[Snort-users] ICMP Echo Replies & Unknowns?

Phil Wood cpw at ...440...
Thu Jun 28 14:07:27 EDT 2001


In my case the problem of trash icmp types and codes is the result of a
problem with snort.  It appears related to the defrag preprocessor.  I have
documented, using tcpdump and snort in parallel, that valid ICMP packets
(as seen by tcpdump), end up in snort with some memory (not associated with
any packet) appended to a perfectly valid IP header (with proto of ICMP).
Tcpdump shows two fragments (out of order) which together make up an icmp
packet.  Snort's defrag constructs the complete ICMP packet with the identical
IP header, but crud from some place in snort's memory as ICMP header and DATA.

This is not the entire story.  I'm waiting for the rest of the story.  The
problem cannot be duplicated by sending snort the fragments from the tcpdump
file (-r).  So, there are other things going on.  It's entirely possible that
the defrag preprocessor is just doing its job, and some other module in snort
is making mincemeat out of defrag's control or data memory.  It's just a matter
of a memory pointer changing, prior to the construction of the packet to
be shipped into the rules processor, or in the rules processor itself.

Has anyone else looked into this problem?

On Thu, Jun 28, 2001 at 10:43:28AM +0100, Matthew Collins wrote:
> I get all sorts of this stuff too, also ICMP destination unreachable messages for packets we haven't sent. Most of this is fallout from DOS attacks & people spoofing our IP addresses.
> 
> >>> "Sheahan, Paul (PCLN-NW)" <Paul.Sheahan at ...2218...> 28/06/01 05:59:48 >>>
> 
> Every day, I see many "ICMP Echo Replies" and "ICMP unknowns" from random
> machines on the Internet.
> Some example traces are below...these packets came back to back three
> seconds apart (icmp unknown then icmp echo reply right afterward). Does
> anyone know why I would see so many of these? Could this come from a probing
> tool? I see so many, I'm trying to figure out what's going on! Thanks.
> 

-- 
Phil Wood, cpw at ...440...
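The reassembly failure described in the message above (valid IP header, garbage where the ICMP header and data should be) is something a defender can detect after the fact, because the ICMP checksum covers the whole ICMP datagram. The following is an added example, not code from Snort or from the poster: it builds an ICMP echo reply, splits it into two fragments delivered out of order, reassembles them with a simplified offset-based reassembler (an assumption, not Snort's defrag algorithm), and checks the ICMP checksum, which a corrupted reassembly fails.

```python
# Added example (not part of the original thread): reassemble two out-of-order
# IPv4 fragments carrying an ICMP echo reply, then verify the ICMP checksum.
# A reassembler that appends unrelated memory instead of the real fragment
# payload yields a datagram whose ICMP checksum no longer verifies.
import struct

def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_icmp_echo_reply(ident: int, seq: int, payload: bytes) -> bytes:
    """ICMP type 0 (echo reply), code 0, with the checksum filled in."""
    header = struct.pack("!BBHHH", 0, 0, 0, ident, seq)
    csum = inet_checksum(header + payload)
    return struct.pack("!BBHHH", 0, 0, csum, ident, seq) + payload

def fragment(icmp: bytes, first_len: int):
    """Split into two fragments: (offset in 8-byte units, more-fragments flag, data)."""
    assert first_len % 8 == 0, "fragment boundaries must be multiples of 8 bytes"
    return [(0, True, icmp[:first_len]), (first_len // 8, False, icmp[first_len:])]

def reassemble(frags):
    """Order fragments by offset and concatenate; None if a hole or overlap remains."""
    buf = bytearray()
    for off, more, data in sorted(frags, key=lambda f: f[0]):
        if off * 8 != len(buf):
            return None
        buf += data
        if not more:
            return bytes(buf)
    return None

def icmp_checksum_ok(datagram: bytes) -> bool:
    """A datagram with a correct checksum field sums to zero."""
    return inet_checksum(datagram) == 0

# Constructed sample: 64-byte ping payload, split at 16 bytes, delivered out of order.
ICMP = build_icmp_echo_reply(0x1234, 1, bytes(range(64)))
OUT_OF_ORDER = list(reversed(fragment(ICMP, 16)))
GOOD = reassemble(OUT_OF_ORDER)
# What the thread describes: same length, but stray memory in place of ICMP header and data.
CRUD = bytes([0xDE, 0xAD]) * (len(GOOD) // 2)

if __name__ == "__main__":
    print("reassembled datagram verifies:", icmp_checksum_ok(GOOD))  # True
    print("corrupted datagram verifies:", icmp_checksum_ok(CRUD))   # False
```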