[Snort-devel] snort bug (fwd)

Martin Roesch roesch at ...402...
Mon Jan 14 10:47:03 EST 2002


This is the rollover issue that we've been seeing reported almost
constantly for a week now; it's fixed in CVS.  Due to people constantly
reporting this bug that's been fixed over and over and over and over and
over and over and over and over and over, expect to see a 1.8.4 release
in the next few days.

   -Marty


Akatosh wrote:
> 
> lost is 64.4.126.134
> hope is 64.4.126.200
> 
> [root at ...1062... akatosh]# cat /proc/version
> Linux version 2.4.2-2 (root at ...1063...) (gcc version 2.96
> 20000731 (Red Hat Linux 7.1 2.96-79)) #1 Sun Apr 8 19:37:14 EDT 2001
> [root at ...1062... akatosh]# snort -V
> -*> Snort! <*-
> Version 1.8.3 (Build 88)
> By Martin Roesch (roesch at ...402..., www.snort.org)
> [root at ...1062... akatosh]# ldd /usr/sbin/snort
>         libpcap.so.0.6.2 => /usr/lib/libpcap.so.0.6.2 (0x4001d000)
>         libm.so.6 => /lib/libm.so.6 (0x40038000)
>         libnsl.so.1 => /lib/libnsl.so.1 (0x4005b000)
>         libc.so.6 => /lib/libc.so.6 (0x40072000)
>         /lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x40000000)
> 
> snort is running all rules included with v1.8.3 except icmp-info.rules
> 
> snort starts like this:
> /usr/local/bin/snort -d -D -l /var/log/snort -c /etc/snort/snort.conf
> 
> [root at ...1062... 64.4.126.200]# pwd
> /var/log/snort/64.4.126.200
> [root at ...1062... 64.4.126.200]# rm ICMP_ECHO
> rm: remove `ICMP_ECHO'? y
> [root at ...1062... 64.4.126.200]# /etc/rc.d/init.d/snortd start
> Starting snort:                                            [  OK  ]
> 
> ]root at ...1064... akatosh[# hping -c 1 -1 64.4.126.134
> eth0 default routing interface selected (according to /proc)
> HPING 64.4.126.134 (eth0 64.4.126.134): icmp mode set, 28 headers + 0 data
> bytes
> 46 bytes from 64.4.126.134: icmp_seq=0 ttl=254 id=31408 rtt=1.4 ms
> 
> --- 64.4.126.134 hping statistic ---
> 1 packets tramitted, 1 packets received, 0% packet loss
> round-trip min/avg/max = 1.4/1.4/1.4 ms
> 
> Jan 14 12:01:47 lost snort: [1:499:1] MISC Large ICMP Packet
> [Classification: Potentially Bad Traffic] [Priority: 2]: {ICMP}
> 64.4.126.200 -> 64.4.126.134
> 
> [root at ...1062... 64.4.126.200]# ls -l ICMP_ECHO
> -rw-------    1 root     admin      270578 Jan 14 12:01 ICMP_ECHO
> 
> Note the file size compared to what hping said it sent.
> 
> I've attached that ICMP_ECHO file and a dump of the actual packet in
> libpcap (tcpdump) format. Take a look at the contents of the ICMP_ECHO
> file.
> 

--
Martin Roesch - Founder/CEO, Sourcefire Inc. - (410)552-6999
Sourcefire: Professional Snort Sensor and Management Console appliances
roesch at ...402... - http://www.sourcefire.com  
Snort: Open Source Network IDS - http://www.snort.org