[Snort-devel] Where does snort get the gateway IP for ICMP redirect?

Bruno G. San Alejo bgonzalez at ...3012...
Fri Feb 27 07:51:37 EST 2009

Hello, I'm going through the "decode.c" file to find out why ICMP
redirect messages have weird gateway IPs and have found:

        case ICMP_REDIRECT:
        case ICMP_SOURCE_QUENCH:
        case ICMP_TIME_EXCEEDED:
            /* account for extra 4 bytes in header */
            p->dsize -= 4;
            p->data += 4;

            DecodeICMPEmbeddedIP(p->data, p->dsize, p);

Lines 3451 through 3459 in the DecodeICMP() function.

The p->data += 4; should be where the gateway's IP in redirect packets
is. But it looks like it just jumps over the 4 bytes. Am I wrong?
Is the gateway's IP extracted in some other place?

I'm checking this out because I came across these packets that
showed one gateway's IP in BASE and another, different one when the same
packet was saved as pcap and shown through Wireshark. I think BASE gets
the wrong part of the packet to extract the IP because you can see it
goes past the bytes that make up the address, but the problem is that it
is SNORT who logs into the DB the payload for the packet from which BASE
then extracts the gateway's IP. I know that ICMP redirects have the IP
packet that made the problem go off as the payload, but in terms of what
BASE gets, the IP is in the DB as a payload.
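The byte layout the question turns on, worked through as an added example (this is
not Snort's decode.c and not BASE code): an ICMPv4 Redirect (RFC 792) carries the
4-byte gateway address right after the 4-byte type/code/checksum header, and the
quoted IP header starts only after that, which is the "extra 4 bytes" the decoder
skips before decoding the embedded IP. The parser below reads the gateway from
offset 4 and validates the embedded IPv4 header; the sample packet, its checksums
and the helper names (parse_icmp_redirect, sample_gateway,
misread_gateway_from_payload) are constructed for this illustration. The last
helper shows what a consumer gets if it reads "the gateway" from the start of the
logged payload instead: the version/IHL, TOS and total-length bytes of the inner
header, not an address.

```c
/* Added example, not Snort code: parse an ICMPv4 Redirect (RFC 792).
 *   0: type (5)   1: code   2-3: checksum   4-7: gateway address
 *   8..: original IP header + first 8 bytes of the original datagram */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define ICMP_REDIRECT    5
#define ICMP_HDR_LEN     4   /* type, code, checksum */
#define REDIRECT_GW_LEN  4   /* the "extra 4 bytes" a decoder skips */
#define IPV4_MIN_HDR    20

struct redirect_view {
    uint8_t  code;
    uint32_t gateway;      /* host byte order */
    uint32_t inner_src;    /* from the embedded IPv4 header, host order */
    uint32_t inner_dst;
    size_t   inner_hdr_len;
};

static uint32_t be32(const uint8_t *p)
{
    return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3];
}

/* RFC 1071 ones-complement checksum; 0 when the checksum field is correct. */
uint16_t icmp_checksum(const uint8_t *buf, size_t len)
{
    uint32_t sum = 0;
    size_t i;
    for (i = 0; i + 1 < len; i += 2)
        sum += (uint32_t)buf[i] << 8 | buf[i + 1];
    if (i < len)                         /* odd trailing byte */
        sum += (uint32_t)buf[i] << 8;
    while (sum >> 16)
        sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

/* Returns 0 on success, -1 if buf is not a well-formed Redirect. */
int parse_icmp_redirect(const uint8_t *buf, size_t len, struct redirect_view *out)
{
    const uint8_t *inner;
    size_t inner_len, ihl;

    if (len < ICMP_HDR_LEN + REDIRECT_GW_LEN + IPV4_MIN_HDR || buf[0] != ICMP_REDIRECT)
        return -1;
    if (icmp_checksum(buf, len) != 0)
        return -1;
    out->code = buf[1];
    /* Gateway sits right after the fixed header; read it before the
     * payload pointer is advanced past it for embedded-IP decoding. */
    out->gateway = be32(buf + ICMP_HDR_LEN);

    inner = buf + ICMP_HDR_LEN + REDIRECT_GW_LEN;
    inner_len = len - ICMP_HDR_LEN - REDIRECT_GW_LEN;
    if ((inner[0] >> 4) != 4)
        return -1;
    ihl = (size_t)(inner[0] & 0x0f) * 4;
    if (ihl < IPV4_MIN_HDR || ihl > inner_len)
        return -1;
    out->inner_hdr_len = ihl;
    out->inner_src = be32(inner + 12);
    out->inner_dst = be32(inner + 16);
    return 0;
}

/* Constructed sample: redirect-for-host to gateway 10.0.0.254, quoting an
 * echo request 10.0.0.5 -> 192.168.1.1. Checksums computed by hand. */
static const uint8_t sample_redirect[] = {
    0x05, 0x01, 0xf0, 0x00,                            /* type 5, code 1, csum */
    0x0a, 0x00, 0x00, 0xfe,                            /* gateway 10.0.0.254 */
    0x45, 0x00, 0x00, 0x3c, 0x1a, 0x2b, 0x00, 0x00,    /* embedded IPv4 header */
    0x40, 0x01, 0x94, 0xe8, 0x0a, 0x00, 0x00, 0x05,
    0xc0, 0xa8, 0x01, 0x01,
    0x08, 0x00, 0xf7, 0xfd, 0x00, 0x01, 0x00, 0x01     /* first 8 bytes of datagram */
};

uint32_t sample_gateway(void)
{
    struct redirect_view v;
    return parse_icmp_redirect(sample_redirect, sizeof sample_redirect, &v) == 0 ? v.gateway : 0;
}

uint32_t sample_inner_dst(void)
{
    struct redirect_view v;
    return parse_icmp_redirect(sample_redirect, sizeof sample_redirect, &v) == 0 ? v.inner_dst : 0;
}

/* -1 expected: a buffer cut off inside the embedded header is rejected. */
int sample_truncated_result(void)
{
    struct redirect_view v;
    return parse_icmp_redirect(sample_redirect, 20, &v);
}

/* What you see if "the gateway" is read from the logged payload (offset 8)
 * instead of offset 4: version/IHL, TOS and total length of the inner header. */
uint32_t misread_gateway_from_payload(void)
{
    return be32(sample_redirect + ICMP_HDR_LEN + REDIRECT_GW_LEN);
}

int main(void)
{
    unsigned g = sample_gateway();
    printf("gateway %u.%u.%u.%u, inner dst %08x, misread %08x\n",
           g >> 24, (g >> 16) & 255, (g >> 8) & 255, g & 255,
           (unsigned)sample_inner_dst(), (unsigned)misread_gateway_from_payload());
    return 0;
}
```

Run as-is it prints gateway 10.0.0.254 and inner destination c0a80101; the
misread value 4500003c is the first word of the embedded IP header, which is the
kind of non-address that appears when an address is taken from the payload that
begins after the gateway field.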


