Filter evasion vulnerability in Snort
Security service iDefense has released information about a vulnerability, already fixed in version 2.8.1 of Snort, that allowed attackers to bypass the Intrusion Detection System filter rules. It is unclear why iDefense has only now released details about the discovered flaw and why vendor Sourcefire didn't mention the vulnerability in its release notes of April 1.
iDefense states that the flaw was caused by the way Time To Live (TTL) values were processed in IP fragments. According to the advisory, Snort did not further evaluate fragments if the difference between the TTL of the last incoming fragment and that of the initial packet was greater than a defined value. Attackers could use malformed TTL values to cause Snort not to apply its attack detection rules to the packet. The maximum difference in Snort is set to 5 by default. According to iDefense, only Snort 2.8 and 2.6 were affected. An alternative to installing the update is to increase the limit to 255 in the snort.conf configuration file:

preprocessor frag3_engine: ttl_limit 255

However, users who have not yet updated to the current version are advised to do so.
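As an added illustration (not code from the article, iDefense or Sourcefire), the following Python models the ttl_limit behaviour described above and audits a snort.conf fragment for the workaround. The reassembly model is a simplification assumed from the advisory's description, not Snort's frag3 code, and the fragments are constructed sample data.

```python
import re
from dataclasses import dataclass

# frag3 default ttl_limit named in the article; 255 is the recommended workaround.
DEFAULT_TTL_LIMIT = 5


@dataclass
class Fragment:
    offset: int    # byte offset of this fragment within the original datagram
    ttl: int       # IP TTL carried by the fragment
    payload: bytes


def ttl_limit_from_conf(conf_text: str) -> int:
    """Return the effective frag3 ttl_limit declared in snort.conf text.

    Handles '#' comments and backslash line continuations; falls back to the
    default of 5 when no frag3_engine line sets ttl_limit.
    """
    limit = DEFAULT_TTL_LIMIT
    for line in conf_text.replace("\\\n", " ").splitlines():
        line = line.split("#", 1)[0].strip()
        if line.startswith("preprocessor frag3_engine"):
            m = re.search(r"\bttl_limit\s+(\d+)\b", line)
            if m:
                limit = int(m.group(1))
    return limit


def reassemble(frags, ttl_limit):
    """Simplified model (an assumption, not Snort's code) of the behaviour the
    advisory describes: a fragment whose TTL differs from the initial fragment's
    TTL by more than ttl_limit is not evaluated by the engine.

    Returns (bytes the engine would inspect, offsets of fragments it skipped).
    """
    if not frags:
        return b"", []
    base_ttl = frags[0].ttl
    kept, skipped = [], []
    for f in frags:
        (kept if abs(f.ttl - base_ttl) <= ttl_limit else skipped).append(f)
    kept.sort(key=lambda f: f.offset)
    return b"".join(f.payload for f in kept), [f.offset for f in skipped]


# Constructed sample: three fragments of one datagram; the last one arrives
# with a TTL 8 hops away from the first, beyond the default limit of 5.
SAMPLE_FRAGS = [
    Fragment(0, 64, b"GET /"),
    Fragment(5, 64, b"index.html"),
    Fragment(15, 72, b" HTTP/1.0\r\n"),
]
```

With the default limit the engine inspects only the first 15 bytes of the request, while ttl_limit 255 lets it see the whole datagram.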
- Multiple Vendor Snort IP Fragment TTL Evasion Vulnerability, advisory by iDefense