[Snort-users] Anyone got a rule for the latest Cisco bug?

Jim Forster jforster at ...176...
Fri Jul 18 10:57:30 EDT 2003


These are confirmed to work.  We've compiled and dropped a local router in testing.
Interesting side note - In testing, all source addresses were random.

alert ip any any -> any any (msg:"DOS Cisco SWIPE Protocol"; ip_proto:53; classtype:attempted-dos; reference:url,www.cisco.com/warp/public/707/cisco-sa-20030717-blocked.shtml; rev:2;)
alert ip any any -> any any (msg:"DOS Cisco IP Mobility Protocol"; ip_proto:55; classtype:attempted-dos; reference:url,www.cisco.com/warp/public/707/cisco-sa-20030717-blocked.shtml; rev:2;)
alert ip any any -> any any (msg:"DOS Cisco Sun ND Protocol"; ip_proto:77; classtype:attempted-dos; reference:url,www.cisco.com/warp/public/707/cisco-sa-20030717-blocked.shtml; rev:2;)
alert ip any any -> any any (msg:"DOS Cisco PIM Protocol"; ip_proto:103; classtype:attempted-dos; reference:url,www.cisco.com/warp/public/707/cisco-sa-20030717-blocked.shtml; rev:2;)


---==On Fri, 18 Jul 2003 12:52:54 -0400, Donahue, Pat wrote==---
Speaking of which, has anyone been able to obtain a full packet capture? There's probably not too much to those 184 bytes, but I'd be interested in seeing the payload as well as the packet headers. Anyway, the simple fix seems to be as always keeping your IOS up to date with the 12.3 branch.

--
Patrick Donahue
Network/Systems Administrator
ACMI Corporation

-----Original Message-----
From: Erek Adams [mailto:erek at ...950...]
Sent: Friday, July 18, 2003 5:30 AM
To: Du Feu, Richard
Cc: snort-users at lists.sourceforge.net
Subject: RE: [Snort-users] Anyone got a rule for the latest Cisco bug?


On Fri, 18 Jul 2003, Du Feu, Richard wrote:

> I'm fairly new to snort and am not yet good at writing rules for it,
> however I do have a packet capture of an attack against a cisco device.
> This is the exploit released on netssys. It looks roughly like this:
>
> 09:45:29.846575 8.145.50.78 > a.b.c.d:  ip-proto-53 26 [ttl 1] (id 17168, len 46)
> 09:45:29.846738 0.246.255.32 > a.b.c.d: mobile 0.246.255.32 > a.b.c.d: [] > 4.5.6.7 (oproto=0) (bad checksum 515) [ttl 1] (id 6925, len 46)
> 09:45:29.846770 201.211.15.73 > a.b.c.d:  nd 26 [ttl 1] (id 38906, len 46)
> 09:45:29.846795 61.81.217.4 > a.b.c.d: pim v0 [ttl 1] (id 8220, len 46)
>
> The ttl needs to be the number of hops to the target system. The source
> IPs are spoofed. Is this enough for someone who is clued up to write a
> rule for it?

It's something to start with, but it's not quite enough to get a really
good sig.  A "full" packet capture of the entire packet would be the best
thing.  Granted, these are small packets but it's still nice to have.
Besides, who doesn't like to read hex?!?  :)

Cheers!

-----
Erek Adams

  "When things get weird, the weird turn pro."   H.S. Thompson


-------------------------------------------------------
This SF.net email is sponsored by: VM Ware
With VMware you can run multiple operating systems on a single machine.
WITHOUT REBOOTING! Mix Linux / Windows / Novell virtual machines at the
same time. Free trial click here: http://www.vmware.com/wl/offer/345/0
_______________________________________________
Snort-users mailing list
Snort-users at lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users




--------------------------------------------------------------------
"Today's mighty oak is just yesterday's nut, that held its ground."
-Unknown

Jim Forster, jforster at ...176... on 07/18/2003
Network Administrator
RapidNet, A Golden West Company
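For readers who want to see what the four rules above actually test, here is an added Python example (not from the post or from Snort) that decodes raw IPv4 headers, applies the same match (protocol number 53, 55, 77 or 103) and reports the TTL, IP id, length and header-checksum state the way the quoted tcpdump lines do. The sample packets are constructed in the script itself and never put on the wire; 192.0.2.1 is an assumed documentation-range target, the source addresses and ids are copied from the quoted capture, and the 26-byte zero payload is an assumption chosen only so that the length comes out at 46 like the capture.

```python
"""Apply the ip_proto match from the posted Snort rules to raw IPv4 packets.

Added example, not the poster's code. Packets below are constructed in
memory for offline checking only.
"""
import struct
from ipaddress import IPv4Address

# Protocol numbers from the four rules, with the names their msg fields use.
WATCHED_PROTOCOLS = {53: "SWIPE", 55: "IP Mobility", 77: "Sun ND", 103: "PIM"}


def ipv4_header_checksum(header: bytes) -> int:
    """Standard one's-complement sum of 16-bit words. Over a header whose
    checksum field is already filled in, a valid header yields 0."""
    if len(header) % 2:
        header += b"\x00"
    total = 0
    for i in range(0, len(header), 2):
        total += (header[i] << 8) | header[i + 1]
    while total >> 16:  # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_ipv4(packet: bytes) -> dict:
    """Decode the fixed IPv4 header; raise on anything that is not IPv4."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, _tos, total_len, ident, _flags_frag, ttl, proto,
     _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or len(packet) < ihl:
        raise ValueError("not a well-formed IPv4 packet")
    return {
        "src": str(IPv4Address(src)),
        "dst": str(IPv4Address(dst)),
        "id": ident,
        "len": total_len,
        "ttl": ttl,
        "proto": proto,  # byte 9 of the header: what ip_proto matches on
        "checksum_ok": ipv4_header_checksum(packet[:ihl]) == 0,
    }


def classify(packet: bytes):
    """Return the msg the matching rule would raise, or None if no rule fires."""
    name = WATCHED_PROTOCOLS.get(parse_ipv4(packet)["proto"])
    return None if name is None else f"DOS Cisco {name} Protocol"


def describe(packet: bytes) -> str:
    """tcpdump-style one-liner so the ttl and checksum state are visible."""
    p = parse_ipv4(packet)
    line = (f"{p['src']} > {p['dst']}: ip-proto-{p['proto']} "
            f"[ttl {p['ttl']}] (id {p['id']}, len {p['len']})")
    return line + ("" if p["checksum_ok"] else " (bad checksum)")


def scan(packets) -> list:
    """Run every packet through the rule match; return (msg, summary) hits."""
    hits = []
    for pkt in packets:
        msg = classify(pkt)
        if msg is not None:
            hits.append((msg, describe(pkt)))
    return hits


def build_sample(proto: int, ttl: int, src: str, dst: str, ident: int,
                 payload: bytes = b"\x00" * 26) -> bytes:
    """Construct a minimal IPv4 packet with a correct header checksum.
    Used only to fabricate input for the parser above (assumed payload)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident, 0,
                      ttl, proto, 0, IPv4Address(src).packed,
                      IPv4Address(dst).packed)
    csum = ipv4_header_checksum(hdr)
    return hdr[:10] + struct.pack("!H", csum) + hdr[12:] + payload


# Constructed samples: the four protocols from the capture plus one TCP packet.
SAMPLES = [
    build_sample(53, 1, "8.145.50.78", "192.0.2.1", 17168),
    build_sample(55, 1, "0.246.255.32", "192.0.2.1", 6925),
    build_sample(77, 1, "201.211.15.73", "192.0.2.1", 38906),
    build_sample(103, 1, "61.81.217.4", "192.0.2.1", 8220),
    build_sample(6, 64, "192.0.2.50", "192.0.2.1", 1),
]
# Same packet with one checksum byte flipped, mirroring the "bad checksum" line.
_bad = bytearray(SAMPLES[1])
_bad[10] ^= 0xFF
CORRUPTED = bytes(_bad)

if __name__ == "__main__":
    for msg, summary in scan(SAMPLES + [CORRUPTED]):
        print(f"{msg}: {summary}")
```

Running it prints one line per matching packet; the TCP sample is silent, and the corrupted copy still matches (ip_proto does not care about the checksum) but carries the "(bad checksum)" tag, which is exactly the combination seen on the second line of the quoted capture.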
