[Snort-users] Snort Advisory - Security Bit Mitigation

Brian bmc at ...950...
Tue Apr 1 05:21:33 EST 2003

Snort Advisory

Evil Packet Mitigation 

Date: April 1, 2003


The Snort Research Team has learned of a flaw in the alerting mechanism in
the Snort IP decoder.  The Snort IP decoder does not properly check the 
Evil Bit as defined in RFC 3514.  The Snort IP decoder incorrectly processes
traffic that does not have malicious intent and can cause false positives.


The Snort IP decoder flaw may lead to a denial of service (DoS) against the
analyst: Snort floods the console with alarms for traffic that would have been
actual attacks had the evil bit been set, but which was in fact normal traffic.
In its default configuration, Snort is vulnerable to this attack.

Affected Versions:

All versions of Snort prior to 2.0


Adding the following BPF filter to the snort command-line will mitigate the
risk of a DoS of analysts:

   ip[6] & 0x80 != 0

This mitigation does not take into account the required random number
generator as defined in RFC 3514, which decides holistically whether the
packet in question is of malicious intent.  Future versions of Snort will
properly handle the evil bit and only generate alerts based on multiple
random number generators as defined in RFC 3514.
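The BPF expression above tests the high bit of IPv4 header byte 6, which is the
reserved flag bit that RFC 3514 repurposes as the evil bit (the other two bits
in that nibble are DF and MF, followed by the fragment offset).  The following
is an added example, not code from this advisory or from the Snort project: it
decodes that flags/fragment-offset field from raw IPv4 headers and applies the
same `ip[6] & 0x80 != 0` test in Python.  The two sample headers are constructed
for the example; the function names are this example's own.

```python
import struct

# Constructed 20-byte IPv4 header (no options) for a benign packet.
# Byte 6 carries the three flag bits in its top three bits:
#   0x80 reserved ("evil" bit per RFC 3514), 0x40 DF, 0x20 MF.
BENIGN_HEADER = bytes([
    0x45, 0x00, 0x00, 0x3c,   # version 4 / IHL 5, DSCP/ECN, total length 60
    0x1c, 0x46, 0x40, 0x00,   # identification, flags = DF only, fragment offset 0
    0x40, 0x06, 0x00, 0x00,   # TTL 64, protocol 6 (TCP), checksum left zeroed
    10, 0, 0, 1,              # source address 10.0.0.1 (constructed)
    10, 0, 0, 2,              # destination address 10.0.0.2 (constructed)
])

# Same header with the reserved/evil bit set in addition to DF (constructed).
EVIL_HEADER = BENIGN_HEADER[:6] + bytes([0x80 | 0x40]) + BENIGN_HEADER[7:]


def evil_bit_set(packet: bytes) -> bool:
    """Python equivalent of the BPF filter 'ip[6] & 0x80 != 0'.

    Raises ValueError on anything that is not at least a full IPv4 header,
    so a truncated capture cannot be silently classified as benign.
    """
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    if packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    return (packet[6] & 0x80) != 0


def decode_flags(packet: bytes) -> dict:
    """Decode the 16-bit flags/fragment-offset field starting at byte 6."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    (flags_frag,) = struct.unpack_from("!H", packet, 6)
    return {
        "evil": bool(flags_frag & 0x8000),          # bit 0: reserved / evil
        "df": bool(flags_frag & 0x4000),            # bit 1: don't fragment
        "mf": bool(flags_frag & 0x2000),            # bit 2: more fragments
        "fragment_offset": flags_frag & 0x1FFF,     # remaining 13 bits
    }


def filter_packets(packets):
    """Return only the packets the BPF filter would hand to Snort."""
    return [p for p in packets if evil_bit_set(p)]


if __name__ == "__main__":
    for name, pkt in (("benign", BENIGN_HEADER), ("evil", EVIL_HEADER)):
        print(name, decode_flags(pkt), "passes filter:", evil_bit_set(pkt))
```

Run it directly to see both headers decoded; the benign header shows only DF
set and is dropped by the filter, while the evil header is the only one
`filter_packets` keeps.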


RFC 3514 - The Security Flag in the IPv4 Header


Snort Research Team
