ProCurve TMS zl Module IPS/IDS Signature Reference Guide, Version RLX.10.2.2.94
Signature ID: 100009
Packet with Invalid TCP Header Length
Threat Level: Critical
Signature Description: IP is the protocol that carries higher-level protocols such as TCP. An IP packet has many
header fields; "Total Length [TL]" is one of them and specifies the total length of the IP packet. In the TCP header,
the "offset" field gives the size of the TCP header. The minimum TCP header length is 20. Also, it can be observed
that TCP_Hdr_len < TL-IHL, where TCP_Hdr_len is the TCP header length, TL is the total IP length and IHL is the IP
header length. This rule hits when the IPS device detects a TCP packet that does not comply with either of these two
normal conditions. Such traffic is generated by many IDS/IPS testing tools, for example TFN2K. One particular type
of attack from TFN2K is the TARGA3 attack.
Signature ID: 100010
TCP Null Scan Attack Detected
Threat Level: Critical
Signature Description: TCP is a stateful protocol (RFC 793), which implies that a connection is established first and
then data starts flowing. Each packet is acknowledged to prevent data loss. This state awareness comes from using
flags, which are control bits that indicate the type of packet. Each TCP packet should have some flag set. This rule
hits when the IPS device detects a TCP packet with no flags set and SEQ set to 0. This activity is indicative of a scan
method called "TCP NULL." If the remote end is listening on any port, a RESET packet should be returned, which gives
a hint to the attacker. This attack is the opposite of XMAS, where all TCP flags are set.
Signature ID: 100011
Packet with Invalid UDP Header Length
Threat Level: Critical
Signature Description: IP is the protocol that carries higher-level protocols such as UDP. An IP packet has many
header fields; "Total Length [TL]" is one of them and specifies the total length of the IP packet. In the UDP header,
the "length" field denotes the total size of the UDP data, including the header. The minimum value of the UDP
"length" field is 8. Also, it can be observed that UDP_len < TL-IHL, where UDP_len is the UDP data length, TL is the
total IP length and IHL is the IP header length. This rule hits when the system detects a UDP packet that does not
comply with either of these two normal conditions. Such traffic is generated by many IDS/IPS testing tools, for
example TFN2K.
Signature ID: 100012
ICMP Packet with Short Total Length
Threat Level: Critical
Signature Description: ICMP is a protocol used to test the connectivity between hosts or networks. ICMP works over
IP. The minimum Ethernet packet size should be 64 bytes, which includes 20 bytes for the IP header. The minimum ICMP
header size is only 8 bytes. Therefore, in order to make the Ethernet frame 64 bytes, extra bytes (random data) are
appended to each ICMP packet. This rule hits when the IPS device detects an ICMP packet whose length is shorter than
the minimum length. Such packets are often generated by tools that produce bogus traffic for some malicious task.
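As an added example that is not part of the guide, the following Python reproduces the header-length checks behind signatures 100009, 100011 and 100012 on constructed raw IPv4 packets. It treats a transport header that exactly fills the IP payload (a bare SYN with no data, for instance) as valid, and uses the 8-byte ICMP header as the ICMP minimum; the packet builders and sample values are constructed for the demonstration.

```python
import struct
from typing import List, Optional

# Minimum transport header sizes as stated in the guide.
MIN_TCP_HDR = 20
MIN_UDP_LEN = 8
MIN_ICMP_HDR = 8

def header_length_hits(pkt: bytes) -> List[str]:
    """Return the signature names that fire for one raw IPv4 packet."""
    if len(pkt) < 20:
        return ["truncated IP header"]
    ver_ihl, _tos, tl, _id, _frag, _ttl, proto = struct.unpack("!BBHHHBB", pkt[:10])
    ihl = (ver_ihl & 0x0F) * 4   # IP header length in bytes
    avail = tl - ihl             # bytes TL leaves for transport header plus data
    hits = []
    if proto == 6:               # TCP: Data Offset is the high nibble of byte 12
        if avail < MIN_TCP_HDR or len(pkt) < ihl + 13:
            return ["100009 Packet with Invalid TCP Header Length"]
        tcp_hdr_len = (pkt[ihl + 12] >> 4) * 4
        if tcp_hdr_len < MIN_TCP_HDR or tcp_hdr_len > avail:
            hits.append("100009 Packet with Invalid TCP Header Length")
    elif proto == 17:            # UDP: Length field covers header plus data
        if avail < MIN_UDP_LEN or len(pkt) < ihl + 6:
            return ["100011 Packet with Invalid UDP Header Length"]
        udp_len = struct.unpack("!H", pkt[ihl + 4:ihl + 6])[0]
        if udp_len < MIN_UDP_LEN or udp_len > avail:
            hits.append("100011 Packet with Invalid UDP Header Length")
    elif proto == 1:             # ICMP: the header alone needs 8 bytes
        if avail < MIN_ICMP_HDR:
            hits.append("100012 ICMP Packet with Short Total Length")
    return hits

# Constructed packet builders (sample data, not captures from the guide).
def ipv4(proto: int, payload: bytes, total_len: Optional[int] = None) -> bytes:
    tl = 20 + len(payload) if total_len is None else total_len
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, tl, 0, 0, 64, proto, 0,
                      bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return hdr + payload

def tcp_syn(data_offset_words: int) -> bytes:
    # ports, seq, ack, data-offset nibble, flags (SYN), window, checksum, urgent
    return struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, data_offset_words << 4, 0x02, 0, 0, 0)

def udp(length_field: int, data: bytes = b"") -> bytes:
    return struct.pack("!HHHH", 40000, 53, length_field, 0) + data
```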
Signature ID: 100014
Post Connection SYN Received
Threat Level: Critical
Signature Description: TCP is a stateful protocol (RFC 793), which implies that a connection is established first and
then data starts flowing. Each TCP connection starts with a three-way handshake. The client sends a packet with the
SYN flag set, which the server answers with a packet with the SYN+ACK flags set. Finally, the connection is
established when the client sends a packet with the ACK flag set. This rule hits when the IPS device detects a packet
with the SYN flag set on an already established connection. This may pertain to some scanning activity.