• Active Directory
  • Application
  • Desktop & Mobile
  • Help Desk
  • Network
  • IT Security
  • MSP
  • On-Demand
 
 
Device Management, made easy
Manage control and secure your workstations, mobile
devices and tablets
 
 
Help Desk for Everyone
IT Help Desk Software and Customer Support Software
 
 
Protect Your IT. Save Your Business
Build a secure fortress with our security management solutions
 
 
MSP
Manage services faster, with multi-tenanted, ITIL-ready, and unified RMM solutions
 
 
On-Demand Solutions
IT Help Desk, Active Directory, and Operations Management from the Cloud
 

Advanced Security Analytics Module

Security Problem & Class Catalog

problem class catalogue

The table below lists some of the important abbreviations with their fully expanded word/phrase used in this document

Setting Description
IP Internet Protocol Address
Src Source
Dst Destination
P2P Peer to Peer
ToS Type of Service
DoS Denial of Service
TCP: U-A-P-R-S-F TCP: Urg – Ack – Psh – Rst – Syn – Fin

The table below lists the set of classes used for classifying problems with a brief description

Class Name Description
Bad Src – Dst Either the Src IP or the Dst IP of the flow is suspicious
Suspect Flows Some attribute(s) other than Src IP and Dst IP of the flow is suspicious
DoS Denial of Service Attack

The table below lists the set of problems detected, their classification followed by a brief description

Problem Name

Description

Bad Src – Dst

Invalid Src-Dst Flows

Invalid Src or Dst IP irrespective of whatever be the enterprise perimeter, for example, Loopback IPs or IANA Local IPs in either Src or Dst IP

Non Unicast Source Flows

Src IP is either Multicast or Broadcast or Network IP i.e., not Unicast

Excess Multicast Flows

Multicast traffic exceeds threshold for any given Src IP

Excess Broadcast Flows

Broadcast traffic exceeds threshold for any given Src IP

Excess Networkcast Flows

Network IP destined traffic exceeds threshold for any given Src IP

Suspect Flows

Malformed IP Packets

Flows with BytePerPacket less than or equal to the minimum 20 octets (bytes)

Invalid ToS Flows

Flows with invalid ToS values

Malformed TCP Packets

TCP Flows with BytePerPacket less than the minimum 40 octets (bytes)

Excess Empty TCP Packets

TCP Flows without any payload ie., BytePerPacket exactly 40 octets (bytes) with TCP FLAGS value IN (25–27, 29–31). All other TCP FLAGS values are included in other TCP based events given below

Excess Short TCP Handshake Packets

TCP Flows with nominal payload ie., BytePerPacket between 40 and 44 octets (bytes) and TCP Flags value IN (19/ASF, 22/ARS, 23/ARSF), denoting opened & closed TCP Sessions, exceeds threshold

TCP Null Violations

TCP Flows with TCP Flags value equals 0/Null

TCP Syn Violations

TCP Flows with TCP Flags value equals 2/Syn

TCP Syn_Fin Violations

TCP Flows with TCP Flags value IN (3/SF, 7/RSF), denoting TCP Syn_Fin –or– Syn_Rst_Fin Flows, but without Urg/Ack/Psh Flags.

Excess Short TCP Syn_Ack Packets

TCP Flows with nominal payload ie., BytePerPacket between 40 and 44 octets (bytes) and TCP Flags value equals 18/SA exceeds threshold

Excess Short TCP Syn_Rst Packets

TCP Flows with nominal payload ie., BytePerPacket between 40 and 44 octets (bytes) and TCP Flags value equals 6/RS, denoting TCP Syn_Rst Flows, but without Urg/Ack/Psh Flags, exceeds threshold

TCP Rst Violations

TCP Flows with TCP Flags value equals 4/R

Excess Short TCP Rst_Ack Packets

TCP Flows with nominal payload ie., BytePerPacket between 40 and 44 octets (bytes) and TCP Flags value IN (20/AR, 21/ARF), denoting TCP Rst_Ack Flows, exceeds threshold

TCP Fin Violations

TCP Flows with TCP Flags value IN (1/F, 5/RF)

Excess Short TCP Fin_Ack Packets

TCP Flows with nominal payload ie., BytePerPacket between 40 and 44 octets (bytes) and TCP Flags value equals 17/FA exceeds threshold

Excess Short TCP Psh_Ack_No-Syn_Fin Packets

TCP Flows with nominal payload ie., BytePerPacket between 40 and 44 octets (bytes) and TCP Flags value IN (24/PA, 28/APR), denoting TCP Psh_Ack but without Syn/Fin, exceeds threshold

Excess Short TCP Psh_No-Ack Packets

TCP Flows with nominal payload ie., BytePerPacket between 40 and 44 octets (bytes) and TCP Flags value IN (8/P, 42/UPS, 43/UPSF, 44/UPR, 45/UPRF, 46/UPRS, 47/UPRSF), denoting TCP Psh but without Ack, exceeds threshold

Excess Short TCP Ack Packets

TCP Flows with nominal payload ie., BytePerPacket between 40 and 44 octets (bytes) and TCP Flags value equals 16/A, denoting TCP Ack, exceeds threshold

TCP Xmas Violations

TCP Flows with TCP Flags value equals 41/UPF

TCP Urg Violations

TCP Flows with TCP Flags value IN (32-40, 42-63), denoting all combinations of Urg Flag except the XMAS combination

Malformed ICMP Packets

ICMP Flows with BytePerPacket less than the minimum 28 octets (bytes)

Excess ICMP Requests

ICMP Request Flows with Dst Port value IN (2048/Echo Request, 3328/Timestamp Request, 3840/Information Request, 4352/Address Mask Request) exceeds threshold

Excess ICMP Responses

ICMP Response Flows with Dst Port value IN (0/Echo Reply, 3584/Timestamp Reply, 4096/Information Reply, 4608/Address Mask Reply) exceeds threshold

ICMP Network Unreachables

ICMP Network Unreachable Flows with Dst Port value IN (768/Network Unreachable, 774/Network Unknown, 777/Network Administratively Prohibited, 779/Network Unreachable for TOS)

ICMP Host Unreachables

ICMP Host Unreachable Flows with Dst Port value IN (769/Host Unreachable, 773/Source Route Failed, 775/Host Unknown, 776/Source Host Isolated (obsolete), 778/Host Administratively Prohibited, 780/Host Unreachable for TOS, 781/Communication administratively prohibited by filtering)

ICMP Port Unreachables

ICMP Port Unreachable Flows with Dst Port value equals 771/Port Unreachable

ICMP Unreachables for ToS

ICMP ToS Unreachable Flows with Dst Port value IN (779/Network Unreachable for TOS, 780/Host Unreachable for TOS)

ICMP Redirects

ICMP Redirect Flows with Dst Port value IN (1280/Redirect for Network, 1281/Redirect for Host, 1282/Redirect for ToS and Network, 1283/Redirect for ToS and Host)

ICMP Time Exceeded Flows

ICMP Time Exceeded Flows with Dst Port IN (2816/Time-to-live equals 0 During Transit, 2817/Time-to-live equals 0 During Reassembly). Indicates Traceroute attempt or datagram fragment reassembly failure.

ICMP Parameter Problem Flows

ICMP Parameter Problem Flows with Dst Port IN (3072/IP Header Bad, 3073/Required Option Missing, 3074/Bad Length). Generally indicates some local or remote implementation error ie., invalid datagrams.

ICMP Trace Route Flows

ICMP Traceroute Flows with Dst Port equals 7680/Trace Route. Indicates traceroute attempt.

ICMP Datagram Conversion Error Flows

ICMP Datagram Conversion Error Flows with Dst Port value equals 7936/Datagram Conversion Error ie., for valid datagrams.

Malformed UDP Packets

UDP Flows with BytePerPacket less than the minimum 28 octets (bytes)

Excess Empty UDP Packets

UDP Flows without any payload ie., BytePerPacket exactly 28 octets (bytes)

Excess Short UDP Packets

UDP Flows with nominal payload ie., BytePerPacket between 29 and 32 octets (bytes), exceeds threshold

Excess UDP Echo Requests

UDP Echo Request to Dst Port 7 (Echo) exceeds threshold

Excess UDP Echo Responses

UDP Echo Response from Src Port 7 (Echo) exceeds threshold

DoS

Land Attack Flows

Flows with the same Src IP & Dst IP. Causes the target machine to reply to itself continuously

ICMP Request Broadcasts

ICMP Request Flows with Dst Port value IN (2048/Echo Request, 3328/Timestamp Request, 3840/Information Request, 4352/Address Mask Request) sent to a Broadcast/Multicast IP. Indicates possible amplification attack on the Src IP.

ICMP Protocol Unreachables

ICMP Protocol Unreachable Flows with Dst Port value equals (770/Protocol Unreachable). Can be used to perform a denial of service on active TCP sessions, causing the TCP connection to be dropped.

ICMP Source Quench Flows

ICMP Source Quench Flows with Dst Port value equals (1024/Source Quench). Out dated. But can be used to attempt a denial of service by limiting the bandwidth of a router or host.

Snork Attack Flows

UDP Flows with Src Port IN (7, 19, 135) and Dst Port IN (135). Indicates denial of service attack against Windows NT RPC Service

UDP Echo Request Broadcasts

UDP Echo Request to Dst Port 7 (Echo) sent to a Broadcast/Multicast IP. Indicates possible amplification attack on the Src IP.

UDP Echo-Chargen Broadcasts

UDP Flows, from Src Port 7/Echo to Dst Port 19/Chargen, sent to a Broadcast/Multicast IP. Indicates possible amplification attack on the Src IP.

UDP Chargen-Echo Broadcasts

UDP Flows, from Src Port 19/Chargen to Dst Port 7/Echo, sent to a Broadcast/Multicast IP. Indicates possible amplification attack on the Src IP.

Excess UDP Echo-Chargen Flows

UDP Flows, from Src Port 7/Echo to Dst Port 19/Chargen, sent to any unicast IP exceeds threshold. Indicates possible amplification attack on the Src IP.

Excess UDP Chargen-Echo Flows

UDP Flows, from Src Port 19/Chargen to Dst Port 7/Echo, sent to any unicast IP exceeds threshold. Indicates possible amplification attack on the Src IP.

Customers

Partners