ET SCAN Behavioral Unusual Port 135 traffic Potential Scan or Infection

This alert is triggered when communication on port 135 is detected between devices in the network. Port 135 is used by the Remote Procedure Call (RPC) service, which lets other systems identify which services are available on an asset and which ports they use. Communication on port 135 can be an indication of potential scanning of the network by an adversary.

Categories:

ID Number

4000745

Signature

alert tcp $HOME_NET any -> any 135 (msg:"ET SCAN Behavioral Unusual Port 135 traffic Potential Scan or Infection"; flags: S,12; threshold: type both, track by_src, count 70 , seconds 60; metadata: former_category SCAN; reference:url,doc.emergingthreats.net/2001581; classtype:misc-activity; sid:4000745; rev:14; metadata:created_at 2010_07_30, updated_at 2017_05_11;)

MITRE ATT&CK Technique

-

Severity

Low

Recommendations/Investigative actions

Check whether this communication comes from a legitimate service in your network; there may be a service that uses this port. Block all communication on this port, except for legitimate services that need it.
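
To support the check above, this added example (not part of the original rule page or of the rule's authors) replays flow records through a simplified model of the signature's threshold, 70 SYNs to port 135 from one source within 60 seconds, and reports how many distinct destinations each alerting source contacted. The record layout, the function names and the sample addresses are assumptions constructed for illustration.

```python
# Threshold values copied from the signature: count 70, seconds 60, track by_src.
COUNT, SECONDS, PORT = 70, 60, 135

def replay(events):
    """Replay time-ordered (ts, src, dst, dport, flags) records.

    Simplified model of 'threshold: type both': per source, count matching
    SYNs in a window that opens at the first match, alert once when the
    count is reached, then stay silent until the window expires.
    """
    windows, alerts = {}, []
    for ts, src, dst, dport, flags in events:
        # flags:S,12 -> SYN set with the two reserved bits ignored; the
        # assumed record format writes such a bare SYN as "S".
        if dport != PORT or flags != "S":
            continue
        w = windows.get(src)
        if w is None or ts - w["start"] >= SECONDS:
            w = windows[src] = {"src": src, "start": ts, "syns": 0,
                                "dsts": set(), "alert_ts": None}
        w["syns"] += 1
        w["dsts"].add(dst)
        if w["syns"] == COUNT:
            w["alert_ts"] = ts
            alerts.append(w)  # same dict keeps filling until the window closes
    return alerts

def triage(alerts):
    """Distinct destinations per alerting source: many suggests a sweep,
    one suggests a single busy client/server pair worth confirming."""
    return {a["src"]: len(a["dsts"]) for a in alerts}

def sample_events():
    """Constructed flow records, not captured traffic."""
    ev = []
    for i in range(90):   # 10.0.0.5: 90 SYNs to 90 hosts in 45 s
        ev.append((i * 0.5, "10.0.0.5", f"10.0.1.{i + 1}", 135, "S"))
    for i in range(80):   # 10.0.0.9: 80 SYNs to one server in 40 s
        ev.append((i * 0.5, "10.0.0.9", "10.0.0.2", 135, "S"))
    for i in range(69):   # 10.0.0.7: one SYN short of the threshold
        ev.append((i * 0.8, "10.0.0.7", f"10.0.2.{i + 1}", 135, "S"))
    for i in range(100):  # 10.0.0.8: 100 SYNs, but only 30 per 60 s window
        ev.append((i * 2.0, "10.0.0.8", f"10.0.3.{i + 1}", 135, "S"))
    return sorted(ev)

if __name__ == "__main__":
    for src, fanout in triage(replay(sample_events())).items():
        print(f"{src}: threshold reached, {fanout} distinct destinations on port {PORT}")
```

A source that reaches the threshold against a single destination is a candidate for the "legitimate service" case above, while one that spreads across many destinations warrants closer investigation.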