Last active April 10, 2018 09:42
Cisco ASA RCE / CVE-2018-0101 IDS Signatures
# IDS signatures for https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180129-asa1:
alert udp any any -> any 500 (msg:"FOX-SRT - Suspicious - Possible Fragmented Cisco IKE/isakmp Packet HeapSpray (CVE-2018-0101)"; flow:to_server; content:"|84|"; offset:16; depth:1; content:"|02|"; distance:1; within:1; fast_pattern; byte_test:4,>,5000,5,relative; byte_test:2,>,5000,11,relative; byte_extract:4,36,fragment_match; byte_test:4,=,fragment_match,53,relative; byte_test:4,=,fragment_match,137,relative; byte_test:4,=,fragment_match,237,relative; threshold:type limit, track by_dst, count 1, seconds 600; classtype:attempted-admin; sid:21002339; rev:5;)
alert udp any any -> any 500 (msg:"FOX-SRT - Exploit - Possible Shellcode in Cisco IKE/isakmp - tcp/CONNECT/"; content:"tcp/CONNECT/"; fast_pattern:only; threshold:type limit, track by_src, count 1, seconds 600; priority:1; classtype:attempted-admin; sid:21002340; rev:2;)