Snort mailing list archives
Snort SACK Option DoS clarifications
From: Martin Roesch <roesch () sourcefire com>
Date: Mon, 12 Sep 2005 22:26:20 -0400
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

FYI, here are a few points about this issue.

1) It's a DoS if you're running in verbose mode. If you're running Snort as a NIDS you shouldn't be running in verbose mode as it will torpedo your performance, this has been known for over 6 years now. If you're running in sniffer mode and someone DoS's you, go grab log.c from CVS, recompile and you're fine.
2) This is a NULL pointer dereference, so it won't turn into more than a DoS.
3) The guy who released the advisory for this relatively minor issue decided to do so without coordination with the Snort project or Sourcefire, even though we asked him to wait so we could coordinate. Rolling out a Snort release is a complex series of events and we have several other bug fixes that we're putting together for 2.4.1 (check out CVS if you want to see the fixes) plus docs and so on that need to go in there.
Fact of the matter is that this guy decided that responsible disclosure wasn't necessary in this case and then decided to make a big deal out of it (high risk my ass). Whatever. We'll get 2.4.1 out as soon as we can and that'll be that.
If anyone has any questions or comments feel free to drop me a mail.

-Marty

- --
Martin Roesch - Founder/CTO, Sourcefire Inc. - +1-410-290-1616
Sourcefire - Discover. Determine. Defend.
roesch () sourcefire com - http://www.sourcefire.com
Snort: Open Source Network IDS - http://www.snort.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (Darwin)

iD8DBQFDJjjNqj0FAQQ3KOARAvxYAJ0U/CmuOas9oIlorwAKCocbty+4vQCcDVXd
VC1kZjKP+paig0sqylt/xPU=
=guuk
-----END PGP SIGNATURE-----