TMS zl Module IPS/IDS Signature Reference Guide RLX.10.2.2.94
ProCurve TMS zl Module IPS/IDS Signature
Reference Guide Version RLX.10.2.2.94
501
used on NFS clients to do UID or GID mapping. The ugidd RPC interface contains a vulnerability that forces a system
to make user names secretly. A remote attacker maps a given uid or gid to a user or group name. This successful
exploitation of this issue will allow an attacker to obtain a complete list of user names on the victim system. The names
should be used for subsequent brute force login attacks. Administrators are advised to disabled the rpc ugidd service, if
it is not necessary. This signature specifically detects when an attacker send request by using udp service.
Signature ID: 16047
RPC TCP Portmapper DUMP Call request Vulnerability
Threat Level: Warning
Signature Description: The RPC portmapper is a server that converts RPC program numbers into TCP/IP protocol
numbers. It must be running in order to make RPC calls to RPC servers on that machine. When an RPC server is
started, it will tell portmap what port number it is listening to, and what RPC program numbers it is prepared to serve.
Attackers can send a DUMP RPC call to the Portmap daemon to obtain a list of available RPC programs for a host.
This successful exploitation of this issue will allow an attacker to gain information and more targeted attacks. This
signature specifically detects when an attacker send request by using tcp service.
Signature ID: 16048
Access rpc.statd link/unlink
Threat Level: Information
Industry ID: CVE-1999-0019 Bugtraq: 6831
Signature Description: The rpc.statd server is an RPC server that implements the Network Status and Monitor RPC
protocol. It's a component of the Network File System (NFS) architecture. rpc.statd program is part of the 'nfs-utils'
package. This signature generates an event when an attacker try to identify whether rpc.statd service is running.
Administrators are advised to disable the rpc.statd service if it is not needed.
Signature ID: 16049
NIS domain name check
Threat Level: Information
Signature Description: NIS (Network Information System) does most of its authentication by having the client pass the
server the NIS domain name as a password. When a client provides the correct NIS domain name, it may request NIS
maps. Often an NIS domain name is easily guessable. If this is the case then a user anywhere on the Internet who
knows your NIS domain name may request your maps - Passwd.byname, for example. This signature detects when an
attacker send request on portmap service by using RPC-UDP.
Signature ID: 16050
Rpc.rwalld vulnerability
Threat Level: Information
Industry ID: CVE-1999-0181
Signature Description: The rwall daemon is a service which will broadcast messages from remote hosts to all users
who are logged into the system. While it is useful for sending broadcast messages across an entire network for
administrative purposes, it lacks proper authentication. This provides an attacker with the ability to send messages to
every user logged into your servers. This also allows an attacker to flood users with messages. This signature detects
when an attacker send request on portmap service by using RPC-UDP.
Signature ID: 16051
Mount & NIS services on non-reserved ports check Vulnerability(1)
Threat Level: Information
Signature Description: Mount(Mount is to make a group of files in a file system structure accessible to a user or user
group) and NIS(Network Information System allow many machines on a network to share configuration information,