racluster segv reading argus v2 file

Mike Iglesias iglesias at uci.edu
Wed Mar 11 13:04:42 EDT 2009


We're still running argus v2 (haven't had time to upgrade), and I'm playing
around with racluster trying to duplicate the output of ragator as we have
some processes that use that data format for reports and such.  I downloaded
the latest argus-clients (3.0.2.beta.2) and used that for this work.

I have an racluster.conf file that looks like this:

RA_FIELD_SPECIFIER= stime flgs proto saddr sport dir daddr dport spkts dpkts sbytes dbytes state
RA_TIME_FORMAT="%d %b %g %T"

(some lines may have wrapped)

I ran racluster like this against a current v2 file:

racluster -F /home/racluster.conf -A -nn -r /log/argus/argus.out

and got a seg fault.

I rebuilt the clients with .debug and .devel, and here's the output of running
racluster under gdb.  I've snipped a bunch of the lines out of the middle
because the output would be really long otherwise.



Script started on Wed 11 Mar 2009 08:51:03 AM PDT
[root at argrh bin]# gdb racluster
GNU gdb Fedora (6.8-23.fc9)
Copyright (C) 2008 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "i386-redhat-linux-gnu"...
(gdb) run -D 5 -F /home/racluster.conf -A -nn -r /log/argus/argus.out
Starting program: /home/src/argus-clients-3.0.2.beta.2/bin/racluster -D 5 -F
/home/racluster.conf -A -nn -r /log/argus/argus.out
[Thread debugging using libthread_db enabled]
racluster[17330.4069f1b7]: 11 Mar 09 08:51:13 ArgusParseResourceFile
(/home/racluster.conf) returning 1
racluster[17330.4069f1b7]: 11 Mar 09 08:51:13 ArgusAddFileList (0xb7ed3008,
/log/argus/argus.out, 1, -1, -1) returning -1
racluster[17330.4069f1b7]: 11 Mar 09 08:51:13 ArgusNewQueue () returning
0x95a8498
racluster[17330.4069f1b7]: 11 Mar 09 08:51:13 ArgusNewHashTable (65536)
returning 0x95a8a98
racluster[17330.4069f1b7]: 11 Mar 09 08:51:13 ArgusReadConnection() read 16 bytes
racluster[17330.4069f1b7]: 11 Mar 09 08:51:13 ArgusReadConnection()
ARGUS_V2_START Mar.
racluster[17330.4069f1b7]: 11 Mar 09 08:51:13 ArgusParseInit(0xb7ed3008
0xb7e71008
racluster[17330.4069f1b7]: 11 Mar 09 08:51:13 ArgusReadConnection(0xb7e71008,
1) returning 1
racluster[17330.4069f1b7]: 11 Mar 09 08:51:13 ArgusReadStreamSocket
(0xb7e71008) read 262144 bytes
racluster[17330.4069f1b7]: 11 Mar 09 08:51:13 ArgusCopyRecordStruct
(0xb7e71528) retn 0x95e8c30
racluster[17330.4069f1b7]: 11 Mar 09 08:51:13 ArgusCopyRecordStruct
(0xb7e71528) retn 0x95e8fb8
racluster[17330.4069f1b7]: 11 Mar 09 08:51:13 ArgusCopyRecordStruct
(0xb7e71528) retn 0x95e9248
racluster[17330.4069f1b7]: 11 Mar 09 08:51:13 ArgusCopyRecordStruct
(0xb7e71528) retn 0x95e9480
racluster[17330.4069f1b7]: 11 Mar 09 08:51:13 ArgusCopyRecordStruct
(0xb7e71528) retn 0x95e9690
racluster[17330.4069f1b7]: 11 Mar 09 08:51:13 ArgusCopyRecordStruct
(0xb7e71528) retn 0x95e9920
racluster[17330.4069f1b7]: 11 Mar 09 08:51:13 ArgusCopyRecordStruct
(0xb7e71528) retn 0x95e9b30

[snip]

racluster[17330.4069f1b7]: 11 Mar 09 08:51:13 ArgusCopyRecordStruct
(0xb7e71528) retn 0x96ee200
racluster[17330.4069f1b7]: 11 Mar 09 08:51:13 ArgusCopyRecordStruct
(0xb7e71528) retn 0x96ee410
racluster[17330.4069f1b7]: 11 Mar 09 08:51:13 ArgusCopyRecordStruct
(0xb7e71528) retn 0x96ee6a0
racluster[17330.4069f1b7]: 11 Mar 09 08:51:13 ArgusCopyRecordStruct
(0xb7e71528) retn 0x96ee930
racluster[17330.4069f1b7]: 11 Mar 09 08:51:13 ArgusCopyRecordStruct
(0xb7e71528) retn 0x96eeb40
racluster[17330.4069f1b7]: 11 Mar 09 08:51:13 ArgusCopyRecordStruct
(0xb7e71528) retn 0x96eed50
racluster[17330.4069f1b7]: 11 Mar 09 08:51:13 ArgusCopyRecordStruct
(0xb7e71528) retn 0x96eefe0
racluster[17330.4069f1b7]: 11 Mar 09 08:51:13 ArgusCopyRecordStruct
(0xb7e71528) retn 0x96ef270
[New Thread 0xb7f16940 (LWP 17330)]

Program received signal SIGSEGV, Segmentation fault.
0x080a8660 in ArgusProcessTCPAvailability (parser=0xb7ed3008,
argus=0xb7e71528) at ./argus_client.c:6426
6426	   switch (net->hdr.subtype) {
Missing separate debuginfos, use: debuginfo-install glibc.i686 zlib.i386
(gdb) where
#0  0x080a8660 in ArgusProcessTCPAvailability (parser=0xb7ed3008,
argus=0xb7e71528) at ./argus_client.c:6426
#1  0x080a84b9 in ArgusProcessServiceAvailability (parser=0xb7ed3008,
argus=0xb7e71528) at ./argus_client.c:6364
#2  0x0804b601 in RaProcessRecord (parser=0xb7ed3008, ns=0xb7e71528) at
./racluster.c:362
#3  0x08059065 in RaScheduleRecord (parser=0xb7ed3008, argus=0xb7e71528) at
./argus_util.c:1958
#4  0x0805949a in ArgusHandleDatum (parser=0xb7ed3008, input=0xb7e71008,
ptr=0x95a8c28, filter=0xb7ef3668) at ./argus_util.c:2045
#5  0x0809c3ef in ArgusReadStreamSocket (parser=0xb7ed3008, input=0xb7e71008)
at ./argus_client.c:1697
#6  0x0809c5cf in ArgusReadFileStream (parser=0xb7ed3008, input=0xb7e71008) at
./argus_client.c:1748
#7  0x0804ce16 in main (argc=9, argv=0xbfb27944) at ./argus_main.c:230
(gdb)


-- 
Mike Iglesias                          Email:       iglesias at uci.edu
University of California, Irvine       phone:       949-824-6926
Network & Academic Computing Services  FAX:         949-824-2270


