Snort mailing list archives

Re: Fw: Cisco Vulnerability Testing Results

From: Jon Hart <warchild () spoofed org>
Date: Fri, 18 Jul 2003 14:02:50 -0400

On Fri, Jul 18, 2003 at 01:46:39PM -0400, Gary Morris wrote:


Just to be sure, and becaue in an ideal world I shouldn't really be
seeing any of these protocols in my network, I've left my definitions
somewhat more broad.. 

alert ip $EXTERNAL_NET any -> $HOME_NET any (msg: "CISCO: IP Proto 53
(Swipe) detected"; ip_proto: 53; classtype:denial-of-service;)
alert ip $EXTERNAL_NET any -> $HOME_NET any (msg: "CISCO: IP Proto 55
(IP Mobility) detected"; ip_proto: 55; classtype:denial-of-service;)
alert ip $EXTERNAL_NET any -> $HOME_NET any (msg: "CISCO: IP Proto 77
(SUN ND) detected"; ip_proto: 77; classtype:denial-of-service;)
alert ip $EXTERNAL_NET any -> $HOME_NET any (msg: "CISCO: IP Proto 103
(PIM) detected"; ip_proto: 103; classtype:denial-of-service;)

-gary morris, gcia


If you are using those sigs in Snort, you might also want to make use of
spp_conversation which can catch all unwanted and/or unused protocols
that might be swimming around your network(s).  See the config I posted
here:

http://marc.theaimsgroup.com/?l=snort-users&m=105849030507605&w=2

Also, a number of people have posted sigs that are not only matching
based on IP protocol number, but also on content.  Obviously this will
only catch the *tool* being used, and not the *exploit* which is far
from ideal.  For similar signatures to the ones you posted, see the ones
I posted here:

http://marc.theaimsgroup.com/?l=snort-users&m=105849245609117&w=2

Or get the latest and greatest Snort rules from Snort CVS.

-jon



-------------------------------------------------------
This SF.net email is sponsored by: VM Ware
With VMware you can run multiple operating systems on a single machine.
WITHOUT REBOOTING! Mix Linux / Windows / Novell virtual machines at the
same time. Free trial click here: http://www.vmware.com/wl/offer/345/0
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Current thread:

Re: Fw: Cisco Vulnerability Testing Results Jon Hart (Jul 18)
- Re: [Snort-sigs] Re: Fw: Cisco Vulnerability Testing Results William Stearns (Jul 18)
- Re: [Snort-sigs] Re: Fw: Cisco Vulnerability Testing Results Michael Scheidell (Jul 20)
  - Re: Re: [Snort-sigs] Re: Fw: Cisco Vulnerability Testing Results Rich Adamson (Jul 20)
    - snort.conf Tantravahi Venkata Aditya (Jul 20)
    - RE: snort.conf Scott Renna (Jul 20)
    - preprocessor logs Tantravahi Venkata Aditya (Jul 20)
    - Re: preprocessor logs Matt Kettler (Jul 21)
    - Viewing ACID set's off P..O..R..N rules ... Jason Whitson (Jul 21)
    - RE: Viewing ACID set's off P..O..R..N rules ... Scott Renna (Jul 21)
    - Re: Viewing ACID set's off P..O..R..N rules ... Jason Whitson (Jul 21)

(Thread continues...)