ET SCAN Potential VNC Scan 5800-5820

This alert is triggered when detecting communication on ports 5800-5820 from an external source. Ports 5800-5820 are used by the virtual network computing service (VNC), which creates a screen-sharing system opening the network to remote communication. This alert may be triggered when an adversary is attempting to scan the network or gain initial access.

Categories:

ID Number

4000716

Signature

alert tcp $EXTERNAL_NET any -> $HOME_NET 5800:5820 (msg:"ET SCAN Potential VNC Scan 5800-5820"; flags:S,12; threshold: type both, track by_src, count 5, seconds 60; reference:url,doc.emergingthreats.net/2002910; classtype:attempted-recon; sid:4000716; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

MITRE ATT&CK Technique

-

Severity

Low

Recommendations/Investigative actions

It is recommended to limit VNC communication from external networks. If there is no use of VNC, it's recommended to disable the communication.

Comments

There are 6 rules all detecting an attempt to exploit the Bash Shellshock vulnerability over HTTP, but they each look for specific attack patterns in different parts of the HTTP request.