[Snort-users] Snort 1.7 and SPADE crash
Ralf.Hildebrandt at ...821...
Mon Mar 12 11:03:52 EST 2001
On Sat, Mar 10, 2001 at 09:06:00AM -0800, James Hoagland wrote:
> Interesting, there seem to be two problems here. The first is that
> the SyslogAlert() didn't test to see if p->iph is NULL. The second
> is that Spade should be ignoring the packet if it is, since it only
> looks at TCP SYN packets.
> skip_packet= p->iph == NULL || p->tcph == NULL || p->iph->ip_proto
> != IPPROTO_TCP || p->tcph->th_flags != 2; /* is this a TCP SYN? */
> Do you have any other alert plugins running, besides syslog? If so,
> can you check to see whether it successfully printed any alerts with
> the message "spp_anomsensor: Anomaly threshold exceeded: 5.9123"?
> (It would be the last before the core dump). This should tell us if
> p->iph was NULL when it got to them.
> If not, then I'll need to dig through the Spade code to figure how it
> came to accept a packet with p->iph NULL, or how p->iph got munged
> while it was running.
Fyodor's fix seems to have fixed the problem: snort has been running for
over a day now, SPADE can save & load its survey data, and no crashes.
ralf.hildebrandt at ...821...
System Engineer innominate AG
Diplom-Informatiker the linux architects
tel: +49.30.308806-62 fax: -698 www.innominate.com
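
The two checks discussed in this thread, as an added example that is not part of the original message and is not Snort or Spade source code: a detector-side filter that tests the header pointers before reading through them, and an alert formatter that tolerates a packet with no IP header. The struct layouts, `format_alert()` and the sample packets are hypothetical stand-ins built for illustration.

```c
#include <stdio.h>
#include <stdint.h>
#include <stddef.h>

/* Hypothetical cut-down stand-ins for Snort's packet structures; only the
   fields named in the thread (iph, tcph, ip_proto, th_flags) are modelled. */
typedef struct { uint8_t ip_proto; uint32_t ip_src, ip_dst; } IPHdr;
typedef struct { uint8_t th_flags; } TCPHdr;
typedef struct { IPHdr *iph; TCPHdr *tcph; } Packet;

#define PROTO_TCP 6    /* numeric value of IPPROTO_TCP */
#define FLAG_SYN  0x02 /* the "2" in the quoted test: SYN and nothing else */

/* Detector-side filter: the NULL tests come first, so || short-circuits
   before either header pointer is dereferenced. Returns 1 to skip. */
int skip_packet(const Packet *p)
{
    return p->iph == NULL || p->tcph == NULL ||
           p->iph->ip_proto != PROTO_TCP || p->tcph->th_flags != FLAG_SYN;
}

/* Alert-side guard: the output routine does not trust that every caller
   filtered correctly. Returns 1 if addresses were written, 0 if the packet
   had no IP header and only the message was written. */
int format_alert(const Packet *p, const char *msg, char *buf, size_t len)
{
    if (p->iph == NULL) {
        snprintf(buf, len, "%s", msg);
        return 0;
    }
    unsigned s = p->iph->ip_src, d = p->iph->ip_dst; /* host byte order */
    snprintf(buf, len, "%s: %u.%u.%u.%u -> %u.%u.%u.%u", msg,
             s >> 24, (s >> 16) & 255, (s >> 8) & 255, s & 255,
             d >> 24, (d >> 16) & 255, (d >> 8) & 255, d & 255);
    return 1;
}

int main(void)
{
    IPHdr ip = { PROTO_TCP, 0x0A000001u, 0x0A000002u }; /* constructed */
    TCPHdr syn = { FLAG_SYN };
    Packet nonip = { NULL, NULL }, tcp = { &ip, &syn };
    char buf[96];
    format_alert(&nonip, "anomaly", buf, sizeof buf);
    printf("skip=%d %s\n", skip_packet(&nonip), buf);
    format_alert(&tcp, "anomaly", buf, sizeof buf);
    printf("skip=%d %s\n", skip_packet(&tcp), buf);
    return 0;
}
```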