[Snort-sigs] Re: Fw: Cisco Vulnerability Testing Results

Jon Hart warchild at ...288...
Fri Jul 18 11:16:10 EDT 2003

On Fri, Jul 18, 2003 at 01:46:39PM -0400, Gary Morris wrote:
> Just to be sure, and because in an ideal world I shouldn't really be
> seeing any of these protocols in my network, I've left my definitions
> somewhat more broad...
> alert ip $EXTERNAL_NET any -> $HOME_NET any (msg: "CISCO: IP Proto 53 (Swipe) detected"; ip_proto: 53; classtype:denial-of-service;)
> alert ip $EXTERNAL_NET any -> $HOME_NET any (msg: "CISCO: IP Proto 55 (IP Mobility) detected"; ip_proto: 55; classtype:denial-of-service;)
> alert ip $EXTERNAL_NET any -> $HOME_NET any (msg: "CISCO: IP Proto 77 (SUN ND) detected"; ip_proto: 77; classtype:denial-of-service;)
> alert ip $EXTERNAL_NET any -> $HOME_NET any (msg: "CISCO: IP Proto 103 (PIM) detected"; ip_proto: 103; classtype:denial-of-service;)
> -gary morris, gcia

If you are using those sigs in Snort, you might also want to make use of
spp_conversation which can catch all unwanted and/or unused protocols
that might be swimming around your network(s).  See the config I posted


Also, a number of people have posted sigs that are not only matching
based on IP protocol number, but also on content.  Obviously this will
only catch the *tool* being used, and not the *exploit* which is far
from ideal.  For similar signatures to the ones you posted, see the ones
I posted here:


Or get the latest and greatest Snort rules from Snort CVS.
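The following is an added example, not code from the thread or from the Snort project: a small IPv4 header parser that applies the two detection ideas raised in this message. It raises the same protocol-number alerts as the quoted rules (IP protocols 53, 55, 77 and 103 arriving from outside the home network) and, as a crude stand-in for what spp_conversation does, reports any IP protocol not on an explicit allow list. The home network range, the allow list, and the sample packets are assumptions constructed here so the script runs offline.

```python
"""
Added example (not part of the original thread): a minimal IPv4 header
parser that applies the two detection ideas discussed above, namely
(1) alerting on the four IP protocol numbers from the quoted Snort rules
    (53, 55, 77, 103) when traffic enters the home network, and
(2) a crude stand-in for spp_conversation's protocol tracking: any IP
    protocol not on an explicit allow list is reported as unexpected.
The packets below are constructed inline so the script runs offline; the
network range and the allow list are assumptions for illustration.
"""
import ipaddress
import struct
from collections import Counter

# Protocol numbers named in the quoted rules, with the names used there.
CISCO_PROTOS = {53: "Swipe", 55: "IP Mobility", 77: "SUN ND", 103: "PIM"}

# Assumed: what "$HOME_NET" means for this example (documentation range).
HOME_NET = ipaddress.ip_network("192.0.2.0/24")

# Assumed allow list of protocols we expect to see on this network.
ALLOWED_PROTOS = {1, 6, 17}  # ICMP, TCP, UDP


def parse_ipv4_header(pkt: bytes) -> dict:
    """Return protocol, src, dst and header length of an IPv4 header.

    Raises ValueError on anything that is not a plausible IPv4 header so
    that truncated or non-IPv4 data does not produce bogus alerts.
    """
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, _tlen, _id, _ff, _ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    version = ver_ihl >> 4
    ihl = (ver_ihl & 0x0F) * 4
    if version != 4 or ihl < 20 or len(pkt) < ihl:
        raise ValueError("not a well-formed IPv4 header")
    return {
        "proto": proto,
        "src": ipaddress.ip_address(src),
        "dst": ipaddress.ip_address(dst),
        "ihl": ihl,
    }


def build_ipv4(proto: int, src: str, dst: str) -> bytes:
    """Construct a bare 20-byte IPv4 header (checksum left zero; sample data only)."""
    return struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, 20, 0, 0, 64, proto, 0,
        ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed,
    )


def check_packet(pkt: bytes) -> list[str]:
    """Apply both checks to one packet and return the alert messages raised."""
    try:
        hdr = parse_ipv4_header(pkt)
    except ValueError:
        return []
    alerts = []
    # Mirrors "$EXTERNAL_NET any -> $HOME_NET any" from the quoted rules.
    inbound = hdr["dst"] in HOME_NET and hdr["src"] not in HOME_NET
    if inbound and hdr["proto"] in CISCO_PROTOS:
        alerts.append(f"CISCO: IP Proto {hdr['proto']} ({CISCO_PROTOS[hdr['proto']]}) "
                      f"detected {hdr['src']} -> {hdr['dst']}")
    # Allow-list check, in the spirit of spp_conversation's protocol tracking.
    if hdr["proto"] not in ALLOWED_PROTOS:
        alerts.append(f"unexpected IP protocol {hdr['proto']} {hdr['src']} -> {hdr['dst']}")
    return alerts


def scan(packets) -> tuple[list[str], Counter]:
    """Run check_packet over a packet list and tally the protocols seen."""
    alerts, seen = [], Counter()
    for pkt in packets:
        try:
            seen[parse_ipv4_header(pkt)["proto"]] += 1
        except ValueError:
            continue
        alerts.extend(check_packet(pkt))
    return alerts, seen


# Constructed sample traffic (not captured data).
SAMPLE_PACKETS = [
    build_ipv4(6, "198.51.100.7", "192.0.2.10"),    # inbound TCP: fine
    build_ipv4(103, "198.51.100.7", "192.0.2.1"),   # inbound PIM: both checks fire
    build_ipv4(53, "192.0.2.5", "192.0.2.1"),       # internal Swipe: only allow-list check
    build_ipv4(47, "198.51.100.9", "192.0.2.1"),    # GRE: not in allow list
    b"\x60" + b"\x00" * 19,                        # IPv6-looking bytes: ignored
]

if __name__ == "__main__":
    found, tally = scan(SAMPLE_PACKETS)
    for a in found:
        print(a)
    print("protocols seen:", dict(tally))
```

The direction test is the part worth noticing: the quoted rules only fire for traffic entering `$HOME_NET`, so a packet with an internal source on protocol 53 is caught here only by the allow-list check, which is the gap spp_conversation-style protocol tracking closes.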

