[Snort-users] Cert Advisory and now no SNMP traps.
larosa_vjay at ...3331...
Thu Apr 17 11:45:07 EDT 2003
Well I have to say this sucks. Now those of us that rely on SNMP traps
are forced to upgrade to snort 2.0 and will lose our NMS integrations.
Anyway, I am going to write a program to select events of interest from
a MySQL database and will send SNMP traps to the NMS on behalf of snort.
I will post to the list in the next week or so when it is done. I will give
the Perl code to anybody who is interested in it.
From: James-lists [mailto:hackerwacker at ...3784...]
Sent: Thursday, April 17, 2003 1:50 PM
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] Fw: CERT Advisory CA-2003-13 Multiple Vulnerabilities in Snort Preprocessors
----- Original Message -----
From: "CERT Advisory" <cert-advisory at ...241...>
To: <cert-advisory at ...241...>
Sent: Thursday, April 17, 2003 9:29 AM
Subject: CERT Advisory CA-2003-13 Multiple Vulnerabilities in Snort
: -----BEGIN PGP SIGNED MESSAGE-----
: CERT Advisory CA-2003-13 Multiple Vulnerabilities in Snort Preprocessors
: Original release date: April 17, 2003
: Last revised: --
: Source: CERT/CC
: A complete revision history can be found at the end of this file.
: Systems Affected
: * Snort IDS, versions 1.8 through 2.0 RC1
: There are two vulnerabilities in the Snort Intrusion Detection System,
: each in a separate preprocessor module. Both vulnerabilities allow
: remote attackers to execute arbitrary code with the privileges of the
: user running Snort, typically root.
: I. Description
: The Snort intrusion detection system ships with a variety of
: preprocessor modules that allow the user to selectively include
: additional functionality. Researchers from two independent
: organizations have discovered vulnerabilities in two of these modules,
: the RPC preprocessor and the "stream4" TCP fragment reassembly
: For additional information regarding Snort, please see
: VU#139129 - Heap overflow in Snort "stream4" preprocessor
: Researchers at CORE Security Technologies have discovered a remotely
: exploitable heap overflow in the Snort "stream4" preprocessor module.
: This module allows Snort to reassemble TCP packet fragments for
: further analysis.
: To exploit this vulnerability, an attacker must disrupt the state
: tracking mechanism of the preprocessor module by sending a series of
: packets with crafted sequence numbers. This causes the module to
: bypass a check for buffer overflow attempts and allows the attacker to
: insert arbitrary code into the heap.
: For additional information, please read the Core Security Technologies
: Advisory located at
: This vulnerability affects Snort versions 1.8.x, 1.9.x, and 2.0 prior
: to RC1. Snort has published an advisory regarding this vulnerability;
: it is available at
: VU#916785 - Buffer overflow in Snort RPC preprocessor (CAN-2003-0033)
: Researchers at Internet Security Systems (ISS) have discovered a
: remotely exploitable buffer overflow in the Snort RPC preprocessor
: module. Martin Roesch, primary developer for Snort, described the
: vulnerability as follows:
: When the RPC decoder normalizes fragmented RPC records, it
: incorrectly checks the lengths of what is being normalized against
: the current packet size, leading to an overflow condition. The RPC
: preprocessor is enabled by default.
: For additional information, please read the ISS X-Force advisory
: located at
: This vulnerability affects Snort versions 1.8.x through 1.9.1 and
: version 2.0 Beta.
: II. Impact
: Both VU#139129 and VU#916785 allow remote attackers to execute
: arbitrary code with the privileges of the user running Snort,
: typically root. In addition, it is not necessary for the attacker to
: know the IP address of the Snort device they wish to attack; merely
: sending malicious traffic where it can be observed by an affected
: Snort sensor is sufficient to exploit these vulnerabilities.
: III. Solution
: Upgrade to Snort 2.0
: Both VU#139129 and VU#916785 are addressed in Snort version 2.0, which
: is available at
: Binary-only versions of Snort are available from
: For information from other vendors that ship affected versions of
: Snort, please see Appendix A of this document.
: Disable affected preprocessor modules
: Sites that are unable to immediately upgrade affected Snort sensors
: may prevent exploitation of this vulnerability by commenting out the
: affected preprocessor modules in the "snort.conf" configuration file.
: To prevent exploitation of VU#139129, comment out the following line:
: preprocessor stream4_reassemble
: To prevent exploitation of VU#916785, comment out the following line:
: preprocessor rpc_decode: 111 32771
: After commenting out the affected modules, send a SIGHUP signal to the
: affected Snort process to update the configuration. Note that
: disabling these modules may have adverse effects on a sensor's ability
: to correctly process RPC record fragments and TCP packet fragments. In
: particular, disabling the "stream4" preprocessor module will prevent
: the Snort sensor from detecting a variety of IDS evasion attacks.
: Block outbound packets from Snort IDS systems
: You may be able to limit an attacker's capabilities if the system is
: compromised by blocking all outbound traffic from the Snort sensor.
: While this workaround will not prevent exploitation of the
: vulnerability, it may make it more difficult for the attacker to
: create a useful exploit.
: Appendix A. - Vendor Information
: This appendix contains information provided by vendors for this
: advisory. As vendors report new information to the CERT/CC, we will
: update this section and note the changes in our revision history. If a
: particular vendor is not listed below, we have not received their
: Apple Computer, Inc.
: Snort is not shipped with Mac OS X or Mac OS X Server.
: Ingrian Networks
: Ingrian Networks products are not susceptible to VU#139129 and
: VU#916785 since they do not use Snort.
: Ingrian customers who are using the IDS Extender Service Engine to
: mirror cleartext data to a Snort-based IDS should upgrade their IDS
: NetBSD does not include snort in the base system.
: Snort is available from the 3rd party software system, pkgsrc. Users
: who have installed net/snort, net/snort-mysql or net/snort-pgsql
: should update to a fixed version. pkgsrc/security/audit-packages can
: be used to keep up to date with these types of issues.
: Red Hat Inc.
: Not vulnerable. Red Hat does not ship Snort in any of our supported
: SGI does not ship snort as part of IRIX.
: Snort 2.0 has undergone an external third party professional security
: audit funded by Sourcefire.
: The CERT/CC acknowledges Bruce Leidl, Juan Pablo Martinez Kuhn, and
: Alejandro David Weil of Core Security Technologies for their discovery
: of VU#139129. We also acknowledge Mark Dowd and Neel Mehta of ISS
: X-Force for their discovery of VU#916785.
: Authors: Jeffrey P. Lanza and Cory F. Cohen.
: This document is available from:
: CERT/CC Contact Information
: Email: cert at ...241...
: Phone: +1 412-268-7090 (24-hour hotline)
: Fax: +1 412-268-6989
: Postal address:
: CERT Coordination Center
: Software Engineering Institute
: Carnegie Mellon University
: Pittsburgh PA 15213-3890
: CERT/CC personnel answer the hotline 08:00-17:00 EST(GMT-5) /
: EDT(GMT-4) Monday through Friday; they are on call for emergencies
: during other hours, on U.S. holidays, and on weekends.
: Using encryption
: We strongly urge you to encrypt sensitive information sent by email.
: Our public PGP key is available from
: If you prefer to use DES, please call the CERT hotline for more
: Getting security information
: CERT publications and other security information are available from
: our web site
: To subscribe to the CERT mailing list for advisories and bulletins,
: send email to majordomo at ...7510... Please include in the body of your
: subscribe cert-advisory
: * "CERT" and "CERT Coordination Center" are registered in the U.S.
: Patent and Trademark Office.
: NO WARRANTY
: Any material furnished by Carnegie Mellon University and the Software
: Engineering Institute is furnished on an "as is" basis. Carnegie
: Mellon University makes no warranties of any kind, either expressed or
: implied as to any matter including, but not limited to, warranty of
: fitness for a particular purpose or merchantability, exclusivity or
: results obtained from use of the material. Carnegie Mellon University
: does not make any warranty of any kind with respect to freedom from
: patent, trademark, or copyright infringement.
: Conditions for use, disclaimers, and sponsorship information
: Copyright 2003 Carnegie Mellon University.
: Revision History
: April 17, 2003: Initial release
: -----BEGIN PGP SIGNATURE-----
: Version: PGP 6.5.8
: -----END PGP SIGNATURE-----
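The interim workaround from section III of the advisory (comment out the two affected preprocessor lines in snort.conf, confirm nothing affected is still enabled, then SIGHUP the sensor) scripted as a POSIX sh example. This is an added illustration, not code from the CERT advisory or from the Snort project: the "# CA-2003-13:" comment tag, the default pid file path and the snort.conf fragment used by `demo` are all assumptions or constructed sample data, and the match patterns assume the directive spellings the advisory quotes.

```shell
#!/bin/sh
# Added example (not from CERT or Snort): apply the CA-2003-13 interim
# workaround to a snort.conf and verify the result.

# Comment out the affected preprocessor directives in place, keeping a .bak
# copy. Only uncommented lines that start with the directive are touched, so
# "preprocessor stream4:" (the base stream4 module) is left alone, as the
# advisory only names stream4_reassemble and rpc_decode.
disable_affected_preprocessors() {
    conf="$1"
    cp "$conf" "$conf.bak" || return 1
    sed -e 's/^\([[:space:]]*preprocessor[[:space:]]\{1,\}stream4_reassemble\)/# CA-2003-13: \1/' \
        -e 's/^\([[:space:]]*preprocessor[[:space:]]\{1,\}rpc_decode\)/# CA-2003-13: \1/' \
        "$conf.bak" > "$conf"
}

# Report affected preprocessors that are still active in the file.
# Returns 1 if any remain, 0 if the file is clean.
check_affected_preprocessors() {
    conf="$1"
    status=0
    for name in stream4_reassemble rpc_decode; do
        if grep -q "^[[:space:]]*preprocessor[[:space:]][[:space:]]*$name" "$conf"; then
            echo "still enabled: $name"
            status=1
        fi
    done
    return $status
}

# Ask the running Snort process to re-read its configuration, as the
# advisory describes. The default pid file path is an assumption; pass the
# sensor's real pid file as the first argument.
reload_snort() {
    pidfile="${1:-/var/run/snort_eth0.pid}"
    [ -r "$pidfile" ] || { echo "no readable pid file at $pidfile" >&2; return 1; }
    kill -HUP "$(cat "$pidfile")"
}

# Walk through the workaround on a constructed snort.conf fragment in a
# temporary directory (no real sensor is touched).
demo() {
    tmp=$(mktemp -d) || return 1
    cat > "$tmp/snort.conf" <<'EOF'
# constructed sample fragment, not a real sensor configuration
var HOME_NET any
preprocessor frag2
preprocessor stream4: detect_scans
preprocessor stream4_reassemble
preprocessor rpc_decode: 111 32771
preprocessor http_decode: 80
EOF
    echo "before:"
    check_affected_preprocessors "$tmp/snort.conf" && return 1   # expected: both still enabled
    disable_affected_preprocessors "$tmp/snort.conf" || return 1
    echo "after:"
    check_affected_preprocessors "$tmp/snort.conf" || return 1   # expected: clean
    cat "$tmp/snort.conf"
    rm -rf "$tmp"
}

# Run the walk-through with: sh this_script.sh demo
if [ "${1:-}" = "demo" ]; then
    demo
fi
```

On a real sensor the order is: `disable_affected_preprocessors /etc/snort/snort.conf`, then `check_affected_preprocessors` to confirm nothing affected is still enabled, then `reload_snort /path/to/snort.pid`. The check deliberately matches only uncommented directives, so a sensor whose config was already edited by hand reports clean rather than being rewritten twice.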