TMS zl Module IPS/IDS Signature Reference Guide RLX.10.2.2.94

Signature ID: 12259
Traceroute tool
Threat Level: Information
Signature Description: Traceroute can be used as a reconnaissance tool because it can reveal information about the layout
of a network. Traceroute works by sending an ICMP Echo Request packet to a destination host with a TTL value of 1. If
the host is more than one hop away, the first router that receives the packet sends back an ICMP packet indicating
that the TTL was exceeded. The address of this router is then listed as the first hop. The packet is then sent out again
with a TTL of 2. This continues until the destination host is able to reply or some maximum TTL value is reached.
Other implementations use the same TTL-based concept with an ICMP type of 30 (traceroute) or with a UDP packet
destined for an ephemeral port. This rule gets hit if an ICMP packet with ICMP type 30 and an ICMP code greater than
zero is detected.
Signature ID: 12260
ICMP Type 1 datagram with ICMP code zero
Threat Level: Information
Signature Description: This rule gets hit when an ICMP Type 1 datagram with an ICMP Code zero is detected on the
network. ICMP Type 1 is not defined for use and is not expected network activity. The host sending the undefined ICMP
datagram should be investigated for malicious activity.
Signature ID: 12261
Undefined ICMP Type 1 datagram found in network traffic
Threat Level: Information
Signature Description: This rule gets hit when an undefined ICMP Type 1 datagram is detected on the network. ICMP
Type 1 is not defined for use and is not expected network activity. The host sending the undefined ICMP datagram should
be investigated for malicious activity.
Signature ID: 12262
ICMP Type 2 datagram with ICMP code zero
Threat Level: Warning
Signature Description: This rule gets hit when an ICMP Type 2 datagram with an ICMP Code zero is detected on the
network. ICMP Type 2 is not defined for use and is not expected network activity. Any ICMP datagram with an ICMP
Code zero should be investigated.
Signature ID: 12263
Undefined ICMP Type 2 datagram in network traffic
Threat Level: Information
Signature Description: This rule gets hit when an undefined ICMP Type 2 datagram with an undefined ICMP Code is
detected on the network. ICMP Type 2 is not defined for use and is not expected network activity. The host sending the
undefined ICMP datagram should be investigated for malicious activity.
Signature ID: 12264
ICMP Type 7 datagram with ICMP code zero
Threat Level: Information
Signature Description: This rule gets hit when an ICMP Type 7 datagram with an ICMP Code zero is detected on the
network. ICMP Type 7 is not defined for use and is not expected network activity. The host sending the undefined ICMP
datagram should be investigated for malicious activity.
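
The ICMP type/code conditions described for signatures 12259 through 12264, written out as an added example for triaging captured packets; this is not the TMS zl module's own rule logic. Assumptions: an "undefined" Type 1 or Type 2 datagram (12261, 12263) is taken to mean a non-zero ICMP code, and the helper names and sample packets are constructed for illustration.

```python
import struct

# (ICMP type, code test, signature ID) from the descriptions above.
# Assumption: 12261 and 12263 ("undefined") are treated as non-zero codes.
RULES = [
    (30, lambda c: c > 0, 12259),   # traceroute message, code > 0
    (1, lambda c: c == 0, 12260),
    (1, lambda c: c != 0, 12261),
    (2, lambda c: c == 0, 12262),
    (2, lambda c: c != 0, 12263),
    (7, lambda c: c == 0, 12264),
]

def classify(packet: bytes):
    """Return the matching signature ID for a raw IPv4 packet, or None."""
    if len(packet) < 20:
        return None
    version, ihl = packet[0] >> 4, (packet[0] & 0x0F) * 4
    if version != 4 or ihl < 20 or packet[9] != 1:   # protocol 1 = ICMP
        return None
    # Non-first fragments carry no ICMP header, so type/code cannot be read.
    frag_offset = struct.unpack("!H", packet[6:8])[0] & 0x1FFF
    if frag_offset != 0 or len(packet) < ihl + 4:
        return None
    icmp_type, icmp_code = packet[ihl], packet[ihl + 1]
    for rule_type, code_ok, sig_id in RULES:
        if icmp_type == rule_type and code_ok(icmp_code):
            return sig_id
    return None

def build(icmp_type, icmp_code, ttl=64, options=b""):
    """Constructed sample: IPv4 header + 8-byte ICMP header, checksums zero."""
    ihl = 5 + len(options) // 4
    icmp = struct.pack("!BBHI", icmp_type, icmp_code, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, ihl * 4 + len(icmp),
                     0, 0, ttl, 1, 0,
                     bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7]))
    return ip + options + icmp

if __name__ == "__main__":
    samples = {"type 30 code 1": build(30, 1), "type 2 code 0": build(2, 0),
               "echo request, TTL 1": build(8, 0, ttl=1)}
    for name, pkt in samples.items():
        print(name, "->", classify(pkt))
```

An Echo Request with a TTL of 1 returns no match here: as described, signature 12259 keys on ICMP type 30, not on the Echo-based or UDP-based traceroute variants.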