Snort mailing list archives
RE: Rule for Cisco IOS Interface Blocked by IPv4 Packet Vulnerability
From: "Matt Ploessel" <matt.ploessel () foundstone com>
Date: Fri, 18 Jul 2003 08:04:29 -0700
Pawel, good observation, a simple fat-fingered mistake on my part. Thank you for pointing it out.
-----Original Message-----
From: Pawel Rogocz [mailto:pawel () rogocz com]
Sent: Friday, July 18, 2003 2:08 AM
To: Matt Ploessel
Cc: snort-users () lists sourceforge net; jason.haar () trimble co nz; hackwacker () tarpit cybermesa com
Subject: Re: [Snort-users] Rule for Cisco IOS Interface Blocked by IPv4 Packet Vulnerability

Yeah right, let's alert on all UDP packets :-)

According to Cisco
http://www.cisco.com/warp/public/707/cisco-sa-20030717-blocked.shtml
it is protocol 77 not 17.

Pawel

On Thu, Jul 17, 2003 at 05:46:22PM -0700, Matt Ploessel wrote:
> In the Foundstone web seminar today covering the details of the Cisco
> IOS vulnerability released this morning, some users asked for snort
> rules to detect potential Cisco DoS attempts. The simple rule below
> should do the job. Tomorrow morning Foundstone will have a follow-up
> seminar covering new information and our current findings.
>
> I am interested to track the presence of malicious scanning of this
> vulnerability in the wild. For those who apply the below rules, please
> attempt to share sanitized information (number of detections and size
> of IP space covered by your IDS) with me so statistics of the
> vulnerability presence can be generated based on a larger consensus.
> Thank You.
>
> Information on the Foundstone web seminar:
> http://www.foundstone.com/company/pressrelease_template.htm?indexid=79
>
> Snort Rule for the Cisco IOS Interface IPv4 Packet Vulnerability
>
> alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"Cisco IPv4 DoS"; classtype:attempted-dos; ip_proto:53;)
> alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"Cisco IPv4 DoS"; classtype:attempted-dos; ip_proto:55;)
> alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"Cisco IPv4 DoS"; classtype:attempted-dos; ip_proto:17;)
> alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"Cisco IPv4 DoS"; classtype:attempted-dos; ip_proto:103;)
>
> ...
> Matt Ploessel
> Network Security Engineer
> Foundstone, Inc.
> Strategic Security
> 949.297.5622 Tel
> 949.297.5575 Fax
> http://www.foundstone.com
> PGP Hash: 5233 27A0 E504 2887 0F6F 0218 7495 1EB2 F182 E914
>
> This email may contain confidential and privileged information for the
> sole use of the intended recipient. Content disclosure to third
> parties is strictly prohibited. Verify sender and message body
> authenticity against the above PGP key only, retrieved via a secure
> and dependable method. Thank you.
>
> -------------------------------------------------------
> This SF.net email is sponsored by: VM Ware
> With VMware you can run multiple operating systems on a single machine.
> WITHOUT REBOOTING! Mix Linux / Windows / Novell virtual machines at the
> same time. Free trial click here: http://www.vmware.com/wl/offer/345/0
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
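Why the single protocol number matters, as an added example that is not code from this thread: the sketch below applies the ip_proto set from the rules as first posted, and the same set with the correction from the reply (77, not 17), to a few constructed IPv4 headers. It models only the ip_proto match, not the $EXTERNAL_NET/$HOME_NET direction; the function names, addresses and sample packets are assumptions made for illustration.

```python
import socket
import struct

POSTED = {53, 55, 17, 103}      # ip_proto values in the rules as first posted
CORRECTED = {53, 55, 77, 103}   # same set with the reply's fix: 77, not 17


def sample_header(proto, src="192.0.2.10", dst="198.51.100.1"):
    """Constructed 20-byte IPv4 header (hypothetical sample data).

    The checksum is left at 0; the bytes are only parsed, never sent.
    """
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))


def ip_proto(packet):
    """Return the IPv4 protocol field, or None for non-IPv4 or truncated data."""
    if len(packet) < 20:
        return None
    version, ihl = packet[0] >> 4, (packet[0] & 0x0F) * 4
    if version != 4 or ihl < 20 or len(packet) < ihl:
        return None
    return packet[9]  # byte 9 of the IPv4 header is the protocol number


def alerts(packets, protos):
    """Indexes of the packets that a rule set keyed on `protos` would alert on."""
    return [i for i, p in enumerate(packets) if ip_proto(p) in protos]


# Constructed traffic: two UDP (17), one TCP (6), one each of protocols
# 77 and 53, and a truncated fragment that must not match anything.
SAMPLE = [sample_header(17), sample_header(17), sample_header(6),
          sample_header(77), sample_header(53), b"\x45\x00"]

if __name__ == "__main__":
    print("posted   :", alerts(SAMPLE, POSTED))
    print("corrected:", alerts(SAMPLE, CORRECTED))
```

With the posted set every ordinary UDP packet alerts and the protocol 77 packet passes unnoticed; with the corrected set only the protocol 77 and 53 packets alert.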
Current thread:
- Rule for Cisco IOS Interface Blocked by IPv4 Packet Vulnerability Matt Ploessel (Jul 17)
- Re: Rule for Cisco IOS Interface Blocked by IPv4 Packet Vulnerability Pawel Rogocz (Jul 18)
- <Possible follow-ups>
- Rule for Cisco IOS Interface Blocked by IPv4 Packet Vulnerability Matt Ploessel (Jul 18)
- Re: Rule for Cisco IOS Interface Blocked by IPv4 Packet Vulnerability Jason Haar (Jul 17)
- RE: Rule for Cisco IOS Interface Blocked by IPv4 Packet Vulnerability Matt Ploessel (Jul 18)