Package: snort
Version: 2.3.2-3
Severity: normal

I'm running snort (snort -c /etc/snort/rules/local.rules -i lo -b -d -k none) with the following rule and packets:

alert icmp any any -> any any ( fragoffset: 0; msg: "Fragoffset-bug"; )

16:48:28.272362 IP 75.181.66.92 > 64.186.253.227: icmp 36: host 0.28.54.118 unreachable
        0x0000:  4500 0038 4dea 0000 fc01 a42b 4bb5 425c  E..8M......+K.B\
        0x0010:  40ba fde3 0301 0239 0d48 3832 ac77 ddf0  @......9.H82.w..
        0x0020:  8010 c050 d9b6 0000 0101 080a 001c 3676  ...P..........6v
        0x0030:  422d 8afd 0103 0300                      B-......
16:48:28.323672 IP 75.181.66.92 > 64.186.253.227: icmp 36: host 1.3.3.0 unreachable
        0x0000:  4500 0038 4deb 0000 fc01 a42a 4bb5 425c  E..8M......*K.B\
        0x0010:  40ba fde3 0301 078f d7d6 fb5b 4686 228f  @..........[F.".
        0x0020:  5010 faf0 5882 0000 0204 0218 0103 0300  P...X...........
        0x0030:  0055 156b 01be f606                      .U.k....

Both packets have fragoffset of 0, but only the first packet matches the
rule. I'm attaching the packets as a pcap file as well.

-- System Information:
Debian Release: testing/unstable
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.4.27-2-k7
Locale: LANG=ru_RU.KOI8-R, LC_CTYPE=ru_RU.KOI8-R (charmap=KOI8-R)

Versions of packages snort depends on:
ii adduser 3.64 Add and remove users and groups
ii debconf 1.4.51 Debian configuration management sy
ii libc6 2.3.2.ds1-22sarge3 GNU C Library: Shared libraries an
ii libpcap0.8 0.8.3-5 System interface for user-level pa
ii libpcre3 5.0-1.1 Perl 5 Compatible Regular Expressi
ii logrotate 3.7-5 Log rotation utility
ii snort-common 2.3.2-3 Flexible Network Intrusion Detecti
ii snort-rules-default 2.3.2-3 Flexible Network Intrusion Detecti
ii sysklogd [system-log- 1.4.1-17 System Logging Daemon

Versions of packages snort recommends:
pn snort-doc <none> (no description available)

-- debconf information:
  snort/startup: boot
  snort/please_restart_manually:
  snort/stats_treshold: 1
* snort/address_range: 10.0.1.0/24
  snort/options:
* snort/interface: eth0
* snort/stats_rcpt: root
  snort/config_parameters:
  snort/config_error:
  snort/reverse_order: false
  snort/disable_promiscuous: false

fragoffset.pcap
Description: Binary data
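
A way to check the fragment-offset field of the two packets independently of Snort: this added example (not part of the original report and not Snort code) decodes the outer IPv4 header of each hex dump above. The function names are illustrative, and the hex words are copied from the report's dumps with the ASCII column left out.

```python
import struct

# Hex words copied from the two tcpdump dumps in the report (ASCII column omitted).
PACKETS = {
    "first": """4500 0038 4dea 0000 fc01 a42b 4bb5 425c
                40ba fde3 0301 0239 0d48 3832 ac77 ddf0
                8010 c050 d9b6 0000 0101 080a 001c 3676
                422d 8afd 0103 0300""",
    "second": """4500 0038 4deb 0000 fc01 a42a 4bb5 425c
                 40ba fde3 0301 078f d7d6 fb5b 4686 228f
                 5010 faf0 5882 0000 0204 0218 0103 0300
                 0055 156b 01be f606""",
}

def ones_complement_sum(data):
    """16-bit one's-complement sum; a valid IPv4 header sums to 0xFFFF."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def parse_ipv4(raw):
    """Decode the fixed IPv4 header plus the first two ICMP bytes."""
    (ver_ihl, _tos, total_len, ident, flags_frag,
     ttl, proto, _csum, _src, _dst) = struct.unpack("!BBHHHBBH4s4s", raw[:20])
    ihl = (ver_ihl & 0x0F) * 4          # header length in bytes
    return {
        "total_length": total_len,
        "captured": len(raw),
        "id": ident,
        "df": bool(flags_frag & 0x4000),     # Don't Fragment flag
        "mf": bool(flags_frag & 0x2000),     # More Fragments flag
        "frag_offset": flags_frag & 0x1FFF,  # 13-bit offset, in 8-byte units
        "ttl": ttl,
        "protocol": proto,                   # 1 = ICMP
        "checksum_ok": ones_complement_sum(raw[:ihl]) == 0xFFFF,
        "icmp_type": raw[ihl],
        "icmp_code": raw[ihl + 1],
    }

def decode_report_packets():
    return {name: parse_ipv4(bytes.fromhex("".join(text.split())))
            for name, text in PACKETS.items()}

if __name__ == "__main__":
    for name, fields in decode_report_packets().items():
        print(name, fields)
```
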

