[Snort-devel] SPADE fun

James Hoagland hoagland at ...60...
Thu Jan 25 17:47:25 EST 2001

Hello Marty,

>Oops, looks like 'l' is porked.  In fact, it looks like
>top_anom_list->next got stomped.  I haven't had time to dive into the
>code and take a look at what's going on around the crash, but I'll try
>to look a bit later.

I think I found where the problem is.  There is one spot in the 
threshold learning code where ->next was not initialized.  Sound 
familiar?  Well, the adapt3 code was based on the adapt code and the 
adapt code base based on the threshold learning code and now we have 
found out that each of those have a failure to initialize "next" on 
an originally created link.  So, I guess you could say it was 
inherited bugs that we found last week.  :)  And that this is the 
mother of those bugs.  (Fortunately adapt2 was spared this fate.)

Here's the fix.  Add:

	top_anom_list->next= NULL;

after the malloc in the function SpadeThreshlearnInit() (in spp_anomsensor.c).

Sorry to all for any inconvenience.  And let me know if this didn't 
solve the problem.

>Here's my snort.conf:
>preprocessor defrag
>preprocessor stream: timeout 10, ports 21 23 80, maxbytes 16384
>preprocessor http_decode: 80 8080
>preprocessor portscan: $HOME_NET 4 3 portscan.log
>var SPADEDIR ./log
>preprocessor spade: -1 $SPADEDIR/spade.rcv $SPADEDIR/log.txt 3 50000
>preprocessor spade-homenet: $HOME_NET
>preprocessor spade-adapt3: 0.01 60 168
>preprocessor spade-threshlearn: 200 24
>preprocessor spade-survey:  $SPADEDIR/survey.txt 60
>preprocessor spade-stats: entropy uncondprob condprob

My that's alot of spade lines.  I have never tried running threshold 
learning and adapting at the same time.  Shouldn't cause any problems 

Note that it might not be a good running spade-stats in a snort you 
are using for intrusion detection on a busy network.  While there is 
no penalty per-packet, it can take a while to write all the different 
conditional and unconditional probabilities out to the log file when 
it generates a report.  I should document this if I haven't already.


|*   Jim Hoagland, Associate Researcher, Silicon Defense    *|
|*               hoagland at ...60...                *|
|*              http://www.silicondefense.com/              *|
|*  Voice: (530) 756-7317              Fax: (707) 445-4222  *|

More information about the Snort-devel mailing list