alert udp any 1985 -> 224.0.0.2 1985 (msg:"ET POLICY HSRP Active Router Changed"; content:"|00 04|"; depth:3; reference:url,packetlife.net/blog/2008/oct/27/hijacking-hsrp/; reference:url,doc.emergingthreats.net/2009243; classtype:bad-unknown; sid:2009243; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

Added 2017-08-07 21:02:23 UTC


alert udp any 1985 -> 224.0.0.2 1985 (msg:"ET POLICY HSRP Active Router Changed"; content:"|00 04|"; depth:3; reference:url,packetlife.net/blog/2008/oct/27/hijacking-hsrp/; reference:url,doc.emergingthreats.net/2009243; classtype:bad-unknown; sid:2009243; rev:2;)

Added 2011-10-12 19:26:56 UTC


alert udp any 1985 -> 224.0.0.2 1985 (msg:"ET POLICY HSRP Active Router Changed"; content:"|00 04|"; depth:3; classtype:bad-unknown; reference:url,packetlife.net/blog/2008/oct/27/hijacking-hsrp/; reference:url,doc.emergingthreats.net/2009243; sid:2009243; rev:2;)

Added 2011-09-14 22:40:18 UTC


alert udp any 1985 -> 224.0.0.2 1985 (msg:"ET POLICY HSRP Active Router Changed"; content:"|00 04|"; depth:3; classtype:bad-unknown; reference:url,packetlife.net/blog/2008/oct/27/hijacking-hsrp/; reference:url,doc.emergingthreats.net/2009243; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_HSRP_Change; sid:2009243; rev:2;)

Added 2011-02-04 17:28:32 UTC


alert udp any 1985 -> 224.0.0.2 1985 (msg:"ET POLICY HSRP Active Router Changed"; content:"|00 04|"; depth:3; classtype:bad-unknown; reference:url,packetlife.net/blog/2008/oct/27/hijacking-hsrp/; reference:url,doc.emergingthreats.net/2009243; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_HSRP_Change; sid:2009243; rev:2;)

Added 2009-04-20 17:00:32 UTC

For packet format reference use http://www.networksorcery.com/enp/protocol/hsrp.htm. This rule fires off when the state of the conversation is "4", which implies (but does not necessarily prove) that the owner of the virtual IP has changed or is about to change.

04:17:05.053775 IP 10.255.166.252.1985 > 224.0.0.2.1985: HSRPv0-hello 20: state=speak group=1 addr=10.255.166.254
        0x0000:  00c0 0800 4500 0030 0000 0000 0111 27c0  ....E..0......'.
        0x0010:  0aff a6fc e000 0002 07c1 07c1 001c 7ce9  ..............|.
        0x0020:  0000 0403 0a64 0100 4321 7363 xxxx xxxx  .....d..C!scxxxx
        0x0030:  0aff a6fe                                ....

Normal traffic looks like this:
10:25:34.785212 IP 10.255.166.252.1985 > 224.0.0.2.1985: HSRPv0-hello 20: state=standby group=1 addr=10.255.166.254
10:25:34.785213 IP 10.255.166.252.1985 > 224.0.0.2.1985: HSRPv0-hello 20: state=standby group=1 addr=10.255.166.254
10:25:34.828720 IP 10.255.164.253.1985 > 224.0.0.2.1985: HSRPv0-hello 20: state=active group=1 addr=10.255.164.254
10:25:34.864681 IP 10.255.166.253.1985 > 224.0.0.2.1985: HSRPv0-hello 20: state=active group=1 addr=10.255.166.254
10:25:34.888692 IP 10.255.6.253.1985 > 224.0.0.2.1985: HSRPv0-hello 20: state=active group=1 addr=10.255.6.254
10:25:34.964415 IP 10.255.168.253.1985 > 224.0.0.2.1985: HSRPv0-hello 20: state=active group=3 addr=10.255.168.254

-- JackPepper - 17 Jun 2010
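
An added example, not part of this rule page or the ET ruleset: it decodes the 20-byte HSRP v0 header laid out in the dump above and reimplements the signature's `content:"|00 04|"; depth:3` test, so the "speak" hello fires and the steady-state standby/active hellos do not. The sample datagrams are constructed from the field values visible in the capture (hellotime 3, holdtime 10, priority 100, group 1), with the redacted authentication bytes replaced by the RFC 2281 default string "cisco".

```python
import struct
from ipaddress import IPv4Address

# HSRP v0 header (RFC 2281): version, opcode, state, hellotime, holdtime,
# priority, group, reserved (1 byte each), 8-byte auth data, 4-byte virtual IP.
STATES = {0: "initial", 1: "learn", 2: "listen", 4: "speak", 8: "standby", 16: "active"}
OPCODES = {0: "hello", 1: "coup", 2: "resign"}

def parse_hsrp(payload: bytes) -> dict:
    """Decode the UDP payload of an HSRP v0 datagram (UDP port 1985)."""
    if len(payload) < 20:
        raise ValueError("HSRP v0 header is 20 bytes")
    ver, op, state, hello, hold, prio, group, _rsvd = struct.unpack("!8B", payload[:8])
    return {
        "version": ver,
        "opcode": OPCODES.get(op, f"unknown({op})"),
        "state": STATES.get(state, f"unknown({state})"),
        "hellotime": hello, "holdtime": hold, "priority": prio, "group": group,
        "auth": payload[8:16].rstrip(b"\x00").decode("ascii", "replace"),
        "virtual_ip": str(IPv4Address(payload[16:20])),
    }

def sid_2009243_matches(payload: bytes) -> bool:
    """Rule logic: content:"|00 04|"; depth:3 -> the bytes 00 04 must begin within
    the first 3 payload bytes, i.e. opcode=hello (00) followed by state=speak (04).
    Note a coup or resign (opcode 01/02) sent from the speak state does not match."""
    return b"\x00\x04" in payload[:3]

def build_hello(state: int, group: int, vip: str, priority: int = 100,
                opcode: int = 0, auth: bytes = b"cisco") -> bytes:
    """Constructed sample datagram modelled on the dump above (auth = RFC 2281 default)."""
    header = struct.pack("!8B", 0, opcode, state, 3, 10, priority, group, 0)
    return header + auth.ljust(8, b"\x00") + IPv4Address(vip).packed

# Constructed samples mirroring the capture: one router in the speak state
# (the rule should fire) and the normal standby/active hellos (it should not).
SPEAK = build_hello(4, 1, "10.255.166.254")
STANDBY = build_hello(8, 1, "10.255.166.254")
ACTIVE = build_hello(16, 1, "10.255.164.254")

if __name__ == "__main__":
    for pkt in (SPEAK, STANDBY, ACTIVE):
        d = parse_hsrp(pkt)
        print(f"{d['opcode']:5} state={d['state']:8} group={d['group']} "
              f"vip={d['virtual_ip']} alert={sid_2009243_matches(pkt)}")
```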



alert udp any 1985 -> 224.0.0.2 1985 (msg:"ET POLICY HSRP Active Router Changed"; content:"|00 04|"; depth:3; classtype:bad-unknown; reference:url,packetlife.net/blog/2008/oct/27/hijacking-hsrp/; sid:2009243; rev:1;)

Added 2009-04-20 09:21:47 UTC


Topic revision: r2 - 2010-06-17 - JackPepper