[Snort-users] large UDP packets - very strange content

Fyodor fygrave at ...121...
Thu Oct 5 07:33:36 EDT 2000


~ :Yesterday, these entries were generated by my snort machine. Strange
~ :thing about this is that they seem to be DNS replies, but contain some
~ :very weird data (some of it is html). I initially thought this might be
~ :some very advanced attack, but now I rather suspect it might be a snort
~ :bug.
~ :
~ :If you look at the length of the payload, it logs "Len: 56", but the
~ :logged data is much longer than that. Could it be that snort might be
~ :dumping data from previous packets here?
~ :

well, if it is a snort bug, it's probably coming from libpcap then. Look
at my comments below:


~ :
~ :[**] IDS247 - MISC - Large UDP Packet [**]
~ :10/04-21:37:31.645971 0:B0:64:12:8F:60 -> 8:0:20:A0:11:63 type:0x800
~ :len:0x5CA

Corresponding line to this piece is (log.c):
   fprintf(fp, "type:0x%X len:0x%X\n", ntohs(p->eh->ether_type), p->pkth->len);


so the length 0x5CA is something that we got from libpcap which states the
length of the received datagram. This field is set by libpcap and is not
altered in snort code. Could you actually add `caplen' here and see if
it would be the same..


~ :199.120.157.10:53 -> x.x.x.10:1037 UDP TTL:21 TOS:0x0 ID:52728 
~ :Len: 56

This `len' is taken from the `length' field of the UDP datagram. Is it possible
that you store the data in tcpdump format for further analysis? Also your
platform/OS and libpcap version would be helpful.
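As an added illustration (not snort code and not from the capture in this thread), the C routine below does the cross-check the reply asks for: it parses an Ethernet/IPv4/UDP frame, compares the UDP `length' field with what libpcap actually delivered (caplen), and reports how many payload bytes a logger may dump without running past the datagram. The sample frame is constructed to mirror the quoted alert (UDP Len 56, capture length 0x5CA) and is not real traffic.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Cross-check of the UDP length field against what libpcap handed over (caplen). */
struct udp_len_check {
    uint16_t udp_len;       /* UDP header length field (header + payload) */
    size_t   payload_avail; /* payload bytes physically present after the headers */
    size_t   payload_safe;  /* bytes a logger may dump without leaving the datagram */
    size_t   trailing;      /* captured bytes beyond what the UDP length describes */
    int      truncated;     /* 1 if the UDP length claims more than was captured */
};

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Parse Ethernet/IPv4/UDP headers from a captured frame and fill the cross-check.
   Returns 0 on success, -1 if the frame is too short or not IPv4/UDP. */
int check_udp_lengths(const uint8_t *frame, uint32_t caplen, struct udp_len_check *out)
{
    if (caplen < 14 + 20 + 8 || be16(frame + 12) != 0x0800) return -1;
    size_t ihl = (size_t)(frame[14] & 0x0f) * 4;                 /* IPv4 header length */
    if (ihl < 20 || caplen < 14 + ihl + 8 || frame[14 + 9] != 17) return -1;
    const uint8_t *udp = frame + 14 + ihl;
    memset(out, 0, sizeof *out);
    out->udp_len = be16(udp + 4);
    out->payload_avail = caplen - (14 + ihl + 8);
    size_t claimed = out->udp_len >= 8 ? out->udp_len - 8u : 0;  /* payload per UDP header */
    out->payload_safe = claimed < out->payload_avail ? claimed : out->payload_avail;
    out->trailing = out->payload_avail > claimed ? out->payload_avail - claimed : 0;
    out->truncated = claimed > out->payload_avail;
    return 0;
}

/* Constructed sample (not the thread's capture): a reply from port 53 whose UDP
   length field says 56, with junk bytes following it up to 0x5CA captured bytes. */
#define SAMPLE_LEN 0x5CA
size_t build_sample_frame(uint8_t *buf, size_t cap)
{
    if (cap < SAMPLE_LEN) return 0;
    memset(buf, 'x', SAMPLE_LEN);        /* filler standing in for the stray "html" */
    memset(buf, 0, 14 + 20 + 8);         /* zeroed Ethernet/IP/UDP headers */
    buf[12] = 0x08; buf[13] = 0x00;      /* EtherType IPv4 */
    buf[14] = 0x45;                      /* IPv4, IHL 5 (20 bytes) */
    buf[16] = 0x00; buf[17] = 20 + 56;   /* IP total length 76 */
    buf[14 + 9] = 17;                    /* protocol UDP */
    buf[34] = 0x00; buf[35] = 53;        /* source port 53 */
    buf[38] = 0x00; buf[39] = 56;        /* UDP length 56 -> 48 payload bytes */
    return SAMPLE_LEN;
}
```

If `trailing' is large, the extra bytes were never part of the datagram the UDP header describes, so a logger that prints them is dumping buffer contents beyond the packet; if `truncated' is set, the capture snaplen cut the datagram short instead.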