[Snort-devel] [ snort-Bugs-741138 ] snort-2.0.0: Crash on fragmented packets from Nmap

From: SourceForge.net <noreply(at)sourceforge.net>
Date: Thu May 22 2003 - 22:08:28 EDT


Bugs item #741138, was opened at 2003-05-21 14:21
Message generated for change (Comment added) made by werrettt
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=103357&aid=741138&group_id=3357

Category: None
Group: None
Status: Open
Resolution: None
Priority: 5
Submitted By: Jon Werrett (werrettt)
Assigned to: Nobody/Anonymous (nobody)
Summary: snort-2.0.0: Crash on fragmented packets from Nmap

Initial Comment:
Nmap can crash snort by using fragmented portscans.

example:
nmap -f -sS <host>

In verbose mode snort spits out:
ERROR: OpenSessionFile() => fopen((null)) session file: File exists
Fatal Error, Quitting..

nmap version: 3.27

snort version: Version 2.0.0 (Build 72)

Ethernet dmesg:
eth0: Lite-On 82c168 PNIC rev 32 at 0xc800, 00:A0:CC:D0:F9:21, IRQ 9.

uname -a:
Linux euler 2.4.20-gentoo-r2 #3 SMP Tue Apr 8 23:57:17 WST 2003 i686 Pentium III (Coppermine)


gcc version: 2.95.3

I'm not using any aggressive compiler optimisations either (-O3).


>Comment By: Jon Werrett (werrettt)
Date: 2003-05-23 02:08

Message:
Logged In: YES
user_id=783803

Nope, I have plenty of room on my HD (2.6G).

df -i:

Filesystem            Inodes   IUsed   IFree IUse% Mounted on
/dev/root            2861600  631799 2229801   23% /
none                   48219       1   48218    1% /dev/shm
/dev/hdb1                  0       0       0    -  /mnt/windows

df:

Filesystem           1K-blocks      Used Available Use% Mounted on
/dev/root             22525360  18675996   2705136  88% /
none                    192876         0    192876   0% /dev/shm
/dev/hdb1             19999136   9051248  10947888  46% /mnt/windows

I made a mistake in the original bug report however. Snort DOES NOT crash when scanning a single host, only an entire subnet.

So with nmap:
nmap -f -sS 10.0.0.0/24
will cause snort to crash.


nmap -f -sS 10.0.0.3 does NOT however.


Comment By: Chris Green (chrisgreen)
Date: 2003-05-22 15:50

Message:
Logged In: YES
user_id=429629

The problem is erroring in the code for session: printable.

Is your disk full perhaps? Include df -i and df.


Comment By: Jon Werrett (werrettt)
Date: 2003-05-22 15:41

Message:
Logged In: YES
user_id=783803

snort command line:
snort -D -c snort.conf -l logs/ not dst host 10.0.0.3


snort.conf (aimed at honeypots as provided by Project Honeynet):
# Last Updated by the Honeynet Project
 

var HOME_NET 10.0.0.0/24
var EXTERNAL_NET any
var AIM_SERVERS $HOME_NET
var HTTP_SERVERS $HOME_NET
var SMTP_SERVERS $HOME_NET
var TELNET_SERVERS $HOME_NET
var SQL_SERVERS $HOME_NET
var DNS_SERVERS $HOME_NET  

var HTTP_PORTS 80
var SHELLCODE_PORTS !80
var ORACLE_PORTS 1521  

preprocessor frag2
preprocessor stream4: detect_scans
preprocessor stream4_reassemble
preprocessor http_decode: 80 unicode iis_alt_unicode double_encode iis_flip_slash full_whitespace
preprocessor rpc_decode: 111 32771
preprocessor telnet_decode
preprocessor bo: -nobrute
#preprocessor asn1_decode
 

# Use portscan-ignorehosts to ignore TCP SYN and UDP "scans" from
# specific networks or hosts to reduce false alerts. It is typical
# to see many false alerts from DNS servers so you may want to

####################################################################
 

#output database: log, mysql, user=sensor1 password=snort dbname=snort host=db.honeynet.org sensor_name=sensor1 detail=fast
#output alert_syslog: LOG_LOCAL1 LOG_INFO
output alert_full: snort_full
output alert_fast: snort_fast
output log_tcpdump: snort.log  

##### Log everything

log ip any any <> any any (msg: "Snort Unmatched"; session: printable;)  


var RULE_PATH /etc/snort  

# Include classification & priority settings
 

include $RULE_PATH/classification.config
include $RULE_PATH/reference.config

####################################################################
 

include $RULE_PATH/bad-traffic.rules
include $RULE_PATH/exploit.rules
include $RULE_PATH/scan.rules
include $RULE_PATH/finger.rules
include $RULE_PATH/ftp.rules
include $RULE_PATH/telnet.rules
include $RULE_PATH/rpc.rules
include $RULE_PATH/rservices.rules
include $RULE_PATH/dos.rules
include $RULE_PATH/ddos.rules
include $RULE_PATH/dns.rules
include $RULE_PATH/tftp.rules
include $RULE_PATH/web-cgi.rules
include $RULE_PATH/web-coldfusion.rules
include $RULE_PATH/web-iis.rules
include $RULE_PATH/web-frontpage.rules
include $RULE_PATH/web-misc.rules
include $RULE_PATH/web-client.rules
include $RULE_PATH/web-php.rules
include $RULE_PATH/sql.rules
include $RULE_PATH/x11.rules
include $RULE_PATH/icmp.rules
include $RULE_PATH/netbios.rules
include $RULE_PATH/misc.rules
include $RULE_PATH/attack-responses.rules
include $RULE_PATH/oracle.rules
include $RULE_PATH/mysql.rules
include $RULE_PATH/snmp.rules
include $RULE_PATH/smtp.rules
include $RULE_PATH/imap.rules
include $RULE_PATH/pop3.rules
include $RULE_PATH/nntp.rules
include $RULE_PATH/other-ids.rules
include $RULE_PATH/web-attacks.rules
include $RULE_PATH/backdoor.rules
include $RULE_PATH/shellcode.rules
include $RULE_PATH/policy.rules
include $RULE_PATH/porn.rules
include $RULE_PATH/info.rules
include $RULE_PATH/icmp-info.rules
include $RULE_PATH/virus.rules
include $RULE_PATH/chat.rules
include $RULE_PATH/multimedia.rules
include $RULE_PATH/p2p.rules
include $RULE_PATH/experimental.rules
include $RULE_PATH/local.rules

----------------------------------------------------------------------

Comment By: Chris Green (chrisgreen)
Date: 2003-05-22 13:09

Message:
Logged In: YES
user_id=429629

Key Piece of information left out:

    What was your snort command line and associated snort.conf?



Comment By: Chris Green (chrisgreen)
Date: 2003-05-22 12:39

Message:
Logged In: YES
user_id=429629

Key Piece of information left out:

    What was your snort command line and associated snort.conf?


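The thread above gives a concrete trigger (a fragmented SYN scan of a whole subnet, not a single host), a concrete symptom (the OpenSessionFile fatal error on stderr) and a suspect (the catch-all log rule carrying session: printable). The script below is an added reproduction harness, not code from the bug report or from the Snort project, that turns those three observations into checks. The variable names SNORT_CONF, LOG_DIR, SENSOR_IP, TARGET and WAIT_SECS are assumptions of this example, as is the choice to run snort in the foreground so its stderr can be captured (the reporter used -D); it also assumes snort and nmap are on PATH and that the user may run a fragmented scan of the target network. The two helper functions work on captured text and can be exercised without either tool installed.

```shell
#!/bin/sh
# Added reproduction harness for the crash described in bug 741138.
# Not code from the bug report or the Snort project. Assumes snort and
# nmap are on PATH; SNORT_CONF, LOG_DIR, SENSOR_IP, TARGET and WAIT_SECS
# are assumed names chosen for this example.

SNORT_CONF="${SNORT_CONF:-snort.conf}"
LOG_DIR="${LOG_DIR:-logs}"
SENSOR_IP="${SENSOR_IP:-10.0.0.3}"   # excluded via the reporter's BPF filter
TARGET="${TARGET:-10.0.0.0/24}"      # the subnet scan crashed snort; a single host did not
WAIT_SECS="${WAIT_SECS:-30}"

# Return 0 when a captured snort stderr log shows the fatal OpenSessionFile error
# quoted in the report (fopen on a NULL session file name followed by the fatal exit).
snort_session_crash() {
    grep -q 'OpenSessionFile() => fopen((null))' "$1" && grep -q 'Fatal Error' "$1"
}

# Print the number of catch-all "log ip any any <> any any" rules in a snort.conf
# that carry the session keyword, i.e. rules of the shape under suspicion.
catchall_session_rules() {
    grep -c '^log ip any any <> any any .*session:' "$1"
}

# Run snort in the foreground with stderr captured, fire the fragmented scan,
# then classify the outcome: 0 = reproduced, 1 = no crash, 2 = died for another reason.
reproduce() {
    errlog=$(mktemp) || return 2
    snort -c "$SNORT_CONF" -l "$LOG_DIR" not dst host "$SENSOR_IP" >"$errlog" 2>&1 &
    snort_pid=$!
    sleep 5                                  # let snort finish initialising
    nmap -f -sS "$TARGET" >/dev/null 2>&1    # the reporter's trigger
    sleep "$WAIT_SECS"
    if kill -0 "$snort_pid" 2>/dev/null; then
        echo "snort still running (pid $snort_pid); no crash"
        kill "$snort_pid"
        rc=1
    elif snort_session_crash "$errlog"; then
        echo "snort died with the OpenSessionFile error:"
        cat "$errlog"
        rc=0
    else
        echo "snort exited for another reason:"
        cat "$errlog"
        rc=2
    fi
    rm -f "$errlog"
    return "$rc"
}

# Only launch snort and nmap when explicitly asked; otherwise just define the helpers.
if [ "${REPRO:-0}" = 1 ]; then
    reproduce
fi
```

Run it as `REPRO=1 SNORT_CONF=/path/to/snort.conf sh repro.sh` on a sensor that is allowed to be scanned; before that, `catchall_session_rules snort.conf` tells you whether the config contains the kind of rule the maintainer pointed at, which is worth knowing when deciding whether to bisect by temporarily dropping the session keyword from it.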
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=103357&aid=741138&group_id=3357




Snort-devel mailing list
Snort-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-devel

Received on Tue May 27 10:30:52 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:08:05 EDT

