[Snort-devel] Ref.: Re: [Snort-devel] Ref.: Re: [Snort-devel] snort 1.8.6 core dump when receive lot of ping of the deathT

axel.letourneur at ...1289... axel.letourneur at ...1289...
Thu Apr 25 09:58:07 EDT 2002




>2.4.17 is giving me Oversized IP packet from 10.1.1.52 and not
>sending packets from that code.


It's strange; this code works fine on my Linux 2.4.18, and I don't think that code can send nothing if it compiles well.

But perhaps you have selected a special option in the kernel configuration file which reassembles IP fragments before sending them?

Otherwise you must see the first fragments.

If, when you use this prog, you obtain "socket: Socket type not supported", it's because you do not have "#define LINUX" in the source code.

I am sending you in the attached files the tcpdump result of "./ping-of-death 194.214.203.180" in ping-of-death1.cap, the source code in ping-of-death.c, and also a compiled version in ping-of-death1 with the -Wall -g flags set.

(See attached file: ping-of-death1.c)(See attached file: ping-of-death1)(See attached file: ping-of-death.cap)

Could anybody tell me if that works fine?








Chris Green <cmg at ...402...> on 25/04/2002 18:02:51

Please reply to snort-devel at lists.sourceforge.net

To:       Axel LETOURNEUR/TLT/CHRONOPOST at ...1336...
cc:       snort-devel at lists.sourceforge.net
Subject:  Re: [Snort-devel] Ref.: Re: [Snort-devel] snort 1.8.6 core dump when receive lot of ping of the deathT



axel.letourneur at ...1289... writes:

> the computer where snort runs has a 2.2.X kernel
>
> but the kernel where ping-of-death1 is started is a redhat 7.2 with kernel 2.4.18
>
> in the ping of death program I use a spoofed IP address, 194.214.201.66, for the
> source IP address
>
> use:
>  tcpdump -nn -s0 -w ping-o-death "host 194.214.201.66 && proto ICMP"

2.4.17 is giving me Oversized IP packet from 10.1.1.52 and not
sending packets from that code.

I'm thinking it's more related to the heavy fragmentation and deleting
nodes out from under ourselves upon a fragmentation memcap fault and not
necessarily related to the size of the pings like we spent so much
time dealing with in stream4.

I thought I caught those but there may be a case I'm missing, but it
would explain your wacky pointer
--
Chris Green <cmg at ...402...>
I've had a perfectly wonderful evening. But this wasn't it.
     -- Groucho Marx





      ____________________________________________________________________________________________

      Axel LETOURNEUR   ( axel.letourneur at ...1289... )
      TELINTRANS
      Direction Réseaux Etendus et Systèmes Centraux / Sécurité Systèmes et
      Réseaux


-------------- next part --------------
A non-text attachment was scrubbed...
Name: ping-of-death1.c
Type: application/octet-stream
Size: 7457 bytes
Desc: not available
URL: <https://lists.snort.org/pipermail/snort-devel/attachments/20020425/9ffbaed4/attachment.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: ping-of-death1
Type: application/octet-stream
Size: 36816 bytes
Desc: not available
URL: <https://lists.snort.org/pipermail/snort-devel/attachments/20020425/9ffbaed4/attachment-0001.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: ping-of-death.cap
Type: application/octet-stream
Size: 67344 bytes
Desc: not available
URL: <https://lists.snort.org/pipermail/snort-devel/attachments/20020425/9ffbaed4/attachment-0002.obj>
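
For readers following the thread: the "Oversized IP packet" report quoted above is what a reassembler says when a fragment's offset plus its length would push the rebuilt datagram past 65535 bytes. The sketch below is an added example, not code from this thread, Snort or the Linux kernel; `check_ipv4_fragment` and the sample headers are hypothetical and constructed for illustration. It shows the bounds check a sensor can apply to each fragment header before queuing it.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define IP_MAX_DATAGRAM 65535u  /* limit of the 16-bit total-length field */
#define IP_MF      0x2000u      /* "more fragments" flag */
#define IP_OFFMASK 0x1fffu      /* fragment offset, in 8-byte units */

enum frag_verdict { FRAG_OK, FRAG_MALFORMED, FRAG_OVERSIZED };

/* Read a big-endian 16-bit field without assuming alignment. */
static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Classify one captured IPv4 packet, starting at the IP header. Only the
 * header is read, so a capture truncated by a short snaplen still works. */
enum frag_verdict check_ipv4_fragment(const uint8_t *pkt, size_t caplen)
{
    if (caplen < 20 || (pkt[0] >> 4) != 4)
        return FRAG_MALFORMED;
    uint32_t ihl     = (uint32_t)(pkt[0] & 0x0f) * 4;  /* header bytes */
    uint32_t tot_len = be16(pkt + 2);
    uint32_t frag    = be16(pkt + 6);
    if (ihl < 20 || tot_len < ihl || caplen < ihl)
        return FRAG_MALFORMED;
    uint32_t offset  = (frag & IP_OFFMASK) * 8;  /* where this data lands */
    uint32_t datalen = tot_len - ihl;
    /* Every fragment except the last must carry a multiple of 8 bytes. */
    if ((frag & IP_MF) && datalen % 8 != 0)
        return FRAG_MALFORMED;
    /* Worst case is 65528 + 65535, far below UINT32_MAX: no wrap.
     * Simplification: uses this fragment's header length, not the first's. */
    if (ihl + offset + datalen > IP_MAX_DATAGRAM)
        return FRAG_OVERSIZED;
    return FRAG_OK;
}

int main(void)
{
    /* Constructed headers: a normal first fragment, then a final fragment
     * whose offset (8190 * 8 = 65520) plus 1480 data bytes passes 65535. */
    static const uint8_t first[20] = {0x45,0,0x05,0xdc,0,1,0x20,0x00,64,1};
    static const uint8_t last[20]  = {0x45,0,0x05,0xdc,0,1,0x1f,0xfe,64,1};
    printf("first=%d last=%d\n", check_ipv4_fragment(first, sizeof first),
           check_ipv4_fragment(last, sizeof last));
    return 0;
}
```

Running the check per fragment, before any reassembly buffer is touched, keeps the size decision independent of how many fragments are queued.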

