[Snort-users] Anyone got a rule for the latest Cisco bug?

Jason Haar Jason.Haar at ...294...
Thu Jul 17 15:14:38 EDT 2003

Cisco Security Advisory: Cisco IOS Interface Blocked by IPv4 Packet

Apparently some hacked IPv4 packet sent at a Cisco router's actual IP
address can cause a table to fill up - causing the router to become unusable.

Anyone got a pattern match for it? Frankly the CERT alert about it was next
to useless - they have some example ACLs that "may" help - but there's not
enough to go on really (I mean, if I want to allow SSH access to a router
from one IP address on the Internet, can I make an ACL to allow that, and
block all other IP, or does this attack mean that if the baddie fakes the
SYN packet to match my "good" address, then the attack still works???)


Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1

More information about the Snort-users mailing list