System event types based on Intrusion Detection technology

This section provides a description of system event types associated with Intrusion Detection technology (see the table below).

System event types based on Intrusion Detection (IDS) technology

Code

Title of event type

Registration conditions

4000003000

A rule from the $fileName set (system set of rules) was triggered

An Intrusion Detection rule from the system set of rules matched network traffic. The event is registered only while that rule set is in the active state.

The following variables are used in the title and description of an event type:

  • $fileName – name of the rule set.
  • $category – class of the rule.
  • $ruleName – name of the rule.
  • $signature_id – rule ID (sid).

In Kaspersky Industrial CyberSecurity for Networks version 4.0.1, the variable $action is also used. It contains the action that the rule specifies for matching network packets. The value is reported for information only: Kaspersky Industrial CyberSecurity for Networks does not perform the drop or reject actions.

4000003001

A rule from the $fileName set (user-defined rule set) was triggered

An Intrusion Detection rule from the user-defined rule set matched network traffic. The event is registered only while that rule set is in the active state.

The following variables are used in the title and description of an event type:

  • $fileName – name of the rule set.
  • $category – class of the rule.
  • $ruleName – name of the rule.
  • $signature_id – rule ID (sid).

In Kaspersky Industrial CyberSecurity for Networks version 4.0.1, the variable $action is also used. It contains the action that the rule specifies for matching network packets. The value is reported for information only: Kaspersky Industrial CyberSecurity for Networks does not perform the drop or reject actions.
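
The following added example (not code from the Kaspersky Industrial CyberSecurity for Networks documentation or product) shows where the variables of events 4000003000 and 4000003001 come from when the rule sets are written in Snort/Suricata rule syntax. That syntax is an assumption: the page only states that a rule has a sid. The rule lines, the file names custom.rules and system.rules, and the helper functions parse_rule, parse_rule_set and event_for_rule are constructed for the illustration.

```python
# Added example, not code from Kaspersky Industrial CyberSecurity for Networks or
# its documentation: shows which fields of a rule populate the event variables
# $fileName, $category, $ruleName, $signature_id and $action for events
# 4000003000 and 4000003001. It assumes the rule sets use Snort/Suricata rule
# syntax (the page only says that a rule has a sid); the rule lines are constructed.
import re
from typing import Dict, List

# action proto src sport dir dst dport (options)
HEADER_RE = re.compile(
    r'^(?P<action>alert|drop|reject|pass)\s+(?P<proto>\S+)\s+'
    r'(?P<src>\S+)\s+(?P<sport>\S+)\s+(?P<dir>->|<>)\s+'
    r'(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$')
# option := name [":" value] ";"  where a quoted value may itself contain ';'
OPTION_RE = re.compile(r'(\w+)(?::\s*("(?:[^"\\]|\\.)*"|[^;]*))?\s*;')


def parse_rule(line: str) -> Dict[str, str]:
    """Parse one rule line into its header fields and options."""
    m = HEADER_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a rule: {line!r}")
    rule = {k: v for k, v in m.groupdict().items() if k != "opts"}
    for name, value in OPTION_RE.findall(m.group("opts")):
        rule[name] = value.strip('"')
    return rule


def parse_rule_set(text: str) -> List[Dict[str, str]]:
    """Parse a rule file, skipping blank lines and '#' comments."""
    return [parse_rule(line) for line in text.splitlines()
            if line.strip() and not line.lstrip().startswith("#")]


def event_for_rule(rule: Dict[str, str], file_name: str,
                   user_defined: bool) -> Dict[str, str]:
    """Build the event record for a rule hit, using the page's variable names."""
    if user_defined:
        code, set_kind = "4000003001", "user-defined rule set"
    else:
        code, set_kind = "4000003000", "system set of rules"
    return {
        "code": code,
        "title": f"A rule from the {file_name} set ({set_kind}) was triggered",
        "fileName": file_name,
        "category": rule.get("classtype", ""),   # $category     <- classtype
        "ruleName": rule.get("msg", ""),         # $ruleName     <- msg
        "signature_id": rule.get("sid", ""),     # $signature_id <- sid
        "action": rule["action"],                # $action: informational only,
    }                                            # drop/reject are not enforced


# Constructed rule lines, not taken from any shipped rule set.
SAMPLE_RULES = """
# ICS examples
alert tcp any any -> 192.168.10.0/24 502 (msg:"Modbus write single coil"; classtype:attempted-admin; sid:1000001; rev:1;)
drop tcp any any -> any 22 (msg:"SSH session to PLC; review"; classtype:policy-violation; sid:1000002; rev:2;)
"""

if __name__ == "__main__":
    for rule in parse_rule_set(SAMPLE_RULES):
        print(event_for_rule(rule, "custom.rules", user_defined=True))
```

Note that $action is taken from the rule header as written (drop in the second sample rule) even though, as stated above, Kaspersky Industrial CyberSecurity for Networks does not drop or reject packets; a rule author who relies on the drop action for enforcement should treat the resulting event as an alert only.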

4000004001

Symptoms of ARP spoofing detected in ARP replies

Signs of address spoofing in ARP packets were detected: multiple ARP replies were observed that do not answer any preceding ARP request (unsolicited replies).

The following variables are used in an event type description:

  • $senderIp – the spoofed IP address, that is, the sender IP address claimed in the ARP replies.
  • $targetIp – IP address of the target node.
  • $attackStartTimestamp – time when the first ARP reply was detected.

4000004002

Symptoms of ARP spoofing detected in ARP requests

Signs of address spoofing in ARP packets were detected: multiple ARP requests were sent from the same MAC address to different target nodes.

The following variables are used in an event type description:

  • $senderIp – the spoofed IP address, that is, the sender IP address claimed in the ARP requests.
  • $targetIp – IP address of the target node.
  • $attackStartTimestamp – time when the first ARP request was detected.
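
The two conditions above, as an added example that is not part of the Kaspersky Industrial CyberSecurity for Networks documentation or product: a toy detector that applies both heuristics to a constructed ARP packet list and emits event records with the variables listed above. The thresholds (three unsolicited replies, three distinct targets), the 10-second request-matching window, the ArpPacket record and the use of the first target address as $targetIp for the request-based event are assumptions.

```python
# Added example, not code from Kaspersky Industrial CyberSecurity for Networks or
# its documentation: a toy implementation of the two ARP spoofing heuristics
# described for events 4000004001 and 4000004002. The thresholds, the request
# matching window, the packet records and the choice of $targetIp for the
# request-based event are assumptions made for this illustration.
from dataclasses import dataclass
from typing import Dict, List, Tuple

ARP_REQUEST = 1   # ARP opcode values from the ARP header
ARP_REPLY = 2


@dataclass(frozen=True)
class ArpPacket:
    ts: float        # capture time in seconds
    op: int          # ARP opcode: ARP_REQUEST or ARP_REPLY
    sender_mac: str  # sender hardware address
    sender_ip: str   # sender protocol address (the field an attacker forges)
    target_ip: str   # target protocol address


def detect_arp_spoofing(packets: List[ArpPacket],
                        reply_threshold: int = 3,
                        request_threshold: int = 3,
                        window: float = 10.0) -> List[Dict]:
    """Return one event dict per detected condition, keyed like the page's variables.

    4000004001: `reply_threshold` replies from sender_ip to target_ip for which no
                matching request was seen within `window` seconds.
    4000004002: one MAC address sending requests to `request_threshold` or more
                different target addresses.
    """
    events: List[Dict] = []
    pending: Dict[Tuple[str, str], float] = {}     # (requester_ip, requested_ip) -> ts
    unsolicited: Dict[Tuple[str, str], Dict] = {}  # (sender_ip, target_ip) -> stats
    by_mac: Dict[str, Dict] = {}                   # sender_mac -> distinct targets
    reported = set()                               # suppress duplicate events

    for p in sorted(packets, key=lambda x: x.ts):
        if p.op == ARP_REQUEST:
            pending[(p.sender_ip, p.target_ip)] = p.ts
            rec = by_mac.setdefault(p.sender_mac, {
                "targets": set(), "sender_ip": p.sender_ip,
                "first_target": p.target_ip, "first_ts": p.ts})
            rec["targets"].add(p.target_ip)
            key = ("4000004002", p.sender_mac)
            if len(rec["targets"]) >= request_threshold and key not in reported:
                reported.add(key)
                events.append({"code": "4000004002",
                               "senderIp": rec["sender_ip"],
                               "targetIp": rec["first_target"],
                               "attackStartTimestamp": rec["first_ts"]})
        elif p.op == ARP_REPLY:
            # A solicited reply answers a request with the roles reversed: the
            # requester is now the target and the address it asked for is the sender.
            req_key = (p.target_ip, p.sender_ip)
            req_ts = pending.get(req_key)
            if req_ts is not None and p.ts - req_ts <= window:
                del pending[req_key]   # consume the request; this reply is legitimate
                continue
            rec = unsolicited.setdefault((p.sender_ip, p.target_ip),
                                         {"count": 0, "first_ts": p.ts})
            rec["count"] += 1
            key = ("4000004001", p.sender_ip, p.target_ip)
            if rec["count"] >= reply_threshold and key not in reported:
                reported.add(key)
                events.append({"code": "4000004001",
                               "senderIp": p.sender_ip,
                               "targetIp": p.target_ip,
                               "attackStartTimestamp": rec["first_ts"]})
    return events


# Constructed sample traffic: a legitimate request/reply pair for the gateway
# 10.0.0.1, then a host with MAC ...:ee claiming 10.0.0.1 in three unsolicited
# replies to 10.0.0.5 and in requests sent to three different hosts.
SAMPLE_PACKETS = [
    ArpPacket(1.0, ARP_REQUEST, "00:11:22:33:44:05", "10.0.0.5", "10.0.0.1"),
    ArpPacket(1.1, ARP_REPLY,   "00:11:22:33:44:01", "10.0.0.1", "10.0.0.5"),
    ArpPacket(2.0, ARP_REPLY,   "00:11:22:33:44:ee", "10.0.0.1", "10.0.0.5"),
    ArpPacket(2.5, ARP_REPLY,   "00:11:22:33:44:ee", "10.0.0.1", "10.0.0.5"),
    ArpPacket(3.0, ARP_REPLY,   "00:11:22:33:44:ee", "10.0.0.1", "10.0.0.5"),
    ArpPacket(4.0, ARP_REQUEST, "00:11:22:33:44:ee", "10.0.0.1", "10.0.0.10"),
    ArpPacket(4.1, ARP_REQUEST, "00:11:22:33:44:ee", "10.0.0.1", "10.0.0.11"),
    ArpPacket(4.2, ARP_REQUEST, "00:11:22:33:44:ee", "10.0.0.1", "10.0.0.12"),
]

if __name__ == "__main__":
    for event in detect_arp_spoofing(SAMPLE_PACKETS):
        print(event)
```

Running the block yields one 4000004001 event (sender 10.0.0.1, target 10.0.0.5, attack start 2.0) and one 4000004002 event (sender 10.0.0.1, first target 10.0.0.10, attack start 4.0). Fixed thresholds like these also fire on gratuitous ARP announcements and on hosts that legitimately resolve many neighbours, so a real deployment needs a baseline of known MAC-to-IP bindings and tuning of the window.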

4000005100

IP protocol anomaly detected: data conflict when assembling IP packet

IP protocol anomaly detected: overlapping fragments of the same IP packet carry different data at the same offset.

4000005101

IP protocol anomaly detected: fragmented IP packet size exceeded

An IP protocol anomaly was detected: the total size of a fragmented IP packet after reassembly exceeds the maximum permissible value.

4000005102

IP protocol anomaly detected: the size of the initial fragment of the IP packet is less than expected

An IP protocol anomaly was detected: the size of the initial fragment of an IP packet is less than the minimum permissible value.

4000005103

IP protocol anomaly detected: mis-associated fragments

An IP protocol anomaly was detected: fragments attributed to the same IP packet carry conflicting information about the total length of the fragmented packet (for example, more than one fragment is marked as the last fragment).

4000002701

TCP protocol anomaly detected: content substitution in overlapping TCP segments

TCP protocol anomaly detected: the packets contain TCP segments whose sequence ranges overlap but whose contents differ, so the reassembled stream depends on which segment is kept.
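
The checks for the four IP fragment anomalies (4000005100 to 4000005103) and the TCP overlapping-segment anomaly (4000002701), as one added example that is not part of the Kaspersky Industrial CyberSecurity for Networks documentation or product. It runs over constructed fragment groups and TCP segments; the 8-byte minimum for the initial fragment, the 65,535-byte reassembly limit (the largest IPv4 total length) and the Fragment record are assumptions, since the page does not state the product's own limits.

```python
# Added example, not code from Kaspersky Industrial CyberSecurity for Networks or
# its documentation: checks that reproduce the four IP fragment anomalies
# (4000005100 to 4000005103) and the TCP overlapping-segment anomaly (4000002701)
# on constructed fragment groups. The minimum first-fragment size and the
# per-datagram limit are assumptions; the page does not state the product's values.
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple


@dataclass(frozen=True)
class Fragment:
    offset: int           # byte offset in the original datagram (the IPv4 header
                          # stores this in 8-byte units; already multiplied out here)
    data: bytes           # payload carried by this fragment
    more_fragments: bool  # MF flag; clear on the fragment that ends the datagram


def overlap_conflict(chunks: Sequence[Tuple[int, bytes]]) -> Optional[int]:
    """Return the first absolute position where two overlapping chunks carry
    different bytes, or None. Works for IP fragments (offset) and TCP segments
    (sequence number) alike; a dict per byte is fine for illustration sizes."""
    seen = {}
    for start, data in sorted(chunks, key=lambda c: c[0]):
        for i, value in enumerate(data):
            pos = start + i
            if pos in seen and seen[pos] != value:
                return pos
            seen[pos] = value
    return None


def check_ip_fragments(frags: Sequence[Fragment],
                       max_total: int = 65535,
                       min_first_fragment: int = 8) -> List[str]:
    """Return the event codes that apply to one group of fragments of a datagram."""
    if not frags:
        return []
    codes: List[str] = []
    if overlap_conflict([(f.offset, f.data) for f in frags]) is not None:
        codes.append("4000005100")          # overlapping fragments disagree
    highest_end = max(f.offset + len(f.data) for f in frags)
    if highest_end > max_total:
        codes.append("4000005101")          # reassembled size over the limit
    first = next((f for f in frags if f.offset == 0), None)
    if first is not None and len(first.data) < min_first_fragment:
        codes.append("4000005102")          # initial fragment too small
    # The fragment with MF clear declares the datagram length. Two such
    # fragments, or data beyond the declared end, make the length ambiguous.
    declared_ends = {f.offset + len(f.data) for f in frags if not f.more_fragments}
    if len(declared_ends) > 1 or (declared_ends and highest_end > max(declared_ends)):
        codes.append("4000005103")          # conflicting length information
    return codes


def check_tcp_segments(segments: Sequence[Tuple[int, bytes]]) -> List[str]:
    """segments are (sequence number, payload) pairs of one TCP stream."""
    return ["4000002701"] if overlap_conflict(segments) is not None else []


# Constructed fragment groups, one per anomaly, plus a clean one.
CLEAN = [Fragment(0, b"A" * 16, True), Fragment(16, b"B" * 16, False)]
OVERLAP_CONFLICT = [Fragment(0, b"A" * 16, True), Fragment(8, b"B" * 16, False)]
OVERSIZE = [Fragment(0, b"A" * 16, True), Fragment(65528, b"B" * 16, False)]
TINY_FIRST = [Fragment(0, b"A" * 4, True), Fragment(4, b"B" * 20, False)]
LENGTH_CONFLICT = [Fragment(0, b"A" * 16, True), Fragment(16, b"B" * 16, False),
                   Fragment(32, b"C" * 16, False)]
# Two TCP segments whose sequence ranges overlap with different content: the
# request an IDS reassembles may differ from what the endpoint accepts.
TCP_SUBSTITUTION = [(1000, b"GET /index.html"), (1004, b"/admin.html")]

if __name__ == "__main__":
    for name, group in [("clean", CLEAN), ("overlap", OVERLAP_CONFLICT),
                        ("oversize", OVERSIZE), ("tiny first", TINY_FIRST),
                        ("length conflict", LENGTH_CONFLICT)]:
        print(name, check_ip_fragments(group))
    print("tcp", check_tcp_segments(TCP_SUBSTITUTION), overlap_conflict(TCP_SUBSTITUTION))
```

The same overlap_conflict helper serves both the IP and the TCP check: in both cases the anomaly is that two pieces claim the same byte positions with different content, so an IDS and the receiving host may reassemble different data depending on whose overlap policy wins (first or last fragment or segment). CLEAN produces no code, each other group produces exactly its own code, and the TCP pair conflicts at sequence number 1005.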

4000000003

Test event (IDS)

A test network packet was detected (with rule-based Intrusion Detection enabled).
