[Snort-users] Catching Snort DOS

João Mota joao at ...13547...
Mon Oct 3 05:40:28 EDT 2005


Hello,

I was trying to write a rule to match the exploit code that targets the 
vulnerability described in:
http://www.snort.org/pub-bin/snortnews.cgi#58
(exploit at http://www.frsirt.com/exploits/20050912.snortsackdos.c.php)

I can't seem to do it because the packets aren't "seen" by snort. I've 
tried the 2.3.3 (Build 14) and 2.4.2 (build 25) versions of snort with 
the same result.
I'm guessing that the bug is still there and leads to the discarding of 
the packet (doesn't show as discarded in the snort exit status though).
But isn't snort supposed to sniff all the packets, including corrupt ones?
Can anyone else confirm this, or am I doing something wrong?
I'm running ethereal on the same machine and the packets are shown 
(default src ip = 200.31.33.70) and the rule:
alert tcp 200.31.33.70 any -> any any (msg: "whatever";)
isn't triggered. I even tried using ip for the protocol and still got no alert.
This rule isn't supposed to catch the exploit, it's just a test I've used 
to see if the exploit packets were being tested. I even tried "any any -> 
any any" and browsed the results, and no exploit packets were logged.

Any clues/hints?

Thanks,
João
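The exploit the post links to is named snortsackdos. Assuming (this is not stated in the post) that the offending packets carry a TCP SACK option with a bogus length, the added example below, which is mine and not Snort's decoder, shows how an option walker can report such an option as malformed instead of underflowing or silently discarding the packet; GOOD_OPTS and BAD_OPTS are constructed samples, not captured traffic.

```python
import struct

# TCP option kinds used here (RFC 793 / RFC 2018)
TCPOPT_EOL, TCPOPT_NOP, TCPOPT_SACK = 0, 1, 5


def parse_tcp_options(opts: bytes):
    """Walk a TCP options field and return (options, problems).

    options  - list of (kind, payload) for every well-formed option seen
    problems - reasons for anything malformed; a malformed option ends the
               walk but is reported rather than silently dropped
    """
    options, problems = [], []
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == TCPOPT_EOL:        # end of option list
            break
        if kind == TCPOPT_NOP:        # single-byte padding, no length field
            i += 1
            continue
        if i + 1 >= len(opts):
            problems.append(f"kind {kind}: truncated, no length byte")
            break
        length = opts[i + 1]
        # A multi-byte option's length counts the kind and length bytes,
        # so anything below 2 is invalid; an unchecked `length - 2` underflows.
        if length < 2:
            problems.append(f"kind {kind}: invalid option length {length}")
            break
        if i + length > len(opts):
            problems.append(f"kind {kind}: length {length} runs past end of options")
            break
        payload = opts[i + 2:i + length]
        if kind == TCPOPT_SACK and len(payload) % 8:
            problems.append(f"SACK: {len(payload)}-byte payload is not whole 8-byte blocks")
        options.append((kind, payload))
        i += length
    return options, problems


def sack_blocks(payload: bytes):
    """Decode a well-formed SACK payload into (left_edge, right_edge) pairs."""
    usable = len(payload) - len(payload) % 8
    return [struct.unpack("!II", payload[j:j + 8]) for j in range(0, usable, 8)]


# Constructed sample option fields (hypothetical, not from a capture):
GOOD_OPTS = bytes([TCPOPT_NOP, TCPOPT_NOP, TCPOPT_SACK, 10]) + struct.pack("!II", 1000, 2000)
BAD_OPTS = bytes([TCPOPT_NOP, TCPOPT_NOP, TCPOPT_SACK, 1, 0, 0, 0, 0])
```

Running parse_tcp_options over BAD_OPTS yields an empty option list and one problem entry, which is the behaviour a sensor should expose (as a decoder alert or counter) rather than quietly skipping the packet.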
