Snort mailing list archives
Re: What Rule??
From: Ueli Kistler <iuk () gmx ch>
Date: Sun, 16 Feb 2003 11:49:06 +0100
orig_p->iph was NULL. The question is why... IP header information was printed, but the function PrintIPHeader takes it from p->iph field. In decode.c, somewhere before the code fragment below, DecodeIPOnly is called ( if(!DecodeIPOnly(pkt + 8, orig_p_caplen, p)) ) and p->orig_iph = (IPHdr *) pkt; should initialize p->orig_iph correctly, which is assigned later to orig_p->iph (orig_p->iph = p->orig_iph).
Perhaps you've got another Snort version..? (Not enough memory? ..what OS?)

This is a part of Snort source code from file log.c:

void PrintICMPHeader(FILE * fp, Packet * p)
<snip>
    Packet op;
    Packet *orig_p;
    int orig_iph_size;

    bzero((char *) &op, sizeof(Packet));
    orig_p = &op;

    orig_p->iph = p->orig_iph;
    // from decode.h: IPHdr *iph, *orig_iph;  /* and orig. headers for ICMP_*_UNREACH family */
    // Decode.c: When ICMP Destination unreachable is the case, it calls DecodeIPOnly (before this code fragment)
    // int DecodeIPOnly(u_int8_t * pkt, const u_int32_t len, Packet * p)
    // is correctly initialized: p->orig_iph = (IPHdr *) pkt; /* lay the IP struct over the raw data */
    orig_p->tcph = p->orig_tcph;
    orig_p->udph = p->orig_udph;
    orig_p->sp = p->orig_sp;
    orig_p->dp = p->orig_dp;

    if(orig_p->iph != NULL) // NULL?
    {
        orig_iph_size = IP_HLEN(orig_p->iph) << 2;
        fprintf(fp, "\n** ORIGINAL DATAGRAM DUMP:\n");
        PrintIPHeader(fp, orig_p);
        switch(orig_p->iph->ip_proto)
        {
            <snip>
        } /* switch */
        fprintf(fp, "** END OF DUMP");
    }
    else // NULL
    {
        fprintf(fp, "\nORIGINAL DATAGRAM TRUNCATED");
    }

Regards,
Eclipse
eclipse () packx net
www.packx.net

-- Akerson, Jeff wrote:
Hi All

Can anyone tell me what is triggering this:

[**] [116:108:1] (snort_decoder) Unknown Datagram decoding problem! [**]
02/16-03:48:22.800777 10.67.8.137 -> 10.67.252.20
ICMP TTL:128 TOS:0x0 ID:32253 IpLen:20 DgmLen:31
Type:3  Code:3  DESTINATION UNREACHABLE: PORT UNREACHABLE
ORIGINAL DATAGRAM TRUNCATED

Is this coming from a rule or a preprocessor?

10.67.8.137 is a data collector for IP based security cameras
10.67.252.20 is a camera

Thanks!
Jeff

-------------------------------------------------------
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
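The decode path the reply describes can be followed with the numbers in Jeff's alert: IpLen:20 and DgmLen:31 leave 11 bytes for ICMP, and after the 8-byte ICMP header only 3 bytes of the original datagram remain, fewer than the 20 bytes a minimal IPv4 header needs, so the embedded header cannot be overlaid and orig_iph stays NULL. The following is an added example written for this page; it is not Snort's code, and the struct layout, function names (decode_ip_only, decode_icmp_unreach, print_orig_datagram) and the two sample ICMP messages are constructed stand-ins for the real decode.c/log.c logic.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical simplifications of the Snort types named in the thread,
 * not the real decode.h definitions. */
#define ICMP_HDR_LEN 8          /* type, code, checksum, 4 bytes rest-of-header */
#define IP_MIN_HLEN  20         /* smallest legal IPv4 header */
#define IP_HLEN(ip)  ((ip)->ip_verhl & 0x0f)

typedef struct {
    uint8_t ip_verhl;           /* version (high nibble), header length in 32-bit words */
    uint8_t ip_tos;
    uint8_t ip_len[2];          /* raw bytes; byte order does not matter here */
    uint8_t ip_id[2];
    uint8_t ip_off[2];
    uint8_t ip_ttl;
    uint8_t ip_proto;
    uint8_t ip_csum[2];
    uint8_t ip_src[4];
    uint8_t ip_dst[4];
} IPHdr;                        /* 20 bytes, no padding */

typedef struct {
    IPHdr        orig_hdr;      /* copy of the embedded header (avoids unaligned access) */
    const IPHdr *orig_iph;      /* NULL when the embedded datagram could not be decoded */
    int          orig_truncated;
} Packet;

/* Bytes of the original datagram an ICMP error carries, from the IpLen and
 * DgmLen fields printed in an alert: DgmLen - IpLen - ICMP header. */
int orig_datagram_bytes(int dgm_len, int ip_hlen)
{
    int n = dgm_len - ip_hlen - ICMP_HDR_LEN;
    return n < 0 ? 0 : n;
}

/* Mirror of the DecodeIPOnly step: overlay an IP header on the bytes after the
 * ICMP header. Returns 1 on success, 0 if too short or header length is bogus. */
int decode_ip_only(const uint8_t *pkt, uint32_t len, Packet *p)
{
    p->orig_iph = NULL;
    p->orig_truncated = 0;
    if (len < IP_MIN_HLEN) {            /* not even a minimal IPv4 header present */
        p->orig_truncated = 1;
        return 0;
    }
    memcpy(&p->orig_hdr, pkt, sizeof p->orig_hdr);
    uint32_t hlen = (uint32_t)(IP_HLEN(&p->orig_hdr) << 2);
    if (hlen < IP_MIN_HLEN || hlen > len) {
        p->orig_truncated = 1;          /* header claims more than was captured */
        return 0;
    }
    p->orig_iph = &p->orig_hdr;
    return 1;
}

/* Type 3 (destination unreachable): skip the ICMP header, decode what follows. */
int decode_icmp_unreach(const uint8_t *icmp, uint32_t icmp_len, Packet *p)
{
    p->orig_iph = NULL;
    p->orig_truncated = 1;
    if (icmp_len < ICMP_HDR_LEN || icmp[0] != 3)
        return 0;
    return decode_ip_only(icmp + ICMP_HDR_LEN, icmp_len - ICMP_HDR_LEN, p);
}

/* Equivalent of the NULL check in PrintICMPHeader. Returns the embedded
 * datagram's protocol, or -1 when there was nothing to dump. */
int print_orig_datagram(FILE *fp, const Packet *p)
{
    if (p->orig_iph == NULL) {
        fprintf(fp, "ORIGINAL DATAGRAM TRUNCATED\n");
        return -1;
    }
    fprintf(fp, "** ORIGINAL DATAGRAM DUMP: proto %d, header %d bytes\n",
            (int)p->orig_iph->ip_proto, IP_HLEN(p->orig_iph) << 2);
    return p->orig_iph->ip_proto;
}

/* Constructed sample 1: port unreachable with only 3 bytes of the original
 * datagram, the situation IpLen:20 DgmLen:31 describes (31 - 20 - 8 = 3). */
const uint8_t sample_truncated[] = {
    0x03, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,     /* type 3, code 3, csum, unused */
    0x45, 0x00, 0x00                                    /* first 3 bytes of an IP header */
};

/* Constructed sample 2: same ICMP header, then a full 20-byte IP header
 * (proto 17 = UDP) and 8 bytes of UDP header, as RFC 792 requires. */
const uint8_t sample_complete[] = {
    0x03, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x45, 0x00, 0x00, 0x1c, 0x12, 0x34, 0x00, 0x00, 0x80, 0x11, 0x00, 0x00,
    0x0a, 0x43, 0xfc, 0x14, 0x0a, 0x43, 0x08, 0x89,     /* 10.67.252.20 -> 10.67.8.137 */
    0x04, 0xd2, 0x16, 0x2e, 0x00, 0x08, 0x00, 0x00      /* UDP 1234 -> 5678 */
};

int main(void)
{
    Packet p;
    decode_icmp_unreach(sample_truncated, sizeof sample_truncated, &p);
    print_orig_datagram(stdout, &p);    /* ORIGINAL DATAGRAM TRUNCATED */
    decode_icmp_unreach(sample_complete, sizeof sample_complete, &p);
    print_orig_datagram(stdout, &p);    /* ** ORIGINAL DATAGRAM DUMP: proto 17, ... */
    return 0;
}
```

The first sample reproduces the alert's outcome: decoding fails before any header field is read, the NULL check in the printer takes the TRUNCATED branch, and nothing dereferences the absent header. The second sample shows the normal path, where the embedded UDP datagram is available to the dump.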
Current thread:
- What Rule?? Akerson, Jeff (Feb 15)
- Re: What Rule?? Ueli Kistler (Feb 16)
- Re: What Rule?? Jeff Nathan (Feb 16)