[Snort-users] Snort dumps core on Solaris 8
neil at ...1633...
Thu Jun 7 13:56:54 EDT 2001
Phil Wood <cpw at ...440...> wrote to the IPFilter list:
>I've also seen problems with defrag, but have not gotten any confirmation.
>It is my experience that certain fragment sequences in conjunction with
>some unknown force cause the creation of mutant packets, that is:
> IP: proto=icmp (20 byte header)
> DATA from somewhere in snort memory (not another incoming packet)
>Makes for some real weird ICMP type / code packets if you are looking for
>that sort of thing.
I've been seeing alerts like these:
[**] PING-ICMP Destination Unreachable [**]
06/03-00:56:43.763294 22.214.171.124 -> xxx.yyy.zzz
ICMP TTL:241 TOS:0x0 ID:14290 IpLen:20 DgmLen:56
Type:3 Code:13 DESTINATION UNREACHABLE: PACKET FILTERED
** ORIGINAL DATAGRAM DUMP:
xxx.yyy.zzz:25 -> 126.96.36.199:38058
TCP TTL:246 TOS:0x0 ID:24527 IpLen:20 DgmLen:40
12U*PRS* Seq: 0xD1F97B19 Ack: 0x0 Win: 0x0 TcpLen: 0 UrgPtr: 0x0
** END OF DUMP
What particularly interests me is the really unusual collection of flags
reported for the original datagram, viz., 12U*PRS*. Is this the sort of
thing you are referring to?
Neil Dickey, Ph.D.
Northern Illinois University
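A small triage script for alerts of the kind quoted above, added here as an example; it is not code from the post or from the Snort project. It assumes Snort's fixed flag column order "12UAPRSF" (reserved bits 1 and 2, then URG, ACK, PSH, RST, SYN, FIN, with '*' for a clear bit) and the alert layout shown in the message; the sample alert embedded in it is the one from the post. Besides decoding the flag string and checking for combinations a conforming stack never emits, it does the length arithmetic a practitioner would want: the outer datagram is 56 bytes, so after the 20-byte outer IP header, the 8-byte ICMP header and the 20-byte inner IP header only 8 bytes of the original TCP header (ports and sequence number) are actually embedded, while the flag byte sits at offset 13 of a TCP header. Any flags, ack, window or TcpLen printed for such a dump were therefore read from beyond the embedded datagram, which is worth flagging before treating the flag combination itself as a signal.

```python
"""Sanity-check the original-datagram header that Snort prints inside an
ICMP Destination Unreachable alert.  Added example, not code from the post
or from the Snort project.  Assumes Snort's fixed flag column order
"12UAPRSF" ('*' = bit clear) and the alert layout quoted in the post."""

import re

FLAG_ORDER = "12UAPRSF"     # reserved 1, reserved 2, URG, ACK, PSH, RST, SYN, FIN
TCP_FLAG_BYTE_OFFSET = 13   # the flag byte is the 14th byte of a TCP header
ICMP_HEADER_LEN = 8

# Sample alert, copied from the post (addresses were already masked there).
SAMPLE_ALERT = """\
[**] PING-ICMP Destination Unreachable [**]
06/03-00:56:43.763294 22.214.171.124 -> xxx.yyy.zzz
ICMP TTL:241 TOS:0x0 ID:14290 IpLen:20 DgmLen:56
Type:3 Code:13 DESTINATION UNREACHABLE: PACKET FILTERED
** ORIGINAL DATAGRAM DUMP:
xxx.yyy.zzz:25 -> 126.96.36.199:38058
TCP TTL:246 TOS:0x0 ID:24527 IpLen:20 DgmLen:40
12U*PRS* Seq: 0xD1F97B19 Ack: 0x0 Win: 0x0 TcpLen: 0 UrgPtr: 0x0
** END OF DUMP
"""

OUTER_IP_RE = re.compile(r"^ICMP TTL:\d+ TOS:0x[0-9A-Fa-f]+ ID:\d+ IpLen:(\d+) DgmLen:(\d+)", re.M)
INNER_IP_RE = re.compile(r"^TCP TTL:\d+ TOS:0x[0-9A-Fa-f]+ ID:\d+ IpLen:(\d+) DgmLen:(\d+)", re.M)
INNER_TCP_RE = re.compile(
    r"^([12UAPRSF*]{8}) Seq: 0x[0-9A-Fa-f]+ Ack: 0x[0-9A-Fa-f]+ Win: 0x[0-9A-Fa-f]+"
    r" TcpLen: (\d+)(?: UrgPtr: 0x([0-9A-Fa-f]+))?", re.M)


def decode_flags(flag_str):
    """Turn a Snort flag string such as '12U*PRS*' into the set of flags that are set."""
    if len(flag_str) != len(FLAG_ORDER):
        raise ValueError("expected 8 flag columns, got %r" % flag_str)
    flags = set()
    for column, ch in zip(FLAG_ORDER, flag_str):
        if ch == "*":
            continue
        if ch != column:
            raise ValueError("unexpected %r in the %r column" % (ch, column))
        flags.add(column)
    return flags


def flag_anomalies(flags):
    """Heuristics for flag combinations a conforming TCP stack does not send."""
    reasons = []
    if flags & {"1", "2"}:
        reasons.append("reserved bits set")
    if {"S", "R"} <= flags:
        reasons.append("SYN and RST together")
    if {"S", "F"} <= flags:
        reasons.append("SYN and FIN together")
    if not flags:
        reasons.append("no flags set")
    if flags & {"P", "U"} and "A" not in flags:
        reasons.append("PSH/URG without ACK")
    return reasons


def embedded_tcp_bytes(outer_iplen, outer_dgmlen, inner_iplen):
    """How many bytes of the original TCP header the ICMP error actually carries."""
    return outer_dgmlen - outer_iplen - ICMP_HEADER_LEN - inner_iplen


def triage_dump(alert_text):
    """Return the reasons the embedded TCP header looks malformed ([] if none)."""
    tcp = INNER_TCP_RE.search(alert_text)
    if tcp is None:
        raise ValueError("no TCP header line in the original datagram dump")
    flags = decode_flags(tcp.group(1))
    reasons = flag_anomalies(flags)
    tcplen = int(tcp.group(2))
    if tcplen < 20:
        reasons.append("TcpLen %d is below the 20-byte minimum" % tcplen)
    if "U" in flags and tcp.group(3) is not None and int(tcp.group(3), 16) == 0:
        reasons.append("URG set but UrgPtr is 0")
    outer, inner = OUTER_IP_RE.search(alert_text), INNER_IP_RE.search(alert_text)
    if outer and inner:
        have = embedded_tcp_bytes(int(outer.group(1)), int(outer.group(2)), int(inner.group(1)))
        if have <= TCP_FLAG_BYTE_OFFSET:
            reasons.append("only %d bytes of the original TCP header are embedded; "
                           "flags, ack, window and TcpLen were read past its end" % have)
    return reasons


if __name__ == "__main__":
    for reason in triage_dump(SAMPLE_ALERT):
        print("-", reason)
```

Run it as a script on the sample and it lists six findings; the last one (only 8 TCP bytes embedded) is the one that decides how much weight to put on the other five, since a flag byte that was never on the wire says nothing about the sender.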