[Snort-users] Sniffers Misbehaviors (MS Network Monitor & tcpdump)?

Fyodor fygrave at ...121...
Tue Jan 2 12:53:55 EST 2001


On Tue, Jan 02, 2001 at 06:25:25PM -0800, Ofir Arkin wrote:
> When I published my article about "Identifying ICMP Hackery Tools", a
> gentleman named Johan Augustsson sent me an email about SuperScan 3.0, a
> tool by Foundstone.
> 
> Ok, I sat down to examine it, and I was amazed to see the following results
> with the different sniffers I was using. I was using Network Monitor by
> Microsoft on my Windows 2000 Server machine, tcpdump on my Debian box, and
> Snort v1.7 beta 8. Look at the following:
> 
> This is the tcpdump trace:
> god:~# /usr/sbin/tcpdump -xnvv icmp
> tcpdump: listening on eth0
> 15:20:14.933525 192.168.1.5 > 192.168.1.15: icmp: echo request (ttl 128, id
> 6547)
>                          4500 0024 1993 0000 8001 9de1 c0a8 0105
>                          c0a8 010f 0800 d7fd 0200 1e02 0000 0000
>                          0000 0000 0000 0000 0000 0000 0000
> 15:20:14.933596 192.168.1.15 > 192.168.1.5: icmp: echo reply (ttl 255, id
> 4115)
>                          4500 0024 1013 0000 ff01 2861 c0a8 010f
>                          c0a8 0105 0000 dffd 0200 1e02 0000 0000
>                          0000 0000
> 
> 
> This is the Network Monitor results:
> ICMP Echo Request:
> 00000000  00 60 08 4C 9B 68 00 50 DA 4F DB 1A 08 00 45 00 .`.L.h.P.O....E.
> 00000010  00 24 19 93 00 00 80 01 9D E1 C0 A8 01 05 C0 A8 .$..............
> 00000020  01 0F 08 00 D7 FD 02 00 1E 02 00 00 00 00 00 00 ................
> 00000030  00 00                                           ..
> 

This packet is the same as the one dumped by snort; the difference is that this one includes
the ethernet header as well. Now, going to the difference in the dumps, I think the thing is that
probably the actual amount of bytes which is sent on the wire is different from the one
which is specified in the IP header. When snort prints data, it uses the ip_len header field to count the datalen
to be printed:

void DecodeIP(u_int8_t * pkt, const u_int32_t len, Packet * p)
{
    ...
    /* set the IP datagram length (taken from the header, not from len/caplen) */
    ip_len = ntohs(p->iph->ip_len);

    if (ip_len < hlen) {
        errie...
    }
    ...
    ip_len -= hlen;   /* datalen handed to the next decoder */
    ...
    Decode{TCP/UDP/ICMP}(...,ip_len,..);
}

So probably does your Network Monitor. Tcpdump just dumps the whole 'caplen' data (the
same thing you will get with snort if you use the -v switch).

Basically speaking, it poses us a threat that someone could cause snort to
coredump by specifying a huge ip_len field and sending a packet with small data on the
wire. I just committed a fix for this problem.


Let me know if the version from cvs (or after the midnight update,
http://snort.sourceforge.net/snort-daily.tar.gz ) will still not be able to
'detect' this type of 'abuse' when used with the -v switch.


-- 
http://www.notlsd.net
PGP fingerprint = 56DD 1511 DDDA 56D7 99C7  B288 5CE5 A713 0969 A4D1
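As an added example (not Snort's code and not the fix Fyodor committed; the caplen bound is my assumption of a sufficient check), here is the datalen computation from the quoted DecodeIP excerpt beside a version that also bounds it by the captured length, run over the echo request from the tcpdump trace and a constructed copy of it whose ip_len field claims 65535 bytes:

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* ICMP echo request from the tcpdump trace, IP header onwards (36 bytes). */
static const uint8_t echo_request[] = {
    0x45,0x00,0x00,0x24,0x19,0x93,0x00,0x00,0x80,0x01,0x9d,0xe1,0xc0,0xa8,0x01,0x05,
    0xc0,0xa8,0x01,0x0f,0x08,0x00,0xd7,0xfd,0x02,0x00,0x1e,0x02,0x00,0x00,0x00,0x00,
    0x00,0x00,0x00,0x00 };
#define ECHO_REQUEST_LEN ((uint32_t)sizeof echo_request)
/* Constructed variant: identical bytes on the wire, but ip_len claims 0xffff. */
static uint8_t bogus_ip_len_pkt[sizeof echo_request];

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* datalen the way the quoted DecodeIP computes it: from the header alone. */
int decode_ip_trusting(const uint8_t *pkt, uint32_t caplen)
{
    if (caplen < 20) return -1;
    uint32_t hlen = (pkt[0] & 0x0f) * 4;
    uint32_t ip_len = rd16(pkt + 2);
    if (ip_len < hlen) return -1;    /* the only length check in the excerpt */
    return (int)(ip_len - hlen);     /* can exceed the bytes actually captured */
}

/* Hardened: never hand the next decoder more bytes than were captured (assumed fix). */
int decode_ip_checked(const uint8_t *pkt, uint32_t caplen)
{
    if (caplen < 20) return -1;
    uint32_t hlen = (pkt[0] & 0x0f) * 4;
    uint32_t ip_len = rd16(pkt + 2);
    if (hlen < 20 || hlen > caplen || ip_len < hlen) return -1;
    if (ip_len > caplen) return -1;  /* header claims more than is on the wire */
    return (int)(ip_len - hlen);
}

void build_bogus(void)
{
    memcpy(bogus_ip_len_pkt, echo_request, sizeof echo_request);
    bogus_ip_len_pkt[2] = 0xff; bogus_ip_len_pkt[3] = 0xff;
}

int main(void)
{
    build_bogus();
    printf("real : trusting=%d checked=%d\n", decode_ip_trusting(echo_request, ECHO_REQUEST_LEN),
           decode_ip_checked(echo_request, ECHO_REQUEST_LEN));
    printf("bogus: trusting=%d checked=%d\n", decode_ip_trusting(bogus_ip_len_pkt, ECHO_REQUEST_LEN),
           decode_ip_checked(bogus_ip_len_pkt, ECHO_REQUEST_LEN));
    return 0;
}
```

The trusting decoder reports 65515 bytes of ICMP data for a 36-byte capture, which is exactly the read past the buffer that tcpdump's caplen-based dump avoids.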
