[Snort-users] OpenBSD IPsec DoS signature

Kris Kennaway kris at ...593...
Fri Oct 6 23:23:06 EDT 2000

On Fri, Oct 06, 2000 at 03:37:57PM -0700, Dragos Ruiu wrote:

> I wanted to write a sig for it, but testing out which port causes the crash is
> err... painful.  The culprit is an IP packet with an empty payload, has anyone
> nailed down the port to narrower (pref single) value/range? My first guess
> is isakmp/500 but I happen to use OpenBSD for the boxes I like to keep 
> running and count on and I'm not up to more syscrashes just yet...

nmap -sO is an IP protocol scan... it doesn't use ports (except for the
special case of protocols 6 and 17 :)

The OpenBSD bug was a crash on whatever type of packet -sO likes to
send of protocol 50 or 51 (i.e. not a valid ESP/AH packet).
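
Added example, not part of the original message: a Python sketch of the check a signature for this would make, keyed on the IP protocol number (50/51) rather than a port, flagging packets whose payload is too short to hold an ESP or AH header. The minimum header sizes are assumptions taken from the ESP/AH specifications, the function names are hypothetical, and the sample packets are constructed.

```python
import socket
import struct

# Smallest well-formed header per protocol: ESP = SPI + sequence number,
# AH = fixed fields before the ICV (sizes assumed from the ESP/AH specs).
MIN_HEADER = {50: ("ESP", 8), 51: ("AH", 12)}


def check_packet(pkt: bytes):
    """Return an alert string for an ESP/AH packet too short to be valid."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None                          # not IPv4 or truncated capture
    ihl = (pkt[0] & 0x0F) * 4
    total_len, = struct.unpack("!H", pkt[2:4])
    frag, = struct.unpack("!H", pkt[6:8])
    proto = pkt[9]
    if proto not in MIN_HEADER or ihl < 20 or total_len < ihl:
        return None
    if frag & 0x1FFF:                        # later fragment: no IPsec header here
        return None
    name, need = MIN_HEADER[proto]
    payload_len = max(0, min(total_len, len(pkt)) - ihl)
    if payload_len >= need:
        return None
    src, dst = socket.inet_ntoa(pkt[12:16]), socket.inet_ntoa(pkt[16:20])
    return (f"{src} -> {dst}: IP proto {proto} ({name}) with "
            f"{payload_len}-byte payload, needs >= {need}")


def sample_ipv4(proto: int, payload: bytes = b"") -> bytes:
    """Constructed sample input: bare 20-byte IPv4 header plus payload."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0,
                       64, proto, 0, socket.inet_aton("192.0.2.10"),
                       socket.inet_aton("192.0.2.20")) + payload


if __name__ == "__main__":
    for pkt in (sample_ipv4(50), sample_ipv4(51), sample_ipv4(50, bytes(8)),
                sample_ipv4(6)):
        print(check_packet(pkt) or "ok")
```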


