This article provides a description of system event types associated with Intrusion Detection technology (see the table below).
System event types based on Intrusion Detection (IDS) technology

| Code | Title of event type | Registration conditions |
|---|---|---|
| 4000003000 | Rule from the $fileName set (system set of rules) was triggered | An Intrusion Detection rule from the system set of rules was triggered. The following variables are used in the title and description of the event type: |
| 4000003001 | A rule from the $fileName set (user-defined rule set) was triggered | An Intrusion Detection rule from the user-defined rule set was triggered. The following variables are used in the title and description of the event type: |
| 4000003002 | Signs of a brute-force attack or scan were detected | A rule for detecting a scan or brute-force attack was triggered. In the event type description, the $ruleName variable holds the name of the rule. |
| 4000004001 | Symptoms of ARP spoofing detected in ARP replies | Signs of falsified addresses in ARP packets were detected: multiple ARP replies that do not correspond to any ARP request. The following variables are used in the event type description: |
| 4000004002 | Symptoms of ARP spoofing detected in ARP requests | Signs of falsified addresses in ARP packets were detected: multiple ARP requests from the same MAC address to different destinations. The following variables are used in the event type description: |
| 4000005100 | IP protocol anomaly detected: data conflict when assembling IP packet | An IP protocol anomaly was detected: the data of overlapping fragments of an IP packet does not match. |
| 4000005101 | IP protocol anomaly detected: fragmented IP packet size exceeded | An IP protocol anomaly was detected: the actual total size of a fragmented IP packet after reassembly exceeds the permissible limit. |
| 4000005102 | IP protocol anomaly detected: the size of the initial fragment of the IP packet is less than expected | An IP protocol anomaly was detected: the size of the initial fragment of an IP packet is less than the minimum permissible value. |
| 4000005103 | IP protocol anomaly detected: mis-associated fragments | An IP protocol anomaly was detected: the fragments of a reassembled IP packet contain conflicting data about the length of the fragmented packet. |
| 4000002701 | TCP protocol anomaly detected: content substitution in overlapping TCP segments | A TCP protocol anomaly was detected: packets contain overlapping TCP segments with differing contents. |
| 4000000003 | Test event (IDS) | A test network packet was detected (with rule-based Intrusion Detection enabled). |
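The two ARP spoofing conditions in the table (4000004001: replies that answer no request; 4000004002: one MAC requesting many destinations) can be reduced to simple stateful heuristics over an ARP trace. The following is an added example written for this page, not the product's own detection code. It assumes a minimal ARP record (opcode, sender MAC, sender IP, target IP), a constructed trace rather than a real capture, and thresholds of three unsolicited replies or three distinct requested targets; the table does not say what "multiple" means, so those numbers are assumptions.

```python
"""Added example: the two ARP spoofing indicators from the table, as detection
logic run over a constructed ARP trace. Not code from the product."""
from collections import defaultdict
from dataclasses import dataclass

ARP_REQUEST = 1
ARP_REPLY = 2

# Event codes from the table above.
ARP_SPOOF_REPLIES = "4000004001"
ARP_SPOOF_REQUESTS = "4000004002"


@dataclass(frozen=True)
class ArpPacket:
    opcode: int
    sender_mac: str
    sender_ip: str
    target_ip: str


def unsolicited_replies(packets):
    """Count ARP replies that answer no request seen earlier in the trace.

    A request from A for B's address is remembered as (A_ip, B_ip); the matching
    reply has sender_ip == B and target_ip == A. Each request satisfies one reply.
    Returns {(sender_mac, sender_ip): count} for replies with no matching request.
    """
    pending = defaultdict(int)
    unsolicited = defaultdict(int)
    for p in packets:
        if p.opcode == ARP_REQUEST:
            pending[(p.sender_ip, p.target_ip)] += 1
        elif p.opcode == ARP_REPLY:
            key = (p.target_ip, p.sender_ip)
            if pending[key] > 0:
                pending[key] -= 1
            else:
                unsolicited[(p.sender_mac, p.sender_ip)] += 1
    return dict(unsolicited)


def request_fan_out(packets):
    """Count distinct target IPs requested by each sender MAC."""
    targets = defaultdict(set)
    for p in packets:
        if p.opcode == ARP_REQUEST:
            targets[p.sender_mac].add(p.target_ip)
    return {mac: len(t) for mac, t in targets.items()}


def arp_events(packets, reply_threshold=3, request_threshold=3):
    """Return (event_code, mac) pairs the two heuristics raise for the trace.

    The thresholds are assumptions of this example; the table does not state
    how many packets count as 'multiple'.
    """
    events = []
    for (mac, _ip), n in unsolicited_replies(packets).items():
        if n >= reply_threshold:
            events.append((ARP_SPOOF_REPLIES, mac))
    for mac, n in request_fan_out(packets).items():
        if n >= request_threshold:
            events.append((ARP_SPOOF_REQUESTS, mac))
    return events


# Constructed trace for this example (not a real capture).
SAMPLE_TRACE = [
    # Legitimate exchange: host .10 asks for the gateway .1, the gateway answers.
    ArpPacket(ARP_REQUEST, "02:00:00:00:00:10", "192.168.1.10", "192.168.1.1"),
    ArpPacket(ARP_REPLY, "02:00:00:00:00:01", "192.168.1.1", "192.168.1.10"),
    # Attacker repeatedly claims the gateway address without being asked.
    ArpPacket(ARP_REPLY, "02:00:00:00:00:aa", "192.168.1.1", "192.168.1.10"),
    ArpPacket(ARP_REPLY, "02:00:00:00:00:aa", "192.168.1.1", "192.168.1.20"),
    ArpPacket(ARP_REPLY, "02:00:00:00:00:aa", "192.168.1.1", "192.168.1.30"),
    # Scanner sweeps five addresses of the subnet from one MAC.
    *[ArpPacket(ARP_REQUEST, "02:00:00:00:00:cc", "192.168.1.200", f"192.168.1.{i}")
      for i in range(50, 55)],
]

if __name__ == "__main__":
    for code, mac in arp_events(SAMPLE_TRACE):
        print(code, mac)
```

Replies are matched against requests one-to-one and in trace order, so a gratuitous reply sent before any request is counted as unsolicited even if a request for the same address arrives later; a real sensor would also expire pending requests after a timeout, which this example omits.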
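The four IP fragmentation anomalies (4000005100 to 4000005103) and the TCP overlap anomaly (4000002701) all come down to checks on how byte ranges of a reassembled stream fit together, and the IP overlap conflict and TCP overlap conflict share the same overlay test. Below is an added example written for this page, not the product's own reassembly code, that applies those checks to constructed fragment groups and TCP segments. The size limits are assumptions: a payload limit of 65535 minus a 20-byte IPv4 header, and 8 bytes as the minimum initial fragment; the table gives no numbers.

```python
"""Added example: the IP fragment reassembly and TCP overlap anomalies from the
table, as a checker run over constructed fragments. Not the product's code."""
from dataclasses import dataclass

# Event codes from the table above.
IP_OVERLAP_CONFLICT = "4000005100"
IP_TOTAL_SIZE_EXCEEDED = "4000005101"
IP_FIRST_FRAGMENT_TOO_SMALL = "4000005102"
IP_LENGTH_CONFLICT = "4000005103"
TCP_OVERLAP_CONFLICT = "4000002701"

# Assumptions of this example (the table states no numbers): 65535 is the
# maximum IPv4 total length, minus a 20-byte header for the payload limit;
# 8 bytes is the smallest initial fragment accepted here.
MAX_IP_PAYLOAD = 65535 - 20
MIN_FIRST_FRAGMENT = 8


@dataclass(frozen=True)
class Fragment:
    offset: int           # byte offset of the payload within the datagram
    payload: bytes
    more_fragments: bool  # IPv4 MF flag; False marks the last fragment


def overlay_conflicts(chunks):
    """Overlay (offset, data) chunks; return offsets where two chunks disagree."""
    seen = {}
    conflicts = set()
    for offset, data in chunks:
        for i, byte in enumerate(data):
            pos = offset + i
            if pos in seen and seen[pos] != byte:
                conflicts.add(pos)
            seen.setdefault(pos, byte)
    return sorted(conflicts)


def check_ip_fragments(fragments):
    """Return the sorted event codes raised for one reassembly group."""
    if not fragments:
        return []
    codes = set()
    if overlay_conflicts((f.offset, f.payload) for f in fragments):
        codes.add(IP_OVERLAP_CONFLICT)
    highest = max(f.offset + len(f.payload) for f in fragments)
    if highest > MAX_IP_PAYLOAD:
        codes.add(IP_TOTAL_SIZE_EXCEEDED)
    # The last fragment (MF clear) fixes the total length; two different
    # claims, or a fragment reaching beyond the claimed end, conflict.
    ends = {f.offset + len(f.payload) for f in fragments if not f.more_fragments}
    if len(ends) > 1 or (ends and highest > max(ends)):
        codes.add(IP_LENGTH_CONFLICT)
    if any(f.offset == 0 and len(f.payload) < MIN_FIRST_FRAGMENT for f in fragments):
        codes.add(IP_FIRST_FRAGMENT_TOO_SMALL)
    return sorted(codes)


def check_tcp_segments(segments):
    """segments: (sequence_number, payload) pairs from one direction of a flow."""
    return [TCP_OVERLAP_CONFLICT] if overlay_conflicts(segments) else []


# Constructed inputs for this example (not captured traffic).
CLEAN = [Fragment(0, b"A" * 16, True), Fragment(16, b"B" * 16, False)]
OVERLAP_REWRITE = [Fragment(0, b"A" * 16, True), Fragment(8, b"C" * 16, False)]
OVERSIZED = [Fragment(0, b"A" * 16, True), Fragment(65520, b"B" * 8, False)]
TINY_FIRST = [Fragment(0, b"AB", True), Fragment(2, b"C" * 8, False)]
TWO_LAST = [Fragment(0, b"A" * 16, False), Fragment(16, b"B" * 8, False)]
TCP_REWRITE = [(1000, b"GET / HTTP/1.0\r\n"), (1000, b"GET /admin HTTP/1.0\r\n")]

if __name__ == "__main__":
    for name, group in [("clean", CLEAN), ("overlap", OVERLAP_REWRITE),
                        ("oversized", OVERSIZED), ("tiny first", TINY_FIRST),
                        ("two last", TWO_LAST)]:
        print(name, check_ip_fragments(group))
    print("tcp", check_tcp_segments(TCP_REWRITE))
```

The overlay test keeps the first byte seen at each position and only reports positions where a later chunk disagrees, so identical retransmissions raise nothing; that is the distinction the table draws between overlapping segments as such and overlapping segments with differing contents.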