[Snort-devel] IP dgm len < IP Hdr len Alert question

From: John Weidley <john(at)packetshack.org>
Date: Wed Apr 30 2003 - 12:26:52 EDT


A couple of days ago I received the following Snort alerts.

[**] [116:3:1] (snort_decoder) WARNING: IP dgm len < IP Hdr len! [**] 04/22-10:15:45.540548 AAA.AAA.16.30 -> BBB.BBB.198.38 ICMP TTL:127 TOS:0x0 ID:12788 IpLen:20 DgmLen:6 ICMP header truncated

[**] [116:3:1] (snort_decoder) WARNING: IP dgm len < IP Hdr len! [**] 04/22-10:15:50.628152 AAA.AAA.16.30 -> BBB.BBB.198.38 ICMP TTL:127 TOS:0x0 ID:12867 IpLen:20 DgmLen:6 ICMP header truncated

[**] [116:3:1] (snort_decoder) WARNING: IP dgm len < IP Hdr len! [**] 04/22-10:15:55.635856 AAA.AAA.16.30 -> BBB.BBB.198.38 ICMP TTL:127 TOS:0x0 ID:12987 IpLen:20 DgmLen:6 ICMP header truncated

[**] [116:3:1] (snort_decoder) WARNING: IP dgm len < IP Hdr len! [**] 04/22-10:16:00.643454 AAA.AAA.16.30 -> BBB.BBB.198.38 ICMP TTL:127 TOS:0x0 ID:13056 IpLen:20 DgmLen:6 ICMP header truncated

[**] [116:3:1] (snort_decoder) WARNING: IP dgm len < IP Hdr len! [**] 04/22-10:16:05.651236 AAA.AAA.16.30 -> BBB.BBB.198.38 ICMP TTL:127 TOS:0x0 ID:13153 IpLen:20 DgmLen:6 ICMP header truncated

I went to a raw tcpdump capture file of all traffic on the network and searched for all packets with a datagram length of 6 and got no output.
(tcpdump -xvvr <tcpdump_file> 'ip[2:2] = 6')

So I looked at all ICMP traffic between the 2 hosts. I found a 65K ICMP ping from a trusted box going to an external destination. This is obviously a separate issue as to why this is happening, and the wrong ICMP checksum. Here are the fragmented ICMP packets.

10:22:14.658918 AAA.AAA.16.30 > BBB.BBB.198.38: icmp: echo request (wrong icmp csum) (frag 19019:1480@0+) (ttl 127, len 1500)
10:22:14.660093 AAA.AAA.16.30 > BBB.BBB.198.38: (frag 19019:1480@1480+) (ttl 127, len 1500)
10:22:14.661324 AAA.AAA.16.30 > BBB.BBB.198.38: (frag 19019:1480@2960+) (ttl 127, len 1500)
10:22:14.662558 AAA.AAA.16.30 > BBB.BBB.198.38: (frag 19019:1480@4440+) (ttl 127, len 1500)
10:22:14.663787 AAA.AAA.16.30 > BBB.BBB.198.38: (frag 19019:1480@5920+) (ttl 127, len 1500)
10:22:14.665018 AAA.AAA.16.30 > BBB.BBB.198.38: (frag 19019:1480@7400+) (ttl 127, len 1500)
10:22:14.666253 AAA.AAA.16.30 > BBB.BBB.198.38: (frag 19019:1480@8880+) (ttl 127, len 1500)
10:22:14.667483 AAA.AAA.16.30 > BBB.BBB.198.38: (frag 19019:1480@10360+) (ttl 127, len 1500)
10:22:14.668712 AAA.AAA.16.30 > BBB.BBB.198.38: (frag 19019:1480@11840+) (ttl 127, len 1500)
10:22:14.669943 AAA.AAA.16.30 > BBB.BBB.198.38: (frag 19019:1480@13320+) (ttl 127, len 1500)
10:22:14.671176 AAA.AAA.16.30 > BBB.BBB.198.38: (frag 19019:1480@14800+) (ttl 127, len 1500)
10:22:14.672404 AAA.AAA.16.30 > BBB.BBB.198.38: (frag 19019:1480@16280+) (ttl 127, len 1500)
10:22:14.673636 AAA.AAA.16.30 > BBB.BBB.198.38: (frag 19019:1480@17760+) (ttl 127, len 1500)
10:22:14.674866 AAA.AAA.16.30 > BBB.BBB.198.38: (frag 19019:1480@19240+) (ttl 127, len 1500)
10:22:14.676098 AAA.AAA.16.30 > BBB.BBB.198.38: (frag 19019:1480@20720+) (ttl 127, len 1500)
10:22:14.677331 AAA.AAA.16.30 > BBB.BBB.198.38: (frag 19019:1480@22200+) (ttl 127, len 1500)
10:22:14.678561 AAA.AAA.16.30 > BBB.BBB.198.38: (frag 19019:1480@23680+) (ttl 127, len 1500)
10:22:14.679795 AAA.AAA.16.30 > BBB.BBB.198.38: (frag 19019:1480@25160+) (ttl 127, len 1500)
10:22:14.681023 AAA.AAA.16.30 > BBB.BBB.198.38: (frag 19019:1480@26640+) (ttl 127, len 1500)
10:22:14.682256 AAA.AAA.16.30 > BBB.BBB.198.38: (frag 19019:1480@28120+) (ttl 127, len 1500)
10:22:14.683485 AAA.AAA.16.30 > BBB.BBB.198.38: (frag 19019:1480@29600+) (ttl 127, len 1500)
10:22:14.684716 AAA.AAA.16.30 > BBB.BBB.198.38: (frag 19019:1480@31080+) (ttl 127, len 1500)
10:22:14.685951 AAA.AAA.16.30 > BBB.BBB.198.38: (frag 19019:1480@32560+) (ttl 127, len 1500)
10:22:14.687179 AAA.AAA.16.30 > BBB.BBB.198.38: (frag 19019:1480@34040+) (ttl 127, len 1500)
10:22:14.688412 AAA.AAA.16.30 > BBB.BBB.198.38: (frag 19019:1480@35520+) (ttl 127, len 1500)
10:22:14.689641 AAA.AAA.16.30 > BBB.BBB.198.38: (frag 19019:1480@37000+) (ttl 127, len 1500)
10:22:14.690872 AAA.AAA.16.30 > BBB.BBB.198.38: (frag 19019:1480@38480+) (ttl 127, len 1500)
10:22:14.692104 AAA.AAA.16.30 > BBB.BBB.198.38: (frag 19019:1480@39960+) (ttl 127, len 1500)
10:22:14.693337 AAA.AAA.16.30 > BBB.BBB.198.38: (frag 19019:1480@41440+) (ttl 127, len 1500)
10:22:14.694566 AAA.AAA.16.30 > BBB.BBB.198.38: (frag 19019:1480@42920+) (ttl 127, len 1500)
10:22:14.695797 AAA.AAA.16.30 > BBB.BBB.198.38: (frag 19019:1480@44400+) (ttl 127, len 1500)
10:22:14.697030 AAA.AAA.16.30 > BBB.BBB.198.38: (frag 19019:1480@45880+) (ttl 127, len 1500)
10:22:14.698259 AAA.AAA.16.30 > BBB.BBB.198.38: (frag 19019:1480@47360+) (ttl 127, len 1500)
10:22:14.699492 AAA.AAA.16.30 > BBB.BBB.198.38: (frag 19019:1480@48840+) (ttl 127, len 1500)
10:22:14.700721 AAA.AAA.16.30 > BBB.BBB.198.38: (frag 19019:1480@50320+) (ttl 127, len 1500)
10:22:14.701955 AAA.AAA.16.30 > BBB.BBB.198.38: (frag 19019:1480@51800+) (ttl 127, len 1500)
10:22:14.703183 AAA.AAA.16.30 > BBB.BBB.198.38: (frag 19019:1480@53280+) (ttl 127, len 1500)
10:22:14.704414 AAA.AAA.16.30 > BBB.BBB.198.38: (frag 19019:1480@54760+) (ttl 127, len 1500)
10:22:14.705645 AAA.AAA.16.30 > BBB.BBB.198.38: (frag 19019:1480@56240+) (ttl 127, len 1500)
10:22:14.706877 AAA.AAA.16.30 > BBB.BBB.198.38: (frag 19019:1480@57720+) (ttl 127, len 1500)
10:22:14.708112 AAA.AAA.16.30 > BBB.BBB.198.38: (frag 19019:1480@59200+) (ttl 127, len 1500)
10:22:14.709340 AAA.AAA.16.30 > BBB.BBB.198.38: (frag 19019:1480@60680+) (ttl 127, len 1500)
10:22:14.710571 AAA.AAA.16.30 > BBB.BBB.198.38: (frag 19019:1480@62160+) (ttl 127, len 1500)
10:22:14.711804 AAA.AAA.16.30 > BBB.BBB.198.38: (frag 19019:1480@63640+) (ttl 127, len 1500)
10:22:14.712073 AAA.AAA.16.30 > BBB.BBB.198.38: (frag 19019:388@65120) (ttl 127, len 408)

When I show the hex output and calculate the IHL and the total packet length, things just don't add up.

10:22:14.658918 AAA.AAA.16.30 > BBB.BBB.198.38: icmp: echo request (wrong icmp csum) (frag 19019:1480@0+) (ttl 127, len 1500)

4500 05dc 4a4b 2000 7f01 7c67 AAAA 101e
 ^   ^^^^
BBBB c626

IHL - (5 * 4) = 20
Total Length - 05dc = 1500

Where is Snort getting a datagram length of 6 bytes?



System Architecture: x86
Operating System and version: Linux 2.2.19pre17
Version of Snort: Version 2.0.0 (Build 72)
What preprocessors you loaded:
	preprocessor frag2
	preprocessor stream4: detect_scans, disable_evasion_alerts
	preprocessor stream4_reassemble
	preprocessor http_decode: 80 unicode iis_alt_unicode double_encode iis_flip_slash full_whitespace
	preprocessor rpc_decode: 111 32771
	preprocessor bo
	preprocessor telnet_decode
	preprocessor portscan: $HOME_NET 4 3 portscan.log
	preprocessor portscan-ignorehosts: $DNS_SERVERS

What rules (if any) you were using:
	include ./classification.config
	include ./reference.config
	include $RULE_PATH/bad-traffic.rules
	include $RULE_PATH/exploit.rules
	include $RULE_PATH/scan.rules
	include $RULE_PATH/finger.rules
	include $RULE_PATH/ftp.rules
	include $RULE_PATH/telnet.rules
	include $RULE_PATH/rservices.rules
	include $RULE_PATH/dos.rules
	include $RULE_PATH/ddos.rules
	include $RULE_PATH/dns.rules
	include $RULE_PATH/tftp.rules
	include $RULE_PATH/web-cgi.rules
	include $RULE_PATH/web-misc.rules
	include $RULE_PATH/web-client.rules
	include $RULE_PATH/web-php.rules
	include $RULE_PATH/sql.rules
	include $RULE_PATH/x11.rules
	include $RULE_PATH/netbios.rules
	include $RULE_PATH/misc.rules
	include $RULE_PATH/attack-responses.rules
	include $RULE_PATH/oracle.rules
	include $RULE_PATH/mysql.rules
	include $RULE_PATH/snmp.rules
	include $RULE_PATH/smtp.rules
	include $RULE_PATH/imap.rules
	include $RULE_PATH/pop3.rules
	include $RULE_PATH/nntp.rules
	include $RULE_PATH/other-ids.rules
	include $RULE_PATH/experimental.rules
	include $RULE_PATH/local.rules
	include $RULE_PATH/virus.rules

What output plug-ins you loaded:
	output log_tcpdump: tcpdump.log
	output database: log, mysql, user=user password=pwd dbname=snort host=127.0.0.1 sensor_name=sen

What command line switches you were using:

	-i $INTERFACE
	-z
	-F /etc/snort/ignore-filter.bpf
	-c /etc/snort/rules/snort.conf
	-l /var/log/snort
	-o
	-D
Any Snort error messages: None
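To make the two checks in the post concrete, here is an added example (not code from the post or from Snort) that does what the decoder and the tcpdump filter do by hand: it parses the 20-byte IP header quoted above, applies the header-length versus datagram-length sanity check that produces the "IP dgm len < IP Hdr len!" warning, and walks the tcpdump "(frag id:len@off+)" annotations to verify that the 45 fragments are contiguous and to compute the reassembled size. The address words AAAA/BBBB are anonymised on the page, so the sample headers substitute RFC 5737 documentation addresses (192.0.2.30 and 198.51.100.38); the truncated-header sample and the fragment lines are constructed from the alert fields and the tcpdump pattern shown in the post.

```python
from __future__ import annotations

import re
import struct
from dataclasses import dataclass

# Constructed sample: the first fragment's IP header from the post
# (4500 05dc 4a4b 2000 7f01 7c67 AAAA 101e BBBB c626) with the anonymised
# address words replaced by documentation addresses. The checksum 0x7c67 is
# the page's value and cannot verify against substituted addresses, so it is
# not checked here.
FIRST_FRAG_HDR = bytes.fromhex(
    "4500 05dc 4a4b 2000 7f01 7c67"
    "c000 021e"    # 192.0.2.30    stands in for AAA.AAA.16.30
    "c633 6426"    # 198.51.100.38 stands in for BBB.BBB.198.38
)

# Constructed sample with the fields of the first alert: IpLen 20, DgmLen 6,
# ID 12788 (0x31f4), TTL 127, protocol 1 (ICMP). Checksum left as zero.
TRUNCATED_HDR = bytes.fromhex("4500 0006 31f4 0000 7f01 0000 c000 021e c633 6426")


@dataclass
class IPv4Header:
    ihl_bytes: int       # header length in bytes (IHL field * 4)
    total_length: int    # the field the BPF expression ip[2:2] reads
    ident: int
    more_fragments: bool
    frag_offset: int     # in bytes (13-bit field * 8)
    ttl: int
    protocol: int
    src: str
    dst: str


def parse_ipv4(pkt: bytes) -> IPv4Header:
    """Decode the fixed 20-byte IPv4 header; raise if fewer bytes were captured."""
    if len(pkt) < 20:
        raise ValueError("fewer than 20 bytes captured, IP header truncated")
    vihl, _tos, tot, ident, flagoff, ttl, proto, _csum, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", pkt[:20])
    if vihl >> 4 != 4:
        raise ValueError("not an IPv4 datagram")
    return IPv4Header(
        ihl_bytes=(vihl & 0x0F) * 4, total_length=tot, ident=ident,
        more_fragments=bool(flagoff & 0x2000), frag_offset=(flagoff & 0x1FFF) * 8,
        ttl=ttl, protocol=proto,
        src=".".join(str(b) for b in src), dst=".".join(str(b) for b in dst))


def decoder_warnings(pkt: bytes) -> list[str]:
    """Length sanity checks in the spirit of the snort_decoder IP warnings."""
    h = parse_ipv4(pkt)
    warnings = []
    if h.ihl_bytes < 20:
        warnings.append("IP hdr len < 20")
    if h.total_length < h.ihl_bytes:
        # The condition behind the 116:3 alert quoted in the post.
        warnings.append("IP dgm len < IP Hdr len!")
    if h.total_length > len(pkt):
        warnings.append("IP dgm len > captured len")
    return warnings


FRAG_RE = re.compile(r"\(frag (\d+):(\d+)@(\d+)(\+?)\)")


def reassembled_lengths(tcpdump_lines: list[str]) -> dict[int, int]:
    """Per IP ID, the reassembled payload length implied by tcpdump's
    '(frag id:len@off+)' annotations; raises on gaps or a missing last piece."""
    pieces: dict[int, list[tuple[int, int, bool]]] = {}
    for line in tcpdump_lines:
        m = FRAG_RE.search(line)
        if m:
            ident, length, off, more = int(m[1]), int(m[2]), int(m[3]), m[4] == "+"
            pieces.setdefault(ident, []).append((off, length, more))
    totals: dict[int, int] = {}
    for ident, parts in pieces.items():
        parts.sort()
        expected = 0
        for off, length, more in parts:
            if off != expected:
                raise ValueError(f"id {ident}: fragment at {off}, expected {expected}")
            expected = off + length
        if parts[-1][2]:
            raise ValueError(f"id {ident}: last fragment still has MF set")
        totals[ident] = expected
    return totals


# Constructed from the pattern of the 45 tcpdump lines in the post:
# 44 fragments of 1480 bytes, then a final 388-byte piece at offset 65120.
FRAG_LINES = [
    f"10:22:14 AAA.AAA.16.30 > BBB.BBB.198.38: (frag 19019:1480@{i * 1480}+) (ttl 127, len 1500)"
    for i in range(44)
] + ["10:22:14 AAA.AAA.16.30 > BBB.BBB.198.38: (frag 19019:388@65120) (ttl 127, len 408)"]


if __name__ == "__main__":
    print(parse_ipv4(FIRST_FRAG_HDR))
    print(decoder_warnings(TRUNCATED_HDR))
    print(reassembled_lengths(FRAG_LINES))
```

Run against the post's data, the first-fragment header decodes to IHL 20, total length 1500, ID 19019, MF set at offset 0, TTL 127, protocol 1, which agrees with the tcpdump line and produces no decoder warning; the constructed 6-byte-datagram header produces exactly the "IP dgm len < IP Hdr len!" warning. The fragments are contiguous and sum to 65508 bytes of IP payload, i.e. an 8-byte ICMP header plus 65500 bytes of echo data, consistent with the 65K ping described above. Note that `ip[2:2] = 6` filters on the same total-length field the parser reads, so it only matches frames whose IP header actually carries that value.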



Snort-devel mailing list
Snort-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-devel
Received on Thu May 1 08:46:35 2003
