TMS zl Module IPS/IDS Signature Reference Guide RLX.10.2.2.94
may be attempting to scan the system for a Denial of Service vulnerability. UDP packets are flooded with ECHO or
CHARGEN traffic by connecting a host's ECHO service to a local or remote CHARGEN service.
Signature ID: 10014
Ident version request
Threat Level: Information
Signature Description: Auth/Ident servers, which run on the local user's machine, open port 113 and listen for
incoming connections and queries from remote machines. The querying machine identifies an already existing
connection between the two machines. The user's ident server is tasked with looking up and returning the connection's
"USER ID" and, optionally, additional information such as an e-mail address or full name.
Signature ID: 10018
MIT Magic Cookie
Threat Level: Information
Signature Description: This rule detects an attempt to exploit a weakness in the authentication mechanism that uses an
MIT magic cookie to connect to an X Window server. The MIT Magic Cookie is a security authentication protocol. It
uses private tokens to authenticate clients trying to access the X server; each token is bound to the X server and valid
only for one session.
Signature ID: 10019
Xopen
Threat Level: Information
Signature Description: This rule detects an attempt to launch an X Window application on an X Window server from an
external network. Launching such an application from an external network is very suspicious activity. This rule matches
only attack patterns sent to destination port 6000.
Signature ID: 10020
TFTP Server Long File Name Buffer Overflow Vulnerability
Threat Level: Severe
Industry ID: CVE-2002-0813 Bugtraq: 5328,6199 Nessus: 11056
Signature Description: Trivial File Transfer Protocol (TFTP) allows remote users to copy, transfer, or write files
without requiring authentication. To read or write files, TFTP uses GET (\x00\x01) or PUT (\x00\x02) commands. The
structure of these packets consists of a filename field, naming the file to send or download, and a Mode field that specifies
the transfer mode, such as octet or ascii. This rule triggers when a GET or PUT request to a TFTP server specifies a
long filename. An overly long filename may overflow a buffer at the server and may lead to execution of arbitrary code
or a denial of service. Products such as Cisco IOS 11.1, 11.2, and 11.3 and TFTPD32 2.50 are vulnerable to this issue.
Upgrade to the latest version of the product.
Signature ID: 10021
TFTP GET nc.exe
Threat Level: Information
Signature Description: Netcat is a computer networking utility for reading from and writing to network connections over
either TCP or UDP. Once it is installed on the victim PC, the attacker has a means to execute arbitrary commands on the
victim PC. This log is generated when an attempt to download the Netcat utility (nc.exe) over TFTP is detected.
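The two TFTP signatures above (10020, long filename in a GET/PUT request; 10021, a GET for nc.exe) both key on the same request layout: a 2-byte opcode, a NUL-terminated filename, and a NUL-terminated mode. The following added example (not code from the guide or from ProCurve) parses that layout and applies both checks from a detection standpoint. The filename-length threshold, the watched filename list and the sample packets are constructed for illustration; the guide does not state the exact length the signature uses.

```python
import struct

# TFTP request opcodes (RFC 1350); the guide labels these GET and PUT.
OP_RRQ = 1  # read request  (\x00\x01)
OP_WRQ = 2  # write request (\x00\x02)

# Constructed values for this example; the guide does not give the signature's own threshold.
MAX_FILENAME_LEN = 100
WATCHED_FILENAMES = {"nc.exe"}


def parse_tftp_request(payload: bytes):
    """Parse a TFTP RRQ/WRQ payload.

    Layout: opcode (2 bytes) | filename | NUL | mode | NUL [| options...]
    Returns (opcode, filename, mode), or None if the payload is not a
    well-formed read/write request (wrong opcode, missing NUL terminators).
    """
    if len(payload) < 4:
        return None
    opcode = struct.unpack("!H", payload[:2])[0]
    if opcode not in (OP_RRQ, OP_WRQ):
        return None
    fields = payload[2:].split(b"\x00")
    # filename and mode must both be NUL-terminated, so at least three
    # elements appear after the split (the third may be empty or an option).
    if len(fields) < 3:
        return None
    filename = fields[0].decode("latin-1")   # latin-1 never raises on odd bytes
    mode = fields[1].decode("latin-1").lower()
    return opcode, filename, mode


def inspect_tftp_request(payload: bytes):
    """Return the list of alert names that fire for one TFTP request payload."""
    parsed = parse_tftp_request(payload)
    if parsed is None:
        return []
    opcode, filename, _mode = parsed
    alerts = []
    # Signature 10020 style check: overly long filename in a GET or PUT.
    if len(filename) > MAX_FILENAME_LEN:
        alerts.append("tftp-long-filename")
    # Signature 10021 style check: a GET (read request) for a watched tool name.
    basename = filename.replace("\\", "/").rsplit("/", 1)[-1].lower()
    if opcode == OP_RRQ and basename in WATCHED_FILENAMES:
        alerts.append("tftp-get-nc.exe")
    return alerts


def build_tftp_request(opcode: int, filename: str, mode: str = "octet") -> bytes:
    """Build a request payload; used here only to construct sample input."""
    return (struct.pack("!H", opcode)
            + filename.encode("latin-1") + b"\x00"
            + mode.encode("ascii") + b"\x00")


if __name__ == "__main__":
    # Constructed sample traffic: a benign read, a read for nc.exe,
    # a write with a 300-byte filename, and a data packet (opcode 3).
    samples = {
        "benign read": build_tftp_request(OP_RRQ, "boot.cfg"),
        "netcat read": build_tftp_request(OP_RRQ, "tools/nc.exe"),
        "long write": build_tftp_request(OP_WRQ, "A" * 300),
        "data packet": b"\x00\x03\x00\x01payload",
    }
    for label, pkt in samples.items():
        print(f"{label:12s} -> {inspect_tftp_request(pkt) or ['no alert']}")
```

Only RRQ/WRQ payloads are inspected; DATA, ACK and ERROR packets are ignored rather than parsed, which avoids false positives from file contents that happen to contain long NUL-free runs.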