ProCurve TMS zl Module IPS/IDS Signature Reference Guide Version RLX.10.2.2.94
Signature ID: 6081
FTP STAT command directory traversal Vulnerability
Threat Level: Information
Signature Description: Some remote FTP servers, such as South River Technologies' Titan FTP Server, are vulnerable to a
flaw that allows users to access files outside the FTP server root by issuing a specially crafted STAT
command. The issue is due to the STAT command not properly sanitizing user input, specifically traversal-style
sequences (../../) supplied via the stat variable. Only trusted users should be allowed access to the FTP service.
Signature ID: 6082
AIX ftpd CEL Command Buffer Overflow Vulnerability
Threat Level: Information
Industry ID: CVE-1999-0789 Bugtraq: 679 Nessus: 10009
Signature Description: IBM AIX 4.3.X FTP Server can be crashed using the command: CEL aaaa[...]aaaa. This
problem is known as the 'AIX FTPd' overflow and may allow the remote user to easily gain access to the root
(superuser) account on the remote system.
Signature ID: 6083
FTP Pub scanning using Omega Scanner.
Threat Level: Information
Signature Description: Pub scanning involves scanning for FTP sites that allow attackers to upload or download
their own content. Omega Scanner is a script-based scanner widely employed by attackers to scan for such FTP sites.
Some of the scripts used by attackers employ the password 'ncoic77@hotmail.com'. This rule raises an info alarm
whenever a PASS command is received with the argument 'ncoic77@hotmail.com'. Such activity is an indicator of
possible future misuse of the site.
Signature ID: 6084
FTP Pub scanning using Grim's Ping tool.
Threat Level: Information
Signature Description: Pub scanning involves scanning for FTP sites that allow attackers to upload or download
their own content. Grim's Ping scanner is widely employed by attackers to scan for such FTP sites. The companion
software employs the password 'guest@here.com'. This rule raises an info alarm whenever a PASS command is
received with the argument 'guest@here.com'. Such activity is an indicator of possible future misuse of the site.
Signature ID: 6098
FTP Bounce Attack
Threat Level: Information
Industry ID: CVE-1999-0017 Bugtraq: 126
Signature Description: By using the PORT command in active FTP mode, an attacker may be able to establish
connections to arbitrary ports on machines other than the originating client. This behavior is RFC compliant, but it is
also potentially a source of security problems for some sites. The solution from a security perspective is to ensure that
the FTP server software cannot establish connections to arbitrary machines other than the client. This signature is
implemented as a protocol anomaly and logs an event of type info if the received PORT command specifies an IP
address that is not used for the control connection.
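
The check that signature 6098 describes, written out as an added example; it is not code from the TMS zl module or from ProCurve. The function names and the sample session are constructed, the addresses come from documentation ranges, and the "malformed" verdict goes beyond the signature text.

```python
import ipaddress
import re

# PORT argument per RFC 959: h1,h2,h3,h4,p1,p2 (six decimal fields).
PORT_RE = re.compile(r"^PORT\s+" + r",".join([r"(\d{1,3})"] * 6) + r"\s*$", re.I)

def parse_port(line):
    """Return (ip, port) from a PORT command line, or None if it is not well formed."""
    m = PORT_RE.match(line.strip())
    if not m:
        return None
    nums = [int(g) for g in m.groups()]
    if any(n > 255 for n in nums):          # each field must fit in one octet
        return None
    ip = ipaddress.IPv4Address(".".join(map(str, nums[:4])))
    return ip, nums[4] * 256 + nums[5]      # port = p1*256 + p2

def check_port(control_peer, line):
    """Compare a PORT command with the client address of the control connection.
    Returns None for non-PORT lines, else a dict whose verdict is
    'ok', 'mismatch' or 'malformed'."""
    if not line.strip().upper().startswith("PORT"):
        return None
    parsed = parse_port(line)
    if parsed is None:
        return {"verdict": "malformed", "line": line.strip()}
    ip, port = parsed
    verdict = "ok" if ip == ipaddress.IPv4Address(control_peer) else "mismatch"
    return {"verdict": verdict, "ip": str(ip), "port": port}

def scan_session(control_peer, lines):
    """Return (line_number, result) for every PORT that is malformed or names
    an address other than the control peer."""
    events = []
    for n, line in enumerate(lines, 1):
        result = check_port(control_peer, line)
        if result and result["verdict"] != "ok":
            events.append((n, result))
    return events

# Constructed sample control-channel session (RFC 5737 documentation addresses).
SAMPLE = ["USER anonymous", "PASS user@example.com", "PORT 192,0,2,10,4,1",
          "LIST", "PORT 198,51,100,7,0,25", "PORT 192,0,2,10,999,1"]

if __name__ == "__main__":
    for n, event in scan_session("192.0.2.10", SAMPLE):
        print(f"line {n}: info event {event}")
```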
Signature ID: 6099
FTPd buffer overflow vulnerability
Threat Level: Critical
Industry ID: CVE-1999-0789 CVE-2000-1194 Bugtraq: 679,1227 Nessus: 10084