[ossec-list] Re: Problems with ossec-maild
Thanks Daniel. That definitely was it.
[ossec-list] Re: Problems with ossec-maild
[root@dcprpoemprddb1 bin]# diff -r /opt/ossec-hids-2.6/src/os_maild/maild.h /opt/ossec-hids-2.6/src/os_maild/maild.h.11172011
31c31
< #define MAIL_SUBJECT "OSSEC Notification - Alert level %d - %s - Date %s"
---
> #define MAIL_SUBJECT "OSSEC Notification - %s - Alert level %d - Date %s"
Re: [ossec-list] Re: Problems with ossec-maild
That's the issue :) You changed the format of the printf, so now it is trying to insert the values in the incorrect memory segment. If you put the format back it should work...

thanks,

--
Daniel B. Cid
http://dcid.me

On Fri, Mar 30, 2012 at 11:07 AM, MDACC-Luckie <luckief...@gmail.com> wrote:
> [root@dcprpoemprddb1 bin]# diff -r /opt/ossec-hids-2.6/src/os_maild/maild.h /opt/ossec-hids-2.6/src/os_maild/maild.h.11172011
> 31c31
> < #define MAIL_SUBJECT "OSSEC Notification - Alert level %d - %s - Date %s"
> ---
> > #define MAIL_SUBJECT "OSSEC Notification - %s - Alert level %d - Date %s"
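As an added example (not code from the thread or from OSSEC), a small C check that catches this kind of edit before it reaches snprintf: it extracts the conversion sequence from a MAIL_SUBJECT-style format and refuses to format when that sequence differs from the argument order the caller supplies. It assumes, from the direction of the diff above (maild.h against its backup), that the caller passes (location, level, date), so the expected sequence is %s, %d, %s; the macro names and the build_subject function are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Subject format from the backed-up maild.h in the thread; the caller is
 * assumed (not confirmed by the thread) to pass (location, level, date). */
#define MAIL_SUBJECT_ORIG "OSSEC Notification - %s - Alert level %d - Date %s"
/* The edited format from the thread: %d and %s swapped, arguments not. */
#define MAIL_SUBJECT_EDITED "OSSEC Notification - Alert level %d - %s - Date %s"

/* Collect the conversion characters of fmt (e.g. "sds") into out.
 * Returns the count, or -1 on a dangling '%' or an overfull buffer. */
int format_conversions(const char *fmt, char *out, size_t outsz)
{
    size_t n = 0;
    for (const char *p = fmt; *p; p++) {
        if (*p != '%') continue;
        p++;
        if (*p == '%') continue;                 /* "%%" is a literal */
        /* skip flags, width, precision and length modifiers */
        while (*p && strchr("-+ #0123456789.hljzt", *p)) p++;
        if (!*p || n + 1 >= outsz) return -1;
        out[n++] = *p;
    }
    out[n] = '\0';
    return (int)n;
}

/* 1 if fmt's conversions are exactly the sequence expected, else 0. */
int format_matches(const char *fmt, const char *expected)
{
    char seq[16];
    return format_conversions(fmt, seq, sizeof seq) >= 0
        && strcmp(seq, expected) == 0;
}

/* Format the subject only when fmt agrees with the (char *, int, char *)
 * argument order supplied here; otherwise return -1 instead of letting
 * vfprintf treat an int as a string pointer, which is what crashed strlen(). */
int build_subject(char *buf, size_t size, const char *fmt,
                  const char *location, int level, const char *date)
{
    if (!format_matches(fmt, "sds")) return -1;
    return snprintf(buf, size, fmt, location, level, date);
}
```

Because MAIL_SUBJECT is a string literal, building with -Wall (which enables -Wformat) also reports this mismatch at compile time; the runtime check covers formats that are not literals.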
Re: [ossec-list] Re: Problems with ossec-maild
Can you send a diff of your modifications against the official package? A diff -r should work... It seems that either SUBJECT_SIZE or MAIL_SUBJECT are incorrectly set there, causing it to fail (probably by mistake when editing the files).

thanks,

--
Daniel B. Cid
http://dcid.me

On Wed, Mar 28, 2012 at 2:00 PM, MDACC-Luckie <luckief...@gmail.com> wrote:
> I don't see any anomalies in my keys. As far as limits on the user running ossec, there are none. My max length server name is 15 characters. I am not proficient enough with my programming skills to go into the code and modify to provide any enhanced logging, mainly because I haven't had the need or the time to do it. I guess I could learn, but it definitely doesn't help with the immediate issue.
>
> How complicated is it, or is it even possible, for me to take a copy of specific files that might hold key information, reinstall, and then use that backed up key information in a vanilla installation to see if that fixes anything? If so, what files?
>
> Thanks again for all your help on this.
Re: [ossec-list] Re: Problems with ossec-maild
You can poke through the client.keys file by hand. Finding odd entries may be easy, depending on what's wrong with them. I'd also take a look at the ossec user's limits. Some systems limit the number of open files and things. Other than that, I've got no ideas. Adding logging messages in the code to see what it's choking on.

On Tue, Mar 27, 2012 at 7:22 PM, MDACC-Luckie <luckief...@gmail.com> wrote:
> Not long by max length standards, 15 characters or so. Are there any other of those types of things I could check, data corruption somewhere, that I might need to look for that isn't obvious to me? I don't think it is with ossec-maild but something with the extra 60 or so agent keys I generated that might be causing some type of issue. The reason I ask is that I used list_agents and saw a device name as being an agent, but when I looked for it in a manage_agents list of keys, it wasn't there. Some type of consistency check that can be run that looks for possible issues?
>
> On Mar 27, 3:58 pm, dan (ddp) <ddp...@gmail.com> wrote:
>> Kind of off the wall: Do you have very long agent names?
>>
>> On Tue, Mar 27, 2012 at 4:46 PM, MDACC-Luckie <luckief...@gmail.com> wrote:
>>> Our config is pretty standard with respect to the ossec.conf. The only non-standard thing we have is that we are using port 9025 for SMTP on the mail server we are using rather than 25. We have that changed in the sendmail.c file that is used when everything is compiled:
>>>
>>> OSSEC.CONF
>>>
>>> <global>
>>>   <email_notification>yes</email_notification>
>>>   <email_to>os...@xx.xxx</email_to>
>>>   <smtp_server>dcprpafszenoss2.xx.xxx</smtp_server>
>>>   <email_from>oss...@xx.xxx</email_from>
>>>   <email_maxperhour>1000</email_maxperhour>
>>> </global>
>>>
>>> SENDMAIL.C
>>>
>>> /* Default values use to connect */
>>> #define SMTP_DEFAULT_PORT 9025
>>> #define HELOMSG "Helo notify.ossec.net\r\n"
>>> #define MAILFROM "Mail From: %s\r\n"
>>> #define RCPTTO "Rcpt To: %s\r\n"
>>> #define DATAMSG "DATA\r\n"
>>> #define FROM "From: OSSEC HIDS %s\r\n"
>>> #define TO "To: %s\r\n"
>>> #define CC "Cc: %s\r\n"
>>> #define SUBJECT "Subject: %s\r\n"
>>> #define ENDDATA "\r\n.\r\n"
>>> #define QUITMSG "QUIT\r\n"
>>>
>>> It was working prior to the increase of the number of agents supported and the recompile. I ran a tcpdump on the manager and don't see the manager even attempting to try to connect to the SMTP host on port 9025, only using the agent/manager connection between the two boxes.
>>>
>>> On Mar 27, 3:36 pm, dan (ddp) <ddp...@gmail.com> wrote:
>>>> What's your mail configuration in the manager's ossec.conf? I wish ossec was compiled with -ggdb by default. It might make the gdb information a bit easier to follow.
>>>>
>>>> On Thu, Mar 22, 2012 at 1:47 PM, MDACC-Luckie <luckief...@gmail.com> wrote:
>>>>> I increased the number of agents my installation was capable of supporting, reinstalled and then copied my saved ossec.conf file and internal_options.conf into the ossec/etc directory and restarted ossec. My ossec-maild daemon starts, runs for a few seconds and then dies. I ran the following based on a previous email thread I saw and have attached the results. Please let me know if anyone has ideas on why it is happening:
>>>>>
>>>>> [root@dcprpoemprddb1 logs]# gdb /opt/ossec/bin/ossec-maild
>>>>> GNU gdb (GDB) Red Hat Enterprise Linux (7.0.1-23.el5_5.2)
>>>>> Copyright (C) 2009 Free Software Foundation, Inc.
>>>>> License GPLv3+: GNU GPL version 3 or later http://gnu.org/licenses/gpl.html
>>>>> This is free software: you are free to change and redistribute it.
>>>>> There is NO WARRANTY, to the extent permitted by law. Type show copying and show warranty for details.
>>>>> This GDB was configured as x86_64-redhat-linux-gnu.
>>>>> For bug reporting instructions, please see:
>>>>> http://www.gnu.org/software/gdb/bugs/...
>>>>> Reading symbols from /opt/ossec/bin/ossec-maild...done.
>>>>> (gdb) set follow-fork-mode child
>>>>> (gdb) run
>>>>> Starting program: /opt/ossec/bin/ossec-maild
>>>>> [New process 2615]
>>>>> [New process 2616]
>>>>>
>>>>> Program received signal SIGSEGV, Segmentation fault.
>>>>> [Switching to process 2616]
>>>>> 0x00387c879b60 in strlen () from /lib64/libc.so.6
>>>>> (gdb) bt
>>>>> #0 0x00387c879b60 in strlen () from /lib64/libc.so.6
>>>>> #1 0x00387c846cb9 in vfprintf () from /lib64/libc.so.6
>>>>> #2 0x00387c8699da in vsnprintf () from /lib64/libc.so.6
>>>>> #3 0x00387c84d5e3 in snprintf () from /lib64/libc.so.6
>>>>> #4 0x00402d66 in OS_RecvMailQ (fileq=0x635640, p=0x387cb56cc0, Mail=0x7fffe870, msg_sms=0x7fffe7e0) at os_maild_client.c:96
>>>>> #5 0x00402848 in OS_Run (mail=0x7fffe870) at maild.c:381
>>>>> #6 0x004023d0 in main (argc=1, argv=0x7fffe9f8) at maild.c:171
>>>>> (gdb)
[ossec-list] Re: Problems with ossec-maild
I don't see any anomalies in my keys. As far as limits on the user running ossec, there are none. My max length server name is 15 characters. I am not proficient enough with my programming skills to go into the code and modify to provide any enhanced logging, mainly because I haven't had the need or the time to do it. I guess I could learn, but it definitely doesn't help with the immediate issue.

How complicated is it, or is it even possible, for me to take a copy of specific files that might hold key information, reinstall, and then use that backed up key information in a vanilla installation to see if that fixes anything? If so, what files?

Thanks again for all your help on this.
[ossec-list] Re: Problems with ossec-maild
Our config is pretty standard with respect to the ossec.conf. The only non-standard thing we have is that we are using port 9025 for SMTP on the mail server we are using rather than 25. We have that changed in the sendmail.c file that is used when everything is compiled:

OSSEC.CONF

<global>
  <email_notification>yes</email_notification>
  <email_to>os...@xx.xxx</email_to>
  <smtp_server>dcprpafszenoss2.xx.xxx</smtp_server>
  <email_from>oss...@xx.xxx</email_from>
  <email_maxperhour>1000</email_maxperhour>
</global>

SENDMAIL.C

/* Default values use to connect */
#define SMTP_DEFAULT_PORT 9025
#define HELOMSG "Helo notify.ossec.net\r\n"
#define MAILFROM "Mail From: %s\r\n"
#define RCPTTO "Rcpt To: %s\r\n"
#define DATAMSG "DATA\r\n"
#define FROM "From: OSSEC HIDS %s\r\n"
#define TO "To: %s\r\n"
#define CC "Cc: %s\r\n"
#define SUBJECT "Subject: %s\r\n"
#define ENDDATA "\r\n.\r\n"
#define QUITMSG "QUIT\r\n"

It was working prior to the increase of the number of agents supported and the recompile. I ran a tcpdump on the manager and don't see the manager even attempting to try to connect to the SMTP host on port 9025, only using the agent/manager connection between the two boxes.

On Mar 27, 3:36 pm, dan (ddp) <ddp...@gmail.com> wrote:
> What's your mail configuration in the manager's ossec.conf? I wish ossec was compiled with -ggdb by default. It might make the gdb information a bit easier to follow.
>
> On Thu, Mar 22, 2012 at 1:47 PM, MDACC-Luckie <luckief...@gmail.com> wrote:
>> I increased the number of agents my installation was capable of supporting, reinstalled and then copied my saved ossec.conf file and internal_options.conf into the ossec/etc directory and restarted ossec. My ossec-maild daemon starts, runs for a few seconds and then dies. I ran the following based on a previous email thread I saw and have attached the results. Please let me know if anyone has ideas on why it is happening:
>>
>> [root@dcprpoemprddb1 logs]# gdb /opt/ossec/bin/ossec-maild
>> GNU gdb (GDB) Red Hat Enterprise Linux (7.0.1-23.el5_5.2)
>> Copyright (C) 2009 Free Software Foundation, Inc.
>> License GPLv3+: GNU GPL version 3 or later http://gnu.org/licenses/gpl.html
>> This is free software: you are free to change and redistribute it.
>> There is NO WARRANTY, to the extent permitted by law. Type show copying and show warranty for details.
>> This GDB was configured as x86_64-redhat-linux-gnu.
>> For bug reporting instructions, please see:
>> http://www.gnu.org/software/gdb/bugs/...
>> Reading symbols from /opt/ossec/bin/ossec-maild...done.
>> (gdb) set follow-fork-mode child
>> (gdb) run
>> Starting program: /opt/ossec/bin/ossec-maild
>> [New process 2615]
>> [New process 2616]
>>
>> Program received signal SIGSEGV, Segmentation fault.
>> [Switching to process 2616]
>> 0x00387c879b60 in strlen () from /lib64/libc.so.6
>> (gdb) bt
>> #0 0x00387c879b60 in strlen () from /lib64/libc.so.6
>> #1 0x00387c846cb9 in vfprintf () from /lib64/libc.so.6
>> #2 0x00387c8699da in vsnprintf () from /lib64/libc.so.6
>> #3 0x00387c84d5e3 in snprintf () from /lib64/libc.so.6
>> #4 0x00402d66 in OS_RecvMailQ (fileq=0x635640, p=0x387cb56cc0, Mail=0x7fffe870, msg_sms=0x7fffe7e0) at os_maild_client.c:96
>> #5 0x00402848 in OS_Run (mail=0x7fffe870) at maild.c:381
>> #6 0x004023d0 in main (argc=1, argv=0x7fffe9f8) at maild.c:171
>> (gdb)
[ossec-list] Re: Problems with ossec-maild
Not long by max length standards, 15 characters or so. Are there any other of those types of things I could check, data corruption somewhere, that I might need to look for that isn't obvious to me? I don't think it is with ossec-maild but something with the extra 60 or so agent keys I generated that might be causing some type of issue. The reason I ask is that I used list_agents and saw a device name as being an agent, but when I looked for it in a manage_agents list of keys, it wasn't there. Some type of consistency check that can be run that looks for possible issues?

On Mar 27, 3:58 pm, dan (ddp) <ddp...@gmail.com> wrote:
> Kind of off the wall: Do you have very long agent names?
>
> On Tue, Mar 27, 2012 at 4:46 PM, MDACC-Luckie <luckief...@gmail.com> wrote:
>> Our config is pretty standard with respect to the ossec.conf. The only non-standard thing we have is that we are using port 9025 for SMTP on the mail server we are using rather than 25. We have that changed in the sendmail.c file that is used when everything is compiled:
>>
>> OSSEC.CONF
>>
>> <global>
>>   <email_notification>yes</email_notification>
>>   <email_to>os...@xx.xxx</email_to>
>>   <smtp_server>dcprpafszenoss2.xx.xxx</smtp_server>
>>   <email_from>oss...@xx.xxx</email_from>
>>   <email_maxperhour>1000</email_maxperhour>
>> </global>
>>
>> SENDMAIL.C
>>
>> /* Default values use to connect */
>> #define SMTP_DEFAULT_PORT 9025
>> #define HELOMSG "Helo notify.ossec.net\r\n"
>> #define MAILFROM "Mail From: %s\r\n"
>> #define RCPTTO "Rcpt To: %s\r\n"
>> #define DATAMSG "DATA\r\n"
>> #define FROM "From: OSSEC HIDS %s\r\n"
>> #define TO "To: %s\r\n"
>> #define CC "Cc: %s\r\n"
>> #define SUBJECT "Subject: %s\r\n"
>> #define ENDDATA "\r\n.\r\n"
>> #define QUITMSG "QUIT\r\n"
>>
>> It was working prior to the increase of the number of agents supported and the recompile. I ran a tcpdump on the manager and don't see the manager even attempting to try to connect to the SMTP host on port 9025, only using the agent/manager connection between the two boxes.
>>
>> On Mar 27, 3:36 pm, dan (ddp) <ddp...@gmail.com> wrote:
>>> What's your mail configuration in the manager's ossec.conf? I wish ossec was compiled with -ggdb by default. It might make the gdb information a bit easier to follow.
>>>
>>> On Thu, Mar 22, 2012 at 1:47 PM, MDACC-Luckie <luckief...@gmail.com> wrote:
>>>> I increased the number of agents my installation was capable of supporting, reinstalled and then copied my saved ossec.conf file and internal_options.conf into the ossec/etc directory and restarted ossec. My ossec-maild daemon starts, runs for a few seconds and then dies. I ran the following based on a previous email thread I saw and have attached the results. Please let me know if anyone has ideas on why it is happening:
>>>>
>>>> [root@dcprpoemprddb1 logs]# gdb /opt/ossec/bin/ossec-maild
>>>> GNU gdb (GDB) Red Hat Enterprise Linux (7.0.1-23.el5_5.2)
>>>> Copyright (C) 2009 Free Software Foundation, Inc.
>>>> License GPLv3+: GNU GPL version 3 or later http://gnu.org/licenses/gpl.html
>>>> This is free software: you are free to change and redistribute it.
>>>> There is NO WARRANTY, to the extent permitted by law. Type show copying and show warranty for details.
>>>> This GDB was configured as x86_64-redhat-linux-gnu.
>>>> For bug reporting instructions, please see:
>>>> http://www.gnu.org/software/gdb/bugs/...
>>>> Reading symbols from /opt/ossec/bin/ossec-maild...done.
>>>> (gdb) set follow-fork-mode child
>>>> (gdb) run
>>>> Starting program: /opt/ossec/bin/ossec-maild
>>>> [New process 2615]
>>>> [New process 2616]
>>>>
>>>> Program received signal SIGSEGV, Segmentation fault.
>>>> [Switching to process 2616]
>>>> 0x00387c879b60 in strlen () from /lib64/libc.so.6
>>>> (gdb) bt
>>>> #0 0x00387c879b60 in strlen () from /lib64/libc.so.6
>>>> #1 0x00387c846cb9 in vfprintf () from /lib64/libc.so.6
>>>> #2 0x00387c8699da in vsnprintf () from /lib64/libc.so.6
>>>> #3 0x00387c84d5e3 in snprintf () from /lib64/libc.so.6
>>>> #4 0x00402d66 in OS_RecvMailQ (fileq=0x635640, p=0x387cb56cc0, Mail=0x7fffe870, msg_sms=0x7fffe7e0) at os_maild_client.c:96
>>>> #5 0x00402848 in OS_Run (mail=0x7fffe870) at maild.c:381
>>>> #6 0x004023d0 in main (argc=1, argv=0x7fffe9f8) at maild.c:171
>>>> (gdb)