[Snort-devel] Branyard crash

Andrew R. Baker andrewb at ...835...
Tue Nov 20 09:21:06 EST 2001


Steve Halligan wrote:
> 
> Below is barnyard output from a crash I have been getting alot lately.  I
> cut out a bunch of cruft and left a representive sample of the output,
> including the crash.  I can provide the unified snort log also, but it is
> ~7mb so I didn't want to send it to the list.
> 

Well, it's not a crash since it is exiting gracefully.  The problem here
is that the db code is not very fault tolerant yet and it will exit on
error.  In this particular case, it is trying to insert a packet payload
that is much too large to fit into the schema.  There are two choices
for the "correct" behaviour:  (a) do not store the payload into the db
if it is larger than the max column size, or (b) truncate the payload. 
The next version of the database code will be adding a lot of fault
tolerance and will also address this issue.

-Andrew




More information about the Snort-devel mailing list