![[LWN Logo]](/images/lc.png) |
|
![[Timeline]](/images/Included.png) |
Date: Wed, 14 Jun 2000 17:51:06 -0700
From: Martin Roesch <roesch@HIVERWORLD.COM>
Subject: Re: Snort 1.6 and nmap 2.54beta1
To: BUGTRAQ@SECURITYFOCUS.COM
From the BUGS file distributed with Snort:
-------------------------------------------------------------------------
Bug reports should be sent to roesch@clark.net
Please include the following information with your report:
System Architecture (Sparc, x86, etc)
Operating System and version (Linux 2.0.22, IRIX 5.3, etc)
What rules (if any) you were using
What command line switches you were using
Any Snort error messages
-------------------------------------------------------------------------
I recreated the problem on the "shipping" version of Snort 1.6 in
straight ASCII packet logging mode. This will also effect snort running
in "IDS mode" if you select straight decoded ASCII packet logging. The
problem is that the filename generator for the decoded packet dumps
doesn't know what to do with non-IP protocols that it doesn't know the
name of, so it shuts itself down rather than try to open a bad filename.
Work arounds:
1) BPF filtering
Run Snort to only accept/examine IP packets with command line BPF
filtering
snort <options> ip
2) Binary logging mode
Run Snort to log to a tcpdump-formatted binary log file
snort -b <options>
Fixes:
The latest version of Snort available from CVS fixes this problem as
well. Go to http://www.snort.org for more information on downloading
the latest version of Snort from CVS.
Expect to see version 1.6.1 of Snort in the next week or so with this
(and other) bug fixes.
-Marty
Galileo wrote:
>
> I don't know if this has been reported before but here it goes.
> snort 1.6 crashes when it's "hit" by a nmap protocol scan ( nmap -sO);
> It failes to write some packets to a file and ends whit a fopen () error.
> I woud appriciate if someone can reproduce this.
> Sorry for my bad English.
--
Martin Roesch <roesch@hiverworld.com>
Director of Forensic Systems http://www.hiverworld.com
Hiverworld, Inc. Continuous Adaptive Risk Management