[Snort-users] Rule for Cisco IOS Interface Blocked by IPv4 Packet Vulnerability

Matt Ploessel matt.ploessel at ...427...
Fri Jul 18 08:08:07 EDT 2003


Pawel,

Good observation, a simple fat-fingered mistake on my part. Thank you
for pointing it out.


> -----Original Message-----
> From: Pawel Rogocz [mailto:pawel at ...5803...] 
> Sent: Friday, July 18, 2003 2:08 AM
> To: Matt Ploessel
> Cc: snort-users at lists.sourceforge.net; 
> jason.haar at ...294...; hackwacker at ...9340...
> Subject: Re: [Snort-users] Rule for Cisco IOS Interface 
> Blocked by IPv4 Packet Vulnerability
> 
> 
> Yeah right, let's alert on all UDP packets :-)
> 
> According to Cisco 
> 
> http://www.cisco.com/warp/public/707/cisco-sa-20030717-blocked.shtml
> 
> it is protocol 77 not 17.
> 
> 
> 
> Pawel
> 
> On Thu, Jul 17, 2003 at 05:46:22PM -0700, Matt Ploessel wrote:
> > 
> > In the Foundstone web seminar today covering the details of the Cisco
> > IOS vulnerability released this morning, some users asked for snort
> > rules to detect potential Cisco DoS attempts. The simple rule below
> > should do the job. Tomorrow morning Foundstone will have a follow-up
> > seminar covering new information and our current findings. I am
> > interested to track the presence of malicious scanning of this
> > vulnerability in the wild. For those who apply the below rules, please
> > attempt to share sanitized information (number of detections and size
> > of IP space covered by your IDS) with me so statistics of the
> > vulnerability presence can be generated based on a larger consensus.
> > 
> > Thank You.
> > 
> > Information on the Foundstone web seminar:
> > 
> > http://www.foundstone.com/company/pressrelease_template.htm?indexid=79
> > 
> > Snort Rule for the Cisco IOS Interface IPv4 Packet Vulnerability
> > 
> > alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"Cisco IPv4 DoS"; classtype:attempted-dos; ip_proto:53;)
> > alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"Cisco IPv4 DoS"; classtype:attempted-dos; ip_proto:55;)
> > alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"Cisco IPv4 DoS"; classtype:attempted-dos; ip_proto:17;)
> > alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"Cisco IPv4 DoS"; classtype:attempted-dos; ip_proto:103;)
> > 
> > ...
> > 
> > Matt Ploessel
> > Network Security Engineer
> > Foundstone, Inc.
> > Strategic Security
> > 
> > 949.297.5622 Tel
> > 949.297.5575 Fax 
> > 
> > http://www.foundstone.com
> > 
> > PGP Hash: 5233 27A0 E504 2887 0F6F 0218 7495 1EB2 F182 E914
> > 
> > This email may contain confidential and privileged information for the
> > sole use of the intended recipient. Content disclosure to third
> > parties is strictly prohibited. Verify sender and message body
> > authenticity against the above PGP key only, retrieved via a secure
> > and dependable method. Thank you.
> > 
> > 
> 
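An added example, not code from the thread or from Snort: it re-implements the single `ip_proto` check the rules above rely on, parses the rule text for the watched protocol numbers, and runs it over constructed IPv4 headers. The rule list uses the corrected number 77 from Pawel's reply; swapping in the original 17 shows why that version would alert on every UDP packet.

```python
import re
import socket
import struct

# The thread's rules with Pawel's correction applied (77 in place of 17).
# Protocol numbers named in the Cisco advisory: 53 (SWIPE), 55 (IP Mobility),
# 77 (Sun ND), 103 (PIM). Only the ip_proto option is evaluated here.
RULE_TEMPLATE = ('alert ip $EXTERNAL_NET any -> $HOME_NET any '
                 '(msg:"Cisco IPv4 DoS"; classtype:attempted-dos; ip_proto:%d;)')
RULES = [RULE_TEMPLATE % p for p in (53, 55, 77, 103)]

IP_PROTO_RE = re.compile(r'ip_proto:\s*(\d+)\s*;')


def rule_protocols(rules):
    """Collect the IP protocol numbers the rules would alert on."""
    protos = set()
    for rule in rules:
        m = IP_PROTO_RE.search(rule)
        if m is None:
            raise ValueError("no ip_proto option in rule: %s" % rule)
        protos.add(int(m.group(1)))
    return protos


def build_ipv4_header(proto, src="198.51.100.10", dst="192.0.2.1", ttl=64):
    """Constructed 20-byte IPv4 header (no options, checksum left zero)."""
    ver_ihl = (4 << 4) | 5
    return struct.pack("!BBHHHBBH4s4s", ver_ihl, 0, 20, 0, 0, ttl, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))


def packet_protocol(pkt):
    """Protocol field of a raw IPv4 header, or None if it is not IPv4."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or len(pkt) < ihl:
        return None
    return pkt[9]


def evaluate(rules, packets):
    """Return (index, proto) for every packet the rules would alert on."""
    watched = rule_protocols(rules)
    hits = []
    for i, pkt in enumerate(packets):
        proto = packet_protocol(pkt)
        if proto is not None and proto in watched:
            hits.append((i, proto))
    return hits
```

Feed it the header bytes from a capture instead of `build_ipv4_header` output to check what the corrected rule set would have flagged on a real link.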