Eventia Policy Updates (Revision 10)
Eventia Policy updates contain updates to Eventia Analyzer event definitions.
Event definition updates are cumulative. The current event definitions update (Revision 9) delivers the following event definitions:
Date published: 4-Aug-2008
- A new user configured Juniper NSM event
A generic event for Juniper NSM logs. This event is generated when specific NSM logs with predefined values are received.
- Port scan from internal network - detected by device
A port scan is an attempt to connect to an excessive number of ports on a specific destination IP address in order to detect vulnerable services. In this particular event, the source of these attempts is a machine on the internal network, which may indicate malware activity.
This event appears once the attack attempt is detected by a device managed by Juniper NSM.
- Port scan from external network - detected by device
A port scan is an attempt to connect to an excessive number of ports on a specific destination IP address in order to detect vulnerable services. In this particular event, the source of these attempts is a machine on an external network.
This event appears once the attack attempt is detected by a device managed by Juniper NSM.
- IDS Alert - Detection capabilities extended for Juniper NSM
This event indicates a high rate of alerts generated by the IDS device.
This event is generated once the number of alerts per source exceeds the defined threshold.
- Viruses and Worms - Detection capabilities extended for Juniper NSM
The Viruses and Worms event indicates that a virus or a worm was detected by one of the supported devices.
Date Published: 18-Mar-2008
- User configured Cisco events according to message ID - Detection capabilities extended for Cisco ASA
A generic event for Cisco-identified attacks that are not covered by other events. To generate an event from such an attack, specify the Cisco syslog message ID.
- Port scan from internal network - Detection capabilities extended for Cisco ASA
A port scan is an attempt by a source IP to connect to an excessive number of ports on a specific destination IP address in order to detect vulnerable services. In this particular event, the source of these attempts is a machine on the internal network, which may indicate virus activity. This event appears once the number of unique ports exceeds the defined threshold.
- Port scan from external network - Detection capabilities extended for Cisco ASA
A port scan is an attempt by a source IP to connect to an excessive number of ports on a specific destination IP address in order to detect vulnerable services. In this particular event, the source of these attempts is a machine on the external network, which may indicate a probe for weaknesses on the destination machine. This event appears once the number of unique ports exceeds the defined threshold and at least one of the accesses passed the firewall.
- IP sweep from internal network - Detection capabilities extended for Cisco ASA
An IP sweep is an excessive number of attempts to scan the internal and/or external network in order to discover hosts or servers that can be accessed through a specific service. The scan is performed by a specific machine on the internal network that uses the same protocol and service for each attempted connection. This event appears once the number of unique destination IP addresses exceeds the defined threshold.
- IP sweep from external network - Detection capabilities extended for Cisco ASA
An IP sweep is an excessive number of attempts to scan the internal network in order to discover hosts or servers that can be accessed through a specific service. The scan is performed by a specific machine on the external network that uses the same protocol and service for each attempted connection. This event appears once the number of unique destination IP addresses exceeds the defined threshold and at least one connection passes the firewall.
Date Published: 19-Feb-2008
- Credential guessing - Detection capabilities extended for ProFTP
A Credential guessing event indicates that the number of bad logins or switch user command failures exceeds the defined threshold. This can also imply a user's attempt to identify as someone s/he is not.
- User login/su at irregular hours - Detection capabilities extended for ProFTP
A user login/su at irregular hours event indicates that a user has logged into an application / OS outside defined working hours.
- Dictionary Attack - Detection capabilities extended for ProFTP
This event indicates a very high rate of login failures or switch user command failures, probably caused by a dictionary attack tool.
The event appears once the number of bad logins or switch user command failures exceeds the defined threshold.
- High rate of blocked connections - Detection capabilities extended for Top Layer IPS
This event indicates a high number of connections from the same origin machine that were all rejected or dropped.
This event appears once the number of logs per origin machine exceeds the defined threshold.
- High connection rate to internal host on service - Detection capabilities extended for Top Layer IPS
A high connection rate to an internal host on a service indicates that one or more machines have attempted to deny a particular service on a machine inside the internal network.
Alternatively, this event may indicate the use of peer-to-peer networking tools.
The event occurs as a result of a high rate of successful connections to a single internal host.
- High connection rate to external host on service - Detection capabilities extended for Top Layer IPS
A high connection rate to an external host on a service indicates that one or more machines have attempted to deny a particular service on a machine on the external network.
This kind of activity may indicate a bandwidth consumption DDoS.
The event occurs as a result of a high rate of successful connections from a local host to an external host.
- High connection rate from internal host - Detection capabilities extended for Top Layer IPS
This event indicates an excessive number of connection-opening attempts by an internal machine.
This event appears once the number of logs per source exceeds the defined threshold.
- High connection rate from external host - Detection capabilities extended for Top Layer IPS
This event indicates an excessive number of connection-opening attempts by an external machine against internal machines.
This event appears once the number of logs per source exceeds the defined threshold.
- User configured Top Layer events
A generic event definition for specific Top Layer events.
This event is generated only for pre-defined Top Layer Event IDs.
Date published: 27-Dec-2007
- URL Filtering - Extensive unauthorized browsing attempt - Detection capabilities available for WELF and CLF products
URL Filtering is used to examine traffic and detect web sites that may include unauthorized content. When the number of failed access attempts reaches the defined threshold, an event is generated.
- URL Hacking - Detection capabilities available for WELF and CLF products
URL Hacking is a malicious attempt to append extra information to a web site's URL, exploit file names, or access restricted or inaccessible directories. When the number of unsuccessful attempts reaches the defined threshold, an event is generated.
- High error rate on web server - Detection capabilities available for WELF and CLF products
This event indicates that a host received a high rate of errors from a web server. This can imply an attempt by the host to attack the web server. This event appears once the number of logs per source exceeds the defined threshold.
- Port scan from internal network - Detection capabilities extended for WELF products
A port scan is an attempt by a source IP to connect to an excessive number of ports on a specific destination IP address in order to detect vulnerable services. In this particular event, the source of these attempts is a machine on the internal network, which may indicate virus activity. This event appears once the number of unique ports exceeds the defined threshold.
- Port scan from external network - Detection capabilities extended for WELF products
A port scan is an attempt by a source IP to connect to an excessive number of ports on a specific destination IP address in order to detect vulnerable services. In this particular event, the source of these attempts is a machine on the external network, which may indicate a probe for weaknesses on the destination machine. This event appears once the number of unique ports exceeds the defined threshold and at least one of the accesses passed the firewall.
- IP sweep from internal network - Detection capabilities extended for WELF products
An IP sweep is an excessive number of attempts to scan the internal and/or external network in order to discover hosts or servers that can be accessed through a specific service. The scan is performed by a specific machine on the internal network that uses the same protocol and service for each attempted connection. This event appears once the number of unique destination IP addresses exceeds the defined threshold.
- IP sweep from external network - Detection capabilities extended for WELF products
An IP sweep is an excessive number of attempts to scan the internal network in order to discover hosts or servers that can be accessed through a specific service. The scan is performed by a specific machine on the external network that uses the same protocol and service for each attempted connection. This event appears once the number of unique destination IP addresses exceeds the defined threshold and at least one connection passes the firewall.
- High rate of blocked connections - Detection capabilities extended for WELF products
This event indicates a high number of connections from the same origin machine that were all rejected or dropped. This event appears once the number of logs per origin machine exceeds the defined threshold.
- High connection rate to internal host on service - Detection capabilities extended for WELF products
A high connection rate to an internal host on a service indicates that one or more machines have attempted to deny a particular service on a machine inside the internal network. Alternatively, this event may indicate the use of peer-to-peer networking tools. The event occurs as a result of a high rate of successful connections to a single internal host.
- User access from multiple IPs - Detection capabilities extended for WELF products
A user access from multiple IPs event indicates that a user logged into the corporate network from multiple IP addresses. The event appears once the number of IP addresses used by the same user exceeds the defined threshold.
- High connection rate from internal host on service - Detection capabilities extended for WELF products
This event indicates an excessive number of attempts by an internal machine to connect to another machine using the same service and protocol. This event appears once the number of logs exceeds the defined threshold.
- High connection rate from external host on service - Detection capabilities extended for WELF products
This event indicates an excessive number of attempts by an external machine to connect to another machine using the same service and protocol. This event appears once the number of logs exceeds the defined threshold.
- High connection rate from internal host - Detection capabilities extended for WELF products
This event indicates an excessive number of connection-opening attempts by an internal machine. This event appears once the number of logs per source exceeds the defined threshold.
- High connection rate from external host - Detection capabilities extended for WELF products
This event indicates an excessive number of connection-opening attempts by an external machine against internal machines. This event appears once the number of logs per source exceeds the defined threshold.
- Abnormal activity on service - Detection capabilities extended for WELF products
This event indicates that a specific service is abnormally active. That is, the number of logs received in the defined period of time exceeds the defined threshold.
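The port scan, IP sweep and blocked-connection events in the WELF section above, and their Cisco ASA counterparts in the 18-Mar-2008 entry, share one correlation pattern: count distinct ports or distinct destination hosts per source, compare against a threshold, and for external sources require that at least one connection actually passed the firewall. The script below is an added example written for this page, not Eventia code: it runs that logic over constructed WELF-style key=value log lines. The field names (`src`, `dst`, `dstport`, `proto`, `action`), the internal address ranges, the threshold of 5 and the sample traffic are all assumptions; real products vary their WELF keys.

```python
import ipaddress
import shlex
from collections import defaultdict

# Assumed internal address space; a deployment would take this from its network objects.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]
BLOCK_ACTIONS = {"drop", "reject", "deny"}


def parse_welf(line):
    """Parse a WELF-style key=value line (quoted values allowed) into a dict."""
    rec = {}
    for tok in shlex.split(line):
        if "=" in tok:
            key, val = tok.split("=", 1)
            rec[key] = val
    return rec


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def detect_port_scans(events, threshold):
    """Unique destination ports per (src, dst) above the threshold. An external source
    only fires if at least one of its accesses passed the firewall."""
    ports = defaultdict(set)
    passed = defaultdict(bool)
    for e in events:
        key = (e["src"], e["dst"])
        ports[key].add(e["dstport"])
        if e["action"] == "accept":
            passed[key] = True
    alerts = []
    for (src, dst), seen in ports.items():
        if len(seen) <= threshold:
            continue
        if is_internal(src):
            alerts.append(("Port scan from internal network", src, dst, len(seen)))
        elif passed[(src, dst)]:
            alerts.append(("Port scan from external network", src, dst, len(seen)))
    return alerts


def detect_ip_sweeps(events, threshold):
    """Unique destination hosts per (src, proto, dstport) above the threshold; same pass rule."""
    hosts = defaultdict(set)
    passed = defaultdict(bool)
    for e in events:
        key = (e["src"], e["proto"], e["dstport"])
        hosts[key].add(e["dst"])
        if e["action"] == "accept":
            passed[key] = True
    alerts = []
    for (src, proto, port), seen in hosts.items():
        if len(seen) <= threshold:
            continue
        if is_internal(src):
            alerts.append(("IP sweep from internal network", src, proto, port, len(seen)))
        elif passed[(src, proto, port)]:
            alerts.append(("IP sweep from external network", src, proto, port, len(seen)))
    return alerts


def detect_blocked_rate(events, threshold):
    """Blocked connections per source above the threshold, regardless of direction."""
    blocked = defaultdict(int)
    for e in events:
        if e["action"] in BLOCK_ACTIONS:
            blocked[e["src"]] += 1
    return [("High rate of blocked connections", src, n) for src, n in blocked.items() if n > threshold]


def correlate(lines, threshold=5):
    events = [parse_welf(line) for line in lines]
    return {
        "port_scans": detect_port_scans(events, threshold),
        "ip_sweeps": detect_ip_sweeps(events, threshold),
        "blocked": detect_blocked_rate(events, threshold),
    }


# Constructed sample traffic (not real logs).
def _welf(src, dst, port, action, proto="tcp"):
    return (f'id=firewall time="2007-12-27 10:00:00" fw=fw1 pri=6 proto={proto} '
            f'src={src} dst={dst} dstport={port} action={action}')


SAMPLE_LOGS = (
    # internal host probes 6 ports on one target, all dropped: still a port scan
    [_welf("10.0.0.5", "192.0.2.10", p, "drop") for p in range(21, 27)]
    # external host probes 6 ports, nothing passed: blocked-rate event only
    + [_welf("198.51.100.7", "10.0.0.20", p, "drop") for p in range(135, 141)]
    # external host sweeps 6 internal hosts on tcp/445, one accepted: IP sweep
    + [_welf("203.0.113.9", f"10.0.0.{h}", 445, "accept" if h == 3 else "drop") for h in range(1, 7)]
)

if __name__ == "__main__":
    for name, alerts in correlate(SAMPLE_LOGS).items():
        print(name, alerts)
```

The second sample source shows why the "at least one connection passed" rule exists: an external scan that the firewall fully dropped does not become a port scan event, but it still shows up as a high rate of blocked connections, so the activity is not lost, only classified by what actually got through.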
Date published: 31-Oct-2007
- High connection rate to internal host on service - Detection capabilities extended for Fortigate Firewall
A high connection rate to an internal host on a service indicates that one or more machines have attempted to deny a particular service on a machine inside the internal network. Alternatively, this event may indicate the use of peer-to-peer networking tools. The event occurs as a result of a high rate of successful connections to a single internal host.
- High connection rate to external host on service - Detection capabilities extended for Fortigate Firewall
A high connection rate to an external host on a service indicates that one or more machines have attempted to deny a particular service on a machine on the external network. This kind of activity may indicate a bandwidth consumption DDoS. The event occurs as a result of a high rate of successful connections from a local host to an external host.
- High rate of blocked connections - Detection capabilities extended for Fortigate Firewall
This event indicates a high number of connections from the same origin machine that were all rejected or dropped. This event appears once the number of logs per origin machine exceeds the defined threshold.
- User access from multiple IPs - Detection capabilities extended for Fortigate Firewall
Indicates that the same user logged in from multiple IP addresses. The event appears once the number of IP addresses used by the same user exceeds the defined threshold.
- Multiple user access from single IP - Detection capabilities extended for Fortigate Firewall
Multiple users have accessed a machine or machines from the same source IP.
- IP sweep from internal network - Detection capabilities extended for Fortigate Firewall
An IP sweep is an excessive number of attempts to scan the internal and/or external network in order to discover hosts or servers that can be accessed through a specific service. The scan is performed by a specific machine on the internal network that uses the same protocol and service for each attempted connection. This event appears once the number of unique destination IP addresses exceeds the defined threshold.
- IP sweep from external network - Detection capabilities extended for Fortigate Firewall
An IP sweep is an excessive number of attempts to scan the internal network in order to discover hosts or servers that can be accessed through a specific service. The scan is performed by a specific machine on the external network that uses the same protocol and service for each attempted connection. This event appears once the number of unique destination IP addresses exceeds the defined threshold and at least one connection passes the firewall.
- Port scan from internal network - Detection capabilities extended for Fortigate Firewall
A port scan is an attempt by a source IP to connect to an excessive number of ports on a specific destination IP address in order to detect vulnerable services. In this particular event, the source of these attempts is a machine on the internal network, which may indicate virus activity. This event appears once the number of unique ports exceeds the defined threshold.
- Port scan from external network - Detection capabilities extended for Fortigate Firewall
A port scan is an attempt by a source IP to connect to an excessive number of ports on a specific destination IP address in order to detect vulnerable services. In this particular event, the source of these attempts is a machine on the external network, which may indicate a probe for weaknesses on the destination machine. This event appears once the number of unique ports exceeds the defined threshold and at least one of the accesses passed the firewall.
- Virus Found - Detection capabilities extended for Fortigate Firewall
This event indicates a virus that was detected by one of the supported devices.
- Abnormal activity on service - Detection capabilities extended for Fortigate Firewall
This event indicates that a specific service is abnormally active. That is, the number of logs received in the defined period of time exceeds the defined threshold.
- User login/su at irregular hours - Detection capabilities extended for Juniper SA4000
A user login/su at irregular hours event indicates that a user has logged into an application / OS outside defined working hours.
- Multiple user access from single IP - Detection capabilities extended for Juniper SA4000
Multiple users have accessed a machine or machines from the same source IP.
Date published: 23-Jul-2007
- IDS Alerts - Added Support for device Netscreen IDP
A generic event for "IDS Alerts".
Accumulates logs based on source and attack name.
This event appears once the attack attempt is detected by one of the supported devices.
Date published: 20-Jun-2007
- Insecure protocols - Detection capabilities extended for Tipping Point device
This event indicates the detection of connections using insecure protocols such as Windows popup messages, peer-to-peer applications, instant messaging applications, etc.
This event appears once the activity is detected by one of the supported devices.
- Credential guessing - Added Support for device Tipping Point
A Credential guessing event indicates that the number of bad logins or switch user command failures exceeds the defined threshold. This can also imply a user's attempt to identify as someone s/he is not.
- Unauthorized access attempt - Detection capabilities extended for Tipping Point device
This event indicates an attempt to access a machine in a way that bypasses the access control mechanism, without performing full authentication.
This event appears once the attack attempt is detected by one of the supported devices.
- Insecure options/variants of protocols - Detection capabilities extended for Tipping Point device
This event indicates the detection of insecure options in protocols or their variants. Supports:
  - IP options
  - TCP packets that have no associated connection in the module's connection table
  - VPN - Aggressive IKE
  - Insecure protocols: SNMP, SMTP (Mail), FTP, DNS, SSH (VPN), SOCKS, DCOM (MS-RPC), HTTP (Web)
  - Insecure routing: OSPF, BGP, RIP
- Other denial of service - Detection capabilities extended for Tipping Point device
This event indicates a possible denial of service attack that is not covered by the other DoS events. This event includes the following attacks:
  - spoofed RST packets
  - specific IPv4 packets causing the Cisco IOS interface to be flagged as full
  - DNS cache poisoning
  - ASN.1 BitString encoding attack
This event appears once the attack attempt is detected by one of the supported devices.
- Malicious code detected - Detection capabilities extended for Tipping Point device
This event appears when specially formatted strings containing assembler code are detected. This may imply an attempt to hijack a machine via a buffer overflow and the insertion of malicious code into the packets.
This event appears once the attack attempt is detected by one of the supported devices.
- EXPN command on mail server - Added Support for device Tipping Point
The EXPN command allows an attacker to determine whether a mail account exists on a system, providing significant assistance to a brute force attack on user mail accounts. EXPN expands a mail alias and reveals the accounts underneath it, and provides additional information about users on the system, such as whether they exist and their full names.
This event appears once the command is detected by one of the supported devices.
- VRFY command on mail server - Added Support for device Tipping Point
The VRFY (Verify) command allows an attacker to determine whether a mail account exists on a system, which provides significant assistance to a brute force attack on user mail accounts. VRFY provides additional information about users on the system, such as whether they exist and their full names.
This event appears once the command is detected by one of the supported devices.
- Intrusion/information disclosure - Added Support for device Tipping Point
This event indicates an intrusion attempt on a machine aimed at disclosing internal information. The intrusion can be performed using one of the following methods: cross site scripting, LDAP injection, SQL injection, command injection, directory traversal, directory listing, and connection creation to the device via the NetScreen-Global Manager port or NetScreen-Global PRO port.
This event appears once the attack attempt is detected by one of the supported devices.
- Viruses and worms - Detection capabilities extended for Tipping Point device
The Viruses and worms event indicates that a virus or a worm was detected by one of the supported devices. There are many different types of viruses and worms.
Supports:
  - Worms propagating using HTTP
  - Email worms and viruses
  - Worms propagating using CIFS
  - Welchia/Nachi (a worm that exploited a buffer overflow in the RPC service and crashed it on the affected system)
  - MS-SQL worm (high volumes of traffic from both internal and external systems due to a buffer overflow on the MS-SQL server)
  - Nimda (a mail virus that spreads itself in attachments)
  - Code Red family (Internet worm)
- Packet/address forgery - Added Support for device Tipping Point
This event indicates that a machine received forged packets or spoofed addresses as a result of the following attacks: forged PADO packets, DNS spoofing, IP spoofing and/or spoofed PPTP.
The event appears once the number of such attacks reported by the supported devices exceeds the defined threshold.
- Port scan from internal network detected by device - Added Support for device Tipping Point
A port scan is an attempt by a source IP to connect to an excessive number of ports on a specific destination IP address in order to detect vulnerable services. In this particular event, the source of these attempts is a machine on the internal network, which may indicate virus activity.
This event appears once the attack attempt is detected by one of the supported devices.
- Port scan from external network detected by device - Added Support for device Tipping Point
A port scan is an attempt by a source IP to connect to an excessive number of ports on a specific destination IP address in order to detect vulnerable services. In this particular event, the source of these attempts is a machine on the external network, which may indicate a probe for weaknesses on the destination machine.
This event appears once the number of unique ports exceeds the defined threshold and at least one of the accesses passed the firewall.
- IP sweep from internal network detected by device - Added Support for device Tipping Point
An IP sweep is an excessive number of attempts to scan the internal and/or external network in order to discover hosts or servers that can be accessed through a specific service. The scan is performed by a specific machine on the internal network that uses the same protocol and service for each attempted connection.
This event appears once the attack attempt is detected by one of the supported devices.
- IP sweep from external network detected by device - Added Support for device Tipping Point
An IP sweep is an excessive number of attempts to scan the internal network in order to discover hosts or servers that can be accessed through a specific service. The scan is performed by a specific machine on the external network that uses the same protocol and service for each attempted connection.
This event appears once the attack attempt is detected by one of the supported devices.
- Potential resource abuse - Added Support for device Tipping Point
The potential resource abuse event on a host occurs as a result of one or more of the following attacks:
  - ICMP flood - Broadcasting of numerous pings or UDP packets.
  - SYN attack - Prevents a TCP/IP server from servicing other users. Accomplished by never sending the final acknowledgement of the handshake, leaving half-open connections on the server.
  - UDP flood - A flood of UDP packets that causes the target to generate ICMP destination unreachable packets.
  - Small PMTU - A bandwidth attack in which a large amount of data is sent in small packets. This can create a bandwidth bottleneck at the server.
  - Firewall non-TCP flood - High volumes of non-TCP traffic intended to fill up the firewall state table. This prevents the firewall from accepting new connections.
  - Inbound DNS - Unauthorized inbound queries whose content is not part of the server's predefined zone.
This event appears once the attack attempt is detected by one of the supported devices.
Date published: 3-May-2007
- IPS-1 Alert
A generic event for Check Point IPS-1 generated alerts. Accumulates logs based on source and attack name. The Eventia Analyzer event severity is derived from the original IPS-1 severity, using pre-defined exception rules.
Supported devices: IPS-1
- User login/su at irregular hours
A user login/su at irregular hours event indicates that a user has logged into an application / OS outside defined working hours.
Supported devices: Cisco VPN Concentrator 3000
- Multiple user access from single IP
Multiple users have accessed a machine or machines from the same source IP.
Supported devices: Cisco VPN Concentrator 3000
- Credential guessing
A Credential guessing event indicates that the number of bad logins or switch user command failures exceeds the defined threshold. This can also imply a user's attempt to identify as someone s/he is not.
Supported devices: Cisco VPN Concentrator 3000
Date published: 1-JAN-2007
- Link Up/Down
This event is generated each time a link goes down and again when the link returns to normal.
Supported devices: Nortel BayStack switches
- Rising/Falling Alarm
This event is generated when an alarm entry crosses its rising or falling threshold.
Supported devices: RMON