[Snort-devel] Signature Error?

Chris Keladis chris at ...2315...
Sat Jan 3 06:36:10 EST 2004

Hi Andreas,

[Firstly sorry for the new thread. I read your message on the web-archives 
and only recently subscribed to snort-dev so i didn't have a local copy of 
your message to reply to..]

I've also noticed this in Snort 2.1.0 and have been looking at the code in gdb.

To add some information to the pot, i found when in fpAddEvent() (just 
before the final return) and examining pmi->MatchArray[], i noticed there 
are 2 matched events, one an ICMP message and the other an "MS-SQL Worm 
propagation attempt" alert.

An example:

(gdb) print pmi->MatchArray[0]->otn->sigInfo->message
$18 = 0x85d1888 "ICMP Destination Unreachable (Communication 
Administratively Prohibited)"
(gdb) print pmi->MatchArray[1]->otn->sigInfo->message
$19 = 0x85c7cc0 "MS-SQL Worm propagation attempt"

Examining the 'Packet * p' structure the packet is definitely an ICMP message.

I don't have a pcap capture of the problem (but could make one if 
necessary). It's reproducible just by watching regular traffic in my case.

I see "MS-SQL Worm propagation attempt" alerts for TCP and ICMP packets 
when the rule clearly should only match UDP packets.

Hope it helps shed some light..



More information about the Snort-devel mailing list