iSID Analyst Knowledge Base

Definitions and additional context on iSID alerts, along with helpful recommendations

Category: Preprocessor

(15 Alerts)

SMTP_B64_DECODING_FAILED

This alert is triggered when an SMTP (email) message fails Base64 decoding, which may indicate a malformed or potentially suspicious email, possibly attempting to bypass security filters.
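The condition behind this alert, shown as an added example rather than iSID's or Snort's own decoder: a small checker that walks each MIME part declaring base64 transfer encoding and decodes it strictly, so that bad padding or characters outside the base64 alphabet are reported instead of silently tolerated. The three messages are constructed samples, not captured mail.

```python
import base64
import email
from email.message import Message

# Constructed sample messages (not captured mail). All three declare a
# base64 body; only the first decodes cleanly (to "Hello, Bob.").
HEADERS = (
    "From: alice@example.test\r\n"
    "To: bob@example.test\r\n"
    "Subject: report\r\n"
    "MIME-Version: 1.0\r\n"
    "Content-Type: text/plain; charset=utf-8\r\n"
    "Content-Transfer-Encoding: base64\r\n"
    "\r\n"
)
GOOD_MSG = HEADERS + "SGVsbG8sIEJvYi4=\r\n"
BAD_PADDING_MSG = HEADERS + "SGVsbG8sIEJvYi4\r\n"     # final '=' missing
BAD_ALPHABET_MSG = HEADERS + "SGVsb*8sIEJvYi4=\r\n"   # '*' is not a base64 digit


def validate_base64_parts(raw_message: str) -> list:
    """Strictly decode every MIME part that declares base64 transfer encoding.

    Returns one finding per base64 part:
    {"part": n, "ok": bool, "reason": str, "size": decoded byte count}.
    """
    msg: Message = email.message_from_string(raw_message)
    findings = []
    for index, part in enumerate(msg.walk()):
        if part.is_multipart():
            continue
        cte = (part.get("Content-Transfer-Encoding") or "").strip().lower()
        if cte != "base64":
            continue
        payload = part.get_payload(decode=False)
        # RFC 2045 permits line breaks inside the encoded text, so drop
        # whitespace, but nothing else: stray characters must be caught.
        compact = "".join(payload.split())
        try:
            # validate=True rejects characters outside the alphabet and bad
            # padding; get_payload(decode=True) would have decoded leniently.
            decoded = base64.b64decode(compact, validate=True)
            findings.append({"part": index, "ok": True, "reason": "", "size": len(decoded)})
        except ValueError as exc:  # binascii.Error is a ValueError subclass
            findings.append({"part": index, "ok": False, "reason": str(exc), "size": 0})
    return findings


def smtp_b64_decoding_failed(raw_message: str) -> bool:
    """True when any base64-declared part fails strict decoding (the alert condition)."""
    return any(not f["ok"] for f in validate_base64_parts(raw_message))


if __name__ == "__main__":
    samples = [("good", GOOD_MSG), ("bad padding", BAD_PADDING_MSG), ("bad alphabet", BAD_ALPHABET_MSG)]
    for name, sample in samples:
        print(name, smtp_b64_decoding_failed(sample), validate_base64_parts(sample))
```

The `reason` field is what an analyst wants next to the alert: "Incorrect padding" usually points at a truncated or line-wrapped body, whereas a non-alphabet character is more often a deliberately obfuscated payload or a sender using a non-standard encoder.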

(spp_sip) URI is too long

This rule triggers when the SIP message being analyzed contains a URI (such as a web address or SIP identifier) that exceeds the length limitations specified in the protocol standards. This can indicate a malformed or potentially malicious SIP message. The rule helps identify abnormal or harmful SIP traffic resulting from misconfigurations, malformed requests, or attempts to exploit vulnerabilities in SIP-based systems. When it fires, investigate the specific SIP message: examine the source and destination IP addresses and ports and the content of the message to determine whether it is a legitimate request with an unusually long URI or a malicious attempt to exploit a vulnerability in the SIP implementation.

(spp_ssh) Challenge-Response Overflow exploit

The rule triggers when an attempt is made to exploit an overflow vulnerability in the challenge-response mechanism of SSH. An overflow vulnerability in this context suggests that an attacker is trying to send data that exceeds the allocated buffer size, potentially leading to arbitrary code execution or other security compromises.

(http_inspect) POST W/O CONTENT-LENGTH OR CHUNKS

This rule flags HTTP POST requests that carry neither a Content-Length header nor chunked transfer encoding, so the receiver has no proper information about the size of the message body. This can indicate malformed or suspicious HTTP traffic that warrants further analysis.
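How a detector arrives at this alert, as an added example that is not iSID's or Snort's http_inspect code: parse the request head, then classify how the POST body is framed. The sample requests are constructed. The example goes one step beyond the alert text by also reporting the case where both Content-Length and Transfer-Encoding: chunked are present, which RFC 7230 section 3.3.3 treats as ambiguous.

```python
# Constructed sample requests (not captured traffic).
POST_WITH_LENGTH = (
    b"POST /login HTTP/1.1\r\n"
    b"Host: app.example.test\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 9\r\n"
    b"\r\n"
    b"user=bob\n"
)
POST_CHUNKED = (
    b"POST /upload HTTP/1.1\r\n"
    b"Host: app.example.test\r\n"
    b"Transfer-Encoding: chunked\r\n"
    b"\r\n"
    b"4\r\nuser\r\n0\r\n\r\n"
)
POST_NO_FRAMING = (
    b"POST /login HTTP/1.1\r\n"
    b"Host: app.example.test\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"\r\n"
    b"user=bob\n"
)
POST_CONFLICT = (
    b"POST /login HTTP/1.1\r\n"
    b"Host: app.example.test\r\n"
    b"Content-Length: 9\r\n"
    b"Transfer-Encoding: chunked\r\n"
    b"\r\n"
)
GET_REQ = b"GET /index.html HTTP/1.1\r\nHost: app.example.test\r\n\r\n"


def parse_request_head(raw: bytes):
    """Split the request line from the headers.

    Header names are lower-cased; repeated headers are kept as a list so a
    duplicate Content-Length is visible to the caller rather than overwritten.
    """
    head, _, _ = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    request_line = lines[0].decode("ascii", errors="replace")
    method = request_line.split(" ", 1)[0].upper()
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if not sep:
            continue  # not a header line; a strict parser would reject the request
        key = name.strip().lower().decode("ascii", errors="replace")
        headers.setdefault(key, []).append(value.strip().decode("ascii", errors="replace"))
    return method, headers


def classify_post_body_framing(raw: bytes) -> str:
    """Return how the POST body length is framed; 'no-framing' is the alert condition."""
    method, headers = parse_request_head(raw)
    if method != "POST":
        return "not-post"
    has_length = "content-length" in headers
    chunked = any("chunked" in v.lower() for v in headers.get("transfer-encoding", []))
    if has_length and chunked:
        # RFC 7230 3.3.3: Transfer-Encoding takes precedence, but two parsers in
        # the request path may disagree, so this pair deserves its own label.
        return "conflicting-framing"
    if chunked:
        return "chunked"
    if has_length:
        return "content-length"
    return "no-framing"


if __name__ == "__main__":
    for name, req in [("length", POST_WITH_LENGTH), ("chunked", POST_CHUNKED),
                      ("none", POST_NO_FRAMING), ("conflict", POST_CONFLICT), ("get", GET_REQ)]:
        print(name, classify_post_body_framing(req))
```

A POST classified as `no-framing` under HTTP/1.1 leaves the server to guess where the body ends, which is why the preprocessor treats it as malformed; in triage, check whether the client is an old or home-grown HTTP library before assuming intent.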

(http_inspect) PROTOCOL-OTHER HTTP server response before client request

If a server sends an HTTP response without receiving a corresponding request from the client, it could indicate a misconfiguration, a potential security issue, or an attempt to exploit vulnerabilities in the server or application. This rule is a part of the HTTP inspection preprocessor in Snort. It aims to identify and alert on this unusual behavior in the HTTP protocol, which could be indicative of abnormal network activity or a potential attack. When this rule is triggered, it suggests that further investigation is needed to understand why the server is sending responses without proper client requests.

(dcerpc2) Connection-oriented DCE/RPC – Invalid major version

This rule triggers when a DCE/RPC connection is attempted but the major protocol version carried in the traffic is not a valid DCE/RPC version. It can detect attacks or misconfigurations in which malformed or malicious DCE/RPC traffic with an invalid major version is sent to exploit vulnerabilities or perform unauthorized actions. When the rule fires, it indicates a possible security issue or misconfiguration on the network; investigate the traffic to understand its nature and take appropriate action to mitigate any risk.

(spp_ssh) Protocol mismatch

The rule is designed to trigger an alert when it detects a protocol mismatch in the SSH communication. This could occur if the SSH client and server attempt to communicate using different SSH protocol versions or incompatible encryption algorithms. Such protocol mismatches may result from misconfigurations, attempts to use non-standard SSH implementations, or potential man-in-the-middle attacks attempting to interfere with SSH communication.

(spp_ssl) Invalid Client HELLO after Server HELLO Detected

The rule triggers when it detects an invalid SSL Client Hello, specifically a Client Hello arriving after the Server Hello has already been seen, which is out of order for the handshake. The Client Hello is the first message a client sends when initiating an SSL handshake with a server; it lists the parameters and cipher suites the client supports so the server can negotiate a secure connection.

(http_inspect) WEBROOT DIRECTORY TRAVERSAL

The rule is designed to trigger an alert when it detects a potential webroot directory traversal attack in the HTTP request. Directory traversal (also known as path traversal) is a web application vulnerability where an attacker tries to access files or directories outside of the intended web application's root directory. This attack is possible when the web application does not properly validate and sanitize user input used to construct file paths.
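The validation failure this alert points at, shown as an added example (not code from iSID, Snort, or any web server): the vulnerable concatenation next to a hardened resolver that decodes, normalizes, and then confirms the result is still under the webroot. The `WEBROOT` value and the request paths are assumptions made for the example.

```python
import posixpath
from urllib.parse import unquote

WEBROOT = "/var/www/html"  # assumed example webroot, not a value from the page


def naive_path(webroot: str, requested: str) -> str:
    """Vulnerable form: the request path is glued onto the webroot with no validation."""
    return webroot + "/" + requested


def safe_path(webroot: str, requested: str):
    """Hardened form: decode, normalize, then confirm the result stays under the webroot.

    Returns the resolved path, or None when the request must be rejected.
    """
    decoded = unquote(requested)   # traversal sequences often arrive percent-encoded
    if "\x00" in decoded:          # a NUL byte truncates paths in C-based file APIs
        return None
    root = posixpath.normpath(webroot)
    candidate = posixpath.normpath(posixpath.join(root, decoded.lstrip("/")))
    # normpath has collapsed every '..'; anything not under root has escaped it.
    if candidate != root and not candidate.startswith(root + "/"):
        return None
    return candidate


def traversal_attempt(requested: str) -> bool:
    """Detection view of the same logic: True when a request path would leave WEBROOT."""
    return safe_path(WEBROOT, requested) is None


if __name__ == "__main__":
    # Constructed request paths, not captured traffic.
    for req in ["index.html", "img/../css/style.css", "../../config/secrets.ini",
                "..%2f..%2fconfig/secrets.ini", "index.html%00.png"]:
        print(f"{req!r:36} naive={naive_path(WEBROOT, req)!r:50} safe={safe_path(WEBROOT, req)!r}")
```

Two caveats worth carrying into a real handler: decode exactly as many times as the server does (normalize after the last decode, otherwise a double-encoded `%252e` slips through), and resolve symbolic links before the containment check if the webroot can contain any, since `normpath` works on strings and never consults the filesystem.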

(spp_sip) Empty request URI

The rule is designed to trigger an alert when it detects SIP events where the request URI (Uniform Resource Identifier) is empty. The request URI in a SIP message identifies the target of the SIP request, indicating the desired communication session. An empty request URI is abnormal and can indicate a potential security issue or malformed SIP message.
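The two SIP start-line checks in this knowledge base, "URI is too long" above and "Empty request URI" here, share one parser, so a single added example serves both. It is not iSID's or Snort's spp_sip code. The length limit is an assumption: the Snort SIP preprocessor's `max_uri_len` option defaults to 256, and the constant below simply mirrors that default. The "Unknown method" and "Invalid SIP version" checks are this example's own additions, and all messages are constructed.

```python
# Assumed limit: mirrors the Snort SIP preprocessor's max_uri_len default (256).
MAX_URI_LEN = 256

SIP_METHODS = {
    "INVITE", "ACK", "BYE", "CANCEL", "REGISTER", "OPTIONS", "PRACK", "SUBSCRIBE",
    "NOTIFY", "PUBLISH", "INFO", "REFER", "MESSAGE", "UPDATE",
}

# Constructed sample messages (not captured traffic).
NORMAL_INVITE = (
    b"INVITE sip:bob@example.test SIP/2.0\r\n"
    b"Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK776asdhds\r\n"
    b"From: <sip:alice@example.test>;tag=1928301774\r\n"
    b"To: <sip:bob@example.test>\r\n"
    b"Call-ID: a84b4c76e66710@192.0.2.10\r\n"
    b"CSeq: 314159 INVITE\r\n"
    b"Content-Length: 0\r\n\r\n"
)
EMPTY_URI_INVITE = b"INVITE  SIP/2.0\r\nCall-ID: x1@192.0.2.10\r\n\r\n"
LONG_URI_INVITE = (
    b"INVITE sip:" + b"a" * 300 + b"@example.test SIP/2.0\r\n"
    b"Call-ID: x2@192.0.2.10\r\n\r\n"
)
RESPONSE_200 = b"SIP/2.0 200 OK\r\nCall-ID: x3@192.0.2.10\r\n\r\n"


def inspect_sip_request_line(message: bytes, max_uri_len: int = MAX_URI_LEN) -> list:
    """Check the SIP start line and return the names of the alerts it would raise.

    Splits on single spaces rather than whitespace runs so that an empty
    Request-URI, which appears as two consecutive spaces, is kept as an empty
    field instead of being collapsed away.
    """
    start_line, _, _ = message.partition(b"\r\n")
    if start_line.startswith(b"SIP/"):
        return []  # status line of a response; responses carry no Request-URI
    parts = start_line.split(b" ")
    if len(parts) != 3:
        return ["Malformed request line"]
    method, uri, version = parts
    alerts = []
    if method.decode("ascii", errors="replace") not in SIP_METHODS:
        alerts.append("Unknown method")
    if not version.startswith(b"SIP/"):
        alerts.append("Invalid SIP version")
    if uri == b"":
        alerts.append("Empty request URI")
    elif len(uri) > max_uri_len:
        alerts.append("URI is too long")
    return alerts


if __name__ == "__main__":
    for name, msg in [("normal", NORMAL_INVITE), ("empty uri", EMPTY_URI_INVITE),
                      ("long uri", LONG_URI_INVITE), ("response", RESPONSE_200)]:
        print(name, inspect_sip_request_line(msg))
```

When tuning the limit, measure the longest Request-URI your own trunks and PBXs legitimately send (some carriers embed routing parameters that push past 256 bytes) and raise `max_uri_len` to just above that, so the alert keeps its signal.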