Snort mailing list archives
Re: Re: [Snort-sigs] Re: Fw: Cisco Vulnerability Testing Results
From: Rich Adamson <radamson () routers com>
Date: Sun, 20 Jul 2003 11:41:27 -0600
Right on! I was going to post a similar response (only without the ttl observation), but your response covers it nicely. For the purposes of an ethernet-based snort, I'd have to guess and say the ttl is likely to be any value and should not be included in the rule.

------------------------
alert ip $EXTERNAL_NET any -> $HOME_NET any (msg: "CISCO: IP Proto 53 (Swipe) detected"; ip_proto: 53; classtype:denial-of-service;)
alert ip $EXTERNAL_NET any -> $HOME_NET any (msg: "CISCO: IP Proto 55 (IP Mobility) detected"; ip_proto: 55; classtype:denial-of-service;)
alert ip $EXTERNAL_NET any -> $HOME_NET any (msg: "CISCO: IP Proto 77 (SUN ND) detected"; ip_proto: 77; classtype:denial-of-service;)
alert ip $EXTERNAL_NET any -> $HOME_NET any (msg: "CISCO: IP Proto 103 (PIM) detected"; ip_proto: 103; classtype:denial-of-service;)

A couple of thoughts:

1) As discussed on a couple of other lists, the ttl at the destination device would be 0? or 1? (guess I need to attack myself and look)

2) I would expect that our snort boxes are NOT configured on the WAN (serial/frame relay/fiber) side of our routers, so we won't pick up directed attacks against our correct router; however, any dual WAN routers that are used for our subnets will pick it up, as well as anyone doing address sweeps. Without snort listening on the OUTSIDE of your router, you won't pick up the attack.

3) The CISCO released ACL snippets may prove a better way to watch the traffic (put the acl's on for the above protocols, even if you have upgraded your firmware, and use the 'log' or 'log-interface' option if you have multiple interfaces). If you want to feed these logs to snort, you can do it with one of several add-ons, or make a snort sig to watch the syslog udp going from your router to your syslog server.
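The following is an added example, not code from this thread or from the Snort project: a small Python checker that applies the same logic as the four quoted rules (external source, $HOME_NET destination, IP protocol 53/55/77/103) to raw IPv4 packets and reports the TTL it saw, so you can confirm on your own captures that TTL varies and does not belong in the match. It assumes $EXTERNAL_NET is !$HOME_NET and builds its own constructed packets (no checksum) as sample input.

```python
import struct
import ipaddress

# Protocol numbers and names taken from the quoted Snort rules.
WATCHED_PROTOS = {53: "Swipe", 55: "IP Mobility", 77: "SUN ND", 103: "PIM"}

def build_ipv4(src, dst, proto, ttl, payload=b""):
    """Construct a minimal IPv4 packet for testing (header checksum left as 0)."""
    hdr = struct.pack("!BBHHHBBH4s4s",
                      0x45, 0, 20 + len(payload), 0, 0, ttl, proto, 0,
                      ipaddress.ip_address(src).packed,
                      ipaddress.ip_address(dst).packed)
    return hdr + payload

def parse_ipv4(pkt):
    """Return (src, dst, proto, ttl) from a raw IPv4 packet, or None if malformed."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or len(pkt) < ihl:
        return None
    src = str(ipaddress.ip_address(pkt[12:16]))
    dst = str(ipaddress.ip_address(pkt[16:20]))
    return src, dst, pkt[9], pkt[8]

def check_packet(pkt, home_net):
    """Mimic the rules: $EXTERNAL_NET (!$HOME_NET) -> $HOME_NET with a watched ip_proto."""
    parsed = parse_ipv4(pkt)
    if parsed is None:
        return None
    src, dst, proto, ttl = parsed
    net = ipaddress.ip_network(home_net)
    external_src = ipaddress.ip_address(src) not in net
    if external_src and ipaddress.ip_address(dst) in net and proto in WATCHED_PROTOS:
        return {"msg": f"CISCO: IP Proto {proto} ({WATCHED_PROTOS[proto]}) detected",
                "src": src, "dst": dst, "ttl": ttl}   # ttl reported, never matched on
    return None

def scan(packets, home_net="192.168.1.0/24"):
    """Run every packet through the rule logic and collect the alerts."""
    return [a for a in (check_packet(p, home_net) for p in packets) if a]

# Constructed sample traffic: two hits with very different TTLs, one TCP packet,
# one watched protocol from an internal host, one watched protocol to a foreign host.
SAMPLE = [
    build_ipv4("203.0.113.9", "192.168.1.1", 53, 1),
    build_ipv4("203.0.113.9", "192.168.1.1", 103, 254),
    build_ipv4("203.0.113.9", "192.168.1.1", 6, 64),
    build_ipv4("192.168.1.5", "192.168.1.1", 55, 64),
    build_ipv4("203.0.113.9", "198.51.100.7", 77, 30),
]

if __name__ == "__main__":
    for alert in scan(SAMPLE):
        print(alert)
```

Only the first two sample packets alert, with TTLs of 1 and 254, which is the point of the thread: keep ip_proto and direction in the rule and leave TTL out.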