this Snort rule is designed to detect VNC server responses in TCP traffic from external networks to the internal network on any port. If the specified patterns are found within the payload of an established TCP connection, the rule triggers an alert. The rule is crafted to identify VNC server responses based on specific content patterns in the payload.
this Snort rule is designed to detect ICMP packets with a payload size outside the range of 100 to 130 bytes. If such packets are detected and occur more than 50 times within a 10-second window for a specific destination IP address, the rule triggers an alert. The rule is specifically crafted to identify potential covert channels where the payload size is used as a covert communication mechanism.
this Snort rule is designed to detect TCP traffic on non-standard ports (ports other than 22) that contains the string "ssh-" in the payload, indicating the presence of an SSH client. If such traffic is detected, the rule triggers an alert. The rule is specifically crafted to identify SSH client activity on ports other than the standard SSH port.
this Snort rule is designed to detect SSH connections established from external networks to the internal network on the standard SSH port (port 22). If such a connection is established and occurs at least once within a 10-second window, the rule triggers an alert. The rule is crafted to identify SSH traffic based on the presence of the "SSH-" string in the payload.
This rule detects unusual TCP traffic on port 1433, commonly associated with Microsoft SQL Server. Specifically, it looks for SYN packets coming from internal network addresses to any destination on port 1433 and triggers an alert if a certain threshold of such traffic is reached within a specific time frame. This kind of rule is often used to detect scanning behavior or potential infections targeting specific ports.
This Snort rule is crafted to detect specific byte sequences in Modbus TCP traffic, indicating a potential protocol violation or attack scenario related to Modbus communication. If packets matching this pattern are detected in the specified threshold, an alert will be triggered.
A "GPL scan" is typically performed to ensure that the software being used or distributed complies with the GPL license terms. This scan involves analyzing the source code of the software to identify any GPL-licensed components or dependencies and to verify that the software is being distributed in compliance with the GPL requirements. the alert is triggering a potential malicious scan of the network
The rule detects a scenario where an HTTP server responds to a request for a JPG file with a binary file that contains the string "This program cannot be run in DOS mode." This type of response may indicate that an exe was sent under a cover of a picture and might point on a malicius activity
The rule detects a scenario where an HTTP server responds to a request for a JPG file with a binary file that contains the string "This program cannot be run in DOS mode." This type of response may indicate that an exe was sent under a cover of a picture and might point on a malicius activity
The rule detects instances where a host on the internal network (Windows XP) is making an Internet connection using Internet Explorer 8 (IE 8) with a User-Agent header indicating Windows NT 5.1 (Windows XP). This activity is flagged as a potential company policy violation, possibly due to security concerns related to the use of outdated software and operating systems.