Security testing or vulnerability scanners might trigger this. Investigate any potential matches to determine if they're legitimate.

Techniques

Sample rules

Cisco Secure Firewall - React Server Components RCE Attempt

Description

This analytic detects exploitation activity for CVE-2025-55182 using Cisco Secure Firewall Intrusion Events. It leverages Cisco Secure Firewall Threat Defense IntrusionEvent logs to identify cases where Snort signature 65554 (React Server Components remote code execution attempt) is triggered. If confirmed malicious, this behavior could indicate an attempt to exploit CVE-2025-55182.

Detection logic

`cisco_secure_firewall` EventType=IntrusionEvent signature_id=65554
| fillnull
| stats min(_time) as firstTime
        max(_time) as lastTime
        values(signature_id) as signature_id
        values(signature) as signature
        values(class_desc) as class_desc
        values(MitreAttackGroups) as MitreAttackGroups
        values(InlineResult) as InlineResult
        values(InlineResultReason) as InlineResultReason
        values(src_ip) as src_ip
        values(dest_port) as dest_port
        values(rule) as rule
        values(transport) as transport
        values(app) as app
        by dest_ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `cisco_secure_firewall___react_server_components_rce_attempt_filter`

Cisco Secure Firewall - Citrix NetScaler Memory Overread Attempt

Description

This analytic detects exploitation activity for CVE-2025-5777 using Cisco Secure Firewall Intrusion Events. It leverages Cisco Secure Firewall Threat Defense IntrusionEvent logs to identify cases where Snort signature 65118 (Citrix NetScaler memory overread attempt) is triggered. If confirmed malicious, this behavior is a strong indicator of attempted exploitation of CVE-2025-5777.

Detection logic

`cisco_secure_firewall` EventType=IntrusionEvent signature_id=65118
| fillnull
| stats min(_time) as firstTime
        max(_time) as lastTime
        values(signature_id) as signature_id
        values(signature) as signature
        values(class_desc) as class_desc
        values(MitreAttackGroups) as MitreAttackGroups
        values(InlineResult) as InlineResult
        values(InlineResultReason) as InlineResultReason
        values(src_ip) as src_ip
        values(dest_port) as dest_port
        values(rule) as rule
        values(transport) as transport
        values(app) as app
        by dest_ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `cisco_secure_firewall___citrix_netscaler_memory_overread_attempt_filter`
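Both sample rules share one shape: filter IntrusionEvent records on a Snort signature ID, then aggregate per destination host with first/last seen times and the distinct values of the context fields. The following is an added example, not part of the page and not Splunk or Cisco code: a plain-Python re-implementation of that filter-and-stats pipeline, run over constructed sample IntrusionEvent records for both signature IDs (65554 and 65118). The `fillnull` default value of 0 follows Splunk's documented default; the timestamp format used for `security_content_ctime`, the sample signature names, and the authorized-scanner range used for the false-positive triage flag are assumptions, labelled as such in the code.

```python
"""Added example: the two Cisco Secure Firewall analytics above re-implemented
as plain Python over constructed sample events, so the filter, the stats
aggregation and the scanner false-positive triage can be exercised offline.
Not Splunk code and not part of the original detection content."""
from collections import defaultdict
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network

# Snort signature IDs and the CVEs the two rules on this page map them to.
WATCHED_SIGNATURES = {
    65554: "React Server Components RCE attempt (CVE-2025-55182)",
    65118: "Citrix NetScaler memory overread attempt (CVE-2025-5777)",
}

# Fields collected with values() in the SPL stats command.
VALUE_FIELDS = ["signature_id", "signature", "class_desc", "MitreAttackGroups",
                "InlineResult", "InlineResultReason", "src_ip", "dest_port",
                "rule", "transport", "app"]

# Assumption for triage: source range of an authorized internal vulnerability
# scanner (constructed; the page only notes that scanners can trigger the rule).
AUTHORIZED_SCANNERS = [ip_network("10.10.0.0/24")]

# Constructed sample IntrusionEvent records; _time is a Unix epoch as in Splunk.
# Signature text, class descriptions and addresses are made up for illustration.
SAMPLE_EVENTS = [
    {"_time": 1700000000, "EventType": "IntrusionEvent", "signature_id": 65554,
     "signature": "SERVER-WEBAPP React Server Components RCE attempt",
     "class_desc": "Web Application Attack", "MitreAttackGroups": None,
     "InlineResult": "Blocked", "InlineResultReason": None,
     "src_ip": "203.0.113.10", "dest_ip": "192.0.2.20", "dest_port": 443,
     "rule": "1:65554:1", "transport": "tcp", "app": "HTTPS"},
    {"_time": 1700000600, "EventType": "IntrusionEvent", "signature_id": 65554,
     "signature": "SERVER-WEBAPP React Server Components RCE attempt",
     "class_desc": "Web Application Attack", "MitreAttackGroups": None,
     "InlineResult": "Would block", "InlineResultReason": "Passive interface",
     "src_ip": "203.0.113.10", "dest_ip": "192.0.2.20", "dest_port": 443,
     "rule": "1:65554:1", "transport": "tcp", "app": "HTTPS"},
    {"_time": 1700001000, "EventType": "IntrusionEvent", "signature_id": 65118,
     "signature": "SERVER-WEBAPP Citrix NetScaler memory overread attempt",
     "class_desc": "Attempted Information Leak", "MitreAttackGroups": None,
     "InlineResult": "Would block", "InlineResultReason": "Passive interface",
     "src_ip": "10.10.0.5", "dest_ip": "192.0.2.30", "dest_port": 443,
     "rule": "1:65118:1", "transport": "tcp", "app": "HTTPS"},
    # Same signature ID but not an IntrusionEvent: the filter must ignore it.
    {"_time": 1700001200, "EventType": "ConnectionEvent", "signature_id": 65554,
     "src_ip": "203.0.113.10", "dest_ip": "192.0.2.99", "dest_port": 443},
]


def security_content_ctime(epoch):
    """Stand-in for the `security_content_ctime` macro: epoch to readable UTC
    time. The exact format string is an assumption."""
    return datetime.fromtimestamp(epoch, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%S")


def fillnull(event):
    """Stand-in for `| fillnull`: null or missing fields become the default 0."""
    fields = ["_time", "EventType", "dest_ip", *VALUE_FIELDS]
    return {f: (event[f] if event.get(f) is not None else 0) for f in fields}


def _from_authorized_scanner(src):
    """True when src falls inside a known authorized scanner range."""
    try:
        return any(ip_address(str(src)) in net for net in AUTHORIZED_SCANNERS)
    except ValueError:  # e.g. the fillnull placeholder 0 is not an address
        return False


def detect(events, signature_id):
    """Equivalent of the SPL search: filter on EventType and signature_id,
    then stats min/max(_time) and values(...) by dest_ip."""
    by_dest = defaultdict(list)
    for ev in events:
        if ev.get("EventType") == "IntrusionEvent" and ev.get("signature_id") == signature_id:
            by_dest[ev["dest_ip"]].append(fillnull(ev))
    rows = []
    for dest_ip, evs in by_dest.items():
        row = {"dest_ip": dest_ip,
               "firstTime": security_content_ctime(min(e["_time"] for e in evs)),
               "lastTime": security_content_ctime(max(e["_time"] for e in evs))}
        for field in VALUE_FIELDS:
            # values(): distinct values, sorted lexicographically like Splunk
            row[field] = sorted({e[field] for e in evs}, key=str)
        # Triage aid for the false-positive note: every source is an authorized scanner
        row["all_src_authorized_scanner"] = all(_from_authorized_scanner(s) for s in row["src_ip"])
        rows.append(row)
    return rows


def run_watched(events):
    """Run both analytics and return results keyed by signature ID."""
    return {sid: detect(events, sid) for sid in WATCHED_SIGNATURES}


if __name__ == "__main__":
    for sid, rows in run_watched(SAMPLE_EVENTS).items():
        print(sid, WATCHED_SIGNATURES[sid])
        for row in rows:
            tag = "authorized scanner" if row["all_src_authorized_scanner"] else "review"
            print("  ", row["dest_ip"], row["firstTime"], row["lastTime"], row["src_ip"], tag)
```

The `all_src_authorized_scanner` flag is the offline counterpart of the filter macro at the end of each rule: it does not suppress the match, it marks rows where every source address belongs to an expected scanner so an analyst can prioritize the rest. Rows whose `InlineResult` is "Would block" rather than "Blocked" deserve the same attention, since the sensor only observed the attempt.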