[Snort-sigs] Re: Fw: Cisco Vulnerability Testing Results

William Stearns wstearns at ...157...
Fri Jul 18 11:38:28 EDT 2003


Good afternoon, Jon,

On Fri, 18 Jul 2003, Jon Hart wrote:

> On Fri, Jul 18, 2003 at 01:46:39PM -0400, Gary Morris wrote:
> > 
> > Just to be sure, and becaue in an ideal world I shouldn't really be
> > seeing any of these protocols in my network, I've left my definitions
> > somewhat more broad.. 
> > 
> > alert ip $EXTERNAL_NET any -> $HOME_NET any (msg: "CISCO: IP Proto 53
> > (Swipe) detected"; ip_proto: 53; classtype:denial-of-service;)
> > alert ip $EXTERNAL_NET any -> $HOME_NET any (msg: "CISCO: IP Proto 55
> > (IP Mobility) detected"; ip_proto: 55; classtype:denial-of-service;)
> > alert ip $EXTERNAL_NET any -> $HOME_NET any (msg: "CISCO: IP Proto 77
> > (SUN ND) detected"; ip_proto: 77; classtype:denial-of-service;)
> > alert ip $EXTERNAL_NET any -> $HOME_NET any (msg: "CISCO: IP Proto 103
> > (PIM) detected"; ip_proto: 103; classtype:denial-of-service;)
> 
> If you are using those sigs in Snort, you might also want to make use of
> spp_conversation which can catch all unwanted and/or unused protocols
> that might be swimming around your network(s).  See the config I posted
> here:
> 
> http://marc.theaimsgroup.com/?l=snort-users&m=105849030507605&w=2
> 
> Also, a number of people have posted sigs that are not only matching
> based on IP protocol number, but also on content.  Obviously this will
> only catch the *tool* being used, and not the *exploit* which is far

	_Excellent_ point.  It might even make sense to use both sets of 
rules; the content-specific rules to identify that the original tool is 
being used, and the more generic protocol-only rules afterwards to show 
that someone's trying to exploit those protocols, but they're using a 
different tool.
	Cheers,
	- Bill

---------------------------------------------------------------------------
        "Cogito ergo sum...cogito."
(Courtesy of Bob Hillery <rhillery at ...1687...>)
--------------------------------------------------------------------------
William Stearns (wstearns at ...157...).  Mason, Buildkernel, freedups, p0f,
rsync-backup, ssh-keyinstall, dns-check, more at:   http://www.stearns.org
Linux articles at:                         http://www.opensourcedigest.com
--------------------------------------------------------------------------





More information about the Snort-sigs mailing list