Hey,

Thanks for the output. Can you try very quickly the latest snapshot:

http://ossec.net/files/snapshots/ossec-hids-090630.tar.gz

I think I got it fixed.

Thanks,

On Tue, Jun 30, 2009 at 12:01 PM, louie<[email protected]> wrote:
> This may not be a 64-bit issue, because I had another 32-bit machine segfault
> too.
>
> This is an x86_64 machine
> debian lenny 5.0.2
> kernel 2.6.26-2-amd64
>
> gdb /var/ossec/bin/ossec-syscheckd
> GNU gdb 6.8-debian
> Copyright (C) 2008 Free Software Foundation, Inc.
> License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
> This is free software: you are free to change and redistribute it.
> There is NO WARRANTY, to the extent permitted by law. Type "show copying"
> and "show warranty" for details.
> This GDB was configured as "x86_64-linux-gnu"...
> (gdb) set follow-fork-mode child
> (gdb) run
> Starting program: /var/ossec/bin/ossec-syscheckd
>
> Program received signal SIGSEGV, Segmentation fault.
> [Switching to process 1989]
> 0x000000000040414b in start_daemon () at run_check.c:278
> 278         if(syscheck.realtime->fd >= 0)
> (gdb) bt
> #0  0x000000000040414b in start_daemon () at run_check.c:278
> #1  0x0000000000402a98 in main (argc=1, argv=0x7fffe574afb8) at syscheck.c:337
>
> sorry, but I don't know where to use -d -d
>
> gdb -d /var/ossec/bin/ossec-syscheckd
> Tue Jun 30 23:00:09 CST 2009
> GNU gdb 6.8-debian
> Copyright (C) 2008 Free Software Foundation, Inc.
> License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
> This is free software: you are free to change and redistribute it.
> There is NO WARRANTY, to the extent permitted by law. Type "show copying"
> and "show warranty" for details.
> This GDB was configured as "x86_64-linux-gnu".
>
> warning: /var/ossec/bin/ossec-syscheckd is not a directory.
>
> gdb /var/ossec/bin/ossec-syscheckd -d
> Tue Jun 30 23:00:33 CST 2009
> gdb: option `-d' requires an argument
> Use `gdb --help' for a complete list of options.
>
> segfault happened within ten minutes
>
> --
> Louie  June 30, 2009  22:58:40
>
> On Tue, Jun 30, 2009 at 11:33:54AM -0300, Daniel Cid wrote:
>> Hey,
>>
>> Thanks for the feedback. We certainly didn't encounter this error in
>> our beta testing, but will try to fix asap.
>>
>> Can any of you run it with gdb? Also, do you have the real time
>> monitoring enabled? Does it happen right away
>> or after a while?
>>
>> To run with gdb:
>>
>> # gdb /var/ossec/bin/ossec-syscheckd
>>
>> Inside gdb:
>>
>> (gdb) set follow-fork-mode child
>> (gdb) run
>>
>> When it seg faults:
>>
>> (gdb) bt
>>
>> If you can do that (and run with -d -d to enable debug) it would really help.
>>
>> Thanks,
>>
>> --
>> Daniel B. Cid
>> dcid ( at ) ossec.net
>>
>> On Tue, Jun 30, 2009 at 11:12 AM, louie<[email protected]> wrote:
>>> It's a me too reply ^_^
>>>
>>> just upgraded to 2.1
>>>
>>> [534986.676528] ossec-syscheckd[19422]: segfault at 0 ip 40414b sp
>>> 7fffbd4e3b10 error 4 in ossec-syscheckd[400000+3b000]
>>>
>>> debian lenny 5.0.2
>>> kernel 2.6.26-2-amd64
>>>
>>> --
>>> Louie  June 30, 2009  22:10:35
>>>
>>> On Tue, Jun 30, 2009 at 09:16:54AM -0400, Koski, David wrote:
>>>> Just upgraded and my ossec-syscheckd segfaulted on its first run (RHEL5
>>>> x64) on the main server:
>>>>
>>>> kernel: ossec-syscheckd[1853]: segfault at 0000000000000000 rip
>>>> 0000000000403dbe rsp 00007fff14946db0 error 4
>>>>
>>>>     David
>>>>
>>>> -----Original Message-----
>>>> From: [email protected] [mailto:[email protected]] On
>>>> Behalf Of Daniel Cid
>>>> Sent: Tuesday, June 30, 2009 8:38 AM
>>>> To: [email protected]; [email protected]
>>>> Subject: [ossec-list] OSSEC v2.1 released
>>>>
>>>> Hi list,
>>>>
>>>> We are happy to announce that OSSEC version 2.1 is available now.
>>>>
>>>> This new version is the first one with support for centralized
>>>> configurations and realtime integrity monitoring on Linux.
>>>> It also includes many other features and bug fixes:
>>>>
>>>>     * Centralized configuration - The agent.conf file was introduced
>>>> to allow granular configuration of the agents directly on the manager
>>>> side.
>>>>     * Remote agent restart - Functionality was added to restart the
>>>> agents remotely using the agent_control tool.
>>>>     * Real time integrity checking - Real time integrity checking was
>>>> added to Linux systems.
>>>>     * New Log Rules Support - We added support for Windows DHCP logs
>>>> and fixed/improved many of the other rules for different messages.
>>>>
>>>> Source:
>>>> http://www.ossec.net/main/ossec-v21-released
>>>>
>>>> Download from here:
>>>> http://www.ossec.net/main/downloads
>>>>
>>>> Full changelog (If I forgot someone, please let me know and I will
>>>> update it asap):
>>>> http://www.ossec.net/announcements/v2.1-2009-06-30.txt
>>>>
>>>> -Added additional rules to detect the enumeration of extensions
>>>> (Patch by Chris Bailes <chris at paeenterprises.co.uk>).
>>>>
>>>> -Added support for glob (regular expressions) when specifying the
>>>> directories to check on syscheck.
>>>>
>>>> -Added support for syslog-ng ISODATE (conforming to ISO-8601) date formats
>>>> in the syslog header.
>>>>
>>>> -Added support for rsyslog non-standard date format (RFC 5425).
>>>>
>>>> -Added the log testing tool to the default build (now available at
>>>> /var/ossec/bin/ossec-logtest ).
>>>>
>>>> -Added agentless script for Foundry switches
>>>> (Thanks to Matt <mgoldsberry at gmail.com> for the help).
>>>>
>>>> -Added support for real time integrity checking.
>>>>
>>>> -Added support for sending OSSEC alerts to twitter via active response.
>>>>
>>>> -Added support for Windows DHCP logs
>>>> (Thanks to [email protected] for the help).
>>>>
>>>> -Adding changes to support ASA/FWSM on the agentless monitoring
>>>> (Thanks to Michael Starks for the patch)
>>>>
>>>> -Added option to restart an ossec agent remotely.
>>>>
>>>> -Added agent config on the manager side.
>>>>
>>>> -Added the ability to fully build a Windows ossec agent directly from
>>>> the (Linux) server.
>>>>
>>>> -Fixed rootcheck to not monitor read-only file systems during the
>>>> rc_sys_check
>>>> (Reported by Dennis Golden).
>>>>
>>>> -Fixed Windows policy that was looking for the wrong value to check if
>>>> the firewall was enabled or not
>>>> (Reported by Aaron Bliss).
>>>>
>>>> -Fixed debian rules that were matching on Juniper messages
>>>> (Reported by Reggie Griffin).
>>>>
>>>> -Fixed yum rules that were matching on other events.
>>>>
>>>> -Fixed syscheck_control that was segfaulting on 64-bit systems.
>>>>
>>>> -Fixed mcafee rule that was triggering deleted viruses as uncontained
>>>> (Thanks to Michael Starks for the patch).
>>>>
>>>> -Fixed sshd rule to support new log format
>>>> (Thanks to j.bromley at bristol.ac.uk for the report).
>>>>
>>>> -Fixed ssh_integrity_check_linux agentless script that had some extra
>>>> spaces causing it to hang
>>>> (Thanks to Mark Ibrahim for the report).
>>>>
>>>> -Fixed support for systems without proper syslog hostname (solaris 8/9
>>>> most of the time).
>>>>
>>>> -Added System32 Restore directory to the list of ignore files for
>>>> integrity checking
>>>> (it was causing too many false positives).
>>>>
>>>> -Fixed iptables active-response scripts that were not properly deleting
>>>> all the entries.
>>>>
>>>> -Added agentless devices to the listing tools (agent_control -l,
>>>> syscheck_control -l, etc).
>>>>
>>>> -Fixed bug when reading /dev/fd on FreeBSD that was causing ossec to loop.
>>>> (Patch by Danny Fullerton - dfullerton at mantor.org )
>>>>
>>>> -Fixed file descriptor leak on execd.
>>>> (Patch by Slava Semushin - php-coder at altlinux.org )
>>>>
>>>> -Fixed bug where descriptions with new lines would break the alert file.
>>>> (Reported by Bill Mathews <billford at gmail.com>)
>>>>
>>>> -Fixed init scripts for Darwin.
>>>> (patch by Peter <peter.wolanin at acquia.com>)
>>>>
>>>> -Added support for strftime on globbed files.
>>>>
>>>> -Added the option to decrease syscheck sleep time to 0 (and run as
>>>> fast as possible).
>>>> (thanks to Michael Altfield <michael.sa at gmail.com> for the suggestion)
>>>>
>>>> Thanks,
>>>>
>>>> --
>>>> Daniel B. Cid
>>>> dcid ( at ) ossec.net
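The reports above line up on one failure shape: the kernel logs "segfault at 0 ... error 4" (a user-mode read of address 0) and gdb stops on `if(syscheck.realtime->fd >= 0)`, which is what you get when `syscheck.realtime` is a NULL pointer and `fd` is its first member. The following is an added example, not OSSEC's source and not the fix that went into the snapshot: it reproduces that pattern in a hypothetical `struct syscheck_config` with a `realtime` pointer that is only allocated when real time monitoring is enabled, shows the unchecked dereference beside a guarded form, and is the kind of minimal case worth stepping through under gdb before touching the real daemon. All struct, field and function names are assumptions made for the illustration.

```c
/* Added example (not OSSEC code): NULL-pointer dereference pattern
 * behind a "segfault at 0" when a feature's state is only allocated
 * if that feature was configured. Names below are hypothetical. */
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical state of the real time (inotify-style) monitor. */
struct rt_state {
    int fd;     /* watch descriptor; -1 means not open. Offset 0 in the struct. */
};

/* Hypothetical daemon configuration. `realtime` stays NULL unless real
 * time monitoring was enabled and its state was allocated. */
struct syscheck_config {
    struct rt_state *realtime;
};

/* Process-wide config, as a daemon would keep it; starts with realtime off. */
struct syscheck_config syscheck = { NULL };

/* Crashing shape: reads realtime->fd with no NULL check. When
 * syscheck.realtime == NULL the load is from address 0 + offsetof(fd) == 0,
 * i.e. exactly "segfault at 0 ... error 4". Kept only to show the bug;
 * do not call it while realtime may be NULL. */
int realtime_ready_unchecked(void)
{
    if (syscheck.realtime->fd >= 0)
        return 1;
    return 0;
}

/* Guarded form: "real time disabled" is a legitimate state, so test the
 * pointer before the descriptor it owns. Returns 1 only when a watch
 * descriptor is open. */
int realtime_ready(const struct syscheck_config *cfg)
{
    if (cfg == NULL || cfg->realtime == NULL)
        return 0;                     /* feature off: nothing to poll */
    return cfg->realtime->fd >= 0;    /* feature on: is the descriptor open? */
}

/* Simulates the start-up path that only runs when real time monitoring is
 * configured. Returns 0 on success, -1 if allocation fails. */
int enable_realtime(struct syscheck_config *cfg, int fd)
{
    cfg->realtime = calloc(1, sizeof *cfg->realtime);
    if (cfg->realtime == NULL)
        return -1;
    cfg->realtime->fd = fd;
    return 0;
}

/* Tears the state down and leaves the pointer NULL again. */
void disable_realtime(struct syscheck_config *cfg)
{
    free(cfg->realtime);
    cfg->realtime = NULL;
}

int main(void)
{
    struct syscheck_config cfg = { NULL };

    printf("realtime off      -> ready=%d\n", realtime_ready(&cfg));   /* 0 */
    if (enable_realtime(&cfg, 5) != 0)
        return 1;
    printf("realtime fd=5     -> ready=%d\n", realtime_ready(&cfg));   /* 1 */
    cfg.realtime->fd = -1;
    printf("realtime fd=-1    -> ready=%d\n", realtime_ready(&cfg));   /* 0 */
    disable_realtime(&cfg);
    printf("realtime off again-> ready=%d\n", realtime_ready(&cfg));   /* 0 */

    /* realtime_ready_unchecked() would SIGSEGV here, since the global
     * syscheck.realtime is still NULL, reproducing the reported crash. */
    return 0;
}
```

To reproduce the crash under gdb with this file, build with `-g`, then `gdb ./a.out`, `run`, and `bt` once SIGSEGV arrives; the faulting line will be the unchecked `->fd` load. On the daemon itself, the `-d -d` Daniel asks for are ossec-syscheckd's own arguments, not gdb's: pass them either as `run -d -d` at the `(gdb)` prompt or on the command line as `gdb --args /var/ossec/bin/ossec-syscheckd -d -d`. gdb's own `-d` is `--directory` (a source search path), which is why the two attempts in the report printed "is not a directory" and "requires an argument".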
