lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Wed, 14 Sep 2005 14:03:33 -0400
From: "Steven Sturges" <steve.sturges@...rcefire.com>
To: "'Martin Roesch'" <roesch@...rcefire.com>,
	"'Ferguson, Justin (IARC)'" <FergusonJ@...doe.gov>
Cc: <snort-devel@...ts.sourceforge.net>,
	<snort-users@...ts.sourceforge.net>, <bugtraq@...urityfocus.com>
Subject: RE: Re: [Snort-users] Snort DoS Fallacies


> Q5) Frag3 has the problem in the snapshot I downloaded, why 
> won't you admit it?
> A5) Because you're wrong.  The snapshot you're referring to 
> has the fixes in PrintTcpOptions(), so even with the call to 
> PrintIPPkt() in there the DoS doesn't work.  Version 2.4.0 
> did not have the code you are referring to.

I just grabbed the snapshot tarball from the website and it does
have the duplicate log Frag3 issues mentioned... It is correct in
CVS, so subsequent snapshot tarballs resolve this.

However, with the fixes to PrintTcpOptions being in the tarball,
it wouldn't be a DoS problem other than extra printfs.

> Q13) Justin Ferguson made a patch against 2.3.3 that fixes 
> this problem, should I use it?
> A13) I would not under any circumstances move back to 2.3.3 
> or use a patch from an untrusted 3rd party in a production 
> sensor, there were many bug fixes and new features 
> incorporated in 2.4.0 and reverting to an old version is a 
> step in the wrong direction.  It is far safer and advisable 
> to use the log.c in CVS or wait for the 2.4.1 release if 
> you're not running fast/full alerting or ASCII logging.

The changes made on August 23 by Sourcefire are the same as those
in the patch to 2.3.3.  Those changes have been in the 2.4 CVS
repository [and are in the snapshot tarball] for almost a month
(since the original poster brought this to our attention).

End of story.

Cheers.
-steve



-------------------------------------------------------
SF.Net email is sponsored by:
Tame your development challenges with Apache's Geronimo App Server. Download
it for free - -and be entered to win a 42" plasma tv or your very own
Sony(tm)PSP.  Click here to play: http://sourceforge.net/geronimo.php

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ