Snort mailing list archives

Ip_proto's 'lsrre' parameter


From: <Joshua.Kinard () us-cert gov>
Date: Mon, 18 Oct 2010 17:16:53 -0400


Hi -devel,

I was looking at the ip_proto option in detail, and noticed that in the
source code, an undocumented parameter, 'lsrre', exists.  This is not
only not referenced in the 2.9.0 manual, but per a thread[1] from ~July
2007, it also refers to an unofficial IANA number[2], 0x84 (132 dec).
The 'lsrr' parameter has an official IANA value of 0x83 (131 dec).

Is there any clarification available on what 'ip_proto:lsrre;' would
target?  It's used in misc.rules 1:501:4, and references CVE-1999-0909
(which then refers to MS99-038)[3], so it looks to me to be a one-off
option for a specific Windows flaw (much like the entire 'cvs' rule
option).

Can this parameter also get a mention in the next update of the 2.9.0
manual?

Refs:
1. http://www.mcabee.org/lists/snort-users/Jul-07/msg00010.html
   http://www.mcabee.org/lists/snort-users/Jul-07/msg00011.html

2. http://www.iana.org/assignments/ip-parameters

3. http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-1999-0909
   http://www.microsoft.com/technet/security/bulletin/ms99-038.mspx


Thanks!

--J
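
The two values compared in the message above, 0x83 and 0x84, are IPv4 header option type bytes. The following is an added example, not code from the post or from Snort: it walks the options area of an IPv4 header, splits each type byte into its RFC 791 copied/class/number fields, and reports either value. The function names and the sample header are constructed for illustration; the mapping of 0x84 to 'lsrre' is taken from the post.

```python
import struct

LSRR, LSRRE = 0x83, 0x84   # option type values quoted in the post
EOL, NOP = 0x00, 0x01      # single-byte options (RFC 791)
NAMES = {LSRR: "lsrr", LSRRE: "lsrre"}  # 0x84 -> 'lsrre' per the post

def ip_options(packet: bytes):
    """Walk the options area of an IPv4 header; return [(type, data)]."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    ihl = (packet[0] & 0x0F) * 4          # header length in bytes
    if ihl < 20 or ihl > len(packet):
        raise ValueError("bad IHL")
    opts, i = [], 20
    while i < ihl:
        opt_type = packet[i]
        if opt_type == EOL:               # end of option list
            break
        if opt_type == NOP:               # padding, no length byte
            opts.append((opt_type, b""))
            i += 1
            continue
        if i + 1 >= ihl:
            raise ValueError("truncated option")
        length = packet[i + 1]            # covers type + length + data
        if length < 2 or i + length > ihl:
            raise ValueError("bad option length")
        opts.append((opt_type, packet[i + 2:i + length]))
        i += length
    return opts

def describe(t: int) -> dict:
    """Split the type byte into its RFC 791 fields."""
    return {"copied": t >> 7, "class": (t >> 5) & 0x3, "number": t & 0x1F}

def source_route_hits(packet: bytes):
    return [NAMES[t] for t, _ in ip_options(packet) if t in NAMES]

def build_header(options: bytes) -> bytes:
    """Constructed sample input: IPv4 header (checksum left 0) + options."""
    options += b"\x00" * (-len(options) % 4)      # pad to 32-bit boundary
    ihl = 5 + len(options) // 4
    return struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, 20 + len(options), 0, 0,
                       64, 6, 0, b"\xc0\x00\x02\x01", b"\xc6\x33\x64\x02") + options

if __name__ == "__main__":
    for opt in (LSRR, LSRRE):             # constructed 7-byte route options
        pkt = build_header(bytes([opt, 7, 4, 10, 0, 0, 1]))
        print(hex(opt), describe(opt), source_route_hits(pkt))
```

Both type bytes have the copied bit set and class 0; they differ only in the option number (3 versus 4).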
