[Snort-devel] ICMP id/seq bug in spo_database/ICMPHdr

Jon Hart jhart at ...1775...
Mon Feb 5 00:44:36 EST 2007


I've been working on some additions to BASE, and came across a potential
bug that I've tracked back to snort.

When reading entries from a snort database and you encounter an ICMP
packet, the ICMP id and sequence number are always set to 0, regardless
of whether or not the original packet actually had an ICMP id or
sequence number.

According to the RFC, only ICMP echo, information request and timestamp
request/reply will ever have an ICMP id or sequence number.  I believe
0 is a valid ID or sequence number, so putting a 0 for the ICMP packet
even if it didn't have one in the first place is wrong, IMO.  

The database schemas look to allow this field to be NULL, so it would
probably be best to only insert an ICMP id or sequence number if the
original ICMP packet actually had them.
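
The behaviour proposed above, as an added example that is not part of the original post and is not Snort's spo_database code: it keeps "absent" distinct from "zero" and emits NULL for ICMP types without id/seq. The struct, function names and the value order (type, code, csum, id, seq) are assumptions made for illustration; the sample packet is constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
struct icmp_fields {
    uint8_t  type, code;
    uint16_t csum, id, seq;
    int      has_id_seq;  /* 0: id/seq absent, store NULL rather than 0 */
};

/* Types the post lists: echo (0/8), timestamp (13/14), information (15/16). */
static int icmp_has_id_seq(uint8_t type)
{
    return type == 0 || type == 8 || (type >= 13 && type <= 16);
}

/* Parse the fixed 8-byte ICMP header; returns -1 if truncated. */
static int parse_icmp(const uint8_t *p, size_t len, struct icmp_fields *f)
{
    if (len < 8) return -1;
    memset(f, 0, sizeof *f);
    f->type = p[0]; f->code = p[1];
    f->csum = (uint16_t)((p[2] << 8) | p[3]);
    f->has_id_seq = icmp_has_id_seq(f->type);
    if (f->has_id_seq) {
        /* Bytes 4..7 are id/seq only for these types; elsewhere they mean other things. */
        f->id  = (uint16_t)((p[4] << 8) | p[5]);
        f->seq = (uint16_t)((p[6] << 8) | p[7]);
    }
    return 0;
}

/* Render type, code, csum, id, seq as SQL values; NULL when id/seq are absent. */
static int format_icmp_values(const struct icmp_fields *f, char *buf, size_t n)
{
    unsigned t = f->type, c = f->code, s = f->csum, i = f->id, q = f->seq;
    if (!f->has_id_seq)
        return snprintf(buf, n, "%u, %u, %u, NULL, NULL", t, c, s);
    return snprintf(buf, n, "%u, %u, %u, %u, %u", t, c, s, i, q);
}

int main(void)
{
    /* Constructed sample: destination unreachable (type 3, code 1). */
    const uint8_t unreach[8] = { 3, 1, 0xfc, 0xfe, 0, 0, 0, 0 };
    struct icmp_fields f;
    char buf[64];
    if (parse_icmp(unreach, sizeof unreach, &f) == 0 &&
        format_icmp_values(&f, buf, sizeof buf) > 0)
        puts(buf);
    return 0;
}
```

A reader of the table can then tell an echo request with id 0 and sequence 0 apart from a destination unreachable message, which has neither field.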

