TMS zl Module IPS/IDS Signature Reference Guide RLX.10.2.2.94
ProCurve TMS zl Module IPS/IDS Signature Reference Guide Version RLX.10.2.2.94
as a proxy. A Gopher server may support proxy connections to FTP servers. This allows a user to assume the source
IP of the Gopher server when connecting to an FTP server. This may be used to bypass FTP access restrictions based
on source IPs. A user who is normally denied access to an FTP server based on the originating IP may attempt to
circumvent this by attempting access from a Gopher server that supports proxy connections to FTP servers.
Signature ID: 12012
HP JetDirect LCD Display Modification Vulnerability
Threat Level: Information
Bugtraq: 2245 Nessus: 10103
Signature Description: Certain versions of HP LaserJet printers allow the printer display text to be changed remotely. This
can be used with other social engineering tricks to gather information about the network. It is advised to turn off this
service.
Signature ID: 12013
XDMCP Query
Threat Level: Information
Signature Description: This rule gets hit when an attempt is made to query the XDMCP service. An XDMCP query can
provide a wealth of information about a host, such as a login screen and a list of users on the host, and can be used to
bypass access control restrictions enforced by tcpwrapper and the restriction on login by user "root" on the box. An
attacker can use this to find out information about the machine and then either launch a specific attack or connect to
the X windows server using XDMCP.
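The kind of check Signature 12013 describes, as an added example (not the TMS zl module's own matching logic, which this guide does not give): it classifies UDP payloads as XDMCP query messages using the header layout and query opcodes from the XDMCP specification. UDP port 177, the function names and the sample datagrams are assumptions or constructed here.

```python
import struct

XDMCP_PORT = 177        # assumption: XDMCP on its registered UDP port
XDMCP_VERSION = 1
# Query-type opcodes defined by the XDMCP specification
QUERY_OPCODES = {1: "BroadcastQuery", 2: "Query", 3: "IndirectQuery"}


def classify_xdmcp(dst_port: int, payload: bytes):
    """Return the query opcode name if the payload is a well-formed XDMCP query."""
    if dst_port != XDMCP_PORT or len(payload) < 7:
        return None
    version, opcode, length = struct.unpack("!HHH", payload[:6])
    # The length field counts the bytes after the 6-byte header; requiring it to
    # match keeps unrelated traffic to port 177 from raising the alert.
    if version != XDMCP_VERSION or length != len(payload) - 6:
        return None
    name = QUERY_OPCODES.get(opcode)
    if name is None:
        return None          # e.g. Willing (5) is a server reply, not a query
    # Query body: ARRAYofARRAY8 of authentication names
    # (1-byte count, then each name as 2-byte length + bytes).
    body = payload[6:]
    count, pos = body[0], 1
    for _ in range(count):
        if pos + 2 > len(body):
            return None
        (n,) = struct.unpack("!H", body[pos:pos + 2])
        pos += 2 + n
    return name if pos == len(body) else None


def detect(datagrams):
    """Yield (signature_id, source, kind) for each datagram that is an XDMCP query."""
    return [(12013, src, kind) for src, port, data in datagrams
            if (kind := classify_xdmcp(port, data))]


# Constructed sample datagrams: (source IP, destination UDP port, payload)
SAMPLE = [
    ("192.0.2.10", 177, bytes.fromhex("00010002000100")),        # Query, no auth names
    ("192.0.2.11", 177, bytes.fromhex("0001000100040100" "0158")),  # BroadcastQuery, 1 name
    ("192.0.2.12", 177, bytes.fromhex("00010005000100")),        # Willing: not a query
    ("192.0.2.13", 177, bytes.fromhex("00010002000900")),        # length field mismatch
    ("192.0.2.14", 514, bytes.fromhex("00010002000100")),        # wrong port
]

if __name__ == "__main__":
    for alert in detect(SAMPLE):
        print(alert)
```
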
Signature ID: 12014
Access on X Display Manager Control Protocol (XDMCP)
Threat Level: Information
Nessus: 10891
Signature Description: The host is running XDMCP. This protocol is used to provide X display connections for X
terminals. XDMCP is completely insecure, as the traffic and passwords are not encrypted. An attacker may use this
flaw to capture all the keystrokes of the users using this host through their X terminal, including passwords. Also,
XDMCP is an additional login mechanism which may be enabled without your knowledge. This could provide a very
weak login.
Signature ID: 12015
Large UDP Packet
Threat Level: Information
Signature Description: This rule gets hit when a UDP packet of size more than 4000 bytes is observed. UDP payloads
are typically smaller than 4000 bytes since the UDP protocol is intended to be used for the transmission of smaller
payloads. When a large payload is observed, it may be a sign of anomalous activity, perhaps an attempted denial of
service against the remote host. This rule may also generate a false positive as there may be UDP services offered that
naturally support large payload sizes.
Signature ID: 12016
Microsoft UPnP NOTIFY Buffer Overflow Vulnerability
Threat Level: Severe
Industry ID: CVE-2001-0876
Bugtraq: 3723 Nessus: 11765
Signature Description: Universal Plug and Play (UPnP) is a capability that allows devices on a network to discover
other devices and determine how to work with them. When a device that supports UPnP (for instance, a UPnP-capable
printer) boots, there may already be UPnP-capable computers on the network that would like to use it. The device
broadcasts a message (called a NOTIFY directive) to all computers within reach, announcing its presence on the