Re: syslog-ng stops listen to UDP after "nmap -sU"?
kent@unit.liu.se (Kent Engström) writes:
Everything worked fine until I decided to portscan the syslog server. When I did a UDP scan, syslog-ng stopped logging. This is what happens:
*) I execute "nmap -p 514 -sU xxx.yyy.zzz.www" on a Linux box
Using options "-v" and "-d", I catch the following:
Read EOF on fd 3. Marking fd 3 for closing. Closing fd 3.
It appears that libol is the culprit here. It assumes that a returned read length of 0 means end of file, as when reading from a file or a TCP connection.
--
Kent Engström, Linköping University Incident Response Team
kent@unit.liu.se abuse@liu.se +46 13 28 1744
UNIT, Linköping University; SE-581 83 LINKÖPING; SWEDEN
This should be fixed in libol 0.2.15 and syslog-ng 1.3.16. I didn't backport the fix to 1.2.4 (which I've just released), because it's not trivial.
I've fixed a couple of build fixes, so syslog-ng should build cleanly on the following systems:
*) Solaris 2.5.1 or lower (without door support)
*) Solaris 2.6 or upper (with door support)
*) Linux
*) BSD
I would be grateful if you could check this.
--
Bazsi
PGP info: KeyID 9AF8D0A9 Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1
url: http://www.balabit.hu/pgpkey.txt
participants (2): Balazs Scheidler, kent@unit.liu.se
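The failure mode discussed in this thread, as an added example (not code from libol or syslog-ng): on a datagram socket a receive length of 0 is a valid empty packet, not end of file, so a reader that treats it as EOF stops logging after one such packet. The function names and the sample messages are constructed for illustration, and the traffic goes over loopback UDP on a kernel-chosen port.

```c
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/time.h>
#include <unistd.h>

/* Read up to n datagrams and return how many non-empty messages were accepted.
 * zero_is_eof=1 mirrors the debug output above: length 0 is taken as EOF. */
int read_messages(int fd, int n, int zero_is_eof) {
    char buf[1024];
    int accepted = 0;
    for (int i = 0; i < n; i++) {
        ssize_t len = recv(fd, buf, sizeof buf, 0);
        if (len < 0) break;     /* real error or receive timeout */
        if (len == 0 && zero_is_eof)
            break;              /* stream-style EOF handling: the source is dropped */
        if (len > 0)
            accepted++;         /* len == 0 here is just an empty datagram: skip it */
    }
    return accepted;
}

/* Constructed traffic over loopback UDP: message, empty datagram, message. */
int run_scenario(int zero_is_eof) {
    const char *msgs[] = { "<13>constructed message 1", "", "<13>constructed message 2" };
    struct sockaddr_in addr = { .sin_family = AF_INET };
    struct timeval tv = { 2, 0 };   /* safety net so recv() cannot hang forever */
    socklen_t alen = sizeof addr;
    int got = -1, rx = socket(AF_INET, SOCK_DGRAM, 0), tx = socket(AF_INET, SOCK_DGRAM, 0);
    addr.sin_addr.s_addr = htonl(INADDR_LOOPBACK);  /* port 0: kernel picks one */
    if (rx >= 0 && tx >= 0 &&
        bind(rx, (struct sockaddr *)&addr, sizeof addr) == 0 &&
        getsockname(rx, (struct sockaddr *)&addr, &alen) == 0) {
        setsockopt(rx, SOL_SOCKET, SO_RCVTIMEO, &tv, sizeof tv);
        for (int i = 0; i < 3; i++)
            sendto(tx, msgs[i], strlen(msgs[i]), 0, (struct sockaddr *)&addr, sizeof addr);
        got = read_messages(rx, 3, zero_is_eof);
    }
    if (rx >= 0) close(rx);
    if (tx >= 0) close(tx);
    return got;
}

int main(void) {
    printf("zero length treated as EOF: %d of 2 messages logged\n", run_scenario(1));
    printf("zero length skipped:        %d of 2 messages logged\n", run_scenario(0));
    return 0;
}
```

For a log collector the operational check is the same: send an empty datagram to the listening port on a test instance and confirm that a following message is still recorded.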