[Snort-users] Snort 1.7 and SPADE crash

James Hoagland hoagland at ...47...
Sat Mar 10 12:06:00 EST 2001


At 11:16 AM +0100 3/10/01, Ralf Hildebrandt wrote:
>On Thu, Mar 08, 2001 at 01:11:25PM +0100, Ralf Hildebrandt wrote:
>>  I've been trying that combination for 2 days now on HP-UX 10.20, and snort
>>  crashes about once per day. For now, I only have a shitty coredump which
>>  doesn't provide much data since snort was not compiled using -g, but alas:
>
>And today with -g and the latest CVS tarball:
>...
>#0  0x1c920 in SyslogAlert (p=0x7b03a768, msg=0x7b03ac28 "spp_anomsensor:
>Anomaly threshold exceeded: 5.9123", arg=0x0)
>     at log.c:930
...
>(gdb) inspect p
>$1 = (Packet *) 0x7b03a768
>(gdb) inspect p->iph
>$2 = (IPHdr *) 0x0

Interesting, there seem to be two problems here.  The first is that 
the SyslogAlert() didn't test to see if p->iph is NULL.  The second 
is that Spade should be ignoring the packet if it is, since it only 
looks at TCP SYN packets.

   skip_packet= p->iph == NULL || p->tcph == NULL ||
                p->iph->ip_proto != IPPROTO_TCP ||
                p->tcph->th_flags != 2;  /* is this a TCP SYN? */


Do you have any other alert plugins running, besides syslog?  If so, 
can you check to see whether it successfully printed any alerts with 
the message "spp_anomsensor: Anomaly threshold exceeded: 5.9123"? 
(It would be the last before the core dump).  This should tell us if 
p->iph was NULL when it got to them.

If not, then I'll need to dig through the Spade code to figure out how it 
came to accept a packet with p->iph NULL, or how p->iph got munged 
while it was running.

Thanks,

   Jim
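
Added example (not part of the original message, and not Snort or Spade source): a C sketch of the two guards discussed above, the short-circuit skip test and an alert formatter that does not dereference a NULL p->iph. The struct layouts, the ip_src field, and the format_alert() helper are simplified assumptions for illustration.

```c
#include <stdio.h>
#include <stddef.h>
#include <stdint.h>
#include <netinet/in.h>   /* IPPROTO_TCP */

/* Simplified stand-ins for illustration; not Snort's real structures. */
typedef struct { uint8_t ip_proto; uint32_t ip_src; } IPHdr;
typedef struct { uint8_t th_flags; } TCPHdr;
typedef struct { IPHdr *iph; TCPHdr *tcph; } Packet;

/* The predicate from the mail, plus a test on p itself. The NULL tests come
 * first, so || short-circuits before any header field is read. */
static int skip_packet(const Packet *p)
{
    return p == NULL || p->iph == NULL || p->tcph == NULL ||
           p->iph->ip_proto != IPPROTO_TCP ||
           p->tcph->th_flags != 2;          /* 2 == SYN only */
}

/* Hypothetical alert formatter: falls back to the bare message when there is
 * no IP header instead of dereferencing p->iph.
 * Returns 0 if the header was used, 1 if the fallback path was taken. */
static int format_alert(const Packet *p, const char *msg, char *out, size_t len)
{
    const char *m = msg ? msg : "(no message)";

    if (p == NULL || p->iph == NULL) {
        snprintf(out, len, "%s", m);
        return 1;
    }
    snprintf(out, len, "%s: src=0x%08x proto=%u", m,
             (unsigned)p->iph->ip_src, (unsigned)p->iph->ip_proto);
    return 0;
}

int main(void)
{
    char buf[128];
    TCPHdr syn = { 2 };
    IPHdr ip = { IPPROTO_TCP, 0x0a000001 };   /* constructed sample values */
    Packet good = { &ip, &syn };
    Packet no_ip = { NULL, &syn };            /* iph NULL, as in the gdb output */

    printf("skip good=%d no_ip=%d\n", skip_packet(&good), skip_packet(&no_ip));
    format_alert(&no_ip, "spp_anomsensor: Anomaly threshold exceeded", buf, sizeof buf);
    puts(buf);
    return 0;
}
```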





