SID 1:64001

Report a false positive

Rule Category

POLICY-OTHER --

Alert Message

POLICY-OTHER SSH inbound connection from non-standard port

Rule Explanation

This rule alerts on unusually low client ports connecting to SSH servers. While not necessarily malicious, it is highly unusual for a benign client to use a low numbered port (one within the list of "well-known" ports) to open a connection. For instance, the Mozi variant of the Mirai botnet has been observed connecting to SSH servers from unusually low ports.

What To Look For

This rule fires on inbound SSH connections from SSH clients using an unusually low TCP port.

Known Usage

Attacks/Scans seen in the wild

False Positives

Known false positives, with the described conditions

This rule will detect all incoming SSH connections from SSH clients using a TCP port within the range of 1:1023.

Contributors

Cisco Talos Intelligence Group

Rule Groups

Rule Categories::Policy::Other

MITRE::ATT&CK Framework::Enterprise::Command and Control::Non-Standard Port

Rule Categories::Potentially Unwanted Applications::Application Detection

CVE

None

Additional Links

attack.mitre.org/techniques/T1571/

Rule Vulnerability

No information provided

CVE Additional Information

This product uses data from the NVD API but is not endorsed or certified by the NVD.

None