ET SCAN Behavioral Unusual Port 1433 traffic Potential Scan or Infection

This rule detects unusual TCP traffic on port 1433, the default listening port of Microsoft SQL Server. Specifically, it matches SYN packets (connection attempts; the flags:S,12 modifier ignores reserved bits 1 and 2, which ECN-capable stacks set on a SYN) sent from an address in $HOME_NET to any destination on TCP port 1433, and it raises an alert when a single source sends 40 or more such SYNs within 60 seconds. Because the threshold is type both and tracked by source, the alert fires at most once per source per 60-second window rather than on every packet. Note the direction: only sources inside $HOME_NET are counted, so a scan of port 1433 coming from the Internet does not trigger this signature. Rules of this kind are used to detect internal hosts scanning or sweeping the network for SQL Server instances, behaviour typical of malware that spreads via MSSQL and of an attacker moving laterally.

Categories:

ID Number

4000747

Signature

alert tcp $HOME_NET any -> any 1433 (msg:"ET SCAN Behavioral Unusual Port 1433 traffic Potential Scan or Infection"; flags: S,12; threshold: type both, track by_src, count 40 , seconds 60; metadata: former_category SCAN; reference:url,doc.emergingthreats.net/2001583; classtype:misc-activity; sid:4000747; rev:15; metadata:created_at 2010_07_30, updated_at 2017_05_11;)
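To make the firing behaviour of the signature above concrete, the following is an added example (plain Python, not Suricata or Emerging Threats code) that re-implements the match (tcp, $HOME_NET source, destination port 1433, flags:S,12) and the threshold: type both, track by_src, count 40, seconds 60 logic, then runs it over constructed packet records. It assumes $HOME_NET is the RFC 1918 ranges; the hosts, addresses and timings are invented for illustration.

```python
"""
Added example (not Suricata/ET code): re-implements the match and the
'threshold: type both, track by_src' logic of sid 4000747 and runs it over
constructed packet records. $HOME_NET is assumed to be RFC 1918 space.
"""
from ipaddress import ip_address, ip_network

HOME_NET = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
            ip_network("192.168.0.0/16")]        # assumption: $HOME_NET = RFC 1918
DST_PORT = 1433
COUNT, SECONDS_MS = 40, 60 * 1000               # count 40, seconds 60 (timestamps in ms)

# TCP flag bits
FIN, SYN, RST, PSH, ACK, URG, ECE, CWR = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80


def flags_match(flags):
    """flags:S,12 -> SYN must be the only flag set, ignoring reserved bits 1 and 2
    (today the ECN bits ECE/CWR), so an ECN-negotiating SYN still matches."""
    return (flags & ~(ECE | CWR)) == SYN


def packet_matches(pkt):
    """alert tcp $HOME_NET any -> any 1433 (flags:S,12; ...)"""
    return (pkt["proto"] == "tcp"
            and any(ip_address(pkt["src"]) in net for net in HOME_NET)
            and pkt["dport"] == DST_PORT
            and flags_match(pkt["flags"]))


class ThresholdBoth:
    """threshold: type both, track by_src, count N, seconds S.

    Per source, count matching packets inside an S-second window that starts at
    the first matching packet. Fire once when the count reaches N, then stay
    silent for that source until the window expires; the next matching packet
    after expiry opens a new window that can alert again.
    """

    def __init__(self, count, window_ms):
        self.count, self.window_ms = count, window_ms
        self.state = {}        # src -> [window_start, n_seen, already_alerted]

    def event(self, src, ts):
        st = self.state.get(src)
        if st is None or ts - st[0] >= self.window_ms:
            st = self.state[src] = [ts, 0, False]
        st[1] += 1
        if st[1] >= self.count and not st[2]:
            st[2] = True
            return True
        return False


def run_rule(packets, count=COUNT, window_ms=SECONDS_MS):
    """Feed packets through the rule in time order; return [(ts_ms, src), ...] alerts."""
    th = ThresholdBoth(count, window_ms)
    alerts = []
    for pkt in sorted(packets, key=lambda p: p["ts"]):
        if packet_matches(pkt) and th.event(pkt["src"], pkt["ts"]):
            alerts.append((pkt["ts"], pkt["src"]))
    return alerts


def constructed_traffic():
    """Synthetic packet records (constructed for this example, not captured data)."""
    def pkt(ts, src, dst, dport, flags):
        return {"ts": ts, "proto": "tcp", "src": src, "dst": dst, "dport": dport, "flags": flags}

    pkts = []
    # 1) Internal host sweeping 10.0.1.0/24 for SQL Server: 45 SYNs in 9 s, every
    #    other one with the ECN bits set (still counted because of ',12').
    for i in range(45):
        ecn = (ECE | CWR) if i % 2 == 0 else 0
        pkts.append(pkt(100_000 + i * 200, "10.0.0.5", f"10.0.1.{i + 1}", 1433, SYN | ecn))
    # 2) Same host, a second sweep 100 s later: a new window, hence a second alert.
    for i in range(40):
        pkts.append(pkt(200_000 + i * 200, "10.0.0.5", f"10.0.1.{100 + i}", 1433, SYN))
    # 3) An application server reconnecting to its database every 6 s: 10 SYNs per
    #    minute, well under the threshold, so no alert.
    for i in range(10):
        pkts.append(pkt(100_000 + i * 6_000, "10.0.0.9", "10.0.2.10", 1433, SYN))
    # 4) Data segments on those established sessions (PSH/ACK to port 1433): the
    #    port matches but flags:S does not, so they are never counted.
    for i in range(100):
        pkts.append(pkt(100_500 + i * 500, "10.0.0.9", "10.0.2.10", 1433, PSH | ACK))
    # 5) An Internet host scanning the same port: not in $HOME_NET, so this rule is
    #    silent; an inbound-scan signature would be needed for that direction.
    for i in range(50):
        pkts.append(pkt(100_000 + i * 100, "203.0.113.7", f"10.0.1.{i + 1}", 1433, SYN))
    return pkts


if __name__ == "__main__":
    for ts, src in run_rule(constructed_traffic()):
        print(f"{ts / 1000:.1f}s  ET SCAN Behavioral Unusual Port 1433 traffic from {src}")
```

Running it yields exactly two alerts, both for 10.0.0.5: one at the 40th SYN of the first sweep and one at the 40th SYN of the second sweep, with the remaining five SYNs of the first sweep absorbed by the already-alerted window. The application server, its data segments and the external scanner produce nothing. Lowering count (for example run_rule(pkts, count=10)) makes the application server trip the rule too, which is why tuning this signature by raising or lowering count affects every source at once.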

MITRE ATT&CK Technique

-

Severity

Low

Recommendations/Investigative actions

Identify the source and destination hosts and check whether SQL Server is installed on the destination, or whether the source runs software that legitimately opens many connections to SQL Server (application servers, monitoring or inventory agents, backup jobs). The rule sometimes triggers on the normal behaviour of such software; a known-good source is better excluded with a suppress entry in threshold.config (suppress gen_id 1, sig_id 4000747, track by_src, ip <source>) than by raising the count for every host. Search for related alerts involving the same source in the same time window: a burst of SYNs to TCP/1433 from an internal host can be an attempt at lateral movement against database servers. Because the rule only counts $HOME_NET sources, an Internet address will normally appear as the destination; if one of the IPs is on the Internet, check threat intelligence for any association with known malware.