Reporting - event classes

anomaly-host-miner (low)
Label_en: Hosts recently active as Bitcoin seed nodes.
Label_cs: Zařízení nedávno aktivní v těžbě Bitcoinů.
Reference: https://csirt.cesnet.cz/cs/services/eventclass/anomaly-host-miner
Filtering rule: Category in ['Anomaly.Behaviour'] and Source.Type in ['Miner']

attempt-login-rdp (medium)
Label_en: The machine attempted to log in to the Remote Desktop Protocol service.
Label_cs: Stroj se pokoušel připojovat ke službě Remote Desktop Protocol.
Reference: https://csirt.cesnet.cz/cs/services/eventclass/attempt-login-rdp
Filtering rule: Category in ['Attempt.Login'] and (Target.Port in [3389] or Target.Proto in ['ms-wbt-server', 'rdp'])

attempt-login-telnet (medium)
Label_en: The machine attempted to log in to the Telnet service.
Label_cs: Stroj se pokoušel připojovat ke službě Telnet.
Reference: https://csirt.cesnet.cz/cs/services/eventclass/attempt-login-telnet
Filtering rule: Category in ['Attempt.Login'] and (Target.Proto in ['telnet'] or Source.Proto in ['telnet'] or Target.Port in [23])

attempt-login-ssh (medium)
Label_en: The machine attempted to log in to the SSH service.
Label_cs: Stroj se pokoušel připojovat ke službě SSH.
Reference: https://csirt.cesnet.cz/cs/services/eventclass/attempt-login-ssh
Filtering rule: Category in ['Attempt.Login', 'Intrusion.UserCompromise'] and (Target.Proto in ['ssh'] or Source.Proto in ['ssh'] or Target.Port in [22])

attempt-login-sip (medium)
Label_en: The machine attempted to log in over the SIP protocol.
Label_cs: Stroj se pokoušel připojovat pomocí SIP protokolu.
Reference: https://csirt.cesnet.cz/cs/services/eventclass/attempt-login-sip
Filtering rule: Category in ['Attempt.Login'] and (Target.Proto in ['sip', 'sip-tls'] or Source.Proto in ['sip', 'sip-tls'] or Target.Port in [5060])

attempt-exploit-http (medium)
Label_en: The machine attempted to exploit an HTTP/S service.
Label_cs: Stroj se pokusil zneužít službu na HTTP/S.
Reference: https://csirt.cesnet.cz/cs/services/eventclass/attempt-exploit-http
Filtering rule: Category in ['Attempt.Exploit'] and (Target.Port in [80, 443] or Source.Proto in ['http', 'https', 'http-alt'] or Target.Proto in ['http', 'https', 'http-alt'])
=> cz.cesnet.vm.crowdsec: Ref should not be urn:cve:CVE-2020-5902, but cve:CVE-2020-5902 (without urn:), and the second reference might be avoided or moved to URL

attempt-exploit (medium)
Label_en: The machine attempted to exploit a well-known service.
Label_cs: Stroj se pokoušel zneužít některou známou službu.
Reference: https://csirt.cesnet.cz/cs/services/eventclass/attempt-exploit
Filtering rule: Category in ['Attempt.Exploit']

avail-ddos (medium)
Label_en: The following hosts were sources of DDoS attacks.
Label_cs: Následující stroje byly zdroje DDoS útoků.
Reference: https://csirt.cesnet.cz/cs/services/eventclass/avail-ddos
Filtering rule: Category in ['Availability.DoS', 'Availability.DDoS']
=> the events should also be reported based on target - #7621

abusive-spam-backscatter (low)
Label_en: The mail server is misconfigured and spreading backscatter (misdirected bounces).
Label_cs: Poštovní server je špatně nakonfigurován a šíří backscatter (nevyžádaná návratová hlášení).
Reference: https://csirt.cesnet.cz/cs/services/eventclass/abusive-spam-backscatter
Filtering rule: Category in ['Abusive.Spam'] and Source.Type in ['Backscatter']

abusive-spam-spammer (medium)
Label_en: The mail server is spreading spam.
Label_cs: Poštovní server šíří spam.
Reference: https://csirt.cesnet.cz/cs/services/eventclass/abusive-spam-spammer
Filtering rule: Category in ['Abusive.Spam'] and Source.Type in ['Spam']
=> cz.cesnet.fail2ban.blacklist
- _CESNET/Impact will not be displayed anywhere, the message should be moved to Note

vulnerable-config-qotd (medium)
Label_en: Open access to QoTD service.
Label_cs: Stroj má otevřeně přístupnou službu QoTD.
Reference: https://csirt.cesnet.cz/cs/services/eventclass/vulnerable-config-qotd
Filtering rule: Category in ['Vulnerable.Config'] and (Source.Proto in ['qotd'] or Source.Port in [17])

vulnerable-config-ssdp (medium)
Label_en: Open access to SSDP service.
Label_cs: Stroj má otevřeně přístupnou službu SSDP.
Reference: https://csirt.cesnet.cz/cs/services/eventclass/vulnerable-config-ssdp
Filtering rule: Category in ['Vulnerable.Config'] and (Source.Proto in ['ssdp'] or Source.Port in [1900])

vulnerable-config-ntp (medium)
Label_en: Open access to NTP service.
Label_cs: Stroj má otevřeně přístupnou službu NTP.
Reference: https://csirt.cesnet.cz/cs/services/eventclass/vulnerable-config-ntp
Filtering rule: Category in ['Vulnerable.Config'] and (Source.Proto in ['ntp'] or Source.Port in [123])

vulnerable-config-domain (medium)
Label_en: Open access to recursive DNS server.
Label_cs: Na stroji je otevřený rekurzivní DNS resolver.
Reference: https://csirt.cesnet.cz/cs/services/eventclass/vulnerable-config-domain
Filtering rule: Category in ['Vulnerable.Config'] and (Source.Proto in ['domain'] or Source.Port in [53])

vulnerable-config-netbios (medium)
Label_en: Open access to NetBIOS-NS service.
Label_cs: Stroj má otevřeně přístupnou službu NetBIOS-NS.
Reference: https://csirt.cesnet.cz/cs/services/eventclass/vulnerable-config-netbios
Filtering rule: Category in ['Vulnerable.Config'] and (Source.Proto in ['netbios-ns', 'netbios-dgm', 'netbios-ssn'] or Source.Port in [137, 138, 139])

vulnerable-config-ipmi (medium)
Label_en: Open access to Intelligent Platform Management Interface service.
Label_cs: Stroj má otevřeně přístupnou službu Intelligent Platform Management Interface.
Reference: https://csirt.cesnet.cz/cs/services/eventclass/vulnerable-config-ipmi
Filtering rule: Category in ['Vulnerable.Config'] and (Source.Proto in ['ipmi', 'asf-rmcp'] or Source.Port in [623])

vulnerable-config-chargen (medium)
Label_en: Open access to Character Generator service.
Label_cs: Stroj má otevřeně přístupnou službu Character Generator.
Reference: https://csirt.cesnet.cz/cs/services/eventclass/vulnerable-config-chargen
Filtering rule: Category in ['Vulnerable.Config'] and (Source.Proto in ['chargen'] or Source.Port in [19])

vulnerable-config-snmp (medium)
Label_en: Open access to SNMP service with "public" community.
Label_cs: Stroj má otevřeně přístupnou službu SNMP s komunitou "public".
Reference: https://csirt.cesnet.cz/cs/services/eventclass/vulnerable-config-snmp
Filtering rule: Category in ['Vulnerable.Config'] and (Source.Proto in ['snmp'] or Source.Port in [161])
=> Note could be more useful (better parsed and shorter)

vulnerable-config-tls-old (medium)
Label_en: Old SSL/TLS is being used.
Label_cs: Používaní zastaralého SSL/TLS.
Reference: https://csirt.cesnet.cz/cs/services/eventclass/vulnerable-config-tls-old
Filtering rule: Category in ['Vulnerable.Config'] and Source.Proto in ['ssl2', 'ssl3']

vulnerable-open-socks (medium)
Label_en: Open SOCKS proxy.
Label_cs: Stroj funguje jako otevřená SOCKS proxy.
Reference: https://csirt.cesnet.cz/cs/services/eventclass/vulnerable-open-socks
Filtering rule: Category in ['Vulnerable.Config', 'Vulnerable.Open'] and (Source.Proto in ['socks'] or Source.Port in [1080])

vulnerable-implementation (medium)
Label_en: A vulnerable software version was found.
Label_cs: Byla nalezena zranitelná verze softwaru.
Filtering rule: Category in ['Vulnerable.Open'] and Ref like ['cve:']

anomaly-traffic-url (low)
Label_en: Botnet communication was intercepted and it contained a URL belonging to your network.
Label_cs: Byla zachycena komunikace botnetů, která obsahovala URL z Vaší sítě.
Reference: https://csirt.cesnet.cz/cs/services/eventclass/anomaly-traffic-url
Filtering rule: Category in ['Anomaly.Traffic'] and Source.Type in ['OriginSandbox']

anomaly-traffic (low)
Label_en: Communication of the following hosts is unusually large or suspicious.
Label_cs: Komunikace těchto strojů je neobvykle vysoká či podezřelá.
Reference: https://csirt.cesnet.cz/cs/services/eventclass/anomaly-traffic
Filtering rule: Category in ['Anomaly.Traffic']

intrusion-botnet-bot (medium)
Label_en: The machine is compromised and serves as a bot drone.
Label_cs: Stroj je zkompromitován a je součástí botnetu.
Reference: https://csirt.cesnet.cz/cs/services/eventclass/intrusion-botnet-bot
Filtering rule: Category in ['Intrusion.Botnet'] and Source.Type in ['Botnet']

intrusion-botnet-cc (medium)
Label_en: The machine is a command and control server of a botnet.
Label_cs: Stroj je řídící (command and control) server botnetu.
Reference: https://csirt.cesnet.cz/cs/services/eventclass/intrusion-botnet-cc
Filtering rule: Category in ['Intrusion.Botnet'] and Source.Type in ['CC']

recon-scanning (low)
Label_en: The machine performed some type of active scanning.
Label_cs: Stroj se pokoušel o nějakou formu aktivního skenování.
Reference: https://csirt.cesnet.cz/cs/services/eventclass/recon-scanning
Filtering rule: Category in ['Recon.Scanning']
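As an added example (not Mentat's own filter engine and not code from this page), the Python below evaluates rules written in the syntax used above against IDEA events, so the classes can be exercised offline. It parses `Path in [values]`, `Path like [patterns]`, `and`, `or` and parentheses, and makes these assumptions: a dotted path such as `Target.Port` collects the values of every `Target` entry, `in` holds when any collected value is listed, `like` is a plain substring test, and classes are tried in page order with the first match winning. The class table is a subset of the page's classes, the `vulnerable-implementation` rule is written with the `cve:` Ref prefix that the note under attempt-exploit-http expects, and the events (including the CVE id) are constructed placeholders.

```python
"""Classify IDEA events with this page's filtering rules.  Added example, not
Mentat's filter engine.  Assumed: a dotted path collects values of every entry,
`in` matches any collected value, `like` is a substring test, first match wins."""
import re

# Tokens: brackets, comma, single-quoted string, integer, dotted identifier.
TOKEN = r"\(|\)|\[|\]|,|'[^']*'|\d+|[A-Za-z_][\w.]*"

def tokenize(rule):
    if not re.fullmatch(r"(?:\s*(?:%s))*\s*" % TOKEN, rule):
        raise ValueError("rule contains unexpected characters: %r" % rule)
    return re.findall(TOKEN, rule)

def parse(rule):
    """Build a nested tuple tree; precedence: parentheses > and > or."""
    toks = tokenize(rule)

    def take(expected=None):
        if not toks or (expected is not None and toks[0] != expected):
            raise ValueError("expected %r, got %r" % (expected, toks[:1]))
        return toks.pop(0)

    def binary(keyword, operand):
        tree = operand()
        while toks and toks[0] == keyword:
            take()
            tree = (keyword, tree, operand())
        return tree

    def expr():
        return binary("or", lambda: binary("and", atom))

    def atom():  # "( expr )" or "Path in|like [values]"
        if toks and toks[0] == "(":
            take("(")
            tree = expr()
            take(")")
            return tree
        path, op = take(), take()
        if op not in ("in", "like"):
            raise ValueError("unsupported operator %r" % op)
        take("[")
        items = []
        while toks and toks[0] != "]":
            items.append(take())
        take("]")
        return (op, path, [int(t) if t.isdigit() else t.strip("'") for t in items if t != ","])

    tree = expr()
    if toks:
        raise ValueError("trailing tokens %r" % toks)
    return tree

def resolve(event, path):
    """Collect every value reachable by a dotted IDEA path, e.g. Source.Port."""
    nodes = [event]
    for key in path.split("."):
        found = [n[key] for n in nodes if isinstance(n, dict) and key in n]
        nodes = [v for f in found for v in (f if isinstance(f, list) else [f])]
    return nodes

def evaluate(tree, event):
    op, lhs, rhs = tree
    if op == "and":
        return evaluate(lhs, event) and evaluate(rhs, event)
    if op == "or":
        return evaluate(lhs, event) or evaluate(rhs, event)
    values = resolve(event, lhs)
    if op == "in":
        return any(v in rhs for v in values)
    return any(isinstance(v, str) and p in v for v in values for p in rhs)  # like

# (name, severity, rule): a subset of the page's classes, kept in page order.
# The Ref rule uses the cve: prefix (the page's 'cvr:' is read as that prefix).
EVENT_CLASSES = [
    ("attempt-login-ssh", "medium", "Category in ['Attempt.Login', 'Intrusion.UserCompromise']"
     " and (Target.Proto in ['ssh'] or Source.Proto in ['ssh'] or Target.Port in [22])"),
    ("attempt-exploit-http", "medium", "Category in ['Attempt.Exploit'] and (Target.Port in [80, 443]"
     " or Source.Proto in ['http', 'https', 'http-alt'] or Target.Proto in ['http', 'https', 'http-alt'])"),
    ("attempt-exploit", "medium", "Category in ['Attempt.Exploit']"),
    ("vulnerable-implementation", "medium", "Category in ['Vulnerable.Open'] and Ref like ['cve:']"),
]
COMPILED = [(name, severity, parse(rule)) for name, severity, rule in EVENT_CLASSES]

def classify(event):
    """Return (class, severity) of the first matching rule, or None."""
    for name, severity, tree in COMPILED:
        if evaluate(tree, event):
            return name, severity
    return None

# Constructed IDEA events for the demo, not real alerts; the CVE id is a placeholder.
SAMPLE_EVENTS = {
    "ssh_bruteforce": {"Category": ["Attempt.Login"], "Target": [{"Port": [22]}]},
    "web_exploit_alt_port": {"Category": ["Attempt.Exploit"], "Target": [{"Port": [8080], "Proto": ["http-alt"]}]},
    "exploit_other_service": {"Category": ["Attempt.Exploit"], "Target": [{"Port": [8443]}]},
    "cve_hit": {"Category": ["Vulnerable.Open"], "Ref": ["cve:CVE-0000-0000"]},
}
```

Running `classify` over `SAMPLE_EVENTS` shows why the order of the table matters: the event with only `Target.Proto` `http-alt` lands in attempt-exploit-http because that rule precedes the generic attempt-exploit, while the exploit attempt on an unlisted port falls through to the generic class. The tokenizer rejects any character outside the rule grammar, so a malformed rule fails at load time rather than silently matching nothing.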