iSID Analyst Knowledge Base

Definitions, and additional context on iSID alerts along with helpful recommendations

Category: Cyber Attack

( 538 Alerts)

(http_inspect) WEBROOT DIRECTORY TRAVERSAL

The rule is designed to trigger an alert when it detects a potential webroot directory traversal attack in the HTTP request. Directory traversal (also known as path traversal) is a web application vulnerability where an attacker tries to access files or directories outside of the intended web application's root directory. This attack is possible when the web application does not properly validate and sanitize user input used to construct file paths.

(spp_sip) Empty request URI

The rule is designed to trigger an alert when it detects SIP events where the request URI (Uniform Resource Identifier) is empty. The request URI in a SIP message identifies the target of the SIP request, indicating the desired communication session. An empty request URI is abnormal and can indicate a potential security issue or malformed SIP message.

(spp_sip) Maximum dialogs within a session reached

The rule is designed to trigger an alert when it detects a SIP event where the maximum number of allowed dialogs within a session is exceeded. In SIP, a dialog represents a peer-to-peer communication relationship between two user agents (e.g., phones, softphones, etc.). A session can include multiple dialogs for different communication exchanges.

(http_inspect) JUNK LINE BEFORE HTTP RESPONSE HEADER

The rule is designed to trigger an alert when it detects a junk line or invalid data before the response headers in an HTTP server's response. Normally, an HTTP response should start with a valid set of response headers, and any deviation from this expected format may indicate a potential issue or anomaly in the server's response.

(http_inspect) OVERSIZE REQUEST-URI DIRECTORY

Oversized Request-URI directories in HTTP requests can sometimes indicate attempts to exploit vulnerabilities in web applications or perform various types of attacks, such as directory traversal attacks. These attacks aim to access files or directories outside of the web server's intended directory structure. The "http_inspect" preprocessor in Snort monitors the HTTP traffic, and when it encounters an HTTP request with an excessively large Request-URI directory, it triggers this alert

(http_inspect) SERVER CONSECUTIVE SMALL CHUNK SIZES

The rule is designed to trigger an alert when it detects consecutive small chunk sizes in the HTTP server's response during a chunked transfer encoding scenario. In HTTP chunked transfer encoding, the server divides the response data into smaller chunks and sends them in succession, with each chunk's size specified before the chunk itself. Consecutive small chunk sizes in the server's response could indicate potential issues or anomalies in the HTTP communication. This behavior might be seen in malformed or manipulated HTTP traffic, which may require further investigation.

NF – TTL below 30 – TTL Expiry Attack from inside to outside

A TTL (Time To Live) below 30 attack refers to a specific type of network attack where an attacker intentionally sets the TTL value to a very low value (typically below 30) in packets they send out. This attack aims to exploit the Time To Live mechanism in the IP protocol to perform reconnaissance or evade network security measures.

NF – Don’t Fragment bit set – check for covert channel

The purpose of this rule is to potentially detect patterns associated with covert channels that abuse ICMP echo requests with the Don't Fragment bit set

(http_inspect) INVALID CHUNK SIZE OR CHUNK SIZE FOLLOWED BY JUNK CHARACTERS

The rule is designed to trigger an alert when it detects invalid chunked data in the HTTP response during a chunked transfer encoding scenario. This can happen if the server sends an HTTP response with chunked data that does not adhere to the proper syntax or format required for chunked transfer encoding. Invalid chunked data in an HTTP response could indicate potential issues or anomalies in the server's response.

NF – POLICY – AnyDesk – BOOT domain lookup

A DNS request for AnyDesk (remote control tool) was made from the internal network to the internet.