This table lists server types that routinely generate high volumes of activity and the events they commonly trigger. To reduce the number of false positives, tune the Event Policy: adjust the event thresholds and add Exclusions for these servers and services.
Server Type | Category | Event Name | Source | Dest | Service | Reason
---|---|---|---|---|---|---
SNMP | Scans | IP sweep from internal network | Any | Any | SNMP-read | Hosts that query other hosts
DNS Servers | Scans | IP sweep from internal network | DNS servers | - | DNS | Inter-DNS server updates
| Denial of Service (DoS) | High connection rate on internal host on service | Any | DNS servers | DNS | DNS requests and inter-DNS server updates
| Anomalies | High connection rate from internal network | Any | Any | DNS | DNS requests and inter-DNS server updates
| Anomalies | High connection rate from internal network on service | Any | Any | DNS | DNS requests and inter-DNS server updates
| Anomalies | Abnormal activity on service | Any | Any | DNS | DNS requests and inter-DNS server updates
NIS Servers | Scans | Port scan from internal network | NIS servers | Any | - | Multiple NIS queries
| Denial of Service (DoS) | High connection rate on internal host on service | Any | NIS servers | NIS | NIS queries
| Anomalies | High connection rate from internal network | Any | Any | NIS | NIS queries
| Anomalies | High connection rate from internal network on service | Any | Any | NIS | NIS queries
| Anomalies | Abnormal activity on service | Any | Any | NIS | NIS queries
LDAP Servers | Denial of Service (DoS) | High connection rate on internal host on service | Any | LDAP servers | LDAP | LDAP requests
| Anomalies | High connection rate from internal network | Any | LDAP servers | LDAP | LDAP requests
| Anomalies | High connection rate from internal network on service | Any | LDAP servers | LDAP | LDAP requests
| Anomalies | Abnormal activity on service | Any | LDAP servers | LDAP | LDAP requests
HTTP Proxy Servers - Hosts To Proxy Server | Denial of Service (DoS) | High connection rate on internal host on service | Any | Proxy servers | HTTP:8080 | Host connections to proxy servers
| Anomalies | High connection rate from internal network | Any | Proxy servers | HTTP:8080 | Host connections to proxy servers
| Anomalies | High connection rate from internal hosts on service | Any | Proxy servers | HTTP:8080 | Host connections to proxy servers
| Anomalies | Abnormal activity on service | Any | Proxy servers | HTTP:8080 | Host connections to proxy servers
HTTP Proxy Servers - Out to the Web | Scans | IP sweep from internal network | Proxy servers | Any | HTTP/HTTPS | Proxy server connections out to various sites
| Denial of Service (DoS) | High connection rate on internal host on service | Proxy servers | Any | HTTP/HTTPS | Proxy server connections out to various sites
| Anomalies | High connection rate from internal network | Proxy servers | Any | HTTP/HTTPS | Proxy server connections out to various sites
| Anomalies | High connection rate from internal hosts on service | Proxy servers | Any | HTTP/HTTPS | Proxy server connections out to various sites
| Anomalies | Abnormal activity on service | Proxy servers | Any | HTTP/HTTPS | Proxy server connections out to various sites
UFP Servers | Denial of Service (DoS) | High connection rate on internal host on service | Any | UFP servers | Any/UFP by vendor | Firewall connections to UFP servers
| Anomalies | High connection rate from internal network | Any | UFP servers | Any/UFP by vendor | Firewall connections to UFP servers
| Anomalies | High connection rate from internal hosts on service | Any | UFP servers | Any/UFP by vendor | Firewall connections to UFP servers
| Anomalies | Abnormal activity on service | Any | UFP servers | Any/UFP by vendor | Firewall connections to UFP servers
CVP Servers Request | Denial of Service (DoS) | High connection rate on internal host on service | Any | CVP servers | Any/CVP by vendor | Firewall connections to CVP servers
| Anomalies | High connection rate from internal network | Any | CVP servers | Any/CVP by vendor | Firewall connections to CVP servers
| Anomalies | High connection rate from internal hosts on service | Any | CVP servers | Any/CVP by vendor | Firewall connections to CVP servers
| Anomalies | Abnormal activity on service | Any | CVP servers | Any/CVP by vendor | Firewall connections to CVP servers
CVP Servers Replies | Scans | Port scans from internal network | CVP servers | Any | - | Multiple CVP replies to the same GW
| Scans | IP sweep from internal network | CVP servers | - | CVP | CVP replies to multiple GWs
| Denial of Service (DoS) | High connection rate on internal host on service | CVP servers | Any | Any/CVP by vendor | CVP replies
| Anomalies | High connection rate from internal network | CVP servers | Any | Any/CVP by vendor | CVP replies
| Anomalies | High connection rate from internal hosts on service | CVP servers | Any | Any/CVP by vendor | CVP replies
| Anomalies | Abnormal activity on service | CVP servers | Any | Any/CVP by vendor | CVP replies
UA Server Request | Denial of Service (DoS) | High connection rate on internal host on service | Any | UA servers | uas-port (TCP:19191, TCP:19194) | Connections to UA servers
| Anomalies | High connection rate from internal network | Any | UA servers | uas-port (TCP:19191, TCP:19194) | Connections to UA servers
| Anomalies | High connection rate from internal hosts on service | Any | UA servers | uas-port (TCP:19191, TCP:19194) | Connections to UA servers
| Anomalies | Abnormal activity on service | Any | UA servers | uas-port (TCP:19191, TCP:19194) | Connections to UA servers
UA Servers Replies | Scans | Port scans from internal network | UA servers | Any | - | Multiple UA replies to the same computer
| Scans | IP sweep from internal network | UA servers | Any | uas-port (TCP:19191, TCP:19194) | Multiple UA replies to multiple computers
| Denial of Service (DoS) | High connection rate on internal host on service | UA servers | Any | uas-port (TCP:19191, TCP:19194) | UA replies
| Anomalies | High connection rate from internal network | UA servers | Any | uas-port (TCP:19191, TCP:19194) | UA replies
| Anomalies | High connection rate from internal hosts on service | UA servers | Any | uas-port (TCP:19191, TCP:19194) | UA replies
| Anomalies | Abnormal activity on service | UA servers | Any | uas-port (TCP:19191, TCP:19194) | UA replies
SMTP Servers | Scans | IP sweep from internal network | SMTP servers | - | SMTP | SMTP server connections out to various SMTP servers
| Denial of Service (DoS) | High connection rate on internal host on service | SMTP servers | Any | SMTP | SMTP server connections out to various SMTP servers
| Anomalies | High connection rate from internal network | SMTP servers | Any | SMTP | SMTP server connections out to various SMTP servers
| Anomalies | High connection rate from internal hosts on service | SMTP servers | Any | SMTP | SMTP server connections out to various SMTP servers
| Anomalies | Abnormal activity on service | SMTP servers | Any | SMTP | SMTP server connections out to various SMTP servers
Anti-Virus Definition Servers | Scans | IP sweep from internal network | AV_Defs servers | - | Any/AV by vendor | Anti-virus definition update deployment
| Denial of Service (DoS) | High connection rate on internal host on service | AV_Defs servers | - | Any/AV by vendor | Anti-virus definition update deployment
| Anomalies | High connection rate from internal network | AV_Defs servers | - | Any/AV by vendor | Anti-virus definition update deployment
| Anomalies | High connection rate from internal hosts on service | AV_Defs servers | - | Any/AV by vendor | Anti-virus definition update deployment
| Anomalies | Abnormal activity on service | AV_Defs servers | - | Any/AV by vendor | Anti-virus definition update deployment
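The following added example is an illustrative model of the two tuning levers the table is about, a rate threshold and a source/service Exclusion; it is not the product's own event engine, and the host group name, the threshold, the window and the log lines are constructed assumptions. It shows why a DNS server talking to its peers on DNS triggers "High connection rate from internal network on service" just like a workstation would, and how an Exclusion for the "DNS servers" group on service DNS suppresses only the former while a raised threshold suppresses both.

```python
from collections import defaultdict
from dataclasses import dataclass, field

# Event name taken from the table above.
EVENT = "High connection rate from internal network on service"


@dataclass(frozen=True)
class Exclusion:
    """Suppress one event name for traffic from a host group on a service.

    "Any" matches every source or service, as in the table's Source/Service
    columns. Group names are assumed labels, not product object names.
    """
    event: str
    source: str = "Any"
    service: str = "Any"


@dataclass
class EventPolicy:
    threshold: int                 # connections per window that raise the event
    window_seconds: int            # size of the counting window
    groups: dict                   # assumed host groups: name -> set of IPs
    exclusions: list = field(default_factory=list)

    def in_group(self, pattern, ip):
        return pattern == "Any" or ip in self.groups.get(pattern, set())

    def is_excluded(self, event, src, service):
        return any(
            e.event == event
            and self.in_group(e.source, src)
            and e.service in ("Any", service)
            for e in self.exclusions
        )

    def evaluate(self, log_lines):
        # Count connections per (window, source host, service).
        counts = defaultdict(int)
        for line in log_lines:
            rec = parse_line(line)
            key = (rec["time"] // self.window_seconds, rec["src"], rec["service"])
            counts[key] += 1
        # Raise the event where the threshold is reached and no Exclusion applies.
        events = []
        for (window, src, service), n in sorted(counts.items()):
            if n >= self.threshold and not self.is_excluded(EVENT, src, service):
                events.append({"event": EVENT, "src": src, "service": service, "count": n})
        return events


def parse_line(line):
    """Parse a constructed 'key=value' connection log line."""
    rec = dict(kv.split("=", 1) for kv in line.split())
    rec["time"] = int(rec["time"])
    return rec


def sample_log():
    """Constructed log: a DNS server exchanging updates with a peer DNS server,
    and a workstation querying 40 different hosts on DNS, all inside one window."""
    lines = []
    for i in range(40):
        lines.append(f"time={i} src=10.0.0.53 dst=10.0.0.54 service=DNS")
        lines.append(f"time={i} src=10.0.0.77 dst=10.0.0.{100 + i} service=DNS")
    for i in range(5):
        lines.append(f"time={i} src=10.0.0.77 dst=10.0.0.53 service=LDAP")
    return lines


def run(threshold=30, exclusions=()):
    """Evaluate the sample log under a policy with the given threshold and Exclusions."""
    policy = EventPolicy(
        threshold=threshold,
        window_seconds=60,
        groups={"DNS servers": {"10.0.0.53", "10.0.0.54"}},  # assumed group
        exclusions=list(exclusions),
    )
    return policy.evaluate(sample_log())


if __name__ == "__main__":
    print("no tuning:     ", [e["src"] for e in run()])
    dns_excl = Exclusion(EVENT, source="DNS servers", service="DNS")
    print("with exclusion:", [e["src"] for e in run(exclusions=[dns_excl])])
    print("threshold 50:  ", [e["src"] for e in run(threshold=50)])
```

The Exclusion is the more precise lever: it keeps the event for the workstation, whose 40 DNS connections to 40 distinct hosts are the behaviour the event exists to catch, while raising the threshold silences both.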