[Snort-sigs] Suggested Sig for Cisco DOS Vulnerability

Compton, Rich RCompton at ...1352...
Fri Jul 18 05:37:26 EDT 2003


Hey guys, 
Doesn't look like an exploit exists as of yet but Cisco just released what IP
protocols cause the DOS so it won't be long until there is one!

Here's what I'm using to try to identify this traffic:
alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"IP Protocol 53 Cisco DOS Packet"; ip_proto: 53; classtype:denial-of-service;)
alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"IP Protocol 55 Cisco DOS Packet"; ip_proto: 55; classtype:denial-of-service;)
alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"IP Protocol 77 Cisco DOS Packet"; ip_proto: 77; classtype:denial-of-service;)
alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"IP Protocol 103 Cisco DOS Packet"; ip_proto: 103; classtype:denial-of-service;)

Here's the Cisco advisory: 
http://www.cisco.com/warp/public/707/cisco-sa-20030717-blocked.shtml

-Rich Compton
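
Added example (not part of the original post or of Snort): an offline check that applies the same match as the four rules above, IP protocol 53, 55, 77 or 103 arriving from outside the home network, to raw IPv4 headers. The HOME_NET range, the treatment of $EXTERNAL_NET as "anything outside HOME_NET", and the sample headers are assumptions constructed for illustration.

```python
import ipaddress
import struct

# Protocol numbers taken from the four rules in the post.
WATCHED_PROTOCOLS = {53, 55, 77, 103}
# Assumption: stand-in for $HOME_NET (documentation range, not from the post).
HOME_NET = ipaddress.ip_network("192.0.2.0/24")


def check_packet(raw: bytes, home_net=HOME_NET):
    """Return an alert string if the IPv4 header matches the rules, else None."""
    if len(raw) < 20:
        return None  # too short to hold a minimal IPv4 header
    version, ihl = raw[0] >> 4, raw[0] & 0x0F
    if version != 4 or ihl < 5 or len(raw) < ihl * 4:
        return None  # not IPv4, or the header length field is inconsistent
    proto = raw[9]  # protocol field sits at byte offset 9
    src = ipaddress.ip_address(raw[12:16])
    dst = ipaddress.ip_address(raw[16:20])
    # Same direction as the rules: $EXTERNAL_NET -> $HOME_NET.
    if proto in WATCHED_PROTOCOLS and src not in home_net and dst in home_net:
        return f"IP Protocol {proto} Cisco DOS Packet: {src} -> {dst}"
    return None


def build_header(proto: int, src: str, dst: str) -> bytes:
    """Build a constructed 20-byte IPv4 header for testing (checksum left 0)."""
    return struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, 20, 0, 0, 64, proto, 0,
        ipaddress.ip_address(src).packed,
        ipaddress.ip_address(dst).packed,
    )


# Constructed sample headers, not captured traffic.
SAMPLES = [
    build_header(6, "198.51.100.7", "192.0.2.10"),    # TCP: not a watched protocol
    build_header(53, "198.51.100.7", "192.0.2.10"),   # watched, inbound: alert
    build_header(103, "192.0.2.10", "198.51.100.7"),  # watched, outbound: no alert
    build_header(77, "198.51.100.7", "192.0.2.1"),    # watched, inbound: alert
]


def scan(packets):
    """Run check_packet over an iterable of raw headers and keep the alerts."""
    return [alert for alert in map(check_packet, packets) if alert]
```
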



