iSID Analyst Knowledge Base

Definitions and additional context on iSID alerts, along with helpful recommendations

NF – HTTP traffic on port 443 (HEAD)

This alert is triggered when HTTP traffic using the "HEAD" request method is sent over port 443, which is typically reserved for HTTPS traffic. This may indicate an unusual or suspicious use of HTTP on an encrypted port.

ET SCAN MS Terminal Server Traffic on Non-standard Port

This alert is triggered when traffic associated with Microsoft Terminal Server (RDP) is detected on a non-standard port (any port other than 3389). Such activity could indicate an attempt to avoid standard RDP detection, possibly as part of reconnaissance or unauthorized access efforts.

NF – POLICY – Remote Desktop connection request on non-standard port

This alert is triggered when a Remote Desktop Protocol (RDP) connection is attempted from an external network to the internal network on a non-standard port (any port other than 3389). This may indicate an attempt to bypass standard RDP monitoring or restrictions.

NF – Outbound mail setup command EHLO

This alert is triggered when an outbound SMTP connection is made from the internal network, and the email client sends the "EHLO" command to initiate communication. This command is typically used in setting up an email connection but may be flagged in networks where outbound email should be restricted.

NF – Bad TLD domain – download DNS query – Check domains

This alert is triggered when a DNS query from the internal network attempts to resolve a domain ending in the .download top-level domain, which is sometimes linked to phishing activity.
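As an added illustration, not iSID's own rule logic, the trigger conditions of the five alerts above expressed as a small classifier over constructed flow records. The Flow record shape, the internal address ranges and the sample flows are assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass

# Assumed internal address space (placeholder; in a deployment this comes from the configured network map).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

@dataclass
class Flow:
    """One flow as a DPI engine might summarise it (hypothetical record shape)."""
    src: str
    dst: str
    dport: int
    proto: str          # application protocol identified by DPI: http, rdp, smtp, dns
    detail: str = ""    # HTTP method, SMTP command line, or DNS query name

def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def match_alerts(f: Flow) -> list[str]:
    """Return the names of the alerts above whose trigger conditions this flow meets."""
    hits = []
    if f.proto == "http" and f.dport == 443 and f.detail.upper() == "HEAD":
        hits.append("NF – HTTP traffic on port 443 (HEAD)")
    if f.proto == "rdp" and f.dport != 3389:
        hits.append("ET SCAN MS Terminal Server Traffic on Non-standard Port")
        # The POLICY variant additionally requires an external source reaching an internal host.
        if not is_internal(f.src) and is_internal(f.dst):
            hits.append("NF – POLICY – Remote Desktop connection request on non-standard port")
    if (f.proto == "smtp" and is_internal(f.src) and not is_internal(f.dst)
            and f.detail.upper().startswith("EHLO")):
        hits.append("NF – Outbound mail setup command EHLO")
    if f.proto == "dns" and is_internal(f.src) and f.detail.rstrip(".").lower().endswith(".download"):
        hits.append("NF – Bad TLD domain – download DNS query – Check domains")
    return hits

# Constructed sample flows (not real traffic); the .download name is a placeholder.
SAMPLE_FLOWS = [
    Flow("10.1.2.3", "203.0.113.10", 443, "http", "HEAD"),
    Flow("198.51.100.7", "10.1.2.50", 3390, "rdp"),
    Flow("10.1.2.3", "10.1.2.60", 3389, "rdp"),
    Flow("10.1.2.3", "203.0.113.25", 25, "smtp", "EHLO mail.example.test"),
    Flow("10.1.2.3", "10.1.2.1", 53, "dns", "update.example.download."),
]

def triage(flows=SAMPLE_FLOWS) -> dict[int, list[str]]:
    """Map each flow's index to the alerts it raises; flows raising nothing are omitted."""
    return {i: a for i, f in enumerate(flows) if (a := match_alerts(f))}
```

The internal-to-internal RDP flow on 3389 (index 2) raises nothing, showing that both RDP rules hinge on the non-standard port rather than on RDP itself.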