splApache-2.0from splunk/security_content

Cisco Smart Install Oversized Packet Detection

This analytic detects oversized Cisco Smart Install (SMI) protocol messages by inspecting traffic to TCP port 4786 within the Network_Traffic data model. Abnormally large SMI payloads have been associated with exploitation and protocol abuse (e.g., CVE-2018-0171; activity reported by the "Static Tundra" threat actor). Monitoring message sizes over time can help identify possible attempts at remote code execution, denial of service, or reconnaissance against Cisco devices exposing Smart Install.

Quality

FP risk

—

Forks

Views

Rule source🔒 locked

title: ████████████████████████
id: ████████-████-████-████-████████████
status: ██████████
description: ██████████████████████████████████████████
             ████████████████████████████████████████
author: ████████
tags:
  - attack.████
  - attack.████
logsource:
  product: ████████
  category: ████████████
detection:
  selection:
    Image|endswith: '████████████████'
    CommandLine|contains:
      - '████████████████████████'
      - '████████████████████████'
      - '██████████████████'
  condition: selection
level: ████████
falsepositives:
  - ████████████████████

🔒

Sign in to view the rule source

Free accounts can view the source for the top-ranked rules. Create one in seconds — no credit card required.