Bug 18737 - Snort security update. 1.9.1 vulnerable, must update to 2.x series.
Summary: Snort security update. 1.9.1 vulnerable, must update to 2.x series.
Status: RESOLVED DUPLICATE of bug 19379
Alias: None
Product: Gentoo Infrastructure
Classification: Unclassified
Component: Bugzilla (show other bugs)
Hardware: x86 Linux
Importance: High normal (vote)
Assignee: John Davis (zhen) (RETIRED)
URL: http://www.securityfocus.com/bid/7220
Whiteboard:
Keywords:
Depends on:
Blocks:
Reported: 2003-04-04 02:56 UTC by Stian B. Barmen
Modified: 2011-10-30 23:15 UTC (History)
See Also:
Package list:
Runtime testing required: ---
Description Stian B. Barmen 2003-04-04 02:56:06 UTC
I just found from the securityfocus that a serious bug is present in the 1.9.1 
version of snort. Maybe we should upgrade? I am sorry to say that this is not 
what I do best myself so if anyone has the time! :) 

Reproducible: Always
Steps to Reproduce:
1.
2.
3.
Comment 1 Daniel Seyffer 2003-04-15 05:41:07 UTC
Hi,

Well Snort 2 being out alone seems like a good reason to upgrade... ;-)

FYI
"Snort 2.0 has been released and is available at http://www.snort.org.  
Snort 2.0 is the result of many months of effort on the part of dozens 
of people and has a slew of new features:

* Enhanced high-performance detection engine
* Stateful Pattern Matching
* New detection keywords: byte_test & byte_jump
* The Snort code base has undergone an external third party professional security audit funded by Sourcefire (http://www.sourcefire.com)
* Many new and updated rules
* snort.conf has been updated
* Enhancements to self preservation mechanisms in stream4 and frag2
* State tracking fixes in stream4
* New HTTP flow analyzer
* Enhanced protocol decoding (TCP options, 802.1q, etc)
* Enhanced protocol anomaly detection (IP, TCP, UDP, ICMP, RPC, HTTP, etc)
* Enhanced flexresp mode for real-time TCP session sniping
* Better chroot()'ing
* Tagging system updated
* Several million bugs addressed....
* Updated FAQ (thanks to Erek Adams and Dragos Ruiu)
" 
Comment 2 Rajiv Aaron Manglani (RETIRED) gentoo-dev 2003-04-19 22:07:26 UTC
fyi from the CERT advisory <http://www.cert.org/advisories/CA-2003-13.html> one solution if you do not want to upgrade to 2.x:

Disable affected preprocessor modules

   Sites  that  are  unable to immediately upgrade affected Snort sensors
   may  prevent  exploitation of this vulnerability by commenting out the
   affected preprocessor modules in the "snort.conf" configuration file.

   To prevent exploitation of VU#139129, comment out the following line:

     preprocessor stream4_reassemble

   To prevent exploitation of VU#916785, comment out the following line:

     preprocessor rpc_decode: 111 32771

   After commenting out the affected modules, send a SIGHUP signal to the
   affected   Snort  process  to  update  the  configuration.  Note  that
   disabling these modules may have adverse effects on a sensor's ability
   to correctly process RPC record fragments and TCP packet fragments. In
   particular,  disabling  the "stream4" preprocessor module will prevent
   the Snort sensor from detecting a variety of IDS evasion attacks.



*** This bug has been marked as a duplicate of 19379 ***
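One way to apply the CERT workaround quoted in comment 2 (comment out the `stream4_reassemble` and `rpc_decode` preprocessor lines, then SIGHUP the sensor), written as an added example that is not part of the bug report, the CERT advisory or the Snort project. The snort.conf fragment is constructed for the demonstration, and the config and PID file paths are assumptions; the `stream4` line itself is deliberately left enabled, matching the advisory's warning that disabling stream4 costs evasion detection.

```shell
#!/bin/sh
# Added example (not from the bug report or CA-2003-13): disable the two
# preprocessor modules named in the advisory and reload the running sensor.

# Constructed sample snort.conf fragment, written to the path given in $1.
make_sample_conf() {
  cat > "$1" <<'EOF'
var HOME_NET any
preprocessor frag2
preprocessor stream4: detect_scans
preprocessor stream4_reassemble
preprocessor rpc_decode: 111 32771
preprocessor http_decode: 80 -unicode
EOF
}

# Comment out only the affected modules, keeping a .bak copy of the original.
# POSIX sed BRE is used (no \+), so this also works on non-GNU sed.
disable_affected_preprocessors() {
  conf="$1"
  cp "$conf" "$conf.bak"
  sed -e 's/^[[:space:]]*preprocessor[[:space:]][[:space:]]*stream4_reassemble/# &/' \
      -e 's/^[[:space:]]*preprocessor[[:space:]][[:space:]]*rpc_decode:/# &/' \
      "$conf.bak" > "$conf"
}

# Count the preprocessor lines that are still active (not commented out).
active_preprocessors() {
  grep -c '^[[:space:]]*preprocessor' "$1"
}

# Succeed (exit 0) only when neither affected module is still enabled.
affected_disabled() {
  ! grep -Eq '^[[:space:]]*preprocessor[[:space:]]+(stream4_reassemble|rpc_decode:)' "$1"
}

# Ask the running Snort process to re-read its configuration with SIGHUP, as
# the advisory describes. The PID file path is an assumption; when it does not
# exist (e.g. running this offline) the reload is skipped with a message.
reload_snort() {
  pidfile="${1:-/var/run/snort_eth0.pid}"
  if [ -r "$pidfile" ]; then
    kill -HUP "$(cat "$pidfile")"
  else
    echo "no pid file at $pidfile; skipping SIGHUP" >&2
  fi
}

# Demonstration on a temporary file: before/after view of the config.
demo_conf=$(mktemp)
make_sample_conf "$demo_conf"
echo "active preprocessors before: $(active_preprocessors "$demo_conf")"
disable_affected_preprocessors "$demo_conf"
echo "active preprocessors after:  $(active_preprocessors "$demo_conf")"
grep '^#' "$demo_conf"
reload_snort "/nonexistent/snort.pid"
rm -f "$demo_conf" "$demo_conf.bak"
```

To use it on a real sensor, call `disable_affected_preprocessors /etc/snort/snort.conf` (path assumed) followed by `reload_snort` with the sensor's actual PID file, then confirm with `affected_disabled` that neither line survived; keep in mind that this is a stopgap and the advisory's real fix is the 2.x upgrade the bug asks for.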