Q5) Frag3 has the problem in the snapshot I downloaded, why
won't you admit it?
A5) Because you're wrong. The snapshot you're referring to
has the fixes in PrintTcpOptions(), so even with the call to
PrintIPPkt() in there the DoS doesn't work. Version 2.4.0
did not have the code you are referring to.
I just grabbed the snapshot tarball from the website and it does
have the duplicate log Frag3 issues mentioned... It is correct in
CVS, so subsequent snapshot tarballs resolve this.
However, with the fixes to PrintTcpOptions being in the tarball,
it wouldn't be a DoS problem other than extra printfs.
Q13) Justin Ferguson made a patch against 2.3.3 that fixes
this problem, should I use it?
A13) I would not under any circumstances move back to 2.3.3
or use a patch from an untrusted 3rd party in a production
sensor, there were many bug fixes and new features
incorporated in 2.4.0 and reverting to an old version is a
step in the wrong direction. It is far safer and advisable
to use the log.c in CVS or wait for the 2.4.1 release if
you're not running fast/full alerting or ASCII logging.
The changes made on August 23 by Sourcefire are the same as those
in the patch to 2.3.3. Those changes have been in the 2.4 CVS
repository [and are in the snapshot tarball] for almost a month
(since the original poster brought this to our attention).
End of story.
Cheers.
-steve
-------------------------------------------------------
SF.Net email is sponsored by:
Tame your development challenges with Apache's Geronimo App Server. Download
it for free - -and be entered to win a 42" plasma tv or your very own
Sony(tm)PSP. Click here to play: http://sourceforge.net/geronimo.php
_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
