Cette page n'est pas encore disponible en français, sa traduction est en cours.
Si vous avez des questions ou des retours sur notre projet de traduction actuel, n'hésitez pas à nous contacter.

Goal

Detect when an egress connection is made over port 6667 (IRC).

Strategy

Egress connections to unknown hosts over port 6667 should be rare. Internet Relay Chat (IRC) is a protocol that is commonly abused by malicious botnet operators. Malicious commands built into the malware include methods to fetch system information, download additional malware, or execute attacks targeting other hosts.

Triage and response

  1. Determine the process making the connection.
  2. Verify if there is a legitimate reason for the host to communicate over this port. Search network flows to determine whether the activity is happening on other hosts.
  3. Isolate the workload, preserving it for analysis.
  4. Review related signals to understand the full timeline of the incident.
  5. Find and repair the root cause of the incident.

This detection is based on data from Network Performance Monitoring.

PREVIEWING: may/unit-testing