[Snort-users] Remote Vulnerability in Snort - Fix and Workaround Available

Jennifer Steffens jennifer.steffens at ...1935...
Mon Sep 12 15:29:00 EDT 2005

Hey everyone,

A vulnerability was found in PrintTcpOptions() function located in 
snort-2.4.0/src/log.c that could allow an attacker to craft a malformed 
TCP/IP packet and potentially cause a DoS in Snort. This vulnerability 
is only present in the rare instances that Snort is run in verbose mode 
(using the switch -v).

An attacker can exploit this vulnerability with malicious TCP traffic 
containing a bad TCP SACK option causing the Snort engine to crash. 
Restarting Snort will cause the engine to return to normal functionality.

Fix and Workaround Details:
A fix for this vulnerability was checked into the Snort 2.4 CVS tree on 
August 23rd, 2005 and is available for download at 
http://www.snort.org/pub-bin/snapshots.cgi. This fix will also be 
included in the upcoming 2.4.1 release. Users who do not wish to upgrade 
can simply choose not to run Snort in verbose mode to avoid being 

Questions? Let us know at snort-team at ...3990...


Jennifer Steffens
Director, Product Management - Snort
Sourcefire, Inc

More information about the Snort-users mailing list