[Snort-devel] [ snort-Bugs-484299 ] False Truncated ICMP Header

Mon Nov 26 20:47:04 EST 2001


Bugs item #484299, was opened at 2001-11-21 10:35
You can respond by visiting: 
http://sourceforge.net/tracker/?func=detail&atid=103357&aid=484299&group_id=3357

Category: None
Group: None
Status: Open
Resolution: None
Priority: 5
Submitted By: Allen M. Saunders (allens)
Assigned to: Nobody/Anonymous (nobody)
Summary: False Truncated ICMP Header

Initial Comment:
Whenever I send a forged ICMP packet (typically type 
8/0) with zero data size to Snort 1.8.2, it complains 
of a truncated ICMP header and dumps an arbitrarily 
large amount of memory as though it were packet data. 
I can confirm that these packets (except for having no 
data payload) are not malformed in any way -- 
in particular, they are the correct 28 byte length you 
would expect. 

Packets with data (e.g.: from the ping utility) are 
read fine. 

There are many problems that result from this, one of 
which is that the rules to detect zero payload echo 
requests are not triggered -- the packets are 
DISCARDED instead.

I've tried this on three different Linux machines (2 
of which were 2.4 kernels), all with the same results.

Snort 1.8.1 does not exhibit this behavior.

The following represents packet captures from snort 
and tethereal for two hping, nmap, and ping. Tcpdumps 
were also done, but weren't included because they are 
the same as the tethereal dumps.


### From 'hping -C 8 -1 -c 1 10.0.0.88'

# tethereal:
 59.930000   10.0.0.182 -> 10.0.0.88    ICMP Echo (ping) request

0000  00 b0 d0 56 45 3f 00 b0 d0 58 5e e1 08 00 45 00   ...VE?...X^...E.
0010  00 1c 25 52 00 00 40 01 40 82 0a 00 00 b6 0a 00   ..%R..@.@.......
0020  00 58 08 00 29 f7 ce 08 00 00 00 00 00 00 00 00   .X..)...........
0030  00 00 00 00 00 00 00 00 00 00 00 00               ............

# snort:
[!] WARNING: Truncated ICMP header(8 bytes)
11/21-13:29:05.500940 10.0.0.88 -> 10.0.0.182
ICMP TTL:255 TOS:0x0 ID:0 IpLen:20 DgmLen:28 DF
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
...and so on for several hundred lines, with random 
memory garbage in the rest.



### From 'nmap 10.0.0.88 -sP -PI'

# tethereal:
142.370000   10.0.0.182 -> 10.0.0.88    ICMP Echo (ping) request

0000  00 b0 d0 56 45 3f 00 b0 d0 58 5e e1 08 00 45 00   ...VE?...X^...E.
0010  00 1c 00 00 40 00 40 01 25 d4 0a 00 00 b6 0a 00   ....@.@.%.......
0020  00 58 08 00 fd 6a fa 94 00 00 00 00 00 00 00 00   .X...j..........
0030  00 00 00 00 00 00 00 00 00 00 00 00               ............

# snort:

[!] WARNING: Truncated ICMP header(8 bytes)
11/21-13:27:30.680940 10.0.0.88 -> 10.0.0.182
ICMP TTL:255 TOS:0x0 ID:0 IpLen:20 DgmLen:28 DF
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
...and so on for several hundred lines, with random 
memory garbage in the rest.


### From 'ping -c 1 10.0.0.88' (for reference)

#snort:
11/21-12:48:47.620940 10.0.0.182 -> 10.0.0.88
ICMP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:84 DF
Type:8  Code:0  ID:2236   Seq:0  ECHO
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

#tethereal:

  0.000000   10.0.0.182 -> 10.0.0.88    ICMP Echo (ping) request

0000  00 b0 d0 56 45 3f 00 b0 d0 58 5e e1 08 00 45 00   ...VE?...X^...E.
0010  00 54 00 00 40 00 40 01 25 9c 0a 00 00 b6 0a 00   .T..@.@.%.......
0020  00 58 08 00 f6 ed cc 08 00 00 f0 f3 fb 3b 4f d6   .X...........;O.
0030  0e 00 08 09 0a 0b 0c 0d 0e 0f 10 11 12 13 14 15   ................
0040  16 17 18 19 1a 1b 1c 1d 1e 1f 20 21 22 23 24 25   .......... !"#$%
0050  26 27 28 29 2a 2b 2c 2d 2e 2f 30 31 32 33 34 35   &'()*+,-./012345
0060  36 37



----------------------------------------------------------------------
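The decoder check at the heart of this report, as an added example that is not code from Snort or from the report: parse the hping frame from the tethereal dump above, bound the ICMP message by the IP total length rather than the padded capture length, and accept an exactly 8-byte echo request as complete with a zero-length payload. The `strict_gt` flag is an assumed off-by-one, not a claim about Snort 1.8.2's actual code, included only to show how the smallest such slip turns a legal 28-byte packet into a "truncated" verdict; `TRUNCATED_FRAME` is a constructed variant with the IP total length lowered to 26.

```python
import struct

ICMP_HEADER_LEN = 8  # type, code, checksum, id, seq: a legal echo needs nothing more

# Constructed from the hping tethereal dump in the report: Ethernet + IPv4 (total
# length 0x001c = 28) + 8-byte ICMP echo request with zero payload, followed by
# 18 bytes of Ethernet minimum-frame padding that are NOT part of the datagram.
HPING_FRAME = bytes.fromhex(
    "00b0d056453f00b0d0585ee10800"              # Ethernet dst, src, type 0x0800
    "4500001c25520000400140820a0000b60a000058"  # IPv4, proto 1, 10.0.0.182 -> .88
    "080029f7ce080000"                          # ICMP type 8 code 0, cksum, id, seq
    + "00" * 18                                 # link-layer padding
)

def icmp_checksum_ok(icmp: bytes) -> bool:
    """RFC 792 ones'-complement sum over the whole ICMP message folds to 0xFFFF."""
    if len(icmp) % 2:
        icmp += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(icmp) // 2), icmp))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total == 0xFFFF

def decode_icmp(frame: bytes, strict_gt: bool = False) -> dict:
    """Decode Ethernet/IPv4/ICMP, slicing the ICMP message by IP total length.
    strict_gt=True demands MORE than 8 bytes: an assumed off-by-one (not Snort's
    actual code) that is enough to call a 28-byte echo request 'truncated'."""
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        raise ValueError("not IPv4")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    if ip[9] != 1:
        raise ValueError("not ICMP")
    icmp = ip[ihl:total_len]  # padding beyond total_len is never treated as data
    long_enough = len(icmp) > ICMP_HEADER_LEN if strict_gt else len(icmp) >= ICMP_HEADER_LEN
    if not long_enough:
        return {"truncated": True, "icmp_len": len(icmp)}
    icmp_type, code, _cksum, ident, seq = struct.unpack("!BBHHH", icmp[:8])
    return {"truncated": False, "type": icmp_type, "code": code, "id": ident,
            "seq": seq, "dsize": len(icmp) - ICMP_HEADER_LEN,
            "checksum_ok": icmp_checksum_ok(icmp)}

# Constructed genuinely truncated variant: IP total length lowered to 26 (IP
# checksum left stale on purpose; it is not verified here), so only 6 ICMP bytes
# remain and both forms of the check must reject it.
TRUNCATED_FRAME = HPING_FRAME[:16] + b"\x00\x1a" + HPING_FRAME[18:]
```

With the correct `>=` bound the hping packet decodes as type 8, code 0, a zero-byte payload and a valid checksum, which is what a zero-payload echo rule needs to see; only the strict variant reports it as truncated.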
