RSA Live April 2014 Content Announcement

Written by Admin | Apr 14, 2014 4:00:00 AM

Dear Valued RSA Customer,

RSA is pleased to announce the addition of new and updated content to RSA Live’s Content Library. We have added a few useful submission links this month, so please take a moment to review the various sections in this announcement to become familiar with the latest tools we are providing you to detect threats to your environment. Of particular note this month, we have created parsers for identifying servers vulnerable to the latest Heartbleed exploits, as well as exploit attempts:

How to detect the Heartbleed Vulnerability using RSA Security Analytics

Parsers that have been created to address Heartbleed are now available in RSA Live. These are available for all RSA Live subscription tiers. The specific parsers are “TLS” and “TLS_lua”. Users subscribed to either of these parsers will be updated automatically. Users not currently subscribed to either parser should disable the default TLS parser and subscribe to one of the two TLS parsers available on RSA Live. For customers running RSA NetWitness / RSA Security Analytics version 10.2 and below, use the Flex parser “TLS”. For those running version 10.2 and above, use the Lua parser “TLS_lua”.

To detect vulnerable servers, look for instances of “openssl vulnerable to heartbleed” under the risk.informational meta key. To detect exploit attempts, look for “heartbleed data leak” under the risk.warning meta key.

Search for tag “heartbleed” on Live for a full list of parsers associated with Heartbleed.
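The two meta values named above map to two observable conditions in the TLS heartbeat exchange: a heartbeat request whose declared payload length exceeds the bytes actually sent (exploit attempt), and a server that answers such a request with the full declared length (vulnerable server). The following is an added illustration of that detection logic, not RSA's parser code; the record-splitting helper, the session representation and the sample records are assumptions constructed for it.

```python
import struct

TLS_HEARTBEAT = 0x18       # TLS record content type for heartbeat (RFC 6520)
HEARTBEAT_REQUEST = 1
HEARTBEAT_RESPONSE = 2

def tls_records(data):
    """Split a raw TLS byte stream into (content_type, version, payload) records."""
    off = 0
    while off + 5 <= len(data):
        ctype, ver, length = struct.unpack("!BHH", data[off:off + 5])
        yield ctype, ver, data[off + 5:off + 5 + length]
        off += 5 + length

def heartbeat_fields(payload):
    """Return (type, claimed_payload_len, bytes_actually_present) or None if too short."""
    if len(payload) < 3:
        return None
    hb_type, claimed = struct.unpack("!BH", payload[:3])
    return hb_type, claimed, len(payload) - 3

def heartbleed_meta(session):
    """session: list of (direction, bytes) with direction 'client' or 'server'.
    Returns (meta_key, value) pairs using the names from the announcement.
    Only plaintext heartbeats (sent before the handshake completes) are
    inspectable; encrypted records hide the length fields from a sensor."""
    meta = []
    pending_claim = None   # over-long length declared by the last malformed request
    for direction, data in session:
        for ctype, _ver, payload in tls_records(data):
            if ctype != TLS_HEARTBEAT:
                continue
            fields = heartbeat_fields(payload)
            if fields is None:
                continue
            hb_type, claimed, actual = fields
            if direction == "client" and hb_type == HEARTBEAT_REQUEST:
                # A well-formed request carries `claimed` bytes plus >= 16 bytes of
                # padding, so claiming more than is present is an exploit attempt.
                if claimed > actual:
                    meta.append(("risk.warning", "heartbleed data leak"))
                    pending_claim = claimed
            elif direction == "server" and hb_type == HEARTBEAT_RESPONSE:
                # A patched server discards the malformed request; an unpatched one
                # echoes the full declared length, i.e. memory it never received.
                if pending_claim is not None and actual >= pending_claim:
                    meta.append(("risk.informational", "openssl vulnerable to heartbleed"))
                pending_claim = None
    return meta

def tls_record(ctype, body, version=0x0302):
    """Build one TLS record; used only to construct sample traffic for testing."""
    return struct.pack("!BHH", ctype, version, len(body)) + body
```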

The categories of new and updated content are as follows:

Application Rules

Event Stream Analysis Rules

Log (Device) Parsers

LUA Parsers

Flex Parsers

Security Analytics Rules


The Latest Research from RSA

Introducing a new blog that details how emergent malware is designed to defeat hash-based solutions.

The Malware Factory and Massive Morphing Malware

https://community.emc.com/community/connect/rsaxchange/netwitness/blog/2014/03/26/the-malware-factory-and-massive-morphing-malware

RSA’s FirstWatch team has posted a blog detailing a new variant of Kazy that uses a wrapped JSON file for its Command and Control. A simple detection rule is included, as is a PCAP for analysis and testing purposes.

New Kazy Variant: Kazy Force

https://community.emc.com/community/connect/rsaxchange/netwitness/blog/2014/03/28/new-kazy-variant-kazy-forces

Additionally, RSA’s Content team is updating log parser support for major IDS/IPS vendors as they release Heartbleed specific signatures. Currently RSA’s Content team has updated support for Cisco, Snort, and SourceFire, with more being added as they become available.

We look forward to presenting you new content updates next month!

Regards,

The RSA Security Analytics Content Team

Content Updates

Updated Application Rules

Enhanced

Title: suspicious php put long query

Desc: Detects HTTP PUT requests to PHP pages that include extremely long query strings. This behavior is often indicative of botnet or malware encoded check-in traffic.

New ESA Rules

Title: Detect Port Knocking Packet

Desc: Detects when four failed port connection attempts are followed by a successful connection from a single source within the specified time period. You can configure the time period (default is five minutes), IP sources (list of IP addresses to exclude from the alert), and the port range (RANGE followed by the port numbers).

Title: Multiple Login Failures from Same Source IP with Unique Usernames

Desc: Detects when log events that contain multiple failed login events from the same source IP address with unique usernames occur within the specified time period. You can configure the time period (default is 180 seconds) and number of failed logins (default is three).
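The rule above is a sliding-window correlation: failures from one source IP are counted only while they fall inside the time period, and only distinct usernames count toward the threshold. The following is an added example of that logic in Python, not the ESA rule itself; the log line format, the parsing regex and the sample events are constructed for the illustration, and the defaults match the rule (180 seconds, three failures).

```python
import re
from collections import defaultdict, deque

WINDOW_SECONDS = 180     # rule default time period
FAILURE_THRESHOLD = 3    # rule default number of failed logins

# Constructed line shape, not a real device format: "<epoch> login_failure src=<ip> user=<name>"
LINE_RE = re.compile(r"^(?P<ts>\d+) login_failure src=(?P<src>\S+) user=(?P<user>\S+)$")

def parse_failures(lines):
    """Yield (timestamp, source_ip, username) for each failed-login line."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield int(m["ts"]), m["src"], m["user"]

def correlate(events, window=WINDOW_SECONDS, threshold=FAILURE_THRESHOLD):
    """Alert when `threshold` failures with distinct usernames arrive from one
    source IP within `window` seconds. Events must be time-ordered.
    Returns a list of (alert_ts, src, sorted usernames)."""
    recent = defaultdict(deque)   # src -> deque of (ts, user) still inside the window
    alerts = []
    for ts, src, user in events:
        q = recent[src]
        q.append((ts, user))
        while q and ts - q[0][0] > window:   # expire events older than the window
            q.popleft()
        users = {u for _, u in q}
        if len(users) >= threshold:
            alerts.append((ts, src, sorted(users)))
            q.clear()                         # one burst produces one alert
    return alerts

SAMPLE_LOG = [  # constructed sample events
    "1000 login_failure src=10.0.0.5 user=alice",
    "1030 login_failure src=10.0.0.5 user=alice",   # same username again: not a new unique name
    "1060 login_failure src=10.0.0.5 user=bob",
    "1100 login_failure src=10.0.0.9 user=carol",   # different source, tracked separately
    "1150 login_failure src=10.0.0.5 user=dave",    # third unique name within 180 s: alert
    "1400 login_failure src=10.0.0.5 user=erin",
    "1500 login_failure src=10.0.0.5 user=frank",   # only two unique names in window: no alert
]

if __name__ == "__main__":
    for alert in correlate(parse_failures(SAMPLE_LOG)):
        print("ALERT", alert)
```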

Title: Detects Router configuration attempts

Desc: Detects when someone tries to change a router configuration. The alert triggers when the Event Classification Tags (ECT) of ec.subject is equal to Configuration, ec.activity is equal to Modify, and device.class is equal to Router. The alert also triggers when the NWFL_config:router-change application rule is matched.

Title: Multiple SYN packets from Same Source

Desc: Detects when the specified number of SYN packets from the same source occur in the specified time period. You can configure the time period (default is 60 seconds) and the SYN count (default is 100 packets).

Title: Backdoor Activity Detected

Desc: Detects backdoor activity within log files. The rule triggers an alert when the Event Classification Tags (ECT) of ec.theme is equal to TEV and ec.activity is equal to Detect in combination with a variation of the backdoor keyword found in policy.name or event.category.name. You can add a list of backdoor names that the rule looks for by default in both policy.name and event.category.name.

Title: Windows User Added to Administrators Group and Security Disable.

Desc: Detects when a Windows user was added to an administrative group and the security center or manager was disabled within the specified time period. You can configure the list of administrator groups and the time period (default value is five minutes). Note: This rule uses the accesses and event.desc non-standard meta keys. You must implement these non-standard meta keys after you download this rule.

Title: Detection of Encrypted Traffic to Countries

Desc: Detects when there is encrypted traffic to an IP address registered in the specified list of destination countries. Note: You must upload and enable the TLS_lua parser, the SSH_lua parser and their dependencies on the Decoder. You can configure the list of destination countries using a colon ":" as a delimiter to separate each country in the list.

Title: Multiple Logs from a MsgID Set with Same SourceIP and DestinationIP

Desc: Detects when multiple log events from the specified list of message IDs with the same source IP and destination IP take place in the specified time period. You can configure the number of log events (default value is three), the list of message IDs, and the time period (default is 300 seconds).

Title: Multiple Unique Logs from MsgID Set with Same SourceIP and DestinationIP

Desc: Detects when the specified number of log events from the specified list of message IDs (each log has to have a unique message ID among the specified set of IDs) with the same source IP and destination IP occur in the specified time period. You can configure the number of log events (default value is 3), the list of message IDs, and the time period (default is 300 seconds).

Updated ESA Rules

Title: Multi-Service connection attempts_Pckt

Desc: Detects multiple connection failures, based on packet data, from the same source to multiple common service ports (destination ports, e.g. TCP 21, 22, 23, 25, 80, 8080, 443) of the same destination within a time period of 5 minutes. The time window, the list of destination ports to be monitored, and the number of connection attempts are configurable.

Title: Account Created and Deleted within an hour.

Desc: Account Created and Deleted within an hour.

New Log Parsers

Title: Oracle Access manager

Desc: Log Device content for event source Oracle Access manager - oracleam

Updated Log Parsers

Title: Envision Content File

Desc: This file is used to update the content file for NWFL

Title: Arbor Peakflow SP

Desc: Log Device content for event source Arbor Peakflow SP - arborpeakflowsp

Title: F5 BigIP

Desc: Log Device content for event source F5 BigIP - bigip

Title: Blue Coat ELFF

Desc: Log Device content for event source Blue Coat ELFF - cacheflowelff

Title: Cisco ASA

Desc: Log Device content for event source Cisco ASA - ciscoasa

Title: Cisco Secure IDS XML

Desc: Log Device content for event source Cisco Secure IDS XML - ciscoidsxml

Title: Cisco Security Agent

Desc: Log Device content for event source Cisco Security Agent - ciscosecagent

Title: Dragon IDS

Desc: Log Device content for event source Dragon IDS - dragonids

Title: eEye Blink

Desc: Log Device content for event source eEye Blink - eeyeblink

Title: eEye REM

Desc: Log Device content for event source eEye REM - eeyerem

Title: F5 Firepass

Desc: Log Device content for event source F5 Firepass - firepass

Title: Fortinet FortiGate

Desc: Log Device content for event source Fortinet FortiGate - fortinet

Title: Infoblox NIOS

Desc: Log Device content for event source Infoblox NIOS - infobloxnios

Title: IntruShield

Desc: Log Device content for event source IntruShield - intrushield

Title: Invincea

Desc: Log Device content for event source Invincea - invincea

Title: McAfee Email Gateway

Desc: Log Device content for event source McAfee Email Gateway - ironmail

Title: iSeries

Desc: Log Device content for event source iSeries - iseries

Title: ISS Realsecure

Desc: Log Device content for event source ISS Realsecure - iss

Title: Juniper SSL VPN

Desc: Log Device content for event source Juniper SSL VPN - junipervpn

Title: Kaspersky Anti-Virus

Desc: Log Device content for event source Kaspersky Anti-Virus - kasperskyav

Title: Microsoft Exchange

Desc: Log Device content for event source Microsoft Exchange - msexchange

Title: Netapp

Desc: Log Device content for event source Netapp - netapp

Title: Netscreen

Desc: Log Device content for event source Netscreen - netscreen

Title: Oracle

Desc: Log Device content for event source Oracle - oracle

Title: Palo Alto Networks Firewall

Desc: Log Device content for event source Palo Alto Networks Firewall - paloaltonetworks

Title: SAP ERP Central Component

Desc: Log Device content for event source SAP ERP Central Component - sap

Title: Snort/Sourcefire

Desc: Log Device content for event source Snort/Sourcefire - snort

Title: Symantec AntiVirus/Endpoint Protection

Desc: Log Device content for event source Symantec AntiVirus/Endpoint Protection - symantecav

Title: Trend Micro Deep Security

Desc: Log Device content for event source Trend Micro Deep Security - trendmicrods

Title: Trend Micro Deep Security Agent

Desc: Log Device content for event source Trend Micro Deep Security Agent - trendmicrodsa

Title: VMware ESX / ESXi

Desc: Log Device content for event source VMware ESX / ESXi - vmware_esx_esxi

Title: VMware View

Desc: Log Device content for event source VMware View - vmware_view

Title: Windows Events (NIC)

Desc: Log Device content for event source Windows Events (NIC) - winevent_nic

Title: Linux

Desc: Log Device content for event source Linux - rhlinux

New Lua Parsers

Title: TFTP_lua

Desc: Identifies Trivial File Transfer Protocol and extracts names of files transferred.

Updated Lua Parsers

Title: TLS_lua

Desc: Identifies TLS and SSL sessions. Extracts the Certificate Authority Subject and Serial Number from x509v3 certificates.


Title: MAIL_lua

Desc: Replicates in Lua the functionality of the native and Flex MAIL parsers. Extracts from email messages values such as from, to, and subject.


Title: rtmp_lua

Desc: Identifies tunneled Real Time Messaging Protocol packets.


Title: fingerprint_job

Desc: Identifies Windows .job task scheduling files.


Title: RDP_lua

Desc: Identifies the Microsoft Remote Desktop Protocol.


Title: windows executable

Desc: Identifies Windows executables and analyzes them for anomalies and other suspicious characteristics.


Title: IRC_verbose_lua

Desc: Expanded IRC parsing implemented in Lua.

Updated Flex Parsers

Title: TLS

Desc: Parses SSL/TLS certificates. Specifically, it looks for the first certificate in a chain and extracts the Issuer Organizational Name (meta ssl.ca), Subject Organizational Name (meta ssl.subject), and Subject Common Name (meta alias.host).


Title: DNS - Verbose

Desc: Identifies DNS sessions. Registers queries and responses including record types. Registers protocol errors. Detects and registers anomalies.


Title: Advanced Windows Executable

Desc: Detects executable content and threat-rates it according to the level of code obfuscation that is evident in the binary structure.


Title: Botnet Traffic Patterns

Desc: Detects patterns associated with many known botnets.


Title: File Fingerprints

Desc: Forensically fingerprints various filetypes.

NOTE: This parser is deprecated and the individual "fingerprint_*" parsers should be used in its place.

Updated Security Analytics Rules

Title: