[Snort-devel] Re: [Snort-users] Snort DoS Fallacies

Ferguson, Justin (IARC) FergusonJ at ...13492...
Wed Sep 14 07:12:19 EDT 2005

> good lord you fame mongering whores really need to get some skill. 

Aren't you just capitalizing on it yourself?

>Personally I try to make sure I am actually looking at the right code
>before I spout off. Then I take the time to verify what I believe.
>This shit is simply foolish. Of course I never disclose what I find so
>it doesn't matter for me.

Blackhat has just become another term for 'hasn't done anything'

>A DOS in a non critical component without any chance of remote code
>execution is hardly worth this intellectual fart.

Non-critical to who? You? Believe it or not, some people, gasp, actually do
use ASCII logging.

>Maybe I got my CVS checkout from the wrong server or something but I
>can't find more than one call in the snapshot I have
>...snort-2.4.0/src/preprocessors $ grep PrintIPPkt spp_frag3.c 
>        PrintIPPkt(stdout, defrag_pkt->iph->ip_proto, defrag_pkt);

Maybe, I grabbed my snapshot from snort.org, and as of my last email you
could find it there too.

>Ultimately It seems that he was right and you were wrong so perhaps
>you need to check your attitude and code at the door.

Oops, mistake on your part, it's okay though I understand that we can't all
be so bright as to get our sources from snort.org, and I'm used to dealing
with ignorant and rude people, I do after all live in Vegas.

The rest really isn't worth replying to, PHC spawned a million idiots like
you running around pretending to be blackhats with cool netmasks like
'whiteh8.net', never actually doing anything and hiding behind the guise
that you don't believe in disclosure to cover the fact that you haven't
written nor found any exploits, and in the end you end up being just as bad
as (most of) the whitehats, useless and ignorant.

J. Ferguson
Intrusion Analyst
NNSA Information Assurance Response Center 
fergusonj at ...13492...

> >BTW, you missed that we also call PrintTCPHeader in spo_alert_full.c,
> >which is actually done in the default config case, so this is
> >something you might want to worry about if you're using full alerting
> >for whatever reason.  For the record, the recommended alerting modes
> >for a production sensor are unified, syslog or database.
> Thank you for adding to my point. This makes what 3 possible routes of
> execution + the -v route for a total of 4 without debugging, and 6 if
> debugging was to be enabled. Still quite a long ways from the 'only if you
> are using -v'.

So basically your point is you don't have a clue, are a superfluous
twit, incompetent fame whore, and chump?

Perhaps you just sit in your chair masturbating to captured porn all
day and that is why you didn't have time to verify your specious shit.
Give me your address and I will send you the lapjuicer so you can at
least make a profit when you and your buddies get together.


Just my personal grumpy thoughts of the moment.
