[Snort-sigs] Re: Fw: Cisco Vulnerability Testing Results

William Stearns wstearns at ...157...
Fri Jul 18 10:58:06 EDT 2003


Good afternoon, all,

On Fri, 18 Jul 2003, William Stearns wrote:

> On Fri, 18 Jul 2003 Bryce_Alexander at ...1336... wrote:
> 
> > It would be nice to see some tcpdump output of what the exploit looks 
> > like, then we could build a signature for the IDS community.  I am not on 
> > the full disclosure list so I haven't been able to get my hands on it 
> > yet.... Anybody have a tcpdump to share with the group?
> 
> 	This is based on an early signature to the snort-sigs list, with
> content and depth added.  I haven't tested it yet, but I'll disconnect
> from the net in a little bit, do so, and send back a tcpdump of the
> packets, and perhaps some new rules.  If anyone has snort running now
> and can confirm or deny that this works, that would be great too.
> 
> alert ip $EXTERNAL_NET any -> $HOME_NET any (content:"|0001 0203 0405 0607|"; depth: 8; msg:"IP Protocol 53 Cisco DOS Packet"; ip_proto: 53; classtype:denial-of-service;)
> alert ip $EXTERNAL_NET any -> $HOME_NET any (content:"|0001 0203 0405 0607|"; depth: 8; msg:"IP Protocol 55 Cisco DOS Packet"; ip_proto: 55; classtype:denial-of-service;)
> alert ip $EXTERNAL_NET any -> $HOME_NET any (content:"|0001 0203 0405 0607|"; depth: 8; msg:"IP Protocol 77 Cisco DOS Packet"; ip_proto: 77; classtype:denial-of-service;)
> alert ip $EXTERNAL_NET any -> $HOME_NET any (content:"|0001 0203 0405 0607|"; depth: 8; msg:"IP Protocol 103 Cisco DOS Packet"; ip_proto: 103; classtype:denial-of-service;)

	The above rules seem to work just fine.  I've attached a pcap file 
of a test run from shadowchode; the command used was "./sc 172.27.1.252 1"
	Cheers,
	- Bill

---------------------------------------------------------------------------
	How's my programming?  Call 1-800-DEV-NULL
(Courtesy of http://www.tux.org/~ricdude/)
--------------------------------------------------------------------------
William Stearns (wstearns at ...157...).  Mason, Buildkernel, freedups, p0f,
rsync-backup, ssh-keyinstall, dns-check, more at:   http://www.stearns.org
Linux articles at:                         http://www.opensourcedigest.com
--------------------------------------------------------------------------
-------------- next part --------------
A non-text attachment was scrubbed...
Name: shadowchode.pcap
Type: application/octet-stream
Size: 472 bytes
Desc: shadowchode.pcap
URL: <https://lists.snort.org/pipermail/snort-sigs/attachments/20030718/cfdf6b52/attachment.obj>
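The following is an added example, not part of Bill's post or the attached pcap: a small Python mirror of the detection logic in the four quoted Snort rules, run over constructed IPv4 packets. It assumes, as Snort does for `ip`-protocol rules, that `content` with `depth: 8` is matched against the bytes that follow the IP header, and it handles packets whose header carries options (IHL greater than 5), a case where a fixed-offset check would miss the payload. The packet builder, the addresses and the sample packets are constructed here for the demonstration; nothing below is captured traffic.

```python
"""
Added example (not from the original mailing-list post): a Python mirror of
the four Snort rules quoted above, applied to raw IPv4 packets.  A rule
fires when the IP protocol number is 53, 55, 77 or 103 and the first eight
payload bytes after the IP header are 00 01 02 03 04 05 06 07.
"""
import struct
from typing import Optional

# Protocol numbers named in the quoted rules.
WATCHED_PROTOCOLS = (53, 55, 77, 103)

# content:"|0001 0203 0405 0607|" with depth: 8 -> the 8-byte pattern must
# lie within the first 8 payload bytes, i.e. the payload must start with it.
MARKER = bytes(range(8))
MARKER_DEPTH = 8


def ip_checksum(header: bytes) -> int:
    """Standard ones'-complement checksum over an IPv4 header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(proto: int, payload: bytes, src: str, dst: str,
               options: bytes = b"") -> bytes:
    """Hypothetical helper: build a minimal IPv4 packet for sample input."""
    if len(options) % 4:
        raise ValueError("IPv4 options must be padded to a multiple of 4 bytes")
    ihl = 5 + len(options) // 4
    total_len = ihl * 4 + len(payload)
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    # version/IHL, TOS, total length, id, flags/frag, TTL, proto, csum, src, dst
    hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, total_len, 0, 0,
                      64, proto, 0, src_b, dst_b) + options
    csum = ip_checksum(hdr)
    return hdr[:10] + struct.pack("!H", csum) + hdr[12:] + payload


def match_cisco_dos_rules(packet: bytes) -> Optional[str]:
    """Return the quoted rule's msg string if it would fire, else None."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None                       # not IPv4, or shorter than a header
    ihl_bytes = (packet[0] & 0x0F) * 4
    if ihl_bytes < 20 or len(packet) < ihl_bytes:
        return None                       # corrupt IHL or truncated header
    proto = packet[9]
    if proto not in WATCHED_PROTOCOLS:
        return None
    payload = packet[ihl_bytes:]          # honours IP options via IHL
    if MARKER not in payload[:MARKER_DEPTH]:
        return None
    return "IP Protocol %d Cisco DOS Packet" % proto


def scan(packets) -> list:
    """Run the detector over an iterable of raw packets; collect (index, msg)."""
    alerts = []
    for i, pkt in enumerate(packets):
        msg = match_cisco_dos_rules(pkt)
        if msg:
            alerts.append((i, msg))
    return alerts


# Constructed sample traffic (documentation-range addresses as placeholders).
SRC, DST = "192.0.2.10", "198.51.100.1"
SAMPLES = [
    build_ipv4(53, MARKER + b"\x00" * 8, SRC, DST),               # fires
    build_ipv4(6, MARKER, SRC, DST),                               # TCP: not watched
    build_ipv4(77, b"\xff" * 16, SRC, DST),                        # wrong bytes
    build_ipv4(103, MARKER, SRC, DST, options=b"\x01" * 4),        # NOP options, fires
    build_ipv4(55, b"\x00" + MARKER, SRC, DST),                    # marker past depth
]

if __name__ == "__main__":
    for idx, msg in scan(SAMPLES):
        print("packet %d: %s" % (idx, msg))
```

Reading the payload from the IHL-derived offset rather than a fixed byte 20 is what keeps the check equivalent to the Snort rules when a header carries options; the fifth sample shows that `depth: 8` with an eight-byte pattern is effectively an anchored match at payload offset 0.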

