SID 1:59077

Rule Category

SERVER-OTHER -- Snort has detected traffic exploiting vulnerabilities in a server in the network.

Alert Message

SERVER-OTHER SAP Internet Communication Manager HTTP request smuggling attempt

Rule Explanation

This rule targets an HTTP smuggling attack on SAP back-end servers. The attack can be executed using a specially crafted HTTP request that is incorrectly processed by a front-end server or proxy and forwarded to the back end server. This causes the back-end server to process additional requests that may or may not be valid.

What To Look For

This rule triggers on an attempt to exploit a SAP back-end server vulnerable to CVE-2022-22536.

Known Usage

No public information

False Positives

No known false positives

Contributors

Cisco Talos Intelligence Group

Rule Groups

Rule Categories::Server::Other

MITRE::ATT&CK Framework::Enterprise::Initial Access::Exploit Public-Facing Application

Adversaries may attempt to take advantage of a weakness in an Internet-facing computer or program using software, data, or commands in order to cause unintended or unanticipated behavior. The weakness in the system can be a bug, a glitch, or a design vulnerability. These applications are often websites, but can include databases (like SQL), standard services (like SMB or SSH), network device administration and management protocols (like SNMP and Smart Install), and any other applications with Internet accessible open sockets, such as web servers and related services.

CVE

CVE-2022-22536

Additional Links

wiki.scn.sap.com/wiki/display/PSR/SAP+Security+Patch+Day+-+February+2022

Rule Vulnerability

N/A

Not Applicable

CVE Additional Information

This product uses data from the NVD API but is not endorsed or certified by the NVD.

CVE-2022-22536

Loading description

MITRE ATT&CK Framework

Tactic: Initial Access

Technique: Exploit Public-Facing Application

For reference, see the MITRE ATT&CK vulnerability types here: https://attack.mitre.org