[Snort-users] Anyone got a rule for the latest Cisco bug?

Du Feu, Richard r.dufeu at ...9670...
Fri Jul 18 02:17:07 EDT 2003

I'm fairly new to snort and am not yet good at writing rules for it, however I do have a packet capture of an attack against a cisco device.  This is the exploit released on netssys. It looks roughly like this:

09:45:29.846575 > a.b.c.d:  ip-proto-53 26 [ttl 1] (id 17168, len 46)
09:45:29.846738 > a.b.c.d: mobile > a.b.c.d: [] > (oproto=0) (bad checksum 515) [ttl 1] (id 6925, len 46)
09:45:29.846770 > a.b.c.d:  nd 26 [ttl 1] (id 38906, len 46)
09:45:29.846795 > a.b.c.d: pim v0 [ttl 1] (id 8220, len 46)

The ttl needs to be the number of hops to the target system. The source IPs are spoofed. Is this enough for someone who is clued up to write a rule for it?  


-----Original Message-----
From: Jason Haar [mailto:Jason.Haar at ...294...]
Sent: 17 July 2003 23:12
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] Anyone got a rule for the latest Cisco bug?

Cisco Security Advisory: Cisco IOS Interface Blocked by IPv4 Packet

Apparently some hacked IPv4 packet sent at a Cisco router's actual IP
address can cause a table to fill up - causing the router to become unusable.

Anyone got a pattern match for it? Frankly the CERT alert about it was next
to useless - they have some example ACLs that "may" help - but there's not
enough to go on really (I mean, if I want to allow SSH access to a router
from one IP address on the Internet, can I make an ACL to allow that, and
block all other IP, or does this attack mean that if the baddie fakes the
SYN packet to match my "good" address, then the attack still works???)


Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1

This SF.net email is sponsored by: VM Ware
With VMware you can run multiple operating systems on a single machine.
WITHOUT REBOOTING! Mix Linux / Windows / Novell virtual machines at the
same time. Free trial click here: http://www.vmware.com/wl/offer/345/0
Snort-users mailing list
Snort-users at lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
Snort-users list archive:

More information about the Snort-users mailing list