Snort mailing list archives

Re: attack hidden in path MTU discovery or snort 1.8.3 log weirdness? MISC Large ICMP Packet


From: Matt Kettler <mkettler () evi-inc com>
Date: Mon, 11 Feb 2002 13:31:50 -0500

This sounds and looks like it might be the snort 1.8.3 stream 4 reassembly bug. See the "Re: Garbage in snort logs" thread. Quite frankly, I personally would not touch snort 1.8.3 with a ten-foot pole after reading the problems reported on the list which seem specific to that version. Go with 1.8.4 beta, or with 1.8.2 and check for the ICMP header size bug.


You might also check the "snort 1.8.3 splicing packets" thread, Mandrake 8.0 may have inherited RedHat's bad libpcap:


Is one of the systems a RedHat linux box (and why are you reporting bugs
without following the BUGS file...)?  If so, that's probably your
problem, RedHat in their infinite wisdom decided to change the pcap
headers for their distro, breaking the cross-platform nature of the pcap
format.  Check out pcapedit that comes with Ethereal, it should be able
to fix the problems.


At 09:18 AM 2/11/2002 -0800, Paul Keser wrote:

Sorry for the long post.  I wanted to include the strange portion of the
payload.

Environment:
Mandrake 8.0 hardened with Bastille. masq internal net
Snort Version 1.8.3 (Build 88) with most recent rules as of 01/26/2002
        homenet is set to ext addr of firewall with /32 mask
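
As an added illustration of the libpcap point quoted above (example code, not from the thread or from Snort): the script below parses a pcap global header, distinguishes the standard format from the Kuznetsov "modified" format whose 0xa1b2cd34 magic and 24-byte record headers RedHat's patched libpcap wrote, rewrites such a file to standard pcap, and rejects records whose caplen is implausible. That the modified format is the one the thread means, and the constructed sample capture, are assumptions of this example.

```python
import struct

# Global-header magic values of the libpcap format. The "modified" one is the
# Kuznetsov patch RedHat shipped (assumed here to be the variant discussed).
PCAP_MAGIC = 0xA1B2C3D4
PCAP_MODIFIED_MAGIC = 0xA1B2CD34

def identify_pcap(data: bytes) -> dict:
    """Parse the 24-byte global header: endianness, variant, snaplen, link type."""
    if len(data) < 24:
        raise ValueError("truncated pcap global header")
    for endian in ("<", ">"):
        magic = struct.unpack(endian + "I", data[:4])[0]
        if magic in (PCAP_MAGIC, PCAP_MODIFIED_MAGIC):
            break
    else:
        raise ValueError("unknown pcap magic %s" % data[:4].hex())
    vmaj, vmin, _tz, _sig, snaplen, linktype = struct.unpack(endian + "HHiIII", data[4:24])
    return {"endian": endian, "modified": magic == PCAP_MODIFIED_MAGIC,
            "version": (vmaj, vmin), "snaplen": snaplen, "linktype": linktype}

def to_standard_pcap(data: bytes) -> bytes:
    """Drop the 8 extra bytes (ifindex, protocol, pkt_type, pad) that each
    modified-format record header carries; a reader assuming 16-byte headers
    mis-aligns after the first packet and sees garbage lengths and payloads."""
    info = identify_pcap(data)
    e, rec_len = info["endian"], (24 if info["modified"] else 16)
    out = bytearray(struct.pack(e + "I", PCAP_MAGIC) + data[4:24])
    off = 24
    while off + rec_len <= len(data):
        ts_sec, ts_usec, caplen, length = struct.unpack(e + "IIII", data[off:off + 16])
        if caplen > info["snaplen"] or caplen > length:
            raise ValueError("implausible caplen %d at offset %d" % (caplen, off))
        pkt = data[off + rec_len:off + rec_len + caplen]
        if len(pkt) != caplen:
            raise ValueError("truncated record at offset %d" % off)
        out += struct.pack(e + "IIII", ts_sec, ts_usec, caplen, length) + pkt
        off += rec_len + caplen
    if off != len(data):
        raise ValueError("%d trailing bytes after last record" % (len(data) - off))
    return bytes(out)

def build_sample_modified_pcap() -> bytes:
    """Constructed sample: one short dummy frame in the modified record format."""
    frame = bytes(range(14)) + b"\x45\x00\x00\x1c"  # constructed, not a real capture
    ghdr = struct.pack("<IHHiIII", PCAP_MODIFIED_MAGIC, 2, 4, 0, 0, 1514, 1)
    rhdr = struct.pack("<IIII", 1013436700, 123, len(frame), len(frame))
    extra = struct.pack("<IHBB", 2, 0x0800, 0, 0)  # ifindex, protocol, pkt_type, pad
    return ghdr + rhdr + extra + frame
```

A capture that raises on an implausible caplen, rather than one that converts cleanly, is the signature of a writer and reader disagreeing on the record header layout.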



_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

