iSID Analyst Knowledge Base

Definitions, and additional context on iSID alerts along with helpful recommendations

SYN Flood Attack

This alert is triggered when detecting a potential SYN Flood attak. In the attack, the attacked server, has been overwhelmed by the flood of SYN requests, eventually reaches its limit for pending connections and cannot accept any new legitimate connection requests from other clients. This results in a denial of service for legitimate users who are unable to connect to the server.

SERVER-WEBAPP JBoss web console access attempt

This alert is triggered when detecting an attempt to access the web console of a JBoss application server. The JBoss web console is a graphical user interface provided by JBoss Application Server for managing and monitoring the server and its applications. This alert may be triggered when an adversary is attempting to exploit known vulnerabilities in the JBoss web console, such as CVE-2007-1036 and CVE-2013-2185. These vulnerabilities can allow unauthorized remote code execution and administrative access.

VxWorks Debug Service Information Disclosure Attempt

This alert is triggered when detecting an attempt to access the VxWorks Debug Service. VxWorks is a real-time operating system (RTOS) developed by Wind River Systems. The debug service in VxWorks is a feature used by developers for troubleshooting and optimization; however, it can disclose sensitive information if it's improperly secured. This alert may be triggered when an adversary is attempting to exploit the VxWorks Debug Service by sending crafted packets to port 17185 in order to extract sensitive information, such as configuration data or operational details of the targeted device.

SMBv3 Negotiate Protocol Response with Compression Capabilities Context

This alert is triggered when detecting an SMBv3 data compression response communication. SMBv3 is a network protocol used to provide shared access to files, printers, and other communication on a network. Data compression is the process of reducing the size of data files for storage by finding and eliminating redundancy in data. This alert may be triggered when an adversary is attempting to exploit a vulnerability in the SMBv3 Data compression process.

SERVER-WEBAPP JBoss JMXInvokerServlet access attempt

This alert is triggered when detecting an attempt to access the JMXInvokerServlet in the JBoss application server. JBoss JMXInvokerServlet is a component of JBoss Application Server that provides access to the JMX (Java Management Extensions) console, enabling users to manage and monitor resources in a Java Virtual Machine (JVM). This alert may be triggered when an adversary is attempting to exploit known vulnerabilities in the JBoss JMXInvokerServlet, such as CVE-2007-1036 and CVE-2013-2185. These vulnerabilities can allow unauthorized remote code execution and administrative access.