[Snort-devel] Signature Error?

Chris Keladis chris at ...2315...
Sat Jan 3 06:36:10 EST 2004


Hi Andreas,

[Firstly, sorry for the new thread. I read your message on the web archives 
and only recently subscribed to snort-devel, so I didn't have a local copy of 
your message to reply to..]

I've also noticed this in Snort 2.1.0 and have been looking at the code in gdb.

To add some information to the pot: when stopped in fpAddEvent() (just 
before the final return) and examining pmi->MatchArray[], I noticed there 
are two matched events, one an ICMP message and the other an "MS-SQL Worm 
propagation attempt" alert.

An example:

(gdb) print pmi->MatchArray[0]->otn->sigInfo->message
$18 = 0x85d1888 "ICMP Destination Unreachable (Communication Administratively Prohibited)"
(gdb) print pmi->MatchArray[1]->otn->sigInfo->message
$19 = 0x85c7cc0 "MS-SQL Worm propagation attempt"

Examining the 'Packet * p' structure the packet is definitely an ICMP message.

I don't have a pcap capture of the problem (but could make one if 
necessary). It's reproducible just by watching regular traffic in my case.

I see "MS-SQL Worm propagation attempt" alerts for TCP and ICMP packets 
when the rule clearly should only match UDP packets.

Hope it helps shed some light.

Cheers,

Chris.
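The symptom Chris describes (a rule whose header says `udp` firing on ICMP and TCP packets) is easy to spot after the fact if you cross-check the protocol in each alert against the protocol in the rule header. The script below is an added example and is not part of the mailing-list post or of Snort's own code: it parses a rules file for each rule's header protocol and `msg`, parses Snort `alert_fast` output for the `msg` and the `{PROTO}` field, and reports every alert whose packet protocol does not match its rule's protocol. The rule text, SIDs (1000001 and 1000002, in the local range) and alert lines are constructed for the example; the MS-SQL rule is a simplified stand-in for the real one and is matched by message text, not by SID.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample rules (not taken from the Snort distribution). The header
# layout is Snort's; the MS-SQL rule is a simplified stand-in for the real one.
RULES = """
alert udp $EXTERNAL_NET any -> $HOME_NET 1434 (msg:"MS-SQL Worm propagation attempt"; content:"|04|"; depth:1; sid:1000001; rev:1;)
alert icmp any any -> any any (msg:"ICMP Destination Unreachable (Communication Administratively Prohibited)"; itype:3; icode:13; sid:1000002; rev:1;)
"""

# Constructed alert_fast lines imitating the symptom in the mail: the UDP-only
# MS-SQL rule firing on an ICMP packet and on a TCP packet.
ALERTS = """
01/03-06:30:01.000001  [**] [1:1000002:1] ICMP Destination Unreachable (Communication Administratively Prohibited) [**] [Priority: 3] {ICMP} 10.0.0.1 -> 192.168.1.5
01/03-06:30:01.000002  [**] [1:1000001:1] MS-SQL Worm propagation attempt [**] [Priority: 2] {ICMP} 10.0.0.1 -> 192.168.1.5
01/03-06:30:02.000003  [**] [1:1000001:1] MS-SQL Worm propagation attempt [**] [Priority: 2] {UDP} 10.0.0.7:1234 -> 192.168.1.5:1434
01/03-06:30:03.000004  [**] [1:1000001:1] MS-SQL Worm propagation attempt [**] [Priority: 2] {TCP} 10.0.0.9:4444 -> 192.168.1.5:1434
"""

# Rule header: action proto src_ip src_port direction dst_ip dst_port (options)
RULE_RE = re.compile(
    r"^\s*(?:alert|log|pass|drop|reject|sdrop)\s+(\w+)\s+\S+\s+\S+\s+(?:->|<>)\s+\S+\s+\S+\s*\((.*)\)\s*$"
)
MSG_RE = re.compile(r'msg:\s*"((?:[^"\\]|\\.)*)"')
# alert_fast: ... [**] [gid:sid:rev] <msg> [**] ... {PROTO} src -> dst
ALERT_RE = re.compile(r"\[\*\*\]\s+\[\d+:\d+:\d+\]\s+(.*?)\s+\[\*\*\].*?\{(\w+)\}")


def parse_rules(text: str) -> Dict[str, str]:
    """Map each rule's msg text to its header protocol (lower-cased)."""
    protos: Dict[str, str] = {}
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue  # comments, blank lines, unparseable rules
        proto, options = m.group(1).lower(), m.group(2)
        msg = MSG_RE.search(options)
        if msg:
            protos[msg.group(1)] = proto
    return protos


def parse_alerts(text: str) -> List[Tuple[str, str]]:
    """Return (msg, packet protocol) for every alert_fast line."""
    hits: List[Tuple[str, str]] = []
    for line in text.splitlines():
        m = ALERT_RE.search(line)
        if m:
            hits.append((m.group(1), m.group(2)))
    return hits


def find_protocol_mismatches(rules_text: str, alerts_text: str) -> List[Tuple[str, str, str]]:
    """Return (msg, rule protocol, alert protocol) for alerts whose packet
    protocol cannot have been matched by the rule's header protocol."""
    rule_protos = parse_rules(rules_text)
    mismatches: List[Tuple[str, str, str]] = []
    for msg, alert_proto in parse_alerts(alerts_text):
        rule_proto = rule_protos.get(msg)
        if rule_proto is None or rule_proto == "ip":
            continue  # unknown rule, or an 'ip' rule that legitimately covers every protocol
        if rule_proto != alert_proto.lower():
            mismatches.append((msg, rule_proto, alert_proto))
    return mismatches


if __name__ == "__main__":
    for msg, rule_proto, alert_proto in find_protocol_mismatches(RULES, ALERTS):
        print(f"rule '{msg}' is {rule_proto} but fired on a {alert_proto} packet")
```

Run against real files, the same check gives you a quick count of how often the mis-attribution happens and for which rules, which is the kind of evidence a pcap or a gdb session can then be aimed at; a rule with header protocol `ip` is skipped because it is allowed to match anything.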
