This Snort rule is specifically crafted to detect attempts to exploit specific patterns associated with Apache Struts remote code execution vulnerabilities. It looks for these patterns in the HTTP request body of an established TCP connection on standard HTTP ports. If the patterns are detected, the rule triggers an alert.
This Snort rule is specifically crafted to detect attempts to exploit specific patterns associated with Apache Struts remote code execution vulnerabilities. It looks for these patterns in the HTTP header of an established TCP connection on standard HTTP ports. If the patterns are detected, the rule triggers an alert.
this Snort rule is designed to detect VNC server responses in TCP traffic from external networks to the internal network on any port. If the specified patterns are found within the payload of an established TCP connection, the rule triggers an alert. The rule is crafted to identify VNC server responses based on specific content patterns in the payload.
This Snort rule is specifically crafted to detect attempts to exploit the Apache Struts remote code execution vulnerability. It looks for specific patterns in the HTTP payload, indicating an attempt to exploit this known vulnerability. If the patterns are detected in the payload of an established TCP connection on standard HTTP ports, the rule triggers an alert.
This Snort rule is specifically crafted to detect attempts to exploit the Apache Struts remote code execution vulnerability. It looks for specific patterns in the HTTP payload, indicating an attempt to exploit this known vulnerability. If the patterns are detected in the payload of an established TCP connection on standard HTTP ports, the rule triggers an alert.
this Snort rule is designed to detect ICMP packets with a payload size outside the range of 100 to 130 bytes. If such packets are detected and occur more than 50 times within a 10-second window for a specific destination IP address, the rule triggers an alert. The rule is specifically crafted to identify potential covert channels where the payload size is used as a covert communication mechanism.
this Snort rule is designed to detect TCP traffic on non-standard ports (ports other than 22) that contains the string "ssh-" in the payload, indicating the presence of an SSH client. If such traffic is detected, the rule triggers an alert. The rule is specifically crafted to identify SSH client activity on ports other than the standard SSH port.
this Snort rule is designed to detect SSH connections established from external networks to the internal network on the standard SSH port (port 22). If such a connection is established and occurs at least once within a 10-second window, the rule triggers an alert. The rule is crafted to identify SSH traffic based on the presence of the "SSH-" string in the payload.
This rule detects unusual TCP traffic on port 1433, commonly associated with Microsoft SQL Server. Specifically, it looks for SYN packets coming from internal network addresses to any destination on port 1433 and triggers an alert if a certain threshold of such traffic is reached within a specific time frame. This kind of rule is often used to detect scanning behavior or potential infections targeting specific ports.
This Snort rule searches for HTTP traffic, specifically looking for PowerShell commands utilizing "ExecutionPolicy Bypass". It could indicate an attempt to execute malicious scripts or commands bypassing security policies. When this activity is detected based on the specified conditions, an alert will be generated.