NetWitness Community

Dear Valued RSA Customer,

RSA is pleased to announce the addition of new and updated content to the RSA Live Content Library. We have added several useful submission links this month, so please take a moment to review this announcement about the latest tools we are providing you to detect threats to your environment.

New and updated content includes:

Application Rules – new rules include the ability to detect outbound MS Outlook PFF files, outbound TOR connections and proxy detection and more

Reporting Engine (RE) Reports – A new report on anonymous proxy and remote control activity has been added

Reporting Engine (RE) Rules – new rules to detect anonymous access, use of remote client download sites and suspicious tunneling and more

Event Stream Analysis (ESA) Rules – There are many new correlation rules including aggressive scan detection, logins across multiple platforms, password cracker tools and many more

Log (Device) Parsers (ESU 73) – New parsers for vCenter and many updated parsers

As a reminder we are always  seeking your input and custom developed parsers rules and reports.  Please see instruction below to learn how to submit or leverage the RSA Security Analytics Community where you’ll also find previous RSA Live Content updates https://community.emc.com/community/connect/rsaxchange/netwitness

We look forward to presenting you new content updates next month!

Regards,

The RSA Security Analytics Content Team

Content Updates

New Application Rules

Title: Outbound MS Outlook PFF file

Desc: Detects outbound MS Outlook (Personal folder files) PFF filetype.

• It does not differentiate between type of pff (e.g.: .pst, .ost, .pab).
• NOTE:

Title: Tor Outbound

Desc: Detects an encrypted network session to an external (non RFC-1918) IP destination that shows at least one indicator of using the Tor protocol for anonymous data access.

The possible indicators of Tor are communication:

• Over a common Tor destination port of 9001,9030,9050 or 9051
• Communication with a known Tor tunnel node.  RSA Feeds of Tor Nodes and Tor Exit Nodes are required for this indicator.

An encrypted network session is identified as service 443 (HTTPS), 22 (SSH) or IP protocol 50 (IPSec).  A network parser for TLS is required.

Title: Proxy Anonymous Services

Desc: Detects use of common proxy services using a list of domains matched against the alias host meta key.  Use of an HTTP network parser is required.

Title: Proxy Client Download

Desc: Detects proxy client file downloads by looking for the file name and extension within the filename meta key.  Use of an HTTP network parser is required.

Title: Remote Control Client Download

Desc: Detects remote client file downloads by looking for the file name and extension within the filename meta key.  Use of an HTTP network parser is required.

Title: Remote Control Client Website

Desc: Detects use of common remote client download sites using a list of domains matched against the alias host meta key. Use of an HTTP network parser is required.

New Reporting Engine (RE) Reports

Title: Anonymous Proxy and Remote Control Activity

Desc: Displays suspected use of services, clients or protocols for anonymous access or remote control activites.

New Reporting Engine (RE) Rules

Title: Anonymous Access by Suspicious Source

Desc: Displays when a user enters or exists through a suspected criminal SOCKS or VPN node. RSA FirstWatch feeds populate the meta keys used within the rule.  The rule requies threat.category equal to  'anonymous access'  plus threat.desc as either 'suspicious-ip' or 'criminal vpn service exit node' or 'criminal vpn service entry node' or 'criminal socks node'.

Title: Anonymous Proxy Service Connection

Desc: Detects use of common proxy services using a list of domains matched against the alias host meta key.  Use of an HTTP network parser is required.

Title: Remote Control Client Site

Desc: Detects use of common remote client download sites using a list of domains matched against the alias host meta key. Use of an HTTP network parser is required.

Title: Remote Control or Proxy Client Download

Desc: Detects proxy and remote client file downloads by looking for the file name and extension within the filename meta key. Use of an HTTP network parser is required.

Title: Tunneling Protocols Outbound

Desc: Displays internal users communicating over tunneling protocols that may indicate inappropriate or anonymous access.  This rule includes SSH and Tor tunneling protocols..

New Event Stream Analysis (ESA) Rules

Title: Aggressive internal web portal scan

Desc: Detects a single host making connection attempts to 20 or more unique IP addresses in 1 minute over any combination of TCP/80 and TCP/443. The time window and unique target number are configurable.

Title: Aggressive NetBIOS scan

Desc: Detects a single host making connection attempts to 10 or more unique IP addresses over 2 of the three following ports within 1 minute: UDP/137, UDP/138, TCP139 .

Title: Aggressive Internal Database Scan

Desc: Detects a single host making connections to 10 or more unique IP addresses in 1 minute over any combination of the following ports TCP/1433, UDP/1434, TCP/3306, TCP/5432, TCP/3351, TCP/1583.

Title: Consecutive Login without Logout

Desc: Detects consecutive logins by the same user to the same system without a Logout

Title: Suspicious Login without any activity

Desc: Detects a login and logout from a single user with no other recorded activity. Rule is limited to windows hosts.

Title: Low Orbit Ion Cannon DoS tool download

Desc: Detects Low Orbit Ion Cannon DoS tool download from sourceforge.

Title: WebSploit tool download

Desc: Detects WebSploit tool download from sourceforge.

Title: Suspicious Communication Channel: Sender

Desc: Detects servers that are generating multiple SYN/ACKs to the same host without ever having received a SYN packet from the host. In normal TCP communications SYN/ACKs should only be presented after receiving an initiating SYN packet

Title: Suspicious Communication Channel: Receiver

Desc: Detects server responding with a TCP RST in response to a SYN/ACK multiple times to the same host in one minute. The IP sending the RST (not RST / ACK) may potentially be receiving side of a covert communication channel.

Title: Logins across multiple platforms

Desc: Detects logins from the same user across 3 or more separate platforms within 5 minutes. The time window and unique destination number are configurable.

Title: DoS Logged and Service Shutdown

Desc: Detects 2 DoS log events to a host followed by a service on the host shutting down within 5 minutes. This rule requires a IPS/IDS monitoring the segment and reporting to SA as well as having host based logging configured on the protected servers.

The time window and DoS log event number are configurable.  This module uses non-standard meta key 'disposition'.

Title: Remote Password Cracking Tool Use

Desc: Detects login failures from a IP or host source to 3 different IP or host destinations. The time window and login failures number are configurable.  This module uses non-standard meta keys host.src and host.dst.

New Log Parsers

Title: VMware vCenter Orchestrator

Desc: Log Device content for event source VMware vCenter Orchestrator – vmware_vco

Title: vCenter Operations Manager

Desc: Log Device content for event source VMware vCenter Operations Manager

Title: vCloud Automation Center

Desc: Log Device content for event source VMware vCloud Automation Center

Updated Log Parsers

Title: Tipping Point

Desc: Log Device content for event source Tipping Point

Title: Blue Coat ELFF

Desc: Log Device content for event source Blue Coat ELFF

Title: Windows Events (Snare)

Desc: Log Device content for event source Windows Events (Snare)

Title: Windows Events (NIC)

Desc: Log Device content for event source Windows Events (NIC)

Title: VMware vShield

Desc: Log Device content for event source VMware vShield

Title: Trend Micro Deep Security Agent

Desc: Log Device content for event source Trend Micro Deep Security Agent

Title: Snort/Sourcefire

Desc: Log Device content for event source Snort/Sourcefire

Title: Web Threat Detection

Desc: Log Device content for event source Web Threat Detection

Title: RSA DLP

Desc: Log Device content for event source RSA DLP

Title: RSA Access Manager

Desc: Log Device content for event source RSA Access Manager

Title: RSA Adaptive Authentication On Premise

Desc: Log Device content for event source RSA Adaptive Authentication On Premise

Title: Rapid7 NeXpose

Desc: Log Device content for event source Rapid7 NeXpose

Title: Netscreen IDP

Desc: Log Device content for event source Netscreen IDP

Title: Microsoft Exchange

Desc: Log Device content for event source Microsoft Exchange

Title: Lotus Domino

Desc: Log Device content for event source Lotus Domino

Title: Juniper JUNOS

Desc: Log Device content for event source Juniper JUNOS

Title: ISS Realsecure

Desc: Log Device content for event source ISS Realsecure

Title: IntruShield

Desc: Log Device content for event source IntruShield

Title: IBM WebSphere

Desc: Log Device content for event source IBM WebSphere

Title: IBM Mainframe zOS System Log

Desc: Log Device content for event source IBM Mainframe zOS System Log

Title: CA ACF2

Desc: Log Device content for event source CA ACF2

Title: Fortinet FortiGate

Desc: Log Device content for event source Fortinet FortiGate

Title: Dragon IDS

Desc: Log Device content for event source Dragon IDS

Title: Cyberoam UTM

Desc: Log Device content for event source Cyberoam UTM

Title: Citrix NetScaler

Desc: Log Device content for event source Citrix NetScaler

Title: Cisco Secure ACS Appliance

Desc: Log Device content for event source Cisco Secure ACS Appliance

Title: Cisco IOS

Desc: Log Device content for event source Cisco IOS

Title: Cisco Secure IDS XML

Desc: Log Device content for event source Cisco Secure IDS XML

Seeking Customer Developed Parsers, Rules, and Reports

Security Analytics content will be evolving in 2014, both in functionality and presentation. We’d like to work more closely with our customers in order to provide content that helps you find the threats that matter most to you. Your feedback, suggestions, and general questions are always appreciated.

Have you created a parser, rule, or report that you think is widely applicable across the SA User Community? Let us know about it! Reach out to us at:

ASOC.CONTENT@emc.com

Your emails will go directly to the Content Management team and we are looking forward to working with you to help evolve our content offering.

Do you want to request support for a new log source or protocol?

For Log Parser Requests go here: https://emcinformation.com/64308/REG/.ash

For Protocol Parser Requests go here: https://emcinformation.com/139605/SI/.ashx

Do you want to request use cases for Event Stream Analysis Rules?

Please use our request form: https://emcinformation.com/204401/REG/.ashx

The content team will also be heavily engaged with the EMC Community portal this year. Not only is the Community a great place for us to communicate directly with our customers, but it’s a wonderful resource for our customers to gain tips and tricks from our research engineers as well as gain early access to our various pieces of security research. Not a member? Sign up here:

https://developer-content.emc.com/login/register.asp