[Snort-users] Sniffers Misbehaviors (MS Network Monitor & tcpdump)?

Martin Roesch roesch at ...421...
Tue Jan 2 14:24:11 EST 2001


Fyodor wrote:
> 
> On Tue, Jan 02, 2001 at 10:56:24AM -0800, Max Vision wrote:
> > On Wed, 3 Jan 2001, Fyodor wrote:
> > > So probably does your Network Monitor. Tcpdump just dumps whole 'caplen' data. (the
> > > same thing you will get with snort if you use the -v switch).
> > >
> > > Basically speaking it poses us a threat that someone could cause snort to
> > > coredump if they specify a huge ip_len field and send a packet with small data on the
> > > wire. I just committed a fix for this problem.
> > >
> > > Let me know if the version from cvs (or after midnight update
> > > http://snort.sourceforge.net/snort-daily.tar.gz ) will still not be able to
> > > 'detect' this type of 'abuse' when used with -v switch.
> > >
> >
> > I don't understand, it appears that this functionality has been present at
> > least since 1.6.3.. when I send a bogus packet like you describe, I see
> > the following:
> 
> Little bit different:
> 
> > 01/02-10:52:29.587677 1.1.1.1 -> 2.2.2.2
> > ICMP TTL:64 TOS:0x0 ID:23
> > ID:5888   Seq:0  ECHO REPLY
> > Got bogus buffer length (63992) for PrintNetData, defaulting to 16 bytes!
> > 00 00 00 00 80 18 7D 78 75 61 00 00 01 01 08 0A  ......}xua......
> > 09 B0 57 87 00 01 89 C8 ED C5 E7 28 84 57 AA 9B  ..W........(.W..
> > F0 @q'Y'.
> >
> 
> log.c(285):
> 
>     if(len > ETHERNET_MTU)
>     {
>         if(pv.verbose_flag)
>         {
>             printf("Got bogus buffer length (%d) for PrintNetData, defaulting to 16 bytes!\n", len);
>         }
> 
> so here it complains if the buffer length is bigger than ETHERNET_MTU, which is 1500 bytes. This conclusion
> (IMHO) actually isn't fully correct, other datalinks may have different MTU (normally smaller, but
> maybe there's one which is not?).

There's a little legacy code for you. :) Yes, back in the day when we only
supported one data link layer that was a good line.  Now it needs to be set on
the MTU for the current interface type.

     -Marty

-- 
Martin Roesch
roesch at ...421...
http://www.snort.org
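An added illustration of the point argued in the thread, not code from the Snort project: the log.c check compares the header-claimed length against the fixed ETHERNET_MTU constant and never looks at how many bytes were actually captured, so a claimed length below 1500 but above the capture still walks past the buffer, while a legitimate larger frame on a link with a bigger MTU is wrongly truncated to 16 bytes. The safer bound for a dump routine is the captured length (caplen) minus the header offset. Function names, the 48-byte packet and the header offset are constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define ETHERNET_MTU 1500   /* constant the old log.c check compares against */

/* Models the visible log.c logic: only values above ETHERNET_MTU are
 * rejected (falling back to 16 bytes); caplen is never consulted. */
size_t old_dump_len(uint16_t ip_len, size_t caplen)
{
    (void)caplen;
    return ip_len > ETHERNET_MTU ? 16 : ip_len;
}

/* Safer bound: never dump more than the capture holds beyond the headers,
 * whatever the IP header claims and whatever the link's MTU is. */
size_t safe_dump_len(uint16_t ip_len, size_t hdr_off, size_t caplen)
{
    if (caplen <= hdr_off)
        return 0;                               /* no payload captured at all */
    size_t avail = caplen - hdr_off;            /* bytes really in the buffer */
    size_t claimed = ip_len > hdr_off ? ip_len - hdr_off : 0;
    return claimed < avail ? claimed : avail;
}

/* Hex dump bounded by safe_dump_len; returns the number of bytes printed. */
size_t print_net_data(const uint8_t *pkt, size_t caplen, size_t hdr_off, uint16_t ip_len)
{
    size_t n = safe_dump_len(ip_len, hdr_off, caplen);
    for (size_t i = 0; i < n; i++)
        printf("%02X%s", pkt[hdr_off + i], ((i + 1) % 16 == 0 || i + 1 == n) ? "\n" : " ");
    return n;
}

int main(void)
{
    /* Constructed capture: 14-byte Ethernet + 20-byte IP + 8-byte ICMP header
     * and 6 payload bytes (caplen 48), but the IP total length claims 63992. */
    uint8_t pkt[48] = {0};
    size_t caplen = sizeof pkt, hdr_off = 14 + 20 + 8;
    memset(pkt + hdr_off, 0xAA, caplen - hdr_off);
    printf("old check: %zu bytes (claimed 63992)\n", old_dump_len(63992, caplen));
    printf("old check: %zu bytes (claimed 1400, only %zu captured)\n", old_dump_len(1400, caplen), caplen);
    printf("bounded dump: %zu bytes\n", print_net_data(pkt, caplen, hdr_off, 63992));
    return 0;
}
```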
