Snort Signature Mislabeling Weakness

Bugtraq ID:	9683
Class:	Failure to Handle Exceptional Conditions
CVE:
Remote:	Yes
Local:	No
Published:	Feb 17 2004 12:00AM
Updated:	Feb 17 2004 12:00AM
Credit:	The disclosure of this issue has been credited to Nicob <[email protected]>.
Vulnerable:	Snort Project Snort 2.1 .0 Snort Project Snort 2.0.6
Not Vulnerable:	Snort Project Snort 2.1.1 RC1

Snort Signature Mislabeling Weakness

It has been reported that Snort is prone to a weakness that may cause an analyst or the correlation engine to improperly identify a signature. It has been reported that due to unspecified circumstances, the application may incorrectly classify network traffic with a "MS-SQL Worm propagation attempt" label or other labels. Under some circumstances, misreported traffic may be incorrectly flagged as innocuous.

Snort versions 2.0.6 and 2.1.0 have been reported to be prone to this weakness.

Snort Signature Mislabeling Weakness

This weakness does not require an exploit as it is an inadvertent software bug that results in Snort mislabeling certain network events.

Snort Signature Mislabeling Weakness

Solution:
This issue has been addressed in Snort 2.1.1-RC1.


Snort Project Snort 2.0.6

• Snort Project snort-2.1.1-RC1.tar.gz
  http://www.snort.org/dl/snort-2.1.1-RC1.tar.gz

Snort Project Snort 2.1 .0

• Snort Project snort-2.1.1-RC1.tar.gz
  http://www.snort.org/dl/snort-2.1.1-RC1.tar.gz

Snort Signature Mislabeling Weakness

References:

• Snort Homepage (Snort Project)