ProCurve TMS zl Module IPS/IDS Signature Reference Guide, Version RLX.10.2.2.94
Signature ID: 100050
TCP Packet with Out-of-Range Sequence Number Received
Threat Level: Severe
Signature Description: TCP is a stateful protocol (RFC 793): a connection is established first, and only
then does data start flowing. Each packet is acknowledged to prevent data loss. To keep packets in order, TCP
uses sequence numbers; each packet carries a unique sequence number for that session. The sequence number
depends on the window size, which is published by the recipient. A sequence number is considered valid if it falls
within the range from "last packet's sequence number" to "last packet's sequence number" + window size. This rule
hits when the IPS device detects a packet whose sequence number falls outside that range. Such a packet is
indicative of a possible packet injection attempt.
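The range check described for signature 100050, as an added example (not code from the guide or from the TMS zl module). It applies the rule exactly as worded above, evaluated modulo 2^32 so that it stays correct when the sequence number wraps; the function names, the constant window, and the sample flow are constructed for illustration.

```python
MOD = 1 << 32  # TCP sequence numbers are 32-bit and wrap around to 0


def seq_in_window(seq, last_seq, window):
    """Rule as described: last_seq <= seq <= last_seq + window.

    The distance is taken modulo 2**32, so a segment just past the
    wrap point is still measured correctly against the previous one.
    """
    return (seq - last_seq) % MOD <= window


def naive_in_window(seq, last_seq, window):
    """Plain integer comparison, shown only to expose the wraparound pitfall."""
    return last_seq <= seq <= last_seq + window


def audit_flow(first_seq, window, seqs):
    """Return the indexes of segments whose sequence number is out of range.

    The baseline advances only on accepted segments, so an out-of-range
    packet cannot drag the valid range toward itself.
    """
    last_seq, flagged = first_seq, []
    for i, seq in enumerate(seqs):
        if seq_in_window(seq, last_seq, window):
            last_seq = seq
        else:
            flagged.append(i)
    return flagged


# Constructed sample: one direction of a flow that crosses the 2**32 boundary.
FIRST_SEQ = 0xFFFFFF00
WINDOW = 1000  # window published by the recipient (assumed constant here)
SEGMENTS = [
    0xFFFFFFC8,  # 200 bytes ahead of the start: in range
    0x00000064,  # after wraparound, 156 bytes ahead: in range
    0x7FFFFFFF,  # far outside the window: reported
    0x00000032,  # below the last accepted sequence number: reported
    0x000001F4,  # 400 bytes ahead of the last accepted segment: in range
]

if __name__ == "__main__":
    for i in audit_flow(FIRST_SEQ, WINDOW, SEGMENTS):
        print(f"segment {i}: seq=0x{SEGMENTS[i]:08X} outside expected range")
```

Under the rule as worded, a sequence number below the last accepted one (index 3 in the sample) is also out of range, so a delayed duplicate would be reported the same way as an injected packet.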
Signature ID: 100051
Packet with Short GRE Header Length
Threat Level: Severe
Signature Description: Generic Routing Encapsulation (GRE) is a protocol for encapsulating one protocol's packets
within another protocol's packets. It was originally defined in RFC 1701. Generally, IP is the delivery protocol used
to carry a GRE packet. The GRE header has many optional fields, such as Checksum, and certain required fields.
The minimum length of the GRE header is therefore 4 bytes. Packets shorter than the minimum length are suspicious
or may represent some anomaly. This rule hits when the IPS device detects such packets.
Signature ID: 100052
TCP Packet with Unexpected ACK Value
Threat Level: Severe
Signature Description: TCP is a stateful protocol (RFC 793): a connection is established first, and only
then does data start flowing. Each packet is acknowledged to prevent data loss. To keep packets in order, TCP
uses sequence numbers; each packet carries a unique sequence number for that session. The sequence number
depends on the window size, which is published by the recipient. The receiver sends an ACK that equals the
sender's sequence number plus the Len, or amount of data, at the TCP layer. Since the ACK number depends on the
SEQ number, its expected value is linked to the expected value of the SEQ number, i.e. SEQ+DATA (window size).
This rule hits when the IPS device detects a packet whose ACK number falls outside that range. Such a packet is
indicative of a possible packet injection attempt, but may not pose any security risk.
Signature ID: 100055
Unable to send sync in SYN cookie case
Threat Level: Information
Signature Description: When the number of associations created exceeds 80% of the configured maximum threshold,
the session module responds with a SYN-ACK packet to all new TCP connections from the external network. The
association is created only if the external network system responds with the final ACK packet. Only after this
connection negotiation completes successfully is a connection negotiation initiated to the internal system.
A log is generated by this signature if the session module could not send the SYN packet to the internal system.
Signature ID: 100056
Sending final ACK to target failed
Threat Level: Information
Signature Description: When the number of associations created exceeds 80% of the configured maximum threshold,
the session module responds with a SYN-ACK packet to all new TCP connections from the external network. The
association is created only if the external network system responds with the final ACK packet. Only after this
connection negotiation completes successfully is a connection negotiation initiated to the internal system.