Dear Valued RSA Customer,
RSA is pleased to announce the addition of new and updated content to the RSA Live Content Library. We have added several useful submission links this month, so please take a moment to review this announcement about the latest tools we are providing you to detect threats to your environment.
New and updated content includes:
Application Rules – new rules include the ability to detect outbound MS Outlook PFF files, outbound Tor connections, proxy use, and more
Reporting Engine (RE) Reports – A new report on anonymous proxy and remote control activity has been added
Reporting Engine (RE) Rules – new rules to detect anonymous access, use of remote client download sites and suspicious tunneling and more
Event Stream Analysis (ESA) Rules – There are many new correlation rules including aggressive scan detection, logins across multiple platforms, password cracker tools and many more
Log (Device) Parsers (ESU 73) – New parsers for vCenter and many updated parsers
As a reminder, we are always seeking your input and your custom-developed parsers, rules, and reports. Please see the instructions below to learn how to submit them, or visit the RSA Security Analytics Community, where you’ll also find previous RSA Live Content updates: https://community.emc.com/community/connect/rsaxchange/netwitness
We look forward to presenting you new content updates next month!
Regards,
The RSA Security Analytics Content Team
Content Updates
New Application Rules
Title: Outbound MS Outlook PFF file
Desc: Detects outbound MS Outlook (Personal folder files) PFF filetype.
Title: Tor Outbound
Desc: Detects an encrypted network session to an external (non RFC-1918) IP destination that shows at least one indicator of using the Tor protocol for anonymous data access.
The possible indicators of Tor communication are:
An encrypted network session is identified as service 443 (HTTPS), 22 (SSH) or IP protocol 50 (IPSec). A network parser for TLS is required.
Title: Proxy Anonymous Services
Desc: Detects use of common proxy services using a list of domains matched against the alias host meta key. Use of an HTTP network parser is required.
Title: Proxy Client Download
Desc: Detects proxy client file downloads by looking for the file name and extension within the filename meta key. Use of an HTTP network parser is required.
Title: Remote Control Client Download
Desc: Detects remote client file downloads by looking for the file name and extension within the filename meta key. Use of an HTTP network parser is required.
Title: Remote Control Client Website
Desc: Detects use of common remote client download sites using a list of domains matched against the alias host meta key. Use of an HTTP network parser is required.
New Reporting Engine (RE) Reports
Title: Anonymous Proxy and Remote Control Activity
Desc: Displays suspected use of services, clients or protocols for anonymous access or remote control activities.
New Reporting Engine (RE) Rules
Title: Anonymous Access by Suspicious Source
Desc: Displays when a user enters or exits through a suspected criminal SOCKS or VPN node. RSA FirstWatch feeds populate the meta keys used within the rule. The rule requires threat.category equal to 'anonymous access' plus threat.desc as either 'suspicious-ip', 'criminal vpn service exit node', 'criminal vpn service entry node' or 'criminal socks node'.
Title: Anonymous Proxy Service Connection
Desc: Detects use of common proxy services using a list of domains matched against the alias host meta key. Use of an HTTP network parser is required.
Title: Remote Control Client Site
Desc: Detects use of common remote client download sites using a list of domains matched against the alias host meta key. Use of an HTTP network parser is required.
Title: Remote Control or Proxy Client Download
Desc: Detects proxy and remote client file downloads by looking for the file name and extension within the filename meta key. Use of an HTTP network parser is required.
Title: Tunneling Protocols Outbound
Desc: Displays internal users communicating over tunneling protocols that may indicate inappropriate or anonymous access. This rule includes the SSH and Tor tunneling protocols.
New Event Stream Analysis (ESA) Rules
Title: Aggressive internal web portal scan
Desc: Detects a single host making connection attempts to 20 or more unique IP addresses in 1 minute over any combination of TCP/80 and TCP/443. The time window and unique target number are configurable.
Title: Aggressive NetBIOS scan
Desc: Detects a single host making connection attempts to 10 or more unique IP addresses over two of the following three ports within 1 minute: UDP/137, UDP/138, TCP/139.
Title: Aggressive Internal Database Scan
Desc: Detects a single host making connections to 10 or more unique IP addresses in 1 minute over any combination of the following ports: TCP/1433, UDP/1434, TCP/3306, TCP/5432, TCP/3351, TCP/1583.
Title: Consecutive Login without Logout
Desc: Detects consecutive logins by the same user to the same system without a logout.
Title: Suspicious Login without any activity
Desc: Detects a login and logout from a single user with no other recorded activity. The rule is limited to Windows hosts.
Title: Low Orbit Ion Cannon DoS tool download
Desc: Detects Low Orbit Ion Cannon DoS tool download from sourceforge.
Title: WebSploit tool download
Desc: Detects WebSploit tool download from sourceforge.
Title: Suspicious Communication Channel: Sender
Desc: Detects servers that are generating multiple SYN/ACKs to the same host without ever having received a SYN packet from that host. In normal TCP communication a SYN/ACK should only be sent after receiving an initiating SYN packet.
Title: Suspicious Communication Channel: Receiver
Desc: Detects a server responding with a TCP RST (not RST/ACK) to a SYN/ACK multiple times to the same host in one minute. The IP sending the RST may be the receiving side of a covert communication channel.
Title: Logins across multiple platforms
Desc: Detects logins from the same user across 3 or more separate platforms within 5 minutes. The time window and unique destination number are configurable.
Title: DoS Logged and Service Shutdown
Desc: Detects 2 DoS log events to a host followed by a service on the host shutting down within 5 minutes. This rule requires an IPS/IDS monitoring the segment and reporting to SA, as well as host-based logging configured on the protected servers.
The time window and DoS log event number are configurable. This module uses non-standard meta key 'disposition'.
Title: Remote Password Cracking Tool Use
Desc: Detects login failures from an IP or host source to 3 different IP or host destinations. The time window and login-failure count are configurable. This module uses the non-standard meta keys host.src and host.dst.
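As an added example (not RSA's ESA rule logic), the following sliding-window detector implements the three "Aggressive ... scan" rules above with their stated thresholds, run over constructed connection records. The record format and the reading of the NetBIOS "2 of the three ports" condition as "at least two distinct ports seen" are assumptions.

```python
from collections import defaultdict, deque

# Rule profiles mirroring the three ESA scan descriptions above.
# window is in seconds; thresholds are the defaults given in the text and
# are meant to be tuned per environment. min_ports is our assumption for
# the NetBIOS "2 of the three ports" wording.
SCAN_RULES = {
    "web_portal": {"ports": {("tcp", 80), ("tcp", 443)},
                   "unique_targets": 20, "window": 60, "min_ports": 1},
    "netbios": {"ports": {("udp", 137), ("udp", 138), ("tcp", 139)},
                "unique_targets": 10, "window": 60, "min_ports": 2},
    "database": {"ports": {("tcp", 1433), ("udp", 1434), ("tcp", 3306),
                           ("tcp", 5432), ("tcp", 3351), ("tcp", 1583)},
                 "unique_targets": 10, "window": 60, "min_ports": 1},
}

def detect_scans(records, rules=SCAN_RULES):
    """records: iterable of (ts_seconds, src_ip, dst_ip, proto, dst_port).
    Returns one (rule, src_ip, ts) alert per source and rule, fired the
    first time the sliding window holds enough unique destinations."""
    alerts = []
    for name, rule in rules.items():
        history = defaultdict(deque)   # src_ip -> matching records in window
        fired = set()
        for ts, src, dst, proto, port in sorted(records):
            if (proto, port) not in rule["ports"]:
                continue
            win = history[src]
            win.append((ts, dst, (proto, port)))
            while ts - win[0][0] > rule["window"]:   # expire old records
                win.popleft()
            targets = {d for _, d, _ in win}
            ports = {p for _, _, p in win}
            if (len(targets) >= rule["unique_targets"]
                    and len(ports) >= rule["min_ports"]
                    and (name, src) not in fired):
                fired.add((name, src))
                alerts.append((name, src, ts))
    return alerts

def sample_records():
    """Constructed traffic: a fast web sweep, a two-port NetBIOS sweep,
    a single-port NetBIOS sweep (stays quiet) and a slow web sweep."""
    recs = [(t, "10.0.0.5", f"10.1.0.{t}", "tcp", 443) for t in range(1, 26)]
    recs += [(t, "10.0.0.7", f"10.2.0.{t}", "udp" if t % 2 else "tcp",
              137 if t % 2 else 139) for t in range(1, 13)]
    recs += [(t, "10.0.0.9", f"10.3.0.{t}", "udp", 137) for t in range(1, 13)]
    recs += [(t * 10, "10.0.0.11", f"10.4.0.{t}", "tcp", 80) for t in range(1, 26)]
    return recs

if __name__ == "__main__":
    for alert in detect_scans(sample_records()):
        print(alert)
```

The slow scanner (25 hosts over 250 seconds) never holds 20 targets inside one 60-second window, which is why the window size is the first knob to revisit when tuning these rules.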
New Log Parsers
Title: VMware vCenter Orchestrator
Desc: Log Device content for event source VMware vCenter Orchestrator – vmware_vco
Title: vCenter Operations Manager
Desc: Log Device content for event source VMware vCenter Operations Manager
Title: vCloud Automation Center
Desc: Log Device content for event source VMware vCloud Automation Center
Updated Log Parsers
Title: Tipping Point
Desc: Log Device content for event source Tipping Point
Title: Blue Coat ELFF
Desc: Log Device content for event source Blue Coat ELFF
Title: Windows Events (Snare)
Desc: Log Device content for event source Windows Events (Snare)
Title: Windows Events (NIC)
Desc: Log Device content for event source Windows Events (NIC)
Title: VMware vShield
Desc: Log Device content for event source VMware vShield
Title: Trend Micro Deep Security Agent
Desc: Log Device content for event source Trend Micro Deep Security Agent
Title: Snort/Sourcefire
Desc: Log Device content for event source Snort/Sourcefire
Title: Web Threat Detection
Desc: Log Device content for event source Web Threat Detection
Title: RSA DLP
Desc: Log Device content for event source RSA DLP
Title: RSA Access Manager
Desc: Log Device content for event source RSA Access Manager
Title: RSA Adaptive Authentication On Premise
Desc: Log Device content for event source RSA Adaptive Authentication On Premise
Title: Rapid7 NeXpose
Desc: Log Device content for event source Rapid7 NeXpose
Title: Netscreen IDP
Desc: Log Device content for event source Netscreen IDP
Title: Microsoft Exchange
Desc: Log Device content for event source Microsoft Exchange
Title: Lotus Domino
Desc: Log Device content for event source Lotus Domino
Title: Juniper JUNOS
Desc: Log Device content for event source Juniper JUNOS
Title: ISS Realsecure
Desc: Log Device content for event source ISS Realsecure
Title: IntruShield
Desc: Log Device content for event source IntruShield
Title: IBM WebSphere
Desc: Log Device content for event source IBM WebSphere
Title: IBM Mainframe zOS System Log
Desc: Log Device content for event source IBM Mainframe zOS System Log
Title: CA ACF2
Desc: Log Device content for event source CA ACF2
Title: Fortinet FortiGate
Desc: Log Device content for event source Fortinet FortiGate
Title: Dragon IDS
Desc: Log Device content for event source Dragon IDS
Title: Cyberoam UTM
Desc: Log Device content for event source Cyberoam UTM
Title: Citrix NetScaler
Desc: Log Device content for event source Citrix NetScaler
Title: Cisco Secure ACS Appliance
Desc: Log Device content for event source Cisco Secure ACS Appliance
Title: Cisco IOS
Desc: Log Device content for event source Cisco IOS
Title: Cisco Secure IDS XML
Desc: Log Device content for event source Cisco Secure IDS XML
Seeking Customer Developed Parsers, Rules, and Reports
Security Analytics content will be evolving in 2014, both in functionality and presentation. We’d like to work more closely with our customers in order to provide content that helps you find the threats that matter most to you. Your feedback, suggestions, and general questions are always appreciated.
Have you created a parser, rule, or report that you think is widely applicable across the SA User Community? Let us know about it! Reach out to us at:
Your emails will go directly to the Content Management team and we are looking forward to working with you to help evolve our content offering.
Do you want to request support for a new log source or protocol?
For Log Parser Requests go here: https://emcinformation.com/64308/REG/.ash
For Protocol Parser Requests go here: https://emcinformation.com/139605/SI/.ashx
Do you want to request use cases for Event Stream Analysis Rules?
Please use our request form: https://emcinformation.com/204401/REG/.ashx
The content team will also be heavily engaged with the EMC Community portal this year. Not only is the Community a great place for us to communicate directly with our customers, but it’s a wonderful resource for our customers to gain tips and tricks from our research engineers as well as gain early access to our various pieces of security research. Not a member? Sign up here: