Re: Snort 1.6 and nmap 2.54beta1

2000-06-15T00:00:00
ID SECURITYVULNS:DOC:346
Type securityvulns
Reporter Securityvulns
Modified 2000-06-15T00:00:00

Description

>From the BUGS file distributed with Snort:


Bug reports should be sent to roesch@clark.net

Please include the following information with your report:

System Architecture (Sparc, x86, etc) Operating System and version (Linux 2.0.22, IRIX 5.3, etc) What rules (if any) you were using What command line switches you were using Any Snort error messages


I recreated the problem on the "shipping" version of Snort 1.6 in straight ASCII packet logging mode. This will also effect snort running in "IDS mode" if you select straight decoded ASCII packet logging. The problem is that the filename generator for the decoded packet dumps doesn't know what to do with non-IP protocols that it doesn't know the name of, so it shuts itself down rather than try to open a bad filename.

Work arounds:

1) BPF filtering Run Snort to only accept/examine IP packets with command line BPF filtering

snort <options> ip

2) Binary logging mode Run Snort to log to a tcpdump-formatted binary log file

snort -b <options>

Fixes:

The latest version of Snort available from CVS fixes this problem as well. Go to http://www.snort.org for more information on downloading the latest version of Snort from CVS.

Expect to see version 1.6.1 of Snort in the next week or so with this (and other) bug fixes.

 -Marty

Galileo wrote: > > I don't know if this has been reported before but here it goes. > snort 1.6 crashes when it's "hit" by a nmap protocol scan ( nmap -sO); > It failes to write some packets to a file and ends whit a fopen () error. > I woud appriciate if someone can reproduce this. > Sorry for my bad English.

-- Martin Roesch <roesch@hiverworld.com> Director of Forensic Systems http://www.hiverworld.com Hiverworld, Inc. Continuous Adaptive Risk Management