[Snort-users] Re: [Snort-sigs] Re: Fw: Cisco Vulnerability Testing Results

Marc Quibell mquibell at ...7759...
Tue Jul 22 06:38:02 EDT 2003


Message: 3
To: Jon Hart <warchild at ...8039...>
Date: Sun, 20 Jul 2003 12:07:06 -0400 (EDT)
From: Michael Scheidell <scheidell at ...5171...>
Cc: Gary Morris <gmorris at ...9682...>, intrusions at ...2034...,
     snort-sigs at lists.sourceforge.net, snort-users at lists.sourceforge.net
Subject: [Snort-users] Re: [Snort-sigs] Re: Fw: Cisco Vulnerability Testing
Results

> >
> > alert ip $EXTERNAL_NET any -> $HOME_NET any (msg: "CISCO: IP Proto 53
> > (Swipe) detected"; ip_proto: 53; classtype:denial-of-service;)
> > alert ip $EXTERNAL_NET any -> $HOME_NET any (msg: "CISCO: IP Proto 55
> > (IP Mobility) detected"; ip_proto: 55; classtype:denial-of-service;)
> > alert ip $EXTERNAL_NET any -> $HOME_NET any (msg: "CISCO: IP Proto 77
> > (SUN ND) detected"; ip_proto: 77; classtype:denial-of-service;)
> > alert ip $EXTERNAL_NET any -> $HOME_NET any (msg: "CISCO: IP Proto 103
> > (PIM) detected"; ip_proto: 103; classtype:denial-of-service;)
> >

>A couple of thoughts:
>1) as discussed on a couple of other lists, the ttl at the destination
>device would be 0? or 1? (guess I need to attack myself and look)

Why would that be? If it was ttl 1 it would never get past their own router.

>2) I would expect that our snort boxes are NOT configured on the WAN
>(serial/frame relay/fiber) side of our routers so we won't pick up
>directed attacks against our correct router, however, any dual WAN routers
>that are used for our subnets will pick it up, as well as anyone doing
>address sweeps.  Without snort listening on the OUTSIDE of your router, you
>won't pick up the attack.

Very true, but then, attackers don't necessarily have to attack the WAN router
only.

>3) The CISCO released ACL snippets may prove a better way to watch the
>traffic (put the ACLs on for the above protocols, even if you have
>upgraded your firmware, and use the 'log' or 'log-interface' option if you
>have multiple interfaces).  If you want to feed these logs to snort, you
>can do it with one of several add-ons, or make a snort sig to watch the
>syslog udp going from your router to your syslog server.

ACLs only show a count...

>--
>Michael Scheidell
>SECNAP Network Security, LLC
>Sales: 866-SECNAPNET / (1-866-732-6276)
>Main: 561-368-9561 / www.secnap.net
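The quoted rules match only on the IPv4 protocol number, and the thread asks what the TTL looks like when such a packet reaches the router. The following is an added example, not code from the thread or from Snort: it parses a raw IPv4 header, raises the same four alerts as the quoted rules, and records the TTL so it can be reviewed alongside the alert. The packets and addresses are constructed for the demonstration.

```python
import struct
from typing import Optional, List

# IP protocol numbers and names taken from the quoted Snort rules
WATCHED_PROTOS = {53: "Swipe", 55: "IP Mobility", 77: "SUN ND", 103: "PIM"}

def parse_ipv4_header(pkt: bytes) -> dict:
    """Parse the fixed 20-byte IPv4 header and return the fields the check needs."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, _tos, _total_len, _ident, _flags_frag,
     ttl, proto, _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    version = ver_ihl >> 4
    ihl = (ver_ihl & 0x0F) * 4          # header length in bytes
    if version != 4 or ihl < 20:
        raise ValueError("not an IPv4 header")
    return {
        "ttl": ttl,
        "proto": proto,
        "src": ".".join(str(b) for b in src),
        "dst": ".".join(str(b) for b in dst),
    }

def check_packet(pkt: bytes) -> Optional[str]:
    """Return an alert mirroring the quoted rules' msg text (plus TTL), or None."""
    hdr = parse_ipv4_header(pkt)
    name = WATCHED_PROTOS.get(hdr["proto"])
    if name is None:
        return None
    return (f'CISCO: IP Proto {hdr["proto"]} ({name}) detected '
            f'ttl={hdr["ttl"]} {hdr["src"]} -> {hdr["dst"]}')

def build_ipv4(proto: int, ttl: int, src: str = "198.51.100.7",
               dst: str = "192.0.2.1") -> bytes:
    """Construct a minimal IPv4 header for testing (checksum left zero)."""
    s = bytes(int(o) for o in src.split("."))
    d = bytes(int(o) for o in dst.split("."))
    # version 4, IHL 5, DF flag set, no options
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0x4000, ttl, proto, 0, s, d)

# Constructed sample traffic: three watched protocols at different TTLs plus one TCP packet
SAMPLE_PACKETS = [build_ipv4(53, 1), build_ipv4(6, 64),
                  build_ipv4(103, 0), build_ipv4(55, 255)]

def scan(packets: List[bytes]) -> List[str]:
    """Run the check over a list of raw IPv4 packets and collect the alerts."""
    return [a for a in (check_packet(p) for p in packets) if a is not None]

if __name__ == "__main__":
    for alert in scan(SAMPLE_PACKETS):
        print(alert)
```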
