The rule detects ISAKMP VPN connection setups originating from the internal network to an outbound destination (EXTERNAL_NET), with a specific ISAKMP Initiator cookie value (00 00 00 05). The rule is intended to provide visibility into ISAKMP VPN connection attempts, particularly those related to Windows Vista hosts, and assist in monitoring and securing VPN communication in the network.
The rule detects UDP traffic containing a "Classic-STUN Binding Request" message associated with the Dyre malware. Dyre is a trojan that targets financial institutions and is known for its credential-stealing capabilities (www.secureworks.com/cyber-threat-intelligence/threats/dyre-banking-trojan).
The rule detects ICMP Echo Reply packets with a payload size larger than 100 bytes. ICMP Echo Reply packets are typically responses to ICMP Echo (Ping) requests, and a larger payload in such responses may indicate potential abnormal or suspicious behavior, which could be worth investigating.
The rule detects ICMP Echo Request packets with a payload size larger than 100 bytes. ICMP Echo Request packets are typically used to check the reachability of a host and a larger payload in such requests may indicate potential abnormal or suspicious behavior, which could be worth investigating.
The rule is related to Siemens S7 communication protocol, which is used for communication with Siemens PLCs. Each command serves a specific purpose in interacting with the PLC. "S7 - Upload" command is used to transfer data from the PLC to the client as part of an upload process. This could include PLC program code, data blocks, or other configurations.
The rule is related to Siemens S7 communication protocol, which is used for communication with Siemens PLCs. Each command serves a specific purpose in interacting with the PLC. "S7 Setup communication" command is typically sent at the beginning of the communication session between the client and the PLC to establish communication parameters, such as the communication mode, data format, and other settings necessary for successful data exchange.
The rule detects TCP traffic containing specific byte sequences in the payload that correspond to a Connection Request (CR) Connect Request. This rule could be useful for monitoring and detecting certain types of communication attempts related to Siemens SIMATIC S7 devices or systems using the CR protocol.
The rule is related to Siemens S7 communication protocol, which is used for communication with Siemens PLCs. Each command serves a specific purpose in interacting with the PLC. "S7 - Read SZL ID=0x001c" command requests the PLC to return the system data with ID 0x001c. The ID refers to a specific data record in the SZL area that contains predefined data.
The rule is related to Siemens S7 communication protocol, which is used for communication with Siemens PLCs. Each command serves a specific purpose in interacting with the PLC. "S7 - Request Security functions/Set PLC session password" command initiates the setup of security functions or allows setting a password for the PLC session. It is used to enable security features in the communication between the client (e.g., HMI, SCADA system) and the PLC to protect against unauthorized access or tampering.
The rule is related to Siemens S7 communication protocol, which is used for communication with Siemens PLCs. Each command serves a specific purpose in interacting with the PLC. "S7 - Start upload" command signals the beginning of an upload process from the PLC. It prepares the PLC to send specific data (e.g., program code, configuration) to the client (e.g., programming tool) during the upload.