[Snort-sigs] Cisco TCP RST Exploit Signature
David A. Koran
webjedi at ...2282...
Tue Apr 27 07:50:44 EDT 2004
Here's a preliminary signature for the RST exploit tool located at:
The TTL may vary, but I've compiled and run the tool several times
locally to refine it. This should work for Snort 1.9.0 and up, however,
since the tool creates a lot of traffic, I would recommend a threshold
statement for Snort 2.x and up.
### CISCO TCP RST Exploit (04-22-2004)
alert tcp any any -> $HOME_NET any (msg: "TCP RST Exploit"; flags:RA;
fragbits:!MD; flow:from_client; ttl:128; rev:1; classtype:attempted-dos;
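
The threshold the post recommends for Snort 2.x, written out as an added example; it is not part of the original post or signature. The sid is a placeholder from the local-rules range, and the limit type, by_dst tracking, count and seconds values are assumptions to tune per site.

```snort
# Added example: the posted rule options with an in-rule threshold (Snort 2.x syntax).
# sid:1000001 is a placeholder; the threshold values are assumptions.
# "type limit ... count 1, seconds 60" logs the first match per destination
# in each 60-second window and suppresses the rest of the burst.
alert tcp any any -> $HOME_NET any (msg:"TCP RST Exploit"; flags:RA; \
    fragbits:!MD; flow:from_client; ttl:128; \
    threshold:type limit, track by_dst, count 1, seconds 60; \
    classtype:attempted-dos; sid:1000001; rev:1;)

# Equivalent standalone form (for example in threshold.conf), which leaves
# the rule itself unchanged:
# threshold gen_id 1, sig_id 1000001, type limit, track by_dst, count 1, seconds 60
```

Tracking by destination keeps one alert per targeted host even when the source addresses differ from packet to packet.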