[Snort-users] Re: Weird Packets, ICMP Dest Unreachable

Phil Wood cpw at ...440...
Thu Jun 14 18:02:52 EDT 2001


On Thu, Jun 14, 2001 at 03:09:33PM -0400, Matt Scarborough wrote:
> Phil,
> 
> It really is not a problem per se. I think it would only be a problem if

The problem to me is that the Snort code in log.c does not know where the
packet ends and decodes trash and prints the results as real stuff.

As far as being a problem in the IDS sense, or sense of possibly causing a
recipient of the trashed header to go into limbo, that's another story.

In the past, specially crafted IP headers caused some serious problems for
Microsoft hosts here at LANL.  Every single Windows box that was not behind
a serious firewall that reassembled IP fragments before passing them on
ended up with the blue screen of death.  It was pretty eerie for some of
our groups to enter their room in the early morning and find 30 systems all
with that Microsoft blue screen.

In this case, it appears that any recipient of these packets did not get
bent out of shape.

Thanks,

Phil

> 

-- 
Phil Wood, cpw at ...440...
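
The failure described in the message above, a decoder that does not know where the packet ends and prints trash as real fields, is avoided by checking the remaining captured length before each field is read. The C code below is an added example, not Snort's log.c and not part of the original message; its function, type and status names and the sample bytes are constructed, and it assumes the data being decoded is the IPv4 header quoted inside an ICMP Destination Unreachable message.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Any status other than Q_OK means: stop decoding, print nothing further. */
enum q_status { Q_OK, Q_NOT_UNREACH, Q_SHORT_ICMP, Q_SHORT_IP, Q_BAD_IHL, Q_SHORT_L4 };

struct quoted { uint8_t proto; uint16_t sport, dport; };

/* Constructed sample: ICMP type 3 code 3 quoting a UDP datagram
 * 192.0.2.1:1234 -> 192.0.2.2:53 (checksums zeroed, not verified here). */
static const uint8_t sample_unreach[] = {
    0x03,0x03,0x00,0x00, 0x00,0x00,0x00,0x00,             /* ICMP header    */
    0x45,0x00,0x00,0x1c, 0x00,0x01,0x00,0x00,             /* quoted IPv4    */
    0x40,0x11,0x00,0x00, 0xc0,0x00,0x02,0x01, 0xc0,0x00,0x02,0x02,
    0x04,0xd2,0x00,0x35, 0x00,0x08,0x00,0x00              /* first 8 of UDP */
};

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* icmp/len: start of the ICMP message and the bytes actually captured. */
enum q_status decode_unreach(const uint8_t *icmp, size_t len, struct quoted *q)
{
    q->proto = 0; q->sport = q->dport = 0;
    if (len < 8) return Q_SHORT_ICMP;             /* type, code, cksum, unused */
    if (icmp[0] != 3) return Q_NOT_UNREACH;       /* 3 = Destination Unreachable */

    const uint8_t *ip = icmp + 8;
    size_t left = len - 8;
    if (left < 20) return Q_SHORT_IP;             /* minimum IPv4 header */
    size_t ihl = (size_t)(ip[0] & 0x0f) * 4;
    if ((ip[0] >> 4) != 4 || ihl < 20) return Q_BAD_IHL;
    if (left < ihl) return Q_SHORT_IP;            /* options run past the capture */

    q->proto = ip[9];
    if (q->proto != 6 && q->proto != 17) return Q_OK;   /* no ports to read */
    if (left - ihl < 4) return Q_SHORT_L4;        /* ports not in the capture */
    q->sport = be16(ip + ihl);
    q->dport = be16(ip + ihl + 2);
    return Q_OK;
}

int main(void)
{
    struct quoted q;
    for (size_t n = sizeof sample_unreach; n >= 26; n -= 5)  /* shrink the capture */
        printf("len=%zu status=%d sport=%u dport=%u\n", n,
               (int)decode_unreach(sample_unreach, n, &q), q.sport, q.dport);
    return 0;
}
```

A logging routine built this way prints ports only on `Q_OK` and reports the truncation status otherwise, so bytes past the capture are never rendered as header fields.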




