Once you install the Coralogix Security Traffic Analyzer (STA), we can update your account with a set of default alerts built specifically for use with the STA. Here's a quick overview of these alerts and their purpose:
STA – NIDS alert detected – This alert fires every time the STA's Snort engine detects a security-related issue. You can tune it either by modifying the alert's Lucene query, or by disabling the current signature in the disablesid.conf file and then creating a replacement rule in the local.rules file on the STA's config S3 bucket. To learn more about how to do that, see here.
STA – Unusual reconnaissance activity detected – This alert fires when Coralogix detects an abnormal rate of STA events indicating that the organization is being scanned from the outside.
STA – Unusual connections rate from blacklisted IPs – This alert fires when Coralogix detects an abnormal rate of STA events indicating connections from potentially malicious (blacklisted) IP addresses.
STA – Request for public IP echo services detected – Many malicious tools attempt to discover the public IP address of the host they run on. Some do this to determine where in the world they are located; others send the address to their Command & Control server as part of registration. This alert fires when Coralogix, based on the STA logs, detects a connection to one of several sites commonly used by malicious tools for this purpose. Note that some legitimate software (dynamic DNS clients, for example) queries the same services, so whitelist known sources if the alert is noisy.
STA – Trojan activity detected – This alert fires when the STA's Snort engine detects Trojan activity. It is tuned the same way as the NIDS alert above.
STA is not seeing any traffic – MIRRORING is DOWN – This alert fires when Coralogix detects, based on the logs from the STA, that the STA is alive but is not seeing any traffic. This usually indicates a problem with your VPC Traffic Mirroring configuration (for example, a mirror session that points at the wrong target or a mirror filter that matches nothing). In the latest version of the STA, we also published a tool for automating the VPC Traffic Mirroring configuration, which can help fix the problem. You can find out more about it here.
STA – Usage of rarely used DNS record types detected – Some DNS record types, like A, AAAA, and MX, are very commonly used, while others, like ISDN or NULL, are almost never seen in practice. Some of these can also be used (or are even preferred) by an adversary for DNS tunneling, because they carry large free-form payloads. TXT is a special case: it is the workhorse of DNS tunneling tools, but it is also queried legitimately for SPF, DKIM, DMARC and domain-ownership verification, so treat it as a candidate for a rate-based alert rather than a flat block. This alert fires when a request for such a record type is made. If your organization uses a given record type for legitimate purposes, simply remove it from the alert query and possibly create a new alert that fires only if the rate of DNS requests for that specific record type is abnormal.
STA – Unusual high volume of DNS requests returned NXDOMAIN – This alert fires when Coralogix detects, based on the STA logs, an abnormal rate of NXDOMAIN responses from DNS servers. Many attacks today involve some form of connection to a Command & Control server, and the common way for malware to find its Command & Control server is a machine-generated domain name, a.k.a. a Domain Generation Algorithm (DGA). It usually works like this: the malware derives a new candidate domain name from the current date every day and tries to reach it; if that fails, it keeps using the domain it has been using until now. That way, if someone blocks access to the current Command & Control domain, the attacker only has to register the domain name that the malware will look for tomorrow and the connection is automatically restored. Because the malware keeps looking up domains that are not registered, this strategy produces an abnormal rate of DNS requests that result in NXDOMAIN responses. Keep in mind that misconfigured applications and expired domains referenced by internal software also produce NXDOMAIN bursts, so check the querying hosts and the names they asked for before treating a spike as DGA activity.
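To make the mechanism above concrete, here is an added example (not part of the Coralogix STA or its alerts) of a minimal date-seeded DGA, the "try today's name, otherwise keep the last one" loop the paragraph describes, and a stand-in resolver that records the response codes an STA would see. The seed, the TLD list and the idea that the attacker pre-registers exactly one day's name are assumptions made for the illustration.

```python
"""
Added example, not Coralogix code: a toy date-seeded DGA and the
NXDOMAIN burst it causes.  Seed, TLDs and dates are made up.
"""
import datetime as dt
import hashlib
from collections import Counter

SEED = b"example-campaign-seed"   # assumption: any per-campaign constant
TLDS = ["com", "net", "org"]      # assumption: small TLD pool


def dga_domain(day: dt.date, seed: bytes = SEED) -> str:
    """Derive one candidate domain deterministically from the date.

    Attacker and malware share seed + algorithm, so the attacker knows in
    advance which name the malware will look for on any given day.
    """
    digest = hashlib.sha256(seed + day.isoformat().encode()).digest()
    label = "".join(chr(ord("a") + b % 26) for b in digest[:12])  # 12 letters
    tld = TLDS[digest[12] % len(TLDS)]
    return f"{label}.{tld}"


class FakeResolver:
    """Stand-in for the organisation's DNS server: only registered names resolve."""

    def __init__(self, registered: set):
        self.registered = registered
        self.rcodes = Counter()   # what an STA/Zeek dns.log would show per response

    def resolve(self, name: str) -> bool:
        ok = name in self.registered
        self.rcodes["NOERROR" if ok else "NXDOMAIN"] += 1
        return ok


def c2_lookup_loop(resolver: FakeResolver, start: dt.date, days: int,
                   seed: bytes = SEED) -> list:
    """Simulate the malware: each day try today's DGA name, else keep the last good one.

    Returns the domain in use on each day (None until the first success).
    """
    current = None
    used = []
    for offset in range(days):
        candidate = dga_domain(start + dt.timedelta(days=offset), seed)
        if resolver.resolve(candidate):
            current = candidate        # attacker registered today's name
        used.append(current)
    return used


def nxdomain_ratio(resolver: FakeResolver) -> float:
    total = sum(resolver.rcodes.values())
    return resolver.rcodes["NXDOMAIN"] / total if total else 0.0


def run_demo(days: int = 10, register_day: int = 2) -> dict:
    """Attacker registers only the name for `register_day`; malware runs for `days` days."""
    start = dt.date(2024, 1, 1)
    registered = dga_domain(start + dt.timedelta(days=register_day))
    resolver = FakeResolver({registered})
    used = c2_lookup_loop(resolver, start, days)
    return {
        "registered": registered,
        "used": used,
        "rcodes": dict(resolver.rcodes),
        "nxdomain_ratio": nxdomain_ratio(resolver),
    }


if __name__ == "__main__":
    result = run_demo()
    print("domain in use per day:", result["used"])
    print("response codes:", result["rcodes"],
          "NXDOMAIN ratio:", round(result["nxdomain_ratio"], 2))
```

With one registration in ten days, nine of the ten lookups come back NXDOMAIN, which is the signal this alert keys on. Real DGAs often generate many candidates per day, which makes the ratio even more lopsided.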
STA – Unrecognized software – The Bro (a.k.a. Zeek) engine of the STA can infer the software running on monitored (and unmonitored) servers from the traffic the STA observes, for example from HTTP User-Agent and Server headers and SSH banners. These findings appear on the Software dashboard of the STA. This alert is a stub that you can use to whitelist the software you know you use (based on what you see on the Software dashboard) and alert on everything new. This is the Software dashboard of the STA:
STA – Unrecognized software type – See “STA – Unrecognized software” above.
STA – DNS activity on TCP detected – DNS most commonly runs over UDP on port 53. DNS uses TCP in two main scenarios: zone transfers (AXFR/IXFR) and responses too large to fit in a UDP packet (the server sets the TC bit and the client retries over TCP, which is typical for large TXT answers). Zone transfers should only be performed by authorized secondary name servers and not very often, and truncated-response retries should be rare. This alert fires when DNS over TCP is detected. If you run DNS over TLS (TCP port 853) or resolvers that deliberately prefer TCP, expect to whitelist those sources.
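The two DNS checks above (rarely used record types, and DNS over TCP) both come down to filters over the Zeek dns.log records the STA produces. The following added example (not Coralogix code) runs both over a handful of constructed log lines written in Zeek's tab-separated dns.log layout with its standard field names; the IPs, UIDs, query names and the COMMON_QTYPES allow-list are assumptions for the illustration and should be tuned to your environment.

```python
"""
Added example, not Coralogix code: rare-qtype and DNS-over-TCP checks over
Zeek dns.log records.  The log lines below are constructed for this example.
"""
from collections import Counter

# Assumption: record types considered normal.  TXT is allowed here because
# SPF/DKIM/DMARC lookups are routine; move it out if your hosts rarely query it.
COMMON_QTYPES = {"A", "AAAA", "MX", "NS", "CNAME", "PTR", "SOA", "SRV", "TXT"}

# Constructed sample in Zeek dns.log format (header line + tab-separated data).
SAMPLE_DNS_LOG = """\
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\ttrans_id\trtt\tquery\tqclass\tqclass_name\tqtype\tqtype_name\trcode\trcode_name\tAA\tTC\tRD\tRA\tZ\tanswers\tTTLs\trejected
1700000000.1\tC1\t10.0.1.5\t51000\t10.0.0.2\t53\tudp\t1\t0.01\twww.example.com\t1\tC_INTERNET\t1\tA\t0\tNOERROR\tF\tF\tT\tT\t0\t192.0.2.10\t300.0\tF
1700000000.2\tC2\t10.0.1.5\t51001\t10.0.0.2\t53\tudp\t2\t0.01\texample.com\t1\tC_INTERNET\t16\tTXT\t0\tNOERROR\tF\tF\tT\tT\t0\tv=spf1 -all\t300.0\tF
1700000000.3\tC3\t10.0.1.7\t51002\t10.0.0.2\t53\tudp\t3\t0.01\tx7f3a.tun.example.net\t1\tC_INTERNET\t10\tNULL\t0\tNOERROR\tF\tF\tT\tT\t0\t-\t-\tF
1700000000.4\tC4\t10.0.1.7\t51003\t10.0.0.2\t53\tudp\t4\t0.02\tq9k2b.tun.example.net\t1\tC_INTERNET\t20\tISDN\t3\tNXDOMAIN\tF\tF\tT\tT\t0\t-\t-\tF
1700000000.5\tC5\t10.0.1.9\t40000\t10.0.0.2\t53\ttcp\t5\t0.05\texample.com\t1\tC_INTERNET\t252\tAXFR\t5\tREFUSED\tF\tF\tT\tT\t0\t-\t-\tF
1700000000.6\tC6\t10.0.1.5\t51004\t10.0.0.2\t53\tudp\t6\t0.01\tmail.example.com\t1\tC_INTERNET\t15\tMX\t0\tNOERROR\tF\tF\tT\tT\t0\tmail.example.com\t300.0\tF
"""


def parse_zeek_tsv(text: str):
    """Yield one dict per data line, naming columns from the #fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line.startswith("#") or not line.strip():
            continue                      # other header lines / blanks
        elif fields is None:
            raise ValueError("data line before #fields header")
        else:
            yield dict(zip(fields, line.split("\t")))


def rare_qtype_findings(records: list) -> list:
    """'Usage of rarely used DNS record types': one finding per unusual qtype."""
    return [(r["id.orig_h"], r["query"], r["qtype_name"])
            for r in records if r["qtype_name"] not in COMMON_QTYPES]


def dns_over_tcp_findings(records: list) -> list:
    """'DNS activity on TCP': any entry whose transport is tcp (zone transfers, retries)."""
    return [(r["id.orig_h"], r["query"], r["qtype_name"], r["rcode_name"])
            for r in records if r["proto"] == "tcp"]


def rare_qtype_rate(records: list) -> Counter:
    """Per (source, qtype) counts: the basis for the rate-based alert the text suggests."""
    return Counter((r["id.orig_h"], r["qtype_name"])
                   for r in records if r["qtype_name"] not in COMMON_QTYPES)


def analyse(text: str = SAMPLE_DNS_LOG) -> dict:
    records = list(parse_zeek_tsv(text))
    return {
        "rare_qtype": rare_qtype_findings(records),
        "dns_over_tcp": dns_over_tcp_findings(records),
        "rare_qtype_rate": dict(rare_qtype_rate(records)),
    }


if __name__ == "__main__":
    for name, findings in analyse().items():
        print(f"{name}: {findings}")
```

On the sample, the NULL and ISDN queries from 10.0.1.7 to a tunnel-looking subdomain trip the rare-qtype check, the TXT SPF lookup is left alone, and the refused AXFR over TCP from 10.0.1.9 trips the DNS-over-TCP check. The per-source counter is what you would feed a threshold once a type is moved to the allow-list.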
STA – Access to a baby domain was detected – Employees, and even more so servers, accessing domains that are "young" (registered only very recently) is often a good indication of malicious activity, since attackers routinely register fresh domains for phishing and Command & Control infrastructure. This alert fires when access to a domain created less than three months ago is detected.
STA – BRO Notice Detected – This alert fires when the Bro (a.k.a. Zeek) engine in the STA raises a Notice, i.e. when it has detected anomalous and potentially malicious behaviour (password guessing over SSH and port scans are typical examples).
STA – Unusual TOR nodes connectivity – Tor Browser and the Tor network in general are notorious for being used to hide adversary actions. This alert fires when Coralogix detects an anomaly in the rate of connections from Tor exit nodes (as detected by the Snort engine in the STA).
STA is OFFLINE – This alert fires when no logs at all are coming from the STA (compare with the MIRRORING is DOWN alert above, which fires when the STA is alive but sees no traffic).
More alerts will be added in the upcoming versions so stay tuned!