Snort mailing list archives
Re: Sudden surge of MISC IP Reserved bit set
From: Phil Wood <cpw () lanl gov>
Date: Fri, 10 Aug 2001 11:41:54 -0600
On Fri, Aug 10, 2001 at 01:25:28PM -0400, Tom Sevy wrote:

> 1.8 Release Build 43

I don't go back that far, but have a Build 59 with this code:

    p->rf = (p->frag_offset & 0x8000) >> 15;

That ought to work correctly. So, it's probably something else: either a clobbered packet, or it's on the wire like that. You could go read the man page for tcpdump (which is what I would have to do), and figure out a filter to look for that bit being on in the IP header, and run a tcpdump sensor in parallel with your snort to see if it catches the packets also. Or, by the time you get this message, someone else has figured this one out!

> -----Original Message-----
> From: Phil Wood [mailto:cpw () lanl gov]
> Sent: Friday, August 10, 2001 1:22 PM
> To: Tom Sevy
> Subject: Re: [Snort-users] Sudden surge of MISC IP Reserved bit set
>
> snort -V
>
> On Fri, Aug 10, 2001 at 01:13:12PM -0400, Tom Sevy wrote:
>
> > Yes, it was a recent version. Is there a way (read: easy way) to tell what build number it is?
> >
> > -----Original Message-----
> > From: Phil Wood [mailto:cpw () lanl gov]
> > Sent: Friday, August 10, 2001 1:11 PM
> > To: Tom Sevy
> > Cc: snort-users () lists sourceforge net
> > Subject: Re: [Snort-users] Sudden surge of MISC IP Reserved bit set
> >
> > By any chance have you upgraded snort recently? %^)
> >
> > I believe I saw a series of changes to decode.c which might have broken, then fixed, a problem in the area of checking the bits in the fragment offset field. The broken version was Version 1.8.1-beta5 (Build 60) with problem code:
> >
> >     p->rf = (u_int8_t)(p->frag_offset & 0x8000) >> 15;
> >
> > I don't know what happens when you shift an 8 bit quantity 15 bits. %^) A correct version has something like:
> >
> >     p->rf = (u_int8_t)((p->frag_offset & 0x8000) >> 15);
> >
> > On Fri, Aug 10, 2001 at 09:44:23AM -0400, Tom Sevy wrote:
> >
> > > This morning, for an unknown reason(s), I am seeing a deluge of MISC IP Reserved bit set. Starting at 9:18, until 9:38 (about 20 minutes) I saw 53,152 of these show up. 77 sources, 43 destinations. Any idea what would cause this? We run a mix of MS & *nix systems.
> > >
> > > Here's a sample (minus payload):
> > >
> > >     #(2 - 74518) [2001-08-10 09:30:49] MISC IP Reserved bit set
> > >     IPv14: 192.168.12.249 -> 192.168.10.10 hlen=7 TOS=0 dlen=204 ID=32769 flags=0 offset=0 TTL=55 chksum=194
> > >     Payload: length = 164

-- 
Phil Wood, cpw () lanl gov

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
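As an added illustration (not code from Snort or from anyone in the thread), the following C program decodes the 16-bit flags/fragment-offset field the way decode.c does and evaluates both expressions Phil quotes side by side. The two 20-byte IPv4 headers are constructed for the example; the names rf_build60, rf_fixed and decode_frag are this example's own.

```c
#include <stdint.h>
#include <stdio.h>

/* Decoded IPv4 flags/fragment-offset field: the fields Snort's decoder fills. */
struct ip_frag {
    uint8_t  rf;      /* reserved bit (must be zero); "MISC IP Reserved bit set" keys on it */
    uint8_t  df;      /* don't fragment */
    uint8_t  mf;      /* more fragments */
    uint16_t offset;  /* fragment offset, in 8-byte units */
};

/* Bytes 6-7 of the header in host order, what Snort gets from ntohs(ip_off). */
static uint16_t ip_frag_field(const uint8_t *hdr)
{
    return (uint16_t)((hdr[6] << 8) | hdr[7]);
}

/* Build 60 expression: the cast binds tighter than >>, so (frag_offset & 0x8000)
 * is narrowed to 8 bits (always 0) before the shift. The result is always 0. */
uint8_t rf_build60(uint16_t frag_offset)
{
    return (uint8_t)(frag_offset & 0x8000) >> 15;
}

/* Corrected expression: mask and shift in 16 bits, then narrow the 0/1 result. */
uint8_t rf_fixed(uint16_t frag_offset)
{
    return (uint8_t)((frag_offset & 0x8000) >> 15);
}

struct ip_frag decode_frag(const uint8_t *hdr)
{
    uint16_t f = ip_frag_field(hdr);
    struct ip_frag r = { rf_fixed(f), (uint8_t)((f & 0x4000) >> 14),
                         (uint8_t)((f & 0x2000) >> 13), (uint16_t)(f & 0x1fff) };
    return r;
}

/* Constructed headers (not a real capture): one with the reserved bit set, one
 * ordinary DF packet. Addresses are the private ones from the sample alert. */
static const uint8_t HDR_RF[20] = { 0x45,0x00,0x00,0xcc, 0x80,0x01,0x80,0x00,
                                    0x37,0x06,0x00,0x00, 192,168,12,249, 192,168,10,10 };
static const uint8_t HDR_DF[20] = { 0x45,0x00,0x00,0xcc, 0x80,0x01,0x40,0x00,
                                    0x37,0x06,0x00,0x00, 192,168,12,249, 192,168,10,10 };

int main(void)
{
    const uint8_t *hdrs[2] = { HDR_RF, HDR_DF };
    for (int i = 0; i < 2; i++) {
        uint16_t f = ip_frag_field(hdrs[i]);
        struct ip_frag r = decode_frag(hdrs[i]);
        printf("frag=0x%04x rf(build60)=%u rf(fixed)=%u df=%u mf=%u offset=%u\n",
               (unsigned)f, (unsigned)rf_build60(f), (unsigned)r.rf,
               (unsigned)r.df, (unsigned)r.mf, (unsigned)r.offset);
    }
    return 0;
}
```

Because the cast in the Build 60 line applies before the shift, that expression evaluates to 0 for every packet, so a decoder built with it would never set rf; the corrected line recovers the bit. To check the same bit on the wire, as Phil suggests, the tcpdump filter `ip[6] & 0x80 != 0` matches packets whose reserved flag is set.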
Current thread:
- Sudden surge of MISC IP Reserved bit set Tom Sevy (Aug 10)
- Re: Sudden surge of MISC IP Reserved bit set Phil Wood (Aug 10)
- Re: Sudden surge of MISC IP Reserved bit set Martin Roesch (Aug 10)
- Re: Sudden surge of MISC IP Reserved bit set John Sage (Aug 10)
- <Possible follow-ups>
- Re: Sudden surge of MISC IP Reserved bit set Phil Wood (Aug 10)
- Re: Sudden surge of MISC IP Reserved bit set Phil Wood (Aug 10)