Snort mailing list archives
Re: OpenFPC Daemonlogger Segfault Through OpenFPC
From: Jeremy Hoel <jthoel () gmail com>
Date: Tue, 26 Aug 2014 15:55:35 +0000
So we run OpenFPC on CentOS (now at 6.5) and when we've had problems, a reinstall of the package has helped. Have you gotten any of the recentish changes that had gotten made in the scripts? He moved the code tree to Google and there have been some fixes since the last zip on the old website.

https://code.google.com/p/openfpc/source/list

The /etc/init.d/openfpc-daemonlogger command calls openfpc, which runs daemonlogger like this:

/usr/local/bin/daemonlogger -d -f /etc/snort/bpf.txt -i eth1 -l /var/log/snort/fpc -M 75 -s 256M -p openfpc-daemonlogger-<sensor name>.pid -P /var/run -u snort -g snort -n <sensor name>.pcap

Try that manually. If that works, then it's an openfpc/perl/library issue.

On Fedora we had to roll back perl-Filters due to some new changes that broke the client, but it has seemed stable on our servers.

On Tue, Aug 26, 2014 at 2:36 PM, Marty Roesch (maroesch) <maroesch () cisco com> wrote:
What’s the command line that’s being fed to DaemonLogger? That’d probably be the first place to start looking. That’s a pretty weird error, is there a core dump?

--
Martin Roesch - maroesch () cisco com
VP/Chief Architect, Security Business Group
Sourcefire, Now a part of Cisco

From: Kevin Ross <kevross33 () googlemail com>
Date: Tuesday, August 26, 2014 at 5:09 AM
To: "leon.ward () sourcefire com" <leon.ward () sourcefire com>, "snort-users () lists sourceforge net" <snort-users () lists sourceforge net>
Subject: [Snort-users] OpenFPC Daemonlogger Segfault Through OpenFPC

Hi,

I know this is an older tool which isn't supported, but I use it for ease of integration into snorby and also because it stores onto disk and then fetches on request, making it better for my sensors, as PCAP solutions like moloch are just too resource intensive. So I would appreciate any help kindly given (or suggestions for another suitable maintained PCAP option similar in nature).

My systems were updated recently and fine; now following reboot daemonlogger segfaults when run through openfpc so I am not able to get PCAPs. If I run daemonlogger say with just daemonlogger -i eth1 it is fine and logs PCAPs, but when using openfpc -a start it says it starts and then in status it is stopped and shows in /var/log/messages as segfault error with same memory location and things for each system:

System 1 Error - kernel: : daemonlogger[23570]: segfault at 0 ip 0000000000402a0a sp 00007fffbc8be100 error 4 in daemonlogger[400000+7000]

System 2 Error - kernel: : daemonlogger[3392]: segfault at 0 ip 0000000000402a0a sp 00007fff0e1e8c90 error 4 in daemonlogger[400000+7000]

Running the queue daemon in debug mode and things is fine and shows nothing but I have no idea how to debug daemonlogger through openfpc.

Some other points:
- Daemonlogger Version 1.2.1 (latest version installed)
- Latest openfpc
- System running CentOS 6.4
- SELINUX tried relabel, disabled etc.

Thank you for any help in advance.

Kindest Regards,
Kevin Ross

------------------------------------------------------------------------------
Slashdot TV. Video for Nerds. Stuff that matters.
http://tv.slashdot.org/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
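Added example, not part of the original thread: a small decoder for the kernel "segfault at ..." lines quoted above. It reads the x86 page-fault error code bits, computes the faulting instruction's offset inside the mapped binary, and groups crashes by site. The function names and the "fault address below 4 KiB means NULL dereference" heuristic are assumptions of this example.

```python
import re
from collections import defaultdict

# The two kernel lines quoted in the thread, embedded as sample input.
SAMPLE = [
    "kernel: : daemonlogger[23570]: segfault at 0 ip 0000000000402a0a "
    "sp 00007fffbc8be100 error 4 in daemonlogger[400000+7000]",
    "kernel: : daemonlogger[3392]: segfault at 0 ip 0000000000402a0a "
    "sp 00007fff0e1e8c90 error 4 in daemonlogger[400000+7000]",
]

SEGV_RE = re.compile(
    r"(?P<comm>[^\s\[]+)\[(?P<pid>\d+)\]: segfault at (?P<addr>[0-9a-f]+) "
    r"ip (?P<ip>[0-9a-f]+) sp (?P<sp>[0-9a-f]+) error (?P<err>[0-9a-f]+)"
    r"(?: in (?P<obj>[^\[\s]+)\[(?P<base>[0-9a-f]+)\+(?P<size>[0-9a-f]+)\])?"
)

def decode(line):
    """Decode one kernel segfault line; returns None if it does not match."""
    m = SEGV_RE.search(line)
    if not m:
        return None
    err = int(m["err"], 16)  # the kernel prints the error code in hex
    addr, ip = int(m["addr"], 16), int(m["ip"], 16)
    base = int(m["base"], 16) if m["base"] else None
    return {
        "comm": m["comm"], "pid": int(m["pid"]), "object": m["obj"],
        "fault_addr": addr, "ip": ip,
        # Offset of the faulting instruction inside the mapped object.
        "offset": ip - base if base is not None else None,
        # x86 page-fault error code: bit 0 = protection, bit 1 = write,
        # bit 2 = user mode, bit 4 = instruction fetch.
        "cause": "protection violation" if err & 1 else "page not present",
        "access": "instruction fetch" if err & 16
                  else ("write" if err & 2 else "read"),
        "mode": "user" if err & 4 else "kernel",
        # Assumption of this example: an address in the first page is
        # treated as a likely NULL pointer dereference.
        "null_deref": addr < 0x1000,
    }

def crash_sites(lines):
    """Group PIDs by (object, offset) to see whether crashes share a site."""
    sites = defaultdict(list)
    for line in lines:
        d = decode(line)
        if d:
            sites[(d["object"], d["offset"])].append(d["pid"])
    return dict(sites)
```

Both sample lines decode to a user-mode read of address 0 at the same offset, 0x2a0a, in daemonlogger. With an unstripped binary mapped at 0x400000 as in these lines, `addr2line -f -e /usr/local/bin/daemonlogger 0x402a0a` can name the function; for a shared object, pass the offset instead.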
Current thread:
- OpenFPC Daemonlogger Segfault Through OpenFPC Kevin Ross (Aug 26)
- Re: OpenFPC Daemonlogger Segfault Through OpenFPC Joel Esler (jesler) (Aug 26)
- Re: OpenFPC Daemonlogger Segfault Through OpenFPC Kevin Ross (Aug 26)
- Re: OpenFPC Daemonlogger Segfault Through OpenFPC Joel Esler (jesler) (Aug 26)
- Re: OpenFPC Daemonlogger Segfault Through OpenFPC John York (Aug 26)
- Re: OpenFPC Daemonlogger Segfault Through OpenFPC Kevin Ross (Aug 26)
- Re: OpenFPC Daemonlogger Segfault Through OpenFPC Joel Esler (jesler) (Aug 26)
- Re: OpenFPC Daemonlogger Segfault Through OpenFPC Marty Roesch (maroesch) (Aug 26)
- Re: OpenFPC Daemonlogger Segfault Through OpenFPC Jeremy Hoel (Aug 26)
- Re: OpenFPC Daemonlogger Segfault Through OpenFPC Kevin Ross (Aug 27)
- Re: OpenFPC Daemonlogger Segfault Through OpenFPC Leon Ward (leonward) (Aug 27)
- Re: OpenFPC Daemonlogger Segfault Through OpenFPC Jeremy Hoel (Aug 27)
- Re: OpenFPC Daemonlogger Segfault Through OpenFPC Kevin Ross (Aug 28)
- Re: OpenFPC Daemonlogger Segfault Through OpenFPC Leon Ward (leonward) (Aug 29)
- Re: OpenFPC Daemonlogger Segfault Through OpenFPC Jeremy Hoel (Aug 26)