[Snort-users] defrag preprocessor oddity on HP-UX

Martin Roesch roesch at ...421...
Fri Oct 6 12:40:30 EDT 2000


Looks like ntohl() isn't being called someplace it should be....

     -Marty

Dragos Ruiu wrote:
> 
> On Thu, 05 Oct 2000, Ralf Hildebrandt wrote:
> >
> > I just recently installed snort-1.6.3 beta 2 -- and AT LAST the defrag
> > preprocessor seems to work (e.g. snort doesn't crash after 5 minutes)
> >
> > Nevertheless I noticed some oddities: I use snort to monitor a small subset
> > of the 134.169/16 subnet; the preprocessor reports:
> >
> > Oct  5 14:19:58 stahlw06 snort[2271]: Mostly Empty Fragmented Packet
> > Discarded!: 217.143.134.169 -> 79.157.134.169
> > Oct  5 14:24:54 stahlw06 snort[2271]: Mostly Empty Fragmented Packet
> > Discarded!: 163.53.134.169 -> 41.195.134.169
> >
> > These Addresses make no sense -- but if you swap bytes 1&2 with 3&4, the
> > addresses might just be ok?!
> > 79.157.134.169 becomes 134.169.79.157
> >
> 
> That alert is from the jolt2 protection code....
> 
> If the packet is huge and most of the fragments for it
> are missing when the tail segment is received (such as
> in a jolt2 attack) it discards it and should give that
> message. (Not that a bug could be out of the question. :-)
> 
> Monstergrams in the presence of heavy packet loss
> could false this... but it seems _very_ unlikely to occur
> naturally to me...
> 
> cheers,
> --dr
> 
> --
> Dragos Ruiu <dr at ...50...>   dursec.com ltd. / kyx.net - we're from the future
> gpg/pgp key on file at wwwkeys.pgp.net

-- 
Martin Roesch
roesch at ...421...
http://www.snort.org
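As an added illustration (not code from the thread or from snort), a small C program showing what Marty's and Ralf's observations amount to: a network-order IPv4 word must be read byte-wise or converted with ntohl() before it is printed, and the "swap bytes 1&2 with 3&4" transformation Ralf applied to the logged address 79.157.134.169 is an exchange of the two 16-bit halves of that word. The only inputs are the addresses quoted in the thread.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <arpa/inet.h>

/* Render a network-order IPv4 word as a dotted quad by reading its bytes in
 * memory order. Correct on any host: the first byte in memory is the first
 * octet regardless of host endianness. */
void ip_to_dotted(uint32_t net_addr, char *out, size_t len)
{
    const unsigned char *b = (const unsigned char *)&net_addr;
    snprintf(out, len, "%u.%u.%u.%u", b[0], b[1], b[2], b[3]);
}

/* Render by shifting a host-order word. Correct only if the caller converted
 * with ntohl() first; passing the raw network-order word is the bug Marty
 * suspects, and on a little-endian host the octets come out reversed. */
void host_word_to_dotted(uint32_t host_addr, char *out, size_t len)
{
    snprintf(out, len, "%u.%u.%u.%u",
             (unsigned)((host_addr >> 24) & 0xff), (unsigned)((host_addr >> 16) & 0xff),
             (unsigned)((host_addr >> 8) & 0xff), (unsigned)(host_addr & 0xff));
}

/* Exchange the two 16-bit halves of the word ("swap bytes 1&2 with 3&4").
 * It moves the same bytes in memory on big- and little-endian hosts. */
uint32_t swap_halves(uint32_t v)
{
    return (v << 16) | (v >> 16);
}

/* Parse a dotted quad into a network-order word. Returns 0 on success. */
int dotted_to_ip(const char *s, uint32_t *net_addr)
{
    struct in_addr a;
    if (inet_pton(AF_INET, s, &a) != 1)
        return -1;
    *net_addr = a.s_addr;
    return 0;
}

int main(void)
{
    uint32_t logged;
    char buf[INET_ADDRSTRLEN];
    dotted_to_ip("79.157.134.169", &logged);            /* address as snort logged it */
    ip_to_dotted(swap_halves(logged), buf, sizeof buf);
    printf("halves swapped:  %s\n", buf);               /* 134.169.79.157, Ralf's reading */
    host_word_to_dotted(ntohl(logged), buf, sizeof buf);
    printf("with ntohl():    %s\n", buf);               /* 79.157.134.169 on any host */
    host_word_to_dotted(logged, buf, sizeof buf);
    printf("without ntohl(): %s\n", buf);               /* reversed on little-endian hosts */
    return 0;
}
```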


