This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
NetWitness Platform Product Advisories
Read and subscribe to the latest announcements and advisories relating to the NetWitness Platform.
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- NetWitness Community
- Products
- NetWitness Platform
- Advisories
- Product Advisories
- Threat Detection Content Update - September 2017
-
Options
- Subscribe to RSS Feed
- Bookmark
- Subscribe
- Printer Friendly Page
- Report Inappropriate Content
Threat Detection Content Update - September 2017
Threat Detection Content Update - September 2017
Summary:
Several changes have been made to the Threat Detection Content in Live. For Added detection you need to add/subscribe to the content via Live, for retired content you'll need to manually remove those, and for additional changes no action is required if you are subscribed to content.
Additions
Detection
- CVE-2017-12611 & CVE-2017-9805 - These are two recent Apache Struts vulnerabilities that allow arbitrary code execution. Detection for these have been added to both HTTP_lua and the newly released struts_exploit.lua. They create the meta values 'apache struts exploit attempt' and 'apache struts CVE-2017-9085' in Indicators of Compromise (ioc) respectively. Presence of either of these meta values indicate a possible exploit attempt against a web server. The logic does not know if your web server is vulnerable, that will require your organization to investigate the activity.
- SSL Blacklist feed - This feed contains SSL/TLS certs that have been associated with malware. If you see these on your network you might have malicious software on your network. In addition this feed includes expanded information in it as well, including but not limited to why the cert was blacklisted, as well as the md5 of a sample that lead to discovery of the certificate.
- CCleaner - The malicious SSL certificate has been added to the SSL Blacklist feed (above).
Retired
We strive to provide timely and accurate detection of threats as well as traits that can help analysts hunt through network and log data. Occasionally this means retiring content that provides little-to-no value.
- File Transfer Using Non Standard Port - While the logic behind this rule can be useful in specific scenario we're currently restructuring some of our ESA content and attempting to limit as much duplication between ESA rules and App rules in order to make sure the right set of ESA rules are consuming resources on your system(s).
Other bug fixes and changes
- RSA Fraudaction Intelligence Feeds - We made some backend changes to update the FRI feeds to their new data sources. This resulted in better data quality as better stability.
For additional documentation, downloads, and more, visit the RSA NetWitness Suite page on RSA Link.
EOPS Policy:
RSA has a defined End of Primary Support policy associated with all major versions. Please refer to the Product Version Life Cycle for additional details.
Tags (22)
- Advisory
- Announcement
- NetWitness
- netwitness logs
- netwitness logs & packets
- netwitness logs and packets
- netwitness packets
- netwitness suite
- NW
- NWP
- Product Advisory
- product announcement
- Product Communication
- Product Notification
- release announcement
- RSA Live Content
- RSA NetWitness
- RSA NetWitness Platform
- sa
- SCOL Note
- Security Analytics
- threat
No ratings
