[Snort-devel] Weird snort output - probably arpspoof output

Bill Marquette wlmarque at ...10...
Thu Jul 12 11:43:47 EDT 2001


Alright...looks like I may have found a possible cause for the weird log
messages.  I'm guessing the code was just never filled in (yeah, I know it's
experimental, and yes I know that it was proof of concept :)).  Anyways, from
ARPspoofPreprocFunction(), we init logMessage but never seem to actually fill it
before it's used.
    char logMessage[180];
    ...
    switch(ntohs(p->ah->ea_hdr.ar_op))
    {
        case ARPOP_REQUEST:
            if (check_directed_arp)
            {
                if (memcmp((u_char *)p->eh->ether_dst, (u_char *)bcast, 6) != 0)
                {
                    SetEvent(&event, GENERATOR_SPP_ARPSPOOF,
                             ARPSPOOF_DIRECTED_ARP_REQUEST, 1, 0, 0, 0);
                    CallAlertFuncs(NULL, logMessage, NULL, &event);
#ifdef DEBUG
                    fprintf(stderr, "directed ARP request\n");
#endif
                }
            }

(and yes, I have -directed turned on right now).

and from log.c (AlertFast())
        if(pv.alert_interface_flag)
        {
            fprintf(file, " <%s> ", pv.interfaces[0]);
            fwrite(msg, strlen(msg), 1, file);
        }
        else
        {
            fwrite(msg, strlen(msg), 1, file);
        }

looks like we are probably passing a NULL string of length 0 (hopefully assuming
that the original allocation did what we expected it to) to fwrite().  My best
guess is that on Solaris this isn't a happy thing.  Unfortunately, I haven't
been able to reproduce this (or get any other output out of the ARPspoof
preprocessor :-/)  Anyone else???

--Bill


(had to cut and paste from vi to get the hex values for this garbage)

07/11-07:33:55.030018  [**] [112:1:1] \241\350\367\300\200 [**]
07/11-07:56:11.275110  [**] [112:1:1] \357\377\362 \374^B\233\200 [**]

I'm using -Afast but based on the AlertFast() function, it looks like this is an
error in the message that gets passed into it.  I'll try and dig into this a
little more today.

--Bill
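Added example (not Snort's code) modelling the two halves of the problem Bill describes above: the preprocessor must actually write into logMessage before CallAlertFuncs(), and an AlertFast()-style writer should not trust strlen() on a caller-supplied buffer. bounded_len(), arpspoof_format_msg() and fast_alert_write() are hypothetical names, and the 0xA1 fill is a constructed stand-in for whatever an unwritten stack buffer happens to contain.

```c
#include <stdio.h>
#include <string.h>

/* strlen() capped at the buffer's capacity: a never-terminated buffer cannot
 * make the caller read past its end (what fwrite(msg, strlen(msg), ..) risks). */
size_t bounded_len(const char *s, size_t cap)
{
    const char *nul = memchr(s, '\0', cap);
    return nul ? (size_t)(nul - s) : cap;
}

/* What the preprocessor should do before CallAlertFuncs(): fill logMessage.
 * Hypothetical helper; returns the length snprintf() produced. */
int arpspoof_format_msg(char *buf, size_t bufsz, const unsigned char mac[6])
{
    return snprintf(buf, bufsz,
                    "ARPspoof: directed ARP request to %02x:%02x:%02x:%02x:%02x:%02x",
                    mac[0], mac[1], mac[2], mac[3], mac[4], mac[5]);
}

/* Hardened stand-in for AlertFast(): NULL/empty messages get a visible placeholder
 * and the length is bounded by the buffer capacity, not strlen(). Returns the
 * number of characters the line needs (snprintf semantics). */
int fast_alert_write(char *out, size_t outsz, const char *ts,
                     int gid, int sid, int rev, const char *msg, size_t msgcap)
{
    const char *text = "(empty alert message)";
    size_t len = strlen(text);
    if (msg != NULL && msgcap > 0) {
        size_t n = bounded_len(msg, msgcap);
        if (n > 0) { text = msg; len = n; }
    }
    return snprintf(out, outsz, "%s  [**] [%d:%d:%d] %.*s [**]\n",
                    ts, gid, sid, rev, (int)len, text);
}

int main(void)
{
    char logMessage[180], line[320];
    const unsigned char dst[6] = {0x00, 0x11, 0x22, 0x33, 0x44, 0x55}; /* constructed */
    const char *ts = "07/11-07:33:55.030018";

    memset(logMessage, 0xA1, sizeof logMessage);  /* stand-in for unwritten stack: no NUL */
    fast_alert_write(line, sizeof line, ts, 112, 1, 1, logMessage, sizeof logMessage);
    fputs(line, stdout);                          /* garbage, but bounded to 180 bytes */
    arpspoof_format_msg(logMessage, sizeof logMessage, dst);  /* the missing step */
    fast_alert_write(line, sizeof line, ts, 112, 1, 1, logMessage, sizeof logMessage);
    fputs(line, stdout);
    return 0;
}
```

The first line printed reproduces the kind of garbage in the quoted alerts, only with a hard upper bound; the second is what the alert should have looked like once logMessage is filled.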



_______________________________________________
Snort-devel mailing list
Snort-devel at lists.sourceforge.net
http://lists.sourceforge.net/lists/listinfo/snort-devel