[Snort-devel] IP dgm len < IP Hdr len Alert question

John Weidley john at ...1961...
Thu May 1 14:46:22 EDT 2003


As requested, the tcpdump has been run through snort to hide the true IP
addresses (snort -r <file> -O -b).

Please let me know if there is anything else.

John



----- Original Message -----
From: "rmkml" <rmkml at ...1042...>
To: "John Weidley" <john at ...1961...>
Sent: Thursday, May 01, 2003 9:12 AM
Subject: Re: [Snort-devel] IP dgm len < IP Hdr len Alert question


> please send tcpdump file to the list ?
> Regard.
>
>
>
> John Weidley wrote:
>
> > A couple of days ago I received the following Snort alerts.
> >
> > [**] [116:3:1] (snort_decoder) WARNING: IP dgm len < IP Hdr len! [**]
> > 04/22-10:15:45.540548 AAA.AAA.16.30 -> BBB.BBB.198.38
> > ICMP TTL:127 TOS:0x0 ID:12788 IpLen:20 DgmLen:6
> > ICMP header truncated
> >
> > [**] [116:3:1] (snort_decoder) WARNING: IP dgm len < IP Hdr len! [**]
> > 04/22-10:15:50.628152 AAA.AAA.16.30 -> BBB.BBB.198.38
> > ICMP TTL:127 TOS:0x0 ID:12867 IpLen:20 DgmLen:6
> > ICMP header truncated
> >
> > [**] [116:3:1] (snort_decoder) WARNING: IP dgm len < IP Hdr len! [**]
> > 04/22-10:15:55.635856 AAA.AAA.16.30 -> BBB.BBB.198.38
> > ICMP TTL:127 TOS:0x0 ID:12987 IpLen:20 DgmLen:6
> > ICMP header truncated
> >
> > [**] [116:3:1] (snort_decoder) WARNING: IP dgm len < IP Hdr len! [**]
> > 04/22-10:16:00.643454 AAA.AAA.16.30 -> BBB.BBB.198.38
> > ICMP TTL:127 TOS:0x0 ID:13056 IpLen:20 DgmLen:6
> > ICMP header truncated
> >
> > [**] [116:3:1] (snort_decoder) WARNING: IP dgm len < IP Hdr len! [**]
> > 04/22-10:16:05.651236 AAA.AAA.16.30 -> BBB.BBB.198.38
> > ICMP TTL:127 TOS:0x0 ID:13153 IpLen:20 DgmLen:6
> > ICMP header truncated
> >
> > I went to a raw tcpdump capture file of all traffic on the network and
> > searched for all packets with a datagram length of 6 and got no output.
> > (tcpdump -xvvr <tcpdump_file> 'ip[2:2] = 6')
> >
> > So I looked at all ICMP traffic between the 2 hosts. I found a 65K ICMP
> > ping from a trusted box going to an external destination. This is obviously
> > a separate issue as to why this is happening and the wrong icmp checksum.
> > Here are the fragmented ICMP packets.
> >
> > 10:22:14.658918 AAA.AAA.16.30 > BBB.BBB.198.38: icmp: echo request (wrong icmp csum)
> >  (frag 19019:1480 at ...475...+) (ttl 127, len 1500)
> >
> > 10:22:14.660093 AAA.AAA.16.30 > BBB.BBB.198.38: (frag 19019:1480 at ...575...+) (ttl 127, len 1500)
> > 10:22:14.661324 AAA.AAA.16.30 > BBB.BBB.198.38: (frag 19019:1480 at ...1292...+) (ttl 127, len 1500)
> > 10:22:14.662558 AAA.AAA.16.30 > BBB.BBB.198.38: (frag 19019:1480 at ...1293...+) (ttl 127, len 1500)
> > 10:22:14.663787 AAA.AAA.16.30 > BBB.BBB.198.38: (frag 19019:1480 at ...1294...+) (ttl 127, len 1500)
> > 10:22:14.665018 AAA.AAA.16.30 > BBB.BBB.198.38: (frag 19019:1480 at ...1295...+) (ttl 127, len 1500)
> > 10:22:14.666253 AAA.AAA.16.30 > BBB.BBB.198.38: (frag 19019:1480 at ...1296...+) (ttl 127, len 1500)
> > 10:22:14.667483 AAA.AAA.16.30 > BBB.BBB.198.38: (frag 19019:1480 at ...1297...+)
> > (ttl 127, len 1500)
> > 10:22:14.668712 AAA.AAA.16.30 > BBB.BBB.198.38: (frag 19019:1480 at ...1298...+)
> > (ttl 127, len 1500)
> > 10:22:14.669943 AAA.AAA.16.30 > BBB.BBB.198.38: (frag 19019:1480 at ...1299...+)
> > (ttl 127, len 1500)
> > 10:22:14.671176 AAA.AAA.16.30 > BBB.BBB.198.38: (frag 19019:1480 at ...1300...+)
> > (ttl 127, len 1500)
> > 10:22:14.672404 AAA.AAA.16.30 > BBB.BBB.198.38: (frag 19019:1480 at ...1301...+)
> > (ttl 127, len 1500)
> > 10:22:14.673636 AAA.AAA.16.30 > BBB.BBB.198.38: (frag 19019:1480 at ...1302...+)
> > (ttl 127, len 1500)
> > 10:22:14.674866 AAA.AAA.16.30 > BBB.BBB.198.38: (frag 19019:1480 at ...1303...+)
> > (ttl 127, len 1500)
> > 10:22:14.676098 AAA.AAA.16.30 > BBB.BBB.198.38: (frag 19019:1480 at ...1304...+)
> > (ttl 127, len 1500)
> > 10:22:14.677331 AAA.AAA.16.30 > BBB.BBB.198.38: (frag 19019:1480 at ...1305...+)
> > (ttl 127, len 1500)
> > 10:22:14.678561 AAA.AAA.16.30 > BBB.BBB.198.38: (frag 19019:1480 at ...1306...+)
> > (ttl 127, len 1500)
> > 10:22:14.679795 AAA.AAA.16.30 > BBB.BBB.198.38: (frag 19019:1480 at ...1307...+)
> > (ttl 127, len 1500)
> > 10:22:14.681023 AAA.AAA.16.30 > BBB.BBB.198.38: (frag 19019:1480 at ...1308...+)
> > (ttl 127, len 1500)
> > 10:22:14.682256 AAA.AAA.16.30 > BBB.BBB.198.38: (frag 19019:1480 at ...1309...+)
> > (ttl 127, len 1500)
> > 10:22:14.683485 AAA.AAA.16.30 > BBB.BBB.198.38: (frag 19019:1480 at ...1310...+)
> > (ttl 127, len 1500)
> > 10:22:14.684716 AAA.AAA.16.30 > BBB.BBB.198.38: (frag 19019:1480 at ...1311...+)
> > (ttl 127, len 1500)
> > 10:22:14.685951 AAA.AAA.16.30 > BBB.BBB.198.38: (frag 19019:1480 at ...1312...+)
> > (ttl 127, len 1500)
> > 10:22:14.687179 AAA.AAA.16.30 > BBB.BBB.198.38: (frag 19019:1480 at ...1313...+)
> > (ttl 127, len 1500)
> > 10:22:14.688412 AAA.AAA.16.30 > BBB.BBB.198.38: (frag 19019:1480 at ...1314...+)
> > (ttl 127, len 1500)
> > 10:22:14.689641 AAA.AAA.16.30 > BBB.BBB.198.38: (frag 19019:1480 at ...1315...+)
> > (ttl 127, len 1500)
> > 10:22:14.690872 AAA.AAA.16.30 > BBB.BBB.198.38: (frag 19019:1480 at ...1316...+)
> > (ttl 127, len 1500)
> > 10:22:14.692104 AAA.AAA.16.30 > BBB.BBB.198.38: (frag 19019:1480 at ...1317...+)
> > (ttl 127, len 1500)
> > 10:22:14.693337 AAA.AAA.16.30 > BBB.BBB.198.38: (frag 19019:1480 at ...1318...+)
> > (ttl 127, len 1500)
> > 10:22:14.694566 AAA.AAA.16.30 > BBB.BBB.198.38: (frag 19019:1480 at ...1319...+)
> > (ttl 127, len 1500)
> > 10:22:14.695797 AAA.AAA.16.30 > BBB.BBB.198.38: (frag 19019:1480 at ...1320...+)
> > (ttl 127, len 1500)
> > 10:22:14.697030 AAA.AAA.16.30 > BBB.BBB.198.38: (frag 19019:1480 at ...1321...+)
> > (ttl 127, len 1500)
> > 10:22:14.698259 AAA.AAA.16.30 > BBB.BBB.198.38: (frag 19019:1480 at ...1322...+)
> > (ttl 127, len 1500)
> > 10:22:14.699492 AAA.AAA.16.30 > BBB.BBB.198.38: (frag 19019:1480 at ...1323...+)
> > (ttl 127, len 1500)
> > 10:22:14.700721 AAA.AAA.16.30 > BBB.BBB.198.38: (frag 19019:1480 at ...1324...+)
> > (ttl 127, len 1500)
> > 10:22:14.701955 AAA.AAA.16.30 > BBB.BBB.198.38: (frag 19019:1480 at ...1325...+)
> > (ttl 127, len 1500)
> > 10:22:14.703183 AAA.AAA.16.30 > BBB.BBB.198.38: (frag 19019:1480 at ...1326...+)
> > (ttl 127, len 1500)
> > 10:22:14.704414 AAA.AAA.16.30 > BBB.BBB.198.38: (frag 19019:1480 at ...1327...+)
> > (ttl 127, len 1500)
> > 10:22:14.705645 AAA.AAA.16.30 > BBB.BBB.198.38: (frag 19019:1480 at ...1328...+)
> > (ttl 127, len 1500)
> > 10:22:14.706877 AAA.AAA.16.30 > BBB.BBB.198.38: (frag 19019:1480 at ...1329...+)
> > (ttl 127, len 1500)
> > 10:22:14.708112 AAA.AAA.16.30 > BBB.BBB.198.38: (frag 19019:1480 at ...1330...+)
> > (ttl 127, len 1500)
> > 10:22:14.709340 AAA.AAA.16.30 > BBB.BBB.198.38: (frag 19019:1480 at ...1331...+)
> > (ttl 127, len 1500)
> > 10:22:14.710571 AAA.AAA.16.30 > BBB.BBB.198.38: (frag 19019:1480 at ...1332...+)
> > (ttl 127, len 1500)
> > 10:22:14.711804 AAA.AAA.16.30 > BBB.BBB.198.38: (frag 19019:1480 at ...1333...+)
> > (ttl 127, len 1500)
> > 10:22:14.712073 AAA.AAA.16.30 > BBB.BBB.198.38: (frag 19019:388 at ...1334...) (ttl 127, len 408)
> >
> > When I show the hex output and calculate the IHL and the total packet
> > length, things just don't add up.
> >
> > 10:22:14.658918 AAA.AAA.16.30 > BBB.BBB.198.38: icmp: echo request (wrong icmp csum)
> >  (frag 19019:1480 at ...475...+) (ttl 127, len 1500)
> >
> > 4500 05dc 4a4b 2000 7f01 7c67 AAAA 101e
> >  ^   ^^^^
> > BBBB c626
> >
> > IHL - (5 * 4) = 20
> > Total Length - 05dc = 1500
> >
> > Where is Snort getting a datagram length of 6 bytes?
> >
> > --------------------------------------------------------------------
> > System Architecture: x86
> > Operating System and version: Linux 2.2.19pre17
> > Version of Snort: Version 2.0.0 (Build 72)
> > What preprocessors you loaded:
> >         preprocessor frag2
> >         preprocessor stream4: detect_scans, disable_evasion_alerts
> >         preprocessor stream4_reassemble
> >         preprocessor http_decode: 80 unicode iis_alt_unicode double_encode iis_flip_slash full_whitespace
> >         preprocessor rpc_decode: 111 32771
> >         preprocessor bo
> >         preprocessor telnet_decode
> >         preprocessor portscan: $HOME_NET 4 3 portscan.log
> >         preprocessor portscan-ignorehosts: $DNS_SERVERS
> >
> > What rules (if any) you were using:
> >         include ./classification.config
> >         include ./reference.config
> >         include $RULE_PATH/bad-traffic.rules
> >         include $RULE_PATH/exploit.rules
> >         include $RULE_PATH/scan.rules
> >         include $RULE_PATH/finger.rules
> >         include $RULE_PATH/ftp.rules
> >         include $RULE_PATH/telnet.rules
> >         include $RULE_PATH/rservices.rules
> >         include $RULE_PATH/dos.rules
> >         include $RULE_PATH/ddos.rules
> >         include $RULE_PATH/dns.rules
> >         include $RULE_PATH/tftp.rules
> >         include $RULE_PATH/web-cgi.rules
> >         include $RULE_PATH/web-misc.rules
> >         include $RULE_PATH/web-client.rules
> >         include $RULE_PATH/web-php.rules
> >         include $RULE_PATH/sql.rules
> >         include $RULE_PATH/x11.rules
> >         include $RULE_PATH/netbios.rules
> >         include $RULE_PATH/misc.rules
> >         include $RULE_PATH/attack-responses.rules
> >         include $RULE_PATH/oracle.rules
> >         include $RULE_PATH/mysql.rules
> >         include $RULE_PATH/snmp.rules
> >         include $RULE_PATH/smtp.rules
> >         include $RULE_PATH/imap.rules
> >         include $RULE_PATH/pop3.rules
> >         include $RULE_PATH/nntp.rules
> >         include $RULE_PATH/other-ids.rules
> >         include $RULE_PATH/experimental.rules
> >         include $RULE_PATH/local.rules
> >         include $RULE_PATH/virus.rules
> >
> > What output plug-ins you loaded:
> >         output log_tcpdump: tcpdump.log
> >         output database: log, mysql, user=user password=pwd dbname=snort
> > host=127.0.0.1 sensor_name=sen
> >
> > What command line switches you were using:
> >         -i $INTERFACE
> >         -z
> >         -F /etc/snort/ignore-filter.bpf
> >         -c /etc/snort/rules/snort.conf
> >         -l /var/log/snort
> >         -o
> >         -D
> >
> > Any Snort error messages: None
> >
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: large_icmp_obfuscated.bin
Type: application/octet-stream
Size: 67781 bytes
Desc: not available
URL: <https://lists.snort.org/pipermail/snort-devel/attachments/20030501/151159c9/attachment.bin>
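
To make the arithmetic in the quoted post concrete, here is a small IPv4 header parser that applies the length comparison the [116:3] alert is named for ("IP dgm len < IP Hdr len"). This is an added example, not Snort's decoder and not code from anyone in the thread. It embeds the 20 header bytes from the post's hex dump (the AAAA/BBBB address placeholders happen to be valid hex, so the bytes parse as 170.170.16.30 -> 187.187.198.38) plus a constructed variant whose total-length field is 6, which is the shape of packet that would legitimately produce "DgmLen:6". The function names, the alert strings and the "captured len" check are the example's own; they mirror the decoder's logic as described in the alert text, not its source.

```python
import struct
from typing import Optional

# Constructed from the hex dump in the post. The AAAA/BBBB placeholders are
# the post's address obfuscation; they parse as 170.170.x.x / 187.187.x.x,
# but the checksum field (7c67) was computed over the real addresses, so it
# no longer verifies. Assumption: header only, no payload, as the post shows it.
POSTED_HEADER = bytes.fromhex(
    "4500 05dc 4a4b 2000 7f01 7c67 AAAA 101e BBBB c626".replace(" ", "")
)

# Constructed: same header with total length = 6, i.e. a datagram that
# really would raise "IP dgm len < IP Hdr len" with DgmLen:6.
BOGUS_HEADER = POSTED_HEADER[:2] + b"\x00\x06" + POSTED_HEADER[4:]


def ihl_bytes(pkt: bytes) -> int:
    """IHL is the low nibble of byte 0, in 32-bit words (5 -> 20 bytes)."""
    return (pkt[0] & 0x0F) * 4


def total_length(pkt: bytes) -> int:
    """16-bit total length at offset 2: the field tcpdump's 'ip[2:2]' reads."""
    return struct.unpack("!H", pkt[2:4])[0]


def matches_bpf_ip_len(pkt: bytes, wanted: int) -> bool:
    """Equivalent of the BPF expression 'ip[2:2] = <wanted>' used in the post."""
    return total_length(pkt) == wanted


def decode_ip(pkt: bytes) -> Optional[str]:
    """Length sanity checks a decoder must apply before trusting the header.
    Returns an alert name, or None when the lengths agree with the bytes
    actually captured. (Example's own names, not Snort's.)"""
    if len(pkt) < 20:
        return "IP header truncated"
    if pkt[0] >> 4 != 4:
        return "not IPv4"
    hlen = ihl_bytes(pkt)
    if hlen < 20:
        return "IP hdr len < 20"
    dgm_len = total_length(pkt)
    if dgm_len < hlen:
        return "IP dgm len < IP Hdr len"      # the [116:3] condition from the post
    if dgm_len > len(pkt):
        return "IP dgm len > captured len"    # header claims more than we hold
    return None


def describe(pkt: bytes) -> dict:
    """Field breakdown matching what tcpdump/Snort print for the posted packet."""
    (ver_ihl, tos, tlen, ident, flags_frag, ttl, proto, csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    return {
        "version": ver_ihl >> 4,
        "ihl": (ver_ihl & 0x0F) * 4,
        "total_length": tlen,
        "id": ident,
        "mf": bool(flags_frag & 0x2000),
        "df": bool(flags_frag & 0x4000),
        "frag_offset": (flags_frag & 0x1FFF) * 8,
        "ttl": ttl,
        "proto": proto,
        "checksum": csum,
        "src": ".".join(str(b) for b in src),
        "dst": ".".join(str(b) for b in dst),
    }


def ones_complement_sum(data: bytes) -> int:
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def compute_ip_checksum(pkt: bytes) -> int:
    """RFC 791 header checksum, computed with the checksum field zeroed."""
    hlen = ihl_bytes(pkt)
    zeroed = pkt[:10] + b"\x00\x00" + pkt[12:hlen]
    return (~ones_complement_sum(zeroed)) & 0xFFFF


def verify_ip_checksum(pkt: bytes) -> bool:
    """A correct header sums to 0xFFFF when the stored checksum is included."""
    return ones_complement_sum(pkt[: ihl_bytes(pkt)]) == 0xFFFF


if __name__ == "__main__":
    for name, pkt in (("posted", POSTED_HEADER), ("bogus", BOGUS_HEADER)):
        print(name, describe(pkt), "alert:", decode_ip(pkt),
              "csum ok:", verify_ip_checksum(pkt))
```

Two things worth noting when running this against the quoted dump. First, the posted 20 bytes alone fail the checksum, but that is an artifact of the address obfuscation (the addresses were rewritten, the checksum field was not), so a checksum mismatch on an obfuscated dump says nothing about the original packet. Second, feeding only the header to decode_ip hits the "dgm len > captured len" branch, because the header claims 1500 bytes and only 20 are present; that is a different condition from the one in the alert, which needs the total-length field itself to be smaller than the header, as in the constructed BOGUS_HEADER.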

