[Snort-sigs] Cisco TCP RST Exploit Signature

David A. Koran webjedi at ...2282...
Tue Apr 27 07:50:44 EDT 2004

Here's a preliminary signature for the RST exploit tool located at: 

The TTL may vary, but I've compiled and run the tool several times 
locally to refine it. This should work for Snort 1.9.0 and up; however, 
since the tool creates a lot of traffic, I would recommend a threshold 
statement for Snort 2.x and up.

### CISCO TCP RST Exploit (04-22-2004)
alert tcp any any -> $HOME_NET any (msg: "TCP RST Exploit"; flags:RA; fragbits:!MD; flow:from_client; ttl:128; rev:1; classtype:attempted-dos;)
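
One way to write the threshold statement recommended above, using the Snort 2.x threshold syntax. This is an added example, not part of the original post; the sid is a placeholder from the local-rule range and the count and seconds values are assumed starting points.

```snort
# Added example. sid:1000001 is a constructed placeholder; count/seconds are
# illustrative and need tuning against normal RST/ACK volume on the network.
#
# "type both" alerts at most once per source per 10-second window, and only
# after 100 matching packets have been seen from that source in the window.
# A single RST/ACK with TTL 128 is ordinary traffic, so requiring a burst
# both cuts alert volume and reduces false positives.
alert tcp any any -> $HOME_NET any (msg:"TCP RST Exploit"; flags:RA; fragbits:!MD; flow:from_client; ttl:128; classtype:attempted-dos; threshold:type both, track by_src, count 100, seconds 10; sid:1000001; rev:1;)

# Alternative: leave the rule without a threshold option and put a standalone
# statement in threshold.conf instead. Apply only one threshold per
# gen_id/sig_id pair, so use this form OR the in-rule option, not both.
# threshold gen_id 1, sig_id 1000001, type both, track by_src, count 100, seconds 10
```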
