iSID Analyst Knowledge Base

Definitions, and additional context on iSID alerts along with helpful recommendations

ET SCAN Non-Allowed Host Tried to Connect to MySQL Server

This alert is triggered when a non-allowed host tries to connect to a MySQL server on the monitored network. MySQL is an open-source relational database management system. This rule specifically identifies the error message returned by MySQL servers when a host, which is not allowed, tries to establish a connection. This alert may be triggered when an adversary or unauthorized entity is attempting to access a MySQL database to which they do not have permissions.

ET SCAN External to Internal UPnP Request tcp port 2555

This alert is triggered when an external host sends a UPnP request to an internal host on TCP port 2555. UPnP (Universal Plug and Play) is a set of networking protocols that allows devices to seamlessly discover each other's presence on the network and establish functional services for data sharing and communications. This alert may be triggered when an external adversary or scanner is probing internal devices' UPnP services. Receiving an external UPnP request on port 2555 is suspicious.

ET SCAN Internal to Internal UPnP Request tcp port 2555

This alert is triggered when an internal host sends a UPnP request to another internal host on TCP port 2555. UPnP (Universal Plug and Play) is a set of networking protocols that allows devices to seamlessly discover each other's presence on the network and establish functional services for data sharing and communications. This alert may be triggered when an internal entity is scanning or probing other internal devices' UPnP services, which is unusual behavior for typical internal network traffic.

ET SCAN MYSQL 4.1 brute force root login attempt

This alert is triggered when detecting multiple MySQL 4.1 root login attempts from a single source, implying a possible brute force attack. MySQL is a widely used open-source relational database management system. The rule specifically checks for attempts to login as the "root" user. This alert may be triggered when an adversary is attempting to gain unauthorized access to the MySQL database by trying to brute-force the root account.

ET SCAN MYSQL 4.0 brute force root login attempt

This alert is triggered when detecting multiple MySQL 4.0 root login attempts from a single source, implying a possible brute force attack. MySQL is a widely used open-source relational database management system. The rule specifically checks for attempts to login as the "root" user. This alert may be triggered when an adversary is attempting to gain unauthorized access to the MySQL database by trying to brute-force the root account.