Intrusions

Use the IBM® Security QRadar® Intrusions Content Extension to focus on intrusion detection.

Important: To avoid content errors in this content extension, keep the associated DSMs up to date. DSMs are updated as part of the automatic updates. If automatic updates are not enabled, download the most recent version of the associated DSMs from IBM Fix Central (https://www.ibm.com/support/fixcentral).

IBM Security QRadar Intrusions Content Extension

The IBM Security QRadar Intrusions Content Extension has been removed from Fix Central. Its rules are now available in the following content extensions.
  • IBM Security QRadar Compliance Content Extension
  • IBM Security QRadar Endpoint Content Extension
  • IBM Security QRadar Threat Monitoring Content Extension
  • IBM Security QRadar Network Anomaly Content Extension

The following list shows the rules added to the IBM Security QRadar Compliance Content Extension.

  • BB:CategoryDefinition: Countries/Regions with no Remote Access
  • Excessive Firewall Accepts From Multiple Sources to a Single Destination

The following list shows the rules added to the IBM Security QRadar Endpoint Content Extension.

  • Remote: Remote Desktop Access from the Internet
  • BB:Threats: Remote Access Violations: Remote Desktop Access from Remote Hosts - UUID SYSTEM-1055 (New name - BB:BehaviorDefinition: Remote Desktop Access from a Remote Host)
  • BB:Threats: Remote Access Violations: VNC Activity from Remote Hosts - UUID SYSTEM-1056 (New name - BB:BehaviorDefinition: VNC Activity from a Remote Host)
  • Remote: VNC Access from the Internet to a Local Host - UUID SYSTEM-1108 (New name - Remote: VNC Access from the Internet)

The following list shows the rules added to the IBM Security QRadar Threat Monitoring Content Extension.

  • BB:CategoryDefinition: Countries/Regions with no Remote Access
  • BB:CategoryDefinition: Database Access Denied
  • BB:CategoryDefinition: Malware Annoyances
  • BB:CategoryDefinition: Virus Detected
  • BB:CategoryDefinition: Worm Events
  • BB:FalseNegative: Events That Indicate Successful Compromise
  • BB:NetworkDefinition: Undefined IP Space
  • BB:NetworkDefinition: Watch List Addresses
  • Exploit Followed by Suspicious Host Activity
  • Exploit/Malware Events Across Multiple Destinations
  • Exploit: Exploits Followed by Firewall Accepts
  • Multiple Vector Attack Source
  • Source Vulnerable to any Exploit
  • Source Vulnerable to this Exploit
  • 100% Accurate Events - UUID SYSTEM-1459 (New name - Successful Signature Compromise)

The following list shows the rules added to the IBM Security QRadar Network Anomaly Content Extension.

  • Anomaly: DMZ Jumping
  • Remote: Possible Tunneling

IBM Security QRadar Intrusions Content Extension V1.0.4

The following table shows the rule that was updated in IBM Security QRadar Intrusions Content Extension V1.0.4.

Table 1. Rules and Building Blocks in IBM Security QRadar Intrusions Content Extension V1.0.4
Name | Description
Excessive Firewall Accepts From Multiple Sources to a Single Destination | Changed the name from Anomaly: Excessive Firewall Accepts From Multiple Sources to a Single Destination.

The following rules and building blocks are removed in IBM Security QRadar Intrusions Content Extension V1.0.4 because they are now included in IBM Security QRadar by default.

  • BB:BehaviorDefinition: Compromise Activities
  • BB:CategoryDefinition: Authentication Failures
  • BB:CategoryDefinition: Authentication to Disabled Account
  • BB:CategoryDefinition: Authentication to Expired Account
  • BB:CategoryDefinition: DDoS Attack Events
  • BB:CategoryDefinition: Exploits Backdoors and Trojans
  • BB:CategoryDefinition: Firewall or ACL Accept
  • BB:CategoryDefinition: Firewall or ACL Denies
  • BB:CategoryDefinition: Key Loggers
  • BB:CategoryDefinition: Mail Policy Violation
  • BB:CategoryDefinition: Network DoS Attack
  • BB:CategoryDefinition: Post DMZ Jump
  • BB:CategoryDefinition: Post Exploit Account Activity
  • BB:CategoryDefinition: Pre DMZ Jump
  • BB:CategoryDefinition: Recon Event Categories
  • BB:CategoryDefinition: Recon Events
  • BB:CategoryDefinition: Recon Flows
  • BB:CategoryDefinition: Service DoS
  • BB:CategoryDefinition: Successful Communication
  • BB:Database: System Action Deny
  • BB:DeviceDefinition: Database
  • BB:DeviceDefinition: FW / Router / Switch
  • BB:HostDefinition: Database Servers
  • BB:HostReference: Database Servers
  • BB:NetworkDefinition: Darknet Addresses
  • BB:NetworkDefinition: DMZ Addresses
  • BB:NetworkDefinition: Honeypot like Addresses
  • BB:PortDefinition: Common Worm Ports
  • BB:PortDefinition: Database Ports
  • BB:Threats: Port Scans: Host Scans
  • BB:Threats: Port Scans: UDP Port Scan
  • BB:Threats: Scanning: Empty Responsive Flows High
  • BB:Threats: Scanning: Empty Responsive Flows Low
  • BB:Threats: Scanning: Empty Responsive Flows Medium
  • BB:Threats: Scanning: ICMP Scan High
  • BB:Threats: Scanning: ICMP Scan Low
  • BB:Threats: Scanning: ICMP Scan Medium
  • BB:Threats: Scanning: Potential Scan
  • BB:Threats: Scanning: Scan High
  • BB:Threats: Scanning: Scan Low
  • BB:Threats: Scanning: Scan Medium
  • BB:Threats: Suspicious IP Protocol Usage: Large DNS Packets
  • BB:Threats: Suspicious IP Protocol Usage: Large ICMP Packets
  • Destination Vulnerable to Detected Exploit
  • Destination Vulnerable to Detected Exploit on a Different Port
  • Malware or Virus Clean Failed


IBM Security QRadar Intrusions Content Extension V1.0.3

The following table shows the rules and building blocks in IBM Security QRadar Intrusions Content Extension V1.0.3.

Table 2. Rules and Building Blocks in IBM Security QRadar Intrusions Content Extension V1.0.3
Type | Name | Description
Rule | Destination Vulnerable to Detected Exploit | Detects an attack against a vulnerable local destination, where the host is known to exist, and the host is vulnerable to the attack.
Rule | Destination Vulnerable to Detected Exploit on a Different Port | Detects an attack against a vulnerable local destination host, where the host is known to exist, and the host is vulnerable to the attack on a different port.
Rule | Destination Vulnerable to Different Exploit than Attempted on Targeted Port | Detects an attack against a vulnerable local destination host, where the host is known to exist, and the host is vulnerable to some attack but not the one being attempted.

The following table shows the reference data in IBM Security QRadar Intrusions Content Extension V1.0.3.

Table 3. Reference Data in IBM Security QRadar Intrusions Content Extension V1.0.3
Type | Name | Description
Reference Set | Database Servers | List of database IP addresses.


IBM Security QRadar Intrusions Content Extension V1.0.2

The following table shows the rules and building blocks that are updated in IBM Security QRadar Intrusions Content Extension V1.0.2.

Table 4. Rules and Building Blocks in IBM Security QRadar Intrusions Content Extension V1.0.2
Type | Name | Description
Building Block | BB:DeviceDefinition: FW / Router / Switch | Updated building block with FW/Router/Switch devices.
Building Block | BB:DeviceDefinition: Database | Updated building block with database devices.
Building Block | BB:CategoryDefinition: Authentication to Disabled Account | Added the following QIDs:
  • 5001948: Failure Audit: An account failed to log on: Account Disabled
  • 5001959: An account failed to log on: Account Disabled
  • 5001954: Failure Audit: An account failed to log on: User Locked Out
  • 5001965: An account failed to log on: User Locked Out
  • 5001949: Failure Audit: An account failed to log on: Account Expired
  • 5001960: An account failed to log on: Account Expired
  • 5001951: Failure Audit: An account failed to log on: Logon Outside Normal Time
  • 5001962: An account failed to log on: Logon Outside Normal Time
Rule | Malware or Virus Clean Failed | New QIDs added to the rule:
  • 42002833: Security risk found, Actual action: All actions failed
  • 42002836: Security risk found, Actual action: Left alone
  • 42002845: Virus Detected, Actual action: Left alone
  • 42003869: Virus Detected, Actual action: Actions failed


IBM Security QRadar Intrusions Content Extension V1.0.1

The following table shows the rules and building blocks in IBM Security QRadar Intrusions Content Extension V1.0.1.

Table 5. Building Blocks in IBM Security QRadar Intrusions Content Extension V1.0.1
Type | Name | Description
Building Block | BB:CategoryDefinition: Authentication to Disabled Account | Added QID 5000475: Failure Audit: An account failed to log on.
Building Block | BB:DeviceDefinition: FW / Router / Switch | No updates. Dependent on another rule and must be included in the extension framework.
Rule | Exploit: Exploits Followed by Firewall Accepts | Added the rule test BB:DeviceDefinition: FW/Router/Switch to the rule.
Rule | Anomaly: DMZ Jumping | Added the rule test BB:DeviceDefinition: FW/Router/Switch to the rule.
Rule | Anomaly: Excessive Firewall Accepts From Multiple Sources to a Single Destination | Added the rule test BB:DeviceDefinition: FW/Router/Switch to the rule.
Rule | Exploit: Destination Vulnerable to Detected Exploit on a Different Port | Updated the user interface name and the rule text description.


IBM Security QRadar Intrusions Content Extension V1.0.0

The IBM Security QRadar Intrusions Content Extension V1.0.0 adds the Database Servers reference set to QRadar.

The following rules and building blocks are included in IBM Security QRadar Intrusions Content Extension V1.0.0.

Type | Name | Description
Building Block | BB:BehaviorDefinition: Compromise Activities | Edit this building block to include categories that are considered to be part of events seen during typical compromises.
Building Block | BB:CategoryDefinition: Authentication Failures | Edit this building block to include all events that indicate an unsuccessful attempt to access the network.
Building Block | BB:CategoryDefinition: Authentication to Disabled Account | Edit this building block to include all events that indicate failed attempts to access the network using a disabled account.
Building Block | BB:CategoryDefinition: Authentication to Expired Account | Edit this building block to include all events that indicate failed attempts to access the network using an expired account.
Building Block | BB:CategoryDefinition: Countries/Regions with no Remote Access | Edit this building block to include any geographic location that typically would not be allowed remote access to the enterprise. Once configured, you can enable the Anomaly: Remote Access from Foreign Country/Region rule.
Building Block | BB:CategoryDefinition: Database Access Denied | Identifies database events that are considered denied access.
Building Block | BB:CategoryDefinition: DDoS Attack Events | Edit this building block to include all event categories that you wish to categorize as a DDoS attack.
Building Block | BB:CategoryDefinition: Exploits Backdoors and Trojans | Edit this building block to include all events that are typically exploits, backdoors, or trojans.
Building Block | BB:CategoryDefinition: Firewall or ACL Accept | Edit this building block to include all events that indicate access to the firewall.
Building Block | BB:CategoryDefinition: Firewall or ACL Denies | Edit this building block to include all events that indicate unsuccessful attempts to access the firewall.
Building Block | BB:CategoryDefinition: Key Loggers | Edit this building block to include all events associated with the monitoring of user activities through a key logger.
Building Block | BB:CategoryDefinition: Mail Policy Violation | Edit this building block to include anything you would consider to be a mail-based policy violation. An example might be outbound traffic on port 25 not originating from a mail server.
Building Block | BB:CategoryDefinition: Malware Annoyances | Edit this building block to include event categories that are typically associated with spyware infections.
Building Block | BB:CategoryDefinition: Network DoS Attack | Edit this building block to include all event categories that you wish to categorize as a network DoS attack.
Building Block | BB:CategoryDefinition: Post DMZ Jump | Identifies actions that may be seen within a DMZ jumping scenario. It is used mainly by the Anomaly: DMZ Jumping and Anomaly: DMZ Reverse Tunnel rules.
Building Block | BB:CategoryDefinition: Post Exploit Account Activity | Identifies events that generally happen after an exploit.
Building Block | BB:CategoryDefinition: Pre DMZ Jump | Identifies actions that may be seen within a DMZ jumping scenario. It is used mainly by the Anomaly: DMZ Jumping and Anomaly: DMZ Reverse Tunnel rules.
Building Block | BB:CategoryDefinition: Recon Event Categories | Edit this building block to include all events that indicate reconnaissance activity.
Building Block | BB:CategoryDefinition: Recon Events | Edit this building block to include all events that indicate reconnaissance activity.
Building Block | BB:CategoryDefinition: Recon Flows | Edit this building block to include all events that indicate suspicious activity.
Building Block | BB:CategoryDefinition: Service DoS | Edit this building block to define Denial of Service (DoS) attack events.
Building Block | BB:CategoryDefinition: Successful Communication | Defines flows which are typical of a successful communication. If you are paranoid, you may wish to drop the ratio to 64 bytes/packet; however, this will cause a lot of false positives and may require further tuning using flags and other properties.
Building Block | BB:CategoryDefinition: Virus Detected | This building block defines all virus detection events.
Building Block | BB:CategoryDefinition: Worm Events | Edit this building block to define worm events. This building block only applies to events not detected by a custom rule.
Building Block | BB:Database: System Action Deny | Edit this building block to include any events that indicate unsuccessful actions within a database.
Building Block | BB:DeviceDefinition: Database | This building block defines all databases on the system.
Building Block | BB:DeviceDefinition: FW / Router / Switch | This building block defines all firewalls, routers, and switches on the system.
Building Block | BB:FalseNegative: Events That Indicate Successful Compromise | Defines events which indicate a successful compromise. These events generally have 100% accuracy.
Building Block | BB:HostDefinition: Database Servers | Edit this building block to define typical database servers. This building block is used in conjunction with the BB:FalsePositive: Database Server False Positive Categories and BB:FalsePositive: Database Server False Positive Events building blocks.
Building Block | BB:HostReference: Database Servers | 
Building Block | BB:NetworkDefinition: Darknet Addresses | Edit this building block to include networks which should be added into a darknet list.
Building Block | BB:NetworkDefinition: DMZ Addresses | Edit this building block to include addresses that are included in the DMZ.
Building Block | BB:NetworkDefinition: Honeypot like Addresses | Edit this building block by replacing the other network with network objects defined in your network hierarchy that are currently not in use in your network or are used in a honeypot or tarpit installation. Once these have been defined, you must enable the Anomaly: Potential Honeypot Access rule. You must also add a security/policy sentry to these network objects to generate events based on attempted access.
Building Block | BB:NetworkDefinition: Undefined IP Space | Edit this building block to include areas of your network that do not contain any valid hosts.
Building Block | BB:NetworkDefinition: Watch List Addresses | Edit this building block to include networks which should be added into a watch list.
Building Block | BB:PortDefinition: Common Worm Ports | Defines ports that generally are not seen in local to remote traffic.
Building Block | BB:PortDefinition: Database Ports | Edit this building block to include all common database ports.
Building Block | BB:Threats: Port Scans: Host Scans | Identifies potential reconnaissance by flows.
Building Block | BB:Threats: Port Scans: UDP Port Scan | Identifies UDP-based port scans.
Building Block | BB:Threats: Remote Access Violations: Remote Desktop Access from Remote Hosts | Identifies flows where a remote desktop application is being accessed from a remote host.
Building Block | BB:Threats: Remote Access Violations: VNC Activity from Remote Hosts | Identifies flows where a VNC service is being accessed from a remote host.
Building Block | BB:Threats: Scanning: Empty Responsive Flows High | This building block detects potential reconnaissance activity where the source packet count is greater than 100,000.
Building Block | BB:Threats: Scanning: Empty Responsive Flows Low | This building block detects potential reconnaissance activity where the source packet count is greater than 500.
Building Block | BB:Threats: Scanning: Empty Responsive Flows Medium | This building block detects potential reconnaissance activity where the source packet count is greater than 5,000.
Building Block | BB:Threats: Scanning: ICMP Scan High | Identifies a high level of ICMP reconnaissance.
Building Block | BB:Threats: Scanning: ICMP Scan Low | Identifies a low level of ICMP reconnaissance.
Building Block | BB:Threats: Scanning: ICMP Scan Medium | Identifies a medium level of ICMP reconnaissance.
Building Block | BB:Threats: Scanning: Potential Scan | Identifies potential reconnaissance by flows.
Building Block | BB:Threats: Scanning: Scan High | Identifies a high level of potential reconnaissance.
Building Block | BB:Threats: Scanning: Scan Low | Identifies a low level of potential reconnaissance.
Building Block | BB:Threats: Scanning: Scan Medium | Identifies a medium level of potential reconnaissance.
Building Block | BB:Threats: Suspicious IP Protocol Usage: Large DNS Packets | Identifies flows with abnormally large DNS packets.
Building Block | BB:Threats: Suspicious IP Protocol Usage: Large ICMP Packets | Identifies flows with abnormally large ICMP packets.
Rule | 100% Accurate Events | Creates an offense when an event matches a 100% accurate signature for successful compromises.
Rule | Anomaly: DMZ Jumping | This rule fires when connections seem to be bridged across the network's DMZ.
Rule | Anomaly: Excessive Firewall Accepts From Multiple Sources to a Single Destination | Reports excessive firewall accepts to the same destination from at least 100 unique source IP addresses in 5 minutes.
Rule | Destination Vulnerable to Detected Exploit | Detects an attack against a vulnerable local destination, where the host is known to exist, and the host is vulnerable to the attack.
Rule | Exploit Followed by Suspicious Host Activity | Reports an exploit or attack type activity from a source IP address followed by suspicious account activity on the same destination host within 15 minutes of the original event.
Rule | Exploit: Destination Vulnerable to Detected Exploit on a Different Port | Reports an attack against a vulnerable local destination host, where the host is known to exist, and the host is vulnerable to the attack on a different port.
Rule | Exploit: Exploits Followed by Firewall Accepts | Detects when exploit or attack events are followed by firewall accept events, which may indicate a successful attack.
Rule | Exploit/Malware Events Across Multiple Destinations | Reports a source IP address generating multiple (at least 5) exploit or malicious software (malware) events in the last 5 minutes. These events are not targeting hosts that are vulnerable and may indicate false positives generated by a device.
Rule | Malware or Virus Clean Failed | The system detected a virus and failed to clean or remove it.
Rule | Multiple Vector Attack Source | Detects when a source host tries multiple attack vectors, which may indicate that the source host is specifically targeting an asset.
Rule | Remote: Possible Tunneling | Detects possible tunneling, which can indicate a bypass of policy, or an infected system.
Rule | Remote: Remote Desktop Access from the Internet | Detects the Microsoft Remote Desktop Protocol from the internet to a local host. Most companies consider this a violation of corporate policy. If this is normal activity on your network, you should disable this rule.
Rule | Remote: VNC Access from the Internet to a Local Host | Detects VNC (a remote desktop access application) from the internet to a local host. Many companies consider this a policy issue that should be addressed. If this is normal activity on your network, disable this rule.
Rule | Source Vulnerable to any Exploit | Reports an attack from a local host where the source has at least one vulnerability. It is possible the source was targeted in an earlier offense.
Rule | Source Vulnerable to this Exploit | Reports an attack from a local host where the source host is vulnerable to the attack being used. It is possible the source host was the destination of an earlier offense.

The following rules are included in IBM Security QRadar Intrusions Content Extension V1.0.0.
  • Excessive Firewall Accepts From Multiple Sources to a Single Destination
  • DMZ Jumping
  • Destination Vulnerable to Detected Exploit
  • Source Vulnerable to any Exploit
  • Source Vulnerable to this Exploit
  • Exploit/Malware Events Across Multiple Destinations
  • Exploit Followed by Suspicious Host Activity
  • Destination Vulnerable to Detected Exploit on a Different Port
  • 100% Accurate Events
  • Multiple Vector Attack Source
  • Remote: Remote Desktop Access from the Internet
  • Exploits Followed by Firewall Accepts
  • Remote: VNC Access from the Internet to a Local Host
  • Malware or Virus Clean Failed
  • Remote: Possible Tunneling

The following building blocks are included in IBM Security QRadar Intrusions Content Extension V1.0.0.
  • BB:Database: System Action Deny
  • BB:HostDefinition: Database Servers
  • BB:HostReference: Database Servers
  • BB:PortDefinition: Database Ports
  • BB:PortDefinition: Common Worm Ports
  • BB:FalseNegative: Events That Indicate Successful Compromise
  • BB:DeviceDefinition: Database
  • BB:DeviceDefinition: FW / Router / Switch
  • BB:Threats: Scanning: Scan Medium
  • BB:Threats: Remote Access Violations: Remote Desktop Access from Remote Hosts
  • BB:Threats: Scanning: ICMP Scan Low
  • BB:Threats: Scanning: ICMP Scan High
  • BB:Threats: Scanning: Scan Low
  • BB:Threats: Scanning: ICMP Scan Medium
  • BB:Threats: Remote Access Violations: VNC Activity from Remote Hosts
  • BB:Threats: Suspicious IP Protocol Usage: Large ICMP Packets
  • BB:Threats: Scanning: Empty Responsive Flows High
  • BB:Threats: Scanning: Scan High
  • BB:Threats: Scanning: Empty Responsive Flows Low
  • BB:Threats: Scanning: Empty Responsive Flows Medium
  • BB:Threats: Port Scans: UDP Port Scan
  • BB:Threats: Port Scans: Host Scans
  • BB:Threats: Suspicious IP Protocol Usage: Large DNS Packets
  • BB:Threats: Scanning: Potential Scan
  • BB:CategoryDefinition: Post Exploit Account Activity
  • BB:CategoryDefinition: Recon Flows
  • BB:CategoryDefinition: Successful Communication
  • BB:CategoryDefinition: Firewall or ACL Denies
  • BB:CategoryDefinition: Recon Events
  • BB:CategoryDefinition: Mail Policy Violation
  • BB:CategoryDefinition: Service DoS
  • BB:CategoryDefinition: Worm Events
  • BB:CategoryDefinition: Virus Detected
  • BB:CategoryDefinition: Authentication to Expired Account
  • BB:CategoryDefinition: Countries/Regions with no Remote Access
  • BB:CategoryDefinition: Pre DMZ Jump
  • BB:CategoryDefinition: Authentication to Disabled Account
  • BB:CategoryDefinition: Network DoS Attack
  • BB:CategoryDefinition: Recon Event Categories
  • BB:CategoryDefinition: Firewall or ACL Accept
  • BB:CategoryDefinition: Exploits Backdoors and Trojans
  • BB:BehaviorDefinition: Compromise Activities
  • BB:CategoryDefinition: Post DMZ Jump
  • BB:CategoryDefinition: Authentication Failures
  • BB:CategoryDefinition: Key Loggers
  • BB:CategoryDefinition: Malware Annoyances
  • BB:CategoryDefinition: DDoS Attack Events
  • BB:CategoryDefinition: Database Access Denied
  • BB:NetworkDefinition: DMZ Addresses
    Note: This building block references the default network hierarchy. Update this building block if you are using a different network hierarchy.
  • BB:NetworkDefinition: Honeypot like Addresses
  • BB:NetworkDefinition: Undefined IP Space
  • BB:NetworkDefinition: Darknet Addresses
  • BB:NetworkDefinition: Watch List Addresses
