Snort mailing list archives
Re: Ip_proto's 'lsrre' parameter
From: <Joshua.Kinard () us-cert gov>
Date: Fri, 22 Oct 2010 21:59:39 -0400
Hi Steven,

My bad on the wrong option, I was going back and forth between the two and got them mixed up :)

As far as the numeric value goes, yeah, the code itself will work. I was commenting on the value of 0x84 not being on IANA's list for IP Options, so I didn't know what it was for (I was hoping they'd have something about it).

I'm curious to know what VRT says, as I searched Google high and low for a variety of keywords to try and turn something up, but didn't get anything back outside of the 2007 mailing-list blurb, and Snort's own source code.

Thanks!,

--J

-----Original Message-----
From: Steven Sturges [mailto:steve.sturges () sourcefire com]
Sent: Thursday, October 21, 2010 9:11 AM
To: Kinard, Joshua A
Cc: snort-devel () lists sourceforge net
Subject: Re: [Snort-devel] Ip_proto's 'lsrre' parameter

Hi Joshua--

First, for clarification, this is in ipopts, not in ip_proto.

As for the code, the ipopts rule option is a straight-up check against the number, and 'lsrre' has been in there since revision 1.1 in 2000, so it will match when there is an IP option with value of 0x84.

SID 501 is pretty old, so I'm not entirely sure how the rule covers the vuln referenced. VRT, perhaps you can shed some light on that part?

Cheers.
-steve

On 10/18/2010 5:16 PM, Joshua.Kinard () us-cert gov wrote:

Hi -devel,

I was looking at the ip_proto option in detail, and noticed that in the source code, an undocumented parameter, 'lsrre', exists. This is not only not referenced in the 2.9.0 manual, but per a thread[1] from ~July 2007, it also refers to an unofficial IANA number[2], 0x84 (132 dec).

The 'lsrr' parameter has an official IANA value of 0x83 (131 dec).

Is there any clarification available on what 'ip_proto:lsrre;' would target? It's used in misc.rules 1:501:4, and references CVE-1999-0909 (which then refers to MS99-038)[3], so it looks to me to be a one-off option for a specific Windows flaw (much like the entire 'cvs' rule option).

Can this parameter also get a mention in the next update of the 2.9.0 manual?

Refs:
1. http://www.mcabee.org/lists/snort-users/Jul-07/msg00010.html
   http://www.mcabee.org/lists/snort-users/Jul-07/msg00011.html
2. http://www.iana.org/assignments/ip-parameters
3. http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-1999-0909
   http://www.microsoft.com/technet/security/bulletin/ms99-038.mspx

Thanks!,

--J
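The kind of check Steven describes, a direct comparison against the option number, shown as an added example that is not part of the thread and is not Snort's own code: a stand-alone C walk of an IPv4 header's option list that reports whether an option with a given type byte is present. The function name and the three sample headers are constructed for illustration; 0x83 and 0x84 are the values given in the thread.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define IPOPT_EOL   0x00 /* end of option list (single byte) */
#define IPOPT_NOP   0x01 /* no-operation (single byte) */
#define IPOPT_LSRR  0x83 /* value the thread gives for 'lsrr' */
#define IPOPT_LSRRE 0x84 /* value the thread gives for 'lsrre' */

/* Constructed IPv4 headers (checksums zeroed, addresses from 192.0.2.0/24). */
static const uint8_t pkt_lsrre[24] = {          /* IHL=6: NOP + 0x84 option */
    0x46,0,0,24, 0,0,0,0, 64,1,0,0, 192,0,2,1, 192,0,2,2,
    IPOPT_NOP, IPOPT_LSRRE, 3, 4 };
static const uint8_t pkt_lsrr[28] = {           /* IHL=7: LSRR + EOL */
    0x47,0,0,28, 0,0,0,0, 64,1,0,0, 192,0,2,1, 192,0,2,2,
    IPOPT_LSRR, 7, 4, 192,0,2,9, IPOPT_EOL };
static const uint8_t pkt_bad[24] = {            /* option length overruns header */
    0x46,0,0,24, 0,0,0,0, 64,1,0,0, 192,0,2,1, 192,0,2,2,
    IPOPT_LSRRE, 8, 4, 0 };

/* Returns 1 if an option with type byte `want` is present, 0 if absent,
 * -1 if the header or its option list is malformed. */
int ipv4_has_option(const uint8_t *pkt, size_t len, uint8_t want)
{
    if (len < 20 || (pkt[0] >> 4) != 4) return -1;
    size_t hlen = (size_t)(pkt[0] & 0x0f) * 4;  /* IHL counts 32-bit words */
    if (hlen < 20 || hlen > len) return -1;
    for (size_t i = 20; i < hlen; ) {
        uint8_t type = pkt[i];
        if (type == IPOPT_EOL || type == IPOPT_NOP) {
            if (type == want) return 1;
            if (type == IPOPT_EOL) return 0;    /* nothing after EOL counts */
            i++;
            continue;
        }
        if (i + 1 >= hlen) return -1;           /* no room for the length byte */
        uint8_t olen = pkt[i + 1];
        if (olen < 2 || i + olen > hlen) return -1;
        if (type == want) return 1;
        i += olen;
    }
    return 0;
}

int main(void)
{
    printf("lsrre: %d, malformed: %d\n",
           ipv4_has_option(pkt_lsrre, sizeof pkt_lsrre, IPOPT_LSRRE),
           ipv4_has_option(pkt_bad, sizeof pkt_bad, IPOPT_LSRRE));
    return 0;
}
```

The length checks keep a truncated or oversized option from being reported as a match, so the malformed header yields -1 rather than 1.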
Current thread:
- Ip_proto's 'lsrre' parameter Joshua.Kinard (Oct 18)
- Re: Ip_proto's 'lsrre' parameter Steven Sturges (Oct 21)
- Re: Ip_proto's 'lsrre' parameter Joshua.Kinard (Oct 22)
- Re: Ip_proto's 'lsrre' parameter Steven Sturges (Oct 25)
- Re: Ip_proto's 'lsrre' parameter Joshua.Kinard (Oct 22)
- Re: Ip_proto's 'lsrre' parameter Steven Sturges (Oct 21)