On Monday, 23 March 2015 19:28:17 UTC+1, dan (ddpbsd) wrote:
>
> On Fri, Mar 20, 2015 at 6:38 AM, Georg Schönberger <[email protected]> wrote:
> > Hi OSSEC team,
> >
> > I am currently running into trouble where my ossec-analysisd is crashing with
> > a segfault:
> > # gdb ./bin/ossec-analysisd
> > (gdb) run -d -d -f
> > [...]
> > Program received signal SIGSEGV, Segmentation fault.
> > 0x00007ffff74fe840 in __GI___libc_free (mem=0x2432f3b) at malloc.c:2984
> > 2984 malloc.c: No such file or directory.
> > (gdb) where
> > #0 0x00007ffff74fe840 in __GI___libc_free (mem=0x2432f3b) at malloc.c:2984
> > #1 0x000000000041073e in Free_Eventinfo (lf=0x2497580) at eventinfo.c:580
> > #2 0x00000000004042f6 in OS_ReadMSG (m_queue=7) at analysisd.c:1183
> > #3 0x0000000000403571 in main (argc=4, argv=0x7fffffffe1b8) at analysisd.c:555
> >
> > The daemon is running fine for some time and all alerts are generated, but
> > then it crashes with the above segfault.
> >
> > I am not quite sure if it is due to new rules, nevertheless IMO the daemon
> > should not segfault.
> >
>
> What version of OSSEC?
>

OSSEC Version is 2.8.1.

Just for your information, I have found the config setting that was creating the troubles:

* I have a file with all md5sums of installed packages
** # head dpkg_checksums.txt
ec4697290c3e566c916ff9a3d45aa34c usr/lib/x86_64-linux-gnu/libmysqlclient.so.18.1.0
f861658b8d23d320b5225d9513b41227 usr/share/doc/libmysqlclient18/COPYING.gz
[...]
# du -sh dpkg_checksums.txt
2.3M dpkg_checksums.txt

I had set up "report_changes" on this file and I noticed in the stack trace that the segfault happened at this file:

(gdb) info locals
rulenode_pt = 0x691e70
i = 1641
msg = "syscheck\000\060:33188:0:0:: ... dpkg_checksums.txt ...
[...]

> > FYI, I am using a patch for OSSEC, but it should not be related to my
> > problem above:
> > * http://blog.rootshell.be/wp-content/uploads/2013/05/ossec-hids-2.7.md5-patch.diff
> >
> > THX a lot for your help,
> > Georg
> >
> > --
> >
> > ---
> > You received this message because you are subscribed to the Google Groups
> > "ossec-list" group.
> > To unsubscribe from this group and stop receiving emails from it, send an
> > email to [email protected].
> > For more options, visit https://groups.google.com/d/optout.
