windows, Linux, IPS and IDS devices. A threshold of 2 events in 600 seconds is used, based on average server startup and shutdown times. You may need to modify this to suit your environment.

If Tripwire is used in your environment, it should be logging any file additions or changes. These events are caught by Config.Changes.Add and Config.Changes.Modify in conjunction with a filter that determines whether any memory dump files have been created on a Windows or Linux system. Creation of these files indicates a crash.

For any Firewall, Network or VPN devices, these events are captured by the categories Network.Router, Network.Switch, and Security.VPN along with a search of the message contents for “crash” or “flap”. These events reveal link state and device stability issues.
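The two timing checks described for CRL-00136, as an added example that is not RSA enVision code: a sliding-window threshold of 2 lifecycle events in 600 seconds per host, and a startup not preceded by a shutdown or reboot. The same window counter is the shape of the "restarted 4 times within the past 5 minutes" check in CRL-00151. Category names are the page's; the (timestamp, category, host) layout and the sample events are constructed.

```python
from collections import deque
from datetime import datetime, timedelta

# Added example, not RSA enVision code. The two timing checks described for
# CRL-00136, run over constructed events: (1) a sliding-window threshold of 2
# lifecycle events within 600 seconds for one host, (2) a System.Startup not
# preceded by a System.Shutdown or System.Reboots for that host since its
# previous startup (a crash or power loss). Category names are the page's; the
# (timestamp, category, host) layout is an assumption.

THRESHOLD = 2
WINDOW = timedelta(seconds=600)
LIFECYCLE = {"System.Startup", "System.Shutdown", "System.Reboots"}
DOWN = {"System.Shutdown", "System.Reboots"}


def window_alerts(events, threshold=THRESHOLD, window=WINDOW):
    """Return (host, timestamp) for each event at which the number of lifecycle
    events for that host within `window` first reaches `threshold`. The alert
    re-arms only after the count has fallen below the threshold again, so a
    burst of five reboots yields one alert, not four.
    `events` must be in time order, as a collector delivers them."""
    recent = {}     # host -> deque of timestamps still inside the window
    armed = {}      # host -> True while the count is at/over the threshold
    alerts = []
    for ts, category, host in events:
        if category not in LIFECYCLE:
            continue
        dq = recent.setdefault(host, deque())
        dq.append(ts)
        while ts - dq[0] > window:     # expire timestamps older than the window
            dq.popleft()
        over = len(dq) >= threshold
        if over and not armed.get(host, False):
            alerts.append((host, ts))
        armed[host] = over
    return alerts


def unexpected_startups(events):
    """Return (host, timestamp) of System.Startup events for which no shutdown
    or reboot was logged since the host's previous startup. A host whose very
    first event is a startup is reported too: no orderly shutdown was seen."""
    pending_down = {}   # host -> True once a shutdown/reboot has been logged
    hits = []
    for ts, category, host in events:
        if category in DOWN:
            pending_down[host] = True
        elif category == "System.Startup":
            if not pending_down.get(host, False):
                hits.append((host, ts))
            pending_down[host] = False
    return hits


# Constructed sample: srv01 reboots twice in an orderly way; srv02 simply
# appears with a startup and no preceding shutdown.
T0 = datetime(2010, 7, 30, 8, 0)
SAMPLE_EVENTS = [
    (T0, "System.Shutdown", "srv01"),
    (T0 + timedelta(minutes=3), "System.Startup", "srv01"),
    (T0 + timedelta(minutes=20), "System.Startup", "srv02"),
    (T0 + timedelta(minutes=25), "System.Reboots", "srv01"),
    (T0 + timedelta(minutes=27), "System.Startup", "srv01"),
    (T0 + timedelta(minutes=28), "System.Heartbeats", "srv01"),   # ignored
]

if __name__ == "__main__":
    print("threshold alerts:", window_alerts(SAMPLE_EVENTS))
    print("unexpected startups:", unexpected_startups(SAMPLE_EVENTS))
```

Note that an orderly reboot (shutdown followed by startup) also trips the 2-in-600-seconds threshold, which is why the text suggests tuning that value to local startup times.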

CRL-00137

Name

Unusual File Access Activity surrounding Important Event Source Files

Purpose

This correlation rule is designed to detect any unusual file or directory access around files or directories defined by the end user via a watch list. By access, we refer to any file/directory that has been traversed, opened, created, modified, or deleted. This watch list can contain files or directories that should not be accessed, or should only be accessed by privileged users. This rule is important for auditing sensitive directories or files for access by non-approved users.

Supported Devices

This correlation rule supports the following devices:

Device Class | Device Type | Event Categories
Host.Windows Hosts | All | Security_560_Security:01; Security_560_Security
Host.Windows Hosts | Tripwire Enterprise | Security_560_Security:01; Security_560_Security; Security_560_Security:02
Host.Windows Hosts | All | Security_560_Security:02; Security_560_Security:03; Security_560_Security; Security_560_Security:01
Host.Windows Hosts | All | Security_560_Security:02; Security_560_Security; Security_560_Security:01; Security_560_Security:03
Network.Configuration.Management | All | Config.Changes.Add, Config.Changes.Delete, Config.Changes.Modify

RSA enVision Configuration

The rule uses three watch lists: “Important Files”, “Approved Users”, and “Known Service Accounts”. The “Important Files” watch list should be populated with the files and paths that are monitored by this rule. Similarly, the “Approved Users” watch list should be populated with the user names that have permission to modify the files listed in “Important Files”. The “Known Service Accounts” watch list holds the service accounts that are allowed to modify or access the monitored files or directories. These watch lists may require adjustment according to each organization’s setup.
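The three-watch-list logic just described, as an added example that is not RSA enVision code: an access to a path that is an “Important Files” entry, or lies beneath a directory entry, by an account on neither “Approved Users” nor “Known Service Accounts” is reported. The watch-list contents, the (user, action, path) event layout and the sample events are constructed.

```python
from pathlib import PureWindowsPath, PurePosixPath

# Added example, not RSA enVision code. The watch-list logic described for
# CRL-00137: an access to a path that is an entry of "Important Files", or lies
# beneath a directory entry, by an account that is in neither "Approved Users"
# nor "Known Service Accounts" is reported. Windows paths compare
# case-insensitively, POSIX paths exactly. The watch-list contents, the
# (user, action, path) event layout and the sample events are constructed.

IMPORTANT_FILES = {
    r"C:\Windows\System32\drivers\etc\hosts",
    r"C:\Program Files\RSA\enVision\config",   # a directory: everything beneath it
    "/etc/shadow",
    "/etc/ssh",                                 # a directory
}
APPROVED_USERS = {r"CORP\svc_config_mgmt", "root"}
KNOWN_SERVICE_ACCOUNTS = {r"NT AUTHORITY\SYSTEM"}


def _parts(path):
    """Split a path into comparable components."""
    is_windows = (len(path) > 1 and path[1] == ":") or path.startswith("\\\\")
    if is_windows:
        return tuple(p.lower() for p in PureWindowsPath(path).parts)
    return tuple(PurePosixPath(path).parts)


_WATCHED = [_parts(p) for p in IMPORTANT_FILES]


def is_important(path):
    """True if `path` equals a watched entry or lies beneath a watched directory."""
    parts = _parts(path)
    return any(parts[:len(w)] == w for w in _WATCHED)


def unusual_access(events):
    """events: iterable of (user, action, path). Returns the events that touch
    a watched path and come from an account on neither allow list."""
    allowed = {u.lower() for u in APPROVED_USERS | KNOWN_SERVICE_ACCOUNTS}
    return [(user, action, path) for user, action, path in events
            if is_important(path) and user.lower() not in allowed]


# Constructed sample events.
SAMPLE_EVENTS = [
    (r"CORP\jsmith", "opened", r"c:\windows\system32\DRIVERS\etc\HOSTS"),     # reported
    (r"NT AUTHORITY\SYSTEM", "modified", r"C:\Program Files\RSA\enVision\config\nic.ini"),
    (r"CORP\jsmith", "opened", r"C:\Users\jsmith\notes.txt"),                  # not watched
    ("backup", "opened", "/etc/ssh/sshd_config"),                               # reported
    ("backup", "opened", "/etc/ssh_banner"),                                    # sibling of /etc/ssh, not beneath it
    ("root", "modified", "/etc/shadow"),                                        # approved user
]

if __name__ == "__main__":
    for hit in unusual_access(SAMPLE_EVENTS):
        print("unusual access:", hit)
```

Matching on path components rather than string prefixes is what keeps /etc/ssh_banner from being treated as part of /etc/ssh.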

CRL-00139

Name

Compliance: Successful Login Attempt(s) Using a Vendor Default Account Detected

Purpose

This correlation rule detects successful login attempts using a vendor default account. This alert is important for organizations that must maintain Payment Card Industry (PCI) compliance. User names for factory default vendor accounts assigned to devices are well known, documented, and freely available to the general public. As a best practice, organizations should not use a vendor account to perform management activities on a regular basis, but only as a last resort. Successful logins from vendor accounts can indicate that the account has been compromised.

Supported Devices

This correlation rule supports the following devices:

Device Class | Device Type | Event Categories
Host.Windows Hosts | All | Security_560_Security:01; Security_560_Security
Host.Unix; Security.Firewall; Security.IDS; Security.IPS; Security.VPN; Network.Switch; Network.Router; Storage.Storage; Storage.Database; Security.Access Control; Network.Wireless Devices; Network.System; Network.Configuration Management; Host.Mail Servers; Host.Mainframe; Host.Application Servers | All | Auth.Successful; Auth.Successful.Methods; Auth.Successful.Methods.RADIUS; Auth.Successful.Methods.SSH; Auth.Successful.Methods.TACACS; User.Activity.Successful Logins
Host.Midrange | iSeries | Auth.Successful; Auth.Successful.Methods; Auth.Successful.Methods.RADIUS; Auth.Successful.Methods.SSH; Auth.Successful.Methods.TACACS; User.Activity.Successful Logins

RSA enVision Configuration

This rule depends on the Successful Login Attempt events, matched against a set of known vendor accounts, that are fired by the specific devices listed above. Modify this rule if you add new devices to your environment.

This rule is designed to work with the default configuration settings of the enVision product. The rule uses a mix of device classes and specific device messages. As a result, the rule will require some maintenance. The “Known Vendor Accounts” and “Known Service Accounts” watch lists may need to be updated when new vendor or service accounts become available.

CRL-00140

Name

Increase in P2P Traffic Detected in the Environment Within the Past 5 Minutes

Purpose

This correlation rule is designed to detect an increase in Peer-to-Peer (P2P) traffic observed in the environment over the past 5 minutes. P2P traffic is considered undesirable within a network since it slows the network down dramatically and allows users to download potentially harmful files without the administrator’s knowledge. This rule can also be used to discover faults or backdoors in the network configuration.

Supported Devices

This correlation rule supports the following devices:

Device Class | Device Type | Event Categories
Network.Router | All | Attacks.Malicious Code.P2P
Security.Firewall | All | Attacks.Malicious Code.P2P
Security.IDS | All | Attacks.Malicious Code.P2P
Security.IPS | All | Attacks.Malicious Code.P2P

RSA enVision Configuration

This rule compares the P2P traffic events against a set of known P2P applications and known P2P-related port numbers, as fired by the specific devices listed above. Modify this rule if you add new devices to your environment.

This rule is designed to work with the default configuration settings of the enVision product. It searches for P2P keywords inside the message body and message ID, as well as related port numbers, to match events. The watch list “P2P Known Ports” and the regular expression for the list of applications may require periodic updates as new applications become available.

Each filter is set to trigger when an increase of more than 15% occurs within 5 minutes. This threshold may require adjustment depending on the environment and the security policies in place within the network. Typically, you should never see these events at all, so any increase from what should be a baseline of zero events would trigger this correlation immediately.

CRL-00141

Name

P2P Software Running as Active Process on Event Source

Purpose

This correlation rule is designed to detect active P2P processes running on event sources inside an organization. P2P traffic is considered undesirable within a network since it slows the network down dramatically and allows users to download potentially harmful files without the administrator’s knowledge. This rule can be used to discover breaches of security policies in an environment.

Supported Devices

This correlation rule supports the following devices:

Device Class | Device Type | Event Categories
Host.Windows.Hosts | Windows BL | Security_592_Security
Host.Windows.Hosts | Windows ER | Security_592_Security
Host.Windows.Hosts | Windows NIC | Security_592_Security; Security_592_Security:01
Host.Windows.Hosts | Windows Snare | Security_592_Security; Security_592_Security:01; Security_592_Security:02

RSA enVision Configuration

This rule depends on the Windows event ID Security_592_Security that is fired by the specific devices listed above. This rule is designed to work with the default configuration settings of the enVision product. The rule uses device classes and the watch list “P2P Known Applications” to detect an actively running P2P process.

The watch list may need some maintenance when new P2P applications become available.

CRL-00143

Name

Increase in File Transfer Activity Using Instant Messaging Detected

Purpose

Correlation rule CRL-00143 detects an increase in file transfer activity using Instant Messaging (IM) traffic observed in the environment over the past 5 minutes. File transfers via Instant Messaging may be prohibited within corporate environments and represent one avenue through which intellectual property loss may occur. The rule can be used to discover faults or backdoors in the network configuration, as well as policy compliance related to file transfer usage within the network.

Upon triggering this rule, the following actions should be performed:

• Investigate the source IP address and the nature of the event to determine why an increase in IM file transfer events has been reported.
• Escalate this event to the necessary stakeholders.
• Depending upon the location of the event source, you may need to put in place a temporary firewall rule to deny such connections.

Supported Devices

This correlation rule supports the following devices:

Device Class | Device Type | Description
Network.Router | All | Attacks.Malicious Code.P2P
Security.Firewall | All | Attacks.Malicious Code.P2P
Security.IDS | All | Attacks.Malicious Code.P2P
Security.IPS | All | Attacks.Malicious Code.P2P

RSA enVision Configuration

This rule compares the IM traffic events against a set of known IM file transfer keywords and known IM file transfer port numbers, as fired by the specific devices listed above. Modify this rule if you add new devices to your environment.

This rule is designed to work with the default configuration settings of the enVision product. It first checks whether the event is an IM event, then searches for file transfer keywords inside the message body and message ID with a regular expression. The rule also uses the watch list “IM Known File Transfer Ports” to check for additional IM file transfer events. This rule may require periodic updates as new protocols and port numbers become available.

Each filter is set to trigger when an increase of more than 15% occurs within 5 minutes. This threshold may require adjustment depending on the environment and the security policies in place within the network. Typically, you should never see these events at all, so any increase from what should be a baseline of zero events would trigger this correlation immediately.
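The detection shape shared by CRL-00140 (P2P traffic) and CRL-00143 (IM file transfers), as an added example that is not RSA enVision code: events are classified by category, by a keyword regular expression over the message text, or by a port watch list, counted per 5-minute window, and a window that exceeds the previous one by more than 15% fires. The keyword pattern and port set are constructed stand-ins for the “P2P Known Applications” and “P2P Known Ports” watch lists; the event layout and sample events are constructed too.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Added example, not RSA enVision code. The detection shape shared by CRL-00140
# (P2P traffic) and CRL-00143 (IM file transfers): classify each event by its
# category, a keyword regular expression over the message text, or a port watch
# list; count the matches per 5-minute window; fire when a window exceeds the
# previous one by more than 15%. A previous window of zero makes any match fire,
# which is the "baseline of zero" behaviour the text describes. The keyword
# pattern and the port set are constructed stand-ins for the "P2P Known
# Applications" and "P2P Known Ports" watch lists; the event tuple layout and
# the sample events are constructed too.

INTERVAL = timedelta(minutes=5)
INCREASE_PERCENT = 15
P2P_CATEGORY = "Attacks.Malicious Code.P2P"          # category from the rule table
P2P_KEYWORDS = re.compile(r"bittorrent|gnutella|edonkey|kazaa", re.IGNORECASE)
P2P_PORTS = frozenset({6881, 6346, 4662})


def is_p2p(category, message, dst_port):
    """Category match, keyword match in the message body, or watched port."""
    return (category == P2P_CATEGORY
            or P2P_KEYWORDS.search(message) is not None
            or dst_port in P2P_PORTS)


def window_counts(events, start, interval=INTERVAL, classify=is_p2p):
    """Count classified events per interval; key 0 is [start, start+interval)."""
    counts = Counter()
    for ts, category, message, dst_port in events:
        if ts >= start and classify(category, message, dst_port):
            counts[(ts - start) // interval] += 1
    return counts


def increase_alerts(counts, n_windows, increase_percent=INCREASE_PERCENT):
    """Indexes of windows whose count exceeds the previous window's by more
    than `increase_percent`. Integer arithmetic avoids float rounding at the
    boundary (115 is not more than 15% above 100). Window 0 is compared
    against an empty window, so any match there fires."""
    return [i for i in range(n_windows)
            if counts.get(i, 0) * 100 > counts.get(i - 1, 0) * (100 + increase_percent)]


# Constructed sample (RFC 5737 documentation addresses); "Network.Traffic" is
# a placeholder category for ordinary connection logs.
START = datetime(2010, 7, 30, 12, 0)
SAMPLE_EVENTS = [
    (START + timedelta(minutes=1), "Network.Traffic",
     "TCP 10.0.0.5:51234 -> 203.0.113.9:6881", 6881),            # port match
    (START + timedelta(minutes=6), P2P_CATEGORY,
     "BitTorrent handshake detected", 443),                      # category match
    (START + timedelta(minutes=7), "Network.Traffic",
     "gnutella connect 10.0.0.7 -> 203.0.113.20", 6346),          # keyword and port
    (START + timedelta(minutes=8), "Network.Traffic",
     "HTTPS session 10.0.0.9 -> 203.0.113.30", 443),              # benign
    (START + timedelta(minutes=12), "Network.Traffic",
     "edonkey login 10.0.0.11 -> 203.0.113.40", 4662),
    (START + timedelta(minutes=13), "Network.Traffic",
     "KaZaA search 10.0.0.12 -> 203.0.113.41", 1214),             # keyword only
]

if __name__ == "__main__":
    counts = window_counts(SAMPLE_EVENTS, START)
    print("matches per 5-minute window:", dict(counts))
    print("windows exceeding the previous one by >15%:", increase_alerts(counts, 3))
```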

CRL-00147

Name

Active Directory Policy Modified

Purpose

Correlation rule CRL-00147 is used to detect whether an Active Directory policy object was modified. This is important in an enterprise environment because such a modification can indicate privilege escalation, loss of access and the like. Unauthorized policy changes can lead to unauthorized access or more serious compromises.

Supported Devices

This correlation rule supports the following devices:

Device Class | Device Type | Event Categories
Windows.Hosts | Windows Events (BL) | Security_566_Security; Security_566_Security:01
Windows.Hosts | Windows Events (ER) | Security_566_Security:02; Security_566_Security; Security_566_Security:01
Windows.Hosts | Windows Events (NIC) | Security_566_Security:02; Security_566_Security; Security_566_Security:01
Windows.Hosts | Windows Events (Snare) | Security_566_Security:02; Security_566_Security:01; Security_566_Security

RSA enVision Configuration

This rule looks at the specific Windows event Security 566 (and its variants); ensure that logging of this event is enabled on your Windows Active Directory servers.

CRL-00148

Name

Errors in Active Pulling of Events Detected

Purpose

This rule detects whether the Windows Agentless, ODBC, File Reader and XML services have encountered errors while attempting to gather events from an event source in an enterprise environment. These types of errors may indicate system problems or failures with the event sources in question.

Supported Devices

This correlation rule supports the following devices:

Device Class | Device Type
Network.System | NIC System

RSA enVision Configuration

This rule looks at specific messages generated by enVision to determine whether there are problems pulling events from a specific device. Thresholds are not used, but may be implemented if this sort of behavior occurs naturally in the environment. As such, this rule will trigger on every occurrence of an error related to the pulling of events.

CRL-00149

Name

Errors Detected in SFTP Collection

Purpose

This rule is used to determine whether the NIC SFTP service has encountered errors gathering events from various event sources. This rule is important in an enterprise environment because this method of event collection is used by mission-critical systems such as Tripwire Enterprise, RSA Security SecurID, Microsoft SQL Server, Microsoft ISA Server, Microsoft IIS, Microsoft Exchange Server, Juniper Steel-Belted Radius and Cisco Access Control Server. An error in extracting events may indicate a system or network failure arising from anything from misconfiguration to network attack.

Supported Devices

This correlation rule supports the following devices:

Device Class | Device Type
Network.System | NIC System

RSA enVision Configuration

This rule uses specific message IDs generated by enVision to detect an SFTP event transfer error. No thresholds are used; as such, every occurrence of an SFTP error will trigger the event. A threshold may be implemented if these events occur naturally in your environment.

CRL-00151

Name

Possible enVision Service Hang Detected

Purpose

This rule is designed to detect whether an enVision service has hung or crashed unexpectedly. Such an event can be an indication of a successful Denial of Service attack against an enVision resource. This rule is able to alert following a crash or unstable behavior of the following services: NIC Alerter, NIC Collector, NIC Locator, NIC Logger, NIC File Reader, NIC Packager, NIC SDEE Collection, NIC Server, NIC Web Server, NIC Windows Service, or NIC DB Report Server.

Supported Devices

This correlation rule supports the following devices:

Device Class | Device Type
Windows.Hosts | Windows Events (NIC)
Network.System | NIC System

RSA enVision Configuration

This rule can be triggered by various conditions. It fires if an application hangs on Windows with message ID Application_1002, if the enVision services cannot restart themselves with message ID 260010 or 260011, or if a service has been restarted 4 times within the past 5 minutes.

The list of services is directly related to the enVision services and requires very little maintenance.

CRL-00153

Name

Critical Alerting Error Detected

Purpose

Correlation rule CRL-00153 detects whether a critical alerting error has occurred on enVision. This is important because it may indicate errors from database connections, bad XML, failure to open the LS and the like. These errors have serious consequences for the enterprise environment because enVision is not in a fully functional state and, as a result, malicious events may go undetected.

Upon triggering the rule, perform the following actions:

• Investigate the source IP address and determine why a critical error alert has occurred.
• Escalate and alert the necessary stakeholders.

Supported Devices

This correlation rule supports the following devices:

Device Class | Device Type | Description
Network.System/NIC System | NIC System | Specific messages related to the Alerter.

RSA enVision Configuration

This rule captures alerting errors that are generated by the enVision platform itself. Events such as Open LS error, watch list not found, DB error, Bad XML, and write errors are some of the events generated by enVision. No threshold has been provided due to the serious nature of these events on the system.

CRL-00154

Name

Critical Web Service Error Detected

Purpose

Correlation rule CRL-00154 detects whether a critical web service error has occurred on enVision. The NIC Web Server handles the requests coming from the browser on which you are running the system. It also builds scheduled reports and exported database tables. This service depends heavily on the NIC DB Server. As a result, loss of connectivity to the database server is a very good indication of errors related to the web service. This problem should be addressed immediately, since the enVision GUI may fail to launch and malicious events will go undetected.

Upon triggering the rule, perform the following actions:

• Check the connectivity of the NIC DB Server
• Restart the NIC DB Server if the service has stopped
• Escalate and alert the necessary stakeholders

Supported Devices

This correlation rule supports the following devices:

Device Class | Device Type | Description
Network.System/NIC System | NIC System | Specific messages related to the Web Server Service.

RSA enVision Configuration

This rule captures web service errors that are generated by the enVision platform itself. Events such as DB errors are among the events generated by enVision. No threshold has been provided due to the serious nature of these events on the system.

CRL-00155

Name

EPS Warning - EPS Approaching License Limits

Purpose

Correlation rule CRL-00155 indicates that an increase in the amount of incoming events to the RSA enVision platform has been detected. If this continues, the excess events will be dropped and not collected by enVision. This situation has serious consequences for the enterprise environment, where potentially malicious activities may not be detected by enVision due to dropped messages. This situation might be the result of a newly added event source in the enterprise. A defective event source may cause a similar situation. An increasing number of events can also be an indication of malicious activities in the network, where an attacker tries to hide their activities inside the event flood.

If this rule is triggered, perform the following actions:

• Determine the source of the activity and check for a defective event source.
• Purchase higher EPS threshold licenses if needed.
• Block the source of the event flood as a workaround for this problem.
• Escalate to appropriate stakeholders as necessary.

Supported Devices

This correlation rule supports the following devices:

Device Class | Device Type | Description
Network.System/NIC System | NIC System | Specific messages in System.License.Violation.

RSA enVision Configuration

This rule captures events that are generated by the enVision platform itself. Event flows that exceed the RSA enVision platform's limits will result in loss of events. Since this incident may cause serious harm to an enterprise environment, every incident needs to be addressed by the enterprise security analyst. Therefore, no threshold has been provided for this rule. However, if this sort of behavior occurs naturally in the environment, add a threshold to this rule.

CRL-00156

Name

EPS Critical Error, Event Drop has been Detected

Purpose

Correlation rule CRL-00156 indicates that an increase in the amount of incoming events to the RSA enVision platform has been detected to the extent that events are being dropped and not collected by enVision. This situation has serious consequences for the enterprise environment, where potentially malicious activities may not be detected by enVision due to dropped messages. This situation might be the result of a newly added event source in the enterprise. A defective event source may cause a similar situation. An increasing number of events can also be an indication of malicious activities in the network, where an attacker tries to hide their activities inside the event flood.

If this rule is triggered, perform the following actions:

• Determine the source of the activity and check for a defective event source.
• Purchase higher EPS threshold licenses if needed.
• Isolate the source of the event flood as a workaround for this problem.
• Escalate to appropriate stakeholders as necessary.

Supported Devices

This correlation rule supports the following devices:

Device Class | Device Type | Description
Network.System/NIC System | NIC System | Specific messages in System.License.Violation.

RSA enVision Configuration

This rule captures events that are generated by the enVision platform itself. Because event flows have exceeded the RSA enVision platform's limits, enVision has started dropping events. Since this incident may cause serious harm to an enterprise environment, every incident needs to be addressed by the enterprise security analyst. Therefore, no threshold has been provided for this rule. However, if this sort of behavior occurs naturally in the environment, add a threshold to this rule.

CRL-00157

Name

RSA enVision Content Update Failure Detected

Purpose

Correlation rule CRL-00157 detects whether any error has occurred during the enVision content update process. Updates are very important to the enVision system, as they keep the content up to date and accurate. Having one of these updates fail potentially lowers the level of accuracy of the messages generated by the system.

Supported Devices

This correlation rule supports the following devices:

Device Class | Device Type | Description
Network.System/NIC System | NIC System | Specific messages related to the Alerter.

RSA enVision Configuration

This rule captures alerting errors that are generated by the enVision platform itself. No threshold has been provided due to the serious nature of these events on the system.

CRL-00158

Name

Errors Detected in enVision DB System

Purpose

Correlation rule CRL-00158 detects errors that impact the enVision DB system. This rule covers errors from the LSIndex, DBConfig, Packager, and ODBC components. These errors have serious consequences for the enterprise environment because enVision is not in a fully functional state and, as a result, malicious events may go undetected.

Upon triggering the rule, perform the following actions:

• Investigate the faulting service and determine why a critical error alert has occurred.
• Escalate and alert the necessary stakeholders.

Supported Devices

This correlation rule supports the following devices:

Device Class | Device Type | Description
Network.System/NIC System | NIC System | Specific messages related to the Alerter.

RSA enVision Configuration

This rule captures alerting errors that are generated by the enVision platform itself. Events from the LSIndex, DBConfig, Packager, and ODBC components are monitored for this rule. No threshold has been provided due to the serious nature of these events on the system.

CRL-00159

Name: Critical Error Detected in the NIC Packager Service

Purpose: Correlation rule CRL-00159 detects a critical error condition within the Packager component.

Upon triggering the rule, perform the following actions:

• Monitor the NIC Packager Service and, if necessary, contact enVision Customer Service.

• If the Packager process is deadlocked on a given task, restart the Packager after seeing this event. This clears the error condition and allows the Packager to resume normal operations.

Supported Devices: This correlation rule supports the following devices:

Device Class   Device Type   Description
NIC_ALL        N/A           All enVision supported devices

RSA enVision Configuration: The Packager should return from its processing tasks within a certain timeframe; when a task requires more time than the default time period, enVision generates an event to indicate a potential error condition.

It can take the Packager longer than expected to process very large temporary files, which can cause this rule to fire even if there is no real problem with the Packager.

CRL-00160

Name: Possible Network Performance Degradation Detected

Purpose: This rule looks for excessive network-related errors reported by network and security devices (such as switches, routers and firewalls) that can have a significant impact upon network performance, specifically:

1. Excessive Network Collisions - possibly caused by faulty network interfaces or devices, network loops, or an extremely busy network;

2. Duplex Mismatches - occur when networking devices have not negotiated the maximum rate with each other;

3. Excessive Alignment Errors - possibly caused by excessive network noise, faulty cabling, faulty network interfaces, a faulty transmitting device, or device startups/shutdowns.

Supported Devices: This correlation rule supports the following devices:

Device Class       Device Type
Network.Switch     All
Network.Router     All
Security.Firewall  All

RSA enVision Configuration: This rule looks for any possible network performance degradation in the network. It uses the event category Network.Routing.Errors.Collisions as well as specific message IDs from each device class. That event category only covers collisions, so specific event IDs are added for duplex mismatches and CRC errors. The device classes covered are switches, routers and firewalls.

Under normal circumstances, events such as collisions, drops or CRC errors may occur at a relatively infrequent rate. However, if an excessive amount of traffic is observed, this is an indication of problems within the network. As a result, a threshold of a 35% increase from the average is set for this rule. Note that if no events have been detected for a period of time, a single event will trigger this rule because the baseline is at 0. The threshold should be fine-tuned depending on the environment of the network.
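The baseline comparison described above, including the zero-baseline caveat, as an added example that is not part of the original document or enVision's own code. The 35% threshold and the Network.Routing.Errors.Collisions category come from the rule description; the 60-second bucket width, the per-class message IDs and the min_baseline floor are assumptions, and the event stream is constructed.

```python
"""Baseline-relative threshold check modelled on the CRL-00160 description.
This is an added example, not RSA enVision's own code. Events are bucketed
into fixed intervals, each interval's count of collision, duplex-mismatch
and CRC events is compared with the average of the preceding intervals,
and the rule fires on more than a 35% increase. The bucket width, the
message IDs and the min_baseline knob are assumptions."""

from collections import Counter
from dataclasses import dataclass

INTERVAL_SECONDS = 60  # assumed bucket width; the page does not state enVision's
THRESHOLD_PCT = 35.0   # "35% increase from the average" (from the page)

# Event category named on the page, plus per-class message IDs for duplex
# mismatches and CRC errors (placeholder IDs, not the real ones).
COLLISION_CATEGORY = "Network.Routing.Errors.Collisions"
EXTRA_MESSAGE_IDS = {
    "Network.Switch": {"SWITCH_DUPLEX_MISMATCH", "SWITCH_CRC_ERROR"},
    "Network.Router": {"ROUTER_DUPLEX_MISMATCH", "ROUTER_CRC_ERROR"},
    "Security.Firewall": {"FW_DUPLEX_MISMATCH", "FW_CRC_ERROR"},
}

# Constructed sample stream: (seconds since start, device class, category or message ID).
SAMPLE_EVENTS = [
    (5, "Network.Switch", COLLISION_CATEGORY),
    (50, "Network.Router", "ROUTER_CRC_ERROR"),
    (70, "Network.Switch", COLLISION_CATEGORY),
    (100, "Security.Firewall", "FW_DUPLEX_MISMATCH"),
    (150, "Network.Switch", COLLISION_CATEGORY),
    (160, "Network.Switch", "SWITCH_CRC_ERROR"),
    (190, "Network.Router", COLLISION_CATEGORY),      # bucket 3: the burst starts here
    (200, "Network.Switch", COLLISION_CATEGORY),
    (210, "Network.Switch", "SWITCH_DUPLEX_MISMATCH"),
    (220, "Network.Router", "ROUTER_CRC_ERROR"),
    (230, "Security.Firewall", COLLISION_CATEGORY),
    (235, "Network.Switch", "SWITCH_LINK_UP"),        # unrelated event, ignored
]


@dataclass
class Verdict:
    bucket: int
    count: int
    baseline: float
    fired: bool
    reason: str


def is_degradation_event(dev_class, category_or_id):
    return (category_or_id == COLLISION_CATEGORY
            or category_or_id in EXTRA_MESSAGE_IDS.get(dev_class, set()))


def bucket_counts(events, interval=INTERVAL_SECONDS):
    """Count matching events per interval, returning a dense list (empty buckets are 0)."""
    counts = Counter()
    for ts, dev_class, cat in events:
        if is_degradation_event(dev_class, cat):
            counts[ts // interval] += 1
    if not counts:
        return []
    return [counts[i] for i in range(max(counts) + 1)]


def evaluate_interval(bucket, history, current, threshold_pct=THRESHOLD_PCT, min_baseline=None):
    """Compare one interval's count with the average of the earlier intervals."""
    avg = sum(history) / len(history) if history else 0.0
    effective = avg
    if min_baseline is not None and effective < min_baseline:
        effective = float(min_baseline)  # tuning floor (assumed knob) for quiet networks
    if effective == 0.0:
        # The page's caveat: with a baseline of 0 a single event is an unbounded
        # increase, so any event at all fires the rule.
        return Verdict(bucket, current, avg, current > 0, "baseline is 0: any event fires")
    increase = (current - effective) / effective * 100.0
    return Verdict(bucket, current, avg, increase > threshold_pct,
                   f"{increase:+.0f}% versus baseline {effective:.1f}")


def evaluate_series(series, **kw):
    """Walk the buckets in order; the first bucket only seeds the baseline."""
    return [evaluate_interval(i, series[:i], series[i], **kw) for i in range(1, len(series))]


def fired_buckets(events=SAMPLE_EVENTS, **kw):
    return [v.bucket for v in evaluate_series(bucket_counts(events), **kw) if v.fired]


if __name__ == "__main__":
    for verdict in evaluate_series(bucket_counts(SAMPLE_EVENTS)):
        print(verdict)
```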

CRL-00161

Name: Possible Corruption of Event Data stored within the IPDB

Purpose: This rule is designed to trigger on a number of possible IPDB corruption events as reported by the RSA enVision system. This is important to monitor as it speaks to the health of your enVision system and could point to possible data tampering or hardware issues occurring on the machine itself.

Supported Devices: This correlation rule supports the following devices:

Device Class    Device Type   Events
Network.System  NIC System    505400, 505405

RSA enVision Configuration: The rule is a single circuit that looks for two events that RSA enVision reports as possible corruption of event data. When a corrupted file is discovered, enVision tries to access the file several times before it gives up the task, which creates several identical events. When this occurs, it is recommended that the user suppress the alerts to ensure that the view is not overwhelmed.

CRL-00162

Name: Account privilege elevation followed by restoration of previous account state within a 26 hour period

Purpose: This rule is designed to detect if a user has been added to and then removed from the same group within 26 hours. This is important to monitor as it could indicate that an account is being used for malicious activity against a network by elevating a user's privileges temporarily to perform the malicious activities.

Supported Devices: This correlation rule supports the following devices:

Device Class       Device Type                          Description
Windows.Hosts      Windows Events (BL, ER, NIC, Snare)  User.Management.Groups.Modifications.User Removed
                                                        User.Management.Groups.Modifications.User Added
Security.Firewall  Cisco PIX Firewall, Cisco ASA        502103
                   All                                  User.Management.Groups.Modifications.User Removed
                                                        User.Management.Groups.Modifications.User Added

RSA enVision Configuration: The rule is designed with 2 circuits to look for very specific behavior. Specifically, it searches for a user that has been added to a group or has had their user level escalated. Then, within the next 26 hours, it checks to see if the user was removed from the group they were added to or if their user level was reset. Primarily this rule uses events categorized as User.Management.Groups.Modifications.User Added and User.Management.Groups.Modifications.User Removed. However, for Cisco PIX and ASA, it uses the specific events listed in the Supported Devices table.

Typically within a network, users are added to or removed from groups infrequently at best. A user having their privileges escalated or modified for short periods of time may indicate that an attacker is attempting to route around your security policies to enable greater access for a particular user to perform malicious activities. Each event is considered individually to ensure that no user events are accidentally filtered out by the baselines themselves.
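The two-circuit add/remove correlation described above, as an added example that is not part of the original document or enVision's own code. The event records are constructed in a normalized form carrying the two User.Management categories the rule names; the Cisco PIX/ASA 502103 privilege-level path is not modelled.

```python
"""Two-circuit correlation modelled on CRL-00162: a user added to a group
and then removed from the same group within 26 hours. This is an added
example, not RSA enVision's own code. The record layout is a constructed
normalized form of the two User.Management categories the page names;
the Cisco PIX/ASA 502103 privilege-level path is not modelled."""

from datetime import datetime, timedelta

ADDED = "User.Management.Groups.Modifications.User Added"
REMOVED = "User.Management.Groups.Modifications.User Removed"
WINDOW = timedelta(hours=26)   # from the page

# Constructed sample events: (timestamp, category, user, group).
SAMPLE_EVENTS = [
    ("2010-07-01 08:00", ADDED,   "jdoe",   "Domain Admins"),
    ("2010-07-01 09:15", ADDED,   "svc01",  "Backup Operators"),
    ("2010-07-01 23:30", REMOVED, "jdoe",   "Domain Admins"),      # 15.5 h later: alert
    ("2010-07-02 10:00", REMOVED, "asmith", "Domain Admins"),      # no prior add: ignore
    ("2010-07-03 12:00", REMOVED, "svc01",  "Backup Operators"),   # 50.75 h later: outside window
    ("2010-07-03 13:00", ADDED,   "jdoe",   "Remote Desktop Users"),
    ("2010-07-03 13:05", REMOVED, "jdoe",   "Domain Admins"),      # different group: no pair
]


def parse_time(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M")


def correlate(events, window=WINDOW):
    """Circuit 1 records every Added event per (user, group); circuit 2 fires when a
    Removed event for the same (user, group) arrives within the window.  Each
    pending add is consumed by the first matching removal, so one add/remove
    pair produces exactly one alert, and every pair is judged on its own
    (no baseline suppression, as the page requires)."""
    pending = {}   # (user, group) -> add timestamps, oldest first
    alerts = []
    for ts, category, user, group in sorted(events, key=lambda e: parse_time(e[0])):
        when = parse_time(ts)
        key = (user.lower(), group.lower())
        if category == ADDED:
            pending.setdefault(key, []).append(when)
        elif category == REMOVED:
            # Discard adds that have aged past the window before pairing.
            adds = [a for a in pending.get(key, []) if when - a <= window]
            if adds:
                added_at = adds.pop(0)
                alerts.append({
                    "user": user, "group": group,
                    "added": added_at, "removed": when,
                    "elapsed_hours": (when - added_at).total_seconds() / 3600,
                })
            pending[key] = adds
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(f"{alert['user']} in {alert['group']!r}: elevated for {alert['elapsed_hours']:.1f} h")
```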

CRL-00163

Overview

Name: RSA enVision Disk Warning

Purpose: The purpose of CRL-00163 is to detect conditions where the available log storage for RSA enVision reaches critical levels that threaten to shut down log collection or have already shut down log collection.

Audience: The audience for this rule is any organization that approaches the capacity of their available log storage.

Introduction: RSA enVision has limited available space for storing logs. Some organizations may be unaware that their available log storage space can reach a critical threshold. RSA enVision monitors its assigned log storage directories and records when a configured threshold is reached. RSA enVision also records when event collection ceases due to a lack of free space. This rule provides a simple alert for organizations to monitor their enVision environment and take corrective action before their system is impacted.

Requirements

Device Class/Systems: This rule requires the NIC device class.

Configuration of Environment: There is no configuration required. Logging of the required events is enabled by default.

Technical Analysis

Rule Logic: This rule contains one circuit and one statement.

This rule triggers when any of the following NIC message IDs are triggered:

• 100002

• 100002:02

• 100009

CRL-00190

Overview

Name: Potential Phishing Attack

Purpose: The goal of this rule is to detect a phishing attack against an organization's hosted site. CRL-00190 is designed to detect and alert users of suspicious activity that strongly suggests a fraudulent site is active.

Audience: This rule is intended for any organization that hosts an external facing website and, in turn, is concerned about the security of their information.

Introduction: Phishing attacks have long posed a problem to online security. A common method used to detect malicious phishing activity involves tracing referrer data. To avoid detection of their phishing sites, attackers often keep their malicious website footprint small. This is done by limiting the number of images on the fraudulent website, which leads the attacker to use links to the targeted organization's website instead. CRL-00190 tracks these activities by examining the web referrer fields. If these fields do not originate from the same web domain as the hosted site, an alert is issued.

Requirements

Device Class/Systems: This rule requires the use of systems that generate web logs and detailed web referrer fields. Currently, RSA supports three event sources that provide this information. For this rule to function, you must have one of the following event sources configured on your RSA enVision system:

• Apache HTTP Server

• Microsoft Internet Information Services

• Blue Coat Systems Security Gateway OS

Configuration of Environment: If you are running Apache HTTP Server, you must update the Web Server configuration. For the latest configuration instructions for Apache HTTP Server, see the Apache HTTP Server configuration document on SecurCare Online.

If you are running Microsoft Internet Information Services or Blue Coat Systems Security Gateway OS, the configuration of these devices remains the same.

Technical Analysis

Rule Logic: This rule monitors web logs to make sure no phishing attacker is extracting images and links from an organization's hosted site. This rule confirms that an image and its referrer domain originate from the main web domain. RSA has two statements in this phishing attack circuit. The first statement sets up a cache variable to store the web domain value. The second statement detects if there are images on a site and verifies that the web domain and the web referrer domain are the same. If the web domain and web referrer differ, an alert is triggered.

CRL-00190 focuses on all events from the Web Logs class which have the variable webAction_domain in the XML. RSA multi-threads through this variable.

The following tables describe the statements of this rule:

Circuit/Statement   Meaning
S1                  Web Domain with cache set
S2                  Image and Referrer Info

S1  S2  Description                                              Action
0   0   Trivial                                                  No Alarm
0   1   Image and Referrer info without setting a cache          No Alarm
1   0   No image or Referrer                                     No Alarm
1   1   Image and Referrer info with the appropriate cache set   Alarm

False Positive/Negative Mitigation: If an organization hosts its images or links on different servers, the web domain and the web referrer do not need to match. In such cases, the rule can produce a false positive. To avoid this issue, create a filter with a list of valid referrer domains.

Quick Deployment Guide

Device Configurations: For this rule to function, the remediated XML for Apache, Microsoft Internet Information Services, or Blue Coat Systems Security Gateway OS must be configured on the RSA enVision system.

If you are running Apache HTTP Server, you must configure the event source with the new logging format. To view the latest configuration steps for Apache HTTP Server, refer to the Apache HTTP Server configuration document on SecurCare Online.

Rule Customization: In this rule packet, there is a list of image extensions that CRL-00190 identifies. You can modify this list to accommodate the extensions of links and images on the organization's hosted site.

CRL-00191

Overview

Name: Potential Phishing Attack

Purpose: The purpose of CRL-00191 is to detect behaviors associated with phishing attacks against a hosted website. This rule focuses on hosting, and is geared towards detecting suspicious activities that indicate an active phishing site exists.

Audience: The audience for this rule is any organization that hosts external-facing websites and is concerned about attacks meant to steal their information and victimize their users.

Introduction: Phishing attacks have existed for many years in various forms. One method of detecting behaviors associated with certain phishing attacks is to follow the referrer data. To avoid detection of their phishing sites, some attackers keep their malicious website footprint small and link to the targeted organization's website instead of loading images onto their web pages. This rule tracks these attacks by looking at the web referrer fields to ensure that they match a known, and authorized, list of web hosts.

Requirements

Device Class/Systems: This rule requires the use of systems that generate web logs and specifically generate detailed web referrer fields. The following devices have been remediated and are suitable for this rule:

• Apache Web Server

• Microsoft Internet Information Services (IIS)

• Blue Coat Extended Log File Format (ELFF)

Configuration of Environment: Refer to RSA SecurCare Online for specific instructions on device setup and logging through enVision.

Technical Analysis

Rule Logic: The rule logic is divided into Circuits, which consist of Statements that use conditional operators to form a larger logical meaning out of smaller subunits. The smallest unit can be any specific variable from the content. The logical operators consist of logic words, such as AND and OR. They also include, but are not limited to, logic phrases, such as "followed by" and "not in".

CRL-00191 uses the following algorithm:

Set thread to variable=web_domain on class=host.security.nic security correlated class
Circuit1
    Statement1
        Cache the web_domain values for weblog devices Apache, CacheflowELFF & MicrosoftIIS
    AND
    Statement2
        Set filter to detect how many webpage values contain an image (use regex, for e.g. *jpg, *gif)
        AND
        Compare web_referer_domain values to cached web_domain values for a possible mis-match
        AND
        Check that web_referer_domain value is not an accepted one, by comparing it with values in custom created watchlist
End Circuit1

False Positive and False Negative Mitigation: Avoid false positives because they decrease the level of confidence in the rules. Eliminate false negatives because they decrease rule functionality and create a serious security lapse. The following truth table summarizes the behavior of this correlation rule and explains when the rule should fire.

S1     S2     Description                                                    Action
False  False  Trivial (beware of false positives)                            Test for false positives
False  True   Image and Referrer information without setting a cache         No alarm -- test for false positives
True   False  No image or Referrer                                           No alarm -- test for false positives
True   True   Image and Referrer information with the appropriate cache set  Alarm -- the rule should fire in this case; always test for false negatives

Quick Deployment Guide

Device Configurations: Refer to RSA SecurCare Online for enVision device configuration documentation.

Rule Customization: Users can introduce a watchlist with their custom web referrer domain list. This serves as the list of valid web referrer domains against which the rule makes its comparisons. Users must create a view to use the rule.

CRL-00192-01

Overview

Name: Policy Access Violation

Purpose: Rule CRL-00192-01 is designed to detect improper usage of IT systems. This rule focuses on detecting login activities associated with either sharing credentials or the failure to properly sign out of systems.

Audience: This rule is intended for any organization that is concerned with detecting violations of their acceptable use policy regarding access credentials and permitted uses.

Introduction: Policies surrounding corporate and remote access systems typically require users to log out when they are finished with their activities. Other policies may be concerned with account abuse, where one account is being used by multiple people. This rule monitors the activity for accounts where the user fails to log off (either the console of a system or a remote access session) and then logs onto the other.

Requirements

Device Class/Systems: This rule requires the use of Windows event logs. This version of the rule works only for Windows Server 2003. RSA enVision currently supports three collection methods for Windows Server 2003:

• Agentless

• Intersect Alliance SNARE

• Adiscon EventReporter

This rule also requires the use of one of the following VPN devices that enVision currently supports:

• Aventail SSL VPN

• Cisco VPN 3000

• Citrix Access Gateway

• F5 Firepass

• Intel VPN

• Juniper SSL VPN

• Nortel VPN Contivity

Configuration of Environment: For the latest configuration instructions, refer to RSA SecurCare Online for instructions on how to configure your Windows event source and your VPN event source to send events to enVision.

Technical Analysis

Rule Logic

Note: Rule CRL-00192-01 does not work for Windows Server 2008 logon/logoff events.

Rule CRL-00192-01 checks for interactive Windows logon events (Security event ID 528 and logon type equals 2), interactive Windows logoff events (Security event ID 538 and logon type equals 2), and VPN logon events (events categorized under Auth.Successful and User.Activity.Successful Logins) for the same user account.

By default, CRL-00192-01 triggers an alert if a user who is already logged into a Windows Server 2003 workstation logs on to the same server using a different method (for example, logging into the server using the console, then logging into the server using VPN) within 60 seconds. You can change the time parameter in the enVision UI.

The behavior of CRL-00192-01 can be described using the following truth table, in which each event column is followed by the next:

Interactive Windows logon event   Interactive Windows logoff event   VPN logon event to Windows workstation   Action
True                              False                              False                                    No alert
True                              False                              True                                     Alert
True                              True                               False                                    No alert
True                              True                               True                                     No alert

Quick Deployment Guide

Device Configurations: For the latest configuration instructions, refer to RSA SecurCare Online for instructions on how to configure your Windows event source and your VPN event source to send events to enVision.

Rule Customization: The built-in version of CRL-00192-01 filters Windows logon and logoff events based on logon type. They can be customized by adding more filters:

Windows Logon events
Field to filter on   Variable to use
Domain               Domain
Workstation Name     Work Station

Windows logoff events
Field to filter on   Variable to use
Domain               Domain

CRL-00192-02

Overview

Name: Policy Access Violation

Purpose: Rule CRL-00192-02 is designed to detect improper usage of IT systems. This rule focuses on detecting login activities associated with either sharing credentials or the failure to properly sign out of systems.

Audience: This rule is intended for any organization that is concerned with detecting violations of their acceptable use policy regarding access credentials and permitted uses.

Introduction: Policies surrounding corporate and remote access systems typically require users to log out when they are finished with their activities. Other policies may be concerned with account abuse, where one account is being used by multiple people. This rule monitors the activity for accounts where the user fails to log off (either the console of a system or a remote access session) and then logs onto the other.

Requirements

Device Class/Systems: This rule requires the use of Windows event logs. This version of the rule works only for Windows Server 2003. RSA enVision currently supports three collection methods for Windows Server 2003:

• Agentless

• Intersect Alliance SNARE

• Adiscon EventReporter

This rule also requires the use of one of the following VPN devices that enVision currently supports:

• Aventail SSL VPN

• Cisco VPN 3000

• Citrix Access Gateway

• F5 Firepass

• Intel VPN

• Juniper SSL VPN

• Nortel VPN Contivity

Configuration of Environment: For the latest configuration instructions, refer to RSA SecurCare Online for instructions on how to configure your Windows event source and your VPN event source to send events to enVision.

Technical Analysis

Rule Logic

Note: Rule CRL-00192-02 does not work for Windows Server 2008 logon/logoff events.

Rule CRL-00192-02 checks for VPN logon events, VPN logoff events (categorized under User.Activity.Logoff), and interactive Windows logon events for the same user account.

By default, CRL-00192-02 triggers an alert if a user who is already logged on to a Windows Server 2003 workstation logs on to the same server using a different method (for example, logging into the server using the console, then logging into the server using VPN) within 60 seconds. You can change the time parameter in the enVision UI.

The behavior of CRL-00192-02 can be described using the following truth table, in which each event column is followed by the next:

VPN logon event to Windows workstation   VPN logoff event to Windows workstation   Interactive Windows logon event   Action
True                                     False                                     False                             No alert
True                                     False                                     True                              Alert
True                                     True                                      False                             No alert
True                                     True                                      True                              No alert

Quick Deployment Guide

Device Configurations: Refer to RSA SecurCare Online for instructions on how to configure your VPN event source and your Windows event source to send events to enVision.

Rule Customization: The built-in version of CRL-00192-02 filters Windows logon and logoff events based on logon type. They can be customized by adding more filters:

Windows Logon events
Field to filter on   Variable to use
Domain               Domain
Workstation Name     Work Station

Windows logoff events
Field to filter on   Variable to use
Domain               Domain
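The logon/logoff correlation behind CRL-00192-01 and CRL-00192-02, written once as a parameterised "first event, no cancelling logoff, then second event within the window" check, as an added example that is not part of the original document or enVision's own code. The event records are constructed; the event IDs, logon type, VPN categories and 60-second default are the ones the two rule descriptions give.

```python
"""Correlation modelled on CRL-00192-01 and CRL-00192-02: a user already
logged on by one method logs on by the other within 60 seconds without a
logoff in between. This is an added example, not RSA enVision's own code.
Events are constructed, normalized records; the Windows event IDs, logon
type and VPN categories are the ones the page names."""

from datetime import datetime, timedelta

WINDOW = timedelta(seconds=60)   # the page's default; adjustable in the enVision UI


def event(time, source, user, event_id=None, logon_type=None, category=None):
    return {"time": datetime.strptime(time, "%H:%M:%S"), "source": source, "user": user,
            "event_id": event_id, "logon_type": logon_type, "category": category}


# Constructed sample stream covering each row of the two truth tables.
SAMPLE_EVENTS = [
    event("10:00:00", "windows", "jdoe", event_id=528, logon_type=2),
    event("10:00:30", "vpn", "jdoe", category="Auth.Successful"),           # 192-01 alert
    event("10:05:00", "windows", "asmith", event_id=528, logon_type=2),
    event("10:05:10", "windows", "asmith", event_id=538, logon_type=2),     # logged off properly
    event("10:05:40", "vpn", "asmith", category="Auth.Successful"),         # no alert
    event("10:10:00", "windows", "bwong", event_id=528, logon_type=2),
    event("10:12:00", "vpn", "bwong", category="Auth.Successful"),          # outside 60 s: no alert
    event("10:20:00", "vpn", "cpark", category="User.Activity.Successful Logins"),
    event("10:20:20", "windows", "cpark", event_id=528, logon_type=2),      # 192-02 alert
    event("10:21:00", "vpn", "dlee", category="Auth.Successful"),
    event("10:21:10", "vpn", "dlee", category="User.Activity.Logoff"),      # VPN session closed
    event("10:21:30", "windows", "dlee", event_id=528, logon_type=2),       # no alert
    event("10:22:00", "windows", "elin", event_id=528, logon_type=10),      # not interactive: ignored
    event("10:22:30", "vpn", "elin", category="Auth.Successful"),
]


def classify(ev):
    """Map a record onto the four event kinds the two rules reason about."""
    if ev["source"] == "windows" and ev["logon_type"] == 2:
        return {528: "win_logon", 538: "win_logoff"}.get(ev["event_id"])
    if ev["source"] == "vpn":
        if ev["category"] in ("Auth.Successful", "User.Activity.Successful Logins"):
            return "vpn_logon"
        if ev["category"] == "User.Activity.Logoff":
            return "vpn_logoff"
    return None


def correlate(events, first, cancel, second, window=WINDOW):
    """Alert when `first` is followed, for the same account and within the
    window, by `second`, with no `cancel` (the matching logoff) in between."""
    pending = {}   # user -> time of the open `first` event
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        kind = classify(ev)
        user = ev["user"].lower()
        if kind == first:
            pending[user] = ev["time"]
        elif kind == cancel:
            pending.pop(user, None)
        elif kind == second and user in pending:
            if ev["time"] - pending[user] <= window:
                alerts.append((user, pending.pop(user).strftime("%H:%M:%S"),
                               ev["time"].strftime("%H:%M:%S")))
    return alerts


def rule_192_01(events=SAMPLE_EVENTS, **kw):
    """Interactive Windows logon, no interactive logoff, then VPN logon."""
    return correlate(events, "win_logon", "win_logoff", "vpn_logon", **kw)


def rule_192_02(events=SAMPLE_EVENTS, **kw):
    """VPN logon, no VPN logoff, then interactive Windows logon."""
    return correlate(events, "vpn_logon", "vpn_logoff", "win_logon", **kw)


if __name__ == "__main__":
    print("CRL-00192-01:", rule_192_01())
    print("CRL-00192-02:", rule_192_02())
```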

CRL-00193

Overview

Name: Malware Drive-By Download

Purpose: Rule CRL-00193 alerts you when malware is downloaded and installed. This rule is divided into the following sub-rules:

• CRL-00193-01

• CRL-00193-02

• CRL-00193-03

Rule CRL-00193-01 detects if code from malicious web sites has been downloaded and executed. This rule uses web proxy logs to detect redirections to malicious web sites.

Rule CRL-00193-02 detects changes to the Windows registry and the Windows file system that are reported by Tripwire Enterprise.

Rule CRL-00193-03 detects file downloads onto the client machine using the Blue Coat Proxy logs. Based on the file type, and in combination with CRL-00193-02, this rule helps detect web attacks through exploited file types.

Audience: This rule is intended for organizations that are concerned about the safety of their data and the possibility of having malware running on their workstations.

Introduction: A malware drive-by download occurs when a malicious web site downloads and installs code without the user's knowledge. This kind of attack exploits vulnerabilities in browsers and plug-ins to redirect users to a malicious web site that downloads and executes code.

Although some changes to the Windows registry or to the Windows file system are legitimate, others are not. After being run, malware usually starts its activity on a Windows workstation by altering the registry to change the system configuration or by installing new programs that run at startup. Malware can also add executable files to the Windows file system that can be used to install back doors, dump passwords, obtain e-mails from servers, and many other tasks. A new form of drive-by-download web attack uses morphed file types commonly downloaded from the Internet. For example, a .pdf file or a .doc file may be exploited to redirect browsers to a web site that downloads a malicious executable.

Requirements

CRL-00193-01

Device Class or Systems: CRL-00193-01 requires the use of systems that generate web proxy logs. You must have Blue Coat Systems Security Gateway OS configured on your RSA enVision system.

Other Requirements: You must create a watchlist named Content_Filter_Categories and add values from the Blue Coat Systems Security Gateway OS filter categories database. For example, you might add values such as Hacking, Phishing, Spyware/Malware Sources, and Uncategorized. For information on creating watchlists, see the enVision Help.

CRL-00193-02

Device Class or Systems: This rule requires the use of Tripwire Enterprise. RSA enVision currently supports versions:

• 5.4

• 5.5

• 7.5

Other Requirements: You must create a watchlist named FileSystem_Registry_Changes and add the paths of Windows registry keys and Windows files or directories of interest. For example, you might add the following values to your watchlist:

• HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

• HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce

• C:\Documents and Settings\All Users\Start Menu\Programs\Startup

For more information about creating watchlists, see the enVision Help.

In the Tripwire Enterprise server, you must define your file system node by its IP address, not by its hostname. For more information, see the Tripwire documentation.

CRL-00193-03

Device Class or Systems: CRL-00193-03 requires the use of systems that generate web proxy logs. You must have Blue Coat Systems Security Gateway OS configured on your RSA enVision server.

Other Requirements: You must create a watchlist named Content_Filter_Categories, and add values from the Blue Coat Systems Security Gateway OS filter categories database. For example, you might add values such as Hacking, Phishing, Spyware/Malware Sources, and Uncategorized. For information about creating watchlists, see the enVision Help.

Technical Analysis

CRL-00193-01

Rule Logic: This rule examines the web proxy logs and searches for suspicious activity within these logs.

A malware drive-by download occurs through the following steps:

• A user browses to the web site.

• The attacker injects code that can exploit a browser vulnerability into a web site.

• The code redirects the browser, through one or more redirections, to a malicious web site.

• The malicious web site downloads an executable and runs it without the user's knowledge.

CRL-00193-01 looks for redirections to a malicious site that downloads an executable file and runs it on the user's system. This rule verifies the authenticity of the web site through the content filter provided by Blue Coat Systems Security Gateway OS.

Circuit   Meaning
C1        Look for redirections
C2        Followed by executable downloads from uncategorized sites

C1  C2  Description                                                               Action
0   0   Trivial                                                                   No alarm
0   1   No redirections, executable downloads from the intended site              No alarm
1   0   Redirections followed by executable downloads                             No alarm
1   1   Redirections followed by executable downloads from an uncategorized site  Alarm

False Positive and False Negative Mitigation: Depending on the web proxy setup within your environment, this rule may produce false negatives. Because Blue Coat Systems Security Gateway OS uses SFTP, the time gap between two file uploads can cause false negatives. By default, the circuits fire after a sixty-second delay. You can adjust this time gap to meet the needs of your environment.

CRL-00193-02

Rule Logic: Rule CRL-00193-02 checks for any changes to the Windows registry and to the Windows file system as reported by Tripwire Enterprise. On Tripwire Enterprise, you can create rules that monitor changes to the components of Windows registry keys and registry values, or rules that monitor changes to the file system (files and directories) on a Windows system. These rules belong to the Tripwire Enterprise predefined sets, Windows file system rules and Windows registry rules.

By default, CRL-00193-02 triggers an alarm for each event enVision receives from Tripwire Enterprise if the path of the changed object (Windows registry value or Windows file or directory) belongs to the watchlist FileSystem_Registry_Changes. You must create this watchlist in enVision and add the paths of objects of interest.

False Positive and False Negative Mitigation: False positives are very common because CRL-00193-02 triggers an alert for any change to any object whose path is in the watchlist FileSystem_Registry_Changes. An alert triggers even if the change does not represent any suspicious behavior on the system monitored by Tripwire Enterprise.

These false positives can be reduced in two ways:

• In Tripwire Enterprise, edit the Tripwire rules so that the rules monitor only objects of interest, such as specified directories and files on the system or specified registry keys and values. For more information, see the Tripwire Enterprise documentation.

• In enVision, customize the correlation rule to look for specific values for specified fields in the logs sent by Tripwire Enterprise. For more information, see Rule Customization.

CRL-00193-03

Rule Logic: Rule CRL-00193-03 checks for downloads onto the system of interest. This rule monitors downloaded files with the following extensions:

• .doc and .docx

• .pdb

• .pdf

• .ppt and .pptx

• .ps (PostScript files)

• .swf

• .vbd (ActiveX)

• .xls and .xlsx

By default, CRL-00193-03 triggers an alert for every downloaded file that has one of these extensions, but the rule needs a watchlist of filtered web categories, as described in "Other Requirements." This rule is the first phase of CRL-00193, and CRL-00193-02 is the second phase. Together, CRL-00193-03 and CRL-00193-02 detect that an exploited file type was downloaded and redirected to malicious code, which tries to change the registry keys monitored by CRL-00193-02 using Tripwire Enterprise.

False Positive and False Negative Mitigation: CRL-00193-03 can be used as a stand-alone rule in stricter server environments where nothing is downloaded from the Internet. However, do not add this rule to a view without an alerting system, such as CRL-00193, because CRL-00193-03 can generate a large number of alerts in an uncontrolled environment that is open to the Internet.
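The C1/C2 proxy-log correlation of CRL-00193-01 together with the extension watch of CRL-00193-03, as an added example that is not part of the original document or enVision's own code. The proxy records are constructed; the watchlist values and the sixty-second delay are from the rule descriptions, while treating HTTP 3xx responses as "redirections" and .exe as the executable type are assumptions.

```python
"""Proxy-log correlation modelled on CRL-00193-01 and CRL-00193-03. This is
an added example, not RSA enVision's own code. Records are constructed
normalized Blue Coat proxy events (time, client, HTTP status, URL, content
filter category); the watchlist values are the ones the page suggests, and
treating 3xx statuses as redirections and .exe as executable is assumed."""

from datetime import datetime, timedelta
from urllib.parse import urlparse

# Watchlist Content_Filter_Categories, with the example values the page gives.
CONTENT_FILTER_CATEGORIES = {"Hacking", "Phishing", "Spyware/Malware Sources", "Uncategorized"}
# Extensions CRL-00193-03 watches (from the page).
EXPLOITABLE_EXTENSIONS = (".doc", ".docx", ".pdb", ".pdf", ".ppt", ".pptx",
                          ".ps", ".swf", ".vbd", ".xls", ".xlsx")
EXECUTABLE_EXTENSIONS = (".exe",)        # assumption: what counts as an "executable download"
CIRCUIT_DELAY = timedelta(seconds=60)    # the page's default gap between C1 and C2


def proxy_event(time, client, status, url, category):
    return {"time": datetime.strptime(time, "%H:%M:%S"), "client": client,
            "status": status, "url": url, "category": category}


# Constructed sample stream covering each row of the C1/C2 truth table.
SAMPLE_EVENTS = [
    proxy_event("09:00:00", "10.0.0.5", 200, "http://news.example/story.html", "News/Media"),
    proxy_event("09:00:01", "10.0.0.5", 302, "http://ads.example/r?id=7", "Web Advertisements"),
    proxy_event("09:00:02", "10.0.0.5", 302, "http://cdn-x.example/go", "Uncategorized"),
    proxy_event("09:00:20", "10.0.0.5", 200, "http://cdn-x.example/setup.exe", "Uncategorized"),  # 1 1: alarm
    proxy_event("09:01:00", "10.0.0.6", 302, "http://vendor.example/dl", "Software Downloads"),
    proxy_event("09:01:05", "10.0.0.6", 200, "http://vendor.example/tool.exe", "Software Downloads"),  # 1 0
    proxy_event("09:02:00", "10.0.0.7", 200, "http://odd.example/update.exe", "Uncategorized"),   # 0 1
    proxy_event("09:03:00", "10.0.0.8", 302, "http://t.example/r", "Uncategorized"),
    proxy_event("09:05:00", "10.0.0.8", 200, "http://t.example/a.exe", "Uncategorized"),   # redirect too old
    proxy_event("09:06:00", "10.0.0.9", 200, "http://docs.example/q3-report.pdf", "Business"),   # 193-03
    proxy_event("09:06:30", "10.0.0.9", 200, "http://docs.example/budget.xlsx?dl=1", "Business"),  # 193-03
]


def extension_of(url):
    """Lower-cased extension of the URL's last path segment, ignoring the query string."""
    path = urlparse(url).path.lower()
    last = path.rsplit("/", 1)[-1]
    return last[last.rfind("."):] if "." in last else ""


def drive_by_alarms(events, categories=CONTENT_FILTER_CATEGORIES, delay=CIRCUIT_DELAY):
    """C1 remembers the latest redirection per client; C2 alarms on an executable
    download from a watchlisted category by that client within the delay."""
    last_redirect = {}
    alarms = []
    for ev in sorted(events, key=lambda e: e["time"]):
        if 300 <= ev["status"] < 400:
            last_redirect[ev["client"]] = ev["time"]
            continue
        if extension_of(ev["url"]) not in EXECUTABLE_EXTENSIONS or ev["category"] not in categories:
            continue
        started = last_redirect.get(ev["client"])
        if started is not None and ev["time"] - started <= delay:
            alarms.append((ev["client"], ev["url"]))
            del last_redirect[ev["client"]]
    return alarms


def exploitable_downloads(events, categories=None):
    """CRL-00193-03: flag every download with a watched extension. The optional
    category filter is the knob for the page's stricter-environment use."""
    return [(ev["client"], ev["url"]) for ev in events
            if extension_of(ev["url"]) in EXPLOITABLE_EXTENSIONS
            and (categories is None or ev["category"] in categories)]


if __name__ == "__main__":
    print("CRL-00193-01:", drive_by_alarms(SAMPLE_EVENTS))
    print("CRL-00193-03:", exploitable_downloads(SAMPLE_EVENTS))
```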

Quick Deployment

CRL-00193-01

Event Source Configuration

Configure Blue Coat Systems Security Gateway OS to send logs to enVision. For instructions, see the Blue Coat Systems Security Gateway OS configuration document on RSA SecurCare Online.

Rule Customization

Create a watchlist named Content_Filter_Categories. Add values from the Blue Coat Systems Security Gateway OS filter categories database, such as Hacking, Phishing, Spyware/Malware Sources, and Uncategorized. For information on creating watchlists, see the enVision Help.

CRL-00193-02

Event Source Configuration

Configure Tripwire Enterprise to send events to enVision. For instructions, see the Tripwire Enterprise configuration document on RSA SecurCare Online.

In the Tripwire Enterprise server, you must define the file system node by IP address, not by hostname. For more information, refer to the Tripwire Enterprise documentation.

Create a watchlist named FileSytem_Registry_Changes. Add the paths of the Windows registry keys and the Windows files and directories of interest. For instructions on creating watchlists, see the enVision Help.


Rule Customization

You can customize CRL-00193-02 by adding any of the filters described in the following table.

Field             Variable
node              Host Name
server            Foreign Host
rule              Rule
version           Version
changeType        Field 1
changeTypeName    Action
severity          Field 2
severityname      Severity
time              Time
Attributes        Full Message

CRL-00193-03

Event Source Configuration

Configure Blue Coat Systems Security Gateway OS to send logs to enVision. For instructions, see the Blue Coat Systems Security Gateway OS configuration document on RSA SecurCare Online.


CRL-194

Overview

Name

Instant Messaging Keyword Filtering Rule

Purpose

The goal of this rule is to filter keywords from instant messaging sessions logged by a Blue Coat Proxy Security Gateway appliance, based on the organization's business policy adherence guidelines. The rule detects breaches of employees' adherence to internal trade-restriction policies in internal instant messaging session logs.

Audience

This rule is intended for any organization that is concerned about attempts by employees to trade or disclose important business and security information.

Introduction

Instant messaging has become common within enterprises as more employees download and install free instant messaging software to communicate with colleagues and friends over the company network. The challenge for an enterprise is how to control access to these applications based on specific corporate usage policies. For example, some users may use instant messaging for real-time business communications across a distributed organization, and others may use it to chat with family and friends.

The Blue Coat Proxy Security Gateway appliance monitors these conversations along with relevant information about the users involved in them, and sends out instant messaging logs. This rule runs a regular expression search over chat sessions to identify keywords that could signify use of the corporate network that violates the organization's policies and guidelines.

Requirements

Device Class/Systems

This rule requires the use of systems that generate web logs, specifically with detailed web_referer fields. Currently, the Blue Coat Proxy Security Gateway device is suitable for this rule.

Configuration of Environment

For the latest configuration instructions for Blue Coat Proxy Security Gateway, see the Blue Coat Systems SGOS configuration document on RSA SecurCare Online.


Technical Analysis

Rule Logic

The purpose is to analyze a chat session and monitor the conversations between a user and a buddy, based on their instant messaging IDs, on all three instant messaging protocols supported by the Blue Coat Proxy Security Gateway appliance. The rule counts every positive keyword match in a session between the same user and buddy. The current release of the implementation uses the following rule logic:

Set rule to thread on variables im_buddyid and im_userid

Circuit1
  Statement1
    Set the threshold (for example, three occurrences of the keyword in 60 seconds should send an alert)
    Set to only monitor instant messaging events
    AND
    Set monitoring of events having information for im_userid
    AND
    Set monitoring of events having information for im_buddyid
    Set filter to find a regular expression match for keywords in the watchlist for instant messaging text
End Circuit1
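The threshold logic above, as an added example that is not RSA's rule implementation: a Python sketch that threads on (im_userid, im_buddyid), matches each message against a constructed keyword watchlist, and alerts when the per-thread hit count reaches the threshold inside a sliding window. The event field names, the sample watchlist, and the sample session are assumptions.

```python
import re
from collections import defaultdict, deque

# Constructed watchlist of keyword patterns (the rule ships none; customers build
# their own). The ".*internal trade" pattern is the one the text gives as an example.
IM_KEYWORD_WATCHLIST = [r".*internal trade", r"\bnon[- ]?public\b", r"\bearnings call\b"]


class ImKeywordRule:
    """Thread on (im_userid, im_buddyid); alert when keyword matches in one
    thread reach `threshold` within `window` seconds (3 in 60 s by default)."""

    def __init__(self, patterns, threshold=3, window=60):
        self.patterns = [re.compile(p, re.IGNORECASE) for p in patterns]
        self.threshold = threshold
        self.window = window
        self.hits = defaultdict(deque)  # thread key -> timestamps of keyword matches

    def matches(self, text):
        return any(p.search(text) for p in self.patterns)

    def process(self, event):
        """Feed one parsed event; return an alert dict when the threshold is reached."""
        # Circuit1/Statement1 filters: IM events only, both IDs populated.
        if event.get("event_type") != "im":
            return None
        user, buddy = event.get("im_userid"), event.get("im_buddyid")
        if not user or not buddy:
            return None
        if not self.matches(event.get("im_text", "")):
            return None
        q = self.hits[(user, buddy)]
        q.append(event["time"])
        while q and event["time"] - q[0] > self.window:   # drop matches outside the window
            q.popleft()
        if len(q) >= self.threshold:
            q.clear()   # one alert per burst, not one per further message
            return {"rule": "CRL-194", "im_userid": user, "im_buddyid": buddy,
                    "count": self.threshold, "time": event["time"]}
        return None


# Constructed IM session log, already parsed into enVision variables (times in seconds).
SAMPLE_EVENTS = [
    {"time": 0, "event_type": "im", "im_userid": "alice", "im_buddyid": "bob",
     "im_text": "remember the internal trade numbers?"},
    {"time": 10, "event_type": "im", "im_userid": "alice", "im_buddyid": "bob",
     "im_text": "lunch?"},
    {"time": 20, "event_type": "im", "im_userid": "alice", "im_buddyid": "bob",
     "im_text": "the earnings call is tomorrow"},
    {"time": 30, "event_type": "web", "im_userid": "alice", "im_buddyid": "bob",
     "im_text": "internal trade"},                      # not an IM event: ignored
    {"time": 45, "event_type": "im", "im_userid": "alice", "im_buddyid": "carol",
     "im_text": "non-public info"},                      # different thread
    {"time": 55, "event_type": "im", "im_userid": "alice", "im_buddyid": "bob",
     "im_text": "this is non public, keep it quiet"},    # third hit within 60 s: alert
    {"time": 400, "event_type": "im", "im_userid": "alice", "im_buddyid": "bob",
     "im_text": "internal trade again"},                 # new window, no alert
]


def run(events, patterns=IM_KEYWORD_WATCHLIST, threshold=3, window=60):
    rule = ImKeywordRule(patterns, threshold, window)
    return [a for a in (rule.process(e) for e in events) if a]


if __name__ == "__main__":
    for alert in run(SAMPLE_EVENTS):
        print(alert)
```

Shrinking the window is the practical false-positive control: with window=30 the same session never accumulates three hits and nothing fires, which is the trade-off the mitigation section below describes.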

False Positive/Negative Mitigation

Avoid false positives, because they decrease the level of confidence in the rule. More importantly, eliminate false negatives, because they reduce the rule's usefulness and create a serious security lapse. This version of the rule has two situations to consider. An alert should fire if the number of occurrences of a specified keyword in the chat session reaches the set minimum threshold; if the threshold is not reached, the alert should not fire. The threshold for the number of matched occurrences of a keyword is therefore critical in mitigating both false positives and false negatives.

Quick Deployment Guide

Device Configurations

Refer to RSA SecurCare Online for enVision device configuration documentation.


Rule Customization

Customers intending to use this rule must build their own watchlists with keyword patterns that match their security criteria. For example, the keyword pattern .*internal trade could be used as a filter. The threshold in the rule is also critical in determining the accuracy of the alerts it generates; modify this value as suits your operating environment.


CRL-00195

Overview

Name

Search Engine Optimization Poisoning

Purpose

CRL-00195 detects malware downloads through search engine optimization (SEO) poisoning. Attackers use black hat SEO techniques to improve the ranking of malicious web sites in search results. Users who click these links may be led to malicious sites, which download malware to the users' systems.

Audience

Organizations that are concerned about data being stolen from their systems or their systems being opened for remote control.

Introduction

People generally use online search engines to find the latest news and topics of interest. Search engine optimization (SEO) poisoning attacks usually start with attacks on legitimate web sites using cross-site scripting (XSS), JavaScript injection, or iframe injection. The attackers then use black hat SEO techniques to improve the ranking of the compromised pages in search results. Once the victim clicks one of these links, they are directed to a malicious web site that downloads malware onto their system.

Rule CRL-00195 attempts to track SEO poisoning by looking in web proxy logs for evidence that a user was directed to a malicious web site through a search engine result.

Requirements

Device Class or Systems

This rule requires the use of web proxy logs. The Blue Coat Systems Security Gateway OS event source is suitable for this rule.

Configuration of Environment

You must configure Blue Coat Security Gateway OS to send logs in MAIN format to your RSA enVision appliance.

Other Requirements

You must create a watchlist named WebFilter_Approved_Categories that contains the Blue Coat Systems Security Gateway OS filter categories of interest, such as Education, E-mail, and Translation.


Technical Analysis

Rule Logic

CRL-00195 detects the following attacks:

- While browsing, the user clicks a poisoned search engine result. The URL redirects to a web site that hosts third-party JavaScript code that downloads an executable to the user's machine.
- While browsing, the user clicks a poisoned search engine result. The URL directs the user to a malicious web site that exploits an unpatched browser or an unpatched plug-in to download malware to the user's machine.

CRL-00195 consists of three circuits, named Web Proxy Logs, EXEDownloadViaThirdParty, and DirectEXEDownload. The rule creates two cache variables to implement the rule logic: cache_webdomain and cache_thirdparty_webdomain.

The circuits perform checks as follows:

- Web Proxy Logs checks whether the user was directed to a web site or URL from a search engine result. The circuit caches the web site domain in the cache variable cache_webdomain.
- EXEDownloadViaThirdParty checks whether the web site that the user visited through the search engine result references JavaScript hosted on a third-party server that downloads an executable to the user's machine. The circuit has two statements:
  - Check for JavaScript being run from a malicious site checks for logs where the web page contains JavaScript and the web referrer domain field equals the cache_webdomain value cached by Web Proxy Logs. The statement stores the web domain field in the cache variable cache_thirdparty_webdomain.
  - Check for executable downloads from a malicious site checks for logs where the web page field ends with .exe (or any of its variations). The statement checks that the value in the filter field is not in the watchlist WebFilter_Approved_Categories and that the value in the web domain field equals the value stored in cache_thirdparty_webdomain.
- DirectEXEDownload checks whether the web site that the user visited through the search engine result directly downloads an executable to the user's machine. The circuit has one statement, DirectEXEDownload, which checks for logs where the web page field ends with .exe (or any of its variations). The statement checks that the value in the filter field is not in the watchlist WebFilter_Approved_Categories and that the value in the web referrer domain field equals the value stored in cache_webdomain. (This circuit does not depend on EXEDownloadViaThirdParty; the combination table below shows it alarming on its own.)

The checks in EXEDownloadViaThirdParty and DirectEXEDownload that the filter field is not in the watchlist WebFilter_Approved_Categories help to catch malicious web sites that Blue Coat Systems SGOS has not categorized.

The rule looks to see whether a user was directed to a malicious web site by a search engine result.


Circuit or Statement   Meaning
C1                     Users being directed to web sites using a search engine
C2                     The web site may be compromised and lead to executable files being downloaded from a third-party web site
C3                     The web site is malicious and downloads an executable file

The behavior of these three circuits in combination is described in the following table.

C1  C2  C3  Description                                                                                             Action
0   1   0   Not directed to the malicious web site by a search engine                                               No alarm
0   0   1   Not directed to the malicious web site by a search engine                                               No alarm
1   0   0   Not directed to a malicious web site                                                                    No alarm
1   1   0   The web site may be compromised and lead to executable files being downloaded from a third-party web site   Alarm
1   0   1   The web site is malicious and downloads an executable file                                              Alarm

False Positive and Negative Mitigation

Depending on the web proxy configuration in your environment, the rule may give false negatives. Blue Coat SGOS uses FTP to send logs to enVision, and, because of the time gap between two file uploads, the rule may not trigger. The circuits wait 180 seconds to receive the appropriate data. You can adjust the time limit for the rule based on your environment.

Quick Deployment Guide

Device Configurations

Configure Blue Coat Systems SGOS to send logs to your enVision appliance in MAIN format. For instructions, see the Blue Coat Systems SGOS configuration document on RSA SecurCare Online.


Note: A sample watchlist, named WebFilter_Approved_Categories.txt, has been posted on RSA SecurCare Online as a reference. You can find this watchlist at https://knowledge.rsasecurity.com/scolcms/set.aspx?id=8479.

References

For more information about search engine optimization poisoning, go to www.symantec.com and www.websense.com.


CRL-00196

Overview

Name

Redirection to Malicious Web Sites Through a Short URL

Purpose

CRL-00196 detects drive-by download attacks in which a user is redirected to a malicious web site through a short URL. The malicious web site downloads an executable to the user's machine.

Audience

This rule is intended for organizations that are concerned with keeping their employees' workstations free of malware by detecting potential drive-by download attacks.

Reference Material

http://www.symantec.com/connect/blogs/tweeting-misleading-applications

Introduction

URL shortening is gaining ground with the growth of social web sites, such as Twitter and blogs. In Twitter, for example, a tweet is limited to 140 characters. Users who want to add a link to their tweets turn to URL-shortening services to make more room for their ideas. URL-shortening services convert a long URL into a URL of fewer than 20 characters. Short URLs are opaque enough that they can lead a user to a malicious web site that exploits an unpatched browser or plug-in to download and install malware on the user's machine.

Requirements

Device Class or Systems

CRL-00196 inspects proxy logs from Blue Coat System Security OS that follow the ELFF format. You must configure Blue Coat System Security OS to send logs to enVision in ELFF format.

Technical Analysis

Rule Logic

CRL-00196 detects the following attacks:

- While browsing, the user clicks a short URL that redirects the user to a web site that hosts third-party JavaScript code that downloads an executable to the user's machine.


- While browsing, the user clicks a short URL that redirects the user to a malicious web site that exploits an unpatched browser or plug-in to download malware to the user's machine.

CRL-00196 creates three cache variables to help implement the rule logic:

- InitialDomain
- LongURLDomain
- ThirdPartyDomain

CRL-00196 consists of three circuits:

- RedirectionThroughShortURL checks for redirection from the initial web site through a short URL. The circuit has two statements:
  - RedirectionToShortURL checks for logs that have status 301 (which indicates redirection) and whose web domain field is in the watchlist Redirection_Services. The statement stores the web referrer domain in the cache variable InitialDomain.
  - RedirectionToLongURL checks for logs that have status 2xx (a successful HTTP response) and whose web referrer domain field equals InitialDomain. The statement stores the web domain field in the cache variable LongURLDomain.
- EXEDownloadViaThirdParty checks whether the web site the user was redirected to references a JavaScript file hosted on a third-party server that downloads an executable to the user's machine. The circuit has two statements:
  - GettingMaliciousJavascript checks for logs in which the content type field contains JavaScript and the web referrer domain field equals LongURLDomain. The statement stores the web domain field in the cache variable ThirdPartyDomain.
  - EXEDownload checks for logs in which the web page field ends with .exe (or any of its variations). The statement checks that the value in the filter field is not in the watchlist Content_Filter_Categories and that the value in the web referrer domain field equals the value stored in ThirdPartyDomain.
- DirectEXEDownload checks whether the web site to which the user was redirected directly downloads an executable to the user's machine. The circuit has one statement, DirectEXEDownload, which checks for logs in which the web page field ends with .exe (or any of its variations). The statement checks that the value in the filter field is not in the watchlist Content_Filter_Categories and that the value in the web referrer domain field equals the value stored in LongURLDomain.

The checks in EXEDownloadViaThirdParty and DirectEXEDownload that the filter field is not in the watchlist Content_Filter_Categories help catch malicious web sites that Blue Coat System Security OS has categorized.


The following table describes the combined results of these three circuits.

RedirectionThroughShortURL   EXEDownloadViaThirdParty   DirectEXEDownload   Action
True                         False                      False               No alert
True                         True                       False               Alert
True                         False                      True                Alert
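CRL-00195 and CRL-00196 share one shape: a first circuit establishes how the user reached a landing site, a second records third-party JavaScript hosts referenced by that site, and the final checks watch for an .exe download tied to either the landing site or one of those hosts, each within a per-source-address time window. The following added example, written for this page and not RSA's implementation, implements that shape once and instantiates both rules, with the trigger and the filter-category test chosen per rule as the text describes them. The event field names, the search-engine list used as the CRL-00195 trigger, the .exe pattern, and the sample traces are assumptions; the watchlists hold the sample values the text gives.

```python
import re
from dataclasses import dataclass, field
from typing import Optional, Set

# ".exe (or any of its variations)": assumed to mean a path ending in .exe, optionally
# followed by a query string. The shipped rule's exact pattern is not given.
EXE_RE = re.compile(r"\.exe(\?.*)?$", re.IGNORECASE)

# Constructed watchlists. The real lists come from Blue Coat's category database and SCOL.
SEARCH_ENGINES = {"www.google.com", "www.bing.com", "search.yahoo.com"}  # assumed C1 test (CRL-00195)
REDIRECTION_SERVICES = {"bit.ly", "tinyurl.com", "t.co"}
WEBFILTER_APPROVED_CATEGORIES = {"Education", "E-mail", "Translation"}
CONTENT_FILTER_CATEGORIES = {"Hacking", "Spyware/Malware Sources", "Uncategorized"}


@dataclass
class Chain:
    t0: float                                          # when circuit 1 fired; the window runs from here
    initial: Optional[str] = None                      # InitialDomain (CRL-00196 only)
    landing: Optional[str] = None                      # cache_webdomain / LongURLDomain
    thirdparty: Set[str] = field(default_factory=set)  # cache_thirdparty_webdomain / ThirdPartyDomain


class DriveByDownloadRule:
    """Per source address: trigger -> landing site -> (third-party JS ->) EXE download."""

    def __init__(self, name, mode, suspicious_category, window):
        self.name, self.mode, self.window = name, mode, window
        self.suspicious = suspicious_category   # filter-category test, per rule
        self.chains = {}                        # source address -> Chain

    def process(self, ev):
        src, ref, dom = ev["src"], ev.get("web_referrer_domain", ""), ev["web_domain"]
        ch = self.chains.get(src)
        if ch and ev["time"] - ch.t0 > self.window:   # circuit timed out: forget the chain
            del self.chains[src]
            ch = None
        # circuit 1: how the user reached the landing site
        if self.mode == "seo" and ref in SEARCH_ENGINES:
            self.chains[src] = Chain(t0=ev["time"], landing=dom)
            return None
        if self.mode == "shorturl":
            if ev["status"] == 301 and dom in REDIRECTION_SERVICES:
                self.chains[src] = Chain(t0=ev["time"], initial=ref)
                return None
            if ch and ch.landing is None and 200 <= ev["status"] < 300 and ref == ch.initial:
                ch.landing = dom
                return None
        if not ch or ch.landing is None:
            return None
        # circuit 2, statement 1: the landing page pulls JavaScript from another host
        if "javascript" in ev.get("content_type", "").lower() and ref == ch.landing and dom != ch.landing:
            ch.thirdparty.add(dom)
            return None
        # circuit 2 statement 2 / circuit 3: EXE download from a suspiciously categorized host
        if EXE_RE.search(ev.get("web_page", "")) and self.suspicious(ev.get("filter", "")):
            if ref in ch.thirdparty or dom in ch.thirdparty:
                return {"rule": self.name, "circuit": "EXEDownloadViaThirdParty", "src": src, "domain": dom}
            if ref == ch.landing or dom == ch.landing:
                return {"rule": self.name, "circuit": "DirectEXEDownload", "src": src, "domain": dom}
        return None


def rule_crl_00195():   # category not in the approved list => suspicious; 180 s window
    return DriveByDownloadRule("CRL-00195", "seo", lambda f: f not in WEBFILTER_APPROVED_CATEGORIES, 180)


def rule_crl_00196():   # category test as the text states it; 60 s window
    return DriveByDownloadRule("CRL-00196", "shorturl", lambda f: f not in CONTENT_FILTER_CATEGORIES, 60)


def run(rule, events):
    return [a for a in (rule.process(e) for e in events) if a]


def _ev(time, src, dom, ref, page, status=200, ctype="text/html", filt="Uncategorized"):
    return {"time": time, "src": src, "web_domain": dom, "web_referrer_domain": ref,
            "web_page": page, "status": status, "content_type": ctype, "filter": filt}


# Constructed proxy traces, already parsed into enVision variables (times in seconds).
SEO_TRACE = [
    _ev(0, "10.0.0.5", "blog.example", "www.google.com", "/post.html", filt="News"),
    _ev(5, "10.0.0.5", "cdn.bad.example", "blog.example", "/a.js", ctype="application/javascript"),
    _ev(8, "10.0.0.5", "cdn.bad.example", "cdn.bad.example", "/update.exe", ctype="application/octet-stream"),
    _ev(9, "10.0.0.5", "blog.example", "blog.example", "/tool.exe", filt="Education"),  # approved: ignored
    _ev(400, "10.0.0.5", "blog.example", "blog.example", "/late.exe"),                 # past the window
]
SHORT_URL_TRACE = [
    _ev(0, "10.0.0.7", "bit.ly", "twitter.com", "/abc", status=301, filt="Social Networking"),
    _ev(2, "10.0.0.7", "landing.example", "twitter.com", "/index.html", filt="Business"),
    _ev(4, "10.0.0.7", "landing.example", "landing.example", "/setup.exe?v=2",
        ctype="application/octet-stream", filt="Business"),
]

if __name__ == "__main__":
    print(run(rule_crl_00195(), SEO_TRACE))
    print(run(rule_crl_00196(), SHORT_URL_TRACE))
```

The window is the knob both mitigation sections talk about: the last SEO_TRACE event is an .exe download from the landing site, but it arrives 400 seconds after the search-engine click, so the chain has already been discarded and nothing fires.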

False Positive and False Negative Mitigation

False positives are very common. You can limit false positives by modifying one or both of the watchlists (Redirection_Services and Content_Filter_Categories) to include only values of interest.

Because Blue Coat System Security OS uses SFTP to upload event logs to enVision, the time gap between file uploads can lead to false negatives. You can increase the delay between circuits from the initial value of sixty seconds to avoid these gaps.

Quick Deployment

Event Source Configurations

Configure your Blue Coat event source to send proxy logs in ELFF format to enVision. For instructions, see the configuration instructions on RSA SecurCare Online.

Create two watchlists:

- A watchlist named Redirection_Services. Add values that represent the domains of URL-shortening services to this list.
- A watchlist named Content_Filter_Categories. Add values from the Blue Coat System Security OS filter categories database, such as Hacking, Spyware/Malware Sources, and Uncategorized.

Note: You can add values to these watchlists from their copies posted on RSA SecurCare Online.

For instructions on creating watchlists, see the enVision Help.


CRL-00197

Overview

Name

Post Form Redirection Malware

Purpose

CRL-00197 detects data that is compromised through Post form redirection malware attacks.

Audience

This rule is intended for organizations that are concerned about data theft from their systems or their systems being opened for remote control.

Introduction

Web sites submit the sensitive information that users enter in forms using the HTTP POST method. When a site that uses the POST method to transfer information is compromised, the information that users entered in forms on that web site is sent to a malicious web site.

Requirements

Device Class or Systems

This rule requires the use of web proxy logs. The Blue Coat Systems Security Gateway OS event source is necessary for this rule.

Configuration of Environment

You must configure Blue Coat Security Gateway OS to send logs in MAIN format to your RSA enVision appliance.

Other Requirements

You must create a watchlist named WebFilter_Approved_Categories that contains the Blue Coat Systems Security Gateway OS filter categories of interest, such as Education, Email, and Translation.

Technical Analysis

Rule Logic

This rule looks at web proxy logs for suspicious behavior that could indicate a Post form redirection malware attack.

The algorithm pattern for this rule is as follows:


Set rule to thread on class=host.weblogs, variable=Source Address

Circuit: Web_Proxy_Logs
  Statement1: Set_Cache_with_WebDomain
    Cache the web_domain values for the web log event source Blue Coat Systems ProxySG SGOS. Name the cache cache_webdomain.
  FOLLOWED BY
  Statement2: Check_for_Post_Form_Redirection
    Check that the HTTP method value is POST.
    AND
    Check that the HTTP status code is 200 or 302.
    AND
    Check that the web_referrer domain value equals the cache_webdomain value, and that the web_domain value does not equal the cache_webdomain value. If both conditions hold, the data was posted from a page on one web site but was sent to a different web site.
    AND
    Check that the filter category of the web_domain value is not in WebFilter_Approved_Categories. If it is not, the destination web site is treated as malicious.
End Circuit1

The rule verifies that a user's form data was redirected to a malicious web site through a Post form redirection malware attack.

Circuit or Statement   Meaning
S1                     Cached web domain value
S2                     Check for Post form redirection

The behavior of these two statements in combination is described in the following table.

S1  S2  Description                                                            Action
0   0   Trivial                                                                No alarm
0   1   Check for Post form redirection without the cached web domain value    No alarm
1   0   Post form method was not used                                          No alarm
1   1   Check for Post form redirection with cache set for the web domain      Alarm
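An added example (not RSA's code) of the CRL-00197 pattern above, run over constructed, already-parsed proxy events: every event from a source address adds its web_domain to that address's cache, and a POST with status 200 or 302 whose referrer is a cached domain but whose destination is a different, non-approved domain raises the alarm. The cache is kept as a set of recent domains per source address rather than a single value, so interleaved requests for images or CDN assets cannot overwrite the page the form was served from. Field names, the 180-second expiry, and the sample trace are assumptions; the approved categories are the sample values the text gives.

```python
# Constructed watchlist of approved Blue Coat filter categories (sample list from the text).
WEBFILTER_APPROVED_CATEGORIES = {"Education", "Email", "Translation"}


class PostFormRedirectionRule:
    """CRL-00197 logic, threaded on source address.

    Statement1 caches every web_domain seen from a source address (domain -> last
    seen time). Statement2 fires on a POST whose referrer is a cached domain but
    whose destination is a different domain outside the approved categories."""

    def __init__(self, approved_categories, window=180):
        self.approved = approved_categories
        self.window = window                 # assumed to match the 180 s the circuits wait
        self.cache_webdomain = {}            # src -> {domain: last seen time}

    def process(self, ev):
        src, now = ev["src"], ev["time"]
        cached = self.cache_webdomain.setdefault(src, {})
        for d in [d for d, t in cached.items() if now - t > self.window]:
            del cached[d]                    # expire stale cache entries
        ref, dom = ev.get("web_referrer_domain", ""), ev["web_domain"]
        alert = None
        if (ev.get("method") == "POST" and ev.get("status") in (200, 302)
                and ref in cached and dom != ref
                and ev.get("filter", "") not in self.approved):
            alert = {"rule": "CRL-00197", "src": src, "posted_from": ref,
                     "posted_to": dom, "category": ev.get("filter", "")}
        cached[dom] = now                    # Statement1: cache this event's domain
        return alert


def run(events, approved=WEBFILTER_APPROVED_CATEGORIES):
    rule = PostFormRedirectionRule(approved)
    return [a for a in (rule.process(e) for e in events) if a]


def _ev(time, src, method, dom, ref, status=200, filt="Uncategorized"):
    return {"time": time, "src": src, "method": method, "web_domain": dom,
            "web_referrer_domain": ref, "status": status, "filter": filt}


# Constructed proxy trace, already parsed into enVision variables (times in seconds).
SAMPLE_EVENTS = [
    _ev(0, "10.0.0.5", "GET", "shop.example", "", filt="Shopping"),                      # checkout page
    _ev(1, "10.0.0.5", "GET", "cdn.shop.example", "shop.example", filt="Shopping"),      # static assets
    _ev(5, "10.0.0.5", "POST", "evil.example", "shop.example", status=302),              # form data leaves the site
    _ev(7, "10.0.0.5", "POST", "shop.example", "shop.example", filt="Shopping"),         # normal same-site POST
    _ev(9, "10.0.0.5", "POST", "translate.example", "shop.example", filt="Translation"), # approved category
    _ev(0, "10.0.0.9", "POST", "evil.example", "shop.example"),                          # S2 without S1: no alarm
]

if __name__ == "__main__":
    for alert in run(SAMPLE_EVENTS):
        print(alert)
```

The last two negative cases are the ones that matter operationally: a legitimate cross-site POST to an approved category (a translation service here) is silenced by the watchlist, and a POST seen from an address with no cached domain is the S1=0, S2=1 row of the table above.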

False Positive and False Negative Mitigation

Depending on the web proxy configuration in your environment, CRL-00197 may give false negatives. Blue Coat SGOS uses FTP to send logs to enVision, and, because of the time gaps between two file uploads, the rule may not trigger. The circuits wait 180 seconds to receive the appropriate data. You can adjust the time limit for the rule based on your environment.

Quick Deployment

Event Source Configuration

You must configure Blue Coat Systems SGOS to send logs to your enVision appliance in MAIN format. For instructions, see the Blue Coat Systems SGOS configuration document on RSA SecurCare Online.

Note: A sample watchlist, WebFilter_Approved_Categories.txt, has been posted on RSA SecurCare Online as a reference. You can find this watchlist at https://knowledge.rsasecurity.com/scolcms/set.aspx?id=8479.


CRL-00198 Rule Pack

Overview

Name

Backscatter

Purpose

CRL-00198 detects an increase above the average number of Non-Delivery Reports sent by a mail server. This increase could indicate a potential Distributed Denial of Service (DDoS) attack on an organization's mail server.

Audience

This rule is intended for organizations that want to protect their mail servers from DDoS attacks.

Reference Material

http://www.techzoom.net/papers/mail_non_delivery_notice_attacks_2004.pdf

Introduction

To make their e-mail look legitimate, a spam author forges a sender address before sending an e-mail to a nonexistent address. A poorly configured mail server will send a Non-Delivery Report (NDR) to the forged sender address indicating delivery failure due to a nonexistent recipient address. Usually, the NDR includes the original message, in which the spam author may have included phishing links. A user whose e-mail address has been forged will find an NDR in the inbox and will probably open the NDR because the user trusts the mail server. Furthermore, a spam author can launch a DDoS attack on a mail server by sending a large number of e-mails to nonexistent addresses.

Requirements

Device Class or Systems

The CRL-00198 rule pack works on logs collected from Microsoft Exchange through Windows event logs or through the NIC File Reader Service. For instructions on configuring your Microsoft Exchange Server to send logs to RSA enVision, see RSA SecurCare Online.

Technical Analysis

Rule Logic

The CRL-00198 rule pack consists of two correlation rules with the same logic:


- CRL-00198-01 works on logs collected through Windows event logs.
- CRL-00198-02 works on logs collected through the NIC File Reader Service.

CRL-00198-01 consists of one circuit, NDR_Increase, which has one statement, WindowsLogs. CRL-00198-01 triggers an alert if the number of Microsoft Exchange messages whose Event ID is Application_3028_MSExchangeTransport rises 10 percent above the hourly average. Application_3028_MSExchangeTransport indicates that the Microsoft Exchange Server failed to deliver an e-mail because the recipient address does not exist.

CRL-00198-02 consists of one circuit, NDR_Increase, which has one statement, FileReader. For events collected through the NIC File Reader Service, an NDR message due to a nonexistent recipient address must meet the following two conditions:

- The Event ID is DELIVER.
- The value parsed by enVision and stored in the Product variable is Delivery Status Notification (Failure).

CRL-00198-02 triggers an alert if the number of NDR messages that meet these criteria rises 10 percent above the hourly average.
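The hourly-average threshold of the rule pack, as an added example that is not RSA's implementation: it classifies NDRs under both collection paths exactly as listed above, buckets them per hour, and alerts when an hour exceeds the running average of all previous hours by more than 10 percent. The event field names, the constructed Exchange log, and the min_count guard (a floor below which a percentage increase is ignored) are assumptions not present in the shipped rule.

```python
from collections import Counter

HOUR = 3600


def is_ndr(ev):
    """An NDR for a nonexistent recipient, under either collection path the rule pack supports."""
    if ev["source"] == "windows":       # CRL-00198-01: Windows event log
        return ev.get("event_id") == "Application_3028_MSExchangeTransport"
    if ev["source"] == "filereader":    # CRL-00198-02: NIC File Reader Service
        return (ev.get("event_id") == "DELIVER"
                and ev.get("product") == "Delivery Status Notification (Failure)")
    return False


def hourly_ndr_counts(events):
    """Count matching NDR events per hour bucket (epoch seconds // 3600)."""
    counts = Counter()
    for ev in events:
        if is_ndr(ev):
            counts[ev["time"] // HOUR] += 1
    return counts


def ndr_increase_alerts(events, increase_pct=10.0, min_count=10):
    """Alert for every hour whose NDR count exceeds the average of all previous hours
    by more than increase_pct. min_count is an added guard so that a jump from 1 to
    2 NDRs in a quiet hour (a 100 percent increase) does not alert."""
    counts = hourly_ndr_counts(events)
    if not counts:
        return []
    alerts, history = [], []
    for hour in range(min(counts), max(counts) + 1):
        n = counts.get(hour, 0)         # hours with no NDRs still count toward the average
        if history:
            avg = sum(history) / len(history)
            if n >= min_count and n > avg * (1 + increase_pct / 100.0):
                alerts.append({"hour": hour, "count": n, "average": round(avg, 2)})
        history.append(n)
    return alerts


def make_sample_events(ndr_per_hour):
    """Constructed Exchange log: alternates the two collection paths and mixes in events
    that must not count (a successful delivery and another Exchange event ID per hour)."""
    events = []
    for hour, n in enumerate(ndr_per_hour):
        base = hour * HOUR
        for i in range(n):
            if i % 2 == 0:
                events.append({"time": base + i, "source": "windows",
                               "event_id": "Application_3028_MSExchangeTransport"})
            else:
                events.append({"time": base + i, "source": "filereader", "event_id": "DELIVER",
                               "product": "Delivery Status Notification (Failure)"})
        events.append({"time": base + 1800, "source": "filereader", "event_id": "DELIVER", "product": ""})
        events.append({"time": base + 1801, "source": "windows", "event_id": "Application_1000_MSExchangeIS"})
    return events


SAMPLE_EVENTS = make_sample_events([20, 21, 18, 20, 60, 21])   # hour 4 is a backscatter burst

if __name__ == "__main__":
    print(ndr_increase_alerts(SAMPLE_EVENTS))
```

Note that the hour after the burst does not alert even though it is above the pre-burst level: the burst has pulled the average up, which is the usual argument for the baseline-style threshold definition mentioned in the next section rather than a plain running average.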

False Positive and False Negative Mitigation

Both CRL-00198-01 and CRL-00198-02 use a threshold of a 10 percent increase above the hourly average. You can customize that threshold by modifying either the percentage of the increase or the threshold definition (average or baseline). For more information on threshold definitions, see the enVision Help.

Quick Deployment

Event Source Configurations

For instructions on configuring your Microsoft Exchange Server to send events to RSA enVision through Windows event logs or through the NIC File Reader Service, see RSA SecurCare Online.


CRL-00199

Overview

Name

FairWarning Snooping

Purpose

Correlation Rule CRL-00199 detects whether any violators caught snooping by FairWarning Privacy Monitoring are also detected by RSA Data Loss Prevention Suite (DLP) to be involved in data leakage. This condition could mean that an employee in a health organization is transferring patient records to an external device, or sending them over instant messaging services or e-mail.

Audience

This rule is intended for any health organization interested in keeping patient records safe from malicious use by employees.

Introduction

According to health industry rules and regulations, a health organization must always keep patient records safe. FairWarning Privacy Monitoring generates events if authorized users in a health organization are caught snooping at the medical records of their co-workers, their co-workers' family members, or VIPs. Correlation Rule CRL-00199 leverages the information collected from FairWarning Privacy Monitoring, along with RSA DLP Suite, to monitor whether employees are transferring medical data outside the healthcare organization using instant messaging or e-mail.

Requirements

Device Class or Systems

Correlation Rule CRL-00199 scans logs from FairWarning Privacy Monitoring and RSA DLP Suite to detect a snooping event followed by a data leakage incident by the same user.

Technical Analysis

Rule Logic

Correlation Rule CRL-00199 triggers an alarm if enVision receives an alert from FairWarning Privacy Monitoring indicating a snooping event (Family Snooping, VIP Snooping, or Employee Snooping) by an employee of a health care organization and an alert from RSA DLP Suite showing that the same employee is involved in a data leakage incident.

Correlation Rule CRL-00199 consists of two circuits:


- FairWarning_Logs has one statement, Snooping, which searches for events collected from FairWarning Privacy Monitoring that enVision categorizes under System.Audit. The value stored in the rulename variable must also match the regular expression .*[Ss]nooping.* .
- RSA_DLP_Logs has one statement, Exfiltration, which searches for events collected from RSA DLP Suite that fall into one of the following categories: Policies.Rules.Rejects, Policies.Rules.Successful, System.Audit, Content.Email.Delivery.Error, and Content.Email.Message.Sent.

Correlation Rule CRL-00199 multithreads on the User Name variable, so the rule does not trigger an alarm unless the user name in the FairWarning event is the same as the one in the RSA DLP event.

Note: The AND operator links the circuits, which means that CRL-00199 triggers an alarm if the events meet the selection criteria regardless of the order in which enVision receives them.

Quick Deployment

RSA enVision Configuration

For instructions on configuring FairWarning Privacy Monitoring and RSA DLP Suite to send logs to enVision, see the Device Configuration page on RSA SecurCare Online.


CRL-00200

Overview

Name

FairWarning Failed Logins

Purpose

CRL-00200 detects the misuse of employee accounts by identifying anomalous logon activity. HIPAA defines and identifies this activity in Section 164.308 and Section 164.306.

The HIPAA Security Rule addresses the HIPAA logging and auditing requirements:

- Administrative Safeguards - Section 164.308
- Security Management Process - Section 164.308(a)(1)(ii)(D)
- Security Awareness and Training - Section 164.308(a)(5)(ii)(C)
- Evaluation (Required) - Section 164.308(a)(8)
- Audit Controls (Required) - Section 164.312(b) [2]

Audience

This rule is intended for health organizations that are concerned about protecting their patient records from malicious use.

Introduction

When FairWarning alerts on a failed logon, this rule checks for failed logons with the same user credentials from other event sources on the network.

Requirements

Device Class or Systems

This rule requires the use of the FairWarning Privacy Monitoring event source. The logs from FairWarning are correlated with event sources from the following device classes:

- Access Control
- Analysis
- DLP
- VPN
- Unix
- Virtualization
- Database

Note: The current state of the Windows XML does not align with the data used for the logon_id variable. The remediated Windows XML will be included in this rule when complete.


Configuration of Environment

You must configure FairWarning Privacy Monitoring. For instructions, see the FairWarning Privacy Monitoring configuration document on RSA SecurCare Online.

Technical Analysis

Rule Logic

This rule looks at alerts from FairWarning that indicate a failed logon for a particular user. The user's credentials are correlated with other event sources to check for failed logons with the same credentials.

The algorithm pattern for this rule is as follows:

Set rule to thread on variable=logon_id

Circuit: Failed_Logins
  Statement1: Other_Devices_Failed_Logins
    Ensure that events with the variable logon_id are selected and fall under the category User.Activity.Failed.Logins. None of the events should be from FairWarning.
  AND
  Statement2: FairWarning_Failed_Logins
    Select events from FairWarning that have the variable logon_id.
    AND
    FairWarning events must fall under the category Attacks.Access. Failed logon events in the FairWarning XML fall under this category. A filter has been set to capture events that contain the keyword "fail", because the category Attacks.Access can include other types of events from FairWarning.
End Circuit1

The rule verifies that .

Circuit or Statement   Meaning
S1                     Failed logons from all other event sources in the network
S2                     Failed logons from FairWarning


The behavior of these two statements in combination is described in the following table.

S1  S2  Description                                                                            Action
0   0   Trivial                                                                                No alarm
0   1   No failed logons from event sources other than FairWarning                             No alarm
1   0   No failed logons from FairWarning                                                      No alarm
1   1   Failed logons from other event sources AND from FairWarning, with matching logon_id    Alarm
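CRL-00199 above and CRL-00200 are both AND correlations of two event sources keyed on a single variable (User Name for one, logon_id for the other), order-insensitive, with a wait window. The following added example, not RSA's code, implements that once and instantiates both rules with the predicates the text gives (the System.Audit plus .*[Ss]nooping.* test, the DLP category list, the User.Activity.Failed.Logins and Attacks.Access plus "fail" tests). The normalized field names, the sample events, and applying the 24-hour window to CRL-00199 (the text states it only for CRL-00200) are assumptions.

```python
import re
from collections import defaultdict

DAY = 24 * 3600


class TwoSourceAndRule:
    """Alarm when every circuit has matched an event carrying the same key value
    within `window` seconds, in any order (the AND operator described in the text)."""

    def __init__(self, name, key, circuits, window=DAY):
        self.name, self.key, self.circuits, self.window = name, key, circuits, window
        self.seen = defaultdict(dict)   # key value -> {circuit name: time of last match}

    def process(self, ev):
        k = ev.get(self.key)
        if not k:
            return None                 # the rule threads on this variable: no value, no match
        matched = [c for c, pred in self.circuits.items() if pred(ev)]
        if not matched:
            return None
        hits = {c: t for c, t in self.seen[k].items() if ev["time"] - t <= self.window}
        for c in matched:
            hits[c] = ev["time"]
        self.seen[k] = hits
        if len(hits) == len(self.circuits):
            del self.seen[k]            # one alarm per completed pair
            return {"rule": self.name, self.key: k, "time": ev["time"]}
        return None


SNOOPING_RE = re.compile(r".*[Ss]nooping.*")
DLP_CATEGORIES = {"Policies.Rules.Rejects", "Policies.Rules.Successful", "System.Audit",
                  "Content.Email.Delivery.Error", "Content.Email.Message.Sent"}


def rule_crl_00199():   # 24 h window is an assumption; the text gives none for this rule
    return TwoSourceAndRule("CRL-00199", "username", {
        "FairWarning_Logs": lambda e: e["device"] == "fairwarning" and e["category"] == "System.Audit"
                                      and bool(SNOOPING_RE.match(e.get("rulename", ""))),
        "RSA_DLP_Logs": lambda e: e["device"] == "rsa_dlp" and e["category"] in DLP_CATEGORIES,
    })


def rule_crl_00200():   # circuits wait 24 hours, as the text states
    return TwoSourceAndRule("CRL-00200", "logon_id", {
        "Other_Devices_Failed_Logins": lambda e: e["device"] != "fairwarning"
                                                 and e["category"] == "User.Activity.Failed.Logins",
        "FairWarning_Failed_Logins": lambda e: e["device"] == "fairwarning"
                                               and e["category"] == "Attacks.Access"
                                               and "fail" in e.get("message", "").lower(),
    }, window=DAY)


def run(rule, events):
    return [a for a in (rule.process(e) for e in events) if a]


# Constructed events, already normalized to enVision categories and variables.
SNOOPING_EVENTS = [
    {"time": 100, "device": "fairwarning", "category": "System.Audit", "rulename": "VIP Snooping", "username": "jdoe"},
    {"time": 5000, "device": "rsa_dlp", "category": "Policies.Rules.Rejects", "username": "jdoe"},      # alarm
    {"time": 6000, "device": "rsa_dlp", "category": "Content.Email.Message.Sent", "username": "asmith"},
    {"time": 10, "device": "rsa_dlp", "category": "System.Audit", "username": "kwong"},                # DLP first
    {"time": 50, "device": "fairwarning", "category": "System.Audit", "rulename": "Family snooping", "username": "kwong"},  # still alarms
    {"time": 70, "device": "fairwarning", "category": "System.Audit", "rulename": "Report Viewed", "username": "asmith"},   # not snooping
]
FAILED_LOGIN_EVENTS = [
    {"time": 0, "device": "fairwarning", "category": "Attacks.Access", "message": "Logon failed", "logon_id": "jdoe"},
    {"time": 300, "device": "vpn", "category": "User.Activity.Failed.Logins", "logon_id": "jdoe"},         # alarm
    {"time": 400, "device": "fairwarning", "category": "Attacks.Access", "message": "Access granted", "logon_id": "bob"},
    {"time": 500, "device": "unix", "category": "User.Activity.Failed.Logins", "logon_id": "bob"},         # no "fail": nothing
    {"time": 0, "device": "unix", "category": "User.Activity.Failed.Logins", "logon_id": "carol"},
    {"time": 200000, "device": "fairwarning", "category": "Attacks.Access", "message": "Logon failed", "logon_id": "carol"},  # >24 h apart
]

if __name__ == "__main__":
    print(run(rule_crl_00199(), SNOOPING_EVENTS))
    print(run(rule_crl_00200(), FAILED_LOGIN_EVENTS))
```

The "carol" pair shows the false-negative mode the next section describes: a matching FairWarning event that arrives after the window has expired (here, because the SFTP upload came late) completes nothing, so lengthening the window is the only remedy on the enVision side.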

False Positive and False Negative Mitigation

Depending on the configuration of FairWarning in your environment, CRL-00200 may give false negatives. FairWarning uses SFTP to send logs to enVision, and, because of the time gaps between the two file uploads, the rule may not trigger. The circuits wait for 24 hours to receive the appropriate data. You can adjust the time limit for the rule based on your environment.
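The two-statement correlation above, including the keyword filter on Attacks.Access events and the 24-hour wait, re-implemented as an added example in Python. This is not RSA's rule code; the event field names, sources, users and times are constructed assumptions standing in for the enVision variables the text names.

```python
"""Added example, not RSA's CRL-00200 rule code: the two-statement correlation
described above, re-implemented in Python over constructed events."""
from datetime import datetime, timedelta

# Constructed sample events. Field names stand in for the enVision variables and
# categories the text names; sources, users and times are made up.
EVENTS = [
    {"time": "2010-07-01T08:00:00", "source": "FairWarning", "category": "Attacks.Access",
     "logon_id": "jdoe", "message": "Login FAIL for user jdoe"},
    {"time": "2010-07-01T09:30:00", "source": "WinDC01", "category": "User.Activity.Failed.Logins",
     "logon_id": "jdoe", "message": "An account failed to log on"},
    # Attacks.Access event that is not a failed logon: the "fail" keyword filter drops it
    {"time": "2010-07-01T10:00:00", "source": "FairWarning", "category": "Attacks.Access",
     "logon_id": "asmith", "message": "Patient record opened outside assigned unit"},
    {"time": "2010-07-01T10:05:00", "source": "WinDC01", "category": "User.Activity.Failed.Logins",
     "logon_id": "asmith", "message": "An account failed to log on"},
    # FairWarning upload arrives ~49 h after the other source: the false negative the text warns of
    {"time": "2010-07-01T11:00:00", "source": "WinDC01", "category": "User.Activity.Failed.Logins",
     "logon_id": "bwayne", "message": "An account failed to log on"},
    {"time": "2010-07-03T12:00:00", "source": "FairWarning", "category": "Attacks.Access",
     "logon_id": "bwayne", "message": "Login fail"},
]

def s1_other_failed_logon(ev):
    """Statement 1: failed logon carrying logon_id from any source except FairWarning."""
    return bool(ev["source"] != "FairWarning" and ev.get("logon_id")
                and ev["category"] == "User.Activity.Failed.Logins")

def s2_fairwarning_failed_logon(ev):
    """Statement 2: FairWarning Attacks.Access event with logon_id whose text contains 'fail'."""
    return bool(ev["source"] == "FairWarning" and ev.get("logon_id")
                and ev["category"] == "Attacks.Access" and "fail" in ev["message"].lower())

def correlate(events, window_hours=24):
    """Thread on logon_id and alarm only for the S1=1, S2=1 row of the truth table,
    i.e. when both statements fire for the same logon_id within the window."""
    window = timedelta(hours=window_hours)
    s1_times, s2_times = {}, {}
    for ev in events:
        t = datetime.fromisoformat(ev["time"])
        if s1_other_failed_logon(ev):
            s1_times.setdefault(ev["logon_id"], []).append(t)
        elif s2_fairwarning_failed_logon(ev):
            s2_times.setdefault(ev["logon_id"], []).append(t)
    alarms = []
    for logon_id in sorted(set(s1_times) & set(s2_times)):
        if any(abs(a - b) <= window for a in s1_times[logon_id] for b in s2_times[logon_id]):
            alarms.append(logon_id)
    return alarms
```

With the default 24-hour window only jdoe alarms; widening the window to 72 hours also surfaces bwayne, which is the delayed-upload case.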

Quick Deployment

Event Source Configuration

You must configure FairWarning Privacy Monitoring to send events to RSA enVision. For instructions, see the FairWarning Privacy Monitoring configuration document on RSA SecurCare Online.


CRL-00201

Overview

Name

DNS Fast Flux Detection Kit

Purpose

Rule CRL-00201 detects and alerts on possible DNS fast-flux domains.

Audience

This rule is intended for organizations that capture their web proxy traffic logs and want to receive alerts for fast-flux domains that have been captured in the logs of the web proxy event source.

Introduction

The primary role of the Domain Name System (DNS) is to hierarchically name computers or any other resources connected to the Internet or a private network. The Domain Name System associates an IP address with a given domain name for a period of time. This Time To Live (TTL) period depends on the type of lease. Botnets and other malicious hosts take advantage of the TTL period and use a technique known as DNS fast flux. The DNS servers have a very short TTL associated with a domain, which allows for a continual reassignment of IP addresses to these domain names. Some of these fast-flux domains behave as peers and share the role of a command and control server, as is sometimes found in phishing attacks. However, due to the constant DNS flux, it becomes very difficult to determine the source of such botnets or malicious hosts.

This rule attempts to track fast-fluxing domains by caching on a specific domain name and checking whether the IP assignments to such domains are short-lived, which indicates that they may be part of a fast-flux domain.

Requirements

Device Class or Systems

This rule uses the Web Logs device class and monitors events from web proxy event sources. Currently the rule fires alerts for logs from the Blue Coat Systems ProxySG SGOS event source.

Technical Analysis

Rule Logic

All the rules in this rule set have the same architecture and are implemented as two logical circuits joined by a FOLLOWED BY clause. This rule examines the web proxy logs and searches for suspicious activity within these logs.


The characterization of all traffic happens in the first circuit, where the rule looks for specific domain,

status, category, and web page information in the event. The original IP address of the server is also

cached in this circuit. The second circuit compares the server IP address for the subsequent events within

a specified time-frame (by default, one hundred and eighty seconds).

The rule threads on the web_host variable, which contains the Fully Qualified Domain Name (FQDN). In the first circuit, the filter, status, domain, and webpage variables are evaluated for each event. This filters the traffic so that only the events that satisfy the filter criteria are considered by the rule.

The second circuit compares the supplier_ip variable with the cached IP variable, DestAddress. If the

cached IP variable differs from the supplier_ip, an alert is triggered.

False Positive and False Negative Mitigation

Because the rule can generate a large number of alerts, the rule set is divided into the following four separate rules to mitigate false positives:

• CRL-00201-01 - DNS Fast Flux Detection - Common Traffic Domains

• CRL-00201-02 - DNS Fast Flux Detection - Specialized Traffic Domains

• CRL-00201-03 - DNS Fast Flux Detection - Commercial Traffic Domain

• CRL-00201-04 - DNS Fast Flux Detection - Known Abused TLDs

These rules filter on separate logical clusters of Top Level Domains. For example, the .com (commercial) domain accounts for more than 90 percent of the total Internet traffic, and so the domain deserves its own separate rule for purposes of monitoring.
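The cache-and-compare logic of the two circuits described above, together with the per-TLD split of the rule set, as an added Python example. This is not RSA's CRL-00201 code: the function names, the status-only filter in circuit 1, and the hosts, addresses and timestamps are constructed assumptions; only the variable names (web_host, supplier_ip, DestAddress) and the 180-second default come from the text.

```python
"""Added example, not RSA's CRL-00201 rule code: the cache-and-compare logic
described above, run over constructed Blue Coat-style proxy events."""

WINDOW_SECONDS = 180  # default comparison window named in the text

# Constructed events: (seconds since start, web_host, supplier_ip, HTTP status).
# Variable names follow the text; hosts and addresses are made-up documentation values.
EVENTS = [
    (0,   "cdn.example.com",          "198.51.100.10",  200),
    (60,  "cdn.example.com",          "198.51.100.10",  200),  # stable: no alert
    (0,   "login-verify.example.net", "203.0.113.5",    200),
    (45,  "login-verify.example.net", "203.0.113.77",   200),  # new IP within 180 s
    (100, "login-verify.example.net", "198.51.100.200", 200),  # and another
    (0,   "static.example.org",       "192.0.2.8",      200),
    (400, "static.example.org",       "192.0.2.9",      200),  # change, but outside the window
    (10,  "blocked.example.org",      "192.0.2.50",     403),  # dropped by the status filter
    (20,  "blocked.example.org",      "192.0.2.51",     403),
]

def passes_filters(status):
    """Circuit 1 filter stage. The real rule filters on status, domain, category and web page;
    this example assumes a single criterion, successful (200) requests."""
    return status == 200

def tld(host):
    return host.rsplit(".", 1)[-1].lower()

def detect_fast_flux(events, window=WINDOW_SECONDS, tlds=None):
    """Thread on web_host. Circuit 1 caches the first supplier_ip as DestAddress; circuit 2
    alerts when a later event in the window carries a different supplier_ip. `tlds`
    optionally restricts the rule to one TLD cluster, mirroring the four-rule split."""
    cache = {}    # web_host -> (DestAddress, time it was cached)
    alerts = []   # (web_host, DestAddress, differing supplier_ip)
    for t, host, ip, status in sorted(events):
        if not passes_filters(status) or (tlds and tld(host) not in tlds):
            continue
        if host not in cache or t - cache[host][1] > window:
            cache[host] = (ip, t)   # start (or restart) the thread for this host
            continue
        dest_address = cache[host][0]
        if ip != dest_address:
            alerts.append((host, dest_address, ip))
    return alerts
```

Restricting `tlds` to {"com"} yields no alerts on this input, while widening the window past 400 seconds turns the slow change on static.example.org into an alert as well, which is the trade-off the TLD split and the window setting are there to manage.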

Quick Deployment

Event Source Configuration

Configure Blue Coat Systems Security Gateway OS to send logs to enVision. For instructions, see the Blue Coat Systems Security Gateway OS configuration document on RSA SecurCare Online.
