Security Classifications


The following tables provide security classification information. The first table lists each classification with its description and examples; the second gives the default Risk Rating and forwarding settings for each classification.

Each entry below gives the classification name, followed by its description and examples.

Logs reporting on a successful system or network compromise.

Note: seen more on Host Intrusion Detection Systems (HIDS) than on network-based detection mechanisms.

  • Admin privileges gained

  • Unauthorized data access

  • Seizing control of the logical flow of program execution

  • Modification of any critical file

  • Creation of unauthorized processes

  • Modification of a system configuration via use of an exploit

Attack

Logs reporting on activity indicative of a system or network attack, where the attack is either assumed to have been successful or cannot be assumed to have failed. The attack is known to have originated from a “Bad Guy” source.

  • Buffer overflow

  • SQL Injection attack

  • Forceful Browsing

  • Session Hijacking

  • Password Guessing (Dictionary)

  • Known Exploits

Denial of Service

Logs reporting on activity indicative of a denial of service, where it is assumed to have succeeded or cannot be assumed to have failed.

  • DoS Attack

  • Distributed DoS Attack

  • Resource Starvation

  • Spinning (process starving CPU)

  • SYN Flood Attack

  • Ping of Death

  • WinNuke

  • Spam Flooding

  • Teardrop

Malware

Logs reporting on activity indicative of malware installation, propagation, or use.

This classification is set to RR=9 because malware is indicative of complex control of systems within the environment possibly leading to data loss with malicious intent, theft, tampering, etc.

  • Trojan horse installed

  • Backdoor traffic observed

  • Worm propagated

  • Virus activity observed

  • Spyware software installed

Suspicious

Logs reporting on activity that is suspicious but not known to be an attack or unauthorized.

  • Multiple failed login attempts (5 – 10 times)

  • Packets with abnormal payloads

  • Use of default user accounts (root, administrator, guest) detected by an IDS rather than by an audit log

  • Access from outside anticipated use zone(s).

Reconnaissance

Logs reporting on activity indicative of or directly indicating system or network reconnaissance.

  • Port Scan

  • Port Probe

  • Service enumeration

  • Program enumeration

  • User list enumeration

  • Directory enumeration

  • Web crawling

Misuse

Logs reporting on activity indicative of system or network misuse.

  • Public webmail usage

  • Pornographic content observed

  • Unauthorized program access

  • Content policy violation

  • P2P Usage

Activity

Logs reporting on general system or network activity.

  • Packet type observed

  • Packet payload dump

  • Interface set in promiscuous mode

  • Attack Response

  • Forensic related activity

Failed Attack

Logs reporting on attack activity that was not successful, possibly due to preventative measures.

  • Buffer overflow dropped

  • SQL Injection dropped

Failed Denial of Service

Logs reporting on denial of service activity that was not successful, possibly due to preventative measures.

  • DoS attack prevented

  • Distributed DoS attack prevented

Failed Malware

Logs reporting on malware activity that was not successful, possibly due to preventative measures.

  • Trojan horse installation detected and dropped

  • Worm propagation blocked

Failed Suspicious

Logs reporting on suspicious activity that was not successful, possibly due to preventative measures.

  • Packet with abnormal payload dropped

  • Hotmail usage blocked

  • Pornographic content blocked

  • Unauthorized program access denied

Failed Activity

Logs reporting on general system or network activity that was not successful, possibly due to preventative measures.

  • Peer-to-peer traffic dropped

  • FTP Command Denied

Other Security

Logs reporting on security activity not otherwise classifiable.

Security Classification Defaults

This table gives defaults for Risk Rating (RR), Event Forwarding, and LogMart Forwarding.

Classification           | Default Risk Rating (RR)* | Default Event Forwarding** | Default LogMart Forwarding
-------------------------|---------------------------|----------------------------|---------------------------
Compromise               | 9                         | Forward All                | Forward All
Attack                   | 8                         | Forward All                | Forward All
Denial of Service        | 8                         | Forward All                | Forward All
Malware                  | 9                         | Forward All                | Forward All
Suspicious               | 6                         | Forward All                | Forward All
Reconnaissance           | 4                         | Forward All                | Forward All
Misuse                   | 5                         | Forward All                | Forward All
Activity                 | 0                         | Forward If                 | Forward Events
Failed Attack            | 0                         | Forward None               | Forward All
Failed Denial of Service | 0                         | Forward None               | Forward All
Failed Malware           | 0                         | Forward None               | Forward All
Failed Suspicious        | 0                         | Forward None               | Forward All
Failed Activity          | 0                         | Forward None               | Forward None
Other Security           | 0                         | Case by Case               | Forward Events

*This is the usual Risk Rating assigned to a Common Event associated with this classification. However, Risk Ratings vary by Common Event within the same classification, so this value is a general default and is not strictly enforced.

**This is the default setting, assigned to a Common Event associated with this classification, for forwarding the log to the Platform Manager.
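As an added example that is not part of this page or the product's own code, the following Python applies the defaults table and the "Failed <classification>" convention to a batch of constructed events and builds a Platform Manager queue ordered by Risk Rating. The `blocked` flag, the `rule_match` argument and the sample events are assumptions for illustration; the page does not define how "Forward If", "Forward Events" or "Case by Case" are resolved.

```python
# Defaults transcribed from the table above: (Risk Rating, Event Forwarding, LogMart Forwarding).
DEFAULTS = {
    "Compromise":               (9, "Forward All",  "Forward All"),
    "Attack":                   (8, "Forward All",  "Forward All"),
    "Denial of Service":        (8, "Forward All",  "Forward All"),
    "Malware":                  (9, "Forward All",  "Forward All"),
    "Suspicious":               (6, "Forward All",  "Forward All"),
    "Reconnaissance":           (4, "Forward All",  "Forward All"),
    "Misuse":                   (5, "Forward All",  "Forward All"),
    "Activity":                 (0, "Forward If",   "Forward Events"),
    "Failed Attack":            (0, "Forward None", "Forward All"),
    "Failed Denial of Service": (0, "Forward None", "Forward All"),
    "Failed Malware":           (0, "Forward None", "Forward All"),
    "Failed Suspicious":        (0, "Forward None", "Forward All"),
    "Failed Activity":          (0, "Forward None", "Forward None"),
    "Other Security":           (0, "Case by Case", "Forward Events"),
}

# Classifications with a "Failed ..." counterpart; Compromise, Reconnaissance and Misuse have none.
BLOCKABLE = {"Attack", "Denial of Service", "Malware", "Suspicious", "Activity"}

def classify(base, blocked):
    """Final classification: a blocked Attack becomes Failed Attack, and so on."""
    return "Failed " + base if blocked and base in BLOCKABLE else base

def decide(event, rule_match=False):
    """Resolve one event to its final classification, RR and the two forwarding decisions.
    ASSUMPTION: "Forward If", "Forward Events" and "Case by Case" are not defined on the page,
    so here they defer to a caller-supplied rule result (rule_match)."""
    cls = classify(event["base"], event["blocked"])
    rr, event_fwd, logmart_fwd = DEFAULTS[cls]
    resolve = lambda setting: {"Forward All": True, "Forward None": False}.get(setting, rule_match)
    return {"id": event["id"], "classification": cls, "rr": rr,
            "event_fwd": resolve(event_fwd), "logmart_fwd": resolve(logmart_fwd)}

def triage(events, rule_match=False):
    """IDs of events bound for the Platform Manager, highest Risk Rating first."""
    decided = [decide(e, rule_match) for e in events]
    return [d["id"] for d in sorted(decided, key=lambda d: -d["rr"]) if d["event_fwd"]]

# Constructed sample events (not real log data): base class plus whether a control stopped it.
SAMPLE_EVENTS = [
    {"id": 1, "base": "Attack",         "blocked": True},   # SQL injection dropped by a WAF
    {"id": 2, "base": "Attack",         "blocked": False},  # SQL injection reached the server
    {"id": 3, "base": "Malware",        "blocked": True},   # worm propagation blocked
    {"id": 4, "base": "Reconnaissance", "blocked": False},  # port scan
    {"id": 5, "base": "Activity",       "blocked": True},   # peer-to-peer traffic dropped
    {"id": 6, "base": "Compromise",     "blocked": False},  # admin privileges gained
]
```

Note that a blocked attack still reaches LogMart (Failed Attack forwards all to LogMart) even though its RR drops to 0 and it is kept out of the Platform Manager queue.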