Flow_InboundTELNET
ID: 100452
Description:
Inbound TELNET - This behavior alerts on successful (more than 0 bytes each direction) inbound TELNET, which is insecure - KLK
Repository: Group: Compliance Type: metaflow
Default Status:
Enabled
| Tags: |
|---|
| TELNET |
Selector:
Query:
dp:23 AND txB>0 AND rxB>0
Filters:
| Field | MUST hit |
|---|---|
| dip | entity: [ HOME_NET ] |
| Field | MUST NOT hit |
|---|---|
| sip | entity: [ HOME_NET ] |
| entity: [ TELNET_SourceAllowList ] | |
| dip | entity: [ TELNET_DestinationAllowList ] |
Behavior Rule:
| Key | Type | Behavior Category |
|---|---|---|
| dip | ip | network access |
Risks:
| Risks | Base Score | Dimension |
|---|---|---|
Attributes:
| Alias | Key |
|---|---|
| destIP | dip |
| recvBytes | rxB |
| transBytes | txB |
| sourceIP | sip |
| srcCity | s_city |
| srcCountry | s_country |
Correlation Rules:
First Occurrence:
| Name | Window | Fields | |
|---|---|---|---|
| NewInboundTELNETDestination | 10 days | dip | |
| Risks: | ALERT_END_POINT | ML_NEW_SERVICE |
History:
| User | Date |
|---|---|
| ke*y@fluencysecurity.com | 2021 Sep 29 04:13:02 EDT |
This page was automatically created/formatted on Wed, 2022 May 4 21:43:53 EDT, from rule_dump.json (4d88bffdfb1cea26b3985f2193033606)