[Snort-devel] RE: [snort-cvs] CVS: snort - chrisgreen

Russell Fulton r.fulton at ...1343...
Mon Mar 3 13:26:16 EST 2003


On Tue, 2003-03-04 at 07:46, Kreimendahl, Chad J wrote:
> 
> On another note, it also appears that you've removed changes made
> previously.
> for: (MAIN)
>  rpc_decode
>   you killed the HAVE_CONFIG stuff that was added in 1.21
>   and broke the $Id:$ cvs stuff that was fixed in 1.19

Umm.... I've just installed 1.9.1 and I am seeing lots of

[**] [106:2:1] (spp_rpc_decode) Fragmented RPC Records [**]
03/03-21:00:44.160190 202.49.254.2:143 -> 130.216.4.143:32771
TCP TTL:58 TOS:0x20 ID:59199 IpLen:20 DgmLen:109 DF
***AP*** Seq: 0xB08CB228  Ack: 0x642146ED  Win: 0x16A0  TcpLen: 32
TCP Options (3) => NOP NOP TS: 84057616 520563 

[**] [106:2:1] (spp_rpc_decode) Fragmented RPC Records [**]
03/03-21:01:26.715737 204.153.51.29:80 -> 130.216.191.5:32771
TCP TTL:44 TOS:0x0 ID:17200 IpLen:20 DgmLen:177 DF
***AP*** Seq: 0xC62E3372  Ack: 0xD9FCE95B  Win: 0x60F4  TcpLen: 20

[**] [106:2:1] (spp_rpc_decode) Fragmented RPC Records [**]
03/03-21:01:44.173033 202.49.254.2:143 -> 130.216.4.143:32771
TCP TTL:58 TOS:0x20 ID:59201 IpLen:20 DgmLen:109 DF
***AP*** Seq: 0xB08CB27B  Ack: 0x64214713  Win: 0x16A0  TcpLen: 32
TCP Options (3) => NOP NOP TS: 84063618 526564 

Is this what you are referring to?

Clearly the preprocessor is lacking a check on the traffic direction...

Cheers, Russell

-- 
Russell Fulton, Computer and Network Security Officer
The University of Auckland,  New Zealand

"It aint necessarily so"  - Gershwin
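
Added example, not part of the original message and not Snort's own code: a triage script that parses alerts in the layout shown above and separates spp_rpc_decode alerts whose direction looks like a server reply (well-known source port, destination on an inspected RPC port) from the rest. The `RPC_PORTS` set, the sample alerts (constructed, using documentation addresses) and the `likely_reply` heuristic are assumptions.

```python
import re

# Assumption: ports rpc_decode is configured to inspect (adjust to your snort.conf).
RPC_PORTS = {111, 32771}
HEADER = re.compile(r"^\[\*\*\] \[(\d+):(\d+):(\d+)\] (.*?) \[\*\*\]$")
FLOW = re.compile(r"^\S+ ([\d.]+):(\d+) -> ([\d.]+):(\d+)$")

# Constructed sample alerts in the same layout as the message (documentation IPs).
SAMPLE = """\
[**] [106:2:1] (spp_rpc_decode) Fragmented RPC Records [**]
03/03-21:00:44.160190 192.0.2.10:143 -> 198.51.100.7:32771
TCP TTL:58 TOS:0x20 ID:59199 IpLen:20 DgmLen:109 DF

[**] [106:2:1] (spp_rpc_decode) Fragmented RPC Records [**]
03/03-21:01:26.715737 192.0.2.20:80 -> 198.51.100.8:32771
TCP TTL:44 TOS:0x0 ID:17200 IpLen:20 DgmLen:177 DF

[**] [106:2:1] (spp_rpc_decode) Fragmented RPC Records [**]
03/03-21:02:10.000001 198.51.100.9:40112 -> 192.0.2.30:111
TCP TTL:60 TOS:0x0 ID:4021 IpLen:20 DgmLen:200 DF
"""

def parse_alerts(text):
    """Return one dict per alert: header fields plus the flow line that follows."""
    alerts, current = [], None
    for line in (l.strip() for l in text.splitlines()):
        if (m := HEADER.match(line)):
            current = {"gid": int(m[1]), "sid": int(m[2]), "msg": m[4]}
        elif current is not None and (m := FLOW.match(line)):
            current.update(src=m[1], sport=int(m[2]), dst=m[3], dport=int(m[4]))
            alerts.append(current)
            current = None
    return alerts

def likely_reply(a):
    """Heuristic (assumption): a well-known non-RPC source port talking to a
    port in RPC_PORTS is a server reply hitting a client's ephemeral port."""
    return (a["gid"] == 106 and a["dport"] in RPC_PORTS
            and a["sport"] < 1024 and a["sport"] not in RPC_PORTS)

def triage(text):
    """Split alerts into (probable reply-direction noise, worth a look)."""
    alerts = parse_alerts(text)
    return ([a for a in alerts if likely_reply(a)],
            [a for a in alerts if not likely_reply(a)])

if __name__ == "__main__":
    noise, keep = triage(SAMPLE)
    for a in noise:
        print(f"reply-direction: {a['src']}:{a['sport']} -> {a['dst']}:{a['dport']}")
    print(f"{len(keep)} alert(s) left for review")
```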




