[Snort-users] RE: [Snort-sigs] Re: Fw: Cisco Vulnerability Testing Results

Smith, Donald Donald.Smith at ...4852...
Tue Jul 22 08:55:00 EDT 2003


The exploit allows you to set the ttl from 0-255.


-----Original Message-----
From: Michael Scheidell
To: Jon Hart
Cc: Gary Morris; intrusions at ...2034...; snort-sigs at lists.sourceforge.net;
snort-users at lists.sourceforge.net
Sent: 7/20/2003 12:07 PM
Subject: Re: [Snort-sigs] Re: Fw: Cisco Vulnerability Testing Results

> > 
> > alert ip $EXTERNAL_NET any -> $HOME_NET any (msg: "CISCO: IP Proto 53 (Swipe) detected"; ip_proto: 53; classtype:denial-of-service;)
> > alert ip $EXTERNAL_NET any -> $HOME_NET any (msg: "CISCO: IP Proto 55 (IP Mobility) detected"; ip_proto: 55; classtype:denial-of-service;)
> > alert ip $EXTERNAL_NET any -> $HOME_NET any (msg: "CISCO: IP Proto 77 (SUN ND) detected"; ip_proto: 77; classtype:denial-of-service;)
> > alert ip $EXTERNAL_NET any -> $HOME_NET any (msg: "CISCO: IP Proto 103 (PIM) detected"; ip_proto: 103; classtype:denial-of-service;)
> > 

A couple of thoughts:

1) As discussed on a couple of other lists, the ttl at the destination device would be 0? or 1? (guess I need to attack myself and look)

2) I would expect that our snort boxes are NOT configured on the WAN (serial/frame relay/fiber) side of our routers, so we won't pick up directed attacks against our correct router; however, any dual WAN routers that are used for our subnets will pick it up, as well as anyone doing address sweeps. Without snort listening on the OUTSIDE of your router, you won't pick up the attack.

3) The CISCO-released ACL snippets may prove a better way to watch the traffic (put the ACLs on for the above protocols, even if you have upgraded your firmware, and use the 'log' or 'log-interface' option if you have multiple interfaces). If you want to feed these logs to snort, you can do it with one of several add-ons, or make a snort sig to watch the syslog udp going from your router to your syslog server.

-- 
Michael Scheidell
SECNAP Network Security, LLC 
Sales: 866-SECNAPNET / (1-866-732-6276)
Main: 561-368-9561 / www.secnap.net
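An added example, not code from the thread, from Cisco or from the Snort project: a small Python classifier that applies the same ip_proto match as the quoted rules to raw IPv4 headers and reports the TTL each packet arrives with, which is the open question in point 1. The sample packets are constructed inside the script (RFC 5737 documentation addresses), and the protocol names follow the rule messages.

```python
import struct

# Protocol numbers named in the quoted Snort rules.
FLAGGED_PROTOS = {53: "SWIPE", 55: "IP Mobility", 77: "SUN ND", 103: "PIM"}

def ipv4_checksum(header: bytes) -> int:
    """RFC 791 one's-complement checksum; evaluates to 0 over a valid header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_ipv4(proto, ttl, src, dst, payload=b""):
    """Construct a minimal 20-byte IPv4 header; used only to make sample input."""
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0,
                      ttl, proto, 0, src_b, dst_b)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:] + payload

def parse_ipv4(packet: bytes) -> dict:
    """Pull TTL, protocol, addresses and checksum validity out of a raw IPv4 header."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _, _, _, _, ttl, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or len(packet) < ihl:
        raise ValueError("malformed IPv4 header")
    return {"ttl": ttl, "proto": proto,
            "src": ".".join(str(b) for b in src), "dst": ".".join(str(b) for b in dst),
            "checksum_ok": ipv4_checksum(packet[:ihl]) == 0}

def classify(packet: bytes):
    """Same match as the quoted rules (ip_proto in the set); adds the arriving TTL."""
    info = parse_ipv4(packet)
    name = FLAGGED_PROTOS.get(info["proto"])
    if name is None:
        return None
    return (f"CISCO: IP Proto {info['proto']} ({name}) detected "
            f"{info['src']} -> {info['dst']} ttl={info['ttl']} csum_ok={info['checksum_ok']}")

# Constructed sample traffic: a PIM packet arriving with TTL 1, and an ordinary TCP packet.
SAMPLE_PACKETS = [build_ipv4(103, 1, "192.0.2.10", "198.51.100.1"),
                  build_ipv4(6, 64, "192.0.2.10", "198.51.100.1", b"\x00" * 20)]

def scan(packets):
    """Alert lines a Snort-like pass over the packets would produce."""
    return [a for a in map(classify, packets) if a is not None]
```

Run over a capture taken outside the router (point 2), the ttl field in each alert line shows whether the flagged packets are arriving at the low TTL values point 1 asks about.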