TMS zl Module IPS/IDS Signature Reference Guide RLX.10.2.2.94
private keys for that user are also at risk. This rule generates an event when an attempt is made to transfer the file
"authorized_keys" using FTP.
Signature ID: 6139
FTP format string Vulnerability
Threat Level: Information
Signature Description: Some of the FTP Servers are reported to be prone to a format string vulnerability. The issue
exists due to lack of sufficient format checks against user-supplied data. A remote attacker may send malicious data as
an argument. This could potentially lead to the execution of arbitrary code in the context of the server or cause a denial
of service.
Signature ID: 6141
Invalid FTP Transfer MODE detection
Threat Level: Information
Signature Description: This signature includes a list of acceptable FTP Transfer MODEs. These MODEs are believed
to represent normal usage of the FTP protocol. Usage of any other Transfer MODE indicates intrusion. This signature
raises an info alarm when a MODE other than the listed Transfer MODEs is detected.
Signature ID: 6142
FTP iss scan Vulnerability
Threat Level: Warning
Signature Description: ISS is a security scanner which checks for common system vulnerabilities. When it detects a
vulnerable FTP server, it logs in anonymously using the password '-iss@iss' to gain information about the FTP
server. This can lead to future attacks.
Signature ID: 6143
FTP large PWD command
Threat Level: Severe
Industry ID: CVE-2008-4321 CVE-2007-1082 CVE-2003-1319
Signature Description: File Transfer Protocol (FTP) is a network protocol used to transfer data from one computer to
another through a network such as the Internet. PWD is used to print the name of the current working directory on the
remote machine. Buffer overflows exist in the PWD command in FlashGet 1.9, SmartFTP 1.0.973 and other versions before
1.0.976, and FTP Explorer 1.0.1 Build 047 and other versions before 1.0.1.52. These may lead to a variety of attacks
from DoS to code execution. This is a generic signature that detects such attacks.
Signature ID: 6145
FTP pass wh00t
Threat Level: Warning
Signature Description: Wh00t is a backdoor password that can be used to log in to a Unix-based operating system.
wh00t is the default password for the root account. The presence of wh00t may indicate that the system has been
compromised and a backdoor root account with wh00t! as the password value has been installed. An attacker could
create a backdoor or search for systems containing the backdoor and obtain remote root access.
Signature ID: 6146
FTP passwd file retrieval attempt
Threat Level: Warning
Signature Description: This event is generated when an attempt to download a copy of the "passwd" file from the