[Bro-Dev] BiF parsing index types

Will baxterw3232 at gmail.com
Wed May 18 12:56:58 PDT 2011


On Wed, May 18, 2011 at 1:59 PM, Will <baxterw3232 at gmail.com> wrote:
> On Wed, May 18, 2011 at 12:01 AM, Robin Sommer <robin at icir.org> wrote:
>>
>> On Tue, May 17, 2011 at 11:16 -0400, you wrote:
>>
>>> I wasn't aware of being able to specify and print a single variable
>>> from bro, as you did above, but ecstatic about how much easier that
>>> will make things when troubleshooting.
>>
>> Are you aware of broctl's "print" command? That shows you the value of
>> a variable at runtime. Try running that with
>> "okay_to_lookup_sensitive_hosts" to see if the broctl configuration
>> gets it right.
>>
>
> No, I wasn't 'til now. Forgive my nubness, but what specifically are
> <id> and <node>? i.e. process id of parent ps or variable name? If
> standalone, would node be just bro, localhost or something completely
> different?
>
> # broctl print "okay_to_lookup_sensitive_hosts" bro
>
>>> /usr/local/bro/share/bro/scan.bro, line 117: internal error: NB-DNS
>>> error in DNS_Mgr::WaitForReplies (ns_initparse(): Message too long)
>>> Abort trap: 6 (core dumped)
>>
>> These kinds of errors usually indicate trouble with the system's DNS
>> setup. However, I don't think I've ever seen the "message too long"
>> message.
>>
Looks like a ticket is open for a similar issue:
http://tracker.bro-ids.org/bro/ticket/255

The odd thing is, I don't know what changed that would cause these to
start occurring recently.
>
> So everything has been running smoothly for the last 24 hours or so,
> then another crash. More details:
>
> Cannot access memory at address 0x5
> ==== stderr.log
> pcap bufsize = 32768
> listening on bge1
> 1305661424.619015 run-time error: string without NUL terminator:
> "\xff\xff*^Hbc0975.0\xc0^L\0^A\0^A\0\0^D\xb0\0^D^J^D^D.^Hbc097531\xc0^L\0^A\0^A\0\0^D\xb0\0^D\xac^Q(\xa7^Hbc097532.\xff\xff*^Hbc0975.0\xc0^L\0^A\0^A\0\0^D\xb0\0^D^J^D^D.^Hbc097531\xc0^L\0^A\0^A\0\0^D\xb0\0^D\xac^Q(\xa7^Hbc097532"
> 1305707636.214027 run-time error: string without NUL terminator:
> "hosta^Ecompany^Corg\0\xc0^L\0!\0^A\0\0^Bx\0\x1c\0\0\0d^A\x85^J04c2nvrs-a^Ecompa"
> 1305707636.259675 run-time error: string without NUL terminator:
> "hosta^Ecompany^Corg\0\xc0^L\0!\0^A\0\0^Bx\0\x1c\0\0\0d^A\x85^J04c2nvrs-a^Ecompa"
> 1305734703.016096 run-time error: string with embedded NUL:
> "oo^M\xc3\xca\0^A\0^A\0"
> 1305735623.373659 internal error: NB-DNS error in DNS_Mgr::Process
> (ns_initparse(): Message too long)
> /usr/local/bro/share/broctl/scripts/run-bro: line 73: 31891 Abort
> trap: 6           (core dumped) nohup $tmpbro $@
> ==== stdout.log
> ==== .status
> TERMINATED [internal_error]
> ==== No prof.log.
> bro.core
> Core was generated by `bro'.
> Program terminated with signal 6, Aborted.
> #0  0x286e8a27 in kill () from /lib/libc.so.7
> #0  0x286e8a27 in kill () from /lib/libc.so.7
> #1  0x286e8986 in raise () from /lib/libc.so.7
> #2  0x286e756a in abort () from /lib/libc.so.7
> #3  0x080517a4 in internal_error () at SSLInterpreter.cc:30
> #4  0x080a1691 in DNS_Mgr::Process (this=0xbfbfe554) at DNS_Mgr.cc:1069
> #5 0x08147285 in net_run () at Net.cc:528
> #6  0x0804fbff in main (argc=) at main.cc:999
>
> Followed by this crash when broctl tried to restart 5 minutes later.
> So, do you still think this looks like a host configuration issue?
> This is on a FreeBSD 7.3 host, FYI.
>
> [bro]
> Variable "this" is not available.
> ==== stderr.log
> /usr/local/bro/share/bro/scan.bro, line 117: internal error: NB-DNS
> error in DNS_Mgr::WaitForReplies (ns_initparse(): Message too long)
> /usr/local/bro/share/broctl/scripts/run-bro: line 73: 55221 Abort
> trap: 6           (core dumped) nohup $tmpbro $@
> ==== stdout.log
> ==== .status
> TERMINATED [internal_error]
> ==== No prof.log.
> bro.core
> Core was generated by `bro'.
> Program terminated with signal 6, Aborted.
> #0  0x286e8a27 in kill () from /lib/libc.so.7
> #0  0x286e8a27 in kill () from /lib/libc.so.7
> #1  0x286e8986 in raise () from /lib/libc.so.7
> #2  0x286e756a in abort () from /lib/libc.so.7
> #3  0x080517a4 in internal_error () at SSLInterpreter.cc:30
> #4  0x080a199c in DNS_Mgr::Resolve (this=) at DNS_Mgr.cc:580
> #5  0x080a1dbd in DNS_Mgr::LookupHost (this=0x82dc800, name=0x85a3939
> "test-scooter.av.pa-x.dec.com") at DNS_Mgr.cc:468
> #6  0x080682b7 in brolex () at scan.l:324
> #7  0x08053bbc in yyparse () at p.c:2260
> #8  0x0804ee16 in main (argc=17, argv=0xbfbfeb5c) at main.cc:749
>
> Thanks,
>
> Will
>
>> Robin
>>
>> --
>> Robin Sommer * Phone +1 (510) 722-6541 * robin at icir.org
>> ICSI/LBNL    * Fax   +1 (510) 666-2956 *   www.icir.org
>>
>


