Reporting - event classes

anomaly-host-miner (low)
Label_en: Hosts recently active as Bitcoin seed nodes.
Label_cs: Zařízení nedávno aktivní v těžbě Bitcoinů.
Reference: https://csirt.cesnet.cz/cs/services/eventclass/anomaly-host-miner
Filtering rule: Category in ['Anomaly.Behaviour'] and Source.Type in ['Miner']
Displayed: –

attempt-login-rdp (medium)
Label_en: The machine attempted to log in to the Remote Desktop Protocol service.
Label_cs: Stroj se pokoušel připojovat ke službě Remote Desktop Protocol.
Reference: https://csirt.cesnet.cz/cs/services/eventclass/attempt-login-rdp
Filtering rule: Category in ['Attempt.Login'] and (Target.Port in [3389] or Target.Proto in ['ms-wbt-server', 'rdp'])
Displayed: ConnCount, FlowCount, Target Port, Protocols

attempt-login-telnet (medium)
Label_en: The machine attempted to log in to the Telnet service.
Label_cs: Stroj se pokoušel připojovat ke službě Telnet.
Reference: https://csirt.cesnet.cz/cs/services/eventclass/attempt-login-telnet
Filtering rule: Category in ['Attempt.Login'] and (Target.Proto in ['telnet'] or Source.Proto in ['telnet'] or Target.Port in [23])
Displayed: ConnCount, FlowCount, Target Port, Protocols

attempt-login-ssh (medium)
Label_en: The machine attempted to log in to the SSH service.
Label_cs: Stroj se pokoušel připojovat ke službě SSH.
Reference: https://csirt.cesnet.cz/cs/services/eventclass/attempt-login-ssh
Filtering rule: Category in ['Attempt.Login', 'Intrusion.UserCompromise'] and (Target.Proto in ['ssh'] or Source.Proto in ['ssh'] or Target.Port in [22])
Displayed: ConnCount, FlowCount, Source Port, Target Port, Protocols, ips (targets)

attempt-login-sip (medium)
Label_en: The machine attempted to log in over the SIP protocol.
Label_cs: Stroj se pokoušel připojovat pomocí SIP protokolu.
Reference: https://csirt.cesnet.cz/cs/services/eventclass/attempt-login-sip
Filtering rule: Category in ['Attempt.Login'] and (Target.Proto in ['sip', 'sip-tls'] or Source.Proto in ['sip', 'sip-tls'] or Target.Port in [5060])
Displayed: ??? (not in events DB)

attempt-exploit-http (medium)
Label_en: The machine attempted to exploit an HTTP/S service.
Label_cs: Stroj se pokusil zneužít službu na HTTP/S.
Reference: https://csirt.cesnet.cz/cs/services/eventclass/attempt-exploit-http
Filtering rule: Category in ['Attempt.Exploit'] and (Target.Port in [80, 443] or Source.Proto in ['http', 'https', 'http-alt'] or Target.Proto in ['http', 'https', 'http-alt'])
Displayed: ConnCount, Target Proto, Target Hostname, ips (targets)
=> cz.cesnet.vm.crowdsec: Ref should be cve:CVE-2020-5902 rather than urn:cve:CVE-2020-5902 (without the urn: prefix); the second reference should either be dropped or moved to URL

attempt-exploit (medium)
Label_en: The machine attempted to exploit some well-known service.
Label_cs: Stroj se pokoušel zneužít některou známou službu.
Reference: https://csirt.cesnet.cz/cs/services/eventclass/attempt-exploit
Filtering rule: Category in ['Attempt.Exploit']
Displayed: ConnCount, Protocols, Source Port, Target Port, ips (targets)

avail-ddos (medium)
Label_en: The following hosts were sources of DDoS attacks.
Label_cs: Následující stroje byly zdroje DDoS útoků.
Reference: https://csirt.cesnet.cz/cs/services/eventclass/avail-ddos
Filtering rule: Category in ['Availability.DoS', 'Availability.DDoS']
Displayed: FlowCount, Source Port, Source Proto
=> the events should also be reported based on the target - #7621

abusive-spam-backscatter (low)
Label_en: The mail server is misconfigured and spreading backscatter (misdirected bounces).
Label_cs: Poštovní server je špatně nakonfigurován a šíří backscatter (nevyžádaná návratová hlášení).
Reference: https://csirt.cesnet.cz/cs/services/eventclass/abusive-spam-backscatter
Filtering rule: Category in ['Abusive.Spam'] and Source.Type in ['Backscatter']
Displayed: ??? (not in events DB)

abusive-spam-spammer (medium)
Label_en: The mail server is spreading spam.
Label_cs: Poštovní server šíří spam.
Reference: https://csirt.cesnet.cz/cs/services/eventclass/abusive-spam-spammer
Filtering rule: Category in ['Abusive.Spam'] and Source.Type in ['Spam']
Displayed: Protocols
=> cz.cesnet.fail2ban.blacklist
- the "IP" attribute should be "IP4"/"IP6"; no report is generated from these events because the abuse group is never assigned
- _CESNET/Impact is not displayed anywhere; the message should be moved to Note

vulnerable-config-qotd (medium)
Label_en: Open access to QoTD service.
Label_cs: Stroj má otevřeně přístupnou službu QoTD.
Reference: https://csirt.cesnet.cz/cs/services/eventclass/vulnerable-config-qotd
Filtering rule: Category in ['Vulnerable.Config'] and (Source.Proto in ['qotd'] or Source.Port in [17])
Displayed: ??? (no event in last month)

vulnerable-config-ssdp (medium)
Label_en: Open access to SSDP service.
Label_cs: Stroj má otevřeně přístupnou službu SSDP.
Reference: https://csirt.cesnet.cz/cs/services/eventclass/vulnerable-config-ssdp
Filtering rule: Category in ['Vulnerable.Config'] and (Source.Proto in ['ssdp'] or Source.Port in [1900])
Displayed: Source Note, Source Port, Source URL?

vulnerable-config-ntp (medium)
Label_en: Open access to NTP service.
Label_cs: Stroj má otevřeně přístupnou službu NTP.
Reference: https://csirt.cesnet.cz/cs/services/eventclass/vulnerable-config-ntp
Filtering rule: Category in ['Vulnerable.Config'] and (Source.Proto in ['ntp'] or Source.Port in [123])
Displayed: Source Port, Source Proto, Source Note

vulnerable-config-domain (medium)
Label_en: Open access to recursive DNS server.
Label_cs: Na stroji je otevřený rekurzivní DNS resolver.
Reference: https://csirt.cesnet.cz/cs/services/eventclass/vulnerable-config-domain
Filtering rule: Category in ['Vulnerable.Config'] and (Source.Proto in ['domain'] or Source.Port in [53])
Displayed: Source Port, Source Proto

vulnerable-config-netbios (medium)
Label_en: Open access to NetBIOS-NS service.
Label_cs: Stroj má otevřeně přístupnou službu NetBIOS-NS.
Reference: https://csirt.cesnet.cz/cs/services/eventclass/vulnerable-config-netbios
Filtering rule: Category in ['Vulnerable.Config'] and (Source.Proto in ['netbios-ns', 'netbios-dgm', 'netbios-ssn'] or Source.Port in [137, 138, 139])
Displayed: Source Port, Source Proto

vulnerable-config-ipmi (medium)
Label_en: Open access to Intelligent Platform Management Interface service.
Label_cs: Stroj má otevřeně přístupnou službu Intelligent Platform Management Interface.
Reference: https://csirt.cesnet.cz/cs/services/eventclass/vulnerable-config-ipmi
Filtering rule: Category in ['Vulnerable.Config'] and (Source.Proto in ['ipmi', 'asf-rmcp'] or Source.Port in [623])
Displayed: Source Port, Source Proto, Source Note

vulnerable-config-chargen (medium)
Label_en: Open access to Character Generator service.
Label_cs: Stroj má otevřeně přístupnou službu Character Generator.
Reference: https://csirt.cesnet.cz/cs/services/eventclass/vulnerable-config-chargen
Filtering rule: Category in ['Vulnerable.Config'] and (Source.Proto in ['chargen'] or Source.Port in [19])
Displayed: ??? (no event in last month)

vulnerable-config-snmp (medium)
Label_en: Open access to SNMP service with "public" community.
Label_cs: Stroj má otevřeně přístupnou službu SNMP s komunitou "public".
Reference: https://csirt.cesnet.cz/cs/services/eventclass/vulnerable-config-snmp
Filtering rule: Category in ['Vulnerable.Config'] and (Source.Proto in ['snmp'] or Source.Port in [161])
Displayed: Source Port, Source Proto
=> Note could be more useful (better parsed and shorter)

vulnerable-config-tls-old (medium)
Label_en: Old SSL/TLS is being used.
Label_cs: Používání zastaralého SSL/TLS.
Reference: https://csirt.cesnet.cz/cs/services/eventclass/vulnerable-config-tls-old
Filtering rule: Category in ['Vulnerable.Config'] and Source.Proto in ['ssl2', 'ssl3']
Displayed: Source Hostname, Source Port, Source Proto

vulnerable-open-socks (medium)
Label_en: Open SOCKS proxy.
Label_cs: Stroj funguje jako otevřená SOCKS proxy.
Reference: https://csirt.cesnet.cz/cs/services/eventclass/vulnerable-open-socks
Filtering rule: Category in ['Vulnerable.Config', 'Vulnerable.Open'] and (Source.Proto in ['socks'] or Source.Port in [1080])
Displayed: ??? (no event in last month)

vulnerable-implementation (medium)
Label_en: A vulnerable version of software was found.
Label_cs: Byla nalezena zranitelná verze softwaru.
Filtering rule: Category in ['Vulnerable.Open'] and Ref like ['cvr:']
Displayed: Ref, Source Note, Source Ref, Source Hostname, Source Proto, Source Port

anomaly-traffic-url (low)
Label_en: Botnet communication was intercepted and it contained a URL belonging to your network.
Label_cs: Byla zachycena komunikace botnetů, která obsahovala URL z Vaší sítě.
Reference: https://csirt.cesnet.cz/cs/services/eventclass/anomaly-traffic-url
Filtering rule: Category in ['Anomaly.Traffic'] and Source.Type in ['OriginSandbox']
Displayed: ??? (not in events DB)

anomaly-traffic (low)
Label_en: Communication of the following hosts is unusually large or suspicious.
Label_cs: Komunikace těchto strojů je neobvykle vysoká či podezřelá.
Reference: https://csirt.cesnet.cz/cs/services/eventclass/anomaly-traffic
Filtering rule: Category in ['Anomaly.Traffic']
Displayed: FlowCount, DroppedFlowCount, PacketCount, DroppedPacketCount, ByteCount, DroppedByteCount, AvgPacketSize, Ref?, protocols, ips (targets), Source: InFlowCount & OutFlowCount & InPacketCount & OutPacketCount & InByteCount & OutByteCount, Source Interface, Source BitMask, Source Router, Target Port, Source Port? (possibly a lot)
=> cz.casablanca.nemea.blacklist - In(Out)PacketCount should be used, not In(Out)PacketsCount

intrusion-botnet-bot (medium)
Label_en: The machine is compromised and serves as a bot drone.
Label_cs: Stroj je zkompromitován a je součástí botnetu.
Reference: https://csirt.cesnet.cz/cs/services/eventclass/intrusion-botnet-bot
Filtering rule: Category in ['Intrusion.Botnet'] and Source.Type in ['Botnet']
Displayed: Source Port, Source Proto
=> cz.cesnet.sabu_ext.cymru - "Note": "\"\"" is weird

intrusion-botnet-cc (medium)
Label_en: The machine is a command and control server of a botnet.
Label_cs: Stroj je řídící (command and control) server botnetu.
Reference: https://csirt.cesnet.cz/cs/services/eventclass/intrusion-botnet-cc
Filtering rule: Category in ['Intrusion.Botnet'] and Source.Type in ['CC']
Displayed: ??? (not in events DB)

recon-scanning (low)
Label_en: The machine performed some type of active scanning.
Label_cs: Stroj se pokoušel o nějakou formu aktivního skenování.
Reference: https://csirt.cesnet.cz/cs/services/eventclass/recon-scanning
Filtering rule: Category in ['Recon.Scanning']
Displayed: ConnCount, FlowCount, Protocols, Target Port, ips (targets)