Re: Snort exploit in wild.
On Fri, 2003-04-25 at 11:19, David Ramsden wrote:
> Noticed on vil.mcafee.com that a proof of concept exploit for Snort to
> exploit the vuln. found in v1.8 through to 1.9.1.
up to 2.0rc1 as reported by cert
> What's the status of a patch from Debian Security? No DSA yet either.
> I know this has been brought up a few times already but now an exploit
> exists in the wild.
don't know if the debian package is affected, however it should
> As a workaround, I could disable snort (granted) but also, how can I use
> /etc/apt/preferences to update /just/ snort to a non-vuln. version from
> another branch (unstable/testing)? What line do I need in
> /etc/apt/sources.list? And how easy is it to downgrade to the stable
> version if something goes wrong or a patch is released from Debian?
don't do it... unstable/snort depends on a libc version not available in
stable, and maybe there are some other unresolved dependencies...
instead get the deb-src and try to recompile... I think it's not so
linear, but it should work...
in the meantime (from the cert advisory):
> Disable affected preprocessor modules
>
> Sites that are unable to immediately upgrade affected Snort sensors
> may prevent exploitation of this vulnerability by commenting out the
> affected preprocessor modules in the "snort.conf" configuration file.
>
> To prevent exploitation of VU#139129, comment out the following line:
>
> preprocessor stream4_reassemble
>
> To prevent exploitation of VU#916785, comment out the following line:
>
> preprocessor rpc_decode: 111 32771
>
> After commenting out the affected modules, send a SIGHUP signal to the
> affected Snort process to update the configuration. Note that
> disabling these modules may have adverse effects on a sensor's ability
> to correctly process RPC record fragments and TCP packet fragments. In
> particular, disabling the "stream4" preprocessor module will prevent
> the Snort sensor from detecting a variety of IDS evasion attacks.
Regards,
Gian Piero.
PS: about the pinning question, please read the apt-howto
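The workaround quoted from the CERT advisory above, scripted as an added example (this is my code, not part of the thread or of the advisory): it comments out the two affected preprocessor lines in a copy of snort.conf, keeps a backup, and shows the diff so an operator can review the change before reloading the sensor. The config path argument, the ".bak" backup name and the sample config contents are my assumptions; the advisory itself only names the two lines and says to send SIGHUP afterwards.

```shell
#!/bin/sh
# Added example, not from the original thread or the CERT advisory.
# Comments out the Snort preprocessor lines named in the advisory
# (VU#139129: stream4_reassemble, VU#916785: rpc_decode) in a snort.conf,
# keeping a backup so the change can be reviewed and reverted.
#
# Assumptions (mine, not the page's): the config path is passed as an
# argument, the backup is written next to it as "<path>.bak", and the
# preprocessor lines look like the ones quoted in the advisory.

# Write a constructed sample snort.conf so the script runs offline.
make_sample_conf() {
    cat > "$1" <<'EOF'
var HOME_NET any
preprocessor frag2
preprocessor stream4: detect_scans
preprocessor stream4_reassemble
preprocessor rpc_decode: 111 32771
preprocessor http_decode: 80
EOF
}

# Comment out the affected preprocessor lines, keeping "<conf>.bak".
# Only lines that begin with "preprocessor stream4_reassemble" or
# "preprocessor rpc_decode:" are touched; "preprocessor stream4:" itself
# and already-commented lines are left as they are.
disable_affected_preprocessors() {
    conf="$1"
    cp "$conf" "$conf.bak"
    sed -e 's/^[[:space:]]*preprocessor[[:space:]][[:space:]]*stream4_reassemble/# &/' \
        -e 's/^[[:space:]]*preprocessor[[:space:]][[:space:]]*rpc_decode:/# &/' \
        "$conf.bak" > "$conf"
}

# Print how many affected preprocessor lines are still active (uncommented).
# grep -c exits 1 when the count is 0, so "|| true" keeps "set -e" scripts alive.
count_active_affected() {
    grep -Ec '^[[:space:]]*preprocessor[[:space:]]+(stream4_reassemble|rpc_decode:)' "$1" || true
}

# Demo on the constructed config: edit, show the diff, report what remains.
demo_conf=$(mktemp)
make_sample_conf "$demo_conf"
echo "Active affected lines before: $(count_active_affected "$demo_conf")"
disable_affected_preprocessors "$demo_conf"
echo "Changed lines (backup vs. edited):"
diff "$demo_conf.bak" "$demo_conf" || true
echo "Active affected lines after: $(count_active_affected "$demo_conf")"
echo "Next step per the advisory: send SIGHUP to the running snort process so it rereads the config."
rm -f "$demo_conf" "$demo_conf.bak"
```

The script deliberately does not locate or signal the Snort process itself; after checking the diff, the operator sends SIGHUP to the sensor's PID as the advisory describes, and the backup makes it easy to restore the original file once a fixed package is installed.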