I just found from the SecurityFocus that a serious bug is present in the 1.9.1 version of snort. Maybe we should upgrade? I am sorry to say that this is not what I do best myself, so if anyone has the time! :)

Reproducible: Always

Steps to Reproduce:
1.
2.
3.
Hi,

Well, Snort 2 being out alone seems like a good reason to upgrade... ;-)

FYI:

"Snort 2.0 has been released and is available at http://www.snort.org. Snort 2.0 is the result of many months of effort on the part of dozens of people and has a slew of new features:

* Enhanced high-performance detection engine
* Stateful Pattern Matching
* New detection keywords: byte_test & byte_jump
* The Snort code base has undergone an external third party professional security audit funded by Sourcefire (http://www.sourcefire.com)
* Many new and updated rules
* snort.conf has been updated
* Enhancements to self preservation mechanisms in stream4 and frag2
* State tracking fixes in stream4
* New HTTP flow analyzer
* Enhanced protocol decoding (TCP options, 802.1q, etc)
* Enhanced protocol anomaly detection (IP, TCP, UDP, ICMP, RPC, HTTP, etc)
* Enhanced flexresp mode for real-time TCP session sniping
* Better chroot()'ing
* Tagging system updated
* Several million bugs addressed....
* Updated FAQ (thanks to Erek Adams and Dragos Ruiu)"
FYI, from the CERT advisory <http://www.cert.org/advisories/CA-2003-13.html>, one solution if you do not want to upgrade to 2.x:

Disable affected preprocessor modules

Sites that are unable to immediately upgrade affected Snort sensors may prevent exploitation of this vulnerability by commenting out the affected preprocessor modules in the "snort.conf" configuration file.

To prevent exploitation of VU#139129, comment out the following line:

    preprocessor stream4_reassemble

To prevent exploitation of VU#916785, comment out the following line:

    preprocessor rpc_decode: 111 32771

After commenting out the affected modules, send a SIGHUP signal to the affected Snort process to update the configuration.

Note that disabling these modules may have adverse effects on a sensor's ability to correctly process RPC record fragments and TCP packet fragments. In particular, disabling the "stream4" preprocessor module will prevent the Snort sensor from detecting a variety of IDS evasion attacks.

*** This bug has been marked as a duplicate of 19379 ***
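A small shell helper, added here as an example and not part of the bug report or the CERT advisory, that applies the advisory's workaround to a snort.conf: it comments out only the stream4_reassemble and rpc_decode preprocessor lines (leaving stream4, frag2 and the rest active), keeps a backup, and then sends the SIGHUP. The config path, the PID file location and the sample config are assumptions.

```shell
#!/bin/sh
# Added example (not from the bug report or the CERT advisory).
# Paths passed in by the caller are assumptions for this example.

# disable_affected_preprocessors CONF
# Prefixes the stream4_reassemble and rpc_decode preprocessor lines with '# '
# in place, after saving CONF.bak. Lines that are already commented out, and
# every other preprocessor line, are left untouched, so re-running is safe.
disable_affected_preprocessors() {
  conf="$1"
  [ -f "$conf" ] || { echo "no such file: $conf" >&2; return 1; }
  cp "$conf" "$conf.bak"   # keep a copy to restore once the sensor is upgraded
  sed -e 's/^\([[:space:]]*\)\(preprocessor[[:space:]]\{1,\}stream4_reassemble\)/\1# \2/' \
      -e 's/^\([[:space:]]*\)\(preprocessor[[:space:]]\{1,\}rpc_decode\)/\1# \2/' \
      "$conf.bak" > "$conf"
}

# count_active_preprocessors CONF NAME
# Prints the number of uncommented 'preprocessor NAME...' lines still in CONF,
# so the change can be verified before the sensor is reloaded.
count_active_preprocessors() {
  grep -c "^[[:space:]]*preprocessor[[:space:]]\{1,\}$2" "$1" || true
}

# reload_snort PIDFILE
# Sends SIGHUP so the running Snort process re-reads snort.conf, as the
# advisory instructs. PIDFILE is whatever your init script writes.
reload_snort() {
  [ -r "$1" ] && kill -HUP "$(cat "$1")"
}
```

Check the counts before reloading; stream4 itself should still report as active, only stream4_reassemble and rpc_decode should drop to zero.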