Re: SID 1545: DOS Cisco attempt

["D PH" <flying_triguy () hotmail com>]

Ok, I've looked high and low, and I can't find anything that this would 
correspond to. A couple people emailed me privately indicating that the 
problem was

"Cisco IOS HTTP %% Vulnerability"
http://www.securityfocus.com/bid/1154/discussion/

except that I don't see how a vulnerability that presumbaly requires a valid 
HTTP request (minimum "GET /%% HTTP/1.0") can correspond with a signature 
that looks for a 1 byte packet that contains a Hex-13 byte.

Now perhaps it's just me, but I think that someone would have had to write 
the rule, or at least consider it a bit before allowing it into the rule 
base.  I could even accept that it's an old rule that everyone has forgotten 
about why it's in there, except that someone promoted it from experimental 
recently. And in my archived downloads of rules files, the rule itself does 
not appear until late September or early October sometime... although it is 
in the sid-msg.map .

If anyone has any ideas (perhaps whomever commited it into the rulebase 
hmmm??), I would appreciate knowing. If no one knows what the purpose is, 
perhaps it should be removed.

D

> From: twig les <twigles () yahoo com>
> To: D PH <flying_triguy () hotmail com>, snort-sigs () lists sourceforge net,  
> snort-users () lists sourceforge net
> Subject: Re: [Snort-users] SID 1545: DOS Cisco attempt
> Date: Mon, 17 Mar 2003 10:01:49 -0800 (PST)
>
> I'm not 100% but it's probably regarding that old DoS on a Cisco
> box running Cisco's Satanic(TM) web server.  Check Cisco's site
> for more info, but basically you can send a router a simple url
> that will make it hang for a minute or so and then reboot.  I've
> tried it myself (on private equipment) and I must admit it's
> funny.
>
> It sounds like you're fine, but I implore anyone reading this
> ... hunt down and turn off any web server that Cisco touched,
> this isn't the only vuln and there are no patches.
>
> --- D PH <flying_triguy () hotmail com> wrote:
> > Hey all, running into a bit of a wall, I can't find out what
> > vulnerability
> > this rule applies to. There is no CVE, CERT or Bugtraq
> > information in it.
> >
> > I am seeing a few of these every now and then on my external
> > interface of a
> > class C and before I comment it out as being not applicable to
> > me, I would
> > like to know what vulnerability it is. I can't figure it out
> > unless it is
> > mis-named. It is looking for a 1 byte packet destined for a
> > web port with
> > 0x13 as the only byte.
> >
> > The rule was promoted out of Experimental rules and into
> > dos.rules, but I am
> > at a loss as to what it means.
> >
> > dos.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80
> > (msg:"DOS cisco
> > attempt"; flow:to_server,established; content:"|13|"; dsize:1;
> >
> > classtype:web-application-attack; sid:1545; rev:4;)
> >
> > Any ideas? Any hints? I can't even tell if I should be looking
> > for CISCO DoS
> > information or web-app vulnerabilities.
> >
> > DP
> >
> >
> _________________________________________________________________
> > STOP MORE SPAM with the new MSN 8 and get 2 months FREE*
> > http://join.msn.com/?page=features/junkmail
> >
> >
> >
> > -------------------------------------------------------
> > This SF.net email is sponsored by:Crypto Challenge is now
> > open!
> > Get cracking and register here for some mind boggling fun and
> > the chance of winning an Apple iPod:
> > http://ads.sourceforge.net/cgi-bin/redirect.pl?thaw0031en
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users () lists sourceforge net
> > Go to this URL to change user options or unsubscribe:
> > https://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
>
> =====
> -----------------------------------------------------------
> Know yourself and know your enemy and you will never fear defeat.
> -----------------------------------------------------------
>
> __________________________________________________
> Do you Yahoo!?
> Yahoo! Web Hosting - establish your business online
> http://webhosting.yahoo.com


_________________________________________________________________
MSN 8 with e-mail virus protection service: 2 months FREE*  
http://join.msn.com/?page=features/virus



-------------------------------------------------------
This SF.net email is sponsored by:
The Definitive IT and Networking Event. Be There!
NetWorld+Interop Las Vegas 2003 -- Register today!
http://ads.sourceforge.net/cgi-bin/redirect.pl?keyn0001en
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users