SIP EVENT EMPTY REQUEST URI
AM SCAN RDP bruteforce attempt failed logons
AM POLICY RDP session ended with RST
ET POLICY SMB2 NT Create AndX Request For an Executable File
ET POLICY Command Shell Activity Over SMB - Possible Lateral Movement
ET SCAN Potential SSH Scan
ET POLICY SMB2 NT Create AndX Request For a .bat File
ET POLICY GNU/Linux APT User-Agent Outbound likely related to package management
ET DNS Query for .to TLD
ET POLICY Vulnerable Java Version 1.8.x Detected
AM Exploit Oracle BEA WebLogic Server Plug-ins Certificate Buffer Overflow attack
ET SCAN Sipvicious User-Agent Detected (friendly-scanner)
ET SCAN Sipvicious Scan
ET SCAN Behavioral Unusually fast Terminal Server Traffic Potential Scan or Infection (Inbound)
ET P2P Edonkey Connect Request
ET USER_AGENTS Microsoft Dr Watson User-Agent (MSDW)
ET INFO Observed DNS Query to .biz TLD
ET POLICY Python-urllib/ Suspicious User Agent
AM CURRENT_EVENTS IPv6 SLAAC Attack possible
AM TROJAN Possible Trojan.Tinba DGA NXDOMAIN Responses (net)
AM CURRENT_EVENTS Rails Path Traversal(Request)
AM Exploit Possible Kodi Web Server Remote DOS
ET DNS Query for .cc TLD
AM INFO Self Signed Certificate Retrieved
ET INFO Observed DNS Query to .world TLD
ET INFO Generic IOT Downloader Malware in GET (Inbound)
ET WEB_SERVER ThinkPHP RCE Exploitation Attempt
ET INFO Observed DNS Query to .cloud TLD
AM Exploit Apache Struts 2.3.0 < 2.3.32 / 2.5.0 < 2.5.10 RCE
ET INFO Windows OS Submitting USB Metadata to Microsoft
ET INFO Packed Executable Download
AM TROJAN Suspicious CAPSed Host header
ET DOS Possible NTP DDoS Inbound Frequent Un-Authed MON_LIST Requests IMPL 0x03
ET P2P Bittorrent P2P Client User-Agent (uTorrent)
ET POLICY Incoming Basic Auth Base64 HTTP Password detected unencrypted
GPL WEB_SERVER DELETE attempt
ET P2P BitTorrent DHT ping request
AM USER_AGENTS Suspicious User-Agent - Possible dirb
ET P2P Vuze BT UDP Connection (5)
ET EXPLOIT Oracle WebLogic - wls-wsat Component Deserialization Remote Code Execution Windows
ET EXPLOIT Possible Citrix Application Delivery Controller Arbitrary Code Execution Attempt (CVE-2019-19781)
AM EXPLOIT Oracle WebLogic Deserialization RCE Vulnerability wls-wsat URL
AM Exploit Webmin 1.920 RCE
AM Exploit URL Directory traversal
ET EXPLOIT Oracle WebLogic - wls-wsat Component Deserialization Remote Code Execution Unix
AM Exploit RCE Oracle WebLogic Server component of Oracle Fusion Middleware
ET EXPLOIT Apache Struts 2 REST Plugin XStream RCE (ProcessBuilder)
ET WEB_SPECIFIC_APPS Possible Apache Struts OGNL Expression Injection (CVE-2017-5638) M2
ET WEB_SPECIFIC_APPS Possible Apache Struts OGNL Expression Injection (CVE-2017-5638) M3
ET WEB_SPECIFIC_APPS Possible Apache Struts OGNL Expression Injection (CVE-2017-5638)
AM Exploit HTTP Body Directory Traversal
AM INFO DNS Query for Suspicious .xyz Domain
ET POLICY Possible Powershell .ps1 Script Use Over SMB
ET POLICY SMB2 NT Create AndX Request For a Powershell .ps1 File
ET POLICY HTTP POST contains pass= in cleartext
ET DNS Query to a *.pw domain - Likely Hostile
ET POLICY Outbound Multiple Non-SMTP Server Emails
ET POLICY SMB2 NT Create AndX Request For a DLL File - Possible Lateral Movement
ET POLICY External IP Lookup (avast .com)
ET POLICY External IP Lookup Domain (myip.opendns .com in DNS lookup)
ET TROJAN Zeus GameOver Possible DGA NXDOMAIN Responses
ET POLICY Cleartext WordPress Login
ET POLICY Http Client Body contains pwd= in cleartext
AM TROJAN Trojan.Banload Activity - ZIP File Request with minimal header
AM POLICY POST to phpmyadmin from external network
ET INFO Observed DNS Query for OpenNIC Alternative DNS TLD (.null)
ET EXPLOIT Possible ETERNALBLUE MS17-010 Echo Response
ET EXPLOIT ETERNALBLUE Exploit M2 MS17-010
ET EXPLOIT Possible ETERNALBLUE MS17-010 Heap Spray
GPL P2P BitTorrent transfer
ET POLICY Vulnerable Java Version 1.7.x Detected
ET POLICY User-Agent (Launcher)
ET DNS Query to a *.top domain - Likely Hostile
ET DNS DNS Lookup for localhost.DOMAIN.TLD
ET INFO UPnP Discovery Search Response vulnerable UPnP device 1
ET INFO Lets Encrypt Free SSL Cert Observed with IDN/Punycode Domain - Possible Phishing
AM Policy RC4 Encryption type in TGS-REQ
ET WEB_SERVER WebShell Generic - wget http - POST
ET WEB_SERVER 401TRG Generic Webshell Request - POST with wget in body
ET INFO EXE - Served Attached HTTP
ET POLICY PE EXE or DLL Windows file download HTTP
SIP EVENT UNKOWN METHOD
ET USER_AGENTS Steam HTTP Client User-Agent
ET P2P BTWebClient UA uTorrent in use
AM Exploit Possible RCE in PHP-fpm
ET POLICY Dropbox.com Offsite File Backup in Use
SIP EVENT AUTH INVITE REPLAY ATTACK
ET INFO Observed DNS Query to .life TLD
ET SCAN Zmap User-Agent (zgrab)
AM DNS Query for coronavirus-monitor.ru
ET INFO Session Traversal Utilities for NAT (STUN Binding Request obsolete rfc 3489 CHANGE-REQUEST attribute change IP flag false change port flag false)
ET INFO Session Traversal Utilities for NAT (STUN Binding Request obsolete rfc 3489 CHANGE-REQUEST attribute change IP flag true change port flag true)
ET INFO Session Traversal Utilities for NAT (STUN Binding Request obsolete rfc 3489 CHANGE-REQUEST attribute change IP flag false change port flag true)
ET INFO DNS Query for Suspicious .ml Domain
ET POLICY SSL/TLS Certificate Observed (AnyDesk Remote Desktop Software)
ET POLICY Inbound RDP Connection with Minimal Security Protocol Requested
AM EXPLOIT MikroTik RouterOS 6.42 Winbox Arbitrary File Read exploit
GPL POLICY PCAnywhere server response
ET DNS Query to a .tk domain - Likely Hostile
ET POLICY SMB2 NT Create AndX Request For a .sys File - Possible Lateral Movement
ET POLICY RDP connection confirm
ET P2P BitTorrent peer sync
ET P2P BitTorrent Traffic
AM Info EICAR String detected
AM TROJAN Win.Trojan.Glupteba C&C server HELLO request to client
AM TROJAN MSIL/Razy Cryptominer.NS
ET INFO Suspicious POST Request with Possible COVID-19 URI M1
AD HIGH ARP REPLY NUMBER
AD HIGH VALUE OF SYN TCPIPFLAGS UPLOAD
AD LOW VALUE OF DATA TCPIP UPLOAD
AD HIGH SYN/ACK PACKET NUMBER
AD HIGH VALUE OF FIN TCPIPFLAGS UPLOAD
AD LOW VALUE OF ACK TCPIPFLAGS UPLOAD
AD UNUSUALLY LOW TCP TRAFFIC
AD HIGH VALUE OF RST TCPIPFLAGS UPLOAD
STREAM5_WINDOW SLAM
AD HIGH VALUE OF DATA AND UNEXPECTED TCPIP FLAGS
AD UNUSUALLY HIGH UDP TRAFFIC
HI SERVER JS EXCESS WS
AD HIGH NOT TCP/IP TRAFFIC
GPL P2P BitTorrent announce request
HI CLIENT SIMPLE REQUEST
ET P2P BitTorrent Announce
ET POLICY Java Url Lib User Agent Web Crawl
ET EXPLOIT HackingTrio UA (Hello, World)
AD LOW SYN/ACK PACKET NUMBER
ET P2P BitTorrent DHT announce_peers request
ET MALWARE Lavasoft PUA/Adware Client Install
AM USER_AGENTS Malicious Blank User-Agent
ET INFO SUSPICIOUS SMTP EXE - RAR file with .exe filename inside
ET POLICY possible Xiaomi phone data leakage HTTP
AM Exploit Possible SAP GUI EAI WebViewer3D ActiveX Stack Buffer Overflow attack or Control Arbitrary File Overwrite
AM Exploit Apple QuickTime Image Description Atom Sign Extension Vulnerability
AM Exploit Possible HTTP EnjoySAP SAP_GUI ActiveX Control Buffer Overflow shell bind tcp
AM Exploit Possible SAP GUI TabOne ActiveX Control Caption List Buffer Overflow attack
AM Exploit Possible HTTP SAP AG SAPgui sapirrfc.dll Remote Buffer Overflow Vulnerability