[Snort-devel] Two problems with checksums in 1.9

Del Armstrong del_armstrong at ...398...
Mon Nov 18 07:08:01 EST 2002


It looks to me like the ICMP checksum calculation is
broken in snort 1.9.0.  All ICMP packets are flagged
as having a bad checksum, even when the checksum is in
fact good.

To observe this problem, build snort with the
--enable-debug configure option. Then set the
SNORT_DEBUG environment variable to 64 (DEBUG_DECODE),
and watch some ICMP traffic (e.g. "snort -v icmp").
You can verify the checksums are correct by observing
the same traffic with tcpdump or ethereal.

I've observed this problem under both OpenBSD and
Linux.  The problem appears to be with the function
in_chksum_icmp.  Snort 1.8.7, which uses a completely
different checksum routine, doesn't have this problem.
Oddly, the other checksum routines, which should be
very similar, work correctly.

Another problem lies with the way Snort handles UDP
checksums.  The function in_chksum_udp calculates the
UDP checksum correctly.  But in the case where the UDP
checksum isn't supplied, Snort calculates the checksum
anyway, and then says the UDP checksum is bad. Since
supplying a checksum is optional for UDP packets,
flagging a missing UDP checksum as bad is arguably the
wrong thing to do.  

The attached patch to decode.c adds a check to see if
a checksum is supplied before calculating the UDP
checksum.  The patch has been tested against the 1.9
snort-stable distribution, dated 11/16.  

 -- Del Armstrong



-------------- next part --------------
A non-text attachment was scrubbed...
Name: decode.patch
Type: application/x-unknown
Size: 1971 bytes
Desc: decode.patch
URL: <https://lists.snort.org/pipermail/snort-devel/attachments/20021118/d125451b/attachment.bin>
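
An added example, not the scrubbed decode.patch and not Snort's code: a minimal IPv4 UDP checksum verifier that treats an all-zero checksum field as "not supplied" (RFC 768) rather than as a bad checksum, which is the behaviour the post argues for. The names udp_csum_state and sample_state and the sample datagram are constructed for illustration; len is assumed to equal the UDP length field.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
enum udp_csum { UDP_CSUM_ABSENT, UDP_CSUM_OK, UDP_CSUM_BAD, UDP_CSUM_BADLEN };

/* RFC 1071 one's-complement sum of big-endian 16-bit words; odd tail byte is zero-padded. */
static uint32_t sum16(const uint8_t *p, size_t len, uint32_t acc)
{
    for (; len > 1; p += 2, len -= 2)
        acc += ((uint32_t)p[0] << 8) | p[1];
    if (len)
        acc += (uint32_t)p[0] << 8;
    return acc;
}

/* src/dst: IPv4 addresses in network byte order; udp: UDP header plus payload. */
enum udp_csum udp_csum_state(const uint8_t src[4], const uint8_t dst[4],
                             const uint8_t *udp, size_t len)
{
    uint8_t pseudo[12] = {0};
    uint32_t acc;
    if (len < 8 || len > 0xffff)
        return UDP_CSUM_BADLEN;
    if (udp[6] == 0 && udp[7] == 0)   /* RFC 768: zero means sender computed none */
        return UDP_CSUM_ABSENT;       /* nothing to verify, so not "bad" */
    memcpy(pseudo, src, 4);
    memcpy(pseudo + 4, dst, 4);
    pseudo[9] = 17;                   /* protocol number for UDP */
    pseudo[10] = (uint8_t)(len >> 8);
    pseudo[11] = (uint8_t)len;
    acc = sum16(udp, len, sum16(pseudo, sizeof pseudo, 0));
    while (acc >> 16)                 /* fold carries back into 16 bits */
        acc = (acc & 0xffff) + (acc >> 16);
    return acc == 0xffff ? UDP_CSUM_OK : UDP_CSUM_BAD;
}

/* Constructed sample: 192.0.2.1:1024 -> 192.0.2.2:53, payload "hi"; caller sets checksum bytes. */
enum udp_csum sample_state(uint8_t ck_hi, uint8_t ck_lo)
{
    const uint8_t src[4] = {192, 0, 2, 1}, dst[4] = {192, 0, 2, 2};
    uint8_t udp[10] = {0x04, 0x00, 0x00, 0x35, 0x00, 0x0a, ck_hi, ck_lo, 'h', 'i'};
    return udp_csum_state(src, dst, udp, sizeof udp);
}

int main(void)
{
    printf("%d %d %d\n", sample_state(0x0f, 0x38), sample_state(0, 0), sample_state(0x0f, 0x39));
    return 0;
}
```

Keeping "absent" distinct from "bad" lets a decoder count or alert on checksum-less UDP separately instead of folding it into corruption events.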

