If detection of signs of falsified addresses in ARP packets is enabled, Kaspersky Industrial CyberSecurity for Networks scans the indicated addresses in ARP packets and detects signs of low-level man-in-the-middle (MITM) attacks. This type of attack in networks that use the ARP protocol is characterized by the presence of falsified ARP messages in traffic.
When the application detects signs of falsified addresses in ARP packets, the application registers the events based on Intrusion Detection technology. Events are registered with system event types that are assigned the following codes:
4000004001 – for detection of multiple ARP replies that are not associated with ARP requests.
4000004002 – for detection of multiple ARP requests from the same MAC address to different destinations.
If TCP protocol anomaly detection is enabled, Kaspersky Industrial CyberSecurity for Networks scans TCP segments of the data stream in supported application-level protocols.
When it detects packets containing overlapping TCP segments with varying contents, the application registers an event based on Intrusion Detection technology. The event is registered using the system event type that is assigned the code 4000002701.
If IP protocol anomaly detection is enabled, Kaspersky Industrial CyberSecurity for Networks scans fragmented IP packets.
When the application detects errors in the assembly of IP packets, it registers events for Intrusion Detection technology. Events are registered with system event types that are assigned the following codes:
4000005100 for detection of a data conflict when assembling an IP packet (IP fragment overlapped).
4000005101 for detection of an IP packet that exceeds the maximum permissible size (IP fragment overrun).
4000005102 for detection of an IP packet whose initial fragment is smaller than expected (IP fragment too small).
4000005103 for detection of mis-associated fragments of an IP packet.
You can apply additional Intrusion Detection methods regardless of the presence and state of Intrusion Detection rules. Embedded algorithms are used for the additional scan methods.