Snort mailing list archives
IPv6 Teredo tunneling crashing snort?
From: Ufi <ufii6rai () gmail com>
Date: Mon, 13 Dec 2010 12:15:58 -0700
Greetings. Snort segfaulted this morning on one of my sensors at 09:02:43:

Dec 13 09:02:43 localhost kernel: snort[4893]: segfault at 0000000000000000 rip 0000000000438ce8 rsp 00007fffb9c65c60 error 4

So I started digging around and found that @ 09:02:41 and 09:02:43, some IPv6 Teredo tunneling traffic was picked up.

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
12/13-09:02:41.520296 00:15:17:C8:A4:F2 -> 00:50:73:F3:35:00 type:0x800 len:0x66
172.16.100.131:3544 -> 10.1.191.3:50752 UDP TTL:112 TOS:0x0 ID:22485 IpLen:20 DgmLen:88
2002:aafc:6483:8001:0000:0000:0a0a:2204 -> 2001:0000:aafc:6483:2066:59b0:5504:9707 IPV6-ICMP TTL:114 TOS:0x0 ID:29051 IpLen:40 DgmLen:60
Frag Offset: 0x0000 Frag Size: 0x0014
00 00 00 00 ....
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
12/13-09:02:43.328929 00:15:17:C8:A4:F2 -> 00:50:73:F3:35:00 type:0x800 len:0x66
172.16.100.131:3544 -> 10.1.191.3:50752 UDP TTL:112 TOS:0x0 ID:27293 IpLen:20 DgmLen:88
2002:aafc:6483:8001:0000:0000:0a0a:2204 -> 2001:0000:aafc:6483:2066:59b0:5504:9707 IPV6-ICMP TTL:114 TOS:0x0 ID:29054 IpLen:40 DgmLen:60
Frag Offset: 0x0000 Frag Size: 0x0014
00 00 00 00 ....
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

This looks like very common traffic for that segment and from subsequent pcaps taken, nothing seems to be out of the ordinary.

I saw this in the Changelog for 2.9.0 RC on 2010-09-03 so I wonder if it's related?

* Teredo packets with another layer of UDP on top will now display the correct port numbers in console output.
* Reduced false positives on decoder alerts when "config deep_teredo_inspection" is enabled.
* Fixed a problem with evaluating UDP rules on Teredo traffic, where the result of rule evaluation on the outer UDP
Current thread:
- IPv6 Teredo tunneling crashing snort? Ufi (Dec 13)
- Re: IPv6 Teredo tunneling crashing snort? Ryan Jordan (Dec 13)
- Re: IPv6 Teredo tunneling crashing snort? Ufi (Dec 13)
- Re: IPv6 Teredo tunneling crashing snort? Russ Combs (Dec 13)
- Re: IPv6 Teredo tunneling crashing snort? Ufi (Dec 13)
- Re: IPv6 Teredo tunneling crashing snort? Ryan Jordan (Dec 13)