name: Cisco Smart Install Oversized Packet Detection
id: 3b8d2b4f-4e1e-4a9e-9b43-8a7a3a9c7e21
version: 1
date: '2025-08-21'
author: Bhavin Patel, Michael Haag, Splunk
status: production
type: TTP
description: >-
  This analytic detects unusually large Cisco Smart Install (SMI) protocol traffic by inspecting
  TCP flows to destination port 4786 in the Network_Traffic data model. Abnormally large SMI
  messages have been associated with exploitation and protocol abuse, for example the crafted
  SMI messages used to trigger CVE-2018-0171, and with the activity Cisco Talos attributed to the
  "Static Tundra" threat actor. Tracking the maximum bytes observed per source/destination pair
  in hourly buckets can surface attempted remote code execution, denial of service, or
  reconnaissance against Cisco devices that expose Smart Install.
data_source:
- Splunk Stream TCP
search: '| tstats `security_content_summariesonly` avg(All_Traffic.packets) as avg_packets, max(All_Traffic.bytes) as max_bytes from datamodel=Network_Traffic where All_Traffic.dest_port=4786 AND All_Traffic.transport=tcp by All_Traffic.src_ip, All_Traffic.dest_ip, _time span=1h | `drop_dm_object_name("All_Traffic")` | where max_bytes > 500 | eval severity=case(max_bytes>1400, "critical", max_bytes>1000, "high", 1=1, "medium") | `cisco_smart_install_oversized_packet_detection_filter`'
how_to_implement: >-
  To implement this search, ingest network traffic into the Network_Traffic data model (for example
  via Splunk Stream with sourcetype "stream:tcp"). The search summarizes TCP traffic to destination
  port 4786 (Cisco Smart Install) in hourly buckets per source and destination IP, keeps pairs whose
  largest observed flow exceeds 500 bytes, and assigns a severity of medium, high (over 1000 bytes),
  or critical (over 1400 bytes). Note that All_Traffic.bytes is the byte count of the flow or session
  as reported by the data source, not the size of an individual packet, so confirm what your source
  populates in that field and tune the thresholds to the sizes your environment actually produces.
  You may also restrict the search to perimeter-facing traffic. Smart Install should be disabled
  (no vstack) or blocked at the network edge wherever it is not required.
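The bucketing, threshold and severity logic of the search above, re-implemented in Python as an added example (this is not part of the Splunk content and is not how Splunk evaluates tstats). The flow records are constructed sample data using the CIM field names the search relies on; the `allowlist` parameter stands in for the `cisco_smart_install_oversized_packet_detection_filter` macro and is an assumption for illustration.

```python
"""Reference implementation of the SMI oversized-traffic detection logic."""
from collections import defaultdict
from datetime import datetime, timezone

SMI_PORT = 4786          # Cisco Smart Install listens on TCP/4786
MIN_BYTES = 500          # matches `where max_bytes > 500`

# Constructed sample flow records (not real telemetry). Field names follow
# the CIM Network_Traffic data model after drop_dm_object_name("All_Traffic").
SAMPLE_FLOWS = [
    {"_time": "2025-08-21T10:05:00Z", "src_ip": "10.1.1.50", "dest_ip": "10.2.2.10", "dest_port": 4786, "transport": "tcp", "bytes": 120,  "packets": 2},
    {"_time": "2025-08-21T10:15:00Z", "src_ip": "10.1.1.50", "dest_ip": "10.2.2.10", "dest_port": 4786, "transport": "tcp", "bytes": 1600, "packets": 4},
    {"_time": "2025-08-21T10:40:00Z", "src_ip": "10.1.1.50", "dest_ip": "10.2.2.10", "dest_port": 4786, "transport": "tcp", "bytes": 300,  "packets": 3},
    {"_time": "2025-08-21T11:02:00Z", "src_ip": "10.1.1.77", "dest_ip": "10.2.2.11", "dest_port": 4786, "transport": "tcp", "bytes": 1100, "packets": 5},
    {"_time": "2025-08-21T11:10:00Z", "src_ip": "10.1.1.99", "dest_ip": "10.2.2.12", "dest_port": 4786, "transport": "tcp", "bytes": 450,  "packets": 1},
    # Below the filter: wrong transport, wrong port.
    {"_time": "2025-08-21T11:20:00Z", "src_ip": "10.1.1.88", "dest_ip": "10.2.2.13", "dest_port": 4786, "transport": "udp", "bytes": 5000, "packets": 9},
    {"_time": "2025-08-21T11:25:00Z", "src_ip": "10.1.1.88", "dest_ip": "10.2.2.14", "dest_port": 22,   "transport": "tcp", "bytes": 9000, "packets": 40},
    {"_time": "2025-08-21T11:30:00Z", "src_ip": "10.1.1.60", "dest_ip": "10.2.2.10", "dest_port": 4786, "transport": "tcp", "bytes": 700,  "packets": 2},
]


def severity(max_bytes: int) -> str:
    """Same case() ladder as the search's eval."""
    if max_bytes > 1400:
        return "critical"
    if max_bytes > 1000:
        return "high"
    return "medium"


def hour_bucket(ts: str) -> datetime:
    """Equivalent of `_time span=1h`: truncate the timestamp to the hour."""
    dt = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return dt.replace(minute=0, second=0, microsecond=0)


def detect(flows, min_bytes: int = MIN_BYTES, allowlist=frozenset()):
    """Group SMI flows by (src_ip, dest_ip, hour), keep groups whose largest
    flow exceeds min_bytes, and attach a severity. `allowlist` is a hypothetical
    stand-in for the tuning macro: known management stations are dropped."""
    groups = defaultdict(list)
    for f in flows:
        # `where All_Traffic.dest_port=4786 AND All_Traffic.transport=tcp`
        if f["dest_port"] != SMI_PORT or f["transport"] != "tcp":
            continue
        if f["src_ip"] in allowlist:
            continue
        groups[(f["src_ip"], f["dest_ip"], hour_bucket(f["_time"]))].append(f)

    results = []
    for (src, dst, bucket), rows in sorted(groups.items(), key=lambda kv: (kv[0][2], kv[0][0], kv[0][1])):
        max_bytes = max(r["bytes"] for r in rows)
        avg_packets = sum(r["packets"] for r in rows) / len(rows)
        if max_bytes > min_bytes:
            results.append({
                "_time": bucket.isoformat(),
                "src_ip": src,
                "dest_ip": dst,
                "avg_packets": avg_packets,
                "max_bytes": max_bytes,
                "severity": severity(max_bytes),
            })
    return results


if __name__ == "__main__":
    for hit in detect(SAMPLE_FLOWS):
        print(hit)
```

Running the block yields three hits: the 10:00 bucket for 10.1.1.50 is critical (max 1600 bytes), 10.1.1.77 is high (1100) and 10.1.1.60 is medium (700); the 450-byte flow, the UDP flow and the port-22 flow never surface. Passing `allowlist={"10.1.1.50"}` removes the first hit, which is the effect a tuned filter macro would have for a known management station.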
known_false_positives: >-
  Legitimate Smart Install operations, such as image or configuration transfers from a director
  switch, can produce large flows to TCP/4786 and will exceed these thresholds. Baseline typical
  flow sizes for your environment and allowlist known management stations or directors in the
  filter macro where appropriate.
references:
- https://blog.talosintelligence.com/static-tundra/
- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180328-smi2
drilldown_searches:
- name: 'View the detection results for - "$dest_ip$"'
  search: '%original_detection_search% | search dest_ip = "$dest_ip$"'
  earliest_offset: '$info_min_time$'
  latest_offset: '$info_max_time$'
- name: 'View risk events for the last 7 days for - "$dest_ip$"'
  search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest_ip$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
  earliest_offset: '$info_min_time$'
  latest_offset: '$info_max_time$'
tags:
  analytic_story:
  - Cisco Smart Install Remote Code Execution CVE-2018-0171
  asset_type: Network
  mitre_attack_id:
  - T1190
  product:
  - Splunk Enterprise
  - Splunk Enterprise Security
  - Splunk Cloud
  security_domain: network
  cve:
  - CVE-2018-0171