Snort mailing list archives

Catching Snort DOS


From: João Mota <joao () 3gnt net>
Date: Fri, 30 Sep 2005 15:15:32 +0100

Hello,

I was trying to write a rule to match the exploit code that targets the vulnerability described in:
http://www.snort.org/pub-bin/snortnews.cgi#58
(exploit at http://www.frsirt.com/exploits/20050912.snortsackdos.c.php)

I can't seem to do it because the packets aren't "seen" by Snort. I've tried the 2.3.3 (Build 14) and 2.4.2 (Build 25) versions of Snort with the same result. I'm guessing that the bug is still there and leads to the discarding of the packet (it doesn't show as discarded in the Snort exit status, though).
But isn't Snort supposed to sniff all the packets, including corrupt ones?
Can anyone else confirm this, or am I doing something wrong?
I'm running Ethereal on the same machine and the packets are shown (default src IP = 200.31.33.70), and the rule:
alert tcp 200.31.33.70 any -> any any (msg: "whatever";)
isn't triggered. I even tried using ip for the protocol and still got no alert.
This rule isn't supposed to catch the exploit; it's just a test I used to see if the exploit packets were being tested. I even tried "any any -> any any" and browsed the results, and no exploit packets were logged.

Any clues/hints?

Thanks,
João
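Added example for this thread (Python; this is not the poster's code and not Snort's own decoder): a minimal TCP-options decoder run in a strict mode and a lenient mode, to illustrate in general terms how a decoder that rejects a packet with a malformed TCP option before the detection engine sees it makes that packet invisible to rules, while a raw sniffer such as Ethereal still displays it. The packet bytes and the malformed SACK option used here are constructed for illustration and are not taken from the exploit referenced above.

```python
"""
Constructed example: a TCP header/options decoder with a strict mode (decoder
rejects the packet on any malformed option, so no rule ever sees it) and a
lenient mode (decoder keeps the parsed prefix so the packet still reaches
rule matching). Sample packets are built inline; nothing here is captured
traffic or the referenced exploit's payload.
"""
import struct

TCPOPT_EOL, TCPOPT_NOP, TCPOPT_SACK = 0, 1, 5


def parse_tcp_options(opts: bytes, strict: bool = True):
    """Return a list of (kind, payload) tuples from a TCP options field.

    strict=True  : raise ValueError on any malformed option.
    strict=False : stop at the first malformed option, keep what was parsed.
    """
    out = []
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == TCPOPT_EOL:
            break
        if kind == TCPOPT_NOP:
            out.append((kind, b""))
            i += 1
            continue
        # Every other option kind carries a length byte covering kind+len+payload.
        if i + 1 >= len(opts):
            if strict:
                raise ValueError("option kind %d has no length byte" % kind)
            break
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            if strict:
                raise ValueError("option kind %d has bad length %d" % (kind, length))
            break
        payload = opts[i + 2:i + length]
        if kind == TCPOPT_SACK and len(payload) % 8:
            # SACK blocks are pairs of 32-bit sequence edges (8 bytes each).
            if strict:
                raise ValueError("SACK payload length %d is not a multiple of 8" % len(payload))
            break
        out.append((kind, payload))
        i += length
    return out


def build_tcp_header(sport: int, dport: int, options: bytes) -> bytes:
    """Build a 20-byte TCP header (checksum left zero) followed by padded options."""
    padded = options + b"\x00" * ((-len(options)) % 4)  # pad to 32-bit boundary
    data_offset = (20 + len(padded)) // 4
    hdr = struct.pack("!HHIIBBHHH", sport, dport, 0, 0,
                      data_offset << 4, 0x10, 8192, 0, 0)
    return hdr + padded


def decode_tcp(segment: bytes, strict: bool = True):
    """Decode header + options; return None when the decoder rejects the segment."""
    if len(segment) < 20:
        return None
    sport, dport, _seq, _ack, off_flags = struct.unpack("!HHIIB", segment[:13])
    doff = (off_flags >> 4) * 4
    if doff < 20 or doff > len(segment):
        return None
    try:
        opts = parse_tcp_options(segment[20:doff], strict=strict)
    except ValueError:
        return None  # a strict decoder silently drops the packet here
    return {"sport": sport, "dport": dport, "options": opts}


# Constructed samples: one well-formed SACK block, and a SACK option whose
# length byte (3) leaves no room for a full 8-byte block.
GOOD_SACK = bytes([TCPOPT_NOP, TCPOPT_NOP, TCPOPT_SACK, 10]) + struct.pack("!II", 1000, 2000)
BAD_SACK = bytes([TCPOPT_NOP, TCPOPT_NOP, TCPOPT_SACK, 3, 0x41])


def demo():
    good = build_tcp_header(12345, 80, GOOD_SACK)
    bad = build_tcp_header(12345, 80, BAD_SACK)
    return {
        "good_strict": decode_tcp(good, strict=True),
        "bad_strict": decode_tcp(bad, strict=True),
        "bad_lenient": decode_tcp(bad, strict=False),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, "->", "DROPPED by decoder" if result is None else result)
```

The point for the question above: a packet capture library hands every frame to both tools, but a rule engine only matches on what its decoder emits. If the decoder bails out on a malformed option (the `bad_strict` case), no rule, not even `any any -> any any`, will ever see the packet, and a plain exit-status packet counter need not report it as dropped. Comparing the capture count against the decoder's own per-protocol counters is the quickest way to spot that gap.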




_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

