[Snort-users] Suggested Sig for Cisco DOS Vulnerability

Muenz, Michael linux at ...6950...
Fri Jul 18 05:59:21 EDT 2003


> Hey guys,
> Doesn't look like an exploit exists as of yet but Cisco just released what IP
> protocols cause the DOS so it won't be long until there is one!

On heise.de ... a public German IT news site, they told about
exploits found in the wild.

> Here's what I'm using to try to identify this traffic:
> alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"IP Protocol 53 Cisco DOS Packet"; ip_proto: 53; classtype:denial-of-service;)
> alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"IP Protocol 55 Cisco DOS Packet"; ip_proto: 55; classtype:denial-of-service;)
> alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"IP Protocol 77 Cisco DOS Packet"; ip_proto: 77; classtype:denial-of-service;)
> alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"IP Protocol 103 Cisco DOS Packet"; ip_proto: 103; classtype:denial-of-service;)

proto 53 is very noisy in my network. In my list it's only
called "SWIPE - IP with Encryption".

- Michael
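
An added example, not part of the original thread: before enabling the four `ip_proto` rules quoted above, a baseline of which sources already send those protocols shows whether a rule (protocol 53 in the reply) will be noisy. The function names, the threshold and the sample packets are assumptions made for this sketch; the protocol names come from the IANA protocol-number registry.

```python
import struct
from collections import Counter

# Protocol numbers from the quoted rules; names per the IANA registry.
WATCHED = {53: "SWIPE", 55: "MOBILE", 77: "SUN-ND", 103: "PIM"}

def parse_ipv4(pkt: bytes):
    """Return (protocol, src, dst) for a raw IPv4 packet, or None if malformed."""
    if len(pkt) < 20:
        return None
    version, ihl = pkt[0] >> 4, (pkt[0] & 0x0F) * 4
    if version != 4 or ihl < 20 or len(pkt) < ihl:
        return None
    src = ".".join(map(str, pkt[12:16]))
    dst = ".".join(map(str, pkt[16:20]))
    return pkt[9], src, dst  # byte 9 is the field ip_proto matches on

def tally(packets):
    """Count watched-protocol packets per (protocol, source address)."""
    counts = Counter()
    for pkt in packets:
        parsed = parse_ipv4(pkt)
        if parsed and parsed[0] in WATCHED:
            counts[(parsed[0], parsed[1])] += 1
    return counts

def noisy_sources(counts, threshold):
    """(protocol, source) pairs at or above threshold: review before alerting."""
    return sorted(k for k, n in counts.items() if n >= threshold)

def make_header(proto, src, dst):
    """Build a constructed 20-byte IPv4 header (checksum left at zero)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, proto, 0,
                       bytes(map(int, src.split("."))),
                       bytes(map(int, dst.split("."))))

# Constructed sample traffic using documentation addresses, not a real capture.
SAMPLE = ([make_header(53, "192.0.2.10", "198.51.100.1")] * 5
          + [make_header(103, "192.0.2.20", "198.51.100.1")]
          + [make_header(6, "192.0.2.30", "198.51.100.1")]   # TCP, ignored
          + [b"\x45\x00"])                                    # truncated, skipped

if __name__ == "__main__":
    counts = tally(SAMPLE)
    for (proto, src), n in sorted(counts.items()):
        print(f"proto {proto} ({WATCHED[proto]}) from {src}: {n}")
    print("noisy:", noisy_sources(counts, 3))
```
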




