IBM Guardium


Snif process - Guardium v11

  • 1.  Snif process - Guardium v11

    Posted Tue May 19, 2020 11:20 AM
    Good day to everyone! I would be grateful if anyone could help me with this situation.
    In a nutshell, I want to give a general overview.
    In the collector, the sniffer log shows errors and there is no open port 16016 (STAP). I guess this is because of the sniffer, and the port must be open. Am I wrong?
    In my little lab (not definitive) I could check the memory of the "snif" process:

    10471 root 20 0 304.2m 34.3m 20.0m S 5.0 2.0 0:00.15 snif
    The PID changes every second...

    Although I know the collector has only 8 GB of memory, I've read the hardware requirements and it doesn't seem to be a memory problem. Just 34 MB for the process should not be a memory problem... ?

    I have installed Guardium v11 with the following components.

     One aggregator (Red Hat)
     One collector (Red Hat)
     One MySQL database (Ubuntu)

    My problems begin when the sniffer logs a "Segmentation Fault" error in /var/log/messages. This log is full of segmentation faults. I installed a fix to the sniffer but it didn't correct anything.

    Guardium Sniffer license verified.
    May 17 03:43:07 guard GuardiumSniffer[5876]: Guardium Sniffer license verified.
    May 17 03:43:07 guard kernel: [314053.653113] snif[5876]: segfault at 0 ip 0000000000563dc9 sp 00007fff64a164e0 error 6 in snif[400000+533b000]
    May 17 03:43:08 guard snif: Guardium Sniffer Started
    May 17 03:43:10 guard GuardiumSniffer[5888]: Guardium Sniffer license verified.
    May 17 03:43:10 guard kernel: [314056.894529] snif[5888]: segfault at 0 ip 0000000000563dc9 sp 00007fff07f05b50 error 6 in snif[400000+533b000]
    May 17 03:43:11 guard snif: Guardium Sniffer Started...........

    and so on..



    In the /opt/IBM/Guardium/log/snif/snif.log  I couldn't see anything strange...

    2020-05-19 11:15:47,388 INFO Guardium Sniffer Started
    2020-05-19 11:15:47,388 INFO Guardium install directory is /opt/IBM/Guardium
    2020-05-19 11:15:47,412 INFO IPv6 disabled
    2020-05-19 11:15:47,413 INFO /opt/IBM/Guardium/bin/snif processing threads configuration: 6
    2020-05-19 11:15:47,538 INFO Stats init ok, size: 29573920
    2020-05-19 11:15:47,681 INFO SNIF_PROCESS_COUNT: 581599
    2020-05-19 11:15:47,681 INFO GLOBAL_ID: 2934762805545804283
    2020-05-19 11:15:47,681 INFO UTC offset = -3
    2020-05-19 11:15:47,681 INFO LOGGING_GRANULARITY: 60
    2020-05-19 11:15:47,681 INFO Snif TLS mode: compatibility
    2020-05-19 11:15:47,681 INFO SNIF_LOGGER_DESTINATION_TYPE: 0
    2020-05-19 11:15:47,681 INFO The running process pid: 24690
    2020-05-19 11:15:47,682 WARNING no fam license
    2020-05-19 11:15:47,682 INFO gMachine total memory: 1758609408, Snif mem limited to 580341104
    2020-05-19 11:15:47,685 INFO Protocol for vendor 7000 loaded, len=3153
    2020-05-19 11:15:47,686 INFO Protocol for vendor 7001 loaded, len=906
    2020-05-19 11:15:47,686 INFO Protocol for vendor 7002 loaded, len=988
    FAM crawler handler initialized
    2020-05-19 11:15:47,688 INFO system is running in non-FIPS 140-2 mode
    src/central_freelist.cc:333] tcmalloc: allocation failed 57344


    Could anyone give me some hints please?

    Thank you in advance!
    Alex

    ------------------------------
    Alejandro Diaschi
    ------------------------------
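As an added example (not part of the original post and not IBM code): a small Python triage script that parses the two kinds of log excerpt posted above, decodes the kernel segfault lines and flags the memory figures from snif.log. The two samples are constructed inline from the lines in the post; the 24 GB figure is the recommendation given later in this thread. Nothing else is assumed.

```python
import re
from collections import Counter

# Constructed samples modelled on the lines quoted in the post (not a live capture).
SYSLOG_SAMPLE = """\
May 17 03:43:07 guard GuardiumSniffer[5876]: Guardium Sniffer license verified.
May 17 03:43:07 guard kernel: [314053.653113] snif[5876]: segfault at 0 ip 0000000000563dc9 sp 00007fff64a164e0 error 6 in snif[400000+533b000]
May 17 03:43:08 guard snif: Guardium Sniffer Started
May 17 03:43:10 guard GuardiumSniffer[5888]: Guardium Sniffer license verified.
May 17 03:43:10 guard kernel: [314056.894529] snif[5888]: segfault at 0 ip 0000000000563dc9 sp 00007fff07f05b50 error 6 in snif[400000+533b000]
May 17 03:43:11 guard snif: Guardium Sniffer Started
"""

SNIFLOG_SAMPLE = """\
2020-05-19 11:15:47,681 INFO The running process pid: 24690
2020-05-19 11:15:47,682 INFO gMachine total memory: 1758609408, Snif mem limited to 580341104
2020-05-19 11:15:47,688 INFO system is running in non-FIPS 140-2 mode
src/central_freelist.cc:333] tcmalloc: allocation failed 57344
"""

SEGFAULT_RE = re.compile(
    r"snif\[(?P<pid>\d+)\]: segfault at (?P<addr>[0-9a-f]+) ip (?P<ip>[0-9a-f]+) "
    r"sp (?P<sp>[0-9a-f]+) error (?P<err>\d+) in snif\[(?P<base>[0-9a-f]+)\+(?P<size>[0-9a-f]+)\]"
)
STARTED_RE = re.compile(r"snif: Guardium Sniffer Started")
MEM_RE = re.compile(r"gMachine total memory: (?P<total>\d+), Snif mem limited to (?P<limit>\d+)")
TCMALLOC_RE = re.compile(r"tcmalloc: allocation failed (?P<bytes>\d+)")

RECOMMENDED_RAM_BYTES = 24 * 1024 ** 3  # the minimum quoted in the replies to this thread


def parse_segfaults(syslog_text):
    """One dict per kernel 'segfault' line, with the x86 page-fault error code decoded."""
    faults = []
    for m in SEGFAULT_RE.finditer(syslog_text):
        ip, base, size = int(m["ip"], 16), int(m["base"], 16), int(m["size"], 16)
        err = int(m["err"])
        faults.append({
            "pid": int(m["pid"]),
            "fault_addr": int(m["addr"], 16),
            "ip_offset": ip - base,                 # offset inside the snif mapping: stable if it is the same bug
            "inside_snif": base <= ip < base + size,
            # error code bits: 1 = protection violation (0 = page not present), 2 = write, 4 = user mode
            "write": bool(err & 2),
            "user_mode": bool(err & 4),
        })
    return faults


def triage(syslog_text, sniflog_text):
    """Summarise a crash loop and the memory situation from the two log sources."""
    faults = parse_segfaults(syslog_text)
    offsets = Counter(f["ip_offset"] for f in faults)
    mem = MEM_RE.search(sniflog_text)
    tcm = TCMALLOC_RE.search(sniflog_text)
    report = {
        "segfaults": len(faults),
        "restarts": len(STARTED_RE.findall(syslog_text)),
        "same_crash_site": len(faults) > 1 and len(offsets) == 1,
        "crash_offset": hex(max(offsets, key=offsets.get)) if offsets else None,
        # 'segfault at 0 ... error 6' is a user-mode write to an unmapped page at address 0
        "null_write": bool(faults) and all(f["fault_addr"] == 0 and f["write"] and f["user_mode"] for f in faults),
        "total_mem_bytes": int(mem["total"]) if mem else None,
        "snif_limit_bytes": int(mem["limit"]) if mem else None,
        "tcmalloc_failed_bytes": int(tcm["bytes"]) if tcm else None,
    }
    report["under_recommended_ram"] = (
        report["total_mem_bytes"] is not None and report["total_mem_bytes"] < RECOMMENDED_RAM_BYTES
    )
    if report["tcmalloc_failed_bytes"] and report["under_recommended_ram"]:
        report["verdict"] = "allocator failure on a collector below recommended RAM: size the VM before chasing the segfault"
    elif report["same_crash_site"]:
        report["verdict"] = "deterministic crash at one code offset: raise it with the vendor with these lines attached"
    else:
        report["verdict"] = "no clear pattern in the sample"
    return report


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:  # usage: triage.py /var/log/messages /opt/IBM/Guardium/log/snif/snif.log
        syslog_text, sniflog_text = open(sys.argv[1]).read(), open(sys.argv[2]).read()
    else:
        syslog_text, sniflog_text = SYSLOG_SAMPLE, SNIFLOG_SAMPLE
    for key, value in triage(syslog_text, sniflog_text).items():
        print(f"{key}: {value}")
```

Two things the script makes visible that the raw lines hide: both faults land at the same offset (0x163dc9) into the snif image and are NULL-pointer writes, so this is one deterministic crash rather than random corruption, and the snif.log memory line reports 1758609408 bytes (about 1.6 GiB) visible to the sniffer with a 580341104-byte cap, which is worth reconciling with the 8 GB the post mentions before doing anything else.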


  • 2.  RE: Snif process - Guardium v11

    Posted Wed May 20, 2020 04:37 AM
    Hi Alejandro,

    From my experience, Guardium is very sensitive to memory and it's not working correctly if the memory is not at least 24GB as recommended. Yes, it's possible to install it – but there could be various errors/error messages.

    Martin

    ------------------------------
    Martins Zeipe
    ------------------------------



  • 3.  RE: Snif process - Guardium v11

    Posted Wed May 20, 2020 03:36 PM
    Thanks for your answer Martins, I'll try to check it.

    Regards

    ------------------------------
    Alejandro Diaschi
    ------------------------------



  • 4.  RE: Snif process - Guardium v11

    Posted Wed May 20, 2020 04:41 AM

    I agree with Martin!

    It may be possible to install, but with so little memory we are unable to state what behaviour you might encounter as it has not been tested.

    You need to set up the minimum requirements.

    Thanks



    ------------------------------
    MARK HARRIS
    ------------------------------



  • 5.  RE: Snif process - Guardium v11

    Posted Wed May 20, 2020 03:41 PM
    Thanks Mark, after all this could be the problem.

    Regards

    ------------------------------
    Alejandro Diaschi
    ------------------------------



  • 6.  RE: Snif process - Guardium v11

    Posted Wed May 20, 2020 07:18 AM
    If your question is whether or not you need port 16016 open, the answer is yes for MS SQL Servers. You will need to have port 16016 open from the database server to the collector so that the STAP can send the data for MS SQL servers.

    If you are addressing a different issue with the PID changing, indicating sniffer restarts, that could be a different issue with trying to analyze or log too much traffic. In that case you would need to add ignore rules to your policy to filter activity down to an acceptable level.

    ------------------------------
    Tim Tait
    ------------------------------



  • 7.  RE: Snif process - Guardium v11

    Posted Wed May 20, 2020 03:49 PM
    Edited by Alejandro Diaschi Wed May 20, 2020 03:57 PM
    Thanks Tim, let me ask you something more please. I'm trying all this in a little non-production environment, so this shouldn't be a traffic problem... mmm. I'm new to this platform so I'll try to check the policy filter you mentioned, but I'm not sure where it is.
    Sorry, the database is MySQL. So, port 16016 should be open, right?

    Thanks again.

    ------------------------------
    Alejandro Diaschi
    ------------------------------



  • 8.  RE: Snif process - Guardium v11

    Posted Wed May 20, 2020 03:55 PM
    Even when testing in smaller environments, if you have the Guardium environment scaled down, then you can run into issues caused by traffic, mostly based on the response that Martins gave. Since the required resources are not available, every aspect of the tool is affected by the resource constraints.

    The policy is under Policy Builder for Data. If you are not familiar with the policy builder, or have not built a policy yet, then the default policy is probably installed, which only monitors sessions. If you have created a policy, then the default is to log everything and you have to define what to ignore. If you don't have any rules in the policy to ignore unneeded traffic, then that is where the issue could lie. The amount of traffic being analyzed and logged by the collector could be too much since it was not built to the recommended specs.

    ------------------------------
    Tim Tait
    ------------------------------



  • 9.  RE: Snif process - Guardium v11

    Posted Wed May 20, 2020 05:35 PM
    Ok, I'll try to check everything as you guys recommend.

    Thanks to everyone.

    ------------------------------
    Alejandro Diaschi
    ------------------------------



  • 10.  RE: Snif process - Guardium v11

    Posted Tue June 09, 2020 05:36 AM

    Hi,

    Unix S-TAP connects to the collector's 16018 port for TLS connection and 16016 port for non-TLS connection.
    Windows S-TAP connects to the collector's 9501 port for TLS connection and 9500 port for non-TLS connection.
    These ports must be opened on collectors.


    Ref) Guardium port requirements (Guardium V11.1 Knowledge Center)
    https://www.ibm.com/support/knowledgecenter/SSMPHH_11.1.0/com.ibm.guardium.doc.install/install/r_planning_ports.html

    Thanks,
    Satoshi



    ------------------------------
    SATOSHI KAWASE
    ------------------------------
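The port table in the reply above, turned into a reachability check you can run from the database server. This is an added example, not code from the original thread or from IBM: it only tests whether a TCP handshake to the collector completes on the port the S-TAP would use, which separates "firewall or nothing listening" from "Guardium rejected the agent". The collector hostname in the usage line is a placeholder; the port values are the ones stated in the reply.

```python
import socket
from contextlib import closing

# Collector-side listening ports by S-TAP platform and transport, as stated in the reply above.
STAP_PORTS = {
    ("unix", False): 16016,     # Unix S-TAP, non-TLS
    ("unix", True): 16018,      # Unix S-TAP, TLS
    ("windows", False): 9500,   # Windows S-TAP, non-TLS
    ("windows", True): 9501,    # Windows S-TAP, TLS
}


def expected_stap_port(platform, tls):
    """Port an S-TAP on `platform` ('unix' or 'windows') connects to on the collector."""
    return STAP_PORTS[(platform.lower(), bool(tls))]


def tcp_port_open(host, port, timeout=3.0):
    """True if a TCP handshake to host:port completes, False on refusal, timeout or DNS failure.

    Run from the database server: a False here means the S-TAP cannot reach the collector
    at all (firewall, routing, or no listener), regardless of anything configured in Guardium.
    """
    try:
        with closing(socket.create_connection((host, port), timeout=timeout)):
            return True
    except OSError:
        return False


def check_collector(host, platform="unix", tls=True, timeout=3.0):
    """Resolve the right port for this S-TAP and probe it; returns a small report dict."""
    port = expected_stap_port(platform, tls)
    return {"host": host, "port": port, "tls": bool(tls), "reachable": tcp_port_open(host, port, timeout)}


def self_test():
    """Offline demonstration: open a loopback listener, probe it, close it, probe again.

    Returns (reachable_while_listening, reachable_after_close); expected (True, False).
    """
    with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as srv:
        srv.bind(("127.0.0.1", 0))          # ephemeral port chosen by the kernel
        srv.listen(1)
        port = srv.getsockname()[1]
        while_listening = tcp_port_open("127.0.0.1", port, timeout=1.0)
    after_close = tcp_port_open("127.0.0.1", port, timeout=1.0)
    return while_listening, after_close


if __name__ == "__main__":
    # Placeholder collector name; substitute the real one when running on the DB server.
    print(check_collector("collector.example.internal", platform="unix", tls=True))
    print(self_test())
```

A True from this check only proves the network path and that something accepts connections on that port; if the S-TAP still does not register, the next place to look is the S-TAP's own log on the database host and the sniffer state on the collector, since a sniffer in a restart loop (as in the first post) may not be listening reliably even when the firewall is correct.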