In response to the HydraQ threat, and to help Symantec Security Information Manager customers detect related activity in their own environment, the attached lookup table and rule set are provided. This table and rule set are compatible with Symantec Security Information Manager 4.5 and later.
The attached rule is a User Rule that can be edited to suit your environment.
Import and deploy the HydraQ Lookup Table and Rule
- Download Hydraq-1-19-2010.zip.md5 and the Hydraq-1-19-2010.zip file to the computer that has the SSIM UI installed, and compare the checksum of the zip file against the value in the .md5 file before extracting it.
- Extract Hydraq-1-19-2010.zip file to the computer that has the SSIM UI installed.
- Launch the SSIM UI Client.
- Select the Rules Tile, and in the right pane, expand Lookup Tables, and open the User Lookup Tables.
- In the toolbar, click the Import from disk icon, and browse to the directory where you extracted the files in step 2.
- Select Hydraq Watchlist.tab, and click Import.
- To verify that the table imported and is formatted correctly, make sure that the “Destination IP” column contains several IP addresses, and then in the toolbar click the Deploy to Server icon.
- Next, expand Correlation Rules, and click on User Rules.
- In the toolbar, click the Import from disk icon, and browse to the directory where you extracted the files in step 2.
- Select Hydraq_Rapid_Response_Rule.xml, and in the toolbar click Import.
- The rule appears in the right pane, in red.
- Select the Hydraq Rapid Response Rule, check the box to activate it, and in the toolbar click the Deploy to Server icon.
This rule triggers incidents and conclusions for new traffic directed at any IP address listed in the Hydraq Watchlist Lookup Table on destination port 21 or 443. In addition, you can deploy a query that checks for past traffic to these destinations.
Deploy a query that checks for past traffic to IP address destination ports of 21 or 443
The attached HydraqSampleQuery.qml is a query that can be edited to suit your environment.
- In the SSIM UI, in the left pane, click Events, and then click My Queries.
- In the toolbar, click Query Wizard.
- Follow the prompts to create an event query. You may choose to run the top 5 hosts, a detail, or a type that meets the needs of your environment. Create the event filter with criteria similar to the following values:
AND
  IP Destination Address is in Hydraq_Watchlist
  OR
    IP Destination Port = 21
    IP Destination Port = 443
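The logic of the rule and of the query filter above (destination address in the watchlist AND destination port 21 or 443), as an added example that is not part of the original article and not Symantec's code. It assumes a one-column tab-format watchlist with a "Destination IP" header, mirroring the import check in the procedure, and a constructed key=value firewall log format rather than SSIM's real event schema; the addresses are RFC 5737 documentation ranges, not real indicators. The top-sources summary stands in for the "top 5 hosts" query type mentioned above.

```python
import ipaddress
from collections import Counter

# Constructed watchlist in the spirit of the Hydraq Watchlist lookup table
# (assumed one-column tab format). Documentation addresses only.
WATCHLIST_TAB = """Destination IP
192.0.2.10
198.51.100.25
203.0.113.7
"""

# Destination ports the rule and query filter on.
WATCHED_PORTS = {21, 443}

# Constructed key=value firewall log lines (not a real SSIM event format).
SAMPLE_LOG = """2010-01-19T10:00:01 fw01 proto=tcp src=10.0.0.5 dst=192.0.2.10 dport=443 action=allow
2010-01-19T10:00:02 fw01 proto=tcp src=10.0.0.5 dst=192.0.2.10 dport=80 action=allow
2010-01-19T10:00:03 fw01 proto=tcp src=10.0.0.9 dst=10.1.1.1 dport=443 action=allow
2010-01-19T10:00:04 fw01 proto=tcp src=10.0.0.9 dst=203.0.113.7 dport=21 action=allow
2010-01-19T10:00:05 fw01 proto=tcp src=10.0.0.7 dport=443 action=allow
2010-01-19T10:00:06 fw01 proto=tcp src=10.0.0.5 dst=198.51.100.25 dport=21 action=deny
"""


def load_watchlist(tab_text: str) -> set:
    """Parse the one-column watchlist into a set of IP address objects.

    Mirrors the manual check in the procedure: every data row must be a valid
    IP address and the table must not be empty, otherwise raise.
    """
    lines = [line.strip() for line in tab_text.splitlines()]
    if lines and lines[0] == "Destination IP":
        lines = lines[1:]  # drop the header row
    entries = set()
    for line in lines:
        if line:
            entries.add(ipaddress.ip_address(line))  # ValueError on a bad row
    if not entries:
        raise ValueError("watchlist contains no IP addresses")
    return entries


def parse_event(line: str) -> dict:
    """Split a key=value log line into a dict; bare tokens are ignored."""
    fields = {}
    for token in line.split():
        if "=" in token:
            key, value = token.split("=", 1)
            fields[key] = value
    return fields


def matches_rule(event: dict, watchlist: set, ports=WATCHED_PORTS) -> bool:
    """dst in watchlist AND dport in {21, 443}; malformed records never match."""
    try:
        dst = ipaddress.ip_address(event["dst"])
        dport = int(event["dport"])
    except (KeyError, ValueError):
        return False
    return dst in watchlist and dport in ports


def find_hits(lines, watchlist: set) -> list:
    """Return the parsed events that satisfy the rule, in log order."""
    events = (parse_event(line) for line in lines if line.strip())
    return [event for event in events if matches_rule(event, watchlist)]


def top_sources(hits: list, n: int = 5) -> list:
    """Count matching events per source host, like a 'top N hosts' query."""
    return Counter(hit["src"] for hit in hits).most_common(n)


if __name__ == "__main__":
    watchlist = load_watchlist(WATCHLIST_TAB)
    hits = find_hits(SAMPLE_LOG.splitlines(), watchlist)
    for hit in hits:
        print(f"HIT src={hit['src']} dst={hit['dst']} dport={hit['dport']}")
    print("top sources:", top_sources(hits))
```

Of the six constructed lines, only three satisfy both conditions: the port-80 line fails the port test, the 10.1.1.1 line is not in the watchlist, and the line with no dst field is treated as unmatchable rather than as an error, which is the behaviour you want when running a query over imperfect historical data.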