[Snort-sigs] SID 4638

trains trains at ...2395...
Fri Jun 1 15:36:45 EDT 2007

Quoting Paul Schmehl <pauls at ...1311...>:

> I'm trying to figure out what the exploit is for this rule, and the
> FrSIRT "explanation" is a bit of a headscratcher.
> Here's the rule:
> alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"EXPLOIT RSVP Protocol
> zero length object DoS attempt"; content:"|01|"; depth:1; offset:11;
> byte_test:1,<,4,13; pcre:"/^.{10}[\x14\x15]\x01.{1}[\x00-\x03]/sm";
> reference:url,www.frsirt.com/english/advisories/2005/0411;
> classtype:attempted-dos; sid:4638; rev:3; )

It seems to me that to exploit this flaw, the victim would have to be  
running tcpdump on a router that is running RSVP or possibly sniffing  
the traffic between two routers running RSVP.

Then by engineering some special RSVP traffic out one router interface  
the aggressor could crash tcpdump on the other router or on the  
network monitoring device.

It does seem like a bit of a stretch for a small payoff (crash the  
tcpdump process).  I suspect if I own one of your routers, you have a  
way bigger problem than if I decide to crash your network monitor.

I would be inclined to call it a bad rule.  Can you post the packet  
traces that are causing it to fire off?


Email solutions, MS Exchange alternatives and extrication,
security services, systems integration.
Contact:    services at ...2395...
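As an added illustration (not part of this thread, and not Snort's or tcpdump's own code), the following Python transcribes the three tests of SID 4638 and applies them to constructed RSVP payloads, so the rule's fixed offsets can be read against the RSVP wire format: an 8-byte common header (RFC 2205) followed by objects with a 4-byte Length/Class-Num/C-Type header, and the 4-byte object header of an EXPLICIT_ROUTE or ROUTE_RECORD object followed by subobjects whose second byte is the subobject length (RFC 3209). Reading the PCRE's 0x14/0x15 as those two class numbers is my interpretation of the rule, not something the rule text states. For an "alert ip" rule Snort's content/byte_test offsets count from the start of the IP payload, which is what the functions take as input. All packets below are constructed, not captured traffic.

```python
import re
import struct

# RSVP common header (RFC 2205 3.1.1): Vers/Flags, Msg Type, Checksum,
# Send_TTL, Reserved, RSVP Length.  Objects follow, each starting with
# Length(2) Class-Num(1) C-Type(1).  So in the IP payload byte 10 is the
# first object's Class-Num, byte 11 its C-Type, bytes 12/13 the first two
# bytes of its contents.
RSVP_HDR_LEN = 8
OBJ_HDR_LEN = 4

# Assumption: 20 and 21 are EXPLICIT_ROUTE and ROUTE_RECORD (RFC 3209).
CLASS_NAMES = {1: "SESSION", 20: "EXPLICIT_ROUTE", 21: "ROUTE_RECORD"}

# pcre:"/^.{10}[\x14\x15]\x01.{1}[\x00-\x03]/sm" from the rule, as-is.
RULE_PCRE = re.compile(rb"^.{10}[\x14\x15]\x01.{1}[\x00-\x03]", re.S | re.M)


def sid4638_matches(payload: bytes) -> bool:
    """Apply the rule's content, byte_test and pcre options to an IP payload."""
    if len(payload) < 14:
        return False
    # content:"|01|"; depth:1; offset:11  -> byte 11 (C-Type) must be 0x01
    if payload[11] != 0x01:
        return False
    # byte_test:1,<,4,13 -> the single byte at offset 13 is numerically < 4
    if not payload[13] < 4:
        return False
    # pcre: byte 10 is 0x14 or 0x15, byte 11 is 0x01, byte 13 is 0..3.
    # Snort searches the payload, so use search() rather than match().
    return RULE_PCRE.search(payload) is not None


def describe(payload: bytes) -> dict:
    """Decode the fields the rule inspects, to show why a payload fires it."""
    ver_flags, msg_type, _cksum, _ttl, _res, rsvp_len = struct.unpack(
        "!BBHBBH", payload[:RSVP_HDR_LEN])
    obj_len, class_num, ctype = struct.unpack(
        "!HBB", payload[RSVP_HDR_LEN:RSVP_HDR_LEN + OBJ_HDR_LEN])
    return {
        "version": ver_flags >> 4,
        "msg_type": msg_type,
        "rsvp_length": rsvp_len,
        "first_object": {
            "length": obj_len,
            "class": CLASS_NAMES.get(class_num, str(class_num)),
            "ctype": ctype,
            # For ERO/RRO these are the first subobject's type and length.
            "subobject_type": payload[12],
            "subobject_length": payload[13],
        },
    }


def build_rsvp_payload(msg_type: int, class_num: int, ctype: int, body: bytes) -> bytes:
    """Build an IP payload: RSVP common header plus one object (checksum 0)."""
    obj = struct.pack("!HBB", OBJ_HDR_LEN + len(body), class_num, ctype) + body
    hdr = struct.pack("!BBHBBH", 0x10, msg_type, 0, 255, 0, RSVP_HDR_LEN + len(obj))
    return hdr + obj


# Constructed samples (not captured traffic).
# 1. Path message (type 1) whose EXPLICIT_ROUTE object starts with an IPv4
#    prefix subobject (type 1) claiming length 0; padded so the object is
#    a plausible size.  A decoder that steps forward by the subobject
#    length makes no progress on such input.
CRAFTED = build_rsvp_payload(1, 20, 1, b"\x01\x00" + b"\x00" * 6)
# 2. The same object carrying a well-formed 8-byte IPv4 prefix subobject.
BENIGN_ERO = build_rsvp_payload(1, 20, 1, b"\x01\x08" + bytes([10, 0, 0, 1]) + b"\x20\x00")
# 3. Path message starting with a SESSION object (class 1, C-Type 7):
#    byte 11 is 0x07, so the content check fails before anything else.
BENIGN_SESSION = build_rsvp_payload(1, 1, 7, bytes([10, 0, 0, 2]) + b"\x11\x00\x00\x00")

if __name__ == "__main__":
    for name, pkt in (("crafted", CRAFTED), ("benign ERO", BENIGN_ERO),
                      ("benign SESSION", BENIGN_SESSION)):
        print(name, sid4638_matches(pkt), describe(pkt)["first_object"])
```

Note what the rule does not do: it only looks at the first object in the message, so the same zero-length subobject in a second or later object is not caught, and it fires on any first-object subobject length below 4 whether or not the message is otherwise well-formed.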
