[Snort-devel] Snort 2.0.5 hang/infinte loop
Lawrence.Reed at ...1489...
Wed Dec 10 05:18:03 EST 2003
Actually the patch came from Dan Roelker at SourceFire. I believe he is
testing it for inclusion in the upcoming 2.1 release. It is related to
some specific attribute of rules, in my case the following rule caused
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP CWD overflow
attempt"; flow:to_server,established; content:"CWD "; nocase;
classtype:attempted-admin; sid:1919; rev:3; within:150; dsize:>150;)
First, I know the within parameter is in the wrong place ( don't ask how
that happened). However that was not the problem. The problem was
related to the dsize option.
Any more details will have to come from Dan.
Jim Cervantes wrote:
>Thanks very much for the patch. I have confirmed with gdb that my sensors
>are looping in the region of code modified by your patch, so I'm hopeful it
>will alleviate the problem. Before I apply the patch I was hoping to get an
>understanding of just what caused my sensors to be vulnerable to this bug.
>Does the problem occur in response to a specific way a rule is constructed?
Larry Reed Lawrence.Reed at ...1489...
NOAA IT Security Office
PGP Public Key: http://search.keyserver.net:11371/pks/lookup?op=get&search=0x7A998772
More information about the Snort-devel