[Snort-sigs] Rule Documentation - teardrop correction

Steven Alexander alexander.s at ...1565...
Thu Jun 5 13:29:07 EDT 2003


I was dumb enough to typo my email address at the bottom of the rule
documentation the first time I sent it.  It should have been
'alexander.s' not 'alexanders' and is corrected below.  Sorry.

-steven alexander

# This is a template for submitting snort signature descriptions to
# the snort.org website
#
# Ensure that your descriptions are your own
# and not the work of others.  References in the rules themselves
# should be used for linking to others' work.
#
# If you are unsure of some part of a rule, use that as a commentary
# and someone else perhaps will be able to fix it.
#
# $Id$ 242
#
#

Rule:  

alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"DOS Teardrop attack";
id:242; fragbits:M; reference:cve,CAN-1999-0015;
reference:url,www.cert.org/advisories/CA-1997-28.html;
reference:bugtraq,124; classtype:attempted-dos; sid:270; rev:2;) 

--
Sid: 270

--
Summary: 

Teardrop is a denial of service attack.

--
Impact:  
Affected systems may hang or crash.

--
Detailed Information:  

Teardrop exploits a vulnerability in some TCP/IP stack implementations.

The program sends a specially crafted fragmented packet where the first
fragment has offset 0 and data length N and the second fragment has an
offset less than N (the fragments overlap).  The resulting packet cannot
be properly assembled.

Systems may hang or crash.

--
Affected Systems:

Windows 95
Windows NT 4.0 SP3 and earlier
HP HPUX 10.34 and earlier
Linux kernels 2.0.31 and earlier
FreeBSD 3.0 prior to October 27, 1998

--
Attack Scenarios:

This can be done remotely against any open UDP port using a spoofed
address.
--
Ease of Attack:

Tools are readily available and require little knowledge on the part of
the attacker.
--
False Positives:

None known.
--
False Negatives:

None known.
--
Corrective Action:

Patches are available from all affected vendors.  Newer versions from
each vendor are not vulnerable.  
--
Contributors:
Rule Documentation - Steven Alexander <alexander.s at ...1565...>
-- 
Additional References:

http://www.securityfocus.com/bid/124/info/
http://www.cert.org/advisories/CA-1997-28.html
ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/old/FreeBSD-SA-98:08.fragment.asc
