[Snort-users] IP Option lsrre
dentonj at ...11827...
Sat Jul 7 06:52:29 EDT 2007
I originally posted this on #snort on irc.freenode.org. I'm posting
it here for more visibility.

I had a question about "ipopts:lsrre;". A search on Google turned up
several comments about lsrre being an undocumented option. In
misc.rules, sid:501, there is a reference to a MS source routing

In the file sf_snort_packet.h, the define statement sets IPOPTION_LSRR
to 0x83. This corresponds to the decimal value of 131 for Loose
Source and Record Route as specified in RFC 791. IPOPTION_SSRR is set
to 0x89, which corresponds to the decimal value of 137 for Strict
Source and Record Route as specified in RFC 791. IPOPTION_LSRR_E is
set to 0x84, or decimal value 132.

http://iana.org/assignments/ip-parameters doesn't list value 132 as a
valid IP option.

The vulnerability report for MS99-038 doesn't include enough details.
I wasn't able to find exploit code for MS99-038. Either way, it looks
like ipopts:lsrre; will trigger when an invalid IP option value of 132

Does anyone see something different?
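
The option values discussed in the post, shown as an added example (not code from the post or from Snort): a walker over the IPv4 options area that reports whether type 0x83, 0x89 or 0x84 is present. The `OPT_*` and `SEEN_*` names, the function names and the sample header are assumptions made for this illustration; only the three numeric values come from the post.

```c
#include <stddef.h>
#include <stdint.h>

/* Option type values as quoted in the post (131 and 137 are from RFC 791). */
#define OPT_LSRR   0x83  /* 131: Loose Source and Record Route */
#define OPT_LSRR_E 0x84  /* 132: the value the post gives for IPOPTION_LSRR_E */
#define OPT_SSRR   0x89  /* 137: Strict Source and Record Route */

/* Result flags: hypothetical names used only in this example. */
enum { SEEN_LSRR = 1, SEEN_SSRR = 2, SEEN_LSRR_E = 4, SEEN_MALFORMED = 8 };

/* Constructed sample: 24-byte IPv4 header (IHL 6) carrying one option of
 * type 0x84, length 3, followed by an End of Option List pad byte. */
static const uint8_t sample_hdr[24] = {
    0x46, 0x00, 0x00, 0x18, 0x00, 0x00, 0x00, 0x00,
    0x40, 0x01, 0x00, 0x00, 192, 0, 2, 1,
    192, 0, 2, 2, 0x84, 0x03, 0x04, 0x00
};

/* Walk the options that follow the fixed 20-byte header and report which of
 * the three option types above are present. */
unsigned scan_ip_options(const uint8_t *hdr, size_t caplen)
{
    unsigned seen = 0;
    if (caplen < 20 || (hdr[0] >> 4) != 4)
        return SEEN_MALFORMED;
    size_t hlen = (size_t)(hdr[0] & 0x0f) * 4;   /* IHL counts 32-bit words */
    if (hlen < 20 || hlen > caplen)
        return SEEN_MALFORMED;
    for (size_t i = 20; i < hlen; ) {
        uint8_t type = hdr[i];
        if (type == 0x00) break;                 /* End of Option List */
        if (type == 0x01) { i++; continue; }     /* No Operation, one byte */
        /* All other options are type, length, data; length covers all. */
        if (i + 1 >= hlen || hdr[i + 1] < 2 || i + hdr[i + 1] > hlen)
            return seen | SEEN_MALFORMED;
        if (type == OPT_LSRR)   seen |= SEEN_LSRR;
        if (type == OPT_SSRR)   seen |= SEEN_SSRR;
        if (type == OPT_LSRR_E) seen |= SEEN_LSRR_E;
        i += hdr[i + 1];
    }
    return seen;
}

/* RFC 791 option number: the low five bits of the type octet. */
unsigned option_number(uint8_t type) { return type & 0x1f; }
```
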