On Thu, Mar 26, 2015 at 3:25 AM, Georg Schönberger wrote:
> On Monday, March 23, 2015 at 19:28:17 UTC+1, dan (ddpbsd) wrote:
>>
>> On Fri, Mar 20, 2015 at 6:38 AM, Georg Schönberger wrote:
>> > Hi OSSEC team,
>> >
>> > I am currently running into trouble where my ossec-analysisd is crashing with a segfault:
>> > # gdb ./bin/ossec-analysisd
>> > (gdb) run -d -d -f
>> > [...]
>> > Program received signal SIGSEGV, Segmentation fault.
>> > 0x00007ffff74fe840 in __GI___libc_free (mem=0x2432f3b) at malloc.c:2984
>> > 2984 malloc.c: No such file or directory.
>> > (gdb) where
>> > #0 0x00007ffff74fe840 in __GI___libc_free (mem=0x2432f3b) at malloc.c:2984
>> > #1 0x000000000041073e in Free_Eventinfo (lf=0x2497580) at eventinfo.c:580
>> > #2 0x00000000004042f6 in OS_ReadMSG (m_queue=7) at analysisd.c:1183
>> > #3 0x0000000000403571 in main (argc=4, argv=0x7fffffffe1b8) at analysisd.c:555
>> >
>> > The daemon is running fine for some time and all alerts are generated, but then it crashes with the above segfault.
>> >
>> > I am not quite sure if it is due to new rules, nevertheless IMO the daemon should not segfault.
>> >
>>
>> What version of OSSEC?
>>
>
> OSSEC Version is 2.8.1.
>
> Just for your information, I have found the config setting that was creating the troubles:
> * I have a file with all md5sums of installed packages
> ** # head dpkg_checksums.txt
> ec4697290c3e566c916ff9a3d45aa34c usr/lib/x86_64-linux-gnu/libmysqlclient.so.18.1.0
> f861658b8d23d320b5225d9513b41227 usr/share/doc/libmysqlclient18/COPYING.gz
> [...]
> # du -sh dpkg_checksums.txt
> 2.3M dpkg_checksums.txt
>
> I had set up "report_changes" on this file and I noticed in the stack trace that the segfault happened at this file:
> (gdb) info locals
> rulenode_pt = 0x691e70
> i = 1641
> msg = "syscheck\000\060:33188:0:0:: ... dpkg_checksums.txt ...
> [...]
>

Please create an issue on github for this: https://github.com/ossec/ossec-hids

>>
>> > FYI, I am using a patch for OSSEC, but it should not be related to my problem above:
>> >
>> > *http://blog.rootshell.be/wp-content/uploads/2013/05/ossec-hids-2.7.md5-patch.diff
>> >
>> > THX a lot for your help, Georg
>> >
>> > --
>> >
>> > ---
>> > You received this message because you are subscribed to the Google Groups "ossec-list" group.
>> > To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
>> > For more options, visit https://groups.google.com/d/optout.
