Snort mailing list archives
Re: Anyone got a rule for the latest Cisco bug?
From: Jon Hart <warchild () spoofed org>
Date: Thu, 17 Jul 2003 21:03:19 -0400
On Thu, Jul 17, 2003 at 05:43:10PM -0700, twig les wrote:
> If you create a variable in snort.conf for your Cisco interfaces (including loopbacks? hmmm...) and use that variable as the destination instead of "any" you might actually get some good mileage from the examples below.
> Of course I'm not too familiar with these protocols so they may have a legitimate reason to talk directly to a router, but I doubt it (aside from NAT).
>
> May the schwartz be with *you*
Yeah, good point. I guess it's partially a matter of preference, and partially a matter of how your network is configured. When someone starts to exploit this, chances are that they won't be targeted attacks, but rather sprayings of packets over entire networks. Sure, if a particularly malicious user wanted to, they could probably target their attacks and be pretty good about it, but personally I'd rather see both apparently targeted attacks and mass "packeting".

That said, maybe these are a bit better (wrapped at 80 characters -- if you use these, be sure to format them correctly in your rule files):

alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"DOS Cisco SWIPE Protocol"; ip_proto:53; classtype:attempted-dos; reference:url,www.cisco.com/warp/public/707/cisco-sa-20030717-blocked.shtml; rev:2;)

alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"DOS Cisco IP Mobility Protocol"; ip_proto:55; classtype:attempted-dos; reference:url,www.cisco.com/warp/public/707/cisco-sa-20030717-blocked.shtml; rev:2;)

alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"DOS Cisco Sun ND Protocol"; ip_proto:77; classtype:attempted-dos; reference:url,www.cisco.com/warp/public/707/cisco-sa-20030717-blocked.shtml; rev:2;)

alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"DOS Cisco PIM Protocol"; ip_proto:103; classtype:attempted-dos; reference:url,www.cisco.com/warp/public/707/cisco-sa-20030717-blocked.shtml; rev:2;)
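The ip_proto matching in the rules above, together with twig les's suggestion to narrow the destination from $HOME_NET to a variable holding only router interface addresses, as an added example that is not part of this thread: a Python emulation of the rule header and ip_proto test run over constructed raw IPv4 headers. It assumes $EXTERNAL_NET is !$HOME_NET (the common snort.conf default), and the CISCO_INTERFACES variable name and all addresses are made up for the example.

```python
import ipaddress
import struct
# Protocol numbers and msg strings from the rules posted in the thread.
WATCHED_PROTOS = {
    53: "DOS Cisco SWIPE Protocol",
    55: "DOS Cisco IP Mobility Protocol",
    77: "DOS Cisco Sun ND Protocol",
    103: "DOS Cisco PIM Protocol",
}

# Constructed sample networks: $HOME_NET, and a narrower (hypothetical)
# variable holding only router interface addresses, as twig les suggested.
HOME_NET = [ipaddress.ip_network("192.0.2.0/24")]
CISCO_INTERFACES = [ipaddress.ip_network("192.0.2.1/32"),
                    ipaddress.ip_network("192.0.2.254/32")]

def parse_ipv4(pkt):
    """Return (proto, src, dst) for a raw IPv4 packet, or None if not IPv4."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    _ttl, proto, _csum, src, dst = struct.unpack("!BBH4s4s", pkt[8:20])
    return proto, ipaddress.ip_address(src), ipaddress.ip_address(dst)

def match(pkt, home_net, dst_nets):
    """Emulate `alert ip $EXTERNAL_NET any -> <dst_nets> any (ip_proto:N; ...)`.
    $EXTERNAL_NET is taken as !$HOME_NET; returns the rule's msg text or None."""
    hdr = parse_ipv4(pkt)
    if hdr is None or hdr[0] not in WATCHED_PROTOS:
        return None
    proto, src, dst = hdr
    if any(src in net for net in home_net):      # internal source: no match
        return None
    if not any(dst in net for net in dst_nets):  # destination not in variable
        return None
    return WATCHED_PROTOS[proto]

def build_ipv4(proto, src, dst, ttl=64):
    """Construct a bare 20-byte IPv4 header as sample input (checksum left 0)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, ttl, proto, 0,
                       ipaddress.ip_address(src).packed,
                       ipaddress.ip_address(dst).packed)

def compare(pkt):
    """Alert from the posted rule ($HOME_NET) vs. the narrowed variant."""
    return match(pkt, HOME_NET, HOME_NET), match(pkt, HOME_NET, CISCO_INTERFACES)

if __name__ == "__main__":
    print(compare(build_ipv4(103, "198.51.100.7", "192.0.2.1")))   # PIM to router
    print(compare(build_ipv4(103, "198.51.100.7", "192.0.2.50")))  # PIM to a host
```

Protocol 103 to a host inside $HOME_NET fires only the posted rule, while the narrowed variable stays quiet; traffic from an internal source matches neither because $EXTERNAL_NET excludes it.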