SANS ISC: Snort bypass vulnerability SANS ISC InfoSec Forums

Snort bypass vulnerability
Demarc just released a vulnerability alert on Snort. The vulnerability allows evasion of URI content rules: when a carriage return is added to the end of a URL (before the HTTP protocol declaration), Snort detection can be evaded. According to the alert, this vulnerability affects thousands of detection rules in the standard rule base. There is no need to panic at the moment, though, as the folks at Sourcefire have fixed this in version 2.6.0 and we haven't seen this kind of traffic in the wild yet. Thanks to Ben McDougall for reporting this to us, and to our friends at Sourcefire for info on the extent of the problem.

Please refer to the vulnerability alert for more details:
http://www.demarc.com/support/downloads/patch_20060531
Jason

ISC Handler
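An added example, not taken from the Demarc alert or from Sourcefire: a Python check a defender could run over captured HTTP requests to flag a carriage return placed before the protocol declaration, the pattern the post describes. The function names and the sample requests are constructed for illustration.

```python
import re

# A carriage return (possibly followed by spaces/tabs/more CRs) sitting
# directly in front of the protocol declaration at the end of the request line.
CR_BEFORE_VERSION = re.compile(rb"\r[ \t\r]*HTTP/\d\.\d$")


def inspect_request_line(raw: bytes) -> dict:
    """Classify carriage returns found in the first line of a raw HTTP request."""
    line = raw.split(b"\n", 1)[0]
    if line.endswith(b"\r"):
        line = line[:-1]  # the CR of the CRLF terminator is expected
    return {
        "request_line": line,
        "stray_cr": b"\r" in line,
        "cr_before_version": bool(CR_BEFORE_VERSION.search(line)),
    }


def flag_requests(requests):
    """Return (index, finding) for every request whose line has an unexpected CR."""
    findings = []
    for i, raw in enumerate(requests):
        result = inspect_request_line(raw)
        if result["stray_cr"]:
            findings.append((i, result))
    return findings


# Constructed sample requests (not captured traffic).
SAMPLES = [
    b"GET /index.html HTTP/1.0\r\nHost: example.test\r\n\r\n",       # normal CRLF
    b"GET /index.html HTTP/1.0\nHost: example.test\n\n",             # LF only
    b"GET /index.html\r HTTP/1.0\r\nHost: example.test\r\n\r\n",     # CR after URL
    b"GET /a\rb/index.html HTTP/1.0\r\nHost: example.test\r\n\r\n",  # CR mid-URL
]

if __name__ == "__main__":
    for idx, res in flag_requests(SAMPLES):
        kind = "before protocol declaration" if res["cr_before_version"] else "elsewhere"
        print(f"request {idx}: stray CR {kind}: {res['request_line']!r}")
```

A check like this only helps spot such requests in captured traffic; the fix the post points to is Snort 2.6.0.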
