iSID Analyst Knowledge Base

Definitions and additional context on iSID alerts, along with helpful recommendations

PROTOCOL-SNMP request udp

This alert is triggered when an external source sends an SNMP getbulk request to an internal Windows server on UDP port 161. This behavior may be associated with attempts to gather large amounts of SNMP data, potentially exploiting CVE-2006-5583, a known vulnerability in Windows SNMP services.

OS-WINDOWS Microsoft Windows getbulk request attempt

This alert is triggered when an external source sends an SNMP getbulk request to an internal Windows server on UDP port 161. This behavior may be associated with attempts to gather network information, potentially as part of reconnaissance or exploiting CVE-2002-0013 and CVE-2002-0012, known vulnerabilities in Windows SNMP services.
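Both SNMP alerts above key on the same observable: a GetBulkRequest PDU arriving on UDP/161 at an internal host from an external source. The following is an added example, not iSID or Snort code, that decodes just enough BER to recover the SNMP version, community string, PDU type and (for getbulk) the max-repetitions value, and flags the external-to-internal case. The RFC 1918 ranges standing in for "internal", the sample packet, and the function names are assumptions made for the example.

```python
# Added example (not iSID code): decode the SNMP PDU type from a UDP/161 payload
# and flag external -> internal GetBulkRequests, the pattern both alerts describe.
import ipaddress

# Assumption: RFC 1918 ranges stand in for the "internal" side of the sensor.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# SNMP PDU tags (context-specific, constructed) as defined in RFC 3416.
PDU_NAMES = {0xa0: "GetRequest", 0xa1: "GetNextRequest", 0xa2: "Response",
             0xa3: "SetRequest", 0xa5: "GetBulkRequest", 0xa6: "InformRequest",
             0xa7: "SNMPv2-Trap", 0xa8: "Report"}

def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def ber_tlv(buf, pos):
    """Read one BER tag/length/value at buf[pos]; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long-form length: next n bytes hold it
        n = length & 0x7f
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def parse_snmp(payload):
    """Minimal SNMPv1/v2c message decoder: version, community, PDU type, bulk parameters."""
    tag, msg, _ = ber_tlv(payload, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message (outer SEQUENCE missing)")
    _, ver, p = ber_tlv(msg, 0)             # INTEGER version (0 = v1, 1 = v2c)
    _, community, p = ber_tlv(msg, p)       # OCTET STRING community
    pdu_tag, pdu, _ = ber_tlv(msg, p)       # PDU, tag identifies the operation
    info = {"version": int.from_bytes(ver, "big"),
            "community": community.decode("ascii", errors="replace"),
            "pdu": PDU_NAMES.get(pdu_tag, "unknown-0x%02x" % pdu_tag)}
    if pdu_tag == 0xa5:                     # GetBulk carries non-repeaters / max-repetitions
        _, _, q = ber_tlv(pdu, 0)           # request-id
        _, nonrep, q = ber_tlv(pdu, q)
        _, maxrep, _ = ber_tlv(pdu, q)
        info["non_repeaters"] = int.from_bytes(nonrep, "big")
        info["max_repetitions"] = int.from_bytes(maxrep, "big")
    return info

def check_snmp_packet(src, dst, dport, payload):
    """Return an alert dict for an external->internal GetBulkRequest on UDP/161, else None."""
    if dport != 161 or is_internal(src) or not is_internal(dst):
        return None
    info = parse_snmp(payload)
    if info["pdu"] != "GetBulkRequest":
        return None
    return {"alert": "external SNMP getbulk to internal host",
            "src": src, "dst": dst, **info}

def ber(tag, value):
    """Short-form BER encoder, used only to build the constructed sample below."""
    assert len(value) < 128
    return bytes([tag, len(value)]) + value

# Constructed sample: SNMPv2c GetBulkRequest for 1.3.6.1.2.1 with max-repetitions 100.
SAMPLE_GETBULK = ber(0x30,
    ber(0x02, b"\x01") +                    # version 1 == SNMPv2c
    ber(0x04, b"public") +                  # community string
    ber(0xa5,                               # GetBulkRequest PDU
        ber(0x02, b"\x2a") +                # request-id 42
        ber(0x02, b"\x00") +                # non-repeaters 0
        ber(0x02, b"\x64") +                # max-repetitions 100
        ber(0x30, ber(0x30, ber(0x06, b"\x2b\x06\x01\x02\x01") + ber(0x05, b"")))))

if __name__ == "__main__":
    print(check_snmp_packet("203.0.113.7", "10.1.2.3", 161, SAMPLE_GETBULK))
```

The max-repetitions value is worth surfacing in the alert: a large value on a single getbulk is what turns one request into the "large amounts of SNMP data" the first alert describes, and it separates a noisy monitoring poll from a deliberate bulk walk.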

PROTOCOL-ICMP PING Windows

This alert is triggered when an ICMP echo request (ping) with a specific payload pattern, commonly associated with Windows systems, is sent from an external network to an internal network. This may indicate network scanning or probing activity.

NF – POLICY – Outbound SMB – Connection attempt

This alert is triggered when an outbound connection attempt is made from an internal network device to an external server over SMB (ports 139 or 445). Outbound SMB traffic may expose internal resources to external threats or be exploited for data exfiltration.

NF – Generic – Large number of NXDOMAIN replies

This alert is triggered when a large number of NXDOMAIN responses (non-existent domain replies) are received from external DNS servers. A high frequency of NXDOMAIN replies may indicate malicious activity such as DNS tunneling or reconnaissance.
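The two NF alerts above (outbound SMB connection attempts and bursts of NXDOMAIN replies) are both direction-aware policy checks that a defender can reproduce over flow and DNS logs. The following is an added example, not iSID code, that runs both checks over constructed records. The RFC 1918 "internal" definition, the record formats, the sample data and the threshold of five NXDOMAIN replies are all assumptions made for the example; the threshold in particular has to be tuned to the environment's normal rate of failed lookups.

```python
# Added example (not iSID code): two direction-aware checks over constructed records,
# one for outbound SMB from internal hosts, one for NXDOMAIN bursts from external resolvers.
from collections import Counter
import ipaddress

# Assumption: RFC 1918 ranges stand in for the "internal" side of the sensor.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
SMB_PORTS = {139, 445}
NXDOMAIN_THRESHOLD = 5      # assumed threshold; tune to the environment's baseline

def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

# Constructed flow records: (src, dst, proto, dport)
FLOWS = [
    ("10.0.0.5",    "10.0.0.20",    "tcp", 445),   # internal file-share traffic: expected
    ("10.0.0.5",    "198.51.100.9", "tcp", 445),   # outbound SMB to external host: policy hit
    ("10.0.0.7",    "198.51.100.9", "tcp", 443),   # HTTPS: not SMB
    ("10.0.0.7",    "198.51.100.9", "tcp", 139),   # outbound NetBIOS session: policy hit
    ("203.0.113.4", "10.0.0.5",     "tcp", 139),   # inbound: matter for a different rule
]

def outbound_smb(flows):
    """Flows where an internal source opens SMB/NetBIOS-session (139/445) to an external host."""
    return [f for f in flows
            if f[2] == "tcp" and f[3] in SMB_PORTS
            and is_internal(f[0]) and not is_internal(f[1])]

# Constructed DNS reply log, one reply per line: "client dns_server qname rcode"
DNS_LOG = """\
10.0.0.5 8.8.8.8 www.example.com NOERROR
10.0.0.5 8.8.8.8 typo.exmaple.com NXDOMAIN
10.0.0.9 8.8.8.8 k3v9qz.example.net NXDOMAIN
10.0.0.9 8.8.8.8 p0d7xa.example.net NXDOMAIN
10.0.0.9 8.8.8.8 m2n8rt.example.net NXDOMAIN
10.0.0.9 8.8.8.8 w5b1hc.example.net NXDOMAIN
10.0.0.9 8.8.8.8 z9e4lq.example.net NXDOMAIN
10.0.0.9 10.0.0.53 printer.corp.local NXDOMAIN
"""

def nxdomain_bursts(log, threshold=NXDOMAIN_THRESHOLD):
    """Count NXDOMAIN replies per client that came from external DNS servers; flag clients at or over threshold."""
    counts = Counter()
    for line in log.splitlines():
        client, server, _qname, rcode = line.split()
        if rcode == "NXDOMAIN" and not is_internal(server):   # replies from internal resolvers are not counted
            counts[client] += 1
    return {client: n for client, n in counts.items() if n >= threshold}

if __name__ == "__main__":
    for f in outbound_smb(FLOWS):
        print("outbound SMB:", f)
    print("NXDOMAIN bursts:", nxdomain_bursts(DNS_LOG))
```

In the sample data only the single-occurrence typo lookup from 10.0.0.5 stays below threshold; 10.0.0.9's run of random-looking labels with no resolution crosses it, while its NXDOMAIN from the internal resolver 10.0.0.53 is deliberately excluded because the alert is scoped to replies from external DNS servers. For a real deployment the count should be taken over a sliding time window rather than the whole log.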