You are a SOC analyst reviewing IDS/IPS alerts from the current shift. Your SIEM has surfaced 6 alerts.
For each alert, classify it as: True Positive (real attack, alert fired), False Positive (benign activity misflagged),
True Negative (no alert, no attack), or False Negative (real attack, no alert). Note that every row below is an alert
that actually fired, so only True Positive or False Positive can describe the row itself; the other two classes
describe what the sensor did not raise and matter when you judge coverage, not when you grade a single alert.
Then answer the rule-writing question at the bottom.
Environment Context

Known Good IPs
  10.0.0.5  → Vuln Scanner
  10.0.0.10 → Web Server
  10.0.0.50 → Backup Agent

Threat Intel
  203.0.113.99  → Known C2
  198.51.100.42 → Tor exit node
  Port 4444     → Meterpreter default

Baseline (normal behaviour)
  DNS queries: <500/hr
  Outbound HTTPS: normal on 443
  SSH: internal only
Classify each alert using the context above

Alert ID | Time  | Signature / Description                                | Src IP → Dst IP               | Severity | Classification
---------|-------|--------------------------------------------------------|-------------------------------|----------|---------------
#1001    | 04:03 | Port scan detected: TCP SYN to 1024 ports              | 10.0.0.5 → 10.0.0.0/24        | MEDIUM   |
#1002    | 08:41 | Outbound connection to known C2: TCP 443               | 10.0.0.87 → 203.0.113.99      | CRITICAL |
#1003    | 09:15 | SQL injection attempt: pattern OR 1=1                  | 198.51.100.42 → 10.0.0.10     | HIGH     |
#1004    | 02:04 | Large outbound data transfer: 4.2 GB to 10.0.0.50      | 10.0.0.10 → 10.0.0.50         | MEDIUM   |
#1005    | 11:30 | Meterpreter reverse shell: TCP port 4444               | 10.0.0.23 → 198.51.100.42     | CRITICAL |
#1006    | 13:45 | SSH brute-force: 847 failed attempts in 2 min          | 192.0.2.55 → 10.0.0.10        | HIGH     |
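The Known Good IPs list is exactly the kind of context a sensor should carry itself, so that authorised noise is tuned once rather than re-triaged every shift. The fragment below is an added example of how that tuning looks on a Snort 2 sensor; it is not part of the original exercise and is not an answer key, and the analyst still has to classify each alert above. The sfportscan settings other than ignore_scanners, and the local sid 1000010 standing in for whatever rule raised the large-transfer event, are assumptions.

```snort
# Added example, not from the original exercise. Snort 2 snort.conf / threshold.conf
# fragments. sid 1000010 and the sfportscan options other than ignore_scanners are assumed.

# The portscan preprocessor (gen_id 122) is what raises "Port scan detected" events.
# Telling it that 10.0.0.5 is the authorised vulnerability scanner stops that source
# from being scored at all. Caveat: this also hides 10.0.0.5 if it is ever compromised
# and used to pivot, so pair it with a scheduled-scan baseline rather than trusting blindly.
preprocessor sfportscan: proto { all } scan_type { all } sense_level { low } ignore_scanners { 10.0.0.5 }

# Do NOT blanket-suppress transfers to the backup agent with
#   suppress gen_id 1, sig_id 1000010, track by_dst, ip 10.0.0.50
# because that would also hide an attacker staging stolen data on the backup host.
# Rate-limit the event per source instead: a nightly backup job from the web server
# produces one event per hour, while a brand-new source sending 4 GB still alerts.
event_filter gen_id 1, sig_id 1000010, type limit, track by_src, count 1, seconds 3600

# Threat Intel destinations (the C2 address, the Tor exit node) are never tuned down;
# no suppress or event_filter is written for them on purpose.
```

The distinction that matters operationally is between ignore_scanners or suppress, which remove visibility for a source or destination entirely, and event_filter with type limit, which only caps the volume. Prefer the latter whenever the benign explanation depends on the pairing of source and destination, as it does for the web server backing up to 10.0.0.50.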
Rule Writing Question
Alert #1005 (Meterpreter on port 4444) was detected but not blocked: the device was configured as an IDS, not an IPS.
Which Snort rule would correctly alert AND block outbound TCP connections to port 4444?
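A worked answer, added here as an example and not part of the original exercise. In Snort 2 the rule action decides what happens to a matching packet: alert logs and forwards, drop logs and discards, reject logs, discards and sends a TCP RST. The first rule reproduces the alert-only shape the IDS presumably had (the original rule is not on the page, so that is an assumption), the second is the answer, and the third is the stricter variant. The sids 1000001 to 1000003, the msg strings and the classtype are assumed local values (local sids must be 1000000 or above), and $HOME_NET / $EXTERNAL_NET are assumed to be set in snort.conf.

```snort
# Added example, not from the original exercise. sids 1000001-1000003, msg text and
# classtype are assumed; ipvar HOME_NET 10.0.0.0/24 is assumed to be defined in snort.conf.

# 1. What an IDS-only deployment had: alert logs the event and lets the packet through.
#    flags:S,12 matches the SYN (ignoring the two reserved bits) so the rule fires once
#    per connection attempt instead of on every packet of the session.
alert tcp $HOME_NET any -> $EXTERNAL_NET 4444 (msg:"LOCAL Outbound TCP 4444 (Meterpreter default port)"; flags:S,12; classtype:trojan-activity; sid:1000001; rev:1;)

# 2. The answer: drop logs the event AND discards the packet. Because there is no
#    flow:established, the very first SYN is dropped and the session never forms.
drop tcp $HOME_NET any -> $EXTERNAL_NET 4444 (msg:"LOCAL Outbound TCP 4444 (Meterpreter default port) - dropped"; flags:S,12; classtype:trojan-activity; sid:1000002; rev:1;)

# 3. Stricter variant: reject drops, logs, and sends a TCP RST so the internal host's
#    stager fails fast instead of retransmitting the SYN until it times out.
reject tcp $HOME_NET any -> $EXTERNAL_NET 4444 (msg:"LOCAL Outbound TCP 4444 (Meterpreter default port) - reset"; flags:S,12; classtype:trojan-activity; sid:1000003; rev:1;)
```

Two caveats a practitioner would add. First, the action keyword alone changes nothing: a passive sensor cannot discard traffic whatever the rule says, so the device must also be redeployed inline (Snort 2: snort -Q --daq afpacket -i eth0:eth1 -c /etc/snort/snort.conf; Snort 3 keeps the drop and reject actions and the -Q inline flag). Second, 4444 is only Metasploit's default LPORT and is trivially changed, so a port-based drop closes this one alert, not the Meterpreter problem; payload and flow-based Meterpreter signatures, plus the C2 and Tor exit node intel from the context section, are what give real coverage.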