diff -uNr snort-2.2.0/src/decode.c snort-2.2.0-resets/src/decode.c
--- snort-2.2.0/src/decode.c Thu Jun 3 15:11:05 2004
+++ snort-2.2.0-resets/src/decode.c Wed Sep 8 16:41:38 2004
@@ -1720,6 +1720,7 @@
 u_int32_t ip_len; /* length from the start of the ip hdr to the pkt end */
 u_int32_t hlen; /* ip header length */
 u_int16_t csum; /* checksum */
+ Event event; /* for checksum alerts */
 /* lay the IP struct over the raw data */
 p->iph = (IPHdr *) pkt;
@@ -1847,6 +1848,11 @@
 {
 p->csum_flags |= CSE_IP;
 DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "Bad IP checksum\n"););
+
+ SetEvent(&event, GENERATOR_SNORT_DECODE, DECODE_BAD_IP_CHKSUM,
+ 1, DECODE_CLASS, 3, 0);
+ CallAlertFuncs(p, DECODE_BAD_IP_CHKSUM_STR, NULL, &event);
+
 }
 #ifdef DEBUG
 else
@@ -2105,6 +2111,7 @@
 u_int32_t hlen; /* TCP header length */
 u_short csum; /* checksum */
 struct pseudoheader ph; /* pseudo header declaration */
+ Event event; /* event for checksum alerts */
 if(len < 20)
 {
@@ -2197,6 +2204,11 @@
 DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "Bad TCP checksum\n", "0x%x versus 0x%x\n", csum, ntohs(p->tcph->th_sum)););
+
+ SetEvent(&event, GENERATOR_SNORT_DECODE, DECODE_BAD_TCP_CHKSUM,
+ 1, DECODE_CLASS, 3, 0);
+ CallAlertFuncs(p, DECODE_BAD_TCP_CHKSUM_STR, NULL, &event);
+
 }
 else
 {
@@ -2264,6 +2276,7 @@
 u_short csum;
 u_int16_t uhlen;
 struct pseudoheader ph;
+ Event event; /* for checksum alerts */
 if(len < sizeof(UDPHdr))
 {
@@ -2352,6 +2365,11 @@
 {
 p->csum_flags |= CSE_UDP;
 DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "Bad UDP Checksum\n"););
+
+ SetEvent(&event, GENERATOR_SNORT_DECODE, DECODE_BAD_UDP_CHKSUM,
+ 1, DECODE_CLASS, 3, 0);
+ CallAlertFuncs(p, DECODE_BAD_UDP_CHKSUM_STR, NULL, &event);
+
 }
 else
 {
@@ -2390,6 +2408,7 @@
 {
 u_int16_t csum;
 u_int16_t orig_p_caplen;
+ Event event; /* for checksum alerts */
 if(len < ICMP_HEADER_LEN)
 {
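Review bot: In the `@@ -1847` hunk the added `SetEvent`/`CallAlertFuncs` pair runs for every packet that fails checksum verification, with no run-mode or decoder-alert configuration check visible in the hunk and no rate limit, so a stream of corrupt packets (or a sensor capturing its own checksum-offloaded traffic) produces one alert per packet and can bury other alerts. If decode.c gates its other decoder alerts on a condition such as `if(runMode == MODE_IDS && pv.decoder_flags.decode_alerts)` (as I recall Snort 2.x doing; confirm against the file), these two calls should sit inside the same condition. The same applies to the TCP (`@@ -2197`), UDP (`@@ -2352`) and ICMP (`@@ -2503`) hunks. The enclosing functions start and end outside the hunks, so an existing outer guard cannot be ruled out from here.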
@@ -2503,6 +2522,11 @@
 p->csum_flags |= CSE_ICMP;
 DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "Bad ICMP Checksum\n"););
+
+ SetEvent(&event, GENERATOR_SNORT_DECODE, DECODE_BAD_ICMP_CHKSUM,
+ 1, DECODE_CLASS, 3, 0);
+ CallAlertFuncs(p, DECODE_BAD_ICMP_CHKSUM_STR, NULL, &event);
+
 }
 else
 {
diff -uNr snort-2.2.0/src/generators.h snort-2.2.0-resets/src/generators.h
--- snort-2.2.0/src/generators.h Thu Mar 11 16:25:52 2004
+++ snort-2.2.0-resets/src/generators.h Wed Sep 8 16:41:38 2004
@@ -164,6 +164,12 @@
 #define DECODE_BAD_TR_MR_LEN 142
 #define DECODE_BAD_TRHMR 143
+#define DECODE_BAD_IP_CHKSUM 150
+#define DECODE_BAD_TCP_CHKSUM 151
+#define DECODE_BAD_UDP_CHKSUM 152
+#define DECODE_BAD_ICMP_CHKSUM 153
+
+
 #define GENERATOR_SPP_SCAN2 117
 #define SCAN_TYPE 1
@@ -315,6 +321,11 @@
 #define DECODE_BAD_TR_ETHLLC_STR "(snort_decoder) WARNING: Bad Token Ring ETHLLC Header!"
 #define DECODE_BAD_TR_MR_LEN_STR "(snort_decoder) WARNING: Bad Token Ring MRLENHeader!"
 #define DECODE_BAD_TRHMR_STR "(snort_decoder) WARNING: Bad Token Ring MR Header!"
+
+#define DECODE_BAD_IP_CHKSUM_STR "(snort_decoder) WARNING: Bad IP Checksum!"
+#define DECODE_BAD_TCP_CHKSUM_STR "(snort_decoder) WARNING: Bad TCP Checksum!"
+#define DECODE_BAD_UDP_CHKSUM_STR "(snort_decoder) WARNING: Bad UDP Checksum!"
+#define DECODE_BAD_ICMP_CHKSUM_STR "(snort_decoder) WARNING: Bad ICMP Checksum!"
 #define SCAN2_PREFIX_STR "(spp_portscan2) Portscan detected from "
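Review bot: In the `@@ -164` hunk of generators.h the four new IDs 150–153 are allocated by this patch directly after `DECODE_BAD_TRHMR 143`, skipping 144–149, and nothing marks them as local additions; if a later upstream release assigns the same numbers under the decode generator, one ID would mean two different events in stored alerts and in any suppression or threshold configuration keyed on it. A comment above the block would record that, for example `/* local additions for checksum alerts; IDs not assigned upstream */`. No matching generator-message map entries are visible on this page, so tools that resolve generator/ID pairs to text may not label these alerts unless the map is updated as well.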