defective log entries from pads in /var/log/messages
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
pads (Ubuntu) | Fix Released | Undecided | Unassigned |
Bug Description
Binary package hint: pads
In messages, I found discontiguous log entries like this:
```
Oct 12 22:43:27 xxxx Found: Port - 80 / Host - 209.67.233.146 / Service - www / Application - Apache 2.0.46 (CentOS) [*] Asset Found: Port - 80 / Host - 38.98.19.125 / Service - www / Application - Apache 2.2.6 (Unix) [*] Asset Found: Port - 80 / Host - 209.67.233.140 / Service - www / Application - Apache [*] Asset Found: Port - 80 / Host - 84.19.183.157 / Service - www / Application - Apache 1.3.33 (Debian GNU/Linux) [*] Asset Found: Port - 80 / Host - 64.34.180.144 / Service - www / Application - lighttpd/1.5.0 [*] Asset Found: Port - 80 / Host - 80.157.151.28 / Service - www / Application - Apache [*] Asset Found: Port - 80 / Host - 208.245.211.8 / Service - www / Application - Apache 2.2.3 (Debian) [*] Asset Found: Port - 80 / Host - 80.157.151.17 / Service - www / Application - Apache [*] Asset Found: Port - 80 / Host - 80.157.151.42 / Service - www / Application - Apache [*] Asset Found: Port - 80 / Host - 80.157.151.9 / Service - www / Application - Apache 1.3.37 (Unix) [*] Asset Found: Port - 80 / Host - 8
```
These are produced while browsing websites. They are repeated at some irregular interval, seemingly depending on the frequency of browsing (e.g. discovering new assets, speaking pads terminology).
If you ever saw the assets.csv produced by package pads, it's obvious that these entries come from that package.
The worrying thing is the discontiguous, incomplete and unexpected nature of the entries. They don't start/end in a sensible manner (e.g. aligned to field boundaries of the "real" pads log entries into assets.csv), and entries following one another do not constitute a complete "log" because parts are missing. This kind of log should not exist anyway; I don't see any reason why this package produces any such kind of /var/log/messages log entry, as the logged assets are correctly, simultaneously and appropriately (=expectedly) logged in said assets.csv as they should be.
Conclusion: Something quite more disturbing than just some defective log entry might be going on, maybe memory corruption, some wrong function call or such.
Since this package is used in conjunction with network auditing and runs on network capture files or promiscuous-mode interfaces, it might be security relevant.
This is on a completely up to date hardy.
pads version = 1.2-7
Other people had memory problems with this program:
[ 1731419 ] Multiple bugs in PADS 1.2 in daemon mode under RHEL 4 (submitted 2007-06-05 14:21) http://sourceforge.net/tracker/index.php?func=detail&aid=1731419&group_id=116419&atid=674742
[ 1974463 ] seg fault while running pads in 64 bit linux (other people had 2008-05-27 08:41) http://sourceforge.net/tracker/index.php?func=detail&aid=1731419&group_id=116419&atid=674742