[Snort-users] screwy windows ICMP

Doug White dwhite at ...1486...
Mon Mar 12 19:32:50 EST 2001


Please boot me in the head if this belongs elsewhere.

We have windows boxes that appear to be fond of generating illegal ICMP
PING packets.  In particular, they send 56 bytes of data but list the
length as 2056 bytes.

It appears that snort doesn't pay attention to this and ensure the payload
is actually the proper length when it prints the packet contents.  So you
end up with logged packets that look like this (translation provided by

[**] IDS246/dos-large-icmp [**]
03/12-16:12:23.979130 0:10:83:FA:13:38 -> 0:D0:B7:90:3E:3A type:0x800
len:0x83C -> ICMP TTL:128 TOS:0x0 ID:28464 IpLen:20
Type:8  Code:0  ID:512   Seq:9228  ECHO
0x0000: 00 D0 B7 90 3E 3A 00 10 83 FA 13 38 08 00 45 00  ....>:.....8..E.
0x0010: 08 08 6F 30 00 00 80 01 56 FF D8 88 D7 03 40 29  ..o0....V.....@)
0x0020: 82

^ that 0 up there is on the previous line; it doesn't wrap.

I fear there is a possible buffer overflow lurking here.  This is in snort
1.7 on FreeBSD 4.2-RELEASE.

Please tell me snort isn't vulnerable :-)  Thanks!

Doug White                    |  FreeBSD: The Power to Serve
dwhite at ...1486...     |  www.FreeBSD.org
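As an added example (not code from the post or from Snort), this is the check a packet printer should apply to the situation described above: treat the IP total-length field as untrusted and bound every read by the captured length, so a 2056-byte claim over a 56-byte payload is flagged instead of walked. The Ethernet and IP header bytes are taken from the dump in the post; the final destination-address byte, the ICMP echo header and the 56 data bytes after it are constructed to complete the frame.

```c
#include <stdint.h>
#include <stdio.h>

#define ETH_HLEN 14
#define ICMP_HLEN 8

/* Result of a defensive length check on a captured Ethernet/IPv4/ICMP frame. */
struct len_check {
    unsigned claimed;   /* IP total length field, as written by the sender */
    unsigned captured;  /* bytes of the IP packet actually present in the capture */
    unsigned safe;      /* ICMP payload bytes that may be read without overrunning */
    int mismatch;       /* 1 if the header claims more bytes than were captured */
};

/* Validate the IP total length against caplen. Returns 0 on success, -1 if the
 * frame is too short for the headers. The total-length field is untrusted:
 * every size handed back is bounded by caplen, never by the header alone. */
int check_icmp_length(const uint8_t *frame, size_t caplen, struct len_check *out)
{
    if (caplen < ETH_HLEN + 20) return -1;           /* no full IP header */
    const uint8_t *ip = frame + ETH_HLEN;
    unsigned ihl = (ip[0] & 0x0f) * 4;
    if ((ip[0] >> 4) != 4 || ihl < 20) return -1;    /* not IPv4 / bad IHL */
    if (caplen < ETH_HLEN + ihl + ICMP_HLEN) return -1;
    out->claimed  = ((unsigned)ip[2] << 8) | ip[3];
    out->captured = (unsigned)(caplen - ETH_HLEN);
    out->mismatch = out->claimed > out->captured;
    unsigned usable = out->mismatch ? out->captured : out->claimed;
    out->safe = usable > ihl + ICMP_HLEN ? usable - ihl - ICMP_HLEN : 0;
    return 0;
}

/* Constructed frame: Ethernet + IP header bytes from the post's dump (IP total
 * length 0x0808 = 2056), then a made-up ICMP echo header and 56 zero data bytes. */
static uint8_t frame[ETH_HLEN + 20 + ICMP_HLEN + 56] = {
    0x00,0xD0,0xB7,0x90,0x3E,0x3A, 0x00,0x10,0x83,0xFA,0x13,0x38, 0x08,0x00,
    0x45,0x00,0x08,0x08, 0x6F,0x30,0x00,0x00, 0x80,0x01,0x56,0xFF,
    0xD8,0x88,0xD7,0x03, 0x40,0x29,0x82,0x01,  /* last dst byte is constructed */
    0x08,0x00,0x00,0x00, 0x02,0x00,0x24,0x0C,  /* echo request, id 512, seq 9228 */
    /* 56 data bytes are left zero by the initializer */
};

int main(void)
{
    struct len_check r;
    if (check_icmp_length(frame, sizeof frame, &r) != 0) return 1;
    printf("claimed %u, captured %u, mismatch %d, safe payload %u bytes\n",
           r.claimed, r.captured, r.mismatch, r.safe);
    return 0;
}
```

With the constructed frame the check reports a claimed length of 2056 against 84 captured bytes and limits any hex dump to the 56 payload bytes that actually exist.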
