Home page logo

bugtraq logo Bugtraq mailing list archives

RE: [Snort-devel] Re: [Snort-users] Snort DoS Fallacies
From: "Steven Sturges" <steve.sturges () sourcefire com>
Date: Wed, 14 Sep 2005 14:03:33 -0400

Q5) Frag3 has the problem in the snapshot I downloaded, why 
won't you admit it?
A5) Because you're wrong.  The snapshot you're referring to 
has the fixes in PrintTcpOptions(), so even with the call to 
PrintIPPkt() in there the DoS doesn't work.  Version 2.4.0 
did not have the code you are referring to.

I just grabbed the snapshot tarball from the website and it does
have the duplicate log Frag3 issues mentioned... It is correct in
CVS, so subsequent snapshot tarballs resolve this.

However, with the fixes to PrintTcpOptions being in the tarball,
it wouldn't be a DoS problem other than extra printfs.

Q13) Justin Ferguson made a patch against 2.3.3 that fixes 
this problem, should I use it?
A13) I would not under any circumstances move back to 2.3.3 
or use a patch from an untrusted 3rd party in a production 
sensor, there were many bug fixes and new features 
incorporated in 2.4.0 and reverting to an old version is a 
step in the wrong direction.  It is far safer and advisable 
to use the log.c in CVS or wait for the 2.4.1 release if 
you're not running fast/full alerting or ASCII logging.

The changes made on August 23 by Sourcefire are the same as those
in the patch to 2.3.3.  Those changes have been in the 2.4 CVS
repository [and are in the snapshot tarball] for almost a month
(since the original poster brought this to our attention).

End of story.


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]