IRC (Internet Relay Chat) Protocol Activity to the Internet

This rule detects events that use common ports for Internet Relay Chat (IRC) to the Internet. IRC is a common protocol that can be used for chat and file transfers. This protocol is also a good candidate for remote control of malware and data transfers to and from a network.

Elastic rule

[metadata]
creation_date = "2020/02/18"
deprecation_date = "2021/04/15"
maturity = "deprecated"
updated_date = "2021/04/15"

[rule]
author = ["Elastic"]
description = """
This rule detects events that use common ports for Internet Relay Chat (IRC) to the Internet. IRC is a common protocol
that can be used for chat and file transfers. This protocol is also a good candidate for remote control of malware and
data transfers to and from a network.
"""
false_positives = [
    """
    IRC activity may be normal behavior for developers and engineers but is unusual for non-engineering end users. IRC
    activity involving an unusual source or destination may be more suspicious. IRC activity involving a production
    server is often suspicious. Because these ports are in the ephemeral range, this rule may false under certain
    conditions, such as when a NAT-ed web server replies to a client which has used a port in the range by coincidence.
    In this case, these servers can be excluded. Some legacy applications may use these ports, but this is very uncommon
    and usually only appears in local traffic using private IPs, which does not match this rule's conditions.
    """,
]
from = "now-9m"
index = ["filebeat-*", "packetbeat-*", "logs-endpoint.events.*"]
language = "kuery"
license = "Elastic License v2"
name = "IRC (Internet Relay Chat) Protocol Activity to the Internet"
risk_score = 47
rule_id = "c6474c34-4953-447a-903e-9fcb7b6661aa"
severity = "medium"
tags = ["Elastic", "Host", "Network", "Threat Detection", "Command and Control"]
timestamp_override = "event.ingested"
type = "query"

query = '''
event.category:(network or network_traffic) and network.transport:tcp and (destination.port:(6667 or 6697) or event.dataset:zeek.irc) and
  source.ip:(
    10.0.0.0/8 or
    172.16.0.0/12 or
    192.168.0.0/16
  ) and
  not destination.ip:(
    10.0.0.0/8 or
    127.0.0.0/8 or
    169.254.0.0/16 or
    172.16.0.0/12 or
    192.168.0.0/16 or
    224.0.0.0/4 or
    "::1" or
    "FE80::/10" or
    "FF00::/8"
  )
'''

[[rule.threat]]
framework = "MITRE ATT&CK"

[rule.threat.tactic]
id = "TA0011"
name = "Command and Control"
reference = "https://attack.mitre.org/tactics/TA0011/"

[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1048"
name = "Exfiltration Over Alternative Protocol"
reference = "https://attack.mitre.org/techniques/T1048/"

[rule.threat.tactic]
id = "TA0010"
name = "Exfiltration"
reference = "https://attack.mitre.org/tactics/TA0010/"
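To make the query's logic easy to trace, here is an added Python re-implementation of the same match conditions run over a handful of constructed ECS-style events. It is not Elastic's code and not part of the rule; the events, their labels, and the optional `excluded_sources` parameter (which models the "these servers can be excluded" advice from the false-positives note for a NAT-ed web server answering on a coincidental ephemeral port) are assumptions made for this illustration.

```python
# Added example: stand-alone re-implementation of the rule's KQL match logic.
# Not Elastic's code; the sample events below are constructed for illustration.
import ipaddress

IRC_PORTS = {6667, 6697}

# source.ip must fall in one of these RFC 1918 networks.
PRIVATE_SOURCES = [ipaddress.ip_network(n) for n in
                   ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# destination.ip must NOT fall in any of these; what remains is "the Internet".
EXCLUDED_DESTINATIONS = [ipaddress.ip_network(n) for n in
                         ("10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
                          "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4",
                          "::1", "fe80::/10", "ff00::/8")]


def in_any(addr, networks):
    """True if addr belongs to any network of the same IP version."""
    ip = ipaddress.ip_address(addr)
    return any(ip.version == net.version and ip in net for net in networks)


def matches_irc_rule(event, excluded_sources=()):
    """Return True when a flat ECS event satisfies the rule's query.

    excluded_sources (hypothetical tuning knob, not part of the query) lists
    source IPs to suppress, e.g. a NAT-ed web server known to reply to clients
    whose ephemeral port happened to be 6667/6697.
    """
    category = event.get("event.category", [])
    categories = set(category if isinstance(category, list) else [category])
    if not categories & {"network", "network_traffic"}:
        return False
    if event.get("network.transport") != "tcp":
        return False
    # Either a well-known IRC port or Zeek's analyzer having identified IRC.
    if not (event.get("destination.port") in IRC_PORTS
            or event.get("event.dataset") == "zeek.irc"):
        return False
    src, dst = event.get("source.ip"), event.get("destination.ip")
    if src is None or dst is None or src in excluded_sources:
        return False
    try:
        return in_any(src, PRIVATE_SOURCES) and not in_any(dst, EXCLUDED_DESTINATIONS)
    except ValueError:  # malformed address cannot satisfy a CIDR filter
        return False


def alerting_events(events, excluded_sources=()):
    """Labels of the events that would raise this rule."""
    return [e["label"] for e in events if matches_irc_rule(e, excluded_sources)]


# Constructed sample events using flattened ECS field names.
SAMPLE_EVENTS = [
    {"label": "workstation-to-irc", "event.category": ["network"],
     "network.transport": "tcp", "source.ip": "10.1.2.3",
     "destination.ip": "203.0.113.10", "destination.port": 6667},
    {"label": "internal-only", "event.category": "network_traffic",
     "network.transport": "tcp", "source.ip": "10.1.2.3",
     "destination.ip": "192.168.1.5", "destination.port": 6697},
    {"label": "zeek-irc-nonstandard-port", "event.category": ["network"],
     "event.dataset": "zeek.irc", "network.transport": "tcp",
     "source.ip": "172.16.5.5", "destination.ip": "198.51.100.7",
     "destination.port": 7000},
    {"label": "udp-on-6667", "event.category": ["network"],
     "network.transport": "udp", "source.ip": "10.1.2.3",
     "destination.ip": "203.0.113.10", "destination.port": 6667},
    {"label": "nat-web-server-reply", "event.category": ["network"],
     "network.transport": "tcp", "source.ip": "10.0.0.8", "source.port": 443,
     "destination.ip": "203.0.113.20", "destination.port": 6667},
]

if __name__ == "__main__":
    print(alerting_events(SAMPLE_EVENTS))
    print(alerting_events(SAMPLE_EVENTS, excluded_sources=("10.0.0.8",)))
```

The third event shows why the `event.dataset:zeek.irc` clause matters: IRC on a non-standard port still alerts when Zeek's protocol analyzer has identified it. The last event is the false positive the rule's own note describes; it satisfies every query condition, so suppression has to come from an exclusion list rather than from the query itself.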
