No subject


Thu Nov 23 16:31:58 EST 2017


# ping -s 65507 [host]

The snort process immediately dies.  The actual threshold 
seems to be 65279 (65307) bytes.

One would not usually issue such a command directly 
from a sensor.  If the echo reply is indeed killing the 
process, then theoretically you could crash a sensor with 
artificially created ICMP type 0 packets > 65307 bytes, 
assuming it is not operating in stealth mode.

System Architecture: x86

Operating System and version: Linux 2.2.16

rules:
include exploit.rules
include scan.rules
include ftp.rules
include telnet.rules
include smtp.rules
include rpc.rules
include rservices.rules
include backdoor.rules
include dos.rules
include ddos.rules
include dns.rules
include netbios.rules
include web-iis.rules
include web-misc.rules
include sql.rules
include icmp.rules
include shellcode.rules
include misc.rules
include policy.rules

command line switches:
-c /etc/snort/snort.conf -i eth2 -D

gdb:
#0  0x100fffe in ?? () at eval.c:41
#1  0x804cb0f in ProcessPacket (user=0x0, pkthdr=0x8146608, pkt=0x8146708 "") at snort.c:534
#2  0x8079ab0 in RebuildFrag (ft=0x84c8b20, p=0xbffff440) at spp_frag2.c:752
#3  0x80795ae in Frag2Defrag (p=0xbffff440) at spp_frag2.c:472
#4  0x8057a46 in Preprocess (p=0xbffff440) at rules.c:3426
#5  0x804cb0f in ProcessPacket (user=0x0, pkthdr=0xbffff900, pkt=0x81448b8 "") at snort.c:534
#6  0x40031b23 in pcap_read_packet (handle=0x8144728, callback=0x804c9e8 <ProcessPacket>, userdata=0x0)
    at ./pcap-linux.c:445
#7  0x40032b3f in pcap_loop (p=0x8144728, cnt=-1, callback=0x804c9e8 <ProcessPacket>, user=0x0)
    at ./pcap.c:79
#8  0x804dfa3 in InterfaceThread (arg=0x0) at snort.c:1561
#9  0x804c9db in main (argc=5, argv=0xbffffab4) at snort.c:467
#10 0x4012a5d7 in __libc_start_main () at eval.c:41


----------------------------------------------------------------------

>Comment By: Martin Roesch (roesch)
Date: 2001-12-14 08:30

Message:
Logged In: YES 
user_id=18573

Fixed in 1.8.3

----------------------------------------------------------------------

You can respond by visiting: 
http://sourceforge.net/tracker/?func=detail&atid=103357&aid=482609&group_id=3357
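
Added example, not part of the original report and not Snort code: a triage sketch that computes the reassembled size of fragmented IPv4 datagrams from raw packet bytes and flags ICMP type 0 datagrams above the 65307-byte figure given in the report. It assumes 65307 means total IP datagram length; the function names, the 192.0.2.x addresses and the sample fragments are constructed for illustration.

```python
import struct
from collections import defaultdict

LIMIT = 65307  # figure from the report, read here as total IP datagram length (assumption)

def ipv4_fragment(ident, offset, payload, more, proto=1,
                  src=b"\xc0\x00\x02\x01", dst=b"\xc0\x00\x02\x02"):
    """Build a constructed IPv4 packet (checksum left 0); offset is in bytes."""
    flags_off = (0x2000 if more else 0) | (offset // 8)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident,
                      flags_off, 64, proto, 0, src, dst)
    return hdr + payload

def fragment_icmp(ident, icmp_type, icmp_len, chunk=1480):
    """Split a constructed ICMP message of icmp_len bytes into fragments."""
    msg = bytes([icmp_type]) + bytes(icmp_len - 1)
    return [ipv4_fragment(ident, o, msg[o:o + chunk], o + chunk < icmp_len)
            for o in range(0, icmp_len, chunk)]

def reassembled_sizes(packets):
    """Map (src, dst, id, proto) -> (total datagram length, ICMP type or None)."""
    ends, types, hlen, done = defaultdict(int), {}, {}, set()
    for pkt in packets:
        vihl, _, tot, ident, fo, _, proto, _, src, dst = struct.unpack(
            "!BBHHHBBH4s4s", pkt[:20])
        ihl = (vihl & 0x0F) * 4
        offset, more = (fo & 0x1FFF) * 8, bool(fo & 0x2000)
        key = (src, dst, ident, proto)
        ends[key] = max(ends[key], offset + tot - ihl)  # furthest byte seen
        if offset == 0:
            hlen[key] = ihl
            if proto == 1 and tot > ihl:
                types[key] = pkt[ihl]  # ICMP type lives in the first fragment
        if not more:
            done.add(key)  # only datagrams whose last fragment was seen
    return {k: (hlen.get(k, 20) + ends[k], types.get(k)) for k in done}

def oversized_echo_replies(packets, limit=LIMIT):
    """Return keys of ICMP type 0 datagrams whose reassembled size exceeds limit."""
    return sorted(k for k, (size, t) in reassembled_sizes(packets).items()
                  if k[3] == 1 and t == 0 and size > limit)

if __name__ == "__main__":
    # Constructed input: one reply sized like `ping -s 65507`, one ordinary reply.
    sample = fragment_icmp(1, 0, 65507 + 8) + fragment_icmp(2, 0, 64 + 8)
    for src, dst, ident, _ in oversized_echo_replies(sample):
        print("oversized echo reply, IP id", ident)
```

Datagrams whose final fragment never arrives are left out of the result, so a capture cut off mid-datagram is not reported.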



