[Snort-devel] IP dgm len < IP Hdr len Alert question

John Weidley john at ...1961...
Thu May 1 05:40:36 EDT 2003


A couple of days ago I received the following Snort alerts.

[**] [116:3:1] (snort_decoder) WARNING: IP dgm len < IP Hdr len! [**]
04/22-10:15:45.540548 AAA.AAA.16.30 -> BBB.BBB.198.38
ICMP TTL:127 TOS:0x0 ID:12788 IpLen:20 DgmLen:6
ICMP header truncated

[**] [116:3:1] (snort_decoder) WARNING: IP dgm len < IP Hdr len! [**]
04/22-10:15:50.628152 AAA.AAA.16.30 -> BBB.BBB.198.38
ICMP TTL:127 TOS:0x0 ID:12867 IpLen:20 DgmLen:6
ICMP header truncated

[**] [116:3:1] (snort_decoder) WARNING: IP dgm len < IP Hdr len! [**]
04/22-10:15:55.635856 AAA.AAA.16.30 -> BBB.BBB.198.38
ICMP TTL:127 TOS:0x0 ID:12987 IpLen:20 DgmLen:6
ICMP header truncated

[**] [116:3:1] (snort_decoder) WARNING: IP dgm len < IP Hdr len! [**]
04/22-10:16:00.643454 AAA.AAA.16.30 -> BBB.BBB.198.38
ICMP TTL:127 TOS:0x0 ID:13056 IpLen:20 DgmLen:6
ICMP header truncated

[**] [116:3:1] (snort_decoder) WARNING: IP dgm len < IP Hdr len! [**]
04/22-10:16:05.651236 AAA.AAA.16.30 -> BBB.BBB.198.38
ICMP TTL:127 TOS:0x0 ID:13153 IpLen:20 DgmLen:6
ICMP header truncated


I went to a raw tcpdump capture file of all traffic on the network and
searched for all packets with a datagram length of 6 and got no output.
(tcpdump -xvvr <tcpdump_file> 'ip[2:2] = 6')


So I looked at all ICMP traffic between the 2 hosts. I found a 65K ICMP
ping from a trusted box going to an external destination. This is obviously
a separate issue as to why this is happening and the wrong icmp checksum.
Here are the fragmented ICMP packets.

10:22:14.658918 AAA.AAA.16.30 > BBB.BBB.198.38: icmp: echo request (wrong icmp csum) (frag 19019:1480 at ...475...+) (ttl 127, len 1500)
10:22:14.660093 AAA.AAA.16.30 > BBB.BBB.198.38: (frag 19019:1480 at ...575...+) (ttl 127, len 1500)
10:22:14.661324 AAA.AAA.16.30 > BBB.BBB.198.38: (frag 19019:1480 at ...1292...+) (ttl 127, len 1500)
10:22:14.662558 AAA.AAA.16.30 > BBB.BBB.198.38: (frag 19019:1480 at ...1293...+) (ttl 127, len 1500)
10:22:14.663787 AAA.AAA.16.30 > BBB.BBB.198.38: (frag 19019:1480 at ...1294...+) (ttl 127, len 1500)
10:22:14.665018 AAA.AAA.16.30 > BBB.BBB.198.38: (frag 19019:1480 at ...1295...+) (ttl 127, len 1500)
10:22:14.666253 AAA.AAA.16.30 > BBB.BBB.198.38: (frag 19019:1480 at ...1296...+) (ttl 127, len 1500)
10:22:14.667483 AAA.AAA.16.30 > BBB.BBB.198.38: (frag 19019:1480 at ...1297...+) (ttl 127, len 1500)
10:22:14.668712 AAA.AAA.16.30 > BBB.BBB.198.38: (frag 19019:1480 at ...1298...+) (ttl 127, len 1500)
10:22:14.669943 AAA.AAA.16.30 > BBB.BBB.198.38: (frag 19019:1480 at ...1299...+) (ttl 127, len 1500)
10:22:14.671176 AAA.AAA.16.30 > BBB.BBB.198.38: (frag 19019:1480 at ...1300...+) (ttl 127, len 1500)
10:22:14.672404 AAA.AAA.16.30 > BBB.BBB.198.38: (frag 19019:1480 at ...1301...+) (ttl 127, len 1500)
10:22:14.673636 AAA.AAA.16.30 > BBB.BBB.198.38: (frag 19019:1480 at ...1302...+) (ttl 127, len 1500)
10:22:14.674866 AAA.AAA.16.30 > BBB.BBB.198.38: (frag 19019:1480 at ...1303...+) (ttl 127, len 1500)
10:22:14.676098 AAA.AAA.16.30 > BBB.BBB.198.38: (frag 19019:1480 at ...1304...+) (ttl 127, len 1500)
10:22:14.677331 AAA.AAA.16.30 > BBB.BBB.198.38: (frag 19019:1480 at ...1305...+) (ttl 127, len 1500)
10:22:14.678561 AAA.AAA.16.30 > BBB.BBB.198.38: (frag 19019:1480 at ...1306...+) (ttl 127, len 1500)
10:22:14.679795 AAA.AAA.16.30 > BBB.BBB.198.38: (frag 19019:1480 at ...1307...+) (ttl 127, len 1500)
10:22:14.681023 AAA.AAA.16.30 > BBB.BBB.198.38: (frag 19019:1480 at ...1308...+) (ttl 127, len 1500)
10:22:14.682256 AAA.AAA.16.30 > BBB.BBB.198.38: (frag 19019:1480 at ...1309...+) (ttl 127, len 1500)
10:22:14.683485 AAA.AAA.16.30 > BBB.BBB.198.38: (frag 19019:1480 at ...1310...+) (ttl 127, len 1500)
10:22:14.684716 AAA.AAA.16.30 > BBB.BBB.198.38: (frag 19019:1480 at ...1311...+) (ttl 127, len 1500)
10:22:14.685951 AAA.AAA.16.30 > BBB.BBB.198.38: (frag 19019:1480 at ...1312...+) (ttl 127, len 1500)
10:22:14.687179 AAA.AAA.16.30 > BBB.BBB.198.38: (frag 19019:1480 at ...1313...+) (ttl 127, len 1500)
10:22:14.688412 AAA.AAA.16.30 > BBB.BBB.198.38: (frag 19019:1480 at ...1314...+) (ttl 127, len 1500)
10:22:14.689641 AAA.AAA.16.30 > BBB.BBB.198.38: (frag 19019:1480 at ...1315...+) (ttl 127, len 1500)
10:22:14.690872 AAA.AAA.16.30 > BBB.BBB.198.38: (frag 19019:1480 at ...1316...+) (ttl 127, len 1500)
10:22:14.692104 AAA.AAA.16.30 > BBB.BBB.198.38: (frag 19019:1480 at ...1317...+) (ttl 127, len 1500)
10:22:14.693337 AAA.AAA.16.30 > BBB.BBB.198.38: (frag 19019:1480 at ...1318...+) (ttl 127, len 1500)
10:22:14.694566 AAA.AAA.16.30 > BBB.BBB.198.38: (frag 19019:1480 at ...1319...+) (ttl 127, len 1500)
10:22:14.695797 AAA.AAA.16.30 > BBB.BBB.198.38: (frag 19019:1480 at ...1320...+) (ttl 127, len 1500)
10:22:14.697030 AAA.AAA.16.30 > BBB.BBB.198.38: (frag 19019:1480 at ...1321...+) (ttl 127, len 1500)
10:22:14.698259 AAA.AAA.16.30 > BBB.BBB.198.38: (frag 19019:1480 at ...1322...+) (ttl 127, len 1500)
10:22:14.699492 AAA.AAA.16.30 > BBB.BBB.198.38: (frag 19019:1480 at ...1323...+) (ttl 127, len 1500)
10:22:14.700721 AAA.AAA.16.30 > BBB.BBB.198.38: (frag 19019:1480 at ...1324...+) (ttl 127, len 1500)
10:22:14.701955 AAA.AAA.16.30 > BBB.BBB.198.38: (frag 19019:1480 at ...1325...+) (ttl 127, len 1500)
10:22:14.703183 AAA.AAA.16.30 > BBB.BBB.198.38: (frag 19019:1480 at ...1326...+) (ttl 127, len 1500)
10:22:14.704414 AAA.AAA.16.30 > BBB.BBB.198.38: (frag 19019:1480 at ...1327...+) (ttl 127, len 1500)
10:22:14.705645 AAA.AAA.16.30 > BBB.BBB.198.38: (frag 19019:1480 at ...1328...+) (ttl 127, len 1500)
10:22:14.706877 AAA.AAA.16.30 > BBB.BBB.198.38: (frag 19019:1480 at ...1329...+) (ttl 127, len 1500)
10:22:14.708112 AAA.AAA.16.30 > BBB.BBB.198.38: (frag 19019:1480 at ...1330...+) (ttl 127, len 1500)
10:22:14.709340 AAA.AAA.16.30 > BBB.BBB.198.38: (frag 19019:1480 at ...1331...+) (ttl 127, len 1500)
10:22:14.710571 AAA.AAA.16.30 > BBB.BBB.198.38: (frag 19019:1480 at ...1332...+) (ttl 127, len 1500)
10:22:14.711804 AAA.AAA.16.30 > BBB.BBB.198.38: (frag 19019:1480 at ...1333...+) (ttl 127, len 1500)
10:22:14.712073 AAA.AAA.16.30 > BBB.BBB.198.38: (frag 19019:388 at ...1334...) (ttl 127, len 408)

When I show the hex output and calculate the IHL and the total packet
length, things just don't add up.

10:22:14.658918 AAA.AAA.16.30 > BBB.BBB.198.38: icmp: echo request (wrong icmp csum) (frag 19019:1480 at ...475...+) (ttl 127, len 1500)

4500 05dc 4a4b 2000 7f01 7c67 AAAA 101e
 ^   ^^^^
BBBB c626


IHL - (5 * 4) = 20
Total Length - 05dc = 1500

Where is Snort getting a datagram length of 6 bytes?


--------------------------------------------------------------------
System Architecture: x86
Operating System and version: Linux 2.2.19pre17
Version of Snort: Version 2.0.0 (Build 72)
What preprocessors you loaded:
	preprocessor frag2
	preprocessor stream4: detect_scans, disable_evasion_alerts
	preprocessor stream4_reassemble
	preprocessor http_decode: 80 unicode iis_alt_unicode double_encode iis_flip_slash full_whitespace
	preprocessor rpc_decode: 111 32771
	preprocessor bo
	preprocessor telnet_decode
	preprocessor portscan: $HOME_NET 4 3 portscan.log
	preprocessor portscan-ignorehosts: $DNS_SERVERS

What rules (if any) you were using:
	include ./classification.config
	include ./reference.config
	include $RULE_PATH/bad-traffic.rules
	include $RULE_PATH/exploit.rules
	include $RULE_PATH/scan.rules
	include $RULE_PATH/finger.rules
	include $RULE_PATH/ftp.rules
	include $RULE_PATH/telnet.rules
	include $RULE_PATH/rservices.rules
	include $RULE_PATH/dos.rules
	include $RULE_PATH/ddos.rules
	include $RULE_PATH/dns.rules
	include $RULE_PATH/tftp.rules
	include $RULE_PATH/web-cgi.rules
	include $RULE_PATH/web-misc.rules
	include $RULE_PATH/web-client.rules
	include $RULE_PATH/web-php.rules
	include $RULE_PATH/sql.rules
	include $RULE_PATH/x11.rules
	include $RULE_PATH/netbios.rules
	include $RULE_PATH/misc.rules
	include $RULE_PATH/attack-responses.rules
	include $RULE_PATH/oracle.rules
	include $RULE_PATH/mysql.rules
	include $RULE_PATH/snmp.rules
	include $RULE_PATH/smtp.rules
	include $RULE_PATH/imap.rules
	include $RULE_PATH/pop3.rules
	include $RULE_PATH/nntp.rules
	include $RULE_PATH/other-ids.rules
	include $RULE_PATH/experimental.rules
	include $RULE_PATH/local.rules
	include $RULE_PATH/virus.rules

What output plug-ins you loaded:
	output log_tcpdump: tcpdump.log
	output database: log, mysql, user=user password=pwd dbname=snort host=127.0.0.1 sensor_name=sen

What command line switches you were using:
	-i $INTERFACE
	-z
	-F /etc/snort/ignore-filter.bpf
	-c /etc/snort/rules/snort.conf
	-l /var/log/snort
	-o
	-D

Any Snort error messages: None
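An added worked example (not from the post above and not Snort's own decoder code) that parses the IP header hex quoted in the post and applies the same sanity check the 116:3 alert describes: the IP total length must not be smaller than the header length. The redacted address words (AAAA/BBBB) are replaced with constructed placeholder octets, and a second, constructed header with total length 6 shows what does trigger the check.

```python
import struct

# IP header hex quoted in the post; the source/destination words were
# redacted there (AAAA / BBBB), so constructed placeholder octets are used.
CAPTURED_HDR = bytes.fromhex("4500 05dc 4a4b 2000 7f01 7c67 0a0a 101e c0a8 c626")

# Constructed header whose total-length field is 6, as the alert reported
# (IpLen:20 DgmLen:6). The checksum word is left at zero on purpose.
SHORT_HDR = bytes.fromhex("4500 0006 31f4 0000 7f01 0000 0a0a 101e c0a8 c626")


def parse_ipv4(buf):
    """Decode the fixed 20-byte IPv4 header fields that the alert refers to."""
    if len(buf) < 20:
        raise ValueError("need at least 20 bytes of IPv4 header")
    ver_ihl, tos, total_len, ident, flags_frag, ttl, proto, csum = \
        struct.unpack("!BBHHHBBH", buf[:12])
    return {
        "version": ver_ihl >> 4,
        "ihl_bytes": (ver_ihl & 0x0F) * 4,   # Snort's IpLen
        "total_len": total_len,              # Snort's DgmLen; same field as tcpdump 'ip[2:2]'
        "id": ident,
        "mf": bool(flags_frag & 0x2000),     # more-fragments flag
        "df": bool(flags_frag & 0x4000),
        "frag_offset": (flags_frag & 0x1FFF) * 8,  # byte offset of this fragment
        "ttl": ttl,
        "proto": proto,
    }


def decoder_check(buf):
    """Return the decoder alert text when the datagram length is shorter than
    the header length, otherwise None (mirrors what alert 116:3 reports)."""
    f = parse_ipv4(buf)
    if f["total_len"] < f["ihl_bytes"]:
        return "IP dgm len < IP Hdr len! IpLen:%d DgmLen:%d" % (f["ihl_bytes"], f["total_len"])
    return None


if __name__ == "__main__":
    for name, hdr in (("captured", CAPTURED_HDR), ("constructed", SHORT_HDR)):
        print(name, parse_ipv4(hdr), decoder_check(hdr))
```

The captured header decodes to IHL 20, total length 1500, ID 19019 with the MF flag set and fragment offset 0, which matches the tcpdump line for the first fragment and passes the check; only the constructed 6-byte length fires it.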