Snort mailing list archives

Re: OpenFPC Daemonlogger Segfault Through OpenFPC


From: "Leon Ward (leonward)" <leonward () cisco com>
Date: Fri, 29 Aug 2014 14:17:30 +0000

Hi,

Yeah, I ran into this while working with daemonlogger a few years back.
If I remember correctly, the situation was that when daemonlogger starts, it checks if there is less than the -M x% of disk space left on the partition; if there is, it deletes the last pcap file before starting to log again. It expects that there will be a file to delete, and if there isn't, which is the case when it's starting for the first time, it segfaults.

I think I worked around the bug by touching a "canary" file with the filename that daemonlogger expected to exist the first time it starts, then deleting it if all works as planned. Based on whether the file is detected I throw up a warning to the user. The logic to do this is contained within the main openfpc controller program, which is called by the init script. Search through the code for canary, and you'll find the section.

-Leon

On 27 Aug 2014, at 03:38, Kevin Ross <kevross33 () googlemail com> wrote:

Hi,

I seem to have it now; I reinstalled openfpc, daemonlogger etc. on both boxes and it was fine. On one of the boxes I did find Bro files taking up too much space in tmp and not being cleaned, so the disk was going "oh, time to roll over" right away; I cleaned that up too and that one also started working, so it might have been a combination of different issues just coming up at the same time. So everything is looking fine again :).

Thanks for the help and I look forward to seeing more stuff with daemonlogger :). Between this and openfpc it does this 
job very nicely for my needs & requirements right now.


Thanks,
Kevin


On 26 August 2014 16:55, Jeremy Hoel <jthoel () gmail com> wrote:
So we run OpenFPC on CentOS (now at 6.5) and when we've had problems, a reinstall of the package has helped. Have you gotten any of the recentish changes that have been made in the scripts? He moved the code tree to Google and there have been some fixes since the last zip on the old website.

https://code.google.com/p/openfpc/source/list

the /etc/init.d/openfpc-daemonlogger command calls openfpc, which runs daemonlogger like this:

    /usr/local/bin/daemonlogger -d -f /etc/snort/bpf.txt -i eth1 -l /var/log/snort/fpc -M 75 -s 256M -p openfpc-daemonlogger-<sensor name>.pid -P /var/run -u snort -g snort -n <sensor name>.pcap

Try that manually. If that works, then it's an openfpc/perl/library issue.

On Fedora we had to roll back perl-Filters due to some new changes that broke the client, but it has seemed stable on our servers.


On Tue, Aug 26, 2014 at 2:36 PM, Marty Roesch (maroesch) <maroesch () cisco com> wrote:
What’s the command line that’s being fed to DaemonLogger?  That’d probably be the first place to start looking.  That’s 
a pretty weird error, is there a core dump?

--
Martin Roesch - maroesch () cisco com
VP/Chief Architect, Security Business Group
   ,,_
  o"  )~  Sourcefire - Now a part of Cisco   . : | : . : | : .
   ''''

From: Kevin Ross <kevross33 () googlemail com>
Date: Tuesday, August 26, 2014 at 5:09 AM
To: "leon.ward () sourcefire com" <leon.ward () sourcefire com>, "snort-users () lists sourceforge net" <snort-users () lists sourceforge net>
Subject: [Snort-users] OpenFPC Daemonlogger Segfault Through OpenFPC

Hi,

I know this is an older tool which isn't supported, but I use it for ease of integration into Snorby and also because it stores onto disk and then fetches on request, making it better for my sensors, as PCAP solutions like Moloch are just too resource intensive. So I would appreciate any help kindly given (or suggestions for another suitable, maintained PCAP option similar in nature).

My systems were updated recently and were fine; now, following a reboot, daemonlogger segfaults when run through openfpc, so I am not able to get PCAPs. If I run daemonlogger with just "daemonlogger -i eth1" it is fine and logs PCAPs, but when using "openfpc -a start" it says it starts, then in status it is stopped, and it shows up in /var/log/messages as a segfault error with the same memory location and so on for each system:

System 1 Error - kernel: : daemonlogger[23570]: segfault at 0 ip 0000000000402a0a sp 00007fffbc8be100 error 4 in 
daemonlogger[400000+7000]
System 2 Error - kernel: : daemonlogger[3392]: segfault at 0 ip 0000000000402a0a sp 00007fff0e1e8c90 error 4 in 
daemonlogger[400000+7000]

Running the queue daemon in debug mode and things is fine and shows nothing but I have no idea how to debug 
daemonlogger through openfpc. Some other points:

- Daemonlogger version 1.2.1 (latest version installed)
- Latest openfpc
- System running CentOS 6.4
- SELinux: tried relabel, disabled, etc.

Thank you for any help in advance.

Kindest Regards,
Kevin Ross
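The two kernel segfault records above say more than "it crashed", even without the core dump Marty asks for. The following is an added example, not code from this thread, from daemonlogger or from OpenFPC: a shell function that decodes the standard Linux x86-64 page-fault report (fault address, instruction pointer, error-code bits, and the binary's load range) from lines like the ones in /var/log/messages. The two daemonlogger records are copied from the message above; the error-code bit meanings (1 = protection violation rather than not-present page, 2 = write rather than read, 4 = user rather than kernel mode) are the kernel's documented values, and the libc record used in testing is constructed.

```sh
# Added example (not from the thread, daemonlogger or OpenFPC): decode a
# kernel "segfault at ..." record into its parts so the fault can be read
# without a core dump.

# The two records from the message above, verbatim.
SEGFAULT_SYS1='kernel: : daemonlogger[23570]: segfault at 0 ip 0000000000402a0a sp 00007fffbc8be100 error 4 in daemonlogger[400000+7000]'
SEGFAULT_SYS2='kernel: : daemonlogger[3392]: segfault at 0 ip 0000000000402a0a sp 00007fff0e1e8c90 error 4 in daemonlogger[400000+7000]'

# decode_segfault LINE
# Prints one line of key=value pairs; returns 1 if LINE is not a segfault record.
decode_segfault() {
    line=$1
    case $line in *" segfault at "*) ;; *) return 1 ;; esac

    # awk pulls the value after each fixed keyword, the pid from "name[pid]:",
    # and base/size from the trailing "name[base+size]" mapping.
    set -- $(printf '%s\n' "$line" | awk '{
        for (i = 1; i <= NF; i++) {
            if ($i == "at")    addr = $(i + 1)
            if ($i == "ip")    ip   = $(i + 1)
            if ($i == "error") err  = $(i + 1)
            if ($i == "in")    map  = $(i + 1)
            if ($i ~ /\[[0-9]+\]:$/) { pid = $i; sub(/^.*\[/, "", pid); sub(/\]:$/, "", pid) }
        }
        bin = map;   sub(/\[.*$/, "", bin)
        range = map; sub(/^.*\[/, "", range); sub(/\]$/, "", range)
        split(range, r, "+")
        print addr, ip, err, bin, r[1], r[2], pid
    }')
    [ $# -eq 7 ] || return 1
    addr=$1; ip=$2; err=$3; bin=$4; base=$5; size=$6; pid=$7

    # Offset of the faulting instruction inside the binary's text mapping.
    offset=$((0x$ip - 0x$base))
    if [ "$offset" -ge 0 ] && [ "$offset" -lt $((0x$size)) ]; then in_map=yes; else in_map=no; fi

    # A fault address inside the first page is a NULL (or NULL + small field offset) dereference.
    if [ $((0x$addr)) -lt 4096 ]; then null=yes; else null=no; fi

    # x86 page-fault error code bits: 4 = user mode, 2 = write access, 1 = protection violation.
    if [ $((err & 4)) -ne 0 ]; then mode=user; else mode=kernel; fi
    if [ $((err & 2)) -ne 0 ]; then access=write; else access=read; fi
    if [ $((err & 1)) -ne 0 ]; then cause=protection; else cause=not-present; fi

    printf 'bin=%s pid=%s fault_addr=0x%x null_deref=%s ip=0x%x offset=0x%x in_map=%s mode=%s access=%s cause=%s\n' \
        "$bin" "$pid" $((0x$addr)) "$null" $((0x$ip)) "$offset" "$in_map" "$mode" "$access" "$cause"
}

for rec in "$SEGFAULT_SYS1" "$SEGFAULT_SYS2"; do
    decode_segfault "$rec"
done
```

Both records decode the same way: a user-mode read of address 0, at offset 0x2a0a into a daemonlogger text segment mapped at 0x400000 (a non-PIE binary, so the ip is the link-time address and can be fed straight to addr2line -e /usr/local/bin/daemonlogger 0x402a0a, or to objdump -d, if the binary carries symbols). A NULL read at the same instruction on two separate sensors points at one deterministic code path rather than memory corruption, which fits the missing-file explanation in Leon's reply. To get the core dump Marty asks for, run the exact command line openfpc uses by hand after ulimit -c unlimited.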

------------------------------------------------------------------------------
Slashdot TV.
Video for Nerds.  Stuff that matters.
http://tv.slashdot.org/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net<mailto:Snort-users () lists sourceforge net>
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org<http://blog.snort.org/> to stay current on all the latest Snort news!



--
Leon Ward
Product Manager - Cisco Security Business Group
leonward () cisco com
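Leon's canary workaround at the top of this message, combined with the -M 75 / -l /var/log/snort/fpc command line in Jeremy's message, can be written as a small start-up guard. What follows is an added example, not OpenFPC's own controller code and not daemonlogger's: it warns when the two conditions that together trigger the crash (disk already at or over the -M threshold, and no earlier pcap to delete) are both present, touches a canary before launching, and reports whether the launch consumed it. The canary filename pattern ($SENSOR.pcap.canary) is an assumption standing in for whatever name the real controller uses, and the launcher is passed as a command string so it can be stubbed.

```sh
# Added example (not OpenFPC's or daemonlogger's own code): a start-up guard
# around the daemonlogger command line from the thread, using a canary file
# the way Leon describes. Assumptions not taken from the thread:
#   - the canary name "$SENSOR.pcap.canary" stands in for whatever filename
#     the real openfpc controller touches;
#   - the launcher is passed as a command string so it can be stubbed.

# disk_used_pct DIR: integer Use% of the filesystem holding DIR (df -P).
disk_used_pct() {
    df -P "$1" | awk 'NR == 2 { sub(/%/, "", $5); print $5 }'
}

# fpc_canary_start LOGDIR SENSOR MAXPCT LAUNCH_CMD
# Returns 0 if the logger started and left the canary alone (we remove it),
#         2 if it started but the canary vanished (the start-up roll-over
#           fired because the disk was already at or over -M MAXPCT),
#         1 on a preflight or launch failure.
fpc_canary_start() {
    logdir=$1; sensor=$2; maxpct=$3; launch=$4
    canary="$logdir/$sensor.pcap.canary"

    [ -d "$logdir" ] || { echo "fpc: log dir $logdir missing" >&2; return 1; }

    # The crash needs two things at once: disk over the -M threshold and no
    # earlier pcap for daemonlogger to delete. Warn before handing that
    # combination to daemonlogger.
    used=$(disk_used_pct "$logdir")
    if [ "${used:-0}" -ge "$maxpct" ] && ! ls "$logdir/$sensor".pcap.* >/dev/null 2>&1; then
        echo "fpc: $logdir is ${used}% used (>= -M $maxpct) with no pcap to roll over" >&2
    fi

    : > "$canary" || return 1
    if ! sh -c "$launch"; then
        rm -f "$canary"
        echo "fpc: launcher failed" >&2
        return 1
    fi

    if [ -e "$canary" ]; then
        rm -f "$canary"
        return 0
    fi
    echo "fpc: daemonlogger removed $canary at start-up; disk is over the -M threshold" >&2
    return 2
}

# Usage with the command line from Jeremy's message (not run here):
#   fpc_canary_start /var/log/snort/fpc sensor1 75 \
#     '/usr/local/bin/daemonlogger -d -f /etc/snort/bpf.txt -i eth1 -l /var/log/snort/fpc -M 75 -s 256M -p openfpc-daemonlogger-sensor1.pid -P /var/run -u snort -g snort -n sensor1.pcap'
```

One caveat for real use: with -d daemonlogger forks and the launcher returns at once, so the canary check here runs before the daemon has finished its own start-up; the controller has to wait (or poll the pid file) before deciding whether the canary survived, otherwise a return of 0 only means the launcher exited cleanly. The constructed launchers in the test below (true, and an rm of the canary) stand in for the two outcomes.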



