APP-DETECT -- Snort attempts to match unique patterns of traffic to a known application pattern, to confirm whether traffic should be allowed or stopped. (For example, a GET request is usually an HTTP/web application exchange, perhaps Facebook Messenger or another instant messenger.)
APP-DETECT VNC server response
This event is generated when network traffic is detected that indicates the use of an application or service that may violate a corporate security policy.

Impact: This may be a violation of corporate policy, since some applications can be used to bypass security measures designed to restrict the flow of corporate information to destinations external to the corporation. In some instances this event may indicate behavior contrary to best security practices. In this case the event is generated when a VNC server response is detected. This traffic indicates that a VNC client has made an attempt to connect to a VNC server. Virtual Network Computing (VNC) allows users to connect to machines across a network. It allows full control of the connected machine: the user can access all resources on that machine and any other resources that machine is connected to.

Details: This event may indicate a violation of corporate policy. It may also indicate the use of services or applications that may be the antithesis of best security practices.

Ease of Attack: Not applicable
No public information
No known false positives
Cisco Talos, Brian Caswell, Nigel Houghton
No rule groups
None
No information provided
None
Tactic: Lateral Movement
Technique: VNC
For reference, see the MITRE ATT&CK vulnerability types here: https://attack.mitre.org
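
What a "VNC server response" looks like on the wire, as an added example that is not the Snort rule itself and not code from Cisco Talos: it assumes the standard RFB handshake, in which the first message a VNC server sends is the 12-byte banner "RFB xxx.yyy\n". The function names and the sample flows are constructed for illustration.

```python
import re

# RFB ProtocolVersion message: exactly 12 bytes, "RFB xxx.yyy\n".
RFB_BANNER = re.compile(rb"RFB (\d{3})\.(\d{3})\n")
# Versions defined by the RFB specification (RFC 6143, section 7.1.1).
STANDARD_VERSIONS = {(3, 3), (3, 7), (3, 8)}


def classify_server_response(payload: bytes) -> dict:
    """Classify the first bytes a server sends on a new TCP connection."""
    if len(payload) < 12:
        # A segment this short cannot hold the banner; wait for more data.
        return {"vnc": False, "reason": "short"}
    m = RFB_BANNER.match(payload[:12])
    if m is None:
        return {"vnc": False, "reason": "no-banner"}
    version = (int(m.group(1)), int(m.group(2)))
    return {
        "vnc": True,
        "version": "%d.%d" % version,
        # Vendor builds advertise other minor numbers; flag, do not drop.
        "standard": version in STANDARD_VERSIONS,
    }


def vnc_events(flows):
    """Return (server, port, version) for each flow whose server speaks RFB."""
    events = []
    for server, port, first_bytes in flows:
        verdict = classify_server_response(first_bytes)
        if verdict["vnc"]:
            events.append((server, port, verdict["version"]))
    return events


# Constructed sample flows: (server address, server port, first server bytes).
SAMPLE_FLOWS = [
    ("192.0.2.10", 5900, b"RFB 003.008\n"),
    ("192.0.2.11", 8443, b"RFB 003.889\n"),            # non-standard minor, odd port
    ("192.0.2.12", 5900, b"SSH-2.0-OpenSSH_9.6\r\n"),  # not VNC despite the port
    ("192.0.2.13", 80, b"HTTP/1.1 200 OK\r\n\r\n"),
    ("192.0.2.14", 5901, b"RFB 003"),                  # truncated first segment
]

if __name__ == "__main__":
    for event in vnc_events(SAMPLE_FLOWS):
        print("VNC server response from %s:%d (RFB %s)" % event)
```

Because the check keys on the banner and not on the port, it reports a VNC server on a non-default port and ignores other services listening on 5900.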