[Snort-users] Sniffers Misbehaviors (MS Network Monitor & tcpdump)?

Fyodor fygrave at ...121...
Tue Jan 2 14:05:09 EST 2001


On Tue, Jan 02, 2001 at 10:56:24AM -0800, Max Vision wrote:
> On Wed, 3 Jan 2001, Fyodor wrote:
> > So probably does your Network Monitor. Tcpdump just dumps the whole 'caplen' data (the
> > same thing you will get with snort if you use the -v switch).
> >
> > Basically speaking it poses us a threat that someone could cause snort to
> > coredump by specifying a huge ip_len field and sending a packet with small data on the
> > wire. I just committed a fix for this problem.
> >
> > Let me know if the version from cvs (or after midnight update
> > http://snort.sourceforge.net/snort-daily.tar.gz ) will still not be able to
> > 'detect' this type of 'abuse' when used with -v switch.
> >
> 
> I don't understand, it appears that this functionality has been present at
> least since 1.6.3.. when I send a bogus packet like you describe, I see
> the following:

A little bit different:

> 01/02-10:52:29.587677 1.1.1.1 -> 2.2.2.2
> ICMP TTL:64 TOS:0x0 ID:23
> ID:5888   Seq:0  ECHO REPLY
> Got bogus buffer length (63992) for PrintNetData, defaulting to 16 bytes!
> 00 00 00 00 80 18 7D 78 75 61 00 00 01 01 08 0A  ......}xua......
> 09 B0 57 87 00 01 89 C8 ED C5 E7 28 84 57 AA 9B  ..W........(.W..
> F0 @q'Y'.
> 

log.c(285): 

    if(len > ETHERNET_MTU)
    {
        if(pv.verbose_flag)
        {
            printf("Got bogus buffer length (%d) for PrintNetData, defaulting to 16 bytes!\n", len);
        }
        /* ... rest of the excerpt omitted in the mail ... */
    }


So here it complains if the buffer length is bigger than ETHERNET_MTU, which is 1500 bytes. This conclusion
(IMHO) actually isn't fully correct; other datalinks may have different MTUs (normally smaller, but
maybe there's one which is not?).
-- 
http://www.notlsd.net
PGP fingerprint = 56DD 1511 DDDA 56D7 99C7  B288 5CE5 A713 0969 A4D1
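Added example (not from the thread or from Snort itself) of the bound the mail argues for: instead of comparing the header-claimed length against a fixed ETHERNET_MTU, clamp the dump length to what the sniffer actually captured (caplen) minus the header offset. The packet bytes, the function names safe_payload_len and print_net_data, and the 63992 ip_len value reused from the quoted output are all constructed for the demonstration.

```c
#include <stdio.h>
#include <stdint.h>
#include <stddef.h>

/* Hypothetical replacement for the ETHERNET_MTU check quoted above: bound the
 * payload print length by the bytes really captured (caplen), not by a fixed
 * link-layer MTU. `offset` is where the payload begins in the captured buffer. */
size_t safe_payload_len(size_t claimed_len, size_t caplen, size_t offset)
{
    if (offset >= caplen)            /* headers alone exceed the capture */
        return 0;
    size_t avail = caplen - offset;  /* bytes actually present on the wire */
    return claimed_len < avail ? claimed_len : avail;
}

/* Hex-dump at most `claimed_len` bytes from buf+offset, never past caplen.
 * Returns the number of bytes dumped. */
size_t print_net_data(const uint8_t *buf, size_t caplen, size_t offset,
                      size_t claimed_len)
{
    size_t n = safe_payload_len(claimed_len, caplen, offset);
    if (n < claimed_len)
        printf("header claims %zu payload bytes but only %zu captured; dumping %zu\n",
               claimed_len, caplen, n);
    for (size_t i = 0; i < n; i++)
        printf("%02X%s", buf[offset + i], (i % 16 == 15 || i + 1 == n) ? "\n" : " ");
    return n;
}

int main(void)
{
    /* Constructed packet: 20-byte IPv4 header + 8-byte ICMP echo reply + 4 data
     * bytes, with the IP total-length field set to 63992 (0xF9F8) as in the mail. */
    uint8_t pkt[] = {
        0x45,0x00,0xF9,0xF8, 0x00,0x17,0x00,0x00, 0x40,0x01,0x00,0x00,
        0x01,0x01,0x01,0x01, 0x02,0x02,0x02,0x02,   /* 1.1.1.1 -> 2.2.2.2 */
        0x00,0x00,0x00,0x00, 0x17,0x00,0x00,0x00,   /* ICMP echo reply */
        0xDE,0xAD,0xBE,0xEF                         /* 4 real data bytes */
    };
    size_t caplen = sizeof pkt;                      /* 32 bytes on the wire */
    size_t ip_len = ((size_t)pkt[2] << 8) | pkt[3];  /* 63992, attacker-controlled */
    size_t payload_off = (pkt[0] & 0x0F) * 4 + 8;    /* IP header + ICMP header */
    /* An unbounded dump would read ip_len - 28 bytes from a 32-byte buffer. */
    print_net_data(pkt, caplen, payload_off, ip_len - payload_off);
    return 0;
}
```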