Snort mailing list archives
Re: Anyone got a rule for the latest Cisco bug?
From: Jon Hart <warchild () spoofed org>
Date: Thu, 17 Jul 2003 20:28:35 -0400
On Fri, Jul 18, 2003 at 10:12:09AM +1200, Jason Haar wrote:
> Cisco Security Advisory: Cisco IOS Interface Blocked by IPv4 Packet
>
> Apparently some hacked IPv4 packet sent at a Cisco router's actual IP address can cause a table to fill up - causing the router to become unusable. Anyone got a pattern match for it?
>
> Frankly the CERT alert about it was next to useless - they have some example ACLs that "may" help - but there's not enough to go on really (I mean, if I want to allow SSH access to a router from one IP address on the Internet, can I make an ACL to allow that, and block all other IP, or does this attack mean that if the baddie fakes the SYN packet to match my "good" address, then the attack still works???)
The advisory has been updated:

<snip>
"Cisco routers are configured to process and accept Internet Protocol version 4 (IPv4) packets by default. A rare, specially crafted sequence of IPv4 packets with protocol type 53 (SWIPE), 55 (IP Mobility), 77 (Sun ND), or 103 (Protocol Independent Multicast - PIM) which is handled by the processor on a Cisco IOS device may force the device to incorrectly flag the input queue on an interface as full, which will cause the router to stop processing inbound traffic on that interface. This can cause routing protocols to drop due to dead timers."
</snip>

A situation like this was guessable based on their initial advisory, which said, basically, that you could protect yourself if you blocked all unnecessary/unused protocols. Because they aren't very specific about what this "rare, specially crafted sequence" is, there is only so much you can do with snort signatures. Snort rules allow you to match based on IP protocol number, so all we can do for now is something like this:

    alert ip any any -> any any (msg:"DOS Cisco SWIPE Protocol"; ip_proto:53;)
    alert ip any any -> any any (msg:"DOS Cisco IP Mobility Protocol"; ip_proto:55;)
    alert ip any any -> any any (msg:"DOS Cisco Sun ND Protocol"; ip_proto:77;)
    alert ip any any -> any any (msg:"DOS Cisco PIM Protocol"; ip_proto:103;)

Depending on what type of network you are on, those could be very noisy, so use at your own risk.

Also, if you are using spp_conversation, it could be picking up rogue packets if it's configured properly:

    preprocessor conversation: allowed_ip_protocols 1 6 17 47 89, timeout 180, max_conversations 65535, alert_odd_protocols

That is what I'm currently using, and I haven't heard a peep yet.

May the force be with you,
-jon
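The two detection approaches in Jon's reply (alert on the four protocol numbers from the advisory, and alert on any IP protocol outside an allow-list, as spp_conversation's alert_odd_protocols does) can be sketched as a small packet inspector. The following is an added example for this archive page, not code from Jon's post, from Cisco, or from the Snort project. It parses minimal IPv4 headers, reuses the msg strings and protocol numbers from the rules above, and runs over constructed sample packets (addresses from the RFC 5737 documentation ranges; the packet builder leaves the header checksum at zero since nothing verifies it here). It also shows the false-positive trade-off the reply mentions: PIM on a multicast network trips both checks, while protocol 99 trips only the allow-list check.

```python
import struct
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Protocol numbers and names taken from the Cisco advisory quoted in the thread.
CISCO_ADVISORY_PROTOS = {53: "SWIPE", 55: "IP Mobility", 77: "Sun ND", 103: "PIM"}

# The allowed_ip_protocols list from the spp_conversation line in the reply
# (ICMP, TCP, UDP, GRE, OSPF). Anything else is an "odd protocol".
ALLOWED_IP_PROTOS = {1, 6, 17, 47, 89}


@dataclass
class Alert:
    msg: str
    src: str
    dst: str
    proto: int


def parse_ipv4_header(pkt: bytes) -> Optional[Tuple[str, str, int, int]]:
    """Return (src, dst, proto, header_len) or None if pkt is not a sane IPv4 header.

    Truncated packets and non-IPv4 version nibbles are rejected rather than
    guessed at, so garbage on the wire cannot produce a bogus alert.
    """
    if len(pkt) < 20:
        return None
    version = pkt[0] >> 4
    ihl = (pkt[0] & 0x0F) * 4          # header length in bytes, options included
    if version != 4 or ihl < 20 or len(pkt) < ihl:
        return None
    proto = pkt[9]                     # the field Snort's ip_proto keyword matches on
    src = ".".join(str(b) for b in pkt[12:16])
    dst = ".".join(str(b) for b in pkt[16:20])
    return src, dst, proto, ihl


def inspect_packet(pkt: bytes) -> List[Alert]:
    """Apply both checks from the reply to one packet and return the alerts raised."""
    hdr = parse_ipv4_header(pkt)
    if hdr is None:
        return []
    src, dst, proto, _ = hdr
    alerts: List[Alert] = []
    # Check 1: the four explicit rules (ip_proto:53 / 55 / 77 / 103).
    if proto in CISCO_ADVISORY_PROTOS:
        alerts.append(Alert(f"DOS Cisco {CISCO_ADVISORY_PROTOS[proto]} Protocol", src, dst, proto))
    # Check 2: spp_conversation-style alert on any protocol outside the allow-list.
    if proto not in ALLOWED_IP_PROTOS:
        alerts.append(Alert("spp_conversation: odd IP protocol", src, dst, proto))
    return alerts


def inspect_packets(pkts: Iterable[bytes]) -> List[Alert]:
    """Run inspect_packet over a stream of raw packets, in order."""
    out: List[Alert] = []
    for p in pkts:
        out.extend(inspect_packet(p))
    return out


def make_ipv4_packet(src: str, dst: str, proto: int, payload: bytes = b"") -> bytes:
    """Build a minimal IPv4 header (no options, checksum zero) for constructed test input."""
    to_bytes = lambda a: bytes(int(o) for o in a.split("."))
    header = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, 20 + len(payload),   # version/IHL, TOS, total length
                         0, 0, 64, proto, 0,           # id, flags/frag, TTL, protocol, checksum
                         to_bytes(src), to_bytes(dst))
    return header + payload


# Constructed sample traffic: normal TCP, PIM (in the advisory), protocol 99
# (odd but not in the advisory), and a short non-IPv4 blob.
SAMPLE_PACKETS = [
    make_ipv4_packet("192.0.2.10", "192.0.2.1", 6, b"\x00" * 20),
    make_ipv4_packet("198.51.100.7", "192.0.2.1", 103),
    make_ipv4_packet("198.51.100.7", "192.0.2.1", 99),
    b"\x60\x00\x00\x00",
]

if __name__ == "__main__":
    for a in inspect_packets(SAMPLE_PACKETS):
        print(f"[{a.msg}] {a.src} -> {a.dst} proto={a.proto}")
```

Running it prints three alerts: two for the PIM packet (one from each check) and one for protocol 99 (allow-list only); the TCP packet and the malformed blob are silent. That is the same noise profile Jon warns about: on a network that legitimately runs PIM or other non-allow-listed protocols, either check needs tuning before it is useful as an indicator of the advisory's traffic.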
Current thread:
- Anyone got a rule for the latest Cisco bug? Jason Haar (Jul 17)
- Re: Anyone got a rule for the latest Cisco bug? james (Jul 17)
- Re: Anyone got a rule for the latest Cisco bug? Jon Hart (Jul 17)
- Re: Anyone got a rule for the latest Cisco bug? Jason Haar (Jul 17)
- Re: Anyone got a rule for the latest Cisco bug? twig les (Jul 17)
- Re: Anyone got a rule for the latest Cisco bug? Jon Hart (Jul 17)
- Re: Anyone got a rule for the latest Cisco bug? Stephen Dunn (Jul 17)
- Re: Anyone got a rule for the latest Cisco bug? Brian (Jul 17)
- <Possible follow-ups>
- RE: Anyone got a rule for the latest Cisco bug? McLaughlin, Andrew (Jul 17)
- RE: Anyone got a rule for the latest Cisco bug? Du Feu, Richard (Jul 18)
- RE: Anyone got a rule for the latest Cisco bug? Erek Adams (Jul 18)
- RE: Anyone got a rule for the latest Cisco bug? Donahue, Pat (Jul 18)
- RE: Anyone got a rule for the latest Cisco bug? Jim Forster (Jul 18)
(Thread continues...)