[Snort-devel] [ snort-Bugs-741138 ] snort-2.0.0: Crash on fragmented packets from Nmap

SourceForge.net noreply at ...12...
Tue May 27 07:19:11 EDT 2003


Bugs item #741138, was opened at 2003-05-21 14:21
Message generated for change (Comment added) made by werrettt
You can respond by visiting: 
https://sourceforge.net/tracker/?func=detail&atid=103357&aid=741138&group_id=3357

Category: None
Group: None
Status: Open
Resolution: None
Priority: 5
Submitted By: Jon Werrett (werrettt)
Assigned to: Nobody/Anonymous (nobody)
Summary: snort-2.0.0: Crash on fragmented packets from Nmap

Initial Comment:
Nmap can crash snort by using fragmented portscans.

example: 
nmap -f -sS <host>

In verbose mode snort spits out:
ERROR: OpenSessionFile() => fopen((null)) session file: File exists
Fatal Error, Quitting..


nmap version: 3.27

snort version: Version 2.0.0 (Build 72)

Ethernet dmesg:
eth0: Lite-On 82c168 PNIC rev 32 at 0xc800, 00:A0:CC:D0:F9:21, IRQ 9.

uname -a:
Linux euler 2.4.20-gentoo-r2 #3 SMP Tue Apr 8 23:57:17 WST 2003 i686 Pentium III (Coppermine)

gcc version: 2.95.3

I'm not using any aggressive compiler optimisations either (-O3).

----------------------------------------------------------------------

>Comment By: Jon Werrett (werrettt)
Date: 2003-05-22 15:41

Message:
Logged In: YES 
user_id=783803

snort command line:
snort -D -c snort.conf -l logs/  not dst host 10.0.0.3

snort.conf (aimed at honeypots as provided by Project Honeynet):
# Last Updated by the Honeynet Project
# 27 March, 2003
 
var HOME_NET 10.0.0.0/24
var EXTERNAL_NET any
var AIM_SERVERS $HOME_NET
var HTTP_SERVERS $HOME_NET
var SMTP_SERVERS $HOME_NET
var TELNET_SERVERS $HOME_NET
var SQL_SERVERS $HOME_NET
var DNS_SERVERS $HOME_NET
 
var HTTP_PORTS 80
var SHELLCODE_PORTS !80
var ORACLE_PORTS 1521
 
preprocessor frag2
preprocessor stream4: detect_scans
preprocessor stream4_reassemble
preprocessor http_decode: 80 unicode iis_alt_unicode double_encode iis_flip_slash full_whitespace
preprocessor rpc_decode: 111 32771
preprocessor telnet_decode
preprocessor bo: -nobrute
#preprocessor asn1_decode
 
# Use portscan-ignorehosts to ignore TCP SYN and UDP "scans" from
# specific networks or hosts to reduce false alerts. It is typical
# to see many false alerts from DNS servers so you may want to
# add your DNS servers here. You can add multiple hosts/networks
# in a whitespace-delimited list.
#
#preprocessor portscan-ignorehosts: $DNS_SERVERS
 
 
####################################################################
# Step #3: Configure output plugins
#
# Uncomment and configure the output plugins you decide to use.
# General configuration for output plugins is of the form:
 
#output database: log, mysql, user=sensor1 password=snort dbname=snort host=db.honeynet.org sensor_name=sensor1 detail=fast
#output alert_syslog: LOG_LOCAL1 LOG_INFO
output alert_full: snort_full
output alert_fast: snort_fast
output log_tcpdump: snort.log
 
##### Log everything
log ip any any <> any any (msg: "Snort Unmatched"; session: printable;)
 
var RULE_PATH /etc/snort
 
# Include classification & priority settings
# Include reference config
 
include $RULE_PATH/classification.config
include $RULE_PATH/reference.config
 
 
####################################################################
# Step #4: Customize your rule set
 
include $RULE_PATH/bad-traffic.rules
include $RULE_PATH/exploit.rules
include $RULE_PATH/scan.rules
include $RULE_PATH/finger.rules
include $RULE_PATH/ftp.rules
include $RULE_PATH/telnet.rules
include $RULE_PATH/rpc.rules
include $RULE_PATH/rservices.rules
include $RULE_PATH/dos.rules
include $RULE_PATH/ddos.rules
include $RULE_PATH/dns.rules
include $RULE_PATH/tftp.rules
include $RULE_PATH/web-cgi.rules
include $RULE_PATH/web-coldfusion.rules
include $RULE_PATH/web-iis.rules
include $RULE_PATH/web-frontpage.rules
include $RULE_PATH/web-misc.rules
include $RULE_PATH/web-client.rules
include $RULE_PATH/web-php.rules
include $RULE_PATH/sql.rules
include $RULE_PATH/x11.rules
include $RULE_PATH/icmp.rules
include $RULE_PATH/netbios.rules
include $RULE_PATH/misc.rules
include $RULE_PATH/attack-responses.rules
include $RULE_PATH/oracle.rules
include $RULE_PATH/mysql.rules
include $RULE_PATH/snmp.rules
include $RULE_PATH/smtp.rules
include $RULE_PATH/imap.rules
include $RULE_PATH/pop3.rules
include $RULE_PATH/nntp.rules
include $RULE_PATH/other-ids.rules
include $RULE_PATH/web-attacks.rules
include $RULE_PATH/backdoor.rules
include $RULE_PATH/shellcode.rules
include $RULE_PATH/policy.rules
include $RULE_PATH/porn.rules
include $RULE_PATH/info.rules
include $RULE_PATH/icmp-info.rules
include $RULE_PATH/virus.rules
include $RULE_PATH/chat.rules
include $RULE_PATH/multimedia.rules
include $RULE_PATH/p2p.rules
include $RULE_PATH/experimental.rules
include $RULE_PATH/local.rules


----------------------------------------------------------------------

Comment By: Chris Green (chrisgreen)
Date: 2003-05-22 13:09

Message:
Logged In: YES 
user_id=429629

Key Piece of information left out:

    What was your snort command line and associated snort.conf?

----------------------------------------------------------------------

Comment By: Chris Green (chrisgreen)
Date: 2003-05-22 12:39

Message:
Logged In: YES 
user_id=429629

Key Piece of information left out:

    What was your snort command line and associated snort.conf?

----------------------------------------------------------------------
