ProCurve TMS zl Module IPS/IDS Signature Reference Guide Version RLX.10.2.2.94
Signature ID: 928
Kill command web execute vulnerability
Threat Level: Severe
Signature Description: This is an attempt to either stop or restart system processes on a web server. By stopping a
service, the attacker can effectively cause a denial of service for a particular process on a machine. When used to
restart a process, the attacker can force a legitimate process to re-read the associated configuration file and possibly
compromise the service by replacing the original configuration with one crafted by the attacker. The presence of the
"kill" command in web traffic indicates that an attacker is attempting to trick the web server into executing a system
command in non-interactive mode.
Signature ID: 929
Lsof command web execute vulnerability
Threat Level: Severe
Signature Description: This rule generates an event when an "lsof" command is used over a plain-text connection on one
of the specified web ports to the target web server. The "lsof" command lists information about files that are open by
the running processes. An open file may be a regular file, a directory, a block special file, a character special file, an
executing text reference, a library, a stream or a network file. The attacker could possibly gain information needed for
other attacks on the system.
Signature ID: 930
HTTP mail command web execute vulnerability
Threat Level: Severe
Signature Description: This rule generates an event when a "mail" command is used over a plain-text connection on
one of the specified web ports to the target web server. The "mail" command is used to read and send email on UNIX
systems. The presence of the "mail" command in the URL indicates that an attacker attempted to trick the web server
into executing a system command in non-interactive mode.
Signature ID: 932
WEB-ATTACKS netcat command vulnerability
Threat Level: Warning
Signature Description: This rule generates an event when a "netcat" command is used over a plain-text connection on
one of the specified web ports to the target web server. The "netcat" command may be used to establish an interactive
shell session to the machine and also transfer files over the connection. The presence of the "netcat" command in the
URI indicates that an attacker attempted to trick the web server into executing a system command in non-interactive mode.
Signature ID: 933
Nmap command web execute vulnerability
Threat Level: Warning
Signature Description: This rule generates an event when a "nmap" command is used over a plain-text (unencrypted)
connection on one of the specified web ports to the target web server. The "nmap" command may be used to discover
open ports, services and operating system information on hosts. The presence of the "nmap" command in the URI
indicates that an attacker attempted to trick the web server into executing a system command in non-interactive mode.
Signature ID: 934
WEB-ATTACKS nt admin addition vulnerability
Threat Level: Information
Signature Description: This rule generates an event when an attempt is made to gain unauthorized access to a web
server or an application running on a web server. Some applications do not perform stringent checks when validating