ProCurve TMS zl Module IPS/IDS Signature Reference Guide, Version RLX.10.2.2.94
Signature ID: 24021
DNS zone transfer TCP Vulnerability
Threat Level: Information
Industry ID: CVE-1999-0532 Nessus: 10595
Signature Description: DNS zone transfers are normally used between DNS servers to replicate zone information. A
malicious user may request a zone transfer to gather information before commencing an attack. This can give the user
a list of hosts to target. This rule raises an event when an attempt is made to request a zone transfer from a DNS
server. Configure the DNS servers to only allow zone transfers from authorised hosts, and limit the information
available from publicly accessible DNS servers by using split-horizon DNS or separate DNS servers for internal
networks. This signature detects attacks using TCP DNS.
Signature ID: 24022
DNS zone transfer UDP Vulnerability
Threat Level: Information
Industry ID: CVE-1999-0532 Nessus: 10595
Signature Description: DNS zone transfers are normally used between DNS servers to replicate zone information. A
malicious user may request a zone transfer to gather information before commencing an attack. This can give the user
a list of hosts to target. This rule raises an event when an attempt is made to request a zone transfer from a DNS
server. Configure the DNS servers to only allow zone transfers from authorised hosts, and limit the information
available from publicly accessible DNS servers by using split-horizon DNS or separate DNS servers for internal
networks. This signature detects attacks using UDP DNS.
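The check that signatures 24021 and 24022 describe, sketched as an added example (not taken from this guide or from the TMS zl signature engine): it parses a DNS message and reports a zone transfer request over either transport. The function names are hypothetical, the sample query is constructed, and matching IXFR as well as AXFR is a generalization beyond what the guide states.

```python
import struct

QTYPE_AXFR = 252  # full zone transfer (RFC 1035)
QTYPE_IXFR = 251  # incremental zone transfer (RFC 1995), added generalization

def build_query(qname, qtype, txid=0x1234):
    """Build a constructed single-question DNS query (sample input only)."""
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    labels = b"".join(bytes([len(p)]) + p.encode("ascii")
                      for p in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)

def parse_question(msg):
    """Return (is_query, qname, qtype) for the first question, or None if malformed."""
    if len(msg) < 12:
        return None
    _, flags, qdcount, _, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if qdcount < 1:
        return None
    pos, labels = 12, []
    while True:
        if pos >= len(msg):
            return None
        n = msg[pos]
        pos += 1
        if n == 0:
            break
        # Labels are at most 63 bytes; larger values (including compression
        # pointers) are treated as malformed in a first question.
        if n > 63 or pos + n > len(msg):
            return None
        labels.append(msg[pos:pos + n].decode("ascii", "replace"))
        pos += n
    if pos + 4 > len(msg):
        return None
    qtype, _ = struct.unpack("!HH", msg[pos:pos + 4])
    return (flags & 0x8000) == 0, ".".join(labels) or ".", qtype

def detect_zone_transfer(payload, transport):
    """Return an event dict if payload is a zone transfer request, else None."""
    if transport == "tcp":  # DNS over TCP prefixes each message with a 2-byte length
        if len(payload) < 2:
            return None
        (length,) = struct.unpack("!H", payload[:2])
        payload = payload[2:2 + length]
    parsed = parse_question(payload)
    if parsed is None:
        return None
    is_query, qname, qtype = parsed
    if is_query and qtype in (QTYPE_AXFR, QTYPE_IXFR):
        return {"transport": transport, "zone": qname, "qtype": qtype}
    return None
```

An event from this check is informational on its own; compare the requesting address against the list of authorised secondary servers before treating it as reconnaissance.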
Signature ID: 24023
DNS TCP inverse query buffer overflow Vulnerability
Threat Level: Warning
Industry ID: CVE-1999-0009 Bugtraq: 134
Signature Description: A root name server is a DNS server that answers requests for the DNS root zone, and redirects
requests for a particular top-level domain (TLD) to that TLD's nameservers. Sun Solaris 2.3 to Sun Solaris 2.5.1_x86,
SGI IRIX 3.2 to SGI IRIX 6.3, NetBSD 1.0 to NetBSD 1.3.1, NEC UX/4800 (64), ISC BIND 8.1,
IBM AIX 4.1 to IBM AIX 4.3, Data General DG/UX 5.4 4.11, Data General DG/UX 5.4 4.1, Data General DG/UX 5.4
3.1, Data General DG/UX 5.4 3.0, Caldera OpenLinux Standard 1.0, BSDI BSD/OS 2.1, BSDI BSD/OS 2.0.1 and
BSDI BSD/OS 2.0 are vulnerable. A buffer overflow exists in certain versions of BIND, the nameserver daemon
currently maintained by the Internet Software Consortium (ISC). BIND fails to properly bound the data received when
processing an inverse query. Upon a memory copy, portions of the program can be overwritten, and arbitrary
commands run on the affected host.
Signature ID: 24024
DNS TCP inverse query overflow attempt
Threat Level: Severe
Industry ID: CVE-1999-0009 Bugtraq: 134
Signature Description: A buffer overflow exists in certain versions of BIND, the nameserver daemon maintained by
the Internet Software Consortium (ISC). BIND fails to properly bound the data received when processing an inverse
query. Upon a memory copy, portions of the program can be overwritten, and arbitrary commands run on the affected
server. When using TCP, this can result in the attacker causing a heap overflow. Upgrading to the latest version of
BIND will eliminate this vulnerability.