Snort mailing list archives
Re: BO preproc exploit published
From: Murali Raju <protocoljunkie () gmail com>
Date: Thu, 27 Oct 2005 07:42:45 -0400
95% of the snort sensors I build use OpenBSD and the rest are a mix of Linux (PAX/GrSecurity)/FreeBSD (for in-line). The exploit did not work on any of these.

_Raju

On 10/26/05, byte_jump <bytejump () gmail com> wrote:

> On 10/26/05, Paul Melson <pmelson () gmail com> wrote:
>
>> I saw that in the release notes. To date, my sensors have not detected any attempts to exploit the bo preproc. I suppose that now that there's publicly available code that I ought to test it. ;)
>>
>> PaulM
>
> I didn't spend a ton of time on it, but I used the exploit code against a Snort 2.4.0 Snort box with the BO preprocessor enabled. Snort had been compiled with the SPP gcc (formerly ProPolice) and was on a 2.4 kernel with grsecurity/PaX. It wasn't a scientific test by any means, but the exploit did not work and seemed to fail due to ProPolice (this is a stack-based buffer overflow). The exploit did work against a similar server without ProPolice and grsecurity.
>
> Honestly, I'm very disappointed that 1) Sourcefire doesn't use ProPolice and grsecurity on their sensors, and 2) that Snort.org <http://Snort.org> does not encourage folks to use those security mechanisms, too. Those security measures certainly seemed to work in my less-than-scientific test.
-- May the packets be with you.