[Snort-devel] NULL event

Joe McAlerney joey at ...60...
Thu Jul 19 14:20:52 EDT 2001


I ran into a seg fault in spo_database where it tries to reference
event->sig_rev where event is NULL.

(gdb) f
#0  0x805d6f3 in Database (p=0x0, 
    msg=0xbfffecf0 "spp_anomsensor: Threshold adjusted to 12.4086 after
0 alerts (of 803)", arg=0x81245a8, event=0x0) at spo_database.c:549
549	       if ( event->sig_rev == 0 ) 
(gdb) info args
p = (Packet *) 0x0
msg = 0xbfffecf0 "spp_anomsensor: Threshold adjusted to 12.4086 after 0
alerts (of 803)"
arg = (void *) 0x81245a8
event = (Event *) 0x0
(gdb) list 549
544	
545	       /* Write the signature information 
546	        *  - Determine the ID # of the signature of this alert 
547	        */
548	       select0 = (char *) malloc (MAX_QUERY_LENGTH+1);
549	       if ( event->sig_rev == 0 ) 
550	          snprintf(select0, MAX_QUERY_LENGTH, 
551	                   "SELECT sig_id FROM signature WHERE sig_name =
'%s' AND"
552	                   " sig_rev is NULL", msg);
553	       else

So, Spade is not sending an Event object, and spo_database does not
check for that before dereferencing it.  Should the function return
early if a preprocessor does not pass an Event?  I'm not sure, so I'll
leave it.

Attached are some diffs for Spade that adds Event support.  This is
taken from:

-*> Snort! <*-
Version 1.8-RELEASE (Build 43)

-Joe M.

-- 
|   Joe McAlerney     joey at ...63...   |
| Silicon Defense - Technical Support for Snort |
|       http://www.silicondefense.com/          |
+--                                           --+
-------------- next part --------------
--- ./snort/spp_anomsensor.c	Sun Jun 10 22:49:28 2001
+++ ./snort.blah/spp_anomsensor.c	Thu Jul 19 11:12:12 2001
@@ -236,6 +236,8 @@
 /* Spade core routine that is called with each packet */
 void PreprocSpade(Packet *p)
 {
+        Event event;
+
 	if (record_maybe_skip(p)) return;
 	/* accepted packets only past here; anom score is last_anom_score */
 	
@@ -244,7 +246,10 @@
 		alert_count++;
 		recent_alert_count++;
 		sprintf(logMessage,"spp_anomsensor: Anomaly threshold exceeded: %.4f",last_anom_score);
-		(*AlertFunc)(p, logMessage, NULL, NULL);
+                SetEvent(&event, GENERATOR_SPP_SPADE, 
+                                 SPADE_ANOM_THRESHOLD_EXCEEDED, 1, 0, 0, 0);
+                CallAlertFuncs(p , logMessage, NULL, &event);
+		/* (*AlertFunc)(p, logMessage, NULL, NULL); */
 	}
 }	
 
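Review bot: The superseded `(*AlertFunc)(p, logMessage, NULL, NULL);` call is kept as a comment under the new `CallAlertFuncs` line, here and again in the `set_new_threshold` hunk; the diff already records the old call, so both commented lines can be deleted. The added lines are indented with spaces while the surrounding body uses tabs, which in `set_new_threshold` makes the `SetEvent`/`CallAlertFuncs` pair look nested although it sits at function level. The trailing `1, 0, 0, 0` passed to `SetEvent` are bare positional literals, so a one-line comment above the call naming what each position carries would let a reader check them against the prototype. The `if` block these lines belong to opens outside the hunk.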
@@ -1638,10 +1643,14 @@
 
 void set_new_threshold(double t) {
 	char logMessage[85];
-	
+	Event event;
+
 	report_anom_thres= t;
 	sprintf(logMessage,"spp_anomsensor: Threshold adjusted to %.4f after %d alerts (of %d)",report_anom_thres,recent_alert_count,recent_packets);
-	(*AlertFunc)(NULL, logMessage, NULL, NULL);
+                SetEvent(&event, GENERATOR_SPP_SPADE, 
+                                 SPADE_ANOM_THRESHOLD_ADJUSTED, 1, 0, 0, 0);
+                CallAlertFuncs(NULL , logMessage, NULL, &event);
+		/* (*AlertFunc)(NULL, logMessage, NULL, NULL); */
 }
 
 /**********************************************************
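Review bot: `logMessage` is 85 bytes and is still filled with an unbounded `sprintf`, and that buffer is now handed to every registered alert function through `CallAlertFuncs`. The fixed text of the format is 58 characters, which leaves 26 for the `%.4f` and the two `%d` conversions, and `%.4f` has no upper bound on its width, so a large threshold or large counters would write past the array (whether `t` can grow that far is not visible here). Bound the write with `snprintf(logMessage, sizeof(logMessage), "spp_anomsensor: Threshold adjusted to %.4f after %d alerts (of %d)", report_anom_thres, recent_alert_count, recent_packets);`. The `sprintf` in the `PreprocSpade` hunk has the same shape, but its buffer is declared outside the diff.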

