TMS zl Module IPS/IDS Signature Reference Guide RLX.10.2.2.94

victim's computer. These actions include shutting down or restarting the host system, retrieving saved and cached
passwords, modifying the host system's registry, uploading, downloading, and deleting files on the host system,
intercepting keyboard activity or taking over keyboard input remotely, and viewing the host system's current screen
or webcam output. The attacker can also communicate with the host system's user, or impersonate that user, over
various messaging systems.
Signature ID: 3125
Access to NetXRay 3 Probe
Threat Level: Information
Signature Description: If the NetXRay 3.x Probe service is running on a machine, a user can connect to the probe and
sniff network traffic on that machine. If no password is required to connect to the probe, any user could sniff network
traffic on that machine.
Signature ID: 3126
DDOS shaft agent to handler
Threat Level: Information
Industry ID: CVE-2000-0138 CVE-1999-0660 Nessus: 10350,10024,10152,10151,10409,10053,10270,10501,10288,10307,10920,10921,10501
Signature Description: Shaft is a Distributed Denial of Service (DDoS) attack tool that consists of a handler and an agent.
The attacker must install the Shaft handler and agent manually. The attacker controls the handlers over Transmission
Control Protocol (TCP) port 20432, and each handler can in turn control many agent hosts. To communicate with the agents,
the handler uses User Datagram Protocol (UDP) port 18753, while the agents respond using UDP port 20433. After the
connections are made, the handler requests a password. The agents execute DDoS attacks, including UDP flood
attacks, TCP synchronize (SYN) flood attacks, and Internet Control Message Protocol (ICMP) flood attacks, against
one or more target systems. In a UDP flood attack, the agent sends a large number of UDP packets to the target
system. This signature detects Shaft agent-to-handler traffic.
Signature ID: 3128
BackOrifice detection
Threat Level: Information
Industry ID: CVE-1999-0660 Nessus: 10024,10152,10151,10409,10053,10270,10501,10288,10307,10350,10920,10921
Signature Description: A backdoor is a method of bypassing normal authentication, securing remote access to a
computer, obtaining access to plain text, and so on, while attempting to remain undetected. Back Orifice (BO) is a
controversial computer program designed for remote system administration. It enables a user to control a computer
running the Microsoft Windows operating system from a remote location. Although Back Orifice has legitimate
purposes, the server can hide itself from cursory inspection by users of the system and can be installed without user
interaction, which is why it is commonly distributed as the payload of a Trojan horse. Back Orifice uses a client-server
architecture: a small, unobtrusive server program is installed on one machine and is remotely manipulated by a
client program with a graphical user interface on another computer. The two components communicate with
one another using the TCP and/or UDP network protocols, commonly on port 31337. A cracker may use it to steal your
passwords, modify your data, and prevent you from working properly. This signature detects BackOrifice 1.x traffic.
Signature ID: 3129
BACKDOOR Dagger_1.4.0
Threat Level: Information
Signature Description: The Dagger backdoor is one of many backdoor programs that attackers can use to access a
victim's computer without the knowledge or consent of the victim. Once installed, it places a server on TCP port 2589 or
TCP port 1386, which allows a remote client to connect to your computer. This Trojan also has the ability to delete