Firewall detections

Firewalls are network security devices that monitor incoming and outgoing network traffic. Firewalls have been on the defensive line for security for over 25 years. This traffic monitoring enables firewalls to allow or block specific traffic based on a defined set of rules. Firewall data is ingested into Devo from a large number of vendors and aggregated into firewall.all.traffic tables.

Firewalls can be hardware, software, or both. In any deployment model, firewalls establish a barrier between secured, controlled internal networks and the outside, separating trusted from untrusted networks.

Detects outbound traffic destined for unexpected countries. Users must populate a lookup table containing home/domestic/expected country codes.

Source table → firewall.all.traffic

Detects TFTP to an external network address. TFTP is rarely used externally and has been observed as a means to stage data remotely for exfiltration.

Source table → firewall.all.traffic

Detects outbound traffic sent to an embargoed country. A lookup table should be populated with a list of embargoed country codes.

Source table → firewall.all.traffic

Detects inbound SMB scanning from a single external source IP.

Source table → firewall.all.traffic

Detects excessive Palo Alto firewall authentication failures for a single user account within a short period of time.

Source table → firewall.paloalto.system

Controlling where users and systems on the network browse is considered essential to reduce risk. Access to anonymous browsing networks must be monitored.

Source table → firewall.all.traffic

Detects when a single internal IP is scanning other internal IPs using different ports for each scan attempt. This is a low and slow technique intended to avoid triggering traditional port scan and port sweep alerts.

Source table → firewall.all.traffic

Detects when a single internal IP is scanning other internal IPs using different ports for each scan attempt. This is a low and slow technique intended to avoid triggering traditional port scan and port sweep alerts.

Source table → firewall.all.traffic

This alert detects SMB traffic from internal to external sources allowed through the firewall.

Source table → firewall.all.traffic

Detects excessive Palo Alto firewall authentication failures for a single IP within a short period of time.

Source table → firewall.paloalto.system

Alerts when Fortinet Firewall detects a critical-risk application within the environment.

Source table → firewall.fortinet.traffic.forward

This alert is intended to be tuned and used as a supplement to help identify potentially mirrored traffic.

Source table → firewall.all.traffic

Identifies connections on the default port used for VNC.

Source table → firewall.all.traffic

Detects port scanning activity from an internal IP address to multiple other internal IP addresses on the same destination port, which may indicate an attacker enumerating the network for lateral movement.

Source table → firewall.all.traffic

Identifies traffic across a port lower than 1024 that is unassigned by IANA. These ports are rarely used by legitimate services and may indicate malicious activity or traffic.

Source table → firewall.all.traffic

Detects scanning activity from an internal IP address to multiple ports on other internal IP addresses. The time window and destination-port count thresholds should be tuned to fit organizational needs.

Source table → firewall.all.traffic

Detects excessive firewall blocks within a short time frame. The threshold should be adjusted in accordance with normal traffic patterns in an organization's environment.

Source table → firewall.all.traffic

Detects excessive firewall blocks for outbound traffic from a single IP in a short period. This activity may be indicative of C2 traffic and should be reviewed.

Source table → firewall.all.traffic

Identifies SMB traffic from external sources allowed through the firewall. Due to known vulnerabilities/insecurities with the SMB protocol, this type of external traffic falls outside best practices.

Source table → firewall.all.traffic

Since ICMP packets are typically very small, this alert will detect ICMP packets that are larger than expected. A large amount of data sent over ICMP may indicate the presence of command and control traffic or data exfiltration.

Source table → firewall.all.traffic

Alerts when Fortinet Firewall detects a high risk application within the environment.

Source table → firewall.fortinet.traffic.forward

Detects inbound traffic sent to an embargoed country. A lookup table should be populated with a list of embargoed country codes.

Source table → firewall.all.traffic

Detects exploitation of the DNS RCE bug reported in CVE-2020-1350 by monitoring for suspicious outbound DNS traffic over TCP. The destination name server should be examined for legitimacy.

Source table → firewall.all.traffic

Detects brute force attacks via the Palo Alto firewalls. A source IP address attempted and failed to authenticate multiple times while providing multiple usernames.

Source table → firewall.paloalto.system

This search looks for Collective Defense matches in firewall data.

Source table → firewall.all.traffic

Microsoft has detected multiple 0-day exploits being used to attack on-premises versions of Microsoft Exchange Server in limited and targeted attacks.

Source table → firewall.all.traffic

Checks firewall traffic logs for connections to servers related to recent CVE-2021-4428 (Log4Shell) attacks. It uses a lookup table containing the IPs of servers related to these malicious activities.

Source table → firewall.all.traffic

Identifies RDP traffic from external sources allowed through the firewall. This type of traffic may indicate an adversary is in possession of valid accounts and is accessing a host from outside the network.

Source table → firewall.all.traffic

The REvil ransomware has hit 40 service providers globally due to multiple Kaseya VSA zero-days. The attack was pushed out via an infected IT management update from Kaseya.

Source table → firewall.all.traffic

This search looks for Collective Defense matches in firewall data.

Source table → firewall.all.traffic

Identifies a host scanning other hosts for open SMB shares. Triggers when a single source IP connects to more than 25 destinations using SMB.

Source table → firewall.all.traffic

Detects outbound traffic over IRC (TCP on ports 194 or 6697). Compromised hosts can utilize IRC for command and control operations.

Source table → firewall.all.traffic

Identifies a host external to the monitored network showing behavior consistent with a scan for a port on multiple destination addresses in a short time.

Source table → firewall.all.traffic
