iSID Analyst Knowledge Base

Definitions, and additional context on iSID alerts along with helpful recommendations

NF – POLICY – LLMNR – Link-local Multicast name resolution in use – Unsafe to use

Traffic of LLMNR was detected. LLMNR (Link-Local Multicast Name Resolution) is a protocol used in modern Windows operating systems (starting from Windows Vista and later) to resolve the names of neighboring computers on the same local network (link-local) when traditional DNS (Domain Name System) resolution fails

NF – POLICY – AnyDesk – Replay domain lookup

A DNS reply from AnyDesk (remote control tool) was made from the internal network to the internet.

NF – POLICY – AnyDesk – BOOT domain lookup

A DNS request for AnyDesk (remote control tool) was made from the internal network to the internet.

SERVER-WEBAPP EMC Connectrix Manager FileUploadController directory traversal attempt

This alert is triggered when detecting an attempt to exploit CVE-2013-6810 a directory traversal vulnerability in EMC Connectrix Manager. EMC Connectrix Manager is an application used to manage storage infrastructure. This rule is particularly looking for signs of an attacker attempting to exploit the system by specifying a file path that navigates outside of the intended directory, potentially aiming to overwrite system files or place malicious scripts on the server.

SERVER-WEBAPP Synology DiskStation Manager SLICEUPLOAD remote command execution attempt

This alert is triggered when detecting an attempt to exploit CVE-2013- 6955 a remote command execution vulnerability in Synology DiskStation Manager. The Synology DiskStation Manager is an operating system used by Synology's NAS devices. This rule is particularly looking for signs of an attacker attempting to exploit the 'SLICEUPLOAD' feature by specifying the 'imageSelector.cgi' endpoint and a specific header, potentially aiming to execute malicious commands.