Detects suspicious child processes spawned from browsers. This could be the result of potential web browser exploitation.
Detects XSS attempts injected via GET requests in access logs
Detects several different DNS answers for one domain with IPs from both internal and external networks. Normally, DNS answers contain a TTL >100 (the DNS record is saved in the host cache for the duration of the TTL).
Detects a Flash Player update from an unofficial location