Intrusion Detection Systems mailing list archives

FW: Snort 1.6 and nmap 2.54beta1


From: brian.d.mila () lmco com (Mila, Brian D)
Date: Thu, 15 Jun 2000 10:00:34 -0400


Archive: http://msgs.securepoint.com/ids
FAQ: http://www.ticm.com/kb/faq/idsfaq.html
IDS: http://www-rnks.informatik.tu-cottbus.de/~sobirey/ids.html
UNSUBSCRIBE: email "unsubscribe ids" to majordomo () uow edu au
For the snort users in the group that don't read Bugtraq, this may be of
interest.

brian

-----Original Message-----
From: Martin Roesch [SMTP:roesch () HIVERWORLD COM]
Sent: Wednesday, June 14, 2000 7:51 PM
To:   BUGTRAQ () SECURITYFOCUS COM
Subject:      Re: Snort 1.6 and nmap 2.54beta1

From the BUGS file distributed with Snort:

-------------------------------------------------------------------------
Bug reports should be sent to roesch () clark net

Please include the following information with your report:

System Architecture (Sparc, x86, etc)
Operating System and version (Linux 2.0.22, IRIX 5.3, etc)
What rules (if any) you were using
What command line switches you were using
Any Snort error messages
-------------------------------------------------------------------------

I recreated the problem on the "shipping" version of Snort 1.6 in
straight ASCII packet logging mode.  This will also affect snort running
in "IDS mode" if you select straight decoded ASCII packet logging.  The
problem is that the filename generator for the decoded packet dumps
doesn't know what to do with non-IP protocols that it doesn't know the
name of, so it shuts itself down rather than try to open a bad filename.

Workarounds:

1) BPF filtering
Run Snort to only accept/examine IP packets with command line BPF
filtering

snort <options> ip

2) Binary logging mode
Run Snort to log to a tcpdump-formatted binary log file

snort -b <options>

Fixes:

The latest version of Snort available from CVS fixes this problem as
well.  Go to http://www.snort.org for more information on downloading
the latest version of Snort from CVS.

Expect to see version 1.6.1 of Snort in the next week or so with this
(and other) bug fixes.

     -Marty

Galileo wrote:

I don't know if this has been reported before, but here it goes.
snort 1.6 crashes when it's "hit" by an nmap protocol scan (nmap -sO).
It fails to write some packets to a file and ends with a fopen()
error.
I would appreciate it if someone can reproduce this.
Sorry for my bad English.

--
Martin Roesch                      <roesch () hiverworld com>
Director of Forensic Systems     http://www.hiverworld.com
Hiverworld, Inc.       Continuous Adaptive Risk Management
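The failure mode Marty describes (a decoded-packet filename generator that has no name for the protocol number and bails out rather than open a bad filename) is easy to reproduce in miniature. The following is an added illustration, not Snort's source or anything from the thread: it constructs one minimal IPv4 header per protocol number, which is the kind of sweep an nmap -sO scan sends (the model assumes all 256 values are probed), and feeds them to two filename generators. The fragile one models the 1.6 behaviour and dies on the first unnamed protocol; the other uses a deterministic PROTOnnn fallback and a filename sanity check. The protocol table, the PROTOnnn naming and the function names are assumptions made for the example.

```python
"""Model of the Snort 1.6 ASCII-logging crash under an nmap -sO protocol scan.

Added illustration, not Snort's code. A logger that derives the dump filename
from a protocol-name table and aborts on a miss dies on the first unnamed
protocol, which matches the thread's report (fopen() error on an unusable
filename). The robust variant falls back to a generated name instead.
"""
import re
import struct

# Protocol numbers the model knows how to name. Assumption: the table a
# 1.6-era decoder handled; every other value is "unknown" to this model.
KNOWN_PROTOCOLS = {1: "ICMP", 6: "TCP", 17: "UDP"}

# Anything we hand to fopen() must be a plain path component.
SAFE_NAME = re.compile(r"^[A-Za-z0-9_.-]+$")


def build_ipv4_header(src, dst, proto, payload_len=0):
    """Construct a minimal 20-byte IPv4 header (constructed test input; checksum left 0)."""
    version_ihl = (4 << 4) | 5
    total_length = 20 + payload_len
    return struct.pack(
        "!BBHHHBBH4s4s",
        version_ihl, 0, total_length, 0, 0, 64, proto, 0,
        bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))),
    )


def ip_protocol(packet):
    """Return the IPv4 protocol number, or None if the bytes are not a sane IPv4 header."""
    if len(packet) < 20:
        return None
    version_ihl = packet[0]
    if version_ihl >> 4 != 4 or (version_ihl & 0x0F) < 5:
        return None
    return packet[9]


def fragile_log_filename(packet):
    """1.6-style behaviour: no table entry means no usable filename, so give up."""
    proto = ip_protocol(packet)
    name = KNOWN_PROTOCOLS.get(proto)
    if name is None:
        raise RuntimeError(f"no filename for IP protocol {proto}")
    return name


def robust_log_filename(packet):
    """Fall back to PROTOnnn for unnamed protocols; refuse anything unsafe for fopen()."""
    proto = ip_protocol(packet)
    if proto is None:
        return None  # undecodable packet: skip it rather than abort the logger
    name = KNOWN_PROTOCOLS.get(proto, f"PROTO{proto:03d}")  # assumed naming scheme
    if not SAFE_NAME.match(name):
        return None
    return name


def simulate_protocol_scan(filename_fn, src="10.0.0.5", dst="10.0.0.1"):
    """Feed one packet per IPv4 protocol number (0-255) to a filename generator.

    Returns (filenames_written, protocol_that_killed_the_logger_or_None).
    """
    written = []
    for proto in range(256):
        packet = build_ipv4_header(src, dst, proto)
        try:
            name = filename_fn(packet)
        except RuntimeError:
            return written, proto
        if name is not None:
            written.append(name)
    return written, None


if __name__ == "__main__":
    files, died_at = simulate_protocol_scan(fragile_log_filename)
    print(f"fragile logger: wrote {len(files)} files, died on protocol {died_at}")
    files, died_at = simulate_protocol_scan(robust_log_filename)
    print(f"robust logger: wrote {len(files)} files, died on {died_at}")
```

The BPF workaround in the message (`snort <options> ip`) sidesteps the generator entirely by never handing it a packet it cannot name; the fallback above is the shape of fix that lets ASCII logging survive the scan and still leaves a per-protocol file behind for the analyst.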

