[Snort-devel] CID re-use in database output plugin

Joel Esler eslerj at ...2499...
Fri Jun 19 14:31:08 EDT 2009


Top posting AND unified wars? Might as well start an OS debate in the same thread and get it all out of our systems now.

--
Sent from my iPhone

On Jun 19, 2009, at 2:01 PM, Jason Brvenik <jasonb at ...402...> wrote:

> /me adds vote while top posting. Last time I did this it turned into a
> religious debate so where does this one go?
>
> On Fri, Jun 19, 2009 at 1:33 PM, Nigel Houghton <nhoughton at ...402...> wrote:
>> On Fri, Jun 19, 2009 at 12:37 PM, Christopher
>> Schwerdt<Chris.Schwerdt at ...3049...> wrote:
>>> Hello,
>>>
>>> It appears there is a bug in the database output plugin where CID ID
>>> values will get reused, which causes a problem for me since I use BASE
>>> and an alert archive database.  It looks like there was an attempt to
>>> fix this by saving the last CID value into the sensor table, but this
>>> last CID value is never actually used when snort initializes the output
>>> plugin.  Instead, a query is run that runs a MAX(cid) in the event
>>> table.  I'm currently running Snort v2.8.4.1 built from source on Ubuntu
>>> 8.04.2 LTS x86, but I've confirmed this bug exists in HEAD by looking at
>>> the source.
>>>
>>> -Chris Schwerdt
>>>
>>> Steps to reproduce:
>>>        Start snort with the database output plugin and a clean database.
>>>        Log a few alerts to the database.  This should generate events
>>> with CID values of 1, 2, 3, etc.
>>>        Shut down snort.
>>>        Clear the alerts from all relevant tables (event, etc.)
>>>        View the last_cid column in the sensor table; the value will be
>>> set to the last cid used by Snort.
>>>        Start snort.
>>>        The next alert that gets logged should have a cid of last_cid+1
>>> from the sensors table, but it actually uses a cid of 1.
>>>
>>> Cause:
>>>        The bug is caused by the fact that Snort only uses the result of
>>> a MAX(cid) on the event table, instead of also checking the value of the
>>> last_cid and using whichever is larger.
>>>
>>> Simple patch (against CVS HEAD):
>>> --- spo_database.c 2009-06-18 12:17:16.000000000 -0600
>>> +++ spo_database.c 2009-06-18 12:27:46.000000000 -0600
>>> @@ -676,9 +676,12 @@
>>>                         data->shared->sid);
>>>            ErrorMessage("          Recovering by rolling forward the
>>> cid=%u\n",
>>>                         event_cid);
>>> +
>>> +           data->shared->cid = event_cid;
>>> +        } else {
>>> +           data->shared->cid = sensor_cid;
>>>         }
>>>
>>> -        data->shared->cid = event_cid;
>>>         ++(data->shared->cid);
>>>     }
>>>     else
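Review bot: the added `} else { data->shared->cid = sensor_cid; }` arm relies on an enclosing condition and a `sensor_cid` read that are both outside the visible hunk, so it should be confirmed that the branch is taken exactly when `event_cid` exceeds `sensor_cid`, and that `sensor_cid` is initialised to 0 when the sensor row has no last_cid (a NULL column); otherwise a fresh or half-populated sensor row becomes the starting cid instead of the event table's MAX(cid). The `event_cid` path reports the recovery via `ErrorMessage("          Recovering by rolling forward the cid=%u\n", event_cid)`, but the new `sensor_cid` path is silent; logging the chosen value there too would make a roll-forward from last_cid visible to the operator when the event table has been cleared.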
>>
>> I would like to see all output mechanisms other than unified, taken
>> out of snort completely.
>>
>> --
>> Nigel Houghton
>> Head Mentalist
>> SF VRT
>> http://vrt-sourcefire.blogspot.com && http://www.snort.org/vrt/
>>
>> --- 
>> --- 
>> --- 
>> ---------------------------------------------------------------------
>> Are you an open source citizen? Join us for the Open Source Bridge  
>> conference!
>> Portland, OR, June 17-19. Two days of sessions, one day of  
>> unconference: $250.
>> Need another reason to go? 24-hour hacker lounge. Register today!
>> http://ad.doubleclick.net/clk;215844324;13503038;v?http://opensourcebridge.org
>> _______________________________________________
>> Snort-devel mailing list
>> Snort-devel at lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/snort-devel
>>
>
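The reproduction steps and the cause described in Chris's report, walked through against an in-memory database. This is an added example written for this archive page, not Snort's own code or the patch above: it uses Python's sqlite3 instead of Snort's database plugin, the `sensor`, `event` and `event_archive` tables are constructed, simplified stand-ins for the real schema (only the columns the CID logic touches), and `event_archive` stands in for the alert archive BASE writes to before the live tables are cleared. `next_cid_buggy` implements the start-up query the report describes (MAX(cid) on the event table only); `next_cid_fixed` implements the patched behaviour (the larger of MAX(cid) and sensor.last_cid, plus one). The scenario returns the cid the restarted sensor would assign next and whether that cid already exists in the archive, which is the duplicate-key problem the report is about.

```python
import sqlite3

# Constructed, simplified versions of the Snort database schema's sensor and
# event tables: just enough columns to exercise the CID start-up logic.
SCHEMA = """
CREATE TABLE sensor (
    sid      INTEGER PRIMARY KEY,
    hostname TEXT,
    last_cid INTEGER NOT NULL DEFAULT 0
);
CREATE TABLE event (
    sid       INTEGER NOT NULL,
    cid       INTEGER NOT NULL,
    signature INTEGER NOT NULL,
    PRIMARY KEY (sid, cid)
);
-- constructed stand-in for the archive database BASE copies alerts into
CREATE TABLE event_archive (
    sid       INTEGER NOT NULL,
    cid       INTEGER NOT NULL,
    signature INTEGER NOT NULL,
    PRIMARY KEY (sid, cid)
);
INSERT INTO sensor (sid, hostname, last_cid) VALUES (1, 'sensor-a.example', 0);
"""


def open_db():
    """Fresh in-memory database with the constructed schema loaded."""
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    return con


def event_max_cid(con, sid):
    """MAX(cid) from the event table; 0 when the table is empty (MAX is NULL)."""
    (cid,) = con.execute(
        "SELECT COALESCE(MAX(cid), 0) FROM event WHERE sid = ?", (sid,)).fetchone()
    return cid


def sensor_last_cid(con, sid):
    """The last_cid the sensor row recorded at its previous shutdown."""
    (cid,) = con.execute(
        "SELECT last_cid FROM sensor WHERE sid = ?", (sid,)).fetchone()
    return cid


def next_cid_buggy(con, sid):
    """Start-up logic as reported: only the event table is consulted."""
    return event_max_cid(con, sid) + 1


def next_cid_fixed(con, sid):
    """Start-up logic as patched: larger of MAX(cid) and last_cid, plus one."""
    return max(event_max_cid(con, sid), sensor_last_cid(con, sid)) + 1


def log_alert(con, sid, cid, signature):
    """Insert one event and record its cid in the sensor row."""
    con.execute("INSERT INTO event (sid, cid, signature) VALUES (?, ?, ?)",
                (sid, cid, signature))
    con.execute("UPDATE sensor SET last_cid = ? WHERE sid = ?", (cid, sid))
    con.commit()


def archive_and_clear(con, sid):
    """The operator's archive step: copy events aside, then empty the live table."""
    con.execute("INSERT INTO event_archive "
                "SELECT sid, cid, signature FROM event WHERE sid = ?", (sid,))
    con.execute("DELETE FROM event WHERE sid = ?", (sid,))
    con.commit()


def run_scenario(next_cid, alerts=3):
    """Walk the reported steps with the given start-up rule.

    Returns (cid the restarted sensor assigns next, True if that cid already
    exists in the archive, i.e. the next archived alert would collide).
    """
    con = open_db()
    sid = 1
    cid = next_cid(con, sid)                 # first start, clean database
    for i in range(alerts):                  # log a few alerts: cid 1, 2, 3, ...
        log_alert(con, sid, cid, 1000 + i)   # constructed signature ids
        cid += 1
    archive_and_clear(con, sid)              # shut down, archive, clear tables
    restart_cid = next_cid(con, sid)         # start snort again
    (clash,) = con.execute(
        "SELECT COUNT(*) FROM event_archive WHERE sid = ? AND cid = ?",
        (sid, restart_cid)).fetchone()
    con.close()
    return restart_cid, clash > 0


if __name__ == "__main__":
    print("MAX(cid) only        :", run_scenario(next_cid_buggy))   # (1, True)
    print("max(MAX(cid), last_cid):", run_scenario(next_cid_fixed))  # (4, False)
```

With three alerts logged before the archive step, the reported rule restarts at cid 1 and collides with the archived copy of the first alert, while the patched rule restarts at 4 because last_cid still says 3 after the live event table has been emptied. The COALESCE in `event_max_cid` matters on a clean database, where MAX(cid) is NULL rather than 0.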



