TMS zl Module IPS/IDS Signature Reference Guide RLX.10.2.2.94
ProCurve TMS zl Module IPS/IDS Signature
Reference Guide Version RLX.10.2.2.94
Signature ID: 16097
RPC rpc.xfsmd xfs_export attempt UDP
Threat Level: Information
Industry ID: CVE-2002-0359
Bugtraq: 5072,5075
Signature Description: The xfsmd service is installed and started by default on all versions of the IRIX operating system
from version 6.2 to 6.5.16 (after a full OS installation). There are multiple vulnerabilities in the xfsmd service.
Due to a programming error, the service does not correctly check for certain meta-characters and does not strip them
from the request, so a request can be used to run other shell commands. The service also suffers from an authentication
bypass vulnerability. Any access to this program is suspicious. This signature detects when an attacker sends a malicious
pattern in UDP RPC traffic.
Signature ID: 16098
RPC rpc.xfsmd xfs_export attempt on TCP
Threat Level: Information
Industry ID: CVE-2002-0359 CVE-2002-0652 Bugtraq: 5072,5075
Signature Description: The xfsmd service is installed and started by default on all versions of the IRIX operating system
from version 6.2 to 6.5.16 (after a full OS installation). There are multiple vulnerabilities in the xfsmd service.
Due to a programming error, the service does not correctly check for certain meta-characters and does not strip them
from the request, so a request can be used to run other shell commands. The service also suffers from an authentication
bypass vulnerability. Any access to this program is suspicious. This signature detects when an attacker sends a malicious
pattern in TCP RPC traffic.
Signature ID: 16099
RPC portmap UNSET attempt TCP 111 Vulnerability
Threat Level: Information
Signature Description: The RPC portmapper implements the UNSET procedure, which allows RPC programs to
unregister themselves with the portmapper. This destroys the mapping between a program's RPC number and port
number inside the portmapper. The UNSET procedure is usually called as a service shuts down. An attacker able to
unset port bindings can replace system services with Trojans or backdoor programs. This signature specifically detects
when an attacker sends the request using the TCP service.
Signature ID: 16100
3270 mapper service Vulnerability
Threat Level: Information
Industry ID: CVE-1999-0008 Bugtraq: 677,104 Nessus: 10208
Signature Description: The RPC 3270_mapper service is a server. Clients wishing to communicate with some
mainframes are required to use a 3270 terminal emulation program, which under many implementations requires this
service to be running. The 3270_mapper registers with the RPC portmapper as program 100013. This service may
become a security threat. This rule generates an event when an attacker tries to find out whether the 3270_mapper
service is running by using a portmap request. Administrators are advised to disable the service if it is not necessary.
This signature specifically detects when an attacker sends the request using the TCP service.
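Added example (not part of the ProCurve guide and not the module's own signature logic): a sketch of the kind of check signatures 16099 and 16100 describe, flagging portmap UNSET calls and GETPORT lookups for program 100013 in a reassembled TCP stream to port 111. It assumes portmap version 2 message layout (RFC 1833) with RFC 5531 record marking; the function names and sample bytes are constructed for illustration.

```python
import struct

PMAP_PROG = 100000                       # portmapper RPC program number
WATCHED = {100013: "3270_mapper"}        # program number from the 16100 entry

def rpc_records(stream: bytes):
    """Reassemble RPC records from a TCP stream (4-byte record marks)."""
    pos, record = 0, b""
    while pos + 4 <= len(stream):
        (mark,) = struct.unpack_from(">I", stream, pos)
        length = mark & 0x7FFFFFFF
        frag = stream[pos + 4:pos + 4 + length]
        if len(frag) < length:
            return                       # truncated capture, stop cleanly
        record += frag
        pos += 4 + length
        if mark >> 31:                   # high bit marks the last fragment
            yield record
            record = b""

def classify(record: bytes):
    """Return an alert string for UNSET, or GETPORT of a watched program."""
    try:
        _xid, mtype, rpcvers, prog, vers, proc = struct.unpack_from(">6I", record, 0)
        if mtype != 0 or rpcvers != 2 or prog != PMAP_PROG or vers != 2:
            return None                  # not an RPC CALL to portmap v2
        off = 24
        for _ in range(2):               # skip credential, then verifier
            _flavor, alen = struct.unpack_from(">II", record, off)
            off += 8 + ((alen + 3) & ~3)  # opaque body is padded to 4 bytes
        target, tvers, _prot, _port = struct.unpack_from(">4I", record, off)
    except struct.error:
        return None                      # short or malformed record
    if proc == 2:                        # PMAPPROC_UNSET
        return f"portmap UNSET for program {target} v{tvers}"
    if proc == 3 and target in WATCHED:  # PMAPPROC_GETPORT
        return f"portmap GETPORT for {WATCHED[target]} ({target})"
    return None

def scan(stream: bytes):
    """Return the alerts raised by every complete record in the stream."""
    return [a for a in map(classify, rpc_records(stream)) if a]

def sample_call(proc, target, xid=1):    # constructed input, AUTH_NONE cred/verf
    body = struct.pack(">6I", xid, 0, 2, PMAP_PROG, 2, proc)
    body += struct.pack(">4I", 0, 0, 0, 0) + struct.pack(">4I", target, 1, 6, 0)
    return struct.pack(">I", 0x80000000 | len(body)) + body

SAMPLE = sample_call(2, 100003) + sample_call(3, 100013) + sample_call(3, 100005)
```

Calling scan(SAMPLE) reports the UNSET and the 3270_mapper lookup and ignores the GETPORT for the unwatched program.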
Signature ID: 16103
Automounter daemon(amd) service portmap request vulnerability
Threat Level: Warning
Industry ID: CVE-1999-0704
Bugtraq: 614 Nessus: 10211
Signature Description: Automounter daemon(amd) is a daemon that automatically mounts filesystems whenever a file
or directory within that filesystem is accessed. Filesystems are automatically unmounted when they appear to have
become quiescent. Automounter daemon(am-utils-6.0.1) is vulnerable to a buffer overflow under several operating