evilsocket/opensnitch

nmap syn packages drop with enabled opensnitch without notification

Open

#1160 opened on 26 Jul 2024

help wanted


Description

When performing a SYN network scan with nmap, all the IP packets get dropped without any notification from opensnitch. If opensnitch is disabled, everything works fine.

In the log I see that opensnitch doesn't find the nmap program for this connection, maybe due to the raw socket and half-open connection.

[2024-07-26 10:54:35] DBG [-1] FindProcess() error: Unable to get process information
[2024-07-26 10:54:35] DBG Could not find process by its pid -1 for: 48033:192.168.42.189 (uid:0) ->(tcp)-> scanme.org (45.33.32.156):22
[2024-07-26 10:54:35] DBG new connection tcp => 48033:192.168.42.189 -> 45.33.32.156 (scanme.org):1025 uid: 0, mark: 0
[2024-07-26 10:54:35] DBG netlink socket error: Warning, no message nor error from netlink, or no connections found - 48033:192.168.42.189 -> 45.33.32.156:1025
[2024-07-26 10:54:35] DBG netlink socket error: Warning, no message nor error from netlink, or no connections found - 48033:192.168.42.189 -> 45.33.32.156:1025
[2024-07-26 10:54:35] DBG Searching for tcp6 netstat entry instead of tcp
[2024-07-26 10:54:35] DBG <== no inodes found for this connection: &netstat.Entry{Proto:"tcp", SrcIP:net.IP{0xc0, 0xa8, 0x2a, 0xbd}, DstIP:net.IP{0x2d, 0x21, 0x20, 0x9c}, UserId:-1, INode:-1, SrcPort:0xbba1, DstPort:0x401}an't be read /proc/ -1
[2024-07-26 10:54:35] DBG [-1] FindProcess() error: Unable to get process information
[2024-07-26 10:54:35] DBG Could not find process by its pid -1 for: 48033:192.168.42.189 (uid:0) ->(tcp)-> scanme.org (45.33.32.156):1025
[2024-07-26 10:54:36] DBG [ebpf] tcp map: 77 active items
[2024-07-26 10:54:36] DBG [ebpf] tcp6 map: 325 active items
[2024-07-26 10:54:36] DBG [ebpf] udp map: 480 active items
[2024-07-26 10:54:36] DBG [ebpf] udp6 map: 0 active items
[2024-07-26 10:54:36] DBG [eBPF exec event] ppid: 3748, pid: 19922, /usr/bin/sh -> [sh -c cat /sys/class/net/*/statistics/*_bytes]
[2024-07-26 10:54:36] DBG [eBPF event inCache] -> 19922
[2024-07-26 10:54:36] DBG [eBPF exit event] -> 19922
[2024-07-26 10:54:36] DBG [eBPF exit event inCache] -> 19922
[2024-07-26 10:54:36] DBG [eBPF exec event] ppid: 3748, pid: 19923, /usr/bin/sh -> [sh -c cat /sys/class/net/*/statistics/*_bytes]
[2024-07-26 10:54:36] DBG [eBPF event inCache] -> 19923
[2024-07-26 10:54:36] DBG [eBPF exit event] -> 19923
[2024-07-26 10:54:36] DBG [eBPF exit event inCache] -> 19923
[2024-07-26 10:54:36] DBG [eBPF exec event] ppid: 3748, pid: 19924, /usr/bin/sh -> [sh -c cat /sys/class/net/*/statistics/*_bytes]
[2024-07-26 10:54:36] DBG [eBPF event inCache] -> 19924
[2024-07-26 10:54:36] DBG [eBPF exit event] -> 19924
[2024-07-26 10:54:36] DBG [eBPF exit event inCache] -> 19924
[2024-07-26 10:54:36] DBG [eBPF exec event] ppid: 3748, pid: 19925, /usr/bin/sh -> [sh -c cat /sys/class/net/*/statistics/*_bytes]
[2024-07-26 10:54:36] DBG [eBPF exec event] ppid: 3748, pid: 19925, /usr/bin/cat -> [cat /sys/class/net/enp2s0/statistics/rx_bytes /sys/class/net/enp2s0/statistics/tx_bytes /sys/class/net/l
[2024-07-26 10:54:36] DBG [eBPF exit event] -> 19925
[2024-07-26 10:54:36] DBG [eBPF exit event inCache] -> 19925
[2024-07-26 10:54:36] DBG [eBPF exec event] ppid: 3748, pid: 19926, /usr/bin/sh -> [sh -c cat /sys/class/net/*/statistics/*_bytes]
[2024-07-26 10:54:36] DBG [eBPF event inCache] -> 19926
[2024-07-26 10:54:36] DBG [eBPF exit event] -> 19926
[2024-07-26 10:54:36] DBG [eBPF exit event inCache] -> 19926
[2024-07-26 10:54:36] DBG [eBPF exec event] ppid: 3748, pid: 19927, /usr/bin/sh -> [sh -c cat /sys/class/net/*/statistics/*_bytes]
[2024-07-26 10:54:36] DBG [eBPF event inCache] -> 19927
[2024-07-26 10:54:36] DBG [eBPF exit event] -> 19927
[2024-07-26 10:54:36] DBG [eBPF exit event inCache] -> 19927
[2024-07-26 10:54:37] DBG new connection tcp => 48035:192.168.42.189 -> 45.33.32.156 (scanme.org):1025 uid: 0, mark: 0

It would be great if opensnitch would allow creating a rule that allows nmap to perform its work, or at least show a notification when connections where no process could be found happen.

  • opensnitch version 1.6.6
  • gentoo stable
  • Window Manager: awesomeWM
  • Kernel version 6.6.38

To reproduce the bug, start this command:

nmap -sS scanme.org

Thanks for your fantastic work.
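As an added illustration, not code from the opensnitch project or the reporter: a small Python parser over the daemon's debug log that surfaces the connections logged with no owning process (pid -1), which is the "notification" the issue asks for. The line format is taken from the log quoted above; SAMPLE_LOG is a constructed excerpt in that format.

```python
import re

# Constructed sample, modelled on the DBG lines quoted in the issue.
SAMPLE_LOG = """\
[2024-07-26 10:54:35] DBG [-1] FindProcess() error: Unable to get process information
[2024-07-26 10:54:35] DBG Could not find process by its pid -1 for: 48033:192.168.42.189 (uid:0) ->(tcp)-> scanme.org (45.33.32.156):22
[2024-07-26 10:54:35] DBG new connection tcp => 48033:192.168.42.189 -> 45.33.32.156 (scanme.org):1025 uid: 0, mark: 0
[2024-07-26 10:54:35] DBG Could not find process by its pid -1 for: 48033:192.168.42.189 (uid:0) ->(tcp)-> scanme.org (45.33.32.156):1025
[2024-07-26 10:54:36] DBG [eBPF exec event] ppid: 3748, pid: 19922, /usr/bin/sh -> [sh -c cat /sys/class/net/*/statistics/*_bytes]
[2024-07-26 10:54:37] DBG new connection tcp => 48035:192.168.42.189 -> 45.33.32.156 (scanme.org):1025 uid: 0, mark: 0
"""

# Matches only the "Could not find process by its pid -1 for:" lines and pulls
# out timestamp, source port/IP, uid, protocol, destination host/IP and port.
ORPHAN_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] DBG Could not find process by its pid -1 for: "
    r"(?P<sport>\d+):(?P<src>[\d.]+) \(uid:(?P<uid>\d+)\) ->\((?P<proto>\w+)\)-> "
    r"(?P<dhost>\S+) \((?P<dst>[\d.]+)\):(?P<dport>\d+)$"
)


def orphan_connections(log_text):
    """Return every connection the daemon could not attribute to a process."""
    found = []
    for line in log_text.splitlines():
        m = ORPHAN_RE.match(line)
        if m:
            found.append(m.groupdict())
    return found


def summarize(orphans):
    """Group orphans by (proto, src, dst): a port scan shows up as many
    destination ports on a single source/destination pair."""
    groups = {}
    for o in orphans:
        key = (o["proto"], o["src"], o["dst"])
        groups.setdefault(key, set()).add(int(o["dport"]))
    return {key: sorted(ports) for key, ports in groups.items()}


if __name__ == "__main__":
    for (proto, src, dst), ports in summarize(orphan_connections(SAMPLE_LOG)).items():
        print(f"{proto} {src} -> {dst}: {len(ports)} unattributed connection(s), ports {ports}")
```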
