TMS zl Module IPS/IDS Signature Reference Guide RLX.10.2.2.94

Signature ID: 25044
Microsoft Windows IP Source Routing Vulnerability
Threat Level: Warning
Industry ID: CVE-1999-0909 Bugtraq: 646
Signature Description: Multihomed Windows systems allow a remote attacker to bypass IP source routing restrictions
via a malformed packet with IP options. The vulnerability lies in the stack's inability to properly process source-routed
packets whose route pointer (offset) is set greater than the specified route length. In this case, the data in the packet can
be passed to the application layer of the host for further processing instead of being dropped by the stack. An attacker
can therefore spoof the source address, using the address of a known host on an internal network (assuming the
Windows host is dual-homed), so that the reply datagram is sent to that internal host; the spoofed route pointer is what
produces this behaviour. Microsoft Windows NT Terminal Server 4.0, Microsoft Windows NT 4.0 SP1 to SP5, Microsoft
Windows NT 4.0, Microsoft Windows 98SE, Microsoft Windows 98b and Microsoft Windows 98a are vulnerable to this
attack.
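As an added illustration of the header condition signature 25044 describes (example code, not the guide's or the TMS zl module's own detection logic), the following Python parser walks the IPv4 option list and flags a loose or strict source-route option whose pointer exceeds its length; the header builder and the addresses in it are constructed sample data.

```python
import struct

# IPv4 option codes from RFC 791.  The pointer is 1-based from the start of
# the option; RFC 791 treats pointer > length as "route complete", which is the
# condition signature 25044 describes for source-routed datagrams.
IPOPT_EOL, IPOPT_NOP = 0, 1
IPOPT_LSRR, IPOPT_SSRR = 131, 137
SOURCE_ROUTE_NAMES = {IPOPT_LSRR: "LSRR", IPOPT_SSRR: "SSRR"}


def build_ipv4_header(options: bytes, src="10.0.0.5", dst="192.0.2.10") -> bytes:
    """Constructed sample: minimal IPv4 header carrying `options` (padded to
    a 4-byte boundary); checksum left zero, no payload. Addresses are made up."""
    padded = options + b"\x00" * (-len(options) % 4)
    ihl = 5 + len(padded) // 4
    fixed = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, 20 + len(padded),
                        0, 0, 64, 6, 0,
                        bytes(map(int, src.split("."))),
                        bytes(map(int, dst.split("."))))
    return fixed + padded


def check_source_route(packet: bytes):
    """Walk the IPv4 option list; return an alert string when a source-route
    option's pointer exceeds its length, None otherwise."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl:
        return None
    opts, i = packet[20:ihl], 0
    while i < len(opts):
        kind = opts[i]
        if kind == IPOPT_EOL:
            break
        if kind == IPOPT_NOP:
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2 or i + opts[i + 1] > len(opts):
            return "malformed option length"  # cannot parse further
        length = opts[i + 1]
        if kind in SOURCE_ROUTE_NAMES:
            if length < 3:
                return f"{SOURCE_ROUTE_NAMES[kind]} option too short"
            pointer = opts[i + 2]
            if pointer > length:
                return (f"{SOURCE_ROUTE_NAMES[kind]} pointer {pointer} "
                        f"exceeds option length {length}")
        i += length
    return None
```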
Signature ID: 25045
Listen on FTP server to ports less than 1024
Threat Level: Information
Signature Description: An FTP server uses TCP port 20 for data connections by default. It is very unusual for the FTP
client's port for the data connection to fall below 1024. This rule alerts the IPS administrator when the FTP client uses
such a suspicious port.
Signature ID: 25046
Listen to DNS servers for queries to port less than 1024
Threat Level: Information
Signature Description: DNS servers listen on port 53 for queries from DNS clients. It is very unusual for a DNS client
to use a port value less than 1024. This rule alerts the IPS administrator when the DNS client uses such suspicious ports.
Signature ID: 25047
Insecure TIMBUKTU Password
Threat Level: Information
Industry ID: CVE-2000-0086
Bugtraq: 935
Signature Description: Netopia's Timbuktu Pro is a remote administration software package which runs on Microsoft
Windows NT. It sends user IDs and passwords in cleartext, which allows remote attackers to obtain them via sniffing.
This rule just alerts the IPS administrator about such a cleartext password transmission event.
Signature ID: 25049
Ramen worm detection
Threat Level: Warning
Signature Description: Linux.Ramen is a Linux worm that uses a tool called synscan that has been modified to fit its
needs. Using this tool, the worm contacts a randomly generated IP address and checks the FTP banner to determine if
the machine is running Red Hat Linux 6.2 or Red Hat Linux 7.0. For machines running Red Hat 6.2, the worm will
attempt to exploit a vulnerable rpc.statd or wuftpd service. For Red Hat 7.0, the worm tries to exploit an LPRng bug to
gain access to the system.