ProCurve TMS zl Module IPS/IDS Signature Reference Guide Version RLX.10.2.2.94
Signature ID: 10022
TFTP GET shadow
Threat Level: Information
Signature Description: The "shadow" file normally stores encrypted password hashes and user names on Unix-based
systems. A transfer of this file over the network using TFTP normally indicates that the system has been
compromised by a remote user and is transferring sensitive files to the attacker's system. This log is generated when a
TFTP GET request is made for the "shadow" file.
Signature ID: 10024
TFTP NULL command attempt
Threat Level: Information
Bugtraq: 7575
Signature Description: TFTP is used to transfer files between hosts. Verilink NetEngine 6100-4 (Netengine routers) are
vulnerable to a denial of service attack. If a UDP packet containing a double-null opcode is sent to the router's TFTP port,
the router may crash, causing the DoS. This event is indicative of spurious activity in TFTP traffic from a host to a
router.
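The following sketch shows how the two TFTP conditions described above (signatures 10022 and 10024) can be checked against a UDP payload using the RFC 1350 packet layout. It is an added example, not code or rule syntax from this guide; the matching logic, function names and sample payloads are assumptions made for illustration.

```python
import struct

# TFTP opcodes from RFC 1350.
OP_RRQ, OP_WRQ, OP_DATA, OP_ACK, OP_ERROR = 1, 2, 3, 4, 5

SIG_GET_SHADOW = 10022   # "TFTP GET shadow"
SIG_NULL_OPCODE = 10024  # "TFTP NULL command attempt"


def parse_request(payload: bytes):
    """Return (opcode, filename, mode); filename and mode are None unless RRQ/WRQ."""
    if len(payload) < 2:
        raise ValueError("truncated TFTP packet")
    (opcode,) = struct.unpack("!H", payload[:2])
    if opcode not in (OP_RRQ, OP_WRQ):
        return opcode, None, None
    # RRQ/WRQ body: filename NUL mode NUL
    fields = payload[2:].split(b"\x00")
    if len(fields) < 3 or not fields[0]:
        raise ValueError("malformed RRQ/WRQ")
    filename = fields[0].decode("ascii", "replace")
    mode = fields[1].decode("ascii", "replace").lower()
    return opcode, filename, mode


def match_signatures(payload: bytes):
    """Return the signature IDs the payload triggers (assumed matching logic)."""
    try:
        opcode, filename, _mode = parse_request(payload)
    except ValueError:
        return []
    if opcode == 0:
        return [SIG_NULL_OPCODE]
    if opcode == OP_RRQ:
        # Compare only the last path component: /etc/shadow and shadow match,
        # shadow.bak does not. A write request (WRQ) is not a GET.
        base = filename.replace("\\", "/").rsplit("/", 1)[-1].lower()
        if base == "shadow":
            return [SIG_GET_SHADOW]
    return []


# Constructed sample UDP payloads (not captured traffic).
SAMPLES = {
    "rrq_shadow": b"\x00\x01/etc/shadow\x00octet\x00",
    "rrq_other": b"\x00\x01boot/pxelinux.0\x00octet\x00",
    "wrq_shadow": b"\x00\x02shadow\x00netascii\x00",
    "null_opcode": b"\x00\x00",
}
```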
Signature ID: 10026
Symantec Scan Engine File Disclosure Vulnerability
Threat Level: Severe
Industry ID: CVE-2006-0232 Bugtraq: 17637
Signature Description: Symantec Scan Engine is a TCP/IP server and programming interface that enables third parties
to incorporate support for Symantec content scanning technologies into their proprietary applications. There is a
vulnerability in Symantec Scan Engine 5.0 that allows unauthenticated remote users to download any file located under
the Symantec Scan Engine installation directory. For instance, the configuration file, the scanning logs, and the current
virus definitions can all be accessed by any remote user using regular or specially crafted requests on TCP port 8004.
This signature detects a remote attacker sending a URL request for any known file within the Symantec\Scan
Engine\ directory, including log files, virus definitions and .xml configuration files.
Signature ID: 10027
Symantec Scan Engine File Disclosure Vulnerability
Threat Level: Severe
Industry ID: CVE-2006-0232 Bugtraq: 17637
Signature Description: Symantec Scan Engine is a TCP/IP server and programming interface that enables third parties
to incorporate support for Symantec content scanning technologies into their proprietary applications. There is a
vulnerability in Symantec Scan Engine 5.0 that allows unauthenticated remote users to download any file located under
the Symantec Scan Engine installation directory. For instance, the configuration file, the scanning logs, and the current
virus definitions can all be accessed by any remote user using regular or specially crafted requests on TCP port 8004.
This signature specifically detects an attacker trying to access .log or .dat extension files from the Symantec Scan Engine
directory.
Signature ID: 10028
Microsoft SSL PCT buffer overflow attempt
Threat Level: Critical
Industry ID: CVE-2003-0719 Bugtraq: 10116 Nessus: 12209
Signature Description: A buffer overrun vulnerability exists in the Private Communications Transport (PCT) protocol,
which is part of the Microsoft Secure Sockets Layer (SSL) library. Only systems that have SSL enabled, and in some
cases Windows 2000 domain controllers, are vulnerable. An attacker who successfully exploited this vulnerability
could take complete control of an affected system. All programs that use SSL could be affected. Although SSL is