[Note: this was sent to me in private email; I paste it here for completeness]

Hello,

When I start prelude-manager, I get the following message:

bash-2.05b# prelude-manager
- Initialized 3 reporting plugins.
- Initialized 1 database plugins.
- Subscribing Prelude NIDS data decoder to active decoding plugins.
- Initialized 1 decoding plugins.
- Initialized 0 filtering plugins.
- Subscribing TextMod to active reporting plugins.
- Subscribing XmlMod to active reporting plugins.
- Subscribing MySQL to active database plugins.
- sensors server started (listening on 127.0.0.1:5554).

Then I start prelude-lml:

bash-2.05b# prelude-lml
- Initialized 3 logs plugins.
- SimpleMod plugin added 211 rules.
- Added monitor for '/var/log/messages'.
- Subscribing plugin SimpleMod
- Connecting to Unix prelude Manager server.
- Plaintext authentication succeed with Prelude Manager.
- Subscribing plugin Paxmod
- Subscribing plugin SimpleMod
file-server.c:initialize_fam:788 : (errno=Connection refused) : error initializing FAM: (null).
- /var/log/messages: Metadata available, starting log analyzis at offset 5017909.

When I look back in the console where I started prelude-manager, I see it got killed:

bash-2.05b# prelude-manager
- Initialized 3 reporting plugins.
- Initialized 1 database plugins.
- Subscribing Prelude NIDS data decoder to active decoding plugins.
- Initialized 1 decoding plugins.
- Initialized 0 filtering plugins.
- Subscribing TextMod to active reporting plugins.
- Subscribing XmlMod to active reporting plugins.
- Subscribing MySQL to active database plugins.
- sensors server started (listening on 127.0.0.1:5554).
[unix] - accepted connection.
[unix] - plaintext authentication succeed.
[unix] - sensor declared ident 578270586701940232.
Killed
bash-2.05b#

Does anybody know how I could proceed to find out where the problem lies?
My setup is the following: gentoo-stable, with

* app-admin/prelude-lml [ Masked ]
      Latest version installed: 0.8.3-r1
* app-admin/prelude-manager [ Masked ]
      Latest version installed: 0.8.7
* dev-libs/libprelude [ Masked ]
      Latest version installed: 0.8.5-r1
* net-analyzer/prelude-nids [ Masked ]
      Latest version installed: 0.8.1-r1

Best regards,
Daniel Struck
On Wed, 2003-07-30 at 15:31, Daniel Struck wrote:
> Hello,
>
> When I start prelude-manager, I get the following message:

I'm wondering if that could be NPTL related. What kernel / glibc version are you using?

Also, could you send me privately the strace -f output of the prelude-manager? Is it 100% reproducible? On your computer / on other computers too?

Thanks,
--
Yoann Vandoorselaere <yoann@prelude-ids.org>
Hello Michael,

I have a question: You may have seen my question on the prelude-user mailing-list, with the title "prelude-manager gets killed after starting prelude-lml". Here is what Yoann is proposing to me:

Begin forwarded message:

Date: 30 Jul 2003 17:50:59 +0200
From: Yoann Vandoorselaere <yoann@prelude-ids.org>
To: Daniel Struck <community@struck.lu>
Subject: Re: strace output from prelude-manager, which is killed by a sensor

On Wed, 2003-07-30 at 19:27, Daniel Struck wrote:
> Hello Yoann,
>
> here is the strace output from prelude-manager:
>
> once without a sensor started
> and
> once with prelude-lml started
>
> Version installed,
>
> gcc:3.2.3-r1
> glibc:2.3.2-r1
> kernel:2.6.0-test2-mm1

Hi,

could you try recompiling libprelude and prelude-manager with -O0 -ggdb flags, and trace with

valgrind --gdb-attach=yes prelude-manager

(make sure you're not using SSL). Tell me if valgrind says anything useful.

Thanks,
--
Yoann Vandoorselaere <yoann@prelude-ids.org>

So I wanted to ask you if you know how to tell the prelude-gentoo-ebuilds to use these flags, as you are the one who introduced these ebuilds on the gentoo-platform?
Try this:

FEATURES="nostrip" CFLAGS="-O0 -ggdb" ACCEPT_KEYWORDS="~x86" USE="-ssl" emerge libprelude prelude-manager prelude-lml

I have not yet tested this, but it should work. If it doesn't, let me know and I'll have a deeper look at it.
Yoann Vandoorselaere said:

Okay, so Daniel, could you confirm that the bug is reproducible with these flags set?
Yes, I get the same results when compiling prelude with these flags.

Daniel
Daniel,

Do you have any security-related features enabled in your kernel, such as PaX, that would/could do any sort of signal sending? If so, the next time you get this to happen, please type 'dmesg | tail' and put the results in this bug.
I couldn't reproduce this problem on another machine, which is running gentoo, so I did know something was wrong with the system on the first machine.

I have solved the issue: run "ldconfig" and reemerge prelude. Now prelude works without a problem.

Sorry for the false alert.
As no one else seems to have this problem, I'm marking this bug as invalid.
yoann(xxxxx] http://bugs.gentoo.org/show_bug.cgi?id=25616 <- I wouldn't mark this as INVALID
Update: Yoann has found out that libxml2 is causing problems on my setup.

On my machine with libxml2 2.5.2, prelude is running without a problem. On the other machine with libxml 2.5.8, prelude-manager gets killed as soon as I start a sensor.
Newest libprelude-cvs & libprelude-manager work together with libxml-2.5.8, thanks to Yoann Vandoorselaere.

Daniel
Just a note that chances are that libprelude-cvs will be pulled out of the portage tree at the next release of prelude. If you wish to continue to use the cvs versions of prelude, then back up a copy to your local portage overlay or look for them on breakmygentoo.net.
New *prelude* now published: new libprelude, prelude-manager, prelude-lml, prelude-nids and even a brand new cleaned-up patch for prelude support in nessus. Should close this one.
Updated ebuilds (and upstream version) resolve this issue.