[Snort-users] Anyone got a rule for the latest Cisco bug?

Stephen Dunn sdunn at ...9569...
Thu Jul 17 18:01:12 EDT 2003


"Cisco routers are configured to process and accept Internet Protocol
version 4 (IPv4) packets by default. A rare, specially crafted sequence of
IPv4 packets with protocol type 53 (SWIPE), 55 (IP Mobility), 77 (Sun ND),
or 103 (Protocol Independent Multicast - PIM) which is handled by the
processor on a Cisco IOS device may force the device to incorrectly flag
the input queue on an interface as full, which will cause the router to
stop processing inbound traffic on that interface. This can cause routing
protocols to drop due to dead timers"

Unless you use ip protocols 53, 55, 77, and 103 on your network (Not too
likely in most environments), you may want to setup a rule(s) like:

alert ip any any <> any any (msg:"Cisco Input Queue DOS"; ip_proto: 53;)
alert ip any any <> any any (msg:"Cisco Input Queue DOS"; ip_proto: 55;)
alert ip any any <> any any (msg:"Cisco Input Queue DOS"; ip_proto: 77;)
alert ip any any <> any any (msg:"Cisco Input Queue DOS"; ip_proto: 103;)

I imagine there is a bit more mischief in the ip header than just the
non-standard protocol, but this may tide you over until Brian or someone
else gets better details on the exploit to create a more distinct
signature.  Meanwhile, ingress/egress filters on your Cisco routers should
protect you while you wait to upgrade your IOS.  Details for the ACL
implementation are in the above-mentioned link.

Stephen Dunn

> Cisco Security Advisory: Cisco IOS Interface Blocked by IPv4 Packet
> Apparently some hacked IPv4 packet sent at a Cisco router's actual IP
> address can cause a table to fill up - causing the router to become
> unusable.
> Anyone got a pattern match for it? Frankly the CERT alert about it was
> next to useless - they have some example ACLs that "may" help - but
> there's not enough to go on really (I mean, if I want to allow SSH
> access to a router from one IP address on the Internet, can I make an
> ACL to allow that, and block all other IP, or does this attack mean that
> if the baddie fakes the SYN packet to match my "good" address, then the
> attack still works???)
> --
> Cheers
> Jason Haar
> Information Security Manager, Trimble Navigation Ltd.
> Phone: +64 3 9635 377 Fax: +64 3 9635 417
> PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
> -------------------------------------------------------
> This SF.net email is sponsored by: VM Ware
> With VMware you can run multiple operating systems on a single machine.
> WITHOUT REBOOTING! Mix Linux / Windows / Novell virtual machines at the
> same time. Free trial click here: http://www.vmware.com/wl/offer/345/0
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users

More information about the Snort-users mailing list