iSID Analyst Knowledge Base

Definitions, and additional context on iSID alerts along with helpful recommendations

Category: Cyber Attack

( 538 Alerts)

SERVER-APACHE Apache Struts remote code execution attempt

This Snort rule is specifically crafted to detect attempts to exploit specific patterns associated with Apache Struts remote code execution vulnerabilities. It looks for these patterns in the HTTP request body of an established TCP connection on standard HTTP ports. If the patterns are detected, the rule triggers an alert.

SERVER-APACHE Apache Struts remote code execution attempt

This Snort rule is specifically crafted to detect attempts to exploit specific patterns associated with Apache Struts remote code execution vulnerabilities. It looks for these patterns in the HTTP header of an established TCP connection on standard HTTP ports. If the patterns are detected, the rule triggers an alert.

NF – VNC server response

this Snort rule is designed to detect VNC server responses in TCP traffic from external networks to the internal network on any port. If the specified patterns are found within the payload of an established TCP connection, the rule triggers an alert. The rule is crafted to identify VNC server responses based on specific content patterns in the payload.

SERVER-APACHE Apache Struts remote code execution attempt

This Snort rule is specifically crafted to detect attempts to exploit the Apache Struts remote code execution vulnerability. It looks for specific patterns in the HTTP payload, indicating an attempt to exploit this known vulnerability. If the patterns are detected in the payload of an established TCP connection on standard HTTP ports, the rule triggers an alert.

SERVER-APACHE Apache Struts remote code execution attempt

This Snort rule is specifically crafted to detect attempts to exploit the Apache Struts remote code execution vulnerability. It looks for specific patterns in the HTTP payload, indicating an attempt to exploit this known vulnerability. If the patterns are detected in the payload of an established TCP connection on standard HTTP ports, the rule triggers an alert.

NF – ICMP Payload to big for normal use – Covert Channel

this Snort rule is designed to detect ICMP packets with a payload size outside the range of 100 to 130 bytes. If such packets are detected and occur more than 50 times within a 10-second window for a specific destination IP address, the rule triggers an alert. The rule is specifically crafted to identify potential covert channels where the payload size is used as a covert communication mechanism.

NF – POLICY – SSH Client detected on non SSH standard port

this Snort rule is designed to detect TCP traffic on non-standard ports (ports other than 22) that contains the string "ssh-" in the payload, indicating the presence of an SSH client. If such traffic is detected, the rule triggers an alert. The rule is specifically crafted to identify SSH client activity on ports other than the standard SSH port.

NF – SSH connection established

this Snort rule is designed to detect SSH connections established from external networks to the internal network on the standard SSH port (port 22). If such a connection is established and occurs at least once within a 10-second window, the rule triggers an alert. The rule is crafted to identify SSH traffic based on the presence of the "SSH-" string in the payload.

ET SCAN Behavioral Unusual Port 1433 traffic Potential Scan or Infection

This rule detects unusual TCP traffic on port 1433, commonly associated with Microsoft SQL Server. Specifically, it looks for SYN packets coming from internal network addresses to any destination on port 1433 and triggers an alert if a certain threshold of such traffic is reached within a specific time frame. This kind of rule is often used to detect scanning behavior or potential infections targeting specific ports.

MALWARE-OTHER PowerShell invocation with ExecutionPolicy Bypass attempt

This Snort rule searches for HTTP traffic, specifically looking for PowerShell commands utilizing "ExecutionPolicy Bypass". It could indicate an attempt to execute malicious scripts or commands bypassing security policies. When this activity is detected based on the specified conditions, an alert will be generated.