Using Deep Discovery Inspector (DDI) demo rules to validate monitored traffic

    • Updated:
    • 27 Nov 2017
    • Product/Version:
    • Deep Discovery Inspector 3.8
    • Deep Discovery Inspector 5.0
    • Platform:
    • CentOS 6 64-bit
Summary

To help deploy DDI effectively and validate that it receives monitored traffic and triggers detections, DDI ships with several built-in rules intended for testing and demonstration.

This article provides detailed information on the DDI demo rules.

Details

The following is detailed information about each demo rule.

RuleID 2244 verifies that ICMP traffic between two endpoints is scanned by DDI.

Proof of Concept (POC): On Linux/Unix, use hping3 to generate ICMP packets carrying the payload signature "DDI_DETECTION_TEST", padded to a total payload size of 100 bytes.

For example:

# hping3 192.168.1.60 --icmp --sign 'DDI_DETECTION_TEST' -d 100

RuleID 2245 verifies that DNS traffic between a monitored client and the customer's DNS server is scanned by DDI.

POC: On Windows/Linux, use nslookup to generate a DNS request that resolves "ddi.detection.test".

For example:

# nslookup ddi.detection.test

RuleID 2246 verifies that HTTP traffic between a monitored client and Trend Micro WRS is scanned by DDI.

POC: Use a browser (or wget) to navigate to the URL: http://wrs81.winshipway.com/ddi_detection_test

RuleID 2247 verifies that SMB/SMB2 traffic between two endpoints is scanned by DDI.

POC: From Windows host A, connect to a shared folder on Windows host B using the username DDI_DETECTION_TEST.

RuleID 2248 verifies that SMTP traffic between a monitored client and the specified SMTP server is scanned by DDI.

POC: Send an email with the subject DDI_DETECTION_TEST via SMTP.

RuleID 2249 verifies that Kerberos traffic between a monitored client and the customer's Domain Controller is scanned by DDI.

POC: Log on to Windows with the account DDI_DETECTION_TEST via Kerberos.

  • The severity of demo rule detections is 'Informational', and the detections are spread across a few different attack phases.
  • Under the current DDI aggregation policy (criteria can be changed by AU NCCP/ECP), at most 10 logs per demo rule are recorded within the same hour.
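After running the POCs above, an operator still has to confirm that every demo rule actually fired and to remember that the hourly aggregation cap hides further hits. The following Python script is an added example written for this article, not Trend Micro's code and not DDI's log format: it maps each protocol's observed field (ICMP payload, DNS name, HTTP URL, SMB username, SMTP subject, Kerberos account) to the demo rule it should trigger, then summarises a set of constructed detection records to report which of the six rules never fired and which reached the 10-per-hour cap. The pipe-separated log layout and the sample records are assumptions made for the example.

```python
# Added example, not part of the Trend Micro article or of DDI itself.
from collections import defaultdict
from datetime import datetime

# Demo rule IDs, protocol and the marker each POC carries, as listed in the article.
DEMO_RULES = {
    2244: ("ICMP", "DDI_DETECTION_TEST"),      # ICMP payload signature
    2245: ("DNS", "ddi.detection.test"),        # queried name
    2246: ("HTTP", "/ddi_detection_test"),      # URL path
    2247: ("SMB", "DDI_DETECTION_TEST"),        # share logon username
    2248: ("SMTP", "DDI_DETECTION_TEST"),       # message subject
    2249: ("KERBEROS", "DDI_DETECTION_TEST"),   # logon account
}
MAX_LOGS_PER_HOUR = 10  # aggregation cap per demo rule stated in the article


def classify(protocol, observed):
    """Return the demo rule ID that the observed field should trigger, or None."""
    protocol = protocol.upper()
    for rule_id, (proto, marker) in DEMO_RULES.items():
        if proto == protocol and marker.lower() in observed.lower():
            return rule_id
    return None


def parse_detection(line):
    """Parse one log line. The 'timestamp|rule_id|protocol|detail' layout is an
    assumption made for this example, not DDI's real export format."""
    ts, rule_id, protocol, detail = line.strip().split("|", 3)
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S"), int(rule_id), protocol, detail


def summarise(lines):
    """Count demo-rule detections per rule and per clock hour."""
    counts = defaultdict(lambda: defaultdict(int))
    for line in lines:
        if not line.strip():
            continue
        ts, rule_id, _, _ = parse_detection(line)
        if rule_id in DEMO_RULES:
            counts[rule_id][ts.strftime("%Y-%m-%dT%H")] += 1
    return {rule: dict(hours) for rule, hours in counts.items()}


def validation_report(lines):
    """Report demo rules that never fired (that protocol's traffic is not reaching
    DDI) and rules that hit the hourly cap (later hits that hour are not logged)."""
    summary = summarise(lines)
    missing = sorted(r for r in DEMO_RULES if r not in summary)
    at_cap = sorted(r for r, hours in summary.items()
                    if any(c >= MAX_LOGS_PER_HOUR for c in hours.values()))
    return {"missing": missing, "at_cap": at_cap, "counts": summary}


# Constructed sample: ten ICMP hits in one hour, one hit each for DNS, HTTP and
# SMTP, and nothing for SMB or Kerberos.
SAMPLE_LOGS = [
    f"2017-11-27T10:00:{s:02d}|2244|ICMP|DDI_DETECTION_TEST" for s in range(10)
] + [
    "2017-11-27T10:01:00|2245|DNS|ddi.detection.test",
    "2017-11-27T10:02:00|2246|HTTP|http://wrs81.winshipway.com/ddi_detection_test",
    "2017-11-27T10:03:00|2248|SMTP|DDI_DETECTION_TEST",
]

if __name__ == "__main__":
    report = validation_report(SAMPLE_LOGS)
    print("demo rules that never fired:", report["missing"])
    print("demo rules at the hourly cap:", report["at_cap"])
```

On the sample data the report lists 2247 and 2249 as never having fired, which points at SMB and Kerberos traffic not being mirrored to the DDI monitoring port, and flags 2244 as having reached the cap, so a count of exactly 10 for ICMP should be read as "at least 10" rather than an exact figure.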
Category:
Deploy
Solution Id:
1117108