[Snort-sigs] SID 1546 documentation
kevin.peuhkurinen at ...1555...
Wed Jun 11 11:59:06 EDT 2003
# This is a template for submitting snort signature descriptions to
# the snort.org website
# Ensure that your descriptions are your own
# and not the work of others. References in the rules themselves
# should be used for linking to other's work.
# If you are unsure of some part of a rule, use that as a commentary
# and someone else perhaps will be able to fix it.

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Cisco /%% DOS attempt"; flow:to_server,established; uricontent:"/%%"; reference:bugtraq,1154; sid:1546; rev:6;)

This is an attempted denial of service attack against a Cisco router or

If successful, the router will hang for two minutes, then reboot.
Under certain circumstances, the router will hang until power cycled

The HTTP server that is part of some versions of the Cisco IOS software
has a bug that causes it to enter an infinite loop when handling a
request for "/%%".

The following Cisco products can be affected. Whether they actually
are vulnerable or not depends on the version of IOS that they are
running. To properly determine if your product is vulnerable, see the
Cisco website referenced below.
Cisco routers in the AGS/MGS/CGS/AGS+, IGS, RSM, 800, ubr900, 1000,
2500, 2600, 3000, 3600, 3800, 4000, 4500, 4700, AS5200, AS5300, AS5800,
6400, 7000, 7200, ubr7200, 7500, and 12000 series.
Most recent versions of the LS1010 ATM switch.
The Catalyst 6000 if it is running IOS.
Some versions of the Catalyst 2900XL and 3500XL LAN switches.
The Cisco DistributedDirector.

This attack creates a denial of service.

Ease of Attack:

This signature only looks for attacks against systems that are included
in the $HTTP_SERVERS group. Many administrators do not consider
routers or switches to be web servers, and therefore may not include
vulnerable devices in this group, causing an attack to proceed
unnoticed. If you think one of your routers or switches is vulnerable,
reference it in the $HTTP_SERVERS group.

Turn off the web server functionality, use access lists to ensure only
trusted hosts have access to the device, or upgrade your version of IOS.
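
The coverage gap described above (a router left out of $HTTP_SERVERS never reaches the uricontent check) can be shown with a small emulation of the rule's header and content match. This is an added example, not part of the original submission or of Snort. The addresses, the variable values, the assumption that $EXTERNAL_NET is !$HOME_NET, and the function names are all constructed for illustration, and the match is done on the raw URI rather than the normalized URI that Snort's HTTP preprocessor supplies to uricontent.

```python
"""Added example: emulate SID 1546's header and uricontent match."""
import ipaddress

HTTP_PORTS = {80}      # assumed value of $HTTP_PORTS
URICONTENT = "/%%"     # content string from the rule on this page

# Constructed sample traffic: (src, dst, dst_port, request URI). Every record
# is assumed to be client-to-server on an established TCP session.
SAMPLE_REQUESTS = [
    ("198.51.100.7", "192.0.2.10", 80, "/index.html"),  # web server, benign
    ("198.51.100.7", "192.0.2.10", 80, "/%%"),          # web server, matches
    ("198.51.100.9", "192.0.2.1", 80, "/%%"),           # router's HTTP server
    ("192.0.2.50", "192.0.2.1", 80, "/%%"),             # internal source
]


def parse_var(value):
    """Parse a Snort-style address list such as '[192.0.2.10/32,192.0.2.1]'."""
    items = [i.strip() for i in value.strip("[] ").split(",")]
    return [ipaddress.ip_network(i, strict=False) for i in items if i]


def in_group(addr, networks):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in networks)


def alerts(requests, http_servers, home_net):
    """Return the requests that satisfy the rule header and the uricontent."""
    servers, home = parse_var(http_servers), parse_var(home_net)
    hits = []
    for src, dst, port, uri in requests:
        if in_group(src, home):                # not from $EXTERNAL_NET
            continue
        if not in_group(dst, servers) or port not in HTTP_PORTS:
            continue                           # header fails, content unchecked
        if URICONTENT in uri:
            hits.append((src, dst, port, uri))
    return hits


def uncovered(http_enabled_devices, http_servers):
    """List devices with an HTTP server enabled that $HTTP_SERVERS omits."""
    servers = parse_var(http_servers)
    return [d for d in http_enabled_devices if not in_group(d, servers)]


if __name__ == "__main__":
    print(alerts(SAMPLE_REQUESTS, "[192.0.2.10/32]", "[192.0.2.0/24]"))
    print(uncovered(["192.0.2.10", "192.0.2.1"], "[192.0.2.10/32]"))
```

Running `uncovered` against an inventory of devices that have the HTTP server enabled gives the list of addresses to add to $HTTP_SERVERS.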