[Snort-users] Snort 1.7 and SPADE crash

Fyodor fygrave at ...121...
Mon Mar 12 11:41:33 EST 2001


On Mon, Mar 12, 2001 at 05:03:52PM +0100, Ralf Hildebrandt wrote:
> On Sat, Mar 10, 2001 at 09:06:00AM -0800, James Hoagland wrote:
> 
> > 
> > Do you have any other alert plugins running, besides syslog?  If so, 
> > can you check to see whether it successfully printed any alerts with 
> > the message "spp_anomsensor: Anomaly threshold exceeded: 5.9123"? 
> > (It would be the last before the core dump).  This should tell us if 
> > p->iph was NULL when it got to them.
> > 
> > If not, then I'll need to dig through the Spade code to figure how it 
> > came to accept a packet with p->iph NULL, or how p->iph got munged 
> > while it was running.
> 
> Fyodor's fix seems to have fixed the problem: snort has been running for
> over a day now, SPADE can save & load its survey data, and no crashes.
> 


Since syslog uses IP packet headers to generate alerts, I added additional
'iph' NULL checks to make sure that a malformed IP datagram will not crash snort.
I also quickly looked through other spo_* to check out similar problems
and fixed them where I found them, but still there might be some twirks to be looked at
later, I guess.. :) (chances that I missed something :))
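
The guard discussed in this thread, shown as an added example; it is not code from the original post or from Snort. The `Packet` record, `decode_ip`, `format_alert` and the sample datagrams are hypothetical, simplified stand-ins constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IP_HDR_MIN 20   /* minimum IPv4 header length in bytes */
/* Hypothetical, simplified packet record (not Snort's real Packet struct). */
typedef struct {
    const uint8_t *iph;  /* start of the IPv4 header, NULL if decoding failed */
    size_t caplen;       /* captured bytes */
} Packet;

/* Constructed sample datagrams: a bare 20-byte header and a truncated one. */
static const uint8_t SAMPLE_GOOD[20] = {
    0x45, 0, 0, 20,  0, 0, 0, 0,  64, 6, 0, 0,  10, 0, 0, 1,  10, 0, 0, 2 };
static const uint8_t SAMPLE_TRUNC[4] = { 0x45, 0, 0, 20 };

/* Decoder: leave p->iph NULL unless a complete, sane IPv4 header is present. */
void decode_ip(Packet *p, const uint8_t *buf, size_t len)
{
    p->iph = NULL; p->caplen = len;
    if (buf == NULL || len < IP_HDR_MIN) return;      /* truncated */
    if ((buf[0] >> 4) != 4) return;                   /* not IPv4 */
    size_t hlen = (size_t)(buf[0] & 0x0f) * 4;
    if (hlen < IP_HDR_MIN || hlen > len) return;      /* bogus header length */
    p->iph = buf;
}

/* Output side: never dereference iph without checking it first. */
int format_alert(const Packet *p, const char *msg, char *out, size_t outlen)
{
    if (p == NULL || p->iph == NULL)
        return snprintf(out, outlen, "%s {no IP header}", msg);
    const uint8_t *s = p->iph + 12, *d = p->iph + 16;  /* src, dst address */
    return snprintf(out, outlen, "%s %d.%d.%d.%d -> %d.%d.%d.%d", msg,
                    s[0], s[1], s[2], s[3], d[0], d[1], d[2], d[3]);
}

int main(void)
{
    Packet p;
    char line[128];
    decode_ip(&p, SAMPLE_GOOD, sizeof SAMPLE_GOOD);
    format_alert(&p, "Anomaly threshold exceeded", line, sizeof line);
    puts(line);
    decode_ip(&p, SAMPLE_TRUNC, sizeof SAMPLE_TRUNC);
    format_alert(&p, "Anomaly threshold exceeded", line, sizeof line);
    puts(line);
    return 0;
}
```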



