System event types of the Intrusion Detection technology

This article describes the system event types of the Intrusion Detection technology (see the table below).

Intrusion Detection (IDS) system event types

Code

Event type title

Conditions for registration

4000003000

Rule from the $fileName set (system rule set) was triggered

An intrusion detection rule from the system rule set is triggered.

The following variables are used in the title and description of the event type:

  • $fileName: name of the rule set
  • $category: category of the rule
  • $ruleName: name of the rule
  • $signature_id: ID (sid) of the rule

4000003001

Rule from the $fileName set (user-defined rule set) was triggered

An intrusion detection rule from the user-defined rule set is triggered.

The following variables are used in the title and description of the event type:

  • $fileName: name of the rule set
  • $category: category of the rule
  • $ruleName: name of the rule
  • $signature_id: ID (sid) of the rule
  • $action: type of network packet action defined in the rule (drop or reject actions are not performed in Kaspersky Anti Targeted Attack Platform).

4000003002

Signs of a brute-force attack or scan were detected

A rule for detecting brute-force or scanning attack is triggered.

In the description of the event type, the $ruleName variable is used for the rule name.

4000004001

Symptoms of ARP spoofing detected in ARP replies

Indicators of address spoofing in ARP packets detected: multiple ARP responses that are not associated with ARP requests.

The following variables are used in the description of the event type:

  • $senderIp: IP address being spoofed
  • $targetIp: IP address of the destination host
  • $attackStartTimestamp: time when the first ARP response was detected

4000004002

Symptoms of ARP spoofing detected in ARP requests

Indicators of address spoofing in ARP packets detected: multiple ARP requests from the same MAC address to different destinations.

The following variables are used in the description of the event type:

  • $senderIp: IP address being spoofed
  • $targetIp: IP address of the destination host
  • $attackStartTimestamp: time when the first ARP response was detected

4000005100

IP protocol anomaly detected: data conflict when assembling IP packet

IP protocol anomaly detected: data mismatch in overlapping IP packet fragments.

4000005101

IP protocol anomaly detected: fragmented IP packet size exceeded

IP protocol anomaly detected: actual total size of fragmented IP packet after reassembly exceeds the allowed limit.

4000005102

IP protocol anomaly detected: the size of the initial fragment of the IP packet is less than expected

IP protocol anomaly detected: the size of the initial fragment of the IP packet is less than the minimum allowed value.

4000005103

IP protocol anomaly detected: mis-associated fragments

IP protocol anomaly detected: fragments of the IP packet being assembled contain different information about the length of the fragmented packet.

4000002701

TCP protocol anomaly detected: content substitution in overlapping TCP segments

TCP protocol anomaly detected: packets contain overlapping TCP segments with different content.

4000000003

Test event (IDS)

Test network packet detected (with rule-based intrusion detection enabled).

Page top