Re: Snort - DoS

From: Jem Berkes (jb_dontuse@pc9.org)
Date: 02/03/02


From: Jem Berkes <jb_dontuse@pc9.org>
Date: Sun, 03 Feb 2002 00:23:05 GMT


> I saw that Snort has a vulnerability in it that allows attackers to
> crash it. People need to get the patch and upgrade to fix it.

True. But I found the following at www.snort.org interesting:

"
Well, now that the news media have gotten into the act, I feel that it's
necessary to pour a little cold water on this "ICMP DOS" that is going
from molehill to mountain right now.

Here's the deal:
The ICMP problem only manifests itself on ICMP ping packets with
payloads smaller than 4 bytes, which is non-standard. Regular ICMP
ECHO traffic won't set it off.
The crash condition only occurrs if you're running the -d switch at
the command line and logging in ASCII mode. This is not a default
mode, you have to explicitly activate it and it's recommended specifically
that you don't in production environments due to performance impact.
The recommended run-time output mode has been anything but ASCII
mode for over two years, nobody should be running production sensors
with ASCII logging active on an u ...
"