TMS zl Module IPS/IDS Signature Reference Guide RLX.10.2.2.94

application that reads Tcl commands and evaluates them. The attacker could possibly execute a command or script on
the host. An event is logged for this signature when the "tclsh" pattern is sent to the HTTP server.
Signature ID: 941
Tftp command web execute vulnerability
Threat Level: Warning
Signature Description: Trivial File Transfer Protocol (TFTP) is a very simple file transfer protocol that offers only a
very basic form of FTP functionality. This rule triggers on a possible attempt to gain information by invoking the TFTP
client ("tftp") through a web server in order to access sensitive files on that server. It is also possible that an attempt is
being made to remotely boot or reboot a device using TFTP.
Signature ID: 942
WEB-ATTACKS traceroute command Vulnerability
Threat Level: Warning
Signature Description: Traceroute is a network tool used to determine the route taken by packets across an IP
network; it is available on practically all Unix-like operating systems. This rule looks for the "traceroute" command in
client-to-web-server traffic, but does not indicate whether the command was actually executed successfully. The
presence of the "traceroute" command in the URI indicates that an attacker attempted to trick the web server into
executing system commands in non-interactive mode, i.e. without a valid shell session.
Signature ID: 943
Uname -a command web execute Vulnerability
Threat Level: Warning
Signature Description: Uname is a UNIX command that returns information about the operating system, the machine's
hardware architecture, the processor architecture and the version of the operating system software in use. This
information is valuable to an attacker, who can use it to plan further attacks based on possible vulnerabilities in the
machine's operating system. This rule generates an event when the "uname" pattern is sent to the HTTP server.
Signature ID: 944
WGet NTLM Username Buffer Overflow Vulnerability
Threat Level: Warning
Industry ID: CVE-2005-3185
Bugtraq: 15102
Signature Description: Wget is GNU software that retrieves files using HTTP, HTTPS and FTP. wget 1.10.1 contains a
stack-based buffer overflow in its NTLM authentication code (CVE-2005-3185), triggered by an overlong NTLM username.
Successful exploitation allows an attacker to execute arbitrary code on the vulnerable system in the context of the wget
user. This rule generates an event when the wget pattern is observed. This issue is fixed in wget 1.10.2; administrators
are advised to upgrade to wget 1.10.2 or later to resolve this issue.
Signature ID: 945
Xterm command attempt
Threat Level: Warning
Industry ID: CVE-2007-2797
Bugtraq: 26710
Signature Description: This rule generates an event when an "xterm" command is used over a plain-text connection on
one of the specified web ports to the target web server. The "xterm" command may be used to establish an interactive
shell session to the machine. The presence of the "xterm" command in the URI indicates that an attacker attempted to
trick the web server into executing system commands in non-interactive mode, i.e. without a valid shell session.
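Signatures 941, 942, 943 and 945 above all work the same way: a command name ("tftp", "traceroute", "uname", "xterm") is matched in the URI of a client-to-web-server request, and the event says only that the pattern was present, not that the command ran. The following Python detector is an added example, not the TMS zl module's own engine or rule syntax: it parses HTTP request lines, percent-decodes the request-target (twice, so that double encoding does not evade the match), applies word-boundary patterns that stand in for the guide's signatures, and runs over a handful of constructed request lines. The signature regexes, the sample requests and the 192.0.2.0/24 addresses are all assumptions made for this example.

```python
import re
from urllib.parse import unquote_plus

# Constructed signature table for this example: the IDs and names follow the
# guide, the regexes are this example's own approximation of "command name in URI".
URI_COMMAND_SIGNATURES = {
    941: ("Tftp command web execute vulnerability", r"\btftp\b"),
    942: ("WEB-ATTACKS traceroute command Vulnerability", r"\btraceroute\b"),
    943: ("Uname -a command web execute Vulnerability", r"\buname\b"),
    945: ("Xterm command attempt", r"\bxterm\b"),
}
COMPILED = {
    sid: (name, re.compile(pattern, re.IGNORECASE))
    for sid, (name, pattern) in URI_COMMAND_SIGNATURES.items()
}

# HTTP/1.x request line: METHOD SP request-target SP HTTP-version
REQUEST_LINE = re.compile(r"^(?P<method>[A-Z]+)\s+(?P<uri>\S+)\s+HTTP/\d\.\d$")


def normalize_uri(uri: str) -> str:
    """Percent-decode the request-target, repeating once to catch double encoding,
    so that /x?c=%74%66%74%70 and /x?c=%2574%2566%2574%2570 both match "tftp".
    An IDS does this in its HTTP preprocessor; without it the rules are trivially
    evaded by encoding one letter of the command name."""
    decoded = uri
    for _ in range(2):
        step = unquote_plus(decoded)
        if step == decoded:
            break
        decoded = step
    return decoded


def match_request_line(line: str) -> list:
    """Return [(sid, name), ...] for every signature whose pattern appears in the
    decoded URI of one HTTP request line; [] for lines that are not request lines."""
    m = REQUEST_LINE.match(line.strip())
    if not m:
        return []
    uri = normalize_uri(m.group("uri"))
    return [(sid, name) for sid, (name, rx) in COMPILED.items() if rx.search(uri)]


# Constructed sample client-to-server request lines (192.0.2.0/24 is documentation space).
SAMPLE_REQUESTS = [
    "GET /cgi-bin/ping.cgi?host=;traceroute%20192.0.2.1 HTTP/1.1",                        # 942
    "GET /cgi-bin/info.cgi?cmd=uname%20-a HTTP/1.0",                                       # 943
    "GET /dl?f=%2574%2566%2574%2570%20-i%20192.0.2.1%20GET%20%2Fetc%2Fpasswd HTTP/1.1",   # 941, double-encoded
    "GET /cgi-bin/x?cmd=xterm%20-display%20192.0.2.1%3A0 HTTP/1.1",                        # 945
    "GET /login?username=alice HTTP/1.1",   # "uname" inside "username": must not fire
    "POST /api/hosts HTTP/1.1",             # benign
]


def scan(lines) -> list:
    """Run every request line through the signature table and return
    (sid, name, line) events. As with the guide's rules, a hit means the
    pattern was present in the URI, not that the command was executed."""
    return [(sid, name, line) for line in lines for sid, name in match_request_line(line)]


if __name__ == "__main__":
    for sid, name, line in scan(SAMPLE_REQUESTS):
        print(f"SID {sid} {name}: {line}")
```

The word-boundary patterns keep "username" from firing signature 943 and "/tftpboot/" from firing 941, which is the main source of noise for this family of rules; whether that is the right trade-off depends on the applications behind the sensor, and a hit still needs the server's own logs to confirm whether the command was actually executed.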