{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/policy-violation/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Secure Firewall Threat Defense","Splunk Enterprise","Splunk Enterprise Security","Splunk Cloud"],"_cs_severities":["high"],"_cs_tags":["network","policy-violation","firewall","traffic-monitoring"],"_cs_type":"advisory","_cs_vendors":["Cisco","Splunk"],"content_html":"\u003cp\u003eThis detection identifies instances where network traffic, defined as prohibited by port and transport layer protocol in the \u0026ldquo;lookup_interesting_ports\u0026rdquo; table, is being allowed. It leverages the Network_Traffic data model to cross-reference traffic data against security policies. The core concern is the potential for misconfigurations or policy violations, which can create pathways for unauthorized access or data exfiltration. If the allowed traffic is indeed malicious, attackers could circumvent established network defenses, increasing the risk of data breaches and compromising the organization\u0026rsquo;s overall security. This analytic is valuable for security operations centers (SOCs) as it directly addresses potential security gaps in network traffic management.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker attempts to connect to a prohibited port (e.g., a port associated with known malware or a disallowed service).\u003c/li\u003e\n\u003cli\u003eThe network traffic passes through a firewall or other network control device.\u003c/li\u003e\n\u003cli\u003eThe firewall\u0026rsquo;s configuration incorrectly allows the traffic based on a misconfiguration or outdated policy.\u003c/li\u003e\n\u003cli\u003eThe traffic is allowed, bypassing the intended network security controls.\u003c/li\u003e\n\u003cli\u003eThe attacker establishes a connection to the internal system on the prohibited port.\u003c/li\u003e\n\u003cli\u003eThe attacker exploits a vulnerability associated with the service running on the prohibited port.\u003c/li\u003e\n\u003cli\u003eThe attacker gains unauthorized access to sensitive data or systems.\u003c/li\u003e\n\u003cli\u003eThe attacker exfiltrates data or establishes a command and control channel.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful bypass of prohibited network traffic controls can lead to significant security breaches. The impact ranges from unauthorized access to sensitive data to the establishment of persistent command and control channels within the network. The severity depends on the type of data accessed, the attacker\u0026rsquo;s objectives, and the duration of the compromise. This can also lead to ransomware deployment if the prohibited traffic allows access to vulnerable systems.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eProhibited Network Traffic Allowed\u003c/code\u003e to your SIEM to detect instances where prohibited ports and protocols are allowed through your firewall.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the \u003ccode\u003eProhibited Network Traffic Allowed\u003c/code\u003e rule, focusing on the source and destination IPs involved in the traffic.\u003c/li\u003e\n\u003cli\u003eReview and update the \u0026ldquo;lookup_interesting_ports\u0026rdquo; table to ensure that all prohibited ports and protocols are accurately defined.\u003c/li\u003e\n\u003cli\u003eVerify firewall configurations and policies to identify and correct any misconfigurations that allow prohibited traffic.\u003c/li\u003e\n\u003cli\u003eEnsure that the Network_Traffic data model is properly populated with data from firewalls and other network control devices.\u003c/li\u003e\n\u003cli\u003eInvestigate any findings from this analytic to see if it correlates with the analytic story: \u0026ldquo;Prohibited Traffic Allowed or Protocol Mismatch\u0026rdquo;.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-28T17:48:00Z","date_published":"2026-05-28T17:48:00Z","id":"https://feed.craftedsignal.io/briefs/2026-05-prohibited-traffic/","summary":"This analytic detects instances where prohibited network traffic is allowed, highlighting potential misconfigurations or policy violations that could lead to unauthorized access or data exfiltration, ultimately allowing attackers to bypass network defenses.","title":"Prohibited Network Traffic Allowed","url":"https://feed.craftedsignal.io/briefs/2026-05-prohibited-traffic/"}],"language":"en","title":"CraftedSignal Threat Feed — Policy-Violation","version":"https://jsonfeed.org/version/1.1"}