[Snort-users] Snort dumps core on Solaris 8

Neil Dickey neil at ...1633...
Thu Jun 7 13:56:54 EDT 2001


Phil Wood <cpw at ...440...> wrote to the IPFilter list:

>I've also seen problems with defrag, but have not gotten any confirmation.
>It is my experience that certain fragment sequences in conjunction with
>some unknown force cause the creation of mutant packets, that is:
>
>   IP: proto=icmp (20 byte header)
>   DATA from somewhere in snort memory (not another incoming packet)
>
>Makes for some real weird ICMP type / code packets if you are looking for
>that sort of thing.

I've been seeing alerts like these:

=====================================================
[**] PING-ICMP Destination Unreachable [**]
06/03-00:56:43.763294 12.127.237.65 -> xxx.yyy.zzz
ICMP TTL:241 TOS:0x0 ID:14290 IpLen:20 DgmLen:56
Type:3  Code:13  DESTINATION UNREACHABLE: PACKET FILTERED
** ORIGINAL DATAGRAM DUMP:
xxx.yyy.zzz:25 -> 128.138.77.15:38058
TCP TTL:246 TOS:0x0 ID:24527 IpLen:20 DgmLen:40
12U*PRS* Seq: 0xD1F97B19  Ack: 0x0  Win: 0x0  TcpLen: 0  UrgPtr: 0x0
** END OF DUMP
======================================================

What particularly interests me is the really unusual collection of flags
reported for the original datagram, viz., 12U*PRS* .  Is this the sort of
thing you are referring to?

Best regards,

Neil Dickey, Ph.D.
Research Associate/Sysop
Geology Department
Northern Illinois University
DeKalb, Illinois
60115
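
An added example, not part of the original post and not Snort's code: RFC 792 has an ICMP error message quote the original IP header plus the first 64 bits of the original datagram, and with DgmLen:56 and two 20-byte IP headers the alert above carries 56 - 20 - 8 - 20 = 8 bytes of the quoted TCP header. The bounds-checked decoder below reports which TCP fields fall inside those bytes. The function names are hypothetical, the packet is constructed from the values printed in the alert, and 192.0.2.10 stands in for the obscured xxx.yyy.zzz address.

```python
import struct

# TCP header fields as (name, offset, struct format). A field is decoded only
# if it lies entirely inside the bytes the ICMP error actually quoted.
TCP_FIELDS = [("sport", 0, "!H"), ("dport", 2, "!H"), ("seq", 4, "!I"),
              ("ack", 8, "!I"), ("off_flags", 12, "!H"), ("win", 14, "!H"),
              ("urp", 18, "!H")]

def ip_header(buf):
    """Return (header_len, total_len, proto) for the IPv4 header at buf[0]."""
    if len(buf) < 20 or buf[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    hlen = (buf[0] & 0x0F) * 4
    if hlen < 20 or len(buf) < hlen:
        raise ValueError("bad IPv4 header length")
    return hlen, struct.unpack_from("!H", buf, 2)[0], buf[9]

def decode_icmp_error(pkt):
    """Decode the TCP header quoted in an ICMP error; absent fields are None."""
    hlen, total, proto = ip_header(pkt)
    if proto != 1:
        raise ValueError("not ICMP")
    inner = pkt[hlen:total][8:]   # skip ICMP type, code, checksum, unused
    ihlen, _, iproto = ip_header(inner)
    if iproto != 6:
        raise ValueError("quoted datagram is not TCP")
    l4 = inner[ihlen:]            # what is really present of the TCP header
    out = {"quoted_l4_bytes": len(l4)}
    for name, off, fmt in TCP_FIELDS:
        end = off + struct.calcsize(fmt)
        out[name] = struct.unpack_from(fmt, l4, off)[0] if end <= len(l4) else None
    return out

def build_sample():
    """Constructed packet: lengths, IDs, TTLs, ports and Seq from the alert."""
    # Checksums are left at zero; this decoder does not verify them.
    inner_ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 24527, 0, 246, 6, 0,
                           bytes([192, 0, 2, 10]), bytes([128, 138, 77, 15]))
    tcp8 = struct.pack("!HHI", 25, 38058, 0xD1F97B19)
    icmp = struct.pack("!BBHI", 3, 13, 0, 0) + inner_ip + tcp8
    outer_ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 14290, 0,
                           241, 1, 0, bytes([12, 127, 237, 65]), bytes([192, 0, 2, 10]))
    return outer_ip + icmp
```

On the constructed packet the ports and sequence number decode, while the acknowledgment number, flags, window and urgent pointer come back as `None` because they lie beyond the quoted bytes.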





