ISS RealSecure Network Sensor Policy
[ issPolicy v1.01 | http://packet.sequenced.org/projects/isspolicy ]



POLICY INFORMATION

   Policy File: policies/AttackDetector.policy
   Policy Name: Attack Detector
   Policy Version: 7.0.2003.59
   Sensor Type: RealSecure Network Sensor (v7.0)


SIGNATURES POLICY

Response Summary Legend: DISPLAY | LOGDB | EMAIL | SNMP | RSKILL | OPSEC | LOGEVIDENCE | VIEWSESSION

Signature Name	Signature Description	Signature Status	Signature Priority	Response Summary	Log
AOLIM_File_Xfer	AOL Instant Messenger file transfer	Disabled	LOW		LogWithoutRaw
AOLIM_Login	AOL Instant Messenger login	Disabled	LOW		LogWithoutRaw
AOLIM_Message	AOL Instant Messenger message	Disabled	LOW		LogWithoutRaw
AOLIM_Password_Change	AOL Instant Messenger password change	Disabled	LOW		LogWithoutRaw
AOLIM_Trillian_Encrypt_Handshake	Trillian encrypted messaging handshake	Disabled	LOW		LogWithoutRaw
AUDIT_DNS_Version_Request	Bind Version Information Requested	Disabled	LOW		LogWithoutRaw
BGP_New_Route	BGP new route advertisement	Disabled	LOW		LogWithoutRaw
BGP_Notify_Msg	BGP notification message	Disabled	LOW		LogWithoutRaw
BGP_Route_Unreachable	BGP route has become unreachable	Disabled	LOW		LogWithoutRaw
DHCP_Ack	DHCP Ack	Disabled	LOW		LogWithoutRaw
DHCP_Discover	DHCP Discover	Disabled	LOW		LogWithoutRaw
DHCP_Request	DHCP Request	Disabled	LOW		LogWithoutRaw
Email_Data	Report SMTP e-mail message body	Disabled	LOW		LogWithoutRaw
Email_Ehlo	E-mail SMTP Ehlo info leak	Disabled	LOW		LogWithoutRaw
Email_From	Decode SMTP From: line	Disabled	LOW		LogWithoutRaw
Email_Mime_Filename	SMTP MIME filename	Disabled	LOW		LogWithoutRaw
Email_ServerID	SMTP Server ID	Disabled	LOW		LogWithoutRaw
Email_Subject	Decode E-Mail Subject: line	Disabled	LOW		LogWithoutRaw
Email_To	Decode SMTP To: line	Disabled	LOW		LogWithoutRaw
FTP_Filename	FTP File Name	Disabled	LOW		LogWithoutRaw
FTP_Get	Decode FTP get file command	Disabled	LOW		LogWithoutRaw
FTP_Mkdir	Decode FTP mkdir command	Disabled	LOW		LogWithoutRaw
FTP_Port	FTP Port Command	Disabled	LOW		LogWithoutRaw
FTP_Put	Decode FTP put file command	Disabled	LOW		LogWithoutRaw
FTP_Server_Identity	FTP Server Identity	Disabled	LOW		LogWithoutRaw
FTP_Syst	FTP SYST command decode	Disabled	LOW		LogWithoutRaw
FTP_User	Decode FTP username command	Disabled	LOW		LogWithoutRaw
FastTrack_Download	FastTrack Download	Disabled	LOW		LogWithoutRaw
Gnutella_BearShare	Gnutella BearShare	Disabled	LOW		LogWithoutRaw
Gnutella_Connect	Gnutella connection	Disabled	LOW		LogWithoutRaw
Gnutella_Download	Gnutella file transfer	Disabled	LOW		LogWithoutRaw
Gnutella_LimeWire	Gnutella LimeWire	Disabled	LOW		LogWithoutRaw
HTTP_Authentication	HTTP authentication decode	Disabled	LOW		LogWithoutRaw
HTTP_Cookie	HTTP Cookie Passing Check	Disabled	LOW		LogWithoutRaw
HTTP_EDonkey	HTTP EDonkey	Disabled	LOW		LogWithoutRaw
HTTP_Get	Decode HTTP get command	Disabled	LOW		LogWithoutRaw
HTTP_GetArg	HTTP Get Arg	Disabled	LOW		LogWithoutRaw
HTTP_Java_Class	Java Class URL	Disabled	LOW		LogWithoutRaw
HTTP_Kazaa	HTTP KaZaA	Disabled	LOW		LogWithoutRaw
HTTP_Post	Decode HTTP Post command	Disabled	LOW		LogWithoutRaw
HTTP_Post_Field	HTTP Post Field	Disabled	LOW		LogWithoutRaw
HTTP_RobotsTxt	HTTP Robots.txt probe	Disabled	LOW		LogWithoutRaw
HTTP_Server_ID	HTTP Server ID	Disabled	LOW		LogWithoutRaw
HTTP_TrendVCS_Auth_Bypass	Trend VCS stores passwords using weak encryption algorithm	Disabled	LOW		LogWithoutRaw
HTTP_User_Agent	HTTP User Agent	Disabled	LOW		LogWithoutRaw
HTTP_Vulnerable_Client	HTTP Vulnerable Client Check	Disabled	LOW		LogWithoutRaw
IMAP_Login	Decode IMAP username	Disabled	LOW		LogWithoutRaw
IP_Unknown_Protocol	Detect unknown IP protocol	Disabled	LOW		LogWithoutRaw
IRC_Join	IRC join channel decode	Disabled	LOW		LogWithoutRaw
IRC_Join_Attempt	IRC join attempt	Disabled	LOW		LogWithoutRaw
IRC_Msg	IRC message decode	Disabled	LOW		LogWithoutRaw
IRC_Nick	IRC nick change decode	Disabled	LOW		LogWithoutRaw
IRC_Notice	IRC notice message decode	Disabled	LOW		LogWithoutRaw
Ident_User	Ident user request	Disabled	LOW		LogWithoutRaw
MSMessenger_Login	Microsoft Messenger login	Disabled	LOW		LogWithoutRaw
MSMessenger_Message	Microsoft Messenger message	Disabled	LOW		LogWithoutRaw
MSRPC_Registry_Key	Windows remote registry key access	Disabled	LOW		LogWithoutRaw
MSRPC_Registry_Write	Report MSRPC Windows registry write command	Disabled	LOW		LogWithoutRaw
NNTP_Group	Decode NNTP group	Disabled	LOW		LogWithoutRaw
NNTP_Subject	Decode NNTP subject	Disabled	LOW		LogWithoutRaw
NTP_Time	Report Network Time Protocol time	Disabled	LOW		LogWithoutRaw
Napster_Client_Update	Napster client update	Disabled	LOW		LogWithoutRaw
Napster_Create_Account	Napster create account	Disabled	LOW		LogWithoutRaw
Napster_Download	Napster download	Disabled	LOW		LogWithoutRaw
Napster_Login	Napster login	Disabled	LOW		LogWithoutRaw
Napster_Login_Info	Napster login information	Disabled	LOW		LogWithoutRaw
Napster_Private_Msg	Napster private message	Disabled	LOW		LogWithoutRaw
Napster_Public_Msg	Napster public message	Disabled	LOW		LogWithoutRaw
Napster_Search	Napster search	Disabled	LOW		LogWithoutRaw
Napster_Sharing	Napster sharing	Disabled	LOW		LogWithoutRaw
Netbios_Session_Granted	Decode NetBIOS session grants	Disabled	LOW		LogWithoutRaw
Netbios_Session_Rejected	Decode NetBIOS session rejects	Disabled	LOW		LogWithoutRaw
Netbios_Session_Request	Decode NetBIOS session requests	Disabled	LOW		LogWithoutRaw
Nmap_OS_Fingerprint	Nmap OS fingerprint	Disabled	LOW		LogWithoutRaw
POP_Filename	POP3 File Name	Disabled	LOW		LogWithoutRaw
POP_Server_Identity	Decode POP Banner	Disabled	LOW		LogWithoutRaw
POP_User	Decode POP username	Disabled	LOW		LogWithoutRaw
Packet_Capturing_Remote	Remote use of packet capturing tools	Disabled	LOW		LogWithoutRaw
RIP_Add	RIP Add Route	Disabled	LOW		LogWithoutRaw
RIP_Expire	RIP Expire Route	Disabled	LOW		LogWithoutRaw
RIP_Metric_Change	RIP Metric Change	Disabled	LOW		LogWithoutRaw
RPC_Mountd_Mnt	Decode NFS mount request	Disabled	LOW		LogWithoutRaw
RPC_Portmap_Getport	Report RPC Portmapper get port requests	Disabled	LOW		LogWithoutRaw
SMB_Filename	SMB Filename	Disabled	LOW		LogWithoutRaw
SMB_LSA_Connect	Remote connection to Windows NT LSA (possible information gathering)	Disabled	LOW		LogWithoutRaw
SOCKS4_Connect	SOCKS 4 Connection	Disabled	LOW		LogWithoutRaw
SOCKS5_Connect	SOCKS 5 Connection	Disabled	LOW		LogWithoutRaw
SQL_Login	Microsoft SQL Server/Sybase login	Disabled	LOW		LogWithoutRaw
SSH_Version	Secure Shell (SSH) present	Disabled	LOW		LogWithoutRaw
TCP_ACK_Ping	TCP ACK ping	Disabled	LOW		LogWithoutRaw
TCP_FIN_Scan	TCP FIN scan	Disabled	LOW		LogWithoutRaw
TCP_Null_Scan	TCP Null scan	Disabled	LOW		LogWithoutRaw
TCP_OS_Fingerprint	TCP OS fingerprint	Disabled	LOW		LogWithoutRaw
TCP_Probe_DNS	DNS TCP port probe	Disabled	LOW		LogWithoutRaw
TCP_Probe_Finger	FINGER port probe	Disabled	LOW		LogWithoutRaw
TCP_Probe_Ftp	FTP port probe	Disabled	LOW		LogWithoutRaw
TCP_Probe_Gnutella	TCP Probe Gnutella	Disabled	LOW		LogWithoutRaw
TCP_Probe_HTTP	HTTP port probe	Disabled	LOW		LogWithoutRaw
TCP_Probe_IRC	IRC port probe	Disabled	LOW		LogWithoutRaw
TCP_Probe_Ident	IDENT port probe	Disabled	LOW		LogWithoutRaw
TCP_Probe_Imap4	IMAP4 port probe	Disabled	LOW		LogWithoutRaw
TCP_Probe_LinuxConf	Linux conf port probe	Disabled	LOW		LogWithoutRaw
TCP_Probe_Lpr	LPR port probe	Disabled	LOW		LogWithoutRaw
TCP_Probe_MSRPC	Microsoft RPC TCP port probe	Disabled	LOW		LogWithoutRaw
TCP_Probe_NNTP	NNTP port probe	Disabled	LOW		LogWithoutRaw
TCP_Probe_NetBIOS	NetBIOS port probe	Disabled	LOW		LogWithoutRaw
TCP_Probe_Netbus	Netbus probe	Disabled	LOW		LogWithoutRaw
TCP_Probe_Other	TCP port probe	Disabled	LOW		LogWithoutRaw
TCP_Probe_POP3	POP3 port probe	Disabled	LOW		LogWithoutRaw
TCP_Probe_PPTP	PPTP port probe	Disabled	LOW		LogWithoutRaw
TCP_Probe_Proxy	Proxy port probe	Disabled	LOW		LogWithoutRaw
TCP_Probe_Rlogin	Rlogin port probe	Disabled	LOW		LogWithoutRaw
TCP_Probe_SMTP	SMTP port probe	Disabled	LOW		LogWithoutRaw
TCP_Probe_SQL	SQL port probe	Disabled	LOW		LogWithoutRaw
TCP_Probe_Socks	SOCKS port probe	Disabled	LOW		LogWithoutRaw
TCP_Probe_SunRPC	RPC TCP port probe	Disabled	LOW		LogWithoutRaw
TCP_Probe_T0rn	T0rn port probe	Disabled	LOW		LogWithoutRaw
TCP_Probe_Telnet	Telnet port probe	Disabled	LOW		LogWithoutRaw
TCP_Probe_Trojan	TCP trojan horse probe	Disabled	LOW		LogWithoutRaw
TCP_Probe_XWindows	X-Windows port probe	Disabled	LOW		LogWithoutRaw
TCP_Xmas_Scan	TCP Xmas scan	Disabled	LOW		LogWithoutRaw
Talk_Request	Decode talk request	Disabled	LOW		LogWithoutRaw
Telnet_Auth_Kerb4	Telnet using Kerberos4 authentication	Disabled	LOW		LogWithoutRaw
Telnet_Auth_Kerb5	Telnet using Kerberos5 authentication	Disabled	LOW		LogWithoutRaw
Telnet_Auth_Loki	Telnet using Loki authentication	Disabled	LOW		LogWithoutRaw
Telnet_Auth_Null	Telnet using null authentication	Disabled	LOW		LogWithoutRaw
Telnet_Auth_Rsa	Telnet using RSA authentication	Disabled	LOW		LogWithoutRaw
Telnet_Auth_Spx	Telnet using SPX authentication	Disabled	LOW		LogWithoutRaw
Telnet_Auth_User	Telnet using user authentication	Disabled	LOW		LogWithoutRaw
Telnet_Env_All	Telnet environment variables	Disabled	LOW		LogWithoutRaw
Telnet_Login	Telnet Login Name	Disabled	LOW		LogWithoutRaw
Telnet_Terminal_Type	Telnet terminal type option	Disabled	LOW		LogWithoutRaw
Telnet_Xdisplay	Telnet X display option	Disabled	LOW		LogWithoutRaw
UDP_Probe_CharGen	CHARGEN port probe	Disabled	LOW		LogWithoutRaw
UDP_Probe_DNS	DNS UDP port probe	Disabled	LOW		LogWithoutRaw
UDP_Probe_Echo	UDP ECHO port probe	Disabled	LOW		LogWithoutRaw
UDP_Probe_MSDNS	Microsoft DNS port probe	Disabled	LOW		LogWithoutRaw
UDP_Probe_MSRPC	Microsoft RPC UDP port probe	Disabled	LOW		LogWithoutRaw
UDP_Probe_NFS	NFS port probe	Disabled	LOW		LogWithoutRaw
UDP_Probe_NFS_Lockd	NFS-LOCKD port probe	Disabled	LOW		LogWithoutRaw
UDP_Probe_Norton_AV	Norton Antivirus port probe	Disabled	LOW		LogWithoutRaw
UDP_Probe_Other	UDP port probe	Disabled	LOW		LogWithoutRaw
UDP_Probe_Qotd	QOTD port probe	Disabled	LOW		LogWithoutRaw
UDP_Probe_SNMP	SNMP port probe	Disabled	LOW		LogWithoutRaw
UDP_Probe_TFTP	TFTP port probe	Disabled	LOW		LogWithoutRaw
UDP_Probe_Trojan	UDP Trojan Horse probe	Disabled	LOW		LogWithoutRaw
VNC_Detected	VNC session detected	Disabled	LOW		LogWithoutRaw
Windows_Access_Error	Errors while connecting to Windows servers	Disabled	LOW		LogWithoutRaw
Windows_Null_Session	Windows null session login (possible anonymous user backdoor)	Disabled	LOW		LogWithoutRaw
YahooMSG_File_Transfer	Yahoo Messaging file transfer	Disabled	LOW		LogWithoutRaw
YahooMSG_Login	Yahoo Messaging login	Disabled	LOW		LogWithoutRaw
YahooMSG_Message	Yahoo Messaging message	Disabled	LOW		LogWithoutRaw
pcAnywhere_Login	Detect pcAnywhere logins	Disabled	LOW		LogWithoutRaw

USER-DEFINED IP FILTERS

Filter Name	Filter Description	Filter Status	Protocol	Source Address/Mask [Asset]	Source Port	Destination Address/Mask [Asset]	Destination Port

USER-DEFINED EVENT FILTERS

Filter Name	Filter Description	Filter Status	Filtered Event	Source Address	Source Port	Destination Address	Destination Port

[ Generated using: issPolicy v1.01 - http://packet.sequenced.org/projects/isspolicy ] [ Author: Kristof Philipsen / kphilipsen@gmail.com ]