This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
NetWitness Community Blog
Subscribe to the official NetWitness Community blog for information about new product features, industry insights, best practices, and more.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

RSA Live February 2014 Content Announcement

RSAAdmin
Beginner
Beginner
‎2014-02-07 01:21 PM

Dear Valued RSA Customer,

RSA is pleased to announce the addition of new and updated content to RSA Live’s Content Library. This is a large update and our format has changed a bit, so please take a moment to review the various sections in this announcement to become familiar with the latest tools we are providing you to detect threats to your environment.

The categories of new and updated content is as follows:

Event Stream Analysis Rules

Log Collector

Log Parsers

LUA Parsers

Yara Rules

Flex Parsers

Reports

Report Engine Rules

 

Seeking Customer Developed Parsers, Rules and Reports

Security Analytics content will be evolving in 2014, both in functionality and presentation. We would like to work more closely with our customers in order to provide content that helps you find the threats that matter most to you. Your feedback, suggestions, and general questions are always appreciated.

1) Have you created a parser, rule, or report that you would be helpful to the broader RSA User Community? If so, let us know about it!  Reach out to us via email at:

 

ASOC.Content@rsa.com

Your emails will go directly to the content management team and we are looking forward to working with you to help evolve our content offering.

2) Do you want to request support for a new log source or protocol?


For Log Parser Requests go here: https://emcinformation.com/64308/REG/.ashx

For Protocol Parser Requests go here: https://emcinformation.com/139605/SI/.ashx

3) The content team will also be heavily engaged with the EMC Community portal this year. Not only is the Community a great place for us to communicate directly with our customers, but it’s a wonderful resource for our customers to gain tips and tricks from our research engineers as well as gain early access to our various pieces of security research. Not a member? Sign up here:

 

https://developer-content.emc.com/login/register.asp

The Latest Threat Research From RSA

- Our RSA Incident Response Team’s research dissecting Shell Crew and their malicious tactics, techniques, and procedures was recently released. As a supplement to this report we have released a digital appendix of content that can be utilized in Security Analytics as well as RSA ECAT to help identify stances of Shell Crew.  RSA Security Analytics customers can subscribe to this content via RSA Live.  The full report can be found here:

http://www.emc.com/collateral/white-papers/h12756-wp-shell-crew.pdf

- RSA FirstWatch Intelligence Team published a well received article about the Chewbacca Trojan and it’s role in stealing payment card data here:

 

https://community.emc.com/community/connect/rsaxchange/netwitness/blog/2014/01/30/rsa-uncovers-new-pos-malware-operation-stealing-payment-card-personal-information

- Also, below are FirstWatch Intelligence Team’s recent Feeds:

Malicious Filename Feed

https://community.emc.com/community/connect/rsaxchange/netwitness/blog/2014/01/31/deprecated-feeds-and-the-new-malicious-filename-feed

Malicious UA Feed

https://community.emc.com/thread/187497

Zbot Detection Feed:

https://community.emc.com/community/connect/rsaxchange/netwitness/blog/2014/01/22/you-can-install-the-firstwatch-zbot-feed

How To Receive Notifications And Announcements

One final thought, if you haven’t already registered to RSA’s SecurCare Online support site, please do so. Being a member allows you to subscribe to notifications and announcements for the entire suite of RSA security products. From new release announcements to end of support notifications, SecurCare Online keeps you informed about what’s happening with your RSA product.

We look forward to forging a stronger relationship with you in 2014 as we move to evolve our content and enhance your improve your total content experience.

If you have suggestions about how you would like to see this type of messaging formatted in the future, let us know about it. Please keep in mind that this is an unusually large update and future notifications will be much smaller.

Content Updates

New Event Stream Analysis Rules for Correlation and Complex Event Processing

Title: Multiple login failures from same source for username that does not exist

Desc: Alert when log events contain multiple login failures due to username that does not exist from same source in 180 seconds. It is different from the username which exists but fail to logon because of bad password. Over here, the user itself does not exist and is trying to logon multiple times from same machine. Both the time window and number of failed logins are configurable.

Title: Multiple failed logins from a single user from multiple different sources to same destination in X seconds

Desc: Alert when log events contain multiple failed logins from a single user from multiple different sources to same destination in 3600 seconds. Both the time window and number of failed logins are configurable.

Filename: esa000039.esaa

Title: Multiple successful logins from a single user from multiple different sources to the same destination

Desc: Alert when log events contain multiple successful logins from a single user from multiple different sources to same destination in 3600 seconds. Both the time window and number of success logins are configurable.

Title: User added to admin group then syslog is disabled

Desc: User was added to groups listed and same user stops syslog/rsyslog service on Linux m/c. Rule relies on ec tags for Group modification. Linux m/c does not generate events for stopping syslog service but event is triggered for stopping kernel logging. This event is used to fire rule.

Title: Single source, Same IDS / IPS message type, different destination IP

Desc: Detects similar IDS/IPS events from same source and multiple destination ip. Count of unique destination and time are configurable.

Title: Privilege Escalation Detected for Unix devices

Desc: Detects 2 kinds of events: user escalates himself using su or administrator adds user to user defined list of groups

Title: SSH traffic detected from a single source to different destinations

Desc: Detects SSH traffic(service=22) coming from single source to multiple destination in given time. Number of destination, service and time are configurable.

Title: Multiple failed logins from multiple different users from same source to same destination

Desc: Alert when log events contain multiple failed logins from multiple different users from same source to same destination in 180 seconds. Both the time window and number of failed logins are configurable.

Title: Multiple successful logins from a single user from multiple different sources to multiple destinations

Desc: Alert when log events contain multiple successful logins from a single user from multiple different sources to multiple different destinations in 180 seconds. Both the time window and number of success logins are configurable.

Title: DNS Lookups From the Same Host

Desc: Detects 50 DNS lookups in 60 seconds from the same IP source. Both the time window and number of lookups are configurable.

Title: File Transfer Using Non Standard Port

Desc: File transferred using non-standard TCP destination port. Both the list of file extensions and standard TCP ports are configurable. The statement detects if the TCP destination port does not equal those that are standard as configured.

Title: User added to admin group then ssh is enabled

Desc: User was added to groups configured and same user starts syslog/rsyslog service on Linux m/c. Rule relies on Event Categorization Tags (ECT) for group modification. For this rule to work, infobloxnios should be disabled. The time window, service name and a list of administrator groups are configurable. This rule uses non-standard meta key of client so it must be made available to the Log Decoder and Concentrator by updating index-concentrator-custom.xml and/or table-map.xml.

Title: Non SMTP Traffic on TCP Port 25 Containing Executable

Desc: Monitors for non-SMTP traffic on TCP destination port 25 containing executable.Both the list of executable file extensions and TCP port for SMTP traffic are configurable.This rule assumes that the connection does not need to be successful at both the client and server and a single event matching the filter criteria should trigger the rule.

Title: HTTP Outbound Traffic to Multiple Destinations From Single Source

Desc: HTTP outbound traffic to 50 unique destination IPs from a single source IP within 60 seconds.Outbound traffic is defined as that which does not have a private reserved address.Source IP must be within the RFC 1918 specification.The time window,number of unique destination IPs and source IP whitelist are all configurable.All events are grouped by ip.src and 50 must occur within 60 seconds.

Title: Multi-Service connection attempts_Pckt

Desc: Multiple Connection Failures detected based on Packet data from the Same Source to multiple common service ports (destination ports - ex. TCP 21, 22, 23, 25, 80, 8080, 443) of Same Destination within time period of 5 minutes.Time window and List of destination ports to be monitored, Number of Connection Attempts is configurable.

Title: Root fail ESX server (x3) + Root success to ESX server + VMClone

Desc: Alert if there are Multiple (here,assumed as 3 Failures) Root Login Failures to ESX server followed by Root Login Success to ESX server followed by a VMClone event within 5 minutes.The time window is configurable.

Title: Non HTTP Traffic on TCP Port 80 Containing Executable

Desc: Monitors for non-HTTP traffic on TCP destination port 80 containing executable.Both the list of executable file extensions and TCP port for HTTP traffic are configurable.This rule assumes that the connection does not need to be successful at both the client and server and a single event matching the filter criteria should trigger the rule.

Title: Account Created and Deleted within an hour.

Desc: Account Created and Deleted within an hour.

Log Collector Content

Title: ActivIdentity AAA Server Log Collector Configuration

Desc: Log Collector configuration content for event source ActivIdentity AAA Server

Title: Alcatel-Lucent OmniSwitch Log Collector Configuration

Desc: Log Collector configuration content for event source Alcatel-Lucent OmniSwitch

Title: Apache Web Server Log Collector Configuration

Desc: Log Collector configuration content for event source Apache Web Server

Title: Apache Tomcat Log Collector Configuration

Desc: Log Collector configuration content for event source Apache Tomcat

Title: AppSec DbProtect Log Collector Configuration

Desc: Log Collector configuration content for event source AppSec DbProtect

Title: Avocent KVM Log Collector Configuration

Desc: Log Collector configuration content for event source Avocent KVM

Title: BigFix Log Collector Configuration

Desc: Log Collector configuration content for event source BigFix

Title: Bit9 Log Collector Configuration

Desc: Log Collector configuration content for event source Bit9

Title: RIM Blackberry Enterprise Server Log Collector Configuration

Desc: Log Collector configuration content for event source RIM Blackberry Enterprise Server

Title: BMC Remedy ITSM Log Collector Configuration

Desc: Log Collector configuration content for event source BMC Remedy ITSM

Title: CA Integrated Threat Management Log Collector Configuration

Desc: Log Collector configuration content for event source CA Integrated Threat Management

Title: EMC Celerra Log Collector Configuration

Desc: Log Collector configuration content for event source EMC Celerra

Title: Check Point FW-1 Log Collector Configuration

Desc: Log Collector configuration content for event source Check Point FW-1

Title: Cisco Ironport ESA Log Collector Configuration

Desc: Log Collector configuration content for event source Cisco Ironport ESA

Title: Cisco Ironport WSA Log Collector Configuration

Desc: Log Collector configuration content for event source Cisco Ironport WSA

Title: Cisco LMS Log Collector Configuration

Desc: Log Collector configuration content for event source Cisco LMS

Title: Cisco MARS Log Collector Configuration

Desc: Log Collector configuration content for event source Cisco MARS

Title: CiscoWorks NCM Log Collector Configuration

Desc: Log Collector configuration content for event source CiscoWorks NCM

Title: Cisco Security Agent Log Collector Configuration

Desc: Log Collector configuration content for event source Cisco Security Agent

Title: Cisco WCS Log Collector Configuration

Desc: Log Collector configuration content for event source Cisco WCS

Title: CiscoWorks Common Services/Cisco Security Manager Log Collector Configuration

Desc: Log Collector configuration content for event source CiscoWorks Common Services/Cisco

Title: Citrix XenApp Log Collector Configuration

Desc: Log Collector configuration content for event source Citrix XenApp

Title: Courion Password Courier Log Collector Configuration

Desc: Log Collector configuration content for event source Courion Password Courier

Title: Dell DRAC Log Collector Configuration

Desc: Log Collector configuration content for event source Dell DRAC

Title: Dragon IDS Log Collector Configuration

Desc: Log Collector configuration content for event source Dragon IDS

Title: eEye Blink Log Collector Configuration

Desc: Log Collector configuration content for event source eEye Blink

Title: eEye Retina Log Collector Configuration

Desc: Log Collector configuration content for event source eEye Retina

Title: EMC Avamar Log Collector Configuration

Desc: Log Collector configuration content for event source EMC Avamar

Title: EMC Documentum Log Collector Configuration

Desc: Log Collector configuration content for event source EMC Documentum

Title: EMC Data Protection Advisor Log Collector Configuration

Desc: Log Collector configuration content for event source EMC Data Protection Advisor

Title: EMC Ionix UIM Log Collector Configuration

Desc: Log Collector configuration content for event source EMC Ionix UIM

Title: EMC Isilon Log Collector Configuration

Desc: Log Collector configuration content for event source EMC Isilon

Title: EMC NetWorker Log Collector Configuration

Desc: Log Collector configuration content for event source EMC NetWorker

Title: EMC VPLEX Log Collector Configuration

Desc: Log Collector configuration content for event source EMC VPLEX

Title: Entercept Log Collector Configuration

Desc: Log Collector configuration content for event source Entercept

Title: McAfee ePolicy Orchestrator Log Collector Configuration

Desc: Log Collector configuration content for event source McAfee ePolicy Orchestrator

Title: FairWarning Privacy Monitoring Log Collector Configuration

Desc: Log Collector configuration content for event source FairWarning Privacy Monitoring

Title: F-Secure Anti-Virus Log Collector Configuration

Desc: Log Collector configuration content for event source F-Secure Anti-Virus

Title: GE Centricity Enterprise Archive Log Collector Configuration

Desc: Log Collector configuration content for event source GE Centricity Enterprise Archive

Title: GE Centricity PACS IW Log Collector Configuration

Desc: Log Collector configuration content for event source GE Centricity PACS IW

Title: GIT-SCM Server Log Collector Configuration

Desc: Log Collector configuration content for event source GIT-SCM Server

Title: EMC Greenplum Database Log Collector Configuration

Desc: Log Collector configuration content for event source EMC Greenplum Database

Title: EMC Greenplum Hadoop Distribution Log Collector Configuration

Desc: Log Collector configuration content for event source EMC Greenplum Hadoop Distribution

Title: GlobalSCAPE EFT Server Log Collector Configuration

Desc: Log Collector configuration content for event source GlobalSCAPE EFT Server

Title: IBM DB2 UDB Log Collector Configuration

Desc: Log Collector configuration content for event source IBM DB2 UDB

Title: IBM Mainframe ICSF Log Collector Configuration

Desc: Log Collector configuration content for event source IBM Mainframe ICSF

Title: IBM Mainframe (IDMS) Log Collector Configuration

Desc: Log Collector configuration content for event source IBM Mainframe (IDMS)

Title: IBM Mainframe (IMS) Log Collector Configuration

Desc: Log Collector configuration content for event source IBM Mainframe (IMS)

Title: IBM Mainframe IPSec Log Collector Configuration

Desc: Log Collector configuration content for event source IBM Mainframe IPSec

Title: IBM Mainframe zOS System Log Log Collector Configuration

Desc: Log Collector configuration content for event source IBM Mainframe zOS System Log

Title: IBM Mainframe (RACF) Log Collector Configuration

Desc: Log Collector configuration content for event source IBM Mainframe (RACF)

Title: IBM Tivoli Access Manager ESSO Log Collector Configuration

Desc: Log Collector configuration content for event source IBM Tivoli Access Manager ESSO

Title: IBM TAM WebSEAL Log Collector Configuration

Desc: Log Collector configuration content for event source IBM TAM WebSEAL

Title: IBM Tivoli Identity Manager Log Collector Configuration

Desc: Log Collector configuration content for event source IBM Tivoli Identity Manager

Title: IBM WebSphere MQ Log Collector Configuration

Desc: Log Collector configuration content for event source IBM WebSphere MQ

Title: IntruShield Log Collector Configuration

Desc: Log Collector configuration content for event source IntruShield

Title: McAfee Email Gateway Log Collector Configuration

Desc: Log Collector configuration content for event source McAfee Email Gateway

Title: ISS Realsecure Log Collector Configuration

Desc: Log Collector configuration content for event source ISS Realsecure

Title: JBoss Application Server Log Collector Configuration

Desc: Log Collector configuration content for event source JBoss Application Server

Title: Steel-Belted Radius Log Collector Configuration

Desc: Log Collector configuration content for event source Steel-Belted Radius

Title: Kaspersky Anti-Virus Log Collector Configuration

Desc: Log Collector configuration content for event source Kaspersky Anti-Virus

Title: Kernel-based Virtual Machine Log Collector Configuration

Desc: Log Collector configuration content for event source Kernel-based Virtual Machine

Title: LANDesk Management Suite Log Collector Configuration

Desc: Log Collector configuration content for event source LANDesk Management Suite

Title: Lotus Domino Log Collector Configuration

Desc: Log Collector configuration content for event source Lotus Domino

Title: Lumension EMSS Log Collector Configuration

Desc: Log Collector configuration content for event source Lumension EMSS

Title: ManageEngine Netflow Analyzer Log Collector Configuration

Desc: Log Collector configuration content for event source ManageEngine Netflow Analyzer

Title: Mazu Profiler Log Collector Configuration

Desc: Log Collector configuration content for event source Mazu Profiler

Title: McAfee Host DLP Log Collector Configuration

Desc: Log Collector configuration content for event source McAfee Host DLP

Title: McAfee Endpoint Log Collector Configuration

Desc: Log Collector configuration content for event source McAfee Endpoint

Title: McAfee Vulnerability Manager Log Collector Configuration

Desc: Log Collector configuration content for event source McAfee Vulnerability Manager

Title: McAfee Integrity Control Log Collector Configuration

Desc: Log Collector configuration content for event source McAfee Integrity Control

Title: McAfee Network Access Control Log Collector Configuration

Desc: Log Collector configuration content for event source McAfee Network Access Control

Title: McAfee Policy Auditor Log Collector Configuration

Desc: Log Collector configuration content for event source McAfee Policy Auditor

Title: McAfee Reconnex Log Collector Configuration

Desc: Log Collector configuration content for event source McAfee Reconnex

Title: McAfee Virus Scan Log Collector Configuration

Desc: Log Collector configuration content for event source McAfee Virus Scan

Title: McKesson HPF Log Collector Configuration

Desc: Log Collector configuration content for event source McKesson HPF

Title: Microsoft IIS Log Collector Configuration

Desc: Log Collector configuration content for event source Microsoft IIS

Title: Microsoft Audit Collection Services Log Collector Configuration

Desc: Log Collector configuration content for event source Microsoft Audit Collection Services

Title: Microsoft DHCP Log Collector Configuration

Desc: Log Collector configuration content for event source Microsoft DHCP

Title: Microsoft Forefront Client Security Log Collector Configuration

Desc: Log Collector configuration content for event source Microsoft Forefront Client Security

Title: Microsoft Forefront UAG Log Collector Configuration

Desc: Log Collector configuration content for event source Microsoft Forefront UAG

Title: Microsoft Network Access Protection Log Collector Configuration

Desc: Log Collector configuration content for event source Microsoft Network Access Protection

Title: Microsoft SharePoint Log Collector Configuration

Desc: Log Collector configuration content for event source Microsoft SharePoint

Title: Windows Server Update Service Log Collector Configuration

Desc: Log Collector configuration content for event source Windows Server Update Service

Title: MySQL Log Collector Configuration

Desc: Log Collector configuration content for event source MySQL

Title: Netapp Log Collector Configuration

Desc: Log Collector configuration content for event source Netapp

Title: Rapid7 NeXpose Log Collector Configuration

Desc: Log Collector configuration content for event source Rapid7 NeXpose

Title: NFDump Log Collector Configuration

Desc: Log Collector configuration content for event source NFDump

Title: Novell eDirectory Log Collector Configuration

Desc: Log Collector configuration content for event source Novell eDirectory

Title: NetScreen-Security Manager Log Collector Configuration

Desc: Log Collector configuration content for event source NetScreen-Security Manager

Title: openvms Log Collector Configuration

Desc: Log Collector configuration content for event source openvms

Title: Oracle Log Collector Configuration

Desc: Log Collector configuration content for event source Oracle

Title: Oracle Audit Vault Log Collector Configuration

Desc: Log Collector configuration content for event source Oracle Audit Vault

Title: Oracle DB Vault Log Collector Configuration

Desc: Log Collector configuration content for event source Oracle DB Vault

Title: Oracle Internet Directory Log Collector Configuration

Desc: Log Collector configuration content for event source Oracle Internet Directory

Title: Oracle IM Log Collector Configuration

Desc: Log Collector configuration content for event source Oracle IM

Title: Oracle iPlanet Web Server Log Collector Configuration

Desc: Log Collector configuration content for event source Oracle iPlanet Web Server

Title: Oracle WebLogic Log Collector Configuration

Desc: Log Collector configuration content for event source Oracle WebLogic

Title: Perforce Log Collector Configuration

Desc: Log Collector configuration content for event source Perforce

Title: Radware DefensePro Log Collector Configuration

Desc: Log Collector configuration content for event source Radware DefensePro

Title: Riverbed Steelhead Log Collector Configuration

Desc: Log Collector configuration content for event source Riverbed Steelhead

Title: RSA Adaptive Auth (Hosted) Log Collector Configuration

Desc: Log Collector configuration content for event source RSA Adaptive Auth (Hosted)

Title: RSA Access Manager Log Collector Configuration

Desc: Log Collector configuration content for event source RSA Access Manager

Title: RSA ACE Server Log Collector Configuration

Desc: Log Collector configuration content for event source RSA ACE Server

Title: RSA Archer Log Collector Configuration

Desc: Log Collector configuration content for event source RSA Archer

Title: RSAAveksa Log Collector Configuration

Desc: Log Collector configuration content for event source RSAAveksa

Title: RSA Certificate Manager Log Collector Configuration

Desc: Log Collector configuration content for event source RSA Certificate Manager

Title: RSA Federated Identity Manager Log Collector Configuration

Desc: Log Collector configuration content for event source RSA Federated Identity Manager

Title: SAP ERP Central Component Log Collector Configuration

Desc: Log Collector configuration content for event source SAP ERP Central Component

Title: Secude Security Intelligence Log Collector Configuration

Desc: Log Collector configuration content for event source Secude Security Intelligence

Title: Solaris Basic Security Module Log Collector Configuration

Desc: Log Collector configuration content for event source Solaris Basic Security Module

Title: Sophos Enterprise Console Log Collector Configuration

Desc: Log Collector configuration content for event source Sophos Enterprise Console

Title: Sybase ASE Log Collector Configuration

Desc: Log Collector configuration content for event source Sybase ASE

Title: SYMANTECEP Log Collector Configuration

Desc: Log Collector configuration content for event source SYMANTECEP

Title: EMC Symmetrix Log Collector Configuration

Desc: Log Collector configuration content for event source EMC Symmetrix

Title: Teradata Log Collector Configuration

Desc: Log Collector configuration content for event source Teradata

Title: Trend Micro Log Collector Configuration

Desc: Log Collector configuration content for event source Trend Micro

Title: Trend Micro IMSS Log Collector Configuration

Desc: Log Collector configuration content for event source Trend Micro IMSS

Title: Trend Micro IWSS Log Collector Configuration

Desc: Log Collector configuration content for event source Trend Micro IWSS

Title: Tripwire Enterprise Log Collector Configuration

Desc: Log Collector configuration content for event source Tripwire Enterprise

Title: Varonis DatAdvantage Probe Log Collector Configuration

Desc: Log Collector configuration content for event source Varonis DatAdvantage Probe

Title: VMware View Log Collector Configuration

Desc: Log Collector configuration content for event source VMware View

Title: EMC Voyence Log Collector Configuration

Desc: Log Collector configuration content for event source EMC Voyence

Title: Websense Web Security Log Collector Configuration

Desc: Log Collector configuration content for event source Websense Web Security

Title: WhatsUp Gold Log Collector Configuration

Desc: Log Collector configuration content for event source WhatsUp Gold

Title: Microsoft Operations Manager Log Collector Configuration

Desc: Log Collector configuration content for event source Microsoft Operations Manager

Title: Microsoft Exchange Log Collector Configuration

Desc: Log Collector configuration content for event source Microsoft Exchange

Title: Microsoft SCCM Log Collector Configuration

Desc: Log Collector configuration content for event source Microsoft SCCM

Title: Microsoft SQL Server Log Collector Configuration

Desc: Log Collector configuration content for event source Microsoft SQL Server

Title: Microsoft Internet Security and Acceleration Server Log Collector Configuration

Desc: Log Collector configuration content for event source Microsoft Internet Security and Acceleration Server.

Title: Microdasys XML Security Gateway Log Collector Configuration

Desc: Log Collector configuration content for event source Microdasys XML Security Gateway.

Title: IBM WebSphere Log Collector Configuration

Desc: Log Collector configuration content for event source IBM WebSphere.

Title: Actiance Vantage Log Collector Configuration

Desc: Log Collector configuration content for event source Actiance Vantage

Title: CA Siteminder Log Collector Configuration

Desc: Log Collector configuration content for event source CA Siteminder

Title: Cisco Secure IDS XML Log Collector Configuration

Desc: Log Collector configuration content for event source Cisco Secure IDS XML.

Title: EMC Clariion/VNX Log Collector Configuration

Desc: Log Collector configuration content for event source EMC Clariion/VNX

Title: SonicWALL GMS Log Collector Configuration

Desc: Log Collector configuration content for event source SonicWALL GMS

Title: Squid Log Collector Configuration

Desc: Log Collector configuration content for event source Squid

Title: SunOne LDAP Directory Server Log Collector Configuration

Desc: Log Collector configuration content for event source SunOne LDAP Directory Server

Title: Symantec Critical Systems Protection Log Collector Configuration

Desc: Log Collector configuration content for event source Symantec Critical Systems Protection

Title: Symantec Intruder Alert Log Collector Configuration

Desc: Log Collector configuration content for event source Symantec Intruder Alert

Title: McAfee Web Gateway Log Collector Configuration

Desc: Log Collector configuration content for event source McAfee Web Gateway

Title: Bluecoat ProxyAV Log Collector Configuration

Desc: Log Collector configuration content for event source Bluecoat ProxyAV

Title: Blue Coat ELFF Log Collector Configuration

Desc: Log Collector configuration content for event source Blue Coat ELFF

Title: Tenable Network Security Nessus Log Collector Configuration

Desc: Log Collector configuration content for event source Tenable Network Security Nessus

Title: Windows Events (NIC) Log Collector Configuration

Desc: Log Collector configuration content for event source Windows Events (NIC)

Title: Envision Content File

Desc: This file is used to update the content file for NWFL

Log Parsers


New Event Sources:

Fortinet FortiAnalyzer version 5.0

Cyberoam UTM version 10.04.3

Aventail SSL VPN (now called SonicWall E-Class SRA)

Cisco Wireless LAN Controller (2100 Series and 4400 Series)

Updated Event Sources:

Alcatel-Lucent OmniSwitch version 6600

Cisco Secure ACS version 5.4

McAfee Web Gateway version 7.3

Microsoft Exchange 2013

MySQL Enterprise version 5.6

Symantec DLP versions 11 and 12

Blue Coat Proxy AV version 3.5.1.1

Check Point Security Suite version R77 GAIA OS

Citrix XenApp version 6.5

Oracle WebLogic Server version 10.3.6

Palo Alto Panorama version 5.1.4

Sybase version 15 on Solaris 2.10



LUA Parsers

Title: VNC

Desc: Identifies the Remote Framebuffer protocol used by VNC and its derivatives.

Title: X11_lua

Desc: Identifies the X11 protocol (RFC 1013)

Title: HTTP_lua

Desc: Replicates and improves the functionality of the native and flex HTTP parsers.Performs HTTP header anamoly detection, and proxy client IP extraction.Parses ICAP (HTTP) requests.

Title: xor_executable_lua

Desc: Detects executables that have been xor or hex encoded.

Title: NFS_lua

Desc: Identifies and parses RPC-related protocols NFS,MOUNT, and PORTMAP.

Title: DNP3_lua

Desc: DNP3 Distributed Network Protocol (SCADA)

Title: ethernet_oui

Desc: Determines the manufacturer of eth.src and eth.dst addresses.

Title: Fingerprint_Private_Key

Desc: Detects SSH and PGP private key files.

Title: IMAP_lua

Desc: Identifies IMAP,registers commands,errors,usernames, and passwords.

Title: Lync

Desc: Identifies Microsoft Lync (formerly Microsoft Office Communicator, Windows Messenger).

Title: pwdump

Desc: Detects output from Windows password dumping tools such as pwdump.

Title: QQ_lua

Desc: Identifies QQ (OICQ protocol) sessions.  Extracts number QQ user id,and login,logout events.

Title: shadyrat_lua

Desc: Identifies potential artifacts related to shadyrat command and control traffic.

Title: socks_lua

Desc: Identifies Socks protocol version 4 and 5.

Title: SoulSeek_lua

Desc: Identifies the SoulSeek file sharing protocol

Title: spectrum_lua

Desc: Determines which sessions are sent to Spectrum for analysis,based upon file types seen in the session, and total session size.

Title: DNS_verbose_lua

Desc: Identifies DNS sessions.Registers query and response records including record type.Registers protocol error messages.Alerts for dns anamolies.

Title: htran_lua

Desc: Identifies the error message generated by the htran redirection tool.

Title: bittorrent_lua

Desc: Identifies the bittorrent protocol and registers the name of the file being downloaded.

Title: fingerprint_7zip

Desc: Detects 7zip archive files.

Title: Derusbi_Server_Handshake

Desc: Detects Derusbi server handshake.

Title: fingerprint_rtf_lua

Desc: Detects RTF files

Title: fingerprint_zip

Desc: Detects PK format zip files and extracts filenames contained in the archive.

Title: NTLMSSP_lua

Desc: Extracts Active Directory user information from NTLM HTTP headers.

Title: SMB_lua

Desc: Parses the Microsoft SMB-CIFS protocol versions 1 and 2.

Title: fingerprint_rar_lua

Desc: Detects RAR archive files.  Registers names of archived files if available

Title: Netwitness Lua Library

Desc: Commonly used parser functions in lua.This file itself is not a parser.

Title: fingerprint_javascript_lua

Desc: Detect javascript and suspicious javascript actions and anomolies.

Title: fingerprint_office_lua

Desc: Identifies Microsoft Office 95,2007 Word,Excel, and Powerpoint documents.

Title: iSCSI

Desc: Identifies SCSI-over-IP.

Title: MAIL_lua

Desc: Replicates in lua the functionality of the native and flex MAIL parsers.Extracts from email messages values such as -from;to; and subject.

Title: creditcard_detection_lua

Desc: Attempts to detect possible credit card numbers and validate with Luhns Algorithm.Intended as a replacement for the credit card detection in search.ini

Title: phishing_lua

Desc: Registers the host portion from each URL found within an email.

FLEX Parsers

Title: Derusbi_Variant_Beacon

Desc: Detects Derusbi Variant Beacons

Title: DNS - Verbose

Desc: Identifies DNS sessions. Registers queries and responses including record types. Registers protocol errors.  Detects and registers anomalies.

YARA Rules

Title: RSA Malware PE Packers

Desc: Yara IOCs which statically analyze Windows PE files to identify Common Packers

Title: RSA Malware PDF Artifacts

Desc: Yara IOCs which statically analyze PDF file artifacts for signs of malware

Title: RSA Malware PE Artifacts

Desc: Yara IOCs which statically analyze Windows PE file artifacts for signs of malware

Reports

Title: Accounts Created SAW

Desc: SAW Compliance Report Template - Accounts Created SAW

Title: Accounts Deleted SAW

Desc: SAW Compliance Report Template - Accounts Deleted SAW

Title: Accounts Disabled SAW

Desc: SAW Compliance Report Template - Accounts Disabled SAW

Title: Accounts Modified SAW

Desc: SAW Compliance Report Template - Accounts Modified SAW

Title: Anti-Virus Signature Updates SAW

Desc: SAW Compliance Report Template - Anti-Virus Signature Updates SAW

Title: Change in Audit Settings SAW

Desc: SAW Compliance Report Template - Change in Audit Settings SAW

Title: Encryption Failures SAW

Desc: SAW Compliance Report Template - Encryption Failures SAW

Title: Encryption Key Generation and Changes SAW

Desc: SAW Compliance Report Template - Encryption Key Generation and Changes SAW

Title: Failed Escalation of Privileges Details SAW

Desc: SAW Compliance Report Template - Failed Escalation of Privileges Details SAW

Title: Failed Escalation of Privileges Summary SAW

Desc: SAW Compliance Report Template - Failed Escalation of Privileges Summary SAW

Title: Failed Remote Access Details SAW

Desc: SAW Compliance Report Template - Failed Remote Access Details SAW

Title: Failed Remote Access Summary SAW

Desc: SAW Compliance Report Template - Failed Remote Access Summary SAW

Title: Firewall Configuration Changes SAW

Desc: SAW Compliance Report Template - Firewall Configuration Changes SAW

Title: Firmware Changes on Wireless Devices SAW

Desc: SAW Compliance Report Template - Firmware Changes on Wireless Devices SAW

Title: Inbound Network Traffic SAW

Desc: SAW Compliance Report Template - Inbound Network Traffic SAW

Title: Logon Failures Summary SAW

Desc: SAW Compliance Report Template - Logon Failures Summary SAW

Title: Logon Failure Details SAW

Desc: SAW Compliance Report Template - Logon Failure Details SAW

Title: Outbound Network Traffic SAW

Desc: SAW Compliance Report Template - Outbound Network Traffic SAW

Title: Password Changes Details SAW

Desc: SAW Compliance Report Template - Password Changes Details SAW

Title: Password Changes Summary SAW

Desc: SAW Compliance Report Template - Password Changes Summary SAW

Title: Router Configuration Changes SAW

Desc: SAW Compliance Report Template - Router Configuration Changes SAW

Title: Successful Escalation of Privileges Details SAW

Desc: SAW Compliance Report Template - Successful Escalation of Privileges Details SAW

Title: Successful Escalation of Privileges Summary SAW

Desc: SAW Compliance Report Template - Successful Escalation of Privileges Summary SAW

Title: Successful Remote Access Details SAW

Desc: SAW Compliance Report Template - Successful Remote Access Details SAW

Title: Successful Remote Access Summary SAW

Desc: SAW Compliance Report Template - Successful Remote Access Summary SAW

Title: Successful Use of Encryption SAW

Desc: SAW Compliance Report Template - Successful Use of Encryption SAW

Title: System Clock Synchronization SAW

Desc: SAW Compliance Report Template - System Clock Synchronization SAW

Title: User Access Revoked SAW

Desc: SAW Compliance Report Template - User Access Revoked SAW

Title: User Session Terminated Summary SAW

Desc: SAW Compliance Report Template - User Session Terminated Summary SAW

Report Engine Rules

Title: Accounts Created SAW

Desc: SAW Compliance Rule - Accounts Created SAW

Title: Accounts Deleted SAW

Desc: SAW Compliance Rule - Accounts Deleted SAW

Title: Accounts Disabled SAW

Desc: SAW Compliance Rule - Accounts Disabled SAW

Title: Accounts Modified SAW

Desc: SAW Compliance Rule - Accounts Modified SAW

Title: Anti-virus Signature Update SAW

Desc: SAW Compliance Rule - Anti-virus Signature Update SAW

Title: Change in Audit Settings SAW

Desc: SAW Compliance Rule - Change in Audit Settings SAW

Title: Encryption Failures SAW

Desc: SAW Compliance Rule - Encryption Failures SAW

Title: Encryption Key Generation and Changes SAW

Desc: SAW Compliance Rule - Encryption Key Generation and Changes SAW

Title: Failed Escalation of Privileges Details SAW

Desc: SAW Compliance Rule - Failed Escalation of Privileges Details SAW

Title: Failed Escalation of Privileges Summary SAW

Desc: SAW Compliance Rule - Failed Escalation of Privileges Summary SAW

Title: Failed Remote Access Details SAW

Desc: SAW Compliance Rule - Failed Remote Access Details SAW

Title: Failed Remote Access Summary SAW

Desc: SAW Compliance Rule - Failed Remote Access Summary SAW

Title: Firewall Configuration Changes SAW

Desc: SAW Compliance Rule - Firewall Configuration Changes SAW

Title: Firmware Changes on Wireless Devices SAW

Desc: SAW Compliance Rule - Firmware Changes on Wireless Devices SAW

Title: Inbound Network Traffic SAW

Desc: SAW Compliance Rule - Inbound Network Traffic SAW

Title: Logon Failures Summary SAW

Desc: SAW Compliance Rule - Logon Failures Summary SAW

Title: Logon Failures Details SAW

Desc: SAW Compliance Rule - Logon Failures Details SAW

Title: Outbound Network Traffic SAW

Desc: SAW Compliance Rule - Outbound Network Traffic SAW

Title: Password Changes Details SAW

Desc: SAW Compliance Rule - Password Changes Details SAW

Title: Password Changes Summary SAW

Desc: SAW Compliance Rule - Password Changes Summary SAW

Title: Router Configuration Changes SAW

Desc: SAW Compliance Rule - Router Configuration Changes SAW

Title: Successful Escalation of Privileges Details SAW

Desc: SAW Compliance Rule - Successful Escalation of Privileges Details SAW

Title: Successful Escalation of Privileges Summary SAW

Desc: SAW Compliance Rule - Successful Escalation of Privileges Summary SAW

Title: Successful Remote Access Details SAW

Desc: SAW Compliance Rule - Successful Remote Access Details SAW

Title: Successful Remote Access Summary SAW

Desc: SAW Compliance Rule - Successful Remote Access Summary SAW

Title: Successful Use of Encryption SAW

Desc: SAW Compliance Rule - Successful Use of Encryption SAW

Title: System Clock Synchronization SAW

Desc: SAW Compliance Rule - System Clock Synchronization SAW

Title: User Access Revoked SAW

Desc: SAW Compliance Rule - User Access Revoked SAW

Title: User Session Terminated Summary SAW

Desc: SAW Compliance Rule - User Session Terminated Summary SAW

Labels:
0 Likes
© 2022 RSA Security LLC or its affiliates. All rights reserved.