Snort mailing list archives

Re: Sudden surge of MISC IP Reserved bit set


From: Phil Wood <cpw () lanl gov>
Date: Fri, 10 Aug 2001 11:11:10 -0600

By any chance have you upgraded snort recently?  %^)

I believe I saw a series of changes to decode.c which might have broken then
fixed a problem in the area of checking the bits in the fragment offset field.

The broken version was Version 1.8.1-beta5 (Build 60) with problem code:

  p->rf = (u_int8_t)(p->frag_offset & 0x8000) >> 15;

I don't know what happens when you shift an 8 bit quantity 15 bits.  %^)

A correct version has something like:

  p->rf = (u_int8_t)((p->frag_offset & 0x8000) >> 15);

On Fri, Aug 10, 2001 at 09:44:23AM -0400, Tom Sevy wrote:
This morning, for an unknown reason(s), I am seeing a deluge of MISC IP
Reserved bit setup.

Starting at 9:18, until 9:38 (about 20 minutes) I saw 53,152 of these show
up.  77 Sources, 43 destinations.

Any idea what would cause this?  We run a mix of MS & *nix systems.

Here's a sample (minus payload):

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~

#(2 - 74518) [2001-08-10 09:30:49]  MISC IP Reserved bit set
IPv14: 192.168.12.249 -> 192.168.10.10
      hlen=7 TOS=0 dlen=204 ID=32769 flags=0 offset=0 TTL=55 chksum=194
Payload:  length = 164


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

-- 
Phil Wood, cpw () lanl gov
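
Added example, not part of the original thread and not Snort's decode.c: the two expressions quoted above evaluated side by side, showing that in C a cast binds tighter than >>, so the first form narrows the masked value to 8 bits before the shift is applied. Function names and sample values are constructed here, the 16-bit flags/offset word is assumed to be in host byte order, and the DF/MF/offset helpers go beyond the one line quoted in the message.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical helpers for illustration. `field` is the 16-bit IPv4
 * flags/fragment-offset word, assumed already in host byte order. */

/* Expression quoted for the broken build. The cast applies to the masked
 * value first: 0x8000 has no bits in the low byte, so narrowing to 8 bits
 * yields 0. That 0 is promoted to int and shifted, so the result is 0 for
 * every input. */
static uint8_t rf_cast_first(uint16_t field)
{
    int v = (uint8_t)(field & 0x8000) >> 15;
    return (uint8_t)v;
}

/* Expression quoted for the fixed build: mask, shift, then narrow. */
static uint8_t rf_shift_first(uint16_t field)
{
    return (uint8_t)((field & 0x8000) >> 15);
}

/* Same mask-shift-narrow order for the rest of the word (generalization). */
static uint8_t  df_bit(uint16_t field)   { return (uint8_t)((field & 0x4000) >> 14); }
static uint8_t  mf_bit(uint16_t field)   { return (uint8_t)((field & 0x2000) >> 13); }
static uint16_t frag_off(uint16_t field) { return (uint16_t)(field & 0x1fff); }

int main(void)
{
    /* Constructed samples: RF only, DF only, MF with offset 185, all bits. */
    const uint16_t samples[] = { 0x8000, 0x4000, 0x20b9, 0xffff };
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        uint16_t f = samples[i];
        printf("0x%04x cast-first rf=%u shift-first rf=%u df=%u mf=%u off=%u\n",
               (unsigned)f, (unsigned)rf_cast_first(f),
               (unsigned)rf_shift_first(f), (unsigned)df_bit(f),
               (unsigned)mf_bit(f), (unsigned)frag_off(f));
    }
    return 0;
}
```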

