[Snort-devel] offset to fragment data (ip with options)

Steven Sturges steve.sturges at ...402...
Thu Feb 16 08:31:02 EST 2006


Yes, agreed.  Will get that fixed in the next few days...

-steve

Jeff Nathan wrote:
> Very interesting question.  The IP_HLEN macro does return the length of
> the entire IP header in 32-bit words which should include the options
> length.  So, at first glance I'm inclined to think that code is
> incorrect and it should not add the options length.
> 
> Anyone else have any thoughts?
> 
> -Jeff
> 
> On Feb 16, 2006, at 6:59 AM, Vyacheslav V. Burdjanadze wrote:
> 
>> Hello, guys.
>>
>> While trying to tweak snort-2.4.3 sources I've found this -
>>
>> fragStart = ((char *)p->iph + IP_HLEN(p->iph) * 4) + (u_int16_t)p->ip_options_len;
>>
>> Is it correct? Doesn't IP header length reflect options length?
>> It seems we may send fragmented packets with IP options inside to
>> evade IDS.
>> There are a few places with similar code.
> 
> 
> 
> --
> http://cerberus.sourcefire.com/~jeff       (DSA key id 6923D3FD)
> "Problems cannot be solved at the same level of awareness that
> created them."   - Albert Einstein
> 
> 
> 
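
The offset arithmetic discussed in this thread, as an added example (not Snort's code and not written by any of the posters): it parses a constructed IPv4 fragment carrying 8 option bytes and compares the IHL-only data offset with the double-counted one. The function names and the sample packet are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed sample: IPv4 header with IHL=7 (20 fixed bytes + 8 option
 * bytes, all NOPs), MF set, followed by 16 bytes of fragment data. */
static const uint8_t sample_pkt[] = {
    0x47, 0x00, 0x00, 0x2c, 0x12, 0x34, 0x20, 0x00, /* ver/IHL, tos, len=44, id, MF */
    0x40, 0x11, 0x00, 0x00, 0x0a, 0x00, 0x00, 0x01, /* ttl, proto, csum (unset), src */
    0x0a, 0x00, 0x00, 0x02,                         /* dst */
    0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, /* 8 option bytes */
    'A','B','C','D','E','F','G','H','I','J','K','L','M','N','O','P'
};

/* Header length in bytes from the IHL field; options are already included. */
static size_t ip_hdr_bytes(const uint8_t *pkt) {
    return (size_t)(pkt[0] & 0x0f) * 4;
}

/* Offset as the quoted expression computes it: IHL*4 plus the options again. */
static size_t frag_offset_double_counted(const uint8_t *pkt) {
    size_t hlen = ip_hdr_bytes(pkt);
    size_t opt_len = hlen > 20 ? hlen - 20 : 0; /* stands in for p->ip_options_len */
    return hlen + opt_len;
}

/* Validated offset of the fragment data, or -1 if the header is malformed. */
static long frag_data_offset(const uint8_t *pkt, size_t caplen) {
    if (caplen < 20 || (pkt[0] >> 4) != 4)
        return -1;
    size_t hlen = ip_hdr_bytes(pkt);
    size_t tot = ((size_t)pkt[2] << 8) | pkt[3];
    if (hlen < 20 || hlen > tot || tot > caplen)
        return -1;
    return (long)hlen;
}

int main(void) {
    long good = frag_data_offset(sample_pkt, sizeof sample_pkt);
    size_t bad = frag_offset_double_counted(sample_pkt);
    printf("IHL-only offset:       %ld -> '%c'\n", good, sample_pkt[good]);
    printf("double-counted offset: %zu -> '%c' (%zu data bytes skipped)\n",
           bad, sample_pkt[bad], bad - (size_t)good);
    return 0;
}
```

With 8 option bytes the double-counted pointer lands 8 bytes into the fragment data, so a sensor using it would inspect a different byte range than the receiving host reassembles.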
