ProCurve TMS zl Module IPS/IDS Signature Reference Guide Version RLX.10.2.2.94
datagram. Hosts using IP Security Protocols such as AH or ESP generate ICMP Type 40 datagrams when a failure
condition occurs. ICMP Type 40 Code 2 datagrams are generated when a received datagram fails the decompression
check for a given SPI (Security Parameters Index). Normally this is an indication that hosts using IP Security Protocols
such as AH or ESP have been configured incorrectly or are failing to establish a session with another host.
Signature ID: 12246
ICMP Type 40 Code 3 Decryption Failed datagram
Threat Level: Information
Signature Description: This rule gets hit when a host generates an ICMP Type 40 Code 3 Decryption Failed datagram.
Hosts using IP Security Protocols such as AH or ESP generate ICMP Type 40 datagrams when a failure condition
occurs. ICMP Type 40 Code 3 datagrams are generated when a received datagram fails the decryption check for a
given SPI (Security Parameters Index). By default, these messages should be blocked unless deemed necessary after
evaluation.
Signature ID: 12247
ICMP Type 40 datagrams with undefined ICMP code
Threat Level: Information
Signature Description: This rule gets hit when a host generates an ICMP Type 40 datagram with an undefined ICMP
Code. Hosts using IP Security Protocols such as AH or ESP generate ICMP Type 40 datagrams when a failure
condition occurs. ICMP Type 40 datagrams are generated when a received datagram fails an integrity check for a given
SPI (Security Parameters Index). ICMP Type 40 datagrams should never be generated with an undefined ICMP Code;
this could be an indication of malicious network activity.
Signature ID: 12248
ICMP Redirect for TOS and Host
Threat Level: Information
Signature Description: This rule gets hit when an ICMP Redirect for the Type of Service and Host message is detected.
ICMP Redirect messages are generated by gateway devices when a shorter route to the destination exists. When a
gateway device receives an Internet datagram from a host on the same network, a check is performed to determine the
address of the next hop (gateway) in the route to the datagram's destination. The datagram is then forwarded to the next
hop on the route. If this gateway device is also on the same network, the gateway device generates an ICMP Redirect
message and sends it back to the host that originally generated the traffic. The ICMP Redirect message informs the
original host that a shorter route exists and that any additional traffic should be forwarded directly to the closer gateway
device. Attackers on the local subnet could potentially use ICMP Redirect messages to force hosts to use compromised
gateway devices.
Signature ID: 12249
ICMP Redirect for TOS and Network
Threat Level: Information
Signature Description: This rule gets hit when an ICMP Redirect message for Type of Service and Network (code = 2) is
detected. ICMP Redirect messages are generated by gateway devices when a shorter route to the destination exists.
When a gateway device receives an Internet datagram from a host on the same network, a check is performed to
determine the address of the next hop (gateway) in the route to the datagram's destination. The datagram is then forwarded
to the next hop on the route. If this gateway device is also on the same network, the gateway device generates an ICMP
Redirect message and sends it back to the host that originally generated the traffic. The ICMP Redirect message informs
the original host that a shorter route exists and that any additional traffic should be forwarded directly to the closer gateway
device. Attackers on the local subnet could potentially use ICMP Redirect messages to force hosts to use compromised
gateway devices.
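The following detection-side helper is an added example and is not code from the ProCurve guide or its signature engine. It parses a bare ICMP message (the bytes that follow the IP header), verifies the RFC 1071 checksum, and maps the (type, code) pair to the signature IDs listed on this page for the Type 40 (IPsec/Photuris failure) entries and the Type 5 Redirect entries: a defined Type 40 code is named, an undefined one is reported as such, and for a Redirect the advertised gateway address is extracted so an analyst can check whether it is a legitimate router on the subnet. The code tables are taken from RFC 792 and RFC 2521; the sample packets, the function names and the signature map are constructed for the example.

```python
import socket
import struct

# Code tables from RFC 792 (Type 5, Redirect) and RFC 2521 (Type 40, Photuris).
REDIRECT_CODES = {
    0: "Redirect for Network",
    1: "Redirect for Host",
    2: "Redirect for TOS and Network",
    3: "Redirect for TOS and Host",
}
PHOTURIS_CODES = {
    0: "Bad SPI",
    1: "Authentication Failed",
    2: "Decompression Failed",
    3: "Decryption Failed",
    4: "Need Authentication",
    5: "Need Authorization",
}

# Signature IDs as listed on this page of the guide, keyed by (type, code).
# A code of None stands for "any Type 40 code not defined in PHOTURIS_CODES".
SIGNATURES = {
    (40, 3): 12246,
    (40, None): 12247,
    (5, 3): 12248,
    (5, 2): 12249,
}


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over the whole ICMP message.
    Returns 0 when the message's own checksum field is already correct."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp(icmp_type: int, code: int, rest_of_header: bytes = b"\x00" * 4,
               payload: bytes = b"") -> bytes:
    """Build a constructed ICMP message with a valid checksum (test input, not captured traffic)."""
    body = rest_of_header + payload
    cs = icmp_checksum(struct.pack("!BBH", icmp_type, code, 0) + body)
    return struct.pack("!BBH", icmp_type, code, cs) + body


def classify_icmp(msg: bytes) -> dict:
    """Parse an ICMP message and report which of the page's signatures (if any) it matches."""
    if len(msg) < 8:
        raise ValueError("ICMP header is at least 8 bytes")
    icmp_type, code, _ = struct.unpack("!BBH", msg[:4])
    result = {
        "type": icmp_type,
        "code": code,
        "checksum_ok": icmp_checksum(msg) == 0,
        "name": None,
        "signature_id": None,
        "gateway": None,
    }
    if icmp_type == 5:
        result["name"] = REDIRECT_CODES.get(code, "Redirect with undefined code")
        # Bytes 4..8 of a Redirect carry the gateway the sender wants the host to use;
        # a defender compares this against the known routers on the subnet.
        result["gateway"] = socket.inet_ntoa(msg[4:8])
        result["signature_id"] = SIGNATURES.get((5, code))
    elif icmp_type == 40:
        if code in PHOTURIS_CODES:
            result["name"] = PHOTURIS_CODES[code]
            result["signature_id"] = SIGNATURES.get((40, code))
        else:
            result["name"] = "Type 40 with undefined code"
            result["signature_id"] = SIGNATURES[(40, None)]
    return result


# Constructed samples (a real IP header would precede these bytes on the wire).
SAMPLES = {
    "decrypt_failed": build_icmp(40, 3, payload=b"\x45" + b"\x00" * 23),
    "undefined_type40": build_icmp(40, 9),
    "redirect_tos_net": build_icmp(5, 2, rest_of_header=socket.inet_aton("192.0.2.254")),
    "redirect_tos_host": build_icmp(5, 3, rest_of_header=socket.inet_aton("192.0.2.254")),
}

if __name__ == "__main__":
    for label, msg in SAMPLES.items():
        print(label, classify_icmp(msg))
```

The checksum check matters in practice: a sensor that fires on the type/code bytes alone will also alert on corrupted or truncated messages, so `checksum_ok` lets a triage rule separate malformed traffic from a well-formed Redirect or Type 40 message that deserves a look.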