TMS zl Module IPS/IDS Signature Reference Guide RLX.10.2.2.94

Signature ID: 12265
Undefined ICMP Type 7 datagram in network traffic
Threat Level: Information
Industry ID: CVE-1999-0454
Signature Description: This rule is hit when an ICMP message with the undefined Type 7 is detected on the network.
ICMP Type 7 is not defined for use and is not expected network activity. The host sending the undefined ICMP datagram
should be investigated for malicious activity.
Signature ID: 12266
Inbound ICMP Ping Packet with TTL Value 1 Found
Threat Level: Warning
Signature Description: The Time to Live (TTL) field in the IP header is set by the sender of the datagram and reduced by
every host on the route to its destination. If the TTL field reaches zero before the datagram arrives at its destination,
the datagram is discarded and an ICMP error datagram (11 - Time Exceeded) is sent back to the sender. IP
datagrams with a TTL value of 1 rarely appear. The Windows traceroute command 'tracert' uses an ICMP echo request with a
lower than normal TTL value (initially ttl=1, then 2, 3, and so on) to identify live hosts and network
topologies. An attacker can use traceroute to gain knowledge of a target network. Some DHCP servers issue ICMP pings
with a TTL value of 1 to detect IP addresses that may be reclaimed by the server.
Signature ID: 12267
ICMP Destination Unreachable Communication Administratively Prohibited
Threat Level: Information
Signature Description: This indicates that a router is unable to forward a packet due to filtering, which could be the
result of malicious activity, such as spoofed traffic or a Denial-of-Service (DoS) attack. In a DoS attack, it is common
to use spoofed source IP addresses. If and when the traffic gets filtered and an ICMP message is returned, the spoofed
source address will be the recipient of the ICMP message. A similar situation may occur when a large portscan is
occurring and an attempt is made to mask the true source of the scan by tossing in spoofed source addresses. This rule
hits when ICMP type 3 and ICMP code 13 are found in the traffic.
Signature ID: 12268
ICMP Destination Unreachable Communication with Destination Host is Administratively
Prohibited
Threat Level: Warning
Signature Description: This indicates that a router is unable to forward a packet due to filtering, which could be the
result of malicious activity, such as spoofed traffic or a Denial-of-Service (DoS) attack. In a DoS attack, it is common
to use spoofed source IP addresses. If and when the traffic gets filtered and an ICMP message is returned, the spoofed
source address will be the recipient of the ICMP message. A similar situation may occur when a large portscan is
occurring and an attempt is made to mask the true source of the scan by tossing in spoofed source addresses. This rule
hits when an ICMP packet with ICMP type 3 and ICMP code 10 is found.
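The match conditions stated for signatures 12265 through 12268, written out as a check over raw IPv4 bytes. This is an added example, not the module's own rule code; `classify_icmp` and `build_packet` are hypothetical names, the sample packets are constructed, and it assumes the caller passes only inbound traffic and that the echo request is ICMP type 8.

```python
import struct

ICMP_PROTO = 1
# (ICMP type, ICMP code) -> signature ID, as stated in the entries above
TYPE_CODE_SIGS = {(3, 13): 12267, (3, 10): 12268}


def classify_icmp(packet: bytes) -> list:
    """Return the signature IDs (12265-12268) that a raw IPv4 packet matches."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return []                        # not a complete IPv4 header
    ihl = (packet[0] & 0x0F) * 4         # header length; options shift the ICMP offset
    if ihl < 20 or len(packet) < ihl + 2:
        return []                        # bad IHL or no room for ICMP type/code
    frag = struct.unpack("!H", packet[6:8])[0]
    ttl, proto = packet[8], packet[9]
    if proto != ICMP_PROTO or frag & 0x1FFF:
        return []                        # not ICMP, or a later fragment without the ICMP header
    icmp_type, icmp_code = packet[ihl], packet[ihl + 1]
    hits = []
    if icmp_type == 7:                   # undefined ICMP type
        hits.append(12265)
    if icmp_type == 8 and ttl == 1:      # echo request (assumed type 8) arriving with TTL 1
        hits.append(12266)
    sig = TYPE_CODE_SIGS.get((icmp_type, icmp_code))
    if sig:
        hits.append(sig)
    return hits


def build_packet(ttl, icmp_type, icmp_code, options=b""):
    """Constructed sample: IPv4 header (checksums left zero) plus an 8-byte ICMP header."""
    ihl = 5 + len(options) // 4
    ip = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, ihl * 4 + 8, 0, 0,
                     ttl, ICMP_PROTO, 0,
                     bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7]))
    return ip + options + struct.pack("!BBHI", icmp_type, icmp_code, 0, 0)


if __name__ == "__main__":
    for label, pkt in [("type 7", build_packet(64, 7, 0)),
                       ("echo, ttl=1", build_packet(1, 8, 0)),
                       ("echo, ttl=64", build_packet(64, 8, 0)),
                       ("type 3 code 13", build_packet(64, 3, 13)),
                       ("type 3 code 10 + IP options", build_packet(64, 3, 10, b"\x01" * 4))]:
        print(label, classify_icmp(pkt))
```

Because signature 12266 also matches legitimate tracert and DHCP probes, as its description notes, a hit on it is usually correlated with the source address before it is escalated.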
Signature ID: 12269
ICMP Destination Unreachable Communication with Destination Network is Administratively
Prohibited
Threat Level: Warning
Signature Description: This indicates that a router is unable to forward a packet due to filtering, which could be the
result of malicious activity, such as spoofed traffic or a Denial-of-Service (DoS) attack. In a DoS attack, it is common
to use spoofed source IP addresses. If and when the traffic gets filtered and an ICMP message is returned, the spoofed