Argus 3.0.2/3.0.6.1 segfaults

Robert Kerr r.kerr at cranfield.ac.uk
Tue May 28 12:29:25 EDT 2013


Hi,

I've been having an issue lately with one of my argus sensors
crashing roughly once a week. The sensor in question was running argus
3.0.2 on RHEL5 on reasonably old hardware. I wondered whether the
hardware was struggling to cope with the amount of traffic and so
decided to build a new sensor on brand new hardware. I built 3.0.6.1 on
RHEL6 and set it running alongside the old box - both receiving the same
traffic feed. Everything looked good for a few days but then argus on
both boxes died at exactly the same time. I guess this suggests there is
a certain packet or sequence of packets argus doesn't like much. The
only argus related messages in syslog are:

3.0.2
May 26 07:04:02 argus[12332]: 26 May 13 07:04:02.255034 ArgusNewFlow()
flow key is not correct len equals zero
May 26 07:04:02 argus[12332]: 26 May 13 07:04:02.255144 ArgusNewFlow()
flow key is not correct len equals zero
May 26 11:59:35 kernel: argus[12332]: segfault at 0000000000000000 rip
0000000000408f1d rsp 00007fff58cf5a30 error 4

3.0.6.1
May 26 07:04:02 argus[22813]: 26 May 13 07:04:02.254647 ArgusNewFlow()
flow key is not correct len equals zero
May 26 07:04:02 argus[22813]: 26 May 13 07:04:02.255644 ArgusNewFlow()
flow key is not correct len equals zero
May 26 11:59:35 kernel: argus[22823]: segfault at 0 ip 0000000000411c20
sp 00007f611dfe17f0 error 4 in argus[400000+a0000]

I'm assuming the next step would be to build argus with .debug and wait
for it to crash again? Anything else I need to do?

-- 
 Robert Kerr
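
Added example, not part of the original post and not argus project code: a small Python triage helper that decodes the two kernel "segfault at" lines quoted above (the RHEL5 "rip/rsp" form and the RHEL6 "ip/sp ... in argus[base+size]" form). The function names are hypothetical, and the sample lines are the ones from the post with the mail line wraps rejoined.

```python
import re

# The two kernel lines from the post above, with the mail line wraps rejoined.
SAMPLE = [
    "May 26 11:59:35 kernel: argus[12332]: segfault at 0000000000000000 rip "
    "0000000000408f1d rsp 00007fff58cf5a30 error 4",
    "May 26 11:59:35 kernel: argus[22823]: segfault at 0 ip 0000000000411c20 "
    "sp 00007f611dfe17f0 error 4 in argus[400000+a0000]",
]

# Matches both the older "rip/rsp" and the newer "ip/sp ... in obj[base+size]" form.
SEGV = re.compile(
    r"(?P<comm>\S+)\[(?P<pid>\d+)\]: segfault at (?P<addr>[0-9a-f]+) "
    r"r?ip (?P<ip>[0-9a-f]+) r?sp (?P<sp>[0-9a-f]+) error (?P<err>[0-9a-f]+)"
    r"(?: in (?P<obj>[^\[\s]+)\[(?P<base>[0-9a-f]+)\+(?P<size>[0-9a-f]+)\])?"
)

def decode_error(code):
    """Decode the x86 page-fault error code (the kernel prints it in hex)."""
    return {
        "cause": "protection violation" if code & 1 else "page not present",
        "access": "instruction fetch" if code & 16 else ("write" if code & 2 else "read"),
        "mode": "user" if code & 4 else "kernel",
    }

def triage(line):
    """Return a dict describing a kernel segfault line, or None if it is not one."""
    m = SEGV.search(line)
    if m is None:
        return None
    addr, ip = int(m["addr"], 16), int(m["ip"], 16)
    info = {"comm": m["comm"], "pid": int(m["pid"]), "fault_addr": addr, "ip": ip}
    info.update(decode_error(int(m["err"], 16)))
    # A fault inside the first page is almost always a NULL (or NULL + small
    # offset) pointer dereference.
    info["null_deref"] = addr < 4096
    # Newer kernels append the mapping; ip - base is the offset into that object.
    info["object"] = m["obj"]
    info["offset"] = ip - int(m["base"], 16) if m["base"] else None
    return info

if __name__ == "__main__":
    for line in SAMPLE:
        print(triage(line))
```

Both lines decode to a user-mode read of a not-present page at address 0. With a build that carries debug symbols, the reported instruction pointer can be resolved to a source line with addr2line -e against the argus binary.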
