ET SCAN Suspicious inbound to PostgreSQL port 5432

This alert is triggered when detecting inbound communication from an external network to the database (DB) on port 5432 (PostgreSQL). This alert may be triggered when an adversary is attempting to gain initial access to the DB or is attempting to read or write data to the DB.

Categories:

ID Number

4000756

Signature

alert tcp $EXTERNAL_NET any -> $HOME_NET 5432 (msg:"ET SCAN Suspicious inbound to PostgreSQL port 5432"; flow:to_server; flags:S; threshold: type limit, count 5, seconds 60, track by_src; metadata: former_category POLICY; reference:url,doc.emergingthreats.net/2010939; classtype:bad-unknown; sid:4000756; rev:3; metadata:created_at 2010_07_30, updated_at 2018_03_27;)

MITRE ATT&CK Technique

-

Severity

Low

Recommendations/Investigative actions

It is recommended to disable all external communications to the DB, Disable PostgreSQL port 5432. If there is a need to allow external access to the DB, enable access to specific assets.