Subject: FWD: NetProwler 3.0- Disable Man-in-the-Middle signature
From: Jensenne Roculan (jroculanSECURITYFOCUS.COM)
Date: Wed May 24 2000 - 11:42:13 CDT


Message-ID: <392AD3B3.3E9BE3EAaxent.com>
Date: Tue, 23 May 2000 12:53:39 -0600
From: AXENT Security Team <securityteamaxent.com>
Organization: AXENT
To: bugtraqsecurityfocus.com
Subject: RFP2K05 - NetProwler "Fragmentation" Issue

NetProwler 3.0 will crash if the Man-in-the-Middle signature encounters
a packet for which the following expression evaluates to true:
    (IP_HEADER_LENGTH + TCP_HEADER_LENGTH) > IP_TOTAL_LENGTH

This is not a packet fragmentation problem. It is an issue with
specific malformed packets.

This problem has been fixed in NetProwler 3.5, and the code has been
reviewed for other similar issues.

Solutions:
    1. In NetProwler 3.0, disable the Man-in-the-Middle signature for
       all monitored hosts.
    2. Upgrade to NetProwler 3.5 (to be released in June 2000).

References:
    Advisory RFP2K05 by rain forest puppy.
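
The length check that the advisory's expression implies, as an added example in C (not NetProwler's or AXENT's code): a packet parser validates the IPv4 and TCP header-length fields against the IP total length and the captured size before it touches the payload. The function names, error codes and sample headers are assumptions constructed for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

enum { PKT_OK = 0, PKT_SHORT = -1, PKT_NOT_TCP4 = -2, PKT_BAD_IHL = -3,
       PKT_BAD_TOTAL = -4, PKT_BAD_THL = -5, PKT_HDRS_EXCEED_TOTAL = -6 };

/* Validate IPv4 + TCP header lengths; on success store the TCP payload length. */
int tcp_payload_len(const uint8_t *p, size_t caplen, size_t *payload_len)
{
    if (caplen < 20) return PKT_SHORT;                /* no full IPv4 header */
    if ((p[0] >> 4) != 4 || p[9] != 6) return PKT_NOT_TCP4;
    size_t ihl = (size_t)(p[0] & 0x0f) * 4;           /* IP_HEADER_LENGTH */
    size_t total = ((size_t)p[2] << 8) | p[3];        /* IP_TOTAL_LENGTH */
    if (ihl < 20) return PKT_BAD_IHL;
    if (total > caplen || total < ihl) return PKT_BAD_TOTAL;
    if (total - ihl < 20) return PKT_HDRS_EXCEED_TOTAL; /* no room for a minimal TCP header */
    size_t thl = (size_t)(p[ihl + 12] >> 4) * 4;      /* TCP_HEADER_LENGTH (data offset) */
    if (thl < 20) return PKT_BAD_THL;
    if (ihl + thl > total) return PKT_HDRS_EXCEED_TOTAL; /* the advisory's expression */
    *payload_len = total - ihl - thl;                 /* cannot underflow after the checks */
    return PKT_OK;
}

/* Constructed sample: zeroed headers with only the length fields filled in. */
void make_sample(uint8_t *buf, size_t buflen, unsigned ihl_words,
                 unsigned thl_words, uint16_t total)
{
    memset(buf, 0, buflen);
    buf[0] = (uint8_t)(0x40 | (ihl_words & 0x0f));    /* version 4 + IHL */
    buf[2] = (uint8_t)(total >> 8);
    buf[3] = (uint8_t)(total & 0xff);
    buf[9] = 6;                                       /* protocol = TCP */
    size_t off = (size_t)ihl_words * 4 + 12;          /* TCP data-offset byte */
    if (off < buflen) buf[off] = (uint8_t)(thl_words << 4);
}

int main(void)
{
    uint8_t buf[128]; size_t n = 0;
    make_sample(buf, sizeof buf, 5, 5, 60);
    printf("well-formed: rc=%d payload=%zu\n", tcp_payload_len(buf, sizeof buf, &n), n);
    make_sample(buf, sizeof buf, 5, 15, 40);
    printf("headers > total: rc=%d\n", tcp_payload_len(buf, sizeof buf, &n));
    return 0;
}
```

Without the final comparison, the subtraction that yields the payload length would wrap to a very large unsigned value for the packets the advisory describes.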