TMS zl Module IPS/IDS Signature Reference Guide RLX.10.2.2.94
A log is generated by this signature if the session module could not send the final ACK packet of the TCP connection
negotiation to the internal system.
Signature ID: 100058
Invalid ACK number in SYN+ACK Packet for a SYN packet During TCP Three-Way Handshake
Threat Level: Severe
Signature Description: TCP is a stateful protocol (RFC 793), which implies that a connection is established first and
then data starts flowing. Each TCP connection starts with a three-way handshake. The client sends a packet with the SYN
flag set, and the server replies with a packet with the SYN and ACK flags set. Finally, the connection is
established when the client sends a packet with the ACK flag set. The ACK number in the SYN+ACK packet is equal to the
sequence number of the first SYN packet plus one. This rule hits when the system detects a SYN+ACK packet whose ACK value
is not equal to the sequence number of the preceding SYN packet plus one. Such a packet does not present a security risk
as such, but indicates a network protocol anomaly.
Signature ID: 100059
Invalid ACK number in RST+ACK Packet for a SYN packet During TCP Three-Way Handshake
Threat Level: Critical
Signature Description: TCP is a stateful protocol (RFC 793), which implies that a connection is established first and
then data starts flowing. Each TCP connection starts with a three-way handshake. The client sends a packet with the SYN
flag set, and the server replies with a packet with the SYN and ACK flags set. Finally, the connection is
established when the client sends a packet with the ACK flag set. If the server wants to deny a SYN request, it sends a reset
packet with the ACK value set to the sum of the sequence number and the segment length of the incoming segment. This rule
hits when the system detects a reset packet whose ACK value does not comply with the rule above. Such
behavior is normally shown by many Windows machines and therefore may not be indicative of an attack as such,
but rather of an anomaly.
Signature ID: 100060
TCP Packet with Invalid SEQ Number During 3-way Handshake
Threat Level: Critical
Signature Description: TCP is a stateful protocol (RFC 793), which implies that a connection is established first and
then data starts flowing. Each packet is acknowledged to prevent data loss. If the acknowledgement is not
received, the sender retransmits the packet. The retransmitted packet must be identical to the original packet. This rule
hits when, during the TCP three-way handshake, the system detects a retransmitted SYN or SYN+ACK packet whose
sequence number is not equal to the sequence number of the original packet.
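The three handshake rules above (100058, 100059 and 100060) can be expressed as one small stateful check over a flow. The following is an added example, not code from the TMS zl module or this guide: packet records are constructed dicts (fields `src`, `dst`, `flags`, `seq`, `ack`, `payload_len` are this example's own names), the flag constants are the standard TCP header bits, and the expected RST+ACK acknowledgement uses the RFC 793 definition of segment length, in which SYN and FIN each count as one octet.

```python
"""Stateful checks for TCP three-way-handshake anomalies, modelled on
signatures 100058, 100059 and 100060.  Added example: the packet records
below are constructed dicts, not output of the TMS zl module."""

from dataclasses import dataclass
from typing import Optional

# Standard TCP header flag bits
FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10


def seg_len(pkt: dict) -> int:
    """RFC 793 SEG.LEN: payload octets, counting SYN and FIN as one each."""
    f = pkt["flags"]
    return pkt["payload_len"] + bool(f & SYN) + bool(f & FIN)


@dataclass
class Flow:
    client_syn: dict                      # first SYN seen from the initiator
    server_synack: Optional[dict] = None  # first SYN+ACK seen from the responder


def check_handshakes(packets):
    """Return (signature_id, reason) tuples for the anomalies found.

    Each packet is a dict with keys src, dst (endpoint labels), flags, seq,
    ack and payload_len.  Flows are keyed by (initiator, responder).
    """
    flows = {}
    alerts = []
    for p in packets:
        f = p["flags"]
        if f & SYN and not f & ACK:
            # Initiator SYN: the first one opens the flow; later copies are
            # retransmissions and must repeat its sequence number (100060).
            flow = flows.get((p["src"], p["dst"]))
            if flow is None:
                flows[(p["src"], p["dst"])] = Flow(client_syn=p)
            elif p["seq"] != flow.client_syn["seq"]:
                alerts.append((100060, f"retransmitted SYN seq {p['seq']}, original {flow.client_syn['seq']}"))
            continue

        flow = flows.get((p["dst"], p["src"]))  # reply direction
        if flow is None:
            continue  # not an answer to a SYN we tracked
        expected_ack = flow.client_syn["seq"] + seg_len(flow.client_syn)

        if f & SYN and f & ACK:
            if p["ack"] != expected_ack:
                alerts.append((100058, f"SYN+ACK ack {p['ack']}, expected {expected_ack}"))
            if flow.server_synack is None:
                flow.server_synack = p
            elif p["seq"] != flow.server_synack["seq"]:
                alerts.append((100060, f"retransmitted SYN+ACK seq {p['seq']}, original {flow.server_synack['seq']}"))
        elif f & RST and f & ACK:
            if p["ack"] != expected_ack:
                alerts.append((100059, f"RST+ACK ack {p['ack']}, expected {expected_ack}"))
    return alerts


def pkt(src, dst, flags, seq, ack=0, payload_len=0):
    return {"src": src, "dst": dst, "flags": flags, "seq": seq, "ack": ack, "payload_len": payload_len}


# Constructed sample trace: one handshake with anomalies mixed in, plus two
# SYNs that the server refuses with RST+ACK.
SAMPLE = [
    pkt("c1", "srv", SYN, 1000),
    pkt("srv", "c1", SYN | ACK, 5000, 1001),  # correct: ack = 1000 + 1
    pkt("c1", "srv", SYN, 1000),              # faithful SYN retransmission
    pkt("srv", "c1", SYN | ACK, 5000, 1001),  # faithful SYN+ACK retransmission
    pkt("srv", "c1", SYN | ACK, 5001, 1001),  # seq changed on retransmit -> 100060
    pkt("srv", "c1", SYN | ACK, 5000, 1000),  # ack off by one -> 100058
    pkt("c2", "srv", SYN, 2000),
    pkt("srv", "c2", RST | ACK, 0, 2000),     # should be 2001 -> 100059
    pkt("c3", "srv", SYN, 3000),
    pkt("srv", "c3", RST | ACK, 0, 3001),     # compliant refusal, no alert
    pkt("c1", "srv", SYN, 1005),              # SYN retransmitted with new seq -> 100060
]


def demo():
    return check_handshakes(SAMPLE)


if __name__ == "__main__":
    for sig, why in demo():
        print(sig, why)
```

Running the module prints one line per anomaly in the order they occur in the trace; the faithful retransmissions and the compliant RST+ACK produce nothing, which is the behaviour the descriptions above call for.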
Signature ID: 100061
TCP Packet with Invalid Timestamp Value
Threat Level: Critical
Signature Description: Both the IP and TCP protocols provide an optional field in the packet header to specify a timestamp.
This timestamp is used to defend against replay attacks. The value in this field increases sequentially to denote the
temporal position of every packet. Whenever a packet is received, it can easily be verified whether the
packet is fresh or is being reused by comparing its timestamp with that of the current ongoing session. Being a
stateful device, the system maintains the current timestamp value for each session. This rule hits when the system detects
a packet whose timestamp value is older than the previously stored timestamp value. Such activity may indicate
some type of packet injection attempt. However, due to network congestion, packets may arrive late and out of order,
which will also cause this rule to hit.
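Signature 100061 amounts to a per-direction monotonicity check on the TCP timestamp value. The following is an added example, not code from the TMS zl module or this guide: packet records are constructed dicts (`src`, `dst`, `seq`, `tsval` are this example's own field names), the comparison is done modulo 2^32 in the way RFC 7323 (PAWS) specifies so that a wrapped counter is not mistaken for a backwards step, and the `likely_reorder` hint, which marks stale-timestamp segments whose sequence number is also below the highest already seen as the congestion case the description mentions, is this example's own heuristic rather than part of the signature.

```python
"""Per-direction TCP timestamp (TSval) monotonicity check modelled on
signature 100061.  Added example with constructed packet records; the
likely_reorder hint is this example's own heuristic, not part of the
signature."""

from dataclasses import dataclass

TS_MASK = 0xFFFFFFFF


def ts_older(new: int, last: int) -> bool:
    """True if TSval `new` is older than `last` under 32-bit modular
    arithmetic (the RFC 7323 / PAWS comparison), so a counter that wrapped
    from 0xFFFFFFFx to a small value is not reported as going backwards."""
    return ((new - last) & TS_MASK) >= 0x80000000


@dataclass
class DirState:
    last_tsval: int  # newest TSval seen in this direction
    max_seq: int     # highest sequence number seen in this direction


def check_timestamps(packets):
    """Return (signature_id, seq, tsval, likely_reorder) for every segment
    whose TSval is older than the newest seen in the same direction.

    Packets are dicts with src, dst, seq, tsval.  likely_reorder is True when
    the segment's seq is also below the highest seq seen, which is what a
    segment delayed by congestion looks like; a stale TSval on a segment at or
    beyond the highest seq is the more suspicious case.
    """
    state = {}
    alerts = []
    for p in packets:
        key = (p["src"], p["dst"])
        st = state.get(key)
        if st is None:
            state[key] = DirState(last_tsval=p["tsval"], max_seq=p["seq"])
            continue
        if ts_older(p["tsval"], st.last_tsval):
            alerts.append((100061, p["seq"], p["tsval"], p["seq"] < st.max_seq))
        else:
            st.last_tsval = p["tsval"]
        st.max_seq = max(st.max_seq, p["seq"])
    return alerts


def pkt(src, dst, seq, tsval):
    return {"src": src, "dst": dst, "seq": seq, "tsval": tsval}


# Constructed sample trace for both directions of one session.
SAMPLE = [
    pkt("a", "b", 1, 100),
    pkt("a", "b", 1001, 101),
    pkt("a", "b", 3001, 103),
    pkt("a", "b", 2001, 102),        # delayed segment: stale TSval and older seq -> reorder
    pkt("a", "b", 4001, 90),         # stale TSval on a segment that advances the stream -> suspicious
    pkt("b", "a", 1, 0xFFFFFFF0),
    pkt("b", "a", 501, 0x00000010),  # TSval counter wrapped; must not alert
]


def demo():
    return check_timestamps(SAMPLE)


if __name__ == "__main__":
    for sig, seq, tsval, reorder in demo():
        print(sig, f"seq={seq} tsval={tsval} likely_reorder={reorder}")
```

Both stale-timestamp segments in the sample trigger the rule, exactly as the description says they will; the hint only separates the one that also looks like a late arrival from the one that does not, which is the distinction an analyst would want when triaging these events.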