Re: SID 1545: DOS Cisco attempt

[twig les <twigles () yahoo com>]

I'm not 100% but it's probably regarding that old DoS on a Cisco
box running Cisco's Satanic(TM) web server.  Check Cisco's site
for more info, but basically you can send a router a simple url
that will make it hang for a minute or so and then reboot.  I've
tried it myself (on private equipment) and I must admit it's
funny.

It sounds like you're fine, but I implore anyone reading this
... hunt down and turn off any web server that Cisco touched,
this isn't the only vuln and there are no patches.

--- D PH <flying_triguy () hotmail com> wrote:
> Hey all, running into a bit of a wall, I can't find out what
> vulnerability 
> this rule applies to. There is no CVE, CERT or Bugtraq
> information in it.
>
> I am seeing a few of these every now and then on my external
> interface of a 
> class C and before I comment it out as being not applicable to
> me, I would 
> like to know what vulnerability it is. I can't figure it out
> unless it is 
> mis-named. It is looking for a 1 byte packet destined for a
> web port with 
> 0x13 as the only byte.
>
> The rule was promoted out of Experimental rules and into
> dos.rules, but I am 
> at a loss as to what it means.
>
> dos.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80
> (msg:"DOS cisco 
> attempt"; flow:to_server,established; content:"|13|"; dsize:1;
>
> classtype:web-application-attack; sid:1545; rev:4;)
>
> Any ideas? Any hints? I can't even tell if I should be looking
> for CISCO DoS 
> information or web-app vulnerabilities.
>
> DP
_________________________________________________________________
> STOP MORE SPAM with the new MSN 8 and get 2 months FREE*   
> http://join.msn.com/?page=features/junkmail
>
>
>
> -------------------------------------------------------
> This SF.net email is sponsored by:Crypto Challenge is now
> open! 
> Get cracking and register here for some mind boggling fun and 
> the chance of winning an Apple iPod:
> http://ads.sourceforge.net/cgi-bin/redirect.pl?thaw0031en
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users


=====
-----------------------------------------------------------
Know yourself and know your enemy and you will never fear defeat.         
-----------------------------------------------------------

__________________________________________________
Do you Yahoo!?
Yahoo! Web Hosting - establish your business online
http://webhosting.yahoo.com


-------------------------------------------------------
This SF.net email is sponsored by:Crypto Challenge is now open! 
Get cracking and register here for some mind boggling fun and 
the chance of winning an Apple iPod:
http://ads.sourceforge.net/cgi-bin/redirect.pl?thaw0031en
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users