Snort mailing list archives
Snort Advisory - Security Bit Mitigation
From: Brian <bmc () snort org>
Date: Tue, 1 Apr 2003 08:26:20 -0500
Snort Advisory
Evil Packet Mitigation

Date: April 1, 2003

Synopsis:
The Snort Research Team has learned of a flaw in the alerting mechanism in the Snort IP decoder. The Snort IP decoder does not properly check the Evil Bit as defined in RFC 3514. The Snort IP decoder incorrectly processes traffic that does not have malicious intent and can cause false positives.

Impact:
The Snort IP Decoder flaw may lead to a denial of service (DoS) attack targeting the analysis by sending tons of alarms that, had the evil bit been set, would have been actual attacks but in actuality were normal traffic. In its default configuration, Snort is vulnerable to this attack.

Affected Versions:
All versions of snort previous to 2.0

Mitigation:
Adding the following BPF filter to the snort command-line will mitigate the risk of a DoS of analysts:

    ip[6] & 0x80 != 0

This mitigation does not take into account the required random number generator as defined in RFC 3514 that will decide holistically if the packet in question is of malicious intent. Future versions of snort will properly handle the evil bit and only generate alerts based on multiple random number generators as defined in RFC 3514.

References:
RFC 3514 - The Security Flag in the IPv4 Header

Credit:
Snort Research Team
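What the BPF expression in the advisory selects, as an added example that is not part of the original message: byte 6 of the IPv4 header carries the flag bits, and 0x80 is the reserved bit that RFC 3514 calls the evil bit, so with this filter Snort only sees packets that have it set. The headers are constructed sample data and all function names are hypothetical.

```python
import socket
import struct

EVIL_BIT = 0x80  # reserved flag: high bit of IPv4 header byte 6 (RFC 3514)
DF_BIT = 0x40    # Don't Fragment
MF_BIT = 0x20    # More Fragments


def build_header(byte6: int) -> bytes:
    """Constructed 20-byte IPv4 header whose byte 6 (flags + top of offset) is byte6."""
    return struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, 20, 0x1234,        # version/IHL, TOS, total length, ID
        byte6 << 8,                 # flags and fragment offset
        64, socket.IPPROTO_TCP, 0,  # TTL, protocol, checksum (left zero)
        socket.inet_aton("192.0.2.1"), socket.inet_aton("198.51.100.7"),
    )


def filter_matches(packet: bytes) -> bool:
    """Mirror of the pcap filter `ip[6] & 0x80 != 0` on a raw IPv4 packet.

    In pcap filter syntax `&` is applied before `!=`, so this is
    (ip[6] & 0x80) != 0. Truncated or non-IPv4 input never matches.
    """
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return False
    return (packet[6] & EVIL_BIT) != 0


def c_style_reading(packet: bytes) -> bool:
    """The same text under C precedence: ip[6] & (0x80 != 0), i.e. ip[6] & 1."""
    return len(packet) >= 20 and (packet[6] & int(EVIL_BIT != 0)) != 0


# Constructed sample headers, keyed by a descriptive label.
SAMPLES = {
    "normal, DF set": build_header(DF_BIT),
    "evil bit set": build_header(EVIL_BIT),
    "evil bit + DF": build_header(EVIL_BIT | DF_BIT),
    "fragment, MF set": build_header(MF_BIT),
    "fragment offset field 0x0100": build_header(0x01),
    "truncated": build_header(EVIL_BIT)[:6],
}


def passed_to_snort(samples: dict) -> list:
    """Labels of the packets the capture filter would hand to Snort."""
    return [name for name, pkt in samples.items() if filter_matches(pkt)]
```

The `c_style_reading` helper is there only to show that someone reading the expression with C operator precedence would test the wrong bit; pcap evaluates it as `filter_matches` does.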