#156 IP fragments (base_qry_alert.php)

closed-fixed
Interface (166)
9
2006-11-28
2006-11-24
No

Hello,

sorry for bothering again about IP fragments.
The fragment fields are still not correct.
There are three issues:

1. myrow2[7] does NOT contain any information
about which flags are set or not set.
It just reflects whether or not a particular
packet is fragmented.

Cf. base-1.2.7/base_qry_alert.php:353
Cf. snort-2.6.1/src/output-plugins/spo_database.c:1609 and 1621
Cf. snort-2.6.1/src/decode.c:2375:

if(p->frag_offset || p->mf)
{
/* set the packet fragment flag */
p->frag_flag = 1;
pc.frags++;
}

The flags can neither be gained out of
ip_flags nor ip_off nor
out of any other field of the current
database schema (107).

Cf. snort-2.6.1/src/decode.c:2373

p->frag_offset &= 0x1FFF

2. myrow2[8] is provided by snort with data
that have a byteorder issue: The value is
still in network byteorder, as the value
has undergone ntohs() twice, rather than
just once, as it should have. This can
be fixed by base.

Cf. base-1.2.7/base_qry_alert.php:353
Cf. snort-2.6.1/src/output-plugins/spo_database.c:1607
Cf. snort-2.6.1/src/decode.c:2362

3. myrow2[8] is a value in units of 8 octets
(= 64 bits). In order to achieve results
that are consistent with what is usual
under tcpdump or ethereal, base
should convert the result to a value
in units of bytes rather than 8 octets.

Cf. RFC 791, 3.1 (= p. 14):
"The fragment offset is measured in units of 8 octets (64 bits)."

I attach the following patch (against base-1.2.7):
diff -Nurp base_qry_alert.php.orig base_qry_alert.php >
base_qry_alert.php.diff

Bye, bye

Juergen

Discussion

  • Kevin Johnson

    Kevin Johnson - 2006-11-26

    Logged In: YES
    user_id=836228
    Originator: NO

    I will check this in later today....

     
  • Kevin Johnson

    Kevin Johnson - 2006-11-28
    • labels: --> Interface
    • priority: 5 --> 9
    • assigned_to: nobody --> secureideas
    • status: open --> closed-fixed
     
  • Kevin Johnson

    Kevin Johnson - 2006-11-28

    Logged In: YES
    user_id=836228
    Originator: NO

    Applied patch and things seems to work well.... THANKS!

    This will be part of the next release which should be 1.3.5 (marie). It is in CVS now.

    Kevin