[Snort-devel] [ snort-Bugs-536322 ] Fragmented packets crash snort

noreply at ...12... noreply at ...12...
Tue Apr 2 05:02:29 EST 2002


Bugs item #536322, was opened at 2002-03-28 08:18
You can respond by visiting: 
http://sourceforge.net/tracker/?func=detail&atid=103357&aid=536322&group_id=3357

Category: None
Group: None
Status: Open
Resolution: None
Priority: 5
Submitted By: Nobody/Anonymous (nobody)
Assigned to: Nobody/Anonymous (nobody)
Summary: Fragmented packets crash snort

Initial Comment:
The following will crash snort and not leave any trace
on the system.

Nmap Version: 2.54BETA22
Command to crash: nmap -f -P0 -sX <host>

Snort Startup (via rc script):

daemon /usr/local/snort/snort -A full -l /usr/local/logs -d -D -i eth1 -c /usr/local/snort/snort.conf

Ethernet dmesg (intel): 

eth1: OEM i82557/i82558 10/100 Ethernet, 00:06:5B:1A:0E:58, IRQ 10.
  Board assembly 02d484-000, Physical connectors present: RJ45
  Primary interface chip i82555 PHY #1.
  General self-test: passed.
  Serial sub-system self-test: passed.
  Internal registers self-test: passed.
  ROM checksum self-test: passed (0x04f4518b).

OS: Linux localhost.localdomain 2.4.17-0.18 #1 Mon Feb 18 07:51:01 EST 2002 i686 unknown
Snort Version: Version 1.8.4 (Build 99)
By Martin Roesch (roesch at ...402..., www.snort.org)
Compiler: gcc version 2.96 20000731 (Red Hat Linux 7.1 2.96-96)

Snort.conf:

var HTTP_SERVERS [0/0]
var DNS_HOSTS [0/0]
var HOME_NET [0/0]
var SMTP [0/0]
var SQL_SERVERS [0/0]
var EXTERNAL_NET [0/0]
preprocessor frag2
preprocessor stream4: detect_scans
preprocessor stream4_reassemble
preprocessor http_decode: 80 -unicode -cginull
preprocessor bo: -nobrute
preprocessor telnet_decode
preprocessor portscan: $EXTERNAL_NET 30 1
preprocessor portscan-ignorehosts: $DNS_HOSTS
preprocessor unidecode: 80 -unicode -cginull
preprocessor rpc_decode: 111

output xml: alert, protocol=tcp host=127.0.0.1 port=1977

include /usr/local/snort/rules/classification.config
include /usr/local/snort/rules/bad-traffic.rules
include /usr/local/snort/rules/exploit.rules
include /usr/local/snort/rules/scan.rules
include /usr/local/snort/rules/finger.rules
include /usr/local/snort/rules/ftp.rules
#include /usr/local/snort/rules/telnet.rules
include /usr/local/snort/rules/smtp.rules
include /usr/local/snort/rules/rpc.rules
include /usr/local/snort/rules/rservices.rules
include /usr/local/snort/rules/dos.rules
include /usr/local/snort/rules/ddos.rules
include /usr/local/snort/rules/dns.rules
include /usr/local/snort/rules/tftp.rules
include /usr/local/snort/rules/web-cgi.rules
include /usr/local/snort/rules/web-coldfusion.rules
include /usr/local/snort/rules/web-iis.rules
include /usr/local/snort/rules/web-frontpage.rules
include /usr/local/snort/rules/web-misc.rules
include /usr/local/snort/rules/web-attacks.rules
include /usr/local/snort/rules/sql.rules
include /usr/local/snort/rules/x11.rules
#include /usr/local/snort/rules/icmp.rules
include /usr/local/snort/rules/netbios.rules
include /usr/local/snort/rules/misc.rules
include /usr/local/snort/rules/attack-responses.rules
include /usr/local/snort/rules/backdoor.rules
#include /usr/local/snort/rules/shellcode.rules
include /usr/local/snort/rules/policy.rules
include /usr/local/snort/rules/porn.rules
include /usr/local/snort/rules/info.rules
#include /usr/local/snort/rules/icmp-info.rules
include /usr/local/snort/rules/virus.rules
include /usr/local/snort/rules/experimental.rules
include /usr/local/snort/rules/local.rules


