[Snort-users] Sniffers Misbehaviors (MS Network Monitor & tcpdump)?
vision at ...4...
Tue Jan 2 13:56:24 EST 2001
On Wed, 3 Jan 2001, Fyodor wrote:
> So probably does your Network Monitor. Tcpdump just dumps the whole 'caplen' data (the
> same thing you will get with snort if you use the -v switch).
> Basically speaking, it poses a threat that someone could cause snort to
> coredump by specifying a huge ip_len field and sending a packet with small data on the
> wire. I just committed a fix for this problem.
> Let me know if the version from cvs (or the after-midnight update
> http://snort.sourceforge.net/snort-daily.tar.gz ) will still not be able to
> 'detect' this type of 'abuse' when used with the -v switch.
I don't understand; it appears that this functionality has been present at
least since 1.6.3. When I send a bogus packet like you describe, I see:
01/02-10:52:29.587677 126.96.36.199 -> 188.8.131.52
ICMP TTL:64 TOS:0x0 ID:23
ID:5888 Seq:0 ECHO REPLY
Got bogus buffer length (63992) for PrintNetData, defaulting to 16 bytes!
00 00 00 00 80 18 7D 78 75 61 00 00 01 01 08 0A ......}xua......
09 B0 57 87 00 01 89 C8 ED C5 E7 28 84 57 AA 9B ..W........(.W..
The icmp packet in question had a null payload. The same packet was
reported by tcpdump as:
10:54:06.980028 truncated-ip - 63988 bytes missing! 184.108.40.206 > 220.127.116.11:
icmp: echo reply
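The bug being discussed is a decoder trusting the IP header's total-length field instead of the capture length: a forged ip_len larger than what is on the wire makes "payload length = ip_len - headers" huge, and a hex dumper that walks that many bytes reads off the end of the capture buffer. The following C is an added example, not snort's code and not code from either poster. It constructs a 28-byte IPv4/ICMP echo reply with no payload and a forged ip_len of 64020 (an assumed value, chosen because 64020 - 20 - 8 = 63992 matches snort's "bogus buffer length" message, and 64020 - 32 = 63988 matches tcpdump's "bytes missing" if 32 bytes of IP were captured). It then shows the naive arithmetic beside a version that bounds every field by caplen before using it; the function names and the `payload_view` struct are mine.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define IP_HDR_MIN   20   /* IPv4 header without options */
#define ICMP_HDR_LEN 8    /* type, code, checksum, id, seq */

/* What a decoder may safely hand to its hex dumper. */
struct payload_view {
    size_t claimed;   /* payload length according to ip_len (untrusted) */
    size_t usable;    /* payload bytes actually present in the capture */
    int    bogus;     /* 1 if the header claimed more than was captured */
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* The unsafe arithmetic: ip_len is believed, caplen is ignored. With a
 * forged ip_len this returns a length far beyond the capture buffer, and
 * a short ip_len underflows size_t. Returned for comparison only. */
size_t naive_icmp_payload_len(const uint8_t *pkt, size_t caplen) {
    (void)caplen;
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;
    return (size_t)rd16(pkt + 2) - ihl - ICMP_HDR_LEN;
}

/* Bounded version: every offset is checked against caplen before it is
 * dereferenced, and the printable length is min(claimed, captured).
 * Returns 0 on success, -1 if even the headers are not fully captured. */
int safe_icmp_payload(const uint8_t *pkt, size_t caplen, struct payload_view *v) {
    memset(v, 0, sizeof *v);
    if (caplen < IP_HDR_MIN) return -1;                 /* IP header truncated */
    size_t ihl    = (size_t)(pkt[0] & 0x0f) * 4;
    size_t ip_len = rd16(pkt + 2);
    if (ihl < IP_HDR_MIN || ihl > ip_len) return -1;    /* header longer than datagram */
    if (ihl > caplen) return -1;                        /* IP options not captured */
    size_t hdrs = ihl + ICMP_HDR_LEN;
    if (hdrs > caplen) return -1;                       /* ICMP header truncated */
    size_t on_wire = caplen - hdrs;                     /* what we can really read */
    v->claimed = ip_len >= hdrs ? ip_len - hdrs : 0;
    v->usable  = v->claimed < on_wire ? v->claimed : on_wire;
    v->bogus   = v->claimed > on_wire;
    return 0;
}

/* Constructed sample (not a real capture): IPv4 + ICMP echo reply, no
 * payload, TTL 64, IP ID 23 and ICMP ID 5888 as in the snort output above,
 * with ip_len set to whatever the caller wants to forge. Checksums are left
 * zero; nothing here validates them. Returns bytes written. */
size_t build_bogus_icmp(uint8_t *buf, size_t bufsz, uint16_t forged_ip_len) {
    const size_t n = IP_HDR_MIN + ICMP_HDR_LEN;
    if (bufsz < n) return 0;
    memset(buf, 0, n);
    buf[0]  = 0x45;                        /* version 4, IHL 5 (20 bytes) */
    buf[2]  = (uint8_t)(forged_ip_len >> 8);
    buf[3]  = (uint8_t)(forged_ip_len & 0xff);
    buf[5]  = 23;                          /* IP identification 23 */
    buf[8]  = 64;                          /* TTL */
    buf[9]  = 1;                           /* protocol ICMP */
    buf[20] = 0;                           /* ICMP type 0 = echo reply */
    buf[24] = 0x17; buf[25] = 0x00;        /* ICMP id 0x1700 = 5888 */
    return n;
}

int main(void) {
    uint8_t pkt[64];
    size_t caplen = build_bogus_icmp(pkt, sizeof pkt, 64020);
    struct payload_view v;

    printf("naive payload length: %zu bytes (would read past a %zu-byte buffer)\n",
           naive_icmp_payload_len(pkt, caplen), caplen);
    if (safe_icmp_payload(pkt, caplen, &v) == 0)
        printf("bounded: claimed %zu, usable %zu, bogus=%d\n",
               v.claimed, v.usable, v.bogus);
    return 0;
}
```

The `bogus` flag is where a decoder would emit its "bogus buffer length" warning; the point of `usable` is that the dumper never sees a count larger than `caplen` minus the headers it has already consumed, whatever the header claims.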