[Snort-sigs] SID 4638
pauls at ...1311...
Fri Jun 1 14:37:14 EDT 2007
I'm trying to figure out what the exploit is for this rule, and the FrSIRT
"explanation" is a bit of a headscratcher.
Here's the rule:
alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"EXPLOIT RSVP Protocol zero length object DoS attempt"; content:"|01|"; depth:1; offset:11; classtype:attempted-dos; sid:4638; rev:3; )
Here's FrSIRT's explanation of the vulnerability:
"A new vulnerability was identified in tcpdump, which may be exploited by
attackers to conduct a denial of service. This flaw resides in the
"rsvp_print()" function and occurs when decoding specially crafted Resource
ReSerVation Protocol (RSVP) packets, which may be exploited to crash a
I don't have access to the exploit code, so I can't see exactly what it
does, but I'm thinking that for this to work remotely tcpdump must be
running on the target box, right? That seems like a bit of a crap shoot to
me, yet we're getting some alerts on this, meaning that it's being actively
launched on the internet. The src IPs and ports and dst IPs and ports are
all over the map, making it look like a botnet-generated attack against a
broad range of hosts.
Paul Schmehl (pauls at ...1311...)
Senior Information Security Analyst
The University of Texas at Dallas
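An added example (not part of the original post, and not Sourcefire/Snort code) for working out what the rule above actually inspects. It parses an RSVP message using the RFC 2205 layout (8-byte common header, then objects each starting with a 4-byte header: 16-bit length, 8-bit Class-Num, 8-bit C-Type), flags the "zero length object" condition named in the rule's msg, and emulates the rule's single content check (`content:"|01|"; depth:1; offset:11;`). It assumes that for an `ip` protocol rule Snort's offset 0 is the first byte of the IP payload, i.e. the RSVP common header, so offset 11 lands on the C-Type of the first object. Both packets are constructed here for illustration, not captured traffic.

```python
import struct

RSVP_HDR_LEN = 8   # RFC 2205 common header: Vers/Flags, MsgType, Checksum, Send_TTL, Reserved, Length
OBJ_HDR_LEN = 4    # RFC 2205 object header: Length(16), Class-Num(8), C-Type(8)


def parse_rsvp(payload):
    """Walk an RSVP message (IP payload, protocol 46) object by object.

    Returns (header, objects, problems). A zero-length object is recorded as a
    problem and the walk stops, because advancing by zero bytes is exactly the
    kind of thing that makes a naive decoder spin forever.
    """
    if len(payload) < RSVP_HDR_LEN:
        return None, [], ["truncated common header"]
    vf, msg_type, _cksum, send_ttl, _res, length = struct.unpack("!BBHBBH", payload[:RSVP_HDR_LEN])
    header = {"version": vf >> 4, "flags": vf & 0xF, "msg_type": msg_type,
              "send_ttl": send_ttl, "length": length}
    objects, problems = [], []
    pos = RSVP_HDR_LEN
    end = min(length, len(payload))
    while pos < end:
        if end - pos < OBJ_HDR_LEN:
            problems.append("truncated object header at offset %d" % pos)
            break
        obj_len, class_num, ctype = struct.unpack("!HBB", payload[pos:pos + OBJ_HDR_LEN])
        objects.append({"offset": pos, "length": obj_len, "class_num": class_num, "ctype": ctype})
        if obj_len < OBJ_HDR_LEN:
            problems.append("object at offset %d has length %d (< %d): decoder would not advance"
                            % (pos, obj_len, OBJ_HDR_LEN))
            break
        pos += obj_len
    return header, objects, problems


def has_zero_length_object(payload):
    """True if any object header in the message carries a length of 0."""
    _hdr, objects, _problems = parse_rsvp(payload)
    return any(o["length"] == 0 for o in objects)


def sid4638_matches(payload):
    """Emulate the rule's only content check: byte 0x01 at offset 11 of the IP payload.

    Assumption: Snort's content buffer for an `ip` rule starts at the IP payload.
    """
    return len(payload) > 11 and payload[11] == 0x01


def rsvp_message(obj_length):
    """Constructed RSVP Path message with one SESSION object (Class-Num 1, C-Type 1 = IPv4/UDP).

    The object body is 8 bytes: dest address, protocol id, flags, dest port, so a
    well-formed object length is 12; passing 0 builds the malformed variant.
    """
    body = bytes([10, 0, 0, 1]) + struct.pack("!BBH", 17, 0, 5000)   # constructed values
    obj = struct.pack("!HBB", obj_length, 1, 1) + body
    total = RSVP_HDR_LEN + OBJ_HDR_LEN + len(body)
    hdr = struct.pack("!BBHBBH", 0x10, 1, 0, 255, 0, total)          # version 1, Path, TTL 255
    return hdr + obj


GOOD_PATH = rsvp_message(12)          # well-formed
ZERO_LEN_OBJECT = rsvp_message(0)     # object header claims length 0


if __name__ == "__main__":
    for name, pkt in (("good", GOOD_PATH), ("zero-length object", ZERO_LEN_OBJECT)):
        hdr, objs, probs = parse_rsvp(pkt)
        print(name, "-> objects:", objs, "problems:", probs,
              "sid4638 match:", sid4638_matches(pkt))
```

Running it shows that the rule's one-byte check fires on the well-formed Path message as well as the zero-length one: anything whose first object has C-Type 1 satisfies `content:"|01|"; offset:11; depth:1;`, and the object length field at offsets 8 and 9 is never examined. `has_zero_length_object()` is the check that actually corresponds to the condition in the rule's message text, which is worth keeping in mind when deciding how much weight to give these alerts.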