Quoting Paul Schmehl <pauls@utdallas.edu>:
I'm trying to figure out what the exploit is for this rule, and the
FrSIRT "explanation" is a bit of a headscratcher.
Here's the rule:
alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"EXPLOIT RSVP Protocol
zero length object DoS attempt"; content:"|01|"; depth:1; offset:11;
byte_test:1,<,4,13; pcre:"/^.{10}[\x14\x15]\x01.{1}[\x00-\x03]/sm";
reference:url,www.frsirt.com/english/advisories/2005/0411;
classtype:attempted-dos; sid:4638; rev:3; )
It seems to me that to exploit this flaw, the victim would have to be
running tcpdump on a router that is running RSVP or possibly sniffing
the traffic between two routers running RSVP.
Then by engineering some special RSVP traffic out one router interface
the aggressor could crash tcpdump on the other router or on the
network monitoring device.
It does seem like a bit of a stretch for a small payoff (crash the
tcpdump process). I suspect if I own one of your routers, you have a
way bigger problem than if I decide to crash your network monitor.
I would be included to call it a bad rule. Can you post the packet
traces that are causing it to fire off?
t
-------------------------------------------------
Email solutions, MS Exchange alternatives and extrication,
security services, systems integration.
Contact: services@doctorunix.com
-------------------------------------------------------------------------
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/
_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
