Network Security Platform correlated attacks
Technical Article ID:
KB60305
Last Modified: 2021-06-11 14:51:41 Etc/GMT
Environment
McAfee Network Security Manager (NSM)
McAfee Network Security Sensor
Summary
| (Correlated) Attack Name | (Correlated) Attack ID | (Correlated) Attack Severity | Suppress-Failure | (Correlated) Attack Category | (Correlated) Attack Sub-category | (Component) Attack Name | (Component) Attack ID | (Component) Attack Severity | (Component) Attack Blockable Option in NSM 6.1 and later |
|---|---|---|---|---|---|---|---|---|---|
| SMTP: Possible Brute Force Attack Detected | 0x40416c00 | 6 | yes | Reconnaissance | brute-force | SMTP: Authentication Failure Seen | 0x40416b00 | 0 | Disallowed |
| SSL: Possible OpenSSL Denial of Service via memory exhaustion (CVE-2016-6304) | 0x43f01000 | 5 | yes | Reconnaissance | Multi-Attack Correlation | SSL: OCSP extension enabled in client hello, OpenSSL: Handshake packet seen | 0x45c08e00, 0x45d39e00 | 0 | Disallowed |
| SSL: OpenSSL Memory Exhaustion DOS Vulnerability | 0x4001ab00 | 4 | yes | Reconnaissance | Brute-Force | SSL: OpenSSL Memory Leak Vulnerability (CVE-2009-1378) | 0x45c08c00 | 1 | Disallowed |
| Botnet: DGA Heuristic Detection of Botnet Zombie | 0x43f00d00 | 7 | no | Reconnaissance | Multi-Attack Correlation | Botnet: DNS Name Lookup Failure Matching DGA Heuristics | 0x4880db00 | 9 | Disallowed |
| ICMP: Timestamp Request Host Sweep | 0x40000200 | 4 | no | Reconnaissance | host-sweep | ICMP: Timestamp Probe | 0x40100300 | 3 | Allowed |
| TCP: FIN Port Scan | 0x40009800 | 4 | no | Reconnaissance | port-scan | TCP: Illegal FIN Probe | 0x40011300 | 2 | Allowed |
| TCP: NULL Port Scan | 0x4000a000 | 4 | no | Reconnaissance | port-scan | SCAN: NULL Probe | 0x4000bd00 | 3 | Allowed |
| TCP: XMAS Port Scan | 0x4000a100 | 4 | no | Reconnaissance | port-scan | NMAP: XMAS Probe | 0x4000b900 | 5 | Allowed |
| TCP: FIN Host Sweep | 0x4000a900 | 4 | no | Reconnaissance | host-sweep | TCP: Illegal FIN Probe | 0x40011300 | 2 | Allowed |
| TCP: NULL Host Sweep | 0x4000aa00 | 4 | no | Reconnaissance | host-sweep | SCAN: NULL Probe | 0x4000bd00 | 3 | Allowed |
| TCP: XMAS Host Sweep | 0x4000ab00 | 4 | no | Reconnaissance | host-sweep | NMAP: XMAS Probe | 0x4000b900 | 5 | Allowed |
| TCP: Fingerprinting NMAP | 0x4000b300 | 4 | no | Reconnaissance | fingerprinting | SCAN: NULL Probe | 0x4000bd00 | 3 | Allowed |
| | | | | | | NMAP: XMAS Probe | 0x4000b900 | 5 | Allowed |
| | | | | | | NMAP: XMAS with SYN Probe | 0x4000ba00 | 5 | Allowed |
| TCP: Fingerprinting Queso | 0x4000b400 | 4 | no | Reconnaissance | fingerprinting | TCP: Illegal FIN Probe | 0x40011300 | 2 | Allowed |
| | | | | | | SCAN: SYN FIN Based Probes | 0x4000ec00 | 3 | Allowed |
| | | | | | | TCP: Bare Push Probe | 0x4000bc00 | 5 | Allowed |
| ICMP: Netmask Request Host Sweep | 0x40011d00 | 4 | no | Reconnaissance | host-sweep | ICMP: Netmask Request | 0x40011600 | 3 | Allowed |
| TELNET: Password Brute Force | 0x40012700 | 4 | yes | Reconnaissance | brute-force | TELNET: Telnet Login Failure Detected | 0x40601200 | 2 | Disallowed |
| RLOGIN: Password Brute Force | 0x40012800 | 4 | yes | Reconnaissance | brute-force | RLOGIN: Failed Login | 0x40603100 | 2 | Disallowed |
| RSH: Password Brute Force | 0x40012900 | 4 | yes | Reconnaissance | brute-force | RSH: Login Failed | 0x41100100 | 2 | Disallowed |
| REXEC: Password Brute Force | 0x40012a00 | 4 | yes | Reconnaissance | brute-force | REXEC: Login Failed | 0x41101100 | 2 | Disallowed |
| MSSQL: Password Brute Force | 0x40012b00 | 4 | yes | Reconnaissance | brute-force | MSSQL: User Login Failed | 0x41a00a00 | 2 | Disallowed |
| RADIUS: Authentication Brute Force | 0x40012c00 | 4 | yes | Reconnaissance | brute-force | RADIUS: Access Denied | 0x41c00400 | 1 | Disallowed |
| FTP: Login Brute Force | 0x40012d00 | 4 | yes | Reconnaissance | brute-force | FTP: Login Failed | 0x40505600 | 1 | Disallowed |
| IMAP: Password Brute Force | 0x40012e00 | 4 | yes | Reconnaissance | brute-force | IMAP: IMAP Login Failure Detected | 0x41901b00 | 2 | Disallowed |
| POP3: Password Brute Force | 0x40012f00 | 4 | yes | Reconnaissance | brute-force | POP3: POP3 Login Failure Detected | 0x40902c00 | 2 | Disallowed |
| SMTP: VRFY Brute Force | 0x40013000 | 4 | yes | Reconnaissance | brute-force | SMTP: VRFY Command Used | 0x40013100 | 0 | Disallowed |
| SMTP: EXPN Brute Force | 0x40013200 | 4 | yes | Reconnaissance | brute-force | SMTP: EXPN Command Used | 0x40013300 | 0 | Disallowed |
| NETBIOS-NS: NBTSTAT Sweep Activity Detected | 0x40013400 | 6 | yes | Reconnaissance | service-sweep | NETBIOS-NS: NBTSTAT Scan | 0x40013500 | 1 | Disallowed |
| NETBIOS-SS: Virus/Worm File Share Spread | 0x40013600 | 4 | yes | Reconnaissance | service-sweep | NETBIOS-SS: Copy Executable File Attempt | 0x40706500 | 3 | Disallowed |
| ORACLE: Brute Force Logon | 0x40014200 | 4 | yes | Reconnaissance | brute-force | ORACLE: Oracle Login Failure Detected | 0x40014300 | 2 | Disallowed |
| SSH: SSH Login Bruteforce Detected | 0x40014400 | 4 | yes | Reconnaissance | brute-force | SSH: SSH Login Failure Detected | 0x40014500 | 1 | Disallowed |
| TCP: SYN Packet Fixed Header Options DoS | 0x40014600 | 4 | yes | Reconnaissance | brute-force | TCP: SYN Packet Fixed Options Header | 0x00009b00 | 0 | Disallowed |
| WORM: W32/Conficker.C Activity Detected | 0x40014700 | 4 | yes | Reconnaissance | service-sweep | P2P: Suspicious UDP Probe | 0x45d08f00 | 5 | Disallowed |
| TCP: RST Resource Exhaustion DoS | 0x40014800 | 4 | yes | Reconnaissance | brute-force | TCP: RST Socket Exhaustion Dos | 0x00009c00 | 5 | Disallowed |
| P2P: KaZaA Client Sweep Activity Detected | 0x40015000 | 4 | no | Reconnaissance | service-sweep | P2P: KaZaA Client Connecting to Server | 0x40015100 | 5 | Allowed |
| ICMP: Nachi Worm Host Sweep | 0x40015400 | 4 | no | Reconnaissance | host-sweep | ICMP: Nachi-like Ping | 0x40015500 | 6 | Allowed |
| P2P: Share Sweep Traffic Detected | 0x40015a00 | 4 | yes | Reconnaissance | service-sweep | P2P: Share-like Traffic Detected | 0x40015b00 | 5 | Disallowed |
| P2P: Peer-to-peer Distributed File Download Obfuscated-Traffic Detected | 0x40015c00 | 4 | yes | Reconnaissance | service-sweep | P2P: Unknown Long-lasting Obfuscated Binary Response Data-Stream Transfer Detected | 0x40015d00 | 5 | Disallowed |
| BOT: W32/Nuwar@MM Client Sweep Activity Detected | 0x40016200 | 6 | yes | Reconnaissance | service-sweep | BOT: W32/Nuwar@MM Encrypted Traffic | 0x40016300 | 7 | Disallowed |
| SMTP: High Level of SMTP Activity | 0x40016700 | 1 | no | Reconnaissance | service-sweep | SMTP: RCPT TO Command Used | 0x40405800 | 0 | Allowed |
| PCANYWHERE: Client Sweep Activity Detected | 0x40016e00 | 4 | yes | Reconnaissance | service-sweep | PCANYWHERE: Client Scan Activity Detected | 0x43b00200 | 1 | Disallowed |
| BOT: Spam-mailbot Communication Detected | 0x40017200 | 5 | no | Reconnaissance | service-sweep | BOT: Spam-mailbot Activity Detected | 0x45d06100 | 5 | Allowed |
| DNS: Generic DNS Spoofing Attempt | 0x40017300 | 5 | yes | Reconnaissance | brute-force | DNS: Generic Spoofing Activity | 0x40303400 | 5 | Disallowed |
| DNS: Server Response Validation Vulnerability | 0x40017600 | 5 | yes | Reconnaissance | brute-force | DNS: Microsoft DNS Server Response Validation Vulnerability II | 0x40303b00 | 5 | Disallowed |
| TCP: Small Window DoS | 0x40019100 | 5 | yes | Reconnaissance | brute-force | TCP: Small Window Flow Detected | 0x00009d00 | 1 | Disallowed |
| Kerberos: Kerberos Login Bruteforce Detected | 0x40019800 | 4 | yes | Reconnaissance | brute-force | KERBEROS: Kerberos Authentication Error Detected | 0x43001a00 | 4 | Disallowed |
| NETBIOS-SS: Microsoft Windows SMB NTLM Authentication Lack of Entropy Vulnerability | 0x40019a00 | 4 | yes | Reconnaissance | brute-force | NETBIOS-SS: Non Admin Access in NTLMSSP Auth | 0x4070b900 | 0 | Disallowed |
| NETBIOS-SS: Microsoft Windows SMB Memory Corruption Vulnerability | 0x40019b00 | 4 | yes | Reconnaissance | brute-force | NETBIOS-SS: SMB Negotiate | 0x4070bc00 | 0 | Disallowed |
| DNS: Too Many Type A Query Response Errors Found | 0x40019c00 | 4 | yes | Reconnaissance | brute-force | DNS: Standard Query Type A Response Error Found | 0x40304000 | 0 | Disallowed |
| DNS: Too Many Type MX Query Response Errors Found | 0x40019d00 | 4 | yes | Reconnaissance | brute-force | DNS: Standard Query Type MX Response Error Found | 0x40304100 | 0 | Disallowed |
| SMTP: Multiple Emails sent without Authentication | 0x40019e00 | 5 | no | Reconnaissance | service-sweep | SMTP: Email sent without Authentication | 0x4040ec00 | 0 | Allowed |
| BOT: Spam Bot Activity - Multiple Blacklist Responses from SMTP server | 0x40019f00 | 5 | no | Reconnaissance | service-sweep | SMTP: Server Rejection due to Blacklist | 0x4040ea00 | 0 | Allowed |
| BOT: Potential Bot Activity -Multiple Resets from SMTP receiver | 0x4001a000 | 5 | no | Reconnaissance | service-sweep | SMTP: Unexpected Server Rejection | 0x4040eb00 | 0 | Allowed |
| SIP: SIP Bruteforce Attack Detected-I | 0x4001a100 | 4 | yes | Reconnaissance | brute-force | SIP: Unauthorized Access Attempt | 0x43801100 | 0 | Disallowed |
| SIP: SIP Bruteforce Attack Detected-II | 0x4001a200 | 4 | yes | Reconnaissance | brute-force | SIP: Server Authentication failure | 0x43801200 | 0 | Disallowed |
| HTTP: Possible HTTP Brute Force Attack Against ASP.NET Pages | 0x4001b000 | 4 | yes | Reconnaissance | brute-force | HTTP: HTTP ASP Page Internal Error | 0x40294800 | 5 | Disallowed |
| HTTP: Possible HTTP LOIC Denial-of-Service Attack Detected | 0x4001c000 | 4 | yes | Reconnaissance | brute-force | HTTP: Possible Non-Standard HTTP Traffic Detected | 0x40296500 | 0 | Disallowed |
| HTTP: Possible HTTP GET LOIC Denial-of-Service Attack Detected | 0x4001d000 | 4 | yes | Reconnaissance | brute-force | HTTP: Possible LOIC Get Request Detected | 0x40299d00 | 0 | Disallowed |
| HTTP: Possible SSL Denial-of-Service Attack Detected | 0x4001e000 | 4 | no | Reconnaissance | brute-force | SSL: Invalid SSL Flow Detected | 0x45c02300 | 0 | Disallowed |
| HTTP: HTTP Login Bruteforce Detected | 0x40256b00 | 4 | yes | Reconnaissance | brute-force | HTTP: HTTP Authentication Failure | 0x40256a00 | 5 | Disallowed |
| HTTP: Possible HTTP DoS Attack with Invalid HTML Page Access | 0x40280300 | 4 | yes | Reconnaissance | brute-force | HTTP: HTTP HTML Page Not Found | 0x40280200 | 5 | Disallowed |
| NETBIOS-SS: SMB Bruteforce Attempt | 0x4070ac00 | 4 | yes | Reconnaissance | brute-force | NETBIOS-SS: SMB Logon Failed | 0x4070ab00 | 1 | Disallowed |
| PGM: Large Volume of Small Data Fragments | 0x45d06800 | 2 | yes | Reconnaissance | brute-force | PGM: Small Data Fragment | 0x45d06700 | 1 | Disallowed |
| ORACLE: Oracle SID Login Bruteforce Detected | 0x46c06d00 | 4 | yes | Reconnaissance | brute-force | ORACLE: ORACLE TNS CONNECT_DATA and SID Request Detected | 0x46c06c00 | 0 | Disallowed |
| MySQL: Password Brute Force | 0x47101400 | 4 | yes | Reconnaissance | brute-force | MySQL: Login Failed | 0x47100100 | 3 | Disallowed |
| RDP: Terminal Service Denial of service | 0x4001f000 | 5 | yes | Reconnaissance | brute-force | RDP: RST Packet Detected | 0x00011900 | 5 | Disallowed |
| HTTP: Possible Anonymous OpMegaUpload DoS | 0x4001b100 | 5 | yes | Reconnaissance | brute-force | HTTP: Anonymous OpMegaUpload Detected | 0x402b8400 | 5 | Disallowed |
| NETBIOS-SS: Non Admin Access in NTLMSSP Auth II Denial of Service | 0x40020300 | 4 | yes | Reconnaissance | brute-force | NETBIOS-SS: Non Admin Access in NTLMSSP Auth II | 0x43c03a00 | 4 | Disallowed |
| FTP: VSFTPD Connection Handling DOS | 0x4050df00 | 4 | yes | Reconnaissance | brute-force | FTP: VsFTPd Banner | 0x4050de00 | 0 | Disallowed |
| NTP: NTP Amplification DoS | 0x41b00800 | 4 | yes | Reconnaissance | brute-force | NTP: NTP Amplification Attacks | 0x41b00700 | 5 | Disallowed |
| SSL: Too Many HTTPS Requests | 0x45c03600 | 4 | yes | Reconnaissance | brute-force | SSL: Client HTTPS Request | 0x45c03500 | 0 | Disallowed |
| Digium: Digium Asterik Heap Buffer Overflow | 0x45d21600 | 4 | yes | Reconnaissance | brute-force | Digium: Asterisk Heap Buffer Overflow Skinny Channel Driver Remote Code Execution | 0x45d1ee00 | 5 | Disallowed |
| ORACLE: Database Server TNS Listener Poison DoS Attack Detected | 0x46c08200 | 4 | yes | Reconnaissance | brute-force | ORACLE: Database Server TNS Listener Poison Attack Remote Code Execution | 0x46c08100 | 7 | Disallowed |
| MySQL: MariaDB memcmp Function Security Bypass Vulnerability | 0x47101900 | 4 | yes | Reconnaissance | brute-force | MySQL: Login Failed | 0x47100100 | 3 | Allowed |
| BOT: Muieblackcat Activity Detected | 0x43f00e00 | 5 | yes | Reconnaissance | Multi-Attack Known Bot | BOT: Muieblackcat Traffic Detected I, BOT: Potential Muieblackcat Scanner Double-URI Traffic Detected | 0x48810600, 0x48810700 | 4, 4 | Disallowed (for both) |
| ICMP: Possible Attack To Exploit BlackNurse Vulnerability II | 0x40102c00 | 4 | yes | Reconnaissance | brute-force | ICMP: Port Unreachable Packet Seen II | 0x40102b00 | 3 | Disallowed |
| ICMP: Possible Attack to exploit BlackNurse vulnerability | 0x40102a00 | 4 | yes | Reconnaissance | brute-force | ICMP: Port Unreachable Packet Seen | 0x40102900 | 3 | Disallowed |
| BOT: Cerber Ransomware Activity Detected | 0x48812000 | 6 | yes | Reconnaissance | host-sweep | BOT: Cerber Ransomware Traffic Detected | 0x48811f00 | 5 | Disallowed |
| HTTP: Possible Wordpress brute force login detected | 0x43f01200 | 6 | yes | Reconnaissance | brute-force | HTTP: WordPress login seen | 0x451d0a00 | 0 | Disallowed |
| HTTP: Wordpress User enumeration wpscan | 0x43f01100 | 6 | yes | Reconnaissance | fingerprinting | HTTP: WordPress user enumeration | 0x451d0800 | 0 | Disallowed |
Related Information
For information on how to configure component attacks in Network Security Manager 8.3 to detect correlation attacks, see KB89026.
Disclaimer
The original content of this article is in English. If there are differences between the English content and the translation, the English content is always the accurate one. Some of the content has been machine-translated by Microsoft.