IRC (Internet Relay Chat) Protocol Activity to the Internetedit

Detects events that use common ports for Internet Relay Chat (IRC) to the Internet. IRC is a common protocol that can be used for chat and file transfers. This protocol is also a good candidate for remote control of malware and data transfers to and from a network.

Rule type: query

Rule indices:

  • filebeat-*
  • packetbeat-*
  • logs-endpoint.events.*

Severity: medium

Risk score: 47

Runs every: 5 minutes

Searches indices from: now-6m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

Tags:

  • Elastic
  • Host
  • Network
  • Threat Detection
  • Command and Control

Version: 5 (version history)

Added (Elastic Stack release): 7.6.0

Last modified (Elastic Stack release): 7.10.0

Rule authors: Elastic

Rule license: Elastic License

Potential false positivesedit

IRC activity may be normal behavior for developers and engineers but is unusual for non-engineering end users. IRC activity involving an unusual source or destination may be more suspicious. IRC activity involving a production server is often suspicious. Because these ports are in the ephemeral range, this rule may false under certain conditions, such as when a NAT-ed web server replies to a client which has used a port in the range by coincidence. In this case, these servers can be excluded. Some legacy applications may use these ports, but this is very uncommon and usually only appears in local traffic using private IPs, which does not match this rule’s conditions.

Rule queryedit

event.category:(network or network_traffic) and network.transport:tcp
and (destination.port:(6667 or 6697) or event.dataset:zeek.irc) and
source.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and not
destination.ip:(10.0.0.0/8 or 127.0.0.0/8 or 172.16.0.0/12 or
192.168.0.0/16 or "::1")

Threat mappingedit

Framework: MITRE ATT&CKTM

Rule version historyedit

Version 5 (7.10.0 release)
  • Formatting only
Version 4 (7.9.0 release)
  • Updated query, changed from:

    network.transport:tcp and destination.port:(6667 or 6697) and
    source.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and not
    destination.ip:(10.0.0.0/8 or 127.0.0.0/8 or 172.16.0.0/12 or
    192.168.0.0/16 or "::1")
Version 3 (7.7.0 release)
  • Updated query, changed from:

    network.transport: tcp and destination.port:(6667 or 6697) and (
    network.direction: outbound or ( source.ip: (10.0.0.0/8 or
    172.16.0.0/12 or 192.168.0.0/16) and not destination.ip: (10.0.0.0/8
    or 172.16.0.0/12 or 192.168.0.0/16) ) )
Version 2 (7.6.1 release)
  • Removed auditbeat-*, packetbeat-*, and winlogbeat-* from the rule indices.