[Snort-users] IP Option lsrre

Jeffrey Denton dentonj at ...11827...
Sat Jul 7 06:52:29 EDT 2007


I originally posted this on #snort on irc.freenode.org.  I'm posting
it here for more visibility.

I had a question about "ipopts:lsrre;".  A search on Google turned up
several comments about lsrre being an undocumented option.  In
misc.rules, sid:501, there is a reference to a MS source routing
vulnerability, MS99-038.

In the file sf_snort_packet.h, the define statement sets IPOPTION_LSRR
to 0x83.  This corresponds to the decimal value of 131 for Loose
Source and Record Route as specified in RFC 791.  IPOPTION_SSRR is set
to 0x89, which corresponds to the decimal value of 137 for Strict
Source and Record Route as specified in RFC 791.  IPOPTION_LSRR_E is
set to 0x84, or decimal value 132.
http://iana.org/assignments/ip-parameters doesn't list value 132 as a
valid IP option.

The vulnerability report for MS99-038 doesn't include enough details.
I wasn't able to find exploit code for MS99-038.  Either way, it looks
like ipopts:lsrre; will trigger when an invalid IP option value of 132
is detected.

Does anyone see something different?
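
Added example, not part of the original post and not Snort's code: a small C walker that splits the three option-type values quoted above into the RFC 791 copied/class/number fields and checks whether a given type occurs in an IPv4 header. The function names and the 28-byte sample header are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Values the post quotes from sf_snort_packet.h */
#define IPOPTION_LSRR   0x83
#define IPOPTION_LSRR_E 0x84
#define IPOPTION_SSRR   0x89

/* RFC 791 option-type octet: copied flag (1 bit), class (2 bits), number (5 bits) */
int opt_copied(uint8_t t) { return t >> 7; }
int opt_class(uint8_t t)  { return (t >> 5) & 0x03; }
int opt_number(uint8_t t) { return t & 0x1f; }

/* Walk the options of an IPv4 header: 1 = option present, 0 = absent, -1 = malformed */
int ip_has_option(const uint8_t *hdr, size_t caplen, uint8_t want)
{
    if (caplen < 20 || (hdr[0] >> 4) != 4) return -1;
    size_t hlen = (size_t)(hdr[0] & 0x0f) * 4;      /* IHL is in 32-bit words */
    if (hlen < 20 || hlen > caplen) return -1;
    for (size_t i = 20; i < hlen; ) {
        uint8_t type = hdr[i];
        if (type == 0) break;                       /* End of Option List */
        if (type == 1) { i++; continue; }           /* No Operation, one octet */
        if (i + 1 >= hlen) return -1;               /* length octet missing */
        uint8_t olen = hdr[i + 1];
        if (olen < 2 || i + olen > hlen) return -1; /* option overruns the header */
        if (type == want) return 1;
        i += olen;
    }
    return 0;
}

/* Constructed sample: 28-byte header (IHL=7), checksum left zero, one 7-byte option + EOL */
uint8_t sample[28] = {
    0x47, 0x00, 0x00, 0x1c, 0x00, 0x00, 0x00, 0x00, 0x40, 0x01, 0x00, 0x00,
    192, 0, 2, 1,  192, 0, 2, 2,
    IPOPTION_LSRR_E, 7, 4,  192, 0, 2, 3,  0x00
};

int main(void)
{
    const uint8_t types[] = { IPOPTION_LSRR, IPOPTION_SSRR, IPOPTION_LSRR_E };
    for (size_t k = 0; k < 3; k++)
        printf("0x%02x (%3d): copied=%d class=%d number=%d present=%d\n",
               types[k], types[k], opt_copied(types[k]), opt_class(types[k]),
               opt_number(types[k]), ip_has_option(sample, sizeof sample, types[k]));
    return 0;
}
```

The decode shows 131 and 137 as option numbers 3 and 9, while 132 decodes to copied=1, class=0, number=4.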



