Prohibited Traffic Allowed or Protocol Mismatch
Description
Detect instances of prohibited network traffic allowed in the environment, as well as protocols running on non-standard ports. Both of these types of behaviors typically violate policy and can be leveraged by attackers.
- Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
- Datamodel: Endpoint, Network_Resolution, Network_Traffic
- Last Updated: 2017-09-11
- Author: Rico Valdez, Splunk
- ID: 6d13121c-90f3-446d-8ac3-27efbbc65218
Narrative
A traditional security best practice is to control the ports, protocols, and services allowed within your environment. By limiting services and protocols to those explicitly approved by policy, administrators minimize the attack surface, and both network defenders and security controls can focus on what matters rather than being mired in superfluous traffic or data types. Looking for deviations from policy can identify attacker activity that runs services and protocols on alternate or non-standard ports in an attempt to avoid detection or frustrate forensic analysts.
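The two behaviors this story targets (prohibited traffic that a control nevertheless allowed, and a known protocol on a port other than its standard one) can be expressed as a small policy check over Network_Traffic-style events. The following is an added example, not one of the story's own Splunk searches; the policy tables, the sanctioned alternate-port list and the sample events are all constructed for illustration, and the field names follow the CIM Network_Traffic data model (action, src, dest, dest_port, app).

```python
from dataclasses import dataclass

# Constructed policy (an assumption for this example, not the story's content):
# ports policy never permits, and the application each well-known port should carry.
PROHIBITED_PORTS = {23, 445, 3389}
EXPECTED_APP_BY_PORT = {22: "ssh", 53: "dns", 80: "http", 443: "ssl"}
STANDARD_PORT_BY_APP = {app: port for port, app in EXPECTED_APP_BY_PORT.items()}
# Tuning: sanctioned non-standard pairs that must not be reported as mismatches.
SANCTIONED_ALT_PORTS = {("ssl", 8443)}

@dataclass(frozen=True)
class Finding:
    kind: str        # "prohibited_allowed" or "protocol_mismatch"
    src: str
    dest: str
    dest_port: int
    app: str

def check_event(ev: dict) -> list[Finding]:
    """Evaluate one Network_Traffic-style event (CIM field names) against the policy."""
    port = int(ev["dest_port"])                 # log sources often deliver ports as strings
    app = str(ev.get("app", "unknown")).lower()
    action = str(ev.get("action", "")).lower()
    findings = []
    # Prohibited traffic only matters when the control let it through; blocked is policy working.
    if action == "allowed" and port in PROHIBITED_PORTS:
        findings.append(Finding("prohibited_allowed", ev["src"], ev["dest"], port, app))
    # Mismatch: a known port carrying a different application, or a known application
    # on a port other than its standard one, unless the pair is explicitly sanctioned.
    if (app, port) not in SANCTIONED_ALT_PORTS:
        wrong_app_on_port = port in EXPECTED_APP_BY_PORT and app != EXPECTED_APP_BY_PORT[port]
        app_on_wrong_port = app in STANDARD_PORT_BY_APP and port != STANDARD_PORT_BY_APP[app]
        if wrong_app_on_port or app_on_wrong_port:
            findings.append(Finding("protocol_mismatch", ev["src"], ev["dest"], port, app))
    return findings

def analyze(events: list[dict]) -> list[Finding]:
    """Run the policy check over a batch of events and collect every finding."""
    return [f for ev in events for f in check_event(ev)]

# Constructed sample events shaped like Network_Traffic data model rows.
SAMPLE_EVENTS = [
    {"action": "allowed", "src": "10.1.1.20", "dest": "10.2.2.5", "dest_port": "23", "app": "telnet"},
    {"action": "blocked", "src": "10.1.1.21", "dest": "10.2.2.6", "dest_port": "3389", "app": "rdp"},
    {"action": "allowed", "src": "10.1.1.22", "dest": "203.0.113.9", "dest_port": "443", "app": "ssh"},
    {"action": "allowed", "src": "10.1.1.23", "dest": "10.2.2.8", "dest_port": "8443", "app": "ssl"},
    {"action": "allowed", "src": "10.1.1.24", "dest": "10.2.2.9", "dest_port": "80", "app": "http"},
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"{f.kind}: {f.src} -> {f.dest}:{f.dest_port} app={f.app}")
```

On the sample batch only the allowed telnet session and the SSH traffic on 443 are reported; the blocked RDP attempt and the sanctioned TLS-on-8443 pair are not, which is the tuning most environments need to keep this story actionable.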
Detections
Reference
Version: 1