[Snort-devel] Snort bug report

Roman Danyliw roman at ...49...
Mon Oct 15 14:50:04 EDT 2001


As you had suggested, Snort failed to write to the database (given
a valid SQL statement), causing it to die.  The SIGPIPE would indicate that
something happened to the socket over which Snort was communicating with
MySQL outside of the application logic.

Snort communication with the database is as follows: start up Snort, get a
handle to the database, log alerts (repeat indefinitely), close handle
when Snort is terminated. Any chance the socket between the two was
forcefully closed by some other application?  (If used) was the domain
socket file deleted?  Was the mysql server restarted while Snort was
connected?

Roman

On Mon, 15 Oct 2001, Jose Luis Araujo wrote:

[snip]

> Program received signal SIGPIPE, Broken pipe.
> 0x40110004 in write () from /lib/libc.so.6
> (gdb) bt
> #0  0x40110004 in write () from /lib/libc.so.6
> #1  0x4007a3e4 in __DTOR_END__ ()
>    from /usr/local/mysql/lib/mysql/libmysqlclient.so.10
> #2  0x40068b59 in net_real_write ()
>    from /usr/local/mysql/lib/mysql/libmysqlclient.so.10
> #3  0x400693f3 in net_write_command ()
>    from /usr/local/mysql/lib/mysql/libmysqlclient.so.10
> #4  0x40064e6b in simple_command ()
>    from /usr/local/mysql/lib/mysql/libmysqlclient.so.10
> #5  0x40067fbc in mysql_real_query ()
>    from /usr/local/mysql/lib/mysql/libmysqlclient.so.10
> #6  0x40067f38 in mysql_query ()
>    from /usr/local/mysql/lib/mysql/libmysqlclient.so.10
> #7  0x8060d9a in Select (
>     query=0x84eb998 "SELECT sig_id FROM signature WHERE sig_name =
> 'WEB-MISC readme.eml autoload attempt' AND  sig_rev = 3 ",
> data=0x80fba18)
>     at spo_database.c:1346
> #8  0x805fcc4 in Database (p=0xbffff0e8,
>     msg=0x8487838 "WEB-MISC readme.eml autoload attempt", arg=0x80fba18,
>
>     event=0x84875b4) at spo_database.c:627
> #9  0x8056f35 in CallAlertFuncs (p=0xbffff0e8,
>     message=0x8487838 "WEB-MISC readme.eml autoload attempt",
> head=0x80a1a98,
>     event=0x84875b4) at rules.c:3534
> #10 0x805801a in AlertAction (p=0xbffff0e8, otn=0x8486d90,
> event=0x84875b4)
>     at rules.c:4942
> #11 0x8057297 in EvalHeader (rtn_idx=0x8105358, p=0xbffff0e8) at
> rules.c:3798
> #12 0x805714c in EvalPacket (List=0x80a1a98, mode=2, p=0xbffff0e8)
>     at rules.c:3697
> #13 0x8056fd0 in Detect (p=0xbffff0e8) at rules.c:3590
> #14 0x8056db3 in Preprocess (p=0xbffff0e8) at rules.c:3432
> #15 0x804aa40 in ProcessPacket (user=0x0, pkthdr=0xbffff598,
> pkt=0x80d4f92 "")
>     at snort.c:534
> #16 0x807bfb2 in pcap_read ()
> #17 0x807c86c in pcap_loop ()
> #18 0x804c1ab in InterfaceThread (arg=0x0) at snort.c:1561
> #19 0x804a914 in main (argc=12, argv=0xbffff754) at snort.c:467
>
> **Notes
>
> It seems that it stopped because it couldn't write to mysql, but the
> mysql daemon is still working and snort restarted without problem.
>





