[Snort-sigs] Cisco TCP RST Exploit Signature

Mark.Schutzmann at ...2233...
Wed Apr 28 07:16:03 EDT 2004


Any idea about why I receive the following error (with snort -T):

ERROR: Threshold-RuleOptionParse: incorrect argument count, should be 4 pairs

I am able to use other thresholding rules with snort 2.1.2. Is this rule
now part of the current/stable snort ruleset?

Thanks,
Mark


Matthew Watchinski <mwatchinski at ...435...>
Sent by: snort-sigs-admin at ...551...ceforge.net
To: snort-sigs at lists.sourceforge.net
Subject: Re: [Snort-sigs] Cisco TCP RST Exploit Signature
04/27/2004 10:04 AM

You might want to check out sid 2523, as it handles a number of other cases
we discovered during our testing.

dos.rules:alert tcp $EXTERNAL_NET any <> $HOME_NET 179 (msg:"DOS BGP spoofed connection reset attempt"; flow:established; flags:RSF*; threshold:type both,track by_dst,count 10,seconds 10; reference:cve,CAN-2004-0230; reference:url,www.uniras.gov.uk/vuls/2004/236929/index.htm; classtype:attempted-dos; sid:2523; rev:2;)

Cheers
-matt

David A. Koran wrote:
> Here's a preliminary signature for the RST exploit tool located at:
> (http://www.k-otik.com/exploits/04222004.reset.dpr.php)
>
> The TTL may vary, but I've compiled and run the tool several times
> locally to refine it. This should work for Snort 1.9.0 and up, however,
> since the tool creates a lot of traffic, I would recommend a threshold
> statement for Snort 2.x and up.
>
> ### CISCO TCP RST Exploit (04-22-2004)
> alert tcp any any -> $HOME_NET any (msg: "TCP RST Exploit"; flags:RA; fragbits:!MD; flow:from_client; ttl:128; rev:1; classtype:attempted-dos; reference:url,www.cisco.com/warp/public/707/cisco-sa-20040420-tcp-ios.shtml; sid:1000000;)
>
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs



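The argument-count check behind the snort -T error quoted at the top of this message, applied to the sid 2523 rule Matt posted, as an added example that is not from this thread or from Snort's source: a hypothetical Python validator that treats the threshold option as Snort 2.x documents it (exactly four key/value pairs: type, track, count, seconds) and returns a Snort-style error text when the option is malformed. The rule is embedded rejoined onto one line, as Snort requires.

```python
"""Hypothetical validator for the Snort 2.x 'threshold' rule option: an added
example, not Snort's parser, applying the check behind the thread's snort -T
error (exactly four key/value pairs: type, track, count, seconds)."""
import re

THRESHOLD_TYPES = {"limit", "threshold", "both"}   # legal 'type' values
TRACK_VALUES = {"by_src", "by_dst"}                # legal 'track' values
REQUIRED_KEYS = {"type", "track", "count", "seconds"}

# The sid 2523 rule from the thread, rejoined onto one line as Snort needs it.
SID_2523 = ('alert tcp $EXTERNAL_NET any <> $HOME_NET 179 (msg:"DOS BGP spoofed '
            'connection reset attempt"; flow:established; flags:RSF*; '
            'threshold:type both,track by_dst,count 10,seconds 10; '
            'reference:cve,CAN-2004-0230; reference:url,www.uniras.gov.uk/vuls/2004/236929/index.htm; '
            'classtype:attempted-dos; sid:2523; rev:2;)')

def threshold_options(rule):
    """Return the argument text of each 'threshold:' option in a rule."""
    body = rule[rule.index("(") + 1:rule.rindex(")")]
    # Options end at ';' unless the ';' sits inside a quoted msg string.
    opts = re.findall(r'(\w+)\s*:\s*((?:"[^"]*"|[^;])*)', body)
    return [arg.strip() for key, arg in opts if key == "threshold"]

def parse_threshold(arg):
    """Parse 'type both,track by_dst,count 10,seconds 10' into a dict, or
    raise ValueError with a Snort-style message when it is malformed."""
    pairs = [p.split() for p in arg.split(",")]
    if len(pairs) != 4 or any(len(p) != 2 for p in pairs):
        raise ValueError("Threshold-RuleOptionParse: incorrect argument count, should be 4 pairs")
    fields = dict(pairs)
    if set(fields) != REQUIRED_KEYS:
        raise ValueError("threshold: keys must be type, track, count, seconds")
    if fields["type"] not in THRESHOLD_TYPES:
        raise ValueError("threshold: bad type %r" % fields["type"])
    if fields["track"] not in TRACK_VALUES:
        raise ValueError("threshold: bad track %r" % fields["track"])
    for k in ("count", "seconds"):
        if not fields[k].isdigit() or int(fields[k]) < 1:
            raise ValueError("threshold: %s must be a positive integer" % k)
        fields[k] = int(fields[k])
    return fields

def check_rule(rule):
    """Return 'ok' or the error text the rule's threshold option produces."""
    try:
        for arg in threshold_options(rule):
            parse_threshold(arg)
    except ValueError as err:
        return str(err)
    return "ok"
```

Dropping one pair from the embedded rule (for instance the trailing `seconds 10`) makes `check_rule` return the same "incorrect argument count, should be 4 pairs" text, so the validator can be run over a rules file before handing it to snort -T.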