Skip to content

Instantly share code, notes, and snippets.

@fox-srt
Last active April 10, 2018 09:42
Show Gist options
  • Save fox-srt/09401dfdfc15652b22956b9cc59f71cb to your computer and use it in GitHub Desktop.
Save fox-srt/09401dfdfc15652b22956b9cc59f71cb to your computer and use it in GitHub Desktop.
Cisco ASA RCE / CVE-2018-0101 IDS Signatures
# IDS signatures for https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180129-asa1:
alert udp any any -> any 500 (msg:"FOX-SRT - Suspicious - Possible Fragmented Cisco IKE/isakmp Packet HeapSpray (CVE-2018-0101)"; flow:to_server; content:"|84|"; offset:16; depth:1; content:"|02|"; distance:1; within:1; fast_pattern; byte_test:4,>,5000,5,relative; byte_test:2,>,5000,11,relative; byte_extract:4,36,fragment_match; byte_test:4,=,fragment_match,53,relative; byte_test:4,=,fragment_match,137,relative; byte_test:4,=,fragment_match,237,relative; threshold:type limit, track by_dst, count 1, seconds 600; classtype:attempted-admin; sid:21002339; rev:5;)
alert udp any any -> any 500 (msg:"FOX-SRT - Exploit - Possible Shellcode in Cisco IKE/isakmp - tcp/CONNECT/"; content:"tcp/CONNECT/"; fast_pattern:only; threshold:type limit, track by_src, count 1, seconds 600; priority:1; classtype:attempted-admin; sid:21002340; rev:2;)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment