ossec-logcollector blocked and loops endlessly when a NUL character appears in monitored log file #913

Open
ybonnamy opened this issue Aug 4, 2016 · 5 comments

ybonnamy commented Aug 4, 2016

Hi,

I'm monitoring a proprietary application log file with OSSEC; unfortunately my monitoring appears to stop from time to time. After raising the log level, it appeared that ossec-logcollector loops endlessly with debug output such as this:

2016/08/04 09:17:52 ossec-logcollector: Message not complete. Trying again: '2016-08-04 06:25:28,601 INFO  [ajp-bio-8009-exec-2442-com.mccsoft.diapason.service.Login] Login failed: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903C8, comment: AcceptSecurityContext error, data 52e, v2580'
2016/08/04 09:17:52 ossec-logcollector: Message not complete. Trying again: '2016-08-04 06:25:28,601 INFO  [ajp-bio-8009-exec-2442-com.mccsoft.diapason.service.Login] Login failed: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903C8, comment: AcceptSecurityContext error, data 52e, v2580'
2016/08/04 09:17:54 ossec-logcollector: Message not complete. Trying again: '2016-08-04 06:25:28,601 INFO  [ajp-bio-8009-exec-2442-com.mccsoft.diapason.service.Login] Login failed: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903C8, comment: AcceptSecurityContext error, data 52e, v2580'
2016/08/04 09:17:54 ossec-logcollector: Message not complete. Trying again: '2016-08-04 06:25:28,601 INFO  [ajp-bio-8009-exec-2442-com.mccsoft.diapason.service.Login] Login failed: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903C8, comment: AcceptSecurityContext error, data 52e, v2580'
2016/08/04 09:17:56 ossec-logcollector: Message not complete. Trying again: '2016-08-04 06:25:28,601 INFO  [ajp-bio-8009-exec-2442-com.mccsoft.diapason.service.Login] Login failed: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903C8, comment: AcceptSecurityContext error, data 52e, v2580'
2016/08/04 09:17:56 ossec-logcollector: Message not complete. Trying again: '2016-08-04 06:25:28,601 INFO  [ajp-bio-8009-exec-2442-com.mccsoft.diapason.service.Login] Login failed: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903C8, comment: AcceptSecurityContext error, data 52e, v2580'

In the monitored log file, the content is:

2016-08-04 06:25:28,601 INFO  [ajp-bio-8009-exec-2442-com.mccsoft.diapason.service.Login] Login failed: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903C8, comment: AcceptSecurityContext error, data 52e, v2580^@]

So it looks as if the ^@ we can see at the end is disturbing ossec-logcollector.
If I look quickly at the ossec-hids-2.8.3/src/logcollector/read_syslog.c source code, I see no way it could exit this endless loop.

Thanks for your help.

ybonnamy commented Aug 4, 2016

Actually it is a NUL character, 00 in hex; ^@ was just how vim displayed it. Attached a sample.
log.withNUL.txt

ybonnamy commented Aug 5, 2016

Easy way to reproduce if /var/log/messages is monitored:
dd if=/dev/zero bs=1 count=1 >> /var/log/messages

Such a command could probably be used to trigger a DoS of the monitoring of some other files.
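
To make the failure mode from the reproduction above concrete, here is an added example (written for this edit, not OSSEC project code). It models the read_syslog.c reader loop described in the issue in simplified form: fgets into a buffer, strrchr for '\n', and a seek back to the start of the line when no newline is found, which is what produces the repeated "Message not complete. Trying again" output. Beside it is a hardened reader that bounds the line by the number of bytes fgets actually consumed (measured with ftell, a design choice of this example, not the project's fix) and replaces every NUL inside that span before the newline search. The sample log bytes, with one embedded NUL, are constructed for the example and loaded from a tmpfile() so it runs offline.

```c
#include <stdio.h>
#include <string.h>

#define BUFSZ 256

/* Constructed sample log: a normal line, a line carrying an embedded NUL
   (as in the issue's 'v2580^@]' fragment), then another normal line. */
static const char SAMPLE[] =
    "2016-08-04 06:25:27,000 INFO  ok line one\n"
    "2016-08-04 06:25:28,601 INFO  Login failed: data 52e, v2580\0]\n"
    "2016-08-04 06:25:29,000 INFO  ok line three\n";
#define SAMPLE_LEN (sizeof(SAMPLE) - 1)   /* array size counts the embedded NUL */

/* Expose the sample as a seekable FILE*, the way a monitored log file is. */
static FILE *open_sample(void)
{
    FILE *fp = tmpfile();
    if (fp == NULL) return NULL;
    fwrite(SAMPLE, 1, SAMPLE_LEN, fp);
    rewind(fp);
    return fp;
}

/* Shared tail of both readers, mirroring the logic the issue describes:
   strip '\n' and deliver; flush an over-long line as-is; otherwise seek back
   to the line start and report "not complete" so the caller retries later. */
static int finish_line(FILE *fp, long fp_pos, char *str, size_t sz)
{
    char *p = strrchr(str, '\n');
    if (p != NULL) { *p = '\0'; return 1; }
    if (strlen(str) >= sz - 2) return 1;      /* size limit hit: send what we got */
    fseek(fp, fp_pos, SEEK_SET);              /* "Message not complete. Trying again" */
    return 0;
}

/* Naive reader: an embedded NUL hides the '\n' from strrchr, so the line is
   never complete and the same bytes are re-read on every pass. */
static int naive_read(FILE *fp, char *str, size_t sz)
{
    long fp_pos = ftell(fp);
    if (fgets(str, (int)sz, fp) == NULL) return 0;
    return finish_line(fp, fp_pos, str, sz);
}

/* Hardened reader: the byte count fgets consumed is known from the stream
   position, so every NUL inside that span can be neutralised before the
   newline search, and the terminating NUL is never mistaken for a data byte. */
static int safe_read(FILE *fp, char *str, size_t sz)
{
    long fp_pos = ftell(fp);
    long got, i;
    if (fgets(str, (int)sz, fp) == NULL) return 0;
    got = ftell(fp) - fp_pos;                 /* bytes actually read, NULs included */
    if (got < 1 || got >= (long)sz) got = (long)strlen(str);   /* ftell unusable (e.g. a pipe) */
    for (i = 0; i < got; i++)
        if (str[i] == '\0') str[i] = ' ';
    str[got] = '\0';
    return finish_line(fp, fp_pos, str, sz);
}

typedef int (*line_reader)(FILE *, char *, size_t);

/* Run `passes` polling passes over the sample with the given reader and
   return how many lines were delivered in total. */
static int read_passes(line_reader rd, int passes, char (*out)[BUFSZ], int max_out)
{
    FILE *fp = open_sample();
    int total = 0, i;
    if (fp == NULL) return -1;
    for (i = 0; i < passes; i++)
        while (total < max_out && rd(fp, out[total], BUFSZ)) total++;
    fclose(fp);
    return total;
}

int main(void)
{
    char out[8][BUFSZ];
    printf("naive reader delivered %d line(s) in 5 passes\n", read_passes(naive_read, 5, out, 8));
    printf("fixed reader delivered %d line(s) in 5 passes\n", read_passes(safe_read, 5, out, 8));
    return 0;
}
```

With the sample above the naive reader delivers the first line and then stalls on the NUL line for every remaining pass, which is the blocked collector from the report; the hardened reader delivers all three lines, with the NUL turned into a space and the trailing newline still stripped. Bounding by consumed bytes rather than by strlen is the important part: a strrchr(str, '\0') lookup cannot tell an embedded NUL from the real terminator.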

ybonnamy changed the title from "ossec-logcollector blocked and loops endlessly when a particular entry appears in log file" to "ossec-logcollector blocked and loops endlessly when a NUL character appears in monitored log file" on Aug 5, 2016
ybonnamy commented Aug 8, 2016

If no solution is found here, here is the workaround I could use:

--- ./src/logcollector/read_syslog.c.orig       2015-10-12 23:21:06.000000000 +0200
+++ ./src/logcollector/read_syslog.c    2016-08-08 15:08:56.278924850 +0200
@@ -44,7 +44,13 @@
         {
             *p = '\0';
         }
-
+       /* debug issue #913 detect NUL char */
+        else if ((p = strrchr(str, '\0')) != NULL)
+        {
+                debug1("debug913 NUL found" );
+               /* replace NUL with a dot */
+               *p = '.';
+        }
         /* If we didn't get the new line, because the
          * size is large, send what we got so far.
          */

(Please note that elaborating this workaround was an awful trial-and-error process; I'm not a C++ developer at all.)

ybonnamy commented Nov 16, 2017

14 months later, the bug still exists with ossec-hids-agent-2.9.2 on RHEL7; it's still too easy to defeat ossec-logcollector by injecting a NUL character in a monitored log file.

ddpbsd added a commit to ddpbsd/ossec-hids that referenced this issue Nov 16, 2017
Fixes issue ossec#913 from @ybonnamy
Fix from @ybonnamy, although I'm trying a space instead of a dot. I'm
willing to use the dot if anyone prefers that.
ddpbsd commented Nov 16, 2017

@ybonnamy Thanks for reporting, fixing, and reminding us that you fixed it. Pull request #1318 should hopefully fix the problem.
