HIDS 20100 - Revision history
https://wiki.atomicorp.com/wiki/index.php?title=HIDS_20100&feed=atom&action=history
Revision history for this page on the wiki (MediaWiki 1.20.2, 2024-03-29T13:52:26Z)

https://wiki.atomicorp.com/wiki/index.php?title=HIDS_20100&diff=5343&oldid=prev
Mshinn at 20:29, 13 January 2015 (2015-01-13T20:29:06Z)
<table class='diff diff-contentalign-left'>
<col class='diff-marker' />
<col class='diff-content' />
<col class='diff-marker' />
<col class='diff-content' />
<tr style='vertical-align: top;'>
<td colspan='2' style="background-color: white; color:black;">← Older revision</td>
<td colspan='2' style="background-color: white; color:black;">Revision as of 20:29, 13 January 2015</td>
</tr><tr><td colspan="2" class="diff-lineno">Line 12:</td>
<td colspan="2" class="diff-lineno">Line 12:</td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"><div>'''These events are not triggered, caused, configured or managed by by ASL, and ASL does not cause the blocking action or alert.  The Third Party IDS is the cause of this event.'''   </div></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"><div>'''These events are not triggered, caused, configured or managed by by ASL, and ASL does not cause the blocking action or alert.  The Third Party IDS is the cause of this event.'''   </div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div><ins style="color: red; font-weight: bold; text-decoration: none;"></ins></div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div><ins style="color: red; font-weight: bold; text-decoration: none;">'''Please do not report false positives for this rule.'''</ins></div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div><ins style="color: red; font-weight: bold; text-decoration: none;"></ins></div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div><ins style="color: red; font-weight: bold; text-decoration: none;">== Example log messages == </ins></div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div><ins style="color: red; font-weight: bold; text-decoration: none;"></ins></div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div><ins style="color: red; font-weight: bold; text-decoration: none;">=== suhosin ===</ins></div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div><ins style="color: red; font-weight: bold; text-decoration: none;"></ins></div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div><ins style="color: red; font-weight: bold; text-decoration: none;">host suhosin[12345]: ALERT - script tried to increase memory_limit to 268435456 bytes which is above the allowed value (attacker `1.2.3.4`, file `/path/to/some/script`, line 123)</ins></div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div><ins style="color: red; font-weight: bold; text-decoration: none;"></ins></div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div><ins style="color: red; font-weight: bold; text-decoration: none;">=== snort ===</ins></div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div><ins style="color: red; font-weight: bold; text-decoration: none;"></ins></div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div><ins style="color: red; font-weight: bold; text-decoration: none;">10/13-16:06:52.495243  [**] [1:10000305:1]  <any> SOSI - Active Bogon IP [**] [Priority: 0] {TCP} 1.2.3.4:80 -> 5.6.7.8:52367</ins></div></td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"><div>== Details ==</div></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"><div>== Details ==</div></td></tr>
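Review bot: the line "Please do not report false positives for this rule." added here under Description is added again under False Positives in a later hunk of the same edit; keep a single copy (False Positives is the natural home) so the two do not drift apart. While this region is being touched, the unchanged context line still reads "configured or managed by by ASL"; drop the doubled "by". The moved heading "== Example log messages == " also carries a trailing space.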
<tr><td colspan="2" class="diff-lineno">Line 31:</td>
<td colspan="2" class="diff-lineno">Line 43:</td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"><div>* dragon-nids</div></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"><div>* dragon-nids</div></td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"><div>* BRO IDS</div></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"><div>* BRO IDS</div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div><ins style="color: red; font-weight: bold; text-decoration: none;">* Symantec</ins></div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div><ins style="color: red; font-weight: bold; text-decoration: none;">* McAfee</ins></div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div><ins style="color: red; font-weight: bold; text-decoration: none;">* Palo Alto</ins></div></td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"><div>Note:  These are not installed by [[ASL]].  If you are getting alerts from these products, and require assistance configuring these third party IDS', please contact the third party IDS' vendor.  We do not support, and ASL does not install these products.</div></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"><div>Note:  These are not installed by [[ASL]].  If you are getting alerts from these products, and require assistance configuring these third party IDS', please contact the third party IDS' vendor.  We do not support, and ASL does not install these products.</div></td></tr>
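Review bot: the three new entries (Symantec, McAfee, Palo Alto) are vendor names, whereas the existing entries (SNORT, suhosin, dragon-nids, BRO IDS) name the product whose log format is recognised; name the specific product or log source for each so a reader can tell whether their deployment is covered. The context note below ("contact the third party IDS' vendor") already fits vendor-named entries, so only the list itself needs the clarification.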
<tr><td colspan="2" class="diff-lineno">Line 39:</td>
<td colspan="2" class="diff-lineno">Line 54:</td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"><div>This rule is not caused by [[ASL]].  ASL merely reports that a third party IDS is alerting on some activity.</div></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"><div>This rule is not caused by [[ASL]].  ASL merely reports that a third party IDS is alerting on some activity.</div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div><ins style="color: red; font-weight: bold; text-decoration: none;"></ins></div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div><ins style="color: red; font-weight: bold; text-decoration: none;">'''Please do not report false positives for this rule.'''</ins></div></td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"><div>== Tuning Guidance ==</div></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"><div>== Tuning Guidance ==</div></td></tr>
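Review bot: the added sentence tells the reader not to report false positives here but not where to take them; the note under Detected Third Party IDS' already says to contact the third party IDS' vendor, so suggest "Please do not report false positives for this rule here; report them to the vendor of the third party IDS that generated the alert." so the two sections agree.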
<tr><td colspan="2" class="diff-lineno">Line 59:</td>
<td colspan="2" class="diff-lineno">Line 76:</td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"><div>None.</div></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"><div>None.</div></td></tr>
<tr><td class='diff-marker'>−</td><td style="background: #ffa; color:black; font-size: smaller;"><div><del style="color: red; font-weight: bold; text-decoration: none;"></del></div></td><td colspan="2"> </td></tr>
<tr><td class='diff-marker'>−</td><td style="background: #ffa; color:black; font-size: smaller;"><div><del style="color: red; font-weight: bold; text-decoration: none;">== Example log messages == </del></div></td><td colspan="2"> </td></tr>
<tr><td class='diff-marker'>−</td><td style="background: #ffa; color:black; font-size: smaller;"><div><del style="color: red; font-weight: bold; text-decoration: none;"></del></div></td><td colspan="2"> </td></tr>
<tr><td class='diff-marker'>−</td><td style="background: #ffa; color:black; font-size: smaller;"><div><del style="color: red; font-weight: bold; text-decoration: none;">=== suhosin ===</del></div></td><td colspan="2"> </td></tr>
<tr><td class='diff-marker'>−</td><td style="background: #ffa; color:black; font-size: smaller;"><div><del style="color: red; font-weight: bold; text-decoration: none;"></del></div></td><td colspan="2"> </td></tr>
<tr><td class='diff-marker'>−</td><td style="background: #ffa; color:black; font-size: smaller;"><div><del style="color: red; font-weight: bold; text-decoration: none;">host suhosin[12345]: ALERT - script tried to increase memory_limit to 268435456 bytes which is above the allowed value (attacker `1.2.3.4`, file `/path/to/some/script`, line 123)</del></div></td><td colspan="2"> </td></tr>
<tr><td class='diff-marker'>−</td><td style="background: #ffa; color:black; font-size: smaller;"><div><del style="color: red; font-weight: bold; text-decoration: none;"></del></div></td><td colspan="2"> </td></tr>
<tr><td class='diff-marker'>−</td><td style="background: #ffa; color:black; font-size: smaller;"><div><del style="color: red; font-weight: bold; text-decoration: none;">=== snort ===</del></div></td><td colspan="2"> </td></tr>
<tr><td class='diff-marker'>−</td><td style="background: #ffa; color:black; font-size: smaller;"><div><del style="color: red; font-weight: bold; text-decoration: none;"></del></div></td><td colspan="2"> </td></tr>
<tr><td class='diff-marker'>−</td><td style="background: #ffa; color:black; font-size: smaller;"><div><del style="color: red; font-weight: bold; text-decoration: none;">10/13-16:06:52.495243  [**] [1:10000305:1]  <any> SOSI - Active Bogon IP [**] [Priority: 0] {TCP} 1.2.3.4:80 -> 5.6.7.8:52367</del></div></td><td colspan="2"> </td></tr>
</table>
Mshinn

https://wiki.atomicorp.com/wiki/index.php?title=HIDS_20100&diff=3779&oldid=prev
Mshinn: Created page with "{{Infobox |header1= Rule 20100 |label2 = Status |data2 = Active |label3 = Alert Message |data3 = First time this IDS alert is generated. }} = Description = This rule is trig..." (2013-07-31T23:36:18Z)
<p><b>New page</b></p><div>{{Infobox<br />
|header1= Rule 20100<br />
|label2 = Status<br />
|data2 = Active<br />
|label3 = Alert Message<br />
|data3 = First time this IDS alert is generated.<br />
}}<br />
<br />
= Description =<br />
<br />
This rule is triggered when ASL has detected a '''third party''' Intrusion Detection System (IDS) and that third party IDS has generated an alert and/or blocked some action.<br />
<br />
'''These events are not triggered, caused, configured or managed by ASL, and ASL does not cause the blocking action or alert. The Third Party IDS is the cause of this event.''' <br />
<br />
== Details ==<br />
<br />
This rule is designed to detect third party IDS products and to alert you if they have generated an alert and/or blocked some action. The third party IDS may also have generated a false positive (false alarm) and may have blocked a non-malicious action. ASL generates an alert for these conditions in case you wish to investigate the actions of your third party IDS further.<br />
<br />
ASL does not control or configure this behavior; it merely reports when it occurs. Therefore, if your third party IDS is in error, please contact that IDS' vendor for assistance with configuring it.<br />
<br />
By default, ASL will not shun on these events. If you wish to have ASL block on these events, please see the Tuning Guidance section below. <br />
<br />
Disabling this rule will not prevent your third party IDS from alerting or blocking this activity. It will simply "silence" the alert in ASL; the third party IDS will continue to alert and/or block this activity. We do not recommend you disable this rule.<br />
<br />
== Detected Third Party IDS' ==<br />
<br />
ASL can detect alerts from a number of third party IDS products and, if configured, can also block attacks based on those alerts. Examples of third party IDS products whose alerts ASL can detect:<br />
<br />
* SNORT<br />
* suhosin<br />
* dragon-nids<br />
* BRO IDS<br />
<br />
Note: These are not installed by [[ASL]]. If you are getting alerts from these products and require assistance configuring them, please contact the third party IDS' vendor. We do not support these products, and ASL does not install them.<br />
<br />
= Troubleshooting =<br />
<br />
== False Positives ==<br />
<br />
This rule is not caused by [[ASL]]. ASL merely reports that a third party IDS is alerting on some activity.<br />
<br />
== Tuning Guidance ==<br />
<br />
If you wish to shun on these alerts, just set Active Response in the [[ASL]] rule manager for rule 20101 to "yes".<br />
<br />
'''Disabling this rule will not prevent your third party IDS from alerting or blocking this activity.''' It will simply "silence" the alert in ASL. The third party IDS will continue to alert and/or block this activity. We do not recommend you disable this rule.<br />
<br />
= Additional Information =<br />
<br />
== Similar Rules ==<br />
<br />
None.<br />
<br />
== Knowledge Base Articles ==<br />
<br />
None.<br />
<br />
== Outside References == <br />
<br />
None.<br />
<br />
== Example log messages == <br />
<br />
=== suhosin ===<br />
<br />
host suhosin[12345]: ALERT - script tried to increase memory_limit to 268435456 bytes which is above the allowed value (attacker `1.2.3.4`, file `/path/to/some/script`, line 123)<br />
<br />
=== snort ===<br />
<br />
10/13-16:06:52.495243 [**] [1:10000305:1] <any> SOSI - Active Bogon IP [**] [Priority: 0] {TCP} 1.2.3.4:80 -> 5.6.7.8:52367</div>
Mshinn
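The two example log messages above are the only detail the page gives of what rule 20100 consumes. As an added example (mine, not code from the page and not ASL's own decoders or rule logic), here is a small Python parser that recognises the suhosin and snort alert formats shown, pulls out the fields an analyst would triage (the reporting IDS, the signature text, the source address), and reports only the first time each distinct (IDS, signature) pair is seen, which is the condition the rule's alert message "First time this IDS alert is generated" describes. The regular expressions, the field names and the first-seen bookkeeping are my assumptions about these two formats; the sample lines are copies of the page's examples plus one constructed unrelated line.

```python
import re
from typing import Optional

# Constructed sample input: the two example messages from the page, verbatim.
SAMPLE_LINES = [
    "host suhosin[12345]: ALERT - script tried to increase memory_limit to 268435456 bytes "
    "which is above the allowed value (attacker `1.2.3.4`, file `/path/to/some/script`, line 123)",
    "10/13-16:06:52.495243 [**] [1:10000305:1] <any> SOSI - Active Bogon IP [**] "
    "[Priority: 0] {TCP} 1.2.3.4:80 -> 5.6.7.8:52367",
]

# Assumed suhosin layout:
#   <host> suhosin[<pid>]: ALERT - <message> (attacker `<ip>`, file `<path>`, line <n>)
SUHOSIN_RE = re.compile(
    r"^(?P<host>\S+)\s+suhosin\[(?P<pid>\d+)\]:\s+ALERT\s+-\s+(?P<message>.*?)\s*"
    r"\(attacker `(?P<src_ip>[^`]+)`, file `(?P<file>[^`]+)`, line (?P<line>\d+)\)\s*$"
)

# Assumed snort "fast" alert layout:
#   <ts> [**] [gid:sid:rev] <msg> [**] [Priority: n] {proto} src:port -> dst:port
SNORT_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}-\d{2}:\d{2}:\d{2}\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<message>.*?)\s+\[\*\*\]\s+"
    r"\[Priority:\s*(?P<priority>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src_ip>[\d.]+):(?P<src_port>\d+)\s+->\s+(?P<dst_ip>[\d.]+):(?P<dst_port>\d+)\s*$"
)


def parse_third_party_alert(line: str) -> Optional[dict]:
    """Return a normalised dict for a recognised third-party IDS alert, or None."""
    m = SUHOSIN_RE.match(line)
    if m:
        d = m.groupdict()
        return {"ids": "suhosin", "signature": d["message"], "src_ip": d["src_ip"],
                "file": d["file"], "line": int(d["line"]), "pid": int(d["pid"])}
    m = SNORT_RE.match(line)
    if m:
        d = m.groupdict()
        return {"ids": "snort", "signature": d["message"],
                "sid": f'{d["gid"]}:{d["sid"]}:{d["rev"]}',
                "priority": int(d["priority"]), "proto": d["proto"],
                "src_ip": d["src_ip"], "src_port": int(d["src_port"]),
                "dst_ip": d["dst_ip"], "dst_port": int(d["dst_port"])}
    return None


class FirstSeenTracker:
    """Remembers which (ids, signature) pairs have already fired, so that only the
    first occurrence of a given third-party alert is surfaced (an assumed model of
    the rule's "first time this IDS alert is generated" condition)."""

    def __init__(self) -> None:
        self._seen: set = set()

    def is_first(self, alert: dict) -> bool:
        key = (alert["ids"], alert["signature"])
        if key in self._seen:
            return False
        self._seen.add(key)
        return True


def triage(lines) -> tuple:
    """Parse each line; return (first-seen alerts, repeat count, unrecognised count)."""
    tracker = FirstSeenTracker()
    first, repeats, unknown = [], 0, 0
    for line in lines:
        alert = parse_third_party_alert(line)
        if alert is None:
            unknown += 1
        elif tracker.is_first(alert):
            first.append(alert)
        else:
            repeats += 1
    return first, repeats, unknown


if __name__ == "__main__":
    # Feed the two page examples, a repeat of the suhosin line, and one constructed
    # non-IDS line: the repeat is counted, not re-alerted, and the odd line is ignored.
    firsts, reps, unk = triage(SAMPLE_LINES + SAMPLE_LINES[:1] + ["kernel: unrelated message"])
    for a in firsts:
        print(f"first {a['ids']} alert '{a['signature']}' from {a['src_ip']}")
    print(f"repeats={reps} unrecognised={unk}")
```

The point of the first-seen split is operational: the third party IDS keeps alerting or blocking on every repeat regardless of what this rule does, so a reporter like this only tells you that a new kind of third-party alert has appeared; the repeat count tells you whether that IDS is still firing, which is the question to take to its vendor if the alert is a false positive.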