[Snort-devel] CID re-use in database output plugin

Christopher Schwerdt Chris.Schwerdt at ...3049...
Fri Jun 19 12:37:13 EDT 2009


Hello,

It appears there is a bug in the database output plugin where CID ID
values will get reused, which causes a problem for me since I use BASE
and an alert archive database.  It looks like there was an attempt to
fix this by saving the last CID value into the sensor table, but this
last CID value is never actually used when snort initializes the output
plugin.  Instead, a query is run that runs a MAX(cid) in the event
table.  I'm currently running Snort v2.8.4.1 built from source on Ubuntu
8.04.2 LTS x86, but I've confirmed this bug exists in HEAD by looking at
the source.

-Chris Schwerdt

Steps to reproduce:
	Start snort with the database output plugin and a clean database.
	Log a few alerts to the database.  This should generate events with CID values of 1, 2, 3, etc.
	Shut down snort.
	Clear the alerts from all relevant tables (event, etc.).
	View the last_cid column in the sensor table; the value will be set to the last cid used by Snort.
	Start snort.
	The next alert that gets logged should have a cid of last_cid+1 from the sensors table, but it actually uses a cid of 1.

Cause:
	The bug is caused by the fact that Snort only uses the result of
a MAX(cid) on the event table, instead of also checking the value of the
last_cid and using whichever is larger.

Simple patch (against CVS HEAD):
--- spo_database.c 2009-06-18 12:17:16.000000000 -0600
+++ spo_database.c 2009-06-18 12:27:46.000000000 -0600
@@ -676,9 +676,12 @@
                         data->shared->sid);
            ErrorMessage("          Recovering by rolling forward the
cid=%u\n",
                         event_cid);
+
+           data->shared->cid = event_cid;
+        } else {
+           data->shared->cid = sensor_cid;
         }

-        data->shared->cid = event_cid;
         ++(data->shared->cid);
     }
     else
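Review bot: the new else branch (`data->shared->cid = sensor_cid;`) is only correct if the `if` that guards the "Recovering by rolling forward" message is exactly the event_cid > sensor_cid comparison; that condition sits above the hunk, so a reader cannot tell whether the else case also covers a missing sensor row or an unset last_cid, in which case sensor_cid would need a known starting value before it is incremented by `++(data->shared->cid);`. Consider including the comparison in the context lines, or adding a one-line comment stating the invariant above the new assignment. Also, the mail client has wrapped the ErrorMessage string across two lines ("...rolling forward the" / "cid=%u\n"), so the patch will not apply with patch(1) as pasted; attaching it as a file would avoid that.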

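The reproduction steps above, modelled against an in-memory SQLite database (added example, not Snort's code or the poster's): the buggy recovery uses only MAX(cid) from the event table, the fixed one also consults sensor.last_cid. Table names and columns follow the post; that last_cid is written on every alert is an assumption of the model.

```python
"""Model of the CID recovery in Snort's database output plugin.

Constructed example: sensor(sid, last_cid) and event(sid, cid) stand in for
the real schema, and last_cid is assumed to be updated on every alert.
"""
import sqlite3


def setup_db():
    """Clean database with one sensor row, as in step 1 of the post."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE sensor (sid INTEGER PRIMARY KEY, last_cid INTEGER)")
    db.execute("CREATE TABLE event (sid INTEGER, cid INTEGER, PRIMARY KEY (sid, cid))")
    db.execute("INSERT INTO sensor VALUES (1, 0)")
    return db


def max_event_cid(db, sid):
    """MAX(cid) over the event table, 0 when the table is empty."""
    (cid,) = db.execute(
        "SELECT COALESCE(MAX(cid), 0) FROM event WHERE sid = ?", (sid,)).fetchone()
    return cid


def recover_cid_buggy(db, sid):
    """Pre-patch behaviour: the event table alone decides the next cid."""
    return max_event_cid(db, sid) + 1


def recover_cid_fixed(db, sid):
    """Post-patch behaviour: the larger of MAX(cid) and sensor.last_cid."""
    (sensor_cid,) = db.execute(
        "SELECT last_cid FROM sensor WHERE sid = ?", (sid,)).fetchone()
    return max(max_event_cid(db, sid), sensor_cid) + 1


def log_alert(db, sid, cid):
    """Insert one event and persist last_cid (assumed to happen per alert)."""
    db.execute("INSERT INTO event VALUES (?, ?)", (sid, cid))
    db.execute("UPDATE sensor SET last_cid = ? WHERE sid = ?", (cid, sid))


def reproduce(recover):
    """Run the post's steps and return the cid handed out after the restart."""
    db = setup_db()
    cid = recover(db, 1)                 # fresh start: cid 1
    for _ in range(3):                   # log alerts with cid 1, 2, 3
        log_alert(db, 1, cid)
        cid += 1
    db.execute("DELETE FROM event")      # alerts archived while Snort is down
    return recover(db, 1)                # restart and recover the counter


if __name__ == "__main__":
    print(reproduce(recover_cid_buggy))  # 1: cid reused, BASE archive collides
    print(reproduce(recover_cid_fixed))  # 4: last_cid + 1
```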