Capture, inspect, and analyze network traffic to understand protocol behavior, detect anomalies, and defend against network-based attacks.
| Protocol | Description | Why Monitor | Risk |
|---|---|---|---|
| HTTP (HyperText Transfer Protocol) | Transmits web pages over the internet in plaintext | Targeted for SQL injection, XSS, and malware delivery | High |
| HTTPS (HTTP Secure) | Encrypted web traffic via SSL/TLS | Can conceal malicious activities within encrypted tunnels | Medium |
| DNS (Domain Name System) | Resolves domain names to IP addresses | Vulnerable to spoofing, cache poisoning, and DDoS amplification | High |
| SMTP (Simple Mail Transfer Protocol) | Protocol for sending emails between servers | Primary vector for phishing, spamming, and malware distribution | High |
| IMAP (Internet Message Access Protocol) | Retrieves and manages email from mail servers | Vector for email-based threats and account compromise | Medium |
| POP3 (Post Office Protocol 3) | Downloads email from a remote server | Essential for detecting email-based threats and exfiltration | Medium |
| FTP (File Transfer Protocol) | Transfers files between systems in plaintext | Vulnerable to credential theft, data interception, and unauthorized access | High |
| SFTP (SSH File Transfer Protocol) | Encrypted file transfer using SSH | Monitor for unusual activity; generally secure but not immune | Low |
| SSH (Secure Shell) | Encrypted remote login and command execution | Critical for detecting unauthorized access and brute-force attacks | Low |
| Telnet (Teletype Network) | Remote login without encryption (legacy) | Highly insecure; credentials sent in plaintext over the network | High |
| RDP (Remote Desktop Protocol) | Provides graphical remote desktop access | Commonly targeted for ransomware deployment and remote attacks | High |
| SMB (Server Message Block) | File sharing and network resource browsing | Exploited by EternalBlue; major ransomware attack vector | High |
| LDAP (Lightweight Directory Access Protocol) | Manages directory services and authentication | Target for directory traversal and unauthorized access attacks | Medium |
| SNMP (Simple Network Management Protocol) | Monitors and manages network devices | Exploited for network reconnaissance and unauthorized control | Medium |
| NTP (Network Time Protocol) | Synchronizes clocks across networked devices | Used in DDoS amplification attacks and time manipulation attacks | Medium |
| ICMP (Internet Control Message Protocol) | Diagnostic messaging and error reporting (ping) | Used for network scanning, tunneling, and DDoS attacks | Medium |
| TFTP (Trivial File Transfer Protocol) | Simplified FTP often used for device booting | No authentication; highly vulnerable to unauthorized file transfers | High |
| MSSQL (Microsoft SQL Server Protocol) | Access and management of MS SQL databases | Targeted for SQL injection and large-scale data breaches | High |
| MySQL (MySQL Database Protocol) | Access and management of MySQL databases | Common target for SQL injection and unauthorized data access | High |
| Syslog (System Logging Protocol) | Collects and transmits system event logs | Essential for incident detection and forensic log analysis | Low |