Snort mailing list archives

Previous By Date Next
Previous By Thread Next

flow_depth and WMF exploit

From: Jason Haar <Jason.Haar () trimble co nz>
Date: Wed, 04 Jan 2006 12:33:27 +1300
I have seen no-one (hi Frank!) mention this yet, but the current
Bleeding snort rule for detecting the WMF exploit won't work with
default http_inspect_server settings, as by default snort only reads the
first 300 bytes of returned HTTP traffic - thereby missing the exploit?

The "fix" is to set flow_depth to zero - which apparently will/might
effectively DoS your IDS on a busy network. So it's not much of a fix.
Also, I get the impression flow_depth only ever looks at the first packet?

Is that the case, and if so, are there better ways of doing it? Reading
returned HTTP data seems to me to be rather a necessary act for an IDS...

-- 
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1



-------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc. Do you grep through log files
for problems?  Stop!  Download the new AJAX search engine that makes
searching your log files as easy as surfing the  web.  DOWNLOAD SPLUNK!
http://ads.osdn.com/?ad_id=7637&alloc_id=16865&op=click
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
Previous By Date Next
Previous By Thread Next

Current thread: