iSID Analyst Knowledge Base

Definitions and additional context for iSID alerts, along with helpful recommendations

Category: Cyber Attack

(538 Alerts)

SERVER-OTHER Apache Log4j logging remote code execution attempt

This alert detects attempts to exploit the Apache Log4j remote code execution vulnerability (commonly known as Log4Shell). The rule matches HTTP requests whose URI contains the string ${jndi: and fires when such traffic flows toward the server on an established connection. Vulnerable Log4j versions evaluate that prefix as a lookup and perform a JNDI request (LDAP, RMI and similar) to whatever host the string names, which is how a logged request becomes code execution on the server. Note that the match is on the literal string: attackers routinely split it with nested lookups such as ${${lower:j}ndi: or ${::-j}${::-n}..., which this rule alone will miss, and the same payload is often delivered in headers (User-Agent, X-Forwarded-For) rather than the URI. Treat a hit as a scanning or exploitation attempt against the destination host, check whether that host runs a vulnerable Log4j version, and look for outbound LDAP or RMI connections from it to the host named in the lookup, which would indicate the lookup was actually evaluated.

(spp_sip) URI is too long

When this rule fires, the SIP message being analyzed carries a Request-URI (for example sip:user@host) longer than the maximum the SIP preprocessor is configured to accept (its max_uri_len option, 256 bytes by default). The SIP standard sets no hard limit, so the threshold is a sensor setting, but an overlong URI is a classic way to probe for buffer-handling bugs in SIP stacks and may indicate a malformed or malicious message; it can also come from a misconfigured or nonstandard client. Investigate the specific message: look at the source and destination addresses and ports, the method, and the URI itself to decide whether this is a legitimate request with an unusually long identifier or an attempt to exploit a vulnerability in the SIP implementation. If a particular legitimate device is the source, raising max_uri_len for that preprocessor is preferable to ignoring the alert.
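As an added illustration (not iSID or Snort code), this parses the request line of a SIP message and applies the length check described above. The limit of 256 bytes is an assumption taken from the preprocessor's documented default; the two INVITE messages, the addresses in them and the function names are constructed for the example.

```python
# Assumed limit: Snort's spp_sip option max_uri_len defaults to 256 bytes.
MAX_URI_LEN = 256

# Constructed SIP requests using documentation addresses (not a real capture).
INVITE_OK = (
    "INVITE sip:bob@203.0.113.5 SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK776asdhds\r\n"
    "From: Alice <sip:alice@192.0.2.10>;tag=1928301774\r\n"
    "To: Bob <sip:bob@203.0.113.5>\r\n"
    "Call-ID: a84b4c76e66710\r\n"
    "CSeq: 314159 INVITE\r\n"
    "Content-Length: 0\r\n\r\n"
)
# Same message with a 300-character user part in the Request-URI.
INVITE_LONG_URI = INVITE_OK.replace(
    "INVITE sip:bob@203.0.113.5 SIP/2.0",
    "INVITE sip:" + "A" * 300 + "@203.0.113.5 SIP/2.0",
)


def parse_request_line(msg):
    """Split the SIP request line into (method, request_uri, version).

    A SIP response starts with the version instead of a method, and a
    Request-URI never contains an unescaped space, so a three-way split
    on spaces is sufficient here.
    """
    first = msg.split("\r\n", 1)[0]
    parts = first.split(" ")
    if len(parts) != 3 or not parts[2].startswith("SIP/"):
        raise ValueError("not a SIP request line: %r" % first)
    return parts[0], parts[1], parts[2]


def check_uri_length(msg, max_len=MAX_URI_LEN):
    """Return the record the preprocessor would alert on for this message."""
    method, uri, _ = parse_request_line(msg)
    return {"method": method, "uri_len": len(uri), "alert": len(uri) > max_len}


if __name__ == "__main__":
    for name, msg in (("ok", INVITE_OK), ("long", INVITE_LONG_URI)):
        print(name, check_uri_length(msg))
```

Feeding a SIP response (first line SIP/2.0 200 OK) raises ValueError, which mirrors the fact that the URI length check applies to requests only.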

(spp_ssh) Challenge-Response Overflow exploit

This rule fires when the SSH preprocessor sees traffic matching the challenge-response buffer overflow exploit against OpenSSH, an attack from 2002 in which the client sends far more authentication response data than the server's challenge-response code allocated, overwriting adjacent memory and potentially leading to arbitrary code execution on the server. Because the exploit runs after the key exchange, the payload is encrypted and cannot be inspected directly; the preprocessor instead flags an abnormally large volume of client-to-server data immediately after authentication begins. Check the SSH version of the destination server: current OpenSSH releases are not affected, so a hit against one is most likely scanner traffic or a false positive from a client that sends unusually large packets early in the session.

(http_inspect) POST W/O CONTENT-LENGTH OR CHUNKS

This rule flags an HTTP POST request that carries neither a Content-Length header nor Transfer-Encoding: chunked, so nothing in the request states where the message body ends. HTTP/1.1 requires one of the two for a request with a body; without them the server (and any proxy in front of it) has to guess the body length, which is the ambiguity that request-smuggling attacks exploit, and it also lets a client push data the inspection engine cannot frame. The same alert can come from a broken client or from a POST with an empty body. Pull the full request from the session, check whether a body actually follows the headers, and confirm whether the source is a legitimate application.

(http_inspect) PROTOCOL-OTHER HTTP server response before client request

If a server sends an HTTP response without a corresponding client request having been seen on the connection, the stream is not behaving like normal request/response HTTP. This rule is part of Snort's HTTP inspection preprocessor (http_inspect) and alerts on that ordering violation. Common causes are a sensor that missed the start of the session (the request was sent before capture began, or over a path the sensor does not see), a misconfigured server, traffic that is not actually HTTP on an HTTP port, or an attempt to confuse the inspection engine or exploit the server or application. When it fires, confirm first whether the sensor saw the whole connection; if it did, examine the server and the bytes preceding the response to establish why it responded unprompted.

(dcerpc2) Connection-oriented DCE/RPC – Invalid major version

This rule fires when a connection-oriented DCE/RPC PDU (for example a bind or request over TCP port 135 or an SMB named pipe) carries an rpc_vers field in its header that is not the expected value; the protocol's major version is 5, and the preprocessor rejects anything else. A wrong major version can mean the traffic is not DCE/RPC at all (another protocol on the same port or pipe), a fuzzer or scanner sending deliberately malformed headers, or an attempt to slip crafted traffic past decoders that abandon the PDU on the bad version while the endpoint still processes it. Because DCE/RPC carries Windows administration interfaces, investigate the source, the targeted interface and whether the session continues after the bad PDU, and block the source if it is not a legitimate Windows or RPC client.
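As an added example (not the dcerpc2 preprocessor's code), this decodes the 16-byte common header of a connection-oriented DCE/RPC PDU and reproduces the version check the alert describes. The byte order of the length and call-id fields is taken from the packed_drep field, as a real decoder must do. The header-only sample PDUs, the builder helper and the alert strings are constructed for the example; a real bind PDU carries a body after the header.

```python
import struct

# ptype values from the DCE/RPC connection-oriented PDU header.
PTYPES = {0: "request", 2: "response", 3: "fault", 11: "bind", 12: "bind_ack",
          13: "bind_nak", 14: "alter_context", 15: "alter_context_resp"}


def parse_co_header(pdu):
    """Decode the 16-byte common header of a connection-oriented DCE/RPC PDU."""
    if len(pdu) < 16:
        raise ValueError("PDU shorter than the 16-byte common header")
    rpc_vers, rpc_vers_minor, ptype, pfc_flags = struct.unpack_from("<BBBB", pdu, 0)
    drep = pdu[4:8]
    # packed_drep byte 0, high nibble: 1 = little-endian integers, 0 = big-endian.
    # The remaining fields must be decoded in the byte order the sender declares.
    endian = "<" if (drep[0] & 0xF0) == 0x10 else ">"
    frag_length, auth_length, call_id = struct.unpack_from(endian + "HHI", pdu, 8)
    return {
        "rpc_vers": rpc_vers,
        "rpc_vers_minor": rpc_vers_minor,
        "ptype": PTYPES.get(ptype, "unknown(%d)" % ptype),
        "pfc_flags": pfc_flags,
        "little_endian": endian == "<",
        "frag_length": frag_length,
        "auth_length": auth_length,
        "call_id": call_id,
    }


def check_header(pdu):
    """Return the list of preprocessor-style alerts this PDU would raise."""
    h = parse_co_header(pdu)
    alerts = []
    if h["rpc_vers"] != 5:
        alerts.append("Invalid major version: %d" % h["rpc_vers"])
    if h["rpc_vers_minor"] not in (0, 1):
        alerts.append("Invalid minor version: %d" % h["rpc_vers_minor"])
    if h["frag_length"] != len(pdu):
        alerts.append("frag_length %d does not match PDU length %d"
                      % (h["frag_length"], len(pdu)))
    return alerts


def co_header(major=5, minor=0, ptype=11, little_endian=True, frag_length=16, call_id=1):
    """Build a header-only PDU (constructed test data; a real bind has a body).

    pfc_flags 0x03 = PFC_FIRST_FRAG | PFC_LAST_FRAG, i.e. a single-fragment PDU.
    """
    drep = bytes([0x10 if little_endian else 0x00, 0, 0, 0])
    endian = "<" if little_endian else ">"
    return (bytes([major, minor, ptype, 0x03]) + drep
            + struct.pack(endian + "HHI", frag_length, 0, call_id))


BIND_OK = co_header()
BIND_BIG_ENDIAN = co_header(little_endian=False)
BIND_BAD_MAJOR = co_header(major=4)

if __name__ == "__main__":
    for name, pdu in (("ok", BIND_OK), ("big-endian", BIND_BIG_ENDIAN), ("bad major", BIND_BAD_MAJOR)):
        print(name, parse_co_header(pdu)["ptype"], check_header(pdu))
```

The big-endian sample shows why the check cannot simply hard-code little-endian parsing: the version bytes come before the data representation field and are always single bytes, but frag_length and call_id would be misread if the drep were ignored, producing spurious length alerts on perfectly valid traffic.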

SERVER-WEBAPP Cisco Security Manager XmpFileDownloadServlet directory traversal attempt

This Snort rule detects attempts to exploit the directory traversal vulnerability in Cisco Security Manager's XmpFileDownloadServlet. It matches HTTP requests whose URI targets that servlet and contains path traversal sequences (such as ../ or their URL-encoded forms) meant to escape the intended download directory and read arbitrary files from the server. A hit means someone is actively probing the Security Manager instance: verify the server's patch level, identify which file was requested, and treat a successful response (HTTP 200 with file content) as a confirmed disclosure.

SMBv3 Negotiate Protocol Request with Compression Capabilities Context

This Snort rule detects SMB 3.1.1 Negotiate Protocol Requests that include an SMB2_COMPRESSION_CAPABILITIES negotiate context (context ID 0x0003), that is, a client advertising support for SMB compression. Clients that support compression advertise it legitimately (recent Windows 10 and Windows Server builds do), so a single hit is not an attack by itself; the rule exists because the SMB compression code path is where a critical remote code execution vulnerability was found in 2020, and the negotiate context is the earliest point in a session at which a tool targeting it can be seen. Use the alert for inventory and baselining: note which hosts negotiate compression, make sure SMB servers are patched or have compression disabled, and investigate sources that are not expected Windows clients or that follow the negotiation with unusual compressed transform headers.

TDC-SOC – Possible BlackNurse attack from external source 3,3

This Snort rule detects ICMP packets of type 3, code 3 (Destination Unreachable, Port Unreachable), which is what the 3,3 in the rule name refers to, arriving from an external source at a rate above the threshold set by the rule's detection filter. BlackNurse is a denial of service attack that sends such packets at a modest rate: unlike volumetric floods it needs little bandwidth, since around 20 Mbit/s of these packets can exhaust the CPU of certain firewalls, which then drop legitimate traffic. An alert therefore indicates an ongoing attack on the firewall or gateway from the outside, not a virus inside the network. Check the firewall's CPU load and whether its handling of ICMP type 3 code 3 from untrusted interfaces is rate-limited or disabled, and identify and block the sending addresses. A low, steady trickle of port-unreachable messages is normal, which is why the rule uses a threshold instead of firing on every packet.
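As an added example (not the TDC-SOC rule itself), this emulates the rule's logic: match ICMP type 3 code 3 from outside the protected range, count matches per destination over a sliding window, and raise once the count reaches a threshold. The protected range 192.0.2.0/24, the threshold of 250 packets per second and the synthetic packet streams are assumptions made for the example; the real rule's detection_filter values are not reproduced on this page.

```python
import ipaddress
from collections import defaultdict, deque

# Assumptions for the example: the protected range and the rate threshold.
HOME_NET = ipaddress.ip_network("192.0.2.0/24")
COUNT, SECONDS = 250, 1.0
ICMP_DEST_UNREACH, ICMP_PORT_UNREACH = 3, 3


class BlackNurseDetector:
    """Emulates a Snort detection_filter (track by_dst) for ICMP type 3, code 3."""

    def __init__(self, count=COUNT, seconds=SECONDS, home_net=HOME_NET):
        self.count, self.seconds, self.home_net = count, seconds, home_net
        self.windows = defaultdict(deque)  # dst -> timestamps inside the window

    def observe(self, pkt):
        """Feed one packet; return True when the threshold is met for its destination."""
        if (pkt["type"], pkt["code"]) != (ICMP_DEST_UNREACH, ICMP_PORT_UNREACH):
            return False
        src, dst = ipaddress.ip_address(pkt["src"]), ipaddress.ip_address(pkt["dst"])
        if src in self.home_net or dst not in self.home_net:
            return False  # rule direction: $EXTERNAL_NET -> $HOME_NET
        win = self.windows[dst]
        win.append(pkt["ts"])
        # Drop timestamps that fell out of the trailing window.
        while win and win[0] <= pkt["ts"] - self.seconds:
            win.popleft()
        return len(win) >= self.count


def alerts_for(packets, **kw):
    """Indices of the packets on which the detector fires."""
    det = BlackNurseDetector(**kw)
    return [i for i, p in enumerate(packets) if det.observe(p)]


def icmp_stream(n, duration, src, dst, type_=3, code=3):
    """Constructed traffic: n ICMP packets spread evenly over `duration` seconds."""
    return [{"ts": i * duration / n, "src": src, "dst": dst, "type": type_, "code": code}
            for i in range(n)]


# Constructed streams (documentation addresses, no real traffic).
FLOOD = icmp_stream(300, 1.0, "198.51.100.9", "192.0.2.10")       # attack: 300 pps
TRICKLE = icmp_stream(50, 10.0, "198.51.100.9", "192.0.2.10")     # 5 pps, normal noise
INTERNAL = icmp_stream(300, 1.0, "192.0.2.20", "192.0.2.10")      # wrong direction
ECHO_FLOOD = icmp_stream(300, 1.0, "198.51.100.9", "192.0.2.10", type_=8, code=0)

if __name__ == "__main__":
    for name, pkts in (("flood", FLOOD), ("trickle", TRICKLE),
                       ("internal", INTERNAL), ("echo", ECHO_FLOOD)):
        hits = alerts_for(pkts)
        print(name, "first alert at packet", hits[0] if hits else None, "total", len(hits))
```

Like Snort's detection_filter, the detector fires on the packet that reaches the count and on every further matching packet while the window stays full, so the flood produces one alert per packet from the 250th onward; an internal source or an ICMP echo flood produces none, and the trickle only alerts if the threshold is lowered far below the assumed value.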