TMS zl Module IPS/IDS Signature Reference Guide RLX.10.2.2.94
ProCurve TMS zl Module IPS/IDS Signature
Reference Guide Version RLX.10.2.2.94
Signature ID: 21105
SMB sa Login Failed Event
Threat Level: Information
Signature Description: This rule alerts the IPS administrator to possible brute-force login attempts against an SMB
server. Many of these attempts have been observed to include 'sa' as one of the user names.
Signature ID: 21106
Access with Stored Procedure sp_adduser
Threat Level: Information
Signature Description: Microsoft's SQL Server provides many stored procedures. These procedures can be used to run
commands on Windows machines. A stored procedure on SQL Server called sp_adduser could be used to create new
user accounts. Access to such a procedure from an external network is suspicious. This rule triggers when the sp_adduser
command is passed to the victim in UTF-encoded form. Attackers use this encoding technique to evade security systems.
Signature ID: 21107
Access with Stored Procedure sp_delete_alert
Threat Level: Information
Signature Description: Microsoft's SQL Server provides many stored procedures. These procedures can be used to run
commands on Windows machines. A stored procedure on SQL Server called sp_delete_alert could be used to delete all alert
logs. Access to such procedures from an external network is suspicious.
Signature ID: 21108
Access with Stored Procedure sp_password
Threat Level: Information
Signature Description: Microsoft's SQL Server provides many stored procedures. These procedures can be used to run
commands on Windows machines. A stored procedure on SQL Server called sp_password could be used to change a
user's password. Invocation of this procedure from an external network is suspicious.
Signature ID: 21109
Microsoft SQL Server xp_SetSQLSecurity Buffer Overflow Vulnerability
Threat Level: Information
Industry ID: CVE-2000-1088
Bugtraq: 2043
Signature Description: Microsoft's SQL Server provides many Extended Stored Procedures (XPs). These procedures can be
used to run commands on Windows machines. The API Srv_paraminfo(), which is implemented by XPs in Microsoft
SQL Server and Data Engine, is susceptible to a buffer overflow vulnerability which may cause the application to fail
or arbitrary code to be executed on the target system, depending on the data entered into the buffer.
Signature ID: 21110
Access with Stored Procedure sp_password
Threat Level: Information
Signature Description: Microsoft's SQL Server provides many stored procedures. These procedures can be used to run
commands on Windows machines. A stored procedure on SQL Server called sp_start_job could be used to instruct
SQL Server Agent to execute a job immediately. Access to such procedures from outside is suspicious.