Re: [ossec-list] Re: Problems with ossec-maild

2012-03-30 Thread Daniel Cid
That's the issue :)

You changed the format of the printf, so now it is trying to insert
the values in the incorrect memory segment. If you put the format back
it should work...

thanks,

--
Daniel B. Cid
http://dcid.me



On Fri, Mar 30, 2012 at 11:07 AM, MDACC-Luckie luckief...@gmail.com wrote:
 [root@dcprpoemprddb1 bin]# diff -r /opt/ossec-hids-2.6/src/os_maild/maild.h /opt/ossec-hids-2.6/src/os_maild/maild.h.11172011
 31c31
  #define MAIL_SUBJECT        OSSEC Notification - Alert level %d  -
 %s - Date %s
 ---
 #define MAIL_SUBJECT        OSSEC Notification - %s - Alert level %d  - 
 Date %s
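
Review bot: on line 31 the conversions in MAIL_SUBJECT are reordered from %s, %d, %s (the .11172011 copy) to %d, %s, %s, but nothing in this diff reorders the arguments at the snprintf call that consumes the macro. If that call still passes its arguments in the original order, the %s now in second position receives the integer alert level and is dereferenced as a string pointer, which is consistent with the strlen fault under snprintf at os_maild_client.c:96 in the backtrace further down the thread. Either restore the original order or change the argument order at that call in the same edit.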


Re: [ossec-list] Re: Problems with ossec-maild

2012-03-29 Thread Daniel Cid
Can you send a diff of your modifications against the official
package? A diff -r should work...

It seems that either SUBJECT_SIZE or MAIL_SUBJECT are incorrectly set there,
causing it to fail (probably by mistake when editing the files).

thanks,

--
Daniel B. Cid
http://dcid.me

On Wed, Mar 28, 2012 at 2:00 PM, MDACC-Luckie luckief...@gmail.com wrote:
 I don't see any anomalies in my keys.  As far as limits on the user
 running ossec, there are none.  My max length server name is 15
 characters.  I am not proficient enough with my programming skills to
 go into the code and modify to provide any enhanced logging, mainly
 because I haven't had the need or the time to do it.  I guess I could
 learn but definitely doesn't help with the immediate issue.

 How complicated is it or is it even possible for me to take a copy of
 specific files that might hold key information, reinstall, and then
 use that backed up key information in a vanilla installation to see if
 that fixes anything?  If so, what files?

 Thanks again for all your help on this.
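
The failure diagnosed in this thread (an edited MAIL_SUBJECT whose conversions no longer match the arguments passed to snprintf) can be caught before the call. The following is an added example, not part of the thread and not OSSEC code: the names conv_signature, build_subject, SUBJECT_ORIG and SUBJECT_EDITED are hypothetical, the quotes around the templates are assumed, and the argument order (string, int, string) is inferred from the original template.

```c
#include <stdio.h>
#include <string.h>

/* Templates from the diff in this thread; surrounding quotes are assumed. */
#define SUBJECT_ORIG   "OSSEC Notification - %s - Alert level %d - Date %s"
#define SUBJECT_EDITED "OSSEC Notification - Alert level %d - %s - Date %s"

/* Collect the conversion letters of a printf template, in order ("%%" skipped,
 * flags/width/precision/length ignored). Returns -1 on a dangling '%' or overflow. */
static int conv_signature(const char *fmt, char *sig, size_t siglen)
{
    size_t n = 0;
    if (siglen == 0) return -1;
    for (const char *p = fmt; *p; p++) {
        if (*p != '%')
            continue;
        if (*++p == '%')
            continue;
        p += strspn(p, "-+ #0123456789.*hlLjzt");
        if (*p == '\0' || n + 1 >= siglen)
            return -1;
        sig[n++] = *p;
    }
    sig[n] = '\0';
    return 0;
}

/* Hypothetical wrapper: format only if the template still expects
 * (char *, int, char *), the order assumed for the call site. */
static int build_subject(char *out, size_t outlen, const char *tmpl,
                         const char *src, int level, const char *date)
{
    char sig[8];
    if (conv_signature(tmpl, sig, sizeof sig) != 0 || strcmp(sig, "sds") != 0)
        return -1;   /* refuse instead of letting %s read an int as a pointer */
    return snprintf(out, outlen, tmpl, src, level, date);
}

int main(void)
{
    const char *tmpls[] = { SUBJECT_ORIG, SUBJECT_EDITED };
    char subj[128];
    for (int i = 0; i < 2; i++) {
        if (build_subject(subj, sizeof subj, tmpls[i], "host1", 7, "2012 Mar 30") < 0)
            printf("rejected template: %s\n", tmpls[i]);
        else
            printf("%s\n", subj);
    }
    return 0;
}
```

When the template is a string literal at the call site, gcc and clang report this mismatch at compile time through -Wformat (enabled by -Wall); the runtime check matters when the template is not a literal.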


Re: [ossec-list] Re: Problems with ossec-maild

2012-03-28 Thread dan (ddp)
You can poke through client.keys file by hand. Finding odd entries may
be easy, depending on what's wrong with them.
I'd also take a look at the ossec user's limits. Some systems limit
the number of open files and things.

Other than that, I've got no ideas. Adding logging messages in the
code to see what it's choking on.

On Tue, Mar 27, 2012 at 7:22 PM, MDACC-Luckie luckief...@gmail.com wrote:
 Not long by max length standards 15 characters or so.  Are there
 any other of those type of things I could check data corruption
 somewhere that I might need to look for that isn't obvious to me.  I
 don't think it is with ossec-maild but something with the extra 60 or
 so agent keys I generated that might be causing some type of issue.
 The reason I ask is that I used list_agents and saw a device name as
 being an agent but when I looked for it in a manage_agents listing of
 keys, it wasn't there.  Some type of consistency check that can be run
 that looks for possible issues?

 On Mar 27, 3:58 pm, dan (ddp) ddp...@gmail.com wrote:
 Kind of off the wall: Do you have very long agent names?



 On Tue, Mar 27, 2012 at 4:46 PM, MDACC-Luckie luckief...@gmail.com wrote:
  Our config is pretty standard with respect to the ossec.conf.  The
  only non-standard thing we have is that we are using port 9025 for
  SMTP on the mail server we are using rather than 25.  We have that
  changed in the sendmail.c file that is used when everything is
  compiled:

  OSSEC.CONF

   <global>
     <email_notification>yes</email_notification>
     <email_to>os...@xx.xxx</email_to>
     <smtp_server>dcprpafszenoss2.xx.xxx</smtp_server>
     <email_from>oss...@xx.xxx</email_from>
     <email_maxperhour>1000</email_maxperhour>
   </global>

  SENDMAIL.C

  /* Default values use to connect */
  #define SMTP_DEFAULT_PORT       9025
  #define HELOMSG                 "Helo notify.ossec.net\r\n"
  #define MAILFROM                "Mail From: %s\r\n"
  #define RCPTTO                  "Rcpt To: %s\r\n"
  #define DATAMSG                 "DATA\r\n"
  #define FROM                    "From: OSSEC HIDS %s\r\n"
  #define TO                      "To: %s\r\n"
  #define CC                      "Cc: %s\r\n"
  #define SUBJECT                 "Subject: %s\r\n"
  #define ENDDATA                 "\r\n.\r\n"
  #define QUITMSG                 "QUIT\r\n"

  It was working prior to the increase of the number of agents supported
  and the recompile.  I ran a tcpdump on the manager and don't see the
  manager even attempting to try to connect to the SMTP host on port
  9025, only using the agent/manager connection between the two boxes.

  On Mar 27, 3:36 pm, dan (ddp) ddp...@gmail.com wrote:
  What's your mail configuration in the manager's ossec.conf?

  I wish ossec was compiled with -ggdb by default. It might make the gdb
  information a bit easier to follow.

  On Thu, Mar 22, 2012 at 1:47 PM, MDACC-Luckie luckief...@gmail.com wrote:
   I increased the number of agents my installation was capable of
   supporting, reinstalled and then copied my saved ossec.conf file and
   internal_options.conf into the ossec/etc directory and restarted
   ossec.  My ossec-maild daemon starts, runs for a few seconds and then
   dies.

   I ran the following based on a previous email thread I saw and have
   attached the results.  Please let me know if anyone has ideas on why
   it is happening:

   [root@dcprpoemprddb1 logs]# gdb /opt/ossec/bin/ossec-maild
   GNU gdb (GDB) Red Hat Enterprise Linux (7.0.1-23.el5_5.2)
   Copyright (C) 2009 Free Software Foundation, Inc.
   License GPLv3+: GNU GPL version 3 or later http://gnu.org/licenses/
   gpl.html
   This is free software: you are free to change and redistribute it.
   There is NO WARRANTY, to the extent permitted by law.  Type show
   copying
   and show warranty for details.
   This GDB was configured as x86_64-redhat-linux-gnu.
   For bug reporting instructions, please see:
   http://www.gnu.org/software/gdb/bugs/...
   Reading symbols from /opt/ossec/bin/ossec-maild...done.
   (gdb) set follow-fork-mode child
   (gdb) run
   Starting program: /opt/ossec/bin/ossec-maild
   [New process 2615]
   [New process 2616]

   Program received signal SIGSEGV, Segmentation fault.
   [Switching to process 2616]
   0x00387c879b60 in strlen () from /lib64/libc.so.6
   (gdb) bt
   #0  0x00387c879b60 in strlen () from /lib64/libc.so.6
   #1  0x00387c846cb9 in vfprintf () from /lib64/libc.so.6
   #2  0x00387c8699da in vsnprintf () from /lib64/libc.so.6
   #3  0x00387c84d5e3 in snprintf () from /lib64/libc.so.6
   #4  0x00402d66 in OS_RecvMailQ (fileq=0x635640,
   p=0x387cb56cc0, Mail=0x7fffe870, msg_sms=0x7fffe7e0)
      at os_maild_client.c:96
   #5  0x00402848 in OS_Run (mail=0x7fffe870) at maild.c:381
   #6  0x004023d0 in main (argc=1, argv=0x7fffe9f8) at
   maild.c:171
   (gdb)