Rule Category

POLICY-SOCIAL -- Snort has detected a violation of the corporate policy. Similar to an IOC, this activity may not be directly malicious, but could be a symptom of compromise, or of a misuse of the network. Examples are cryptocurrency mining and strade (Bitcoin, et al). The ISP won’t block these, but corporate policies likely prohibit them. In this case, Snort has detected a violation of social media policy. Some companies choose to disallow some or all social media, or to only allow in-network social sharing. This can prevent simple productivity loss or serious NDA breaches (sharing of files from the internal network, etc.).

Alert Message


Rule Explanation

This event is generated when network traffic that indicates POLICY-SOCIAL IRC G-line active is being used. Impact: Possible policy violation. The use of POLICY-SOCIAL IRC G-line active may be prohibited by corporate policy in some network environments. Details: This event indicates that the POLICY-SOCIAL IRC G-line active is being used on the protected network. Ease of Attack: Simple.

What To Look For

Known Usage

No public information

False Positives

No known false positives


Cisco Talos

MITRE ATT&CK Framework



For reference, see the MITRE ATT&CK vulnerability types here:

Additional Links

Rule Vulnerability

CVE Additional Information