iSID Analyst Knowledge Base

Definitions, and additional context on iSID alerts along with helpful recommendations

Category: Radiflow

( 189 Alerts)

NF – Bad TLD domain – email DNS query – Check domains

This alert is triggered when a DNS query from the internal network attempts to resolve a domain ending in .email, sometimes linked to phishing activity.

NF – Bad TLD domain – top DNS query – Check domains

This alert is triggered when a DNS query from the internal network attempts to resolve a domain ending in .top, sometimes linked to phishing activity.

NF – Bad TLD domain – ga DNS query – Check domains

This alert is triggered when a DNS query from the internal network attempts to resolve a domain ending in .download, sometimes linked to phishing activity.

NF – Bad TLD domain – download DNS query – Check domains

This alert is triggered when a DNS query from the internal network attempts to resolve a domain ending in .download, sometimes linked to phishing activity.

NF – Outbound mail setup command EHLO

This alert is triggered when an outbound SMTP connection is made from the internal network, and the email client sends the "EHLO" command to initiate communication. This command is typically used in setting up an email connection but may be flagged in networks where outbound email should be restricted.

NF – POLICY – Remote Desktop connection request on non-standard port

This alert is triggered when a Remote Desktop Protocol (RDP) connection is attempted from an external network to the internal network on a non-standard port (any port other than 3389). This may indicate an attempt to bypass standard RDP monitoring or restrictions.

ET SCAN MS Terminal Server Traffic on Non-standard Port

This alert is triggered when traffic associated with Microsoft Terminal Server (RDP) is detected on a non-standard port (any port other than 3389). Such activity could indicate an attempt to avoid standard RDP detection, possibly as part of reconnaissance or unauthorized access efforts.

NF – HTTP traffic on port 443 (HEAD)

This alert is triggered when HTTP traffic using the "HEAD" request method is sent over port 443, which is typically reserved for HTTPS traffic. This may indicate an unusual or suspicious use of HTTP on an encrypted port.

SMBv3 Negotiate Protocol Request with Compression Capabilities Context

This Snort rule is specifically crafted to detect SMBv3 negotiation packets with particular content patterns. If a packet matches these patterns, the rule triggers an alert.

TDC-SOC – Possible BlackNurse attack from external source 3,3

This Snort rule is specifically crafted to detect ICMP packets with the specific type and code associated with BlackNurse attacks. The BlackNurse attack is a form of denial of service attack based on ICMP flooding. The attack is special because a modest bandwidth of 20Mbit/s can be effective for disrupting a victim's network. If a packet matches these criteria and meets the threshold defined by the detection filter, the rule triggers an alert that can indicate of an existance of the virus within the network.