Snort mailing list archives

Snort Advisory - Security Bit Mitigation


From: Brian <bmc () snort org>
Date: Tue, 1 Apr 2003 08:26:20 -0500

Snort Advisory

Evil Packet Mitigation 

Date: April 1, 2003

Synopsis:

The Snort Research Team has learned of a flaw in the alerting mechanism in
the Snort IP decoder.  The Snort IP decoder does not properly check the 
Evil Bit as defined in RFC 3514.  The Snort IP decoder incorrectly processes
traffic that does not have malicious intent and can cause false positives.

Impact:

The Snort IP Decoder flaw may lead to a denial of service (DoS) attack
targeting the analysis by sending tons of alarms that, had the evil bit been
set, would have been actual attacks but in actuality were normal traffic.
In its default configuration, Snort is vulnerable to this attack.

Affected Versions:

All versions of snort previous to 2.0

Mitigation:

Adding the following BPF filter to the snort command-line will mitigate the
risk of a DoS of analysts:

   ip[6] & 0x80 != 0

This mitigation does not take into account the required random number 
generator as defined in RFC 3514 that will decide holistically if the 
packet in question is of malicious intent.  Future versions of snort will
properly handle the evil bit and only generate alerts based on multiple
random number generators as defined in RFC 3514.

References:

RFC 3514 - The Security Flag in the IPv4 Header

Credit:

Snort Research Team


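As an added illustration (not part of the original advisory), the Python below shows exactly what the BPF expression above selects: it builds two constructed IPv4 headers, one ordinary and one with the reserved bit set, and decodes the flags word so the reserved bit at ip[6] & 0x80 can be seen next to DF and MF. Addresses, IP ID and protocol are made-up sample values.

```python
import struct

EVIL_BIT = 0x8000   # reserved flag, bit 0 of the flags field (RFC 3514 "evil bit")
DF_BIT = 0x4000     # Don't Fragment
MF_BIT = 0x2000     # More Fragments


def ipv4_checksum(header: bytes) -> int:
    """Standard one's-complement sum over the header's 16-bit words."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(flags: int, src: str, dst: str, proto: int = 6) -> bytes:
    """Construct a minimal 20-byte IPv4 header with the given flag bits (sample data)."""
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    # version/IHL, TOS, total length, ID, flags+fragment offset, TTL, proto, checksum, src, dst
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0x1234, flags, 64, proto, 0, src_b, dst_b)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def parse_ipv4_flags(packet: bytes) -> dict:
    """Decode the flags/fragment word of an IPv4 header (no link-layer header present)."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    if ipv4_checksum(packet[:(packet[0] & 0x0F) * 4]) != 0:
        raise ValueError("bad IPv4 header checksum")
    word = struct.unpack("!H", packet[6:8])[0]
    return {"evil": bool(word & EVIL_BIT), "df": bool(word & DF_BIT),
            "mf": bool(word & MF_BIT), "frag_offset": word & 0x1FFF}


def matches_advisory_filter(packet: bytes) -> bool:
    """Byte-level equivalent of the advisory's BPF expression 'ip[6] & 0x80 != 0'."""
    return (packet[6] & 0x80) != 0


# Constructed sample packets: an ordinary DF packet and one with the reserved bit set.
NORMAL = build_ipv4_header(DF_BIT, "192.0.2.10", "192.0.2.20")
EVIL = build_ipv4_header(EVIL_BIT | DF_BIT, "192.0.2.10", "192.0.2.20")

if __name__ == "__main__":
    for name, pkt in (("normal", NORMAL), ("evil", EVIL)):
        print(name, parse_ipv4_flags(pkt), "filter matches:", matches_advisory_filter(pkt))
```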

