[Snort-sigs] Cisco TCP RST Exploit Signature

David A. Koran webjedi at ...2282...
Tue Apr 27 07:50:44 EDT 2004


Here's a preliminary signature for the RST exploit tool located at: 
(http://www.k-otik.com/exploits/04222004.reset.dpr.php)

The TTL may vary, but I've compiled and run the tool several times 
locally to refine it. This should work for Snort 1.9.0 and up; however, 
since the tool creates a lot of traffic, I would recommend a threshold 
statement for Snort 2.x and up.

### CISCO TCP RST Exploit (04-22-2004)
alert tcp any any -> $HOME_NET any (msg: "TCP RST Exploit"; flags:RA; \
fragbits:!MD; flow:from_client; ttl:128; rev:1; classtype:attempted-dos; \
reference:url,www.cisco.com/warp/public/707/cisco-sa-20040420-tcp-ios.shtml; \
sid:1000000;)
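
Added example, not part of the original post: the same signature with the rate limiting the post recommends for Snort 2.x, written with the `threshold` rule option. The count and seconds values are assumed starting points to tune per network, and the commented line is the equivalent standalone form (use one or the other for a given sid, not both).

```snort
# Added example (not from the original post): the posted rule plus a
# threshold option. With "type both", Snort raises at most one alert per
# source address per 10-second window, and only once 50 matching RST/ACK
# segments have been seen in that window. 50 and 10 are assumed values.
alert tcp any any -> $HOME_NET any (msg: "TCP RST Exploit"; flags:RA; \
fragbits:!MD; flow:from_client; ttl:128; \
threshold: type both, track by_src, count 50, seconds 10; \
rev:1; classtype:attempted-dos; \
reference:url,www.cisco.com/warp/public/707/cisco-sa-20040420-tcp-ios.shtml; \
sid:1000000;)

# Equivalent standalone form, kept in threshold.conf instead of the
# in-rule option (gen_id 1 selects the text-rule detection engine):
# threshold gen_id 1, sig_id 1000000, type both, track by_src, count 50, seconds 10
```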






