Juniper NETWORK AND SECURITY MANAGER 2010.2 - ADMINISTRATION GUIDE REV1 Administration Manual page 902

Network and Security Manager Administration Guide
Table 122: Deep Inspection Alarm Log Entries (continued)
| Attack Name | Attack Description | Severity | Versions |
|---|---|---|---|
| DNS:QUERY:NULL-QUERY | This protocol anomaly is a DNS request in which the question, answer, additional, and name server counts are all zero. This can indicate a malicious user trying to crash the DNS server. | high | sos5.1.0 |
| DNS:QUERY:VERSION-QUERY | This protocol anomaly is a DNS query for version.bind with the type set to TXT and the class set to CHAOS. BIND servers support the ability to be remotely queried for their versions. This can indicate a reconnaissance attempt; when attackers know the BIND version, they can then attempt to exploit vulnerabilities on the server. | medium | sos5.1.0 |
| DOS:NETDEV:CISCO-HTTPD-DOS | This signature detects attempts to exploit a vulnerability in Cisco IOS. Versions prior to 11.0, 11.2.8SA1, 12.1(1a)T1, and 12.1(1.3)T are susceptible. Attackers may remotely request URLs containing the %% string from the IP HTTP server, causing the router to crash/reboot/power cycle. | high | sos5.0.0, sos5.1.0 |
| DOS:NETDEV:CISCO-RTR-DOS | This signature detects denial-of-service (DoS) attempts against Cisco routers. Cisco has identified multiple affected versions of IOS, and customers are advised to check with their vendor or on Cisco's Web site for information. Attackers may send invalid HTTP traffic to a Cisco IOS device to cause a DoS on the device. | medium | sos5.1.0 |
| DOS:NETDEV:LINKSYS-GOZILA-DOS2 | This signature detects attempts to exploit a vulnerability in a LinkSys Cable/DSL router. Attackers may submit an overly long sysPasswd parameter within a malicious HTTP request to crash a LinkSys Cable/DSL router. | medium | sos5.1.0 |
| DOS:NETDEV:LINKSYS-GOZILA-DOS3 | This signature detects attempts to exploit a vulnerability in a LinkSys Cable/DSL router. Attackers may submit an overly long DomainName parameter within a malicious HTTP request to crash a LinkSys Cable/DSL router. | medium | sos5.1.0 |
| DOS:NETDEV:NETWORK-3COM-DOS | This signature detects attempts to exploit a firmware vulnerability in the 3COM OfficeConnect 812 and 840 DSL/ADSL routers. OCR812 versions 1.1.9 and earlier are susceptible. Attackers may remotely request long strings from the HTTP daemon, making the router reboot/power cycle and creating a denial-of-service (DoS). | high | sos5.0.0, sos5.1.0 |
| DOS:NETDEV:WEBJET-FRAMEWORK | This signature detects attempts to exploit a vulnerability in HP Web JetAdmin service. Web JetAdmin version 6.5 is vulnerable. Attackers may access sensitive configuration information. If you run an HP Web JetAdmin server on your network, configure DI to monitor the server port that is configured to listen; by default, the listening port is TCP/8000. | medium | sos5.1.0 |
| DOS:NETDEV:WEBJET-FW-INFOLEAK | This signature detects attempts to exploit a vulnerability in HP Web JetAdmin service. Web JetAdmin version 6.5 is vulnerable. Attackers may access sensitive configuration information. | medium | sos5.0.0, sos5.1.0 |
Copyright © 2010, Juniper Networks, Inc.
