Dear Valued RSA Customer,
RSA is pleased to announce the addition of new and updated content to RSA Live’s Content Library. We have added a few useful submission links this month, so please take a moment to review the various sections in this announcement to become familiar with the latest tools we are providing you to detect threats to your environment.
The categories of new and updated content are as follows:
Application Rules
Correlation Rules
RE Rules
RE Lists
RE Reports
Event Stream Analysis Rules
Log (Device) Parsers
LUA Parsers
Flex Parsers
Security Analytics Rules
The Latest Research from RSA
Introducing a new blog that details GameOver Zeus and How to Detect It
RSA’s FirstWatch team has posted a blog detailing a specific botnet variant: The Kargen Zbot and How to Detect It
We look forward to presenting you new content updates next month!
Regards,
The RSA Security Analytics Content Team
Content Updates
New Application Rules
Title: zusy_botnet
Desc: Detects the beaconing activity of the Zusy botnet.
Title: tsone_dorkbot_beaconing
Desc: Detects hosts infected with the TSONE Dorkbot.
Title: ssh to external
Desc: Detects when an internal IP address initiates an SSH connection to an external IP address. An SSH connection is identified by service = 22 and tcp.dstport = 22. An internal IP address is one in the private address space defined by RFC 1918; any IP address outside that space is considered external.
Title: tdss_rootkit_variant_beaconing
Desc: Detects the beaconing activity of the TDSS Rootkit botnet.
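The internal-to-external SSH condition above is simple enough to restate as a function, which is a useful way to check the edge cases before deploying an app rule. The following is an added example written for this announcement, not content from RSA Live; the flat dictionary of meta keys is a hypothetical stand-in for session metadata, and the sample sessions are constructed. Note that Python's ipaddress.is_private covers more than RFC 1918 (loopback, link-local, documentation ranges), so the check below lists the three RFC 1918 blocks explicitly to match the rule as described.

```python
import ipaddress

# The three RFC 1918 blocks. Anything else is "external" as far as the rule is concerned.
# Listed explicitly on purpose: ipaddress's is_private also returns True for
# 127.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24 and other non-RFC 1918 ranges.
RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def is_rfc1918(addr: str) -> bool:
    """True only for an IPv4 address inside 10/8, 172.16/12 or 192.168/16."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    if ip.version != 4:
        return False
    return any(ip in net for net in RFC1918)


def ssh_to_external(session: dict) -> bool:
    """Mirror of the 'ssh to external' condition:
    service = 22 AND tcp.dstport = 22 AND ip.src is RFC 1918 AND ip.dst is not.
    `session` is a hypothetical flat dict keyed by NetWitness-style meta names."""
    if session.get("service") != 22 or session.get("tcp.dstport") != 22:
        return False
    return is_rfc1918(session["ip.src"]) and not is_rfc1918(session["ip.dst"])


# Constructed sample sessions (not captured traffic).
SESSIONS = [
    {"ip.src": "10.1.2.3",    "ip.dst": "203.0.113.10", "service": 22, "tcp.dstport": 22},    # fires
    {"ip.src": "10.1.2.3",    "ip.dst": "10.9.9.9",     "service": 22, "tcp.dstport": 22},    # internal to internal
    {"ip.src": "203.0.113.5", "ip.dst": "10.1.2.3",     "service": 22, "tcp.dstport": 22},    # inbound, not outbound
    {"ip.src": "192.168.0.7", "ip.dst": "198.51.100.2", "service": 22, "tcp.dstport": 2222},  # SSH on a non-standard port: a different rule
    {"ip.src": "172.31.0.9",  "ip.dst": "198.51.100.2", "service": 80, "tcp.dstport": 22},    # port 22 but not identified as SSH
]


def matching_sessions(sessions=SESSIONS):
    """Sessions that would receive alert.id = 'ssh to external'."""
    return [s for s in sessions if ssh_to_external(s)]


if __name__ == "__main__":
    for s in matching_sessions():
        print(f"alert.id=ssh to external  {s['ip.src']} -> {s['ip.dst']}")
```

The fourth sample session shows why the rule needs both service = 22 and tcp.dstport = 22: SSH negotiated on port 2222 is left to the separate "SSH Over Non Standard Port" rule rather than silently counted here.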
New Correlation Rules
Title: IPv4 Potential DB Server Sweep 5
Desc: Detects when a Packet or Log Decoder receives sessions from a single source IPv4 address that connects to five or more unique destination IPv4 addresses on destination ports 1433 (MSSQL), 1521 (Oracle) or 3306 (MySQL) within one minute. This rule should be deployed on a Concentrator, as it examines both log and packet metadata. The rule uses ip.dstport for logs and tcp.dstport for packets. For IP addresses, the rule examines the ip.src and ip.dst metadata.
Title: IPv4 Horizontal Port Scan 5
Desc: Detects when a unique IPv4 source address communicates with five or more unique IP destination addresses within one minute across network sessions.
Title: IPv4 Vertical TCP Port Scan 5
Desc: Detects when a unique combination of IPv4 source and destination addresses communicate over five or more unique TCP ports within one minute across network sessions.
Title: IPv4 Vertical UDP Port Scan 5
Desc: Detects when a unique combination of IPv4 source and destination addresses communicate over five or more unique UDP ports within one minute across network sessions.
Title: IPv6 Horizontal Port Scan 5
Desc: Detects when a unique IPv6 source address communicates with five or more unique IP destination addresses within one minute across network sessions.
Title: IPv6 Vertical TCP Port Scan 5
Desc: Detects when a unique combination of IPv6 source and destination addresses communicate over five or more unique TCP ports within one minute across network sessions.
Title: IPv6 Vertical UDP Port Scan 5
Desc: Detects when a unique combination of IPv6 source and destination addresses communicate over five or more unique UDP ports within one minute.
Title: IPv4 Potential Web Sweep 10
Desc: Detects when a unique IPv4 source address communicates with ten or more unique IP destination addresses on port 80 within one minute.
Title: IPv6 Potential Web Sweep 10
Desc: Detects when a unique IPv6 source address communicates with ten or more unique IP destination addresses on port 80 within one minute.
Title: IPv6 Potential DB Server Sweep 5
Desc: Detects when a Packet or Log Decoder receives sessions from a single source IPv6 address that connects to five or more unique destination IPv6 addresses on destination ports 1433 (MSSQL), 1521 (Oracle) or 3306 (MySQL) within one minute. This rule should be deployed on a Concentrator, as it examines both log and packet metadata. The rule uses ip.dstport for logs and tcp.dstport for packets. For IP addresses, the rule examines the ipv6.src and ipv6.dst metadata.
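The correlation rules in this section share one shape: count distinct values (destinations, or ports) per key (source, or source/destination pair) inside a one-minute window and fire at a threshold. The following added example, written for this announcement and not RSA content, runs that logic over constructed session metadata so you can see which rule each pattern trips, and it honours the log-versus-packet detail above by reading the destination port from tcp.dstport when present and ip.dstport otherwise. The flat dictionaries and the integer "time" field are assumptions for illustration.

```python
from collections import Counter, defaultdict

DB_PORTS = {1433, 1521, 3306}   # MSSQL, Oracle, MySQL
WINDOW_SECONDS = 60


def dst_port(session):
    """Destination port as the DB sweep rule reads it on a Concentrator:
    tcp.dstport for packet meta, ip.dstport for log meta."""
    return session.get("tcp.dstport", session.get("ip.dstport"))


def unique_values_in_window(events, threshold, window=WINDOW_SECONDS):
    """events: iterable of (time, key, value).
    Returns {key: set_of_values} for every key that sees >= threshold distinct
    values within `window` seconds (the set recorded at the moment it first fires)."""
    by_key = defaultdict(list)
    for t, key, value in events:
        by_key[key].append((t, value))
    hits = {}
    for key, items in by_key.items():
        items.sort()
        counts = Counter()          # distinct values currently inside the window
        left = 0
        for t, value in items:
            counts[value] += 1
            while items[left][0] < t - window:   # slide the window forward
                old = items[left][1]
                counts[old] -= 1
                if counts[old] == 0:
                    del counts[old]
                left += 1
            if len(counts) >= threshold and key not in hits:
                hits[key] = set(counts)
    return hits


def horizontal_port_scan(sessions, threshold=5):
    """IPv4 Horizontal Port Scan 5: one source, >= 5 unique destinations in a minute."""
    return unique_values_in_window(
        ((s["time"], s["ip.src"], s["ip.dst"]) for s in sessions), threshold)


def vertical_tcp_port_scan(sessions, threshold=5):
    """IPv4 Vertical TCP Port Scan 5: one src/dst pair, >= 5 unique TCP ports in a minute."""
    return unique_values_in_window(
        ((s["time"], (s["ip.src"], s["ip.dst"]), s["tcp.dstport"])
         for s in sessions if "tcp.dstport" in s), threshold)


def db_server_sweep(sessions, threshold=5):
    """IPv4 Potential DB Server Sweep 5: one source, >= 5 unique destinations on DB ports."""
    return unique_values_in_window(
        ((s["time"], s["ip.src"], s["ip.dst"])
         for s in sessions if dst_port(s) in DB_PORTS), threshold)


# Constructed sample sessions (not real traffic); "time" is seconds from an arbitrary start.
SESSIONS = (
    # packet meta: 10.0.0.5 probes six MySQL servers in 30 seconds
    [{"time": 5 * i, "ip.src": "10.0.0.5", "ip.dst": f"10.0.1.{i}", "tcp.dstport": 3306}
     for i in range(1, 7)]
    # packet meta: 10.0.0.6 walks five TCP ports on a single host
    + [{"time": 100 + i, "ip.src": "10.0.0.6", "ip.dst": "10.0.0.20", "tcp.dstport": p}
       for i, p in enumerate([21, 22, 23, 25, 80])]
    # log meta (firewall): 10.0.0.8 reaches five Oracle listeners, port carried in ip.dstport
    + [{"time": 200 + 2 * i, "ip.src": "10.0.0.8", "ip.dst": f"10.0.2.{i}", "ip.dstport": 1521}
       for i in range(5)]
    # slow scan: five hosts spread over five minutes never puts five inside one window
    + [{"time": 300 + 75 * i, "ip.src": "10.0.0.9", "ip.dst": f"10.0.3.{i}", "tcp.dstport": 80}
       for i in range(5)]
)

if __name__ == "__main__":
    print("horizontal:", sorted(horizontal_port_scan(SESSIONS)))
    print("vertical tcp:", sorted(vertical_tcp_port_scan(SESSIONS)))
    print("db sweep:", sorted(db_server_sweep(SESSIONS)))
```

The slow-scan source is the caveat worth remembering: a fixed one-minute window with a threshold of five will never see a scanner that paces itself at one host per 75 seconds, so these rules catch noisy sweeps, not patient ones.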
New RE Rules
Title: Ad Servers by Bandwidth
Desc: Aggregates sessions that contain ad sites listed in the Ad Servers List. Ad services consume a lot of disk space; if the traffic is acceptable, ad servers are a good candidate for filtering. This rule feeds data to the Global Filtering Candidate report.
Title: Content Delivery Networks by Bandwidth
Desc: Aggregates sessions that contain CDNs listed in the Content Delivery Networks List. Filter these sites to reduce the amount of "noise" from non-dangerous traffic.
Title: IPv4 Horizontal Port Scans
Desc: Fires when any of IPv4 Horizontal Port Scan 5, IPv4 Potential Web Sweep 10 or IPv4 Potential DB Server Sweep 5 has been generated within the report date range across network sessions.
Title: IPv4 Vertical Port Scans
Desc: Fires when either IPv4 Vertical TCP Port Scan 5 or IPv4 Vertical UDP Port Scan 5 has been generated within the report date range across network sessions.
Title: IPv6 Horizontal Port Scans
Desc: Fires when any of IPv6 Horizontal Port Scan 5, IPv6 Potential Web Sweep 10 or IPv6 Potential DB Server Sweep 5 has been generated within the report date range across network sessions.
Title: IPv6 Vertical Port Scans
Desc: Fires when either IPv6 Vertical TCP Port Scan 5 or IPv6 Vertical UDP Port Scan 5 has been generated within the report date range across network sessions.
Title: News Portals by Bandwidth
Desc: Aggregates sessions that contain news sites listed in the News Portal List. If you are not worried about these sites, you should filter them from capture.
Title: SSH to External Address
Desc: Fires when alert.id = "ssh to external". This rule is indirectly dependent on the app rule ssh_internal_to_external.nwr, which appends alert.id = "ssh to external" when SSH traffic is detected from an internal to an external IP address. An SSH connection is identified by service = 22 and tcp.dstport = 22. An internal IP address is one in the private address space defined by RFC 1918; any IP address outside that space is considered external.
Title: Streaming Media by Bandwidth
Desc: Aggregates sessions that contain streaming media sites, which are listed in the Streaming Media List. Capturing streaming media is a huge problem for disk retention. These are good filtering candidates.
Title: Top Social Sites by Bandwidth
Desc: Aggregates sessions that contain social sites, which are listed in the Social Sites List. If social media is not blocked or considered a risk, filter traffic to reduce amount of data captured.
Title: Vendor Update Sites by Bandwidth
Desc: Aggregates sessions that contain vendor update sites defined in the Vendor Update Sites List. Traffic from most vendor sites is considered normal and is therefore a good filtering candidate.
Title: SSH Over Non Standard Port
Desc: Fires when SSH traffic is detected on a port other than the one typically used for SSH.
New RE Lists
Title: Ad Servers
Desc: List of popular ad sites. Ad services consume a lot of disk space; if the traffic is acceptable, ad servers are a good candidate for filtering.
Title: Content Delivery Networks
Desc: List of popular Content Delivery Networks. Most popular content is spread across CDNs. Filter these sites to reduce the amount of "noise" from non-dangerous traffic.
Title: News Portals
Desc: List of popular news portal sites. If you are not worried about these sites, you should filter them from capture.
Title: Social Sites
Desc: List of popular social sites. If social media is not blocked and not considered a risk, filter this traffic from capture.
Title: Streaming Media Sites
Desc: List of popular streaming media sites. Capturing streaming media is a huge problem for disk retention, so it makes sense to filter them.
Title: Vendor Update Sites
Desc: List of popular vendor update sites that provide updates to your endpoints. Traffic from most vendor sites is considered normal and can therefore be filtered from capture.
New RE Reports
Title: SSH Activity
Desc: Reports two activities: any SSH going to external IP addresses, and any SSH detected over a port other than 22.
Title: Scanning Activity
Desc: Reports vertical and horizontal port scans for both IPv4 and IPv6 addresses across network sessions.
Title: Global Filtering Candidate Report
Desc: Shows an aggregated view of the traffic being captured in your SA deployment. Use this view to determine candidates for filtering. For instance, if the entire company reads CNN throughout the day, this report will show that usage. You could then decide to filter the CNN traffic from view so that suspicious traffic becomes more noticeable. The available rules and lists cover different browsing categories, such as ad servers, streaming sites, social networks, and so on.
New ESA Rules
Title: SYN Flood Log Messages
Desc: Detects SYN flood log messages with a count of 10 within 60 seconds from devices of class IDS, IPS or Firewall. The rule triggers when the Event Classification Tags (ECT) ec.theme equals "TEV", ec.activity equals "Detect" and ec.subject equals "NetworkComm", in combination with a variation of the keyword "Syn Flood" found in policy.name, event.desc or msg.id. This alert uses the non-standard meta key event.desc, so that key must be made available on the Log Decoder and Concentrator.
Title: Multiple Intrusion scan events from same username to unique destinations
Desc: Detects scan events from intrusion devices to unique destinations from the same username. All events leading to the alert have the same username and different destination addresses. The rule triggers when the Event Classification Tag ec.activity equals "Scan", in combination with a user-defined list of message IDs and/or policy.name values, and the count of unique destination addresses reaches the configured number. Message IDs and policy.name values should be in lower case.
Title: User Added to Administrative Group + SIGHUP Detected within 5 Minutes
Desc: Detects when a user is added to one of the admin groups (a custom list of groups) and a SIGHUP is detected on a service on the same device.ip. This rule is specific to Unix devices.
Updated ESA Rules
Title: Non DNS Traffic on TCP or UDP Port 53 Containing Executable
Desc: Detects non-DNS traffic on UDP destination port 53 that contains an executable file. You can configure the list of executable file extensions and the UDP port for DNS traffic.
Title: User added to admin group then iptables is restarted
Desc: Detects when a user is added to one of the specified groups and the same user then restarts iptables on the same device IP. This rule is specific to Linux devices.
Title: Basic Rule Template
Desc: This template is for basic rule content module creation.
Title: User added to admin group then syslog is disabled
Desc: Detects when a user is added to one of the listed groups and the same user then stops the syslog/rsyslog service on a Linux machine. The rule relies on EC tags for group modification. Linux does not generate an event for stopping the syslog service, but it does generate one for stopping kernel logging, and that event is used to fire the rule.
New Log Parsers
Title: Netscreen IDP
Desc: Log Device content for event source Netscreen IDP - netscreenidp
Title: Nortel Web OS
Desc: Log Device content for event source Nortel Web OS - nortelwebos
Title: Atlassian Stash
Desc: Log Device content for event source Atlassian Stash - stash
Title: Zscaler NSS
Desc: Log Device content for event source Zscaler NSS - zscalernss
Title: Sonicwall-FW
Desc: Log Device content for event source Sonicwall-FW - sonicwall
Updated Log Parsers
Title: Envision Content File
Desc: This file is used to update the content file for NWFL
Title: Airdefense Enterprise
Desc: Log Device content for event source Airdefense Enterprise - airdefense
Title: UNIX AIX
Desc: Log Device content for event source UNIX AIX - aix
Title: F5 BigIP
Desc: Log Device content for event source F5 BigIP - bigip
Title: Blue Coat ELFF
Desc: Log Device content for event source Blue Coat ELFF - cacheflowelff
Title: Check Point FW-1
Desc: Log Device content for event source Check Point FW-1 - checkpointfw1
Title: Cisco ASA
Desc: Log Device content for event source Cisco ASA - ciscoasa
Title: Cisco Secure IDS XML
Desc: Log Device content for event source Cisco Secure IDS XML - ciscoidsxml
Title: Cisco IOS
Desc: Log Device content for event source Cisco IOS - ciscorouter
Title: Cisco UCS Manager
Desc: Log Device content for event source Cisco UCS Manager - ciscoucs
Title: Cyberguard Classic
Desc: Log Device content for event source Cyberguard Classic - cyberguardclassic
Title: Dragon IDS
Desc: Log Device content for event source Dragon IDS - dragonids
Title: Envision Config File
Desc: This file is used to update the Log Device base config files: table-map.xml, ipaddr.tab, etc.ini
Title: Fortinet FortiGate
Desc: Log Device content for event source Fortinet FortiGate - fortinet
Title: IBM DB2 UDB
Desc: Log Device content for event source IBM DB2 UDB - ibmdb2
Title: IntruShield
Desc: Log Device content for event source IntruShield - intrushield
Title: McAfee Email Gateway
Desc: Log Device content for event source McAfee Email Gateway - ironmail
Title: ISS Realsecure
Desc: Log Device content for event source ISS Realsecure - iss
Title: Juniper SSL VPN
Desc: Log Device content for event source Juniper SSL VPN - junipervpn
Title: Microsoft Operations Manager
Desc: Log Device content for event source Microsoft Operations Manager - mom
Title: Microsoft Exchange
Desc: Log Device content for event source Microsoft Exchange - msexchange
Title: Microsoft SharePoint
Desc: Log Device content for event source Microsoft SharePoint - mssharepoint
Title: NFR NIDS
Desc: Log Device content for event source NFR NIDS - nfrnids
Title: Nortel VPN Contivity
Desc: Log Device content for event source Nortel VPN Contivity - nortelvpn
Title: Oracle Access manager
Desc: Log Device content for event source Oracle Access manager - oracleam
Title: Palo Alto Networks Firewall
Desc: Log Device content for event source Palo Alto Networks Firewall - paloaltonetworks
Title: Linux
Desc: Log Device content for event source Linux - rhlinux
Title: RSA DLP
Desc: Log Device content for event source RSA DLP - rsadlp
Title: Silver Tail Systems Forensics
Desc: Log Device content for event source Silver Tail Systems Forensics - silvertailforensics
Title: Snort/Sourcefire
Desc: Log Device content for event source Snort/Sourcefire - snort
Title: Sophos Enterprise Console
Desc: Log Device content for event source Sophos Enterprise Console - sophos
Title: Tipping Point
Desc: Log Device content for event source Tipping Point - tippingpoint
Title: Trend Micro
Desc: Log Device content for event source Trend Micro - trendmicro
Title: Trend Micro IWSS
Desc: Log Device content for event source Trend Micro IWSS - trendmicroiwss
Title: VMware ESX / ESXi
Desc: Log Device content for event source VMware ESX / ESXi - vmware_esx_esxi
Title: VMware vCenter
Desc: Log Device content for event source VMware vCenter - vmware_vc
Title: VMware View
Desc: Log Device content for event source VMware View - vmware_view
Updated Lua Parsers
Title: TLS_lua
Desc: Identifies TLS and SSL sessions. Extracts the Certificate Authority Subject and Serial Number from X.509v3 certificates.
Updated Flex Parsers
Title: TLS
Desc: Parses SSL/TLS certificates. Specifically, it looks for the first certificate in a chain and extracts the Issuer Organizational Name (meta ssl.ca), Subject Organizational Name (meta ssl.subject), and Subject Common Name (meta alias.host).
Seeking Customer Developed Parsers, Rules, and Reports
Security Analytics content will be evolving in 2014, both in functionality and presentation. We’d like to work more closely with our customers in order to provide content that helps you find the threats that matter most to you. Your feedback, suggestions, and general questions are always appreciated.
1. Have you created a parser, rule, or report that you think is widely applicable across the SA User Community? Let us know about it! Reach out to us at:
Your emails will go directly to the Content Management team and we are looking forward to working with you to help evolve our content offering.
2. Do you want to request support for a new log source or protocol?
For Log Parser Requests go here: https://emcinformation.com/64308/REG/.ashx
For Protocol Parser Requests go here: https://emcinformation.com/139605/SI/.ashx
3. Do you want to request use cases for Event Stream Analysis Rules?
Please use our request form: https://emcinformation.com/204401/REG/.ashx
The content team will also be heavily engaged with the EMC Community portal this year. Not only is the Community a great place for us to communicate directly with our customers, but it’s a wonderful resource for our customers to gain tips and tricks from our research engineers as well as gain early access to our various pieces of security research. Not a member? Sign up here:
https://developer-content.emc.com/login/register.asp