
Trojan Port Activity

  • Writer: Pavan Raja
  • Apr 9
  • 3 min read

Summary:

The document describes how the SANS Institute's list of known trojan ports is brought into ArcSight ESM™ version 4.5 SP2. A Perl script, sans_ports.pl, supplied with the "Trojan Port Activity" use case reads sans.txt, a copy of the port data published by SANS, and writes two output files: trojanPortsAL.txt, for import into an ArcSight active list, and trojanPortsPL.txt, a drop-in replacement for the trojan_ports.txt port list in the ArcSight configuration directory. The input and output paths are variables at the top of the script and can be changed to suit a particular installation. The use case consists of:

1. An active list, Trojan Port List, created by importing trojanPortsAL.txt into the system configuration.
2. A rule, "Trojan Port Activity Detected", that raises an alert when traffic to a port in that list is observed.
3. The supporting files: sans_ports.pl, sans.txt, trojanPortsAL.txt and trojanPortsPL.txt (the last one replacing the port list file in the ArcSight configuration directory).
4. An ESM package, "Trojan_Port_Activity_-_IP_Submission.arb", that bundles the active list and the rule.

Details:

"ArcSight ESM™ Trojan Port Activity - Importing SANS Content" is an ESM content update that integrates the SANS Institute's port information, specifically its list of ports known to be used by trojans. Version 4.5 SP2, released on July 25, 2010, delivers this through a Perl script that parses port data taken from the SANS Internet Storm Center (http://isc.sans.edu/services.html).

The script reads a file called sans.txt, which holds the port information compiled by SANS, parses it, and creates two output files: trojanPortsAL.txt and trojanPortsPL.txt. The first is imported into an active list in the ArcSight ESM console so that rules can match events against the known trojan ports. The second replaces the trojan_ports.txt file in the ArcSight configuration directory, so the console's built-in port list stays in step with the active list. The input and output locations are set by the variables $inputFile, $outputFileAL and $outputFilePL near the top of the script and can be changed to fit a given deployment, which lets the same script be re-run whenever SANS publishes an updated list.

The use case, as packaged for ArcSight (an enterprise security information and event management, SIEM, product), consists of the following components:

1. **Active List**: trojanPortsAL.txt is imported to create the Trojan Port List active list in the system configuration.

2. **Rule**: A rule named "Trojan Port Activity Detected" triggers an alert when activity on one of these ports is detected.

3. **Files Enclosed**:

  • **sans_ports.pl**: The Perl script that parses sans.txt and writes the two output files described above.

  • **sans.txt**: An example input file downloaded from http://isc.sans.edu/services.html; it is the raw SANS port list that the script parses.

  • **trojanPortsAL.txt**: Sample output in the format accepted by the active list import, used to create and test the Trojan Port List active list and the rule before they are finalized in the system configuration.

  • **trojanPortsPL.txt**: Sample output intended to replace $ArcSight_Home\config\trojan_ports.txt, the file in which ArcSight's own Trojan Port List is stored.

4. **ESM Package**: "Trojan_Port_Activity_-_IP_Submission.arb" bundles the active list and the rule so that both can be installed in one step. Together these files give a repeatable way to keep the trojan port list current and to alert on traffic to those ports in an enterprise environment.
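The following is an added example, not the sans_ports.pl script shipped with the use case, and it is written in Python rather than Perl. It walks the pipeline the document describes end to end: parse a SANS-style port list, emit an active-list import file and a replacement port-list file, then run the equivalent of the "Trojan Port Activity Detected" rule over a few connection events. The input layout (port, protocol, name, description per line, with '#' comment lines), the CSV columns of the active-list file, and the "port<TAB>name" layout of the port-list file are all assumptions made for illustration; the port data and events are constructed, not taken from SANS or from ESM.

```python
"""Added example (not the use case's sans_ports.pl): build trojan-port list
files from a SANS-style port file and run a rule-like check over events.
Input/output layouts are ASSUMED for illustration; sample data is constructed."""
import csv
import io
import re

# Constructed stand-in for sans.txt.  ASSUMED layout: one entry per line,
# "port  protocol  name  description", with '#' marking comment lines.
SAMPLE_SANS_TXT = """\
# port   proto  name          description   (constructed sample data)
12345    tcp    NetBus        NetBus remote-control trojan
31337    tcp    BackOrifice   Back Orifice
31337    udp    BackOrifice   Back Orifice over UDP
27374    tcp    SubSeven      SubSeven
1243     tcp    SubSeven      SubSeven (alternate port)
not-a-port tcp  Broken        malformed line, must be skipped
65536    tcp    OutOfRange    invalid port number, must be skipped
"""

LINE_RE = re.compile(r"^\s*(\d+)\s+(tcp|udp)\s+(\S+)\s*(.*?)\s*$", re.IGNORECASE)


def parse_sans(text):
    """Return [(port, proto, name, description), ...], skipping comments,
    blank lines, malformed lines and out-of-range port numbers."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            continue                      # malformed: no leading port number
        port = int(m.group(1))
        if not 0 < port <= 65535:
            continue                      # not a valid TCP/UDP port
        entries.append((port, m.group(2).lower(), m.group(3), m.group(4)))
    return entries


def to_active_list_csv(entries):
    """trojanPortsAL.txt-style output: a header row followed by one CSV row per
    entry.  The column names are an ASSUMPTION; align them with the active
    list's fields when importing into the ArcSight console."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(["port", "protocol", "trojanName", "description"])
    writer.writerows(entries)
    return buf.getvalue()


def to_port_list(entries):
    """trojanPortsPL.txt-style output: 'port<TAB>name', one line per port,
    sorted and deduplicated (first name wins).  Layout is an ASSUMPTION."""
    names = {}
    for port, _proto, name, _desc in entries:
        names.setdefault(port, name)
    return "".join(f"{port}\t{name}\n" for port, name in sorted(names.items()))


def build_lookup(entries):
    """Keyed on (port, protocol) so a UDP hit on a TCP-only entry does not fire."""
    return {(port, proto): name for port, proto, name, _desc in entries}


def detect(events, lookup):
    """Approximation of the 'Trojan Port Activity Detected' rule: return the
    events whose destination port/protocol pair appears in the active list."""
    hits = []
    for ev in events:
        name = lookup.get((ev["dst_port"], ev["proto"]))
        if name is not None:
            hits.append({**ev, "trojan": name})
    return hits


# Constructed events, standing in for normalized connection events in ESM.
SAMPLE_EVENTS = [
    {"src": "10.0.0.5", "dst": "192.0.2.10", "dst_port": 31337, "proto": "tcp"},
    {"src": "10.0.0.6", "dst": "192.0.2.11", "dst_port": 443, "proto": "tcp"},
    {"src": "10.0.0.7", "dst": "192.0.2.12", "dst_port": 27374, "proto": "udp"},
]

if __name__ == "__main__":
    entries = parse_sans(SAMPLE_SANS_TXT)
    print(to_active_list_csv(entries))
    print(to_port_list(entries))
    for hit in detect(SAMPLE_EVENTS, build_lookup(entries)):
        print(f"ALERT {hit['src']} -> {hit['dst']}:{hit['dst_port']}/{hit['proto']} ({hit['trojan']})")
```

Two design points worth carrying over to the real rule: the parser drops malformed and out-of-range lines instead of importing them, because a bad entry in an active list silently weakens every rule that reads it, and the match is on port plus protocol rather than port alone, since a port-only match against a list this size will fire on legitimate services that happen to share a number. Even so, a hit on a trojan port is an indicator, not a confirmation; the alert should lead to inspection of the flow, not to an automatic verdict.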

Disclaimer:
The content in this post is for informational and educational purposes only. It may reference technologies, configurations, or products that are outdated or no longer supported. If there are any comments or feedback, kindly leave a message and it will be responded to.



@2021 Copyrights reserved.
