Snort mailing list archives

IP Option lsrre


From: "Jeffrey Denton" <dentonj () gmail com>
Date: Sat, 7 Jul 2007 12:52:29 +0200

I originally posted this on #snort on irc.freenode.org.  I'm posting
it here for more visibility.

I had a question about "ipopts:lsrre;".  A search on Google turned up
several comments about lsrre being an undocumented option.  In
misc.rules, sid:501, there is a reference to a MS source routing
vulnerability, MS99-038.

In the file sf_snort_packet.h, the define statement sets IPOPTION_LSRR
to 0x83.  This corresponds to the decimal value of 131 for Loose
Source and Record Route as specified in RFC 791.  IPOPTION_SSRR is set
to 0x89, which corresponds to the decimal value of 137 for Strict
Source and Record Route as specified in RFC 791.  IPOPTION_LSRR_E is
set to 0x84, or decimal value 132.
http://iana.org/assignments/ip-parameters doesn't list value 132 as a
valid IP option.

The vulnerability report for MS99-038 doesn't include enough details.
I wasn't able to find exploit code for MS99-038.  Either way, it looks
like ipopts:lsrre; will trigger when an invalid IP option value of 132
is detected.

Does anyone see something different?
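
Added example, not part of the original post and not Snort's code: a C program that splits the three option type values quoted in the post into the RFC 791 copied/class/number fields and walks the options area of an IPv4 header to count options of a given type. `count_ip_option`, the `OPT_*` macros and the `sample` header are hypothetical names and constructed data; the three `IPOPTION_*` values are the ones the post cites.

```c
#include <stdint.h>
#include <stdio.h>

/* Option type values as quoted in the post from sf_snort_packet.h. */
#define IPOPTION_LSRR   0x83
#define IPOPTION_LSRR_E 0x84
#define IPOPTION_SSRR   0x89
/* RFC 791 option-type octet: 1-bit copied flag, 2-bit class, 5-bit number. */
#define OPT_COPIED(t) (((t) >> 7) & 0x01)
#define OPT_CLASS(t)  (((t) >> 5) & 0x03)
#define OPT_NUMBER(t) ((t) & 0x1f)

/* Hypothetical helper: count options of type `wanted`; -1 if header/options malformed. */
int count_ip_option(const uint8_t *hdr, size_t len, uint8_t wanted)
{
    if (len < 20 || (hdr[0] >> 4) != 4) return -1;
    size_t ihl = (size_t)(hdr[0] & 0x0f) * 4;   /* header length in bytes */
    if (ihl < 20 || ihl > len) return -1;
    int hits = 0;
    for (size_t i = 20; i < ihl; ) {
        uint8_t type = hdr[i];
        if (type == 0x00) break;                /* End of Option List */
        if (type == 0x01) { i++; continue; }    /* No Operation, single octet */
        if (i + 1 >= ihl) return -1;            /* no room for the length octet */
        uint8_t olen = hdr[i + 1];
        if (olen < 2 || i + olen > ihl) return -1;
        if (type == wanted) hits++;
        i += olen;
    }
    return hits;
}

/* Constructed sample, not captured traffic: IHL=7 header, checksum left at zero. */
uint8_t sample[28] = {
    0x47, 0x00, 0x00, 0x1c, 0x00, 0x00, 0x00, 0x00, 0x40, 0x01, 0x00, 0x00,
    192, 0, 2, 1,  192, 0, 2, 2,                 /* source, destination */
    IPOPTION_LSRR_E, 0x07, 0x04, 192, 0, 2, 3,   /* type, length, pointer, one address */
    0x00 };                                      /* End of Option List padding */

int main(void)
{
    const uint8_t t[] = { IPOPTION_LSRR, IPOPTION_LSRR_E, IPOPTION_SSRR };
    for (size_t k = 0; k < sizeof t; k++) {
        sample[20] = t[k];                       /* swap only the option type octet */
        printf("0x%02x (%d): copied=%d class=%d number=%d type-0x84 hits=%d\n", (unsigned)t[k], t[k],
               OPT_COPIED(t[k]), OPT_CLASS(t[k]), OPT_NUMBER(t[k]), count_ip_option(sample, sizeof sample, IPOPTION_LSRR_E));
    }
    return 0;
}
```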
