Red Hat Bugzilla – Bug 193809
CVE-2006-2769 Snort URIContent Rules Detection Evasion Vulnerability
Last modified: 2007-11-30 17:11:34 EST
Snort is reportedly prone to a vulnerability that may allow malicious packets
to bypass detection.
A successful attack can allow attackers to bypass intrusion detection and to
carry out attacks against computers protected by Snort.
This vulnerability affects Snort 2.4.4. Other versions may be vulnerable as
there is no CVE yet
I've applied the supplied patch.
Fixed in 2.4.4-4
Hans would you mind doing an audit of the snort code? this is the second
similar vulnerability this year
turns out that the patch is incomplete.
FYI: due to rawhide libpcap packaging issues, libpcap may have been statically
linked in in the current devel snort package, see bug 193189 comment 2
One possible workaround: BuildRequire both libpcap and libpcap-devel
Ping, status update?
I was looking at thins last night. I have updated to 2.6.0 since and
according to snort.org its fixed there
Sourcefire is aware of a possible Snort evasion that exists in the
http_inspect preprocessor. This evasion case only applies to protected Apache
web servers. We have prepared fixes for both the 2.4 and 2.6 branches and will
have fully tested releases, including binaries, available for both on Monday,
The Apache web server supports special characters in HTTP requests that do
not affect the processing of the particular request. The current target-based
profiles for Apache in the http_inspect preprocessor do not properly handle
these requests, resulting in the possibility that an attacker can bypass
detection of rules that use the "uricontent" keyword by embedding special
characters in a HTTP request.
It is important to note that this is an evasion and not a vulnerability. This
means that while it is possible for an attacker to bypass detection, Snort
sensors and the networks they protect are not at a heightened risk of other
Sourcefire has prepared fixes and is currently finalizing a complete round of
testing to ensure that the fixes not only solve the issue at hand but do not
create new bugs as well. The following releases, including binaries for Linux
and Windows deployments, will be available on Monday, June 5th:
* Snort v2.4.5
* Snort v2.6.0 final
Any questions regarding these releases can be sent to