Updated on 2023-06-09 GMT+08:00

Threat Alarms Overview

Overview

SA can aggregate alarms reported by other security products. All those alarms are centrally displayed in the Threat Alarms module. In this module, you can learn of threats and security events discovered in your cloud resources in a timely manner.

Beyond that, this module sorts threats by attack source and attacked asset so that you can quickly learn of vulnerable assets and learn the security posture of your assets in real time.

The threat alarms module includes the following functions:

  • Alarms

    SA monitors threat events on the cloud in real time, provides alarm notifications using linked services HSS and WAF, and displays details about alarms for the last 180 days.

  • Threat Analysis

    Allows you to query threats or attacks by Attack source or Attacked asset.

Alarm Types

Currently, SA includes eight categories of check items, including more than 200 event types.

DDoS Alarm Events

SA can protect all your hosts from DDoS attacks no matter where your hosts are deployed.

More than 100 types of DDoS threats can be detected.

  • Network layer attacks

    NTP flood and CC attacks

  • Transport layer DDoS attacks

    SYN and ACK flood attacks

  • Session layer attacks

    SSL DDoS attacks

  • Application layer attacks

    HTTP-GET DDoS flood attacks and HTTP-POST DDoS flood attacks

Brute-force Attack Alarms

SA detects intrusion behaviors and internal risks to your host assets in real time. It checks whether accounts, such as SSH, RDP, FTP, SQL Server and MySQL accounts, are experiencing password cracking attacks, and detects whether asset accounts have been cracked for abnormal logins.

Currently, 22 types of brute-force attacks can be detected.

  • Brute-force attacks that can be detected by SA

    SSH brute force attacks (2 types), RDP brute force attacks, Microsoft SQL brute force attacks, MySQL brute force attacks, FTP brute force attacks, SMB brute force attacks (3 types), HTTP brute force attacks (4 types), and Telnet brute force attacks.

  • Alarms from the linked HSS service

    SSH, RDP, FTP, MySQL, IRC, and Webmin brute force attacks, brute force attacks on other ports, and brute force attacks on OSs

Web Attack Alarms

SA detects web threats such as malicious web scanners, malicious IP addresses, and web Trojans in real time.

Currently, 38 types of web threats can be detected.

  • Web attacks that can be detected by SA

    Web shell attacks (3 types), cross-site scripting (XSS) attacks, code injection attacks (7 types), SQL injection attacks (9 types), and command injection attacks.

  • Alarms from the linked HSS service

    Web shells, Linux web page tampering, and Windows web page tampering.

  • Alarms from the linked WAF service

    Cross-site scripting (XSS) attacks, command injection attacks, SQL injection attacks, directory traversal attacks, local file inclusion, remote file inclusion, remote code execution, Trojans, website information leakage, exploits, IP reputation database, malicious crawlers, web page anti-tampering, and web page anti-crawler.

Trojan Attack Alarms

SA detects Trojans and malicious requests to compromised hosts in real time.

Currently, 5 types of Trojans can be detected.

  • Trojans in PHP and JSP files in the web directory on hosts
  • Trojans on compromised hosts

    Trojans such as Win32/Ramnit Checkin, WannaCry ransomware request resolution, Trojan downloading, and access to HTTP File Server (HFS) download servers

Zombie Alarms

SA detects threats initiated by zombie hosts in real time. The following 7 types of zombie attacks can be detected:

  • SSH brute-force attacks
  • RDP brute-force attacks
  • Web brute-force attacks
  • MySQL brute-force attacks
  • SQL Server brute-force attacks
  • DDoS attacks
  • Mining software

Abnormal Behavior Alarms

SA detects abnormal changes and operations of the operating systems (OSs) on assets in real time. The following 21 types of abnormal behavior can be scanned for:

The following 21 types of abnormal behavior can be scanned for:
  • Abnormal behavior that can be scanned for by SA

    Unauthorized scanning over the file system, CMS V1.0 vulnerabilities, and unauthorized sensitive file access.

  • Alarms reported by HSS

    Abnormal logins, critical file changes, network interface cards (NIC) in promiscuous mode, unsafe accounts, reverse shells, abnormal shells, high-risk command execution, abnormal automatic startups, file privilege escalation, process privilege escalation, and Rootkits

  • Alarms reported by WAF

    Alarms generated against custom rules, whitelist, blacklist, geographical access control rules, malicious scanners & crawlers, IP blacklist or whitelist rules, and unauthorized access blocking

Exploit Alarms

In real time, SA scans the potentially compromised assets that may be used to initiate attacks. The following 2 types of vulnerabilities can be detected:

  • Web-CMS vulnerability attacks

C&C Alarms

SA detects command and control (C&C) servers in real time. A C&C server may remotely control the hosts to access or establish links with malware.

The following 3 types of C&C threats can be detected:

  • Access to Domain Generation Algorithm (DGA) domain names
  • Access to malicious C&C domain names
  • Malicious communication channels between C&C servers and host assets