ProCurve TMS zl Module IPS/IDS Signature Reference Guide Version RLX.10.2.2.94
Signature ID: 21047
Microsoft Windows RPC DCOM interface buffer overflow
Threat Level: Information
Industry ID: CVE-2003-0352 Bugtraq: 8205 Nessus: 11808
Signature Description: The Distributed Component Object Model (DCOM) handles DCOM requests sent by clients to
a server using RPC. The Microsoft Windows implementation of the Distributed Component Object Model (DCOM) interface
of the RPC (Remote Procedure Call) service is vulnerable to a buffer overflow attack. By sending a malformed
message to the RPC service, a remote attacker can overflow a buffer and execute arbitrary code on the system with
Local System privileges. Microsoft Windows 2000, Windows NT 4.0, Windows XP, and Windows Server 2003 are
vulnerable to this issue.
Signature ID: 21048
Microsoft Windows SMB NetServerEnum2 transaction Request Buffer Overflow Vulnerability
Threat Level: Information
Industry ID: CVE-2002-0724 CVE-2002-0720 Bugtraq: 5556,5480 Nessus: 11110,11300
Signature Description: SMB is a protocol for sharing data and resources between computers. It is included in many
versions of Microsoft Windows. A machine running SMB may crash if it receives a specially crafted packet containing
a NetServerEnum, NetServerEnum2, or NetServerEnum3 transaction request. If either of the parameters "Max
Parameter Count" or "Max Data Count" is set to 0, a vulnerable system will crash. This signature detects whether the
parameters "Max Parameter Count" and "Max Data Count" are set to 0. Microsoft Windows NT, Windows 2000, and
Windows XP suffer from this vulnerability.
Signature ID: 21049
Repeated logon failure while accessing SMB share
Threat Level: Critical
Signature Description: Every Windows NT based Microsoft Windows system (NT/2K/XP/2003) automatically creates
a network share of every hard drive. The Administrative shares are the default shares created by Windows, whose share
name is the drive letter followed by a "$". These shares allow anyone who can authenticate as a member of the local
Administrators group to access the root directory of every hard drive on the system, and thus to access the share
contents remotely. This rule indicates that multiple failed attempts have been made to access an SMB network
share. This may indicate a determined effort by an unauthorized user to access information and data on a network
share. This rule triggers when an attacker makes repeated logon attempts to an SMB share over port 139.
Signature ID: 21050
Startup folder access via SMB
Threat Level: Critical
Signature Description: This rule detects an attempt to access a system folder via SMB. If this folder is
accessible via SMB, the attacker can replace or view important operating system files.
Signature ID: 21051
Startup folder unicode access via SMB
Threat Level: Critical
Signature Description: This rule detects an attempt to access a system folder via SMB. If this folder is
accessible via SMB, the attacker can replace or view important operating system files. This rule fires when the pattern
"Start Menu Programs Start up", encoded as UTF (Unicode), is found in the SMB packet.