Snort mailing list archives
RE: Anyone got a rule for the latest Cisco bug?
From: "Du Feu, Richard" <r.dufeu () lancaster ac uk>
Date: Fri, 18 Jul 2003 10:16:16 +0100
I'm fairly new to Snort and am not yet good at writing rules for it; however, I do have a packet capture of an attack against a Cisco device. This is the exploit released on netssys. It looks roughly like this:

09:45:29.846575 8.145.50.78 > a.b.c.d: ip-proto-53 26 [ttl 1] (id 17168, len 46)
09:45:29.846738 0.246.255.32 > a.b.c.d: mobile 0.246.255.32 > a.b.c.d: [] > 4.5.6.7 (oproto=0) (bad checksum 515) [ttl 1] (id 6925, len 46)
09:45:29.846770 201.211.15.73 > a.b.c.d: nd 26 [ttl 1] (id 38906, len 46)
09:45:29.846795 61.81.217.4 > a.b.c.d: pim v0 [ttl 1] (id 8220, len 46)

The ttl needs to be the number of hops to the target system. The source IPs are spoofed. Is this enough for someone who is clued up to write a rule for it?

Richard

-----Original Message-----
From: Jason Haar [mailto:Jason.Haar () trimble co nz]
Sent: 17 July 2003 23:12
To: snort-users () lists sourceforge net
Subject: [Snort-users] Anyone got a rule for the latest Cisco bug?

Cisco Security Advisory: Cisco IOS Interface Blocked by IPv4 Packet

Apparently some hacked IPv4 packet sent at a Cisco router's actual IP address can cause a table to fill up - causing the router to become unusable.

Anyone got a pattern match for it?

Frankly the CERT alert about it was next to useless - they have some example ACLs that "may" help - but there's not enough to go on really (I mean, if I want to allow SSH access to a router from one IP address on the Internet, can I make an ACL to allow that, and block all other IP, or does this attack mean that if the baddie fakes the SYN packet to match my "good" address, then the attack still works???)

--
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
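Since the thread asks what a rule for this traffic would match on, here is an added example (my code, not Richard's, Jason's or a Snort rule) that decodes the header fields the capture shows and flags the profile it describes: one of the four protocols (ip-proto-53, mobile, nd, pim) arriving with TTL 0 or 1, with the IP checksum verified so a "bad checksum" packet is visible in the alert. The protocol numbers 53/55/77/103 behind tcpdump's names, the constructed sample packets and 192.0.2.1 standing in for a.b.c.d are my assumptions.

```python
import struct
# tcpdump's names in the capture mapped to IPv4 protocol numbers (assumed): ip-proto-53 = 53, mobile = 55, nd = 77, pim = 103.
TARGET_PROTOS = {53: "ip-proto-53", 55: "mobile", 77: "nd", 103: "pim"}

def ipv4_checksum(hdr: bytes) -> int:
    """Ones-complement sum of the header words (even length); 0 means the stored checksum is valid."""
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def parse_ipv4(pkt: bytes) -> "dict | None":
    """Decode the fields the capture shows; None if the bytes are not a plausible IPv4 header."""
    if len(pkt) < 20:
        return None
    vihl, _, total_len, ident, _, ttl, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (vihl & 0x0F) * 4
    if vihl >> 4 != 4 or ihl < 20 or len(pkt) < ihl:
        return None
    return {"id": ident, "len": total_len, "ttl": ttl, "proto": proto,
            "src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
            "csum_ok": ipv4_checksum(pkt[:ihl]) == 0}

def matches_blocked_interface_profile(h: dict, max_ttl: int = 1) -> bool:
    """The profile the thread describes: one of the four protocols arriving with TTL 0 or 1."""
    return h["proto"] in TARGET_PROTOS and h["ttl"] <= max_ttl

def scan(packets) -> list:
    """One alert per matching packet; the source address is logged but, as Richard notes, spoofed."""
    hdrs = (parse_ipv4(raw) for raw in packets)
    return [{"src": h["src"], "proto": TARGET_PROTOS[h["proto"]], "ttl": h["ttl"], "csum_ok": h["csum_ok"]}
            for h in hdrs if h and matches_blocked_interface_profile(h)]

def build_ipv4(src, dst, proto, ttl, ident, payload_len=26, checksum=None) -> bytes:
    """Constructed test packet (len 46 like the capture); checksum=None fills in a valid one."""
    octets = lambda ip: bytes(int(o) for o in ip.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ident, 0, ttl, proto, 0,
                      octets(src), octets(dst))
    csum = ipv4_checksum(hdr) if checksum is None else checksum
    return hdr[:10] + struct.pack("!H", csum) + hdr[12:] + b"\x00" * payload_len

# Constructed samples modelled on the capture; 192.0.2.1 stands in for a.b.c.d.
SAMPLES = [
    build_ipv4("8.145.50.78", "192.0.2.1", 53, 1, 17168),
    build_ipv4("0.246.255.32", "192.0.2.1", 55, 1, 6925, checksum=515),  # bad checksum, as in the capture
    build_ipv4("201.211.15.73", "192.0.2.1", 77, 1, 38906),
    build_ipv4("61.81.217.4", "192.0.2.1", 103, 1, 8220),
    build_ipv4("198.51.100.7", "192.0.2.1", 103, 64, 1),  # PIM with a normal TTL: not the profile
    build_ipv4("198.51.100.8", "192.0.2.1", 6, 1, 2),     # TCP with TTL 1: not one of the four protocols
]
```

A sensor only sees the TTL at its own position, so the TTL test is meaningful where the sensor sits on the same hop as the target router; elsewhere matching on the four protocol numbers alone is the safer rule. Because the sources are spoofed, the src field is useful for correlation, not attribution.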
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users