Snort mailing list archives
Re: Ip_proto's 'lsrre' parameter
From: Steven Sturges <steve.sturges () sourcefire com>
Date: Mon, 25 Oct 2010 21:14:40 -0400

Joshua--

Matt sent me this in regards to the detection....

http://web.archive.org/web/20041117050353/www.whitehats.com/cgi/arachNIDS/Show?_id=ids420&view=event

For MS99-038 it's about spoofing lsrre, so the rule looks for the use
of the option.  Sid 500 and Sid 501 cover both ways to do that, lsrr,
and lsrre.

Hope this helps.

Cheers
-steve

On 10/22/2010 9:59 PM, Joshua.Kinard () us-cert gov wrote:

Hi Steven,

My bad on the wrong option, I was going back and forth between the two
and got them mixed up :)

As far as the numeric value goes, yeah, the code itself will work.  I
was commenting on the value of 0x84 not being on IANA's list for IP
Options, so I didn't know what it was for (I was hoping they'd have
something about it).

I'm curious to know what VRT says, as I searched google high and low for
a variety of keywords to try and turn something up, but didn't get
anything back outside of the 2007 mailing-list blurb, and Snort's own
source code.

Thanks!

--J


-----Original Message-----
From: Steven Sturges [mailto:steve.sturges () sourcefire com] 
Sent: Thursday, October 21, 2010 9:11 AM
To: Kinard, Joshua A
Cc: snort-devel () lists sourceforge net
Subject: Re: [Snort-devel] Ip_proto's 'lsrre' parameter

Hi Joshua--

First, for clarification, this is in ipopts, not in ip_proto.

As for the code, the ipopts rule option is a straight-up check against
the number, and 'lsrre' has been in there since revision 1.1 in 2000, so
it will match when there is an IP option with value of 0x84.

SID 501 is pretty old, so I'm not entirely sure how the rule covers the
vuln referenced.

VRT, perhaps you can shed some light on that part?

Cheers.
-steve

On 10/18/2010 5:16 PM, Joshua.Kinard () us-cert gov wrote:

Hi -devel,

I was looking at the ip_proto option in detail, and noticed that in
the source code, an undocumented parameter, 'lsrre', exists.  This is
not only not referenced in the 2.9.0 manual, but per a thread[1] from
~July 2007, it also refers to an unofficial IANA number[2], 0x84 (132
dec).  The 'lsrr' parameter has an official IANA value of 0x83 (131 dec).

Is there any clarification available on what 'ip_proto:lsrre;' would
target?  It's used in misc.rules 1:501:4, and references CVE-1999-0909
(which then refers to MS99-038)[3], so it looks to me to be a one-off
option for a specific Windows flaw (much like the entire 'cvs' rule
option).

Can this parameter also get a mention in the next update of the 2.9.0 
manual?

Refs:
1. http://www.mcabee.org/lists/snort-users/Jul-07/msg00010.html
   http://www.mcabee.org/lists/snort-users/Jul-07/msg00011.html

2. http://www.iana.org/assignments/ip-parameters

3. http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-1999-0909
   http://www.microsoft.com/technet/security/bulletin/ms99-038.mspx


Thanks!

--J

_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel



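An added example, written for this archive page and not Snort's own code nor anything the thread's authors posted, of the plain numeric comparison Steve describes for the ipopts keyword: it walks the IPv4 options field and reports whether an option whose type byte is 0x83 (lsrr) or 0x84 (lsrre) is present. The packet bytes are constructed for the demonstration.

```python
import struct

# Added example (not Snort source, not from the thread): mirrors the plain
# numeric check the ipopts keyword performs on each IPv4 option type byte.
IPOPT_EOL = 0x00
IPOPT_NOP = 0x01
IPOPT_LSRR = 0x83   # Loose Source and Record Route, IANA-registered (131 dec)
IPOPT_LSRRE = 0x84  # value matched by Snort's 'ipopts:lsrre;', not on IANA's list
IPOPTS_KEYWORDS = {IPOPT_LSRR: "lsrr", IPOPT_LSRRE: "lsrre"}

def parse_ipv4_options(packet):
    """Return the option type bytes present in an IPv4 header's options field."""
    ihl = (packet[0] & 0x0F) * 4
    if (packet[0] >> 4) != 4 or ihl < 20 or len(packet) < ihl:
        raise ValueError("not a well-formed IPv4 header")
    opts = packet[20:ihl]
    found, i = [], 0
    while i < len(opts):
        kind = opts[i]
        if kind == IPOPT_EOL:
            break
        found.append(kind)
        if kind == IPOPT_NOP:          # single-byte option, no length field
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2:
            raise ValueError("truncated or malformed option at offset %d" % i)
        i += opts[i + 1]               # length byte covers type + len + data
    return found

def ipopts_match(packet, keyword):
    """True if any option's code equals the code the ipopts keyword names."""
    wanted = [code for code, name in IPOPTS_KEYWORDS.items() if name == keyword]
    return any(code in wanted for code in parse_ipv4_options(packet))

def build_ipv4_with_option(option):
    """Constructed 20-byte header (checksum left 0) plus one option, padded to 4 bytes."""
    padded = option + b"\x00" * (-len(option) % 4)
    ihl = 5 + len(padded) // 4
    hdr = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl, 0, 20 + len(padded), 0, 0,
                      64, 6, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return hdr + padded

# Constructed samples: type, length, pointer, then one 4-byte route entry.
LSRR_PKT = build_ipv4_with_option(bytes([IPOPT_LSRR, 7, 4, 10, 0, 0, 9]))
LSRRE_PKT = build_ipv4_with_option(bytes([IPOPT_LSRRE, 7, 4, 10, 0, 0, 9]))
PLAIN_PKT = build_ipv4_with_option(b"")
```

A malformed length byte raises rather than being skipped, so a detector built on this can flag truncated options separately from the source-routing match itself.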

