POLICY-SOCIAL -- Snort has detected a violation of the corporate policy. Similar to an IOC, this activity may not be directly malicious, but could be a symptom of compromise, or of a misuse of the network. Examples are cryptocurrency mining and strade (Bitcoin, et al). The ISP wonâ€™t block these, but corporate policies likely prohibit them. In this case, Snort has detected a violation of social media policy. Some companies choose to disallow some or all social media, or to only allow in-network social sharing. This can prevent simple productivity loss or serious NDA breaches (sharing of files from the internal network, etc.).
POLICY-SOCIAL IRC nick change
This event is generated when activity relating to network chat clients is detected.
Policy Violation. Use of chat clients to communicate with unkown external sources may be against the policy of many organizations.
Instant Messaging (IM) and other chat related client software can allow users to transfer files directly between hosts. This can allow malicious users to circumvent the protection offered by a network firewall.
Vulnerabilities in these clients may also allow remote attackers to gain unauthorized access to a host.
This event indicates that an IRC nickname change has been made from a client originating from the protected network to an IRC server external to the protected network.
Ease of Attack:
What To Look For
No public information
No known false positives
Sourcefire vulnerability research team
Brian Caswell email@example.com
Nigel Houghton firstname.lastname@example.org
MITRE ATT&CK Framework
For reference, see the MITRE ATT&CK vulnerability types here:
CVE Additional Information