[Snort-devel] Snort 2.6.1.5 segfaults when hit with nmap OS detection scan

Matthew Watchinski mwatchinski at ...402...
Wed Jun 6 09:47:41 EDT 2007


Additionally, what version of VMWare and type are you using?  I.e. 5.5, 6.0,
Workstation, GSX, ESX, VMware Player?  Also, do you have VMWare tools
installed or not?

Thanks
-matt

Steven Sturges wrote:
> Hi David--
> 
> Is there any chance you can send us a tcpdump capture
> of the nmap scan that reliably causes the problem with
> that binary on VMWare?  I realize it might be pretty large,
> so if you can narrow it down to a particular set of ports
> or something please do so -- obfuscate the IPs as needed.
> 
> None of your command line options seem odd, so I doubt that's
> it.  Perhaps you could try -dve -i eth0, dump that to an
> output file to narrow it down (and eliminate any conf related
> stuff).
> 
> Also, what preprocessors do you have enabled -- default
> from the snort.conf included in the tarball?
> 
> Cheers.
> -steve
> 
> David J. Bianco wrote:
>> Ok, this is a bit weird, but here goes.  I'm testing out Snort 2.6.1.5
>> in a VMWare virtual machine running RHEL 4WS.  I've got a fairly standard
>> set of rules (the last bundle released with Snort 2.4).  Snort runs and
>> detects events fine, but if I scan that box with "nmap -sS -O" (that is,
>> scanning the interface that snort is monitoring, which is also the main
>> network interface on this test system), snort just stops running without
>> giving any sort of error message or even a core file.
>>
>> I have verified that it's the "-O" nmap option that triggers the problem,
>> as other scan options by themselves or in concert don't seem to have any
>> effect.  I've also tried compiling my own libpcap (0.9.5) as well as using
>> the system-supplied pcap, both with the same result.  I've even got other
>> pcap-based apps monitoring the same traffic (SANCP and another copy of
>> snort that's just logging packets to disk) and they're still running.
>>
>> I compiled in the debugging support and ran with SNORT_DEBUG set to
>> 120 (DEBUG_DATALINK|DEBUG_IP|DEBUG_TCPUDP|DEBUG_DECODE) and the last
>> output I get is this:
>>
>> decode.c:90: Packet!
>> decode.c:90: caplen: 119    pktlen: 119
>> decode.c:111: 0   0
>> decode.c:127: IP datagram size calculated to be 105 bytes
>> decode.c:2159: Packet!
>> decode.c:2334: IP Checksum: OK
>> decode.c:2401: IP header length: 20
>> decode.c:2503: TCP th_off is 8, passed len is 85
>> decode.c:2590: TCP Checksum: OK
>> decode.c:2594: tcp header starts at: 0xc224ba4
>> decode.c:2603: 12 bytes of tcp options....
>> decode.c:90: Packet!
>> decode.c:90: caplen: 66    pktlen: 66
>> decode.c:111: 0   0
>> decode.c:127: IP datagram size calculated to be 52 bytes
>> decode.c:2159: Packet!
>> decode.c:2334: IP Checksum: OK
>> decode.c:2401: IP header length: 20
>> decode.c:2503: TCP th_off is 8, passed len is 32
>> decode.c:2590: TCP Checksum: OK
>> decode.c:2594: tcp header starts at: 0xc224ba4
>> decode.c:2603: 12 bytes of tcp options....
>> decode.c:90: Packet!
>> decode.c:90: caplen: 70    pktlen: 70
>> decode.c:
>>
>> This suggests that there's some problem in snort itself, since the packets
>> don't seem to make it out of the decoder.  However, I haven't a clue what
>> the real problem is, especially since the same binary works fine when I
>> bring it over onto another (non-VMWare) system.
>>
>> For reference, this is an x86 system.  I configured snort with the following
>> switches:
>>
>> 	./configure --prefix=/usr/local/snort-2.6.1.5 \
>> 	--with-libnet-includes=/usr/local/libnet/include \
>> 	--with-libnet-libraries=/usr/local/libnet/lib \
>> 	--enable-flexresp --enable-dynamicplugin \
>> 	--enable-debug
>>
>> I ran snort like this:
>>
>> 	sudo ~/build_temp/snort-2.6.1.5/src/snort -u sguil -g sguil \
>> 	-m 122 -l /var/log/snort-testsensor \
>> 	-c /usr/local/snortrules-testsensor/snort.conf \
>> 	-i eth0 -o -A none -U
>>
>>
> 
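The debug trace above stops inside the decoder right after it reports the TCP data offset (th_off) and the byte count of TCP options, which is the point where a decoder has to trust two length fields that came off the wire. As an added illustration, not code from this thread or from Snort's own decode.c, here is a bounds-checked walk over the TCP options region of a segment: it validates th_off against the bytes actually captured ("passed len" in the trace) and refuses option length bytes that would read past the header or never advance. The header bytes are constructed samples; the only assumption beyond standard TCP option encoding (kind, length, data) is the constructed content of those samples.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* TCP fixed header is 20 bytes; th_off (high nibble of byte 12) gives the
 * total header length in 32-bit words, so 20..60 bytes are legal. */
#define TCP_FIXED_HDR 20
#define TCPOPT_EOL 0
#define TCPOPT_NOP 1

/* Outcome of walking the options region, for a decoder debug line. */
typedef struct {
    int ok;              /* 1 if every option was well-formed and in bounds */
    int count;           /* options seen, NOP/EOL included */
    size_t opt_len;      /* option bytes declared by th_off */
    const char *reason;  /* why parsing stopped */
} tcp_opts_result;

/* Walk the options of a TCP segment starting at 'tcp' without reading
 * past 'len', the number of bytes available after the IP header. Neither
 * th_off nor any per-option length byte is trusted before being checked. */
tcp_opts_result parse_tcp_options(const uint8_t *tcp, size_t len)
{
    tcp_opts_result r = {0, 0, 0, "ok"};

    if (len < TCP_FIXED_HDR) {
        r.reason = "truncated: fewer than 20 bytes for TCP header";
        return r;
    }
    size_t hdr_len = (size_t)(tcp[12] >> 4) * 4;
    if (hdr_len < TCP_FIXED_HDR) {
        r.reason = "th_off below minimum header length";
        return r;
    }
    if (hdr_len > len) {
        r.reason = "th_off claims more header than was captured";
        return r;
    }
    r.opt_len = hdr_len - TCP_FIXED_HDR;

    const uint8_t *opt = tcp + TCP_FIXED_HDR;
    const uint8_t *end = tcp + hdr_len;
    while (opt < end) {
        uint8_t kind = *opt;
        if (kind == TCPOPT_EOL) { r.count++; break; }       /* padding follows */
        if (kind == TCPOPT_NOP) { r.count++; opt++; continue; } /* one byte, no length */
        /* Every other kind carries a length byte that counts kind+len+data. */
        if (opt + 1 >= end) { r.reason = "option kind without length byte"; return r; }
        uint8_t olen = opt[1];
        if (olen < 2) { r.reason = "option length < 2 would never advance"; return r; }
        if ((size_t)(end - opt) < olen) { r.reason = "option length exceeds header"; return r; }
        r.count++;
        opt += olen;
    }
    r.ok = 1;
    return r;
}

/* Constructed sample: a 32-byte TCP SYN header (th_off = 8) carrying 12 bytes
 * of options, the same shape the trace reports: MSS 1460, NOP, window scale 7,
 * NOP, NOP, SACK-permitted. Checksum left as zero; not meant to be sent. */
const uint8_t sample_good[32] = {
    0x04, 0xd2, 0x00, 0x50,             /* src port 1234, dst port 80 */
    0x00, 0x00, 0x00, 0x01,             /* seq */
    0x00, 0x00, 0x00, 0x00,             /* ack */
    0x80, 0x02,                         /* th_off = 8, flags = SYN */
    0xff, 0xff, 0x00, 0x00, 0x00, 0x00, /* window, checksum, urgent ptr */
    0x02, 0x04, 0x05, 0xb4,             /* MSS = 1460 */
    0x01,                               /* NOP */
    0x03, 0x03, 0x07,                   /* window scale = 7 */
    0x01, 0x01,                         /* NOP, NOP */
    0x04, 0x02                          /* SACK permitted */
};

/* Constructed malformed sample: identical, but the window scale option's
 * length byte is 0, which a naive "opt += opt[1]" loop would spin on. */
const uint8_t sample_zero_len[32] = {
    0x04, 0xd2, 0x00, 0x50, 0x00, 0x00, 0x00, 0x01,
    0x00, 0x00, 0x00, 0x00, 0x80, 0x02,
    0xff, 0xff, 0x00, 0x00, 0x00, 0x00,
    0x02, 0x04, 0x05, 0xb4, 0x01,
    0x03, 0x00, 0x07,                   /* length 0: invalid */
    0x01, 0x01, 0x04, 0x02
};

static void report(const char *name, tcp_opts_result r)
{
    printf("%s: ok=%d options=%d opt_len=%zu (%s)\n",
           name, r.ok, r.count, r.opt_len, r.reason);
}

int main(void)
{
    report("good", parse_tcp_options(sample_good, sizeof sample_good));
    report("zero-length option", parse_tcp_options(sample_zero_len, sizeof sample_zero_len));
    /* Same good header, but only 24 bytes captured: th_off still says 32. */
    report("short capture", parse_tcp_options(sample_good, 24));
    return 0;
}
```

The third case is the one worth keeping in mind when comparing the trace's "caplen" and "passed len" lines: the header's own length field can legitimately exceed what the capture delivered, and a decoder that indexes by th_off alone reads off the end of the packet buffer.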