ProCurve TMS zl Module IPS/IDS Signature Reference Guide Version RLX.10.2.2.94
parameter using the above mentioned procedure. Administrators are advised to install the updates downloadable from
the Oracle website.
Signature ID: 12201
ICMP Address Mask Reply
Threat Level: Warning
Signature Description: ICMP Address Mask Reply. An internal server replies to an external request for network subnet
mask information, which may allow an attacker to learn information about the network for use in later attacks.
Signature ID: 12202
ICMP Address Mask Reply undefined code
Threat Level: Information
Signature Description: This event is generated when an ICMP Address Mask Reply message with an unsupported code
is found in the network traffic. As per RFC 950, the intended use of the ICMP Address Mask Request and Reply
messages is that a host, when booting, broadcasts an "Address Mask Request" message, and a gateway (or a
host acting in lieu of a gateway) that receives this message responds with an "Address Mask Reply". However, most
implementations do not support these messages, and they should not be part of normal network traffic. Only ICMP code
zero is valid for this message. Sending an ICMP message with an undefined ICMP code value should be considered
nefarious activity on the network.
Signature ID: 12203
ICMP Address Mask Request undefined code
Threat Level: Information
Signature Description: This event is generated when an ICMP Address Mask Request message with an unsupported code is
found in the network traffic. As per RFC 950, the intended use of the ICMP Address Mask Request and Reply messages
is that a host, when booting, broadcasts an "Address Mask Request" message, and a gateway (or a host acting
in lieu of a gateway) that receives this message responds with an "Address Mask Reply". However, most implementations
do not support these messages, and they should not be part of normal network traffic. Only ICMP code zero is valid for
this message. Sending an ICMP message with an undefined ICMP code value should be considered nefarious activity on
the network.
Signature ID: 12204
ICMP Alternate Host Address
Threat Level: Information
Signature Description: This event is generated when an ICMP Alternate Host Address message is found in the network
traffic. ICMP Alternate Host Address messages were never part of a standard RFC. This message can potentially be
misused for information gathering. This ICMP type is not implemented in most standard operating systems, and its
presence is a potential indication of information gathering activity.
Signature ID: 12205
ICMP Alternate Host Address undefined code
Threat Level: Information
Signature Description: This event is generated when an ICMP Alternate Host Address message is found in the network
traffic. The ICMP Alternate Host Address message was never part of a standard RFC and was used by some
implementations to direct hosts to the correct IP address of neighboring hosts. Only ICMP code zero is valid for this
message. Sending an ICMP message with an undefined ICMP code value should be considered nefarious activity on
the network.
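The following added example (not taken from the guide, and not the TMS zl module's own matching logic) shows how the conditions described for signatures 12201 to 12205 can be checked against a raw ICMP message. The ICMP type numbers come from the IANA ICMP registry rather than from this page; the internal network range, the function names and the choice to report every matching signature are assumptions.

```python
import ipaddress
import struct

# ICMP type numbers (IANA registry; not stated in the guide itself).
ALT_HOST_ADDRESS = 6
ADDRESS_MASK_REQUEST = 17
ADDRESS_MASK_REPLY = 18

# Assumption: the protected ("internal") address space.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]


def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def classify(src, dst, icmp):
    """Return the signature IDs (12201-12205) that an ICMP message matches."""
    if len(icmp) < 4:
        return []  # too short to hold type, code and checksum
    icmp_type, code, _checksum = struct.unpack("!BBH", icmp[:4])
    hits = []
    if icmp_type == ADDRESS_MASK_REPLY:
        # 12201: internal host answering an external requester.
        if is_internal(src) and not is_internal(dst):
            hits.append(12201)
        if code != 0:  # only code zero is valid
            hits.append(12202)
    elif icmp_type == ADDRESS_MASK_REQUEST:
        if code != 0:
            hits.append(12203)
    elif icmp_type == ALT_HOST_ADDRESS:
        hits.append(12204)  # the type alone is reported
        if code != 0:
            hits.append(12205)
    return hits


def build(icmp_type, code, body=b""):
    """Construct a sample ICMP message (checksum left as zero)."""
    return struct.pack("!BBH", icmp_type, code, 0) + body


# Constructed sample body: identifier, sequence number, /24 address mask.
MASK_BODY = struct.pack("!HHI", 1, 1, 0xFFFFFF00)

if __name__ == "__main__":
    print(classify("10.1.2.3", "203.0.113.9", build(18, 0, MASK_BODY)))
    print(classify("203.0.113.9", "10.1.2.3", build(6, 2)))
```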