System event types based on Intrusion Detection technology

Support

Support for business applications

Kaspersky Industrial CyberSecurity for Networks

Appendices

System event types in Kaspersky Industrial CyberSecurity for Networks

System event types based on Intrusion Detection technology

March 22, 2024

ID 187475

Get as PDF

This section provides a description of system event types associated with Intrusion Detection technology (see the table below).

System event types based on Intrusion Detection (IDS) technology

Code	Title of event type	Registration conditions
4000003000	Rule from the $fileName set (system set of rules) was triggered	An Intrusion Detection rule in the system set of rules was triggered (the rule set is in active state). The following variables are used in the title and description of an event type: $fileName – name of the rule set. $category – class of the rule. $ruleName – name of the rule. $signature_id – rule ID (sid). Kaspersky Industrial CyberSecurity for Networks version 4.0.1 additionally uses the variable $action, which refers to the type of action to take on network packets defined in the rule (the `drop` or `reject` actions are not performed in Kaspersky Industrial CyberSecurity for Networks).
4000003001	A rule from the $fileName set (user-defined rule set) was triggered.	An Intrusion Detection rule in the user-defined rule set was triggered (the rule set is in active state). The following variables are used in the title and description of an event type: $fileName – name of the rule set. $category – class of the rule. $ruleName – name of the rule. $signature_id – rule ID (sid). Kaspersky Industrial CyberSecurity for Networks version 4.0.1 additionally uses the variable $action, which refers to the type of action to take on network packets defined in the rule (the `drop` or `reject` actions are not performed in Kaspersky Industrial CyberSecurity for Networks).
4000004001	Symptoms of ARP spoofing detected in ARP replies	Signs of falsified addresses in ARP packets detected: multiple ARP replies that are not associated with ARP requests. The following variables are used in an event type description: $senderIp – substituted IP address. $targetIp – IP address of the target node. $attackStartTimestamp – time when the first ARP reply was detected.
4000004002	Symptoms of ARP spoofing detected in ARP requests	Signs of falsified addresses in ARP packets detected: multiple ARP requests from the same MAC address to different destinations. The following variables are used in an event type description: $senderIp – substituted IP address. $targetIp – IP address of the target node. $attackStartTimestamp – time when the first ARP reply was detected.
4000005100	IP protocol anomaly detected: data conflict when assembling IP packet	IP protocol anomaly detected: data does not match when overlaying fragments of an IP packet.
4000005101	IP protocol anomaly detected: fragmented IP packet size exceeded	An IP protocol anomaly was detected: the actual total size of a fragmented IP packet after assembly exceeds the acceptable limit.
4000005102	IP protocol anomaly detected: the size of the initial fragment of the IP packet is less than expected	An IP protocol anomaly was detected: the size of the initial fragment of an IP packet is less than the minimum permissible value.
4000005103	IP protocol anomaly detected: mis-associated fragments	An IP protocol anomaly was detected: fragments of an assembled IP packet contain conflicting data on the length of the fragmented packet.
4000002701	TCP protocol anomaly detected: content substitution in overlapping TCP segments	TCP protocol anomaly detected: packets contain overlapping TCP segments with varying contents.
4000000003	Test event (IDS)	A test network packet was detected (with rule-based Intrusion Detection enabled).

Did you find this article helpful?

What can we do better?

Thank you for your feedback! You're helping us improve.