[Snort-users] OpenFPC Daemonlogger Segfault Through OpenFPC

Kevin Ross kevross33 at ...14012...
Thu Aug 28 04:01:32 EDT 2014


Hi,

Interesting stuff; glad to see things still happening with it. Thank you
for your work in providing this to the community; I personally find it very
useful.


Kind Regards,
Kevin Ross


On 28 August 2014 00:37, Leon Ward (leonward) <leonward at ...589...> wrote:

>  Hi.
>
>  In fact I've put a load of effort into ofpc recently. After a couple of
> requests I've moved the code to GitHub; that's one of the reasons why you
> won't have seen any commits to the Google Code svn repo.
>
>  It's working really well for my needs right now and I've added some new
> cool features like searching flow data from the cli. Once I've finished off
> distributed flow searching (via openfpc proxy to multiple session databases
> on remote nodes) I'll wrap another release and package it up again.
>
>  There is a load of other stuff I could talk about, but I'll wait until
> it's ready to release and put together a blog post/install video etc.
>
>  It's good to hear people are using it.
>
>  -L
>
>
> Sent from a mobile device. Apologies for any typos but they happen.
>
> On 27 Aug 2014, at 03:45, "Kevin Ross" <kevross33 at ...14012...> wrote:
>
>   Hi,
>
> I seem to have it now; I reinstalled openfpc, daemonlogger etc. on both boxes
> and it was fine. On one of the boxes I did find bro files taking up too much
> space in the tmp and not being cleaned, so the disk was going "oh time to
> roll over" right away; I cleaned that up too and that one also started
> working, so it might have been a combination or different issues just coming
> up at the same time. So everything is looking fine again :).
>
> Thanks for the help and I look forward to seeing more stuff with
> daemonlogger :). Between this and openfpc it does this job very nicely for
> my needs & requirements right now.
>
>
> Thanks,
> Kevin
>
>
> On 26 August 2014 16:55, Jeremy Hoel <jthoel at ...11827...> wrote:
>
>>   So we run OpenFPC on CentOS (now at 6.5) and when we've had problems,
>> a reinstall of the package has helped.  Have you gotten any of the
>> recentish changes that have been made in the scripts?  He moved the code
>> tree to Google and there have been some fixes since the last zip on the old
>> website.
>>
>> https://code.google.com/p/openfpc/source/list
>>
>>  the /etc/init.d/openfpc-daemonlogger command calls openfpc which runs
>> daemonlogger like this:
>>
>> /usr/local/bin/daemonlogger -d -f /etc/snort/bpf.txt -i eth1 -l
>> /var/log/snort/fpc -M 75 -s 256M -p openfpc-daemonlogger-<sensor name>.pid
>> -P /var/run -u snort -g snort -n <sensor name>.pcap
>>
>>  Try that manually.. if that works, then it's an openfpc/perl/library
>> issue.
>>
>>  On Fedora we had to roll back perl-Filters due to some new changes that
>> broke the client, but it has seemed stable on our servers.
>>
>>
>>  On Tue, Aug 26, 2014 at 2:36 PM, Marty Roesch (maroesch) <
>> maroesch at ...589...> wrote:
>>
>>>    What’s the command line that’s being fed to DaemonLogger?  That’d
>>> probably be the first place to start looking.  That’s a pretty weird error,
>>> is there a core dump?
>>>
>>>  --
>>>  Martin Roesch - maroesch at ...589...
>>> VP/Chief Architect, Security Business Group
>>>    ,,_
>>>   o"  )~  Sourcefire - Now a part of Cisco   . : | : . : | : .
>>>    ''''
>>>
>>>   From: Kevin Ross <kevross33 at ...14012...>
>>> Date: Tuesday, August 26, 2014 at 5:09 AM
>>> To: "leon.ward at ...1935..." <leon.ward at ...1935...>, "
>>> snort-users at lists.sourceforge.net" <snort-users at lists.sourceforge.net>
>>> Subject: [Snort-users] OpenFPC Daemonlogger Segfault Through OpenFPC
>>>
>>>   Hi,
>>>
>>> I know this is an older tool which isn't supported, but I use it for ease
>>> of integration into Snorby & also because it stores onto disk and then fetches
>>> on request, making it better for my sensors, as PCAP solutions like Moloch
>>> are just too resource intensive; so I would appreciate any help kindly given
>>> (or suggestions for another suitable maintained PCAP option similar in
>>> nature).
>>>
>>> My systems were updated recently and were fine; now, following a reboot,
>>> daemonlogger segfaults when run through openfpc, so I am not able to get
>>> PCAPs. If I run daemonlogger with just daemonlogger -i eth1 it is fine
>>> and logs PCAPs, but when using openfpc -a start it says it starts and then
>>> in status it is stopped, and it shows in /var/log/messages as a segfault error
>>> with the same memory location and so on for each system:
>>>
>>> System 1 Error - kernel: : daemonlogger[23570]: segfault at 0 ip
>>> 0000000000402a0a sp 00007fffbc8be100 error 4 in daemonlogger[400000+7000]
>>> System 2 Error - kernel: : daemonlogger[3392]: segfault at 0 ip
>>> 0000000000402a0a sp 00007fff0e1e8c90 error 4 in daemonlogger[400000+7000]
>>>
>>> Running the queue daemon in debug mode etc. is fine and shows
>>> nothing, but I have no idea how to debug daemonlogger through openfpc. Some
>>> other points:
>>>
>>> - Daemonlogger version 1.2.1 (latest version installed)
>>> - Latest openfpc
>>> - System running CentOS 6.4
>>> - SELinux: tried relabel, disabled, etc.
>>>
>>> Thank you for any help in advance.
>>>
>>> Kindest Regards,
>>> Kevin Ross
>>>
>>>
>>> ------------------------------------------------------------------------------
>>> Slashdot TV.
>>> Video for Nerds.  Stuff that matters.
>>> http://tv.slashdot.org/
>>> _______________________________________________
>>> Snort-users mailing list
>>> Snort-users at lists.sourceforge.net
>>> Go to this URL to change user options or unsubscribe:
>>> https://lists.sourceforge.net/lists/listinfo/snort-users
>>> Snort-users list archive:
>>> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>>>
>>> Please visit http://blog.snort.org to stay current on all the latest
>>> Snort news!
>>>
>>
>>
>
>
>
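The two kernel lines Kevin posted, Marty's question about a core dump and Jeremy's advice to re-run the exact daemonlogger command line by hand all come down to the same two chores: read what the "segfault at" line actually says, and check the things the openfpc-built command line uses that a bare "daemonlogger -i eth1" does not. The script below is an added example written for this page; it is not code from OpenFPC, daemonlogger or any of the posters. The two log lines are copied from the thread. The paths, the snort user and the idea that an unreadable filter file, an unwritable directory or an already-full log volume are worth ruling out first are assumptions for illustration, not a diagnosis the thread reached (Kevin's own fix turned out to be a reinstall plus clearing a full tmp).

```shell
#!/bin/sh
# Added example (not from OpenFPC, daemonlogger, or the thread's authors).
# Part 1: decode a Linux x86-64 kernel "segfault at ..." line.
# Part 2: preflight the parts of the openfpc command line that the working
#         manual run ("daemonlogger -i eth1") never touched.

# The two lines from the thread: same ip and same mapping base on both hosts.
LOG1='kernel: : daemonlogger[23570]: segfault at 0 ip 0000000000402a0a sp 00007fffbc8be100 error 4 in daemonlogger[400000+7000]'
LOG2='kernel: : daemonlogger[3392]: segfault at 0 ip 0000000000402a0a sp 00007fff0e1e8c90 error 4 in daemonlogger[400000+7000]'

# field <line> <BRE with one \(group\)>: print the group, or nothing.
field() {
    printf '%s\n' "$1" | sed -n "s/$2/\\1/p"
}

# decode_segfault <line>
# Prints: <object> <ip-minus-base> <fault-address> <read|write> <user|kernel> <not-present|protection>
# The "error N" value is the x86 page-fault error code (arch/x86/mm/fault.c):
#   bit 0: 1 = protection violation, 0 = page not present
#   bit 1: 1 = write access,          0 = read
#   bit 2: 1 = fault in user mode,    0 = kernel mode
# So "error 4" at address 0 is a user-mode read through a NULL pointer, and the
# fault is inside the daemonlogger binary itself, not in a library.
decode_segfault() {
    line=$1
    addr=$(field "$line" '.*segfault at \([0-9a-f]*\) .*')
    ip=$(field "$line" '.*ip \([0-9a-f]*\) .*')
    err=$(field "$line" '.*error \([0-9]*\) .*')
    obj=$(field "$line" '.* in \([^[ ]*\)\[[0-9a-f]*+[0-9a-f]*\].*')
    base=$(field "$line" '.* in [^[ ]*\[\([0-9a-f]*\)+[0-9a-f]*\].*')
    if [ -z "$ip" ] || [ -z "$base" ] || [ -z "$err" ]; then
        echo "not a segfault line: $line" >&2
        return 1
    fi
    # ip is absolute; "[base+len]" is where the object is mapped. For a shared
    # object or PIE, ip - base is the address to look up in "objdump -d" of that
    # file. For a non-PIE executable like this one (base 0x400000) objdump's
    # addresses are already absolute, so look up ip itself (0x402a0a).
    offset=$(printf '0x%x' $(( 0x$ip - 0x$base )))
    access=read;        [ $(( $err & 2 )) -ne 0 ] && access=write
    mode=kernel;        [ $(( $err & 4 )) -ne 0 ] && mode=user
    cause=not-present;  [ $(( $err & 1 )) -ne 0 ] && cause=protection
    printf '%s %s 0x%s %s %s %s\n' "$obj" "$offset" "$addr" "$access" "$mode" "$cause"
}

# preflight <bpf-file> <log-dir> <pid-dir> [max-disk-pct]
# The openfpc command line adds -f, -l, -p/-P, -M and -u/-g to the bare manual
# run, so check those paths as the user daemonlogger switches to, e.g.
#   su -s /bin/sh snort -c '. ./segfault_check.sh; preflight /etc/snort/bpf.txt /var/log/snort/fpc /var/run 75'
# (the -M 75 in the thread is assumed here to be a disk-usage percentage).
# Returns 0 if everything looks usable, 1 otherwise; one message per problem.
preflight() {
    rc=0
    max=${4:-75}
    [ -r "$1" ] || { echo "BPF file not readable: $1"; rc=1; }
    [ -s "$1" ] || { echo "BPF file is empty: $1"; rc=1; }
    [ -d "$2" ] && [ -w "$2" ] || { echo "log dir missing or not writable: $2"; rc=1; }
    [ -d "$3" ] && [ -w "$3" ] || { echo "pid dir missing or not writable: $3"; rc=1; }
    # Kevin's second box had a full tmp; a volume already past the rollover
    # threshold is cheap to rule out before digging into the binary.
    used=$(df -P "$2" 2>/dev/null | awk 'NR==2 { sub(/%/, "", $5); print $5 }')
    if [ -n "$used" ] && [ "$used" -ge "$max" ]; then
        echo "log volume already ${used}% used (threshold ${max}%)"; rc=1
    fi
    return $rc
}

# Demo on the two posted lines; both decode to the same location.
for l in "$LOG1" "$LOG2"; do
    decode_segfault "$l"
done
# preflight /etc/snort/bpf.txt /var/log/snort/fpc /var/run 75
```

Once you have the address, objdump -d /usr/local/bin/daemonlogger --start-address=0x402a0a --stop-address=0x402a40 shows the faulting instruction; the same offset on two hosts with the same package means the same code path, which is why the next step is to run the exact command line openfpc built rather than a simplified one. To get the backtrace Marty asked about, run that command line under gdb --args with -d left off so daemonlogger stays in the foreground instead of daemonizing, or set ulimit -c unlimited in the launching shell. Note that because daemonlogger drops to the snort user (-u/-g), the kernel clears the process's dumpable flag after the credential change, so no core file will appear unless fs.suid_dumpable is set; a missing core does not mean it did not crash.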