ProCurve TMS zl Module IPS/IDS Signature Reference Guide Version RLX.10.2.2.94
Signature ID: 16071
Nisd Reserved Vulnerability
Threat Level: Information
Signature Description: The rpc.nisd daemon is a Remote Procedure Call service that implements the NIS+ service.
This daemon must be running on all servers that serve a portion of the NIS+ namespace. rpc.nisd is usually started from
a system startup script. The nisd daemon is probably vulnerable to port hijacking and should be moved to a reserved port.
Administrators are advised to run the nisd service on a reserved port, If a nisd running over. This signature
specifically detects when an attacker sends a request over TCP.
Signature ID: 16072
YpBindReserved vulnerability
Threat Level: Information
Signature Description: Ypbind finds the server for NIS domains and maintains the NIS binding information. The client
(normally the NIS routines in the standard C library) can get the information over RPC from Ypbind or read the
binding files. The binding files reside in the directory /var/yp/binding. Ypbind is vulnerable to a security threat in the
future. This signature generates an event when an attacker tries to identify whether the Ypbind service is running.
Administrators are advised to disable the Ypbind service if it is not needed. This signature specifically detects when an
attacker sends a request to the portmap service over TCP.
Signature ID: 16073
YpServReserved
Threat Level: Information
Signature Description: An attacker may probe to determine whether the target has ypserv running on a non-reserved
port. This daemon is probably vulnerable to port hijacking and should be moved to a reserved port.
Signature ID: 16074
Ypxfrd service access
Threat Level: Information
Signature Description: The ypxfrd daemon is designed to significantly improve the efficiency of transferring NIS maps
between hosts. The ypxfrd process registers with the RPC portmapper as program 100069. Ypxfrd is vulnerable to a
security threat in the future. This signature generates an event when an attacker tries to identify whether the ypxfrd service
is running. Administrators are advised to disable the ypxfrd service if it is not needed. This signature specifically
detects when an attacker sends a malicious pattern in RPC-TCP traffic.
Signature ID: 16075
Mountd Reserved Access
Threat Level: Information
Signature Description: The mountd Remote Procedure Call (RPC) implements the NFS mount protocol. When an NFS
client requests a mount of an NFS file system, mountd examines the list of exported file systems. If the NFS client is
permitted access to the requested file system, mountd returns a file handle for the requested directory. An attacker or
legitimate NFS client may request a list of exported file systems and client mount permissions. This signature generates
an event when an attacker tries to identify whether the mountd service is running. Administrators are advised to disable the
mountd service if it is not needed.
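The entries above advise moving the NIS/NIS+ and mountd RPC daemons to reserved ports or disabling them when unused. The following Python script is an added example, not part of the guide or of the TMS zl product: it audits `rpcinfo -p` output for those services and flags any registered above port 1023. Only program number 100069 comes from the guide; the other program numbers are the standard ONC RPC assignments, and the sample output is constructed.

```python
RESERVED_MAX = 1023  # ports below 1024 traditionally require root to bind on Unix

# RPC program numbers. 100069 (ypxfrd) is stated in the guide; the others are
# the standard ONC RPC assignments and are an assumption of this example.
WATCHED = {
    100300: "nisd",
    100007: "ypbind",
    100004: "ypserv",
    100069: "ypxfrd",
    100005: "mountd",
}

# Constructed sample of `rpcinfo -p` output (not captured from a real host).
SAMPLE = """\
   program vers proto   port  service
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100004    2   tcp  32771  ypserv
    100007    2   tcp    834  ypbind
    100069    1   tcp  32780  ypxfrd
    100005    3   tcp    635  mountd
    100300    3   tcp  32790  nisd
"""

def audit(rpcinfo_text):
    """Return (registered, unreserved) lists of (name, proto, port) tuples."""
    registered, unreserved = [], []
    for line in rpcinfo_text.splitlines():
        fields = line.split()
        # Data rows are: program version protocol port [service-name]
        if len(fields) < 4 or not fields[0].isdigit() or not fields[3].isdigit():
            continue
        program, proto, port = int(fields[0]), fields[2], int(fields[3])
        name = WATCHED.get(program)
        if name is None:
            continue
        entry = (name, proto, port)
        if entry not in registered:  # collapse multiple versions on one port
            registered.append(entry)
            if port > RESERVED_MAX:
                unreserved.append(entry)
    return registered, unreserved

if __name__ == "__main__":
    registered, unreserved = audit(SAMPLE)
    for name, proto, port in registered:
        flag = "NON-RESERVED" if (name, proto, port) in unreserved else "reserved"
        print(f"{name:8} {proto} {port:5}  {flag}")
```

Every service in the first list is a candidate for disabling if unused; those in the second list are the ones the guide says should be moved to a reserved port.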
Signature ID: 16078
Sun Solaris cachefsd mount file buffer overflow vulnerability
Threat Level: Information
Industry ID: CVE-2002-0084
Bugtraq: 4674