Snort mailing list archives

Re: Sudden surge of MISC IP Reserved bit set


From: Phil Wood <cpw () lanl gov>
Date: Fri, 10 Aug 2001 11:41:54 -0600

On Fri, Aug 10, 2001 at 01:25:28PM -0400, Tom Sevy wrote:
 

1.8 Release Build 43

I don't go back that far, but have a Build 59 with this code:

  p->rf = (p->frag_offset & 0x8000) >> 15;

That ought to work correctly.  So, it's probably something else.  Either,
a clobbered packet.  Or, it's on the wire like that.  You could go read
the man page for tcpdump (which is what I would have to do), and figure
out a filter to look for that bit being on in the IP header, and run
a tcpdump sensor in parallel with your snort to see if it catches the
packets also.  Or, by the time you get this message, someone else has
figured this one out!
 

-----Original Message-----
From: Phil Wood [mailto:cpw () lanl gov] 
Sent: Friday, August 10, 2001 1:22 PM
To: Tom Sevy
Subject: Re: [Snort-users] Sudden surge of MISC IP Reserved bit set


snort -V

On Fri, Aug 10, 2001 at 01:13:12PM -0400, Tom Sevy wrote:
 
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Yes, it was a recent version.  Is there a way (read: easy way) to
tell what build number it is?

-----Original Message-----
From: Phil Wood [mailto:cpw () lanl gov] 
Sent: Friday, August 10, 2001 1:11 PM
To: Tom Sevy
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Sudden surge of MISC IP Reserved bit set


By any chance have you upgraded snort recently?  %^)

I believe I saw a series of changes to decode.c which might have broken,
then fixed, a problem in the area of checking the bits in the fragment
offset field.

The broken version was Version 1.8.1-beta5 (Build 60) with problem
code:

  p->rf = (u_int8_t)(p->frag_offset & 0x8000) >> 15;

I don't know what happens when you shift an 8 bit quantity 15 bits.
 %^)

A correct version has something like:

  p->rf = (u_int8_t)((p->frag_offset & 0x8000) >> 15);

On Fri, Aug 10, 2001 at 09:44:23AM -0400, Tom Sevy wrote:
This morning, for an unknown reason(s), I am seeing a deluge of
MISC IP Reserved bit set.

Starting at 9:18, until 9:38 (about 20 minutes) I saw 53,152 of
these show up.  77 Sources, 43 destinations.

Any idea what would cause this?  We run a mix of MS & *nix
systems.  

Here's a sample (minus payload):

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

#(2 - 74518) [2001-08-10 09:30:49]  MISC IP Reserved bit set
IPv14: 192.168.12.249 -> 192.168.10.10
      hlen=7 TOS=0 dlen=204 ID=32769 flags=0 offset=0 TTL=55
chksum=194 Payload:  length = 164


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

- -- 
Phil Wood, cpw () lanl gov

-----BEGIN PGP SIGNATURE-----
Version: PGP 7.0.1

iQA/AwUBO3QWJ+7D48MxrkMGEQIgIQCg7X1E5a/jY0FbDv+fhYP6EcDmpIoAoKx2
+HC8ImeOpO63pyTEL87rzclN
=ZV5M
-----END PGP SIGNATURE-----

- -- 
Phil Wood, cpw () lanl gov


-- 
Phil Wood, cpw () lanl gov

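The two expressions Phil quotes differ only in where the (u_int8_t) cast sits, and the difference is decisive. In C, a u_int8_t operand is promoted to int before a shift, so shifting "an 8 bit quantity 15 bits" is itself well-defined; the defect is that the cast is applied to the masked value 0x8000 before the shift, truncating it to 0, so the reserved bit can never be seen. The following is an added example, not code from Snort's decode.c or from anyone in this thread: it decodes the 16-bit flags/fragment-offset field from constructed IPv4 header bytes (assumed already in host byte order, as ntohs would leave it) and runs both the Build 60 expression and the corrected one side by side. Whether this particular bug accounts for Tom's surge is not something the thread settles; the example only shows what each expression computes.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed sample: the first 8 bytes of an IPv4 header in network
 * byte order. Bytes 6-7 hold the flags/fragment-offset field.
 * Here that field is 0x8000: reserved bit set, DF/MF clear, offset 0. */
static const uint8_t sample_hdr_reserved[8] = {
    0x45, 0x00, 0x00, 0xcc, 0x80, 0x01, 0x80, 0x00 };

/* Constructed sample with DF set and a fragment offset of 185 (0x40b9). */
static const uint8_t sample_hdr_df_frag[8] = {
    0x45, 0x00, 0x00, 0xcc, 0x80, 0x01, 0x40, 0xb9 };

/* Read bytes 6-7 of the header as a host-order 16-bit value
 * (equivalent to ntohs() on the raw field). */
uint16_t frag_field(const uint8_t *hdr) {
    return (uint16_t)((hdr[6] << 8) | hdr[7]);
}

/* Build 60 expression: the cast binds tighter than >>, so the masked
 * value 0x8000 is narrowed to 8 bits (0) and only then shifted.
 * Result: always 0, regardless of the reserved bit. */
uint8_t rf_broken(uint16_t frag_offset) {
    return (uint8_t)(frag_offset & 0x8000) >> 15;
}

/* Corrected expression: shift first, then narrow to 8 bits. */
uint8_t rf_fixed(uint16_t frag_offset) {
    return (uint8_t)((frag_offset & 0x8000) >> 15);
}

/* The remaining pieces of the same 16-bit field, for completeness. */
uint8_t  df_bit(uint16_t f)            { return (uint8_t)((f & 0x4000) >> 14); }
uint8_t  mf_bit(uint16_t f)            { return (uint8_t)((f & 0x2000) >> 13); }
uint16_t frag_offset_units(uint16_t f) { return (uint16_t)(f & 0x1fff); }

static void show(const char *label, const uint8_t *hdr) {
    uint16_t f = frag_field(hdr);
    printf("%s: field=0x%04x rf_broken=%u rf_fixed=%u DF=%u MF=%u offset=%u\n",
           label, f, rf_broken(f), rf_fixed(f), df_bit(f), mf_bit(f),
           frag_offset_units(f));
}

int main(void) {
    show("reserved bit set", sample_hdr_reserved);
    show("DF + offset 185 ", sample_hdr_df_frag);
    return 0;
}
```

The first line of output shows rf_broken=0 against rf_fixed=1 for a header whose reserved bit really is set; the second shows both agreeing on 0 for an ordinary DF fragment. A sensor built from the Build 60 code would therefore never flag a genuinely set reserved bit, which is the opposite failure from a flood of alerts, and is worth keeping in mind when comparing a snort alert stream with a parallel tcpdump capture as Phil suggests (a capture filter such as `ip[6] & 0x80 != 0` selects packets with that bit on).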


