[Snort-sigs] SID: 2190

Nigel Houghton nigel.houghton at ...435...
Mon Jul 21 09:28:19 EDT 2003


The documents for the Cisco IOS rules already exist, they just haven't 
quite made it to snort.org yet. However, I will note your information 
and include where appropriate.

Jon Hart wrote:
> On Fri, Jul 18, 2003 at 06:40:15PM +0200, Iván Mota Alberca wrote:
> 
>>Rule:  alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"CISCO IOS DOS Attempt Proto 55";
>>ip_proto:55; dsize:26<>256;
>>content:"|0001 0203 0405 0607 0809 0a0b 0c0d 0e0f 1011 1213 1415 1617 1819|";
>>reference:url,www.cisco.com/warp/public/707/cisco-sa-20030717-blocked.shtml;
>>sid:2190; classtype:denial-of-service; rev:1;)
> 
> 
> Comments inline.  I see that someone already commented on the payload
> issue, so I won't touch that.
> 
> 
>>--
>>Attack Scenarios:
>>Anyone able to craft a special packet meeting the appropriate conditions
>>will be able to actually hang any unpatched Cisco IOS running device.
>>--
>>Ease of Attack:
> 
> 
> Simple.  Exploit code is publicly available and any number of freely
> available tools such as hping, packit, or any number of tools made with
> Libnet (or other) that are capable of crafting IP packets.
> 
> 
>>--
>>False Positives:
>>Not known
> 
> 
> Entirely possible.  Depending on the network configuration, IP protocol
> #55 might actually be flying around on your network segment(s) for
> perfectly legit reasons.
> 
> 
>>--
>>False Negatives:
>>Not known
> 
> 
> So long as the sigs don't use anything that is payload content/size
> specific, then there should be none.
> 
> -jon
> 
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs
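Jon's two points (protocol 55 may be legitimate traffic, and a payload-specific match will miss packets that do not carry that exact payload) can be checked with a small model of the rule's tests. The following Python is an added example, not code from the thread or from Snort: it builds a few constructed IPv4 packets, models the posted rule's ip_proto/dsize/content conditions, and compares them with a protocol-only variant. The helper names, the packets and the treatment of dsize's range as exclusive (as in Snort 2.x) are assumptions of this model.

```python
import struct

# Constructed IPv4 packets (hypothetical, not captured traffic): a minimal
# 20-byte header followed by a payload. Only the protocol field and the
# payload length/bytes matter for the checks below.
def build_ipv4(proto: int, payload: bytes, src="10.0.0.1", dst="10.0.0.2") -> bytes:
    total_len = 20 + len(payload)
    header = struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, total_len, 0, 0, 64, proto, 0,
        bytes(int(o) for o in src.split(".")),
        bytes(int(o) for o in dst.split(".")),
    )
    return header + payload


def parse_ipv4(pkt: bytes):
    """Return (ip_proto, payload) from a raw IPv4 packet."""
    ihl = (pkt[0] & 0x0F) * 4
    proto = pkt[9]
    total_len = struct.unpack("!H", pkt[2:4])[0]
    return proto, pkt[ihl:total_len]


# The rule's content match: bytes 00 01 02 ... 19 (26 bytes).
SID_2190_PATTERN = bytes(range(0x1A))


def rule_sid_2190(pkt: bytes) -> bool:
    """Model of the posted rule: ip_proto:55, dsize:26<>256, content match.
    The dsize range is modelled as exclusive (assumption, Snort 2.x style)."""
    proto, payload = parse_ipv4(pkt)
    return proto == 55 and 26 < len(payload) < 256 and SID_2190_PATTERN in payload


def rule_proto_only(pkt: bytes) -> bool:
    """Variant with no payload conditions: any IP protocol 55 packet matches."""
    proto, _ = parse_ipv4(pkt)
    return proto == 55


# Constructed sample traffic (labels are hypothetical).
PACKETS = {
    "proto55_expected_payload": build_ipv4(55, SID_2190_PATTERN + b"\x00" * 10),
    "proto55_other_payload": build_ipv4(55, b"\xff" * 40),   # same protocol, different bytes
    "proto55_legit_short": build_ipv4(55, b"\x01\x02"),     # e.g. legitimate proto 55 use
    "tcp_with_pattern_bytes": build_ipv4(6, SID_2190_PATTERN + b"\x00" * 10),
}


def evaluate(packets=PACKETS):
    """Map packet label -> (posted rule fires?, protocol-only rule fires?)."""
    return {name: (rule_sid_2190(p), rule_proto_only(p)) for name, p in packets.items()}


if __name__ == "__main__":
    for name, (content_rule, proto_rule) in evaluate().items():
        print(f"{name:28s} sid2190={content_rule!s:5s} proto_only={proto_rule}")
```

The protocol-55 packet with a different payload is the false negative Jon describes: the posted rule stays silent while the protocol-only check fires. The short protocol-55 packet is the false-positive side: the protocol-only check flags it even though nothing in it resembles the advisory's payload, so on a segment where protocol 55 is in use for other reasons, the protocol-only rule needs a tuned $HOME_NET/$EXTERNAL_NET scope or a threshold to stay useful.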