TMS zl Module IPS/IDS Signature Reference Guide RLX.10.2.2.94

the local subnet could potentially use ICMP Redirect messages to force hosts to use compromised gateway devices.
ICMP Redirect datagrams are legitimate Internet traffic if a shorter route to a destination actually exists.
Signature ID: 12286
ICMP Redirect Network message
Threat Level: Information
Industry ID: CVE-2003-1398 CVE-1999-0265
Signature Description: This rule gets hit when an ICMP Redirect Network message (Type 5, Code 0) is detected in network
traffic. Several susceptible IP stack implementations may hang or crash when malformed or corrupted ICMP Redirect
Network packets are sent to them, so a malicious user may send corrupted ICMP Redirect Net messages into a network in
an attempt to crash a system. Any ICMP Redirect Network message will generate an event. Under normal network
conditions ICMP Redirect Network packets occur legitimately in a number of situations, so events from this signature are
not by themselves evidence of an attack.
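The following is an added example, not code from the signature guide or the TMS zl module: a small Python classifier that does what this signature describes. It parses an IPv4 packet, picks out ICMP Type 5 messages, reports signature 12286 only for Code 0 (Redirect Network), and separately notes the malformations the description warns about (a bad ICMP checksum, or a Redirect that does not carry the offending datagram's IP header plus 64 bits of payload as RFC 792 requires). The sample packets are constructed inline with made-up addresses; the function and field names are the example's own.

```python
"""Classify ICMP Redirect messages the way signature 12286 does (added example, not vendor code)."""
import socket
import struct
from typing import Optional

ICMP_PROTO = 1
ICMP_REDIRECT = 5
REDIRECT_CODES = {0: "network", 1: "host", 2: "tos-network", 3: "tos-host"}


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum. Over a message whose checksum field is
    already filled in correctly, the result is 0, which is how we verify it below."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Minimal IPv4 datagram (no options, TTL 64) with a correct header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]
    return hdr + payload


def build_redirect(code: int, gateway: str, original: bytes, keep: int = 28) -> bytes:
    """ICMP Redirect: type 5 | code | checksum | gateway address | quoted datagram.
    RFC 792 quotes the original IP header plus 64 bits of its data (28 bytes without
    options); a smaller `keep` produces the truncated form the description mentions."""
    msg = struct.pack("!BBH4s", ICMP_REDIRECT, code, 0, socket.inet_aton(gateway)) + original[:keep]
    return msg[:2] + struct.pack("!H", inet_checksum(msg)) + msg[4:]


def classify_redirect(packet: bytes) -> Optional[dict]:
    """Return an alert record for an IPv4 ICMP Redirect, or None for any other packet.
    'sid' is 12286 only for Code 0 (Redirect Network); 'issues' lists malformations."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or packet[9] != ICMP_PROTO:
        return None
    icmp = packet[ihl:]
    if len(icmp) < 8 or icmp[0] != ICMP_REDIRECT:
        return None
    code = icmp[1]
    issues = []
    if inet_checksum(icmp) != 0:           # checksum covers the whole ICMP message
        issues.append("bad-checksum")
    original = icmp[8:]                    # the datagram that provoked the redirect
    if len(original) < 28:
        issues.append("truncated-original-datagram")
    elif original[0] >> 4 != 4 or (original[0] & 0x0F) < 5:
        issues.append("malformed-original-header")
    return {
        "src": socket.inet_ntoa(packet[12:16]),
        "dst": socket.inet_ntoa(packet[16:20]),
        "code": code,
        "code_name": REDIRECT_CODES.get(code, "unknown"),
        "gateway": socket.inet_ntoa(icmp[4:8]),
        "issues": issues,
        "sid": 12286 if code == 0 else None,
    }


# Constructed sample traffic with assumed addresses (not captured from a real network).
ORIGINAL = build_ipv4("10.0.0.5", "192.0.2.10", 6, b"\x00" * 8)      # datagram the host sent
SAMPLE_NET_REDIRECT = build_ipv4("10.0.0.1", "10.0.0.5", ICMP_PROTO,
                                 build_redirect(0, "10.0.0.254", ORIGINAL))
SAMPLE_HOST_REDIRECT = build_ipv4("10.0.0.1", "10.0.0.5", ICMP_PROTO,
                                  build_redirect(1, "10.0.0.254", ORIGINAL))
SAMPLE_TRUNCATED = build_ipv4("10.0.0.1", "10.0.0.5", ICMP_PROTO,
                              build_redirect(0, "10.0.0.254", ORIGINAL, keep=10))
_bad = bytearray(SAMPLE_NET_REDIRECT)
_bad[-1] ^= 0xFF                       # corrupt the quoted datagram, leave the checksum stale
SAMPLE_BAD_CSUM = bytes(_bad)
SAMPLE_ECHO = build_ipv4("10.0.0.5", "10.0.0.1", ICMP_PROTO, struct.pack("!BBHHH", 8, 0, 0, 1, 1))

if __name__ == "__main__":
    for name, pkt in [("net", SAMPLE_NET_REDIRECT), ("host", SAMPLE_HOST_REDIRECT),
                      ("truncated", SAMPLE_TRUNCATED), ("bad-csum", SAMPLE_BAD_CSUM),
                      ("echo", SAMPLE_ECHO)]:
        print(name, classify_redirect(pkt))
```

A well-formed Code 0 redirect from the local router still yields an event with an empty issue list, which is the legitimate case the description refers to; the interesting records are those whose issue list is non-empty, or whose gateway address is not a router you recognise on that subnet.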
Signature ID: 12287
Attempt to download admin.dll using TFTP
Threat Level: Warning
Industry ID: CVE-2001-0154 CVE-2000-0884
Signature Description: This rule gets hit when an exploited Internet Information Server (IIS) host attempts to perform a
TFTP download of the file admin.dll in order to infect itself with the Nimda worm. The Nimda worm uses multiple
propagation methods. One method exploits a victim Internet Information Server (IIS) using a Unicode directory traversal
attack to execute commands on the target server. The commands attempt a TFTP download of the file admin.dll from the
infected attacking host to the victim server. The admin.dll file is a copy of the Nimda worm, which is then activated on
the newly infected victim server.
Signature ID: 12288
TFTP GET Request from Outside
Threat Level: Warning
Industry ID: CVE-1999-0183 CVE-2000-0015
Signature Description: This rule gets hit when a TFTP GET request is made from the external network to the internal
network. TFTP (Trivial File Transfer Protocol) allows remote users to read or write files without having to log in.
Attackers may use TFTP to upload files to, and download files from, servers that are properly or improperly configured.
Cisco IP phones running a SIP-compatible image, including the model 7960, are vulnerable to such an attack. Attackers
normally attempt to locate TFTP servers using automated scanners and tools.
Signature ID: 12289
TFTP Parent directory reference attempt
Threat Level: Warning
Industry ID: CVE-1999-0183 CVE-2002-1209 CVE-2001-0783 Bugtraq: 6045
Signature Description: This rule gets hit when a TFTP request is made with a parent directory designation of "..". This
may indicate an attempt to read files from, or place files on, the TFTP server outside the root directory configured for
it. Vulnerable TFTP servers such as SolarWinds TFTP Server Standard Edition 5.0.55 may allow remote attackers to transfer
files to directories outside the configured root directory, and Cisco TFTP Server 1.1 allows remote attackers to read
arbitrary files via a ".." (dot dot) sequence in the GET command. This could result in sensitive files being transferred
off the system or arbitrary files being uploaded to the system.
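The following is an added example, not code from the signature guide or the TMS zl module; it covers signatures 12287, 12288 and 12289 together because all three inspect the same TFTP request packet. It parses a TFTP RRQ/WRQ (opcode, NUL-terminated filename, NUL-terminated mode, optional RFC 2347 option pairs), then applies the three checks: a GET whose source is outside the internal address space (12288), a GET for admin.dll in any directory and any letter case (12287), and a ".." path component with either separator (12289, since Windows-hosted servers accept backslashes). The internal networks, addresses and sample requests are assumptions constructed for the example.

```python
"""Inspect TFTP requests for signatures 12287/12288/12289 (added example, not vendor code)."""
import ipaddress
import struct
from typing import Optional, Tuple

OPCODES = {1: "RRQ", 2: "WRQ", 3: "DATA", 4: "ACK", 5: "ERROR", 6: "OACK"}

# Assumed internal address space (the equivalent of a HOME_NET variable); adjust to taste.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]


def parse_tftp_request(payload: bytes) -> Optional[Tuple[int, str, str]]:
    """Parse an RRQ/WRQ: opcode | filename NUL | mode NUL [| option NUL value NUL]*.
    Returns (opcode, filename, mode), or None for other opcodes or a malformed request."""
    if len(payload) < 4:
        return None
    opcode = struct.unpack("!H", payload[:2])[0]
    if opcode not in (1, 2):
        return None
    fields = payload[2:].split(b"\x00")
    if len(fields) < 3 or fields[-1] != b"":      # need filename, mode and a final NUL
        return None
    filename = fields[0].decode("latin-1")
    mode = fields[1].decode("latin-1").lower()    # RFC 1350 modes are case-insensitive
    if mode not in ("netascii", "octet", "mail"):
        return None
    return opcode, filename, mode


def has_parent_reference(filename: str) -> bool:
    """True when '..' appears as a path component, with '/' or '\\' as separator."""
    return ".." in filename.replace("\\", "/").split("/")


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def inspect_tftp(src: str, dst: str, payload: bytes) -> dict:
    """Return the parsed request (or None) and the sorted list of signature IDs it triggers."""
    req = parse_tftp_request(payload)
    if req is None:
        return {"request": None, "sids": []}
    opcode, filename, mode = req
    basename = filename.replace("\\", "/").rsplit("/", 1)[-1].lower()
    sids = []
    if opcode == 1 and not is_internal(src) and is_internal(dst):
        sids.append(12288)          # TFTP GET Request from Outside
    if opcode == 1 and basename == "admin.dll":
        sids.append(12287)          # Attempt to download admin.dll using TFTP (Nimda)
    if has_parent_reference(filename):
        sids.append(12289)          # TFTP Parent directory reference attempt
    return {"request": {"op": OPCODES[opcode], "file": filename, "mode": mode}, "sids": sorted(sids)}


# Constructed sample UDP payloads with assumed addresses (not captured traffic).
SAMPLES = [
    # outside host reads a phone config file from an internal TFTP server -> 12288
    ("198.51.100.7", "10.1.1.20", b"\x00\x01SIPDefault.cnf\x00octet\x00"),
    # exploited internal IIS host pulls the worm from the attacker -> 12287
    ("10.1.1.20", "198.51.100.7", b"\x00\x01Admin.dll\x00octet\x00"),
    # outside read escaping the TFTP root -> 12288 and 12289
    ("198.51.100.7", "10.1.1.20", b"\x00\x01../../../etc/passwd\x00netascii\x00"),
    # outside write (WRQ) with backslash traversal -> 12289 only (not a GET)
    ("198.51.100.7", "10.1.1.20", b"\x00\x02..\\..\\winnt\\system32\\evil.exe\x00octet\x00"),
    # internal read with an RFC 2347 option, nothing suspicious -> no signature
    ("10.1.1.20", "10.1.1.5", b"\x00\x01config.txt\x00octet\x00blksize\x001024\x00"),
    # a DATA packet is not a request at all
    ("198.51.100.7", "10.1.1.20", b"\x00\x03\x00\x01payload"),
]

if __name__ == "__main__":
    for src, dst, payload in SAMPLES:
        print(src, "->", dst, inspect_tftp(src, dst, payload))
```

Because 12288 keys on direction, the same admin.dll request is reported differently depending on which side initiates it: the Nimda pattern is the internal IIS victim reading from the outside attacker, so it matches 12287 but not 12288, while an outsider reading from an internal server matches 12288 regardless of filename.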
Signature ID: 12290
Remote Integer Overflow in detection code of SSH CRC32 overflow attack
Threat Level: Warning
Industry ID: CVE-2001-0144 CVE-2002-1024 Bugtraq: 2347,5114 Nessus: