Snort mailing list archives

Re: Suggested Sig for Cisco DOS Vulnerability


From: "Muenz, Michael" <linux () leute server de>
Date: Fri, 18 Jul 2003 14:57:55 +0200

Hey guys,
Doesn't look like an exploit exists as of yet but Cisco just released what IP
protocols cause the DOS so it won't be long until there is one!

On heise.de ... a public German IT news site they told about
exploits found in the wild.

Here's what I'm using to try to identify this traffic:
alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"IP Protocol 53 Cisco DOS Packet"; ip_proto: 53; classtype:denial-of-service;)
alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"IP Protocol 55 Cisco DOS Packet"; ip_proto: 55; classtype:denial-of-service;)
alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"IP Protocol 77 Cisco DOS Packet"; ip_proto: 77; classtype:denial-of-service;)
alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"IP Protocol 103 Cisco DOS Packet"; ip_proto: 103; classtype:denial-of-service;)

proto 53 is very noisy in my network. In my list it's only
called "SWIPE - IP with Encryption".

- Michael
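
Added example, not part of the original post or of Snort: the same match the four ip_proto rules perform (IPv4 protocol field in 53, 55, 77, 103, external source to home destination), run offline over constructed packets and tallied per source so that a noisy protocol such as 53 can be triaged. The function names, the 192.0.2.0/24 home network and the sample packets are assumptions made for the illustration, and "external" is taken to mean "not in the home network".

```python
import ipaddress
import struct
from collections import Counter

WATCHED_PROTOS = {53, 55, 77, 103}  # the ip_proto values in the four rules

def ipv4_fields(packet: bytes):
    """Return (src, dst, proto) from a raw IPv4 packet, or None if malformed."""
    if len(packet) < 20:
        return None
    version, ihl = packet[0] >> 4, packet[0] & 0x0F
    if version != 4 or ihl < 5 or len(packet) < ihl * 4:
        return None
    src = ipaddress.IPv4Address(packet[12:16])
    dst = ipaddress.IPv4Address(packet[16:20])
    return src, dst, packet[9]  # byte 9 of the header is the protocol field

def triage(packets, home_net: str):
    """Count external -> home packets per (protocol, source) for watched protocols."""
    net = ipaddress.ip_network(home_net)
    hits = Counter()
    for pkt in packets:
        fields = ipv4_fields(pkt)
        if fields is None:
            continue  # not IPv4 or truncated: the ip_proto match does not apply
        src, dst, proto = fields
        if proto in WATCHED_PROTOS and dst in net and src not in net:
            hits[(proto, str(src))] += 1
    return hits

def make_ipv4(src: str, dst: str, proto: int, payload: bytes = b"") -> bytes:
    """Build a constructed test packet in memory (header checksum left at 0)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                       proto, 0, ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed) + payload

# Constructed sample traffic; all addresses are documentation ranges.
SAMPLE = (
    [make_ipv4("198.51.100.7", "192.0.2.1", 53)] * 3     # one chatty proto 53 source
    + [make_ipv4("203.0.113.9", "192.0.2.1", 103)]       # single proto 103 packet
    + [make_ipv4("203.0.113.9", "192.0.2.1", 6, b"x")]   # TCP, not watched
    + [make_ipv4("192.0.2.5", "192.0.2.1", 77)]          # internal source, skipped
    + [b"\x60" + b"\x00" * 39]                           # IPv6 header, ignored
)

if __name__ == "__main__":
    for (proto, src), n in triage(SAMPLE, "192.0.2.0/24").most_common():
        print(f"proto {proto:3d} from {src}: {n} packet(s)")
```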


