Re: Large ICMP Packets with strange payload

[Russell Fulton <R.FULTON () auckland ac nz>]

On Thu, 2002-01-10 at 06:21, Eric Landuyt wrote:
> Hello Brennan,
>
> BB> I do not like seeing strings like "arpspoof", "frag/defrag",
> BB> "stream_reassemble", "portscan", "rpc_decode", and "telnet_decode"  in Large
> BB> ICMP Packets.
>
> BB> Is this a Loki style covert communication channel, or just normal traffic?
>
> Fortunately, I think that this is not the case here.
> If I remember some preceding browsing in Snort's source code ;),
> most of the strings we found at the END OF THE  DUMP (not the end of the
> packet... I'll explain further) are identifiers/function
> names/params/... from Snort's itself.
> For example, we can find "stream4_reassemble" (relative to stream
> reassembling engine), or "spade-homenet" (relative to Spade -
> Statistical Packet Anomaly Detection Engine, a Snort preprocessor
> plugin).

There are bugs in the stream4 reassembling whereby snort gets the lengths wrong
and this causes 'garbage' to be appended to the packets before they go
through the packet matching engine and logging.  Marty made some changes 
yesterday which are in the latest 1.8.3 branch of the CVS.  I have not yet tried out this
version as I can not figure out how to get the 1.8.3 branch from the CVS.

-- 
Russell Fulton, Computer and Network Security Officer
The University of Auckland,  New Zealand


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com