SERVER-WEBAPP HP OpenView Operations Agent request attempt
This alert is triggered when an access attempt to the HP OpenView Operations Agent is detected.
HP OpenView Operations Agent is a component of the HP OpenView suite that offers centralized monitoring and management of IT environments. The rule specifically checks for requests to the "/Hewlett-Packard/OpenView/Coda" URI, which is related to the OpenView Operations Agent.
This alert may be triggered when an adversary is attempting to exploit known vulnerabilities in the HP OpenView Operations Agent, such as CVE-2012-2019 and CVE-2012-2020.
Signature
alert tcp $EXTERNAL_NET any -> $HOME_NET 383 (msg:"SERVER-WEBAPP HP OpenView Operations Agent request attempt"; flow:to_server,established; content:"/Hewlett-Packard/OpenView/Coda"; fast_pattern:only; http_uri; flowbits:set,hp_openview_coda; flowbits:noalert; metadata:policy max-detect-ips alert, policy security-ips alert, service http; reference:cve,2012-2019; reference:cve,2012-2020; classtype:misc-activity; sid:24313; rev:14;)
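The matching logic of the signature above, re-implemented in Python over constructed request records as an added example (this is not Snort code and not part of the original page). It assumes a $HOME_NET of 10.0.0.0/8 and approximates the http_uri normalization; note that because of flowbits:noalert the rule only sets the hp_openview_coda flowbit for other rules to consume and does not itself raise an alert.

```python
import ipaddress
import posixpath
from dataclasses import dataclass
from urllib.parse import unquote

AGENT_PORT = 383                                 # "$HOME_NET 383" in the rule
CODA_URI = "/Hewlett-Packard/OpenView/Coda"     # the rule's content: match
HOME_NET = ipaddress.ip_network("10.0.0.0/8")   # constructed; stands in for $HOME_NET
FLOWBIT = "hp_openview_coda"                     # flowbits:set,hp_openview_coda

@dataclass
class Request:
    src_ip: str
    dst_ip: str
    dst_port: int
    request_line: str  # constructed request line, e.g. "GET /path HTTP/1.1"
def normalized_uri(request_line):
    """Approximate Snort's http_uri buffer: percent-decode and collapse ./ and ../ in the path."""
    parts = request_line.split()
    if len(parts) < 2:
        return None
    path = unquote(parts[1].split("?", 1)[0])
    return posixpath.normpath(path)

def evaluate_sid_24313(req, flows):
    """Return (flowbit_set, alert) for one request, mirroring the rule's options."""
    src, dst = ipaddress.ip_address(req.src_ip), ipaddress.ip_address(req.dst_ip)
    if src in HOME_NET or dst not in HOME_NET or req.dst_port != AGENT_PORT:
        return False, False                      # $EXTERNAL_NET -> $HOME_NET 383 only
    uri = normalized_uri(req.request_line)
    if uri is None or CODA_URI not in uri:
        return False, False
    flows.setdefault((req.src_ip, req.dst_ip, req.dst_port), set()).add(FLOWBIT)
    return True, False                           # flowbits:noalert: bit set, no alert raised

SAMPLES = [  # constructed traffic; none of these are real captures
    Request("198.51.100.7", "10.1.2.3", 383, "GET /Hewlett-Packard/OpenView/Coda/ HTTP/1.1"),
    Request("198.51.100.7", "10.1.2.3", 383, "GET /Hewlett-Packard/./OpenView/%43oda HTTP/1.1"),
    Request("198.51.100.7", "10.1.2.3", 8080, "GET /Hewlett-Packard/OpenView/Coda HTTP/1.1"),
    Request("10.9.9.9", "10.1.2.3", 383, "GET /Hewlett-Packard/OpenView/Coda HTTP/1.1"),
    Request("198.51.100.7", "10.1.2.3", 383, "GET /index.html HTTP/1.1"),
]

def run_samples():
    """Evaluate every constructed sample; returns (per-request results, per-flow flowbits)."""
    flows = {}
    results = [evaluate_sid_24313(r, flows) for r in SAMPLES]
    return results, flows

if __name__ == "__main__":
    print(run_samples())
```

Only the first two samples set the flowbit (the second despite dot-segments and percent-encoding in the path); the wrong port, an internal source and an unrelated URI all fall through, and no sample ever alerts.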
Recommendations/Investigative actions
It is recommended to verify the legitimacy of the access attempt, as it might be part of a routine operation by a system administrator. If possible, block communication attempts from external networks, or allow access only from specific external devices. Verify whether HP OpenView Operations Agent is running a vulnerable version. If so, patch or update the software to a non-vulnerable version.
Relations to other alerts