IRC (Internet Relay Chat) Protocol Activity to the Internetedit

Detects events that use common ports for Internet Relay Chat (IRC) to the Internet. IRC is a common protocol that can be used for chat and file transfers. This protocol is also a good candidate for remote control of malware and data transfers to and from a network.

Rule type: query

Rule indices:

  • filebeat-*

Severity: medium

Risk score: 47

Runs every: 5 minutes

Searches indices from: now-6m (Date Math format, see also Additional look-back time)

Maximum signals per execution: 100


  • Elastic
  • Network

Version: 3 (version history)

Added (Elastic Stack release): 7.6.0

Last modified (Elastic Stack release): 7.7.0

Potential false positivesedit

IRC activity may be normal behavior for developers and engineers but is unusual for non-engineering end users. IRC activity involving an unusual source or destination may be more suspicious. IRC activity involving a production server is often suspicious. Because these ports are in the ephemeral range, this rule may false under certain conditions, such as when a NAT-ed web server replies to a client which has used a port in the range by coincidence. In this case, these servers can be excluded. Some legacy applications may use these ports, but this is very uncommon and usually only appears in local traffic using private IPs, which does not match this rule’s conditions.

Rule queryedit

network.transport:tcp and destination.port:(6667 or 6697) and
source.ip:( or or and not
destination.ip:( or or or or "::1")

Threat mappingedit


Rule version historyedit

Version 3 (7.7.0 release)

Updated query, changed from:

network.transport: tcp and destination.port:(6667 or 6697) and (
network.direction: outbound or ( source.ip: ( or or and not destination.ip: (
or or ) )
Version 2 (7.6.1 release)
  • Removed auditbeat-*, packetbeat-*, and winlogbeat-* from the rule indices.