Snort mailing list archives
RE: Anyone got a rule for the latest Cisco bug?
From: Erek Adams <erek () snort org>
Date: Fri, 18 Jul 2003 05:29:34 -0400 (EDT)
On Fri, 18 Jul 2003, Du Feu, Richard wrote:
I'm fairly new to snort and am not yet good at writing rules for it; however, I do have a packet capture of an attack against a cisco device. This is the exploit released on netssys. It looks roughly like this:

09:45:29.846575 8.145.50.78 > a.b.c.d: ip-proto-53 26 [ttl 1] (id 17168, len 46)
09:45:29.846738 0.246.255.32 > a.b.c.d: mobile 0.246.255.32 > a.b.c.d: [] > 4.5.6.7 (oproto=0) (bad checksum 515) [ttl 1] (id 6925, len 46)
09:45:29.846770 201.211.15.73 > a.b.c.d: nd 26 [ttl 1] (id 38906, len 46)
09:45:29.846795 61.81.217.4 > a.b.c.d: pim v0 [ttl 1] (id 8220, len 46)

The ttl needs to be the number of hops to the target system. The source IPs are spoofed. Is this enough for someone who is clued up to write a rule for it?
It's something to start with, but it's not quite enough to get a really good sig. A "full" packet capture of the entire packet would be the best thing. Granted, these are small packets, but it's still nice to have. Besides, who doesn't like to read hex?!? :)

Cheers!

-----
Erek Adams

"When things get weird, the weird turn pro." H.S. Thompson
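Added example (not from the original thread or from the Snort project): a small Python script that does the two things Richard is asking about. It parses tcpdump summary lines in the format shown in his post, flags the packets that match the pattern he describes (IP protocols 53, 55, 77 and 103, which tcpdump prints as ip-proto-53, mobile, nd and pim, with a TTL of 1 or less), and emits one Snort 2 rule per protocol using the ip_proto and ttl rule options. The sample capture below is constructed for this example: it is the four lines from the post plus two benign lines (a TCP SYN and an ICMP echo request) added to show that unrelated traffic is not flagged. The $EXTERNAL_NET/$HOME_NET variables, msg text, classtype and the 1000001+ sid range are assumptions, not anything the thread specifies.

```python
import re
from typing import Optional

# Protocol numbers behind the four tcpdump labels that appear in the posted capture.
# tcpdump has no name for protocol 53 and prints it as "ip-proto-53"; 55 is "mobile",
# 77 is "nd" and 103 is "pim".
TCPDUMP_PROTO_NAMES = {"mobile": 55, "nd": 77, "pim": 103}
TARGET_PROTOS = (53, 55, 77, 103)

# Constructed sample: the four lines from the post followed by two benign lines
# (TCP SYN and ICMP echo) added here as negative cases.
SAMPLE_CAPTURE = """\
09:45:29.846575 8.145.50.78 > a.b.c.d: ip-proto-53 26 [ttl 1] (id 17168, len 46)
09:45:29.846738 0.246.255.32 > a.b.c.d: mobile 0.246.255.32 > a.b.c.d: [] > 4.5.6.7 (oproto=0) (bad checksum 515) [ttl 1] (id 6925, len 46)
09:45:29.846770 201.211.15.73 > a.b.c.d: nd 26 [ttl 1] (id 38906, len 46)
09:45:29.846795 61.81.217.4 > a.b.c.d: pim v0 [ttl 1] (id 8220, len 46)
09:45:30.000001 10.0.0.6.1234 > a.b.c.d.22: S 1:1(0) win 5840 (DF) [ttl 64] (id 2, len 60)
09:45:30.000002 10.0.0.7 > a.b.c.d: icmp: echo request [ttl 64] (id 3, len 84)
"""

# "<timestamp> <src> > <dst>: <first token of the protocol summary>"
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+>\s+(?P<dst>\S+):\s+(?P<tok>\S+)")
TTL_RE = re.compile(r"\[ttl (?P<ttl>\d+)\]")


def proto_number(token: str) -> Optional[int]:
    """Map tcpdump's protocol label to an IP protocol number (None if unknown)."""
    m = re.fullmatch(r"ip-proto-(\d+)", token)
    if m:
        return int(m.group(1))
    return TCPDUMP_PROTO_NAMES.get(token)


def parse_line(line: str) -> Optional[dict]:
    """Parse one tcpdump summary line; returns None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ttl_match = TTL_RE.search(line)
    return {
        "ts": m["ts"],
        "src": m["src"],
        "dst": m["dst"],
        "proto": proto_number(m["tok"]),
        "ttl": int(ttl_match["ttl"]) if ttl_match else None,
    }


def is_suspicious(pkt: dict, max_ttl: int = 1) -> bool:
    """True when the packet carries one of the four protocols with TTL <= max_ttl."""
    return (
        pkt["proto"] in TARGET_PROTOS
        and pkt["ttl"] is not None
        and pkt["ttl"] <= max_ttl
    )


def scan_capture(text: str, max_ttl: int = 1) -> list:
    """Return (src, proto, ttl) for every suspicious line in a tcpdump dump."""
    hits = []
    for line in text.splitlines():
        pkt = parse_line(line)
        if pkt and is_suspicious(pkt, max_ttl):
            hits.append((pkt["src"], pkt["proto"], pkt["ttl"]))
    return hits


def snort_rule(proto: int, sid: int) -> str:
    """One Snort 2 rule: any IP packet with this protocol number and TTL below 2.

    ip_proto and ttl are standard Snort 2 rule options; the msg, classtype and
    sid are choices made for this example, not values from the thread.
    """
    return (
        "alert ip $EXTERNAL_NET any -> $HOME_NET any "
        f'(msg:"LOCAL low-TTL IP protocol {proto} (Cisco bug thread)"; '
        f"ip_proto:{proto}; ttl:<2; classtype:attempted-dos; sid:{sid}; rev:1;)"
    )


def generate_rules(base_sid: int = 1000001) -> list:
    """One rule per target protocol, with consecutive sids in the local range."""
    return [snort_rule(p, base_sid + i) for i, p in enumerate(TARGET_PROTOS)]


if __name__ == "__main__":
    for src, proto, ttl in scan_capture(SAMPLE_CAPTURE):
        print(f"suspicious: src={src} ip_proto={proto} ttl={ttl}")
    print()
    print("\n".join(generate_rules()))
```

Two caveats before dropping these rules into local.rules. First, Richard notes that the attacker sets the TTL to the hop count to the target, so a sensor that sits several hops in front of the router will see TTL values well above 1; on such a sensor the ttl test has to be relaxed (or removed, matching on ip_proto alone) to catch anything. Second, on a segment that runs PIM, routers legitimately exchange protocol 103 hellos with TTL 1, so the protocol 103 rule will fire on that traffic; restricting $HOME_NET to the router's unicast addresses, or excluding the known PIM neighbours, keeps that noise down.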
Current thread:
- Anyone got a rule for the latest Cisco bug? Jason Haar (Jul 17)
- Re: Anyone got a rule for the latest Cisco bug? james (Jul 17)
- Re: Anyone got a rule for the latest Cisco bug? Jon Hart (Jul 17)
- Re: Anyone got a rule for the latest Cisco bug? Jason Haar (Jul 17)
- Re: Anyone got a rule for the latest Cisco bug? twig les (Jul 17)
- Re: Anyone got a rule for the latest Cisco bug? Jon Hart (Jul 17)
- Re: Anyone got a rule for the latest Cisco bug? Stephen Dunn (Jul 17)
- Re: Anyone got a rule for the latest Cisco bug? Brian (Jul 17)
- <Possible follow-ups>
- RE: Anyone got a rule for the latest Cisco bug? McLaughlin, Andrew (Jul 17)
- RE: Anyone got a rule for the latest Cisco bug? Du Feu, Richard (Jul 18)
- RE: Anyone got a rule for the latest Cisco bug? Erek Adams (Jul 18)
- RE: Anyone got a rule for the latest Cisco bug? Donahue, Pat (Jul 18)
- RE: Anyone got a rule for the latest Cisco bug? Jim Forster (Jul 18)
- RE: Anyone got a rule for the latest Cisco bug? Williams Jon (Jul 18)
- RE: Anyone got a rule for the latest Cisco bug? Matt Ploessel (Jul 18)