System event types based on Intrusion Detection technology

This article provides a description of system event types associated with Intrusion Detection technology (see the table below).

System event types based on Intrusion Detection (IDS) technology

Code

Title of event type

Registration conditions

4000002701

TCP protocol anomaly detected: content substitution in overlapping TCP segments

TCP protocol anomaly detected: packets contain overlapping TCP segments with varying contents.

4000003000

Rule from the $fileName set (system set of rules) was triggered

Intrusion Detection rule from the system set of rules is triggered.

The following variables are used in the title and description of an event type:

  • $fileName – name of the rule set.
  • $category – class of the rule.
  • $ruleName – name of the rule.
  • $signature_id – rule ID (sid).

4000003001

A rule from the $fileName set (user-defined rule set) was triggered.

Intrusion Detection rule from the user-defined rule set is triggered.

The following variables are used in the title and description of an event type:

  • $fileName – name of the rule set.
  • $category – class of the rule.
  • $ruleName – name of the rule.
  • $signature_id – rule ID (sid).
  • $action – type of network packet action defined in the rule (drop or reject actions are not supported in Kaspersky Industrial CyberSecurity for Networks).

4000003002

Signs of a brute-force attack or scan were detected

A rule for detecting a scan or brute-force attack was triggered.

In the event type description, the $ruleName variable is used for the rule name.

4000003003

Network Anomaly Detection rule was triggered

Network Anomaly Detection rule was triggered.

When an event is registered, the event receives a title, score and description from the Network Anomaly Detection rule.

4000004001

Symptoms of ARP spoofing detected in ARP replies

Signs of falsified addresses in ARP packets detected: multiple ARP replies that are not associated with ARP requests.

The following variables are used in an event type description:

  • $senderIp – substituted IP address.
  • $targetIp – IP address of the target node.
  • $attackStartTimestamp – time when the first ARP reply was detected.

4000004002

Symptoms of ARP spoofing detected in ARP requests

Signs of falsified addresses in ARP packets detected: multiple ARP requests from the same MAC address to different destinations.

The following variables are used in an event type description:

  • $senderIp – substituted IP address.
  • $targetIp – IP address of the target node.
  • $attackStartTimestamp – time when the first ARP reply was detected.

4000005100

IP protocol anomaly detected: data conflict when assembling IP packet

IP protocol anomaly detected: data does not match when overlaying fragments of an IP packet.

4000005101

IP protocol anomaly detected: fragmented IP packet size exceeded

An IP protocol anomaly was detected: the actual total size of a fragmented IP packet after assembly exceeds the acceptable limit.

4000005102

IP protocol anomaly detected: the size of the initial fragment of the IP packet is less than expected

An IP protocol anomaly was detected: the size of the initial fragment of an IP packet is less than the minimum permissible value.

4000005103

IP protocol anomaly detected: mis-associated fragments

An IP protocol anomaly was detected: fragments of an assembled IP packet contain conflicting data on the length of the fragmented packet.

4000000003

Test event (IDS)

A test network packet was detected (with rule-based Intrusion Detection enabled).

Page top