Sign In

SID 1:24098

Report a false positive

Rule Category

APP-DETECT -- Snort attempted to take unique patterns of traffic and match them to a known application pattern, to confirm whether traffic should be allowed or stopped. (For example, a Get request is usually an HTTP/web application exchange, perhaps Facebook Messenger or other instant messenger, etc.).

Alert Message

APP-DETECT Teamviewer remote connection attempt

Rule Explanation

This rule listens for periodic UDP heardbeats sent by TeamViewer

What To Look For

Teamviewer contains unique patterns in its traffic. This rule helps to inform security operations that Teamviwer is in use on their network for awareness.

Known Usage

Attacks/Scans seen in the wild

False Positives

No known false positives

Contributors

Cisco Talos Intelligence Group

Rule Groups

No rule groups

CVE

None

Additional Links

attack.mitre.org/techniques/T1219

en.wikipedia.org/wiki/TeamViewer

Rule Vulnerability

No information provided

CVE Additional Information

This product uses data from the NVD API but is not endorsed or certified by the NVD.

None

MITRE ATT&CK Framework

Tactic: Command and Control

Technique: Custom Command and Control Protocol

For reference, see the MITRE ATT&CK vulnerability types here: https://attack.mitre.org

Privacy Policy | Snort License | FAQ | Sitemap

©2025 Cisco and/or its affiliates. Snort, the Snort and Pig logo are registered trademarks of Cisco. All rights reserved.