[Snort-devel] [bug] DecodeIPOnly ()

Guillaume Valadon doug at ...879...
Thu Oct 11 09:35:13 EDT 2001


While playing with snort, I found a little "bug" in ICMP unreachable treatment.

When the IP header of the ICMP packet has a fragment offset field different from 
zero and the MF bit is not set, TCP ports will not be extracted.

in decode.c line 1444 we have:
if (p->frag_offset || p->mf)

I think "&&" is better than "||" here. OK, it's a bogus IP header, but is it a 
snort problem and treatment should go on and not stop here.

When we just have 4 bytes left in IP data in the IP packet that triggers an ICMP 
unreachable, TCP ports will not be extracted.

in decode.c line 1464 we have:
if (ip_len > 4)

">=" is ok here.

These two ICMP packets were found in the wild and I reproduced them with 
Net::RawIP. I put a pcap dump of these packets in the attachments (just feed snort 
with this file).

Please don't blame me if you didn't understand what I am saying; I have some 
difficulty with English :*)


PS: I use snort 1.8.1
mailto:doug at ...880...

ICQ uin : 1752110   PGP key id : 0x61BF5A03
Page ouebe : http://guedou.penguinpowered.com

     "Everybody be cool. You be cool" - Seth Gecko
-------------- next part --------------
A non-text attachment was scrubbed...
Name: snort-bug-icmp-unr.log.gz
Type: application/x-gzip-compressed
Size: 155 bytes
Desc: not available
URL: <https://lists.snort.org/pipermail/snort-devel/attachments/20011011/09cf484a/attachment.bin>
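
Added example (not Snort source and not part of the original post): a minimal C model of the two checks quoted in the report, run against the IPv4 header embedded in an ICMP unreachable. The struct, the function names, the `inclusive` switch and the definition of `ip_len` as the bytes following the embedded header are assumptions made for illustration; the sample packets are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Fields recovered from the IP header quoted inside an ICMP unreachable. */
struct embedded_ip {
    uint16_t frag_offset;   /* 13-bit offset, in 8-byte units */
    int mf;                 /* More Fragments bit */
    int frag_flag;          /* result of (frag_offset || mf) */
    int ports_valid;        /* 1 if sp/dp were extracted */
    uint16_t sp, dp;
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* inclusive = 0 models "ip_len > 4", inclusive = 1 models "ip_len >= 4".
 * Returns -1 if buf cannot hold a complete IPv4 header, else 0. */
int decode_embedded_ip(const uint8_t *buf, size_t len, int inclusive,
                       struct embedded_ip *out)
{
    memset(out, 0, sizeof *out);
    if (len < 20 || (buf[0] >> 4) != 4) return -1;
    size_t hlen = (size_t)(buf[0] & 0x0f) * 4;
    if (hlen < 20 || hlen > len) return -1;
    uint16_t frag = rd16(buf + 6);
    out->mf = (frag & 0x2000) != 0;
    out->frag_offset = frag & 0x1fff;
    out->frag_flag = out->frag_offset || out->mf;
    if (out->frag_flag) return 0;          /* decoding stops, as the post describes */
    size_t ip_len = len - hlen;            /* assumption: bytes left after the header */
    if (buf[9] == 6 && (inclusive ? ip_len >= 4 : ip_len > 4)) {
        out->sp = rd16(buf + hlen);        /* both ports fit in exactly 4 bytes */
        out->dp = rd16(buf + hlen + 2);
        out->ports_valid = 1;
    }
    return 0;
}

/* Constructed sample: 20-byte IPv4/TCP header plus data_len bytes, ports 1234 -> 80. */
size_t build_sample(uint8_t *buf, uint16_t frag_field, size_t data_len)
{
    static const uint8_t tcp[8] = { 0x04, 0xd2, 0x00, 0x50, 0, 0, 0, 1 };
    memset(buf, 0, 28);
    buf[0] = 0x45; buf[9] = 6;
    buf[6] = (uint8_t)(frag_field >> 8); buf[7] = (uint8_t)frag_field;
    if (data_len > 8) data_len = 8;
    memcpy(buf + 20, tcp, data_len);
    return 20 + data_len;
}
```

`build_sample` needs a buffer of at least 28 bytes; pass the length it returns to `decode_embedded_ip` to compare the two comparison operators on the same packet.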
