Snort mailing list archives
Re: Rule for Cisco IOS Interface Blocked by IPv4 Packet Vulnerability
From: Pawel Rogocz <pawel () rogocz com>
Date: Fri, 18 Jul 2003 02:07:52 -0700
Yeah right, let's alert on all UDP packets :-)

According to Cisco
http://www.cisco.com/warp/public/707/cisco-sa-20030717-blocked.shtml
it is protocol 77 not 17.

Pawel

On Thu, Jul 17, 2003 at 05:46:22PM -0700, Matt Ploessel wrote:
In the Foundstone web seminar today covering the details of the Cisco IOS vulnerability released this morning, some users asked for snort rules to detect potential Cisco DoS attempts. The simple rule below should do the job.

Tomorrow morning Foundstone will have a follow-up seminar covering new information and our current findings. I am interested to track the presence of malicious scanning of this vulnerability in the wild. For those who apply the below rules, please attempt to share sanitized information (number of detections and size of IP space covered by your IDS) with me so statistics of the vulnerability presence can be generated based on a larger consensus. Thank You.

Information on the Foundstone web seminar:
http://www.foundstone.com/company/pressrelease_template.htm?indexid=79

Snort Rule for the Cisco IOS Interface IPv4 Packet Vulnerability

alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"Cisco IPv4 DoS"; classtype:attempted-dos; ip_proto:53;)
alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"Cisco IPv4 DoS"; classtype:attempted-dos; ip_proto:55;)
alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"Cisco IPv4 DoS"; classtype:attempted-dos; ip_proto:17;)
alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"Cisco IPv4 DoS"; classtype:attempted-dos; ip_proto:103;)

...

Matt Ploessel
Network Security Engineer
Foundstone, Inc.
Strategic Security
949.297.5622 Tel
949.297.5575 Fax
http://www.foundstone.com
PGP Hash: 5233 27A0 E504 2887 0F6F 0218 7495 1EB2 F182 E914

This email may contain confidential and privileged information for the sole use of the intended recipient. Content disclosure to third parties is strictly prohibited. Verify sender and message body authenticity against the above PGP key only, retrieved via a secure and dependable method. Thank you.

-------------------------------------------------------
This SF.net email is sponsored by: VM Ware
With VMware you can run multiple operating systems on a single machine. WITHOUT REBOOTING! Mix Linux / Windows / Novell virtual machines at the same time. Free trial click here: http://www.vmware.com/wl/offer/345/0
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
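As an added example (not code from Matt's or Pawel's posts, nor from Cisco or the Snort project): a small Python IPv4 header parser that classifies raw packets by protocol number against the four numbers the thread settles on (53, 55 and 103 from Matt's rules, and 77 in place of 17 per Pawel's correction), run over constructed sample packets so the UDP (17) case visibly does not match. It also emits the rule text with the ip_proto option written as `ip_proto:N;`, which is the form Snort's option parser takes. The protocol names in the table are the IANA assignments for those numbers; the addresses and packets are constructed, not captured traffic.

```python
"""Classify raw IPv4 packets by protocol number against the advisory set."""
import socket
import struct

# Protocol numbers discussed in the thread: Matt's 53, 55 and 103 plus
# Pawel's correction of 17 (UDP) to 77. Names are the IANA assignments.
ADVISORY_PROTOCOLS = {53: "SWIPE", 55: "MOBILE", 77: "SUN-ND", 103: "PIM"}


def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum over 16-bit words (RFC 791 header checksum)."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes = b"", ttl: int = 64) -> bytes:
    """Build a minimal IPv4 packet (20-byte header, no options, valid checksum)."""
    ver_ihl = (4 << 4) | 5
    total_len = 20 + len(payload)
    hdr = struct.pack("!BBHHHBBH4s4s", ver_ihl, 0, total_len, 0, 0, ttl, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + payload


def parse_ipv4(pkt: bytes) -> dict:
    """Parse the fixed IPv4 header; raise ValueError on anything malformed."""
    if len(pkt) < 20:
        raise ValueError("short packet")
    (ver_ihl, _tos, _total_len, _ident, _frag, ttl, proto, _csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    version, ihl = ver_ihl >> 4, (ver_ihl & 0x0F) * 4
    if version != 4 or ihl < 20 or len(pkt) < ihl:
        raise ValueError("not a well-formed IPv4 header")
    # Summing the header with its checksum field included must yield zero.
    if ipv4_checksum(pkt[:ihl]) != 0:
        raise ValueError("bad header checksum")
    return {"ttl": ttl, "proto": proto, "ihl": ihl,
            "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst)}


def matches_advisory(pkt: bytes) -> bool:
    """True if the packet carries one of the four advisory protocol numbers."""
    return parse_ipv4(pkt)["proto"] in ADVISORY_PROTOCOLS


def scan(packets) -> list:
    """Protocol numbers of the matching packets, in arrival order."""
    return [parse_ipv4(p)["proto"] for p in packets if matches_advisory(p)]


def snort_rule(proto: int) -> str:
    """The thread's rule, with the option in the ip_proto:N; form Snort parses."""
    return ('alert ip $EXTERNAL_NET any -> $HOME_NET any '
            '(msg:"Cisco IPv4 DoS proto %d"; classtype:attempted-dos; ip_proto:%d;)'
            % (proto, proto))


# Constructed sample traffic (not a capture): one packet per advisory protocol,
# plus a UDP (17) and a TCP (6) packet that must not trigger.
SAMPLE = [build_ipv4("192.0.2.10", "198.51.100.1", p) for p in (53, 55, 77, 103, 17, 6)]

if __name__ == "__main__":
    for p in SAMPLE:
        h = parse_ipv4(p)
        print(h["proto"], ADVISORY_PROTOCOLS.get(h["proto"], "-"), matches_advisory(p))
    for proto in sorted(ADVISORY_PROTOCOLS):
        print(snort_rule(proto))
```

The checksum verification is there so a packet with a corrupted header is reported as malformed rather than silently classified by a protocol byte that may itself be corrupt; the same check is what a sensor does before trusting the field.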
Current thread:
- Rule for Cisco IOS Interface Blocked by IPv4 Packet Vulnerability Matt Ploessel (Jul 17)
- Re: Rule for Cisco IOS Interface Blocked by IPv4 Packet Vulnerability Pawel Rogocz (Jul 18)
- <Possible follow-ups>
- Rule for Cisco IOS Interface Blocked by IPv4 Packet Vulnerability Matt Ploessel (Jul 18)
- Re: Rule for Cisco IOS Interface Blocked by IPv4 Packet Vulnerability Jason Haar (Jul 17)
- RE: Rule for Cisco IOS Interface Blocked by IPv4 Packet Vulnerability Matt Ploessel (Jul 18)