bro dies (every day)
scampbell at lbl.gov
Fri Aug 22 08:05:15 PDT 2003
Anton Chuvakin, Ph.D. wrote:
| Vern and all,
| I reported bro dying here before, but now (with 0.34) it happens EVERY
| DAY. I suspect the ongoing ICMP "rain" is to blame as well, since I don't
| think it was happening that often before that. As usual, there are no
| messages in the logs and no core file (ulimit is set).
| I would appreciate any hints for finding out what happens. I can send my
| policy file over, if needed.
I experienced the same problem and tracked down a possible source of the
I took a quick look at the icmp code, and did a little testing. During
this I noticed the following: when *any* tracefile with icmp in it is
run through bro, there will be an exception at close time (i.e. after
net_done() is called).
On a trace file of ~500 icmp packets (and only icmp), the following data
was provided from the exec trace file:
0.000000 <no location>:0 event called: bro_init()
1060118249.065749 <no location>:0 event called: net_done(t =
1060118249.065749 <no location>:0 event called:
connection_state_remove(c = '[orig_h=18.104.22.168, resp_h=22.214.171.124,
In the info (i.e. stderr) file the following can be found:
1060118249.065749 <no location> (126.96.36.199): bad tag in Val::CONVERTER
which seems to correlate with the last event logged. Regular logged
data indicates that only the last icmp packet seems to tickle
When a single pair of icmp ping request-response is run through, the
same problem presents itself, with the 'connection_state_remove' call
getting the orig_h and resp_h IPs *backwards* with respect to the icmp
flow object defined when icmp.bro is loaded.
Loading the icmp.bro module seems not to affect this problem, although I
am seeing strange behavior with regard to some packet payload analysis
that is going on (modified icmp.bro).
If anyone has a good idea as to the location of the problem, I would be
most happy in working with them in resolving this issue. Recently a
modified sk rootkit with an icmp backdoor was discovered at another lab,
so keeping an eye on this protocol has just been raised in priority.
NERSC Network Security
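The message above says a single ICMP echo request/reply pair is enough to trigger the close-time exception and the reversed orig_h/resp_h in connection_state_remove. The script below is an added example (not code from the original post or from the Bro project) that builds exactly such a minimal trace offline with the Python standard library, so the behaviour can be reproduced with bro's -r trace option on a file whose contents are known byte for byte. The hosts 10.0.0.1/10.0.0.2, the MAC addresses, the ICMP id/sequence, the payload text and the base timestamp are constructed sample values; the helper names (inet_checksum, icmp_echo, ipv4, pcap, echo_pair, ip_and_icmp) are this example's own.

```python
"""Build a minimal pcap holding one ICMP echo request and its reply.

Added example for reproducing the ICMP close-time problem described above.
All addresses, MACs, ids and the payload are constructed sample values.
"""
import socket
import struct
import sys


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum (odd-length data is zero padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                      # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def icmp_echo(kind: int, ident: int, seq: int, payload: bytes) -> bytes:
    """ICMP echo request (type 8) or reply (type 0) with a valid checksum."""
    hdr = struct.pack("!BBHHH", kind, 0, 0, ident, seq)
    csum = inet_checksum(hdr + payload)
    return struct.pack("!BBHHH", kind, 0, csum, ident, seq) + payload


def ipv4(src: str, dst: str, payload: bytes, ident: int = 1) -> bytes:
    """IPv4 header (no options, TTL 64, protocol 1 = ICMP) plus payload."""
    fmt = "!BBHHHBBH4s4s"
    s, d = socket.inet_aton(src), socket.inet_aton(dst)
    total_len = 20 + len(payload)
    hdr = struct.pack(fmt, 0x45, 0, total_len, ident, 0, 64, 1, 0, s, d)
    csum = inet_checksum(hdr)
    hdr = struct.pack(fmt, 0x45, 0, total_len, ident, 0, 64, 1, csum, s, d)
    return hdr + payload


def ethernet(src_mac: bytes, dst_mac: bytes, payload: bytes) -> bytes:
    """Ethernet II frame carrying IPv4 (ethertype 0x0800)."""
    return dst_mac + src_mac + b"\x08\x00" + payload


def pcap(frames, base_ts: float = 1060118249.0) -> bytes:
    """Classic little-endian pcap: global header then one record per frame."""
    # magic, version 2.4, thiszone 0, sigfigs 0, snaplen 65535, linktype 1 (Ethernet)
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        ts = base_ts + i * 0.001            # 1 ms apart, constructed timing
        sec = int(ts)
        usec = int(round((ts - sec) * 1_000_000))
        out += struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame
    return out


def echo_pair(src="10.0.0.1", dst="10.0.0.2", payload=b"bro-icmp-test"):
    """One echo request src->dst and the matching reply dst->src (sample data)."""
    mac_a = b"\x00\x11\x22\x33\x44\x55"     # constructed MAC for src
    mac_b = b"\x00\x66\x77\x88\x99\xaa"     # constructed MAC for dst
    request = ethernet(mac_a, mac_b, ipv4(src, dst, icmp_echo(8, 0x1234, 1, payload), 1))
    reply = ethernet(mac_b, mac_a, ipv4(dst, src, icmp_echo(0, 0x1234, 1, payload), 2))
    return [request, reply]


def ip_and_icmp(frame: bytes):
    """Return (src, dst, icmp_type) of a frame, to confirm which side originated."""
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    src = socket.inet_ntoa(ip[12:16])
    dst = socket.inet_ntoa(ip[16:20])
    return src, dst, ip[ihl]


def build_repro_pcap() -> bytes:
    """The complete two-packet trace as bytes."""
    return pcap(echo_pair())


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else "icmp-pair.pcap"
    with open(path, "wb") as fh:
        fh.write(build_repro_pcap())
    print("wrote", path)
```

Because the request is the first packet and goes from 10.0.0.1 to 10.0.0.2, a connection_state_remove record for this trace with orig_h=10.0.0.2 would show the reversal the post describes; ip_and_icmp gives the ground truth to compare against the event's addresses.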