Snort mailing list archives

Re: Anyone got a rule for the latest Cisco bug?


From: "Stephen Dunn" <sdunn () stephendunn com>
Date: Thu, 17 Jul 2003 17:52:02 -0700 (PDT)

http://www.cisco.com/warp/public/707/cisco-sa-20030717-blocked.shtml

"Cisco routers are configured to process and accept Internet Protocol
version 4 (IPv4) packets by default. A rare, specially crafted sequence of
IPv4 packets with protocol type 53 (SWIPE), 55 (IP Mobility), 77 (Sun ND),
or 103 (Protocol Independent Multicast - PIM) which is handled by the
processor on a Cisco IOS device may force the device to incorrectly flag
the input queue on an interface as full, which will cause the router to
stop processing inbound traffic on that interface. This can cause routing
protocols to drop due to dead timers"

Unless you use IP protocols 53, 55, 77, and 103 on your network (not too
likely in most environments), you may want to set up a rule (or rules) like:

alert ip any any <> any any (msg:"Cisco Input Queue DOS"; ip_proto: 53;)
alert ip any any <> any any (msg:"Cisco Input Queue DOS"; ip_proto: 55;)
alert ip any any <> any any (msg:"Cisco Input Queue DOS"; ip_proto: 77;)
alert ip any any <> any any (msg:"Cisco Input Queue DOS"; ip_proto: 103;)

I imagine there is a bit more mischief in the ip header than just the
non-standard protocol, but this may tide you over until Brian or someone
else gets better details on the exploit to create a more distinct
signature.  Meanwhile, ingress/egress filters on your Cisco routers should
protect you while you wait to upgrade your IOS.  Details for the ACL
implementation are in the above-mentioned link.


Stephen Dunn
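As an added illustration (not part of the post above), here is the same check the four Snort rules express, written out as a small IPv4 header parser run over constructed packets: alert on IP protocol 53, 55, 77 or 103 in either direction, and note when the destination is the router's own address, which is the case the advisory describes. The router address and sample packets are assumed values made up for the example.

```python
import struct
from typing import Optional

# Added example: mirrors the posted rules (ip_proto 53/55/77/103, any direction).
# ROUTER_ADDRS and the sample packets are constructed for this example.
SUSPECT_PROTOS = {53: "SWIPE", 55: "IP Mobility", 77: "Sun ND", 103: "PIM"}


def dotted(addr: bytes) -> str:
    return ".".join(str(b) for b in addr)


def parse_ipv4(pkt: bytes) -> Optional[dict]:
    """Return header fields from a raw IPv4 packet, or None if it is malformed."""
    if len(pkt) < 20:
        return None
    fields = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    version, ihl = fields[0] >> 4, (fields[0] & 0x0F) * 4
    if version != 4 or ihl < 20 or len(pkt) < ihl:
        return None  # not IPv4, bad IHL, or options truncated
    return {"ihl": ihl, "ttl": fields[5], "proto": fields[6],
            "src": dotted(fields[8]), "dst": dotted(fields[9])}


def classify(pkt: bytes, router_addrs: set) -> Optional[str]:
    """Alert text for the four suspect protocols, else None."""
    hdr = parse_ipv4(pkt)
    if hdr is None or hdr["proto"] not in SUSPECT_PROTOS:
        return None
    target = " (dst is router address)" if hdr["dst"] in router_addrs else ""
    return (f'Cisco Input Queue DOS: proto {hdr["proto"]} '
            f'({SUSPECT_PROTOS[hdr["proto"]]}) {hdr["src"]} -> {hdr["dst"]}{target}')


def build_ipv4(proto: int, src: str, dst: str, payload: bytes = b"") -> bytes:
    """Constructed sample packet; checksum is left zero (the parser does not verify it)."""
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                       proto, 0, src_b, dst_b) + payload


ROUTER_ADDRS = {"192.0.2.1"}  # constructed: the monitored router's interface
SAMPLE_PACKETS = [
    build_ipv4(6, "198.51.100.7", "192.0.2.1"),    # TCP: no alert
    build_ipv4(103, "198.51.100.7", "192.0.2.1"),  # PIM aimed at the router itself
    build_ipv4(53, "198.51.100.7", "192.0.2.50"),  # SWIPE to a host behind it
    b"\x45\x00\x00",                                # truncated header: ignored
]

if __name__ == "__main__":
    for p in SAMPLE_PACKETS:
        print(classify(p, ROUTER_ADDRS) or "no alert")
```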

Cisco Security Advisory: Cisco IOS Interface Blocked by IPv4 Packet

Apparently some hacked IPv4 packet sent at a Cisco router's actual IP
address can cause a table to fill up - causing the router to become
unusable.

Anyone got a pattern match for it? Frankly the CERT alert about it was
next to useless - they have some example ACLs that "may" help - but
there's not enough to go on really (I mean, if I want to allow SSH
access to a router from one IP address on the Internet, can I make an
ACL to allow that, and block all other IP, or does this attack mean that
if the baddie fakes the SYN packet to match my "good" address, then the
attack still works???)


--
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1


-------------------------------------------------------
This SF.net email is sponsored by: VM Ware
With VMware you can run multiple operating systems on a single machine.
WITHOUT REBOOTING! Mix Linux / Windows / Novell virtual machines at the
same time. Free trial click here: http://www.vmware.com/wl/offer/345/0
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users



