[Dshield] Cisco exploit

Johannes Ullrich jullrich at euclidian.com
Fri Jul 18 19:10:13 GMT 2003


The vulnerability is triggered by packets with odd protocols.
Some routers (Linksys for example) do not log protocols. For snort,
someone posted these rules to the intrusions list:

alert ip $EXTERNAL_NET any -> $HOME_NET any (msg: "CISCO: IP Proto 53 (Swipe) detected"; ip_proto: 53; classtype:denial-of-service;)
alert ip $EXTERNAL_NET any -> $HOME_NET any (msg: "CISCO: IP Proto 55 (IP Mobility) detected"; ip_proto: 55; classtype:denial-of-service;)
alert ip $EXTERNAL_NET any -> $HOME_NET any (msg: "CISCO: IP Proto 77 (SUN ND) detected"; ip_proto: 77; classtype:denial-of-service;)
alert ip $EXTERNAL_NET any -> $HOME_NET any (msg: "CISCO: IP Proto 103 (PIM) detected"; ip_proto: 103; classtype:denial-of-service;)


On Fri, 2003-07-18 at 13:46, Paul Marsh wrote:
>   The exploit is in the wild now, what kind of signatures should we 
> be on the lookout for in our logs?  Also it only took a few days 
> for the exploit to be published how long before we start seeing large 
> amounts of activity scanning for open port 135's due to the new Win 
> exploit.  Looks like it could be a busy weekend.


I very much agree. The Windows exploit has the potential to be much more
severe. Most of the critical Cisco equipment is patched now. But who
knows about Windows machines, which are usually not as well
administered.



> 
> Thanx, Paul
-- 
-------------------------------------------------------------
Johannes Ullrich                     jullrich at euclidian.com
pgp key: http://johannes.homepc.org/PGPKEYS
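The check the four Snort rules above perform, written out as an added Python example (not part of the original post, and not the Snort rules quoted in it): it parses raw IPv4 headers, verifies the header checksum, and flags packets whose protocol field is 53, 55, 77 or 103. The addresses, the `build_ipv4` helper and the packets in `SAMPLE_PACKETS` are constructed test data, not captured traffic.

```python
import socket
import struct
from typing import List, Optional, Tuple

# IPv4 protocol numbers named in the Snort rules above, with the names the rules use.
FLAGGED_PROTOCOLS = {
    53: "Swipe",
    55: "IP Mobility",
    77: "SUN ND",
    103: "PIM",
}


def _checksum(data: bytes) -> int:
    """RFC 791 ones'-complement checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_ipv4_header(packet: bytes) -> dict:
    """Parse the fixed 20-byte IPv4 header; raise ValueError on anything malformed."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    (version_ihl, _tos, _total_len, _ident, _flags_frag,
     _ttl, proto, _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    version = version_ihl >> 4
    ihl = (version_ihl & 0x0F) * 4
    if version != 4:
        raise ValueError("not an IPv4 packet (version %d)" % version)
    if ihl < 20 or len(packet) < ihl:
        raise ValueError("bad IHL %d" % ihl)
    # A correct header sums to zero when its own checksum field is included.
    if _checksum(packet[:ihl]) != 0:
        raise ValueError("header checksum mismatch")
    return {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst), "proto": proto}


def classify(packet: bytes) -> Optional[str]:
    """Return the alert text the matching Snort rule would log, or None if the protocol is not flagged."""
    hdr = parse_ipv4_header(packet)
    name = FLAGGED_PROTOCOLS.get(hdr["proto"])
    if name is None:
        return None
    return "CISCO: IP Proto %d (%s) detected %s -> %s" % (hdr["proto"], name, hdr["src"], hdr["dst"])


def scan(packets: List[bytes]) -> Tuple[List[str], int]:
    """Run classify() over a batch; return (alerts, number of malformed packets skipped)."""
    alerts, malformed = [], 0
    for pkt in packets:
        try:
            msg = classify(pkt)
        except ValueError:
            malformed += 1
            continue
        if msg:
            alerts.append(msg)
    return alerts, malformed


def build_ipv4(src: str, dst: str, proto: int, ttl: int = 64, payload: bytes = b"") -> bytes:
    """Build a minimal, checksum-correct IPv4 packet. Constructed test data, not captured traffic."""
    fields = [0x45, 0, 20 + len(payload), 0, 0, ttl, proto, 0,
              socket.inet_aton(src), socket.inet_aton(dst)]
    header = struct.pack("!BBHHHBBH4s4s", *fields)
    fields[7] = _checksum(header)
    return struct.pack("!BBHHHBBH4s4s", *fields) + payload


# Constructed sample traffic: one benign TCP packet, one packet for each flagged
# protocol, and a truncated packet to exercise the malformed-input path.
SAMPLE_PACKETS = [
    build_ipv4("192.0.2.10", "198.51.100.1", 6, payload=b"\x00" * 20),
    build_ipv4("192.0.2.10", "198.51.100.1", 53),
    build_ipv4("192.0.2.11", "198.51.100.1", 55),
    build_ipv4("192.0.2.12", "198.51.100.1", 77),
    build_ipv4("192.0.2.13", "198.51.100.1", 103),
    b"\x45\x00\x00\x14",
]

if __name__ == "__main__":
    alerts, malformed = scan(SAMPLE_PACKETS)
    for line in alerts:
        print(line)
    print("malformed packets skipped:", malformed)
```

Like the Snort rules, this matches purely on the protocol number, so any legitimate PIM or Mobile IP traffic on the network will alert as well; that is acceptable for a short-lived watch rule but worth keeping in mind before treating a hit as an attack.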