Snort mailing list archives
RE: Anyone got a rule for the latest Cisco bug?
From: "Williams Jon" <WilliamsJonathan () JohnDeere com>
Date: Fri, 18 Jul 2003 12:31:31 -0500
Here you go. Of note, the source IP addresses are spoofed, and you have to specify the TTL on the command line so that the TTL on the packet when it arrives at the target Cisco device is either 0 or 1. Also, I've noticed that the output is different on multiple runs of the tool in my lab, although I haven't taken the time yet to analyze what the differences are. Hope this helps.

Jon

====

10:40:33.196571 0:50:8b:f2:2e:1e 0:b:cd:1c:fd:3c 0800 209: 95.242.183.14 > 172.16.9.5: swipe 175 [ttl 1] (id 21315, len 195)
0x0000 4500 00c3 5343 0000 0135 99ad 5ff2 b70e E...SC...5.._...
0x0010 ac10 0905 0001 0203 0405 0607 0809 0a0b ................
0x0020 0c0d 0e0f 1011 1213 1415 1617 1819 1a1b ................
0x0030 1c1d 1e1f 2021 2223 2425 2627 2829 2a2b .....!"#$%&'()*+
0x0040 2c2d 2e2f 3031 3233 3435 3637 3839 3a3b ,-./0123456789:;
0x0050 3c3d 3e3f 4041 4243 4445 4647 4849 4a4b <=>?@ABCDEFGHIJK
0x0060 4c4d 4e4f 5051 5253 5455 5657 5859 5a5b LMNOPQRSTUVWXYZ[
0x0070 5c5d 5e5f 6061 6263 6465 6667 6869 6a6b \]^_`abcdefghijk
0x0080 6c6d 6e6f 7071 7273 7475 7677 7879 7a7b lmnopqrstuvwxyz{
0x0090 7c7d 7e7f 8081 8283 8485 8687 8889 8a8b |}~.............
0x00a0 8c8d 8e8f 9091 9293 9495 9697 9899 9a9b ................
0x00b0 9c9d 9e9f a0a1 a2a3 a4a5 a6a7 a8a9 aaab ................
0x00c0 acad ae ...

10:40:33.196592 0:50:8b:f2:2e:1e 0:b:cd:1c:fd:3c 0800 209: 55.67.116.25 > 172.16.9.5: mobile: [] > 4.5.6.7 (oproto=0) (bad checksum 515) [ttl 1] (id 47186, len 195)
0x0000 4500 00c3 b852 0000 0137 a040 3743 7419 E....R...7.@7Ct.
0x0010 ac10 0905 0001 0203 0405 0607 0809 0a0b ................
0x0020 0c0d 0e0f 1011 1213 1415 1617 1819 1a1b ................
0x0030 1c1d 1e1f 2021 2223 2425 2627 2829 2a2b .....!"#$%&'()*+
0x0040 2c2d 2e2f 3031 3233 3435 3637 3839 3a3b ,-./0123456789:;
0x0050 3c3d 3e3f 4041 4243 4445 4647 4849 4a4b <=>?@ABCDEFGHIJK
0x0060 4c4d 4e4f 5051 5253 5455 5657 5859 5a5b LMNOPQRSTUVWXYZ[
0x0070 5c5d 5e5f 6061 6263 6465 6667 6869 6a6b \]^_`abcdefghijk
0x0080 6c6d 6e6f 7071 7273 7475 7677 7879 7a7b lmnopqrstuvwxyz{
0x0090 7c7d 7e7f 8081 8283 8485 8687 8889 8a8b |}~.............
0x00a0 8c8d 8e8f 9091 9293 9495 9697 9899 9a9b ................
0x00b0 9c9d 9e9f a0a1 a2a3 a4a5 a6a7 a8a9 aaab ................
0x00c0 acad ae ...

10:40:33.196608 0:50:8b:f2:2e:1e 0:b:cd:1c:fd:3c 0800 209: 143.209.248.66 > 172.16.9.5: nd 175 [ttl 1] (id 10357, len 195)
0x0000 4500 00c3 2875 0000 014d 5350 8fd1 f842 E...(u...MSP...B
0x0010 ac10 0905 0001 0203 0405 0607 0809 0a0b ................
0x0020 0c0d 0e0f 1011 1213 1415 1617 1819 1a1b ................
0x0030 1c1d 1e1f 2021 2223 2425 2627 2829 2a2b .....!"#$%&'()*+
0x0040 2c2d 2e2f 3031 3233 3435 3637 3839 3a3b ,-./0123456789:;
0x0050 3c3d 3e3f 4041 4243 4445 4647 4849 4a4b <=>?@ABCDEFGHIJK
0x0060 4c4d 4e4f 5051 5253 5455 5657 5859 5a5b LMNOPQRSTUVWXYZ[
0x0070 5c5d 5e5f 6061 6263 6465 6667 6869 6a6b \]^_`abcdefghijk
0x0080 6c6d 6e6f 7071 7273 7475 7677 7879 7a7b lmnopqrstuvwxyz{
0x0090 7c7d 7e7f 8081 8283 8485 8687 8889 8a8b |}~.............
0x00a0 8c8d 8e8f 9091 9293 9495 9697 9899 9a9b ................
0x00b0 9c9d 9e9f a0a1 a2a3 a4a5 a6a7 a8a9 aaab ................
0x00c0 acad ae ...

10:40:33.196623 0:50:8b:f2:2e:1e 0:b:cd:1c:fd:3c 0800 209: 234.82.250.92 > 172.16.9.5: pim v0 [ttl 1] (id 4681, len 195)
0x0000 4500 00c3 1249 0000 0167 0cc7 ea52 fa5c E....I...g...R.\
0x0010 ac10 0905 0001 0203 0405 0607 0809 0a0b ................
0x0020 0c0d 0e0f 1011 1213 1415 1617 1819 1a1b ................
0x0030 1c1d 1e1f 2021 2223 2425 2627 2829 2a2b .....!"#$%&'()*+
0x0040 2c2d 2e2f 3031 3233 3435 3637 3839 3a3b ,-./0123456789:;
0x0050 3c3d 3e3f 4041 4243 4445 4647 4849 4a4b <=>?@ABCDEFGHIJK
0x0060 4c4d 4e4f 5051 5253 5455 5657 5859 5a5b LMNOPQRSTUVWXYZ[
0x0070 5c5d 5e5f 6061 6263 6465 6667 6869 6a6b \]^_`abcdefghijk
0x0080 6c6d 6e6f 7071 7273 7475 7677 7879 7a7b lmnopqrstuvwxyz{
0x0090 7c7d 7e7f 8081 8283 8485 8687 8889 8a8b |}~.............
0x00a0 8c8d 8e8f 9091 9293 9495 9697 9899 9a9b ................
0x00b0 9c9d 9e9f a0a1 a2a3 a4a5 a6a7 a8a9 aaab ................
0x00c0 acad ae ...

-----Original Message-----
From: Donahue, Pat [mailto:PDonahue () acmicorp com]
Sent: Friday, July 18, 2003 11:53 AM
To: Erek Adams; Du Feu, Richard
Cc: snort-users () lists sourceforge net
Subject: RE: [Snort-users] Anyone got a rule for the latest Cisco bug?

Speaking of which, has anyone been able to obtain a full packet capture? There's probably not too much to those 184 bytes, but I'd be interested in seeing the payload as well as the packet headers. Anyway, the simple fix seems to be, as always, keeping your IOS up to date with the 12.3 branch.

--
Patrick Donahue
Network/Systems Administrator
ACMI Corporation

-----Original Message-----
From: Erek Adams [mailto:erek () snort org]
Sent: Friday, July 18, 2003 5:30 AM
To: Du Feu, Richard
Cc: snort-users () lists sourceforge net
Subject: RE: [Snort-users] Anyone got a rule for the latest Cisco bug?

On Fri, 18 Jul 2003, Du Feu, Richard wrote:
> I'm fairly new to snort and am not yet good at writing rules for it; however, I do have a packet capture of an attack against a cisco device. This is the exploit released on netsys. It looks roughly like this:
>
> 09:45:29.846575 8.145.50.78 > a.b.c.d: ip-proto-53 26 [ttl 1] (id 17168, len 46)
> 09:45:29.846738 0.246.255.32 > a.b.c.d: mobile 0.246.255.32 > a.b.c.d: [] > 4.5.6.7 (oproto=0) (bad checksum 515) [ttl 1] (id 6925, len 46)
> 09:45:29.846770 201.211.15.73 > a.b.c.d: nd 26 [ttl 1] (id 38906, len 46)
> 09:45:29.846795 61.81.217.4 > a.b.c.d: pim v0 [ttl 1] (id 8220, len 46)
>
> The ttl needs to be the number of hops to the target system. The source IPs are spoofed. Is this enough for someone who is clued up to write a rule for it?
It's something to start with, but it's not quite enough to get a really good sig. A "full" packet capture of the entire packet would be the best thing. Granted, these are small packets but it's still nice to have. Besides, who doesn't like to read hex?!? :)

Cheers!

-----
Erek Adams
"When things get weird, the weird turn pro." H.S. Thompson

-------------------------------------------------------
This SF.net email is sponsored by: VM Ware
With VMware you can run multiple operating systems on a single machine. WITHOUT REBOOTING! Mix Linux / Windows / Novell virtual machines at the same time. Free trial click here: http://www.vmware.com/wl/offer/345/0
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
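An added example (not from the thread or from Snort) that applies the rule logic the thread is after to the capture Jon posted: it rebuilds the packet bytes from the tcpdump -X lines, decodes the IPv4 header, verifies the header checksum, and flags the four protocol numbers when the TTL is low enough to expire at the router. The hops_to_router parameter is an assumption for sensor placement.

```python
import struct

# Constructed sample: the header lines of the first packet in Jon's tcpdump -X capture
# above (swipe, IP protocol 53, TTL 1), copied from the post; the rest is filler payload.
SAMPLE_DUMP = """\
0x0000 4500 00c3 5343 0000 0135 99ad 5ff2 b70e E...SC...5.._...
0x0010 ac10 0905 0001 0203 0405 0607 0809 0a0b ................
0x0020 0c0d 0e0f 1011 1213 1415 1617 1819 1a1b ................
"""
# The four IP protocol numbers the exploit in this thread sends.
SUSPECT_PROTOS = {53: "swipe", 55: "mobile", 77: "nd", 103: "pim"}

def hexdump_to_bytes(dump):
    """Rebuild raw packet bytes from tcpdump -X lines: offset, up to 8 hex groups, ASCII."""
    out = bytearray()
    for line in dump.splitlines():
        parts = line.split()
        if not parts or not parts[0].startswith("0x"):
            continue
        for group in parts[1:9]:          # ASCII column never sits inside the first 8 groups
            try:
                out += bytes.fromhex(group)
            except ValueError:            # hit the ASCII column of a short final line
                break
    return bytes(out)

def ip_header_checksum(header):
    """RFC 791 one's-complement sum; yields 0 when run over a header whose checksum is valid."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def parse_ipv4(pkt):
    """Decode the fixed IPv4 header fields a Snort ip_proto/ttl rule would match on."""
    ver_ihl, _, total_len, ident, _, ttl, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {"version": ver_ihl >> 4, "total_len": total_len, "id": ident, "ttl": ttl,
            "proto": proto, "src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
            "checksum_ok": ip_header_checksum(pkt[:ihl]) == 0}

def matches_cisco_dos(hdr, hops_to_router=0):
    """Rule logic: one of the four protocols with a TTL that expires at the router.
    Assumption: the sensor sits hops_to_router hops upstream of the protected device, so a
    packet that reaches the router with TTL 0 or 1 passes the sensor with TTL <= 1 + hops."""
    return (hdr["version"] == 4 and hdr["proto"] in SUSPECT_PROTOS
            and hdr["ttl"] <= 1 + hops_to_router)
```

The hop offset is the part a packet summary alone does not show: a sensor several hops in front of the router sees the TTL before those hops decrement it, so a rule keyed on ttl 0 or 1 at the sensor would miss traffic that still expires on the router.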