Snort mailing list archives
Snort detection engine vulnerability
From: Moritz Jodeit <moritz () jodeit org>
Date: Tue, 31 Jul 2001 02:08:59 +0200
Hi,

I think I found a design flaw in Snort's detection engine. The detection engine checks each package, and the first rule that matches triggers the action specified in the rule. The problem is that once an action was triggered, no more checks are done on the package. It is possible for someone to put a fake exploit at the beginning of a packet and put the real exploit after the fake one. This way, the fake exploit triggers the rule and the real exploit doesn't get detected.

http://snort.protected.host.com/test-cgi/../[insert your favourite iis exploit]

This sample triggers the "WEB-CGI test-cgi access" rule, while the real exploit doesn't get logged.

I sent two emails to roesch () clark net, but didn't get any response, so I send it to the list...

--
Moritz Jodeit
http://www.jodeit.org/
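The behaviour described in the message above, as an added example that is not part of the original post and is not Snort's code: a toy first-match engine next to one that evaluates every rule, plus a helper that lists the alerts the first-match pass never reports. The second rule, its pattern and the sample request are constructed placeholders.

```python
# Toy model of the behaviour described in the post; not Snort's code.
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    msg: str        # alert message written to the log
    content: bytes  # byte pattern searched for in the payload


# Rule order matters for a first-match engine. The first msg is the rule
# named in the post; the second rule and its pattern are constructed
# placeholders (assumption), standing in for any later signature.
RULES = [
    Rule("WEB-CGI test-cgi access", b"/test-cgi"),
    Rule("PLACEHOLDER second signature", b"SECOND-PATTERN"),
]


def first_match(payload, rules=RULES):
    """Stop at the first matching rule, as the post describes."""
    for rule in rules:
        if rule.content in payload:
            return [rule.msg]
    return []


def all_matches(payload, rules=RULES):
    """Evaluate every rule and report each one that matches."""
    return [r.msg for r in rules if r.content in payload]


def shadowed(payload, rules=RULES):
    """Alerts an exhaustive pass raises but first-match never reports."""
    seen = first_match(payload, rules)
    return [m for m in all_matches(payload, rules) if m not in seen]


# Constructed request shaped like the URL in the post.
SAMPLE = b"GET /test-cgi/../SECOND-PATTERN HTTP/1.0\r\n\r\n"

if __name__ == "__main__":
    print("first match :", first_match(SAMPLE))
    print("all matches :", all_matches(SAMPLE))
    print("shadowed    :", shadowed(SAMPLE))
```

Running `shadowed()` over captured traffic with a rule set in its configured order shows which alerts an analyst would not see under first-match evaluation.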
Current thread:
- Snort detection engine vulnerability Moritz Jodeit (Jul 30)
- Re: Snort detection engine vulnerability James Hoagland (Jul 30)
- Re: Snort detection engine vulnerability Dragos Ruiu (Jul 30)
- Re: Snort detection engine vulnerability Dragos Ruiu (Jul 30)
- RE: Snort detection engine vulnerability Jason Lewis (Jul 30)
- Re: Snort detection engine vulnerability Yoann Vandoorselaere (Jul 31)
- Re: Snort detection engine vulnerability James Hoagland (Jul 30)