COMMAND

snort bypass using fragroute

SYSTEMS AFFECTED

All versions

PROBLEM

0xcafebabe reported a post by Dug Song, who released a tool on the focus-ids list that totally blindsides Snort:

http://www.monkey.org/~dugsong/fragroute/index.html

His README.snort file contains several fragroute scripts which blindside even the current Snort version in CVS, tested on RedHat 7.2. For example, the latest wu-ftpd exploits run through the one-line script "tcp_seg 1 new" don't trigger any Snort alerts at all.

SOLUTION

Update (25 April 2002)
======

Snort 1.8.7beta1 is available at:

http://www.snort.org/dl/beta/snort-1.8.7beta1.tar.gz

This should correct the issues that fragroute induces.
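For the "tcp_seg 1 new" case described under PROBLEM, the following added example (not code from Snort, fragroute or the original advisory) shows from the sensor's side why a content signature has to be matched on the reassembled TCP stream and not on individual segments. It assumes the missed alerts come from per-segment matching and that overlapping data may be resolved either way by the end host; `SIG`, `ISN`, `PAYLOAD`, the function names and all segments are constructed for illustration.

```python
SIG = b"SIG-PLACEHOLDER"            # constructed stand-in for a rule's content string
ISN = 0xFFFFFFF8                    # constructed initial sequence number, chosen to wrap
PAYLOAD = b"USER x " + SIG + b"\r\n"

def split(payload, size, isn=ISN):
    """Constructed input: payload cut into (seq, data) segments of `size` bytes."""
    return [((isn + i) & 0xFFFFFFFF, payload[i:i + size])
            for i in range(0, len(payload), size)]

def match_per_segment(segments, sig=SIG):
    """Weak check: look for the signature inside each segment on its own."""
    return any(sig in data for _, data in segments)

def reassemble(segments, isn=ISN, favor="new"):
    """Rebuild the byte stream by sequence offset, processing in arrival order.
    favor="new": a later overlapping byte overwrites; "old": the first copy wins."""
    stream = {}
    for seq, data in segments:
        off = (seq - isn) & 0xFFFFFFFF          # tolerate 32-bit sequence wraparound
        for i, b in enumerate(data):
            if favor == "new" or off + i not in stream:
                stream[off + i] = b
    out = bytearray()
    while len(out) in stream:                   # stop at the first gap in the stream
        out.append(stream[len(out)])
    return bytes(out)

def match_stream(segments, sig=SIG, isn=ISN):
    """Stronger check: match on the reassembled stream under both overlap
    policies, because the sensor cannot know which one the end host applies."""
    return any(sig in reassemble(segments, isn, f) for f in ("new", "old"))

whole = split(PAYLOAD, 1460)                    # one ordinary segment
tiny = split(PAYLOAD, 1)                        # same bytes, one byte per segment
# Constructed overlap: filler bytes arrive first, the real bytes arrive later
junk_first = split(b"USER x " + b"?" * len(SIG) + b"\r\n", 1) \
    + [((ISN + 7) & 0xFFFFFFFF, SIG)]

if __name__ == "__main__":
    for name, segs in (("whole", whole), ("tiny", tiny), ("junk_first", junk_first)):
        print(name, "per-segment:", match_per_segment(segs),
              "stream:", match_stream(segs))
```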