[Snort-sigs] Re: Fw: Cisco Vulnerability Testing Results

William Stearns wstearns at ...157...
Fri Jul 18 11:00:57 EDT 2003


Good afternoon, all,

On Fri, 18 Jul 2003, William Stearns wrote:

> On Fri, 18 Jul 2003, William Stearns wrote:
> 
> > On Fri, 18 Jul 2003 Bryce_Alexander at ...1336... wrote:
> > 
> > > It would be nice to see some tcpdump output of what the exploit looks 
> > > like. Then we could build a signature for the IDS community.  I am not on 
> > > the full disclosure list so I haven't been able to get my hands on it 
> > > yet.... Anybody have a tcpdump to share with the group?
> > 
> > 	This is based on an early signature to the snort-sigs list, with
> > content and depth added.  I haven't tested it yet, but I'll disconnect
> > from the net in a little bit, do so, and send back a tcpdump of the
> > packets, and perhaps some new rules.  If anyone has snort running now
> > and can confirm or deny that this works, that would be great too.
> > 
> > alert ip $EXTERNAL_NET any -> $HOME_NET any (content:"|0001 0203 0405 0607|"; depth: 8; msg:"IP Protocol 53 Cisco DOS Packet"; ip_proto: 53; classtype:denial-of-service;)
> > alert ip $EXTERNAL_NET any -> $HOME_NET any (content:"|0001 0203 0405 0607|"; depth: 8; msg:"IP Protocol 55 Cisco DOS Packet"; ip_proto: 55; classtype:denial-of-service;)
> > alert ip $EXTERNAL_NET any -> $HOME_NET any (content:"|0001 0203 0405 0607|"; depth: 8; msg:"IP Protocol 77 Cisco DOS Packet"; ip_proto: 77; classtype:denial-of-service;)
> > alert ip $EXTERNAL_NET any -> $HOME_NET any (content:"|0001 0203 0405 0607|"; depth: 8; msg:"IP Protocol 103 Cisco DOS Packet"; ip_proto: 103; classtype:denial-of-service;)
> 
> 	The above rules seem to work just fine.  I've attached a pcap file 
> of a test run from shadowchode; the command used was "./sc 172.27.1.252 1"

	Well, you _would_ have seen a pcap attachment, except for the fact 
that the mail server stripped it.  :-)
	The file is at http://www.stearns.org/pcap/shadowchode.pcap .
	Cheers,
	- Bill

---------------------------------------------------------------------------
	"Real programmers use 'cat > a.out'."
(Courtesy of Dan Pilone <pilone at ...1684...>)
--------------------------------------------------------------------------
William Stearns (wstearns at ...157...).  Mason, Buildkernel, freedups, p0f,
rsync-backup, ssh-keyinstall, dns-check, more at:   http://www.stearns.org
Linux articles at:                         http://www.opensourcedigest.com
--------------------------------------------------------------------------
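Editor's added example (not part of Bill's post, the snort-sigs rules above, or shadowchode): the four rules reduce to one test per IP packet, "ip_proto is one of 53/55/77/103 and the first 8 payload bytes are 00 01 02 03 04 05 06 07" (with an 8-byte pattern and depth:8 the content match can only succeed at payload offset 0). The script below applies exactly that test to a classic libpcap file using only the Python standard library, so it can be run against a capture such as the one linked above without Snort installed. The sample traffic, addresses and packet IDs are constructed here for the demonstration; the capture is assumed to be Ethernet-framed, and anything else is rejected rather than guessed at.

```python
"""Re-implement the IP protocol 53/55/77/103 Cisco DoS rules as a pcap scanner.

Added example, not code from the original post. Only the standard library is
used; the sample packets in demo_pcap() are constructed here, not captured.
"""
import struct

# The rule's ip_proto values, mapped to the msg each rule would emit.
RULE_MSGS = {p: f"IP Protocol {p} Cisco DOS Packet" for p in (53, 55, 77, 103)}
# content:"|0001 0203 0405 0607|"; depth: 8;  -> exact 8-byte payload prefix.
RULE_CONTENT = bytes(range(8))
RULE_DEPTH = 8

PCAP_MAGIC = 0xA1B2C3D4          # little-endian classic pcap
PCAP_MAGIC_SWAPPED = 0xD4C3B2A1  # big-endian classic pcap
LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = 0x0800


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 ones-complement checksum; returns 0 for a header with a valid checksum."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    """Build a minimal (no options) IPv4 packet with a correct header checksum."""
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0,
                      ttl, proto, 0, src_b, dst_b)
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + payload


def build_pcap(ip_packets) -> bytes:
    """Wrap IPv4 packets in Ethernet frames inside a classic libpcap file (constructed MACs)."""
    out = [struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)]
    eth = b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + struct.pack("!H", ETHERTYPE_IPV4)
    for i, pkt in enumerate(ip_packets):
        frame = eth + pkt
        out.append(struct.pack("<IIII", 1058500000 + i, 0, len(frame), len(frame)))
        out.append(frame)
    return b"".join(out)


def iter_pcap_frames(data: bytes):
    """Yield link-layer frames from a classic libpcap file, honouring its byte order."""
    (magic,) = struct.unpack_from("<I", data, 0)
    endian = {PCAP_MAGIC: "<", PCAP_MAGIC_SWAPPED: ">"}.get(magic)
    if endian is None:
        raise ValueError("not a classic libpcap file (pcapng is not handled here)")
    (linktype,) = struct.unpack_from(endian + "I", data, 20)
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError(f"only Ethernet captures are handled, got linktype {linktype}")
    off = 24
    while off + 16 <= len(data):
        _sec, _usec, incl_len, _orig_len = struct.unpack_from(endian + "IIII", data, off)
        off += 16
        yield data[off:off + incl_len]
        off += incl_len


def ipv4_from_frame(frame: bytes):
    """Return (proto, payload) for an IPv4-over-Ethernet frame, or None if it is not one."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ip = frame[14:]
    if ip[0] >> 4 != 4:
        return None
    ihl = (ip[0] & 0x0F) * 4
    (total_len,) = struct.unpack_from("!H", ip, 2)
    if ihl < 20 or total_len < ihl or len(ip) < total_len:
        return None  # truncated or malformed; do not match on garbage
    return ip[9], ip[ihl:total_len]


def match_rules(proto: int, payload: bytes):
    """The ip_proto + content/depth test of the four rules; returns the msg or None."""
    msg = RULE_MSGS.get(proto)
    if msg is None or payload[:RULE_DEPTH] != RULE_CONTENT:
        return None
    return msg


def scan_pcap(data: bytes):
    """Return the list of rule msgs fired, in packet order."""
    alerts = []
    for frame in iter_pcap_frames(data):
        parsed = ipv4_from_frame(frame)
        if parsed is not None and (msg := match_rules(*parsed)):
            alerts.append(msg)
    return alerts


def demo_pcap() -> bytes:
    """Constructed traffic: one hit per rule, plus two decoys that must not fire."""
    pkts = [build_ipv4("10.0.0.1", "172.27.1.252", p, RULE_CONTENT + b"\x00" * 8)
            for p in (53, 55, 77, 103)]
    pkts.append(build_ipv4("10.0.0.1", "172.27.1.252", 53, b"\xff" * 16))           # right proto, wrong bytes
    pkts.append(build_ipv4("10.0.0.1", "172.27.1.252", 6, RULE_CONTENT + b"\x00" * 12))  # TCP, right bytes
    return build_pcap(pkts)


if __name__ == "__main__":
    for alert in scan_pcap(demo_pcap()):
        print(alert)
```

Pointed at a real capture (`scan_pcap(open("shadowchode.pcap", "rb").read())`), this reports the same four msgs the Snort rules would, provided the file is a classic Ethernet libpcap capture; pcapng and other link types are refused rather than misparsed. Because the rules key only on protocol number and an 8-byte prefix, any host sending those bytes in a protocol 53/55/77/103 packet fires them, which is the intended trade-off of a signature built from the published exploit's payload.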