<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<br>
<br>
It's at:<br>
<br>
<a class="moz-txt-link-freetext" href="https://github.com/beave/sagan/blob/master/src/sagan-liblognorm.c">https://github.com/beave/sagan/blob/master/src/sagan-liblognorm.c</a><br>
<br>
See the function "sagan_normalize_liblognorm" (line 93).<br>
<br>
There's not a lot to it (right now). When my blacklist function
calls this as it is now, the memory grows and grows.<br>
If I disable the call to liblognorm, it stays consistent.<br>
<br>
<br>
<br>
On 07/15/2013 04:06 PM, Rainer Gerhards wrote:<br>
<span style="white-space: pre;">><br>
> I forgot: is your test code available online?<br>
><br>
> Sent from phone, thus brief.<br>
><br>
> On 15.07.2013 at 22:02, "Champ Clark III" <<a class="moz-txt-link-abbreviated" href="mailto:cclark@quadrantsec.com">cclark@quadrantsec.com</a>> wrote:<br>
><br>
><br>
> Sorry, but same results :( I'm using the same test code
below but with es_emptyStr(str) replaced with es_deleteStr(str)<br>
><br>
><br>
><br>
> On 07/15/2013 03:46 PM, Rainer Gerhards wrote:<br>
><br>
> > Use es_deleteStr instead of es_emptyStr. The latter just
resets it but does not free. More explanations follow tomorrow.
Please report back.<br>
><br>
> > Sent from phone, thus brief.<br>
><br>
> > On 15.07.2013 at 21:06, "Champ Clark III" <<a class="moz-txt-link-abbreviated" href="mailto:cclark@quadrantsec.com">cclark@quadrantsec.com</a>> wrote:<br>
><br>
><br>
><br>
> > Hello,<br>
><br>
> > So - I've stripped down the code a good bit to see if I can't isolate where I'm going wrong. Below is what I got:<br>
><br>
> > --<snip>--<br>
> > str = es_newStrFromCStr(syslog_msg, strlen(syslog_msg));<br>
> > ln_normalize(ctx, str, &lnevent);<br>
><br>
> > if(lnevent != NULL) {<br>
> > es_emptyStr(str);<br>
> > ee_fmtEventToRFC5424(lnevent, &str);<br>
> > }<br>
><br>
> > free(cstr);<br>
> > es_deleteStr(str);<br>
> > ee_deleteEvent(lnevent);<br>
> > }<br>
> > --<snip>--<br>
><br>
> > It appears as soon as I add the "ee_fmtEventToRFC5424", valgrind starts to report the following:<br>
><br>
> > ==21979== 69,872 bytes in 614 blocks are definitely lost in loss record 52 of 54<br>
> > ==21979== at 0x4C2B6CD: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)<br>
> > ==21979== by 0x5457CD9: es_newStr (string.c:105)<br>
> > ==21979== by 0x5457D0E: es_newStrFromCStr (string.c:125)<br>
> > ==21979== by 0x40C167: sagan_normalize_liblognorm (sagan-liblognorm.c:103)<br>
> > ==21979== by 0x41427F: Sagan_Blacklist (sagan-blacklist.c:167)<br>
> > ==21979== by 0x40BC07: Sagan_Processor (sagan-processor.c:123)<br>
> > ==21979== by 0x595EE99: start_thread (pthread_create.c:308)<br>
><br>
> > If I remove the line, that goes away. Any thoughts?<br>
><br>
> > Thanks for your time.<br>
><br>
><br>
> > _______________________________________________<br>
> > Lognorm mailing list<br>
> > <a class="moz-txt-link-abbreviated" href="mailto:Lognorm@lists.adiscon.com">Lognorm@lists.adiscon.com</a>
<a class="moz-txt-link-rfc2396E" href="mailto:Lognorm@lists.adiscon.com"><mailto:Lognorm@lists.adiscon.com></a>
<a class="moz-txt-link-rfc2396E" href="mailto:Lognorm@lists.adiscon.com"><mailto:Lognorm@lists.adiscon.com></a>
<a class="moz-txt-link-rfc2396E" href="mailto:Lognorm@lists.adiscon.com"><mailto:Lognorm@lists.adiscon.com></a><br>
> > <a class="moz-txt-link-freetext" href="http://lists.adiscon.net/mailman/listinfo/lognorm">http://lists.adiscon.net/mailman/listinfo/lognorm</a><br>
><br>
><br>
><br>
></span><br>
<br>
-- <br>
- Quadrant Information Security<br>
Champ Clark III<br>
o: 800.538.9357 x 101<br>
c: 850.443.2440<br>
<br>
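The distinction drawn in the quoted reply (resetting a string versus freeing it), as an added example that is not part of the original message and is not libestr, libee or Sagan code: a self-contained C model that counts live string objects across the per-message sequence. The names `mstr_t`, `mstr_new`, `mstr_empty`, `mstr_delete`, `fmt_event` and `run_messages` are hypothetical, and the model assumes a formatter that allocates a new string and stores it through its out-parameter without freeing the previous one.<br>

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for a counted string; NOT the libestr type. */
typedef struct { size_t len; char buf[128]; } mstr_t;
static long live_strings = 0;   /* mstr_t objects currently allocated */

static mstr_t *mstr_new(const char *s) {
    mstr_t *m = calloc(1, sizeof *m);
    if (m == NULL) return NULL;
    strncpy(m->buf, s, sizeof m->buf - 1);
    m->len = strlen(m->buf);
    live_strings++;
    return m;
}

/* "Empty": reset the length only; the allocation stays live. */
static void mstr_empty(mstr_t *m) { if (m != NULL) m->len = 0; }
/* "Delete": release the object. NULL is accepted. */
static void mstr_delete(mstr_t *m) {
    if (m != NULL) { free(m); live_strings--; }
}

/* Assumed contract: stores a newly allocated string in *out without
 * freeing what *out pointed to; leaves *out untouched on failure. */
static int fmt_event(const char *event, mstr_t **out) {
    mstr_t *m = mstr_new(event);
    if (m != NULL) *out = m;
    return m != NULL ? 0 : -1;
}

/* Runs the per-message sequence n times; returns strings left allocated. */
long run_messages(int n, int delete_first) {
    long before = live_strings;
    for (int i = 0; i < n; i++) {
        mstr_t *str = mstr_new("constructed syslog message");
        if (delete_first) { mstr_delete(str); str = NULL; }
        else mstr_empty(str);
        (void)fmt_event("[constructed structured data]", &str);
        mstr_delete(str);   /* frees only what str points to now */
    }
    return live_strings - before;
}

int main(void) {
    printf("empty: %ld left, delete: %ld left\n", run_messages(1000, 0), run_messages(1000, 1));
    return 0;
}
```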
</body>
</html>