ProCurve TMS zl Module IPS/IDS Signature Reference Guide Version RLX.10.2.2.94
Signature ID: 100005
Uninitiated ICMP Echo Response
Threat Level: Severe
Signature Description: ICMP is the protocol IP uses to report errors in delivering a packet to its destination and to query the status of a remote host. To learn whether a particular host is up, an ICMP echo request (type 8) is sent, and the receiving host answers with an ICMP echo reply (type 0) to confirm that it is up. The logical flow of these messages is therefore that an ICMP echo request goes out first and is then answered by an echo reply. This rule hits when the IPS device sees an echo reply without any corresponding echo request, which is suspicious activity. Such events indicate a DoS attack such as smurf. The administrator should monitor the corresponding IPs closely.
Signature ID: 100006
Uninitiated UDP Echo Response
Threat Level: Critical
Signature Description: The echo service uses UDP and TCP port 7 and is used as a debugging tool that sends any datagram received from a source back to that source. It exists only for debugging purposes, and this traffic will not be present in normal network traffic. The server sends an echo response only after receiving an echo request from the client. The IPS generates this log when a UDP echo response packet is seen on the network without a UDP echo request having been sent.
Signature ID: 100007
Invalid IP Header Length or Total Length
Threat Level: Critical
Signature Description: Each IP packet has a field for the IP header length. The minimum value is 20 bytes and the maximum value is 60 bytes. Another field, "Total Length [TL]", specifies the total length of the IP packet, including the higher-level protocol header plus data. Many IP stack implementations are prone to misbehaving when they receive IP packets that do not follow the RFC. This rule hits in two cases: 1) when the IPS device detects an IP packet whose IP header length is less than the minimum value of IHL, and 2) when the length of the data in the TCP packet is less than that indicated by the TL of the IP header. Such traffic is generated by many IDS/IPS testing tools, for example TFN2K. A particular type of attack from TFN2K is the TARGA3 attack. The TARGA3 attack, as spewed from TFN2K, generates invalid IP packets of various protocols. The traffic does not affect the end server; most packets are invalid and discarded immediately. However, it does have a slight bandwidth impact by keeping the gateway device busy quite often.
Signature ID: 100008
IP Packet with No Data
Threat Level: Critical
Signature Description: IP is the primary protocol in the Internet Layer of the Internet Protocol Suite and has the task of delivering datagrams (packets) from the source host to the destination host solely based on their addresses. For this purpose the Internet Protocol defines addressing methods and structures for datagram encapsulation. Data from an upper-layer protocol is encapsulated inside one or more packets/datagrams (the terms are basically synonymous in IP). The size of the payload encapsulated inside an IP packet depends on the transport-layer protocol used for the data transfer, such as UDP or TCP, and at a minimum it should contain that protocol's header. Under no condition will an IP packet with no data in the payload be found in normal network traffic, so such activity is suspicious. This rule hits when the system detects an IP packet which has no payload data (the total length of the IP packet is equal to the size of the IP header).
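As an added example, not code from the guide or the vendor, the Python below implements the header checks described for signatures 100007 and 100008 and the stateful request/reply matching described for signature 100005, on constructed IPv4 and ICMP packets. The packet builders, the 10.0.0.x addresses and matching echo pairs on (addresses, identifier, sequence) are assumptions for illustration.

```python
import struct

# Added example, not vendor code: the IP-length checks of signatures 100007 and 100008
# and the stateful echo-reply check of signature 100005, run on constructed packets.
ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY = 8, 0
MIN_IP_HEADER = 20  # IHL minimum is 5 words = 20 bytes

def check_ip_lengths(pkt: bytes) -> list:
    """Return the signature names the IPv4 header of pkt would trigger."""
    if len(pkt) < MIN_IP_HEADER:
        return ["Invalid IP Header Length or Total Length"]
    ihl_bytes = (pkt[0] & 0x0F) * 4
    (total_len,) = struct.unpack("!H", pkt[2:4])
    # 100007: IHL below the RFC minimum, or less data on the wire than Total Length claims
    if ihl_bytes < MIN_IP_HEADER or len(pkt) < total_len:
        return ["Invalid IP Header Length or Total Length"]
    # 100008: Total Length equals the header length, so the packet carries no payload
    if total_len == ihl_bytes:
        return ["IP Packet with No Data"]
    return []

class EchoTracker:
    """100005: flag an ICMP echo reply that no earlier echo request accounts for."""
    def __init__(self) -> None:
        self.pending = set()  # (src, dst, identifier, sequence) of unanswered requests

    def observe(self, src: str, dst: str, icmp: bytes) -> bool:
        """Record requests; return True for a reply with no pending request."""
        ident, seq = struct.unpack("!HH", icmp[4:8])
        if icmp[0] == ICMP_ECHO_REQUEST:
            self.pending.add((src, dst, ident, seq))
        elif icmp[0] == ICMP_ECHO_REPLY:
            key = (dst, src, ident, seq)  # the request flowed the other way
            if key not in self.pending:
                return True
            self.pending.discard(key)
        return False

def build_ipv4(payload: bytes, ihl_words: int = 5, total_len=None) -> bytes:
    """Constructed 20-byte IPv4 header (no options, zero checksum) plus payload."""
    if total_len is None:
        total_len = 20 + len(payload)
    hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl_words, 0, total_len, 0, 0,
                      64, 1, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return hdr + payload

def icmp_echo(icmp_type: int, ident: int, seq: int) -> bytes:
    """Constructed 8-byte ICMP echo header (zero checksum, no data)."""
    return struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
```

A real sensor would also expire pending requests after a timeout, so that a late or forged reply to a long-gone request is still flagged.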