Cisco CS-MARS-20-K9 - Security MARS 20 User Manual page 548

List of System Rules
This correlation rule detects attempts to retrieve SNMP community strings or to access SNMP information by guessing SNMP community strings. Many SNMP installations ship with easily guessable community strings by default. The password attack may be preceded by reconnaissance attacks against the host.
System Rule: Password Attack: SNMP - Success Likely.
This correlation rule detects a likely successful SNMP community string guessing attack. Such an attack consists of a community string guessing attempt followed by an SNMP modification at the target host. The attack may be preceded by reconnaissance attacks against the host.
System Rule: Password Attack: System - Attempt.
This correlation rule detects attempts to retrieve system passwords, or multiple login failures while authenticating to a particular system or domain via Telnet, SSH, or local console/terminal logon. These attempts may optionally be preceded by reconnaissance attempts. Authentication failures may sometimes be caused by a user forgetting the password.
System Rule: Password Attack: System - Success Likely.
This correlation rule detects a successful password attack that gains system-level access to a host or to a Windows domain. Such an attack consists of a successful login occurring after attempts to retrieve or guess passwords while authenticating to that host. The password attack may be preceded by reconnaissance attacks against the host. Authentication failures may sometimes be caused by a user forgetting the password.
System Rule: Password Attack: Web Server - Attempt.
This correlation rule detects a password guessing attack against a Web server, preceded by reconnaissance attacks against the host, if any. A password guessing attack consists of multiple login failures and may sometimes be caused by a user forgetting the password.
System Rule: Password Scan: Disabled Accounts: Distinct Hosts.
This rule detects repeated failed password attempts on locked, expired, or disabled accounts on distinct hosts.
System Rule: Password Scan: Disabled Accounts: Same Host.
This rule detects repeated failed password attempts on distinct locked, expired, or disabled accounts on a single host.
System Rule: Password Scan: Distinct Hosts.
This rule detects repeated failed password attempts on distinct hosts.
System Rule: Password Scan: Same Host.
This rule detects repeated failed password attempts on multiple distinct accounts on the same host.
System Rule: Resource Issue: CS-MARS.
This rule detects resource issues with the CS-MARS device, e.g. dropped events or dropped NetFlow.
System Rule: Resource Issue: Host.
This rule detects resource issues at a host, e.g. the event log being full, a disk near capacity, or too many logged-in users.
System Rule: Resource Issue: IOS IPS DTM.
This rule detects that a Cisco IOS router has too little memory to run the required set of ACTIVE IPS signatures. CS-MARS was not successful in downloading the complete ACTIVE signature set.
System Rule: Resource Issue: Network Device.
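The password-attack and password-scan rules above all share one shape: count failures grouped by source and target within a time window, and, for the "Success Likely" variants, look for a success event from the same source to the same target after the failures. The following Python is an added illustration of that correlation logic and is not Cisco's rule engine or any part of the MARS product; the event schema (`Event`), the threshold of five failures, the ten-minute window, and the sample events are all constructed assumptions chosen to show the rules firing and a below-threshold case (a user mistyping a password) staying quiet.

```python
"""Toy correlation of the CS-MARS-style password rules (added example, not Cisco code).

Assumptions (not from the manual): events are already normalized into `Event`,
THRESHOLD failures within WINDOW constitute a scan/attempt, and a "Success Likely"
needs a success from the same source to the same host within WINDOW of a failure.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)  # assumed correlation window
THRESHOLD = 5                   # assumed number of failures before a rule fires


@dataclass(frozen=True)
class Event:
    """One normalized event; this field set is an assumption, not the MARS schema."""
    ts: datetime
    src: str    # source address of the attempt
    host: str   # target host
    user: str   # account tried (or SNMP community string for the SNMP rules)
    kind: str   # auth_fail | auth_success | snmp_auth_fail | snmp_set


def _by_pair(events, kind):
    """Group events of one kind by (src, host), oldest first."""
    groups = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        if e.kind == kind:
            groups[(e.src, e.host)].append(e)
    return groups


def _window_hits(evs, key):
    """Largest number of distinct key() values seen within WINDOW of some event."""
    best = 0
    for i, first in enumerate(evs):
        seen = {key(e) for e in evs[i:] if e.ts - first.ts <= WINDOW}
        best = max(best, len(seen))
    return best


def password_scan_same_host(events):
    """Password Scan: Same Host -- one source fails on >= THRESHOLD distinct accounts of one host."""
    return sorted((src, host) for (src, host), evs in _by_pair(events, "auth_fail").items()
                  if _window_hits(evs, lambda e: e.user) >= THRESHOLD)


def password_scan_distinct_hosts(events):
    """Password Scan: Distinct Hosts -- one source fails against >= THRESHOLD different hosts."""
    by_src = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        if e.kind == "auth_fail":
            by_src[e.src].append(e)
    return sorted(src for src, evs in by_src.items()
                  if _window_hits(evs, lambda e: e.host) >= THRESHOLD)


def _attempt_then_success(events, fail_kind, success_kind):
    """Shared 'Success Likely' pattern: >= THRESHOLD fail_kind events from src to host,
    then a success_kind event from the same src to the same host within WINDOW of them."""
    fails = _by_pair(events, fail_kind)
    hits = []
    for (src, host), successes in _by_pair(events, success_kind).items():
        prior = fails.get((src, host), [])
        for s in successes:
            recent = [f for f in prior if f.ts <= s.ts and s.ts - f.ts <= WINDOW]
            if len(recent) >= THRESHOLD:
                hits.append((src, host, s.user))
                break
    return hits


def password_attack_system_success_likely(events):
    """Password Attack: System - Success Likely: a login succeeds after repeated failures on that host."""
    return _attempt_then_success(events, "auth_fail", "auth_success")


def password_attack_snmp_success_likely(events):
    """Password Attack: SNMP - Success Likely: community-string guessing followed by an SNMP modification."""
    return _attempt_then_success(events, "snmp_auth_fail", "snmp_set")


def sample_events():
    """Constructed sample data (not real logs): two scans, two likely successes, one benign typo."""
    t0 = datetime(2024, 1, 1, 9, 0, 0)
    evs = []
    # 10.0.0.5 fails on six different accounts of srv1, then logs in as svc_backup.
    for i, user in enumerate(["root", "admin", "backup", "oracle", "test", "guest"]):
        evs.append(Event(t0 + timedelta(seconds=30 * i), "10.0.0.5", "srv1", user, "auth_fail"))
    evs.append(Event(t0 + timedelta(minutes=4), "10.0.0.5", "srv1", "svc_backup", "auth_success"))
    # 10.0.0.9 fails as root on six different hosts and never succeeds.
    for i in range(6):
        evs.append(Event(t0 + timedelta(seconds=20 * i), "10.0.0.9", f"srv{i + 10}", "root", "auth_fail"))
    # 10.0.0.7 fails five SNMP community strings on rtr1, then performs an SNMP SET.
    for i, comm in enumerate(["public", "private", "guess1", "guess2", "guess3"]):
        evs.append(Event(t0 + timedelta(seconds=10 * i), "10.0.0.7", "rtr1", comm, "snmp_auth_fail"))
    evs.append(Event(t0 + timedelta(minutes=2), "10.0.0.7", "rtr1", "private", "snmp_set"))
    # Benign: alice mistypes twice on srv2 and then succeeds (below THRESHOLD, no alert).
    evs.append(Event(t0, "10.0.1.2", "srv2", "alice", "auth_fail"))
    evs.append(Event(t0 + timedelta(seconds=15), "10.0.1.2", "srv2", "alice", "auth_fail"))
    evs.append(Event(t0 + timedelta(seconds=40), "10.0.1.2", "srv2", "alice", "auth_success"))
    return evs


if __name__ == "__main__":
    evs = sample_events()
    print("Password Scan: Same Host      ", password_scan_same_host(evs))
    print("Password Scan: Distinct Hosts ", password_scan_distinct_hosts(evs))
    print("System - Success Likely       ", password_attack_system_success_likely(evs))
    print("SNMP - Success Likely         ", password_attack_snmp_success_likely(evs))
```

The benign case is why the manual keeps repeating that failures "may sometimes be caused by a user forgetting the password": the threshold and window are what separate a forgotten password from a scan, and the "Success Likely" rules add the requirement that the success come from the same source that produced the failures, which is the detail an analyst should confirm before escalating.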
User Guide for Cisco Security MARS Local Controller, Appendix D: System Rules and Reports, page D-8 (78-17020-01)
