Snort bypass vulnerability
Update: (2006-06-01 16:10 UTC) Sourcefiree/snort.org has issued their statement on the issue (patches coming Monday, 5 June):
http://www.snort.org/pub-bin/snortnews.cgi#431
Demarc just released a vulnerability alert on Snort. The vulnerability leads to evasion of URI content rules. When a carriage return is added to the end of a URL (before HTTP protocol declaration), Snort detection can be evaded. According to the alert, this vulnerability will affect thousands of detection rules in the standard rule base. No need to panic at the moment though, as the folks at Sourcefire have fixed this in version 2.6.0 and we haven't seen this kind of traffic in the wild yet. Thanks to Blake Hartstein for reporting this to us. Also, thanks to our friends at Sourcefire for info on the extent of the problem and about the upcoming patch.
Please refer to the vulnerability alert for more details,
http://www.demarc.com/support/downloads/patch_20060531
http://www.snort.org/pub-bin/snortnews.cgi#431
Demarc just released a vulnerability alert on Snort. The vulnerability leads to evasion of URI content rules. When a carriage return is added to the end of a URL (before HTTP protocol declaration), Snort detection can be evaded. According to the alert, this vulnerability will affect thousands of detection rules in the standard rule base. No need to panic at the moment though, as the folks at Sourcefire have fixed this in version 2.6.0 and we haven't seen this kind of traffic in the wild yet. Thanks to Blake Hartstein for reporting this to us. Also, thanks to our friends at Sourcefire for info on the extent of the problem and about the upcoming patch.
Please refer to the vulnerability alert for more details,
http://www.demarc.com/support/downloads/patch_20060531
Keywords:
0 comment(s)
My next class:
Cloud Security for Leaders | Online | US Eastern | Feb 10th - Feb 14th 2025 |
×
Diary Archives
Comments