iSID Analyst Knowledge Base

Definitions, and additional context on iSID alerts along with helpful recommendations

Category: Radiflow

( 189 Alerts)

NF – POLICY – Covert iodine tunnel request

The rule detects covert iodine tunnel requests within DNS traffic. The rule helps identify potential unauthorized or covert communication channels using iodine tunnels.

NF – Policy – SMB2 connection containing CISF fileshare information – Check for external IP

The rule detects an SMB2 connection containing CISF fileshare information. The rule suggests checking for an external IP address involved in the communication.

NF – Generic – DNS Response 127.0.0.1 – Possible sinkholed domain – Check domain

The rule detects DNS responses containing the IP address 127.0.0.1. This rule is used to identify possible sinkholed domains, where malicious domains are intentionally resolved to the loopback address (127.0.0.1) to prevent further communication with malicious servers.

NF – Host name with IP address sending exe file

The rule detects HTTP responses containing an executable file (exe file) being served from a web server with a host name that includes an IP address. This could indicate potentially suspicious or malicious activity, as legitimate web servers typically use domain names in their host names, not IP addresses.

NF – NTPD Kiss-o’-Death – Peer Polling Interval 10

The rule detects NTPD (Network Time Protocol Daemon) Kiss-o'-Death packets with a peer polling interval of 10. NTPD Kiss-o'-Death packets are used to signal to an NTP server that it should stop sending time updates to the client for a specified interval. The rule can help identify potential NTP-related issues or attacks involving NTP servers and clients with specific polling intervals.

NF – EXPLOIT [PTsecurity] DoublePulsar Backdoor installation communication

The rule detects communication related to the installation of the DoublePulsar Backdoor, specifically looking for specific patterns and headers in the TCP payload. The DoublePulsar Backdoor is associated with the EternalBlue exploit and is a significant security threat that could lead to unauthorized access and control of vulnerable systems.

NF – ISAKMP VPN Connection setup from host to outbound destination – Windows XP

The rule detects ISAKMP VPN connection setups originating from the internal network to an outbound destination (EXTERNAL_NET), with a specific ISAKMP Initiator cookie value (00 00 00 03). The rule is intended to provide visibility into ISAKMP VPN connection attempts, particularly those related to Windows XP hosts, and assist in monitoring and securing VPN communication in the network.

Basic Auth Base64 HTTP Password detected unencrypted

The rule detects instances of unencrypted Basic Authentication (Base64-encoded) HTTP passwords being transmitted over the network. Basic Authentication is a simple method for sending credentials (username and password) over HTTP.

NF – ISAKMP VPN Connection setup from host to outbound destination – Windows 2000

The rule detects ISAKMP VPN connection setups originating from the internal network to an outbound destination (EXTERNAL_NET), with a specific ISAKMP Initiator cookie value (00 00 00 02). The rule is intended to provide visibility into ISAKMP VPN connection attempts, particularly those related to Windows 2000 hosts, and assist in monitoring and securing VPN communication in the network.

NF – ISAKMP VPN Connection setup from host to outbound destination – Windows 7 SP2 – Windows Server 2008 / 2008 R2

The rule detects ISAKMP VPN connection setups originating from the internal network to an outbound destination (EXTERNAL_NET), with a specific ISAKMP Initiator cookie value (00 00 00 08). The rule is intended to provide visibility into ISAKMP VPN connection attempts, particularly those related to Windows 7 SP2 - Windows Server 2008 / 2008 R2 hosts, and assist in monitoring and securing VPN communication in the network.