Dear Valued RSA Customer,
RSA is pleased to announce the addition of new and updated content to RSA Live’s Content Library. This is a large update and our format has changed a bit, so please take a moment to review the various sections in this announcement to become familiar with the latest tools we are providing you to detect threats to your environment.
The categories of new and updated content are as follows:
Event Stream Analysis Rules
Log Collector
Log Parsers
LUA Parsers
Yara Rules
Flex Parsers
Reports
Report Engine Rules
Seeking Customer Developed Parsers, Rules and Reports
Security Analytics content will be evolving in 2014, both in functionality and presentation. We would like to work more closely with our customers in order to provide content that helps you find the threats that matter most to you. Your feedback, suggestions, and general questions are always appreciated.
1) Have you created a parser, rule, or report that would be helpful to the broader RSA User Community? If so, let us know about it! Reach out to us via email at:
Your emails will go directly to the content management team and we are looking forward to working with you to help evolve our content offering.
2) Do you want to request support for a new log source or protocol?
For Log Parser Requests go here: https://emcinformation.com/64308/REG/.ashx
For Protocol Parser Requests go here: https://emcinformation.com/139605/SI/.ashx
3) The content team will also be heavily engaged with the EMC Community portal this year. Not only is the Community a great place for us to communicate directly with our customers, but it’s a wonderful resource for our customers to gain tips and tricks from our research engineers as well as gain early access to our various pieces of security research. Not a member? Sign up here:
https://developer-content.emc.com/login/register.asp
The Latest Threat Research From RSA
- Our RSA Incident Response Team’s research dissecting Shell Crew and their malicious tactics, techniques, and procedures was recently released. As a supplement to this report we have released a digital appendix of content that can be utilized in Security Analytics as well as RSA ECAT to help identify instances of Shell Crew. RSA Security Analytics customers can subscribe to this content via RSA Live. The full report can be found here:
http://www.emc.com/collateral/white-papers/h12756-wp-shell-crew.pdf
- RSA FirstWatch Intelligence Team published a well received article about the Chewbacca Trojan and its role in stealing payment card data here:
- Also, below are FirstWatch Intelligence Team’s recent Feeds:
Malicious Filename Feed
Malicious UA Feed
https://community.emc.com/thread/187497
Zbot Detection Feed:
How To Receive Notifications And Announcements
One final thought, if you haven’t already registered to RSA’s SecurCare Online support site, please do so. Being a member allows you to subscribe to notifications and announcements for the entire suite of RSA security products. From new release announcements to end of support notifications, SecurCare Online keeps you informed about what’s happening with your RSA product.
We look forward to forging a stronger relationship with you in 2014 as we move to evolve our content and improve your total content experience.
If you have suggestions about how you would like to see this type of messaging formatted in the future, let us know about it. Please keep in mind that this is an unusually large update and future notifications will be much smaller.
Content Updates
New Event Stream Analysis Rules for Correlation and Complex Event Processing
Title: Multiple login failures from same source for username that does not exist
Desc: Alert when log events contain multiple login failures from the same source within 180 seconds where the failure is due to a username that does not exist. This differs from the case where the username exists but the logon fails because of a bad password: here the user itself does not exist and is attempting to log on repeatedly from the same machine. Both the time window and the number of failed logins are configurable.
Title: Multiple failed logins from a single user from multiple different sources to same destination in X seconds
Desc: Alert when log events contain multiple failed logins from a single user from multiple different sources to the same destination within 3600 seconds. Both the time window and the number of failed logins are configurable.
Filename: esa000039.esaa
Title: Multiple successful logins from a single user from multiple different sources to the same destination
Desc: Alert when log events contain multiple successful logins from a single user from multiple different sources to the same destination within 3600 seconds. Both the time window and the number of successful logins are configurable.
Title: User added to admin group then syslog is disabled
Desc: A user was added to one of the listed groups and the same user then stops the syslog/rsyslog service on a Linux machine. The rule relies on ec tags for group modification. A Linux machine does not generate an event for stopping the syslog service, but an event is generated for stopping kernel logging; that event is used to fire the rule.
Title: Single source, Same IDS / IPS message type, different destination IP
Desc: Detects similar IDS/IPS events from the same source to multiple destination IPs. The count of unique destinations and the time window are configurable.
Title: Privilege Escalation Detected for Unix devices
Desc: Detects two kinds of events: a user escalates privileges using su, or an administrator adds a user to a user-defined list of groups.
Title: SSH traffic detected from a single source to different destinations
Desc: Detects SSH traffic (service=22) coming from a single source to multiple destinations within a given time. The number of destinations, the service and the time window are configurable.
Title: Multiple failed logins from multiple different users from same source to same destination
Desc: Alert when log events contain multiple failed logins from multiple different users from the same source to the same destination within 180 seconds. Both the time window and the number of failed logins are configurable.
Title: Multiple successful logins from a single user from multiple different sources to multiple destinations
Desc: Alert when log events contain multiple successful logins from a single user from multiple different sources to multiple different destinations within 180 seconds. Both the time window and the number of successful logins are configurable.
Title: DNS Lookups From the Same Host
Desc: Detects 50 DNS lookups in 60 seconds from the same source IP. Both the time window and the number of lookups are configurable.
Title: File Transfer Using Non Standard Port
Desc: A file was transferred using a non-standard TCP destination port. Both the list of file extensions and the list of standard TCP ports are configurable. The statement fires if the TCP destination port does not equal one of the configured standard ports.
Title: User added to admin group then ssh is enabled
Desc: A user was added to one of the configured groups and the same user then starts the syslog/rsyslog service on a Linux machine. The rule relies on Event Categorization Tags (ECT) for group modification. For this rule to work, infobloxnios should be disabled. The time window, the service name and the list of administrator groups are configurable. This rule uses the non-standard meta key client, so it must be made available to the Log Decoder and Concentrator by updating index-concentrator-custom.xml and/or table-map.xml.
Title: Non SMTP Traffic on TCP Port 25 Containing Executable
Desc: Monitors for non-SMTP traffic on TCP destination port 25 containing an executable. Both the list of executable file extensions and the TCP port for SMTP traffic are configurable. This rule assumes that the connection does not need to be successful at both the client and server; a single event matching the filter criteria should trigger the rule.
Title: HTTP Outbound Traffic to Multiple Destinations From Single Source
Desc: HTTP outbound traffic to 50 unique destination IPs from a single source IP within 60 seconds. Outbound traffic is defined as traffic whose destination is not a private reserved address; the source IP must be within the RFC 1918 ranges. The time window, the number of unique destination IPs and the source IP whitelist are all configurable. All events are grouped by ip.src, and 50 must occur within 60 seconds.
Title: Multi-Service connection attempts_Pckt
Desc: Multiple connection failures detected from packet data from the same source to multiple common service ports (destination ports, e.g. TCP 21, 22, 23, 25, 80, 8080, 443) of the same destination within a 5 minute period. The time window, the list of destination ports to be monitored and the number of connection attempts are configurable.
Title: Root fail ESX server (x3) + Root success to ESX server + VMClone
Desc: Alert if there are multiple (here, assumed as 3) root login failures to an ESX server, followed by a root login success to the ESX server, followed by a VMClone event, all within 5 minutes. The time window is configurable.
Title: Non HTTP Traffic on TCP Port 80 Containing Executable
Desc: Monitors for non-HTTP traffic on TCP destination port 80 containing an executable. Both the list of executable file extensions and the TCP port for HTTP traffic are configurable. This rule assumes that the connection does not need to be successful at both the client and server; a single event matching the filter criteria should trigger the rule.
Title: Account Created and Deleted within an hour.
Desc: Account Created and Deleted within an hour.
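The correlation rules above share one windowed-counting pattern: group events by one or more fields, count the events (or the distinct values of some field) that fall inside a sliding time window, and fire when the count reaches a configurable threshold. The Python below is an added illustration of that pattern written for this announcement; it is not RSA's ESA rule content (which ships as .esaa files, as the filename above shows), and the event field names (time, outcome, user, ip_src, ip_dst, reason) and the sample events are constructed for the example. It implements two of the listed rules, nonexistent-user failures from one source within 180 seconds and one user failing from multiple sources to one destination within 3600 seconds, and shows why a bad-password failure and a successful login do not count towards them.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Callable, Deque, Dict, List, Optional, Tuple

# Constructed log events for the example. The field names are ASSUMED and only
# loosely modelled on the meta keys the announcement mentions (ip.src, ip.dst,
# ec tags); they are not the Security Analytics schema.
SAMPLE_EVENTS: List[dict] = [
    # five "user does not exist" failures from one source inside 180 s
    {"time": 0,   "outcome": "Failure", "user": "ghost", "ip_src": "10.0.0.5", "ip_dst": "10.0.1.10", "reason": "user does not exist"},
    {"time": 30,  "outcome": "Failure", "user": "ghost", "ip_src": "10.0.0.5", "ip_dst": "10.0.1.10", "reason": "user does not exist"},
    {"time": 60,  "outcome": "Failure", "user": "ghost", "ip_src": "10.0.0.5", "ip_dst": "10.0.1.10", "reason": "user does not exist"},
    {"time": 90,  "outcome": "Failure", "user": "ghost", "ip_src": "10.0.0.5", "ip_dst": "10.0.1.10", "reason": "user does not exist"},
    {"time": 120, "outcome": "Failure", "user": "ghost", "ip_src": "10.0.0.5", "ip_dst": "10.0.1.10", "reason": "user does not exist"},
    # a bad-password failure for a real user from the same source: must not count for rule 1
    {"time": 10,  "outcome": "Failure", "user": "bob",   "ip_src": "10.0.0.5", "ip_dst": "10.0.1.10", "reason": "bad password"},
    # one user failing from three different sources to one destination inside 3600 s
    {"time": 100,  "outcome": "Failure", "user": "alice", "ip_src": "10.0.0.1", "ip_dst": "10.0.1.10", "reason": "bad password"},
    {"time": 1000, "outcome": "Failure", "user": "alice", "ip_src": "10.0.0.2", "ip_dst": "10.0.1.10", "reason": "bad password"},
    {"time": 2000, "outcome": "Failure", "user": "alice", "ip_src": "10.0.0.3", "ip_dst": "10.0.1.10", "reason": "bad password"},
    # a success never counts towards a failed-login rule
    {"time": 2500, "outcome": "Success", "user": "alice", "ip_src": "10.0.0.3", "ip_dst": "10.0.1.10", "reason": ""},
    # a late "ghost" failure after the first burst fired: the window was reset, so no second alert
    {"time": 400,  "outcome": "Failure", "user": "ghost", "ip_src": "10.0.0.5", "ip_dst": "10.0.1.10", "reason": "user does not exist"},
]


@dataclass(frozen=True)
class Rule:
    name: str
    match: Callable[[dict], bool]   # which events this rule considers at all
    group_by: Tuple[str, ...]       # fields that identify one tracked entity
    threshold: int                  # fire when the count reaches this value
    window: int                     # seconds; configurable, as the rule descriptions say
    distinct: Optional[str] = None  # count distinct values of this field instead of raw events


@dataclass(frozen=True)
class Alert:
    rule: str
    key: Tuple[str, ...]
    count: int
    at: int


class Correlator:
    """Sliding-window counter keyed by (rule name, group_by values)."""

    def __init__(self, rules: List[Rule]) -> None:
        self.rules = rules
        self.state: Dict[tuple, Deque[Tuple[int, Optional[str]]]] = defaultdict(deque)

    def feed(self, event: dict) -> List[Alert]:
        """Process one event (events must arrive in time order) and return any alerts."""
        alerts: List[Alert] = []
        for rule in self.rules:
            if not rule.match(event):
                continue
            key = tuple(event.get(f, "") for f in rule.group_by)
            q = self.state[(rule.name, key)]
            q.append((event["time"], event.get(rule.distinct) if rule.distinct else None))
            # expire entries older than the window, measured from the newest event
            while q and event["time"] - q[0][0] > rule.window:
                q.popleft()
            count = len({v for _, v in q}) if rule.distinct else len(q)
            if count >= rule.threshold:
                alerts.append(Alert(rule.name, key, count, event["time"]))
                q.clear()  # reset so one burst produces one alert, not one per extra event
        return alerts


RULES = [
    Rule(
        name="nonexistent-user failures from same source",
        match=lambda e: e["outcome"] == "Failure" and e["reason"] == "user does not exist",
        group_by=("ip_src",),
        threshold=5,
        window=180,
    ),
    Rule(
        name="single user failures from multiple sources to same destination",
        match=lambda e: e["outcome"] == "Failure",
        group_by=("user", "ip_dst"),
        threshold=3,
        window=3600,
        distinct="ip_src",
    ),
]


def run_rules(events: List[dict], rules: List[Rule] = RULES) -> List[Alert]:
    """Replay events in time order through the correlator and collect the alerts."""
    correlator = Correlator(rules)
    alerts: List[Alert] = []
    for event in sorted(events, key=lambda e: e["time"]):
        alerts.extend(correlator.feed(event))
    return alerts


if __name__ == "__main__":
    for alert in run_rules(SAMPLE_EVENTS):
        print(f"{alert.rule}: key={alert.key} count={alert.count} at t={alert.at}")
```

Two design points carry over to any real rule engine: the window is measured from the newest event, so a slow trickle of failures that never has five inside 180 seconds stays silent, and the state is cleared on firing, so a burst of twenty failures yields one alert rather than sixteen. Shrinking the 3600 second window on the second rule to a few hundred seconds makes alice's three sources fall out of the window one by one and no alert is produced, which is the knob the descriptions call "configurable".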
Log Collector Content
Title: ActivIdentity AAA Server Log Collector Configuration
Desc: Log Collector configuration content for event source ActivIdentity AAA Server
Title: Alcatel-Lucent OmniSwitch Log Collector Configuration
Desc: Log Collector configuration content for event source Alcatel-Lucent OmniSwitch
Title: Apache Web Server Log Collector Configuration
Desc: Log Collector configuration content for event source Apache Web Server
Title: Apache Tomcat Log Collector Configuration
Desc: Log Collector configuration content for event source Apache Tomcat
Title: AppSec DbProtect Log Collector Configuration
Desc: Log Collector configuration content for event source AppSec DbProtect
Title: Avocent KVM Log Collector Configuration
Desc: Log Collector configuration content for event source Avocent KVM
Title: BigFix Log Collector Configuration
Desc: Log Collector configuration content for event source BigFix
Title: Bit9 Log Collector Configuration
Desc: Log Collector configuration content for event source Bit9
Title: RIM Blackberry Enterprise Server Log Collector Configuration
Desc: Log Collector configuration content for event source RIM Blackberry Enterprise Server
Title: BMC Remedy ITSM Log Collector Configuration
Desc: Log Collector configuration content for event source BMC Remedy ITSM
Title: CA Integrated Threat Management Log Collector Configuration
Desc: Log Collector configuration content for event source CA Integrated Threat Management
Title: EMC Celerra Log Collector Configuration
Desc: Log Collector configuration content for event source EMC Celerra
Title: Check Point FW-1 Log Collector Configuration
Desc: Log Collector configuration content for event source Check Point FW-1
Title: Cisco Ironport ESA Log Collector Configuration
Desc: Log Collector configuration content for event source Cisco Ironport ESA
Title: Cisco Ironport WSA Log Collector Configuration
Desc: Log Collector configuration content for event source Cisco Ironport WSA
Title: Cisco LMS Log Collector Configuration
Desc: Log Collector configuration content for event source Cisco LMS
Title: Cisco MARS Log Collector Configuration
Desc: Log Collector configuration content for event source Cisco MARS
Title: CiscoWorks NCM Log Collector Configuration
Desc: Log Collector configuration content for event source CiscoWorks NCM
Title: Cisco Security Agent Log Collector Configuration
Desc: Log Collector configuration content for event source Cisco Security Agent
Title: Cisco WCS Log Collector Configuration
Desc: Log Collector configuration content for event source Cisco WCS
Title: CiscoWorks Common Services/Cisco Security Manager Log Collector Configuration
Desc: Log Collector configuration content for event source CiscoWorks Common Services/Cisco
Title: Citrix XenApp Log Collector Configuration
Desc: Log Collector configuration content for event source Citrix XenApp
Title: Courion Password Courier Log Collector Configuration
Desc: Log Collector configuration content for event source Courion Password Courier
Title: Dell DRAC Log Collector Configuration
Desc: Log Collector configuration content for event source Dell DRAC
Title: Dragon IDS Log Collector Configuration
Desc: Log Collector configuration content for event source Dragon IDS
Title: eEye Blink Log Collector Configuration
Desc: Log Collector configuration content for event source eEye Blink
Title: eEye Retina Log Collector Configuration
Desc: Log Collector configuration content for event source eEye Retina
Title: EMC Avamar Log Collector Configuration
Desc: Log Collector configuration content for event source EMC Avamar
Title: EMC Documentum Log Collector Configuration
Desc: Log Collector configuration content for event source EMC Documentum
Title: EMC Data Protection Advisor Log Collector Configuration
Desc: Log Collector configuration content for event source EMC Data Protection Advisor
Title: EMC Ionix UIM Log Collector Configuration
Desc: Log Collector configuration content for event source EMC Ionix UIM
Title: EMC Isilon Log Collector Configuration
Desc: Log Collector configuration content for event source EMC Isilon
Title: EMC NetWorker Log Collector Configuration
Desc: Log Collector configuration content for event source EMC NetWorker
Title: EMC VPLEX Log Collector Configuration
Desc: Log Collector configuration content for event source EMC VPLEX
Title: Entercept Log Collector Configuration
Desc: Log Collector configuration content for event source Entercept
Title: McAfee ePolicy Orchestrator Log Collector Configuration
Desc: Log Collector configuration content for event source McAfee ePolicy Orchestrator
Title: FairWarning Privacy Monitoring Log Collector Configuration
Desc: Log Collector configuration content for event source FairWarning Privacy Monitoring
Title: F-Secure Anti-Virus Log Collector Configuration
Desc: Log Collector configuration content for event source F-Secure Anti-Virus
Title: GE Centricity Enterprise Archive Log Collector Configuration
Desc: Log Collector configuration content for event source GE Centricity Enterprise Archive
Title: GE Centricity PACS IW Log Collector Configuration
Desc: Log Collector configuration content for event source GE Centricity PACS IW
Title: GIT-SCM Server Log Collector Configuration
Desc: Log Collector configuration content for event source GIT-SCM Server
Title: EMC Greenplum Database Log Collector Configuration
Desc: Log Collector configuration content for event source EMC Greenplum Database
Title: EMC Greenplum Hadoop Distribution Log Collector Configuration
Desc: Log Collector configuration content for event source EMC Greenplum Hadoop Distribution
Title: GlobalSCAPE EFT Server Log Collector Configuration
Desc: Log Collector configuration content for event source GlobalSCAPE EFT Server
Title: IBM DB2 UDB Log Collector Configuration
Desc: Log Collector configuration content for event source IBM DB2 UDB
Title: IBM Mainframe ICSF Log Collector Configuration
Desc: Log Collector configuration content for event source IBM Mainframe ICSF
Title: IBM Mainframe (IDMS) Log Collector Configuration
Desc: Log Collector configuration content for event source IBM Mainframe (IDMS)
Title: IBM Mainframe (IMS) Log Collector Configuration
Desc: Log Collector configuration content for event source IBM Mainframe (IMS)
Title: IBM Mainframe IPSec Log Collector Configuration
Desc: Log Collector configuration content for event source IBM Mainframe IPSec
Title: IBM Mainframe zOS System Log Log Collector Configuration
Desc: Log Collector configuration content for event source IBM Mainframe zOS System Log
Title: IBM Mainframe (RACF) Log Collector Configuration
Desc: Log Collector configuration content for event source IBM Mainframe (RACF)
Title: IBM Tivoli Access Manager ESSO Log Collector Configuration
Desc: Log Collector configuration content for event source IBM Tivoli Access Manager ESSO
Title: IBM TAM WebSEAL Log Collector Configuration
Desc: Log Collector configuration content for event source IBM TAM WebSEAL
Title: IBM Tivoli Identity Manager Log Collector Configuration
Desc: Log Collector configuration content for event source IBM Tivoli Identity Manager
Title: IBM WebSphere MQ Log Collector Configuration
Desc: Log Collector configuration content for event source IBM WebSphere MQ
Title: IntruShield Log Collector Configuration
Desc: Log Collector configuration content for event source IntruShield
Title: McAfee Email Gateway Log Collector Configuration
Desc: Log Collector configuration content for event source McAfee Email Gateway
Title: ISS Realsecure Log Collector Configuration
Desc: Log Collector configuration content for event source ISS Realsecure
Title: JBoss Application Server Log Collector Configuration
Desc: Log Collector configuration content for event source JBoss Application Server
Title: Steel-Belted Radius Log Collector Configuration
Desc: Log Collector configuration content for event source Steel-Belted Radius
Title: Kaspersky Anti-Virus Log Collector Configuration
Desc: Log Collector configuration content for event source Kaspersky Anti-Virus
Title: Kernel-based Virtual Machine Log Collector Configuration
Desc: Log Collector configuration content for event source Kernel-based Virtual Machine
Title: LANDesk Management Suite Log Collector Configuration
Desc: Log Collector configuration content for event source LANDesk Management Suite
Title: Lotus Domino Log Collector Configuration
Desc: Log Collector configuration content for event source Lotus Domino
Title: Lumension EMSS Log Collector Configuration
Desc: Log Collector configuration content for event source Lumension EMSS
Title: ManageEngine Netflow Analyzer Log Collector Configuration
Desc: Log Collector configuration content for event source ManageEngine Netflow Analyzer
Title: Mazu Profiler Log Collector Configuration
Desc: Log Collector configuration content for event source Mazu Profiler
Title: McAfee Host DLP Log Collector Configuration
Desc: Log Collector configuration content for event source McAfee Host DLP
Title: McAfee Endpoint Log Collector Configuration
Desc: Log Collector configuration content for event source McAfee Endpoint
Title: McAfee Vulnerability Manager Log Collector Configuration
Desc: Log Collector configuration content for event source McAfee Vulnerability Manager
Title: McAfee Integrity Control Log Collector Configuration
Desc: Log Collector configuration content for event source McAfee Integrity Control
Title: McAfee Network Access Control Log Collector Configuration
Desc: Log Collector configuration content for event source McAfee Network Access Control
Title: McAfee Policy Auditor Log Collector Configuration
Desc: Log Collector configuration content for event source McAfee Policy Auditor
Title: McAfee Reconnex Log Collector Configuration
Desc: Log Collector configuration content for event source McAfee Reconnex
Title: McAfee Virus Scan Log Collector Configuration
Desc: Log Collector configuration content for event source McAfee Virus Scan
Title: McKesson HPF Log Collector Configuration
Desc: Log Collector configuration content for event source McKesson HPF
Title: Microsoft IIS Log Collector Configuration
Desc: Log Collector configuration content for event source Microsoft IIS
Title: Microsoft Audit Collection Services Log Collector Configuration
Desc: Log Collector configuration content for event source Microsoft Audit Collection Services
Title: Microsoft DHCP Log Collector Configuration
Desc: Log Collector configuration content for event source Microsoft DHCP
Title: Microsoft Forefront Client Security Log Collector Configuration
Desc: Log Collector configuration content for event source Microsoft Forefront Client Security
Title: Microsoft Forefront UAG Log Collector Configuration
Desc: Log Collector configuration content for event source Microsoft Forefront UAG
Title: Microsoft Network Access Protection Log Collector Configuration
Desc: Log Collector configuration content for event source Microsoft Network Access Protection
Title: Microsoft SharePoint Log Collector Configuration
Desc: Log Collector configuration content for event source Microsoft SharePoint
Title: Windows Server Update Service Log Collector Configuration
Desc: Log Collector configuration content for event source Windows Server Update Service
Title: MySQL Log Collector Configuration
Desc: Log Collector configuration content for event source MySQL
Title: Netapp Log Collector Configuration
Desc: Log Collector configuration content for event source Netapp
Title: Rapid7 NeXpose Log Collector Configuration
Desc: Log Collector configuration content for event source Rapid7 NeXpose
Title: NFDump Log Collector Configuration
Desc: Log Collector configuration content for event source NFDump
Title: Novell eDirectory Log Collector Configuration
Desc: Log Collector configuration content for event source Novell eDirectory
Title: NetScreen-Security Manager Log Collector Configuration
Desc: Log Collector configuration content for event source NetScreen-Security Manager
Title: openvms Log Collector Configuration
Desc: Log Collector configuration content for event source openvms
Title: Oracle Log Collector Configuration
Desc: Log Collector configuration content for event source Oracle
Title: Oracle Audit Vault Log Collector Configuration
Desc: Log Collector configuration content for event source Oracle Audit Vault
Title: Oracle DB Vault Log Collector Configuration
Desc: Log Collector configuration content for event source Oracle DB Vault
Title: Oracle Internet Directory Log Collector Configuration
Desc: Log Collector configuration content for event source Oracle Internet Directory
Title: Oracle IM Log Collector Configuration
Desc: Log Collector configuration content for event source Oracle IM
Title: Oracle iPlanet Web Server Log Collector Configuration
Desc: Log Collector configuration content for event source Oracle iPlanet Web Server
Title: Oracle WebLogic Log Collector Configuration
Desc: Log Collector configuration content for event source Oracle WebLogic
Title: Perforce Log Collector Configuration
Desc: Log Collector configuration content for event source Perforce
Title: Radware DefensePro Log Collector Configuration
Desc: Log Collector configuration content for event source Radware DefensePro
Title: Riverbed Steelhead Log Collector Configuration
Desc: Log Collector configuration content for event source Riverbed Steelhead
Title: RSA Adaptive Auth (Hosted) Log Collector Configuration
Desc: Log Collector configuration content for event source RSA Adaptive Auth (Hosted)
Title: RSA Access Manager Log Collector Configuration
Desc: Log Collector configuration content for event source RSA Access Manager
Title: RSA ACE Server Log Collector Configuration
Desc: Log Collector configuration content for event source RSA ACE Server
Title: RSA Archer Log Collector Configuration
Desc: Log Collector configuration content for event source RSA Archer
Title: RSAAveksa Log Collector Configuration
Desc: Log Collector configuration content for event source RSAAveksa
Title: RSA Certificate Manager Log Collector Configuration
Desc: Log Collector configuration content for event source RSA Certificate Manager
Title: RSA Federated Identity Manager Log Collector Configuration
Desc: Log Collector configuration content for event source RSA Federated Identity Manager
Title: SAP ERP Central Component Log Collector Configuration
Desc: Log Collector configuration content for event source SAP ERP Central Component
Title: Secude Security Intelligence Log Collector Configuration
Desc: Log Collector configuration content for event source Secude Security Intelligence
Title: Solaris Basic Security Module Log Collector Configuration
Desc: Log Collector configuration content for event source Solaris Basic Security Module
Title: Sophos Enterprise Console Log Collector Configuration
Desc: Log Collector configuration content for event source Sophos Enterprise Console
Title: Sybase ASE Log Collector Configuration
Desc: Log Collector configuration content for event source Sybase ASE
Title: SYMANTECEP Log Collector Configuration
Desc: Log Collector configuration content for event source SYMANTECEP
Title: EMC Symmetrix Log Collector Configuration
Desc: Log Collector configuration content for event source EMC Symmetrix
Title: Teradata Log Collector Configuration
Desc: Log Collector configuration content for event source Teradata
Title: Trend Micro Log Collector Configuration
Desc: Log Collector configuration content for event source Trend Micro
Title: Trend Micro IMSS Log Collector Configuration
Desc: Log Collector configuration content for event source Trend Micro IMSS
Title: Trend Micro IWSS Log Collector Configuration
Desc: Log Collector configuration content for event source Trend Micro IWSS
Title: Tripwire Enterprise Log Collector Configuration
Desc: Log Collector configuration content for event source Tripwire Enterprise
Title: Varonis DatAdvantage Probe Log Collector Configuration
Desc: Log Collector configuration content for event source Varonis DatAdvantage Probe
Title: VMware View Log Collector Configuration
Desc: Log Collector configuration content for event source VMware View
Title: EMC Voyence Log Collector Configuration
Desc: Log Collector configuration content for event source EMC Voyence
Title: Websense Web Security Log Collector Configuration
Desc: Log Collector configuration content for event source Websense Web Security
Title: WhatsUp Gold Log Collector Configuration
Desc: Log Collector configuration content for event source WhatsUp Gold
Title: Microsoft Operations Manager Log Collector Configuration
Desc: Log Collector configuration content for event source Microsoft Operations Manager
Title: Microsoft Exchange Log Collector Configuration
Desc: Log Collector configuration content for event source Microsoft Exchange
Title: Microsoft SCCM Log Collector Configuration
Desc: Log Collector configuration content for event source Microsoft SCCM
Title: Microsoft SQL Server Log Collector Configuration
Desc: Log Collector configuration content for event source Microsoft SQL Server
Title: Microsoft Internet Security and Acceleration Server Log Collector Configuration
Desc: Log Collector configuration content for event source Microsoft Internet Security and Acceleration Server.
Title: Microdasys XML Security Gateway Log Collector Configuration
Desc: Log Collector configuration content for event source Microdasys XML Security Gateway.
Title: IBM WebSphere Log Collector Configuration
Desc: Log Collector configuration content for event source IBM WebSphere.
Title: Actiance Vantage Log Collector Configuration
Desc: Log Collector configuration content for event source Actiance Vantage
Title: CA Siteminder Log Collector Configuration
Desc: Log Collector configuration content for event source CA Siteminder
Title: Cisco Secure IDS XML Log Collector Configuration
Desc: Log Collector configuration content for event source Cisco Secure IDS XML.
Title: EMC Clariion/VNX Log Collector Configuration
Desc: Log Collector configuration content for event source EMC Clariion/VNX
Title: SonicWALL GMS Log Collector Configuration
Desc: Log Collector configuration content for event source SonicWALL GMS
Title: Squid Log Collector Configuration
Desc: Log Collector configuration content for event source Squid
Title: SunOne LDAP Directory Server Log Collector Configuration
Desc: Log Collector configuration content for event source SunOne LDAP Directory Server
Title: Symantec Critical Systems Protection Log Collector Configuration
Desc: Log Collector configuration content for event source Symantec Critical Systems Protection
Title: Symantec Intruder Alert Log Collector Configuration
Desc: Log Collector configuration content for event source Symantec Intruder Alert
Title: McAfee Web Gateway Log Collector Configuration
Desc: Log Collector configuration content for event source McAfee Web Gateway
Title: Bluecoat ProxyAV Log Collector Configuration
Desc: Log Collector configuration content for event source Bluecoat ProxyAV
Title: Blue Coat ELFF Log Collector Configuration
Desc: Log Collector configuration content for event source Blue Coat ELFF
Title: Tenable Network Security Nessus Log Collector Configuration
Desc: Log Collector configuration content for event source Tenable Network Security Nessus
Title: Windows Events (NIC) Log Collector Configuration
Desc: Log Collector configuration content for event source Windows Events (NIC)
Title: Envision Content File
Desc: This file is used to update the content file for NWFL
Log Parsers
New Event Sources:
Fortinet FortiAnalyzer version 5.0
Cyberoam UTM version 10.04.3
Aventail SSL VPN (now called SonicWall E-Class SRA)
Cisco Wireless LAN Controller (2100 Series and 4400 Series)
Updated Event Sources:
Alcatel-Lucent OmniSwitch version 6600
Cisco Secure ACS version 5.4
McAfee Web Gateway version 7.3
Microsoft Exchange 2013
MySQL Enterprise version 5.6
Symantec DLP versions 11 and 12
Blue Coat Proxy AV version 3.5.1.1
Check Point Security Suite version R77 GAIA OS
Citrix XenApp version 6.5
Oracle WebLogic Server version 10.3.6
Palo Alto Panorama version 5.1.4
Sybase version 15 on Solaris 2.10
LUA Parsers
Title: VNC
Desc: Identifies the Remote Framebuffer protocol used by VNC and its derivatives.
Title: X11_lua
Desc: Identifies the X11 protocol (RFC 1013)
Title: HTTP_lua
Desc: Replicates and improves the functionality of the native and flex HTTP parsers. Performs HTTP header anomaly detection and proxy client IP extraction. Parses ICAP (HTTP) requests.
Title: xor_executable_lua
Desc: Detects executables that have been xor or hex encoded.
Title: NFS_lua
Desc: Identifies and parses the RPC-related protocols NFS, MOUNT, and PORTMAP.
Title: DNP3_lua
Desc: DNP3 Distributed Network Protocol (SCADA)
Title: ethernet_oui
Desc: Determines the manufacturer of eth.src and eth.dst addresses.
Title: Fingerprint_Private_Key
Desc: Detects SSH and PGP private key files.
Title: IMAP_lua
Desc: Identifies IMAP; registers commands, errors, usernames, and passwords.
Title: Lync
Desc: Identifies Microsoft Lync (formerly Microsoft Office Communicator, Windows Messenger).
Title: pwdump
Desc: Detects output from Windows password dumping tools such as pwdump.
Title: QQ_lua
Desc: Identifies QQ (OICQ protocol) sessions. Extracts the QQ user id number and login and logout events.
Title: shadyrat_lua
Desc: Identifies potential artifacts related to shadyrat command and control traffic.
Title: socks_lua
Desc: Identifies the SOCKS protocol, versions 4 and 5.
Title: SoulSeek_lua
Desc: Identifies the SoulSeek file sharing protocol
Title: spectrum_lua
Desc: Determines which sessions are sent to Spectrum for analysis, based upon the file types seen in the session and the total session size.
Title: DNS_verbose_lua
Desc: Identifies DNS sessions. Registers query and response records including record type. Registers protocol error messages. Alerts on DNS anomalies.
Title: htran_lua
Desc: Identifies the error message generated by the htran redirection tool.
Title: bittorrent_lua
Desc: Identifies the bittorrent protocol and registers the name of the file being downloaded.
Title: fingerprint_7zip
Desc: Detects 7zip archive files.
Title: Derusbi_Server_Handshake
Desc: Detects Derusbi server handshake.
Title: fingerprint_rtf_lua
Desc: Detects RTF files
Title: fingerprint_zip
Desc: Detects PK format zip files and extracts filenames contained in the archive.
Title: NTLMSSP_lua
Desc: Extracts Active Directory user information from NTLM HTTP headers.
Title: SMB_lua
Desc: Parses the Microsoft SMB-CIFS protocol versions 1 and 2.
Title: fingerprint_rar_lua
Desc: Detects RAR archive files. Registers the names of archived files if available.
Title: Netwitness Lua Library
Desc: Commonly used parser functions in Lua. This file itself is not a parser.
Title: fingerprint_javascript_lua
Desc: Detects JavaScript, suspicious JavaScript actions, and anomalies.
Title: fingerprint_office_lua
Desc: Identifies Microsoft Office 95 and 2007 Word, Excel, and PowerPoint documents.
Title: iSCSI
Desc: Identifies SCSI-over-IP.
Title: MAIL_lua
Desc: Replicates in Lua the functionality of the native and Flex MAIL parsers. Extracts values such as from, to, and subject from email messages.
Title: creditcard_detection_lua
Desc: Attempts to detect possible credit card numbers and validates them with the Luhn algorithm. Intended as a replacement for the credit card detection in search.ini.
Title: phishing_lua
Desc: Registers the host portion from each URL found within an email.
FLEX Parsers
Title: Derusbi_Variant_Beacon
Desc: Detects Derusbi Variant Beacons
Title: DNS - Verbose
Desc: Identifies DNS sessions. Registers queries and responses including record types. Registers protocol errors. Detects and registers anomalies.
YARA Rules
Title: RSA Malware PE Packers
Desc: Yara IOCs which statically analyze Windows PE files to identify Common Packers
Title: RSA Malware PDF Artifacts
Desc: Yara IOCs which statically analyze PDF file artifacts for signs of malware
Title: RSA Malware PE Artifacts
Desc: Yara IOCs which statically analyze Windows PE file artifacts for signs of malware
Reports
Title: Accounts Created SAW
Desc: SAW Compliance Report Template - Accounts Created SAW
Title: Accounts Deleted SAW
Desc: SAW Compliance Report Template - Accounts Deleted SAW
Title: Accounts Disabled SAW
Desc: SAW Compliance Report Template - Accounts Disabled SAW
Title: Accounts Modified SAW
Desc: SAW Compliance Report Template - Accounts Modified SAW
Title: Anti-Virus Signature Updates SAW
Desc: SAW Compliance Report Template - Anti-Virus Signature Updates SAW
Title: Change in Audit Settings SAW
Desc: SAW Compliance Report Template - Change in Audit Settings SAW
Title: Encryption Failures SAW
Desc: SAW Compliance Report Template - Encryption Failures SAW
Title: Encryption Key Generation and Changes SAW
Desc: SAW Compliance Report Template - Encryption Key Generation and Changes SAW
Title: Failed Escalation of Privileges Details SAW
Desc: SAW Compliance Report Template - Failed Escalation of Privileges Details SAW
Title: Failed Escalation of Privileges Summary SAW
Desc: SAW Compliance Report Template - Failed Escalation of Privileges Summary SAW
Title: Failed Remote Access Details SAW
Desc: SAW Compliance Report Template - Failed Remote Access Details SAW
Title: Failed Remote Access Summary SAW
Desc: SAW Compliance Report Template - Failed Remote Access Summary SAW
Title: Firewall Configuration Changes SAW
Desc: SAW Compliance Report Template - Firewall Configuration Changes SAW
Title: Firmware Changes on Wireless Devices SAW
Desc: SAW Compliance Report Template - Firmware Changes on Wireless Devices SAW
Title: Inbound Network Traffic SAW
Desc: SAW Compliance Report Template - Inbound Network Traffic SAW
Title: Logon Failures Summary SAW
Desc: SAW Compliance Report Template - Logon Failures Summary SAW
Title: Logon Failure Details SAW
Desc: SAW Compliance Report Template - Logon Failure Details SAW
Title: Outbound Network Traffic SAW
Desc: SAW Compliance Report Template - Outbound Network Traffic SAW
Title: Password Changes Details SAW
Desc: SAW Compliance Report Template - Password Changes Details SAW
Title: Password Changes Summary SAW
Desc: SAW Compliance Report Template - Password Changes Summary SAW
Title: Router Configuration Changes SAW
Desc: SAW Compliance Report Template - Router Configuration Changes SAW
Title: Successful Escalation of Privileges Details SAW
Desc: SAW Compliance Report Template - Successful Escalation of Privileges Details SAW
Title: Successful Escalation of Privileges Summary SAW
Desc: SAW Compliance Report Template - Successful Escalation of Privileges Summary SAW
Title: Successful Remote Access Details SAW
Desc: SAW Compliance Report Template - Successful Remote Access Details SAW
Title: Successful Remote Access Summary SAW
Desc: SAW Compliance Report Template - Successful Remote Access Summary SAW
Title: Successful Use of Encryption SAW
Desc: SAW Compliance Report Template - Successful Use of Encryption SAW
Title: System Clock Synchronization SAW
Desc: SAW Compliance Report Template - System Clock Synchronization SAW
Title: User Access Revoked SAW
Desc: SAW Compliance Report Template - User Access Revoked SAW
Title: User Session Terminated Summary SAW
Desc: SAW Compliance Report Template - User Session Terminated Summary SAW
Report Engine Rules
Title: Accounts Created SAW
Desc: SAW Compliance Rule - Accounts Created SAW
Title: Accounts Deleted SAW
Desc: SAW Compliance Rule - Accounts Deleted SAW
Title: Accounts Disabled SAW
Desc: SAW Compliance Rule - Accounts Disabled SAW
Title: Accounts Modified SAW
Desc: SAW Compliance Rule - Accounts Modified SAW
Title: Anti-virus Signature Update SAW
Desc: SAW Compliance Rule - Anti-virus Signature Update SAW
Title: Change in Audit Settings SAW
Desc: SAW Compliance Rule - Change in Audit Settings SAW
Title: Encryption Failures SAW
Desc: SAW Compliance Rule - Encryption Failures SAW
Title: Encryption Key Generation and Changes SAW
Desc: SAW Compliance Rule - Encryption Key Generation and Changes SAW
Title: Failed Escalation of Privileges Details SAW
Desc: SAW Compliance Rule - Failed Escalation of Privileges Details SAW
Title: Failed Escalation of Privileges Summary SAW
Desc: SAW Compliance Rule - Failed Escalation of Privileges Summary SAW
Title: Failed Remote Access Details SAW
Desc: SAW Compliance Rule - Failed Remote Access Details SAW
Title: Failed Remote Access Summary SAW
Desc: SAW Compliance Rule - Failed Remote Access Summary SAW
Title: Firewall Configuration Changes SAW
Desc: SAW Compliance Rule - Firewall Configuration Changes SAW
Title: Firmware Changes on Wireless Devices SAW
Desc: SAW Compliance Rule - Firmware Changes on Wireless Devices SAW
Title: Inbound Network Traffic SAW
Desc: SAW Compliance Rule - Inbound Network Traffic SAW
Title: Logon Failures Summary SAW
Desc: SAW Compliance Rule - Logon Failures Summary SAW
Title: Logon Failures Details SAW
Desc: SAW Compliance Rule - Logon Failures Details SAW
Title: Outbound Network Traffic SAW
Desc: SAW Compliance Rule - Outbound Network Traffic SAW
Title: Password Changes Details SAW
Desc: SAW Compliance Rule - Password Changes Details SAW
Title: Password Changes Summary SAW
Desc: SAW Compliance Rule - Password Changes Summary SAW
Title: Router Configuration Changes SAW
Desc: SAW Compliance Rule - Router Configuration Changes SAW
Title: Successful Escalation of Privileges Details SAW
Desc: SAW Compliance Rule - Successful Escalation of Privileges Details SAW
Title: Successful Escalation of Privileges Summary SAW
Desc: SAW Compliance Rule - Successful Escalation of Privileges Summary SAW
Title: Successful Remote Access Details SAW
Desc: SAW Compliance Rule - Successful Remote Access Details SAW
Title: Successful Remote Access Summary SAW
Desc: SAW Compliance Rule - Successful Remote Access Summary SAW
Title: Successful Use of Encryption SAW
Desc: SAW Compliance Rule - Successful Use of Encryption SAW
Title: System Clock Synchronization SAW
Desc: SAW Compliance Rule - System Clock Synchronization SAW
Title: User Access Revoked SAW
Desc: SAW Compliance Rule - User Access Revoked SAW
Title: User Session Terminated Summary SAW
Desc: SAW Compliance Rule - User Session Terminated Summary SAW