IDS mailing list archives

Re: Signature for CVE ID: CVE-2008-1151 (CISCO PPTP memory leak - DoS)

From: "Srinivasa Addepalli" <srao () intoto com>
Date: Mon, 7 Jul 2008 09:09:49 -0700

You are right that these kinds of DoS attacks are difficult to detect
at Network IDS/IPS level due to the problems you mentioned - false
positives and false negatives.

I suggest that you consider "version" of cisco routers in your rules
to avoid false positives in deployment scnearios where CISCO routers
are not used.

Thanks
Srini

On Fri, Jul 4, 2008 at 9:03 AM, Ravi Chunduru
<ravi.is.chunduru () gmail com> wrote:


Please see these links for more information on vulnerability:

http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-1151
http://www.cisco.com/en/US/products/products_security_advisory09186a0080969862.shtml

According to this vulnerability report,  PPTP process in CISCO routers
leak memory upon every PPTP termination. Eventually memory is used up
and no other PPTP connections are entertained.

How does one go about writing signatures for detecting exploits
targeting this vulnerability?
Only possibility I can think of, based on capabilities of signature
language, is to check for the rate at which these PPTP connections are
made. If it checks for higher rate, there could be false negatives
where attacker makes the connections at very slow rate.  If it checks
for lower rate,  then there is possibility of false positives. What is
the right way of writing signatures?


thanks
Ravi

------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw
to learn more.
------------------------------------------------------------------------


------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it 
with real-world attacks from CORE IMPACT.
Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw 
to learn more.
------------------------------------------------------------------------

Current thread:

Signature for CVE ID: CVE-2008-1151 (CISCO PPTP memory leak - DoS) Ravi Chunduru (Jul 04)
- Re: Signature for CVE ID: CVE-2008-1151 (CISCO PPTP memory leak - DoS) Secure Scorp (Jul 07)
- Re: Signature for CVE ID: CVE-2008-1151 (CISCO PPTP memory leak - DoS) Srinivasa Addepalli (Jul 07)
  - Re: Signature for CVE ID: CVE-2008-1151 (CISCO PPTP memory leak - DoS) Secure Scorp (Jul 09)
    - RE: Signature for CVE ID: CVE-2008-1151 (CISCO PPTP memory leak - DoS) Srinivasa Addepalli (Jul 14)