[Snort-devel] Barnyard seg faulting

Poppi, Sandro Sandro.Poppi at ...1204...
Tue Mar 19 08:14:04 EST 2002


> I'm trying to set up barnyard 0.1.0-beta4 (latest I found on snort.org)
> and snort-1.8.4 build 99 on RedHat Linux 7.2 (Intel), barnyard compiled
> with mysql support.
> 
> Snort is set up with the following unified output processors:
> output alert_unified: filename snort.alert, limit 128
> output log_unified: filename snort.log, limit 128
> 
> The barnyard configuration looks like this:
> processor dp_alert
> processor dp_stream_stat
> output alert_syslog: LOG_AUTH LOG_ALERT LOG_PID
> output alert_acid_db: mysql, sensor_id 9, database snort, server ids01,
> user snort, password xxxxx, detail full
> output log_acid_db: mysql, sensor_id 9, database snort, server ids01, user
> snort, password xxxxxx, detail full
> 
> When running barnyard with
> 
> barnyard  -c /etc/snort/barnyard.conf  -d /var/log/snort -g
> /etc/snort/gen-msg.map -s /etc/snort/sid-msg.map  -f snort.alert
> 
> I get
> 
   --== Initializing Barnyard ==--

-*> Barnyard! <*-
Version 0.1.0-beta4 (Build 5)
By Martin Roesch (roesch at ...402..., www.snort.org)
and Andrew R. Baker (andrewb at ...81...)

Loading Data Processors...
dp_alert loaded
dp_log loaded
dp_stream_stat loaded
Loading Built-in Output Plugins...
Fast Alert plugin initialized
AlertSyslog initialized
Log Dump plugin initialized
LogPcap initialized
AcidDb output plugin initialized
Parsing Config file: /etc/snort/barnyard.conf
Args: mysql, sensor_id 9, database snort, server ids01, user snort, password
xxxx, detail full
Args: mysql, sensor_id 9, database snort, server ids01, user snort, password
xxxx, detail full

   --== Initialization Complete ==--

AcidDbOpStart
MysqlSelectAsUInt: Starting with parameters mysql = 0x80e1648, sql = SELECT
max(cid) FROM event WHERE sid='9'
MysqlSelectAsUInt: Call to mysql_query OK
MysqlSelectAsUInt: Call to mysql_store_result OK: 0x80e4490
cid == 193
AcidDbOpStart Complete
AcidDbOpAlert: Calling AcidDbGetSigId
AcidDbGetSigId: SELECT sig_id FROM signature WHERE sig_name='ICMP
Destination Unreachable (Port Unreachable)' AND sig_rev=0 AND sig_sid=402
MysqlSelectAsUInt: Starting with parameters mysql = 0x80e1648, sql = SELECT
sig_id FROM signature WHERE sig_name='ICMP Destination Unreachable (Port
Unreachable)' AND sig_rev=0 AND sig_sid=402
MysqlSelectAsUInt: Call to mysql_query OK
MysqlSelectAsUInt: Call to mysql_store_result OK: 0x80e7678
SelectAsUInt successful
SQL: INSERT INTO event(sid, cid, signature, timestamp) VALUES('9', '194',
'1', '2002-03-19 15:17:58')
SQL: INSERT INTO iphdr(sid, cid, ip_src, ip_dst, ip_proto) VALUES('9',
'194', '3140162241', '103486145', '1')
SQL: INSERT INTO icmphdr (sid, cid, icmp_type, icmp_code) VALUES('9', '194',
'3', '3')
SQL: Inserting finished!
AcidDbOpAlert: Calling AcidDbGetSigId
AcidDbGetSigId: SELECT sig_id FROM signature WHERE sig_name='ICMP
Destination Unreachable (Port Unreachable)' AND sig_rev=0 AND sig_sid=402
MysqlSelectAsUInt: Starting with parameters mysql = 0x80e1648, sql = SELECT
sig_id FROM signature WHERE sig_name='ICMP Destination Unreachable (Port
Unreachable)' AND sig_rev=0 AND sig_sid=402
Segmentation fault

I added a couple of LogMessage calls to find out where the error comes from: when
barnyard is configured with alert_acid_db, the segfault occurs in
op_acid_db.c, within the function MysqlSelectAsUInt, when calling mysql_query:

    /* op_acid_db.c, MysqlSelectAsUInt(): the call that never returns */
    if(mysql_query(mysql, sql) != 0)
    {
        FatalError("Error (%s) executing query: %s\n", mysql_error(mysql), sql);
        return -1;
    }


This was produced with mysql 3.23.41 shipped with RedHat 7.2.

> Any hint is greatly appreciated!
> 
> TIA,
> Sandro
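As an added example (not code from the original post and not part of Barnyard or Snort), the following Python script walks the kind of op_acid_db.c debug trace quoted above and reports which MysqlSelectAsUInt call was in flight when the process died, how far that call got (before mysql_query returned, after mysql_query, after mysql_store_result, or completed), whether every call used the same MYSQL handle, and how many times the same lookup was issued. The embedded trace is a constructed, re-joined copy of the wrapped lines in the message; the regular expressions assume the exact message formats shown there.

```python
"""Locate the in-flight query in a Barnyard op_acid_db.c debug trace.

Added example; the trace below is a constructed, re-joined copy of the
output quoted in the mailing-list message and is not a live capture.
"""
import re

SAMPLE_TRACE = """\
AcidDbOpStart
MysqlSelectAsUInt: Starting with parameters mysql = 0x80e1648, sql = SELECT max(cid) FROM event WHERE sid='9'
MysqlSelectAsUInt: Call to mysql_query OK
MysqlSelectAsUInt: Call to mysql_store_result OK: 0x80e4490
cid == 193
AcidDbOpStart Complete
AcidDbOpAlert: Calling AcidDbGetSigId
MysqlSelectAsUInt: Starting with parameters mysql = 0x80e1648, sql = SELECT sig_id FROM signature WHERE sig_name='ICMP Destination Unreachable (Port Unreachable)' AND sig_rev=0 AND sig_sid=402
MysqlSelectAsUInt: Call to mysql_query OK
MysqlSelectAsUInt: Call to mysql_store_result OK: 0x80e7678
SelectAsUInt successful
SQL: INSERT INTO event(sid, cid, signature, timestamp) VALUES('9', '194', '1', '2002-03-19 15:17:58')
SQL: Inserting finished!
AcidDbOpAlert: Calling AcidDbGetSigId
MysqlSelectAsUInt: Starting with parameters mysql = 0x80e1648, sql = SELECT sig_id FROM signature WHERE sig_name='ICMP Destination Unreachable (Port Unreachable)' AND sig_rev=0 AND sig_sid=402
Segmentation fault
"""

# Message formats as they appear in the quoted trace (assumed stable).
START_RE = re.compile(
    r"^MysqlSelectAsUInt: Starting with parameters mysql = (0x[0-9a-f]+), sql = (.*)$")
STEP_RE = re.compile(
    r"^MysqlSelectAsUInt: Call to (mysql_query|mysql_store_result) OK")
DONE_LINE = "SelectAsUInt successful"


def stage(call):
    """Human-readable name for how far a MysqlSelectAsUInt call progressed."""
    if call["done"]:
        return "completed"
    if call["store_ok"]:
        return "after mysql_store_result"
    if call["query_ok"]:
        return "after mysql_query"
    return "in mysql_query"  # no 'Call to mysql_query OK' was ever logged


def analyze(trace):
    """Track every MysqlSelectAsUInt call and report the one in flight at the crash."""
    calls = []
    current = None
    crashed = False
    for line in trace.splitlines():
        m = START_RE.match(line)
        if m:
            # A new call starts; a previous call that never logged DONE_LINE
            # (e.g. the max(cid) lookup) simply stays recorded as incomplete.
            current = {"handle": m.group(1), "sql": m.group(2),
                       "query_ok": False, "store_ok": False, "done": False}
            calls.append(current)
            continue
        m = STEP_RE.match(line)
        if m and current is not None:
            key = "query_ok" if m.group(1) == "mysql_query" else "store_ok"
            current[key] = True
            continue
        if line == DONE_LINE and current is not None:
            current["done"] = True
            current = None
            continue
        if line.startswith("Segmentation fault"):
            crashed = True
            break

    in_flight = current if crashed else None
    return {
        "crashed": crashed,
        "calls": len(calls),
        "single_handle": len({c["handle"] for c in calls}) == 1,
        "in_flight_sql": in_flight["sql"] if in_flight else None,
        "in_flight_stage": stage(in_flight) if in_flight else None,
        # How often the crashing statement was issued over the whole trace:
        # the same signature lookup runs once per alert, with no caching.
        "in_flight_sql_repeats": (
            sum(1 for c in calls if c["sql"] == in_flight["sql"]) if in_flight else 0),
    }


if __name__ == "__main__":
    report = analyze(SAMPLE_TRACE)
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run against the quoted trace it shows three MysqlSelectAsUInt calls on the same handle 0x80e1648, with the crash occurring inside mysql_query on the second issue of the sig_id lookup, which is consistent with the LogMessage placement described in the message; the script only pins down where in the trace the crash falls, not why mysql_query faults.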
