[Snort-users] Weird fragmentation plugin error

Martin Roesch roesch at ...421...
Thu Apr 19 00:30:03 EDT 2001


Wozz wrote:
> 
> On Thu, Apr 19, 2001 at 01:32:14AM +0700, Fyodor wrote:
> > On Wed, Apr 18, 2001 at 12:06:29AM -0500, H D Moore wrote:
> > > -----BEGIN PGP SIGNED MESSAGE-----
> > > Hash: SHA1
> > >
> > > I bitched about it and was told to run the CVS copy or disable the stream
> > > preprocessor.  I am running 1.8build11 now and it hasn't crashed on me yet,
> > > although the table updates were a PITA.
> > >
> >
> > Well, due to obvious reasons (lack of resources) we cannot issue a patch for
> > every version of snort. We fix bugs in CVS and that's the way development goes :)
> >
> > Even OpenBSD (with a larger team) didn't issue any fixes for past releases until
> > 2.7 or something :)
> >
> 
> Yes, but I'm running the latest stable version of snort.  I would assume a
> showstopper like this would get a patch.  But, if not, I'll just have to disable
> the frag processor.  Dragon's getting installed next week anyhow ;)

Ouch. :)  Here's a quick fix (these messages shouldn't be logged as
alerts anyway, they should be log messages).  I hope you aren't
replacing Snort 100% with Dragon, we've got some fun stuff coming up...
:)

    -Marty

--- spp_defragorig.c    Thu Apr 19 00:25:48 2001
+++ spp_defrag.c        Thu Apr 19 00:29:25 2001
@@ -705,7 +705,8 @@
             printf("Overflow attack in rebuild!\n");
 #endif                        
             /*(*AlertFunc)(p, "Fragmentation Overflow Attack");*/
-            CallAlertFuncs(p, "Fragmentation Overflow Attack", NULL);
+            LogMessage("Possible Fragmentation Overflow Attack");
+            
         }
 
         /* clear the fragment store of the frag that was just put into
the
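Review bot: The added LogMessage() call in the overflow branch no longer receives the packet pointer p that CallAlertFuncs() was given, so the resulting log line cannot be tied to a source or destination. Consider formatting the addresses from p into the message so a "Possible Fragmentation Overflow Attack" entry can still be triaged. The second added line is whitespace only and can be dropped, and the commented-out (*AlertFunc) call above it is now two generations stale and could be removed in the same change.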
@@ -764,7 +765,7 @@
         else
         {
             /*(*AlertFunc)(p, "Mostly Empty Fragmented Packet
Discarded!");*/
-            CallAlertFuncs(p, "Incomplete Packet Fragments Discarded",
NULL);
+            LogMessage("Incomplete Packet Fragments Discarded");
         }
     }
     else
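Review bot: In the else branch, the switch from CallAlertFuncs() to LogMessage() has no comment explaining why this condition is informational rather than an alert; a one-line comment would keep a later change from moving it back. As in the first hunk, p is no longer passed, so "Incomplete Packet Fragments Discarded" is logged without any packet identification. The commented-out (*AlertFunc) line also carries a different message text ("Mostly Empty Fragmented Packet Discarded!") and is better deleted than left to drift.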



