[Snort-users] attack hidden in path MTU discovery or snort 1.8.3 log weirdness? MISC Large ICMP Packet
mkettler at ...4108...
Mon Feb 11 10:31:05 EST 2002
This sounds and looks like it might be the snort 1.8.3 stream 4 reassembly
bug. See the "Re: Garbage in snort logs" thread. Quite frankly, I
personally would not touch snort 1.8.3 with a ten-foot pole after reading
the problems reported on the list which seem specific to that version. Go
with 1.8.4 beta, or with 1.8.2 and check for the ICMP header size bug.
You might also check the "snort 1.8.3 splicing packets" thread; Mandrake
8.0 may have inherited RedHat's bad libpcap:
>Is one of the systems a RedHat linux box (and why are you reporting bugs
>without following the BUGS file...)? If so, that's probably your
>problem, RedHat in their infinite wisdom decided to change the pcap
>headers for their distro, breaking the cross-platform nature of the pcap
>format. Check out pcapedit that comes with Ethereal, it should be able
>to fix the problems.
At 09:18 AM 2/11/2002 -0800, Paul Keser wrote:
>-----BEGIN PGP SIGNED MESSAGE-----
>Sorry for the long post. I wanted to include the strange portion of the
>Mandrake 8.0 hardened with bastille. masq internal net
>Snort Version 1.8.3 (Build 88) with most recent rules as of 01/26/2002
> homenet is set to ext addr of firewall with /32 mask
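Added example, not part of the original post and not Snort or libpcap code: a Python check for a capture file written with a changed pcap header, the condition the quoted reply describes. It assumes the changed header is the patched-libpcap savefile format (magic 0xa1b2cd34, 24-byte record headers); the function names and sample captures are constructed for illustration.

```python
import struct

# Magic numbers as defined in libpcap's savefile reader.
STANDARD_MAGIC = 0xA1B2C3D4  # classic format, 16-byte record header
MODIFIED_MAGIC = 0xA1B2CD34  # patched format, 24-byte record header

def classify(data):
    """Return (variant, endian, record_header_len) for a capture file."""
    if len(data) < 24:
        raise ValueError("shorter than the 24-byte pcap global header")
    for endian in ("<", ">"):
        (magic,) = struct.unpack(endian + "I", data[:4])
        if magic == STANDARD_MAGIC:
            return "standard", endian, 16
        if magic == MODIFIED_MAGIC:
            return "modified", endian, 24
    raise ValueError("not a pcap savefile")

def walk(data, rec_hdr_len=None):
    """Return caplen of each record; rec_hdr_len overrides the detected size."""
    _, endian, detected = classify(data)
    hdr_len = rec_hdr_len or detected
    (snaplen,) = struct.unpack(endian + "I", data[16:20])
    caplens, off = [], 24
    while off + hdr_len <= len(data):
        _, _, caplen, _ = struct.unpack(endian + "IIII", data[off:off + 16])
        # A reader using the wrong header size lands inside packet bytes here.
        if caplen > snaplen or off + hdr_len + caplen > len(data):
            raise ValueError("record at offset %d is inconsistent" % off)
        caplens.append(caplen)
        off += hdr_len + caplen
    return caplens

def build_sample(magic, extra):
    """Constructed two-packet capture; 'extra' is appended to each record header."""
    out = struct.pack("<IHHiIII", magic, 2, 4, 0, 0, 65535, 1)
    for payload in (b"\xff" * 60, b"\xff" * 42):
        out += struct.pack("<IIII", 1013441465, 0, len(payload), len(payload))
        out += extra + payload
    return out

# Constructed extra fields of the patched format: ifindex, protocol, pkt_type, pad.
PATCHED_EXTRA = struct.pack("<iHBx", 2, 0x0800, 0)
```

Calling `walk()` on the modified sample with `rec_hdr_len=16` shows the failure mode: the second record header is read from the middle of the first packet and the consistency check rejects it.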