[Tfug] Snort usage and security precautions
Adrian
choprboy at dakotacom.net
Tue Aug 15 11:03:07 MST 2006
On Monday 14 August 2006 18:16, Brian Murphy wrote:
> I just keep it relatively up to date. Where do you see new snort
> vulnerabilities every other week? I'm looking at the 2.4 series
> release dates and it doesn't seem that bad.
>
I keep an eye out on ISC-SANS for new trends and announcements. Earlier this
year and late last year I seem to remember a number of notes on Snort
vulnerabilities and bypasses at ISC-SANS. Looking back and collating them, a
lot of the entries seem to be rehashes of updates/information on the BO
exploit and the URI bypass.
Doing a quick search I come up with:

May 2006 - Bypass URI content/detection rules (about half a dozen entries, May-Jun)
Oct 2005 - BO preprocessor exploit (more than a dozen entries, Sep-Nov)
Sep 2005 - PrintTcpOptions Denial of Service
Sep 2005 - SACK TCP Remote Denial of Service

So I must have been seeing the same thing, thinking it was different issues at
the time. I could have sworn there were a number of others earlier this year,
but I sure can't find them at the moment... So maybe it's not as bad as I
thought. The idea of throwing it out on the internet when I don't have a
sacrificial machine still gives me pause though.
Adrian