[Snort-devel] [ snort-Bugs-505448 ] IDMEF XML not well formed large packets

noreply at ...12... noreply at ...12...
Fri Jan 25 20:52:02 EST 2002


Bugs item #505448, was opened at 2002-01-18 09:13
You can respond by visiting: 
http://sourceforge.net/tracker/?func=detail&atid=103357&aid=505448&group_id=3357

Category: None
Group: None
Status: Open
Resolution: None
Priority: 5
Submitted By: Nobody/Anonymous (nobody)
Assigned to: Nobody/Anonymous (nobody)
Summary: IDMEF XML not well formed large packets

Initial Comment:
I'm running 1.8.3 on Linux and OpenBSD, and I've
noticed that if I see a "Large ICMP packet", in this
case 7591 bytes, the <data> tag fails to close, along
with all other open tags except <event>. 

So, what I see is the end of the packet data, in hex,
followed by the </event>

So far, this is perfectly reproducible by just doing an
"nmap -sT addr" against the test Snort.

----------------------------------------------------------------------

Comment By: Roger Hand (rhand)
Date: 2002-01-25 12:33

Message:
Logged In: YES 
user_id=438914

We've seen the same problem with "MISC Large ICMP Packet" 
(signature id 499). Packets that report a length of 1478 
or 1500 bytes show fine, but packets with a reported "len" 
of 28 bytes spew out thousands of characters of "data". 

As the original poster mentioned, the <data> and other 
tags fail to close (although the event tag itself closes), 
resulting in malformed xml.

The data itself sometimes appears to be random junk from
within snort itself.  Could this be related to the
following post I found on Google from June 2001?

Phil Wood wrote:
> "In my case the problem of trash icmp types and codes is
> the result of a problem with snort.  It appears related to
> the defrag preprocessor.  I have documented, using tcpdump
> and snort in parallel, that valid ICMP packets (as seen by
> tcpdump), end up in snort with some memory (not associated
> with any packet) appended to a perfectly valid IP header
> (with proto of ICMP).  Tcpdump shows two fragments (out of
> order) which together make up an icmp packet.  Snort's
> defrag constructs the complete ICMP packet with the
> identical IP header, but crud from some place in snort's
> memory as ICMP header and DATA"

----------------------------------------------------------------------
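Added example, not part of this thread and not Snort's own code: a small checker for the symptom both posters describe. Because the whole alert file is not well formed, it does not parse the file as one XML document; it cuts the file into <event>...</event> chunks, tries to parse each one on its own, lists the tags that were still open when </event> arrived (the "<data> and everything except <event> fails to close" case), and compares the number of bytes of hex inside <data> with the packet's reported len attribute (the "len of 28 but thousands of characters of data" case). The element and attribute names (<event>, <packet len="...">, <data>) are assumptions modelled on the names mentioned in the thread, not Snort's actual IDMEF schema; the two sample alerts are constructed.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample mirroring the thread: event 1 is well formed (the captured
# payload is shorter than the reported length, which is normal under a snaplen);
# event 2 reports len="28" but carries hundreds of bytes of hex, and its <data>
# and <packet> never close, so the hex runs straight into </event>.
# Element/attribute names are assumptions, not Snort's real schema.
BAD_HEX = "45000600" + "abcdef0123456789" * 40   # 648 hex chars = 324 bytes
SAMPLE = """<?xml version="1.0"?>
<report>
<event>
<signature id="499">MISC Large ICMP Packet</signature>
<packet proto="ICMP" len="1478">
<data>4500060200010000400160b7c0a8010ac0a8010b08007d3e00010001</data>
</packet>
</event>
<event>
<signature id="499">MISC Large ICMP Packet</signature>
<packet proto="ICMP" len="28">
<data>%s
</event>
</report>
""" % BAD_HEX

EVENT_RE = re.compile(r"<event\b.*?</event>", re.S)
TAG_RE = re.compile(r"<(/?)([A-Za-z_][\w.-]*)[^>]*?(/?)>")
LEN_RE = re.compile(r'\blen="(\d+)"')
DATA_RE = re.compile(r"<data>([0-9A-Fa-f\s]*)")


def unclosed_tags(chunk):
    """Names of tags left open when an outer tag closed, innermost first."""
    stack, unclosed = [], []
    for close, name, selfclose in TAG_RE.findall(chunk):
        if selfclose:
            continue
        if not close:
            stack.append(name)
        elif name in stack:
            # everything above the matching open tag was never closed
            while stack[-1] != name:
                unclosed.append(stack.pop())
            stack.pop()
        # a stray close tag with no matching open is simply ignored
    unclosed.extend(reversed(stack))
    return unclosed


def check_event(chunk):
    """Analyse one <event>...</event> chunk and return the findings."""
    finding = {"well_formed": True, "unclosed": [],
               "reported_len": None, "data_bytes": None}
    try:
        ET.fromstring(chunk)
    except ET.ParseError:
        finding["well_formed"] = False
        finding["unclosed"] = unclosed_tags(chunk)
    m = LEN_RE.search(chunk)
    if m:
        finding["reported_len"] = int(m.group(1))
    d = DATA_RE.search(chunk)
    if d:
        finding["data_bytes"] = len(re.sub(r"\s", "", d.group(1))) // 2
    # more payload than the packet header claims is the symptom reported above
    finding["len_mismatch"] = (finding["reported_len"] is not None
                               and finding["data_bytes"] is not None
                               and finding["data_bytes"] > finding["reported_len"])
    return finding


def check_report(text):
    """Check every event in an alert file; returns one findings dict per event."""
    return [check_event(c) for c in EVENT_RE.findall(text)]


if __name__ == "__main__":
    for i, f in enumerate(check_report(SAMPLE), 1):
        status = "ok" if f["well_formed"] else "MALFORMED, unclosed: " + ", ".join(f["unclosed"])
        print("event %d: %s; len=%s data_bytes=%s mismatch=%s"
              % (i, status, f["reported_len"], f["data_bytes"], f["len_mismatch"]))
```

Running it against a real alert file points at the exact events to diff against the tcpdump capture of the same traffic, which is the parallel check Phil Wood describes in the quoted post.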