[Snort-users] Anyone got a rule for the latest Cisco bug?

Jon Hart warchild at ...8039...
Thu Jul 17 17:29:28 EDT 2003

On Fri, Jul 18, 2003 at 10:12:09AM +1200, Jason Haar wrote:
> Cisco Security Advisory: Cisco IOS Interface Blocked by IPv4 Packet
> Apparently some hacked IPv4 packet sent at a Cisco router's actual IP
> address can cause a table to fill up - causing the router to become unusable.
> Anyone got a pattern match for it? Frankly the CERT alert about it was next
> to useless - they have some example ACLs that "may" help - but there's not
> enough to go on really (I mean, if I want to allow SSH access to a router
> from one IP address on the Internet, can I make an ACL to allow that, and
> block all other IP, or does this attack mean that if the baddie fakes the
> SYN packet to match my "good" address, then the attack still works???)

The advisory has been updated:

"Cisco routers are configured to process and accept Internet Protocol
version 4 (IPv4) packets by default. A rare, specially crafted sequence
of IPv4 packets with protocol type 53 (SWIPE), 55 (IP Mobility), 77
(Sun ND), or 103 (Protocol Independent Multicast - PIM) which is
handled by the processor on a Cisco IOS device may force the device to
incorrectly flag the input queue on an interface as full, which will
cause the router to stop processing inbound traffic on that interface.
This can cause routing protocols to drop due to dead timers."

A situation like this was guessable based on their initial advisory
which said, basically, that you could protect yourself if you blocked
all unnecessary/unused protocols.

Because they aren't very specific about what this "rare, specially
crafted sequence" is, there is only so much you can do with snort
signatures.  Snort rules allow you to match based on IP protocol number,
so all we can do for now is something like this:

alert ip any any -> any any (msg:"DOS Cisco SWIPE Protocol";
alert ip any any -> any any (msg:"DOS Cisco IP Mobility Protocol";
alert ip any any -> any any (msg:"DOS Cisco Sun ND Protocol";
alert ip any any -> any any (msg:"DOS Cisco PIM Protocol";

Depending on what type of network you are on, those could be very noisy,
so use at your own risk.  Also, if you are using spp_conversation, it
could be picking up rogue packets if its configured properly:

preprocessor conversation: allowed_ip_protocols 1 6 17 47 89, timeout
180, max_conversations 65535, alert_odd_protocols

That is what I'm currently using, and I haven't heard a peep yet. 

May the force be with you,


More information about the Snort-users mailing list