Guardian generates four categories of alerts.
Below is an excerpt of the list of the different alert types that Guardian can generate.
List of Alerts

| Category | Type ID | Name | Trigger |
|---|---|---|---|
| Protocol Validation | SIGN:NETWORK-MALFORMED | Malformed network packet | A malformed packet is detected during the Deep Packet Inspection phase. |
| Protocol Validation | SIGN:SCADA-MALFORMED | Malformed SCADA network packet | A malformed SCADA packet is detected during the Deep Packet Inspection phase. |
| Protocol Validation | SIGN:SCADA-INJECTION | Injection of a SCADA packet | A traffic injection of SCADA packets has been detected on the network. |
| Protocol Validation | SIGN:INVALID-IP | Invalid IP addresses | A packet carries an IP address reserved for special purposes (e.g. a loopback address). Packets with such addresses can originate from misconfiguration or from spoofing/denial of service attacks. |
| Protocol Validation | SIGN:DHCP-OPERATION | Suspicious DHCP activity | A DHCP request from an unknown device has been seen on the network, a sign of a new device trying to obtain an address. |
| Learned Behavior | VI:NEW-ARP | New device appeared | A new, unseen node appeared through ARP traffic. This alert is also useful to detect devices that are connected near the sniffing interfaces of SCADAguardian but do not send relevant application-level packets through the network. |
| Learned Behavior | VI:NEW-MAC | New MAC appeared | A new, unseen MAC address has appeared on the network. |
| Learned Behavior | VI:NEW-NET-DEV | New network device appeared | A new, unseen network device, such as a switch, router or firewall, has appeared on the network. |
| Learned Behavior | VI:NEW-NODE | New source node appeared | A new, unseen node starts to send packets on the network. |
| Learned Behavior | VI:NEW-NODE:TARGET | New target node appeared | A new, unseen node starts to receive packets on the network. |
| Learned Behavior | VI:NEW-SCADA-NODE | New SCADA node appeared | A new, unseen node speaking SCADA protocols starts to send packets on the network. |
| Learned Behavior | VI:NEW-LINK | New target used | A node tries to communicate with a node it has not contacted before. |
| Learned Behavior | VI:NEW-PROTOCOL | New protocol used | A new protocol has been tried between two nodes. |
| Learned Behavior | VI:NEW-PROTOCOL:CONFIRMED | Protocol is confirmed | A protocol between two nodes has been confirmed at Layer 4 (the endpoint has accepted the connection). |
| Learned Behavior | VI:NEW-PROTOCOL:APPLICATION | Application protocol detected | A Layer 7 protocol has been detected inside a Layer 4 protocol. |
| Learned Behavior | VI:NEW-FUNC-CODE | New SCADA function code | A node starts using a function code never seen before. |
| Learned Behavior | VI:PROC:NEW-VAR | New SCADA variable | A new variable has been detected on a SCADA slave. |
| Learned Behavior | VI:PROC:NEW-VALUE | New behavior on SCADA variable | A new variable value or behavior has been detected on a SCADA slave. |
| Learned Behavior | VI:PROC:PROTOCOL-FLOW-ANOMALY | Protocol flow anomaly | Raised when the process-related behavior of a protocol changes in a suspicious manner. |
| Learned Behavior | VI:PROC:VARIABLE-FLOW-ANOMALY | Unexpected timing flow for a variable | The access pattern over time to a variable has changed in an unexpected manner. |
| Learned Behavior/Custom Checks | PROC:CRITICAL-STATE-ON | Entered Process Critical State | The system has entered a Process Critical State that has either been learned or inserted as a custom check. |
| Learned Behavior/Custom Checks | PROC:CRITICAL-STATE-OFF | Exited Process Critical State | The system has exited a Process Critical State. |
| Built-in Checks | SIGN:PACKET-RULE | Packet rule match | A packet rule implementing a specific security check has matched. This alert requires a thorough check of what happened, to verify whether an attacker is trying to compromise one or more hosts. |
| Built-in Checks | SIGN:MALWARE-DETECTED | Malware detected | A malicious payload has been transferred over the network. |
| Built-in Checks | SIGN:UNKNOWN-FUNC | Unknown function | An unknown function has been called on the remote peer. This may mean that malfunctioning software is trying to perform an operation without success, or that an attacker is trying to understand the functionality of the device. |
| Built-in Checks | SIGN:PROC:MISSING-VAR | Non-existing variable accessed | An attempt to access a nonexistent variable has been made. This can be due to reconnaissance activity or to a configuration change. |
| Built-in Checks | SIGN:PROC:UNKNOWN-RTU | Unknown RTU ID requested | An attempt to access a nonexistent RTU has been made. This may be due to a misconfiguration or to an attempt to discover the valid RTUs of a slave. |
| Built-in Checks | SIGN:PROTOCOL-ERROR | Protocol error | A generic protocol error occurred; this usually relates to a state machine, option or other general violation of the protocol. |
| Built-in Checks | SIGN:OT_DEVICE-START | OT device start requested | The sender host has requested the OT device program to start again. This can be legitimate during engineering operations on the OT device, for instance maintenance of the program itself or a reboot of the system for updates. However, it may indicate an attacker trying to manipulate the state of the OT device. |
| Built-in Checks | SIGN:OT_DEVICE-STOP | OT device stop requested | The sender host has requested the OT device program to stop. This can be legitimate during engineering operations on the OT device, for instance maintenance of the program itself. However, it may indicate an attacker trying to halt the process controlled by the OT device. |
| Built-in Checks | SIGN:OT_DEVICE-REBOOT | OT device reboot requested | The sender host has requested the OT device to reboot. This can be legitimate during engineering operations on the OT device, for instance maintenance. However, it may indicate an attacker trying to disrupt the process controlled by the OT device. |
| Built-in Checks | SIGN:PROGRAM:DOWNLOAD | Program downloaded from device | The program of the OT device has been downloaded by another host. This can be a legitimate operation during maintenance and upgrade of the software, or an unauthorized attempt to read the program logic. |
| Built-in Checks | SIGN:PROGRAM:UPLOAD | Program uploaded to device | A program has been uploaded to the OT device. This can be a legitimate operation during maintenance and upgrade of the software, or an unauthorized attempt to disrupt the normal behavior of the system. |
| Built-in Checks | SIGN:PROGRAM:CHANGE | Program change detected | The program on the OT device has been uploaded and changed. This can be a legitimate operation during maintenance and upgrade of the software, or an unauthorized attempt to modify the program logic. |
| Built-in Checks | SIGN:DEV-STATE-CHANGE | Device state change detected | Raised when a change of the state of a device is detected, for example when an OT device is asked to enter a new mode or a factory reset is issued. |
| Built-in Checks | SIGN:MAN-IN-THE-MIDDLE | Man-in-the-middle detected | Raised when a man-in-the-middle attack is detected. |
| Built-in Checks | SIGN:CONFIGURATION-CHANGE | Configuration change detected | The configuration on the device has been uploaded and changed. This can be a legitimate operation during maintenance, or an unauthorized attempt to modify the behaviour of the device. |
| Built-in Checks | SIGN:CPE:CHANGE | Installed software change detected | Raised after a change in the installed software is detected. |
| Built-in Checks | SIGN:PASSWORD:DEFAULT | Default password used | A default password has been used to access a resource. This alert is raised when the default user/password combination is valid and has allowed access to a resource. |
| Built-in Checks | SIGN:MULTIPLE-UNSUCCESSFUL-LOGINS | Multiple unsuccessful logins | Raised when a host repeatedly tries to log in to a service without success. |
| Built-in Checks | SIGN:TCP-SYN-FLOOD | TCP SYN flood | Raised when one or many hosts send a large number of TCP SYN packets to a single host. |
| Built-in Checks | SIGN:ARP:DUP | Duplicated IP address | Raised when a duplicated IP address is spotted on the network by analyzing the ARP protocol. |
| Built-in Checks | NET:RST-FROM-SLAVE | Slave sent RST on Link | A slave closed the connection to the master. This can be due to the device restarting or behaving abnormally. |
| Built-in Checks | PROC:WRONG-TIME | Time issue detected | A slave reported a wrong time in Process data. This may be due to incorrect time synchronization of the slave, a malfunction, or a sign of compromise of the device. |
| Custom Checks | ASRT:FAILED | Assertion Failed | A custom Assertion has failed. |
| Custom Checks | NET:TCP-SYN | Link connection | A link configured with this specific check has received a new TCP SYN. |
| Custom Checks | NET:LINK-RECONNECTION | Link reconnection | A link configured as persistent has a new TCP handshake. |
| Custom Checks | NET:INACTIVE-PROTOCOL | Inactive protocol (ON\|OFF) | A link configured with :check_last_activity N stays inactive for more than N seconds. |
| Custom Checks | PROC:STALE-VARIABLE | Stale variable (ON\|OFF) | A variable configured with :check_last_update N has not had its value updated for more than N seconds. |
| Custom Checks | PROC:INVALID-VARIABLE-QUALITY | Invalid variable quality (ON\|OFF) | A variable configured with :check_quality N keeps an invalid quality for more than N seconds. |
| Custom Checks | PROC:NOT-ALLOWED-INVALID-VARIABLE | Variable with invalid quality | A variable configured with this specific check has been detected with a quality that is not allowed. |
| Custom Checks | PROC:SYNC-ASKED-AGAIN | OT device synchronization asked | A new general interrogation command has been issued. This can be an anomaly, since this command should be performed once per OT device. |
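The Learned Behavior rows (VI:NEW-NODE, VI:NEW-NODE:TARGET, VI:NEW-LINK, VI:NEW-PROTOCOL, VI:NEW-FUNC-CODE) and the Custom Checks rows with an ON|OFF suffix (PROC:STALE-VARIABLE) describe two different detection models: "first seen after the learning phase closed" versus a stateful threshold that raises ON once and OFF once. The following is an added example, not Guardian's own code, that shows both models over constructed flow records and variable updates; the baseline keys, the `Flow` record, the addresses and the `max_age` threshold (standing in for `:check_last_update N`) are assumptions made for illustration and do not describe the product's internals.

```python
"""Illustrative detectors for two of the alert models listed above (added
example, not Guardian's code). Baseline keys, records and timers are
assumptions for illustration only; all input below is constructed data."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class Flow:
    """One observed request (constructed sample, not a real capture)."""
    ts: float                      # seconds since start of capture
    src: str
    dst: str
    proto: str                     # e.g. "modbus", "s7comm"
    func_code: Optional[int] = None


@dataclass
class Baseline:
    """Facts learned during the learning phase. Deliberately not widened
    afterwards: a new fact stays an alert until an operator accepts it."""
    nodes: set = field(default_factory=set)       # addresses seen as src or dst
    links: set = field(default_factory=set)       # (src, dst)
    protocols: set = field(default_factory=set)   # (src, dst, proto)
    func_codes: set = field(default_factory=set)  # (src, proto, func_code)


class LearnedBehaviorDetector:
    def __init__(self) -> None:
        self.baseline = Baseline()
        self.learning = True
        self.reported: set = set()  # (type_id, key) already alerted once

    def end_learning(self) -> None:
        self.learning = False

    def observe(self, f: Flow) -> list:
        """Return the Type IDs this flow raises (empty when nothing is new)."""
        b = self.baseline
        checks = [
            ("VI:NEW-NODE", f.src, b.nodes),
            ("VI:NEW-NODE:TARGET", f.dst, b.nodes),
            ("VI:NEW-LINK", (f.src, f.dst), b.links),
            ("VI:NEW-PROTOCOL", (f.src, f.dst, f.proto), b.protocols),
        ]
        if f.func_code is not None:
            checks.append(("VI:NEW-FUNC-CODE", (f.src, f.proto, f.func_code), b.func_codes))
        alerts = []
        for type_id, key, known in checks:
            if key in known:
                continue
            if self.learning:
                known.add(key)                      # learning: extend the baseline
            elif (type_id, key) not in self.reported:
                self.reported.add((type_id, key))   # detection: alert once per new fact
                alerts.append(type_id)
        return alerts


class StaleVariableCheck:
    """PROC:STALE-VARIABLE as an ON/OFF pair: ON once when a variable has gone
    more than max_age seconds without an update, OFF once when it is updated
    again. The state set keeps a still-stale variable from re-alerting."""
    def __init__(self, max_age: float) -> None:
        self.max_age = max_age
        self.last_update: dict = {}
        self.stale: set = set()

    def update(self, var: str, ts: float) -> list:
        self.last_update[var] = ts
        if var in self.stale:
            self.stale.discard(var)
            return [("PROC:STALE-VARIABLE", "OFF", var)]
        return []

    def evaluate(self, now: float) -> list:
        alerts = []
        for var, t in self.last_update.items():
            if now - t > self.max_age and var not in self.stale:
                self.stale.add(var)
                alerts.append(("PROC:STALE-VARIABLE", "ON", var))
        return alerts


def run_demo() -> dict:
    """Replay constructed traffic and return the alerts raised per phase."""
    det = LearnedBehaviorDetector()
    # Learning phase (constructed): an HMI polls two PLCs with Modbus FC 3 and
    # an engineering workstation talks S7comm to one of them.
    for f in [Flow(0.0, "10.0.0.10", "10.0.0.20", "modbus", 3),
              Flow(1.0, "10.0.0.10", "10.0.0.21", "modbus", 3),
              Flow(2.0, "10.0.0.11", "10.0.0.20", "s7comm")]:
        det.observe(f)
    det.end_learning()
    detection = {
        "known_poll":   det.observe(Flow(10.0, "10.0.0.10", "10.0.0.20", "modbus", 3)),
        "first_write":  det.observe(Flow(11.0, "10.0.0.10", "10.0.0.20", "modbus", 16)),
        "repeat_write": det.observe(Flow(12.0, "10.0.0.10", "10.0.0.20", "modbus", 16)),
        "new_master":   det.observe(Flow(13.0, "10.0.0.99", "10.0.0.20", "modbus", 3)),
    }
    stale = StaleVariableCheck(max_age=30.0)   # stands in for :check_last_update 30
    timeline = []
    timeline += stale.update("plc1.level_setpoint", 0.0)
    timeline += stale.evaluate(20.0)   # within threshold: nothing
    timeline += stale.evaluate(40.0)   # 40 s without update: ON
    timeline += stale.evaluate(50.0)   # still stale: not repeated
    timeline += stale.update("plc1.level_setpoint", 55.0)   # fresh value: OFF
    return {"detection": detection, "stale": timeline}


if __name__ == "__main__":
    result = run_demo()
    for phase, alerts in result["detection"].items():
        print(f"{phase:13s} -> {alerts}")
    print(result["stale"])
```

Two design points worth carrying over to real triage: the baseline is not widened after learning ends, so an unaccepted new fact keeps the `VI:` alert on record rather than silently becoming "normal", and a single unknown master fires the whole cascade (new node, new link, new protocol, new function code), which is what a first Modbus poll from an unexpected address looks like in the alert list.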