Cisco CS-MARS-20-K9 - Security MARS 20 User Manual page 550

List of System Rules
System Rule: Security Posture: Excessive NAC Status Query Failures - Single NAD.
This rule detects excessive NAC status query failures from distinct hosts to the same Network
Access Device (NAD). A status query failure indicates a change in posture detected by the Cisco
Trust Agent (CTA) after the initial authorization. Excessive status query failures from one host may
be a sign of endpoint instability caused by the user enabling or disabling agents. Excessive status
query failures from distinct hosts reported by the same NAD may indicate a problem at the NAD.
System Rule: Security Posture: Infected - Network wide.
This rule detects that many distinct hosts are reporting INFECTED security posture status for an
excessive period of time. This implies that a significant number of hosts are having trouble getting
cleaned.
System Rule: Security Posture: Infected - Single Host.
This rule detects that a particular host is reporting INFECTED security posture status for an
excessive period of time. This implies that the host is having trouble getting cleaned.
System Rule: Security Posture: Quarantined - Network wide.
This rule detects that many distinct hosts are reporting QUARANTINED security posture status for
an excessive period of time. This implies that a significant number of hosts are having trouble
getting DAT file updates.
System Rule: Security Posture: Quarantined - Single Host.
This rule detects that a particular host is reporting QUARANTINED security posture status for an
excessive period of time. This implies that the host is having trouble getting DAT file updates.
System Rule: Server Attack: Database - Attempt.
This correlation rule detects attacks on a database server, preceded by reconnaissance attempts
targeted to that host, if any. The attacks include buffer overflows, denial of service attempts, SQL
Injection and other remote command execution attempts using database server privileges.
System Rule: Server Attack: Database - Success Likely.
This correlation rule detects specific attacks on a database server followed by suspicious activity on
the targeted host. Suspicious activity may include the host scanning the network, creating excessive
firewall deny traffic, a backdoor opening up at the server, etc. The attack may be preceded by
reconnaissance attempts targeted to that host. The attacks on a database server include buffer
overflows, denial of service attempts, SQL injection and other remote command execution attempts
using database server privileges.
System Rule: Server Attack: DNS - Attempt.
This correlation rule detects specific attacks on a DNS host, preceded by reconnaissance attempts
targeted to that host, if any. Attacks on a DNS host include buffer overflow attempts and denial of
service attempts.
System Rule: Server Attack: DNS - Success Likely.
This correlation rule detects likely successful attacks on a DNS host: an attack is considered
successful if it is followed by suspicious activity on the targeted DNS server. Suspicious activity
includes the host scanning the network, creating excessive firewall deny traffic, a backdoor opening
up at the server, etc. The attack may be preceded by reconnaissance attempts targeted to that host.
System Rule: Server Attack: FTP - Attempt.
This correlation rule detects attacks on an FTP server, preceded by reconnaissance attempts targeted
to that host, if any. The attacks include buffer overflows, remote command execution attempts using
FTP server privileges, and denial of service attempts.
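The "Attempt" and "Success Likely" rule pairs above (Database, DNS, FTP) share one correlation pattern: an attack event against a server host, optionally preceded by reconnaissance against that host, and, for "Success Likely", followed within some window by suspicious activity originating from the attacked host. The following is an added example, not MARS code or Cisco's rule logic, that implements that pattern over a constructed, normalized event log. The event categories (recon, attack, suspicious), the line format and the two time windows are assumptions chosen for illustration; a real deployment would derive them from the sensor's own event types and tune the windows to its environment.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Event:
    ts: datetime
    kind: str      # hypothetical normalized category: "recon", "attack" or "suspicious"
    src: str       # source host
    dst: str       # destination host (the server for recon/attack events)
    detail: str


def parse_events(lines):
    """Parse constructed 'timestamp kind src dst detail...' lines, oldest first."""
    events = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ts, kind, src, dst, detail = line.split(maxsplit=4)
        events.append(Event(datetime.fromisoformat(ts), kind, src, dst, detail))
    return sorted(events, key=lambda e: e.ts)


def recon_before(events, target, before, window):
    """Reconnaissance events aimed at target in the window before time 'before'."""
    return [e for e in events
            if e.kind == "recon" and e.dst == target and before - window <= e.ts < before]


def correlate_attempts(events, recon_window=timedelta(hours=2)):
    """'Server Attack: <service> - Attempt' shape: every attack on a server host,
    bundled with any reconnaissance seen against that host in the preceding window."""
    return [{"target": e.dst, "attack": e,
             "recon": recon_before(events, e.dst, e.ts, recon_window)}
            for e in events if e.kind == "attack"]


def correlate_success_likely(events, followup_window=timedelta(minutes=30),
                             recon_window=timedelta(hours=2)):
    """'Server Attack: <service> - Success Likely' shape: an attack followed, within
    followup_window, by suspicious activity whose *source* is the attacked host
    (network scanning, excessive firewall denies, backdoor traffic and the like)."""
    incidents = []
    for atk in events:
        if atk.kind != "attack":
            continue
        followup = [e for e in events
                    if e.kind == "suspicious" and e.src == atk.dst
                    and atk.ts < e.ts <= atk.ts + followup_window]
        if followup:                      # no follow-on activity -> stays an "Attempt" only
            incidents.append({"target": atk.dst, "attack": atk,
                              "recon": recon_before(events, atk.dst, atk.ts, recon_window),
                              "followup": followup})
    return incidents


# Constructed sample log (not real MARS output). The second attack has suspicious
# activity from its target, but hours later, outside the follow-up window.
SAMPLE_LOG = """
2024-05-01T09:00:00 recon 10.0.0.5 10.1.1.20 tcp port sweep 1-1024
2024-05-01T09:20:00 attack 10.0.0.5 10.1.1.20 SQL injection attempt against listener
2024-05-01T09:25:00 suspicious 10.1.1.20 10.1.1.0/24 excessive outbound firewall denies
2024-05-01T09:31:00 suspicious 10.1.1.20 10.1.1.21 host scanning network
2024-05-01T09:40:00 attack 10.0.0.9 10.1.1.30 buffer overflow attempt against FTP daemon
2024-05-01T13:00:00 suspicious 10.1.1.30 10.1.1.31 host scanning network
"""


def main():
    events = parse_events(SAMPLE_LOG.splitlines())
    for a in correlate_attempts(events):
        print(f"ATTEMPT  target={a['target']} recon_events={len(a['recon'])}: {a['attack'].detail}")
    for inc in correlate_success_likely(events):
        print(f"SUCCESS LIKELY target={inc['target']} followup_events={len(inc['followup'])}")


if __name__ == "__main__":
    main()
```

Keying the follow-up match on the attacked host being the *source* of the suspicious activity is what separates "Success Likely" from "Attempt": the rule only escalates when the server itself starts behaving abnormally, which is the post-compromise signal the descriptions above rely on.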
System Rule: Server Attack: FTP - Success Likely.
User Guide for Cisco Security MARS Local Controller, Appendix D, System Rules and Reports, page D-10 (78-17020-01)