[Snort-users] Anyone got a rule for the latest Cisco bug?
erek at ...950...
Fri Jul 18 02:30:05 EDT 2003
On Fri, 18 Jul 2003, Du Feu, Richard wrote:
> I'm fairly new to snort and am not yet good at writing rules for it,
> however I do have a packet capture of an attack against a cisco device.
> This is the exploit released on netssys. It looks roughly like this:
> 09:45:29.846575 184.108.40.206 > a.b.c.d: ip-proto-53 26 [ttl 1] (id 17168, len 46)
> 09:45:29.846738 0.246.255.32 > a.b.c.d: mobile 0.246.255.32 > a.b.c.d: > 220.127.116.11 (oproto=0) (bad checksum 515) [ttl 1] (id 6925, len 46)
> 09:45:29.846770 18.104.22.168 > a.b.c.d: nd 26 [ttl 1] (id 38906, len 46)
> 09:45:29.846795 22.214.171.124 > a.b.c.d: pim v0 [ttl 1] (id 8220, len 46)
> The ttl needs to be the number of hops to the target system. The source
> IPs are spoofed. Is this enough for someone who is clued up to write a
> rule for it?
It's something to start with, but it's not quite enough to get a really
good sig. A "full" packet capture of the entire packet would be the best
thing. Granted, these are small packets but it's still nice to have.
Besides, who doesn't like to read hex?!? :)
"When things get weird, the weird turn pro." H.S. Thompson
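An added worked example, not part of either message above and not a rule from the Snort project: the capture shows four IP protocols by tcpdump name (ip-proto-53, mobile, nd, pim), which are IANA protocol numbers 53, 55, 77 and 103. The script below builds constructed packets with the ids, TTL and length from the capture (addresses are placeholders), parses the IPv4 header, and applies the same protocol-number check a Snort `ip_proto` rule would. The quoted Snort rule is illustrative, with a local-range SID chosen here. TTL is reported but not matched on: the exploit sets it to the hop count, so only a sensor adjacent to the target sees the ttl 1 from the capture.

```python
import struct
from dataclasses import dataclass
from typing import Optional

# IP protocol numbers behind the names tcpdump printed in the capture:
# ip-proto-53 (SWIPE), mobile (55), nd (77), pim (103). IANA numbers; the
# post itself only shows tcpdump's names.
SUSPECT_PROTOS = {53: "swipe", 55: "mobile", 77: "nd", 103: "pim"}

# Illustrative Snort 2 rule for one of the four protocols (ip_proto takes a
# single number, so one rule per protocol). sid 1000001 is a local-range
# placeholder chosen for this example, not an official signature.
EXAMPLE_RULE = (
    'alert ip any any -> $HOME_NET any (msg:"Cisco IOS IPv4 blocked-interface '
    'DoS, ip-proto 53"; ip_proto:53; classtype:attempted-dos; sid:1000001; rev:1;)'
)


@dataclass
class IPv4Header:
    ttl: int
    proto: int
    ident: int
    total_len: int
    src: str
    dst: str


def _dotted(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def _undotted(s: str) -> bytes:
    return bytes(int(x) for x in s.split("."))


def ip_checksum(hdr: bytes) -> int:
    """RFC 1071 one's-complement checksum over the IPv4 header; returns 0 when
    run over a header whose checksum field is already correct."""
    if len(hdr) % 2:
        hdr += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(proto: int, ttl: int, ident: int, src: str, dst: str,
               payload: bytes = b"\x00" * 26) -> bytes:
    """Constructed test packet: 20-byte header plus payload, valid checksum.
    The default 26-byte payload gives len 46, matching the capture."""
    total_len = 20 + len(payload)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, ident, 0, ttl,
                      proto, 0, _undotted(src), _undotted(dst))
    hdr = hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]
    return hdr + payload


def parse_ipv4(pkt: bytes) -> IPv4Header:
    """Parse the IPv4 header; raise ValueError on non-IPv4, truncated or
    corrupt input so the detector skips such frames instead of misfiring."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, _tos, total_len, ident, _ff, ttl, proto, _csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (ver_ihl & 0x0F) * 4
    if ihl < 20 or len(pkt) < ihl:
        raise ValueError("bad IHL")
    if ip_checksum(pkt[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    return IPv4Header(ttl, proto, ident, total_len, _dotted(src), _dotted(dst))


def match_cisco_ipv4_dos(pkt: bytes) -> Optional[str]:
    """The ip_proto check the rule above performs. Source addresses are
    spoofed per the question, so nothing is keyed on them; TTL is reported
    as context only."""
    try:
        h = parse_ipv4(pkt)
    except ValueError:
        return None
    name = SUSPECT_PROTOS.get(h.proto)
    if name is None:
        return None
    ttl_note = " (ttl<=1: sensor adjacent to target)" if h.ttl <= 1 else ""
    return (f"ALERT ip-proto {h.proto} ({name}) {h.src} -> {h.dst} "
            f"ttl={h.ttl} id={h.ident} len={h.total_len}{ttl_note}")


# Constructed traffic modelled on the capture (ids, ttl and length taken from
# it; addresses are placeholders) plus a plain TCP frame and a truncated one.
SAMPLE_PACKETS = [
    build_ipv4(53, 1, 17168, "10.0.0.1", "10.0.0.254"),
    build_ipv4(55, 1, 6925, "10.0.0.2", "10.0.0.254"),
    build_ipv4(77, 1, 38906, "10.0.0.3", "10.0.0.254"),
    build_ipv4(103, 1, 8220, "10.0.0.4", "10.0.0.254"),
    build_ipv4(6, 64, 1, "10.0.0.5", "10.0.0.254", b"\x00" * 20),
    b"\x45\x00\x00",
]


def scan(packets) -> list:
    """Run the check over a packet list and return only the alerts."""
    return [a for a in (match_cisco_ipv4_dos(p) for p in packets) if a]


if __name__ == "__main__":
    print(EXAMPLE_RULE)
    for alert in scan(SAMPLE_PACKETS):
        print(alert)
```

Running it prints the rule and four alerts, one per suspect protocol; the TCP frame and the truncated frame produce nothing. A real sensor would feed `match_cisco_ipv4_dos` the IP layer of each captured frame and, as the reply says, keeping the full packet bytes from a capture is what lets you confirm the header fields before committing to a rule.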