IDSTrojanAlert
ID: 100016
Description:
IDS Trojan alert
Repository: Group: SourceFire Type: event
Default Status:
Disabled
| Tags: |
|---|
Selector:
Query:
@tags:(SFIMS OR SFDC)
Filters:
| Field | MUST hit |
|---|---|
| @fields.classification | A Network Trojan was Detected |
| Field | MUST NOT hit |
|---|---|
Behavior Rule:
| Key | Type | Behavior Category |
|---|---|---|
| @fields.sip | ip | security alert |
Risks:
| Risks | Base Score | Dimension |
|---|---|---|
| ALERT_MALWARE | 800 | alert |
Attributes:
| Alias | Key |
|---|---|
| Classification | @fields.classification |
| SignatureID | @fields.sid |
| DestinationIP | @fields.dip |
| SourceIP | @fields.sip |
| DestinationPort | @fields.dport |
| Impact | @fields.impact |
| Message | @fields.msg |
| Protocol | @fields.protocol |
| DestniationCountry | @fields.dCountry |
| SourceCountry | @fields.sCountry |
| SourcePort | @fields.sport |
| From | @fields.from |
Correlation Rules:
First Occurrence:
| Name | Window | Fields |
|---|---|---|
| NewAlert | 10 days | @fields.sid |
| Risks: | ML_NEW_ALERT | |
| NewIP | 10 days | @fields.sip |
| Risks: | ML_NEW_ASSET | |
| NewCountry | 10 days | @fields.dCountry |
| Risks: | ML_NEW_GEO_COUNTRY |
History:
| User | Date | | :— | :— | | — | — |
This page was automatically created/formatted on Wed, 2022 May 4 21:43:53 EDT, from rule_dump.json (4d88bffdfb1cea26b3985f2193033606)