[Snort-users] Snort Advisory - Security Bit Mitigation
bmc at ...950...
Tue Apr 1 05:21:33 EST 2003
Evil Packet Mitigation
Date: April 1, 2003
The Snort Research Team has learned of a flaw in the alerting mechanism of
the Snort IP decoder. The Snort IP decoder does not properly check the
Evil Bit as defined in RFC 3514, so it processes traffic that has no
malicious intent as if it did and can generate false positives.
This decoder flaw may lead to a denial of service (DoS) attack against
analysts: they are flooded with alarms on traffic that would have been
actual attacks had the evil bit been set, but that is in fact normal traffic.
In its default configuration, Snort is vulnerable to this attack.
Affected versions: all versions of Snort prior to 2.0.
Adding the following BPF filter to the snort command line will mitigate the
risk of a DoS against analysts:
ip[6] & 0x80 != 0
This mitigation does not take into account the random number generator
required by RFC 3514, which decides holistically whether the packet in
question is of malicious intent. Future versions of Snort will properly
handle the evil bit and only generate alerts based on multiple random
number generators as defined in RFC 3514.
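Below is an added worked example, not Snort code and not part of this advisory: a small Python IPv4 header decoder that validates the header and reports the RFC 3514 evil bit (the 0x80 bit of header byte 6, the bit the IPv4 spec reserves) alongside the DF/MF flags, plus the Python equivalent of the BPF mitigation filter and the partition that filter performs on a batch of packets before they reach an analyst. The packets are constructed inside the script, and every function name is this example's own.

```python
import socket
import struct

# RFC 3514 places the "evil bit" in the high-order bit of the IPv4 flags
# field, i.e. the 0x80 bit of header byte 6 (the bit IPv4 reserves).
EVIL_BIT = 0x8000  # position within the 16-bit flags + fragment-offset word
DF_BIT = 0x4000
MF_BIT = 0x2000
FRAG_MASK = 0x1FFF


def ipv4_checksum(header):
    """Standard one's-complement checksum over an IPv4 header."""
    total = 0
    for i in range(0, len(header) - 1, 2):
        total += (header[i] << 8) | header[i + 1]
    if len(header) % 2:
        total += header[-1] << 8
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src, dst, evil=False, df=False, proto=6, ttl=64,
                      ident=0x1234, payload_len=0):
    """Build a 20-byte IPv4 header (no options) with a valid checksum.
    Constructed test input for this example, not captured traffic."""
    ver_ihl = (4 << 4) | 5
    flags_frag = (EVIL_BIT if evil else 0) | (DF_BIT if df else 0)
    hdr = struct.pack("!BBHHHBBH4s4s", ver_ihl, 0, 20 + payload_len, ident,
                      flags_frag, ttl, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def decode_ipv4(pkt):
    """Decode an IPv4 header the way the advisory wants a decoder to:
    validate it, then report the evil bit next to the other flag bits."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, _tos, _total_len, ident, flags_frag, ttl, proto, _csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (ver_ihl & 0x0F) * 4
    if ihl < 20 or len(pkt) < ihl:
        raise ValueError("bad IHL")
    # A header that carries its own checksum sums to zero when intact.
    if ipv4_checksum(pkt[:ihl]) != 0:
        raise ValueError("bad header checksum")
    return {
        "src": socket.inet_ntoa(src),
        "dst": socket.inet_ntoa(dst),
        "proto": proto,
        "ttl": ttl,
        "ident": ident,
        "evil": bool(flags_frag & EVIL_BIT),
        "df": bool(flags_frag & DF_BIT),
        "mf": bool(flags_frag & MF_BIT),
        "frag_offset": flags_frag & FRAG_MASK,
    }


def bpf_evil_bit_match(pkt):
    """Python equivalent of the BPF filter 'ip[6] & 0x80 != 0'."""
    return len(pkt) > 6 and (pkt[6] & 0x80) != 0


def split_by_evil_bit(pkts):
    """Partition packets as the mitigated sensor would: only evil-bit
    packets go on to alerting; everything else is dropped first."""
    alert, drop = [], []
    for p in pkts:
        (alert if decode_ipv4(p)["evil"] else drop).append(p)
    return alert, drop


if __name__ == "__main__":
    evil = build_ipv4_header("10.0.0.1", "10.0.0.2", evil=True)
    benign = build_ipv4_header("10.0.0.1", "10.0.0.2")
    df_only = build_ipv4_header("10.0.0.1", "10.0.0.2", df=True)
    for name, p in [("evil", evil), ("benign", benign), ("df_only", df_only)]:
        print(name, decode_ipv4(p)["evil"], bpf_evil_bit_match(p))
```

The DF-only packet is included on purpose: DF is the neighbouring bit (0x40) in the same byte, so it shows that the mask really selects the reserved bit and not the whole flags field.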
Reference: RFC 3514 - The Security Flag in the IPv4 Header
Snort Research Team