Traffic-Monitoring — CraftedSignal Threat Feedhttps://feed.craftedsignal.io/tags/traffic-monitoring/Trending threats, MITRE ATT&CK coverage, and detection metadata. Fed continuously.Hugoenhello@craftedsignal.iohello@craftedsignal.ioThu, 28 May 2026 17:48:00 +0000Prohibited Network Traffic Allowedhttps://feed.craftedsignal.io/briefs/2026-05-prohibited-traffic/Thu, 28 May 2026 17:48:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-05-prohibited-traffic/This analytic detects instances where prohibited network traffic is allowed, highlighting potential misconfigurations or policy violations that could lead to unauthorized access or data exfiltration, ultimately allowing attackers to bypass network defenses.This detection identifies instances where network traffic, defined as prohibited by port and transport layer protocol in the “lookup_interesting_ports” table, is being allowed. It leverages the Network_Traffic data model to cross-reference traffic data against security policies. The core concern is the potential for misconfigurations or policy violations, which can create pathways for unauthorized access or data exfiltration. If the allowed traffic is indeed malicious, attackers could circumvent established network defenses, increasing the risk of data breaches and compromising the organization’s overall security. This analytic is valuable for security operations centers (SOCs) as it directly addresses potential security gaps in network traffic management.

Attack Chain

  1. An attacker attempts to connect to a prohibited port (e.g., a port associated with known malware or a disallowed service).
  2. The network traffic passes through a firewall or other network control device.
  3. The firewall’s configuration incorrectly allows the traffic based on a misconfiguration or outdated policy.
  4. The traffic is allowed, bypassing the intended network security controls.
  5. The attacker establishes a connection to the internal system on the prohibited port.
  6. The attacker exploits a vulnerability associated with the service running on the prohibited port.
  7. The attacker gains unauthorized access to sensitive data or systems.
  8. The attacker exfiltrates data or establishes a command and control channel.

Impact

A successful bypass of prohibited network traffic controls can lead to significant security breaches. The impact ranges from unauthorized access to sensitive data to the establishment of persistent command and control channels within the network. The severity depends on the type of data accessed, the attacker’s objectives, and the duration of the compromise. This can also lead to ransomware deployment if the prohibited traffic allows access to vulnerable systems.

Recommendation

  • Deploy the Sigma rule Prohibited Network Traffic Allowed to your SIEM to detect instances where prohibited ports and protocols are allowed through your firewall.
  • Investigate any alerts generated by the Prohibited Network Traffic Allowed rule, focusing on the source and destination IPs involved in the traffic.
  • Review and update the “lookup_interesting_ports” table to ensure that all prohibited ports and protocols are accurately defined.
  • Verify firewall configurations and policies to identify and correct any misconfigurations that allow prohibited traffic.
  • Ensure that the Network_Traffic data model is properly populated with data from firewalls and other network control devices.
  • Investigate any findings from this analytic to see if it correlates with the analytic story: “Prohibited Traffic Allowed or Protocol Mismatch”.
]]>highadvisorynetworkpolicy-violationfirewalltraffic-monitoring