[Snort-users] Cert Advisory and now no SNMP traps.

larosa, vjay larosa_vjay at ...3331...
Thu Apr 17 11:45:07 EDT 2003

Well I have to say this sucks. Now those of us that rely on SNMP traps
are forced to upgrade to snort 2.0 and will lose our NMS integrations.

Anyway, I am going to write a program to select events of interest from
A Mysql database and will send SNMP traps to the NMS on behalf of snort.
I will post to the list in the next week or so when it is done. I will give
the perl Code to anybody who is interested in it.


-----Original Message-----
From: James-lists [mailto:hackerwacker at ...3784...] 
Sent: Thursday, April 17, 2003 1:50 PM
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] Fw: CERT Advisory CA-2003-13 Multiple Vulnerabilities
in Snort Preprocessors

----- Original Message ----- 
From: "CERT Advisory" <cert-advisory at ...241...>
To: <cert-advisory at ...241...>
Sent: Thursday, April 17, 2003 9:29 AM
Subject: CERT Advisory CA-2003-13 Multiple Vulnerabilities in Snort

: CERT Advisory CA-2003-13 Multiple Vulnerabilities in Snort Preprocessors
:    Original release date: April 17, 2003
:    Last revised: --
:    Source: CERT/CC
:    A complete revision history can be found at the end of this file.
: Systems Affected
:      * Snort IDS, versions 1.8 through 2.0 RC1
: Overview
:    There are two vulnerabilities in the Snort Intrusion Detection System,
:    each  in  a  separate  preprocessor module. Both vulnerabilities allow
:    remote  attackers to execute arbitrary code with the privileges of the
:    user running Snort, typically root.
: I. Description
:    The   Snort  intrusion  detection  system  ships  with  a  variety  of
:    preprocessor  modules  that  allow  the  user  to  selectively include
:    additional    functionality.    Researchers   from   two   independent
:    organizations have discovered vulnerabilities in two of these modules,
:    the  RPC  preprocessor  and  the  "stream4"  TCP  fragment  reassembly
:    preprocessor.
:    For additional information regarding Snort, please see
:      http://www.snort.org/.
:    VU#139129 - Heap overflow in Snort "stream4" preprocessor
:    Researchers  at  CORE Security Technologies have discovered a remotely
:    exploitable  heap overflow in the Snort "stream4" preprocessor module.
:    This  module  allows  Snort  to  reassemble  TCP  packet fragments for
:    further analysis.
:    To  exploit  this  vulnerability,  an  attacker must disrupt the state
:    tracking  mechanism  of the preprocessor module by sending a series of
:    packets  with  crafted  sequence  numbers.  This  causes the module to
:    bypass a check for buffer overflow attempts and allows the attacker to
:    insert arbitrary code into the heap.
:    For additional information, please read the Core Security Technologies
:    Advisory located at
:      http://www.coresecurity.com/common/showdoc.php?idx=313&idxseccion=10
:    This  vulnerability affects Snort versions 1.8.x, 1.9.x, and 2.0 prior
:    to  RC1. Snort has published an advisory regarding this vulnerability;
:    it is available at
:      http://www.snort.org/advisories/snort-2003-04-16-1.txt.
:    VU#916785 - Buffer overflow in Snort RPC preprocessor (CAN-2003-0033)
:    Researchers  at  Internet  Security  Systems  (ISS)  have discovered a
:    remotely  exploitable  buffer  overflow  in the Snort RPC preprocessor
:    module.  Martin  Roesch,  primary  developer  for Snort, described the
:    vulnerability as follows:
:      When the RPC decoder normalizes fragmented RPC records, it
:      incorrectly checks the lengths of what is being normalized against
:      the current packet size, leading to an overflow condition. The RPC
:      preprocessor is enabled by default.
:    For  additional  information,  please  read  the  ISS X-Force advisory
:    located at
:      http://www.iss.net/issEn/delivery/xforce/alertdetail.jsp?oid=21951
:    This  vulnerability  affects  Snort  versions  1.8.x through 1.9.1 and
:    version 2.0 Beta.
: II. Impact
:    Both  VU#139129  and  VU#916785  allow  remote  attackers  to  execute
:    arbitrary  code  with  the  privileges  of  the  user  running  Snort,
:    typically  root.  In addition, it is not necessary for the attacker to
:    know  the  IP  address of the Snort device they wish to attack; merely
:    sending  malicious  traffic  where  it  can be observed by an affected
:    Snort sensor is sufficient to exploit these vulnerabilities.
: III. Solution
: Upgrade to Snort 2.0
:    Both VU#139129 and VU#916785 are addressed in Snort version 2.0, which
:    is available at
:      http://www.snort.org/dl/snort-2.0.0.tar.gz
:    Binary-only versions of Snort are available from
:      http://www.snort.org/dl/binaries
:    For  information  from  other  vendors  that ship affected versions of
:    Snort, please see Appendix A of this document.
: Disable affected preprocessor modules
:    Sites  that  are  unable to immediately upgrade affected Snort sensors
:    may  prevent  exploitation of this vulnerability by commenting out the
:    affected preprocessor modules in the "snort.conf" configuration file.
:    To prevent exploitation of VU#139129, comment out the following line:
:      preprocessor stream4_reassemble
:    To prevent exploitation of VU#916785, comment out the following line:
:      preprocessor rpc_decode: 111 32771
:    After commenting out the affected modules, send a SIGHUP signal to the
:    affected   Snort  process  to  update  the  configuration.  Note  that
:    disabling these modules may have adverse affects on a sensor's ability
:    to correctly process RPC record fragments and TCP packet fragments. In
:    particular,  disabling  the "stream4" preprocessor module will prevent
:    the Snort sensor from detecting a variety of IDS evasion attacks.
: Block outbound packets from Snort IDS systems
:    You  may  be  able  limit  an attacker's capabilities if the system is
:    compromised  by  blocking  all outbound traffic from the Snort sensor.
:    While   this   workaround   will   not  prevent  exploitation  of  the
:    vulnerability,  it  may  make  it  more  difficult for the attacker to
:    create a useful exploit.
: Appendix A. - Vendor Information
:    This  appendix  contains  information  provided  by  vendors  for this
:    advisory.  As  vendors  report new information to the CERT/CC, we will
:    update this section and note the changes in our revision history. If a
:    particular  vendor  is  not  listed  below, we have not received their
:    comments.
: Apple Computer, Inc.
:    Snort is not shipped with Mac OS X or Mac OS X Server.
: Ingrian Networks
:    Ingrian  Networks  products  are  not  susceptible  to  VU#139129  and
:    VU#916785 since they do not use Snort.
:    Ingrian  customers  who  are  using the IDS Extender Service Engine to
:    mirror  cleartext  data  to a Snort-based IDS should upgrade their IDS
:    software.
: NetBSD
:    NetBSD does not include snort in the base system.
:    Snort  is  available from the 3rd party software system, pkgsrc. Users
:    who  have  installed  net/snort,  net/snort-mysql  or  net/snort-pgsql
:    should  update  to a fixed version. pkgsrc/security/audit-packages can
:    be used to keep up to date with these types of issues.
: Red Hat Inc.
:    Not  vulnerable.  Red  Hat does not ship Snort in any of our supported
:    products.
:    SGI does not ship snort as part of IRIX.
: Snort
:    Snort  2.0 has undergone an external third party professional security
:    audit funded by Sourcefire.
:      _________________________________________________________________
:    The  CERT/CC  acknowledges  Bruce Leidl, Juan Pablo Martinez Kuhn, and
:    Alejandro David Weil of Core Security Technologies for their discovery
:    of  VU#139129.  We  also  acknowledge  Mark Dowd and Neel Mehta of ISS
:    X-Force for their discovery of VU#916785.
:      _________________________________________________________________
:    Authors: Jeffrey P. Lanza and Cory F. Cohen.
:    ______________________________________________________________________
:    This document is available from:
:    http://www.cert.org/advisories/CA-2003-13.html
:    ______________________________________________________________________
: CERT/CC Contact Information
:    Email: cert at ...241...
:           Phone: +1 412-268-7090 (24-hour hotline)
:           Fax: +1 412-268-6989
:           Postal address:
:           CERT Coordination Center
:           Software Engineering Institute
:           Carnegie Mellon University
:           Pittsburgh PA 15213-3890
:           U.S.A.
:    CERT/CC   personnel   answer  the  hotline  08:00-17:00  EST(GMT-5)  /
:    EDT(GMT-4)  Monday  through  Friday;  they are on call for emergencies
:    during other hours, on U.S. holidays, and on weekends.
: Using encryption
:    We  strongly  urge you to encrypt sensitive information sent by email.
:    Our public PGP key is available from
:    http://www.cert.org/CERT_PGP.key
:    If  you  prefer  to  use  DES,  please  call the CERT hotline for more
:    information.
: Getting security information
:    CERT  publications  and  other security information are available from
:    our web site
:    http://www.cert.org/
:    To  subscribe  to  the CERT mailing list for advisories and bulletins,
:    send  email  to majordomo at ...7510... Please include in the body of your
:    message
:    subscribe cert-advisory
:    *  "CERT"  and  "CERT  Coordination Center" are registered in the U.S.
:    Patent and Trademark Office.
:    ______________________________________________________________________
:    Any  material furnished by Carnegie Mellon University and the Software
:    Engineering  Institute  is  furnished  on  an  "as is" basis. Carnegie
:    Mellon University makes no warranties of any kind, either expressed or
:    implied  as  to  any matter including, but not limited to, warranty of
:    fitness  for  a  particular purpose or merchantability, exclusivity or
:    results  obtained from use of the material. Carnegie Mellon University
:    does  not  make  any warranty of any kind with respect to freedom from
:    patent, trademark, or copyright infringement.
:      _________________________________________________________________
:    Conditions for use, disclaimers, and sponsorship information
:    Copyright 2003 Carnegie Mellon University.
:    Revision History
: April 17, 2003:  Initial release
: Version: PGP 6.5.8
: iQCVAwUBPp7GWGjtSoHZUTs5AQGmlAP+MWnegmA1Qft9AenH7xefffpEDVGDT+sl
: T4iljwl/ySozE962r40mL4KCszZDPdwRW/MyMA7ZcFaoWbiZc/QrEhTa4A/YYJWC
: A4kL1cEnM/LiQ7yYBSnJ6DIWDTo+M1PUS9so02M6a0f0e4jpzXZDJ5HmPDdo/aPq
: NW70cU8gbgs=
: =Vs2Q

This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
Snort-users mailing list
Snort-users at lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
Snort-users list archive:

More information about the Snort-users mailing list