[Snort-users] Snort 1.7 and SPADE crash
hoagland at ...47...
Sat Mar 10 12:06:00 EST 2001
At 11:16 AM +0100 3/10/01, Ralf Hildebrandt wrote:
>On Thu, Mar 08, 2001 at 01:11:25PM +0100, Ralf Hildebrandt wrote:
>> I've been trying that combination for 2 days now on HP-UX 10.20, and snort
>> crashes about once per day. For now, I only have a shitty coredump which
>> doesn't provide much data since snort was not compiled using -g, but alas:
>And today with -g and the latest CVS tarball:
>#0 0x1c920 in SyslogAlert (p=0x7b03a768, msg=0x7b03ac28 "spp_anomsensor: Anomaly threshold exceeded: 5.9123", arg=0x0)
>    at log.c:930
>(gdb) inspect p
>$1 = (Packet *) 0x7b03a768
>(gdb) inspect p->iph
>$2 = (IPHdr *) 0x0
Interesting, there seem to be two problems here. The first is that
the SyslogAlert() didn't test to see if p->iph is NULL. The second
is that Spade should be ignoring the packet if it is, since it only
looks at TCP SYN packets.
skip_packet = p->iph == NULL || p->tcph == NULL
    || p->iph->ip_proto != IPPROTO_TCP
    || p->tcph->th_flags != 2; /* is this a TCP SYN? */
Do you have any other alert plugins running, besides syslog? If so,
can you check to see whether it successfully printed any alerts with
the message "spp_anomsensor: Anomaly threshold exceeded: 5.9123"?
(It would be the last before the core dump). This should tell us if
p->iph was NULL when it got to them.
If not, then I'll need to dig through the Spade code to figure out how it
came to accept a packet with p->iph NULL, or how p->iph got munged
while it was running.
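As an added illustration of the two fixes discussed above (this is example code written for this thread, not Snort's or Spade's own source), the following C turns the quoted skip_packet test into a function and pairs it with a SyslogAlert-style formatter that checks p->iph before dereferencing it. The Packet, IPHdr and TCPHdr structs are assumed, cut down to the fields the check touches; the sample headers at the bottom are constructed, not captured traffic.

```c
#include <stdio.h>
#include <stdint.h>
#include <stddef.h>
#include <netinet/in.h>   /* IPPROTO_TCP, IPPROTO_UDP */

/* Minimal stand-ins for Snort's Packet, IPHdr and TCPHdr. These are assumed
 * shapes, reduced to the fields the thread's skip test touches; the real
 * structs carry many more. */
typedef struct { uint8_t ip_proto; uint32_t ip_src; uint32_t ip_dst; } IPHdr;
typedef struct { uint16_t th_sport; uint16_t th_dport; uint8_t th_flags; } TCPHdr;
typedef struct { IPHdr *iph; TCPHdr *tcph; } Packet;

#define TH_SYN 0x02
#define TH_ACK 0x10

/* The skip_packet test quoted in the thread, as a function. Spade only
 * scores TCP packets whose flag byte is exactly SYN; a packet without an IP
 * or TCP header, a non-TCP packet, or any other flag combination is skipped.
 * The NULL tests come first so the later dereferences are safe. */
int spade_skip_packet(const Packet *p)
{
    return p == NULL || p->iph == NULL || p->tcph == NULL
        || p->iph->ip_proto != IPPROTO_TCP
        || p->tcph->th_flags != TH_SYN;
}

/* A SyslogAlert-style formatter that checks p->iph before touching it.
 * Returns 0 when the alert line was written with addresses, -1 when the
 * packet carries no IP header (the condition the backtrace shows); in that
 * case the message is still logged, just without addresses, instead of
 * dereferencing NULL. */
int syslog_alert_format(const Packet *p, const char *msg, char *out, size_t outlen)
{
    if (p == NULL || p->iph == NULL) {
        snprintf(out, outlen, "%s [no IP header]", msg);
        return -1;
    }
    if (p->iph->ip_proto == IPPROTO_TCP && p->tcph != NULL) {
        snprintf(out, outlen, "%s {TCP} 0x%08x:%u -> 0x%08x:%u", msg,
                 (unsigned)p->iph->ip_src, p->tcph->th_sport,
                 (unsigned)p->iph->ip_dst, p->tcph->th_dport);
    } else {
        snprintf(out, outlen, "%s {proto %u} 0x%08x -> 0x%08x", msg,
                 p->iph->ip_proto, (unsigned)p->iph->ip_src,
                 (unsigned)p->iph->ip_dst);
    }
    return 0;
}

/* Convenience wrapper: run the alert path and report only its status. */
int alert_status(const Packet *p)
{
    char line[128];
    return syslog_alert_format(p, "spp_anomsensor: Anomaly threshold exceeded: 5.9123",
                               line, sizeof line);
}

/* Constructed sample headers, not real traffic. */
static IPHdr ip_tcp = { IPPROTO_TCP, 0x0a000001u, 0x0a000002u };
static IPHdr ip_udp = { IPPROTO_UDP, 0x0a000001u, 0x0a000002u };
static TCPHdr tcp_syn = { 40000, 80, TH_SYN };
static TCPHdr tcp_synack = { 80, 40000, TH_SYN | TH_ACK };

int main(void)
{
    Packet samples[] = {
        { &ip_tcp, &tcp_syn },     /* TCP SYN: scored, alert carries addresses */
        { &ip_tcp, &tcp_synack },  /* SYN/ACK: skipped by Spade */
        { &ip_udp, NULL },         /* UDP: skipped by Spade */
        { NULL, NULL },            /* no IP header: skipped, and must not crash */
    };
    char line[128];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int skip = spade_skip_packet(&samples[i]);
        int rc = syslog_alert_format(&samples[i],
                 "spp_anomsensor: Anomaly threshold exceeded: 5.9123",
                 line, sizeof line);
        printf("sample %zu: skip=%d alert_rc=%d line=\"%s\"\n", i, skip, rc, line);
    }
    return 0;
}
```

The fourth sample reproduces the state in the backtrace (p->iph == NULL): the skip test rejects it before Spade would score it, and even if an alert were raised anyway, the formatter returns -1 and logs the message without addresses rather than dereferencing the NULL header.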