[Snort-users] Snort 1.7 and SPADE crash
fygrave at ...121...
Mon Mar 12 11:41:33 EST 2001
On Mon, Mar 12, 2001 at 05:03:52PM +0100, Ralf Hildebrandt wrote:
> On Sat, Mar 10, 2001 at 09:06:00AM -0800, James Hoagland wrote:
> > Do you have any other alert plugins running, besides syslog? If so,
> > can you check to see whether it successfully printed any alerts with
> > the message "spp_anomsensor: Anomaly threshold exceeded: 5.9123"?
> > (It would be the last before the core dump). This should tell us if
> > p->iph was NULL when it got to them.
> > If not, then I'll need to dig through the Spade code to figure how it
> > came to accept a packet with p->iph NULL, or how p->iph got munged
> > while it was running.
> Fyodor's fix seems to have fixed the problem: snort has been running for
> over a day now, SPADE can save & load its survey data, and no crashes.
Since syslog uses IP packet headers to generate alerts, I added additional
'iph' NULL checks to make sure that a malformed IP datagram will not crash snort.
I also quickly looked through other spo_* to check out similar problems
and fixed them where I found them, but still there might be some twirks to be looked at
later, I guess.. :) (chances that I missed something :))
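
The kind of guard described in the message above, as an added example that is not part of the original post and is not Snort's own code. The Packet layout, decode_ip() and format_alert() are hypothetical simplifications, and the sample datagrams are constructed.

```c
#include <stdio.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical, simplified packet record; Snort's real Packet has many more fields. */
typedef struct {
    const uint8_t *raw;   /* captured bytes, starting at the IP layer */
    size_t caplen;        /* number of captured bytes */
    const uint8_t *iph;   /* IPv4 header, or NULL if the decoder rejected it */
} Packet;

/* Decoder: only publish iph when a complete, sane IPv4 header was captured. */
void decode_ip(Packet *p, const uint8_t *raw, size_t caplen)
{
    p->raw = raw;
    p->caplen = caplen;
    p->iph = NULL;
    if (caplen < 20) return;                    /* truncated header */
    if ((raw[0] >> 4) != 4) return;             /* not IPv4 */
    size_t hlen = (size_t)(raw[0] & 0x0f) * 4;
    if (hlen < 20 || hlen > caplen) return;     /* bogus header length */
    p->iph = raw;
}

/* Output plugin: returns 1 if addresses were logged, 0 if it fell back. */
int format_alert(const Packet *p, const char *msg, char *out, size_t outlen)
{
    if (p == NULL || p->iph == NULL) {          /* the NULL check: never touch iph blindly */
        snprintf(out, outlen, "%s {no IP header}", msg);
        return 0;
    }
    const uint8_t *s = p->iph + 12, *d = p->iph + 16;   /* source and destination address */
    snprintf(out, outlen, "%s %u.%u.%u.%u -> %u.%u.%u.%u", msg,
             s[0], s[1], s[2], s[3], d[0], d[1], d[2], d[3]);
    return 1;
}

/* Constructed sample datagrams: one valid header, one truncated to 8 bytes. */
static const uint8_t GOOD[20] = {0x45,0,0,20, 0,0,0,0, 64,6,0,0, 10,0,0,1, 10,0,0,2};
static const uint8_t SHORT[8] = {0x45,0,0,20, 0,0,0,0};
static const char MSG[] = "spp_anomsensor: Anomaly threshold exceeded: 5.9123";

int main(void)
{
    Packet p; char line[128];
    decode_ip(&p, GOOD, sizeof GOOD);   format_alert(&p, MSG, line, sizeof line); puts(line);
    decode_ip(&p, SHORT, sizeof SHORT); format_alert(&p, MSG, line, sizeof line); puts(line);
    return 0;
}
```

The truncated datagram still produces an alert line, just without addresses, so the event is not lost when the header cannot be read.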