TMS zl Module IPS/IDS Signature Reference Guide RLX.10.2.2.94
Signature ID: 100030
Reset replay attack
Threat Level: Critical
Signature Description: A TCP reset attack is a denial of service (DoS) attack in which the attacker attempts to
prematurely terminate a victim's active TCP session. The attacker spoofs a packet that matches the source port, IP
address and current sequence number of the active TCP connection, sets the RST bit on the spoofed packet and then
sends it. When the host receives the spoofed packet, it immediately terminates the connection. This does not present a
serious risk for many connections, but could create significant damage and/or disruption if used effectively.
Signature ID: 100031
Connection Closed by RST/FIN before Any Data Transfer
Threat Level: Critical
Signature Description: TCP is a stateful protocol (RFC 793), which implies that a connection is established first and
then data starts flowing. Normally, once a TCP connection is established, some data should flow in at least one
direction. This rule hits when the IPS device detects connection termination before any data starts flowing. This type
of behavior is indicative of scanning activity called "Full TCP Scan". If many logs are generated during a small period
of time, the administrator is advised to be alert, as some scanning activity is underway.
Signature ID: 100033
TCP SYN Scan
Threat Level: Information
Signature Description: SYN scan is the most popular form of TCP scanning. A port scanner generates raw IP packets
to initiate a TCP connection on a particular port and monitors for responses. This scan type is also known as "half-open
scanning," because it never actually opens a full TCP connection. The port scanner generates a SYN packet. If the
target port is open, it will respond with a SYN-ACK packet. The scanner host responds with a RST packet, closing the
connection before the handshake is completed. This rule hits when the system detects a rise in half-open TCP
connections during a short period of time.
Signature ID: 100034
TCP Connect Scan
Threat Level: Information
Signature Description: TCP is a stateful protocol (RFC 793), which implies that a connection is established first and
then data starts flowing. A connection is established only when the three-way handshake is completed, which implies
that the corresponding port is open. Therefore, TCP three-way handshake completion can be used for TCP port scanning.
Unlike the TCP SYN scan, the TCP connect scan uses a normal TCP connection to determine whether a port is available
and then closes the connection by sending a RST packet. This rule hits when the IPS device detects a rise in such TCP
connections.
Signature ID: 100035
TCP FIN Scan
Threat Level: Information
Signature Description: Attackers use a TCP FIN scan to identify listening TCP port numbers based on how the target
device reacts to a transaction close request for a TCP port, even though no connection may exist (i.e. the TCP
three-way handshake is not completed before these close requests, FIN packets, are made). This type of scan can get
through basic firewalls and boundary routers that filter on incoming TCP packets with the Finish (FIN) and ACK flag
combination. The TCP packets used in this scan have only the TCP FIN flag set. If the target device's TCP port is
closed, the target device sends a TCP RST packet in reply. If the target device's TCP port is open, the target device
discards the FIN and sends no reply. This rule hits when the IPS device detects a rise in such packets during a short
period of time.
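The rate-based detection that signatures 100031 through 100035 describe (classify each connection by the flags seen and whether data flowed, then alert when one source produces many of the same kind in a short window), as an added illustration that is not code from this guide or from the TMS zl module. The connection-record fields, the threshold, the window length and the sample records are all assumptions made for the example.

```python
from collections import defaultdict, deque

# Assumed tuning values for this illustration, not the module's own settings.
THRESHOLD = 5   # same-kind events from one source that trigger an alert
WINDOW = 10     # seconds (integer timestamps keep the sliding window exact)

# Signature IDs from the guide; the mapping is an educational approximation.
RULES = {
    "half_open": "100033",        # TCP SYN Scan
    "connect_no_data": "100034",  # TCP Connect Scan (also matches 100031)
    "bare_fin": "100035",         # TCP FIN Scan
}

def classify(conn):
    """conn: dict with client_flags (ordered flags the client sent),
    handshake (True once SYN, SYN-ACK, ACK completed) and data_bytes."""
    flags = conn["client_flags"]
    if flags == ["FIN"] and not conn["handshake"]:
        return "bare_fin"            # FIN with no prior handshake
    if flags[:1] == ["SYN"] and not conn["handshake"] and "RST" in flags:
        return "half_open"           # SYN, then RST before the handshake completes
    if conn["handshake"] and conn["data_bytes"] == 0 and flags[-1] in ("RST", "FIN"):
        return "connect_no_data"     # full handshake, closed with no payload
    return "normal"

def detect(conns, threshold=THRESHOLD, window=WINDOW):
    """Sliding-window count per (source, scan kind); returns (rule id, src, ts)
    for each record at which the count within the window reaches threshold."""
    recent = defaultdict(deque)
    alerts = []
    for c in sorted(conns, key=lambda c: c["ts"]):
        kind = classify(c)
        if kind == "normal":
            continue
        q = recent[(c["src"], kind)]
        q.append(c["ts"])
        while q and c["ts"] - q[0] > window:   # drop timestamps outside the window
            q.popleft()
        if len(q) == threshold:
            alerts.append((RULES[kind], c["src"], c["ts"]))
    return alerts

def _conn(ts, src, dport, flags, handshake, data):
    return {"ts": ts, "src": src, "dst": "10.0.0.9", "dport": dport,
            "client_flags": flags, "handshake": handshake, "data_bytes": data}

# Constructed sample: one source probing six ports half-open, one normal client,
# and a single FIN-only probe that stays below the threshold.
SAMPLE = [_conn(1 + i, "10.0.0.5", 20 + i, ["SYN", "RST"], False, 0) for i in range(6)]
SAMPLE += [_conn(2, "10.0.0.7", 443, ["SYN", "ACK", "FIN"], True, 1520),
           _conn(3, "10.0.0.8", 22, ["FIN"], False, 0)]
```

Running `detect(SAMPLE)` reports only the SYN-scan source, on the fifth half-open connection; the lone FIN probe is classified but never reaches the threshold.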