Snort Rule Matching Complexity Lets Remote Users Deny Service via Backtracking Attacks
SecurityTracker Alert ID: 1017508
SecurityTracker URL: http://securitytracker.com/id?1017508
CVE Reference: CVE-2006-6931
Updated: May 19 2008
Original Entry Date: Jan 12 2007
Impact: Denial of service via network
Fix Available: Yes
Exploit Included: Yes
Vendor Confirmed: Yes
Version(s): prior to 2.6.1
Description: A vulnerability was reported in Snort. A remote user can cause denial of service conditions.
A remote user can send specially crafted packets that force the rule matcher to backtrack and invoke every possible string or regular expression match contained in a Snort filter. Such a "worst case" backtracking attack can cause the target system to take an excessive amount of time to test the rule against the packet. As a result, the system may be unable to keep up with incoming packets and a remote user can evade detection.
Randy Smith, Christian Estan, and Somesh Jha of the University of Wisconsin-Madison discovered this vulnerability.
The original advisory is available at:
http://www.cs.wisc.edu/~smithr/pubs/acsac2006.pdf
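The following is an added illustration, not Snort's code or the researchers' code: a simplified model of ordered multi-content rule matching with backtracking, next to a memoized form in which each (content, offset) pair is evaluated at most once, so the same packet costs far fewer substring searches. The rule layout and the `within` semantics are assumptions made for the model, and the worst-case payload is constructed.

```python
# Added illustration of ordered multi-content matching with backtracking,
# and the memoized form that bounds the work.  Not Snort's code; the rule
# model and the `within` semantics are simplifications (assumptions).

def evaluate(rule, payload, memoize):
    """Match an ordered list of (content, within) pairs against payload.

    Each content must lie entirely inside the `within` bytes that follow
    the previous content's match (assumed simplification of distance/within).
    Returns (matched, number_of_substring_searches).
    """
    calls = 0
    cache = {}  # (content index, offset) -> result, used when memoize is set

    def search(i, pos):
        nonlocal calls
        if i == len(rule):
            return True
        if memoize and (i, pos) in cache:
            return cache[(i, pos)]
        content, within = rule[i]
        limit = min(len(payload), pos + within)
        start, found = pos, False
        while True:
            calls += 1
            hit = payload.find(content, start, limit)
            if hit < 0:
                break
            if search(i + 1, hit + len(content)):
                found = True
                break
            start = hit + 1  # backtrack: retry with the next occurrence
        if memoize:
            cache[(i, pos)] = found
        return found

    matched = search(0, 0)
    return matched, calls


# Constructed worst case: the first contents match at many offsets while the
# last one never does, so the naive matcher re-examines the same suffixes.
WORST_RULE = [(b"a", 64), (b"a", 64), (b"a", 64), (b"z", 64)]
WORST_PAYLOAD = b"a" * 24

if __name__ == "__main__":
    for memo in (False, True):
        matched, calls = evaluate(WORST_RULE, WORST_PAYLOAD, memo)
        print(f"memoize={memo}: matched={matched}, searches={calls}")
```

Both forms return the same verdict for every payload; only the number of searches differs, which is the cost the advisory describes.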
Impact: A remote user can cause denial of service conditions, which may allow the remote user to evade detection.
Solution: The vendor has issued a fixed version (2.6.1).
The Snort advisory is available at:
http://www.snort.org/pub-bin/snortnews.cgi#591
Vendor URL: www.snort.org/pub-bin/snortnews.cgi#591
Cause: State error
Underlying OS: Linux (Any), UNIX (Any), Windows (Any)
Message History:
None.
Source Message Contents
Date: Thu, 11 Jan 2007 23:34:16 -0500
Subject: Snort
http://www.snort.org/pub-bin/snortnews.cgi#591
http://www.cs.wisc.edu/~smithr/pubs/acsac2006.pdf