ProCurve TMS zl Module IPS/IDS Signature Reference Guide Version RLX.10.2.2.94
Signature ID: 21038
Microsoft SMB ADMIN$ Hidden Share Access
Threat Level: Severe
Signature Description: Every Windows NT-based Microsoft Windows system (NT/2K/XP/2003) automatically creates
a network share of every hard drive. The administrative shares are the default shares created by Windows whose share
name contains the drive letter with a "$" at the end (ADMIN$). These shares allow anyone who can authenticate as
a member of the local Administrators group to access the root directory of every hard drive on the system, and thus
the share contents, remotely. They are not generally used or useful outside of an enterprise environment.
Allowing remote access to these shares is a poor security practice. It is recommended to disable these hidden shares
by editing the registry at
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters and setting the values
'AutoShareServer' and 'AutoShareWks' to 0.
Signature ID: 21039
Samba SMB Share access by directory traversal
Threat Level: Information
Signature Description: This rule triggers when an attempt is made to use Samba to gain access to private or
administrative shares on a host by using directory traversal techniques.
Signature ID: 21040
Samba SMB Private Resource Access
Threat Level: Information
Signature Description: This rule triggers when an attempt is made to use Samba to gain access to private or
administrative shares on a host that are outside the scope of the current share.
Signature ID: 21041
Microsoft SMB C$ Hidden Share Access
Threat Level: Severe
Signature Description: This rule triggers on the attack pattern targeted at destination port 139. Every Windows
NT-based Microsoft Windows system (NT/2K/XP/2003) automatically creates a network share of every hard drive. The
administrative shares are the default shares created by Windows whose share name contains the drive letter with a "$"
at the end (for example, C$). These shares allow anyone who can authenticate as a member of the local
Administrators group to access the root directory of every hard drive on the system, and thus the share contents,
remotely. They are not generally used or useful outside of an enterprise environment. Allowing remote access to
these shares is a poor security practice. It is recommended to disable these hidden shares by editing the registry at
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters and setting the values
'AutoShareServer' and 'AutoShareWks' to 0.
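The registry change recommended under signatures 21038 and 21041 can be audited and applied with a script like the one below. This is an added example, not part of the vendor guide; it assumes PowerShell 3.0 or later in an elevated session, and the -Remediate switch is a hypothetical name chosen for this example.

```powershell
# Added example (not from the vendor guide): audit the automatic administrative
# share settings and, when -Remediate is given, set both values to 0.
# Assumptions: PowerShell 3.0+, elevated session; -Remediate is a hypothetical switch.
param([switch]$Remediate)

$key   = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters'
$names = 'AutoShareServer', 'AutoShareWks'

function Get-AutoShareState {
    foreach ($name in $names) {
        $prop    = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
        $current = if ($null -ne $prop) { $prop.$name } else { $null }
        [pscustomobject]@{
            Value   = $name
            # A missing value means Windows falls back to its default,
            # which is to create the administrative shares.
            Current = if ($null -eq $current) { '(not set)' } else { $current }
            # Only an explicit 0 disables automatic share creation.
            AutoShareDisabled = ($null -ne $current -and $current -eq 0)
        }
    }
}

Write-Output 'Registry state:'
Get-AutoShareState | Format-Table -AutoSize

if ($Remediate) {
    foreach ($name in $names) {
        # -Force overwrites an existing value or creates it if absent.
        New-ItemProperty -Path $key -Name $name -Value 0 `
            -PropertyType DWord -Force | Out-Null
    }
    Write-Output 'Both values set to 0. Restart the Server service or reboot to apply.'
    Get-AutoShareState | Format-Table -AutoSize
}

# Shares that are published right now: drive-letter shares (C$, D$, ...) and ADMIN$.
# The registry values only stop automatic re-creation, so shares listed here
# remain available until the Server service restarts.
Write-Output 'Administrative shares currently published:'
Get-CimInstance -ClassName Win32_Share |
    Where-Object { $_.Name -match '^([A-Za-z]|ADMIN)\$$' } |
    Select-Object Name, Path, Description |
    Format-Table -AutoSize
```

Run it without arguments to report only; the share listing at the end shows whether the drive-letter shares and ADMIN$ are still exposed after a change.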
Signature ID: 21042
Microsoft SMB C$ Hidden Share Access
Threat Level: Severe
Signature Description: This rule triggers on an attempt targeted at destination port 445. Every Windows NT-based
Microsoft Windows system (NT/2K/XP/2003) automatically creates a network share of every hard drive. The
administrative shares are the default shares created by Windows whose share name contains the drive letter with a
"$" at the end (for example, C$). These shares allow anyone who can authenticate as a member of the local
Administrators group to access the root directory of every hard drive on the system, and thus the share contents,
remotely. They are not generally used or useful outside of an enterprise environment. Allowing remote access to
these shares is a poor security practice. It is recommended to disable these hidden shares by editing the registry at