TMS zl Module IPS/IDS Signature Reference Guide RLX.10.2.2.94

attacker might exploit this vulnerability under certain conditions to overwrite memory and execute arbitrary code on the
system. This rule triggers on the attack pattern directed at destination port 445.
Signature ID: 21064
Access to SMB share from External Network
Threat Level: Warning
Signature Description: This rule detects any attempt to access an SMB share on a Windows/Linux host from an external
network. Giving share access without proper permissions can be treated as a security risk.
Signature ID: 21065
Microsoft Windows NetBIOS disk enumeration
Threat Level: Severe
Signature Description: This event is triggered when an attempt is made from the external network to retrieve disk
information using the NetBIOS protocol. This attack uses the NetServerDiskEnum API. Members of the Administrators or
Account Operators local group can successfully execute the NetServerDiskEnum function on a remote computer.
Signature ID: 21066
Microsoft Windows NetBIOS Registry enumeration
Threat Level: Warning
Signature Description: This event is triggered when an attempt to retrieve disk information using the NetBIOS protocol is
made from the external network.
Signature ID: 21070
Microsoft Windows LSASS buffer overflow attempt
Threat Level: Critical
Industry ID: CVE-2003-0533 Bugtraq: 10108 Nessus: 12209
Signature Description: In Microsoft Windows, LSASS is a management interface for local security, domain
authentication, and Active Directory processes. A buffer overrun vulnerability exists in LSASS that could allow remote
code execution on an affected system. Some Active Directory service functions generate a debug log file in the "debug"
subdirectory located in the Windows directory. A logging function implemented in LSASRV.DLL is called to write
entries to the log file. In this function, the vsprintf() routine is used to create a log entry. The string arguments for this
logging function are supplied as parameters to vsprintf() without any bounds checking, so a long string argument
passed to the logging function causes a buffer overflow. An attacker who successfully exploited this
vulnerability could take complete control of the affected system. (MS04-011)
Signature ID: 21072
Microsoft SSL PCT buffer overflow attempt
Threat Level: Critical
Industry ID: CVE-2003-0719 Bugtraq: 10116 Nessus: 12209
Signature Description: A buffer overrun vulnerability exists in the Private Communications Transport (PCT) protocol,
which is part of the Microsoft Secure Sockets Layer (SSL) library. Systems that are SSL enabled, and in some cases
Windows 2000 domain controllers, are vulnerable to this attack. An attacker who successfully exploited this
vulnerability could take complete control of an affected system. Although SSL is generally associated with Internet
Information Services by using HTTPS and port 443, any service that implements SSL on an affected platform is likely
to be vulnerable. This includes, but is not limited to, Microsoft Internet Information Services 4.0, Microsoft Internet
Information Services 5.0, Microsoft Internet Information Services 5.1, Microsoft Exchange Server 5.5, Microsoft
Exchange Server 2000, Microsoft Exchange Server 2003, Microsoft Analysis Services 2000 (included with SQL Server
2000), and any third-party programs that use PCT. (MS04-011)