This section provides a description of system event types associated with Intrusion Detection technology (see the table below).
System event types based on Intrusion Detection (IDS) technology
Code of event type |
Event title |
Severity |
Registration conditions |
---|---|---|---|
4000003000 |
Rule from the $fileName set (system set of rules) was triggered |
Determined based on the rule priority |
An Intrusion Detection rule in the system set of rules was triggered (the rule set is in active state). The following variables are used in the title and description of an event type:
|
4000003001 |
A rule from the $fileName set (custom set of rules) was triggered. |
Determined based on the rule priority |
An Intrusion Detection rule in the custom set of rules was triggered (the rule set is in active state). The following variables are used in the title and description of an event type:
|
4000004001 |
Symptoms of ARP spoofing detected in ARP replies |
Critical |
Signs of falsified addresses in ARP packets detected: multiple ARP replies that are not associated with ARP requests. The following variables are used in an event type description:
|
4000004002 |
Symptoms of ARP spoofing detected in ARP requests |
Critical |
Signs of falsified addresses in ARP packets detected: multiple ARP requests from the same MAC address to different destinations. The following variables are used in an event type description:
|
4000005100 |
IP protocol anomaly detected: data conflict when assembling IP packet |
Critical |
IP protocol anomaly detected: data does not match when overlaying fragments of an IP packet. |
4000005101 |
IP protocol anomaly detected: fragmented IP packet size exceeded |
Critical |
An IP protocol anomaly was detected: the actual total size of a fragmented IP packet after assembly exceeds the acceptable limit. |
4000005102 |
IP protocol anomaly detected: the size of the initial fragment of the IP packet is less than expected |
Critical |
An IP protocol anomaly was detected: the size of the initial fragment of an IP packet is less than the minimum permissible value. |
4000005103 |
IP protocol anomaly detected: mis-associated fragments |
Warning |
An IP protocol anomaly was detected: fragments of an assembled IP packet contain conflicting data on the length of the fragmented packet. |
4000002701 |
TCP protocol anomaly detected: content substitution in overlapping TCP segments |
Critical |
TCP protocol anomaly detected: packets contain overlapping TCP segments with varying contents. |
4000000003 |
Test event (IDS) |
Informational |
A test network packet was detected (with rule-based Intrusion Detection enabled). |