Unusual traffic

While it is difficult to anticipate what methods a hacker may use in an attempt to infiltrate a network or host, there are a few things that should never happen on a normal, healthy network. Because they are so useful for testing and for conveying error conditions, ICMP packets are a likely target for malicious redirection. Since TCP is the predominant transport protocol for most applications, you should look out for abnormalities in TCP headers or payloads that could be a sign of malicious intent.

Some examples of abnormalities to look out for are listed below, each giving the suspicious content followed by its description:

TCP bad flags: An illegal or unlikely combination of TCP flags. The SYN, SYN/ACK, ACK, PSH, FIN, and RST flags are normal when they're used in the appropriate places; anything else warrants investigation.

SYN packet contains data: The initial TCP SYN packet should never contain payload data; it is used to establish a session only. Note, however, that the third packet of the TCP three-way handshake (the ACK) can contain data.

Suspicious datagram payload contents: References to the operating system or other non-application directories, strange executables, or other payload data that doesn't seem to fit the purpose of the application being used to send the data.

Suspicious ping payload text: The text used to fill the payload of an ICMP Echo Request packet is usually a benign sequential series of letters and numbers or similar meaningless text. If this text appears to carry commands or meaningful data, it warrants investigation.

Clear text passwords in FTP or Telnet sessions: Seeing FTP used to transport sensitive business data, or Telnet used to administer switches and routers, isn't a sign of malicious intent by a hacker. It's negligent practice by employees, as both protocols, by design, transmit login IDs and passwords in clear text over the network, making it easy for even an unsophisticated hacker to capture them. Secure FTP (sftp) and Secure Shell (SSH, a Telnet replacement) solutions are available for all platforms on the Web.
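The first two entries above (illegal flag combinations and data on the initial SYN) can be checked mechanically on raw TCP segments. The following is an added example, not code from the book; it builds a handful of constructed segments with a small helper, parses the fixed 20-byte TCP header with the standard library only, and reports the classic anomalies (SYN+FIN, SYN+RST, a null flag set, FIN/PSH/URG without ACK, payload on a plain SYN). The rule set is mine, not the book's; in particular, TCP Fast Open (RFC 7413) does legitimately place data in a SYN, so that finding is a prompt for investigation rather than proof of misuse.

```python
"""Flag TCP header anomalies on raw TCP segments (added example, not from the book)."""
import struct

# Flag bits in the low byte of the TCP offset/flags word (RFC 793, RFC 3168).
FIN, SYN, RST, PSH, ACK, URG, ECE, CWR = (1 << i for i in range(8))


def build_tcp(flags: int, payload: bytes = b"", sport: int = 40000, dport: int = 80) -> bytes:
    """Pack a minimal 20-byte TCP header (no options) with the given flags and payload.

    Used only to construct sample input; sequence/ack numbers and checksum are dummies.
    """
    data_offset_words = 5                      # 5 x 32-bit words = 20-byte header
    off_flags = (data_offset_words << 12) | flags
    header = struct.pack("!HHIIHHHH", sport, dport, 1, 0, off_flags, 65535, 0, 0)
    return header + payload


def parse_tcp(segment: bytes) -> dict:
    """Return ports, flags and payload from a raw TCP segment (IP header already stripped)."""
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, seq, ack, off_flags, _win, _csum, _urg = struct.unpack("!HHIIHHHH", segment[:20])
    data_offset = (off_flags >> 12) * 4        # header length in bytes, options included
    if data_offset < 20 or data_offset > len(segment):
        raise ValueError(f"bad data offset {data_offset}")
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "flags": off_flags & 0xFF, "payload": segment[data_offset:]}


def classify(flags: int, payload_len: int) -> list[str]:
    """Return a list of anomaly descriptions for one segment (empty list = looks normal)."""
    findings = []
    if flags & SYN and flags & FIN:
        findings.append("SYN+FIN set together")
    if flags & SYN and flags & RST:
        findings.append("SYN+RST set together")
    if flags & (SYN | ACK | FIN | RST) == 0:
        findings.append("null flags (no SYN/ACK/FIN/RST)")
    if flags & (FIN | PSH | URG) and not flags & (ACK | SYN | RST):
        findings.append("FIN/PSH/URG without ACK")
    if flags & SYN and not flags & ACK and payload_len > 0:
        # Legitimate only with TCP Fast Open (RFC 7413); otherwise investigate.
        findings.append("payload on initial SYN")
    return findings


def scan(segments: list[bytes]) -> dict[int, list[str]]:
    """Map segment index -> findings, keeping only segments that triggered a rule."""
    report = {}
    for i, seg in enumerate(segments):
        info = parse_tcp(seg)
        findings = classify(info["flags"], len(info["payload"]))
        if findings:
            report[i] = findings
    return report


# Constructed sample traffic: three normal segments followed by four anomalous ones.
SAMPLE_SEGMENTS = [
    build_tcp(SYN),                                    # 0: normal handshake start
    build_tcp(SYN | ACK),                              # 1: normal handshake reply
    build_tcp(PSH | ACK, b"GET / HTTP/1.1\r\n\r\n"),   # 2: normal data segment
    build_tcp(SYN | FIN),                              # 3: illegal combination
    build_tcp(SYN, b"GET / HTTP/1.1\r\n\r\n"),         # 4: data on the initial SYN
    build_tcp(0),                                      # 5: null flag set
    build_tcp(FIN | PSH | URG),                        # 6: FIN/PSH/URG without ACK
]

if __name__ == "__main__":
    for index, findings in scan(SAMPLE_SEGMENTS).items():
        print(f"segment {index}: {', '.join(findings)}")
```

To run this over real traffic, feed `parse_tcp` the bytes that follow the IP header of each captured packet; the parser validates the data offset so truncated or malformed headers raise instead of producing a bogus payload length.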
