Snort mailing list archives
Re: Q? what would have generated this.
From: John Sage <jsage () finchhaven com>
Date: Sun, 25 Nov 2001 18:48:25 -0800
Kenneth:

The rule itself (arachNIDS 129 -- at least the version that comes with snort-1.8.2 build 86) states:

misc.rules: alert tcp $HOME_NET 7161 -> $EXTERNAL_NET any (msg:"MISC Cisco Catalyst Remote Access"; flags:SA; reference:arachnids,129; reference:cve,CVE-1999-0430; classtype:bad-unknown; sid:513; rev:1;)

So is there a possibility that $HOME_NET and $EXTERNAL_NET are misconfigured, or that $HOME_NET and $EXTERNAL_NET are somehow seen by snort as identical?
If that's so, then the packet you show below meets the rest of the rule, i.e. apparent source port 7161, ACK/SYN flags set.
Otherwise, the rule should only match on an *outgoing* packet, one would think.
I've forwarded this to the snort list, to see if anyone has any ideas... HTH..

- John

Kenneth Brown wrote:

i know it's bad to make you think on Sundays... would anyone know what would have generated a CVE-1999-0430 from a source machine running Red Hat Linux? i include the packet. src and dest have been modified to protect identities.... i also attached the CVE.

kenneth gf brown
ceo shadowplay.net

Generated by ACID v0.9.6b11 on Sun November 25, 2001 03:06:31
------------------------------------------------------------------------------
#(1 - 528) [2001-11-21 22:39:14] [arachNIDS/129] [CVE/CVE-1999-0430] MISC Cisco Catalyst Remote Access
IPv4: outsideip -> insideip hlen=5 TOS=0 dlen=44 ID=0 flags=0 offset=0 TTL=43 chksum=56994
TCP: port=7161 -> dport: 1736 flags=***A**S* seq=3331448114 ack=2418700017 off=6 res=0 win=5840 urp=0 chksum=19127
Options: #1 - MSS len=4 data=0578
Payload: none

CVE-1999-0430
CVE Version: 20010918
This is an entry on the CVE list, which standardizes names for security problems. It was reviewed and accepted by the CVE Editorial Board before it was added to CVE.
Name: CVE-1999-0430
Description: Cisco Catalyst LAN switches running Catalyst 5000 supervisor software allows remote attackers to perform a denial of service by forcing the supervisor module to reload.
References:
ISS: Remote Denial of Service Vulnerability in Cisco Catalyst Series Ethernet Switches
CISCO: Cisco Catalyst Supervisor Remote Reload
XF: cisco-catalyst-crash
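To illustrate John's point about rule direction, here is an added example (not code from the thread or from Snort) that models how the header of sid 513 is evaluated and shows that the inbound SYN/ACK from the alert can only match when $HOME_NET and $EXTERNAL_NET overlap. The addresses 203.0.113.5 and 192.168.1.10 are constructed stand-ins for outsideip and insideip; the "!CIDR" negation form and the 8-character "12UAPRSF" flag field follow Snort's own syntax.

```python
"""Model how the header of the sid:513 rule decides a match (added example)."""
import ipaddress

# Snort/ACID print TCP flags as an 8-character field in the order 1 2 U A P R S F;
# '*' means the bit is clear, so "***A**S*" is ACK+SYN.
FLAG_ORDER = "12UAPRSF"


def parse_acid_flags(field):
    """'***A**S*' -> {'A', 'S'}."""
    if len(field) != 8:
        raise ValueError("expected an 8-character flag field")
    return {name for name, ch in zip(FLAG_ORDER, field) if ch != "*"}


def ip_in_var(ip, var):
    """Evaluate a Snort 1.8-style address variable: 'any', a CIDR, or a negated '!CIDR'."""
    if var == "any":
        return True
    negate = var.startswith("!")
    net = ipaddress.ip_network(var.lstrip("!"), strict=False)
    return (ipaddress.ip_address(ip) in net) != negate


def matches_sid513(src, sport, dst, dport, flag_field, home_net, external_net):
    """alert tcp $HOME_NET 7161 -> $EXTERNAL_NET any (... flags:SA ...)
    Destination port is 'any'; 'flags:SA' with no modifier needs exactly SYN+ACK."""
    return (ip_in_var(src, home_net) and sport == 7161
            and ip_in_var(dst, external_net)
            and parse_acid_flags(flag_field) == {"S", "A"})


# Constructed stand-in for the alert in the thread: outsideip:7161 -> insideip:1736, ***A**S*.
INBOUND = dict(src="203.0.113.5", sport=7161, dst="192.168.1.10", dport=1736,
               flag_field="***A**S*")


def inbound_alerts_with_distinct_nets():
    """HOME_NET and EXTERNAL_NET set properly: the inbound SYN/ACK cannot match."""
    return matches_sid513(**INBOUND, home_net="192.168.1.0/24",
                          external_net="!192.168.1.0/24")


def inbound_alerts_with_any_any():
    """Both variables left at 'any' (so they overlap): the same packet fires sid 513."""
    return matches_sid513(**INBOUND, home_net="any", external_net="any")


if __name__ == "__main__":
    print("distinct nets:", inbound_alerts_with_distinct_nets())  # False
    print("any/any:", inbound_alerts_with_any_any())  # True
```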
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users