Snort mailing list archives
RE: [Snort-sigs] Re: Fw: Cisco Vulnerability Testing Results
From: "Smith, Donald" <Donald.Smith () qwest com>
Date: Mon, 21 Jul 2003 07:31:01 -0600
The exploit allows you to set the ttl from 0-255. -----Original Message----- From: Michael Scheidell To: Jon Hart Cc: Gary Morris; intrusions () incidents org; snort-sigs () lists sourceforge net; snort-users () lists sourceforge net Sent: 7/20/2003 12:07 PM Subject: Re: [Snort-sigs] Re: Fw: Cisco Vulnerability Testing Results
alert ip $EXTERNAL_NET any -> $HOME_NET any (msg: "CISCO: IP Proto
53
(Swipe) detected"; ip_proto: 53; classtype:denial-of-service;) alert ip $EXTERNAL_NET any -> $HOME_NET any (msg: "CISCO: IP Proto
55
(IP Mobility) detected"; ip_proto: 55; classtype:denial-of-service;) alert ip $EXTERNAL_NET any -> $HOME_NET any (msg: "CISCO: IP Proto
77
(SUN ND) detected"; ip_proto: 77; classtype:denial-of-service;) alert ip $EXTERNAL_NET any -> $HOME_NET any (msg: "CISCO: IP Proto
103
(PIM) detected"; ip_proto: 103; classtype:denial-of-service;)
A couple of thoughts: 1) as discussed on a couple of other lists, the ttl at the destination device would be 0? or 1? (guess I need to attack myself and look) 2) I would expect that our snort boxes are NOT configured on the WAN (serial/frame relay/fiber) side of our routers so we won't pick up directed attacks against our correct router, however, any dual WAN routers that are used for our subnets will pick it up, as well as anyone doing address sweeps. Without snort listening on the OUTSIDE of your router, you won't pick up the attack. 3) The CISCO released ACL snipps may prove a better way to watch the traffic (put the acl's on for the above protocols, even if you have upgraded your firmware and use the 'log' or 'log-interface' option if you have multiple interfaces. If you want to feed these logs to snort, you can do it with one of several add-ons, or, make snort sig to watch the syslog udp going from your router to your syslog server. -- Michael Scheidell SECNAP Network Security, LLC Sales: 866-SECNAPNET / (1-866-732-6276) Main: 561-368-9561 / www.secnap.net ------------------------------------------------------- This SF.net email is sponsored by: VM Ware With VMware you can run multiple operating systems on a single machine. WITHOUT REBOOTING! Mix Linux / Windows / Novell virtual machines at the same time. Free trial click here: http://www.vmware.com/wl/offer/345/0 _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- RE: [Snort-sigs] Re: Fw: Cisco Vulnerability Testing Results Smith, Donald (Jul 21)
- <Possible follow-ups>
- RE: [Snort-sigs] Re: Fw: Cisco Vulnerability Testing Results scheidell (Jul 21)
- Re: [Snort-sigs] Re: Fw: Cisco Vulnerability Testing Results Marc Quibell (Jul 22)
- RE: [Snort-sigs] Re: Fw: Cisco Vulnerability Testing Results Smith, Donald (Jul 22)