TMS zl Module IPS/IDS Signature Reference Guide RLX.10.2.2.94
'EXPN' command followed by 2041 characters to Seattle Labs SLMail 3.0.2421 or earlier will cause the SLMail service
to stop functioning. This results in a denial of service condition.
Signature ID: 4051
IPSEC IKE check Denial of Service vulnerability
Threat Level: Warning
Nessus: 10941
Signature Description: The remote IPSEC server may be negotiating bogus IKE requests. An attacker may use this
flaw to disable the victim's VPN remotely. Administrators are advised to give access only to trusted users. This rule
triggers on any UDP packet flowing from source port 1500 to destination port 500.
Signature ID: 4052
IBM DB2 server single byte DoS vulnerability
Threat Level: Warning
Industry ID: CVE-2001-1143 Bugtraq: 3010 Nessus: 10871
Signature Description: DB2 is one of IBM's relational database management system (RDBMS) software products.
IBM DB2 7.0 allows a remote attacker to cause a denial of service (crash) via a single-byte packet to 'db2ccs.exe' or
'db2jds.exe'. 'db2ccs.exe' listens on TCP port 6790 and 'db2jds.exe' listens on TCP port 6789. The service must be
restarted to resume operation.
Signature ID: 4054
Routed trace file vulnerability
Threat Level: Warning
Industry ID: CVE-1999-0215 Bugtraq: 2658
Signature Description: The BSD 4.4 based routed daemon accepts a packet that turns on debug mode. The RIP
packet can specify the trace file, which is later opened without any checks on that file. As a result, an attacker
can append to any file on the filesystem. Attackers can construct packets (typically with spoofed source addresses)
to turn on this feature and cause routed to append debugging information to the specified trace file. Although the
information written is limited to the normal routed debugging output, the files specified could include /dev files,
so this could lead to a number of damaging scenarios, including memory and disk corruption and denial of
service.
Signature ID: 4055
In.comsat Denial of Service Vulnerability
Threat Level: Warning
Industry ID: CVE-1999-0194
Signature Description: The in.comsat daemon is vulnerable to a denial of service attack. The comsat daemon is a
program that watches for incoming mail and notifies a user of newly arrived mail. It can be fooled into issuing
endless messages, so an attacker could flood the user with notifications and obscure their screen, resulting in a
denial of service attack on users.
Signature ID: 4060
Oracle9iAS Web Cache Buffer Overflow
Threat Level: Warning
Industry ID: CVE-2001-0836 CVE-2002-0102 Bugtraq: 3449,3443,3760 Nessus: 11069,11081
Signature Description: A buffer overflow condition can be triggered in Oracle 9iAS Web Cache 2.0.0.1 to 2.0.0.2 NT
(inclusive) by submitting a malicious URL. Unsuccessful overflow attempts can cause the Web Cache process to exit
or hang, causing a denial of service condition. A successful attempt can allow arbitrary code execution on the server.
This signature detects overflow attempts on TCP port 1100.