racluster crash

[Dietmar Goldbeck]

On Thu, Aug 10, 2006 at 09:58:40AM -0400, Carter Bullard wrote:
> Hey Dietmar,
>    A few things that might help to get you past the problem until
> I can figure it out.   Your status time value really should to be larger
> than the idle timeout value.    (i'm sure that we're going to time out

  Hi Carter,

it crashes also when using just thie 2 lines:

filter="tcp or udp" model="saddr sport daddr proto dport" status=600 idle=120
filter="" model="saddr daddr proto" status=600 idle=120

>    The only way to debug this type of problem is to have a file
> that contains the set of records that generates the error.  If you
> can just capture a bunch of records and run racluster against
> that file, you should get the same behavior?

No, i had a pcap file (155MB too large for a mail and
unfortunately, i deleted it prior to finding the other bug with pcap files) 

Running

argus -r ippp.cap -w - | racluster -F racluster.conf 

gave me a crash. (No core dump, but a message like
ArgusRemoveFromQueue(0x81a7dc0, 0x81c3cf0) obj not in queue)

The following command works fine:
argus -r ippp.cap -w argus3.log; racluster -f racluster.conf -r argus3.log


At the moment i have racluster -S 127.0.0.1 -f racluster.conf running
on my firewall.  Every few hours get a core dump. Unfortunately it
doesn't give much informtion:

gdb /usr/local/argus-3.0.0.rc.25/bin/racluster core.So_Aug_13_15\:12\:02_CEST_2006

Core was generated by `racluster -f /etc/tux-misst/racluster.conf -S 127.0.0.1'.
Program terminated with signal 11, Segmentation fault.
#0  0xb7ef6689 in ?? ()
(gdb) backtrace
#0  0xb7ef6689 in ?? ()
Cannot access memory at address 0xbf7fffec
(gdb)

Do i need to put -g into CFLAGS? I did a 

touch .devel .debug

and recompiled everything. 

   regards,

      Dietmar

-- 
 Alles Gute / best wishes  
     Dietmar Goldbeck         E-Mail: dietmar.goldbeck at schotterweg.de
Reporter (to Mahatma Gandhi): Mr Gandhi, what do you think of Western
Civilization?  Gandhi: I think it would be a good idea.