[Snort-devel] [ snort-Bugs-558167 ] Checksum and MYSQL

Marc Norton marc.norton at ...402...
Mon Sep 16 11:37:05 EDT 2002

Zeroing the check sum field is only necessary for the sender.  Checksums
are 2's complements, so if we include the original checksum value in the
calculation we expect to get zero for the resulting checksum, if the
packet is valid.  Hence, you'll notice in snort we use a construct like:

 Csum = chksum(ip...)

 If( Csum )
     /* Bogus checksum */

Hope this clarifies the issue.

-----Original Message-----
From: snort-devel-admin at lists.sourceforge.net
[mailto:snort-devel-admin at lists.sourceforge.net] On Behalf Of
noreply at ...12...
Sent: Friday, September 13, 2002 11:37 AM
To: noreply at ...12...
Subject: [Snort-devel] [ snort-Bugs-558167 ] Checksum and MYSQL

Bugs item #558167, was opened at 2002-05-20 01:56
You can respond by visiting: 

Category: None
Group: None
Status: Open
Resolution: None
Priority: 5
Submitted By: Nobody/Anonymous (nobody)
Assigned to: Nobody/Anonymous (nobody)
Summary: Checksum and MYSQL

Initial Comment:
Hi Snort. I'm running:
Linux Redhat 7.1 on a
Dell 4300s, Pentium 1.6 gigahertz,
512 meg of ram and 40 gig hard drive
The command line isn't really relevant to the 
1) The first problem isn't really snorts, but 
concerns the support for mysql. Any Ip addresses that 
come in over 31 bits in size are being corrupted. Jed 
Pickels table should work correctly, but doesn't for 
this reason. The UNSIGNED keyword in mysql is 
apparrently at fault. I get negative numbers 
sometimes for variables that are marked in the table 
as UNSIGNED. I fixed these kind of problems by 
increasing the data size for all numeric variables. 
I've already submitted a bug report to the people at 
2) I've modified code in the spo_database.c file to 
handle using one table that has everything in it. 
That way I can use any combination of search params 
to cross reference entries. While I was doing this I 
also decide to modify the checksum procedures in 
decode.c. I'm not really sure if you've got a bug 
there, Snort likes to do checksumming differently 
than I do. However, I can say that if you DON'T 
initialize the checksum value to 0 before doing the 
checksum, you'll get a bad value. Like you've got the 
ip header and your about to pass it to the checksum 
procedure. You have to set the check sum to 0 first. 
Think about if your constructing a packet to send, 
you checksum it and then write the checksum to the 
header. So the checksum was 0 when the checksum was 
done. Same difference if your on the receiving end. 
Ditto for all the tcp, udp and icmp headers. Hope 
this was some help to you.
Tommy Pylant
tpylant at ...1382...


>Comment By: Roman Danyliw (danyliw)
Date: 2002-09-13 11:36

Logged In: YES 


What version of MySQL are you running?



You can respond by visiting: 

This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
Snort-devel mailing list
Snort-devel at lists.sourceforge.net

More information about the Snort-devel mailing list