[Snort-users] Re: Q? what would have generated this.

John Sage jsage at ...2022...
Sun Nov 25 18:49:02 EST 2001


Kenneth:

The rule itself (arachNIDS 129 -- at least that which comes with 
snort-1.8.2 build 86) states:

misc.rules:
  alert tcp $HOME_NET 7161 -> $EXTERNAL_NET any
    (msg:"MISC Cisco Catalyst Remote Access";
    flags:SA; reference:arachnids,129; reference:cve,CVE-1999-0430;
    classtype:bad-unknown; sid:513; rev:1;)


So is there a possibility that $HOME_NET and $EXTERNAL_NET are 
misconfigured, or that $HOME_NET and $EXTERNAL_NET are somehow seen by 
snort as identical?

If that's so, then the packet you show below meets the rest of the rule, 
i.e. apparent source port 7161, ACK/SYN flags set.

Otherwise, the rule should only match on an *outgoing* packet, one would 
think.

I've forwarded this to the snort list, to see if anyone has any ideas...

HTH..


- John
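To illustrate the $HOME_NET/$EXTERNAL_NET point above, here is an added Python example (not from the thread and not Snort's own code) that evaluates the header part of sid 513 against a constructed inbound SYN/ACK from port 7161 under two variable settings. The handling of "any", "!" and CIDR lists is a simplified model of Snort's, and the addresses are placeholders standing in for the redacted ones.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Packet:
    """Minimal header summary of the alerted packet (constructed)."""
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # TCP flags as letters, e.g. "SA" for SYN+ACK


def in_net(ip, net_spec, vars_):
    """Simplified Snort network variable check (assumption, not Snort code):
    'any' matches everything, '$VAR' is looked up in vars_, a leading '!'
    negates, otherwise net_spec is a comma-separated list of CIDRs."""
    if net_spec == "any":
        return True
    if net_spec.startswith("!"):
        return not in_net(ip, net_spec[1:], vars_)
    if net_spec.startswith("$"):
        return in_net(ip, vars_[net_spec[1:]], vars_)
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c.strip(), strict=False)
               for c in net_spec.split(","))


def rule_matches(pkt, vars_):
    """Header part of sid 513: tcp $HOME_NET 7161 -> $EXTERNAL_NET any,
    flags:SA treated as an exact SYN+ACK match (simplification)."""
    return (pkt.sport == 7161
            and pkt.flags == "SA"
            and in_net(pkt.src, "$HOME_NET", vars_)
            and in_net(pkt.dst, "$EXTERNAL_NET", vars_))


# Constructed packets: the thread's case (SYN/ACK arriving from outside)
# and the outgoing case the rule was written for.
INBOUND_SYNACK = Packet("203.0.113.5", 7161, "192.0.2.10", 1736, "SA")
OUTBOUND_SYNACK = Packet("192.0.2.10", 7161, "203.0.113.5", 1736, "SA")

# A sane snort.conf versus one where both variables are left as "any".
SANE_VARS = {"HOME_NET": "192.0.2.0/24", "EXTERNAL_NET": "!$HOME_NET"}
BOTH_ANY_VARS = {"HOME_NET": "any", "EXTERNAL_NET": "any"}

if __name__ == "__main__":
    for label, v in (("sane vars", SANE_VARS), ("both any", BOTH_ANY_VARS)):
        print(f"{label}: inbound={rule_matches(INBOUND_SYNACK, v)} "
              f"outbound={rule_matches(OUTBOUND_SYNACK, v)}")
```

With both variables set to "any" the inbound SYN/ACK fires the rule exactly as in the ACID entry below, while a properly scoped HOME_NET/EXTERNAL_NET only fires on the outgoing packet.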


Kenneth Brown wrote:

> I know it's bad to make you think on Sundays...
> 
> Would anyone know what would have generated a
> CVE-1999-0430 from a source machine running Red Hat Linux?
> 
> I include the packet.
> src and dest have been modified to protect identities....
> I also attached the CVE.
> 
> kenneth gf brown
> ceo shadowplay.net
> 
> 
> 
> Generated by ACID v0.9.6b11 on Sun November 25, 2001 03:06:31
> 
> ------------------------------------------------------------------------------
> #(1 - 528) [2001-11-21 22:39:14] [arachNIDS/129] [CVE/CVE-1999-0430]  MISC
> Cisco Catalyst Remote Access IPv4: outsideip -> insideip
>       hlen=5 TOS=0 dlen=44 ID=0 flags=0 offset=0 TTL=43 chksum=56994
> TCP:  port=7161 -> dport: 1736  flags=***A**S* seq=3331448114
>       ack=2418700017 off=6 res=0 win=5840 urp=0 chksum=19127
>       Options:
>        #1 - MSS len=4 data=0578
> Payload: none
> 
> 
> 
> 
> CVE-1999-0430
> CVE Version: 20010918
> This is an entry on the CVE list, which standardizes names for security
> problems. It was reviewed and accepted by the CVE Editorial Board before it
> was added to CVE.
> 
> Name	CVE-1999-0430
> 
> Description	Cisco Catalyst LAN switches running Catalyst 5000 supervisor
> software allows remote attackers to perform a denial of service by forcing
> the supervisor module to reload.
> References
> ISS:Remote Denial of Service Vulnerability in Cisco Catalyst Series Ethernet
> Switches
> CISCO:Cisco Catalyst Supervisor Remote Reload
> XF:cisco-catalyst-crash
