[Snort-devel] CID re-use in database output plugin

Nigel Houghton nhoughton at ...402...
Fri Jun 19 13:33:19 EDT 2009


On Fri, Jun 19, 2009 at 12:37 PM, Christopher
Schwerdt <Chris.Schwerdt at ...3049...> wrote:
> Hello,
>
> It appears there is a bug in the database output plugin where CID ID
> values will get reused, which causes a problem for me since I use BASE
> and an alert archive database.  It looks like there was an attempt to
> fix this by saving the last CID value into the sensor table, but this
> last CID value is never actually used when snort initializes the output
> plugin.  Instead, a query is run that runs a MAX(cid) in the event
> table.  I'm currently running Snort v2.8.4.1 built from source on Ubuntu
> 8.04.2 LTS x86, but I've confirmed this bug exists in HEAD by looking at
> the source.
>
> -Chris Schwerdt
>
> Steps to reproduce:
>        Start snort with the database output plugin and a clean
> database.
>        Log a few alerts to the database.  This should generate events
> with CID values of 1, 2, 3, etc.
>        Shutdown snort.
>        Clear the alerts from all relevant tables (event, etc.)
>        View the last_cid column in the sensor table, the value will be
> set to the last cid used by Snort.
>        Start snort.
>        The next alert that gets logged should have a cid of last_cid+1
> from the sensors table, but it actually uses a cid of 1.
>
> Cause:
>        The bug is caused by the fact that Snort only uses the result of
> a MAX(cid) on the event table, instead of also checking the value of the
> last_cid and using whichever is larger.
>
> Simple patch (against CVS HEAD):
> --- spo_database.c 2009-06-18 12:17:16.000000000 -0600
> +++ spo_database.c 2009-06-18 12:27:46.000000000 -0600
> @@ -676,9 +676,12 @@
>                         data->shared->sid);
>            ErrorMessage("          Recovering by rolling forward the
> cid=%u\n",
>                         event_cid);
> +
> +           data->shared->cid = event_cid;
> +        } else {
> +           data->shared->cid = sensor_cid;
>         }
>
> -        data->shared->cid = event_cid;
>         ++(data->shared->cid);
>     }
>     else
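Review bot: the new `else` branch assigns `sensor_cid` without the enclosing `if` condition being visible in the hunk, so the patch as quoted does not let a reviewer confirm that the branch is taken exactly when `sensor_cid` is the larger of the two values; please include the lines with the condition above `@@ -676,9 +676,12 @@` in the diff (or state the condition in the description), since the correctness of "use whichever is larger" lives entirely there. The removed unconditional `data->shared->cid = event_cid;` is now replaced by an assignment in each branch, which is fine, and the shared `++(data->shared->cid);` still runs afterwards, so the clean-database case (both values 0) still yields a first cid of 1. Worth noting in the patch comment: on a freshly cleared event table, `MAX(cid)` yields NULL or 0 depending on the database, so the value in `event_cid` should be a plain 0 before it reaches this comparison.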

I would like to see all output mechanisms other than unified taken
out of snort completely.

-- 
Nigel Houghton
Head Mentalist
SF VRT
http://vrt-sourcefire.blogspot.com && http://www.snort.org/vrt/
