[Snort-sigs] rule for detect tcpdump rsvp exploit

rmkml rmkml at ...324...
Wed Aug 31 13:25:48 EDT 2005


Hi,

Please check and add this rule:

  dos.rules:alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"DOS TCPDUMP rsvp attack"; ip_proto:46; content:"|00 08 14 01 03 00 00 00|"; reference:cve,2005-1280; reference:cve,2005-1281; reference:bugtraq,13391; classtype:attempted-dos;)

Tested on tcpdump 382: loop!
No loop on tcpdump 372.
No success with tethereal01010.

Regards
Rmkml
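
What the submitted rule checks, as an added example (not part of the original post, and not Snort's own code): a packet-level matcher for the rule's two conditions, run against constructed IPv4 packets. It assumes that `content`, given without offset or depth, is searched anywhere in the data after the IP header; the helper names and sample addresses are hypothetical.

```python
import struct

RSVP_PROTO = 46                                    # ip_proto:46
RULE_CONTENT = bytes.fromhex("0008140103000000")   # content:"|00 08 14 01 03 00 00 00|"


def parse_ipv4(packet: bytes):
    """Return (protocol, payload) for an IPv4 packet, or None if malformed."""
    if len(packet) < 20:
        return None
    version, ihl = packet[0] >> 4, packet[0] & 0x0F
    header_len = ihl * 4
    if version != 4 or header_len < 20 or len(packet) < header_len:
        return None
    total_len = struct.unpack("!H", packet[2:4])[0]
    if total_len < header_len:
        return None
    end = min(total_len, len(packet))              # ignore trailing link-layer padding
    return packet[9], packet[header_len:end]


def rule_matches(packet: bytes) -> bool:
    """True when both rule conditions hold: protocol 46 and the content bytes."""
    parsed = parse_ipv4(packet)
    if parsed is None:
        return False
    proto, payload = parsed
    # Assumption: no offset/depth in the rule, so the bytes may sit anywhere.
    return proto == RSVP_PROTO and RULE_CONTENT in payload


def build_ipv4(proto: int, payload: bytes) -> bytes:
    """Constructed test packet: checksum left at 0, documentation-range addresses."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0,
                         64, proto, 0,
                         bytes([192, 0, 2, 1]), bytes([198, 51, 100, 1]))
    return header + payload


# Constructed samples: filler bytes around the signature, not real RSVP messages.
FILLER = b"A" * 8 + RULE_CONTENT + b"B" * 4
SAMPLES = {
    "proto 46 with content": build_ipv4(46, FILLER),
    "proto 17 with content": build_ipv4(17, FILLER),
    "proto 46 without content": build_ipv4(46, b"A" * 16),
    "truncated header": b"\x45\x00",
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name}: {'alert' if rule_matches(pkt) else 'no alert'}")
```

Because the match is position-independent, any protocol-46 packet carrying those eight bytes alerts, which is worth keeping in mind when tuning for false positives.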



