[Snort-sigs] SID 1546 documentation

Kevin Peuhkurinen kevin.peuhkurinen at ...1555...
Wed Jun 11 11:59:06 EDT 2003

# This is a template for submitting snort signature descriptions to
# the snort.org website
# Ensure that your descriptions are your own
# and not the work of others.  References in the rules themselves
# should be used for linking to other's work.
# If you are unsure of some part of a rule, use that as a commentary
# and someone else perhaps will be able to fix it.
# $Id$

Cisco /%% DOS attempt"; flow:to_server,established; uricontent:"/%%"; 
classtype:web-application-attack; reference:cve,CVE-2000-0380; 
reference:bugtraq,1154; sid:1546; rev:6;)
This is an attemped denial of service attack against a Cisco router or 
If successful, the router will hang for two minutes, then reboot.   
Under certain circumstances, the router will hang until power cycled 
Detailed Information:
The HTTP server that is part of some versions of the Cisco IOS software 
has a bug that causes it to enter an infinite loop when handling a 
request for "/%%".
Affected Systems:
The following Cisco products can be affected.   Whether they actually 
are vulnerable or not depends on the version of IOS that they are 
running.   To properly determine if your product is vulnerable, see the 
Cisco website referenced below.
Cisco routers in the AGS/MGS/CGS/AGS+, IGS, RSM, 800, ubr900, 1000, 
2500, 2600, 3000, 3600, 3800, 4000, 4500, 4700, AS5200, AS5300, AS5800, 
6400, 7000, 7200, ubr7200, 7500, and 12000 series.
Most recent versions of the LS1010 ATM switch.
The Catalyst 6000 if it is running IOS.
Some versions of the Catalyst 2900XL and 3500XL LAN switches.
The Cisco DistributedDirector.
Attack Scenarios:
This attack creates a denial of service.
Ease of Attack:
Very easy.   
False Positives:
False Negatives:
This signature only looks for attacks against systems that are included 
in the $HTTP_SERVERS group.   Many administrators do not consider 
routers or switches to be web servers, and therefore may not include 
vulnerable devices in this group, causing an attack to proceed 
unnoticed.   If you think one of your routers or switches is vulnerable, 
reference it in the $HTTP_SERVERS group.
Corrective Action:
Turn off the web server functionality, use access lists to ensure only 
trusted hosts have access to the device, or upgrade your version of IOS.
Kevin Peuhkurinen
Additional References:

More information about the Snort-sigs mailing list