[Snort-devel] [ snort-Bugs-741138 ] snort-2.0.0: Crash on fragmented packets from Nmap

SourceForge.net noreply at ...12...
Wed May 28 07:43:26 EDT 2003


Bugs item #741138, was opened at 2003-05-21 14:21
Message generated for change (Comment added) made by chrisgreen
You can respond by visiting: 
https://sourceforge.net/tracker/?func=detail&atid=103357&aid=741138&group_id=3357

Category: None
Group: None
>Status: Closed
Resolution: None
Priority: 5
Submitted By: Jon Werrett (werrettt)
Assigned to: Nobody/Anonymous (nobody)
Summary: snort-2.0.0: Crash on fragmented packets from Nmap

Initial Comment:
Nmap can crash snort by using fragmented portscans.

example: 
nmap -f -sS <host>

In verbose mode snort spits out:
ERROR: OpenSessionFile() => fopen((null)) session file:
File exists
Fatal Error, Quitting..


nmap version: 3.27

snort version: Version 2.0.0 (Build 72)

Ethernet dmesg:
eth0: Lite-On 82c168 PNIC rev 32 at 0xc800,
00:A0:CC:D0:F9:21, IRQ 9.

uname -a:
Linux euler 2.4.20-gentoo-r2 #3 SMP Tue Apr 8 23:57:17
WST 2003 i686 Pentium III (Coppermine) 

gcc version: 2.95.3

I'm not using any aggressive compiler optimisations either (-O3).

----------------------------------------------------------------------

>Comment By: Chris Green (chrisgreen)
Date: 2003-05-27 18:41

Message:
Logged In: YES 
user_id=429629

fixed with current CVS.

It was crashing on any fragmented packet when the frag_flag
was set with the session printable keyword.

----------------------------------------------------------------------
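A constructed C model of the failure mode Chris describes, added here as an illustration and not taken from Snort's source: the packet layout, the per-address log path format and every function name are assumptions. It shows why a fragment (no decoded transport header) leads a session-file name builder to return NULL, how an unchecked caller turns that into the `fopen((null))` fatal error in the report, and the check that keeps fopen() from ever seeing a NULL path.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>

/* Constructed packet model (not Snort's structures). */
typedef struct { uint16_t sport, dport; } TcpHdr;
typedef struct {
    int frag_flag;        /* set when the packet is an IP fragment */
    const char *src_ip;   /* dotted quad, already decoded */
    const TcpHdr *tcph;   /* NULL when no TCP header was decoded, e.g. on fragments */
} Packet;

/* Builds "<log_dir>/<src_ip>/SESSION:<sport>-<dport>" (layout assumed, not
 * taken from Snort). Returns NULL when there is no transport header to derive
 * a name from, which is exactly what a fragment produces. */
static const char *session_file_name(const Packet *p, const char *log_dir)
{
    static char path[256];            /* static buffer: illustration only */
    if (p->tcph == NULL)
        return NULL;
    snprintf(path, sizeof path, "%s/%s/SESSION:%u-%u", log_dir, p->src_ip,
             (unsigned)p->tcph->sport, (unsigned)p->tcph->dport);
    return path;
}

/* Unchecked variant: the builder's result goes straight to fopen(). On a
 * fragment that is fopen(NULL), the "fopen((null))" path in the report.
 * Defined for comparison only; never called here. */
FILE *open_session_file_unchecked(const Packet *p, const char *log_dir)
{
    return fopen(session_file_name(p, log_dir), "a");
}

/* Hardened variant: skip session logging for fragments and for any packet
 * whose name could not be built, so fopen() never receives a NULL path.
 * Returns the path that would be opened, or NULL when logging is skipped. */
const char *session_path_or_null(const Packet *p, const char *log_dir)
{
    if (p->frag_flag)
        return NULL;                  /* frag2 reassembles; log the whole stream later */
    return session_file_name(p, log_dir);
}

/* Constructed sample packets: a plain SYN and a fragment from the same scan. */
static const TcpHdr kSyn = { 40123, 80 };
const Packet kSynPacket  = { 0, "10.0.0.9", &kSyn };
const Packet kFragPacket = { 1, "10.0.0.9", NULL };

int main(void)
{
    const char *p = session_path_or_null(&kSynPacket, "logs");
    printf("SYN      -> %s\n", p ? p : "(skipped)");
    p = session_path_or_null(&kFragPacket, "logs");
    printf("fragment -> %s\n", p ? p : "(skipped)");
    return 0;
}
```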

Comment By: Jon Werrett (werrettt)
Date: 2003-05-23 02:08

Message:
Logged In: YES 
user_id=783803

Nope, I have plenty of room on my HD (2.6G).

df -i:
Filesystem            Inodes   IUsed   IFree IUse% Mounted on
/dev/root            2861600  631799 2229801   23% /
none                   48219       1   48218    1% /dev/shm
/dev/hdb1                  0       0       0    -  /mnt/windows

df:
Filesystem           1K-blocks      Used Available Use% Mounted on
/dev/root             22525360  18675996   2705136  88% /
none                    192876         0    192876   0% /dev/shm
/dev/hdb1             19999136   9051248  10947888  46% /mnt/windows

I made a mistake in the original bug report however. Snort
DOES NOT crash when scanning a single host, only an entire
subnet.

So with nmap:
nmap -f -sS 10.0.0.0/24
will cause snort to crash.

nmap -f -sS 10.0.0.3 does NOT however.


----------------------------------------------------------------------

Comment By: Chris Green (chrisgreen)
Date: 2003-05-22 15:50

Message:
Logged In: YES 
user_id=429629

The problem is erroring in the code for session,printable.

Is your disk full perhaps? Include df -i and df.

----------------------------------------------------------------------

Comment By: Jon Werrett (werrettt)
Date: 2003-05-22 15:41

Message:
Logged In: YES 
user_id=783803

snort command line:
snort -D -c snort.conf -l logs/  not dst host 10.0.0.3

snort.conf (aimed at honeypots as provided by Project Honeynet):
# Last Updated by the Honeynet Project
# 27 March, 2003
 
var HOME_NET 10.0.0.0/24
var EXTERNAL_NET any
var AIM_SERVERS $HOME_NET
var HTTP_SERVERS $HOME_NET
var SMTP_SERVERS $HOME_NET
var TELNET_SERVERS $HOME_NET
var SQL_SERVERS $HOME_NET
var DNS_SERVERS $HOME_NET
 
var HTTP_PORTS 80
var SHELLCODE_PORTS !80
var ORACLE_PORTS 1521
 
preprocessor frag2
preprocessor stream4: detect_scans
preprocessor stream4_reassemble
preprocessor http_decode: 80 unicode iis_alt_unicode double_encode iis_flip_slash full_whitespace
preprocessor rpc_decode: 111 32771
preprocessor telnet_decode
preprocessor bo: -nobrute
#preprocessor asn1_decode
 
# Use portscan-ignorehosts to ignore TCP SYN and UDP "scans" from
# specific networks or hosts to reduce false alerts. It is typical
# to see many false alerts from DNS servers so you may want to
# add your DNS servers here. You can add multiple hosts/networks
# in a whitespace-delimited list.
#
#preprocessor portscan-ignorehosts: $DNS_SERVERS
 
 
####################################################################
# Step #3: Configure output plugins
#
# Uncomment and configure the output plugins you decide to use.
# General configuration for output plugins is of the form:
 
#output database: log, mysql, user=sensor1 password=snort dbname=snort host=db.honeynet.org sensor_name=sensor1 detail=fast
#output alert_syslog: LOG_LOCAL1 LOG_INFO
output alert_full: snort_full
output alert_fast: snort_fast
output log_tcpdump: snort.log
 
##### Log everything
log ip any any <> any any (msg: "Snort Unmatched"; session: printable;)
 
var RULE_PATH /etc/snort
 
# Include classification & priority settings
# Include reference config
 
include $RULE_PATH/classification.config
include $RULE_PATH/reference.config
 
 
####################################################################
# Step #4: Customize your rule set
 
include $RULE_PATH/bad-traffic.rules
include $RULE_PATH/exploit.rules
include $RULE_PATH/scan.rules
include $RULE_PATH/finger.rules
include $RULE_PATH/ftp.rules
include $RULE_PATH/telnet.rules
include $RULE_PATH/rpc.rules
include $RULE_PATH/rservices.rules
include $RULE_PATH/dos.rules
include $RULE_PATH/ddos.rules
include $RULE_PATH/dns.rules
include $RULE_PATH/tftp.rules
include $RULE_PATH/web-cgi.rules
include $RULE_PATH/web-coldfusion.rules
include $RULE_PATH/web-iis.rules
include $RULE_PATH/web-frontpage.rules
include $RULE_PATH/web-misc.rules
include $RULE_PATH/web-client.rules
include $RULE_PATH/web-php.rules
include $RULE_PATH/sql.rules
include $RULE_PATH/x11.rules
include $RULE_PATH/icmp.rules
include $RULE_PATH/netbios.rules
include $RULE_PATH/misc.rules
include $RULE_PATH/attack-responses.rules
include $RULE_PATH/oracle.rules
include $RULE_PATH/mysql.rules
include $RULE_PATH/snmp.rules
include $RULE_PATH/smtp.rules
include $RULE_PATH/imap.rules
include $RULE_PATH/pop3.rules
include $RULE_PATH/nntp.rules
include $RULE_PATH/other-ids.rules
include $RULE_PATH/web-attacks.rules
include $RULE_PATH/backdoor.rules
include $RULE_PATH/shellcode.rules
include $RULE_PATH/policy.rules
include $RULE_PATH/porn.rules
include $RULE_PATH/info.rules
include $RULE_PATH/icmp-info.rules
include $RULE_PATH/virus.rules
include $RULE_PATH/chat.rules
include $RULE_PATH/multimedia.rules
include $RULE_PATH/p2p.rules
include $RULE_PATH/experimental.rules
include $RULE_PATH/local.rules


----------------------------------------------------------------------

Comment By: Chris Green (chrisgreen)
Date: 2003-05-22 13:09

Message:
Logged In: YES 
user_id=429629

Key Piece of information left out:

    What was your snort command line and associated snort.conf?

----------------------------------------------------------------------
