We are happy to announce two SD Script updates for eyeInspect:
- Host and Link Add Ons v1.34
  This SD Script extends the device fingerprinting capabilities of the HLI module of eyeInspect by inspecting protocol-specific messages.
- Threat Detection Add Ons v1.3
  This SD Script extends the detection capabilities of the ITL module of eyeInspect by inspecting protocol-specific messages.

What’s new?
These releases reduce the number of scripts needed to set up a comprehensive and effective eyeInspect deployment, improving maintainability and simplifying PoV preparation.

Download and install the Host and Link Add Ons v1.34 to gain the following additional capabilities:
- HTTP-based fingerprinting (Sensor versions of eyeInspect 4.2.x and up)
- RTSP-based fingerprinting
- RTCP-based fingerprinting
- Fingerprinting of MTL8000 I/O modules using the MTL8000_MATRIX protocol
- Improved Windows OS fingerprinting based on SMBv1 Session Setup messages
- New SNMP fingerprints for the following vendors: ABB, Ambery, Axis, Cambium Networks, Campbell Scientific, Cisco, EtherWan, HP, Lantronix, MH Corbin, Microhard Systems, Moxa, Radwin, Ricoh, Samsung, Sharp, Siemens, TC Communications, Vaisala, Westermo
- New SNMP fingerprints for NTCIP devices
- Improved recognition and fingerprinting logic for Wonderware Historian based on the HCAL protocol

Download and install the Threat Detection Add Ons v1.3 to gain the following additional capabilities:
- Detection of RTSP error codes and malfunctioning/misbehaving devices
- Detection of RTSP teardown commands (disabled by default)
- Detection of potentially dangerous operations targeting IP cameras via known HTTP request formats (this functionality is enabled and available only on sensor versions 4.2.x or higher)
- New malicious domain names related to the Sunburst backdoor communications

Supported Versions
This content update is supported by the following releases:
- eyeInspect version 3.13.0 and up

Deployment notes:
- Host and Link Add Ons v1.34 SD Script:
  - Systems using sensor version 4.2.x or higher must disable or remove the “HTTP HLI” SD Script.
  - Systems using any sensor version must disable or remove the “Surveillance Systems HLI” SD Script.
- Threat Detection Add Ons v1.3 SD Script:
  - Systems using sensor version 4.2.x or higher must disable or remove the “Surveillance Systems Monitor” SD Script.
  - Systems using sensor version 4.1.x or lower will still need the “Surveillance Systems Monitor” SD Script for HTTP detection, and must disable its RTSP detection to avoid duplicated alerts.
  - Systems using sensor version 4.1.x or lower may need the following additional SD Scripts to reach detection capabilities equivalent to 4.2:
    - MODBUSTCP Monitor
    - GE SRTP Monitor
    - ETHIP/CSP – PCCC Monitor
    - Ovation Monitor
    - SEL Monitor (partially)
    - SATEC IED HLI
    - GE iFIX HLI
    - CVE-2019-0708 Monitor
    - CVE-2020-0796 Monitor
    - MS17_010 Monitor
    - Urgent/11 Monitor

Please note that the HTTP detection checks in the “Surveillance Systems Monitor” script could have a performance impact and, if used, must be monitored to ensure that other eyeInspect capabilities are not affected. This script should preferably be adopted for demos/PoVs and under Forescout PS/SE supervision.

Requirements
The SD Script profile must be uploaded to the eyeInspect Command Center. For the Threat Detection Add Ons, the accompanying CSV file with the new Event Type IDs must also be uploaded to the eyeInspect Command Center. Please be advised that this CSV comes in two versions: a US regional version and a global version. Upload the version matching your system’s regional settings.

Availability
eyeInspect Users:
Download the module and related documentation from the Downloads / Resources section of the OT Customer portal, https://portal.secmatters.com/.