Security Classifications

The following tables provide Security classification information. This table lists descriptions and examples.

Classification	Description	Examples Of
Compromise	Logs reporting on a successful system or network compromise. Seen more on Host Intrusion Detection Systems (HIDS) than network based detection mechanisms.	Admin privileges gained Unauthorized data access Seizing control of the logical flow of program execution Modification of any critical file. Creation of unauthorized processes. Modification a system configuration via use of an exploit.
Attack	Logs reporting on activity indicative of a system or network attack where it is either assumed to have been successful or cannot be assumed to have failed. Attack is known to have originated from a “Bad Guy” source.	Buffer overflow SQL Injection attack Forceful Browsing Session Hijacking Password Guessing (Dictionary) Known Exploits
Denial of Service	Logs reporting on activity indicative a denial of service where it is assumed to have succeeded or cannot be assumed to have failed.	DOS Attack Distributed DOS Attack Resource Starvation Spinning (process starving CPU) SynFlood Attack Ping of Death Win Nuke Spam Flooding Teardrop
Malware	Logs reporting on activity indicative of malware installation, propagation, or use. This classification is set to RR=9 because malware is indicative of complex control of systems within the environment possibly leading to data loss with malicious intent, theft, tampering, etc.	Trojan horse installed Backdoor traffic observed Worm propagated Virus activity observed Spyware software installed
Suspicious	Logs reporting on activity that is suspicious but not known to be an attack or unauthorized.	Multiple failed login attempts (5 – 10 times) Packets with abnormal payloads Use of default user accounts (root, administrator, guest) detected by an ids and not an audit log. Access from outside anticipated use zone(s).
Reconnaissance	Logs reporting on activity indicative of or directly indicating system or network reconnaissance.	Port Scan Port Probe Service enumeration Program enumeration User list enumeration Directory enumeration Web crawling
Misuse	Logs reporting on activity indicative of system or network misuse.	Public webmail usage Pornographic content observed Unauthorized program access Content policy violation P2P Usage
Activity	Logs reporting on general system or network activity.	Packet type observed Packet payload dump Interface set in promiscuous mode Attack Response Forensic related activity
Failed Attack	Logs reporting on attack activity that was not successful, possibly due to preventative measures.	Buffer overflow dropped SQL Injection dropped
Failed Denial of Service	Logs reporting on denial of service activity that was not successful, possibly due to preventative measures.	DOS attack prevented Distributed DOS attack prevented
Failed Malware	Logs reporting on malware activity that was not successful, possibly due to preventative measures.	Trojan horse installation detected and dropped Worm propagation blocked
Failed Suspicious	Logs reporting on suspicious activity that was not successful, possibly due to preventative measures.	Packet with abnormal payload dropped Hotmail usage blocked Pornographic content blocked Unauthorized program access denied
Failed Activity	Logs reporting on general system or network activity that was not successful, possibly due to preventative measures	Drop Peer to Peer FTP Command Denied
Other Security	Logs reporting on security activity not otherwise classifiable

Security Classification Defaults

This table gives defaults for Risk Rating (RR), Event Forwarding, and LogMart Forwarding.

Classification	Default Risk Rating (RR)*	Default Event Forwarding**	Default LogMart Forwarding
Compromise	9	Forward All	Forward All
Attack	8	Forward All	Forward All
Denial of Service	8	Forward All	Forward All
Malware	9	Forward All	Forward All
Suspicious	6	Forward All	Forward All
Reconnaissance	4	Forward All	Forward All
Misuse	5	Forward All	Forward All
Activity	0	Forward If	Forward Events
Failed Attack	0	Forward None	Forward All
Failed Denial of Service	0	Forward None	Forward All
Failed Malware	0	Forward None	Forward All
Failed Suspicious	0	Forward None	Forward All
Failed Activity	0	Forward None	Forward None
Other Security	0	Case by Case	Forward Events

*This is the usual Risk Rating assigned to a Common Event associated with this classification. However, Risk Ratings will vary by Common Event within the same classification. This value is a general default, not strictly enforced.

**This is the default setting for forwarding the log to the Platform Manager assigned to a Common Event associated with this classification.