TMS zl Module IPS/IDS Signature Reference Guide RLX.10.2.2.94

Signature ID: 100024
ICMP error message (uninitiated traffic)
Threat Level: Critical
Signature Description: Since the Internet Protocol is an unreliable protocol, there is no guarantee that a datagram
sent by one device to another will ever actually get there. The inter-network of hosts and routers makes a
"best effort" to deliver the datagram, but it may not reach its destination for any number of reasons.
When delivery of an IP datagram fails, an ICMP error message such as Destination Unreachable, Source Quench or
Time Exceeded is sent to the source node to indicate that the packet could not be delivered. All ICMP error messages
include a portion of the datagram that could not be delivered, which helps the recipient of the error work out what the
problem is. When an ICMP error message is received, the session tracking module of the IPS extracts the IP datagram
included inside the error message, extracts the selector information (source and destination addresses, ports and
protocol) from that packet, and then checks whether a corresponding session exists. This log is generated if a
corresponding session cannot be located. This may be caused either by the session having already timed out before the
ICMP error message arrived, which is unlikely, or by network reconnaissance scanning or a DoS attack in progress
using a tool that crafts such packets.
Signature ID: 100026
Invalid TCP Response when ACK+SYN or RST+ACK Expected
Threat Level: Critical
Signature Description: TCP is a stateful protocol (RFC 793), which implies that a connection is established first and
then data starts flowing. Each TCP connection starts with a three-way handshake: the client sends a packet with the SYN
flag set, the server replies with a packet with the SYN and ACK flags set, and finally the connection is established
when the client sends a packet with the ACK flag set. This rule hits when the system detects an ACK-only packet (or a
packet with any other flag combination except RST) when a SYN+ACK or RST+ACK is expected. This log does not represent
a vulnerability; instead it indicates that some old (outdated or malfunctioning) TCP/IP stacks are active.
Signature ID: 100027
TCP Packet with No Flag Set
Threat Level: Critical
Signature Description: TCP is a stateful protocol (RFC 793), which implies that a connection is established first and
then data starts flowing. Each packet is acknowledged to prevent data loss. This state awareness comes from the use of
flags, which are control bits that indicate the type of packet. Every TCP packet should have at least one flag set. This
rule hits when the IPS device detects a TCP packet with no flag set. This activity is indicative of a scan method called
"TCP NULL." If the remote end is not listening on the probed port, a RESET packet should be returned, while an open port
stays silent; the difference gives the attacker a hint about which ports are open. This scan is the opposite of XMAS,
where all TCP flags are set.
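The handshake expectation behind signature 100026 and the no-flags check behind signature 100027, as an added Python example that is not part of this guide or of the TMS zl Module's own code: the tracker records a client SYN, expects the server to answer with SYN+ACK or RST(+ACK), flags any other reply, and flags separately a segment with no control bits at all. The TcpHandshakeTracker class, the use of the signature IDs as return values, and the sample segments are assumptions constructed for illustration.

```python
import struct

# RFC 793 control bits (byte 13 of the TCP header).
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


def build_tcp(sport, dport, flags, seq=0, ack=0):
    """Minimal 20-byte TCP header (no options, checksum left zero) for the
    constructed sample traffic below."""
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags,
                       8192, 0, 0)


def tcp_flags(tcp):
    """Return the six RFC 793 control bits; the two high bits of byte 13
    (CWR/ECE, RFC 3168) are masked off so an ECN-capable SYN is still a SYN."""
    return tcp[13] & 0x3F


class TcpHandshakeTracker:
    """Three-way-handshake tracker. Hypothetical alert ids (the signature
    numbers from this guide): 100026 when the reply to a SYN is neither
    SYN+ACK nor RST(+ACK), 100027 when a segment has no control bits (TCP NULL)."""

    def __init__(self):
        # (client, sport, server, dport) -> "SYN_SENT" | "SYN_RECEIVED" | "ESTABLISHED"
        self.state = {}

    def inspect(self, src, dst, tcp):
        flags = tcp_flags(tcp)
        sport, dport = struct.unpack("!HH", tcp[:4])
        if flags == 0:
            return 100027                       # nothing set: NULL scan probe
        forward = (src, sport, dst, dport)      # key as seen from this sender
        backward = (dst, dport, src, sport)     # key as recorded by the peer
        if flags & SYN and not flags & ACK:
            self.state[forward] = "SYN_SENT"    # client opens a connection
            return None
        if self.state.get(backward) == "SYN_SENT":
            # Server reply: only SYN+ACK (accept) or RST / RST+ACK (refuse) are valid.
            if flags & (SYN | ACK) == SYN | ACK:
                self.state[backward] = "SYN_RECEIVED"
                return None
            if flags & RST:
                del self.state[backward]
                return None
            return 100026                       # e.g. a bare ACK where SYN+ACK was due
        if self.state.get(forward) == "SYN_RECEIVED" and flags & ACK:
            self.state[forward] = "ESTABLISHED"  # client's final ACK
        return None


def run_sample():
    """Constructed traffic (not a capture): one broken-stack reply, one good
    handshake and one NULL probe. Returns the per-segment verdicts and the
    final state of the good handshake."""
    t = TcpHandshakeTracker()
    c, s = "10.0.0.5", "192.0.2.10"
    verdicts = [
        t.inspect(c, s, build_tcp(40000, 80, SYN, seq=1)),
        t.inspect(s, c, build_tcp(80, 40000, ACK, ack=2)),                # 100026
        t.inspect(c, s, build_tcp(40001, 80, SYN, seq=1)),
        t.inspect(s, c, build_tcp(80, 40001, SYN | ACK, seq=500, ack=2)),
        t.inspect(c, s, build_tcp(40001, 80, ACK, seq=2, ack=501)),
        t.inspect(c, s, build_tcp(40002, 22, 0)),                         # 100027
    ]
    return verdicts, t.state[(c, 40001, s, 80)]


if __name__ == "__main__":
    print(run_sample())
```

A bare RST is accepted as a refusal as well as RST+ACK, matching the rule text, which excludes RST from the alert condition; a real tracker would also age out SYN_SENT entries so that half-open scans do not grow the table without bound.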
Signature ID: 100028
ICMP Error Message Misbehavior (Repeated transmission)
Threat Level: Critical
Signature Description: ICMP is the protocol used by IP to report errors in delivering a packet to its destination or to
query the status of a remote host. Once a session is established, any error in the connection is reported by an ICMP
error packet (e.g. ICMP type 3, Destination Unreachable) from the destination side. Under normal conditions only one
such packet is sent; if the same error is encountered again on another packet delivery, another ICMP error packet is
sent. In other words, between any two ICMP error packets from the same direction there must be another IP packet from
the other direction. This rule hits when the system detects more than one ICMP error packet from the same direction in
succession. Such behavior may be observed due to a network abnormality. There is also a chance that an attacker is
flooding error messages, since some organizations allow ICMP error packets through.
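The session correlation described for signature 100024 and the repeated-error check of signature 100028, as an added Python example that is not part of this guide or of the TMS zl Module's own code. The monitor learns TCP/UDP sessions from ordinary traffic, and on an ICMP error it parses the embedded datagram, rebuilds its 5-tuple selector from the inner IP header plus the first transport bytes (RFC 792 only guarantees the inner header and 8 bytes of the original payload), and looks the session up; an error with no matching session is reported as 100024, and a second error from the same sender with no packet from the other direction in between as 100028. The IcmpErrorMonitor class, the use of the signature IDs as return values, and the sample packets are assumptions constructed for illustration.

```python
import struct

ICMP_PROTO = 1
# ICMP error types that carry the offending datagram (RFC 792): Destination
# Unreachable, Source Quench, Time Exceeded, Parameter Problem.
ICMP_ERROR_TYPES = {3, 4, 11, 12}


def ip_to_bytes(addr):
    return bytes(int(octet) for octet in addr.split("."))


def bytes_to_ip(raw):
    return ".".join(str(octet) for octet in raw)


def build_ipv4(src, dst, proto, payload):
    """Minimal IPv4 header (no options, checksum left zero) for the
    constructed sample traffic below."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0,
                         64, proto, 0, ip_to_bytes(src), ip_to_bytes(dst))
    return header + payload


def parse_ipv4(pkt):
    """Return (src, dst, proto, layer-4 bytes), honouring IHL for options."""
    ihl = (pkt[0] & 0x0F) * 4
    return bytes_to_ip(pkt[12:16]), bytes_to_ip(pkt[16:20]), pkt[9], pkt[ihl:]


def selector(pkt):
    """5-tuple of a TCP/UDP datagram. Only the first 4 transport bytes (the
    ports) are read, which lie inside the 8 bytes an ICMP error must echo."""
    src, dst, proto, l4 = parse_ipv4(pkt)
    sport, dport = struct.unpack("!HH", l4[:4])
    return (src, sport, dst, dport, proto)


def reverse(sel):
    return (sel[2], sel[3], sel[0], sel[1], sel[4])


class IcmpErrorMonitor:
    """Session tracker returning hypothetical alert ids 100024 / 100028."""

    def __init__(self):
        self.sessions = {}  # 5-tuple in either direction -> shared state dict

    def inspect(self, pkt):
        src, dst, proto, l4 = parse_ipv4(pkt)
        if proto == ICMP_PROTO:
            if l4[0] not in ICMP_ERROR_TYPES:
                return None              # echo etc. are not tracked here
            return self._inspect_error(src, l4[8:])   # skip 8-byte ICMP header
        sel = selector(pkt)
        state = self.sessions.get(sel)
        if state is None:
            state = {"last_error_sender": None}       # learn a new session
            self.sessions[sel] = state
            self.sessions[reverse(sel)] = state
        elif state["last_error_sender"] not in (None, src):
            state["last_error_sender"] = None  # traffic from the other side re-arms
        return None

    def _inspect_error(self, sender, inner):
        if len(inner) < 24:
            return 100024                # no usable datagram to correlate
        state = self.sessions.get(selector(inner))
        if state is None:
            return 100024                # uninitiated: no session matches
        if state["last_error_sender"] == sender:
            return 100028                # repeated error, nothing in between
        state["last_error_sender"] = sender
        return None


def run_sample():
    """Constructed packets (not captures): one real session receiving
    Destination Unreachable twice in a row, then a forged error for a
    session that was never seen."""
    mon = IcmpErrorMonitor()
    client, server = "10.0.0.5", "192.0.2.10"
    syn = build_ipv4(client, server, 6, struct.pack("!HHI", 40000, 80, 1000))
    unreachable = build_ipv4(server, client, ICMP_PROTO,
                             struct.pack("!BBHI", 3, 3, 0, 0) + syn)
    never_sent = build_ipv4(client, "203.0.113.9", 17,
                            struct.pack("!HHI", 50000, 53, 0))
    forged = build_ipv4("198.51.100.7", client, ICMP_PROTO,
                        struct.pack("!BBHI", 3, 1, 0, 0) + never_sent)
    return [mon.inspect(syn), mon.inspect(unreachable), mon.inspect(unreachable),
            mon.inspect(syn), mon.inspect(unreachable), mon.inspect(forged)]


if __name__ == "__main__":
    print(run_sample())
```

The repeated-error check is reset only by a packet from the side that received the error, as the rule text requires; further traffic from the error sender itself does not count. A production tracker would also expire sessions, which is the benign explanation the 100024 description mentions for a lookup miss.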