This rule detects network events that may indicate the use of Telnet traffic. Telnet is commonly used by system administrators to remotely control older or embedded systems using the command line shell. It should almost never be directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or backdoor vector. As a plain-text protocol, it may also expose usernames and passwords to anyone capable of observing the traffic.

Read More

This rule detects Suricata high severity alerts that are observed for the first time in the previous 5 days of alert history. Analysts can use this to prioritize triage and response.

Read More

This detection correlates Suricata alerts with Elastic Defend network events to identify the source process performing the network activity.

Read More

This rule identifies network security alerts related to CVE-2025-55182 exploitation attempts from different network security integrations. CVE-2025-55182 is a critical remote code execution vulnerability in React Server Components (RSC) Flight protocol. The vulnerability allows attackers to execute arbitrary code on the server by sending specially crafted deserialization payloads that exploit prototype chain traversal to access the Function constructor.

Read More