prohibited_traffic_allowed_or_protocol_mismatch.yml
name: Prohibited Traffic Allowed or Protocol Mismatch
id: 6d13121c-90f3-446d-8ac3-27efbbc65218
version: 1
date: '2017-09-11'
author: Rico Valdez, Splunk
description: Detect instances of prohibited network traffic allowed in the environment,
  as well as protocols running on non-standard ports. Both of these types of behaviors
  typically violate policy and can be leveraged by attackers.
narrative: A traditional security best practice is to control the ports, protocols,
  and services allowed within your environment. By limiting the services and protocols
  to those explicitly approved by policy, administrators can minimize the attack surface.
  The combined effect allows both network defenders and security controls to focus
  and not be mired in superfluous traffic or data types. Looking for deviations from
  policy can identify attacker activity that abuses services and protocols to run
  on alternate or non-standard ports in an attempt to avoid detection or frustrate
  forensic analysts.
references:
- http://www.novetta.com/2015/02/advanced-methods-to-detect-advanced-cyber-attacks-protocol-abuse/
tags:
  analytic_story: Prohibited Traffic Allowed or Protocol Mismatch
  category:
  - Best Practices
  product:
  - Splunk Enterprise
  - Splunk Enterprise Security
  - Splunk Cloud
  usecase: Security Monitoring
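The two checks this story describes (prohibited traffic that was nevertheless allowed, and an approved protocol seen on a non-standard port), as an added Python example that is not part of the security_content repository or any Splunk search; the policy tables, record field names and sample records are constructed assumptions.

```python
from dataclasses import dataclass
# Assumed policy (not from the page): approved protocols with their expected
# port(s), and protocols that must never be allowed through.
APPROVED_PORTS = {"dns": {53}, "http": {80}, "ssl": {443}, "ssh": {22}}
PROHIBITED_PROTOCOLS = {"telnet", "ftp", "irc"}

@dataclass
class Finding:
    kind: str     # "prohibited_allowed" or "protocol_mismatch"
    record: dict

def check_record(rec: dict) -> list:
    """Return findings for one connection record.
    Keys (constructed, CIM-like): src, dest, dest_port, app, action.
    Only traffic the control allowed is interesting; blocked traffic was
    already stopped by policy."""
    findings = []
    if rec.get("action") != "allowed":
        return findings
    app = (rec.get("app") or "unknown").lower()
    port = int(rec["dest_port"])
    if app in PROHIBITED_PROTOCOLS:
        findings.append(Finding("prohibited_allowed", rec))
    expected = APPROVED_PORTS.get(app)
    if expected is not None and port not in expected:
        findings.append(Finding("protocol_mismatch", rec))
    return findings

def scan(records) -> list:
    """Run check_record over every record and flatten the results."""
    return [f for rec in records for f in check_record(rec)]

# Constructed sample firewall records for the demonstration.
SAMPLE = [
    {"src": "10.0.0.5", "dest": "203.0.113.9", "dest_port": 443, "app": "ssl", "action": "allowed"},
    {"src": "10.0.0.6", "dest": "203.0.113.10", "dest_port": 8443, "app": "ssh", "action": "allowed"},
    {"src": "10.0.0.7", "dest": "203.0.113.11", "dest_port": 23, "app": "telnet", "action": "allowed"},
    {"src": "10.0.0.8", "dest": "203.0.113.12", "dest_port": 21, "app": "ftp", "action": "blocked"},
]

if __name__ == "__main__":
    for f in scan(SAMPLE):
        print(f.kind, f.record["src"], "->", f.record["dest"], f.record["dest_port"], f.record["app"])
```

The blocked FTP record produces no finding on purpose: the story is about traffic the control let through, and alerting on what the firewall already denied would only add noise.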