
Summary
The rule detects the use of cleartext protocols via Netflow by monitoring traffic to destination ports commonly associated with unencrypted protocols. Cleartext communication can expose user credentials and other sensitive data to interception and exploitation by adversaries. The rule targets ports such as HTTP (80) and FTP (21), as well as ports used by databases and administrative interfaces (e.g., MySQL on port 3306 and Oracle on port 1521, among others). Its main objective is to ensure that usernames and authentication credentials are transmitted only over encrypted channels, strengthening the security posture against credential access attacks. Proper implementation thus protects sensitive information in transit, ensuring that network communications, especially those involving administrative accounts, are secured with encryption. The rule also supports compliance with various security frameworks and standards by highlighting protocol use that could lead to unauthorized access and data breaches.
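The following is an added illustration of the port-based matching the summary describes, written here as a defender's triage script; it is not the rule's own implementation. It runs over a handful of constructed Netflow-style records exported as CSV. The port list is an assumption: it contains the ports the summary names (80, 21, 3306, 1521) plus a few other well-known cleartext services, and the flow-record field names are assumed as well.

```python
"""Flag Netflow records whose destination port belongs to a cleartext protocol.

Added example; not the rule's own implementation. The port list below is an
assumption: it uses the ports the rule description names (80, 21, 3306, 1521)
plus a few other well-known cleartext services.
"""
import csv
import io
from collections import defaultdict

# Destination ports treated as cleartext (assumed list, see module docstring).
CLEARTEXT_PORTS = {
    21: "ftp",
    23: "telnet",
    25: "smtp",
    80: "http",
    110: "pop3",
    143: "imap",
    1521: "oracle",
    3306: "mysql",
}

# IP protocol number for TCP, as carried in the Netflow "proto" field.
TCP = 6

# Constructed sample flows in a CSV export layout (one flow per line).
# Fields: ts, src_ip, dst_ip, proto (IP protocol number), dst_port, bytes
SAMPLE_FLOWS = """\
ts,src_ip,dst_ip,proto,dst_port,bytes
2019-03-26T10:00:01Z,10.0.1.15,10.0.2.30,6,3306,4820
2019-03-26T10:00:02Z,10.0.1.15,10.0.2.31,6,443,15020
2019-03-26T10:00:03Z,10.0.1.22,10.0.2.40,6,21,910
2019-03-26T10:00:04Z,10.0.1.22,10.0.2.40,6,22,2200
2019-03-26T10:00:05Z,10.0.1.40,10.0.2.50,6,1521,7710
2019-03-26T10:00:06Z,10.0.1.40,10.0.2.51,17,53,128
2019-03-26T10:00:07Z,10.0.1.15,10.0.2.60,6,80,3100
"""


def parse_flows(text):
    """Parse a CSV flow export into dicts with typed numeric fields."""
    reader = csv.DictReader(io.StringIO(text))
    flows = []
    for row in reader:
        flows.append({
            "ts": row["ts"],
            "src_ip": row["src_ip"],
            "dst_ip": row["dst_ip"],
            "proto": int(row["proto"]),
            "dst_port": int(row["dst_port"]),
            "bytes": int(row["bytes"]),
        })
    return flows


def cleartext_flows(flows, ports=CLEARTEXT_PORTS):
    """Return the flows the rule would fire on: TCP to a cleartext port.

    Each hit carries the matched service name so an analyst can see at a
    glance which protocol is in use. UDP flows (e.g. DNS on 53) and TCP
    flows to ports outside the list (443, 22) are left alone.
    """
    hits = []
    for f in flows:
        if f["proto"] == TCP and f["dst_port"] in ports:
            hits.append(dict(f, service=ports[f["dst_port"]]))
    return hits


def summarize_by_source(hits):
    """Group hits per source host: {src_ip: {service: total_bytes}}.

    Triage view: a host that repeatedly speaks MySQL or FTP in the clear is
    a stronger signal than a single stray HTTP flow.
    """
    summary = defaultdict(lambda: defaultdict(int))
    for h in hits:
        summary[h["src_ip"]][h["service"]] += h["bytes"]
    return {src: dict(svc) for src, svc in summary.items()}


if __name__ == "__main__":
    hits = cleartext_flows(parse_flows(SAMPLE_FLOWS))
    for h in hits:
        print(f'{h["ts"]} {h["src_ip"]} -> {h["dst_ip"]}:{h["dst_port"]} ({h["service"]})')
    print(summarize_by_source(hits))
```

On the constructed input this flags four flows (MySQL, FTP, Oracle and HTTP) and attributes two of them to the same source host. Matching on destination port is a heuristic: a cleartext service moved to a non-standard port is missed, and TLS deliberately run on port 80 would still be flagged, so hits are a prompt to confirm the protocol from payload or proxy logs rather than a verdict on their own.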
Categories
- Network
- Cloud
- On-Premise
Data Sources
- Network Traffic
Created: 2019-03-26