[Snort-users] Anyone got a rule for the latest Cisco bug?

McLaughlin, Andrew Andrew.McLaughlin at ...9580...
Thu Jul 17 18:48:26 EDT 2003


Any idea when this will be available via snortcenter rules update or
should I just add it manually?

-----Original Message-----
From: twig les [mailto:twigles at ...131...] 
Sent: Friday, 18 July 2003 10:43 AM
To: Jon Hart; Jason Haar
Cc: snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] Anyone got a rule for the latest Cisco bug?


If you create a variable in snort.conf for your Cisco interfaces
(including loopbacks?  hmmm...) and use that variable as the destination
instead of "any" you might actually get some good mileage from the
examples below.  Of course I'm not too familiar with these protocols so
they may have a legitimate reason to talk directly to a router, but I
doubt it (aside from NAT).

May the schwartz be with *you*

> so all we can do for now is something like this:
> 
> alert ip any any -> any any (msg:"DOS Cisco SWIPE Protocol"; ip_proto:53;)
> alert ip any any -> any any (msg:"DOS Cisco IP Mobility Protocol"; ip_proto:55;)
> alert ip any any -> any any (msg:"DOS Cisco Sun ND Protocol"; ip_proto:77;)
> alert ip any any -> any any (msg:"DOS Cisco PIM Protocol"; ip_proto:103;)
> 
> Depending on what type of network you are on, those could be very
> noisy, so use at your own risk.  Also, if you are using
> spp_conversation, it could be picking up rogue packets if it's
> configured properly:
> 
> preprocessor conversation: allowed_ip_protocols 1 6 17 47 89, timeout 180, max_conversations 65535, alert_odd_protocols
> 
> That is what I'm currently using, and I haven't heard a peep yet.
> 
> May the force be with you,
> 
> -jon
> 
> 
> 
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users


=====
-----------------------------------------------------------
Emo is what happens when the glee club goes punk.       
-----------------------------------------------------------
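The two checks discussed in the quoted messages, as an added example that is not part of the thread: a small Python classifier that decodes a raw IPv4 header, fires the four ip_proto rules only when the destination is one of the router addresses (the snort.conf variable twig les suggests, assumed here to be called CISCO_IFACES with constructed addresses), and separately flags any protocol outside the allowed_ip_protocols list from the spp_conversation line. The sample packets are constructed inline.

```python
import ipaddress
import struct

# Protocol numbers and messages from the quoted rules.
CISCO_RULES = {53: "DOS Cisco SWIPE Protocol", 55: "DOS Cisco IP Mobility Protocol",
               77: "DOS Cisco Sun ND Protocol", 103: "DOS Cisco PIM Protocol"}
# allowed_ip_protocols from the quoted spp_conversation line.
ALLOWED_IP_PROTOCOLS = {1, 6, 17, 47, 89}
# Stand-in for a snort.conf variable listing router interface addresses
# (assumed name; the addresses are constructed for this example).
CISCO_IFACES = {ipaddress.ip_address(a) for a in ("192.0.2.1", "192.0.2.254")}

def parse_ipv4_header(pkt: bytes):
    """Return (proto, src, dst) from a raw IPv4 packet, or None if it is not IPv4."""
    if len(pkt) < 20:
        return None
    ver_ihl = pkt[0]
    if ver_ihl >> 4 != 4:
        return None
    if (ver_ihl & 0x0F) * 4 > len(pkt):  # declared header length must fit
        return None
    proto = pkt[9]
    src = ipaddress.ip_address(pkt[12:16])
    dst = ipaddress.ip_address(pkt[16:20])
    return proto, src, dst

def classify(pkt: bytes):
    """Return the alert strings one packet would raise under both checks."""
    parsed = parse_ipv4_header(pkt)
    if parsed is None:
        return []
    proto, src, dst = parsed
    alerts = []
    # ip_proto rules restricted to the router addresses instead of "any".
    if proto in CISCO_RULES and dst in CISCO_IFACES:
        alerts.append(f"{CISCO_RULES[proto]} {src} -> {dst} proto {proto}")
    # alert_odd_protocols: anything outside allowed_ip_protocols.
    if proto not in ALLOWED_IP_PROTOCOLS:
        alerts.append(f"odd IP protocol {proto} {src} -> {dst}")
    return alerts

def make_packet(proto: int, src: str, dst: str) -> bytes:
    """Build a minimal 20-byte IPv4 header (constructed input; checksum left zero)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, proto, 0,
                       ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
```

A PIM packet to a non-router host trips only the odd-protocol check, which is the noise twig les is trying to cut by using the variable as the destination.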


