[Snort-users] Anyone got a rule for the latest Cisco bug?

Erek Adams erek at ...950...
Fri Jul 18 02:30:05 EDT 2003


On Fri, 18 Jul 2003, Du Feu, Richard wrote:

> I'm fairly new to snort and am not yet good at writing rules for it,
> however I do have a packet capture of an attack against a cisco device.
> This is the exploit released on netssys. It looks roughly like this:
>
> 09:45:29.846575 8.145.50.78 > a.b.c.d:  ip-proto-53 26 [ttl 1] (id
> 17168, len 46)
> 09:45:29.846738 0.246.255.32 > a.b.c.d: mobile 0.246.255.32 > a.b.c.d:
> [] > 4.5.6.7 (oproto=0) (bad checksum 515) [ttl 1] (id 6925, len 46)
> 09:45:29.846770 201.211.15.73 > a.b.c.d:  nd 26 [ttl 1] (id 38906, len 46)
> 09:45:29.846795 61.81.217.4 > a.b.c.d: pim v0 [ttl 1] (id 8220, len 46)
>
> The ttl needs to be the number of hops to the target system. The source
> IPs are spoofed. Is this enough for someone who is clued up to write a
> rule for it?

It's something to start with, but it's not quite enough to get a really
good sig.  A "full" packet capture of the entire packet would be the best
thing.  Granted, these are small packets but it's still nice to have.
Besides, who doesn't like to read hex?!?  :)

Cheers!

-----
Erek Adams

   "When things get weird, the weird turn pro."   H.S. Thompson
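Added example (not part of the original thread, and not Erek's or Richard's code): a small Python script that turns the quoted tcpdump summary lines into the matching criteria a first-cut Snort rule would use, so the logic can be checked against the capture before anything is deployed. It assumes tcpdump prints "mobile", "nd" and "pim" for IP protocols 55, 77 and 103 and "ip-proto-N" for protocols it has no printer for (hence ip-proto-53), and that the TTL appears either as "[ttl N]" (TTL of 1 or less) or inside the verbose "(ttl N, id ..., len ...)" suffix. The Snort rules it prints use assumed Snort 2 syntax (ip_proto and ttl keywords) and sid values from the local range; the names parse_record, detect, unwrap and snort_rules are the example's own.

```python
import re

# tcpdump's names for the IP protocol numbers in the quoted capture
# (assumption about tcpdump's naming; 53 has no printer, so it shows as ip-proto-53).
TCPDUMP_PROTO_NAMES = {"mobile": 55, "nd": 77, "pim": 103}

# The four protocol numbers seen in the capture; a rule watches for these.
WATCHED_PROTOS = {53, 55, 77, 103}

HEADER_RE = re.compile(
    r"^(?P<time>\d{2}:\d{2}:\d{2}\.\d+)\s+(?P<src>\S+)\s+>\s+(?P<dst>[^\s:]+):\s*(?P<rest>.*)$"
)
# "[ttl N]" is printed for TTL <= 1; verbose output shows "(ttl N, id ..." otherwise
# (assumption about the tcpdump output format of the time).
TTL_RE = re.compile(r"[\[(]ttl (\d+)[\],]")
TIMESTAMP_RE = re.compile(r"^\d{2}:\d{2}:\d{2}\.\d+ ")

# The four records quoted in the thread, still wrapped the way the mail client left them.
CAPTURE = """\
09:45:29.846575 8.145.50.78 > a.b.c.d:  ip-proto-53 26 [ttl 1] (id
17168, len 46)
09:45:29.846738 0.246.255.32 > a.b.c.d: mobile 0.246.255.32 > a.b.c.d:
[] > 4.5.6.7 (oproto=0) (bad checksum 515) [ttl 1] (id 6925, len 46)
09:45:29.846770 201.211.15.73 > a.b.c.d:  nd 26 [ttl 1] (id 38906, len 46)
09:45:29.846795 61.81.217.4 > a.b.c.d: pim v0 [ttl 1] (id 8220, len 46)
"""


def unwrap(lines):
    """Re-join tcpdump records that were wrapped onto extra lines in the mail."""
    records = []
    for line in lines:
        line = line.rstrip("\n")
        if not line.strip():
            continue
        if TIMESTAMP_RE.match(line) or not records:
            records.append(line)
        else:
            records[-1] += " " + line.strip()
    return records


def parse_record(record):
    """Return (src, dst, ip_proto, ttl) for one tcpdump record, or None if unparseable."""
    m = HEADER_RE.match(record)
    if not m:
        return None
    rest = m.group("rest")
    generic = re.match(r"ip-proto-(\d+)", rest)
    if generic:
        proto = int(generic.group(1))
    else:
        proto = TCPDUMP_PROTO_NAMES.get(rest.split(" ", 1)[0])
    ttl = TTL_RE.search(record)
    if proto is None or ttl is None:
        return None
    return m.group("src"), m.group("dst"), proto, int(ttl.group(1))


def detect(lines, max_ttl=1):
    """Flag records carrying a watched IP protocol with TTL at most max_ttl.

    The capture shows TTL 1 because the sender sets it to the hop count to the
    target; a sensor that is not the target sees whatever TTL is left at its hop,
    so the threshold is a parameter rather than a constant.
    """
    hits = []
    for record in unwrap(lines):
        parsed = parse_record(record)
        if parsed and parsed[2] in WATCHED_PROTOS and parsed[3] <= max_ttl:
            hits.append(parsed)
    return hits


def snort_rules(first_sid=1000001, max_ttl=1):
    """Draft Snort 2 rules (assumed syntax) expressing the same criteria as detect()."""
    return [
        f'alert ip any any -> $HOME_NET any (msg:"IP protocol {p} with TTL <= {max_ttl}"; '
        f"ip_proto:{p}; ttl:<{max_ttl + 1}; sid:{first_sid + i}; rev:1;)"
        for i, p in enumerate(sorted(WATCHED_PROTOS))
    ]


if __name__ == "__main__":
    for hit in detect(CAPTURE.splitlines()):
        print("ALERT", hit)
    print("\n".join(snort_rules()))
```

Running it flags all four quoted records and prints one rule per protocol. Because the match keys only on the protocol number and a TTL ceiling, legitimate traffic using those protocols (PIM in particular) near the sensor will trip it, which is the reason Erek asks for the full packet bytes: the payload is what would let the rule be tightened with content matches.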
