Identify activity caused by incorrectly configured systems

Systems that are configured incorrectly can cause malfunctions and introduce vulnerabilities that are hard to detect and remedy. It is not always clear whether the misconfiguration is an honest mistake or if it is malicious. You can use information about incorrectly configured systems to help troubleshoot problems in your network and identify possible vulnerabilities.

Misconfigured systems

Systems can be misconfigured accidentally by employee misuse, or misconfigured due to poor design. Attackers can sometimes exploit misconfigured system to gain access. The following can cause misconfigurations in your network:
  • New or updated software or hardware
  • Incompatible software or hardware
  • Systems that are accidentally misconfigured by employees
  • Back doors that are created for legitimate maintenance reasons
Note: If an attacker misconfigures a system to gain access or cause harm, this situation is considered an attack, not a misconfigured system, and must be investigated.

Examples of events that are caused by misconfigured systems

Misconfigured systems can trigger certain events if the corresponding signatures are enabled in your policies. Use the following examples to help you identify misconfigured systems:
  • Subnet masks

    Legitimate hosts are sometimes on IP addresses that are typically used for broadcast addresses or subnet masks, such as These hosts can sometimes trigger events that identify exploits that use broadcast addresses, such as denial of service attacks or smurf attack.

  • SMB authentication and share events

    These events are caused by hosts that freely share data with other hosts or authenticate without requiring a password, or requiring a weak or easily guessed password. Although it is not the best method, some administrators allow internal hosts to communicate this way. This activity can trigger events that detect host-to-host communication that is weak or out of compliance, such as the Smb_empty_password and Smb_guessable_password events.

  • Routing errors

    Administrators sometimes neglect to disable IP routing, which is enabled by default on hosts that run the UNIX operating system. In most cases, these hosts are typically not configured properly and they can drop a significant number of packets.