Snort mailing list archives
Re: Fw: Cisco Vulnerability Testing Results
From: Jon Hart <warchild () spoofed org>
Date: Fri, 18 Jul 2003 14:02:50 -0400
On Fri, Jul 18, 2003 at 01:46:39PM -0400, Gary Morris wrote:
> Just to be sure, and because in an ideal world I shouldn't really be seeing any of these protocols in my network, I've left my definitions somewhat more broad..
>
> alert ip $EXTERNAL_NET any -> $HOME_NET any (msg: "CISCO: IP Proto 53 (Swipe) detected"; ip_proto: 53; classtype:denial-of-service;)
> alert ip $EXTERNAL_NET any -> $HOME_NET any (msg: "CISCO: IP Proto 55 (IP Mobility) detected"; ip_proto: 55; classtype:denial-of-service;)
> alert ip $EXTERNAL_NET any -> $HOME_NET any (msg: "CISCO: IP Proto 77 (SUN ND) detected"; ip_proto: 77; classtype:denial-of-service;)
> alert ip $EXTERNAL_NET any -> $HOME_NET any (msg: "CISCO: IP Proto 103 (PIM) detected"; ip_proto: 103; classtype:denial-of-service;)
>
> -gary morris, gcia
If you are using those sigs in Snort, you might also want to make use of spp_conversation which can catch all unwanted and/or unused protocols that might be swimming around your network(s). See the config I posted here: http://marc.theaimsgroup.com/?l=snort-users&m=105849030507605&w=2

Also, a number of people have posted sigs that are not only matching based on IP protocol number, but also on content. Obviously this will only catch the *tool* being used, and not the *exploit* which is far from ideal. For similar signatures to the ones you posted, see the ones I posted here: http://marc.theaimsgroup.com/?l=snort-users&m=105849245609117&w=2

Or get the latest and greatest Snort rules from Snort CVS.

-jon
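To make concrete what the protocol-number rules quoted above do (and why, as Jon notes, a protocol-number match fires on any packet of that type regardless of payload, where a content match would only fire on one tool's payload), here is an added Python example that is not part of the thread and not Snort's own code. It parses raw IPv4 headers and emulates `alert ip $EXTERNAL_NET any -> $HOME_NET any (...; ip_proto: N;)` for the four numbers in Gary's rules. `$HOME_NET` is assumed to be 192.0.2.0/24 and `$EXTERNAL_NET` its negation; the packets are constructed inline, with the IP checksum left at zero since the matcher does not verify it.

```python
import ipaddress
import struct
from typing import Optional

# Assumption for this example (not from the thread): $HOME_NET is 192.0.2.0/24,
# and $EXTERNAL_NET is everything outside it (Snort's usual "!$HOME_NET").
HOME_NET = ipaddress.ip_network("192.0.2.0/24")

# The four protocol numbers from the quoted rules, keyed to the same msg text.
WATCHED_PROTOS = {
    53: "CISCO: IP Proto 53 (Swipe) detected",
    55: "CISCO: IP Proto 55 (IP Mobility) detected",
    77: "CISCO: IP Proto 77 (SUN ND) detected",
    103: "CISCO: IP Proto 103 (PIM) detected",
}

IPV4_FMT = "!BBHHHBBH4s4s"  # fixed 20-byte IPv4 header


def parse_ipv4_header(packet: bytes) -> dict:
    """Parse the fixed IPv4 header; raise ValueError on anything not IPv4-shaped."""
    if len(packet) < 20:
        raise ValueError("packet shorter than minimum IPv4 header")
    ver_ihl, _tos, _tlen, _id, _ff, _ttl, proto, _csum, src, dst = struct.unpack(
        IPV4_FMT, packet[:20])
    version = ver_ihl >> 4
    ihl = (ver_ihl & 0x0F) * 4
    if version != 4:
        raise ValueError(f"not IPv4 (version {version})")
    if ihl < 20 or len(packet) < ihl:
        raise ValueError("invalid header length")
    return {
        "proto": proto,
        "src": ipaddress.ip_address(src),
        "dst": ipaddress.ip_address(dst),
        "ihl": ihl,
    }


def match_rules(packet: bytes) -> Optional[str]:
    """Emulate the four ip_proto rules; return the alert msg or None."""
    hdr = parse_ipv4_header(packet)
    if hdr["src"] in HOME_NET:      # source must be $EXTERNAL_NET
        return None
    if hdr["dst"] not in HOME_NET:  # destination must be $HOME_NET
        return None
    # Payload is never inspected: the match is on the protocol field alone.
    return WATCHED_PROTOS.get(hdr["proto"])


def build_ipv4(src: str, dst: str, proto: int, payload: bytes = b"") -> bytes:
    """Build a minimal IPv4 packet as constructed test input (checksum left 0)."""
    header = struct.pack(
        IPV4_FMT, 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
        ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    return header + payload


def scan(packets) -> list:
    """Run every packet through the rules; return (index, msg) for each hit."""
    hits = []
    for i, pkt in enumerate(packets):
        try:
            msg = match_rules(pkt)
        except ValueError:
            continue  # malformed or non-IPv4: the 'ip' rules would not see it
        if msg:
            hits.append((i, msg))
    return hits


# Constructed sample traffic (RFC 5737 documentation addresses).
SAMPLE_PACKETS = [
    build_ipv4("198.51.100.7", "192.0.2.1", 53),       # external -> home, Swipe
    build_ipv4("198.51.100.7", "192.0.2.1", 6),        # TCP: not watched
    build_ipv4("192.0.2.5", "192.0.2.1", 103),         # internal source: no alert
    build_ipv4("203.0.113.9", "192.0.2.200", 77, b"x"), # payload irrelevant
    build_ipv4("203.0.113.9", "198.51.100.1", 55),     # destination not home
    b"\x60" + b"\x00" * 39,                             # IPv6-shaped: skipped
]

if __name__ == "__main__":
    for idx, msg in scan(SAMPLE_PACKETS):
        print(f"packet {idx}: {msg}")
```

Packets 0 and 3 alert, nothing else does; packet 3 carries a payload the rule never looks at, which is exactly the property that makes a protocol-number rule catch the exploit rather than a particular tool, at the cost of alerting on any legitimate use of those protocols.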