[Snort-users] Sniffers Misbehaviors (MS Network Monitor & tcpdump)?

Max Vision vision at ...4...
Tue Jan 2 13:56:24 EST 2001


On Wed, 3 Jan 2001, Fyodor wrote:
> So probably does your Network Monitor. Tcpdump just dumps whole 'caplen' data. (the
> same thing you will get with snort if you use the -v switch).
>
> Basically speaking it poses us a threat that someone could cause snort to
> coredump if they specify a huge ip_len field and send a packet with small data on the
> wire. I just committed a fix for this problem.
>
> Let me know if the version from cvs (or after midnight update
> http://snort.sourceforge.net/snort-daily.tar.gz ) will still not be able to
> 'detect' this type of 'abuse' when used with -v switch.
>

I don't understand; it appears that this functionality has been present at
least since 1.6.3. When I send a bogus packet like you describe, I see
the following:

01/02-10:52:29.587677 1.1.1.1 -> 2.2.2.2
ICMP TTL:64 TOS:0x0 ID:23
ID:5888   Seq:0  ECHO REPLY
Got bogus buffer length (63992) for PrintNetData, defaulting to 16 bytes!
00 00 00 00 80 18 7D 78 75 61 00 00 01 01 08 0A  ......}xua......
09 B0 57 87 00 01 89 C8 ED C5 E7 28 84 57 AA 9B  ..W........(.W..
F0 @q'Y'.

The icmp packet in question had a null payload. The same packet was
reported by tcpdump as:

10:54:06.980028 truncated-ip - 63988 bytes missing!1.1.1.1 > 2.2.2.2:
icmp: echo reply

Max
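The check the thread is circling around is the comparison between the IP total length field and the number of bytes the sniffer actually captured (caplen): a decoder that trusts ip_len and reads that many bytes walks off the end of the capture buffer, which is the coredump Fyodor describes, and the "bogus buffer length" / "truncated-ip - N bytes missing!" messages are what snort and tcpdump print when they notice the mismatch. The following is an added example, not code from snort or from either poster; it parses a raw IPv4 header, clamps the payload length to what the capture holds, and reports how many bytes the header claims that are not on the wire. The sample packet is constructed here (IPv4, no link-layer header, total length 64000, an 8-byte ICMP echo reply with no payload); the function names and the `ip_check_t` struct are this example's own.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Result of validating an IPv4 packet against the bytes actually captured. */
typedef struct {
    int ok;              /* 1 if the IP header itself is parseable */
    int truncated;       /* 1 if ip_len claims more bytes than caplen holds */
    size_t ip_len;       /* total length claimed by the IP header */
    size_t hdr_len;      /* IHL * 4 */
    size_t payload_len;  /* payload bytes safe to read: never past caplen */
    size_t missing;      /* bytes claimed by ip_len that are not on the wire */
} ip_check_t;

/* Parse the IPv4 header in buf (caplen bytes captured) and bound every
   length the decoder will later use by caplen, not by the header's claim. */
ip_check_t check_ipv4(const uint8_t *buf, size_t caplen) {
    ip_check_t r;
    memset(&r, 0, sizeof r);
    if (caplen < 20) return r;                  /* not even a minimal header */
    if ((buf[0] >> 4) != 4) return r;           /* not IPv4 */
    r.hdr_len = (size_t)(buf[0] & 0x0f) * 4;
    if (r.hdr_len < 20 || r.hdr_len > caplen) return r;
    r.ip_len = ((size_t)buf[2] << 8) | buf[3];
    if (r.ip_len < r.hdr_len) return r;         /* ip_len cannot be shorter than the header */
    r.ok = 1;
    size_t claimed_payload = r.ip_len - r.hdr_len;
    size_t available = caplen - r.hdr_len;
    if (claimed_payload > available) {
        r.truncated = 1;
        r.missing = claimed_payload - available;
        r.payload_len = available;              /* clamp: only what was captured */
    } else {
        r.payload_len = claimed_payload;
    }
    return r;
}

/* Constructed sample: a 20-byte IPv4 header claiming 64000 bytes total,
   followed by an 8-byte ICMP echo reply with no payload. Returns caplen. */
size_t build_sample_packet(uint8_t *buf, size_t bufsize) {
    static const uint8_t pkt[28] = {
        0x45, 0x00, 0xFA, 0x00,   /* v4, IHL=5, TOS 0, total length 64000 */
        0x00, 0x17, 0x00, 0x00,   /* ID 23, no flags / fragment offset */
        0x40, 0x01, 0x00, 0x00,   /* TTL 64, protocol 1 (ICMP), checksum 0 (not verified here) */
        0x01, 0x01, 0x01, 0x01,   /* src 1.1.1.1 */
        0x02, 0x02, 0x02, 0x02,   /* dst 2.2.2.2 */
        0x00, 0x00, 0x00, 0x00,   /* ICMP type 0 (echo reply), code 0, checksum 0 */
        0x17, 0x00, 0x00, 0x00    /* ICMP id 5888 (0x1700), seq 0 */
    };
    if (bufsize < sizeof pkt) return 0;
    memcpy(buf, pkt, sizeof pkt);
    return sizeof pkt;
}

/* Check the constructed bogus packet: ip_len far larger than the capture. */
ip_check_t check_sample(void) {
    uint8_t buf[64];
    size_t caplen = build_sample_packet(buf, sizeof buf);
    return check_ipv4(buf, caplen);
}

/* Same bytes with an honest ip_len of 28: nothing missing, nothing clamped. */
ip_check_t check_sample_honest(void) {
    uint8_t buf[64];
    size_t caplen = build_sample_packet(buf, sizeof buf);
    buf[2] = 0x00;
    buf[3] = 0x1C;                              /* total length 28 */
    return check_ipv4(buf, caplen);
}

int main(void) {
    ip_check_t r = check_sample();
    if (!r.ok) { puts("unparseable IP header"); return 1; }
    if (r.truncated)
        printf("truncated-ip: header claims %zu bytes, %zu missing; "
               "decoding only %zu payload bytes\n", r.ip_len, r.missing, r.payload_len);
    else
        printf("complete packet, %zu payload bytes\n", r.payload_len);
    return 0;
}
```

The decoder that follows this check must use `payload_len`, never `ip_len`, as the bound for any hex dump or protocol parsing; the `missing` count is only diagnostic, and a packet where it is non-zero is worth logging in its own right, since a legitimate sender has no reason to produce one.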