Snort mailing list archives

Previous By Date Next
Previous By Thread Next

Possible Evasion in http_inspect

From: Jennifer Steffens <jennifer.steffens () sourcefire com>
Date: Wed, 31 May 2006 18:28:23 -0400
Sourcefire is aware of a possible Snort evasion that exists in the
http_inspect preprocessor.  This evasion case only applies to protected
Apache web servers. We have prepared fixes for both the 2.4 and 2.6
branches and will have fully tested releases, including binaries,
available for both on Monday, June 5th.


Evasion Details:

The Apache web server supports special characters in HTTP requests that
do not affect the processing of the particular request.  The current
target-based profiles for Apache in the http_inspect preprocessor do not
properly handle these requests, resulting in the possibility that an
attacker can bypass detection of rules that use the "uricontent" keyword
by embedding special characters in a HTTP request.


Background Information:

It is important to note that this is an evasion and not a vulnerability.
This means that while it is possible for an attacker to bypass
detection, Snort sensors and the networks they protect are not at a
heightened risk of other attacks.


Timeline:

Sourcefire has prepared fixes and is currently finalizing a complete
round of testing to ensure that the fixes not only solve the issue at
hand but do not create new bugs as well. The following releases,
including binaries for Linux and Windows deployments, will be available
on Monday, June 5th:

* Snort v2.4.5
* Snort v2.6.0 final


Questions:

Any questions regarding these releases can be sent to
snort-team () sourcefire com.

Thanks,
Jennifer


-- 
Jennifer S. Steffens
Director, Product Management - Snort
Sourcefire - Security for the Real World
W: 410.423.1930 | C: 202.409.7707
www.sourcefire.com | www.snort.org




-------------------------------------------------------
All the advantages of Linux Managed Hosting--Without the Cost and Risk!
Fully trained technicians. The highest number of Red Hat certifications in
the hosting industry. Fanatical Support. Click to learn more
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=107521&bid=248729&dat=121642
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
Previous By Date Next
Previous By Thread Next

Current thread: