Specifications

Dragon has four default notification rules: netsight-atlas-asm-attacks, netsight-atlas-asm-compromise,
netsight-atlas-asm-informational, and netsight-atlas-asm-misuse. Each of Dragon's default notification
rules has a corresponding default event category in ASM: ASM_ATTACKS, ASM_COMPROMISE,
ASM_INFORMATIONAL, and ASM_MISUSE. ASM uses Rules to compare incoming trap messages with
specific event categories, then determines where and what action to apply as a response.

For ASM's response to a serious threat to be timely and effective, it is important that ASM only be notified of
serious threats. The following table lists the Dragon events for which notification to ASM is recommended:

BACKDOOR:PHATBOT        COMP:MS-DIR             COMP:ROOT-ICMP
COMP:ROOT-TCP           COMP:ROOT-UDP           COMP:SDBOT-LOGIN
COMP:SDBOT-NETINFO      COMP:SPYBOT-DOWNLOAD    COMP:SPYBOT-INFO
COMP:SPYBOT-KEYLOG      COMP:WIN-2000           COMP:WIN-XP
GENERIC:UPX-EXE         MS-BACKDOOR             MS-BACKDOOR2
MS-BACKDOOR3            MS-SQL:HAXOR-TABLE      MS-SQL:PWDUMP
MS-SQL:WORM-SAPPHIRE    MS:BACKDOOR-BADCMD      MS:BACKDOOR-DIR
SMB:SAMBAL-SUCCESS      SSH:HIGHPORT            SSH:X2-CHRIS
SSH:X2-CHRIS-REPLY

You should also read the Dragon IDS AlarmTool Step-by-Step Instructions to learn more about events,
alarms, traps, and inform configuration in Dragon IDS.
Automated Security Manager Help
Configuring Automated Security Manager