[Snort-users] Anyone got a rule for the latest Cisco bug?

james hackerwacker at ...9340...
Thu Jul 17 16:52:02 EDT 2003

May be hard to do; Snort does not understand all of these protocols.
We would need more info to do a content match on the IP packet.
It also may be malformed protocol headers; it seems this would require
Snort to understand these protocols.

james

<snip>
Cisco routers are configured to process and accept Internet Protocol
version 4 (IPv4) packets by default. A rare, specially crafted sequence
of IPv4 packets with protocol type 53 (SWIPE), 55 (IP Mobility),
77 (Sun ND), or 103 (Protocol Independent Multicast - PIM) which is
handled by the processor on a Cisco IOS device may force the device to
incorrectly flag the input queue on an interface as full, which will
cause the router to stop processing inbound traffic on that interface.
This can cause routing protocols to drop due to dead timers.

access-list 101 deny 53 any any
access-list 101 deny 55 any any
access-list 101 deny 77 any any
access-list 101 deny 103 any any
!--- insert any other previously applied ACL entries here
!--- you must permit other protocols through to allow normal
!--- traffic -- previously defined permit lists will work
!--- or you may use the permit ip any any shown here
access-list 101 permit ip any any
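The "content match on the IP packet" the post asks about only needs the 8-bit Protocol field of the IPv4 header, which is the same field the quoted ACL filters on. The block below is an added illustration written for this archive page, not Snort code and not from the original message: a small Python IPv4 header parser that reads that field, verifies the header checksum, and reports packets whose protocol number is 53, 55, 77 or 103. The packet builder, the addresses and the sample traffic are constructed test data, not captures from the incident.

```python
"""Flag IPv4 packets whose Protocol field is one of the numbers in the advisory.

Added example for the Snort-users post above; not Snort's own code.
Everything in SAMPLE_PACKETS is constructed test data.
"""
import struct
from collections import Counter

# Protocol numbers and names as listed in the quoted Cisco advisory.
WATCHED_PROTOCOLS = {53: "SWIPE", 55: "IP Mobility", 77: "Sun ND", 103: "PIM"}


def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum over 16-bit words, as used for the IPv4 header checksum."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def parse_ipv4_header(packet: bytes):
    """Return the interesting IPv4 header fields, or None if this is not an IPv4 packet."""
    if len(packet) < 20:
        return None
    version = packet[0] >> 4
    ihl = (packet[0] & 0x0F) * 4          # header length in bytes (IHL is in 32-bit words)
    if version != 4 or ihl < 20 or len(packet) < ihl:
        return None
    total_len, _ident, _flags_frag, ttl, proto, _csum = struct.unpack("!HHHBBH", packet[2:12])
    return {
        "src": ".".join(str(b) for b in packet[12:16]),
        "dst": ".".join(str(b) for b in packet[16:20]),
        "proto": proto,
        "ttl": ttl,
        "total_len": total_len,
        # A header whose stored checksum is correct sums to zero.
        "csum_ok": ipv4_checksum(packet[:ihl]) == 0,
    }


def scan_packets(packets):
    """Return one alert dict per packet whose protocol number is on the watch list."""
    alerts = []
    for pkt in packets:
        hdr = parse_ipv4_header(pkt)
        if hdr is None:
            continue                      # not IPv4 or truncated: nothing to match on
        name = WATCHED_PROTOCOLS.get(hdr["proto"])
        if name is not None:
            alerts.append({"src": hdr["src"], "dst": hdr["dst"], "proto": hdr["proto"],
                           "name": name, "csum_ok": hdr["csum_ok"]})
    return alerts


def count_by_protocol(alerts):
    """Tally alerts per protocol number, e.g. to notice a burst of them toward one router."""
    return Counter(a["proto"] for a in alerts)


def build_ipv4(proto: int, src: str, dst: str, payload: bytes = b"") -> bytes:
    """Build a minimal 20-byte IPv4 header plus payload (constructed test data only)."""
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload),
                      0x1234, 0, 64, proto, 0, src_b, dst_b)
    csum = ipv4_checksum(hdr)             # computed with the checksum field zeroed
    return hdr[:10] + struct.pack("!H", csum) + hdr[12:] + payload


# One packet with a deliberately corrupted checksum, to show the check firing.
_bad = bytearray(build_ipv4(103, "198.51.100.7", "192.0.2.1"))
_bad[10:12] = b"\xff\xff"

# Constructed sample traffic: ordinary ICMP/TCP, the four watched protocols,
# the corrupted-checksum packet, a truncated fragment and a non-IPv4 blob.
SAMPLE_PACKETS = [
    build_ipv4(1, "192.0.2.10", "192.0.2.1", b"\x08\x00"),   # ICMP
    build_ipv4(6, "192.0.2.10", "192.0.2.1", b"\x00" * 20),  # TCP
    build_ipv4(53, "198.51.100.7", "192.0.2.1"),
    build_ipv4(55, "198.51.100.7", "192.0.2.1"),
    build_ipv4(77, "198.51.100.7", "192.0.2.1"),
    build_ipv4(103, "198.51.100.7", "192.0.2.1"),
    bytes(_bad),
    b"\x45\x00\x00\x14",                                     # truncated header
    b"\x60" + b"\x00" * 39,                                  # version nibble 6: ignored
]

if __name__ == "__main__":
    found = scan_packets(SAMPLE_PACKETS)
    for a in found:
        print("ALERT proto=%d (%s) %s -> %s checksum_ok=%s"
              % (a["proto"], a["name"], a["src"], a["dst"], a["csum_ok"]))
    print(dict(count_by_protocol(found)))
```

Two points the code makes that the ACL alone does not: a packet with a bad header checksum is still reported rather than silently dropped, since a sensor wants to see malformed traffic aimed at a router, and the per-protocol tally is what turns single hits into the "sequence" the advisory describes. Anything that is not a well-formed IPv4 header (truncated, wrong version nibble) is skipped, which is also where a matcher that does not understand the inner protocol, as the post notes, has to stop.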

