SonicALERT
Search

Sonicwall Signatures

 

  All Categories


Category: SUSPICIOUS-TRAFFIC

This SonicWALL IPS signature category consists of a group of signatures that can detect and prevent certain types of traffic that are almost always associated with malicious requests. This category includes requests that have very little use except to attackers who wish to cause a denial of service or perform reconaissance on a particular network in preparation for a future attack.

The first set of signatures in this category are standard requests for transport layer protocols that ask for port 0, and invalid port that can cause errors on servers. A TCP request to port 0, for example, can cause the server to return an error message that includes information about the server, including the version numbers of installed software that can give attackers vital leads on how to design attacks to compromise the machine. A UDP packet to port 0 can cause even more serious problems; some servers crash in response to this packet, causing a denial of service.

This category also detects particular SYN requests that are sent to multicast addresses. SYN requests are a particular TCP request that ask a remote computer to intiate a connection and wait for an acknolwedgement. These requests are used to initiate TCP connections so the computers on both ends are synchronized. Attackers often modify the "source host" field SYN packets to perform a denial of service attack. A computer recieving a forged SYN packet will respond to the computer named in the source host field, initiating a connection that neither computer needed to initiate in the first place. When a flood of these packets are sent to a multicast address, they are forwarded to all of the computers on that address' subnet, causing all of those computers to initiate TCP connections with the computer named as the source host. In addition to choking bandwidth on the subnet used to amplify the signal, this can cause the supposed "source host" computer to run out of connections or crash, disrupting any services that it may provide. This is commonly known as a "smurfing" attack.

Because traffic detected by SonicWALL Bad-Traffic signatures is mostly harmless on its own, these signatures are classified as low priority. However, if administrators recognize that an inordinate amount of this traffic is traversing their network, they can enable the signatures for prevention to cut off imminent attacks.

  Riskware MalHTML IOC
  Drovorub WebSocket Payload IOC
  Locky Ransomware IOC
  Remote Desktop Connection Insecure Library Loading (MS11-017)
  Microsoft Visual Studio MFC Insecure Library Loading (MS11-025)
  RDP Malformed Request 1
  Windows Components Insecure Library Loading (MS11-071)
  LPD Malformed Request 2
  Client Application sti.dll Insecure Library Loading
  Client Application iacenc.dll Insecure Library Loading
  Client Application wintab32.dll Insecure Library Loading 1
  Client Application ncrypt.dll Insecure Library Loading
  Server Application Remote Code Execution 10
  Server Application Remote Code Execution 25
  Server Application Directory Traversal 4
  Client Application Binary Planting 4
  Client Application wintab32.dll Insecure Library Loading 2
  Client Application Code Execution 13
  Server Application Directory Traversal 7
  Server Application Remote Code Execution 12
  Server Application Format String Attack 4
  Server Application Remote Code Execution 21
  Server Application Remote Code Execution 29
  ICMPv4 Malformed Traffic 1
  DHCP Malformed Request 3
  CUPS Malformed Request 2
  Telnet Malformed Request 1
  Client Application quserex.dll Insecure Library Loading
  Client Application wintab32.dll Insecure Library Loading 3
  Server Application Directory Traversal 8
  Spoofed Facebook Domain Access
  Client Application api-ms-win-core-winrt.dll Insecure Library Loading
  Client Application msdaora.dll Insecure Library Loading 1
  Client Application phoneinfo.dll Insecure Library Loading
  NTP Malformed Request 3
  Client Application ceutil.dll Insecure Library Loading
  DHCP Malformed Request 4
  Suspicious UDP Traffic 3
  Server Application Remote Code Execution 32
  Server Application Directory Traversal 9
  SNMP Malformed Request 1
  Server Application Remote Code Execution 33
  Server Application Remote Code Execution 34
  Spoofed Apple Services Domain Access 1
  Spoofed Apple Services Domain Access 2
  Client Application Binary Planting 6
  Client Application ehtrace.dll Insecure Library Loading 1
  Client Application ehtrace.dll Insecure Library Loading 2
  Client Application ehtrace.dll Insecure Library Loading 3
  Client Application msdaora.dll Insecure Library Loading 2
  SQL Slammer Attack Traffic
  Greeting Card.zip Attachments IOC
  PPTP Malformed Request 1
  Server Application Remote Code Execution 35
  Client Application Binary Planting 1
  Telnet Malformed Request 2
  Client Application dwmapi.dll Insecure Library Loading
  Server Application Remote Code Execution 2 -c2
  Gopher Malformed Response
  Client Application Code Execution 25
  Client Application Code Execution 26
  Client Application Code Execution 27
  Client Application Code Execution 24
  Server Application Directory Traversal 10
  Server Application Remote Code Execution 28
  PPTP Malformed Request 2
  PPTP Malformed Request 3
  Server Application Remote Code Execution 20 -c2
  ISAKMP Malformed Request 1
  ISAKMP Malformed Request 2
  Server Application Directory Traversal 1
  Suspicious UDP Traffic 4
  Server Application Directory Traversal 2
  Client Application Code Execution 9
  Autodesk AutoCAD Insecure Library Loading
  Server Application Remote Code Execution 19
  Microsoft Office Chinese Grammar Checker Insecure Library Loading 1
  Microsoft Office Chinese Grammar Checker Insecure Library Loading 2
  Client Application Code Execution 7
  SSH Malformed Request 1
  Client Application Code Execution 1
  Server Application Directory Traversal 3
  Server Application Remote Code Execution 11
  Server Application Remote Code Execution 13
  Corel PDF Fusion Insecure Library Loading
  Server Application Remote Code Execution 7
  Server Application Remote Code Execution 14
  CUPS Malformed Request 1
  Server Application Remote Code Execution 3
  Server Application Remote Code Execution 3 -c2
  Server Application Format String Attack 1
  Server Application Format String Attack 2
  Server Application Format String Attack 3
  Client Application Code Execution 17
  Server Application Remote Code Execution 5
  LPD Malformed Request 1
  Server Application Remote Code Execution 6
  Client Application Code Execution 3
  Server Application Remote Code Execution 23
  Server Application Remote Code Execution 3 -c3
  Server Application Remote Code Execution 20
  Server Application Remote Code Execution 24
  Suspicious UDP Traffic 1
  Suspicious UDP Traffic 2
  Client Application Code Execution 4
  Server Application Remote Code Execution 1
  NTP Malformed Request 1
  Server Application Remote Code Execution 31
  Client Application Code Execution 8
  Server Application Remote Code Execution 27
  Client Application Code Execution 20
  Server Application Remote Code Execution 2
  Server Application Remote Code Execution 22
  Server Application Remote Code Execution 9
  Server Application Remote Code Execution 9 -c2
  Client Application Code Execution 14
  Server Application Remote Code Execution 30
  Client Application Code Execution 6
  Server Application Remote Code Execution 15
  Server Application Remote Code Execution 16
  Client Application Format String Attack 1
  Client Application Format String Attack 2
  Client Application Format String Attack 3
  Client Application Binary Planting 2
  Server Application Remote Code Execution 17
  Server Application Remote Code Execution 26
  Server Application Remote Code Execution 18
  Server Application Remote Code Execution 8
  Client Application Code Execution 22
  Client Application Code Execution 18
  Client Application Code Execution 19
  Client Application Code Execution 23
  Client Application Code Execution 5
  Client Application Code Execution 11
  Client Application Binary Planting 5
  Client Application Code Execution 2
  NTP Malformed Request 2
  Client Application Code Execution 12
  Corel PaintShop Pro Insecure Library Loading
  Client Application Code Execution 10
  DHCP Malformed Request 1
  DHCP Malformed Request 2
  Server Application Remote Code Execution 4
  Server Application Directory Traversal 5
  Server Application Directory Traversal 6
  Client Application Code Execution 16
  Client Application Binary Planting 3
  Client Application Code Execution 15


Relevant Information