HIDS 553 - Revision history
https://wiki.atomicorp.com/wiki/index.php?title=HIDS_553&feed=atom&action=history
Feed updated: 2024-03-29T00:24:33Z
Revision history for this page on the wiki (MediaWiki 1.20.2)

Revision 1771: Mshinn at 22:30, 26 July 2011 (2011-07-26T22:30:54Z)
https://wiki.atomicorp.com/wiki/index.php?title=HIDS_553&diff=1771&oldid=prev
<table class='diff diff-contentalign-left'>
<col class='diff-marker' />
<col class='diff-content' />
<col class='diff-marker' />
<col class='diff-content' />
<tr style='vertical-align: top;'>
<td colspan='2' style="background-color: white; color:black;">← Older revision</td>
<td colspan='2' style="background-color: white; color:black;">Revision as of 22:30, 26 July 2011</td>
</tr><tr><td colspan="2" class="diff-lineno">Line 25:</td>
<td colspan="2" class="diff-lineno">Line 25:</td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"><div>[[HIDS 550]]</div></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"><div>[[HIDS 550]]</div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div><ins style="color: red; font-weight: bold; text-decoration: none;"></ins></div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div><ins style="color: red; font-weight: bold; text-decoration: none;">[[HIDS 551]]</ins></div></td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"><div>'''Knowledge Base Articles'''</div></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"><div>'''Knowledge Base Articles'''</div></td></tr>
</table>
Author: Mshinn

Revision 1746: Mshinn: Undo revision 1744 by Mshinn (talk) (2011-07-23T00:36:44Z)
https://wiki.atomicorp.com/wiki/index.php?title=HIDS_553&diff=1746&oldid=prev
<p>Undo revision 1744 by <a href="/wiki/index.php/Special:Contributions/Mshinn" title="Special:Contributions/Mshinn">Mshinn</a> (<a href="/wiki/index.php?title=User_talk:Mshinn&action=edit&redlink=1" class="new" title="User talk:Mshinn (page does not exist)">talk</a>)</p>
<table class='diff diff-contentalign-left'>
<col class='diff-marker' />
<col class='diff-content' />
<col class='diff-marker' />
<col class='diff-content' />
<tr style='vertical-align: top;'>
<td colspan='2' style="background-color: white; color:black;">← Older revision</td>
<td colspan='2' style="background-color: white; color:black;">Revision as of 00:36, 23 July 2011</td>
</tr><tr><td colspan="2" class="diff-lineno">Line 1:</td>
<td colspan="2" class="diff-lineno">Line 1:</td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"><div>'''Rule ID'''  </div></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"><div>'''Rule ID'''  </div></td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td></tr>
<tr><td class='diff-marker'>−</td><td style="background: #ffa; color:black; font-size: smaller;"><div><del class="diffchange diffchange-inline">5703</del></div></td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div><ins class="diffchange diffchange-inline">553</ins></div></td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"><div>'''Status'''</div></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"><div>'''Status'''</div></td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td></tr>
<tr><td class='diff-marker'>−</td><td style="background: #ffa; color:black; font-size: smaller;"><div><del class="diffchange diffchange-inline">Possible breakin attempt (high number of reverse lookup errors)</del>.</div></td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div><ins class="diffchange diffchange-inline">Active rule currently published</ins>.</div></td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"><div>'''Description'''   </div></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"><div>'''Description'''   </div></td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td></tr>
<tr><td class='diff-marker'>−</td><td style="background: #ffa; color:black; font-size: smaller;"><div>This rule is detects when <del class="diffchange diffchange-inline">an application, such as sshd, </del>has <del class="diffchange diffchange-inline">reported a high number of reverse lookup errors.  A reverse lookup error occurs when your application attempts to determine what the fully qualified DNS name is for an IP address</del>, and <del class="diffchange diffchange-inline">then looks up </del>the <del class="diffchange diffchange-inline">fully qualified name to see if </del>it <del class="diffchange diffchange-inline">matches the IP address</del>.  <del class="diffchange diffchange-inline">If they do not match</del>, <del class="diffchange diffchange-inline">this </del>may indicate that <del class="diffchange diffchange-inline">someone is spoofing the fully qualified domain name to try to trick </del>your system <del class="diffchange diffchange-inline">into allowing them to log in</del>.</div></td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div>This rule is detects when <ins class="diffchange diffchange-inline">a monitored file </ins>has <ins class="diffchange diffchange-inline">been deleted</ins>, and the <ins class="diffchange diffchange-inline">system can not longer monitor </ins>it.  <ins class="diffchange diffchange-inline">This may be non-malicious</ins>, <ins class="diffchange diffchange-inline">or </ins>may indicate that <ins class="diffchange diffchange-inline">unauthorized changes have occurred on </ins>your system.</div></td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td></tr>
<tr><td class='diff-marker'>−</td><td style="background: #ffa; color:black; font-size: smaller;"><div><del class="diffchange diffchange-inline">For example, when this occurs with SSH you may see an error message such as this:</del></div></td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div><ins class="diffchange diffchange-inline">'''False Positives'''</ins></div></td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td></tr>
<tr><td class='diff-marker'>−</td><td style="background: #ffa; color:black; font-size: smaller;"><div><del class="diffchange diffchange-inline">servername sshd[12345]: reverse mapping checking getaddrinfo </del>for <del class="diffchange diffchange-inline">www</del>.<del class="diffchange diffchange-inline">example</del>.<del class="diffchange diffchange-inline">com failed - POSSIBLE BREAK-IN ATTEMPT!</del></div></td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div><ins class="diffchange diffchange-inline">There is no known false positive </ins>for <ins class="diffchange diffchange-inline">this rule</ins>. <ins class="diffchange diffchange-inline"> This rule detects when a file has been deleted, and therefore the system can no longer monitor it</ins>. <ins class="diffchange diffchange-inline"> </ins></div></td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td></tr>
<tr><td class='diff-marker'>−</td><td style="background: #ffa; color:black; font-size: smaller;"><div><del class="diffchange diffchange-inline">In </del>this <del class="diffchange diffchange-inline">example, </del>a <del class="diffchange diffchange-inline">system has connected to your ssh server.  That connection has an IP address.  For the purposes of example</del>, <del class="diffchange diffchange-inline">lets say that IP address is 1.2.3.4.  The sshd service lookups that IP address, conducting what is called a "reverse lookup" </del>to determine <del class="diffchange diffchange-inline">that the fully qualified domain name </del>is <del class="diffchange diffchange-inline">for 1.2.3.4.  The DNS server for 1.2.3.4 returns the name "www.example.com".  Because anyone can return any name they want from </del>a <del class="diffchange diffchange-inline">DNS server</del>, <del class="diffchange diffchange-inline">this method is not an accurate way of determining </del>if <del class="diffchange diffchange-inline">the answer is correct</del>.  <del class="diffchange diffchange-inline">You now have </del>to <del class="diffchange diffchange-inline">reverse </del>the <del class="diffchange diffchange-inline">process to see if "www.example.com" will resolve to 1.2.3.4.  The sshd service then conducts a DNS query to ask the authoritative DNS server for www.example.com what the IP address is for www.example.com.  If that DNS server returns an address that is different from 1.2.3.4, then the reverse mapping has failed.  1.2.3.4 is not the IP address for www.example.com, so someone may be trying to spoof the DNS address.  This could also occur if someone made a mistake with their DNS names.  
Contact the DNS operators for both the domain name and IP address if you believe they have made a mistake.</del></div></td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div><ins class="diffchange diffchange-inline">If you believe that </ins>this <ins class="diffchange diffchange-inline">is </ins>a <ins class="diffchange diffchange-inline">false positive</ins>, <ins class="diffchange diffchange-inline">please report this </ins>to <ins class="diffchange diffchange-inline">our security team can </ins>determine <ins class="diffchange diffchange-inline">if this </ins>is a <ins class="diffchange diffchange-inline">legitimate case</ins>, <ins class="diffchange diffchange-inline">or </ins>if <ins class="diffchange diffchange-inline">its clever attack on your system</ins>.  <ins class="diffchange diffchange-inline">Instructions </ins>to <ins class="diffchange diffchange-inline">report false positives are detailed on </ins>the <ins class="diffchange diffchange-inline">[[Reporting </ins>False Positives<ins class="diffchange diffchange-inline">]] wiki page.</ins></div></td></tr>
<tr><td class='diff-marker'>−</td><td style="background: #ffa; color:black; font-size: smaller;"><div> </div></td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div></div></td></tr>
<tr><td class='diff-marker'>−</td><td style="background: #ffa; color:black; font-size: smaller;"><div><del class="diffchange diffchange-inline">'''</del>False Positives<del class="diffchange diffchange-inline">'''</del></div></td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div></div></td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td></tr>
<tr><td class='diff-marker'>−</td><td style="background: #ffa; color:black; font-size: smaller;"><div><del style="color: red; font-weight: bold; text-decoration: none;">There are no known false positive for this rule.  This rule simply reports when your application reports that this has occurred.  If your application is in error, please contact your application vendor for assistance.  If the DNS servers are in error, please contact the DNS operators.  And if the DNS software is incorrectly reporting this information to your application, please contact your DNS vendor.</del></div></td><td colspan="2"> </td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"><div>'''Tuning Recommendations'''</div></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"><div>'''Tuning Recommendations'''</div></td></tr>
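<tr><td colspan="4">Review bot: the undo correctly restores the rule 553 content, but the restored Description and False Positives text carries the same wording defects it had before: "This rule is detects" should read "This rule detects", "can not longer monitor" should read "can no longer monitor", and "please report this to our security team can determine if this is a legitimate case, or if its clever attack" is missing "so they" before "can determine" and "it is a" before "clever attack". Worth fixing in the same pass rather than re-introducing them verbatim.</td></tr>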
<tr><td colspan="2" class="diff-lineno">Line 27:</td>
<td colspan="2" class="diff-lineno">Line 24:</td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"><div>'''Similar Rules'''</div></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"><div>'''Similar Rules'''</div></td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div><ins style="color: red; font-weight: bold; text-decoration: none;">[[HIDS 550]]</ins></div></td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"><div>'''Knowledge Base Articles'''</div></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"><div>'''Knowledge Base Articles'''</div></td></tr>
</table>
Author: Mshinn

Revision 1744: Mshinn at 00:35, 23 July 2011 (2011-07-23T00:35:41Z)
https://wiki.atomicorp.com/wiki/index.php?title=HIDS_553&diff=1744&oldid=prev
<table class='diff diff-contentalign-left'>
<col class='diff-marker' />
<col class='diff-content' />
<col class='diff-marker' />
<col class='diff-content' />
<tr style='vertical-align: top;'>
<td colspan='2' style="background-color: white; color:black;">← Older revision</td>
<td colspan='2' style="background-color: white; color:black;">Revision as of 00:35, 23 July 2011</td>
</tr><tr><td colspan="2" class="diff-lineno">Line 1:</td>
<td colspan="2" class="diff-lineno">Line 1:</td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"><div>'''Rule ID'''  </div></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"><div>'''Rule ID'''  </div></td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td></tr>
<tr><td class='diff-marker'>−</td><td style="background: #ffa; color:black; font-size: smaller;"><div><del class="diffchange diffchange-inline">553</del></div></td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div><ins class="diffchange diffchange-inline">5703</ins></div></td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"><div>'''Status'''</div></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"><div>'''Status'''</div></td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td></tr>
<tr><td class='diff-marker'>−</td><td style="background: #ffa; color:black; font-size: smaller;"><div><del class="diffchange diffchange-inline">Active rule currently published</del>.</div></td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div><ins class="diffchange diffchange-inline">Possible breakin attempt (high number of reverse lookup errors)</ins>.</div></td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"><div>'''Description'''   </div></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"><div>'''Description'''   </div></td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td></tr>
<tr><td class='diff-marker'>−</td><td style="background: #ffa; color:black; font-size: smaller;"><div>This rule is detects when <del class="diffchange diffchange-inline">a monitored file </del>has <del class="diffchange diffchange-inline">been deleted</del>, and the <del class="diffchange diffchange-inline">system can not longer monitor </del>it.  <del class="diffchange diffchange-inline">This may be non-malicious</del>, <del class="diffchange diffchange-inline">or </del>may indicate that <del class="diffchange diffchange-inline">unauthorized changes have occurred on </del>your system.</div></td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div>This rule is detects when <ins class="diffchange diffchange-inline">an application, such as sshd, </ins>has <ins class="diffchange diffchange-inline">reported a high number of reverse lookup errors.  A reverse lookup error occurs when your application attempts to determine what the fully qualified DNS name is for an IP address</ins>, and <ins class="diffchange diffchange-inline">then looks up </ins>the <ins class="diffchange diffchange-inline">fully qualified name to see if </ins>it <ins class="diffchange diffchange-inline">matches the IP address</ins>.  <ins class="diffchange diffchange-inline">If they do not match</ins>, <ins class="diffchange diffchange-inline">this </ins>may indicate that <ins class="diffchange diffchange-inline">someone is spoofing the fully qualified domain name to try to trick </ins>your system <ins class="diffchange diffchange-inline">into allowing them to log in</ins>.</div></td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td></tr>
<tr><td class='diff-marker'>−</td><td style="background: #ffa; color:black; font-size: smaller;"><div><del class="diffchange diffchange-inline">'''False Positives'''</del></div></td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div><ins class="diffchange diffchange-inline">For example, when this occurs with SSH you may see an error message such as this:</ins></div></td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td></tr>
<tr><td class='diff-marker'>−</td><td style="background: #ffa; color:black; font-size: smaller;"><div><del class="diffchange diffchange-inline">There is no known false positive </del>for <del class="diffchange diffchange-inline">this rule</del>. <del class="diffchange diffchange-inline"> This rule detects when a file has been deleted, and therefore the system can no longer monitor it</del>. <del class="diffchange diffchange-inline"> </del></div></td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div><ins class="diffchange diffchange-inline">servername sshd[12345]: reverse mapping checking getaddrinfo </ins>for <ins class="diffchange diffchange-inline">www</ins>.<ins class="diffchange diffchange-inline">example</ins>.<ins class="diffchange diffchange-inline">com failed - POSSIBLE BREAK-IN ATTEMPT!</ins></div></td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td></tr>
<tr><td class='diff-marker'>−</td><td style="background: #ffa; color:black; font-size: smaller;"><div><del class="diffchange diffchange-inline">If you believe that </del>this <del class="diffchange diffchange-inline">is </del>a <del class="diffchange diffchange-inline">false positive</del>, <del class="diffchange diffchange-inline">please report this </del>to <del class="diffchange diffchange-inline">our security team can </del>determine <del class="diffchange diffchange-inline">if this </del>is a <del class="diffchange diffchange-inline">legitimate case</del>, <del class="diffchange diffchange-inline">or </del>if <del class="diffchange diffchange-inline">its clever attack on your system</del>.  <del class="diffchange diffchange-inline">Instructions </del>to <del class="diffchange diffchange-inline">report false positives are detailed on </del>the <del class="diffchange diffchange-inline">[[Reporting </del>False Positives<del class="diffchange diffchange-inline">]] wiki page.</del></div></td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div><ins class="diffchange diffchange-inline">In </ins>this <ins class="diffchange diffchange-inline">example, </ins>a <ins class="diffchange diffchange-inline">system has connected to your ssh server.  That connection has an IP address.  For the purposes of example</ins>, <ins class="diffchange diffchange-inline">lets say that IP address is 1.2.3.4.  The sshd service lookups that IP address, conducting what is called a "reverse lookup" </ins>to determine <ins class="diffchange diffchange-inline">that the fully qualified domain name </ins>is <ins class="diffchange diffchange-inline">for 1.2.3.4.  The DNS server for 1.2.3.4 returns the name "www.example.com".  
Because anyone can return any name they want from </ins>a <ins class="diffchange diffchange-inline">DNS server</ins>, <ins class="diffchange diffchange-inline">this method is not an accurate way of determining </ins>if <ins class="diffchange diffchange-inline">the answer is correct</ins>.  <ins class="diffchange diffchange-inline">You now have </ins>to <ins class="diffchange diffchange-inline">reverse </ins>the <ins class="diffchange diffchange-inline">process to see if "www.example.com" will resolve to 1.2.3.4.  The sshd service then conducts a DNS query to ask the authoritative DNS server for www.example.com what the IP address is for www.example.com.  If that DNS server returns an address that is different from 1.2.3.4, then the reverse mapping has failed.  1.2.3.4 is not the IP address for www.example.com, so someone may be trying to spoof the DNS address.  This could also occur if someone made a mistake with their DNS names.  Contact the DNS operators for both the domain name and IP address if you believe they have made a mistake.</ins></div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div> </div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div><ins class="diffchange diffchange-inline">'''</ins>False Positives<ins class="diffchange diffchange-inline">'''</ins></div></td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div><ins style="color: red; font-weight: bold; text-decoration: none;">There are no known false positive for this rule.  This rule simply reports when your application reports that this has occurred.  If your application is in error, please contact your application vendor for assistance.  If the DNS servers are in error, please contact the DNS operators.  And if the DNS software is incorrectly reporting this information to your application, please contact your DNS vendor.</ins></div></td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"><div>'''Tuning Recommendations'''</div></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"><div>'''Tuning Recommendations'''</div></td></tr>
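<tr><td colspan="4">Review bot: the Rule ID changes from 553 to 5703 on the HIDS_553 page, and the Status field receives the text "Possible breakin attempt (high number of reverse lookup errors)." in place of a publication status, so this looks like the content of a different rule's page pasted into the wrong article (revision 1746, listed earlier in this history, undoes it). If the reverse-lookup content is intended, it belongs on a page for rule 5703, and the sshd log line "servername sshd[12345]: reverse mapping checking getaddrinfo for www.example.com failed - POSSIBLE BREAK-IN ATTEMPT!" should be set off as preformatted text rather than run in as a prose paragraph.</td></tr>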
<tr><td colspan="2" class="diff-lineno">Line 24:</td>
<td colspan="2" class="diff-lineno">Line 27:</td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"><div>'''Similar Rules'''</div></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"><div>'''Similar Rules'''</div></td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td></tr>
<tr><td class='diff-marker'>−</td><td style="background: #ffa; color:black; font-size: smaller;"><div><del style="color: red; font-weight: bold; text-decoration: none;">[[HIDS 550]]</del></div></td><td colspan="2"> </td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"><div>'''Knowledge Base Articles'''</div></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"><div>'''Knowledge Base Articles'''</div></td></tr>
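<tr><td colspan="4">Review bot: removing [[HIDS 550]] leaves the Similar Rules section with no entry at all; the other sections of this page use "None." when there is nothing to list, so either keep the link or replace it with "None." rather than leaving the heading empty.</td></tr>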
</table>
Author: Mshinn

Revision 1626: Mshinn at 17:00, 23 June 2011 (2011-06-23T17:00:47Z)
https://wiki.atomicorp.com/wiki/index.php?title=HIDS_553&diff=1626&oldid=prev
<table class='diff diff-contentalign-left'>
<col class='diff-marker' />
<col class='diff-content' />
<col class='diff-marker' />
<col class='diff-content' />
<tr style='vertical-align: top;'>
<td colspan='2' style="background-color: white; color:black;">← Older revision</td>
<td colspan='2' style="background-color: white; color:black;">Revision as of 17:00, 23 June 2011</td>
</tr><tr><td colspan="2" class="diff-lineno">Line 24:</td>
<td colspan="2" class="diff-lineno">Line 24:</td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"><div>'''Similar Rules'''</div></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"><div>'''Similar Rules'''</div></td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td></tr>
<tr><td class='diff-marker'>−</td><td style="background: #ffa; color:black; font-size: smaller;"><div><del class="diffchange diffchange-inline">None.</del></div></td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div><ins class="diffchange diffchange-inline">[[HIDS 550]]</ins></div></td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"><div>'''Knowledge Base Articles'''</div></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"><div>'''Knowledge Base Articles'''</div></td></tr>
</table>
Author: Mshinn

Revision 1625: Mshinn at 17:00, 23 June 2011 (2011-06-23T17:00:31Z)
https://wiki.atomicorp.com/wiki/index.php?title=HIDS_553&diff=1625&oldid=prev
<table class='diff diff-contentalign-left'>
<col class='diff-marker' />
<col class='diff-content' />
<col class='diff-marker' />
<col class='diff-content' />
<tr style='vertical-align: top;'>
<td colspan='2' style="background-color: white; color:black;">← Older revision</td>
<td colspan='2' style="background-color: white; color:black;">Revision as of 17:00, 23 June 2011</td>
</tr><tr><td colspan="2" class="diff-lineno">Line 9:</td>
<td colspan="2" class="diff-lineno">Line 9:</td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"><div>'''Description'''   </div></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"><div>'''Description'''   </div></td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td></tr>
<tr><td class='diff-marker'>−</td><td style="background: #ffa; color:black; font-size: smaller;"><div>This rule is detects when a monitored file <del class="diffchange diffchange-inline">changes</del>.   </div></td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div>This rule is detects when a monitored file <ins class="diffchange diffchange-inline">has been deleted, and the system can not longer monitor it</ins>.  <ins class="diffchange diffchange-inline">This may be non-malicious, or may indicate that unauthorized changes have occurred on your system.</ins></div></td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"><div>'''False Positives'''</div></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"><div>'''False Positives'''</div></td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td></tr>
<tr><td class='diff-marker'>−</td><td style="background: #ffa; color:black; font-size: smaller;"><div>There is no known false positive for this rule.  This rule detects when <del class="diffchange diffchange-inline">files change</del>, therefore<del class="diffchange diffchange-inline">, </del>it <del class="diffchange diffchange-inline">is not recommended that you disable this rule</del>.   </div></td><td class='diff-marker'>+</td><td style="background: #cfc; color:black; font-size: smaller;"><div>There is no known false positive for this rule.  This rule detects when <ins class="diffchange diffchange-inline">a file has been deleted</ins>, <ins class="diffchange diffchange-inline">and </ins>therefore <ins class="diffchange diffchange-inline">the system can no longer monitor </ins>it.   </div></td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"></td></tr>
<tr><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"><div>If you believe that this is a false positive, please report this to our security team can determine if this is a legitimate case, or if its clever attack on your system.  Instructions to report false positives are detailed on the [[Reporting False Positives]] wiki page.</div></td><td class='diff-marker'> </td><td style="background: #eee; color:black; font-size: smaller;"><div>If you believe that this is a false positive, please report this to our security team can determine if this is a legitimate case, or if its clever attack on your system.  Instructions to report false positives are detailed on the [[Reporting False Positives]] wiki page.</div></td></tr>
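<tr><td colspan="4">Review bot: the new Description says a deletion "may be non-malicious", yet the False Positives paragraph directly below still opens with "There is no known false positive for this rule"; the two statements pull in opposite directions, so the false-positive section should either describe which legitimate activity removes monitored files or drop the "no known false positive" claim. The new text also keeps "This rule is detects" and introduces "can not longer monitor", which should read "This rule detects" and "can no longer monitor".</td></tr>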
</table>
Author: Mshinn

Revision 1623: Mshinn: Created page with "'''Rule ID''' 553 '''Status''' Active rule currently published. '''Description''' This rule is detects when a monitored file changes. '''False Positives''' There is n..." (2011-06-23T16:58:55Z)
https://wiki.atomicorp.com/wiki/index.php?title=HIDS_553&diff=1623&oldid=prev
<p>Created page with "'''Rule ID''' 553 '''Status''' Active rule currently published. '''Description''' This rule is detects when a monitored file changes. '''False Positives''' There is n..."</p>
<p><b>New page</b></p><div>'''Rule ID''' <br />
<br />
553<br />
<br />
'''Status'''<br />
<br />
Active rule currently published.<br />
<br />
'''Description''' <br />
<br />
This rule is detects when a monitored file changes. <br />
<br />
'''False Positives'''<br />
<br />
There is no known false positive for this rule. This rule detects when files change, therefore, it is not recommended that you disable this rule. <br />
<br />
If you believe that this is a false positive, please report this to our security team can determine if this is a legitimate case, or if its clever attack on your system. Instructions to report false positives are detailed on the [[Reporting False Positives]] wiki page.<br />
<br />
<br />
'''Tuning Recommendations'''<br />
<br />
None.<br />
<br />
'''Similar Rules'''<br />
<br />
None.<br />
<br />
'''Knowledge Base Articles'''<br />
<br />
None.<br />
<br />
'''Outside References'''</div>
Author: Mshinn