Rule Category

POLICY-SOCIAL -- Snort has detected a violation of the corporate policy. Similar to an IOC, this activity may not be directly malicious, but could be a symptom of compromise, or of a misuse of the network. Examples are cryptocurrency mining and trading (Bitcoin, et al.). The ISP won't block these, but corporate policies likely prohibit them. In this case, Snort has detected a violation of social media policy. Some companies choose to disallow some or all social media, or to allow only in-network social sharing. This can prevent simple productivity loss or serious NDA breaches (sharing of files from the internal network, etc.).

Alert Message

POLICY-SOCIAL IRC dns request

Rule Explanation

This event is generated when activity relating to network chat clients is detected. Impact: Policy Violation. Use of chat clients to communicate with unknown external sources may be against the policy of many organizations. Details: Instant Messaging (IM) and other chat-related client software can allow users to transfer files directly between hosts. This can allow malicious users to circumvent the protection offered by a network firewall. Vulnerabilities in these clients may also allow remote attackers to gain unauthorized access to a host. Ease of Attack: Simple.
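As an added example (not Snort's own rule logic, which this page does not reproduce), the following Python shows the kind of check behind a "DNS request" policy signature: it parses the question section of a DNS query message, extracts the queried name, and raises an alert record when the leftmost label is `irc`. The packet builder, the `IRC_LABELS` set, and the sample traffic are constructed assumptions for illustration; the real rule's matching pattern is not shown on this page.

```python
import struct

# Assumed match pattern: the page does not show the Snort rule body, so this
# example assumes the rule fires on DNS queries whose leftmost label is "irc".
IRC_LABELS = {"irc"}

ALERT_MSG = "POLICY-SOCIAL IRC dns request"


def build_dns_query(name: str, txid: int = 0x1234) -> bytes:
    """Construct a minimal DNS A-record query for `name` (constructed test input)."""
    # Header: ID, flags (RD set), QDCOUNT=1, ANCOUNT=0, NSCOUNT=0, ARCOUNT=0
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    )
    # Terminating zero-length label, then QTYPE=A (1) and QCLASS=IN (1)
    return header + qname + b"\x00" + struct.pack(">HH", 1, 1)


def parse_qname(packet: bytes):
    """Return (qname, qtype) from the first question of a DNS message, or None if malformed."""
    if len(packet) < 12:
        return None  # shorter than the fixed DNS header
    qdcount = struct.unpack(">H", packet[4:6])[0]
    if qdcount < 1:
        return None  # no question section to inspect
    pos = 12
    labels = []
    while True:
        if pos >= len(packet):
            return None  # name runs past the end of the packet
        length = packet[pos]
        pos += 1
        if length == 0:
            break  # end of name
        if length & 0xC0:
            return None  # compression pointer: not expected in a client question name
        if pos + length > len(packet):
            return None  # truncated label
        labels.append(packet[pos:pos + length].decode("ascii", errors="replace").lower())
        pos += length
    if pos + 4 > len(packet):
        return None  # missing QTYPE/QCLASS
    qtype = struct.unpack(">H", packet[pos:pos + 2])[0]
    return ".".join(labels), qtype


def is_irc_dns_request(packet: bytes) -> bool:
    """True when the query's leftmost label is in IRC_LABELS (case-insensitive)."""
    parsed = parse_qname(packet)
    if parsed is None:
        return False  # malformed input never matches; it is logged elsewhere, not here
    qname, _ = parsed
    return qname.split(".")[0] in IRC_LABELS


def scan(packets):
    """Run the check over (source, packet) pairs and return alert records."""
    alerts = []
    for src, pkt in packets:
        if is_irc_dns_request(pkt):
            qname, _ = parse_qname(pkt)
            alerts.append({"msg": ALERT_MSG, "src": src, "qname": qname})
    return alerts


# Constructed sample traffic: two IRC-looking queries, one ordinary query, one truncated packet.
SAMPLE_TRAFFIC = [
    ("10.0.0.5", build_dns_query("irc.example.net")),
    ("10.0.0.7", build_dns_query("www.example.com")),
    ("10.0.0.9", build_dns_query("IRC.example.org")),
    ("10.0.0.11", b"\x12\x34\x01"),
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_TRAFFIC):
        print(alert)
```

The parser rejects truncated packets and compression pointers instead of raising, so a malformed query cannot crash the detector; an analyst tuning this rule would extend `IRC_LABELS` or switch to a list of known chat-service domains, since a prefix match alone will both miss and over-match in real traffic.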

What To Look For

Known Usage

No public information

False Positives

No known false positives

Contributors

Cisco Talos, Brian Caswell, Nigel Houghton

MITRE ATT&CK Framework

Tactic:

Technique:

For reference, see the MITRE ATT&CK vulnerability types here: https://attack.mitre.org

Rule Vulnerability

CVE Additional Information