[Snort-users] Serious Snort Bug Could Lead To Next Slammer

Jeff Nathan jeff at ...950...
Thu Oct 20 12:02:11 EDT 2005


Michael, et al.,

Several reverse engineering and exploit development websites already
have discussions of details surrounding this vulnerability; a bit of
creative searching using Google will be helpful in your quest.  Since
it's by no means a secret at this point, I'll mention that the
metasploit project has already developed some intelligence on the
vulnerability.

I'll remind the readers that this vulnerability is more similar to
the vulnerability leading to the Witty worm than the vulnerability
that led to the Slammer worm.  If a worm is developed to attack
vulnerable systems (i.e. if this vulnerability is 'wormable'), it
will likely be similar to Witty insofar as the Witty worm exploited a
protocol decoder bug.

Recall that the Witty worm exploited a vulnerability in the ICQ PAM  
module of ISS's Black Ice sensor....

-Jeff

P.S. Please don't hijack threads by replying to a message and  
changing the subject.  It confuses threading in some e-mail clients.

On Oct 20, 2005, at 7:39 AM, Michael Steele wrote:

> I found this:
>
> http://www.crn.com/sections/breakingnews/dailyarchives.jhtml?articleId=172302520
>
> No mention on Snort.org or in the list.
>
> Kindest regards,
> Michael...
>
> WINSNORT.com Management Team Member
> --
> Pick up your FREE Windows or UNIX Snort installation guides
> mailto:support at ...9077...
> Website: http://www.winsnort.com
> Snort: Open Source Network IDS - http://www.snort.org
> -----Original Message-----
> From: snort-users-admin at lists.sourceforge.net
> [mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of Igor Belikov
> Sent: Thursday, October 20, 2005 12:18 AM
> To: snort-users at lists.sourceforge.net
> Subject: Re[2]: [Snort-users] need help configuring snort + barnyard
>
> Hello Chris,
>
> Wednesday, October 19, 2005, 7:31:05 PM, you wrote:
>
> CE> |   I configured snort to write both alert and log files in unified
> CE> |   format. But I can't configure barnyard properly to store in DB
> CE> |   detailed info about alerts.
> CE> |
> CE> |   Barnyard "watch" alert files and stores info about alerts, but I
> CE> |   need also store whole packets caused alert.
>
> CE> It seems you don't need to have snort write both unified files.  All the
> CE> required info seems to be in the unified "log" file, so this is what you
> CE> want barnyard to read.  It's not at all clear to us what info is in the
> CE> unified "alert" file that's not *also* in the unified "log" file.  So we
> CE> don't write a unified "alert" file at all.
>
> It sounds good, but I still can't configure snort + barnyard.
>
> Last configs:
>
>   - snort:
>
> output log_unified: filename snort.log, limit 128
>
>   - barnyard:
>
> output log_acid_db: mysql, sensor_id 1, database snort, server x.x.x.x, user xxxxx, password xxxxx, detail full
>
> In /log directory I see "snort.log.<timestamp>", "barnyard.waldo"
> (with correct link to snort.log) and "alert" (with alerts produced by
> snort).
>
> Watching log files I see that barnyard works (link in waldo file
> follows growing snort.log), but I don't get any new alerts in DB.
>
> Using previous variant of configs (using unified alert) barnyard put
> all alerts in DB.
>
> Please point me to where I made a mistake.
>
> -- 
> Best regards,
>  Igor                            mailto:ivb at ...13431...
>
>
>
> -------------------------------------------------------
> This SF.Net email is sponsored by:
> Power Architecture Resource Center: Free content, downloads,  
> discussions,
> and more. http://solutions.newsforge.com/ibmarch.tmpl
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users


--
Custom packets with little to no money down.
http://nemesis.sourceforge.net
