[Snort-sigs] FP with EIGRP rule sid:2464

Jason Haar Jason.Haar at ...651...
Sun Aug 26 19:54:24 EDT 2007

Hi there

We are having "EXPLOIT EIGRP prefix length overflow attempt" triggering
continually on our network on EIGRP traffic between our routers. Packet
length 338 if that matters.

The CVE records refer to a bug in Ethereal from 2004. Sounds like that
old bug could be triggered by valid EIGRP packets? As such it may mean
this is a hard one to write a rule for with the current simple byte_test.

I can send someone a sample packet if they want (the content looks like
gobbledygook to me - but for all I know contains some Cisco passwords - so
no copying to the list! ;-) )


Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
