[Snort-devel] [ snort-Bugs-482609 ] large ICMP type 0/8 packetkills snort

Chris Green cmg at ...81...
Sat Nov 17 13:54:01 EST 2001


Martin Roesch <roesch at ...402...> writes:

> Using Linux?  It doesn't crash on FreeBSD...
>
>      -Marty

Yes - Linux sensor.  Ping didn't involve sensor ( local <-> remote
host ) directed at sensor.  Hrm, using tcpdump to save the packets then
running snort on the binary capture doesn't crash snort.

>
> Chris Green wrote:
>> 
>> duplicated ( will crash a running snort process ) with frag2 enabled.
>> 
>> Will not without frag2.
>> 
>>   ------------------------------------------------------------------------
>> 
>> Subject: [Snort-devel] [ snort-Bugs-482609 ] large ICMP type 0/8 packet
>>      kills snort
>> Date: Fri, 16 Nov 2001 12:31:52 -0800
>> From: noreply at ...12...
>> To: noreply at ...12...
>> 
>> Bugs item #482609, was opened at 2001-11-16 12:31
>> You can respond by visiting:
>> http://sourceforge.net/tracker/?func=detail&atid=103357&aid=482609&group_id=3357
>> 
>> Category: None
>> Group: None
>> Status: Open
>> Resolution: None
>> Priority: 5
>> Submitted By: Nobody/Anonymous (nobody)
>> Assigned to: Nobody/Anonymous (nobody)
>> Summary: large ICMP type 0/8 packet kills snort
>> 
>> Initial Comment:
>> From a console on the snort sensor I issued the command:
>> 
>> # ping -s 65507 [host]
>> 
>> The snort process immediately dies.  The actual threshold
>> seems to be 65279 (65307) bytes.
>> 
>> One would not usually issue such a command directly
>> from a sensor.  If the echo reply is indeed killing the
>> process, then theoretically you could crash a sensor with
>> artificially created ICMP type 0 packets > 65307 bytes,
>> assuming it is not operating in stealth mode.
>> 
>> System Architecture: x86
>> 
>> Operating System and version: Linux 2.2.16
>> 
>> rules:
>> include exploit.rules
>> include scan.rules
>> include ftp.rules
>> include telnet.rules
>> include smtp.rules
>> include rpc.rules
>> include rservices.rules
>> include backdoor.rules
>> include dos.rules
>> include ddos.rules
>> include dns.rules
>> include netbios.rules
>> include web-iis.rules
>> include web-misc.rules
>> include sql.rules
>> include icmp.rules
>> include shellcode.rules
>> include misc.rules
>> include policy.rules
>> 
>> command line switches:
>> -c /etc/snort/snort.conf -i eth2 -D
>> 
>> gdb:
>> #0  0x100fffe in ?? () at eval.c:41
>> #1  0x804cb0f in ProcessPacket (user=0x0, pkthdr=0x8146608, pkt=0x8146708 "") at snort.c:534
>> #2  0x8079ab0 in RebuildFrag (ft=0x84c8b20, p=0xbffff440) at spp_frag2.c:752
>> #3  0x80795ae in Frag2Defrag (p=0xbffff440) at spp_frag2.c:472
>> #4  0x8057a46 in Preprocess (p=0xbffff440) at rules.c:3426
>> #5  0x804cb0f in ProcessPacket (user=0x0, pkthdr=0xbffff900, pkt=0x81448b8 "") at snort.c:534
>> #6  0x40031b23 in pcap_read_packet (handle=0x8144728, callback=0x804c9e8 <ProcessPacket>, userdata=0x0) at ./pcap-linux.c:445
>> #7  0x40032b3f in pcap_loop (p=0x8144728, cnt=-1, callback=0x804c9e8 <ProcessPacket>, user=0x0) at ./pcap.c:79
>> #8  0x804dfa3 in InterfaceThread (arg=0x0) at snort.c:1561
>> #9  0x804c9db in main (argc=5, argv=0xbffffab4) at snort.c:467
>> #10 0x4012a5d7 in __libc_start_main () at eval.c:41

-- 
Chris Green <cmg at ...81...>
To err is human, to moo bovine.
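The report above places the crash inside frag2's RebuildFrag while reassembling an echo whose IP datagram is about 65307 bytes (65279 bytes of ping payload plus the ICMP header), which is still below the 65535-byte IPv4 maximum. Whatever the exact defect in that release, the invariant a reassembler has to hold is that every fragment's offset plus length is checked against the protocol maximum before any byte is copied, and that the buffer is sized to that maximum. The following is an added illustration of that check, written for this page and not Snort's own frag2 code; the `frag_ctx` structure and the `frag_add` / `frag_complete` / `reassemble_large_echo` functions are hypothetical, and the fragment stream is constructed inline from the report's 65279-byte figure.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdbool.h>

/* Largest IPv4 datagram: the 16-bit Total Length field. The reassembled
 * payload is at least 20 bytes shorter, so this is a safe upper bound. */
#define IP_MAXPACKET 65535u

/* Hypothetical reassembly context (not Snort's frag2 structures). */
typedef struct {
    uint8_t  buf[IP_MAXPACKET];   /* sized to the protocol maximum, never smaller */
    uint8_t  seen[IP_MAXPACKET];  /* toy coverage map: 1 once byte i has arrived */
    uint32_t total_len;           /* known once the last (MF=0) fragment arrives */
} frag_ctx;

void frag_init(frag_ctx *c) { memset(c, 0, sizeof *c); }

/* Accept one fragment. frag_off is the 13-bit header field (units of 8
 * bytes), more_frags is the MF flag, len is the fragment's payload length.
 * Returns false, having written nothing, when the fragment would land
 * outside the buffer or contradict an already-known total length. */
bool frag_add(frag_ctx *c, uint16_t frag_off, bool more_frags,
              const uint8_t *data, size_t len)
{
    if (frag_off > 0x1FFFu) return false;               /* not a 13-bit offset */
    uint32_t start = (uint32_t)frag_off * 8u;
    uint32_t end   = start + (uint32_t)len;             /* 32-bit math: no wrap */
    if (len == 0 || end > IP_MAXPACKET) return false;   /* the bound on the copy */
    if (more_frags && (len % 8u) != 0) return false;    /* non-final pieces are 8-byte multiples */
    if (c->total_len && end > c->total_len) return false;
    if (!more_frags) {
        if (c->total_len && c->total_len != end) return false; /* conflicting tail */
        c->total_len = end;
    }
    memcpy(c->buf + start, data, len);   /* only reached when start..end fits */
    memset(c->seen + start, 1, len);
    return true;
}

/* True once every byte up to the known total length has been received. */
bool frag_complete(const frag_ctx *c)
{
    if (c->total_len == 0) return false;
    for (uint32_t i = 0; i < c->total_len; i++)
        if (!c->seen[i]) return false;
    return true;
}

/* Constructed scenario: an echo whose IP payload is 65287 bytes (the
 * report's 65279-byte ping payload plus the 8-byte ICMP header), delivered
 * as 1480-byte fragments. Returns the reassembled length, or 0 on failure. */
uint32_t reassemble_large_echo(void)
{
    static frag_ctx c;           /* ~128 KiB, kept off the stack */
    static uint8_t chunk[1480];
    frag_init(&c);
    const uint32_t total = 65279u + 8u;
    uint32_t off = 0;
    while (off < total) {
        uint32_t n = (total - off < 1480u) ? total - off : 1480u;
        memset(chunk, (int)(off / 1480u), n);            /* constructed payload bytes */
        bool more = (off + n) < total;
        if (!frag_add(&c, (uint16_t)(off / 8u), more, chunk, n)) return 0;
        off += n;
    }
    return frag_complete(&c) ? c.total_len : 0;
}

/* Constructed: a fragment claiming offset 8191 (65528 bytes) with 16 bytes
 * of data would end at 65544, past the 16-bit limit, and must be refused. */
bool rejects_out_of_range_fragment(void)
{
    static frag_ctx c;
    uint8_t data[16] = {0};
    frag_init(&c);
    return !frag_add(&c, 8191u, false, data, sizeof data);
}
```

The point of the example is where the check sits: `frag_add` computes the end offset in 32-bit arithmetic and compares it against the buffer size before `memcpy` runs, so a fragment stream that would exceed the buffer is dropped rather than written, and the maximum-size echo the report describes reassembles cleanly because the buffer is sized to the protocol limit rather than to a typical packet.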
