[Snort-users] screwy windows ICMP

Martin Roesch roesch at ...421...
Mon Mar 12 20:21:54 EST 2001


By the way, we implemented code to solve just this problem long before
1.7 shipped.  This may be a problem in the -X full packet printout code
though...

   -Marty

Doug White wrote:
> 
> Hello,
> 
> Please boot me in the head if this belongs elsewhere.
> 
> We have windows boxes that appear to be fond of generating illegal ICMP
> PING packets.  In particular, they send 56 bytes of data but list the
> length as 2056 bytes.
> 
> It appears that snort doesn't pay attention to this and ensure the payload
> is actually the proper length when it prints the packet contents.  So you
> end up with logged packets that look like this (translation provided by
> less(1)):
> 
> [**] IDS246/dos-large-icmp [**]
> 03/12-16:12:23.979130 0:10:83:FA:13:38 -> 0:D0:B7:90:3E:3A type:0x800
> len:0x83C
> 216.136.215.3 -> 64.41.130.11 ICMP TTL:128 TOS:0x0 ID:28464 IpLen:20
> DgmLen:2056
> Type:8  Code:0  ID:512   Seq:9228  ECHO
> 0x0000: 00 D0 B7 90 3E 3A 00 10 83 FA 13 38 08 00 45 00  ....>:.....8..E.
> 0x0010: 08 08 6F 30 00 00 80 01 56 FF D8 88 D7 03 40 29  ..o0....V.....@)
> 0x0020: 82
> O<A2>^A^X<A8>^Y0^W^B^A^W^B^B<FF>{^B^A<80>^B^A^C^B^A^A^B^A^X^B^B<FF>y
> ^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@.
> 
> ^ that 0 up there is on the previous line; it doesn't wrap.
> 
> I fear there is a possible buffer overflow lurking here.  This is in snort
> 1.7 on FreeBSD 4.2-RELEASE.
> 
> Please tell me snort isn't vulnerable :-)  Thanks!
> 
> Doug White                    |  FreeBSD: The Power to Serve
> dwhite at ...1486...     |  www.FreeBSD.org

--
Martin Roesch
roesch at ...421...
http://www.snort.org
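The check the thread is asking about, written as an added example rather than Snort's own code: clamp the IP header's DgmLen to the bytes actually captured before a packet printer walks the payload. The frame is constructed from the headers in the quoted log; the ICMP echo header (zero checksum) and the 56 bytes of payload are assumed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define ETH_HLEN   14
#define SAMPLE_LEN 98   /* 14 Ethernet + 20 IP + 8 ICMP + 56 payload bytes */

/* IP total length (DgmLen) claimed by the header; 0 if the capture cannot hold an IPv4 header. */
size_t ip_claimed_len(const uint8_t *frame, size_t caplen)
{
    if (caplen < ETH_HLEN + 20 || (frame[ETH_HLEN] >> 4) != 4)
        return 0;
    return ((size_t)frame[ETH_HLEN + 2] << 8) | frame[ETH_HLEN + 3];
}

/* Datagram bytes that may safely be read: DgmLen clamped to what the capture
 * actually holds. A printer that trusts DgmLen alone walks off the buffer. */
size_t ip_safe_len(const uint8_t *frame, size_t caplen)
{
    size_t claimed = ip_claimed_len(frame, caplen);
    if (claimed == 0) return 0;
    size_t avail = caplen - ETH_HLEN;
    return claimed < avail ? claimed : avail;
}
/* Hex-dump the datagram using only bytes that exist; returns bytes dumped. */
size_t dump_datagram(const uint8_t *frame, size_t caplen, FILE *out)
{
    size_t claimed = ip_claimed_len(frame, caplen);
    size_t n = ip_safe_len(frame, caplen);
    if (claimed > n)
        fprintf(out, "warning: DgmLen %zu > captured %zu bytes, truncating\n",
                claimed, n);
    for (size_t i = 0; i < n; i++)
        fprintf(out, "%02X%c", frame[ETH_HLEN + i],
                (i % 16 == 15 || i + 1 == n) ? '\n' : ' ');
    return n;
}

/* Constructed frame: Ethernet and IP headers as in the quoted log (DgmLen
 * 0x0808 = 2056, ID 0x6F30, 216.136.215.3 -> 64.41.130.11), an assumed ICMP
 * echo header with ID 512 / Seq 9228 and zero checksum, then 56 bytes of 'A'. */
const uint8_t *sample_frame(void)
{
    static uint8_t buf[SAMPLE_LEN] = {
        0x00,0xD0,0xB7,0x90,0x3E,0x3A, 0x00,0x10,0x83,0xFA,0x13,0x38, 0x08,0x00,
        0x45,0x00,0x08,0x08, 0x6F,0x30,0x00,0x00, 0x80,0x01,0x56,0xFF,
        0xD8,0x88,0xD7,0x03, 0x40,0x29,0x82,0x0B,
        0x08,0x00,0x00,0x00, 0x02,0x00,0x24,0x0C };
    memset(buf + 42, 'A', SAMPLE_LEN - 42);   /* payload; idempotent on repeat calls */
    return buf;
}
```

On the sample, the header claims 2056 bytes but the dump stops at the 84 datagram bytes that were actually captured.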