TMS zl Module IPS/IDS Signature Reference Guide RLX.10.2.2.94

Signature ID: 21097
Possible RFPoison DoS Attempt
Threat Level: Severe
Industry ID: CVE-1999-0980
Bugtraq: 754
Signature Description: RFPoison DoS is a popular attack against Windows NT systems. A specially crafted packet
can cause a denial of service on an NT 4.0 host, rendering local administration and network communication nearly
unusable. This attack crashes "services.exe", thereby making the machine unusable.
Signature ID: 21098
Microsoft SMB IPC$ Share Access
Threat Level: Warning
Signature Description: The Inter-Process Communication (IPC) share, or ipc$, is a hidden network share on computers
running Microsoft Windows. This share is used to facilitate communication between processes and computers, often to
exchange authentication data between computers. This rule triggers when an attempt is made to access an SMB share from
an external network. Access to the IPC$ share allows an attacker to gather important information about the system and
its users. IPS administrators are advised to restrict access to SMB shares from external networks. This rule hits when
the hex pattern "49 00 50 00 43 00 24 00 00 00" is found. This signature detects Inter-Process Communication (IPC) share
access over SMB using SMB_COM_TREE_CONNECT and SMB_COM_TREE_CONNECT_ANDX requests on port 139.
Signature ID: 21099
Microsoft SMB IPC$ Share Access
Threat Level: Warning
Signature Description: The Inter-Process Communication (IPC) share, or ipc$, is a hidden network share on computers
running Microsoft Windows. This share is used to facilitate communication between processes and computers, often to
exchange authentication data between computers. This rule triggers when an attempt is made to access an SMB share from
an external network. Access to the IPC$ share allows an attacker to gather important information about the system and
its users. IPS administrators are advised to restrict access to SMB shares from external networks. This signature
detects Inter-Process Communication (IPC) share access over SMB using SMB_COM_TREE_CONNECT and
SMB_COM_TREE_CONNECT_ANDX requests on port 445.
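
Added example, not taken from the guide or from the TMS zl engine: a Python version of the check that signatures 21098 and 21099 describe, matching the quoted hex pattern only inside an SMB1 tree connect request. It assumes the standard SMB1 layout (4-byte transport header, 32-byte SMB header) and goes beyond the guide's text by also following a tree connect chained behind SESSION_SETUP_ANDX; the function names and the server name "srv" are hypothetical.

```python
import struct

# "IPC$" plus NUL terminator in UTF-16LE: the hex pattern quoted for signature 21098
IPC_UTF16 = bytes.fromhex("49005000430024000000")
SMB_COM_TREE_CONNECT = 0x70
SMB_COM_SESSION_SETUP_ANDX = 0x73
SMB_COM_TREE_CONNECT_ANDX = 0x75
NO_ANDX = 0xFF
HEADER_LEN = 32  # fixed size of the SMB1 header


def ipc_tree_connect(payload: bytes) -> bool:
    """True if a TCP payload (port 139 or 445) holds an SMB1 tree connect to IPC$."""
    smb = payload[4:]  # skip the 4-byte NetBIOS session / direct-TCP header
    if len(smb) < HEADER_LEN + 1 or smb[:4] != b"\xffSMB":
        return False
    command, offset, seen = smb[4], HEADER_LEN, set()
    while offset not in seen and offset + 5 <= len(smb):
        seen.add(offset)  # guards against AndX offsets that loop back
        if command in (SMB_COM_TREE_CONNECT, SMB_COM_TREE_CONNECT_ANDX):
            return IPC_UTF16 in smb[offset:]
        if command != SMB_COM_SESSION_SETUP_ANDX or smb[offset] < 2:
            return False  # not a request type that can carry a tree connect
        command = smb[offset + 1]                              # AndXCommand
        offset = struct.unpack_from("<H", smb, offset + 3)[0]  # AndXOffset
        if command == NO_ANDX or offset < HEADER_LEN:
            return False
    return False


def sample(path: str, chained: bool = False) -> bytes:
    """Constructed request for the demo, not a capture; alignment padding is not modelled."""
    tree = struct.pack("<BBBHHH", 4, NO_ANDX, 0, 0, 0, 1)  # 4 words, 1-byte password
    data = b"\x00" + path.encode("utf-16-le") + b"\x00\x00" + b"?????\x00"
    tree += struct.pack("<H", len(data)) + data
    if chained:  # 29-byte SESSION_SETUP_ANDX block pointing at the tree connect
        setup = struct.pack("<BBBH", 13, SMB_COM_TREE_CONNECT_ANDX, 0, HEADER_LEN + 29)
        body, cmd = setup + bytes(24) + tree, SMB_COM_SESSION_SETUP_ANDX
    else:
        body, cmd = tree, SMB_COM_TREE_CONNECT_ANDX
    smb = b"\xffSMB" + bytes([cmd]) + bytes(27) + body
    return struct.pack(">I", len(smb)) + smb
```

Like the pattern the guide quotes, the match is a case-sensitive byte comparison, so a share name sent as "ipc$" or in a non-Unicode encoding is not matched by this check.
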
Signature ID: 21102
SMB Directory Traversal Attempt
Threat Level: Information
Signature Description: Server Message Block is a protocol which allows sharing of files, printers, serial ports, and
other abstractions. The SMB protocol is supported on many platforms and architectures, including many Microsoft
products. This signature detects when an attacker sends a directory traversal (\\..|2f 00 00 00|) on TCP port 139.
Successful exploitation may allow an attacker to obtain sensitive information.
Signature ID: 21103
SMB Directory Traversal Attempt (2)
Threat Level: Information
Signature Description: Server Message Block is a protocol which allows sharing of files, printers, serial ports, and
other abstractions. The SMB protocol is supported on many platforms and architectures, including many Microsoft
products. This signature detects when an attacker sends a directory traversal (\\..|00 00 00|) on TCP port 139.
Successful exploitation may allow an attacker to obtain sensitive information.