[Snort-devel] Two problems with checksums in 1.9

Marc Norton marc.norton at ...402...
Tue Nov 26 11:17:04 EST 2002


Good catch,

The UDP checksum was being done even when the UDP checksum field was
zero; since UDP checksums are optional, this should not be done unless
the field is non-zero.   The ICMP checksum was not returning the 2's
complement; the checksum calculation was otherwise correct.  BTW - the
ICMP checksum field is mandatory, and should never be zero.  The 1.9 and
head branches will be updated today.

Thanks again, sorry for the delayed response.

Marc Norton

> -----Original Message-----
> From: snort-devel-admin at lists.sourceforge.net [mailto:snort-devel-
> admin at lists.sourceforge.net] On Behalf Of Del Armstrong
> Sent: Sunday, November 17, 2002 1:06 AM
> To: snort-devel at ...12...
> Subject: [Snort-devel] Two problems with checksums in 1.9
> 
> It looks to me like the ICMP checksum calculation is
> broken in snort 1.9.0.  All ICMP packets are flagged
> as having a bad checksum, even when the checksum is in
> fact good.
> 
> To observe this problem, build snort with the
> --enable-debug configure option. Then set the
> SNORT_DEBUG environment variable to 64 (DEBUG_DECODE),
>  and watch some ICMP traffic (e.g.  "snort -v icmp").
> You can verify the checksums are correct by observing
> the same traffic with tcpdump or ethereal.
> 
> I've observed this problem under both OpenBSD and
> Linux.  The problem appears to be with the function
> in_chksum_icmp.  Snort 1.8.7, which uses a completely
> different checksum routine, doesn't have this problem.
>  Oddly, the other checksum routines, which should be
> very similar, work correctly.
> 
> Another problem lies with the way Snort handles UDP
> checksums.  The function in_chksum_udp calculates the
> UDP checksum correctly.  But in the case where the UDP
> checksum isn't supplied, Snort calculates the checksum
> anyway, and then says the UDP checksum is bad. Since
> supplying a checksum is optional for UDP packets,
> flagging a missing UDP checksum as bad is arguably the
> wrong thing to do.
> 
> The attached patch to decode.c adds a check to see if
> a checksum is supplied before calculating the UDP
> checksum.  The patch has been tested against 1.9
> snort-stable distribution, dated 11/16.
> 
>  -- Del Armstrong
> 
> 
> 
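The two behaviours discussed in this thread, as an added, self-contained illustration (this is not Snort's decode.c, in_chksum_icmp or in_chksum_udp, and the packets are constructed samples, not captured traffic): an RFC 1071 one's-complement sum with the final inversion kept separate so the effect of omitting it is visible, an ICMP verifier that always checks the field, and a UDP verifier that treats a zero checksum field as "not supplied" instead of "bad".

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Unfolded one's-complement running sum (RFC 1071), continuing from `sum`
 * so the UDP pseudo-header and the datagram can be summed together. */
static uint32_t ones_sum(const uint8_t *data, size_t len, uint32_t sum)
{
    while (len > 1) {
        sum += (uint32_t)((data[0] << 8) | data[1]);
        data += 2;
        len -= 2;
    }
    if (len == 1)                       /* odd trailing byte is zero-padded */
        sum += (uint32_t)data[0] << 8;
    return sum;
}

/* Fold the carries back in. Over a buffer that already contains a correct
 * checksum this yields 0xffff, NOT 0: comparing it against 0 without the
 * final inversion flags every good packet as bad. */
static uint16_t fold_sum(uint32_t sum)
{
    while (sum >> 16)
        sum = (sum & 0xffffu) + (sum >> 16);
    return (uint16_t)sum;
}

/* Checksum as it travels on the wire; a correct, filled-in buffer gives 0. */
static uint16_t inet_checksum(const uint8_t *data, size_t len, uint32_t init)
{
    return (uint16_t)~fold_sum(ones_sum(data, len, init));
}

/* ICMP: the checksum covers the whole message, there is no pseudo-header,
 * and the field is mandatory, so a zero field is verified like any other. */
static int icmp_checksum_ok(const uint8_t *icmp, size_t len)
{
    return len >= 4 && inet_checksum(icmp, len, 0) == 0;
}

enum chk_result { CHK_OK, CHK_BAD, CHK_ABSENT };

/* IPv4 UDP pseudo-header: src addr, dst addr, zero, protocol 17, UDP length. */
static uint32_t udp_pseudo_sum(const uint8_t src_ip[4], const uint8_t dst_ip[4], size_t udp_len)
{
    uint8_t ph[12];
    memcpy(ph, src_ip, 4);
    memcpy(ph + 4, dst_ip, 4);
    ph[8] = 0;
    ph[9] = 17;
    ph[10] = (uint8_t)(udp_len >> 8);
    ph[11] = (uint8_t)udp_len;
    return ones_sum(ph, sizeof ph, 0);
}

/* Verifier side. A zero field means the sender computed no checksum
 * (RFC 768), so there is nothing to verify and nothing to flag. */
static enum chk_result udp_checksum_check(const uint8_t src_ip[4], const uint8_t dst_ip[4],
                                          const uint8_t *udp, size_t udp_len)
{
    if (udp_len < 8)
        return CHK_BAD;
    if (udp[6] == 0 && udp[7] == 0)
        return CHK_ABSENT;
    return inet_checksum(udp, udp_len, udp_pseudo_sum(src_ip, dst_ip, udp_len)) == 0 ? CHK_OK : CHK_BAD;
}

/* Sender side, over a datagram whose checksum field is zero. A computed 0
 * is transmitted as 0xffff so it is not mistaken for "absent". */
static uint16_t udp_compute_checksum(const uint8_t src_ip[4], const uint8_t dst_ip[4],
                                     const uint8_t *udp, size_t udp_len)
{
    uint16_t c = inet_checksum(udp, udp_len, udp_pseudo_sum(src_ip, dst_ip, udp_len));
    return c == 0 ? 0xffff : c;
}

/* Constructed samples. ICMP echo request id 0x1234 seq 1 payload "abcd"
 * (checksum 0x2104); UDP 0x1234 -> 53, length 12, payload "abcd" with a
 * correct (0x14a4), absent (0) and corrupted (0x14a5) checksum field. */
static const uint8_t SRC_IP[4] = { 10, 0, 0, 1 };
static const uint8_t DST_IP[4] = { 10, 0, 0, 2 };
static const uint8_t ICMP_OK[12]  = { 8, 0, 0x21, 0x04, 0x12, 0x34, 0x00, 0x01, 'a', 'b', 'c', 'd' };
static const uint8_t ICMP_BAD[12] = { 8, 0, 0x21, 0x04, 0x12, 0x34, 0x00, 0x01, 'a', 'b', 'c', 'e' };
static const uint8_t UDP_OK[12]   = { 0x12, 0x34, 0x00, 0x35, 0x00, 0x0c, 0x14, 0xa4, 'a', 'b', 'c', 'd' };
static const uint8_t UDP_NOCS[12] = { 0x12, 0x34, 0x00, 0x35, 0x00, 0x0c, 0x00, 0x00, 'a', 'b', 'c', 'd' };
static const uint8_t UDP_BAD[12]  = { 0x12, 0x34, 0x00, 0x35, 0x00, 0x0c, 0x14, 0xa5, 'a', 'b', 'c', 'd' };

int main(void)
{
    printf("icmp folded 0x%04x, inverted 0x%04x -> %s\n",
           fold_sum(ones_sum(ICMP_OK, sizeof ICMP_OK, 0)), inet_checksum(ICMP_OK, sizeof ICMP_OK, 0),
           icmp_checksum_ok(ICMP_OK, sizeof ICMP_OK) ? "ok" : "bad");
    printf("udp with/without/corrupted checksum: %d %d %d (0=ok 1=bad 2=absent)\n",
           udp_checksum_check(SRC_IP, DST_IP, UDP_OK, 12),
           udp_checksum_check(SRC_IP, DST_IP, UDP_NOCS, 12),
           udp_checksum_check(SRC_IP, DST_IP, UDP_BAD, 12));
    return 0;
}
```

The folded sum over a correct ICMP message is 0xffff and only becomes 0 after the inversion, which is why a verifier that skips that last step reports every packet as bad while the arithmetic is otherwise right. For UDP the verdict is three-valued rather than two: a decoder that wants to log datagrams sent without a checksum can count CHK_ABSENT separately instead of folding it into the bad-checksum statistic.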
