Rule

Description

Impact

ET SHELLCODE Rothenburg Shellcode

This rule identifies the presence of Rothenburg Shellcode, which is a type of malicious code used to exploit vulnerabilities in systems.

Detects attempts to inject shellcode into a system, providing early warning of potential exploitation attempts.

ET ATTACK_RESPONSE Net User Command Response

This rule detects the response from the 'net user' command, which attackers often use to enumerate user accounts on a compromised system.

Helps identify post-exploitation activities where attackers gather information about user accounts.

ET HUNTING SUSPICIOUS IRC - PRIVMSG .(exe|tar|tgz|zip) download command

This rule flags suspicious IRC messages that attempt to download executable files, archives, or compressed files

Aids in the detection of malicious file transfers over IRC, a common tactic used by attackers to distribute malware.

ET EXPLOIT Malformed HeartBeat

This rule identifies malformed Heartbeat messages, which can be indicative of exploitation attempts against vulnerabilities such as the Heartbleed bug.

Provides early detection of attempts to exploit Heartbeat message handling vulnerabilities.

ET EXPLOIT Apache log4j RCE Attempt (tcp ldap) (CVE-2021-44228)

This rule detects attempts to exploit the remote code execution vulnerability in Apache Log4j via TCP LDAP traffic.

Critical detection of attempts to exploit CVE-2021-44228, a high-severity vulnerability in the Log4j library.

Possible Apache log4j RCE Attempt - Any Protocol TCP (CVE-2021-44228)

This rule identifies potential remote code execution attempts against Apache Log4j over any TCP protocol.

Broad detection capability for various exploitation attempts targeting CVE-2021-44228.

GPL ATTACK_RESPONSE id check returned root

This rule flags responses to the 'id' command that return 'root', indicating that the attacker has gained root privileges on the system.

Critical alert for unauthorized elevation of privileges to root, a major security breach.