ProCurve TMS zl Module IPS/IDS Signature Reference Guide, Version RLX.10.2.2.94
Signature ID: 12250
ICMP Redirect with undefined ICMP code
Threat Level: Information
Signature Description: This rule gets hit when an ICMP Redirect message with an undefined ICMP code is detected.
ICMP Redirect messages are generated by gateway devices when a shorter route to the destination exists. When a
gateway device receives an Internet datagram from a host on the same network, it checks the routing table to determine
the address of the next hop (gateway) on the route to the datagram's destination. The datagram is then forwarded to the
next hop on the route. If that next-hop gateway is also on the same network as the host, the gateway device generates an
ICMP Redirect message and sends it back to the host that originally generated the traffic. The ICMP Redirect message
informs the original host that a shorter route exists and that any further traffic to that destination should be sent
directly to the closer gateway device. ICMP datagrams with undefined codes should never be seen on the network, so
their presence could be an indication of nefarious activity on the network.
Signature ID: 12251
ICMP Type 19 datagram with ICMP code zero
Threat Level: Information
Signature Description: This rule gets hit when an ICMP Type 19 Code 0 (ICMP Reserved for Security) datagram is
detected on the network. ICMP Type 19 is not defined for use and is not expected network activity.
Signature ID: 12252
ICMP Type 19 datagram with undefined ICMP code
Threat Level: Information
Signature Description: This rule gets hit when an ICMP Type 19 datagram with an undefined ICMP Code is detected
on the network. ICMP Type 19 is not defined for use and is not expected network activity. Any ICMP datagram with
an undefined ICMP Code should be investigated.
Signature ID: 12253
ICMP SKIP message
Threat Level: Information
Signature Description: This rule gets hit when a valid ICMP "SKIP" message is detected. An ICMP "SKIP" message is
issued when a SKIP (Simple Key Management protocol for IP) request to provide keying material fails. This may occur
when the sender makes a request via a SKIP packet for some kind of algorithm, such as encryption, that is not
supported by the receiver. The receiver responds with this ICMP message to indicate that the requested algorithm is not
supported. This is not an attack unless these messages are sent in volume for an attempted denial of service.
Signature ID: 12254
ICMP SKIP message with non-zero ICMP code
Threat Level: Information
Signature Description: This rule gets hit when an ICMP "SKIP" message is detected with a non-zero ICMP code. An
ICMP "SKIP" message is issued when a SKIP request to provide keying material fails. The ICMP code value for this
message should be 0. If a non-zero ICMP code is observed, it may be an indication that the packet was crafted with an
invalid value. An attacker may craft an ICMP "SKIP" message with an invalid ICMP code. A single packet by itself is not
harmful, but the unusual ICMP code may indicate that the packet was abnormally generated. Sending an ICMP message
with an undefined ICMP code value should be considered nefarious activity on the network.
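As an added example, not taken from the guide or from the TMS zl product, the following Python code applies the header checks that signatures 12250 through 12254 describe to raw ICMP messages. It assumes the standard type numbers (ICMP Redirect is type 5 with defined codes 0 through 3, type 19 is the reserved type, and SKIP is type 39, for which only code 0 is defined); the packet builder, the RFC 1071 checksum check and the sample packets are constructed for this example.

```python
import struct

# ICMP type numbers (IANA assignments) and the codes defined for them.
ICMP_REDIRECT = 5           # RFC 792 defines Redirect codes 0-3 only
ICMP_RESERVED_SECURITY = 19  # reserved type; no legitimate use
ICMP_SKIP = 39              # SKIP; only code 0 is defined
REDIRECT_CODES = {0, 1, 2, 3}


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement checksum over the whole ICMP message."""
    if len(data) % 2:            # pad odd-length data with a zero byte
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:           # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def icmp_checksum_ok(packet: bytes) -> bool:
    """A message whose checksum field is correct sums to zero."""
    return len(packet) >= 8 and icmp_checksum(packet) == 0


def build_icmp(icmp_type: int, icmp_code: int, payload: bytes = b"") -> bytes:
    """Construct a sample ICMP message (8-byte header + payload) with a valid checksum."""
    rest = b"\x00\x00\x00\x00"   # 'rest of header' field, zeroed for the samples
    body = struct.pack("!BBH", icmp_type, icmp_code, 0) + rest + payload
    csum = icmp_checksum(body)
    return struct.pack("!BBH", icmp_type, icmp_code, csum) + rest + payload


def classify_icmp(packet: bytes):
    """Return the matching signature ID from the guide, or None if no rule applies."""
    if len(packet) < 8:          # too short to carry an ICMP header
        return None
    icmp_type, icmp_code = struct.unpack("!BB", packet[:2])
    if icmp_type == ICMP_REDIRECT and icmp_code not in REDIRECT_CODES:
        return 12250             # Redirect with undefined code
    if icmp_type == ICMP_RESERVED_SECURITY:
        return 12251 if icmp_code == 0 else 12252
    if icmp_type == ICMP_SKIP:
        return 12253 if icmp_code == 0 else 12254
    return None


if __name__ == "__main__":
    # Constructed sample traffic: one hit per signature plus two benign messages.
    for t, c in [(5, 1), (5, 4), (19, 0), (19, 7), (39, 0), (39, 1), (8, 0)]:
        pkt = build_icmp(t, c, b"\x45\x00")
        print(f"type={t} code={c} checksum_ok={icmp_checksum_ok(pkt)} sig={classify_icmp(pkt)}")
```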