This alert is triggered when detecting UDP traffic towards port 1434 (typically associated with Microsoft SQL Server) containing a specific content pattern suggesting the use of the NNG MS02-039 exploit false positive generator. MS02-039 is a Microsoft security bulletin related to buffer overflows in SQL Server 2000. The NNG tool referenced in this rule can be used to generate traffic patterns that mimic the exploit, this tool can be used for testing and validating the IDS/IPS setups. This alert may be triggered when an adversary is attempting to distract or mislead the monitoring system by generating false positives, potentially concealing a genuine attack.
This alert is triggered when detecting multiple FTP Administrator login attempts from a single source, suggesting a possible brute force attack. FTP (File Transfer Protocol) is a standard internet protocol used to transfer files between a client and a server over a network. The rule checks for the use of the username "Administrator" in login attempts, which is the superuser account in many systems. This alert may be triggered when an adversary is attempting to gain unauthorized access to the FTP server by trying to brute-force the Administrator account.
This alert is triggered when detecting multiple FTP root login attempts from a single source, suggesting a possible brute force attack. FTP (File Transfer Protocol) is a standard internet protocol used to transfer files between a client and a server over a network. The rule checks for the use of the username "root" in login attempts, which is the superuser account in many systems. This alert may be triggered when an adversary is attempting to gain unauthorized access to the FTP server by trying to brute-force the root account.
This alert is triggered when detecting TCP traffic that matches a specific content pattern indicative of an Amap scan. Amap is a scanning tool that is designed to identify application protocols running on non-standard ports. It attempts to determine what application is listening behind a given port. This alert may be triggered when an adversary is attempting to perform reconnaissance on network services by identifying the underlying application protocol of open ports.