[Snort-sigs] Rule documentation
alexander.s at ...1565...
Fri Jun 6 05:16:23 EDT 2003
# This is a template for submitting snort signature descriptions to
# the snort.org website
# Ensure that your descriptions are your own
# and not the work of others. References in the rules themselves
# should be used for linking to other's work.
# If you are unsure of some part of a rule, use that as a commentary
# and someone else perhaps will be able to fix it.
# $Id$ 242
alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"DOS Teardrop attack";
id:242; fragbits:M; reference:cve,CAN-1999-0015;
reference:bugtraq,124; classtype:attempted-dos; sid:270; rev:2;)
Teardrop is a denial of service attack.
Affected systems may hang or crash.
Teardrop exploits a vulnerability in some TCP/IP stack implementations.
The program sends a specially crafted fragmented packet where the first
fragment has offset 0 and data length N and the second fragment has an
offset less than N (the fragments overlap). The resulting packet cannot
be properly assembled.
Systems may hang or crash.
Windows NT 4.0 SP3 and earlier
HP HPUX 10.34 and earlier
Linux kernels 2.0.31 and earlier
FreeBSD 3.0 prior to October 27, 1998
This can be done remotely against any open UDP port using a spoofed
Ease of Attack:
Tools are readily available and require little knowledge on the part of
Patches are available from all affected vendors. Newer versions from
each vendor are not vulnerable.
Rule Documentation - Steven Alexander<alexanders at ...1565...>
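
The rule above keys on IP ID 242 with the More Fragments bit set. As an added example (not part of the original post or of Snort), the sketch below checks for the overlap condition itself, a later fragment whose offset falls inside data already covered by an earlier one. The helper names, addresses and sample packets are constructed for illustration.

```python
import struct
from collections import defaultdict

IP_HDR = "!BBHHHBBH4s4s"   # fixed 20-byte IPv4 header, no options

def parse_ipv4(pkt):
    """Return (flow_key, start, end, more_fragments) for one raw IPv4 packet."""
    ver_ihl, _tos, total_len, ident, flags_off, _ttl, proto, _csum, src, dst = \
        struct.unpack(IP_HDR, pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    start = (flags_off & 0x1FFF) * 8      # fragment offset is stored in 8-byte units
    end = start + (total_len - ihl)       # first byte past this fragment's data
    more = bool(flags_off & 0x2000)       # MF (More Fragments) bit
    return (src, dst, proto, ident), start, end, more

def find_overlaps(packets):
    """Return (ip_id, earlier_range, later_range) for each overlapping fragment pair."""
    seen = defaultdict(list)              # reassembly key -> byte ranges seen so far
    hits = []
    for pkt in packets:
        key, start, end, more = parse_ipv4(pkt)
        if start == 0 and not more:
            continue                      # unfragmented datagram
        for s, e in seen[key]:
            if start < e and s < end:     # byte ranges intersect
                hits.append((key[3], (s, e), (start, end)))
        seen[key].append((start, end))
    return hits

def make_fragment(ident, offset_units, more, payload_len, proto=17):
    """Build a constructed sample fragment (documentation addresses, zero payload)."""
    flags_off = (0x2000 if more else 0) | offset_units
    hdr = struct.pack(IP_HDR, 0x45, 0, 20 + payload_len, ident, flags_off,
                      64, proto, 0, bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7]))
    return hdr + b"\x00" * payload_len

# Constructed sample traffic: one overlapping pair, one normal pair.
SAMPLE = [
    make_fragment(242, 0, True, 36),      # offset 0, N = 36 bytes of data
    make_fragment(242, 3, False, 4),      # offset 24 < N: overlaps the first
    make_fragment(1000, 0, True, 32),     # normal first fragment
    make_fragment(1000, 4, False, 16),    # offset 32 == N: contiguous, no overlap
]

if __name__ == "__main__":
    for ip_id, first, second in find_overlaps(SAMPLE):
        print(f"overlap in IP ID {ip_id}: {second} falls inside {first}")
```
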