This alert is triggered when a DNS query from the internal network attempts to resolve a domain ending in .email, sometimes linked to phishing activity.
This alert is triggered when a DNS query from the internal network attempts to resolve a domain ending in .top, sometimes linked to phishing activity.
This alert is triggered when a DNS query from the internal network attempts to resolve a domain ending in .download, sometimes linked to phishing activity.
This alert is triggered when a DNS query from the internal network attempts to resolve a domain ending in .download, sometimes linked to phishing activity.
This alert is triggered when an outbound SMTP connection is made from the internal network, and the email client sends the "EHLO" command to initiate communication. This command is typically used in setting up an email connection but may be flagged in networks where outbound email should be restricted.
This alert is triggered when a Remote Desktop Protocol (RDP) connection is attempted from an external network to the internal network on a non-standard port (any port other than 3389). This may indicate an attempt to bypass standard RDP monitoring or restrictions.
This alert is triggered when traffic associated with Microsoft Terminal Server (RDP) is detected on a non-standard port (any port other than 3389). Such activity could indicate an attempt to avoid standard RDP detection, possibly as part of reconnaissance or unauthorized access efforts.
This alert is triggered when HTTP traffic using the "HEAD" request method is sent over port 443, which is typically reserved for HTTPS traffic. This may indicate an unusual or suspicious use of HTTP on an encrypted port.
This Snort rule is specifically crafted to detect SMBv3 negotiation packets with particular content patterns. If a packet matches these patterns, the rule triggers an alert.
This Snort rule is specifically crafted to detect ICMP packets with the specific type and code associated with BlackNurse attacks. The BlackNurse attack is a form of denial of service attack based on ICMP flooding. The attack is special because a modest bandwidth of 20Mbit/s can be effective for disrupting a victim's network. If a packet matches these criteria and meets the threshold defined by the detection filter, the rule triggers an alert that can indicate of an existance of the virus within the network.