[Dshield] SNORT 1.8 vulnerability

Johannes Ullrich jullrich at euclidian.com
Mon Mar 3 18:18:31 GMT 2003

Once you are done patching sendmail, move on to Snort...
Snort 1.8 has a critical vulnerability in its RPC preprocessor.
I don't have the text of the advisory. But here is the digest
from iss.net:

Snort: Snort is an open source and freely available IDS product. In Snort 1.8, support was added to detect attacks that used RPC fragmentation as an IDS evasion technique. When processing fragmented RPC traffic, Snort does not properly check fragment sizes against the amount of space remaining in the preprocessing buffer, creating a buffer overflow condition that can lead to remote compromise of Snort sensors.
Snort: For Dynamic Threat Protection, Internet Security Systems recommends applying a Virtual Patch for the Snort vulnerability. Employ the following protection techniques through ISS Dynamic Threat Protection platform. For manual protection, Snort users may disable the RPC preprocessor. However, this workaround will disable all RPC-based detection. The vulnerable preprocessor can be disabled by commenting out the following line within the snort.conf configuration file. For further details, please review the advisory.

(the link to the advisory is broken right now)

jullrich at euclidian.com             Collaborative Intrusion Detection
                                         join http://www.dshield.org
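
The missing check the ISS digest describes, as an added example (not Snort's code and not part of the original post): a minimal reassembler for RFC 5531 record-marked RPC fragments that compares each fragment length with the space remaining in the output buffer. The function name `rpc_defrag`, the result codes and the sample bytes are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical result codes for this example (not Snort's). */
enum { RPC_OK = 0, RPC_TRUNCATED = -1, RPC_OVERSIZE = -2, RPC_INCOMPLETE = -3 };

/* Reassemble one RPC-over-TCP record (RFC 5531 record marking) from in[]
 * into out[]. Each fragment has a 4-byte big-endian header: top bit set on
 * the last fragment, low 31 bits = fragment length. */
int rpc_defrag(const uint8_t *in, size_t in_len,
               uint8_t *out, size_t out_cap, size_t *out_len)
{
    size_t pos = 0, used = 0;        /* invariants: pos <= in_len, used <= out_cap */
    while (in_len - pos >= 4) {
        uint32_t hdr = ((uint32_t)in[pos] << 24) | ((uint32_t)in[pos + 1] << 16) |
                       ((uint32_t)in[pos + 2] << 8) | (uint32_t)in[pos + 3];
        size_t frag_len = hdr & 0x7fffffffu;
        pos += 4;

        if (frag_len > in_len - pos) /* header claims more than was captured */
            return RPC_TRUNCATED;
        /* Compare against the space REMAINING in out[], not its total size;
         * written as a subtraction so the comparison cannot wrap. */
        if (frag_len > out_cap - used)
            return RPC_OVERSIZE;

        memcpy(out + used, in + pos, frag_len);
        used += frag_len;
        pos += frag_len;
        if (hdr & 0x80000000u) {     /* last-fragment bit */
            *out_len = used;
            return RPC_OK;
        }
    }
    return RPC_INCOMPLETE;           /* input ended before the last fragment */
}

int main(void)
{
    /* Constructed sample: two 2-byte fragments, "AB" then "CD" (last). */
    const uint8_t rec[] = {0x00, 0, 0, 2, 'A', 'B', 0x80, 0, 0, 2, 'C', 'D'};
    uint8_t big[4], small[3];
    size_t n = 0;
    printf("cap 4 -> %d\n", rpc_defrag(rec, sizeof rec, big, sizeof big, &n));
    printf("cap 3 -> %d\n", rpc_defrag(rec, sizeof rec, small, sizeof small, &n));
    return 0;
}
```

With a 3-byte buffer, each 2-byte fragment is smaller than the buffer's total size, so only the remaining-space comparison rejects the second one.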
