
nmap SYN packets dropped with opensnitch enabled, without notification #1160

Open
wofwofwof opened this issue Jul 26, 2024 · 1 comment

Comments

@wofwofwof

When performing a SYN network scan with nmap, all the IP packets get dropped without any notification from opensnitch.
If opensnitch is disabled, everything works fine.

In the log I see that opensnitch doesn't find the nmap program for this connection, maybe due to the raw socket and the half-open connection.

[2024-07-26 10:54:35] DBG [-1] FindProcess() error: Unable to get process information
[2024-07-26 10:54:35] DBG Could not find process by its pid -1 for: 48033:192.168.42.189 (uid:0) ->(tcp)-> scanme.org (45.33.32.156):22
[2024-07-26 10:54:35] DBG new connection tcp => 48033:192.168.42.189 -> 45.33.32.156 (scanme.org):1025 uid: 0, mark: 0
[2024-07-26 10:54:35] DBG netlink socket error: Warning, no message nor error from netlink, or no connections found - 48033:192.168.42.189 -> 45.33.32.156:1025
[2024-07-26 10:54:35] DBG netlink socket error: Warning, no message nor error from netlink, or no connections found - 48033:192.168.42.189 -> 45.33.32.156:1025
[2024-07-26 10:54:35] DBG Searching for tcp6 netstat entry instead of tcp
[2024-07-26 10:54:35] DBG <== no inodes found for this connection: &netstat.Entry{Proto:"tcp", SrcIP:net.IP{0xc0, 0xa8, 0x2a, 0xbd}, DstIP:net.IP{0x2d, 0x21, 0x20, 0x9c}, UserId:-1, INode:-1, SrcPort:0xbba1, DstPort:0x401}an't be read /proc/ -1
[2024-07-26 10:54:35] DBG [-1] FindProcess() error: Unable to get process information
[2024-07-26 10:54:35] DBG Could not find process by its pid -1 for: 48033:192.168.42.189 (uid:0) ->(tcp)-> scanme.org (45.33.32.156):1025
[2024-07-26 10:54:36] DBG [ebpf] tcp map: 77 active items
[2024-07-26 10:54:36] DBG [ebpf] tcp6 map: 325 active items
[2024-07-26 10:54:36] DBG [ebpf] udp map: 480 active items
[2024-07-26 10:54:36] DBG [ebpf] udp6 map: 0 active items
[2024-07-26 10:54:36] DBG [eBPF exec event] ppid: 3748, pid: 19922, /usr/bin/sh -> [sh -c cat /sys/class/net/*/statistics/*_bytes]
[2024-07-26 10:54:36] DBG [eBPF event inCache] -> 19922
[2024-07-26 10:54:36] DBG [eBPF exit event] -> 19922
[2024-07-26 10:54:36] DBG [eBPF exit event inCache] -> 19922
[2024-07-26 10:54:36] DBG [eBPF exec event] ppid: 3748, pid: 19923, /usr/bin/sh -> [sh -c cat /sys/class/net/*/statistics/*_bytes]
[2024-07-26 10:54:36] DBG [eBPF event inCache] -> 19923
[2024-07-26 10:54:36] DBG [eBPF exit event] -> 19923
[2024-07-26 10:54:36] DBG [eBPF exit event inCache] -> 19923
[2024-07-26 10:54:36] DBG [eBPF exec event] ppid: 3748, pid: 19924, /usr/bin/sh -> [sh -c cat /sys/class/net/*/statistics/*_bytes]
[2024-07-26 10:54:36] DBG [eBPF event inCache] -> 19924
[2024-07-26 10:54:36] DBG [eBPF exit event] -> 19924
[2024-07-26 10:54:36] DBG [eBPF exit event inCache] -> 19924
[2024-07-26 10:54:36] DBG [eBPF exec event] ppid: 3748, pid: 19925, /usr/bin/sh -> [sh -c cat /sys/class/net/*/statistics/*_bytes]
[2024-07-26 10:54:36] DBG [eBPF exec event] ppid: 3748, pid: 19925, /usr/bin/cat -> [cat /sys/class/net/enp2s0/statistics/rx_bytes /sys/class/net/enp2s0/statistics/tx_bytes /sys/class/net/l
[2024-07-26 10:54:36] DBG [eBPF exit event] -> 19925
[2024-07-26 10:54:36] DBG [eBPF exit event inCache] -> 19925
[2024-07-26 10:54:36] DBG [eBPF exec event] ppid: 3748, pid: 19926, /usr/bin/sh -> [sh -c cat /sys/class/net/*/statistics/*_bytes]
[2024-07-26 10:54:36] DBG [eBPF event inCache] -> 19926
[2024-07-26 10:54:36] DBG [eBPF exit event] -> 19926
[2024-07-26 10:54:36] DBG [eBPF exit event inCache] -> 19926
[2024-07-26 10:54:36] DBG [eBPF exec event] ppid: 3748, pid: 19927, /usr/bin/sh -> [sh -c cat /sys/class/net/*/statistics/*_bytes]
[2024-07-26 10:54:36] DBG [eBPF event inCache] -> 19927
[2024-07-26 10:54:36] DBG [eBPF exit event] -> 19927
[2024-07-26 10:54:36] DBG [eBPF exit event inCache] -> 19927
[2024-07-26 10:54:37] DBG new connection tcp => 48035:192.168.42.189 -> 45.33.32.156 (scanme.org):1025 uid: 0, mark: 0

It would be great if opensnitch would allow creating a rule that allows nmap to perform its work, or at least show a notification when connections for which no process could be found happen.

  • opensnitch version 1.6.6
  • gentoo stable
  • Window Manager: awesomeWM
  • Kernel version 6.6.38

To reproduce the bug, start this command:

nmap -sS scanme.org

Thanks for your fantastic work.

@gustavo-iniguez-goya
Collaborator

hi @wofwofwof !

Yeah, this is a known old problem. For now, disable the interception or use nmap -sT ..., or well, enable [x] Debug invalid connections under the Preferences -> Nodes tab, and filter by dest port, address, etc.

The problem is that nmap -sS crafts RAW TCP packets, instead of using connect():

nmap -sS -p1-4 ...

76866 socket(AF_INET, SOCK_RAW, IPPROTO_RAW) = 4
(...)
76866 sendto(4, "..."..., 44, 0, {sa_family=AF_INET, sin_port=htons(1), sin_addr=inet_addr("45.33.32.156")}, 16) = 44
76866 sendto(4, "..."..., 44, 0, {sa_family=AF_INET, sin_port=htons(2), sin_addr=inet_addr("45.33.32.156")}, 16) = 44
76866 sendto(4, "..."..., 44, 0, {sa_family=AF_INET, sin_port=htons(3), sin_addr=inet_addr("45.33.32.156")}, 16) = 44

nmap -sT -p1-4 ...

76852 socket(AF_INET, SOCK_STREAM, IPPROTO_TCP) = 6
76852 connect(6, {sa_family=AF_INET, sin_port=htons(1), sin_addr=inet_addr("45.33.32.156")}, 16)
76852 socket(AF_INET, SOCK_STREAM, IPPROTO_TCP) = 7
76852 connect(7, {sa_family=AF_INET, sin_port=htons(2), sin_addr=inet_addr("45.33.32.156")}, 16)
76852 socket(AF_INET, SOCK_STREAM, IPPROTO_TCP) = 8
76852 connect(8, {sa_family=AF_INET, sin_port=htons(3), sin_addr=inet_addr("45.33.32.156")}, 16)

We could hook sys_enter_sendto, but the sockaddr struct does not report the source port:address and we need it to match it against the connection received via nfqueue(s).
As far as I can tell, hooking security_socket_sendmsg() or inet_sendmsg() does not catch these packets.
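To make the failure mode concrete, here is an added Go example (not opensnitch's own code) of the netstat-style /proc/net/tcp lookup that the log above shows as the fallback after netlink returns nothing: a connection made through a normal TCP socket resolves to a socket inode, which can then be matched to a pid via /proc, while the 4-tuple of the raw-socket SYN from the log (192.168.42.189:48033 -> 45.33.32.156:1025) has no entry at all. The table rows and inode numbers are constructed.

```go
package main

import (
	"encoding/hex"
	"net"
	"strconv"
	"strings"
)

// Constructed /proc/net/tcp sample: a loopback listener plus one established
// connection 192.168.42.189:50082 -> 45.33.32.156:22 owned by inode 48811.
// The nmap -sS probe to port 1025 is absent: a raw-socket packet never creates
// a kernel TCP socket, so there is no inode that could be mapped back to a pid.
const sampleProcNetTCP = `  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0CEA 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 21877 1 0000000000000000 100 0 0 10 0
   1: BD2AA8C0:C3A2 9C20212D:0016 01 00000000:00000000 00:00000000 00000000  1000        0 48811 1 0000000000000000 20 4 30 10 -1
`

// parseAddr decodes a "HEXIP:HEXPORT" field; the IP is in host byte order
// (little-endian on x86), so its four bytes are reversed.
func parseAddr(field string) (net.IP, uint16, bool) {
	parts := strings.Split(field, ":")
	if len(parts) != 2 {
		return nil, 0, false
	}
	raw, err := hex.DecodeString(parts[0])
	port, err2 := strconv.ParseUint(parts[1], 16, 16)
	if err != nil || err2 != nil || len(raw) != 4 {
		return nil, 0, false
	}
	return net.IPv4(raw[3], raw[2], raw[1], raw[0]), uint16(port), true
}

// FindInode returns the socket inode owning the 4-tuple, or -1 when no TCP
// socket matches (the case opensnitch logs as "no inodes found for this connection").
func FindInode(table, srcIP string, srcPort uint16, dstIP string, dstPort uint16) int64 {
	for _, line := range strings.Split(table, "\n")[1:] { // [1:] skips the header row
		f := strings.Fields(line)
		if len(f) < 10 {
			continue
		}
		lip, lport, ok1 := parseAddr(f[1])
		rip, rport, ok2 := parseAddr(f[2])
		if ok1 && ok2 && lip.String() == srcIP && lport == srcPort && rip.String() == dstIP && rport == dstPort {
			if inode, err := strconv.ParseInt(f[9], 10, 64); err == nil {
				return inode
			}
		}
	}
	return -1
}
```

On a live system the inode returned here would be searched for under /proc/[pid]/fd to recover the owning process; the -1 result is exactly the point at which that chain breaks for raw-socket traffic.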
