Snort mailing list archives

Re: What Rule??


From: Ueli Kistler <iuk () gmx ch>
Date: Sun, 16 Feb 2003 11:49:06 +0100

orig_p->iph was NULL. The question is why... The IP header information was printed, but the function PrintIPHeader takes it from the p->iph field. In decode.c, somewhere before the code fragment below, DecodeIPOnly is called ( if(!DecodeIPOnly(pkt + 8, orig_p_caplen, p)) ), and p->orig_iph = (IPHdr *) pkt; should initialize p->orig_iph correctly; it is assigned later to orig_p->iph (orig_p->iph = p->orig_iph).

Perhaps you've got another Snort version? (Not enough memory? What OS?)

This is part of the Snort source code, from the file log.c:

void PrintICMPHeader(FILE * fp, Packet * p)

               <snip>

               Packet op;
               Packet *orig_p;
               int orig_iph_size;

               bzero((char *) &op, sizeof(Packet));
               orig_p = &op;

               /* From decode.h: IPHdr *iph, *orig_iph;
                *   "and orig. headers for ICMP_*_UNREACH family"
                * decode.c: when the ICMP message is a Destination Unreachable,
                * it calls DecodeIPOnly (before this code fragment):
                *   int DecodeIPOnly(u_int8_t * pkt, const u_int32_t len, Packet * p)
                * which correctly initializes the field:
                *   p->orig_iph = (IPHdr *) pkt;  -- lay the IP struct over the raw data */
               orig_p->iph = p->orig_iph;
               orig_p->tcph = p->orig_tcph;
               orig_p->udph = p->orig_udph;
               orig_p->sp = p->orig_sp;
               orig_p->dp = p->orig_dp;

               if(orig_p->iph != NULL)                       /* NULL? */
               {
                   orig_iph_size = IP_HLEN(orig_p->iph) << 2;

                   fprintf(fp, "\n** ORIGINAL DATAGRAM DUMP:\n");
                   PrintIPHeader(fp, orig_p);

                   switch(orig_p->iph->ip_proto)
                   {

                       <snip>

                   }       /* switch */

                   fprintf(fp, "** END OF DUMP");
               }
               else                                          /* NULL */
               {
                   fprintf(fp, "\nORIGINAL DATAGRAM TRUNCATED");
               }

Regards,
   Eclipse
   eclipse () packx net
   www.packx.net

--
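
The alert line itself shows where the NULL comes from: DgmLen:31 with IpLen:20 leaves 11 bytes for ICMP, and after the 8-byte ICMP header only 3 bytes of the original datagram remain, fewer than the 20 bytes a minimal IP header needs, so nothing can be laid over them. The following is an added example (not Snort's code, and not from either poster) that parses an IPv4/ICMP packet the way PrintICMPHeader expects it to have been decoded, with a stand-in for DecodeIPOnly's length check. The packet bytes are constructed from the fields in the alert (checksums zeroed, 3 trailing bytes of original datagram), alongside a well-formed counterpart carrying a full inner IP header plus 8 bytes of UDP; the function names, the struct and the exact checks are assumptions for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IP_HEADER_LEN     20
#define ICMP_HEADER_LEN   8
#define IPPROTO_ICMP_NUM  1
#define ICMP_DEST_UNREACH 3

/* What could be recovered from one ICMP error message. orig_iph stays NULL
 * when the bytes after the ICMP header cannot hold a complete inner IP
 * header, which is the case in which PrintICMPHeader prints
 * "ORIGINAL DATAGRAM TRUNCATED". (Hypothetical struct, not Snort's Packet.) */
struct icmp_orig {
    const uint8_t *iph;      /* outer IP header */
    const uint8_t *icmph;    /* ICMP header */
    const uint8_t *orig_iph; /* inner (original) IP header, or NULL */
    size_t orig_len;         /* bytes present after the ICMP header */
};

/* Stand-in (assumed, not Snort's own) for the minimum-length check
 * DecodeIPOnly() must make before laying an IPHdr over the raw bytes.
 * Sets out->orig_iph and returns 1 only when a full inner header is there. */
static int decode_ip_only(const uint8_t *pkt, size_t len, struct icmp_orig *out)
{
    if (len < IP_HEADER_LEN)
        return 0;                               /* truncated: leave orig_iph NULL */
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;   /* header length incl. options */
    if ((pkt[0] >> 4) != 4 || ihl < IP_HEADER_LEN || ihl > len)
        return 0;
    out->orig_iph = pkt;
    return 1;
}

/* Parse one captured IPv4/ICMP packet. Returns 1 when the outer IP and ICMP
 * headers are complete, 0 otherwise. For Destination Unreachable messages it
 * also tries to decode the quoted original datagram. */
int decode_icmp_packet(const uint8_t *pkt, size_t caplen, struct icmp_orig *out)
{
    memset(out, 0, sizeof *out);
    if (caplen < IP_HEADER_LEN || (pkt[0] >> 4) != 4)
        return 0;
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;
    size_t dgmlen = ((size_t)pkt[2] << 8) | pkt[3];   /* "DgmLen" in the alert */
    if (ihl < IP_HEADER_LEN || dgmlen < ihl || dgmlen > caplen)
        return 0;
    if (pkt[9] != IPPROTO_ICMP_NUM)
        return 0;
    out->iph = pkt;

    const uint8_t *icmp = pkt + ihl;
    size_t icmp_len = dgmlen - ihl;
    if (icmp_len < ICMP_HEADER_LEN)
        return 0;
    out->icmph = icmp;

    if (icmp[0] == ICMP_DEST_UNREACH) {
        out->orig_len = icmp_len - ICMP_HEADER_LEN;
        decode_ip_only(icmp + ICMP_HEADER_LEN, out->orig_len, out);
    }
    return 1;
}

/* 1 = original datagram truncated, 0 = decoded, -1 = outer headers unusable. */
int orig_datagram_truncated(const uint8_t *pkt, size_t caplen)
{
    struct icmp_orig o;
    if (!decode_icmp_packet(pkt, caplen, &o))
        return -1;
    return o.orig_iph == NULL ? 1 : 0;
}

/* Constructed packet matching the alert fields (10.67.8.137 -> 10.67.252.20,
 * TTL 128, ID 32253, IpLen 20, DgmLen 31, Type 3 Code 3). Checksums zeroed. */
const uint8_t truncated_pkt[31] = {
    0x45, 0x00, 0x00, 0x1f, 0x7d, 0xfd, 0x00, 0x00, 0x80, 0x01, 0x00, 0x00,
    0x0a, 0x43, 0x08, 0x89, 0x0a, 0x43, 0xfc, 0x14,   /* outer IP, 20 bytes  */
    0x03, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,   /* ICMP 3/3, 8 bytes   */
    0x45, 0x00, 0x00                                   /* 3 bytes of original */
};

/* Constructed well-formed counterpart: same outer headers but DgmLen 56,
 * carrying a full inner IP header (UDP, 10.67.252.20 -> 10.67.8.137) and the
 * first 8 bytes of its UDP header. */
const uint8_t complete_pkt[56] = {
    0x45, 0x00, 0x00, 0x38, 0x7d, 0xfd, 0x00, 0x00, 0x80, 0x01, 0x00, 0x00,
    0x0a, 0x43, 0x08, 0x89, 0x0a, 0x43, 0xfc, 0x14,
    0x03, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x45, 0x00, 0x00, 0x1c, 0x00, 0x01, 0x00, 0x00, 0x40, 0x11, 0x00, 0x00,
    0x0a, 0x43, 0xfc, 0x14, 0x0a, 0x43, 0x08, 0x89,   /* inner IP, 20 bytes  */
    0x04, 0xd2, 0x00, 0x35, 0x00, 0x08, 0x00, 0x00    /* inner UDP, 8 bytes  */
};

static void report(const char *label, const uint8_t *pkt, size_t caplen)
{
    struct icmp_orig o;
    if (!decode_icmp_packet(pkt, caplen, &o)) {
        printf("%s: outer headers unusable\n", label);
        return;
    }
    size_t dgmlen = ((size_t)pkt[2] << 8) | pkt[3];
    printf("%s: DgmLen %zu, %zu byte(s) after the ICMP header -> %s\n", label,
           dgmlen, o.orig_len,
           o.orig_iph ? "ORIGINAL DATAGRAM DUMP" : "ORIGINAL DATAGRAM TRUNCATED");
}

int main(void)
{
    report("alert packet", truncated_pkt, sizeof truncated_pkt);
    report("well-formed ", complete_pkt, sizeof complete_pkt);
    return 0;
}
```

Run as-is, the alert packet reports 3 bytes after the ICMP header and the TRUNCATED branch, while the 56-byte packet decodes its inner header. The same arithmetic applied to a capture (DgmLen minus IpLen minus 8, compared with 20) tells you, before reading any Snort source, whether "ORIGINAL DATAGRAM TRUNCATED" is a decoder problem or simply a sender that quotes too little of the datagram it is rejecting.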



Akerson, Jeff wrote:

Hi All

Can anyone tell me what is triggering this:

[**] [116:108:1] (snort_decoder) Unknown Datagram decoding problem! [**]
02/16-03:48:22.800777 10.67.8.137 -> 10.67.252.20
ICMP TTL:128 TOS:0x0 ID:32253 IpLen:20 DgmLen:31
Type:3  Code:3  DESTINATION UNREACHABLE: PORT UNREACHABLE
ORIGINAL DATAGRAM TRUNCATED

Is this coming from a rule or a preprocessor?

10.67.8.137 is a data collector for IP-based security cameras; 10.67.252.20
is a camera.

Thanks!
Jeff




-------------------------------------------------------
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
