[Snort-devel] Snort 2.0.5 hang/infinite loop

Lawrence Reed Lawrence.Reed at ...1489...
Wed Dec 10 05:18:03 EST 2003


Actually the patch came from Dan Roelker at SourceFire.  I believe he is 
testing it for inclusion in the upcoming 2.1 release.  It is related to 
some specific attribute of rules, in my case the following rule caused 
the loop:

alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP CWD overflow attempt"; flow:to_server,established; content:"CWD "; nocase; content:!"|0a|"; reference:cve,CAN-2000-1035; reference:cve,CAN-2000-1194; reference:cve,CAN-2002-0126; classtype:attempted-admin; sid:1919; rev:3; within:150; dsize:>150;)

First, I know the within parameter is in the wrong place (don't ask how 
that happened).  However, that was not the problem.  The problem was 
related to the dsize option.

Any more details will have to come from Dan.


Jim Cervantes wrote:

>Lawrence,
>
>Thanks very much for the patch.  I have confirmed with gdb that my sensors
>are looping in the region of code modified by your patch, so I'm hopeful it
>will alleviate the problem.  Before I apply the patch I was hoping to get an
>understanding of just what caused my sensors to be vulnerable to this bug.
>Does the problem occur in response to a specific way a rule is constructed?
>
>Thanks again!
>
>Jim
>


-- 
Larry Reed  Lawrence.Reed at ...1489...
NOAA IT Security Office
PGP Public Key:  http://search.keyserver.net:11371/pks/lookup?op=get&search=0x7A998772
