[Snort-devel] Re: [Snort-users] Snort DoS Fallacies

Steven Sturges steve.sturges at ...1935...
Mon Sep 19 09:04:16 EDT 2005

> Q5) Frag3 has the problem in the snapshot I downloaded, why 
> won't you admit it?
> A5) Because you're wrong.  The snapshot you're referring to 
> has the fixes in PrintTcpOptions(), so even with the call to 
> PrintIPPkt() in there the DoS doesn't work.  Version 2.4.0 
> did not have the code you are referring to.

I just grabbed the snapshot tarball from the website and it does
have the duplicate log Frag3 issues mentioned... It is correct in
CVS, so subsequent snapshot tarballs resolve this.

However, with the fixes to PrintTcpOptions being in the tarball,
it wouldn't be a DoS problem other than extra printfs.

> Q13) Justin Ferguson made a patch against 2.3.3 that fixes 
> this problem, should I use it?
> A13) I would not under any circumstances move back to 2.3.3 
> or use a patch from an untrusted 3rd party in a production 
> sensor, there were many bug fixes and new features 
> incorporated in 2.4.0 and reverting to an old version is a 
> step in the wrong direction.  It is far safer and advisable 
> to use the log.c in CVS or wait for the 2.4.1 release if 
> you're not running fast/full alerting or ASCII logging.

The changes made on August 23 by Sourcefire are the same as those
in the patch to 2.3.3.  Those changes have been in the 2.4 CVS
repository [and are in the snapshot tarball] for almost a month
(since the original poster brought this to our attention).

End of story.


More information about the Snort-users mailing list