iDefense writes:

Remote exploitation of a design error vulnerability in Snort, as included in various vendors' operating system distributions, could allow an attacker to bypass filter rules.

Due to a design error vulnerability, Snort does not properly reassemble fragmented IP packets. When receiving incoming fragments, Snort checks the Time To Live (TTL) value of the fragment, and compares it to the TTL of the initial fragment. If the difference between the initial fragment and the following fragments is more than a configured amount, the fragments will be silently discarded. This results in valid traffic not being examined and/or filtered by Snort.

III. ANALYSIS

Exploitation of this vulnerability allows an attacker to bypass all Snort rules. In order to exploit this vulnerability, an attacker would have to fragment IP packets destined for a targeted host, ensuring that the TTL difference is greater than the configured maximum. By default, the maximum difference is 5. If an attacker is successful, all fragments with invalid TTL differences will be dropped. No rules will be applied to them.

IV. DETECTION

iDefense has confirmed the existence of this vulnerability in Snort 2.8 and 2.6. Snort 2.4 is not vulnerable.

V. WORKAROUND

In the snort.conf file, set the ttl_limit configuration value to 255 as shown below.

preprocessor frag3_engine: ttl_limit 255

This will set the allowable difference to the maximum possible value, and prevent fragments from being dropped.

VI. VENDOR RESPONSE

Sourcefire has addressed this vulnerability by releasing version 2.8.1 of Snort. For more information consult their change log and source differences at the following URLs.

http://cvs.snort.org/viewcvs.cgi/snort/ChangeLog?rev=1.534.2.11
http://cvs.snort.org/viewcvs.cgi/snort/src/preprocessors/spp_frag3.c.diff?r1=text&tr1=1.46.2.4&r2=text&tr2=1.46.2.5&diff_format=h
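To make the advisory's description concrete, the following is an added example (not Snort's source and not part of the bug report) that models the frag3 behaviour described above: each fragment's TTL is compared with the TTL of the first fragment seen for its datagram, and a fragment whose difference exceeds ttl_limit is silently discarded before reassembly, so the datagram never reaches rule matching. The Fragment/Datagram records, the datagram key, the constructed fragments and their TTL values are assumptions chosen for illustration; the only thing taken from the advisory is the check itself and the default limit of 5. Running the same constructed datagram through the model with ttl_limit 5 and with the workaround value 255 shows why the workaround restores inspection.

```python
"""Model of the frag3 TTL-difference check described in the iDefense advisory.

Added example, not Snort's own code. Data structures and reassembly are
simplified assumptions; the check (|ttl - first_ttl| > ttl_limit -> drop)
is the behaviour the advisory describes.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Fragment:
    src: str
    dst: str
    ip_id: int
    ttl: int
    offset: int       # fragment offset in bytes (8-byte units already expanded)
    more: bool        # IP "More Fragments" flag
    payload: bytes


@dataclass
class Datagram:
    first_ttl: int                               # TTL of the first fragment seen
    pieces: dict = field(default_factory=dict)   # offset -> payload bytes
    last_seen: bool = False
    total_len: int = 0


class Frag3Model:
    """Tracks fragments per datagram and applies the ttl_limit check."""

    def __init__(self, ttl_limit: int = 5):    # 5 is the default the advisory names
        self.ttl_limit = ttl_limit
        self.tracked: dict = {}
        self.dropped: list = []        # fragments discarded by the TTL check
        self.reassembled: dict = {}    # key -> payload handed on to rule matching

    def receive(self, frag: Fragment) -> None:
        key = (frag.src, frag.dst, frag.ip_id)   # assumed datagram key
        dg = self.tracked.get(key)
        if dg is None:
            dg = Datagram(first_ttl=frag.ttl)
            self.tracked[key] = dg
        elif abs(frag.ttl - dg.first_ttl) > self.ttl_limit:
            # The advisory's failure mode: the fragment is silently discarded,
            # the datagram stays incomplete and no rule ever sees it.
            self.dropped.append(frag)
            return
        dg.pieces[frag.offset] = frag.payload
        if not frag.more:
            dg.last_seen = True
            dg.total_len = frag.offset + len(frag.payload)
        self._try_reassemble(key, dg)

    def _try_reassemble(self, key, dg: Datagram) -> None:
        if not dg.last_seen:
            return
        buf = bytearray()
        for off in sorted(dg.pieces):
            if off != len(buf):
                return               # hole in the data: still incomplete
            buf += dg.pieces[off]
        if len(buf) == dg.total_len:
            self.reassembled[key] = bytes(buf)
            del self.tracked[key]


def run_scenario(ttl_limit: int):
    """Feed one constructed 3-fragment datagram through the model.

    Returns (reassembled payload or None, number of fragments dropped).
    The middle fragment's TTL is 14 away from the first one's, which is
    over the default limit of 5 but well under the workaround value 255.
    """
    payload = b"GET /index.html HTTP/1.0\r\n"            # constructed sample
    chunks = [payload[0:8], payload[8:16], payload[16:]]  # 8-byte aligned
    ttls = [64, 50, 64]                                   # constructed TTLs
    model = Frag3Model(ttl_limit)
    for i, (chunk, ttl) in enumerate(zip(chunks, ttls)):
        model.receive(Fragment("10.0.0.1", "10.0.0.2", 0x1234, ttl,
                               offset=8 * i, more=(i < len(chunks) - 1),
                               payload=chunk))
    key = ("10.0.0.1", "10.0.0.2", 0x1234)
    return model.reassembled.get(key), len(model.dropped)


if __name__ == "__main__":
    for limit in (5, 255):
        data, dropped = run_scenario(limit)
        state = "reassembled and inspected" if data else "never reassembled"
        print(f"ttl_limit {limit:3d}: {dropped} fragment(s) dropped, datagram {state}")
```

With the default limit the model drops the mismatched fragment and the datagram is never handed to rule matching; with ttl_limit 255 every fragment is accepted and the full payload is reassembled, which is exactly the effect the workaround section relies on.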
RedHat has patches linked in their BZ:

http://cvs.snort.org/viewcvs.cgi/snort/ChangeLog.diff?r1=1.544&r2=1.545 (part)
http://cvs.snort.org/viewcvs.cgi/snort/src/preprocessors/spp_frag3.c.diff?r1=1.50&r2=1.51
http://cvs.snort.org/viewcvs.cgi/snort/src/generators.h.diff?r1=1.63&r2=1.64
http://cvs.snort.org/viewcvs.cgi/snort/etc/gen-msg.map.diff?r1=1.43&r2=1.44
http://cvs.snort.org/viewcvs.cgi/snort/doc/README.frag3.diff?r1=1.7&r2=1.8
http://cvs.snort.org/viewcvs.cgi/snort/doc/snort_manual.tex.diff?r1=1.98&r2=1.99
+ updated version of snort_manual.pdf
See Bug #198205; that snort version (2.8.2) works for me. Cheers
bug #245752 should resolve this issue
There is a new ebuild for snort-2.8.4 at the following bug: bug#266288

This also fixes this bug. Please close this bug and Bug#198205, Bug#245752.
(In reply to comment #4)
> Please close this bug...

> Please note that Security bugs are needed for more than just bumping purposes and are _not_ closed in cases such as this.
Ready to vote, I vote: NO.
NO too. Closing noglsa.