[Snort-users] Rule for Cisco IOS Interface Blocked by IPv4 Packet Vulnerability

Matt Ploessel matt.ploessel at ...427...
Thu Jul 17 17:51:45 EDT 2003


In the Foundstone web seminar today covering the details of the Cisco
IOS vulnerability released this morning, some users asked for Snort
rules to detect potential Cisco DoS attempts. The simple rules below
should do the job. Tomorrow morning Foundstone will have a follow-up
seminar covering new information and our current findings. I am
interested in tracking the presence of malicious scanning for this
vulnerability in the wild. For those who apply the rules below, please
attempt to share sanitized information (number of detections and size
of IP space covered by your IDS) with me so statistics on the
vulnerability's presence can be generated from a larger consensus.

Thank You.

Information on the Foundstone web seminar:
http://www.foundstone.com/company/pressrelease_template.htm?indexid=79

Snort Rules for the Cisco IOS Interface IPv4 Packet Vulnerability

# Protocol numbers from Cisco's advisory for this bug: 53 (SWIPE),
# 55 (IP Mobility), 77 (Sun ND), 103 (PIM).  Protocol 17 is UDP and would
# alert on every UDP datagram; the advisory's fourth protocol is 77.
# ip_proto takes a colon; the sid values are local placeholders (>= 1000000).
# These match any packet of these protocols entering $HOME_NET, including
# legitimate PIM (103) from outside, not only packets addressed to a router.
alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"Cisco IPv4 DoS proto 53"; classtype:attempted-dos; ip_proto:53; sid:1000053; rev:1;)
alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"Cisco IPv4 DoS proto 55"; classtype:attempted-dos; ip_proto:55; sid:1000055; rev:1;)
alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"Cisco IPv4 DoS proto 77"; classtype:attempted-dos; ip_proto:77; sid:1000077; rev:1;)
alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"Cisco IPv4 DoS proto 103"; classtype:attempted-dos; ip_proto:103; sid:1000103; rev:1;)

...

Matt Ploessel
Network Security Engineer
Foundstone, Inc.
Strategic Security

949.297.5622 Tel 
949.297.5575 Fax 

http://www.foundstone.com

PGP Hash: 5233 27A0 E504 2887 0F6F 0218 7495 1EB2 F182 E914

This email may contain confidential and privileged information for the
sole use of the intended recipient. Content disclosure to third parties
is strictly prohibited. Verify sender and message body authenticity
against the above PGP key only, retrieved via a secure and dependable
method. Thank you.
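The following is an added example, not part of Matt's post or any Foundstone or Snort code: it applies the same test the four rules make (IP protocol 53, 55, 77 or 103, external source, $HOME_NET destination) to raw IPv4 packets offline in Python, and tallies detections per protocol, which is the statistic the post asks readers to report. Assumptions: $HOME_NET is 192.0.2.0/24 and $EXTERNAL_NET is !$HOME_NET (the usual snort.conf default); the protocol set is the one in Cisco's advisory, with 77 (Sun ND) rather than 17; the packets are constructed in the script from documentation-range addresses, not a capture. Like the Snort rules, the check does not verify that the destination is a router or inspect the TTL, so PIM (103) from a legitimate outside neighbor will also fire.

```python
import ipaddress
import struct
from collections import Counter

# IP protocol numbers named in Cisco's July 2003 advisory for this bug.
CISCO_IPV4_PROTOS = {53: "SWIPE", 55: "IP Mobility", 77: "Sun ND", 103: "PIM"}

# Stand-in for Snort's $HOME_NET; assumed value for this example.
# $EXTERNAL_NET is taken to be !$HOME_NET, the usual snort.conf default.
HOME_NET = ipaddress.ip_network("192.0.2.0/24")


def build_ipv4(src, dst, proto, ttl=64, payload=b""):
    """Construct a minimal IPv4 packet (20-byte header, no options) as test
    input.  The header checksum is left zero; the detector does not check it."""
    header = struct.pack(
        "!BBHHHBBH4s4s",
        0x45,                 # version 4, IHL 5 (20 bytes)
        0,                    # TOS
        20 + len(payload),    # total length
        0, 0,                 # identification, flags/fragment offset
        ttl, proto,
        0,                    # header checksum (not computed)
        ipaddress.ip_address(src).packed,
        ipaddress.ip_address(dst).packed,
    )
    return header + payload


def parse_ipv4(pkt):
    """Return the header fields the rule needs, or None if pkt is not a
    well-formed IPv4 header (wrong version, IHL < 5, or truncated)."""
    if len(pkt) < 20:
        return None
    ver_ihl, _tos, _tlen, _id, _frag, ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or len(pkt) < ihl:
        return None
    return {"ttl": ttl, "proto": proto,
            "src": ipaddress.ip_address(src), "dst": ipaddress.ip_address(dst)}


def match_cisco_ipv4_rule(pkt, home_net=HOME_NET):
    """Same test as the posted rules:
        alert ip $EXTERNAL_NET any -> $HOME_NET any (... ip_proto:N;)
    for N in 53, 55, 77, 103.  Returns a dict describing the alert, or None.
    As with the Snort rules, no check that dst is a router and no TTL check,
    so legitimate PIM (103) from an outside neighbor also matches."""
    hdr = parse_ipv4(pkt)
    if hdr is None or hdr["proto"] not in CISCO_IPV4_PROTOS:
        return None
    if hdr["src"] in home_net or hdr["dst"] not in home_net:
        return None
    return {"msg": "Cisco IPv4 DoS", "proto": hdr["proto"],
            "name": CISCO_IPV4_PROTOS[hdr["proto"]],
            "src": str(hdr["src"]), "dst": str(hdr["dst"]), "ttl": hdr["ttl"]}


def count_alerts(packets, home_net=HOME_NET):
    """Per-protocol detection counts, the statistic the post asks readers to
    report back."""
    counts = Counter()
    for pkt in packets:
        hit = match_cisco_ipv4_rule(pkt, home_net)
        if hit:
            counts[hit["proto"]] += 1
    return counts


# Constructed test traffic (documentation-range addresses), not a real capture.
SAMPLE_PACKETS = [
    build_ipv4("198.51.100.7", "192.0.2.1", 53, ttl=1),   # external -> home, SWIPE: alert
    build_ipv4("198.51.100.7", "192.0.2.1", 55, ttl=1),   # IP Mobility: alert
    build_ipv4("198.51.100.7", "192.0.2.1", 77, ttl=1),   # Sun ND: alert
    build_ipv4("198.51.100.9", "192.0.2.1", 103),         # PIM from outside: alert (possibly benign)
    build_ipv4("198.51.100.7", "192.0.2.10", 17, payload=b"\x00" * 8),  # UDP: no alert
    build_ipv4("192.0.2.5", "192.0.2.1", 103),            # PIM between home hosts: not $EXTERNAL_NET
    build_ipv4("192.0.2.5", "198.51.100.7", 53),          # outbound: wrong direction
    b"\x60" + b"\x00" * 39,                               # IPv6 header bytes: not IPv4, ignored
]

if __name__ == "__main__":
    for pkt in SAMPLE_PACKETS:
        hit = match_cisco_ipv4_rule(pkt)
        if hit:
            print(f"[**] {hit['msg']} proto {hit['proto']} ({hit['name']}) "
                  f"{hit['src']} -> {hit['dst']} ttl={hit['ttl']}")
    print("detections per protocol:", dict(count_alerts(SAMPLE_PACKETS)))
```

Run as a script it prints one alert line per matching constructed packet and the per-protocol tally; to use it on real traffic, feed the IPv4 layer of each captured frame to count_alerts in place of SAMPLE_PACKETS.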



