Snort mailing list archives
Re: Snort detection engine vulnerability
From: Yoann Vandoorselaere <yoann () mandrakesoft com>
Date: 31 Jul 2001 09:48:07 +0200
Moritz Jodeit <moritz () jodeit org> writes:
Hi, I think I found a design flaw in Snort's detection engine. The detection engine checks each package, and the first rule that matches triggers the action specified in the rule. The problem is that once an action has been triggered, no more checks are done on the package. It is possible for someone to put a fake exploit at the beginning of a packet and put the real exploit after the fake one. This way, the fake exploit triggers the rule and the real exploit doesn't get detected.

http://snort.protected.host.com/test-cgi/../[insert your favourite iis exploit]

This sample triggers the "WEB-CGI test-cgi access" rule, while the real exploit doesn't get logged. I sent two emails to roesch () clark net, but didn't get any response, so I sent it to the list...
This is exactly the problem I reported yesterday on focus IDS, in the "Snort + (OpenBSD or Linux)" thread.

--
Yoann Vandoorselaere | The last time I saw him he was walking down Lover's Lane
MandrakeSoft        | holding his own hand. -- Fred Allen
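To make the first-match behaviour discussed in this thread concrete, here is an added toy matcher (not Snort code and not from either poster): it runs the same constructed rule set over a request modelled on the test-cgi/../ decoy above, once with "first match wins" and once evaluating every rule, and reports which rules the decoy shadows. The second rule name and the request payload are constructed placeholders, not real Snort rules or exploit strings.

```python
# Constructed rule set: (rule name, substring to look for in the payload).
# The first entry mirrors the rule named in the thread; the second is a
# hypothetical stand-in for whatever rule the trailing part of the URI
# would have matched.
RULES = [
    ("WEB-CGI test-cgi access", b"/test-cgi"),
    ("HYPOTHETICAL later rule", b"/../placeholder"),
]

# Constructed sample request: decoy pattern first, masked pattern after it.
SAMPLE_REQUEST = b"GET /test-cgi/../placeholder HTTP/1.0\r\n\r\n"


def first_match(payload: bytes, rules=RULES) -> list:
    """Engine behaviour described in the thread: the first rule whose
    pattern appears in the payload fires, and evaluation stops there."""
    for name, pattern in rules:
        if pattern in payload:
            return [name]
    return []


def all_matches(payload: bytes, rules=RULES) -> list:
    """Evaluate every rule, so an early decoy cannot hide a later match."""
    return [name for name, pattern in rules if pattern in payload]


def shadowed_rules(payload: bytes, rules=RULES) -> list:
    """Defender's check: rules that would fire under full evaluation but
    are never reached under first-match evaluation of this payload."""
    fired = set(first_match(payload, rules))
    return [name for name in all_matches(payload, rules) if name not in fired]


if __name__ == "__main__":
    print("first-match :", first_match(SAMPLE_REQUEST))
    print("all rules   :", all_matches(SAMPLE_REQUEST))
    print("shadowed    :", shadowed_rules(SAMPLE_REQUEST))
```

Running the block shows only the test-cgi rule under first-match evaluation, while the full pass also lists the hypothetical second rule, which is exactly the alert the decoy suppresses.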