SERVER-WEBAPP Cisco IOS HTTP server denial of service attempt

This rule detects attempts to exploit a denial-of-service (DoS) vulnerability in the Cisco IOS HTTP server. It looks for a specific content pattern in the HTTP URI (a request URI ending in "?/") that may indicate a DoS attack against the server.

ID Number

30342

Signature

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Cisco IOS HTTP server denial of service attempt"; flow:to_server,established; content:"?/"; http_uri; pcre:"/\w*?\?\/$/U"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,10014; reference:bugtraq,1838; reference:url,www.cisco.com/en/US/products/hw/routers/ps295/products_security_notice09186a008020ce3f.html; classtype:attempted-dos; sid:30342; rev:2;)
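To show what the signature above actually fires on, here is an added Python illustration (not part of the rule page or of Snort) that applies the rule's content match and PCRE to constructed HTTP request lines; the percent-decoding step is an assumption that approximates Snort's http_uri normalization.

```python
import re
from typing import Optional
from urllib.parse import unquote

# Content match and PCRE taken from SID 30342: "?/" must appear in the URI,
# and /\w*?\?\/$/U requires the normalized URI to end in "?/".
CONTENT = "?/"
URI_PCRE = re.compile(r"\w*?\?/$")

# Minimal HTTP request-line parser: METHOD SP URI SP HTTP/x.y
REQUEST_LINE = re.compile(r"^([A-Z]+) (\S+) HTTP/\d\.\d$")


def extract_uri(request_line: str) -> Optional[str]:
    """Return the request-URI from a request line, or None if it is malformed."""
    m = REQUEST_LINE.match(request_line.strip())
    return m.group(2) if m else None


def sid_30342_matches(request_line: str) -> bool:
    """True if the request line would satisfy the rule's URI checks."""
    uri = extract_uri(request_line)
    if uri is None:
        return False
    # Assumption: percent-decoding stands in for Snort's http_uri normalization.
    norm = unquote(uri)
    # Fast-pattern content check first, as the engine would, then the PCRE.
    return CONTENT in norm and URI_PCRE.search(norm) is not None


def scan(request_lines) -> list:
    """Return the request lines that would raise this alert."""
    return [line for line in request_lines if sid_30342_matches(line)]


# Constructed sample request lines (not real traffic).
SAMPLE_REQUESTS = [
    "GET /status?/ HTTP/1.0",          # URI ends in "?/": alert
    "GET /status?%2F HTTP/1.1",        # same after percent-decoding: alert
    "GET /index.html?/help HTTP/1.1",  # "?/" present but not at the end: no alert
    "GET /index.html HTTP/1.1",        # benign: no alert
    "garbage line",                    # malformed request line: ignored
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_REQUESTS):
        print("ALERT:", hit)
```

The third sample shows why the PCRE matters: the "?/" content match alone would fire on it, but the anchored regex does not.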

MITRE ATT&CK Technique

Resource Exhaustion (T1499), Service Stop (T1489), Exploit Public-Facing Application (T1190), Data Destruction (T1485)

Severity

medium

Recommendations/Investigative actions

Ensure that you are running the latest version of Cisco IOS that includes security patches and updates, and keep the firmware of Cisco routers up to date with the latest vendor-released patches. Determine whether the connection was authorized. If it was approved, archive and baseline the rule. If not, examine the connection; if Internet IP addresses are involved, check whether there are other alerts involving that IP, block the IP addresses in the firewall, and investigate the relevant IP address.

External Links