|
1
|
"filter": {"$and": [{"Category" : "Anomaly.Traffic"}]}
|
|
2
|
Name Anomaly traffic Count >= 25739
|
|
3
|
|
|
4
|
!!! 'Anomaly.Traffic:Fraud.UnauthorizedUsage:Test_+++_Relay_+++_*__+++_SMTP_anomaly': 413,
|
|
5
|
FILTER: {"$and": [{"Category" : "Anomaly.Traffic"}, {"Category" : "Fraud.UnauthorizedUsage"}]}
|
|
6
|
LABEL_CZ: Anomální provoz SMTP serveru
|
|
7
|
LABEL_EN: SMTP traffic anomaly
|
|
8
|
SEVERITY: 2
|
|
9
|
URL: https://csirt.cesnet.cz/cs/services
|
|
10
|
|
|
11
|
!!! 'Anomaly.Traffic_+++_*__+++_Incomplete_+++_Backbone_-_UDP_from_external_networks_to_internal_IPs,_packet_length>=1024,_targets_-_CONTINUING_traffic_anomaly': 38,
|
|
12
|
!!! 'Anomaly.Traffic_+++_*__+++_Incomplete_+++_Backbone_-_UDP_from_external_networks_to_internal_IPs,_packet_length>=1024,_targets_-_DETECTED_traffic_anomaly': 9,
|
|
13
|
!!! 'Anomaly.Traffic_+++_*__+++_Incomplete_+++_Backbone_-_UDP_from_internal_IPs_to_external_networks,_packet_length>=1024,_sources_-_CONTINUING_traffic_anomaly': 212,
|
|
14
|
!!! 'Anomaly.Traffic_+++_*__+++_Incomplete_+++_Backbone_-_UDP_from_internal_IPs_to_external_networks,_packet_length>=1024,_sources_-_DETECTED_traffic_anomaly': 68,
|
|
15
|
!!! 'Anomaly.Traffic_+++_*__+++_Incomplete_+++_TCP_SYN_against_internal_IP_address_ranges,_sources_-_CONTINUING_traffic_anomaly': 17110,
|
|
16
|
!!! 'Anomaly.Traffic_+++_*__+++_Incomplete_+++_TCP_SYN_against_internal_IP_address_ranges,_sources_-_DETECTED_traffic_anomaly': 18201,
|
|
17
|
!!! 'Anomaly.Traffic_+++_*__+++_Incomplete_+++_TCP_SYN_against_internal_IP_address_ranges_-_CONTINUING_traffic_anomaly': 312,
|
|
18
|
!!! 'Anomaly.Traffic_+++_*__+++_Incomplete_+++_TCP_SYN_against_internal_IP_address_ranges_-_DETECTED_traffic_anomaly': 6,
|
|
19
|
!!! 'Anomaly.Traffic_+++_*__+++_Incomplete_+++_TCP_SYN_from_internal_IP_address_ranges_-_CONTINUING_traffic_anomaly': 5921,
|
|
20
|
!!! 'Anomaly.Traffic_+++_*__+++_Incomplete_+++_TCP_SYN_from_internal_IP_address_ranges_-_DETECTED_traffic_anomaly': 216,
|
|
21
|
!!! 'Anomaly.Traffic:Test_+++_*__+++_Incomplete_+++_METACentre_-_possible_incoming_attacks_-_CONTINUING_traffic_anomaly': 465,
|
|
22
|
!!! 'Anomaly.Traffic:Test_+++_*__+++_Incomplete_+++_METACentre_-_possible_incoming_attacks_-_DETECTED_traffic_anomaly': 144,
|
|
23
|
!!! 'Anomaly.Traffic:Test_+++_*__+++_Incomplete_+++_METACentre_-_possible_outgoing_attacks_-_CONTINUING_traffic_anomaly': 489,
|
|
24
|
!!! 'Anomaly.Traffic:Test_+++_*__+++_Incomplete_+++_METACentre_-_possible_outgoing_attacks_-_DETECTED_traffic_anomaly': 154,
|
|
25
|
!!! "Anomaly.Traffic:Test_+++_*__+++_Incomplete_+++_x_(source_IP)_-_found_1_08359806027173_flows_(limit_'Flow-Cnt>=5000_or_Flow-Cnt>=1_and_Pkts-estimated>=300000')_within_period_of_5_seconds_Next_message_not_before_16_02_25_x_CET_+0100_in_case_of_continuous_anomaly_Notes_-_detector_uses_extrapolated_values_(bytes,_packets)_in_case_of_sampled_flows;_detector_fragments_long_(duration)_flows_into_5s_intervals_for_evaluation_purposes_": 1,
|
|
26
|
|
|
27
|
FILTER: {"$and": [{"Category" : "Anomaly.Traffic"}, {"Source.Type": {"$eq": "Incomplete"}}]}
|
|
28
|
LABEL_CZ: Anomální provoz - nekompletní spojení
|
|
29
|
LABEL_EN: Anomaly traffic - incomplete connections
|
|
30
|
SEVERITY: 1
|
|
31
|
URL: https://csirt.cesnet.cz/cs/services
|
|
32
|
|
|
33
|
NEVIM SI RADY!!! Ale klidne by to tak mohlo byt...:
|
|
34
|
!!! 'Anomaly.Traffic_+++_External:Policy_+++_*__+++_Unexpected_heavy_traffic': 269,
|
|
35
|
!!! 'Anomaly.Traffic_+++_External_+++_OriginSandbox_+++_Sandbox_URL': 3,
|
|
36
|
!!! 'Anomaly.Traffic:Test_+++_*__+++_*__+++_METACentre_-_possible_outgoing_attacks_-_CONTINUING_traffic_anomaly': 174,
|
|
37
|
!!! 'Anomaly.Traffic_+++_*__+++_*__+++_Backbone_-_UDP_from_external_networks_to_internal_IPs,_packet_length>=1024,_targets_-_CONTINUING_traffic_anomaly': 3,
|
|
38
|
!!! 'Anomaly.Traffic_+++_*__+++_*__+++_Backbone_-_UDP_from_internal_IPs_to_external_networks,_packet_length>=1024,_sources_-_CONTINUING_traffic_anomaly': 4,
|
|
39
|
!!! 'Anomaly.Traffic_+++_*__+++_*__+++_TCP_SYN_against_internal_IP_address_ranges,_sources_-_CONTINUING_traffic_anomaly': 41,
|
|
40
|
!!! 'Anomaly.Traffic_+++_*__+++_*__+++_TCP_SYN_against_internal_IP_address_ranges_-_CONTINUING_traffic_anomaly': 4,
|
|
41
|
!!! 'Anomaly.Traffic_+++_*__+++_*__+++_TCP_SYN_against_internal_IP_address_ranges_-_DETECTED_traffic_anomaly': 3,
|
|
42
|
!!! 'Anomaly.Traffic_+++_*__+++_*__+++_TCP_SYN_from_internal_IP_address_ranges_-_CONTINUING_traffic_anomaly': 18,
|
|
43
|
FILTER: {"$and": [{"Category" : "Anomaly.Traffic"}, {"Source.Type": {"$ne": "Incomplete"}}]}
|
|
44
|
LABEL_CZ: Anomální provoz
|
|
45
|
LABEL_EN: Anomaly traffic
|
|
46
|
SEVERITY: 1
|
|
47
|
URL: https://csirt.cesnet.cz/cs/services
|
|
48
|
|
|
49
|
Pod Anomaly.Connection je jedina udalost, proto by teoreticky stacil filtr s {"Category" : "Anomaly.Connection"} (testovaci dotazy to potvrdily):
|
|
50
|
!!! 'Anomaly.Connection_+++_Blacklist:Connection_+++_*__+++_Connection_to_blacklisted_host(s)': 514,
|
|
51
|
FILTER: {"Category" : "Anomaly.Connection"}, {"Node.Type" : "Connection"}, {"Node.Type" : "Blacklist"}
|
|
52
|
LABEL_CZ: Anomomální provoz - komunikace s hostem na blacklistu
|
|
53
|
LABEL_EN: Host communicated with blacklisted host
|
|
54
|
SEVERITY: 2
|
|
55
|
URL: https://csirt.cesnet.cz/cs/services
|
|
56
|
|