To help deploy DDI effectively and validate that it can receive traffic and trigger detections successfully, DDI has several built-in rules for testing and demonstration.
This article provides detailed information on the DDI demo rules.
The following sections describe each demo rule.
RuleID 2244 tests whether ICMP traffic between two endpoints is scanned by DDI.
Proof of Concept (POC): On Linux/Unix, use hping3 to generate ICMP packets whose data field carries the signature "DDI_DETECTION_TEST" and is 100 bytes in total.
For example:
# hping3 192.168.1.60 --icmp --sign 'DDI_DETECTION_TEST' -d 100
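To reproduce the same probe without hping3, or to confirm what the command above actually puts on the wire, the following added example (not Trend Micro's code) builds the ICMP echo request with the "DDI_DETECTION_TEST" signature and a 100-byte data field, verifies the RFC 1071 checksum, and offers a defender-side check that a captured ICMP packet carries the signature. The identifier and sequence values, the zero padding after the signature, and the DDI_TEST_TARGET environment variable are assumptions of this example; sending requires a raw socket (root or CAP_NET_RAW).

```python
"""ICMP echo request matching the DDI rule 2244 test (added example).

The 100-byte data size and the DDI_DETECTION_TEST signature come from the
article; identifier, sequence and zero padding are constructed assumptions.
"""
import os
import socket
import struct

SIGNATURE = b"DDI_DETECTION_TEST"   # signature from the article
DATA_LEN = 100                      # hping3 -d 100


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over ICMP header + data."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    total = (total >> 16) + (total & 0xFFFF)   # fold carries
    total += total >> 16
    return (~total) & 0xFFFF


def build_icmp_echo(signature: bytes = SIGNATURE, data_len: int = DATA_LEN,
                    ident: int = 0x1234, seq: int = 1) -> bytes:
    """ICMP echo request (type 8, code 0) whose data field starts with the
    signature and is zero-padded to data_len bytes (assumed hping3 layout)."""
    if len(signature) > data_len:
        raise ValueError("signature longer than data field")
    data = signature + b"\x00" * (data_len - len(signature))
    header = struct.pack("!BBHHH", 8, 0, 0, ident, seq)   # checksum = 0 first
    csum = icmp_checksum(header + data)
    header = struct.pack("!BBHHH", 8, 0, csum, ident, seq)
    return header + data


def checksum_ok(packet: bytes) -> bool:
    """True when a captured ICMP packet's checksum verifies (sum folds to 0)."""
    return len(packet) >= 8 and icmp_checksum(packet) == 0


def has_signature(packet: bytes, signature: bytes = SIGNATURE) -> bool:
    """Defender-side check: does the ICMP data field begin with the test signature?"""
    return len(packet) >= 8 and packet[8:].startswith(signature)


def send_probe(dst: str, packet: bytes) -> int:
    """Send the packet with a raw ICMP socket (needs root / CAP_NET_RAW)."""
    with socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_ICMP) as s:
        return s.sendto(packet, (dst, 0))


if __name__ == "__main__":
    pkt = build_icmp_echo()
    print(len(pkt), checksum_ok(pkt), has_signature(pkt))   # 108 True True
    # DDI_TEST_TARGET is an assumed variable, e.g. the 192.168.1.60 host above.
    target = os.environ.get("DDI_TEST_TARGET")
    if target:
        send_probe(target, pkt)
```

The ICMP header is 8 bytes, so a correctly built probe is 108 bytes before the IP header; `checksum_ok` and `has_signature` can also be run over the ICMP layer of a packet captured on the DDI mirror port to confirm that the test traffic arrived intact.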
RuleID 2245 tests whether DNS traffic between a monitored client and the customer's DNS server is scanned by DDI.
POC: On Windows/Linux, use nslookup to generate a DNS request to resolve "ddi.detection.test".
For example:
# nslookup ddi.detection.test
RuleID 2246 tests whether HTTP traffic between a monitored client and Trend Micro WRS is scanned by DDI.
POC: Use a browser (or wget) to navigate to the URL: http://wrs49.winshipway.com/
RuleID 2247 tests whether SMB/SMB2 traffic between two endpoints is scanned by DDI.
POC: From Windows host A, connect to a shared folder on Windows host B using the username DDI_DETECTION_TEST.
RuleID 2248 tests whether SMTP traffic between a monitored client and the specified SMTP server is scanned by DDI.
POC: Send an email with the subject DDI_DETECTION_TEST via SMTP.
RuleID 2249 tests whether Kerberos traffic between a monitored client and the customer's domain controller is scanned by DDI.
POC: Log on to Windows with the account DDI_DETECTION_TEST via Kerberos.
- The severity of the demo rules is 'Informational', and they are mapped to a few different attack phases.
- Based on the current DDI aggregation policy (criteria can be changed by AU NCCP/ECP), at most 10 logs are generated per demo rule within the same hour.