[Snort-users] BO preproc exploit published

Murali Raju protocoljunkie at ...11827...
Thu Oct 27 04:44:32 EDT 2005


95% of the snort sensors I build use OpenBSD and the rest are a mix of
Linux (PAX/GrSecurity)/FreeBSD (for in-line). The exploit did not work on any
of these.

_Raju


On 10/26/05, byte_jump <bytejump at ...11827...> wrote:
>
> On 10/26/05, Paul Melson <pmelson at ...11827...> wrote:
> >
> > I saw that in the release notes. To date, my sensors have not detected any
> > attempts to exploit the bo preproc. I suppose that now that there's
> > publicly available code that I ought to test it. ;)
> >
> > PaulM
>
>
> I didn't spend a ton of time on it, but I used the exploit code
> against a Snort 2.4.0 Snort box with the BO preprocessor enabled.
> Snort had been compiled with the SPP gcc (formerly ProPolice) and was
> on a 2.4 kernel with grsecurity/PaX. It wasn't a scientific test by
> any means, but the exploit did not work and seemed to fail due to
> ProPolice (this is a stack-based buffer overflow). The exploit did
> work against a similar server without ProPolice and grsecurity.
>
> Honestly, I'm very disappointed that 1) Sourcefire doesn't use
> ProPolice and grsecurity on their sensors, and 2) that Snort.org does
> not encourage folks to use those security mechanisms, too. Those
> security measures certainly seemed to work in my less-than-scientific
> test.
>



--
May the packets be with you.