Available Alerts¶
Checks are executed for hosts, interfaces, SNMP devices and other network elements, and are configured under Checks in the Settings left sidebar.
Each check is designed to verify a specific condition and, when that condition is not met, to trigger an alert.
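To make the check-and-alert model concrete, the block below is an added example written for this page; it is not ntopng code and uses no ntopng API. It feeds a handful of constructed flow records to four checks whose names appear in the list on this page, two evaluated per flow ("Unexpected DNS Server", "Known Proto on Non Std Port") and two evaluated per host across many flows ("SYN Scan", "Score Threshold Exceeded"), and shows why these belong to different check families: flow checks look at one flow, host checks aggregate. The DNS allow-list, the standard-port table, the scan threshold and the per-alert scores are all assumptions chosen for the example, not ntopng defaults.

```python
"""Toy check-and-alert engine: an added illustration for this page, not ntopng code."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    client: str
    server: str
    proto: str   # "TCP" or "UDP"
    dport: int
    flags: str   # TCP flags seen from the client: "S" = SYN never answered, "SA" = handshake done
    l7: str      # application protocol as detected by DPI


@dataclass(frozen=True)
class Alert:
    check: str    # name of the check that fired (names taken from the list on this page)
    family: str   # entity the check is evaluated on: "flow" or "host"
    host: str     # host the alert is charged to (the client for flow alerts)
    detail: str
    score: int    # contribution to the host score (assumed values, not ntopng's)


# Policy knobs. All values are assumptions chosen for the example.
ALLOWED_DNS_SERVERS = {"192.168.1.1"}
STANDARD_PORTS = {"HTTP": {80, 8080}, "DNS": {53}}
SYN_SCAN_MIN_TARGETS = 5   # distinct server:port pairs hit with unanswered SYNs
SCORE_THRESHOLD = 100


def flow_checks(flow):
    """Flow checks inspect a single flow in isolation."""
    alerts = []
    who = f"{flow.client} -> {flow.server}:{flow.dport}"
    if flow.l7 == "DNS" and flow.server not in ALLOWED_DNS_SERVERS:
        alerts.append(Alert("Unexpected DNS Server", "flow", flow.client, who, 50))
    standard = STANDARD_PORTS.get(flow.l7)
    if standard is not None and flow.dport not in standard:
        alerts.append(Alert("Known Proto on Non Std Port", "flow", flow.client, who, 10))
    return alerts


def host_checks(flows, flow_alerts):
    """Host checks aggregate over all flows (and flow alerts) of each host."""
    alerts = []
    # SYN Scan: one client sending unanswered SYNs to many distinct targets.
    probed = defaultdict(set)
    for f in flows:
        if f.proto == "TCP" and f.flags == "S":
            probed[f.client].add((f.server, f.dport))
    for host, targets in probed.items():
        if len(targets) >= SYN_SCAN_MIN_TARGETS:
            alerts.append(Alert("SYN Scan", "host", host, f"{len(targets)} targets probed", 100))
    # Score Threshold Exceeded: sum of every alert charged to the host so far.
    score = defaultdict(int)
    for a in flow_alerts + alerts:
        score[a.host] += a.score
    for host, total in score.items():
        if total >= SCORE_THRESHOLD:
            alerts.append(Alert("Score Threshold Exceeded", "host", host, f"score {total}", total))
    return alerts


def run_checks(flows):
    """Evaluate flow checks first, then the host checks that build on them."""
    flow_alerts = [a for f in flows for a in flow_checks(f)]
    return flow_alerts + host_checks(flows, flow_alerts)


# Constructed sample traffic (not a real capture).
FLOWS = [
    Flow("10.0.0.5", "192.168.1.1", "UDP", 53, "", "DNS"),         # allowed resolver: clean
    Flow("10.0.0.5", "8.8.8.8", "UDP", 53, "", "DNS"),             # resolver outside the allow-list
    Flow("10.0.0.7", "203.0.113.10", "TCP", 8443, "SA", "HTTP"),   # HTTP on a non-standard port
    Flow("10.0.0.7", "203.0.113.10", "TCP", 80, "SA", "HTTP"),     # clean
] + [
    Flow("10.0.0.9", "198.51.100.20", "TCP", port, "S", "Unknown")  # six unanswered SYNs: a scan
    for port in (21, 22, 23, 25, 80, 443)
]

if __name__ == "__main__":
    for a in run_checks(FLOWS):
        print(f"[{a.family}] {a.check}: {a.host} ({a.detail}, score {a.score})")
```

Running it on the sample traffic raises one flow alert each for 10.0.0.5 and 10.0.0.7, and two host alerts for 10.0.0.9: the scan itself and, because that alert alone reaches the assumed threshold, a score alert. Note the ordering dependency: host checks that consume a score must run after the flow checks that produce it, which is why the two families are evaluated in separate passes.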
Interface Types¶
Checks can be available on both ZMQ interfaces and packet interfaces, or on just one of them; each alert in the list is marked with the interface type(s) on which it is available:
- Packet interface:
- ZMQ interface:
Alerts List¶
Below you can find the list of check families and the alerts each of them can raise.
- Host Behavioural Checks
  - Countries Contacts
  - Dangerous Host
  - DNS Flood
  - DNS Server Contacts
  - DNS Traffic
  - Domain Name Contacts
  - Flow Flood
  - Flows Anomaly
  - Host External Check (REST)
  - Host User Check Script
  - ICMP Flood
  - NTP Server Contacts
  - Remote Connection
  - RST Scan
  - RX-only Host Scan
  - Scan Detection
  - Score Anomaly
  - Score Threshold Exceeded
  - Server Port Detected
  - SMTP Server Contacts
  - SNMP Flood
  - SYN Flood
  - SYN Scan
  - TCP FIN Scan
- Interface Behavioural Checks
- Local Networks Behavioural Checks
- SNMP Behavioural Checks
- Flow Behavioural Checks
  - ALPN/SNI Mismatch
  - Anonymous Subscriber
  - Binary App/.exe Transfer
  - Binary file/data transfer (attempt)
  - Blacklisted Client Contact
  - Blacklisted Country
  - Blacklisted Flow
  - Blacklisted Server Contact
  - Broadcast Non-UDP Traffic
  - Clear-Text Credentials
  - Crawler/Bot
  - Desktop/File Sharing
  - DNS Data Exfiltration
  - DNS Invalid Characters
  - Elephant flow
  - Error Code
  - External Alert
  - Flow User Check Script
  - Fragmented DNS Message
  - Fully Encrypted Flow
  - HTTP Obsolete Server
  - HTTP Susp. Content
  - HTTP Susp. Header
  - HTTP Susp. URL
  - HTTP Susp. User-Agent
  - HTTP/TLS/QUIC Numeric Hostname/SNI
  - ICMP Data Exfiltration
  - IEC Invalid Command Transition
  - IEC Invalid Transition
  - IEC Unexpected TypeID
  - Invalid DNS Query
  - Known Proto on Non Std Port
  - Large DNS Packet (512+ bytes)
  - Long Lived
  - Low Goodput
  - Malformed packets
  - Malicious JA3 Fingerp.
  - Malicious JA3 SHA1 Cert.
  - Malware Host Contacted
  - Minor Issues
  - Missing SNI TLS Extn
  - ModbusTCP Invalid Transition
  - ModbusTCP Too Many Exceptions
  - ModbusTCP Unexpected Function Code
  - Not Purged
  - Obsolete SSH Client Version or Cipher
  - Obsolete SSH Server Version or Cipher
  - Old TLS Version
  - Periodic Flow
  - Periodicity Changed
  - Possible Exploit
  - Possible Remote Code Execution (RCE)
  - Possible SQL Inj
  - Probing Attempt
  - Punycode IDN
  - Rare Destination
  - Remote Access
  - Remote to Local Insecure Protocol
  - Remote to Remote Flow
  - Risky ASN
  - Risky Domain
  - Service Map Lateral Movement Detection
  - SMB insecure
  - Susp. Device Protocol
  - Susp. DGA Domain name
  - Susp. DNS traffic
  - Susp. Entropy
  - TCP connection Issues
  - TCP connection refused
  - TCP Flow Reset
  - TCP No Data Exchanged
  - TCP Packets Issues
  - TCP With No Answer
  - TCP Zero Window
  - TLS (probably) Not Carrying HTTPS
  - TLS Cert About To Expire
  - TLS Cert Expired
  - TLS Cert Issues
  - TLS Cert Self-Signed
  - TLS Cert Validity Too Long
  - TLS Fatal Alert
  - TLS Susp ESNI Usage
  - TLS Susp. Extension
  - TLS Uncommon ALPN
  - TLS Unsafe Ciphers
  - Unexpected DHCP
  - Unexpected DNS Server
  - Unexpected NTP Server
  - Unexpected SMTP Server
  - Unidirectional Flow
  - Unsafe protocol
  - VLAN Bidirectional Flow
  - Web Mining
  - XSS Attack
- System Behavioural Checks
- Active Monitoring Behavioural Checks
- Syslog Behavioural Checks
- Local Traffic Volume Rules