iSID Analyst Knowledge Base

Definitions, and additional context on iSID alerts along with helpful recommendations

Category: Cyber Attack

( 538 Alerts)

ET SCAN Suspicious inbound to MSSQL port 1433

This alert is triggered when detecting inbound communication from an external network to the database (DB) on port 1433 (MSSQL). This alert may be triggered when an adversary is attempting to gain initial access to the DB or is attempting to read or write data to the DB.

ET SCAN LibSSH Based Frequent SSH Connections Likely BruteForce Attack

This alert is triggered when detecting frequent attempts to create an SSH Connection to an asset. SSH is a secure protocol to provide access to an asset in a network. This alert may be triggered when an adversary is attempting a brute-force Attack.

ET SCAN Nessus User Agent

This alert is triggered when detecting external communication to a Nessus User Agent on an asset in the network. Nessus User Agents are management programs that collect vulnerability, compliance and system data. This alert may by trigerd by an adversery atempting to comunicat with the Nessus user agent in order to get information on the asset.

ET SCAN Potential VNC Scan 5800-5820

This alert is triggered when detecting communication on ports 5800-5820 from an external source. Ports 5800-5820 are used by the virtual network computing service (VNC), which creates a screen-sharing system opening the network to remote communication. This alert may be triggered when an adversary is attempting to scan the network or gain initial access.

ET SCAN Behavioral Unusual Port 445 traffic Potential Scan or Infection

This alert is triggered when detecting communication on port 445 between devices in the network. Port 445 is used for SMB communication, which allows systems of the same network to share files. the SMB protocol is known to be vulnerable, communication on port 445 can be an indication of Potential scanning or attempted attack by an adversary. However, port 445 (SMB) is commonly used for communication in OT systems.

ET SCAN Behavioral Unusually fast Terminal Server Traffic Potential Scan or Infection (Inbound)

This alert is triggered when detecting unusually fast Remote desktop protocol (RDP) communication to an asset in the network. RDP uses port 3389 to create a remote connection between devices. This alert may be triggered when an adversary is scanning the network for devices to connect to remotely.

ET SCAN Behavioral Unusually fast Terminal Server Traffic Potential Scan or Infection (Outbound)

This alert is triggered when detecting unusually fast Remote desktop protocol (RDP) communication from an asset in the network. RDP uses port 3389 to create a remote connection between devices. This alert may be triggered when an adversary has infected an asset.

(spp_ssh) Protocol mismatch

The rule is designed to trigger an alert when it detects a protocol mismatch in the SSH communication. This could occur if the SSH client and server attempt to communicate using different SSH protocol versions or incompatible encryption algorithms. Such protocol mismatches may result from misconfigurations, attempts to use non-standard SSH implementations, or potential man-in-the-middle attacks attempting to interfere with SSH communication.

(spp_ssl) Invalid Client HELLO after Server HELLO Detected

The rule is designed to trigger an alert when it detects an invalid SSL client hello message. The client hello message is the first message sent by a client when initiating an SSL handshake with a server. It includes various parameters and cipher suites supported by the client, allowing the server to negotiate a secure connection.

ET SCAN Behavioral Unusual Port 135 traffic Potential Scan or Infection

This alert is triggered when detecting communication on port 135 between devices in the network. Port 135 is used by the Remote Procedure Call service, this service enables other systems to identify what services are available on an asset and which port they use. communication on port 135 can be an indication of Potential scanning of the network by an adversary.