TMS zl Module IPS/IDS Signature Reference Guide RLX.10.2.2.94

Signature Description: The XDR (external data representation) libraries provide platform-independent
methods for sending data from one system process to another, typically over a network connection. Such routines are
commonly used in remote procedure call (RPC) implementations to provide transparency to application programmers
who need common interfaces to interact with many different types of systems. The xdr_array() function in the
XDR library provided by Sun Microsystems contains an integer overflow. This signature detects an attacker
passing an overly large number of elements to xdr_array through RPC services such as dmispd and rpc.cmsd.
Successful exploitation may allow an attacker to overflow a buffer and execute arbitrary code on the system. This
signature specifically detects requests sent over UDP.
Signature ID: 160144
Dmisd RPC service is running
Threat Level: Information
Industry ID: CVE-2002-0391 Bugtraq: 5356
Signature Description: The XDR (external data representation) libraries provide platform-independent
methods for sending data from one system process to another, typically over a network connection. Such routines are
commonly used in remote procedure call (RPC) implementations to provide transparency to application programmers
who need common interfaces to interact with many different types of systems. The xdr_array() function in the
XDR library provided by Sun Microsystems contains an integer overflow. This signature detects an attacker
passing an overly large number of elements to xdr_array through RPC services such as dmispd and rpc.cmsd.
Successful exploitation may allow an attacker to overflow a buffer and execute arbitrary code on the system. This
signature specifically detects requests sent over TCP.
Signature ID: 160145
RPC portmap request for bootparamd RPC service is detected
Threat Level: Information
Industry ID: CVE-1999-0647
Signature Description: This rule fires on TCP RPC traffic that matches the attack pattern. The bootparamd RPC service
is running. It is used by diskless clients to obtain the information needed to boot properly. If an attacker calls
BOOTPARAMPROC_WHOAMI and supplies the correct address of the client, the server returns that client's NIS domain.
Once the attacker discovers the NIS domain name, they may easily obtain your NIS password file.
Signature ID: 160146
RPC portmap request for bootparamd RPC service is detected
Threat Level: Information
Industry ID: CVE-1999-0647
Signature Description: This rule fires on UDP RPC traffic that matches the attack pattern. The bootparamd RPC
service is running. It is used by diskless clients to obtain the information needed to boot properly. If an attacker
calls BOOTPARAMPROC_WHOAMI and supplies the correct address of the client, the server returns that client's NIS
domain. Once the attacker discovers the NIS domain name, they may easily obtain your NIS password
file.
Signature ID: 160147
DCE RPC Interface Buffer Overflow Exploit
Threat Level: Information
Signature Description: The DCOM/RPC worm is capable of spreading to Windows 2000 and Windows XP systems.
According to ISC, the worm uses RPC/DCOM to propagate itself, sending a self-extracting compressed file that is
6176 bytes in size and about 11KB when uncompressed. The captured worm came in the form of a file called
mblast.exe, which has an MD5 checksum of 5ae700c1dffb00cef492844a4db6cd69. Once the worm executes on an
infected system, it spawns a backdoor on port 4444 and then tries to download more worm files from a range of Trivial
File Transfer Protocol (TFTP) servers. This signature detects attacks on TCP-based RPC traffic.