Snort mailing list archives

RE: bug in snort 2.0.1?


From: Erek Adams <erek () snort org>
Date: Sat, 9 Aug 2003 23:33:25 -0400 (EDT)


[Sorry for the delay, but I had to do some RTFM'ing]

On Thu, 7 Aug 2003, Luo, Philip wrote:

> Here is the actual alert.
>
> [**] [116:97:1] (snort_decoder): Short UDP packet, length field > payload length [**]
> 08/07-14:22:29.786200 10.1.187.106:0 -> 10.1.27.12:0
> UDP TTL:128 TOS:0x0 ID:24027 IpLen:20 DgmLen:1675
> Len: 1647
>
> The IP length is 1675, the UDP length is 1655, but the payload length is
> none.

Ok, from that packet you'll see that alert.  1675 > 0 :)


> I am using IBM token ring connection which also have many
> [**] [116:143:1] (snort_decoder) WARNING: Bad Token Ring MR Header! [**]
> 08/06-15:15:06.924570

Token Ring! MR Header?

Ok, this one took some research since I know nothing about Token
Ring.  According to RFC 1042, Token Ring has a "Multi Ring" header.
Looking at the code in src/decode.c lines 623 - 636 (current CVS), from
what I can tell, the reason that this alert is firing is that the length
of the capture is longer than the token ring header length, then fire the
alert.

Here's the section of code that deals with it.

623          if(cap_len < (sizeof(Trh_hdr) + sizeof(Trh_llc) + sizeof(Trh_mr)))
624          {
625              if(pv.verbose_flag)
626                  ErrorMessage("Captured data length < Token Ring header length! "
627                               "(%d < %d bytes)\n", cap_len,
628                               (sizeof(Trh_hdr) + sizeof(Trh_llc) + sizeof(Trh_mr)));
629
630              if((runMode == MODE_IDS) && pv.decoder_flags.decode_alerts)
631              {
632                  SetEvent(&event, GENERATOR_SNORT_DECODE,
633                           DECODE_BAD_TRHMR, 1, DECODE_CLASS, 5, 0);
634                  CallAlertFuncs(p, DECODE_BAD_TRHMR_STR, NULL, &event);
635                  CallLogFuncs(p, DECODE_BAD_TRHMR_STR, NULL, &event);
636              }

So basically, it's the same thing.  Packet size == What it should be.  Are
you sure you don't have some NICs doing something odd or traffic that's a
bit strange?

If you could get a pcap of this in parallel with the snort alerts, that
would really help.  Make sure that the snaplen is "maxed" out.  Set
snaplen to 0.

        tcpdump -s 0 <options>

Cheers!

-----
Erek Adams

   "When things get weird, the weird turn pro."   H.S. Thompson
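The "length field > payload length" decision behind the first alert, as an added example that is neither Erek's nor Snort's code: it rebuilds the decoder's check on a constructed IPv4+UDP frame carrying the numbers from the alert (IP total length 1675, UDP length field 1655, zero captured payload) and on a consistent frame for comparison. Header sizes, the frame builder, the verdict names and the rule that the printed "Len:" value is the UDP length field minus the 8-byte header are this example's own assumptions, chosen to agree with the alert text above.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IP_HDR_LEN  20u   /* IPv4 header without options (assumed) */
#define UDP_HDR_LEN 8u    /* fixed UDP header */

/* Outcome of the decoder's UDP length sanity check (names are this example's). */
enum udp_verdict {
    UDP_OK = 0,               /* length field agrees with what was captured */
    UDP_TRUNCATED_HEADER,     /* fewer than 8 bytes captured: no usable UDP header */
    UDP_LEN_GT_PAYLOAD,       /* "Short UDP packet, length field > payload length" */
    UDP_LEN_LT_HEADER         /* length field smaller than the 8-byte header */
};

/* Read and write 16-bit network-byte-order fields. */
static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static void put16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }

/* udp points at the UDP header; cap_len is the number of bytes captured from
 * there to the end of the frame. The check trusts cap_len rather than the IP
 * or UDP length fields, because only cap_len reflects bytes actually present. */
enum udp_verdict check_udp(const uint8_t *udp, size_t cap_len, uint16_t *len_field)
{
    if (cap_len < UDP_HDR_LEN)
        return UDP_TRUNCATED_HEADER;
    uint16_t uh_len = be16(udp + 4);       /* header bytes 4-5: UDP total length */
    if (len_field) *len_field = uh_len;
    if (uh_len < UDP_HDR_LEN)
        return UDP_LEN_LT_HEADER;
    if (uh_len > cap_len)                  /* claims more bytes than were captured */
        return UDP_LEN_GT_PAYLOAD;
    return UDP_OK;
}

/* Assumed rule for the "Len:" line under a UDP alert: length field minus the
 * 8-byte header, which turns 1655 into the 1647 printed above. */
int udp_printed_len(uint16_t uh_len) { return (int)uh_len - (int)UDP_HDR_LEN; }

/* Build a constructed IPv4+UDP frame: IP total-length and UDP length fields are
 * set as requested and payload_bytes of zero payload follow the headers.
 * Returns the frame size, i.e. the captured length (0 if buf is too small). */
size_t build_frame(uint8_t *buf, size_t buflen, uint16_t ip_total_len,
                   uint16_t udp_len_field, size_t payload_bytes)
{
    size_t frame_len = IP_HDR_LEN + UDP_HDR_LEN + payload_bytes;
    if (buflen < frame_len) return 0;
    memset(buf, 0, frame_len);
    buf[0] = 0x45;                         /* IPv4, IHL 5 */
    put16(buf + 2, ip_total_len);
    put16(buf + 4, 24027);                 /* IP ID from the alert */
    buf[8] = 128;                          /* TTL 128 */
    buf[9] = 17;                           /* protocol: UDP */
    const uint8_t src[4] = {10, 1, 187, 106}, dst[4] = {10, 1, 27, 12};
    memcpy(buf + 12, src, 4);
    memcpy(buf + 16, dst, 4);
    put16(buf + IP_HDR_LEN + 4, udp_len_field);   /* ports stay 0 as in the alert */
    return frame_len;
}

/* The frame behind the alert: IP length 1675, UDP length 1655, no payload. */
enum udp_verdict check_alert_frame(uint16_t *len_field)
{
    uint8_t frame[64];
    size_t cap = build_frame(frame, sizeof frame, 1675, 1655, 0);
    if (cap == 0) return UDP_TRUNCATED_HEADER;
    return check_udp(frame + IP_HDR_LEN, cap - IP_HDR_LEN, len_field);
}

/* A consistent frame: 4 payload bytes, UDP length 12, IP length 32. */
enum udp_verdict check_consistent_frame(void)
{
    uint8_t frame[64];
    size_t cap = build_frame(frame, sizeof frame, 32, 12, 4);
    if (cap == 0) return UDP_TRUNCATED_HEADER;
    return check_udp(frame + IP_HDR_LEN, cap - IP_HDR_LEN, NULL);
}

/* Length field recorded while checking the alert frame (expected 1655). */
uint16_t alert_frame_len_field(void)
{
    uint16_t lf = 0;
    check_alert_frame(&lf);
    return lf;
}

int main(void)
{
    uint16_t lf = 0;
    enum udp_verdict v = check_alert_frame(&lf);
    printf("alert frame: verdict %d, UDP length field %u, printed Len %d\n",
           (int)v, lf, udp_printed_len(lf));
    printf("consistent frame: verdict %d\n", (int)check_consistent_frame());
    return 0;
}
```

The point the example makes concrete is the one Erek draws from the alert: the decoder compares the UDP header's own length claim against the bytes actually captured, so a frame whose header says 1655 but which arrives with nothing after the 8-byte header trips the check regardless of what the IP length field says. It also shows why a capture taken with a small snaplen can produce the same alert on traffic that is fine on the wire, which is why he asks for `tcpdump -s 0`.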

