An Admin user must define the alerts described in this article to complement the data offered by the Security Insights application. Many of the widgets in the application are based on these alerts, and the data they represent depends directly on them. They are not only essential for the widgets, but also notify you about critical problems or unexpected situations in your network. For example, an alert triggers when the number of threats grows drastically over the last 24 hours.
These alerts are based on firewall, proxy server and web server logs. Alerts based on firewall logs are mandatory; alerts based on proxy and web logs only need to be defined if the customer is sharing proxy server and web server logs with Devo.
There are two different sets of alerts to be installed:
- Alert tier one - These are alerts directly based on firewall, web and proxy logs. The names of these alerts always start with SecInt.
- Alert tier two - These are alerts based on the alerts in tier one. The names of these alerts always start with SecIntMulti.
Some of the alerts include the threatLevel parameter, an internal value used to define the default threat level for a specific type of alert.
How to define the alerts
This process must be repeated for each of the alerts included in the list of required alerts below. Go to Create a new alert to learn more about defining alerts in Devo.
- Go to Data Search → Free text Query and paste the code of the alert. In this example, we are defining the SecIntSeveralDNS alert. Select Run when you're done.
- You are taken to the query window, which displays the aggregated data defined in the LINQ query. Select New alert definition from the toolbar, then fill the Message, Description and Alert Name as specified in the article.
- Select Create.
Alert tier one
These are alerts based directly on the firewall.all.traffic, web.all.access and proxy.all.access tables, which gather all your firewall, web and proxy logs.
This alert checks the outbound traffic to port 53, which could correspond to DNS traffic. It triggers when a user (srcIp) sends requests to more than 20 different destination servers. These are possibly DNS servers (internal cache, authoritative or root servers), but even if port 53 is being used for reasons other than DNS traffic, this is still suspicious behavior that should be notified.
Message: Several DNS servers accessed
Description: This internal IP $srcIp has accessed $totalservers different DNS servers in the last hour
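The detection logic behind this alert, as an added illustration that is not the page's own LINQ query or any Devo code: it runs over constructed firewall rows, counts distinct destination servers per source IP on port 53 within the last hour, and renders the Description above. It assumes that "outbound" means a private source IP talking to a public destination IP.

```python
from datetime import datetime, timedelta
from ipaddress import ip_address

# Constructed rows in the shape of firewall.all.traffic (not real Devo data):
# (timestamp, srcIp, dstIp, dstPort)
NOW = datetime(2024, 1, 1, 12, 0, 0)
SAMPLE_ROWS = (
    # 10.0.0.5 queries 21 distinct public servers on port 53 in the last hour
    [(NOW - timedelta(minutes=m), "10.0.0.5", f"8.8.{m}.1", 53) for m in range(21)]
    # 10.0.0.9 uses only two resolvers, repeatedly: benign
    + [(NOW - timedelta(minutes=m), "10.0.0.9", "1.1.1.1", 53) for m in range(30)]
    + [(NOW - timedelta(minutes=m), "10.0.0.9", "9.9.9.9", 53) for m in range(30)]
    # non-DNS traffic and internal-to-internal port 53 traffic are ignored
    + [(NOW - timedelta(minutes=5), "10.0.0.5", "93.184.216.34", 443)]
    + [(NOW - timedelta(minutes=5), "10.0.0.5", "10.0.0.53", 53)]
)

DESCRIPTION = "This internal IP $srcIp has accessed $totalservers different DNS servers in the last hour"


def several_dns_servers(rows, now, window=timedelta(hours=1), threshold=20):
    """Return {srcIp: totalservers} for sources exceeding the threshold."""
    servers = {}
    for ts, src, dst, port in rows:
        if port != 53 or not (now - window < ts <= now):
            continue
        # Assumption: "outbound" = private source to public destination
        if not ip_address(src).is_private or ip_address(dst).is_private:
            continue
        servers.setdefault(src, set()).add(dst)
    return {src: len(s) for src, s in servers.items() if len(s) > threshold}


def render(src_ip, total):
    """Fill the alert Description placeholders the way Devo substitutes them."""
    return DESCRIPTION.replace("$srcIp", src_ip).replace("$totalservers", str(total))
```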
This alert checks the outbound traffic that has been hidden by Tor or other tools used to anonymize IP addresses.
Message: Anonymous connection detected
Description: IP $srcIp is connecting to IP $dstIp marked as anonymous proxy
This alert checks requests that try to reach public IPs using backdoor ports. It triggers only when the connections are accepted by the firewall. The list of backdoor ports is stored in the lookup CheckBackdoorConnection, so any Admin user can modify it.
Message: Connection using backdoor port detected
Description: Accepted connection from $scrIp to the backdoor port $dstPort
This alert checks the outbound traffic to IPs identified as related to fraud by our system feeds. These feeds are updated constantly and are the result of gathering information from several public sources related to fraud.
Message: Suspicious connection to an IP related to fraud
Description: Detected connection from $srcIp to $dstIp using port $dstPort. IP $dstIp is marked as $ThreatFraud by our system
This alert checks the outbound traffic to IPs identified as related to malware by our system feeds. These feeds are updated constantly and are the result of gathering information from several public sources related to malware.
Message: Detected connection to suspicious IP related to malware
Description: Detected connection from $srcIp to $dstIp, marked as $ThreatMalware by our system
This alert checks, every 3 hours, the connections to public IPs using peer-to-peer ports, according to the list stored in the Devo internal lookup Check P2PConnection. It also reports whether the connection was accepted or denied.
Message: Peer to Peer (P2P) connection detected
Description: $action connection from $scrIp to a Peer to Peer (P2P) port
This alert checks the outbound traffic and controls the action parameter for each connection over a one-day period. The alert triggers if there is more than one action for the same connection. The action refers to the firewall rule, which can be either DENIED or ACCEPTED. A connection should only have a single action value; if it has different action values, this may indicate a firewall misconfiguration.
Message: Firewall misconfiguration
Description: Firewall $fwname misconfigured. Different rules for the same connection
This alert is triggered when a single IP tries to access too many different ports of a specific destination IP. When there are more than 100 requests in a 5-minute period, the alert is triggered because this may indicate a port scanning attempt.
Message: Possible port scan
Description: IP $srcIpStr has tested $dstPortRound different ports for the same IP in the last 10 minutes
This alert is triggered when a single IP has caused several 4xx errors in the web server in the last 10 minutes.
Message: Too many 4xx errors from the same IP
Description: The IP $sourceIP has caused $count 4xx errors in the last 10 minutes
This alert checks the method parameter of each request to the web server. It is common to perform several requests when navigating a web page, but not so common to use different methods (POST, GET, HEAD...) in those requests. This alert triggers when one user uses more than 4 different methods in 1 hour.
Message: Suspicious behavior related to HTTP methods
Description: IP $srcIp used several HTTP methods
This alert checks the user agent of each request to the web server. A single IP address does not usually use several user agents. The alert triggers when a single IP uses more than 10 different user agents in 30 minutes.
Message: Several user agents
Description: IP $srcIp used $userAgentCount different user agents during the last day
This alert checks, using a lookup, whether the URL contains a PHP WebShell file. The list of WebShell files is built from OSINT.
Message: Possible suspicious WebShell files
Description: Detected connection from IP $srcIp trying to access a possible WebShell file $UrlLimpia
This alert is triggered when an unknown HTTP method is detected.
Message: Unknown methods
Description: IP $srcIp uses unknown method $method
This alert is triggered when the URL contains robot files but the request does not come from a robot.
Message: No robot accesses robot files
Description: IP $srcIp is asking for $url that contains robot files, but the user agent is not associated with a robot.
This alert checks whether the URL contains information that could be related to password file discovery.
Message: Password files discovered
Description: Access to $url from IP $srcIp is marked as suspicious
This alert is triggered when a user tries to perform a denial-of-service (DoS) attack. Source IPs are checked every 10 minutes. If a user accesses more than 1000 different ports, this may indicate an attack and the alert is triggered.
Message: Possible DoS attack
Description: IP $sourceIP has accessed the server $count times in the last 10 minutes
This alert triggers when a user accesses 60 or more different destination servers in one hour and the proxy does not deny the connections.
Message: User accessed many different hosts
Description: User $user has accessed $dstHostRound different hosts in the last hour
This alert triggers when a user is blocked by the proxy more than 90 times in the last hour.
Message: User blocked by proxy
Description: User $user has been blocked $count times by proxy in the last hour
Alert tier two
These alerts are based on the siem.logtrust.alerts.info table, where all the alerts triggered in Devo are stored.
All these alerts contain the threatLevel parameter, an integer from 1 to 10: 1-3 means a low threat level, 4-7 medium and 8-10 high.
This alert checks for two different alerts from the same user: a user (sourceIP) that has caused one or several SecIntError4xx alerts and also one or several SecIntDoS alerts in a period of 20 minutes. The threatLevel parameter for this alert is high (8 in 10).
Message: Multi Alert: several DoS and 4xx alerts by the same IP
Description: The IP $sourceIP has caused both DoS and 4xx alerts ($count total alerts) in the last 20 minutes || sourceIP=$sourceIP,threatLevel=$threatLevel
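The "alert over an alert" correlation this tier-two alert performs, as an added illustration that is not the page's own LINQ query or any Devo code: it runs over constructed rows shaped like siem.logtrust.alerts.info, keeps only SecIntError4xx and SecIntDoS alerts from the last 20 minutes, requires both for the same sourceIP, and renders the Description above with the threatLevel of 8 the page specifies. Field names (eventdate, context, sourceIP) are assumptions.

```python
from datetime import datetime, timedelta

# Constructed rows in the shape of siem.logtrust.alerts.info (not real Devo data):
# (eventdate, context, sourceIP), where context is the tier-one alert name
NOW = datetime(2024, 1, 1, 12, 0, 0)
SAMPLE_ALERTS = [
    (NOW - timedelta(minutes=2),  "SecIntError4xx",   "203.0.113.7"),
    (NOW - timedelta(minutes=9),  "SecIntDoS",        "203.0.113.7"),
    (NOW - timedelta(minutes=15), "SecIntError4xx",   "203.0.113.7"),
    (NOW - timedelta(minutes=4),  "SecIntError4xx",   "203.0.113.8"),  # 4xx only
    (NOW - timedelta(minutes=45), "SecIntDoS",        "203.0.113.8"),  # outside window
    (NOW - timedelta(minutes=1),  "SecIntSeveralDNS", "10.0.0.5"),     # unrelated alert
]

THREAT_LEVEL = 8  # "high (8 in 10)" as stated for this alert
DESCRIPTION = ("The IP $sourceIP has caused both DoS and 4xx alerts ($count total alerts) "
               "in the last 20 minutes || sourceIP=$sourceIP,threatLevel=$threatLevel")


def dos_and_4xx_by_same_ip(alerts, now, window=timedelta(minutes=20)):
    """Return {sourceIP: count} for IPs with both alert types inside the window."""
    seen = {}
    for eventdate, context, source_ip in alerts:
        if context not in ("SecIntError4xx", "SecIntDoS"):
            continue  # only the two tier-one alerts act as the condition
        if not (now - window < eventdate <= now):
            continue  # older alerts do not count towards this window
        seen.setdefault(source_ip, []).append(context)
    return {ip: len(ctx) for ip, ctx in seen.items()
            if "SecIntError4xx" in ctx and "SecIntDoS" in ctx}


def render(source_ip, count):
    """Fill the Description placeholders, including the threatLevel suffix."""
    return (DESCRIPTION.replace("$sourceIP", source_ip)
            .replace("$count", str(count))
            .replace("$threatLevel", str(THREAT_LEVEL)))
```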
This alert is triggered when a Distributed Denial of Service (DDoS) attack is detected. It gathers several DoS alerts caused by different users (srcIP). As with all the other alerts in Security Insights, the filter parameters can be changed.
Message: Multi Alert: possible DDoS attack
Description: $count different IPs have caused denial of service alerts in the last 20 minutes || threatLevel=$threatLevel
This alert is triggered when a user (srcIP) causes more than one alert in the last hour. This is an alert over an alert: other alerts act as the condition (two alerts in this case). When the conditions are fulfilled, the new alert is triggered and also stored in the table siem.logtrust.alert.info.
Message: IP has caused several different alerts in the same hour
Description: IP $alertSrcIp has caused $contextRound different alerts in the last hour