[Snort-devel] CID re-use in database output plugin

Jason Brvenik jasonb at ...402...
Fri Jun 19 14:01:39 EDT 2009


/me adds vote while top posting. Last time I did this it turned into a
religious debate so where does this one go?

On Fri, Jun 19, 2009 at 1:33 PM, Nigel Houghton <nhoughton at ...402...> wrote:
> On Fri, Jun 19, 2009 at 12:37 PM, Christopher
> Schwerdt <Chris.Schwerdt at ...3049...> wrote:
>> Hello,
>>
>> It appears there is a bug in the database output plugin where CID ID
>> values will get reused, which causes a problem for me since I use BASE
>> and an alert archive database.  It looks like there was an attempt to
>> fix this by saving the last CID value into the sensor table, but this
>> last CID value is never actually used when snort initializes the output
>> plugin.  Instead, a query is run that runs a MAX(cid) in the event
>> table.  I'm currently running Snort v2.8.4.1 built from source on Ubuntu
>> 8.04.2 LTS x86, but I've confirmed this bug exists in HEAD by looking at
>> the source.
>>
>> -Chris Schwerdt
>>
>> Steps to reproduce:
>>        Start snort with the database output plugin and a clean
>> database.
>>        Log a few alerts to the database.  This should generate events
>> with CID values of 1, 2, 3, etc.
>>        Shut down snort.
>>        Clear the alerts from all relevant tables (event, etc.)
>>        View the last_cid column in the sensor table, the value will be
>> set to the last cid used by Snort.
>>        Start snort.
>>        The next alert that gets logged should have a cid of last_cid+1
>> from the sensors table, but it actually uses a cid of 1.
>>
>> Cause:
>>        The bug is caused by the fact that Snort only uses the result of
>> a MAX(cid) on the event table, instead of also checking the value of the
>> last_cid and using whichever is larger.
>>
>> Simple patch (against CVS HEAD):
>> --- spo_database.c 2009-06-18 12:17:16.000000000 -0600
>> +++ spo_database.c 2009-06-18 12:27:46.000000000 -0600
>> @@ -676,9 +676,12 @@
>>                         data->shared->sid);
>>            ErrorMessage("          Recovering by rolling forward the
>> cid=%u\n",
>>                         event_cid);
>> +
>> +           data->shared->cid = event_cid;
>> +        } else {
>> +           data->shared->cid = sensor_cid;
>>         }
>>
>> -        data->shared->cid = event_cid;
>>         ++(data->shared->cid);
>>     }
>>     else
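Review bot: the new `else` branch makes the choice of `sensor_cid` depend on the enclosing `if` whose condition is outside the hunk; unless that condition is exactly `event_cid > sensor_cid`, the `else` path can assign a `sensor_cid` that is smaller than `event_cid` and the plugin will still hand out a cid that already exists in the event table. A form that does not depend on the guard is to keep the single assignment where the removed `data->shared->cid = event_cid;` stood and write it as `data->shared->cid = (event_cid > sensor_cid) ? event_cid : sensor_cid;`, leaving the roll-forward `ErrorMessage` block as diagnostics only. Separately, the patch as pasted has been line-wrapped by the mail client (the `ErrorMessage` string is split across `the` / `cid=%u\n`), so it will not apply with patch(1) in this form; attaching it as a file avoids that.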
>
> I would like to see all output mechanisms other than unified, taken
> out of snort completely.
>
> --
> Nigel Houghton
> Head Mentalist
> SF VRT
> http://vrt-sourcefire.blogspot.com && http://www.snort.org/vrt/
>
> _______________________________________________
> Snort-devel mailing list
> Snort-devel at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-devel
>
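The reproduction steps and the cause from Chris's report, as an added C simulation that is not part of this thread or of Snort's spo_database.c; the struct `db`, the functions `startup_cid_buggy`, `startup_cid_fixed`, `log_alert` and `reproduce` are this example's own names, and the database is modelled as in-memory values rather than real queries.

```c
/* Constructed simulation of the startup CID recovery discussed above; not
 * Snort code. The sensor row and the event table are a small struct, and
 * MAX(cid) on an empty event table is modelled as NULL (events_empty). */
#include <stdbool.h>

struct db {
    bool     events_empty;    /* SELECT MAX(cid) FROM event returned NULL */
    unsigned max_event_cid;   /* MAX(cid) when the table is not empty     */
    unsigned sensor_last_cid; /* sensor.last_cid, written on every alert  */
};

/* Pre-patch logic: next cid comes from MAX(cid) alone; last_cid is fetched
 * but never consulted, so a purged event table restarts at cid 1. */
unsigned startup_cid_buggy(const struct db *d)
{
    unsigned event_cid = d->events_empty ? 0 : d->max_event_cid;
    return event_cid + 1;
}

/* Patched logic: take the larger of MAX(cid) and sensor.last_cid, so both a
 * purge (last_cid ahead) and a stale sensor row (MAX(cid) ahead, the
 * "rolling forward" case in the patch) resume without reusing a cid. */
unsigned startup_cid_fixed(const struct db *d)
{
    unsigned event_cid = d->events_empty ? 0 : d->max_event_cid;
    unsigned base = event_cid > d->sensor_last_cid ? event_cid : d->sensor_last_cid;
    return base + 1;
}

/* One alert written to the database: an event row plus sensor.last_cid. */
static void log_alert(struct db *d, unsigned cid)
{
    d->events_empty = false;
    if (cid > d->max_event_cid) d->max_event_cid = cid;
    d->sensor_last_cid = cid;
}

/* The reporter's steps: clean database, three alerts, stop, clear the event
 * table, restart. Returns the cid the next alert would get. */
unsigned reproduce(unsigned (*startup_cid)(const struct db *))
{
    struct db d = { true, 0, 0 };
    unsigned cid = startup_cid(&d);   /* clean database: cid 1 */
    for (int i = 0; i < 3; i++)
        log_alert(&d, cid++);         /* cids 1, 2, 3 */
    d.events_empty = true;            /* event rows archived away, */
    d.max_event_cid = 0;              /* sensor.last_cid is still 3 */
    return startup_cid(&d);           /* buggy: 1 (reused), fixed: 4 */
}
```

With BASE and an archive database, the buggy path produces a second event row with sid/cid 1 after every purge, which is the collision the report describes.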