IDS mailing list archives
Signature for CVE ID: CVE-2008-1151 (CISCO PPTP memory leak - DoS)
From: "Ravi Chunduru" <ravi.is.chunduru () gmail com>
Date: Fri, 4 Jul 2008 09:03:59 -0700
Please see these links for more information on vulnerability: http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-1151 http://www.cisco.com/en/US/products/products_security_advisory09186a0080969862.shtml According to this vulnerability report, PPTP process in CISCO routers leak memory upon every PPTP termination. Eventually memory is used up and no other PPTP connections are entertained. How does one go about writing signatures for detecting exploits targeting this vulnerability? Only possibility I can think of, based on capabilities of signature language, is to check for the rate at which these PPTP connections are made. If it checks for higher rate, there could be false negatives where attacker makes the connections at very slow rate. If it checks for lower rate, then there is possibility of false positives. What is the right way of writing signatures? thanks Ravi ------------------------------------------------------------------------ Test Your IDS Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw to learn more. ------------------------------------------------------------------------
Current thread:
- Signature for CVE ID: CVE-2008-1151 (CISCO PPTP memory leak - DoS) Ravi Chunduru (Jul 04)
- Re: Signature for CVE ID: CVE-2008-1151 (CISCO PPTP memory leak - DoS) Secure Scorp (Jul 07)
- Re: Signature for CVE ID: CVE-2008-1151 (CISCO PPTP memory leak - DoS) Srinivasa Addepalli (Jul 07)
- Re: Signature for CVE ID: CVE-2008-1151 (CISCO PPTP memory leak - DoS) Secure Scorp (Jul 09)
- RE: Signature for CVE ID: CVE-2008-1151 (CISCO PPTP memory leak - DoS) Srinivasa Addepalli (Jul 14)
- Re: Signature for CVE ID: CVE-2008-1151 (CISCO PPTP memory leak - DoS) Secure Scorp (Jul 09)