ProCurve TMS zl Module IPS/IDS Signature Reference Guide Version RLX.10.2.2.94
Signature ID: 35138
HTTP request line with SQL comment statements
Threat Level: Severe
Signature Description: This rule hits when an HTTP request attribute value contains SQL comments. Attackers use
this technique to bypass validation on the server side. Most database systems allow comment statements in a
query, and attackers make use of this functionality to bypass authentication.
Signature ID: 35139
Internet Explorer browser is vulnerable to a protocol handler command-injection and proprietary Opera attack
Threat Level: Severe
Signature Description: Microsoft's Internet Explorer browser and the Opera browser are vulnerable to a protocol
handler command-injection vulnerability that could allow malicious code attacks with limited user action. An attacker
can construct malicious HTML to influence the command-line parameters of the external application that will run when
a URI is loaded. The attacker embeds the malicious HTML code in a web page or sends it through HTML email. The
malicious code may be automatically loaded when the page or HTML email is rendered. User interaction is required, as
users must follow a link to a malicious site or open a malicious email. Because Windows systems allow websites to
force Firefox to launch when the "firefoxurl://" URI is called, attackers can inject commands using the
-chrome parameter.
Signature ID: 35140
HREF and XML entity XSS injections
Threat Level: Severe
Signature Description: Attackers can inject cross-site scripts using href and XML tags. Remote style sheets can be
called by using the href tag of HTML; using this flaw, an attacker can inject a cross-site script. Internet Explorer
and Netscape Navigator are found to be vulnerable to this kind of script injection. The CDATA section of an XML tag
is used to send data to be stored in the database. Attackers can use this XML tag to store script in the database;
whenever that data is retrieved, the attack may succeed.
Signature ID: 35141
Suspicious HTML elements with some attributes
Threat Level: Warning
Bugtraq: 29025,29191,29571
Signature Description: This rule hits when suspicious HTML tags are found in the request arguments. This rule checks
the HTTP request lines for any of these constructs: frame, applet, script, input, button, textarea, style, base, body,
meta, link, object, embed, param, plaintext, xmp, image, img, port.
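An approximation of the check described for signature 35141, added here as an illustration and not the vendor's rule logic: it decodes the arguments of an HTTP request line and reports any listed element that appears as an opening tag with an attribute. The function names, the attribute heuristic and the sample request lines are assumptions made for this example.

```python
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Element names copied from the signature description above.
SUSPICIOUS_TAGS = (
    "frame", "applet", "script", "input", "button", "textarea", "style",
    "base", "body", "meta", "link", "object", "embed", "param",
    "plaintext", "xmp", "image", "img", "port",
)

# Assumption: "with some attributes" = an opening tag followed by at least
# one name=value pair. A bare <script> with no attribute is not flagged.
TAG_RE = re.compile(
    r"<\s*(" + "|".join(SUSPICIOUS_TAGS) + r")(?:\s|/)+[^<>]*?[\w-]+\s*=",
    re.IGNORECASE,
)

def decode_repeatedly(value, rounds=3):
    """Undo nested percent-encoding (%253C -> %3C -> <), bounded in depth."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def scan_request_line(request_line):
    """Return sorted (parameter, tag) pairs found in the query arguments."""
    parts = request_line.split(" ")
    if len(parts) < 2:
        return []
    hits = set()
    query = urlsplit(parts[1]).query
    for name, raw in parse_qsl(query, keep_blank_values=True):
        for match in TAG_RE.finditer(decode_repeatedly(raw)):
            hits.add((name, match.group(1).lower()))
    return sorted(hits)

# Constructed sample request lines (not taken from real traffic).
SAMPLES = [
    "GET /search?q=%3Cimg%20src%3Dx%20onerror%3Dy%3E HTTP/1.1",
    "GET /view?page=%253Cbody%2520onload%253Dx%253E HTTP/1.1",
    "GET /search?q=image+gallery&sort=asc HTTP/1.1",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(scan_request_line(line) or "clean", "<-", line)
```

The second sample is double-encoded, which is why the value is decoded until it stops changing before the pattern is applied; the third shows that a listed word appearing as plain text does not trigger a hit.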
Signature ID: 35142
Possible Evasion with null bytes and HTTP Response splitting
Threat Level: Warning
Signature Description: This rule hits when an HTTP request or response contains a large number of null bytes or small
chunks of data. Attackers use these techniques to evade IPS/IDS security detection systems. Any request or response
that contains a large number of null bytes or a large number of data chunks can be treated as malicious activity.