Snort mailing list archives

Re: [Snort-sigs] Re: Fw: Cisco Vulnerability Testing Results


From: William Stearns <wstearns () pobox com>
Date: Fri, 18 Jul 2003 14:37:15 -0400 (EDT)

Good afternoon, Jon,

On Fri, 18 Jul 2003, Jon Hart wrote:

On Fri, Jul 18, 2003 at 01:46:39PM -0400, Gary Morris wrote:

Just to be sure, and because in an ideal world I shouldn't really be
seeing any of these protocols in my network, I've left my definitions
somewhat more broad:

alert ip $EXTERNAL_NET any -> $HOME_NET any (msg: "CISCO: IP Proto 53 (Swipe) detected"; ip_proto: 53; classtype:denial-of-service;)
alert ip $EXTERNAL_NET any -> $HOME_NET any (msg: "CISCO: IP Proto 55 (IP Mobility) detected"; ip_proto: 55; classtype:denial-of-service;)
alert ip $EXTERNAL_NET any -> $HOME_NET any (msg: "CISCO: IP Proto 77 (SUN ND) detected"; ip_proto: 77; classtype:denial-of-service;)
alert ip $EXTERNAL_NET any -> $HOME_NET any (msg: "CISCO: IP Proto 103 (PIM) detected"; ip_proto: 103; classtype:denial-of-service;)

If you are using those sigs in Snort, you might also want to make use of
spp_conversation which can catch all unwanted and/or unused protocols
that might be swimming around your network(s).  See the config I posted
here:

http://marc.theaimsgroup.com/?l=snort-users&m=105849030507605&w=2

Also, a number of people have posted sigs that are not only matching
based on IP protocol number, but also on content.  Obviously this will
only catch the *tool* being used, and not the *exploit* which is far

        _Excellent_ point.  It might even make sense to use both sets of 
rules; the content-specific rules to identify that the original tool is 
being used, and the more generic protocol-only rules afterwards to show 
that someone's trying to exploit those protocols, but they're using a 
different tool.
        Cheers,
        - Bill

---------------------------------------------------------------------------
        "Cogito ergo sum...cogito."
(Courtesy of Bob Hillery <rhillery () tec nh us>)
--------------------------------------------------------------------------
William Stearns (wstearns () pobox com).  Mason, Buildkernel, freedups, p0f,
rsync-backup, ssh-keyinstall, dns-check, more at:   http://www.stearns.org
Linux articles at:                         http://www.opensourcedigest.com
--------------------------------------------------------------------------
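Added illustration of the two-tier approach discussed above (this is not code from the thread or from Snort): a small Python script that parses raw IPv4 headers, matches the four protocol numbers from the quoted rules, and reports a "tool" hit when a payload pattern is also present and a "protocol-only" hit otherwise. The payload marker TOOL_MARKER is a constructed placeholder, not a real tool signature, and build_ipv4() only exists to construct sample packets.

```python
import struct
from typing import Optional, Tuple

# IP protocol numbers from the rules quoted in the thread.
WATCHED_PROTOCOLS = {53: "Swipe", 55: "IP Mobility", 77: "SUN ND", 103: "PIM"}

# Constructed placeholder for a tool-specific payload pattern; purely
# illustrative, standing in for whatever content a content-based sig carries.
TOOL_MARKER = b"TOOL-MARKER"


def parse_ipv4(packet: bytes) -> Optional[Tuple[str, str, int, bytes]]:
    """Return (src, dst, protocol, payload) from a raw IPv4 packet, or None."""
    if len(packet) < 20:
        return None
    ver_ihl = packet[0]
    if ver_ihl >> 4 != 4:          # not IPv4
        return None
    ihl = (ver_ihl & 0x0F) * 4     # header length in bytes, options included
    if ihl < 20 or len(packet) < ihl:
        return None
    proto = packet[9]
    src = ".".join(str(b) for b in packet[12:16])
    dst = ".".join(str(b) for b in packet[16:20])
    return src, dst, proto, packet[ihl:]


def classify(packet: bytes) -> Optional[str]:
    """Protocol-only match first, then refine to a tool match if the marker is seen."""
    parsed = parse_ipv4(packet)
    if parsed is None:
        return None
    _, _, proto, payload = parsed
    if proto not in WATCHED_PROTOCOLS:
        return None
    name = WATCHED_PROTOCOLS[proto]
    if TOOL_MARKER in payload:
        return f"tool: IP proto {proto} ({name}) with known payload"
    return f"protocol-only: IP proto {proto} ({name})"


def build_ipv4(proto: int, payload: bytes,
               src: bytes = b"\x0a\x00\x00\x01", dst: bytes = b"\x0a\x00\x00\x02") -> bytes:
    """Construct a minimal IPv4 packet (no options, zero checksum) as sample input."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0, src, dst)
    return header + payload


if __name__ == "__main__":
    samples = [build_ipv4(53, TOOL_MARKER + b"..."), build_ipv4(103, b"\x00" * 8), build_ipv4(6, b"GET /")]
    for pkt in samples:
        print(classify(pkt))
```

Running the script prints a tool hit for the first constructed packet, a protocol-only hit for the second, and None for ordinary TCP.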


