[Snort-users] Does ICMP detection work or what?

François Désarménien francois at ...1754...
Fri Jun 29 03:56:38 EDT 2001


On Thu, 28 Jun 2001 17:22:27 -0600 (MDT), Ryan Russell <ryan at ...35...> wrote:

> On Thu, 28 Jun 2001, Sheahan, Paul (PCLN-NW) wrote:
> 
> Ping and ICMP aren't the same thing, ping only accounts for two ICMP
> types, and there are quite a few more (as evidenced by your examples.)
> What kind of firewall do you have, and what exactly does the rule say?
> 

Couldn't it be related to the problem Phil told us about last night:

> Phil Wood wrote:
>
> In my case the problem of trash ICMP types and codes is the result of a
> problem with snort.  It appears related to the defrag preprocessor.  I have
> documented, using tcpdump and snort in parallel, that valid ICMP packets
> (as seen by tcpdump) end up in snort with some memory (not associated with
> any packet) appended to a perfectly valid IP header (with proto of ICMP).
> Tcpdump shows two fragments (out of order) which together make up an ICMP
> packet.  Snort's defrag constructs the complete ICMP packet with the identical
> IP header, but crud from some place in snort's memory as ICMP header and DATA.

François
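As an added illustration of the situation Phil describes (this is example code written for this archive page; it is not Snort's defrag preprocessor, not tcpdump, and not code from anyone in the thread), the script below builds an ICMP echo request, splits it into two IP fragments, delivers them out of order, and reassembles them by fragment offset the way a correct defragmenter must. A second, deliberately naive path glues the fragments in arrival order, which is one simple way to end up reporting bogus ICMP type/code values for a packet tcpdump shows as a perfectly ordinary ping. Addresses, the IP ID, the ICMP identifier and the payload are all constructed values.

```python
"""Out-of-order IP fragment reassembly of an ICMP echo request.
Added example; not Snort or tcpdump code.  All addresses, IDs and
payload bytes below are constructed for the demonstration."""
import struct

ICMP_ECHO_REPLY = 0       # the two ICMP types that ping uses (RFC 792)
ICMP_ECHO_REQUEST = 8
IP_MF = 0x2000            # "more fragments" bit in the IP flags/offset field
IP_PROTO_ICMP = 1

def inet_checksum(data: bytes) -> int:
    """RFC 1071 ones-complement checksum; yields 0 over an already-checksummed block."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_icmp_echo(ident: int, seq: int, payload: bytes) -> bytes:
    """ICMP echo request: type 8, code 0, checksum over header + payload."""
    hdr = struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, 0, ident, seq)
    csum = inet_checksum(hdr + payload)
    return struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, csum, ident, seq) + payload

def build_ip_header(src: bytes, dst: bytes, ip_id: int, flags_frag: int,
                    total_len: int) -> bytes:
    """20-byte IPv4 header (no options), TTL 64, proto ICMP, checksum filled in."""
    fields = [0x45, 0, total_len, ip_id, flags_frag, 64, IP_PROTO_ICMP, 0, src, dst]
    fields[7] = inet_checksum(struct.pack("!BBHHHBBH4s4s", *fields))
    return struct.pack("!BBHHHBBH4s4s", *fields)

def fragment(src: bytes, dst: bytes, ip_id: int, payload: bytes, chunk: int) -> list:
    """Split an IP payload into fragments; chunk must be a multiple of 8."""
    frags = []
    for off in range(0, len(payload), chunk):
        piece = payload[off:off + chunk]
        more = off + len(piece) < len(payload)
        flags_frag = (IP_MF if more else 0) | (off // 8)
        frags.append(build_ip_header(src, dst, ip_id, flags_frag, 20 + len(piece)) + piece)
    return frags

def parse_ip(pkt: bytes) -> dict:
    """Pull the fields a defragmenter needs out of a raw IPv4 packet."""
    ihl = (pkt[0] & 0x0F) * 4
    total_len, ip_id, flags_frag = struct.unpack("!HHH", pkt[2:8])
    return {"header": pkt[:ihl], "id": ip_id, "proto": pkt[9],
            "mf": bool(flags_frag & IP_MF), "offset": (flags_frag & 0x1FFF) * 8,
            "data": pkt[ihl:total_len]}

class Reassembler:
    """Reassemble by fragment offset, whatever order the fragments arrive in."""
    def __init__(self):
        self.pending = {}

    def feed(self, pkt: bytes):
        f = parse_ip(pkt)
        if not f["mf"] and f["offset"] == 0:
            return f["header"], f["data"]            # not fragmented at all
        key = (f["header"][12:20], f["id"], f["proto"])   # src, dst, id, proto
        st = self.pending.setdefault(key, {"frags": {}, "total": None, "header": None})
        st["frags"][f["offset"]] = f["data"]
        if f["offset"] == 0:
            st["header"] = f["header"]               # keep the first fragment's header
        if not f["mf"]:
            st["total"] = f["offset"] + len(f["data"])   # last fragment fixes the length
        if st["total"] is None or st["header"] is None:
            return None                              # still waiting for pieces
        buf = bytearray()
        for off in sorted(st["frags"]):
            if off != len(buf):
                return None                          # hole or overlap: keep waiting
            buf += st["frags"][off]
        if len(buf) != st["total"]:
            return None
        del self.pending[key]
        return st["header"], bytes(buf)

def naive_arrival_order(pkts: list) -> bytes:
    """Deliberately wrong: ignore offsets and glue payloads in arrival order."""
    return b"".join(parse_ip(p)["data"] for p in pkts)

def decode_icmp(data: bytes) -> tuple:
    """Return (type, code, checksum_ok) for a reassembled ICMP message."""
    return data[0], data[1], inet_checksum(data) == 0

def demo() -> dict:
    src, dst = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])   # constructed addresses
    icmp = build_icmp_echo(0x1234, 1, bytes(range(64)))     # 72-byte echo request
    frags = fragment(src, dst, 0xBEEF, icmp, 48)            # two fragments: offsets 0, 48
    arrival = [frags[1], frags[0]]                          # tail fragment arrives first
    r = Reassembler()
    first = r.feed(arrival[0])                              # None: offset 0 not seen yet
    _hdr, data = r.feed(arrival[1])
    return {"waited": first is None,
            "correct": decode_icmp(data),
            "matches_original": data == icmp,
            "arrival_order": decode_icmp(naive_arrival_order(arrival))}
```

Run `demo()`: the offset-based reassembly returns type 8, code 0 (an echo request, one of the two ping types Ryan mentions) and the bytes match the original message, while the arrival-order glue reports type 40, code 41, which is just payload data landing where the ICMP header should be. Note that the naive result still passes the ICMP checksum, because the Internet checksum is a ones-complement sum of 16-bit words and is therefore indifferent to the order of word-aligned blocks; a checksum check alone will not tell you whether a reassembled packet is genuine, which is why comparing against tcpdump's view of the fragments, as Phil did, is the right way to settle it.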
