[Snort-users] attack hidden in path MTU discovery or snort 1.8.3 log weirdness? MISC Large ICMP Packet

Matt Kettler mkettler at ...4108...
Mon Feb 11 10:31:05 EST 2002


This sounds and looks like it might be the snort 1.8.3 stream4 reassembly 
bug. See the "Re: Garbage in snort logs" thread. Quite frankly, I 
personally would not touch snort 1.8.3 with a ten-foot pole after reading 
the problems reported on the list which seem specific to that version. Go 
with 1.8.4 beta, or with 1.8.2 and check for the ICMP header size bug.


You might also check the "snort 1.8.3 splicing packets" thread. Mandrake 
8.0 may have inherited RedHat's bad libpcap:


>Is one of the systems a RedHat linux box (and why are you reporting bugs
>without following the BUGS file...)?  If so, that's probably your
>problem, RedHat in their infinite wisdom decided to change the pcap
>headers for their distro, breaking the cross-platform nature of the pcap
>format.  Check out pcapedit that comes with Ethereal, it should be able
>to fix the problems.


At 09:18 AM 2/11/2002 -0800, Paul Keser wrote:
>-----BEGIN PGP SIGNED MESSAGE-----
>Hash: SHA1
>
>Sorry for the long post.  I wanted to include the strange portion of the
>payload.
>
>Environment:
>Mandrake 8.0 hardened with bastille. masq internal net
>Snort Version 1.8.3 (Build 88) with most recent rules as of 01/26/2002
>         homenet is set to ext addr of firewall with /32 mask
>
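
As an added example (not code from this thread, from Snort, or from libpcap), the following Python reads a capture in either the standard libpcap file format or the Red Hat-modified variant that the quoted reply refers to, and rewrites the modified form as standard pcap, which is the repair pcapedit/editcap performs. It assumes the modified format as Wireshark documents it: global-header magic 0xa1b2cd34 and eight extra bytes (ifindex, protocol, pkt_type, pad) after each standard 16-byte record header. The two-packet capture it builds is constructed inline for the demonstration, not a real trace.

```python
"""Detect and normalize the Red Hat-modified libpcap file format.

Standard pcap: 24-byte global header (magic 0xa1b2c3d4) followed by records,
each with a 16-byte header (ts_sec, ts_usec, incl_len, orig_len).  The
modified libpcap shipped with some Red Hat releases writes magic 0xa1b2cd34
and appends ifindex (u32), protocol (u16), pkt_type (u8), pad (u8) to every
record header.  A reader that assumes 16-byte record headers takes those
8 bytes as the start of the packet and then loses sync on the next record.
(The nanosecond-resolution magic 0xa1b23c4d is not handled here.)
"""
import struct

PCAP_MAGIC = 0xA1B2C3D4
PCAP_MODIFIED_MAGIC = 0xA1B2CD34
# magic, version_major, version_minor, thiszone, sigfigs, snaplen, linktype
GLOBAL_HDR_FMT = "IHHiIII"
REC_HDR_FMT = "IIII"          # ts_sec, ts_usec, incl_len, orig_len
MODIFIED_EXTRA_FMT = "IHBB"   # ifindex, protocol, pkt_type, pad


def detect_format(data):
    """Return (struct endianness prefix, is_modified) from the magic number."""
    if len(data) < 24:
        raise ValueError("truncated pcap: no global header")
    for endian in ("<", ">"):
        magic = struct.unpack(endian + "I", data[:4])[0]
        if magic == PCAP_MAGIC:
            return endian, False
        if magic == PCAP_MODIFIED_MAGIC:
            return endian, True
    raise ValueError("not a libpcap file (magic %r)" % (data[:4],))


def iter_records(data):
    """Yield (ts_sec, ts_usec, orig_len, packet_bytes) for every record,
    skipping the 8 extra header bytes when the file is in the modified format."""
    endian, modified = detect_format(data)
    rec_size = 16 + (8 if modified else 0)
    off = 24
    while off < len(data):
        if off + rec_size > len(data):
            raise ValueError("truncated record header at offset %d" % off)
        ts_sec, ts_usec, incl_len, orig_len = struct.unpack(
            endian + REC_HDR_FMT, data[off:off + 16])
        start = off + rec_size
        end = start + incl_len
        if end > len(data):
            raise ValueError("record at offset %d runs past end of file" % off)
        yield ts_sec, ts_usec, orig_len, data[start:end]
        off = end


def to_standard_pcap(data):
    """Rewrite a capture (standard or modified) as standard libpcap bytes."""
    endian, _modified = detect_format(data)
    fields = list(struct.unpack(endian + GLOBAL_HDR_FMT, data[:24]))
    fields[0] = PCAP_MAGIC
    out = [struct.pack(endian + GLOBAL_HDR_FMT, *fields)]
    for ts_sec, ts_usec, orig_len, pkt in iter_records(data):
        out.append(struct.pack(endian + REC_HDR_FMT, ts_sec, ts_usec, len(pkt), orig_len))
        out.append(pkt)
    return b"".join(out)


def build_sample(modified):
    """Constructed two-packet Ethernet capture (not a real trace), little-endian,
    in either the standard or the Red Hat-modified layout."""
    magic = PCAP_MODIFIED_MAGIC if modified else PCAP_MAGIC
    hdr = struct.pack("<" + GLOBAL_HDR_FMT, magic, 2, 4, 0, 0, 1500, 1)
    pkts = [b"\x00" * 12 + b"\x08\x00" + b"E" * 30,   # fake IPv4 frame
            b"\xff" * 12 + b"\x08\x06" + b"A" * 28]   # fake ARP frame
    body = []
    for i, p in enumerate(pkts):
        body.append(struct.pack("<" + REC_HDR_FMT, 1013445000 + i, 0, len(p), len(p)))
        if modified:
            body.append(struct.pack("<" + MODIFIED_EXTRA_FMT, 2, 0x0800, 0, 0))
        body.append(p)
    return hdr + b"".join(body)


if __name__ == "__main__":
    bad = build_sample(True)
    print("format:", detect_format(bad))
    fixed = to_standard_pcap(bad)
    print("converted matches standard layout:", fixed == build_sample(False))
```

The converter only needs to know the record-header length; the extra ifindex/protocol/pkt_type fields are dropped because standard pcap has nowhere to carry them. Running it over a capture from the Mandrake box before feeding that capture to any other tool is a quick way to rule the libpcap format in or out as the source of mis-parsed packets.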