GEN:SID | 1:488 |
Message | INFO Connection Closed MSG from Port 80 |
Summary | This event is generated when a connection is closed from a resource external to the protected network.
|
Impact | Unknown.
|
Detailed Information | This event indicates that an established connection has been closed from a source external to the protected network. Since the external connection port is 80, this is unusual behavior. It may be that an attacker is using port 80 on the external machine to initiate a connection to a machine on the protected network in an attempt to bypass firewall protection. When this connection is terminated, this rule will generate an event.
|
Affected Systems | All systems |
Attack Scenarios | An attacker can use port 80 from a compromised machine to connect to another compromised host in an attempt to bypass firewall restrictions by imitating normal web traffic.
|
Ease of Attack | Simple.
|
Corrective Action | Investigate the host for signs of system compromise.
|
Additional References | |