TMS zl Module IPS/IDS Signature Reference Guide RLX.10.2.2.94

Signature ID: 35112
Unicode or Octal or Hex representation of attribute values detected(Possible evasion)
Threat Level: Severe
Signature Description: Attackers often use Unicode, hex, or octal representations of attack strings to bypass IPS
signatures. This rule hits when octal, Unicode, or hex-encoded characters are transferred to internal systems.
Signature ID: 35113
Directory traversal attempt with dot dot slash in the URI
Threat Level: Severe
Signature Description: An attacker accesses unauthorized information by passing ../ or ..\, or these patterns in Unicode,
hex, or octal encoding to evade the IPS. This rule hits when a directory traversal attempt is made.
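
The following is an added example, not part of the ProCurve guide or the TMS zl module's own logic: it decodes a request path until it is stable and only then tests for a dot-dot-slash segment, flagging cases where the traversal was visible only after decoding (the situation signatures 35112 and 35113 describe). The function names, the decoding-round cap, and the sample paths are assumptions constructed for illustration; octal forms are not handled.

```python
import re
from urllib.parse import unquote

# ".." as a whole path segment, delimited by / or \ (or string start/end)
TRAVERSAL = re.compile(r"(?:^|[\\/])\.\.(?:[\\/]|$)")
U_ESCAPE = re.compile(r"%u([0-9a-fA-F]{4})")  # non-standard %uXXXX form
MAX_ROUNDS = 4  # assumption: cap on nested encoding layers we unwrap


def decode_once(path):
    """Remove one layer of %uXXXX and %XX encoding."""
    path = U_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), path)
    return unquote(path)


def normalize(path):
    """Decode until the string stops changing; return (canonical, layers)."""
    layers = 0
    while layers < MAX_ROUNDS:
        decoded = decode_once(path)
        if decoded == path:
            break
        path, layers = decoded, layers + 1
    return path, layers


def check_uri(path):
    canonical, layers = normalize(path)
    traversal = bool(TRAVERSAL.search(canonical))
    return {
        "canonical": canonical,
        "layers": layers,
        "traversal": traversal,
        # traversal present only after decoding means the encoding hid it
        "evasion": traversal and not TRAVERSAL.search(path),
    }


# Constructed sample request paths (not taken from real traffic)
SAMPLES = [
    "/static/css/site.css",
    "/files/../../conf/app.ini",
    "/files/%2e%2e%2f%2e%2e%2fconf/app.ini",
    "/files/%252e%252e%255cconf",
    "/files/%u002e%u002e/conf",
    "/docs/release%20notes..txt",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, check_uri(sample))
```

Matching the raw string alone misses the third, fourth and fifth samples; matching only after normalization catches them without flagging the last one, where `..` is not a path segment.
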
Signature ID: 35114
Attempt to access Sensitive Directories or path traversal
Threat Level: Severe
Signature Description: An attacker gains access to sensitive directories like boot.ini by specifying the full known path.
This rule hits when a sensitive directory path is found in the URI request line, on all platforms (Linux, Windows, etc.).
Signature ID: 35115
Attempt to access etc/passwd file from remote
Threat Level: Severe
Signature Description: The etc/passwd file on Linux-like platforms contains one-way encrypted passwords for the
corresponding usernames. No authorized access needs this file from a remote location. An attacker, however, may try
to access this file to learn the usernames on the target system and, using some tools, can try to decrypt the encrypted
passwords offline. Remote access to the etc/passwd file can be treated as an attack. This rule hits when an attempt is
made to access etc/passwd.
Signature ID: 35116
HTML breaking attempts via half or fullwidth encoded unicode
Threat Level: Severe
Industry ID: CVE-2007-2688 Bugtraq: 23980
Signature Description: A sophisticated attacker can bypass cross-site scripting detection systems by sending well-formed
HTML-breaking statements that are fully encoded in Unicode. Most security systems fail to detect the encoded attack
patterns. This rule hits when Unicode-encoded HTML-breaking statements are found in the request line.
Signature ID: 35117
Cross site Scripting with encoded or packed functions
Threat Level: Severe
Signature Description: An attacker sends the attack pattern as encrypted data along with a script that decrypts it on the
victim's machine. This rule hits on a request containing a script that uses encoding library terms such as base64 or
imports from some other encoding library.
Signature ID: 35118
Attempt to Change HTML Document with Javascript DOM objects and properties
Threat Level: Severe
Signature Description: HTML DOM is a set of well-defined procedures or script which can change the document