Protocol Or Port Mismatch

Description

This search looks for network traffic on common ports where the higher-layer (application) protocol does not match the protocol expected on the port in use. For example, it should identify cases where protocols other than HTTP are running on TCP port 80. Attackers use this to circumvent firewall restrictions, or to hide malicious communications over ports and protocols that are typically allowed and not well inspected.

Content Mapping

This content is not mapped to any local saved search.


Use Case

Security Monitoring

Category

Operations

Alert Volume


SPL Difficulty

None

Journey

Stage 2

MITRE ATT&CK Tactics

Exfiltration

MITRE ATT&CK Techniques

Exfiltration Over Alternative Protocol

Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol

MITRE Threat Groups

APT32
APT33
FIN6
FIN8
Lazarus Group
OilRig
Thrip
Wizard Spider

Kill Chain Phases

Command and Control

Data Sources

Network Communication

Help

Protocol Or Port Mismatch Help

Running this search properly requires a technology that can inspect network traffic and identify common application-layer protocols. Bro (now Zeek) and Palo Alto Networks firewalls are two examples that identify protocols by inspection, rather than assuming a protocol from the transport protocol and port alone.
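As an added illustration of the mismatch logic (not the page's own search or SPL), the check below runs over constructed records in Zeek's JSON conn.log format, where the inspected protocol lands in the `service` field; the expected-protocol-per-port table is an assumption and would be tuned per environment. A record with no identified service is treated as unknown rather than as a mismatch, which keeps the detection from alerting on traffic the inspector could not classify.

```python
import json

# Application protocol expected on each well-known port, named the way Zeek's
# conn.log "service" field names them. Assumed mapping for this example.
EXPECTED_SERVICE = {21: "ftp", 22: "ssh", 25: "smtp", 53: "dns",
                    80: "http", 443: "ssl", 3389: "rdp"}

# Constructed sample records in Zeek's JSON conn.log format (fields trimmed).
SAMPLE_CONN_LOG = """\
{"uid":"C1","id.orig_h":"10.0.0.5","id.resp_h":"203.0.113.7","id.resp_p":80,"proto":"tcp","service":"http"}
{"uid":"C2","id.orig_h":"10.0.0.6","id.resp_h":"203.0.113.8","id.resp_p":80,"proto":"tcp","service":"ssh"}
{"uid":"C3","id.orig_h":"10.0.0.7","id.resp_h":"203.0.113.9","id.resp_p":443,"proto":"tcp","service":"ssl,http"}
{"uid":"C4","id.orig_h":"10.0.0.8","id.resp_h":"203.0.113.10","id.resp_p":443,"proto":"tcp"}
{"uid":"C5","id.orig_h":"10.0.0.9","id.resp_h":"203.0.113.11","id.resp_p":53,"proto":"udp","service":"dns"}
{"uid":"C6","id.orig_h":"10.0.0.10","id.resp_h":"203.0.113.12","id.resp_p":443,"proto":"tcp","service":"http"}
{"uid":"C7","id.orig_h":"10.0.0.11","id.resp_h":"203.0.113.13","id.resp_p":8443,"proto":"tcp","service":"ssh"}
"""


def find_mismatches(conn_log_text):
    """Return one finding per connection whose inspected protocol does not
    match the protocol expected on its destination port."""
    findings = []
    for line in conn_log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        port = rec.get("id.resp_p")
        # Only ports with a known expected protocol are in scope.
        if port not in EXPECTED_SERVICE:
            continue
        # Zeek joins multiple detected services with commas ("ssl,http").
        # A missing or empty service means inspection identified nothing;
        # that is "unknown", not a mismatch, so it is not flagged.
        raw = rec.get("service", "")
        observed = {s for s in raw.split(",") if s and s != "-"}
        if not observed:
            continue
        expected = EXPECTED_SERVICE[port]
        if expected not in observed:
            findings.append({"uid": rec["uid"], "src": rec["id.orig_h"],
                             "dest": rec["id.resp_h"], "dest_port": port,
                             "expected": expected, "observed": sorted(observed)})
    return findings


if __name__ == "__main__":
    for f in find_mismatches(SAMPLE_CONN_LOG):
        print(f"{f['uid']}: {f['src']} -> {f['dest']}:{f['dest_port']} "
              f"expected {f['expected']}, saw {','.join(f['observed'])}")
```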
