[Snort-devel] Snort 2.6.1.5 segfaults when hit with nmap OS detection scan

Steven Sturges steve.sturges at ...402...
Mon Jun 11 20:24:48 EDT 2007


David--

Thanks for the output... To help us track down the problem a
bit easier, can you send us a pcap format of the TCP dump --
so that we can use that to try to reproduce the problem.

To obfuscate the addresses (understandable that you want to),
use -B 192.168.1.1/24 (or similar as needed, that will
obfuscate everything but the last byte of the IP address).

Try a snort command line similar to this:

snort -c snort.conf -d -b -B 10.10.10.1/24 -i eth0 -l ./

Thanks.
-steve

David J. Bianco wrote:
> Steven Sturges wrote:
>> Hi David--
>>
>> Is there any chance you can send us a tcpdump capture
>> of the nmap scan that reliably causes the problem with
>> that binary on VMWare?  I realize it might be pretty large,
>> so if you can narrow it down to a particular set of ports
>> or something please do so -- obfuscate the IPs as needed.
> 
> I've attached it as the file "tcpdump_output.txt".  "x.x.x.x" is the nmap
> system, and "y.y.y.y" is the system running snort.
> 
>> None of your command line options seem odd, so doubt that's
>> it.  Perhaps you could try -dve -i eth0, dump that to an
>> output file to narrow it down (and eliminate any conf related
>> stuff).
> 
> I added -dve to the previous command line (since the bug only seems to
> occur when -c is also used).  Here's the last bit of the output:
> 
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
> 
> 06/06-14:11:56.180307 Y:YY:YY:YY:YY:YY -> X:XX:XX:XX:XX:XX type:0x800 len:0xC0
> y.y.y.y -> x.x.x.x ICMP TTL:64 TOS:0x4 ID:2136 IpLen:20 DgmLen:178
> Type:0  Code:0  ID:36180  Seq:296  ECHO REPLY
> 
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
> 
> 06/06-14:11:56.205792 X:XX:XX:XX:XX:XX -> Y:Y:YY:YY:YY:YY type:0x800 len:0x156
> x.x.x.x:36284 -> y.y.y.y:39563 UDP TTL:60 TOS:0x0 ID:16912 IpLen:20 DgmLen:328
> Len: 300
> 
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
> 
> 06/06-14:11:56.205850 Y:YY:YY:YY:YY:YY -> X:X:XX:XX:XX:XX type:0x800 len:0x172
> 129.57.55.42 -> 129.57.55.8 ICMP TTL:64 TOS:0xC0 ID:2137 IpLen:20 DgmLen:356
> Type:3  Code:3  DESTINATION UNREACHABLE: PORT UNREACHABLE
> ** ORIGINAL DATAGRAM DUMP:
> x.x.x.x:36284 -> y.y.y.y:39563 UDP TTL:60 TOS:0x0 ID:16912 IpLen:20 DgmLen:328
> Len: 300  Csum: 64303
> (300 more bytes of original packet)
> ** END OF DUMP
> 
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
> 
> 
>> Also, what preprocessors do you have enabled -- default
>> from the snort.conf included in the tarball?
>>
> 
> Yeah, it's mostly the default.  I've also enabled perfmonitor, but the
> problem still occurs when that's turned off.
> 
> Also, to answer the other question, I'm using VMWare Workstation 5.5.
> VMWare tools are not installed on this VM.
> 
> 	David
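
The address mapping Steve describes for -B (network bits replaced, last byte kept for a /24), as an added example that is not Snort's code and not part of the original thread. It also rewrites the original datagram header quoted inside ICMP errors such as the port unreachable above, where the addresses appear a second time; all function names are hypothetical and the sample packet is constructed from the 192.0.2.0/24 documentation range.

```python
import ipaddress
import struct

# Same value as the -B argument in the message above; strict=False accepts host bits.
OBFUSCATION_NET = ipaddress.ip_network("10.10.10.1/24", strict=False)

def remap(addr, net):
    """Swap the network bits for `net`, keep the host bits (last byte for a /24)."""
    host = int.from_bytes(addr, "big") & int(net.hostmask)
    return (int(net.network_address) | host).to_bytes(4, "big")

def checksum(data):
    """RFC 1071 Internet checksum; odd-length input is zero-padded."""
    data = bytes(data) + b"\x00" * (len(data) % 2)
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def obfuscate_ipv4(packet, net):
    """Rewrite src/dst, fix the IP checksum, and recurse into ICMP error payloads.
    TCP/UDP checksums (which cover the addresses) are not recomputed here."""
    ihl = (packet[0] & 0x0F) * 4 if packet else 0
    if len(packet) < 20 or packet[0] >> 4 != 4 or not 20 <= ihl <= len(packet):
        return packet  # truncated or not IPv4: leave untouched
    hdr, body = bytearray(packet[:ihl]), packet[ihl:]
    hdr[12:16] = remap(hdr[12:16], net)
    hdr[16:20] = remap(hdr[16:20], net)
    hdr[10:12] = b"\x00\x00"
    hdr[10:12] = struct.pack("!H", checksum(hdr))
    # ICMP errors (types 3, 4, 5, 11, 12) quote the offending datagram after
    # their 8-byte header, so the original addresses appear a second time.
    if hdr[9] == 1 and len(body) > 8 and body[0] in (3, 4, 5, 11, 12):
        icmp = bytearray(body[:8] + obfuscate_ipv4(body[8:], net))
        icmp[2:4] = b"\x00\x00"
        icmp[2:4] = struct.pack("!H", checksum(icmp))
        body = bytes(icmp)
    return bytes(hdr) + body

def sample_port_unreachable():
    """Constructed sample: ICMP port unreachable quoting a UDP probe header."""
    a, b = bytes([192, 0, 2, 8]), bytes([192, 0, 2, 42])
    inner = struct.pack("!BBHHHBBH", 0x45, 0, 328, 16912, 0, 60, 17, 0) + a + b
    inner += struct.pack("!HHHH", 36284, 39563, 308, 0)
    outer = struct.pack("!BBHHHBBH", 0x45, 0xC0, 56, 2137, 0, 64, 1, 0) + b + a
    return outer + struct.pack("!BBHI", 3, 3, 0, 0) + inner

if __name__ == "__main__":
    print(obfuscate_ipv4(sample_port_unreachable(), OBFUSCATION_NET).hex(" "))
```

Searching the rewritten bytes for the original network prefix before sharing a capture confirms that no copy of an address was missed.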




