Juniper NETWORK AND SECURITY MANAGER 2010.3 - ADMINISTRATION GUIDE REV1 Administration Manual page 964

Network and Security Manager Administration Guide
| Attack object | Description | Severity | Versions |
|---|---|---|---|
| SHELLCODE:AIX:NOOP-PKT | This signature scans PACKETS for at least four AIX NOOP instructions in a row, which are very common in buffer overflow exploits. You may want to apply this signature to all non-TCP traffic to your AIX servers. | medium | sos5.0.0, sos5.1.0 |
| SHELLCODE:BSDX86:GEN-1-PKT | This signature scans PACKETS for an x86 BSD (all flavors) instruction sequence, common in buffer overflow exploits. You may want to apply this signature to all non-TCP traffic to your BSD servers. | high | sos5.0.0, sos5.1.0 |
| SHELLCODE:BSDX86:GEN-2-PKT | This signature scans PACKETS for an x86 BSD (all flavors) instruction sequence, common in buffer overflow exploits. You may want to apply this signature to all non-TCP traffic to your BSD servers. | high | sos5.0.0, sos5.1.0 |
| SHELLCODE:DIGITAL:NOOP-PKT | This signature scans PACKETS for at least four DEC ALPHA NOOP instructions in a row, which are very common in buffer overflow exploits. You may want to apply this signature to all non-TCP traffic to your DEC ALPHA servers. | medium | sos5.0.0, sos5.1.0 |
| SHELLCODE:HP-UX:HP-NOOP-1-PKT | This signature scans PACKETS for an HP-UX PA-RISC instruction sequence, common in buffer overflow exploits. You may want to apply this signature to all non-TCP traffic to your HP-UX servers. | medium | sos5.0.0, sos5.1.0 |
| SHELLCODE:HP-UX:HP-NOOP-2-PKT | This signature scans PACKETS for an HP-UX PA-RISC instruction sequence, common in buffer overflow exploits. You may want to apply this signature to all non-TCP traffic to your HP-UX servers. | medium | sos5.0.0, sos5.1.0 |
| SMB:AUDIT:INV-PROTOCOL | This protocol anomaly is an invalid SMB protocol. The first four bytes of valid SMB messages are 0xff, 'S', 'M', 'B'. This may be a misbehaving client or an attempt to tunnel through the NETBIOS port. | info | sos5.1.0 |
| SMB:CONNECT-FROM-LOCALHOST | This signature detects attempts to remotely connect to SMB shares with the NetBIOS hostname of Localhost. Because Localhost logins are not typically performed over the network, this may indicate that an attacker is trying to bypass host-based access controls. | low | sos5.1.0 |
| SMB:ENUM:NAME-LOOKUP | This protocol anomaly is the \pipe\lsarpc (Local Security Authority) named pipe transaction used to execute the LookupAccountName function. Programs such as user2sid and Hyena use this named pipe transaction to validate usernames on the target host. | medium | sos5.1.0 |
| SMB:ERROR:GRIND | This protocol anomaly is multiple login/authentication failures between a unique pair of hosts within a short period of time. Vulnerability scanners and programs like enum that perform dictionary-based or password-guessing attacks will likely trigger this attack. | high | sos5.1.0 |
| SMB:ERROR:INV-MSG-LEN | This protocol anomaly is an invalid session message length in an SMB message. | high | sos5.1.0 |
Copyright © 2010, Juniper Networks, Inc.
