[Snort-sigs] Cisco TCP RST Exploit Signature

Mark.Schutzmann at ...2233...
Wed Apr 28 07:16:03 EDT 2004

Any idea about why I receive the following error (with snort -T):

ERROR: Threshold-RuleOptionParse: incorrect argument count, should be 4

I am able to use other thresholding rules with snort 2.1.2. Is this rule
now part of the current/stable snort ruleset?


Matthew Watchinski <mwatchinski at ...435...>
Sent by: snort-sigs-admin at ...551...
04/27/2004 10:04 AM
To: snort-sigs at lists.sourceforge.net
cc:
Subject: Re: [Snort-sigs] Cisco TCP RST Exploit Signature

You might want to check out sid 2523, as it handles a number of other cases
discovered during our testing.

dos.rules:alert tcp $EXTERNAL_NET any <> $HOME_NET 179 (msg:"DOS BGP
connection reset attempt"; flow:established; flags:RSF*; threshold:type
by_dst,count 10,seconds 10; reference:cve,CAN-2004-0230;
classtype:attempted-dos; sid:2523; rev:2;)


David A. Koran wrote:
> Here's a preliminary signature for the RST exploit tool located at:
> (http://www.k-otik.com/exploits/04222004.reset.dpr.php)
> The TTL may vary, but I've compiled and run the tool several times
> locally to refine it. This should work for Snort 1.9.0 and up, however,
> since the tool creates a lot of traffic, I would recommend a threshold
> statement for Snort 2.x and up.
> ### CISCO TCP RST Exploit (04-22-2004)
> alert tcp any any -> $HOME_NET any (msg: "TCP RST Exploit"; flags:RA;
> fragbits:!MD; flow:from_client; ttl:128; rev:1; classtype:attempted-dos;
> sid:1000000;)
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs
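The error at the top of the thread comes from the threshold option in sid 2523 as pasted: Snort 2.x's threshold option takes exactly four comma-separated arguments (type, track, count, seconds), and "type by_dst,count 10,seconds 10" supplies only three, with no type keyword and no track. The checker below is an added example, not code from the thread or from the Snort project; it splits a rule's option list and validates the threshold option against that four-argument form, using the pasted rule and a corrected variant (my edit, not a rule from the thread) as its inputs.

```python
import re

# Snort 2.x "threshold" rule option, as Threshold-RuleOptionParse expects it:
#   threshold: type <limit|threshold|both>, track <by_src|by_dst>, count <n>, seconds <n>
# i.e. exactly four comma-separated "keyword value" arguments.
THRESHOLD_TYPES = {"limit", "threshold", "both"}
TRACK_MODES = {"by_src", "by_dst"}

def rule_options(rule):
    """Split the option list inside a rule's ( ... ) on ';', leaving quoted msg text intact."""
    body = rule[rule.index("(") + 1:rule.rindex(")")]
    return [o.strip() for o in re.findall(r'(?:[^;"]|"[^"]*")+', body) if o.strip()]

def check_threshold(rule):
    """Validate a rule's threshold option the way Snort 2.x does; returns (ok, reason)."""
    thresholds = [o for o in rule_options(rule) if o.startswith("threshold:")]
    if not thresholds:
        return True, "no threshold option"
    args = [a.strip() for a in thresholds[0].split(":", 1)[1].split(",")]
    if len(args) != 4:
        return False, f"incorrect argument count, should be 4 (got {len(args)})"
    seen = {}
    for arg in args:
        parts = arg.split()
        if len(parts) != 2:
            return False, f"malformed argument '{arg}'"
        seen[parts[0]] = parts[1]
    for key in ("type", "track", "count", "seconds"):
        if key not in seen:
            return False, f"missing '{key}'"
    if seen["type"] not in THRESHOLD_TYPES:
        return False, f"unknown type '{seen['type']}'"
    if seen["track"] not in TRACK_MODES:
        return False, f"unknown track '{seen['track']}'"
    for key in ("count", "seconds"):
        if not seen[key].isdigit() or int(seen[key]) < 1:
            return False, f"'{key}' must be a positive integer"
    return True, "ok"

# sid 2523 as pasted in the thread, rejoined onto one line: the threshold option
# carries only three arguments ("type by_dst" gives no type keyword and no track).
AS_POSTED = ('alert tcp $EXTERNAL_NET any <> $HOME_NET 179 (msg:"DOS BGP connection reset attempt"; '
             'flow:established; flags:RSF*; threshold:type by_dst,count 10,seconds 10; '
             'reference:cve,CAN-2004-0230; classtype:attempted-dos; sid:2523; rev:2;)')
# Corrected variant (added here, not from the thread): the four-argument form Snort 2.x parses.
CORRECTED = AS_POSTED.replace("threshold:type by_dst,count 10,seconds 10",
                              "threshold:type threshold, track by_dst, count 10, seconds 10")

if __name__ == "__main__":
    print(check_threshold(AS_POSTED), check_threshold(CORRECTED))
```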
