[Snort-users] Catching Snort DOS
joao at ...13547...
Mon Oct 3 05:40:28 EDT 2005
I was trying to write a rule to match the exploit code that targets the
vulnerability described in:
(exploit at http://www.frsirt.com/exploits/20050912.snortsackdos.c.php)
I can't seem to do it because the packets aren't "seen" by snort. I've
tried the 2.3.3 (Build 14) and 2.4.2 (build 25) versions of snort with
the same result.
I'm guessing that the bug is still there and leads to the discarding of
the packet (doesn't show as discarded in the snort exit status though).
But isn't snort supposed to sniff all the packets, including corrupt ones?
Can anyone else confirm this, or am I doing something wrong?
I'm running ethereal in the same machine and the packets are shown
(default src ip = 22.214.171.124) and the rule:
alert tcp 126.96.36.199 any -> any any (msg: "whatever";)
isn't triggered. Even tried using ip for protocol and still no alert.
This rule isn't supposed to catch the exploit, it's just a test I've used
to see if the exploit packets were being tested. Even tried "any any ->
any any" and browsed the results and no exploit packets were logged.
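An added example, not from the original post, the frsirt exploit or the Snort project: a small script that writes a pcap containing two copies of a crafted TCP SYN carrying SACK options, one with a valid TCP checksum and one with a deliberately corrupted checksum. Snort 2.x verifies IP/TCP checksums by default and silently drops packets that fail (the `-k none` command-line option or `config checksum_mode: none` turns this off), which is one common reason a raw-socket exploit shows up in ethereal but never reaches the rule engine. The addresses, ports, MACs, sequence numbers and SACK block values are constructed test values (assumptions), not the exploit's; the options are a well-formed SACK-permitted and SACK block, since the page gives no detail about the malformed packet itself.

```python
import struct
import socket

# Constructed test values (assumptions), not taken from the post or the exploit.
SRC_IP = "10.0.0.1"
DST_IP = "10.0.0.2"
SRC_PORT = 40000
DST_PORT = 80
SRC_MAC = bytes.fromhex("020000000001")
DST_MAC = bytes.fromhex("020000000002")
ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over 16-bit big-endian words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_tcp_segment(bad_checksum: bool = False) -> bytes:
    """TCP SYN with SACK-permitted (kind 4) and one SACK block (kind 5) options.

    bad_checksum=True corrupts the TCP checksum so the reader can tell whether
    checksum verification, rather than the rule, is what hides the packet.
    """
    # 2 + 10 = 12 option bytes, already a multiple of 4, so no NOP padding.
    options = b"\x04\x02" + b"\x05\x0a" + struct.pack("!II", 1000, 2000)
    data_offset = (20 + len(options)) // 4       # header length in 32-bit words
    flags = 0x02                                  # SYN
    hdr = struct.pack(
        "!HHIIHHHH",
        SRC_PORT, DST_PORT,
        0x11223344,                               # sequence number (constructed)
        0,                                        # ack number
        (data_offset << 12) | flags,
        8192,                                     # window
        0,                                        # checksum placeholder
        0,                                        # urgent pointer
    ) + options
    pseudo = struct.pack("!4s4sBBH", socket.inet_aton(SRC_IP),
                         socket.inet_aton(DST_IP), 0, IPPROTO_TCP, len(hdr))
    csum = inet_checksum(pseudo + hdr)
    if bad_checksum:
        # XOR with 0x5555 can never produce a one's-complement-equivalent value.
        csum ^= 0x5555
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:]


def build_ipv4_packet(payload: bytes) -> bytes:
    """Wrap a TCP segment in an IPv4 header with a valid header checksum."""
    hdr = struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, 20 + len(payload),
        0x1234, 0x4000,                           # id, DF flag set
        64, IPPROTO_TCP, 0,                       # ttl, protocol, checksum placeholder
        socket.inet_aton(SRC_IP), socket.inet_aton(DST_IP),
    )
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:] + payload


def ip_checksum_ok(ip_packet: bytes) -> bool:
    """A correct IPv4 header sums to zero when the checksum field is included."""
    ihl = (ip_packet[0] & 0x0F) * 4
    return inet_checksum(ip_packet[:ihl]) == 0


def tcp_checksum_ok(ip_packet: bytes) -> bool:
    """Recompute the TCP checksum the way a receiver (or Snort's decoder) would."""
    ihl = (ip_packet[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip_packet[2:4])[0]
    segment = ip_packet[ihl:total_len]
    pseudo = struct.pack("!4s4sBBH", ip_packet[12:16], ip_packet[16:20],
                         0, IPPROTO_TCP, len(segment))
    return inet_checksum(pseudo + segment) == 0


def pcap_bytes(packets) -> bytes:
    """Serialize Ethernet-framed IPv4 packets as a classic libpcap file (linktype 1)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, pkt in enumerate(packets):
        frame = DST_MAC + SRC_MAC + struct.pack("!H", ETHERTYPE_IPV4) + pkt
        out += struct.pack("<IIII", 1, i, len(frame), len(frame)) + frame
    return out


def build_test_pcap() -> bytes:
    """Packet 1 has a valid TCP checksum, packet 2 a corrupted one."""
    good = build_ipv4_packet(build_tcp_segment(bad_checksum=False))
    bad = build_ipv4_packet(build_tcp_segment(bad_checksum=True))
    return pcap_bytes([good, bad])


if __name__ == "__main__":
    with open("sack_test.pcap", "wb") as f:
        f.write(build_test_pcap())
    print("wrote sack_test.pcap")
```

Read the file back with a rules file containing `alert tcp 10.0.0.1 any -> any any (msg:"whatever"; sid:1000001;)`, first as `snort -r sack_test.pcap -c test.conf` and then again with `-k none` added. If only the first packet alerts in the first run and both alert in the second, packets with bad checksums are being discarded by the decoder before any rule is evaluated, and the same check applies to the real exploit traffic: compare its checksums in ethereal before blaming the rule.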