Network Flow - Anomalous Data Transfer

Just looking at the payload to determine IP/ports and make sure the behavior is within reason and allowed. Anything more than 2GB is going to make me suspicious; 99% of these alerts are under 1 gig, though, which is mostly false positives for us.
