LoFP

Legitimate Smart Install operations (e.g., image/config transfers) can produce larger payloads. Baseline typical sizes for your environment and allowlist known management stations when appropriate.

Techniques

Sample rules

Cisco Smart Install Oversized Packet Detection

Description

This analytic detects oversized Cisco Smart Install (SMI) protocol messages by inspecting traffic to TCP port 4786 within the Network_Traffic data model. Abnormally large SMI payloads have been associated with exploitation and protocol abuse (e.g., CVE-2018-0171; activity reported by the “Static Tundra” threat actor). Monitoring message sizes over time can help identify possible attempts at remote code execution, denial of service, or reconnaissance against Cisco devices exposing Smart Install.

Detection logic

| tstats `security_content_summariesonly`
    avg(All_Traffic.packets) as avg_packets,
    max(All_Traffic.bytes) as max_bytes
    from datamodel=Network_Traffic
    where All_Traffic.dest_port=4786 AND All_Traffic.transport=tcp
    by All_Traffic.src_ip, All_Traffic.dest_ip, _time span=1h
| `drop_dm_object_name("All_Traffic")`
| where max_bytes > 500
| eval severity=case(max_bytes>1400, "critical", max_bytes>1000, "high", 1=1, "medium")
| `cisco_smart_install_oversized_packet_detection_filter`
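The following Python is an added example, not code from the LoFP page or from the Splunk rule above. It re-implements the same pipeline over constructed flow records (the field names src_ip, dest_ip, dest_port, transport, packets, bytes and _time mirror the Network_Traffic fields the SPL uses): filter to TCP/4786, bucket by source, destination and hour, keep buckets whose largest flow exceeds the byte threshold, and assign severity with the same strict greater-than boundaries as the `eval case(...)`. The `allowlist` and `threshold` parameters are assumptions that stand in for the tuning the page recommends (the `..._filter` macro and a per-environment byte baseline); the sample flows are constructed, not real telemetry.

```python
"""Added example: Cisco Smart Install oversized-message detection over flow records.

Mirrors the SPL logic (tstats by src/dest/hour, max_bytes > 500, severity case)
and adds the two tuning knobs the LoFP note recommends: a byte baseline
(threshold) and an allowlist of known management stations.
"""
from collections import defaultdict

SMI_PORT = 4786          # Smart Install listens on TCP 4786
HOUR = 3600              # matches `_time span=1h`
T0 = 1_699_999_200       # constructed epoch base; an exact multiple of 3600

# Constructed sample flows (not real telemetry). One record per flow.
SAMPLE_FLOWS = [
    {"src_ip": "10.0.0.5", "dest_ip": "10.0.1.1", "dest_port": 4786, "transport": "tcp", "packets": 4,  "bytes": 320,  "_time": T0 + 100},
    {"src_ip": "10.0.0.5", "dest_ip": "10.0.1.1", "dest_port": 4786, "transport": "tcp", "packets": 6,  "bytes": 1500, "_time": T0 + 900},
    {"src_ip": "10.0.0.9", "dest_ip": "10.0.1.1", "dest_port": 4786, "transport": "tcp", "packets": 12, "bytes": 1200, "_time": T0 + 1000},
    {"src_ip": "10.0.0.9", "dest_ip": "10.0.1.1", "dest_port": 4786, "transport": "tcp", "packets": 8,  "bytes": 700,  "_time": T0 + HOUR + 200},  # next hour bucket
    {"src_ip": "10.0.0.7", "dest_ip": "10.0.1.2", "dest_port": 4786, "transport": "tcp", "packets": 2,  "bytes": 400,  "_time": T0 + 200},
    {"src_ip": "10.0.0.7", "dest_ip": "10.0.1.2", "dest_port": 22,   "transport": "tcp", "packets": 50, "bytes": 9000, "_time": T0 + 300},  # not SMI: wrong port
    {"src_ip": "10.0.0.7", "dest_ip": "10.0.1.2", "dest_port": 4786, "transport": "udp", "packets": 50, "bytes": 9000, "_time": T0 + 300},  # not SMI: wrong transport
]


def severity(max_bytes, high=1000, critical=1400):
    """Same boundaries as the SPL: >1400 critical, >1000 high, else medium."""
    if max_bytes > critical:
        return "critical"
    if max_bytes > high:
        return "high"
    return "medium"


def detect_oversized_smi(flows, threshold=500, allowlist=frozenset(), span=HOUR):
    """Return one finding per (src_ip, dest_ip, hour) whose largest flow exceeds threshold.

    threshold: byte baseline for the environment (the SPL uses 500).
    allowlist: source IPs of known management stations to drop (assumed role
               of the rule's `..._filter` macro).
    """
    # Step 1+2: tstats where-clause filter, then group by src, dest and hour bucket.
    buckets = defaultdict(lambda: {"packets": [], "bytes": []})
    for f in flows:
        if f["dest_port"] != SMI_PORT or f["transport"] != "tcp":
            continue
        bucket_start = f["_time"] // span * span
        key = (f["src_ip"], f["dest_ip"], bucket_start)
        buckets[key]["packets"].append(f["packets"])
        buckets[key]["bytes"].append(f["bytes"])

    findings = []
    for (src_ip, dest_ip, bucket_start), agg in sorted(buckets.items()):
        # Step 5 (filter macro): drop allowlisted management stations.
        if src_ip in allowlist:
            continue
        # Step 3: `where max_bytes > threshold`.
        max_bytes = max(agg["bytes"])
        if max_bytes <= threshold:
            continue
        # Step 4: severity from the largest observed message.
        findings.append({
            "src_ip": src_ip,
            "dest_ip": dest_ip,
            "_time": bucket_start,
            "avg_packets": sum(agg["packets"]) / len(agg["packets"]),
            "max_bytes": max_bytes,
            "severity": severity(max_bytes),
        })
    return findings


if __name__ == "__main__":
    for finding in detect_oversized_smi(SAMPLE_FLOWS):
        print(finding)
    print("with 10.0.0.9 allowlisted:",
          detect_oversized_smi(SAMPLE_FLOWS, allowlist={"10.0.0.9"}))
```

Note that a flow of exactly 1400 bytes is rated "high", not "critical", and exactly 500 bytes produces no finding, because both the SPL and this port use strict comparisons. Raising `threshold` to a baseline measured in your own environment, or adding management-station addresses to `allowlist`, is how the false positives the page describes (image and config transfers) are tuned out without changing the severity ladder.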