Snort mailing list archives

Re: RV: Snort exploits


From: Chris Green <cmg () sourcefire com>
Date: Wed, 17 Apr 2002 11:06:34 -0400

"Mike Arrison" <arrison () gnostech com> writes:

I saw this recently on bugtraq too.  I thought "preprocessor frag2" would
take care of fragmentation exploits like this.  Would someone smart please
chime in? :)


Talked to Marty about it last night and most of the attacks should be
either configurable around or detected but since the post claimed that
one of them worked, I'm having people here generate the
attacks/captures for us to investigate sometime today.

I know the TTL evasion scenario 6 can be at least somewhat configured
away by the min_ttl option and I had started work on a more robust TTL
evasion detection but it's not done in 1.9.x

So the short of it is we're looking at it but it's a lot of things to
investigate so please be patient while we do the full assessment of the
attacks and how snort responds.

Once we have a full assessment of the situation & what we can work
around quickly v. what will take a long time, we'll do an official
response.

I'll quit rambling and get back to work :-)
-- 
Chris Green <cmg () sourcefire com>
"I'm beginning to think that my router may be confused."

