Suspicious Behaviors
These rules relate to detecting known threats and other suspicious network behaviors.
| Name | Rule | Description |
| --- | --- | --- |
| Detect Protocol Mismatch on Port | Flow_ProtoMismatchPort.lrl | Detects non-standard applications running on well-known ports (20, 21, 22, 25, 53, 80). |
| Detect Protocol Mismatch on Application | Flow_ProtoMismatchApp.lrl | Detects well-known applications (ftp, ssh, smtp, rdp) that are not running on their well-known ports. |
| Detect Curl Commands over Pastebin | Flow_PastebinCurl.lrl | Detects curl commands passed over pastebin. This vector is often used for command and control of exploits. |
| Classify Traffic Direction | Flow_IdentifyTrafficDirection.lrl | Enriches all flow data with a field indicating network traffic direction (ingress, egress, lateral). This rule does not raise alarms. You must enable it to use the Ingress Egress Traffic Dashboard. |
| Classify Top Level Domains | Flow_TopLevelDomain.lrl | Enriches HTTP session flow data with fields that split the request URL into its top-level domain, second-level domain, and FQDN. This rule does not raise alarms. You must enable it to use the Top Level Domain Dashboard. |