Snort mailing list archives

ACID: Bug in decoding of ICMP packets payload?


From: Jesus Couto <jesus.couto () satec es>
Date: Wed, 09 Jan 2002 16:42:57 +0100

Hi,

As we are getting a lot of ICMP destination unreachable messages, I was looking at them, but the decoding of the payload was very weird... protocol 164, origin IP in the payload not matching the destination of the ICMP packet, a very weird destination IP (0.123.0.123), etc... I was suspecting some very strange activity, but somebody pointed out that the machine receiving the ICMP is the NTP server, and as NTP uses port 123...

It seems that there is a bug in the decoding of ICMP packet payloads... see acid_qry_alert.php:

...
    PrintPacketPayload($myrow2[0], $myrow3[0], 1);

    if ( $layer4_proto == "1" )
    {
        if ( $ICMPitype == "3" || $ICMPitype == "11" )
        {
            if ( $ICMPicode == "0" || $ICMPicode == "1" || $ICMPicode == "3" || $ICMPicode == "4" || $ICMPicode == "9" || $ICMPicode == "13" )
            {
                $work = str_replace("\n","",$myrow2[0]);
                $ICMPIP0 = hexdec($work[32].$work[33]);
                $ICMPIP1 = hexdec($work[34].$work[35]);
                $ICMPIP2 = hexdec($work[36].$work[37]);
                $ICMPIP3 = hexdec($work[38].$work[39]);
                $ICMPIP4 = hexdec($work[40].$work[41]);
                $ICMPIP5 = hexdec($work[42].$work[43]);
                $ICMPIP6 = hexdec($work[44].$work[45]);
                $ICMPIP7 = hexdec($work[46].$work[47]);

...

Now $ICMPIP0 is meant to hold the first 8 bits of the IP address, $ICMPIP1 the second, and so on, so all these vars add up to the origin and destination IP in the payload... but the offset is wrong. Assuming that $work has the payload as a string of hexadecimal digits, the offset for the source IP would be at character 24 of the string (the source IP comes after the 96 bits that compose the rest of the header, and that's 24 hex digits).

I changed the offsets and now it is displaying the correct information (not taking into account that the original code doesn't allow for options in the IP header; in that case source and destination ports wouldn't be correctly displayed).

I'm using MySQL as the backend.

Is this correct? Am I overlooking something? Does the original code not work because I have something misconfigured, or is it really a bug?

Thanks in advance.

Jesús Couto F.
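The offset problem described above, as an added example (not ACID's code, not from the original post): a small Python decoder that reads the IP header quoted inside an ICMP type 3/11 message at the correct byte offsets (honouring IHL, so IP options are also handled), beside a function that mimics the quoted hex offsets 32..47 and so reproduces the "0.123.0.123" symptom. The sample datagram, addresses and function names are constructed here.

```python
import struct
from ipaddress import IPv4Address


def parse_icmp_error_payload(payload: bytes) -> dict:
    """Decode the original IP header plus the first 4 bytes of its transport
    header, as quoted inside an ICMP destination-unreachable / time-exceeded
    message. Offsets are in bytes of the quoted datagram (RFC 791 layout)."""
    if len(payload) < 20:
        raise ValueError("embedded IP header truncated")
    ihl = (payload[0] & 0x0F) * 4          # header length in bytes; >20 means options
    if ihl < 20 or len(payload) < ihl + 4:
        raise ValueError("embedded header shorter than IHL claims")
    proto = payload[9]                      # protocol field, byte 9
    src = str(IPv4Address(payload[12:16]))  # source IP, bytes 12..15 (hex chars 24..31)
    dst = str(IPv4Address(payload[16:20]))  # destination IP, bytes 16..19 (hex chars 32..39)
    sport, dport = struct.unpack("!HH", payload[ihl:ihl + 4])  # ports follow the options
    return {"proto": proto, "src": src, "dst": dst, "sport": sport, "dport": dport}


def parse_acid_style(hexpayload: str) -> dict:
    """Mimic the quoted ACID code: hex chars 32..47 are bytes 16..23, so the
    embedded *destination* IP is shown as source and the two 16-bit port
    fields are shown as a destination IP."""
    work = hexpayload.replace("\n", "")
    octets = [int(work[i:i + 2], 16) for i in range(32, 48, 2)]
    return {"src": ".".join(map(str, octets[:4])),
            "dst": ".".join(map(str, octets[4:]))}


def build_sample() -> bytes:
    """Constructed sample: an NTP datagram (UDP 123 -> 123) from 10.0.0.5 to
    192.0.2.10 with no IP options, as quoted in a port-unreachable message."""
    ip_header = struct.pack("!BBHHHBBH4s4s",
                            0x45, 0, 76, 0x1234, 0, 64, 17, 0,
                            IPv4Address("10.0.0.5").packed,
                            IPv4Address("192.0.2.10").packed)
    udp_header = struct.pack("!HHHH", 123, 123, 56, 0)
    return ip_header + udp_header


if __name__ == "__main__":
    sample = build_sample()
    print("correct :", parse_icmp_error_payload(sample))
    print("as quoted:", parse_acid_style(sample.hex()))
```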


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

