[Snort-users] Anyone got a rule for the latest Cisco bug?

Jon Hart warchild at ...8039...
Thu Jul 17 18:04:47 EDT 2003


On Thu, Jul 17, 2003 at 05:43:10PM -0700, twig les wrote:
> If you create a variable in snort.conf for your Cisco interfaces
> (including loopbacks?  hmmm...) and use that variable as the
> destination instead of "any" you might actually get some good
> mileage from the examples below.  Of course I'm not too familiar
> with these protocols so they may have a legitimate reason to
> talk directly to a router, but I doubt it (aside from NAT).
> 
> May the schwartz be with *you*

Yeah, good point.  I guess it's partially a matter of preference, and
partially a matter of how your network is configured.  When someone
starts to exploit this, chances are that they won't be targeted attacks,
but rather sprayings of packets over entire networks.  Sure, if a
particularly malicious user wanted to, they could probably target their
attacks and be pretty good about it, but personally I'd rather see both
apparently targeted attacks and mass "packeting".  That said, maybe
these are a bit better (wrapped at 80 characters -- if you use these, be
sure to format them correctly in your rule files):

alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"DOS Cisco SWIPE \
Protocol"; ip_proto:53; classtype:attempted-dos; \
reference:url,www.cisco.com/warp/public/707/cisco-sa-20030717-blocked.shtml; \
rev:2;)

alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"DOS Cisco IP \
Mobility Protocol"; ip_proto:55; classtype:attempted-dos; \
reference:url,www.cisco.com/warp/public/707/cisco-sa-20030717-blocked.shtml; \
rev:2;)

alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"DOS Cisco Sun ND \
Protocol"; ip_proto:77; classtype:attempted-dos; \
reference:url,www.cisco.com/warp/public/707/cisco-sa-20030717-blocked.shtml; \
rev:2;)

alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"DOS Cisco PIM \
Protocol"; ip_proto:103; classtype:attempted-dos; \
reference:url,www.cisco.com/warp/public/707/cisco-sa-20030717-blocked.shtml; \
rev:2;)
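As an added illustration (not part of the original post or of Snort itself), a Python sketch of the check these four rules perform: decode the IPv4 header, test ip_proto against 53/55/77/103, require an $EXTERNAL_NET source, and, following the quoted reply's suggestion, require the destination to be a router interface rather than anything in $HOME_NET. The networks, addresses, the $CISCO_INTERFACES variable and the sample packets are all hypothetical and constructed here.

```python
import ipaddress
import struct

# Protocol numbers the four rules above match, keyed to their rule messages.
WATCHED_PROTOCOLS = {
    53: "DOS Cisco SWIPE Protocol",
    55: "DOS Cisco IP Mobility Protocol",
    77: "DOS Cisco Sun ND Protocol",
    103: "DOS Cisco PIM Protocol",
}
# Hypothetical layout: $HOME_NET, plus a $CISCO_INTERFACES variable holding the
# router interface addresses, as the quoted reply suggests.
HOME_NET = [ipaddress.ip_network("10.0.0.0/8")]
CISCO_INTERFACES = {ipaddress.ip_address("10.0.0.1"), ipaddress.ip_address("10.1.0.1")}
IPV4_HDR = "!BBHHHBBH4s4s"  # ver/IHL, TOS, len, id, frag, TTL, proto, csum, src, dst

def build_ipv4(proto, src, dst):
    """Construct a minimal 20-byte IPv4 header (sample input; no payload, zero checksum)."""
    return struct.pack(IPV4_HDR, 0x45, 0, 20, 0, 0, 64, proto, 0,
                       ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)

def parse_ipv4(packet):
    """Return (protocol, src, dst) from a raw IPv4 packet, or None if it is not IPv4."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    f = struct.unpack(IPV4_HDR, packet[:20])
    return f[6], ipaddress.ip_address(f[8]), ipaddress.ip_address(f[9])

def match_rule(packet):
    """Apply the rules' logic: $EXTERNAL_NET source, watched ip_proto, Cisco interface dest."""
    parsed = parse_ipv4(packet)
    if parsed is None:
        return None
    proto, src, dst = parsed
    if proto not in WATCHED_PROTOCOLS or any(src in net for net in HOME_NET):
        return None  # not a watched ip_proto, or source is inside $HOME_NET
    # The rules as posted use $HOME_NET here; this is the tightened destination.
    return WATCHED_PROTOCOLS[proto] if dst in CISCO_INTERFACES else None

def scan(packets):
    """Return the rule messages fired by a list of raw packets, in order."""
    return [m for m in map(match_rule, packets) if m]

SAMPLE_PACKETS = [  # constructed packets, not captured traffic
    build_ipv4(103, "192.0.2.7", "10.0.0.1"),    # PIM to a router interface: alert
    build_ipv4(55, "192.0.2.7", "10.0.0.50"),    # IP Mobility to a host: no alert
    build_ipv4(6, "192.0.2.7", "10.0.0.1"),      # TCP to the router: not a watched protocol
    build_ipv4(77, "10.0.0.9", "10.1.0.1"),      # Sun ND from inside $HOME_NET: no alert
    build_ipv4(53, "198.51.100.3", "10.1.0.1"),  # SWIPE to a router interface: alert
]
```

Running `scan(SAMPLE_PACKETS)` fires only the PIM and SWIPE messages; the host-bound and inside-sourced packets that the posted `$HOME_NET any` rules would also flag stay quiet.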
