TMS zl Module IPS/IDS Signature Reference Guide RLX.10.2.2.94

Signature ID: 12282
Webtrends Scanner
Threat Level: Information
Signature Description: Webtrends Security Scanner is a vulnerability scanner. This rule is triggered when the Webtrends
Security Scanner generates an ICMP echo request message. A remote attacker can sweep a large range of addresses with
ICMP echo requests to determine which hosts on the network are up, so this traffic may indicate a reconnaissance scan
of the target network using the Webtrends application.
Signature ID: 12283
ICMP Router Discovery Protocol (IRDP) router advertisement message
Threat Level: Information
Industry ID: CVE-1999-0875 Bugtraq: 578
Signature Description: This rule is triggered when an ICMP Router Discovery Protocol (IRDP) router advertisement
message (ICMP type 9) is sent to an internal host from the external network. IRDP advertisements announce router
addresses, and hosts with IRDP enabled install the advertised routers in their routing tables. The protocol carries no
authentication, so a receiving host has no way to determine whether an advertisement is genuine or spoofed, and some
hosts prefer the routes learned this way over the default gateway obtained via DHCP. An attacker can exploit this
behavior by broadcasting IRDP advertisements that carry bogus router addresses to a target network, causing IRDP-enabled
hosts on that network to send their traffic through the router named in the spoofed message. If the advertised address
is nonexistent or unreachable, the targets lose connectivity to external networks, a denial of service; if it is a host
the attacker controls, the attacker can intercept or tamper with the traffic (a man-in-the-middle attack). This rule may
also alert on legitimate ICMP type 9 traffic sent from an external router to an internal host.
Signature ID: 12284
ICMP Router Discovery Protocol (IRDP) router solicitation message
Threat Level: Information
Industry ID: CVE-1999-0875 Bugtraq: 578
Signature Description: This rule is triggered when an ICMP Router Discovery Protocol (IRDP) router solicitation
message (ICMP type 10) is sent to an internal host from the external network. A host sends a solicitation to ask the
routers on its link to reply immediately with router advertisements, so solicitations are normally confined to the local
segment. Because IRDP carries no authentication, the advertisements that a solicitation elicits are open to the spoofing
described under signature 12283: hosts with IRDP enabled install advertised routers in their routing tables, some of
them ahead of the default gateway obtained via DHCP, so an attacker who injects advertisements with bogus router
addresses can black-hole a target's external traffic (denial of service) or route it through a host under the attacker's
control (man-in-the-middle interception of data). A solicitation arriving from outside the network is unexpected and may
precede such an attack. This rule may also alert on legitimate ICMP type 10 traffic sent from an external host to an
internal host.
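The following decoder is an added example written for this guide entry; it is not code from the TMS zl module or from ProCurve. It parses the two IRDP message types that signatures 12283 (ICMP type 9, router advertisement) and 12284 (ICMP type 10, router solicitation) match, rejects malformed messages rather than alerting on them, and applies the direction condition both signatures share: the message must come from an external source and be addressed to an internal host. The internal address ranges, the sample packets and the sample addresses are constructed for the example (documentation ranges, not real hosts); a real sensor would use its own home-network definition.

```python
"""
Decoder and direction check for ICMP Router Discovery (RFC 1256) messages,
mirroring what signatures 12283 (type 9, router advertisement) and 12284
(type 10, router solicitation) look for: an IRDP message that arrives at an
internal host from an external source.
"""
import ipaddress
import struct

# Assumed address plan for the example; a real sensor uses its own
# home-network definition.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]

# Preference value that RFC 1256 reserves for "do not use as a default router".
DO_NOT_USE = -0x80000000


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over the whole ICMP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_router_advertisement(routers, lifetime=1800) -> bytes:
    """Constructed sample: type 9 message listing (router_ip, preference) pairs."""
    # count, address entry size in 32-bit words (always 2), lifetime in seconds
    body = struct.pack("!BBH", len(routers), 2, lifetime)
    for ip, pref in routers:
        body += ipaddress.ip_address(ip).packed + struct.pack("!i", pref)
    csum = icmp_checksum(struct.pack("!BBH", 9, 0, 0) + body)
    return struct.pack("!BBH", 9, 0, csum) + body


def build_router_solicitation() -> bytes:
    """Constructed sample: type 10 message (header plus four reserved bytes)."""
    body = b"\x00" * 4
    csum = icmp_checksum(struct.pack("!BBH", 10, 0, 0) + body)
    return struct.pack("!BBH", 10, 0, csum) + body


def parse_irdp(payload: bytes) -> dict:
    """Decode a type 9 or type 10 message; raise ValueError for any other type
    or for a malformed message, so the check below never alerts on garbage."""
    if len(payload) < 8:
        raise ValueError("ICMP message shorter than 8 bytes")
    mtype, code, _ = struct.unpack("!BBH", payload[:4])
    if code != 0:
        raise ValueError("IRDP messages carry code 0, got %d" % code)
    # Summing a valid message with its checksum field included yields 0.
    if icmp_checksum(payload) != 0:
        raise ValueError("bad ICMP checksum")
    if mtype == 10:
        return {"type": 10, "kind": "solicitation"}
    if mtype != 9:
        raise ValueError("not an IRDP message (type %d)" % mtype)
    num, entry_size, lifetime = struct.unpack("!BBH", payload[4:8])
    if entry_size != 2:
        raise ValueError("unexpected address entry size %d" % entry_size)
    need = 8 + num * 8
    if len(payload) < need:
        raise ValueError("advertisement truncated: %d of %d bytes" % (len(payload), need))
    routers = []
    for off in range(8, need, 8):
        addr = ipaddress.ip_address(payload[off:off + 4])
        (pref,) = struct.unpack("!i", payload[off + 4:off + 8])
        routers.append((str(addr), pref))
    return {"type": 9, "kind": "advertisement", "lifetime": lifetime, "routers": routers}


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def evaluate(src_ip: str, dst_ip: str, icmp_payload: bytes):
    """Apply the signatures' direction condition. Returns (signature_id, decoded)
    for an external -> internal IRDP message, or None when no alert is due."""
    decoded = parse_irdp(icmp_payload)
    if is_internal(src_ip) or not is_internal(dst_ip):
        return None
    sig = 12283 if decoded["type"] == 9 else 12284
    if decoded["type"] == 9:
        # Advertised routers outside the home network, with a usable preference,
        # are the spoofed black-hole or man-in-the-middle case described above.
        decoded["foreign_routers"] = [r for r, p in decoded["routers"]
                                      if not is_internal(r) and p != DO_NOT_USE]
    return sig, decoded


if __name__ == "__main__":
    # Constructed traffic; addresses are documentation ranges, not real hosts.
    spoofed = build_router_advertisement([("203.0.113.1", 0x7FFFFFFF)])
    print(evaluate("203.0.113.1", "10.0.0.5", spoofed))
    print(evaluate("198.51.100.7", "10.0.0.5", build_router_solicitation()))
    print(evaluate("10.0.0.1", "10.0.0.5", build_router_advertisement([("10.0.0.1", 0)])))
```

The checksum and length checks matter in practice: an advertisement whose address count runs past the end of the packet, or whose entry size is not 2, is not a protocol message a host would act on, and alerting on it only adds noise. The foreign_routers field singles out the advertisements that would actually redirect a victim's default route off the local network.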
Signature ID: 12285
ICMP Redirect for host datagram
Threat Level: Information
Industry ID: CVE-1999-0265
Signature Description: This rule is triggered when a network host generates an ICMP Redirect for Host datagram (ICMP
type 5, code 1). ICMP Redirect messages are generated by gateway devices when a shorter route to the destination exists.
When a gateway receives an Internet datagram from a host on the same network, it checks its routing table to determine
the address of the next hop (gateway) on the route to the datagram's destination and forwards the datagram to that next
hop. If that next-hop gateway is also on the same network as the originating host, the gateway generates an ICMP Redirect
message and sends it back to the host that originated the traffic. The redirect informs the host that a shorter route
exists and that further traffic for that destination should be sent directly to the closer gateway. Attackers on