TMS zl Module IPS/IDS Signature Reference Guide RLX.10.2.2.94
Signature ID: 16253
Ypupdated arbitrary command attempt TCP
Threat Level: Information
Industry ID: CVE-1999-0208
Signature Description: The "rpc.ypupdated" program is a server used to change NIS (Network Information Service)
information from a network-based client, using various methods of authentication. When a client communicates with
the server, the server checks whether the connection is authentic using secure RPC, but it does not check whether
the client is authorized to modify the NIS data, or whether the requested NIS map even exists. Even after an
unsuccessful attempt to update the NIS information, the "rpc.ypupdated" server invokes the 'make' program to
propagate possible changes. The invocation of 'make' is implemented in an insecure fashion that allows the requesting
client to pass malicious arguments to the call, resulting in the execution of arbitrary commands on NIS master and
slave servers. This rule detects the attack pattern in RPC-over-TCP traffic.
Signature ID: 16254
Ypupdated arbitrary command attempt UDP
Threat Level: Information
Industry ID: CVE-1999-0208
Signature Description: The "rpc.ypupdated" program is a server used to change NIS (Network Information Service)
information from a network-based client, using various methods of authentication. When a client communicates with
the server, the server checks whether the connection is authentic using secure RPC, but it does not check whether
the client is authorized to modify the NIS data, or whether the requested NIS map even exists. Even after an
unsuccessful attempt to update the NIS information, the "rpc.ypupdated" server invokes the 'make' program to
propagate possible changes. The invocation of 'make' is implemented in an insecure fashion that allows the requesting
client to pass malicious arguments to the call, resulting in the execution of arbitrary commands on NIS master and
slave servers. This rule detects the attack pattern in RPC-over-UDP traffic.
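As an added illustration of the defect class the two descriptions above refer to (this is example code written for this page, not the rpc.ypupdated source and not part of the guide), the Python below places the insecure pattern, a client-supplied map name spliced into a shell command line that runs 'make', beside a hardened version that first checks that the map exists and is well-formed and then execs 'make' with an argument vector and no shell. The Makefile path, the map list, the malicious map name and the use of 'echo' in place of 'make' (so the example runs on a host without NIS) are all assumptions made for the example.

```python
import re
import subprocess

# Constructed stand-ins for the example: the NIS Makefile path and the maps
# this server serves. A real server would take the map list from /var/yp.
YP_MAKEFILE = "/var/yp/Makefile"
KNOWN_MAPS = {"passwd.byname", "passwd.byuid", "hosts.byname", "hosts.byaddr"}
MAP_NAME_RE = re.compile(r"^[A-Za-z0-9_.-]+$")

# 'echo make' stands in for the real 'make' binary so the example runs
# anywhere; the only thing demonstrated is what reaches the shell.
MAKE_ARGV = ["echo", "make"]


def propagate_unsafe(mapname: str) -> str:
    """The insecure pattern the signature describes: the client-supplied map
    name is pasted into one command string handed to /bin/sh, so shell
    metacharacters in the name (';', '|', '`', '$(') are interpreted and the
    client decides what runs on the NIS master. Returns the command output."""
    cmd = " ".join(MAKE_ARGV + ["-f", YP_MAKEFILE, mapname])
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def propagate_hardened(mapname: str, known_maps=KNOWN_MAPS) -> str:
    """Reject names with anything but map-name characters, reject maps that
    do not exist, then exec with an argv list and no shell so the name can
    only ever be a single argument to make."""
    if not MAP_NAME_RE.match(mapname):
        raise ValueError(f"map name contains illegal characters: {mapname!r}")
    if mapname not in known_maps:
        raise ValueError(f"unknown NIS map: {mapname!r}")
    argv = MAKE_ARGV + ["-f", YP_MAKEFILE, mapname]
    return subprocess.run(argv, capture_output=True, text=True).stdout


def hardened_rejects(mapname: str) -> bool:
    """True if the hardened path refuses the request."""
    try:
        propagate_hardened(mapname)
    except ValueError:
        return True
    return False


# Constructed request: a map name that smuggles a second shell command.
MALICIOUS_MAP = "passwd.byname; echo INJECTED"

if __name__ == "__main__":
    print("unsafe   :", propagate_unsafe(MALICIOUS_MAP).splitlines())
    print("hardened :", "rejected" if hardened_rejects(MALICIOUS_MAP) else "accepted")
    print("hardened :", propagate_hardened("passwd.byname").strip())
```

Run as-is, the unsafe path prints a second line, INJECTED, that the client put there; the hardened path refuses the same name before anything is executed, and accepts "passwd.byname" as exactly one argument.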
Signature ID: 16950
Malformed RPC message
Threat Level: Critical
Signature Description: Sun RPC, or ONC RPC, is a widely deployed remote procedure call system. It serializes data
using XDR and transmits it across the network in binary form; ONC RPC then delivers the XDR payload over either UDP
or TCP. Certain fields must be present in every RPC call message, namely the transaction ID (xid), message type, RPC
version, program number, program version and procedure number. Each of these is a 4-byte integer, so any RPC call
message must be at least as long as these fields put together (24 bytes). Other fields in the message, the credential
and the verifier, are variable length: each begins with a 4-byte authentication flavor followed by a 4-byte length of
the opaque body that follows it, and that length must lie within the message boundary. This rule is generated when the
IPS finds an RPC message either with a length of less than 24 bytes or with a variable-length field whose specified
length is not within the message boundary, indicating a malformed RPC message. This may be an indication of an
attacker sending malformed RPC messages to cause a denial of service, or it may be that non-RPC traffic is being sent
to a port number assigned to an RPC service.
Signature ID: 16951
Multiple RPC request response message in same TCP connections
Threat Level: Information
Signature Description: The IPS can buffer an RPC-over-TCP message that is split into several record-marked fragments,
each of which may itself arrive in multiple TCP segments, but it expects only one RPC request/response exchange to be
processed per TCP connection. This log is generated, for information only, when more than one RPC request is found
in the same TCP connection; depending on the action setting for this log, the IPS can drop the connection or ignore
the second and subsequent requests. This is not an attack; the event is generated purely for informational purposes.
Note that many legitimate RPC clients, NFS over TCP in particular, reuse one connection for many calls, so the drop
action should be applied with care.
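To make the checks behind signatures 16950 and 16951 concrete, the added Python below (example code written for this page, not the TMS zl module's own implementation) parses an ONC RPC call header the way the 16950 description lays it out, reassembles record-marked RPC-over-TCP fragments into whole messages, and reports when one connection carries more than one request, as 16951 does. The sample traffic is constructed inline (two portmapper NULL calls, then a call whose credential length overruns the message); the alert strings, function names and the assumed maximum of 400 bytes for an auth body (the RFC 5531 bound) are the example's own.

```python
import struct
from collections import namedtuple
from typing import Dict, List, Tuple

# Fixed call-header fields (RFC 5531): xid, msg_type, rpcvers, prog, vers, proc.
RPC_CALL_FIXED_LEN = 24
MSG_CALL = 0
MAX_AUTH_BYTES = 400        # RFC 5531 bound on an opaque_auth body (assumed check)
LAST_FRAGMENT = 0x80000000  # high bit of the RPC-over-TCP record mark

RpcCall = namedtuple("RpcCall", "xid prog vers proc cred_flavor verf_flavor")


def parse_rpc_call(msg: bytes) -> RpcCall:
    """Parse one RPC CALL (a UDP datagram or a reassembled TCP record).
    Raises ValueError for the 16950 conditions: length below 24 bytes, or a
    credential/verifier length that runs past the end of the message."""
    if len(msg) < RPC_CALL_FIXED_LEN:
        raise ValueError(f"RPC message too short: {len(msg)} < {RPC_CALL_FIXED_LEN}")
    xid, msg_type, rpcvers, prog, vers, proc = struct.unpack("!6I", msg[:RPC_CALL_FIXED_LEN])
    if msg_type != MSG_CALL:
        raise ValueError(f"not a CALL message (msg_type={msg_type})")
    if rpcvers != 2:
        raise ValueError(f"unsupported RPC version {rpcvers}")
    # credential and verifier are each opaque_auth: 4-byte flavor, 4-byte body
    # length, then the body padded up to a 4-byte boundary.
    off, flavors = RPC_CALL_FIXED_LEN, []
    for name in ("credential", "verifier"):
        if off + 8 > len(msg):
            raise ValueError(f"{name} header truncated")
        flavor, body_len = struct.unpack("!II", msg[off:off + 8])
        padded = (body_len + 3) & ~3
        if off + 8 + padded > len(msg):
            raise ValueError(f"{name} length {body_len} outside message boundary")
        if body_len > MAX_AUTH_BYTES:
            raise ValueError(f"{name} length {body_len} exceeds {MAX_AUTH_BYTES}")
        flavors.append(flavor)
        off += 8 + padded
    return RpcCall(xid, prog, vers, proc, flavors[0], flavors[1])


def split_tcp_records(stream: bytes) -> List[bytes]:
    """Reassemble record-marked RPC-over-TCP data into whole messages. Each
    fragment starts with a 4-byte mark: high bit = last fragment of this
    message, low 31 bits = fragment length. Fragments need not line up with
    TCP segments, which is why the IPS must buffer the stream."""
    messages, current, off = [], bytearray(), 0
    while off < len(stream):
        if off + 4 > len(stream):
            raise ValueError("truncated record mark")
        (mark,) = struct.unpack("!I", stream[off:off + 4])
        frag_len, off = mark & 0x7FFFFFFF, off + 4
        if off + frag_len > len(stream):
            raise ValueError("fragment runs past end of stream")
        current += stream[off:off + frag_len]
        off += frag_len
        if mark & LAST_FRAGMENT:
            messages.append(bytes(current))
            current = bytearray()
    if current:
        raise ValueError("stream ended in the middle of a message")
    return messages


def inspect_tcp_connection(stream: bytes) -> Dict[str, list]:
    """Client-to-server side of one connection: 16950 per unparsable message,
    16951 once if the connection carried more than one request."""
    alerts, calls = [], []
    for msg in split_tcp_records(stream):
        try:
            calls.append(parse_rpc_call(msg))
        except ValueError as err:
            alerts.append(f"16950 Malformed RPC message: {err}")
    if len(calls) > 1:
        alerts.append(f"16951 Multiple RPC requests in same TCP connection: {len(calls)}")
    return {"alerts": alerts, "calls": calls}


def build_call(xid: int, prog: int, vers: int, proc: int,
               cred: Tuple[int, bytes] = (0, b""), verf: Tuple[int, bytes] = (0, b"")) -> bytes:
    """Encode a CALL message; defaults give AUTH_NULL credential and verifier."""
    def opaque_auth(flavor: int, body: bytes) -> bytes:
        return struct.pack("!II", flavor, len(body)) + body + b"\x00" * ((-len(body)) % 4)
    return struct.pack("!6I", xid, MSG_CALL, 2, prog, vers, proc) + opaque_auth(*cred) + opaque_auth(*verf)


def record(payload: bytes, last: bool) -> bytes:
    """Prefix a fragment with its RPC-over-TCP record mark."""
    return struct.pack("!I", len(payload) | (LAST_FRAGMENT if last else 0)) + payload


# Constructed sample traffic (not captured data): two portmapper NULL calls
# (program 100000, version 2, procedure 0) on one connection, the first one
# split across two fragments.
CALL_1 = build_call(xid=1, prog=100000, vers=2, proc=0)
CALL_2 = build_call(xid=2, prog=100000, vers=2, proc=0)
SAMPLE_STREAM = record(CALL_1[:16], False) + record(CALL_1[16:], True) + record(CALL_2, True)

# A call whose credential claims 100 bytes but carries only 8: the 16950 case.
BAD_CALL = struct.pack("!6I", 3, MSG_CALL, 2, 100000, 2, 0) + struct.pack("!II", 1, 100) + b"\x00" * 8
MALFORMED_STREAM = record(BAD_CALL, True)

if __name__ == "__main__":
    for label, stream in (("good", SAMPLE_STREAM), ("bad", MALFORMED_STREAM)):
        result = inspect_tcp_connection(stream)
        print(label, [c.xid for c in result["calls"]], result["alerts"])
```

The same parse_rpc_call() applies unchanged to a UDP datagram, which is the whole of one message; only the record-mark reassembly is specific to TCP. The parser is deliberately strict about the padded body length rather than the raw one, since a body length that fits but whose padding does not is still outside the message boundary.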