[Snort-sigs] SID: 2190

Jon Hart warchild at ...288...
Mon Jul 21 08:32:03 EDT 2003


On Fri, Jul 18, 2003 at 06:40:15PM +0200, Iv?n Mota Alberca wrote:
> Rule:  alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"CISCO IOS DOS
> Attempt Proto 55"; ip_proto:55; dsize:26<>256; content:"|0001 0203
> 0405 0607 0809 0a0b 0c0d 0e0f 1011 1213 1415 1617 1819|";
> reference:url,www.cisco.com/warp/public/707/cisco-sa-20030717-blocked.shtml;
> sid:2190;
> classtype:denial-of-service; rev:1;)

Comments inline.  I see that someone already commented on the payload
issue, so I won't touch that.

> --
> Attack Scenarios:
> Anyone able to craft a special packet meeting the appropiate conditions
> will be able to actually hung any not patched Cisco IOS running device.
> --
> Ease of Attack:

Simple.  Exploit code is publicly available and any number of freely
available tools such as hping, packit, or any number of tools made with
Libnet (or other) that are capable of crafting IP packets.

> --
> False Positives:
> Not known

Entirely possible.  Depending on the network configuration, IP protocol
#55 might actually be flying around on your network segment(s) for
perfectly legit reasons.

> --
> False Negatives:
> Not known

So long as the sigs don't use anything that is payload content/size
specific, then there should be none.

-jon




More information about the Snort-sigs mailing list