[Snort-users] Anyone got a rule for the latest Cisco bug?

Donahue, Pat PDonahue at ...9678...
Fri Jul 18 09:52:06 EDT 2003

Speaking of which, has anyone been able to obtain a full packet capture? There's probably not too much to those 184 bytes, but I'd be interested in seeing the payload as well as the packet headers. Anyway, the simple fix seems to be as always keeping your IOS up to date with the 12.3 branch.

Patrick Donahue
Network/Systems Administrator
ACMI Corporation

-----Original Message-----
From: Erek Adams [mailto:erek at ...950...]
Sent: Friday, July 18, 2003 5:30 AM
To: Du Feu, Richard
Cc: snort-users at lists.sourceforge.net
Subject: RE: [Snort-users] Anyone got a rule for the latest Cisco bug?

On Fri, 18 Jul 2003, Du Feu, Richard wrote:

> I'm fairly new to snort and am not yet good at writing rules for it,
> however I do have a packet capture of an attack against a cisco device.
> This is the exploit released on netssys. It looks roughly like this:
> 09:45:29.846575 > a.b.c.d:  ip-proto-53 26 [ttl 1] (id
> 17168, len 46)
> 09:45:29.846738 > a.b.c.d: mobile > a.b.c.d:
> [] > (oproto=0) (bad checksum 515) [ttl 1] (id 6925, len 46)
> 09:45:29.846770 > a.b.c.d:  nd 26 [ttl 1] (id 38906, len 46)
> 09:45:29.846795 > a.b.c.d: pim v0 [ttl 1] (id 8220, len 46)
> The ttl needs to be the number of hops to the target system. The source
> IPs are spoofed. Is this enough for someone who is clued up to write a
> rule for it?

It's something to start with, but it's not quite enough to get a really
good sig.  A "full" packet capture of the entire packet would be the best
thing.  Granted, these are small packets but it's still nice to have.
Besides, who doesn't like to read hex?!?  :)


Erek Adams

   "When things get weird, the weird turn pro."   H.S. Thompson

This SF.net email is sponsored by: VM Ware
With VMware you can run multiple operating systems on a single machine.
WITHOUT REBOOTING! Mix Linux / Windows / Novell virtual machines at the
same time. Free trial click here: http://www.vmware.com/wl/offer/345/0
Snort-users mailing list
Snort-users at lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
Snort-users list archive:

More information about the Snort-users mailing list