Juniper NETWORK AND SECURITY MANAGER 2010.4 - ADMINISTRATION GUIDE REV1 Administration Manual page 973


Appendix E: Log Entries

POP3:OVERFLOW:QPOP-OF3
  Severity: critical
  Versions: sos5.0.0, sos5.1.0
  Description: This signature detects buffer overflow attempts to exploit a vulnerability in the Qpopper daemon. Some 3.0 beta versions are vulnerable.

POP3:OVERFLOW:QPOP-OF4
  Severity: critical
  Versions: sos5.0.0, sos5.1.0
  Description: This signature detects a buffer overflow attempt to exploit a vulnerability in Qpopper using custom shellcode. Version 3.0beta20 and many earlier versions are vulnerable.

POP3:OVERFLOW:TXTLINE_2LONG
  Severity: high
  Versions: sos5.1.0
  Description: This protocol anomaly is a message data line that exceeds the defined maximum length (sc_mime_textline_length).

POP3:OVERFLOW:USER
  Severity: high
  Versions: sos5.0.0, sos5.1.0
  Description: This protocol anomaly is a POP3 USER command argument that is too long. This may indicate a buffer overflow attempt.

POP3:REQERR:REQ-MESSAGE-NUMBER
  Severity: high
  Versions: sos5.0.0, sos5.1.0
  Description: This protocol anomaly is a POP3 message number that is unreasonably high. This may indicate a huge mailbox or an exploit attempt.

POP3:REQERR:REQ-SYNTAX-ERROR
  Severity: medium
  Versions: sos5.0.0, sos5.1.0
  Description: This protocol anomaly is an unparsed POP command line or header line. This may indicate a nonstandard e-mail client or server or a backdoor/exploit attempt.

SCAN:AMAP:FTP-ON-HTTP
  Severity: low
  Versions: sos5.1.0
  Description: This signature detects the scanner tool amap, made by the Hacker's Choice. THC-AMAP is used in initial reconnaissance for an attacker to determine services running on target hosts before launching other attacks.

SCAN:AMAP:SAP-R3-ON-HTTP
  Severity: low
  Versions: sos5.1.0
  Description: This signature detects the scanner tool AMAP, made by The Hacker's Choice (THC). Attackers may use THC-AMAP during their initial reconnaissance to determine services running on target hosts before launching other attacks.

SCAN:AMAP:SSL-ON-HTTP
  Severity: low
  Versions: sos5.1.0
  Description: This signature detects the scanner tool AMAP, made by The Hacker's Choice (THC). Attackers may use THC-AMAP during their initial reconnaissance to determine services running on target hosts before launching other attacks.

SCAN:AMAP:SSL-ON-POP3
  Severity: low
  Versions: sos5.1.0
  Description: This signature detects the scanner tool AMAP, made by The Hacker's Choice (THC). Attackers may use THC-AMAP during their initial reconnaissance to determine services running on target hosts before launching other attacks.

SCAN:METASPLOIT:SMB-ACTIVE
  Severity: high
  Versions: sos5.1.0
  Description: This signature detects traffic generated by the open-source exploiting tool Metasploit Framework. Other signatures may also trip. This indicates that someone is using this tool on your network. Follow-up investigation of source or target machines may be required.

SCAN:MISC:HTTP:HTR-OVERFLOW
  Severity: medium
  Versions: sos5.0.0, sos5.1.0
  Description: This signature detects denial-of-service (DoS) attacks against Microsoft IIS 4.0 and 5.0. Attackers may send maliciously crafted HTR requests (.htr) with long variable names to overflow the buffer in the ism.dll ISAPI extension that implements HTR scripting and create a denial of service or execute arbitrary commands.

Copyright © 2010, Juniper Networks, Inc.