Snort mailing list archives
Re: RV: Snort exploits
From: Chris Green <cmg () sourcefire com>
Date: Wed, 17 Apr 2002 11:06:34 -0400
"Mike Arrison" <arrison () gnostech com> writes:
I saw this recently on bugtraq too. I thought "preprocessor frag2" would take care of fragmentation exploits like this. Would someone smart please chime in? :)
Talked to Marty about it last night and most of the attacks should be either configurable around or detected, but since the post claimed that one of them worked, I'm having people here generate the attacks/captures for us to investigate sometime today.

I know the TTL evasion scenario 6 can be at least somewhat configured away by the min_ttl option, and I had started work on a more robust TTL evasion detection, but it's not done in 1.9.x.

So the short of it is we're looking at it, but it's a lot of things to investigate, so please be patient while we do the full assessment of the attacks and how snort responds. Once we have a full assessment of the situation & what we can work around quickly v. what will take a long time, we'll do an official response.

I'll quit rambling and get back to work :-)

--
Chris Green <cmg () sourcefire com>
"I'm beginning to think that my router may be confused."

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users