iSID Analyst Knowledge Base

Definitions, and additional context on iSID alerts along with helpful recommendations

NF – SSH connection established

This Snort rule is designed to detect SSH connections established from external networks to the internal network on the standard SSH port (port 22). If such a connection is seen at least once within a 10-second window, the rule triggers an alert. The rule identifies SSH traffic based on the presence of the "SSH-" string in the payload.

NF – POLICY – SSH Client detected on non SSH standard port

This Snort rule is designed to detect TCP traffic on non-standard ports (ports other than 22) that contains the string "ssh-" in the payload, which indicates the presence of an SSH client. If such traffic is detected, the rule triggers an alert. The rule is specifically crafted to identify SSH client activity on ports other than the standard SSH port.

NF – ICMP Payload to big for normal use – Covert Channel

This Snort rule is designed to detect ICMP packets with a payload size outside the range of 100 to 130 bytes. If such packets are detected more than 50 times within a 10-second window for the same destination IP address, the rule triggers an alert. The rule is specifically crafted to identify potential covert channels where the payload size is used as a covert communication mechanism.
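The threshold logic described above, as an added illustration (not iSID's or Snort's own code): a small Python model of the rule's size check and per-destination detection filter, run over constructed ICMP traffic. The addresses, timestamps and payload sizes are hypothetical sample data.

```python
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass
class IcmpPacket:
    ts: float          # capture time in seconds
    src: str
    dst: str
    payload_len: int   # ICMP payload size in bytes


class DetectionFilter:
    """Sliding-window counter modelled on Snort's detection_filter keyword:
    fires once a tracked key (here the destination IP) has more than
    `count` matching packets inside any `seconds`-long window."""

    def __init__(self, count: int, seconds: float):
        self.count, self.seconds = count, seconds
        self.seen = defaultdict(deque)  # key -> timestamps still inside the window

    def hit(self, key: str, ts: float) -> bool:
        window = self.seen[key]
        window.append(ts)
        while window and ts - window[0] > self.seconds:
            window.popleft()          # drop packets older than the window
        return len(window) > self.count


def abnormal_payload(pkt: IcmpPacket, low: int = 100, high: int = 130) -> bool:
    """True when the payload size falls outside the 100-130 byte range the rule treats as normal."""
    return not low <= pkt.payload_len <= high


def covert_channel_alerts(packets, count=50, seconds=10):
    """Return (ts, dst) for every packet that would raise the covert-channel alert."""
    flt = DetectionFilter(count, seconds)
    return [(p.ts, p.dst) for p in packets
            if abnormal_payload(p) and flt.hit(p.dst, p.ts)]


def sample_capture():
    """Constructed traffic (hypothetical RFC 1918 addresses, not real data)."""
    burst = [IcmpPacket(i * 0.1, "10.0.0.2", "10.0.0.5", 1400) for i in range(60)]  # 60 oversized in 6 s
    normal = [IcmpPacket(i * 0.1, "10.0.0.3", "10.0.0.6", 120) for i in range(60)]  # in-range sizes
    slow = [IcmpPacket(i * 1.0, "10.0.0.4", "10.0.0.7", 8) for i in range(60)]      # 1/s, never >50 in 10 s
    return sorted(burst + normal + slow, key=lambda p: p.ts)


if __name__ == "__main__":
    for ts, dst in covert_channel_alerts(sample_capture()):
        print(f"{ts:6.1f}s  ICMP covert channel suspected -> {dst}")
```

Only the 51st and later oversized packets to 10.0.0.5 alert; the in-range pings and the slow one-per-second stream never cross the threshold, which is the behaviour the analyst should expect when triaging this alert.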

Modbus – Slave Device Busy Exception Code Delay

This Snort rule is crafted to detect specific byte sequences in Modbus TCP traffic, indicating a potential protocol violation or attack scenario related to Modbus communication. If packets matching this pattern are detected at the specified threshold, an alert is triggered.

MALWARE-OTHER PowerShell invocation with ExecutionPolicy Bypass attempt

This Snort rule searches for HTTP traffic, specifically looking for PowerShell commands utilizing "ExecutionPolicy Bypass". It could indicate an attempt to execute malicious scripts or commands bypassing security policies. When this activity is detected based on the specified conditions, an alert will be generated.