racluster crash

carter at qosient.com carter at qosient.com
Sun Aug 13 14:12:13 EDT 2006 

Yes, I think your missing a concept here.
The status timer should be shorter than the idle timer.

Carter

Carter Bullard
QoSient LLC
150 E. 57th Street Suite 12D
New York, New York 10022
+1 212 588-9133 Phone
+1 212 588-9134 Fax  

-----Original Message-----
From: Dietmar Goldbeck <goldbeck at e-trend.de>
Date: Sun, 13 Aug 2006 19:33:45 
To:Carter Bullard <carter at qosient.com>
Cc:argus-info at lists.andrew.cmu.edu
Subject: Re: [ARGUS] racluster crash

On Thu, Aug 10, 2006 at 09:58:40AM -0400, Carter Bullard wrote:
> Hey Dietmar,
>    A few things that might help to get you past the problem until
> I can figure it out.   Your status time value really should to be larger
> than the idle timeout value.    (i'm sure that we're going to time out

  Hi Carter,

it crashes also when using just thie 2 lines:

filter="tcp or udp" model="saddr sport daddr proto dport" status=600 idle=120
filter="" model="saddr daddr proto" status=600 idle=120

>    The only way to debug this type of problem is to have a file
> that contains the set of records that generates the error.  If you
> can just capture a bunch of records and run racluster against
> that file, you should get the same behavior?

No, i had a pcap file (155MB too large for a mail and
unfortunately, i deleted it prior to finding the other bug with pcap files) 

Running

argus -r ippp.cap -w - | racluster -F racluster.conf 

gave me a crash. (No core dump, but a message like
ArgusRemoveFromQueue(0x81a7dc0, 0x81c3cf0) obj not in queue)

The following command works fine:
argus -r ippp.cap -w argus3.log; racluster -f racluster.conf -r argus3.log


At the moment i have racluster -S 127.0.0.1 -f racluster.conf running
on my firewall.  Every few hours get a core dump. Unfortunately it
doesn't give much informtion:

gdb /usr/local/argus-3.0.0.rc.25/bin/racluster core.So_Aug_13_15\:12\:02_CEST_2006

Core was generated by `racluster -f /etc/tux-misst/racluster.conf -S 127.0.0.1'.
Program terminated with signal 11, Segmentation fault.
#0  0xb7ef6689 in ?? ()
(gdb) backtrace
#0  0xb7ef6689 in ?? ()
Cannot access memory at address 0xbf7fffec
(gdb)

Do i need to put -g into CFLAGS? I did a 

touch .devel .debug

and recompiled everything. 

   regards,

      Dietmar

-- 
 Alles Gute / best wishes  
     Dietmar Goldbeck         E-Mail: dietmar.goldbeck at schotterweg.de
Reporter (to Mahatma Gandhi): Mr Gandhi, what do you think of Western
Civilization?  Gandhi: I think it would be a good idea.

More information about the argus mailing list