Snort mailing list archives

RE: Rule for Cisco IOS Interface Blocked by IPv4 Packet Vulnerability


From: "Matt Ploessel" <matt.ploessel () foundstone com>
Date: Fri, 18 Jul 2003 08:04:29 -0700

Pawel,

Good observation, a simple fat-fingered mistake on my part. Thank you
for pointing it out.


-----Original Message-----
From: Pawel Rogocz [mailto:pawel () rogocz com] 
Sent: Friday, July 18, 2003 2:08 AM
To: Matt Ploessel
Cc: snort-users () lists sourceforge net; 
jason.haar () trimble co nz; hackwacker () tarpit cybermesa com
Subject: Re: [Snort-users] Rule for Cisco IOS Interface 
Blocked by IPv4 Packet Vulnerability


Yeah right, let's alert on all UDP packets :-)

According to Cisco 

http://www.cisco.com/warp/public/707/cisco-sa-20030717-blocked.shtml

it is protocol 77 not 17.



Pawel

On Thu, Jul 17, 2003 at 05:46:22PM -0700, Matt Ploessel wrote:

In the Foundstone web seminar today covering the details of the Cisco
IOS vulnerability released this morning, some users asked for Snort
rules to detect potential Cisco DoS attempts. The simple rule below
should do the job. Tomorrow morning Foundstone will have a follow-up
seminar covering new information and our current findings. I am
interested in tracking the presence of malicious scanning of this
vulnerability in the wild. For those who apply the below rules, please
attempt to share sanitized information (number of detections and size
of IP space covered by your IDS) with me so statistics of the
vulnerability presence can be generated based on a larger consensus.

Thank You.

Information on the Foundstone web seminar: 

http://www.foundstone.com/company/pressrelease_template.htm?indexid=79

Snort Rule for the Cisco IOS Interface IPv4 Packet Vulnerability

alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"Cisco IPv4 DoS"; classtype:attempted-dos; ip_proto:53;)
alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"Cisco IPv4 DoS"; classtype:attempted-dos; ip_proto:55;)
alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"Cisco IPv4 DoS"; classtype:attempted-dos; ip_proto:17;)
alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"Cisco IPv4 DoS"; classtype:attempted-dos; ip_proto:103;)

...

Matt Ploessel
Network Security Engineer
Foundstone, Inc.
Strategic Security

949.297.5622 Tel
949.297.5575 Fax 

http://www.foundstone.com

PGP Hash: 5233 27A0 E504 2887 0F6F 0218 7495 1EB2 F182 E914

This email may contain confidential and privileged 
information for the 
sole use of the intended recipient. Content disclosure to third 
parties is strictly prohibited. Verify sender and message body 
authenticity against the above PGP key only, retrieved via a secure 
and dependable method. Thank you.


-------------------------------------------------------
This SF.net email is sponsored by: VM Ware
With VMware you can run multiple operating systems on a single 
machine. WITHOUT REBOOTING! Mix Linux / Windows / Novell virtual 
machines at the same time. Free trial click here: 
http://www.vmware.com/wl/offer/345/0
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

-- 



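The rules in the thread are Snort configuration, so the correction Pawel raises (protocol 77, not 17) is easiest to see by emulating what the four `ip_proto` rules actually match. The following is an added example, not code from the thread, from Foundstone or from the Snort project: it builds a handful of constructed IPv4 packets, parses the header the way the `ip` rule header and `ip_proto` option look at it, and reports which packets each rule set alerts on. The protocol list 53, 55, 77, 103 is taken from the Cisco advisory linked above; `HOME_NET` (192.0.2.0/24), the external address 198.51.100.7 and the sample packets are assumptions made for the example.

```python
import ipaddress
import struct
from typing import Optional

# Protocol numbers named in cisco-sa-20030717-blocked:
# 53 (SWIPE), 55 (IP Mobility), 77 (Sun ND), 103 (PIM).
ADVISORY_PROTOS = (53, 55, 77, 103)
# The rule set as first posted in the thread: 17 (UDP) where 77 belongs.
POSTED_PROTOS = (53, 55, 17, 103)

# Assumed $HOME_NET for the example (TEST-NET-1); $EXTERNAL_NET is its complement.
HOME_NET = ipaddress.ip_network("192.0.2.0/24")

IPV4_HDR = "!BBHHHBBH4s4s"  # 20-byte header without options


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 one's-complement sum over the header words."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(proto: int, src: str, dst: str, payload: bytes = b"", ttl: int = 64) -> bytes:
    """Construct a minimal IPv4 packet (no options) carrying the given protocol number."""
    hdr = struct.pack(IPV4_HDR, 0x45, 0, 20 + len(payload), 0, 0, ttl, proto, 0,
                      ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + payload


def parse_ipv4(packet: bytes) -> dict:
    """Return the header fields the rules need; raise ValueError on a malformed header."""
    if len(packet) < 20:
        raise ValueError("short packet")
    ver_ihl, _, _, _, _, ttl, proto, _, src, dst = struct.unpack(IPV4_HDR, packet[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (ver_ihl & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl:
        raise ValueError("bad IHL")
    # Summing the header with its checksum field in place must give zero.
    if ipv4_checksum(packet[:ihl]) != 0:
        raise ValueError("bad header checksum")
    return {"proto": proto, "ttl": ttl,
            "src": ipaddress.ip_address(src), "dst": ipaddress.ip_address(dst)}


def is_valid_ipv4(packet: bytes) -> bool:
    try:
        parse_ipv4(packet)
        return True
    except ValueError:
        return False


def match_rules(packet: bytes, protos=ADVISORY_PROTOS, home_net=HOME_NET) -> Optional[str]:
    """Emulate 'alert ip $EXTERNAL_NET any -> $HOME_NET any (ip_proto:N;)' for N in protos."""
    f = parse_ipv4(packet)
    if f["src"] not in home_net and f["dst"] in home_net and f["proto"] in protos:
        return "Cisco IPv4 DoS (ip_proto %d)" % f["proto"]
    return None


def sample_traffic() -> dict:
    """Constructed packets: an ordinary DNS query, ICMP, and the four advisory protocols."""
    ext, router = "198.51.100.7", "192.0.2.1"
    return {
        "dns_query": build_ipv4(17, ext, router, b"\x12\x34\x01\x00"),
        "icmp_echo": build_ipv4(1, ext, router),
        "proto53": build_ipv4(53, ext, router),
        "proto55": build_ipv4(55, ext, router),
        "proto77": build_ipv4(77, ext, router),
        "proto103": build_ipv4(103, ext, router),
        "internal_proto77": build_ipv4(77, "192.0.2.9", router),  # HOME_NET -> HOME_NET
    }


def run(protos) -> list:
    """Names of the sample packets the given rule set alerts on, sorted."""
    return sorted(name for name, pkt in sample_traffic().items() if match_rules(pkt, protos))


if __name__ == "__main__":
    print("advisory rule set alerts on:", run(ADVISORY_PROTOS))
    print("as-posted rule set alerts on:", run(POSTED_PROTOS))
```

Running it shows the two consequences of the typo: the as-posted set fires on the DNS query (and on every other UDP datagram into `$HOME_NET`) while never seeing the protocol 77 packet, whereas the set built from the advisory list alerts on exactly the four advisory protocols and stays silent for ordinary traffic and for packets that originate inside `$HOME_NET`.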

