[Snort-devel] SPADE fun

Martin Roesch roesch at ...48...
Thu Jan 25 16:26:40 EST 2001

I decided that as the creator of Snort it behooved me to try out a
little testing on the SPADE module if I was going to be shipping it with
the distro, so test it I did.  I set it up on OpenBSD 2.7 (Celeron
300/128MB/3C905B NIC) and loaded up the standard rules file with SPADE
activated.  Everything seemed to be running fine until I decided to ssh
into the box to get some packet stats out of Snort (via SIGUSR1).  I
ssh'd in and it seg faulted.  Here's the vitals:

[elric /home/roesch/snortdev/snort] {135} sudo gdb snort snort.core
GNU gdb 4.16.1
Copyright 1996 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you
welcome to change it and/or distribute copies of it under certain
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for
This GDB was configured as "i386-unknown-openbsd2.7"...
Core was generated by `snort'.
Program terminated with signal 11, Segmentation fault.
Reading symbols from /usr/libexec/ld.so...done.
Reading symbols from /usr/lib/libpcap.so.1.1...done.
Reading symbols from /usr/lib/libm.so.0.1...done.
Reading symbols from /usr/local/pgsql/lib/libpq.so.2.1...done.
Reading symbols from /usr/local/lib/libssl.so.2.3...done.
Reading symbols from /usr/local/lib/libcrypto.so.2.3...done.
Reading symbols from /usr/lib/libc.so.25.0...done.
#0  0x231f9 in PreprocSpadeThreshlearn (p=0xdfbfd2b8) at
Source file is more recent than executable.
526             for (prev= top_anom_list, l=top_anom_list->next; l !=
NULL && anom > l->val; prev=l,l=l->next);
(gdb) bt
#0  0x231f9 in PreprocSpadeThreshlearn (p=0xdfbfd2b8) at
#1  0xe9ec in Preprocess (p=0xdfbfd2b8) at rules.c:3042
#2  0x2035 in ProcessPacket (user=0x0, pkthdr=0x520a0, pkt=0x520b2 "")
    at snort.c:478
#3  0x40051151 in pcap_read ()
#4  0x4006261b in pcap_loop ()
#5  0x3f69 in InterfaceThread (arg=0x0) at snort.c:1301
#6  0x1f21 in main (argc=5, argv=0xdfbfd7fc) at snort.c:412
(gdb) print top_anom_list
$1 = (ll_double *) 0x3fe20
(gdb) print top_anom_list->next
$2 = (struct _ll_double *) 0x54454e46
(gdb) print l
$3 = (ll_double *) 0x54454e46
(gdb) print l->val
Cannot access memory at address 0x54454e46.
(gdb) print l->next
Cannot access memory at address 0x54454e4e.

Oops, looks like 'l' is porked.  In fact, it looks like
top_anom_list->next got stomped.  I haven't had time to dive into the
code and take a look at what's going on around the crash, but I'll try
to look a bit later.

Here's my snort.conf:

preprocessor defrag
preprocessor stream: timeout 10, ports 21 23 80, maxbytes 16384
preprocessor http_decode: 80 8080
preprocessor portscan: $HOME_NET 4 3 portscan.log
var SPADEDIR ./log
preprocessor spade: -1 $SPADEDIR/spade.rcv $SPADEDIR/log.txt 3 50000
preprocessor spade-homenet: $HOME_NET
preprocessor spade-adapt3: 0.01 60 168
preprocessor spade-threshlearn: 200 24
preprocessor spade-survey:  $SPADEDIR/survey.txt 60
preprocessor spade-stats: entropy uncondprob condprob
output alert_syslog: LOG_AUTH LOG_ALERT
output log_tcpdump: snort.log
include webcgi-lib
include webcf-lib
include webiis-lib
include webfp-lib
include webmisc-lib
include overflow-lib
include finger-lib
include ftp-lib
include smtp-lib
include telnet-lib
include misc-lib
include netbios-lib
include scan-lib
include ddos-lib
include backdoor-lib
include ping-lib
include rpc-lib

It's entirely possible that I've misconfigured something in SPADE, I
haven't had time to exhaustively examine the docs.

The version of Snort I'm running was checked out of CVS about an hour
ago, so it's up to date with the latest tweaks to the stream, defrag,
portscan and spade preprocessors.  Any ideas?  (Yes, I still have the
core file.)


Martin Roesch
roesch at ...48...

More information about the Snort-devel mailing list