[Snort-users] Does ICMP detection work or what?

Dragos Ruiu dr at ...381...
Fri Jun 29 06:38:26 EDT 2001


The defragger has had several fixes since Snort 1.7 that could account for 
the behaviour you see (esp. on sparc boxen).  I posted a new one to snort-devel
this afternoon, since then another small problem has been fixed in this latest
version v1.4....

This should also be backwards compatible to snort 1.7 source trees.
(or 1.6 for that matter, but you really ought to think about upgrading if
you're there!)  Please replace spp_defrag.c with this latest v1.4 one and 
let me know if your problem still occurs.  Please contact me if it is still in
error, and further information may be gleaned by enabling more diagnostics
by defining DEBUG in the defragger code.

Notes about the release from the snort-devel posting are attached
below with the code.

thanks,
--dr


 

On Fri, 29 Jun 2001, François Désarménien wrote:
> Thu, 28 Jun 2001 17:22:27 -0600 (MDT)
> Ryan Russell <ryan at ...35...> wrote:
> 
> > On Thu, 28 Jun 2001, Sheahan, Paul (PCLN-NW) wrote:
> > 
> > Ping and ICMP aren't the same thing, ping only accounts for two ICMP
> > types, and there are quite a few more (as evidenced by your examples.)
> > What kind of firewall do you have, and what exactly does the rule say?
> > 
> 
> Couldn't it be related to the problem Phil told us last night:
> 
> > Phil Wood wrote:
> >
> > In my case the problem of trash icmp types and codes is the result of a
> > problem with snort.  It appears related to the defrag preprocessor.  I have
> > documented, using tcpdump and snort in parallel, that valid ICMP packets
> > (as seen by tcpdump), end up in snort with some memory (not associated with
> > any packet) appended to a perfectly valid IP header (with proto of ICMP).
> > Tcpdump shows two fragments (out of order) which together make up an icmp
> > packet.  Snort's defrag constructs the complete ICMP packet with the identical
> > IP header, but crud from some place in snort's memory as ICMP header and DATA.
> 
> François
> 



----------  Forwarded Message  ----------
Subject: new spp_defrag.c
Date: Thu, 28 Jun 2001 16:46:53 -0700
From: Dragos Ruiu <dr at ...381...>


defragger with memory hard-hard limits
and out of memory alert thresholding so nobody
gets any snotty ideas about sticking in defrag
noise.  :-)

Some tweaks that should help the sparc people...
And a new higher efficiency timeout checker
and garbage collector.

Backwards compatible with snort 1.7 and 1.8 releases.
just replace spp_defrag.c

I sent an earlier version out to a few and didn't receive 
any tracebacks yet so I assume it's ok. Here is a
slightly more aggressively defended version.

Send me your complaints... or cpu utilization benchmarks 
and the %of fragmented traffic you have as I am trying
to benchmark...

cheers,
--dr



-- 
Dragos Ruiu / kyx.net - we're from the future 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: spp_defrag.c
Type: text/english
Size: 31723 bytes
Desc: not available
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20010629/cd57d0ce/attachment.bin>
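As an added illustration (not code from this thread and not spp_defrag.c itself): a minimal fragment reassembler that walks buffered fragments by offset rather than by arrival order, enforces a hard memory limit of the kind the forwarded note describes, and verifies the ICMP checksum over the reassembled datagram, which is the check that would expose "crud" where the ICMP header and data should be. The flow key, addresses, IP id and echo payload below are constructed sample values.

```python
import struct

def inet_checksum(data):
    """RFC 1071 one's-complement checksum; over data that carries its own checksum it returns 0."""
    data += b"\0" * (len(data) % 2)
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

class Reassembler:
    """Buffer IPv4 fragments per flow and emit a datagram only when coverage is contiguous."""
    def __init__(self, max_bytes=64 * 1024):
        self.max_bytes, self.buffered, self.flows, self.dropped = max_bytes, 0, {}, 0

    def add(self, key, off_units, more, payload):
        # key = (src, dst, ip id, proto); off_units and more come from the IP header
        off = off_units * 8                                 # fragment offset is in 8-byte units
        if self.buffered + len(payload) > self.max_bytes:  # hard memory limit
            self.dropped += 1                               # count it for an alert; never overrun
            return None
        flow = self.flows.setdefault(key, {"chunks": {}, "end": None})
        flow["chunks"][off] = payload
        self.buffered += len(payload)
        if not more:
            flow["end"] = off + len(payload)                # last fragment fixes the total length
        if flow["end"] is None:
            return None
        pos, out = 0, b""
        for start in sorted(flow["chunks"]):                # by offset, not by arrival order
            if start != pos:                                # hole or overlap: keep waiting
                return None
            out += flow["chunks"][start]
            pos += len(flow["chunks"][start])
        if pos != flow["end"]:
            return None
        self.buffered -= pos
        del self.flows[key]
        return out

def demo():
    """Constructed ICMP echo request (type 8) split at byte 16, delivered tail-first."""
    icmp = struct.pack("!BBHHH", 8, 0, 0, 1, 1) + b"abcdefghijklmnopqrstuvwx"
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    key = ("10.0.0.1", "10.0.0.2", 0x1234, 1)             # constructed src, dst, IP id, proto ICMP
    r = Reassembler()
    first = r.add(key, 2, False, icmp[16:])                 # offset 2*8=16, MF=0, arrives first
    whole = r.add(key, 0, True, icmp[:16])                  # offset 0, MF=1, arrives second
    return first, whole, icmp, inet_checksum(whole) if whole else None
```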

