Cisco CS-MARS-20-K9 - Security MARS 20 User Manual page 545

Appendix D
System Rules and Reports
This rule detects attempts to modify the settings of services on a host.
System Rule: Modify Host: User Group.
This rule detects attempts to modify the user group definitions on a host.
System Rule: Modify Network Config.
This rule detects attempts to modify the configurations on a network device such as routers,
switches, firewalls etc.
System Rule: Modify Server: SCADA Modbus.
This rule detects attempts to modify the counters and diagnostics on a Modbus server. The Modbus
protocol is the de facto standard in industrial control communications and is the protocol of choice
in a Supervisory Control and Data Acquisition (SCADA) communications network, where the
programmable logic controllers (PLCs) act as Modbus servers.
System Rule: Network Activity: Chat/IM - Active.
This rule detects person-to-person Chat or Instant Messenger protocol activity.
System Rule: Network Activity: Chat/IM - File Transfer.
This rule detects file transfers via person-to-person Chat or Instant Messengers, along with any
increase in network traffic. File transfer is not a normal use of Chat/IM and is suspicious. In addition,
files shared with other IM users could contain viruses or other backdoor programs.
System Rule: Network Activity: Excessive Denies - Host Compromise Likely.
This correlation rule detects a high frequency (in excess of 10/sec) of denies from a particular host to
a particular destination port. This is typical behavior of a compromised host looking to exploit
hosts with a specific vulnerability.
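To make the threshold concrete, here is an added example (not from the Cisco manual) of the per-source, per-destination-port rate check this rule describes, run over constructed firewall deny lines; the log format, host addresses and the one-second sliding window are assumptions for the illustration.

```python
# Added example: sliding-window rate check modelled on the MARS
# "Excessive Denies - Host Compromise Likely" rule (more than 10 denies per
# second from one source host to one destination port). The log line format
# below is constructed for this example, not a real device format.
from collections import defaultdict, deque
import re

DENY_RE = re.compile(
    r"^(?P<ts>\d+\.\d+) DENY (?P<src>\d+\.\d+\.\d+\.\d+):\d+ -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+)$"
)

def excessive_denies(lines, threshold=10, window=1.0):
    """Return {(src, dport): first_alert_timestamp} for every source/port pair
    that exceeds `threshold` denies inside any `window`-second interval."""
    recent = defaultdict(deque)   # (src, dport) -> timestamps still in the window
    alerts = {}
    for line in lines:
        m = DENY_RE.match(line.strip())
        if not m:
            continue               # permits and unparsable lines are ignored
        ts = float(m["ts"])
        key = (m["src"], m["dport"])
        q = recent[key]
        q.append(ts)
        # expire timestamps that fell out of the sliding window
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) > threshold and key not in alerts:
            alerts[key] = ts      # record only the first crossing per pair
    return alerts

# Constructed sample: 10.1.1.5 is denied to port 445 on many hosts at ~20/sec,
# while 10.1.1.9 produces a few denies spread over several seconds (benign).
SAMPLE_LOG = (
    [f"{1000 + i*0.05:.2f} DENY 10.1.1.5:{40000+i} -> 192.0.2.{i%20+1}:445" for i in range(15)]
    + [f"{1000 + i*0.5:.2f} DENY 10.1.1.9:50000 -> 192.0.2.7:22" for i in range(6)]
)

if __name__ == "__main__":
    for (src, port), ts in excessive_denies(SAMPLE_LOG).items():
        print(f"ALERT: {src} -> port {port}: more than 10 denies/sec at t={ts}")
```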
System Rule: Network Activity: Excessive IRC.
This correlation rule detects excessive Internet Relay Chat (IRC) connections from the same source.
This indicates that a Remote Admin Trojan (RAT) is likely running on the source and that the source is
likely compromised.
System Rule: Network Activity: P2P File Sharing - Active.
This rule detects person-to-person file sharing activity via applications such as KaZaa, Napster,
EDonkey, Gnutella, Bearshare etc.
System Rule: Network Activity: P2P File Sharing - File Transfer.
This rule detects a file transfer via a person-to-person file sharing application such as KaZaa,
Napster, EDonkey, Gnutella, Bearshare etc., along with any increase in network traffic. These
programs may consume a significant amount of network bandwidth and, furthermore, inappropriate
materials possibly containing viruses and backdoors may be distributed.
System Rule: Network Activity: Recreational.
This rule detects recreational activities such as games, visiting adult web sites etc.
System Rule: Network Activity: Uncommon Traffic.
This rule detects traffic that is not common in modern networks, for example (a) uncommon ICMP
types such as ICMP Router Advertisement and ICMP Timestamp request/reply, (b) packets with
uncommon TCP/IP options such as source routing and timestamp, (c) standard protocols such as
SMTP, HTTP and POP3 running on non-standard ports, and (d) uncommon protocols such as FSP.
System Rule: Network Activity: Windows Popup Spam.
This correlation rule detects excessive traffic (likely pop-up spam) from the same source to the Windows
Messenger service.
78-17020-01
User Guide for Cisco Security MARS Local Controller
List of System Rules
D-5