[Snort-devel] Snort 2.6.1.5 segfaults when hit with nmap OS detection scan

Steven Sturges steve.sturges at ...402...
Wed Jun 6 09:12:14 EDT 2007


Hi David--

Is there any chance you can send us a tcpdump capture
of the nmap scan that reliably causes the problem with
that binary on VMWare?  I realize it might be pretty large,
so if you can narrow it down to a particular set of ports
or something please do so -- obfuscate the IPs as needed.

None of your command line options seem odd, so doubt that's
it.  Perhaps you could try -dve -i eth0, dump that to an
output file to narrow it down (and eliminate any conf related
stuff).

Also, what preprocessors do you have enabled -- default
from the snort.conf included in the tarball?

Cheers.
-steve

David J. Bianco wrote:
> Ok, this is a bit weird, but here goes.  I'm testing out Snort 2.6.1.5
> in a VMWare virtual machine running RHEL 4WS.  I've got a fairly standard
> set of rules (the last bundle released with Snort 2.4).  Snort runs and
> detects events fine, but if I scan that box with "nmap -sS -O" (that is,
> scanning the interface that snort is monitoring, which is also the main
> network interface on this test system), snort just stops running without
> giving any sort of error message or even a core file.
> 
> I have verified that it's the "-O" nmap option that triggers the problem,
> as other scan options by themselves or in concert don't seem to have any
> effect.  I've also tried compiling my own libpcap (0.9.5) as well as using
> the system-supplied pcap, both with the same result.  I've even got other
> pcap-based apps monitoring the same traffic (SANCP and another copy of
> snort that's just logging packets to disk) and they're still running.
> 
> I compiled in the debugging support and ran with SNORT_DEBUG set to
> 120 (DEBUG_DATALINK|DEBUG_IP|DEBUG_TCPUDP|DEBUG_DECODE) and the last
> output I get is this:
> 
> decode.c:90: Packet!
> decode.c:90: caplen: 119    pktlen: 119
> decode.c:111: 0   0
> decode.c:127: IP datagram size calculated to be 105 bytes
> decode.c:2159: Packet!
> decode.c:2334: IP Checksum: OK
> decode.c:2401: IP header length: 20
> decode.c:2503: TCP th_off is 8, passed len is 85
> decode.c:2590: TCP Checksum: OK
> decode.c:2594: tcp header starts at: 0xc224ba4
> decode.c:2603: 12 bytes of tcp options....
> decode.c:90: Packet!
> decode.c:90: caplen: 66    pktlen: 66
> decode.c:111: 0   0
> decode.c:127: IP datagram size calculated to be 52 bytes
> decode.c:2159: Packet!
> decode.c:2334: IP Checksum: OK
> decode.c:2401: IP header length: 20
> decode.c:2503: TCP th_off is 8, passed len is 32
> decode.c:2590: TCP Checksum: OK
> decode.c:2594: tcp header starts at: 0xc224ba4
> decode.c:2603: 12 bytes of tcp options....
> decode.c:90: Packet!
> decode.c:90: caplen: 70    pktlen: 70
> decode.c:
> 
> This suggests that there's some problem in snort itself, since the packets
> don't seem to make it out of the decoder.  However, I haven't a clue what
> the real problem is, especially since the same binary works fine when I
> bring it over onto another (non-VMWare) system.
> 
> For reference, this is an x86 system.  I configured snort with the following
> switches:
> 
> 	./configure --prefix=/usr/local/snort-2.6.1.5 \
> 	--with-libnet-includes=/usr/local/libnet/include \
> 	--with-libnet-libraries=/usr/local/libnet/lib \
> 	--enable-flexresp --enable-dynamicplugin \
> 	--enable-debug
> 
> I ran snort like this:
> 
> 	sudo ~/build_temp/snort-2.6.1.5/src/snort -u sguil -g sguil \
> 	-m 122 -l /var/log/snort-testsensor \
> 	-c /usr/local/snortrules-testsensor/snort.conf \
> 	-i eth0 -o -A none -U
> 
> 
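As an added triage helper (not part of this thread or of Snort itself), the script below parses a SNORT_DEBUG decode trace like the one quoted above, cross-checks the decoder's own length arithmetic (IP datagram size = caplen minus the 14-byte Ethernet header, TCP "passed len" = IP length minus IP header length, option bytes = th_off*4 minus 20) and flags the packet whose decode never completed. It assumes an Ethernet capture interface and the exact decode.c line formats shown in the quote; the sample input is an abbreviated copy of that trace.

```python
import re

# Abbreviated copy of the quoted SNORT_DEBUG trace: first packet and the final, unfinished one.
SAMPLE_TRACE = """\
decode.c:90: Packet!
decode.c:90: caplen: 119    pktlen: 119
decode.c:127: IP datagram size calculated to be 105 bytes
decode.c:2401: IP header length: 20
decode.c:2503: TCP th_off is 8, passed len is 85
decode.c:2603: 12 bytes of tcp options....
decode.c:90: Packet!
decode.c:90: caplen: 70    pktlen: 70
decode.c:
"""
ETH_HDR = 14  # assumption: capture interface is Ethernet (DLT_EN10MB), 14-byte link header

FIELDS = [  # (regex for a decode.c line, field names for its capture groups)
    (r'caplen: (\d+)\s+pktlen: (\d+)', ('caplen', 'pktlen')),
    (r'IP datagram size calculated to be (\d+)', ('ip_len',)),
    (r'IP header length: (\d+)', ('ip_hl',)),
    (r'TCP th_off is (\d+), passed len is (\d+)', ('th_off', 'tcp_len')),
    (r'(\d+) bytes of tcp options', ('opt_len',)),
]

def parse_trace(text):
    """Group a decode trace into one dict of integer fields per packet ("Packet!" starts one)."""
    packets, cur = [], None
    for line in text.splitlines():
        if line.startswith('decode.c:90: Packet!'):
            cur = {}
            packets.append(cur)
        elif cur is not None:
            for pat, names in FIELDS:
                m = re.search(pat, line)
                if m:
                    cur.update(zip(names, map(int, m.groups())))
    return packets

def check_packet(p):
    """Cross-check the decoder's own numbers; an empty list means the packet decoded consistently."""
    problems = []
    if 'ip_len' in p and p['ip_len'] != p['caplen'] - ETH_HDR:
        problems.append('ip_len != caplen - ETH_HDR')
    if {'tcp_len', 'ip_len', 'ip_hl'} <= p.keys() and p['tcp_len'] != p['ip_len'] - p['ip_hl']:
        problems.append('tcp_len != ip_len - ip_hl')
    if 'opt_len' in p and p['opt_len'] != p['th_off'] * 4 - 20:
        problems.append('opt_len != th_off*4 - 20')
    if 'opt_len' not in p:  # trace stopped before the TCP options line: candidate crash trigger
        problems.append('decode did not complete')
    return problems
```

Run `check_packet` over `parse_trace(open('snort-debug.log').read())[-1]` to find the packet Snort was decoding when it died, then match its caplen against the pcap to isolate the triggering probe.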
