TMS zl Module IPS/IDS Signature Reference Guide RLX.10.2.2.94
This rule triggers when a packet contains the pattern 'SLmail v3.1'. A successful attack drives the CPU usage of the
slsmtp.exe process to almost 100%.
Signature ID: 2039
Microsoft Exchange Server Invalid MIME Header charset = "" DoS Vulnerability
Threat Level: Warning
Industry ID: CVE-2000-1006
Bugtraq: 1869 Nessus: 10558
Signature Description: Microsoft Exchange Server is a messaging and collaboration product developed by Microsoft.
Microsoft Exchange Server 5.5 contains a denial of service vulnerability in its handling of MIME headers. This rule
triggers when an attacker sends an email whose malformed MIME headers carry an empty value for the charset
parameter (charset = ""). Successful exploitation causes the Information Store service to fail and crashes the
Exchange server.
Signature ID: 2040
W32/Frethem Malicious Code
Threat Level: Information
Signature Description: W32/Frethem is a malicious Windows program with an internal SMTP mail delivery agent.
W32/Frethem arrives as an email message containing three MIME parts (multipart/alternative,
boundary=L1db82sd319dm2ns0f4383dhG) with the subject "Re: Your password!" The body of the message is
contained in the first MIME part and includes a specially crafted IFRAME tag that causes the malicious attachment
to be executed when this part is rendered in a vulnerable mail user agent.
Signature ID: 2041
IMC SMTP EHLO Buffer Overrun vulnerability
Threat Level: Information
Industry ID: CVE-2002-0698 Bugtraq: 5306 Nessus: 11053
Signature Description: The Internet Mail Connector (IMC) provides SMTP functionality for Microsoft Exchange
Server. The Internet Mail Connector in Exchange Server 5.5 is vulnerable to a buffer overflow in the code that handles
the Extended Hello (EHLO) command, which a client uses to ask a server for the list of SMTP extensions it supports.
Successful exploitation allows an attacker to execute arbitrary code with SYSTEM-level privileges. This rule triggers
when an attempt is made to exploit this vulnerability. Patches are available from the vendor's web site.
Signature ID: 2050
SMTP From comment overflow
Threat Level: Information
Signature Description: A vulnerability exists in the Sendmail MTA daemon that could allow an attacker to gain root
access. A programming error allows a buffer overflow to be triggered through the header fields of an SMTP session:
by placing '<' and '>' characters in the 'From' header, an attacker can increment an internal counter until the buffer
exceeds its limit.
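The three SMTP checks described above (the empty charset parameter of signature 2039, the oversized EHLO argument of signature 2041 and the '<'/'>' counter of signature 2050), written out as detection logic over the client side of a session transcript. This is an added example and is not the TMS zl module's own rule syntax or code; the byte limits and the two transcripts are assumptions constructed for illustration:

```python
import re
from typing import List, Optional

# Thresholds are assumptions for illustration: the guide does not publish the
# byte limits or pattern bodies behind signatures 2039, 2041 and 2050.
EHLO_MAX_ARG_LEN = 255        # assumed; RFC 5321 caps a domain name at 255 octets
FROM_MAX_ANGLE_BRACKETS = 20  # assumed; a legitimate From header uses one '<...>' pair


def check_ehlo(command: str) -> Optional[str]:
    """Signature 2041 style: flag an oversized argument to EHLO (or HELO)."""
    m = re.match(r'^(EHLO|HELO)\s+(\S.*)$', command.strip(), re.IGNORECASE)
    if m and len(m.group(2)) > EHLO_MAX_ARG_LEN:
        return f"2041: {m.group(1).upper()} argument is {len(m.group(2))} bytes"
    return None


def unfold_headers(header_lines: List[str]) -> List[str]:
    """Join folded continuation lines (leading whitespace) onto their header."""
    out: List[str] = []
    for line in header_lines:
        if line[:1] in (' ', '\t') and out:
            out[-1] += ' ' + line.strip()
        else:
            out.append(line.rstrip('\r\n'))
    return out


def check_headers(header_lines: List[str]) -> List[str]:
    """Signature 2039 and 2050 style checks over the message header block."""
    alerts: List[str] = []
    for header in unfold_headers(header_lines):
        name, _, value = header.partition(':')
        name = name.strip().lower()
        if name == 'content-type' and re.search(r'charset\s*=\s*""', value):
            alerts.append('2039: Content-Type with empty charset=""')
        elif name == 'from':
            brackets = value.count('<') + value.count('>')
            if brackets > FROM_MAX_ANGLE_BRACKETS:
                alerts.append(f'2050: From header contains {brackets} angle brackets')
    return alerts


def inspect_session(session: str) -> List[str]:
    """Walk the client side of an SMTP session: commands before DATA, headers after."""
    alerts: List[str] = []
    lines = session.splitlines()
    i = 0
    while i < len(lines):
        if lines[i].strip().upper() == 'DATA':
            # Headers run from the line after DATA to the first empty line.
            i += 1
            header_block: List[str] = []
            while i < len(lines) and lines[i].strip() and lines[i] != '.':
                header_block.append(lines[i])
                i += 1
            alerts.extend(check_headers(header_block))
            # Skip the body up to the '.' line that ends the message.
            while i < len(lines) and lines[i] != '.':
                i += 1
        else:
            alert = check_ehlo(lines[i])
            if alert:
                alerts.append(alert)
        i += 1
    return alerts


# Constructed sample transcripts (client commands only), not captured traffic.
MALICIOUS_SESSION = "\r\n".join([
    "EHLO " + "A" * 4000,                                  # 2041
    "MAIL FROM:<attacker@example.net>",
    "RCPT TO:<victim@example.com>",
    "DATA",
    "From: " + "<" * 64 + "a@example.net" + ">" * 64,      # 2050
    "To: victim@example.com",
    "Subject: test",
    'Content-Type: text/plain; charset = ""',             # 2039
    "",
    "body",
    ".",
    "QUIT",
]) + "\r\n"

BENIGN_SESSION = "\r\n".join([
    "EHLO mail.example.net",
    "MAIL FROM:<alice@example.net>",
    "RCPT TO:<bob@example.com>",
    "DATA",
    "From: Alice <alice@example.net>",
    "To: bob@example.com",
    "Content-Type: text/plain;",
    ' charset="utf-8"',          # folded continuation of Content-Type
    "",
    "hello",
    ".",
    "QUIT",
]) + "\r\n"

if __name__ == "__main__":
    for label, session in (("malicious", MALICIOUS_SESSION), ("benign", BENIGN_SESSION)):
        print(label, inspect_session(session) or "no alerts")
```

The header checks run only on the block between DATA and the first empty line, so bracket-heavy or charset-free text in the body does not produce alerts; header folding is undone first so that a `charset` parameter pushed onto a continuation line is still seen.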
Signature ID: 2051
VIRUS OUTBOUND .hsq file attachment
Threat Level: Information
Signature Description: A virus is a computer program that can copy itself and infect a computer without the
permission or knowledge of the user. The term 'virus' is also commonly used to refer to many different types of
malware and adware programs. This rule triggers when an outbound message carries a '.hsq' file attachment and blocks
the attachment. When a prohibited attachment has been blocked, the attachment is not delivered to the recipient, but
the message itself is still delivered. The sender does not receive any notification that the attachment has been
removed.
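The blocking behaviour described for signature 2051, as an added example that is not the module's own code: parse the outbound message, drop every part whose filename ends in '.hsq' (including parts nested in an inner multipart), and re-serialise the remainder for delivery with no notice to the sender. The sample message is constructed here, and the PROHIBITED_EXTENSIONS tuple is an assumption showing where further extensions would be listed:

```python
import email
from email import policy
from email.message import EmailMessage
from typing import List, Tuple

# The guide names only '.hsq' for signature 2051; the tuple form is an
# assumption so that further prohibited extensions can be added.
PROHIBITED_EXTENSIONS = ('.hsq',)


def _prune(part: EmailMessage, removed: List[str]) -> None:
    """Recursively drop subparts whose filename ends in a prohibited extension."""
    if not part.is_multipart():
        return
    kept = []
    for sub in part.get_payload():
        name = sub.get_filename()
        if name and name.lower().endswith(PROHIBITED_EXTENSIONS):
            removed.append(name)   # dropped silently: no notice to sender or recipient
            continue
        _prune(sub, removed)       # attachments may sit inside nested multiparts
        kept.append(sub)
    part.set_payload(kept)


def filter_message(raw: bytes) -> Tuple[bytes, List[str]]:
    """Return the message to deliver (prohibited parts removed) and the names dropped."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    removed: List[str] = []
    _prune(msg, removed)
    return msg.as_bytes(), removed


def attachment_names(raw: bytes) -> List[str]:
    """Filenames of every part that carries one, in message order."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    return [p.get_filename() for p in msg.walk() if p.get_filename()]


def body_text(raw: bytes) -> str:
    """The text/plain body the recipient will read, or '' if there is none."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    body = msg.get_body(preferencelist=('plain',))
    return body.get_content() if body is not None else ''


def build_sample() -> bytes:
    """Constructed outbound message: a text body, a .hsq attachment and a .txt one."""
    m = EmailMessage()
    m['From'] = 'alice@example.net'
    m['To'] = 'bob@example.com'
    m['Subject'] = 'quarterly figures'
    m.set_content('see attached')
    m.add_attachment(b'\x00\x01stub-payload', maintype='application',
                     subtype='octet-stream', filename='report.hsq')
    m.add_attachment('meeting notes', filename='notes.txt')
    return m.as_bytes()


if __name__ == '__main__':
    delivered, dropped = filter_message(build_sample())
    print('removed:', dropped)
    print('delivered with:', attachment_names(delivered))
    print('body:', body_text(delivered).strip())
```

The match is on the filename extension only, as the signature describes; a renamed '.hsq' file passes, which is the usual limitation of extension-based attachment blocking.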