Summary
Several changes have been made to the Threat Detection Content in Live.
Additions
Detection
- Punycode Phishing Attempt ESA Rule - This rule identifies mail sessions that have a mismatch between the hostname in a link and the text of that link, where the hostname is also an identified IDN homograph. For the alert to trigger, the mail session must be followed by an HTTP or HTTPS session that contains the IDN homograph hostname in the HTTP Host header or in the SSL certificate. IDN homograph support was released last month; this rule builds on that capability. For more information, see the blog post: https://community.rsa.com/community/products/netwitness/blog/2017/05/03/punycode-not-all-characters-are-created-equal
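To illustrate the two stages the rule above describes (link hostname/text mismatch on a punycode hostname, then a later HTTP/HTTPS session to that hostname), here is an added Python example; it is not the ESA rule itself, and the mail body and session records are constructed sample data.

```python
import re

# Constructed sample data (not from the page). "host" stands in for either the
# HTTP Host header or the name in the TLS certificate of a network session.
MAIL_SESSION = {
    "time": 100,
    "body": '<a href="http://xn--pple-43d.com/login">https://apple.com/login</a>',
}
HTTP_SESSIONS = [
    {"time": 90, "host": "xn--pple-43d.com"},   # precedes the mail: no alert
    {"time": 130, "host": "example.com"},        # unrelated host: no alert
    {"time": 160, "host": "xn--pple-43d.com"},  # follows the mail: alert
]

ANCHOR_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
# Matches a URL or bare hostname; free text such as "Click here" does not match.
HOST_RE = re.compile(r'^(?:https?://)?([A-Za-z0-9.-]+\.[A-Za-z0-9-]+)(?:[/:?#].*)?$', re.S)

def is_idn_homograph(host):
    """Punycode (IDNA) labels carry the 'xn--' ACE prefix."""
    return any(label.lower().startswith("xn--") for label in host.split("."))

def link_host(s):
    """Hostname from a URL or bare hostname string, or '' if it is neither."""
    m = HOST_RE.match(s.strip())
    return m.group(1).lower() if m else ""

def suspicious_link_hosts(body):
    """Punycode href hosts whose visible link text names a different host."""
    hosts = set()
    for href, text in ANCHOR_RE.findall(body):
        h_href, h_text = link_host(href), link_host(text)
        if h_text and h_href != h_text and is_idn_homograph(h_href):
            hosts.add(h_href)
    return hosts

def correlate(mail, sessions):
    """Stage two: alert only on sessions after the mail that hit a flagged host."""
    hosts = suspicious_link_hosts(mail["body"])
    return [s for s in sessions
            if s["time"] > mail["time"] and s["host"].lower() in hosts]
```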
Changes
Hunting
- Hunting Bundle - Added IDN_homograph parser as well as the SuperCMD parser.
- ssh_to_external App Rule - This has been re-written to leverage directionality (https://community.rsa.com/docs/DOC-44948) vs. hard-coded RFC 1918 IP space.
- HTTP_lua Parser - Updated to flag Host Headers with an integer as the host (as opposed to an IP address or FQHN) in support of: https://community.rsa.com/community/products/netwitness/blog/2017/05/11/rig-decimal-ip-campaign
- TLD_lua Parser - Numerals are now considered consonants in tagging hostnames with five or more consecutive consonants or numerals as well as two groups of four consecutive consonants or numerals.
- DNS_verbose_lua - Tag resolution of external domains and hostnames to the loopback address. This replaces the retired Application Rule below.
Detection
Other bug fixes and changes
Retired
We strive to provide timely and accurate detection of threats as well as traits that can help analysts hunt through network and log data. Occasionally this means retiring content that provides little-to-no value.
- carberp botnet activity - No longer a relevant threat.
- Facebook Login - Facebook transmits all traffic over SSL, so this rule no longer applies in the general case.
- loopback Traffic - This has been superseded by a more accurate approach (looking for external domains resolving to 127.0.0.0/8).
- Zeus Botnet Activity - No longer an active threat.
- Botnet Report - Replaced with the Malware Activity report listed above.
EOPS Policy
RSA has a defined End of Primary Support policy associated with all major versions. Please refer to the Product Version Life Cycle for additional details.