Snort mailing list archives
Re: What Rule??
From: Ueli Kistler <iuk () gmx ch>
Date: Sun, 16 Feb 2003 11:49:06 +0100
orig_p->iph was NULL. The question is why... IP header information was printed, but the function PrintIPHeader takes it from the p->iph field. In decode.c, somewhere before the code fragment below, DecodeIPOnly is called ( if(!DecodeIPOnly(pkt + 8, orig_p_caplen, p)) ), and p->orig_iph = (IPHdr *) pkt; should initialize p->orig_iph correctly, which is later assigned to orig_p->iph (orig_p->iph = p->orig_iph).
Perhaps you've got another Snort version..? (Not enough memory? ..what OS?)
This is a part of Snort source code from file log.c:
void PrintICMPHeader(FILE * fp, Packet * p)
<snip>
    Packet op;
    Packet *orig_p;
    int orig_iph_size;

    bzero((char *) &op, sizeof(Packet));
    orig_p = &op;

    orig_p->iph = p->orig_iph;
    /* from decode.h:
     *     IPHdr *iph, *orig_iph;   and orig. headers for ICMP_*_UNREACH family
     *
     * decode.c: when ICMP Destination Unreachable is the case, it calls
     * DecodeIPOnly (before this code fragment):
     *     int DecodeIPOnly(u_int8_t * pkt, const u_int32_t len, Packet * p)
     * and that is where orig_iph is initialized:
     *     p->orig_iph = (IPHdr *) pkt;   lay the IP struct over the raw data
     */
    orig_p->tcph = p->orig_tcph;
    orig_p->udph = p->orig_udph;
    orig_p->sp = p->orig_sp;
    orig_p->dp = p->orig_dp;

    if(orig_p->iph != NULL)   /* NULL? */
    {
        orig_iph_size = IP_HLEN(orig_p->iph) << 2;
        fprintf(fp, "\n** ORIGINAL DATAGRAM DUMP:\n");
        PrintIPHeader(fp, orig_p);
        switch(orig_p->iph->ip_proto)
        {
<snip>
        } /* switch */
        fprintf(fp, "** END OF DUMP");
    }
    else   /* NULL */
    {
        fprintf(fp, "\nORIGINAL DATAGRAM TRUNCATED");
    }
Regards,
Eclipse
eclipse () packx net
www.packx.net
--
Akerson, Jeff wrote:
Hi All

Can anyone tell me what is triggering this:

[**] [116:108:1] (snort_decoder) Unknown Datagram decoding problem! [**]
02/16-03:48:22.800777 10.67.8.137 -> 10.67.252.20
ICMP TTL:128 TOS:0x0 ID:32253 IpLen:20 DgmLen:31
Type:3 Code:3 DESTINATION UNREACHABLE: PORT UNREACHABLE
ORIGINAL DATAGRAM TRUNCATED

Is this coming from a rule or a preprocessor?

10.67.8.137 is a data collector for IP based security cameras
10.67.252.20 is a camera

Thanks!
Jeff

-------------------------------------------------------
This sf.net email is sponsored by: ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
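The numbers in Jeff's alert line up with the else branch of the log.c fragment above: DgmLen:31 minus the 20-byte IP header and the 8-byte ICMP header leaves 3 bytes of the original datagram, fewer than the 20 bytes a minimal IP header occupies, so there is nothing a decoder may safely lay an IPHdr over. The following C program is an added example written for this archive page, not Snort's code and not posted by either participant: IPHdr, ICMPHdr and Packet are simplified stand-ins (field names loosely follow the snippet), the two packets are hand-built (one reproduces the header values printed in the alert, one carries a complete quoted datagram), and the decoder shows the length check that has to precede the overlay and why the short case must leave orig_iph NULL instead of reading past the captured bytes. Where exactly Snort 1.9's DecodeIPOnly performs this check, and which decoder alert it raises, is not shown on this page and is not claimed here.

```c
/* Added example (not Snort's code): the length check that has to come before
 * "laying the IP struct over the raw data" of the datagram quoted inside an
 * ICMP Destination Unreachable. IPHdr/ICMPHdr/Packet are simplified stand-ins. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IP_HEADER_LEN     20
#define ICMP_HEADER_LEN   8
#define PROTO_ICMP        1
#define ICMP_DEST_UNREACH 3

typedef struct {              /* fixed IPv4 header, multi-byte fields left in wire order */
    uint8_t  ip_verhl;        /* version in the high nibble, IHL in 32-bit words in the low */
    uint8_t  ip_tos;
    uint16_t ip_len, ip_id, ip_off;
    uint8_t  ip_ttl, ip_proto;
    uint16_t ip_csum;
    uint32_t ip_src, ip_dst;
} IPHdr;
typedef struct { uint8_t type, code; uint16_t csum; uint32_t unused; } ICMPHdr;
typedef struct {
    const IPHdr   *iph;
    const ICMPHdr *icmph;
    const IPHdr   *orig_iph;  /* stays NULL when the quoted datagram is too short */
    size_t         orig_len;  /* bytes of the quoted datagram actually captured */
} Packet;

#define IP_HLEN(h) ((size_t)((h)->ip_verhl & 0x0f) << 2)

typedef enum {
    DECODE_OK,                /* orig_iph points at a complete inner IP header */
    DECODE_NOT_UNREACH,       /* not ICMP, or not type 3 */
    DECODE_OUTER_SHORT,       /* the outer IP or ICMP header is itself cut off */
    DECODE_ORIG_TRUNCATED     /* the "ORIGINAL DATAGRAM TRUNCATED" case */
} DecodeStatus;

/* len is the captured length of the outer IP datagram. Each pointer is set
 * only after the bytes it would cover have been shown to be present. */
static DecodeStatus decode_icmp_unreach(const uint8_t *pkt, size_t len, Packet *p)
{
    size_t hlen, remaining;
    const IPHdr *inner;
    memset(p, 0, sizeof *p);
    if (len < IP_HEADER_LEN)
        return DECODE_OUTER_SHORT;
    p->iph = (const IPHdr *)pkt;
    hlen = IP_HLEN(p->iph);
    if (hlen < IP_HEADER_LEN || hlen > len || len - hlen < ICMP_HEADER_LEN)
        return DECODE_OUTER_SHORT;
    if (p->iph->ip_proto != PROTO_ICMP)
        return DECODE_NOT_UNREACH;
    p->icmph = (const ICMPHdr *)(pkt + hlen);
    if (p->icmph->type != ICMP_DEST_UNREACH)
        return DECODE_NOT_UNREACH;

    remaining = len - hlen - ICMP_HEADER_LEN;  /* what is left for the quoted datagram */
    p->orig_len = remaining;
    if (remaining < IP_HEADER_LEN)
        return DECODE_ORIG_TRUNCATED;          /* orig_iph must stay NULL */
    inner = (const IPHdr *)(pkt + hlen + ICMP_HEADER_LEN);
    if (IP_HLEN(inner) < IP_HEADER_LEN || IP_HLEN(inner) > remaining)
        return DECODE_ORIG_TRUNCATED;          /* IHL claims more than was captured */
    p->orig_iph = inner;                       /* only now is the overlay safe */
    return DECODE_OK;
}

/* Constructed packets, checksums left zero; the union keeps them 4-byte aligned
 * for the struct overlay. The first copies the header values of the alert in
 * this thread (IpLen 20, DgmLen 31, TTL 128, ID 32253, type 3 code 3), which
 * leaves only 3 bytes of the original datagram after the ICMP header. */
static const union { uint32_t align; uint8_t b[31]; } sample_truncated = { .b = {
    0x45,0x00,0x00,0x1f, 0x7d,0xfd,0x00,0x00, 0x80,0x01,0x00,0x00,
    0x0a,0x43,0x08,0x89, 0x0a,0x43,0xfc,0x14,           /* 10.67.8.137 -> 10.67.252.20 */
    0x03,0x03,0x00,0x00, 0x00,0x00,0x00,0x00,           /* ICMP type 3, code 3 */
    0x45,0x00,0x00 } };                                 /* 3 bytes of the quoted datagram */
/* The second carries the complete quoted IP header plus 8 bytes of UDP (56 bytes). */
static const union { uint32_t align; uint8_t b[56]; } sample_full = { .b = {
    0x45,0x00,0x00,0x38, 0x7d,0xfe,0x00,0x00, 0x80,0x01,0x00,0x00,
    0x0a,0x43,0x08,0x89, 0x0a,0x43,0xfc,0x14, 0x03,0x03,0x00,0x00, 0x00,0x00,0x00,0x00,
    0x45,0x00,0x00,0x1c, 0x00,0x01,0x00,0x00, 0x40,0x11,0x00,0x00, /* inner IP, proto 17 */
    0x0a,0x43,0xfc,0x14, 0x0a,0x43,0x08,0x89,
    0x30,0x39,0x00,0x50, 0x00,0x08,0x00,0x00 } };       /* inner UDP 12345 -> 80 */

DecodeStatus decode_truncated_sample(void) { Packet p; return decode_icmp_unreach(sample_truncated.b, sizeof sample_truncated.b, &p); }
size_t truncated_sample_orig_len(void) { Packet p; decode_icmp_unreach(sample_truncated.b, sizeof sample_truncated.b, &p); return p.orig_len; }
int truncated_sample_orig_is_null(void) { Packet p; decode_icmp_unreach(sample_truncated.b, sizeof sample_truncated.b, &p); return p.orig_iph == NULL; }
DecodeStatus decode_full_sample(void) { Packet p; return decode_icmp_unreach(sample_full.b, sizeof sample_full.b, &p); }
int full_sample_orig_proto(void) { Packet p; return decode_icmp_unreach(sample_full.b, sizeof sample_full.b, &p) == DECODE_OK ? p.orig_iph->ip_proto : -1; }

int main(void)
{
    printf("alert packet: status %d, %zu bytes of quoted datagram, orig_iph %s\n",
           decode_truncated_sample(), truncated_sample_orig_len(), truncated_sample_orig_is_null() ? "NULL" : "set");
    printf("full packet:  status %d, inner proto %d\n", decode_full_sample(), full_sample_orig_proto());
    return 0;
}
```

The ordering inside decode_icmp_unreach is the point: the inner IPHdr pointer is assigned only after both the fixed 20 bytes and the length the inner IHL field claims have been checked against what was actually captured, so a short or lying quoted datagram ends in the TRUNCATED branch instead of an out-of-bounds read during PrintIPHeader.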
Current thread:
- What Rule?? Akerson, Jeff (Feb 15)
- Re: What Rule?? Ueli Kistler (Feb 16)
- Re: What Rule?? Jeff Nathan (Feb 16)
