[Snort-devel] offset to fragment data (ip with options)
jeff at ...835...
Thu Feb 16 08:15:05 EST 2006
Very interesting question. The IP_HLEN macro does return the length
of the entire IP header in 32-bit words which should include the
options length. So, at first glance I'm inclined to think that code
is incorrect and it should not add the options length.
Anyone else have any thoughts?
On Feb 16, 2006, at 6:59 AM, Vyacheslav V. Burdjanadze wrote:
> Hello, guys.
> While trying to tweak snort-2.4.3 sources I've found this -
> fragStart = ((char *)p->iph + IP_HLEN(p->iph) * 4) + (u_int16_t)p-
> Is it correct? Doesn't ip header length reflect options length?
> It seems we may send fragmented packets with ip options inside to
> evade ids.
> There are a few places with similar code.
http://cerberus.sourcefire.com/~jeff (DSA key id 6923D3FD)
"Problems cannot be solved at the same level of awareness that
created them." - Albert Einstein
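The header-length question raised in this thread, worked through as an added example (not code from the thread or from the Snort source): in IPv4 the IHL field counts the whole header in 32-bit words, options included, so IHL * 4 is already the offset of the fragment data. The function names and the sample packet are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define IPV4_MIN_HLEN 20u /* fixed header, no options */

/* IHL (low nibble of byte 0) covers the fixed header plus options, so
 * IHL * 4 is the payload offset. Returns -1 if malformed or truncated. */
static long ipv4_payload_offset(const uint8_t *pkt, size_t caplen)
{
    if (pkt == NULL || caplen < IPV4_MIN_HLEN) return -1;
    if ((pkt[0] >> 4) != 4) return -1;               /* not IPv4 */
    size_t hlen  = (size_t)(pkt[0] & 0x0f) * 4;
    size_t total = ((size_t)pkt[2] << 8) | pkt[3];   /* total length field */
    if (hlen < IPV4_MIN_HLEN || hlen > total || total > caplen) return -1;
    return (long)hlen;
}

/* Options length is derived from IHL, never added on top of it. */
static long ipv4_options_len(const uint8_t *pkt, size_t caplen)
{
    long off = ipv4_payload_offset(pkt, caplen);
    return off < 0 ? -1 : off - (long)IPV4_MIN_HLEN;
}

/* The form questioned in the thread (header length plus options length),
 * kept only to show how far it lands past the real start of the data. */
static long double_counted_offset(const uint8_t *pkt, size_t caplen)
{
    long off = ipv4_payload_offset(pkt, caplen);
    return off < 0 ? -1 : off + ipv4_options_len(pkt, caplen);
}

/* Constructed sample: 24-byte header (IHL=6), 4 option bytes, 8 data bytes. */
static const uint8_t sample_frag[32] = {
    0x46, 0x00, 0x00, 0x20,  /* version 4, IHL 6, TOS, total length 32 */
    0x12, 0x34, 0x20, 0x00,  /* id, MF flag set, fragment offset 0 */
    0x40, 0x11, 0x00, 0x00,  /* TTL, protocol UDP, checksum left at zero */
    192, 0, 2, 1,            /* source 192.0.2.1 (documentation range) */
    192, 0, 2, 2,            /* destination 192.0.2.2 */
    0x01, 0x01, 0x01, 0x00,  /* options: NOP NOP NOP EOL */
    'P', 'A', 'Y', 'L', 'O', 'A', 'D', '!'
};

int main(void)
{
    printf("correct=%ld double-counted=%ld\n",
           ipv4_payload_offset(sample_frag, sizeof sample_frag),
           double_counted_offset(sample_frag, sizeof sample_frag));
    return 0;
}
```

With options present, the double-counted offset starts the fragment data four bytes late on this sample, so a reassembler using it would inspect different bytes than the receiving host does.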