ProCurve TMS zl Module IPS/IDS Signature Reference Guide, Version RLX.10.2.2.94
characters. Such complexity has also given rise to IDS evasion techniques, so it is of paramount importance to
decode UTF-16 characters correctly. The rule triggers if it finds an encoding that does not strictly follow the standard.
Such HTTP requests may be indicative of malicious activity.
Signature ID: 370
Null Bytes in HTTP Request vulnerability
Threat Level: Critical
Industry ID: CVE-2000-0671 Bugtraq: 1510,3810 Nessus: 10479,10837
Signature Description: According to the HTTP RFC, no NULL byte should be present in the URI. However, many servers
happen to ignore the NULL byte and process the request. An attacker can take advantage of this by sending NULL bytes
(encoded or not) in an HTTP request: if the IDS/IPS device uses C string functions, which treat the NULL byte as
'end of string', matching stops at the NULL byte and the pattern may not be matched. This rule hits when the system
detects any such attempt in an HTTP request.
Signature ID: 371
URI Invalid UTF-8 Coding vulnerability
Threat Level: Information
Industry ID: CVE-2001-1217 Bugtraq: 3727 Nessus: 10854
Signature Description: HTTP (HyperText Transfer Protocol) is a protocol used by the World Wide Web. It is used for
transferring files (text, graphics, images, sound, video, and other multimedia files) on the World Wide Web. HTTP web
servers are enabled with Unicode encoding and decoding. They support the UTF-8 and UTF-16 encoding styles. There are
reports of the misuse of UTF encoding to launch various attacks. This rule hits when an invalid UTF-8 encoding is
detected in an HTTP request.
Signature ID: 372
Unknown Unicode Mapping in HTTP Request vulnerability
Threat Level: Information
Signature Description: HTTP web servers are enabled with Unicode encoding and decoding. Each Unicode value is mapped to
a specific character and therefore, depending on the region, a suitable Unicode code page is used. There are reports of the
misuse of Unicode encoding to launch various attacks. This signature detects an unknown Unicode mapping in an HTTP
request.
Signature ID: 373
Null Character in HTTP Version String vulnerability
Threat Level: Information
Signature Description: This signature detects an IDS/IPS evasion technique. Many C string libraries use the NULL character to
denote the end of the string. Many ID/IP systems use these libraries (they are typically too slow for these high-speed
applications) without realizing the outcome of NULL as a string terminator. An attacker can use this to their advantage with
the following type of request: GET /cgi-bin/some.cgi HTTP\0/1.0. This type of request can fool an IDS/IPS, because
the IDS/IPS will not be able to parse the URI properly.
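A compact request-line inspector, added here as an example (it is not part of the guide or of the TMS zl Module), that applies the three checks signatures 370, 371 and 373 describe: a percent-decoded NULL byte in the URI, strict UTF-8 validation of the URI bytes, and a NULL byte in the version token. The signature labels and sample request lines are constructed; the `HTTP\0/1.0` line is the one the guide quotes.

```python
from urllib.parse import unquote_to_bytes

# Constructed labels, keyed to the signature IDs in this guide.
SIG_370 = "370 Null Bytes in HTTP Request"
SIG_371 = "371 URI Invalid UTF-8 Coding"
SIG_373 = "373 Null Character in HTTP Version String"


def strict_utf8(data: bytes) -> bool:
    """True if data is well-formed UTF-8. Python's strict decoder rejects
    truncated sequences, overlong forms and encoded surrogates."""
    try:
        data.decode("utf-8", errors="strict")
        return True
    except UnicodeDecodeError:
        return False


def inspect_request_line(line: bytes) -> list[str]:
    """Return the signature labels that fire on one raw HTTP request line.

    The line is split on spaces into method, URI and version before any
    decoding, and the fields are handled as length-delimited bytes, so a
    NULL byte is seen as data rather than as a C-style string terminator.
    """
    hits = []
    fields = line.rstrip(b"\r\n").split(b" ")
    if len(fields) != 3:
        return ["malformed request line"]
    _method, uri, version = fields
    # Signature 373: NULL byte anywhere in the version token (e.g. HTTP\0/1.0)
    if b"\x00" in version:
        hits.append(SIG_373)
    # Signature 370: NULL byte in the URI, raw or percent-encoded (%00)
    decoded = unquote_to_bytes(uri)
    if b"\x00" in decoded:
        hits.append(SIG_370)
    # Signature 371: percent-decoded URI bytes are not valid UTF-8
    if not strict_utf8(decoded):
        hits.append(SIG_371)
    return hits


# Constructed sample request lines, not captured traffic.
SAMPLES = [
    b"GET /index.html HTTP/1.1\r\n",                  # clean
    b"GET /cgi-bin/some.cgi HTTP\x00/1.0\r\n",        # NULL in version (373)
    b"GET /cgi-bin/test.cgi%00.html HTTP/1.0\r\n",    # encoded NULL in URI (370)
    b"GET /%c0%af HTTP/1.0\r\n",                      # overlong UTF-8 form (371)
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, "->", inspect_request_line(sample) or ["clean"])
```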
Signature ID: 374
FastCGI Echo.exe Cross Site Scripting vulnerability
Threat Level: Information
Nessus: 10838
Signature Description: FastCGI is an open extension to CGI that provides high performance without the limitations of
server-specific APIs, and is included in the default installation of the Oracle9i Application Server. Various other web
servers support the FastCGI extensions. Two sample CGIs are installed with FastCGI (echo.exe and echo2.exe under
Windows). Both of these CGIs output a list of environment variables and path information for various applications.