This alert is triggered when an adversary is attempting to exploit a remote command execution vulnerability in the HTTP server (httpd) of the DD-WRT firmware for wireless routers. DD-WRT is an open-source Linux-based firmware for wireless routers, and its HTTP server is used for its web-based configuration interface.
This alert is designed to detect an attempt to exploit a command execution vulnerability in SAP systems using the ConfigServlet. The rule is specifically searching for network traffic directed at port 50000 (often used by SAP applications) containing a specific sequence of URI patterns indicating a possible attack.
This alert is triggered when detecting an access attempt to the HP OpenView Operations Agent. HP OpenView Operations Agent is a component of the HP OpenView suite that offers centralized monitoring and management of IT environments. The rule specifically checks for requests to the "/Hewlett-Packard/OpenView/Coda" URI, which is related to the OpenView Operations Agent. This alert may be triggered when an adversary is attempting to exploit known vulnerabilities in the HP OpenView Operations Agent, such as CVE-2012-2019 and CVE-2012-2020.
This alert is triggered when detecting specific content indicative of an attempt to exploit CVE-2009-2011 a vulnerability in Worldweaver DX Studio Player. Worldweaver DX Studio Player is a multimedia application that's used for creating interactive 3D web applications. The rule is detecting an attempt to exploit a known vulnerability in the application that enables command execution via the shell.execute command.
This alert is triggered when detecting an access attempt to the JBoss JMX console. The JBoss JMX (Java Management Extensions) console is a web-based interface used for managing and monitoring JBoss Application Server resources. The rule checks for access attempts to the /jmx-console/ URI, which indicates an effort to access this management console. This alert may be triggered when an adversary is attempting to exploit known vulnerabilities in the JBoss JMX, such as CVE-2007-1036 and CVE-2013-2185. These vulnerabilities can allow unauthorized remote code execution and administrative access.
This alert is triggered when detecting an attempt to access the admin console of a JBoss application server. The JBoss admin console is a web-based interface used for managing and configuring JBoss Application Server resources. This alert may be triggered when an adversary is attempting to exploit known vulnerabilities in the JBoss admin console, such as CVE-2007-1036 and CVE-2013-2185. These vulnerabilities can allow unauthorized remote code execution and administrative access.
This alert is triggered when an adversary is attempting to exploit CVE-2013-6810 a directory traversal vulnerability in the EMC Connectrix Manager via its FileUploadController. EMC Connectrix Manager is a web application for managing Connectrix switches. A directory traversal vulnerability would allow an attacker to access files on the server that are outside the intended directory. The specific point of interest here is the "FileUploadController," which the attacker is trying to exploit by sending specially crafted filenames in their request.
This alert is triggered when an adversary is attempting to exploit CVE-2005-2917 a denial of service vulnerability in the Squid proxy server, specifically related to how it handles authentication headers. Squid is a widely-used proxy server that helps organizations increase their web performance by caching web content and also providing filtering capabilities. The vulnerability is linked to how Squid handles "Proxy-Authorization" headers with "NTLM" authentication.
This alert is triggered when an adversary is attempting to exploit CVE-2011-0807 and gain access to the Oracle GlassFish Server without providing a "JSESSIONID". Oracle GlassFish Server is an open-source application server provided by Oracle for the Java EE platform. The rule specifically detects attempts to bypass authentication by targeting the "/applications/upload" URI and looking for specific patterns in the request.
This alert is triggered when an internal host sends a UPnP request to another internal host on TCP port 2555. UPnP (Universal Plug and Play) is a set of networking protocols that allows devices to seamlessly discover each other's presence on the network and establish functional services for data sharing and communications. This alert may be triggered when an internal entity is scanning or probing other internal devices' UPnP services, which is unusual behavior for typical internal network traffic.