TMS zl Module IPS/IDS Signature Reference Guide RLX.10.2.2.94

Signature ID: 360
HTTP Absolute URI Present vulnerability
Threat Level: Information
Industry ID: CVE-2001-0647
Bugtraq: 2432 Nessus: 10636
Signature Description: According to RFC 2396, a Uniform Resource Identifier (URI) is a compact string of characters
for identifying an abstract or physical resource, written in either absolute or relative form. An absolute identifier
refers to a resource independently of the context in which the identifier is used. A relative identifier refers to a
resource by describing the difference, within a hierarchical name space, between the current context and an absolute
identifier of the resource. In an HTTP request line, a client talking directly to an origin server normally sends a
relative (absolute-path) URI, which always starts with '/'; an absolute URI, including scheme and host, is normally sent
only when the request is directed to a proxy. An absolute URI in a request that reaches an origin server is therefore
unusual and is reported by this signature.
Signature ID: 361
HTTP Multiple Slashes in URI vulnerability
Threat Level: Information
Nessus: 10843
Signature Description: This is an IDS/IPS evasion technique. According to the HTTP RFC, path segments in a URI are
separated by a single '/'. However, most HTTP servers interpret '//' as '/', so "//cgi-bin//some.cgi" is correctly
treated as "/cgi-bin/some.cgi" by the web server. If an IDS/IPS is not aware of this interpretation, a signature written
for "/cgi-bin/some.cgi" will not match "//cgi-bin//some.cgi". Smart IDS systems handle this correctly by collapsing all
consecutive slashes into one before matching, or at least by reporting such an attempt.
Signature ID: 362
URI Reverse Traversal vulnerability
Threat Level: Information
Industry ID: CVE-2002-0893 Bugtraq: 4795 Nessus: 10959
Signature Description: This is an IDS/IPS evasion technique, and this rule is mainly informational in nature. A classic
trick is to disguise a request such as "GET /cgi-bin/some.cgi HTTP/1.0" with a directory traversal segment: "GET /cgi-
bin/blahblah/../some.cgi HTTP/1.0", which the server resolves to "/cgi-bin/some.cgi". Most smart IDS systems account
for this by resolving ".." segments before matching (it is a core feature of what makes them 'smart'), and raw IDS
systems usually at least alert on the fact that the request contains "/../".
Signature ID: 363
Attempt to Access Objects Beyond Web Root
Threat Level: Critical
Industry ID: CVE-2000-0664 CVE-2000-0884 CVE-2000-0919 CVE-2002-0307 CVE-2001-1204 CVE-2001-0871
CVE-2000-0187 CVE-2000-0674 CVE-2000-0126 CVE-2000-1076 CVE-2001-0804 CVE-2000-1019 CVE-2001-1209
CVE-1999-0776 CVE-1999-1509 CVE-2002-0661 CVE-2008-1145 CVE-2005-2847
Nessus: 10831,11001,10872,10819,10669,10818,10489,10025,10065,10467,10602,10115,10537,10589,10562,10789,
10593,10750,10574,10776,10656,10770,10817,10584,10542,10297,10367,10830,10672,10875,10010,10536,10063
Signature Description: The Hypertext Transfer Protocol (HTTP) is an application-level protocol; version 1.1 is defined
in RFC 2616. HTTP is a client-server protocol: a client makes a request and the server tries to fulfil it. The web server
runs on a host that usually provides other services as well, and that host therefore holds sensitive files, such as the
system password file /etc/passwd. A client may attempt to request such a sensitive file. To deal with this, a root
directory (document root) is defined for the web server, and all files that may be requested are normally kept under it.
To reach something sensitive, a client has to get out of the server's root directory by directory traversal (/../../..).
This rule raises an alarm when there has been an attempt to access objects beyond the web root directory. Such an
attempt is suspicious, especially from outside, and should be monitored for further analysis by the administrator. The
rule triggers when it encounters "/../" in the request.
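The four signatures above (360 absolute URI, 361 multiple slashes, 362 reverse traversal, 363 beyond web root) all
depend on seeing the request-URI the way the web server will resolve it rather than as the raw bytes on the wire. The
following added example, which is not the TMS zl module's own code, shows one way to do that normalization before
signature matching: the request-target is reduced to its path (an absolute URI is unwrapped and flagged), percent
encoding is decoded, repeated slashes are collapsed, and '.' and '..' segments are resolved against a segment stack so
that a '..' applied with an empty stack is reported as an escape above the web root. Two assumptions differ from the
guide's stated rules: the CONTENT_SIGNATURES table is hypothetical, and 363 fires here only when normalization actually
walks above the root (362 still fires on any '..'), which is stricter than the guide's trigger on any "/../". Decoding
%2f to '/' before resolving is a further assumption; real servers differ on encoded slashes.

```python
"""Normalize HTTP request-URIs the way a web server would before matching
signatures, so the evasions described for signatures 360-363 (absolute
URIs, repeated slashes, '..' segments, escape above the web root) are
caught. Added example; not the TMS zl module's own code."""
import re
from urllib.parse import unquote, urlsplit

# Hypothetical content signature, keyed by the *normalized* path.
CONTENT_SIGNATURES = {"/cgi-bin/some.cgi": "some.cgi probe"}

ABSOLUTE_URI = re.compile(r"^[A-Za-z][A-Za-z0-9+.-]*://")


def parse_request_line(line):
    """Split 'METHOD request-target HTTP/x.y' into its three parts."""
    method, target, version = line.strip().split(" ", 2)
    return method, target, version


def request_path(target):
    """Return (path, is_absolute). An absolute URI (scheme://host/...)
    is what a proxy sees; an origin server normally only gets '/path'
    (signature 360)."""
    if ABSOLUTE_URI.match(target):
        return urlsplit(target).path or "/", True
    return target.split("?", 1)[0], False


def normalize_path(path):
    """Resolve a raw path like a filesystem would and report what it took.

    Returns (normalized, escaped_root, flags):
      normalized   - single '/' separators, no '.' or '..' segments
      escaped_root - True if a '..' segment was applied above the web root
      flags        - set of evasion markers seen on the way
    """
    flags = set()
    if "//" in path:
        flags.add("multiple_slashes")          # signature 361
    # Assumption: decode before resolving; this also turns %2f into '/'.
    decoded = unquote(path)
    if decoded != path:
        flags.add("percent_encoded")
    stack, escaped = [], False
    # Splitting on '/' and dropping empty pieces collapses '//' into '/'.
    for seg in decoded.split("/"):
        if seg == "" or seg == ".":
            continue
        if seg == "..":
            flags.add("dotdot_segment")        # signature 362
            if stack:
                stack.pop()
            else:
                escaped = True                 # signature 363
            continue
        stack.append(seg)
    return "/" + "/".join(stack), escaped, flags


def inspect_request(line):
    """Run one request line through normalization and return the verdict."""
    _method, target, _version = parse_request_line(line)
    raw_path, is_absolute = request_path(target)
    norm, escaped, flags = normalize_path(raw_path)
    fired = []
    if is_absolute:
        fired.append(360)
    if "multiple_slashes" in flags:
        fired.append(361)
    if "dotdot_segment" in flags:
        fired.append(362)
    if escaped:
        fired.append(363)
    return {
        "path": norm,
        "signatures": fired,
        "content_match": CONTENT_SIGNATURES.get(norm),
    }


if __name__ == "__main__":
    # Constructed sample request lines, one per evasion discussed above.
    for req in (
        "GET /cgi-bin/some.cgi HTTP/1.0",
        "GET //cgi-bin//some.cgi HTTP/1.0",
        "GET /cgi-bin/blahblah/../some.cgi HTTP/1.0",
        "GET http://www.example.com/cgi-bin/some.cgi HTTP/1.1",
        "GET /cgi-bin/%2e%2e/%2e%2e/etc/passwd HTTP/1.0",
    ):
        print(f"{req:55} -> {inspect_request(req)}")
```

Running the block prints, for each constructed request, the normalized path, the list of signature IDs that fired and
whether the hypothetical content signature matched; note that "//cgi-bin//some.cgi", "/cgi-bin/blahblah/../some.cgi"
and the absolute-URI form all match the same "/cgi-bin/some.cgi" signature after normalization, while the
percent-encoded "%2e%2e" traversal is reported as an escape above the web root even though the raw request never
contains the literal "/../".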