Difference between revisions of "HIDS 20101"

From Atomicorp Wiki
(Created page with "{{Infobox |header1= Rule 20101 |label2 = Status |data2 = Active |label3 = Alert Message |data3 = IDS event }} = Description = This rule is triggered when a '''third party'''...")
 
m (Description)
Revision as of 14:56, 13 October 2012

Rule 20101
Status Active
Alert Message IDS event


Description

This rule is triggered when ASL detects that a third party Intrusion Detection System (IDS) is present on the host and that IDS has generated an alert and/or blocked some action.

These events are not triggered, caused, configured or managed by ASL.

This rule is designed to detect third party IDS products and to alert you when they have generated an alert and/or blocked some action. The third party IDS may also have generated a false positive (false alarm) and blocked a non-malicious action. ASL generates an alert for these conditions so that you can investigate the actions of your third party IDS if you wish.

ASL does not control or configure this behavior; it merely reports when it occurs. Therefore, if your third party IDS is generating alerts or blocks in error, please contact the vendor of that IDS for assistance with configuring it.

ASL will not shun (block the reported source address) on these events by default. Disabling this rule will not prevent your third party IDS from alerting on or blocking this activity. It will simply "silence" the alert in ASL; the third party IDS will continue to alert and/or block this activity. We do not recommend that you disable this rule.

Detected Third Party IDS'

ASL can detect alerts from, and if configured can also block attacks based on alerts from, a number of third party IDS products. The following is not a complete list:

  • SNORT
  • suhosin
  • dragon-nids
  • BRO IDS

Note: These products are not supplied by ASL. If you require assistance configuring a third party IDS, please contact that IDS vendor. We do not support these products.

Troubleshooting

False Positives

This rule is not caused by ASL. ASL merely reports that a third party IDS is alerting on some activity. If the underlying alert is a false positive, it must be tuned in the third party IDS itself, not in ASL.


Tuning Guidance

If you wish to shun on these alerts, set Active Response for rule 20101 to "yes" in the ASL rule manager. Note that ASL will then block based on whatever the third party IDS reports, including its false positives, so tune the third party IDS before enabling this.

Additional Information

Similar Rules

None.

Knowledge Base Articles

None.

Outside References

None.

Notes

Example log messages:

host suhosin[12345]: ALERT - script tried to increase memory_limit to 268435456 bytes which is above the allowed value (attacker `1.2.3.4`, file `/path/to/some/script`, line 123)
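The following is an added illustration, not ASL's rule logic or any vendor's code, of what the Description and Tuning Guidance sections describe: a log line from a third party IDS is recognized as an "IDS event" and reported, and a block is proposed only when active response is switched on. The suhosin line is the example quoted above; the Snort line is constructed here in Snort's syslog alert format, and the sshd line is a constructed non-IDS line that the rule must ignore. The function and class names are this example's own.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample log lines. The first is the suhosin example from this page;
# the second follows Snort's syslog alert format; the third is ordinary sshd noise.
SAMPLE_LOGS = [
    "host suhosin[12345]: ALERT - script tried to increase memory_limit to 268435456 bytes "
    "which is above the allowed value (attacker `1.2.3.4`, file `/path/to/some/script`, line 123)",
    "host snort[4321]: [1:2100498:7] GPL ATTACK_RESPONSE id check returned root "
    "[Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 203.0.113.9:80 -> 192.0.2.5:51034",
    "host sshd[999]: Accepted publickey for alice from 192.0.2.7 port 2222 ssh2",
]


@dataclass
class IdsEvent:
    product: str          # which third party IDS produced the alert
    message: str          # the IDS's own alert text, reported verbatim
    src_ip: Optional[str] # address the IDS attributed the action to, if any


# Each pattern is keyed on the syslog program name the third party IDS logs under.
# suhosin: "ALERT - <text> (attacker `<ip>`, file `<path>`, line <n>)"; the attacker part is optional.
SUHOSIN_RE = re.compile(
    r"suhosin\[\d+\]: ALERT - (?P<msg>.*?)(?: \(attacker `(?P<ip>[^`]+)`.*\))?$"
)
# snort: "[gid:sid:rev] <msg> [Classification: ...] [Priority: n] {PROTO} src:port -> dst:port"
SNORT_RE = re.compile(
    r"snort\[\d+\]: \[\d+:\d+:\d+\] (?P<msg>.*?) \[Classification:.*\{\w+\} (?P<ip>[\d.]+):\d+ -> "
)


def parse_ids_event(line: str) -> Optional[IdsEvent]:
    """Return an IdsEvent if the line is a third party IDS alert, else None."""
    m = SUHOSIN_RE.search(line)
    if m:
        return IdsEvent("suhosin", m.group("msg"), m.group("ip"))
    m = SNORT_RE.search(line)
    if m:
        return IdsEvent("snort", m.group("msg"), m.group("ip"))
    return None


def evaluate_rule_20101(lines: List[str], active_response: bool = False) -> List[Tuple[IdsEvent, str]]:
    """Hypothetical re-statement of the reporting behaviour described for rule 20101.

    Every recognized third party IDS alert is reported. A block ("shun") of the
    reported source address is only proposed when active_response is True, which
    mirrors the default-off Active Response setting described in Tuning Guidance.
    """
    results = []
    for line in lines:
        event = parse_ids_event(line)
        if event is None:
            continue  # not a third party IDS alert; the rule does not fire
        if active_response and event.src_ip:
            action = "shun " + event.src_ip
        else:
            action = "alert only"
        results.append((event, action))
    return results


if __name__ == "__main__":
    for mode in (False, True):
        print("active response:", mode)
        for event, action in evaluate_rule_20101(SAMPLE_LOGS, active_response=mode):
            print(f"  [{event.product}] {action}: {event.message}")
```

Running it shows both IDS lines reported as "alert only" with the default setting, and "shun 1.2.3.4" / "shun 203.0.113.9" once active response is on; the sshd line never fires. The point a practitioner should take from this is that the source address and the message come entirely from the third party IDS, so a false positive there becomes a block here once Active Response is enabled.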
