Date: Wed, 14 Jun 2000 17:51:06 -0700 From: Martin Roesch <roesch@HIVERWORLD.COM> Subject: Re: Snort 1.6 and nmap 2.54beta1 To: BUGTRAQ@SECURITYFOCUS.COM From the BUGS file distributed with Snort: ------------------------------------------------------------------------- Bug reports should be sent to roesch@clark.net Please include the following information with your report: System Architecture (Sparc, x86, etc) Operating System and version (Linux 2.0.22, IRIX 5.3, etc) What rules (if any) you were using What command line switches you were using Any Snort error messages ------------------------------------------------------------------------- I recreated the problem on the "shipping" version of Snort 1.6 in straight ASCII packet logging mode. This will also effect snort running in "IDS mode" if you select straight decoded ASCII packet logging. The problem is that the filename generator for the decoded packet dumps doesn't know what to do with non-IP protocols that it doesn't know the name of, so it shuts itself down rather than try to open a bad filename. Work arounds: 1) BPF filtering Run Snort to only accept/examine IP packets with command line BPF filtering snort <options> ip 2) Binary logging mode Run Snort to log to a tcpdump-formatted binary log file snort -b <options> Fixes: The latest version of Snort available from CVS fixes this problem as well. Go to http://www.snort.org for more information on downloading the latest version of Snort from CVS. Expect to see version 1.6.1 of Snort in the next week or so with this (and other) bug fixes. -Marty Galileo wrote: > > I don't know if this has been reported before but here it goes. > snort 1.6 crashes when it's "hit" by a nmap protocol scan ( nmap -sO); > It failes to write some packets to a file and ends whit a fopen () error. > I woud appriciate if someone can reproduce this. > Sorry for my bad English. -- Martin Roesch <roesch@hiverworld.com> Director of Forensic Systems http://www.hiverworld.com Hiverworld, Inc. Continuous Adaptive Risk Management