[Snort-users] Re: [Snort-sigs] Re: Fw: Cisco Vulnerability Testing Results

Rich Adamson radamson at ...908...
Sun Jul 20 09:46:19 EDT 2003


Right on!  I was going to post a similar response (only without the ttl
observation), but your response covers it nicely. For the purposes of an
ethernet-based snort, I'd have to guess and say the ttl is likely to be
any value and should not be included in the rule.

------------------------
> > > alert ip $EXTERNAL_NET any -> $HOME_NET any (msg: "CISCO: IP Proto 53
> > > (Swipe) detected"; ip_proto: 53; classtype:denial-of-service;)
> > > alert ip $EXTERNAL_NET any -> $HOME_NET any (msg: "CISCO: IP Proto 55
> > > (IP Mobility) detected"; ip_proto: 55; classtype:denial-of-service;)
> > > alert ip $EXTERNAL_NET any -> $HOME_NET any (msg: "CISCO: IP Proto 77
> > > (SUN ND) detected"; ip_proto: 77; classtype:denial-of-service;)
> > > alert ip $EXTERNAL_NET any -> $HOME_NET any (msg: "CISCO: IP Proto 103
> > > (PIM) detected"; ip_proto: 103; classtype:denial-of-service;)
> > > 
> 
> A couple of thoughts:
> 1) as discussed on a couple of other lists, the ttl at the destination
> device would be 0? or 1? (guess I need to attack myself and look)
> 
> 2) I would expect that our snort boxes are NOT configured on the WAN
> (serial/frame relay/fiber) side of our routers so we won't pick up
> directed attacks against our correct router, however, any dual WAN routers
> that are used for our subnets will pick it up, as well as anyone doing
> address sweeps.  Without snort listening on the OUTSIDE of your router, you
> won't pick up the attack.
> 
> 3) The CISCO released ACL snippets may prove a better way to watch the
> traffic (put the ACLs on for the above protocols, even if you have
> upgraded your firmware, and use the 'log' or 'log-interface' option if you
> have multiple interfaces).  If you want to feed these logs to snort, you
> can do it with one of several add-ons, or make a snort sig to watch the
> syslog UDP going from your router to your syslog server.
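An added illustration of the TTL point raised above (example code, not from the thread or from Snort): a minimal IPv4 header parser and an emulation of the quoted `ip_proto` rules, run over constructed packets whose TTLs vary as they would on an Ethernet-side sensor. The same rules with a hypothetical `ttl:1` constraint miss most of the matching packets.

```python
import socket
import struct

# Protocol numbers and names taken from the quoted Snort rules.
WATCHED_PROTOS = {53: "Swipe", 55: "IP Mobility", 77: "SUN ND", 103: "PIM"}

IPV4_HDR = "!BBHHHBBH4s4s"  # 20-byte IPv4 header without options


def build_ipv4(proto, ttl, src, dst, payload=b""):
    """Constructed test packet: IPv4 header (checksum left as zero) plus payload."""
    ver_ihl = (4 << 4) | 5
    hdr = struct.pack(IPV4_HDR, ver_ihl, 0, 20 + len(payload), 0x1234, 0,
                      ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload


def parse_ipv4(pkt):
    """Return the header fields a Snort 'ip' rule can match on."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, _tlen, _id, _frag, ttl, proto, _csum, src, dst = struct.unpack(IPV4_HDR, pkt[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    return {"ttl": ttl, "proto": proto,
            "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst)}


def rule_matches(pkt, ip_proto, ttl=None):
    """Emulate 'alert ip any any -> any any (ip_proto:N; [ttl:T;])'."""
    h = parse_ipv4(pkt)
    if h["proto"] != ip_proto:
        return False
    return ttl is None or h["ttl"] == ttl


def alerts(packets, ttl=None):
    """Messages that would fire for the four quoted rules, with optional ttl option."""
    out = []
    for pkt in packets:
        for proto, name in WATCHED_PROTOS.items():
            if rule_matches(pkt, proto, ttl):
                out.append(f"CISCO: IP Proto {proto} ({name}) detected ttl={parse_ipv4(pkt)['ttl']}")
    return out


# Constructed sample traffic: hop counts to the sensor differ, so TTLs differ.
SAMPLE = [
    build_ipv4(53, 1, "198.51.100.7", "192.0.2.1"),    # watched proto, TTL already 1
    build_ipv4(103, 64, "198.51.100.8", "192.0.2.1"),  # watched proto, fresh TTL
    build_ipv4(77, 3, "198.51.100.9", "192.0.2.2"),    # watched proto, a few hops in
    build_ipv4(6, 64, "198.51.100.9", "192.0.2.2"),    # TCP, not watched
]
```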
