[Snort-devel] [ snort-Bugs-482609 ] large ICMP type 0/8 packet kills snort
cmg at ...81...
Sat Nov 17 13:54:01 EST 2001
Martin Roesch <roesch at ...402...> writes:
> Using Linux? It doesn't crash on FreeBSD...
Yes - Linux sensor. Ping didn't involve sensor ( local <-> remote
host ) directed at sensor. Hrm using tcpdump to save the packets then
running snort on the binary capture doesn't crash snort.
> Chris Green wrote:
>> duplicated ( will crash a running snort process ) with frag2 enabled.
>> Will not without frag2.
>> Subject: [Snort-devel] [ snort-Bugs-482609 ] large ICMP type 0/8 packet
>> kills snort
>> Date: Fri, 16 Nov 2001 12:31:52 -0800
>> From: noreply at ...12...
>> To: noreply at ...12...
>> Bugs item #482609, was opened at 2001-11-16 12:31
>> You can respond by visiting:
>> Category: None
>> Group: None
>> Status: Open
>> Resolution: None
>> Priority: 5
>> Submitted By: Nobody/Anonymous (nobody)
>> Assigned to: Nobody/Anonymous (nobody)
>> Summary: large ICMP type 0/8 packet kills snort
>> Initial Comment:
>> From a console on the snort sensor I issued the command:
>> # ping -s 65507 [host]
>> The snort process immediately dies. The actual threshold
>> seems to be 65279 (65307) bytes.
>> One would not usually issue such a command directly
>> from a sensor. If the echo reply is indeed killing the
>> process, then theoretically you could crash a sensor with
>> artificially created ICMP type 0 packets > 65307 bytes,
>> assuming it is not operating in stealth mode.
>> System Architecture: x86
>> Operating System and version: Linux 2.2.16
>> include exploit.rules
>> include scan.rules
>> include ftp.rules
>> include telnet.rules
>> include smtp.rules
>> include rpc.rules
>> include rservices.rules
>> include backdoor.rules
>> include dos.rules
>> include ddos.rules
>> include dns.rules
>> include netbios.rules
>> include web-iis.rules
>> include web-misc.rules
>> include sql.rules
>> include icmp.rules
>> include shellcode.rules
>> include misc.rules
>> include policy.rules
>> command line switches:
>> -c /etc/snort/snort.conf -i eth2 -D
>> #0 0x100fffe in ?? () at eval.c:41
>> #1 0x804cb0f in ProcessPacket (user=0x0,
>> pkthdr=0x8146608, pkt=0x8146708 "") at snort.c:534
>> #2 0x8079ab0 in RebuildFrag (ft=0x84c8b20,
>> p=0xbffff440) at spp_frag2.c:752
>> #3 0x80795ae in Frag2Defrag (p=0xbffff440) at
>> #4 0x8057a46 in Preprocess (p=0xbffff440) at
>> #5 0x804cb0f in ProcessPacket (user=0x0,
>> pkthdr=0xbffff900, pkt=0x81448b8 "") at snort.c:534
>> #6 0x40031b23 in pcap_read_packet
>> (handle=0x8144728, callback=0x804c9e8
>> <ProcessPacket>, userdata=0x0)
>> at ./pcap-linux.c:445
>> #7 0x40032b3f in pcap_loop (p=0x8144728, cnt=-1,
>> callback=0x804c9e8 <ProcessPacket>, user=0x0)
>> at ./pcap.c:79
>> #8 0x804dfa3 in InterfaceThread (arg=0x0) at snort.c:1561
>> #9 0x804c9db in main (argc=5, argv=0xbffffab4) at
>> #10 0x4012a5d7 in __libc_start_main () at eval.c:41
Chris Green <cmg at ...81...>
To err is human, to moo bovine.
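Added example, not part of the thread and not Snort's frag2 code: the size arithmetic behind the report (echo payload + 8-byte ICMP header + 20-byte IP header, so 65507 rebuilds to 65535 and 65279 to 65307) together with the per-fragment bounds check a reassembler should make before copying into its rebuild buffer. The function names, the 1500-byte MTU, the option-less IP header and the buffer capacities are assumptions made for illustration; the thread does not identify the cause of the crash.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define IP_MAXPACKET 65535u /* largest total length an IPv4 header can express */
#define IP_HLEN      20u    /* assumption: IP header without options */
#define ICMP_HLEN    8u

enum frag_verdict { FRAG_OK, FRAG_BAD_ALIGN, FRAG_EXCEEDS_IP_MAX, FRAG_EXCEEDS_BUFFER };

/* Validate one fragment before any copy. off8 is the 13-bit fragment offset
 * field (units of 8 bytes), len the fragment payload length, more the MF flag,
 * cap the rebuild buffer size. *high tracks the highest payload byte accepted. */
enum frag_verdict frag_check(size_t cap, uint16_t off8, size_t len, int more, size_t *high)
{
    size_t end = (size_t)(off8 & 0x1fff) * 8 + len;
    if (more && len % 8 != 0)         return FRAG_BAD_ALIGN;
    if (IP_HLEN + end > IP_MAXPACKET) return FRAG_EXCEEDS_IP_MAX;
    if (IP_HLEN + end > cap)          return FRAG_EXCEEDS_BUFFER;
    if (high && end > *high) *high = end;
    return FRAG_OK;
}

/* Walk the fragments a sender emits for an ICMP echo carrying `data` bytes
 * over a link with the given MTU. Returns the rebuilt datagram length, or 0
 * if any fragment is rejected by frag_check(). */
size_t rebuilt_len(size_t data, size_t mtu, size_t cap)
{
    if (mtu < IP_HLEN + 8) return 0;
    size_t payload = data + ICMP_HLEN, high = 0;
    size_t per = ((mtu - IP_HLEN) / 8) * 8; /* per-fragment payload, multiple of 8 */
    for (size_t off = 0; off < payload; off += per) {
        size_t len = payload - off < per ? payload - off : per;
        if (frag_check(cap, (uint16_t)(off / 8), len, off + len < payload, &high) != FRAG_OK)
            return 0;
    }
    return IP_HLEN + high;
}

int main(void)
{
    /* Sizes from the report; buffer capacities are constructed values. */
    printf("ping -s 65507 -> %zu bytes rebuilt\n", rebuilt_len(65507, 1500, 65535));
    printf("ping -s 65279 -> %zu bytes rebuilt\n", rebuilt_len(65279, 1500, 65535));
    printf("65507 into a 65306-byte buffer -> %zu (0 = rejected)\n",
           rebuilt_len(65507, 1500, 65306));
    return 0;
}
```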