From: Neil Dickey (neilgeol.niu.edu)
Date: Thu Jun 07 2001 - 12:56:54 CDT

    Phil Wood <cpwlanl.gov> wrote to the IPFilter list:

    >I've also seen problems with defrag, but have not gotten any confirmation.
    >It is my experience that certain fragment sequences in conjunction with
    >some unknown force cause the creation of mutant packets, that is:
    >
    > IP: proto=icmp (20 byte header)
    > DATA from somewhere in snort memory (not another incoming packet)
    >
    >Makes for some real weird ICMP type / code packets if you are looking for
    >that sort of thing.

    I've been seeing alerts like these:

    =====================================================
    [**] PING-ICMP Destination Unreachable [**]
    06/03-00:56:43.763294 12.127.237.65 -> xxx.yyy.zzz
    ICMP TTL:241 TOS:0x0 ID:14290 IpLen:20 DgmLen:56
    Type:3 Code:13 DESTINATION UNREACHABLE: PACKET FILTERED
    ** ORIGINAL DATAGRAM DUMP:
    xxx.yyy.zzz:25 -> 128.138.77.15:38058
    TCP TTL:246 TOS:0x0 ID:24527 IpLen:20 DgmLen:40
    12U*PRS* Seq: 0xD1F97B19 Ack: 0x0 Win: 0x0 TcpLen: 0 UrgPtr: 0x0
    ** END OF DUMP
    ======================================================

    What particularly interests me is the really unusual collection of flags
    reported for the original datagram, viz., 12U*PRS*. Is this the sort of
    thing you are referring to?

    Best regards,

    Neil Dickey, Ph.D.
    Research Associate/Sysop
    Geology Department
    Northern Illinois University
    DeKalb, Illinois
    60115
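The flag field in that dump is worth decoding. Snort prints the TCP flag byte as eight characters, the two reserved bits, then URG, ACK, PSH, RST, SYN, FIN, with `*` for a clear bit, so `12U*PRS*` means both reserved bits plus URG, PSH, RST and SYN are set on a segment with a TcpLen of 0, a combination no real stack emits. As an added example (not from the post or from Snort), here is a small Python parser for that dump that lists why the decoded header is implausible, run on a constructed copy of the alert above:

```python
import re

# Snort prints the TCP flag byte as eight characters in this order, using '*' for a
# bit that is clear: reserved bit 1, reserved bit 2, URG, ACK, PSH, RST, SYN, FIN.
FLAG_NAMES = ("RES1", "RES2", "URG", "ACK", "PSH", "RST", "SYN", "FIN")

# Constructed sample: the ORIGINAL DATAGRAM DUMP section of the alert quoted above.
SAMPLE_DUMP = """\
xxx.yyy.zzz:25 -> 128.138.77.15:38058
TCP TTL:246 TOS:0x0 ID:24527 IpLen:20 DgmLen:40
12U*PRS* Seq: 0xD1F97B19 Ack: 0x0 Win: 0x0 TcpLen: 0 UrgPtr: 0x0
"""

def parse_flags(field):
    """Map a Snort flag field such as '12U*PRS*' to the set of flags that are set."""
    if len(field) != 8:
        raise ValueError(f"expected an 8-character flag field, got {field!r}")
    return {name for name, ch in zip(FLAG_NAMES, field) if ch != "*"}

def parse_tcp_dump(text):
    """Pull the IP and TCP header fields out of a Snort TCP dump into a dict."""
    ip = re.search(r"IpLen:(\d+) DgmLen:(\d+)", text)
    tcp = re.search(r"^(\S{8}) Seq: 0x([0-9A-Fa-f]+) Ack: 0x([0-9A-Fa-f]+)"
                    r" Win: 0x([0-9A-Fa-f]+) TcpLen: (\d+)", text, re.M)
    if not ip or not tcp:
        raise ValueError("not a Snort TCP dump")
    return {
        "iplen": int(ip.group(1)), "dgmlen": int(ip.group(2)),
        "flags": parse_flags(tcp.group(1)),
        "seq": int(tcp.group(2), 16), "ack": int(tcp.group(3), 16),
        "win": int(tcp.group(4), 16), "tcplen": int(tcp.group(5)),
    }

def sanity_problems(pkt):
    """List the reasons a decoded TCP header cannot be a segment a real stack sent."""
    f, problems = pkt["flags"], []
    if f & {"RES1", "RES2"}:
        problems.append("reserved bits set")
    if {"SYN", "RST"} <= f:
        problems.append("SYN and RST together")
    if "SYN" in f and f & {"PSH", "URG"}:
        problems.append("SYN with PSH/URG")
    if pkt["tcplen"] < 20:
        problems.append("TcpLen below the 20-byte minimum")
    return problems

if __name__ == "__main__":
    for p in sanity_problems(parse_tcp_dump(SAMPLE_DUMP)):
        print("implausible:", p)
```

A header that trips several of these checks at once, as this one does, is more likely decoder or memory garbage (the "mutant packet" Phil describes) than crafted traffic, which is worth knowing before chasing the source address.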

    _______________________________________________
    Snort-users mailing list
    Snort-users@lists.sourceforge.net
    Go to this URL to change user options or unsubscribe:
    http://lists.sourceforge.net/lists/listinfo/snort-users
    Snort-users list archive:
    http://www.geocrawler.com/redir-sf.php3?list=snort-users