mailing list archives
RE: [Snort-devel] Re: [Snort-users] Snort DoS Fallacies
From: "Steven Sturges" <steve.sturges () sourcefire com>
Date: Wed, 14 Sep 2005 14:03:33 -0400
Q5) Frag3 has the problem in the snapshot I downloaded, why
won't you admit it?
A5) Because you're wrong. The snapshot you're referring to
has the fixes in PrintTcpOptions(), so even with the call to
PrintIPPkt() in there the DoS doesn't work. Version 2.4.0
did not have the code you are referring to.
I just grabbed the snapshot tarball from the website and it does
have the duplicate log Frag3 issues mentioned... It is correct in
CVS, so subsequent snapshot tarballs resolve this.
However, with the fixes to PrintTcpOptions being in the tarball,
it wouldn't be a DoS problem other than extra printfs.
Q13) Justin Ferguson made a patch against 2.3.3 that fixes
this problem, should I use it?
A13) I would not under any circumstances move back to 2.3.3
or use a patch from an untrusted 3rd party in a production
sensor, there were many bug fixes and new features
incorporated in 2.4.0 and reverting to an old version is a
step in the wrong direction. It is far safer and advisable
to use the log.c in CVS or wait for the 2.4.1 release if
you're not running fast/full alerting or ASCII logging.
The changes made on August 23 by Sourcefire are the same as those
in the patch to 2.3.3. Those changes have been in the 2.4 CVS
repository [and are in the snapshot tarball] for almost a month
(since the original poster brought this to our attention).
End of story.
- RE: [Snort-devel] Re: [Snort-users] Snort DoS Fallacies Steven Sturges (Sep 15)