[Snort-users] screwy windows ICMP

Doug White dwhite at ...1486...
Mon Mar 12 19:32:50 EST 2001


Hello,

Please boot me in the head if this belongs elsewhere.

We have windows boxes that appear to be fond of generating illegal ICMP
PING packets.  In particular, they send 56 bytes of data but list the
length as 2056 bytes.  

It appears that snort doesn't pay attention to this and ensure the payload
is actually the proper length when it prints the packet contents.  So you
end up with logged packets that look like this (translation provided by
less(1)):

[**] IDS246/dos-large-icmp [**]
03/12-16:12:23.979130 0:10:83:FA:13:38 -> 0:D0:B7:90:3E:3A type:0x800
len:0x83C
216.136.215.3 -> 64.41.130.11 ICMP TTL:128 TOS:0x0 ID:28464 IpLen:20
DgmLen:2056
Type:8  Code:0  ID:512   Seq:9228  ECHO
0x0000: 00 D0 B7 90 3E 3A 00 10 83 FA 13 38 08 00 45 00  ....>:.....8..E.
0x0010: 08 08 6F 30 00 00 80 01 56 FF D8 88 D7 03 40 29  ..o0....V.....@)
0x0020: 82
O<A2>^A^X<A8>^Y0^W^B^A^W^B^B<FF>{^B^A<80>^B^A^C^B^A^A^B^A^X^B^B<FF>y
^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@.

^ that 0 up there is on the previous line; it doesn't wrap.

I fear there is a possible buffer overflow lurking here.  This is in snort
1.7 on FreeBSD 4.2-RELEASE.

Please tell me snort isn't vulnerable :-)  Thanks!

Doug White                    |  FreeBSD: The Power to Serve
dwhite at ...1486...     |  www.FreeBSD.org
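The check the post is asking about, as an added example that is not part of the original message and not snort's own code: a small IPv4/ICMP bounds routine that takes the IP total length (the DgmLen snort prints) only as a claim and never lets it exceed the number of bytes actually captured. A printer that trusts DgmLen alone would try to dump 2056 - 20 - 8 = 2028 payload bytes from a 98-byte buffer; the bounded version stops at 56. The sample frame is constructed here from the header bytes visible in the hex dump above (destination octet 0x0B, ICMP checksum and the 56 payload bytes are filled in as assumptions), and the function names `bound_icmp_payload` and `build_sample_frame` are this example's own.

```c
/* Added example (not snort code): bound an ICMP echo payload by the
 * captured length, not by the length field in the IP header. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define ETH_HLEN  14
#define ICMP_HLEN 8

struct icmp_bounds {
    int    ok;           /* 1 if the frame parsed as Ethernet/IPv4/ICMP */
    size_t claimed_len;  /* IP total length as written in the header (DgmLen) */
    size_t ip_avail;     /* bytes of the IP datagram actually captured */
    size_t naive_len;    /* payload length an unchecked printer would use */
    size_t payload_len;  /* payload length that is safe to print */
    int    truncated;    /* 1 if the header claims more than was captured */
};

/* Parse frame[0..caplen) and compute a payload length that can never run
 * past the end of the capture buffer. */
struct icmp_bounds bound_icmp_payload(const uint8_t *frame, size_t caplen)
{
    struct icmp_bounds b;
    const uint8_t *ip;
    size_t ihl, usable;

    memset(&b, 0, sizeof b);
    if (caplen < ETH_HLEN + 20) return b;                 /* Ethernet + minimal IPv4 header */
    if (frame[12] != 0x08 || frame[13] != 0x00) return b; /* EtherType must be IPv4 */

    ip  = frame + ETH_HLEN;
    ihl = (size_t)(ip[0] & 0x0f) * 4;
    if ((ip[0] >> 4) != 4 || ihl < 20) return b;
    b.ip_avail = caplen - ETH_HLEN;
    if (ihl > b.ip_avail) return b;                       /* options claim more than captured */
    if (ip[9] != 1) return b;                             /* protocol must be ICMP */

    b.claimed_len = ((size_t)ip[2] << 8) | ip[3];
    b.naive_len   = b.claimed_len > ihl + ICMP_HLEN ? b.claimed_len - ihl - ICMP_HLEN : 0;

    /* The only trustworthy upper bound is what the capture delivered. */
    usable      = b.claimed_len < b.ip_avail ? b.claimed_len : b.ip_avail;
    b.truncated = b.claimed_len > b.ip_avail;
    b.payload_len = usable > ihl + ICMP_HLEN ? usable - ihl - ICMP_HLEN : 0;
    b.ok = 1;
    return b;
}

/* Build a constructed 98-byte echo request frame modelled on the dump in
 * the post: 14-byte Ethernet, 20-byte IPv4 header, 8-byte ICMP header,
 * 56 bytes of payload. claimed_total_len is written into the IP length
 * field so the caller can try both an honest and a forged value. */
size_t build_sample_frame(uint8_t *buf, size_t bufsz, uint16_t claimed_total_len)
{
    static const uint8_t eth[ETH_HLEN] = {
        0x00,0xD0,0xB7,0x90,0x3E,0x3A, 0x00,0x10,0x83,0xFA,0x13,0x38, 0x08,0x00 };
    static const uint8_t ipv4[20] = {
        0x45,0x00, 0x00,0x00, 0x6F,0x30, 0x00,0x00, 0x80,0x01, 0x56,0xFF,
        0xD8,0x88,0xD7,0x03,            /* 216.136.215.3 */
        0x40,0x29,0x82,0x0B };          /* 64.41.130.11 (last octet assumed) */
    static const uint8_t icmp[ICMP_HLEN] = {
        0x08,0x00, 0x00,0x00,           /* echo request; checksum not recomputed (assumption) */
        0x02,0x00, 0x24,0x0C };         /* ID 512, Seq 9228 */
    size_t n = 0, i;

    if (bufsz < ETH_HLEN + 20 + ICMP_HLEN + 56) return 0;
    memcpy(buf + n, eth, ETH_HLEN);   n += ETH_HLEN;
    memcpy(buf + n, ipv4, 20);
    buf[n + 2] = (uint8_t)(claimed_total_len >> 8);
    buf[n + 3] = (uint8_t)(claimed_total_len & 0xff);
    n += 20;
    memcpy(buf + n, icmp, ICMP_HLEN); n += ICMP_HLEN;
    for (i = 0; i < 56; i++) buf[n + i] = (uint8_t)i;   /* constructed payload pattern */
    return n + 56;
}

int main(void)
{
    uint8_t frame[256];
    size_t caplen = build_sample_frame(frame, sizeof frame, 2056);
    struct icmp_bounds b = bound_icmp_payload(frame, caplen);
    printf("captured %zu bytes, DgmLen %zu, naive payload %zu, safe payload %zu%s\n",
           caplen, b.claimed_len, b.naive_len, b.payload_len,
           b.truncated ? " (length field exceeds capture)" : "");
    return 0;
}
```

The decision that matters is in `bound_icmp_payload`: `usable` is the minimum of the header's claim and the captured datagram, so a DgmLen of 2056 on an 84-byte datagram yields a 56-byte payload instead of 2028. The `naive_len` field is kept only to show the figure an unchecked dump routine would attempt.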