Snort mailing list archives

Re: OpenFPC Daemonlogger Segfault Through OpenFPC

From: Jeremy Hoel <jthoel () gmail com>
Date: Tue, 26 Aug 2014 15:55:35 +0000

So we run OpenFPC on CentOS (now at 6.5) and when we've had problems, a
reinstall of the package has helped.  Have you gotten any of the recentish
changes that had gotten made in the scripts?  He moved the code tree to
Google and there have been some fixes since the last zip on the old website.

https://code.google.com/p/openfpc/source/list

the /etc/init.d/openfpc-daemonlogger command calls openfpc which runs
daemonlogger like this:

/usr/local/bin/daemonlogger -d -f /etc/snort/bpf.txt -i eth1 -l
/var/log/snort/fpc -M 75 -s 256M -p openfpc-daemonlogger-<sensor name>.pid
-P /var/run -u snort -g snort -n <sensor name>.pcap

Try that manually.. if that works, then it's a openfpc/perl/library issue.

On fedora we had to roll back perl-Filters due to some new changes that
broke the client, but it has seemed stable on our servers


On Tue, Aug 26, 2014 at 2:36 PM, Marty Roesch (maroesch) <maroesch () cisco com

wrote:

  What’s the command line that’s being fed to DaemonLogger?  That’d
probably be the first place to start looking.  That’s a pretty weird error,
is there a core dump?

 --
 Martin Roesch - maroesch () cisco com
VP/Chief Architect, Security Business Group
   ,,_
  o"  )~  Sourcefire  Now a part of Cisco   . : | : . : | : .
   ''''

  From: Kevin Ross <kevross33 () googlemail com>
Date: Tuesday, August 26, 2014 at 5:09 AM
To: "leon.ward () sourcefire com" <leon.ward () sourcefire com>, "
snort-users () lists sourceforge net" <snort-users () lists sourceforge net>
Subject: [Snort-users] OpenFPC Daemonlogger Segfault Through OpenFPC

  Hi,

I know this is an older tool which isn't supported but I use it for ease
of integration into snorby & also that it stores onto disk and then fetches
on request making it better for my sensors as PCAP solutions like moloch
are just too resource intensive so I would appreciate any help kindly given
(or suggestions for another suitable maintained PCAP option similar in
nature).

My systems were updated recently and fine; now following reboot
daemonlogger segfaults when run through openfpc so I am not able to get
PCAPs. If I run daemonlogger say with just daemonlogger -i eth1 it is fine
and logs PCAPs but when using openfpc -a start it says it starts and then
in status it is stopped and shows in /var/log/messages as segfault error
with same memory location and things for each system:

System 1 Error - kernel: : daemonlogger[23570]: segfault at 0 ip
0000000000402a0a sp 00007fffbc8be100 error 4 in daemonlogger[400000+7000]
System 2 Error - kernel: : daemonlogger[3392]: segfault at 0 ip
0000000000402a0a sp 00007fff0e1e8c90 error 4 in daemonlogger[400000+7000]

Running the queue daemon in debug mode and things is fine and shows
nothing but I have no idea how to debug daemonlogger through openfpc. Some
other points:

- Daemonlogger Version1.2.1 (latest version installed)
- Latest openfpc
- System running Centos 6.4
- SELINUX tried relabel, disabled etc.

Thank you for any help in advance.

Kindest Regards,
Kevin Ross


------------------------------------------------------------------------------
Slashdot TV.
Video for Nerds.  Stuff that matters.
http://tv.slashdot.org/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest
Snort news!

------------------------------------------------------------------------------
Slashdot TV.  
Video for Nerds.  Stuff that matters.
http://tv.slashdot.org/

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!

Current thread:

OpenFPC Daemonlogger Segfault Through OpenFPC Kevin Ross (Aug 26)
- Re: OpenFPC Daemonlogger Segfault Through OpenFPC Joel Esler (jesler) (Aug 26)
  - Re: OpenFPC Daemonlogger Segfault Through OpenFPC Kevin Ross (Aug 26)
    - Re: OpenFPC Daemonlogger Segfault Through OpenFPC Joel Esler (jesler) (Aug 26)
    - Re: OpenFPC Daemonlogger Segfault Through OpenFPC John York (Aug 26)
- Re: OpenFPC Daemonlogger Segfault Through OpenFPC Marty Roesch (maroesch) (Aug 26)
  - Re: OpenFPC Daemonlogger Segfault Through OpenFPC Jeremy Hoel (Aug 26)
    - Re: OpenFPC Daemonlogger Segfault Through OpenFPC Kevin Ross (Aug 27)
    - Re: OpenFPC Daemonlogger Segfault Through OpenFPC Leon Ward (leonward) (Aug 27)
    - Re: OpenFPC Daemonlogger Segfault Through OpenFPC Jeremy Hoel (Aug 27)
    - Re: OpenFPC Daemonlogger Segfault Through OpenFPC Kevin Ross (Aug 28)
    - Re: OpenFPC Daemonlogger Segfault Through OpenFPC Leon Ward (leonward) (Aug 29)