Bugtraq mailing list archives
Re: Snort 1.6 and nmap 2.54beta1
From: roesch () HIVERWORLD COM (Martin Roesch)
Date: Wed, 14 Jun 2000 17:51:06 -0700
From the BUGS file distributed with Snort:
-------------------------------------------------------------------------
Bug reports should be sent to roesch () clark net

Please include the following information with your report:

System Architecture (Sparc, x86, etc)
Operating System and version (Linux 2.0.22, IRIX 5.3, etc)
What rules (if any) you were using
What command line switches you were using
Any Snort error messages
-------------------------------------------------------------------------

I recreated the problem on the "shipping" version of Snort 1.6 in straight ASCII packet logging mode. This will also affect Snort running in "IDS mode" if you select straight decoded ASCII packet logging. The problem is that the filename generator for the decoded packet dumps doesn't know what to do with non-IP protocols that it doesn't know the name of, so it shuts itself down rather than try to open a bad filename.

Workarounds:

1) BPF filtering

Run Snort to only accept/examine IP packets with command line BPF filtering

    snort <options> ip

2) Binary logging mode

Run Snort to log to a tcpdump-formatted binary log file

    snort -b <options>

Fixes:

The latest version of Snort available from CVS fixes this problem as well. Go to http://www.snort.org for more information on downloading the latest version of Snort from CVS. Expect to see version 1.6.1 of Snort in the next week or so with this (and other) bug fixes.

-Marty

Galileo wrote:
I don't know if this has been reported before, but here it goes. Snort 1.6 crashes when it's "hit" by an nmap protocol scan (nmap -sO). It fails to write some packets to a file and ends with a fopen() error. I would appreciate it if someone could reproduce this. Sorry for my bad English.
-- Martin Roesch <roesch () hiverworld com> Director of Forensic Systems http://www.hiverworld.com Hiverworld, Inc. Continuous Adaptive Risk Management
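
Added example, not part of the original post and not Snort's own code: a minimal C sketch of a per-packet log filename builder that falls back to a numeric name for protocol numbers it has no name for, so the logger never hands a bad filename to fopen() and never has to shut down. The function name, the protocol table, the `dir/address/protocol` path layout and the sample values are all assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical table of protocol numbers the logger has names for. */
static const struct { int num; const char *name; } known_protos[] = {
    { 1, "ICMP" }, { 6, "TCP" }, { 17, "UDP" },
};

/* Build a per-packet log filename in buf (assumed layout: dir/addr/proto).
 * Returns 0 on success, -1 on invalid arguments or if the name won't fit. */
int build_log_name(char *buf, size_t len, const char *dir,
                   const char *src_addr, int proto)
{
    const char *name = NULL;
    char fallback[16];
    size_t i;
    int n;

    if (buf == NULL || len == 0 || dir == NULL || src_addr == NULL ||
        proto < 0 || proto > 255)
        return -1;

    for (i = 0; i < sizeof(known_protos) / sizeof(known_protos[0]); i++)
        if (known_protos[i].num == proto)
            name = known_protos[i].name;

    /* Unknown protocol: derive a safe name from the number instead of
     * passing an empty or uninitialised string on to fopen(). */
    if (name == NULL) {
        snprintf(fallback, sizeof(fallback), "PROTO%d", proto);
        name = fallback;
    }

    n = snprintf(buf, len, "%s/%s/%s", dir, src_addr, name);
    if (n < 0 || (size_t)n >= len)
        return -1;   /* truncated: caller skips this log entry, keeps running */
    return 0;
}

int main(void)
{
    char path[64];
    /* Constructed sample: protocol 135 is not in the table above. */
    if (build_log_name(path, sizeof(path), "log", "192.0.2.10", 135) == 0)
        puts(path);
    return 0;
}
```

The error return lets the caller drop a single log entry and keep the sensor running, rather than exiting on the first packet it cannot name.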