SecurityFocus

Signature for CVE ID: CVE-2008-1151 (CISCO PPTP memory leak - DoS) Jul 04 2008 04:03PM
Ravi Chunduru (ravi is chunduru gmail com) (2 replies)

Re: Signature for CVE ID: CVE-2008-1151 (CISCO PPTP memory leak - DoS) Jul 07 2008 04:09PM
Srinivasa Addepalli (srao intoto com) (1 replies)

You are right that these kinds of DoS attacks are difficult to detect
at Network IDS/IPS level due to the problems you mentioned - false
positives and false negatives.

I suggest that you consider "version" of cisco routers in your rules
to avoid false positives in deployment scnearios where CISCO routers
are not used.

Thanks
Srini

On Fri, Jul 4, 2008 at 9:03 AM, Ravi Chunduru
<ravi.is.chunduru (at) gmail (dot) com [email concealed]> wrote:
>
> Please see these links for more information on vulnerability:
>
> http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-1151
> http://www.cisco.com/en/US/products/products_security_advisory09186a0080
969862.shtml
>
> According to this vulnerability report, PPTP process in CISCO routers
> leak memory upon every PPTP termination. Eventually memory is used up
> and no other PPTP connections are entertained.
>
> How does one go about writing signatures for detecting exploits
> targeting this vulnerability?
> Only possibility I can think of, based on capabilities of signature
> language, is to check for the rate at which these PPTP connections are
> made. If it checks for higher rate, there could be false negatives
> where attacker makes the connections at very slow rate. If it checks
> for lower rate, then there is possibility of false positives. What is
> the right way of writing signatures?
>
>
> thanks
> Ravi
>
> ------------------------------------------------------------------------

> Test Your IDS
>
> Is your IDS deployed correctly?
> Find out quickly and easily by testing it
> with real-world attacks from CORE IMPACT.
> Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaig
n=intro_sfw
> to learn more.
> ------------------------------------------------------------------------

>

------------------------------------------------------------------------

Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaig
n=intro_sfw
to learn more.
------------------------------------------------------------------------

[ reply ]

Re: Signature for CVE ID: CVE-2008-1151 (CISCO PPTP memory leak - DoS) Jul 09 2008 03:24AM
Secure Scorp (securescorp gmail com) (1 replies)

RE: Signature for CVE ID: CVE-2008-1151 (CISCO PPTP memory leak - DoS) Jul 11 2008 06:52PM
Srinivasa Addepalli (srao intoto com)

Re: Signature for CVE ID: CVE-2008-1151 (CISCO PPTP memory leak - DoS) Jul 05 2008 07:49AM
Secure Scorp (securescorp gmail com)