ProCurve TMS zl Module IPS/IDS Signature Reference Guide Version RLX.10.2.2.94
Signature ID: 12336
Rsyncd module list access
Threat Level: Information
Signature Description: Rsync is an open source utility that provides fast incremental file transfer. It has the ability to
operate as either a client or server when transferring data over a network. When run with the --daemon option, rsync
becomes an rsync server listening on TCP port 873. The rsync server configuration file rsyncd.conf controls
authentication, access, logging and available modules. An rsync client can list the available modules from rsyncd.conf
if the list option is not disabled on the server. This rule detects when the rsyncd module list is accessed.
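
The following is an added example, not part of the original guide: a small audit that reads an rsyncd.conf and reports which modules a client would see in the module list, and whether each has `auth users` set. The sample configuration and the function names are constructed for illustration; `list` and `auth users` are rsyncd.conf parameters, and `list` defaults to yes.

```python
# Added example: find rsyncd.conf modules that appear in the module list.
import re

FALSE = {"no", "false", "0"}

# Constructed sample configuration (not taken from the guide).
SAMPLE_CONF = """\
# global section
uid = nobody

[public]
    path = /srv/rsync/public
    read only = yes

[backups]
    path = /srv/rsync/backups
    list = no
    auth users = backup
    secrets file = /etc/rsyncd.secrets

[staging]
    path = /srv/rsync/staging
    hosts allow = 10.0.0.0/8
"""

def parse_rsyncd_conf(text):
    """Return (global_params, {module: params}); keys lowercased, spaces removed."""
    global_params, modules, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = modules.setdefault(header.group(1).strip(), {})
            continue
        if "=" not in line:
            continue
        name, value = line.split("=", 1)  # only the first '=' is significant
        key = "".join(name.lower().split())
        (global_params if current is None else current)[key] = value.strip()
    return global_params, modules

def listable_modules(text):
    """Return [(module, has_auth_users)] for modules a client can enumerate."""
    g, modules = parse_rsyncd_conf(text)
    found = []
    for name, params in modules.items():
        # A module parameter in the global section acts as the default.
        value = params.get("list", g.get("list", "yes")).lower()
        if value not in FALSE:
            found.append((name, "authusers" in params or "authusers" in g))
    return found
```

Modules reported with `False` are both visible in the listing and open to anonymous clients, so they are the first candidates for `list = no` or an `auth users` entry.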
Signature ID: 12337
Integer overflow vulnerability in rsync
Threat Level: Information
Industry ID: CVE-2003-0962 Bugtraq: 9153 Nessus: 11943,14093,13818,13666,12609,12440
Signature Description: Rsync is an open source utility that provides fast incremental file transfer. It has the ability to
operate as either a client or server when transferring data over a network. An integer overflow error has been
discovered in a portion of rsync's memory handling routines. An attacker sending an extremely large, specially
crafted file may be able to exploit this error to execute arbitrary code from the heap of the rsync process address space.
This error results in a vulnerability primarily when the rsync program is used in server mode, accepting input from
remote clients over the network. Rsync versions 2.5.6 and earlier contain this flaw. An attacker may be
able to execute arbitrary code in the context of the user running the rsync server, often root.
Signature ID: 12338
Slapper Worm admin traffic
Threat Level: Information
Industry ID: CVE-2002-0656 Bugtraq: 5362,5363 Nessus: 11060
Signature Description: Slapper Worm is a family of worms that use an OpenSSL buffer overflow exploit (CAN-2002-0656)
to run a shell on a remote computer. Each variant of the family targets vulnerable installations of the Apache
Web server on Linux operating systems, which include versions of SuSE, Mandrake, Red Hat, Slackware, and Debian.
The worm also contains code for a Distributed Denial of Service (DDoS) attack.
Signature ID: 12339
X Font Server (XFS) Remote Buffer Overrun Vulnerability
Threat Level: Information
Industry ID: CVE-2002-1317 Bugtraq: 6241 Nessus: 11188
Signature Description: The X font server (xfs) provides a standard mechanism for an X server to communicate with a
font renderer, frequently running on a remote machine. It usually runs on TCP port 7100 or thereabouts. A buffer
overflow vulnerability in the Dispatch() routine of the XFS font server (fs.auto) on Solaris 2.5.1 through 9 allows remote
attackers to cause a denial of service (crash) or execute arbitrary code via a certain XFS query.
Signature ID: 12340
XTACACS failed login response
Threat Level: Information
Signature Description: XTACACS (Extended TACACS) is a later version of TACACS (Terminal Access Controller
Access Control System), an authentication protocol common to Unix networks that allows a remote access server to
forward a user's logon password to an authentication server to determine whether access can be allowed to a given
system. This rule tries to detect an XTACACS failed login response.