iSID Analyst Knowledge Base

Definitions and additional context on iSID alerts, along with helpful recommendations

Category: Radiflow

(189 Alerts)

Modbus TCP – Invalid Modbus Function Code

This alert is triggered when a Modbus TCP packet with an invalid or unsupported function code is detected. Function codes in Modbus are used to perform specific operations, and values exceeding 0x5A are considered invalid, potentially indicating misconfigured devices or malicious activity.
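As an added illustration (not Radiflow's own detection code), the following Python check parses the MBAP header of a Modbus TCP frame and flags function codes above the 0x5A threshold stated above; the frames are constructed samples, and the helper names are assumptions.

```python
import struct
from typing import Dict, Optional

# Constructed Modbus TCP frames (MBAP header + PDU), for illustration only.
# MBAP: transaction id (2), protocol id (2, always 0 for Modbus), length (2), unit id (1).
# PDU: function code (1) followed by function-specific data.
FRAMES: Dict[str, bytes] = {
    "read_holding_registers": bytes.fromhex("0001 0000 0006 01 03 0000 000A"),  # fc 0x03
    "write_single_coil":      bytes.fromhex("0002 0000 0006 01 05 0013 FF00"),  # fc 0x05
    "invalid_fc_0x5b":        bytes.fromhex("0003 0000 0006 01 5B 0000 0001"),  # fc 0x5B
    "invalid_fc_0xff":        bytes.fromhex("0004 0000 0002 01 FF"),            # fc 0xFF
}

MAX_VALID_FUNCTION_CODE = 0x5A  # threshold as stated in the alert description

def parse_modbus_tcp(frame: bytes) -> dict:
    """Parse the MBAP header and function code; reject frames that are not Modbus TCP."""
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header plus function code")
    transaction_id, protocol_id, length, unit_id = struct.unpack(">HHHB", frame[:7])
    if protocol_id != 0:
        raise ValueError(f"protocol id {protocol_id} is not Modbus")
    # The length field counts every byte after itself (unit id + PDU).
    if length != len(frame) - 6:
        raise ValueError(f"MBAP length {length} does not match frame ({len(frame) - 6})")
    return {
        "transaction_id": transaction_id,
        "unit_id": unit_id,
        "function_code": frame[7],
        "data": frame[8:],
    }

def invalid_function_code_alert(frame: bytes) -> Optional[str]:
    """Return an alert message if the function code exceeds 0x5A, otherwise None.

    Note (general Modbus behaviour, not from the alert text): exception responses
    from a server carry the request's function code with the high bit set (fc | 0x80),
    so this check is meant for client requests, not for server replies.
    """
    pdu = parse_modbus_tcp(frame)
    fc = pdu["function_code"]
    if fc > MAX_VALID_FUNCTION_CODE:
        return (f"Invalid Modbus Function Code 0x{fc:02X} to unit {pdu['unit_id']} "
                f"(transaction {pdu['transaction_id']})")
    return None

def scan_frames(frames: Dict[str, bytes]) -> Dict[str, str]:
    """Run the check over every frame and return only the ones that alert."""
    return {name: msg for name, frame in frames.items()
            if (msg := invalid_function_code_alert(frame)) is not None}
```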

NF – Microsoft Powershell Banner Outbound

This alert is triggered when outbound traffic contains a PowerShell banner, indicating that a PowerShell script or command is being executed and potentially communicating with an external network. This can be a legitimate action or a sign of unauthorized or malicious activity, such as data exfiltration or command-and-control communication.

NF – NanoCore Trojan C2 – Traffic detected

This alert is triggered when network traffic containing a specific signature associated with the NanoCore Trojan Command and Control (C2) communication is detected. NanoCore is a Remote Access Trojan (RAT) that allows attackers to remotely control infected devices, steal data, and execute malicious commands. The detection is based on a payload pattern (|08 00 00 00|) typically found in NanoCore C2 traffic, and the rule monitors for repeated occurrences within a short time frame.

NF – Norwegian_Nynorsk layout in RDP connection setup

This alert is triggered when an RDP connection setup from an internal network device to an external server includes a specific input layout identifier (|08 14 00 00|) associated with the Norwegian Nynorsk keyboard layout. This could indicate a specific regional configuration being used.

NF – Web search engine – Sogou

This alert is triggered when an HTTP request is sent to a monitored web server with a User-Agent header containing "Sogou", indicating traffic originating from the Sogou web search engine. Sogou is a popular Chinese search engine developed by Sogou Inc. It is widely used in China for internet searches, similar to Google or Bing in other regions. This traffic might be part of legitimate web crawling or unauthorized scraping.

NF – Bad TLD domain – pink DNS query – Check domains

This alert is triggered when a DNS query from the internal network attempts to resolve a domain ending in .pink. This domain ending is sometimes linked to suspicious or malicious activities.

NF – Bad TLD domain – pw DNS query – Check domains

This alert is triggered when a DNS query from the internal network attempts to resolve a domain ending in .pw. This domain ending is sometimes linked to suspicious or malicious activities.

NF – Bad TLD domain – racing DNS query – Check domains

This alert is triggered when a DNS query from the internal network attempts to resolve a domain ending in .racing. This domain ending is sometimes linked to suspicious or malicious activities.

NF – Bad TLD domain – ren DNS query – Check domains

This alert is triggered when a DNS query from the internal network attempts to resolve a domain ending in .ren. This domain ending is sometimes linked to suspicious or malicious activities.

NF – Bad TLD domain – report DNS query – Check domains

This alert is triggered when a DNS query from the internal network attempts to resolve a domain ending in .report. This domain ending is sometimes linked to suspicious or malicious activities.