TMS zl Module IPS/IDS Signature Reference Guide RLX.10.2.2.94
Signature ID: 24953
DNS message integrity check for invalid DNS operation Flag
Threat Level: Critical
Signature Description: Domain Name System (DNS) is a protocol that provides a mapping service between domain
names and IP addresses. DNS clients send DNS queries containing domain names, and DNS servers answer with the IP
address associated with the domain name (and vice versa). DNS is critical for the normal operation of
internet-connected systems. A DNS server typically uses UDP port 53 and exchanges DNS information in the form of
RRs (resource records) in DNS query/response packets. As per RFC standards, each DNS message header section
contains a field called 'OPCODE', a four-bit field that specifies the kind of query in the DNS message. This value
is set by the originator of a query and copied into the response. This rule gets hit when a system catches a
malformed DNS packet having an unknown opcode value in the message header. These integrity errors are protocol
anomalies that should be detected, as some DNS handlers could fail to handle such packets, resulting in denial of
service conditions.
Signature ID: 24954
DNS message integrity check for abnormal domain name length.
Threat Level: Critical
Signature Description: Domain Name System (DNS) is a protocol that provides a mapping service between domain
names and IP addresses. DNS clients send DNS queries containing domain names, and DNS servers answer with the IP
address associated with the domain name (and vice versa). DNS is critical for the normal operation of
internet-connected systems. A DNS server typically uses UDP port 53 and exchanges DNS information in the form of
RRs (resource records) in DNS query/response packets. Domain names in messages are expressed as a sequence of
labels; the labels are separated by dots and are expressed as character strings. The RFC restricts the length of
a domain name to 255 bytes. This rule gets hit when a system catches a malformed DNS packet having an abnormal
length in any of its domain names. These integrity errors are protocol anomalies that should be detected, as some
DNS handlers could fail to handle such packets, resulting in denial of service conditions.
Signature ID: 24955
DNS message integrity check for abnormal label length.
Threat Level: Critical
Signature Description: Domain Name System (DNS) is a protocol that provides a mapping service between domain
names and IP addresses. DNS clients send DNS queries containing domain names, and DNS servers answer with the IP
address associated with the domain name (and vice versa). DNS is critical for the normal operation of
internet-connected systems. A DNS server typically uses UDP port 53 and exchanges DNS information in the form of
RRs (resource records) in DNS query/response packets. Domain names in messages are expressed as a sequence of
labels; the labels are separated by dots and are expressed as character strings. The RFC restricts the length of
a label to 63 bytes. This rule gets hit when a system catches a malformed DNS packet having an abnormal length in
any of its labels. These integrity errors are protocol anomalies that should be detected, as some DNS handlers
could fail to handle such packets, resulting in denial of service conditions.
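The Python below is an added example, not code from this guide or from the TMS zl module; it applies the checks described for signatures 24953, 24954 and 24955 to a raw DNS message. The function names, the set of opcodes treated as known, and the choice to inspect only the first question name without following compression pointers are assumptions of this example.

```python
import struct

# Opcodes treated as known here (an assumption of this example):
# 0 QUERY, 1 IQUERY, 2 STATUS, 4 NOTIFY, 5 UPDATE.
KNOWN_OPCODES = {0, 1, 2, 4, 5}
MAX_LABEL = 63    # label limit stated in the text
MAX_NAME = 255    # domain name limit stated in the text
HEADER_LEN = 12   # fixed DNS header size


def check_dns_message(msg: bytes) -> list[str]:
    """Return the anomalies found in the header and first question name."""
    if len(msg) < HEADER_LEN:
        return ["truncated header"]
    findings = []
    _id, flags, qdcount = struct.unpack("!HHH", msg[:6])
    opcode = (flags >> 11) & 0xF          # four-bit OPCODE field
    if opcode not in KNOWN_OPCODES:
        findings.append(f"unknown opcode {opcode}")
    if qdcount == 0:
        return findings
    pos, name_len = HEADER_LEN, 0
    while True:
        if pos >= len(msg):
            findings.append("name runs past end of message")
            break
        length = msg[pos]
        if length == 0:                   # root label terminates the name
            name_len += 1
            break
        if length & 0xC0 == 0xC0:         # compression pointer: not followed here
            name_len += 2
            break
        if length > MAX_LABEL:            # 64..191: not a valid label length
            findings.append(f"abnormal label length {length} at offset {pos}")
            break
        name_len += 1 + length            # length octet plus label bytes
        pos += 1 + length
    if name_len > MAX_NAME:
        findings.append(f"abnormal domain name length {name_len}")
    return findings


def build_query(opcode: int, labels: list[bytes]) -> bytes:
    """Construct a one-question test message (constructed sample input)."""
    header = struct.pack("!HHHHHH", 0x1234, opcode << 11, 1, 0, 0, 0)
    qname = b"".join(bytes([len(lab)]) + lab for lab in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
```

The name length is counted in wire bytes, including each length octet and the terminating zero octet.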
Signature ID: 24956
DNS message integrity check for invalid dns label Offset
Threat Level: Critical
Signature Description: Domain Name System (DNS) is a protocol that provides a mapping service between domain
names and IP addresses. DNS clients send DNS queries containing domain names, and DNS servers answer with the IP
address associated with the domain name (and vice versa). DNS is critical for the normal operation of
internet-connected systems. A DNS server typically uses UDP port 53. DNS uses compression to eliminate the
repetition of domain names in a message in order to reduce message size. The compression scheme uses a pointer to
refer to a prior name string when the string repeats later in a DNS message. In this scheme, a DNS message having
a pointer contains an OFFSET value.
The OFFSET field specifies an offset from the start of the message (i.e., the first octet of the ID field in the domain