This alert is triggered when an internal host sends a UPnP request to another internal host on TCP port 2555. UPnP (Universal Plug and Play) is a set of networking protocols that lets devices discover one another on a network and set up services for data sharing and communication without manual configuration. This alert may be triggered when an internal host is scanning or probing other internal devices' UPnP services, which is unusual for typical internal network traffic. Identify the requesting host and check whether it has a legitimate reason to enumerate UPnP devices (a media server or a management tool, for example) before treating the traffic as reconnaissance.
This alert is triggered when an external host sends a UPnP request to an internal host on TCP port 2555. UPnP (Universal Plug and Play) is a set of networking protocols that lets devices discover one another on a network and set up services for data sharing and communication without manual configuration. This alert may be triggered when an external adversary or scanner is probing internal devices' UPnP services. UPnP is designed for use within a local network, so a request arriving from an external host means the service is reachable from outside, either directly or through a port-forwarding rule; confirm the perimeter rules for TCP 2555 and treat the request as suspicious.
This alert is triggered when a host that is not allowed to connect tries to connect to a MySQL server on the monitored network. MySQL is an open-source relational database management system. The rule matches the error the server returns in that case, "Host '...' is not allowed to connect to this MySQL server" (error 1130, ER_HOST_NOT_PRIVILEGED), which MySQL sends when no account grant permits the client's address. Because the match is on the server's reply, the MySQL server appears as the packet source and the rejected client as the destination; the destination is the host to investigate. This alert may be triggered when an adversary or unauthorized host attempts to access a MySQL database to which it has no permissions, but a newly deployed application server whose address has not yet been granted produces the same error, so check the grant tables before escalating.
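The following is an added example, not part of the original rule description: it decodes a MySQL wire packet, recognises the error packet described above by its error code or by its message text, and pulls out the client address the server names. The sample packets are constructed in the code (they are not captured traffic), and the decoder handles both the 4.1-style error packet that carries a '#'-prefixed SQLSTATE and the older layout without one, since a rejection sent before the handshake completes may omit the marker.

```python
import re
import struct

# MySQL error code for "Host '%s' is not allowed to connect to this MySQL server"
ER_HOST_NOT_PRIVILEGED = 1130
HOST_RE = re.compile(r"Host '([^']*)' is not allowed to connect to this MySQL server")


def parse_mysql_packet(data: bytes):
    """Split one MySQL wire packet into (sequence id, payload).

    The header is a 3-byte little-endian payload length followed by a
    1-byte sequence id. Returns None if the buffer is short or truncated.
    """
    if len(data) < 4:
        return None
    length = int.from_bytes(data[:3], "little")
    payload = data[4:4 + length]
    if len(payload) != length:
        return None
    return data[3], payload


def parse_err_packet(payload: bytes):
    """Decode an ERR packet (first payload byte 0xFF) or return None.

    Layout: 0xFF, 2-byte LE error code, optional '#' + 5-char SQLSTATE
    (present when the 4.1 protocol is negotiated), then the message text.
    """
    if len(payload) < 3 or payload[0] != 0xFF:
        return None
    code = struct.unpack_from("<H", payload, 1)[0]
    rest = payload[3:]
    sqlstate = None
    if rest[:1] == b"#" and len(rest) >= 6:
        sqlstate = rest[1:6].decode("ascii", "replace")
        rest = rest[6:]
    return {"code": code, "sqlstate": sqlstate, "message": rest.decode("utf-8", "replace")}


def rejected_host(data: bytes):
    """Return the client address named in a host-not-allowed error, else None.

    Matches on the error code and falls back to the message text, so a packet
    without the SQLSTATE marker is still recognised.
    """
    parsed = parse_mysql_packet(data)
    if parsed is None:
        return None
    err = parse_err_packet(parsed[1])
    if err is None:
        return None
    m = HOST_RE.search(err["message"])
    if err["code"] == ER_HOST_NOT_PRIVILEGED or m:
        return m.group(1) if m else "<unparsed>"
    return None


def build_err_packet(code: int, message: str, sqlstate=None, seq: int = 0) -> bytes:
    """Encode an ERR packet; used here only to construct sample input."""
    payload = b"\xff" + struct.pack("<H", code)
    if sqlstate is not None:
        payload += b"#" + sqlstate.encode("ascii")
    payload += message.encode("utf-8")
    return len(payload).to_bytes(3, "little") + bytes([seq]) + payload


# Constructed samples, not captured traffic.
SAMPLE_REJECT = build_err_packet(
    ER_HOST_NOT_PRIVILEGED,
    "Host '10.0.0.23' is not allowed to connect to this MySQL server",
    sqlstate="HY000",
)
SAMPLE_AUTH_FAIL = build_err_packet(
    1045, "Access denied for user 'root'@'10.0.0.23' (using password: YES)",
    sqlstate="28000", seq=2,
)
_GREETING_PAYLOAD = b"\x0a5.7.0\x00" + b"\x00" * 4  # protocol 10 greeting stub, not an ERR packet
SAMPLE_GREETING = len(_GREETING_PAYLOAD).to_bytes(3, "little") + b"\x00" + _GREETING_PAYLOAD

if __name__ == "__main__":
    print(rejected_host(SAMPLE_REJECT))     # 10.0.0.23
    print(rejected_host(SAMPLE_AUTH_FAIL))  # None: wrong password, not a host rejection
    print(rejected_host(SAMPLE_GREETING))   # None: a normal server greeting
```

Run against the server-to-client side of the conversation; the address returned is the client that needs a grant or an investigation, and an ordinary access-denied error (code 1045) is deliberately not matched because it indicates a different problem.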
This alert is triggered when detecting UDP traffic towards port 1434 (the Microsoft SQL Server Resolution Service) containing a specific content pattern suggesting the use of the NNG MS02-039 exploit false positive generator. MS02-039 is the Microsoft security bulletin covering buffer overruns in the SQL Server 2000 Resolution Service, the flaw later exploited by the SQL Slammer worm. The NNG tool referenced in this rule generates traffic that reproduces the exploit's signature without carrying a working exploit, which makes it useful for testing and validating IDS/IPS setups. This alert may be triggered when an adversary is attempting to distract or mislead the monitoring system by generating false positives, potentially concealing a genuine attack, or when a tester is deliberately exercising the sensor. In either case UDP 1434 should not be reachable from untrusted networks, so establish where the traffic originated.
This alert is triggered when detecting multiple MySQL 4.0 root login attempts from a single source, implying a possible brute force attack. MySQL is a widely used open-source relational database management system. The rule specifically checks for attempts to log in as the "root" user in the MySQL 4.0 client authentication packet format; a separate rule covers the 4.1 format, because MySQL 4.1 changed the client authentication protocol. This alert may be triggered when an adversary is attempting to gain unauthorized access to the MySQL database by brute-forcing the root account. The rule counts attempts rather than failures, so a misconfigured application retrying a root login in a loop can also fire it; and if root is not permitted to log in from remote hosts, every remote attempt is already a policy violation worth following up.
This alert is triggered when detecting multiple MySQL 4.1 root login attempts from a single source, implying a possible brute force attack. MySQL is a widely used open-source relational database management system. The rule specifically checks for attempts to log in as the "root" user in the MySQL 4.1 client authentication packet format, which differs from the 4.0 format matched by the companion rule. This alert may be triggered when an adversary is attempting to gain unauthorized access to the MySQL database by brute-forcing the root account. As with the 4.0 rule, attempts are counted regardless of outcome, so confirm from the server's responses or logs whether the logins actually failed.
This alert is triggered when detecting TCP traffic that matches a specific content pattern indicative of an Amap scan. Amap (Application Mapper) is a scanning tool designed to identify the application protocol listening on a port regardless of whether the port number is the standard one: it sends a series of protocol-specific trigger payloads to the port and matches the responses against a list of known banners. The rule matches one of those trigger payloads. This alert may be triggered when an adversary is performing reconnaissance on network services by identifying the application behind each open port, typically after a port scan has found them; expect the same source to hit several ports in quick succession.
This alert is triggered when detecting multiple FTP root login attempts from a single source, suggesting a possible brute force attack. FTP (File Transfer Protocol) is a standard internet protocol used to transfer files between a client and a server over a network. The rule checks for the username "root", the superuser account on Unix-like systems, in FTP login attempts. This alert may be triggered when an adversary is attempting to gain unauthorized access to the FTP server by brute-forcing the root account. Most FTP servers refuse root logins outright, so the attempts are unlikely to succeed, but they still identify a source that is actively attacking; note also that FTP sends credentials in cleartext, so any valid password tried here is exposed on the wire.
This alert is triggered when detecting multiple FTP Administrator login attempts from a single source, suggesting a possible brute force attack. FTP (File Transfer Protocol) is a standard internet protocol used to transfer files between a client and a server over a network. The rule checks for the username "Administrator", the built-in administrative account on Windows systems, in FTP login attempts. This alert may be triggered when an adversary is attempting to gain unauthorized access to the FTP server by brute-forcing the Administrator account. The rule matches the username as sent by the client regardless of whether the login succeeded, so correlate with the server's replies or logs to separate a failed brute force from a compromised account.
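The four threshold-style alerts above (MySQL 4.0 and 4.1 root, FTP root, FTP Administrator) share one detection idea: count privileged-account login attempts per source inside a time window and alert when the count is reached. The block below is an added example that implements that logic over constructed login events, not a rule from the original page, and it works at the event level rather than on the wire-format patterns the real rules match. It mirrors Snort's "threshold type both, track by_src, count N, seconds S" semantics, tracks each (source, service, username) separately, and shows the failure mode a practitioner should expect: attempts paced just outside the window never trip the threshold.

```python
from collections import defaultdict, deque

# Constructed sample authentication events, not real logs:
# (epoch seconds, source IP, service, username attempted)
EVENTS = [
    # six FTP "USER root" attempts in six seconds from one host
    (100, "10.0.0.5", "ftp", "root"),
    (101, "10.0.0.5", "ftp", "root"),
    (102, "10.0.0.5", "ftp", "root"),
    (103, "10.0.0.5", "ftp", "root"),
    (104, "10.0.0.5", "ftp", "root"),
    (105, "10.0.0.5", "ftp", "root"),
    # ordinary user traffic that the rule ignores
    (100, "10.0.0.9", "ftp", "alice"),
    (130, "10.0.0.9", "ftp", "alice"),
    # slow Administrator attempts, 30 s apart: never five inside a 60 s window
    (200, "10.0.0.5", "ftp", "Administrator"),
    (230, "10.0.0.5", "ftp", "Administrator"),
    (260, "10.0.0.5", "ftp", "Administrator"),
    (290, "10.0.0.5", "ftp", "Administrator"),
    (320, "10.0.0.5", "ftp", "Administrator"),
    (350, "10.0.0.5", "ftp", "Administrator"),
    # four MySQL root attempts: one short of the default count
    (400, "10.0.0.7", "mysql", "root"),
    (401, "10.0.0.7", "mysql", "root"),
    (402, "10.0.0.7", "mysql", "root"),
    (403, "10.0.0.7", "mysql", "root"),
]

PRIVILEGED_USERS = frozenset({"root", "Administrator"})


def detect_bruteforce(events, count=5, seconds=60, users=PRIVILEGED_USERS):
    """Sliding-window threshold tracked per (source, service, username).

    Mirrors Snort's 'threshold type both, track by_src, count N, seconds S':
    an alert fires when the N-th qualifying attempt lands inside an S-second
    window, then the window is reset so one burst yields one alert rather
    than one per packet. The window is half-open: an attempt exactly S
    seconds before the current one has already aged out.
    """
    windows = defaultdict(deque)
    alerts = []
    for ts, src, service, user in sorted(events):
        if user not in users:
            continue
        key = (src, service, user)
        q = windows[key]
        q.append(ts)
        while q and ts - q[0] >= seconds:
            q.popleft()
        if len(q) >= count:
            alerts.append({"time": ts, "src": src, "service": service,
                           "user": user, "attempts": len(q)})
            q.clear()
    return alerts


if __name__ == "__main__":
    for a in detect_bruteforce(EVENTS):
        print(a)  # one alert: root over ftp from 10.0.0.5 at t=104
    # A lower count catches the MySQL burst, but the paced Administrator
    # series still evades: the threshold is a tuning decision, not a fix.
    for a in detect_bruteforce(EVENTS, count=3):
        print(a)
```

With the default count of five the only alert is the FTP root burst; the Administrator series, spaced 30 seconds apart, never has more than two attempts in any 60-second window, which is exactly how a patient attacker stays under a threshold rule. Lowering the count to three catches the four-attempt MySQL burst but still not the paced series, so pair this kind of rule with server-side lockout or with longer-window counting on the log side.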