Re: Snort - DoS
From: Jem Berkes (email@example.com)
- In reply to: Tony Davis: "Snort - DoS"
From: Jem Berkes <firstname.lastname@example.org>
Date: Sun, 03 Feb 2002 00:23:05 GMT
> I saw that Snort has a vulnerability in it that allows attackers to
> crash it. People need to get the patch and upgrade to fix it.
True. But I found the following at www.snort.org interesting:
Well, now that the news media have gotten into the act, I feel that it's
necessary to pour a little cold water on this "ICMP DOS" that is going
from molehill to mountain right now.
Here's the deal:
The ICMP problem only manifests itself on ICMP ping packets with
payloads smaller than 4 bytes, which is non-standard. Regular ICMP
ECHO traffic won't set it off.
The crash condition only occurs if you're running the -d switch at
the command line and logging in ASCII mode. This is not a default
mode, you have to explicitly activate it and it's recommended specifically
that you don't in production environments due to performance impact.
The recommended run-time output mode has been anything but ASCII
mode for over two years, nobody should be running production sensors
with ASCII logging active on an u ...
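
The packet condition named in the quoted snort.org note (an ICMP ping with fewer than 4 bytes of payload) can be checked on captured traffic. The following is an added example, not part of the original post or of Snort's code; it assumes raw IPv4 packets with no link-layer header, treats both echo request and echo reply as "ping", and runs on constructed sample packets.

```python
import struct

ICMP_PROTO = 1
ECHO_REQUEST, ECHO_REPLY = 8, 0   # assumption: both directions count as "ping"
MIN_PAYLOAD = 4                   # threshold stated in the quoted note


def icmp_echo_payload_len(packet: bytes):
    """Return the ICMP echo payload length of a raw IPv4 packet, or None if
    it is not a well-formed, unfragmented ICMP echo request/reply."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4                  # IP header length in bytes
    total_len, = struct.unpack("!H", packet[2:4])
    frag, = struct.unpack("!H", packet[6:8])
    # Need a full IP header plus the 8-byte ICMP echo header inside the capture.
    if ihl < 20 or total_len > len(packet) or total_len < ihl + 8:
        return None
    if packet[9] != ICMP_PROTO or frag & 0x3FFF:  # MF flag or nonzero offset
        return None
    if packet[ihl] not in (ECHO_REQUEST, ECHO_REPLY):
        return None
    return total_len - ihl - 8


def is_short_echo(packet: bytes) -> bool:
    """True for an ICMP echo whose payload is below the 4-byte threshold."""
    n = icmp_echo_payload_len(packet)
    return n is not None and n < MIN_PAYLOAD


def build_echo(payload: bytes, icmp_type: int = ECHO_REQUEST) -> bytes:
    """Constructed sample packet: zero checksums, TEST-NET-1 addresses."""
    icmp = struct.pack("!BBHHH", icmp_type, 0, 0, 0x1234, 1) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64,
                     ICMP_PROTO, 0, bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    return ip + icmp


if __name__ == "__main__":
    samples = {                                   # constructed inputs
        "56-byte payload": build_echo(b"\x00" * 56),
        "4-byte payload": build_echo(b"abcd"),
        "3-byte payload": build_echo(b"abc"),
        "empty payload": build_echo(b""),
    }
    for name, pkt in samples.items():
        print(f"{name}: short={is_short_echo(pkt)}")
```
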