ProCurve TMS zl Module IPS/IDS Signature Reference Guide, Version RLX.10.2.2.94
Signature ID: 100015
TCP Packet Received after Resetting the Connection
Threat Level: Critical
Signature Description: TCP is a stateful protocol (RFC 793): a connection is established first, and only then does data start flowing. A connection can be terminated in one of two ways, FIN-ACK or RESET. FIN-ACK is a four-way handshake in which both sides agree to terminate the connection, whereas RESET is a one-way method: either the client or the server can send a RESET packet to declare that it does not want any more data and will not send any. This rule hits when the IPS device detects at least one packet without the RST flag, from the same direction, after the client or server has sent a RESET packet. This may indicate that the earlier RESET was injected by an attacker to launch a RESET attack. There is also a chance that, due to network congestion, the RESET packet arrives before a data packet from the same source; in that case the data packet is dropped by the IPS device.
Signature ID: 100016
Blind Spoofing Attempt
Threat Level: Critical
Industry ID: CVE-2001-0288
Signature Description: Blind spoofing is an attack that guesses the initial sequence number (ISN) in order to hijack a TCP connection. Attackers usually send several packets to the target machine in order to work out its sequence numbers. Because most operating systems now implement random sequence number generation, it has become much harder to predict the sequence number accurately, so this attack is not very effective nowadays. If, however, the sequence number is compromised, data could be sent to the target.
Signature ID: 100017
Zero bytes transferred for connection
Threat Level: Information
Signature Description: The IPS creates a session for every network connection in order to track that connection's state. As part of this it keeps track of the number of bytes transferred over the session. A session ends either by timing out, because no data has been transferred for a specified period (the inactivity timeout), or by closing gracefully, which the IPS tracks through the session termination flag (FIN) in the TCP header. Every network connection is established to transfer data between peer systems. This log is generated when the IPS detects a session that is being terminated without any data having been transferred over the connection. One or two such logs may be due to a network error, but excessive generation of this log should be analyzed for suspicious network activity such as a port scan or a probe.
Signature ID: 100018
TCP Packet with Invalid Sequence Number Received
Threat Level: Critical
Signature Description: TCP is a stateful protocol (RFC 793): a connection is established first, and only then does data start flowing. Each packet is acknowledged to prevent data loss. To keep packets in order, TCP uses sequence numbers: each packet carries a sequence number that is unique within that session. The valid sequence number range depends on the window size, which is published by the recipient. A sequence number is said to be valid if it falls within the range from the last packet's sequence number to the last packet's sequence number plus the window size. This rule hits when the IPS device detects a packet whose sequence number is invalid, that is, does not fall within the range described above. Such a packet indicates a possible packet injection attempt.
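The state checks behind signatures 100015 and 100018, as an added example that is not part of this guide or of the TMS zl Module's own code: a small Python flow tracker that replays one connection's segments and raises an alert for a non-RST packet from a side that has already sent RESET, or for a sequence number outside the range from the last sequence number to that number plus the window the recipient advertised (32-bit wrap-around handled). The Segment fields, the "client"/"server" direction labels and the sample flow are constructed assumptions, not captured traffic.

```python
from dataclasses import dataclass

MASK32 = 0xFFFFFFFF  # TCP sequence numbers wrap modulo 2**32

@dataclass
class Segment:            # hypothetical minimal view of one TCP segment
    src: str              # direction label: "client" or "server"
    seq: int              # sequence number carried by the segment
    window: int           # receive window this sender advertises to its peer
    rst: bool = False     # RST flag set

def seq_in_window(seq, last, win):
    """True if seq lies in [last, last + win], handling 32-bit wrap-around."""
    lo, hi = last, (last + win) & MASK32
    return lo <= seq <= hi if lo <= hi else (seq >= lo or seq <= hi)

def track(segments):
    """Replay one connection's segments in order; return [(signature_id, index), ...]."""
    last_seq = {}       # last valid sequence number seen, per direction
    peer_window = {}    # window advertised by the recipient, keyed by sender direction
    reset_sent = set()  # directions that have already sent RESET
    alerts = []
    for i, s in enumerate(segments):
        # 100015: a non-RST segment from a side that already sent RESET
        if s.src in reset_sent and not s.rst:
            alerts.append((100015, i))
        # 100018: seq outside [last seq, last seq + window published by the recipient]
        last, win = last_seq.get(s.src), peer_window.get(s.src)
        if last is None or win is None or seq_in_window(s.seq, last, win):
            last_seq[s.src] = s.seq  # only valid segments advance the tracked state
        else:
            alerts.append((100018, i))
        if s.rst:
            reset_sent.add(s.src)
        # the window this sender advertises governs segments flowing the other way
        peer_window["server" if s.src == "client" else "client"] = s.window
    return alerts

SAMPLE = [  # constructed sample flow, not captured traffic
    Segment("client", 1000, 65535),            # SYN
    Segment("server", 5000, 8192),             # SYN-ACK
    Segment("client", 1001, 65535),            # data
    Segment("client", 900000, 65535),          # injected: far outside the window
    Segment("server", 5001, 8192, rst=True),   # RESET from server
    Segment("server", 5001, 8192),             # data after RESET
]

if __name__ == "__main__":
    for sig, idx in track(SAMPLE):
        print(f"signature {sig} on segment {idx}")
```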
Signature ID: 100019
WinNuke Attack
Threat Level: Critical
Industry ID: CVE-1999-0153 Bugtraq: 2010