TMS zl Module IPS/IDS Signature Reference Guide RLX.10.2.2.94

ProCurve TMS zl Module IPS/IDS Signature
Reference Guide Version RLX.10.2.2.94
This update provides version 6.0.10.50 of rmoc3260.dll. No remedy was available as of July 2008; users can set the
kill bit for the CLSIDs CFCDAA03-8BE4-11CF-B84B-0020AFBBCCFA and 2F542A2E-EDC9-4BF7-8CB1-87C9919F7F93 to
resolve this issue.
Signature ID: 35513
RealNetworks RealPlayer RealMedia File Format Processing Heap Corruption
Threat Level: Warning
Industry ID: CVE-CVE-2007-5081 Bugtraq: 26214
Signature Description: RealNetworks RealPlayer is prone to multiple memory-corruption vulnerabilities that arise
when the application processes specially crafted files. A remote user can create a specially crafted MP3, RM, SWF,
RAM, or PLS file that, when loaded by the target user, will trigger a buffer overflow and execute arbitrary code on the
target system. The code will run with the privileges of the target user. RealNetworks RealPlayer 8, 10, 10.1 and possibly
10.5 and RealOne Player 1 and 2 are vulnerable. The solution is to update to the latest versions and see the vendor's
advisory for details. This signature will trigger only when the SET signature for RM arrives and ignore in the traffic attack
pattern.
Signature ID: 35515
Multiple Cisco Products Vulnerable to DNS Cache Poisoning Attacks
Threat Level: Severe
Industry ID: CVE-CVE-2008-1447 Bugtraq: 30132
Signature Description: Cisco products are vulnerable to DNS cache poisoning attacks due to insufficiently random DNS
transaction IDs and UDP source ports in DNS queries. The Domain Name System (DNS) is responsible for
translating host names to IP addresses (and vice versa) and is critical for the normal operation of internet-connected
systems. DNS cache poisoning (sometimes referred to as cache pollution) is an attack technique that allows an attacker
to introduce forged DNS information into the cache of a caching name server. The DNS protocol specification includes
a transaction ID field of 16 bits. If the specification is correctly implemented and the transaction ID is randomly
selected with a strong random number generator, an attacker will require, on average, 32,768 attempts to successfully
predict the ID. Some flawed implementations may use a smaller number of bits for this transaction ID, meaning that
fewer attempts will be needed. Furthermore, there are known errors with the randomness of transaction IDs that are
generated by a number of implementations. As part of a DNS cache poisoning attack, the attacker will send a lot of DNS
responses with increasing transaction IDs in a span of seconds, hoping that one of the packets will match the
transaction ID of the request. This rule will hit when 100 DNS responses with one or more RRs arrive within a
10-second duration.
Signature ID: 35516
Multiple Cisco Products Vulnerable to DNS Cache Poisoning Attacks
Threat Level: Severe
Industry ID: CVE-CVE-2008-1447 Bugtraq: 30132
Signature Description: Cisco products are vulnerable to DNS cache poisoning attacks due to insufficiently random DNS
transaction IDs and UDP source ports in DNS queries. The Domain Name System (DNS) is responsible for
translating host names to IP addresses (and vice versa) and is critical for the normal operation of internet-connected
systems. DNS cache poisoning (sometimes referred to as cache pollution) is an attack technique that allows an attacker
to introduce forged DNS information into the cache of a caching name server. The DNS protocol specification includes
a transaction ID field of 16 bits. If the specification is correctly implemented and the transaction ID is randomly
selected with a strong random number generator, an attacker will require, on average, 32,768 attempts to successfully
predict the ID. Some flawed implementations may use a smaller number of bits for this transaction ID, meaning that
fewer attempts will be needed. Furthermore, there are known errors with the randomness of transaction IDs that are
generated by a number of implementations. As part of a DNS cache poisoning attack, the attacker will send a lot of DNS
responses with increasing transaction IDs in a span of seconds, hoping that one of the packets will match the
transaction ID of the request. This rule will hit when 100 DNS NXDOMAIN responses arrive within a 10-second duration.
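
The threshold logic described for signatures 35515 and 35516, as an added example that is not taken from the guide or from the TMS zl module: a Python sliding-window counter over raw DNS message headers. Counting RRs across the answer, authority and additional sections, keying the counters by destination IP, and all function names, rule names and sample packets are assumptions made for illustration.

```python
import struct
from collections import defaultdict, deque

WINDOW_SECONDS = 10  # window stated in both signature descriptions
THRESHOLD = 100      # response count stated in both signature descriptions

def matching_rules(payload: bytes) -> set:
    """Map one raw DNS message (UDP payload) to the rule counters it feeds."""
    if len(payload) < 12:
        return set()                           # shorter than a DNS header
    _txid, flags, _qd, an, ns, ar = struct.unpack("!6H", payload[:12])
    rules = set()
    is_response = bool(flags & 0x8000)         # QR bit set means response
    if is_response and an + ns + ar >= 1:      # assumption: RRs in any section
        rules.add("responses_with_rrs")
    if is_response and (flags & 0x000F) == 3:  # RCODE 3 = NXDOMAIN
        rules.add("nxdomain_responses")
    return rules

class ResponseFloodDetector:
    """Sliding-window counter keyed per rule and destination IP (assumed key)."""
    def __init__(self):
        self.seen = defaultdict(deque)         # (rule, dst_ip) -> timestamps

    def observe(self, ts: float, dst_ip: str, payload: bytes) -> list:
        fired = []
        for rule in sorted(matching_rules(payload)):
            window = self.seen[(rule, dst_ip)]
            window.append(ts)
            while ts - window[0] >= WINDOW_SECONDS:
                window.popleft()               # expire entries outside the window
            if len(window) >= THRESHOLD:
                fired.append(rule)
                window.clear()                 # re-arm instead of alerting per packet
        return fired

def make_response(txid: int, rcode: int = 0, ancount: int = 0) -> bytes:
    """Constructed header-only DNS response used as sample input."""
    return struct.pack("!6H", txid, 0x8000 | rcode, 0, ancount, 0, 0)

def replay(packets) -> list:
    """Feed (ts, dst_ip, payload) tuples in time order; return fired rule names."""
    detector, alerts = ResponseFloodDetector(), []
    for ts, dst_ip, payload in packets:
        alerts += detector.observe(ts, dst_ip, payload)
    return alerts

# Constructed traffic: 100 responses with increasing IDs to one resolver in 2 s.
burst = [(i / 50, "192.0.2.53", make_response(i, ancount=1)) for i in range(100)]
print(replay(burst))
```

A busy resolver can legitimately receive more than 100 responses in 10 seconds, so a counter like this is normally tuned per deployment or narrowed to responses that match no outstanding query.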