[Snort-sigs] Cisco TCP RST Exploit Signature

Matthew Watchinski mwatchinski at ...435...
Tue Apr 27 19:28:10 EDT 2004


You might want to check out sid 2523, as it handles a number of other cases we 
discovered during our testing.

dos.rules:alert tcp $EXTERNAL_NET any <> $HOME_NET 179 (msg:"DOS BGP spoofed connection reset attempt"; flow:established; flags:RSF*; threshold:type both,track by_dst,count 10,seconds 10; reference:cve,CAN-2004-0230; reference:url,www.uniras.gov.uk/vuls/2004/236929/index.htm; classtype:attempted-dos; sid:2523; rev:2;)

Cheers
-matt
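As an added illustration (not code from either poster), the following Python models what the threshold clause in sid 2523 (type both, track by_dst, count 10, seconds 10) does on a stream of constructed packet records: one alert per destination per 10-second window, fired on the 10th matching packet. The Packet fields and the `established` flag that stands in for flow:established are assumptions of this model, not Snort internals.

```python
"""Model of Snort sid 2523's per-packet match plus its threshold clause. Example only."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

RST, SYN, FIN = 0x04, 0x02, 0x01  # TCP flag bits checked by flags:RSF*

@dataclass
class Packet:
    ts: float          # seconds since capture start
    src: str
    dst: str
    dport: int
    flags: int         # TCP flag bits
    established: bool  # assumed stream-tracker state, stands in for flow:established

def matches_sid_2523(p: Packet) -> bool:
    """Per-packet conditions: BGP port, established session, any of RST/SYN/FIN set."""
    return p.dport == 179 and p.established and (p.flags & (RST | SYN | FIN)) != 0

@dataclass
class ThresholdBoth:
    """threshold:type both -> alert once per window, on the count-th event, then stay quiet."""
    count: int = 10
    seconds: float = 10.0
    windows: Dict[str, Tuple[float, int]] = field(default_factory=dict)  # key -> (start, n)

    def event(self, key: str, ts: float) -> bool:
        start, n = self.windows.get(key, (None, 0))
        if start is None or ts - start >= self.seconds:
            start, n = ts, 0  # open a fresh window for this destination
        n += 1
        self.windows[key] = (start, n)
        return n == self.count  # exactly one alert per window

def run(packets: List[Packet]) -> List[float]:
    """Return timestamps at which sid 2523 would alert, tracked by destination (track by_dst)."""
    th = ThresholdBoth()
    alerts: List[float] = []
    for p in sorted(packets, key=lambda x: x.ts):
        if matches_sid_2523(p) and th.event(p.dst, p.ts):
            alerts.append(p.ts)
    return alerts

# Constructed traffic: 25 spoofed RSTs at a router's BGP port over 5 s (five per second),
# 5 RSTs at a second router (below threshold), and one lone FIN 30 s later (new window).
SAMPLE = [Packet(i // 5, "203.0.113.5", "10.0.0.1", 179, RST, True) for i in range(25)]
SAMPLE += [Packet(0, "203.0.113.5", "10.0.0.9", 179, RST, True) for _ in range(5)]
SAMPLE.append(Packet(30, "10.0.0.2", "10.0.0.1", 179, FIN, True))
```

Running `run(SAMPLE)` yields a single alert at second 1 for 10.0.0.1 (the 10th RST); the remaining 15 RSTs in that window, the 5 RSTs at 10.0.0.9, and the lone FIN produce nothing, which is the flood-suppression behaviour the threshold clause buys over the unthresholded rule below.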

David A. Koran wrote:
> Here's a preliminary signature for the RST exploit tool located at: 
> (http://www.k-otik.com/exploits/04222004.reset.dpr.php)
> 
> The TTL may vary, but I've compiled and run the tool several times 
> locally to refine it. This should work for Snort 1.9.0 and up, however, 
> since the tool creates a lot of traffic, I would recommend a threshold 
> statement for Snort 2.x and up.
> 
> ### CISCO TCP RST Exploit (04-22-2004)
> alert tcp any any -> $HOME_NET any (msg: "TCP RST Exploit"; flags:RA; 
> fragbits:!MD; flow:from_client; ttl:128; rev:1; classtype:attempted-dos; 
> reference:url,www.cisco.com/warp/public/707/cisco-sa-20040420-tcp-ios.shtml; 
> sid:1000000;)