[Snort-sigs] Rule documentation

Steven Alexander alexander.s at ...1565...
Fri Jun 6 05:16:23 EDT 2003

# This is a template for submitting snort signature descriptions to
# the snort.org website
# Ensure that your descriptions are your own
# and not the work of others.  References in the rules themselves
# should be used for linking to other's work. 
# If you are unsure of some part of a rule, use that as a commentary
# and someone else perhaps will be able to fix it.
# $Id$ 242


alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"DOS Teardrop attack";
id:242; fragbits:M; reference:cve,CAN-1999-0015;
reference:bugtraq,124; classtype:attempted-dos; sid:270; rev:2;) 

Sid: 270


Teardrop is a denial of service attack.

Affected systems may hang or crash.

Detailed Information:  

Teardrop exploits a vulnerability in some TCP/IP stack implementations.

The program sends a specially crafted fragmented packet where the first
fragment has offset 0 and data length N and the second fragment has an
offset less than N (the fragments overlap).  The resulting packet cannot
be properly assembled.

Systems may hang or crash.

Affected Systems:

Windows 95
Windows NT 4.0 SP3 and earlier
HP HPUX 10.34 and earlier
Linux kernels 2.0.31 and earlier
FreeBSD 3.0 prior to October 27, 1998

Attack Scenarios:

This can be done remotely against any open UDP port using a spoofed

Ease of Attack:

Tools are readily available and require little knowledge on the part of
the attacker.

False Positives:

None known.

False Negatives:

None known.

Corrective Action:

Patches are available from all affected vendors.  Newer versions from
each vendor are not vulnerable.

Rule Documentation - Steven Alexander <alexanders at ...1565...>

Additional References:


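The overlap condition described under Detailed Information, as an added example that is not part of the original post and is not Snort code: the rule above matches IP ID 242 with the more-fragments bit set, while this sketch tests the overlap itself by comparing the byte ranges of fragments that belong to the same datagram. The function names, sample addresses and fragment sizes are assumptions made for the illustration.

```python
import struct

IP_HDR = "!BBHHHBBH4s4s"   # fixed 20-byte IPv4 header

def parse_fragment(pkt):
    """Return (datagram key, MF flag, first data byte, one past last data byte)."""
    vihl, _, total_len, ip_id, flags_off, _, proto, _, src, dst = \
        struct.unpack(IP_HDR, pkt[:20])
    start = (flags_off & 0x1FFF) * 8             # offset field counts 8-byte units
    end = start + total_len - (vihl & 0x0F) * 4  # data length = total - header
    return (src, dst, proto, ip_id), bool(flags_off & 0x2000), start, end

def find_overlaps(packets):
    """List (key, new_range, earlier_range) for fragments that overlap."""
    seen, hits = {}, []
    for pkt in packets:
        key, more, start, end = parse_fragment(pkt)
        if not more and start == 0:
            continue                             # not a fragment at all
        for s, e in seen.get(key, []):
            if start < e and s < end:            # ranges intersect (duplicates too)
                hits.append((key, (start, end), (s, e)))
        seen.setdefault(key, []).append((start, end))
    return hits

def _sample(ip_id, offset, data_len, more):
    """Constructed header plus zero-filled data; addresses are documentation ranges."""
    flags_off = (0x2000 if more else 0) | (offset // 8)
    hdr = struct.pack(IP_HDR, 0x45, 0, 20 + data_len, ip_id, flags_off, 64, 17, 0,
                      bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7]))
    return hdr + bytes(data_len)

# Constructed input: second fragment starts at 24, inside the first one's 0..36.
OVERLAPPING = [_sample(242, 0, 36, True), _sample(242, 24, 4, False)]
# Constructed input: a normally fragmented 2000-byte datagram.
NORMAL = [_sample(7, 0, 1480, True), _sample(7, 1480, 520, False)]

if __name__ == "__main__":
    for key, new, old in find_overlaps(OVERLAPPING + NORMAL):
        print("overlap: id=%d new=%s earlier=%s" % (key[3], new, old))
```

Because the check compares byte ranges rather than a fixed IP ID, it also flags retransmitted duplicate fragments, which a deployment would need to tolerate or filter.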