Event Types supported by Nozomi Networks

The following table lists the event types supported by Nozomi Networks, with the category, type ID, name and definition of each.

| Category | Type ID | Name | Definition |
|---|---|---|---|
| Custom Checks | PROC:STALE-VARIABLE | Stale variable | A variable configured with check_last_update N has not had its value updated for more than N seconds. |
| Learned Behavior/Custom Checks | PROC:CRITICAL-STATE-ON | Critical state on | The system has entered a Process Critical State that has either been learned or inserted as a custom check. |
| Custom Checks | PROC:INVALID-VARIABLE-QUALITY | Invalid variable quality | A variable configured with check_quality N keeps its value with an invalid quality for more than N seconds. |
| Built-in Checks | NET:RST-FROM-SLAVE | Slave sent RST on link | A slave closed the connection to the master. This can be due to the device restarting or behaving in a strange manner. |
| Custom Checks | NET:INACTIVE-PROTOCOL | Inactive protocol | A link configured with check_last_activity N stays inactive for more than N seconds. |
| Built-in Checks | SIGN:TCP-SYN-FLOOD | TCP SYN flood | This kind of alert occurs when one or many hosts send a great amount of TCP SYN packets to a single host. |
| Built-in Checks | SIGN:MALICIOUS-PROTOCOL | Malicious protocol detected | Malicious protocol detected |
| Built-in Checks | SIGN:FIRMWARE-CHANGE | Firmware change requested | Firmware change requested |
| Built-in Checks | SIGN:MAN-IN-THE-MIDDLE | Man-in-the-middle attack | This kind of alert is raised when a man-in-the-middle attack is detected. |
| Protocol Validation | SIGN:DHCP-OPERATION | DHCP operation | A DHCP request from an unknown device has been found in the network, a sign of a new device trying to obtain an address. |
| Built-in Checks | SIGN:CPE:CHANGE | Installed software change detected | This kind of alert is raised after the detection of an installed software change. |
| Built-in Checks | SIGN:PROTOCOL-ERROR | Protocol error | A generic protocol error occurred; this usually relates to a state machine, option or other general violation of the protocol. |
| Built-in Checks | SIGN:ILLEGAL-PARAMETERS | Request with illegal parameters | A request with illegal parameters was made. |
| Built-in Checks | SIGN:UNSUPPORTED-FUNC | Unsupported function requested | An unsupported function has been called on the remote peer. This may mean that malfunctioning software is trying to perform an operation without success, or that a malicious attacker is trying to understand the functionalities of the device. |
| Built-in Checks | SIGN:MALICIOUS-DOMAIN | Malicious domain | Malicious domain |
| Built-in Checks | SIGN:NETWORK-SCAN | Network scan | Network scan |
| Protocol Validation | SIGN:NETWORK-MALFORMED | Malformed network packet | A malformed packet is detected during the Deep Packet Inspection phase. |
| Built-in Checks | SIGN:PROGRAM:CHANGE | Program change detected | The program on the OT device has been uploaded and changed. This can be a legitimate operation during maintenance and upgrade of the software, or an unauthorized attempt to read the program logic. |
| Built-in Checks | SIGN:CONFIGURATION-CHANGE | Configuration change requested | The configuration on the device has been uploaded and changed. This can be a legitimate operation during maintenance, or an unauthorized attempt to modify the behaviour of the device. |
| Learned Behavior | VI:NEW-NODE:MALICIOUS-IP | Bad reputation IP | Bad reputation IP |
| Built-in Checks | SIGN:OT_DEVICE-REBOOT | OT device reboot requested | The OT device has been requested to reboot by the sender host. This may be legitimate during engineering operations on the OT device, for instance maintenance. However, it may indicate suspicious activity by an attacker trying to disrupt the process controlled by the OT device. |
| Custom Checks | PROC:NOT-ALLOWED-INVALID-VARIABLE | Variable quality is not allowed | A variable configured with a specific check has been detected to have a quality that is not allowed. |
| Built-in Checks | SIGN:MULTIPLE-UNSUCCESSFUL-LOGINS | Multiple unsuccessful logins | This kind of alert occurs when a host repeatedly tries to log in to a service without success. |
| Custom Checks | PROC:SYNC-ASKED-AGAIN |  | A new general interrogation command has been issued. This can be an anomaly, since this command should be performed once per OT device. |
| Built-in Checks | SIGN:OT_DEVICE-STOP | OT device stop requested | The OT device program has been requested to stop by the sender host. This may be legitimate during engineering operations on the OT device, for instance maintenance of the program itself. However, it may indicate suspicious activity by an attacker trying to halt the process controlled by the OT device. |
| Built-in Checks | SIGN:OT_DEVICE-START | OT device start requested | The OT device program has been requested to start again by the sender host. This may be legitimate during engineering operations on the OT device, for instance maintenance of the program itself or a reboot of the system for updates. However, it may indicate suspicious activity by an attacker trying to manipulate the state of the OT device. |
| Learned Behavior | VI:PROC:PROTOCOL-FLOW-ANOMALY | Protocol flow anomaly | This kind of alert is raised when the process-related behavior of a protocol changes in a suspicious manner. |
| Built-in Checks | SIGN:DEV-STATE-CHANGE | Device state change | This kind of alert is raised when a change of the state of a device is detected, for example when an OT device is asked to enter a new mode or a factory reset is issued. |
| Built-in Checks | SIGN:PROGRAM:UPLOAD | Program uploaded to device | The program of the OT device has been uploaded. This can be a legitimate operation during maintenance and upgrade of the software, or an unauthorized attempt to disrupt the normal behavior of the system. |
| Built-in Checks | SIGN:CLEARTEXT-PASSWORD | Cleartext password | Cleartext password |
| Built-in Checks | PROC:WRONG-TIME | Process time issue detected | A slave reported a wrong time regarding process data. This may be due to incorrect time synchronization of the slave, a misbehavior, or a sign of compromise of the device. |
| Protocol Validation | SIGN:SCADA-INJECTION | SCADA packet injection | A traffic injection of SCADA packets has been detected in the network. |
| Built-in Checks | SIGN:ARP:DUP | Duplicate IP | This kind of alert occurs when a duplicated IP is spotted on the network by analyzing the ARP protocol. |
| Built-in Checks | SIGN:PACKET-RULE | Packet rule match | A packet rule matching a specific security check has matched. This alert requires a thorough check of what happened to verify whether an attacker is trying to compromise one or more hosts. |
| Learned Behavior | VI:NEW-PROTOCOL:CONFIRMED | New protocol confirmed | A protocol between two nodes has been confirmed at Layer 4 (the endpoint has accepted the connection). |
| Custom Checks | NET:LINK-RECONNECTION | Link reconnection | A link configured as persistent has a new TCP handshake. |
| Built-in Checks | SIGN:MALICIOUS-IP | Bad IP reputation | Bad IP reputation |
| Learned Behavior | VI:PROC:VARIABLE-FLOW-ANOMALY | Variable flow anomaly | The access over time to a variable has changed in an unexpected manner. |
| Built-in Checks | SIGN:PROC:MISSING-VAR | Missing variable requested | An attempt to access a nonexistent variable has been made. This can be due to reconnaissance activity or a configuration change. |
| Learned Behavior | VI:NEW-NET-DEV | New network device detected | A new, previously unseen network device, such as a switch, router or firewall, has appeared in the network. |
| Protocol Validation | SIGN:SCADA-MALFORMED | Malformed SCADA packet | A malformed packet is detected during the Deep Packet Inspection phase. |
| Learned Behavior | VI:PROC:NEW-VAR | New SCADA variable appeared | A new variable has been detected in a SCADA slave. |
| Learned Behavior | VI:NEW-FUNC-CODE | New function code detected | A node starts using a function code never seen before. |
| Learned Behavior | VI:NEW-PROTOCOL:APPLICATION | New application detected | A Layer 7 protocol has been detected inside a Layer 4 protocol. |
| Built-in Checks | SIGN:MALWARE-DETECTED | Malware detected | A malicious payload has been transferred over the network. |
| Learned Behavior | VI:NEW-PROTOCOL | New protocol used | A new protocol has been tried between two nodes. |
| Learned Behavior | VI:NEW-LINK | New target used | A node tries to communicate with a node not contacted before. |
| Learned Behavior | VI:NEW-ARP | New ARP from unknown MAC addresses | A new, previously unseen node appeared through ARP traffic. This alert is also useful to detect devices that are connected near the sniff interfaces of SCADAguardian but are not sending relevant application-level packets through the network. |
| Learned Behavior | VI:NEW-NODE:TARGET | New target node appeared | A new, previously unseen node starts to send packets in the network. |
| Built-in Checks | SIGN:PASSWORD:WEAK | Weak password used | Weak password used |
|  | SIGN:DDOS | DDOS attack | DDOS attack |
|  | SIGN:MULTIPLE-OT_DEVICE-RESERVATIONS | Multiple OT device reservations | Multiple OT device reservations |
| Learned Behavior | VI:NEW-NODE | New node appeared | A new, previously unseen node starts to send packets in the network. |
| Built-in Checks | SIGN:PROGRAM:DOWNLOAD | Program downloaded from device | The program of the OT device has been downloaded from another host. This can be a legitimate operation during maintenance and upgrade of the software, or an unauthorized attempt to read the program logic. |
| Learned Behavior | VI:PROC:NEW-VALUE | New SCADA variable value | A new variable value or behavior has been detected in a SCADA slave. |
| Learned Behavior/Custom Checks | PROC:CRITICAL-STATE-OFF | Critical state off | The system has exited from a Process Critical State. |
| Protocol Validation | SIGN:INVALID-IP | Invalid IP | A packet uses an IP address reserved for special purposes (e.g. loopback addresses). Packets with such addresses can originate from misconfiguration or from spoofing/denial of service attacks. |
| Learned Behavior | VI:NEW-SCADA-NODE | New SCADA node appeared | A new, previously unseen node speaking SCADA protocols starts to send packets in the network. |
| Learned Behavior | VI:NEW-MAC | New MAC address | A new, previously unseen MAC address has appeared in the network. |
| Built-in Checks | SIGN:UNSUPPORTED-FUNC | Unknown RTU ID requested | An unsupported function has been called on the remote peer. This may mean that malfunctioning software is trying to perform an operation without success, or that a malicious attacker is trying to understand the functionalities of the device. |