Re: Ip_proto's 'lsrre' parameter

[<Joshua.Kinard () us-cert gov>]

Hi Steven,

My bad on the wrong option, I was going back and forth between the two
and got them mixed up :)

As far as the numeric value goes, yeah, the code itself will work.  I
was commenting on the value of 0x84 not being on IANA's list for IP
Options, so I didn't know what it was for (I was hoping they'd have
something about it).

I'm curious to know what VRT says, as I searched google high and low for
a variety of keywords to try and turn something up, but didn't get
anything back outside of the 2007 mailing-list blurb, and Snort's own
source code.

Thanks!,

--J


-----Original Message-----
From: Steven Sturges [mailto:steve.sturges () sourcefire com] 
Sent: Thursday, October 21, 2010 9:11 AM
To: Kinard, Joshua A
Cc: snort-devel () lists sourceforge net
Subject: Re: [Snort-devel] Ip_proto's 'lsrre' parameter

Hi Joshua--

First, for clarification, this is in ipots, not in ip_proto.

As for the code, the ipopts rule option is a striaght-up check against
the number, and 'lsrre' has been in there since revision 1.1 in 2000, so
it will match when there is an IP option with value of 0x84.

SID 501 is pretty old, so I'm not entirely sure how the rule covers the
vuln referenced .

VRT, perhaps you can shed some light on that part?

Cheers.
-steve

On 10/18/2010 5:16 PM, Joshua.Kinard () us-cert gov wrote:
> Hi -devel,
>
> I was looking at the ip_proto option in detail, and noticed that in 
> the source code, an undocumented parameter, 'lsrre', exists.  This is 
> not only not referenced in the 2.9.0 manual, but per a thread[1] from 
> ~July 2007, it also refers to an unofficial IANA number[2], 0x84 (132
dec).
> The 'lsrr' parameter has an official IANA value of 0x83 (131 dec).
>
> Is there any clarification available on what 'ip_proto:lsrre;' would 
> target?  It's used in misc.rules 1:501:4, and references CVE-1999-0909

> (which then refers to MS99-038)[3], so it looks to me to be a one-off 
> option for a specific Windows flaw (much like the entire 'cvs' rule 
> option).
>
> Can this parameter also get a mention in the next update of the 2.9.0 
> manual?
>
> Refs:
> 1. http://www.mcabee.org/lists/snort-users/Jul-07/msg00010.html
>    http://www.mcabee.org/lists/snort-users/Jul-07/msg00011.html
>
> 2. http://www.iana.org/assignments/ip-parameters
>
> 3. http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-1999-0909
>    http://www.microsoft.com/technet/security/bulletin/ms99-038.mspx
>
>
> Thanks!,
>
> --J
>
> ----------------------------------------------------------------------
> -------- Download new Adobe(R) Flash(R) Builder(TM) 4 The new Adobe(R)

> Flex(R) 4 and Flash(R) Builder(TM) 4 (formerly
> Flex(R) Builder(TM)) enable the development of rich applications that 
> run across multiple browsers and platforms. Download your free trials
today!
> http://p.sf.net/sfu/adobe-dev2dev
> _______________________________________________
> Snort-devel mailing list
> Snort-devel () lists sourceforge net
> https://lists.sourceforge.net/lists/listinfo/snort-devel

------------------------------------------------------------------------------
Nokia and AT&T present the 2010 Calling All Innovators-North America contest
Create new apps & games for the Nokia N8 for consumers in  U.S. and Canada
$10 million total in prizes - $4M cash, 500 devices, nearly $6M in marketing
Develop with Nokia Qt SDK, Web Runtime, or Java and Publish to Ovi Store 
http://p.sf.net/sfu/nokia-dev2dev
_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel