TMS zl Module IPS/IDS Signature Reference Guide RLX.10.2.2.94

ProCurve TMS zl Module IPS/IDS Signature
Reference Guide Version RLX.10.2.2.94
Signature ID: 16952
Big TCP RPC message
Threat Level: Information
Signature Description: When TCP is used as the transport, SUN RPC splits a single message into smaller fragments, which are reassembled at the other end to form the complete RPC message. The IPS buffers these RPC fragments to obtain the complete message. While buffering a TCP RPC message that is sent in multiple TCP segments (and possibly in multiple RPC fragments), if the length of one complete RPC message is found to be larger than 2 K (the buffer size configured in the IPS), this log is generated to indicate that the IPS could not buffer the full RPC message because of size limitations. This is not an attack; the log is generated for informational purposes only.
Signature ID: 16953
More data transferred in the TCP connection than the value specified in the RPC fragment header
Threat Level: Critical
Signature Description: When TCP is used to transmit RPC fragment messages, the first 4 bytes in the packet give the fragment length, and the most significant bit of this field indicates whether this fragment is the last one. Normally, the number of bytes transferred in the packet matches the number indicated in the RPC fragment header. This log is generated when the IPS finds more bytes in the TCP transaction packets than the value indicated in the RPC fragment header fields, meaning that the bytes transferred in the connection exceed the values specified in the fragment headers put together.
Signature ID: 16956
RPC server response with out a client request
Threat Level: Critical
Signature Description: SUN RPC, or ONC RPC, is a widely deployed remote procedure call system. A client application first sends a request message and data to the remote program using RPC message syntax; these are processed on the remote system, and the results are finally passed back to the calling program. The server never initiates a response without receiving a request from the client, so an RPC response message from a server without a client request should be treated as malicious activity.
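Added example (not part of the original guide and not the TMS zl module's own code): a sketch of the record-marking reassembly described under 16953, the 2 K buffer check from 16952, and the reply-without-request check from 16956. The function names, the 'c2s'/'s2c' direction labels, the use of signature IDs as alert tags, and the sample traffic are assumptions made for illustration.

```python
import struct

MAX_MSG = 2048        # the 2 K reassembly buffer described under 16952
CALL, REPLY = 0, 1    # msg_type values in the ONC RPC message header

def reassemble(stream):
    """Split one direction of a TCP byte stream into complete RPC messages.
    Returns (messages, alerts, leftover); leftover starts at the first
    fragment of a message whose last fragment has not fully arrived."""
    messages, alerts, parts = [], [], []
    pos = start = size = 0
    while pos + 4 <= len(stream):
        (mark,) = struct.unpack_from(">I", stream, pos)
        last, length = mark >> 31, mark & 0x7FFFFFFF   # top bit = last fragment
        end = pos + 4 + length
        if end > len(stream):
            break                                      # wait for more data
        size += length
        if size <= MAX_MSG:
            parts.append(stream[pos + 4:end])
        pos = end
        if last:
            if size > MAX_MSG:
                alerts.append((16952, size))           # too big to buffer
            else:
                messages.append(b"".join(parts))
            parts, size, start = [], 0, pos
    return messages, alerts, stream[start:]

def check_replies(events):
    """events: ordered (direction, message) pairs, direction 'c2s' or 's2c'.
    Flags each server reply whose XID matches no outstanding client call."""
    pending, alerts = set(), []
    for direction, msg in events:
        if len(msg) < 8:
            continue                                   # no room for xid + msg_type
        xid, mtype = struct.unpack_from(">II", msg)
        if direction == "c2s" and mtype == CALL:
            pending.add(xid)
        elif direction == "s2c" and mtype == REPLY:
            if xid in pending:
                pending.discard(xid)
            else:
                alerts.append((16956, xid))
    return alerts

def frame(payload, last=True):
    """Constructed-sample helper: prepend a record mark to one fragment."""
    return struct.pack(">I", (0x80000000 if last else 0) | len(payload)) + payload

# Constructed sample traffic (not captured from a real network).
CALL_MSG = struct.pack(">II", 0x1234, CALL) + b"\x00" * 32
C2S = frame(CALL_MSG[:10], last=False) + frame(CALL_MSG[10:]) + frame(b"A" * 3000)
S2C = frame(struct.pack(">II", 0x1234, REPLY)) + frame(struct.pack(">II", 0x9999, REPLY))
```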
Signature ID: 16959
XDR syntax representation error
Threat Level: Critical
Signature Description: In RPC messages, the arguments are specific to a remote procedure call, which is identified by the combination of program number, procedure number, and version, and are represented in External Data Representation (XDR). The IPS provides the capability to define the XDR syntax representation for a remote procedure call through a signature and, if a definition is present, parses the argument portion of the RPC message using it. During this parsing, the IPS checks for syntax anomalies, such as a data length in the RPC message that is shorter or longer than the XDR definition uploaded through the signature allows, or a variable field in the arguments whose length does not fall within the RPC message boundary. If an anomaly is detected, it raises this log. It is possible to create a DoS attack by sending a specially crafted RPC packet with the wrong syntax described above.
Signature ID: 18003
Obtain network interfaces list via SNMP
Threat Level: Information
Nessus: 10551
Signature Description: Attackers may exploit SNMP to obtain the list of the network interfaces that are installed on the