Snort mailing list archives
Re: attack hidden in path MTU discovery or snort 1.8.3 log weirdness? MISC Large ICMP Packet
From: Matt Kettler <mkettler () evi-inc com>
Date: Mon, 11 Feb 2002 13:31:50 -0500
This sounds and looks like it might be the snort 1.8.3 stream 4 reassembly bug. See the "Re: Garbage in snort logs" thread. Quite frankly, I personally would not touch snort 1.8.3 with a ten foot pole after reading the problems reported on the list which seem specific to that version. Go with 1.8.4 beta, or with 1.8.2 and check for the ICMP header size bug.
You might also check the "snort 1.8.3 splicing packets" thread, Mandrake 8.0 may have inherited RedHat's bad libpcap:
Is one of the systems a RedHat linux box (and why are you reporting bugs without following the BUGS file...)? If so, that's probably your problem, RedHat in their infinite wisdom decided to change the pcap headers for their distro, breaking the cross-platform nature of the pcap format. Check out pcapedit that comes with Ethereal, it should be able to fix the problems.
At 09:18 AM 2/11/2002 -0800, Paul Keser wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Sorry for the long post. I wanted to include the strange portion of the payload.

Environment:
Mandrake 8.0 hardened with bastille.
masq internal net
Snort Version 1.8.3 (Build 88) with most recent rules as of 01/26/2002
homenet is set to ext addr of firewall with /32 mask
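Added example, not part of the original thread or of Snort or libpcap: one way to check whether a capture file carries the modified pcap record headers mentioned in the reply above. It assumes the change in question is the patched-libpcap layout (magic 0xa1b2cd34, 24-byte record headers instead of 16), and it also walks the records because the magic number alone may not reveal the layout; build_capture and its sample bytes are constructed for the demonstration.

```python
import struct

# Magic values as defined in libpcap's savefile reader. The 24-byte record
# layout for the patched format is assumed to be the change the post means.
STANDARD_MAGIC = 0xA1B2C3D4
PATCHED_MAGIC = 0xA1B2CD34
GLOBAL_HDR_LEN = 24

def walks_cleanly(data, endian, rec_hdr_len, snaplen):
    """True if every record parses with this header size and ends at EOF."""
    off = GLOBAL_HDR_LEN
    while off < len(data):
        if off + rec_hdr_len > len(data):
            return False
        _sec, usec, caplen, wirelen = struct.unpack_from(endian + "IIII", data, off)
        # Implausible fields mean we are reading payload bytes as a header.
        if usec >= 1_000_000 or caplen > wirelen or caplen > max(snaplen, 65535):
            return False
        off += rec_hdr_len + caplen
    return off == len(data)

def classify_pcap(data):
    """Return (variant, record_header_len) for capture file bytes."""
    if len(data) < GLOBAL_HDR_LEN:
        return ("not-pcap", None)
    for endian in ("<", ">"):
        magic, = struct.unpack_from(endian + "I", data, 0)
        if magic in (STANDARD_MAGIC, PATCHED_MAGIC):
            break
    else:
        return ("not-pcap", None)
    if magic == PATCHED_MAGIC:
        return ("patched-magic", 24)
    snaplen, = struct.unpack_from(endian + "I", data, 16)
    # Standard magic does not prove standard records, so test both layouts.
    if walks_cleanly(data, endian, 16, snaplen):
        return ("standard", 16)
    if walks_cleanly(data, endian, 24, snaplen):
        return ("patched-records-standard-magic", 24)
    return ("corrupt-or-unknown", None)

def build_capture(magic, rec_hdr_len, payloads):
    """Constructed sample data: little-endian capture with the given layout."""
    out = struct.pack("<IHHiIII", magic, 2, 4, 0, 0, 1514, 1)
    for i, p in enumerate(payloads):
        out += struct.pack("<IIII", 1013452310 + i, 1000, len(p), len(p))
        out += b"\x00" * (rec_hdr_len - 16) + p
    return out
```

Run classify_pcap on the bytes of a log before feeding it to a reader on another platform; a 24-byte result means the reader must understand the modified records or the file needs converting first.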