[Dshield] Cisco 0wn3d??
PacketHunter at comcast.net
Fri Aug 5 18:24:55 GMT 2005
This (like anything else) is not going to catch everything. However, it
will detect any "logon" activity regardless of the method used (assuming it
is not encrypted).
From: list-bounces at lists.dshield.org [mailto:list-bounces at lists.dshield.org]
On Behalf Of Frank Knobbe
Sent: Friday, August 05, 2005 11:22 AM
To: General DShield Discussion List
Subject: Re: [Dshield] Cisco 0wn3d??
On Fri, 2005-08-05 at 05:16 -0400, Rob wrote:
> The best way I've found to write signatures for Cisco exploits is to
> create a login banner and watch for that banner to be returned.
uhm... that's a signature for the banner, not the exploit :)
There are probably exploits that don't require anyone to log into the
router, so you won't see a banner. Exploits that require a login should be
contained by using proper ACLs and access restrictions in the first place.
Or am I missing something here? How is a TCP Option Flag Buffer Overflow
generating a banner?
Ciscogate: Shame on Cisco. Double-Shame on ISS.
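
The banner approach discussed in this thread, as an added example (not code from either poster): a canary string is placed in the router's login banner, and cleartext router-to-client streams are searched for it, including when it is split across segments. The canary value, addresses and management-host list are assumptions, and the segments are constructed sample data.

```python
from collections import defaultdict

# Assumed values for illustration only (not from the thread).
CANARY = b"NOC-7f3a-AUTHORIZED-USE-ONLY"   # unique string placed in the login banner
ROUTERS = {"192.0.2.1"}                     # devices carrying the banner
MGMT_HOSTS = {"198.51.100.10"}              # hosts the ACLs allow to log in

# Constructed sample: (src, sport, dst, dport, payload) in capture order.
SAMPLE = [
    # Telnet login from a management host, banner in one segment.
    ("192.0.2.1", 23, "198.51.100.10", 40001, b"\r\n" + CANARY + b"\r\nUsername: "),
    # Telnet login from an unexpected host, banner split across two segments.
    ("192.0.2.1", 23, "203.0.113.5", 40002, b"\r\nNOC-7f3a-AUTH"),
    ("192.0.2.1", 23, "203.0.113.5", 40002, b"ORIZED-USE-ONLY\r\nUsername: "),
    # SSH session: the banner travels encrypted, so nothing matches.
    ("192.0.2.1", 22, "203.0.113.9", 40003, b"SSH-2.0-Cisco-1.25\r\n\x8f\x02\x11\xa4"),
    # Inbound-only traffic; the router never reaches a login prompt, so no banner.
    ("203.0.113.7", 40004, "192.0.2.1", 23, b"\x00" * 32),
]

def find_banner_returns(segments):
    """Return (router, port, client, client_is_mgmt_host) for each flow
    in which the router sent the canary banner."""
    streams = defaultdict(bytes)   # per-flow router-to-client bytes
    reported = set()
    alerts = []
    for src, sport, dst, dport, payload in segments:
        if src not in ROUTERS:
            continue               # only the router-to-client direction carries the banner
        flow = (src, sport, dst, dport)
        if flow in reported:
            continue
        # Keep a bounded tail so a banner split across segments still matches.
        streams[flow] = (streams[flow] + payload)[-4096:]
        if CANARY in streams[flow]:
            reported.add(flow)
            alerts.append((src, sport, dst, dst in MGMT_HOSTS))
    return alerts

if __name__ == "__main__":
    for router, port, client, allowed in find_banner_returns(SAMPLE):
        status = "expected" if allowed else "UNEXPECTED SOURCE"
        print(f"login banner from {router}:{port} to {client} ({status})")
```

The last two sample flows produce no alert, which matches both caveats raised in the thread: encrypted logons and activity that never triggers a banner are invisible to this check.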