Cisco CS-MARS-20-K9 - Security MARS 20 User Manual page 552

List of System Rules
This correlation rule detects specific attacks on RPC services on a host followed by suspicious
activity on the targeted host. Suspicious activity may include the host scanning the network, creating
excessive firewall deny traffic, a backdoor opening up at the server, etc. The attack may be preceded
by reconnaissance attempts targeted to that host. Attacks on RPC services include buffer
overflows, remote command execution attempts using system privileges, and denial of service attempts.
System Rule: Server Attack: SCADA Modbus - Attempt.
This correlation rule detects attacks on Modbus servers, preceded by reconnaissance attempts
targeted to that host, if any. The attacks include buffer overflows, denial of service attempts, etc.
The Modbus protocol is the de facto standard in industrial control communications and is the protocol of
choice in a Supervisory Control and Data Acquisition (SCADA) communications network, where
the programmable logic controllers (PLCs) act as Modbus servers.
System Rule: Server Attack: Sniffer - Attempt.
This correlation rule detects denial of service attacks on a host in promiscuous mode (e.g. a network
IDS host).
System Rule: Server Attack: Sniffer - Success Likely.
This correlation rule detects denial of service attacks on a host in promiscuous mode (e.g. a network
IDS host) followed by the destination host reporting functionally anomalous behavior.
System Rule: Server Attack: SNMP - Attempt.
This correlation rule detects attacks on the SNMP implementation on a host, preceded by
reconnaissance attempts targeted to that host, if any. The attacks include buffer overflows, privilege
escalation attempts to become root, etc.
System Rule: Server Attack: SNMP - Success Likely.
This correlation rule detects specific attacks on the SNMP implementation on a host followed by
suspicious activity on the targeted host. Suspicious activity may include the host scanning the
network, creating excessive firewall deny traffic, a backdoor opening up at the server, etc. The attack
may be preceded by reconnaissance attempts targeted to that host. The attacks include buffer
overflows, remote command execution attempts using system privileges, and denial of service attempts.
System Rule: Server Attack: Web - Attempt.
This correlation rule detects attacks on a web server, preceded by reconnaissance attempts targeted
to that host, if any. The attacks include buffer overflows, remote command execution attempts,
denial of service attempts, etc.
System Rule: Server Attack: Web - Success Likely.
This correlation rule detects specific attacks on a web server followed by suspicious activity on the
targeted host. Suspicious activity may include the host scanning the network, creating excessive
firewall deny traffic, a backdoor opening up at the server, etc. The attack may be preceded by
reconnaissance attempts targeted to that host. The attacks include buffer overflows, remote
command execution attempts, denial of service attempts, etc.
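The Attempt / Success Likely distinction that the Server Attack rules above share, as an added Python example (not MARS code and not its rule syntax): an attack event against a host yields an Attempt verdict, and if that same host then scans the network or generates excessive firewall deny traffic within a time window, the verdict is raised to Success Likely. The event type names, the 600-second window, the deny threshold and the sample events are all constructed assumptions.

```python
from collections import defaultdict

# Constructed sample events: (seconds, event type, source, destination).
# Not MARS output; the event type names are assumptions for this example.
EVENTS = [
    (0, "recon_portscan", "10.0.0.5", "192.168.1.10"),    # recon preceding the attack
    (30, "web_attack", "10.0.0.5", "192.168.1.10"),
    (120, "portscan", "192.168.1.10", "192.168.2.0/24"),  # victim now scanning the network
    (200, "web_attack", "10.0.0.6", "192.168.1.20"),      # attack with no follow-on activity
    (300, "web_attack", "10.0.0.7", "192.168.1.30"),
] + [(310 + i, "fw_deny", "192.168.1.30", "203.0.113.9") for i in range(6)]  # excessive denies

ATTACK_TYPES = {"web_attack"}                 # events that open an "Attempt" on the destination host
SUSPICIOUS_TYPES = {"portscan", "backdoor_listen"}  # follow-on activity from the attacked host
WINDOW = 600            # assumed correlation window in seconds
DENY_THRESHOLD = 5      # assumed "excessive firewall deny traffic" threshold


def correlate(events, window=WINDOW, deny_threshold=DENY_THRESHOLD):
    """Return {target host: 'Attempt' | 'Success Likely'} for every attacked host."""
    verdicts = {}
    attack_time = {}            # first attack seen per target
    denies = defaultdict(int)   # firewall denies generated by an attacked host
    for t, kind, src, dst in sorted(events):
        if kind in ATTACK_TYPES:
            attack_time.setdefault(dst, t)
            verdicts.setdefault(dst, "Attempt")
            continue
        # Follow-on activity counts only if it comes from a host attacked earlier, within the window.
        if src in attack_time and 0 <= t - attack_time[src] <= window:
            if kind in SUSPICIOUS_TYPES:
                verdicts[src] = "Success Likely"
            elif kind == "fw_deny":
                denies[src] += 1
                if denies[src] >= deny_threshold:
                    verdicts[src] = "Success Likely"
    return verdicts


if __name__ == "__main__":
    for host, verdict in sorted(correlate(EVENTS).items()):
        print(f"Server Attack: Web - {verdict}: {host}")
```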
System Rule: State Change: Host.
This correlation rule detects significant host status change events such as the system failing or rebooting,
interface cards coming up and down, the audit log filling up or getting deleted, etc.
System Rule: State Change: Network Device.
This correlation rule detects significant network status change events such as the system failing,
failover occurring, interface cards coming up and down, etc.
System Rule: State Change: SCADA Modbus.
User Guide for Cisco Security MARS Local Controller, Appendix D: System Rules and Reports, page D-12 (78-17020-01)