Snort mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Snort dumps core on Solaris 8

From: Neil Dickey <neil () geol niu edu>
Date: Thu, 7 Jun 2001 12:56:54 -0500 (CDT)

Phil Wood <cpw () lanl gov> wrote to the IPFilter list:


I've also seen problems with defrag, but have not gotten any confirmation.
It is my experience that certain fragment sequences in conjunction with
some unknown force cause the creation of mutant packets, that is:

  IP: proto=icmp (20 byte header)
  DATA from somewhere in snort memory (not another incoming packet)

Makes for some real weird ICMP type / code packets if you are looking for
that sort of thing.


I've been seeing alerts like these:

=====================================================
[**] PING-ICMP Destination Unreachable [**]
06/03-00:56:43.763294 12.127.237.65 -> xxx.yyy.zzz
ICMP TTL:241 TOS:0x0 ID:14290 IpLen:20 DgmLen:56
Type:3  Code:13  DESTINATION UNREACHABLE: PACKET FILTERED
** ORIGINAL DATAGRAM DUMP:
xxx.yyy.zzz:25 -> 128.138.77.15:38058
TCP TTL:246 TOS:0x0 ID:24527 IpLen:20 DgmLen:40
12U*PRS* Seq: 0xD1F97B19  Ack: 0x0  Win: 0x0  TcpLen: 0  UrgPtr: 0x0
** END OF DUMP
======================================================

What particularly interests me is the really unusual collection of flags
reported for the original datagram, viz., 12U*PRS* .  Is this the sort of
thing you are referring to?

Best regards,

Neil Dickey, Ph.D.
Research Associate/Sysop
Geology Department
Northern Illinois University
DeKalb, Illinois
60115



_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
Previous By Date Next
Previous By Thread Next

Current thread: