[Snort-devel] SPADE fun

John Kinsella jlk at ...222...
Thu Jan 25 17:02:25 EST 2001


For what it's worth...I started playing with SPADE last night and ran
into some segfault probs, too.  Took a working snort config and enabled
the SPADE preprocessor with the following lines:

preprocessor spade: 10.5 /var/log/snort/spade.rcv /var/log/snort/spade.log 3 50000
preprocessor spade-homenet: $HOME_NET
preprocessor spade-threshlearn: 100 24
preprocessor spade-survey: /var/log/snort/spade-survey

Thing is, it's not coring immediately; I'll try to capture a trace of
it tonight.  A pattern seems to be showing up, though, where it cores
after it's been up right around an hour, so I'm wondering if something
in the survey code was causing the prob...

John

On Thu, Jan 25, 2001 at 04:26:40PM -0500, Martin Roesch wrote:
> I decided that as the creator of Snort it behooved me to try out a
> little testing on the SPADE module if I was going to be shipping it with
> the distro, so test it I did.  I set it up on OpenBSD 2.7 (Celeron
> 300/128MB/3C905B NIC) and loaded up the standard rules file with SPADE
> activated.  Everything seemed to be running fine until I decided to ssh
> into the box to get some packet stats out of Snort (via SIGUSR1).  I
> ssh'd in and it seg faulted.  Here's the vitals:
> 
> [elric /home/roesch/snortdev/snort] {135} sudo gdb snort snort.core
> GNU gdb 4.16.1
> Copyright 1996 Free Software Foundation, Inc.
> GDB is free software, covered by the GNU General Public License, and you are
> welcome to change it and/or distribute copies of it under certain conditions.
> Type "show copying" to see the conditions.
> There is absolutely no warranty for GDB.  Type "show warranty" for details.
> This GDB was configured as "i386-unknown-openbsd2.7"...
> Core was generated by `snort'.
> Program terminated with signal 11, Segmentation fault.
> Reading symbols from /usr/libexec/ld.so...done.
> Reading symbols from /usr/lib/libpcap.so.1.1...done.
> Reading symbols from /usr/lib/libm.so.0.1...done.
> Reading symbols from /usr/local/pgsql/lib/libpq.so.2.1...done.
> Reading symbols from /usr/local/lib/libssl.so.2.3...done.
> Reading symbols from /usr/local/lib/libcrypto.so.2.3...done.
> Reading symbols from /usr/lib/libc.so.25.0...done.
> #0  0x231f9 in PreprocSpadeThreshlearn (p=0xdfbfd2b8) at
> spp_anomsensor.c:526
> Source file is more recent than executable.
> 526             for (prev= top_anom_list, l=top_anom_list->next; l !=
> NULL && anom > l->val; prev=l,l=l->next);
> (gdb) bt
> #0  0x231f9 in PreprocSpadeThreshlearn (p=0xdfbfd2b8) at
> spp_anomsensor.c:526
> #1  0xe9ec in Preprocess (p=0xdfbfd2b8) at rules.c:3042
> #2  0x2035 in ProcessPacket (user=0x0, pkthdr=0x520a0, pkt=0x520b2 "")
>     at snort.c:478
> #3  0x40051151 in pcap_read ()
> #4  0x4006261b in pcap_loop ()
> #5  0x3f69 in InterfaceThread (arg=0x0) at snort.c:1301
> #6  0x1f21 in main (argc=5, argv=0xdfbfd7fc) at snort.c:412
> (gdb) print top_anom_list
> $1 = (ll_double *) 0x3fe20
> (gdb) print top_anom_list->next
> $2 = (struct _ll_double *) 0x54454e46
> (gdb) print l
> $3 = (ll_double *) 0x54454e46
> (gdb) print l->val
> Cannot access memory at address 0x54454e46.
> (gdb) print l->next
> Cannot access memory at address 0x54454e4e.
> 
> Oops, looks like 'l' is porked.  In fact, it looks like
> top_anom_list->next got stomped.  I haven't had time to dive into the
> code and take a look at what's going on around the crash, but I'll try
> to look a bit later.
> 
> Here's my snort.conf:
> 
> var HOME_NET 10.1.1.0/24
> var EXTERNAL_NET any
> preprocessor defrag
> preprocessor stream: timeout 10, ports 21 23 80, maxbytes 16384
> preprocessor http_decode: 80 8080
> preprocessor portscan: $HOME_NET 4 3 portscan.log
> var SPADEDIR ./log
> preprocessor spade: -1 $SPADEDIR/spade.rcv $SPADEDIR/log.txt 3 50000
> preprocessor spade-homenet: $HOME_NET
> preprocessor spade-adapt3: 0.01 60 168
> preprocessor spade-threshlearn: 200 24
> preprocessor spade-survey:  $SPADEDIR/survey.txt 60
> preprocessor spade-stats: entropy uncondprob condprob
> output alert_syslog: LOG_AUTH LOG_ALERT
> output log_tcpdump: snort.log
> include webcgi-lib
> include webcf-lib
> include webiis-lib
> include webfp-lib
> include webmisc-lib
> include overflow-lib
> include finger-lib
> include ftp-lib
> include smtp-lib
> include telnet-lib
> include misc-lib
> include netbios-lib
> include scan-lib
> include ddos-lib
> include backdoor-lib
> include ping-lib
> include rpc-lib
> 
> It's entirely possible that I've misconfigured something in SPADE, I
> haven't had time to exhaustively examine the docs.
> 
> The version of Snort I'm running was checked out of CVS about an hour
> ago, so it's up to date with the latest tweaks to the stream, defrag,
> portscan and spade preprocessors.  Any ideas?  (Yes, I still have the
> core file.)
> 
>    -Marty
> 
> --
> Martin Roesch
> roesch at ...48...
> http://www.snort.org
> 
> _______________________________________________
> Snort-devel mailing list
> Snort-devel at lists.sourceforge.net
> http://lists.sourceforge.net/lists/listinfo/snort-devel

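Added triage example, not code from this thread or from Snort/SPADE: the value gdb printed for `l` (0x54454e46) is four printable ASCII bytes, and the two faulting addresses are 8 bytes apart, which together suggest that string data was written over the `next` pointer of a node laid out as a double followed by a pointer (an assumption inferred from the session, not confirmed by the page). The program below runs exactly those two checks on the values from the quoted gdb output; it assumes a 32-bit little-endian host, as the "i386-unknown-openbsd2.7" banner indicates.

```c
/* Crash-triage helper for the quoted gdb session.  Not Snort or SPADE code.
 * Assumption: 32-bit little-endian host (i386), so a pointer's low byte is
 * the first byte in memory. */
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* The four bytes of ptr in memory order; non-printable bytes shown as '.'.
 * Uses a static buffer, so copy the result before calling again. */
const char *ptr_bytes_le(uint32_t ptr)
{
    static char out[5];
    for (int i = 0; i < 4; i++) {
        unsigned char b = (unsigned char)(ptr >> (8 * i));
        out[i] = isprint(b) ? (char)b : '.';
    }
    out[4] = '\0';
    return out;
}

/* 1 when every byte of ptr is printable ASCII: a pointer made entirely of
 * text is the usual fingerprint of a string overrunning into a neighbour. */
int ptr_is_ascii(uint32_t ptr)
{
    for (int i = 0; i < 4; i++)
        if (!isprint((unsigned char)(ptr >> (8 * i))))
            return 0;
    return 1;
}

/* Distance between the address gdb faulted on for l->val and for l->next;
 * this is the offset of `next` inside the node. */
uint32_t next_field_offset(uint32_t val_addr, uint32_t next_addr)
{
    return next_addr - val_addr;
}

int main(void)
{
    uint32_t stomped = 0x54454e46u;  /* what gdb printed for l */
    uint32_t head    = 0x3fe20u;     /* what gdb printed for top_anom_list */
    printf("l             = 0x%08x  bytes \"%s\"  ascii=%d\n",
           stomped, ptr_bytes_le(stomped), ptr_is_ascii(stomped));
    printf("top_anom_list = 0x%08x  bytes \"%s\"  ascii=%d\n",
           head, ptr_bytes_le(head), ptr_is_ascii(head));
    printf("next lives at offset %u in the node (8 == sizeof(double))\n",
           next_field_offset(0x54454e46u, 0x54454e4eu));
    return 0;
}
```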