iSID Analyst Knowledge Base

Definitions, and additional context on iSID alerts along with helpful recommendations

Category: Radiflow

( 189 Alerts)

NF – VNC server response

this Snort rule is designed to detect VNC server responses in TCP traffic from external networks to the internal network on any port. If the specified patterns are found within the payload of an established TCP connection, the rule triggers an alert. The rule is crafted to identify VNC server responses based on specific content patterns in the payload.

NF – ICMP Payload to big for normal use – Covert Channel

this Snort rule is designed to detect ICMP packets with a payload size outside the range of 100 to 130 bytes. If such packets are detected and occur more than 50 times within a 10-second window for a specific destination IP address, the rule triggers an alert. The rule is specifically crafted to identify potential covert channels where the payload size is used as a covert communication mechanism.

NF – POLICY – SSH Client detected on non SSH standard port

this Snort rule is designed to detect TCP traffic on non-standard ports (ports other than 22) that contains the string "ssh-" in the payload, indicating the presence of an SSH client. If such traffic is detected, the rule triggers an alert. The rule is specifically crafted to identify SSH client activity on ports other than the standard SSH port.

NF – SSH connection established

this Snort rule is designed to detect SSH connections established from external networks to the internal network on the standard SSH port (port 22). If such a connection is established and occurs at least once within a 10-second window, the rule triggers an alert. The rule is crafted to identify SSH traffic based on the presence of the "SSH-" string in the payload.

ET SCAN Behavioral Unusual Port 1433 traffic Potential Scan or Infection

This rule detects unusual TCP traffic on port 1433, commonly associated with Microsoft SQL Server. Specifically, it looks for SYN packets coming from internal network addresses to any destination on port 1433 and triggers an alert if a certain threshold of such traffic is reached within a specific time frame. This kind of rule is often used to detect scanning behavior or potential infections targeting specific ports.

Modbus – Slave Device Busy Exception Code Delay

This Snort rule is crafted to detect specific byte sequences in Modbus TCP traffic, indicating a potential protocol violation or attack scenario related to Modbus communication. If packets matching this pattern are detected in the specified threshold, an alert will be triggered.

GPL SCAN SolarWinds IP scan attempt

A "GPL scan" is typically performed to ensure that the software being used or distributed complies with the GPL license terms. This scan involves analyzing the source code of the software to identify any GPL-licensed components or dependencies and to verify that the software is being distributed in compliance with the GPL requirements. the alert is triggering a potential malicious scan of the network

NF – Request for JPG file but sending binary file

The rule detects a scenario where an HTTP server responds to a request for a JPG file with a binary file that contains the string "This program cannot be run in DOS mode." This type of response may indicate that an exe was sent under a cover of a picture and might point on a malicius activity

NF – Request for PNG file but sending binary file

The rule detects a scenario where an HTTP server responds to a request for a JPG file with a binary file that contains the string "This program cannot be run in DOS mode." This type of response may indicate that an exe was sent under a cover of a picture and might point on a malicius activity

NF – POLICY – Windows XP making Internet connection – IE 8 – Company Policy Violation

The rule detects instances where a host on the internal network (Windows XP) is making an Internet connection using Internet Explorer 8 (IE 8) with a User-Agent header indicating Windows NT 5.1 (Windows XP). This activity is flagged as a potential company policy violation, possibly due to security concerns related to the use of outdated software and operating systems.