Snort mailing list archives
Re: [Snort-sigs] Re: Fw: Cisco Vulnerability Testing Results
From: William Stearns <wstearns () pobox com>
Date: Fri, 18 Jul 2003 14:37:15 -0400 (EDT)
Good afternoon, Jon,

On Fri, 18 Jul 2003, Jon Hart wrote:

> On Fri, Jul 18, 2003 at 01:46:39PM -0400, Gary Morris wrote:
> > Just to be sure, and because in an ideal world I shouldn't really be seeing any of these protocols in my network, I've left my definitions somewhat more broad..
> >
> > alert ip $EXTERNAL_NET any -> $HOME_NET any (msg: "CISCO: IP Proto 53 (Swipe) detected"; ip_proto: 53; classtype:denial-of-service;)
> > alert ip $EXTERNAL_NET any -> $HOME_NET any (msg: "CISCO: IP Proto 55 (IP Mobility) detected"; ip_proto: 55; classtype:denial-of-service;)
> > alert ip $EXTERNAL_NET any -> $HOME_NET any (msg: "CISCO: IP Proto 77 (SUN ND) detected"; ip_proto: 77; classtype:denial-of-service;)
> > alert ip $EXTERNAL_NET any -> $HOME_NET any (msg: "CISCO: IP Proto 103 (PIM) detected"; ip_proto: 103; classtype:denial-of-service;)
>
> If you are using those sigs in Snort, you might also want to make use of spp_conversation which can catch all unwanted and/or unused protocols that might be swimming around your network(s). See the config I posted here: http://marc.theaimsgroup.com/?l=snort-users&m=105849030507605&w=2
>
> Also, a number of people have posted sigs that are not only matching based on IP protocol number, but also on content. Obviously this will only catch the *tool* being used, and not the *exploit* which is far
_Excellent_ point. It might even make sense to use both sets of rules; the content-specific rules to identify that the original tool is being used, and the more generic protocol-only rules afterwards to show that someone's trying to exploit those protocols, but they're using a different tool.

Cheers,
- Bill

---------------------------------------------------------------------------
"Cogito ergo sum...cogito." (Courtesy of Bob Hillery <rhillery () tec nh us>)
--------------------------------------------------------------------------
William Stearns (wstearns () pobox com). Mason, Buildkernel, freedups, p0f, rsync-backup, ssh-keyinstall, dns-check, more at: http://www.stearns.org
Linux articles at: http://www.opensourcedigest.com
--------------------------------------------------------------------------
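To show what the protocol-only rules quoted in this thread actually test (the IPv4 protocol field plus the $EXTERNAL_NET -> $HOME_NET direction, with no dependence on payload content, which is why they also catch a different tool), here is an added example that re-expresses them as a small checker run over constructed packets. It is not code from the thread or from Snort; $HOME_NET is assumed to be 192.0.2.0/24 and all packets and addresses are constructed for the demonstration.

```python
import ipaddress
import struct

# Protocol numbers and names from the rules quoted in the thread.
WATCHED_PROTOS = {53: "Swipe", 55: "IP Mobility", 77: "SUN ND", 103: "PIM"}
# Hypothetical stand-in for Snort's $HOME_NET; any other address counts as $EXTERNAL_NET.
HOME_NET = ipaddress.ip_network("192.0.2.0/24")

def parse_ipv4(pkt):
    """Return (proto, src, dst, payload) for a raw IPv4 packet, or None if not IPv4 or truncated."""
    if len(pkt) < 20:
        return None
    ver_ihl, _, _, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4  # header length in bytes; IP options push it past 20
    if ver_ihl >> 4 != 4 or ihl < 20 or len(pkt) < ihl:
        return None
    return proto, ipaddress.ip_address(src), ipaddress.ip_address(dst), pkt[ihl:]

def match_rules(pkt):
    """Emulate 'alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:...; ip_proto:N;)'."""
    parsed = parse_ipv4(pkt)
    if parsed is None:
        return None
    proto, src, dst, _ = parsed
    if src in HOME_NET or dst not in HOME_NET:  # direction: external source into the home net
        return None
    if proto in WATCHED_PROTOS:
        return f"CISCO: IP Proto {proto} ({WATCHED_PROTOS[proto]}) detected"
    return None

def build_ipv4(proto, src, dst, payload=b"", options=b""):
    """Construct a test IPv4 packet (header checksum left as zero)."""
    ihl = 5 + len(options) // 4
    hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, ihl * 4 + len(payload), 0, 0, 64,
                      proto, 0, ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    return hdr + options + payload

# Constructed samples: inbound PIM, inbound TCP, outbound IP Mobility, inbound Swipe with NOP options, IPv6.
SAMPLE_PACKETS = [
    build_ipv4(103, "198.51.100.7", "192.0.2.1"),
    build_ipv4(6, "198.51.100.7", "192.0.2.1", b"GET / HTTP/1.0\r\n"),
    build_ipv4(55, "192.0.2.5", "198.51.100.9"),
    build_ipv4(53, "203.0.113.4", "192.0.2.9", b"\x00" * 8, options=b"\x01" * 4),
    b"\x60" + b"\x00" * 39,  # version nibble 6: the parser must skip it rather than misread it
]

def scan(packets):
    """Return [(index, alert message)] for every packet that fires one of the rules."""
    hits = [(i, match_rules(p)) for i, p in enumerate(packets)]
    return [(i, msg) for i, msg in hits if msg]
```

Only the inbound PIM and inbound Swipe packets fire; the TCP packet, the outbound IP Mobility packet and the non-IPv4 frame are ignored, the same outcome the Snort rules would give.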