Snort mailing list archives

Re: Snort detection engine vulnerability


From: Yoann Vandoorselaere <yoann () mandrakesoft com>
Date: 31 Jul 2001 09:48:07 +0200

Moritz Jodeit <moritz () jodeit org> writes:

Hi,

I think I found a design flaw in Snort's detection engine. 
The detection engine checks each packet, and the first rule that matches
triggers the action specified in the rule. The problem is that once an action
has been triggered, no more checks are done on the packet. It is possible for
someone to put a fake exploit at the beginning of a packet and put the real
exploit after the fake one. This way, the fake exploit triggers the rule and
the real exploit doesn't get detected.

http://snort.protected.host.com/test-cgi/../[insert your favourite iis exploit]

This sample triggers the "WEB-CGI test-cgi access" rule, while the real exploit 
doesn't get logged.

I sent two emails to roesch () clark net, but didn't get any response, so I am sending
it to the list...

This is exactly the problem I reported yesterday on focus IDS,
in the "Snort + (OpenBSD or Linux)" thread.

-- 
Yoann Vandoorselaere | The last time I saw him he was walking down Lover's Lane
MandrakeSoft         | holding his own hand.   -- Fred Allen

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
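The first-match-wins behaviour described in the thread, simulated in Python as an added example. This is not Snort's code, and the two rules and the HTTP request below are constructed stand-ins (loosely modelled on the "WEB-CGI test-cgi access" and "WEB-IIS cmd.exe access" signatures, not copied from any ruleset). `first_match` stops at the first rule that fires, as the report describes; `all_matches` keeps evaluating every rule, which is what you need to see the request hidden behind the decoy.

```python
import re
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Rule:
    """A minimal content rule: a message and a regex searched in the payload."""
    msg: str
    pattern: str


# Constructed stand-ins for Snort signatures, ordered as a ruleset might be.
# The decoy rule comes first, which is all the attacker needs.
RULES: List[Rule] = [
    Rule("WEB-CGI test-cgi access", r"/test-cgi"),
    Rule("WEB-IIS cmd.exe access", r"cmd\.exe"),
]

# Constructed request: the decoy path first, the interesting part after it.
DECOY_THEN_REAL = b"GET /test-cgi/../scripts/cmd.exe?/c+dir HTTP/1.0\r\n"

# Constructed control request with no decoy in front.
REAL_ONLY = b"GET /scripts/cmd.exe?/c+dir HTTP/1.0\r\n"


def first_match(payload: bytes, rules: List[Rule] = RULES) -> List[str]:
    """Engine that stops at the first matching rule (the behaviour reported)."""
    text = payload.decode("latin-1")
    for rule in rules:
        if re.search(rule.pattern, text):
            return [rule.msg]  # one alert, remaining rules never evaluated
    return []


def all_matches(payload: bytes, rules: List[Rule] = RULES) -> List[str]:
    """Engine that evaluates every rule and reports each match."""
    text = payload.decode("latin-1")
    return [rule.msg for rule in rules if re.search(rule.pattern, text)]


def hidden_alerts(payload: bytes, rules: List[Rule] = RULES) -> List[str]:
    """Alerts a first-match engine would lose on this payload."""
    seen = set(first_match(payload, rules))
    return [msg for msg in all_matches(payload, rules) if msg not in seen]


if __name__ == "__main__":
    print("first-match:", first_match(DECOY_THEN_REAL))
    print("all-match:  ", all_matches(DECOY_THEN_REAL))
    print("hidden:     ", hidden_alerts(DECOY_THEN_REAL))
    print("no decoy:   ", first_match(REAL_ONLY))
```

Note that the outcome depends only on rule order relative to payload order: reversing `RULES` makes the cmd.exe rule fire first and hides the test-cgi alert instead. Whichever rule sits earlier in the list decides what gets logged, so a decoy is cheap for anyone who can read the ruleset.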
