ProCurve TMS zl Module IPS/IDS Signature Reference Guide, Version RLX.10.2.2.94
Signature ID: 100036
TCP NULL Scan
Threat Level: Information
Signature Description: Port scanning is one of the most common activities carried out by hackers. Almost
always, the first thing a hacker does when trying to get root on a remote system is to conduct a port scan of
the target system and obtain a list of open ports. Port scanners employ several different scanning techniques, and
the TCP NULL scan is one of them. Each flag in the TCP header is supposed to perform a particular function, and the
flags are turned on or off according to the operation the sender wishes to perform. When a client sends a packet with
all of the flags turned off, the server has no indication of what it should do with the packet or why the client sent
it. If the NULL packet is directed to an open port, the service running on that port replies with an error message.
However, if the NULL packet is directed to a closed port, the remote system replies with a RST (reset), because the
NULL packet it received did not contain enough information to establish a connection.
Signature ID: 100037
TCP XMAS Scan
Threat Level: Information
Signature Description: Attackers use the TCP XMAS scan to identify listening TCP ports. This scan uses a series of
strangely configured TCP packets, which contain a sequence number of 0 and have the Urgent (URG), Push (PSH), and FIN
flags set. Again, this type of scan can get through some basic firewalls and boundary routers that filter incoming TCP
packets with standard flag settings. If the target device's TCP port is closed, the target device sends a TCP RST packet
in reply. If the target device's TCP port is open, the target discards the TCP XMAS scan packet and sends no reply. This
rule hits when the IPS device detects a rise in such packets during a short period of time.
Signature ID: 100038
TCP Ack Scan
Threat Level: Information
Signature Description: Attackers use the TCP ACK scan to identify, for example, active web sites that do not respond
to standard ICMP pings because they have been configured to ignore them. The TCP ACK scan uses TCP packets with the
ACK flag set, sent to a probable port number (a port that is most likely open on the destination). For example, port 80
is the standard port used for HTTP communications. The purpose of the TCP ACK packet is simply to determine whether the
host is active. If the target device is available and the HTTP port is open, the target device sends a TCP RST packet in
reply. This rule hits when the IPS device detects a rise in such packets during a short period of time.
Signature ID: 100039
Ping Scan
Threat Level: Information
Signature Description: Ping is the ICMP-based utility used to determine the status of a host. It sends an ICMP echo
request (type 8) to the destination, and if the host is up, the host sends an ICMP echo reply (type 0) back to the
sender. An attacker can discover valid IP addresses by sending pings to internal hosts. This rule hits when the IPS
device detects a rise in such packets, sent to different destinations, during a short period of time.
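The four signatures above (TCP NULL, TCP XMAS, TCP ACK and Ping Scan) share one detection shape: classify each packet by its TCP flags or ICMP type, then alert when a single source produces a rise in such packets within a short window. The following Python is an added illustration of that logic and is not ProCurve or TMS zl code. The guide does not publish the module's actual thresholds, so the window (5 seconds) and count (10 packets, or 10 distinct destinations for the ping case) are assumptions, and the packet records are constructed dictionaries rather than captured traffic.

```python
"""Toy rate-based scan detector modelled on the signature descriptions.
Added example; thresholds and packet format are assumptions, not the module's."""
from collections import defaultdict, deque

# TCP flag bit positions as found in the TCP header flags byte
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

# Assumed detection parameters (the guide does not state the real values)
WINDOW = 5.0      # seconds of history kept per (source, signature)
THRESHOLD = 10    # qualifying packets (or distinct ping targets) before alerting


def classify(pkt):
    """Map one packet record to the signature name it matches, or None.

    pkt keys used: proto ('tcp' or 'icmp'), flags and seq for TCP, icmp_type for ICMP.
    """
    if pkt["proto"] == "tcp":
        flags = pkt["flags"]
        if flags == 0:
            return "TCP NULL Scan"             # every flag turned off
        if flags == (URG | PSH | FIN) and pkt.get("seq", 0) == 0:
            return "TCP XMAS Scan"             # URG+PSH+FIN with sequence number 0
        if flags == ACK:
            return "TCP Ack Scan"              # bare ACK probe (stateless toy: no session check)
    elif pkt["proto"] == "icmp" and pkt.get("icmp_type") == 8:
        return "Ping Scan"                     # ICMP echo request
    return None


class ScanRateDetector:
    """Sliding-window counter keyed by (source address, signature)."""

    def __init__(self, window=WINDOW, threshold=THRESHOLD):
        self.window = window
        self.threshold = threshold
        self.events = defaultdict(deque)   # (src, sig) -> deque of (ts, dst)
        self.last_alert = {}               # (src, sig) -> timestamp of last alert

    def observe(self, pkt):
        """Feed one packet; return the signature name when the rule fires, else None."""
        sig = classify(pkt)
        if sig is None:
            return None
        key = (pkt["src"], sig)
        q = self.events[key]
        q.append((pkt["ts"], pkt["dst"]))
        while q and pkt["ts"] - q[0][0] > self.window:   # drop events older than the window
            q.popleft()
        if sig == "Ping Scan":
            count = len({dst for _, dst in q})           # sweep = many distinct destinations
        else:
            count = len(q)
        last = self.last_alert.get(key)
        if count >= self.threshold and (last is None or pkt["ts"] - last > self.window):
            self.last_alert[key] = pkt["ts"]             # one alert per source per window
            return sig
        return None


def build_sample():
    """Constructed packet trace (not captured traffic) exercising each branch."""
    pkts = []
    for i in range(12):        # 12 NULL-flag probes: crosses the threshold
        pkts.append({"ts": 0.1 * i, "src": "10.0.0.5", "dst": "192.0.2.10",
                     "proto": "tcp", "dport": 1 + i, "flags": 0, "seq": 7})
    for i in range(4):         # 4 XMAS probes: too few to fire
        pkts.append({"ts": 1.0 + 0.1 * i, "src": "10.0.0.6", "dst": "192.0.2.10",
                     "proto": "tcp", "dport": 20 + i, "flags": URG | PSH | FIN, "seq": 0})
    for i in range(10):        # echo requests to 10 distinct hosts: a ping sweep
        pkts.append({"ts": 2.0 + 0.1 * i, "src": "10.0.0.7", "dst": f"192.0.2.{i + 1}",
                     "proto": "icmp", "icmp_type": 8})
    for i in range(15):        # 15 echo requests to one host: not a sweep
        pkts.append({"ts": 3.0 + 0.1 * i, "src": "10.0.0.8", "dst": "192.0.2.1",
                     "proto": "icmp", "icmp_type": 8})
    pkts.append({"ts": 5.0, "src": "10.0.0.9", "dst": "192.0.2.10",   # ordinary SYN
                 "proto": "tcp", "dport": 80, "flags": SYN, "seq": 1234})
    return sorted(pkts, key=lambda p: p["ts"])


def run_sample():
    """Run the detector over the constructed trace; returns [(signature, source), ...]."""
    det = ScanRateDetector()
    alerts = []
    for pkt in build_sample():
        sig = det.observe(pkt)
        if sig:
            alerts.append((sig, pkt["src"]))
    return alerts


if __name__ == "__main__":
    for sig, src in run_sample():
        print(f"ALERT {sig} from {src}")
```

The ping branch counts distinct destinations rather than raw packets, which is what separates the sweep the signature describes from a host repeatedly pinging one peer. The TCP ACK branch is deliberately stateless here; a real IPS would additionally check that the bare ACK belongs to no established connection, otherwise ordinary traffic would inflate the count.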
Signature ID: 100040
UDP Scan
Threat Level: Information
Signature Description: Attackers use UDP Port scans to identify listening UDP ports on a target host. These port
numbers identify the UDP-based application-layer protocols, such as DNS, which are running on a target device. UDP