TMS zl Module IPS/IDS Signature Reference Guide RLX.10.2.2.94
ProCurve TMS zl Module IPS/IDS Signature
Reference Guide Version RLX.10.2.2.94
Signature Description: DCShop is a CGI-based ecommerce system from DCScripts. DCShop beta version 1.002
does not properly protect user and credit card information. This rule triggers if a request is made to access
auth_user_file.txt in the dcshop/auth_data directory, which contains the administrator name and password in plain text
format.
Signature ID: 444
Double Nibble Encoding vulnerability
Threat Level: Information
Signature Description: Double nibble hex encoding is based on the standard hex encoding method. Each hexadecimal
nibble value is encoded using the standard hex encoding. For example, to encode a capital A, the encoding would be
%%34%31. The normal hex encoding for A is %41. So, the first nibble, 4, is encoded as %34 (the ASCII value for the
numeral 4), and the second nibble, 1, is encoded as %31 (the ASCII value for the numeral 1).
Signature ID: 445
Double Percent Hex encoding vulnerability
Threat Level: Information
Signature Description: Double percent hex encoding is based on the normal method of hex encoding. The percent is
encoded using hex encoding, followed by the hexadecimal byte value to be encoded. To encode a capital A, the
encoding is %2541. As can be seen, the percent is encoded as %25 (this equals a '%'). The value is then decoded
again, this time as %41 (this equals the 'A'). This encoding is supported by Microsoft IIS.
NOTE: Even though some administrators use double percentage encoding in the URL, it is not widely used. It is also
considered a well-known evasion technique. Please ignore this log if the double percentage encoding is purposefully
Signature ID: 446
IIS %u Unicode wide character encoding vulnerability
Threat Level: Information
Industry ID: CVE-2001-0669 Bugtraq: 3292
Signature Description: Microsoft Internet Information Server (IIS) allows wide characters to be Unicode encoded in
URL requests in a format that uses "%u". Such encoded characters appear as "%uXXXX", where "XXXX" represents
hexadecimal characters (0-9, A-F). For example, the character 'b' can be encoded as "%u0062". A remote attacker can
use this form of encoding to attempt to bypass intrusion detection systems (IDS) and intrusion prevention
systems (IPS). Many public ".ida" overflow exploits (including the CodeRed worms) use this type of encoding when
executing a buffer overflow attempt.
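The three encodings described under signatures 444, 445 and 446, as an added example that is not part of the reference guide and is not the TMS zl module's own signature logic. The regular expressions, function names and sample paths are assumptions constructed for illustration; the code flags each encoding and decodes repeatedly to show which requests need more than one decoding pass to reach their canonical form.

```python
import re

# One hex digit written as the %XX code of its ASCII character: 0-9, A-F, a-f.
NIBBLE = r"%(?:3[0-9]|4[1-6]|6[1-6])"
# Approximations of the three encodings, keyed by the guide's signature IDs.
SIGNATURES = {
    444: re.compile(r"%" + NIBBLE + NIBBLE),   # double nibble:  %%34%31 -> A
    445: re.compile(r"%25[0-9A-Fa-f]{2}"),     # double percent: %2541   -> A
    446: re.compile(r"%u[0-9A-Fa-f]{4}"),      # IIS %u:         %u0062  -> b
}
ESCAPE = re.compile(r"%u([0-9A-Fa-f]{4})|%([0-9A-Fa-f]{2})")


def decode_pass(text):
    """Decode every %uXXXX and %XX escape exactly once, left to right."""
    return ESCAPE.sub(lambda m: chr(int(m.group(1) or m.group(2), 16)), text)


def canonicalize(text, max_passes=5):
    """Repeat decode_pass until the string stops changing.

    Returns (canonical_text, passes). More than one pass means the request
    was encoded in layers, which a single-decode filter would not see through.
    """
    passes = 0
    while passes < max_passes:
        decoded = decode_pass(text)
        if decoded == text:
            break
        text, passes = decoded, passes + 1
    return text, passes


def inspect(url):
    """Return matching signature IDs, the canonical URL and the pass count."""
    hits = sorted(sig for sig, rx in SIGNATURES.items() if rx.search(url))
    canonical, passes = canonicalize(url)
    return {"signatures": hits, "canonical": canonical, "passes": passes}


if __name__ == "__main__":
    # Constructed sample request paths, not taken from real traffic.
    for sample in ("/docs/%%34%31.html", "/docs/%2541.html",
                   "/docs/%u0062.html", "/docs/%41.html"):
        print(sample, inspect(sample))
```

Matching rules against the canonical form rather than the raw request is what keeps a path filter from being sidestepped by these encodings.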
Signature ID: 524
DHCP server info gathering
Threat Level: Warning
Nessus: 10663
Signature Description: Dynamic Host Configuration Protocol (DHCP) is a protocol used by networked devices
(clients) to obtain the parameters necessary for operation in an Internet Protocol network. This protocol reduces system
administration workload, allowing devices to be added to the network with little or no manual configuration. Some
DHCP servers provide sensitive information such as the NIS domain name, or network layout information such as the
list of the network's www servers, and so on. Using such information, an attacker may focus future attacks on the
network. DHCP servers should not be available to an external network.
Signature ID: 525
Microsoft Exchange Public Folders Information Leak vulnerability
Threat Level: Information
Nessus: 10755