[Snort-devel] [ snort-Bugs-741138 ] snort-2.0.0: Crash on fragmented packets from Nmap

From: SourceForge.net <noreply(at)sourceforge.net>
Date: Thu May 22 2003 - 11:50:46 EDT


Bugs item #741138, was opened at 2003-05-21 14:21
Message generated for change (Comment added) made by chrisgreen
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=103357&aid=741138&group_id=3357

Category: None
Group: None
Status: Open
Resolution: None
Priority: 5
Submitted By: Jon Werrett (werrettt)
Assigned to: Nobody/Anonymous (nobody)
Summary: snort-2.0.0: Crash on fragmented packets from Nmap

Initial Comment:
Nmap can crash snort by using fragmented portscans.

example:
nmap -f -sS <host>

In verbose mode snort spits out:
ERROR: OpenSessionFile() => fopen((null)) session file: File exists
Fatal Error, Quitting..

nmap version: 3.27

snort version: Version 2.0.0 (Build 72)

Ethernet dmesg:
eth0: Lite-On 82c168 PNIC rev 32 at 0xc800, 00:A0:CC:D0:F9:21, IRQ 9.

uname -a:
Linux euler 2.4.20-gentoo-r2 #3 SMP Tue Apr 8 23:57:17 WST 2003 i686 Pentium III (Coppermine)

gcc version: 2.95.3

I'm not using any aggressive compiler optimisations either (-O3).


>Comment By: Chris Green (chrisgreen)
Date: 2003-05-22 15:50

Message:
Logged In: YES
user_id=429629

The problem is erroring in the code for session: printable.

Is your disk full? Perhaps include df -i and df.


Comment By: Jon Werrett (werrettt)
Date: 2003-05-22 15:41

Message:
Logged In: YES
user_id=783803

snort command line:
snort -D -c snort.conf -l logs/ not dst host 10.0.0.3

snort.conf (aimed at honeypots as provided by Project Honeynet):
# Last Updated by the Honeynet Project
# 27 March, 2003
 

var HOME_NET 10.0.0.0/24
var EXTERNAL_NET any
var AIM_SERVERS $HOME_NET
var HTTP_SERVERS $HOME_NET
var SMTP_SERVERS $HOME_NET
var TELNET_SERVERS $HOME_NET
var SQL_SERVERS $HOME_NET
var DNS_SERVERS $HOME_NET  

var HTTP_PORTS 80
var SHELLCODE_PORTS !80
var ORACLE_PORTS 1521  

preprocessor frag2
preprocessor stream4: detect_scans
preprocessor stream4_reassemble
preprocessor http_decode: 80 unicode iis_alt_unicode double_encode iis_flip_slash full_whitespace
preprocessor rpc_decode: 111 32771
preprocessor telnet_decode
preprocessor bo: -nobrute
#preprocessor asn1_decode
 

# Use portscan-ignorehosts to ignore TCP SYN and UDP "scans" from
# specific networks or hosts to reduce false alerts. It is typical
# to see many false alerts from DNS servers so you may want to
# add your DNS servers here. You can add multiple hosts/networks
# in a whitespace-delimited list.
#
#preprocessor portscan-ignorehosts: $DNS_SERVERS
   

####################################################################
# Step #3: Configure output plugins
#
# Uncomment and configure the output plugins you decide to use.
# General configuration for output plugins is of the form:
 

#output database: log, mysql, user=sensor1 password=snort dbname=snort host=db.honeynet.org sensor_name=sensor1 detail=fast
#output alert_syslog: LOG_LOCAL1 LOG_INFO
output alert_full: snort_full
output alert_fast: snort_fast
output log_tcpdump: snort.log  

##### Log everything

log ip any any <> any any (msg: "Snort Unmatched"; session: printable;)  

var RULE_PATH /etc/snort  

# Include classification & priority settings
# Include reference config
 

include $RULE_PATH/classification.config
include $RULE_PATH/reference.config

####################################################################
# Step #4: Customize your rule set
 

include $RULE_PATH/bad-traffic.rules
include $RULE_PATH/exploit.rules
include $RULE_PATH/scan.rules
include $RULE_PATH/finger.rules
include $RULE_PATH/ftp.rules
include $RULE_PATH/telnet.rules
include $RULE_PATH/rpc.rules
include $RULE_PATH/rservices.rules
include $RULE_PATH/dos.rules
include $RULE_PATH/ddos.rules
include $RULE_PATH/dns.rules
include $RULE_PATH/tftp.rules
include $RULE_PATH/web-cgi.rules
include $RULE_PATH/web-coldfusion.rules
include $RULE_PATH/web-iis.rules
include $RULE_PATH/web-frontpage.rules
include $RULE_PATH/web-misc.rules
include $RULE_PATH/web-client.rules
include $RULE_PATH/web-php.rules
include $RULE_PATH/sql.rules
include $RULE_PATH/x11.rules
include $RULE_PATH/icmp.rules
include $RULE_PATH/netbios.rules
include $RULE_PATH/misc.rules
include $RULE_PATH/attack-responses.rules
include $RULE_PATH/oracle.rules
include $RULE_PATH/mysql.rules
include $RULE_PATH/snmp.rules
include $RULE_PATH/smtp.rules
include $RULE_PATH/imap.rules
include $RULE_PATH/pop3.rules
include $RULE_PATH/nntp.rules
include $RULE_PATH/other-ids.rules
include $RULE_PATH/web-attacks.rules
include $RULE_PATH/backdoor.rules
include $RULE_PATH/shellcode.rules
include $RULE_PATH/policy.rules
include $RULE_PATH/porn.rules
include $RULE_PATH/info.rules
include $RULE_PATH/icmp-info.rules
include $RULE_PATH/virus.rules
include $RULE_PATH/chat.rules
include $RULE_PATH/multimedia.rules
include $RULE_PATH/p2p.rules
include $RULE_PATH/experimental.rules
include $RULE_PATH/local.rules


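A small configuration audit in Python, added here as an example; it is not code from this thread or from the Snort project. It runs over a constructed excerpt modelled on the snort.conf pasted above, reports the two kinds of pasting damage visible in that paste (two statements fused onto one line, and comment or continuation text that landed on an uncommented line, which Snort would try to parse as a directive), and flags any-to-any rules that carry a session: option, since Chris Green's reply points at the session/printable code and asks for df and df -i output: a session: rule that matches every flow opens one session file per flow in the log directory, scan probes included, so disk and inode headroom is the first thing to check. The function names, the Finding tuple and the sample excerpt are this example's own; the rule grammar handled is the Snort 2.0 header/option form shown in the paste.

```python
import re
from collections import namedtuple

# Constructed excerpt modelled on the snort.conf in the report; it keeps the
# pasting defects visible in the thread: fused statements, comment text broken
# onto an uncommented line, and an uncommented continuation of a commented-out
# output line.
SAMPLE_CONF = """\
# Constructed excerpt modelled on the snort.conf in the report (not the full file)
var HOME_NET 10.0.0.0/24
var EXTERNAL_NET any
preprocessor frag2
preprocessor stream4: detect_scans
preprocessor http_decode: 80 unicode iis_alt_unicode preprocessor rpc_decode: 111 32771
# Use portscan-ignorehosts to ignore TCP SYN and UDP "scans"
from
# specific networks or hosts to reduce false alerts.
#output database: log, mysql, user=sensor1 password=snort
dbname=snort host=db.honeynet.org sensor_name=sensor1 detail=fast
output log_tcpdump: snort.log
log ip any any <> any any (msg: "Snort Unmatched"; session: printable;)
include $RULE_PATH/classification.config include $RULE_PATH/reference.config
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg: "web probe; not a separator"; session: printable;)
"""

DIRECTIVES = ("var", "preprocessor", "output", "include", "config", "ruletype")
RULE_ACTIONS = ("log", "alert", "pass", "activate", "dynamic")

# Snort 2.0 rule: action proto src sport dir dst dport (options)
RULE_RE = re.compile(
    r"^(?P<action>log|alert|pass|activate|dynamic)\s+(?P<proto>\S+)\s+"
    r"(?P<src>\S+)\s+(?P<sport>\S+)\s+(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)"
    r"\s*\((?P<opts>.*)\)\s*$"
)

Finding = namedtuple("Finding", "lineno kind detail")


def split_options(body):
    """Split a rule option body on ';' while ignoring semicolons inside double
    quotes (escaped quotes are not handled; enough for the rules in this thread)."""
    parts, buf, in_quote = [], [], False
    for ch in body:
        if ch == '"':
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))
    return [p.strip() for p in parts if p.strip()]


def parse_rule(line):
    """Return (header dict, options dict) for a Snort 2.0-style rule, or None."""
    m = RULE_RE.match(line.strip())
    if not m:
        return None
    header = {k: m.group(k) for k in ("action", "proto", "src", "sport", "dir", "dst", "dport")}
    options = {}
    for opt in split_options(m.group("opts")):
        key, _, value = opt.partition(":")
        options[key.strip()] = value.strip() if value else True  # flag-style options become True
    return header, options


def audit_conf(text):
    """Walk the config line by line and collect Finding tuples."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        first = line.split()[0]
        if first not in DIRECTIVES and first not in RULE_ACTIONS:
            findings.append(Finding(lineno, "stray-line",
                            f"'{first}' is not a Snort directive; looks like a comment or "
                            "continuation broken across lines"))
            continue
        # a directive keyword appearing again after the first token means two statements were fused
        fused = [d for d in DIRECTIVES if re.search(r"\s%s\s" % d, line)]
        if fused:
            findings.append(Finding(lineno, "fused-line",
                            f"second '{fused[0]}' statement on the same line; split it"))
            continue
        if first in RULE_ACTIONS:
            parsed = parse_rule(line)
            if parsed is None:
                findings.append(Finding(lineno, "unparsed-rule", "rule header or options could not be parsed"))
                continue
            header, options = parsed
            if "session" in options and header["src"] == "any" and header["dst"] == "any":
                findings.append(Finding(lineno, "session-on-any",
                                "session: logging on an any<->any rule writes one session file per flow, "
                                "scan probes included; watch disk and inode headroom (df, df -i)"))
    return findings


if __name__ == "__main__":
    for f in audit_conf(SAMPLE_CONF):
        print(f"line {f.lineno:3d} [{f.kind}] {f.detail}")
```

Run as a script it prints one line per finding; on the excerpt above that is the fused http_decode/rpc_decode line, the stray "from" and "dbname=" lines, the any-to-any "Snort Unmatched" rule with session: printable, and the fused pair of include statements. The narrower alert rule with session: on its own is not flagged, because it only opens session files for flows that already matched a host and port.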
----------------------------------------------------------------------

Comment By: Chris Green (chrisgreen)
Date: 2003-05-22 13:09

Message:
Logged In: YES
user_id=429629

Key Piece of information left out:

    What was your snort command line and associated snort.conf?


Comment By: Chris Green (chrisgreen)
Date: 2003-05-22 12:39

Message:
Logged In: YES
user_id=429629

Key Piece of information left out:

    What was your snort command line and associated snort.conf?


You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=103357&aid=741138&group_id=3357


Snort-devel mailing list
Snort-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-devel

Received on Tue May 27 10:30:14 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:08:05 EDT
