TMS zl Module IPS/IDS Signature Reference Guide RLX.10.2.2.94

scan packets include the data-link header, an IP header, and a UDP header, and nothing else. By varying the destination
port value in the UDP header and watching the responses, an attacker can determine which UDP ports are listening on
the target device. If the target device does not listen on a port, it replies with an ICMP Destination Unreachable
(Port Unreachable) packet. This rule hits when the IPS device detects a rise in such packets (to the same destination but
for different ports) during a short period of time.
Signature ID: 100041
IP Protocols Scan
Threat Level: Information
Signature Description: The IP protocol scan differs from the other scans: it searches for additional IP protocols in use
by the remote station, such as ICMP, TCP, and UDP. If a router is scanned, additional IP protocols such as EGP or IGP
may be identified. An unavailable IP protocol does not respond to the scan; an available IP protocol provides a response
specific to its type, such as an RST packet for TCP. This rule hits when the IPS device detects a rise in such packets,
for different destinations, during a short period of time.
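The two scan signatures above both reduce to the same detection primitive: count the distinct values (probed UDP ports, or probed IP protocol numbers) seen between one pair of hosts inside a short time window and alert once the count crosses a threshold. The following is an added Python example, not code from the guide or the TMS zl Module; the window length, the threshold of five, the packet record layout and all sample traffic are constructed for illustration. The UDP port-scan rule keys on the ICMP Port Unreachable replies the description mentions (type 3, code 3, quoting the original destination port); the protocol-scan rule keys on the distinct IP protocol numbers sent between the same two hosts.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    """Minimal decoded packet record (constructed for this example)."""
    ts: float                         # capture time in seconds
    src: str                          # source IP
    dst: str                          # destination IP
    proto: int                        # IP protocol number: 1 = ICMP, 6 = TCP, 17 = UDP
    icmp_type: Optional[int] = None
    icmp_code: Optional[int] = None
    orig_dport: Optional[int] = None  # ICMP errors quote the original datagram; its UDP dst port


class DistinctBurstDetector:
    """Sliding-window counter: for each key, track the distinct values seen in the
    last `window` seconds and fire once that count reaches `threshold`."""

    def __init__(self, window: float, threshold: int):
        self.window = window
        self.threshold = threshold
        self._events = defaultdict(deque)  # key -> deque of (ts, value), oldest first

    def observe(self, ts: float, key, value) -> Optional[int]:
        q = self._events[key]
        q.append((ts, value))
        while q and ts - q[0][0] > self.window:   # expire events that left the window
            q.popleft()
        distinct = {v for _, v in q}
        return len(distinct) if len(distinct) >= self.threshold else None


def udp_port_scan_alerts(packets, window=2.0, threshold=5):
    """Port Unreachable replies (ICMP type 3, code 3) from one host to one peer
    that quote many different UDP ports within a short time."""
    det = DistinctBurstDetector(window, threshold)
    alerts = []
    for p in packets:
        if p.proto == 1 and p.icmp_type == 3 and p.icmp_code == 3:
            hit = det.observe(p.ts, (p.src, p.dst), p.orig_dport)
            if hit:
                alerts.append((p.ts, p.src, p.dst, hit))
    return alerts


def ip_protocol_scan_alerts(packets, window=2.0, threshold=5):
    """Many different IP protocol numbers sent between the same pair of hosts
    within a short time (the probe side of a protocol scan)."""
    det = DistinctBurstDetector(window, threshold)
    alerts = []
    for p in packets:
        hit = det.observe(p.ts, (p.src, p.dst), p.proto)
        if hit:
            alerts.append((p.ts, p.src, p.dst, hit))
    return alerts


# Constructed sample traffic: 10.0.0.9 answers a UDP sweep from 10.0.0.5 with
# Port Unreachable replies for ten different ports within one second.
UDP_SWEEP_RESPONSES = [
    Packet(ts=100.0 + i * 0.1, src="10.0.0.9", dst="10.0.0.5", proto=1,
           icmp_type=3, icmp_code=3, orig_dport=1000 + i)
    for i in range(10)
]
# Constructed benign noise: one Port Unreachable to another peer, and repeated
# Port Unreachables for a single port (a failing application, not a scan).
BENIGN = [
    Packet(ts=100.2, src="10.0.0.9", dst="10.0.0.7", proto=1, icmp_type=3, icmp_code=3, orig_dport=53),
] + [
    Packet(ts=200.0 + i * 0.1, src="10.0.0.9", dst="10.0.0.8", proto=1, icmp_type=3, icmp_code=3, orig_dport=161)
    for i in range(10)
]
# Constructed protocol sweep: 10.0.0.5 sends seven different IP protocols to 10.0.0.9.
PROTO_SWEEP = [
    Packet(ts=300.0 + i * 0.1, src="10.0.0.5", dst="10.0.0.9", proto=pr)
    for i, pr in enumerate([1, 2, 6, 17, 41, 47, 50])
]

if __name__ == "__main__":
    for a in udp_port_scan_alerts(UDP_SWEEP_RESPONSES + BENIGN):
        print("UDP port scan: %s -> %s, %d distinct ports at t=%.1f" % (a[1], a[2], a[3], a[0]))
    for a in ip_protocol_scan_alerts(PROTO_SWEEP):
        print("IP protocol scan: %s -> %s, %d distinct protocols at t=%.1f" % (a[1], a[2], a[3], a[0]))
```

Counting distinct values rather than raw packets is what keeps the repeated Port Unreachable for port 161 in the benign sample from alerting: a single unreachable service produces many identical replies, whereas a sweep produces many different ones.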
Signature ID: 100042
IP Packet with Protocol Field as Zero
Threat Level: Critical
Signature Description: IP is the carrier protocol for higher-level protocols such as TCP and UDP. The IP header has
many fields; the "Protocol" field identifies the transport-layer protocol carried in the packet, such as TCP or UDP. In
IPv4 there is no protocol with number 0; the value 0 is reserved. This rule hits when the system detects an IP packet
whose "Protocol" field is set to 0. Such traffic is generated by many IDS/IPS testing tools, for example TFN2K.
Signature ID: 100043
ICMP Uncommon Type Packet
Threat Level: Critical
Signature Description: ICMP is the protocol used by IP to report errors (or other information) about the delivery of a
packet to its destination. The most commonly (and normally) seen ICMP packet types are 0, 3, 4, 5, 6 and 11; packets
with these types are seen on most networks. The IPS device generates an alert when it sees an ICMP packet with a type
other than those listed above. In an L2 implementation, type 5 also causes the IPS to generate the alarm. Such packets
are dropped and an alarm is generated because these ICMP types may disclose information about the network, and they
are not required for normal operation.
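Signatures 100042 and 100043 are both single-packet header checks, so one decoder serves both: parse the fixed IPv4 header, flag a Protocol field of 0, and for ICMP (protocol 1) compare the type against the list of commonly seen types the description gives. The following is an added Python example, not code from the guide or the TMS zl Module. The `COMMON_ICMP_TYPES` set is taken from the description as written (note that it does not include type 8, echo request, which this check would therefore also report); the packet builder is a constructed test helper that leaves the IPv4 header checksum at zero, and the parser does not validate that checksum.

```python
import socket
import struct

# ICMP types the guide lists as normally seen on most networks (signature 100043).
COMMON_ICMP_TYPES = {0, 3, 4, 5, 6, 11}

IPV4_HDR = "!BBHHHBBH4s4s"   # fixed 20-byte IPv4 header, network byte order


def parse_ipv4(raw: bytes) -> dict:
    """Decode the fixed IPv4 header and return the fields the two rules need.
    The header checksum is not validated here."""
    if len(raw) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, _tos, total_len, _ident, _flags_frag, ttl,
     proto, _hdr_csum, src, dst) = struct.unpack(IPV4_HDR, raw[:20])
    version, ihl = ver_ihl >> 4, (ver_ihl & 0x0F) * 4
    if version != 4 or ihl < 20 or len(raw) < ihl or total_len < ihl:
        raise ValueError("not a well-formed IPv4 packet")
    return {
        "src": socket.inet_ntoa(src),
        "dst": socket.inet_ntoa(dst),
        "ttl": ttl,
        "proto": proto,
        "payload": raw[ihl:total_len],
    }


def inspect(raw: bytes) -> list:
    """Apply the protocol-zero and uncommon-ICMP-type checks to one IPv4 packet."""
    alerts = []
    pkt = parse_ipv4(raw)
    if pkt["proto"] == 0:
        alerts.append("IP Packet with Protocol Field as Zero")
    if pkt["proto"] == 1:                      # ICMP
        payload = pkt["payload"]
        if len(payload) < 4:                   # type, code and checksum need 4 bytes
            alerts.append("ICMP header truncated")
        elif payload[0] not in COMMON_ICMP_TYPES:
            alerts.append("ICMP Uncommon Type Packet (type %d, code %d)" % (payload[0], payload[1]))
    return alerts


def build_ipv4(proto: int, payload: bytes, src="10.0.0.5", dst="10.0.0.9") -> bytes:
    """Constructed test packet: minimal IPv4 header (header checksum left at 0) plus payload."""
    hdr = struct.pack(IPV4_HDR, 0x45, 0, 20 + len(payload), 0x1234, 0x4000, 64,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload


# Constructed samples: an echo reply (common), a timestamp request (uncommon),
# a packet with Protocol field 0, and an ordinary UDP datagram.
ICMP_ECHO_REPLY = build_ipv4(1, bytes([0, 0, 0xF7, 0xFF, 0, 1, 0, 1]) + b"ping")
ICMP_TIMESTAMP_REQ = build_ipv4(1, bytes([13, 0, 0, 0]) + bytes(16))
PROTOCOL_ZERO = build_ipv4(0, b"")
UDP_DNS_QUERY = build_ipv4(17, struct.pack("!HHHH", 53000, 53, 8, 0))

if __name__ == "__main__":
    for name, pkt in [("echo reply", ICMP_ECHO_REPLY), ("timestamp request", ICMP_TIMESTAMP_REQ),
                      ("protocol zero", PROTOCOL_ZERO), ("udp dns", UDP_DNS_QUERY)]:
        print("%-18s %s" % (name, inspect(pkt) or "no alert"))
```

Slicing the payload to `total_len` rather than to the end of the buffer matters on real captures, where trailing Ethernet padding would otherwise be mistaken for ICMP data.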
Signature ID: 100044
TCP/UDP Packet with Mismatching Checksum Value
Threat Level: Critical
Signature Description: IP is the carrier protocol for higher-level protocols such as TCP and UDP. Each of these
transport-layer protocols has a mechanism to detect data damaged in transmission: the sender calculates a checksum over
the data being sent and places the value in the header field called "Checksum". The receiving host applies the same
algorithm, and if the two values are identical the packet is accepted as "received". This rule hits when the system
detects a TCP/UDP packet for which the checksum value carried in the packet and the calculated checksum do not match.
This does not necessarily indicate an attack, since such errors can also be caused by layer-one transmission problems.
However, the administrator should inspect such traffic if an application that could be the target of a
man-in-the-middle attack is involved.
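The comparison the description makes, computed checksum against the carried checksum, is the same one's-complement algorithm for TCP and UDP; what differs is the offset of the checksum field and, for UDP, the special handling of a zero result. The following is an added Python example, not code from the guide or the TMS zl Module. Both the verifier and the TCP/UDP segment builders are written here for illustration, the addresses and payloads are constructed, and treating a carried UDP checksum of zero as "no checksum present" rather than as a mismatch is a design choice of this example.

```python
import socket
import struct

# Offset of the checksum field within the transport header, by IP protocol number.
CHECKSUM_OFFSET = {6: 16, 17: 6}   # 6 = TCP, 17 = UDP


def ones_complement_sum(data: bytes) -> int:
    """16-bit one's-complement sum with end-around carry (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"                  # pad an odd trailing byte with zero
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def internet_checksum(data: bytes) -> int:
    """The value the sender writes into the header: one's complement of the sum."""
    return (~ones_complement_sum(data)) & 0xFFFF


def pseudo_header(src: str, dst: str, proto: int, length: int) -> bytes:
    """IPv4 pseudo-header covered by TCP and UDP checksums (RFC 768 / RFC 793)."""
    return socket.inet_aton(src) + socket.inet_aton(dst) + struct.pack("!BBH", 0, proto, length)


def compute_transport_checksum(src, dst, proto, segment: bytes) -> int:
    off = CHECKSUM_OFFSET[proto]
    zeroed = segment[:off] + b"\x00\x00" + segment[off + 2:]   # field is zero while computing
    csum = internet_checksum(pseudo_header(src, dst, proto, len(segment)) + zeroed)
    if proto == 17 and csum == 0:
        csum = 0xFFFF                    # RFC 768: a computed zero is sent as all ones
    return csum


def verify_transport_checksum(src, dst, proto, segment: bytes) -> bool:
    """True when the checksum carried in the segment matches the one computed over
    pseudo-header plus segment; this is the comparison the signature describes."""
    off = CHECKSUM_OFFSET[proto]
    stored = struct.unpack("!H", segment[off:off + 2])[0]
    if proto == 17 and stored == 0:
        return True                      # IPv4 UDP: zero means "no checksum", not a mismatch (design choice)
    return compute_transport_checksum(src, dst, proto, segment) == stored


def build_udp(src, dst, sport, dport, payload: bytes) -> bytes:
    """Constructed UDP datagram with a correct checksum."""
    seg = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    csum = compute_transport_checksum(src, dst, 17, seg)
    return seg[:6] + struct.pack("!H", csum) + seg[8:]


def build_tcp(src, dst, sport, dport, payload: bytes, seq=1, ack=0, flags=0x18) -> bytes:
    """Constructed TCP segment (20-byte header, PSH|ACK) with a correct checksum."""
    seg = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0) + payload
    csum = compute_transport_checksum(src, dst, 6, seg)
    return seg[:16] + struct.pack("!H", csum) + seg[18:]


if __name__ == "__main__":
    src, dst = "10.0.0.5", "10.0.0.9"
    udp = build_udp(src, dst, 53000, 53, b"hello")
    print("intact UDP:", verify_transport_checksum(src, dst, 17, udp))
    # one payload byte changed, as a damaged or tampered datagram would look on the wire
    print("damaged UDP:", verify_transport_checksum(src, dst, 17, udp[:8] + b"jello"))
    tcp = build_tcp(src, dst, 40000, 443, b"GET / HTTP/1.0\r\n\r\n")
    print("intact TCP:", verify_transport_checksum(src, dst, 6, tcp))
```

Because the pseudo-header includes both IP addresses, a segment whose checksum is correct for its original addresses fails verification when the addresses no longer match; this is why an inspection device must compute the checksum with the addresses from the enclosing IP header rather than over the transport segment alone.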
Signature ID: 100045
ICMP Type: invalid Code: Received duplicate sequence number
Threat Level: Critical
Signature Description: ICMP Type: invalid Code: Received duplicate sequence number