[Snort-sigs] Cisco TCP RST Exploit Signature
mwatchinski at ...435...
Tue Apr 27 19:28:10 EDT 2004
You might want to check out sid 2523, as it handles a number of other cases we
discovered during our testing.
dos.rules:alert tcp $EXTERNAL_NET any <> $HOME_NET 179 (msg:"DOS BGP spoofed connection reset attempt"; flow:established; flags:RSF*; threshold:type both,track by_dst,count 10,seconds 10; reference:cve,CAN-2004-0230; classtype:attempted-dos; sid:2523; rev:2;)
David A. Koran wrote:
> Here's a preliminary signature for the RST exploit tool located at:
> The TTL may vary, but I've compiled and run the tool several times
> locally to refine it. This should work for Snort 1.9.0 and up; however,
> since the tool creates a lot of traffic, I would recommend a threshold
> statement for Snort 2.x and up.
> ### CISCO TCP RST Exploit (04-22-2004)
> alert tcp any any -> $HOME_NET any (msg: "TCP RST Exploit"; flags:RA; fragbits:!MD; flow:from_client; ttl:128; rev:1; classtype:attempted-dos;)
> Snort-sigs mailing list
> Snort-sigs at lists.sourceforge.net
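As an added illustration of the two rules above (this is a Python model written for this page, not code from either poster and not Snort itself), the script below runs both rules over constructed traffic: two bursts of spoofed RST/ACKs against a BGP peer, one genuine session teardown from the real peer, and one unrelated RST to SSH. It shows why David's per-packet rule (flags:RA, ttl:128, no threshold) fires once for every packet the tool sends, while sid 2523's `threshold:type both,track by_dst,count 10,seconds 10` fires once per 10-second window per destination and stays quiet for a lone reset. `$HOME_NET`, the addresses, and the per-packet `established`/`from_client`/`frag` attributes are assumptions standing in for what Snort's stream and frag preprocessors would supply; the semantics of `flags:RSF*`, `fragbits:!MD` and `threshold:type both` are modeled as commented, not copied from Snort's source.

```python
from dataclasses import dataclass

# TCP flag bits, named the way Snort's flags: option names them.
FLAG_BITS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08, "A": 0x10, "U": 0x20}
# IP fragment bits for fragbits: (R = reserved, D = don't fragment, M = more fragments).
FRAG_BITS = {"R": 0x80, "D": 0x40, "M": 0x20}

HOME_NET = {"10.0.0.1", "10.0.0.2"}  # constructed $HOME_NET (assumption)


@dataclass
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    flags: str            # TCP flags set, e.g. "RA"
    ttl: int
    t: float              # seconds since the start of the constructed capture
    frag: str = ""        # IP fragment bits set, e.g. "D"
    established: bool = True   # stands in for flow:established (Snort derives it from stream4)
    from_client: bool = True   # stands in for flow:from_client


def bits(spec, table):
    return sum(table[c] for c in spec)


def flags_match(spec, pkt):
    """flags: as modeled here: 'RSF*' = any of R, S, F set;
    a bare spec such as 'RA' = exactly those bits and no others."""
    have = bits(pkt.flags, FLAG_BITS)
    if spec.endswith("*"):
        return have & bits(spec[:-1], FLAG_BITS) != 0
    return have == bits(spec, FLAG_BITS)


def fragbits_match(spec, pkt):
    """fragbits:!MD modeled as: none of the named bits set (assumption about '!')."""
    have = bits(pkt.frag, FRAG_BITS)
    if spec.startswith("!"):
        return have & bits(spec[1:], FRAG_BITS) == 0
    return have == bits(spec, FRAG_BITS)


class ThresholdBoth:
    """threshold:type both,track by_dst,count N,seconds S, as modeled here:
    alert once on the N-th matching packet to a destination inside an S-second
    window, then stay silent for the rest of that window."""

    def __init__(self, count, seconds):
        self.count, self.seconds = count, seconds
        self.state = {}  # dst -> (window_start, matches_in_window)

    def hit(self, pkt):
        start, n = self.state.get(pkt.dst, (pkt.t, 0))
        if pkt.t - start > self.seconds:  # window expired: open a new one
            start, n = pkt.t, 0
        n += 1
        self.state[pkt.dst] = (start, n)
        return n == self.count


def sid_2523_alerts(packets):
    """alert tcp $EXTERNAL_NET any <> $HOME_NET 179 (flow:established; flags:RSF*;
    threshold:type both,track by_dst,count 10,seconds 10; ...)  -> list of alert times."""
    thr = ThresholdBoth(count=10, seconds=10)
    alerts = []
    for p in packets:
        to_bgp = p.src not in HOME_NET and p.dst in HOME_NET and p.dport == 179
        from_bgp = p.src in HOME_NET and p.sport == 179 and p.dst not in HOME_NET
        if (to_bgp or from_bgp) and p.established and flags_match("RSF*", p) and thr.hit(p):
            alerts.append(p.t)
    return alerts


def koran_rule_alerts(packets):
    """alert tcp any any -> $HOME_NET any (flags:RA; fragbits:!MD; flow:from_client; ttl:128;)
    No threshold, so this fires once per matching packet."""
    return [p.t for p in packets
            if p.dst in HOME_NET and p.from_client and p.ttl == 128
            and flags_match("RA", p) and fragbits_match("!MD", p)]


def constructed_capture():
    """Constructed traffic (not a real capture): two 25-packet bursts of spoofed RST/ACKs
    with TTL 128 walking the window of the BGP session 192.0.2.1 -> 10.0.0.1:179,
    one genuine teardown from the real peer (TTL 255), and an unrelated RST/ACK to SSH."""
    pkts = []
    for burst_start in (0.0, 12.0):
        for i in range(25):
            pkts.append(Packet("192.0.2.1", "10.0.0.1", 41000, 179, "RA", 128, burst_start + i / 10))
    pkts.append(Packet("192.0.2.1", "10.0.0.1", 41001, 179, "RA", 255, 5.0))
    pkts.append(Packet("198.51.100.7", "10.0.0.2", 5555, 22, "RA", 128, 6.0))
    return sorted(pkts, key=lambda p: p.t)


if __name__ == "__main__":
    cap = constructed_capture()
    print("sid 2523 alerts at:", sid_2523_alerts(cap))        # one per burst
    print("Koran rule alerts:", len(koran_rule_alerts(cap)))  # one per matching packet
```

On this traffic sid 2523 produces two alerts (the 10th packet of each burst, at 0.9 s and 12.9 s) and ignores the single legitimate RST that arrives inside the first window, whereas the unthresholded rule produces 51 alerts, including one for the SSH reset that merely happens to carry TTL 128. Note that the model treats `flow:established` as a per-packet attribute; in Snort a spoofed RST only satisfies it if the stream preprocessor is tracking the BGP session, so sensors that do not see both directions of the peering may need `flow` dropped or replaced.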