The following is detailed information about each demo rule.
RuleID 2244 is the rule for testing that ICMP traffic between two endpoints is scanned by DDI.
Proof of Concept (POC): In Linux/Unix, use hping3 to generate ICMP packets carrying the signature "DDI_DETECTION_TEST" in a payload of 100 bytes in total.
For example:
# hping3 192.168.1.60 --icmp --sign 'DDI_DETECTION_TEST' -d 100
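The hping3 command above is the page's own POC. As an added illustration that is not from the original page or from Trend Micro, the Python script below builds the same kind of packet by hand: an ICMP echo request whose 100-byte data area starts with the DDI_DETECTION_TEST signature and is zero-padded, the layout hping3 produces for --sign together with -d. Building it manually makes the payload and the RFC 1071 checksum visible, which helps when comparing what was sent against what the DDI log shows. The default target 192.168.1.60 is taken from the page; sending requires root (raw socket), while the builder functions run anywhere.

```python
import socket
import struct
import sys

SIGNATURE = b"DDI_DETECTION_TEST"
PAYLOAD_SIZE = 100  # same total data size as "-d 100" in the hping3 command


def build_payload(signature=SIGNATURE, size=PAYLOAD_SIZE):
    """Signature at the start of the data area, zero-padded to `size` bytes.

    This mirrors hping3's --sign/-d behaviour (assumption: signature first, padding after).
    """
    if len(signature) > size:
        raise ValueError("signature longer than the requested payload size")
    return signature.ljust(size, b"\x00")


def inet_checksum(data):
    """RFC 1071 one's-complement checksum over 16-bit big-endian words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:  # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp_echo(payload, ident=0x4444, seq=1):
    """ICMP echo request (type 8, code 0) followed by `payload`, with a valid checksum."""
    header = struct.pack("!BBHHH", 8, 0, 0, ident, seq)  # checksum field zeroed first
    csum = inet_checksum(header + payload)
    header = struct.pack("!BBHHH", 8, 0, csum, ident, seq)
    return header + payload


def checksum_is_valid(packet):
    """A correctly checksummed ICMP message sums to zero when the checksum field is included."""
    return inet_checksum(packet) == 0


def send_echo(target, packet):
    """Send the raw ICMP message; needs root or CAP_NET_RAW on Linux."""
    with socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_ICMP) as sock:
        sock.sendto(packet, (target, 0))


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "192.168.1.60"  # address from the page
    pkt = build_icmp_echo(build_payload())
    send_echo(target, pkt)
    print("sent %d-byte ICMP echo request to %s" % (len(pkt), target))
```

Run it as root with the target address as the first argument; the resulting packet is 8 bytes of ICMP header plus the 100-byte signed payload, which is what the demo rule is expected to flag.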
RuleID 2245 is the rule for testing that DNS traffic between a monitored client and the customer's DNS server is scanned by DDI.
POC: In Windows/Linux, use nslookup to generate a DNS request that resolves "ddi.detection.test".
For example:
# nslookup ddi.detection.test
RuleID 2246 is the rule for testing that HTTP traffic between a monitored client and Trend Micro WRS is scanned by DDI.
POC: Use a browser (or wget) to navigate to the URL: http://wrs49.winshipway.com/
RuleID 2247 is the rule for testing that SMB/SMB2 traffic between two endpoints is scanned by DDI.
POC: From Windows host A, connect to a shared folder on Windows host B using the username DDI_DETECTION_TEST.
RuleID 2248 is the rule for testing that SMTP traffic between a monitored client and the specified SMTP server is scanned by DDI.
POC: Send an email with the Subject DDI_DETECTION_TEST via SMTP.
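The page gives no command for the SMTP POC, so here is an added example (not from the original page or from Trend Micro) that sends the test message with Python's standard smtplib. The SMTP host, port and addresses are placeholders to replace with the customer's specified SMTP server. The message is sent over plain SMTP on purpose: if the client negotiated STARTTLS, the Subject header would cross the wire encrypted and the sensor could not match it, so the script refuses to upgrade the session.

```python
import smtplib
import sys
from email.message import EmailMessage

TEST_SUBJECT = "DDI_DETECTION_TEST"  # marker the demo rule looks for in the Subject header


def build_test_message(sender, recipient, subject=TEST_SUBJECT):
    """Compose the demo message; only the Subject matters for the rule."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = subject
    msg.set_content("Trend Micro DDI demo rule 2248 test message. Safe to ignore.")
    return msg


def subject_is_visible_on_wire(msg, uses_tls):
    """True only if the sensor can see the marker: right Subject and no TLS on the session."""
    return msg["Subject"] == TEST_SUBJECT and not uses_tls


def send_test_message(msg, host, port=25, timeout=10):
    """Deliver over cleartext SMTP so the Subject header is inspectable by DDI.

    Returns the server's response to the DATA command.
    """
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        # Deliberately do NOT call smtp.starttls(): the rule needs the header in the clear.
        code, reply = smtp.mail(msg["From"])
        if code != 250:
            raise RuntimeError("MAIL FROM rejected: %d %r" % (code, reply))
        code, reply = smtp.rcpt(msg["To"])
        if code not in (250, 251):
            raise RuntimeError("RCPT TO rejected: %d %r" % (code, reply))
        code, reply = smtp.data(msg.as_bytes())
        return code, reply


if __name__ == "__main__":
    # Placeholders (assumed): replace with the customer's SMTP server and real mailboxes.
    host = sys.argv[1] if len(sys.argv) > 1 else "smtp.example.internal"
    message = build_test_message("ddi-test@example.internal", "inbox@example.internal")
    print(send_test_message(message, host))
```

Check the DDI console afterwards for a rule 2248 detection against the sending client's address; if nothing appears, confirm that the client-to-server path is mirrored to the sensor and that no mail relay in between re-encrypted the session.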
RuleID 2249 is the rule for testing that Kerberos traffic between a monitored client and the customer's Domain Controller is scanned by DDI.
POC: Log on to Windows with the account DDI_DETECTION_TEST via Kerberos.
- The severity of the demo rules is 'Informational', and they are assigned to a few different attack phases.
- Based on the current DDI aggregation policy (the criteria can be changed by AU NCCP/ECP), at most 10 logs are recorded for each demo rule within the same hour.