In association with heise online

20 February 2007, 10:06

Hole in Snort intrusion detector

  • Twitter
  • Facebook
  • submit to slashdot
  • StumbleUpon
  • submit to reddit

Sourcefire has announced the discovery of a hole in its Open Source intrusion detection system called Snort that allows code to be injected into a monitoring system and executed with the rights of Snort. In the process, attackers not only get past the intrusion detection but could also take complete control of systems.

The cause of the vulnerability is a buffer overflow in the preprocessor for processing the DCE/RPC protocol, which is used for distributed applications under Unix and Windows. Although the DCE/RPC preprocessor in Snort is activated by default, DCE-RPC traffic is usually blocked at the firewall. For most users, risks from the Internet will probably be slight.

Snort 2.6.1,, and are affected. The flaw also affects the commercial version. The update for remedies the problem. No update has yet been made available for Snort 2.7.0. As a workaround, users should disable the affected preprocessor. To do so, add the following to snort.conf:

#preprocessor dcerpc: \
# autodetect \
# max_frag_size 3000 \
# memcap 100000

Then restart Snort. Sourcefire says it will soon be releasing a rule pack to detect attacks on the DCE/RPC preprocessor.

See also:


Print Version | Send by email | Permalink:

  • July's Community Calendar

The H Open

The H Security

The H Developer

The H Internet Toolkit