Portaledge: Enumeration Event Class

From SCADApedia


The Enumeration Event Class in Portaledge comprises Events that are triggered when enumeration efforts occur, e.g. a device or network is scanned, has a service connected to, or is otherwise communicated with in a manner that is indicative of an attacker determining information about the device or network.

Enumeration Events rely on the PI IP Flow Interface, Snort IDS, or other sensors that detect traffic indicative of someone or something probing for information about the control system and its components. Sensors on the network can also monitor for stealth enumeration techniques such as an ArpScan. Monitoring enumeration techniques is critical as enumeration is a typical first step in a penetration attempt. If an attack can be identified during the enumeration stage the asset owner is better able to stop the attack or at a minimum limit its impact.


Enumeration Session Info Module

Most of the Events in the Enumeration Event class require information about TCP sessions be analyzed to determine if activity exceeds a trigger threshold and is indicative of an enumeration attempt. Rather than gather, store and analyze this data in each Event ACE module, Digital Bond has created an Enumeration Session Info Module that serves this purpose for all Events. This improves performance significantly and reduces the resource requirements on the PI server for this Event Class.

Detecting Port Scans and Port Sweeps

Many of the Enumeration Events that detect port scans use two different criteria for triggering an alert and give the alarm a different name for each.

Port Scans

A Port Scan Event is generated if a single system, represented by an IP address, is scanned on multiple ports within a time period. The defaults are three ports scanned in five minutes. This will detect an attacker doing a detailed scan on a single workstation, server or other device. The thresholds can be modified to reduce false positives or to catch more attackers who are scanning slowly to avoid detection. Source and destination IP addresses can be excluded from detection to prevent false positives from repeated, authorized scans.

When detected an Event will be generated such as "TCP Port Scan" or "FIN Port Scan".

Port Sweeps

A Port Sweep Event is generated when multiple systems are scanned on the same port within a time period. The defaults are three systems scanned on the same port in five minutes. This will detect an attacker who is searching a subnet for a certain service or application, like a web server or DNP3 server. The thresholds can be modified and systems can be excluded from analysis.

When detected an Event will be generated such as "TCP Port Sweep" or "FIN Port Sweep".
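The Port Scan and Port Sweep thresholds above, worked through as an added Python example (this is not Portaledge's own ACE module code): it takes a constructed session list in roughly the shape the Enumeration Session Info Module shares, applies the three-ports / three-hosts / five-minute defaults over a sliding window, and honours an exclusion list for authorised scanners. The "kind" tag on each session and the `window_s` parameter are assumptions of this example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed session records, roughly the shape the Enumeration Session Info
# Module shares: (time, src_ip, dst_ip, dst_port, kind). "kind" is an assumed
# tag for the session type the flow sensor reported ("tcp", "fin", ...).
T0 = datetime(2024, 1, 1, 8, 0, 0)
SESSIONS = [(T0 + timedelta(seconds=s), src, dst, port, kind) for s, src, dst, port, kind in [
    (0,   "10.1.1.50", "10.1.1.10", 21,    "fin"),  # 3 ports on one host in 40 s: FIN Port Scan
    (20,  "10.1.1.50", "10.1.1.10", 22,    "fin"),
    (40,  "10.1.1.50", "10.1.1.10", 80,    "fin"),
    (60,  "10.1.1.51", "10.1.1.10", 20000, "tcp"),  # one port on 3 hosts in 60 s: TCP Port Sweep
    (90,  "10.1.1.51", "10.1.1.11", 20000, "tcp"),
    (120, "10.1.1.51", "10.1.1.12", 20000, "tcp"),
    (0,   "10.1.1.5",  "10.1.1.20", 80,    "tcp"),  # slow scan: 3 ports over 11 min, invisible at defaults
    (330, "10.1.1.5",  "10.1.1.20", 443,   "tcp"),
    (660, "10.1.1.5",  "10.1.1.20", 8080,  "tcp"),
    (0,   "10.1.1.99", "10.1.1.30", 21,    "tcp"),  # authorised scanner, excluded by the operator
    (5,   "10.1.1.99", "10.1.1.30", 22,    "tcp"),
    (10,  "10.1.1.99", "10.1.1.30", 23,    "tcp"),
]]

def detect(sessions, ports=3, hosts=3, window_s=300, excluded=frozenset()):
    """Return (event_name, src_ip, target) for each Port Scan / Port Sweep detected.

    Port Scan:  one source reaches >= `ports` distinct ports on one host within the window.
    Port Sweep: one source reaches the same port on >= `hosts` distinct hosts within the window.
    Sources or destinations listed in `excluded` are ignored to suppress authorised scans.
    """
    window = timedelta(seconds=window_s)
    by_host = defaultdict(deque)  # (src, dst, kind)  -> recent (time, port)
    by_port = defaultdict(deque)  # (src, port, kind) -> recent (time, dst)
    raised, events = set(), []
    for t, src, dst, port, kind in sorted(sessions):
        if src in excluded or dst in excluded:
            continue
        for table, key, seen, threshold, name in (
            (by_host, (src, dst, kind), port, ports, "Port Scan"),
            (by_port, (src, port, kind), dst, hosts, "Port Sweep"),
        ):
            recent = table[key]
            recent.append((t, seen))
            while t - recent[0][0] > window:   # slide the window: drop stale entries
                recent.popleft()
            if len({v for _, v in recent}) >= threshold and (name, key) not in raised:
                raised.add((name, key))        # alarm once per source/target pair
                events.append((f"{kind.upper()} {name}", src, key[1]))
    return events
```

Widening `window_s` to 900 (15 minutes) is what makes the slow scan from 10.1.1.5 visible; removing the exclusion makes the authorised scanner show up as a TCP Port Scan, which is the false positive the exclusion list exists to suppress.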

Events

FIN Port Scan Enumeration Event

Definition: The FIN Port Scan Enumeration Event will trigger an Event when TCP FIN packets are sent to multiple ports on one or more hosts.

Description: FIN port scans are used by attackers to bypass firewalls and work by sending TCP FIN packets to targeted ports. Closed ports reply with an RST packet; active ports do not reply.

Triggers

  • FIN Port Scan: This trigger will generate an Event if TCP FIN packets are detected that are directed at multiple ports on a single host [default is 3 ports].
  • FIN Port Sweep: This trigger will raise an Event if TCP FIN packets are detected that are directed at the same port on multiple hosts [default is 3 hosts].

Interfaces

  • IP Flow: Used to detect TCP FIN communications.
  • Snort or other IDS into Syslog or Windows Event Log: As an IDS may not necessarily be deployed on a network, it is considered a secondary interface.

Finger User Enumeration Event

Definition: The Finger User Enumeration Event will trigger on any session to port 79, the standard Finger port.

Description: Through querying the Finger service (if enabled) an attacker can enumerate the user accounts on a system.

Triggers

  • Finger - This trigger will raise an alarm if any session is established on port 79.

Interfaces

  • IP Flow: Used to detect the creation of a session with the Finger service.

ICMP Scan Host Enumeration Event

Definition: The ICMP Scan Enumeration Event will trigger an alert when gratuitous non-ECHO ICMP packets are detected across multiple hosts.

Description: ICMP Information Request, Timestamp Request, ICMP Address Mask Request, ICMP error message packets (and others) can be used to enumerate hosts using methodologies not as commonly employed as ping sweeping. These methodologies rely on the replies to the various ICMP packets to detect whether a host is alive.

Triggers

  • ICMP Scan: This trigger will raise an alarm if any type of gratuitous non-ECHO ICMP packet is detected across multiple hosts.

Interfaces

  • IP Flow: Used to detect portscans.
  • Snort IDS into Syslog or Windows Event Log: As Snort may not necessarily be deployed on a network, Snort detection is a secondary interface path.

Syn Portscan Enumeration Event

Definition: The Syn Portscan Enumeration Event will trigger an alert when incomplete (Syn to Syn-Ack) TCP sessions are created across multiple ports on one or more hosts.

Description: A Syn Portscan sends a Syn packet to a target port and awaits the Syn-Ack reply, without ever completing the handshake and fully establishing a TCP session.

Triggers

  • Syn Portscan: This trigger will raise an alarm if incomplete TCP sessions are tried against multiple ports on one or more hosts.

Interfaces

  • IP Flow: Used to detect incomplete TCP connections.
  • Snort IDS into Syslog or Windows Event Log: As Snort may not necessarily be deployed on a network, Snort detection is a secondary interface path.

TCP Portscan Enumeration Event

Definition: The TCP Portscan Enumeration Event will trigger an alert when complete TCP sessions that immediately terminate are created across multiple ports on one or more hosts.

Description: A TCP Portscan completes the 3 way TCP connection establishment and then immediately terminates the session.

Triggers

  • TCP Portscan: This trigger will raise an alarm if complete but immediately terminated TCP sessions are attempted against multiple ports on one or more hosts.

Interfaces

  • IP Flow: Used to detect TCP connections.
  • Snort IDS into Syslog or Windows Event Log: As Snort may not necessarily be deployed on a network, Snort detection is a secondary interface path.

Traffic Monitor Enumeration Event

Definition: The Traffic Monitor Enumeration Event will trigger when "out of bounds" communications occur.

Description: The Traffic Monitor Enumeration Event allows a system administrator to profile network communications on their systems. Allowed communications can be added on a per-system basis, specifying the IP addresses and ports of the allowed communications. When a communication occurs to a system that participates in Traffic Monitoring and that communication is not in the system's allowed list, an "out of bounds" communication is detected and an alert is created.

Triggers

  • Traffic Monitor - This trigger will raise an alarm if "out of bounds" communications are detected.

Interfaces

  • IP Flow: Used to monitor communications.
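The Traffic Monitor profile check as an added Python example (not Portaledge's own module): per-system allow lists of (peer IP, port), evaluated for whichever end of a flow is an enrolled system, with flows between non-enrolled systems left alone. The profiles and flows are constructed sample data, and the `None` port wildcard is an assumption of this example.

```python
# Constructed per-system profiles: monitored system -> allowed {(peer_ip, port)}.
# A port of None is this example's assumed wildcard meaning "any port to that peer".
PROFILES = {
    "10.2.0.10":  {("10.2.0.100", 502), ("10.2.0.101", 502)},   # PLC: Modbus from two HMIs only
    "10.2.0.100": {("10.2.0.10", None), ("10.2.0.1", 53)},      # HMI: the PLC, and DNS
}

def out_of_bounds(flows, profiles):
    """Return (monitored_system, src, dst, dst_port) for every flow that touches an
    enrolled system outside its profile. Flows between non-enrolled systems are
    not evaluated, matching the per-system scope of Traffic Monitoring."""
    alerts = []
    for src, dst, port in flows:
        # The enrolled system may be either end of the flow; check each side once.
        for system, peer in ((dst, src), (src, dst)):
            allowed = profiles.get(system)
            if allowed is None:
                continue
            if (peer, port) in allowed or (peer, None) in allowed:
                continue
            alerts.append((system, src, dst, port))
    return alerts

FLOWS = [  # constructed sample (src, dst, dst_port)
    ("10.2.0.100", "10.2.0.10", 502),   # HMI -> PLC Modbus: allowed
    ("10.2.0.55",  "10.2.0.10", 502),   # unknown laptop -> PLC: out of bounds for the PLC
    ("10.2.0.100", "10.2.0.10", 80),    # HMI -> PLC web: not in the PLC's profile
    ("10.2.0.100", "10.2.0.1",  53),    # HMI DNS: allowed
    ("10.2.0.100", "8.8.8.8",   443),   # HMI -> Internet: out of bounds for the HMI
    ("10.2.0.55",  "10.2.0.56", 445),   # neither side enrolled: ignored
]
```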

UDP Portscan Enumeration Event

Definition: The UDP Portscan Enumeration Event will trigger an alert when UDP packets are detected as having been sent to multiple ports on one or more hosts.

Description: As UDP is a connectionless protocol, a UDP scanner sends a UDP packet to a port and waits for the ICMP port unreachable reply. If no reply is received the port is assumed to be active.

Triggers

  • UDP Portscan: This trigger will raise an alarm if UDP packets are detected that are directed at multiple ports across one or more hosts.

Interfaces

  • IP Flow: Used to detect UDP communications.
  • Snort IDS into Syslog or Windows Event Log: As Snort may not necessarily be deployed on a network, Snort detection is a secondary interface path.

Installation Instructions

The Portaledge Event Installation page is the primary documentation for Portaledge installation. Event specific installation instructions are available on the Event pages in SCADApedia.

The Enumeration Event Class has a module, the Enumeration Session Info Module that is a helper module for the Class. The Enumeration Session Info module executes on a user specified period and creates a list of sessions that it shares with the other modules in the Enumeration Event Class. This module exists in order to reduce the computational overhead of creating the sessions list, creating it once and sharing the list instead of recreating it for each individual event. The installation of the module is necessary, but its execution is not. The Enumeration Session Info module does not have to be executing for the other Events in the Enumeration Class to operate successfully.

Enumeration Events

FIN Port Scan Enumeration Event

Finger User Enumeration Event

ICMP Scan Enumeration Event

Syn Portscan Enumeration Event

TCP Portscan Enumeration Event

Traffic Monitor Enumeration Event

UDP Portscan Enumeration Event

There is also an ACE module, the Enumeration Event Class Event, that generates Enumeration Event Class Events and their corresponding Event chains.

Related Pages

Portaledge

Portaledge Event Installation

Portaledge Event Taxonomy

External Links

Download the Portaledge Beta Release Package
