Cisco CS-MARS-20-K9 - Security MARS 20 User Manual page 549

Appendix D
System Rules and Reports
This rule detects resource issues at a network device, e.g. a router, switch, firewall or IDS. Such issues
include high CPU usage, a firewall reaching its session limit, insufficient memory, etc.
System Rule: Scans: SCADA Modbus.
This correlation rule detects scans targeted at Modbus servers. The Modbus protocol is the de facto
standard in industrial control communications and is the protocol of choice in a Supervisory Control
and Data Acquisition (SCADA) communications network, where the Programmable Logic
Controllers (PLCs) act as Modbus servers.
System Rule: Scans: Stealth.
This rule detects highly suspicious scans that are performed by sending malformed TCP/IP packets
with the intent of discovering host and application characteristics such as OS name, OS version, etc. A
vulnerability assessment tool such as Nmap can generate such scans. The source of the scans, if from
inside the trusted network, must be investigated to determine whether it is an authorized source. A MARS
appliance may be performing such a test as part of false positive analysis.
System Rule: Scans: Targeted.
This rule detects scans that are either (a) targeted at a host to identify its operating environment,
such as users on a host, DNS version, open RPC services, etc., or (b) targeted at a well-known service
to determine the set of hosts that offer that service.
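As an added illustration of the three scan rules above (this is example code, not the MARS appliance's own rule logic), the following Python classifier applies each description to a list of constructed flow records. The record layout, the thresholds and the IP addresses are assumptions; a real deployment would derive the same indicators from NetFlow, firewall or IDS events.

```python
from collections import defaultdict

# Constructed flow records: (source IP, destination IP, destination port, TCP flags).
# Flags use tcpdump letters: S=SYN, A=ACK, F=FIN, P=PSH, U=URG, R=RST.
SAMPLE_FLOWS = (
    # One source probing six PLCs on Modbus/TCP (port 502): SCADA Modbus scan.
    [("10.0.0.5", f"10.0.2.{i}", 502, "S") for i in range(1, 7)]
    # One source probing twelve services on a single host: targeted scan.
    + [("10.0.0.9", "10.0.1.7", p, "S") for p in range(20, 32)]
    # NULL and FIN-only segments, which no normal TCP client sends: stealth scan.
    + [("10.0.0.13", "10.0.1.7", 80, ""), ("10.0.0.13", "10.0.1.7", 22, "F")]
    # An ordinary HTTPS connection from a normal host.
    + [("10.0.0.20", "10.0.1.8", 443, "S")]
)

MODBUS_PORT = 502
MODBUS_HOST_THRESHOLD = 5      # assumed: distinct Modbus servers touched by one source
TARGETED_PORT_THRESHOLD = 10   # assumed: distinct ports on one host from one source


def is_malformed(flags: str) -> bool:
    """A TCP segment carrying none of SYN, ACK or RST is neither a valid
    connection opener, reply nor abort; NULL, FIN-only and "Xmas" (FIN+PSH+URG)
    combinations fall in this class and are typical of OS-fingerprinting scans."""
    return not (set(flags) & {"S", "A", "R"})


def classify_scans(flows):
    """Return sorted (source, rule name) pairs for sources whose flows match
    one of the three scan patterns described in the rule text."""
    state = defaultdict(lambda: {"modbus_hosts": set(),
                                 "ports_by_dst": defaultdict(set),
                                 "malformed": 0})
    for src, dst, dport, flags in flows:
        st = state[src]
        if dport == MODBUS_PORT:
            st["modbus_hosts"].add(dst)
        st["ports_by_dst"][dst].add(dport)
        if is_malformed(flags):
            st["malformed"] += 1

    alerts = set()
    for src, st in state.items():
        if len(st["modbus_hosts"]) >= MODBUS_HOST_THRESHOLD:
            alerts.add((src, "Scans: SCADA Modbus"))
        if st["malformed"]:
            alerts.add((src, "Scans: Stealth"))
        if any(len(ports) >= TARGETED_PORT_THRESHOLD
               for ports in st["ports_by_dst"].values()):
            alerts.add((src, "Scans: Targeted"))
    return sorted(alerts)


if __name__ == "__main__":
    for src, rule in classify_scans(SAMPLE_FLOWS):
        print(f"{src:12} {rule}")
```

Whatever the thresholds, the follow-up is the one the rule text prescribes: a stealth-scan source inside the trusted network is checked against the list of authorized scanners (including the MARS appliance's own false-positive testing) before it is treated as hostile.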
System Rule: Security Posture: Audit Server Issue - Network wide.
This rule detects an excessive number of logs indicating network-wide audit server issues; the
indications can come from many hosts staying in the TRANSITION posture state for too long or many
AAA servers reporting Audit Server communication problems. These events may indicate that the
audit server is having difficulty auditing the end hosts and updating their security posture status from
the TRANSITION state. A host enters the TRANSITION state when it is not running the Cisco Trust
Agent (CTA) software and requires an out-of-band audit by an audit server to move it out of the
TRANSITION state into one of the HEALTHY, INFECTED, QUARANTINE, CHECKUP or
UNKNOWN states. A host in the TRANSITION state is likely to have limited or no network access.
System Rule: Security Posture: Audit Server Issue - Single Host.
This rule detects an excessive number of logs indicating audit server issues for a single host; the
indications can come from the host staying in the TRANSITION posture state for too long or an AAA
server reporting Audit Server communication problems for the same host. These events may indicate
that the audit server is having difficulty auditing the end host and updating its security posture status
from the TRANSITION state. A host enters the TRANSITION state when it is not running the Cisco
Trust Agent (CTA) software and requires an out-of-band audit by an audit server to move it out of the
TRANSITION state into one of the HEALTHY, INFECTED, QUARANTINE, CHECKUP or
UNKNOWN states. A host in the TRANSITION state is likely to have limited or no network access.
System Rule: Security Posture: Excessive NAC Status Query Failures - Network wide.
This rule detects excessive network-wide NAC status query failures reported by distinct end host and
Network Access Device (NAD) combinations. A status query failure indicates a change in posture
detected by the Cisco Trust Agent (CTA) after the initial authorization. Excessive status query
failures may be a sign of end point instability caused by the user enabling or disabling agents.
Excessive status query failures reported by distinct NAD and end host combinations may indicate a
critical software problem.
System Rule: Security Posture: Excessive NAC Status Query Failures - Single Host.
This rule detects excessive NAC status query failures from the same end host. A status query failure
indicates a change in posture detected by the Cisco Trust Agent (CTA) after the initial authorization.
Excessive status query failures may be a sign of end point instability caused by the user
enabling or disabling agents. The end host may be compromised; at the very least, this behavior is suspicious.
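The four Security Posture rules above share one shape: count posture indications per host, then decide whether the single-host or the network-wide variant fires. The Python below is an added example that applies all four descriptions (the two Audit Server Issue rules and the two Excessive NAC Status Query Failures rules) to a batch of constructed posture events. It is not MARS code; the `timestamp reporter key=value` line format, the event names `AUDIT_SERVER_COMM_FAIL` and `STATUS_QUERY_FAIL`, the hosts, the NAD names and every threshold are assumptions made for the illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed posture events in an assumed "timestamp reporter key=value ..." form.
# This is NOT the real ACS/MARS message format; hosts, NADs and event names are made up.
SAMPLE_EVENTS = """\
2007-03-01T09:00:00 aaa01 host=10.1.1.5 nad=sw1 state=TRANSITION
2007-03-01T09:05:00 aaa01 host=10.1.1.5 nad=sw1 state=TRANSITION
2007-03-01T09:12:00 aaa01 host=10.1.1.5 nad=sw1 state=TRANSITION
2007-03-01T09:00:00 aaa01 host=10.1.1.6 nad=sw1 state=TRANSITION
2007-03-01T09:03:00 aaa01 host=10.1.1.6 nad=sw1 state=HEALTHY
2007-03-01T09:01:00 aaa01 host=10.1.1.7 nad=sw2 event=AUDIT_SERVER_COMM_FAIL
2007-03-01T09:02:00 aaa01 host=10.1.1.7 nad=sw2 event=AUDIT_SERVER_COMM_FAIL
2007-03-01T09:04:00 aaa01 host=10.1.1.7 nad=sw2 event=AUDIT_SERVER_COMM_FAIL
2007-03-01T09:06:00 aaa02 host=10.1.1.8 nad=sw3 event=AUDIT_SERVER_COMM_FAIL
2007-03-01T09:10:00 aaa02 host=10.1.1.9 nad=sw1 event=STATUS_QUERY_FAIL
2007-03-01T09:11:00 aaa02 host=10.1.1.9 nad=sw1 event=STATUS_QUERY_FAIL
2007-03-01T09:13:00 aaa02 host=10.1.1.9 nad=sw1 event=STATUS_QUERY_FAIL
2007-03-01T09:14:00 aaa02 host=10.1.1.10 nad=sw2 event=STATUS_QUERY_FAIL
2007-03-01T09:15:00 aaa02 host=10.1.1.11 nad=sw3 event=STATUS_QUERY_FAIL
""".splitlines()

# Thresholds are assumptions for the illustration, not MARS defaults.
TRANSITION_MAX = timedelta(minutes=10)   # host still reported in TRANSITION after this long
AUDIT_FAIL_THRESHOLD = 3                 # audit server comm failures per host
NETWORK_WIDE_HOSTS = 3                   # distinct hosts with audit-server indications
SQ_FAIL_THRESHOLD = 3                    # status query failures per host
SQ_FAIL_PAIRS = 3                        # distinct (host, NAD) pairs with failures

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<reporter>\S+)\s+(?P<kv>.*)$")


def parse_event(line):
    """Parse one constructed event line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = dict(pair.split("=", 1) for pair in m.group("kv").split() if "=" in pair)
    ev["ts"] = datetime.fromisoformat(m.group("ts"))
    ev["reporter"] = m.group("reporter")
    return ev


def evaluate_posture_rules(lines):
    """Apply the four Security Posture rule descriptions and return sorted
    (rule name, subject) pairs; "*" marks a network-wide finding."""
    transition_span = {}            # host -> [first TRANSITION ts, last TRANSITION ts]
    audit_fail = defaultdict(int)   # host -> audit server communication failures
    sq_fail = defaultdict(int)      # host -> status query failures
    sq_pairs = set()                # distinct (host, NAD) with status query failures

    for line in lines:
        ev = parse_event(line)
        if ev is None or "host" not in ev:
            continue
        host = ev["host"]
        if ev.get("state") == "TRANSITION":
            span = transition_span.setdefault(host, [ev["ts"], ev["ts"]])
            span[1] = max(span[1], ev["ts"])
        elif ev.get("event") == "AUDIT_SERVER_COMM_FAIL":
            audit_fail[host] += 1
        elif ev.get("event") == "STATUS_QUERY_FAIL":
            sq_fail[host] += 1
            sq_pairs.add((host, ev.get("nad", "?")))

    alerts = set()
    # "Too long" in TRANSITION is approximated by the spread of TRANSITION reports.
    stuck = {h for h, (first, last) in transition_span.items()
             if last - first >= TRANSITION_MAX}
    # Single host: stuck in TRANSITION, or repeated audit server comm failures.
    for h in stuck | {h for h, n in audit_fail.items() if n >= AUDIT_FAIL_THRESHOLD}:
        alerts.add(("Security Posture: Audit Server Issue - Single Host", h))
    # Network wide: many distinct hosts showing either indication.
    if len(stuck | set(audit_fail)) >= NETWORK_WIDE_HOSTS:
        alerts.add(("Security Posture: Audit Server Issue - Network wide", "*"))
    for h, n in sq_fail.items():
        if n >= SQ_FAIL_THRESHOLD:
            alerts.add(("Security Posture: Excessive NAC Status Query Failures - Single Host", h))
    # Distinct (host, NAD) pairs rather than raw counts, as the rule text specifies.
    if len(sq_pairs) >= SQ_FAIL_PAIRS:
        alerts.add(("Security Posture: Excessive NAC Status Query Failures - Network wide", "*"))
    return sorted(alerts)


if __name__ == "__main__":
    for rule, subject in evaluate_posture_rules(SAMPLE_EVENTS):
        print(f"{rule:72} {subject}")
```

Note the difference between the two network-wide rules: the audit server rule counts distinct hosts, while the status query rule counts distinct host and NAD combinations, so three single failures from three hosts on three different switches fire the network-wide rule even though no single host crosses its own threshold.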
78-17020-01
User Guide for Cisco Security MARS Local Controller
List of System Rules
D-9