ProCurve TMS zl Module IPS/IDS Signature Reference Guide Version RLX.10.2.2.94
Signature ID: 12042
Possible LDAP Exchange Overflow Attempt
Threat Level: Information
Industry ID: CVE-1999-0385 Bugtraq: 0503
Signature Description: A buffer overflow exploit against Microsoft Exchange's LDAP (Lightweight Directory Access
Protocol) server allows read access to the Exchange server directory by using an LDAP client. This buffer overflow
consists of a malformed bind request that overflows the buffer, making it possible for an attacker to either run commands
or crash the server.
Signature ID: 12043
Access to LDAP Monitor
Threat Level: Information
Signature Description: A potential attacker can gain information about the LDAP server by accessing the LDAP
monitor. The LDAP server dumps monitoring information, such as the LDAP server version, the connections, the
number of backends, and who's logged on. Such information can help an attacker plan an attack. This rule
detects any access made to LDAP monitor.
Signature ID: 12044
LDAP Null Subtree Information Discloser Vulnerability
Threat Level: Information
Signature Description: If LDAP allows a NULL base in an LDAP search with a scope set to subtree, the LDAP server
will dump all viewable information in a directory. This rule detects the attempts made to access a NULL subtree via
LDAP search.
Signature ID: 12045
Attempt to LDAP Schema Information Gathering
Threat Level: Information
Signature Description: A potential attacker can gain information about the LDAP server by accessing the LDAP
schema. The LDAP server dumps its schema, which can show all necessary attributes needed for an object, including
hidden or non-readable attributes. This rule detects any attempt to access LDAP schema.
Signature ID: 12046
CDDBD is Running
Threat Level: Information
Industry ID: CVE-1999-1240
Signature Description: A CD Database daemon is a server program that feeds requests from remote CD players and
returns information about CDs currently being played on those systems such as artist, title, album, etc.
Vulnerabilities have been found in this application. This rule alerts IPS administrators to an active CDDB service, which
is vulnerable.
Signature ID: 12048
Sasser Worm [Command Shell] Attack
Threat Level: Information
Industry ID: CVE-2003-0533 Bugtraq: 10108 Nessus: 12209
Signature Description: The Sasser Worm exploits a vulnerability in the Windows Local Security Authority Subsystem
Service (LSASS). This worm spreads by scanning randomly selected IP addresses for vulnerable systems. It attempts to
exploit the LSASS vulnerability and open a remote shell on TCP ports 9995 (version D of the worm) or 9996 (versions