ProCurve TMS zl Module IPS/IDS Signature Reference Guide, Version RLX.10.2.2.94
including password data) services are sometimes running on non-reserved ports. An attacker may probe to identify
whether these services are running on non-reserved ports. Services running on non-reserved ports are most
likely vulnerable to port hijacking, after which an attacker can intercept or supply data from or to client programs. This signature
specifically detects when an attacker sends a request using the UDP service.
Signature ID: 16052
Portmapper register/unregister through callit
Threat Level: Information
Signature Description: An attacker may probe to identify whether portmapper services can be set and unset by utilizing
a feature within the portmapper/rpcbind program known as callit(). The callit() function allows forwarding of requests
to local services as though they were coming from the local system itself. This allows attackers to bypass IP address
based authentication checks, to register and un-register services, in addition to exploiting other services. This check
attempts to register a new service on the portmapper/rpcbind by utilizing this technique. In this way the set request
appears to come from the local machine and may bypass address checks.
Signature ID: 16053
Portmapper register/unregister through callit(1)
Threat Level: Information
Signature Description: An attacker may probe to identify whether portmapper services can be set and unset by utilizing
a feature within the portmapper/rpcbind program known as callit(). The callit() function allows forwarding of requests
to local services as though they were coming from the local system itself. This allows attackers to bypass IP address
based authentication checks, to register and un-register services, in addition to exploiting other services. This check
attempts to register a new service on the portmapper/rpcbind by utilizing this technique. In this way the set request
appears to come from the local machine and may bypass address checks. This signature detects when an attacker sends
a specially crafted pattern over UDP RPC.
Signature ID: 16054
Portmapper register/unregister through callit
Threat Level: Information
Signature Description: The portmapper (version 2) services can be set and unset by utilizing a feature within the
portmapper/rpcbind program known as callit(). The callit() function allows forwarding of requests to local services as
though they were coming from the local system itself. This allows attackers to bypass IP address based authentication
checks, to register and un-register services, in addition to exploiting other services.
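The three callit signatures above (16052 to 16054) describe a portmapper CALLIT request whose forwarded target is the portmapper's own set/unset procedure. The following Python code is an added example, not the vendor's signature logic, that classifies a UDP payload on that basis. The program and procedure numbers are taken from RFC 1833 and RFC 5531, the names `classify_callit` and `sample_call` are hypothetical, and the sample datagrams are constructed.

```python
import struct

PMAP_PROG, PMAP_VERS = 100000, 2            # portmapper program/version (RFC 1833)
PMAPPROC_SET, PMAPPROC_UNSET, PMAPPROC_CALLIT = 1, 2, 5
RPC_CALL, RPC_VERSION = 0, 2                # ONC RPC message type/version (RFC 5531)

def _skip_opaque_auth(buf, off):
    """Skip one opaque_auth (flavor, length, body padded to 4 bytes)."""
    _flavor, length = struct.unpack_from(">II", buf, off)
    if length > 400:                        # RFC 5531 caps auth bodies at 400 bytes
        raise ValueError("oversized auth body")
    return off + 8 + ((length + 3) & ~3)

def classify_callit(datagram):
    """Return 'set'/'unset' if a UDP payload is a portmapper CALLIT whose
    forwarded target is the portmapper's own SET/UNSET procedure, else None."""
    try:
        _xid, mtype, rpcvers, prog, vers, proc = struct.unpack_from(">6I", datagram, 0)
        if (mtype, rpcvers, prog, vers, proc) != (
                RPC_CALL, RPC_VERSION, PMAP_PROG, PMAP_VERS, PMAPPROC_CALLIT):
            return None
        off = _skip_opaque_auth(datagram, 24)       # credentials
        off = _skip_opaque_auth(datagram, off)      # verifier
        inner_prog, _inner_vers, inner_proc = struct.unpack_from(">3I", datagram, off)
    except (struct.error, ValueError):
        return None                                 # truncated or malformed: no match
    if inner_prog != PMAP_PROG:
        return None                                 # forwarded to some other service
    return {PMAPPROC_SET: "set", PMAPPROC_UNSET: "unset"}.get(inner_proc)

def sample_call(proc, inner=None, cred=b""):
    """Constructed test datagram; the forwarded argument body is left empty."""
    pad = b"\0" * (-len(cred) % 4)
    msg = struct.pack(">6I", 0x1234, RPC_CALL, RPC_VERSION, PMAP_PROG, PMAP_VERS, proc)
    msg += struct.pack(">II", 1, len(cred)) + cred + pad   # credential, filler body
    msg += struct.pack(">II", 0, 0)                        # verifier: AUTH_NONE
    if inner is not None:
        msg += struct.pack(">4I", *inner, 0)               # prog, vers, proc, empty args
    return msg

if __name__ == "__main__":
    for name, pkt in [("callit -> portmapper SET", sample_call(5, (100000, 2, 1), b"abcde")),
                      ("callit -> other program", sample_call(5, (100003, 3, 0))),
                      ("plain GETPORT", sample_call(3))]:
        print(name, classify_callit(pkt))
```

Skipping the variable-length credential and verifier before reading the forwarded program and procedure is what keeps the check from depending on fixed byte offsets.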
Signature ID: 16058
Solaris automountd vulnerability
Threat Level: Information
Bugtraq: 235
Signature Description: The automounter daemon (amd) is a daemon that automatically mounts filesystems whenever a file
or directory within that filesystem is accessed. Filesystems are automatically unmounted when they appear to have
become quiescent. A vulnerability in it may allow an unauthorized user to send arbitrary commands to the
automounter daemons. Given the automounter's SUID root status, the attacker can then execute arbitrary
commands on the system. This signature specifically detects 'procno=2' over the UDP service.