iSID Analyst Knowledge Base

Definitions and additional context on iSID alerts, along with helpful recommendations

NF – USER_AGENTS Suspicious Mozilla User-Agent Likely Fake (Mozilla/5.0)

This alert is triggered when an HTTP request with a suspicious "Mozilla/5.0" User-Agent header is detected. This User-Agent string might be used by fake or malicious clients and is flagged if it doesn’t match typical patterns or known safe domains.

SERVER-OTHER OpenSSL OCSP Status Request Extension denial of service attempt

This alert is triggered when an attempt to exploit CVE-2016-6304, a denial-of-service vulnerability in OpenSSL's OCSP Status Request extension, is identified. This is indicated by a high volume of OCSP (Online Certificate Status Protocol) requests sent to an internal server over HTTP.

NF – POLICY – AnyDesk Client – Outbound Connection – TLS client keyx

This alert is triggered when an AnyDesk client attempts an outbound connection over TLS (port 443). AnyDesk is a remote desktop application that a malicious actor may use to gain access to the network or exfiltrate data from it.

NF – Bad TLD domain – win DNS query – Check domains

This alert is triggered when a DNS query from the internal network attempts to resolve a domain ending in .win. This TLD is commonly used for games and is sometimes linked to suspicious or malicious activity.

NF – Outbound mail setup command HELO

This alert is triggered when an outbound email connection is made from the internal network and the "HELO" command is used to initiate the SMTP conversation. HELO is a normal part of SMTP session setup, but its use from an internal host may indicate unauthorized outbound email activity, especially in restricted environments.
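The following is an added example, not iSID code, showing how the conditions behind four of the alerts above (bare "Mozilla/5.0" User-Agent, .win DNS query, outbound HELO, and a burst of OCSP requests to an internal server) can be expressed as triage rules and run over constructed sample records. The record format, the 10.0.0.0/8 internal range, the allow-list, and the OCSP threshold and window are assumptions for the example.

```python
import ipaddress
from collections import defaultdict, deque

INTERNAL = [ipaddress.ip_network("10.0.0.0/8")]     # assumed site address plan
SAFE_HOSTS = {"intranet.example.com"}               # assumed allow-list of known hosts

# Constructed sample records (not iSID's own log format): one dict per event.
SAMPLE = [
    {"ts": 100, "src": "10.0.0.5", "dst": "93.184.216.34", "proto": "http",
     "host": "example.com", "ua": "Mozilla/5.0"},
    {"ts": 101, "src": "10.0.0.5", "dst": "93.184.216.34", "proto": "http",
     "host": "example.com", "ua": "Mozilla/5.0 (Windows NT 10.0) Firefox/120.0"},
    {"ts": 102, "src": "10.0.0.7", "dst": "10.0.0.53", "proto": "dns", "qname": "cdn.update.win."},
    {"ts": 103, "src": "10.0.0.7", "dst": "10.0.0.53", "proto": "dns", "qname": "www.example.com"},
    {"ts": 104, "src": "10.0.0.9", "dst": "198.51.100.25", "proto": "smtp", "cmd": "HELO"},
    {"ts": 105, "src": "10.0.0.9", "dst": "10.0.0.25", "proto": "smtp", "cmd": "HELO"},
] + [  # five OCSP status requests to an internal server within ten seconds
    {"ts": 200 + i, "src": "203.0.113.8", "dst": "10.0.0.10", "proto": "http",
     "host": "ocsp.internal", "ua": "curl/8.0", "uri": "/ocsp"} for i in range(5)
]

def is_internal(ip):
    return any(ipaddress.ip_address(ip) in net for net in INTERNAL)

def fake_mozilla_ua(rec):
    # A bare "Mozilla/5.0" with no platform or product tokens is not what real browsers send.
    return rec.get("proto") == "http" and rec.get("ua", "").strip() == "Mozilla/5.0" \
        and rec.get("host") not in SAFE_HOSTS

def bad_tld(rec):
    return rec.get("proto") == "dns" and rec.get("qname", "").lower().rstrip(".").endswith(".win")

def outbound_helo(rec):
    return rec.get("proto") == "smtp" and rec.get("cmd") == "HELO" and not is_internal(rec["dst"])

def triage(records, ocsp_threshold=4, window=10):
    """Return (rule, ts, src) tuples; the OCSP rule uses a per-source sliding window."""
    alerts, recent = [], defaultdict(deque)
    for rec in sorted(records, key=lambda r: r["ts"]):
        if fake_mozilla_ua(rec):
            alerts.append(("fake_mozilla_ua", rec["ts"], rec["src"]))
        if bad_tld(rec):
            alerts.append(("bad_tld_win", rec["ts"], rec["src"]))
        if outbound_helo(rec):
            alerts.append(("outbound_helo", rec["ts"], rec["src"]))
        if rec.get("uri") == "/ocsp" and is_internal(rec["dst"]):
            q = recent[rec["src"]]
            q.append(rec["ts"])
            while q and rec["ts"] - q[0] > window:   # drop requests outside the window
                q.popleft()
            if len(q) == ocsp_threshold:             # fire once when the threshold is crossed
                alerts.append(("ocsp_flood", rec["ts"], rec["src"]))
    return alerts
```

Running triage(SAMPLE) yields one alert per rule: the bare User-Agent at ts=100, the .win query at ts=102, the external HELO at ts=104, and the OCSP burst once the fourth request arrives at ts=203; the well-formed browser UA, the .com query and the internal HELO are left alone.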