[Snort-sigs] Rule Documentation - teardrop correction

Steven Alexander alexander.s at ...1565...
Thu Jun 5 13:29:07 EDT 2003

I was dumb enough to typo my email address at the bottom of the rule
documentation the first time I sent it.  It should have been
'alexander.s' not 'alexanders' and is corrected below.  Sorry.

-steven alexander

# This is a template for submitting snort signature descriptions to #
the snort.org website # # Ensure that your descriptions are your own #
and not the work of others.  References in the rules themselves # should
be used for linking to other's work. 
# If you are unsure of some part of a rule, use that as a commentary #
and someone else perhaps will be able to fix it. # 
# $Id$ 242


alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"DOS Teardrop attack";
id:242; fragbits:M; reference:cve,CAN-1999-0015;
reference:bugtraq,124; classtype:attempted-dos; sid:270; rev:2;) 

Sid: 270


Teardrop is a denial of service attack.

Affected systems may hang or crash.

Detailed Information:  

Teardrop exploits a vulnerability  in some TCP/IP stack implementations.

The program sends a specially crafted fragmented packet where the first 
fragment has offset 0 and data length N and the second fragment has an
offset less than N (The fragments overlap).  The resulting packet cannot

be properly assembled.

Systems may hang or crash.

Affected Systems:

Windows 95
Windows NT 4.0 SP3 and earlier
HP HPUX 10.34 and earlier
Linux kernels 2.0.31 and earlier
FreeBSD 3.0 prior to October 27, 1998

Attack Scenarios:

The can be done remotely against any open UDP port using a spoofed
Ease of Attack:

Tools are readily available and require little knowledge on the part of
the attacker.
False Positives:

None known.
False Negatives:

None known.
Corrective Action:

Patches are available from all affected vendors.  Newer versions from
each vendor are not vulnerable.  
Rule Documentation - Steven Alexander<alexander.s at ...1565...>
Additional References:


More information about the Snort-sigs mailing list