'[Snort-devel] barnyard core dump'

[prev in list] [next in list] [prev in thread] [next in thread] 

List:       snort-devel
Subject:    [Snort-devel] barnyard core dump
From:       Craig J Constantine <craig () ot ! com>
Date:       2002-02-28 22:49:30
[Download RAW message or body]

...I hope I'm posting this in the right place. This is a barnyard 
question. :)

Linux 7.2 (with working pcap installed), MySQL 3.23, snort 1.8.4 logging 
spo_unified...

Trying to suck the /var/logs/snort/snort.log.TIME file through barnyard 
into MySQL. Running barnyard 0.1.0 beta 4 (build 5) as:

barnyard -o -c /etc/barnyard/barnyard.conf -f 
/var/logs/snort/snort.log.TIME -g /etc/barnyard/gen-msg.map -s 
/etc/barnyard/sid-msg.map

The gen-msg.map and sid-msg.map I copied from the 'etc' directory in the 
barnyard source tarball. My barnyard.conf is (sans comments and blank 
lines):

--barnyard.conf--

processor dp_log
output log_acid_db: mysql, sensor_id 1, database snort, server localhost, 
user snort, detail full

-----

MySQL schema was created following the README.databases that I found in 
the barnyard dist. (ie, I think I did that correctly. :)

barnyard cores on me, GDB gives me:

(gdb) where
#0  GetAcidDbClassId (op_data=0x807f4e0, class_type=0x0) at 
op_acid_db.c:577
#1  0x0804fd25 in AcidDbGetSigId (op_data=0x807f4e0, sid=0x80a7210,
    class_type=0x0, priority=3) at op_acid_db.c:558
#2  0x0804f6da in AcidDbOpLog (context=0x807f4e0, data=0x80ffd18)
    at op_acid_db.c:312
#3  0x0804d4be in CallOutputPlugins (list=0x807f4d0, data=0x80ffd18)
    at op_plugbase.c:120
#4  0x080525a3 in LogDpProcessRecord (data=0x80ffd18, dp=0x807e630)
    at dp_log.c:227
#5  0x0804c15d in ProcessSpool (spool_directory=0x807f468 
"/var/log/snort",
    base_filename=0x807e568 "snort.log.1014764717", first_record=0, 
timet=0)
    at spool.c:157
#6  0x08049fc9 in main (argc=10, argv=0xbffffaf4) at barnyard.c:113
#7  0x4005f507 in __libc_start_main (main=0x8049eb0 <main>, argc=10,
    ubp_av=0xbffffaf4, init=0x8049688 <_init>, fini=0x805f4c0 <_fini>,
    rtld_fini=0x4000dc14 <_dl_fini>, stack_end=0xbffffaec)
    at ../sysdeps/generic/libc-start.c:129

which is on this code:

---snip----
/* looks up the acid class_id since it does not use the standard snort 
ids */
unsigned int GetAcidDbClassId(AcidDbOpData *op_data, ClassType 
*class_type)
{
    unsigned int class_id = 0;
=>  snprintf(sql_buffer, MAX_QUERY_SIZE,
            "SELECT sig_class_id FROM sig_class WHERE 
sig_class_name='%s'",
            class_type->type);
---snip----

(gdb) print class_type
$1 = (ClassType *) 0x0

Stems from a call in op_acid_db.c (L311) to AcidDbGetSigId() where var 
class_type is passed in NULL. The case isn't caught internally though so 
instead of return an error (op_acid_db.c has err handling at L311), it 
chokes.

class_type is supposed to be set by GetClassType()  (imagine that. :) 
which is called thusly:

--snip--
    class_type = GetClassType(record->log.event.classification);
--snip--

GDB claims there's no "record" in the current context when I try to peak 
at it though.

Am I pining for assistance in the right place? :)
...did I do something stupid with a config file?
...would more information be helpful -- I can run barnyard in GDB and get 
more information before the SEGV.

-Craig

_______________________________________________
Snort-devel mailing list
Snort-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-devel
[prev in list] [next in list] [prev in thread] [next in thread]
Configure | About | News | Add a list | Sponsored by KoreLogic