Cisco CS-MARS-20-K9 - Security MARS 20 User Manual page 542

List of System Rules
sharing freeware such as KaZaA, iMesh, and AudioGalaxy. Once installed, the spyware
automatically runs each time the host PC is started and records URLs visited, the username,
password, and credit card information used, and then sends this information to the spyware writers.
System Rule: Client Exploit - Attempt.
This rule detects a client workstation exploit. That is, a workstation is either downloading
executable content via Web or email, sending web requests that contain scripts, or is the target of
a client-side exploit via protocols such as IRC, DHCP, DNS, or P2P worms.
System Rule: Client Exploit - Mass Mailing Worm.
This signature detects an excessive amount of e-mail (at least 20/min) from a single host. To sharpen
this rule for non-mail-server hosts, create a group of mail server hosts and then create an exception
by excluding these hosts from the source of this rule.
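As an added illustration of the threshold and the exception group described above (this is example code written for this page, not part of the MARS product or its rule engine), the following Python sketch counts SMTP connection records per source host inside a sliding one-minute window and fires once a host reaches 20, while hosts listed in a hypothetical "mail servers" group are excluded from the source of the rule. The log line format, the host addresses and the traffic are all constructed for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Threshold taken from the rule text: at least 20 mail events per minute from one host.
THRESHOLD = 20
WINDOW = timedelta(minutes=1)

# Hypothetical "mail servers" group: the hosts the rule text says to exclude from the
# source of this rule so that legitimate relays do not fire it.
MAIL_SERVER_GROUP = {"10.0.0.25"}


def parse_event(line):
    """Parse one constructed connection record: '<ISO time> <src> -> <dst>:<port>'."""
    ts, src, _, dst_port = line.split()
    dst, port = dst_port.rsplit(":", 1)
    return datetime.fromisoformat(ts), src, dst, int(port)


def detect_mass_mailers(lines, threshold=THRESHOLD, window=WINDOW, exceptions=MAIL_SERVER_GROUP):
    """Return {src: time the threshold was first reached} for hosts that open at least
    `threshold` SMTP connections inside any sliding window of length `window`."""
    recent = defaultdict(deque)   # src -> timestamps of SMTP events still inside the window
    hits = {}
    for line in lines:            # lines are assumed to arrive in time order
        ts, src, _dst, port = parse_event(line)
        if port != 25 or src in exceptions or src in hits:
            continue
        q = recent[src]
        q.append(ts)
        while ts - q[0] > window:  # expire events that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            hits[src] = ts
    return hits


def sample_mail_lines():
    """Constructed sample traffic: one infected workstation, one busy mail relay, one normal host."""
    base = datetime(2006, 3, 1, 9, 0, 0)
    lines = []
    for i in range(25):   # 10.1.1.7 sends 25 mails in 50 seconds: the mass-mailing pattern
        lines.append(f"{(base + timedelta(seconds=2 * i)).isoformat()} 10.1.1.7 -> 192.0.2.10:25")
    for i in range(40):   # 10.0.0.25 is a real mail relay: 40 mails a minute is its normal load
        lines.append(f"{(base + timedelta(seconds=i)).isoformat()} 10.0.0.25 -> 192.0.2.10:25")
    for i in range(10):   # 10.1.1.9 sends 10 mails a minute: below the threshold
        lines.append(f"{(base + timedelta(seconds=6 * i)).isoformat()} 10.1.1.9 -> 192.0.2.10:25")
    lines.append(f"{base.isoformat()} 10.1.1.7 -> 192.0.2.20:80")  # non-SMTP traffic is ignored
    return sorted(lines)   # ISO timestamps of equal length sort chronologically


if __name__ == "__main__":
    for host, when in detect_mass_mailers(sample_mail_lines()).items():
        print(f"mass-mailing worm suspected: {host} reached {THRESHOLD} mails/min at {when.time()}")
```

Running the sample flags only 10.1.1.7; the relay 10.0.0.25 would fire as well if the exception group were empty, which is exactly the false positive the manual's advice about the mail server group is meant to remove.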
System Rule: Client Exploit - Sasser Worm.
This correlation rule detects a successful infection spread of the Sasser worm: an attack on port 445
followed by any of the following: (a) a command shell connection to the victim on port 9996, (b)
an FTP connection back to the victim on port 5554, (c) excessive scans on port 445 from the victim.
This indicates that both the source and the destinations are likely infected with the Sasser worm.
This worm exploits the Microsoft Windows vulnerability described in Microsoft Security
Bulletin MS04-011.
System Rule: Client Exploit - Success Likely.
This correlation rule detects a client workstation exploit followed by the client performing
anomalous activities. Client exploits include download of dynamically executable content via Web
or email, web requests containing scripts, client side exploits via protocols such as IRC, DHCP,
DNS, P2P Worms. Client anomalous activities include the client originating excessive denies and
scans, attempting to connect to backdoors, propagating worms over the network. The presence of
such activities may indicate that the client exploit is successful.
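The Sasser rule and the Success Likely rule above share one shape: a trigger event from a source to a victim, followed within some time window by follow-on activity that suggests the exploit worked. The Python below is an added example (written for this page, not MARS code) of a generic two-stage correlator instantiated with the three Sasser follow-on conditions from the manual. The event kinds, the 30-minute window, the "excessive scans" threshold of 10 distinct targets and the sample events are all assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Event:
    """One normalised event. `kind` is an assumed label ('attack', 'connect' or 'scan'),
    standing in for whatever the reporting device (IDS, firewall) classified the event as."""
    ts: datetime
    src: str
    dst: str
    dport: int
    kind: str


def correlate(events, trigger, followups, window):
    """Generic two-stage correlation: for every event satisfying `trigger`, collect the events
    that follow it within `window` and report which named follow-up conditions hold.
    Each follow-up condition receives the trigger event and the list of later events."""
    events = sorted(events, key=lambda e: e.ts)
    alerts = []
    for i, ev in enumerate(events):
        if not trigger(ev):
            continue
        later = [e for e in events[i + 1:] if e.ts - ev.ts <= window]
        matched = [name for name, cond in followups.items() if cond(ev, later)]
        if matched:
            alerts.append((ev.src, ev.dst, matched))
    return alerts


# Assumed values the manual does not state: how long after the attack the follow-on
# activity may occur, and how many distinct port-445 targets count as "excessive".
SASSER_WINDOW = timedelta(minutes=30)
SCAN_THRESHOLD = 10

SASSER_FOLLOWUPS = {
    # (a) command shell connection from the attacker to the victim on port 9996
    "shell_9996": lambda t, later: any(
        e.kind == "connect" and e.src == t.src and e.dst == t.dst and e.dport == 9996 for e in later),
    # (b) FTP connection on port 5554 between the same two hosts; the manual says "back to the
    #     victim", and the direction is matched loosely here so either side's record counts
    "ftp_5554": lambda t, later: any(
        e.kind == "connect" and {e.src, e.dst} == {t.src, t.dst} and e.dport == 5554 for e in later),
    # (c) excessive port-445 scans originating from the victim
    "victim_scans_445": lambda t, later: len(
        {e.dst for e in later if e.kind == "scan" and e.src == t.dst and e.dport == 445}) >= SCAN_THRESHOLD,
}


def detect_sasser(events):
    """Apply the Sasser correlation: an attack on port 445 followed by (a), (b) or (c)."""
    return correlate(events, lambda e: e.kind == "attack" and e.dport == 445,
                     SASSER_FOLLOWUPS, SASSER_WINDOW)


def sample_sasser_events():
    """Constructed sample: one real spread and one isolated 445 attack with no follow-on activity."""
    t0 = datetime(2006, 3, 1, 10, 0, 0)
    evs = [Event(t0, "10.1.1.7", "10.1.1.50", 445, "attack"),
           Event(t0 + timedelta(seconds=5), "10.1.1.7", "10.1.1.50", 9996, "connect")]
    # the victim starts scanning the next subnet on 445 a minute later
    evs += [Event(t0 + timedelta(seconds=60 + i), "10.1.1.50", f"10.1.2.{i + 1}", 445, "scan")
            for i in range(12)]
    # a lone 445 attack with nothing after it: an IDS alert, not a confirmed spread
    evs.append(Event(t0 + timedelta(minutes=2), "10.9.9.9", "10.1.1.60", 445, "attack"))
    return evs


if __name__ == "__main__":
    for src, victim, why in detect_sasser(sample_sasser_events()):
        print(f"Sasser spread likely: {src} -> {victim}, evidence: {', '.join(why)}")
```

The lone attack on 10.1.1.60 produces no alert because nothing follows it, which is the point of correlating rather than alerting on the 445 signature alone. The same `correlate` function expresses the Success Likely rule by swapping the trigger for a client-exploit predicate and the follow-ups for the anomalous-activity conditions (excessive denies and scans, backdoor connections, worm propagation).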
System Rule: Client Exploit - Sysbug Trojan.
This correlation rule detects a Sysbug Trojan exploit on a client workstation: the workstation
downloaded executable content via email, the code executed, and it likely opened the Sysbug Trojan
service on port 5555, to which other machines then attempted to connect. Here, the source represents the
client workstation and the destination represents the systems to which a connection is made after the
trojan is installed.
System Rule: Configuration Issue: Firewall.
This rule detects configuration errors reported by a firewall - this may cause certain traffic to be
dropped by the firewall.
System Rule: Configuration Issue: Server.
This rule detects configuration errors reported by a server; these may cause certain services to be
unavailable at the server.
System Rule: Connectivity Issue: IOS IPS DTM.
This rule detects connectivity issues between CS-MARS and IOS - CS-MARS may not be able to
dynamically turn on ACTIVE signatures on IOS.
System Rule: CS-MARS Database Partition Usage.
User Guide for Cisco Security MARS Local Controller
D-2
Appendix D
System Rules and Reports
78-17020-01