<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<br>
-----BEGIN PGP SIGNED MESSAGE-----<br>
Hash: SHA1<br>
<br>
Ok.. Tried that earlier, but let me make sure. Will let you know
the results ASAP.<br>
<br>
<br>
On 07/15/2013 04:23 PM, Rainer Gerhards wrote:<br>
<span style="white-space: pre;">><br>
> Ln 109 add es_deleteStr<br>
><br>
> Sent from phone, thus brief.<br>
><br>
> Am 15.07.2013 22:19 schrieb "Champ Clark III"
<<a class="moz-txt-link-abbreviated" href="mailto:cclark@quadrantsec.com">cclark@quadrantsec.com</a>
<a class="moz-txt-link-rfc2396E" href="mailto:cclark@quadrantsec.com"><mailto:cclark@quadrantsec.com></a>>:<br>
><br>
><br>
> It's at:<br>
><br>
>
<a class="moz-txt-link-freetext" href="https://github.com/beave/sagan/blob/master/src/sagan-liblognorm.c">https://github.com/beave/sagan/blob/master/src/sagan-liblognorm.c</a><br>
><br>
> See the function "sagan_normalize_liblognorm" (line 93).<br>
><br>
> There's not a lot to it (right now). When my blacklist
function calls this as it is now, the memory grows and grows.<br>
> If I disable the call to liblognorm, it stays consistent.<br>
><br>
><br>
><br>
> On 07/15/2013 04:06 PM, Rainer Gerhards wrote:<br>
><br>
> > I forgot: is your test code available online?<br>
><br>
> > Sent from phone, thus brief.<br>
><br>
> > Am 15.07.2013 22:02 schrieb "Champ Clark III"
<<a class="moz-txt-link-abbreviated" href="mailto:cclark@quadrantsec.com">cclark@quadrantsec.com</a> <a class="moz-txt-link-rfc2396E" href="mailto:cclark@quadrantsec.com"><mailto:cclark@quadrantsec.com></a>
<a class="moz-txt-link-rfc2396E" href="mailto:cclark@quadrantsec.com"><mailto:cclark@quadrantsec.com></a>
<a class="moz-txt-link-rfc2396E" href="mailto:cclark@quadrantsec.com"><mailto:cclark@quadrantsec.com></a>>:<br>
><br>
><br>
> > Sorry, but same results :( I'm using the same test
code below but with es_emptyStr(str) replaced with
es_deleteStr(str)<br>
><br>
><br>
><br>
> > On 07/15/2013 03:46 PM, Rainer Gerhards wrote:<br>
><br>
> > > Use es_deleteStr instead of es_emptyStr. The latter
just resets it but does not free. More explanations follow
tomorrow. Please report back.<br>
><br>
> > > Sent from phone, thus brief.<br>
><br>
> > > Am 15.07.2013 21:06 schrieb "Champ Clark III"
<<a class="moz-txt-link-abbreviated" href="mailto:cclark@quadrantsec.com">cclark@quadrantsec.com</a> <a class="moz-txt-link-rfc2396E" href="mailto:cclark@quadrantsec.com"><mailto:cclark@quadrantsec.com></a>
<a class="moz-txt-link-rfc2396E" href="mailto:cclark@quadrantsec.com"><mailto:cclark@quadrantsec.com></a>
<a class="moz-txt-link-rfc2396E" href="mailto:cclark@quadrantsec.com"><mailto:cclark@quadrantsec.com></a>
<a class="moz-txt-link-rfc2396E" href="mailto:cclark@quadrantsec.com"><mailto:cclark@quadrantsec.com></a>
<a class="moz-txt-link-rfc2396E" href="mailto:cclark@quadrantsec.com"><mailto:cclark@quadrantsec.com></a>
<a class="moz-txt-link-rfc2396E" href="mailto:cclark@quadrantsec.com"><mailto:cclark@quadrantsec.com></a>
<a class="moz-txt-link-rfc2396E" href="mailto:cclark@quadrantsec.com"><mailto:cclark@quadrantsec.com></a>>:<br>
><br>
><br>
><br>
> > > Hello,<br>
><br>
> > > So - I've stripped down the code a good bit to see
if I can't isolate<br>
> > > where I'm going wrong. Below is what I got:<br>
><br>
> > > --<snip>--<br>
> > > str = es_newStrFromCStr(syslog_msg,
strlen(syslog_msg));<br>
> > > ln_normalize(ctx, str, &lnevent);<br>
><br>
> > > if(lnevent != NULL) {<br>
> > > es_emptyStr(str);<br>
> > > ee_fmtEventToRFC5424(lnevent,
&str);<br>
> > > }<br>
><br>
> > > free(cstr);<br>
> > > es_deleteStr(str);<br>
> > > ee_deleteEvent(lnevent);<br>
> > > }<br>
> > > --<snip>--<br>
><br>
> > > It appears as soon as I add the
"ee_fmtEventToRFC5424", valgrind starts<br>
> > > to report the following:<br>
><br>
> > > ==21979== 69,872 bytes in 614 blocks are definitely
lost in loss record<br>
> > > 52 of 54<br>
> > > ==21979== at 0x4C2B6CD: malloc (in<br>
> > >
/usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)<br>
> > > ==21979== by 0x5457CD9: es_newStr (string.c:105)<br>
> > > ==21979== by 0x5457D0E: es_newStrFromCStr
(string.c:125)<br>
> > > ==21979== by 0x40C167:
sagan_normalize_liblognorm<br>
> > > (sagan-liblognorm.c:103)<br>
> > > ==21979== by 0x41427F: Sagan_Blacklist
(sagan-blacklist.c:167)<br>
> > > ==21979== by 0x40BC07: Sagan_Processor
(sagan-processor.c:123)<br>
> > > ==21979== by 0x595EE99: start_thread
(pthread_create.c:308)<br>
><br>
> > > If I remove the line, that goes away. Any
thoughts?<br>
><br>
> > > Thanks for your time.<br>
><br>
><br>
> > > _______________________________________________<br>
> > > Lognorm mailing list<br>
> > > <a class="moz-txt-link-abbreviated" href="mailto:Lognorm@lists.adiscon.com">Lognorm@lists.adiscon.com</a>
<a class="moz-txt-link-rfc2396E" href="mailto:Lognorm@lists.adiscon.com"><mailto:Lognorm@lists.adiscon.com></a>
<a class="moz-txt-link-rfc2396E" href="mailto:Lognorm@lists.adiscon.com"><mailto:Lognorm@lists.adiscon.com></a>
<a class="moz-txt-link-rfc2396E" href="mailto:Lognorm@lists.adiscon.com"><mailto:Lognorm@lists.adiscon.com></a>
<a class="moz-txt-link-rfc2396E" href="mailto:Lognorm@lists.adiscon.com"><mailto:Lognorm@lists.adiscon.com></a>
<a class="moz-txt-link-rfc2396E" href="mailto:Lognorm@lists.adiscon.com"><mailto:Lognorm@lists.adiscon.com></a>
<a class="moz-txt-link-rfc2396E" href="mailto:Lognorm@lists.adiscon.com"><mailto:Lognorm@lists.adiscon.com></a>
<a class="moz-txt-link-rfc2396E" href="mailto:Lognorm@lists.adiscon.com"><mailto:Lognorm@lists.adiscon.com></a><br>
> > >
<a class="moz-txt-link-freetext" href="http://lists.adiscon.net/mailman/listinfo/lognorm">http://lists.adiscon.net/mailman/listinfo/lognorm</a><br>
><br>
><br>
><br>
> > > _______________________________________________<br>
> > > Lognorm mailing list<br>
> > > <a class="moz-txt-link-abbreviated" href="mailto:Lognorm@lists.adiscon.com">Lognorm@lists.adiscon.com</a>
<a class="moz-txt-link-rfc2396E" href="mailto:Lognorm@lists.adiscon.com"><mailto:Lognorm@lists.adiscon.com></a>
<a class="moz-txt-link-rfc2396E" href="mailto:Lognorm@lists.adiscon.com"><mailto:Lognorm@lists.adiscon.com></a>
<a class="moz-txt-link-rfc2396E" href="mailto:Lognorm@lists.adiscon.com"><mailto:Lognorm@lists.adiscon.com></a><br>
> > > <a class="moz-txt-link-freetext" href="http://lists.adiscon.net/mailman/listinfo/lognorm">http://lists.adiscon.net/mailman/listinfo/lognorm</a><br>
><br>
><br>
><br>
> > _______________________________________________<br>
> > Lognorm mailing list<br>
> > <a class="moz-txt-link-abbreviated" href="mailto:Lognorm@lists.adiscon.com">Lognorm@lists.adiscon.com</a>
<a class="moz-txt-link-rfc2396E" href="mailto:Lognorm@lists.adiscon.com"><mailto:Lognorm@lists.adiscon.com></a>
<a class="moz-txt-link-rfc2396E" href="mailto:Lognorm@lists.adiscon.com"><mailto:Lognorm@lists.adiscon.com></a>
<a class="moz-txt-link-rfc2396E" href="mailto:Lognorm@lists.adiscon.com"><mailto:Lognorm@lists.adiscon.com></a><br>
> > <a class="moz-txt-link-freetext" href="http://lists.adiscon.net/mailman/listinfo/lognorm">http://lists.adiscon.net/mailman/listinfo/lognorm</a><br>
><br>
><br>
><br>
> > _______________________________________________<br>
> > Lognorm mailing list<br>
> > <a class="moz-txt-link-abbreviated" href="mailto:Lognorm@lists.adiscon.com">Lognorm@lists.adiscon.com</a>
<a class="moz-txt-link-rfc2396E" href="mailto:Lognorm@lists.adiscon.com"><mailto:Lognorm@lists.adiscon.com></a><br>
> > <a class="moz-txt-link-freetext" href="http://lists.adiscon.net/mailman/listinfo/lognorm">http://lists.adiscon.net/mailman/listinfo/lognorm</a><br>
><br>
><br>
><br>
> _______________________________________________<br>
> Lognorm mailing list<br>
> <a class="moz-txt-link-abbreviated" href="mailto:Lognorm@lists.adiscon.com">Lognorm@lists.adiscon.com</a>
<a class="moz-txt-link-rfc2396E" href="mailto:Lognorm@lists.adiscon.com"><mailto:Lognorm@lists.adiscon.com></a><br>
> <a class="moz-txt-link-freetext" href="http://lists.adiscon.net/mailman/listinfo/lognorm">http://lists.adiscon.net/mailman/listinfo/lognorm</a><br>
><br>
><br>
><br>
> _______________________________________________<br>
> Lognorm mailing list<br>
> <a class="moz-txt-link-abbreviated" href="mailto:Lognorm@lists.adiscon.com">Lognorm@lists.adiscon.com</a><br>
> <a class="moz-txt-link-freetext" href="http://lists.adiscon.net/mailman/listinfo/lognorm">http://lists.adiscon.net/mailman/listinfo/lognorm</a></span><br>
<br>
- -- <br>
- - Quadrant Information Security<br>
Champ Clark III<br>
o: 800.538.9357 x 101<br>
c: 850.443.2440<br>
-----BEGIN PGP SIGNATURE-----<br>
Version: GnuPG v1.4.11 (GNU/Linux)<br>
Comment: Using GnuPG with Thunderbird - <a class="moz-txt-link-freetext" href="http://www.enigmail.net/">http://www.enigmail.net/</a><br>
<br>
iQEcBAEBAgAGBQJR5F53AAoJENnmXt7Lmc3K2yAH/jiD2MRjALwF78X72PGObxnC<br>
fqVjlydZ0z5u9wH6aDeFhfs8QVkx52pxOucMQootXA6AIAYyexr+A7RTQE1RaRxL<br>
iWv68ZJOaCeRgTvnywZh9yozykEuhAa3FgwI2weXipWfnAjxPpoQvD/eSir4XAoy<br>
B7OVqm8nvqa0jrRvTm9MZZeu712GqqMRPJm4VXutxzmZDmQrqaJ2KYnHIfvAwkv2<br>
iCvAiHHbkH1yJSB7X8MbNxlCmig7loPC8hWLSiWD+1blcp5AtknpBdKp9HYEa/cs<br>
uU4vQVx3t0tEzY1Nh8vQCKGpdPGMNUi6oHGycdKWJZAJI609GVWRNKAdYK5KTJE=<br>
=1Vjd<br>
-----END PGP SIGNATURE-----<br>
<br>
</body>
</html>