[Snort-admin] Fwd: [Snort-devel] [ snort-Bugs-482609 ] large ICMP type 0/8 packet kills snort

Martin Roesch roesch at ...402...
Sat Nov 17 13:40:02 EST 2001


Using Linux?  It doesn't crash on FreeBSD...

     -Marty

Chris Green wrote:
> 
> duplicated (will crash a running snort process) with frag2 enabled.
> 
> Will not without frag2.
> 
>   ------------------------------------------------------------------------
> 
> Subject: [Snort-devel] [ snort-Bugs-482609 ] large ICMP type 0/8 packet kills snort
> Date: Fri, 16 Nov 2001 12:31:52 -0800
> From: noreply at ...12...
> To: noreply at ...12...
> 
> Bugs item #482609, was opened at 2001-11-16 12:31
> You can respond by visiting:
> http://sourceforge.net/tracker/?func=detail&atid=103357&aid=482609&group_id=3357
> 
> Category: None
> Group: None
> Status: Open
> Resolution: None
> Priority: 5
> Submitted By: Nobody/Anonymous (nobody)
> Assigned to: Nobody/Anonymous (nobody)
> Summary: large ICMP type 0/8 packet kills snort
> 
> Initial Comment:
> From a console on the snort sensor I issued the command:
> 
> # ping -s 65507 [host]
> 
> The snort process immediately dies.  The actual threshold
> seems to be 65279 (65307) bytes.
> 
> One would not usually issue such a command directly
> from a sensor.  If the echo reply is indeed killing the
> process, then theoretically you could crash a sensor with
> artificially created ICMP type 0 packets > 65307 bytes,
> assuming it is not operating in stealth mode.
> 
> System Architecture: x86
> 
> Operating System and version: Linux 2.2.16
> 
> rules:
> include exploit.rules
> include scan.rules
> include ftp.rules
> include telnet.rules
> include smtp.rules
> include rpc.rules
> include rservices.rules
> include backdoor.rules
> include dos.rules
> include ddos.rules
> include dns.rules
> include netbios.rules
> include web-iis.rules
> include web-misc.rules
> include sql.rules
> include icmp.rules
> include shellcode.rules
> include misc.rules
> include policy.rules
> 
> command line switches:
> -c /etc/snort/snort.conf -i eth2 -D
> 
> gdb:
> #0  0x100fffe in ?? () at eval.c:41
> #1  0x804cb0f in ProcessPacket (user=0x0, pkthdr=0x8146608, pkt=0x8146708 "") at snort.c:534
> #2  0x8079ab0 in RebuildFrag (ft=0x84c8b20, p=0xbffff440) at spp_frag2.c:752
> #3  0x80795ae in Frag2Defrag (p=0xbffff440) at spp_frag2.c:472
> #4  0x8057a46 in Preprocess (p=0xbffff440) at rules.c:3426
> #5  0x804cb0f in ProcessPacket (user=0x0, pkthdr=0xbffff900, pkt=0x81448b8 "") at snort.c:534
> #6  0x40031b23 in pcap_read_packet (handle=0x8144728, callback=0x804c9e8 <ProcessPacket>, userdata=0x0) at ./pcap-linux.c:445
> #7  0x40032b3f in pcap_loop (p=0x8144728, cnt=-1, callback=0x804c9e8 <ProcessPacket>, user=0x0) at ./pcap.c:79
> #8  0x804dfa3 in InterfaceThread (arg=0x0) at snort.c:1561
> #9  0x804c9db in main (argc=5, argv=0xbffffab4) at snort.c:467
> #10 0x4012a5d7 in __libc_start_main () at eval.c:41
> 
> 
> _______________________________________________
> Snort-devel mailing list
> Snort-devel at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-devel
> 
>   ------------------------------------------------------------------------
> 
> --
> Chris Green <cmg at ...81...>
> A watched process never cores.

--
Martin Roesch - President, Sourcefire Inc. - (410)552-6999
roesch at ...402... - http://www.sourcefire.com  
Snort: Open Source Network IDS - http://www.snort.org
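An added illustration, not code from Snort, frag2 or anyone in this thread: a minimal IPv4 fragment reassembler that refuses to build anything past the 65535-byte IP datagram ceiling, fed constructed fragments that mimic the `ping -s 65507` echo from the report (the largest datagram IPv4 can carry, split at a 1500-byte MTU). The reporter's measured thresholds (65279/65307) are not reproduced, and the thread does not identify frag2's actual root cause; the point is the bound a defragmenter must enforce before handing a rebuilt packet to the rest of the engine.

```python
# Added illustration (not Snort's frag2): IPv4 fragment reassembly with the bounds
# checks a defragmenter needs before passing a rebuilt datagram onward.

MAX_IP_DATAGRAM = 65535   # 16-bit IP total-length field: absolute ceiling
IP_HDR_LEN = 20           # IP header without options
FRAG_UNIT = 8             # fragment offset is counted in 8-byte units

class FragmentError(ValueError):
    """Raised instead of writing past the largest legal datagram."""

def reassemble(fragments):
    """fragments: iterable of (offset_units, more_fragments, payload); returns the IP payload."""
    buf, filled = bytearray(), bytearray()
    final_end = None
    for off_units, more, payload in fragments:
        start, end = off_units * FRAG_UNIT, off_units * FRAG_UNIT + len(payload)
        if end + IP_HDR_LEN > MAX_IP_DATAGRAM:      # would overrun any 64 KiB rebuild buffer
            raise FragmentError(f"fragment ends at byte {end + IP_HDR_LEN} > {MAX_IP_DATAGRAM}")
        if more and len(payload) % FRAG_UNIT:
            raise FragmentError("non-final fragment length not a multiple of 8")
        if not more:
            if final_end is not None and final_end != end:
                raise FragmentError("conflicting final fragments")
            final_end = end
        if len(buf) < end:                          # grow data and coverage map together
            buf.extend(bytes(end - len(buf)))
            filled.extend(bytes(end - len(filled)))
        buf[start:end] = payload                    # overlap policy here: last writer wins
        filled[start:end] = b"\x01" * len(payload)
    if final_end is None or len(buf) > final_end:
        raise FragmentError("no final fragment, or data beyond it")
    if 0 in filled:
        raise FragmentError("hole in reassembled datagram")
    return bytes(buf)

def reassembly_error(fragments):
    """Return the FragmentError message, or None if reassembly succeeds."""
    try:
        reassemble(fragments)
    except FragmentError as exc:
        return str(exc)
    return None

def echo_fragments(data_len=65507, mtu=1500):
    """Constructed sample: an ICMP echo request (type 8) with data_len data bytes, split at mtu."""
    icmp = bytes([8, 0, 0, 0, 0, 1, 0, 1]) + bytes(i & 0xFF for i in range(data_len))
    per_frag = (mtu - IP_HDR_LEN) // FRAG_UNIT * FRAG_UNIT    # 1480 payload bytes per fragment
    return [(s // FRAG_UNIT, s + per_frag < len(icmp), icmp[s:s + per_frag])
            for s in range(0, len(icmp), per_frag)]
```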
