[Dshield] Cisco 0wn3d??

Rob PacketHunter at comcast.net
Fri Aug 5 18:24:55 GMT 2005


This (like anything else) is not going to catch everything.  However, it
will detect any "logon" activity regardless of the method used (assuming it
is not encrypted). 


--Rob 


-----Original Message-----
From: list-bounces at lists.dshield.org [mailto:list-bounces at lists.dshield.org]
On Behalf Of Frank Knobbe
Sent: Friday, August 05, 2005 11:22 AM
To: General DShield Discussion List
Subject: Re: [Dshield] Cisco 0wn3d??

On Fri, 2005-08-05 at 05:16 -0400, Rob wrote:
> The best way I've found to write signatures for Cisco exploits is to 
> create a login banner and watch for that banner to be returned.

uhm... that's a signature for the banner, not the exploit :)

There are probably exploits that don't require anyone to log into the
router, so you won't see a banner. Exploits that require a login should be
contained by using proper ACLs and access restrictions in the first place.

Or am I missing something here? How is a TCP Option Flag Buffer Overflow
generating a banner?


Curious,
Frank


--
Ciscogate: Shame on Cisco. Double-Shame on ISS.
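
Added example (not part of either poster's message): a sketch of the banner-watch approach Rob describes, matching a unique login-banner string in cleartext router-to-client traffic even when the banner is split across TCP segments. The banner token, the addresses and the segment tuple format are assumptions constructed for illustration.

```python
from collections import defaultdict

# Assumptions constructed for this example (not from the thread):
CANARY = b"DSHIELD-CANARY-7f3a"    # unique string placed in the router's login banner
ROUTERS = {"192.0.2.1"}            # devices configured with that banner
MGMT_HOSTS = {"198.51.100.10"}     # hosts expected to log in to them

def find_banner_sessions(segments):
    """segments: (src, sport, dst, dport, payload) tuples in capture order.
    Returns sorted (router, client, router_port, from_mgmt_host) tuples for
    every flow in which a router sent the banner in cleartext."""
    tails = defaultdict(bytes)     # per-flow bytes carried into the next segment
    hits = {}
    for src, sport, dst, dport, payload in segments:
        if src not in ROUTERS:     # only router-to-client data counts; a client
            continue               # typing the string is not a returned banner
        flow = (src, sport, dst, dport)
        data = tails[flow] + payload
        if CANARY in data:
            hits[flow] = dst in MGMT_HOSTS
        # Keep enough bytes to match a banner split across two segments.
        tails[flow] = data[-(len(CANARY) - 1):]
    return sorted((s, d, sp, ok) for (s, sp, d, dp), ok in hits.items())

def unexpected_logins(segments):
    """Banner sessions whose client is not a known management host."""
    return [(r, c, p) for r, c, p, ok in find_banner_sessions(segments) if not ok]

# Constructed sample traffic (payloads are illustrative, not captured data).
SAMPLE = [
    ("198.51.100.10", 40000, "192.0.2.1", 23, b"\xff\xfd\x01"),
    ("192.0.2.1", 23, "198.51.100.10", 40000,
     b"\r\n*** DSHIELD-CANARY-7f3a ***\r\nUsername: "),
    # Banner split across two segments, client is not a management host.
    ("192.0.2.1", 23, "203.0.113.50", 51515, b"\r\n*** DSHIELD-CAN"),
    ("192.0.2.1", 23, "203.0.113.50", 51515, b"ARY-7f3a ***\r\nUsername: "),
    # Client-sent copy of the string: ignored.
    ("203.0.113.50", 51515, "192.0.2.1", 23, b"DSHIELD-CANARY-7f3a"),
    # Router traffic that never presents a login prompt: nothing to match,
    # which is the gap Frank points out.
    ("192.0.2.1", 179, "192.0.2.2", 33000, b"\xff" * 19),
]

if __name__ == "__main__":
    for router, client, port in unexpected_logins(SAMPLE):
        print(f"banner from {router}:{port} returned to unexpected host {client}")
```

Encrypted sessions never expose the banner to this check, matching the caveat in Rob's reply.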


