Snort mailing list archives

Re: Ip_proto's 'lsrre' parameter
From: <Joshua.Kinard () us-cert gov>
Date: Fri, 22 Oct 2010 21:59:39 -0400

Hi Steven,

My bad on the wrong option, I was going back and forth between the two
and got them mixed up :)

As far as the numeric value goes, yeah, the code itself will work.  I
was commenting on the value of 0x84 not being on IANA's list for IP
Options, so I didn't know what it was for (I was hoping they'd have
something about it).

I'm curious to know what VRT says, as I searched Google high and low for
a variety of keywords to try and turn something up, but didn't get
anything back outside of the 2007 mailing-list blurb, and Snort's own
source code.



-----Original Message-----
From: Steven Sturges [mailto:steve.sturges () sourcefire com] 
Sent: Thursday, October 21, 2010 9:11 AM
To: Kinard, Joshua A
Cc: snort-devel () lists sourceforge net
Subject: Re: [Snort-devel] Ip_proto's 'lsrre' parameter

Hi Joshua--

First, for clarification, this is in ipopts, not in ip_proto.

As for the code, the ipopts rule option is a straight-up check against
the number, and 'lsrre' has been in there since revision 1.1 in 2000, so
it will match when there is an IP option with value of 0x84.

SID 501 is pretty old, so I'm not entirely sure how the rule covers the
vuln referenced.

VRT, perhaps you can shed some light on that part?


On 10/18/2010 5:16 PM, Joshua.Kinard () us-cert gov wrote:

Hi -devel,

I was looking at the ip_proto option in detail, and noticed that in 
the source code, an undocumented parameter, 'lsrre', exists.  This is 
not only not referenced in the 2.9.0 manual, but per a thread[1] from 
~July 2007, it also refers to an unofficial IANA number[2], 0x84 (132
The 'lsrr' parameter has an official IANA value of 0x83 (131 dec).

Is there any clarification available on what 'ip_proto:lsrre;' would 
target?  It's used in misc.rules 1:501:4, and references CVE-1999-0909
(which then refers to MS99-038)[3], so it looks to me to be a one-off 
option for a specific Windows flaw (much like the entire 'cvs' rule 

Can this parameter also get a mention in the next update of the 2.9.0 

1. http://www.mcabee.org/lists/snort-users/Jul-07/msg00010.html

2. http://www.iana.org/assignments/ip-parameters

3. http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-1999-0909



Snort-devel mailing list
Snort-devel () lists sourceforge net
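
The numeric check described in the thread, as an added example that is not part of the original messages and is not Snort's source code: a walker over the IPv4 options area that reports whether an option with a given type byte (0x83 for 'lsrr', 0x84 for 'lsrre') is present. The function name, macro names and sample packets are assumptions constructed for this illustration; the header checksum in the samples is not computed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Option type values quoted in the thread; the macro names are this example's own. */
#define OPT_EOL   0x00 /* end of option list, single byte */
#define OPT_NOP   0x01 /* no operation, single byte */
#define OPT_LSRR  0x83 /* 'lsrr', IANA value 131 */
#define OPT_LSRRE 0x84 /* 'lsrre', 132, not on IANA's list per the thread */

/* Returns 1 if an option of type `wanted` is present in the IPv4 header,
 * 0 if it is absent, -1 if the header or its option list is malformed. */
int ipv4_has_option(const uint8_t *pkt, size_t len, uint8_t wanted)
{
    size_t hlen, i = 20;

    if (pkt == NULL || len < 20 || (pkt[0] >> 4) != 4)
        return -1;
    hlen = (size_t)(pkt[0] & 0x0f) * 4;      /* IHL is in 32-bit words */
    if (hlen < 20 || hlen > len)
        return -1;
    while (i < hlen) {
        uint8_t type = pkt[i];
        if (type == wanted)
            return 1;                        /* plain comparison on the type byte */
        if (type == OPT_EOL)
            return 0;                        /* anything after EOL is padding */
        if (type == OPT_NOP) { i++; continue; }
        if (i + 1 >= hlen || pkt[i + 1] < 2 || i + pkt[i + 1] > hlen)
            return -1;                       /* length byte missing or out of bounds */
        i += pkt[i + 1];                     /* skip option data, never scan it as types */
    }
    return 0;
}

/* Constructed sample headers: 192.0.2.1 -> 192.0.2.2, checksum left as zero. */
#define HDR(ihl, tot) 0x40 | (ihl), 0, 0, (tot), 0, 0, 0, 0, 64, 1, 0, 0, 192, 0, 2, 1, 192, 0, 2, 2
const uint8_t sample_lsrre[] = { HDR(6, 24), 0x84, 0x03, 0x04, 0x00 };
/* LSRR whose route data begins with the byte 0x84 (address 132.0.2.1). */
const uint8_t sample_lsrr[]  = { HDR(7, 28), 0x83, 0x07, 0x04, 0x84, 0x00, 0x02, 0x01, 0x00 };
const uint8_t sample_bad[]   = { HDR(6, 24), 0x44, 0x00, 0x00, 0x00 }; /* option length 0 */

int main(void)
{
    printf("lsrre in sample_lsrre: %d\n", ipv4_has_option(sample_lsrre, sizeof sample_lsrre, OPT_LSRRE));
    printf("lsrre in sample_lsrr:  %d\n", ipv4_has_option(sample_lsrr, sizeof sample_lsrr, OPT_LSRRE));
    printf("lsrre in sample_bad:   %d\n", ipv4_has_option(sample_bad, sizeof sample_bad, OPT_LSRRE));
    return 0;
}
```

The second sample shows why the walker steps by the length byte: the 0x84 inside the LSRR route data is not treated as an option type.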
