Snort mailing list archives

IPv6 Teredo tunneling crashing snort?


From: Ufi <ufii6rai () gmail com>
Date: Mon, 13 Dec 2010 12:15:58 -0700

Greetings.  Snort segfaulted this morning on one of my sensors at 09:02:43:

Dec 13 09:02:43 localhost kernel: snort[4893]: segfault at 0000000000000000
rip 0000000000438ce8 rsp 00007fffb9c65c60 error 4

So I started digging around and found that @ 09:02:41 and 09:02:43, some
IPv6 Teredo tunneling traffic was picked up.

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
12/13-09:02:41.520296 00:15:17:C8:A4:F2 -> 00:50:73:F3:35:00 type:0x800
len:0x66
172.16.100.131:3544 -> 10.1.191.3:50752 UDP TTL:112 TOS:0x0 ID:22485
IpLen:20 DgmLen:88
2002:aafc:6483:8001:0000:0000:0a0a:2204 ->
2001:0000:aafc:6483:2066:59b0:5504:9707 IPV6-ICMP TTL:114 TOS:0x0 ID:29051
IpLen:40 DgmLen:60
Frag Offset: 0x0000   Frag Size: 0x0014
00 00 00 00                                      ....
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
12/13-09:02:43.328929 00:15:17:C8:A4:F2 -> 00:50:73:F3:35:00 type:0x800
len:0x66
172.16.100.131:3544 -> 10.1.191.3:50752 UDP TTL:112 TOS:0x0 ID:27293
IpLen:20 DgmLen:88
2002:aafc:6483:8001:0000:0000:0a0a:2204 ->
2001:0000:aafc:6483:2066:59b0:5504:9707 IPV6-ICMP TTL:114 TOS:0x0 ID:29054
IpLen:40 DgmLen:60
Frag Offset: 0x0000   Frag Size: 0x0014
00 00 00 00                                      ....
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

This looks like very common traffic for that segment and from subsequent
pcaps taken, nothing seems to be out of the ordinary.

I saw this in the Changelog for 2.9.0 RC on 2010-09-03 so I wonder if it's
related?

* Teredo packets with another layer of UDP on top will now display the
correct port numbers in console output.
* Reduced false positives on decoder alerts when "config
deep_teredo_inspection" is enabled.
* Fixed a problem with evaluating UDP rules on Teredo traffic, where the
result of rule evaluation on the outer UDP
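For triage of the kernel line quoted in the message above, the following added example (not part of the original post and not Snort code) parses it and decodes the fault. It assumes the standard x86 page-fault error-code bit layout and that the error field is printed in hex; the function names are hypothetical.

```python
import re

# Kernel line from the post, constructed here by joining its two wrapped lines.
SAMPLE = ("Dec 13 09:02:43 localhost kernel: snort[4893]: segfault at "
          "0000000000000000 rip 0000000000438ce8 rsp 00007fffb9c65c60 error 4")

# Accepts both the older "rip/rsp" and the newer "ip/sp" field names.
SEGV_RE = re.compile(
    r"(?P<proc>[^\s\[]+)\[(?P<pid>\d+)\]: segfault at (?P<addr>[0-9a-f]+) "
    r"r?ip (?P<ip>[0-9a-f]+) r?sp (?P<sp>[0-9a-f]+) error (?P<err>[0-9a-f]+)")

PAGE_SIZE = 4096  # assumption: 4 KiB pages; the first page is never mapped


def decode_error(code):
    """Decode the x86 page-fault error code bits reported after 'error'."""
    return {
        "cause": "protection violation" if code & 1 else "page not present",
        "access": "write" if code & 2 else "read",
        "mode": "user" if code & 4 else "kernel",
        "reserved_bit": bool(code & 8),
        "instruction_fetch": bool(code & 16),
    }


def parse_segfault(line):
    """Return a dict describing the fault, or None if the line does not match."""
    m = SEGV_RE.search(line)
    if m is None:
        return None
    info = {
        "process": m["proc"],
        "pid": int(m["pid"]),
        "fault_addr": int(m["addr"], 16),
        "ip": int(m["ip"], 16),
        "sp": int(m["sp"], 16),
    }
    info.update(decode_error(int(m["err"], 16)))
    # A fault inside the first page points at a NULL (or NULL+offset) pointer.
    info["near_null"] = info["fault_addr"] < PAGE_SIZE
    return info


if __name__ == "__main__":
    for key, value in parse_segfault(SAMPLE).items():
        print(key, hex(value) if key in ("fault_addr", "ip", "sp") else value)
```

For the posted line this reports a user-mode read of an unmapped page at address 0, so the instruction pointer 0x438ce8 is the value to resolve against the symbols of the exact snort binary that crashed.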