[Snort-devel] [Snort-users] Snort 2.20 Denial Of Service Exploit

nnposter nnposter at ...64...
Thu Dec 23 18:35:01 EST 2004


"M. Shirk" <shirkdog_list at ...445...> wrote
> I have not verified this, but saw it before leaving the house this morning. 
> This is from http://isc.incidents.org
> 
> Snort 2.20 Denial of Service exploit posted
> 
> K-OTik notified us of this exploit for Snort 2.2 and 
> earlier:http://www.k-otik.com/exploits/20041222.angelDust.c.php
> 
> It will core dump a running Snort process with a specially crafted packed. 
> The recommended fix is to upgrade to Snort 2.3 RC1 or better which various 
> handlers have reported is stable. This particular exploit works with 
> Linux-based distributions, but not BSD-based. (We tried RHEL3, Debian, and 
> OpenBSD).

FWIW, my experience is that the exploit packet with TCP options 0x0600ffff will crash snort 2.1.3 in the sniffer mode (-v) but not in the IDS mode (at least with my configuration file). The logged event is 116:55:1 (snort_decoder): Truncated Tcp Options.

Cheers,
nnposter




More information about the Snort-devel mailing list