Package: snort
Version: 2.3.2-3
Severity: normal

I'm running snort (snort -c /etc/snort/rules/local.rules -i lo -b -d -k none)
with the following rule and packets:

alert icmp any any -> any any ( fragoffset: 0; msg: "Fragoffset-bug"; )

16:48:28.272362 IP 75.181.66.92 > 64.186.253.227: icmp 36: host 0.28.54.118 unreachable
        0x0000:  4500 0038 4dea 0000 fc01 a42b 4bb5 425c  E..8M......+K.B\
        0x0010:  40ba fde3 0301 0239 0d48 3832 ac77 ddf0  @......9.H82.w..
        0x0020:  8010 c050 d9b6 0000 0101 080a 001c 3676  ...P..........6v
        0x0030:  422d 8afd 0103 0300                      B-......
16:48:28.323672 IP 75.181.66.92 > 64.186.253.227: icmp 36: host 1.3.3.0 unreachable
        0x0000:  4500 0038 4deb 0000 fc01 a42a 4bb5 425c  E..8M......*K.B\
        0x0010:  40ba fde3 0301 078f d7d6 fb5b 4686 228f  @..........[F.".
        0x0020:  5010 faf0 5882 0000 0204 0218 0103 0300  P...X...........
        0x0030:  0055 156b 01be f606                      .U.k....

Both packets have fragoffset of 0, but only the first packet matches the rule.
I'm attaching the packets as a pcap file as well.

-- System Information:
Debian Release: testing/unstable
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.4.27-2-k7
Locale: LANG=ru_RU.KOI8-R, LC_CTYPE=ru_RU.KOI8-R (charmap=KOI8-R)

Versions of packages snort depends on:
ii  adduser               3.64                 Add and remove users and groups
ii  debconf               1.4.51               Debian configuration management sy
ii  libc6                 2.3.2.ds1-22sarge3   GNU C Library: Shared libraries an
ii  libpcap0.8            0.8.3-5              System interface for user-level pa
ii  libpcre3              5.0-1.1              Perl 5 Compatible Regular Expressi
ii  logrotate             3.7-5                Log rotation utility
ii  snort-common          2.3.2-3              Flexible Network Intrusion Detecti
ii  snort-rules-default   2.3.2-3              Flexible Network Intrusion Detecti
ii  sysklogd [system-log- 1.4.1-17             System Logging Daemon

Versions of packages snort recommends:
pn  snort-doc             <none>               (no description available)

-- debconf information:
  snort/startup: boot
  snort/please_restart_manually:
  snort/stats_treshold: 1
* snort/address_range: 10.0.1.0/24
  snort/options:
* snort/interface: eth0
* snort/stats_rcpt: root
  snort/config_parameters:
  snort/config_error:
  snort/reverse_order: false
  snort/disable_promiscuous: false

fragoffset.pcap
Description: Binary data
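
An added example, not part of the original report and not Snort code: a small decoder that reads the outer IPv4 header and ICMP type/code from the first 28 bytes of each hex dump above, so the field the `fragoffset` rule option tests can be checked independently of any IDS. The function and key names are assumptions made for this illustration.

```python
import struct

# First 28 bytes (IPv4 header + ICMP header) copied from the two hex dumps
# in the report, keyed by the tcpdump timestamp of each packet.
PACKETS = {
    "16:48:28.272362": "4500 0038 4dea 0000 fc01 a42b 4bb5 425c 40ba fde3"
                       " 0301 0239 0d48 3832",
    "16:48:28.323672": "4500 0038 4deb 0000 fc01 a42a 4bb5 425c 40ba fde3"
                       " 0301 078f d7d6 fb5b",
}

def ones_complement_sum(data):
    """16-bit one's-complement sum; 0xFFFF over a header means a valid checksum."""
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def decode_ipv4(hexdump):
    """Decode the fragmentation fields of the outer IPv4 header (hypothetical helper)."""
    raw = bytes.fromhex(hexdump.replace(" ", ""))
    if not raw:
        raise ValueError("empty dump")
    ihl = (raw[0] & 0x0F) * 4            # header length in bytes
    if raw[0] >> 4 != 4 or ihl < 20 or len(raw) < ihl + 2:
        raise ValueError("not a complete IPv4 header followed by ICMP type/code")
    ip_id, flags_frag = struct.unpack("!HH", raw[4:8])
    return {
        "ip_id": ip_id,
        "df": bool(flags_frag & 0x4000),      # Don't Fragment flag
        "mf": bool(flags_frag & 0x2000),      # More Fragments flag
        "frag_offset": flags_frag & 0x1FFF,   # 13-bit field, in 8-byte units
        "proto": raw[9],                      # 1 = ICMP
        "checksum_ok": ones_complement_sum(raw[:ihl]) == 0xFFFF,
        "icmp_type": raw[ihl],
        "icmp_code": raw[ihl + 1],
    }

def decode_all():
    """Return the decoded fields for every packet, keyed by timestamp."""
    return {ts: decode_ipv4(dump) for ts, dump in PACKETS.items()}

if __name__ == "__main__":
    for ts, fields in decode_all().items():
        print(ts, fields)
```
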