Juniper NETWORK AND SECURITY MANAGER 2010.4 - ADMINISTRATION GUIDE REV1 Administration Manual page 933

Appendix E: Log Entries

Table 124: Deep Inspection Alarm Log Entries (continued)

| Attack Name | Attack Description | Severity | Versions |
|---|---|---|---|
| FTP:PROFTP:PPC-FS2 | This signature detects attempts to exploit a format string vulnerability in ProFTPD. Versions 1.2pre6 and earlier are vulnerable. | critical | sos5.0.0, sos5.1.0 |
| FTP:PROFTP:PROFTPD-GEN-GLOB-DOS | This signature detects denial-of-service (DoS) attempts against ProFTPD. Because ProFTPD uses inadequate globbing algorithms, attackers may send wildcards in the argument of a maliciously crafted command to DoS the server. | medium | sos5.0.0, sos5.1.0 |
| FTP:PROFTP:SIZE-DOS2 | This signature detects attempts to exploit a vulnerability in ProFTPD. Version 1.2.0pre* is vulnerable. Attackers may send multiple SIZE requests with a static pathname to create a denial-of-service (DoS). | high | sos5.0.0, sos5.1.0 |
| FTP:PROFTP:USER-DOS | This signature detects attempts to exploit a vulnerability in ProFTPD. Versions 1.2.0rc* and 1.2.0pre* are vulnerable. Attackers may send a maliciously crafted USER command to create a denial-of-service (DoS). | high | sos5.0.0, sos5.1.0 |
| FTP:REQERR:GNULS-WIDTH-DOS | This signature detects denial-of-service (DoS) attempts against GNU ls. If the FTP daemon uses a vulnerable version of GNU ls, attackers may send an oversized width parameter to GNU ls to cause the server CPU utilization to temporarily reach 100% and exhaust system memory. This condition can persist for several minutes depending on the width specified. | medium | sos5.0.0, sos5.1.0 |
| FTP:REQERR:REQ-MISSING-ARGS | This protocol anomaly is an FTP command with an incomplete argument list, such as a USER command with no user name, a RETR command with no file name, etc. This may indicate command line access to the FTP server or an exploit attempt. | medium | sos5.0.0, sos5.1.0 |
| FTP:SERVU:CHMOD-OVERFLOW | This signature detects attempts to exploit a vulnerability in the ServU FTP server CHMOD command. The CHMOD command is typically used to change the permissions of a file on the server. Attackers may send an overly long filename argument to the CHMOD command to execute arbitrary code with system privileges. | critical | sos5.1.0 |
| FTP:USER:ROOT | This signature detects attempts to login to an FTP server using the "root" account. This may indicate an attacker trying to gain root-level access, or it may indicate poor security practices. FTP typically uses plain-text passwords, and using the root account to FTP could expose sensitive data over the network. | medium | sos5.0.0, sos5.1.0 |

Copyright © 2010, Juniper Networks, Inc.
