Snort mailing list archives
Ip_proto's 'lsrre' parameter
From: <Joshua.Kinard () us-cert gov>
Date: Mon, 18 Oct 2010 17:16:53 -0400
Hi -devel,

I was looking at the ip_proto option in detail, and noticed that in the source code, an undocumented parameter, 'lsrre', exists. This is not only not referenced in the 2.9.0 manual, but per a thread[1] from ~July 2007, it also refers to an unofficial IANA number[2], 0x84 (132 dec). The 'lsrr' parameter has an official IANA value of 0x83 (131 dec).

Is there any clarification available on what 'ip_proto:lsrre;' would target? It's used in misc.rules 1:501:4, and references CVE-1999-0909 (which then refers to MS99-038)[3], so it looks to me to be a one-off option for a specific Windows flaw (much like the entire 'cvs' rule option).

Can this parameter also get a mention in the next update of the 2.9.0 manual?

Refs:
1. http://www.mcabee.org/lists/snort-users/Jul-07/msg00010.html
   http://www.mcabee.org/lists/snort-users/Jul-07/msg00011.html
2. http://www.iana.org/assignments/ip-parameters
3. http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-1999-0909
   http://www.microsoft.com/technet/security/bulletin/ms99-038.mspx

Thanks!,
--J

_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel
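For readers following the thread, an added example (not part of the original message and not Snort's own code) showing what telling the two quoted option type values apart means at the byte level: it walks the options area of an IPv4 header and reports whether type 0x83 ('lsrr') or 0x84 ('lsrre') is present. The function name, macro names and sample headers are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>

#define IPOPT_EOL   0x00  /* end of option list (single byte) */
#define IPOPT_NOP   0x01  /* no-operation padding (single byte) */
#define IPOPT_LSRR  0x83  /* value the message gives for 'lsrr' */
#define IPOPT_LSRRE 0x84  /* value the message gives for 'lsrre' */

/* Constructed 20-byte IPv4 header, IHL=6, documentation addresses. */
#define SAMPLE_HDR 0x46,0x00,0x00,0x18, 0,0,0,0, 0x40,0x01,0,0, \
                   192,0,2,1, 192,0,2,2
static const uint8_t sample_lsrre[] = { SAMPLE_HDR, 0x84, 0x03, 0x04, 0x00 };
static const uint8_t sample_lsrr[]  = { SAMPLE_HDR, 0x83, 0x03, 0x04, 0x00 };
/* Option length (8) runs past the 4 bytes of option space. */
static const uint8_t sample_bad[]   = { SAMPLE_HDR, 0x84, 0x08, 0x04, 0x00 };

/* Look for a multi-byte option of the given type.
 * Returns 1 if present, 0 if absent, -1 if the header is malformed. */
int ipv4_has_option(const uint8_t *pkt, size_t len, uint8_t type)
{
    if (pkt == NULL || len < 20 || (pkt[0] >> 4) != 4)
        return -1;
    size_t hlen = (size_t)(pkt[0] & 0x0f) * 4;   /* IHL in bytes */
    if (hlen < 20 || hlen > len)
        return -1;
    size_t i = 20;
    while (i < hlen) {
        uint8_t t = pkt[i];
        if (t == IPOPT_EOL)
            break;                               /* rest is padding */
        if (t == IPOPT_NOP) { i++; continue; }
        if (i + 1 >= hlen)
            return -1;                           /* no room for length byte */
        uint8_t olen = pkt[i + 1];
        if (olen < 2 || i + olen > hlen)
            return -1;                           /* length under/overrun */
        if (t == type)
            return 1;
        i += olen;
    }
    return 0;
}

int main(void)
{
    /* Exit status 0 when the 0x84 sample matches only IPOPT_LSRRE. */
    return !(ipv4_has_option(sample_lsrre, sizeof sample_lsrre, IPOPT_LSRRE) == 1
          && ipv4_has_option(sample_lsrre, sizeof sample_lsrre, IPOPT_LSRR) == 0);
}
```

The length checks matter for a sensor: an option whose length byte overruns the header is reported as malformed rather than silently skipped.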