[Snort-users] [Fwd: Re: [Snort-devel] IP Option Router Alert Wrong



Old 07-09-2007
Todd Wease


Message-ID: <4692625B.1070801@sourcefire.com>
Date: Mon, 09 Jul 2007 12:29:15 -0400
From: Todd Wease <twease@sourcefire.com>
To: Jeffrey Denton <dentonj@gmail.com>
Cc: snort-devel@lists.sourceforge.net
Subject: Re: [Snort-devel] IP Option Router Alert Wrong Value

Jeffrey Denton wrote:
> In snort-2.7.0.RC2/src/decode.h:
>
> #ifndef IPOPT_RTRALT
> #define IPOPT_RTRALT 0x14
>
> This is equivalent to decimal value 20. However at
> http://www.iana.org/assignments/ip-parameters, RTRALT is listed as
> having a decimal value of 148. The confusion starts with RFC 2113:
>
> http://www.ietf.org/rfc/rfc2113.txt:
>
> The Router Alert option has the following format:
>
> +--------+--------+--------+--------+
> |10010100|00000100| 2 octet value |
> +--------+--------+--------+--------+
>
> Type:
> Copied flag: 1 (all fragments must carry the option)
> Option class: 0 (control)
> Option number: 20 (decimal)
>
> It would appear that the value for the Router Alert option is 20.
> However in RFC 791:
>
> http://www.ietf.org/rfc/rfc0791.txt
>
> The option-type octet is viewed as having 3 fields:
>
> 1 bit copied flag,
> 2 bits option class,
> 5 bits option number.
>
> All 8 bits are used to determine the IP option type value. Examples
> from RFC 791:
>
> Loose Source and Record Route
>
> +--------+--------+--------+---------//--------+
> |10000011| length | pointer| route data |
> +--------+--------+--------+---------//--------+
> Type=131
>
> Strict Source and Record Route
>
> +--------+--------+--------+---------//--------+
> |10001001| length | pointer| route data |
> +--------+--------+--------+---------//--------+
> Type=137
>
> The IP option type value for Router Alert (RTRALT) should be 148
> decimal. The fix is to change decode.h to:
>
> #ifndef IPOPT_RTRALT
> #define IPOPT_RTRALT 0x94
>
> This bug also affects snort-2.6.1.5.
>


Thanks for pointing this out, Jeffrey. A bug has been created. Not sure
yet what release this fix will be in, but attached is a patch to change
that option to the correct value.

Thanks
Todd


Attachment: ipopt_rtralt.diff (text/x-patch)

Index: src/decode.h
================================================== =================
RCS file: /usr/cvsroot-snort/snort/src/decode.h,v
retrieving revision 1.94.2.10
diff -p -u -r1.94.2.10 decode.h
--- src/decode.h 26 Apr 2007 20:45:20 -0000 1.94.2.10
+++ src/decode.h 9 Jul 2007 16:30:45 -0000
@@ -457,7 +457,7 @@ struct enc_header {
#endif

#ifndef IPOPT_RTRALT
- #define IPOPT_RTRALT 0x14
+ #define IPOPT_RTRALT 0x94
#endif

#ifndef IPOPT_TS

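Review bot: the corrected value is right (copied=1, class=0, number=20 gives 0x80 | 0x14 = 0x94, IANA's 148 decimal), but because the define sits inside `#ifndef IPOPT_RTRALT`, it only takes effect when the platform's system headers leave the symbol undefined; on systems that do define it, the header's value wins, so a static check such as `#if IPOPT_RTRALT != 0x94` with an `#error` after the block would catch a platform that ships the same wrong value. A short comment citing RFC 2113 / IANA next to the define would also explain why the type octet is 0x94 rather than the bare option number 0x14, since that is exactly the confusion that prompted the report.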

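The RFC 791 field split that Jeffrey walks through, plus an options-area scan showing why a decoder comparing against 0x14 never finds Router Alert, as an added example in C (not Snort's decoder and not part of the original thread); the sample options bytes and the helper names are constructed for illustration.

```c
/* Added example, not Snort code: decode the IPv4 option-type octet and
 * locate Router Alert in an options area. Values are from RFC 791/2113. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define IPOPT_EOL    0x00
#define IPOPT_NOP    0x01
#define IPOPT_RTRALT 0x94   /* copied=1, class=0, number=20 -> 148 decimal */

/* RFC 791 option-type octet: 1 bit copied, 2 bits class, 5 bits number. */
static int ipopt_copied(uint8_t t) { return t >> 7; }
static int ipopt_class(uint8_t t)  { return (t >> 5) & 0x03; }
static int ipopt_number(uint8_t t) { return t & 0x1f; }
static uint8_t ipopt_type(int copied, int cls, int num) {
    return (uint8_t)(((copied & 1) << 7) | ((cls & 3) << 5) | (num & 0x1f));
}

/* Walk the options area that follows the fixed IPv4 header and return the
 * offset of the first option whose full type octet equals `wanted`.
 * Returns -1 if absent, -2 if the options area is malformed. */
static int find_ipopt(const uint8_t *opts, size_t len, uint8_t wanted) {
    size_t i = 0;
    while (i < len) {
        uint8_t type = opts[i];
        if (type == IPOPT_EOL) break;                 /* end of option list */
        if (type == IPOPT_NOP) { i++; continue; }     /* single-octet option */
        if (i + 1 >= len) return -2;                  /* no length octet */
        uint8_t olen = opts[i + 1];
        if (olen < 2 || olen > len - i) return -2;    /* bad length: stop */
        if (type == wanted) return (int)i;
        i += olen;
    }
    return -1;
}

/* Constructed sample: NOP, then Router Alert (type 0x94, length 4, value 0
 * = "router shall examine packet"), then EOL padding to a 4-octet multiple. */
static const uint8_t sample_opts[] = {0x01, 0x94, 0x04, 0x00, 0x00, 0x00, 0x00, 0x00};
/* Constructed malformed sample: Router Alert claiming a length past the end. */
static const uint8_t sample_bad[]  = {0x94, 0x09, 0x00};

int main(void) {
    uint8_t t = IPOPT_RTRALT;
    printf("0x%02x: copied=%d class=%d number=%d\n",
           t, ipopt_copied(t), ipopt_class(t), ipopt_number(t));
    printf("RTRALT at offset %d with 0x94, %d with the old 0x14\n",
           find_ipopt(sample_opts, sizeof sample_opts, 0x94),
           find_ipopt(sample_opts, sizeof sample_opts, 0x14));
    return 0;
}
```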