[Snort-users] Snort 1.7 and SPADE crash

Ralf Hildebrandt Ralf.Hildebrandt at ...821...
Mon Mar 12 11:03:52 EST 2001

On Sat, Mar 10, 2001 at 09:06:00AM -0800, James Hoagland wrote:

> Interesting, there seems to be two problems here.  The first is that 
> the SyslogAlert() didn't test to see if p->iph is NULL.  The second 
> is that Spade should be ignoring the packet if it is, since it only 
> looks at TCP SYN packets.
>    skip_packet= p->iph == NULL || p->tcph == NULL || p->iph->ip_proto 
> != IPPROTO_TCP || p->tcph->th_flags != 2;  /* is this a TCP SYN? */
> Do you have any other alert plugins running, besides syslog?  If so, 
> can you check to see wether it successfully printed any alerts with 
> the message "spp_anomsensor: Anomaly threshold exceeded: 5.9123"? 
> (It would be the last before the core dump).  This should tell us if 
> p->iph was NULL when it got to them.
> If not, then I'll need to dig though the Spade code to figure how it 
> came to accept a packet with p->iph NULL, or how p->iph got munged 
> while it was running.

Fyodor's fix seems to have fixed the problem: snort has been running for
over a day now, SPADE can save & load it's survey data, and no crashes.

ralf.hildebrandt at ...821...
System Engineer                                            innominate AG
Diplom-Informatiker                                 the linux architects
tel: +49.30.308806-62  fax: -698                      www.innominate.com
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 240 bytes
Desc: not available
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20010312/448658e6/attachment.sig>

More information about the Snort-users mailing list