Snort mailing list archives

Re: Q? what would have generated this.


From: John Sage <jsage () finchhaven com>
Date: Sun, 25 Nov 2001 18:48:25 -0800

Kenneth:

The rule itself (arachNIDS 129 -- at least that which comes with snort-1.8.2 build 86) states:

misc.rules:
 alert tcp $HOME_NET 7161 -> $EXTERNAL_NET any
(msg:"MISC Cisco Catalyst Remote Access";
 flags:SA; reference:arachnids,129; reference:cve,CVE-1999-0430;
 classtype:bad-unknown; sid:513; rev:1;)


So is there a possibility that $HOME_NET and $EXTERNAL_NET are misconfigured, or that $HOME_NET and $EXTERNAL_NET are somehow seen by snort as identical?

If that's so, then the packet you show below meets the rest of the rule, i.e. apparent source port 7161, ACK/SYN flags set.

Otherwise, the rule should only match on an *outgoing* packet, one would think.

I've forwarded this to the snort list, to see if anyone has any ideas...

HTH..


- John


Kenneth Brown wrote:

I know it's bad to make you think on Sundays...

Would anyone know what would have generated a
CVE-1999-0430 from a source machine running Red Hat Linux?

I include the packet.
src and dest have been modified to protect identities....
I also attached the CVE.

kenneth gf brown
ceo shadowplay.net



Generated by ACID v0.9.6b11 on Sun November 25, 2001 03:06:31

------------------------------------------------------------------------------
#(1 - 528) [2001-11-21 22:39:14] [arachNIDS/129] [CVE/CVE-1999-0430]  MISC
Cisco Catalyst Remote Access IPv4: outsideip -> insideip
      hlen=5 TOS=0 dlen=44 ID=0 flags=0 offset=0 TTL=43 chksum=56994
TCP:  port=7161 -> dport: 1736  flags=***A**S* seq=3331448114
      ack=2418700017 off=6 res=0 win=5840 urp=0 chksum=19127
      Options:
       #1 - MSS len=4 data=0578
Payload: none




CVE-1999-0430
CVE Version: 20010918
This is an entry on the CVE list, which standardizes names for security
problems. It was reviewed and accepted by the CVE Editorial Board before it
was added to CVE.

Name    CVE-1999-0430

Description     Cisco Catalyst LAN switches running Catalyst 5000 supervisor
software allows remote attackers to perform a denial of service by forcing
the supervisor module to reload.
References
ISS:Remote Denial of Service Vulnerability in Cisco Catalyst Series Ethernet
Switches
CISCO:Cisco Catalyst Supervisor Remote Reload
XF:cisco-catalyst-crash




_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
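As an added illustration of John's hypothesis (my example, not code from the thread or from Snort itself): a small model of the sid 513 rule header, run against a constructed stand-in for the alerted packet (inbound SYN/ACK, source port 7161). With HOME_NET set to the inside block and EXTERNAL_NET its negation the packet does not match; with both variables left as "any" it does, which reproduces the false positive. The addresses are made up; the helper names are my own.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """Minimal TCP header view: addresses, ports and the flag letters that are set."""
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # e.g. "SA" for ***A**S*


def addr_in(var: str, ip: str) -> bool:
    """Does ip fall inside a Snort address variable ('any', '!expr', '[a,b]', CIDR)?"""
    var = var.strip()
    if var == "any":
        return True
    if var.startswith("!"):
        return not addr_in(var[1:], ip)
    if var.startswith("[") and var.endswith("]"):
        return any(addr_in(part, ip) for part in var[1:-1].split(","))
    return ipaddress.ip_address(ip) in ipaddress.ip_network(var, strict=False)


def rule_matches(pkt: Packet, home_net: str, external_net: str) -> bool:
    """Header of sid 513: alert tcp $HOME_NET 7161 -> $EXTERNAL_NET any, flags:SA.

    flags:SA with no modifier means exactly SYN and ACK set, nothing else.
    """
    return (addr_in(home_net, pkt.src) and pkt.sport == 7161
            and addr_in(external_net, pkt.dst)
            and set(pkt.flags) == {"S", "A"})


# Constructed stand-in for the ACID alert: outsideip -> insideip, 7161 -> 1736, ***A**S*
ALERT = Packet(src="203.0.113.7", sport=7161, dst="192.168.1.20", dport=1736, flags="SA")


def check_configs() -> dict:
    """Evaluate the alerted packet under a sane config and under HOME_NET = EXTERNAL_NET = any."""
    return {
        # inside block as HOME_NET, everything else as EXTERNAL_NET: inbound SYN/ACK is ignored
        "correct": rule_matches(ALERT, "192.168.1.0/24", "!192.168.1.0/24"),
        # both variables "any": the inbound packet satisfies the header, so it alerts
        "both_any": rule_matches(ALERT, "any", "any"),
    }


if __name__ == "__main__":
    print(check_configs())
```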