Dear Valued RSA Customer,
RSA is pleased to announce the addition of new and updated content to RSA Live’s Content Library. We have added a few useful submission links this month, so please take a moment to review the sections of this announcement and become familiar with the latest tools we are providing to help you detect threats to your environment. Of particular note this month, we have created parsers for identifying servers vulnerable to the latest Heartbleed exploits, as well as for identifying exploit attempts:
How to detect the Heartbleed Vulnerability using RSA Security Analytics
Parsers created to address Heartbleed are now available in RSA Live, for all RSA Live subscription tiers. The specific parsers are “TLS” and “TLS_lua”. Users already subscribed to either of these parsers will be updated automatically. Users not currently subscribed to either piece of content should disable the default TLS parser and subscribe to one of the two TLS parsers available on RSA Live. For customers running RSA NetWitness / RSA Security Analytics version 10.2 and below, use the Flex parser “TLS”. For those running versions 10.2 and above, use the Lua parser “TLS_lua”.
To detect vulnerable servers, look for instances of “openssl vulnerable to heartbleed” under the risk.informational meta key. To detect exploit attempts, look for “heartbleed data leak” under the risk.warning meta key.
Search for tag “heartbleed” on Live for a full list of parsers associated with Heartbleed.
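The two meta values above answer different questions: the risk.informational hit says a server is exposed, the risk.warning hit says someone tried to exploit it. The following is an added example, not RSA code, that turns a batch of session meta records into a per-server triage list ranked by those two signals. The risk.* keys and their values are taken from the announcement; ip.src, ip.dst and tcp.dstport are assumed standard meta keys, and the session records are constructed for the example.

```python
"""Added example (not RSA's): rank servers by Heartbleed exposure and attack pressure."""

VULNERABLE_TAG = "openssl vulnerable to heartbleed"  # risk.informational value from the TLS parsers
LEAK_TAG = "heartbleed data leak"                    # risk.warning value for an exploit attempt

# Constructed session meta records, one dict per session. ip.src / ip.dst /
# tcp.dstport are assumed standard meta keys; risk.* values are from the page.
SAMPLE_SESSIONS = [
    {"ip.src": "203.0.113.5",  "ip.dst": "192.0.2.10", "tcp.dstport": 443,
     "risk.informational": [VULNERABLE_TAG], "risk.warning": []},
    {"ip.src": "203.0.113.5",  "ip.dst": "192.0.2.10", "tcp.dstport": 443,
     "risk.informational": [], "risk.warning": [LEAK_TAG]},
    {"ip.src": "198.51.100.7", "ip.dst": "192.0.2.10", "tcp.dstport": 443,
     "risk.informational": [], "risk.warning": [LEAK_TAG]},
    {"ip.src": "203.0.113.9",  "ip.dst": "192.0.2.11", "tcp.dstport": 443,
     "risk.informational": [VULNERABLE_TAG], "risk.warning": []},
    {"ip.src": "203.0.113.9",  "ip.dst": "192.0.2.12", "tcp.dstport": 443,
     "risk.informational": [], "risk.warning": []},   # clean session, dropped from the report
]


def triage_heartbleed(sessions):
    """Group sessions by server (ip.dst:port) and return a ranked list of dicts.

    Ordering: servers flagged vulnerable first, then by the number of observed
    exploit attempts, then by name. Servers with neither flag are omitted so the
    output is a patch list, not an inventory.
    """
    servers = {}
    for s in sessions:
        key = "%s:%d" % (s["ip.dst"], s["tcp.dstport"])
        rec = servers.setdefault(key, {"server": key, "vulnerable": False,
                                       "leak_attempts": 0, "attackers": set()})
        if VULNERABLE_TAG in s.get("risk.informational", ()):
            rec["vulnerable"] = True
        if LEAK_TAG in s.get("risk.warning", ()):
            rec["leak_attempts"] += 1
            rec["attackers"].add(s["ip.src"])
    rows = [dict(r, attackers=sorted(r["attackers"]))
            for r in servers.values() if r["vulnerable"] or r["leak_attempts"]]
    rows.sort(key=lambda r: (not r["vulnerable"], -r["leak_attempts"], r["server"]))
    return rows


if __name__ == "__main__":
    for row in triage_heartbleed(SAMPLE_SESSIONS):
        print(row)
```

A server that shows exploit attempts but no vulnerability flag still appears in the list: the parser only marks a server vulnerable when it sees a server response that proves it, so attempts against a server that has not yet been observed responding are worth a look rather than being silently dropped.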
The categories of new and updated content are as follows:
Application Rules
Event Stream Analysis Rules
Log (Device) Parsers
LUA Parsers
Flex Parsers
Security Analytics Rules
The Latest Research from RSA
Introducing a new blog that details how emergent malware is designed to defeat hash-based solutions.
The Malware Factory and Massive Morphing Malware
RSA’s FirstWatch team has posted a blog detailing a new variant of Kazy that uses a wrapped JSON file for its Command and Control. A simple detection rule is included, as is a PCAP for analysis and testing purposes.
New Kazy Variant: Kazy Force
Additionally, RSA’s Content team is updating log parser support for major IDS/IPS vendors as they release Heartbleed specific signatures. Currently RSA’s Content team has updated support for Cisco, Snort, and SourceFire, with more being added as they become available.
We look forward to presenting you new content updates next month!
Regards,
The RSA Security Analytics Content Team
Content Updates
Updated Application Rules
Enhanced
Title: suspicious php put long query
Desc: Detects PUT requests to PHP pages that include extremely long query strings. This behavior is often indicative of encoded botnet or malware check-in traffic.
New ESA Rules
Title: Detect Port Knocking Packet
Desc: Detects when four failed port connection attempts are followed by a successful connection from a single source within the specified time period. You can configure the time period (default is five minutes), IP sources (list of IP addresses to exclude from the alert), and the port range (RANGE followed by the port numbers).
Title: Multiple Login Failures from Same Source IP with Unique Usernames
Desc: Detects when multiple failed login events from the same source IP address, each with a different username, occur within the specified time period. You can configure the time period (default is 180 seconds) and the number of failed logins (default is three).
Title: Detects Router configuration attempts
Desc: Detects when someone tries to change a router configuration. The alert triggers when the Event Classification Tags (ECT) of ec.subject is equal to Configuration, ec.activity is equal to Modify, and device.class is equal to Router. The alert also triggers when the NWFL_config:router-change application rule is matched.
Title: Multiple SYN packets from Same Source
Desc: Detects when the specified number of SYN packets from the same source occur in the specified time period. You can configure the time period (default is 60 seconds) and the SYN count (default is 100 packets).
Title: Backdoor Activity Detected
Desc: Detects backdoor activity within log files. The rule triggers an alert when the Event Classification Tags (ECT) of ec.theme is equal to TEV and ec.activity is equal to Detect in combination with a variation of the backdoor keyword found in policy.name or event.category.name. You can add a list of backdoor names that the rule looks for by default in both policy.name and event.category.name.
Title: Windows User Added to Administrators Group and Security Disable.
Desc: Detects when a Windows user was added to an administrative group and the security center or manager was disabled within the specified time period. You can configure the list of administrator groups and the time period (default value is five minutes). Note: This rule uses the accesses and event.desc non-standard meta keys. You must implement these non-standard meta keys after you download this rule.
Title: Detection of Encrypted Traffic to Countries
Desc: Detects when there is encrypted traffic to an IP address registered in the specified list of destination countries. Note: You must upload and enable the TLS_lua parser, the SSH_lua parser and their dependencies on the Decoder. You can configure the list of destination countries using a colon ":" as a delimiter to separate each country in the list.
Title: Multiple Logs from a MsgID Set with Same SourceIP and DestinationIP
Desc: Detects when multiple log events from the specified list of message IDs with the same source IP and destination IP take place in the specified time period. You can configure the number of log events (default value is three), the list of message IDs, and the time period (default is 300 seconds).
Title: Multiple Unique Logs from MsgID Set with Same SourceIP and DestinationIP
Desc: Detects when the specified number of log events from the specified list of message IDs (each log must have a unique message ID among the specified set of IDs) with the same source IP and destination IP occur in the specified time period. You can configure the number of log events (default value is three), the list of message IDs, and the time period (default is 300 seconds).
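Two of the rules above, "Detect Port Knocking Packet" and "Multiple Login Failures from Same Source IP with Unique Usernames", are both sliding-window correlations keyed on the source IP, but one looks for a sequence (failures followed by a success) and the other for a distinct count (unique usernames). The following is an added example, written here and not RSA's ESA rule code, that implements both over constructed log events so the window and threshold behaviour described in the rule text can be seen on sample data. The defaults (five minutes and four failures; 180 seconds and three logins) are the ones stated above; the event field names, the exclusion list and the assumption that the configured port range applies to the failed attempts are this example's own.

```python
"""Added example (not RSA's ESA rules): windowed correlation over sample log events."""
from collections import defaultdict, deque

# Constructed sample events, sorted by timestamp in seconds. Field names are
# this example's own, not NetWitness meta keys.
SAMPLE_EVENTS = [
    {"ts": 0,   "kind": "login", "src": "203.0.113.5",  "user": "alice", "outcome": "fail"},
    {"ts": 20,  "kind": "login", "src": "203.0.113.5",  "user": "bob",   "outcome": "fail"},
    {"ts": 40,  "kind": "login", "src": "203.0.113.5",  "user": "alice", "outcome": "fail"},  # repeat name
    {"ts": 60,  "kind": "login", "src": "203.0.113.5",  "user": "carol", "outcome": "fail"},  # third unique name
    {"ts": 70,  "kind": "login", "src": "198.51.100.9", "user": "dave",  "outcome": "fail"},
    {"ts": 100, "kind": "conn",  "src": "192.0.2.7",  "dport": 7000,  "outcome": "fail"},
    {"ts": 101, "kind": "conn",  "src": "192.0.2.7",  "dport": 8000,  "outcome": "fail"},
    {"ts": 102, "kind": "conn",  "src": "192.0.2.7",  "dport": 9000,  "outcome": "fail"},
    {"ts": 103, "kind": "conn",  "src": "192.0.2.7",  "dport": 10000, "outcome": "fail"},
    {"ts": 105, "kind": "conn",  "src": "192.0.2.7",  "dport": 22,    "outcome": "success"},  # sequence complete
    {"ts": 110, "kind": "conn",  "src": "10.0.0.2",   "dport": 7000,  "outcome": "fail"},     # internal scanner
    {"ts": 111, "kind": "conn",  "src": "10.0.0.2",   "dport": 8000,  "outcome": "fail"},
    {"ts": 112, "kind": "conn",  "src": "10.0.0.2",   "dport": 9000,  "outcome": "fail"},
    {"ts": 113, "kind": "conn",  "src": "10.0.0.2",   "dport": 10000, "outcome": "fail"},
    {"ts": 115, "kind": "conn",  "src": "10.0.0.2",   "dport": 22,    "outcome": "success"},
    {"ts": 300, "kind": "login", "src": "198.51.100.9", "user": "erin",  "outcome": "fail"},  # dave's has expired
]


def detect_unique_user_login_failures(events, window=180, threshold=3):
    """Alert when failed logins naming at least `threshold` distinct users arrive
    from one source within `window` seconds. Repeated names do not count."""
    history = defaultdict(deque)  # src -> deque of (ts, user) for recent failures
    alerts = []
    for ev in events:
        if ev.get("kind") != "login" or ev.get("outcome") != "fail":
            continue
        q = history[ev["src"]]
        q.append((ev["ts"], ev["user"]))
        while q and ev["ts"] - q[0][0] > window:   # expire failures outside the window
            q.popleft()
        users = {u for _, u in q}
        if len(users) >= threshold:
            alerts.append({"src": ev["src"], "ts": ev["ts"], "users": sorted(users)})
            q.clear()                               # fire once per burst, not once per event
    return alerts


def detect_port_knocking(events, window=300, failures=4,
                         exclude=frozenset(), port_range=(1, 65535)):
    """Alert when `failures` failed connection attempts from one source (to ports
    inside `port_range`, an assumption of this example) are followed by a
    successful connection from the same source within `window` seconds.
    Sources in `exclude` are never alerted on."""
    lo, hi = port_range
    history = defaultdict(deque)  # src -> deque of timestamps of recent failures
    alerts = []
    for ev in events:
        if ev.get("kind") != "conn" or ev["src"] in exclude:
            continue
        q = history[ev["src"]]
        while q and ev["ts"] - q[0] > window:
            q.popleft()
        if ev["outcome"] == "fail":
            if lo <= ev["dport"] <= hi:
                q.append(ev["ts"])
        elif ev["outcome"] == "success" and len(q) >= failures:
            alerts.append({"src": ev["src"], "ts": ev["ts"],
                           "failed_attempts": len(q), "dport": ev["dport"]})
            q.clear()
    return alerts


if __name__ == "__main__":
    for a in detect_unique_user_login_failures(SAMPLE_EVENTS):
        print("login failures:", a)
    for a in detect_port_knocking(SAMPLE_EVENTS, exclude=frozenset({"10.0.0.2"})):
        print("port knocking:", a)
```

Both detectors expire old entries on every new event rather than on a timer, which is the simplest way to get correct window semantics on an ordered stream; the trade-off is that a source which goes quiet keeps its stale deque until its next event arrives, so a production rule engine would also need periodic cleanup.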
Updated ESA Rules
Title: Multi-Service connection attempts_Pckt
Desc: Detects multiple connection failures, based on packet data, from the same source to multiple common service ports (destination ports, e.g. TCP 21, 22, 23, 25, 80, 8080, 443) of the same destination within a time period of five minutes. The time window, the list of destination ports to be monitored, and the number of connection attempts are configurable.
Title: Account Created and Deleted within an hour.
Desc: Account Created and Deleted within an hour.
New Log Parsers
Title: Oracle Access manager
Desc: Log Device content for event source Oracle Access manager - oracleam
Updated Log Parsers
Title: Envision Content File
Desc: This file is used to update the content file for NWFL
Title: Arbor Peakflow SP
Desc: Log Device content for event source Arbor Peakflow SP - arborpeakflowsp
Title: F5 BigIP
Desc: Log Device content for event source F5 BigIP - bigip
Title: Blue Coat ELFF
Desc: Log Device content for event source Blue Coat ELFF - cacheflowelff
Title: Cisco ASA
Desc: Log Device content for event source Cisco ASA - ciscoasa
Title: Cisco Secure IDS XML
Desc: Log Device content for event source Cisco Secure IDS XML - ciscoidsxml
Title: Cisco Security Agent
Desc: Log Device content for event source Cisco Security Agent - ciscosecagent
Title: Dragon IDS
Desc: Log Device content for event source Dragon IDS - dragonids
Title: eEye Blink
Desc: Log Device content for event source eEye Blink - eeyeblink
Title: eEye REM
Desc: Log Device content for event source eEye REM - eeyerem
Title: F5 Firepass
Desc: Log Device content for event source F5 Firepass - firepass
Title: Fortinet FortiGate
Desc: Log Device content for event source Fortinet FortiGate - fortinet
Title: Infoblox NIOS
Desc: Log Device content for event source Infoblox NIOS - infobloxnios
Title: IntruShield
Desc: Log Device content for event source IntruShield - intrushield
Title: Invincea
Desc: Log Device content for event source Invincea - invincea
Title: McAfee Email Gateway
Desc: Log Device content for event source McAfee Email Gateway - ironmail
Title: iSeries
Desc: Log Device content for event source iSeries - iseries
Title: ISS Realsecure
Desc: Log Device content for event source ISS Realsecure - iss
Title: Juniper SSL VPN
Desc: Log Device content for event source Juniper SSL VPN - junipervpn
Title: Kaspersky Anti-Virus
Desc: Log Device content for event source Kaspersky Anti-Virus - kasperskyav
Title: Microsoft Exchange
Desc: Log Device content for event source Microsoft Exchange - msexchange
Title: Netapp
Desc: Log Device content for event source Netapp - netapp
Title: Netscreen
Desc: Log Device content for event source Netscreen - netscreen
Title: Oracle
Desc: Log Device content for event source Oracle - oracle
Title: Palo Alto Networks Firewall
Desc: Log Device content for event source Palo Alto Networks Firewall - paloaltonetworks
Title: SAP ERP Central Component
Desc: Log Device content for event source SAP ERP Central Component - sap
Title: Snort/Sourcefire
Desc: Log Device content for event source Snort/Sourcefire - snort
Title: Symantec AntiVirus/Endpoint Protection
Desc: Log Device content for event source Symantec AntiVirus/Endpoint Protection - symantecav
Title: Trend Micro Deep Security
Desc: Log Device content for event source Trend Micro Deep Security - trendmicrods
Title: Trend Micro Deep Security Agent
Desc: Log Device content for event source Trend Micro Deep Security Agent - trendmicrodsa
Title: VMware ESX / ESXi
Desc: Log Device content for event source VMware ESX / ESXi - vmware_esx_esxi
Title: VMware View
Desc: Log Device content for event source VMware View - vmware_view
Title: Windows Events (NIC)
Desc: Log Device content for event source Windows Events (NIC) - winevent_nic
Title: Linux
Desc: Log Device content for event source Linux - rhlinux
New Lua Parsers
Title: TFTP_lua
Desc: Identifies Trivial File Transfer Protocol and extracts names of files transferred.
Updated Lua Parsers
Title: TLS_lua
Desc: Identifies TLS and SSL sessions. Extracts the Certificate Authority Subject and Serial Number from x509v3 certificates.
Title: MAIL_lua
Desc: Replicates in Lua the functionality of the native and Flex MAIL parsers. Extracts values such as from, to, and subject from email messages.
Title: rtmp_lua
Desc: Identifies tunneled Real Time Messaging Protocol packets.
Title: fingerprint_job
Desc: Identifies Windows .job task scheduling files.
Title: RDP_lua
Desc: Identifies the Microsoft Remote Desktop Protocol.
Title: windows executable
Desc: Identifies Windows executables and analyzes them for anomalies and other suspicious characteristics.
Title: IRC_verbose_lua
Desc: Expanded IRC parsing implemented in Lua.
Updated Flex Parsers
Title: TLS
Desc: Parses SSL/TLS certificates. Specifically, it looks for the first certificate in a chain and extracts the Issuer Organizational Name (meta ssl.ca), Subject Organizational Name (meta ssl.subject), and Subject Common Name (meta alias.host).
Title: DNS - Verbose
Desc: Identifies DNS sessions. Registers queries and responses including record types. Registers protocol errors. Detects and registers anomalies.
Title: Advanced Windows Executable
Desc: Detects executable content and assigns it a threat rating according to the level of code obfuscation evident in the binary structure.
Title: Botnet Traffic Patterns
Desc: Detects patterns associated with many known botnets.
Title: File Fingerprints
Desc: Forensically fingerprints various filetypes.
NOTE: This parser is deprecated and the individual "fingerprint_*" parsers should be used in its place.
Updated Security Analytics Rules
Title: Failed Remote Access Summary
Desc: Compliance Rule- Failed Remote Access Summary
Title: Successful Remote Access Summary
Desc: Compliance Rule- Successful Remote Access Summary
Seeking Customer Developed Parsers, Rules, and Reports
Security Analytics content will be evolving in 2014, both in functionality and presentation. We’d like to work more closely with our customers in order to provide content that helps you find the threats that matter most to you. Your feedback, suggestions, and general questions are always appreciated.
-Have you created a parser, rule, or report that you think is widely applicable across the SA User Community? Let us know about it! Reach out to us at:
Your emails will go directly to the Content Management team and we are looking forward to working with you to help evolve our content offering.
-Do you want to request support for a new log source or protocol?
For Log Parser Requests go here: https://emcinformation.com/64308/REG/.ashx
For Protocol Parser Requests go here: https://emcinformation.com/139605/SI/.ashx
-Do you want to request use cases for Event Stream Analysis Rules?
Please use our request form: https://emcinformation.com/204401/REG/.ashx
-The content team will also be heavily engaged with the EMC Community portal this year. Not only is the Community a great place for us to communicate directly with our customers, it is also a wonderful resource for our customers to gain tips and tricks from our research engineers and early access to our various pieces of security research. Not a member? Sign up here: