Threat Level: green Handler on Duty: Didier Stevens

SANS ISC: InfoSec Handlers Diary Blog InfoSec Handlers Diary Blog

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Sourcefire addresses Snort vulnerability

Published: 2007-02-19
Last Updated: 2007-02-20 23:59:40 UTC
by Joel Esler (Version: 3)
0 comment(s)
The Sourcefire Vulnerability Research Team (VRT) today announced a vulnerability found in the DCE/RPC preprocessor in Snort and Sourcefire Intrusion Sensors.  The DCE/RPC preprocessor is vulnerable to a stack-based buffer overflow that could potentially allow an attacker to execute code with the same privileges as the Snort binary.
There are no publicly available exploits for this vulnerability at this time.
Mitigation for Snort:  If, for some reason, you can’t upgrade your version of Snort to v2.6.1.3, you can turn off the DCE/RPC preprocessor in your snort.conf file by commenting it out and restarting Snort.  Upgrading to the new version of Snort is highly recommended as soon as possible.  The new version of Snort is available here.
Your snort.conf will have an entry like:
preprocessor dcerpc: \
    autodetect \
    max_frag_size 3000 \
    memcap 100000
Just comment out these lines like:
#preprocessor dcerpc: \
#    autodetect \
#   max_frag_size 3000 \
#    memcap 100000
and restart Snort.  Then upgrade to v2.6.1.3.
If you have a Sourcefire Intrusion Sensor, Sourcefire released SEU 64 today that patches this vulnerability, and this update can be downloaded from the Sourcefire Customer Support Web Site.  After downloading and installing SEU 64, you will need to re-push your policies out from your Defense Center.
Mitigation for Sourcefire customers:  If, for some reason, you can’t update your SEU, edit your policies, uncheck the DCE/RPC “Enabled” check box, and re-push your policy until you can upgrade.
This vulnerability has been identified as CVE-2006-5276.
The versions of Snort that are affected:

* Snort 2.6.1,, and
* Snort 2.7.0 beta 1

Update:  Sourcefire has released SEU 65 as well as a ruleset for both registered users and VRT subscribers that detect attempts to exploit this vulnerability.  These rules are available at

Joel Esler
(Yes, I am a Sourcefire employee)
0 comment(s)
Diary Archives