Snort mailing list archives
Re: OpenFPC Daemonlogger Segfault Through OpenFPC
From: "Leon Ward (leonward)" <leonward () cisco com>
Date: Fri, 29 Aug 2014 14:17:30 +0000
Hi, Yeah, I ran into this while working with daemonlogger a few years back. If I remember correctly, the situation was that when daemonlogger starts, it checks if there is < -M x% of disk space left on the partition, if there is, it will delete the last pcap file before starting to log again. It expects that there will be a file to delete, and if there isn’t, which is the case when it’s starting for the first time, it segfaults. I think I worked around the bug by touching a “canary" file with the filename that daemonlogger expected to exist the first time it starts, then deleting it if all works as planned. Based on if the file is detected I throw up a warning to the user. The logic to do this is contained within the main openfpc controller program, that’s being called by the init script. Seach through the code for canary, and you’ll find the section. -Leon On 27 Aug 2014, at 03:38, Kevin Ross <kevross33 () googlemail com<mailto:kevross33 () googlemail com>> wrote: Hi, I seem to have it now, reinstall openfpc, daemonlogger etc on both boxes and it was fine. On one of the boxes I did find bro files taking up to much space in the tmp and not being cleaned so the disk was going "oh time to roll over" right away so cleaned that up to and that one also started working so it might have been a combination or different issues just coming up at same time. So everything looking fine again :). Thanks for the help and I look forward to seeing more stuff with daemonlogger :). Between this and openfpc it does this job very nicely for my needs & requirements right now. Thanks, Kevin On 26 August 2014 16:55, Jeremy Hoel <jthoel () gmail com<mailto:jthoel () gmail com>> wrote: So we run OpenFPC on CentOS (now at 6.5) and when we've had problems, a reinstall of the package has helped. Have you gotten any of the recentish changes that had gotten made in the scripts? He moved the code tree to Google and there have been some fixes since the last zip on the old website. https://code.google.com/p/openfpc/source/list the /etc/init.d/openfpc-daemonlogger command calls openfpc which runs daemonlogger like this: /usr/local/bin/daemonlogger -d -f /etc/snort/bpf.txt -i eth1 -l /var/log/snort/fpc -M 75 -s 256M -p openfpc-daemonlogger-<sensor name>.pid -P /var/run -u snort -g snort -n <sensor name>.pcap Try that manually.. if that works, then it's a openfpc/perl/library issue. On fedora we had to roll back perl-Filters due to some new changes that broke the client, but it has seemed stable on our servers On Tue, Aug 26, 2014 at 2:36 PM, Marty Roesch (maroesch) <maroesch () cisco com<mailto:maroesch () cisco com>> wrote: What’s the command line that’s being fed to DaemonLogger? That’d probably be the first place to start looking. That’s a pretty weird error, is there a core dump? -- Martin Roesch - maroesch () cisco com<mailto:maroesch () cisco com> VP/Chief Architect, Security Business Group ,,_ o" )~ Sourcefire Now a part of Cisco . : | : . : | : . '''' From: Kevin Ross <kevross33 () googlemail com<mailto:kevross33 () googlemail com>> Date: Tuesday, August 26, 2014 at 5:09 AM To: "leon.ward () sourcefire com<mailto:leon.ward () sourcefire com>" <leon.ward () sourcefire com<mailto:leon.ward () sourcefire com>>, "snort-users () lists sourceforge net<mailto:snort-users () lists sourceforge net>" <snort-users () lists sourceforge net<mailto:snort-users () lists sourceforge net>> Subject: [Snort-users] OpenFPC Daemonlogger Segfault Through OpenFPC Hi, I know this is an older tool which isn't supported but I use it for ease of integration into snorby & also that it stores onto disk and then fetches on request making it better for my sensors as PCAP solutions like moloch are just too resource intensive so I would appreciate any help kindly given (or suggestions for another suitable maintained PCAP option similar in nature). My systems were updated recently and fine; now following reboot daemonlogger segfaults when run through openfpc so I am not able to get PCAPs. If I run daemonlogger say with just daemonlogger -i eth1 it is fine and logs PCAPs but when using openfpc -a start it says it starts and then in status it is stopped and shows in /var/log/messages as segfault error with same memory location and things for each system: System 1 Error - kernel: : daemonlogger[23570]: segfault at 0 ip 0000000000402a0a sp 00007fffbc8be100 error 4 in daemonlogger[400000+7000] System 2 Error - kernel: : daemonlogger[3392]: segfault at 0 ip 0000000000402a0a sp 00007fff0e1e8c90 error 4 in daemonlogger[400000+7000] Running the queue daemon in debug mode and things is fine and shows nothing but I have no idea how to debug daemonlogger through openfpc. Some other points: - Daemonlogger Version1.2.1 (latest version installed) - Latest openfpc - System running Centos 6.4 - SELINUX tried relabel, disabled etc. Thank you for any help in advance. Kindest Regards, Kevin Ross ------------------------------------------------------------------------------ Slashdot TV. Video for Nerds. Stuff that matters. http://tv.slashdot.org/ _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net<mailto:Snort-users () lists sourceforge net> Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users Please visit http://blog.snort.org<http://blog.snort.org/> to stay current on all the latest Snort news! ------------------------------------------------------------------------------ Slashdot TV. Video for Nerds. Stuff that matters. http://tv.slashdot.org/_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news! -- Leon Ward Product Manager - Cisco Security Business Group leonward () cisco com<mailto:leonward () cisco com>
------------------------------------------------------------------------------ Slashdot TV. Video for Nerds. Stuff that matters. http://tv.slashdot.org/
_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!
Current thread:
- Re: OpenFPC Daemonlogger Segfault Through OpenFPC, (continued)
- Re: OpenFPC Daemonlogger Segfault Through OpenFPC Joel Esler (jesler) (Aug 26)
- Re: OpenFPC Daemonlogger Segfault Through OpenFPC Kevin Ross (Aug 26)
- Re: OpenFPC Daemonlogger Segfault Through OpenFPC Joel Esler (jesler) (Aug 26)
- Re: OpenFPC Daemonlogger Segfault Through OpenFPC John York (Aug 26)
- Re: OpenFPC Daemonlogger Segfault Through OpenFPC Kevin Ross (Aug 26)
- Re: OpenFPC Daemonlogger Segfault Through OpenFPC Joel Esler (jesler) (Aug 26)
- Re: OpenFPC Daemonlogger Segfault Through OpenFPC Marty Roesch (maroesch) (Aug 26)
- Re: OpenFPC Daemonlogger Segfault Through OpenFPC Jeremy Hoel (Aug 26)
- Re: OpenFPC Daemonlogger Segfault Through OpenFPC Kevin Ross (Aug 27)
- Re: OpenFPC Daemonlogger Segfault Through OpenFPC Leon Ward (leonward) (Aug 27)
- Re: OpenFPC Daemonlogger Segfault Through OpenFPC Jeremy Hoel (Aug 27)
- Re: OpenFPC Daemonlogger Segfault Through OpenFPC Kevin Ross (Aug 28)
- Re: OpenFPC Daemonlogger Segfault Through OpenFPC Leon Ward (leonward) (Aug 29)
- Re: OpenFPC Daemonlogger Segfault Through OpenFPC Jeremy Hoel (Aug 26)