Cisco CS-MARS-20-K9 - Security MARS 20 User Manual page 544

List of System Rules
This correlation rule detects malicious attempts to access customer data stored by web applications,
preceded by reconnaissance attempts to that host, if any. Customer data typically contains sensitive
information such as purchasing history and credit card numbers.
System Rule: Misc. Attacks: Application Admin Escalation.
This correlation rule detects attempts by a non-administrative user to perform administrative
functions for Web applications by bypassing the required authentication. Several web applications
have vulnerabilities that may allow an attacker to do so. These attempts may be preceded by
reconnaissance attempts to that host.
System Rule: Misc. Attacks: ARP Poisoning.
This correlation rule detects ARP Poisoning attacks preceded by reconnaissance attempts to that
host, if any.
System Rule: Misc. Attacks: Evasion.
This correlation rule detects generic attempts by an attacker to bypass network IDS systems. The
attempts may be preceded by reconnaissance attempts to that host.
System Rule: Misc. Attacks: Identity Spoofing.
This correlation rule detects attempts to use spoofed source IP addresses.
System Rule: Misc. Attacks: Replay.
This correlation rule detects replay attacks on a host, preceded by reconnaissance attempts to that
host, if any. Successful replay attacks may allow the attacker to gain access by bypassing
authentication.
System Rule: Misc. Attacks: Session Hijacking.
This correlation rule detects attempts to hijack a TCP connection to that host, preceded by
reconnaissance attempts to that host, if any.
System Rule: Misc. Attacks: TCP/IP Protocol Anomaly.
This correlation rule detects events that indicate errors in standard TCP/IP headers - these may be
caused by broken protocol implementations on the source host or may be malicious attempts by the
source host to test the robustness of protocol implementations on the destination host.
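The header errors this rule keys on can be checked directly on the wire. The following is an added example, not Cisco code and not the MARS rule itself: it parses an IPv4+TCP packet from raw bytes and reports the kinds of inconsistency a sensor would classify as a protocol anomaly (bad version or IHL, total length disagreeing with the header or capture, bad header checksum, source equal to destination, and illegal TCP flag combinations). The packet builder, the sample addresses and the finding strings are assumptions made for the example.

```python
"""Flag TCP/IP header anomalies in a raw packet (added example; not Cisco MARS code)."""
import socket
import struct

TCP_FIN, TCP_SYN, TCP_RST, TCP_PSH, TCP_ACK, TCP_URG = 1, 2, 4, 8, 16, 32
IP_HDR = "!BBHHHBBH4s4s"   # version/IHL, TOS, total len, ID, frag, TTL, proto, cksum, src, dst
TCP_HDR = "!HHIIBBHHH"     # sport, dport, seq, ack, data offset/reserved, flags, window, cksum, urg


def ip_checksum(hdr: bytes) -> int:
    """RFC 1071 one's-complement checksum; returns 0 for a header whose checksum field is correct."""
    if len(hdr) % 2:
        hdr += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_packet(src, dst, flags, payload=b"", ihl=5, total_len=None, fix_checksum=True):
    """Build an IPv4+TCP packet; the knobs let the example construct deliberately broken headers."""
    tcp = struct.pack(TCP_HDR, 40000, 80, 1, 0, 5 << 4, flags, 8192, 0, 0) + payload
    tl = total_len if total_len is not None else 20 + len(tcp)
    hdr = struct.pack(IP_HDR, (4 << 4) | ihl, 0, tl, 1, 0, 64, 6, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    if fix_checksum:  # write the correct checksum into bytes 10-11
        hdr = hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]
    return hdr + tcp


def header_anomalies(pkt: bytes) -> list[str]:
    """Return a list of human-readable anomaly findings; an empty list means the headers look sane."""
    findings = []
    if len(pkt) < 20:
        return ["ip: truncated header"]
    ver_ihl, _tos, total_len, _id, _frag, _ttl, proto, _ck, src, dst = struct.unpack(IP_HDR, pkt[:20])
    version, ihl = ver_ihl >> 4, ver_ihl & 0x0F
    if version != 4:
        findings.append(f"ip: version {version} != 4")
    if ihl < 5:
        findings.append(f"ip: IHL {ihl} < 5")
        return findings  # header length is unusable; nothing after this can be trusted
    hlen = ihl * 4
    if len(pkt) < hlen:
        findings.append("ip: options truncated")
        return findings
    if total_len < hlen or total_len > len(pkt):
        findings.append(f"ip: total length {total_len} inconsistent with header {hlen} / capture {len(pkt)}")
    if ip_checksum(pkt[:hlen]) != 0:
        findings.append("ip: bad header checksum")
    if src == dst:
        findings.append("ip: source equals destination (LAND-style)")
    if proto != 6:
        return findings
    tcp = pkt[hlen:]
    if len(tcp) < 20:
        findings.append("tcp: truncated header")
        return findings
    sport, dport, _seq, _ack, off_res, flags, _win, _tck, _urg = struct.unpack(TCP_HDR, tcp[:20])
    if (off_res >> 4) < 5:
        findings.append(f"tcp: data offset {off_res >> 4} < 5")
    if flags & TCP_SYN and flags & TCP_FIN:
        findings.append("tcp: SYN+FIN set together")
    if flags & TCP_SYN and flags & TCP_RST:
        findings.append("tcp: SYN+RST set together")
    if flags & 0x3F == 0:
        findings.append("tcp: null flags")
    if sport == 0 or dport == 0:
        findings.append("tcp: port 0")
    return findings


if __name__ == "__main__":
    # Constructed sample packets, not captured traffic.
    for label, pkt in [("good", build_packet("10.0.0.5", "192.168.1.20", TCP_SYN)),
                       ("syn+fin", build_packet("10.0.0.5", "192.168.1.20", TCP_SYN | TCP_FIN)),
                       ("land", build_packet("192.168.1.20", "192.168.1.20", TCP_SYN)),
                       ("badcksum", build_packet("10.0.0.5", "192.168.1.20", TCP_SYN, fix_checksum=False))]:
        print(label, header_anomalies(pkt))
```

As the rule text notes, a single finding does not distinguish a broken stack from a probe; the correlation rule earns its value by combining these findings with reconnaissance or repeated activity from the same source.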
System Rule: Modify Host: Database Object - Failures.
This correlation rule detects multiple failed attempts from the same database user to modify
database objects such as tables and indices.
System Rule: Modify Host: Database User/Group - Failures.
This correlation rule detects multiple failed attempts from the same database user to modify
database user groups.
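The rules on this page come in two shapes: the "preceded by reconnaissance attempts to that host, if any" rules (customer data access, admin escalation, ARP poisoning, evasion, replay, session hijacking) are sequence rules with an optional first stage, and the two "multiple failed attempts from the same database user" rules are count-over-window thresholds. The following is an added example, not Cisco code and not the MARS rule language, showing both shapes as plain Python over a constructed event list; the event fields, event type names, window sizes and threshold are assumptions made for the example.

```python
"""Two correlation-rule shapes over normalized events (added example; not Cisco MARS code)."""
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    ts: int        # seconds since epoch (constructed values below)
    src: str       # source IP
    dst: str       # destination host
    etype: str     # normalized event type; names are assumptions for the example
    user: str = "" # database user, where the reporting device supplies one


def sequence_rule(events, recon_types, attack_types, window):
    """Fire on every attack event; tag it with_recon when the same host saw recon within `window` seconds.

    The recon stage is optional, matching the 'if any' wording: the attack alone fires the rule,
    the prior reconnaissance only raises the incident's confidence. Recon is keyed by destination
    host, so a scan from one source followed by an attack from another still counts.
    """
    recent_recon = defaultdict(deque)   # dst -> timestamps of recon events
    incidents = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.etype in recon_types:
            recent_recon[ev.dst].append(ev.ts)
        elif ev.etype in attack_types:
            q = recent_recon[ev.dst]
            while q and ev.ts - q[0] > window:   # drop recon that is too old to matter
                q.popleft()
            incidents.append({"dst": ev.dst, "attacker": ev.src,
                              "attack": ev.etype, "with_recon": bool(q)})
    return incidents


def threshold_rule(events, fail_types, threshold, window):
    """Fire once per user when >= `threshold` failure events from that user fall within `window` seconds."""
    by_user = defaultdict(deque)   # user -> timestamps of failures still inside the window
    fired, incidents = set(), []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.etype not in fail_types:
            continue
        q = by_user[ev.user]
        q.append(ev.ts)
        while ev.ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold and ev.user not in fired:
            fired.add(ev.user)
            incidents.append({"user": ev.user, "count": len(q)})
    return incidents


# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    Event(100, "10.0.0.5", "192.168.1.20", "recon.portscan"),
    Event(160, "10.0.0.5", "192.168.1.20", "attack.web.admin_bypass"),
    Event(400, "10.0.0.9", "192.168.1.30", "attack.web.admin_bypass"),
    Event(500, "10.0.0.7", "192.168.1.40", "db.modify_object.failure", user="appuser"),
    Event(520, "10.0.0.7", "192.168.1.40", "db.modify_object.failure", user="appuser"),
    Event(540, "10.0.0.7", "192.168.1.40", "db.modify_object.failure", user="appuser"),
    Event(560, "10.0.0.8", "192.168.1.40", "db.modify_object.failure", user="dba"),
]


def run_sample():
    """Apply both rule shapes to the sample events and return (sequence_incidents, threshold_incidents)."""
    seq = sequence_rule(SAMPLE_EVENTS, {"recon.portscan"}, {"attack.web.admin_bypass"}, window=300)
    thr = threshold_rule(SAMPLE_EVENTS, {"db.modify_object.failure"}, threshold=3, window=120)
    return seq, thr


if __name__ == "__main__":
    for inc in run_sample():
        print(inc)
```

On the sample, the first admin-bypass attempt fires with recon attached (the scan 60 seconds earlier against the same host), the second fires without it, and only `appuser` crosses the three-failure threshold; `dba` has a single failure and stays silent.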
System Rule: Modify Host: Files.
This rule detects attempts to modify files on a host.
System Rule: Modify Host: Logs.
This rule detects attempts to modify log files on a host.
System Rule: Modify Host: Registry.
This rule detects attempts to modify Windows registry entries on a host.
System Rule: Modify Host: Security.
This rule detects attempts to modify the security settings on a host.
System Rule: Modify Host: Service.
User Guide for Cisco Security MARS Local Controller
D-4
Appendix D
System Rules and Reports
78-17020-01
