Troubleshooting
Problem
The sniffer is crashing continuously on IBM Security Guardium appliances where either sniffer patch p4009 (SqlGuard_11.0p4009_SnifferUpdate_Jul-09-2020) has been installed (for V11), or sniffer patch p4054 (SqlGuard_10.0p4054_SnifferUpdate_Jul-09-2020) has been installed (for V10).
The issue has been observed in particular when the installed Policy contains a rule with a condition on the Command entity, in other words, when a Command criterion is defined in the Policy rules.
A message similar to the following may be logged in the messages log every few minutes:
segfault at <string> ip <string> sp <string> error 4 in libtcmalloc.so.4.4.5[xxxxxxx+xxxxxx]
Symptom
The sniffer crashes continuously, and a segfault message is logged to the messages log every time it crashes. Additionally, the IBM Guardium S-TAPs connected to the collector continuously disconnect from and reconnect to the appliance, and messages indicating this are logged to STAP.log.
Cause
The problem is caused by a defect in the sniffer code introduced by:
Sniffer Patch p4009 (SqlGuard_11.0p4009_SnifferUpdate_Jul-09-2020) for V11
and by
Sniffer Patch p4054 (SqlGuard_10.0p4054_SnifferUpdate_Jul-09-2020) for V10
Environment
IBM Security Guardium V11 collector with sniffer patch p4009 (SqlGuard_11.0p4009_SnifferUpdate_Jul-09-2020)
or
IBM Security Guardium V10 collector with sniffer patch p4054 (SqlGuard_10.0p4054_SnifferUpdate_Jul-09-2020)
Diagnosing The Problem
It may be this problem if all of the following are true:
- Either sniffer patch p4009 (SqlGuard_11.0p4009_SnifferUpdate_Jul-09-2020) was recently installed on the V11 collector, or sniffer patch p4054 (SqlGuard_10.0p4054_SnifferUpdate_Jul-09-2020) was recently installed on the V10 collector
- The sniffer started to crash continuously right after the sniffer patch was installed
- The installed Policy on the collector contains rules with conditions on the Command entity
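To confirm the recurring segfault pattern described above from a copy of the messages log, the following added example (not IBM code) extracts kernel segfault records that name libtcmalloc and checks whether they repeat under a new process ID each time. The sample lines, host name and process names are constructed placeholders, and the 30-minute window and three-crash threshold are assumptions.

```python
import re
from datetime import datetime, timedelta

# Linux kernel segfault record naming libtcmalloc, as quoted in this note.
SEGV = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d{2}:\d{2}:\d{2})\s+\S+\s+kernel:\s+(?:\[\s*\d+\.\d+\]\s+)?"
    r"(?P<comm>\S+)\[(?P<pid>\d+)\]:\s+segfault at \S+ ip \S+ sp \S+ "
    r"error (?P<err>\d+) in (?P<lib>libtcmalloc\.so[^\[\s]*)")

# Constructed sample: host, process names, PIDs and addresses are placeholders.
SAMPLE = """\
Jul 14 10:02:11 collector01 kernel: example_snif[4121]: segfault at 8 ip 00007f3a1c0d2b10 sp 00007ffd5e2a1c40 error 4 in libtcmalloc.so.4.4.5[7f3a1c0a0000+46000]
Jul 14 10:03:40 collector01 sshd[900]: Accepted publickey for admin from 192.0.2.10
Jul 14 10:06:37 collector01 kernel: example_snif[4388]: segfault at 8 ip 00007f91d40d2b10 sp 00007ffc0b7713a0 error 4 in libtcmalloc.so.4.4.5[7f91d40a0000+46000]
Jul 14 10:08:00 collector01 kernel: other_proc[777]: segfault at 0 ip 00007f0000001000 sp 00007ffc00002000 error 4 in libc-2.17.so[7f0000000000+1c4000]
Jul 14 10:11:02 collector01 kernel: example_snif[4610]: segfault at 8 ip 00007fb2280d2b10 sp 00007ffe9a0142f0 error 4 in libtcmalloc.so.4.4.5[7fb2280a0000+46000]
Jul 14 10:15:29 collector01 kernel: example_snif[4875]: segfault at 8 ip 00007f06e80d2b10 sp 00007ffd13c5d910 error 4 in libtcmalloc.so.4.4.5[7f06e80a0000+46000]
""".splitlines()

def parse_events(lines, year):
    """Return sorted (time, comm, pid, error_code) for libtcmalloc segfaults.
    Syslog timestamps carry no year, so the caller supplies it."""
    events = []
    for line in lines:
        m = SEGV.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["comm"], int(m["pid"]), int(m["err"])))
    return sorted(events)

def gaps_seconds(events):
    """Seconds between consecutive crashes ('every few minutes' in the note)."""
    return [int((b[0] - a[0]).total_seconds()) for a, b in zip(events, events[1:])]

def crash_loop(events, window=timedelta(minutes=30), min_hits=3):
    """True when min_hits crashes fall inside one window, each under a new PID."""
    for i in range(len(events) - min_hits + 1):
        run = events[i:i + min_hits]
        if run[-1][0] - run[0][0] <= window and len({e[2] for e in run}) == min_hits:
            return True
    return False

if __name__ == "__main__":
    ev = parse_events(SAMPLE, 2020)
    print(len(ev), "libtcmalloc segfaults; gaps (s):", gaps_seconds(ev))
    print("crash loop:", crash_loop(ev))
```

A positive result only matches the logged symptom; the patch level and the Policy's Command conditions still have to be checked against the list above.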
Resolving The Problem
Install one of the following sniffer patches, in which the issue has been resolved:
for V11: SqlGuard-11.0p4010_Snif_Aug_13_2020.tgz.enc.sig
for V10: SqlGuard-10.0p4055_Snif_Aug_12_2020.tgz.enc.sig
Document Location
Worldwide
Document Information
Modified date: 18 August 2020
UID: ibm16261009