TMS zl Module IPS/IDS Signature Reference Guide RLX.10.2.2.94
Signature Description: The WinNuke attack sends OOB (Out-of-Band) data to the IP address of a Windows machine
connected to a network and/or the Internet. Usually, the WinNuke program connects via port 139, but other ports are
vulnerable if they are open. When a Windows machine receives the out-of-band data, it is unable to handle it and
exhibits odd behavior, ranging from a lost Internet connection to a system crash (resulting in the infamous Blue Screen
of Death). Older versions of Microsoft Windows (95, Windows for Workgroups 3.11, Windows NT up to and
including 4.0), as well as SCO Open Server 5.0, have a vulnerability relating to the way they handle TCP/IP "Out of
Band" data. According to Microsoft, "A sender specifies 'Out of Band' data by setting the URGENT bit flag in the
TCP header. The receiver uses the URGENT POINTER to determine where in the segment the urgent data ends.
Windows NT bug checks when the URGENT POINTER points to the end of the frame and no normal data follows.
Windows NT expects normal data to follow." As a result of this assumption not being met, Windows gives a "blue
screen of death" and stops responding. Windows port 139 (NetBIOS) is most susceptible to this attack, although other
services may suffer as well.
Signature ID: 100020
Invalid Sequence number for ACK flagged Packet during TCP Three-way Handshake
Threat Level: Critical
Signature Description: TCP is a stateful protocol (RFC 793), which implies that a connection is established first and
then data starts flowing. Each packet is acknowledged to prevent data loss. During the three-way handshake, the initial
SYN is acknowledged by a SYN+ACK packet, and if the connection needs to be terminated, the SYN is answered with
RST+ACK. This rule hits when the system detects a SYN+ACK or RST+ACK packet whose number is not exactly
what is expected, i.e. (SEQ+1). There is a probability that such packets are being generated by malfunctioning
machines.
Signature ID: 100021
Zero length IP option
Threat Level: Critical
Signature Description: Zero length IP option
Signature ID: 100022
Unaligned Timestamp Option In IP Packet
Threat Level: Critical
Signature Description: The IP header provides a "Timestamp" option for inserting a timestamp into every
packet. This option is carried in the "options" field of the IP packet. Options are aligned to a 4-byte boundary. There
are a few IP stack implementations that are unable to handle an unaligned Timestamp option. For example, it is
possible to cause a kernel panic on systems running NetBSD by remotely sending a packet with an unaligned IP
Timestamp option. This rule hits when the IPS device detects an IP packet with an unaligned Timestamp option set. This log
can be ignored if the remote systems are patched.
Signature ID: 100023
Data Arrives before TCP Three-way Handshake
Threat Level: Critical
Signature Description: TCP is a stateful protocol (RFC 793), which implies that a connection is established first and
then data starts flowing. The connection is established after the three-way handshake is over, which ensures that the final
ACK has been sent. This rule hits when the IPS device detects a data packet before the completion of the three-way
handshake. This may not impose any serious security risk, but it indicates the possibility of a data injection attempt.
It should be noted, however, that this can also be a false positive: the client starts sending data just after the final ACK
packet, and due to some network problem the data packet arrives earlier than the final ACK. The administrator, therefore, is
advised to monitor this connection.
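The handshake checks behind signatures 100020 and 100023 can be modelled as a small per-flow state machine. The following Python is an added illustration, not code from the guide or the TMS zl module: it tracks SYN, SYN+ACK/RST+ACK and the pure final ACK, raises 100020 when the responder's acknowledgement number is not the client's initial sequence number plus one (modulo 2^32), and raises 100023 for any payload seen before the handshake completes, which also reproduces the reordering false positive described above. Segment fields, flow states and the sample traffic are constructed assumptions.

```python
from dataclasses import dataclass

# TCP flag bits (RFC 793)
SYN, RST, ACK = 0x02, 0x04, 0x10

@dataclass
class Segment:
    """Constructed, simplified TCP segment; direction is 'c2s' (from the
    connection initiator) or 's2c' (from the responder)."""
    direction: str
    flags: int
    seq: int
    ack: int
    payload_len: int = 0

@dataclass
class Flow:
    """Per-connection handshake state kept by the inspector (assumed model)."""
    state: str = "NEW"        # NEW -> SYN_SEEN -> SYNACK_SEEN -> ESTABLISHED
    client_isn: int = 0

def inspect(flow: Flow, seg: Segment) -> list:
    """Update flow state and return the signature IDs this segment raises."""
    alerts = []
    f = seg.flags
    if seg.direction == "c2s" and f & SYN and not f & ACK:
        # Initial SYN: record the client's ISN; the handshake begins.
        flow.state, flow.client_isn = "SYN_SEEN", seg.seq
        return alerts
    if (flow.state == "SYN_SEEN" and seg.direction == "s2c"
            and f & ACK and f & (SYN | RST)):
        # 100020: SYN+ACK or RST+ACK must acknowledge exactly ISN + 1 (mod 2^32).
        if seg.ack != (flow.client_isn + 1) & 0xFFFFFFFF:
            alerts.append(100020)
        elif f & SYN:
            flow.state = "SYNACK_SEEN"
        else:
            flow.state = "NEW"    # RST+ACK: connection refused, forget the flow
        return alerts
    if (flow.state == "SYNACK_SEEN" and seg.direction == "c2s"
            and f & ACK and not f & SYN and seg.payload_len == 0):
        flow.state = "ESTABLISHED"   # pure final ACK: handshake complete
        return alerts
    if seg.payload_len > 0 and flow.state != "ESTABLISHED":
        # 100023: data before the handshake completed. A client data segment
        # that overtakes the pure final ACK lands here too (the false positive).
        alerts.append(100023)
    return alerts

def run(segments: list) -> list:
    """Inspect a constructed segment sequence and return all alerts in order."""
    flow, out = Flow(), []
    for s in segments:
        out.extend(inspect(flow, s))
    return out
```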