Recent changes to bugs

Back Orifice

Anonymous — Sat, 22 Oct 2005 21:25:19 -0000

Hi,

What exactly is this Back Orifice Traffic and how to
detect Back Orifice traffic thru rules. If so can you
specify the rules to detect the same.

Is it advisable to upgarade to 2.4.3 just because of
this Back Orifice Vulnerability alone which has fixed
in 2.4.3.

From where I can get the differences between version
2.3 and 2.4.3.

Rgds,
Surya

no PID File

Anonymous — Mon, 22 Mar 2004 12:59:10 -0000

calling snort-inline

/usr/sbin/snort -c /etc/snort/snort.conf -D -u snort -g
snort -d -e -o -p -A fast -m 022 -i eth0

snort is running but there is no PID file in /var/run

tested with 2.1.1 and 2.1.0a

chris_______@hotmail.com

After a lot of tries, a packet can pass through snort-inline

Federico Petronio — Tue, 13 Jan 2004 21:45:44 -0000

I have snort-inline 2.0.1 installed. I change the rule
2077 acction to drop.

Then I try to access, using Mozilla 1.5 and IE6.0, the URL:
http://server_name/admin/fileman/upload.php?dir=

the snort-inline log start showing lines like this:

[**] [1:2077:2] WEB-PHP Mambo upload.php access [**]
[Classification: access to a potentially vulnerable web
application] [Priority: 2]
01/13-18:31:06.944124 200.43.81.205:1586 -> 10.2.0.10:80
TCP TTL:117 TOS:0x0 ID:3095 IpLen:20 DgmLen:578 DF
***AP*** Seq: 0x45A19C2C Ack: 0x425899A4 Win: 0xFFFF
TcpLen: 20
[Xref => http://www.securityfocus.com/bid/6572\]

but after 5 minutes of that, the webserver get the
query and answed. That means that snort-inline let pass
through the packet that should drop.

After a lot of tries, a packet can pass through snort-inline

Anonymous — Tue, 13 Jan 2004 21:39:39 -0000

I have snort-inline 2.0.1 installed. I change the rule
2077 acction to drop.

Then I try to access, using Mozilla 1.5 and IE6.0, the URL:
http://<server>/admin/fileman/upload.php?dir=

the snort-inline log start showing lines like this:

but after 5 minutes of that, the webserver get the
query and answed. That means that snort-inline let pass
through the packet that should drop.

mail: fpetronio@petrus.agro.uba.ar

new libnet 1.1.0 suse 9.0 doesn't support snort inline calls

Anonymous — Tue, 02 Dec 2003 17:53:48 -0000

When compiling snort inline code on a SuSE 9.0 distro
with libnet 1.1.0 (I think) installed over RPM, I
received the following make messages: (after running
./configure ; make)

inline.c: In function `InitInline':
inline.c:95: warning: implicit declaration of function
`libnet_open_raw_sock'
inline.c:103: error: `IP_H' undeclared (first use in
this function)
inline.c:103: error: (Each undeclared identifier is
reported only once
inline.c:103: error: for each function it appears in.)
inline.c:103: error: `TCP_H' undeclared (first use in
this function)
inline.c:118: warning: implicit declaration of function
`libnet_build_ip'
inline.c:118: error: `PRu16' undeclared (first use in
this function)
inline.c:122: warning: passing arg 8 of
`libnet_build_tcp' makes integer from pointer without a
cast
inline.c:122: error: too few arguments to function
`libnet_build_tcp'
inline.c:125: error: `ICMP_UNREACH_H' undeclared (first
use in this function)
inline.c:127: warning: implicit declaration of function
`libnet_build_icmp_unreach'
inline.c: In function `HandlePacket':
inline.c:214: error: `IP_H' undeclared (first use in
this function)
inline.c:214: error: `TCP_H' undeclared (first use in
this function)
inline.c:225: warning: passing arg 1 of
`libnet_do_checksum' from incompatible pointer type
inline.c:225: warning: passing arg 2 of
`libnet_do_checksum' makes pointer from integer without
a cast
inline.c:225: error: too few arguments to function
`libnet_do_checksum'
inline.c:226: warning: implicit declaration of function
`libnet_write_ip'
inline.c:228: warning: implicit declaration of function
`libnet_error'
inline.c:228: error: `LIBNET_ERR_CRITICAL' undeclared
(first use in this function)
inline.c:249: error: `ICMP_UNREACH_H' undeclared (first
use in this function)
inline.c:256: warning: passing arg 1 of
`libnet_do_checksum' from incompatible pointer type
inline.c:256: warning: passing arg 2 of
`libnet_do_checksum' makes pointer from integer without
a cast
inline.c:256: error: too few arguments to function
`libnet_do_checksum'

Hope this helps. By the way, installing libnet from
suse 8.2 (through rpm again), the source compiled fine.

--with-libipq-includes has no effect

Dennis Henriksen — Tue, 07 Oct 2003 13:30:34 -0000

The configure script does not allow overriding default
placement of libipq includes despite the presence of
'--with-libipq-includes'.

The user specified path is correctly set prior to
testing for the presence of the library, but the
manually coded test for include files does not honor
this, thus alway failing the test.

Please consider using the following code instead:

AC_ARG_WITH(libipq_includes,
[ --with-libipq-includes=DIR
libipq include directory],

[with_libipq_includes="$withval"],[with_libipq_includes=no])

AC_ARG_WITH(libipq_libraries,
[ --with-libipq-libraries=DIR
libipq library directory],

[with_libipq_libraries="$withval"],[with_libipq_libraries=no]

if test "$with_libipq_includes" != "no"; then
CPPFLAGS="${CPPFLAGS}
-I${with_libipq_includes}"
fi

AC_CHECK_HEADER(libipq.h, , [AC_ERROR(libipq.h
not found ...)])

if test "$with_libipq_libraries" != "no"; then
LDFLAGS="${LDFLAGS}
-L${with_libipq_libraries}"
fi

AC_CHECK_LIB(ipq, ipq_set_mode,, AC_ERROR(
Libipq library/headers not found, go get
it from www.netfilter.org
or use the --with-libipq-* options, if you
have it installed\ in unusual place))

configure --enable-inline disables inline support

Dennis Henriksen — Tue, 07 Oct 2003 13:23:30 -0000

The configure script in its present form, will ALWAYS
disable inline support in response to either
'--enable-inline' or '--disable-inline'.

The following replacement fixes this problem:
------[ Begin snippet ] ------------------
AC_ARG_ENABLE(inline,
[ --disable-inline Do not use the libipq
interface for inline snort],
[enable_inline="enableval"],
enable_inline="yes")

if test "$enable_inline" != "no"; then
if test "$enable_inline" = "yes"; then
CFLAGS="$CFLAGS -DGIDS"
---------[ end snippet]---------------------