Snort mailing list archives
Re: flexresp3: Reset with TTL of 0
From: Jim Hranicky <jfh () ufl edu>
Date: Tue, 26 Oct 2010 17:27:09 -0400
On Tue, 26 Oct 2010 14:32:01 -0400 Jim Hranicky <jfh () ufl edu> wrote:

> Has anyone else seen this behavior? I've likely missed a step somewhere. I'll be glad to supply more info if needed.
Sorry for the double post. I forgot to mention the OS:

  2.6.32-24-server #39-Ubuntu SMP Wed Jul 28 06:21:40 UTC 2010 x86_64 GNU/Linux

The sniff interface is an Intel X520 and I've compiled PF_RING support into libpcap.

I went ahead and attached a gdb to one of the running snorts. I set it to break in active.c:Active_SendReset() and then triggered the reset:

  #0  Active_SendReset (p=0x7ffffaf9f980, ef=2147483648) at active.c:214
  #1  0x000000000046ab51 in Resp3_Send (p=0x7ffffaf9f980, pv=0x362bf30) at sp_respond3.c:306
  #2  0x000000000040d971 in Active_SendResponses (p=0x7ffffaf9f980) at active.c:121
  #3  0x000000000042a6f8 in ProcessPacket (user=0x0, pkthdr=0x7ffffafa07b0, pkt=0x3aac070 "", ft=0x0) at snort.c:1484
  #4  0x000000000042a3cd in PacketCallback (user=0x0, pkthdr=0x7ffffafa07b0, pkt=0x3aac070 "") at snort.c:1382
  #5  0x00000000004d6f6a in pcap_process_loop ()
  #6  0x00007f904e5cb514 in pcap_read_linux () from /opt/local/lib/libpcap.so.1
  #7  0x00000000004d7026 in pcap_daq_acquire ()
  #8  0x00000000004d4342 in daq_acquire ()
  #9  0x00000000004494a8 in DAQ_Acquire (max=-1, callback=0x42a307 <PacketCallback>, user=0x0) at sfdaq.c:453
  #10 0x000000000042cb29 in PacketLoop () at snort.c:2757
  #11 0x000000000042957a in SnortMain (argc=9, argv=0x7ffffafa0b68) at snort.c:717
  #12 0x000000000042948d in main (argc=9, argv=0x7ffffafa0b68) at snort.c:660

Then I stepped into this function:

  rej = Encode_Reject(ENC_TCP_RST, flags|value, p, &len);

which took me here:

  #0  Eth_Encode (enc=0x7ffffaf9f860, in=0x7ffffaf9f7f0, out=0x7ffffaf9f7d0) at encode.c:502
  #1  0x000000000040c357 in Encode_Packet (enc=0x7ffffaf9f860, p=0x7ffffaf9f980, len=0x7ffffaf9f8d0) at encode.c:355
  #2  0x000000000040bdd5 in Encode_Reject (type=ENC_TCP_RST, flags=2684354560, p=0x7ffffaf9f980, len=0x7ffffaf9f8d0) at encode.c:175

After coming out I printed the value of rej in hex:

  (gdb) x/64x rej
  0x739b20 <s_pkt>:     0x00 0x0e 0x83 0xc6 0xa3 0x40 0x00 0xd0
  0x739b28 <s_pkt+8>:   0x02 0x1c 0xf0 0x00 0x08 0x00 0x45 0x00
  0x739b30 <s_pkt+16>:  0x00 0x28 0x33 0xfd 0x00 0x00 0x00 0x06
  0x739b38 <s_pkt+24>:  0x24 0x4a
  [ ... ]

If I'm not mistaken, the ttl should be at byte 22 and is 0 in this case.

At one point I appeared to trip a Heisenbug and actually got a ttl of 64 shown in tcpdump, but that only happened once or twice in the call of Active_SendReset().

Also, stepping through the code it looks like rej is actually a pointer to a static variable, so the next line

  if ( !rej ) return;

will never trigger a return unless I'm mistaken. I don't know if that's a factor here or not.

Is this enough to file a bug report? I can send pcaps & whatnot.

OTOH, it's entirely possible I'm wildly wrong :-)

--
Jim Hranicky
IT Security Engineer
Office of Information Security and Compliance
University of Florida
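As an added example (not part of the post and not Snort's own code), the gdb dump quoted above can be reassembled and decoded to confirm the offset claim: with a 14-byte Ethernet II header (no VLAN tag, an assumption) and a 20-byte IPv4 header, the TTL sits at frame byte 22, and a reset with TTL 0 is dropped at the first router hop instead of tearing down the far end's connection. The dump is the one from the post, truncated after 26 bytes, so only the fields inside those bytes are decoded.

```python
import re

# gdb "x/64x rej" output as quoted in the post (only the first 26 bytes were shown).
GDB_DUMP = """\
0x739b20 <s_pkt>: 0x00 0x0e 0x83 0xc6 0xa3 0x40 0x00 0xd0
0x739b28 <s_pkt+8>: 0x02 0x1c 0xf0 0x00 0x08 0x00 0x45 0x00
0x739b30 <s_pkt+16>: 0x00 0x28 0x33 0xfd 0x00 0x00 0x00 0x06
0x739b38 <s_pkt+24>: 0x24 0x4a
"""

ETH_HDR_LEN = 14      # Ethernet II without 802.1Q tag (assumption for this frame)
IP_TTL_OFFSET = 8     # TTL is the 9th byte of the IPv4 header
HEX_BYTE = re.compile(r"0x[0-9a-fA-F]{2}$")


def gdb_dump_to_bytes(dump: str) -> bytes:
    """Reassemble raw bytes from gdb 'x/Nx' lines of the form 'addr <sym>: 0xNN 0xNN ...'."""
    out = bytearray()
    for line in dump.splitlines():
        _addr, _sep, values = line.partition(":")
        out.extend(int(tok, 16) for tok in values.split() if HEX_BYTE.match(tok))
    return bytes(out)


def decode_reset_frame(frame: bytes) -> dict:
    """Decode the Ethernet type and the IPv4 fields present in the first 26 bytes."""
    ethertype = int.from_bytes(frame[12:14], "big")
    if ethertype != 0x0800:
        raise ValueError(f"not IPv4: ethertype 0x{ethertype:04x}")
    ip = frame[ETH_HDR_LEN:]
    return {
        "ip_version": ip[0] >> 4,
        "ip_header_len": (ip[0] & 0x0F) * 4,
        "total_length": int.from_bytes(ip[2:4], "big"),
        "ttl": ip[IP_TTL_OFFSET],
        "ttl_frame_offset": ETH_HDR_LEN + IP_TTL_OFFSET,   # 22, as the post says
        "protocol": ip[9],                                  # 6 = TCP
        "header_checksum": int.from_bytes(ip[10:12], "big"),
    }


def reset_is_dead_on_the_wire(frame: bytes) -> bool:
    """True when the TTL is 0: no router forwards it, so the RST never reaches the far host."""
    return decode_reset_frame(frame)["ttl"] == 0
```

Running the functions over the dump reports ttl 0 at frame offset 22, protocol 6 and total length 40, which is exactly a 20-byte IP header plus a 20-byte TCP header carrying the RST.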
Current thread:
- flexresp3: Reset with TTL of 0 Jim Hranicky (Oct 26)
- Re: flexresp3: Reset with TTL of 0 Jim Hranicky (Oct 26)
- Re: flexresp3: Reset with TTL of 0 Russ Combs (Oct 26)
- Re: flexresp3: Reset with TTL of 0 Jim Hranicky (Oct 26)