[Snort-devel] offset to fragment data (ip with options)

Jeff Nathan jeff at ...835...
Thu Feb 16 08:15:05 EST 2006


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Very interesting question.  The IP_HLEN macro does return the length  
of the entire IP header in 32-bit words which should include the  
options length.  So, at first glance I'm inclined to think that code  
is incorrect and it should not add the options length.

Anyone else have any thoughts?

- -Jeff

On Feb 16, 2006, at 6:59 AM, Vyacheslav V. Burdjanadze wrote:

> Hello, guys.
>
> While trying to tweak snort-2.4.3 sources I've found this -
>
> fragStart = ((char *)p->iph + IP_HLEN(p->iph) * 4) + (u_int16_t)p- 
> >ip_options_len;
>
> Is it correct? Doesn't ip header length reflect options length?
> It seems we may send fragmented packets with ip options inside to  
> evade ids.
> There are a few places with similar code.
>
>
>
> -------------------------------------------------------
> This SF.net email is sponsored by: Splunk Inc. Do you grep through  
> log files
> for problems?  Stop!  Download the new AJAX search engine that makes
> searching your log files as easy as surfing the  web.  DOWNLOAD  
> SPLUNK!
> http://sel.as-us.falkag.net/sel? 
> cmd=lnk&kid=103432&bid=230486&dat=121642
> _______________________________________________
> Snort-devel mailing list
> Snort-devel at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-devel


- --
http://cerberus.sourcefire.com/~jeff       (DSA key id 6923D3FD)
"Problems cannot be solved at the same level of awareness that
created them."   - Albert Einstein


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (Darwin)

iD8DBQFD9KTsEqr8+Gkj0/0RAmC/AJ9vGL6jNKvopD4vXz/6BhpEySAQGgCff8Lb
QxkNwglL6Plv29FoLZdObCo=
=MgV4
-----END PGP SIGNATURE-----




More information about the Snort-devel mailing list