TMS zl Module IPS/IDS Signature Reference Guide RLX.10.2.2.94

ManualsBrandsHP ManualsComputer AccessoriesHP ProCurve Switch xl Access Controller Module

541

542

543

544

545

546

547

548

549

550

ProCurve TMS zl Module IPS/IDS Signature

Reference Guide Version RLX.10.2.2.94

547

Signature ID: 18106

SNMP communication with no community string

Threat Level: Information

Industry ID: CVE-1999-0517

Bugtraq: 2112 Nessus: 10264

Signature Description: This rule gets hit when SNMP communications do not contain a community name. An SNMP

community string is the authentication process that a host running SNMP uses to grant access. By supplying a blank

community string an attacker may be attempting to gain access to SNMP functionality for a device that has not been

configured correctly.

Signature ID: 18107

SNMP NULL community string attempt

Threat Level: Information

Industry ID: CVE-1999-0517 Bugtraq: 2112 Nessus: 10264

Signature Description: This event is generated when SNMP communications contain a NULL value as the

authentication string. An SNMP community string is the authentication process that a host running SNMP uses to grant

access. An attacker can launch a scan of all network attached devices looking for port 161 and then attempt to gain

access using SNMP.

Signature ID: 18110

SNMP requests with 'public' community access

Threat Level: Information

Industry ID: CVE-1999-0517 Bugtraq: 2112 Nessus: 10264

Signature Description: SNMP (Simple Network Management Protocol) v1 uses communities and IP addresses to

authenticate communication between the SNMP client and SNMP daemon. Many SNMP implementations come pre-

configured with 'public' and 'private' communities. If these are not disabled, the attacker can gather a great deal of

information about the device running the SNMP daemon. Best practices require administrators to change the

community string to a non default value.

Signature ID: 20002

Chargen Service

Threat Level: Information

Industry ID: CVE-1999-0103

CVE-1999-0635 Nessus: 10043

Signature Description: The chargen service runs on TCP/UDP port 19, and when contacted, chargen responds with

some random (something like all the characters in the alphabet in row). The 'chargen' service should only be enabled

when testing the machine. When contacted via UDP, it will respond with a single UDP packet. When contacted via

TCP, it will continue spewing characters until the client closes the connection. An easy attack 'pingpong' is possible, in

which an attacker spoofs a packet between two machines running chargen. They will commence spewing characters at

each other, slowing the machines down and saturating the network.

Signature ID: 20003

Daytime

Threat Level: Information

Industry ID: CVE-1999-0103

CVE-1999-0635 Nessus: 10052

Signature Description: The daytime service runs on TCp/UDP port 13. The date format issued by this service may

sometimes help an attacker to guess the operating system type. In addition to that, when the UDP version of daytime is

running, an attacker may link it to the echo port using spoofing, thus creating a possible denial of service.