IBM Support

Sniffer crashing continuously on IBM Security Guardium appliance after sniffer patch V11.0p4009 or V10.0p4054 was installed

Troubleshooting


Problem

The sniffer is crashing continuously on IBM Security Guardium appliances where either sniffer patch p4009 (SqlGuard_11.0p4009_SnifferUpdate_Jul-09-2020) has been installed (for V11), or sniffer patch p4054 (SqlGuard_10.0p4054_SnifferUpdate_Jul-09-2020) has been installed (for V10).
The issue has been particularly observed if the installed Policy contains a rule with a condition on the Command entity, or in other words, if a Command criteria is defined in the Policy rules.
A message similar to the following may be logged in the messages log every few minutes:
segfault at <string> ip <string> sp <string> error 4 in libtcmalloc.so.4.4.5[xxxxxxx+xxxxxx]

Symptom

Sniffer continuously crashes and segfault message is logged to the messages log every time it crashes. Additionally, the IBM Guardium S-TAPs connected to the collector continuously disconnect from and reconnect to the appliance while messages indicating that are logged to the STAP.log.

Cause

Problem is caused by a Defect in the sniffer code introduced by:
Sniffer Patch p4009 (SqlGuard_11.0p4009_SnifferUpdate_Jul-09-2020) for V11
and by
Sniffer Patch p4054 (SqlGuard_10.0p4054_SnifferUpdate_Jul-09-2020) for V10

Environment

IBM Security Guardium V11 collector with sniffer patch p4009 (SqlGuard_11.0p4009_SnifferUpdate_Jul-09-2020) 
or
IBM Security Guardium V10 collector with sniffer patch p4054  (SqlGuard_10.0p4054_SnifferUpdate_Jul-09-2020)

Diagnosing The Problem

It may be this problem if all the following is true:
-Either sniffer patch p4009 (SqlGuard_11.0p4009_SnifferUpdate_Jul-09-2020) was recently installed on the V11 collector
or 
sniffer patch p4054 (SqlGuard_10.0p4054_SnifferUpdate_Jul-09-2020) was recently installed on the V10 collector
-the sniffer started to continuously crash right after installing  the sniffer patch
-the installed Policy on the collector contains rules with conditions in the Command entity

Resolving The Problem

Install one of the following sniffer patches where issue has been resolved:
for V11: SqlGuard-11.0p4010_Snif_Aug_13_2020.tgz.enc.sig
for V10: SqlGuard-10.0p4055_Snif_Aug_12_2020.tgz.enc.sig

Document Location

Worldwide

[{"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSMPHH","label":"IBM Security Guardium"},"ARM Category":[{"code":"a8m0z000000Gp0SAAS","label":"SNIFFER"}],"ARM Case Number":"TS004023743","Platform":[{"code":"PF016","label":"Linux"}],"Version":"All Version(s)","Line of Business":{"code":"LOB24","label":"Security Software"}}]

Document Information

Modified date:
18 August 2020

UID

ibm16261009

Page Feedback