Snort mailing list archives

RE: Anyone got a rule for the latest Cisco bug?

From: "Williams Jon" <WilliamsJonathan () JohnDeere com>
Date: Fri, 18 Jul 2003 12:31:31 -0500

Here you go.  Of note, the source IP addresses are spoofed, you have to
specify the TTL on the commandline so that the TTL on the packet when it
arrives at the target Cisco device is either 0 or 1.  Also, I've noticed
that the output is different on multiple runs of the tool in my lab,
although I haven't taken the time yet to analyze what the differences are.

Hope this helps.

Jon

====
10:40:33.196571 0:50:8b:f2:2e:1e 0:b:cd:1c:fd:3c 0800 209: 95.242.183.14 >
172.16.9.5:  swipe 175 [ttl 1] (id 21315, len 195)
0x0000   4500 00c3 5343 0000 0135 99ad 5ff2 b70e        E...SC...5.._...
0x0010   ac10 0905 0001 0203 0405 0607 0809 0a0b        ................
0x0020   0c0d 0e0f 1011 1213 1415 1617 1819 1a1b        ................
0x0030   1c1d 1e1f 2021 2223 2425 2627 2829 2a2b        .....!"#$%&'()*+
0x0040   2c2d 2e2f 3031 3233 3435 3637 3839 3a3b        ,-./0123456789:;
0x0050   3c3d 3e3f 4041 4243 4445 4647 4849 4a4b        <=>?@ABCDEFGHIJK
0x0060   4c4d 4e4f 5051 5253 5455 5657 5859 5a5b        LMNOPQRSTUVWXYZ[
0x0070   5c5d 5e5f 6061 6263 6465 6667 6869 6a6b        \]^_`abcdefghijk
0x0080   6c6d 6e6f 7071 7273 7475 7677 7879 7a7b        lmnopqrstuvwxyz{
0x0090   7c7d 7e7f 8081 8283 8485 8687 8889 8a8b        |}~.............
0x00a0   8c8d 8e8f 9091 9293 9495 9697 9899 9a9b        ................
0x00b0   9c9d 9e9f a0a1 a2a3 a4a5 a6a7 a8a9 aaab        ................
0x00c0   acad ae                                        ...
10:40:33.196592 0:50:8b:f2:2e:1e 0:b:cd:1c:fd:3c 0800 209: 55.67.116.25 >
172.16.9.5: mobile: [] > 4.5.6.7 (oproto=0) (bad chec
ksum 515) [ttl 1] (id 47186, len 195)
0x0000   4500 00c3 b852 0000 0137 a040 3743 7419        E....R...7.@7Ct.
0x0010   ac10 0905 0001 0203 0405 0607 0809 0a0b        ................
0x0020   0c0d 0e0f 1011 1213 1415 1617 1819 1a1b        ................
0x0030   1c1d 1e1f 2021 2223 2425 2627 2829 2a2b        .....!"#$%&'()*+
0x0040   2c2d 2e2f 3031 3233 3435 3637 3839 3a3b        ,-./0123456789:;
0x0050   3c3d 3e3f 4041 4243 4445 4647 4849 4a4b        <=>?@ABCDEFGHIJK
0x0060   4c4d 4e4f 5051 5253 5455 5657 5859 5a5b        LMNOPQRSTUVWXYZ[
0x0070   5c5d 5e5f 6061 6263 6465 6667 6869 6a6b        \]^_`abcdefghijk
0x0080   6c6d 6e6f 7071 7273 7475 7677 7879 7a7b        lmnopqrstuvwxyz{
0x0090   7c7d 7e7f 8081 8283 8485 8687 8889 8a8b        |}~.............
0x00a0   8c8d 8e8f 9091 9293 9495 9697 9899 9a9b        ................
0x00b0   9c9d 9e9f a0a1 a2a3 a4a5 a6a7 a8a9 aaab        ................
0x00c0   acad ae                                        ...
10:40:33.196608 0:50:8b:f2:2e:1e 0:b:cd:1c:fd:3c 0800 209: 143.209.248.66 >
172.16.9.5:  nd 175 [ttl 1] (id 10357, len 195)
0x0000   4500 00c3 2875 0000 014d 5350 8fd1 f842        E...(u...MSP...B
0x0010   ac10 0905 0001 0203 0405 0607 0809 0a0b        ................
0x0020   0c0d 0e0f 1011 1213 1415 1617 1819 1a1b        ................
0x0030   1c1d 1e1f 2021 2223 2425 2627 2829 2a2b        .....!"#$%&'()*+
0x0040   2c2d 2e2f 3031 3233 3435 3637 3839 3a3b        ,-./0123456789:;
0x0050   3c3d 3e3f 4041 4243 4445 4647 4849 4a4b        <=>?@ABCDEFGHIJK
0x0060   4c4d 4e4f 5051 5253 5455 5657 5859 5a5b        LMNOPQRSTUVWXYZ[
0x0070   5c5d 5e5f 6061 6263 6465 6667 6869 6a6b        \]^_`abcdefghijk
0x0080   6c6d 6e6f 7071 7273 7475 7677 7879 7a7b        lmnopqrstuvwxyz{
0x0090   7c7d 7e7f 8081 8283 8485 8687 8889 8a8b        |}~.............
0x00a0   8c8d 8e8f 9091 9293 9495 9697 9899 9a9b        ................
0x00b0   9c9d 9e9f a0a1 a2a3 a4a5 a6a7 a8a9 aaab        ................
0x00c0   acad ae                                        ...
10:40:33.196623 0:50:8b:f2:2e:1e 0:b:cd:1c:fd:3c 0800 209: 234.82.250.92 >
172.16.9.5: pim v0 [ttl 1] (id 4681, len 195)
0x0000   4500 00c3 1249 0000 0167 0cc7 ea52 fa5c        E....I...g...R.\
0x0010   ac10 0905 0001 0203 0405 0607 0809 0a0b        ................
0x0020   0c0d 0e0f 1011 1213 1415 1617 1819 1a1b        ................
0x0030   1c1d 1e1f 2021 2223 2425 2627 2829 2a2b        .....!"#$%&'()*+
0x0040   2c2d 2e2f 3031 3233 3435 3637 3839 3a3b        ,-./0123456789:;
0x0050   3c3d 3e3f 4041 4243 4445 4647 4849 4a4b        <=>?@ABCDEFGHIJK
0x0060   4c4d 4e4f 5051 5253 5455 5657 5859 5a5b        LMNOPQRSTUVWXYZ[
0x0070   5c5d 5e5f 6061 6263 6465 6667 6869 6a6b        \]^_`abcdefghijk
0x0080   6c6d 6e6f 7071 7273 7475 7677 7879 7a7b        lmnopqrstuvwxyz{
0x0090   7c7d 7e7f 8081 8283 8485 8687 8889 8a8b        |}~.............
0x00a0   8c8d 8e8f 9091 9293 9495 9697 9899 9a9b        ................
0x00b0   9c9d 9e9f a0a1 a2a3 a4a5 a6a7 a8a9 aaab        ................
0x00c0   acad ae                                        ...

-----Original Message-----
From: Donahue, Pat [mailto:PDonahue () acmicorp com]
Sent: Friday, July 18, 2003 11:53 AM
To: Erek Adams; Du Feu, Richard
Cc: snort-users () lists sourceforge net
Subject: RE: [Snort-users] Anyone got a rule for the latest Cisco bug?


Speaking of which, has anyone been able to obtain a full packet capture?
There's probably not too much to those 184 bytes, but I'd be interested in
seeing the payload as well as the packet headers. Anyway, the simple fix
seems to be as always keeping your IOS up to date with the 12.3 branch.

--
Patrick Donahue
Network/Systems Administrator
ACMI Corporation

-----Original Message-----
From: Erek Adams [mailto:erek () snort org]
Sent: Friday, July 18, 2003 5:30 AM
To: Du Feu, Richard
Cc: snort-users () lists sourceforge net
Subject: RE: [Snort-users] Anyone got a rule for the latest Cisco bug?


On Fri, 18 Jul 2003, Du Feu, Richard wrote:

I'm fairly new to snort and am not yet good at writing rules for it,
however I do have a packet capture of an attack against a cisco device.
This is the exploit released on netssys. It looks roughly like this:

09:45:29.846575 8.145.50.78 > a.b.c.d:  ip-proto-53 26 [ttl 1] (id
17168, len 46)
09:45:29.846738 0.246.255.32 > a.b.c.d: mobile 0.246.255.32 > a.b.c.d:
[] > 4.5.6.7 (oproto=0) (bad checksum 515) [ttl 1] (id 6925, len 46)
09:45:29.846770 201.211.15.73 > a.b.c.d:  nd 26 [ttl 1] (id 38906, len 46)
09:45:29.846795 61.81.217.4 > a.b.c.d: pim v0 [ttl 1] (id 8220, len 46)

The ttl needs to be the number of hops to the target system. The source
IPs are spoofed. Is this enough for someone who is clued up to write a
rule for it?


It's something to start with, but it's not quite enough to get a really
good sig.  A "full" packet capture of the entire packet would be the best
thing.  Granted, these are small packets but it's still nice to have.
Besides, who doesn't like to read hex?!?  :)

Cheers!

-----
Erek Adams

   "When things get weird, the weird turn pro."   H.S. Thompson


-------------------------------------------------------
This SF.net email is sponsored by: VM Ware
With VMware you can run multiple operating systems on a single machine.
WITHOUT REBOOTING! Mix Linux / Windows / Novell virtual machines at the
same time. Free trial click here: http://www.vmware.com/wl/offer/345/0
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users


-------------------------------------------------------
This SF.net email is sponsored by: VM Ware
With VMware you can run multiple operating systems on a single machine.
WITHOUT REBOOTING! Mix Linux / Windows / Novell virtual machines at the
same time. Free trial click here: http://www.vmware.com/wl/offer/345/0
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users



-------------------------------------------------------
This SF.net email is sponsored by: VM Ware
With VMware you can run multiple operating systems on a single machine.
WITHOUT REBOOTING! Mix Linux / Windows / Novell virtual machines at the
same time. Free trial click here: http://www.vmware.com/wl/offer/345/0
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Current thread:

Re: Anyone got a rule for the latest Cisco bug?, (continued)
- - Re: Anyone got a rule for the latest Cisco bug? Jason Haar (Jul 17)
  - Re: Anyone got a rule for the latest Cisco bug? twig les (Jul 17)
    - Re: Anyone got a rule for the latest Cisco bug? Jon Hart (Jul 17)
- Re: Anyone got a rule for the latest Cisco bug? Stephen Dunn (Jul 17)
- Re: Anyone got a rule for the latest Cisco bug? Brian (Jul 17)
- RE: Anyone got a rule for the latest Cisco bug? McLaughlin, Andrew (Jul 17)
- RE: Anyone got a rule for the latest Cisco bug? Du Feu, Richard (Jul 18)
  - RE: Anyone got a rule for the latest Cisco bug? Erek Adams (Jul 18)
- RE: Anyone got a rule for the latest Cisco bug? Donahue, Pat (Jul 18)
  - RE: Anyone got a rule for the latest Cisco bug? Jim Forster (Jul 18)
- RE: Anyone got a rule for the latest Cisco bug? Williams Jon (Jul 18)
- RE: Anyone got a rule for the latest Cisco bug? Matt Ploessel (Jul 18)