[Snort-users] ACID: Bug in decoding of ICMP packets payload?

Jesus Couto jesus.couto at ...3830...
Wed Jan 9 07:46:04 EST 2002


As we are getting a lot of ICMP destination unreachable messages, I was 
looking at them, but the decoding of the payload was very weird... 
protocol 164, origin IP in the payload not matching the destination of the ICMP 
packet, very weird destination IP, etc... I was suspecting 
some very strange activity, but somebody pointed out that the machine 
receiving the ICMP is the NTP server, and as NTP uses port 123...

It seems that there is a bug in the decoding of ICMP packets payloads... 
see in acid_qry_alert.php :

     PrintPacketPayload($myrow2[0], $myrow3[0], 1);

     // $layer4_proto == 1 is ICMP; types 3 (destination unreachable) and
     // 11 (time exceeded) carry the offending IP header in their payload.
     if ( $layer4_proto == "1" ) {
      if ( $ICMPitype == "3" || $ICMPitype == "11" ) {
          if ( $ICMPicode == "0" || $ICMPicode == "1" || $ICMPicode == 
"3" || $ICMPicode == "4" || $ICMPicode == "9" || $ICMPicode == "13" ) {
              // $work is the payload as a string of hex digits, two per byte,
              // with the line breaks of the stored dump removed.
              $work = str_replace("\n","",$myrow2[0]);
              // Hex characters 32..39 are bytes 16..19 of the embedded IP
              // header, i.e. the destination address, not the source
              // (which sits at bytes 12..15, hex characters 24..31).
              $ICMPIP0 = hexdec($work[32].$work[33]);
              $ICMPIP1 = hexdec($work[34].$work[35]);
              $ICMPIP2 = hexdec($work[36].$work[37]);
              $ICMPIP3 = hexdec($work[38].$work[39]);
              // Hex characters 40..47 are bytes 20..23, already past a
              // 20-byte header, so this reads the transport header, not
              // the destination address.
              $ICMPIP4 = hexdec($work[40].$work[41]);
              $ICMPIP5 = hexdec($work[42].$work[43]);
              $ICMPIP6 = hexdec($work[44].$work[45]);
              $ICMPIP7 = hexdec($work[46].$work[47]);
          }
      }
     }


Now $ICMPIP0 is meant to hold the first 8 bits of the IP address, 
$ICMPIP1 the second, and so on, so all these vars add up to the origin and 
destination IP in the payload... but the offset is wrong. Assuming that 
$work has the payload as a string of hexadecimal digits, the offset for 
the source IP would be at character 24 of the string (the source IP is 
after the 96 bits that compose the rest of the header, and that's 24 hex 

I changed the offsets and now it is displaying the correct information 
(not taking into account that the original code doesn't allow for options 
in the IP header; in that case source and destination ports wouldn't be 
correctly displayed).

I'm using MySQL as the backend.

Is this correct? Am I overlooking something? Does the original code 
not work because I have something misconfigured, or is it really a bug?

Thanks in advance.

Jesús Couto F.
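The offset problem described in the post, worked through as an added example. This is not ACID's code and not part of the original message; it is a small Python decoder written for illustration, with a constructed hex payload (an ICMP type 3 message quoting a UDP 123 to 123 datagram, checksums zeroed) standing in for what ACID stores in $myrow2[0]. It reads the embedded IPv4 header by its real field offsets, honours the IHL field so IP options do not shift the port fields, and keeps a fixed-offset reader next to it to show why hex character 32 yields the destination address as the "source" and the first UDP bytes as a bogus "destination".

```python
import struct
from dataclasses import dataclass
from typing import Optional

# Constructed sample payloads (not captured traffic): the quoted IPv4 header
# plus the first 8 bytes of the original datagram, as hex text. Checksums
# are left as 0000 because nothing here verifies them.
SAMPLE_NO_OPTIONS = (
    "4500004c00010000"   # ver 4 / IHL 5, TOS 0, total len 76, id 1, flags/frag 0
    "4011"               # TTL 64, protocol 17 (UDP)
    "0000"               # header checksum (constructed, zero)
    "c000020a"           # source      192.0.2.10
    "c0000214"           # destination 192.0.2.20
    "007b007b00380000"   # UDP: sport 123, dport 123, length 56, checksum 0
)
SAMPLE_WITH_OPTIONS = (
    "4600005000010000"   # IHL 6: 24-byte header with a 4-byte option block
    "4011" "0000"
    "c000020a" "c0000214"
    "01010100"           # options: NOP NOP NOP EOL
    "007b007b00380000"   # UDP starts at byte 24 here, not 20
)


@dataclass
class EmbeddedDatagram:
    ihl_bytes: int
    protocol: int
    src: str
    dst: str
    src_port: Optional[int]
    dst_port: Optional[int]


def _dotted(octets: bytes) -> str:
    return ".".join(str(b) for b in octets)


def decode_icmp_error_payload(hex_payload: str) -> EmbeddedDatagram:
    """Decode the IP header (and ports, for TCP/UDP) quoted inside an ICMP
    destination-unreachable / time-exceeded payload given as hex text."""
    raw = bytes.fromhex("".join(hex_payload.split()))
    if len(raw) < 20:
        raise ValueError("payload shorter than a minimal IPv4 header")
    if raw[0] >> 4 != 4:
        raise ValueError("quoted header is not IPv4")
    ihl_bytes = (raw[0] & 0x0F) * 4          # IHL is in 32-bit words
    if ihl_bytes < 20 or len(raw) < ihl_bytes:
        raise ValueError("bad or truncated IHL")
    protocol = raw[9]                         # byte 9 of the IPv4 header
    src = _dotted(raw[12:16])                 # bytes 12..15 = hex chars 24..31
    dst = _dotted(raw[16:20])                 # bytes 16..19 = hex chars 32..39
    src_port = dst_port = None
    # RFC 792 guarantees at least 8 bytes of the original datagram follow the
    # header; for TCP (6) and UDP (17) the ports are its first four bytes,
    # located after the *actual* header length, options included.
    if protocol in (6, 17) and len(raw) >= ihl_bytes + 4:
        src_port, dst_port = struct.unpack("!HH", raw[ihl_bytes:ihl_bytes + 4])
    return EmbeddedDatagram(ihl_bytes, protocol, src, dst, src_port, dst_port)


def decode_with_fixed_hex_offsets(hex_payload: str, start: int = 32):
    """Mimic the fixed-offset reader from the post: eight octets taken from
    hex character `start` onward, no regard for the header layout. With
    start=32 it returns (destination, first UDP/TCP bytes); with start=24
    it is right only while the header has no options."""
    work = hex_payload.replace("\n", "")
    octets = [int(work[i:i + 2], 16) for i in range(start, start + 16, 2)]
    return _dotted(bytes(octets[:4])), _dotted(bytes(octets[4:]))


if __name__ == "__main__":
    print("fixed offset 32:", decode_with_fixed_hex_offsets(SAMPLE_NO_OPTIONS, 32))
    print("fixed offset 24:", decode_with_fixed_hex_offsets(SAMPLE_NO_OPTIONS, 24))
    print("by field:       ", decode_icmp_error_payload(SAMPLE_NO_OPTIONS))
    print("with options:   ", decode_icmp_error_payload(SAMPLE_WITH_OPTIONS))
```

Running it prints the bogus pair the fixed reader produces at offset 32 (the original destination labelled as source, and 0.123.0.123 as destination, which is just the two NTP port numbers read as an address), the correct pair at offset 24, and the field-based decode, which also reports ports 123/123 for the header that carries options.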
