evilsocket/opensnitch

nmap SYN packets are dropped with opensnitch enabled, without notification

Open

#1,160 opened on Jul 26, 2024

help wanted

Description

When performing a SYN network scan with nmap, all the IP packets get dropped without any notification from opensnitch. If opensnitch is disabled, everything works fine.

In the log I see that opensnitch doesn't find the nmap program for this connection, maybe due to the raw socket and half-open connection.

[2024-07-26 10:54:35] DBG [-1] FindProcess() error: Unable to get process information
[2024-07-26 10:54:35] DBG Could not find process by its pid -1 for: 48033:192.168.42.189 (uid:0) ->(tcp)-> scanme.org (45.33.32.156):22
[2024-07-26 10:54:35] DBG new connection tcp => 48033:192.168.42.189 -> 45.33.32.156 (scanme.org):1025 uid: 0, mark: 0
[2024-07-26 10:54:35] DBG netlink socket error: Warning, no message nor error from netlink, or no connections found - 48033:192.168.42.189 -> 45.33.32.156:1025
[2024-07-26 10:54:35] DBG netlink socket error: Warning, no message nor error from netlink, or no connections found - 48033:192.168.42.189 -> 45.33.32.156:1025
[2024-07-26 10:54:35] DBG Searching for tcp6 netstat entry instead of tcp
[2024-07-26 10:54:35] DBG <== no inodes found for this connection: &netstat.Entry{Proto:"tcp", SrcIP:net.IP{0xc0, 0xa8, 0x2a, 0xbd}, DstIP:net.IP{0x2d, 0x21, 0x20, 0x9c}, UserId:-1, INode:-1, SrcPort:0xbba1, DstPort:0x401}an't be read /proc/ -1
[2024-07-26 10:54:35] DBG [-1] FindProcess() error: Unable to get process information
[2024-07-26 10:54:35] DBG Could not find process by its pid -1 for: 48033:192.168.42.189 (uid:0) ->(tcp)-> scanme.org (45.33.32.156):1025
[2024-07-26 10:54:36] DBG [ebpf] tcp map: 77 active items
[2024-07-26 10:54:36] DBG [ebpf] tcp6 map: 325 active items
[2024-07-26 10:54:36] DBG [ebpf] udp map: 480 active items
[2024-07-26 10:54:36] DBG [ebpf] udp6 map: 0 active items
[2024-07-26 10:54:36] DBG [eBPF exec event] ppid: 3748, pid: 19922, /usr/bin/sh -> [sh -c cat /sys/class/net/*/statistics/*_bytes]
[2024-07-26 10:54:36] DBG [eBPF event inCache] -> 19922
[2024-07-26 10:54:36] DBG [eBPF exit event] -> 19922
[2024-07-26 10:54:36] DBG [eBPF exit event inCache] -> 19922
[2024-07-26 10:54:36] DBG [eBPF exec event] ppid: 3748, pid: 19923, /usr/bin/sh -> [sh -c cat /sys/class/net/*/statistics/*_bytes]
[2024-07-26 10:54:36] DBG [eBPF event inCache] -> 19923
[2024-07-26 10:54:36] DBG [eBPF exit event] -> 19923
[2024-07-26 10:54:36] DBG [eBPF exit event inCache] -> 19923
[2024-07-26 10:54:36] DBG [eBPF exec event] ppid: 3748, pid: 19924, /usr/bin/sh -> [sh -c cat /sys/class/net/*/statistics/*_bytes]
[2024-07-26 10:54:36] DBG [eBPF event inCache] -> 19924
[2024-07-26 10:54:36] DBG [eBPF exit event] -> 19924
[2024-07-26 10:54:36] DBG [eBPF exit event inCache] -> 19924
[2024-07-26 10:54:36] DBG [eBPF exec event] ppid: 3748, pid: 19925, /usr/bin/sh -> [sh -c cat /sys/class/net/*/statistics/*_bytes]
[2024-07-26 10:54:36] DBG [eBPF exec event] ppid: 3748, pid: 19925, /usr/bin/cat -> [cat /sys/class/net/enp2s0/statistics/rx_bytes /sys/class/net/enp2s0/statistics/tx_bytes /sys/class/net/l
[2024-07-26 10:54:36] DBG [eBPF exit event] -> 19925
[2024-07-26 10:54:36] DBG [eBPF exit event inCache] -> 19925
[2024-07-26 10:54:36] DBG [eBPF exec event] ppid: 3748, pid: 19926, /usr/bin/sh -> [sh -c cat /sys/class/net/*/statistics/*_bytes]
[2024-07-26 10:54:36] DBG [eBPF event inCache] -> 19926
[2024-07-26 10:54:36] DBG [eBPF exit event] -> 19926
[2024-07-26 10:54:36] DBG [eBPF exit event inCache] -> 19926
[2024-07-26 10:54:36] DBG [eBPF exec event] ppid: 3748, pid: 19927, /usr/bin/sh -> [sh -c cat /sys/class/net/*/statistics/*_bytes]
[2024-07-26 10:54:36] DBG [eBPF event inCache] -> 19927
[2024-07-26 10:54:36] DBG [eBPF exit event] -> 19927
[2024-07-26 10:54:36] DBG [eBPF exit event inCache] -> 19927
[2024-07-26 10:54:37] DBG new connection tcp => 48035:192.168.42.189 -> 45.33.32.156 (scanme.org):1025 uid: 0, mark: 0

It would be great if opensnitch would allow creating a rule that allows nmap to perform its work, or at least show a notification when connections for which no process could be found happen.

  • opensnitch version 1.6.6
  • gentoo stable
  • Window Manager: awesomeWM
  • Kernel version 6.6.38

To reproduce the bug, start this command:

nmap -sS scanme.org

Thanks for your fantastic work.
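The log above shows the mechanism behind the missing notification: a host firewall attributes an outbound connection to a process by first locating the kernel socket for the 4-tuple (via netlink inet_diag or the /proc/net/tcp table) and then mapping that socket's inode to a PID through /proc/<pid>/fd. A SYN probe written through a raw socket never creates a TCP socket, so the lookup finds nothing and the connection stays unattributed. The Go program below is an added example written for this report, not opensnitch's own code; it parses a constructed /proc/net/tcp table (x86 little-endian hex layout, IPv4 only) and uses a constructed inode-to-PID map in place of a real /proc scan, so it runs offline and shows the difference between an attributable connection and an unattributable one that a defender would want surfaced rather than silently dropped.

```go
package main

import (
	"bufio"
	"encoding/binary"
	"fmt"
	"net"
	"strconv"
	"strings"
)

// SocketEntry is one parsed row of /proc/net/tcp.
type SocketEntry struct {
	SrcIP, DstIP     net.IP
	SrcPort, DstPort uint16
	UID, Inode       int
}

// Constructed sample table (not captured from a real host). Only a browser's
// HTTPS session (uid 1000, inode 123456) and a local listener are present; the
// SYN-scan probe from port 48033 has no row because a raw socket never
// registers a TCP socket with the kernel's TCP stack.
const sampleProcNetTCP = `  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: BD2AA8C0:A5B6 9C20212D:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 123456 1 0000000000000000 20 4 30 10 -1
   1: 0100007F:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 98765 1 0000000000000000 100 0 0 10 0
`

// Constructed stand-in for walking /proc/<pid>/fd for "socket:[inode]" links.
var inodeToPID = map[int]int{123456: 4242, 98765: 777}

// parseHexAddr decodes "BD2AA8C0:BBA1": the IPv4 address is printed as a
// little-endian 32-bit hex value on x86, the port as big-endian hex.
func parseHexAddr(s string) (net.IP, uint16, error) {
	host, port, ok := strings.Cut(s, ":")
	if !ok || len(host) != 8 {
		return nil, 0, fmt.Errorf("unsupported address %q (IPv4 only)", s)
	}
	h, err := strconv.ParseUint(host, 16, 32)
	if err != nil {
		return nil, 0, err
	}
	p, err := strconv.ParseUint(port, 16, 16)
	if err != nil {
		return nil, 0, err
	}
	ip := make(net.IP, 4)
	binary.LittleEndian.PutUint32(ip, uint32(h))
	return ip, uint16(p), nil
}

// ParseProcNetTCP parses the table text; the header and malformed rows are skipped.
func ParseProcNetTCP(table string) []SocketEntry {
	var entries []SocketEntry
	sc := bufio.NewScanner(strings.NewReader(table))
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		if len(f) < 10 || f[0] == "sl" {
			continue
		}
		src, sport, err1 := parseHexAddr(f[1])
		dst, dport, err2 := parseHexAddr(f[2])
		uid, err3 := strconv.Atoi(f[7])
		inode, err4 := strconv.Atoi(f[9])
		if err1 != nil || err2 != nil || err3 != nil || err4 != nil {
			continue
		}
		entries = append(entries, SocketEntry{src, dst, sport, dport, uid, inode})
	}
	return entries
}

// AttributePID returns the PID owning the socket for the 4-tuple, or 0 plus a
// reason when attribution fails (the situation opensnitch logs above as
// "no inodes found for this connection").
func AttributePID(table, srcIP string, srcPort uint16, dstIP string, dstPort uint16) (int, string) {
	s, d := net.ParseIP(srcIP).To4(), net.ParseIP(dstIP).To4()
	for _, e := range ParseProcNetTCP(table) {
		if e.SrcIP.Equal(s) && e.SrcPort == srcPort && e.DstIP.Equal(d) && e.DstPort == dstPort {
			if pid, ok := inodeToPID[e.Inode]; ok {
				return pid, "attributed via inode"
			}
			return 0, "socket exists but inode not found in any /proc/<pid>/fd"
		}
	}
	return 0, "no socket entry: likely raw socket or packet crafted below the TCP stack"
}

func main() {
	// The browser session resolves; the SYN probe from the log does not.
	fmt.Println(AttributePID(sampleProcNetTCP, "192.168.42.189", 42422, "45.33.32.156", 443))
	fmt.Println(AttributePID(sampleProcNetTCP, "192.168.42.189", 48033, "45.33.32.156", 22))
}
```

The second lookup is exactly the case in this issue: the tuple is real traffic leaving the host, but no socket backs it, so a policy of "drop silently when no process is found" hides both a legitimate scanner and anything else that writes raw packets. Logging or notifying on that unattributed branch is the behaviour the report asks for.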
