[Snort-users] Anyone got a rule for the latest Cisco bug?
PDonahue at ...9678...
Fri Jul 18 09:52:06 EDT 2003
Speaking of which, has anyone been able to obtain a full packet capture? There's probably not too much to those 184 bytes, but I'd be interested in seeing the payload as well as the packet headers. Anyway, the simple fix seems to be as always keeping your IOS up to date with the 12.3 branch.
From: Erek Adams [mailto:erek at ...950...]
Sent: Friday, July 18, 2003 5:30 AM
To: Du Feu, Richard
Cc: snort-users at lists.sourceforge.net
Subject: RE: [Snort-users] Anyone got a rule for the latest Cisco bug?
On Fri, 18 Jul 2003, Du Feu, Richard wrote:
> I'm fairly new to snort and am not yet good at writing rules for it,
> however I do have a packet capture of an attack against a cisco device.
> This is the exploit released on netssys. It looks roughly like this:
> 09:45:29.846575 184.108.40.206 > a.b.c.d: ip-proto-53 26 [ttl 1] (id
> 17168, len 46)
> 09:45:29.846738 0.246.255.32 > a.b.c.d: mobile 0.246.255.32 > a.b.c.d:
>  > 220.127.116.11 (oproto=0) (bad checksum 515) [ttl 1] (id 6925, len 46)
> 09:45:29.846770 18.104.22.168 > a.b.c.d: nd 26 [ttl 1] (id 38906, len 46)
> 09:45:29.846795 22.214.171.124 > a.b.c.d: pim v0 [ttl 1] (id 8220, len 46)
> The ttl needs to be the number of hops to the target system. The source
> IPs are spoofed. Is this enough for someone who is clued up to write a
> rule for it?
It's something to start with, but it's not quite enough to get a really
good sig. A "full" packet capture of the entire packet would be the best
thing. Granted, these are small packets but it's still nice to have.
Besides, who doesn't like to read hex?!? :)
"When things get weird, the weird turn pro." H.S. Thompson
This SF.net email is sponsored by: VM Ware
With VMware you can run multiple operating systems on a single machine.
WITHOUT REBOOTING! Mix Linux / Windows / Novell virtual machines at the
same time. Free trial click here: http://www.vmware.com/wl/offer/345/0
Snort-users mailing list
Snort-users at lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
Snort-users list archive:
More information about the Snort-users