racluster 3.0.8.2 segfaults with -M dsrs option

Markku P via Argus-info argus-info at lists.andrew.cmu.edu
Fri Jul 15 01:53:13 EDT 2016


Hey,

I applied your modifications and they do remove the crash. Awesome speed on
the fix. Thanks!

There shouldn't be multiple processes writing into the same file (pid files
are used), but I guess anything is possible. I'm restarting the argus daemons
via cron every now and then, because they have gotten stuck multiple times in
the past (once per month or so), entering some do-nothing-and-idle loop.
That's another thing that would have needed fixing, but it's difficult to
diagnose (getting a stack trace from a non-attached process and all). This
workaround has worked well for years.

As for the one-sided traffic, it's meant to be like that here. None of the
destinations reply. This is kind of a special set-up, where all of the
traffic seen is either malicious or config/user error.

Thanks again.


2016-07-14 21:58 GMT+03:00 Carter Bullard <carter at qosient.com>:

> Hey Markku P,
> You should be running argus-clients-3.0.8.2, as that is the current
> version.  If you can, please make that upgrade.  The modifications I have
> included below belong to that version, so if needed … upgrade and then
> update with the included files below.
>
> The file that you sent is corrupted (as you probably suspected).  It has a
> partial argus record at byte offset 1863448 (about 22% into the data file),
> which doesn’t have any time values. This is an illegal record, and so we
> stop processing.  Your corrupted file did expose a bug that I’ve fixed.
>
> Now, argus clients can recover from corrupted flow records, by skipping 4
> byte chunks until it finds legitimate records in the file, and your file
> does have legitimate data starting at byte count 1866640.  But there are a
> few records that are really munged.  Any possibility that you had 2
> processes writing into the file for some time ????
>
> The corrupted file tickled a few bugs, as the corruption generated pseudo
> Netflow records, and pseudo Argus event records.  I’ve fixed it to the
> point that we can read your file, but it involves multiple changes to
> ./common/argus_client.c and ./common/argus_util.c.  If you could, replace
> your copies of the files I’ve included, and test it out on your data that
> would be cool.
>
> Thanks !!!!
>
> Carter
>
>
>
> > On Jul 14, 2016, at 8:47 AM, Markku P via Argus-info <
> argus-info at lists.andrew.cmu.edu> wrote:
> >
> > Hi,
> >
> > My argus 3.0.8.1 has managed to produce a few files that segfault even the
> latest racluster:
> >
> > $ racluster -M dsrs=-agr -r crashing-20160703.dat -m proto  -w out.ra
> > Segmentation fault
> >
> > The issue seems to be on the "-M dsrs" option. The actual option value
> used does not seem to matter. Direct read with ra works normally. That same
> option works with most of my other files.
> >
> > Trace:
> > #0  0x0000000000457a81 in ArgusGenerateRecordStruct ()
> > #1  0x0000000000432f4c in ArgusHandleRecord ()
> > #2  0x0000000000459b7c in ArgusReadStreamSocket ()
> > #3  0x0000000000459cb5 in ArgusReadFileStream ()
> > #4  0x0000000000406482 in main ()
> >
> > The system is an old 64-bit CentOS Linux, gcc 4.1.2.
> >
> > I have uploaded that test file to qosient.com /incoming for your
> analysis.
> >
>
>
>
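The recovery strategy Carter describes above (skip forward in 4-byte steps until a legitimate record is found, and treat a record with no time values as illegal) is worth seeing in code, because the bug report is a good reminder that a flow archive is untrusted input to the client: a partial or munged record must be rejected by bounds checks, not trusted by the parser. The block below is an added example and not argus code. It uses a constructed toy record layout (magic, length, seconds, microseconds, payload), not the argus on-disk format, and the sample stream it scans is constructed for the example; `check_record`, `scan_stream` and `build_sample` are names chosen here.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed toy record layout, little-endian (NOT the argus on-disk format):
 *   uint32 magic    0x41524753
 *   uint32 length   whole record including this 16-byte header
 *   uint32 sec      start time, seconds (0 means "no time values")
 *   uint32 usec     start time, microseconds (must be < 1000000)
 *   payload         length - 16 bytes
 */
#define REC_MAGIC   0x41524753u
#define REC_HDR     16u
#define REC_MAX     4096u   /* sanity bound on a record length field */
#define RESYNC_STEP 4u      /* stride used while hunting for the next record */

struct scan_result {
    unsigned records;   /* well-formed records accepted */
    unsigned skipped;   /* bytes stepped over while resynchronising */
    unsigned resyncs;   /* distinct corrupted regions encountered */
};

static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static void wr32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)v;         p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Return the record length if a legitimate record starts at buf[off], else 0.
 * Every field is checked against the bytes actually present before it is
 * used, so a partial record at end of file is rejected, not read past. */
static uint32_t check_record(const uint8_t *buf, size_t len, size_t off)
{
    if (len - off < REC_HDR) return 0;               /* header itself truncated */
    if (rd32(buf + off) != REC_MAGIC) return 0;
    uint32_t rlen = rd32(buf + off + 4);
    if (rlen < REC_HDR || rlen > REC_MAX) return 0;  /* absurd length field */
    if (rlen > len - off) return 0;                  /* body truncated */
    uint32_t sec = rd32(buf + off + 8), usec = rd32(buf + off + 12);
    if (sec == 0 || usec >= 1000000u) return 0;      /* no (or garbage) timestamp */
    return rlen;
}

/* Walk the stream; on an illegal record, advance RESYNC_STEP bytes at a time
 * until check_record() accepts something again. */
struct scan_result scan_stream(const uint8_t *buf, size_t len)
{
    struct scan_result r = {0, 0, 0};
    size_t off = 0;
    int resyncing = 0;
    while (off < len) {
        uint32_t rlen = check_record(buf, len, off);
        if (rlen) {
            r.records++;
            off += rlen;
            resyncing = 0;
        } else {
            if (!resyncing) { r.resyncs++; resyncing = 1; }
            size_t step = len - off < RESYNC_STEP ? len - off : RESYNC_STEP;
            off += step;
            r.skipped += (unsigned)step;
        }
    }
    return r;
}

/* Emit one record header plus a 4-byte payload; return bytes written. */
static size_t put_rec(uint8_t *p, uint32_t rlen, uint32_t sec, uint32_t usec,
                      const char *payload4)
{
    wr32(p, REC_MAGIC); wr32(p + 4, rlen); wr32(p + 8, sec); wr32(p + 12, usec);
    memcpy(p + REC_HDR, payload4, 4);
    return REC_HDR + 4;
}

/* Constructed sample (108 bytes): two good records, a header with zero time
 * values, eight junk bytes, a good record, and a final record whose length
 * field claims more bytes than remain in the buffer. */
size_t build_sample(uint8_t *buf, size_t cap)
{
    size_t n = 0;
    if (cap < 108) return 0;
    n += put_rec(buf + n, 20, 1467500000u, 1, "tcp1");
    n += put_rec(buf + n, 20, 1467500001u, 2, "udp2");
    n += put_rec(buf + n, 20, 0, 0, "JUNK");             /* "no time values" */
    memset(buf + n, 0xff, 8); n += 8;                    /* munged bytes */
    n += put_rec(buf + n, 20, 1467500002u, 3, "icmp");
    n += put_rec(buf + n, 24, 1467500003u, 4, "zzzz");   /* truncated record */
    return n;
}

struct scan_result scan_sample(void)
{
    uint8_t buf[128];
    size_t n = build_sample(buf, sizeof buf);
    return scan_stream(buf, n);   /* records=3 skipped=48 resyncs=2 */
}

int main(void)
{
    struct scan_result r = scan_sample();
    printf("records=%u skipped=%u resyncs=%u\n", r.records, r.skipped, r.resyncs);
    return 0;
}
```

Two caveats a reader should keep in mind. A 4-byte stride only finds the next record if the corruption preserved 4-byte alignment; a stream with an odd number of inserted bytes needs a 1-byte stride, which is slower and more likely to accept a false match, which is why the header check above validates the timestamp and length and not just the magic. And the bug-class in the thread (a record with no time values reaching `ArgusGenerateRecordStruct`) is exactly what the early rejection in `check_record` is for: nothing downstream should ever see a record the validator has not fully bounds-checked.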