[Snort-devel] [bug] DecodeIPOnly ()
doug at ...879...
Thu Oct 11 09:35:13 EDT 2001
While playing with snort, I found a little "bug" in icmp unreachable treatment.
When the IP header of the icmp packet has a fragment offset field different than
zero and MF bit is not set, tcp ports will not be extracted.
in decode.c line 1444 we have:
if (p->frag_offset || p->mf)
I think "&&" is better than "||" here. Ok it's a bogus IP header, but is it a
snort problem and treatment should go on and not stop here.
When we just have 4 bytes left in IP data in the IP packet that triggers an icmp
unreachable, tcp ports will not be extracted
in decode.c line 1464 we have:
if (ip_len > 4)
">=" is ok here.
These two icmp packets were found in the wild and I reproduced them with
Net::RawIP. I put pcap dump of these packets in attachments (just feed snort
with this file).
Please don't blame me if you didn't understand what I am saying, I have some
difficulty with English :*)
ps: I use snort 1.8.1
mailto:doug at ...880...
ICQ uin : 1752110 PGP key id : 0x61BF5A03
Page ouebe : http://guedou.penguinpowered.com
"Everybody be cool. You be cool" - Seth Gecko
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 155 bytes
Desc: not available
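
The two conditions discussed in the message above, side by side, as an added example that is not part of the original post and is not Snort's code. The helper `decode_quoted`, the `struct quoted` fields and both byte arrays are constructed for illustration; `data_len` stands in for the post's "bytes left in IP data".

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

struct quoted {
    uint16_t frag_offset, sport, dport; /* offset is in 8-byte units */
    int mf, have_ports;                 /* MF flag; 1 if ports extracted */
    size_t data_len;                    /* quoted bytes after the IP header */
};

/* Hypothetical helper, not Snort's DecodeIPOnly(). as_quoted=1 applies the
 * two tests quoted in the post (||, > 4); as_quoted=0 applies the ones it
 * proposes (&&, >= 4). Returns -1 if the quoted header is malformed. */
int decode_quoted(const uint8_t *b, size_t n, int as_quoted, struct quoted *q)
{
    if (n < 20 || (b[0] >> 4) != 4) return -1;
    size_t hlen = (size_t)(b[0] & 0x0f) * 4;
    if (hlen < 20 || hlen > n) return -1;
    uint16_t ff = (uint16_t)((b[6] << 8) | b[7]);   /* flags + offset */
    q->mf = (ff & 0x2000) != 0;
    q->frag_offset = ff & 0x1fff;
    q->data_len = n - hlen;
    q->have_ports = 0; q->sport = q->dport = 0;
    int is_frag = as_quoted ? (q->frag_offset || q->mf)
                            : (q->frag_offset && q->mf);
    int enough = as_quoted ? (q->data_len > 4) : (q->data_len >= 4);
    /* Ports are bytes 0-3 of a TCP (6) or UDP (17) header. */
    if ((b[9] != 6 && b[9] != 17) || is_frag || !enough) return 0;
    q->sport = (uint16_t)((b[hlen] << 8) | b[hlen + 1]);
    q->dport = (uint16_t)((b[hlen + 2] << 8) | b[hlen + 3]);
    q->have_ports = 1;
    return 0;
}

/* Constructed samples, TCP 1025 -> 80. A: offset 1, MF clear, 8 data bytes.
 * B: not fragmented, exactly 4 data bytes. */
static const uint8_t sample_a[28] = {0x45,0,0,28, 0,1,0,1, 64,6,0,0,
    10,0,0,1, 10,0,0,2, 0x04,0x01,0x00,0x50, 0,0,0,0};
static const uint8_t sample_b[24] = {0x45,0,0,24, 0,2,0,0, 64,6,0,0,
    10,0,0,1, 10,0,0,2, 0x04,0x01,0x00,0x50};

int main(void)
{
    struct quoted q;
    for (int m = 1; m >= 0; m--) {
        decode_quoted(sample_a, sizeof sample_a, m, &q);
        printf("as_quoted=%d A: ports=%d\n", m, q.have_ports);
        decode_quoted(sample_b, sizeof sample_b, m, &q);
        printf("as_quoted=%d B: ports=%d\n", m, q.have_ports);
    }
}
```

With a nonzero offset the quoted bytes sit mid-datagram rather than at the start of a TCP header, so the ports read from sample A are only as meaningful as the bogus header they came with.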