Snort mailing list archives
Re: Ip_proto's 'lsrre' parameter
From: Steven Sturges <steve.sturges () sourcefire com>
Date: Thu, 21 Oct 2010 09:11:03 -0400
Hi Joshua--

First, for clarification, this is in ipopts, not in ip_proto.

As for the code, the ipopts rule option is a straight-up check against the number, and 'lsrre' has been in there since revision 1.1 in 2000, so it will match when there is an IP option with value of 0x84.

SID 501 is pretty old, so I'm not entirely sure how the rule covers the vuln referenced. VRT, perhaps you can shed some light on that part?

Cheers.
-steve

On 10/18/2010 5:16 PM, Joshua.Kinard () us-cert gov wrote:
Hi -devel,

I was looking at the ip_proto option in detail, and noticed that in the source code, an undocumented parameter, 'lsrre', exists. This is not only not referenced in the 2.9.0 manual, but per a thread[1] from ~July 2007, it also refers to an unofficial IANA number[2], 0x84 (132 dec). The 'lsrr' parameter has an official IANA value of 0x83 (131 dec).

Is there any clarification available on what 'ip_proto:lsrre;' would target? It's used in misc.rules 1:501:4, and references CVE-1999-0909 (which then refers to MS99-038)[3], so it looks to me to be a one-off option for a specific Windows flaw (much like the entire 'cvs' rule option).

Can this parameter also get a mention in the next update of the 2.9.0 manual?

Refs:
1. http://www.mcabee.org/lists/snort-users/Jul-07/msg00010.html
   http://www.mcabee.org/lists/snort-users/Jul-07/msg00011.html
2. http://www.iana.org/assignments/ip-parameters
3. http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-1999-0909
   http://www.microsoft.com/technet/security/bulletin/ms99-038.mspx

Thanks!,

--J

_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel
Current thread:
- Ip_proto's 'lsrre' parameter Joshua.Kinard (Oct 18)
- Re: Ip_proto's 'lsrre' parameter Steven Sturges (Oct 21)
- Re: Ip_proto's 'lsrre' parameter Joshua.Kinard (Oct 22)
- Re: Ip_proto's 'lsrre' parameter Steven Sturges (Oct 25)