HTTPS connection attempt

This alert is triggered when an attempt is made to initiate a new HTTPS connection (TCP port 443) that does not complete the handshake. This could indicate potential scanning or probing activity aimed at identifying open HTTPS ports without establishing a full connection.

Categories:

ID Number

4999998

Signature

alert tcp any any -> any 443 (flow:not_established; msg:"HTTPS connection attempt"; sid:4999998; rev:1; threshold:type limit, track by_src, count 1, seconds 1200;)

Severity

High

Recommendations/Investigative actions

Find the device or IP making the incomplete HTTPS connection to assess if it’s expected or unauthorized. Consider blocking or limiting access from IPs with repeated incomplete connections to reduce the likelihood of potential probing or scanning.
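The following is an added example, not part of the original alert definition. It models the signature's threshold (type limit, track by_src, count 1, seconds 1200) in simplified form over constructed records of incomplete connections, showing that a source raises at most one alert per 1200-second window, so repeated attempts have to be counted from the underlying connection records. The record layout, the addresses and the min_attempts cutoff are assumptions.

```python
from collections import defaultdict

WINDOW = 1200  # seconds, from the signature's threshold
LIMIT = 1      # count, from the signature's threshold

# Constructed sample: (epoch_seconds, src_ip, dst_ip) of incomplete handshakes to 443.
EVENTS = [
    (0, "198.51.100.5", "192.0.2.10"),
    (3, "198.51.100.5", "192.0.2.11"),
    (7, "198.51.100.5", "192.0.2.12"),
    (60, "198.51.100.5", "192.0.2.13"),
    (100, "198.51.100.9", "192.0.2.10"),
    (200, "198.51.100.7", "192.0.2.10"),
    (900, "198.51.100.7", "192.0.2.10"),
    (1500, "198.51.100.5", "192.0.2.10"),
]

def apply_limit(events, window=WINDOW, limit=LIMIT):
    """Return the events that would alert under 'type limit, track by_src'."""
    state = {}  # src -> (window_start, alerts_in_window)
    alerts = []
    for ts, src, dst in sorted(events):
        start, n = state.get(src, (None, 0))
        if start is None or ts - start >= window:
            start, n = ts, 0          # window expired: start a new one
        if n < limit:
            alerts.append((ts, src, dst))
            n += 1
        state[src] = (start, n)
    return alerts

def summarize(events):
    """Per source: (raw attempts, distinct destinations, alerts raised)."""
    stats = defaultdict(lambda: [0, set(), 0])
    for _, src, dst in events:
        stats[src][0] += 1
        stats[src][1].add(dst)
    for _, src, _ in apply_limit(events):
        stats[src][2] += 1
    return {s: (a, len(d), n) for s, (a, d, n) in stats.items()}

def repeat_sources(events, min_attempts=3):
    """Sources with repeated incomplete connections, busiest first (assumed cutoff)."""
    rows = [(s, *v) for s, v in summarize(events).items() if v[0] >= min_attempts]
    return sorted(rows, key=lambda r: (-r[1], -r[2]))

if __name__ == "__main__":
    for src, attempts, dsts, alerts in repeat_sources(EVENTS):
        print(f"{src}: {attempts} attempts, {dsts} destinations, {alerts} alerts")
```
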