• News
• Infocus
• Foundations
• Microsoft
• Unix
• IDS
• Incidents
• Virus
• Pen-Test
• Firewalls
• Columnists
• Mailing Lists
• Newsletters
• Bugtraq
• Focus on IDS
• Focus on Linux
• Focus on Microsoft
• Forensics
• Pen-test
• Security Basics
• Vuln Dev
• Vulnerabilities
• Jobs
• Job Opportunities
• Resumes
• Job Seekers
• Employers
• Tools
• RSS
• News
• Vulns
• Security Research

• info
• discussion
• exploit
• solution
• references

Snort PrintTcpOptions Remote Denial Of Service Vulnerability

Snort is reported prone to a remote denial of service vulnerability. The vulnerability is reported to exist in the 'PrintTcpOptions()' function of 'log.c', and is a result of a failure to sufficiently handle malicious TCP packets.

A remote attacker may trigger this vulnerability to crash a remote Snort server and in doing so may prevent subsequent malicious attacks from being detected.

It should be noted that the vulnerable code path is only executed when Snort is run with the '-v' (verbose) flag. Due to the performance penalty of running the Snort application in verbose mode, it is likely that most production installations of the application are not vulnerable to this issue.

Update: Further messages have stated that other paths to the vulnerable code may be possible. Using the 'frag3' preprocessor, ASCII mode logging, the '-A fast' command-line option, and possibly other options may expose Snort to this vulnerability. Please see the referenced messages for further information.