Re: OpenFPC Daemonlogger Segfault Through OpenFPC

[Kevin Ross <kevross33 () googlemail com>]

Hi,

Interesting stuff; glad to see things still happening with it. Thank you
for your work in providing this to the community; I personally find it very
useful.


Kind Regards,
Kevin Ross


On 28 August 2014 00:37, Leon Ward (leonward) <leonward () cisco com> wrote:

>  Hi.
>
>  In fact I've put a load of effort into ofpc recently. After a couple of
> requests I've moved the code to GitHub, that's one of the reasons why you
> won't have seen any commits to the google code svn repo.
>
>  It's working really well for my needs right now and I've added some new
> cool features like searching flow data from the cli. Once I've finished off
> distributed flow searching (via openfpc proxy to multiple session databases
> on remote nodes) I'll wrap another release and package it up again.
>
>  There is a load of other stuff I could talk about, but I'll wait until
> it's ready to release and out together a blog post/install video etc.
>
>  It's good to hear people are using it.
>
>  -L
>
>
> Sent from a mobile device. Apologies for any typos but they happen.
>
> On 27 Aug 2014, at 03:45, "Kevin Ross" <kevross33 () googlemail com> wrote:
>
>   Hi,
>
> I seem to have it now, reinstall openfpc, daemonlogger etc on both boxes
> and it was fine. On one of the boxes I did find bro files taking up to much
> space in the tmp and not being cleaned so the disk was going "oh time to
> roll over" right away so cleaned that up to and that one also started
> working so it might have been a combination or different issues just coming
> up at same time. So everything looking fine again :).
>
> Thanks for the help and I look forward to seeing more stuff with
> daemonlogger :). Between this and openfpc it does this job very nicely for
> my needs & requirements right now.
>
>
> Thanks,
> Kevin
>
>
> On 26 August 2014 16:55, Jeremy Hoel <jthoel () gmail com> wrote:
>
> >   So we run OpenFPC on CentOS (now at 6.5) and when we've had problems,
> > a reinstall of the package has helped.  Have you gotten any of the
> > recentish changes that had gotten made in the scripts?  He moved the code
> > tree to Google and there have been some fixes since the last zip on the old
> > website.
> >
> > https://code.google.com/p/openfpc/source/list
> >
> >  the /etc/init.d/openfpc-daemonlogger command calls openfpc which runs
> > daemonlogger like this:
> >
> > /usr/local/bin/daemonlogger -d -f /etc/snort/bpf.txt -i eth1 -l
> > /var/log/snort/fpc -M 75 -s 256M -p openfpc-daemonlogger-<sensor name>.pid
> > -P /var/run -u snort -g snort -n <sensor name>.pcap
> >
> >  Try that manually.. if that works, then it's a openfpc/perl/library
> > issue.
> >
> >  On fedora we had to roll back perl-Filters due to some new changes that
> > broke the client, but it has seemed stable on our servers
> >
> >
> >  On Tue, Aug 26, 2014 at 2:36 PM, Marty Roesch (maroesch) <
> > maroesch () cisco com> wrote:
> >
> > >    What’s the command line that’s being fed to DaemonLogger?  That’d
> > > probably be the first place to start looking.  That’s a pretty weird error,
> > > is there a core dump?
> > >
> > >  --
> > >  Martin Roesch - maroesch () cisco com
> > > VP/Chief Architect, Security Business Group
> > >    ,,_
> > >   o"  )~  Sourcefire ­ Now a part of Cisco   . : | : . : | : .
> > >    ''''
> > >
> > >   From: Kevin Ross <kevross33 () googlemail com>
> > > Date: Tuesday, August 26, 2014 at 5:09 AM
> > > To: "leon.ward () sourcefire com" <leon.ward () sourcefire com>, "
> > > snort-users () lists sourceforge net" <snort-users () lists sourceforge net>
> > > Subject: [Snort-users] OpenFPC Daemonlogger Segfault Through OpenFPC
> > >
> > >   Hi,
> > >
> > > I know this is an older tool which isn't supported but I use it for ease
> > > of integration into snorby & also that it stores onto disk and then fetches
> > > on request making it better for my sensors as PCAP solutions like moloch
> > > are just too resource intensive so I would appreciate any help kindly given
> > > (or suggestions for another suitable maintained PCAP option similar in
> > > nature).
> > >
> > > My systems were updated recently and fine; now following reboot
> > > daemonlogger segfaults when run through openfpc so I am not able to get
> > > PCAPs. If I run daemonlogger say with just daemonlogger -i eth1 it is fine
> > > and logs PCAPs but when using openfpc -a start it says it starts and then
> > > in status it is stopped and shows in /var/log/messages as segfault error
> > > with same memory location and things for each system:
> > >
> > > System 1 Error - kernel: : daemonlogger[23570]: segfault at 0 ip
> > > 0000000000402a0a sp 00007fffbc8be100 error 4 in daemonlogger[400000+7000]
> > > System 2 Error - kernel: : daemonlogger[3392]: segfault at 0 ip
> > > 0000000000402a0a sp 00007fff0e1e8c90 error 4 in daemonlogger[400000+7000]
> > >
> > > Running the queue daemon in debug mode and things is fine and shows
> > > nothing but I have no idea how to debug daemonlogger through openfpc. Some
> > > other points:
> > >
> > > - Daemonlogger Version1.2.1 (latest version installed)
> > > - Latest openfpc
> > > - System running Centos 6.4
> > > - SELINUX tried relabel, disabled etc.
> > >
> > > Thank you for any help in advance.
> > >
> > > Kindest Regards,
> > > Kevin Ross
> > >
> > >
> > > ------------------------------------------------------------------------------
> > > Slashdot TV.
> > > Video for Nerds.  Stuff that matters.
> > > http://tv.slashdot.org/
> > > _______________________________________________
> > > Snort-users mailing list
> > > Snort-users () lists sourceforge net
> > > Go to this URL to change user options or unsubscribe:
> > > https://lists.sourceforge.net/lists/listinfo/snort-users
> > > Snort-users list archive:
> > > http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
> > >
> > > Please visit http://blog.snort.org to stay current on all the latest
> > > Snort news!
>
> ------------------------------------------------------------------------------
> Slashdot TV.
> Video for Nerds.  Stuff that matters.
> http://tv.slashdot.org/
>
>  _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest
> Snort news!
------------------------------------------------------------------------------
Slashdot TV.  
Video for Nerds.  Stuff that matters.
http://tv.slashdot.org/

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!